From e7af0375131ec1beabe049ddf4149d8aad03e36c Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Wed, 30 Mar 2022 19:07:49 +0800
Subject: [PATCH 001/258] =?UTF-8?q?perf:=20=E4=BF=AE=E6=94=B9=E5=91=BD?=
 =?UTF-8?q?=E4=BB=A4command=20input=20=E9=95=BF=E5=BA=A6=E9=97=AE=E9=A2=98?=
 =?UTF-8?q?=20(#7996)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* perf: 修改命令command input max_length 1024

* perf: 修改命令command input 长度问题

* perf: 修改命令command input 长度问题

* perf: 修改命令command input 长度问题

* perf: 修改命令command input 长度问题

Co-authored-by: Jiangjie.Bai <bugatti_it@163.com>
---
 apps/common/utils/common.py                   | 21 +++++++++
 apps/terminal/api/command.py                  |  2 +-
 apps/terminal/backends/command/db.py          |  5 +-
 apps/terminal/backends/command/serializers.py | 46 ++++++++++---------
 apps/terminal/models/command.py               | 29 ++++++++++++
 apps/terminal/serializers/__init__.py         |  1 -
 apps/terminal/serializers/command.py          | 11 -----
 apps/terminal/serializers/terminal.py         | 13 +++---
 apps/users/models/user.py                     |  6 ++-
 apps/users/serializers/user.py                |  8 +++-
 apps/users/utils.py                           | 16 ++++---
 utils/generate_fake_data/generate.py          |  2 +
 .../generate_fake_data/resources/terminal.py  | 10 ++++
 13 files changed, 117 insertions(+), 53 deletions(-)
 delete mode 100644 apps/terminal/serializers/command.py
 create mode 100644 utils/generate_fake_data/resources/terminal.py

diff --git a/apps/common/utils/common.py b/apps/common/utils/common.py
index e5b9de4fd..d579eacfb 100644
--- a/apps/common/utils/common.py
+++ b/apps/common/utils/common.py
@@ -338,3 +338,24 @@ def get_file_by_arch(dir, filename):
         settings.BASE_DIR, dir, platform_name, arch, filename
     )
     return file_path
+
+
+def pretty_string(data: str, max_length=128, ellipsis_str='...'):
+    """
+    params:
+       data: abcdefgh
+       max_length: 7
+       ellipsis_str: ...
+   return:
+       ab...gh
+    """
+    if len(data) < max_length:
+        return data
+    remain_length = max_length - len(ellipsis_str)
+    half = remain_length // 2
+    if half <= 1:
+        return data[:max_length]
+    start = data[:half]
+    end = data[-half:]
+    data = f'{start}{ellipsis_str}{end}'
+    return data
diff --git a/apps/terminal/api/command.py b/apps/terminal/api/command.py
index 09ed27e30..22a2bb5c3 100644
--- a/apps/terminal/api/command.py
+++ b/apps/terminal/api/command.py
@@ -14,7 +14,7 @@ from terminal.filters import CommandFilter
 from orgs.utils import current_org
 from common.drf.api import JMSBulkModelViewSet
 from common.utils import get_logger
-from terminal.serializers import InsecureCommandAlertSerializer
+from terminal.backends.command.serializers import InsecureCommandAlertSerializer
 from terminal.exceptions import StorageInvalid
 from ..backends import (
     get_command_storage, get_multi_command_storage,
diff --git a/apps/terminal/backends/command/db.py b/apps/terminal/backends/command/db.py
index bb4fa957a..8b11569e9 100644
--- a/apps/terminal/backends/command/db.py
+++ b/apps/terminal/backends/command/db.py
@@ -4,6 +4,7 @@ import datetime
 from django.db import transaction
 from django.utils import timezone
 from django.db.utils import OperationalError
+from common.utils.common import pretty_string
 
 from .base import CommandBase
 
@@ -32,9 +33,11 @@ class CommandStore(CommandBase):
         """
         _commands = []
         for c in commands:
+            cmd_input = pretty_string(c['input'])
+            cmd_output = pretty_string(c['output'], max_length=1024)
             _commands.append(self.model(
                 user=c["user"], asset=c["asset"], system_user=c["system_user"],
-                input=c["input"], output=c["output"], session=c["session"],
+                input=cmd_input, output=cmd_output, session=c["session"],
                 risk_level=c.get("risk_level", 0), org_id=c["org_id"],
                 timestamp=c["timestamp"]
             ))
diff --git a/apps/terminal/backends/command/serializers.py b/apps/terminal/backends/command/serializers.py
index 8114ddbb1..625c4282e 100644
--- a/apps/terminal/backends/command/serializers.py
+++ b/apps/terminal/backends/command/serializers.py
@@ -4,27 +4,19 @@ from rest_framework import serializers
 
 from .models import AbstractSessionCommand
 
+__all__ = ['SessionCommandSerializer', 'InsecureCommandAlertSerializer']
 
-class SessionCommandSerializer(serializers.Serializer):
-    """使用这个类作为基础Command Log Serializer类, 用来序列化"""
 
-    id = serializers.UUIDField(read_only=True)
+class SimpleSessionCommandSerializer(serializers.Serializer):
+    """ 简单Session命令序列类, 用来提取公共字段 """
     user = serializers.CharField(label=_("User"))  # 限制 64 字符，见 validate_user
     asset = serializers.CharField(max_length=128, label=_("Asset"))
-    system_user = serializers.CharField(max_length=64, label=_("System user"))
-    input = serializers.CharField(max_length=128, label=_("Command"))
-    output = serializers.CharField(max_length=1024, allow_blank=True, label=_("Output"))
+    input = serializers.CharField(max_length=2048, label=_("Command"))
     session = serializers.CharField(max_length=36, label=_("Session ID"))
-    risk_level = serializers.ChoiceField(required=False, label=_("Risk level"), choices=AbstractSessionCommand.RISK_LEVEL_CHOICES)
-    risk_level_display = serializers.SerializerMethodField(label=_('Risk level display'))
+    risk_level = serializers.ChoiceField(
+        required=False, label=_("Risk level"), choices=AbstractSessionCommand.RISK_LEVEL_CHOICES
+    )
     org_id = serializers.CharField(max_length=36, required=False, default='', allow_null=True, allow_blank=True)
-    timestamp = serializers.IntegerField(label=_('Timestamp'))
-    remote_addr = serializers.CharField(read_only=True, label=_('Remote Address'))
-
-    @staticmethod
-    def get_risk_level_display(obj):
-        risk_mapper = dict(AbstractSessionCommand.RISK_LEVEL_CHOICES)
-        return risk_mapper.get(obj.risk_level)
 
     def validate_user(self, value):
         if len(value) > 64:
@@ -32,9 +24,21 @@ class SessionCommandSerializer(serializers.Serializer):
         return value
 
 
-class InsecureCommandAlertSerializer(serializers.Serializer):
-    input = serializers.CharField()
-    asset = serializers.CharField()
-    user = serializers.CharField()
-    risk_level = serializers.IntegerField()
-    session = serializers.UUIDField()
+class InsecureCommandAlertSerializer(SimpleSessionCommandSerializer):
+    pass
+
+
+class SessionCommandSerializer(SimpleSessionCommandSerializer):
+    """使用这个类作为基础Command Log Serializer类, 用来序列化"""
+
+    id = serializers.UUIDField(read_only=True)
+    system_user = serializers.CharField(max_length=64, label=_("System user"))
+    output = serializers.CharField(max_length=2048, allow_blank=True, label=_("Output"))
+    risk_level_display = serializers.SerializerMethodField(label=_('Risk level display'))
+    timestamp = serializers.IntegerField(label=_('Timestamp'))
+    remote_addr = serializers.CharField(read_only=True, label=_('Remote Address'))
+
+    @staticmethod
+    def get_risk_level_display(obj):
+        risk_mapper = dict(AbstractSessionCommand.RISK_LEVEL_CHOICES)
+        return risk_mapper.get(obj.risk_level)
diff --git a/apps/terminal/models/command.py b/apps/terminal/models/command.py
index 7609902f2..3e94740ff 100644
--- a/apps/terminal/models/command.py
+++ b/apps/terminal/models/command.py
@@ -1,5 +1,7 @@
 from __future__ import unicode_literals
 
+import time
+
 from django.db import models
 from django.db.models.signals import post_save
 from django.utils.translation import ugettext_lazy as _
@@ -18,6 +20,33 @@ class CommandManager(models.Manager):
 class Command(AbstractSessionCommand):
     objects = CommandManager()
 
+    @classmethod
+    def generate_fake(cls, count=100, org=None):
+        import uuid
+        import datetime
+        from orgs.models import Organization
+        from common.utils import random_string
+
+        if not org:
+            org = Organization.default()
+
+        d = datetime.datetime.now() - datetime.timedelta(days=1)
+        commands = [
+            cls(**{
+                'user': random_string(6),
+                'asset': random_string(10),
+                'system_user': random_string(6),
+                'session': str(uuid.uuid4()),
+                'input': random_string(16),
+                'output': random_string(64),
+                'timestamp': int(d.timestamp()),
+                'org_id': str(org.id)
+            })
+            for i in range(count)
+        ]
+        cls.objects.bulk_create(commands)
+        print(f'Create {len(commands)} commands of org ({org})')
+
     class Meta:
         db_table = "terminal_command"
         ordering = ('-timestamp',)
diff --git a/apps/terminal/serializers/__init__.py b/apps/terminal/serializers/__init__.py
index a2a5bbf30..4e868cabc 100644
--- a/apps/terminal/serializers/__init__.py
+++ b/apps/terminal/serializers/__init__.py
@@ -3,5 +3,4 @@
 from .terminal import *
 from .session import *
 from .storage import *
-from .command import *
 from .sharing import *
diff --git a/apps/terminal/serializers/command.py b/apps/terminal/serializers/command.py
deleted file mode 100644
index 01343e825..000000000
--- a/apps/terminal/serializers/command.py
+++ /dev/null
@@ -1,11 +0,0 @@
-# ~*~ coding: utf-8 ~*~
-from rest_framework import serializers
-
-
-class InsecureCommandAlertSerializer(serializers.Serializer):
-    input = serializers.CharField()
-    asset = serializers.CharField()
-    user = serializers.CharField()
-    risk_level = serializers.IntegerField()
-    session = serializers.UUIDField()
-    org_id = serializers.CharField()
diff --git a/apps/terminal/serializers/terminal.py b/apps/terminal/serializers/terminal.py
index be991d8a8..dd6565348 100644
--- a/apps/terminal/serializers/terminal.py
+++ b/apps/terminal/serializers/terminal.py
@@ -4,7 +4,7 @@ from django.utils.translation import ugettext_lazy as _
 from common.drf.serializers import BulkModelSerializer, AdaptedBulkListSerializer
 from common.utils import is_uuid
 from users.serializers import ServiceAccountSerializer
-from common.utils import get_request_ip
+from common.utils import get_request_ip, pretty_string
 from .. import const
 
 from ..models import (
@@ -111,12 +111,11 @@ class TerminalRegistrationSerializer(serializers.ModelSerializer):
         valid = super().is_valid(raise_exception=raise_exception)
         if not valid:
             return valid
-        name = self.validated_data.get('name')
-        if len(name) > 128:
-            self.validated_data['comment'] = name
-            name = '{}...{}'.format(name[:32], name[-32:])
-            self.validated_data['name'] = name
-
+        raw_name = self.validated_data.get('name')
+        name = pretty_string(raw_name)
+        self.validated_data['name'] = name
+        if len(raw_name) > 128:
+            self.validated_data['comment'] = raw_name
         data = {'name': name}
         kwargs = {'data': data}
         if self.instance and self.instance.user:
diff --git a/apps/users/models/user.py b/apps/users/models/user.py
index 3aae3223b..1a5ce634c 100644
--- a/apps/users/models/user.py
+++ b/apps/users/models/user.py
@@ -401,10 +401,12 @@ class RoleMixin:
     def is_staff(self, value):
         pass
 
+    service_account_email_suffix = '@local.domain'
+
     @classmethod
-    def create_service_account(cls, name, comment):
+    def create_service_account(cls, name, email, comment):
         app = cls.objects.create(
-            username=name, name=name, email='{}@local.domain'.format(name),
+            username=name, name=name, email=email,
             comment=comment, is_first_login=False,
             created_by='System', is_service_account=True,
         )
diff --git a/apps/users/serializers/user.py b/apps/users/serializers/user.py
index b998e8f6d..56409addf 100644
--- a/apps/users/serializers/user.py
+++ b/apps/users/serializers/user.py
@@ -6,6 +6,7 @@ from rest_framework import serializers
 
 from common.mixins import CommonBulkSerializerMixin
 from common.validators import PhoneValidator
+from common.utils import pretty_string
 from rbac.builtin import BuiltinRole
 from rbac.permissions import RBACPermission
 from rbac.models import OrgRoleBinding, SystemRoleBinding, Role
@@ -268,7 +269,9 @@ class ServiceAccountSerializer(serializers.ModelSerializer):
 
     def get_email(self):
         name = self.initial_data.get('name')
-        return '{}@serviceaccount.local'.format(name)
+        name_max_length = 128 - len(User.service_account_email_suffix)
+        name = pretty_string(name, max_length=name_max_length, ellipsis_str='-')
+        return '{}{}'.format(name, User.service_account_email_suffix)
 
     def validate_name(self, name):
         email = self.get_email()
@@ -283,6 +286,7 @@ class ServiceAccountSerializer(serializers.ModelSerializer):
 
     def create(self, validated_data):
         name = validated_data['name']
+        email = self.get_email()
         comment = validated_data.get('comment', '')
-        user, ak = User.create_service_account(name, comment)
+        user, ak = User.create_service_account(name, email, comment)
         return user
diff --git a/apps/users/utils.py b/apps/users/utils.py
index 3602d67ee..b32b0c0e0 100644
--- a/apps/users/utils.py
+++ b/apps/users/utils.py
@@ -11,7 +11,7 @@ from django.conf import settings
 from django.core.cache import cache
 
 from common.tasks import send_mail_async
-from common.utils import reverse, get_object_or_none, ip
+from common.utils import reverse, get_object_or_none, ip, pretty_string
 from .models import User
 
 logger = logging.getLogger('jumpserver')
@@ -229,12 +229,14 @@ class LoginIpBlockUtil(BlockGlobalIpUtilBase):
     BLOCK_KEY_TMPL = "_LOGIN_BLOCK_{}"
 
 
-def construct_user_email(username, email):
-    if '@' not in email:
-        if '@' in username:
-            email = username
-        else:
-            email = '{}@{}'.format(username, settings.EMAIL_SUFFIX)
+def construct_user_email(username, email, email_suffix=''):
+    if '@' in email:
+        return email
+    if '@' in username:
+        return username
+    if not email_suffix:
+        email_suffix = settings.EMAIL_SUFFIX
+    email = f'{username}@{email_suffix}'
     return email
 
 
diff --git a/utils/generate_fake_data/generate.py b/utils/generate_fake_data/generate.py
index 839295049..fb41d7e1d 100644
--- a/utils/generate_fake_data/generate.py
+++ b/utils/generate_fake_data/generate.py
@@ -15,6 +15,7 @@ django.setup()
 from resources.assets import AssetsGenerator, NodesGenerator, SystemUsersGenerator, AdminUsersGenerator
 from resources.users import UserGroupGenerator, UserGenerator
 from resources.perms import AssetPermissionGenerator
+from resources.terminal import CommandGenerator
 # from resources.system import StatGenerator
 
 
@@ -26,6 +27,7 @@ resource_generator_mapper = {
     'user': UserGenerator,
     'user_group': UserGroupGenerator,
     'asset_permission': AssetPermissionGenerator,
+    'command': CommandGenerator,
     # 'stat': StatGenerator
 }
 
diff --git a/utils/generate_fake_data/resources/terminal.py b/utils/generate_fake_data/resources/terminal.py
new file mode 100644
index 000000000..48d825b47
--- /dev/null
+++ b/utils/generate_fake_data/resources/terminal.py
@@ -0,0 +1,10 @@
+from .base import FakeDataGenerator
+from terminal.models import Command
+
+
+class CommandGenerator(FakeDataGenerator):
+    resource = 'command'
+
+    def do_generate(self, batch, batch_size):
+        Command.generate_fake(len(batch), self.org)
+

From c58d2456363371d6fd05852a0e3de7bf522a6512 Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Wed, 30 Mar 2022 19:51:56 +0800
Subject: [PATCH 002/258] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8Dkoko=20setting?=
 =?UTF-8?q?=20(#8005)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: feng626 <1304903146@qq.com>
---
 apps/settings/serializers/terminal.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/apps/settings/serializers/terminal.py b/apps/settings/serializers/terminal.py
index 1ad5d9e75..c6073aa28 100644
--- a/apps/settings/serializers/terminal.py
+++ b/apps/settings/serializers/terminal.py
@@ -39,8 +39,12 @@ class TerminalSettingSerializer(serializers.Serializer):
     )
     XRDP_ENABLED = serializers.BooleanField(label=_("Enable XRDP"))
 
-    TERMINAL_KOKO_HOST = serializers.BooleanField(label=_("Koko host"))
-    TERMINAL_KOKO_SSH_PORT = serializers.BooleanField(label=_("Koko ssh port"))
+    TERMINAL_KOKO_HOST = serializers.CharField(
+        required=False, label=_("Koko host"), max_length=1024
+    )
+    TERMINAL_KOKO_SSH_PORT = serializers.CharField(
+        required=False, label=_("Koko ssh port"), max_length=1024
+    )
 
     TERMINAL_MAGNUS_ENABLED = serializers.BooleanField(label=_("Enable database proxy"))
     TERMINAL_MAGNUS_HOST = serializers.CharField(
@@ -59,4 +63,3 @@ class TerminalSettingSerializer(serializers.Serializer):
         required=False, label=_("PostgreSQL port"), default=54320,
         help_text=_('PostgreSQL protocol listen port')
     )
-

From 73cb5e10b414403b91b1acb3b34e7999153ccc65 Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Wed, 30 Mar 2022 19:30:27 +0800
Subject: [PATCH 003/258] =?UTF-8?q?fix:=20=E6=B7=BB=E5=8A=A0=E7=94=A8?=
 =?UTF-8?q?=E6=88=B7=E4=B8=8D=E8=83=BD=E8=87=AA=E6=9B=B4=E6=96=B0=E5=AD=97?=
 =?UTF-8?q?=E6=AE=B5=E9=80=BB=E8=BE=91=20&=20=E4=BF=AE=E5=A4=8D=E7=94=A8?=
 =?UTF-8?q?=E6=88=B7is=5Factive=E5=88=9B=E5=BB=BA=E5=A4=B1=E8=B4=A5?=
 =?UTF-8?q?=E7=9A=84=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

fix: 添加用户不能自更新字段逻辑 & 修复用户is_active创建失败的问题

fix: 添加用户不能自更新字段逻辑 & 修复用户is_active创建失败的问题
---
 apps/users/serializers/user.py | 28 +++++++++++++++++-----------
 1 file changed, 17 insertions(+), 11 deletions(-)

diff --git a/apps/users/serializers/user.py b/apps/users/serializers/user.py
index 56409addf..3014aa2d9 100644
--- a/apps/users/serializers/user.py
+++ b/apps/users/serializers/user.py
@@ -133,6 +133,7 @@ class UserSerializer(RolesSerializerMixin, CommonBulkSerializerMixin, serializer
             'date_joined', 'last_login', 'created_by', 'is_first_login',
             'wecom_id', 'dingtalk_id', 'feishu_id'
         ]
+        disallow_self_update_fields = ['is_active']
         extra_kwargs = {
             'password': {'write_only': True, 'required': False, 'allow_null': True, 'allow_blank': True},
             'public_key': {'write_only': True},
@@ -181,7 +182,23 @@ class UserSerializer(RolesSerializerMixin, CommonBulkSerializerMixin, serializer
                 attrs.pop(field, None)
         return attrs
 
+    def check_disallow_self_update_fields(self, attrs):
+        request = self.context.get('request')
+        if not request or not request.user.is_authenticated:
+            return attrs
+        if not self.instance:
+            return attrs
+        if request.user.id != self.instance.id:
+            return attrs
+        disallow_fields = set(list(attrs.keys())) & set(self.Meta.disallow_self_update_fields)
+        if not disallow_fields:
+            return attrs
+        # 用户自己不能更新自己的一些字段
+        error = 'User Cannot self-update fields: {}'.format(disallow_fields)
+        raise serializers.ValidationError(error)
+
     def validate(self, attrs):
+        attrs = self.check_disallow_self_update_fields(attrs)
         attrs = self.change_password_to_raw(attrs)
         attrs = self.clean_auth_fields(attrs)
         attrs.pop('password_strategy', None)
@@ -206,17 +223,6 @@ class UserSerializer(RolesSerializerMixin, CommonBulkSerializerMixin, serializer
             field.set(value)
         return instance
 
-    def validate_is_active(self, is_active):
-        request = self.context.get('request')
-        if not request or not request.user.is_authenticated:
-            return is_active
-
-        user = request.user
-        if user.id == self.instance.id and not is_active:
-            # 用户自己不能禁用启用自己
-            raise serializers.ValidationError("Cannot inactive self")
-        return is_active
-
     def update(self, instance, validated_data):
         save_handler = partial(super().update, instance)
         instance = self.save_and_set_custom_m2m_fields(validated_data, save_handler, created=False)

From eff562505e2480f4a8d7b8252e866a1ff705c477 Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Thu, 31 Mar 2022 11:22:48 +0800
Subject: [PATCH 004/258] =?UTF-8?q?feat:=20=E6=9B=B4=E6=96=B0=E7=BF=BB?=
 =?UTF-8?q?=E8=AF=91?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/locale/ja/LC_MESSAGES/django.po | 170 ++++++++++++++-------------
 apps/locale/zh/LC_MESSAGES/django.po | 170 ++++++++++++++-------------
 apps/users/serializers/user.py       |   2 +-
 3 files changed, 175 insertions(+), 167 deletions(-)

diff --git a/apps/locale/ja/LC_MESSAGES/django.po b/apps/locale/ja/LC_MESSAGES/django.po
index a6c716d25..bc5707e14 100644
--- a/apps/locale/ja/LC_MESSAGES/django.po
+++ b/apps/locale/ja/LC_MESSAGES/django.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-03-29 18:26+0800\n"
+"POT-Creation-Date: 2022-03-31 11:21+0800\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -31,7 +31,7 @@ msgstr "Acls"
 #: settings/models.py:29 settings/serializers/sms.py:6
 #: terminal/models/storage.py:23 terminal/models/task.py:16
 #: terminal/models/terminal.py:100 users/forms/profile.py:32
-#: users/models/group.py:15 users/models/user.py:659
+#: users/models/group.py:15 users/models/user.py:661
 #: users/templates/users/_select_user_modal.html:13
 #: users/templates/users/user_asset_permission.html:37
 #: users/templates/users/user_asset_permission.html:154
@@ -67,7 +67,7 @@ msgstr "アクティブ"
 #: perms/models/base.py:93 rbac/models/role.py:37 settings/models.py:34
 #: terminal/models/storage.py:26 terminal/models/terminal.py:114
 #: tickets/models/comment.py:24 tickets/models/ticket.py:154
-#: users/models/group.py:16 users/models/user.py:696
+#: users/models/group.py:16 users/models/user.py:698
 #: xpack/plugins/change_auth_plan/models/base.py:44
 #: xpack/plugins/cloud/models.py:35 xpack/plugins/cloud/models.py:116
 #: xpack/plugins/gathered_user/models.py:26
@@ -95,8 +95,8 @@ msgstr "ログイン確認"
 #: terminal/backends/command/models.py:19
 #: terminal/backends/command/serializers.py:12 terminal/models/session.py:42
 #: terminal/notifications.py:91 terminal/notifications.py:139
-#: tickets/models/comment.py:17 users/const.py:14 users/models/user.py:884
-#: users/models/user.py:915 users/serializers/group.py:19
+#: tickets/models/comment.py:17 users/const.py:14 users/models/user.py:886
+#: users/models/user.py:917 users/serializers/group.py:19
 #: users/templates/users/user_asset_permission.html:38
 #: users/templates/users/user_asset_permission.html:64
 #: users/templates/users/user_database_app_permission.html:37
@@ -170,7 +170,7 @@ msgstr "コンマ区切り文字列の形式。* はすべて一致すること
 #: authentication/forms.py:15 authentication/forms.py:17
 #: authentication/templates/authentication/_msg_different_city.html:9
 #: authentication/templates/authentication/_msg_oauth_bind.html:9
-#: ops/models/adhoc.py:159 users/forms/profile.py:31 users/models/user.py:657
+#: ops/models/adhoc.py:159 users/forms/profile.py:31 users/models/user.py:659
 #: users/templates/users/_msg_user_created.html:12
 #: users/templates/users/_select_user_modal.html:14
 #: xpack/plugins/change_auth_plan/models/asset.py:34
@@ -285,7 +285,7 @@ msgstr "アプリケーション"
 #: assets/models/cmd_filter.py:42 assets/models/user.py:338 audits/models.py:40
 #: perms/models/application_permission.py:33
 #: perms/models/asset_permission.py:25 terminal/backends/command/models.py:21
-#: terminal/backends/command/serializers.py:14 terminal/models/session.py:46
+#: terminal/backends/command/serializers.py:35 terminal/models/session.py:46
 #: users/templates/users/_granted_assets.html:27
 #: users/templates/users/user_asset_permission.html:42
 #: users/templates/users/user_asset_permission.html:76
@@ -380,7 +380,7 @@ msgstr "タイプ表示"
 #: assets/serializers/cmd_filter.py:49 common/db/models.py:113
 #: common/mixins/models.py:50 ops/models/adhoc.py:39 ops/models/command.py:30
 #: orgs/models.py:67 orgs/models.py:217 perms/models/base.py:92
-#: users/models/group.py:18 users/models/user.py:916
+#: users/models/group.py:18 users/models/user.py:918
 #: xpack/plugins/cloud/models.py:125
 msgid "Date created"
 msgstr "作成された日付"
@@ -632,7 +632,7 @@ msgstr "ラベル"
 #: assets/models/cluster.py:28 assets/models/cmd_filter.py:52
 #: assets/models/cmd_filter.py:99 assets/models/group.py:21
 #: common/db/models.py:111 common/mixins/models.py:49 orgs/models.py:66
-#: orgs/models.py:219 perms/models/base.py:91 users/models/user.py:704
+#: orgs/models.py:219 perms/models/base.py:91 users/models/user.py:706
 #: users/serializers/group.py:33
 #: xpack/plugins/change_auth_plan/models/base.py:48
 #: xpack/plugins/cloud/models.py:122 xpack/plugins/gathered_user/models.py:30
@@ -813,7 +813,7 @@ msgstr "帯域幅"
 msgid "Contact"
 msgstr "連絡先"
 
-#: assets/models/cluster.py:22 users/models/user.py:679
+#: assets/models/cluster.py:22 users/models/user.py:681
 msgid "Phone"
 msgstr "電話"
 
@@ -839,7 +839,7 @@ msgid "Default"
 msgstr "デフォルト"
 
 #: assets/models/cluster.py:36 assets/models/label.py:14 rbac/const.py:6
-#: users/models/user.py:901
+#: users/models/user.py:903
 msgid "System"
 msgstr "システム"
 
@@ -848,7 +848,7 @@ msgid "Default Cluster"
 msgstr "デフォルトクラスター"
 
 #: assets/models/cmd_filter.py:34 perms/models/base.py:86
-#: users/models/group.py:31 users/models/user.py:665
+#: users/models/group.py:31 users/models/user.py:667
 #: users/templates/users/_select_user_modal.html:16
 #: users/templates/users/user_asset_permission.html:39
 #: users/templates/users/user_asset_permission.html:67
@@ -866,7 +866,7 @@ msgid "Regex"
 msgstr "正規情報"
 
 #: assets/models/cmd_filter.py:68 ops/models/command.py:26
-#: terminal/backends/command/serializers.py:15 terminal/models/session.py:53
+#: terminal/backends/command/serializers.py:14 terminal/models/session.py:53
 #: terminal/templates/terminal/_msg_command_alert.html:12
 #: terminal/templates/terminal/_msg_command_execute_alert.html:10
 msgid "Command"
@@ -1510,7 +1510,7 @@ msgstr "ユーザーエージェント"
 
 #: audits/models.py:124
 #: authentication/templates/authentication/_mfa_confirm_modal.html:14
-#: users/forms/profile.py:64 users/models/user.py:682
+#: users/forms/profile.py:64 users/models/user.py:684
 #: users/serializers/profile.py:121
 msgid "MFA"
 msgstr "MFA"
@@ -1588,13 +1588,13 @@ msgstr "認証トークン"
 
 #: audits/signal_handlers.py:71 authentication/notifications.py:73
 #: authentication/views/login.py:164 authentication/views/wecom.py:181
-#: notifications/backends/__init__.py:11 users/models/user.py:718
+#: notifications/backends/__init__.py:11 users/models/user.py:720
 msgid "WeCom"
 msgstr "企業微信"
 
 #: audits/signal_handlers.py:72 authentication/views/dingtalk.py:182
 #: authentication/views/login.py:170 notifications/backends/__init__.py:12
-#: users/models/user.py:719
+#: users/models/user.py:721
 msgid "DingTalk"
 msgstr "DingTalk"
 
@@ -2134,14 +2134,14 @@ msgid "Show"
 msgstr "表示"
 
 #: authentication/templates/authentication/_access_key_modal.html:66
-#: settings/serializers/security.py:39 users/models/user.py:554
+#: settings/serializers/security.py:39 users/models/user.py:556
 #: users/serializers/profile.py:111 users/templates/users/mfa_setting.html:61
 #: users/templates/users/user_verify_mfa.html:36
 msgid "Disable"
 msgstr "無効化"
 
 #: authentication/templates/authentication/_access_key_modal.html:67
-#: users/models/user.py:555 users/serializers/profile.py:112
+#: users/models/user.py:557 users/serializers/profile.py:112
 #: users/templates/users/mfa_setting.html:26
 #: users/templates/users/mfa_setting.html:68
 msgid "Enable"
@@ -2399,7 +2399,7 @@ msgid "The FeiShu is already bound to another user"
 msgstr "FeiShuはすでに別のユーザーにバインドされています"
 
 #: authentication/views/feishu.py:148 authentication/views/login.py:176
-#: notifications/backends/__init__.py:14 users/models/user.py:720
+#: notifications/backends/__init__.py:14 users/models/user.py:722
 msgid "FeiShu"
 msgstr "本を飛ばす"
 
@@ -2699,7 +2699,7 @@ msgid "Notifications"
 msgstr "通知"
 
 #: notifications/backends/__init__.py:10 users/forms/profile.py:101
-#: users/models/user.py:661
+#: users/models/user.py:663
 msgid "Email"
 msgstr "メール"
 
@@ -2925,7 +2925,7 @@ msgid "Can view root org"
 msgstr "グローバル組織を表示できます"
 
 #: orgs/models.py:216 rbac/models/role.py:46 rbac/models/rolebinding.py:43
-#: users/models/user.py:669 users/templates/users/_select_user_modal.html:15
+#: users/models/user.py:671 users/templates/users/_select_user_modal.html:15
 msgid "Role"
 msgstr "ロール"
 
@@ -3012,7 +3012,7 @@ msgstr "クリップボードコピーペースト"
 #: perms/models/base.py:90
 #: tickets/serializers/ticket/meta/ticket_type/apply_application.py:58
 #: tickets/serializers/ticket/meta/ticket_type/apply_asset.py:60
-#: users/models/user.py:701
+#: users/models/user.py:703
 msgid "Date expired"
 msgstr "期限切れの日付"
 
@@ -3055,15 +3055,15 @@ msgstr "Organization {} のアプリケーション権限"
 #: perms/serializers/application/permission.py:20
 #: perms/serializers/application/permission.py:41
 #: perms/serializers/asset/permission.py:19
-#: perms/serializers/asset/permission.py:45 users/serializers/user.py:139
+#: perms/serializers/asset/permission.py:45 users/serializers/user.py:141
 msgid "Is valid"
 msgstr "有効です"
 
 #: perms/serializers/application/permission.py:21
 #: perms/serializers/application/permission.py:40
 #: perms/serializers/asset/permission.py:20
-#: perms/serializers/asset/permission.py:44 users/serializers/user.py:85
-#: users/serializers/user.py:141
+#: perms/serializers/asset/permission.py:44 users/serializers/user.py:86
+#: users/serializers/user.py:143
 msgid "Is expired"
 msgstr "期限切れです"
 
@@ -4268,47 +4268,47 @@ msgstr "RDP訪問先住所、例: dev.jumpserver.org:3389"
 msgid "Enable XRDP"
 msgstr "XRDPの有効化"
 
-#: settings/serializers/terminal.py:42
+#: settings/serializers/terminal.py:43
 msgid "Koko host"
 msgstr "KOKO ホストアドレス"
 
-#: settings/serializers/terminal.py:43
+#: settings/serializers/terminal.py:46
 msgid "Koko ssh port"
 msgstr "Koko ssh ポート"
 
-#: settings/serializers/terminal.py:45
+#: settings/serializers/terminal.py:49
 msgid "Enable database proxy"
 msgstr "属性マップの有効化"
 
-#: settings/serializers/terminal.py:47
+#: settings/serializers/terminal.py:51
 msgid "Database proxy host"
 msgstr "データベースエージェントホスト"
 
-#: settings/serializers/terminal.py:48
+#: settings/serializers/terminal.py:52
 msgid "Database proxy host, eg: dev.jumpserver.org"
 msgstr "RDP訪問先住所、例: dev.jumpserver.org:3389"
 
-#: settings/serializers/terminal.py:51
+#: settings/serializers/terminal.py:55
 msgid "MySQL port"
 msgstr "MySQLポート"
 
-#: settings/serializers/terminal.py:52
+#: settings/serializers/terminal.py:56
 msgid "MySQL protocol listen port"
 msgstr "MySQLプロトコルリッスンポート"
 
-#: settings/serializers/terminal.py:55
+#: settings/serializers/terminal.py:59
 msgid "MariaDB port"
 msgstr "MariaDBポート"
 
-#: settings/serializers/terminal.py:56
+#: settings/serializers/terminal.py:60
 msgid "MariaDB protocol listen port"
 msgstr "MariaDBプロトコルリッスンポート"
 
-#: settings/serializers/terminal.py:59
+#: settings/serializers/terminal.py:63
 msgid "PostgreSQL port"
 msgstr "PostgreSQLポート"
 
-#: settings/serializers/terminal.py:60
+#: settings/serializers/terminal.py:64
 msgid "PostgreSQL protocol listen port"
 msgstr "PostgreSQLプロトコルリッスンポート"
 
@@ -4859,7 +4859,7 @@ msgid "Input"
 msgstr "入力"
 
 #: terminal/backends/command/models.py:23
-#: terminal/backends/command/serializers.py:16
+#: terminal/backends/command/serializers.py:36
 msgid "Output"
 msgstr "出力"
 
@@ -4870,23 +4870,23 @@ msgid "Session"
 msgstr "セッション"
 
 #: terminal/backends/command/models.py:25
-#: terminal/backends/command/serializers.py:18
+#: terminal/backends/command/serializers.py:17
 msgid "Risk level"
 msgstr "リスクレベル"
 
-#: terminal/backends/command/serializers.py:17
+#: terminal/backends/command/serializers.py:15
 msgid "Session ID"
 msgstr "セッションID"
 
-#: terminal/backends/command/serializers.py:19
+#: terminal/backends/command/serializers.py:37
 msgid "Risk level display"
 msgstr "リスクレベル表示"
 
-#: terminal/backends/command/serializers.py:21
+#: terminal/backends/command/serializers.py:38
 msgid "Timestamp"
 msgstr "タイムスタンプ"
 
-#: terminal/backends/command/serializers.py:22 terminal/models/terminal.py:105
+#: terminal/backends/command/serializers.py:39 terminal/models/terminal.py:105
 msgid "Remote Address"
 msgstr "リモートアドレス"
 
@@ -4915,7 +4915,7 @@ msgstr "一括作成非サポート"
 msgid "Storage is invalid"
 msgstr "ストレージが無効です"
 
-#: terminal/models/command.py:24
+#: terminal/models/command.py:53
 msgid "Command record"
 msgstr "コマンドレコード"
 
@@ -5140,7 +5140,7 @@ msgstr "エンドポイントが無効: パス '{}' を削除"
 msgid "Bucket"
 msgstr "バケット"
 
-#: terminal/serializers/storage.py:34 users/models/user.py:693
+#: terminal/serializers/storage.py:34 users/models/user.py:695
 msgid "Secret key"
 msgstr "秘密キー"
 
@@ -5747,68 +5747,68 @@ msgstr "公開鍵は古いものと同じであってはなりません。"
 msgid "Not a valid ssh public key"
 msgstr "有効なssh公開鍵ではありません"
 
-#: users/forms/profile.py:160 users/models/user.py:690
+#: users/forms/profile.py:160 users/models/user.py:692
 #: users/templates/users/user_password_update.html:48
 msgid "Public key"
 msgstr "公開キー"
 
-#: users/models/user.py:556
+#: users/models/user.py:558
 msgid "Force enable"
 msgstr "強制有効"
 
-#: users/models/user.py:623
+#: users/models/user.py:625
 msgid "Local"
 msgstr "ローカル"
 
-#: users/models/user.py:671 users/serializers/user.py:140
+#: users/models/user.py:673 users/serializers/user.py:142
 msgid "Is service account"
 msgstr "サービスアカウントです"
 
-#: users/models/user.py:673
+#: users/models/user.py:675
 msgid "Avatar"
 msgstr "アバター"
 
-#: users/models/user.py:676
+#: users/models/user.py:678
 msgid "Wechat"
 msgstr "微信"
 
-#: users/models/user.py:687
+#: users/models/user.py:689
 msgid "Private key"
 msgstr "ssh秘密鍵"
 
-#: users/models/user.py:709
+#: users/models/user.py:711
 msgid "Source"
 msgstr "ソース"
 
-#: users/models/user.py:713
+#: users/models/user.py:715
 msgid "Date password last updated"
 msgstr "最終更新日パスワード"
 
-#: users/models/user.py:716
+#: users/models/user.py:718
 msgid "Need update password"
 msgstr "更新パスワードが必要"
 
-#: users/models/user.py:886
+#: users/models/user.py:888
 msgid "Can invite user"
 msgstr "ユーザーを招待できます"
 
-#: users/models/user.py:887
+#: users/models/user.py:889
 msgid "Can remove user"
 msgstr "ユーザーを削除できます"
 
-#: users/models/user.py:888
+#: users/models/user.py:890
 msgid "Can match user"
 msgstr "ユーザーに一致できます"
 
-#: users/models/user.py:897
+#: users/models/user.py:899
 msgid "Administrator"
 msgstr "管理者"
 
-#: users/models/user.py:900
+#: users/models/user.py:902
 msgid "Administrator is the super user of system"
 msgstr "管理者はシステムのスーパーユーザーです"
 
-#: users/models/user.py:925
+#: users/models/user.py:927
 msgid "User password history"
 msgstr "ユーザーパスワード履歴"
 
@@ -5859,97 +5859,101 @@ msgstr "新しいパスワードを最後の {} 個のパスワードにする
 msgid "The newly set password is inconsistent"
 msgstr "新しく設定されたパスワードが一致しない"
 
-#: users/serializers/profile.py:142 users/serializers/user.py:138
+#: users/serializers/profile.py:142 users/serializers/user.py:140
 msgid "Is first login"
 msgstr "最初のログインです"
 
-#: users/serializers/user.py:24 users/serializers/user.py:31
+#: users/serializers/user.py:25 users/serializers/user.py:32
 msgid "System roles"
 msgstr "システムの役割"
 
-#: users/serializers/user.py:29 users/serializers/user.py:32
+#: users/serializers/user.py:30 users/serializers/user.py:33
 msgid "Org roles"
 msgstr "組織ロール"
 
-#: users/serializers/user.py:77
+#: users/serializers/user.py:78
 #: xpack/plugins/change_auth_plan/models/base.py:35
 #: xpack/plugins/change_auth_plan/serializers/base.py:22
 msgid "Password strategy"
 msgstr "パスワード戦略"
 
-#: users/serializers/user.py:79
+#: users/serializers/user.py:80
 msgid "MFA enabled"
 msgstr "MFA有効化"
 
-#: users/serializers/user.py:80
+#: users/serializers/user.py:81
 msgid "MFA force enabled"
 msgstr "MFAフォース有効化"
 
-#: users/serializers/user.py:82
+#: users/serializers/user.py:83
 msgid "MFA level display"
 msgstr "MFAレベル表示"
 
-#: users/serializers/user.py:84
+#: users/serializers/user.py:85
 msgid "Login blocked"
 msgstr "ログインブロック"
 
-#: users/serializers/user.py:87
+#: users/serializers/user.py:88
 msgid "Can public key authentication"
 msgstr "公開鍵認証が可能"
 
-#: users/serializers/user.py:142
+#: users/serializers/user.py:144
 msgid "Avatar url"
 msgstr "アバターURL"
 
-#: users/serializers/user.py:144
+#: users/serializers/user.py:146
 msgid "Groups name"
 msgstr "グループ名"
 
-#: users/serializers/user.py:145
+#: users/serializers/user.py:147
 msgid "Source name"
 msgstr "ソース名"
 
-#: users/serializers/user.py:146
+#: users/serializers/user.py:148
 msgid "Organization role name"
 msgstr "組織の役割名"
 
-#: users/serializers/user.py:147
+#: users/serializers/user.py:149
 msgid "Super role name"
 msgstr "スーパーロール名"
 
-#: users/serializers/user.py:148
+#: users/serializers/user.py:150
 msgid "Total role name"
 msgstr "合計ロール名"
 
-#: users/serializers/user.py:150
+#: users/serializers/user.py:152
 msgid "Is wecom bound"
 msgstr "企業の微信をバインドしているかどうか"
 
-#: users/serializers/user.py:151
+#: users/serializers/user.py:153
 msgid "Is dingtalk bound"
 msgstr "ピンをバインドしているかどうか"
 
-#: users/serializers/user.py:152
+#: users/serializers/user.py:154
 msgid "Is feishu bound"
 msgstr "飛本を縛ったかどうか"
 
-#: users/serializers/user.py:153
+#: users/serializers/user.py:155
 msgid "Is OTP bound"
 msgstr "仮想MFAがバインドされているか"
 
-#: users/serializers/user.py:155
+#: users/serializers/user.py:157
 msgid "System role name"
 msgstr "システムロール名"
 
-#: users/serializers/user.py:247
+#: users/serializers/user.py:197
+msgid "User cannot self-update fields: {}"
+msgstr "ユーザーは自分のフィールドを更新できません: {}"
+
+#: users/serializers/user.py:254
 msgid "Select users"
 msgstr "ユーザーの選択"
 
-#: users/serializers/user.py:248
+#: users/serializers/user.py:255
 msgid "For security, only list several users"
 msgstr "セキュリティのために、複数のユーザーのみをリストします"
 
-#: users/serializers/user.py:281
+#: users/serializers/user.py:290
 msgid "name not unique"
 msgstr "名前が一意ではない"
 
diff --git a/apps/locale/zh/LC_MESSAGES/django.po b/apps/locale/zh/LC_MESSAGES/django.po
index ee4727335..ffd8d4ba3 100644
--- a/apps/locale/zh/LC_MESSAGES/django.po
+++ b/apps/locale/zh/LC_MESSAGES/django.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: JumpServer 0.3.3\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-03-29 18:26+0800\n"
+"POT-Creation-Date: 2022-03-31 11:19+0800\n"
 "PO-Revision-Date: 2021-05-20 10:54+0800\n"
 "Last-Translator: ibuler <ibuler@qq.com>\n"
 "Language-Team: JumpServer team<ibuler@qq.com>\n"
@@ -30,7 +30,7 @@ msgstr "访问控制"
 #: settings/models.py:29 settings/serializers/sms.py:6
 #: terminal/models/storage.py:23 terminal/models/task.py:16
 #: terminal/models/terminal.py:100 users/forms/profile.py:32
-#: users/models/group.py:15 users/models/user.py:659
+#: users/models/group.py:15 users/models/user.py:661
 #: users/templates/users/_select_user_modal.html:13
 #: users/templates/users/user_asset_permission.html:37
 #: users/templates/users/user_asset_permission.html:154
@@ -66,7 +66,7 @@ msgstr "激活中"
 #: perms/models/base.py:93 rbac/models/role.py:37 settings/models.py:34
 #: terminal/models/storage.py:26 terminal/models/terminal.py:114
 #: tickets/models/comment.py:24 tickets/models/ticket.py:154
-#: users/models/group.py:16 users/models/user.py:696
+#: users/models/group.py:16 users/models/user.py:698
 #: xpack/plugins/change_auth_plan/models/base.py:44
 #: xpack/plugins/cloud/models.py:35 xpack/plugins/cloud/models.py:116
 #: xpack/plugins/gathered_user/models.py:26
@@ -94,8 +94,8 @@ msgstr "登录复核"
 #: terminal/backends/command/models.py:19
 #: terminal/backends/command/serializers.py:12 terminal/models/session.py:42
 #: terminal/notifications.py:91 terminal/notifications.py:139
-#: tickets/models/comment.py:17 users/const.py:14 users/models/user.py:884
-#: users/models/user.py:915 users/serializers/group.py:19
+#: tickets/models/comment.py:17 users/const.py:14 users/models/user.py:886
+#: users/models/user.py:917 users/serializers/group.py:19
 #: users/templates/users/user_asset_permission.html:38
 #: users/templates/users/user_asset_permission.html:64
 #: users/templates/users/user_database_app_permission.html:37
@@ -169,7 +169,7 @@ msgstr "格式为逗号分隔的字符串, * 表示匹配所有. "
 #: authentication/forms.py:15 authentication/forms.py:17
 #: authentication/templates/authentication/_msg_different_city.html:9
 #: authentication/templates/authentication/_msg_oauth_bind.html:9
-#: ops/models/adhoc.py:159 users/forms/profile.py:31 users/models/user.py:657
+#: ops/models/adhoc.py:159 users/forms/profile.py:31 users/models/user.py:659
 #: users/templates/users/_msg_user_created.html:12
 #: users/templates/users/_select_user_modal.html:14
 #: xpack/plugins/change_auth_plan/models/asset.py:34
@@ -280,7 +280,7 @@ msgstr "应用程序"
 #: assets/models/cmd_filter.py:42 assets/models/user.py:338 audits/models.py:40
 #: perms/models/application_permission.py:33
 #: perms/models/asset_permission.py:25 terminal/backends/command/models.py:21
-#: terminal/backends/command/serializers.py:14 terminal/models/session.py:46
+#: terminal/backends/command/serializers.py:35 terminal/models/session.py:46
 #: users/templates/users/_granted_assets.html:27
 #: users/templates/users/user_asset_permission.html:42
 #: users/templates/users/user_asset_permission.html:76
@@ -375,7 +375,7 @@ msgstr "类型名称"
 #: assets/serializers/cmd_filter.py:49 common/db/models.py:113
 #: common/mixins/models.py:50 ops/models/adhoc.py:39 ops/models/command.py:30
 #: orgs/models.py:67 orgs/models.py:217 perms/models/base.py:92
-#: users/models/group.py:18 users/models/user.py:916
+#: users/models/group.py:18 users/models/user.py:918
 #: xpack/plugins/cloud/models.py:125
 msgid "Date created"
 msgstr "创建日期"
@@ -627,7 +627,7 @@ msgstr "标签管理"
 #: assets/models/cluster.py:28 assets/models/cmd_filter.py:52
 #: assets/models/cmd_filter.py:99 assets/models/group.py:21
 #: common/db/models.py:111 common/mixins/models.py:49 orgs/models.py:66
-#: orgs/models.py:219 perms/models/base.py:91 users/models/user.py:704
+#: orgs/models.py:219 perms/models/base.py:91 users/models/user.py:706
 #: users/serializers/group.py:33
 #: xpack/plugins/change_auth_plan/models/base.py:48
 #: xpack/plugins/cloud/models.py:122 xpack/plugins/gathered_user/models.py:30
@@ -808,7 +808,7 @@ msgstr "带宽"
 msgid "Contact"
 msgstr "联系人"
 
-#: assets/models/cluster.py:22 users/models/user.py:679
+#: assets/models/cluster.py:22 users/models/user.py:681
 msgid "Phone"
 msgstr "手机"
 
@@ -834,7 +834,7 @@ msgid "Default"
 msgstr "默认"
 
 #: assets/models/cluster.py:36 assets/models/label.py:14 rbac/const.py:6
-#: users/models/user.py:901
+#: users/models/user.py:903
 msgid "System"
 msgstr "系统"
 
@@ -843,7 +843,7 @@ msgid "Default Cluster"
 msgstr "默认Cluster"
 
 #: assets/models/cmd_filter.py:34 perms/models/base.py:86
-#: users/models/group.py:31 users/models/user.py:665
+#: users/models/group.py:31 users/models/user.py:667
 #: users/templates/users/_select_user_modal.html:16
 #: users/templates/users/user_asset_permission.html:39
 #: users/templates/users/user_asset_permission.html:67
@@ -861,7 +861,7 @@ msgid "Regex"
 msgstr "正则表达式"
 
 #: assets/models/cmd_filter.py:68 ops/models/command.py:26
-#: terminal/backends/command/serializers.py:15 terminal/models/session.py:53
+#: terminal/backends/command/serializers.py:14 terminal/models/session.py:53
 #: terminal/templates/terminal/_msg_command_alert.html:12
 #: terminal/templates/terminal/_msg_command_execute_alert.html:10
 msgid "Command"
@@ -1498,7 +1498,7 @@ msgstr "用户代理"
 
 #: audits/models.py:124
 #: authentication/templates/authentication/_mfa_confirm_modal.html:14
-#: users/forms/profile.py:64 users/models/user.py:682
+#: users/forms/profile.py:64 users/models/user.py:684
 #: users/serializers/profile.py:121
 msgid "MFA"
 msgstr "MFA"
@@ -1576,13 +1576,13 @@ msgstr "认证令牌"
 
 #: audits/signal_handlers.py:71 authentication/notifications.py:73
 #: authentication/views/login.py:164 authentication/views/wecom.py:181
-#: notifications/backends/__init__.py:11 users/models/user.py:718
+#: notifications/backends/__init__.py:11 users/models/user.py:720
 msgid "WeCom"
 msgstr "企业微信"
 
 #: audits/signal_handlers.py:72 authentication/views/dingtalk.py:182
 #: authentication/views/login.py:170 notifications/backends/__init__.py:12
-#: users/models/user.py:719
+#: users/models/user.py:721
 msgid "DingTalk"
 msgstr "钉钉"
 
@@ -2113,14 +2113,14 @@ msgid "Show"
 msgstr "显示"
 
 #: authentication/templates/authentication/_access_key_modal.html:66
-#: settings/serializers/security.py:39 users/models/user.py:554
+#: settings/serializers/security.py:39 users/models/user.py:556
 #: users/serializers/profile.py:111 users/templates/users/mfa_setting.html:61
 #: users/templates/users/user_verify_mfa.html:36
 msgid "Disable"
 msgstr "禁用"
 
 #: authentication/templates/authentication/_access_key_modal.html:67
-#: users/models/user.py:555 users/serializers/profile.py:112
+#: users/models/user.py:557 users/serializers/profile.py:112
 #: users/templates/users/mfa_setting.html:26
 #: users/templates/users/mfa_setting.html:68
 msgid "Enable"
@@ -2369,7 +2369,7 @@ msgid "The FeiShu is already bound to another user"
 msgstr "该飞书已经绑定其他用户"
 
 #: authentication/views/feishu.py:148 authentication/views/login.py:176
-#: notifications/backends/__init__.py:14 users/models/user.py:720
+#: notifications/backends/__init__.py:14 users/models/user.py:722
 msgid "FeiShu"
 msgstr "飞书"
 
@@ -2664,7 +2664,7 @@ msgid "Notifications"
 msgstr "通知"
 
 #: notifications/backends/__init__.py:10 users/forms/profile.py:101
-#: users/models/user.py:661
+#: users/models/user.py:663
 msgid "Email"
 msgstr "邮件"
 
@@ -2890,7 +2890,7 @@ msgid "Can view root org"
 msgstr "可以查看全局组织"
 
 #: orgs/models.py:216 rbac/models/role.py:46 rbac/models/rolebinding.py:43
-#: users/models/user.py:669 users/templates/users/_select_user_modal.html:15
+#: users/models/user.py:671 users/templates/users/_select_user_modal.html:15
 msgid "Role"
 msgstr "角色"
 
@@ -2977,7 +2977,7 @@ msgstr "剪贴板复制粘贴"
 #: perms/models/base.py:90
 #: tickets/serializers/ticket/meta/ticket_type/apply_application.py:58
 #: tickets/serializers/ticket/meta/ticket_type/apply_asset.py:60
-#: users/models/user.py:701
+#: users/models/user.py:703
 msgid "Date expired"
 msgstr "失效日期"
 
@@ -3020,15 +3020,15 @@ msgstr "组织 ({}) 的应用授权"
 #: perms/serializers/application/permission.py:20
 #: perms/serializers/application/permission.py:41
 #: perms/serializers/asset/permission.py:19
-#: perms/serializers/asset/permission.py:45 users/serializers/user.py:139
+#: perms/serializers/asset/permission.py:45 users/serializers/user.py:141
 msgid "Is valid"
 msgstr "账号是否有效"
 
 #: perms/serializers/application/permission.py:21
 #: perms/serializers/application/permission.py:40
 #: perms/serializers/asset/permission.py:20
-#: perms/serializers/asset/permission.py:44 users/serializers/user.py:85
-#: users/serializers/user.py:141
+#: perms/serializers/asset/permission.py:44 users/serializers/user.py:86
+#: users/serializers/user.py:143
 msgid "Is expired"
 msgstr "已过期"
 
@@ -4206,47 +4206,47 @@ msgstr "RDP 访问地址, 如: dev.jumpserver.org:3389"
 msgid "Enable XRDP"
 msgstr "启用 XRDP 服务"
 
-#: settings/serializers/terminal.py:42
+#: settings/serializers/terminal.py:43
 msgid "Koko host"
 msgstr "KOKO 主机地址"
 
-#: settings/serializers/terminal.py:43
+#: settings/serializers/terminal.py:46
 msgid "Koko ssh port"
 msgstr "KOKO ssh 端口"
 
-#: settings/serializers/terminal.py:45
+#: settings/serializers/terminal.py:49
 msgid "Enable database proxy"
 msgstr "启用数据库组件"
 
-#: settings/serializers/terminal.py:47
+#: settings/serializers/terminal.py:51
 msgid "Database proxy host"
 msgstr "数据库主机地址"
 
-#: settings/serializers/terminal.py:48
+#: settings/serializers/terminal.py:52
 msgid "Database proxy host, eg: dev.jumpserver.org"
 msgstr "数据库组件地址, 如: dev.jumpserver.org (没有端口, 不同协议端口不同)"
 
-#: settings/serializers/terminal.py:51
+#: settings/serializers/terminal.py:55
 msgid "MySQL port"
 msgstr "MySQL 协议端口"
 
-#: settings/serializers/terminal.py:52
+#: settings/serializers/terminal.py:56
 msgid "MySQL protocol listen port"
 msgstr "MySQL 协议监听端口"
 
-#: settings/serializers/terminal.py:55
+#: settings/serializers/terminal.py:59
 msgid "MariaDB port"
 msgstr "MariaDB 端口"
 
-#: settings/serializers/terminal.py:56
+#: settings/serializers/terminal.py:60
 msgid "MariaDB protocol listen port"
 msgstr "MariaDB 协议监听的端口"
 
-#: settings/serializers/terminal.py:59
+#: settings/serializers/terminal.py:63
 msgid "PostgreSQL port"
 msgstr "PostgreSQL 端口"
 
-#: settings/serializers/terminal.py:60
+#: settings/serializers/terminal.py:64
 msgid "PostgreSQL protocol listen port"
 msgstr "PostgreSQL 协议监听端口"
 
@@ -4786,7 +4786,7 @@ msgid "Input"
 msgstr "输入"
 
 #: terminal/backends/command/models.py:23
-#: terminal/backends/command/serializers.py:16
+#: terminal/backends/command/serializers.py:36
 msgid "Output"
 msgstr "输出"
 
@@ -4797,23 +4797,23 @@ msgid "Session"
 msgstr "会话"
 
 #: terminal/backends/command/models.py:25
-#: terminal/backends/command/serializers.py:18
+#: terminal/backends/command/serializers.py:17
 msgid "Risk level"
 msgstr "风险等级"
 
-#: terminal/backends/command/serializers.py:17
+#: terminal/backends/command/serializers.py:15
 msgid "Session ID"
 msgstr "会话ID"
 
-#: terminal/backends/command/serializers.py:19
+#: terminal/backends/command/serializers.py:37
 msgid "Risk level display"
 msgstr "风险等级名称"
 
-#: terminal/backends/command/serializers.py:21
+#: terminal/backends/command/serializers.py:38
 msgid "Timestamp"
 msgstr "时间戳"
 
-#: terminal/backends/command/serializers.py:22 terminal/models/terminal.py:105
+#: terminal/backends/command/serializers.py:39 terminal/models/terminal.py:105
 msgid "Remote Address"
 msgstr "远端地址"
 
@@ -4842,7 +4842,7 @@ msgstr "不支持批量创建"
 msgid "Storage is invalid"
 msgstr "存储无效"
 
-#: terminal/models/command.py:24
+#: terminal/models/command.py:53
 msgid "Command record"
 msgstr "命令记录"
 
@@ -5067,7 +5067,7 @@ msgstr "端点无效: 移除路径 `{}`"
 msgid "Bucket"
 msgstr "桶名称"
 
-#: terminal/serializers/storage.py:34 users/models/user.py:693
+#: terminal/serializers/storage.py:34 users/models/user.py:695
 msgid "Secret key"
 msgstr "密钥"
 
@@ -5670,68 +5670,68 @@ msgstr "不能和原来的密钥相同"
 msgid "Not a valid ssh public key"
 msgstr "SSH密钥不合法"
 
-#: users/forms/profile.py:160 users/models/user.py:690
+#: users/forms/profile.py:160 users/models/user.py:692
 #: users/templates/users/user_password_update.html:48
 msgid "Public key"
 msgstr "SSH公钥"
 
-#: users/models/user.py:556
+#: users/models/user.py:558
 msgid "Force enable"
 msgstr "强制启用"
 
-#: users/models/user.py:623
+#: users/models/user.py:625
 msgid "Local"
 msgstr "数据库"
 
-#: users/models/user.py:671 users/serializers/user.py:140
+#: users/models/user.py:673 users/serializers/user.py:142
 msgid "Is service account"
 msgstr "服务账号"
 
-#: users/models/user.py:673
+#: users/models/user.py:675
 msgid "Avatar"
 msgstr "头像"
 
-#: users/models/user.py:676
+#: users/models/user.py:678
 msgid "Wechat"
 msgstr "微信"
 
-#: users/models/user.py:687
+#: users/models/user.py:689
 msgid "Private key"
 msgstr "ssh私钥"
 
-#: users/models/user.py:709
+#: users/models/user.py:711
 msgid "Source"
 msgstr "来源"
 
-#: users/models/user.py:713
+#: users/models/user.py:715
 msgid "Date password last updated"
 msgstr "最后更新密码日期"
 
-#: users/models/user.py:716
+#: users/models/user.py:718
 msgid "Need update password"
 msgstr "需要更新密码"
 
-#: users/models/user.py:886
+#: users/models/user.py:888
 msgid "Can invite user"
 msgstr "可以邀请用户"
 
-#: users/models/user.py:887
+#: users/models/user.py:889
 msgid "Can remove user"
 msgstr "可以移除用户"
 
-#: users/models/user.py:888
+#: users/models/user.py:890
 msgid "Can match user"
 msgstr "可以匹配用户"
 
-#: users/models/user.py:897
+#: users/models/user.py:899
 msgid "Administrator"
 msgstr "管理员"
 
-#: users/models/user.py:900
+#: users/models/user.py:902
 msgid "Administrator is the super user of system"
 msgstr "Administrator是初始的超级管理员"
 
-#: users/models/user.py:925
+#: users/models/user.py:927
 msgid "User password history"
 msgstr "用户密码历史"
 
@@ -5782,97 +5782,101 @@ msgstr "新密码不能是最近 {} 次的密码"
 msgid "The newly set password is inconsistent"
 msgstr "两次密码不一致"
 
-#: users/serializers/profile.py:142 users/serializers/user.py:138
+#: users/serializers/profile.py:142 users/serializers/user.py:140
 msgid "Is first login"
 msgstr "首次登录"
 
-#: users/serializers/user.py:24 users/serializers/user.py:31
+#: users/serializers/user.py:25 users/serializers/user.py:32
 msgid "System roles"
 msgstr "系统角色"
 
-#: users/serializers/user.py:29 users/serializers/user.py:32
+#: users/serializers/user.py:30 users/serializers/user.py:33
 msgid "Org roles"
 msgstr "组织角色"
 
-#: users/serializers/user.py:77
+#: users/serializers/user.py:78
 #: xpack/plugins/change_auth_plan/models/base.py:35
 #: xpack/plugins/change_auth_plan/serializers/base.py:22
 msgid "Password strategy"
 msgstr "密码策略"
 
-#: users/serializers/user.py:79
+#: users/serializers/user.py:80
 msgid "MFA enabled"
 msgstr "MFA"
 
-#: users/serializers/user.py:80
+#: users/serializers/user.py:81
 msgid "MFA force enabled"
 msgstr "强制 MFA"
 
-#: users/serializers/user.py:82
+#: users/serializers/user.py:83
 msgid "MFA level display"
 msgstr "MFA 等级名称"
 
-#: users/serializers/user.py:84
+#: users/serializers/user.py:85
 msgid "Login blocked"
 msgstr "登录被阻塞"
 
-#: users/serializers/user.py:87
+#: users/serializers/user.py:88
 msgid "Can public key authentication"
 msgstr "能否公钥认证"
 
-#: users/serializers/user.py:142
+#: users/serializers/user.py:144
 msgid "Avatar url"
 msgstr "头像路径"
 
-#: users/serializers/user.py:144
+#: users/serializers/user.py:146
 msgid "Groups name"
 msgstr "用户组名"
 
-#: users/serializers/user.py:145
+#: users/serializers/user.py:147
 msgid "Source name"
 msgstr "用户来源名"
 
-#: users/serializers/user.py:146
+#: users/serializers/user.py:148
 msgid "Organization role name"
 msgstr "组织角色名称"
 
-#: users/serializers/user.py:147
+#: users/serializers/user.py:149
 msgid "Super role name"
 msgstr "超级角色名称"
 
-#: users/serializers/user.py:148
+#: users/serializers/user.py:150
 msgid "Total role name"
 msgstr "汇总角色名称"
 
-#: users/serializers/user.py:150
+#: users/serializers/user.py:152
 msgid "Is wecom bound"
 msgstr "是否绑定了企业微信"
 
-#: users/serializers/user.py:151
+#: users/serializers/user.py:153
 msgid "Is dingtalk bound"
 msgstr "是否绑定了钉钉"
 
-#: users/serializers/user.py:152
+#: users/serializers/user.py:154
 msgid "Is feishu bound"
 msgstr "是否绑定了飞书"
 
-#: users/serializers/user.py:153
+#: users/serializers/user.py:155
 msgid "Is OTP bound"
 msgstr "是否绑定了虚拟 MFA"
 
-#: users/serializers/user.py:155
+#: users/serializers/user.py:157
 msgid "System role name"
 msgstr "系统角色名称"
 
-#: users/serializers/user.py:247
+#: users/serializers/user.py:197
+msgid "User cannot self-update fields: {}"
+msgstr "用户不能更新自己的字段: {}"
+
+#: users/serializers/user.py:254
 msgid "Select users"
 msgstr "选择用户"
 
-#: users/serializers/user.py:248
+#: users/serializers/user.py:255
 msgid "For security, only list several users"
 msgstr "为了安全，仅列出几个用户"
 
-#: users/serializers/user.py:281
+#: users/serializers/user.py:290
 msgid "name not unique"
 msgstr "名称重复"
 
diff --git a/apps/users/serializers/user.py b/apps/users/serializers/user.py
index 3014aa2d9..5a1043267 100644
--- a/apps/users/serializers/user.py
+++ b/apps/users/serializers/user.py
@@ -194,7 +194,7 @@ class UserSerializer(RolesSerializerMixin, CommonBulkSerializerMixin, serializer
         if not disallow_fields:
             return attrs
         # 用户自己不能更新自己的一些字段
-        error = 'User Cannot self-update fields: {}'.format(disallow_fields)
+        error = _('User cannot self-update fields: {}').format(disallow_fields)
         raise serializers.ValidationError(error)
 
     def validate(self, attrs):

From 3121b4e3ff36f097a1aa9f3f96ba4a12670a9094 Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Thu, 31 Mar 2022 11:38:49 +0800
Subject: [PATCH 005/258] =?UTF-8?q?feat:=20=E6=9B=B4=E6=96=B0=E7=BF=BB?=
 =?UTF-8?q?=E8=AF=91?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/locale/ja/LC_MESSAGES/django.mo | 4 ++--
 apps/locale/zh/LC_MESSAGES/django.mo | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/apps/locale/ja/LC_MESSAGES/django.mo b/apps/locale/ja/LC_MESSAGES/django.mo
index 22c57dcbe..69226e3a4 100644
--- a/apps/locale/ja/LC_MESSAGES/django.mo
+++ b/apps/locale/ja/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:050a3fd63c1cf9b3dc60c8f138d58f029f2e8a32a71abd99fff6899b68c0f6d9
-size 129742
+oid sha256:bf72c66551e2e7b951960d96054ede0e3e6f3419c4d693f844dc2a61f583390f
+size 129861
diff --git a/apps/locale/zh/LC_MESSAGES/django.mo b/apps/locale/zh/LC_MESSAGES/django.mo
index 860a45eaa..511437fb2 100644
--- a/apps/locale/zh/LC_MESSAGES/django.mo
+++ b/apps/locale/zh/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:1baa8c35aa2493c03c1fe7383a13ca4cfd9b18b44150770fb51f39433c18c74c
-size 107492
+oid sha256:6e803750e498ee3d0f3f66f7b74ee9c4b9fd3a6b2bc9a0ecf4bbd5a9c1582e18
+size 107581

From e602bc03419cbc9747d984cd8632260ea01deab4 Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Fri, 1 Apr 2022 16:52:50 +0800
Subject: [PATCH 006/258] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=E7=BD=91?=
 =?UTF-8?q?=E5=85=B3=E7=BF=BB=E8=AF=91=20(#8016)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: feng626 <1304903146@qq.com>
---
 apps/assets/serializers/domain.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/assets/serializers/domain.py b/apps/assets/serializers/domain.py
index b86938c43..6932572f8 100644
--- a/apps/assets/serializers/domain.py
+++ b/apps/assets/serializers/domain.py
@@ -43,7 +43,7 @@ class DomainSerializer(BulkOrgResourceModelSerializer):
 
 
 class GatewaySerializer(AuthSerializerMixin, BulkOrgResourceModelSerializer):
-    is_connective = serializers.BooleanField(required=False)
+    is_connective = serializers.BooleanField(required=False, label=_('Connectivity'))
 
     class Meta:
         model = Gateway

From a936092020f42e1bda57aa8f5d905c8b570f53a0 Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Sat, 2 Apr 2022 13:26:18 +0800
Subject: [PATCH 007/258] =?UTF-8?q?perf:=20es=E7=9B=B8=E5=85=B3=E4=BB=A3?=
 =?UTF-8?q?=E7=A0=81=E6=A0=BC=E5=BC=8F=E4=BC=98=E5=8C=96=20(#8020)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: feng626 <1304903146@qq.com>
---
 apps/terminal/backends/command/es.py | 37 ++++++++++++++--------------
 apps/terminal/serializers/storage.py | 18 +++-----------
 2 files changed, 21 insertions(+), 34 deletions(-)

diff --git a/apps/terminal/backends/command/es.py b/apps/terminal/backends/command/es.py
index d74ad3fa8..2e8a82c88 100644
--- a/apps/terminal/backends/command/es.py
+++ b/apps/terminal/backends/command/es.py
@@ -18,7 +18,6 @@ from common.utils import get_logger
 from common.exceptions import JMSException
 from .models import AbstractSessionCommand
 
-
 logger = get_logger(__file__)
 
 
@@ -27,7 +26,7 @@ class InvalidElasticsearch(JMSException):
     default_detail = _('Invalid elasticsearch config')
 
 
-class CommandStore():
+class CommandStore(object):
     def __init__(self, config):
         hosts = config.get("HOSTS")
         kwargs = config.get("OTHER", {})
@@ -208,7 +207,7 @@ class CommandStore():
         elif org_id in (real_default_org_id, ''):
             match.pop('org_id')
             should.append({
-                'bool':{
+                'bool': {
                     'must_not': [
                         {
                             'wildcard': {'org_id': '*'}
@@ -226,20 +225,20 @@ class CommandStore():
                     ],
                     'should': should,
                     'filter': [
-                        {
-                            'term': {k: v}
-                        } for k, v in exact.items()
-                    ] + [
-                        {
-                            'range': {
-                                'timestamp': timestamp_range
-                            }
-                        }
-                    ] + [
-                        {
-                            'ids': {k: v}
-                        } for k, v in index.items()
-                    ]
+                                  {
+                                      'term': {k: v}
+                                  } for k, v in exact.items()
+                              ] + [
+                                  {
+                                      'range': {
+                                          'timestamp': timestamp_range
+                                      }
+                                  }
+                              ] + [
+                                  {
+                                      'ids': {k: v}
+                                  } for k, v in index.items()
+                              ]
                 }
             },
         }
@@ -326,8 +325,8 @@ class QuerySet(DJQuerySet):
 
     def __getattribute__(self, item):
         if any((
-            item.startswith('__'),
-            item in QuerySet.__dict__,
+                item.startswith('__'),
+                item in QuerySet.__dict__,
         )):
             return object.__getattribute__(self, item)
 
diff --git a/apps/terminal/serializers/storage.py b/apps/terminal/serializers/storage.py
index 2b21625bd..81c885862 100644
--- a/apps/terminal/serializers/storage.py
+++ b/apps/terminal/serializers/storage.py
@@ -13,8 +13,6 @@ from rest_framework.validators import UniqueValidator
 
 # Replay storage serializers
 # --------------------------
-
-
 def replay_storage_endpoint_format_validator(endpoint):
     h = urlparse(endpoint)
     if h.path:
@@ -116,9 +114,8 @@ class ReplayStorageTypeAzureSerializer(serializers.Serializer):
         label=_('Endpoint suffix'), allow_null=True,
     )
 
+
 # mapping
-
-
 replay_storage_type_serializer_classes_mapping = {
     const.ReplayStorageTypeChoices.s3.value: ReplayStorageTypeS3Serializer,
     const.ReplayStorageTypeChoices.ceph.value: ReplayStorageTypeCephSerializer,
@@ -129,10 +126,9 @@ replay_storage_type_serializer_classes_mapping = {
     const.ReplayStorageTypeChoices.cos.value: ReplayStorageTypeCOSSerializer
 }
 
+
 # Command storage serializers
 # ---------------------------
-
-
 def command_storage_es_host_format_validator(host):
     h = urlparse(host)
     default_error_msg = _('The address format is incorrect')
@@ -151,7 +147,6 @@ def command_storage_es_host_format_validator(host):
 
 
 class CommandStorageTypeESSerializer(serializers.Serializer):
-
     hosts_help_text = '''
         Tip: If there are multiple hosts, use a comma (,) to separate them. <br>
         (eg: http://www.jumpserver.a.com:9100, http://www.jumpserver.b.com:9100)
@@ -169,17 +164,14 @@ class CommandStorageTypeESSerializer(serializers.Serializer):
         source='OTHER.IGNORE_VERIFY_CERTS', allow_null=True,
     )
 
+
 # mapping
-
-
 command_storage_type_serializer_classes_mapping = {
     const.CommandStorageTypeChoices.es.value: CommandStorageTypeESSerializer
 }
 
 
 # BaseStorageSerializer
-
-
 class BaseStorageSerializer(serializers.ModelSerializer):
     storage_type_serializer_classes_mapping = {}
     meta = MethodSerializer()
@@ -223,8 +215,6 @@ class BaseStorageSerializer(serializers.ModelSerializer):
 
 
 # CommandStorageSerializer
-
-
 class CommandStorageSerializer(BaseStorageSerializer):
     storage_type_serializer_classes_mapping = command_storage_type_serializer_classes_mapping
 
@@ -236,8 +226,6 @@ class CommandStorageSerializer(BaseStorageSerializer):
 
 
 # ReplayStorageSerializer
-
-
 class ReplayStorageSerializer(BaseStorageSerializer):
     storage_type_serializer_classes_mapping = replay_storage_type_serializer_classes_mapping
 

From 2cb08b4785a1c249290b56905003727cf6461e77 Mon Sep 17 00:00:00 2001
From: feng626 <1304903146@qq.com>
Date: Sat, 2 Apr 2022 15:51:23 +0800
Subject: [PATCH 008/258] fix: user is common user

---
 apps/ops/api/command.py | 2 +-
 apps/rbac/builtin.py    | 8 ++++++--
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/apps/ops/api/command.py b/apps/ops/api/command.py
index 2b7e5fda9..0d513cd9e 100644
--- a/apps/ops/api/command.py
+++ b/apps/ops/api/command.py
@@ -59,7 +59,7 @@ class CommandExecutionViewSet(RootOrgViewMixin, viewsets.ModelViewSet):
             raise ValidationError({"hosts": msg})
 
     def check_permissions(self, request):
-        if not settings.SECURITY_COMMAND_EXECUTION and request.user.is_common_user:
+        if not settings.SECURITY_COMMAND_EXECUTION:
             return self.permission_denied(request, "Command execution disabled")
         return super().check_permissions(request)
 
diff --git a/apps/rbac/builtin.py b/apps/rbac/builtin.py
index a47139132..ce735ce8f 100644
--- a/apps/rbac/builtin.py
+++ b/apps/rbac/builtin.py
@@ -29,7 +29,6 @@ auditor_perms = user_perms + (
     ('ops', 'commandexecution', 'view', 'commandexecution')
 )
 
-
 app_exclude_perms = [
     ('users', 'user', 'add,delete', 'user'),
     ('orgs', 'org', 'add,delete,change', 'org'),
@@ -59,7 +58,8 @@ class PredefineRole:
         from rbac.models import Role
         return Role.objects.get(id=self.id)
 
-    def _get_defaults(self):
+    @property
+    def default_perms(self):
         from rbac.models import Permission
         q = Permission.get_define_permissions_q(self.perms)
         permissions = Permission.get_permissions(self.scope)
@@ -72,6 +72,10 @@ class PredefineRole:
             permissions = permissions.exclude(q)
 
         perms = permissions.values_list('id', flat=True)
+        return perms
+
+    def _get_defaults(self):
+        perms = self.default_perms
         defaults = {
             'id': self.id, 'name': self.name, 'scope': self.scope,
             'builtin': True, 'permissions': perms

From fe8527fd074de1c4300db60c21d2d9107d9c6875 Mon Sep 17 00:00:00 2001
From: jiangweidong <weidong.jiang@fit2cloud.com>
Date: Sat, 2 Apr 2022 10:04:18 +0800
Subject: [PATCH 009/258] =?UTF-8?q?feat:=20=E4=BF=AE=E6=94=B9=E7=BF=BB?=
 =?UTF-8?q?=E8=AF=91?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/locale/ja/LC_MESSAGES/django.mo |  4 +--
 apps/locale/ja/LC_MESSAGES/django.po | 49 +++++++++++++++++-----------
 apps/locale/zh/LC_MESSAGES/django.mo |  4 +--
 apps/locale/zh/LC_MESSAGES/django.po | 49 +++++++++++++++++-----------
 4 files changed, 64 insertions(+), 42 deletions(-)

diff --git a/apps/locale/ja/LC_MESSAGES/django.mo b/apps/locale/ja/LC_MESSAGES/django.mo
index 69226e3a4..663dad9e1 100644
--- a/apps/locale/ja/LC_MESSAGES/django.mo
+++ b/apps/locale/ja/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:bf72c66551e2e7b951960d96054ede0e3e6f3419c4d693f844dc2a61f583390f
-size 129861
+oid sha256:17e378f009274c169039e815158ea9072ee89811bb27a5b17a628f2066fcfb86
+size 129989
diff --git a/apps/locale/ja/LC_MESSAGES/django.po b/apps/locale/ja/LC_MESSAGES/django.po
index bc5707e14..cc8a3b317 100644
--- a/apps/locale/ja/LC_MESSAGES/django.po
+++ b/apps/locale/ja/LC_MESSAGES/django.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-03-31 11:21+0800\n"
+"POT-Creation-Date: 2022-04-02 10:01+0800\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -343,7 +343,7 @@ msgid "Domain"
 msgstr "ドメイン"
 
 #: applications/models/application.py:228 xpack/plugins/cloud/models.py:33
-#: xpack/plugins/cloud/serializers/account.py:58
+#: xpack/plugins/cloud/serializers/account.py:59
 msgid "Attrs"
 msgstr "ツールバーの"
 
@@ -767,11 +767,11 @@ msgstr "OK"
 #: assets/models/base.py:32 audits/models.py:116
 #: xpack/plugins/change_auth_plan/serializers/app.py:88
 #: xpack/plugins/change_auth_plan/serializers/asset.py:198
-#: xpack/plugins/cloud/const.py:30
+#: xpack/plugins/cloud/const.py:31
 msgid "Failed"
 msgstr "失敗しました"
 
-#: assets/models/base.py:38
+#: assets/models/base.py:38 assets/serializers/domain.py:46
 msgid "Connectivity"
 msgstr "接続性"
 
@@ -6520,58 +6520,62 @@ msgid "Baidu Cloud"
 msgstr "百度雲"
 
 #: xpack/plugins/cloud/const.py:15
+msgid "JD Cloud"
+msgstr "京東雲"
+
+#: xpack/plugins/cloud/const.py:16
 msgid "Tencent Cloud"
 msgstr "テンセント雲"
 
-#: xpack/plugins/cloud/const.py:16
+#: xpack/plugins/cloud/const.py:17
 msgid "VMware"
 msgstr "VMware"
 
-#: xpack/plugins/cloud/const.py:17 xpack/plugins/cloud/providers/nutanix.py:13
+#: xpack/plugins/cloud/const.py:18 xpack/plugins/cloud/providers/nutanix.py:13
 msgid "Nutanix"
 msgstr "Nutanix"
 
-#: xpack/plugins/cloud/const.py:18
+#: xpack/plugins/cloud/const.py:19
 msgid "Huawei Private Cloud"
 msgstr "華為私有雲"
 
-#: xpack/plugins/cloud/const.py:19
+#: xpack/plugins/cloud/const.py:20
 msgid "Qingyun Private Cloud"
 msgstr "青雲私有雲"
 
-#: xpack/plugins/cloud/const.py:20
+#: xpack/plugins/cloud/const.py:21
 msgid "OpenStack"
 msgstr "OpenStack"
 
-#: xpack/plugins/cloud/const.py:21
+#: xpack/plugins/cloud/const.py:22
 msgid "Google Cloud Platform"
 msgstr "谷歌雲"
 
-#: xpack/plugins/cloud/const.py:25
+#: xpack/plugins/cloud/const.py:26
 msgid "Instance name"
 msgstr "インスタンス名"
 
-#: xpack/plugins/cloud/const.py:26
+#: xpack/plugins/cloud/const.py:27
 msgid "Instance name and Partial IP"
 msgstr "インスタンス名と部分IP"
 
-#: xpack/plugins/cloud/const.py:31
+#: xpack/plugins/cloud/const.py:32
 msgid "Succeed"
 msgstr "成功"
 
-#: xpack/plugins/cloud/const.py:35
+#: xpack/plugins/cloud/const.py:36
 msgid "Unsync"
 msgstr "同期していません"
 
-#: xpack/plugins/cloud/const.py:36
+#: xpack/plugins/cloud/const.py:37
 msgid "New Sync"
 msgstr "新しい同期"
 
-#: xpack/plugins/cloud/const.py:37
+#: xpack/plugins/cloud/const.py:38
 msgid "Synced"
 msgstr "同期済み"
 
-#: xpack/plugins/cloud/const.py:38
+#: xpack/plugins/cloud/const.py:39
 msgid "Released"
 msgstr "リリース済み"
 
@@ -6744,11 +6748,13 @@ msgid "South America (São Paulo)"
 msgstr "南米 (サンパウロ)"
 
 #: xpack/plugins/cloud/providers/baiducloud.py:54
+#: xpack/plugins/cloud/providers/jdcloud.py:127
 msgid "CN North-Beijing"
 msgstr "華北-北京"
 
 #: xpack/plugins/cloud/providers/baiducloud.py:55
 #: xpack/plugins/cloud/providers/huaweicloud.py:40
+#: xpack/plugins/cloud/providers/jdcloud.py:130
 msgid "CN South-Guangzhou"
 msgstr "華南-広州"
 
@@ -6770,6 +6776,7 @@ msgid "CN North-Baoding"
 msgstr "華北-保定"
 
 #: xpack/plugins/cloud/providers/baiducloud.py:60
+#: xpack/plugins/cloud/providers/jdcloud.py:129
 msgid "CN East-Shanghai"
 msgstr "華東-上海"
 
@@ -6834,11 +6841,15 @@ msgstr "華北-ウランチャブ一"
 msgid "CN South-Guangzhou-InvitationOnly"
 msgstr "華南-広州-友好ユーザー環境"
 
-#: xpack/plugins/cloud/serializers/account.py:59
+#: xpack/plugins/cloud/providers/jdcloud.py:128
+msgid "CN East-Suqian"
+msgstr "華東-宿遷"
+
+#: xpack/plugins/cloud/serializers/account.py:60
 msgid "Validity display"
 msgstr "有効表示"
 
-#: xpack/plugins/cloud/serializers/account.py:60
+#: xpack/plugins/cloud/serializers/account.py:61
 msgid "Provider display"
 msgstr "プロバイダ表示"
 
diff --git a/apps/locale/zh/LC_MESSAGES/django.mo b/apps/locale/zh/LC_MESSAGES/django.mo
index 511437fb2..944990cc4 100644
--- a/apps/locale/zh/LC_MESSAGES/django.mo
+++ b/apps/locale/zh/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:6e803750e498ee3d0f3f66f7b74ee9c4b9fd3a6b2bc9a0ecf4bbd5a9c1582e18
-size 107581
+oid sha256:51c19db490e2e3a7cc3c3fce33b2e4422239d8c64d591208cadaf062c5ccb0c9
+size 107709
diff --git a/apps/locale/zh/LC_MESSAGES/django.po b/apps/locale/zh/LC_MESSAGES/django.po
index ffd8d4ba3..68b8a566c 100644
--- a/apps/locale/zh/LC_MESSAGES/django.po
+++ b/apps/locale/zh/LC_MESSAGES/django.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: JumpServer 0.3.3\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-03-31 11:19+0800\n"
+"POT-Creation-Date: 2022-04-02 10:01+0800\n"
 "PO-Revision-Date: 2021-05-20 10:54+0800\n"
 "Last-Translator: ibuler <ibuler@qq.com>\n"
 "Language-Team: JumpServer team<ibuler@qq.com>\n"
@@ -338,7 +338,7 @@ msgid "Domain"
 msgstr "网域"
 
 #: applications/models/application.py:228 xpack/plugins/cloud/models.py:33
-#: xpack/plugins/cloud/serializers/account.py:58
+#: xpack/plugins/cloud/serializers/account.py:59
 msgid "Attrs"
 msgstr "属性"
 
@@ -762,11 +762,11 @@ msgstr "成功"
 #: assets/models/base.py:32 audits/models.py:116
 #: xpack/plugins/change_auth_plan/serializers/app.py:88
 #: xpack/plugins/change_auth_plan/serializers/asset.py:198
-#: xpack/plugins/cloud/const.py:30
+#: xpack/plugins/cloud/const.py:31
 msgid "Failed"
 msgstr "失败"
 
-#: assets/models/base.py:38
+#: assets/models/base.py:38 assets/serializers/domain.py:46
 msgid "Connectivity"
 msgstr "可连接性"
 
@@ -6430,58 +6430,62 @@ msgid "Baidu Cloud"
 msgstr "百度云"
 
 #: xpack/plugins/cloud/const.py:15
+msgid "JD Cloud"
+msgstr "京东云"
+
+#: xpack/plugins/cloud/const.py:16
 msgid "Tencent Cloud"
 msgstr "腾讯云"
 
-#: xpack/plugins/cloud/const.py:16
+#: xpack/plugins/cloud/const.py:17
 msgid "VMware"
 msgstr "VMware"
 
-#: xpack/plugins/cloud/const.py:17 xpack/plugins/cloud/providers/nutanix.py:13
+#: xpack/plugins/cloud/const.py:18 xpack/plugins/cloud/providers/nutanix.py:13
 msgid "Nutanix"
 msgstr "Nutanix"
 
-#: xpack/plugins/cloud/const.py:18
+#: xpack/plugins/cloud/const.py:19
 msgid "Huawei Private Cloud"
 msgstr "华为私有云"
 
-#: xpack/plugins/cloud/const.py:19
+#: xpack/plugins/cloud/const.py:20
 msgid "Qingyun Private Cloud"
 msgstr "青云私有云"
 
-#: xpack/plugins/cloud/const.py:20
+#: xpack/plugins/cloud/const.py:21
 msgid "OpenStack"
 msgstr "OpenStack"
 
-#: xpack/plugins/cloud/const.py:21
+#: xpack/plugins/cloud/const.py:22
 msgid "Google Cloud Platform"
 msgstr "谷歌云"
 
-#: xpack/plugins/cloud/const.py:25
+#: xpack/plugins/cloud/const.py:26
 msgid "Instance name"
 msgstr "实例名称"
 
-#: xpack/plugins/cloud/const.py:26
+#: xpack/plugins/cloud/const.py:27
 msgid "Instance name and Partial IP"
 msgstr "实例名称和部分IP"
 
-#: xpack/plugins/cloud/const.py:31
+#: xpack/plugins/cloud/const.py:32
 msgid "Succeed"
 msgstr "成功"
 
-#: xpack/plugins/cloud/const.py:35
+#: xpack/plugins/cloud/const.py:36
 msgid "Unsync"
 msgstr "未同步"
 
-#: xpack/plugins/cloud/const.py:36
+#: xpack/plugins/cloud/const.py:37
 msgid "New Sync"
 msgstr "新同步"
 
-#: xpack/plugins/cloud/const.py:37
+#: xpack/plugins/cloud/const.py:38
 msgid "Synced"
 msgstr "已同步"
 
-#: xpack/plugins/cloud/const.py:38
+#: xpack/plugins/cloud/const.py:39
 msgid "Released"
 msgstr "已释放"
 
@@ -6654,11 +6658,13 @@ msgid "South America (São Paulo)"
 msgstr "南美洲（圣保罗）"
 
 #: xpack/plugins/cloud/providers/baiducloud.py:54
+#: xpack/plugins/cloud/providers/jdcloud.py:127
 msgid "CN North-Beijing"
 msgstr "华北-北京"
 
 #: xpack/plugins/cloud/providers/baiducloud.py:55
 #: xpack/plugins/cloud/providers/huaweicloud.py:40
+#: xpack/plugins/cloud/providers/jdcloud.py:130
 msgid "CN South-Guangzhou"
 msgstr "华南-广州"
 
@@ -6680,6 +6686,7 @@ msgid "CN North-Baoding"
 msgstr "华北-保定"
 
 #: xpack/plugins/cloud/providers/baiducloud.py:60
+#: xpack/plugins/cloud/providers/jdcloud.py:129
 msgid "CN East-Shanghai"
 msgstr "华东-上海"
 
@@ -6744,11 +6751,15 @@ msgstr "华北-乌兰察布一"
 msgid "CN South-Guangzhou-InvitationOnly"
 msgstr "华南-广州-友好用户环境"
 
-#: xpack/plugins/cloud/serializers/account.py:59
+#: xpack/plugins/cloud/providers/jdcloud.py:128
+msgid "CN East-Suqian"
+msgstr "华东-宿迁"
+
+#: xpack/plugins/cloud/serializers/account.py:60
 msgid "Validity display"
 msgstr "有效性显示"
 
-#: xpack/plugins/cloud/serializers/account.py:60
+#: xpack/plugins/cloud/serializers/account.py:61
 msgid "Provider display"
 msgstr "服务商显示"
 

From ef36b2e66265de4f196d2a90ac8444c9a7b74063 Mon Sep 17 00:00:00 2001
From: Eric <xplzv@126.com>
Date: Wed, 6 Apr 2022 14:58:13 +0800
Subject: [PATCH 010/258] =?UTF-8?q?perf:=20=E5=AE=8C=E5=96=84=20setting=20?=
 =?UTF-8?q?=E7=9A=84=E5=8A=A8=E6=80=81=E9=85=8D=E7=BD=AE?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/settings/signal_handlers.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/settings/signal_handlers.py b/apps/settings/signal_handlers.py
index 818b7ba03..18449a771 100644
--- a/apps/settings/signal_handlers.py
+++ b/apps/settings/signal_handlers.py
@@ -94,7 +94,7 @@ def monkey_patch_settings(sender, **kwargs):
     def monkey_patch_getattr(self, name):
         val = getattr(self._wrapped, name)
         # 只解析 defaults 中的 callable
-        if callable(val) and val.__module__ == 'jumpserver.conf':
+        if callable(val) and val.__module__.endswith('jumpserver.conf'):
             val = val()
         return val
 

From c8758f417d5208d35d34c84adf7dcbc3570a01b6 Mon Sep 17 00:00:00 2001
From: feng626 <1304903146@qq.com>
Date: Fri, 1 Apr 2022 15:33:14 +0800
Subject: [PATCH 011/258] =?UTF-8?q?feat:=20ldap=E4=B8=80=E9=94=AE=E5=AF=BC?=
 =?UTF-8?q?=E5=85=A5=E5=8F=8A=E8=AE=BE=E7=BD=AE=E7=94=A8=E6=88=B7=E7=BB=84?=
 =?UTF-8?q?=E7=BB=87?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/jumpserver/conf.py                | 5 +++--
 apps/jumpserver/settings/auth.py       | 1 +
 apps/settings/api/ldap.py              | 5 +++--
 apps/settings/serializers/auth/ldap.py | 9 ++++++---
 apps/users/tasks.py                    | 6 ++++--
 5 files changed, 17 insertions(+), 9 deletions(-)

diff --git a/apps/jumpserver/conf.py b/apps/jumpserver/conf.py
index 7aa8dc436..8e34d6f91 100644
--- a/apps/jumpserver/conf.py
+++ b/apps/jumpserver/conf.py
@@ -41,7 +41,7 @@ def import_string(dotted_path):
     except AttributeError as err:
         raise ImportError('Module "%s" does not define a "%s" attribute/class' % (
             module_path, class_name)
-        ) from err
+                          ) from err
 
 
 def is_absolute_uri(uri):
@@ -176,6 +176,7 @@ class Config(dict):
         'AUTH_LDAP_SYNC_IS_PERIODIC': False,
         'AUTH_LDAP_SYNC_INTERVAL': None,
         'AUTH_LDAP_SYNC_CRONTAB': None,
+        'AUTH_LDAP_SYNC_ORG_ID': '00000000-0000-0000-0000-000000000002',
         'AUTH_LDAP_USER_LOGIN_ONLY_IN_USERS': False,
         'AUTH_LDAP_OPTIONS_OPT_REFERRALS': -1,
 
@@ -272,7 +273,7 @@ class Config(dict):
         'FEISHU_APP_ID': '',
         'FEISHU_APP_SECRET': '',
 
-        'LOGIN_REDIRECT_TO_BACKEND':  '',  # 'OPENID / CAS / SAML2
+        'LOGIN_REDIRECT_TO_BACKEND': '',  # 'OPENID / CAS / SAML2
         'LOGIN_REDIRECT_MSG_ENABLED': True,
 
         'SMS_ENABLED': False,
diff --git a/apps/jumpserver/settings/auth.py b/apps/jumpserver/settings/auth.py
index c545772e1..f71afec9b 100644
--- a/apps/jumpserver/settings/auth.py
+++ b/apps/jumpserver/settings/auth.py
@@ -43,6 +43,7 @@ AUTH_LDAP_SEARCH_PAGED_SIZE = CONFIG.AUTH_LDAP_SEARCH_PAGED_SIZE
 AUTH_LDAP_SYNC_IS_PERIODIC = CONFIG.AUTH_LDAP_SYNC_IS_PERIODIC
 AUTH_LDAP_SYNC_INTERVAL = CONFIG.AUTH_LDAP_SYNC_INTERVAL
 AUTH_LDAP_SYNC_CRONTAB = CONFIG.AUTH_LDAP_SYNC_CRONTAB
+AUTH_LDAP_SYNC_ORG_ID = CONFIG.AUTH_LDAP_SYNC_ORG_ID
 AUTH_LDAP_USER_LOGIN_ONLY_IN_USERS = CONFIG.AUTH_LDAP_USER_LOGIN_ONLY_IN_USERS
 
 
diff --git a/apps/settings/api/ldap.py b/apps/settings/api/ldap.py
index a66f0977e..e45414b81 100644
--- a/apps/settings/api/ldap.py
+++ b/apps/settings/api/ldap.py
@@ -195,7 +195,9 @@ class LDAPUserImportAPI(APIView):
     def get_ldap_users(self):
         username_list = self.request.data.get('username_list', [])
         cache_police = self.request.query_params.get('cache_police', True)
-        if cache_police in LDAP_USE_CACHE_FLAGS:
+        if '*' in username_list:
+            users = LDAPServerUtil().search()
+        elif cache_police in LDAP_USE_CACHE_FLAGS:
             users = LDAPCacheUtil().search(search_users=username_list)
         else:
             users = LDAPServerUtil().search(search_users=username_list)
@@ -234,4 +236,3 @@ class LDAPCacheRefreshAPI(generics.RetrieveAPIView):
             logger.error(str(e))
             return Response(data={'msg': str(e)}, status=400)
         return Response(data={'msg': 'success'})
-
diff --git a/apps/settings/serializers/auth/ldap.py b/apps/settings/serializers/auth/ldap.py
index 8508d2ee8..8e65d67b7 100644
--- a/apps/settings/serializers/auth/ldap.py
+++ b/apps/settings/serializers/auth/ldap.py
@@ -1,4 +1,3 @@
-
 from django.utils.translation import ugettext_lazy as _
 from rest_framework import serializers
 
@@ -40,8 +39,9 @@ class LDAPSettingSerializer(serializers.Serializer):
         help_text=_('eg: ldap://localhost:389')
     )
     AUTH_LDAP_BIND_DN = serializers.CharField(required=False, max_length=1024, label=_('Bind DN'))
-    AUTH_LDAP_BIND_PASSWORD = serializers.CharField(max_length=1024, write_only=True, required=False,
-                                                    label=_('Password'))
+    AUTH_LDAP_BIND_PASSWORD = serializers.CharField(
+        max_length=1024, write_only=True, required=False, label=_('Password')
+    )
     AUTH_LDAP_SEARCH_OU = serializers.CharField(
         max_length=1024, allow_blank=True, required=False, label=_('User OU'),
         help_text=_('Use | split multi OUs')
@@ -55,6 +55,9 @@ class LDAPSettingSerializer(serializers.Serializer):
         help_text=_('User attr map present how to map LDAP user attr to '
                     'jumpserver, username,name,email is jumpserver attr')
     )
+    AUTH_LDAP_SYNC_ORG_ID = serializers.CharField(
+        required=False, label=_('Organization'), max_length=36
+    )
     AUTH_LDAP_SYNC_IS_PERIODIC = serializers.BooleanField(
         required=False, label=_('Periodic perform')
     )
diff --git a/apps/users/tasks.py b/apps/users/tasks.py
index a92fc2fb0..0f93fa6c3 100644
--- a/apps/users/tasks.py
+++ b/apps/users/tasks.py
@@ -1,7 +1,6 @@
 # -*- coding: utf-8 -*-
 #
 
-import sys
 from celery import shared_task
 from django.conf import settings
 
@@ -11,6 +10,7 @@ from ops.celery.utils import (
 )
 from ops.celery.decorator import after_app_ready_start
 from common.utils import get_logger
+from orgs.models import Organization
 from .models import User
 from users.notifications import UserExpirationReminderMsg
 from settings.utils import LDAPServerUtil, LDAPImportUtil
@@ -81,7 +81,9 @@ def import_ldap_user():
     util_server = LDAPServerUtil()
     util_import = LDAPImportUtil()
     users = util_server.search()
-    errors = util_import.perform_import(users)
+    org_id = settings.AUTH_LDAP_SYNC_ORG_ID
+    org = Organization.get_instance(org_id)
+    errors = util_import.perform_import(users, org)
     if errors:
         logger.error("Imported LDAP users errors: {}".format(errors))
     else:

From f769d5a9bbc5b2efecf71e349f7f12c4e4d6e24c Mon Sep 17 00:00:00 2001
From: feng626 <1304903146@qq.com>
Date: Thu, 7 Apr 2022 10:11:16 +0800
Subject: [PATCH 012/258] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=E7=94=A8?=
 =?UTF-8?q?=E6=88=B7=E6=95=B0=E6=8D=AE=E4=B8=8D=E5=90=8C=E6=AD=A5=E9=97=AE?=
 =?UTF-8?q?=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/orgs/signal_handlers/cache.py | 48 +++++++++++++++++++++++-------
 apps/users/models/user.py          | 12 ++++----
 2 files changed, 44 insertions(+), 16 deletions(-)

diff --git a/apps/orgs/signal_handlers/cache.py b/apps/orgs/signal_handlers/cache.py
index 1d9ca3891..546d11311 100644
--- a/apps/orgs/signal_handlers/cache.py
+++ b/apps/orgs/signal_handlers/cache.py
@@ -1,33 +1,61 @@
+from functools import wraps
 from django.db.models.signals import post_save, pre_delete, pre_save, post_delete
 from django.dispatch import receiver
 
 from orgs.models import Organization
 from assets.models import Node
-from perms.models import (AssetPermission, ApplicationPermission)
+from perms.models import AssetPermission, ApplicationPermission
 from users.models import UserGroup, User
+from users.signals import pre_user_leave_org
 from applications.models import Application
 from terminal.models import Session
+from rbac.models import OrgRoleBinding, SystemRoleBinding
 from assets.models import Asset, SystemUser, Domain, Gateway
 from orgs.caches import OrgResourceStatisticsCache
+from orgs.utils import current_org
+from common.utils import get_logger
+
+logger = get_logger(__name__)
 
 
-def refresh_user_amount_on_user_create_or_delete(user_id):
-    orgs = Organization.objects.filter(m2m_org_members__user_id=user_id).distinct()
+def refresh_cache(name, org):
+    names = None
+    if isinstance(name, (str,)):
+        names = [name, ]
+    if isinstance(names, (list, tuple)):
+        for name in names:
+            OrgResourceStatisticsCache(org).expire(name)
+            OrgResourceStatisticsCache(Organization.root()).expire(name)
+    else:
+        logger.warning('refresh cache fail: {}'.format(name))
+
+
+def refresh_user_amount_cache(user):
+    orgs = user.orgs.distinct()
     for org in orgs:
-        org_cache = OrgResourceStatisticsCache(org)
-        org_cache.expire('users_amount')
-    OrgResourceStatisticsCache(Organization.root()).expire('users_amount')
+        refresh_cache('users_amount', org)
 
 
-@receiver(post_save, sender=User)
-def on_user_create_refresh_cache(sender, instance, created, **kwargs):
+@receiver(post_save, sender=OrgRoleBinding)
+def on_user_create_or_invite_refresh_cache(sender, instance, created, **kwargs):
     if created:
-        refresh_user_amount_on_user_create_or_delete(instance.id)
+        refresh_cache('users_amount', instance.org)
+
+
+@receiver(post_save, sender=SystemRoleBinding)
+def on_user_global_create_refresh_cache(sender, instance, created, **kwargs):
+    if created and current_org.is_root():
+        refresh_cache('users_amount', current_org)
+
+
+@receiver(pre_user_leave_org)
+def on_user_remove_refresh_cache(sender, org=None, **kwargs):
+    refresh_cache('users_amount', org)
 
 
 @receiver(pre_delete, sender=User)
 def on_user_delete_refresh_cache(sender, instance, **kwargs):
-    refresh_user_amount_on_user_create_or_delete(instance.id)
+    refresh_user_amount_cache(instance)
 
 
 # @receiver(m2m_changed, sender=OrganizationMember)
diff --git a/apps/users/models/user.py b/apps/users/models/user.py
index 1a5ce634c..ede795d13 100644
--- a/apps/users/models/user.py
+++ b/apps/users/models/user.py
@@ -78,7 +78,7 @@ class AuthMixin:
     def is_history_password(self, password):
         allow_history_password_count = settings.OLD_PASSWORD_HISTORY_LIMIT_COUNT
         history_passwords = self.history_passwords.all() \
-            .order_by('-date_created')[:int(allow_history_password_count)]
+                                .order_by('-date_created')[:int(allow_history_password_count)]
 
         for history_password in history_passwords:
             if check_password(password, history_password.password):
@@ -726,7 +726,7 @@ class User(AuthMixin, TokenMixin, RoleMixin, MFAMixin, AbstractUser):
 
     @classmethod
     def get_group_ids_by_user_id(cls, user_id):
-        group_ids = cls.groups.through.objects.filter(user_id=user_id)\
+        group_ids = cls.groups.through.objects.filter(user_id=user_id) \
             .distinct().values_list('usergroup_id', flat=True)
         group_ids = list(group_ids)
         return group_ids
@@ -866,20 +866,20 @@ class User(AuthMixin, TokenMixin, RoleMixin, MFAMixin, AbstractUser):
     @property
     def all_orgs(self):
         from rbac.builtin import BuiltinRole
-        has_system_role = self.system_roles.all()\
-            .exclude(name=BuiltinRole.system_user.name)\
+        has_system_role = self.system_roles.all() \
+            .exclude(name=BuiltinRole.system_user.name) \
             .exists()
         if has_system_role:
             orgs = list(Organization.objects.all())
         else:
-            orgs = list(self.orgs.all().distinct())
+            orgs = list(self.orgs.distinct())
         if self.has_perm('orgs.view_rootorg'):
             orgs = [Organization.root()] + orgs
         return orgs
 
     @property
     def my_orgs(self):
-        return list(self.orgs.all().distinct())
+        return list(self.orgs.distinct())
 
     class Meta:
         ordering = ['username']

From 7c7d7d52b2f4fbad35cdbd5b71ab0f1e4be3286c Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Tue, 12 Apr 2022 14:01:57 +0800
Subject: [PATCH 013/258] =?UTF-8?q?perf:=20asset=20number=20=E6=89=A9?=
 =?UTF-8?q?=E5=AE=B9=20(#8045)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: feng626 <1304903146@qq.com>
---
 .../migrations/0090_auto_20220412_1145.py      | 18 ++++++++++++++++++
 apps/assets/models/asset.py                    |  4 ++--
 2 files changed, 20 insertions(+), 2 deletions(-)
 create mode 100644 apps/assets/migrations/0090_auto_20220412_1145.py

diff --git a/apps/assets/migrations/0090_auto_20220412_1145.py b/apps/assets/migrations/0090_auto_20220412_1145.py
new file mode 100644
index 000000000..c2cb879aa
--- /dev/null
+++ b/apps/assets/migrations/0090_auto_20220412_1145.py
@@ -0,0 +1,18 @@
+# Generated by Django 3.1.14 on 2022-04-12 03:45
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0089_auto_20220310_0616'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='asset',
+            name='number',
+            field=models.CharField(blank=True, max_length=128, null=True, verbose_name='Asset number'),
+        ),
+    ]
diff --git a/apps/assets/models/asset.py b/apps/assets/models/asset.py
index c4ecf9cfe..84ddee404 100644
--- a/apps/assets/models/asset.py
+++ b/apps/assets/models/asset.py
@@ -1,6 +1,6 @@
 #!/usr/bin/env python
 # -*- coding: utf-8 -*-
-# 
+#
 
 import uuid
 import logging
@@ -223,7 +223,7 @@ class Asset(AbsConnectivity, AbsHardwareInfo, ProtocolsMixin, NodesRelationMixin
 
     # Some information
     public_ip = models.CharField(max_length=128, blank=True, null=True, verbose_name=_('Public IP'))
-    number = models.CharField(max_length=32, null=True, blank=True, verbose_name=_('Asset number'))
+    number = models.CharField(max_length=128, null=True, blank=True, verbose_name=_('Asset number'))
 
     labels = models.ManyToManyField('assets.Label', blank=True, related_name='assets', verbose_name=_("Labels"))
     created_by = models.CharField(max_length=128, null=True, blank=True, verbose_name=_('Created by'))

From 1f8ded49fa13846cb75ca303e5206a6647a5d3ae Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Tue, 12 Apr 2022 14:25:49 +0800
Subject: [PATCH 014/258] =?UTF-8?q?feat:=20=E5=B7=A5=E4=BD=9C=E5=8F=B0?=
 =?UTF-8?q?=E5=8C=BA=E5=88=86=E7=BB=84=E7=BB=87=20(#8040)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* perf: 工作台受组织角色控制

* perf: workspace => workbench

* perf: 修改 workspace codename

Co-authored-by: ibuler <ibuler@qq.com>
---
 apps/authentication/urls/view_urls.py         |   1 -
 apps/jumpserver/views/index.py                |   5 +-
 apps/locale/ja/LC_MESSAGES/django.mo          |   2 +-
 apps/locale/ja/LC_MESSAGES/django.po          |   4 +-
 apps/locale/zh/LC_MESSAGES/django.mo          |   2 +-
 apps/locale/zh/LC_MESSAGES/django.po          |   4 +-
 .../api/application/user_permission/mixin.py  |   4 -
 apps/perms/api/asset/user_permission/mixin.py |   4 -
 apps/perms/utils/asset/user_permission.py     |   8 +-
 apps/rbac/builtin.py                          |   3 +-
 apps/rbac/migrations/0001_initial.py          |   2 +-
 .../migrations/0005_auto_20220307_1524.py     |   2 +-
 .../migrations/0006_auto_20220310_0616.py     |   2 +-
 .../migrations/0008_auto_20220411_1709.py     |  22 +
 .../migrations/0009_auto_20220411_1724.py     |  19 +
 apps/rbac/models/menu.py                      |   2 +-
 apps/rbac/tree.py                             |  16 +-
 apps/templates/_base_asset_tree_list.html     |  54 --
 apps/templates/_base_create_update.html       |  43 --
 apps/templates/_base_list.html                |  70 --
 apps/templates/_nav.html                      |   0
 apps/templates/_nav_user.html                 |   0
 apps/templates/_pagination.html               |  66 --
 apps/templates/delete_confirm.html            |  15 -
 apps/templates/index.html                     | 618 ------------------
 apps/terminal/api/session.py                  |   7 +-
 apps/tickets/api/relation.py                  |   7 +-
 .../templates/users/_base_user_detail.html    |  26 -
 .../templates/users/_granted_assets.html      | 222 -------
 .../templates/users/_select_user_modal.html   |  23 -
 .../users/_user_detail_nav_header.html        |  97 ---
 .../users/_user_update_pk_modal.html          |   8 -
 apps/users/templates/users/first_login.html   |  10 -
 .../templates/users/first_login_done.html     |  54 --
 .../users/user_asset_permission.html          | 201 ------
 .../users/user_database_app_permission.html   | 168 -----
 .../templates/users/user_password_update.html | 134 ----
 apps/users/utils.py                           |   2 -
 apps/users/views/profile/reset.py             |   7 +-
 39 files changed, 77 insertions(+), 1857 deletions(-)
 create mode 100644 apps/rbac/migrations/0008_auto_20220411_1709.py
 create mode 100644 apps/rbac/migrations/0009_auto_20220411_1724.py
 delete mode 100644 apps/templates/_base_asset_tree_list.html
 delete mode 100644 apps/templates/_base_create_update.html
 delete mode 100644 apps/templates/_base_list.html
 delete mode 100644 apps/templates/_nav.html
 delete mode 100644 apps/templates/_nav_user.html
 delete mode 100644 apps/templates/_pagination.html
 delete mode 100644 apps/templates/delete_confirm.html
 delete mode 100644 apps/templates/index.html
 delete mode 100644 apps/users/templates/users/_base_user_detail.html
 delete mode 100644 apps/users/templates/users/_granted_assets.html
 delete mode 100644 apps/users/templates/users/_select_user_modal.html
 delete mode 100644 apps/users/templates/users/_user_detail_nav_header.html
 delete mode 100644 apps/users/templates/users/_user_update_pk_modal.html
 delete mode 100644 apps/users/templates/users/first_login.html
 delete mode 100644 apps/users/templates/users/first_login_done.html
 delete mode 100644 apps/users/templates/users/user_asset_permission.html
 delete mode 100644 apps/users/templates/users/user_database_app_permission.html
 delete mode 100644 apps/users/templates/users/user_password_update.html

diff --git a/apps/authentication/urls/view_urls.py b/apps/authentication/urls/view_urls.py
index 2d0749470..9abd61e3b 100644
--- a/apps/authentication/urls/view_urls.py
+++ b/apps/authentication/urls/view_urls.py
@@ -55,7 +55,6 @@ urlpatterns = [
     path('profile/otp/enable/bind/', users_view.UserOtpEnableBindView.as_view(), name='user-otp-enable-bind'),
     path('profile/otp/disable/', users_view.UserOtpDisableView.as_view(),
          name='user-otp-disable'),
-    path('first-login/', users_view.UserFirstLoginView.as_view(), name='user-first-login'),
 
     # openid
     path('cas/', include(('authentication.backends.cas.urls', 'authentication'), namespace='cas')),
diff --git a/apps/jumpserver/views/index.py b/apps/jumpserver/views/index.py
index 8f974a483..639f6d683 100644
--- a/apps/jumpserver/views/index.py
+++ b/apps/jumpserver/views/index.py
@@ -1,4 +1,4 @@
-from django.views.generic import TemplateView
+from django.views.generic import View
 from django.shortcuts import redirect
 from common.permissions import IsValidUser
 from common.mixins.views import PermissionsMixin
@@ -6,8 +6,7 @@ from common.mixins.views import PermissionsMixin
 __all__ = ['IndexView']
 
 
-class IndexView(PermissionsMixin, TemplateView):
-    template_name = 'index.html'
+class IndexView(PermissionsMixin, View):
     permission_classes = [IsValidUser]
 
     def get(self, request, *args, **kwargs):
diff --git a/apps/locale/ja/LC_MESSAGES/django.mo b/apps/locale/ja/LC_MESSAGES/django.mo
index 663dad9e1..080e2ab5e 100644
--- a/apps/locale/ja/LC_MESSAGES/django.mo
+++ b/apps/locale/ja/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:17e378f009274c169039e815158ea9072ee89811bb27a5b17a628f2066fcfb86
+oid sha256:097c6d06ed8dcf2e1807560b6eb52d98cba31f25fe8d67ce4315668c150ca6b8
 size 129989
diff --git a/apps/locale/ja/LC_MESSAGES/django.po b/apps/locale/ja/LC_MESSAGES/django.po
index cc8a3b317..757d1e463 100644
--- a/apps/locale/ja/LC_MESSAGES/django.po
+++ b/apps/locale/ja/LC_MESSAGES/django.po
@@ -3188,7 +3188,7 @@ msgid "Can view audit view"
 msgstr "監査ビューを表示できます"
 
 #: rbac/models/menu.py:17
-msgid "Can view workspace view"
+msgid "Can view workbench view"
 msgstr "ワークスペースビューを表示できます"
 
 #: rbac/models/menu.py:18
@@ -3271,7 +3271,7 @@ msgid "Console view"
 msgstr "コンソールビュー"
 
 #: rbac/tree.py:27
-msgid "Workspace view"
+msgid "Workbench view"
 msgstr "ワークスペースビュー"
 
 #: rbac/tree.py:28
diff --git a/apps/locale/zh/LC_MESSAGES/django.mo b/apps/locale/zh/LC_MESSAGES/django.mo
index 944990cc4..88f701b6b 100644
--- a/apps/locale/zh/LC_MESSAGES/django.mo
+++ b/apps/locale/zh/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:51c19db490e2e3a7cc3c3fce33b2e4422239d8c64d591208cadaf062c5ccb0c9
+oid sha256:3d6a0d40534209f3ffab0b0ecfab7ec82f137156fc8e7b19ce1711036d14aeca
 size 107709
diff --git a/apps/locale/zh/LC_MESSAGES/django.po b/apps/locale/zh/LC_MESSAGES/django.po
index 68b8a566c..fb29c7d9c 100644
--- a/apps/locale/zh/LC_MESSAGES/django.po
+++ b/apps/locale/zh/LC_MESSAGES/django.po
@@ -3151,7 +3151,7 @@ msgid "Can view audit view"
 msgstr "可以显示审计台"
 
 #: rbac/models/menu.py:17
-msgid "Can view workspace view"
+msgid "Can view workbench view"
 msgstr "可以显示工作台"
 
 #: rbac/models/menu.py:18
@@ -3233,7 +3233,7 @@ msgid "Console view"
 msgstr "控制台"
 
 #: rbac/tree.py:27
-msgid "Workspace view"
+msgid "Workbench view"
 msgstr "工作台"
 
 #: rbac/tree.py:28
diff --git a/apps/perms/api/application/user_permission/mixin.py b/apps/perms/api/application/user_permission/mixin.py
index b66788c31..6e8f91090 100644
--- a/apps/perms/api/application/user_permission/mixin.py
+++ b/apps/perms/api/application/user_permission/mixin.py
@@ -22,7 +22,3 @@ class AppRoleUserMixin(_RoleUserMixin):
         ('get_tree', 'perms.view_myapps'),
         ('GET', 'perms.view_myapps'),
     )
-
-    def dispatch(self, *args, **kwargs):
-        with tmp_to_root_org():
-            return super().dispatch(*args, **kwargs)
\ No newline at end of file
diff --git a/apps/perms/api/asset/user_permission/mixin.py b/apps/perms/api/asset/user_permission/mixin.py
index e06ec9787..c28da6c2d 100644
--- a/apps/perms/api/asset/user_permission/mixin.py
+++ b/apps/perms/api/asset/user_permission/mixin.py
@@ -36,7 +36,3 @@ class AssetRoleUserMixin(PermBaseMixin, _RoleUserMixin):
         ('get_tree', 'perms.view_myassets'),
         ('GET', 'perms.view_myassets'),
     )
-
-    def dispatch(self, *args, **kwargs):
-        with tmp_to_root_org():
-            return super().dispatch(*args, **kwargs)
diff --git a/apps/perms/utils/asset/user_permission.py b/apps/perms/utils/asset/user_permission.py
index 1ea189230..5baa93d01 100644
--- a/apps/perms/utils/asset/user_permission.py
+++ b/apps/perms/utils/asset/user_permission.py
@@ -202,7 +202,9 @@ class UserGrantedTreeRefreshController:
         user = self.user
 
         with tmp_to_root_org():
-            UserAssetGrantedTreeNodeRelation.objects.filter(user=user).exclude(org_id__in=self.org_ids).delete()
+            UserAssetGrantedTreeNodeRelation.objects.filter(user=user)\
+                .exclude(org_id__in=self.org_ids)\
+                .delete()
 
         if force or self.have_need_refresh_orgs():
             with UserGrantedTreeRebuildLock(user_id=user.id):
@@ -219,7 +221,9 @@ class UserGrantedTreeRefreshController:
                         utils = UserGrantedTreeBuildUtils(user)
                         utils.rebuild_user_granted_tree()
                         logger.info(
-                            f'Rebuild user tree ok: cost={time.time() - t_start} user={self.user} org={current_org}')
+                            f'Rebuild user tree ok: cost={time.time() - t_start} '
+                            f'user={self.user} org={current_org}'
+                        )
 
 
 class UserGrantedUtilsBase:
diff --git a/apps/rbac/builtin.py b/apps/rbac/builtin.py
index ce735ce8f..4ce706a46 100644
--- a/apps/rbac/builtin.py
+++ b/apps/rbac/builtin.py
@@ -5,7 +5,7 @@ from .const import Scope, system_exclude_permissions, org_exclude_permissions
 # Todo: 获取应该区分 系统用户，和组织用户的权限
 # 工作台也区分组织后再考虑
 user_perms = (
-    ('rbac', 'menupermission', 'view', 'workspace'),
+    ('rbac', 'menupermission', 'view', 'workbench'),
     ('rbac', 'menupermission', 'view', 'webterminal'),
     ('rbac', 'menupermission', 'view', 'filemanager'),
     ('perms', 'permedasset', 'view,connect', 'myassets'),
@@ -17,6 +17,7 @@ user_perms = (
     ('ops', 'commandexecution', 'add', 'commandexecution'),
     ('authentication', 'connectiontoken', 'add', 'connectiontoken'),
     ('tickets', 'ticket', 'view', 'ticket'),
+    ('orgs', 'organization', 'view', 'rootorg'),
 )
 
 auditor_perms = user_perms + (
diff --git a/apps/rbac/migrations/0001_initial.py b/apps/rbac/migrations/0001_initial.py
index 5687bf574..d3f94f6f2 100644
--- a/apps/rbac/migrations/0001_initial.py
+++ b/apps/rbac/migrations/0001_initial.py
@@ -27,7 +27,7 @@ class Migration(migrations.Migration):
             ],
             options={
                 'verbose_name': 'Menu permission',
-                'permissions': [('view_console', 'Can view console view'), ('view_audit', 'Can view audit view'), ('view_workspace', 'Can view workspace view')],
+                'permissions': [('view_console', 'Can view console view'), ('view_audit', 'Can view audit view'), ('view_workspace', 'Can view workbench view')],
                 'default_permissions': [],
             },
         ),
diff --git a/apps/rbac/migrations/0005_auto_20220307_1524.py b/apps/rbac/migrations/0005_auto_20220307_1524.py
index afc8ea8ba..ba4427709 100644
--- a/apps/rbac/migrations/0005_auto_20220307_1524.py
+++ b/apps/rbac/migrations/0005_auto_20220307_1524.py
@@ -12,6 +12,6 @@ class Migration(migrations.Migration):
     operations = [
         migrations.AlterModelOptions(
             name='menupermission',
-            options={'default_permissions': [], 'permissions': [('view_console', 'Can view console view'), ('view_audit', 'Can view audit view'), ('view_workspace', 'Can view workspace view'), ('view_webterminal', 'Can view web terminal'), ('view_filemanager', 'Can view file manager')], 'verbose_name': 'Menu permission'},
+            options={'default_permissions': [], 'permissions': [('view_console', 'Can view console view'), ('view_audit', 'Can view audit view'), ('view_workspace', 'Can view workbench view'), ('view_webterminal', 'Can view web terminal'), ('view_filemanager', 'Can view file manager')], 'verbose_name': 'Menu permission'},
         ),
     ]
diff --git a/apps/rbac/migrations/0006_auto_20220310_0616.py b/apps/rbac/migrations/0006_auto_20220310_0616.py
index 395b73f03..7e3ba72de 100644
--- a/apps/rbac/migrations/0006_auto_20220310_0616.py
+++ b/apps/rbac/migrations/0006_auto_20220310_0616.py
@@ -12,6 +12,6 @@ class Migration(migrations.Migration):
     operations = [
         migrations.AlterModelOptions(
             name='menupermission',
-            options={'default_permissions': [], 'permissions': [('view_console', 'Can view console view'), ('view_audit', 'Can view audit view'), ('view_workspace', 'Can view workspace view'), ('view_webterminal', 'Can view web terminal'), ('view_filemanager', 'Can view file manager') ], 'verbose_name': 'Menu permission'},
+            options={'default_permissions': [], 'permissions': [('view_console', 'Can view console view'), ('view_audit', 'Can view audit view'), ('view_workspace', 'Can view workbench view'), ('view_webterminal', 'Can view web terminal'), ('view_filemanager', 'Can view file manager') ], 'verbose_name': 'Menu permission'},
         ),
     ]
diff --git a/apps/rbac/migrations/0008_auto_20220411_1709.py b/apps/rbac/migrations/0008_auto_20220411_1709.py
new file mode 100644
index 000000000..319fa5a37
--- /dev/null
+++ b/apps/rbac/migrations/0008_auto_20220411_1709.py
@@ -0,0 +1,22 @@
+# Generated by Django 3.1.14 on 2022-04-11 09:09
+
+from django.db import migrations
+
+
+def migrate_workspace_to_workbench(apps, *args):
+    model = apps.get_model('auth', 'Permission')
+    model.objects.filter(codename='view_workspace').delete()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('rbac', '0007_auto_20220314_1525'),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name='menupermission',
+            options={'default_permissions': [], 'permissions': [('view_console', 'Can view console view'), ('view_audit', 'Can view audit view'), ('view_workbench', 'Can view workbench view'), ('view_webterminal', 'Can view web terminal'), ('view_filemanager', 'Can view file manager')], 'verbose_name': 'Menu permission'},
+        ),
+    ]
diff --git a/apps/rbac/migrations/0009_auto_20220411_1724.py b/apps/rbac/migrations/0009_auto_20220411_1724.py
new file mode 100644
index 000000000..4ffb51068
--- /dev/null
+++ b/apps/rbac/migrations/0009_auto_20220411_1724.py
@@ -0,0 +1,19 @@
+# Generated by Django 3.1.14 on 2022-04-11 09:24
+
+from django.db import migrations
+
+
+def migrate_workspace_to_workbench(apps, *args):
+    model = apps.get_model('auth', 'Permission')
+    model.objects.filter(codename='view_workspace').delete()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('rbac', '0008_auto_20220411_1709'),
+    ]
+
+    operations = [
+        migrations.RunPython(migrate_workspace_to_workbench)
+    ]
diff --git a/apps/rbac/models/menu.py b/apps/rbac/models/menu.py
index 524894664..48538199b 100644
--- a/apps/rbac/models/menu.py
+++ b/apps/rbac/models/menu.py
@@ -14,7 +14,7 @@ class MenuPermission(models.Model):
         permissions = [
             ('view_console', _('Can view console view')),
             ('view_audit', _('Can view audit view')),
-            ('view_workspace', _('Can view workspace view')),
+            ('view_workbench', _('Can view workbench view')),
             ('view_webterminal', _('Can view web terminal')),
             ('view_filemanager', _('Can view file manager')),
         ]
diff --git a/apps/rbac/tree.py b/apps/rbac/tree.py
index 5ea43e5ee..dfccafa8f 100644
--- a/apps/rbac/tree.py
+++ b/apps/rbac/tree.py
@@ -1,7 +1,7 @@
 #!/usr/bin/python
+import os
 from collections import defaultdict
 from typing import Callable
-import os
 
 from django.utils.translation import gettext_lazy as _, gettext, get_language
 from django.conf import settings
@@ -24,7 +24,7 @@ root_node_data = {
 # 第二层 view 节点，手动创建的
 view_nodes_data = [
     {'id': 'view_console', 'name': _('Console view')},
-    {'id': 'view_workspace', 'name': _('Workspace view')},
+    {'id': 'view_workbench', 'name': _('Workbench view')},
     {'id': 'view_audit', 'name': _('Audit view')},
     {'id': 'view_setting', 'name': _('System setting')},
     {'id': 'view_other', 'name': _('Other')},
@@ -55,8 +55,8 @@ extra_nodes_data = [
     {"id": "app_change_plan_node", "name": _("App change auth"), "pId": "accounts"},
     {"id": "asset_change_plan_node", "name": _("Asset change auth"), "pId": "accounts"},
     {"id": "terminal_node", "name": _("Terminal setting"), "pId": "view_setting"},
-    {'id': "my_assets", "name": _("My assets"), "pId": "view_workspace"},
-    {'id': "my_apps", "name": _("My apps"), "pId": "view_workspace"},
+    {'id': "my_assets", "name": _("My assets"), "pId": "view_workbench"},
+    {'id': "my_apps", "name": _("My apps"), "pId": "view_workbench"},
 ]
 
 # 将 model 放到其它节点下，而不是本来的 app 中
@@ -89,7 +89,7 @@ special_pid_mapper = {
     'audits.ftplog': 'terminal',
     'perms.view_myassets': 'my_assets',
     'perms.view_myapps': 'my_apps',
-    'ops.add_commandexecution': 'view_workspace',
+    'ops.add_commandexecution': 'view_workbench',
     'ops.view_commandexecution': 'audits',
     "perms.view_mykubernetsapp": "my_apps",
     "perms.connect_mykubernetsapp": "my_apps",
@@ -102,9 +102,9 @@ special_pid_mapper = {
     "settings.view_setting": "view_setting",
     "rbac.view_console": "view_console",
     "rbac.view_audit": "view_audit",
-    "rbac.view_workspace": "view_workspace",
-    "rbac.view_webterminal": "view_workspace",
-    "rbac.view_filemanager": "view_workspace",
+    "rbac.view_workbench": "view_workbench",
+    "rbac.view_webterminal": "view_workbench",
+    "rbac.view_filemanager": "view_workbench",
     'tickets.view_ticket': 'tickets'
 }
 
diff --git a/apps/templates/_base_asset_tree_list.html b/apps/templates/_base_asset_tree_list.html
deleted file mode 100644
index a989a4da1..000000000
--- a/apps/templates/_base_asset_tree_list.html
+++ /dev/null
@@ -1,54 +0,0 @@
-{% extends 'base.html' %}
-{% load static %}
-{% load i18n %}
-
-{% block help_message %}
-{% endblock %}
-
-{% block content %}
-<div class="wrapper wrapper-content">
-   <div class="row">
-       <div class="col-sm-3" id="split-left" style="padding-left: 3px;padding-right: 0">
-           {% include 'assets/_node_tree.html' %}
-       </div>
-       <div class="col-sm-9 animated fadeInRight" id="split-right">
-           <div class="tree-toggle" style="z-index: 10">
-               <div class="btn btn-sm btn-primary tree-toggle-btn" onclick="toggleSpliter()">
-                   <i class="fa fa-angle-left fa-x" id="toggle-icon"></i>
-               </div>
-           </div>
-           <div class="mail-box-header">
-               {% block table_container %}
-                    <table class="table table-striped table-bordered table-hover" id="{% block table_id %}editable{% endblock %}" >
-                        <thead>
-                            <tr>
-                                {% block table_head %} {% endblock %}
-                            </tr>
-                        </thead>
-                        <tbody>
-                        {% block table_body %} {% endblock %}
-                        </tbody>
-                    </table>
-                {% endblock %}
-           </div>
-       </div>
-   </div>
-</div>
-<script>
-var showTree = 1;
-function toggleSpliter() {
-    if (showTree === 1) {
-        $("#split-left").hide(500, function () {
-            $("#split-right").attr("class", "col-sm-12");
-            $("#toggle-icon").attr("class", "fa fa-angle-right fa-x");
-            showTree = 1;
-        });
-    } else {
-        $("#split-right").attr("class", "col-sm-9");
-        $("#toggle-icon").attr("class", "fa fa-angle-left fa-x");
-        $("#split-left").show(500);
-        showTree = 0;
-    }
-}
-</script>
-{% endblock %}
diff --git a/apps/templates/_base_create_update.html b/apps/templates/_base_create_update.html
deleted file mode 100644
index d206d40b2..000000000
--- a/apps/templates/_base_create_update.html
+++ /dev/null
@@ -1,43 +0,0 @@
-{% extends 'base.html' %}
-{% load i18n %}
-{% load static %}
-{% load bootstrap3 %}
-{% block custom_head_css_js %}
-    <script type="text/javascript" src="{% static 'js/pwstrength-bootstrap.js' %}"></script>
-    {% block custom_head_css_js_create %} {% endblock %}
-{% endblock %}
-
-{% block content %}
-    <div class="wrapper wrapper-content animated fadeInRight">
-        <div class="row">
-            <div class="col-sm-12">
-                <div class="ibox float-e-margins">
-                    <div class="ibox-title">
-                        <h5>{{ action }}</h5>
-                        <div class="ibox-tools">
-                            <a class="collapse-link">
-                                <i class="fa fa-chevron-up"></i>
-                            </a>
-                            <a class="dropdown-toggle" data-toggle="dropdown" href="#">
-                                <i class="fa fa-wrench"></i>
-                            </a>
-                            <a class="close-link">
-                                <i class="fa fa-times"></i>
-                            </a>
-                        </div>
-                    </div>
-                    <div class="ibox-content">
-                        {% if form.errors.all %}
-                            <div class="alert alert-danger" style="margin: 20px auto 0px">
-                                {{ form.errors.all }}
-                            </div>
-                        {% endif %}
-                        {% block form %}
-                        {% endblock %}
-                    </div>
-                </div>
-            </div>
-        </div>
-    </div>
-{% endblock %}
-
diff --git a/apps/templates/_base_list.html b/apps/templates/_base_list.html
deleted file mode 100644
index 9759081bd..000000000
--- a/apps/templates/_base_list.html
+++ /dev/null
@@ -1,70 +0,0 @@
-{% extends 'base.html' %}
-{% load static %}
-{% load i18n %}
-{% block content %}
-<div class="wrapper wrapper-content animated fadeInRight">
-    <div class="row">
-        <div class="col-sm-12">
-            <div class="ibox float-e-margins">
-                <div class="ibox-title">
-                    <h5>
-                        {{ action }}
-                    </h5>
-                    <div class="ibox-tools">
-                        <a class="collapse-link">
-                            <i class="fa fa-chevron-up"></i>
-                        </a>
-                        <a class="dropdown-toggle" data-toggle="dropdown" href="#">
-                            <i class="fa fa-wrench"></i>
-                        </a>
-                        <a class="close-link">
-                            <i class="fa fa-times"></i>
-                        </a>
-                    </div>
-                </div>
-                <div class="ibox-content">
-                    <div class="" id="content_start">
-                        {% block content_left_head %} {% endblock %}
-                        {% block table_search %}
-                        <form id="search_form" method="get" action="" class="pull-right mail-search form-inline">
-                            {% block search_form %}
-                            <div class="input-group">
-                                <input type="text" class="form-control input-sm" name="keyword" placeholder="Search" value="{{ keyword }}">
-                            </div>
-                            <div class="input-group">
-                                <div class="input-group-btn">
-                                    <button id='search_btn' type="submit" class="btn btn-sm btn-primary">
-                                        {% trans 'Search' %}
-                                    </button>
-                                </div>
-                            </div>
-                            {% endblock %}
-                        </form>
-                        {% endblock %}
-                    </div>
-                    {% block table_container %}
-                    <table class="table table-striped table-bordered table-hover" id="editable" >
-                        <thead>
-                            <tr>
-                                {% block table_head %} {% endblock %}
-                            </tr>
-                        </thead>
-                        <tbody>
-                        {% block table_body %} {% endblock %}
-                        </tbody>
-                    </table>
-                    {% endblock %}
-                    <div class="row">
-                        <div class="col-sm-4">
-                            {% block content_bottom_left %} {% endblock %}
-                        </div>
-                        {% block table_pagination %}
-                        {% include '_pagination.html' %}
-                        {% endblock %}
-                    </div>
-                </div>
-            </div>
-        </div>
-    </div>
-</div>
-{% endblock %}
diff --git a/apps/templates/_nav.html b/apps/templates/_nav.html
deleted file mode 100644
index e69de29bb..000000000
diff --git a/apps/templates/_nav_user.html b/apps/templates/_nav_user.html
deleted file mode 100644
index e69de29bb..000000000
diff --git a/apps/templates/_pagination.html b/apps/templates/_pagination.html
deleted file mode 100644
index cf23b04fa..000000000
--- a/apps/templates/_pagination.html
+++ /dev/null
@@ -1,66 +0,0 @@
-{% load i18n %}
-{% load common_tags %}
-   {% if is_paginated %}
-   <div class="col-sm-4">
-       <div class="dataTables_info text-center" id="editable_info" role="status" aria-live="polite">
-{#           显示第 {{ page_obj.start_index }} 至 {{ page_obj.end_index }} 项结果，共 {{ paginator.count }} 项#}
-       </div>
-   </div>
-   <div class="col-sm-4">
-       <div class="dataTables_paginate paging_simple_numbers" id="editable_paginate">
-           <ul class="pagination" style="margin-top: 0; float: right">
-               {% if page_obj.has_previous %}
-                   <li class="paginate_button previous" aria-controls="editable" tabindex="0" id="previous">
-                       <a data-page="next" class="page" href="?page={{ page_obj.previous_page_number}}">‹</a>
-                   </li>
-               {% endif %}
-
-               {% for page in paginator.num_pages|pagination_range:page_obj.number %}
-                   {% if page == page_obj.number %}
-                       <li class="paginate_button active" aria-controls="editable" tabindex="0">
-                   {% else %}
-                       <li class="paginate_button" aria-controls="editable" tabindex="0">
-                   {% endif %}
-                           <a class="page" href="?page={{ page }}" title="第{{ page }}页">{{ page }}</a>
-                       </li>
-               {% endfor %}
-
-               {% if page_obj.has_next %}
-                   <li class="paginate_button next" aria-controls="editable" tabindex="0" id="next">
-                       <a data-page="next" class="page" href="?page={{ page_obj.next_page_number }}">›</a>
-                   </li>
-               {% endif %}
-           </ul>
-       </div>
-   </div>
-   {% endif %}
-<script>
-    $(document).ready(function () {
-        $('.page').click(function () {
-            var searchStr = location.search;
-            var old_href = $(this).attr('href').replace('?', '');
-            var searchArray = searchStr.split('&');
-
-            if (searchStr === '') {
-                searchStr = '?page=1'
-            }
-
-            if (searchStr.indexOf('page') >= 0) {
-                searchArray.pop();
-            }
-
-            searchArray.push(old_href);
-            if (searchArray.length > 1) {
-                $(this).attr('href', searchArray.join('&'));
-            }
-        })
-
-        $('#editable_info').html(
-            "{% trans 'Displays the results of items _START_ to _END_; A total of _TOTAL_ entries' %}"
-                .replace('_START_', {{ page_obj.start_index }})
-                .replace('_END_', {{ page_obj.end_index }})
-                .replace('_TOTAL_', {{ paginator.count }})
-        )
-    });
-
-</script>
diff --git a/apps/templates/delete_confirm.html b/apps/templates/delete_confirm.html
deleted file mode 100644
index 94f017ca2..000000000
--- a/apps/templates/delete_confirm.html
+++ /dev/null
@@ -1,15 +0,0 @@
-{% load i18n %}
-<!DOCTYPE html>
-<html lang="en">
-<head>
-    <meta charset="UTF-8">
-    <title>{% trans 'Confirm delete' %}</title>
-</head>
-<body>
-<form action="" method="post">
-    {% csrf_token %}
-    <p>{% trans 'Are you sure delete' %} <b>{{ object.name }} </b> ?</p>
-    <input type="submit" value="Confirm" />
-</form>
-</body>
-</html>
\ No newline at end of file
diff --git a/apps/templates/index.html b/apps/templates/index.html
deleted file mode 100644
index a216ddac8..000000000
--- a/apps/templates/index.html
+++ /dev/null
@@ -1,618 +0,0 @@
-{% extends 'base.html' %}
-{% load i18n %}
-{% load static %}
-{% block content %}
-<div class="wrapper wrapper-content">
-    <div class="row">
-        <div class="col-sm-3">
-            <div class="ibox float-e-margins">
-                <div class="ibox-title">
-                    <span class="label label-success pull-right">Users</span>
-                    <h5>{% trans 'Total users' %}</h5>
-                </div>
-                <div class="ibox-content">
-                    <h1 class="no-margins"><a href="{% url 'users:user-list' %}"><span id="total_count_users"></span></a></h1>
-                    <small>All users</small>
-                </div>
-            </div>
-        </div>
-        <div class="col-sm-3">
-            <div class="ibox float-e-margins">
-                <div class="ibox-title">
-                    <span class="label label-info pull-right">Assets</span>
-                    <h5>{% trans 'Total assets' %}</h5>
-                </div>
-                <div class="ibox-content">
-                    <h1 class="no-margins"><a href="{% url 'assets:asset-list' %}"><span id="total_count_assets"></span></a></h1>
-                    <small>All assets</small>
-                </div>
-            </div>
-        </div>
-
-        <div class="col-sm-3">
-            <div class="ibox float-e-margins">
-                <div class="ibox-title">
-                    <span class="label label-primary pull-right">Online</span>
-                    <h5>{% trans 'Online users' %}</h5>
-                </div>
-                <div class="ibox-content">
-                    <h1 class="no-margins"><a href="{% url 'terminal:session-online-list' %}"> <span id="total_count_online_users"></span></a></h1>
-                    <small>Online users</small>
-                </div>
-            </div>
-        </div>
-
-        <div class="col-sm-3">
-            <div class="ibox float-e-margins">
-                <div class="ibox-title">
-                    <span class="label label-danger pull-right">Connected</span>
-                    <h5>{% trans 'Online sessions' %}</h5>
-
-                </div>
-                <div class="ibox-content">
-                        <h1 class="no-margins"><a href="{% url 'terminal:session-online-list' %}"> <span id="total_count_online_sessions"></span></a></h1>
-                    <small>Online sessions</small>
-                </div>
-            </div>
-        </div>
-    </div>
-    <div class="row">
-        <div class="col-sm-2 border-bottom white-bg dashboard-header" style="margin-left:15px;height: 346px">
-            <small>{% trans 'In the past week, a total of ' %}<span class="text-info" id="dates_total_count_login_users"></span>{% trans ' users have logged in ' %}<span class="text-success" id="dates_total_count_login_times"></span>{% trans ' times asset.' %}</small>
-            <ul class="list-group clear-list m-t" id="dates_login_times_top5_users">
-            </ul>
-        </div>
-        <div class="col-sm-7" id="dates_metrics_echarts" style="margin-left: -15px;height: 346px;padding: 15px 0 15px 0;"></div>
-        <div class="col-sm-3 white-bg" id="top1" style="margin-left: -15px;height: 346px">
-            <div class="statistic-box">
-                <h4>
-                    {% trans 'Active user asset ratio' %}
-                </h4>
-                <p>
-                    {% trans 'The following graphs describe the percentage of active users per month and assets per user host per month, respectively.' %}
-                </p>
-                <div class="row text-center">
-                    <div class="col-sm-6">
-                        <div id="dates_total_count_users_pie"  style="width: 140px; height: 140px;">
-                        </div>
-                        <h5>{% trans 'User' %}</h5>
-                    </div>
-                    <div class="col-sm-6">
-                        <div id="dates_total_count_assets_pie" style="width: 140px; height: 140px;"></div>
-                        <h5>{% trans 'Asset' %}</h5>
-                    </div>
-                </div>
-                <div class="m-t">
-                    <small></small>
-                </div>
-            </div>
-        </div>
-    </div>
-    <br/>
-
-    <div class="row">
-        <div class="col-sm-4">
-            <div class="ibox float-e-margins">
-                <div class="ibox-title">
-                    <h5>{% trans 'Top 10 assets in a week' %}</h5>
-                    <div class="ibox-tools">
-                        <a class="collapse-link">
-                            <i class="fa fa-chevron-up"></i>
-                        </a>
-                        <a class="dropdown-toggle" data-toggle="dropdown" href="#">
-                            <i class="fa fa-wrench"></i>
-                        </a>
-                        <ul class="dropdown-menu dropdown-user"></ul>
-                        <a class="close-link">
-                            <i class="fa fa-times"></i>
-                        </a>
-                    </div>
-                </div>
-                <div class="ibox-content ibox-heading">
-                    <h3><i class="fa fa-inbox"></i>{% trans 'Top 10 assets in a week'%}</h3>
-                    <small><i class="fa fa-map-marker"></i>{% trans 'Login frequency and last login record.' %}</small>
-                </div>
-                <div class="ibox-content inspinia-timeline" id="dates_login_times_top10_assets">
-                </div>
-            </div>
-        </div>
-        <div class="col-sm-4">
-            <div class="ibox float-e-margins">
-                <div class="ibox-title">
-                    <h5>{% trans 'Last 10 login' %}</h5>
-                    <div class="ibox-tools">
-                        <span class="label label-info-light">10 Messages</span>
-                       </div>
-                </div>
-                <div class="ibox-content ibox-heading">
-                    <h3><i class="fa fa-paper-plane-o"></i> {% trans 'Login record' %}</h3>
-                    <small><i class="fa fa-map-marker"></i>{% trans 'Last 10 login records.' %}</small>
-                </div>
-                <div class="ibox-content">
-                    <div>
-                        <div class="feed-activity-list" id="dates_login_record_top10_sessions">
-                        </div>
-                    </div>
-                </div>
-            </div>
-        </div>
-
-        <div class="col-sm-4">
-            <div class="ibox float-e-margins">
-                <div class="ibox-title">
-                    <h5>{% trans 'Top 10 users in a week' %}</h5>
-                    <div class="ibox-tools">
-                        <a class="collapse-link">
-                            <i class="fa fa-chevron-up"></i>
-                        </a>
-                        <a class="dropdown-toggle" data-toggle="dropdown" href="#">
-                            <i class="fa fa-wrench"></i>
-                        </a>
-                        <ul class="dropdown-menu dropdown-user"></ul>
-                        <a class="close-link">
-                            <i class="fa fa-times"></i>
-                        </a>
-                    </div>
-                </div>
-                <div class="ibox-content ibox-heading">
-                    <h3><i class="fa fa-user"></i>{% trans 'Top 10 users in a week' %}</h3>
-                    <small><i class="fa fa-map-marker"></i>{% trans 'User login frequency and last login record.' %}</small>
-                </div>
-                <div class="ibox-content inspinia-timeline" id="dates_login_times_top10_users">
-                </div>
-            </div>
-        </div>
-    </div>
-</div>
-
-{% endblock %}
-
-{% block custom_foot_js %}
-<script src="{% static 'js/plugins/echarts/echarts.js' %}"></script>
-<script>
-
-function requireMonthMetricsECharts(data){
-    require(
-        [
-            'echarts',
-            'echarts/chart/line'
-        ],
-        function (ec) {
-            var monthMetricsECharts = ec.init(document.getElementById('dates_metrics_echarts'));
-            var option = {
-                title : {
-                    text: "{% trans 'Monthly data overview' %}",
-                    subtext: "{% trans 'History summary in one month' %}",
-                    x: 'center'
-                },
-                tooltip : {
-                    trigger: 'axis'
-                },
-                backgroundColor: '#fff',
-                legend: {
-                    data:["{% trans 'Login count' %}", "{% trans 'Active users' %}", "{% trans 'Active assets' %}"],
-                    y: 'bottom'
-                },
-                toolbox: {
-                    show : false,
-                    feature : {
-                        magicType : {show: true, type: ['line', 'bar']}
-                    }
-                },
-                calculable : true,
-                xAxis : [
-                    {
-                        type : 'category',
-                        boundaryGap : false,
-                        data : data['dates_metrics_date'],
-                    }
-                ],
-                yAxis : [
-                    {
-                        type : 'value'
-                    }
-                ],
-                series : [
-                    {
-                        name: "{% trans 'Login count' %}",
-                        type:'line',
-                        smooth: true,
-                        itemStyle: {normal: {areaStyle: {type: 'default'}}},
-                        data: data['dates_metrics_total_count_login']
-                    },
-                    {
-                        name: "{% trans 'Active users' %}",
-                        type: 'line',
-                        smooth: true,
-                        itemStyle: {normal: {areaStyle: {type: 'default'}}},
-                        data: data['dates_metrics_total_count_active_users']
-                    },
-                    {
-                        name:"{% trans 'Active assets' %}",
-                        type:'line',
-                        smooth:true,
-                        itemStyle: {normal: {areaStyle: {type: 'default'}}},
-                        data: data['dates_metrics_total_count_active_assets']
-                    }
-                ]
-            };
-            monthMetricsECharts.setOption(option);
-        }
-    );
-
-}
-
-function requireMonthTotalCountUsersPie(data){
-    require(
-        [
-            'echarts',
-            'echarts/chart/pie'
-        ],
-        function (ec) {
-            var monthTotalCountUsersPie = ec.init(document.getElementById('dates_total_count_users_pie'));
-            var option = {
-                tooltip : {
-                    trigger: 'item',
-                    formatter: "{b} <br> {c} <br> ({d}%)"
-                },
-                legend: {
-                    show: false,
-                    orient : 'vertical',
-                    x : 'left',
-                    data:["{% trans 'Monthly active users' %}", "{% trans 'Disable user' %}", "{% trans 'Month not logged in user' %}"]
-                },
-                toolbox: {
-                    show : false,
-                    feature : {
-                        mark : {show: true},
-                        dataView : {show: true, readOnly: false},
-                        magicType : {
-                            show: true,
-                            type: ['pie', 'funnel'],
-                            option: {
-                                funnel: {
-                                    x: '25%',
-                                    width: '50%',
-                                    funnelAlign: 'center',
-                                    max: 1548
-                                }
-                            }
-                        },
-                        restore : {show: true},
-                        saveAsImage : {show: true}
-                    }
-                },
-                calculable : true,
-                series : [
-                    {
-                        name:"{% trans 'Access to the source' %}",
-                        type:'pie',
-                        radius : ['50%', '70%'],
-                        avoidLabelOverlap: false,
-                        itemStyle : {
-                            normal : {
-                                label : {
-                                    show : false
-                                },
-                                labelLine : {
-                                    show : false
-                                }
-                            },
-                            emphasis : {
-                                label : {
-                                    show : true,
-                                    position : 'center',
-                                    textStyle : {
-                                        fontSize : '5',
-                                        fontWeight : 'bold'
-                                    }
-                                }
-                            }
-                        },
-                        data:[
-                            {value:data['dates_total_count_active_users'], name:"{% trans 'Monthly active users' %}"},
-                            {value:data['dates_total_count_disabled_users'], name:"{% trans 'Disable user' %}"},
-                            {value:data['dates_total_count_inactive_users'], name:"{% trans 'Month not logged in user' %}"}
-                        ]
-                    }
-                ]
-            };
-            monthTotalCountUsersPie.setOption(option);
-        }
-    );
-}
-
-function requireMonthTotalCountAssetsPie(data){
-    require(
-        [
-            'echarts',
-            'echarts/chart/pie'
-        ],
-        function (ec) {
-            var monthTotalCountAssetsPie = ec.init(document.getElementById('dates_total_count_assets_pie'));
-            var option = {
-                tooltip : {
-                    trigger: 'item',
-                    formatter: "{b} <br> {c} <br> ({d}%)"
-                },
-                legend: {
-                    show: false,
-                    orient : 'vertical',
-                    x : 'left',
-                    data:["{% trans 'Month is logged into the asset' %}", "{% trans 'Disable host' %}", "{% trans 'Month not logged on host' %}"]
-                },
-                toolbox: {
-                    show : false,
-                    feature : {
-                        mark : {show: true},
-                        dataView : {show: true, readOnly: false},
-                        magicType : {
-                            show: true,
-                            type: ['pie', 'funnel'],
-                            option: {
-                                funnel: {
-                                    x: '25%',
-                                    width: '50%',
-                                    funnelAlign: 'center',
-                                    max: 1548
-                                }
-                            }
-                        },
-                        restore : {show: true},
-                        saveAsImage : {show: true}
-                    }
-                },
-                calculable : true,
-                series : [
-                    {
-                        name:"{% trans 'Access to the source' %}",
-                        type:'pie',
-                        radius : ['50%', '70%'],
-                        itemStyle : {
-                            normal : {
-                                label : {
-                                    show : false
-                                },
-                                labelLine : {
-                                    show : false
-                                }
-                            },
-                            emphasis : {
-                                label : {
-                                    show : true,
-                                    position : 'center',
-                                    textStyle : {
-                                        fontSize : '5',
-                                        fontWeight : 'bold'
-                                    }
-                                }
-                            }
-                        },
-                        data:[
-                            {value:data['dates_total_count_active_assets'], name:"{% trans 'Month is logged into the host' %}"},
-                            {value:data['dates_total_count_disabled_assets'], name:"{% trans 'Disable host' %}"},
-                            {value:data['dates_total_count_inactive_assets'], name:"{% trans 'Month not logged on host' %}"}
-                        ]
-                    }
-                ]
-            };
-            monthTotalCountAssetsPie.setOption(option);
-        }
-    );
-}
-
-var indexUrl = "/api/v1/index/";
-
-function renderRequestApi(query, success, error){
-    var url = indexUrl + "?" + query;
-    if (!error){
-        error = function (){console.log("Request url error: " + url)}
-    }
-    requestApi({
-        url: url,
-        method: "GET",
-        success: success,
-        error: error,
-        flash_message: false,
-    })
-}
-
-function renderTotalCount(){
-     var success = function (data) {
-         $('#total_count_assets').html(data['total_count_assets']);
-         $('#total_count_users').html(data['total_count_users']);
-         $('#total_count_online_users').html(data['total_count_online_users']);
-         $('#total_count_online_sessions').html(data['total_count_online_sessions']);
-     };
-    renderRequestApi('total_count=1', success);
-}
-
-function renderMonthMetricsECharts(){
-    var success = function (data) {
-        requireMonthMetricsECharts(data)
-    };
-    renderRequestApi('dates_metrics=1', success)
-}
-
-function renderMonthTotalCountUsersPie(){
-    var success = function (data) {
-        requireMonthTotalCountUsersPie(data)
-    };
-    renderRequestApi('dates_total_count_users=1', success)
-
-}
-
-function renderMonthTotalCountAssetsPie(){
-    var success = function (data) {
-        requireMonthTotalCountAssetsPie(data)
-    };
-    renderRequestApi('dates_total_count_assets=1', success)
-}
-
-function renderWeekTotalCount(){
-    var success = function (data) {
-        $('#dates_total_count_login_users').html(data['dates_total_count_login_users']);
-        $('#dates_total_count_login_times').html(data['dates_total_count_login_times'])
-    };
-    renderRequestApi('dates_total_count=1', success)
-}
-
-function renderWeekLoginTimesTop5Users(){
-    var success = function (data){
-        var html = "";
-        var html_cell = "" +
-            "<li class=\"list-group-item fist-item\">" +
-            "<span class=\"pull-right\">" +
-            "{TOTAL} {% trans ' times/week' %}" +
-            "</span>" +
-            "<span class=\"label \">{INDEX}</span> {USER}" +
-            "</li>";
-
-        $.each(data['dates_login_times_top5_users'], function(index, value){
-            html += html_cell.replace('{TOTAL}', value['total'])
-                .replace('{USER}', value['user'])
-                .replace('{INDEX}', index+1)
-        });
-        $('#dates_login_times_top5_users').html(html)
-    };
-    renderRequestApi('dates_login_times_top5_users=1', success)
-}
-
-function renderWeekLoginTimesTop10Assets(){
-    var success = function (data){
-        var html = "";
-        var html_cell = "" +
-            "<div class=\"timeline-item\">" +
-            "<div class=\"row\">" +
-            "<div class=\"col-xs-5 date ellipsis\">" +
-            "<i class=\"fa fa-info-circle\"></i>" +
-            "<strong data-toggle=\"tooltip\" title=\"{ASSET}\">{ASSET}</strong>" +
-            "<br/>" +
-            "<small class=\"text-navy\">{TOTAL}{% trans ' times' %}</small>" +
-            "</div>" +
-            "<div class=\"col-xs-7 content no-top-border\">" +
-            "<p class=\"m-b-xs\">{% trans 'The time last logged in' %}</p>" +
-            "<p>{% trans 'At' %} {DATE_LAST}</p>" +
-            "</div>" +
-            "</div>" +
-            "</div>";
-
-        var assets = data['dates_login_times_top10_assets'];
-        if (assets.length !== 0){
-            $.each(assets, function(index, value){
-                html += html_cell
-                    .replaceAll('{ASSET}', value['asset'])
-                    .replace('{TOTAL}', value['total'])
-                    .replace('{DATE_LAST}', toSafeLocalDateStr(value['last']))
-            });
-        }
-        else{
-            html += "<p class=\"text-center\">{% trans '(No)' %}</p>"
-        }
-        $('#dates_login_times_top10_assets').html(html)
-    };
-    renderRequestApi('dates_login_times_top10_assets=1', success)
-}
-
-function renderWeekLoginTimesTop10Users(){
-    var success = function (data){
-        var html = "";
-        var html_cell = "" +
-            "<div class=\"timeline-item\">" +
-            "<div class=\"row\">" +
-            "<div class=\"col-xs-5 date ellipsis\">" +
-            "<i class=\"fa fa-info-circle\"></i>" +
-            "<strong data-toggle=\"tooltip\" title=\"{USER}\">{USER}</strong>" +
-            "<br/>" +
-            "<small class=\"text-navy\">{TOTAL}{% trans ' times' %}</small>" +
-            "</div>" +
-            "<div class=\"col-xs-7 content no-top-border\">" +
-            "<p class=\"m-b-xs\">{% trans 'The time last logged in' %}</p>" +
-            "<p>{% trans 'At' %} {DATE_LAST}</p>" +
-            "</div>" +
-            "</div>" +
-            "</div>";
-
-        var users = data['dates_login_times_top10_users'];
-        if (users.length !== 0){
-            $.each(users, function(index, value){
-                html += html_cell.replaceAll('{USER}', value['user'])
-                    .replace('{TOTAL}', value['total'])
-                    .replace('{DATE_LAST}', toSafeLocalDateStr(value['last']))
-            });
-        }
-        else{
-            html += "<p class=\"text-center\">{% trans '(No)' %}</p>"
-        }
-        $('#dates_login_times_top10_users').html(html)
-    };
-    renderRequestApi('dates_login_times_top10_users=1', success)
-}
-
-function renderWeekLoginRecordTop10Sessions(){
-    var success = function (data){
-        var html = "";
-        var html_cell = "" +
-            "<div class=\"feed-element\">" +
-            "<a href=\"#\" class=\"pull-left\">" +
-            "<img alt=\"image\" class=\"img-circle\" src=\"{% static 'img/avatar/user.png' %}\">" +
-            "</a>" +
-            "<div class=\"media-body \">" +
-            "<small class=\"pull-right {TEXT_NAVY}\">{TIMESINCE} {% trans 'Before' %}</small>" +
-            "<strong>{USER}</strong> {% trans 'Login in ' %}{ASSET} <br>" +
-            "<small class=\"text-muted\">{DATE_START}</small>" +
-            "</div>" +
-            "</div>";
-
-        var users = data['dates_login_record_top10_sessions'];
-        if (users.length !== 0){
-            $.each(users, function(index, value){
-                console.log(value['is_finished'])
-                html += html_cell.replaceAll('{USER}', value['user'])
-                    .replace('{ASSET}', value['asset'])
-                    .replace('{DATE_START}', toSafeLocalDateStr(value['date_start']))
-                    .replace('{TEXT_NAVY}', value['is_finished']?'':'text-navy')
-                    .replace('{TIMESINCE}', value['timesince'])
-
-            });
-        }
-        else{
-            html += "<p class=\"text-center\">{% trans '(No)' %}</p>"
-        }
-        $('#dates_login_record_top10_sessions').html(html)
-
-    };
-    renderRequestApi('dates_login_record_top10_sessions=1', success)
-}
-
-function renderData(){
-    renderTotalCount();
-    renderMonthMetricsECharts();
-    renderMonthTotalCountUsersPie();
-    renderMonthTotalCountAssetsPie();
-    renderWeekTotalCount();
-    renderWeekLoginTimesTop5Users();
-    renderWeekLoginTimesTop10Assets();
-    renderWeekLoginRecordTop10Sessions();
-    renderWeekLoginTimesTop10Users();
-}
-
-require.config({
-    paths: {
-        'echarts': '/static/js/plugins/echarts/chart/',
-        'echarts/chart/line': '/static/js/plugins/echarts/chart/line',
-        'echarts/chart/pie': '/static/js/plugins/echarts/chart/pie'
-    }
-});
-
-$(document).ready(function(){
-    $('#show').click(function(){
-        $('#show').css('display', 'none');
-        $('#more').css('display', 'block');
-    });
-    $("[data-toggle='tooltip']").tooltip();
-    renderData()
-});
-</script>
-
-{% endblock %}
diff --git a/apps/terminal/api/session.py b/apps/terminal/api/session.py
index c78d48383..3193956e5 100644
--- a/apps/terminal/api/session.py
+++ b/apps/terminal/api/session.py
@@ -42,10 +42,9 @@ class MySessionAPIView(generics.ListAPIView):
     serializer_class = serializers.SessionSerializer
 
     def get_queryset(self):
-        with tmp_to_root_org():
-            user = self.request.user
-            qs = Session.objects.filter(user_id=user.id)
-            return qs
+        user = self.request.user
+        qs = Session.objects.filter(user_id=user.id)
+        return qs
 
 
 class SessionViewSet(OrgBulkModelViewSet):
diff --git a/apps/tickets/api/relation.py b/apps/tickets/api/relation.py
index 2dfa33146..5061e6c00 100644
--- a/apps/tickets/api/relation.py
+++ b/apps/tickets/api/relation.py
@@ -24,10 +24,11 @@ class TicketSessionApi(views.APIView):
 
     def get(self, request, *args, **kwargs):
         with tmp_to_root_org():
-            ticketsession = TicketSession.objects.filter(ticket=self.kwargs['ticket_id']).first()
-            if not ticketsession:
+            tid = self.kwargs['ticket_id']
+            ticket_session = TicketSession.objects.filter(ticket=tid).first()
+            if not ticket_session:
                 return Response(status=status.HTTP_404_NOT_FOUND)
 
-            session = ticketsession.session
+            session = ticket_session.session
             serializer = SessionSerializer(session)
             return Response(serializer.data)
diff --git a/apps/users/templates/users/_base_user_detail.html b/apps/users/templates/users/_base_user_detail.html
deleted file mode 100644
index 936037ab8..000000000
--- a/apps/users/templates/users/_base_user_detail.html
+++ /dev/null
@@ -1,26 +0,0 @@
-{% extends 'base.html' %}
-{% load static %}
-{% load i18n %}
-
-{% block content %}
-    <div class="wrapper wrapper-content animated fadeInRight">
-        <div class="row">
-            <div class="col-sm-12">
-                <div class="ibox float-e-margins">
-                    <div class="panel-options">
-                        <ul class="nav nav-tabs">
-                            {% include 'users/_user_detail_nav_header.html' %}
-
-                            {% block content_nav_delete_update %}
-                            {% endblock %}
-                        </ul>
-                    </div>
-                    <div class="tab-content">
-                        {% block content_table %}
-                        {% endblock %}
-                    </div>
-                </div>
-            </div>
-        </div>
-    </div>
-{% endblock %}
diff --git a/apps/users/templates/users/_granted_assets.html b/apps/users/templates/users/_granted_assets.html
deleted file mode 100644
index 9d5006910..000000000
--- a/apps/users/templates/users/_granted_assets.html
+++ /dev/null
@@ -1,222 +0,0 @@
-{% load i18n %}
-<div class="col-lg-3" style="padding-left: 0" id="split-left">
-   <div class="ibox float-e-margins">
-       <div class="ibox-content mailbox-content" style="padding-top: 0">
-           <div class="file-manager ">
-               <div id="assetTree" class="ztree">
-                   {% trans 'Loading' %} ...
-               </div>
-               <div class="clearfix"></div>
-           </div>
-       </div>
-   </div>
-</div>
-<div class="col-lg-9 animated fadeInRight" id="split-right">
-    <div class="tree-toggle">
-       <div class="btn btn-sm btn-primary tree-toggle-btn" onclick="toggle()">
-           <i class="fa fa-angle-left fa-x" id="toggle-icon"></i>
-       </div>
-    </div>
-    <div class="mail-box-header">
-        <table class="table table-striped table-bordered table-hover" id="user_assets_table" >
-            <thead>
-                <tr>
-                    <th class="text-center"><input type="checkbox" class="ipt_check_all"></th>
-                    <th class="text-center">{% trans 'Hostname' %}</th>
-                    <th class="text-center">{% trans 'IP' %}</th>
-                    <th class="text-center">{% trans 'System user' %}</th>
-                    {% if show_actions %}
-                    <th class="text-center">{% trans 'Action' %}</th>
-                    {% endif %}
-                </tr>
-            </thead>
-            <tbody>
-            </tbody>
-        </table>
-    </div>
-</div>
-<script>
-var zTree;
-var inited = false;
-var url;
-var assetTable;
-var treeUrl = "NeedInput";
-var assetTableUrl = 'NeedInput';
-var selectUrl = 'NeedInput';
-var systemUsersUrl = "NeedInput";
-var showAssetHref = true; // Need input default true
-var actions = {};
-var labels = '';
-var requesting = false;
-
-function initTable() {
-    if (inited){
-        return assetTable
-    } else {
-        inited = true;
-    }
-    var options = {
-        ele: $('#user_assets_table'),
-        columnDefs: [
-            {targets: 1, createdCell: function (td, cellData, rowData) {
-                cellData = htmlEscape(cellData);
-                var assetDetailUrl = '{% url 'assets:asset-detail' pk=DEFAULT_PK %}'
-                        .replace("{{ DEFAULT_PK }}", rowData.id);
-                var detailBtn = '<a href="assetDetailUrl" class="asset-detail" data-asset="assetId">' + cellData + '</a>';
-                if (showAssetHref) {
-                    cellData = detailBtn.replace("assetDetailUrl", assetDetailUrl);
-                } else {
-                    detailBtn = detailBtn.replace("assetId", rowData.id);
-                    cellData = detailBtn.replace("assetDetailUrl", "");
-                }
-                $(td).html(cellData);
-            }},
-            {targets: 3, createdCell: function (td, cellData) {
-                var innerHtml = '<a class="btn-show-system-users" data-aid="99999999"> {% trans "Show" %} </a>'
-                    .replace('99999999', cellData);
-                $(td).html(innerHtml);
-
-            }},
-        ],
-        ajax_url: assetTableUrl,
-        columns: [
-            {data: "id"}, {data: "hostname" }, {data: "ip" },
-            {data: "id", orderable: false},
-            {% if show_actions %}
-            {data: "id", orderable: false}
-            {% endif %}
-        ]
-    };
-    {% if show_actions %}
-    options.columnDefs.push(actions);
-    {% endif %}
-    assetTable = jumpserver.initServerSideDataTable(options);
-    return assetTable
-}
-
-function onSelected(event, treeNode) {
-    var node_id = treeNode.meta.node.id;
-    url = selectUrl.replace("{{ DEFAULT_PK }}", node_id);
-    assetTable.ajax.url(url);
-    assetTable.ajax.reload();
-}
-
-
-function initTree(refresh) {
-    var asyncUrl = setUrlParam(treeUrl, 'cache_policy', '1');
-    var setting = {
-        view: {
-            dblClickExpand: false,
-            showLine: true
-        },
-        data: {
-            simpleData: {
-                enable: true
-            }
-        },
-        async: {
-			enable: true,
-			url: asyncUrl,
-			autoParam: ["id=key", "name=n", "level=lv"],
-            type: 'get'
-		},
-        callback: {
-            onSelected: onSelected
-        }
-    };
-
-    $.get(treeUrl, function(data, status) {
-        if (data.length === 0) {
-            data.push({"name": "{% trans 'empty' %}", "id": ""})
-        }
-        zTree = $.fn.zTree.init($("#assetTree"), setting, data);
-        if (!refresh) {
-            initTable();
-        }
-        rootNodeAddDom(zTree, function () {
-            treeUrl = setUrlParam(treeUrl, 'cache_policy', '2');
-            initTree(true);
-        });
-    });
-}
-
-function getGrantedAssetSystemUsers(assetID, success) {
-    var url = systemUsersUrl.replace("{{ DEFAULT_PK }}", assetID);
-    requestApi({
-        url: url,
-        method: "GET",
-        success: success,
-        flash_message: false
-    })
-}
-
-function loadLabels() {
-    var labelListUrl = '{% url "api-assets:label-list" %}';
-    var label = '<li><a style="font-weight: bolder">labelName:labelValue</a></li>';
-    if (requesting) {
-        return
-    }
-    if (!labels) {
-        var data = {
-            url: labelListUrl,
-            method: "GET",
-            success: function (data) {
-                data.forEach(function (value) {
-                    labels += label.replace("labelName", value.name).replace("labelValue", value.value)
-                });
-                $(".labels-menu").append(labels);
-                requesting = false;
-            },
-            error: function() {
-                requesting = false;
-            },
-            flash_message: false
-        };
-        requesting = true;
-        requestApi(data)
-    }
-}
-
-var show = 0;
-
-function toggle() {
-    if (show === 0) {
-        $("#split-left").hide(500, function () {
-            $("#split-right").attr("class", "col-lg-12");
-            $("#toggle-icon").attr("class", "fa fa-angle-right fa-x");
-            show = 1;
-        });
-    } else {
-        $("#split-right").attr("class", "col-lg-9");
-        $("#toggle-icon").attr("class", "fa fa-angle-left fa-x");
-        $("#split-left").show(500);
-        show = 0;
-    }
-    setTimeout(function () {
-        $(".table").css("width", "100%");
-        {#assetTable.columns.adjust();#}
-    }, 500)
-}
-
-$(document).ready(function () {
-    {#loadLabels()#}
-}).on('click', '.labels-menu li', function () {
-    var val = $(this).text();
-    $("#user_assets_table_filter input").val(val);
-    assetTable.search(val).draw();
-}).on('click', '.btn-show-system-users', function () {
-    var $this = $(this);
-    var assetId = $this.data('aid');
-
-    function success(systemUsers) {
-        var users = [];
-        $.each(systemUsers, function (id, data) {
-            var name = htmlEscape(data.name);
-            users.push(name);
-        });
-        $this.parent().html(users.join(','))
-    }
-
-    getGrantedAssetSystemUsers(assetId, success)
-})
-</script>
diff --git a/apps/users/templates/users/_select_user_modal.html b/apps/users/templates/users/_select_user_modal.html
deleted file mode 100644
index 5395b0a05..000000000
--- a/apps/users/templates/users/_select_user_modal.html
+++ /dev/null
@@ -1,23 +0,0 @@
-{% extends '_modal.html' %}
-{% load i18n %}
-{% block modal_class %}modal-lg{% endblock %}
-{% block modal_id %}select_user_modal{% endblock %}
-{% block modal_title%}{% trans "Please Select User" %}{% endblock %}
-{% block modal_body %}
-<table class="table table-striped table-bordered table-hover " id="select_user_table" >
-    <thead>
-        <tr>
-            <th class="text-center">
-                <div class="checkbox checkbox-default"><input id="" type="checkbox" class="ipt_check_all"><label></label></div>
-            </th>
-            <th class="text-center">{% trans 'Name' %}</th>
-            <th class="text-center">{% trans 'Username' %}</th>
-            <th class="text-center">{% trans 'Role' %}</th>
-            <th class="text-center">{% trans 'User group' %}</th>
-            <th class="text-center">{% trans 'Asset num' %}</th>
-            <th class="text-center">{% trans 'Active' %}</th>
-        </tr>
-    </thead>
-</table>
-{% endblock %}
-{% block modal_confirm_id %}btn_select_user{% endblock %}
diff --git a/apps/users/templates/users/_user_detail_nav_header.html b/apps/users/templates/users/_user_detail_nav_header.html
deleted file mode 100644
index 28079e149..000000000
--- a/apps/users/templates/users/_user_detail_nav_header.html
+++ /dev/null
@@ -1,97 +0,0 @@
-{% load static %}
-{% load i18n %}
-
-<style>
-    .nav .open>a, .nav .open>a:hover, .nav .open>a:focus{
-        border-color: white;
-    }
-</style>
-
-<li id="id_nav_user_detail">
-    <a href="{% url 'users:user-detail' pk=object.id %}" class="text-center"><i class="fa fa-laptop"></i> {% trans 'User detail' %} </a>
-</li>
-<li id="id_nav_user_detail_user_permission" class="btn-group">
-    <a class="btn btn-sm dropdown-toggle" data-toggle="dropdown">
-        <span>{% trans "User permissions" %}</span>
-        <i class="caret"></i>
-    </a>
-
-    <ul class="dropdown-menu">
-        <li id="id_nav_user_detail_assets">
-            <a href="{% url 'users:user-granted-asset' pk=object.id %}" class="text-center">
-                <i class="fa fa-cubes"></i>
-                <span>{% trans 'Asset granted' %}</span>
-                <i class="highlight-circle"></i>
-            </a>
-
-        </li>
-        <li id="id_nav_user_detail_asset_permissions">
-            <a href="{% url 'users:user-asset-permission' pk=object.id %}" class="text-center">
-                <i class="fa fa-edit"></i>
-                <span>{% trans 'Asset permission' %}</span>
-                <i class="highlight-circle"></i>
-            </a>
-        </li>
-
-        {% if LICENSE_VALID %}
-        <li id="id_nav_user_detail_remote_apps">
-            <a href="{% url 'users:user-granted-remote-app' pk=object.id %}" class="text-center">
-                <i class="fa fa-desktop"></i>
-                <span>{% trans 'RemoteApp granted' %}</span>
-                <i class="highlight-circle"></i>
-            </a>
-        </li>
-        <li id="id_nav_user_detail_remote_app_permissions">
-            <a href="{% url 'users:user-remote-app-permission' pk=object.id %}" class="text-center">
-                <i class="fa fa-edit"></i>
-                <span>{% trans 'RemoteApp permission' %}</span>
-                <i class="highlight-circle"></i>
-            </a>
-        </li>
-        <li id="id_nav_user_detail_database_apps">
-            <a href="{% url 'users:user-granted-database-app' pk=object.id %}" class="text-center">
-                <i class="fa fa-database"></i>
-                <span>{% trans 'DatabaseApp granted' %}</span>
-                <i class="highlight-circle"></i>
-            </a>
-        </li>
-        <li id="id_nav_user_detail_database_app_permissions">
-            <a href="{% url 'users:user-database-app-permission' pk=object.id %}" class="text-center">
-                <i class="fa fa-edit"></i>
-                <span>{% trans 'DatabaseApp permission' %}</span>
-                <i class="highlight-circle"></i>
-            </a>
-        </li>
-        {% endif %}
-
-    </ul>
-</li>
-
-<script>
-function activeUserDetailNav(prefix) {
-    var path = document.location.pathname;
-    if (prefix) {
-        path = path.replace(prefix, '');
-        console.log(path);
-    }
-    var navId, navId2 = '';
-    var idPrefix = 'id_nav_user_detail';
-    var navUserDetailId = "#" + idPrefix;
-    var navUserPermissionId = "#" + idPrefix + "_user_permission";
-    var urlArray = path.split("/");
-    var page = urlArray[urlArray.length-2];
-
-    if (page === "{{ object.id }}" || page === undefined){
-        navId = navUserDetailId;
-    }
-    else{
-        navId = navUserPermissionId;
-        navId2 = "#" + idPrefix + '_' + page.replace(/-/g, '_');
-        var highlightCircle = '<span class="fa fa-circle" style="padding-left: 5px; color: #1ab394"></span>';
-        $(navId2 + '>a>i.highlight-circle').html(highlightCircle);
-        $(navId + '>a>span').html($(navId2 + '>a>span').html());
-    }
-    $(navId).addClass('active')
-}
-activeUserDetailNav("{{ FORCE_SCRIPT_NAME }}");
-</script>
\ No newline at end of file
diff --git a/apps/users/templates/users/_user_update_pk_modal.html b/apps/users/templates/users/_user_update_pk_modal.html
deleted file mode 100644
index a7ed525c4..000000000
--- a/apps/users/templates/users/_user_update_pk_modal.html
+++ /dev/null
@@ -1,8 +0,0 @@
-{% extends '_modal.html' %}
-{% load i18n %}
-{% block modal_id %}user_update_pk_modal{% endblock %}
-{% block modal_title%}{% trans "Update User SSH Public Key" %}{% endblock %}
-{% block modal_body %}
-<textarea id="txt_pk" class="form-control" cols="30" rows="10" placeholder="ssh-rsa AAAAB3NzaC1yc2EAA....."></textarea>
-{% endblock %}
-{% block modal_confirm_id %}btn_user_update_pk{% endblock %}
diff --git a/apps/users/templates/users/first_login.html b/apps/users/templates/users/first_login.html
deleted file mode 100644
index bffa2fc0e..000000000
--- a/apps/users/templates/users/first_login.html
+++ /dev/null
@@ -1,10 +0,0 @@
-{% extends '_base_only_content.html' %}
-{% load static %}
-{% load i18n %}
-{% load bootstrap3 %}
-
-{% block title %} {% trans 'First Login' %} {% endblock %}
-
-{% block content %}
-    使用UI重构这个页面
-{% endblock %}
diff --git a/apps/users/templates/users/first_login_done.html b/apps/users/templates/users/first_login_done.html
deleted file mode 100644
index ae43d032b..000000000
--- a/apps/users/templates/users/first_login_done.html
+++ /dev/null
@@ -1,54 +0,0 @@
-{% extends 'base.html' %}
-{% load static %}
-{% load i18n %}
-{% load bootstrap3 %}
-
-
-{% block custom_head_css_js %}
-{{ wizard.form.media }}
-<link href="{% static 'css/plugins/steps/jquery.steps.css' %}" rel="stylesheet">
-{% endblock %}
-{% block first_login_message %}{% endblock %}
-
-{% block content %}
-<div class="wrapper wrapper-content animated fadeInRight">
-  <div class="row">
-    <div class="col-sm-12">
-        <div class="ibox">
-            <div class="ibox-title">
-              <h5>{% trans 'First Login' %}</h5>
-                <div class="ibox-tools">
-                    <a class="collapse-link">
-                        <i class="fa fa-chevron-up"></i>
-                    </a>
-                    <a class="dropdown-toggle" data-toggle="dropdown" href="#">
-                        <i class="fa fa-wrench"></i>
-                    </a>
-                </div>
-            </div>
-            <div class="ibox-content">
-                <div class="alert alert-success" id="messages">
-                    {% trans 'Welcome to use jumpserver, visit ' %}
-                    <a href="{{ user_guide_url }}" target="_blank">{% trans 'Use guide' %}</a> {% trans ' for more information' %}
-                </div>
-            </div>
-        </div>
-    </div>
-  </div>
-</div>
-{% endblock %}
-
-
-{% block custom_foot_js %}
-<script>
-$(document).on('click', ".fl_goto", function(){
-  var $form = $('#fl_form');
-  $('<input />', {'name': 'wizard_goto_step', 'value': $(this).data('goto'), 'type': 'hidden'}).appendTo($form);
-  $form.submit();
-  return false;
-}).on('click', '#fl_submit', function(){
-  $('#fl_form').submit();
-  return false;
-})
-</script>
-{% endblock %}
diff --git a/apps/users/templates/users/user_asset_permission.html b/apps/users/templates/users/user_asset_permission.html
deleted file mode 100644
index d0975f4b8..000000000
--- a/apps/users/templates/users/user_asset_permission.html
+++ /dev/null
@@ -1,201 +0,0 @@
-{% extends 'users/_base_user_detail.html' %}
-{% load static %}
-{% load i18n %}
-
-{% block custom_head_css_js %}
-    <link href="{% static "css/plugins/sweetalert/sweetalert.css" %}" rel="stylesheet">
-    <script src="{% static "js/plugins/sweetalert/sweetalert.min.js" %}"></script>
-{% endblock %}
-
-
-{% block content_table %}
-<div class="col-sm-10" style="padding-left: 0">
-    <div class="ibox float-e-margins">
-        <div class="ibox-title">
-            <span class="label"><b>{{ object.name }}</b></span>
-            <div class="ibox-tools">
-                <a class="collapse-link">
-                    <i class="fa fa-chevron-up"></i>
-                </a>
-                <a class="dropdown-toggle" data-toggle="dropdown" href="#">
-                    <i class="fa fa-wrench"></i>
-                </a>
-                <ul class="dropdown-menu dropdown-user">
-                </ul>
-                <a class="close-link">
-                    <i class="fa fa-times"></i>
-                </a>
-            </div>
-        </div>
-        <div class="ibox-content">
-            <table class="table table-striped table-bordered table-hover"
-                   id="permission_list_table"
-                   style="width: 100%">
-                <thead>
-                <tr>
-                    <th></th>
-                    <th>{% trans 'Name' %}</th>
-                    <th class="text-center">{% trans 'User' %}</th>
-                    <th class="text-center">{% trans 'User group' %}</th>
-                    <th class="text-center">{% trans 'Asset' %}</th>
-                    <th class="text-center">{% trans 'Node' %}</th>
-                    <th class="text-center">{% trans 'System user' %}</th>
-                    <th class="text-center">{% trans 'Validity' %}</th>
-                    <th class="text-center">{% trans 'Action' %}</th>
-                </tr>
-                </thead>
-                <tbody>
-                </tbody>
-            </table>
-        </div>
-    </div>
-</div>
-
-{% include '_filter_dropdown.html' %}
-
-{% endblock %}
-
-{% block custom_foot_js %}
-<script>
-jumpserver.nodes_selected = {};
-function format(d) {
-    var data = "";
-    if (d.users.length > 0 ) {
-        data += makeLabel(["{% trans 'User' %}", d.users.join(", ")])
-    }
-    if (d.user_groups.length > 0) {
-        data += makeLabel(["{% trans 'User group' %}", d.user_groups.join(", ")])
-    }
-    if (d.assets.length > 0) {
-       data += makeLabel(["{% trans 'Asset' %}", d.assets.join(", ")])
-    }
-    if (d.nodes.length > 0) {
-        data += makeLabel(["{% trans 'Node' %}", d.nodes.join(", ")])
-    }
-    if (d.system_users.length > 0) {
-        data += makeLabel(["{% trans 'System user' %}", d.system_users.join(", ")])
-    }
-    if (d.actions.length > 0) {
-        data += makeLabel(["{% trans 'Action' %}", d.actions.join(", ")])
-    }
-    return data
-}
-
-function initTable() {
-    var options = {
-        ele: $('#permission_list_table'),
-        toggle: true,
-        columnDefs: [
-            {targets: 0, createdCell: function (td, cellData, rowData) {
-                $(td).addClass("toggle");
-                $(td).html("<i class='fa fa-angle-right'></i>");
-            }},
-            {targets: 1, createdCell: function (td, cellData, rowData) {
-                cellData = htmlEscape(cellData);
-                var detail_btn = '<a href="{% url "perms:asset-permission-detail" pk=DEFAULT_PK %}">' + cellData + '</a>';
-                $(td).html(detail_btn.replace('{{ DEFAULT_PK }}', rowData.id));
-            }},
-            {targets: 2, createdCell: function (td, cellData) {
-                var num = cellData.length;
-                $(td).html(num);
-            }},
-            {targets: 3, createdCell: function (td, cellData) {
-                var num = cellData.length;
-                $(td).html(num);
-            }},
-            {targets: 4, createdCell: function (td, cellData) {
-                var num = cellData.length;
-                $(td).html(num);
-            }},
-            {targets: 5, createdCell: function (td, cellData) {
-                var num = cellData.length;
-                $(td).html(num);
-            }},
-            {targets: 6, createdCell: function (td, cellData) {
-                var num = cellData.length;
-                $(td).html(num);
-            }},
-            {targets: 7, createdCell: function (td, cellData) {
-                if (!cellData) {
-					$(td).html('<i class="fa fa-times text-danger"></i>')
-				} else {
-					$(td).html('<i class="fa fa-check text-navy"></i>')
-				}
-            }},
-            {targets: 8, createdCell: function (td, cellData, rowData) {
-                var name = htmlEscape(rowData.name);
-                var update_btn = '<a href="{% url "perms:asset-permission-update" pk=DEFAULT_PK %}" class="btn btn-xs m-l-xs btn-info">{% trans "Update" %}</a>'.replace('{{ DEFAULT_PK }}', cellData);
-                var del_btn = '<a class="btn btn-xs btn-danger m-l-xs btn-del" data-uid="{{ DEFAULT_PK }}" mark=1 data-name="99991938">{% trans "Delete" %}</a>'
-                    .replace('{{ DEFAULT_PK }}', cellData)
-                    .replace('99991938', name);
-                if (rowData.inherit) {
-                    del_btn = del_btn.replace("mark", "disabled")
-                }
-				$(td).html(update_btn + del_btn);
-            }}
-        ],
-        ajax_url: '{% url "api-perms:asset-permission-list" %}?user_id={{ object.id }}',
-        columns: [
-            {data: "id"}, {data: "name"}, {data: "users", orderable: false},
-            {data: "user_groups", orderable: false}, {data: "assets", orderable: false},
-            {data: "nodes", orderable: false}, {data: "system_users", orderable: false},
-            {data: "is_valid", orderable: false}, {data: "id", orderable: false, width: "120px"}
-        ],
-        select: {},
-        op_html: $('#actions').html()
-    };
-    table = jumpserver.initServerSideDataTable(options);
-    return table
-}
-
-$(document).ready(function() {
-   initTable();
-   var filterMenu = [
-        {title: "{% trans 'Name' %}", value: "name"},
-        {title: "{% trans 'Validity' %}", value: "is_valid"},
-        {title: "{% trans 'IP' %}", value: "ip"},
-        {title: "{% trans 'Hostname' %}", value: "hostname"},
-        {title: "{% trans 'Node' %}", value: "node"},
-        {title: "{% trans 'System user' %}", value: "system_user"},
-        {title: "{% trans 'Inherit' %}", value: "all", submenu: [
-            {title: "{% trans 'Include' %}", value: "1"},
-            {title: "{% trans 'Exclude' %}", value: "0"},
-        ]},
-    ];
-    initTableFilterDropdown('#permission_list_table_filter input', filterMenu, 15, 38)
-})
-.on('click', '.toggle', function (e) {
-    e.preventDefault();
-    var detailRows = [];
-    var tr = $(this).closest('tr');
-    var row = table.row(tr);
-    var idx = $.inArray(tr.attr('id'), detailRows);
-
-    if (row.child.isShown()) {
-        tr.removeClass('details');
-        $(this).children('i:first-child').removeClass('fa-angle-down').addClass('fa-angle-right');
-        row.child.hide();
-
-        // Remove from the 'open' array
-        detailRows.splice(idx, 1);
-    }
-    else {
-        tr.addClass('details');
-        $(this).children('i:first-child').removeClass('fa-angle-right').addClass('fa-angle-down');
-        row.child(format(row.data())).show();
-        // Add to the 'open' array
-        if ( idx === -1 ) {
-            detailRows.push(tr.attr('id'));
-        }
-    }
-})
-.on('click', '.btn-del', function () {
-    var $this = $(this);
-    var uid = $this.data('uid');
-    var name = $this.data('name');
-    var the_url = '{% url "api-perms:asset-permission-detail" pk=DEFAULT_PK %}'
-            .replace('{{ DEFAULT_PK }}', uid);
-    objectDelete($this, name, the_url);
-})
-</script>
-{% endblock %}
diff --git a/apps/users/templates/users/user_database_app_permission.html b/apps/users/templates/users/user_database_app_permission.html
deleted file mode 100644
index 73b3a7972..000000000
--- a/apps/users/templates/users/user_database_app_permission.html
+++ /dev/null
@@ -1,168 +0,0 @@
-{% extends 'users/_base_user_detail.html' %}
-{% load static %}
-{% load i18n %}
-
-{% block custom_head_css_js %}
-    <link href="{% static "css/plugins/sweetalert/sweetalert.css" %}" rel="stylesheet">
-    <script src="{% static "js/plugins/sweetalert/sweetalert.min.js" %}"></script>
-{% endblock %}
-
-{% block content_table %}
-<div class="col-sm-10" style="padding-left: 0">
-    <div class="ibox float-e-margins">
-        <div class="ibox-title">
-            <span class="label"><b>{{ object.name }}</b></span>
-            <div class="ibox-tools">
-                <a class="collapse-link">
-                    <i class="fa fa-chevron-up"></i>
-                </a>
-                <a class="dropdown-toggle" data-toggle="dropdown" href="#">
-                    <i class="fa fa-wrench"></i>
-                </a>
-                <ul class="dropdown-menu dropdown-user">
-                </ul>
-                <a class="close-link">
-                    <i class="fa fa-times"></i>
-                </a>
-            </div>
-        </div>
-        <div class="ibox-content">
-            <table class="table table-striped table-bordered table-hover"
-                   id="permission_list_table"
-                   style="width: 100%">
-                <thead>
-                <tr>
-                    <th></th>
-                    <th>{% trans 'Name' %}</th>
-                    <th class="text-center">{% trans 'User' %}</th>
-                    <th class="text-center">{% trans 'User group' %}</th>
-                    <th class="text-center">{% trans 'DatabaseApp' %}</th>
-                    <th class="text-center">{% trans 'System user' %}</th>
-                    <th class="text-center">{% trans 'Validity' %}</th>
-                    <th class="text-center">{% trans 'Action' %}</th>
-                </tr>
-                </thead>
-                <tbody>
-                </tbody>
-            </table>
-        </div>
-    </div>
-</div>
-{% endblock %}
-
-{% block custom_foot_js %}
-<script>
-function format(d) {
-    var data = "";
-    if (d.users.length > 0 ) {
-        data += makeLabel(["{% trans 'User' %}", d.users.join(", ")])
-    }
-    if (d.user_groups.length > 0) {
-        data += makeLabel(["{% trans 'User group' %}", d.user_groups.join(", ")])
-    }
-    if (d.database_apps.length > 0) {
-       data += makeLabel(["{% trans 'DatabaseApp' %}", d.database_apps.join(", ")])
-    }
-    if (d.system_users.length > 0) {
-        data += makeLabel(["{% trans 'System user' %}", d.system_users.join(", ")])
-    }
-    return data
-}
-function initTable() {
-    var options = {
-        ele: $('#permission_list_table'),
-        toggle: true,
-        columnDefs: [
-            {targets: 0, createdCell: function (td, cellData, rowData) {
-                $(td).addClass("toggle");
-                $(td).html("<i class='fa fa-angle-right'></i>");
-            }},
-            {targets: 1, createdCell: function (td, cellData, rowData) {
-                cellData = htmlEscape(cellData);
-                var detail_btn = '<a href="{% url "perms:database-app-permission-detail" pk=DEFAULT_PK %}">' + cellData + '</a>';
-                $(td).html(detail_btn.replace('{{ DEFAULT_PK }}', rowData.id));
-            }},
-            {targets: 2, createdCell: function (td, cellData) {
-                var num = cellData.length;
-                $(td).html(num);
-            }},
-            {targets: 3, createdCell: function (td, cellData) {
-                var num = cellData.length;
-                $(td).html(num);
-            }},
-            {targets: 4, createdCell: function (td, cellData) {
-                var num = cellData.length;
-                $(td).html(num);
-            }},
-            {targets: 5, createdCell: function (td, cellData) {
-                var num = cellData.length;
-                $(td).html(num);
-            }},
-            {targets: 6, createdCell: function (td, cellData) {
-                if (!cellData) {
-					$(td).html('<i class="fa fa-times text-danger"></i>')
-				} else {
-					$(td).html('<i class="fa fa-check text-navy"></i>')
-				}
-            }},
-            {targets: 7, createdCell: function (td, cellData, rowData) {
-                var name = htmlEscape(rowData.name);
-                var update_btn = '<a href="{% url "perms:database-app-permission-update" pk=DEFAULT_PK %}" class="btn btn-xs m-l-xs btn-info">{% trans "Update" %}</a>'.replace('{{ DEFAULT_PK }}', cellData);
-                var del_btn = '<a class="btn btn-xs btn-danger m-l-xs btn-del" data-uid="{{ DEFAULT_PK }}" mark=1 data-name="99991938">{% trans "Delete" %}</a>'
-                    .replace('{{ DEFAULT_PK }}', cellData)
-                    .replace('99991938', name);
-				$(td).html(update_btn + del_btn);
-            }}
-        ],
-        ajax_url: '{% url "api-perms:database-app-permission-list" %}?user_id={{ object.id }}',
-        columns: [
-            {data: "id"}, {data: "name"}, {data: "users", orderable: false},
-            {data: "user_groups", orderable: false}, {data: "database_apps", orderable: false},
-            {data: "system_users", orderable: false}, {data: "is_valid", orderable: false},
-            {data: "id", orderable: false, width: "120px"}
-        ],
-        select: {},
-        op_html: $('#actions').html()
-    };
-    table = jumpserver.initServerSideDataTable(options);
-    return table
-}
-
-$(document).ready(function() {
-   initTable();
-})
-.on('click', '.toggle', function (e) {
-    e.preventDefault();
-    var detailRows = [];
-    var tr = $(this).closest('tr');
-    var row = table.row(tr);
-    var idx = $.inArray(tr.attr('id'), detailRows);
-
-    if (row.child.isShown()) {
-        tr.removeClass('details');
-        $(this).children('i:first-child').removeClass('fa-angle-down').addClass('fa-angle-right');
-        row.child.hide();
-
-        // Remove from the 'open' array
-        detailRows.splice(idx, 1);
-    }
-    else {
-        tr.addClass('details');
-        $(this).children('i:first-child').removeClass('fa-angle-right').addClass('fa-angle-down');
-        row.child(format(row.data())).show();
-        // Add to the 'open' array
-        if ( idx === -1 ) {
-            detailRows.push(tr.attr('id'));
-        }
-    }
-})
-.on('click', '.btn-del', function () {
-    var $this = $(this);
-    var uid = $this.data('uid');
-    var name = $this.data('name');
-    var the_url = '{% url "api-perms:database-app-permission-detail" pk=DEFAULT_PK %}'
-            .replace('{{ DEFAULT_PK }}', uid);
-    objectDelete($this, name, the_url);
-})
-</script>
-{% endblock %}
diff --git a/apps/users/templates/users/user_password_update.html b/apps/users/templates/users/user_password_update.html
deleted file mode 100644
index 97bc044d6..000000000
--- a/apps/users/templates/users/user_password_update.html
+++ /dev/null
@@ -1,134 +0,0 @@
-{% extends 'base.html' %}
-{% load static %}
-{% load i18n %}
-{% load bootstrap3 %}
-
-{% block custom_head_css_js %}
-    <link href="{% static "css/plugins/cropper/cropper.min.css" %}" rel="stylesheet">
-    <link href="{% static "css/plugins/sweetalert/sweetalert.css" %}" rel="stylesheet">
-    <script src="{% static "js/plugins/sweetalert/sweetalert.min.js" %}"></script>
-    <script type="text/javascript" src="{% static 'js/pwstrength-bootstrap.js' %}"></script>
-    <script src="{% static "js/jumpserver.js" %}"></script>
-
-    <style>
-        .crop {
-            width: 200px;
-            height: 150px;
-            overflow: hidden;
-        }
-
-        .img-preview-sm img {
-            width: 64px;
-            height: 64px;
-            margin: -75px 0 0 -100px;
-        }
-
-        img {
-            max-width: 100%; /* This rule is very important, please do not ignore this! */
-        }
-    </style>
-{% endblock %}
-{% block content %}
-    <div class="wrapper wrapper-content animated fadeInRight">
-        <div class="row">
-            <div class="col-sm-12">
-                <div class="ibox float-e-margins">
-                    <div class="panel-options">
-                        <ul class="nav nav-tabs">
-                            <li>
-                                <a href="{% url 'users:user-profile-update' %}" class="text-center">{% trans 'Profile' %} </a>
-                            </li>
-                            {% if request.user.can_update_password %}
-                            <li class="active">
-                                <a href="{% url 'users:user-password-update' %}" class="text-center">{% trans 'Password' %} </a>
-                            </li>
-                            {% endif %}
-                            {% if request.user.can_update_ssh_key %}
-                            <li>
-                                <a href="{% url 'users:user-pubkey-update' %}" class="text-center">{% trans 'Public key' %} </a>
-                            </li>
-                            {% endif %}
-                        </ul>
-                    </div>
-                    <div class="tab-content" style="background-color: #ffffff">
-                        <div class="wrapper wrapper-content animated fadeInRight">
-                                <form method="post" class="form-horizontal" action="" enctype="multipart/form-data">
-                                    {% csrf_token %}
-                                    {% bootstrap_field form.old_password layout="horizontal" %}
-                                    {% bootstrap_field form.new_password layout="horizontal" %}
-                                    {#  密码popover  #}
-                                    <div id="container">
-                                        <div class="popover fade bottom in" role="tooltip" id="popover777" style=" display: none; width:260px;">
-                                            <div class="arrow" style="left: 50%;"></div>
-                                            <h3 class="popover-title" style="display: none;"></h3>
-                                            <h4>{% trans 'Your password must satisfy' %}</h4><div id="id_password_rules" style="color: #908a8a; margin-left:20px; font-size:15px;"></div>
-                                            <h4 style="margin-top: 10px;">{% trans 'Password strength' %}</h4><div id="id_progress"></div>
-                                            <div class="popover-content"></div>
-                                        </div>
-                                    </div>
-                                    {% bootstrap_field form.confirm_password layout="horizontal" %}
-
-                                    <div class="hr-line-dashed"></div>
-                                    <div class="form-group">
-                                        <div class="col-sm-4 col-sm-offset-2">
-                                            <button class="btn btn-white" type="reset">{% trans 'Reset' %}</button>
-                                            <button id="submit_button" class="btn btn-primary" type="submit">{% trans 'Submit' %}</button>
-                                        </div>
-                                    </div>
-                                </form>
-                            </div>
-                        </div>
-                    </div>
-                </div>
-            </div>
-        </div>
-{% endblock %}
-
-{% block custom_foot_js %}
-    <script src="{% static 'js/plugins/cropper/cropper.min.js' %}"></script>
-    <script>
-        $(document).ready(function () {
-
-            var el = $('#id_password_rules'),
-                idPassword = $('#id_new_password'),
-                idPopover = $('#popover777'),
-                container = $('#container'),
-                progress = $('#id_progress'),
-                password_check_rules = {{ password_check_rules|safe }},
-                minLength = 6,
-                top = idPassword.offset().top - $('.navbar').outerHeight(true) - $('.page-heading').outerHeight(true) - 10 + 34,
-                left = 377,
-                i18n_fallback = {
-                    "veryWeak": "{% trans 'Very weak' %}",
-                    "weak": "{% trans 'Weak' %}",
-                    "normal": "{% trans 'Normal' %}",
-                    "medium": "{% trans 'Medium' %}",
-                    "strong": "{% trans 'Strong' %}",
-                    "veryStrong": "{% trans 'Very strong' %}"
-                };
-
-            jQuery.each(password_check_rules, function (idx, rules) {
-                if(rules.key === 'id_security_password_min_length'){
-                    minLength = rules.value
-                }
-            });
-
-            // 初始化popover
-            initPopover(container, progress, idPassword, el, password_check_rules, i18n_fallback);
-
-            // 监听事件
-            idPassword.on('focus', function () {
-                idPopover.css('top', top);
-                idPopover.css('left', left);
-                idPopover.css('display', 'block');
-            });
-            idPassword.on('blur', function () {
-                idPopover.css('display', 'none');
-            });
-            idPassword.on('keyup', function(){
-                var password = idPassword.val();
-                checkPasswordRules(password, minLength);
-            });
-        })
-    </script>
-{% endblock %}
diff --git a/apps/users/utils.py b/apps/users/utils.py
index b32b0c0e0..f11d233e4 100644
--- a/apps/users/utils.py
+++ b/apps/users/utils.py
@@ -46,8 +46,6 @@ def get_user_or_pre_auth_user(request):
 
 
 def redirect_user_first_login_or_index(request, redirect_field_name):
-    # if request.user.is_first_login:
-    #     return reverse('authentication:user-first-login')
     url_in_post = request.POST.get(redirect_field_name)
     if url_in_post:
         return url_in_post
diff --git a/apps/users/views/profile/reset.py b/apps/users/views/profile/reset.py
index c3529c73c..cc14f6d53 100644
--- a/apps/users/views/profile/reset.py
+++ b/apps/users/views/profile/reset.py
@@ -21,7 +21,7 @@ from ... import forms
 
 
 __all__ = [
-    'UserLoginView', 'UserResetPasswordView', 'UserForgotPasswordView', 'UserFirstLoginView',
+    'UserLoginView', 'UserResetPasswordView', 'UserForgotPasswordView',
 ]
 
 
@@ -130,8 +130,3 @@ class UserResetPasswordView(FormView):
             'auto_redirect': True,
         }
         return FlashMessageUtil.gen_message_url(message_data)
-
-
-class UserFirstLoginView(PermissionsMixin, TemplateView):
-    template_name = 'users/first_login.html'
-    permission_classes = [IsValidUser]

From ffd98c6e3f409fd48ac7efc563356c8fc9481426 Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Tue, 12 Apr 2022 15:11:51 +0800
Subject: [PATCH 015/258] =?UTF-8?q?fix:=20=E4=BF=AE=E6=94=B9=20import?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/authentication/utils.py  | 3 +--
 apps/terminal/api/terminal.py | 2 +-
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/apps/authentication/utils.py b/apps/authentication/utils.py
index 6dc3866fe..cf4ce8185 100644
--- a/apps/authentication/utils.py
+++ b/apps/authentication/utils.py
@@ -9,8 +9,7 @@ from django.conf import settings
 from .notifications import DifferentCityLoginMessage
 from audits.models import UserLoginLog
 from audits.const import DEFAULT_CITY
-from common.utils import get_request_ip
-from common.utils import validate_ip, get_ip_city
+from common.utils import validate_ip, get_ip_city, get_request_ip
 from common.utils import get_logger
 
 logger = get_logger(__file__)
diff --git a/apps/terminal/api/terminal.py b/apps/terminal/api/terminal.py
index f3fa8f5d0..209492baa 100644
--- a/apps/terminal/api/terminal.py
+++ b/apps/terminal/api/terminal.py
@@ -12,7 +12,7 @@ from django.utils.translation import gettext_lazy as _
 
 from common.exceptions import JMSException
 from common.drf.api import JMSBulkModelViewSet
-from common.utils import get_object_or_none
+from common.utils import get_object_or_none, get_request_ip
 from common.permissions import WithBootstrapToken
 from ..models import Terminal
 from .. import serializers

From 4cf90df17ca174ef1a107bf9a114cdef0ca0763e Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Tue, 12 Apr 2022 15:19:59 +0800
Subject: [PATCH 016/258] =?UTF-8?q?perf:=20=E9=BB=98=E8=AE=A4=E8=A7=92?=
 =?UTF-8?q?=E8=89=B2=E6=B7=BB=E5=8A=A0=20created=20by?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/rbac/builtin.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/rbac/builtin.py b/apps/rbac/builtin.py
index 4ce706a46..513ec210a 100644
--- a/apps/rbac/builtin.py
+++ b/apps/rbac/builtin.py
@@ -79,7 +79,7 @@ class PredefineRole:
         perms = self.default_perms
         defaults = {
             'id': self.id, 'name': self.name, 'scope': self.scope,
-            'builtin': True, 'permissions': perms
+            'builtin': True, 'permissions': perms, 'created_by': 'System',
         }
         return defaults
 

From f481463c64553490e0f1d43e55f35ef94b7a30f6 Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Tue, 12 Apr 2022 17:45:10 +0800
Subject: [PATCH 017/258] =?UTF-8?q?feat:=20=E6=B7=BB=E5=8A=A0Endpoint=20(#?=
 =?UTF-8?q?8041)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* feat: add Endpoint EndpointRule EndpointProtocol model

* feat: add Endpoint EndpointRule EndpointProtocol API

* feat: modify protocols field

* feat: 修改序列类

* feat: 获取connect-url连接地址

* feat: 获取connect-url连接地址

* feat: 优化后台获取smart-endpoint逻辑

* feat: 优化后台获取smart-endpoint逻辑

* feat: 删除配置KOKO、XRDP、MAGNUS

* feat: 删除配置KOKO、XRDP、MAGNUS

* feat: 修改翻译

* feat: 修改smart endpoint

* feat: 修改翻译

* feat: smart API 添加token解析

* feat: 删除 smart serializer

* feat: 修改迁移逻辑

* feat: 解决冲突

* feat: 修改匹配 endpoint

Co-authored-by: Jiangjie.Bai <bugatti_it@163.com>
---
 apps/applications/models/application.py       |  20 +
 apps/assets/models/asset.py                   |   3 +
 apps/authentication/api/connection_token.py   |  30 +-
 apps/common/fields/model.py                   |  14 +-
 apps/jumpserver/conf.py                       |  14 +-
 apps/jumpserver/settings/custom.py            |  11 -
 apps/locale/ja/LC_MESSAGES/django.mo          |   4 +-
 apps/locale/ja/LC_MESSAGES/django.po          | 628 +++++------------
 apps/locale/zh/LC_MESSAGES/django.mo          |   4 +-
 apps/locale/zh/LC_MESSAGES/django.po          | 634 +++++-------------
 apps/settings/api/public.py                   |   7 -
 apps/settings/serializers/terminal.py         |  30 +-
 apps/terminal/api/__init__.py                 |   1 +
 apps/terminal/api/endpoint.py                 |  78 +++
 .../migrations/0048_endpoint_endpointrule.py  |  86 +++
 apps/terminal/models/__init__.py              |   1 +
 apps/terminal/models/endpoint.py              |  94 +++
 apps/terminal/models/session.py               |   9 +
 apps/terminal/serializers/__init__.py         |   1 +
 apps/terminal/serializers/endpoint.py         |  51 ++
 apps/terminal/urls/api_urls.py                |   2 +
 21 files changed, 695 insertions(+), 1027 deletions(-)
 create mode 100644 apps/terminal/api/endpoint.py
 create mode 100644 apps/terminal/migrations/0048_endpoint_endpointrule.py
 create mode 100644 apps/terminal/models/endpoint.py
 create mode 100644 apps/terminal/serializers/endpoint.py

diff --git a/apps/applications/models/application.py b/apps/applications/models/application.py
index aa2d56f70..15e7dae14 100644
--- a/apps/applications/models/application.py
+++ b/apps/applications/models/application.py
@@ -247,6 +247,14 @@ class Application(CommonModelMixin, OrgModelMixin, ApplicationTreeNodeMixin):
     def category_remote_app(self):
         return self.category == const.AppCategory.remote_app.value
 
+    @property
+    def category_cloud(self):
+        return self.category == const.AppCategory.cloud.value
+
+    @property
+    def category_db(self):
+        return self.category == const.AppCategory.db.value
+
     def get_rdp_remote_app_setting(self):
         from applications.serializers.attrs import get_serializer_class_by_application_type
         if not self.category_remote_app:
@@ -279,6 +287,18 @@ class Application(CommonModelMixin, OrgModelMixin, ApplicationTreeNodeMixin):
         if raise_exception:
             raise ValueError("Remote App not has asset attr")
 
+    def get_target_ip(self):
+        if self.category_remote_app:
+            asset = self.get_remote_app_asset()
+            target_ip = asset.ip
+        elif self.category_cloud:
+            target_ip = self.attrs.get('cluster')
+        elif self.category_db:
+            target_ip = self.attrs.get('host')
+        else:
+            target_ip = ''
+        return target_ip
+
 
 class ApplicationUser(SystemUser):
     class Meta:
diff --git a/apps/assets/models/asset.py b/apps/assets/models/asset.py
index 84ddee404..c80c65ce6 100644
--- a/apps/assets/models/asset.py
+++ b/apps/assets/models/asset.py
@@ -235,6 +235,9 @@ class Asset(AbsConnectivity, AbsHardwareInfo, ProtocolsMixin, NodesRelationMixin
     def __str__(self):
         return '{0.hostname}({0.ip})'.format(self)
 
+    def get_target_ip(self):
+        return self.ip
+
     def set_admin_user_relation(self):
         from .authbook import AuthBook
         if not self.admin_user:
diff --git a/apps/authentication/api/connection_token.py b/apps/authentication/api/connection_token.py
index f8c64e417..3e905076c 100644
--- a/apps/authentication/api/connection_token.py
+++ b/apps/authentication/api/connection_token.py
@@ -31,12 +31,13 @@ from perms.models.base import Action
 from perms.utils.application.permission import get_application_actions
 from perms.utils.asset.permission import get_asset_actions
 from common.const.http import PATCH
+from terminal.models import EndpointRule
 from ..serializers import (
     ConnectionTokenSerializer, ConnectionTokenSecretSerializer,
 )
 
 logger = get_logger(__name__)
-__all__ = ['UserConnectionTokenViewSet']
+__all__ = ['UserConnectionTokenViewSet', 'TokenCacheMixin']
 
 
 class ClientProtocolMixin:
@@ -51,6 +52,17 @@ class ClientProtocolMixin:
     request: Request
     get_serializer: Callable
     create_token: Callable
+    get_serializer_context: Callable
+
+    def get_smart_endpoint(self, protocol, asset=None, application=None):
+        if asset:
+            target_ip = asset.get_target_ip()
+        elif application:
+            target_ip = application.get_target_ip()
+        else:
+            target_ip = ''
+        endpoint = EndpointRule.match_endpoint(target_ip, protocol, self.request)
+        return endpoint
 
     def get_request_resource(self, serializer):
         asset = serializer.validated_data.get('asset')
@@ -122,10 +134,10 @@ class ClientProtocolMixin:
         options['screen mode id:i'] = '2' if full_screen else '1'
 
         # RDP Server 地址
-        address = settings.TERMINAL_RDP_ADDR
-        if not address or address == 'localhost:3389':
-            address = self.request.get_host().split(':')[0] + ':3389'
-        options['full address:s'] = address
+        endpoint = self.get_smart_endpoint(
+            protocol='rdp', asset=asset, application=application
+        )
+        options['full address:s'] = f'{endpoint.host}:{endpoint.rdp_port}'
         # 用户名
         options['username:s'] = '{}|{}'.format(user.username, token)
         if system_user.ad_domain:
@@ -169,9 +181,12 @@ class ClientProtocolMixin:
         else:
             name = '*'
 
+        endpoint = self.get_smart_endpoint(
+            protocol='ssh', asset=asset, application=application
+        )
         content = {
-            'ip': settings.TERMINAL_KOKO_HOST,
-            'port': str(settings.TERMINAL_KOKO_SSH_PORT),
+            'ip': endpoint.host,
+            'port': endpoint.ssh_port,
             'username': f'JMS-{token}',
             'password': secret
         }
@@ -345,6 +360,7 @@ class SecretDetailMixin:
 
 
 class TokenCacheMixin:
+    """ endpoint smart view 用到此类来解析token中的资产、应用 """
     CACHE_KEY_PREFIX = 'CONNECTION_TOKEN_{}'
 
     def get_token_cache_key(self, token):
diff --git a/apps/common/fields/model.py b/apps/common/fields/model.py
index 4a4f3525d..a3ac13e82 100644
--- a/apps/common/fields/model.py
+++ b/apps/common/fields/model.py
@@ -4,7 +4,7 @@ import json
 from django.db import models
 from django.utils.translation import ugettext_lazy as _
 from django.utils.encoding import force_text
-
+from django.core.validators import MinValueValidator, MaxValueValidator
 from ..utils import signer, crypto
 
 
@@ -13,7 +13,7 @@ __all__ = [
     'JsonCharField', 'JsonTextField', 'JsonListCharField', 'JsonListTextField',
     'JsonDictCharField', 'JsonDictTextField', 'EncryptCharField',
     'EncryptTextField', 'EncryptMixin', 'EncryptJsonDictTextField',
-    'EncryptJsonDictCharField',
+    'EncryptJsonDictCharField', 'PortField'
 ]
 
 
@@ -180,3 +180,13 @@ class EncryptJsonDictTextField(EncryptMixin, JsonDictTextField):
 class EncryptJsonDictCharField(EncryptMixin, JsonDictCharField):
     pass
 
+
+class PortField(models.IntegerField):
+    def __init__(self, *args, **kwargs):
+        kwargs.update({
+            'blank': False,
+            'null': False,
+            'validators': [MinValueValidator(0), MaxValueValidator(65535)]
+        })
+        super().__init__(*args, **kwargs)
+
diff --git a/apps/jumpserver/conf.py b/apps/jumpserver/conf.py
index 8e34d6f91..f72ed899f 100644
--- a/apps/jumpserver/conf.py
+++ b/apps/jumpserver/conf.py
@@ -310,16 +310,12 @@ class Config(dict):
         'TERMINAL_HOST_KEY': '',
         'TERMINAL_TELNET_REGEX': '',
         'TERMINAL_COMMAND_STORAGE': {},
-        'TERMINAL_RDP_ADDR': lambda: urlparse(settings.SITE_URL).hostname + ':3389',
-        'XRDP_ENABLED': True,
-        'TERMINAL_KOKO_HOST': lambda: urlparse(settings.SITE_URL).hostname,
-        'TERMINAL_KOKO_SSH_PORT': 2222,
-
+        # 未来废弃(当下迁移会用)
+        'TERMINAL_RDP_ADDR': '',
+        # 保留(Luna还在用)
         'TERMINAL_MAGNUS_ENABLED': True,
-        'TERMINAL_MAGNUS_HOST': lambda: urlparse(settings.SITE_URL).hostname,
-        'TERMINAL_MAGNUS_MYSQL_PORT': 33060,
-        'TERMINAL_MAGNUS_MARIADB_PORT': 33061,
-        'TERMINAL_MAGNUS_POSTGRE_PORT': 54320,
+        # 保留(Luna还在用)
+        'XRDP_ENABLED': True,
 
         # 安全配置
         'SECURITY_MFA_AUTH': 0,  # 0 不开启 1 全局开启 2 管理员开启
diff --git a/apps/jumpserver/settings/custom.py b/apps/jumpserver/settings/custom.py
index 2aa05afe5..794180fd2 100644
--- a/apps/jumpserver/settings/custom.py
+++ b/apps/jumpserver/settings/custom.py
@@ -140,9 +140,6 @@ CLOUD_SYNC_TASK_EXECUTION_KEEP_DAYS = CONFIG.CLOUD_SYNC_TASK_EXECUTION_KEEP_DAYS
 
 XRDP_ENABLED = CONFIG.XRDP_ENABLED
 
-TERMINAL_KOKO_HOST = CONFIG.TERMINAL_KOKO_HOST
-TERMINAL_KOKO_SSH_PORT = CONFIG.TERMINAL_KOKO_SSH_PORT
-
 # SMS enabled
 SMS_ENABLED = CONFIG.SMS_ENABLED
 SMS_BACKEND = CONFIG.SMS_BACKEND
@@ -170,11 +167,3 @@ ANNOUNCEMENT = CONFIG.ANNOUNCEMENT
 # help
 HELP_DOCUMENT_URL = CONFIG.HELP_DOCUMENT_URL
 HELP_SUPPORT_URL = CONFIG.HELP_SUPPORT_URL
-
-# Magnus
-MAGNUS_ENABLED = CONFIG.MAGNUS_ENABLED
-TERMINAL_MAGNUS_HOST = CONFIG.TERMINAL_MAGNUS_HOST
-TERMINAL_MAGNUS_ENABLED = CONFIG.TERMINAL_MAGNUS_ENABLED
-TERMINAL_MAGNUS_MYSQL_PORT = CONFIG.TERMINAL_MAGNUS_MYSQL_PORT
-TERMINAL_MAGNUS_MARIADB_PORT = CONFIG.TERMINAL_MAGNUS_MARIADB_PORT
-TERMINAL_MAGNUS_POSTGRE_PORT = CONFIG.TERMINAL_MAGNUS_POSTGRE_PORT
diff --git a/apps/locale/ja/LC_MESSAGES/django.mo b/apps/locale/ja/LC_MESSAGES/django.mo
index 080e2ab5e..73226f058 100644
--- a/apps/locale/ja/LC_MESSAGES/django.mo
+++ b/apps/locale/ja/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:097c6d06ed8dcf2e1807560b6eb52d98cba31f25fe8d67ce4315668c150ca6b8
-size 129989
+oid sha256:70685e92cbf84f4178224a44fd84eb884a0acfb9749200541ea6655a9a397a72
+size 125019
diff --git a/apps/locale/ja/LC_MESSAGES/django.po b/apps/locale/ja/LC_MESSAGES/django.po
index 757d1e463..c80ef4904 100644
--- a/apps/locale/ja/LC_MESSAGES/django.po
+++ b/apps/locale/ja/LC_MESSAGES/django.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-04-02 10:01+0800\n"
+"POT-Creation-Date: 2022-04-12 17:03+0800\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -29,31 +29,27 @@ msgstr "Acls"
 #: assets/models/group.py:20 assets/models/label.py:18 ops/mixin.py:24
 #: orgs/models.py:65 perms/models/base.py:83 rbac/models/role.py:29
 #: settings/models.py:29 settings/serializers/sms.py:6
+#: terminal/models/endpoint.py:10 terminal/models/endpoint.py:53
 #: terminal/models/storage.py:23 terminal/models/task.py:16
 #: terminal/models/terminal.py:100 users/forms/profile.py:32
 #: users/models/group.py:15 users/models/user.py:661
-#: users/templates/users/_select_user_modal.html:13
-#: users/templates/users/user_asset_permission.html:37
-#: users/templates/users/user_asset_permission.html:154
-#: users/templates/users/user_database_app_permission.html:36
 #: xpack/plugins/cloud/models.py:28
 msgid "Name"
 msgstr "名前"
 
 #: acls/models/base.py:27 assets/models/cmd_filter.py:84
-#: assets/models/user.py:247
+#: assets/models/user.py:247 terminal/models/endpoint.py:56
 msgid "Priority"
 msgstr "優先順位"
 
 #: acls/models/base.py:28 assets/models/cmd_filter.py:84
-#: assets/models/user.py:247
+#: assets/models/user.py:247 terminal/models/endpoint.py:57
 msgid "1-100, the lower the value will be match first"
 msgstr "1-100、低い値は最初に一致します"
 
 #: acls/models/base.py:31 authentication/models.py:17
 #: authentication/templates/authentication/_access_key_modal.html:32
 #: perms/models/base.py:88 terminal/models/sharing.py:26
-#: users/templates/users/_select_user_modal.html:18
 msgid "Active"
 msgstr "アクティブ"
 
@@ -65,6 +61,7 @@ msgstr "アクティブ"
 #: assets/models/domain.py:64 assets/models/group.py:23
 #: assets/models/label.py:23 ops/models/adhoc.py:38 orgs/models.py:68
 #: perms/models/base.py:93 rbac/models/role.py:37 settings/models.py:34
+#: terminal/models/endpoint.py:20 terminal/models/endpoint.py:63
 #: terminal/models/storage.py:26 terminal/models/terminal.py:114
 #: tickets/models/comment.py:24 tickets/models/ticket.py:154
 #: users/models/group.py:16 users/models/user.py:698
@@ -91,16 +88,12 @@ msgstr "ログイン確認"
 #: assets/models/cmd_filter.py:30 assets/models/label.py:15 audits/models.py:37
 #: audits/models.py:60 audits/models.py:85 audits/serializers.py:100
 #: authentication/models.py:50 orgs/models.py:214 perms/models/base.py:84
-#: rbac/builtin.py:101 rbac/models/rolebinding.py:40 templates/index.html:78
+#: rbac/builtin.py:106 rbac/models/rolebinding.py:40
 #: terminal/backends/command/models.py:19
-#: terminal/backends/command/serializers.py:12 terminal/models/session.py:42
+#: terminal/backends/command/serializers.py:12 terminal/models/session.py:44
 #: terminal/notifications.py:91 terminal/notifications.py:139
 #: tickets/models/comment.py:17 users/const.py:14 users/models/user.py:886
 #: users/models/user.py:917 users/serializers/group.py:19
-#: users/templates/users/user_asset_permission.html:38
-#: users/templates/users/user_asset_permission.html:64
-#: users/templates/users/user_database_app_permission.html:37
-#: users/templates/users/user_database_app_permission.html:58
 msgid "User"
 msgstr "ユーザー"
 
@@ -112,10 +105,6 @@ msgstr "ルール"
 #: acls/serializers/login_acl.py:17 acls/serializers/login_asset_acl.py:75
 #: assets/models/cmd_filter.py:89 audits/models.py:61 audits/serializers.py:51
 #: authentication/templates/authentication/_access_key_modal.html:34
-#: users/templates/users/_granted_assets.html:29
-#: users/templates/users/user_asset_permission.html:44
-#: users/templates/users/user_asset_permission.html:79
-#: users/templates/users/user_database_app_permission.html:42
 msgid "Action"
 msgstr "アクション"
 
@@ -136,16 +125,13 @@ msgstr "システムユーザー"
 
 #: acls/models/login_asset_acl.py:22
 #: applications/serializers/attrs/application_category/remote_app.py:36
-#: assets/models/asset.py:383 assets/models/authbook.py:19
+#: assets/models/asset.py:386 assets/models/authbook.py:19
 #: assets/models/backup.py:31 assets/models/cmd_filter.py:38
 #: assets/models/gathered_user.py:14 assets/serializers/label.py:30
 #: assets/serializers/system_user.py:264 audits/models.py:39
-#: perms/models/asset_permission.py:23 templates/index.html:82
-#: terminal/backends/command/models.py:20
-#: terminal/backends/command/serializers.py:13 terminal/models/session.py:44
+#: perms/models/asset_permission.py:23 terminal/backends/command/models.py:20
+#: terminal/backends/command/serializers.py:13 terminal/models/session.py:46
 #: terminal/notifications.py:90
-#: users/templates/users/user_asset_permission.html:40
-#: users/templates/users/user_asset_permission.html:70
 #: xpack/plugins/change_auth_plan/models/asset.py:199
 #: xpack/plugins/change_auth_plan/serializers/asset.py:180
 #: xpack/plugins/cloud/models.py:223
@@ -172,7 +158,6 @@ msgstr "コンマ区切り文字列の形式。* はすべて一致すること
 #: authentication/templates/authentication/_msg_oauth_bind.html:9
 #: ops/models/adhoc.py:159 users/forms/profile.py:31 users/models/user.py:659
 #: users/templates/users/_msg_user_created.html:12
-#: users/templates/users/_select_user_modal.html:14
 #: xpack/plugins/change_auth_plan/models/asset.py:34
 #: xpack/plugins/change_auth_plan/models/asset.py:195
 #: xpack/plugins/cloud/serializers/account_attrs.py:22
@@ -196,17 +181,13 @@ msgstr ""
 #: authentication/templates/authentication/_msg_oauth_bind.html:12
 #: authentication/templates/authentication/_msg_rest_password_success.html:8
 #: authentication/templates/authentication/_msg_rest_public_key_success.html:8
-#: settings/serializers/terminal.py:8
-#: users/templates/users/_granted_assets.html:26
-#: users/templates/users/user_asset_permission.html:156
+#: settings/serializers/terminal.py:8 terminal/serializers/endpoint.py:37
 msgid "IP"
 msgstr "IP"
 
 #: acls/serializers/login_asset_acl.py:35 assets/models/asset.py:211
 #: assets/serializers/account.py:14 assets/serializers/gathered_user.py:23
 #: settings/serializers/terminal.py:7
-#: users/templates/users/_granted_assets.html:25
-#: users/templates/users/user_asset_permission.html:157
 msgid "Hostname"
 msgstr "ホスト名"
 
@@ -220,7 +201,7 @@ msgstr ""
 
 #: acls/serializers/login_asset_acl.py:55 assets/models/asset.py:213
 #: assets/models/domain.py:62 assets/models/user.py:248
-#: terminal/serializers/session.py:30 terminal/serializers/storage.py:69
+#: terminal/serializers/session.py:30 terminal/serializers/storage.py:67
 msgid "Protocol"
 msgstr "プロトコル"
 
@@ -285,13 +266,7 @@ msgstr "アプリケーション"
 #: assets/models/cmd_filter.py:42 assets/models/user.py:338 audits/models.py:40
 #: perms/models/application_permission.py:33
 #: perms/models/asset_permission.py:25 terminal/backends/command/models.py:21
-#: terminal/backends/command/serializers.py:35 terminal/models/session.py:46
-#: users/templates/users/_granted_assets.html:27
-#: users/templates/users/user_asset_permission.html:42
-#: users/templates/users/user_asset_permission.html:76
-#: users/templates/users/user_asset_permission.html:159
-#: users/templates/users/user_database_app_permission.html:40
-#: users/templates/users/user_database_app_permission.html:67
+#: terminal/backends/command/serializers.py:35 terminal/models/session.py:48
 #: xpack/plugins/change_auth_plan/models/app.py:36
 #: xpack/plugins/change_auth_plan/models/app.py:147
 #: xpack/plugins/change_auth_plan/serializers/app.py:65
@@ -343,7 +318,7 @@ msgid "Domain"
 msgstr "ドメイン"
 
 #: applications/models/application.py:228 xpack/plugins/cloud/models.py:33
-#: xpack/plugins/cloud/serializers/account.py:59
+#: xpack/plugins/cloud/serializers/account.py:58
 msgid "Attrs"
 msgstr "ツールバーの"
 
@@ -351,7 +326,7 @@ msgstr "ツールバーの"
 msgid "Can match application"
 msgstr "アプリケーションを一致させることができます"
 
-#: applications/models/application.py:286
+#: applications/models/application.py:306
 msgid "Application user"
 msgstr "アプリケーションユーザー"
 
@@ -409,6 +384,7 @@ msgstr "クラスター"
 
 #: applications/serializers/attrs/application_category/db.py:11
 #: ops/models/adhoc.py:157 settings/serializers/auth/radius.py:14
+#: terminal/models/endpoint.py:11
 #: xpack/plugins/cloud/serializers/account_attrs.py:68
 msgid "Host"
 msgstr "ホスト"
@@ -639,27 +615,27 @@ msgstr "ラベル"
 msgid "Created by"
 msgstr "によって作成された"
 
-#: assets/models/asset.py:386
+#: assets/models/asset.py:389
 msgid "Can refresh asset hardware info"
 msgstr "資産ハードウェア情報を更新できます"
 
-#: assets/models/asset.py:387
+#: assets/models/asset.py:390
 msgid "Can test asset connectivity"
 msgstr "資産接続をテストできます"
 
-#: assets/models/asset.py:388
+#: assets/models/asset.py:391
 msgid "Can push system user to asset"
 msgstr "システムユーザーを資産にプッシュできます"
 
-#: assets/models/asset.py:389
+#: assets/models/asset.py:392
 msgid "Can match asset"
 msgstr "アセットを一致させることができます"
 
-#: assets/models/asset.py:390
+#: assets/models/asset.py:393
 msgid "Add asset to node"
 msgstr "ノードにアセットを追加する"
 
-#: assets/models/asset.py:391
+#: assets/models/asset.py:394
 msgid "Move asset to node"
 msgstr "アセットをノードに移動する"
 
@@ -706,7 +682,7 @@ msgid "Timing trigger"
 msgstr "タイミングトリガー"
 
 #: assets/models/backup.py:105 audits/models.py:44 ops/models/command.py:31
-#: perms/models/base.py:89 terminal/models/session.py:56
+#: perms/models/base.py:89 terminal/models/session.py:58
 #: tickets/serializers/ticket/meta/ticket_type/apply_application.py:55
 #: tickets/serializers/ticket/meta/ticket_type/apply_asset.py:57
 #: xpack/plugins/change_auth_plan/models/base.py:112
@@ -767,7 +743,7 @@ msgstr "OK"
 #: assets/models/base.py:32 audits/models.py:116
 #: xpack/plugins/change_auth_plan/serializers/app.py:88
 #: xpack/plugins/change_auth_plan/serializers/asset.py:198
-#: xpack/plugins/cloud/const.py:31
+#: xpack/plugins/cloud/const.py:30
 msgid "Failed"
 msgstr "失敗しました"
 
@@ -782,9 +758,8 @@ msgstr "確認済みの日付"
 #: assets/models/base.py:177 audits/signal_handlers.py:68
 #: authentication/forms.py:22
 #: authentication/templates/authentication/login.html:181
-#: settings/serializers/auth/ldap.py:44 users/forms/profile.py:21
+#: settings/serializers/auth/ldap.py:43 users/forms/profile.py:21
 #: users/templates/users/_msg_user_created.html:13
-#: users/templates/users/user_password_update.html:43
 #: users/templates/users/user_password_verify.html:18
 #: xpack/plugins/change_auth_plan/models/base.py:42
 #: xpack/plugins/change_auth_plan/models/base.py:121
@@ -849,11 +824,6 @@ msgstr "デフォルトクラスター"
 
 #: assets/models/cmd_filter.py:34 perms/models/base.py:86
 #: users/models/group.py:31 users/models/user.py:667
-#: users/templates/users/_select_user_modal.html:16
-#: users/templates/users/user_asset_permission.html:39
-#: users/templates/users/user_asset_permission.html:67
-#: users/templates/users/user_database_app_permission.html:38
-#: users/templates/users/user_database_app_permission.html:61
 msgid "User group"
 msgstr "ユーザーグループ"
 
@@ -866,7 +836,7 @@ msgid "Regex"
 msgstr "正規情報"
 
 #: assets/models/cmd_filter.py:68 ops/models/command.py:26
-#: terminal/backends/command/serializers.py:14 terminal/models/session.py:53
+#: terminal/backends/command/serializers.py:14 terminal/models/session.py:55
 #: terminal/templates/terminal/_msg_command_alert.html:12
 #: terminal/templates/terminal/_msg_command_execute_alert.html:10
 msgid "Command"
@@ -966,7 +936,7 @@ msgstr "ラベル"
 msgid "New node"
 msgstr "新しいノード"
 
-#: assets/models/node.py:474 users/templates/users/_granted_assets.html:130
+#: assets/models/node.py:474
 msgid "empty"
 msgstr "空"
 
@@ -983,9 +953,6 @@ msgid "Parent key"
 msgstr "親キー"
 
 #: assets/models/node.py:559 assets/serializers/system_user.py:263
-#: users/templates/users/user_asset_permission.html:41
-#: users/templates/users/user_asset_permission.html:73
-#: users/templates/users/user_asset_permission.html:158
 #: xpack/plugins/cloud/models.py:96 xpack/plugins/cloud/serializers/task.py:69
 msgid "Node"
 msgstr "ノード"
@@ -1140,7 +1107,7 @@ msgid "Actions"
 msgstr "アクション"
 
 #: assets/serializers/backup.py:31 ops/mixin.py:106 ops/mixin.py:147
-#: settings/serializers/auth/ldap.py:59
+#: settings/serializers/auth/ldap.py:62
 #: xpack/plugins/change_auth_plan/serializers/base.py:42
 msgid "Periodic perform"
 msgstr "定期的なパフォーマンス"
@@ -1388,8 +1355,7 @@ msgstr "監査"
 
 #: audits/models.py:27 audits/models.py:57
 #: authentication/templates/authentication/_access_key_modal.html:65
-#: rbac/tree.py:166 users/templates/users/user_asset_permission.html:128
-#: users/templates/users/user_database_app_permission.html:111
+#: rbac/tree.py:166
 msgid "Delete"
 msgstr "削除"
 
@@ -1418,7 +1384,7 @@ msgid "Symlink"
 msgstr "Symlink"
 
 #: audits/models.py:38 audits/models.py:64 audits/models.py:87
-#: terminal/models/session.py:49 terminal/models/sharing.py:82
+#: terminal/models/session.py:51 terminal/models/sharing.py:82
 msgid "Remote addr"
 msgstr "リモートaddr"
 
@@ -1448,8 +1414,6 @@ msgstr "作成"
 
 #: audits/models.py:56 rbac/tree.py:165 templates/_csv_import_export.html:18
 #: templates/_csv_update_modal.html:6
-#: users/templates/users/user_asset_permission.html:127
-#: users/templates/users/user_database_app_permission.html:110
 msgid "Update"
 msgstr "更新"
 
@@ -1558,7 +1522,7 @@ msgstr "ホスト表示"
 msgid "Result"
 msgstr "結果"
 
-#: audits/serializers.py:98 terminal/serializers/storage.py:161
+#: audits/serializers.py:98 terminal/serializers/storage.py:156
 msgid "Hosts"
 msgstr "ホスト"
 
@@ -1669,7 +1633,6 @@ msgid "{AssetPermission} REMOVE {UserGroup}"
 msgstr "{AssetPermission} 削除 {UserGroup}"
 
 #: audits/signal_handlers.py:131 perms/models/asset_permission.py:29
-#: users/templates/users/_user_detail_nav_header.html:31
 msgid "Asset permission"
 msgstr "資産権限"
 
@@ -1767,7 +1730,7 @@ msgstr "{ApplicationPermission} 追加 {SystemUser}"
 msgid "{ApplicationPermission} REMOVE {SystemUser}"
 msgstr "{ApplicationPermission} 削除 {SystemUser}"
 
-#: authentication/api/connection_token.py:313
+#: authentication/api/connection_token.py:328
 msgid "Invalid token"
 msgstr "無効なトークン"
 
@@ -2065,7 +2028,7 @@ msgstr "MFAタイプ ({}) が有効になっていない"
 msgid "Please change your password"
 msgstr "パスワードを変更してください"
 
-#: authentication/models.py:33 terminal/serializers/storage.py:30
+#: authentication/models.py:33 terminal/serializers/storage.py:28
 msgid "Access key"
 msgstr "アクセスキー"
 
@@ -2129,7 +2092,6 @@ msgid "Date"
 msgstr "日付"
 
 #: authentication/templates/authentication/_access_key_modal.html:48
-#: users/templates/users/_granted_assets.html:75
 msgid "Show"
 msgstr "表示"
 
@@ -2189,7 +2151,7 @@ msgstr "コードエラー"
 #: authentication/templates/authentication/_msg_reset_password.html:3
 #: authentication/templates/authentication/_msg_rest_password_success.html:2
 #: authentication/templates/authentication/_msg_rest_public_key_success.html:2
-#: jumpserver/conf.py:295 ops/tasks.py:145 ops/tasks.py:148
+#: jumpserver/conf.py:296 ops/tasks.py:145 ops/tasks.py:148
 #: perms/templates/perms/_msg_item_permissions_expire.html:3
 #: perms/templates/perms/_msg_permed_items_expire.html:3
 #: users/templates/users/_msg_account_expire_reminder.html:4
@@ -2650,11 +2612,11 @@ msgstr "特殊文字を含むべきではない"
 msgid "The mobile phone number format is incorrect"
 msgstr "携帯電話番号の形式が正しくありません"
 
-#: jumpserver/conf.py:294
+#: jumpserver/conf.py:295
 msgid "Create account successfully"
 msgstr "アカウントを正常に作成"
 
-#: jumpserver/conf.py:296
+#: jumpserver/conf.py:297
 msgid "Your account has been created successfully"
 msgstr "アカウントが正常に作成されました"
 
@@ -2720,12 +2682,12 @@ msgid "App ops"
 msgstr "アプリ操作"
 
 #: ops/mixin.py:29 ops/mixin.py:92 ops/mixin.py:162
-#: settings/serializers/auth/ldap.py:66
+#: settings/serializers/auth/ldap.py:69
 msgid "Cycle perform"
 msgstr "サイクル実行"
 
 #: ops/mixin.py:33 ops/mixin.py:90 ops/mixin.py:109 ops/mixin.py:150
-#: settings/serializers/auth/ldap.py:63
+#: settings/serializers/auth/ldap.py:66
 msgid "Regularly perform"
 msgstr "定期的に実行する"
 
@@ -2912,7 +2874,8 @@ msgstr "アプリ組織"
 
 #: orgs/mixins/models.py:46 orgs/mixins/serializers.py:25 orgs/models.py:80
 #: orgs/models.py:211 rbac/const.py:7 rbac/models/rolebinding.py:47
-#: rbac/serializers/rolebinding.py:40 tickets/serializers/ticket/ticket.py:77
+#: rbac/serializers/rolebinding.py:40 settings/serializers/auth/ldap.py:59
+#: tickets/serializers/ticket/ticket.py:77
 msgid "Organization"
 msgstr "組織"
 
@@ -2925,7 +2888,7 @@ msgid "Can view root org"
 msgstr "グローバル組織を表示できます"
 
 #: orgs/models.py:216 rbac/models/role.py:46 rbac/models/rolebinding.py:43
-#: users/models/user.py:671 users/templates/users/_select_user_modal.html:15
+#: users/models/user.py:671
 msgid "Role"
 msgstr "ロール"
 
@@ -3151,27 +3114,27 @@ msgstr "{} 少なくとも1つのシステムロール"
 msgid "RBAC"
 msgstr "RBAC"
 
-#: rbac/builtin.py:92
+#: rbac/builtin.py:97
 msgid "SystemAdmin"
 msgstr "システム管理者"
 
-#: rbac/builtin.py:95
+#: rbac/builtin.py:100
 msgid "SystemAuditor"
 msgstr "システム監査人"
 
-#: rbac/builtin.py:98
+#: rbac/builtin.py:103
 msgid "SystemComponent"
 msgstr "システムコンポーネント"
 
-#: rbac/builtin.py:104
+#: rbac/builtin.py:109
 msgid "OrgAdmin"
 msgstr "組織管理者"
 
-#: rbac/builtin.py:107
+#: rbac/builtin.py:112
 msgid "OrgAuditor"
 msgstr "監査員を組織する"
 
-#: rbac/builtin.py:110
+#: rbac/builtin.py:115
 msgid "OrgUser"
 msgstr "組織ユーザー"
 
@@ -3376,11 +3339,11 @@ msgstr "同期が実行中です。しばらくお待ちください。"
 msgid "Synchronization error: {}"
 msgstr "同期エラー: {}"
 
-#: settings/api/ldap.py:211
+#: settings/api/ldap.py:213
 msgid "Get ldap users is None"
 msgstr "Ldapユーザーを取得するにはNone"
 
-#: settings/api/ldap.py:220
+#: settings/api/ldap.py:222
 msgid "Imported {} users successfully (Organization: {})"
 msgstr "{} 人のユーザーを正常にインポートしました (組織: {})"
 
@@ -3508,15 +3471,15 @@ msgstr "ピン認証の有効化"
 msgid "Enable FeiShu Auth"
 msgstr "飛本認証の有効化"
 
-#: settings/serializers/auth/ldap.py:39
+#: settings/serializers/auth/ldap.py:38
 msgid "LDAP server"
 msgstr "LDAPサーバー"
 
-#: settings/serializers/auth/ldap.py:40
+#: settings/serializers/auth/ldap.py:39
 msgid "eg: ldap://localhost:389"
 msgstr "例: ldap://localhost:389"
 
-#: settings/serializers/auth/ldap.py:42
+#: settings/serializers/auth/ldap.py:41
 msgid "Bind DN"
 msgstr "DN のバインド"
 
@@ -3549,15 +3512,15 @@ msgstr ""
 "ユーザー属性マッピングは、LDAPのユーザー属性をjumpserverユーザーにマッピング"
 "する方法、username, name,emailはjumpserverのユーザーが必要とする属性です"
 
-#: settings/serializers/auth/ldap.py:70
+#: settings/serializers/auth/ldap.py:73
 msgid "Connect timeout"
 msgstr "接続タイムアウト"
 
-#: settings/serializers/auth/ldap.py:72
+#: settings/serializers/auth/ldap.py:75
 msgid "Search paged size"
 msgstr "ページサイズを検索"
 
-#: settings/serializers/auth/ldap.py:74
+#: settings/serializers/auth/ldap.py:77
 msgid "Enable LDAP auth"
 msgstr "LDAP認証の有効化"
 
@@ -4256,61 +4219,13 @@ msgstr ""
 "ログイン成功メッセージはデバイスによって異なります。Telnet経由でデバイスにロ"
 "グインできない場合は、このパラメーターを設定します。"
 
-#: settings/serializers/terminal.py:37
-msgid "RDP address"
-msgstr "RDPアドレス"
-
-#: settings/serializers/terminal.py:38
-msgid "RDP visit address, eg: dev.jumpserver.org:3389"
-msgstr "RDP訪問先住所、例: dev.jumpserver.org:3389"
-
-#: settings/serializers/terminal.py:40
-msgid "Enable XRDP"
-msgstr "XRDPの有効化"
-
-#: settings/serializers/terminal.py:43
-msgid "Koko host"
-msgstr "KOKO ホストアドレス"
-
-#: settings/serializers/terminal.py:46
-msgid "Koko ssh port"
-msgstr "Koko ssh ポート"
-
-#: settings/serializers/terminal.py:49
+#: settings/serializers/terminal.py:36
 msgid "Enable database proxy"
 msgstr "属性マップの有効化"
 
-#: settings/serializers/terminal.py:51
-msgid "Database proxy host"
-msgstr "データベースエージェントホスト"
-
-#: settings/serializers/terminal.py:52
-msgid "Database proxy host, eg: dev.jumpserver.org"
-msgstr "RDP訪問先住所、例: dev.jumpserver.org:3389"
-
-#: settings/serializers/terminal.py:55
-msgid "MySQL port"
-msgstr "MySQLポート"
-
-#: settings/serializers/terminal.py:56
-msgid "MySQL protocol listen port"
-msgstr "MySQLプロトコルリッスンポート"
-
-#: settings/serializers/terminal.py:59
-msgid "MariaDB port"
-msgstr "MariaDBポート"
-
-#: settings/serializers/terminal.py:60
-msgid "MariaDB protocol listen port"
-msgstr "MariaDBプロトコルリッスンポート"
-
-#: settings/serializers/terminal.py:63
-msgid "PostgreSQL port"
-msgstr "PostgreSQLポート"
-
-#: settings/serializers/terminal.py:64
-msgid "PostgreSQL protocol listen port"
-msgstr "PostgreSQLプロトコルリッスンポート"
+#: settings/serializers/terminal.py:37
+msgid "Enable XRDP"
+msgstr "XRDPの有効化"
 
 #: settings/utils/ldap.py:417
 msgid "ldap:// or ldaps:// protocol is used."
@@ -4413,10 +4328,6 @@ msgstr "認証に失敗しました (不明): {}"
 msgid "Authentication success: {}"
 msgstr "認証成功: {}"
 
-#: templates/_base_list.html:37
-msgid "Search"
-msgstr "検索"
-
 #: templates/_csv_import_export.html:8
 msgid "Export"
 msgstr "エクスポート"
@@ -4466,7 +4377,6 @@ msgid "Commercial support"
 msgstr "商用サポート"
 
 #: templates/_header_bar.html:76 users/forms/profile.py:43
-#: users/templates/users/user_password_update.html:39
 msgid "Profile"
 msgstr "プロフィール"
 
@@ -4572,175 +4482,14 @@ msgstr "待つ:"
 msgid "The verification code has been sent"
 msgstr "確認コードが送信されました"
 
-#: templates/_pagination.html:59
-msgid ""
-"Displays the results of items _START_ to _END_; A total of _TOTAL_ entries"
-msgstr "アイテムの結果を表示します _START_ to _END_; 合計 _TOTAL_ エントリ"
-
 #: templates/_without_nav_base.html:26
 msgid "Home page"
 msgstr "ホームページ"
 
-#: templates/delete_confirm.html:6
-msgid "Confirm delete"
-msgstr "削除の確認"
-
-#: templates/delete_confirm.html:11
-msgid "Are you sure delete"
-msgstr "削除してもよろしいですか"
-
 #: templates/flash_message_standalone.html:25
 msgid "Cancel"
 msgstr "キャンセル"
 
-#: templates/index.html:11
-msgid "Total users"
-msgstr "合計ユーザー数"
-
-#: templates/index.html:23
-msgid "Total assets"
-msgstr "総資産"
-
-#: templates/index.html:36
-msgid "Online users"
-msgstr "オンラインユーザー"
-
-#: templates/index.html:49
-msgid "Online sessions"
-msgstr "オンラインセッション"
-
-#: templates/index.html:61
-msgid "In the past week, a total of "
-msgstr "過去1週間、共有 "
-
-#: templates/index.html:61
-msgid " users have logged in "
-msgstr " ビットユーザーログイン."
-
-#: templates/index.html:61
-msgid " times asset."
-msgstr " 次资产."
-
-#: templates/index.html:69
-msgid "Active user asset ratio"
-msgstr "アクティブなユーザー資産比率"
-
-#: templates/index.html:72
-msgid ""
-"The following graphs describe the percentage of active users per month and "
-"assets per user host per month, respectively."
-msgstr ""
-"次のグラフは、1か月あたりのアクティブユーザーの割合と、1か月あたりのユーザー"
-"ホストあたりの資産の割合をそれぞれ示しています。"
-
-#: templates/index.html:97 templates/index.html:112
-msgid "Top 10 assets in a week"
-msgstr "1週間でトップ10の資産"
-
-#: templates/index.html:113
-msgid "Login frequency and last login record."
-msgstr "ログイン頻度と最後のログイン記録。"
-
-#: templates/index.html:122
-msgid "Last 10 login"
-msgstr "最後の10ログイン"
-
-#: templates/index.html:128
-msgid "Login record"
-msgstr "ログイン記録"
-
-#: templates/index.html:129
-msgid "Last 10 login records."
-msgstr "最後の10件のログイン記録。"
-
-#: templates/index.html:143 templates/index.html:158
-msgid "Top 10 users in a week"
-msgstr "1週間でトップ10のユーザー"
-
-#: templates/index.html:159
-msgid "User login frequency and last login record."
-msgstr "ユーザーログイン頻度と最後のログインレコード。"
-
-#: templates/index.html:184
-msgid "Monthly data overview"
-msgstr "毎月のデータ概要"
-
-#: templates/index.html:185
-msgid "History summary in one month"
-msgstr "1ヶ月で履歴概要"
-
-#: templates/index.html:193 templates/index.html:217
-msgid "Login count"
-msgstr "ログイン数"
-
-#: templates/index.html:193 templates/index.html:224
-msgid "Active users"
-msgstr "アクティブユーザー"
-
-#: templates/index.html:193 templates/index.html:231
-msgid "Active assets"
-msgstr "アクティブな資産"
-
-#: templates/index.html:262 templates/index.html:313
-msgid "Monthly active users"
-msgstr "毎月のアクティブユーザー数"
-
-#: templates/index.html:262 templates/index.html:314
-msgid "Disable user"
-msgstr "ユーザーを無効にする"
-
-#: templates/index.html:262 templates/index.html:315
-msgid "Month not logged in user"
-msgstr "ユーザーにログインしていない月"
-
-#: templates/index.html:288 templates/index.html:368
-msgid "Access to the source"
-msgstr "ソースへのアクセス"
-
-#: templates/index.html:342
-msgid "Month is logged into the asset"
-msgstr "月が資産にログインされます"
-
-#: templates/index.html:342 templates/index.html:393
-msgid "Disable host"
-msgstr "ホストの無効化"
-
-#: templates/index.html:342 templates/index.html:394
-msgid "Month not logged on host"
-msgstr "月がホストにログオンしていない"
-
-#: templates/index.html:392
-msgid "Month is logged into the host"
-msgstr "月がホストにログインされます"
-
-#: templates/index.html:466
-msgid " times/week"
-msgstr " 時間/週"
-
-#: templates/index.html:491 templates/index.html:527
-msgid " times"
-msgstr " 回数"
-
-#: templates/index.html:494 templates/index.html:530
-msgid "The time last logged in"
-msgstr "最後にログインした時刻"
-
-#: templates/index.html:495 templates/index.html:531
-msgid "At"
-msgstr "于"
-
-#: templates/index.html:510 templates/index.html:545 templates/index.html:580
-msgid "(No)"
-msgstr "(しばらく)"
-
-#: templates/index.html:561
-msgid "Before"
-msgstr "前"
-
-#: templates/index.html:562
-msgid "Login in "
-msgstr "ログイン"
-
 #: templates/resource_download.html:18 templates/resource_download.html:24
 #: templates/resource_download.html:25 templates/resource_download.html:30
 msgid "Client"
@@ -4786,19 +4535,23 @@ msgstr ""
 msgid "Filters"
 msgstr "フィルター"
 
-#: terminal/api/session.py:211
+#: terminal/api/endpoint.py:65
+msgid "Not found protocol query params"
+msgstr ""
+
+#: terminal/api/session.py:210
 msgid "Session does not exist: {}"
 msgstr "セッションが存在しません: {}"
 
-#: terminal/api/session.py:214
+#: terminal/api/session.py:213
 msgid "Session is finished or the protocol not supported"
 msgstr "セッションが終了したか、プロトコルがサポートされていません"
 
-#: terminal/api/session.py:219
+#: terminal/api/session.py:218
 msgid "User does not exist: {}"
 msgstr "ユーザーが存在しない: {}"
 
-#: terminal/api/session.py:227
+#: terminal/api/session.py:226
 msgid "User does not have permission"
 msgstr "ユーザーに権限がありません"
 
@@ -4842,7 +4595,7 @@ msgstr "オンラインセッションを持つ"
 msgid "Terminals"
 msgstr "ターミナル管理"
 
-#: terminal/backends/command/es.py:27
+#: terminal/backends/command/es.py:26
 msgid "Invalid elasticsearch config"
 msgstr "無効なElasticsearch構成"
 
@@ -4899,7 +4652,6 @@ msgid "High"
 msgstr "高い"
 
 #: terminal/const.py:35 users/templates/users/reset_password.html:50
-#: users/templates/users/user_password_update.html:104
 msgid "Normal"
 msgstr "正常"
 
@@ -4919,6 +4671,49 @@ msgstr "ストレージが無効です"
 msgid "Command record"
 msgstr "コマンドレコード"
 
+#: terminal/models/endpoint.py:13
+msgid "HTTPS Port"
+msgstr "HTTPS ポート"
+
+#: terminal/models/endpoint.py:14 terminal/models/terminal.py:107
+msgid "HTTP Port"
+msgstr "HTTP ポート"
+
+#: terminal/models/endpoint.py:15 terminal/models/terminal.py:106
+msgid "SSH Port"
+msgstr "SSH ポート"
+
+#: terminal/models/endpoint.py:16
+msgid "RDP Port"
+msgstr "RDP ポート"
+
+#: terminal/models/endpoint.py:17
+msgid "MySQL Port"
+msgstr "MySQL ポート"
+
+#: terminal/models/endpoint.py:18
+msgid "MariaDB Port"
+msgstr "MariaDB ポート"
+
+#: terminal/models/endpoint.py:19
+msgid "PostgreSQL Port"
+msgstr "PostgreSQL ポート"
+
+#: terminal/models/endpoint.py:25 terminal/models/endpoint.py:61
+#: terminal/serializers/endpoint.py:40 terminal/serializers/storage.py:37
+#: terminal/serializers/storage.py:49 terminal/serializers/storage.py:79
+#: terminal/serializers/storage.py:89 terminal/serializers/storage.py:97
+msgid "Endpoint"
+msgstr "エンドポイント"
+
+#: terminal/models/endpoint.py:54
+msgid "IP group"
+msgstr "IP グループ"
+
+#: terminal/models/endpoint.py:66
+msgid "Endpoint rule"
+msgstr "エンドポイントルール"
+
 #: terminal/models/replay.py:12
 msgid "Session replay"
 msgstr "セッション再生"
@@ -4931,35 +4726,35 @@ msgstr "セッションのリプレイをアップロードできます"
 msgid "Can download session replay"
 msgstr "セッション再生をダウンロードできます"
 
-#: terminal/models/session.py:48 terminal/models/sharing.py:87
+#: terminal/models/session.py:50 terminal/models/sharing.py:87
 msgid "Login from"
 msgstr "ログイン元"
 
-#: terminal/models/session.py:52
+#: terminal/models/session.py:54
 msgid "Replay"
 msgstr "リプレイ"
 
-#: terminal/models/session.py:57
+#: terminal/models/session.py:59
 msgid "Date end"
 msgstr "終了日"
 
-#: terminal/models/session.py:242
+#: terminal/models/session.py:251
 msgid "Session record"
 msgstr "セッション記録"
 
-#: terminal/models/session.py:244
+#: terminal/models/session.py:253
 msgid "Can monitor session"
 msgstr "セッションを監視できます"
 
-#: terminal/models/session.py:245
+#: terminal/models/session.py:254
 msgid "Can share session"
 msgstr "セッションを共有できます"
 
-#: terminal/models/session.py:246
+#: terminal/models/session.py:255
 msgid "Can terminate session"
 msgstr "セッションを終了できます"
 
-#: terminal/models/session.py:247
+#: terminal/models/session.py:256
 msgid "Can validate session action perm"
 msgstr "セッションアクションのパーマを検証できます"
 
@@ -5068,14 +4863,6 @@ msgstr "クワーグ"
 msgid "type"
 msgstr "タイプ"
 
-#: terminal/models/terminal.py:106
-msgid "SSH Port"
-msgstr "SSHポート"
-
-#: terminal/models/terminal.py:107
-msgid "HTTP Port"
-msgstr "HTTPポート"
-
 #: terminal/models/terminal.py:183 terminal/serializers/session.py:38
 msgid "Terminal"
 msgstr "ターミナル"
@@ -5132,65 +4919,59 @@ msgstr "終了できます"
 msgid "Command amount"
 msgstr "コマンド量"
 
-#: terminal/serializers/storage.py:21
+#: terminal/serializers/storage.py:19
 msgid "Endpoint invalid: remove path `{}`"
 msgstr "エンドポイントが無効: パス '{}' を削除"
 
-#: terminal/serializers/storage.py:27
+#: terminal/serializers/storage.py:25
 msgid "Bucket"
 msgstr "バケット"
 
-#: terminal/serializers/storage.py:34 users/models/user.py:695
+#: terminal/serializers/storage.py:32 users/models/user.py:695
 msgid "Secret key"
 msgstr "秘密キー"
 
-#: terminal/serializers/storage.py:39 terminal/serializers/storage.py:51
-#: terminal/serializers/storage.py:81 terminal/serializers/storage.py:91
-#: terminal/serializers/storage.py:99
-msgid "Endpoint"
-msgstr "エンドポイント"
-
-#: terminal/serializers/storage.py:66 xpack/plugins/cloud/models.py:220
+#: terminal/serializers/storage.py:64 xpack/plugins/cloud/models.py:220
 msgid "Region"
 msgstr "リージョン"
 
-#: terminal/serializers/storage.py:110
+#: terminal/serializers/storage.py:108
 msgid "Container name"
 msgstr "コンテナー名"
 
-#: terminal/serializers/storage.py:112
+#: terminal/serializers/storage.py:110
 msgid "Account name"
 msgstr "アカウント名"
 
-#: terminal/serializers/storage.py:113
+#: terminal/serializers/storage.py:111
 msgid "Account key"
 msgstr "アカウントキー"
 
-#: terminal/serializers/storage.py:116
+#: terminal/serializers/storage.py:114
 msgid "Endpoint suffix"
 msgstr "エンドポイントサフィックス"
 
-#: terminal/serializers/storage.py:138
+#: terminal/serializers/storage.py:134
 msgid "The address format is incorrect"
 msgstr "アドレス形式が正しくありません"
 
-#: terminal/serializers/storage.py:145
+#: terminal/serializers/storage.py:141
 msgid "Host invalid"
 msgstr "ホスト無効"
 
-#: terminal/serializers/storage.py:148
+#: terminal/serializers/storage.py:144
 msgid "Port invalid"
 msgstr "ポートが無効"
 
-#: terminal/serializers/storage.py:164
+#: terminal/serializers/storage.py:159
 msgid "Index"
 msgstr "インデックス"
 
-#: terminal/serializers/storage.py:166
+#: terminal/serializers/storage.py:161
 msgid "Doc type"
 msgstr "Docタイプ"
 
-#: terminal/serializers/storage.py:168
+#: terminal/serializers/storage.py:163
 msgid "Ignore Certificate Verification"
 msgstr "証明書の検証を無視する"
 
@@ -5748,7 +5529,6 @@ msgid "Not a valid ssh public key"
 msgstr "有効なssh公開鍵ではありません"
 
 #: users/forms/profile.py:160 users/models/user.py:692
-#: users/templates/users/user_password_update.html:48
 msgid "Public key"
 msgstr "公開キー"
 
@@ -5957,10 +5737,6 @@ msgstr "セキュリティのために、複数のユーザーのみをリスト
 msgid "name not unique"
 msgstr "名前が一意ではない"
 
-#: users/templates/users/_granted_assets.html:7
-msgid "Loading"
-msgstr "読み込み中"
-
 #: users/templates/users/_msg_account_expire_reminder.html:7
 msgid "Your account will expire in"
 msgstr "アカウントの有効期限は"
@@ -6015,69 +5791,11 @@ msgstr "あなたのssh公開鍵はサイト管理者によってリセットさ
 msgid "click here to set your password"
 msgstr "ここをクリックしてパスワードを設定してください"
 
-#: users/templates/users/_select_user_modal.html:5
-msgid "Please Select User"
-msgstr "ユーザーを選択してください"
-
-#: users/templates/users/_select_user_modal.html:17
-msgid "Asset num"
-msgstr "資産num"
-
-#: users/templates/users/_user_detail_nav_header.html:11
-msgid "User detail"
-msgstr "ユーザーの詳細"
-
-#: users/templates/users/_user_detail_nav_header.html:15
-msgid "User permissions"
-msgstr "ユーザー権限"
-
-#: users/templates/users/_user_detail_nav_header.html:23
-msgid "Asset granted"
-msgstr "付与された資産"
-
-#: users/templates/users/_user_detail_nav_header.html:40
-msgid "RemoteApp granted"
-msgstr "承認されたリモートアプリケーション"
-
-#: users/templates/users/_user_detail_nav_header.html:47
-msgid "RemoteApp permission"
-msgstr "リモートアプリケーションのライセンス"
-
-#: users/templates/users/_user_detail_nav_header.html:54
-msgid "DatabaseApp granted"
-msgstr "認可されたデータベース・アプリケーション"
-
-#: users/templates/users/_user_detail_nav_header.html:61
-msgid "DatabaseApp permission"
-msgstr "数据库应用授权"
-
-#: users/templates/users/_user_update_pk_modal.html:4
-msgid "Update User SSH Public Key"
-msgstr "SSHキーの更新"
-
-#: users/templates/users/first_login.html:6
-#: users/templates/users/first_login_done.html:19
-msgid "First Login"
-msgstr "最初のログイン"
-
-#: users/templates/users/first_login_done.html:31
-msgid "Welcome to use jumpserver, visit "
-msgstr "JumpServer砦機へようこそ"
-
-#: users/templates/users/first_login_done.html:32
-msgid "Use guide"
-msgstr "ガイド人"
-
-#: users/templates/users/first_login_done.html:32
-msgid " for more information"
-msgstr "より多くの情報のため"
-
 #: users/templates/users/forgot_password.html:23
 msgid "Input your email, that will send a mail to your"
 msgstr "あなたのメールを入力し、それはあなたにメールを送信します"
 
 #: users/templates/users/forgot_password.html:32
-#: users/templates/users/user_password_update.html:75
 msgid "Submit"
 msgstr "送信"
 
@@ -6094,12 +5812,10 @@ msgid "MFA setting"
 msgstr "MFAの設定"
 
 #: users/templates/users/reset_password.html:23
-#: users/templates/users/user_password_update.html:64
 msgid "Your password must satisfy"
 msgstr "パスワードを満たす必要があります"
 
 #: users/templates/users/reset_password.html:24
-#: users/templates/users/user_password_update.html:65
 msgid "Password strength"
 msgstr "パスワードの強さ"
 
@@ -6108,54 +5824,25 @@ msgid "Setting"
 msgstr "設定"
 
 #: users/templates/users/reset_password.html:48
-#: users/templates/users/user_password_update.html:102
 msgid "Very weak"
 msgstr "非常に弱い"
 
 #: users/templates/users/reset_password.html:49
-#: users/templates/users/user_password_update.html:103
 msgid "Weak"
 msgstr "弱い"
 
 #: users/templates/users/reset_password.html:51
-#: users/templates/users/user_password_update.html:105
 msgid "Medium"
 msgstr "中"
 
 #: users/templates/users/reset_password.html:52
-#: users/templates/users/user_password_update.html:106
 msgid "Strong"
 msgstr "強い"
 
 #: users/templates/users/reset_password.html:53
-#: users/templates/users/user_password_update.html:107
 msgid "Very strong"
 msgstr "非常に強い"
 
-#: users/templates/users/user_asset_permission.html:43
-#: users/templates/users/user_asset_permission.html:155
-#: users/templates/users/user_database_app_permission.html:41
-#: xpack/plugins/cloud/models.py:34
-msgid "Validity"
-msgstr "有効性"
-
-#: users/templates/users/user_asset_permission.html:160
-msgid "Inherit"
-msgstr "継承"
-
-#: users/templates/users/user_asset_permission.html:161
-msgid "Include"
-msgstr "含める"
-
-#: users/templates/users/user_asset_permission.html:162
-msgid "Exclude"
-msgstr "除外"
-
-#: users/templates/users/user_database_app_permission.html:39
-#: users/templates/users/user_database_app_permission.html:64
-msgid "DatabaseApp"
-msgstr "データベースの適用"
-
 #: users/templates/users/user_otp_check_password.html:6
 msgid "Enable OTP"
 msgstr "OTPの有効化"
@@ -6205,10 +5892,6 @@ msgstr ""
 "インストール後、次のステップをクリックしてバインディングページに入ります (イ"
 "ンストールされている場合は、次のステップに直接進みます)。"
 
-#: users/templates/users/user_password_update.html:74
-msgid "Reset"
-msgstr "リセット"
-
 #: users/templates/users/user_password_verify.html:8
 #: users/templates/users/user_password_verify.html:9
 msgid "Verify password"
@@ -6520,62 +6203,58 @@ msgid "Baidu Cloud"
 msgstr "百度雲"
 
 #: xpack/plugins/cloud/const.py:15
-msgid "JD Cloud"
-msgstr "京東雲"
-
-#: xpack/plugins/cloud/const.py:16
 msgid "Tencent Cloud"
 msgstr "テンセント雲"
 
-#: xpack/plugins/cloud/const.py:17
+#: xpack/plugins/cloud/const.py:16
 msgid "VMware"
 msgstr "VMware"
 
-#: xpack/plugins/cloud/const.py:18 xpack/plugins/cloud/providers/nutanix.py:13
+#: xpack/plugins/cloud/const.py:17 xpack/plugins/cloud/providers/nutanix.py:13
 msgid "Nutanix"
 msgstr "Nutanix"
 
-#: xpack/plugins/cloud/const.py:19
+#: xpack/plugins/cloud/const.py:18
 msgid "Huawei Private Cloud"
 msgstr "華為私有雲"
 
-#: xpack/plugins/cloud/const.py:20
+#: xpack/plugins/cloud/const.py:19
 msgid "Qingyun Private Cloud"
 msgstr "青雲私有雲"
 
-#: xpack/plugins/cloud/const.py:21
+#: xpack/plugins/cloud/const.py:20
 msgid "OpenStack"
 msgstr "OpenStack"
 
-#: xpack/plugins/cloud/const.py:22
+#: xpack/plugins/cloud/const.py:21
 msgid "Google Cloud Platform"
 msgstr "谷歌雲"
 
-#: xpack/plugins/cloud/const.py:26
+#: xpack/plugins/cloud/const.py:25
 msgid "Instance name"
 msgstr "インスタンス名"
 
-#: xpack/plugins/cloud/const.py:27
+#: xpack/plugins/cloud/const.py:26
 msgid "Instance name and Partial IP"
 msgstr "インスタンス名と部分IP"
 
-#: xpack/plugins/cloud/const.py:32
+#: xpack/plugins/cloud/const.py:31
 msgid "Succeed"
 msgstr "成功"
 
-#: xpack/plugins/cloud/const.py:36
+#: xpack/plugins/cloud/const.py:35
 msgid "Unsync"
 msgstr "同期していません"
 
-#: xpack/plugins/cloud/const.py:37
+#: xpack/plugins/cloud/const.py:36
 msgid "New Sync"
 msgstr "新しい同期"
 
-#: xpack/plugins/cloud/const.py:38
+#: xpack/plugins/cloud/const.py:37
 msgid "Synced"
 msgstr "同期済み"
 
-#: xpack/plugins/cloud/const.py:39
+#: xpack/plugins/cloud/const.py:38
 msgid "Released"
 msgstr "リリース済み"
 
@@ -6587,6 +6266,10 @@ msgstr "クラウドセンター"
 msgid "Provider"
 msgstr "プロバイダー"
 
+#: xpack/plugins/cloud/models.py:34
+msgid "Validity"
+msgstr "有効性"
+
 #: xpack/plugins/cloud/models.py:39
 msgid "Cloud account"
 msgstr "クラウドアカウント"
@@ -6748,13 +6431,11 @@ msgid "South America (São Paulo)"
 msgstr "南米 (サンパウロ)"
 
 #: xpack/plugins/cloud/providers/baiducloud.py:54
-#: xpack/plugins/cloud/providers/jdcloud.py:127
 msgid "CN North-Beijing"
 msgstr "華北-北京"
 
 #: xpack/plugins/cloud/providers/baiducloud.py:55
 #: xpack/plugins/cloud/providers/huaweicloud.py:40
-#: xpack/plugins/cloud/providers/jdcloud.py:130
 msgid "CN South-Guangzhou"
 msgstr "華南-広州"
 
@@ -6776,7 +6457,6 @@ msgid "CN North-Baoding"
 msgstr "華北-保定"
 
 #: xpack/plugins/cloud/providers/baiducloud.py:60
-#: xpack/plugins/cloud/providers/jdcloud.py:129
 msgid "CN East-Shanghai"
 msgstr "華東-上海"
 
@@ -6841,15 +6521,11 @@ msgstr "華北-ウランチャブ一"
 msgid "CN South-Guangzhou-InvitationOnly"
 msgstr "華南-広州-友好ユーザー環境"
 
-#: xpack/plugins/cloud/providers/jdcloud.py:128
-msgid "CN East-Suqian"
-msgstr "華東-宿遷"
-
-#: xpack/plugins/cloud/serializers/account.py:60
+#: xpack/plugins/cloud/serializers/account.py:59
 msgid "Validity display"
 msgstr "有効表示"
 
-#: xpack/plugins/cloud/serializers/account.py:61
+#: xpack/plugins/cloud/serializers/account.py:60
 msgid "Provider display"
 msgstr "プロバイダ表示"
 
diff --git a/apps/locale/zh/LC_MESSAGES/django.mo b/apps/locale/zh/LC_MESSAGES/django.mo
index 88f701b6b..5b9f31b64 100644
--- a/apps/locale/zh/LC_MESSAGES/django.mo
+++ b/apps/locale/zh/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:3d6a0d40534209f3ffab0b0ecfab7ec82f137156fc8e7b19ce1711036d14aeca
-size 107709
+oid sha256:9c13775875a335e3c8dbc7f666af622c5aa12050100b15e616c210e8e3043e38
+size 103490
diff --git a/apps/locale/zh/LC_MESSAGES/django.po b/apps/locale/zh/LC_MESSAGES/django.po
index fb29c7d9c..b15b2c545 100644
--- a/apps/locale/zh/LC_MESSAGES/django.po
+++ b/apps/locale/zh/LC_MESSAGES/django.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: JumpServer 0.3.3\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-04-02 10:01+0800\n"
+"POT-Creation-Date: 2022-04-12 17:03+0800\n"
 "PO-Revision-Date: 2021-05-20 10:54+0800\n"
 "Last-Translator: ibuler <ibuler@qq.com>\n"
 "Language-Team: JumpServer team<ibuler@qq.com>\n"
@@ -28,31 +28,27 @@ msgstr "访问控制"
 #: assets/models/group.py:20 assets/models/label.py:18 ops/mixin.py:24
 #: orgs/models.py:65 perms/models/base.py:83 rbac/models/role.py:29
 #: settings/models.py:29 settings/serializers/sms.py:6
+#: terminal/models/endpoint.py:10 terminal/models/endpoint.py:53
 #: terminal/models/storage.py:23 terminal/models/task.py:16
 #: terminal/models/terminal.py:100 users/forms/profile.py:32
 #: users/models/group.py:15 users/models/user.py:661
-#: users/templates/users/_select_user_modal.html:13
-#: users/templates/users/user_asset_permission.html:37
-#: users/templates/users/user_asset_permission.html:154
-#: users/templates/users/user_database_app_permission.html:36
 #: xpack/plugins/cloud/models.py:28
 msgid "Name"
 msgstr "名称"
 
 #: acls/models/base.py:27 assets/models/cmd_filter.py:84
-#: assets/models/user.py:247
+#: assets/models/user.py:247 terminal/models/endpoint.py:56
 msgid "Priority"
 msgstr "优先级"
 
 #: acls/models/base.py:28 assets/models/cmd_filter.py:84
-#: assets/models/user.py:247
+#: assets/models/user.py:247 terminal/models/endpoint.py:57
 msgid "1-100, the lower the value will be match first"
 msgstr "优先级可选范围为 1-100 (数值越小越优先)"
 
 #: acls/models/base.py:31 authentication/models.py:17
 #: authentication/templates/authentication/_access_key_modal.html:32
 #: perms/models/base.py:88 terminal/models/sharing.py:26
-#: users/templates/users/_select_user_modal.html:18
 msgid "Active"
 msgstr "激活中"
 
@@ -64,6 +60,7 @@ msgstr "激活中"
 #: assets/models/domain.py:64 assets/models/group.py:23
 #: assets/models/label.py:23 ops/models/adhoc.py:38 orgs/models.py:68
 #: perms/models/base.py:93 rbac/models/role.py:37 settings/models.py:34
+#: terminal/models/endpoint.py:20 terminal/models/endpoint.py:63
 #: terminal/models/storage.py:26 terminal/models/terminal.py:114
 #: tickets/models/comment.py:24 tickets/models/ticket.py:154
 #: users/models/group.py:16 users/models/user.py:698
@@ -90,16 +87,12 @@ msgstr "登录复核"
 #: assets/models/cmd_filter.py:30 assets/models/label.py:15 audits/models.py:37
 #: audits/models.py:60 audits/models.py:85 audits/serializers.py:100
 #: authentication/models.py:50 orgs/models.py:214 perms/models/base.py:84
-#: rbac/builtin.py:101 rbac/models/rolebinding.py:40 templates/index.html:78
+#: rbac/builtin.py:106 rbac/models/rolebinding.py:40
 #: terminal/backends/command/models.py:19
-#: terminal/backends/command/serializers.py:12 terminal/models/session.py:42
+#: terminal/backends/command/serializers.py:12 terminal/models/session.py:44
 #: terminal/notifications.py:91 terminal/notifications.py:139
 #: tickets/models/comment.py:17 users/const.py:14 users/models/user.py:886
 #: users/models/user.py:917 users/serializers/group.py:19
-#: users/templates/users/user_asset_permission.html:38
-#: users/templates/users/user_asset_permission.html:64
-#: users/templates/users/user_database_app_permission.html:37
-#: users/templates/users/user_database_app_permission.html:58
 msgid "User"
 msgstr "用户"
 
@@ -111,10 +104,6 @@ msgstr "规则"
 #: acls/serializers/login_acl.py:17 acls/serializers/login_asset_acl.py:75
 #: assets/models/cmd_filter.py:89 audits/models.py:61 audits/serializers.py:51
 #: authentication/templates/authentication/_access_key_modal.html:34
-#: users/templates/users/_granted_assets.html:29
-#: users/templates/users/user_asset_permission.html:44
-#: users/templates/users/user_asset_permission.html:79
-#: users/templates/users/user_database_app_permission.html:42
 msgid "Action"
 msgstr "动作"
 
@@ -135,16 +124,13 @@ msgstr "系统用户"
 
 #: acls/models/login_asset_acl.py:22
 #: applications/serializers/attrs/application_category/remote_app.py:36
-#: assets/models/asset.py:383 assets/models/authbook.py:19
+#: assets/models/asset.py:386 assets/models/authbook.py:19
 #: assets/models/backup.py:31 assets/models/cmd_filter.py:38
 #: assets/models/gathered_user.py:14 assets/serializers/label.py:30
 #: assets/serializers/system_user.py:264 audits/models.py:39
-#: perms/models/asset_permission.py:23 templates/index.html:82
-#: terminal/backends/command/models.py:20
-#: terminal/backends/command/serializers.py:13 terminal/models/session.py:44
+#: perms/models/asset_permission.py:23 terminal/backends/command/models.py:20
+#: terminal/backends/command/serializers.py:13 terminal/models/session.py:46
 #: terminal/notifications.py:90
-#: users/templates/users/user_asset_permission.html:40
-#: users/templates/users/user_asset_permission.html:70
 #: xpack/plugins/change_auth_plan/models/asset.py:199
 #: xpack/plugins/change_auth_plan/serializers/asset.py:180
 #: xpack/plugins/cloud/models.py:223
@@ -171,7 +157,6 @@ msgstr "格式为逗号分隔的字符串, * 表示匹配所有. "
 #: authentication/templates/authentication/_msg_oauth_bind.html:9
 #: ops/models/adhoc.py:159 users/forms/profile.py:31 users/models/user.py:659
 #: users/templates/users/_msg_user_created.html:12
-#: users/templates/users/_select_user_modal.html:14
 #: xpack/plugins/change_auth_plan/models/asset.py:34
 #: xpack/plugins/change_auth_plan/models/asset.py:195
 #: xpack/plugins/cloud/serializers/account_attrs.py:22
@@ -194,17 +179,13 @@ msgstr ""
 #: authentication/templates/authentication/_msg_oauth_bind.html:12
 #: authentication/templates/authentication/_msg_rest_password_success.html:8
 #: authentication/templates/authentication/_msg_rest_public_key_success.html:8
-#: settings/serializers/terminal.py:8
-#: users/templates/users/_granted_assets.html:26
-#: users/templates/users/user_asset_permission.html:156
+#: settings/serializers/terminal.py:8 terminal/serializers/endpoint.py:37
 msgid "IP"
 msgstr "IP"
 
 #: acls/serializers/login_asset_acl.py:35 assets/models/asset.py:211
 #: assets/serializers/account.py:14 assets/serializers/gathered_user.py:23
 #: settings/serializers/terminal.py:7
-#: users/templates/users/_granted_assets.html:25
-#: users/templates/users/user_asset_permission.html:157
 msgid "Hostname"
 msgstr "主机名"
 
@@ -216,7 +197,7 @@ msgstr "格式为逗号分隔的字符串, * 表示匹配所有. 可选的协议
 
 #: acls/serializers/login_asset_acl.py:55 assets/models/asset.py:213
 #: assets/models/domain.py:62 assets/models/user.py:248
-#: terminal/serializers/session.py:30 terminal/serializers/storage.py:69
+#: terminal/serializers/session.py:30 terminal/serializers/storage.py:67
 msgid "Protocol"
 msgstr "协议"
 
@@ -280,13 +261,7 @@ msgstr "应用程序"
 #: assets/models/cmd_filter.py:42 assets/models/user.py:338 audits/models.py:40
 #: perms/models/application_permission.py:33
 #: perms/models/asset_permission.py:25 terminal/backends/command/models.py:21
-#: terminal/backends/command/serializers.py:35 terminal/models/session.py:46
-#: users/templates/users/_granted_assets.html:27
-#: users/templates/users/user_asset_permission.html:42
-#: users/templates/users/user_asset_permission.html:76
-#: users/templates/users/user_asset_permission.html:159
-#: users/templates/users/user_database_app_permission.html:40
-#: users/templates/users/user_database_app_permission.html:67
+#: terminal/backends/command/serializers.py:35 terminal/models/session.py:48
 #: xpack/plugins/change_auth_plan/models/app.py:36
 #: xpack/plugins/change_auth_plan/models/app.py:147
 #: xpack/plugins/change_auth_plan/serializers/app.py:65
@@ -338,7 +313,7 @@ msgid "Domain"
 msgstr "网域"
 
 #: applications/models/application.py:228 xpack/plugins/cloud/models.py:33
-#: xpack/plugins/cloud/serializers/account.py:59
+#: xpack/plugins/cloud/serializers/account.py:58
 msgid "Attrs"
 msgstr "属性"
 
@@ -346,7 +321,7 @@ msgstr "属性"
 msgid "Can match application"
 msgstr "匹配应用"
 
-#: applications/models/application.py:286
+#: applications/models/application.py:306
 msgid "Application user"
 msgstr "应用用户"
 
@@ -404,6 +379,7 @@ msgstr "集群"
 
 #: applications/serializers/attrs/application_category/db.py:11
 #: ops/models/adhoc.py:157 settings/serializers/auth/radius.py:14
+#: terminal/models/endpoint.py:11
 #: xpack/plugins/cloud/serializers/account_attrs.py:68
 msgid "Host"
 msgstr "主机"
@@ -634,27 +610,27 @@ msgstr "标签管理"
 msgid "Created by"
 msgstr "创建者"
 
-#: assets/models/asset.py:386
+#: assets/models/asset.py:389
 msgid "Can refresh asset hardware info"
 msgstr "可以更新资产硬件信息"
 
-#: assets/models/asset.py:387
+#: assets/models/asset.py:390
 msgid "Can test asset connectivity"
 msgstr "可以测试资产连接性"
 
-#: assets/models/asset.py:388
+#: assets/models/asset.py:391
 msgid "Can push system user to asset"
 msgstr "可以推送系统用户到资产"
 
-#: assets/models/asset.py:389
+#: assets/models/asset.py:392
 msgid "Can match asset"
 msgstr "可以匹配资产"
 
-#: assets/models/asset.py:390
+#: assets/models/asset.py:393
 msgid "Add asset to node"
 msgstr "添加资产到节点"
 
-#: assets/models/asset.py:391
+#: assets/models/asset.py:394
 msgid "Move asset to node"
 msgstr "移动资产到节点"
 
@@ -701,7 +677,7 @@ msgid "Timing trigger"
 msgstr "定时触发"
 
 #: assets/models/backup.py:105 audits/models.py:44 ops/models/command.py:31
-#: perms/models/base.py:89 terminal/models/session.py:56
+#: perms/models/base.py:89 terminal/models/session.py:58
 #: tickets/serializers/ticket/meta/ticket_type/apply_application.py:55
 #: tickets/serializers/ticket/meta/ticket_type/apply_asset.py:57
 #: xpack/plugins/change_auth_plan/models/base.py:112
@@ -762,7 +738,7 @@ msgstr "成功"
 #: assets/models/base.py:32 audits/models.py:116
 #: xpack/plugins/change_auth_plan/serializers/app.py:88
 #: xpack/plugins/change_auth_plan/serializers/asset.py:198
-#: xpack/plugins/cloud/const.py:31
+#: xpack/plugins/cloud/const.py:30
 msgid "Failed"
 msgstr "失败"
 
@@ -777,9 +753,8 @@ msgstr "校验日期"
 #: assets/models/base.py:177 audits/signal_handlers.py:68
 #: authentication/forms.py:22
 #: authentication/templates/authentication/login.html:181
-#: settings/serializers/auth/ldap.py:44 users/forms/profile.py:21
+#: settings/serializers/auth/ldap.py:43 users/forms/profile.py:21
 #: users/templates/users/_msg_user_created.html:13
-#: users/templates/users/user_password_update.html:43
 #: users/templates/users/user_password_verify.html:18
 #: xpack/plugins/change_auth_plan/models/base.py:42
 #: xpack/plugins/change_auth_plan/models/base.py:121
@@ -844,11 +819,6 @@ msgstr "默认Cluster"
 
 #: assets/models/cmd_filter.py:34 perms/models/base.py:86
 #: users/models/group.py:31 users/models/user.py:667
-#: users/templates/users/_select_user_modal.html:16
-#: users/templates/users/user_asset_permission.html:39
-#: users/templates/users/user_asset_permission.html:67
-#: users/templates/users/user_database_app_permission.html:38
-#: users/templates/users/user_database_app_permission.html:61
 msgid "User group"
 msgstr "用户组"
 
@@ -861,7 +831,7 @@ msgid "Regex"
 msgstr "正则表达式"
 
 #: assets/models/cmd_filter.py:68 ops/models/command.py:26
-#: terminal/backends/command/serializers.py:14 terminal/models/session.py:53
+#: terminal/backends/command/serializers.py:14 terminal/models/session.py:55
 #: terminal/templates/terminal/_msg_command_alert.html:12
 #: terminal/templates/terminal/_msg_command_execute_alert.html:10
 msgid "Command"
@@ -961,7 +931,7 @@ msgstr "标签"
 msgid "New node"
 msgstr "新节点"
 
-#: assets/models/node.py:474 users/templates/users/_granted_assets.html:130
+#: assets/models/node.py:474
 msgid "empty"
 msgstr "空"
 
@@ -978,9 +948,6 @@ msgid "Parent key"
 msgstr "ssh私钥"
 
 #: assets/models/node.py:559 assets/serializers/system_user.py:263
-#: users/templates/users/user_asset_permission.html:41
-#: users/templates/users/user_asset_permission.html:73
-#: users/templates/users/user_asset_permission.html:158
 #: xpack/plugins/cloud/models.py:96 xpack/plugins/cloud/serializers/task.py:69
 msgid "Node"
 msgstr "节点"
@@ -1132,7 +1099,7 @@ msgid "Actions"
 msgstr "动作"
 
 #: assets/serializers/backup.py:31 ops/mixin.py:106 ops/mixin.py:147
-#: settings/serializers/auth/ldap.py:59
+#: settings/serializers/auth/ldap.py:62
 #: xpack/plugins/change_auth_plan/serializers/base.py:42
 msgid "Periodic perform"
 msgstr "定时执行"
@@ -1376,8 +1343,7 @@ msgstr "日志审计"
 
 #: audits/models.py:27 audits/models.py:57
 #: authentication/templates/authentication/_access_key_modal.html:65
-#: rbac/tree.py:166 users/templates/users/user_asset_permission.html:128
-#: users/templates/users/user_database_app_permission.html:111
+#: rbac/tree.py:166
 msgid "Delete"
 msgstr "删除"
 
@@ -1406,7 +1372,7 @@ msgid "Symlink"
 msgstr "建立软链接"
 
 #: audits/models.py:38 audits/models.py:64 audits/models.py:87
-#: terminal/models/session.py:49 terminal/models/sharing.py:82
+#: terminal/models/session.py:51 terminal/models/sharing.py:82
 msgid "Remote addr"
 msgstr "远端地址"
 
@@ -1436,8 +1402,6 @@ msgstr "创建"
 
 #: audits/models.py:56 rbac/tree.py:165 templates/_csv_import_export.html:18
 #: templates/_csv_update_modal.html:6
-#: users/templates/users/user_asset_permission.html:127
-#: users/templates/users/user_database_app_permission.html:110
 msgid "Update"
 msgstr "更新"
 
@@ -1546,7 +1510,7 @@ msgstr "主机名称"
 msgid "Result"
 msgstr "结果"
 
-#: audits/serializers.py:98 terminal/serializers/storage.py:161
+#: audits/serializers.py:98 terminal/serializers/storage.py:156
 msgid "Hosts"
 msgstr "主机"
 
@@ -1657,7 +1621,6 @@ msgid "{AssetPermission} REMOVE {UserGroup}"
 msgstr "{AssetPermission} 移除 {UserGroup}"
 
 #: audits/signal_handlers.py:131 perms/models/asset_permission.py:29
-#: users/templates/users/_user_detail_nav_header.html:31
 msgid "Asset permission"
 msgstr "资产授权"
 
@@ -1755,7 +1718,7 @@ msgstr "{ApplicationPermission} 添加 {SystemUser}"
 msgid "{ApplicationPermission} REMOVE {SystemUser}"
 msgstr "{ApplicationPermission} 移除 {SystemUser}"
 
-#: authentication/api/connection_token.py:313
+#: authentication/api/connection_token.py:328
 msgid "Invalid token"
 msgstr "无效的令牌"
 
@@ -2044,7 +2007,7 @@ msgstr "该 MFA ({}) 方式没有启用"
 msgid "Please change your password"
 msgstr "请修改密码"
 
-#: authentication/models.py:33 terminal/serializers/storage.py:30
+#: authentication/models.py:33 terminal/serializers/storage.py:28
 msgid "Access key"
 msgstr "API key"
 
@@ -2108,7 +2071,6 @@ msgid "Date"
 msgstr "日期"
 
 #: authentication/templates/authentication/_access_key_modal.html:48
-#: users/templates/users/_granted_assets.html:75
 msgid "Show"
 msgstr "显示"
 
@@ -2168,7 +2130,7 @@ msgstr "代码错误"
 #: authentication/templates/authentication/_msg_reset_password.html:3
 #: authentication/templates/authentication/_msg_rest_password_success.html:2
 #: authentication/templates/authentication/_msg_rest_public_key_success.html:2
-#: jumpserver/conf.py:295 ops/tasks.py:145 ops/tasks.py:148
+#: jumpserver/conf.py:296 ops/tasks.py:145 ops/tasks.py:148
 #: perms/templates/perms/_msg_item_permissions_expire.html:3
 #: perms/templates/perms/_msg_permed_items_expire.html:3
 #: users/templates/users/_msg_account_expire_reminder.html:4
@@ -2620,11 +2582,11 @@ msgstr "不能包含特殊字符"
 msgid "The mobile phone number format is incorrect"
 msgstr "手机号格式不正确"
 
-#: jumpserver/conf.py:294
+#: jumpserver/conf.py:295
 msgid "Create account successfully"
 msgstr "创建账号成功"
 
-#: jumpserver/conf.py:296
+#: jumpserver/conf.py:297
 msgid "Your account has been created successfully"
 msgstr "你的账号已创建成功"
 
@@ -2685,12 +2647,12 @@ msgid "App ops"
 msgstr "作业中心"
 
 #: ops/mixin.py:29 ops/mixin.py:92 ops/mixin.py:162
-#: settings/serializers/auth/ldap.py:66
+#: settings/serializers/auth/ldap.py:69
 msgid "Cycle perform"
 msgstr "周期执行"
 
 #: ops/mixin.py:33 ops/mixin.py:90 ops/mixin.py:109 ops/mixin.py:150
-#: settings/serializers/auth/ldap.py:63
+#: settings/serializers/auth/ldap.py:66
 msgid "Regularly perform"
 msgstr "定期执行"
 
@@ -2877,7 +2839,8 @@ msgstr "组织管理"
 
 #: orgs/mixins/models.py:46 orgs/mixins/serializers.py:25 orgs/models.py:80
 #: orgs/models.py:211 rbac/const.py:7 rbac/models/rolebinding.py:47
-#: rbac/serializers/rolebinding.py:40 tickets/serializers/ticket/ticket.py:77
+#: rbac/serializers/rolebinding.py:40 settings/serializers/auth/ldap.py:59
+#: tickets/serializers/ticket/ticket.py:77
 msgid "Organization"
 msgstr "组织"
 
@@ -2890,7 +2853,7 @@ msgid "Can view root org"
 msgstr "可以查看全局组织"
 
 #: orgs/models.py:216 rbac/models/role.py:46 rbac/models/rolebinding.py:43
-#: users/models/user.py:671 users/templates/users/_select_user_modal.html:15
+#: users/models/user.py:671
 msgid "Role"
 msgstr "角色"
 
@@ -3114,27 +3077,27 @@ msgstr "{} 至少有一个系统角色"
 msgid "RBAC"
 msgstr "RBAC"
 
-#: rbac/builtin.py:92
+#: rbac/builtin.py:97
 msgid "SystemAdmin"
 msgstr "系统管理员"
 
-#: rbac/builtin.py:95
+#: rbac/builtin.py:100
 msgid "SystemAuditor"
 msgstr "系统审计员"
 
-#: rbac/builtin.py:98
+#: rbac/builtin.py:103
 msgid "SystemComponent"
 msgstr "系统组件"
 
-#: rbac/builtin.py:104
+#: rbac/builtin.py:109
 msgid "OrgAdmin"
 msgstr "组织管理员"
 
-#: rbac/builtin.py:107
+#: rbac/builtin.py:112
 msgid "OrgAuditor"
 msgstr "组织审计员"
 
-#: rbac/builtin.py:110
+#: rbac/builtin.py:115
 msgid "OrgUser"
 msgstr "组织用户"
 
@@ -3338,11 +3301,11 @@ msgstr "同步正在运行，请稍等"
 msgid "Synchronization error: {}"
 msgstr "同步错误: {}"
 
-#: settings/api/ldap.py:211
+#: settings/api/ldap.py:213
 msgid "Get ldap users is None"
 msgstr "获取 LDAP 用户为 None"
 
-#: settings/api/ldap.py:220
+#: settings/api/ldap.py:222
 msgid "Imported {} users successfully (Organization: {})"
 msgstr "成功导入 {} 个用户 ( 组织: {} )"
 
@@ -3470,15 +3433,15 @@ msgstr "启用钉钉认证"
 msgid "Enable FeiShu Auth"
 msgstr "启用飞书认证"
 
-#: settings/serializers/auth/ldap.py:39
+#: settings/serializers/auth/ldap.py:38
 msgid "LDAP server"
 msgstr "LDAP 地址"
 
-#: settings/serializers/auth/ldap.py:40
+#: settings/serializers/auth/ldap.py:39
 msgid "eg: ldap://localhost:389"
 msgstr "如: ldap://localhost:389"
 
-#: settings/serializers/auth/ldap.py:42
+#: settings/serializers/auth/ldap.py:41
 msgid "Bind DN"
 msgstr "绑定 DN"
 
@@ -3511,15 +3474,15 @@ msgstr ""
 "用户属性映射代表怎样将LDAP中用户属性映射到jumpserver用户上，username, name,"
 "email 是jumpserver的用户需要属性"
 
-#: settings/serializers/auth/ldap.py:70
+#: settings/serializers/auth/ldap.py:73
 msgid "Connect timeout"
 msgstr "连接超时时间"
 
-#: settings/serializers/auth/ldap.py:72
+#: settings/serializers/auth/ldap.py:75
 msgid "Search paged size"
 msgstr "搜索分页数量"
 
-#: settings/serializers/auth/ldap.py:74
+#: settings/serializers/auth/ldap.py:77
 msgid "Enable LDAP auth"
 msgstr "启用 LDAP 认证"
 
@@ -4194,61 +4157,13 @@ msgid ""
 "device through Telnet, set this parameter"
 msgstr "不同设备登录成功提示不一样，所以如果 telnet 不能正常登录，可以这里设置"
 
-#: settings/serializers/terminal.py:37
-msgid "RDP address"
-msgstr "RDP 地址"
-
-#: settings/serializers/terminal.py:38
-msgid "RDP visit address, eg: dev.jumpserver.org:3389"
-msgstr "RDP 访问地址, 如: dev.jumpserver.org:3389"
-
-#: settings/serializers/terminal.py:40
-msgid "Enable XRDP"
-msgstr "启用 XRDP 服务"
-
-#: settings/serializers/terminal.py:43
-msgid "Koko host"
-msgstr "KOKO 主机地址"
-
-#: settings/serializers/terminal.py:46
-msgid "Koko ssh port"
-msgstr "KOKO ssh 端口"
-
-#: settings/serializers/terminal.py:49
+#: settings/serializers/terminal.py:36
 msgid "Enable database proxy"
 msgstr "启用数据库组件"
 
-#: settings/serializers/terminal.py:51
-msgid "Database proxy host"
-msgstr "数据库主机地址"
-
-#: settings/serializers/terminal.py:52
-msgid "Database proxy host, eg: dev.jumpserver.org"
-msgstr "数据库组件地址, 如: dev.jumpserver.org (没有端口, 不同协议端口不同)"
-
-#: settings/serializers/terminal.py:55
-msgid "MySQL port"
-msgstr "MySQL 协议端口"
-
-#: settings/serializers/terminal.py:56
-msgid "MySQL protocol listen port"
-msgstr "MySQL 协议监听端口"
-
-#: settings/serializers/terminal.py:59
-msgid "MariaDB port"
-msgstr "MariaDB 端口"
-
-#: settings/serializers/terminal.py:60
-msgid "MariaDB protocol listen port"
-msgstr "MariaDB 协议监听的端口"
-
-#: settings/serializers/terminal.py:63
-msgid "PostgreSQL port"
-msgstr "PostgreSQL 端口"
-
-#: settings/serializers/terminal.py:64
-msgid "PostgreSQL protocol listen port"
-msgstr "PostgreSQL 协议监听端口"
+#: settings/serializers/terminal.py:37
+msgid "Enable XRDP"
+msgstr "启用 XRDP 服务"
 
 #: settings/utils/ldap.py:417
 msgid "ldap:// or ldaps:// protocol is used."
@@ -4351,10 +4266,6 @@ msgstr "认证失败: (未知): {}"
 msgid "Authentication success: {}"
 msgstr "认证成功: {}"
 
-#: templates/_base_list.html:37
-msgid "Search"
-msgstr "搜索"
-
 #: templates/_csv_import_export.html:8
 msgid "Export"
 msgstr "导出"
@@ -4400,7 +4311,6 @@ msgid "Commercial support"
 msgstr "商业支持"
 
 #: templates/_header_bar.html:76 users/forms/profile.py:43
-#: users/templates/users/user_password_update.html:39
 msgid "Profile"
 msgstr "个人信息"
 
@@ -4505,173 +4415,14 @@ msgstr "等待："
 msgid "The verification code has been sent"
 msgstr "验证码已发送"
 
-#: templates/_pagination.html:59
-msgid ""
-"Displays the results of items _START_ to _END_; A total of _TOTAL_ entries"
-msgstr "显示第 _START_ 至 _END_ 项结果; 总共 _TOTAL_ 项"
-
 #: templates/_without_nav_base.html:26
 msgid "Home page"
 msgstr "首页"
 
-#: templates/delete_confirm.html:6
-msgid "Confirm delete"
-msgstr "确认删除"
-
-#: templates/delete_confirm.html:11
-msgid "Are you sure delete"
-msgstr "您确定删除吗?"
-
 #: templates/flash_message_standalone.html:25
 msgid "Cancel"
 msgstr "取消"
 
-#: templates/index.html:11
-msgid "Total users"
-msgstr "用户总数"
-
-#: templates/index.html:23
-msgid "Total assets"
-msgstr "资产总数"
-
-#: templates/index.html:36
-msgid "Online users"
-msgstr "在线用户"
-
-#: templates/index.html:49
-msgid "Online sessions"
-msgstr "在线会话"
-
-#: templates/index.html:61
-msgid "In the past week, a total of "
-msgstr "过去一周, 共有 "
-
-#: templates/index.html:61
-msgid " users have logged in "
-msgstr " 位用户登录 "
-
-#: templates/index.html:61
-msgid " times asset."
-msgstr " 次资产."
-
-#: templates/index.html:69
-msgid "Active user asset ratio"
-msgstr "活跃用户资产占比"
-
-#: templates/index.html:72
-msgid ""
-"The following graphs describe the percentage of active users per month and "
-"assets per user host per month, respectively."
-msgstr "以下图形分别描述一个月活跃用户和资产占所有用户主机的百分比"
-
-#: templates/index.html:97 templates/index.html:112
-msgid "Top 10 assets in a week"
-msgstr "一周Top10资产"
-
-#: templates/index.html:113
-msgid "Login frequency and last login record."
-msgstr "登录次数及最近一次登录记录."
-
-#: templates/index.html:122
-msgid "Last 10 login"
-msgstr "最近十次登录"
-
-#: templates/index.html:128
-msgid "Login record"
-msgstr "登录记录"
-
-#: templates/index.html:129
-msgid "Last 10 login records."
-msgstr "最近十次登录记录."
-
-#: templates/index.html:143 templates/index.html:158
-msgid "Top 10 users in a week"
-msgstr "一周Top10用户"
-
-#: templates/index.html:159
-msgid "User login frequency and last login record."
-msgstr "用户登录次数及最近一次登录记录"
-
-#: templates/index.html:184
-msgid "Monthly data overview"
-msgstr "月数据总览"
-
-#: templates/index.html:185
-msgid "History summary in one month"
-msgstr "一个月内历史汇总"
-
-#: templates/index.html:193 templates/index.html:217
-msgid "Login count"
-msgstr "登录次数"
-
-#: templates/index.html:193 templates/index.html:224
-msgid "Active users"
-msgstr "活跃用户"
-
-#: templates/index.html:193 templates/index.html:231
-msgid "Active assets"
-msgstr "活跃资产"
-
-#: templates/index.html:262 templates/index.html:313
-msgid "Monthly active users"
-msgstr "月活跃用户"
-
-#: templates/index.html:262 templates/index.html:314
-msgid "Disable user"
-msgstr "禁用用户"
-
-#: templates/index.html:262 templates/index.html:315
-msgid "Month not logged in user"
-msgstr "月未登录用户"
-
-#: templates/index.html:288 templates/index.html:368
-msgid "Access to the source"
-msgstr "访问来源"
-
-#: templates/index.html:342
-msgid "Month is logged into the asset"
-msgstr "月被登录资产"
-
-#: templates/index.html:342 templates/index.html:393
-msgid "Disable host"
-msgstr "禁用主机"
-
-#: templates/index.html:342 templates/index.html:394
-msgid "Month not logged on host"
-msgstr "月未登录主机"
-
-#: templates/index.html:392
-msgid "Month is logged into the host"
-msgstr "月被登录主机"
-
-#: templates/index.html:466
-msgid " times/week"
-msgstr " 次/周"
-
-#: templates/index.html:491 templates/index.html:527
-msgid " times"
-msgstr " 次"
-
-#: templates/index.html:494 templates/index.html:530
-msgid "The time last logged in"
-msgstr "最近一次登录日期"
-
-#: templates/index.html:495 templates/index.html:531
-msgid "At"
-msgstr "于"
-
-#: templates/index.html:510 templates/index.html:545 templates/index.html:580
-msgid "(No)"
-msgstr "(暂无)"
-
-#: templates/index.html:561
-msgid "Before"
-msgstr "前"
-
-#: templates/index.html:562
-msgid "Login in "
-msgstr "登录了"
-
 #: templates/resource_download.html:18 templates/resource_download.html:24
 #: templates/resource_download.html:25 templates/resource_download.html:30
 msgid "Client"
@@ -4713,19 +4464,23 @@ msgstr "Jmservisor 是在 windows 远程应用发布服务器中用来拉起远
 msgid "Filters"
 msgstr "过滤"
 
-#: terminal/api/session.py:211
+#: terminal/api/endpoint.py:65
+msgid "Not found protocol query params"
+msgstr ""
+
+#: terminal/api/session.py:210
 msgid "Session does not exist: {}"
 msgstr "会话不存在: {}"
 
-#: terminal/api/session.py:214
+#: terminal/api/session.py:213
 msgid "Session is finished or the protocol not supported"
 msgstr "会话已经完成或协议不支持"
 
-#: terminal/api/session.py:219
+#: terminal/api/session.py:218
 msgid "User does not exist: {}"
 msgstr "用户不存在: {}"
 
-#: terminal/api/session.py:227
+#: terminal/api/session.py:226
 msgid "User does not have permission"
 msgstr "用户没有权限"
 
@@ -4769,7 +4524,7 @@ msgstr "有在线会话"
 msgid "Terminals"
 msgstr "终端管理"
 
-#: terminal/backends/command/es.py:27
+#: terminal/backends/command/es.py:26
 msgid "Invalid elasticsearch config"
 msgstr "无效的 Elasticsearch 配置"
 
@@ -4826,7 +4581,6 @@ msgid "High"
 msgstr "较高"
 
 #: terminal/const.py:35 users/templates/users/reset_password.html:50
-#: users/templates/users/user_password_update.html:104
 msgid "Normal"
 msgstr "正常"
 
@@ -4846,6 +4600,49 @@ msgstr "存储无效"
 msgid "Command record"
 msgstr "命令记录"
 
+#: terminal/models/endpoint.py:13
+msgid "HTTPS Port"
+msgstr "HTTPS 端口"
+
+#: terminal/models/endpoint.py:14 terminal/models/terminal.py:107
+msgid "HTTP Port"
+msgstr "HTTP 端口"
+
+#: terminal/models/endpoint.py:15 terminal/models/terminal.py:106
+msgid "SSH Port"
+msgstr "SSH 端口"
+
+#: terminal/models/endpoint.py:16
+msgid "RDP Port"
+msgstr "RDP 端口"
+
+#: terminal/models/endpoint.py:17
+msgid "MySQL Port"
+msgstr "MySQL 端口"
+
+#: terminal/models/endpoint.py:18
+msgid "MariaDB Port"
+msgstr "MariaDB 端口"
+
+#: terminal/models/endpoint.py:19
+msgid "PostgreSQL Port"
+msgstr "PostgreSQL 端口"
+
+#: terminal/models/endpoint.py:25 terminal/models/endpoint.py:61
+#: terminal/serializers/endpoint.py:40 terminal/serializers/storage.py:37
+#: terminal/serializers/storage.py:49 terminal/serializers/storage.py:79
+#: terminal/serializers/storage.py:89 terminal/serializers/storage.py:97
+msgid "Endpoint"
+msgstr "端点"
+
+#: terminal/models/endpoint.py:54
+msgid "IP group"
+msgstr "IP 组"
+
+#: terminal/models/endpoint.py:66
+msgid "Endpoint rule"
+msgstr "端点规则"
+
 #: terminal/models/replay.py:12
 msgid "Session replay"
 msgstr "会话录像"
@@ -4858,35 +4655,35 @@ msgstr "可以上传会话录像"
 msgid "Can download session replay"
 msgstr "可以下载会话录像"
 
-#: terminal/models/session.py:48 terminal/models/sharing.py:87
+#: terminal/models/session.py:50 terminal/models/sharing.py:87
 msgid "Login from"
 msgstr "登录来源"
 
-#: terminal/models/session.py:52
+#: terminal/models/session.py:54
 msgid "Replay"
 msgstr "回放"
 
-#: terminal/models/session.py:57
+#: terminal/models/session.py:59
 msgid "Date end"
 msgstr "结束日期"
 
-#: terminal/models/session.py:242
+#: terminal/models/session.py:251
 msgid "Session record"
 msgstr "会话记录"
 
-#: terminal/models/session.py:244
+#: terminal/models/session.py:253
 msgid "Can monitor session"
 msgstr "可以监控会话"
 
-#: terminal/models/session.py:245
+#: terminal/models/session.py:254
 msgid "Can share session"
 msgstr "可以分享会话"
 
-#: terminal/models/session.py:246
+#: terminal/models/session.py:255
 msgid "Can terminate session"
 msgstr "可以终断会话"
 
-#: terminal/models/session.py:247
+#: terminal/models/session.py:256
 msgid "Can validate session action perm"
 msgstr "可以验证会话动作权限"
 
@@ -4995,14 +4792,6 @@ msgstr "其它参数"
 msgid "type"
 msgstr "类型"
 
-#: terminal/models/terminal.py:106
-msgid "SSH Port"
-msgstr "SSH端口"
-
-#: terminal/models/terminal.py:107
-msgid "HTTP Port"
-msgstr "HTTP端口"
-
 #: terminal/models/terminal.py:183 terminal/serializers/session.py:38
 msgid "Terminal"
 msgstr "终端"
@@ -5059,65 +4848,59 @@ msgstr "是否可中断"
 msgid "Command amount"
 msgstr "命令数量"
 
-#: terminal/serializers/storage.py:21
+#: terminal/serializers/storage.py:19
 msgid "Endpoint invalid: remove path `{}`"
 msgstr "端点无效: 移除路径 `{}`"
 
-#: terminal/serializers/storage.py:27
+#: terminal/serializers/storage.py:25
 msgid "Bucket"
 msgstr "桶名称"
 
-#: terminal/serializers/storage.py:34 users/models/user.py:695
+#: terminal/serializers/storage.py:32 users/models/user.py:695
 msgid "Secret key"
 msgstr "密钥"
 
-#: terminal/serializers/storage.py:39 terminal/serializers/storage.py:51
-#: terminal/serializers/storage.py:81 terminal/serializers/storage.py:91
-#: terminal/serializers/storage.py:99
-msgid "Endpoint"
-msgstr "端点"
-
-#: terminal/serializers/storage.py:66 xpack/plugins/cloud/models.py:220
+#: terminal/serializers/storage.py:64 xpack/plugins/cloud/models.py:220
 msgid "Region"
 msgstr "地域"
 
-#: terminal/serializers/storage.py:110
+#: terminal/serializers/storage.py:108
 msgid "Container name"
 msgstr "容器名称"
 
-#: terminal/serializers/storage.py:112
+#: terminal/serializers/storage.py:110
 msgid "Account name"
 msgstr "账号名称"
 
-#: terminal/serializers/storage.py:113
+#: terminal/serializers/storage.py:111
 msgid "Account key"
 msgstr "账号密钥"
 
-#: terminal/serializers/storage.py:116
+#: terminal/serializers/storage.py:114
 msgid "Endpoint suffix"
 msgstr "端点后缀"
 
-#: terminal/serializers/storage.py:138
+#: terminal/serializers/storage.py:134
 msgid "The address format is incorrect"
 msgstr "地址格式不正确"
 
-#: terminal/serializers/storage.py:145
+#: terminal/serializers/storage.py:141
 msgid "Host invalid"
 msgstr "主机无效"
 
-#: terminal/serializers/storage.py:148
+#: terminal/serializers/storage.py:144
 msgid "Port invalid"
 msgstr "端口无效"
 
-#: terminal/serializers/storage.py:164
+#: terminal/serializers/storage.py:159
 msgid "Index"
 msgstr "索引"
 
-#: terminal/serializers/storage.py:166
+#: terminal/serializers/storage.py:161
 msgid "Doc type"
 msgstr "文档类型"
 
-#: terminal/serializers/storage.py:168
+#: terminal/serializers/storage.py:163
 msgid "Ignore Certificate Verification"
 msgstr "忽略证书认证"
 
@@ -5671,7 +5454,6 @@ msgid "Not a valid ssh public key"
 msgstr "SSH密钥不合法"
 
 #: users/forms/profile.py:160 users/models/user.py:692
-#: users/templates/users/user_password_update.html:48
 msgid "Public key"
 msgstr "SSH公钥"
 
@@ -5880,10 +5662,6 @@ msgstr "为了安全，仅列出几个用户"
 msgid "name not unique"
 msgstr "名称重复"
 
-#: users/templates/users/_granted_assets.html:7
-msgid "Loading"
-msgstr "加载中"
-
 #: users/templates/users/_msg_account_expire_reminder.html:7
 msgid "Your account will expire in"
 msgstr "您的账号即将过期"
@@ -5936,69 +5714,11 @@ msgstr "你的 SSH 密钥已经被管理员重置"
 msgid "click here to set your password"
 msgstr "点击这里设置密码"
 
-#: users/templates/users/_select_user_modal.html:5
-msgid "Please Select User"
-msgstr "选择用户"
-
-#: users/templates/users/_select_user_modal.html:17
-msgid "Asset num"
-msgstr "资产数量"
-
-#: users/templates/users/_user_detail_nav_header.html:11
-msgid "User detail"
-msgstr "用户详情"
-
-#: users/templates/users/_user_detail_nav_header.html:15
-msgid "User permissions"
-msgstr "用户授权"
-
-#: users/templates/users/_user_detail_nav_header.html:23
-msgid "Asset granted"
-msgstr "授权的资产"
-
-#: users/templates/users/_user_detail_nav_header.html:40
-msgid "RemoteApp granted"
-msgstr "授权的远程应用"
-
-#: users/templates/users/_user_detail_nav_header.html:47
-msgid "RemoteApp permission"
-msgstr "远程应用授权"
-
-#: users/templates/users/_user_detail_nav_header.html:54
-msgid "DatabaseApp granted"
-msgstr "授权的数据库应用"
-
-#: users/templates/users/_user_detail_nav_header.html:61
-msgid "DatabaseApp permission"
-msgstr "数据库应用授权"
-
-#: users/templates/users/_user_update_pk_modal.html:4
-msgid "Update User SSH Public Key"
-msgstr "更新SSH密钥"
-
-#: users/templates/users/first_login.html:6
-#: users/templates/users/first_login_done.html:19
-msgid "First Login"
-msgstr "首次登录"
-
-#: users/templates/users/first_login_done.html:31
-msgid "Welcome to use jumpserver, visit "
-msgstr "欢迎使用 JumpServer 堡垒机"
-
-#: users/templates/users/first_login_done.html:32
-msgid "Use guide"
-msgstr "向导"
-
-#: users/templates/users/first_login_done.html:32
-msgid " for more information"
-msgstr "获取更多信息"
-
 #: users/templates/users/forgot_password.html:23
 msgid "Input your email, that will send a mail to your"
 msgstr "输入您的邮箱, 将会发一封重置邮件到您的邮箱中"
 
 #: users/templates/users/forgot_password.html:32
-#: users/templates/users/user_password_update.html:75
 msgid "Submit"
 msgstr "提交"
 
@@ -6015,12 +5735,10 @@ msgid "MFA setting"
 msgstr "设置 MFA 多因子认证"
 
 #: users/templates/users/reset_password.html:23
-#: users/templates/users/user_password_update.html:64
 msgid "Your password must satisfy"
 msgstr "您的密码必须满足："
 
 #: users/templates/users/reset_password.html:24
-#: users/templates/users/user_password_update.html:65
 msgid "Password strength"
 msgstr "密码强度："
 
@@ -6029,54 +5747,25 @@ msgid "Setting"
 msgstr "设置"
 
 #: users/templates/users/reset_password.html:48
-#: users/templates/users/user_password_update.html:102
 msgid "Very weak"
 msgstr "很弱"
 
 #: users/templates/users/reset_password.html:49
-#: users/templates/users/user_password_update.html:103
 msgid "Weak"
 msgstr "弱"
 
 #: users/templates/users/reset_password.html:51
-#: users/templates/users/user_password_update.html:105
 msgid "Medium"
 msgstr "一般"
 
 #: users/templates/users/reset_password.html:52
-#: users/templates/users/user_password_update.html:106
 msgid "Strong"
 msgstr "强"
 
 #: users/templates/users/reset_password.html:53
-#: users/templates/users/user_password_update.html:107
 msgid "Very strong"
 msgstr "很强"
 
-#: users/templates/users/user_asset_permission.html:43
-#: users/templates/users/user_asset_permission.html:155
-#: users/templates/users/user_database_app_permission.html:41
-#: xpack/plugins/cloud/models.py:34
-msgid "Validity"
-msgstr "有效"
-
-#: users/templates/users/user_asset_permission.html:160
-msgid "Inherit"
-msgstr "继承"
-
-#: users/templates/users/user_asset_permission.html:161
-msgid "Include"
-msgstr "包含"
-
-#: users/templates/users/user_asset_permission.html:162
-msgid "Exclude"
-msgstr "不包含"
-
-#: users/templates/users/user_database_app_permission.html:39
-#: users/templates/users/user_database_app_permission.html:64
-msgid "DatabaseApp"
-msgstr "数据库应用"
-
 #: users/templates/users/user_otp_check_password.html:6
 msgid "Enable OTP"
 msgstr "启用 MFA(OTP)"
@@ -6120,10 +5809,6 @@ msgid ""
 "installed, go to the next step directly)."
 msgstr "安装完成后点击下一步进入绑定页面（如已安装，直接进入下一步）"
 
-#: users/templates/users/user_password_update.html:74
-msgid "Reset"
-msgstr "重置"
-
 #: users/templates/users/user_password_verify.html:8
 #: users/templates/users/user_password_verify.html:9
 msgid "Verify password"
@@ -6430,62 +6115,58 @@ msgid "Baidu Cloud"
 msgstr "百度云"
 
 #: xpack/plugins/cloud/const.py:15
-msgid "JD Cloud"
-msgstr "京东云"
-
-#: xpack/plugins/cloud/const.py:16
 msgid "Tencent Cloud"
 msgstr "腾讯云"
 
-#: xpack/plugins/cloud/const.py:17
+#: xpack/plugins/cloud/const.py:16
 msgid "VMware"
 msgstr "VMware"
 
-#: xpack/plugins/cloud/const.py:18 xpack/plugins/cloud/providers/nutanix.py:13
+#: xpack/plugins/cloud/const.py:17 xpack/plugins/cloud/providers/nutanix.py:13
 msgid "Nutanix"
 msgstr "Nutanix"
 
-#: xpack/plugins/cloud/const.py:19
+#: xpack/plugins/cloud/const.py:18
 msgid "Huawei Private Cloud"
 msgstr "华为私有云"
 
-#: xpack/plugins/cloud/const.py:20
+#: xpack/plugins/cloud/const.py:19
 msgid "Qingyun Private Cloud"
 msgstr "青云私有云"
 
-#: xpack/plugins/cloud/const.py:21
+#: xpack/plugins/cloud/const.py:20
 msgid "OpenStack"
 msgstr "OpenStack"
 
-#: xpack/plugins/cloud/const.py:22
+#: xpack/plugins/cloud/const.py:21
 msgid "Google Cloud Platform"
 msgstr "谷歌云"
 
-#: xpack/plugins/cloud/const.py:26
+#: xpack/plugins/cloud/const.py:25
 msgid "Instance name"
 msgstr "实例名称"
 
-#: xpack/plugins/cloud/const.py:27
+#: xpack/plugins/cloud/const.py:26
 msgid "Instance name and Partial IP"
 msgstr "实例名称和部分IP"
 
-#: xpack/plugins/cloud/const.py:32
+#: xpack/plugins/cloud/const.py:31
 msgid "Succeed"
 msgstr "成功"
 
-#: xpack/plugins/cloud/const.py:36
+#: xpack/plugins/cloud/const.py:35
 msgid "Unsync"
 msgstr "未同步"
 
-#: xpack/plugins/cloud/const.py:37
+#: xpack/plugins/cloud/const.py:36
 msgid "New Sync"
 msgstr "新同步"
 
-#: xpack/plugins/cloud/const.py:38
+#: xpack/plugins/cloud/const.py:37
 msgid "Synced"
 msgstr "已同步"
 
-#: xpack/plugins/cloud/const.py:39
+#: xpack/plugins/cloud/const.py:38
 msgid "Released"
 msgstr "已释放"
 
@@ -6497,6 +6178,10 @@ msgstr "云管中心"
 msgid "Provider"
 msgstr "云服务商"
 
+#: xpack/plugins/cloud/models.py:34
+msgid "Validity"
+msgstr "有效"
+
 #: xpack/plugins/cloud/models.py:39
 msgid "Cloud account"
 msgstr "云账号"
@@ -6658,13 +6343,11 @@ msgid "South America (São Paulo)"
 msgstr "南美洲（圣保罗）"
 
 #: xpack/plugins/cloud/providers/baiducloud.py:54
-#: xpack/plugins/cloud/providers/jdcloud.py:127
 msgid "CN North-Beijing"
 msgstr "华北-北京"
 
 #: xpack/plugins/cloud/providers/baiducloud.py:55
 #: xpack/plugins/cloud/providers/huaweicloud.py:40
-#: xpack/plugins/cloud/providers/jdcloud.py:130
 msgid "CN South-Guangzhou"
 msgstr "华南-广州"
 
@@ -6686,7 +6369,6 @@ msgid "CN North-Baoding"
 msgstr "华北-保定"
 
 #: xpack/plugins/cloud/providers/baiducloud.py:60
-#: xpack/plugins/cloud/providers/jdcloud.py:129
 msgid "CN East-Shanghai"
 msgstr "华东-上海"
 
@@ -6751,15 +6433,11 @@ msgstr "华北-乌兰察布一"
 msgid "CN South-Guangzhou-InvitationOnly"
 msgstr "华南-广州-友好用户环境"
 
-#: xpack/plugins/cloud/providers/jdcloud.py:128
-msgid "CN East-Suqian"
-msgstr "华东-宿迁"
-
-#: xpack/plugins/cloud/serializers/account.py:60
+#: xpack/plugins/cloud/serializers/account.py:59
 msgid "Validity display"
 msgstr "有效性显示"
 
-#: xpack/plugins/cloud/serializers/account.py:61
+#: xpack/plugins/cloud/serializers/account.py:60
 msgid "Provider display"
 msgstr "服务商显示"
 
@@ -6921,11 +6599,3 @@ msgstr "旗舰版"
 #: xpack/plugins/license/models.py:77
 msgid "Community edition"
 msgstr "社区版"
-
-#~ msgid "Database proxy MySQL protocol listen port"
-#~ msgstr "MySQL 协议监听的端口"
-
-#, fuzzy
-#~| msgid "Database proxy PostgreSQL port"
-#~ msgid "Database proxy PostgreSQL listen port"
-#~ msgstr "数据库组件 PostgreSQL 协议监听的端口"
diff --git a/apps/settings/api/public.py b/apps/settings/api/public.py
index 43acffaf0..a6dc3b43c 100644
--- a/apps/settings/api/public.py
+++ b/apps/settings/api/public.py
@@ -64,13 +64,6 @@ class PublicSettingApi(generics.RetrieveAPIView):
                 "AUTH_FEISHU": settings.AUTH_FEISHU,
                 # Terminal
                 "XRDP_ENABLED": settings.XRDP_ENABLED,
-                "TERMINAL_KOKO_HOST": settings.TERMINAL_KOKO_HOST,
-                "TERMINAL_KOKO_SSH_PORT": settings.TERMINAL_KOKO_SSH_PORT,
-                "TERMINAL_MAGNUS_ENABLED": settings.TERMINAL_MAGNUS_ENABLED,
-                "TERMINAL_MAGNUS_HOST": settings.TERMINAL_MAGNUS_HOST,
-                "TERMINAL_MAGNUS_MYSQL_PORT": settings.TERMINAL_MAGNUS_MYSQL_PORT,
-                "TERMINAL_MAGNUS_MARIADB_PORT": settings.TERMINAL_MAGNUS_MARIADB_PORT,
-                "TERMINAL_MAGNUS_POSTGRE_PORT": settings.TERMINAL_MAGNUS_POSTGRE_PORT,
                 # Announcement
                 "ANNOUNCEMENT_ENABLED": settings.ANNOUNCEMENT_ENABLED,
                 "ANNOUNCEMENT": settings.ANNOUNCEMENT,
diff --git a/apps/settings/serializers/terminal.py b/apps/settings/serializers/terminal.py
index c6073aa28..bf4b8d7a0 100644
--- a/apps/settings/serializers/terminal.py
+++ b/apps/settings/serializers/terminal.py
@@ -33,33 +33,5 @@ class TerminalSettingSerializer(serializers.Serializer):
         help_text=_("The login success message varies with devices. "
                     "if you cannot log in to the device through Telnet, set this parameter")
     )
-    TERMINAL_RDP_ADDR = serializers.CharField(
-        required=False, label=_("RDP address"), max_length=1024, allow_blank=True,
-        help_text=_('RDP visit address, eg: dev.jumpserver.org:3389')
-    )
-    XRDP_ENABLED = serializers.BooleanField(label=_("Enable XRDP"))
-
-    TERMINAL_KOKO_HOST = serializers.CharField(
-        required=False, label=_("Koko host"), max_length=1024
-    )
-    TERMINAL_KOKO_SSH_PORT = serializers.CharField(
-        required=False, label=_("Koko ssh port"), max_length=1024
-    )
-
     TERMINAL_MAGNUS_ENABLED = serializers.BooleanField(label=_("Enable database proxy"))
-    TERMINAL_MAGNUS_HOST = serializers.CharField(
-        required=False, label=_("Database proxy host"), max_length=1024, allow_blank=True,
-        help_text=_('Database proxy host, eg: dev.jumpserver.org')
-    )
-    TERMINAL_MAGNUS_MYSQL_PORT = serializers.IntegerField(
-        required=False, label=_("MySQL port"), default=33060,
-        help_text=_('MySQL protocol listen port')
-    )
-    TERMINAL_MAGNUS_MARIADB_PORT = serializers.IntegerField(
-        required=False, label=_("MariaDB port"), default=33061,
-        help_text=_('MariaDB protocol listen port')
-    )
-    TERMINAL_MAGNUS_POSTGRE_PORT = serializers.IntegerField(
-        required=False, label=_("PostgreSQL port"), default=54320,
-        help_text=_('PostgreSQL protocol listen port')
-    )
+    XRDP_ENABLED = serializers.BooleanField(label=_("Enable XRDP"))
diff --git a/apps/terminal/api/__init__.py b/apps/terminal/api/__init__.py
index fec6da11e..16021a5ed 100644
--- a/apps/terminal/api/__init__.py
+++ b/apps/terminal/api/__init__.py
@@ -7,3 +7,4 @@ from .task import *
 from .storage import *
 from .status import *
 from .sharing import *
+from .endpoint import *
diff --git a/apps/terminal/api/endpoint.py b/apps/terminal/api/endpoint.py
new file mode 100644
index 000000000..14efb738f
--- /dev/null
+++ b/apps/terminal/api/endpoint.py
@@ -0,0 +1,78 @@
+from rest_framework.decorators import action
+from rest_framework.response import Response
+from rest_framework import status
+from common.drf.api import JMSBulkModelViewSet
+from common.utils import get_object_or_none
+from django.shortcuts import get_object_or_404
+from assets.models import Asset
+from orgs.utils import tmp_to_root_org
+from applications.models import Application
+from terminal.models import Session
+from ..models import Endpoint, EndpointRule
+from .. import serializers
+
+
+__all__ = ['EndpointViewSet', 'EndpointRuleViewSet']
+
+
+class EndpointViewSet(JMSBulkModelViewSet):
+    filterset_fields = ('name', 'host')
+    search_fields = filterset_fields
+    serializer_class = serializers.EndpointSerializer
+    queryset = Endpoint.objects.all()
+    rbac_perms = {
+        'smart': 'terminal.view_endpoint'
+    }
+
+    @staticmethod
+    def get_target_ip(request):
+        # 用来方便测试
+        target_ip = request.GET.get('target_ip')
+        if target_ip:
+            return target_ip
+
+        asset_id = request.GET.get('asset_id')
+        app_id = request.GET.get('app_id')
+        session_id = request.GET.get('session_id')
+        token = request.GET.get('token')
+        if token:
+            from authentication.api.connection_token import TokenCacheMixin as TokenUtil
+            value = TokenUtil().get_token_from_cache(token)
+            if value:
+                if value.get('type') == 'asset':
+                    asset_id = value.get('asset')
+                else:
+                    app_id = value.get('application')
+        if asset_id:
+            pk, model = asset_id, Asset
+        elif app_id:
+            pk, model = app_id, Application
+        elif session_id:
+            pk, model = session_id, Session
+        else:
+            return ''
+
+        with tmp_to_root_org():
+            instance = get_object_or_404(model, pk=pk)
+            target_ip = instance.get_target_ip()
+            return target_ip
+
+    @action(methods=['get'], detail=False, url_path='smart')
+    def smart(self, request, *args, **kwargs):
+        protocol = request.GET.get('protocol')
+        if not protocol:
+            return Response(
+                data={'error': _('Not found protocol query params')},
+                status=status.HTTP_404_NOT_FOUND
+            )
+        target_ip = self.get_target_ip(request)
+        endpoint = EndpointRule.match_endpoint(target_ip, protocol, request)
+        serializer = self.get_serializer(endpoint)
+        return Response(serializer.data)
+
+
+class EndpointRuleViewSet(JMSBulkModelViewSet):
+    filterset_fields = ('name',)
+    search_fields = filterset_fields
+    serializer_class = serializers.EndpointRuleSerializer
+    queryset = EndpointRule.objects.all()
diff --git a/apps/terminal/migrations/0048_endpoint_endpointrule.py b/apps/terminal/migrations/0048_endpoint_endpointrule.py
new file mode 100644
index 000000000..9e75823e2
--- /dev/null
+++ b/apps/terminal/migrations/0048_endpoint_endpointrule.py
@@ -0,0 +1,86 @@
+# Generated by Django 3.1.14 on 2022-04-12 07:39
+
+import common.fields.model
+import django.core.validators
+from django.db import migrations, models
+import django.db.models.deletion
+import uuid
+from django.conf import settings
+
+
+def migrate_endpoints(apps, schema_editor):
+    endpoint_data = {
+        'id': '00000000-0000-0000-0000-000000000001',
+        'name': 'Default',
+        'host': '',
+        'https_port': 0,
+        'http_port': 0,
+        'created_by': 'System'
+    }
+
+    if settings.XRDP_ENABLED:
+        xrdp_addr = settings.TERMINAL_RDP_ADDR
+        if ':' in xrdp_addr:
+            hostname, port = xrdp_addr.strip().split(':')
+        else:
+            hostname, port = xrdp_addr, 3389
+        endpoint_data.update({
+            'host': '' if hostname.strip() in ['localhost', '127.0.0.1'] else hostname.strip(),
+            'rdp_port': int(port)
+        })
+    Endpoint = apps.get_model("terminal", "Endpoint")
+    Endpoint.objects.create(**endpoint_data)
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('terminal', '0047_auto_20220302_1951'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='Endpoint',
+            fields=[
+                ('created_by', models.CharField(blank=True, max_length=32, null=True, verbose_name='Created by')),
+                ('updated_by', models.CharField(blank=True, max_length=32, null=True, verbose_name='Updated by')),
+                ('date_created', models.DateTimeField(auto_now_add=True, null=True, verbose_name='Date created')),
+                ('date_updated', models.DateTimeField(auto_now=True, verbose_name='Date updated')),
+                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
+                ('name', models.CharField(max_length=128, unique=True, blank=True, verbose_name='Name')),
+                ('host', models.CharField(max_length=256, verbose_name='Host')),
+                ('https_port', common.fields.model.PortField(default=443, validators=[django.core.validators.MinValueValidator(0), django.core.validators.MaxValueValidator(65535)], verbose_name='HTTPS Port')),
+                ('http_port', common.fields.model.PortField(default=80, validators=[django.core.validators.MinValueValidator(0), django.core.validators.MaxValueValidator(65535)], verbose_name='HTTP Port')),
+                ('ssh_port', common.fields.model.PortField(default=2222, validators=[django.core.validators.MinValueValidator(0), django.core.validators.MaxValueValidator(65535)], verbose_name='SSH Port')),
+                ('rdp_port', common.fields.model.PortField(default=3389, validators=[django.core.validators.MinValueValidator(0), django.core.validators.MaxValueValidator(65535)], verbose_name='RDP Port')),
+                ('mysql_port', common.fields.model.PortField(default=33060, validators=[django.core.validators.MinValueValidator(0), django.core.validators.MaxValueValidator(65535)], verbose_name='MySQL Port')),
+                ('mariadb_port', common.fields.model.PortField(default=33061, validators=[django.core.validators.MinValueValidator(0), django.core.validators.MaxValueValidator(65535)], verbose_name='MariaDB Port')),
+                ('postgresql_port', common.fields.model.PortField(default=54320, validators=[django.core.validators.MinValueValidator(0), django.core.validators.MaxValueValidator(65535)], verbose_name='PostgreSQL Port')),
+                ('comment', models.TextField(blank=True, default='', verbose_name='Comment')),
+            ],
+            options={
+                'verbose_name': 'Endpoint',
+                'ordering': ('name',),
+            },
+        ),
+        migrations.CreateModel(
+            name='EndpointRule',
+            fields=[
+                ('created_by', models.CharField(blank=True, max_length=32, null=True, verbose_name='Created by')),
+                ('updated_by', models.CharField(blank=True, max_length=32, null=True, verbose_name='Updated by')),
+                ('date_created', models.DateTimeField(auto_now_add=True, null=True, verbose_name='Date created')),
+                ('date_updated', models.DateTimeField(auto_now=True, verbose_name='Date updated')),
+                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
+                ('name', models.CharField(max_length=128, unique=True, verbose_name='Name')),
+                ('ip_group', models.JSONField(default=list, verbose_name='IP group')),
+                ('priority', models.IntegerField(help_text='1-100, the lower the value will be match first', unique=True, validators=[django.core.validators.MinValueValidator(1), django.core.validators.MaxValueValidator(100)], verbose_name='Priority')),
+                ('comment', models.TextField(blank=True, default='', verbose_name='Comment')),
+                ('endpoint', models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='rules', to='terminal.endpoint', verbose_name='Endpoint')),
+            ],
+            options={
+                'verbose_name': 'Endpoint rule',
+                'ordering': ('priority', 'name'),
+            },
+        ),
+        migrations.RunPython(migrate_endpoints),
+    ]
diff --git a/apps/terminal/models/__init__.py b/apps/terminal/models/__init__.py
index e69928b3a..be079721d 100644
--- a/apps/terminal/models/__init__.py
+++ b/apps/terminal/models/__init__.py
@@ -6,3 +6,4 @@ from .task import *
 from .terminal import *
 from .sharing import *
 from .replay import *
+from .endpoint import *
diff --git a/apps/terminal/models/endpoint.py b/apps/terminal/models/endpoint.py
new file mode 100644
index 000000000..39f275f9a
--- /dev/null
+++ b/apps/terminal/models/endpoint.py
@@ -0,0 +1,94 @@
+from django.db import models
+from django.utils.translation import ugettext_lazy as _
+from django.core.validators import MinValueValidator, MaxValueValidator
+from common.db.models import JMSModel
+from common.fields.model import PortField
+from common.utils.ip import contains_ip
+
+
+class Endpoint(JMSModel):
+    name = models.CharField(max_length=128, verbose_name=_('Name'), unique=True)
+    host = models.CharField(max_length=256, blank=True, verbose_name=_('Host'))
+    # disabled value=0
+    https_port = PortField(default=443, verbose_name=_('HTTPS Port'))
+    http_port = PortField(default=80, verbose_name=_('HTTP Port'))
+    ssh_port = PortField(default=2222, verbose_name=_('SSH Port'))
+    rdp_port = PortField(default=3389, verbose_name=_('RDP Port'))
+    mysql_port = PortField(default=33060, verbose_name=_('MySQL Port'))
+    mariadb_port = PortField(default=33061, verbose_name=_('MariaDB Port'))
+    postgresql_port = PortField(default=54320, verbose_name=_('PostgreSQL Port'))
+    comment = models.TextField(default='', blank=True, verbose_name=_('Comment'))
+
+    default_id = '00000000-0000-0000-0000-000000000001'
+
+    class Meta:
+        verbose_name = _('Endpoint')
+        ordering = ('name',)
+
+    def __str__(self):
+        return self.name
+
+    def get_port(self, protocol):
+        return getattr(self, f'{protocol}_port', 0)
+
+    def delete(self, using=None, keep_parents=False):
+        if self.id == self.default_id:
+            return
+        return super().delete(using, keep_parents)
+
+    @classmethod
+    def get_or_create_default(cls, request=None):
+        data = {
+            'id': cls.default_id,
+            'name': 'Default',
+            'host': '',
+            'https_port': 0,
+            'http_port': 0,
+        }
+        endpoint, created = cls.objects.get_or_create(id=cls.default_id, defaults=data)
+        if not endpoint.host and request:
+            endpoint.host = request.get_host().split(':')[0]
+        return endpoint
+
+
+class EndpointRule(JMSModel):
+    name = models.CharField(max_length=128, verbose_name=_('Name'), unique=True)
+    ip_group = models.JSONField(default=list, verbose_name=_('IP group'))
+    priority = models.IntegerField(
+        verbose_name=_("Priority"), validators=[MinValueValidator(1), MaxValueValidator(100)],
+        unique=True, help_text=_("1-100, the lower the value will be match first"),
+    )
+    endpoint = models.ForeignKey(
+        'terminal.Endpoint', null=True, blank=True, related_name='rules',
+        on_delete=models.SET_NULL, verbose_name=_("Endpoint"),
+    )
+    comment = models.TextField(default='', blank=True, verbose_name=_('Comment'))
+
+    class Meta:
+        verbose_name = _('Endpoint rule')
+        ordering = ('priority', 'name')
+
+    def __str__(self):
+        return f'{self.name}({self.priority})'
+
+    @classmethod
+    def match(cls, target_ip, protocol):
+        for endpoint_rule in cls.objects.all().prefetch_related('endpoint'):
+            if not contains_ip(target_ip, endpoint_rule.ip_group):
+                continue
+            if not endpoint_rule.endpoint:
+                continue
+            if not endpoint_rule.endpoint.host:
+                continue
+            if endpoint_rule.endpoint.get_port(protocol) == 0:
+                continue
+            return endpoint_rule
+
+    @classmethod
+    def match_endpoint(cls, target_ip, protocol, request=None):
+        endpoint_rule = cls.match(target_ip, protocol)
+        if endpoint_rule:
+            endpoint = endpoint_rule.endpoint
+        else:
+            endpoint = Endpoint.get_or_create_default(request)
+        return endpoint
diff --git a/apps/terminal/models/session.py b/apps/terminal/models/session.py
index 09f1c9e91..565c54335 100644
--- a/apps/terminal/models/session.py
+++ b/apps/terminal/models/session.py
@@ -11,9 +11,11 @@ from django.core.files.storage import default_storage
 from django.core.cache import cache
 
 from assets.models import Asset
+from applications.models import Application
 from users.models import User
 from orgs.mixins.models import OrgModelMixin
 from django.db.models import TextChoices
+from common.utils import get_object_or_none
 from ..backends import get_multi_command_storage
 
 
@@ -194,6 +196,13 @@ class Session(OrgModelMixin):
     def login_from_display(self):
         return self.get_login_from_display()
 
+    def get_target_ip(self):
+        instance = get_object_or_none(Asset, pk=self.asset_id)
+        if not instance:
+            instance = get_object_or_none(Application, pk=self.asset_id)
+        target_ip = instance.get_target_ip() if instance else ''
+        return target_ip
+
     @classmethod
     def generate_fake(cls, count=100, is_finished=True):
         import random
diff --git a/apps/terminal/serializers/__init__.py b/apps/terminal/serializers/__init__.py
index 4e868cabc..e1312ebae 100644
--- a/apps/terminal/serializers/__init__.py
+++ b/apps/terminal/serializers/__init__.py
@@ -4,3 +4,4 @@ from .terminal import *
 from .session import *
 from .storage import *
 from .sharing import *
+from .endpoint import *
diff --git a/apps/terminal/serializers/endpoint.py b/apps/terminal/serializers/endpoint.py
new file mode 100644
index 000000000..822c6b5c2
--- /dev/null
+++ b/apps/terminal/serializers/endpoint.py
@@ -0,0 +1,51 @@
+from rest_framework import serializers
+from django.utils.translation import ugettext_lazy as _
+from common.drf.serializers import BulkModelSerializer
+from acls.serializers.rules import ip_group_help_text, ip_group_child_validator
+from ..models import Endpoint, EndpointRule
+
+__all__ = ['EndpointSerializer', 'EndpointRuleSerializer']
+
+
+class EndpointSerializer(BulkModelSerializer):
+
+    class Meta:
+        model = Endpoint
+        fields_mini = ['id', 'name']
+        fields_small = [
+            'host',
+            'https_port', 'http_port', 'ssh_port',
+            'rdp_port', 'mysql_port', 'mariadb_port',
+            'postgresql_port',
+        ]
+        fields = fields_mini + fields_small + [
+            'comment', 'date_created', 'date_updated', 'created_by'
+        ]
+        extra_kwargs = {
+            'https_port': {'default': 443},
+            'http_port': {'default': 80},
+            'ssh_port': {'default': 2222},
+            'rdp_port': {'default': 3389},
+            'mysql_port': {'default': 33060},
+            'mariadb_port': {'default': 33061},
+            'postgresql_port': {'default': 54320},
+        }
+
+
+class EndpointRuleSerializer(BulkModelSerializer):
+    ip_group = serializers.ListField(
+        default=['*'], label=_('IP'), help_text=ip_group_help_text,
+        child=serializers.CharField(max_length=1024, validators=[ip_group_child_validator])
+    )
+    endpoint_display = serializers.ReadOnlyField(source='endpoint.name', label=_('Endpoint'))
+
+    class Meta:
+        model = EndpointRule
+        fields_mini = ['id', 'name']
+        fields_small = fields_mini + ['ip_group', 'priority']
+        fields_fk = ['endpoint', 'endpoint_display']
+        fields = fields_mini + fields_small + fields_fk + [
+            'comment', 'date_created', 'date_updated', 'created_by'
+        ]
+        extra_kwargs = {
+        }
diff --git a/apps/terminal/urls/api_urls.py b/apps/terminal/urls/api_urls.py
index 9366332e2..c392f9c07 100644
--- a/apps/terminal/urls/api_urls.py
+++ b/apps/terminal/urls/api_urls.py
@@ -22,6 +22,8 @@ router.register(r'replay-storages', api.ReplayStorageViewSet, 'replay-storage')
 router.register(r'command-storages', api.CommandStorageViewSet, 'command-storage')
 router.register(r'session-sharings', api.SessionSharingViewSet, 'session-sharing')
 router.register(r'session-join-records', api.SessionJoinRecordsViewSet, 'session-sharing-record')
+router.register(r'endpoints', api.EndpointViewSet, 'endpoint')
+router.register(r'endpoint-rules', api.EndpointRuleViewSet, 'endpoint-rule')
 
 urlpatterns = [
     path('my-sessions/', api.MySessionAPIView.as_view(), name='my-session'),

From 3213fe098408e6908e176944ae055cb6ee9608c0 Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Tue, 12 Apr 2022 17:59:28 +0800
Subject: [PATCH 018/258] =?UTF-8?q?chore:=20=E6=B7=BB=E5=8A=A0action=20lgt?=
 =?UTF-8?q?m?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .github/workflows/lgtm.yml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 .github/workflows/lgtm.yml

diff --git a/.github/workflows/lgtm.yml b/.github/workflows/lgtm.yml
new file mode 100644
index 000000000..022d89a71
--- /dev/null
+++ b/.github/workflows/lgtm.yml
@@ -0,0 +1,15 @@
+name: Send LGTM reaction
+on:
+  issue_comment:
+    types: [created]
+  pull_request_review:
+    types: [submitted]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@1.0.0
+      - uses: micnncim/action-lgtm-reaction@master
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

From 72608146cc76f9ecd9e6c2e07e64d5c2cc21d002 Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Tue, 12 Apr 2022 18:25:28 +0800
Subject: [PATCH 019/258] chore: lgtm (#8048)

* chore: lgtm

* perf: add lgtm

Co-authored-by: ibuler <ibuler@qq.com>
---
 .github/workflows/lgtm.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/lgtm.yml b/.github/workflows/lgtm.yml
index 022d89a71..379ca5135 100644
--- a/.github/workflows/lgtm.yml
+++ b/.github/workflows/lgtm.yml
@@ -1,4 +1,5 @@
 name: Send LGTM reaction
+
 on:
   issue_comment:
     types: [created]
@@ -13,3 +14,5 @@ jobs:
       - uses: micnncim/action-lgtm-reaction@master
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          trigger: '["^.?lgtm$"]'

From b0f7c114fc0ff0c394d2b8b70199709ee0ec883e Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Wed, 13 Apr 2022 14:41:33 +0800
Subject: [PATCH 020/258] =?UTF-8?q?perf:=20=E4=BF=AE=E6=94=B9=20csrf=20tok?=
 =?UTF-8?q?en=20domain?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/jumpserver/settings/base.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/jumpserver/settings/base.py b/apps/jumpserver/settings/base.py
index e5b382517..a4441711a 100644
--- a/apps/jumpserver/settings/base.py
+++ b/apps/jumpserver/settings/base.py
@@ -127,7 +127,7 @@ LOGIN_REDIRECT_URL = reverse_lazy('index')
 LOGIN_URL = reverse_lazy('authentication:login')
 
 SESSION_COOKIE_DOMAIN = CONFIG.SESSION_COOKIE_DOMAIN
-CSRF_COOKIE_DOMAIN = CONFIG.CSRF_COOKIE_DOMAIN
+CSRF_COOKIE_DOMAIN = CONFIG.SESSION_COOKIE_DOMAIN
 SESSION_COOKIE_AGE = CONFIG.SESSION_COOKIE_AGE
 SESSION_EXPIRE_AT_BROWSER_CLOSE = True
 # 自定义的配置，SESSION_EXPIRE_AT_BROWSER_CLOSE 始终为 True, 下面这个来控制是否强制关闭后过期 cookie

From c630b11bd57e763d5c8ee86ae17382a654e596aa Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Wed, 13 Apr 2022 19:48:31 +0800
Subject: [PATCH 021/258] fix: port str (#8055)

Co-authored-by: feng626 <1304903146@qq.com>
---
 apps/authentication/api/connection_token.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/authentication/api/connection_token.py b/apps/authentication/api/connection_token.py
index 3e905076c..4afa7a306 100644
--- a/apps/authentication/api/connection_token.py
+++ b/apps/authentication/api/connection_token.py
@@ -186,7 +186,7 @@ class ClientProtocolMixin:
         )
         content = {
             'ip': endpoint.host,
-            'port': endpoint.ssh_port,
+            'port': str(endpoint.ssh_port),
             'username': f'JMS-{token}',
             'password': secret
         }

From 10b033010e8b238a7d8af1dc5910ce192ffe1c0d Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Wed, 13 Apr 2022 18:20:29 +0800
Subject: [PATCH 022/258] =?UTF-8?q?feat:=20=E4=BC=98=E5=8C=96=E5=91=BD?=
 =?UTF-8?q?=E4=BB=A4=E5=AF=BC=E5=87=BA=E6=97=B6=E9=97=B4=E6=88=B3=E5=8F=AF?=
 =?UTF-8?q?=E8=AF=BB=E6=80=A7?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/terminal/api/command.py                  | 28 +------------------
 apps/terminal/backends/command/models.py      |  5 ++++
 apps/terminal/backends/command/serializers.py |  1 +
 apps/terminal/urls/api_urls.py                |  1 -
 4 files changed, 7 insertions(+), 28 deletions(-)

diff --git a/apps/terminal/api/command.py b/apps/terminal/api/command.py
index 22a2bb5c3..5b60a114a 100644
--- a/apps/terminal/api/command.py
+++ b/apps/terminal/api/command.py
@@ -1,13 +1,10 @@
 # -*- coding: utf-8 -*-
 #
-import time
 from django.conf import settings
 from django.utils import timezone
-from django.shortcuts import HttpResponse
 from rest_framework import generics
 from rest_framework.fields import DateTimeField
 from rest_framework.response import Response
-from django.template import loader
 
 from terminal.models import CommandStorage, Session, Command
 from terminal.filters import CommandFilter
@@ -23,7 +20,7 @@ from ..backends import (
 from ..notifications import CommandAlertMessage
 
 logger = get_logger(__name__)
-__all__ = ['CommandViewSet', 'CommandExportApi', 'InsecureCommandAlertAPI']
+__all__ = ['CommandViewSet', 'InsecureCommandAlertAPI']
 
 
 class CommandQueryMixin:
@@ -191,29 +188,6 @@ class CommandViewSet(JMSBulkModelViewSet):
             return Response({"msg": msg}, status=401)
 
 
-class CommandExportApi(CommandQueryMixin, generics.ListAPIView):
-    serializer_class = SessionCommandSerializer
-    rbac_perms = {
-        'list': 'terminal.view_command'
-    }
-
-    def list(self, request, *args, **kwargs):
-        queryset = self.filter_queryset(self.get_queryset())
-
-        template = 'terminal/command_report.html'
-        context = {
-            'queryset': queryset,
-            'total_count': len(queryset),
-            'now': time.time(),
-        }
-        content = loader.render_to_string(template, context, request)
-        content_type = 'application/octet-stream'
-        response = HttpResponse(content, content_type)
-        filename = 'command-report-{}.html'.format(int(time.time()))
-        response['Content-Disposition'] = 'attachment; filename="%s"' % filename
-        return response
-
-
 class InsecureCommandAlertAPI(generics.CreateAPIView):
     serializer_class = InsecureCommandAlertSerializer
     rbac_perms = {
diff --git a/apps/terminal/backends/command/models.py b/apps/terminal/backends/command/models.py
index 02a16d353..0a795b905 100644
--- a/apps/terminal/backends/command/models.py
+++ b/apps/terminal/backends/command/models.py
@@ -1,5 +1,6 @@
 # -*- coding: utf-8 -*-
 #
+from datetime import datetime
 import uuid
 from django.db import models
 from django.utils.translation import ugettext_lazy as _
@@ -28,6 +29,10 @@ class AbstractSessionCommand(OrgModelMixin):
     class Meta:
         abstract = True
 
+    @lazyproperty
+    def timestamp_display(self):
+        return datetime.fromtimestamp(self.timestamp)
+
     @lazyproperty
     def remote_addr(self):
         from terminal.models import Session
diff --git a/apps/terminal/backends/command/serializers.py b/apps/terminal/backends/command/serializers.py
index 625c4282e..2eb9e434c 100644
--- a/apps/terminal/backends/command/serializers.py
+++ b/apps/terminal/backends/command/serializers.py
@@ -36,6 +36,7 @@ class SessionCommandSerializer(SimpleSessionCommandSerializer):
     output = serializers.CharField(max_length=2048, allow_blank=True, label=_("Output"))
     risk_level_display = serializers.SerializerMethodField(label=_('Risk level display'))
     timestamp = serializers.IntegerField(label=_('Timestamp'))
+    timestamp_display = serializers.DateTimeField(label=_('Datetime'))
     remote_addr = serializers.CharField(read_only=True, label=_('Remote Address'))
 
     @staticmethod
diff --git a/apps/terminal/urls/api_urls.py b/apps/terminal/urls/api_urls.py
index c392f9c07..3f0445350 100644
--- a/apps/terminal/urls/api_urls.py
+++ b/apps/terminal/urls/api_urls.py
@@ -36,7 +36,6 @@ urlpatterns = [
     path('tasks/kill-session/', api.KillSessionAPI.as_view(), name='kill-session'),
     path('tasks/kill-session-for-ticket/', api.KillSessionForTicketAPI.as_view(), name='kill-session-for-ticket'),
     path('terminals/config/', api.TerminalConfig.as_view(), name='terminal-config'),
-    path('commands/export/', api.CommandExportApi.as_view(), name="command-export"),
     path('commands/insecure-command/', api.InsecureCommandAlertAPI.as_view(), name="command-alert"),
     path('replay-storages/<uuid:pk>/test-connective/', api.ReplayStorageTestConnectiveApi.as_view(), name='replay-storage-test-connective'),
     path('command-storages/<uuid:pk>/test-connective/', api.CommandStorageTestConnectiveApi.as_view(), name='command-storage-test-connective'),

From b610d71e115a0deb2b042801df18d60eb722f94e Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Wed, 13 Apr 2022 20:24:56 +0800
Subject: [PATCH 023/258] =?UTF-8?q?feat:=20=E6=B7=BB=E5=8A=A0=20=E4=B8=B4?=
 =?UTF-8?q?=E6=97=B6=20password=20(#8035)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* perf: 添加 template password

* perf: 修改id

* perf: 修改 翻译

* perf: 修改 tmp token

* perf: 修改 token

Co-authored-by: ibuler <ibuler@qq.com>
---
 apps/audits/signal_handlers.py                |   1 +
 apps/authentication/api/__init__.py           |   1 +
 apps/authentication/api/temp_token.py         |  27 ++
 apps/authentication/api/token.py              |   1 -
 apps/authentication/backends/base.py          |   3 +-
 apps/authentication/backends/ldap.py          |   5 +-
 apps/authentication/backends/radius.py        |  27 +-
 .../authentication/backends/saml2/backends.py |   2 +-
 apps/authentication/backends/token.py         |  26 ++
 .../migrations/0010_temptoken.py              |  32 ++
 apps/authentication/models.py                 |  24 +-
 apps/authentication/serializers/__init__.py   |   3 +
 .../connect_token.py}                         |  97 +-----
 .../serializers/password_mfa.py               |  33 ++
 apps/authentication/serializers/token.py      | 103 +++++++
 apps/authentication/urls/api_urls.py          |   1 +
 apps/common/utils/common.py                   |   2 +
 apps/common/utils/random.py                   |  24 --
 apps/jumpserver/conf.py                       |   2 +
 apps/jumpserver/settings/auth.py              |  10 +-
 apps/locale/ja/LC_MESSAGES/django.mo          |   4 +-
 apps/locale/ja/LC_MESSAGES/django.po          | 285 ++++++++++--------
 apps/locale/zh/LC_MESSAGES/django.mo          |   4 +-
 apps/locale/zh/LC_MESSAGES/django.po          | 282 +++++++++--------
 apps/rbac/builtin.py                          |   1 +
 apps/settings/api/public.py                   |   1 +
 26 files changed, 611 insertions(+), 390 deletions(-)
 create mode 100644 apps/authentication/api/temp_token.py
 create mode 100644 apps/authentication/backends/token.py
 create mode 100644 apps/authentication/migrations/0010_temptoken.py
 create mode 100644 apps/authentication/serializers/__init__.py
 rename apps/authentication/{serializers.py => serializers/connect_token.py} (59%)
 create mode 100644 apps/authentication/serializers/password_mfa.py
 create mode 100644 apps/authentication/serializers/token.py

diff --git a/apps/audits/signal_handlers.py b/apps/audits/signal_handlers.py
index daa3fa4bf..031b1e25c 100644
--- a/apps/audits/signal_handlers.py
+++ b/apps/audits/signal_handlers.py
@@ -70,6 +70,7 @@ class AuthBackendLabelMapping(LazyObject):
         backend_label_mapping[settings.AUTH_BACKEND_AUTH_TOKEN] = _('Auth Token')
         backend_label_mapping[settings.AUTH_BACKEND_WECOM] = _('WeCom')
         backend_label_mapping[settings.AUTH_BACKEND_DINGTALK] = _('DingTalk')
+        backend_label_mapping[settings.AUTH_BACKEND_TEMP_TOKEN] = _('Temporary token')
         return backend_label_mapping
 
     def _setup(self):
diff --git a/apps/authentication/api/__init__.py b/apps/authentication/api/__init__.py
index c0064f9bd..01a4c52e9 100644
--- a/apps/authentication/api/__init__.py
+++ b/apps/authentication/api/__init__.py
@@ -11,3 +11,4 @@ from .wecom import *
 from .dingtalk import *
 from .feishu import *
 from .password import *
+from .temp_token import *
diff --git a/apps/authentication/api/temp_token.py b/apps/authentication/api/temp_token.py
new file mode 100644
index 000000000..98c1d74d6
--- /dev/null
+++ b/apps/authentication/api/temp_token.py
@@ -0,0 +1,27 @@
+from django.utils import timezone
+from rest_framework.response import Response
+from rest_framework.decorators import action
+
+from common.drf.api import JMSModelViewSet
+from common.permissions import IsValidUser
+from ..models import TempToken
+from ..serializers import TempTokenSerializer
+
+
+class TempTokenViewSet(JMSModelViewSet):
+    serializer_class = TempTokenSerializer
+    permission_classes = [IsValidUser]
+    http_method_names = ['post', 'get', 'options', 'patch']
+
+    def get_queryset(self):
+        username = self.request.user.username
+        return TempToken.objects.filter(username=username)
+
+    @action(methods=['PATCH'], detail=True, url_path='expire')
+    def expire(self, *args, **kwargs):
+        instance = self.get_object()
+        instance.date_expired = timezone.now()
+        instance.save()
+        serializer = self.get_serializer(instance)
+        return Response(serializer.data)
+
diff --git a/apps/authentication/api/token.py b/apps/authentication/api/token.py
index df8c6eb3f..e5fe8bf2c 100644
--- a/apps/authentication/api/token.py
+++ b/apps/authentication/api/token.py
@@ -1,6 +1,5 @@
 # -*- coding: utf-8 -*-
 #
-from django.shortcuts import redirect
 from rest_framework.permissions import AllowAny
 from rest_framework.response import Response
 from rest_framework.generics import CreateAPIView
diff --git a/apps/authentication/backends/base.py b/apps/authentication/backends/base.py
index 64faf3334..84cdeab27 100644
--- a/apps/authentication/backends/base.py
+++ b/apps/authentication/backends/base.py
@@ -1,10 +1,11 @@
-from django.contrib.auth.backends import BaseBackend
 from django.contrib.auth.backends import ModelBackend
+from django.contrib.auth import get_user_model
 
 from users.models import User
 from common.utils import get_logger
 
 
+UserModel = get_user_model()
 logger = get_logger(__file__)
 
 
diff --git a/apps/authentication/backends/ldap.py b/apps/authentication/backends/ldap.py
index 1c8a80cb1..895226e58 100644
--- a/apps/authentication/backends/ldap.py
+++ b/apps/authentication/backends/ldap.py
@@ -53,7 +53,7 @@ class LDAPAuthorizationBackend(JMSBaseAuthBackend, LDAPBackend):
         else:
             built = False
 
-        return (user, built)
+        return user, built
 
     def pre_check(self, username, password):
         if not settings.AUTH_LDAP:
@@ -75,6 +75,9 @@ class LDAPAuthorizationBackend(JMSBaseAuthBackend, LDAPBackend):
 
     def authenticate(self, request=None, username=None, password=None, **kwargs):
         logger.info('Authentication LDAP backend')
+        if username is None or password is None:
+            logger.info('No username or password')
+            return None
         match, msg = self.pre_check(username, password)
         if not match:
             logger.info('Authenticate failed: {}'.format(msg))
diff --git a/apps/authentication/backends/radius.py b/apps/authentication/backends/radius.py
index 170534370..84f88165a 100644
--- a/apps/authentication/backends/radius.py
+++ b/apps/authentication/backends/radius.py
@@ -13,20 +13,23 @@ User = get_user_model()
 
 
 class CreateUserMixin:
-    def get_django_user(self, username, password=None, *args, **kwargs):
+    @staticmethod
+    def get_django_user(username, password=None, *args, **kwargs):
         if isinstance(username, bytes):
             username = username.decode()
-        try:
-            user = User.objects.get(username=username)
-        except User.DoesNotExist:
-            if '@' in username:
-                email = username
-            else:
-                email_suffix = settings.EMAIL_SUFFIX
-                email = '{}@{}'.format(username, email_suffix)
-            user = User(username=username, name=username, email=email)
-            user.source = user.Source.radius.value
-            user.save()
+        user = User.objects.filter(username=username).first()
+        if user:
+            return user
+
+        if '@' in username:
+            email = username
+        else:
+            email_suffix = settings.EMAIL_SUFFIX
+            email = '{}@{}'.format(username, email_suffix)
+
+        user = User(username=username, name=username, email=email)
+        user.source = user.Source.radius.value
+        user.save()
         return user
 
     def _perform_radius_auth(self, client, packet):
diff --git a/apps/authentication/backends/saml2/backends.py b/apps/authentication/backends/saml2/backends.py
index e1b1fb1eb..0ac0efe1c 100644
--- a/apps/authentication/backends/saml2/backends.py
+++ b/apps/authentication/backends/saml2/backends.py
@@ -14,7 +14,7 @@ from ..base import JMSModelBackend
 
 __all__ = ['SAML2Backend']
 
-logger = get_logger(__file__)
+logger = get_logger(__name__)
 
 
 class SAML2Backend(JMSModelBackend):
diff --git a/apps/authentication/backends/token.py b/apps/authentication/backends/token.py
new file mode 100644
index 000000000..be9cb9032
--- /dev/null
+++ b/apps/authentication/backends/token.py
@@ -0,0 +1,26 @@
+from django.utils import timezone
+from django.conf import settings
+from django.core.exceptions import PermissionDenied
+
+from authentication.models import TempToken
+from .base import JMSModelBackend
+
+
+class TempTokenAuthBackend(JMSModelBackend):
+    model = TempToken
+
+    def authenticate(self, request, username='', password='', *args, **kwargs):
+        token = self.model.objects.filter(username=username, secret=password).first()
+        if not token:
+            return None
+        if not token.is_valid:
+            raise PermissionDenied('Token is invalid, expired at {}'.format(token.date_expired))
+
+        token.verified = True
+        token.date_verified = timezone.now()
+        token.save()
+        return token.user
+
+    @staticmethod
+    def is_enabled():
+        return settings.AUTH_TEMP_TOKEN
diff --git a/apps/authentication/migrations/0010_temptoken.py b/apps/authentication/migrations/0010_temptoken.py
new file mode 100644
index 000000000..914188d3f
--- /dev/null
+++ b/apps/authentication/migrations/0010_temptoken.py
@@ -0,0 +1,32 @@
+# Generated by Django 3.1.14 on 2022-04-08 07:04
+
+from django.db import migrations, models
+import uuid
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('authentication', '0009_auto_20220310_0616'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='TempToken',
+            fields=[
+                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
+                ('created_by', models.CharField(blank=True, max_length=32, null=True, verbose_name='Created by')),
+                ('updated_by', models.CharField(blank=True, max_length=32, null=True, verbose_name='Updated by')),
+                ('date_created', models.DateTimeField(auto_now_add=True, null=True, verbose_name='Date created')),
+                ('date_updated', models.DateTimeField(auto_now=True, verbose_name='Date updated')),
+                ('username', models.CharField(max_length=128, verbose_name='Username')),
+                ('secret', models.CharField(max_length=64, verbose_name='Secret')),
+                ('verified', models.BooleanField(default=False, verbose_name='Verified')),
+                ('date_verified', models.DateTimeField(null=True, verbose_name='Date verified')),
+                ('date_expired', models.DateTimeField(verbose_name='Date verified')),
+            ],
+            options={
+                'verbose_name': 'Temporary token',
+            },
+        ),
+    ]
diff --git a/apps/authentication/models.py b/apps/authentication/models.py
index 1b353f737..54cab4fbd 100644
--- a/apps/authentication/models.py
+++ b/apps/authentication/models.py
@@ -1,8 +1,9 @@
 import uuid
 
+from django.utils import timezone
 from django.utils.translation import ugettext_lazy as _
-from rest_framework.authtoken.models import Token
 from django.conf import settings
+from rest_framework.authtoken.models import Token
 
 from common.db import models
 
@@ -64,6 +65,27 @@ class ConnectionToken(models.JMSBaseModel):
         ]
 
 
+class TempToken(models.JMSModel):
+    username = models.CharField(max_length=128, verbose_name=_("Username"))
+    secret = models.CharField(max_length=64, verbose_name=_("Secret"))
+    verified = models.BooleanField(default=False, verbose_name=_("Verified"))
+    date_verified = models.DateTimeField(null=True, verbose_name=_("Date verified"))
+    date_expired = models.DateTimeField(verbose_name=_("Date expired"))
+
+    class Meta:
+        verbose_name = _("Temporary token")
+
+    @property
+    def user(self):
+        from users.models import User
+        return User.objects.filter(username=self.username).first()
+
+    @property
+    def is_valid(self):
+        not_expired = self.date_expired and self.date_expired > timezone.now()
+        return not self.verified and not_expired
+
+
 class SuperConnectionToken(ConnectionToken):
     class Meta:
         proxy = True
diff --git a/apps/authentication/serializers/__init__.py b/apps/authentication/serializers/__init__.py
new file mode 100644
index 000000000..7697c46db
--- /dev/null
+++ b/apps/authentication/serializers/__init__.py
@@ -0,0 +1,3 @@
+from .token import *
+from .connect_token import *
+from .password_mfa import *
diff --git a/apps/authentication/serializers.py b/apps/authentication/serializers/connect_token.py
similarity index 59%
rename from apps/authentication/serializers.py
rename to apps/authentication/serializers/connect_token.py
index f6661ba38..c8f94909d 100644
--- a/apps/authentication/serializers.py
+++ b/apps/authentication/serializers/connect_token.py
@@ -1,109 +1,22 @@
 # -*- coding: utf-8 -*-
 #
-from django.utils import timezone
 from rest_framework import serializers
 
-from common.utils import get_object_or_none
 from users.models import User
 from assets.models import Asset, SystemUser, Gateway, Domain, CommandFilterRule
 from applications.models import Application
-from users.serializers import UserProfileSerializer
 from assets.serializers import ProtocolsField
 from perms.serializers.base import ActionsField
-from .models import AccessKey
 
 __all__ = [
-    'AccessKeySerializer', 'OtpVerifySerializer', 'BearerTokenSerializer',
-    'MFAChallengeSerializer', 'SSOTokenSerializer',
-    'ConnectionTokenSerializer', 'ConnectionTokenSecretSerializer',
-    'PasswordVerifySerializer', 'MFASelectTypeSerializer',
+    'ConnectionTokenSerializer', 'ConnectionTokenApplicationSerializer',
+    'ConnectionTokenUserSerializer', 'ConnectionTokenFilterRuleSerializer',
+    'ConnectionTokenAssetSerializer', 'ConnectionTokenSystemUserSerializer',
+    'ConnectionTokenDomainSerializer', 'ConnectionTokenRemoteAppSerializer',
+    'ConnectionTokenGatewaySerializer', 'ConnectionTokenSecretSerializer'
 ]
 
 
-class AccessKeySerializer(serializers.ModelSerializer):
-    class Meta:
-        model = AccessKey
-        fields = ['id', 'secret', 'is_active', 'date_created']
-        read_only_fields = ['id', 'secret', 'date_created']
-
-
-class OtpVerifySerializer(serializers.Serializer):
-    code = serializers.CharField(max_length=6, min_length=6)
-
-
-class PasswordVerifySerializer(serializers.Serializer):
-    password = serializers.CharField()
-
-
-class BearerTokenSerializer(serializers.Serializer):
-    username = serializers.CharField(allow_null=True, required=False, write_only=True)
-    password = serializers.CharField(write_only=True, allow_null=True,
-                                     required=False, allow_blank=True)
-    public_key = serializers.CharField(write_only=True, allow_null=True,
-                                       allow_blank=True, required=False)
-    token = serializers.CharField(read_only=True)
-    keyword = serializers.SerializerMethodField()
-    date_expired = serializers.DateTimeField(read_only=True)
-    user = UserProfileSerializer(read_only=True)
-
-    @staticmethod
-    def get_keyword(obj):
-        return 'Bearer'
-
-    def update_last_login(self, user):
-        user.last_login = timezone.now()
-        user.save(update_fields=['last_login'])
-
-    def get_request_user(self):
-        request = self.context.get('request')
-        if request.user and request.user.is_authenticated:
-            user = request.user
-        else:
-            user_id = request.session.get('user_id')
-            user = get_object_or_none(User, pk=user_id)
-            if not user:
-                raise serializers.ValidationError(
-                    "user id {} not exist".format(user_id)
-                )
-        return user
-
-    def create(self, validated_data):
-        request = self.context.get('request')
-        user = self.get_request_user()
-
-        token, date_expired = user.create_bearer_token(request)
-        self.update_last_login(user)
-
-        instance = {
-            "token": token,
-            "date_expired": date_expired,
-            "user": user
-        }
-        return instance
-
-
-class MFASelectTypeSerializer(serializers.Serializer):
-    type = serializers.CharField()
-    username = serializers.CharField(required=False, allow_blank=True, allow_null=True)
-
-
-class MFAChallengeSerializer(serializers.Serializer):
-    type = serializers.CharField(write_only=True, required=False, allow_blank=True)
-    code = serializers.CharField(write_only=True)
-
-    def create(self, validated_data):
-        pass
-
-    def update(self, instance, validated_data):
-        pass
-
-
-class SSOTokenSerializer(serializers.Serializer):
-    username = serializers.CharField(write_only=True)
-    login_url = serializers.CharField(read_only=True)
-    next = serializers.CharField(write_only=True, allow_blank=True, required=False, allow_null=True)
-
-
 class ConnectionTokenSerializer(serializers.Serializer):
     user = serializers.CharField(max_length=128, required=False, allow_blank=True)
     system_user = serializers.CharField(max_length=128, required=True)
diff --git a/apps/authentication/serializers/password_mfa.py b/apps/authentication/serializers/password_mfa.py
new file mode 100644
index 000000000..c4c0679c6
--- /dev/null
+++ b/apps/authentication/serializers/password_mfa.py
@@ -0,0 +1,33 @@
+# -*- coding: utf-8 -*-
+#
+from rest_framework import serializers
+
+
+__all__ = [
+    'OtpVerifySerializer', 'MFAChallengeSerializer', 'MFASelectTypeSerializer',
+    'PasswordVerifySerializer',
+]
+
+
+class PasswordVerifySerializer(serializers.Serializer):
+    password = serializers.CharField()
+
+
+class MFASelectTypeSerializer(serializers.Serializer):
+    type = serializers.CharField()
+    username = serializers.CharField(required=False, allow_blank=True, allow_null=True)
+
+
+class MFAChallengeSerializer(serializers.Serializer):
+    type = serializers.CharField(write_only=True, required=False, allow_blank=True)
+    code = serializers.CharField(write_only=True)
+
+    def create(self, validated_data):
+        pass
+
+    def update(self, instance, validated_data):
+        pass
+
+
+class OtpVerifySerializer(serializers.Serializer):
+    code = serializers.CharField(max_length=6, min_length=6)
diff --git a/apps/authentication/serializers/token.py b/apps/authentication/serializers/token.py
new file mode 100644
index 000000000..d1e87c0c0
--- /dev/null
+++ b/apps/authentication/serializers/token.py
@@ -0,0 +1,103 @@
+# -*- coding: utf-8 -*-
+#
+from django.utils import timezone
+from django.utils.translation import gettext_lazy as _
+from rest_framework import serializers
+
+from common.utils import get_object_or_none, random_string
+from users.models import User
+from users.serializers import UserProfileSerializer
+from ..models import AccessKey, TempToken
+
+__all__ = [
+    'AccessKeySerializer',  'BearerTokenSerializer',
+    'SSOTokenSerializer', 'TempTokenSerializer',
+]
+
+
+class AccessKeySerializer(serializers.ModelSerializer):
+    class Meta:
+        model = AccessKey
+        fields = ['id', 'secret', 'is_active', 'date_created']
+        read_only_fields = ['id', 'secret', 'date_created']
+
+
+class BearerTokenSerializer(serializers.Serializer):
+    username = serializers.CharField(allow_null=True, required=False, write_only=True)
+    password = serializers.CharField(write_only=True, allow_null=True,
+                                     required=False, allow_blank=True)
+    public_key = serializers.CharField(write_only=True, allow_null=True,
+                                       allow_blank=True, required=False)
+    token = serializers.CharField(read_only=True)
+    keyword = serializers.SerializerMethodField()
+    date_expired = serializers.DateTimeField(read_only=True)
+    user = UserProfileSerializer(read_only=True)
+
+    @staticmethod
+    def get_keyword(obj):
+        return 'Bearer'
+
+    def update_last_login(self, user):
+        user.last_login = timezone.now()
+        user.save(update_fields=['last_login'])
+
+    def get_request_user(self):
+        request = self.context.get('request')
+        if request.user and request.user.is_authenticated:
+            user = request.user
+        else:
+            user_id = request.session.get('user_id')
+            user = get_object_or_none(User, pk=user_id)
+            if not user:
+                raise serializers.ValidationError(
+                    "user id {} not exist".format(user_id)
+                )
+        return user
+
+    def create(self, validated_data):
+        request = self.context.get('request')
+        user = self.get_request_user()
+
+        token, date_expired = user.create_bearer_token(request)
+        self.update_last_login(user)
+
+        instance = {
+            "token": token,
+            "date_expired": date_expired,
+            "user": user
+        }
+        return instance
+
+
+class SSOTokenSerializer(serializers.Serializer):
+    username = serializers.CharField(write_only=True)
+    login_url = serializers.CharField(read_only=True)
+    next = serializers.CharField(write_only=True, allow_blank=True, required=False, allow_null=True)
+
+
+class TempTokenSerializer(serializers.ModelSerializer):
+    is_valid = serializers.BooleanField(label=_("Is valid"), read_only=True)
+
+    class Meta:
+        model = TempToken
+        fields = [
+            'id', 'username', 'secret', 'verified', 'is_valid',
+            'date_created', 'date_updated', 'date_verified',
+            'date_expired',
+        ]
+        read_only_fields = fields
+
+    def create(self, validated_data):
+        request = self.context.get('request')
+        if not request or not request.user:
+            raise PermissionError()
+
+        secret = random_string(36)
+        username = request.user.username
+        kwargs = {
+            'username': username, 'secret': secret,
+            'date_expired': timezone.now() + timezone.timedelta(seconds=5*60),
+        }
+        token = TempToken(**kwargs)
+        token.save()
+        return token
diff --git a/apps/authentication/urls/api_urls.py b/apps/authentication/urls/api_urls.py
index 1a6c43dd7..920988ee4 100644
--- a/apps/authentication/urls/api_urls.py
+++ b/apps/authentication/urls/api_urls.py
@@ -9,6 +9,7 @@ app_name = 'authentication'
 router = DefaultRouter()
 router.register('access-keys', api.AccessKeyViewSet, 'access-key')
 router.register('sso', api.SSOViewSet, 'sso')
+router.register('temp-tokens', api.TempTokenViewSet, 'temp-token')
 router.register('connection-token', api.UserConnectionTokenViewSet, 'connection-token')
 
 
diff --git a/apps/common/utils/common.py b/apps/common/utils/common.py
index d579eacfb..3982b1349 100644
--- a/apps/common/utils/common.py
+++ b/apps/common/utils/common.py
@@ -31,6 +31,8 @@ def combine_seq(s1, s2, callback=None):
 
 
 def get_logger(name=''):
+    if '/' in name:
+        name = os.path.basename(name).replace('.py', '')
     return logging.getLogger('jumpserver.%s' % name)
 
 
diff --git a/apps/common/utils/random.py b/apps/common/utils/random.py
index 1a7449ef0..db3b39c05 100644
--- a/apps/common/utils/random.py
+++ b/apps/common/utils/random.py
@@ -40,27 +40,3 @@ def random_string(length, lower=True, upper=True, digit=True, special_char=False
 
     password = ''.join(password)
     return password
-
-
-# def strTimeProp(start, end, prop, fmt):
-#     time_start = time.mktime(time.strptime(start, fmt))
-#     time_end = time.mktime(time.strptime(end, fmt))
-#     ptime = time_start + prop * (time_end - time_start)
-#     return int(ptime)
-#
-#
-# def randomTimestamp(start, end, fmt='%Y-%m-%d %H:%M:%S'):
-#     return strTimeProp(start, end, random.random(), fmt)
-#
-#
-# def randomDate(start, end, frmt='%Y-%m-%d %H:%M:%S'):
-#     return time.strftime(frmt, time.localtime(strTimeProp(start, end, random.random(), frmt)))
-#
-#
-# def randomTimestampList(start, end, n, frmt='%Y-%m-%d %H:%M:%S'):
-#     return [randomTimestamp(start, end, frmt) for _ in range(n)]
-#
-#
-# def randomDateList(start, end, n, frmt='%Y-%m-%d %H:%M:%S'):
-#     return [randomDate(start, end, frmt) for _ in range(n)]
-
diff --git a/apps/jumpserver/conf.py b/apps/jumpserver/conf.py
index f72ed899f..3cc8a067d 100644
--- a/apps/jumpserver/conf.py
+++ b/apps/jumpserver/conf.py
@@ -256,6 +256,8 @@ class Config(dict):
         'AUTH_SAML2_PROVIDER_AUTHORIZATION_ENDPOINT': '/',
         'AUTH_SAML2_AUTHENTICATION_FAILURE_REDIRECT_URI': '/',
 
+        'AUTH_TEMP_TOKEN': False,
+
         # 企业微信
         'AUTH_WECOM': False,
         'WECOM_CORPID': '',
diff --git a/apps/jumpserver/settings/auth.py b/apps/jumpserver/settings/auth.py
index f71afec9b..e07883d55 100644
--- a/apps/jumpserver/settings/auth.py
+++ b/apps/jumpserver/settings/auth.py
@@ -109,11 +109,11 @@ CAS_APPLY_ATTRIBUTES_TO_USER = CONFIG.CAS_APPLY_ATTRIBUTES_TO_USER
 CAS_RENAME_ATTRIBUTES = CONFIG.CAS_RENAME_ATTRIBUTES
 CAS_CREATE_USER = CONFIG.CAS_CREATE_USER
 
-# SSO Auth
+# SSO auth
 AUTH_SSO = CONFIG.AUTH_SSO
 AUTH_SSO_AUTHKEY_TTL = CONFIG.AUTH_SSO_AUTHKEY_TTL
 
-# WECOM Auth
+# WECOM auth
 AUTH_WECOM = CONFIG.AUTH_WECOM
 WECOM_CORPID = CONFIG.WECOM_CORPID
 WECOM_AGENTID = CONFIG.WECOM_AGENTID
@@ -141,6 +141,9 @@ SAML2_SP_ADVANCED_SETTINGS = CONFIG.SAML2_SP_ADVANCED_SETTINGS
 SAML2_LOGIN_URL_NAME = "authentication:saml2:saml2-login"
 SAML2_LOGOUT_URL_NAME = "authentication:saml2:saml2-logout"
 
+# 临时 token
+AUTH_TEMP_TOKEN = CONFIG.AUTH_TEMP_TOKEN
+
 # Other setting
 TOKEN_EXPIRATION = CONFIG.TOKEN_EXPIRATION
 OTP_IN_RADIUS = CONFIG.OTP_IN_RADIUS
@@ -160,6 +163,7 @@ AUTH_BACKEND_DINGTALK = 'authentication.backends.sso.DingTalkAuthentication'
 AUTH_BACKEND_FEISHU = 'authentication.backends.sso.FeiShuAuthentication'
 AUTH_BACKEND_AUTH_TOKEN = 'authentication.backends.sso.AuthorizationTokenAuthentication'
 AUTH_BACKEND_SAML2 = 'authentication.backends.saml2.SAML2Backend'
+AUTH_BACKEND_TEMP_TOKEN = 'authentication.backends.token.TempTokenAuthBackend'
 
 
 AUTHENTICATION_BACKENDS = [
@@ -172,7 +176,7 @@ AUTHENTICATION_BACKENDS = [
     # 扫码模式
     AUTH_BACKEND_WECOM, AUTH_BACKEND_DINGTALK, AUTH_BACKEND_FEISHU,
     # Token模式
-    AUTH_BACKEND_AUTH_TOKEN, AUTH_BACKEND_SSO,
+    AUTH_BACKEND_AUTH_TOKEN, AUTH_BACKEND_SSO, AUTH_BACKEND_TEMP_TOKEN
 ]
 
 ONLY_ALLOW_EXIST_USER_AUTH = CONFIG.ONLY_ALLOW_EXIST_USER_AUTH
diff --git a/apps/locale/ja/LC_MESSAGES/django.mo b/apps/locale/ja/LC_MESSAGES/django.mo
index 73226f058..7044727ed 100644
--- a/apps/locale/ja/LC_MESSAGES/django.mo
+++ b/apps/locale/ja/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:70685e92cbf84f4178224a44fd84eb884a0acfb9749200541ea6655a9a397a72
-size 125019
+oid sha256:89878c511a62211520b347ccf37676cb11e9a0b3257ff968fb6d5dd81726a1e5
+size 125117
diff --git a/apps/locale/ja/LC_MESSAGES/django.po b/apps/locale/ja/LC_MESSAGES/django.po
index c80ef4904..643d66c0c 100644
--- a/apps/locale/ja/LC_MESSAGES/django.po
+++ b/apps/locale/ja/LC_MESSAGES/django.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-04-12 17:03+0800\n"
+"POT-Creation-Date: 2022-04-13 20:21+0800\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -29,25 +29,25 @@ msgstr "Acls"
 #: assets/models/group.py:20 assets/models/label.py:18 ops/mixin.py:24
 #: orgs/models.py:65 perms/models/base.py:83 rbac/models/role.py:29
 #: settings/models.py:29 settings/serializers/sms.py:6
-#: terminal/models/endpoint.py:10 terminal/models/endpoint.py:53
+#: terminal/models/endpoint.py:10 terminal/models/endpoint.py:55
 #: terminal/models/storage.py:23 terminal/models/task.py:16
 #: terminal/models/terminal.py:100 users/forms/profile.py:32
 #: users/models/group.py:15 users/models/user.py:661
-#: xpack/plugins/cloud/models.py:28
+#: xpack/plugins/cloud/models.py:27
 msgid "Name"
 msgstr "名前"
 
 #: acls/models/base.py:27 assets/models/cmd_filter.py:84
-#: assets/models/user.py:247 terminal/models/endpoint.py:56
+#: assets/models/user.py:247 terminal/models/endpoint.py:58
 msgid "Priority"
 msgstr "優先順位"
 
 #: acls/models/base.py:28 assets/models/cmd_filter.py:84
-#: assets/models/user.py:247 terminal/models/endpoint.py:57
+#: assets/models/user.py:247 terminal/models/endpoint.py:59
 msgid "1-100, the lower the value will be match first"
 msgstr "1-100、低い値は最初に一致します"
 
-#: acls/models/base.py:31 authentication/models.py:17
+#: acls/models/base.py:31 authentication/models.py:18
 #: authentication/templates/authentication/_access_key_modal.html:32
 #: perms/models/base.py:88 terminal/models/sharing.py:26
 msgid "Active"
@@ -61,12 +61,12 @@ msgstr "アクティブ"
 #: assets/models/domain.py:64 assets/models/group.py:23
 #: assets/models/label.py:23 ops/models/adhoc.py:38 orgs/models.py:68
 #: perms/models/base.py:93 rbac/models/role.py:37 settings/models.py:34
-#: terminal/models/endpoint.py:20 terminal/models/endpoint.py:63
+#: terminal/models/endpoint.py:20 terminal/models/endpoint.py:65
 #: terminal/models/storage.py:26 terminal/models/terminal.py:114
 #: tickets/models/comment.py:24 tickets/models/ticket.py:154
 #: users/models/group.py:16 users/models/user.py:698
 #: xpack/plugins/change_auth_plan/models/base.py:44
-#: xpack/plugins/cloud/models.py:35 xpack/plugins/cloud/models.py:116
+#: xpack/plugins/cloud/models.py:34 xpack/plugins/cloud/models.py:115
 #: xpack/plugins/gathered_user/models.py:26
 msgid "Comment"
 msgstr "コメント"
@@ -87,9 +87,9 @@ msgstr "ログイン確認"
 #: acls/models/login_acl.py:24 acls/models/login_asset_acl.py:20
 #: assets/models/cmd_filter.py:30 assets/models/label.py:15 audits/models.py:37
 #: audits/models.py:60 audits/models.py:85 audits/serializers.py:100
-#: authentication/models.py:50 orgs/models.py:214 perms/models/base.py:84
-#: rbac/builtin.py:106 rbac/models/rolebinding.py:40
-#: terminal/backends/command/models.py:19
+#: authentication/models.py:51 orgs/models.py:214 perms/models/base.py:84
+#: rbac/builtin.py:107 rbac/models/rolebinding.py:40
+#: terminal/backends/command/models.py:20
 #: terminal/backends/command/serializers.py:12 terminal/models/session.py:44
 #: terminal/notifications.py:91 terminal/notifications.py:139
 #: tickets/models/comment.py:17 users/const.py:14 users/models/user.py:886
@@ -129,12 +129,12 @@ msgstr "システムユーザー"
 #: assets/models/backup.py:31 assets/models/cmd_filter.py:38
 #: assets/models/gathered_user.py:14 assets/serializers/label.py:30
 #: assets/serializers/system_user.py:264 audits/models.py:39
-#: perms/models/asset_permission.py:23 terminal/backends/command/models.py:20
+#: perms/models/asset_permission.py:23 terminal/backends/command/models.py:21
 #: terminal/backends/command/serializers.py:13 terminal/models/session.py:46
 #: terminal/notifications.py:90
 #: xpack/plugins/change_auth_plan/models/asset.py:199
 #: xpack/plugins/change_auth_plan/serializers/asset.py:180
-#: xpack/plugins/cloud/models.py:223
+#: xpack/plugins/cloud/models.py:222
 msgid "Asset"
 msgstr "資産"
 
@@ -154,6 +154,7 @@ msgstr "コンマ区切り文字列の形式。* はすべて一致すること
 #: acls/serializers/login_asset_acl.py:51 assets/models/base.py:176
 #: assets/models/gathered_user.py:15 audits/models.py:119
 #: authentication/forms.py:15 authentication/forms.py:17
+#: authentication/models.py:69
 #: authentication/templates/authentication/_msg_different_city.html:9
 #: authentication/templates/authentication/_msg_oauth_bind.html:9
 #: ops/models/adhoc.py:159 users/forms/profile.py:31 users/models/user.py:659
@@ -265,7 +266,7 @@ msgstr "アプリケーション"
 #: applications/models/account.py:15 assets/models/authbook.py:20
 #: assets/models/cmd_filter.py:42 assets/models/user.py:338 audits/models.py:40
 #: perms/models/application_permission.py:33
-#: perms/models/asset_permission.py:25 terminal/backends/command/models.py:21
+#: perms/models/asset_permission.py:25 terminal/backends/command/models.py:22
 #: terminal/backends/command/serializers.py:35 terminal/models/session.py:48
 #: xpack/plugins/change_auth_plan/models/app.py:36
 #: xpack/plugins/change_auth_plan/models/app.py:147
@@ -317,7 +318,7 @@ msgstr "タイプ"
 msgid "Domain"
 msgstr "ドメイン"
 
-#: applications/models/application.py:228 xpack/plugins/cloud/models.py:33
+#: applications/models/application.py:228 xpack/plugins/cloud/models.py:32
 #: xpack/plugins/cloud/serializers/account.py:58
 msgid "Attrs"
 msgstr "ツールバーの"
@@ -356,7 +357,7 @@ msgstr "タイプ表示"
 #: common/mixins/models.py:50 ops/models/adhoc.py:39 ops/models/command.py:30
 #: orgs/models.py:67 orgs/models.py:217 perms/models/base.py:92
 #: users/models/group.py:18 users/models/user.py:918
-#: xpack/plugins/cloud/models.py:125
+#: xpack/plugins/cloud/models.py:124
 msgid "Date created"
 msgstr "作成された日付"
 
@@ -571,7 +572,7 @@ msgstr "ホスト名生"
 
 #: assets/models/asset.py:215 assets/serializers/account.py:16
 #: assets/serializers/asset.py:65 perms/serializers/asset/user_permission.py:41
-#: xpack/plugins/cloud/models.py:107 xpack/plugins/cloud/serializers/task.py:42
+#: xpack/plugins/cloud/models.py:106 xpack/plugins/cloud/serializers/task.py:42
 msgid "Protocols"
 msgstr "プロトコル"
 
@@ -611,7 +612,7 @@ msgstr "ラベル"
 #: orgs/models.py:219 perms/models/base.py:91 users/models/user.py:706
 #: users/serializers/group.py:33
 #: xpack/plugins/change_auth_plan/models/base.py:48
-#: xpack/plugins/cloud/models.py:122 xpack/plugins/gathered_user/models.py:30
+#: xpack/plugins/cloud/models.py:121 xpack/plugins/gathered_user/models.py:30
 msgid "Created by"
 msgstr "によって作成された"
 
@@ -715,7 +716,7 @@ msgstr "トリガーモード"
 #: xpack/plugins/change_auth_plan/models/base.py:201
 #: xpack/plugins/change_auth_plan/serializers/app.py:66
 #: xpack/plugins/change_auth_plan/serializers/asset.py:179
-#: xpack/plugins/cloud/models.py:179
+#: xpack/plugins/cloud/models.py:178
 msgid "Reason"
 msgstr "理由"
 
@@ -751,7 +752,7 @@ msgstr "失敗しました"
 msgid "Connectivity"
 msgstr "接続性"
 
-#: assets/models/base.py:40
+#: assets/models/base.py:40 authentication/models.py:72
 msgid "Date verified"
 msgstr "確認済みの日付"
 
@@ -953,7 +954,7 @@ msgid "Parent key"
 msgstr "親キー"
 
 #: assets/models/node.py:559 assets/serializers/system_user.py:263
-#: xpack/plugins/cloud/models.py:96 xpack/plugins/cloud/serializers/task.py:69
+#: xpack/plugins/cloud/models.py:95 xpack/plugins/cloud/serializers/task.py:69
 msgid "Node"
 msgstr "ノード"
 
@@ -1011,7 +1012,7 @@ msgstr "ログインモード"
 msgid "SFTP Root"
 msgstr "SFTPルート"
 
-#: assets/models/user.py:254 authentication/models.py:48
+#: assets/models/user.py:254 authentication/models.py:49
 msgid "Token"
 msgstr "トークン"
 
@@ -1426,6 +1427,7 @@ msgid "Resource"
 msgstr "リソース"
 
 #: audits/models.py:65 audits/models.py:88
+#: terminal/backends/command/serializers.py:39
 msgid "Datetime"
 msgstr "時間"
 
@@ -1480,8 +1482,8 @@ msgid "MFA"
 msgstr "MFA"
 
 #: audits/models.py:126 terminal/models/status.py:33
-#: tickets/models/ticket.py:140 xpack/plugins/cloud/models.py:175
-#: xpack/plugins/cloud/models.py:227
+#: tickets/models/ticket.py:140 xpack/plugins/cloud/models.py:174
+#: xpack/plugins/cloud/models.py:226
 msgid "Status"
 msgstr "ステータス"
 
@@ -1518,7 +1520,7 @@ msgid "Hosts display"
 msgstr "ホスト表示"
 
 #: audits/serializers.py:96 ops/models/command.py:27
-#: xpack/plugins/cloud/models.py:173
+#: xpack/plugins/cloud/models.py:172
 msgid "Result"
 msgstr "結果"
 
@@ -1562,170 +1564,174 @@ msgstr "企業微信"
 msgid "DingTalk"
 msgstr "DingTalk"
 
-#: audits/signal_handlers.py:106
+#: audits/signal_handlers.py:73 authentication/models.py:76
+msgid "Temporary token"
+msgstr "一時的なトークン"
+
+#: audits/signal_handlers.py:107
 msgid "User and Group"
 msgstr "ユーザーとグループ"
 
-#: audits/signal_handlers.py:107
+#: audits/signal_handlers.py:108
 #, python-brace-format
 msgid "{User} JOINED {UserGroup}"
 msgstr "{User} に参加 {UserGroup}"
 
-#: audits/signal_handlers.py:108
+#: audits/signal_handlers.py:109
 #, python-brace-format
 msgid "{User} LEFT {UserGroup}"
 msgstr "{User} のそばを通る {UserGroup}"
 
-#: audits/signal_handlers.py:111
+#: audits/signal_handlers.py:112
 msgid "Asset and SystemUser"
 msgstr "資産およびシステム・ユーザー"
 
-#: audits/signal_handlers.py:112
+#: audits/signal_handlers.py:113
 #, python-brace-format
 msgid "{Asset} ADD {SystemUser}"
 msgstr "{Asset} 追加 {SystemUser}"
 
-#: audits/signal_handlers.py:113
+#: audits/signal_handlers.py:114
 #, python-brace-format
 msgid "{Asset} REMOVE {SystemUser}"
 msgstr "{Asset} 削除 {SystemUser}"
 
-#: audits/signal_handlers.py:116
+#: audits/signal_handlers.py:117
 msgid "Node and Asset"
 msgstr "ノードと資産"
 
-#: audits/signal_handlers.py:117
+#: audits/signal_handlers.py:118
 #, python-brace-format
 msgid "{Node} ADD {Asset}"
 msgstr "{Node} 追加 {Asset}"
 
-#: audits/signal_handlers.py:118
+#: audits/signal_handlers.py:119
 #, python-brace-format
 msgid "{Node} REMOVE {Asset}"
 msgstr "{Node} 削除 {Asset}"
 
-#: audits/signal_handlers.py:121
+#: audits/signal_handlers.py:122
 msgid "User asset permissions"
 msgstr "ユーザー資産の権限"
 
-#: audits/signal_handlers.py:122
+#: audits/signal_handlers.py:123
 #, python-brace-format
 msgid "{AssetPermission} ADD {User}"
 msgstr "{AssetPermission} 追加 {User}"
 
-#: audits/signal_handlers.py:123
+#: audits/signal_handlers.py:124
 #, python-brace-format
 msgid "{AssetPermission} REMOVE {User}"
 msgstr "{AssetPermission} 削除 {User}"
 
-#: audits/signal_handlers.py:126
+#: audits/signal_handlers.py:127
 msgid "User group asset permissions"
 msgstr "ユーザーグループの資産権限"
 
-#: audits/signal_handlers.py:127
+#: audits/signal_handlers.py:128
 #, python-brace-format
 msgid "{AssetPermission} ADD {UserGroup}"
 msgstr "{AssetPermission} 追加 {UserGroup}"
 
-#: audits/signal_handlers.py:128
+#: audits/signal_handlers.py:129
 #, python-brace-format
 msgid "{AssetPermission} REMOVE {UserGroup}"
 msgstr "{AssetPermission} 削除 {UserGroup}"
 
-#: audits/signal_handlers.py:131 perms/models/asset_permission.py:29
+#: audits/signal_handlers.py:132 perms/models/asset_permission.py:29
 msgid "Asset permission"
 msgstr "資産権限"
 
-#: audits/signal_handlers.py:132
+#: audits/signal_handlers.py:133
 #, python-brace-format
 msgid "{AssetPermission} ADD {Asset}"
 msgstr "{AssetPermission} 追加 {Asset}"
 
-#: audits/signal_handlers.py:133
+#: audits/signal_handlers.py:134
 #, python-brace-format
 msgid "{AssetPermission} REMOVE {Asset}"
 msgstr "{AssetPermission} 削除 {Asset}"
 
-#: audits/signal_handlers.py:136
+#: audits/signal_handlers.py:137
 msgid "Node permission"
 msgstr "ノード権限"
 
-#: audits/signal_handlers.py:137
+#: audits/signal_handlers.py:138
 #, python-brace-format
 msgid "{AssetPermission} ADD {Node}"
 msgstr "{AssetPermission} 追加 {Node}"
 
-#: audits/signal_handlers.py:138
+#: audits/signal_handlers.py:139
 #, python-brace-format
 msgid "{AssetPermission} REMOVE {Node}"
 msgstr "{AssetPermission} 削除 {Node}"
 
-#: audits/signal_handlers.py:141
+#: audits/signal_handlers.py:142
 msgid "Asset permission and SystemUser"
 msgstr "資産権限とSystemUser"
 
-#: audits/signal_handlers.py:142
+#: audits/signal_handlers.py:143
 #, python-brace-format
 msgid "{AssetPermission} ADD {SystemUser}"
 msgstr "{AssetPermission} 追加 {SystemUser}"
 
-#: audits/signal_handlers.py:143
+#: audits/signal_handlers.py:144
 #, python-brace-format
 msgid "{AssetPermission} REMOVE {SystemUser}"
 msgstr "{AssetPermission} 削除 {SystemUser}"
 
-#: audits/signal_handlers.py:146
+#: audits/signal_handlers.py:147
 msgid "User application permissions"
 msgstr "ユーザーアプリケーションの権限"
 
-#: audits/signal_handlers.py:147
+#: audits/signal_handlers.py:148
 #, python-brace-format
 msgid "{ApplicationPermission} ADD {User}"
 msgstr "{ApplicationPermission} 追加 {User}"
 
-#: audits/signal_handlers.py:148
+#: audits/signal_handlers.py:149
 #, python-brace-format
 msgid "{ApplicationPermission} REMOVE {User}"
 msgstr "{ApplicationPermission} 削除 {User}"
 
-#: audits/signal_handlers.py:151
+#: audits/signal_handlers.py:152
 msgid "User group application permissions"
 msgstr "ユーザーグループアプリケーションの権限"
 
-#: audits/signal_handlers.py:152
+#: audits/signal_handlers.py:153
 #, python-brace-format
 msgid "{ApplicationPermission} ADD {UserGroup}"
 msgstr "{ApplicationPermission} 追加 {UserGroup}"
 
-#: audits/signal_handlers.py:153
+#: audits/signal_handlers.py:154
 #, python-brace-format
 msgid "{ApplicationPermission} REMOVE {UserGroup}"
 msgstr "{ApplicationPermission} 削除 {UserGroup}"
 
-#: audits/signal_handlers.py:156 perms/models/application_permission.py:38
+#: audits/signal_handlers.py:157 perms/models/application_permission.py:38
 msgid "Application permission"
 msgstr "申請許可"
 
-#: audits/signal_handlers.py:157
+#: audits/signal_handlers.py:158
 #, python-brace-format
 msgid "{ApplicationPermission} ADD {Application}"
 msgstr "{ApplicationPermission} 追加 {Application}"
 
-#: audits/signal_handlers.py:158
+#: audits/signal_handlers.py:159
 #, python-brace-format
 msgid "{ApplicationPermission} REMOVE {Application}"
 msgstr "{ApplicationPermission} 削除 {Application}"
 
-#: audits/signal_handlers.py:161
+#: audits/signal_handlers.py:162
 msgid "Application permission and SystemUser"
 msgstr "アプリケーション権限とSystemUser"
 
-#: audits/signal_handlers.py:162
+#: audits/signal_handlers.py:163
 #, python-brace-format
 msgid "{ApplicationPermission} ADD {SystemUser}"
 msgstr "{ApplicationPermission} 追加 {SystemUser}"
 
-#: audits/signal_handlers.py:163
+#: audits/signal_handlers.py:164
 #, python-brace-format
 msgid "{ApplicationPermission} REMOVE {SystemUser}"
 msgstr "{ApplicationPermission} 削除 {SystemUser}"
@@ -2028,31 +2034,48 @@ msgstr "MFAタイプ ({}) が有効になっていない"
 msgid "Please change your password"
 msgstr "パスワードを変更してください"
 
-#: authentication/models.py:33 terminal/serializers/storage.py:28
+#: authentication/models.py:34 terminal/serializers/storage.py:28
 msgid "Access key"
 msgstr "アクセスキー"
 
-#: authentication/models.py:40
+#: authentication/models.py:41
 msgid "Private Token"
 msgstr "プライベートトークン"
 
-#: authentication/models.py:49
+#: authentication/models.py:50
 msgid "Expired"
 msgstr "期限切れ"
 
-#: authentication/models.py:53
+#: authentication/models.py:54
 msgid "SSO token"
 msgstr "SSO token"
 
-#: authentication/models.py:61
+#: authentication/models.py:62
 msgid "Connection token"
 msgstr "接続トークン"
 
-#: authentication/models.py:63
+#: authentication/models.py:64
 msgid "Can view connection token secret"
 msgstr "接続トークンの秘密を表示できます"
 
 #: authentication/models.py:70
+#: authentication/templates/authentication/_access_key_modal.html:31
+#: settings/serializers/auth/radius.py:17
+msgid "Secret"
+msgstr "ひみつ"
+
+#: authentication/models.py:71
+msgid "Verified"
+msgstr "確認済み"
+
+#: authentication/models.py:73 perms/models/base.py:90
+#: tickets/serializers/ticket/meta/ticket_type/apply_application.py:58
+#: tickets/serializers/ticket/meta/ticket_type/apply_asset.py:60
+#: users/models/user.py:703
+msgid "Date expired"
+msgstr "期限切れの日付"
+
+#: authentication/models.py:92
 msgid "Super connection token"
 msgstr "スーパー接続トークン"
 
@@ -2064,6 +2087,14 @@ msgstr "異なる都市ログインのリマインダー"
 msgid "binding reminder"
 msgstr "バインディングリマインダー"
 
+#: authentication/serializers/token.py:79
+#: perms/serializers/application/permission.py:20
+#: perms/serializers/application/permission.py:41
+#: perms/serializers/asset/permission.py:19
+#: perms/serializers/asset/permission.py:45 users/serializers/user.py:141
+msgid "Is valid"
+msgstr "有効です"
+
 #: authentication/templates/authentication/_access_key_modal.html:6
 msgid "API key list"
 msgstr "APIキーリスト"
@@ -2081,11 +2112,6 @@ msgstr "ドキュメント"
 msgid "ID"
 msgstr "ID"
 
-#: authentication/templates/authentication/_access_key_modal.html:31
-#: settings/serializers/auth/radius.py:17
-msgid "Secret"
-msgstr "秘密"
-
 #: authentication/templates/authentication/_access_key_modal.html:33
 #: terminal/notifications.py:93 terminal/notifications.py:141
 msgid "Date"
@@ -2151,7 +2177,7 @@ msgstr "コードエラー"
 #: authentication/templates/authentication/_msg_reset_password.html:3
 #: authentication/templates/authentication/_msg_rest_password_success.html:2
 #: authentication/templates/authentication/_msg_rest_public_key_success.html:2
-#: jumpserver/conf.py:296 ops/tasks.py:145 ops/tasks.py:148
+#: jumpserver/conf.py:298 ops/tasks.py:145 ops/tasks.py:148
 #: perms/templates/perms/_msg_item_permissions_expire.html:3
 #: perms/templates/perms/_msg_permed_items_expire.html:3
 #: users/templates/users/_msg_account_expire_reminder.html:4
@@ -2612,11 +2638,11 @@ msgstr "特殊文字を含むべきではない"
 msgid "The mobile phone number format is incorrect"
 msgstr "携帯電話番号の形式が正しくありません"
 
-#: jumpserver/conf.py:295
+#: jumpserver/conf.py:297
 msgid "Create account successfully"
 msgstr "アカウントを正常に作成"
 
-#: jumpserver/conf.py:297
+#: jumpserver/conf.py:299
 msgid "Your account has been created successfully"
 msgstr "アカウントが正常に作成されました"
 
@@ -2972,13 +2998,6 @@ msgstr "クリップボードペースト"
 msgid "Clipboard copy paste"
 msgstr "クリップボードコピーペースト"
 
-#: perms/models/base.py:90
-#: tickets/serializers/ticket/meta/ticket_type/apply_application.py:58
-#: tickets/serializers/ticket/meta/ticket_type/apply_asset.py:60
-#: users/models/user.py:703
-msgid "Date expired"
-msgstr "期限切れの日付"
-
 #: perms/models/base.py:94
 msgid "From ticket"
 msgstr "チケットから"
@@ -3015,13 +3034,6 @@ msgstr "アプリケーション権限の有効期限が近づいています"
 msgid "application permissions of organization {}"
 msgstr "Organization {} のアプリケーション権限"
 
-#: perms/serializers/application/permission.py:20
-#: perms/serializers/application/permission.py:41
-#: perms/serializers/asset/permission.py:19
-#: perms/serializers/asset/permission.py:45 users/serializers/user.py:141
-msgid "Is valid"
-msgstr "有効です"
-
 #: perms/serializers/application/permission.py:21
 #: perms/serializers/application/permission.py:40
 #: perms/serializers/asset/permission.py:20
@@ -3114,27 +3126,27 @@ msgstr "{} 少なくとも1つのシステムロール"
 msgid "RBAC"
 msgstr "RBAC"
 
-#: rbac/builtin.py:97
+#: rbac/builtin.py:98
 msgid "SystemAdmin"
 msgstr "システム管理者"
 
-#: rbac/builtin.py:100
+#: rbac/builtin.py:101
 msgid "SystemAuditor"
 msgstr "システム監査人"
 
-#: rbac/builtin.py:103
+#: rbac/builtin.py:104
 msgid "SystemComponent"
 msgstr "システムコンポーネント"
 
-#: rbac/builtin.py:109
+#: rbac/builtin.py:110
 msgid "OrgAdmin"
 msgstr "組織管理者"
 
-#: rbac/builtin.py:112
+#: rbac/builtin.py:113
 msgid "OrgAuditor"
 msgstr "監査員を組織する"
 
-#: rbac/builtin.py:115
+#: rbac/builtin.py:116
 msgid "OrgUser"
 msgstr "組織ユーザー"
 
@@ -4599,30 +4611,30 @@ msgstr "ターミナル管理"
 msgid "Invalid elasticsearch config"
 msgstr "無効なElasticsearch構成"
 
-#: terminal/backends/command/models.py:15
+#: terminal/backends/command/models.py:16
 msgid "Ordinary"
 msgstr "普通"
 
-#: terminal/backends/command/models.py:16
+#: terminal/backends/command/models.py:17
 msgid "Dangerous"
 msgstr "危険"
 
-#: terminal/backends/command/models.py:22
+#: terminal/backends/command/models.py:23
 msgid "Input"
 msgstr "入力"
 
-#: terminal/backends/command/models.py:23
+#: terminal/backends/command/models.py:24
 #: terminal/backends/command/serializers.py:36
 msgid "Output"
 msgstr "出力"
 
-#: terminal/backends/command/models.py:24 terminal/models/replay.py:9
+#: terminal/backends/command/models.py:25 terminal/models/replay.py:9
 #: terminal/models/sharing.py:17 terminal/models/sharing.py:64
 #: terminal/templates/terminal/_msg_command_alert.html:10
 msgid "Session"
 msgstr "セッション"
 
-#: terminal/backends/command/models.py:25
+#: terminal/backends/command/models.py:26
 #: terminal/backends/command/serializers.py:17
 msgid "Risk level"
 msgstr "リスクレベル"
@@ -4639,7 +4651,7 @@ msgstr "リスクレベル表示"
 msgid "Timestamp"
 msgstr "タイムスタンプ"
 
-#: terminal/backends/command/serializers.py:39 terminal/models/terminal.py:105
+#: terminal/backends/command/serializers.py:40 terminal/models/terminal.py:105
 msgid "Remote Address"
 msgstr "リモートアドレス"
 
@@ -4699,18 +4711,18 @@ msgstr "MariaDB ポート"
 msgid "PostgreSQL Port"
 msgstr "PostgreSQL ポート"
 
-#: terminal/models/endpoint.py:25 terminal/models/endpoint.py:61
+#: terminal/models/endpoint.py:25 terminal/models/endpoint.py:63
 #: terminal/serializers/endpoint.py:40 terminal/serializers/storage.py:37
 #: terminal/serializers/storage.py:49 terminal/serializers/storage.py:79
 #: terminal/serializers/storage.py:89 terminal/serializers/storage.py:97
 msgid "Endpoint"
 msgstr "エンドポイント"
 
-#: terminal/models/endpoint.py:54
+#: terminal/models/endpoint.py:56
 msgid "IP group"
 msgstr "IP グループ"
 
-#: terminal/models/endpoint.py:66
+#: terminal/models/endpoint.py:68
 msgid "Endpoint rule"
 msgstr "エンドポイントルール"
 
@@ -4931,7 +4943,7 @@ msgstr "バケット"
 msgid "Secret key"
 msgstr "秘密キー"
 
-#: terminal/serializers/storage.py:64 xpack/plugins/cloud/models.py:220
+#: terminal/serializers/storage.py:64 xpack/plugins/cloud/models.py:219
 msgid "Region"
 msgstr "リージョン"
 
@@ -6262,79 +6274,79 @@ msgstr "リリース済み"
 msgid "Cloud center"
 msgstr "クラウドセンター"
 
-#: xpack/plugins/cloud/models.py:30
+#: xpack/plugins/cloud/models.py:29
 msgid "Provider"
 msgstr "プロバイダー"
 
-#: xpack/plugins/cloud/models.py:34
+#: xpack/plugins/cloud/models.py:33
 msgid "Validity"
 msgstr "有効性"
 
-#: xpack/plugins/cloud/models.py:39
+#: xpack/plugins/cloud/models.py:38
 msgid "Cloud account"
 msgstr "クラウドアカウント"
 
-#: xpack/plugins/cloud/models.py:41
+#: xpack/plugins/cloud/models.py:40
 msgid "Test cloud account"
 msgstr "クラウドアカウントのテスト"
 
-#: xpack/plugins/cloud/models.py:85 xpack/plugins/cloud/serializers/task.py:66
+#: xpack/plugins/cloud/models.py:84 xpack/plugins/cloud/serializers/task.py:66
 msgid "Account"
 msgstr "アカウント"
 
-#: xpack/plugins/cloud/models.py:88 xpack/plugins/cloud/serializers/task.py:37
+#: xpack/plugins/cloud/models.py:87 xpack/plugins/cloud/serializers/task.py:37
 msgid "Regions"
 msgstr "リージョン"
 
-#: xpack/plugins/cloud/models.py:91
+#: xpack/plugins/cloud/models.py:90
 msgid "Hostname strategy"
 msgstr "ホスト名戦略"
 
-#: xpack/plugins/cloud/models.py:100 xpack/plugins/cloud/serializers/task.py:67
+#: xpack/plugins/cloud/models.py:99 xpack/plugins/cloud/serializers/task.py:67
 msgid "Unix admin user"
 msgstr "Unix adminユーザー"
 
-#: xpack/plugins/cloud/models.py:104 xpack/plugins/cloud/serializers/task.py:68
+#: xpack/plugins/cloud/models.py:103 xpack/plugins/cloud/serializers/task.py:68
 msgid "Windows admin user"
 msgstr "Windows管理者"
 
-#: xpack/plugins/cloud/models.py:110 xpack/plugins/cloud/serializers/task.py:45
+#: xpack/plugins/cloud/models.py:109 xpack/plugins/cloud/serializers/task.py:45
 msgid "IP network segment group"
 msgstr "IPネットワークセグメントグループ"
 
-#: xpack/plugins/cloud/models.py:113 xpack/plugins/cloud/serializers/task.py:71
+#: xpack/plugins/cloud/models.py:112 xpack/plugins/cloud/serializers/task.py:71
 msgid "Always update"
 msgstr "常に更新"
 
-#: xpack/plugins/cloud/models.py:119
+#: xpack/plugins/cloud/models.py:118
 msgid "Date last sync"
 msgstr "最終同期日"
 
-#: xpack/plugins/cloud/models.py:130 xpack/plugins/cloud/models.py:171
+#: xpack/plugins/cloud/models.py:129 xpack/plugins/cloud/models.py:170
 msgid "Sync instance task"
 msgstr "インスタンスの同期タスク"
 
-#: xpack/plugins/cloud/models.py:182 xpack/plugins/cloud/models.py:230
+#: xpack/plugins/cloud/models.py:181 xpack/plugins/cloud/models.py:229
 msgid "Date sync"
 msgstr "日付の同期"
 
-#: xpack/plugins/cloud/models.py:186
+#: xpack/plugins/cloud/models.py:185
 msgid "Sync instance task execution"
 msgstr "インスタンスタスクの同期実行"
 
-#: xpack/plugins/cloud/models.py:210
+#: xpack/plugins/cloud/models.py:209
 msgid "Sync task"
 msgstr "同期タスク"
 
-#: xpack/plugins/cloud/models.py:214
+#: xpack/plugins/cloud/models.py:213
 msgid "Sync instance task history"
 msgstr "インスタンスタスク履歴の同期"
 
-#: xpack/plugins/cloud/models.py:217
+#: xpack/plugins/cloud/models.py:216
 msgid "Instance"
 msgstr "インスタンス"
 
-#: xpack/plugins/cloud/models.py:234
+#: xpack/plugins/cloud/models.py:233
 msgid "Sync instance detail"
 msgstr "同期インスタンスの詳細"
 
@@ -6688,3 +6700,26 @@ msgstr "究極のエディション"
 #: xpack/plugins/license/models.py:77
 msgid "Community edition"
 msgstr "コミュニティ版"
+
+#~ msgid "Inherit"
+#~ msgstr "継承"
+
+#~ msgid "Include"
+#~ msgstr "含める"
+
+#~ msgid "Exclude"
+#~ msgstr "除外"
+
+#~ msgid "DatabaseApp"
+#~ msgstr "データベースの適用"
+
+#, fuzzy
+#~| msgid "Connection token"
+#~ msgid "One time token"
+#~ msgstr "接続トークン"
+
+#~ msgid "JD Cloud"
+#~ msgstr "京東雲"
+
+#~ msgid "CN East-Suqian"
+#~ msgstr "華東-宿遷"
diff --git a/apps/locale/zh/LC_MESSAGES/django.mo b/apps/locale/zh/LC_MESSAGES/django.mo
index 5b9f31b64..ad6a09539 100644
--- a/apps/locale/zh/LC_MESSAGES/django.mo
+++ b/apps/locale/zh/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:9c13775875a335e3c8dbc7f666af622c5aa12050100b15e616c210e8e3043e38
-size 103490
+oid sha256:c5e41035cf1525f01fb773511041f0f8a3a25cdfb1fa4f1e681c6d7eec85f6b9
+size 103570
diff --git a/apps/locale/zh/LC_MESSAGES/django.po b/apps/locale/zh/LC_MESSAGES/django.po
index b15b2c545..365f797eb 100644
--- a/apps/locale/zh/LC_MESSAGES/django.po
+++ b/apps/locale/zh/LC_MESSAGES/django.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: JumpServer 0.3.3\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-04-12 17:03+0800\n"
+"POT-Creation-Date: 2022-04-13 20:21+0800\n"
 "PO-Revision-Date: 2021-05-20 10:54+0800\n"
 "Last-Translator: ibuler <ibuler@qq.com>\n"
 "Language-Team: JumpServer team<ibuler@qq.com>\n"
@@ -28,25 +28,25 @@ msgstr "访问控制"
 #: assets/models/group.py:20 assets/models/label.py:18 ops/mixin.py:24
 #: orgs/models.py:65 perms/models/base.py:83 rbac/models/role.py:29
 #: settings/models.py:29 settings/serializers/sms.py:6
-#: terminal/models/endpoint.py:10 terminal/models/endpoint.py:53
+#: terminal/models/endpoint.py:10 terminal/models/endpoint.py:55
 #: terminal/models/storage.py:23 terminal/models/task.py:16
 #: terminal/models/terminal.py:100 users/forms/profile.py:32
 #: users/models/group.py:15 users/models/user.py:661
-#: xpack/plugins/cloud/models.py:28
+#: xpack/plugins/cloud/models.py:27
 msgid "Name"
 msgstr "名称"
 
 #: acls/models/base.py:27 assets/models/cmd_filter.py:84
-#: assets/models/user.py:247 terminal/models/endpoint.py:56
+#: assets/models/user.py:247 terminal/models/endpoint.py:58
 msgid "Priority"
 msgstr "优先级"
 
 #: acls/models/base.py:28 assets/models/cmd_filter.py:84
-#: assets/models/user.py:247 terminal/models/endpoint.py:57
+#: assets/models/user.py:247 terminal/models/endpoint.py:59
 msgid "1-100, the lower the value will be match first"
 msgstr "优先级可选范围为 1-100 (数值越小越优先)"
 
-#: acls/models/base.py:31 authentication/models.py:17
+#: acls/models/base.py:31 authentication/models.py:18
 #: authentication/templates/authentication/_access_key_modal.html:32
 #: perms/models/base.py:88 terminal/models/sharing.py:26
 msgid "Active"
@@ -60,12 +60,12 @@ msgstr "激活中"
 #: assets/models/domain.py:64 assets/models/group.py:23
 #: assets/models/label.py:23 ops/models/adhoc.py:38 orgs/models.py:68
 #: perms/models/base.py:93 rbac/models/role.py:37 settings/models.py:34
-#: terminal/models/endpoint.py:20 terminal/models/endpoint.py:63
+#: terminal/models/endpoint.py:20 terminal/models/endpoint.py:65
 #: terminal/models/storage.py:26 terminal/models/terminal.py:114
 #: tickets/models/comment.py:24 tickets/models/ticket.py:154
 #: users/models/group.py:16 users/models/user.py:698
 #: xpack/plugins/change_auth_plan/models/base.py:44
-#: xpack/plugins/cloud/models.py:35 xpack/plugins/cloud/models.py:116
+#: xpack/plugins/cloud/models.py:34 xpack/plugins/cloud/models.py:115
 #: xpack/plugins/gathered_user/models.py:26
 msgid "Comment"
 msgstr "备注"
@@ -86,9 +86,9 @@ msgstr "登录复核"
 #: acls/models/login_acl.py:24 acls/models/login_asset_acl.py:20
 #: assets/models/cmd_filter.py:30 assets/models/label.py:15 audits/models.py:37
 #: audits/models.py:60 audits/models.py:85 audits/serializers.py:100
-#: authentication/models.py:50 orgs/models.py:214 perms/models/base.py:84
-#: rbac/builtin.py:106 rbac/models/rolebinding.py:40
-#: terminal/backends/command/models.py:19
+#: authentication/models.py:51 orgs/models.py:214 perms/models/base.py:84
+#: rbac/builtin.py:107 rbac/models/rolebinding.py:40
+#: terminal/backends/command/models.py:20
 #: terminal/backends/command/serializers.py:12 terminal/models/session.py:44
 #: terminal/notifications.py:91 terminal/notifications.py:139
 #: tickets/models/comment.py:17 users/const.py:14 users/models/user.py:886
@@ -128,12 +128,12 @@ msgstr "系统用户"
 #: assets/models/backup.py:31 assets/models/cmd_filter.py:38
 #: assets/models/gathered_user.py:14 assets/serializers/label.py:30
 #: assets/serializers/system_user.py:264 audits/models.py:39
-#: perms/models/asset_permission.py:23 terminal/backends/command/models.py:20
+#: perms/models/asset_permission.py:23 terminal/backends/command/models.py:21
 #: terminal/backends/command/serializers.py:13 terminal/models/session.py:46
 #: terminal/notifications.py:90
 #: xpack/plugins/change_auth_plan/models/asset.py:199
 #: xpack/plugins/change_auth_plan/serializers/asset.py:180
-#: xpack/plugins/cloud/models.py:223
+#: xpack/plugins/cloud/models.py:222
 msgid "Asset"
 msgstr "资产"
 
@@ -153,6 +153,7 @@ msgstr "格式为逗号分隔的字符串, * 表示匹配所有. "
 #: acls/serializers/login_asset_acl.py:51 assets/models/base.py:176
 #: assets/models/gathered_user.py:15 audits/models.py:119
 #: authentication/forms.py:15 authentication/forms.py:17
+#: authentication/models.py:69
 #: authentication/templates/authentication/_msg_different_city.html:9
 #: authentication/templates/authentication/_msg_oauth_bind.html:9
 #: ops/models/adhoc.py:159 users/forms/profile.py:31 users/models/user.py:659
@@ -260,7 +261,7 @@ msgstr "应用程序"
 #: applications/models/account.py:15 assets/models/authbook.py:20
 #: assets/models/cmd_filter.py:42 assets/models/user.py:338 audits/models.py:40
 #: perms/models/application_permission.py:33
-#: perms/models/asset_permission.py:25 terminal/backends/command/models.py:21
+#: perms/models/asset_permission.py:25 terminal/backends/command/models.py:22
 #: terminal/backends/command/serializers.py:35 terminal/models/session.py:48
 #: xpack/plugins/change_auth_plan/models/app.py:36
 #: xpack/plugins/change_auth_plan/models/app.py:147
@@ -312,7 +313,7 @@ msgstr "类型"
 msgid "Domain"
 msgstr "网域"
 
-#: applications/models/application.py:228 xpack/plugins/cloud/models.py:33
+#: applications/models/application.py:228 xpack/plugins/cloud/models.py:32
 #: xpack/plugins/cloud/serializers/account.py:58
 msgid "Attrs"
 msgstr "属性"
@@ -351,7 +352,7 @@ msgstr "类型名称"
 #: common/mixins/models.py:50 ops/models/adhoc.py:39 ops/models/command.py:30
 #: orgs/models.py:67 orgs/models.py:217 perms/models/base.py:92
 #: users/models/group.py:18 users/models/user.py:918
-#: xpack/plugins/cloud/models.py:125
+#: xpack/plugins/cloud/models.py:124
 msgid "Date created"
 msgstr "创建日期"
 
@@ -566,7 +567,7 @@ msgstr "主机名原始"
 
 #: assets/models/asset.py:215 assets/serializers/account.py:16
 #: assets/serializers/asset.py:65 perms/serializers/asset/user_permission.py:41
-#: xpack/plugins/cloud/models.py:107 xpack/plugins/cloud/serializers/task.py:42
+#: xpack/plugins/cloud/models.py:106 xpack/plugins/cloud/serializers/task.py:42
 msgid "Protocols"
 msgstr "协议组"
 
@@ -606,7 +607,7 @@ msgstr "标签管理"
 #: orgs/models.py:219 perms/models/base.py:91 users/models/user.py:706
 #: users/serializers/group.py:33
 #: xpack/plugins/change_auth_plan/models/base.py:48
-#: xpack/plugins/cloud/models.py:122 xpack/plugins/gathered_user/models.py:30
+#: xpack/plugins/cloud/models.py:121 xpack/plugins/gathered_user/models.py:30
 msgid "Created by"
 msgstr "创建者"
 
@@ -710,7 +711,7 @@ msgstr "触发模式"
 #: xpack/plugins/change_auth_plan/models/base.py:201
 #: xpack/plugins/change_auth_plan/serializers/app.py:66
 #: xpack/plugins/change_auth_plan/serializers/asset.py:179
-#: xpack/plugins/cloud/models.py:179
+#: xpack/plugins/cloud/models.py:178
 msgid "Reason"
 msgstr "原因"
 
@@ -746,7 +747,7 @@ msgstr "失败"
 msgid "Connectivity"
 msgstr "可连接性"
 
-#: assets/models/base.py:40
+#: assets/models/base.py:40 authentication/models.py:72
 msgid "Date verified"
 msgstr "校验日期"
 
@@ -948,7 +949,7 @@ msgid "Parent key"
 msgstr "ssh私钥"
 
 #: assets/models/node.py:559 assets/serializers/system_user.py:263
-#: xpack/plugins/cloud/models.py:96 xpack/plugins/cloud/serializers/task.py:69
+#: xpack/plugins/cloud/models.py:95 xpack/plugins/cloud/serializers/task.py:69
 msgid "Node"
 msgstr "节点"
 
@@ -1006,7 +1007,7 @@ msgstr "认证方式"
 msgid "SFTP Root"
 msgstr "SFTP根路径"
 
-#: assets/models/user.py:254 authentication/models.py:48
+#: assets/models/user.py:254 authentication/models.py:49
 msgid "Token"
 msgstr "Token"
 
@@ -1414,6 +1415,7 @@ msgid "Resource"
 msgstr "资源"
 
 #: audits/models.py:65 audits/models.py:88
+#: terminal/backends/command/serializers.py:39
 msgid "Datetime"
 msgstr "日期"
 
@@ -1468,8 +1470,8 @@ msgid "MFA"
 msgstr "MFA"
 
 #: audits/models.py:126 terminal/models/status.py:33
-#: tickets/models/ticket.py:140 xpack/plugins/cloud/models.py:175
-#: xpack/plugins/cloud/models.py:227
+#: tickets/models/ticket.py:140 xpack/plugins/cloud/models.py:174
+#: xpack/plugins/cloud/models.py:226
 msgid "Status"
 msgstr "状态"
 
@@ -1506,7 +1508,7 @@ msgid "Hosts display"
 msgstr "主机名称"
 
 #: audits/serializers.py:96 ops/models/command.py:27
-#: xpack/plugins/cloud/models.py:173
+#: xpack/plugins/cloud/models.py:172
 msgid "Result"
 msgstr "结果"
 
@@ -1550,170 +1552,174 @@ msgstr "企业微信"
 msgid "DingTalk"
 msgstr "钉钉"
 
-#: audits/signal_handlers.py:106
+#: audits/signal_handlers.py:73 authentication/models.py:76
+msgid "Temporary token"
+msgstr "临时 Token"
+
+#: audits/signal_handlers.py:107
 msgid "User and Group"
 msgstr "用户与用户组"
 
-#: audits/signal_handlers.py:107
+#: audits/signal_handlers.py:108
 #, python-brace-format
 msgid "{User} JOINED {UserGroup}"
 msgstr "{User} 加入 {UserGroup}"
 
-#: audits/signal_handlers.py:108
+#: audits/signal_handlers.py:109
 #, python-brace-format
 msgid "{User} LEFT {UserGroup}"
 msgstr "{User} 离开 {UserGroup}"
 
-#: audits/signal_handlers.py:111
+#: audits/signal_handlers.py:112
 msgid "Asset and SystemUser"
 msgstr "资产与系统用户"
 
-#: audits/signal_handlers.py:112
+#: audits/signal_handlers.py:113
 #, python-brace-format
 msgid "{Asset} ADD {SystemUser}"
 msgstr "{Asset} 添加 {SystemUser}"
 
-#: audits/signal_handlers.py:113
+#: audits/signal_handlers.py:114
 #, python-brace-format
 msgid "{Asset} REMOVE {SystemUser}"
 msgstr "{Asset} 移除 {SystemUser}"
 
-#: audits/signal_handlers.py:116
+#: audits/signal_handlers.py:117
 msgid "Node and Asset"
 msgstr "节点与资产"
 
-#: audits/signal_handlers.py:117
+#: audits/signal_handlers.py:118
 #, python-brace-format
 msgid "{Node} ADD {Asset}"
 msgstr "{Node} 添加 {Asset}"
 
-#: audits/signal_handlers.py:118
+#: audits/signal_handlers.py:119
 #, python-brace-format
 msgid "{Node} REMOVE {Asset}"
 msgstr "{Node} 移除 {Asset}"
 
-#: audits/signal_handlers.py:121
+#: audits/signal_handlers.py:122
 msgid "User asset permissions"
 msgstr "用户资产授权"
 
-#: audits/signal_handlers.py:122
+#: audits/signal_handlers.py:123
 #, python-brace-format
 msgid "{AssetPermission} ADD {User}"
 msgstr "{AssetPermission} 添加 {User}"
 
-#: audits/signal_handlers.py:123
+#: audits/signal_handlers.py:124
 #, python-brace-format
 msgid "{AssetPermission} REMOVE {User}"
 msgstr "{AssetPermission} 移除 {User}"
 
-#: audits/signal_handlers.py:126
+#: audits/signal_handlers.py:127
 msgid "User group asset permissions"
 msgstr "用户组资产授权"
 
-#: audits/signal_handlers.py:127
+#: audits/signal_handlers.py:128
 #, python-brace-format
 msgid "{AssetPermission} ADD {UserGroup}"
 msgstr "{AssetPermission} 添加 {UserGroup}"
 
-#: audits/signal_handlers.py:128
+#: audits/signal_handlers.py:129
 #, python-brace-format
 msgid "{AssetPermission} REMOVE {UserGroup}"
 msgstr "{AssetPermission} 移除 {UserGroup}"
 
-#: audits/signal_handlers.py:131 perms/models/asset_permission.py:29
+#: audits/signal_handlers.py:132 perms/models/asset_permission.py:29
 msgid "Asset permission"
 msgstr "资产授权"
 
-#: audits/signal_handlers.py:132
+#: audits/signal_handlers.py:133
 #, python-brace-format
 msgid "{AssetPermission} ADD {Asset}"
 msgstr "{AssetPermission} 添加 {Asset}"
 
-#: audits/signal_handlers.py:133
+#: audits/signal_handlers.py:134
 #, python-brace-format
 msgid "{AssetPermission} REMOVE {Asset}"
 msgstr "{AssetPermission} 移除 {Asset}"
 
-#: audits/signal_handlers.py:136
+#: audits/signal_handlers.py:137
 msgid "Node permission"
 msgstr "节点授权"
 
-#: audits/signal_handlers.py:137
+#: audits/signal_handlers.py:138
 #, python-brace-format
 msgid "{AssetPermission} ADD {Node}"
 msgstr "{AssetPermission} 添加 {Node}"
 
-#: audits/signal_handlers.py:138
+#: audits/signal_handlers.py:139
 #, python-brace-format
 msgid "{AssetPermission} REMOVE {Node}"
 msgstr "{AssetPermission} 移除 {Node}"
 
-#: audits/signal_handlers.py:141
+#: audits/signal_handlers.py:142
 msgid "Asset permission and SystemUser"
 msgstr "资产授权与系统用户"
 
-#: audits/signal_handlers.py:142
+#: audits/signal_handlers.py:143
 #, python-brace-format
 msgid "{AssetPermission} ADD {SystemUser}"
 msgstr "{AssetPermission} 添加 {SystemUser}"
 
-#: audits/signal_handlers.py:143
+#: audits/signal_handlers.py:144
 #, python-brace-format
 msgid "{AssetPermission} REMOVE {SystemUser}"
 msgstr "{AssetPermission} 移除 {SystemUser}"
 
-#: audits/signal_handlers.py:146
+#: audits/signal_handlers.py:147
 msgid "User application permissions"
 msgstr "用户应用授权"
 
-#: audits/signal_handlers.py:147
+#: audits/signal_handlers.py:148
 #, python-brace-format
 msgid "{ApplicationPermission} ADD {User}"
 msgstr "{ApplicationPermission} 添加 {User}"
 
-#: audits/signal_handlers.py:148
+#: audits/signal_handlers.py:149
 #, python-brace-format
 msgid "{ApplicationPermission} REMOVE {User}"
 msgstr "{ApplicationPermission} 移除 {User}"
 
-#: audits/signal_handlers.py:151
+#: audits/signal_handlers.py:152
 msgid "User group application permissions"
 msgstr "用户组应用授权"
 
-#: audits/signal_handlers.py:152
+#: audits/signal_handlers.py:153
 #, python-brace-format
 msgid "{ApplicationPermission} ADD {UserGroup}"
 msgstr "{ApplicationPermission} 添加 {UserGroup}"
 
-#: audits/signal_handlers.py:153
+#: audits/signal_handlers.py:154
 #, python-brace-format
 msgid "{ApplicationPermission} REMOVE {UserGroup}"
 msgstr "{ApplicationPermission} 移除 {UserGroup}"
 
-#: audits/signal_handlers.py:156 perms/models/application_permission.py:38
+#: audits/signal_handlers.py:157 perms/models/application_permission.py:38
 msgid "Application permission"
 msgstr "应用授权"
 
-#: audits/signal_handlers.py:157
+#: audits/signal_handlers.py:158
 #, python-brace-format
 msgid "{ApplicationPermission} ADD {Application}"
 msgstr "{ApplicationPermission} 添加 {Application}"
 
-#: audits/signal_handlers.py:158
+#: audits/signal_handlers.py:159
 #, python-brace-format
 msgid "{ApplicationPermission} REMOVE {Application}"
 msgstr "{ApplicationPermission} 移除 {Application}"
 
-#: audits/signal_handlers.py:161
+#: audits/signal_handlers.py:162
 msgid "Application permission and SystemUser"
 msgstr "应用授权与系统用户"
 
-#: audits/signal_handlers.py:162
+#: audits/signal_handlers.py:163
 #, python-brace-format
 msgid "{ApplicationPermission} ADD {SystemUser}"
 msgstr "{ApplicationPermission} 添加 {SystemUser}"
 
-#: audits/signal_handlers.py:163
+#: audits/signal_handlers.py:164
 #, python-brace-format
 msgid "{ApplicationPermission} REMOVE {SystemUser}"
 msgstr "{ApplicationPermission} 移除 {SystemUser}"
@@ -2007,31 +2013,48 @@ msgstr "该 MFA ({}) 方式没有启用"
 msgid "Please change your password"
 msgstr "请修改密码"
 
-#: authentication/models.py:33 terminal/serializers/storage.py:28
+#: authentication/models.py:34 terminal/serializers/storage.py:28
 msgid "Access key"
 msgstr "API key"
 
-#: authentication/models.py:40
+#: authentication/models.py:41
 msgid "Private Token"
 msgstr "SSH密钥"
 
-#: authentication/models.py:49
+#: authentication/models.py:50
 msgid "Expired"
 msgstr "过期时间"
 
-#: authentication/models.py:53
+#: authentication/models.py:54
 msgid "SSO token"
 msgstr "SSO token"
 
-#: authentication/models.py:61
+#: authentication/models.py:62
 msgid "Connection token"
 msgstr "连接令牌"
 
-#: authentication/models.py:63
+#: authentication/models.py:64
 msgid "Can view connection token secret"
 msgstr "可以查看连接令牌密文"
 
 #: authentication/models.py:70
+#: authentication/templates/authentication/_access_key_modal.html:31
+#: settings/serializers/auth/radius.py:17
+msgid "Secret"
+msgstr "密钥"
+
+#: authentication/models.py:71
+msgid "Verified"
+msgstr "已校验"
+
+#: authentication/models.py:73 perms/models/base.py:90
+#: tickets/serializers/ticket/meta/ticket_type/apply_application.py:58
+#: tickets/serializers/ticket/meta/ticket_type/apply_asset.py:60
+#: users/models/user.py:703
+msgid "Date expired"
+msgstr "失效日期"
+
+#: authentication/models.py:92
 msgid "Super connection token"
 msgstr "超级连接令牌"
 
@@ -2043,6 +2066,14 @@ msgstr "异地登录提醒"
 msgid "binding reminder"
 msgstr "绑定提醒"
 
+#: authentication/serializers/token.py:79
+#: perms/serializers/application/permission.py:20
+#: perms/serializers/application/permission.py:41
+#: perms/serializers/asset/permission.py:19
+#: perms/serializers/asset/permission.py:45 users/serializers/user.py:141
+msgid "Is valid"
+msgstr "账号是否有效"
+
 #: authentication/templates/authentication/_access_key_modal.html:6
 msgid "API key list"
 msgstr "API Key列表"
@@ -2060,11 +2091,6 @@ msgstr "文档"
 msgid "ID"
 msgstr "ID"
 
-#: authentication/templates/authentication/_access_key_modal.html:31
-#: settings/serializers/auth/radius.py:17
-msgid "Secret"
-msgstr "密钥"
-
 #: authentication/templates/authentication/_access_key_modal.html:33
 #: terminal/notifications.py:93 terminal/notifications.py:141
 msgid "Date"
@@ -2130,7 +2156,7 @@ msgstr "代码错误"
 #: authentication/templates/authentication/_msg_reset_password.html:3
 #: authentication/templates/authentication/_msg_rest_password_success.html:2
 #: authentication/templates/authentication/_msg_rest_public_key_success.html:2
-#: jumpserver/conf.py:296 ops/tasks.py:145 ops/tasks.py:148
+#: jumpserver/conf.py:298 ops/tasks.py:145 ops/tasks.py:148
 #: perms/templates/perms/_msg_item_permissions_expire.html:3
 #: perms/templates/perms/_msg_permed_items_expire.html:3
 #: users/templates/users/_msg_account_expire_reminder.html:4
@@ -2582,11 +2608,11 @@ msgstr "不能包含特殊字符"
 msgid "The mobile phone number format is incorrect"
 msgstr "手机号格式不正确"
 
-#: jumpserver/conf.py:295
+#: jumpserver/conf.py:297
 msgid "Create account successfully"
 msgstr "创建账号成功"
 
-#: jumpserver/conf.py:297
+#: jumpserver/conf.py:299
 msgid "Your account has been created successfully"
 msgstr "你的账号已创建成功"
 
@@ -2937,13 +2963,6 @@ msgstr "剪贴板粘贴"
 msgid "Clipboard copy paste"
 msgstr "剪贴板复制粘贴"
 
-#: perms/models/base.py:90
-#: tickets/serializers/ticket/meta/ticket_type/apply_application.py:58
-#: tickets/serializers/ticket/meta/ticket_type/apply_asset.py:60
-#: users/models/user.py:703
-msgid "Date expired"
-msgstr "失效日期"
-
 #: perms/models/base.py:94
 msgid "From ticket"
 msgstr "来自工单"
@@ -2980,13 +2999,6 @@ msgstr "应用授权规则即将过期"
 msgid "application permissions of organization {}"
 msgstr "组织 ({}) 的应用授权"
 
-#: perms/serializers/application/permission.py:20
-#: perms/serializers/application/permission.py:41
-#: perms/serializers/asset/permission.py:19
-#: perms/serializers/asset/permission.py:45 users/serializers/user.py:141
-msgid "Is valid"
-msgstr "账号是否有效"
-
 #: perms/serializers/application/permission.py:21
 #: perms/serializers/application/permission.py:40
 #: perms/serializers/asset/permission.py:20
@@ -3077,27 +3089,27 @@ msgstr "{} 至少有一个系统角色"
 msgid "RBAC"
 msgstr "RBAC"
 
-#: rbac/builtin.py:97
+#: rbac/builtin.py:98
 msgid "SystemAdmin"
 msgstr "系统管理员"
 
-#: rbac/builtin.py:100
+#: rbac/builtin.py:101
 msgid "SystemAuditor"
 msgstr "系统审计员"
 
-#: rbac/builtin.py:103
+#: rbac/builtin.py:104
 msgid "SystemComponent"
 msgstr "系统组件"
 
-#: rbac/builtin.py:109
+#: rbac/builtin.py:110
 msgid "OrgAdmin"
 msgstr "组织管理员"
 
-#: rbac/builtin.py:112
+#: rbac/builtin.py:113
 msgid "OrgAuditor"
 msgstr "组织审计员"
 
-#: rbac/builtin.py:115
+#: rbac/builtin.py:116
 msgid "OrgUser"
 msgstr "组织用户"
 
@@ -4528,30 +4540,30 @@ msgstr "终端管理"
 msgid "Invalid elasticsearch config"
 msgstr "无效的 Elasticsearch 配置"
 
-#: terminal/backends/command/models.py:15
+#: terminal/backends/command/models.py:16
 msgid "Ordinary"
 msgstr "普通"
 
-#: terminal/backends/command/models.py:16
+#: terminal/backends/command/models.py:17
 msgid "Dangerous"
 msgstr "危险"
 
-#: terminal/backends/command/models.py:22
+#: terminal/backends/command/models.py:23
 msgid "Input"
 msgstr "输入"
 
-#: terminal/backends/command/models.py:23
+#: terminal/backends/command/models.py:24
 #: terminal/backends/command/serializers.py:36
 msgid "Output"
 msgstr "输出"
 
-#: terminal/backends/command/models.py:24 terminal/models/replay.py:9
+#: terminal/backends/command/models.py:25 terminal/models/replay.py:9
 #: terminal/models/sharing.py:17 terminal/models/sharing.py:64
 #: terminal/templates/terminal/_msg_command_alert.html:10
 msgid "Session"
 msgstr "会话"
 
-#: terminal/backends/command/models.py:25
+#: terminal/backends/command/models.py:26
 #: terminal/backends/command/serializers.py:17
 msgid "Risk level"
 msgstr "风险等级"
@@ -4568,7 +4580,7 @@ msgstr "风险等级名称"
 msgid "Timestamp"
 msgstr "时间戳"
 
-#: terminal/backends/command/serializers.py:39 terminal/models/terminal.py:105
+#: terminal/backends/command/serializers.py:40 terminal/models/terminal.py:105
 msgid "Remote Address"
 msgstr "远端地址"
 
@@ -4628,18 +4640,18 @@ msgstr "MariaDB 端口"
 msgid "PostgreSQL Port"
 msgstr "PostgreSQL 端口"
 
-#: terminal/models/endpoint.py:25 terminal/models/endpoint.py:61
+#: terminal/models/endpoint.py:25 terminal/models/endpoint.py:63
 #: terminal/serializers/endpoint.py:40 terminal/serializers/storage.py:37
 #: terminal/serializers/storage.py:49 terminal/serializers/storage.py:79
 #: terminal/serializers/storage.py:89 terminal/serializers/storage.py:97
 msgid "Endpoint"
 msgstr "端点"
 
-#: terminal/models/endpoint.py:54
+#: terminal/models/endpoint.py:56
 msgid "IP group"
 msgstr "IP 组"
 
-#: terminal/models/endpoint.py:66
+#: terminal/models/endpoint.py:68
 msgid "Endpoint rule"
 msgstr "端点规则"
 
@@ -4860,7 +4872,7 @@ msgstr "桶名称"
 msgid "Secret key"
 msgstr "密钥"
 
-#: terminal/serializers/storage.py:64 xpack/plugins/cloud/models.py:220
+#: terminal/serializers/storage.py:64 xpack/plugins/cloud/models.py:219
 msgid "Region"
 msgstr "地域"
 
@@ -6174,79 +6186,79 @@ msgstr "已释放"
 msgid "Cloud center"
 msgstr "云管中心"
 
-#: xpack/plugins/cloud/models.py:30
+#: xpack/plugins/cloud/models.py:29
 msgid "Provider"
 msgstr "云服务商"
 
-#: xpack/plugins/cloud/models.py:34
+#: xpack/plugins/cloud/models.py:33
 msgid "Validity"
 msgstr "有效"
 
-#: xpack/plugins/cloud/models.py:39
+#: xpack/plugins/cloud/models.py:38
 msgid "Cloud account"
 msgstr "云账号"
 
-#: xpack/plugins/cloud/models.py:41
+#: xpack/plugins/cloud/models.py:40
 msgid "Test cloud account"
 msgstr "测试云账号"
 
-#: xpack/plugins/cloud/models.py:85 xpack/plugins/cloud/serializers/task.py:66
+#: xpack/plugins/cloud/models.py:84 xpack/plugins/cloud/serializers/task.py:66
 msgid "Account"
 msgstr "账号"
 
-#: xpack/plugins/cloud/models.py:88 xpack/plugins/cloud/serializers/task.py:37
+#: xpack/plugins/cloud/models.py:87 xpack/plugins/cloud/serializers/task.py:37
 msgid "Regions"
 msgstr "地域"
 
-#: xpack/plugins/cloud/models.py:91
+#: xpack/plugins/cloud/models.py:90
 msgid "Hostname strategy"
 msgstr "主机名策略"
 
-#: xpack/plugins/cloud/models.py:100 xpack/plugins/cloud/serializers/task.py:67
+#: xpack/plugins/cloud/models.py:99 xpack/plugins/cloud/serializers/task.py:67
 msgid "Unix admin user"
 msgstr "Unix 管理员"
 
-#: xpack/plugins/cloud/models.py:104 xpack/plugins/cloud/serializers/task.py:68
+#: xpack/plugins/cloud/models.py:103 xpack/plugins/cloud/serializers/task.py:68
 msgid "Windows admin user"
 msgstr "Windows 管理员"
 
-#: xpack/plugins/cloud/models.py:110 xpack/plugins/cloud/serializers/task.py:45
+#: xpack/plugins/cloud/models.py:109 xpack/plugins/cloud/serializers/task.py:45
 msgid "IP network segment group"
 msgstr "IP网段组"
 
-#: xpack/plugins/cloud/models.py:113 xpack/plugins/cloud/serializers/task.py:71
+#: xpack/plugins/cloud/models.py:112 xpack/plugins/cloud/serializers/task.py:71
 msgid "Always update"
 msgstr "总是更新"
 
-#: xpack/plugins/cloud/models.py:119
+#: xpack/plugins/cloud/models.py:118
 msgid "Date last sync"
 msgstr "最后同步日期"
 
-#: xpack/plugins/cloud/models.py:130 xpack/plugins/cloud/models.py:171
+#: xpack/plugins/cloud/models.py:129 xpack/plugins/cloud/models.py:170
 msgid "Sync instance task"
 msgstr "同步实例任务"
 
-#: xpack/plugins/cloud/models.py:182 xpack/plugins/cloud/models.py:230
+#: xpack/plugins/cloud/models.py:181 xpack/plugins/cloud/models.py:229
 msgid "Date sync"
 msgstr "同步日期"
 
-#: xpack/plugins/cloud/models.py:186
+#: xpack/plugins/cloud/models.py:185
 msgid "Sync instance task execution"
 msgstr "同步实例任务执行"
 
-#: xpack/plugins/cloud/models.py:210
+#: xpack/plugins/cloud/models.py:209
 msgid "Sync task"
 msgstr "同步任务"
 
-#: xpack/plugins/cloud/models.py:214
+#: xpack/plugins/cloud/models.py:213
 msgid "Sync instance task history"
 msgstr "同步实例任务历史"
 
-#: xpack/plugins/cloud/models.py:217
+#: xpack/plugins/cloud/models.py:216
 msgid "Instance"
 msgstr "实例"
 
-#: xpack/plugins/cloud/models.py:234
+#: xpack/plugins/cloud/models.py:233
 msgid "Sync instance detail"
 msgstr "同步实例详情"
 
@@ -6599,3 +6611,23 @@ msgstr "旗舰版"
 #: xpack/plugins/license/models.py:77
 msgid "Community edition"
 msgstr "社区版"
+
+#~ msgid "Inherit"
+#~ msgstr "继承"
+
+#~ msgid "Include"
+#~ msgstr "包含"
+
+#~ msgid "Exclude"
+#~ msgstr "不包含"
+
+#~ msgid "DatabaseApp"
+#~ msgstr "数据库应用"
+
+#~ msgid "Database proxy MySQL protocol listen port"
+#~ msgstr "MySQL 协议监听的端口"
+
+#, fuzzy
+#~| msgid "Database proxy PostgreSQL port"
+#~ msgid "Database proxy PostgreSQL listen port"
+#~ msgstr "数据库组件 PostgreSQL 协议监听的端口"
diff --git a/apps/rbac/builtin.py b/apps/rbac/builtin.py
index 513ec210a..d8e84a554 100644
--- a/apps/rbac/builtin.py
+++ b/apps/rbac/builtin.py
@@ -16,6 +16,7 @@ user_perms = (
     ('applications', 'application', 'match', 'application'),
     ('ops', 'commandexecution', 'add', 'commandexecution'),
     ('authentication', 'connectiontoken', 'add', 'connectiontoken'),
+    ('authentication', 'temptoken', 'add', 'temptoken'),
     ('tickets', 'ticket', 'view', 'ticket'),
     ('orgs', 'organization', 'view', 'rootorg'),
 )
diff --git a/apps/settings/api/public.py b/apps/settings/api/public.py
index a6dc3b43c..ca221f2de 100644
--- a/apps/settings/api/public.py
+++ b/apps/settings/api/public.py
@@ -67,6 +67,7 @@ class PublicSettingApi(generics.RetrieveAPIView):
                 # Announcement
                 "ANNOUNCEMENT_ENABLED": settings.ANNOUNCEMENT_ENABLED,
                 "ANNOUNCEMENT": settings.ANNOUNCEMENT,
+                "AUTH_TEMP_TOKEN": settings.AUTH_TEMP_TOKEN,
             }
         }
         return instance

From 5127214375cb4ad6458276a7a0c38e3cd6951c69 Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Thu, 14 Apr 2022 12:18:11 +0800
Subject: [PATCH 024/258] =?UTF-8?q?feat:=20=E7=AB=99=E5=86=85=E4=BF=A1?=
 =?UTF-8?q?=E4=B8=80=E9=94=AE=E5=B7=B2=E8=AF=BB=20(#8057)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: feng626 <1304903146@qq.com>
---
 apps/notifications/api/site_msgs.py |  6 ++++++
 apps/notifications/site_msg.py      | 12 ++++++------
 2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/apps/notifications/api/site_msgs.py b/apps/notifications/api/site_msgs.py
index 632101384..29bd785d5 100644
--- a/apps/notifications/api/site_msgs.py
+++ b/apps/notifications/api/site_msgs.py
@@ -50,6 +50,12 @@ class SiteMessageViewSet(ListModelMixin, RetrieveModelMixin, JMSGenericViewSet):
         SiteMessageUtil.mark_msgs_as_read(user.id, ids)
         return Response({'detail': 'ok'})
 
+    @action(methods=[PATCH], detail=False, url_path='mark-as-read-all')
+    def mark_as_read_all(self, request, **kwargs):
+        user = request.user
+        SiteMessageUtil.mark_msgs_as_read(user.id)
+        return Response({'detail': 'ok'})
+
     @action(methods=[POST], detail=False)
     def send(self, request, **kwargs):
         seri = self.get_serializer(data=request.data)
diff --git a/apps/notifications/site_msg.py b/apps/notifications/site_msg.py
index 7a3c9457f..faa36b5f4 100644
--- a/apps/notifications/site_msg.py
+++ b/apps/notifications/site_msg.py
@@ -1,4 +1,4 @@
-from django.db.models import F
+from django.db.models import F, Q
 from django.db import transaction
 
 from common.utils.timezone import local_now
@@ -80,11 +80,11 @@ class SiteMessageUtil:
         return site_msgs_count
 
     @classmethod
-    def mark_msgs_as_read(cls, user_id, msg_ids):
-        site_msg_users = SiteMessageUsers.objects.filter(
-            user_id=user_id, sitemessage_id__in=msg_ids,
-            has_read=False
-        )
+    def mark_msgs_as_read(cls, user_id, msg_ids=None):
+        q = Q(user_id=user_id) & Q(has_read=False)
+        if msg_ids is not None:
+            q &= Q(sitemessage_id__in=msg_ids)
+        site_msg_users = SiteMessageUsers.objects.filter(q)
 
         for site_msg_user in site_msg_users:
             site_msg_user.has_read = True

From ea478fc8012d7f4cc00ff294bad4a3d4e4c39a0a Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Thu, 14 Apr 2022 12:53:33 +0800
Subject: [PATCH 025/258] =?UTF-8?q?fix:=20Public=20Setting=20=E6=B7=BB?=
 =?UTF-8?q?=E5=8A=A0=20Magnus?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/settings/api/public.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/apps/settings/api/public.py b/apps/settings/api/public.py
index ca221f2de..5efa54319 100644
--- a/apps/settings/api/public.py
+++ b/apps/settings/api/public.py
@@ -64,6 +64,7 @@ class PublicSettingApi(generics.RetrieveAPIView):
                 "AUTH_FEISHU": settings.AUTH_FEISHU,
                 # Terminal
                 "XRDP_ENABLED": settings.XRDP_ENABLED,
+                "TERMINAL_MAGNUS_ENABLED": settings.TERMINAL_MAGNUS_ENABLED,
                 # Announcement
                 "ANNOUNCEMENT_ENABLED": settings.ANNOUNCEMENT_ENABLED,
                 "ANNOUNCEMENT": settings.ANNOUNCEMENT,

From c240a471dc743fe4cf9478edf92942c2bde9e69b Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Thu, 14 Apr 2022 14:10:05 +0800
Subject: [PATCH 026/258] =?UTF-8?q?fix:=20Public=20Setting=20=E6=B7=BB?=
 =?UTF-8?q?=E5=8A=A0=20Magnus?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/jumpserver/settings/custom.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/apps/jumpserver/settings/custom.py b/apps/jumpserver/settings/custom.py
index 794180fd2..cafdc1a59 100644
--- a/apps/jumpserver/settings/custom.py
+++ b/apps/jumpserver/settings/custom.py
@@ -139,6 +139,7 @@ LOGIN_REDIRECT_MSG_ENABLED = CONFIG.LOGIN_REDIRECT_MSG_ENABLED
 CLOUD_SYNC_TASK_EXECUTION_KEEP_DAYS = CONFIG.CLOUD_SYNC_TASK_EXECUTION_KEEP_DAYS
 
 XRDP_ENABLED = CONFIG.XRDP_ENABLED
+TERMINAL_MAGNUS_ENABLED = CONFIG.TERMINAL_MAGNUS_ENABLED
 
 # SMS enabled
 SMS_ENABLED = CONFIG.SMS_ENABLED

From 6d8e8856aca3c779bc8b70002a0edbd067f6aefa Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Thu, 14 Apr 2022 14:27:43 +0800
Subject: [PATCH 027/258] =?UTF-8?q?fix:=20=E4=BF=AE=E6=94=B9=E5=91=BD?=
 =?UTF-8?q?=E4=BB=A4timestamp=5Fdisplay=E5=8F=AA=E8=AF=BB?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/terminal/backends/command/serializers.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/terminal/backends/command/serializers.py b/apps/terminal/backends/command/serializers.py
index 2eb9e434c..9c8484efb 100644
--- a/apps/terminal/backends/command/serializers.py
+++ b/apps/terminal/backends/command/serializers.py
@@ -36,7 +36,7 @@ class SessionCommandSerializer(SimpleSessionCommandSerializer):
     output = serializers.CharField(max_length=2048, allow_blank=True, label=_("Output"))
     risk_level_display = serializers.SerializerMethodField(label=_('Risk level display'))
     timestamp = serializers.IntegerField(label=_('Timestamp'))
-    timestamp_display = serializers.DateTimeField(label=_('Datetime'))
+    timestamp_display = serializers.DateTimeField(read_only=True, label=_('Datetime'))
     remote_addr = serializers.CharField(read_only=True, label=_('Remote Address'))
 
     @staticmethod

From 7aa0c9bf196db83a6da0dd4dd4f8c7198298b492 Mon Sep 17 00:00:00 2001
From: feng626 <1304903146@qq.com>
Date: Wed, 13 Apr 2022 20:36:06 +0800
Subject: [PATCH 028/258] feat: download

---
 apps/locale/ja/LC_MESSAGES/django.mo  |   4 +-
 apps/locale/ja/LC_MESSAGES/django.po  | 137 ++++++++++++++------------
 apps/locale/zh/LC_MESSAGES/django.mo  |   4 +-
 apps/locale/zh/LC_MESSAGES/django.po  | 128 +++++++++++++-----------
 apps/templates/resource_download.html |  12 ++-
 5 files changed, 164 insertions(+), 121 deletions(-)

diff --git a/apps/locale/ja/LC_MESSAGES/django.mo b/apps/locale/ja/LC_MESSAGES/django.mo
index 7044727ed..c5ec670bb 100644
--- a/apps/locale/ja/LC_MESSAGES/django.mo
+++ b/apps/locale/ja/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:89878c511a62211520b347ccf37676cb11e9a0b3257ff968fb6d5dd81726a1e5
-size 125117
+oid sha256:54be66877253eed7bec1db706604af83a48f1c5fbc95eef1132c7f880fef154a
+size 125598
diff --git a/apps/locale/ja/LC_MESSAGES/django.po b/apps/locale/ja/LC_MESSAGES/django.po
index 643d66c0c..b7026603b 100644
--- a/apps/locale/ja/LC_MESSAGES/django.po
+++ b/apps/locale/ja/LC_MESSAGES/django.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-04-13 20:21+0800\n"
+"POT-Creation-Date: 2022-04-13 20:35+0800\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -33,7 +33,7 @@ msgstr "Acls"
 #: terminal/models/storage.py:23 terminal/models/task.py:16
 #: terminal/models/terminal.py:100 users/forms/profile.py:32
 #: users/models/group.py:15 users/models/user.py:661
-#: xpack/plugins/cloud/models.py:27
+#: xpack/plugins/cloud/models.py:28
 msgid "Name"
 msgstr "名前"
 
@@ -66,7 +66,7 @@ msgstr "アクティブ"
 #: tickets/models/comment.py:24 tickets/models/ticket.py:154
 #: users/models/group.py:16 users/models/user.py:698
 #: xpack/plugins/change_auth_plan/models/base.py:44
-#: xpack/plugins/cloud/models.py:34 xpack/plugins/cloud/models.py:115
+#: xpack/plugins/cloud/models.py:35 xpack/plugins/cloud/models.py:116
 #: xpack/plugins/gathered_user/models.py:26
 msgid "Comment"
 msgstr "コメント"
@@ -134,7 +134,7 @@ msgstr "システムユーザー"
 #: terminal/notifications.py:90
 #: xpack/plugins/change_auth_plan/models/asset.py:199
 #: xpack/plugins/change_auth_plan/serializers/asset.py:180
-#: xpack/plugins/cloud/models.py:222
+#: xpack/plugins/cloud/models.py:223
 msgid "Asset"
 msgstr "資産"
 
@@ -318,8 +318,8 @@ msgstr "タイプ"
 msgid "Domain"
 msgstr "ドメイン"
 
-#: applications/models/application.py:228 xpack/plugins/cloud/models.py:32
-#: xpack/plugins/cloud/serializers/account.py:58
+#: applications/models/application.py:228 xpack/plugins/cloud/models.py:33
+#: xpack/plugins/cloud/serializers/account.py:59
 msgid "Attrs"
 msgstr "ツールバーの"
 
@@ -357,7 +357,7 @@ msgstr "タイプ表示"
 #: common/mixins/models.py:50 ops/models/adhoc.py:39 ops/models/command.py:30
 #: orgs/models.py:67 orgs/models.py:217 perms/models/base.py:92
 #: users/models/group.py:18 users/models/user.py:918
-#: xpack/plugins/cloud/models.py:124
+#: xpack/plugins/cloud/models.py:125
 msgid "Date created"
 msgstr "作成された日付"
 
@@ -572,7 +572,7 @@ msgstr "ホスト名生"
 
 #: assets/models/asset.py:215 assets/serializers/account.py:16
 #: assets/serializers/asset.py:65 perms/serializers/asset/user_permission.py:41
-#: xpack/plugins/cloud/models.py:106 xpack/plugins/cloud/serializers/task.py:42
+#: xpack/plugins/cloud/models.py:107 xpack/plugins/cloud/serializers/task.py:42
 msgid "Protocols"
 msgstr "プロトコル"
 
@@ -612,7 +612,7 @@ msgstr "ラベル"
 #: orgs/models.py:219 perms/models/base.py:91 users/models/user.py:706
 #: users/serializers/group.py:33
 #: xpack/plugins/change_auth_plan/models/base.py:48
-#: xpack/plugins/cloud/models.py:121 xpack/plugins/gathered_user/models.py:30
+#: xpack/plugins/cloud/models.py:122 xpack/plugins/gathered_user/models.py:30
 msgid "Created by"
 msgstr "によって作成された"
 
@@ -716,7 +716,7 @@ msgstr "トリガーモード"
 #: xpack/plugins/change_auth_plan/models/base.py:201
 #: xpack/plugins/change_auth_plan/serializers/app.py:66
 #: xpack/plugins/change_auth_plan/serializers/asset.py:179
-#: xpack/plugins/cloud/models.py:178
+#: xpack/plugins/cloud/models.py:179
 msgid "Reason"
 msgstr "理由"
 
@@ -744,7 +744,7 @@ msgstr "OK"
 #: assets/models/base.py:32 audits/models.py:116
 #: xpack/plugins/change_auth_plan/serializers/app.py:88
 #: xpack/plugins/change_auth_plan/serializers/asset.py:198
-#: xpack/plugins/cloud/const.py:30
+#: xpack/plugins/cloud/const.py:31
 msgid "Failed"
 msgstr "失敗しました"
 
@@ -954,7 +954,7 @@ msgid "Parent key"
 msgstr "親キー"
 
 #: assets/models/node.py:559 assets/serializers/system_user.py:263
-#: xpack/plugins/cloud/models.py:95 xpack/plugins/cloud/serializers/task.py:69
+#: xpack/plugins/cloud/models.py:96 xpack/plugins/cloud/serializers/task.py:69
 msgid "Node"
 msgstr "ノード"
 
@@ -1482,8 +1482,8 @@ msgid "MFA"
 msgstr "MFA"
 
 #: audits/models.py:126 terminal/models/status.py:33
-#: tickets/models/ticket.py:140 xpack/plugins/cloud/models.py:174
-#: xpack/plugins/cloud/models.py:226
+#: tickets/models/ticket.py:140 xpack/plugins/cloud/models.py:175
+#: xpack/plugins/cloud/models.py:227
 msgid "Status"
 msgstr "ステータス"
 
@@ -1520,7 +1520,7 @@ msgid "Hosts display"
 msgstr "ホスト表示"
 
 #: audits/serializers.py:96 ops/models/command.py:27
-#: xpack/plugins/cloud/models.py:172
+#: xpack/plugins/cloud/models.py:173
 msgid "Result"
 msgstr "結果"
 
@@ -4504,16 +4504,18 @@ msgstr "キャンセル"
 
 #: templates/resource_download.html:18 templates/resource_download.html:24
 #: templates/resource_download.html:25 templates/resource_download.html:30
+#: templates/resource_download.html:40
 msgid "Client"
 msgstr "クライアント"
 
 #: templates/resource_download.html:20
 msgid ""
 "JumpServer Client, currently used to launch the client, now only support "
-"launch RDP client, The SSH client will next"
+"launch RDP SSH client, The Telnet client will next"
 msgstr ""
-"現在クライアントの起動に使用されているJumpServerクライアントは、RDPクライアン"
-"トの起動のみをサポートしています。"
+"JumpServerクライアントは、現在特定のクライアントプログラムの接続資産を喚起す"
+"るために使用されており、現在はRDP SSHクライアントのみをサポートしています。"
+"「Telnetは将来的にサポートする"
 
 #: templates/resource_download.html:30
 msgid "Microsoft"
@@ -4531,11 +4533,19 @@ msgstr ""
 "MacOSは、Windowsに付属のRDPアセットを接続するためにクライアントをダウンロード"
 "する必要があります"
 
-#: templates/resource_download.html:41
+#: templates/resource_download.html:42
+msgid ""
+"Windows needs to download the client to connect SSH assets, and the MacOS "
+"system uses its own terminal"
+msgstr ""
+"WindowsはクライアントをダウンロードしてSSH資産に接続する必要があり、macOSシス"
+"テムは独自のTerminalを採用している。"
+
+#: templates/resource_download.html:51
 msgid "Windows Remote application publisher tools"
 msgstr "Windowsリモートアプリケーション発行者ツール"
 
-#: templates/resource_download.html:42
+#: templates/resource_download.html:52
 msgid ""
 "Jmservisor is the program used to pull up remote applications in Windows "
 "Remote Application publisher"
@@ -4943,7 +4953,7 @@ msgstr "バケット"
 msgid "Secret key"
 msgstr "秘密キー"
 
-#: terminal/serializers/storage.py:64 xpack/plugins/cloud/models.py:219
+#: terminal/serializers/storage.py:64 xpack/plugins/cloud/models.py:220
 msgid "Region"
 msgstr "リージョン"
 
@@ -6215,58 +6225,62 @@ msgid "Baidu Cloud"
 msgstr "百度雲"
 
 #: xpack/plugins/cloud/const.py:15
+msgid "JD Cloud"
+msgstr "京東雲"
+
+#: xpack/plugins/cloud/const.py:16
 msgid "Tencent Cloud"
 msgstr "テンセント雲"
 
-#: xpack/plugins/cloud/const.py:16
+#: xpack/plugins/cloud/const.py:17
 msgid "VMware"
 msgstr "VMware"
 
-#: xpack/plugins/cloud/const.py:17 xpack/plugins/cloud/providers/nutanix.py:13
+#: xpack/plugins/cloud/const.py:18 xpack/plugins/cloud/providers/nutanix.py:13
 msgid "Nutanix"
 msgstr "Nutanix"
 
-#: xpack/plugins/cloud/const.py:18
+#: xpack/plugins/cloud/const.py:19
 msgid "Huawei Private Cloud"
 msgstr "華為私有雲"
 
-#: xpack/plugins/cloud/const.py:19
+#: xpack/plugins/cloud/const.py:20
 msgid "Qingyun Private Cloud"
 msgstr "青雲私有雲"
 
-#: xpack/plugins/cloud/const.py:20
+#: xpack/plugins/cloud/const.py:21
 msgid "OpenStack"
 msgstr "OpenStack"
 
-#: xpack/plugins/cloud/const.py:21
+#: xpack/plugins/cloud/const.py:22
 msgid "Google Cloud Platform"
 msgstr "谷歌雲"
 
-#: xpack/plugins/cloud/const.py:25
+#: xpack/plugins/cloud/const.py:26
 msgid "Instance name"
 msgstr "インスタンス名"
 
-#: xpack/plugins/cloud/const.py:26
+#: xpack/plugins/cloud/const.py:27
 msgid "Instance name and Partial IP"
 msgstr "インスタンス名と部分IP"
 
-#: xpack/plugins/cloud/const.py:31
+#: xpack/plugins/cloud/const.py:32
 msgid "Succeed"
 msgstr "成功"
 
-#: xpack/plugins/cloud/const.py:35
+#: xpack/plugins/cloud/const.py:36
 msgid "Unsync"
 msgstr "同期していません"
 
-#: xpack/plugins/cloud/const.py:36
+#: xpack/plugins/cloud/const.py:37
 msgid "New Sync"
 msgstr "新しい同期"
 
-#: xpack/plugins/cloud/const.py:37
+#: xpack/plugins/cloud/const.py:38
 msgid "Synced"
 msgstr "同期済み"
 
-#: xpack/plugins/cloud/const.py:38
+#: xpack/plugins/cloud/const.py:39
 msgid "Released"
 msgstr "リリース済み"
 
@@ -6274,79 +6288,79 @@ msgstr "リリース済み"
 msgid "Cloud center"
 msgstr "クラウドセンター"
 
-#: xpack/plugins/cloud/models.py:29
+#: xpack/plugins/cloud/models.py:30
 msgid "Provider"
 msgstr "プロバイダー"
 
-#: xpack/plugins/cloud/models.py:33
+#: xpack/plugins/cloud/models.py:34
 msgid "Validity"
 msgstr "有効性"
 
-#: xpack/plugins/cloud/models.py:38
+#: xpack/plugins/cloud/models.py:39
 msgid "Cloud account"
 msgstr "クラウドアカウント"
 
-#: xpack/plugins/cloud/models.py:40
+#: xpack/plugins/cloud/models.py:41
 msgid "Test cloud account"
 msgstr "クラウドアカウントのテスト"
 
-#: xpack/plugins/cloud/models.py:84 xpack/plugins/cloud/serializers/task.py:66
+#: xpack/plugins/cloud/models.py:85 xpack/plugins/cloud/serializers/task.py:66
 msgid "Account"
 msgstr "アカウント"
 
-#: xpack/plugins/cloud/models.py:87 xpack/plugins/cloud/serializers/task.py:37
+#: xpack/plugins/cloud/models.py:88 xpack/plugins/cloud/serializers/task.py:37
 msgid "Regions"
 msgstr "リージョン"
 
-#: xpack/plugins/cloud/models.py:90
+#: xpack/plugins/cloud/models.py:91
 msgid "Hostname strategy"
 msgstr "ホスト名戦略"
 
-#: xpack/plugins/cloud/models.py:99 xpack/plugins/cloud/serializers/task.py:67
+#: xpack/plugins/cloud/models.py:100 xpack/plugins/cloud/serializers/task.py:67
 msgid "Unix admin user"
 msgstr "Unix adminユーザー"
 
-#: xpack/plugins/cloud/models.py:103 xpack/plugins/cloud/serializers/task.py:68
+#: xpack/plugins/cloud/models.py:104 xpack/plugins/cloud/serializers/task.py:68
 msgid "Windows admin user"
 msgstr "Windows管理者"
 
-#: xpack/plugins/cloud/models.py:109 xpack/plugins/cloud/serializers/task.py:45
+#: xpack/plugins/cloud/models.py:110 xpack/plugins/cloud/serializers/task.py:45
 msgid "IP network segment group"
 msgstr "IPネットワークセグメントグループ"
 
-#: xpack/plugins/cloud/models.py:112 xpack/plugins/cloud/serializers/task.py:71
+#: xpack/plugins/cloud/models.py:113 xpack/plugins/cloud/serializers/task.py:71
 msgid "Always update"
 msgstr "常に更新"
 
-#: xpack/plugins/cloud/models.py:118
+#: xpack/plugins/cloud/models.py:119
 msgid "Date last sync"
 msgstr "最終同期日"
 
-#: xpack/plugins/cloud/models.py:129 xpack/plugins/cloud/models.py:170
+#: xpack/plugins/cloud/models.py:130 xpack/plugins/cloud/models.py:171
 msgid "Sync instance task"
 msgstr "インスタンスの同期タスク"
 
-#: xpack/plugins/cloud/models.py:181 xpack/plugins/cloud/models.py:229
+#: xpack/plugins/cloud/models.py:182 xpack/plugins/cloud/models.py:230
 msgid "Date sync"
 msgstr "日付の同期"
 
-#: xpack/plugins/cloud/models.py:185
+#: xpack/plugins/cloud/models.py:186
 msgid "Sync instance task execution"
 msgstr "インスタンスタスクの同期実行"
 
-#: xpack/plugins/cloud/models.py:209
+#: xpack/plugins/cloud/models.py:210
 msgid "Sync task"
 msgstr "同期タスク"
 
-#: xpack/plugins/cloud/models.py:213
+#: xpack/plugins/cloud/models.py:214
 msgid "Sync instance task history"
 msgstr "インスタンスタスク履歴の同期"
 
-#: xpack/plugins/cloud/models.py:216
+#: xpack/plugins/cloud/models.py:217
 msgid "Instance"
 msgstr "インスタンス"
 
-#: xpack/plugins/cloud/models.py:233
+#: xpack/plugins/cloud/models.py:234
 msgid "Sync instance detail"
 msgstr "同期インスタンスの詳細"
 
@@ -6443,11 +6457,13 @@ msgid "South America (São Paulo)"
 msgstr "南米 (サンパウロ)"
 
 #: xpack/plugins/cloud/providers/baiducloud.py:54
+#: xpack/plugins/cloud/providers/jdcloud.py:127
 msgid "CN North-Beijing"
 msgstr "華北-北京"
 
 #: xpack/plugins/cloud/providers/baiducloud.py:55
 #: xpack/plugins/cloud/providers/huaweicloud.py:40
+#: xpack/plugins/cloud/providers/jdcloud.py:130
 msgid "CN South-Guangzhou"
 msgstr "華南-広州"
 
@@ -6469,6 +6485,7 @@ msgid "CN North-Baoding"
 msgstr "華北-保定"
 
 #: xpack/plugins/cloud/providers/baiducloud.py:60
+#: xpack/plugins/cloud/providers/jdcloud.py:129
 msgid "CN East-Shanghai"
 msgstr "華東-上海"
 
@@ -6533,11 +6550,15 @@ msgstr "華北-ウランチャブ一"
 msgid "CN South-Guangzhou-InvitationOnly"
 msgstr "華南-広州-友好ユーザー環境"
 
-#: xpack/plugins/cloud/serializers/account.py:59
+#: xpack/plugins/cloud/providers/jdcloud.py:128
+msgid "CN East-Suqian"
+msgstr "華東-宿遷"
+
+#: xpack/plugins/cloud/serializers/account.py:60
 msgid "Validity display"
 msgstr "有効表示"
 
-#: xpack/plugins/cloud/serializers/account.py:60
+#: xpack/plugins/cloud/serializers/account.py:61
 msgid "Provider display"
 msgstr "プロバイダ表示"
 
@@ -6717,9 +6738,3 @@ msgstr "コミュニティ版"
 #~| msgid "Connection token"
 #~ msgid "One time token"
 #~ msgstr "接続トークン"
-
-#~ msgid "JD Cloud"
-#~ msgstr "京東雲"
-
-#~ msgid "CN East-Suqian"
-#~ msgstr "華東-宿遷"
diff --git a/apps/locale/zh/LC_MESSAGES/django.mo b/apps/locale/zh/LC_MESSAGES/django.mo
index ad6a09539..c77cc1659 100644
--- a/apps/locale/zh/LC_MESSAGES/django.mo
+++ b/apps/locale/zh/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:c5e41035cf1525f01fb773511041f0f8a3a25cdfb1fa4f1e681c6d7eec85f6b9
-size 103570
+oid sha256:fa084dd92472110d4bea1674d1e9a96599f42f094aab92f8d34152fdf5726321
+size 103771
diff --git a/apps/locale/zh/LC_MESSAGES/django.po b/apps/locale/zh/LC_MESSAGES/django.po
index 365f797eb..5682b29ff 100644
--- a/apps/locale/zh/LC_MESSAGES/django.po
+++ b/apps/locale/zh/LC_MESSAGES/django.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: JumpServer 0.3.3\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-04-13 20:21+0800\n"
+"POT-Creation-Date: 2022-04-13 20:35+0800\n"
 "PO-Revision-Date: 2021-05-20 10:54+0800\n"
 "Last-Translator: ibuler <ibuler@qq.com>\n"
 "Language-Team: JumpServer team<ibuler@qq.com>\n"
@@ -32,7 +32,7 @@ msgstr "访问控制"
 #: terminal/models/storage.py:23 terminal/models/task.py:16
 #: terminal/models/terminal.py:100 users/forms/profile.py:32
 #: users/models/group.py:15 users/models/user.py:661
-#: xpack/plugins/cloud/models.py:27
+#: xpack/plugins/cloud/models.py:28
 msgid "Name"
 msgstr "名称"
 
@@ -65,7 +65,7 @@ msgstr "激活中"
 #: tickets/models/comment.py:24 tickets/models/ticket.py:154
 #: users/models/group.py:16 users/models/user.py:698
 #: xpack/plugins/change_auth_plan/models/base.py:44
-#: xpack/plugins/cloud/models.py:34 xpack/plugins/cloud/models.py:115
+#: xpack/plugins/cloud/models.py:35 xpack/plugins/cloud/models.py:116
 #: xpack/plugins/gathered_user/models.py:26
 msgid "Comment"
 msgstr "备注"
@@ -133,7 +133,7 @@ msgstr "系统用户"
 #: terminal/notifications.py:90
 #: xpack/plugins/change_auth_plan/models/asset.py:199
 #: xpack/plugins/change_auth_plan/serializers/asset.py:180
-#: xpack/plugins/cloud/models.py:222
+#: xpack/plugins/cloud/models.py:223
 msgid "Asset"
 msgstr "资产"
 
@@ -313,8 +313,8 @@ msgstr "类型"
 msgid "Domain"
 msgstr "网域"
 
-#: applications/models/application.py:228 xpack/plugins/cloud/models.py:32
-#: xpack/plugins/cloud/serializers/account.py:58
+#: applications/models/application.py:228 xpack/plugins/cloud/models.py:33
+#: xpack/plugins/cloud/serializers/account.py:59
 msgid "Attrs"
 msgstr "属性"
 
@@ -352,7 +352,7 @@ msgstr "类型名称"
 #: common/mixins/models.py:50 ops/models/adhoc.py:39 ops/models/command.py:30
 #: orgs/models.py:67 orgs/models.py:217 perms/models/base.py:92
 #: users/models/group.py:18 users/models/user.py:918
-#: xpack/plugins/cloud/models.py:124
+#: xpack/plugins/cloud/models.py:125
 msgid "Date created"
 msgstr "创建日期"
 
@@ -567,7 +567,7 @@ msgstr "主机名原始"
 
 #: assets/models/asset.py:215 assets/serializers/account.py:16
 #: assets/serializers/asset.py:65 perms/serializers/asset/user_permission.py:41
-#: xpack/plugins/cloud/models.py:106 xpack/plugins/cloud/serializers/task.py:42
+#: xpack/plugins/cloud/models.py:107 xpack/plugins/cloud/serializers/task.py:42
 msgid "Protocols"
 msgstr "协议组"
 
@@ -607,7 +607,7 @@ msgstr "标签管理"
 #: orgs/models.py:219 perms/models/base.py:91 users/models/user.py:706
 #: users/serializers/group.py:33
 #: xpack/plugins/change_auth_plan/models/base.py:48
-#: xpack/plugins/cloud/models.py:121 xpack/plugins/gathered_user/models.py:30
+#: xpack/plugins/cloud/models.py:122 xpack/plugins/gathered_user/models.py:30
 msgid "Created by"
 msgstr "创建者"
 
@@ -711,7 +711,7 @@ msgstr "触发模式"
 #: xpack/plugins/change_auth_plan/models/base.py:201
 #: xpack/plugins/change_auth_plan/serializers/app.py:66
 #: xpack/plugins/change_auth_plan/serializers/asset.py:179
-#: xpack/plugins/cloud/models.py:178
+#: xpack/plugins/cloud/models.py:179
 msgid "Reason"
 msgstr "原因"
 
@@ -739,7 +739,7 @@ msgstr "成功"
 #: assets/models/base.py:32 audits/models.py:116
 #: xpack/plugins/change_auth_plan/serializers/app.py:88
 #: xpack/plugins/change_auth_plan/serializers/asset.py:198
-#: xpack/plugins/cloud/const.py:30
+#: xpack/plugins/cloud/const.py:31
 msgid "Failed"
 msgstr "失败"
 
@@ -949,7 +949,7 @@ msgid "Parent key"
 msgstr "ssh私钥"
 
 #: assets/models/node.py:559 assets/serializers/system_user.py:263
-#: xpack/plugins/cloud/models.py:95 xpack/plugins/cloud/serializers/task.py:69
+#: xpack/plugins/cloud/models.py:96 xpack/plugins/cloud/serializers/task.py:69
 msgid "Node"
 msgstr "节点"
 
@@ -1470,8 +1470,8 @@ msgid "MFA"
 msgstr "MFA"
 
 #: audits/models.py:126 terminal/models/status.py:33
-#: tickets/models/ticket.py:140 xpack/plugins/cloud/models.py:174
-#: xpack/plugins/cloud/models.py:226
+#: tickets/models/ticket.py:140 xpack/plugins/cloud/models.py:175
+#: xpack/plugins/cloud/models.py:227
 msgid "Status"
 msgstr "状态"
 
@@ -1508,7 +1508,7 @@ msgid "Hosts display"
 msgstr "主机名称"
 
 #: audits/serializers.py:96 ops/models/command.py:27
-#: xpack/plugins/cloud/models.py:172
+#: xpack/plugins/cloud/models.py:173
 msgid "Result"
 msgstr "结果"
 
@@ -4437,16 +4437,17 @@ msgstr "取消"
 
 #: templates/resource_download.html:18 templates/resource_download.html:24
 #: templates/resource_download.html:25 templates/resource_download.html:30
+#: templates/resource_download.html:40
 msgid "Client"
 msgstr "客户端"
 
 #: templates/resource_download.html:20
 msgid ""
 "JumpServer Client, currently used to launch the client, now only support "
-"launch RDP client, The SSH client will next"
+"launch RDP SSH client, The Telnet client will next"
 msgstr ""
-"JumpServer 客户端，目前用来唤起 特定客户端程序 连接资产, 目前仅支持 RDP 客户"
-"端，SSH、Telnet 会在未来支持"
+"JumpServer 客户端，目前用来唤起 特定客户端程序 连接资产, 目前仅支持 RDP SSH 客户"
+"端，Telnet 会在未来支持"
 
 #: templates/resource_download.html:30
 msgid "Microsoft"
@@ -4462,11 +4463,17 @@ msgid ""
 "Windows"
 msgstr "macOS 需要下载客户端来连接 RDP 资产，Windows 系统默认安装了该程序"
 
-#: templates/resource_download.html:41
+#: templates/resource_download.html:42
+msgid ""
+"Windows needs to download the client to connect SSH assets, and the MacOS "
+"system uses its own terminal"
+msgstr "Windows 需要下载客户端来连接SSH资产，macOS系统采用自带的Terminal"
+
+#: templates/resource_download.html:51
 msgid "Windows Remote application publisher tools"
 msgstr "Windows 远程应用发布服务器工具"
 
-#: templates/resource_download.html:42
+#: templates/resource_download.html:52
 msgid ""
 "Jmservisor is the program used to pull up remote applications in Windows "
 "Remote Application publisher"
@@ -4872,7 +4879,7 @@ msgstr "桶名称"
 msgid "Secret key"
 msgstr "密钥"
 
-#: terminal/serializers/storage.py:64 xpack/plugins/cloud/models.py:219
+#: terminal/serializers/storage.py:64 xpack/plugins/cloud/models.py:220
 msgid "Region"
 msgstr "地域"
 
@@ -6127,58 +6134,62 @@ msgid "Baidu Cloud"
 msgstr "百度云"
 
 #: xpack/plugins/cloud/const.py:15
+msgid "JD Cloud"
+msgstr "京东云"
+
+#: xpack/plugins/cloud/const.py:16
 msgid "Tencent Cloud"
 msgstr "腾讯云"
 
-#: xpack/plugins/cloud/const.py:16
+#: xpack/plugins/cloud/const.py:17
 msgid "VMware"
 msgstr "VMware"
 
-#: xpack/plugins/cloud/const.py:17 xpack/plugins/cloud/providers/nutanix.py:13
+#: xpack/plugins/cloud/const.py:18 xpack/plugins/cloud/providers/nutanix.py:13
 msgid "Nutanix"
 msgstr "Nutanix"
 
-#: xpack/plugins/cloud/const.py:18
+#: xpack/plugins/cloud/const.py:19
 msgid "Huawei Private Cloud"
 msgstr "华为私有云"
 
-#: xpack/plugins/cloud/const.py:19
+#: xpack/plugins/cloud/const.py:20
 msgid "Qingyun Private Cloud"
 msgstr "青云私有云"
 
-#: xpack/plugins/cloud/const.py:20
+#: xpack/plugins/cloud/const.py:21
 msgid "OpenStack"
 msgstr "OpenStack"
 
-#: xpack/plugins/cloud/const.py:21
+#: xpack/plugins/cloud/const.py:22
 msgid "Google Cloud Platform"
 msgstr "谷歌云"
 
-#: xpack/plugins/cloud/const.py:25
+#: xpack/plugins/cloud/const.py:26
 msgid "Instance name"
 msgstr "实例名称"
 
-#: xpack/plugins/cloud/const.py:26
+#: xpack/plugins/cloud/const.py:27
 msgid "Instance name and Partial IP"
 msgstr "实例名称和部分IP"
 
-#: xpack/plugins/cloud/const.py:31
+#: xpack/plugins/cloud/const.py:32
 msgid "Succeed"
 msgstr "成功"
 
-#: xpack/plugins/cloud/const.py:35
+#: xpack/plugins/cloud/const.py:36
 msgid "Unsync"
 msgstr "未同步"
 
-#: xpack/plugins/cloud/const.py:36
+#: xpack/plugins/cloud/const.py:37
 msgid "New Sync"
 msgstr "新同步"
 
-#: xpack/plugins/cloud/const.py:37
+#: xpack/plugins/cloud/const.py:38
 msgid "Synced"
 msgstr "已同步"
 
-#: xpack/plugins/cloud/const.py:38
+#: xpack/plugins/cloud/const.py:39
 msgid "Released"
 msgstr "已释放"
 
@@ -6186,79 +6197,79 @@ msgstr "已释放"
 msgid "Cloud center"
 msgstr "云管中心"
 
-#: xpack/plugins/cloud/models.py:29
+#: xpack/plugins/cloud/models.py:30
 msgid "Provider"
 msgstr "云服务商"
 
-#: xpack/plugins/cloud/models.py:33
+#: xpack/plugins/cloud/models.py:34
 msgid "Validity"
 msgstr "有效"
 
-#: xpack/plugins/cloud/models.py:38
+#: xpack/plugins/cloud/models.py:39
 msgid "Cloud account"
 msgstr "云账号"
 
-#: xpack/plugins/cloud/models.py:40
+#: xpack/plugins/cloud/models.py:41
 msgid "Test cloud account"
 msgstr "测试云账号"
 
-#: xpack/plugins/cloud/models.py:84 xpack/plugins/cloud/serializers/task.py:66
+#: xpack/plugins/cloud/models.py:85 xpack/plugins/cloud/serializers/task.py:66
 msgid "Account"
 msgstr "账号"
 
-#: xpack/plugins/cloud/models.py:87 xpack/plugins/cloud/serializers/task.py:37
+#: xpack/plugins/cloud/models.py:88 xpack/plugins/cloud/serializers/task.py:37
 msgid "Regions"
 msgstr "地域"
 
-#: xpack/plugins/cloud/models.py:90
+#: xpack/plugins/cloud/models.py:91
 msgid "Hostname strategy"
 msgstr "主机名策略"
 
-#: xpack/plugins/cloud/models.py:99 xpack/plugins/cloud/serializers/task.py:67
+#: xpack/plugins/cloud/models.py:100 xpack/plugins/cloud/serializers/task.py:67
 msgid "Unix admin user"
 msgstr "Unix 管理员"
 
-#: xpack/plugins/cloud/models.py:103 xpack/plugins/cloud/serializers/task.py:68
+#: xpack/plugins/cloud/models.py:104 xpack/plugins/cloud/serializers/task.py:68
 msgid "Windows admin user"
 msgstr "Windows 管理员"
 
-#: xpack/plugins/cloud/models.py:109 xpack/plugins/cloud/serializers/task.py:45
+#: xpack/plugins/cloud/models.py:110 xpack/plugins/cloud/serializers/task.py:45
 msgid "IP network segment group"
 msgstr "IP网段组"
 
-#: xpack/plugins/cloud/models.py:112 xpack/plugins/cloud/serializers/task.py:71
+#: xpack/plugins/cloud/models.py:113 xpack/plugins/cloud/serializers/task.py:71
 msgid "Always update"
 msgstr "总是更新"
 
-#: xpack/plugins/cloud/models.py:118
+#: xpack/plugins/cloud/models.py:119
 msgid "Date last sync"
 msgstr "最后同步日期"
 
-#: xpack/plugins/cloud/models.py:129 xpack/plugins/cloud/models.py:170
+#: xpack/plugins/cloud/models.py:130 xpack/plugins/cloud/models.py:171
 msgid "Sync instance task"
 msgstr "同步实例任务"
 
-#: xpack/plugins/cloud/models.py:181 xpack/plugins/cloud/models.py:229
+#: xpack/plugins/cloud/models.py:182 xpack/plugins/cloud/models.py:230
 msgid "Date sync"
 msgstr "同步日期"
 
-#: xpack/plugins/cloud/models.py:185
+#: xpack/plugins/cloud/models.py:186
 msgid "Sync instance task execution"
 msgstr "同步实例任务执行"
 
-#: xpack/plugins/cloud/models.py:209
+#: xpack/plugins/cloud/models.py:210
 msgid "Sync task"
 msgstr "同步任务"
 
-#: xpack/plugins/cloud/models.py:213
+#: xpack/plugins/cloud/models.py:214
 msgid "Sync instance task history"
 msgstr "同步实例任务历史"
 
-#: xpack/plugins/cloud/models.py:216
+#: xpack/plugins/cloud/models.py:217
 msgid "Instance"
 msgstr "实例"
 
-#: xpack/plugins/cloud/models.py:233
+#: xpack/plugins/cloud/models.py:234
 msgid "Sync instance detail"
 msgstr "同步实例详情"
 
@@ -6355,11 +6366,13 @@ msgid "South America (São Paulo)"
 msgstr "南美洲（圣保罗）"
 
 #: xpack/plugins/cloud/providers/baiducloud.py:54
+#: xpack/plugins/cloud/providers/jdcloud.py:127
 msgid "CN North-Beijing"
 msgstr "华北-北京"
 
 #: xpack/plugins/cloud/providers/baiducloud.py:55
 #: xpack/plugins/cloud/providers/huaweicloud.py:40
+#: xpack/plugins/cloud/providers/jdcloud.py:130
 msgid "CN South-Guangzhou"
 msgstr "华南-广州"
 
@@ -6381,6 +6394,7 @@ msgid "CN North-Baoding"
 msgstr "华北-保定"
 
 #: xpack/plugins/cloud/providers/baiducloud.py:60
+#: xpack/plugins/cloud/providers/jdcloud.py:129
 msgid "CN East-Shanghai"
 msgstr "华东-上海"
 
@@ -6445,11 +6459,15 @@ msgstr "华北-乌兰察布一"
 msgid "CN South-Guangzhou-InvitationOnly"
 msgstr "华南-广州-友好用户环境"
 
-#: xpack/plugins/cloud/serializers/account.py:59
+#: xpack/plugins/cloud/providers/jdcloud.py:128
+msgid "CN East-Suqian"
+msgstr "华东-宿迁"
+
+#: xpack/plugins/cloud/serializers/account.py:60
 msgid "Validity display"
 msgstr "有效性显示"
 
-#: xpack/plugins/cloud/serializers/account.py:60
+#: xpack/plugins/cloud/serializers/account.py:61
 msgid "Provider display"
 msgstr "服务商显示"
 
diff --git a/apps/templates/resource_download.html b/apps/templates/resource_download.html
index 479408161..5dba5457c 100644
--- a/apps/templates/resource_download.html
+++ b/apps/templates/resource_download.html
@@ -17,7 +17,7 @@ p {
     <div class="group">
         <h2>JumpServer {% trans 'Client' %}</h2>
         <p>
-            {% trans 'JumpServer Client, currently used to launch the client, now only support launch RDP client, The SSH client will next' %}
+            {% trans 'JumpServer Client, currently used to launch the client, now only support launch RDP SSH client, The Telnet client will next' %}
 {#            //JumpServer 客户端，支持 RDP 的本地拉起，后续会支持拉起 ssh。#}
         </p>
         <ul>
@@ -36,6 +36,16 @@ p {
         </ul>
     </div>
 
+    <div class="group">
+        <h2>SSH {% trans 'Client' %}</h2>
+        <p>
+            {% trans 'Windows needs to download the client to connect SSH assets, and the MacOS system uses its own terminal' %}
+        </p>
+        <ul>
+            <li><a href="/download/Putty.exe">Putty.exe</a></li>
+        </ul>
+    </div>
+
     {% if XPACK_ENABLED  %}
         <div class="group">
             <h2>{% trans 'Windows Remote application publisher tools' %}</h2>

From 0b94d7414a8d46ef829bcbc6a4266c5bd09d0c0a Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Thu, 14 Apr 2022 19:51:10 +0800
Subject: [PATCH 029/258] feat: download (#8062)

Co-authored-by: feng626 <1304903146@qq.com>
Co-authored-by: feng626 <57284900+feng626@users.noreply.github.com>
---
 apps/templates/resource_download.html | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/apps/templates/resource_download.html b/apps/templates/resource_download.html
index 5dba5457c..510b2159e 100644
--- a/apps/templates/resource_download.html
+++ b/apps/templates/resource_download.html
@@ -42,7 +42,9 @@ p {
             {% trans 'Windows needs to download the client to connect SSH assets, and the MacOS system uses its own terminal' %}
         </p>
         <ul>
-            <li><a href="/download/Putty.exe">Putty.exe</a></li>
+            <li><a href="/download/putty/w64/putty.exe">64-bit x86:  Putty.exe</a></li>
+            <li><a href="/download/putty/wa64/putty.exe">64-bit Arm: Putty.exe</a></li>
+            <li><a href="/download/putty/w32/putty.exe">32-bit x86:  Putty.exe</a></li>
         </ul>
     </div>
 

From 70a07539afb2e032e60539664dc8db96d96550ce Mon Sep 17 00:00:00 2001
From: jiangweidong <weidong.jiang@fit2cloud.com>
Date: Thu, 14 Apr 2022 21:55:34 +0800
Subject: [PATCH 030/258] =?UTF-8?q?perf:=20=E4=BC=98=E5=8C=96=E9=83=A8?=
 =?UTF-8?q?=E5=88=86=E4=BA=91=E5=8E=82=E5=95=86=E7=9A=84redis=E8=BF=9E?=
 =?UTF-8?q?=E6=8E=A5=E7=9A=84=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/common/cache.py             | 28 ++++++++++++++++++++++++++++
 apps/jumpserver/settings/libs.py |  2 +-
 2 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/apps/common/cache.py b/apps/common/cache.py
index b988a8673..67aba9191 100644
--- a/apps/common/cache.py
+++ b/apps/common/cache.py
@@ -1,5 +1,7 @@
 import time
 
+from channels_redis.core import RedisChannelLayer as _RedisChannelLayer
+
 from common.utils.lock import DistributedLock
 from common.utils.connection import get_redis_client
 from common.utils import lazyproperty
@@ -216,3 +218,29 @@ class CacheValueDesc:
 
     def to_internal_value(self, value):
         return self.field_type.field_type(value)
+
+
+class RedisChannelLayer(_RedisChannelLayer):
+    async def _brpop_with_clean(self, index, channel, timeout):
+        cleanup_script = """
+            local backed_up = redis.call('ZRANGE', ARGV[2], 0, -1, 'WITHSCORES')
+            for i = #backed_up, 1, -2 do
+                redis.call('ZADD', ARGV[1], backed_up[i], backed_up[i - 1])
+            end
+            redis.call('DEL', ARGV[2])
+        """
+        backup_queue = self._backup_channel_name(channel)
+        async with self.connection(index) as connection:
+            # 部分云厂商的 Redis 此操作会报错(不支持，比如阿里云有限制)
+            try:
+                await connection.eval(cleanup_script, keys=[], args=[channel, backup_queue])
+            except:
+                pass
+            result = await connection.bzpopmin(channel, timeout=timeout)
+
+            if result is not None:
+                _, member, timestamp = result
+                await connection.zadd(backup_queue, float(timestamp), member)
+            else:
+                member = None
+            return member
diff --git a/apps/jumpserver/settings/libs.py b/apps/jumpserver/settings/libs.py
index 11aa0ba16..03c10bf1f 100644
--- a/apps/jumpserver/settings/libs.py
+++ b/apps/jumpserver/settings/libs.py
@@ -96,7 +96,7 @@ else:
 
 CHANNEL_LAYERS = {
     'default': {
-        'BACKEND': 'channels_redis.core.RedisChannelLayer',
+        'BACKEND': 'common.cache.RedisChannelLayer',
         'CONFIG': {
             "hosts": [{
                 'address': (CONFIG.REDIS_HOST, CONFIG.REDIS_PORT),

From 97e59384e0d1be24ab4b76d1c376485d069deab5 Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Fri, 15 Apr 2022 16:24:17 +0800
Subject: [PATCH 031/258] =?UTF-8?q?fix:=20connection=20token=20API=20?=
 =?UTF-8?q?=E8=BF=94=E5=9B=9E=E6=9C=89=E6=95=88=E6=97=B6=E9=97=B4?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/authentication/api/connection_token.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/apps/authentication/api/connection_token.py b/apps/authentication/api/connection_token.py
index 4afa7a306..9e16d31ba 100644
--- a/apps/authentication/api/connection_token.py
+++ b/apps/authentication/api/connection_token.py
@@ -484,7 +484,8 @@ class UserConnectionTokenViewSet(
         tp = 'app' if application else 'asset'
         data = {
             "id": token, 'secret': secret,
-            'type': tp, 'protocol': system_user.protocol
+            'type': tp, 'protocol': system_user.protocol,
+            'expire_time': self.get_token_ttl(token),
         }
         return Response(data, status=201)
 

From 7b02777f1e87345aa6a34472d1499fda8bf86a2d Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Fri, 15 Apr 2022 15:31:02 +0800
Subject: [PATCH 032/258] =?UTF-8?q?fix:=20=E4=BF=AE=E6=94=B9endpoint=20sma?=
 =?UTF-8?q?rt=20API=E5=85=81=E8=AE=B8=E6=9C=89=E6=95=88=E7=94=A8=E6=88=B7?=
 =?UTF-8?q?=E8=AE=BF=E9=97=AE?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/jumpserver/settings/base.py | 1 -
 apps/terminal/api/endpoint.py    | 6 ++----
 2 files changed, 2 insertions(+), 5 deletions(-)

diff --git a/apps/jumpserver/settings/base.py b/apps/jumpserver/settings/base.py
index a4441711a..b7f48a814 100644
--- a/apps/jumpserver/settings/base.py
+++ b/apps/jumpserver/settings/base.py
@@ -98,7 +98,6 @@ MIDDLEWARE = [
 ]
 
 ROOT_URLCONF = 'jumpserver.urls'
-
 TEMPLATES = [
     {
         'BACKEND': 'django.template.backends.django.DjangoTemplates',
diff --git a/apps/terminal/api/endpoint.py b/apps/terminal/api/endpoint.py
index 14efb738f..d612db4a8 100644
--- a/apps/terminal/api/endpoint.py
+++ b/apps/terminal/api/endpoint.py
@@ -8,6 +8,7 @@ from assets.models import Asset
 from orgs.utils import tmp_to_root_org
 from applications.models import Application
 from terminal.models import Session
+from common.permissions import IsValidUser
 from ..models import Endpoint, EndpointRule
 from .. import serializers
 
@@ -20,9 +21,6 @@ class EndpointViewSet(JMSBulkModelViewSet):
     search_fields = filterset_fields
     serializer_class = serializers.EndpointSerializer
     queryset = Endpoint.objects.all()
-    rbac_perms = {
-        'smart': 'terminal.view_endpoint'
-    }
 
     @staticmethod
     def get_target_ip(request):
@@ -57,7 +55,7 @@ class EndpointViewSet(JMSBulkModelViewSet):
             target_ip = instance.get_target_ip()
             return target_ip
 
-    @action(methods=['get'], detail=False, url_path='smart')
+    @action(methods=['get'], detail=False, permission_classes=[IsValidUser], url_path='smart')
     def smart(self, request, *args, **kwargs):
         protocol = request.GET.get('protocol')
         if not protocol:

From a647e73c02e9e36fbbe7da2dd3c1edb98dcf5306 Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Fri, 15 Apr 2022 21:33:15 +0800
Subject: [PATCH 033/258] =?UTF-8?q?feat:=20=E8=AE=BE=E7=BD=AESessionCookie?=
 =?UTF-8?q?NamePrefix=20(#8071)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* feat: 设置SessionCookieNamePrefix

* feat: 设置SessionCookieNamePrefix

Co-authored-by: Jiangjie.Bai <bugatti_it@163.com>
---
 apps/authentication/middleware.py | 14 ++++++++++++++
 apps/jumpserver/conf.py           |  1 +
 apps/jumpserver/settings/base.py  | 16 ++++++++++++++++
 3 files changed, 31 insertions(+)

diff --git a/apps/authentication/middleware.py b/apps/authentication/middleware.py
index 9481c3ff6..42bbb27cb 100644
--- a/apps/authentication/middleware.py
+++ b/apps/authentication/middleware.py
@@ -1,5 +1,7 @@
 from django.shortcuts import redirect, reverse
+from django.utils.deprecation import MiddlewareMixin
 from django.http import HttpResponse
+from django.conf import settings
 
 
 class MFAMiddleware:
@@ -34,3 +36,15 @@ class MFAMiddleware:
 
         url = reverse('authentication:login-mfa') + '?_=middleware'
         return redirect(url)
+
+
+class SessionCookieMiddleware(MiddlewareMixin):
+
+    @staticmethod
+    def process_response(request, response: HttpResponse):
+        key = settings.SESSION_COOKIE_NAME_PREFIX_KEY
+        value = settings.SESSION_COOKIE_NAME_PREFIX
+        if request.COOKIES.get(key) == value:
+            return response
+        response.set_cookie(key, value)
+        return response
diff --git a/apps/jumpserver/conf.py b/apps/jumpserver/conf.py
index 3cc8a067d..28ee9d8e9 100644
--- a/apps/jumpserver/conf.py
+++ b/apps/jumpserver/conf.py
@@ -157,6 +157,7 @@ class Config(dict):
         'DEFAULT_EXPIRED_YEARS': 70,
         'SESSION_COOKIE_DOMAIN': None,
         'CSRF_COOKIE_DOMAIN': None,
+        'SESSION_COOKIE_NAME_PREFIX': None,
         'SESSION_COOKIE_AGE': 3600 * 24,
         'SESSION_EXPIRE_AT_BROWSER_CLOSE': False,
         'LOGIN_URL': reverse_lazy('authentication:login'),
diff --git a/apps/jumpserver/settings/base.py b/apps/jumpserver/settings/base.py
index b7f48a814..b654a0365 100644
--- a/apps/jumpserver/settings/base.py
+++ b/apps/jumpserver/settings/base.py
@@ -94,10 +94,12 @@ MIDDLEWARE = [
     'authentication.backends.oidc.middleware.OIDCRefreshIDTokenMiddleware',
     'authentication.backends.cas.middleware.CASMiddleware',
     'authentication.middleware.MFAMiddleware',
+    'authentication.middleware.SessionCookieMiddleware',
     'simple_history.middleware.HistoryRequestMiddleware',
 ]
 
 ROOT_URLCONF = 'jumpserver.urls'
+
 TEMPLATES = [
     {
         'BACKEND': 'django.template.backends.django.DjangoTemplates',
@@ -127,6 +129,20 @@ LOGIN_URL = reverse_lazy('authentication:login')
 
 SESSION_COOKIE_DOMAIN = CONFIG.SESSION_COOKIE_DOMAIN
 CSRF_COOKIE_DOMAIN = CONFIG.SESSION_COOKIE_DOMAIN
+
+# 设置 SESSION_COOKIE_NAME_PREFIX_KEY
+# 解决 不同域 session csrf cookie 获取混乱问题
+SESSION_COOKIE_NAME_PREFIX_KEY = 'SESSION_COOKIE_NAME_PREFIX'
+SESSION_COOKIE_NAME_PREFIX = CONFIG.SESSION_COOKIE_NAME_PREFIX
+if SESSION_COOKIE_NAME_PREFIX is not None:
+    pass
+elif SESSION_COOKIE_DOMAIN is not None:
+    SESSION_COOKIE_NAME_PREFIX = SESSION_COOKIE_DOMAIN.split('.')[0]
+else:
+    SESSION_COOKIE_NAME_PREFIX = 'jms_'
+CSRF_COOKIE_NAME = '{}csrftoken'.format(SESSION_COOKIE_NAME_PREFIX)
+SESSION_COOKIE_NAME = '{}sessionid'.format(SESSION_COOKIE_NAME_PREFIX)
+
 SESSION_COOKIE_AGE = CONFIG.SESSION_COOKIE_AGE
 SESSION_EXPIRE_AT_BROWSER_CLOSE = True
 # 自定义的配置，SESSION_EXPIRE_AT_BROWSER_CLOSE 始终为 True, 下面这个来控制是否强制关闭后过期 cookie

From 10c146b07d2e15a3593636a0a94531eff78552d6 Mon Sep 17 00:00:00 2001
From: feng626 <1304903146@qq.com>
Date: Mon, 18 Apr 2022 11:31:53 +0800
Subject: [PATCH 034/258] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=E8=BF=9C?=
 =?UTF-8?q?=E7=A8=8B=E5=BA=94=E7=94=A8=E6=97=A0=E8=B5=84=E4=BA=A7=E4=B8=8B?=
 =?UTF-8?q?=E8=BD=BDxrdp=20file=20500=20=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/applications/models/application.py | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/apps/applications/models/application.py b/apps/applications/models/application.py
index 15e7dae14..af1e27c2d 100644
--- a/apps/applications/models/application.py
+++ b/apps/applications/models/application.py
@@ -288,15 +288,14 @@ class Application(CommonModelMixin, OrgModelMixin, ApplicationTreeNodeMixin):
             raise ValueError("Remote App not has asset attr")
 
     def get_target_ip(self):
+        target_ip = ''
         if self.category_remote_app:
             asset = self.get_remote_app_asset()
-            target_ip = asset.ip
+            target_ip = asset.ip if asset else target_ip
         elif self.category_cloud:
             target_ip = self.attrs.get('cluster')
         elif self.category_db:
             target_ip = self.attrs.get('host')
-        else:
-            target_ip = ''
         return target_ip
 
 

From 548a374c6dfe66b20351e49e9e8031f1d57f638c Mon Sep 17 00:00:00 2001
From: jiangweidong <weidong.jiang@fit2cloud.com>
Date: Fri, 15 Apr 2022 10:03:26 +0800
Subject: [PATCH 035/258] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=E9=83=A8?=
 =?UTF-8?q?=E7=BD=B2=E5=9C=A8=E6=B2=A1=E6=9C=89=E5=AF=86=E7=A0=81=E7=9A=84?=
 =?UTF-8?q?redis=E4=B8=8A=E6=97=B6=EF=BC=8C=E7=AB=99=E5=86=85=E4=BF=A1?=
 =?UTF-8?q?=E6=95=B0=E9=87=8F=E4=B8=8D=E6=9B=B4=E6=96=B0=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/jumpserver/settings/libs.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/jumpserver/settings/libs.py b/apps/jumpserver/settings/libs.py
index 03c10bf1f..59446b9de 100644
--- a/apps/jumpserver/settings/libs.py
+++ b/apps/jumpserver/settings/libs.py
@@ -101,7 +101,7 @@ CHANNEL_LAYERS = {
             "hosts": [{
                 'address': (CONFIG.REDIS_HOST, CONFIG.REDIS_PORT),
                 'db': CONFIG.REDIS_DB_WS,
-                'password': CONFIG.REDIS_PASSWORD,
+                'password': CONFIG.REDIS_PASSWORD or None,
                 'ssl':  context
             }],
         },

From 3eab621b28b8eabae474022d2681f49b1c589f7c Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Mon, 18 Apr 2022 15:17:28 +0800
Subject: [PATCH 036/258] =?UTF-8?q?feat:=20=E4=BC=98=E5=8C=96Endpoint?=
 =?UTF-8?q?=E8=BF=81=E7=A7=BB=E9=80=BB=E8=BE=91=EF=BC=8C=E5=A2=9E=E5=8A=A0?=
 =?UTF-8?q?XRDP=E8=A7=84=E5=88=99=E5=92=8CEndpoint?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

fix: 修改Endpoint迁移文件
---
 apps/jumpserver/conf.py                       |  2 +-
 .../migrations/0048_endpoint_endpointrule.py  | 60 +++++++++++++++----
 2 files changed, 48 insertions(+), 14 deletions(-)

diff --git a/apps/jumpserver/conf.py b/apps/jumpserver/conf.py
index 28ee9d8e9..ec35ae6e5 100644
--- a/apps/jumpserver/conf.py
+++ b/apps/jumpserver/conf.py
@@ -313,7 +313,7 @@ class Config(dict):
         'TERMINAL_HOST_KEY': '',
         'TERMINAL_TELNET_REGEX': '',
         'TERMINAL_COMMAND_STORAGE': {},
-        # 未来废弃(当下迁移会用)
+        # 未来废弃(目前迁移会用)
         'TERMINAL_RDP_ADDR': '',
         # 保留(Luna还在用)
         'TERMINAL_MAGNUS_ENABLED': True,
diff --git a/apps/terminal/migrations/0048_endpoint_endpointrule.py b/apps/terminal/migrations/0048_endpoint_endpointrule.py
index 9e75823e2..6400f710a 100644
--- a/apps/terminal/migrations/0048_endpoint_endpointrule.py
+++ b/apps/terminal/migrations/0048_endpoint_endpointrule.py
@@ -1,5 +1,6 @@
 # Generated by Django 3.1.14 on 2022-04-12 07:39
 
+import copy
 import common.fields.model
 import django.core.validators
 from django.db import migrations, models
@@ -9,7 +10,9 @@ from django.conf import settings
 
 
 def migrate_endpoints(apps, schema_editor):
-    endpoint_data = {
+    Endpoint = apps.get_model("terminal", "Endpoint")
+    # migrate default
+    default_data = {
         'id': '00000000-0000-0000-0000-000000000001',
         'name': 'Default',
         'host': '',
@@ -17,19 +20,50 @@ def migrate_endpoints(apps, schema_editor):
         'http_port': 0,
         'created_by': 'System'
     }
+    default_endpoint = Endpoint.objects.create(**default_data)
 
-    if settings.XRDP_ENABLED:
-        xrdp_addr = settings.TERMINAL_RDP_ADDR
-        if ':' in xrdp_addr:
-            hostname, port = xrdp_addr.strip().split(':')
-        else:
-            hostname, port = xrdp_addr, 3389
-        endpoint_data.update({
-            'host': '' if hostname.strip() in ['localhost', '127.0.0.1'] else hostname.strip(),
-            'rdp_port': int(port)
-        })
-    Endpoint = apps.get_model("terminal", "Endpoint")
-    Endpoint.objects.create(**endpoint_data)
+    if not settings.XRDP_ENABLED:
+        return
+    # migrate xrdp
+    xrdp_addr = settings.TERMINAL_RDP_ADDR
+    if ':' in xrdp_addr:
+        host, rdp_port = xrdp_addr.strip().split(':')
+    else:
+        host, rdp_port = xrdp_addr, 3389
+    host = host.strip()
+    if host in ['localhost', '127.0.0.1']:
+        host = ''
+    if not host:
+        return
+    if isinstance(rdp_port, str) and rdp_port.isdigit():
+        rdp_port = int(rdp_port)
+    elif isinstance(rdp_port, int) and (0 <= rdp_port <= 65535):
+        rdp_port = rdp_port
+    else:
+        rdp_port = 3389
+    xrdp_data = {
+        'name': 'XRDP',
+        'host': host,
+        'https_port': 0,
+        'http_port': 0,
+        'ssh_port': 0,
+        'rdp_port': rdp_port,
+        'mysql_port': 0,
+        'mariadb_port': 0,
+        'postgresql_port': 0,
+        'created_by': 'System'
+    }
+    xrdp_endpoint = Endpoint.objects.create(**xrdp_data)
+
+    EndpointRule = apps.get_model("terminal", "EndpointRule")
+    xrdp_rule_data = {
+        'name': 'XRDP',
+        'ip_group': ['*'],
+        'priority': 20,
+        'endpoint': xrdp_endpoint,
+        'created_by': 'System'
+    }
+    EndpointRule.objects.create(**xrdp_rule_data)
 
 
 class Migration(migrations.Migration):

From 4362f8d5afe2cd59c96ff580753b0e9554e9b90b Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Mon, 18 Apr 2022 17:17:23 +0800
Subject: [PATCH 037/258] =?UTF-8?q?perf:=20=E4=BC=98=E5=8C=96=E7=BB=84?=
 =?UTF-8?q?=E7=BB=87=20(#8080)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* perf: 优化用户的orgs

* perf: 优化组织

Co-authored-by: ibuler <ibuler@qq.com>
---
 apps/rbac/models/permission.py    |  1 -
 apps/rbac/models/role.py          | 14 ++++++++++++++
 apps/rbac/models/rolebinding.py   | 22 ++++++++++++++++++++++
 apps/users/models/user.py         | 29 +++++++++++++----------------
 apps/users/serializers/profile.py |  8 +++++---
 5 files changed, 54 insertions(+), 20 deletions(-)

diff --git a/apps/rbac/models/permission.py b/apps/rbac/models/permission.py
index a4ea91b15..bc8fa6231 100644
--- a/apps/rbac/models/permission.py
+++ b/apps/rbac/models/permission.py
@@ -90,4 +90,3 @@ class Permission(DjangoPermission):
         permissions = cls.objects.all()
         permissions = cls.clean_permissions(permissions, scope=scope)
         return permissions
-
diff --git a/apps/rbac/models/role.py b/apps/rbac/models/role.py
index b47bccb5b..98a226e6f 100644
--- a/apps/rbac/models/role.py
+++ b/apps/rbac/models/role.py
@@ -121,6 +121,20 @@ class Role(JMSModel):
     def is_org(self):
         return self.scope == const.Scope.org
 
+    @classmethod
+    def get_roles_by_perm(cls, perm):
+        app_label, codename = perm.split('.')
+        p = Permission.objects.filter(
+            codename=codename,
+            content_type__app_label=app_label
+        ).first()
+        if not p:
+            return p.roles.none()
+        role_ids = list(p.roles.all().values_list('id', flat=True))
+        admin_ids = [BuiltinRole.system_admin.id, BuiltinRole.org_admin.id]
+        role_ids += admin_ids
+        return cls.objects.filter(id__in=role_ids)
+
 
 class SystemRole(Role):
     objects = SystemRoleManager()
diff --git a/apps/rbac/models/rolebinding.py b/apps/rbac/models/rolebinding.py
index a2ee06022..643e38207 100644
--- a/apps/rbac/models/rolebinding.py
+++ b/apps/rbac/models/rolebinding.py
@@ -100,6 +100,28 @@ class RoleBinding(JMSModel):
     def is_scope_org(self):
         return self.scope == Scope.org
 
+    @classmethod
+    def get_user_has_the_perm_orgs(cls, perm, user):
+        from orgs.models import Organization
+
+        roles = Role.get_roles_by_perm(perm)
+        bindings = list(cls.objects.root_all().filter(role__in=roles, user=user))
+        system_bindings = [b for b in bindings if b.scope == Role.Scope.system.value]
+
+        if perm == 'rbac.view_workbench':
+            all_orgs = user.orgs.all()
+        else:
+            all_orgs = Organization.objects.all()
+
+        if system_bindings:
+            orgs = all_orgs
+        else:
+            org_ids = [b.org.id for b in bindings if b.org]
+            orgs = all_orgs.filter(id__in=org_ids)
+        if orgs and user.has_perm('orgs.view_rootorg'):
+            orgs = [Organization.root(), *list(orgs)]
+        return orgs
+
 
 class OrgRoleBindingManager(RoleBindingManager):
     def get_queryset(self):
diff --git a/apps/users/models/user.py b/apps/users/models/user.py
index ede795d13..80b938468 100644
--- a/apps/users/models/user.py
+++ b/apps/users/models/user.py
@@ -863,23 +863,20 @@ class User(AuthMixin, TokenMixin, RoleMixin, MFAMixin, AbstractUser):
             return None
         return self.SOURCE_BACKEND_MAPPING.get(self.source, [])
 
-    @property
-    def all_orgs(self):
-        from rbac.builtin import BuiltinRole
-        has_system_role = self.system_roles.all() \
-            .exclude(name=BuiltinRole.system_user.name) \
-            .exists()
-        if has_system_role:
-            orgs = list(Organization.objects.all())
-        else:
-            orgs = list(self.orgs.distinct())
-        if self.has_perm('orgs.view_rootorg'):
-            orgs = [Organization.root()] + orgs
-        return orgs
+    @lazyproperty
+    def console_orgs(self):
+        from rbac.models import RoleBinding
+        return RoleBinding.get_user_has_the_perm_orgs('rbac.view_console', self)
 
-    @property
-    def my_orgs(self):
-        return list(self.orgs.distinct())
+    @lazyproperty
+    def audit_orgs(self):
+        from rbac.models import RoleBinding
+        return RoleBinding.get_user_has_the_perm_orgs('rbac.view_audit', self)
+
+    @lazyproperty
+    def workbench_orgs(self):
+        from rbac.models import RoleBinding
+        return RoleBinding.get_user_has_the_perm_orgs('rbac.view_workbench', self)
 
     class Meta:
         ordering = ['username']
diff --git a/apps/users/serializers/profile.py b/apps/users/serializers/profile.py
index 55083c23d..ac9671d23 100644
--- a/apps/users/serializers/profile.py
+++ b/apps/users/serializers/profile.py
@@ -121,14 +121,16 @@ class UserProfileSerializer(UserSerializer):
     mfa_level = serializers.ChoiceField(choices=MFA_LEVEL_CHOICES, label=_('MFA'), required=False)
     guide_url = serializers.SerializerMethodField()
     receive_backends = serializers.ListField(child=serializers.CharField(), read_only=True)
-    orgs = UserOrgSerializer(many=True, read_only=True, source='all_orgs')
-    myorgs = UserOrgSerializer(many=True, read_only=True, source='my_orgs')
+    console_orgs = UserOrgSerializer(many=True, read_only=True)
+    audit_orgs = UserOrgSerializer(many=True, read_only=True)
+    workbench_orgs = UserOrgSerializer(many=True, read_only=True)
     perms = serializers.ListField(label=_("Perms"), read_only=True)
 
     class Meta(UserSerializer.Meta):
         read_only_fields = [
             'date_joined', 'last_login', 'created_by', 'source',
-            'receive_backends', 'orgs', 'myorgs', 'perms',
+            'console_orgs', 'audit_orgs', 'workbench_orgs',
+            'receive_backends', 'perms',
         ]
         fields = UserSerializer.Meta.fields + [
             'public_key_comment', 'public_key_hash_md5', 'guide_url',

From fe47e4058865f9468d9da87e8ec23c41fb627471 Mon Sep 17 00:00:00 2001
From: feng626 <1304903146@qq.com>
Date: Mon, 18 Apr 2022 18:45:38 +0800
Subject: [PATCH 038/258] fix: es6 create index fail

---
 apps/terminal/backends/command/es.py | 46 ++++++++++++++++------------
 1 file changed, 27 insertions(+), 19 deletions(-)

diff --git a/apps/terminal/backends/command/es.py b/apps/terminal/backends/command/es.py
index 2e8a82c88..c7ae7060e 100644
--- a/apps/terminal/backends/command/es.py
+++ b/apps/terminal/backends/command/es.py
@@ -59,10 +59,15 @@ class CommandStore(object):
             data = self.es.indices.get_mapping(self.index)
         except NotFoundError:
             return False
-
+        info = self.es.info()
+        version = info['version']['number'].split('.')[0]
         try:
-            # 检测索引是不是新的类型
-            properties = data[self.index]['mappings']['properties']
+            if version == '6':
+                # 检测索引是不是新的类型 es6
+                properties = data[self.index]['mappings']['data']['properties']
+            else:
+                # 检测索引是不是新的类型 es7 default index type: _doc
+                properties = data[self.index]['mappings']['properties']
             if properties['session']['type'] == 'keyword' \
                     and properties['org_id']['type'] == 'keyword':
                 return True
@@ -75,27 +80,30 @@ class CommandStore(object):
         self._ensure_index_exists()
 
     def _ensure_index_exists(self):
-        mappings = {
-            "mappings": {
-                "properties": {
-                    "session": {
-                        "type": "keyword"
-                    },
-                    "org_id": {
-                        "type": "keyword"
-                    },
-                    "@timestamp": {
-                        "type": "date"
-                    },
-                    "timestamp": {
-                        "type": "long"
-                    }
-                }
+        properties = {
+            "session": {
+                "type": "keyword"
+            },
+            "org_id": {
+                "type": "keyword"
+            },
+            "@timestamp": {
+                "type": "date"
+            },
+            "timestamp": {
+                "type": "long"
             }
         }
+        info = self.es.info()
+        version = info['version']['number'].split('.')[0]
+        if version == '6':
+            mappings = {'mappings': {'data': {'properties': properties}}}
+        else:
+            mappings = {'mappings': {'properties': properties}}
 
         try:
             self.es.indices.create(self.index, body=mappings)
+            return
         except RequestError as e:
             logger.exception(e)
 

From 7b2d51f343c803499c1eb96d408fc114424836c8 Mon Sep 17 00:00:00 2001
From: feng626 <1304903146@qq.com>
Date: Mon, 18 Apr 2022 14:52:41 +0800
Subject: [PATCH 039/258] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=E8=A7=92?=
 =?UTF-8?q?=E8=89=B2=E8=BF=87=E6=BB=A4=E5=A4=B1=E8=B4=A5?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/rbac/api/role.py |  5 +++--
 apps/rbac/filters.py  | 25 +++++++++++++++++++++++++
 2 files changed, 28 insertions(+), 2 deletions(-)
 create mode 100644 apps/rbac/filters.py

diff --git a/apps/rbac/api/role.py b/apps/rbac/api/role.py
index a11edc409..ceb2e9c19 100644
--- a/apps/rbac/api/role.py
+++ b/apps/rbac/api/role.py
@@ -4,6 +4,7 @@ from rest_framework.exceptions import PermissionDenied
 from rest_framework.decorators import action
 
 from common.drf.api import JMSModelViewSet
+from ..filters import RoleFilter
 from ..serializers import RoleSerializer, RoleUserSerializer
 from ..models import Role, SystemRole, OrgRole
 from .permission import PermissionViewSet
@@ -20,8 +21,8 @@ class RoleViewSet(JMSModelViewSet):
         'default': RoleSerializer,
         'users': RoleUserSerializer,
     }
-    filterset_fields = ['name', 'scope', 'builtin']
-    search_fields = filterset_fields
+    filterset_class = RoleFilter
+    search_fields = ('name', 'scope', 'builtin')
     rbac_perms = {
         'users': 'rbac.view_rolebinding'
     }
diff --git a/apps/rbac/filters.py b/apps/rbac/filters.py
new file mode 100644
index 000000000..f9a936b66
--- /dev/null
+++ b/apps/rbac/filters.py
@@ -0,0 +1,25 @@
+from django_filters import rest_framework as filters
+
+from common.drf.filters import BaseFilterSet
+from rbac.models import Role
+
+
+class RoleFilter(BaseFilterSet):
+    name = filters.CharFilter(method='filter_name')
+
+    class Meta:
+        model = Role
+        fields = ('name', 'scope', 'builtin')
+
+    @staticmethod
+    def filter_name(queryset, name, value):
+        builtin_ids = []
+        for role in queryset.filter(builtin=True):
+            if value in role.display_name:
+                builtin_ids.append(role.id)
+        if builtin_ids:
+            builtin_qs = queryset.model.objects.filter(id__in=builtin_ids)
+        else:
+            builtin_qs = queryset.model.objects.none()
+        queryset = queryset.filter(name__icontains=value)
+        return queryset | builtin_qs

From f4ed4e1176d0168762084938f2d3250b3bd7a815 Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Mon, 18 Apr 2022 19:50:51 +0800
Subject: [PATCH 040/258] =?UTF-8?q?perf:=20=E6=B7=BB=E5=8A=A0=20temp=20tok?=
 =?UTF-8?q?en=20=E6=8E=92=E5=BA=8F?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/authentication/api/temp_token.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/apps/authentication/api/temp_token.py b/apps/authentication/api/temp_token.py
index 98c1d74d6..a8fcc02af 100644
--- a/apps/authentication/api/temp_token.py
+++ b/apps/authentication/api/temp_token.py
@@ -15,7 +15,7 @@ class TempTokenViewSet(JMSModelViewSet):
 
     def get_queryset(self):
         username = self.request.user.username
-        return TempToken.objects.filter(username=username)
+        return TempToken.objects.filter(username=username).order_by('-date_created')
 
     @action(methods=['PATCH'], detail=True, url_path='expire')
     def expire(self, *args, **kwargs):
@@ -24,4 +24,3 @@ class TempTokenViewSet(JMSModelViewSet):
         instance.save()
         serializer = self.get_serializer(instance)
         return Response(serializer.data)
-

From 3e3835dc28cce7d94ce270bbf6fdc17fee6e3526 Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Tue, 19 Apr 2022 10:34:17 +0800
Subject: [PATCH 041/258] =?UTF-8?q?perf:=20=E4=BF=AE=E6=94=B9=E7=94=A8?=
 =?UTF-8?q?=E6=88=B7=E6=9D=83=E9=99=90?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/authentication/migrations/0010_temptoken.py    |  2 +-
 apps/rbac/builtin.py                                | 13 ++++++++-----
 .../migrations/0048_endpoint_endpointrule.py        |  6 +++---
 3 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/apps/authentication/migrations/0010_temptoken.py b/apps/authentication/migrations/0010_temptoken.py
index 914188d3f..b76ae0f97 100644
--- a/apps/authentication/migrations/0010_temptoken.py
+++ b/apps/authentication/migrations/0010_temptoken.py
@@ -23,7 +23,7 @@ class Migration(migrations.Migration):
                 ('secret', models.CharField(max_length=64, verbose_name='Secret')),
                 ('verified', models.BooleanField(default=False, verbose_name='Verified')),
                 ('date_verified', models.DateTimeField(null=True, verbose_name='Date verified')),
-                ('date_expired', models.DateTimeField(verbose_name='Date verified')),
+                ('date_expired', models.DateTimeField(verbose_name='Date expired')),
             ],
             options={
                 'verbose_name': 'Temporary token',
diff --git a/apps/rbac/builtin.py b/apps/rbac/builtin.py
index d8e84a554..a199c149c 100644
--- a/apps/rbac/builtin.py
+++ b/apps/rbac/builtin.py
@@ -2,6 +2,13 @@ from django.utils.translation import ugettext_noop
 
 from .const import Scope, system_exclude_permissions, org_exclude_permissions
 
+system_user_perms = (
+    ('authentication', 'connectiontoken', 'add', 'connectiontoken'),
+    ('authentication', 'temptoken', 'add', 'temptoken'),
+    ('tickets', 'ticket', 'view', 'ticket'),
+    ('orgs', 'organization', 'view', 'rootorg'),
+)
+
 # Todo: 获取应该区分 系统用户，和组织用户的权限
 # 工作台也区分组织后再考虑
 user_perms = (
@@ -15,10 +22,6 @@ user_perms = (
     ('assets', 'node', 'match', 'node'),
     ('applications', 'application', 'match', 'application'),
     ('ops', 'commandexecution', 'add', 'commandexecution'),
-    ('authentication', 'connectiontoken', 'add', 'connectiontoken'),
-    ('authentication', 'temptoken', 'add', 'temptoken'),
-    ('tickets', 'ticket', 'view', 'ticket'),
-    ('orgs', 'organization', 'view', 'rootorg'),
 )
 
 auditor_perms = user_perms + (
@@ -104,7 +107,7 @@ class BuiltinRole:
         '4', ugettext_noop('SystemComponent'), Scope.system, app_exclude_perms, 'exclude'
     )
     system_user = PredefineRole(
-        '3', ugettext_noop('User'), Scope.system, user_perms
+        '3', ugettext_noop('User'), Scope.system, system_user_perms
     )
     org_admin = PredefineRole(
         '5', ugettext_noop('OrgAdmin'), Scope.org, []
diff --git a/apps/terminal/migrations/0048_endpoint_endpointrule.py b/apps/terminal/migrations/0048_endpoint_endpointrule.py
index 6400f710a..a03d19e98 100644
--- a/apps/terminal/migrations/0048_endpoint_endpointrule.py
+++ b/apps/terminal/migrations/0048_endpoint_endpointrule.py
@@ -20,7 +20,7 @@ def migrate_endpoints(apps, schema_editor):
         'http_port': 0,
         'created_by': 'System'
     }
-    default_endpoint = Endpoint.objects.create(**default_data)
+    Endpoint.objects.create(**default_data)
 
     if not settings.XRDP_ENABLED:
         return
@@ -81,8 +81,8 @@ class Migration(migrations.Migration):
                 ('date_created', models.DateTimeField(auto_now_add=True, null=True, verbose_name='Date created')),
                 ('date_updated', models.DateTimeField(auto_now=True, verbose_name='Date updated')),
                 ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
-                ('name', models.CharField(max_length=128, unique=True, blank=True, verbose_name='Name')),
-                ('host', models.CharField(max_length=256, verbose_name='Host')),
+                ('name', models.CharField(max_length=128, unique=True, verbose_name='Name')),
+                ('host', models.CharField(max_length=256, verbose_name='Host', blank=True)),
                 ('https_port', common.fields.model.PortField(default=443, validators=[django.core.validators.MinValueValidator(0), django.core.validators.MaxValueValidator(65535)], verbose_name='HTTPS Port')),
                 ('http_port', common.fields.model.PortField(default=80, validators=[django.core.validators.MinValueValidator(0), django.core.validators.MaxValueValidator(65535)], verbose_name='HTTP Port')),
                 ('ssh_port', common.fields.model.PortField(default=2222, validators=[django.core.validators.MinValueValidator(0), django.core.validators.MaxValueValidator(65535)], verbose_name='SSH Port')),

From 516cb05d69a9e59a4de72909987f6dfb251b38d0 Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Tue, 19 Apr 2022 11:30:07 +0800
Subject: [PATCH 042/258] =?UTF-8?q?perf:=20=E4=BF=AE=E6=94=B9=E7=BF=BB?=
 =?UTF-8?q?=E8=AF=91?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/assets/serializers/cmd_filter.py |  14 +-
 apps/locale/ja/LC_MESSAGES/django.po  | 193 ++++++++++++-------------
 apps/locale/zh/LC_MESSAGES/django.po  | 199 +++++++++++++-------------
 3 files changed, 198 insertions(+), 208 deletions(-)

diff --git a/apps/assets/serializers/cmd_filter.py b/apps/assets/serializers/cmd_filter.py
index a57fab72a..9a33dd6fa 100644
--- a/apps/assets/serializers/cmd_filter.py
+++ b/apps/assets/serializers/cmd_filter.py
@@ -31,24 +31,24 @@ class CommandFilterSerializer(BulkOrgResourceModelSerializer):
 
 
 class CommandFilterRuleSerializer(BulkOrgResourceModelSerializer):
-    type_display = serializers.ReadOnlyField(source='get_type_display')
-    action_display = serializers.ReadOnlyField(source='get_action_display')
+    type_display = serializers.ReadOnlyField(source='get_type_display', label=_("Type display"))
+    action_display = serializers.ReadOnlyField(source='get_action_display', label=_("Action display"))
 
     class Meta:
         model = CommandFilterRule
         fields_mini = ['id']
         fields_small = fields_mini + [
-           'type', 'type_display', 'content', 'ignore_case', 'pattern', 'priority',
-           'action', 'action_display', 'reviewers',
-           'date_created', 'date_updated',
-           'comment', 'created_by',
+            'type', 'type_display', 'content', 'ignore_case', 'pattern',
+            'priority', 'action', 'action_display', 'reviewers',
+            'date_created', 'date_updated', 'comment', 'created_by',
         ]
         fields_fk = ['filter']
         fields = fields_small + fields_fk
         extra_kwargs = {
             'date_created': {'label': _("Date created")},
             'date_updated': {'label': _("Date updated")},
-            'action_display': {'label': _("Action display")}
+            'action_display': {'label': _("Action display")},
+            'pattern': {'label': _("Pattern")}
         }
 
     def __init__(self, *args, **kwargs):
diff --git a/apps/locale/ja/LC_MESSAGES/django.po b/apps/locale/ja/LC_MESSAGES/django.po
index b7026603b..40ee2d43c 100644
--- a/apps/locale/ja/LC_MESSAGES/django.po
+++ b/apps/locale/ja/LC_MESSAGES/django.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-04-13 20:35+0800\n"
+"POT-Creation-Date: 2022-04-19 11:24+0800\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -33,7 +33,7 @@ msgstr "Acls"
 #: terminal/models/storage.py:23 terminal/models/task.py:16
 #: terminal/models/terminal.py:100 users/forms/profile.py:32
 #: users/models/group.py:15 users/models/user.py:661
-#: xpack/plugins/cloud/models.py:28
+#: xpack/plugins/cloud/models.py:27
 msgid "Name"
 msgstr "名前"
 
@@ -66,7 +66,7 @@ msgstr "アクティブ"
 #: tickets/models/comment.py:24 tickets/models/ticket.py:154
 #: users/models/group.py:16 users/models/user.py:698
 #: xpack/plugins/change_auth_plan/models/base.py:44
-#: xpack/plugins/cloud/models.py:35 xpack/plugins/cloud/models.py:116
+#: xpack/plugins/cloud/models.py:34 xpack/plugins/cloud/models.py:115
 #: xpack/plugins/gathered_user/models.py:26
 msgid "Comment"
 msgstr "コメント"
@@ -92,8 +92,8 @@ msgstr "ログイン確認"
 #: terminal/backends/command/models.py:20
 #: terminal/backends/command/serializers.py:12 terminal/models/session.py:44
 #: terminal/notifications.py:91 terminal/notifications.py:139
-#: tickets/models/comment.py:17 users/const.py:14 users/models/user.py:886
-#: users/models/user.py:917 users/serializers/group.py:19
+#: tickets/models/comment.py:17 users/const.py:14 users/models/user.py:883
+#: users/models/user.py:914 users/serializers/group.py:19
 msgid "User"
 msgstr "ユーザー"
 
@@ -134,7 +134,7 @@ msgstr "システムユーザー"
 #: terminal/notifications.py:90
 #: xpack/plugins/change_auth_plan/models/asset.py:199
 #: xpack/plugins/change_auth_plan/serializers/asset.py:180
-#: xpack/plugins/cloud/models.py:223
+#: xpack/plugins/cloud/models.py:222
 msgid "Asset"
 msgstr "資産"
 
@@ -318,8 +318,8 @@ msgstr "タイプ"
 msgid "Domain"
 msgstr "ドメイン"
 
-#: applications/models/application.py:228 xpack/plugins/cloud/models.py:33
-#: xpack/plugins/cloud/serializers/account.py:59
+#: applications/models/application.py:228 xpack/plugins/cloud/models.py:32
+#: xpack/plugins/cloud/serializers/account.py:58
 msgid "Attrs"
 msgstr "ツールバーの"
 
@@ -327,7 +327,7 @@ msgstr "ツールバーの"
 msgid "Can match application"
 msgstr "アプリケーションを一致させることができます"
 
-#: applications/models/application.py:306
+#: applications/models/application.py:305
 msgid "Application user"
 msgstr "アプリケーションユーザー"
 
@@ -340,8 +340,8 @@ msgstr "カテゴリ表示"
 
 #: applications/serializers/application.py:71
 #: applications/serializers/application.py:102
-#: assets/serializers/system_user.py:27 audits/serializers.py:29
-#: perms/serializers/application/permission.py:19
+#: assets/serializers/cmd_filter.py:34 assets/serializers/system_user.py:27
+#: audits/serializers.py:29 perms/serializers/application/permission.py:19
 #: tickets/serializers/ticket/meta/ticket_type/apply_application.py:33
 #: tickets/serializers/ticket/ticket.py:21
 #: tickets/serializers/ticket/ticket.py:173
@@ -353,17 +353,17 @@ msgstr "タイプ表示"
 #: assets/models/domain.py:26 assets/models/gathered_user.py:19
 #: assets/models/group.py:22 assets/models/label.py:25
 #: assets/serializers/account.py:18 assets/serializers/cmd_filter.py:28
-#: assets/serializers/cmd_filter.py:49 common/db/models.py:113
+#: assets/serializers/cmd_filter.py:48 common/db/models.py:113
 #: common/mixins/models.py:50 ops/models/adhoc.py:39 ops/models/command.py:30
 #: orgs/models.py:67 orgs/models.py:217 perms/models/base.py:92
-#: users/models/group.py:18 users/models/user.py:918
-#: xpack/plugins/cloud/models.py:125
+#: users/models/group.py:18 users/models/user.py:915
+#: xpack/plugins/cloud/models.py:124
 msgid "Date created"
 msgstr "作成された日付"
 
 #: applications/serializers/application.py:104 assets/models/base.py:182
 #: assets/models/gathered_user.py:20 assets/serializers/account.py:21
-#: assets/serializers/cmd_filter.py:29 assets/serializers/cmd_filter.py:50
+#: assets/serializers/cmd_filter.py:29 assets/serializers/cmd_filter.py:49
 #: common/db/models.py:114 common/mixins/models.py:51 ops/models/adhoc.py:40
 #: orgs/models.py:218
 msgid "Date updated"
@@ -572,7 +572,7 @@ msgstr "ホスト名生"
 
 #: assets/models/asset.py:215 assets/serializers/account.py:16
 #: assets/serializers/asset.py:65 perms/serializers/asset/user_permission.py:41
-#: xpack/plugins/cloud/models.py:107 xpack/plugins/cloud/serializers/task.py:42
+#: xpack/plugins/cloud/models.py:106 xpack/plugins/cloud/serializers/task.py:42
 msgid "Protocols"
 msgstr "プロトコル"
 
@@ -612,7 +612,7 @@ msgstr "ラベル"
 #: orgs/models.py:219 perms/models/base.py:91 users/models/user.py:706
 #: users/serializers/group.py:33
 #: xpack/plugins/change_auth_plan/models/base.py:48
-#: xpack/plugins/cloud/models.py:122 xpack/plugins/gathered_user/models.py:30
+#: xpack/plugins/cloud/models.py:121 xpack/plugins/gathered_user/models.py:30
 msgid "Created by"
 msgstr "によって作成された"
 
@@ -716,7 +716,7 @@ msgstr "トリガーモード"
 #: xpack/plugins/change_auth_plan/models/base.py:201
 #: xpack/plugins/change_auth_plan/serializers/app.py:66
 #: xpack/plugins/change_auth_plan/serializers/asset.py:179
-#: xpack/plugins/cloud/models.py:179
+#: xpack/plugins/cloud/models.py:178
 msgid "Reason"
 msgstr "理由"
 
@@ -744,7 +744,7 @@ msgstr "OK"
 #: assets/models/base.py:32 audits/models.py:116
 #: xpack/plugins/change_auth_plan/serializers/app.py:88
 #: xpack/plugins/change_auth_plan/serializers/asset.py:198
-#: xpack/plugins/cloud/const.py:31
+#: xpack/plugins/cloud/const.py:30
 msgid "Failed"
 msgstr "失敗しました"
 
@@ -815,7 +815,7 @@ msgid "Default"
 msgstr "デフォルト"
 
 #: assets/models/cluster.py:36 assets/models/label.py:14 rbac/const.py:6
-#: users/models/user.py:903
+#: users/models/user.py:900
 msgid "System"
 msgstr "システム"
 
@@ -954,7 +954,7 @@ msgid "Parent key"
 msgstr "親キー"
 
 #: assets/models/node.py:559 assets/serializers/system_user.py:263
-#: xpack/plugins/cloud/models.py:96 xpack/plugins/cloud/serializers/task.py:69
+#: xpack/plugins/cloud/models.py:95 xpack/plugins/cloud/serializers/task.py:69
 msgid "Node"
 msgstr "ノード"
 
@@ -1126,10 +1126,14 @@ msgstr "キーパスワード"
 msgid "private key invalid or passphrase error"
 msgstr "秘密鍵が無効またはpassphraseエラー"
 
-#: assets/serializers/cmd_filter.py:51
+#: assets/serializers/cmd_filter.py:35 assets/serializers/cmd_filter.py:50
 msgid "Action display"
 msgstr "アクション表示"
 
+#: assets/serializers/cmd_filter.py:51 ops/models/adhoc.py:155
+msgid "Pattern"
+msgstr "パターン"
+
 #: assets/serializers/domain.py:13 assets/serializers/label.py:12
 #: assets/serializers/system_user.py:59
 #: perms/serializers/asset/permission.py:49
@@ -1482,8 +1486,8 @@ msgid "MFA"
 msgstr "MFA"
 
 #: audits/models.py:126 terminal/models/status.py:33
-#: tickets/models/ticket.py:140 xpack/plugins/cloud/models.py:175
-#: xpack/plugins/cloud/models.py:227
+#: tickets/models/ticket.py:140 xpack/plugins/cloud/models.py:174
+#: xpack/plugins/cloud/models.py:226
 msgid "Status"
 msgstr "ステータス"
 
@@ -1520,7 +1524,7 @@ msgid "Hosts display"
 msgstr "ホスト表示"
 
 #: audits/serializers.py:96 ops/models/command.py:27
-#: xpack/plugins/cloud/models.py:173
+#: xpack/plugins/cloud/models.py:172
 msgid "Result"
 msgstr "結果"
 
@@ -2177,7 +2181,7 @@ msgstr "コードエラー"
 #: authentication/templates/authentication/_msg_reset_password.html:3
 #: authentication/templates/authentication/_msg_rest_password_success.html:2
 #: authentication/templates/authentication/_msg_rest_public_key_success.html:2
-#: jumpserver/conf.py:298 ops/tasks.py:145 ops/tasks.py:148
+#: jumpserver/conf.py:299 ops/tasks.py:145 ops/tasks.py:148
 #: perms/templates/perms/_msg_item_permissions_expire.html:3
 #: perms/templates/perms/_msg_permed_items_expire.html:3
 #: users/templates/users/_msg_account_expire_reminder.html:4
@@ -2638,11 +2642,11 @@ msgstr "特殊文字を含むべきではない"
 msgid "The mobile phone number format is incorrect"
 msgstr "携帯電話番号の形式が正しくありません"
 
-#: jumpserver/conf.py:297
+#: jumpserver/conf.py:298
 msgid "Create account successfully"
 msgstr "アカウントを正常に作成"
 
-#: jumpserver/conf.py:299
+#: jumpserver/conf.py:300
 msgid "Your account has been created successfully"
 msgstr "アカウントが正常に作成されました"
 
@@ -2765,10 +2769,6 @@ msgstr "タスクモニターを表示できます"
 msgid "Tasks"
 msgstr "タスク"
 
-#: ops/models/adhoc.py:155
-msgid "Pattern"
-msgstr "パターン"
-
 #: ops/models/adhoc.py:156
 msgid "Options"
 msgstr "オプション"
@@ -3106,15 +3106,15 @@ msgstr "質問があったら、管理者に連絡して下さい"
 msgid "My applications"
 msgstr "私のアプリケーション"
 
-#: rbac/api/role.py:32
+#: rbac/api/role.py:33
 msgid "Internal role, can't be destroy"
 msgstr "内部の役割は、破壊することはできません"
 
-#: rbac/api/role.py:36
+#: rbac/api/role.py:37
 msgid "The role has been bound to users, can't be destroy"
 msgstr "ロールはユーザーにバインドされており、破壊することはできません"
 
-#: rbac/api/role.py:43
+#: rbac/api/role.py:44
 msgid "Internal role, can't be update"
 msgstr "内部ロール、更新できません"
 
@@ -3190,11 +3190,11 @@ msgstr "権限"
 msgid "Built-in"
 msgstr "内蔵"
 
-#: rbac/models/role.py:130
+#: rbac/models/role.py:144
 msgid "System role"
 msgstr "システムの役割"
 
-#: rbac/models/role.py:138
+#: rbac/models/role.py:152
 msgid "Organization role"
 msgstr "組織の役割"
 
@@ -3202,22 +3202,22 @@ msgstr "組織の役割"
 msgid "Role binding"
 msgstr "ロールバインディング"
 
-#: rbac/models/rolebinding.py:128
+#: rbac/models/rolebinding.py:150
 msgid ""
 "User last role in org, can not be delete, you can remove user from org "
 "instead"
 msgstr ""
 "ユーザーの最後のロールは削除できません。ユーザーを組織から削除できます。"
 
-#: rbac/models/rolebinding.py:135
+#: rbac/models/rolebinding.py:157
 msgid "Organization role binding"
 msgstr "組織の役割バインディング"
 
-#: rbac/models/rolebinding.py:150
+#: rbac/models/rolebinding.py:172
 msgid "System role binding"
 msgstr "システムロールバインディング"
 
-#: rbac/serializers/permission.py:26 users/serializers/profile.py:126
+#: rbac/serializers/permission.py:26 users/serializers/profile.py:127
 msgid "Perms"
 msgstr "パーマ"
 
@@ -4541,11 +4541,11 @@ msgstr ""
 "WindowsはクライアントをダウンロードしてSSH資産に接続する必要があり、macOSシス"
 "テムは独自のTerminalを採用している。"
 
-#: templates/resource_download.html:51
+#: templates/resource_download.html:53
 msgid "Windows Remote application publisher tools"
 msgstr "Windowsリモートアプリケーション発行者ツール"
 
-#: templates/resource_download.html:52
+#: templates/resource_download.html:54
 msgid ""
 "Jmservisor is the program used to pull up remote applications in Windows "
 "Remote Application publisher"
@@ -4557,7 +4557,7 @@ msgstr ""
 msgid "Filters"
 msgstr "フィルター"
 
-#: terminal/api/endpoint.py:65
+#: terminal/api/endpoint.py:63
 msgid "Not found protocol query params"
 msgstr ""
 
@@ -4953,7 +4953,7 @@ msgstr "バケット"
 msgid "Secret key"
 msgstr "秘密キー"
 
-#: terminal/serializers/storage.py:64 xpack/plugins/cloud/models.py:220
+#: terminal/serializers/storage.py:64 xpack/plugins/cloud/models.py:219
 msgid "Region"
 msgstr "リージョン"
 
@@ -5546,7 +5546,7 @@ msgid "Public key should not be the same as your old one."
 msgstr "公開鍵は古いものと同じであってはなりません。"
 
 #: users/forms/profile.py:149 users/serializers/profile.py:95
-#: users/serializers/profile.py:176 users/serializers/profile.py:203
+#: users/serializers/profile.py:178 users/serializers/profile.py:205
 msgid "Not a valid ssh public key"
 msgstr "有効なssh公開鍵ではありません"
 
@@ -5590,27 +5590,27 @@ msgstr "最終更新日パスワード"
 msgid "Need update password"
 msgstr "更新パスワードが必要"
 
-#: users/models/user.py:888
+#: users/models/user.py:885
 msgid "Can invite user"
 msgstr "ユーザーを招待できます"
 
-#: users/models/user.py:889
+#: users/models/user.py:886
 msgid "Can remove user"
 msgstr "ユーザーを削除できます"
 
-#: users/models/user.py:890
+#: users/models/user.py:887
 msgid "Can match user"
 msgstr "ユーザーに一致できます"
 
-#: users/models/user.py:899
+#: users/models/user.py:896
 msgid "Administrator"
 msgstr "管理者"
 
-#: users/models/user.py:902
+#: users/models/user.py:899
 msgid "Administrator is the super user of system"
 msgstr "管理者はシステムのスーパーユーザーです"
 
-#: users/models/user.py:927
+#: users/models/user.py:924
 msgid "User password history"
 msgstr "ユーザーパスワード履歴"
 
@@ -5649,7 +5649,7 @@ msgstr "MFAのリセット"
 msgid "The old password is incorrect"
 msgstr "古いパスワードが正しくありません"
 
-#: users/serializers/profile.py:36 users/serializers/profile.py:190
+#: users/serializers/profile.py:36 users/serializers/profile.py:192
 msgid "Password does not match security rules"
 msgstr "パスワードがセキュリティルールと一致しない"
 
@@ -5661,7 +5661,7 @@ msgstr "新しいパスワードを最後の {} 個のパスワードにする
 msgid "The newly set password is inconsistent"
 msgstr "新しく設定されたパスワードが一致しない"
 
-#: users/serializers/profile.py:142 users/serializers/user.py:140
+#: users/serializers/profile.py:144 users/serializers/user.py:140
 msgid "Is first login"
 msgstr "最初のログインです"
 
@@ -6225,62 +6225,58 @@ msgid "Baidu Cloud"
 msgstr "百度雲"
 
 #: xpack/plugins/cloud/const.py:15
-msgid "JD Cloud"
-msgstr "京東雲"
-
-#: xpack/plugins/cloud/const.py:16
 msgid "Tencent Cloud"
 msgstr "テンセント雲"
 
-#: xpack/plugins/cloud/const.py:17
+#: xpack/plugins/cloud/const.py:16
 msgid "VMware"
 msgstr "VMware"
 
-#: xpack/plugins/cloud/const.py:18 xpack/plugins/cloud/providers/nutanix.py:13
+#: xpack/plugins/cloud/const.py:17 xpack/plugins/cloud/providers/nutanix.py:13
 msgid "Nutanix"
 msgstr "Nutanix"
 
-#: xpack/plugins/cloud/const.py:19
+#: xpack/plugins/cloud/const.py:18
 msgid "Huawei Private Cloud"
 msgstr "華為私有雲"
 
-#: xpack/plugins/cloud/const.py:20
+#: xpack/plugins/cloud/const.py:19
 msgid "Qingyun Private Cloud"
 msgstr "青雲私有雲"
 
-#: xpack/plugins/cloud/const.py:21
+#: xpack/plugins/cloud/const.py:20
 msgid "OpenStack"
 msgstr "OpenStack"
 
-#: xpack/plugins/cloud/const.py:22
+#: xpack/plugins/cloud/const.py:21
 msgid "Google Cloud Platform"
 msgstr "谷歌雲"
 
-#: xpack/plugins/cloud/const.py:26
+#: xpack/plugins/cloud/const.py:25
 msgid "Instance name"
 msgstr "インスタンス名"
 
-#: xpack/plugins/cloud/const.py:27
+#: xpack/plugins/cloud/const.py:26
 msgid "Instance name and Partial IP"
 msgstr "インスタンス名と部分IP"
 
-#: xpack/plugins/cloud/const.py:32
+#: xpack/plugins/cloud/const.py:31
 msgid "Succeed"
 msgstr "成功"
 
-#: xpack/plugins/cloud/const.py:36
+#: xpack/plugins/cloud/const.py:35
 msgid "Unsync"
 msgstr "同期していません"
 
-#: xpack/plugins/cloud/const.py:37
+#: xpack/plugins/cloud/const.py:36
 msgid "New Sync"
 msgstr "新しい同期"
 
-#: xpack/plugins/cloud/const.py:38
+#: xpack/plugins/cloud/const.py:37
 msgid "Synced"
 msgstr "同期済み"
 
-#: xpack/plugins/cloud/const.py:39
+#: xpack/plugins/cloud/const.py:38
 msgid "Released"
 msgstr "リリース済み"
 
@@ -6288,79 +6284,79 @@ msgstr "リリース済み"
 msgid "Cloud center"
 msgstr "クラウドセンター"
 
-#: xpack/plugins/cloud/models.py:30
+#: xpack/plugins/cloud/models.py:29
 msgid "Provider"
 msgstr "プロバイダー"
 
-#: xpack/plugins/cloud/models.py:34
+#: xpack/plugins/cloud/models.py:33
 msgid "Validity"
 msgstr "有効性"
 
-#: xpack/plugins/cloud/models.py:39
+#: xpack/plugins/cloud/models.py:38
 msgid "Cloud account"
 msgstr "クラウドアカウント"
 
-#: xpack/plugins/cloud/models.py:41
+#: xpack/plugins/cloud/models.py:40
 msgid "Test cloud account"
 msgstr "クラウドアカウントのテスト"
 
-#: xpack/plugins/cloud/models.py:85 xpack/plugins/cloud/serializers/task.py:66
+#: xpack/plugins/cloud/models.py:84 xpack/plugins/cloud/serializers/task.py:66
 msgid "Account"
 msgstr "アカウント"
 
-#: xpack/plugins/cloud/models.py:88 xpack/plugins/cloud/serializers/task.py:37
+#: xpack/plugins/cloud/models.py:87 xpack/plugins/cloud/serializers/task.py:37
 msgid "Regions"
 msgstr "リージョン"
 
-#: xpack/plugins/cloud/models.py:91
+#: xpack/plugins/cloud/models.py:90
 msgid "Hostname strategy"
 msgstr "ホスト名戦略"
 
-#: xpack/plugins/cloud/models.py:100 xpack/plugins/cloud/serializers/task.py:67
+#: xpack/plugins/cloud/models.py:99 xpack/plugins/cloud/serializers/task.py:67
 msgid "Unix admin user"
 msgstr "Unix adminユーザー"
 
-#: xpack/plugins/cloud/models.py:104 xpack/plugins/cloud/serializers/task.py:68
+#: xpack/plugins/cloud/models.py:103 xpack/plugins/cloud/serializers/task.py:68
 msgid "Windows admin user"
 msgstr "Windows管理者"
 
-#: xpack/plugins/cloud/models.py:110 xpack/plugins/cloud/serializers/task.py:45
+#: xpack/plugins/cloud/models.py:109 xpack/plugins/cloud/serializers/task.py:45
 msgid "IP network segment group"
 msgstr "IPネットワークセグメントグループ"
 
-#: xpack/plugins/cloud/models.py:113 xpack/plugins/cloud/serializers/task.py:71
+#: xpack/plugins/cloud/models.py:112 xpack/plugins/cloud/serializers/task.py:71
 msgid "Always update"
 msgstr "常に更新"
 
-#: xpack/plugins/cloud/models.py:119
+#: xpack/plugins/cloud/models.py:118
 msgid "Date last sync"
 msgstr "最終同期日"
 
-#: xpack/plugins/cloud/models.py:130 xpack/plugins/cloud/models.py:171
+#: xpack/plugins/cloud/models.py:129 xpack/plugins/cloud/models.py:170
 msgid "Sync instance task"
 msgstr "インスタンスの同期タスク"
 
-#: xpack/plugins/cloud/models.py:182 xpack/plugins/cloud/models.py:230
+#: xpack/plugins/cloud/models.py:181 xpack/plugins/cloud/models.py:229
 msgid "Date sync"
 msgstr "日付の同期"
 
-#: xpack/plugins/cloud/models.py:186
+#: xpack/plugins/cloud/models.py:185
 msgid "Sync instance task execution"
 msgstr "インスタンスタスクの同期実行"
 
-#: xpack/plugins/cloud/models.py:210
+#: xpack/plugins/cloud/models.py:209
 msgid "Sync task"
 msgstr "同期タスク"
 
-#: xpack/plugins/cloud/models.py:214
+#: xpack/plugins/cloud/models.py:213
 msgid "Sync instance task history"
 msgstr "インスタンスタスク履歴の同期"
 
-#: xpack/plugins/cloud/models.py:217
+#: xpack/plugins/cloud/models.py:216
 msgid "Instance"
 msgstr "インスタンス"
 
-#: xpack/plugins/cloud/models.py:234
+#: xpack/plugins/cloud/models.py:233
 msgid "Sync instance detail"
 msgstr "同期インスタンスの詳細"
 
@@ -6457,13 +6453,11 @@ msgid "South America (São Paulo)"
 msgstr "南米 (サンパウロ)"
 
 #: xpack/plugins/cloud/providers/baiducloud.py:54
-#: xpack/plugins/cloud/providers/jdcloud.py:127
 msgid "CN North-Beijing"
 msgstr "華北-北京"
 
 #: xpack/plugins/cloud/providers/baiducloud.py:55
 #: xpack/plugins/cloud/providers/huaweicloud.py:40
-#: xpack/plugins/cloud/providers/jdcloud.py:130
 msgid "CN South-Guangzhou"
 msgstr "華南-広州"
 
@@ -6485,7 +6479,6 @@ msgid "CN North-Baoding"
 msgstr "華北-保定"
 
 #: xpack/plugins/cloud/providers/baiducloud.py:60
-#: xpack/plugins/cloud/providers/jdcloud.py:129
 msgid "CN East-Shanghai"
 msgstr "華東-上海"
 
@@ -6550,15 +6543,11 @@ msgstr "華北-ウランチャブ一"
 msgid "CN South-Guangzhou-InvitationOnly"
 msgstr "華南-広州-友好ユーザー環境"
 
-#: xpack/plugins/cloud/providers/jdcloud.py:128
-msgid "CN East-Suqian"
-msgstr "華東-宿遷"
-
-#: xpack/plugins/cloud/serializers/account.py:60
+#: xpack/plugins/cloud/serializers/account.py:59
 msgid "Validity display"
 msgstr "有効表示"
 
-#: xpack/plugins/cloud/serializers/account.py:61
+#: xpack/plugins/cloud/serializers/account.py:60
 msgid "Provider display"
 msgstr "プロバイダ表示"
 
@@ -6722,6 +6711,12 @@ msgstr "究極のエディション"
 msgid "Community edition"
 msgstr "コミュニティ版"
 
+#~ msgid "JD Cloud"
+#~ msgstr "京東雲"
+
+#~ msgid "CN East-Suqian"
+#~ msgstr "華東-宿遷"
+
 #~ msgid "Inherit"
 #~ msgstr "継承"
 
diff --git a/apps/locale/zh/LC_MESSAGES/django.po b/apps/locale/zh/LC_MESSAGES/django.po
index 5682b29ff..a7387c76f 100644
--- a/apps/locale/zh/LC_MESSAGES/django.po
+++ b/apps/locale/zh/LC_MESSAGES/django.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: JumpServer 0.3.3\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-04-13 20:35+0800\n"
+"POT-Creation-Date: 2022-04-19 11:24+0800\n"
 "PO-Revision-Date: 2021-05-20 10:54+0800\n"
 "Last-Translator: ibuler <ibuler@qq.com>\n"
 "Language-Team: JumpServer team<ibuler@qq.com>\n"
@@ -32,7 +32,7 @@ msgstr "访问控制"
 #: terminal/models/storage.py:23 terminal/models/task.py:16
 #: terminal/models/terminal.py:100 users/forms/profile.py:32
 #: users/models/group.py:15 users/models/user.py:661
-#: xpack/plugins/cloud/models.py:28
+#: xpack/plugins/cloud/models.py:27
 msgid "Name"
 msgstr "名称"
 
@@ -65,7 +65,7 @@ msgstr "激活中"
 #: tickets/models/comment.py:24 tickets/models/ticket.py:154
 #: users/models/group.py:16 users/models/user.py:698
 #: xpack/plugins/change_auth_plan/models/base.py:44
-#: xpack/plugins/cloud/models.py:35 xpack/plugins/cloud/models.py:116
+#: xpack/plugins/cloud/models.py:34 xpack/plugins/cloud/models.py:115
 #: xpack/plugins/gathered_user/models.py:26
 msgid "Comment"
 msgstr "备注"
@@ -91,8 +91,8 @@ msgstr "登录复核"
 #: terminal/backends/command/models.py:20
 #: terminal/backends/command/serializers.py:12 terminal/models/session.py:44
 #: terminal/notifications.py:91 terminal/notifications.py:139
-#: tickets/models/comment.py:17 users/const.py:14 users/models/user.py:886
-#: users/models/user.py:917 users/serializers/group.py:19
+#: tickets/models/comment.py:17 users/const.py:14 users/models/user.py:883
+#: users/models/user.py:914 users/serializers/group.py:19
 msgid "User"
 msgstr "用户"
 
@@ -133,7 +133,7 @@ msgstr "系统用户"
 #: terminal/notifications.py:90
 #: xpack/plugins/change_auth_plan/models/asset.py:199
 #: xpack/plugins/change_auth_plan/serializers/asset.py:180
-#: xpack/plugins/cloud/models.py:223
+#: xpack/plugins/cloud/models.py:222
 msgid "Asset"
 msgstr "资产"
 
@@ -313,8 +313,8 @@ msgstr "类型"
 msgid "Domain"
 msgstr "网域"
 
-#: applications/models/application.py:228 xpack/plugins/cloud/models.py:33
-#: xpack/plugins/cloud/serializers/account.py:59
+#: applications/models/application.py:228 xpack/plugins/cloud/models.py:32
+#: xpack/plugins/cloud/serializers/account.py:58
 msgid "Attrs"
 msgstr "属性"
 
@@ -322,7 +322,7 @@ msgstr "属性"
 msgid "Can match application"
 msgstr "匹配应用"
 
-#: applications/models/application.py:306
+#: applications/models/application.py:305
 msgid "Application user"
 msgstr "应用用户"
 
@@ -335,8 +335,8 @@ msgstr "类别名称"
 
 #: applications/serializers/application.py:71
 #: applications/serializers/application.py:102
-#: assets/serializers/system_user.py:27 audits/serializers.py:29
-#: perms/serializers/application/permission.py:19
+#: assets/serializers/cmd_filter.py:34 assets/serializers/system_user.py:27
+#: audits/serializers.py:29 perms/serializers/application/permission.py:19
 #: tickets/serializers/ticket/meta/ticket_type/apply_application.py:33
 #: tickets/serializers/ticket/ticket.py:21
 #: tickets/serializers/ticket/ticket.py:173
@@ -348,17 +348,17 @@ msgstr "类型名称"
 #: assets/models/domain.py:26 assets/models/gathered_user.py:19
 #: assets/models/group.py:22 assets/models/label.py:25
 #: assets/serializers/account.py:18 assets/serializers/cmd_filter.py:28
-#: assets/serializers/cmd_filter.py:49 common/db/models.py:113
+#: assets/serializers/cmd_filter.py:48 common/db/models.py:113
 #: common/mixins/models.py:50 ops/models/adhoc.py:39 ops/models/command.py:30
 #: orgs/models.py:67 orgs/models.py:217 perms/models/base.py:92
-#: users/models/group.py:18 users/models/user.py:918
-#: xpack/plugins/cloud/models.py:125
+#: users/models/group.py:18 users/models/user.py:915
+#: xpack/plugins/cloud/models.py:124
 msgid "Date created"
 msgstr "创建日期"
 
 #: applications/serializers/application.py:104 assets/models/base.py:182
 #: assets/models/gathered_user.py:20 assets/serializers/account.py:21
-#: assets/serializers/cmd_filter.py:29 assets/serializers/cmd_filter.py:50
+#: assets/serializers/cmd_filter.py:29 assets/serializers/cmd_filter.py:49
 #: common/db/models.py:114 common/mixins/models.py:51 ops/models/adhoc.py:40
 #: orgs/models.py:218
 msgid "Date updated"
@@ -567,7 +567,7 @@ msgstr "主机名原始"
 
 #: assets/models/asset.py:215 assets/serializers/account.py:16
 #: assets/serializers/asset.py:65 perms/serializers/asset/user_permission.py:41
-#: xpack/plugins/cloud/models.py:107 xpack/plugins/cloud/serializers/task.py:42
+#: xpack/plugins/cloud/models.py:106 xpack/plugins/cloud/serializers/task.py:42
 msgid "Protocols"
 msgstr "协议组"
 
@@ -607,7 +607,7 @@ msgstr "标签管理"
 #: orgs/models.py:219 perms/models/base.py:91 users/models/user.py:706
 #: users/serializers/group.py:33
 #: xpack/plugins/change_auth_plan/models/base.py:48
-#: xpack/plugins/cloud/models.py:122 xpack/plugins/gathered_user/models.py:30
+#: xpack/plugins/cloud/models.py:121 xpack/plugins/gathered_user/models.py:30
 msgid "Created by"
 msgstr "创建者"
 
@@ -711,7 +711,7 @@ msgstr "触发模式"
 #: xpack/plugins/change_auth_plan/models/base.py:201
 #: xpack/plugins/change_auth_plan/serializers/app.py:66
 #: xpack/plugins/change_auth_plan/serializers/asset.py:179
-#: xpack/plugins/cloud/models.py:179
+#: xpack/plugins/cloud/models.py:178
 msgid "Reason"
 msgstr "原因"
 
@@ -739,7 +739,7 @@ msgstr "成功"
 #: assets/models/base.py:32 audits/models.py:116
 #: xpack/plugins/change_auth_plan/serializers/app.py:88
 #: xpack/plugins/change_auth_plan/serializers/asset.py:198
-#: xpack/plugins/cloud/const.py:31
+#: xpack/plugins/cloud/const.py:30
 msgid "Failed"
 msgstr "失败"
 
@@ -810,7 +810,7 @@ msgid "Default"
 msgstr "默认"
 
 #: assets/models/cluster.py:36 assets/models/label.py:14 rbac/const.py:6
-#: users/models/user.py:903
+#: users/models/user.py:900
 msgid "System"
 msgstr "系统"
 
@@ -949,7 +949,7 @@ msgid "Parent key"
 msgstr "ssh私钥"
 
 #: assets/models/node.py:559 assets/serializers/system_user.py:263
-#: xpack/plugins/cloud/models.py:96 xpack/plugins/cloud/serializers/task.py:69
+#: xpack/plugins/cloud/models.py:95 xpack/plugins/cloud/serializers/task.py:69
 msgid "Node"
 msgstr "节点"
 
@@ -1118,9 +1118,13 @@ msgstr "密钥密码"
 msgid "private key invalid or passphrase error"
 msgstr "密钥不合法或密钥密码错误"
 
-#: assets/serializers/cmd_filter.py:51
+#: assets/serializers/cmd_filter.py:35 assets/serializers/cmd_filter.py:50
 msgid "Action display"
-msgstr "动作"
+msgstr "动作名称"
+
+#: assets/serializers/cmd_filter.py:51 ops/models/adhoc.py:155
+msgid "Pattern"
+msgstr "模式"
 
 #: assets/serializers/domain.py:13 assets/serializers/label.py:12
 #: assets/serializers/system_user.py:59
@@ -1470,8 +1474,8 @@ msgid "MFA"
 msgstr "MFA"
 
 #: audits/models.py:126 terminal/models/status.py:33
-#: tickets/models/ticket.py:140 xpack/plugins/cloud/models.py:175
-#: xpack/plugins/cloud/models.py:227
+#: tickets/models/ticket.py:140 xpack/plugins/cloud/models.py:174
+#: xpack/plugins/cloud/models.py:226
 msgid "Status"
 msgstr "状态"
 
@@ -1508,7 +1512,7 @@ msgid "Hosts display"
 msgstr "主机名称"
 
 #: audits/serializers.py:96 ops/models/command.py:27
-#: xpack/plugins/cloud/models.py:173
+#: xpack/plugins/cloud/models.py:172
 msgid "Result"
 msgstr "结果"
 
@@ -2156,7 +2160,7 @@ msgstr "代码错误"
 #: authentication/templates/authentication/_msg_reset_password.html:3
 #: authentication/templates/authentication/_msg_rest_password_success.html:2
 #: authentication/templates/authentication/_msg_rest_public_key_success.html:2
-#: jumpserver/conf.py:298 ops/tasks.py:145 ops/tasks.py:148
+#: jumpserver/conf.py:299 ops/tasks.py:145 ops/tasks.py:148
 #: perms/templates/perms/_msg_item_permissions_expire.html:3
 #: perms/templates/perms/_msg_permed_items_expire.html:3
 #: users/templates/users/_msg_account_expire_reminder.html:4
@@ -2608,11 +2612,11 @@ msgstr "不能包含特殊字符"
 msgid "The mobile phone number format is incorrect"
 msgstr "手机号格式不正确"
 
-#: jumpserver/conf.py:297
+#: jumpserver/conf.py:298
 msgid "Create account successfully"
 msgstr "创建账号成功"
 
-#: jumpserver/conf.py:299
+#: jumpserver/conf.py:300
 msgid "Your account has been created successfully"
 msgstr "你的账号已创建成功"
 
@@ -2730,10 +2734,6 @@ msgstr "可以查看任务监控"
 msgid "Tasks"
 msgstr "任务"
 
-#: ops/models/adhoc.py:155
-msgid "Pattern"
-msgstr "模式"
-
 #: ops/models/adhoc.py:156
 msgid "Options"
 msgstr "选项"
@@ -3069,15 +3069,15 @@ msgstr "如果有疑问或需求，请联系系统管理员"
 msgid "My applications"
 msgstr "我的应用"
 
-#: rbac/api/role.py:32
+#: rbac/api/role.py:33
 msgid "Internal role, can't be destroy"
 msgstr "内部角色，不能删除"
 
-#: rbac/api/role.py:36
+#: rbac/api/role.py:37
 msgid "The role has been bound to users, can't be destroy"
 msgstr "角色已绑定用户，不能删除"
 
-#: rbac/api/role.py:43
+#: rbac/api/role.py:44
 msgid "Internal role, can't be update"
 msgstr "内部角色，不能更新"
 
@@ -3153,11 +3153,11 @@ msgstr "授权"
 msgid "Built-in"
 msgstr "内置"
 
-#: rbac/models/role.py:130
+#: rbac/models/role.py:144
 msgid "System role"
 msgstr "系统角色"
 
-#: rbac/models/role.py:138
+#: rbac/models/role.py:152
 msgid "Organization role"
 msgstr "组织角色"
 
@@ -3165,21 +3165,21 @@ msgstr "组织角色"
 msgid "Role binding"
 msgstr "角色绑定"
 
-#: rbac/models/rolebinding.py:128
+#: rbac/models/rolebinding.py:150
 msgid ""
 "User last role in org, can not be delete, you can remove user from org "
 "instead"
 msgstr "用户最后一个角色，不能删除，你可以将用户从组织移除"
 
-#: rbac/models/rolebinding.py:135
+#: rbac/models/rolebinding.py:157
 msgid "Organization role binding"
 msgstr "组织角色绑定"
 
-#: rbac/models/rolebinding.py:150
+#: rbac/models/rolebinding.py:172
 msgid "System role binding"
 msgstr "系统角色绑定"
 
-#: rbac/serializers/permission.py:26 users/serializers/profile.py:126
+#: rbac/serializers/permission.py:26 users/serializers/profile.py:127
 msgid "Perms"
 msgstr "权限"
 
@@ -4446,8 +4446,8 @@ msgid ""
 "JumpServer Client, currently used to launch the client, now only support "
 "launch RDP SSH client, The Telnet client will next"
 msgstr ""
-"JumpServer 客户端，目前用来唤起 特定客户端程序 连接资产, 目前仅支持 RDP SSH 客户"
-"端，Telnet 会在未来支持"
+"JumpServer 客户端，目前用来唤起 特定客户端程序 连接资产, 目前仅支持 RDP SSH "
+"客户端，Telnet 会在未来支持"
 
 #: templates/resource_download.html:30
 msgid "Microsoft"
@@ -4469,11 +4469,11 @@ msgid ""
 "system uses its own terminal"
 msgstr "Windows 需要下载客户端来连接SSH资产，macOS系统采用自带的Terminal"
 
-#: templates/resource_download.html:51
+#: templates/resource_download.html:53
 msgid "Windows Remote application publisher tools"
 msgstr "Windows 远程应用发布服务器工具"
 
-#: templates/resource_download.html:52
+#: templates/resource_download.html:54
 msgid ""
 "Jmservisor is the program used to pull up remote applications in Windows "
 "Remote Application publisher"
@@ -4483,7 +4483,7 @@ msgstr "Jmservisor 是在 windows 远程应用发布服务器中用来拉起远
 msgid "Filters"
 msgstr "过滤"
 
-#: terminal/api/endpoint.py:65
+#: terminal/api/endpoint.py:63
 msgid "Not found protocol query params"
 msgstr ""
 
@@ -4879,7 +4879,7 @@ msgstr "桶名称"
 msgid "Secret key"
 msgstr "密钥"
 
-#: terminal/serializers/storage.py:64 xpack/plugins/cloud/models.py:220
+#: terminal/serializers/storage.py:64 xpack/plugins/cloud/models.py:219
 msgid "Region"
 msgstr "地域"
 
@@ -5468,7 +5468,7 @@ msgid "Public key should not be the same as your old one."
 msgstr "不能和原来的密钥相同"
 
 #: users/forms/profile.py:149 users/serializers/profile.py:95
-#: users/serializers/profile.py:176 users/serializers/profile.py:203
+#: users/serializers/profile.py:178 users/serializers/profile.py:205
 msgid "Not a valid ssh public key"
 msgstr "SSH密钥不合法"
 
@@ -5512,27 +5512,27 @@ msgstr "最后更新密码日期"
 msgid "Need update password"
 msgstr "需要更新密码"
 
-#: users/models/user.py:888
+#: users/models/user.py:885
 msgid "Can invite user"
 msgstr "可以邀请用户"
 
-#: users/models/user.py:889
+#: users/models/user.py:886
 msgid "Can remove user"
 msgstr "可以移除用户"
 
-#: users/models/user.py:890
+#: users/models/user.py:887
 msgid "Can match user"
 msgstr "可以匹配用户"
 
-#: users/models/user.py:899
+#: users/models/user.py:896
 msgid "Administrator"
 msgstr "管理员"
 
-#: users/models/user.py:902
+#: users/models/user.py:899
 msgid "Administrator is the super user of system"
 msgstr "Administrator是初始的超级管理员"
 
-#: users/models/user.py:927
+#: users/models/user.py:924
 msgid "User password history"
 msgstr "用户密码历史"
 
@@ -5571,7 +5571,7 @@ msgstr "重置 MFA"
 msgid "The old password is incorrect"
 msgstr "旧密码错误"
 
-#: users/serializers/profile.py:36 users/serializers/profile.py:190
+#: users/serializers/profile.py:36 users/serializers/profile.py:192
 msgid "Password does not match security rules"
 msgstr "密码不满足安全规则"
 
@@ -5583,7 +5583,7 @@ msgstr "新密码不能是最近 {} 次的密码"
 msgid "The newly set password is inconsistent"
 msgstr "两次密码不一致"
 
-#: users/serializers/profile.py:142 users/serializers/user.py:140
+#: users/serializers/profile.py:144 users/serializers/user.py:140
 msgid "Is first login"
 msgstr "首次登录"
 
@@ -6134,62 +6134,58 @@ msgid "Baidu Cloud"
 msgstr "百度云"
 
 #: xpack/plugins/cloud/const.py:15
-msgid "JD Cloud"
-msgstr "京东云"
-
-#: xpack/plugins/cloud/const.py:16
 msgid "Tencent Cloud"
 msgstr "腾讯云"
 
-#: xpack/plugins/cloud/const.py:17
+#: xpack/plugins/cloud/const.py:16
 msgid "VMware"
 msgstr "VMware"
 
-#: xpack/plugins/cloud/const.py:18 xpack/plugins/cloud/providers/nutanix.py:13
+#: xpack/plugins/cloud/const.py:17 xpack/plugins/cloud/providers/nutanix.py:13
 msgid "Nutanix"
 msgstr "Nutanix"
 
-#: xpack/plugins/cloud/const.py:19
+#: xpack/plugins/cloud/const.py:18
 msgid "Huawei Private Cloud"
 msgstr "华为私有云"
 
-#: xpack/plugins/cloud/const.py:20
+#: xpack/plugins/cloud/const.py:19
 msgid "Qingyun Private Cloud"
 msgstr "青云私有云"
 
-#: xpack/plugins/cloud/const.py:21
+#: xpack/plugins/cloud/const.py:20
 msgid "OpenStack"
 msgstr "OpenStack"
 
-#: xpack/plugins/cloud/const.py:22
+#: xpack/plugins/cloud/const.py:21
 msgid "Google Cloud Platform"
 msgstr "谷歌云"
 
-#: xpack/plugins/cloud/const.py:26
+#: xpack/plugins/cloud/const.py:25
 msgid "Instance name"
 msgstr "实例名称"
 
-#: xpack/plugins/cloud/const.py:27
+#: xpack/plugins/cloud/const.py:26
 msgid "Instance name and Partial IP"
 msgstr "实例名称和部分IP"
 
-#: xpack/plugins/cloud/const.py:32
+#: xpack/plugins/cloud/const.py:31
 msgid "Succeed"
 msgstr "成功"
 
-#: xpack/plugins/cloud/const.py:36
+#: xpack/plugins/cloud/const.py:35
 msgid "Unsync"
 msgstr "未同步"
 
-#: xpack/plugins/cloud/const.py:37
+#: xpack/plugins/cloud/const.py:36
 msgid "New Sync"
 msgstr "新同步"
 
-#: xpack/plugins/cloud/const.py:38
+#: xpack/plugins/cloud/const.py:37
 msgid "Synced"
 msgstr "已同步"
 
-#: xpack/plugins/cloud/const.py:39
+#: xpack/plugins/cloud/const.py:38
 msgid "Released"
 msgstr "已释放"
 
@@ -6197,79 +6193,79 @@ msgstr "已释放"
 msgid "Cloud center"
 msgstr "云管中心"
 
-#: xpack/plugins/cloud/models.py:30
+#: xpack/plugins/cloud/models.py:29
 msgid "Provider"
 msgstr "云服务商"
 
-#: xpack/plugins/cloud/models.py:34
+#: xpack/plugins/cloud/models.py:33
 msgid "Validity"
 msgstr "有效"
 
-#: xpack/plugins/cloud/models.py:39
+#: xpack/plugins/cloud/models.py:38
 msgid "Cloud account"
 msgstr "云账号"
 
-#: xpack/plugins/cloud/models.py:41
+#: xpack/plugins/cloud/models.py:40
 msgid "Test cloud account"
 msgstr "测试云账号"
 
-#: xpack/plugins/cloud/models.py:85 xpack/plugins/cloud/serializers/task.py:66
+#: xpack/plugins/cloud/models.py:84 xpack/plugins/cloud/serializers/task.py:66
 msgid "Account"
 msgstr "账号"
 
-#: xpack/plugins/cloud/models.py:88 xpack/plugins/cloud/serializers/task.py:37
+#: xpack/plugins/cloud/models.py:87 xpack/plugins/cloud/serializers/task.py:37
 msgid "Regions"
 msgstr "地域"
 
-#: xpack/plugins/cloud/models.py:91
+#: xpack/plugins/cloud/models.py:90
 msgid "Hostname strategy"
 msgstr "主机名策略"
 
-#: xpack/plugins/cloud/models.py:100 xpack/plugins/cloud/serializers/task.py:67
+#: xpack/plugins/cloud/models.py:99 xpack/plugins/cloud/serializers/task.py:67
 msgid "Unix admin user"
 msgstr "Unix 管理员"
 
-#: xpack/plugins/cloud/models.py:104 xpack/plugins/cloud/serializers/task.py:68
+#: xpack/plugins/cloud/models.py:103 xpack/plugins/cloud/serializers/task.py:68
 msgid "Windows admin user"
 msgstr "Windows 管理员"
 
-#: xpack/plugins/cloud/models.py:110 xpack/plugins/cloud/serializers/task.py:45
+#: xpack/plugins/cloud/models.py:109 xpack/plugins/cloud/serializers/task.py:45
 msgid "IP network segment group"
 msgstr "IP网段组"
 
-#: xpack/plugins/cloud/models.py:113 xpack/plugins/cloud/serializers/task.py:71
+#: xpack/plugins/cloud/models.py:112 xpack/plugins/cloud/serializers/task.py:71
 msgid "Always update"
 msgstr "总是更新"
 
-#: xpack/plugins/cloud/models.py:119
+#: xpack/plugins/cloud/models.py:118
 msgid "Date last sync"
 msgstr "最后同步日期"
 
-#: xpack/plugins/cloud/models.py:130 xpack/plugins/cloud/models.py:171
+#: xpack/plugins/cloud/models.py:129 xpack/plugins/cloud/models.py:170
 msgid "Sync instance task"
 msgstr "同步实例任务"
 
-#: xpack/plugins/cloud/models.py:182 xpack/plugins/cloud/models.py:230
+#: xpack/plugins/cloud/models.py:181 xpack/plugins/cloud/models.py:229
 msgid "Date sync"
 msgstr "同步日期"
 
-#: xpack/plugins/cloud/models.py:186
+#: xpack/plugins/cloud/models.py:185
 msgid "Sync instance task execution"
 msgstr "同步实例任务执行"
 
-#: xpack/plugins/cloud/models.py:210
+#: xpack/plugins/cloud/models.py:209
 msgid "Sync task"
 msgstr "同步任务"
 
-#: xpack/plugins/cloud/models.py:214
+#: xpack/plugins/cloud/models.py:213
 msgid "Sync instance task history"
 msgstr "同步实例任务历史"
 
-#: xpack/plugins/cloud/models.py:217
+#: xpack/plugins/cloud/models.py:216
 msgid "Instance"
 msgstr "实例"
 
-#: xpack/plugins/cloud/models.py:234
+#: xpack/plugins/cloud/models.py:233
 msgid "Sync instance detail"
 msgstr "同步实例详情"
 
@@ -6366,13 +6362,11 @@ msgid "South America (São Paulo)"
 msgstr "南美洲（圣保罗）"
 
 #: xpack/plugins/cloud/providers/baiducloud.py:54
-#: xpack/plugins/cloud/providers/jdcloud.py:127
 msgid "CN North-Beijing"
 msgstr "华北-北京"
 
 #: xpack/plugins/cloud/providers/baiducloud.py:55
 #: xpack/plugins/cloud/providers/huaweicloud.py:40
-#: xpack/plugins/cloud/providers/jdcloud.py:130
 msgid "CN South-Guangzhou"
 msgstr "华南-广州"
 
@@ -6394,7 +6388,6 @@ msgid "CN North-Baoding"
 msgstr "华北-保定"
 
 #: xpack/plugins/cloud/providers/baiducloud.py:60
-#: xpack/plugins/cloud/providers/jdcloud.py:129
 msgid "CN East-Shanghai"
 msgstr "华东-上海"
 
@@ -6459,15 +6452,11 @@ msgstr "华北-乌兰察布一"
 msgid "CN South-Guangzhou-InvitationOnly"
 msgstr "华南-广州-友好用户环境"
 
-#: xpack/plugins/cloud/providers/jdcloud.py:128
-msgid "CN East-Suqian"
-msgstr "华东-宿迁"
-
-#: xpack/plugins/cloud/serializers/account.py:60
+#: xpack/plugins/cloud/serializers/account.py:59
 msgid "Validity display"
 msgstr "有效性显示"
 
-#: xpack/plugins/cloud/serializers/account.py:61
+#: xpack/plugins/cloud/serializers/account.py:60
 msgid "Provider display"
 msgstr "服务商显示"
 
@@ -6630,6 +6619,12 @@ msgstr "旗舰版"
 msgid "Community edition"
 msgstr "社区版"
 
+#~ msgid "JD Cloud"
+#~ msgstr "京东云"
+
+#~ msgid "CN East-Suqian"
+#~ msgstr "华东-宿迁"
+
 #~ msgid "Inherit"
 #~ msgstr "继承"
 

From be2708f83de684e8079625849b56bc9b81318b18 Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Tue, 19 Apr 2022 14:26:17 +0800
Subject: [PATCH 043/258] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8Dajax=E8=AF=B7?=
 =?UTF-8?q?=E6=B1=82=E6=90=BA=E5=B8=A6csrftoken=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/static/js/jumpserver.js | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/apps/static/js/jumpserver.js b/apps/static/js/jumpserver.js
index b930154ff..070c811f7 100644
--- a/apps/static/js/jumpserver.js
+++ b/apps/static/js/jumpserver.js
@@ -125,8 +125,9 @@ function csrfSafeMethod(method) {
 }
 
 function setAjaxCSRFToken() {
-    var csrftoken = getCookie('csrftoken');
-    var sessionid = getCookie('sessionid');
+    const prefix = getCookie('SESSION_COOKIE_NAME_PREFIX', '')
+    var csrftoken = getCookie(`${prefix}csrftoken`);
+    var sessionid = getCookie(`${prefix}sessionid`);
 
     $.ajaxSetup({
         beforeSend: function (xhr, settings) {

From f8fade4cf2d1e1f5b773dce7e790b012c41e6f06 Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Tue, 19 Apr 2022 16:01:05 +0800
Subject: [PATCH 044/258] =?UTF-8?q?feat:=20=E6=B7=BB=E5=8A=A0=E9=85=8D?=
 =?UTF-8?q?=E7=BD=AE=E9=A1=B9=20KoKo=20SSH=20Client=20=E6=96=B9=E5=BC=8F?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/jumpserver/conf.py               |   1 +
 apps/jumpserver/settings/custom.py    |   1 +
 apps/locale/ja/LC_MESSAGES/django.mo  |   4 +-
 apps/locale/ja/LC_MESSAGES/django.po  | 158 ++++++++++++-------------
 apps/locale/zh/LC_MESSAGES/django.mo  |   4 +-
 apps/locale/zh/LC_MESSAGES/django.po  | 161 ++++++++++++--------------
 apps/settings/api/public.py           |   1 +
 apps/settings/serializers/terminal.py |   3 +-
 8 files changed, 159 insertions(+), 174 deletions(-)

diff --git a/apps/jumpserver/conf.py b/apps/jumpserver/conf.py
index ec35ae6e5..fa4a211d4 100644
--- a/apps/jumpserver/conf.py
+++ b/apps/jumpserver/conf.py
@@ -317,6 +317,7 @@ class Config(dict):
         'TERMINAL_RDP_ADDR': '',
         # 保留(Luna还在用)
         'TERMINAL_MAGNUS_ENABLED': True,
+        'TERMINAL_KOKO_SSH_ENABLED': True,
         # 保留(Luna还在用)
         'XRDP_ENABLED': True,
 
diff --git a/apps/jumpserver/settings/custom.py b/apps/jumpserver/settings/custom.py
index cafdc1a59..ecd710a2e 100644
--- a/apps/jumpserver/settings/custom.py
+++ b/apps/jumpserver/settings/custom.py
@@ -140,6 +140,7 @@ CLOUD_SYNC_TASK_EXECUTION_KEEP_DAYS = CONFIG.CLOUD_SYNC_TASK_EXECUTION_KEEP_DAYS
 
 XRDP_ENABLED = CONFIG.XRDP_ENABLED
 TERMINAL_MAGNUS_ENABLED = CONFIG.TERMINAL_MAGNUS_ENABLED
+TERMINAL_KOKO_SSH_ENABLED = CONFIG.TERMINAL_KOKO_SSH_ENABLED
 
 # SMS enabled
 SMS_ENABLED = CONFIG.SMS_ENABLED
diff --git a/apps/locale/ja/LC_MESSAGES/django.mo b/apps/locale/ja/LC_MESSAGES/django.mo
index c5ec670bb..e13ed4cfb 100644
--- a/apps/locale/ja/LC_MESSAGES/django.mo
+++ b/apps/locale/ja/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:54be66877253eed7bec1db706604af83a48f1c5fbc95eef1132c7f880fef154a
-size 125598
+oid sha256:4e6962699271d0f5402223321e65211f1c7ad0b7a9b43524f3a0fac7ea2541d9
+size 125623
diff --git a/apps/locale/ja/LC_MESSAGES/django.po b/apps/locale/ja/LC_MESSAGES/django.po
index 40ee2d43c..5377b3dda 100644
--- a/apps/locale/ja/LC_MESSAGES/django.po
+++ b/apps/locale/ja/LC_MESSAGES/django.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-04-19 11:24+0800\n"
+"POT-Creation-Date: 2022-04-19 15:57+0800\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -33,7 +33,7 @@ msgstr "Acls"
 #: terminal/models/storage.py:23 terminal/models/task.py:16
 #: terminal/models/terminal.py:100 users/forms/profile.py:32
 #: users/models/group.py:15 users/models/user.py:661
-#: xpack/plugins/cloud/models.py:27
+#: xpack/plugins/cloud/models.py:28
 msgid "Name"
 msgstr "名前"
 
@@ -66,7 +66,7 @@ msgstr "アクティブ"
 #: tickets/models/comment.py:24 tickets/models/ticket.py:154
 #: users/models/group.py:16 users/models/user.py:698
 #: xpack/plugins/change_auth_plan/models/base.py:44
-#: xpack/plugins/cloud/models.py:34 xpack/plugins/cloud/models.py:115
+#: xpack/plugins/cloud/models.py:35 xpack/plugins/cloud/models.py:116
 #: xpack/plugins/gathered_user/models.py:26
 msgid "Comment"
 msgstr "コメント"
@@ -88,7 +88,7 @@ msgstr "ログイン確認"
 #: assets/models/cmd_filter.py:30 assets/models/label.py:15 audits/models.py:37
 #: audits/models.py:60 audits/models.py:85 audits/serializers.py:100
 #: authentication/models.py:51 orgs/models.py:214 perms/models/base.py:84
-#: rbac/builtin.py:107 rbac/models/rolebinding.py:40
+#: rbac/builtin.py:110 rbac/models/rolebinding.py:40
 #: terminal/backends/command/models.py:20
 #: terminal/backends/command/serializers.py:12 terminal/models/session.py:44
 #: terminal/notifications.py:91 terminal/notifications.py:139
@@ -134,7 +134,7 @@ msgstr "システムユーザー"
 #: terminal/notifications.py:90
 #: xpack/plugins/change_auth_plan/models/asset.py:199
 #: xpack/plugins/change_auth_plan/serializers/asset.py:180
-#: xpack/plugins/cloud/models.py:222
+#: xpack/plugins/cloud/models.py:223
 msgid "Asset"
 msgstr "資産"
 
@@ -318,8 +318,8 @@ msgstr "タイプ"
 msgid "Domain"
 msgstr "ドメイン"
 
-#: applications/models/application.py:228 xpack/plugins/cloud/models.py:32
-#: xpack/plugins/cloud/serializers/account.py:58
+#: applications/models/application.py:228 xpack/plugins/cloud/models.py:33
+#: xpack/plugins/cloud/serializers/account.py:59
 msgid "Attrs"
 msgstr "ツールバーの"
 
@@ -357,7 +357,7 @@ msgstr "タイプ表示"
 #: common/mixins/models.py:50 ops/models/adhoc.py:39 ops/models/command.py:30
 #: orgs/models.py:67 orgs/models.py:217 perms/models/base.py:92
 #: users/models/group.py:18 users/models/user.py:915
-#: xpack/plugins/cloud/models.py:124
+#: xpack/plugins/cloud/models.py:125
 msgid "Date created"
 msgstr "作成された日付"
 
@@ -572,7 +572,7 @@ msgstr "ホスト名生"
 
 #: assets/models/asset.py:215 assets/serializers/account.py:16
 #: assets/serializers/asset.py:65 perms/serializers/asset/user_permission.py:41
-#: xpack/plugins/cloud/models.py:106 xpack/plugins/cloud/serializers/task.py:42
+#: xpack/plugins/cloud/models.py:107 xpack/plugins/cloud/serializers/task.py:42
 msgid "Protocols"
 msgstr "プロトコル"
 
@@ -612,7 +612,7 @@ msgstr "ラベル"
 #: orgs/models.py:219 perms/models/base.py:91 users/models/user.py:706
 #: users/serializers/group.py:33
 #: xpack/plugins/change_auth_plan/models/base.py:48
-#: xpack/plugins/cloud/models.py:121 xpack/plugins/gathered_user/models.py:30
+#: xpack/plugins/cloud/models.py:122 xpack/plugins/gathered_user/models.py:30
 msgid "Created by"
 msgstr "によって作成された"
 
@@ -716,7 +716,7 @@ msgstr "トリガーモード"
 #: xpack/plugins/change_auth_plan/models/base.py:201
 #: xpack/plugins/change_auth_plan/serializers/app.py:66
 #: xpack/plugins/change_auth_plan/serializers/asset.py:179
-#: xpack/plugins/cloud/models.py:178
+#: xpack/plugins/cloud/models.py:179
 msgid "Reason"
 msgstr "理由"
 
@@ -744,7 +744,7 @@ msgstr "OK"
 #: assets/models/base.py:32 audits/models.py:116
 #: xpack/plugins/change_auth_plan/serializers/app.py:88
 #: xpack/plugins/change_auth_plan/serializers/asset.py:198
-#: xpack/plugins/cloud/const.py:30
+#: xpack/plugins/cloud/const.py:31
 msgid "Failed"
 msgstr "失敗しました"
 
@@ -954,7 +954,7 @@ msgid "Parent key"
 msgstr "親キー"
 
 #: assets/models/node.py:559 assets/serializers/system_user.py:263
-#: xpack/plugins/cloud/models.py:95 xpack/plugins/cloud/serializers/task.py:69
+#: xpack/plugins/cloud/models.py:96 xpack/plugins/cloud/serializers/task.py:69
 msgid "Node"
 msgstr "ノード"
 
@@ -1486,8 +1486,8 @@ msgid "MFA"
 msgstr "MFA"
 
 #: audits/models.py:126 terminal/models/status.py:33
-#: tickets/models/ticket.py:140 xpack/plugins/cloud/models.py:174
-#: xpack/plugins/cloud/models.py:226
+#: tickets/models/ticket.py:140 xpack/plugins/cloud/models.py:175
+#: xpack/plugins/cloud/models.py:227
 msgid "Status"
 msgstr "ステータス"
 
@@ -1524,7 +1524,7 @@ msgid "Hosts display"
 msgstr "ホスト表示"
 
 #: audits/serializers.py:96 ops/models/command.py:27
-#: xpack/plugins/cloud/models.py:172
+#: xpack/plugins/cloud/models.py:173
 msgid "Result"
 msgstr "結果"
 
@@ -3126,27 +3126,27 @@ msgstr "{} 少なくとも1つのシステムロール"
 msgid "RBAC"
 msgstr "RBAC"
 
-#: rbac/builtin.py:98
+#: rbac/builtin.py:101
 msgid "SystemAdmin"
 msgstr "システム管理者"
 
-#: rbac/builtin.py:101
+#: rbac/builtin.py:104
 msgid "SystemAuditor"
 msgstr "システム監査人"
 
-#: rbac/builtin.py:104
+#: rbac/builtin.py:107
 msgid "SystemComponent"
 msgstr "システムコンポーネント"
 
-#: rbac/builtin.py:110
+#: rbac/builtin.py:113
 msgid "OrgAdmin"
 msgstr "組織管理者"
 
-#: rbac/builtin.py:113
+#: rbac/builtin.py:116
 msgid "OrgAuditor"
 msgstr "監査員を組織する"
 
-#: rbac/builtin.py:116
+#: rbac/builtin.py:119
 msgid "OrgUser"
 msgstr "組織ユーザー"
 
@@ -4225,10 +4225,10 @@ msgstr "Telnetログインregex"
 
 #: settings/serializers/terminal.py:33
 msgid ""
-"The login success message varies with devices. if you cannot log in to the "
-"device through Telnet, set this parameter"
+"Tips: The login success message varies with devices. if you cannot log in to "
+"the device through Telnet, set this parameter"
 msgstr ""
-"ログイン成功メッセージはデバイスによって異なります。Telnet経由でデバイスにロ"
+"ヒント: ログイン成功メッセージはデバイスによって異なります。Telnet経由でデバイスにロ"
 "グインできない場合は、このパラメーターを設定します。"
 
 #: settings/serializers/terminal.py:36
@@ -4239,6 +4239,10 @@ msgstr "属性マップの有効化"
 msgid "Enable XRDP"
 msgstr "XRDPの有効化"
 
+#: settings/serializers/terminal.py:38
+msgid "Enable KoKo SSH"
+msgstr "KoKo SSHの有効化"
+
 #: settings/utils/ldap.py:417
 msgid "ldap:// or ldaps:// protocol is used."
 msgstr "ldap:// または ldaps:// プロトコルが使用されます。"
@@ -4953,7 +4957,7 @@ msgstr "バケット"
 msgid "Secret key"
 msgstr "秘密キー"
 
-#: terminal/serializers/storage.py:64 xpack/plugins/cloud/models.py:219
+#: terminal/serializers/storage.py:64 xpack/plugins/cloud/models.py:220
 msgid "Region"
 msgstr "リージョン"
 
@@ -6225,58 +6229,62 @@ msgid "Baidu Cloud"
 msgstr "百度雲"
 
 #: xpack/plugins/cloud/const.py:15
+msgid "JD Cloud"
+msgstr "京東雲"
+
+#: xpack/plugins/cloud/const.py:16
 msgid "Tencent Cloud"
 msgstr "テンセント雲"
 
-#: xpack/plugins/cloud/const.py:16
+#: xpack/plugins/cloud/const.py:17
 msgid "VMware"
 msgstr "VMware"
 
-#: xpack/plugins/cloud/const.py:17 xpack/plugins/cloud/providers/nutanix.py:13
+#: xpack/plugins/cloud/const.py:18 xpack/plugins/cloud/providers/nutanix.py:13
 msgid "Nutanix"
 msgstr "Nutanix"
 
-#: xpack/plugins/cloud/const.py:18
+#: xpack/plugins/cloud/const.py:19
 msgid "Huawei Private Cloud"
 msgstr "華為私有雲"
 
-#: xpack/plugins/cloud/const.py:19
+#: xpack/plugins/cloud/const.py:20
 msgid "Qingyun Private Cloud"
 msgstr "青雲私有雲"
 
-#: xpack/plugins/cloud/const.py:20
+#: xpack/plugins/cloud/const.py:21
 msgid "OpenStack"
 msgstr "OpenStack"
 
-#: xpack/plugins/cloud/const.py:21
+#: xpack/plugins/cloud/const.py:22
 msgid "Google Cloud Platform"
 msgstr "谷歌雲"
 
-#: xpack/plugins/cloud/const.py:25
+#: xpack/plugins/cloud/const.py:26
 msgid "Instance name"
 msgstr "インスタンス名"
 
-#: xpack/plugins/cloud/const.py:26
+#: xpack/plugins/cloud/const.py:27
 msgid "Instance name and Partial IP"
 msgstr "インスタンス名と部分IP"
 
-#: xpack/plugins/cloud/const.py:31
+#: xpack/plugins/cloud/const.py:32
 msgid "Succeed"
 msgstr "成功"
 
-#: xpack/plugins/cloud/const.py:35
+#: xpack/plugins/cloud/const.py:36
 msgid "Unsync"
 msgstr "同期していません"
 
-#: xpack/plugins/cloud/const.py:36
+#: xpack/plugins/cloud/const.py:37
 msgid "New Sync"
 msgstr "新しい同期"
 
-#: xpack/plugins/cloud/const.py:37
+#: xpack/plugins/cloud/const.py:38
 msgid "Synced"
 msgstr "同期済み"
 
-#: xpack/plugins/cloud/const.py:38
+#: xpack/plugins/cloud/const.py:39
 msgid "Released"
 msgstr "リリース済み"
 
@@ -6284,79 +6292,79 @@ msgstr "リリース済み"
 msgid "Cloud center"
 msgstr "クラウドセンター"
 
-#: xpack/plugins/cloud/models.py:29
+#: xpack/plugins/cloud/models.py:30
 msgid "Provider"
 msgstr "プロバイダー"
 
-#: xpack/plugins/cloud/models.py:33
+#: xpack/plugins/cloud/models.py:34
 msgid "Validity"
 msgstr "有効性"
 
-#: xpack/plugins/cloud/models.py:38
+#: xpack/plugins/cloud/models.py:39
 msgid "Cloud account"
 msgstr "クラウドアカウント"
 
-#: xpack/plugins/cloud/models.py:40
+#: xpack/plugins/cloud/models.py:41
 msgid "Test cloud account"
 msgstr "クラウドアカウントのテスト"
 
-#: xpack/plugins/cloud/models.py:84 xpack/plugins/cloud/serializers/task.py:66
+#: xpack/plugins/cloud/models.py:85 xpack/plugins/cloud/serializers/task.py:66
 msgid "Account"
 msgstr "アカウント"
 
-#: xpack/plugins/cloud/models.py:87 xpack/plugins/cloud/serializers/task.py:37
+#: xpack/plugins/cloud/models.py:88 xpack/plugins/cloud/serializers/task.py:37
 msgid "Regions"
 msgstr "リージョン"
 
-#: xpack/plugins/cloud/models.py:90
+#: xpack/plugins/cloud/models.py:91
 msgid "Hostname strategy"
 msgstr "ホスト名戦略"
 
-#: xpack/plugins/cloud/models.py:99 xpack/plugins/cloud/serializers/task.py:67
+#: xpack/plugins/cloud/models.py:100 xpack/plugins/cloud/serializers/task.py:67
 msgid "Unix admin user"
 msgstr "Unix adminユーザー"
 
-#: xpack/plugins/cloud/models.py:103 xpack/plugins/cloud/serializers/task.py:68
+#: xpack/plugins/cloud/models.py:104 xpack/plugins/cloud/serializers/task.py:68
 msgid "Windows admin user"
 msgstr "Windows管理者"
 
-#: xpack/plugins/cloud/models.py:109 xpack/plugins/cloud/serializers/task.py:45
+#: xpack/plugins/cloud/models.py:110 xpack/plugins/cloud/serializers/task.py:45
 msgid "IP network segment group"
 msgstr "IPネットワークセグメントグループ"
 
-#: xpack/plugins/cloud/models.py:112 xpack/plugins/cloud/serializers/task.py:71
+#: xpack/plugins/cloud/models.py:113 xpack/plugins/cloud/serializers/task.py:71
 msgid "Always update"
 msgstr "常に更新"
 
-#: xpack/plugins/cloud/models.py:118
+#: xpack/plugins/cloud/models.py:119
 msgid "Date last sync"
 msgstr "最終同期日"
 
-#: xpack/plugins/cloud/models.py:129 xpack/plugins/cloud/models.py:170
+#: xpack/plugins/cloud/models.py:130 xpack/plugins/cloud/models.py:171
 msgid "Sync instance task"
 msgstr "インスタンスの同期タスク"
 
-#: xpack/plugins/cloud/models.py:181 xpack/plugins/cloud/models.py:229
+#: xpack/plugins/cloud/models.py:182 xpack/plugins/cloud/models.py:230
 msgid "Date sync"
 msgstr "日付の同期"
 
-#: xpack/plugins/cloud/models.py:185
+#: xpack/plugins/cloud/models.py:186
 msgid "Sync instance task execution"
 msgstr "インスタンスタスクの同期実行"
 
-#: xpack/plugins/cloud/models.py:209
+#: xpack/plugins/cloud/models.py:210
 msgid "Sync task"
 msgstr "同期タスク"
 
-#: xpack/plugins/cloud/models.py:213
+#: xpack/plugins/cloud/models.py:214
 msgid "Sync instance task history"
 msgstr "インスタンスタスク履歴の同期"
 
-#: xpack/plugins/cloud/models.py:216
+#: xpack/plugins/cloud/models.py:217
 msgid "Instance"
 msgstr "インスタンス"
 
-#: xpack/plugins/cloud/models.py:233
+#: xpack/plugins/cloud/models.py:234
 msgid "Sync instance detail"
 msgstr "同期インスタンスの詳細"
 
@@ -6453,11 +6461,13 @@ msgid "South America (São Paulo)"
 msgstr "南米 (サンパウロ)"
 
 #: xpack/plugins/cloud/providers/baiducloud.py:54
+#: xpack/plugins/cloud/providers/jdcloud.py:127
 msgid "CN North-Beijing"
 msgstr "華北-北京"
 
 #: xpack/plugins/cloud/providers/baiducloud.py:55
 #: xpack/plugins/cloud/providers/huaweicloud.py:40
+#: xpack/plugins/cloud/providers/jdcloud.py:130
 msgid "CN South-Guangzhou"
 msgstr "華南-広州"
 
@@ -6479,6 +6489,7 @@ msgid "CN North-Baoding"
 msgstr "華北-保定"
 
 #: xpack/plugins/cloud/providers/baiducloud.py:60
+#: xpack/plugins/cloud/providers/jdcloud.py:129
 msgid "CN East-Shanghai"
 msgstr "華東-上海"
 
@@ -6543,11 +6554,15 @@ msgstr "華北-ウランチャブ一"
 msgid "CN South-Guangzhou-InvitationOnly"
 msgstr "華南-広州-友好ユーザー環境"
 
-#: xpack/plugins/cloud/serializers/account.py:59
+#: xpack/plugins/cloud/providers/jdcloud.py:128
+msgid "CN East-Suqian"
+msgstr "華東-宿遷"
+
+#: xpack/plugins/cloud/serializers/account.py:60
 msgid "Validity display"
 msgstr "有効表示"
 
-#: xpack/plugins/cloud/serializers/account.py:60
+#: xpack/plugins/cloud/serializers/account.py:61
 msgid "Provider display"
 msgstr "プロバイダ表示"
 
@@ -6710,26 +6725,3 @@ msgstr "究極のエディション"
 #: xpack/plugins/license/models.py:77
 msgid "Community edition"
 msgstr "コミュニティ版"
-
-#~ msgid "JD Cloud"
-#~ msgstr "京東雲"
-
-#~ msgid "CN East-Suqian"
-#~ msgstr "華東-宿遷"
-
-#~ msgid "Inherit"
-#~ msgstr "継承"
-
-#~ msgid "Include"
-#~ msgstr "含める"
-
-#~ msgid "Exclude"
-#~ msgstr "除外"
-
-#~ msgid "DatabaseApp"
-#~ msgstr "データベースの適用"
-
-#, fuzzy
-#~| msgid "Connection token"
-#~ msgid "One time token"
-#~ msgstr "接続トークン"
diff --git a/apps/locale/zh/LC_MESSAGES/django.mo b/apps/locale/zh/LC_MESSAGES/django.mo
index c77cc1659..c73d42f67 100644
--- a/apps/locale/zh/LC_MESSAGES/django.mo
+++ b/apps/locale/zh/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:fa084dd92472110d4bea1674d1e9a96599f42f094aab92f8d34152fdf5726321
-size 103771
+oid sha256:3462a9a3eef8f372bf341f2066a33d85e1f01aca5a8fe506528a1cd0a37e98b4
+size 103951
diff --git a/apps/locale/zh/LC_MESSAGES/django.po b/apps/locale/zh/LC_MESSAGES/django.po
index a7387c76f..77b7111be 100644
--- a/apps/locale/zh/LC_MESSAGES/django.po
+++ b/apps/locale/zh/LC_MESSAGES/django.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: JumpServer 0.3.3\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-04-19 11:24+0800\n"
+"POT-Creation-Date: 2022-04-19 15:57+0800\n"
 "PO-Revision-Date: 2021-05-20 10:54+0800\n"
 "Last-Translator: ibuler <ibuler@qq.com>\n"
 "Language-Team: JumpServer team<ibuler@qq.com>\n"
@@ -32,7 +32,7 @@ msgstr "访问控制"
 #: terminal/models/storage.py:23 terminal/models/task.py:16
 #: terminal/models/terminal.py:100 users/forms/profile.py:32
 #: users/models/group.py:15 users/models/user.py:661
-#: xpack/plugins/cloud/models.py:27
+#: xpack/plugins/cloud/models.py:28
 msgid "Name"
 msgstr "名称"
 
@@ -65,7 +65,7 @@ msgstr "激活中"
 #: tickets/models/comment.py:24 tickets/models/ticket.py:154
 #: users/models/group.py:16 users/models/user.py:698
 #: xpack/plugins/change_auth_plan/models/base.py:44
-#: xpack/plugins/cloud/models.py:34 xpack/plugins/cloud/models.py:115
+#: xpack/plugins/cloud/models.py:35 xpack/plugins/cloud/models.py:116
 #: xpack/plugins/gathered_user/models.py:26
 msgid "Comment"
 msgstr "备注"
@@ -87,7 +87,7 @@ msgstr "登录复核"
 #: assets/models/cmd_filter.py:30 assets/models/label.py:15 audits/models.py:37
 #: audits/models.py:60 audits/models.py:85 audits/serializers.py:100
 #: authentication/models.py:51 orgs/models.py:214 perms/models/base.py:84
-#: rbac/builtin.py:107 rbac/models/rolebinding.py:40
+#: rbac/builtin.py:110 rbac/models/rolebinding.py:40
 #: terminal/backends/command/models.py:20
 #: terminal/backends/command/serializers.py:12 terminal/models/session.py:44
 #: terminal/notifications.py:91 terminal/notifications.py:139
@@ -133,7 +133,7 @@ msgstr "系统用户"
 #: terminal/notifications.py:90
 #: xpack/plugins/change_auth_plan/models/asset.py:199
 #: xpack/plugins/change_auth_plan/serializers/asset.py:180
-#: xpack/plugins/cloud/models.py:222
+#: xpack/plugins/cloud/models.py:223
 msgid "Asset"
 msgstr "资产"
 
@@ -313,8 +313,8 @@ msgstr "类型"
 msgid "Domain"
 msgstr "网域"
 
-#: applications/models/application.py:228 xpack/plugins/cloud/models.py:32
-#: xpack/plugins/cloud/serializers/account.py:58
+#: applications/models/application.py:228 xpack/plugins/cloud/models.py:33
+#: xpack/plugins/cloud/serializers/account.py:59
 msgid "Attrs"
 msgstr "属性"
 
@@ -352,7 +352,7 @@ msgstr "类型名称"
 #: common/mixins/models.py:50 ops/models/adhoc.py:39 ops/models/command.py:30
 #: orgs/models.py:67 orgs/models.py:217 perms/models/base.py:92
 #: users/models/group.py:18 users/models/user.py:915
-#: xpack/plugins/cloud/models.py:124
+#: xpack/plugins/cloud/models.py:125
 msgid "Date created"
 msgstr "创建日期"
 
@@ -567,7 +567,7 @@ msgstr "主机名原始"
 
 #: assets/models/asset.py:215 assets/serializers/account.py:16
 #: assets/serializers/asset.py:65 perms/serializers/asset/user_permission.py:41
-#: xpack/plugins/cloud/models.py:106 xpack/plugins/cloud/serializers/task.py:42
+#: xpack/plugins/cloud/models.py:107 xpack/plugins/cloud/serializers/task.py:42
 msgid "Protocols"
 msgstr "协议组"
 
@@ -607,7 +607,7 @@ msgstr "标签管理"
 #: orgs/models.py:219 perms/models/base.py:91 users/models/user.py:706
 #: users/serializers/group.py:33
 #: xpack/plugins/change_auth_plan/models/base.py:48
-#: xpack/plugins/cloud/models.py:121 xpack/plugins/gathered_user/models.py:30
+#: xpack/plugins/cloud/models.py:122 xpack/plugins/gathered_user/models.py:30
 msgid "Created by"
 msgstr "创建者"
 
@@ -711,7 +711,7 @@ msgstr "触发模式"
 #: xpack/plugins/change_auth_plan/models/base.py:201
 #: xpack/plugins/change_auth_plan/serializers/app.py:66
 #: xpack/plugins/change_auth_plan/serializers/asset.py:179
-#: xpack/plugins/cloud/models.py:178
+#: xpack/plugins/cloud/models.py:179
 msgid "Reason"
 msgstr "原因"
 
@@ -739,7 +739,7 @@ msgstr "成功"
 #: assets/models/base.py:32 audits/models.py:116
 #: xpack/plugins/change_auth_plan/serializers/app.py:88
 #: xpack/plugins/change_auth_plan/serializers/asset.py:198
-#: xpack/plugins/cloud/const.py:30
+#: xpack/plugins/cloud/const.py:31
 msgid "Failed"
 msgstr "失败"
 
@@ -949,7 +949,7 @@ msgid "Parent key"
 msgstr "ssh私钥"
 
 #: assets/models/node.py:559 assets/serializers/system_user.py:263
-#: xpack/plugins/cloud/models.py:95 xpack/plugins/cloud/serializers/task.py:69
+#: xpack/plugins/cloud/models.py:96 xpack/plugins/cloud/serializers/task.py:69
 msgid "Node"
 msgstr "节点"
 
@@ -1474,8 +1474,8 @@ msgid "MFA"
 msgstr "MFA"
 
 #: audits/models.py:126 terminal/models/status.py:33
-#: tickets/models/ticket.py:140 xpack/plugins/cloud/models.py:174
-#: xpack/plugins/cloud/models.py:226
+#: tickets/models/ticket.py:140 xpack/plugins/cloud/models.py:175
+#: xpack/plugins/cloud/models.py:227
 msgid "Status"
 msgstr "状态"
 
@@ -1512,7 +1512,7 @@ msgid "Hosts display"
 msgstr "主机名称"
 
 #: audits/serializers.py:96 ops/models/command.py:27
-#: xpack/plugins/cloud/models.py:172
+#: xpack/plugins/cloud/models.py:173
 msgid "Result"
 msgstr "结果"
 
@@ -3089,27 +3089,27 @@ msgstr "{} 至少有一个系统角色"
 msgid "RBAC"
 msgstr "RBAC"
 
-#: rbac/builtin.py:98
+#: rbac/builtin.py:101
 msgid "SystemAdmin"
 msgstr "系统管理员"
 
-#: rbac/builtin.py:101
+#: rbac/builtin.py:104
 msgid "SystemAuditor"
 msgstr "系统审计员"
 
-#: rbac/builtin.py:104
+#: rbac/builtin.py:107
 msgid "SystemComponent"
 msgstr "系统组件"
 
-#: rbac/builtin.py:110
+#: rbac/builtin.py:113
 msgid "OrgAdmin"
 msgstr "组织管理员"
 
-#: rbac/builtin.py:113
+#: rbac/builtin.py:116
 msgid "OrgAuditor"
 msgstr "组织审计员"
 
-#: rbac/builtin.py:116
+#: rbac/builtin.py:119
 msgid "OrgUser"
 msgstr "组织用户"
 
@@ -4165,9 +4165,9 @@ msgstr "Telnet 成功正则表达式"
 
 #: settings/serializers/terminal.py:33
 msgid ""
-"The login success message varies with devices. if you cannot log in to the "
-"device through Telnet, set this parameter"
-msgstr "不同设备登录成功提示不一样，所以如果 telnet 不能正常登录，可以这里设置"
+"Tips: The login success message varies with devices. if you cannot log in to "
+"the device through Telnet, set this parameter"
+msgstr "提示: 不同设备登录成功提示不一样，所以如果 telnet 不能正常登录，可以这里设置"
 
 #: settings/serializers/terminal.py:36
 msgid "Enable database proxy"
@@ -4177,6 +4177,10 @@ msgstr "启用数据库组件"
 msgid "Enable XRDP"
 msgstr "启用 XRDP 服务"
 
+#: settings/serializers/terminal.py:38
+msgid "Enable KoKo SSH"
+msgstr "启用 KoKo SSH"
+
 #: settings/utils/ldap.py:417
 msgid "ldap:// or ldaps:// protocol is used."
 msgstr "使用 ldap:// 或 ldaps:// 协议"
@@ -4879,7 +4883,7 @@ msgstr "桶名称"
 msgid "Secret key"
 msgstr "密钥"
 
-#: terminal/serializers/storage.py:64 xpack/plugins/cloud/models.py:219
+#: terminal/serializers/storage.py:64 xpack/plugins/cloud/models.py:220
 msgid "Region"
 msgstr "地域"
 
@@ -6134,58 +6138,62 @@ msgid "Baidu Cloud"
 msgstr "百度云"
 
 #: xpack/plugins/cloud/const.py:15
+msgid "JD Cloud"
+msgstr "京东云"
+
+#: xpack/plugins/cloud/const.py:16
 msgid "Tencent Cloud"
 msgstr "腾讯云"
 
-#: xpack/plugins/cloud/const.py:16
+#: xpack/plugins/cloud/const.py:17
 msgid "VMware"
 msgstr "VMware"
 
-#: xpack/plugins/cloud/const.py:17 xpack/plugins/cloud/providers/nutanix.py:13
+#: xpack/plugins/cloud/const.py:18 xpack/plugins/cloud/providers/nutanix.py:13
 msgid "Nutanix"
 msgstr "Nutanix"
 
-#: xpack/plugins/cloud/const.py:18
+#: xpack/plugins/cloud/const.py:19
 msgid "Huawei Private Cloud"
 msgstr "华为私有云"
 
-#: xpack/plugins/cloud/const.py:19
+#: xpack/plugins/cloud/const.py:20
 msgid "Qingyun Private Cloud"
 msgstr "青云私有云"
 
-#: xpack/plugins/cloud/const.py:20
+#: xpack/plugins/cloud/const.py:21
 msgid "OpenStack"
 msgstr "OpenStack"
 
-#: xpack/plugins/cloud/const.py:21
+#: xpack/plugins/cloud/const.py:22
 msgid "Google Cloud Platform"
 msgstr "谷歌云"
 
-#: xpack/plugins/cloud/const.py:25
+#: xpack/plugins/cloud/const.py:26
 msgid "Instance name"
 msgstr "实例名称"
 
-#: xpack/plugins/cloud/const.py:26
+#: xpack/plugins/cloud/const.py:27
 msgid "Instance name and Partial IP"
 msgstr "实例名称和部分IP"
 
-#: xpack/plugins/cloud/const.py:31
+#: xpack/plugins/cloud/const.py:32
 msgid "Succeed"
 msgstr "成功"
 
-#: xpack/plugins/cloud/const.py:35
+#: xpack/plugins/cloud/const.py:36
 msgid "Unsync"
 msgstr "未同步"
 
-#: xpack/plugins/cloud/const.py:36
+#: xpack/plugins/cloud/const.py:37
 msgid "New Sync"
 msgstr "新同步"
 
-#: xpack/plugins/cloud/const.py:37
+#: xpack/plugins/cloud/const.py:38
 msgid "Synced"
 msgstr "已同步"
 
-#: xpack/plugins/cloud/const.py:38
+#: xpack/plugins/cloud/const.py:39
 msgid "Released"
 msgstr "已释放"
 
@@ -6193,79 +6201,79 @@ msgstr "已释放"
 msgid "Cloud center"
 msgstr "云管中心"
 
-#: xpack/plugins/cloud/models.py:29
+#: xpack/plugins/cloud/models.py:30
 msgid "Provider"
 msgstr "云服务商"
 
-#: xpack/plugins/cloud/models.py:33
+#: xpack/plugins/cloud/models.py:34
 msgid "Validity"
 msgstr "有效"
 
-#: xpack/plugins/cloud/models.py:38
+#: xpack/plugins/cloud/models.py:39
 msgid "Cloud account"
 msgstr "云账号"
 
-#: xpack/plugins/cloud/models.py:40
+#: xpack/plugins/cloud/models.py:41
 msgid "Test cloud account"
 msgstr "测试云账号"
 
-#: xpack/plugins/cloud/models.py:84 xpack/plugins/cloud/serializers/task.py:66
+#: xpack/plugins/cloud/models.py:85 xpack/plugins/cloud/serializers/task.py:66
 msgid "Account"
 msgstr "账号"
 
-#: xpack/plugins/cloud/models.py:87 xpack/plugins/cloud/serializers/task.py:37
+#: xpack/plugins/cloud/models.py:88 xpack/plugins/cloud/serializers/task.py:37
 msgid "Regions"
 msgstr "地域"
 
-#: xpack/plugins/cloud/models.py:90
+#: xpack/plugins/cloud/models.py:91
 msgid "Hostname strategy"
 msgstr "主机名策略"
 
-#: xpack/plugins/cloud/models.py:99 xpack/plugins/cloud/serializers/task.py:67
+#: xpack/plugins/cloud/models.py:100 xpack/plugins/cloud/serializers/task.py:67
 msgid "Unix admin user"
 msgstr "Unix 管理员"
 
-#: xpack/plugins/cloud/models.py:103 xpack/plugins/cloud/serializers/task.py:68
+#: xpack/plugins/cloud/models.py:104 xpack/plugins/cloud/serializers/task.py:68
 msgid "Windows admin user"
 msgstr "Windows 管理员"
 
-#: xpack/plugins/cloud/models.py:109 xpack/plugins/cloud/serializers/task.py:45
+#: xpack/plugins/cloud/models.py:110 xpack/plugins/cloud/serializers/task.py:45
 msgid "IP network segment group"
 msgstr "IP网段组"
 
-#: xpack/plugins/cloud/models.py:112 xpack/plugins/cloud/serializers/task.py:71
+#: xpack/plugins/cloud/models.py:113 xpack/plugins/cloud/serializers/task.py:71
 msgid "Always update"
 msgstr "总是更新"
 
-#: xpack/plugins/cloud/models.py:118
+#: xpack/plugins/cloud/models.py:119
 msgid "Date last sync"
 msgstr "最后同步日期"
 
-#: xpack/plugins/cloud/models.py:129 xpack/plugins/cloud/models.py:170
+#: xpack/plugins/cloud/models.py:130 xpack/plugins/cloud/models.py:171
 msgid "Sync instance task"
 msgstr "同步实例任务"
 
-#: xpack/plugins/cloud/models.py:181 xpack/plugins/cloud/models.py:229
+#: xpack/plugins/cloud/models.py:182 xpack/plugins/cloud/models.py:230
 msgid "Date sync"
 msgstr "同步日期"
 
-#: xpack/plugins/cloud/models.py:185
+#: xpack/plugins/cloud/models.py:186
 msgid "Sync instance task execution"
 msgstr "同步实例任务执行"
 
-#: xpack/plugins/cloud/models.py:209
+#: xpack/plugins/cloud/models.py:210
 msgid "Sync task"
 msgstr "同步任务"
 
-#: xpack/plugins/cloud/models.py:213
+#: xpack/plugins/cloud/models.py:214
 msgid "Sync instance task history"
 msgstr "同步实例任务历史"
 
-#: xpack/plugins/cloud/models.py:216
+#: xpack/plugins/cloud/models.py:217
 msgid "Instance"
 msgstr "实例"
 
-#: xpack/plugins/cloud/models.py:233
+#: xpack/plugins/cloud/models.py:234
 msgid "Sync instance detail"
 msgstr "同步实例详情"
 
@@ -6362,11 +6370,13 @@ msgid "South America (São Paulo)"
 msgstr "南美洲（圣保罗）"
 
 #: xpack/plugins/cloud/providers/baiducloud.py:54
+#: xpack/plugins/cloud/providers/jdcloud.py:127
 msgid "CN North-Beijing"
 msgstr "华北-北京"
 
 #: xpack/plugins/cloud/providers/baiducloud.py:55
 #: xpack/plugins/cloud/providers/huaweicloud.py:40
+#: xpack/plugins/cloud/providers/jdcloud.py:130
 msgid "CN South-Guangzhou"
 msgstr "华南-广州"
 
@@ -6388,6 +6398,7 @@ msgid "CN North-Baoding"
 msgstr "华北-保定"
 
 #: xpack/plugins/cloud/providers/baiducloud.py:60
+#: xpack/plugins/cloud/providers/jdcloud.py:129
 msgid "CN East-Shanghai"
 msgstr "华东-上海"
 
@@ -6452,11 +6463,15 @@ msgstr "华北-乌兰察布一"
 msgid "CN South-Guangzhou-InvitationOnly"
 msgstr "华南-广州-友好用户环境"
 
-#: xpack/plugins/cloud/serializers/account.py:59
+#: xpack/plugins/cloud/providers/jdcloud.py:128
+msgid "CN East-Suqian"
+msgstr "华东-宿迁"
+
+#: xpack/plugins/cloud/serializers/account.py:60
 msgid "Validity display"
 msgstr "有效性显示"
 
-#: xpack/plugins/cloud/serializers/account.py:60
+#: xpack/plugins/cloud/serializers/account.py:61
 msgid "Provider display"
 msgstr "服务商显示"
 
@@ -6618,29 +6633,3 @@ msgstr "旗舰版"
 #: xpack/plugins/license/models.py:77
 msgid "Community edition"
 msgstr "社区版"
-
-#~ msgid "JD Cloud"
-#~ msgstr "京东云"
-
-#~ msgid "CN East-Suqian"
-#~ msgstr "华东-宿迁"
-
-#~ msgid "Inherit"
-#~ msgstr "继承"
-
-#~ msgid "Include"
-#~ msgstr "包含"
-
-#~ msgid "Exclude"
-#~ msgstr "不包含"
-
-#~ msgid "DatabaseApp"
-#~ msgstr "数据库应用"
-
-#~ msgid "Database proxy MySQL protocol listen port"
-#~ msgstr "MySQL 协议监听的端口"
-
-#, fuzzy
-#~| msgid "Database proxy PostgreSQL port"
-#~ msgid "Database proxy PostgreSQL listen port"
-#~ msgstr "数据库组件 PostgreSQL 协议监听的端口"
diff --git a/apps/settings/api/public.py b/apps/settings/api/public.py
index 5efa54319..b9076618d 100644
--- a/apps/settings/api/public.py
+++ b/apps/settings/api/public.py
@@ -65,6 +65,7 @@ class PublicSettingApi(generics.RetrieveAPIView):
                 # Terminal
                 "XRDP_ENABLED": settings.XRDP_ENABLED,
                 "TERMINAL_MAGNUS_ENABLED": settings.TERMINAL_MAGNUS_ENABLED,
+                "TERMINAL_KOKO_SSH_ENABLED": settings.TERMINAL_KOKO_SSH_ENABLED,
                 # Announcement
                 "ANNOUNCEMENT_ENABLED": settings.ANNOUNCEMENT_ENABLED,
                 "ANNOUNCEMENT": settings.ANNOUNCEMENT,
diff --git a/apps/settings/serializers/terminal.py b/apps/settings/serializers/terminal.py
index bf4b8d7a0..8cdb9e065 100644
--- a/apps/settings/serializers/terminal.py
+++ b/apps/settings/serializers/terminal.py
@@ -30,8 +30,9 @@ class TerminalSettingSerializer(serializers.Serializer):
     )
     TERMINAL_TELNET_REGEX = serializers.CharField(
         allow_blank=True, max_length=1024, required=False, label=_('Telnet login regex'),
-        help_text=_("The login success message varies with devices. "
+        help_text=_("Tips: The login success message varies with devices. "
                     "if you cannot log in to the device through Telnet, set this parameter")
     )
     TERMINAL_MAGNUS_ENABLED = serializers.BooleanField(label=_("Enable database proxy"))
     XRDP_ENABLED = serializers.BooleanField(label=_("Enable XRDP"))
+    TERMINAL_KOKO_SSH_ENABLED = serializers.BooleanField(label=_("Enable KoKo SSH"))

From 3b9cb2a99c74d3e4abb71b0591f513220e4a9fa5 Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Tue, 19 Apr 2022 16:25:29 +0800
Subject: [PATCH 045/258] =?UTF-8?q?fix:=20=E4=BF=AE=E6=94=B9=E7=BF=BB?=
 =?UTF-8?q?=E8=AF=91=E4=B8=B4=E6=97=B6=E5=AF=86=E7=A0=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/locale/ja/LC_MESSAGES/django.po | 2 +-
 apps/locale/zh/LC_MESSAGES/django.po | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/apps/locale/ja/LC_MESSAGES/django.po b/apps/locale/ja/LC_MESSAGES/django.po
index 5377b3dda..8c5147c50 100644
--- a/apps/locale/ja/LC_MESSAGES/django.po
+++ b/apps/locale/ja/LC_MESSAGES/django.po
@@ -1570,7 +1570,7 @@ msgstr "DingTalk"
 
 #: audits/signal_handlers.py:73 authentication/models.py:76
 msgid "Temporary token"
-msgstr "一時的なトークン"
+msgstr "仮パスワード"
 
 #: audits/signal_handlers.py:107
 msgid "User and Group"
diff --git a/apps/locale/zh/LC_MESSAGES/django.po b/apps/locale/zh/LC_MESSAGES/django.po
index 77b7111be..5160cbfcf 100644
--- a/apps/locale/zh/LC_MESSAGES/django.po
+++ b/apps/locale/zh/LC_MESSAGES/django.po
@@ -1558,7 +1558,7 @@ msgstr "钉钉"
 
 #: audits/signal_handlers.py:73 authentication/models.py:76
 msgid "Temporary token"
-msgstr "临时 Token"
+msgstr "临时密码"
 
 #: audits/signal_handlers.py:107
 msgid "User and Group"

From 500477fad17d4a02331f8407ed38be1d3338a465 Mon Sep 17 00:00:00 2001
From: halo <wuyihuangw@gmail.com>
Date: Tue, 19 Apr 2022 17:06:05 +0800
Subject: [PATCH 046/258] =?UTF-8?q?fix:=20ftp=E6=97=A5=E5=BF=97=E6=B8=85?=
 =?UTF-8?q?=E7=90=86bug?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/audits/tasks.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/apps/audits/tasks.py b/apps/audits/tasks.py
index 171fbe633..10fb67f44 100644
--- a/apps/audits/tasks.py
+++ b/apps/audits/tasks.py
@@ -7,7 +7,7 @@ from celery import shared_task
 from ops.celery.decorator import (
     register_as_period_task
 )
-from .models import UserLoginLog, OperateLog
+from .models import UserLoginLog, OperateLog, FTPLog
 from common.utils import get_log_keep_day
 
 
@@ -29,7 +29,7 @@ def clean_ftp_log_period():
     now = timezone.now()
     days = get_log_keep_day('FTP_LOG_KEEP_DAYS')
     expired_day = now - datetime.timedelta(days=days)
-    OperateLog.objects.filter(datetime__lt=expired_day).delete()
+    FTPLog.objects.filter(datetime__lt=expired_day).delete()
 
 
 @register_as_period_task(interval=3600*24)

From b4ac24ad6df81cf051e96a109e9c3083edfeab65 Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Tue, 19 Apr 2022 16:44:11 +0800
Subject: [PATCH 047/258] =?UTF-8?q?fix:=20=E4=BF=AE=E6=94=B9endpoint/rule?=
 =?UTF-8?q?=E6=9D=83=E9=99=90=E6=A0=91=E4=BD=8D=E7=BD=AE?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/rbac/tree.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/apps/rbac/tree.py b/apps/rbac/tree.py
index dfccafa8f..a585bdf5c 100644
--- a/apps/rbac/tree.py
+++ b/apps/rbac/tree.py
@@ -86,6 +86,8 @@ special_pid_mapper = {
     'terminal.replaystorage': 'terminal_node',
     'terminal.status': 'terminal_node',
     'terminal.task': 'terminal_node',
+    'terminal.endpoint': 'terminal_node',
+    'terminal.endpointrule': 'terminal_node',
     'audits.ftplog': 'terminal',
     'perms.view_myassets': 'my_assets',
     'perms.view_myapps': 'my_apps',

From e4b0ab6a4585b1eef8db89518def30fb24d8a1d4 Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Tue, 19 Apr 2022 16:17:16 +0800
Subject: [PATCH 048/258] =?UTF-8?q?perf:=20=E4=BF=AE=E6=94=B9=E5=91=BD?=
 =?UTF-8?q?=E4=BB=A4=E6=89=A7=E8=A1=8C=E5=8C=BA=E5=88=86=E7=BB=84=E7=BB=87?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../asset/user_permission/user_permission_nodes_with_assets.py   | 1 -
 1 file changed, 1 deletion(-)

diff --git a/apps/perms/api/asset/user_permission/user_permission_nodes_with_assets.py b/apps/perms/api/asset/user_permission/user_permission_nodes_with_assets.py
index d65f08df6..5d3940c9f 100644
--- a/apps/perms/api/asset/user_permission/user_permission_nodes_with_assets.py
+++ b/apps/perms/api/asset/user_permission/user_permission_nodes_with_assets.py
@@ -65,7 +65,6 @@ class MyGrantedNodesWithAssetsAsTreeApi(SerializeToTreeNodeMixin, ListAPIView):
         all_assets = all_assets.annotate(parent_key=F('nodes__key')).prefetch_related('platform')
         data.extend(self.serialize_assets(all_assets))
 
-    @tmp_to_root_org()
     def list(self, request: Request, *args, **kwargs):
         """
         此算法依赖 UserGrantedMappingNode

From 0addba7c149248167a0fc5fc447530257e2f7506 Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Tue, 19 Apr 2022 16:20:09 +0800
Subject: [PATCH 049/258] =?UTF-8?q?perf:=20=E4=BF=AE=E6=94=B9=20command=20?=
 =?UTF-8?q?=E5=91=BD=E4=BB=A4=E6=89=A7=E8=A1=8C?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/perms/api/asset/user_permission/common.py | 1 -
 apps/perms/api/system_user_permission.py       | 3 ---
 2 files changed, 4 deletions(-)

diff --git a/apps/perms/api/asset/user_permission/common.py b/apps/perms/api/asset/user_permission/common.py
index 1594cedb9..86bff2123 100644
--- a/apps/perms/api/asset/user_permission/common.py
+++ b/apps/perms/api/asset/user_permission/common.py
@@ -141,7 +141,6 @@ class UserGrantedAssetSystemUsersForAdminApi(ListAPIView):
         return queryset_list
 
 
-@method_decorator(tmp_to_root_org(), name='list')
 class MyGrantedAssetSystemUsersApi(UserGrantedAssetSystemUsersForAdminApi):
     permission_classes = (IsValidUser,)
 
diff --git a/apps/perms/api/system_user_permission.py b/apps/perms/api/system_user_permission.py
index 48d440baa..6d7569192 100644
--- a/apps/perms/api/system_user_permission.py
+++ b/apps/perms/api/system_user_permission.py
@@ -1,14 +1,11 @@
 from rest_framework import generics
-from django.utils.decorators import method_decorator
 
 from assets.models import SystemUser
 from common.permissions import IsValidUser
-from orgs.utils import tmp_to_root_org
 from perms.utils.asset.user_permission import get_user_all_asset_perm_ids
 from .. import serializers
 
 
-@method_decorator(tmp_to_root_org(), name='list')
 class SystemUserPermission(generics.ListAPIView):
     permission_classes = (IsValidUser,)
     serializer_class = serializers.SystemUserSerializer

From f026b86a204c7193e18f44695b876e15d9c09c09 Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Tue, 19 Apr 2022 18:06:52 +0800
Subject: [PATCH 050/258] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=E8=8E=B7?=
 =?UTF-8?q?=E5=8F=96=E7=BB=84=E7=BB=87=E7=94=A8=E6=88=B7?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/users/models/user.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/users/models/user.py b/apps/users/models/user.py
index 80b938468..b69cd5726 100644
--- a/apps/users/models/user.py
+++ b/apps/users/models/user.py
@@ -455,7 +455,7 @@ class RoleMixin:
         if org is None:
             org = current_org
         if not org.is_root():
-            queryset = current_org.get_members()
+            queryset = org.get_members()
         queryset = cls.filter_not_service_account(queryset)
         return queryset
 

From 5f370c1c049aee1bf9b75f486aa50426a8964653 Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Tue, 19 Apr 2022 19:10:36 +0800
Subject: [PATCH 051/258] =?UTF-8?q?perf:=20=E4=BC=98=E5=8C=96=E5=86=85?=
 =?UTF-8?q?=E7=BD=AE=E7=B3=BB=E7=BB=9F=E7=94=A8=E6=88=B7=E8=A7=92=E8=89=B2?=
 =?UTF-8?q?=E6=9D=83=E9=99=90?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/authentication/api/access_key.py | 4 ++--
 apps/authentication/api/temp_token.py | 7 +++++--
 apps/common/validators.py             | 2 +-
 apps/rbac/builtin.py                  | 3 ++-
 apps/rbac/const.py                    | 1 +
 5 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/apps/authentication/api/access_key.py b/apps/authentication/api/access_key.py
index 0762d0de9..bbda04c02 100644
--- a/apps/authentication/api/access_key.py
+++ b/apps/authentication/api/access_key.py
@@ -2,14 +2,14 @@
 #
 
 from rest_framework.viewsets import ModelViewSet
-
-from common.permissions import IsValidUser
 from .. import serializers
+from rbac.permissions import RBACPermission
 
 
 class AccessKeyViewSet(ModelViewSet):
     serializer_class = serializers.AccessKeySerializer
     search_fields = ['^id', '^secret']
+    permission_classes = [RBACPermission]
 
     def get_queryset(self):
         return self.request.user.access_keys.all()
diff --git a/apps/authentication/api/temp_token.py b/apps/authentication/api/temp_token.py
index a8fcc02af..6e640edd6 100644
--- a/apps/authentication/api/temp_token.py
+++ b/apps/authentication/api/temp_token.py
@@ -3,15 +3,18 @@ from rest_framework.response import Response
 from rest_framework.decorators import action
 
 from common.drf.api import JMSModelViewSet
-from common.permissions import IsValidUser
 from ..models import TempToken
 from ..serializers import TempTokenSerializer
+from rbac.permissions import RBACPermission
 
 
 class TempTokenViewSet(JMSModelViewSet):
     serializer_class = TempTokenSerializer
-    permission_classes = [IsValidUser]
+    permission_classes = [RBACPermission]
     http_method_names = ['post', 'get', 'options', 'patch']
+    rbac_perms = {
+        'expire': 'authentication.change_temptoken',
+    }
 
     def get_queryset(self):
         username = self.request.user.username
diff --git a/apps/common/validators.py b/apps/common/validators.py
index 352482a1b..4be90d855 100644
--- a/apps/common/validators.py
+++ b/apps/common/validators.py
@@ -42,7 +42,7 @@ class NoSpecialChars:
 
 
 class PhoneValidator:
-    pattern = re.compile(r"^1[356789]\d{9}$")
+    pattern = re.compile(r"^1[3456789]\d{9}$")
     message = _('The mobile phone number format is incorrect')
 
     def __call__(self, value):
diff --git a/apps/rbac/builtin.py b/apps/rbac/builtin.py
index a199c149c..c99181d4e 100644
--- a/apps/rbac/builtin.py
+++ b/apps/rbac/builtin.py
@@ -4,7 +4,8 @@ from .const import Scope, system_exclude_permissions, org_exclude_permissions
 
 system_user_perms = (
     ('authentication', 'connectiontoken', 'add', 'connectiontoken'),
-    ('authentication', 'temptoken', 'add', 'temptoken'),
+    ('authentication', 'temptoken', 'add,change,view', 'temptoken'),
+    ('authentication', 'accesskey', '*', '*'),
     ('tickets', 'ticket', 'view', 'ticket'),
     ('orgs', 'organization', 'view', 'rootorg'),
 )
diff --git a/apps/rbac/const.py b/apps/rbac/const.py
index 5d6ae08ec..d9b80b78a 100644
--- a/apps/rbac/const.py
+++ b/apps/rbac/const.py
@@ -25,6 +25,7 @@ exclude_permissions = (
     ('authentication', 'connectiontoken', 'change,delete', 'connectiontoken'),
     ('authentication', 'ssotoken', '*', '*'),
     ('authentication', 'superconnectiontoken', 'change,delete', 'superconnectiontoken'),
+    ('authentication', 'temptoken', 'delete', 'temptoken'),
     ('users', 'userpasswordhistory', '*', '*'),
     ('applications', 'applicationuser', '*', '*'),
     ('applications', 'historicalaccount', '*', '*'),

From 57969a4e23ed4fe27377deb3254a40fc1d799c45 Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Tue, 19 Apr 2022 19:44:07 +0800
Subject: [PATCH 052/258] =?UTF-8?q?fix:=20=E4=BF=AE=E6=94=B9=E8=8E=B7?=
 =?UTF-8?q?=E5=8F=96smart=20endpoint=E7=9A=84=E9=80=BB=E8=BE=91?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/terminal/api/endpoint.py    | 2 +-
 apps/terminal/models/endpoint.py | 7 ++++++-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/apps/terminal/api/endpoint.py b/apps/terminal/api/endpoint.py
index d612db4a8..494dacbe8 100644
--- a/apps/terminal/api/endpoint.py
+++ b/apps/terminal/api/endpoint.py
@@ -2,7 +2,7 @@ from rest_framework.decorators import action
 from rest_framework.response import Response
 from rest_framework import status
 from common.drf.api import JMSBulkModelViewSet
-from common.utils import get_object_or_none
+from django.utils.translation import ugettext_lazy as _
 from django.shortcuts import get_object_or_404
 from assets.models import Asset
 from orgs.utils import tmp_to_root_org
diff --git a/apps/terminal/models/endpoint.py b/apps/terminal/models/endpoint.py
index 39f275f9a..71b79c0e3 100644
--- a/apps/terminal/models/endpoint.py
+++ b/apps/terminal/models/endpoint.py
@@ -31,8 +31,11 @@ class Endpoint(JMSModel):
     def get_port(self, protocol):
         return getattr(self, f'{protocol}_port', 0)
 
+    def is_default(self):
+        return self.id == self.default_id
+
     def delete(self, using=None, keep_parents=False):
-        if self.id == self.default_id:
+        if self.is_default():
             return
         return super().delete(using, keep_parents)
 
@@ -78,6 +81,8 @@ class EndpointRule(JMSModel):
                 continue
             if not endpoint_rule.endpoint:
                 continue
+            if endpoint_rule.endpoint.is_default():
+                return endpoint_rule
             if not endpoint_rule.endpoint.host:
                 continue
             if endpoint_rule.endpoint.get_port(protocol) == 0:

From 611a00a5fa3a84d0339175702f6f3e8c5c942bec Mon Sep 17 00:00:00 2001
From: feng626 <1304903146@qq.com>
Date: Tue, 19 Apr 2022 19:50:46 +0800
Subject: [PATCH 053/258] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8Dsuper=20user?=
 =?UTF-8?q?=20perm=20bug?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/authentication/api/connection_token.py | 2 --
 1 file changed, 2 deletions(-)

diff --git a/apps/authentication/api/connection_token.py b/apps/authentication/api/connection_token.py
index 9e16d31ba..479cac98c 100644
--- a/apps/authentication/api/connection_token.py
+++ b/apps/authentication/api/connection_token.py
@@ -70,8 +70,6 @@ class ClientProtocolMixin:
         system_user = serializer.validated_data['system_user']
 
         user = serializer.validated_data.get('user')
-        if not user or not self.request.user.is_superuser:
-            user = self.request.user
         return asset, application, system_user, user
 
     @staticmethod

From af9248ef7cb1c41238a203f7520a04c40988bce8 Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Wed, 20 Apr 2022 10:24:08 +0800
Subject: [PATCH 054/258] =?UTF-8?q?fix:=20=E8=BF=98=E5=8E=9Fconnection=20t?=
 =?UTF-8?q?oken=20=E9=80=BB=E8=BE=91=20(#8101)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: feng626 <1304903146@qq.com>
---
 apps/authentication/api/connection_token.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/apps/authentication/api/connection_token.py b/apps/authentication/api/connection_token.py
index 479cac98c..9e16d31ba 100644
--- a/apps/authentication/api/connection_token.py
+++ b/apps/authentication/api/connection_token.py
@@ -70,6 +70,8 @@ class ClientProtocolMixin:
         system_user = serializer.validated_data['system_user']
 
         user = serializer.validated_data.get('user')
+        if not user or not self.request.user.is_superuser:
+            user = self.request.user
         return asset, application, system_user, user
 
     @staticmethod

From 76474387921c30e7f6606a545f0846fd0b771b12 Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Wed, 20 Apr 2022 11:18:50 +0800
Subject: [PATCH 055/258] =?UTF-8?q?perf:=20=E8=B4=A6=E5=8F=B7=E5=A4=87?=
 =?UTF-8?q?=E4=BB=BDlog=20(#8106)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: feng626 <1304903146@qq.com>
---
 apps/assets/task_handlers/backup/handlers.py | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/apps/assets/task_handlers/backup/handlers.py b/apps/assets/task_handlers/backup/handlers.py
index a73bced59..600f8a2da 100644
--- a/apps/assets/task_handlers/backup/handlers.py
+++ b/apps/assets/task_handlers/backup/handlers.py
@@ -156,10 +156,7 @@ class AccountBackupHandler:
         logger.info('步骤完成: 用时 {}s'.format(timedelta))
         return files
 
-    def send_backup_mail(self, files):
-        recipients = self.execution.plan_snapshot.get('recipients')
-        if not recipients:
-            return
+    def send_backup_mail(self, files, recipients):
         if not files:
             return
         recipients = User.objects.filter(id__in=list(recipients))
@@ -198,8 +195,16 @@ class AccountBackupHandler:
         is_success = False
         error = '-'
         try:
-            files = self.create_excel()
-            self.send_backup_mail(files)
+            recipients = self.execution.plan_snapshot.get('recipients')
+            if not recipients:
+                logger.info(
+                    '\n'
+                    '\033[32m>>> 该备份任务未分配收件人\033[0m'
+                    ''
+                )
+            else:
+                files = self.create_excel()
+                self.send_backup_mail(files, recipients)
         except Exception as e:
             self.is_frozen = True
             logger.error('任务执行被异常中断')

From f1bd4ea91fbfdedf5e795202b76bb081cf25cbf2 Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Wed, 20 Apr 2022 11:19:37 +0800
Subject: [PATCH 056/258] =?UTF-8?q?perf:=20=E4=BF=AE=E6=94=B9=20=E7=B3=BB?=
 =?UTF-8?q?=E7=BB=9F=E7=BA=A7=E5=88=AB=E7=94=A8=E6=88=B7=E8=A7=92=E8=89=B2?=
 =?UTF-8?q?=E7=9A=84=20perms?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/rbac/builtin.py            | 17 ++++++++---------
 apps/rbac/models/rolebinding.py |  5 +++--
 2 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/apps/rbac/builtin.py b/apps/rbac/builtin.py
index c99181d4e..179889111 100644
--- a/apps/rbac/builtin.py
+++ b/apps/rbac/builtin.py
@@ -2,15 +2,6 @@ from django.utils.translation import ugettext_noop
 
 from .const import Scope, system_exclude_permissions, org_exclude_permissions
 
-system_user_perms = (
-    ('authentication', 'connectiontoken', 'add', 'connectiontoken'),
-    ('authentication', 'temptoken', 'add,change,view', 'temptoken'),
-    ('authentication', 'accesskey', '*', '*'),
-    ('tickets', 'ticket', 'view', 'ticket'),
-    ('orgs', 'organization', 'view', 'rootorg'),
-)
-
-# Todo: 获取应该区分 系统用户，和组织用户的权限
 # 工作台也区分组织后再考虑
 user_perms = (
     ('rbac', 'menupermission', 'view', 'workbench'),
@@ -25,6 +16,14 @@ user_perms = (
     ('ops', 'commandexecution', 'add', 'commandexecution'),
 )
 
+system_user_perms = (
+    ('authentication', 'connectiontoken', 'add', 'connectiontoken'),
+    ('authentication', 'temptoken', 'add,change,view', 'temptoken'),
+    ('authentication', 'accesskey', '*', '*'),
+    ('tickets', 'ticket', 'view', 'ticket'),
+    ('orgs', 'organization', 'view', 'rootorg'),
+) + user_perms
+
 auditor_perms = user_perms + (
     ('rbac', 'menupermission', 'view', 'audit'),
     ('audits', '*', '*', '*'),
diff --git a/apps/rbac/models/rolebinding.py b/apps/rbac/models/rolebinding.py
index 643e38207..dc09f75d2 100644
--- a/apps/rbac/models/rolebinding.py
+++ b/apps/rbac/models/rolebinding.py
@@ -6,7 +6,7 @@ from rest_framework.serializers import ValidationError
 
 from common.db.models import JMSModel
 from common.utils import lazyproperty
-from orgs.utils import current_org
+from orgs.utils import current_org, tmp_to_root_org
 from .role import Role
 from ..const import Scope
 
@@ -105,7 +105,8 @@ class RoleBinding(JMSModel):
         from orgs.models import Organization
 
         roles = Role.get_roles_by_perm(perm)
-        bindings = list(cls.objects.root_all().filter(role__in=roles, user=user))
+        with tmp_to_root_org():
+            bindings = list(cls.objects.root_all().filter(role__in=roles, user=user))
         system_bindings = [b for b in bindings if b.scope == Role.Scope.system.value]
 
         if perm == 'rbac.view_workbench':

From d2dd487e2c6d8f0c8a7f3b042c373132ac0378eb Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Wed, 20 Apr 2022 16:05:33 +0800
Subject: [PATCH 057/258] =?UTF-8?q?feat:=20=E4=BF=AE=E6=94=B9LDAP=E5=AF=BC?=
 =?UTF-8?q?=E5=85=A5=E7=BB=84=E7=BB=87=E9=97=AE=E9=A2=98=20(#8111)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Jiangjie.Bai <bugatti_it@163.com>

Co-authored-by: BaiJiangJie <bugatti_it@163.com>
---
 apps/settings/utils/ldap.py |  4 +++-
 apps/users/tasks.py         | 10 ++++++++--
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/apps/settings/utils/ldap.py b/apps/settings/utils/ldap.py
index 22f4c2b19..5175d7a31 100644
--- a/apps/settings/utils/ldap.py
+++ b/apps/settings/utils/ldap.py
@@ -376,7 +376,9 @@ class LDAPImportUtil(object):
             except Exception as e:
                 errors.append({user['username']: str(e)})
                 logger.error(e)
-        if org and org.is_root():
+        if not org:
+            return
+        if org.is_root():
             return
         for obj in objs:
             org.add_member(obj)
diff --git a/apps/users/tasks.py b/apps/users/tasks.py
index 0f93fa6c3..eb3ec8b9f 100644
--- a/apps/users/tasks.py
+++ b/apps/users/tasks.py
@@ -81,8 +81,14 @@ def import_ldap_user():
     util_server = LDAPServerUtil()
     util_import = LDAPImportUtil()
     users = util_server.search()
-    org_id = settings.AUTH_LDAP_SYNC_ORG_ID
-    org = Organization.get_instance(org_id)
+    if settings.XPACK_ENABLED:
+        org_id = settings.AUTH_LDAP_SYNC_ORG_ID
+        default_org = None
+    else:
+        # 社区版默认导入Default组织
+        org_id = Organization.DEFAULT_ID
+        default_org = Organization.default()
+    org = Organization.get_instance(org_id, default=default_org)
     errors = util_import.perform_import(users, org)
     if errors:
         logger.error("Imported LDAP users errors: {}".format(errors))

From c29d1337769b40fe55cb0dae7ab59001d69a6959 Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Wed, 20 Apr 2022 16:30:41 +0800
Subject: [PATCH 058/258] =?UTF-8?q?feat:=20=E4=BF=AE=E6=94=B9LDAP=E5=AF=BC?=
 =?UTF-8?q?=E5=85=A5=E5=AE=9A=E6=97=B6=E4=BB=BB=E5=8A=A1interval/crontab?=
 =?UTF-8?q?=E4=BC=98=E5=85=88=E7=BA=A7?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Jiangjie.Bai <bugatti_it@163.com>
---
 apps/users/tasks.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/apps/users/tasks.py b/apps/users/tasks.py
index eb3ec8b9f..6d9bac660 100644
--- a/apps/users/tasks.py
+++ b/apps/users/tasks.py
@@ -112,6 +112,9 @@ def import_ldap_user_periodic():
     else:
         interval = None
     crontab = settings.AUTH_LDAP_SYNC_CRONTAB
+    if crontab:
+        # 优先使用 crontab
+        interval = None
     tasks = {
         task_name: {
             'task': import_ldap_user.name,

From 415521a0034ca12a7aee983c2e27a2bc02e6926b Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Wed, 20 Apr 2022 16:32:33 +0800
Subject: [PATCH 059/258] =?UTF-8?q?fix:=20=E5=88=A0=E9=99=A4=E7=BB=84?=
 =?UTF-8?q?=E7=BB=87=E6=97=B6=E6=A3=80=E6=B5=8Bldap=E5=90=8C=E6=AD=A5?=
 =?UTF-8?q?=E7=BB=84=E7=BB=87=20(#8112)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: feng626 <1304903146@qq.com>
---
 apps/locale/ja/LC_MESSAGES/django.mo |  4 +-
 apps/locale/ja/LC_MESSAGES/django.po | 57 ++++++++++++++++------------
 apps/locale/zh/LC_MESSAGES/django.mo |  4 +-
 apps/locale/zh/LC_MESSAGES/django.po | 55 +++++++++++++++------------
 apps/orgs/api.py                     |  6 +++
 5 files changed, 73 insertions(+), 53 deletions(-)

diff --git a/apps/locale/ja/LC_MESSAGES/django.mo b/apps/locale/ja/LC_MESSAGES/django.mo
index e13ed4cfb..d94d92000 100644
--- a/apps/locale/ja/LC_MESSAGES/django.mo
+++ b/apps/locale/ja/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:4e6962699271d0f5402223321e65211f1c7ad0b7a9b43524f3a0fac7ea2541d9
-size 125623
+oid sha256:c756a62144f20cbfa767a8afa63cfe3e01f65041e0ebd121533ad1411a034623
+size 125910
diff --git a/apps/locale/ja/LC_MESSAGES/django.po b/apps/locale/ja/LC_MESSAGES/django.po
index 8c5147c50..690aa7d3f 100644
--- a/apps/locale/ja/LC_MESSAGES/django.po
+++ b/apps/locale/ja/LC_MESSAGES/django.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-04-19 15:57+0800\n"
+"POT-Creation-Date: 2022-04-20 16:23+0800\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -29,7 +29,7 @@ msgstr "Acls"
 #: assets/models/group.py:20 assets/models/label.py:18 ops/mixin.py:24
 #: orgs/models.py:65 perms/models/base.py:83 rbac/models/role.py:29
 #: settings/models.py:29 settings/serializers/sms.py:6
-#: terminal/models/endpoint.py:10 terminal/models/endpoint.py:55
+#: terminal/models/endpoint.py:10 terminal/models/endpoint.py:58
 #: terminal/models/storage.py:23 terminal/models/task.py:16
 #: terminal/models/terminal.py:100 users/forms/profile.py:32
 #: users/models/group.py:15 users/models/user.py:661
@@ -38,12 +38,12 @@ msgid "Name"
 msgstr "名前"
 
 #: acls/models/base.py:27 assets/models/cmd_filter.py:84
-#: assets/models/user.py:247 terminal/models/endpoint.py:58
+#: assets/models/user.py:247 terminal/models/endpoint.py:61
 msgid "Priority"
 msgstr "優先順位"
 
 #: acls/models/base.py:28 assets/models/cmd_filter.py:84
-#: assets/models/user.py:247 terminal/models/endpoint.py:59
+#: assets/models/user.py:247 terminal/models/endpoint.py:62
 msgid "1-100, the lower the value will be match first"
 msgstr "1-100、低い値は最初に一致します"
 
@@ -61,7 +61,7 @@ msgstr "アクティブ"
 #: assets/models/domain.py:64 assets/models/group.py:23
 #: assets/models/label.py:23 ops/models/adhoc.py:38 orgs/models.py:68
 #: perms/models/base.py:93 rbac/models/role.py:37 settings/models.py:34
-#: terminal/models/endpoint.py:20 terminal/models/endpoint.py:65
+#: terminal/models/endpoint.py:20 terminal/models/endpoint.py:68
 #: terminal/models/storage.py:26 terminal/models/terminal.py:114
 #: tickets/models/comment.py:24 tickets/models/ticket.py:154
 #: users/models/group.py:16 users/models/user.py:698
@@ -1360,7 +1360,7 @@ msgstr "監査"
 
 #: audits/models.py:27 audits/models.py:57
 #: authentication/templates/authentication/_access_key_modal.html:65
-#: rbac/tree.py:166
+#: rbac/tree.py:168
 msgid "Delete"
 msgstr "削除"
 
@@ -1413,11 +1413,11 @@ msgstr "ファイル転送ログ"
 
 #: audits/models.py:55
 #: authentication/templates/authentication/_access_key_modal.html:22
-#: rbac/tree.py:163
+#: rbac/tree.py:165
 msgid "Create"
 msgstr "作成"
 
-#: audits/models.py:56 rbac/tree.py:165 templates/_csv_import_export.html:18
+#: audits/models.py:56 rbac/tree.py:167 templates/_csv_import_export.html:18
 #: templates/_csv_update_modal.html:6
 msgid "Update"
 msgstr "更新"
@@ -2886,15 +2886,22 @@ msgstr "タスクログ"
 msgid "Update task content: {}"
 msgstr "タスク内容の更新: {}"
 
-#: orgs/api.py:68
+#: orgs/api.py:69
 msgid "The current organization ({}) cannot be deleted"
 msgstr "現在の組織 ({}) は削除できません"
 
-#: orgs/api.py:76
+#: orgs/api.py:77
 msgid "The organization have resource ({}) cannot be deleted"
 msgstr "組織のリソース ({}) は削除できません"
 
-#: orgs/apps.py:7 rbac/tree.py:112
+#: orgs/api.py:83
+msgid ""
+"LDAP synchronization is set to the current organization. Please switch to "
+"another organization before deleting"
+msgstr ""
+"LDAP同期は現在の組織に設定されます。削除する前に別の組織に切り替えてください"
+
+#: orgs/apps.py:7 rbac/tree.py:114
 msgid "App organizations"
 msgstr "アプリ組織"
 
@@ -3202,18 +3209,18 @@ msgstr "組織の役割"
 msgid "Role binding"
 msgstr "ロールバインディング"
 
-#: rbac/models/rolebinding.py:150
+#: rbac/models/rolebinding.py:151
 msgid ""
 "User last role in org, can not be delete, you can remove user from org "
 "instead"
 msgstr ""
 "ユーザーの最後のロールは削除できません。ユーザーを組織から削除できます。"
 
-#: rbac/models/rolebinding.py:157
+#: rbac/models/rolebinding.py:158
 msgid "Organization role binding"
 msgstr "組織の役割バインディング"
 
-#: rbac/models/rolebinding.py:172
+#: rbac/models/rolebinding.py:173
 msgid "System role binding"
 msgstr "システムロールバインディング"
 
@@ -3301,27 +3308,27 @@ msgstr "私の資産"
 msgid "My apps"
 msgstr "マイアプリ"
 
-#: rbac/tree.py:113
+#: rbac/tree.py:115
 msgid "Ticket comment"
 msgstr "チケットコメント"
 
-#: rbac/tree.py:114 tickets/models/ticket.py:163
+#: rbac/tree.py:116 tickets/models/ticket.py:163
 msgid "Ticket"
 msgstr "チケット"
 
-#: rbac/tree.py:115
+#: rbac/tree.py:117
 msgid "Common setting"
 msgstr "共通設定"
 
-#: rbac/tree.py:116
+#: rbac/tree.py:118
 msgid "View permission tree"
 msgstr "権限ツリーの表示"
 
-#: rbac/tree.py:117
+#: rbac/tree.py:119
 msgid "Execute batch command"
 msgstr "バッチ実行コマンド"
 
-#: rbac/tree.py:164
+#: rbac/tree.py:166
 msgid "View"
 msgstr "表示"
 
@@ -4228,8 +4235,8 @@ msgid ""
 "Tips: The login success message varies with devices. if you cannot log in to "
 "the device through Telnet, set this parameter"
 msgstr ""
-"ヒント: ログイン成功メッセージはデバイスによって異なります。Telnet経由でデバイスにロ"
-"グインできない場合は、このパラメーターを設定します。"
+"ヒント: ログイン成功メッセージはデバイスによって異なります。Telnet経由でデバ"
+"イスにログインできない場合は、このパラメーターを設定します。"
 
 #: settings/serializers/terminal.py:36
 msgid "Enable database proxy"
@@ -4725,18 +4732,18 @@ msgstr "MariaDB ポート"
 msgid "PostgreSQL Port"
 msgstr "PostgreSQL ポート"
 
-#: terminal/models/endpoint.py:25 terminal/models/endpoint.py:63
+#: terminal/models/endpoint.py:25 terminal/models/endpoint.py:66
 #: terminal/serializers/endpoint.py:40 terminal/serializers/storage.py:37
 #: terminal/serializers/storage.py:49 terminal/serializers/storage.py:79
 #: terminal/serializers/storage.py:89 terminal/serializers/storage.py:97
 msgid "Endpoint"
 msgstr "エンドポイント"
 
-#: terminal/models/endpoint.py:56
+#: terminal/models/endpoint.py:59
 msgid "IP group"
 msgstr "IP グループ"
 
-#: terminal/models/endpoint.py:68
+#: terminal/models/endpoint.py:71
 msgid "Endpoint rule"
 msgstr "エンドポイントルール"
 
diff --git a/apps/locale/zh/LC_MESSAGES/django.mo b/apps/locale/zh/LC_MESSAGES/django.mo
index c73d42f67..4d43bfac0 100644
--- a/apps/locale/zh/LC_MESSAGES/django.mo
+++ b/apps/locale/zh/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:3462a9a3eef8f372bf341f2066a33d85e1f01aca5a8fe506528a1cd0a37e98b4
-size 103951
+oid sha256:529a9646db39920766ffbe95b0de79bf0539df9f5807b5e36294031d8c4c7842
+size 104164
diff --git a/apps/locale/zh/LC_MESSAGES/django.po b/apps/locale/zh/LC_MESSAGES/django.po
index 5160cbfcf..37d3e85e0 100644
--- a/apps/locale/zh/LC_MESSAGES/django.po
+++ b/apps/locale/zh/LC_MESSAGES/django.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: JumpServer 0.3.3\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-04-19 15:57+0800\n"
+"POT-Creation-Date: 2022-04-20 16:23+0800\n"
 "PO-Revision-Date: 2021-05-20 10:54+0800\n"
 "Last-Translator: ibuler <ibuler@qq.com>\n"
 "Language-Team: JumpServer team<ibuler@qq.com>\n"
@@ -28,7 +28,7 @@ msgstr "访问控制"
 #: assets/models/group.py:20 assets/models/label.py:18 ops/mixin.py:24
 #: orgs/models.py:65 perms/models/base.py:83 rbac/models/role.py:29
 #: settings/models.py:29 settings/serializers/sms.py:6
-#: terminal/models/endpoint.py:10 terminal/models/endpoint.py:55
+#: terminal/models/endpoint.py:10 terminal/models/endpoint.py:58
 #: terminal/models/storage.py:23 terminal/models/task.py:16
 #: terminal/models/terminal.py:100 users/forms/profile.py:32
 #: users/models/group.py:15 users/models/user.py:661
@@ -37,12 +37,12 @@ msgid "Name"
 msgstr "名称"
 
 #: acls/models/base.py:27 assets/models/cmd_filter.py:84
-#: assets/models/user.py:247 terminal/models/endpoint.py:58
+#: assets/models/user.py:247 terminal/models/endpoint.py:61
 msgid "Priority"
 msgstr "优先级"
 
 #: acls/models/base.py:28 assets/models/cmd_filter.py:84
-#: assets/models/user.py:247 terminal/models/endpoint.py:59
+#: assets/models/user.py:247 terminal/models/endpoint.py:62
 msgid "1-100, the lower the value will be match first"
 msgstr "优先级可选范围为 1-100 (数值越小越优先)"
 
@@ -60,7 +60,7 @@ msgstr "激活中"
 #: assets/models/domain.py:64 assets/models/group.py:23
 #: assets/models/label.py:23 ops/models/adhoc.py:38 orgs/models.py:68
 #: perms/models/base.py:93 rbac/models/role.py:37 settings/models.py:34
-#: terminal/models/endpoint.py:20 terminal/models/endpoint.py:65
+#: terminal/models/endpoint.py:20 terminal/models/endpoint.py:68
 #: terminal/models/storage.py:26 terminal/models/terminal.py:114
 #: tickets/models/comment.py:24 tickets/models/ticket.py:154
 #: users/models/group.py:16 users/models/user.py:698
@@ -1348,7 +1348,7 @@ msgstr "日志审计"
 
 #: audits/models.py:27 audits/models.py:57
 #: authentication/templates/authentication/_access_key_modal.html:65
-#: rbac/tree.py:166
+#: rbac/tree.py:168
 msgid "Delete"
 msgstr "删除"
 
@@ -1401,11 +1401,11 @@ msgstr "文件管理"
 
 #: audits/models.py:55
 #: authentication/templates/authentication/_access_key_modal.html:22
-#: rbac/tree.py:163
+#: rbac/tree.py:165
 msgid "Create"
 msgstr "创建"
 
-#: audits/models.py:56 rbac/tree.py:165 templates/_csv_import_export.html:18
+#: audits/models.py:56 rbac/tree.py:167 templates/_csv_import_export.html:18
 #: templates/_csv_update_modal.html:6
 msgid "Update"
 msgstr "更新"
@@ -2851,15 +2851,21 @@ msgstr "任务列表"
 msgid "Update task content: {}"
 msgstr "更新任务内容: {}"
 
-#: orgs/api.py:68
+#: orgs/api.py:69
 msgid "The current organization ({}) cannot be deleted"
 msgstr "当前组织 ({}) 不能被删除"
 
-#: orgs/api.py:76
+#: orgs/api.py:77
 msgid "The organization have resource ({}) cannot be deleted"
 msgstr "组织存在资源 ({}) 不能被删除"
 
-#: orgs/apps.py:7 rbac/tree.py:112
+#: orgs/api.py:83
+msgid ""
+"LDAP synchronization is set to the current organization. Please switch to "
+"another organization before deleting"
+msgstr "LDAP同步设置组织为当前组织，请切换其他组织后再进行删除操作"
+
+#: orgs/apps.py:7 rbac/tree.py:114
 msgid "App organizations"
 msgstr "组织管理"
 
@@ -3165,17 +3171,17 @@ msgstr "组织角色"
 msgid "Role binding"
 msgstr "角色绑定"
 
-#: rbac/models/rolebinding.py:150
+#: rbac/models/rolebinding.py:151
 msgid ""
 "User last role in org, can not be delete, you can remove user from org "
 "instead"
 msgstr "用户最后一个角色，不能删除，你可以将用户从组织移除"
 
-#: rbac/models/rolebinding.py:157
+#: rbac/models/rolebinding.py:158
 msgid "Organization role binding"
 msgstr "组织角色绑定"
 
-#: rbac/models/rolebinding.py:172
+#: rbac/models/rolebinding.py:173
 msgid "System role binding"
 msgstr "系统角色绑定"
 
@@ -3263,27 +3269,27 @@ msgstr "我的资产"
 msgid "My apps"
 msgstr "我的应用"
 
-#: rbac/tree.py:113
+#: rbac/tree.py:115
 msgid "Ticket comment"
 msgstr "工单评论"
 
-#: rbac/tree.py:114 tickets/models/ticket.py:163
+#: rbac/tree.py:116 tickets/models/ticket.py:163
 msgid "Ticket"
 msgstr "工单管理"
 
-#: rbac/tree.py:115
+#: rbac/tree.py:117
 msgid "Common setting"
 msgstr "一般设置"
 
-#: rbac/tree.py:116
+#: rbac/tree.py:118
 msgid "View permission tree"
 msgstr "查看授权树"
 
-#: rbac/tree.py:117
+#: rbac/tree.py:119
 msgid "Execute batch command"
 msgstr "执行批量命令"
 
-#: rbac/tree.py:164
+#: rbac/tree.py:166
 msgid "View"
 msgstr "查看"
 
@@ -4167,7 +4173,8 @@ msgstr "Telnet 成功正则表达式"
 msgid ""
 "Tips: The login success message varies with devices. if you cannot log in to "
 "the device through Telnet, set this parameter"
-msgstr "提示: 不同设备登录成功提示不一样，所以如果 telnet 不能正常登录，可以这里设置"
+msgstr ""
+"提示: 不同设备登录成功提示不一样，所以如果 telnet 不能正常登录，可以这里设置"
 
 #: settings/serializers/terminal.py:36
 msgid "Enable database proxy"
@@ -4651,18 +4658,18 @@ msgstr "MariaDB 端口"
 msgid "PostgreSQL Port"
 msgstr "PostgreSQL 端口"
 
-#: terminal/models/endpoint.py:25 terminal/models/endpoint.py:63
+#: terminal/models/endpoint.py:25 terminal/models/endpoint.py:66
 #: terminal/serializers/endpoint.py:40 terminal/serializers/storage.py:37
 #: terminal/serializers/storage.py:49 terminal/serializers/storage.py:79
 #: terminal/serializers/storage.py:89 terminal/serializers/storage.py:97
 msgid "Endpoint"
 msgstr "端点"
 
-#: terminal/models/endpoint.py:56
+#: terminal/models/endpoint.py:59
 msgid "IP group"
 msgstr "IP 组"
 
-#: terminal/models/endpoint.py:68
+#: terminal/models/endpoint.py:71
 msgid "Endpoint rule"
 msgstr "端点规则"
 
diff --git a/apps/orgs/api.py b/apps/orgs/api.py
index e1a41a29f..0723790cd 100644
--- a/apps/orgs/api.py
+++ b/apps/orgs/api.py
@@ -2,6 +2,7 @@
 #
 
 from django.utils.translation import ugettext as _
+from django.conf import settings
 from rest_framework_bulk import BulkModelViewSet
 from rest_framework.generics import RetrieveAPIView
 from rest_framework.exceptions import PermissionDenied
@@ -76,6 +77,11 @@ class OrgViewSet(BulkModelViewSet):
                 'The organization have resource ({}) cannot be deleted'
             ).format(model._meta.verbose_name)
             raise PermissionDenied(detail=msg)
+        if str(instance.id) == settings.AUTH_LDAP_SYNC_ORG_ID:
+            msg = _(
+                'LDAP synchronization is set to the current organization. Please switch to another organization before deleting'
+            )
+            raise PermissionDenied(detail=msg)
 
         super().perform_destroy(instance)
 

From b0b379e5a95bbf4c97af7040f555815bddcbf983 Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Wed, 20 Apr 2022 16:38:42 +0800
Subject: [PATCH 060/258] fix: del org check ldap (#8114)

Co-authored-by: feng626 <1304903146@qq.com>
---
 apps/locale/ja/LC_MESSAGES/django.mo |  4 +-
 apps/locale/ja/LC_MESSAGES/django.po | 66 ++++++++++++++--------------
 apps/locale/zh/LC_MESSAGES/django.mo |  4 +-
 apps/locale/zh/LC_MESSAGES/django.po | 66 ++++++++++++++--------------
 apps/orgs/api.py                     | 11 ++---
 5 files changed, 76 insertions(+), 75 deletions(-)

diff --git a/apps/locale/ja/LC_MESSAGES/django.mo b/apps/locale/ja/LC_MESSAGES/django.mo
index d94d92000..52b16b3bd 100644
--- a/apps/locale/ja/LC_MESSAGES/django.mo
+++ b/apps/locale/ja/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:c756a62144f20cbfa767a8afa63cfe3e01f65041e0ebd121533ad1411a034623
-size 125910
+oid sha256:f2c88ade4bfae213bdcdafad656af73f764e3b1b3f2b0c59aa39626e967730ca
+size 125911
diff --git a/apps/locale/ja/LC_MESSAGES/django.po b/apps/locale/ja/LC_MESSAGES/django.po
index 690aa7d3f..8aa00bb46 100644
--- a/apps/locale/ja/LC_MESSAGES/django.po
+++ b/apps/locale/ja/LC_MESSAGES/django.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-04-20 16:23+0800\n"
+"POT-Creation-Date: 2022-04-20 16:35+0800\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -2890,16 +2890,16 @@ msgstr "タスク内容の更新: {}"
 msgid "The current organization ({}) cannot be deleted"
 msgstr "現在の組織 ({}) は削除できません"
 
-#: orgs/api.py:77
-msgid "The organization have resource ({}) cannot be deleted"
-msgstr "組織のリソース ({}) は削除できません"
-
-#: orgs/api.py:83
+#: orgs/api.py:74
 msgid ""
 "LDAP synchronization is set to the current organization. Please switch to "
 "another organization before deleting"
 msgstr ""
-"LDAP同期は現在の組織に設定されます。削除する前に別の組織に切り替えてください"
+"LDAP 同期は現在の組織に設定されます。削除する前に別の組織に切り替えてください"
+
+#: orgs/api.py:83
+msgid "The organization have resource ({}) cannot be deleted"
+msgstr "組織のリソース ({}) は削除できません"
 
 #: orgs/apps.py:7 rbac/tree.py:114
 msgid "App organizations"
@@ -4250,104 +4250,104 @@ msgstr "XRDPの有効化"
 msgid "Enable KoKo SSH"
 msgstr "KoKo SSHの有効化"
 
-#: settings/utils/ldap.py:417
+#: settings/utils/ldap.py:419
 msgid "ldap:// or ldaps:// protocol is used."
 msgstr "ldap:// または ldaps:// プロトコルが使用されます。"
 
-#: settings/utils/ldap.py:428
+#: settings/utils/ldap.py:430
 msgid "Host or port is disconnected: {}"
 msgstr "ホストまたはポートが切断されました: {}"
 
-#: settings/utils/ldap.py:430
+#: settings/utils/ldap.py:432
 msgid "The port is not the port of the LDAP service: {}"
 msgstr "ポートはLDAPサービスのポートではありません: {}"
 
-#: settings/utils/ldap.py:432
+#: settings/utils/ldap.py:434
 msgid "Please add certificate: {}"
 msgstr "証明書を追加してください: {}"
 
-#: settings/utils/ldap.py:436 settings/utils/ldap.py:463
-#: settings/utils/ldap.py:493 settings/utils/ldap.py:521
+#: settings/utils/ldap.py:438 settings/utils/ldap.py:465
+#: settings/utils/ldap.py:495 settings/utils/ldap.py:523
 msgid "Unknown error: {}"
 msgstr "不明なエラー: {}"
 
-#: settings/utils/ldap.py:450
+#: settings/utils/ldap.py:452
 msgid "Bind DN or Password incorrect"
 msgstr "DNまたはパスワードのバインドが正しくありません"
 
-#: settings/utils/ldap.py:457
+#: settings/utils/ldap.py:459
 msgid "Please enter Bind DN: {}"
 msgstr "バインドDN: {} を入力してください"
 
-#: settings/utils/ldap.py:459
+#: settings/utils/ldap.py:461
 msgid "Please enter Password: {}"
 msgstr "パスワードを入力してください: {}"
 
-#: settings/utils/ldap.py:461
+#: settings/utils/ldap.py:463
 msgid "Please enter correct Bind DN and Password: {}"
 msgstr "正しいバインドDNとパスワードを入力してください: {}"
 
-#: settings/utils/ldap.py:479
+#: settings/utils/ldap.py:481
 msgid "Invalid User OU or User search filter: {}"
 msgstr "無効なユーザー OU またはユーザー検索フィルター: {}"
 
-#: settings/utils/ldap.py:510
+#: settings/utils/ldap.py:512
 msgid "LDAP User attr map not include: {}"
 msgstr "LDAP ユーザーattrマップは含まれません: {}"
 
-#: settings/utils/ldap.py:517
+#: settings/utils/ldap.py:519
 msgid "LDAP User attr map is not dict"
 msgstr "LDAPユーザーattrマップはdictではありません"
 
-#: settings/utils/ldap.py:536
+#: settings/utils/ldap.py:538
 msgid "LDAP authentication is not enabled"
 msgstr "LDAP 認証が有効になっていない"
 
-#: settings/utils/ldap.py:554
+#: settings/utils/ldap.py:556
 msgid "Error (Invalid LDAP server): {}"
 msgstr "エラー (LDAPサーバーが無効): {}"
 
-#: settings/utils/ldap.py:556
+#: settings/utils/ldap.py:558
 msgid "Error (Invalid Bind DN): {}"
 msgstr "エラー (DNのバインドが無効): {}"
 
-#: settings/utils/ldap.py:558
+#: settings/utils/ldap.py:560
 msgid "Error (Invalid LDAP User attr map): {}"
 msgstr "エラー (LDAPユーザーattrマップが無効): {}"
 
-#: settings/utils/ldap.py:560
+#: settings/utils/ldap.py:562
 msgid "Error (Invalid User OU or User search filter): {}"
 msgstr "エラー (ユーザーOUまたはユーザー検索フィルターが無効): {}"
 
-#: settings/utils/ldap.py:562
+#: settings/utils/ldap.py:564
 msgid "Error (Not enabled LDAP authentication): {}"
 msgstr "エラー (LDAP認証が有効化されていません): {}"
 
-#: settings/utils/ldap.py:564
+#: settings/utils/ldap.py:566
 msgid "Error (Unknown): {}"
 msgstr "エラー (不明): {}"
 
-#: settings/utils/ldap.py:567
+#: settings/utils/ldap.py:569
 msgid "Succeed: Match {} s user"
 msgstr "成功: {} 人のユーザーに一致"
 
-#: settings/utils/ldap.py:600
+#: settings/utils/ldap.py:602
 msgid "Authentication failed (configuration incorrect): {}"
 msgstr "認証に失敗しました (設定が正しくありません): {}"
 
-#: settings/utils/ldap.py:602
+#: settings/utils/ldap.py:604
 msgid "Authentication failed (before login check failed): {}"
 msgstr "認証に失敗しました (ログインチェックが失敗する前): {}"
 
-#: settings/utils/ldap.py:604
+#: settings/utils/ldap.py:606
 msgid "Authentication failed (username or password incorrect): {}"
 msgstr "認証に失敗しました (ユーザー名またはパスワードが正しくありません): {}"
 
-#: settings/utils/ldap.py:606
+#: settings/utils/ldap.py:608
 msgid "Authentication failed (Unknown): {}"
 msgstr "認証に失敗しました (不明): {}"
 
-#: settings/utils/ldap.py:609
+#: settings/utils/ldap.py:611
 msgid "Authentication success: {}"
 msgstr "認証成功: {}"
 
diff --git a/apps/locale/zh/LC_MESSAGES/django.mo b/apps/locale/zh/LC_MESSAGES/django.mo
index 4d43bfac0..915796d03 100644
--- a/apps/locale/zh/LC_MESSAGES/django.mo
+++ b/apps/locale/zh/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:529a9646db39920766ffbe95b0de79bf0539df9f5807b5e36294031d8c4c7842
-size 104164
+oid sha256:c75e0a1f2a047dac1374916c630bc0e8ef5ad5eea7518ffc21e93f747fc1235e
+size 104165
diff --git a/apps/locale/zh/LC_MESSAGES/django.po b/apps/locale/zh/LC_MESSAGES/django.po
index 37d3e85e0..79cb6c940 100644
--- a/apps/locale/zh/LC_MESSAGES/django.po
+++ b/apps/locale/zh/LC_MESSAGES/django.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: JumpServer 0.3.3\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-04-20 16:23+0800\n"
+"POT-Creation-Date: 2022-04-20 16:35+0800\n"
 "PO-Revision-Date: 2021-05-20 10:54+0800\n"
 "Last-Translator: ibuler <ibuler@qq.com>\n"
 "Language-Team: JumpServer team<ibuler@qq.com>\n"
@@ -2855,15 +2855,15 @@ msgstr "更新任务内容: {}"
 msgid "The current organization ({}) cannot be deleted"
 msgstr "当前组织 ({}) 不能被删除"
 
-#: orgs/api.py:77
-msgid "The organization have resource ({}) cannot be deleted"
-msgstr "组织存在资源 ({}) 不能被删除"
-
-#: orgs/api.py:83
+#: orgs/api.py:74
 msgid ""
 "LDAP synchronization is set to the current organization. Please switch to "
 "another organization before deleting"
-msgstr "LDAP同步设置组织为当前组织，请切换其他组织后再进行删除操作"
+msgstr "LDAP 同步设置组织为当前组织，请切换其他组织后再进行删除操作"
+
+#: orgs/api.py:83
+msgid "The organization have resource ({}) cannot be deleted"
+msgstr "组织存在资源 ({}) 不能被删除"
 
 #: orgs/apps.py:7 rbac/tree.py:114
 msgid "App organizations"
@@ -4188,104 +4188,104 @@ msgstr "启用 XRDP 服务"
 msgid "Enable KoKo SSH"
 msgstr "启用 KoKo SSH"
 
-#: settings/utils/ldap.py:417
+#: settings/utils/ldap.py:419
 msgid "ldap:// or ldaps:// protocol is used."
 msgstr "使用 ldap:// 或 ldaps:// 协议"
 
-#: settings/utils/ldap.py:428
+#: settings/utils/ldap.py:430
 msgid "Host or port is disconnected: {}"
 msgstr "主机或端口不可连接: {}"
 
-#: settings/utils/ldap.py:430
+#: settings/utils/ldap.py:432
 msgid "The port is not the port of the LDAP service: {}"
 msgstr "端口不是LDAP服务端口: {}"
 
-#: settings/utils/ldap.py:432
+#: settings/utils/ldap.py:434
 msgid "Please add certificate: {}"
 msgstr "请添加证书"
 
-#: settings/utils/ldap.py:436 settings/utils/ldap.py:463
-#: settings/utils/ldap.py:493 settings/utils/ldap.py:521
+#: settings/utils/ldap.py:438 settings/utils/ldap.py:465
+#: settings/utils/ldap.py:495 settings/utils/ldap.py:523
 msgid "Unknown error: {}"
 msgstr "未知错误: {}"
 
-#: settings/utils/ldap.py:450
+#: settings/utils/ldap.py:452
 msgid "Bind DN or Password incorrect"
 msgstr "绑定DN或密码错误"
 
-#: settings/utils/ldap.py:457
+#: settings/utils/ldap.py:459
 msgid "Please enter Bind DN: {}"
 msgstr "请输入绑定DN: {}"
 
-#: settings/utils/ldap.py:459
+#: settings/utils/ldap.py:461
 msgid "Please enter Password: {}"
 msgstr "请输入密码: {}"
 
-#: settings/utils/ldap.py:461
+#: settings/utils/ldap.py:463
 msgid "Please enter correct Bind DN and Password: {}"
 msgstr "请输入正确的绑定DN和密码: {}"
 
-#: settings/utils/ldap.py:479
+#: settings/utils/ldap.py:481
 msgid "Invalid User OU or User search filter: {}"
 msgstr "不合法的用户OU或用户过滤器: {}"
 
-#: settings/utils/ldap.py:510
+#: settings/utils/ldap.py:512
 msgid "LDAP User attr map not include: {}"
 msgstr "LDAP属性映射没有包含: {}"
 
-#: settings/utils/ldap.py:517
+#: settings/utils/ldap.py:519
 msgid "LDAP User attr map is not dict"
 msgstr "LDAP属性映射不合法"
 
-#: settings/utils/ldap.py:536
+#: settings/utils/ldap.py:538
 msgid "LDAP authentication is not enabled"
 msgstr "LDAP认证没有启用"
 
-#: settings/utils/ldap.py:554
+#: settings/utils/ldap.py:556
 msgid "Error (Invalid LDAP server): {}"
 msgstr "错误 （不合法的LDAP服务器地址）: {}"
 
-#: settings/utils/ldap.py:556
+#: settings/utils/ldap.py:558
 msgid "Error (Invalid Bind DN): {}"
 msgstr "错误（不合法的绑定DN）: {}"
 
-#: settings/utils/ldap.py:558
+#: settings/utils/ldap.py:560
 msgid "Error (Invalid LDAP User attr map): {}"
 msgstr "错误（不合法的LDAP属性映射）: {}"
 
-#: settings/utils/ldap.py:560
+#: settings/utils/ldap.py:562
 msgid "Error (Invalid User OU or User search filter): {}"
 msgstr "错误（不合法的用户OU或用户过滤器）: {}"
 
-#: settings/utils/ldap.py:562
+#: settings/utils/ldap.py:564
 msgid "Error (Not enabled LDAP authentication): {}"
 msgstr "错误（没有启用LDAP认证）: {}"
 
-#: settings/utils/ldap.py:564
+#: settings/utils/ldap.py:566
 msgid "Error (Unknown): {}"
 msgstr "错误（未知）: {}"
 
-#: settings/utils/ldap.py:567
+#: settings/utils/ldap.py:569
 msgid "Succeed: Match {} s user"
 msgstr "成功匹配 {} 个用户"
 
-#: settings/utils/ldap.py:600
+#: settings/utils/ldap.py:602
 msgid "Authentication failed (configuration incorrect): {}"
 msgstr "认证失败（配置错误）: {}"
 
-#: settings/utils/ldap.py:602
+#: settings/utils/ldap.py:604
 msgid "Authentication failed (before login check failed): {}"
 msgstr "认证失败（登录前检查失败）: {}"
 
-#: settings/utils/ldap.py:604
+#: settings/utils/ldap.py:606
 msgid "Authentication failed (username or password incorrect): {}"
 msgstr "认证失败 (用户名或密码不正确): {}"
 
-#: settings/utils/ldap.py:606
+#: settings/utils/ldap.py:608
 msgid "Authentication failed (Unknown): {}"
 msgstr "认证失败: (未知): {}"
 
-#: settings/utils/ldap.py:609
+#: settings/utils/ldap.py:611
 msgid "Authentication success: {}"
 msgstr "认证成功: {}"
 
diff --git a/apps/orgs/api.py b/apps/orgs/api.py
index 0723790cd..7a3271c50 100644
--- a/apps/orgs/api.py
+++ b/apps/orgs/api.py
@@ -69,6 +69,12 @@ class OrgViewSet(BulkModelViewSet):
             msg = _('The current organization ({}) cannot be deleted').format(current_org)
             raise PermissionDenied(detail=msg)
 
+        if str(instance.id) == settings.AUTH_LDAP_SYNC_ORG_ID:
+            msg = _(
+                'LDAP synchronization is set to the current organization. Please switch to another organization before deleting'
+            )
+            raise PermissionDenied(detail=msg)
+
         for model in org_related_models:
             data = self.get_data_from_model(instance, model)
             if not data:
@@ -77,11 +83,6 @@ class OrgViewSet(BulkModelViewSet):
                 'The organization have resource ({}) cannot be deleted'
             ).format(model._meta.verbose_name)
             raise PermissionDenied(detail=msg)
-        if str(instance.id) == settings.AUTH_LDAP_SYNC_ORG_ID:
-            msg = _(
-                'LDAP synchronization is set to the current organization. Please switch to another organization before deleting'
-            )
-            raise PermissionDenied(detail=msg)
 
         super().perform_destroy(instance)
 

From e61bae5ee4140d4fe5bbd4f3ca688bcd0d6e8a87 Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Wed, 20 Apr 2022 18:50:53 +0800
Subject: [PATCH 061/258] =?UTF-8?q?perf:=20=E4=BC=98=E5=8C=96=E6=9D=83?=
 =?UTF-8?q?=E9=99=90=E4=BD=8D=20(#8110)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* perf: 优化权限位

* perf: 优化返回的组织

* perf: 保证结果是 ok

* perf: 去掉 distinct

* perf: tree count

Co-authored-by: ibuler <ibuler@qq.com>
---
 apps/rbac/builtin.py            |  16 ++-
 apps/rbac/const.py              |   3 +
 apps/rbac/models/rolebinding.py |   8 +-
 apps/rbac/tree.py               | 167 +++++++++++++++++++-------------
 4 files changed, 120 insertions(+), 74 deletions(-)

diff --git a/apps/rbac/builtin.py b/apps/rbac/builtin.py
index 179889111..b736ba226 100644
--- a/apps/rbac/builtin.py
+++ b/apps/rbac/builtin.py
@@ -2,6 +2,10 @@ from django.utils.translation import ugettext_noop
 
 from .const import Scope, system_exclude_permissions, org_exclude_permissions
 
+_view_root_perms = (
+    ('orgs', 'organization', 'view', 'rootorg'),
+)
+
 # 工作台也区分组织后再考虑
 user_perms = (
     ('rbac', 'menupermission', 'view', 'workbench'),
@@ -21,19 +25,23 @@ system_user_perms = (
     ('authentication', 'temptoken', 'add,change,view', 'temptoken'),
     ('authentication', 'accesskey', '*', '*'),
     ('tickets', 'ticket', 'view', 'ticket'),
-    ('orgs', 'organization', 'view', 'rootorg'),
 ) + user_perms
 
-auditor_perms = user_perms + (
+_auditor_perms = (
     ('rbac', 'menupermission', 'view', 'audit'),
     ('audits', '*', '*', '*'),
     ('terminal', 'commandstorage', 'view', 'commandstorage'),
     ('terminal', 'sessionreplay', 'view,download', 'sessionreplay'),
     ('terminal', 'session', '*', '*'),
     ('terminal', 'command', '*', '*'),
-    ('ops', 'commandexecution', 'view', 'commandexecution')
+    ('ops', 'commandexecution', 'view', 'commandexecution'),
 )
 
+auditor_perms = user_perms + _auditor_perms
+
+system_auditor_perms = system_user_perms + _auditor_perms + _view_root_perms
+
+
 app_exclude_perms = [
     ('users', 'user', 'add,delete', 'user'),
     ('orgs', 'org', 'add,delete,change', 'org'),
@@ -101,7 +109,7 @@ class BuiltinRole:
         '1', ugettext_noop('SystemAdmin'), Scope.system, []
     )
     system_auditor = PredefineRole(
-        '2', ugettext_noop('SystemAuditor'), Scope.system, auditor_perms
+        '2', ugettext_noop('SystemAuditor'), Scope.system, system_auditor_perms
     )
     system_component = PredefineRole(
         '4', ugettext_noop('SystemComponent'), Scope.system, app_exclude_perms, 'exclude'
diff --git a/apps/rbac/const.py b/apps/rbac/const.py
index d9b80b78a..b84b7c69e 100644
--- a/apps/rbac/const.py
+++ b/apps/rbac/const.py
@@ -108,8 +108,11 @@ only_system_permissions = (
     ('terminal', 'replaystorage', '*', '*'),
     ('terminal', 'status', '*', '*'),
     ('terminal', 'task', '*', '*'),
+    ('terminal', 'endpoint', '*', '*'),
+    ('terminal', 'endpointrule', '*', '*'),
     ('authentication', '*', '*', '*'),
     ('tickets', '*', '*', '*'),
+    ('orgs', 'organization', 'view', 'rootorg'),
 )
 
 only_org_permissions = (
diff --git a/apps/rbac/models/rolebinding.py b/apps/rbac/models/rolebinding.py
index dc09f75d2..c0ac806ef 100644
--- a/apps/rbac/models/rolebinding.py
+++ b/apps/rbac/models/rolebinding.py
@@ -107,19 +107,23 @@ class RoleBinding(JMSModel):
         roles = Role.get_roles_by_perm(perm)
         with tmp_to_root_org():
             bindings = list(cls.objects.root_all().filter(role__in=roles, user=user))
-        system_bindings = [b for b in bindings if b.scope == Role.Scope.system.value]
 
+        system_bindings = [b for b in bindings if b.scope == Role.Scope.system.value]
+        # 工作台仅限于自己加入的组织
         if perm == 'rbac.view_workbench':
             all_orgs = user.orgs.all()
         else:
             all_orgs = Organization.objects.all()
 
+        # 有系统级别的绑定，就代表在所有组织有这个权限
         if system_bindings:
             orgs = all_orgs
         else:
             org_ids = [b.org.id for b in bindings if b.org]
             orgs = all_orgs.filter(id__in=org_ids)
-        if orgs and user.has_perm('orgs.view_rootorg'):
+
+        # 全局组织
+        if orgs and perm != 'rbac.view_workbench' and user.has_perm('orgs.view_rootorg'):
             orgs = [Organization.root(), *list(orgs)]
         return orgs
 
diff --git a/apps/rbac/tree.py b/apps/rbac/tree.py
index a585bdf5c..bae0b930e 100644
--- a/apps/rbac/tree.py
+++ b/apps/rbac/tree.py
@@ -1,7 +1,8 @@
 #!/usr/bin/python
 import os
-from collections import defaultdict
 from typing import Callable
+from treelib import Tree
+from treelib.exceptions import NodeIDAbsentError
 
 from django.utils.translation import gettext_lazy as _, gettext, get_language
 from django.conf import settings
@@ -159,6 +160,65 @@ def sort_nodes(node):
     return value
 
 
+class CounterTree(Tree):
+    def get_total_count(self, node):
+        count = getattr(node, '_total_count', None)
+        if count is not None:
+            return count
+
+        if not node.data.isParent:
+            return 1
+
+        count = 0
+        children = self.children(node.identifier)
+        for child in children:
+            if child.data.isParent:
+                count += self.get_total_count(child)
+            else:
+                count += 1
+        node._total_count = count
+        return count
+
+    def get_checked_count(self, node):
+        count = getattr(node, '_checked_count', None)
+        if count is not None:
+            return count
+
+        if not node.data.isParent:
+            if node.data.checked:
+                return 1
+            else:
+                return 0
+
+        count = 0
+        children = self.children(node.identifier)
+        for child in children:
+            if child.data.isParent:
+                count += self.get_checked_count(child)
+            else:
+                if child.data.checked:
+                    count += 1
+        node._checked_count = count
+        return count
+
+    def add_nodes_to_tree(self, ztree_nodes, retry=0):
+        failed = []
+        for node in ztree_nodes:
+            pid = node.pId
+            if retry == 2:
+                pid = '$ROOT$'
+
+            try:
+                self.create_node(node.name, node.id, pid, data=node)
+            except NodeIDAbsentError:
+                failed.append(node)
+        if retry > 2:
+            return
+        if failed:
+            retry += 1
+            return self.add_nodes_to_tree(failed, retry)
+
+
 class PermissionTreeUtil:
     get_permissions: Callable
     action_mapper = {
@@ -183,8 +243,6 @@ class PermissionTreeUtil:
             Permission.get_permissions(scope)
         )
         self.check_disabled = check_disabled
-        self.total_counts = defaultdict(int)
-        self.checked_counts = defaultdict(int)
         self.lang = get_language()
 
     @staticmethod
@@ -211,38 +269,10 @@ class PermissionTreeUtil:
                 'name': name,
                 'pId': view,
             }
-            total_count = self.total_counts[app]
-            checked_count = self.checked_counts[app]
-            if total_count == 0:
-                continue
-            self.total_counts[view] += total_count
-            self.checked_counts[view] += checked_count
-            node = self._create_node(
-                app_data, total_count, checked_count,
-                'app', is_open=False
-            )
+            node = self._create_node(app_data, 'app', is_open=False)
             nodes.append(node)
         return nodes
 
-    def _get_model_counts_mapper(self):
-        model_counts = self.all_permissions \
-            .values('model', 'app', 'content_type') \
-            .order_by('content_type') \
-            .annotate(count=Count('content_type'))
-        model_check_counts = self.permissions \
-            .values('content_type', 'model') \
-            .order_by('content_type') \
-            .annotate(count=Count('content_type'))
-        model_counts_mapper = {
-            i['content_type']: i['count']
-            for i in model_counts
-        }
-        model_check_counts_mapper = {
-            i['content_type']: i['count']
-            for i in model_check_counts
-        }
-        return model_counts_mapper, model_check_counts_mapper
-
     @staticmethod
     def _check_model_xpack(model_id):
         app, model = model_id.split('.', 2)
@@ -263,17 +293,10 @@ class PermissionTreeUtil:
             if not self._check_model_xpack(model_id):
                 continue
 
-            total_count = self.total_counts[model_id]
-            checked_count = self.checked_counts[model_id]
-            if total_count == 0:
-                continue
-
             # 获取 pid
             app = ct.app_label
             if model_id in special_pid_mapper:
                 app = special_pid_mapper[model_id]
-            self.total_counts[app] += total_count
-            self.checked_counts[app] += checked_count
 
             # 获取 name
             name = f'{ct.name}'
@@ -284,7 +307,7 @@ class PermissionTreeUtil:
                 'id': model_id,
                 'name': name,
                 'pId': app,
-            }, total_count, checked_count, 'model', is_open=False)
+            }, 'model', is_open=False)
             nodes.append(node)
         return nodes
 
@@ -334,10 +357,7 @@ class PermissionTreeUtil:
             if title in special_pid_mapper:
                 pid = special_pid_mapper[title]
 
-            self.total_counts[pid] += 1
             checked = p.id in permissions_id
-            if checked:
-                self.checked_counts[pid] += 1
 
             node = TreeNode(**{
                 'id': p.id,
@@ -347,7 +367,7 @@ class PermissionTreeUtil:
                 'isParent': False,
                 'chkDisabled': self.check_disabled,
                 'iconSkin': icon,
-                'checked': p.id in permissions_id,
+                'checked': checked,
                 'open': False,
                 'meta': {
                     'type': 'perm',
@@ -356,13 +376,11 @@ class PermissionTreeUtil:
             nodes.append(node)
         return nodes
 
-    def _create_node(self, data, total_count, checked_count, tp,
-                     is_parent=True, is_open=True, icon='', checked=None):
+    def _create_node(self, data, tp, is_parent=True, is_open=True, icon='', checked=None):
         assert data.get('id')
         assert data.get('name')
         assert data.get('pId') is not None
-        if checked is None:
-            checked = total_count == checked_count
+
         node_data = {
             'isParent': is_parent,
             'iconSkin': icon,
@@ -380,46 +398,58 @@ class PermissionTreeUtil:
             node.name += ('[' + node.id + ']')
         if DEBUG_DB:
             node.name += ('-' + node.id)
-        node.name += f'({checked_count}/{total_count})'
         return node
 
     def _create_root_tree_node(self):
-        total_count = self.all_permissions.count()
-        checked_count = self.permissions.count()
-        node = self._create_node(root_node_data, total_count, checked_count, 'root')
+        node = self._create_node(root_node_data, 'root')
         return node
 
     def _create_views_node(self):
         nodes = []
         for view_data in view_nodes_data:
-            view = view_data['id']
             data = {
                 **view_data,
                 'pId': '$ROOT$',
             }
-            total_count = self.total_counts[view]
-            checked_count = self.checked_counts[view]
-            if total_count == 0:
-                continue
-            node = self._create_node(data, total_count, checked_count, 'view', is_open=True)
+            node = self._create_node(data, 'view', is_open=True)
             nodes.append(node)
         return nodes
 
     def _create_extra_nodes(self):
         nodes = []
         for data in extra_nodes_data:
-            i = data['id']
-            pid = data['pId']
-            checked_count = self.checked_counts[i]
-            total_count = self.total_counts[i]
+            node = self._create_node(data, 'extra', is_open=False)
+            nodes.append(node)
+        return nodes
+
+    @staticmethod
+    def compute_nodes_count(ztree_nodes):
+        tree = CounterTree()
+        reverse_nodes = ztree_nodes[::-1]
+        root = reverse_nodes[0]
+        tree.create_node(root.name, root.id, data=root)
+        tree.add_nodes_to_tree(reverse_nodes[1:])
+        counter_nodes = tree.all_nodes()
+
+        node_counts = {}
+        for n in counter_nodes:
+            if not n:
+                continue
+            total_count = tree.get_total_count(n)
+            checked_count = tree.get_checked_count(n)
+            node_counts[n.identifier] = [checked_count, total_count]
+
+        nodes = []
+        for node in ztree_nodes:
+            counter = node_counts[node.id]
+            if not counter:
+                counter = [0, 0]
+            checked_count, total_count = counter
             if total_count == 0:
                 continue
-            self.total_counts[pid] += total_count
-            self.checked_counts[pid] += checked_count
-            node = self._create_node(
-                data, total_count, checked_count,
-                'extra', is_open=False
-            )
+            node.name += '({}/{})'.format(checked_count, total_count)
+            if checked_count != 0:
+                node.checked = True
             nodes.append(node)
         return nodes
 
@@ -431,5 +461,6 @@ class PermissionTreeUtil:
         nodes += self._create_views_node()
         nodes += [self._create_root_tree_node()]
 
+        nodes = self.compute_nodes_count(nodes)
         nodes.sort(key=sort_nodes)
         return nodes

From 74f88d842d11211f9f4a7122b3572189dc53e2a7 Mon Sep 17 00:00:00 2001
From: feng626 <1304903146@qq.com>
Date: Wed, 20 Apr 2022 19:12:55 +0800
Subject: [PATCH 062/258] =?UTF-8?q?fix:=20=E4=BF=AE=E6=94=B9replay=20downl?=
 =?UTF-8?q?oad=20perm?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/terminal/api/session.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/terminal/api/session.py b/apps/terminal/api/session.py
index 3193956e5..6ba0477b9 100644
--- a/apps/terminal/api/session.py
+++ b/apps/terminal/api/session.py
@@ -63,7 +63,7 @@ class SessionViewSet(OrgBulkModelViewSet):
     ]
     extra_filter_backends = [DatetimeRangeFilter]
     rbac_perms = {
-        'download': ['terminal.download_sessionreplay|terminal.view_sessionreplay']
+        'download': ['terminal.download_sessionreplay']
     }
 
     @staticmethod

From 63ee2dd8fb1a1a893ea8da6883e9e93eb2d0e75e Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Wed, 20 Apr 2022 19:58:39 +0800
Subject: [PATCH 063/258] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=E8=8E=B7?=
 =?UTF-8?q?=E5=8F=96=E6=9D=83=E9=99=90=E6=A0=91=E6=9D=83=E9=99=90=E6=8E=A7?=
 =?UTF-8?q?=E5=88=B6?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/rbac/api/role.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/apps/rbac/api/role.py b/apps/rbac/api/role.py
index ceb2e9c19..f077964a6 100644
--- a/apps/rbac/api/role.py
+++ b/apps/rbac/api/role.py
@@ -90,7 +90,7 @@ class SystemRolePermissionsViewSet(BaseRolePermissionsViewSet):
     role_pk = 'system_role_pk'
     model = SystemRole
     rbac_perms = (
-        ('get_tree', 'rbac.view_systemrole'),
+        ('get_tree', 'rbac.view_permission'),
     )
 
 
@@ -99,6 +99,6 @@ class OrgRolePermissionsViewSet(BaseRolePermissionsViewSet):
     role_pk = 'org_role_pk'
     model = OrgRole
     rbac_perms = (
-        ('get_tree', 'rbac.view_orgrole'),
+        ('get_tree', 'rbac.view_permission'),
     )
 

From c3de7b78c2d80df73860b15fc42df2505c273585 Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Thu, 21 Apr 2022 15:36:40 +0800
Subject: [PATCH 064/258] =?UTF-8?q?fix:=20=E8=BF=9C=E7=A8=8B=E5=BA=94?=
 =?UTF-8?q?=E7=94=A8=E6=8E=88=E6=9D=83=E6=97=B6=20=E6=9C=89=E4=BA=9B?=
 =?UTF-8?q?=E8=B5=84=E4=BA=A7=E5=B7=B2=E7=BB=8F=E4=B8=8D=E5=AD=98=E5=9C=A8?=
 =?UTF-8?q?=E4=BA=86=20=E5=AF=BC=E8=87=B4=E6=8E=88=E6=9D=83=E5=A4=B1?=
 =?UTF-8?q?=E8=B4=A5=20(#8127)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: feng626 <1304903146@qq.com>
---
 apps/perms/signal_handlers/app_permission.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/apps/perms/signal_handlers/app_permission.py b/apps/perms/signal_handlers/app_permission.py
index 779c99dca..104f56e9a 100644
--- a/apps/perms/signal_handlers/app_permission.py
+++ b/apps/perms/signal_handlers/app_permission.py
@@ -4,7 +4,7 @@ from django.db.models.signals import m2m_changed
 from django.dispatch import receiver
 
 from users.models import User, UserGroup
-from assets.models import SystemUser
+from assets.models import Asset, SystemUser
 from applications.models import Application
 from common.utils import get_logger
 from common.exceptions import M2MReverseNotAllowed
@@ -48,6 +48,8 @@ def set_remote_app_asset_system_users_if_need(instance: ApplicationPermission, s
 
     attrs = instance.applications.all().values_list('attrs', flat=True)
     asset_ids = [attr['asset'] for attr in attrs if attr.get('asset')]
+    # 远程应用中资产可能在资产表里不存在
+    asset_ids = Asset.objects.filter(id__in=asset_ids).values_list('id', flat=True)
     if not asset_ids:
         return
 

From a6d61721ddd38fdff3df9de9fdd2ffb34ddb3bab Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Thu, 21 Apr 2022 16:13:03 +0800
Subject: [PATCH 065/258] =?UTF-8?q?fix:=20=E4=BF=AE=E6=94=B9csrftoken?=
 =?UTF-8?q?=E8=8E=B7=E5=8F=96=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/static/js/jumpserver.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/apps/static/js/jumpserver.js b/apps/static/js/jumpserver.js
index 070c811f7..680410763 100644
--- a/apps/static/js/jumpserver.js
+++ b/apps/static/js/jumpserver.js
@@ -125,7 +125,8 @@ function csrfSafeMethod(method) {
 }
 
 function setAjaxCSRFToken() {
-    const prefix = getCookie('SESSION_COOKIE_NAME_PREFIX', '')
+    let prefix = getCookie('SESSION_COOKIE_NAME_PREFIX');
+    if (!prefix || [`""`, `''`].indexOf(prefix) > -1) { prefix = ''; }
     var csrftoken = getCookie(`${prefix}csrftoken`);
     var sessionid = getCookie(`${prefix}sessionid`);
 

From d25cde1bd5442a038454e4b54e86622051fd3c9b Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Thu, 21 Apr 2022 22:37:29 +0800
Subject: [PATCH 066/258] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=E7=A4=BE?=
 =?UTF-8?q?=E5=8C=BA=E7=89=88=E8=B7=B3=E8=BD=AC=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/rbac/models/rolebinding.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/apps/rbac/models/rolebinding.py b/apps/rbac/models/rolebinding.py
index c0ac806ef..835fbf6a7 100644
--- a/apps/rbac/models/rolebinding.py
+++ b/apps/rbac/models/rolebinding.py
@@ -1,6 +1,7 @@
 from django.utils.translation import gettext_lazy as _
 from django.db import models
 from django.db.models import Q
+from django.conf import settings
 from django.core.exceptions import ValidationError
 from rest_framework.serializers import ValidationError
 
@@ -115,6 +116,9 @@ class RoleBinding(JMSModel):
         else:
             all_orgs = Organization.objects.all()
 
+        if not settings.XPACK_ENABLED:
+            all_orgs = all_orgs.filter(id=Organization.DEFAULT_ID)
+
         # 有系统级别的绑定，就代表在所有组织有这个权限
         if system_bindings:
             orgs = all_orgs

From 978c1f6363d1d49f8c02cb2f9a602e075b9a6647 Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Fri, 22 Apr 2022 13:44:39 +0800
Subject: [PATCH 067/258] =?UTF-8?q?perf:=20=E4=BF=AE=E6=94=B9=20Dockerfile?=
 =?UTF-8?q?,=20=E4=BC=98=E5=8C=96=E6=9E=84=E5=BB=BA?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 Dockerfile | 44 ++++++++++++++++++++++----------------------
 1 file changed, 22 insertions(+), 22 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 421f95b20..3ef2daad9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,20 +1,5 @@
-# 编译代码
-FROM python:3.8-slim as stage-build
-MAINTAINER JumpServer Team <ibuler@qq.com>
-ARG VERSION
-ENV VERSION=$VERSION
-
-WORKDIR /opt/jumpserver
-ADD . .
-RUN cd utils && bash -ixeu build.sh
-
 FROM python:3.8-slim
-ARG PIP_MIRROR=https://pypi.douban.com/simple
-ENV PIP_MIRROR=$PIP_MIRROR
-ARG PIP_JMS_MIRROR=https://pypi.douban.com/simple
-ENV PIP_JMS_MIRROR=$PIP_JMS_MIRROR
-
-WORKDIR /opt/jumpserver
+MAINTAINER JumpServer Team <ibuler@qq.com>
 
 ARG BUILD_DEPENDENCIES="              \
     g++                               \
@@ -62,21 +47,36 @@ RUN sed -i 's/deb.debian.org/mirrors.aliyun.com/g' /etc/apt/sources.list \
     && mv /bin/sh /bin/sh.bak  \
     && ln -s /bin/bash /bin/sh
 
-RUN mkdir -p /opt/jumpserver/oracle/ \
+RUN mkdir -p /opt/oracle/ \
     && wget https://download.jumpserver.org/public/instantclient-basiclite-linux.x64-21.1.0.0.0.tar \
-    && tar xf instantclient-basiclite-linux.x64-21.1.0.0.0.tar -C /opt/jumpserver/oracle/ \
-    && echo "/opt/jumpserver/oracle/instantclient_21_1" > /etc/ld.so.conf.d/oracle-instantclient.conf \
+    && tar xf instantclient-basiclite-linux.x64-21.1.0.0.0.tar -C /opt/oracle/ \
+    && echo "/opt/oracle/instantclient_21_1" > /etc/ld.so.conf.d/oracle-instantclient.conf \
     && ldconfig \
     && rm -f instantclient-basiclite-linux.x64-21.1.0.0.0.tar
 
-COPY --from=stage-build /opt/jumpserver/release/jumpserver /opt/jumpserver
+WORKDIR /tmp/build
+COPY ./requirements ./requirements
 
-RUN echo > config.yml \
-    && pip install --upgrade pip==20.2.4 setuptools==49.6.0 wheel==0.34.2 -i ${PIP_MIRROR} \
+ARG PIP_MIRROR=https://mirrors.aliyun.com/pypi/simple/
+ENV PIP_MIRROR=$PIP_MIRROR
+ARG PIP_JMS_MIRROR=https://mirrors.aliyun.com/pypi/simple/
+ENV PIP_JMS_MIRROR=$PIP_JMS_MIRROR
+# 因为以 jms 或者 jumpserver 开头的 mirror 上可能没有
+RUN pip install --upgrade pip==20.2.4 setuptools==49.6.0 wheel==0.34.2 -i ${PIP_MIRROR} \
     && pip install --no-cache-dir $(grep -E 'jms|jumpserver' requirements/requirements.txt) -i ${PIP_JMS_MIRROR} \
     && pip install --no-cache-dir -r requirements/requirements.txt -i ${PIP_MIRROR} \
     && rm -rf ~/.cache/pip
 
+ARG VERSION
+ENV VERSION=$VERSION
+
+ADD . .
+RUN cd utils \
+    && bash -ixeu build.sh \
+    && mv ../release/jumpserver /opt/jumpserver \
+    && echo > /opt/jumpserver/config.yml
+
+WORKDIR /opt/jumpserver
 VOLUME /opt/jumpserver/data
 VOLUME /opt/jumpserver/logs
 

From 529e3d12e097c2268ad7f680b889d8c50342780e Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Fri, 22 Apr 2022 13:50:05 +0800
Subject: [PATCH 068/258] =?UTF-8?q?perf:=20=E5=88=A0=E9=99=A4=20build?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 Dockerfile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Dockerfile b/Dockerfile
index 3ef2daad9..dfbfbe0eb 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -74,6 +74,7 @@ ADD . .
 RUN cd utils \
     && bash -ixeu build.sh \
     && mv ../release/jumpserver /opt/jumpserver \
+    && rm -rf /tmp/build \
     && echo > /opt/jumpserver/config.yml
 
 WORKDIR /opt/jumpserver

From 104d67263457302d98a2005d7f759b0ef4d0033f Mon Sep 17 00:00:00 2001
From: feng626 <1304903146@qq.com>
Date: Sun, 24 Apr 2022 14:18:14 +0800
Subject: [PATCH 069/258] perf: client download

---
 apps/templates/resource_download.html | 28 ++++++++-------------------
 1 file changed, 8 insertions(+), 20 deletions(-)

diff --git a/apps/templates/resource_download.html b/apps/templates/resource_download.html
index 510b2159e..c9cb4ea6f 100644
--- a/apps/templates/resource_download.html
+++ b/apps/templates/resource_download.html
@@ -15,45 +15,33 @@ p {
 </style>
 <div style="margin: 0 200px">
     <div class="group">
-        <h2>JumpServer {% trans 'Client' %}</h2>
+        <h2>JumpServer {% trans 'Client' %} v1.1.4</h2>
         <p>
             {% trans 'JumpServer Client, currently used to launch the client, now only support launch RDP SSH client, The Telnet client will next' %}
-{#            //JumpServer 客户端，支持 RDP 的本地拉起，后续会支持拉起 ssh。#}
         </p>
         <ul>
-            <li> <a href="/download/JumpServer-Client-Installer.msi">Windows {% trans 'Client' %}</a></li>
-            <li> <a href="/download/JumpServer-Client-Installer.dmg">macOS {% trans 'Client' %}</a></li>
+            <li> <a href="/download/JumpServer-Client-Installer-x86_64.msi">jumpserver-client-windows-x86_64.msi</a></li>
+            <li> <a href="/download/JumpServer-Client-Installer-arm64.msi">jumpserver-client-windows-arm64.msi</a></li>
+            <li> <a href="/download/JumpServer-Client-Installer.dmg">jumpserver-client-darwin.dmg</a></li>
         </ul>
     </div>
 
     <div class="group">
-        <h2>{% trans 'Microsoft' %} RDP {% trans 'Official' %}{% trans 'Client' %}</h2>
+        <h2>{% trans 'Microsoft' %} RDP {% trans 'Official' %}{% trans 'Client' %} v10.6.7</h2>
         <p>
             {% trans 'macOS needs to download the client to connect RDP asset, which comes with Windows' %}
         </p>
         <ul>
-            <li><a href="/download/Microsoft_Remote_Desktop_10.6.7_installer.pkg">Microsoft_Remote_Desktop_10.6.7_installer.pkg</a></li>
-        </ul>
-    </div>
-
-    <div class="group">
-        <h2>SSH {% trans 'Client' %}</h2>
-        <p>
-            {% trans 'Windows needs to download the client to connect SSH assets, and the MacOS system uses its own terminal' %}
-        </p>
-        <ul>
-            <li><a href="/download/putty/w64/putty.exe">64-bit x86:  Putty.exe</a></li>
-            <li><a href="/download/putty/wa64/putty.exe">64-bit Arm: Putty.exe</a></li>
-            <li><a href="/download/putty/w32/putty.exe">32-bit x86:  Putty.exe</a></li>
+            <li><a href="/download/Microsoft_Remote_Desktop_10.6.7_installer.pkg">microsoft-remote-desktop-installer.pkg</a></li>
         </ul>
     </div>
 
     {% if XPACK_ENABLED  %}
         <div class="group">
-            <h2>{% trans 'Windows Remote application publisher tools' %}</h2>
+            <h2>{% trans 'Windows Remote application publisher tools' %} v2.0</h2>
             <p>{% trans 'Jmservisor is the program used to pull up remote applications in Windows Remote Application publisher' %}</p>
             <ul>
-                <li><a href="/download/Jmservisor.msi">Jmservisor</a></li>
+                <li><a href="/download/Jmservisor.msi">jmservisor.msi</a></li>
             </ul>
         </div>
     {% endif %}

From 034d0e285c1e322e74f561442cf52601cc8879ca Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E8=80=81=E5=B9=BF?= <ibuler@qq.com>
Date: Sun, 24 Apr 2022 17:37:08 +0800
Subject: [PATCH 070/258] Update README.md

---
 README.md | 1 -
 1 file changed, 1 deletion(-)

diff --git a/README.md b/README.md
index 3fdcb7fde..813327bfc 100644
--- a/README.md
+++ b/README.md
@@ -131,4 +131,3 @@ Licensed under The GNU General Public License version 3 (GPLv3)  (the "License")
 https://www.gnu.org/licenses/gpl-3.0.html
 
 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
-

From 9804ca5dd0a697a72163a7a043aea337b4df9584 Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Mon, 25 Apr 2022 11:38:15 +0800
Subject: [PATCH 071/258] =?UTF-8?q?fix:=20workbench=5Forgs=20=E5=8E=BB?=
 =?UTF-8?q?=E9=87=8D=20(#8150)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: feng626 <1304903146@qq.com>
---
 apps/rbac/models/rolebinding.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/rbac/models/rolebinding.py b/apps/rbac/models/rolebinding.py
index 835fbf6a7..ded35a278 100644
--- a/apps/rbac/models/rolebinding.py
+++ b/apps/rbac/models/rolebinding.py
@@ -112,7 +112,7 @@ class RoleBinding(JMSModel):
         system_bindings = [b for b in bindings if b.scope == Role.Scope.system.value]
         # 工作台仅限于自己加入的组织
         if perm == 'rbac.view_workbench':
-            all_orgs = user.orgs.all()
+            all_orgs = user.orgs.all().distinct()
         else:
             all_orgs = Organization.objects.all()
 

From 3a3f7eaf715ded06a1d28a07ba08235ef1d4c09d Mon Sep 17 00:00:00 2001
From: jiangweidong <weidong.jiang@fit2cloud.com>
Date: Thu, 21 Apr 2022 15:18:17 +0800
Subject: [PATCH 072/258] =?UTF-8?q?feat:=20=E4=BC=98=E5=8C=96SAML2?=
 =?UTF-8?q?=E7=94=9F=E6=88=90=E7=9A=84metadata=E6=96=87=E4=BB=B6=E5=86=85?=
 =?UTF-8?q?=E5=AE=B9=E5=8F=8A=E5=B1=9E=E6=80=A7=E6=98=A0=E5=B0=84?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/authentication/backends/saml2/views.py | 53 +++++++++++++--------
 1 file changed, 33 insertions(+), 20 deletions(-)

diff --git a/apps/authentication/backends/saml2/views.py b/apps/authentication/backends/saml2/views.py
index b0b8fef8d..e91fd0660 100644
--- a/apps/authentication/backends/saml2/views.py
+++ b/apps/authentication/backends/saml2/views.py
@@ -74,27 +74,37 @@ class PrepareRequestMixin:
         return idp_settings
 
     @staticmethod
-    def get_attribute_consuming_service():
-        attr_mapping = settings.SAML2_RENAME_ATTRIBUTES
-        if attr_mapping and isinstance(attr_mapping, dict):
-            attr_list = [
-                {
-                    "name": sp_key,
-                    "friendlyName": idp_key, "isRequired": True
-                }
-                for idp_key, sp_key in attr_mapping.items()
-            ]
-            request_attribute_template = {
-                "attributeConsumingService": {
-                    "isDefault": False,
-                    "serviceName": "JumpServer",
-                    "serviceDescription": "JumpServer",
-                    "requestedAttributes": attr_list
-                }
+    def get_request_attributes():
+        attr_mapping = settings.SAML2_RENAME_ATTRIBUTES or {}
+        attr_map_reverse = {v: k for k, v in attr_mapping.items()}
+        need_attrs = (
+            ('username', 'username', True),
+            ('email', 'email', True),
+            ('name', 'name', False),
+            ('phone', 'phone', False),
+            ('comment', 'comment', False),
+        )
+        attr_list = []
+        for name, friend_name, is_required in need_attrs:
+            rename_name = attr_map_reverse.get(friend_name)
+            name = rename_name if rename_name else name
+            attr_list.append({
+                "name": name, "isRequired": is_required,
+                "friendlyName": friend_name,
+            })
+        return attr_list
+
+    def get_attribute_consuming_service(self):
+        attr_list = self.get_request_attributes()
+        request_attribute_template = {
+            "attributeConsumingService": {
+                "isDefault": False,
+                "serviceName": "JumpServer",
+                "serviceDescription": "JumpServer",
+                "requestedAttributes": attr_list
             }
-            return request_attribute_template
-        else:
-            return {}
+        }
+        return request_attribute_template
 
     @staticmethod
     def get_advanced_settings():
@@ -167,11 +177,14 @@ class PrepareRequestMixin:
 
     def get_attributes(self, saml_instance):
         user_attrs = {}
+        attr_mapping = settings.SAML2_RENAME_ATTRIBUTES
         attrs = saml_instance.get_attributes()
         valid_attrs = ['username', 'name', 'email', 'comment', 'phone']
 
         for attr, value in attrs.items():
             attr = attr.rsplit('/', 1)[-1]
+            if attr_mapping and attr_mapping.get(attr):
+                attr = attr_mapping.get(attr)
             if attr not in valid_attrs:
                 continue
             user_attrs[attr] = self.value_to_str(value)

From cb5d8fa13fcdab71794d555268bdd1d5f2b41468 Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Tue, 26 Apr 2022 11:26:41 +0800
Subject: [PATCH 073/258] =?UTF-8?q?fix:=20=E5=8E=BB=E6=8E=89=E8=87=AA?=
 =?UTF-8?q?=E5=8A=A8=E7=94=9F=E6=88=90=E7=9A=84map=E6=96=87=E4=BB=B6?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/static/js/plugins/datatables/pdfmake.min.js.map             | 0
 apps/static/js/plugins/xterm/addons/attach/attach.js.map         | 1 -
 apps/static/js/plugins/xterm/addons/fit/fit.js.map               | 1 -
 apps/static/js/plugins/xterm/addons/fullscreen/fullscreen.js.map | 1 -
 apps/static/js/plugins/xterm/addons/search/search.js.map         | 1 -
 apps/static/js/plugins/xterm/addons/terminado/terminado.js.map   | 1 -
 apps/static/js/plugins/xterm/addons/webLinks/webLinks.js.map     | 1 -
 .../js/plugins/xterm/addons/winptyCompat/winptyCompat.js.map     | 1 -
 apps/static/js/plugins/xterm/addons/zmodem/zmodem.js.map         | 1 -
 apps/static/js/plugins/xterm/xterm.js.map                        | 1 -
 10 files changed, 9 deletions(-)
 delete mode 100644 apps/static/js/plugins/datatables/pdfmake.min.js.map
 delete mode 100644 apps/static/js/plugins/xterm/addons/attach/attach.js.map
 delete mode 100644 apps/static/js/plugins/xterm/addons/fit/fit.js.map
 delete mode 100644 apps/static/js/plugins/xterm/addons/fullscreen/fullscreen.js.map
 delete mode 100644 apps/static/js/plugins/xterm/addons/search/search.js.map
 delete mode 100644 apps/static/js/plugins/xterm/addons/terminado/terminado.js.map
 delete mode 100644 apps/static/js/plugins/xterm/addons/webLinks/webLinks.js.map
 delete mode 100644 apps/static/js/plugins/xterm/addons/winptyCompat/winptyCompat.js.map
 delete mode 100644 apps/static/js/plugins/xterm/addons/zmodem/zmodem.js.map
 delete mode 100644 apps/static/js/plugins/xterm/xterm.js.map

diff --git a/apps/static/js/plugins/datatables/pdfmake.min.js.map b/apps/static/js/plugins/datatables/pdfmake.min.js.map
deleted file mode 100644
index e69de29bb..000000000
diff --git a/apps/static/js/plugins/xterm/addons/attach/attach.js.map b/apps/static/js/plugins/xterm/addons/attach/attach.js.map
deleted file mode 100644
index 8db239a59..000000000
--- a/apps/static/js/plugins/xterm/addons/attach/attach.js.map
+++ /dev/null
@@ -1 +0,0 @@
-{"version":3,"file":"attach.js","sources":["../../../src/addons/attach/attach.ts","../../../node_modules/browser-pack/_prelude.js"],"sourcesContent":["/**\n * Copyright (c) 2014 The xterm.js authors. All rights reserved.\n * @license MIT\n *\n * Implements the attach method, that attaches the terminal to a WebSocket stream.\n */\n\nimport { Terminal, IDisposable } from 'xterm';\nimport { IAttachAddonTerminal } from './Interfaces';\n\n/**\n * Attaches the given terminal to the given socket.\n *\n * @param term The terminal to be attached to the given socket.\n * @param socket The socket to attach the current terminal.\n * @param bidirectional Whether the terminal should send data to the socket as well.\n * @param buffered Whether the rendering of incoming data should happen instantly or at a maximum\n * frequency of 1 rendering per 10ms.\n */\nexport function attach(term: Terminal, socket: WebSocket, bidirectional: boolean, buffered: boolean): void {\n  const addonTerminal = <IAttachAddonTerminal>term;\n  bidirectional = (typeof bidirectional === 'undefined') ? true : bidirectional;\n  addonTerminal.__socket = socket;\n\n  addonTerminal.__flushBuffer = () => {\n    addonTerminal.write(addonTerminal.__attachSocketBuffer);\n    addonTerminal.__attachSocketBuffer = null;\n  };\n\n  addonTerminal.__pushToBuffer = (data: string) => {\n    if (addonTerminal.__attachSocketBuffer) {\n      addonTerminal.__attachSocketBuffer += data;\n    } else {\n      addonTerminal.__attachSocketBuffer = data;\n      setTimeout(addonTerminal.__flushBuffer, 10);\n    }\n  };\n\n  // TODO: This should be typed but there seem to be issues importing the type\n  let myTextDecoder: any;\n\n  addonTerminal.__getMessage = function(ev: MessageEvent): void {\n    let str: string;\n\n    if (typeof ev.data === 'object') {\n      if (!myTextDecoder) {\n        myTextDecoder = new TextDecoder();\n      }\n      if (ev.data instanceof ArrayBuffer) {\n        str = myTextDecoder.decode(ev.data);\n        displayData(str);\n      } else {\n        const fileReader = new FileReader();\n\n        fileReader.addEventListener('load', () => {\n          str = myTextDecoder.decode(this.result);\n          displayData(str);\n        });\n        fileReader.readAsArrayBuffer(ev.data);\n      }\n    } else if (typeof ev.data === 'string') {\n      displayData(ev.data);\n    } else {\n      throw Error(`Cannot handle \"${typeof ev.data}\" websocket message.`);\n    }\n  };\n\n  /**\n  * Push data to buffer or write it in the terminal.\n  * This is used as a callback for FileReader.onload.\n  *\n  * @param str String decoded by FileReader.\n  * @param data The data of the EventMessage.\n  */\n  function displayData(str?: string, data?: string): void {\n    if (buffered) {\n      addonTerminal.__pushToBuffer(str || data);\n    } else {\n      addonTerminal.write(str || data);\n    }\n  }\n\n  addonTerminal.__sendData = (data: string) => {\n    if (socket.readyState !== 1) {\n      return;\n    }\n    socket.send(data);\n  };\n\n  addonTerminal._core.register(addSocketListener(socket, 'message', addonTerminal.__getMessage));\n\n  if (bidirectional) {\n    addonTerminal._core.register(addonTerminal.addDisposableListener('data', addonTerminal.__sendData));\n  }\n\n  addonTerminal._core.register(addSocketListener(socket, 'close', () => detach(addonTerminal, socket)));\n  addonTerminal._core.register(addSocketListener(socket, 'error', () => detach(addonTerminal, socket)));\n}\n\nfunction addSocketListener(socket: WebSocket, type: string, handler: (this: WebSocket, ev: Event) => any): IDisposable {\n  socket.addEventListener(type, handler);\n  return {\n    dispose: () => {\n      if (!handler) {\n        // Already disposed\n        return;\n      }\n      socket.removeEventListener(type, handler);\n      handler = null;\n    }\n  };\n}\n\n/**\n * Detaches the given terminal from the given socket\n *\n * @param term The terminal to be detached from the given socket.\n * @param socket The socket from which to detach the current terminal.\n */\nexport function detach(term: Terminal, socket: WebSocket): void {\n  const addonTerminal = <IAttachAddonTerminal>term;\n  addonTerminal.off('data', addonTerminal.__sendData);\n\n  socket = (typeof socket === 'undefined') ? addonTerminal.__socket : socket;\n\n  if (socket) {\n    socket.removeEventListener('message', addonTerminal.__getMessage);\n  }\n\n  delete addonTerminal.__socket;\n}\n\n\nexport function apply(terminalConstructor: typeof Terminal): void {\n  /**\n   * Attaches the current terminal to the given socket\n   *\n   * @param socket The socket to attach the current terminal.\n   * @param bidirectional Whether the terminal should send data to the socket as well.\n   * @param buffered Whether the rendering of incoming data should happen instantly or at a maximum\n   * frequency of 1 rendering per 10ms.\n   */\n  (<any>terminalConstructor.prototype).attach = function (socket: WebSocket, bidirectional: boolean, buffered: boolean): void {\n    attach(this, socket, bidirectional, buffered);\n  };\n\n  /**\n   * Detaches the current terminal from the given socket.\n   *\n   * @param socket The socket from which to detach the current terminal.\n   */\n  (<any>terminalConstructor.prototype).detach = function (socket: WebSocket): void {\n    detach(this, socket);\n  };\n}\n",null],"names":[],"mappings":"ACAA;;;ADmBA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AAAA;AACA;AACA;AACA;AACA;AAGA;AAEA;AAAA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAAA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AAAA;AACA;AACA;AAAA;AACA;AACA;AACA;AASA;AACA;AACA;AACA;AAAA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AAEA;AAEA;AACA;AACA;AAEA;AACA;AACA;AA9EA;AAgFA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AAQA;AACA;AACA;AAEA;AAEA;AACA;AACA;AAEA;AACA;AAXA;AAcA;AASA;AACA;AACA;AAOA;AACA;AACA;AACA;AArBA;"}
\ No newline at end of file
diff --git a/apps/static/js/plugins/xterm/addons/fit/fit.js.map b/apps/static/js/plugins/xterm/addons/fit/fit.js.map
deleted file mode 100644
index 5f1042e97..000000000
--- a/apps/static/js/plugins/xterm/addons/fit/fit.js.map
+++ /dev/null
@@ -1 +0,0 @@
-{"version":3,"file":"fit.js","sources":["../../../src/addons/fit/fit.ts","../../../node_modules/browser-pack/_prelude.js"],"sourcesContent":["/**\n * Copyright (c) 2014 The xterm.js authors. All rights reserved.\n * @license MIT\n *\n * Fit terminal columns and rows to the dimensions of its DOM element.\n *\n * ## Approach\n *\n *    Rows: Truncate the division of the terminal parent element height by the\n *          terminal row height.\n * Columns: Truncate the division of the terminal parent element width by the\n *          terminal character width (apply display: inline at the terminal\n *          row and truncate its width with the current number of columns).\n */\n\nimport { Terminal } from 'xterm';\n\nexport interface IGeometry {\n  rows: number;\n  cols: number;\n}\n\nexport function proposeGeometry(term: Terminal): IGeometry {\n  if (!term.element.parentElement) {\n    return null;\n  }\n  const parentElementStyle = window.getComputedStyle(term.element.parentElement);\n  const parentElementHeight = parseInt(parentElementStyle.getPropertyValue('height'));\n  const parentElementWidth = Math.max(0, parseInt(parentElementStyle.getPropertyValue('width')));\n  const elementStyle = window.getComputedStyle(term.element);\n  const elementPadding = {\n    top: parseInt(elementStyle.getPropertyValue('padding-top')),\n    bottom: parseInt(elementStyle.getPropertyValue('padding-bottom')),\n    right: parseInt(elementStyle.getPropertyValue('padding-right')),\n    left: parseInt(elementStyle.getPropertyValue('padding-left'))\n  };\n  const elementPaddingVer = elementPadding.top + elementPadding.bottom;\n  const elementPaddingHor = elementPadding.right + elementPadding.left;\n  const availableHeight = parentElementHeight - elementPaddingVer;\n  const availableWidth = parentElementWidth - elementPaddingHor - (<any>term)._core.viewport.scrollBarWidth;\n  const geometry = {\n    cols: Math.floor(availableWidth / (<any>term)._core.renderer.dimensions.actualCellWidth),\n    rows: Math.floor(availableHeight / (<any>term)._core.renderer.dimensions.actualCellHeight)\n  };\n  return geometry;\n}\n\nexport function fit(term: Terminal): void {\n  const geometry = proposeGeometry(term);\n  if (geometry) {\n    // Force a full render\n    if (term.rows !== geometry.rows || term.cols !== geometry.cols) {\n      (<any>term)._core.renderer.clear();\n      term.resize(geometry.cols, geometry.rows);\n    }\n  }\n}\n\nexport function apply(terminalConstructor: typeof Terminal): void {\n  (<any>terminalConstructor.prototype).proposeGeometry = function (): IGeometry {\n    return proposeGeometry(this);\n  };\n\n  (<any>terminalConstructor.prototype).fit = function (): void {\n    fit(this);\n  };\n}\n",null],"names":[],"mappings":"ACAA;;;ADsBA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAvBA;AAyBA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AATA;AAWA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AARA;"}
\ No newline at end of file
diff --git a/apps/static/js/plugins/xterm/addons/fullscreen/fullscreen.js.map b/apps/static/js/plugins/xterm/addons/fullscreen/fullscreen.js.map
deleted file mode 100644
index dafbbe62e..000000000
--- a/apps/static/js/plugins/xterm/addons/fullscreen/fullscreen.js.map
+++ /dev/null
@@ -1 +0,0 @@
-{"version":3,"file":"fullscreen.js","sources":["../../../src/addons/fullscreen/fullscreen.ts","../../../node_modules/browser-pack/_prelude.js"],"sourcesContent":["/**\n * Copyright (c) 2014 The xterm.js authors. All rights reserved.\n * @license MIT\n */\n\nimport { Terminal } from 'xterm';\n\n/**\n * Toggle the given terminal's fullscreen mode.\n * @param term The terminal to toggle full screen mode\n * @param fullscreen Toggle fullscreen on (true) or off (false)\n */\nexport function toggleFullScreen(term: Terminal, fullscreen: boolean): void {\n  let fn: string;\n\n  if (typeof fullscreen === 'undefined') {\n    fn = (term.element.classList.contains('fullscreen')) ? 'remove' : 'add';\n  } else if (!fullscreen) {\n    fn = 'remove';\n  } else {\n    fn = 'add';\n  }\n\n  term.element.classList[fn]('fullscreen');\n}\n\nexport function apply(terminalConstructor: typeof Terminal): void {\n  (<any>terminalConstructor.prototype).toggleFullScreen = function (fullscreen: boolean): void {\n    toggleFullScreen(this, fullscreen);\n  };\n}\n",null],"names":[],"mappings":"ACAA;;;ADYA;AACA;AAEA;AACA;AACA;AAAA;AACA;AACA;AAAA;AACA;AACA;AAEA;AACA;AAZA;AAcA;AACA;AACA;AACA;AACA;AAJA;"}
\ No newline at end of file
diff --git a/apps/static/js/plugins/xterm/addons/search/search.js.map b/apps/static/js/plugins/xterm/addons/search/search.js.map
deleted file mode 100644
index eca9836aa..000000000
--- a/apps/static/js/plugins/xterm/addons/search/search.js.map
+++ /dev/null
@@ -1 +0,0 @@
-{"version":3,"file":"search.js","sources":["../../../src/addons/search/search.ts","../../../src/addons/search/SearchHelper.ts","../../../node_modules/browser-pack/_prelude.js"],"sourcesContent":["/**\n * Copyright (c) 2017 The xterm.js authors. All rights reserved.\n * @license MIT\n */\n\nimport { SearchHelper } from './SearchHelper';\nimport { Terminal } from 'xterm';\nimport { ISearchAddonTerminal } from './Interfaces';\n\n/**\n * Find the next instance of the term, then scroll to and select it. If it\n * doesn't exist, do nothing.\n * @param term Tne search term.\n * @return Whether a result was found.\n */\nexport function findNext(terminal: Terminal, term: string): boolean {\n  const addonTerminal = <ISearchAddonTerminal>terminal;\n  if (!addonTerminal.__searchHelper) {\n    addonTerminal.__searchHelper = new SearchHelper(addonTerminal);\n  }\n  return addonTerminal.__searchHelper.findNext(term);\n}\n\n/**\n * Find the previous instance of the term, then scroll to and select it. If it\n * doesn't exist, do nothing.\n * @param term Tne search term.\n * @return Whether a result was found.\n */\nexport function findPrevious(terminal: Terminal, term: string): boolean {\n  const addonTerminal = <ISearchAddonTerminal>terminal;\n  if (!addonTerminal.__searchHelper) {\n    addonTerminal.__searchHelper = new SearchHelper(addonTerminal);\n  }\n  return addonTerminal.__searchHelper.findPrevious(term);\n}\n\nexport function apply(terminalConstructor: typeof Terminal): void {\n  (<any>terminalConstructor.prototype).findNext = function(term: string): boolean {\n    return findNext(this, term);\n  };\n\n  (<any>terminalConstructor.prototype).findPrevious = function(term: string): boolean {\n    return findPrevious(this, term);\n  };\n}\n","/**\n * Copyright (c) 2017 The xterm.js authors. All rights reserved.\n * @license MIT\n */\n\nimport { ISearchHelper, ISearchAddonTerminal } from './Interfaces';\n\ninterface ISearchResult {\n  term: string;\n  col: number;\n  row: number;\n}\n\n/**\n * A class that knows how to search the terminal and how to display the results.\n */\nexport class SearchHelper implements ISearchHelper {\n  constructor(private _terminal: ISearchAddonTerminal) {\n    // TODO: Search for multiple instances on 1 line\n    // TODO: Don't use the actual selection, instead use a \"find selection\" so multiple instances can be highlighted\n    // TODO: Highlight other instances in the viewport\n    // TODO: Support regex, case sensitivity, etc.\n  }\n\n  /**\n   * Find the next instance of the term, then scroll to and select it. If it\n   * doesn't exist, do nothing.\n   * @param term Tne search term.\n   * @return Whether a result was found.\n   */\n  public findNext(term: string): boolean {\n    if (!term || term.length === 0) {\n      return false;\n    }\n\n    let result: ISearchResult;\n\n    let startRow = this._terminal._core.buffer.ydisp;\n    if (this._terminal._core.selectionManager.selectionEnd) {\n      // Start from the selection end if there is a selection\n      startRow = this._terminal._core.selectionManager.selectionEnd[1];\n    }\n\n    // Search from ydisp + 1 to end\n    for (let y = startRow + 1; y < this._terminal._core.buffer.ybase + this._terminal.rows; y++) {\n      result = this._findInLine(term, y);\n      if (result) {\n        break;\n      }\n    }\n\n    // Search from the top to the current ydisp\n    if (!result) {\n      for (let y = 0; y < startRow; y++) {\n        result = this._findInLine(term, y);\n        if (result) {\n          break;\n        }\n      }\n    }\n\n    // Set selection and scroll if a result was found\n    return this._selectResult(result);\n  }\n\n  /**\n   * Find the previous instance of the term, then scroll to and select it. If it\n   * doesn't exist, do nothing.\n   * @param term Tne search term.\n   * @return Whether a result was found.\n   */\n  public findPrevious(term: string): boolean {\n    if (!term || term.length === 0) {\n      return false;\n    }\n\n    let result: ISearchResult;\n\n    let startRow = this._terminal._core.buffer.ydisp;\n    if (this._terminal._core.selectionManager.selectionStart) {\n      // Start from the selection end if there is a selection\n      startRow = this._terminal._core.selectionManager.selectionStart[1];\n    }\n\n    // Search from ydisp + 1 to end\n    for (let y = startRow - 1; y >= 0; y--) {\n      result = this._findInLine(term, y);\n      if (result) {\n        break;\n      }\n    }\n\n    // Search from the top to the current ydisp\n    if (!result) {\n      for (let y = this._terminal._core.buffer.ybase + this._terminal.rows - 1; y > startRow; y--) {\n        result = this._findInLine(term, y);\n        if (result) {\n          break;\n        }\n      }\n    }\n\n    // Set selection and scroll if a result was found\n    return this._selectResult(result);\n  }\n\n  /**\n   * Searches a line for a search term.\n   * @param term Tne search term.\n   * @param y The line to search.\n   * @return The search result if it was found.\n   */\n  private _findInLine(term: string, y: number): ISearchResult {\n    const lowerStringLine = this._terminal._core.buffer.translateBufferLineToString(y, true).toLowerCase();\n    const lowerTerm = term.toLowerCase();\n    let searchIndex = lowerStringLine.indexOf(lowerTerm);\n    if (searchIndex >= 0) {\n      const line = this._terminal._core.buffer.lines.get(y);\n      for (let i = 0; i < searchIndex; i++) {\n        const charData = line[i];\n        // Adjust the searchIndex to normalize emoji into single chars\n        const char = charData[1/*CHAR_DATA_CHAR_INDEX*/];\n        if (char.length > 1) {\n          searchIndex -= char.length - 1;\n        }\n        // Adjust the searchIndex for empty characters following wide unicode\n        // chars (eg. CJK)\n        const charWidth = charData[2/*CHAR_DATA_WIDTH_INDEX*/];\n        if (charWidth === 0) {\n          searchIndex++;\n        }\n      }\n      return {\n        term,\n        col: searchIndex,\n        row: y\n      };\n    }\n  }\n\n  /**\n   * Selects and scrolls to a result.\n   * @param result The result to select.\n   * @return Whethera result was selected.\n   */\n  private _selectResult(result: ISearchResult): boolean {\n    if (!result) {\n      return false;\n    }\n    this._terminal._core.selectionManager.setSelection(result.col, result.row, result.term.length);\n    this._terminal.scrollLines(result.row - this._terminal._core.buffer.ydisp);\n    return true;\n  }\n}\n",null],"names":[],"mappings":"AEAA;;;ADgBA;AACA;AAAA;AAKA;AAQA;AACA;AACA;AACA;AAEA;AAEA;AACA;AAEA;AACA;AAGA;AACA;AACA;AACA;AACA;AACA;AAGA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAGA;AACA;AAQA;AACA;AACA;AACA;AAEA;AAEA;AACA;AAEA;AACA;AAGA;AACA;AACA;AACA;AACA;AACA;AAGA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAGA;AACA;AAQA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AAGA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAOA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAAA;AAzIa;;;;;ADXb;AAUA;AACA;AACA;AACA;AACA;AACA;AACA;AANA;AAcA;AACA;AACA;AACA;AACA;AACA;AACA;AANA;AAQA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AARA;"}
\ No newline at end of file
diff --git a/apps/static/js/plugins/xterm/addons/terminado/terminado.js.map b/apps/static/js/plugins/xterm/addons/terminado/terminado.js.map
deleted file mode 100644
index 2cbf18311..000000000
--- a/apps/static/js/plugins/xterm/addons/terminado/terminado.js.map
+++ /dev/null
@@ -1 +0,0 @@
-{"version":3,"file":"terminado.js","sources":["../../../src/addons/terminado/terminado.ts","../../../node_modules/browser-pack/_prelude.js"],"sourcesContent":["/**\n * Copyright (c) 2016 The xterm.js authors. All rights reserved.\n * @license MIT\n *\n * This module provides methods for attaching a terminal to a terminado\n * WebSocket stream.\n */\n\nimport { Terminal } from 'xterm';\nimport { ITerminadoAddonTerminal } from './Interfaces';\n\n/**\n * Attaches the given terminal to the given socket.\n *\n * @param term The terminal to be attached to the given socket.\n * @param socket The socket to attach the current terminal.\n * @param bidirectional Whether the terminal should send data to the socket as well.\n * @param buffered Whether the rendering of incoming data should happen instantly or at a maximum\n * frequency of 1 rendering per 10ms.\n */\nexport function terminadoAttach(term: Terminal, socket: WebSocket, bidirectional: boolean, buffered: boolean): void {\n  const addonTerminal = <ITerminadoAddonTerminal>term;\n  bidirectional = (typeof bidirectional === 'undefined') ? true : bidirectional;\n  addonTerminal.__socket = socket;\n\n  addonTerminal.__flushBuffer = () => {\n    addonTerminal.write(addonTerminal.__attachSocketBuffer);\n    addonTerminal.__attachSocketBuffer = null;\n  };\n\n  addonTerminal.__pushToBuffer = (data: string) => {\n    if (addonTerminal.__attachSocketBuffer) {\n      addonTerminal.__attachSocketBuffer += data;\n    } else {\n      addonTerminal.__attachSocketBuffer = data;\n      setTimeout(addonTerminal.__flushBuffer, 10);\n    }\n  };\n\n  addonTerminal.__getMessage = (ev: MessageEvent) => {\n    const data = JSON.parse(ev.data);\n    if (data[0] === 'stdout') {\n      if (buffered) {\n        addonTerminal.__pushToBuffer(data[1]);\n      } else {\n        addonTerminal.write(data[1]);\n      }\n    }\n  };\n\n  addonTerminal.__sendData = (data: string) => {\n    socket.send(JSON.stringify(['stdin', data]));\n  };\n\n  addonTerminal.__setSize = (size: {rows: number, cols: number}) => {\n    socket.send(JSON.stringify(['set_size', size.rows, size.cols]));\n  };\n\n  socket.addEventListener('message', addonTerminal.__getMessage);\n\n  if (bidirectional) {\n    addonTerminal.on('data', addonTerminal.__sendData);\n  }\n  addonTerminal.on('resize', addonTerminal.__setSize);\n\n  socket.addEventListener('close', () => terminadoDetach(addonTerminal, socket));\n  socket.addEventListener('error', () => terminadoDetach(addonTerminal, socket));\n}\n\n/**\n * Detaches the given terminal from the given socket\n *\n * @param term The terminal to be detached from the given socket.\n * @param socket The socket from which to detach the current terminal.\n */\nexport function terminadoDetach(term: Terminal, socket: WebSocket): void {\n  const addonTerminal = <ITerminadoAddonTerminal>term;\n  addonTerminal.off('data', addonTerminal.__sendData);\n\n  socket = (typeof socket === 'undefined') ? addonTerminal.__socket : socket;\n\n  if (socket) {\n    socket.removeEventListener('message', addonTerminal.__getMessage);\n  }\n\n  delete addonTerminal.__socket;\n}\n\nexport function apply(terminalConstructor: typeof Terminal): void {\n  /**\n   * Attaches the current terminal to the given socket\n   *\n   * @param socket - The socket to attach the current terminal.\n   * @param bidirectional - Whether the terminal should send data to the socket as well.\n   * @param buffered - Whether the rendering of incoming data should happen instantly or at a\n   * maximum frequency of 1 rendering per 10ms.\n   */\n  (<any>terminalConstructor.prototype).terminadoAttach = function (socket: WebSocket, bidirectional: boolean, buffered: boolean): void {\n    return terminadoAttach(this, socket, bidirectional, buffered);\n  };\n\n  /**\n   * Detaches the current terminal from the given socket.\n   *\n   * @param socket The socket from which to detach the current terminal.\n   */\n  (<any>terminalConstructor.prototype).terminadoDetach = function (socket: WebSocket): void {\n    return terminadoDetach(this, socket);\n  };\n}\n",null],"names":[],"mappings":"ACAA;;;ADoBA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AAAA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AAAA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AAEA;AACA;AACA;AAEA;AAEA;AACA;AACA;AACA;AAEA;AACA;AACA;AA/CA;AAuDA;AACA;AACA;AAEA;AAEA;AACA;AACA;AAEA;AACA;AAXA;AAaA;AASA;AACA;AACA;AAOA;AACA;AACA;AACA;AArBA;"}
\ No newline at end of file
diff --git a/apps/static/js/plugins/xterm/addons/webLinks/webLinks.js.map b/apps/static/js/plugins/xterm/addons/webLinks/webLinks.js.map
deleted file mode 100644
index fd39bfb8b..000000000
--- a/apps/static/js/plugins/xterm/addons/webLinks/webLinks.js.map
+++ /dev/null
@@ -1 +0,0 @@
-{"version":3,"file":"webLinks.js","sources":["../../../src/addons/webLinks/webLinks.ts","../../../node_modules/browser-pack/_prelude.js"],"sourcesContent":["/**\n * Copyright (c) 2017 The xterm.js authors. All rights reserved.\n * @license MIT\n */\n\nimport { Terminal, ILinkMatcherOptions } from 'xterm';\n\nconst protocolClause = '(https?:\\\\/\\\\/)';\nconst domainCharacterSet = '[\\\\da-z\\\\.-]+';\nconst negatedDomainCharacterSet = '[^\\\\da-z\\\\.-]+';\nconst domainBodyClause = '(' + domainCharacterSet + ')';\nconst tldClause = '([a-z\\\\.]{2,6})';\nconst ipClause = '((\\\\d{1,3}\\\\.){3}\\\\d{1,3})';\nconst localHostClause = '(localhost)';\nconst portClause = '(:\\\\d{1,5})';\nconst hostClause = '((' + domainBodyClause + '\\\\.' + tldClause + ')|' + ipClause + '|' + localHostClause + ')' + portClause + '?';\nconst pathClause = '(\\\\/[\\\\/\\\\w\\\\.\\\\-%~]*)*';\nconst queryStringHashFragmentCharacterSet = '[0-9\\\\w\\\\[\\\\]\\\\(\\\\)\\\\/\\\\?\\\\!#@$%&\\'*+,:;~\\\\=\\\\.\\\\-]*';\nconst queryStringClause = '(\\\\?' + queryStringHashFragmentCharacterSet + ')?';\nconst hashFragmentClause = '(#' + queryStringHashFragmentCharacterSet + ')?';\nconst negatedPathCharacterSet = '[^\\\\/\\\\w\\\\.\\\\-%]+';\nconst bodyClause = hostClause + pathClause + queryStringClause + hashFragmentClause;\nconst start = '(?:^|' + negatedDomainCharacterSet + ')(';\nconst end = ')($|' + negatedPathCharacterSet + ')';\nconst strictUrlRegex = new RegExp(start + protocolClause + bodyClause + end);\n\nfunction handleLink(event: MouseEvent, uri: string): void {\n  window.open(uri, '_blank');\n}\n\n/**\n * Initialize the web links addon, registering the link matcher.\n * @param term The terminal to use web links within.\n * @param handler A custom handler to use.\n * @param options Custom options to use, matchIndex will always be ignored.\n */\nexport function webLinksInit(term: Terminal, handler: (event: MouseEvent, uri: string) => void = handleLink, options: ILinkMatcherOptions = {}): void {\n  options.matchIndex = 1;\n  term.registerLinkMatcher(strictUrlRegex, handler, options);\n}\n\nexport function apply(terminalConstructor: typeof Terminal): void {\n  (<any>terminalConstructor.prototype).webLinksInit = function (handler?: (event: MouseEvent, uri: string) => void, options?: ILinkMatcherOptions): void {\n    webLinksInit(this, handler, options);\n  };\n}\n",null],"names":[],"mappings":"ACAA;;;ADOA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AAQA;AAAA;AAAA;AACA;AACA;AACA;AAHA;AAKA;AACA;AACA;AACA;AACA;AAJA;"}
\ No newline at end of file
diff --git a/apps/static/js/plugins/xterm/addons/winptyCompat/winptyCompat.js.map b/apps/static/js/plugins/xterm/addons/winptyCompat/winptyCompat.js.map
deleted file mode 100644
index da8f4acb1..000000000
--- a/apps/static/js/plugins/xterm/addons/winptyCompat/winptyCompat.js.map
+++ /dev/null
@@ -1 +0,0 @@
-{"version":3,"file":"winptyCompat.js","sources":["../../../src/addons/winptyCompat/winptyCompat.ts","../../../node_modules/browser-pack/_prelude.js"],"sourcesContent":["/**\n * Copyright (c) 2017 The xterm.js authors. All rights reserved.\n * @license MIT\n */\n\nimport { Terminal } from 'xterm';\nimport { IWinptyCompatAddonTerminal } from './Interfaces';\n\nexport function winptyCompatInit(terminal: Terminal): void {\n  const addonTerminal = <IWinptyCompatAddonTerminal>terminal;\n\n  // Don't do anything when the platform is not Windows\n  const isWindows = ['Windows', 'Win16', 'Win32', 'WinCE'].indexOf(navigator.platform) >= 0;\n  if (!isWindows) {\n    return;\n  }\n\n  // Winpty does not support wraparound mode which means that lines will never\n  // be marked as wrapped. This causes issues for things like copying a line\n  // retaining the wrapped new line characters or if consumers are listening\n  // in on the data stream.\n  //\n  // The workaround for this is to listen to every incoming line feed and mark\n  // the line as wrapped if the last character in the previous line is not a\n  // space. This is certainly not without its problems, but generally on\n  // Windows when text reaches the end of the terminal it's likely going to be\n  // wrapped.\n  addonTerminal.on('linefeed', () => {\n    const line = addonTerminal._core.buffer.lines.get(addonTerminal._core.buffer.ybase + addonTerminal._core.buffer.y - 1);\n    const lastChar = line[addonTerminal.cols - 1];\n\n    if (lastChar[3] !== 32 /* ' ' */) {\n      const nextLine = addonTerminal._core.buffer.lines.get(addonTerminal._core.buffer.ybase + addonTerminal._core.buffer.y);\n      (<any>nextLine).isWrapped = true;\n    }\n  });\n}\n\nexport function apply(terminalConstructor: typeof Terminal): void {\n  (<any>terminalConstructor.prototype).winptyCompatInit = function (): void {\n    winptyCompatInit(this);\n  };\n}\n",null],"names":[],"mappings":"ACAA;;;ADQA;AACA;AAGA;AACA;AACA;AACA;AAYA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AA5BA;AA8BA;AACA;AACA;AACA;AACA;AAJA;"}
\ No newline at end of file
diff --git a/apps/static/js/plugins/xterm/addons/zmodem/zmodem.js.map b/apps/static/js/plugins/xterm/addons/zmodem/zmodem.js.map
deleted file mode 100644
index 74927e7b5..000000000
--- a/apps/static/js/plugins/xterm/addons/zmodem/zmodem.js.map
+++ /dev/null
@@ -1 +0,0 @@
-{"version":3,"file":"zmodem.js","sources":["../../../src/addons/zmodem/zmodem.ts","../../../node_modules/browser-pack/_prelude.js"],"sourcesContent":["/**\n * Copyright (c) 2017 The xterm.js authors. All rights reserved.\n * @license MIT\n */\n\nimport { Terminal } from 'xterm';\n\n/**\n *\n * Allow xterm.js to handle ZMODEM uploads and downloads.\n *\n * This addon is a wrapper around zmodem.js. It adds the following to the\n *  Terminal class:\n *\n * - function `zmodemAttach(<WebSocket>, <Object>)` - creates a Zmodem.Sentry\n *      on the passed WebSocket object. The Object passed is optional and\n *      can contain:\n *          - noTerminalWriteOutsideSession: Suppress writes from the Sentry\n *            object to the Terminal while there is no active Session. This\n *            is necessary for compatibility with, for example, the\n *            `attach.js` addon.\n *\n * - event `zmodemDetect` - fired on Zmodem.Sentry’s `on_detect` callback.\n *      Passes the zmodem.js Detection object.\n *\n * - event `zmodemRetract` - fired on Zmodem.Sentry’s `on_retract` callback.\n *\n * You’ll need to provide logic to handle uploads and downloads.\n * See zmodem.js’s documentation for more details.\n *\n * **IMPORTANT:** After you confirm() a zmodem.js Detection, if you have\n *  used the `attach` or `terminado` addons, you’ll need to suspend their\n *  operation for the duration of the ZMODEM session. (The demo does this\n *  via `detach()` and a re-`attach()`.)\n */\n\nlet zmodem;\n\nexport interface IZmodemOptions {\n  noTerminalWriteOutsideSession?: boolean;\n}\n\nfunction zmodemAttach(ws: WebSocket, opts: IZmodemOptions = {}): void {\n  const term = this;\n  const senderFunc = (octets: ArrayLike<number>) => ws.send(new Uint8Array(octets));\n\n  let zsentry;\n\n  function shouldWrite(): boolean {\n    return !!zsentry.get_confirmed_session() || !opts.noTerminalWriteOutsideSession;\n  }\n\n  zsentry = new zmodem.Sentry({\n    to_terminal: (octets: ArrayLike<number>) => {\n      if (shouldWrite()) {\n        term.write(\n          String.fromCharCode.apply(String, octets)\n        );\n      }\n    },\n    sender: senderFunc,\n    on_retract: () => (<any>term).emit('zmodemRetract'),\n    on_detect: (detection: any) => (<any>term).emit('zmodemDetect', detection)\n  });\n\n  function handleWSMessage(evt: MessageEvent): void {\n\n    // In testing with xterm.js’s demo the first message was\n    // always text even if the rest were binary. While that\n    // may be specific to xterm.js’s demo, ultimately we\n    // should reject anything that isn’t binary.\n    if (typeof evt.data === 'string') {\n      if (shouldWrite()) {\n        term.write(evt.data);\n      }\n    }\n    else {\n      zsentry.consume(evt.data);\n    }\n  }\n\n  ws.binaryType = 'arraybuffer';\n  ws.addEventListener('message', handleWSMessage);\n}\n\nexport function apply(terminalConstructor: typeof Terminal): void {\n  zmodem = (typeof window === 'object') ? (<any>window).Zmodem : {Browser: null};  // Nullify browser for tests\n\n  (<any>terminalConstructor.prototype).zmodemAttach = zmodemAttach;\n  (<any>terminalConstructor.prototype).zmodemBrowser = zmodem.Browser;\n}\n",null],"names":[],"mappings":"ACAA;;;ADoCA;AAMA;AAAA;AACA;AACA;AAEA;AAEA;AACA;AACA;AAEA;AACA;AACA;AACA;AAGA;AACA;AACA;AACA;AACA;AACA;AAEA;AAMA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AAEA;AACA;AAEA;AACA;AACA;AALA;"}
\ No newline at end of file
diff --git a/apps/static/js/plugins/xterm/xterm.js.map b/apps/static/js/plugins/xterm/xterm.js.map
deleted file mode 100644
index 76134bb59..000000000
--- a/apps/static/js/plugins/xterm/xterm.js.map
+++ /dev/null
@@ -1 +0,0 @@
-{"version":3,"file":"xterm.js","sources":["../src/xterm.js","../src/utils/Mouse.ts","../src/utils/Generic.ts","../src/utils/DomElementObjectPool.ts","../src/utils/CircularList.ts","../src/utils/CharMeasure.ts","../src/utils/BufferLine.ts","../src/utils/Browser.ts","../src/handlers/Clipboard.ts","../src/Viewport.ts","../src/SelectionModel.ts","../src/SelectionManager.ts","../src/Renderer.ts","../src/Parser.ts","../src/Linkifier.ts","../src/InputHandler.ts","../src/EventEmitter.ts","../src/EscapeSequences.ts","../src/CompositionHelper.ts","../src/Charsets.ts","../src/BufferSet.ts","../src/Buffer.ts","../node_modules/browserify/node_modules/browser-pack/_prelude.js"],"sourcesContent":["/**\n * xterm.js: xterm, in the browser\n * Originally forked from (with the author's permission):\n *   Fabrice Bellard's javascript vt100 for jslinux:\n *   http://bellard.org/jslinux/\n *   Copyright (c) 2011 Fabrice Bellard\n *   The original design remains. The terminal itself\n *   has been extended to include xterm CSI codes, among\n *   other features.\n * @license MIT\n */\n\nimport { BufferSet } from './BufferSet';\nimport { CompositionHelper } from './CompositionHelper';\nimport { EventEmitter } from './EventEmitter';\nimport { Viewport } from './Viewport';\nimport { rightClickHandler, moveTextAreaUnderMouseCursor, pasteHandler, copyHandler } from './handlers/Clipboard';\nimport { CircularList } from './utils/CircularList';\nimport { C0 } from './EscapeSequences';\nimport { InputHandler } from './InputHandler';\nimport { Parser } from './Parser';\nimport { Renderer } from './Renderer';\nimport { Linkifier } from './Linkifier';\nimport { SelectionManager } from './SelectionManager';\nimport { CharMeasure } from './utils/CharMeasure';\nimport * as Browser from './utils/Browser';\nimport * as Mouse from './utils/Mouse';\nimport { CHARSETS } from './Charsets';\nimport { getRawByteCoords } from './utils/Mouse';\nimport { translateBufferLineToString } from './utils/BufferLine';\n\n/**\n * Terminal Emulation References:\n *   http://vt100.net/\n *   http://invisible-island.net/xterm/ctlseqs/ctlseqs.txt\n *   http://invisible-island.net/xterm/ctlseqs/ctlseqs.html\n *   http://invisible-island.net/vttest/\n *   http://www.inwap.com/pdp10/ansicode.txt\n *   http://linux.die.net/man/4/console_codes\n *   http://linux.die.net/man/7/urxvt\n */\n\n// Let it work inside Node.js for automated testing purposes.\nvar document = (typeof window != 'undefined') ? window.document : null;\n\n/**\n * The amount of write requests to queue before sending an XOFF signal to the\n * pty process. This number must be small in order for ^C and similar sequences\n * to be responsive.\n */\nvar WRITE_BUFFER_PAUSE_THRESHOLD = 5;\n\n/**\n * The number of writes to perform in a single batch before allowing the\n * renderer to catch up with a 0ms setTimeout.\n */\nvar WRITE_BATCH_SIZE = 300;\n\n/**\n * The time between cursor blinks. This is driven by JS rather than a CSS\n * animation due to a bug in Chromium that causes it to use excessive CPU time.\n * See https://github.com/Microsoft/vscode/issues/22900\n */\nvar CURSOR_BLINK_INTERVAL = 600;\n\n/**\n * Terminal\n */\n\n/**\n * Creates a new `Terminal` object.\n *\n * @param {object} options An object containing a set of options, the available options are:\n *   - `cursorBlink` (boolean): Whether the terminal cursor blinks\n *   - `cols` (number): The number of columns of the terminal (horizontal size)\n *   - `rows` (number): The number of rows of the terminal (vertical size)\n *\n * @public\n * @class Xterm Xterm\n * @alias module:xterm/src/xterm\n */\nfunction Terminal(options) {\n  var self = this;\n\n  if (!(this instanceof Terminal)) {\n    return new Terminal(arguments[0], arguments[1], arguments[2]);\n  }\n\n  self.browser = Browser;\n  self.cancel = Terminal.cancel;\n\n  EventEmitter.call(this);\n\n  if (typeof options === 'number') {\n    options = {\n      cols: arguments[0],\n      rows: arguments[1],\n      handler: arguments[2]\n    };\n  }\n\n  options = options || {};\n\n\n  Object.keys(Terminal.defaults).forEach(function(key) {\n    if (options[key] == null) {\n      options[key] = Terminal.options[key];\n\n      if (Terminal[key] !== Terminal.defaults[key]) {\n        options[key] = Terminal[key];\n      }\n    }\n    self[key] = options[key];\n  });\n\n  if (options.colors.length === 8) {\n    options.colors = options.colors.concat(Terminal._colors.slice(8));\n  } else if (options.colors.length === 16) {\n    options.colors = options.colors.concat(Terminal._colors.slice(16));\n  } else if (options.colors.length === 10) {\n    options.colors = options.colors.slice(0, -2).concat(\n      Terminal._colors.slice(8, -2), options.colors.slice(-2));\n  } else if (options.colors.length === 18) {\n    options.colors = options.colors.concat(\n      Terminal._colors.slice(16, -2), options.colors.slice(-2));\n  }\n  this.colors = options.colors;\n\n  this.options = options;\n\n  // this.context = options.context || window;\n  // this.document = options.document || document;\n  this.parent = options.body || options.parent || (\n    document ? document.getElementsByTagName('body')[0] : null\n  );\n\n  this.cols = options.cols || options.geometry[0];\n  this.rows = options.rows || options.geometry[1];\n  this.geometry = [this.cols, this.rows];\n\n  if (options.handler) {\n    this.on('data', options.handler);\n  }\n\n  this.cursorState = 0;\n  this.cursorHidden = false;\n  this.convertEol;\n  this.queue = '';\n  this.customKeyEventHandler = null;\n  this.cursorBlinkInterval = null;\n\n  // modes\n  this.applicationKeypad = false;\n  this.applicationCursor = false;\n  this.originMode = false;\n  this.insertMode = false;\n  this.wraparoundMode = true; // defaults: xterm - true, vt100 - false\n\n  // charset\n  this.charset = null;\n  this.gcharset = null;\n  this.glevel = 0;\n  this.charsets = [null];\n\n  // mouse properties\n  this.decLocator;\n  this.x10Mouse;\n  this.vt200Mouse;\n  this.vt300Mouse;\n  this.normalMouse;\n  this.mouseEvents;\n  this.sendFocus;\n  this.utfMouse;\n  this.sgrMouse;\n  this.urxvtMouse;\n\n  // misc\n  this.element;\n  this.children;\n  this.refreshStart;\n  this.refreshEnd;\n  this.savedX;\n  this.savedY;\n  this.savedCols;\n\n  // stream\n  this.readable = true;\n  this.writable = true;\n\n  this.defAttr = (0 << 18) | (257 << 9) | (256 << 0);\n  this.curAttr = this.defAttr;\n\n  this.params = [];\n  this.currentParam = 0;\n  this.prefix = '';\n  this.postfix = '';\n\n  this.inputHandler = new InputHandler(this);\n  this.parser = new Parser(this.inputHandler, this);\n  // Reuse renderer if the Terminal is being recreated via a Terminal.reset call.\n  this.renderer = this.renderer || null;\n  this.selectionManager = this.selectionManager || null;\n  this.linkifier = this.linkifier || new Linkifier();\n\n  // user input states\n  this.writeBuffer = [];\n  this.writeInProgress = false;\n\n  /**\n   * Whether _xterm.js_ sent XOFF in order to catch up with the pty process.\n   * This is a distinct state from writeStopped so that if the user requested\n   * XOFF via ^S that it will not automatically resume when the writeBuffer goes\n   * below threshold.\n   */\n  this.xoffSentToCatchUp = false;\n\n  /** Whether writing has been stopped as a result of XOFF */\n  this.writeStopped = false;\n\n  // leftover surrogate high from previous write invocation\n  this.surrogate_high = '';\n\n  // Create the terminal's buffers and set the current buffer\n  this.buffers = new BufferSet(this);\n  this.buffer = this.buffers.active;  // Convenience shortcut;\n  this.buffers.on('activate', function (buffer) {\n    this._terminal.buffer = buffer;\n  });\n\n  // Ensure the selection manager has the correct buffer\n  if (this.selectionManager) {\n    this.selectionManager.setBuffer(this.buffer.lines);\n  }\n\n  this.setupStops();\n\n  // Store if user went browsing history in scrollback\n  this.userScrolling = false;\n}\n\ninherits(Terminal, EventEmitter);\n\n/**\n * back_color_erase feature for xterm.\n */\nTerminal.prototype.eraseAttr = function() {\n  // if (this.is('screen')) return this.defAttr;\n  return (this.defAttr & ~0x1ff) | (this.curAttr & 0x1ff);\n};\n\n/**\n * Colors\n */\n\n// Colors 0-15\nTerminal.tangoColors = [\n  // dark:\n  '#2e3436',\n  '#cc0000',\n  '#4e9a06',\n  '#c4a000',\n  '#3465a4',\n  '#75507b',\n  '#06989a',\n  '#d3d7cf',\n  // bright:\n  '#555753',\n  '#ef2929',\n  '#8ae234',\n  '#fce94f',\n  '#729fcf',\n  '#ad7fa8',\n  '#34e2e2',\n  '#eeeeec'\n];\n\n// Colors 0-15 + 16-255\n// Much thanks to TooTallNate for writing this.\nTerminal.colors = (function() {\n  var colors = Terminal.tangoColors.slice()\n  , r = [0x00, 0x5f, 0x87, 0xaf, 0xd7, 0xff]\n  , i;\n\n  // 16-231\n  i = 0;\n  for (; i < 216; i++) {\n    out(r[(i / 36) % 6 | 0], r[(i / 6) % 6 | 0], r[i % 6]);\n  }\n\n  // 232-255 (grey)\n  i = 0;\n  for (; i < 24; i++) {\n    r = 8 + i * 10;\n    out(r, r, r);\n  }\n\n  function out(r, g, b) {\n    colors.push('#' + hex(r) + hex(g) + hex(b));\n  }\n\n  function hex(c) {\n    c = c.toString(16);\n    return c.length < 2 ? '0' + c : c;\n  }\n\n  return colors;\n})();\n\nTerminal._colors = Terminal.colors.slice();\n\nTerminal.vcolors = (function() {\n  var out = []\n  , colors = Terminal.colors\n  , i = 0\n  , color;\n\n  for (; i < 256; i++) {\n    color = parseInt(colors[i].substring(1), 16);\n    out.push([\n      (color >> 16) & 0xff,\n      (color >> 8) & 0xff,\n      color & 0xff\n    ]);\n  }\n\n  return out;\n})();\n\n/**\n * Options\n */\n\nTerminal.defaults = {\n  colors: Terminal.colors,\n  theme: 'default',\n  convertEol: false,\n  termName: 'xterm',\n  geometry: [80, 24],\n  cursorBlink: false,\n  cursorStyle: 'block',\n  visualBell: false,\n  popOnBell: false,\n  scrollback: 1000,\n  screenKeys: false,\n  debug: false,\n  cancelEvents: false,\n  disableStdin: false,\n  useFlowControl: false,\n  tabStopWidth: 8\n  // programFeatures: false,\n  // focusKeys: false,\n};\n\nTerminal.options = {};\n\nTerminal.focus = null;\n\neach(keys(Terminal.defaults), function(key) {\n  Terminal[key] = Terminal.defaults[key];\n  Terminal.options[key] = Terminal.defaults[key];\n});\n\n/**\n * Focus the terminal. Delegates focus handling to the terminal's DOM element.\n */\nTerminal.prototype.focus = function() {\n  return this.textarea.focus();\n};\n\n/**\n * Retrieves an option's value from the terminal.\n * @param {string} key The option key.\n */\nTerminal.prototype.getOption = function(key) {\n  if (!(key in Terminal.defaults)) {\n    throw new Error('No option with key \"' + key + '\"');\n  }\n\n  if (typeof this.options[key] !== 'undefined') {\n    return this.options[key];\n  }\n\n  return this[key];\n};\n\n/**\n * Sets an option on the terminal.\n * @param {string} key The option key.\n * @param {string} value The option value.\n */\nTerminal.prototype.setOption = function(key, value) {\n  if (!(key in Terminal.defaults)) {\n    throw new Error('No option with key \"' + key + '\"');\n  }\n  switch (key) {\n    case 'scrollback':\n      if (value < this.rows) {\n        let msg = 'Setting the scrollback value less than the number of rows ';\n\n        msg += `(${this.rows}) is not allowed.`;\n\n        console.warn(msg);\n        return false;\n      }\n\n      if (this.options[key] !== value) {\n        if (this.buffer.lines.length > value) {\n          const amountToTrim = this.buffer.lines.length - value;\n          const needsRefresh = (this.buffer.ydisp - amountToTrim < 0);\n          this.buffer.lines.trimStart(amountToTrim);\n          this.buffer.ybase = Math.max(this.buffer.ybase - amountToTrim, 0);\n          this.buffer.ydisp = Math.max(this.buffer.ydisp - amountToTrim, 0);\n          if (needsRefresh) {\n            this.refresh(0, this.rows - 1);\n          }\n        }\n        this.buffer.lines.maxLength = value;\n        this.viewport.syncScrollArea();\n      }\n      break;\n  }\n  this[key] = value;\n  this.options[key] = value;\n  switch (key) {\n    case 'cursorBlink': this.setCursorBlinking(value); break;\n    case 'cursorStyle':\n      this.element.classList.toggle(`xterm-cursor-style-block`, value === 'block');\n      this.element.classList.toggle(`xterm-cursor-style-underline`, value === 'underline');\n      this.element.classList.toggle(`xterm-cursor-style-bar`, value === 'bar');\n      break;\n    case 'tabStopWidth': this.setupStops(); break;\n  }\n};\n\nTerminal.prototype.restartCursorBlinking = function () {\n  this.setCursorBlinking(this.options.cursorBlink);\n};\n\nTerminal.prototype.setCursorBlinking = function (enabled) {\n  this.element.classList.toggle('xterm-cursor-blink', enabled);\n  this.clearCursorBlinkingInterval();\n  if (enabled) {\n    var self = this;\n    this.cursorBlinkInterval = setInterval(function () {\n      self.element.classList.toggle('xterm-cursor-blink-on');\n    }, CURSOR_BLINK_INTERVAL);\n  }\n};\n\nTerminal.prototype.clearCursorBlinkingInterval = function () {\n  this.element.classList.remove('xterm-cursor-blink-on');\n  if (this.cursorBlinkInterval) {\n    clearInterval(this.cursorBlinkInterval);\n    this.cursorBlinkInterval = null;\n  }\n};\n\n/**\n * Binds the desired focus behavior on a given terminal object.\n *\n * @static\n */\nTerminal.bindFocus = function (term) {\n  on(term.textarea, 'focus', function (ev) {\n    if (term.sendFocus) {\n      term.send(C0.ESC + '[I');\n    }\n    term.element.classList.add('focus');\n    term.showCursor();\n    term.restartCursorBlinking.apply(term);\n    Terminal.focus = term;\n    term.emit('focus', {terminal: term});\n  });\n};\n\n/**\n * Blur the terminal. Delegates blur handling to the terminal's DOM element.\n */\nTerminal.prototype.blur = function() {\n  return this.textarea.blur();\n};\n\n/**\n * Binds the desired blur behavior on a given terminal object.\n *\n * @static\n */\nTerminal.bindBlur = function (term) {\n  on(term.textarea, 'blur', function (ev) {\n    term.refresh(term.buffer.y, term.buffer.y);\n    if (term.sendFocus) {\n      term.send(C0.ESC + '[O');\n    }\n    term.element.classList.remove('focus');\n    term.clearCursorBlinkingInterval.apply(term);\n    Terminal.focus = null;\n    term.emit('blur', {terminal: term});\n  });\n};\n\n/**\n * Initialize default behavior\n */\nTerminal.prototype.initGlobal = function() {\n  var term = this;\n\n  Terminal.bindKeys(this);\n  Terminal.bindFocus(this);\n  Terminal.bindBlur(this);\n\n  // Bind clipboard functionality\n  on(this.element, 'copy', event => {\n    // If mouse events are active it means the selection manager is disabled and\n    // copy should be handled by the host program.\n    if (!term.hasSelection()) {\n      return;\n    }\n    copyHandler(event, term, this.selectionManager);\n  });\n  const pasteHandlerWrapper = event => pasteHandler(event, term);\n  on(this.textarea, 'paste', pasteHandlerWrapper);\n  on(this.element, 'paste', pasteHandlerWrapper);\n\n  // Handle right click context menus\n  if (term.browser.isFirefox) {\n    // Firefox doesn't appear to fire the contextmenu event on right click\n    on(this.element, 'mousedown', event => {\n      if (event.button == 2) {\n        rightClickHandler(event, this.textarea, this.selectionManager);\n      }\n    });\n  } else {\n    on(this.element, 'contextmenu', event => {\n      rightClickHandler(event, this.textarea, this.selectionManager);\n    });\n  }\n\n  // Move the textarea under the cursor when middle clicking on Linux to ensure\n  // middle click to paste selection works. This only appears to work in Chrome\n  // at the time is writing.\n  if (term.browser.isLinux) {\n    // Use auxclick event over mousedown the latter doesn't seem to work. Note\n    // that the regular click event doesn't fire for the middle mouse button.\n    on(this.element, 'auxclick', event => {\n      if (event.button === 1) {\n        moveTextAreaUnderMouseCursor(event, this.textarea, this.selectionManager);\n      }\n    });\n  }\n};\n\n/**\n * Apply key handling to the terminal\n */\nTerminal.bindKeys = function(term) {\n  on(term.element, 'keydown', function(ev) {\n    if (document.activeElement != this) {\n      return;\n    }\n    term.keyDown(ev);\n  }, true);\n\n  on(term.element, 'keypress', function(ev) {\n    if (document.activeElement != this) {\n      return;\n    }\n    term.keyPress(ev);\n  }, true);\n\n  on(term.element, 'keyup', function(ev) {\n    if (!wasMondifierKeyOnlyEvent(ev)) {\n      term.focus(term);\n    }\n  }, true);\n\n  on(term.textarea, 'keydown', function(ev) {\n    term.keyDown(ev);\n  }, true);\n\n  on(term.textarea, 'keypress', function(ev) {\n    term.keyPress(ev);\n    // Truncate the textarea's value, since it is not needed\n    this.value = '';\n  }, true);\n\n  on(term.textarea, 'compositionstart', term.compositionHelper.compositionstart.bind(term.compositionHelper));\n  on(term.textarea, 'compositionupdate', term.compositionHelper.compositionupdate.bind(term.compositionHelper));\n  on(term.textarea, 'compositionend', term.compositionHelper.compositionend.bind(term.compositionHelper));\n  term.on('refresh', term.compositionHelper.updateCompositionElements.bind(term.compositionHelper));\n  term.on('refresh', function (data) {\n    term.queueLinkification(data.start, data.end)\n  });\n};\n\n\n/**\n * Insert the given row to the terminal or produce a new one\n * if no row argument is passed. Return the inserted row.\n * @param {HTMLElement} row (optional) The row to append to the terminal.\n */\nTerminal.prototype.insertRow = function (row) {\n  if (typeof row != 'object') {\n    row = document.createElement('div');\n  }\n\n  this.rowContainer.appendChild(row);\n  this.children.push(row);\n\n  return row;\n};\n\n/**\n * Opens the terminal within an element.\n *\n * @param {HTMLElement} parent The element to create the terminal within.\n * @param {boolean} focus Focus the terminal, after it gets instantiated in the DOM\n */\nTerminal.prototype.open = function(parent, focus) {\n  var self=this, i=0, div;\n\n  this.parent = parent || this.parent;\n\n  if (!this.parent) {\n    throw new Error('Terminal requires a parent element.');\n  }\n\n  // Grab global elements\n  this.context = this.parent.ownerDocument.defaultView;\n  this.document = this.parent.ownerDocument;\n  this.body = this.document.getElementsByTagName('body')[0];\n\n  //Create main element container\n  this.element = this.document.createElement('div');\n  this.element.classList.add('terminal');\n  this.element.classList.add('xterm');\n  this.element.classList.add('xterm-theme-' + this.theme);\n  this.element.classList.add(`xterm-cursor-style-${this.options.cursorStyle}`);\n  this.setCursorBlinking(this.options.cursorBlink);\n\n  this.element.setAttribute('tabindex', 0);\n\n  this.viewportElement = document.createElement('div');\n  this.viewportElement.classList.add('xterm-viewport');\n  this.element.appendChild(this.viewportElement);\n  this.viewportScrollArea = document.createElement('div');\n  this.viewportScrollArea.classList.add('xterm-scroll-area');\n  this.viewportElement.appendChild(this.viewportScrollArea);\n\n  // Create the selection container.\n  this.selectionContainer = document.createElement('div');\n  this.selectionContainer.classList.add('xterm-selection');\n  this.element.appendChild(this.selectionContainer);\n\n  // Create the container that will hold the lines of the terminal and then\n  // produce the lines the lines.\n  this.rowContainer = document.createElement('div');\n  this.rowContainer.classList.add('xterm-rows');\n  this.element.appendChild(this.rowContainer);\n  this.children = [];\n  this.linkifier.attachToDom(document, this.children);\n\n  // Create the container that will hold helpers like the textarea for\n  // capturing DOM Events. Then produce the helpers.\n  this.helperContainer = document.createElement('div');\n  this.helperContainer.classList.add('xterm-helpers');\n  // TODO: This should probably be inserted once it's filled to prevent an additional layout\n  this.element.appendChild(this.helperContainer);\n  this.textarea = document.createElement('textarea');\n  this.textarea.classList.add('xterm-helper-textarea');\n  this.textarea.setAttribute('autocorrect', 'off');\n  this.textarea.setAttribute('autocapitalize', 'off');\n  this.textarea.setAttribute('spellcheck', 'false');\n  this.textarea.tabIndex = 0;\n  this.textarea.addEventListener('focus', function() {\n    self.emit('focus', {terminal: self});\n  });\n  this.textarea.addEventListener('blur', function() {\n    self.emit('blur', {terminal: self});\n  });\n  this.helperContainer.appendChild(this.textarea);\n\n  this.compositionView = document.createElement('div');\n  this.compositionView.classList.add('composition-view');\n  this.compositionHelper = new CompositionHelper(this.textarea, this.compositionView, this);\n  this.helperContainer.appendChild(this.compositionView);\n\n  this.charSizeStyleElement = document.createElement('style');\n  this.helperContainer.appendChild(this.charSizeStyleElement);\n\n  for (; i < this.rows; i++) {\n    this.insertRow();\n  }\n  this.parent.appendChild(this.element);\n\n  this.charMeasure = new CharMeasure(document, this.helperContainer);\n  this.charMeasure.on('charsizechanged', function () {\n    self.updateCharSizeStyles();\n  });\n  this.charMeasure.measure();\n\n  this.viewport = new Viewport(this, this.viewportElement, this.viewportScrollArea, this.charMeasure);\n  this.renderer = new Renderer(this);\n  this.selectionManager = new SelectionManager(\n    this, this.buffer.lines, this.rowContainer, this.charMeasure\n  );\n  this.selectionManager.on('refresh', data => {\n    this.renderer.refreshSelection(data.start, data.end);\n  });\n  this.selectionManager.on('newselection', text => {\n    // If there's a new selection, put it into the textarea, focus and select it\n    // in order to register it as a selection on the OS. This event is fired\n    // only on Linux to enable middle click to paste selection.\n    this.textarea.value = text;\n    this.textarea.focus();\n    this.textarea.select();\n  });\n  this.on('scroll', () => this.selectionManager.refresh());\n  this.viewportElement.addEventListener('scroll', () => this.selectionManager.refresh());\n\n  // Setup loop that draws to screen\n  this.refresh(0, this.rows - 1);\n\n  // Initialize global actions that\n  // need to be taken on the document.\n  this.initGlobal();\n\n  /**\n   * Automatic focus functionality.\n   * TODO: Default to `false` starting with xterm.js 3.0.\n   */\n  if (typeof focus == 'undefined') {\n    let message = 'You did not pass the `focus` argument in `Terminal.prototype.open()`.\\n';\n\n    message += 'The `focus` argument now defaults to `true` but starting with xterm.js 3.0 ';\n    message += 'it will default to `false`.';\n\n    console.warn(message);\n    focus = true;\n  }\n\n  if (focus) {\n    this.focus();\n  }\n\n  // Listen for mouse events and translate\n  // them into terminal mouse protocols.\n  this.bindMouse();\n\n  /**\n   * This event is emitted when terminal has completed opening.\n   *\n   * @event open\n   */\n  this.emit('open');\n};\n\n\n/**\n * Attempts to load an add-on using CommonJS or RequireJS (whichever is available).\n * @param {string} addon The name of the addon to load\n * @static\n */\nTerminal.loadAddon = function(addon, callback) {\n  if (typeof exports === 'object' && typeof module === 'object') {\n    // CommonJS\n    return require('./addons/' + addon + '/' + addon);\n  } else if (typeof define == 'function') {\n    // RequireJS\n    return require(['./addons/' + addon + '/' + addon], callback);\n  } else {\n    console.error('Cannot load a module without a CommonJS or RequireJS environment.');\n    return false;\n  }\n};\n\n/**\n * Updates the helper CSS class with any changes necessary after the terminal's\n * character width has been changed.\n */\nTerminal.prototype.updateCharSizeStyles = function() {\n  this.charSizeStyleElement.textContent =\n      `.xterm-wide-char{width:${this.charMeasure.width * 2}px;}` +\n      `.xterm-normal-char{width:${this.charMeasure.width}px;}` +\n      `.xterm-rows > div{height:${this.charMeasure.height}px;}`;\n}\n\n/**\n * XTerm mouse events\n * http://invisible-island.net/xterm/ctlseqs/ctlseqs.html#Mouse%20Tracking\n * To better understand these\n * the xterm code is very helpful:\n * Relevant files:\n *   button.c, charproc.c, misc.c\n * Relevant functions in xterm/button.c:\n *   BtnCode, EmitButtonCode, EditorButton, SendMousePosition\n */\nTerminal.prototype.bindMouse = function() {\n  var el = this.element, self = this, pressed = 32;\n\n  // mouseup, mousedown, wheel\n  // left click: ^[[M 3<^[[M#3<\n  // wheel up: ^[[M`3>\n  function sendButton(ev) {\n    var button\n    , pos;\n\n    // get the xterm-style button\n    button = getButton(ev);\n\n    // get mouse coordinates\n    pos = getRawByteCoords(ev, self.rowContainer, self.charMeasure, self.cols, self.rows);\n    if (!pos) return;\n\n    sendEvent(button, pos);\n\n    switch (ev.overrideType || ev.type) {\n      case 'mousedown':\n        pressed = button;\n        break;\n      case 'mouseup':\n        // keep it at the left\n        // button, just in case.\n        pressed = 32;\n        break;\n      case 'wheel':\n        // nothing. don't\n        // interfere with\n        // `pressed`.\n        break;\n    }\n  }\n\n  // motion example of a left click:\n  // ^[[M 3<^[[M@4<^[[M@5<^[[M@6<^[[M@7<^[[M#7<\n  function sendMove(ev) {\n    var button = pressed\n    , pos;\n\n    pos = getRawByteCoords(ev, self.rowContainer, self.charMeasure, self.cols, self.rows);\n    if (!pos) return;\n\n    // buttons marked as motions\n    // are incremented by 32\n    button += 32;\n\n    sendEvent(button, pos);\n  }\n\n  // encode button and\n  // position to characters\n  function encode(data, ch) {\n    if (!self.utfMouse) {\n      if (ch === 255) return data.push(0);\n      if (ch > 127) ch = 127;\n      data.push(ch);\n    } else {\n      if (ch === 2047) return data.push(0);\n      if (ch < 127) {\n        data.push(ch);\n      } else {\n        if (ch > 2047) ch = 2047;\n        data.push(0xC0 | (ch >> 6));\n        data.push(0x80 | (ch & 0x3F));\n      }\n    }\n  }\n\n  // send a mouse event:\n  // regular/utf8: ^[[M Cb Cx Cy\n  // urxvt: ^[[ Cb ; Cx ; Cy M\n  // sgr: ^[[ Cb ; Cx ; Cy M/m\n  // vt300: ^[[ 24(1/3/5)~ [ Cx , Cy ] \\r\n  // locator: CSI P e ; P b ; P r ; P c ; P p & w\n  function sendEvent(button, pos) {\n    // self.emit('mouse', {\n    //   x: pos.x - 32,\n    //   y: pos.x - 32,\n    //   button: button\n    // });\n\n    if (self.vt300Mouse) {\n      // NOTE: Unstable.\n      // http://www.vt100.net/docs/vt3xx-gp/chapter15.html\n      button &= 3;\n      pos.x -= 32;\n      pos.y -= 32;\n      var data = C0.ESC + '[24';\n      if (button === 0) data += '1';\n      else if (button === 1) data += '3';\n      else if (button === 2) data += '5';\n      else if (button === 3) return;\n      else data += '0';\n      data += '~[' + pos.x + ',' + pos.y + ']\\r';\n      self.send(data);\n      return;\n    }\n\n    if (self.decLocator) {\n      // NOTE: Unstable.\n      button &= 3;\n      pos.x -= 32;\n      pos.y -= 32;\n      if (button === 0) button = 2;\n      else if (button === 1) button = 4;\n      else if (button === 2) button = 6;\n      else if (button === 3) button = 3;\n      self.send(C0.ESC + '['\n                + button\n                + ';'\n                + (button === 3 ? 4 : 0)\n                + ';'\n                + pos.y\n                + ';'\n                + pos.x\n                + ';'\n                + (pos.page || 0)\n                + '&w');\n      return;\n    }\n\n    if (self.urxvtMouse) {\n      pos.x -= 32;\n      pos.y -= 32;\n      pos.x++;\n      pos.y++;\n      self.send(C0.ESC + '[' + button + ';' + pos.x + ';' + pos.y + 'M');\n      return;\n    }\n\n    if (self.sgrMouse) {\n      pos.x -= 32;\n      pos.y -= 32;\n      self.send(C0.ESC + '[<'\n                + (((button & 3) === 3 ? button & ~3 : button) - 32)\n                + ';'\n                + pos.x\n                + ';'\n                + pos.y\n                + ((button & 3) === 3 ? 'm' : 'M'));\n      return;\n    }\n\n    var data = [];\n\n    encode(data, button);\n    encode(data, pos.x);\n    encode(data, pos.y);\n\n    self.send(C0.ESC + '[M' + String.fromCharCode.apply(String, data));\n  }\n\n  function getButton(ev) {\n    var button\n    , shift\n    , meta\n    , ctrl\n    , mod;\n\n    // two low bits:\n    // 0 = left\n    // 1 = middle\n    // 2 = right\n    // 3 = release\n    // wheel up/down:\n    // 1, and 2 - with 64 added\n    switch (ev.overrideType || ev.type) {\n      case 'mousedown':\n        button = ev.button != null\n          ? +ev.button\n        : ev.which != null\n          ? ev.which - 1\n        : null;\n\n        if (self.browser.isMSIE) {\n          button = button === 1 ? 0 : button === 4 ? 1 : button;\n        }\n        break;\n      case 'mouseup':\n        button = 3;\n        break;\n      case 'DOMMouseScroll':\n        button = ev.detail < 0\n          ? 64\n        : 65;\n        break;\n      case 'wheel':\n        button = ev.wheelDeltaY > 0\n          ? 64\n        : 65;\n        break;\n    }\n\n    // next three bits are the modifiers:\n    // 4 = shift, 8 = meta, 16 = control\n    shift = ev.shiftKey ? 4 : 0;\n    meta = ev.metaKey ? 8 : 0;\n    ctrl = ev.ctrlKey ? 16 : 0;\n    mod = shift | meta | ctrl;\n\n    // no mods\n    if (self.vt200Mouse) {\n      // ctrl only\n      mod &= ctrl;\n    } else if (!self.normalMouse) {\n      mod = 0;\n    }\n\n    // increment to SP\n    button = (32 + (mod << 2)) + button;\n\n    return button;\n  }\n\n  on(el, 'mousedown', function(ev) {\n\n    // Prevent the focus on the textarea from getting lost\n    // and make sure we get focused on mousedown\n    ev.preventDefault();\n    self.focus();\n\n    if (!self.mouseEvents) return;\n\n    // send the button\n    sendButton(ev);\n\n    // fix for odd bug\n    //if (self.vt200Mouse && !self.normalMouse) {\n    if (self.vt200Mouse) {\n      ev.overrideType = 'mouseup';\n      sendButton(ev);\n      return self.cancel(ev);\n    }\n\n    // bind events\n    if (self.normalMouse) on(self.document, 'mousemove', sendMove);\n\n    // x10 compatibility mode can't send button releases\n    if (!self.x10Mouse) {\n      on(self.document, 'mouseup', function up(ev) {\n        sendButton(ev);\n        if (self.normalMouse) off(self.document, 'mousemove', sendMove);\n        off(self.document, 'mouseup', up);\n        return self.cancel(ev);\n      });\n    }\n\n    return self.cancel(ev);\n  });\n\n  //if (self.normalMouse) {\n  //  on(self.document, 'mousemove', sendMove);\n  //}\n\n  on(el, 'wheel', function(ev) {\n    if (!self.mouseEvents) return;\n    if (self.x10Mouse\n        || self.vt300Mouse\n        || self.decLocator) return;\n    sendButton(ev);\n    return self.cancel(ev);\n  });\n\n  // allow wheel scrolling in\n  // the shell for example\n  on(el, 'wheel', function(ev) {\n    if (self.mouseEvents) return;\n    self.viewport.onWheel(ev);\n    return self.cancel(ev);\n  });\n\n  on(el, 'touchstart', function(ev) {\n    if (self.mouseEvents) return;\n    self.viewport.onTouchStart(ev);\n    return self.cancel(ev);\n  });\n\n  on(el, 'touchmove', function(ev) {\n    if (self.mouseEvents) return;\n    self.viewport.onTouchMove(ev);\n    return self.cancel(ev);\n  });\n};\n\n/**\n * Destroys the terminal.\n */\nTerminal.prototype.destroy = function() {\n  this.readable = false;\n  this.writable = false;\n  this._events = {};\n  this.handler = function() {};\n  this.write = function() {};\n  if (this.element && this.element.parentNode) {\n    this.element.parentNode.removeChild(this.element);\n  }\n  //this.emit('close');\n};\n\n/**\n * Tells the renderer to refresh terminal content between two rows (inclusive) at the next\n * opportunity.\n * @param {number} start The row to start from (between 0 and this.rows - 1).\n * @param {number} end The row to end at (between start and this.rows - 1).\n */\nTerminal.prototype.refresh = function(start, end) {\n  if (this.renderer) {\n    this.renderer.queueRefresh(start, end);\n  }\n};\n\n/**\n * Queues linkification for the specified rows.\n * @param {number} start The row to start from (between 0 and this.rows - 1).\n * @param {number} end The row to end at (between start and this.rows - 1).\n */\nTerminal.prototype.queueLinkification = function(start, end) {\n  if (this.linkifier) {\n    for (let i = start; i <= end; i++) {\n      this.linkifier.linkifyRow(i);\n    }\n  }\n};\n\n/**\n * Display the cursor element\n */\nTerminal.prototype.showCursor = function() {\n  if (!this.cursorState) {\n    this.cursorState = 1;\n    this.refresh(this.buffer.y, this.buffer.y);\n  }\n};\n\n/**\n * Scroll the terminal down 1 row, creating a blank line.\n * @param {boolean} isWrapped Whether the new line is wrapped from the previous\n * line.\n */\nTerminal.prototype.scroll = function(isWrapped) {\n  var row;\n\n  // Make room for the new row in lines\n  if (this.buffer.lines.length === this.buffer.lines.maxLength) {\n    this.buffer.lines.trimStart(1);\n    this.buffer.ybase--;\n    if (this.buffer.ydisp !== 0) {\n      this.buffer.ydisp--;\n    }\n  }\n\n  this.buffer.ybase++;\n\n  // TODO: Why is this done twice?\n  if (!this.userScrolling) {\n    this.buffer.ydisp = this.buffer.ybase;\n  }\n\n  // last line\n  row = this.buffer.ybase + this.rows - 1;\n\n  // subtract the bottom scroll region\n  row -= this.rows - 1 - this.buffer.scrollBottom;\n\n  if (row === this.buffer.lines.length) {\n    // Optimization: pushing is faster than splicing when they amount to the same behavior\n    this.buffer.lines.push(this.blankLine(undefined, isWrapped));\n  } else {\n    // add our new line\n    this.buffer.lines.splice(row, 0, this.blankLine(undefined, isWrapped));\n  }\n\n  if (this.buffer.scrollTop !== 0) {\n    if (this.buffer.ybase !== 0) {\n      this.buffer.ybase--;\n      if (!this.userScrolling) {\n        this.buffer.ydisp = this.buffer.ybase;\n      }\n    }\n    this.buffer.lines.splice(this.buffer.ybase + this.buffer.scrollTop, 1);\n  }\n\n  // this.maxRange();\n  this.updateRange(this.buffer.scrollTop);\n  this.updateRange(this.buffer.scrollBottom);\n\n  /**\n   * This event is emitted whenever the terminal is scrolled.\n   * The one parameter passed is the new y display position.\n   *\n   * @event scroll\n   */\n  this.emit('scroll', this.buffer.ydisp);\n};\n\n/**\n * Scroll the display of the terminal\n * @param {number} disp The number of lines to scroll down (negatives scroll up).\n * @param {boolean} suppressScrollEvent Don't emit the scroll event as scrollDisp. This is used\n * to avoid unwanted events being handled by the veiwport when the event was triggered from the\n * viewport originally.\n */\nTerminal.prototype.scrollDisp = function(disp, suppressScrollEvent) {\n  if (disp < 0) {\n    if (this.buffer.ydisp === 0) {\n      return;\n    }\n    this.userScrolling = true;\n  } else if (disp + this.buffer.ydisp >= this.buffer.ybase) {\n    this.userScrolling = false;\n  }\n\n  const oldYdisp = this.buffer.ydisp;\n  this.buffer.ydisp = Math.max(Math.min(this.buffer.ydisp + disp, this.buffer.ybase), 0);\n\n  // No change occurred, don't trigger scroll/refresh\n  if (oldYdisp === this.buffer.ydisp) {\n    return;\n  }\n\n  if (!suppressScrollEvent) {\n    this.emit('scroll', this.buffer.ydisp);\n  }\n\n  this.refresh(0, this.rows - 1);\n};\n\n/**\n * Scroll the display of the terminal by a number of pages.\n * @param {number} pageCount The number of pages to scroll (negative scrolls up).\n */\nTerminal.prototype.scrollPages = function(pageCount) {\n  this.scrollDisp(pageCount * (this.rows - 1));\n};\n\n/**\n * Scrolls the display of the terminal to the top.\n */\nTerminal.prototype.scrollToTop = function() {\n  this.scrollDisp(-this.buffer.ydisp);\n};\n\n/**\n * Scrolls the display of the terminal to the bottom.\n */\nTerminal.prototype.scrollToBottom = function() {\n  this.scrollDisp(this.buffer.ybase - this.buffer.ydisp);\n};\n\n/**\n * Writes text to the terminal.\n * @param {string} data The text to write to the terminal.\n */\nTerminal.prototype.write = function(data) {\n  this.writeBuffer.push(data);\n\n  // Send XOFF to pause the pty process if the write buffer becomes too large so\n  // xterm.js can catch up before more data is sent. This is necessary in order\n  // to keep signals such as ^C responsive.\n  if (this.options.useFlowControl && !this.xoffSentToCatchUp && this.writeBuffer.length >= WRITE_BUFFER_PAUSE_THRESHOLD) {\n    // XOFF - stop pty pipe\n    // XON will be triggered by emulator before processing data chunk\n    this.send(C0.DC3);\n    this.xoffSentToCatchUp = true;\n  }\n\n  if (!this.writeInProgress && this.writeBuffer.length > 0) {\n    // Kick off a write which will write all data in sequence recursively\n    this.writeInProgress = true;\n    // Kick off an async innerWrite so more writes can come in while processing data\n    var self = this;\n    setTimeout(function () {\n      self.innerWrite();\n    });\n  }\n};\n\nTerminal.prototype.innerWrite = function() {\n  var writeBatch = this.writeBuffer.splice(0, WRITE_BATCH_SIZE);\n  while (writeBatch.length > 0) {\n    var data = writeBatch.shift();\n    var l = data.length, i = 0, j, cs, ch, code, low, ch_width, row;\n\n    // If XOFF was sent in order to catch up with the pty process, resume it if\n    // the writeBuffer is empty to allow more data to come in.\n    if (this.xoffSentToCatchUp && writeBatch.length === 0 && this.writeBuffer.length === 0) {\n      this.send(C0.DC1);\n      this.xoffSentToCatchUp = false;\n    }\n\n    this.refreshStart = this.buffer.y;\n    this.refreshEnd = this.buffer.y;\n\n    // HACK: Set the parser state based on it's state at the time of return.\n    // This works around the bug #662 which saw the parser state reset in the\n    // middle of parsing escape sequence in two chunks. For some reason the\n    // state of the parser resets to 0 after exiting parser.parse. This change\n    // just sets the state back based on the correct return statement.\n    var state = this.parser.parse(data);\n    this.parser.setState(state);\n\n    this.updateRange(this.buffer.y);\n    this.refresh(this.refreshStart, this.refreshEnd);\n  }\n  if (this.writeBuffer.length > 0) {\n    // Allow renderer to catch up before processing the next batch\n    var self = this;\n    setTimeout(function () {\n      self.innerWrite();\n    }, 0);\n  } else {\n    this.writeInProgress = false;\n  }\n};\n\n/**\n * Writes text to the terminal, followed by a break line character (\\n).\n * @param {string} data The text to write to the terminal.\n */\nTerminal.prototype.writeln = function(data) {\n  this.write(data + '\\r\\n');\n};\n\n/**\n * DEPRECATED: only for backward compatibility. Please use attachCustomKeyEventHandler() instead.\n * @param {function} customKeydownHandler The custom KeyboardEvent handler to attach. This is a\n *   function that takes a KeyboardEvent, allowing consumers to stop propogation and/or prevent\n *   the default action. The function returns whether the event should be processed by xterm.js.\n */\nTerminal.prototype.attachCustomKeydownHandler = function(customKeydownHandler) {\n  let message = 'attachCustomKeydownHandler() is DEPRECATED and will be removed soon. Please use attachCustomKeyEventHandler() instead.';\n  console.warn(message);\n  this.attachCustomKeyEventHandler(customKeydownHandler);\n};\n\n/**\n * Attaches a custom key event handler which is run before keys are processed, giving consumers of\n * xterm.js ultimate control as to what keys should be processed by the terminal and what keys\n * should not.\n * @param {function} customKeyEventHandler The custom KeyboardEvent handler to attach. This is a\n *   function that takes a KeyboardEvent, allowing consumers to stop propogation and/or prevent\n *   the default action. The function returns whether the event should be processed by xterm.js.\n */\nTerminal.prototype.attachCustomKeyEventHandler = function(customKeyEventHandler) {\n  this.customKeyEventHandler = customKeyEventHandler;\n};\n\n/**\n * Attaches a http(s) link handler, forcing web links to behave differently to\n * regular <a> tags. This will trigger a refresh as links potentially need to be\n * reconstructed. Calling this with null will remove the handler.\n * @param {LinkMatcherHandler} handler The handler callback function.\n */\nTerminal.prototype.setHypertextLinkHandler = function(handler) {\n  if (!this.linkifier) {\n    throw new Error('Cannot attach a hypertext link handler before Terminal.open is called');\n  }\n  this.linkifier.setHypertextLinkHandler(handler);\n  // Refresh to force links to refresh\n  this.refresh(0, this.rows - 1);\n};\n\n/**\n * Attaches a validation callback for hypertext links. This is useful to use\n * validation logic or to do something with the link's element and url.\n * @param {LinkMatcherValidationCallback} callback The callback to use, this can\n * be cleared with null.\n */\nTerminal.prototype.setHypertextValidationCallback = function(callback) {\n  if (!this.linkifier) {\n    throw new Error('Cannot attach a hypertext validation callback before Terminal.open is called');\n  }\n  this.linkifier.setHypertextValidationCallback(callback);\n  // Refresh to force links to refresh\n  this.refresh(0, this.rows - 1);\n};\n\n/**\n   * Registers a link matcher, allowing custom link patterns to be matched and\n   * handled.\n   * @param {RegExp} regex The regular expression to search for, specifically\n   * this searches the textContent of the rows. You will want to use \\s to match\n   * a space ' ' character for example.\n   * @param {LinkMatcherHandler} handler The callback when the link is called.\n   * @param {LinkMatcherOptions} [options] Options for the link matcher.\n   * @return {number} The ID of the new matcher, this can be used to deregister.\n */\nTerminal.prototype.registerLinkMatcher = function(regex, handler, options) {\n  if (this.linkifier) {\n    var matcherId = this.linkifier.registerLinkMatcher(regex, handler, options);\n    this.refresh(0, this.rows - 1);\n    return matcherId;\n  }\n};\n\n/**\n * Deregisters a link matcher if it has been registered.\n * @param {number} matcherId The link matcher's ID (returned after register)\n */\nTerminal.prototype.deregisterLinkMatcher = function(matcherId) {\n  if (this.linkifier) {\n    if (this.linkifier.deregisterLinkMatcher(matcherId)) {\n      this.refresh(0, this.rows - 1);\n    }\n  }\n};\n\n/**\n * Gets whether the terminal has an active selection.\n */\nTerminal.prototype.hasSelection = function() {\n  return this.selectionManager ? this.selectionManager.hasSelection : false;\n};\n\n/**\n * Gets the terminal's current selection, this is useful for implementing copy\n * behavior outside of xterm.js.\n */\nTerminal.prototype.getSelection = function() {\n  return this.selectionManager ? this.selectionManager.selectionText : '';\n};\n\n/**\n * Clears the current terminal selection.\n */\nTerminal.prototype.clearSelection = function() {\n  if (this.selectionManager) {\n    this.selectionManager.clearSelection();\n  }\n};\n\n/**\n * Selects all text within the terminal.\n */\nTerminal.prototype.selectAll = function() {\n  if (this.selectionManager) {\n    this.selectionManager.selectAll();\n  }\n};\n\n/**\n * Handle a keydown event\n * Key Resources:\n *   - https://developer.mozilla.org/en-US/docs/DOM/KeyboardEvent\n * @param {KeyboardEvent} ev The keydown event to be handled.\n */\nTerminal.prototype.keyDown = function(ev) {\n  if (this.customKeyEventHandler && this.customKeyEventHandler(ev) === false) {\n    return false;\n  }\n\n  this.restartCursorBlinking();\n\n  if (!this.compositionHelper.keydown.bind(this.compositionHelper)(ev)) {\n    if (this.buffer.ybase !== this.buffer.ydisp) {\n      this.scrollToBottom();\n    }\n    return false;\n  }\n\n  var self = this;\n  var result = this.evaluateKeyEscapeSequence(ev);\n\n  if (result.key === C0.DC3) { // XOFF\n    this.writeStopped = true;\n  } else if (result.key === C0.DC1) { // XON\n    this.writeStopped = false;\n  }\n\n  if (result.scrollDisp) {\n    this.scrollDisp(result.scrollDisp);\n    return this.cancel(ev, true);\n  }\n\n  if (isThirdLevelShift(this, ev)) {\n    return true;\n  }\n\n  if (result.cancel) {\n    // The event is canceled at the end already, is this necessary?\n    this.cancel(ev, true);\n  }\n\n  if (!result.key) {\n    return true;\n  }\n\n  this.emit('keydown', ev);\n  this.emit('key', result.key, ev);\n  this.showCursor();\n  this.handler(result.key);\n\n  return this.cancel(ev, true);\n};\n\n/**\n * Returns an object that determines how a KeyboardEvent should be handled. The key of the\n * returned value is the new key code to pass to the PTY.\n *\n * Reference: http://invisible-island.net/xterm/ctlseqs/ctlseqs.html\n * @param {KeyboardEvent} ev The keyboard event to be translated to key escape sequence.\n */\nTerminal.prototype.evaluateKeyEscapeSequence = function(ev) {\n  var result = {\n    // Whether to cancel event propogation (NOTE: this may not be needed since the event is\n    // canceled at the end of keyDown\n    cancel: false,\n    // The new key even to emit\n    key: undefined,\n    // The number of characters to scroll, if this is defined it will cancel the event\n    scrollDisp: undefined\n  };\n  var modifiers = ev.shiftKey << 0 | ev.altKey << 1 | ev.ctrlKey << 2 | ev.metaKey << 3;\n  switch (ev.keyCode) {\n    case 8:\n      // backspace\n      if (ev.shiftKey) {\n        result.key = C0.BS; // ^H\n        break;\n      }\n      result.key = C0.DEL; // ^?\n      break;\n    case 9:\n      // tab\n      if (ev.shiftKey) {\n        result.key = C0.ESC + '[Z';\n        break;\n      }\n      result.key = C0.HT;\n      result.cancel = true;\n      break;\n    case 13:\n      // return/enter\n      result.key = C0.CR;\n      result.cancel = true;\n      break;\n    case 27:\n      // escape\n      result.key = C0.ESC;\n      result.cancel = true;\n      break;\n    case 37:\n      // left-arrow\n      if (modifiers) {\n        result.key = C0.ESC + '[1;' + (modifiers + 1) + 'D';\n        // HACK: Make Alt + left-arrow behave like Ctrl + left-arrow: move one word backwards\n        // http://unix.stackexchange.com/a/108106\n        // macOS uses different escape sequences than linux\n        if (result.key == C0.ESC + '[1;3D') {\n          result.key = (this.browser.isMac) ? C0.ESC + 'b' : C0.ESC + '[1;5D';\n        }\n      } else if (this.applicationCursor) {\n        result.key = C0.ESC + 'OD';\n      } else {\n        result.key = C0.ESC + '[D';\n      }\n      break;\n    case 39:\n      // right-arrow\n      if (modifiers) {\n        result.key = C0.ESC + '[1;' + (modifiers + 1) + 'C';\n        // HACK: Make Alt + right-arrow behave like Ctrl + right-arrow: move one word forward\n        // http://unix.stackexchange.com/a/108106\n        // macOS uses different escape sequences than linux\n        if (result.key == C0.ESC + '[1;3C') {\n          result.key = (this.browser.isMac) ? C0.ESC + 'f' : C0.ESC + '[1;5C';\n        }\n      } else if (this.applicationCursor) {\n        result.key = C0.ESC + 'OC';\n      } else {\n        result.key = C0.ESC + '[C';\n      }\n      break;\n    case 38:\n      // up-arrow\n      if (modifiers) {\n        result.key = C0.ESC + '[1;' + (modifiers + 1) + 'A';\n        // HACK: Make Alt + up-arrow behave like Ctrl + up-arrow\n        // http://unix.stackexchange.com/a/108106\n        if (result.key == C0.ESC + '[1;3A') {\n          result.key = C0.ESC + '[1;5A';\n        }\n      } else if (this.applicationCursor) {\n        result.key = C0.ESC + 'OA';\n      } else {\n        result.key = C0.ESC + '[A';\n      }\n      break;\n    case 40:\n      // down-arrow\n      if (modifiers) {\n        result.key = C0.ESC + '[1;' + (modifiers + 1) + 'B';\n        // HACK: Make Alt + down-arrow behave like Ctrl + down-arrow\n        // http://unix.stackexchange.com/a/108106\n        if (result.key == C0.ESC + '[1;3B') {\n          result.key = C0.ESC + '[1;5B';\n        }\n      } else if (this.applicationCursor) {\n        result.key = C0.ESC + 'OB';\n      } else {\n        result.key = C0.ESC + '[B';\n      }\n      break;\n    case 45:\n      // insert\n      if (!ev.shiftKey && !ev.ctrlKey) {\n        // <Ctrl> or <Shift> + <Insert> are used to\n        // copy-paste on some systems.\n        result.key = C0.ESC + '[2~';\n      }\n      break;\n    case 46:\n      // delete\n      if (modifiers) {\n        result.key = C0.ESC + '[3;' + (modifiers + 1) + '~';\n      } else {\n        result.key = C0.ESC + '[3~';\n      }\n      break;\n    case 36:\n      // home\n      if (modifiers)\n        result.key = C0.ESC + '[1;' + (modifiers + 1) + 'H';\n      else if (this.applicationCursor)\n        result.key = C0.ESC + 'OH';\n      else\n        result.key = C0.ESC + '[H';\n      break;\n    case 35:\n      // end\n      if (modifiers)\n        result.key = C0.ESC + '[1;' + (modifiers + 1) + 'F';\n      else if (this.applicationCursor)\n        result.key = C0.ESC + 'OF';\n      else\n        result.key = C0.ESC + '[F';\n      break;\n    case 33:\n      // page up\n      if (ev.shiftKey) {\n        result.scrollDisp = -(this.rows - 1);\n      } else {\n        result.key = C0.ESC + '[5~';\n      }\n      break;\n    case 34:\n      // page down\n      if (ev.shiftKey) {\n        result.scrollDisp = this.rows - 1;\n      } else {\n        result.key = C0.ESC + '[6~';\n      }\n      break;\n    case 112:\n      // F1-F12\n      if (modifiers) {\n        result.key = C0.ESC + '[1;' + (modifiers + 1) + 'P';\n      } else {\n        result.key = C0.ESC + 'OP';\n      }\n      break;\n    case 113:\n      if (modifiers) {\n        result.key = C0.ESC + '[1;' + (modifiers + 1) + 'Q';\n      } else {\n        result.key = C0.ESC + 'OQ';\n      }\n      break;\n    case 114:\n      if (modifiers) {\n        result.key = C0.ESC + '[1;' + (modifiers + 1) + 'R';\n      } else {\n        result.key = C0.ESC + 'OR';\n      }\n      break;\n    case 115:\n      if (modifiers) {\n        result.key = C0.ESC + '[1;' + (modifiers + 1) + 'S';\n      } else {\n        result.key = C0.ESC + 'OS';\n      }\n      break;\n    case 116:\n      if (modifiers) {\n        result.key = C0.ESC + '[15;' + (modifiers + 1) + '~';\n      } else {\n        result.key = C0.ESC + '[15~';\n      }\n      break;\n    case 117:\n      if (modifiers) {\n        result.key = C0.ESC + '[17;' + (modifiers + 1) + '~';\n      } else {\n        result.key = C0.ESC + '[17~';\n      }\n      break;\n    case 118:\n      if (modifiers) {\n        result.key = C0.ESC + '[18;' + (modifiers + 1) + '~';\n      } else {\n        result.key = C0.ESC + '[18~';\n      }\n      break;\n    case 119:\n      if (modifiers) {\n        result.key = C0.ESC + '[19;' + (modifiers + 1) + '~';\n      } else {\n        result.key = C0.ESC + '[19~';\n      }\n      break;\n    case 120:\n      if (modifiers) {\n        result.key = C0.ESC + '[20;' + (modifiers + 1) + '~';\n      } else {\n        result.key = C0.ESC + '[20~';\n      }\n      break;\n    case 121:\n      if (modifiers) {\n        result.key = C0.ESC + '[21;' + (modifiers + 1) + '~';\n      } else {\n        result.key = C0.ESC + '[21~';\n      }\n      break;\n    case 122:\n      if (modifiers) {\n        result.key = C0.ESC + '[23;' + (modifiers + 1) + '~';\n      } else {\n        result.key = C0.ESC + '[23~';\n      }\n      break;\n    case 123:\n      if (modifiers) {\n        result.key = C0.ESC + '[24;' + (modifiers + 1) + '~';\n      } else {\n        result.key = C0.ESC + '[24~';\n      }\n      break;\n    default:\n      // a-z and space\n      if (ev.ctrlKey && !ev.shiftKey && !ev.altKey && !ev.metaKey) {\n        if (ev.keyCode >= 65 && ev.keyCode <= 90) {\n          result.key = String.fromCharCode(ev.keyCode - 64);\n        } else if (ev.keyCode === 32) {\n          // NUL\n          result.key = String.fromCharCode(0);\n        } else if (ev.keyCode >= 51 && ev.keyCode <= 55) {\n          // escape, file sep, group sep, record sep, unit sep\n          result.key = String.fromCharCode(ev.keyCode - 51 + 27);\n        } else if (ev.keyCode === 56) {\n          // delete\n          result.key = String.fromCharCode(127);\n        } else if (ev.keyCode === 219) {\n          // ^[ - Control Sequence Introducer (CSI)\n          result.key = String.fromCharCode(27);\n        } else if (ev.keyCode === 220) {\n          // ^\\ - String Terminator (ST)\n          result.key = String.fromCharCode(28);\n        } else if (ev.keyCode === 221) {\n          // ^] - Operating System Command (OSC)\n          result.key = String.fromCharCode(29);\n        }\n      } else if (!this.browser.isMac && ev.altKey && !ev.ctrlKey && !ev.metaKey) {\n        // On Mac this is a third level shift. Use <Esc> instead.\n        if (ev.keyCode >= 65 && ev.keyCode <= 90) {\n          result.key = C0.ESC + String.fromCharCode(ev.keyCode + 32);\n        } else if (ev.keyCode === 192) {\n          result.key = C0.ESC + '`';\n        } else if (ev.keyCode >= 48 && ev.keyCode <= 57) {\n          result.key = C0.ESC + (ev.keyCode - 48);\n        }\n      } else if (this.browser.isMac && !ev.altKey && !ev.ctrlKey && ev.metaKey) {\n        if (ev.keyCode === 65) { // cmd + a\n          this.selectAll();\n        }\n      }\n      break;\n  }\n\n  return result;\n};\n\n/**\n * Set the G level of the terminal\n * @param g\n */\nTerminal.prototype.setgLevel = function(g) {\n  this.glevel = g;\n  this.charset = this.charsets[g];\n};\n\n/**\n * Set the charset for the given G level of the terminal\n * @param g\n * @param charset\n */\nTerminal.prototype.setgCharset = function(g, charset) {\n  this.charsets[g] = charset;\n  if (this.glevel === g) {\n    this.charset = charset;\n  }\n};\n\n/**\n * Handle a keypress event.\n * Key Resources:\n *   - https://developer.mozilla.org/en-US/docs/DOM/KeyboardEvent\n * @param {KeyboardEvent} ev The keypress event to be handled.\n */\nTerminal.prototype.keyPress = function(ev) {\n  var key;\n\n  if (this.customKeyEventHandler && this.customKeyEventHandler(ev) === false) {\n    return false;\n  }\n\n  this.cancel(ev);\n\n  if (ev.charCode) {\n    key = ev.charCode;\n  } else if (ev.which == null) {\n    key = ev.keyCode;\n  } else if (ev.which !== 0 && ev.charCode !== 0) {\n    key = ev.which;\n  } else {\n    return false;\n  }\n\n  if (!key || (\n    (ev.altKey || ev.ctrlKey || ev.metaKey) && !isThirdLevelShift(this, ev)\n  )) {\n    return false;\n  }\n\n  key = String.fromCharCode(key);\n\n  this.emit('keypress', key, ev);\n  this.emit('key', key, ev);\n  this.showCursor();\n  this.handler(key);\n\n  return true;\n};\n\n/**\n * Send data for handling to the terminal\n * @param {string} data\n */\nTerminal.prototype.send = function(data) {\n  var self = this;\n\n  if (!this.queue) {\n    setTimeout(function() {\n      self.handler(self.queue);\n      self.queue = '';\n    }, 1);\n  }\n\n  this.queue += data;\n};\n\n/**\n * Ring the bell.\n * Note: We could do sweet things with webaudio here\n */\nTerminal.prototype.bell = function() {\n  if (!this.visualBell) return;\n  var self = this;\n  this.element.style.borderColor = 'white';\n  setTimeout(function() {\n    self.element.style.borderColor = '';\n  }, 10);\n  if (this.popOnBell) this.focus();\n};\n\n/**\n * Log the current state to the console.\n */\nTerminal.prototype.log = function() {\n  if (!this.debug) return;\n  if (!this.context.console || !this.context.console.log) return;\n  var args = Array.prototype.slice.call(arguments);\n  this.context.console.log.apply(this.context.console, args);\n};\n\n/**\n * Log the current state as error to the console.\n */\nTerminal.prototype.error = function() {\n  if (!this.debug) return;\n  if (!this.context.console || !this.context.console.error) return;\n  var args = Array.prototype.slice.call(arguments);\n  this.context.console.error.apply(this.context.console, args);\n};\n\n/**\n * Resizes the terminal.\n *\n * @param {number} x The number of columns to resize to.\n * @param {number} y The number of rows to resize to.\n */\nTerminal.prototype.resize = function(x, y) {\n  if (isNaN(x) || isNaN(y)) {\n    return;\n  }\n\n  if (y > this.getOption('scrollback')) {\n    this.setOption('scrollback', y)\n  }\n\n  var line\n  , el\n  , i\n  , j\n  , ch\n  , addToY;\n\n  if (x === this.cols && y === this.rows) {\n    // Check if we still need to measure the char size (fixes #785).\n    if (!this.charMeasure.width || !this.charMeasure.height) {\n      this.charMeasure.measure();\n    }\n    return;\n  }\n\n  if (x < 1) x = 1;\n  if (y < 1) y = 1;\n\n  this.buffers.resize(x, y);\n\n  // Adjust rows in the DOM to accurately reflect the new dimensions\n  while (this.children.length < y) {\n    this.insertRow();\n  }\n  while (this.children.length > y) {\n    el = this.children.shift();\n    if (!el) continue;\n    el.parentNode.removeChild(el);\n  }\n\n  this.cols = x;\n  this.rows = y;\n  this.setupStops(this.cols);\n\n  this.charMeasure.measure();\n\n  this.refresh(0, this.rows - 1);\n\n  this.geometry = [this.cols, this.rows];\n  this.emit('resize', {terminal: this, cols: x, rows: y});\n};\n\n/**\n * Updates the range of rows to refresh\n * @param {number} y The number of rows to refresh next.\n */\nTerminal.prototype.updateRange = function(y) {\n  if (y < this.refreshStart) this.refreshStart = y;\n  if (y > this.refreshEnd) this.refreshEnd = y;\n  // if (y > this.refreshEnd) {\n  //   this.refreshEnd = y;\n  //   if (y > this.rows - 1) {\n  //     this.refreshEnd = this.rows - 1;\n  //   }\n  // }\n};\n\n/**\n * Set the range of refreshing to the maximum value\n */\nTerminal.prototype.maxRange = function() {\n  this.refreshStart = 0;\n  this.refreshEnd = this.rows - 1;\n};\n\n\n\n/**\n * Setup the tab stops.\n * @param {number} i\n */\nTerminal.prototype.setupStops = function(i) {\n  if (i != null) {\n    if (!this.buffer.tabs[i]) {\n      i = this.prevStop(i);\n    }\n  } else {\n    this.buffer.tabs = {};\n    i = 0;\n  }\n\n  for (; i < this.cols; i += this.getOption('tabStopWidth')) {\n    this.buffer.tabs[i] = true;\n  }\n};\n\n\n/**\n * Move the cursor to the previous tab stop from the given position (default is current).\n * @param {number} x The position to move the cursor to the previous tab stop.\n */\nTerminal.prototype.prevStop = function(x) {\n  if (x == null) x = this.buffer.x;\n  while (!this.buffer.tabs[--x] && x > 0);\n  return x >= this.cols\n    ? this.cols - 1\n  : x < 0 ? 0 : x;\n};\n\n\n/**\n * Move the cursor one tab stop forward from the given position (default is current).\n * @param {number} x The position to move the cursor one tab stop forward.\n */\nTerminal.prototype.nextStop = function(x) {\n  if (x == null) x = this.buffer.x;\n  while (!this.buffer.tabs[++x] && x < this.cols);\n  return x >= this.cols\n    ? this.cols - 1\n  : x < 0 ? 0 : x;\n};\n\n\n/**\n * Erase in the identified line everything from \"x\" to the end of the line (right).\n * @param {number} x The column from which to start erasing to the end of the line.\n * @param {number} y The line in which to operate.\n */\nTerminal.prototype.eraseRight = function(x, y) {\n  var line = this.buffer.lines.get(this.buffer.ybase + y);\n  if (!line) {\n    return;\n  }\n  var ch = [this.eraseAttr(), ' ', 1]; // xterm\n  for (; x < this.cols; x++) {\n    line[x] = ch;\n  }\n  this.updateRange(y);\n};\n\n\n\n/**\n * Erase in the identified line everything from \"x\" to the start of the line (left).\n * @param {number} x The column from which to start erasing to the start of the line.\n * @param {number} y The line in which to operate.\n */\nTerminal.prototype.eraseLeft = function(x, y) {\n  var line = this.buffer.lines.get(this.buffer.ybase + y);\n  if (!line) {\n    return;\n  }\n  var ch = [this.eraseAttr(), ' ', 1]; // xterm\n  x++;\n  while (x--) {\n    line[x] = ch;\n  }\n  this.updateRange(y);\n};\n\n/**\n * Clears the entire buffer, making the prompt line the new first line.\n */\nTerminal.prototype.clear = function() {\n  if (this.buffer.ybase === 0 && this.buffer.y === 0) {\n    // Don't clear if it's already clear\n    return;\n  }\n  this.buffer.lines.set(0, this.buffer.lines.get(this.buffer.ybase + this.buffer.y));\n  this.buffer.lines.length = 1;\n  this.buffer.ydisp = 0;\n  this.buffer.ybase = 0;\n  this.buffer.y = 0;\n  for (var i = 1; i < this.rows; i++) {\n    this.buffer.lines.push(this.blankLine());\n  }\n  this.refresh(0, this.rows - 1);\n  this.emit('scroll', this.buffer.ydisp);\n};\n\n/**\n * Erase all content in the given line\n * @param {number} y The line to erase all of its contents.\n */\nTerminal.prototype.eraseLine = function(y) {\n  this.eraseRight(0, y);\n};\n\n\n/**\n * Return the data array of a blank line\n * @param {number} cur First bunch of data for each \"blank\" character.\n * @param {boolean} isWrapped Whether the new line is wrapped from the previous line.\n */\nTerminal.prototype.blankLine = function(cur, isWrapped, cols) {\n  var attr = cur\n  ? this.eraseAttr()\n  : this.defAttr;\n\n  var ch = [attr, ' ', 1]  // width defaults to 1 halfwidth character\n  , line = []\n  , i = 0;\n\n  // TODO: It is not ideal that this is a property on an array, a buffer line\n  // class should be added that will hold this data and other useful functions.\n  if (isWrapped) {\n    line.isWrapped = isWrapped;\n  }\n\n  cols = cols || this.cols;\n  for (; i < cols; i++) {\n    line[i] = ch;\n  }\n\n  return line;\n};\n\n\n/**\n * If cur return the back color xterm feature attribute. Else return defAttr.\n * @param {object} cur\n */\nTerminal.prototype.ch = function(cur) {\n  return cur\n    ? [this.eraseAttr(), ' ', 1]\n  : [this.defAttr, ' ', 1];\n};\n\n\n/**\n * Evaluate if the current terminal is the given argument.\n * @param {object} term The terminal to evaluate\n */\nTerminal.prototype.is = function(term) {\n  var name = this.termName;\n  return (name + '').indexOf(term) === 0;\n};\n\n\n/**\n * Emit the 'data' event and populate the given data.\n * @param {string} data The data to populate in the event.\n */\nTerminal.prototype.handler = function(data) {\n  // Prevents all events to pty process if stdin is disabled\n  if (this.options.disableStdin) {\n    return;\n  }\n\n  // Clear the selection if the selection manager is available and has an active selection\n  if (this.selectionManager && this.selectionManager.hasSelection) {\n    this.selectionManager.clearSelection();\n  }\n\n  // Input is being sent to the terminal, the terminal should focus the prompt.\n  if (this.buffer.ybase !== this.buffer.ydisp) {\n    this.scrollToBottom();\n  }\n  this.emit('data', data);\n};\n\n\n/**\n * Emit the 'title' event and populate the given title.\n * @param {string} title The title to populate in the event.\n */\nTerminal.prototype.handleTitle = function(title) {\n  /**\n   * This event is emitted when the title of the terminal is changed\n   * from inside the terminal. The parameter is the new title.\n   *\n   * @event title\n   */\n  this.emit('title', title);\n};\n\n\n/**\n * ESC\n */\n\n/**\n * ESC D Index (IND is 0x84).\n */\nTerminal.prototype.index = function() {\n  this.buffer.y++;\n  if (this.buffer.y > this.buffer.scrollBottom) {\n    this.buffer.y--;\n    this.scroll();\n  }\n  // If the end of the line is hit, prevent this action from wrapping around to the next line.\n  if (this.buffer.x >= this.cols) {\n    this.buffer.x--;\n  }\n};\n\n\n/**\n * ESC M Reverse Index (RI is 0x8d).\n *\n * Move the cursor up one row, inserting a new blank line if necessary.\n */\nTerminal.prototype.reverseIndex = function() {\n  var j;\n  if (this.buffer.y === this.buffer.scrollTop) {\n    // possibly move the code below to term.reverseScroll();\n    // test: echo -ne '\\e[1;1H\\e[44m\\eM\\e[0m'\n    // blankLine(true) is xterm/linux behavior\n    this.buffer.lines.shiftElements(this.buffer.y + this.buffer.ybase, this.rows - 1, 1);\n    this.buffer.lines.set(this.buffer.y + this.buffer.ybase, this.blankLine(true));\n    this.updateRange(this.buffer.scrollTop);\n    this.updateRange(this.buffer.scrollBottom);\n  } else {\n    this.buffer.y--;\n  }\n};\n\n\n/**\n * ESC c Full Reset (RIS).\n */\nTerminal.prototype.reset = function() {\n  this.options.rows = this.rows;\n  this.options.cols = this.cols;\n  var customKeyEventHandler = this.customKeyEventHandler;\n  var cursorBlinkInterval = this.cursorBlinkInterval;\n  var inputHandler = this.inputHandler;\n  Terminal.call(this, this.options);\n  this.customKeyEventHandler = customKeyEventHandler;\n  this.cursorBlinkInterval = cursorBlinkInterval;\n  this.inputHandler = inputHandler;\n  this.refresh(0, this.rows - 1);\n  this.viewport.syncScrollArea();\n};\n\n\n/**\n * ESC H Tab Set (HTS is 0x88).\n */\nTerminal.prototype.tabSet = function() {\n  this.buffer.tabs[this.buffer.x] = true;\n};\n\n/**\n * Helpers\n */\n\nfunction on(el, type, handler, capture) {\n  if (!Array.isArray(el)) {\n    el = [el];\n  }\n  el.forEach(function (element) {\n    element.addEventListener(type, handler, capture || false);\n  });\n}\n\nfunction off(el, type, handler, capture) {\n  el.removeEventListener(type, handler, capture || false);\n}\n\nfunction cancel(ev, force) {\n  if (!this.cancelEvents && !force) {\n    return;\n  }\n  ev.preventDefault();\n  ev.stopPropagation();\n  return false;\n}\n\nfunction inherits(child, parent) {\n  function f() {\n    this.constructor = child;\n  }\n  f.prototype = parent.prototype;\n  child.prototype = new f;\n}\n\nfunction indexOf(obj, el) {\n  var i = obj.length;\n  while (i--) {\n    if (obj[i] === el) return i;\n  }\n  return -1;\n}\n\nfunction isThirdLevelShift(term, ev) {\n  var thirdLevelKey =\n      (term.browser.isMac && ev.altKey && !ev.ctrlKey && !ev.metaKey) ||\n      (term.browser.isMSWindows && ev.altKey && ev.ctrlKey && !ev.metaKey);\n\n  if (ev.type == 'keypress') {\n    return thirdLevelKey;\n  }\n\n  // Don't invoke for arrows, pageDown, home, backspace, etc. (on non-keypress events)\n  return thirdLevelKey && (!ev.keyCode || ev.keyCode > 47);\n}\n\n// Expose to InputHandler (temporary)\nTerminal.prototype.matchColor = matchColor;\n\nfunction matchColor(r1, g1, b1) {\n  var hash = (r1 << 16) | (g1 << 8) | b1;\n\n  if (matchColor._cache[hash] != null) {\n    return matchColor._cache[hash];\n  }\n\n  var ldiff = Infinity\n  , li = -1\n  , i = 0\n  , c\n  , r2\n  , g2\n  , b2\n  , diff;\n\n  for (; i < Terminal.vcolors.length; i++) {\n    c = Terminal.vcolors[i];\n    r2 = c[0];\n    g2 = c[1];\n    b2 = c[2];\n\n    diff = matchColor.distance(r1, g1, b1, r2, g2, b2);\n\n    if (diff === 0) {\n      li = i;\n      break;\n    }\n\n    if (diff < ldiff) {\n      ldiff = diff;\n      li = i;\n    }\n  }\n\n  return matchColor._cache[hash] = li;\n}\n\nmatchColor._cache = {};\n\n// http://stackoverflow.com/questions/1633828\nmatchColor.distance = function(r1, g1, b1, r2, g2, b2) {\n  return Math.pow(30 * (r1 - r2), 2)\n    + Math.pow(59 * (g1 - g2), 2)\n    + Math.pow(11 * (b1 - b2), 2);\n};\n\nfunction each(obj, iter, con) {\n  if (obj.forEach) return obj.forEach(iter, con);\n  for (var i = 0; i < obj.length; i++) {\n    iter.call(con, obj[i], i, obj);\n  }\n}\n\nfunction wasMondifierKeyOnlyEvent(ev) {\n  return ev.keyCode === 16 || // Shift\n    ev.keyCode === 17 || // Ctrl\n    ev.keyCode === 18; // Alt\n}\n\nfunction keys(obj) {\n  if (Object.keys) return Object.keys(obj);\n  var key, keys = [];\n  for (key in obj) {\n    if (Object.prototype.hasOwnProperty.call(obj, key)) {\n      keys.push(key);\n    }\n  }\n  return keys;\n}\n\n/**\n * Expose\n */\n\nTerminal.translateBufferLineToString = translateBufferLineToString;\nTerminal.EventEmitter = EventEmitter;\nTerminal.inherits = inherits;\n\n/**\n * Adds an event listener to the terminal.\n *\n * @param {string} event The name of the event. TODO: Document all event types\n * @param {function} callback The function to call when the event is triggered.\n */\nTerminal.on = on;\nTerminal.off = off;\nTerminal.cancel = cancel;\n\nmodule.exports = Terminal;\n","/**\n * @license MIT\n */\n\nimport { CharMeasure } from './CharMeasure';\n\nexport function getCoordsRelativeToElement(event: MouseEvent, element: HTMLElement): [number, number] {\n  // Ignore browsers that don't support MouseEvent.pageX\n  if (event.pageX == null) {\n    return null;\n  }\n\n  let x = event.pageX;\n  let y = event.pageY;\n\n  // Converts the coordinates from being relative to the document to being\n  // relative to the terminal.\n  while (element && element !== self.document.documentElement) {\n    x -= element.offsetLeft;\n    y -= element.offsetTop;\n    element = 'offsetParent' in element ? <HTMLElement>element.offsetParent : <HTMLElement>element.parentElement;\n  }\n  return [x, y];\n}\n\n/**\n * Gets coordinates within the terminal for a particular mouse event. The result\n * is returned as an array in the form [x, y] instead of an object as it's a\n * little faster and this function is used in some low level code.\n * @param event The mouse event.\n * @param rowContainer The terminal's row container.\n * @param charMeasure The char measure object used to determine character sizes.\n * @param colCount The number of columns in the terminal.\n * @param rowCount The number of rows n the terminal.\n * @param isSelection Whether the request is for the selection or not. This will\n * apply an offset to the x value such that the left half of the cell will\n * select that cell and the right half will select the next cell.\n */\nexport function getCoords(event: MouseEvent, rowContainer: HTMLElement, charMeasure: CharMeasure, colCount: number, rowCount: number, isSelection?: boolean): [number, number] {\n  // Coordinates cannot be measured if charMeasure has not been initialized\n  if (!charMeasure.width || !charMeasure.height) {\n    return null;\n  }\n\n  const coords = getCoordsRelativeToElement(event, rowContainer);\n  if (!coords) {\n    return null;\n  }\n\n  // Convert to cols/rows.\n  coords[0] = Math.ceil((coords[0] + (isSelection ? charMeasure.width / 2 : 0)) / charMeasure.width);\n  coords[1] = Math.ceil(coords[1] / charMeasure.height);\n\n  // Ensure coordinates are within the terminal viewport.\n  coords[0] = Math.min(Math.max(coords[0], 1), colCount + 1);\n  coords[1] = Math.min(Math.max(coords[1], 1), rowCount + 1);\n\n  return coords;\n}\n\n/**\n * Gets coordinates within the terminal for a particular mouse event, wrapping\n * them to the bounds of the terminal and adding 32 to both the x and y values\n * as expected by xterm.\n * @param event The mouse event.\n * @param rowContainer The terminal's row container.\n * @param charMeasure The char measure object used to determine character sizes.\n * @param colCount The number of columns in the terminal.\n * @param rowCount The number of rows in the terminal.\n */\nexport function getRawByteCoords(event: MouseEvent, rowContainer: HTMLElement, charMeasure: CharMeasure, colCount: number, rowCount: number): { x: number, y: number } {\n  const coords = getCoords(event, rowContainer, charMeasure, colCount, rowCount);\n  let x = coords[0];\n  let y = coords[1];\n\n  // xterm sends raw bytes and starts at 32 (SP) for each.\n  x += 32;\n  y += 32;\n\n  return { x, y };\n}\n","/**\n * Generic utilities module with methods that can be helpful at different parts of the code base.\n * @module xterm/utils/Generic\n * @license MIT\n */\n\n/**\n * Return if the given array contains the given element\n * @param {Array} array The array to search for the given element.\n * @param {Object} el The element to look for into the array\n */\nexport function contains(arr: any[], el: any) {\n  return arr.indexOf(el) >= 0;\n};\n","/**\n * @module xterm/utils/DomElementObjectPool\n * @license MIT\n */\n\n/**\n * An object pool that manages acquisition and releasing of DOM elements for\n * when reuse is desirable.\n */\nexport class DomElementObjectPool {\n  private static readonly OBJECT_ID_ATTRIBUTE = 'data-obj-id';\n\n  private static _objectCount = 0;\n\n  private _type: string;\n  private _pool: HTMLElement[];\n  private _inUse: {[key: string]: HTMLElement};\n\n  /**\n   * @param type The DOM element type (div, span, etc.).\n   */\n  constructor(private type: string) {\n    this._type = type;\n    this._pool = [];\n    this._inUse = {};\n  }\n\n  /**\n   * Acquire an element from the pool, creating it if the pool is empty.\n   */\n  public acquire(): HTMLElement {\n    let element: HTMLElement;\n    if (this._pool.length === 0) {\n      element = this._createNew();\n    } else {\n      element = this._pool.pop();\n    }\n    this._inUse[element.getAttribute(DomElementObjectPool.OBJECT_ID_ATTRIBUTE)] = element;\n    return element;\n  }\n\n  /**\n   * Release an element back into the pool. It's up to the caller of this\n   * function to ensure that all external references to the element have been\n   * removed.\n   * @param element The element being released.\n   */\n  public release(element: HTMLElement): void {\n    if (!this._inUse[element.getAttribute(DomElementObjectPool.OBJECT_ID_ATTRIBUTE)]) {\n      throw new Error('Could not release an element not yet acquired');\n    }\n    delete this._inUse[element.getAttribute(DomElementObjectPool.OBJECT_ID_ATTRIBUTE)];\n    this._cleanElement(element);\n    this._pool.push(element);\n  }\n\n  /**\n   * Creates a new element for the pool.\n   */\n  private _createNew(): HTMLElement {\n    const element = document.createElement(this._type);\n    const id = DomElementObjectPool._objectCount++;\n    element.setAttribute(DomElementObjectPool.OBJECT_ID_ATTRIBUTE, id.toString(10));\n    return element;\n  }\n\n  /**\n   * Resets an element back to a \"clean state\".\n   * @param element The element to be cleaned.\n   */\n  private _cleanElement(element: HTMLElement): void {\n    element.className = '';\n    element.innerHTML = '';\n  }\n}\n","/**\n * Represents a circular list; a list with a maximum size that wraps around when push is called,\n * overriding values at the start of the list.\n * @module xterm/utils/CircularList\n * @license MIT\n */\nimport { EventEmitter } from '../EventEmitter';\nimport { ICircularList } from '../Interfaces';\n\nexport class CircularList<T> extends EventEmitter implements ICircularList<T> {\n  private _array: T[];\n  private _startIndex: number;\n  private _length: number;\n\n  constructor(maxLength: number) {\n    super();\n    this._array = new Array<T>(maxLength);\n    this._startIndex = 0;\n    this._length = 0;\n  }\n\n  public get maxLength(): number {\n    return this._array.length;\n  }\n\n  public set maxLength(newMaxLength: number) {\n    // Reconstruct array, starting at index 0. Only transfer values from the\n    // indexes 0 to length.\n    let newArray = new Array<T>(newMaxLength);\n    for (let i = 0; i < Math.min(newMaxLength, this.length); i++) {\n      newArray[i] = this._array[this._getCyclicIndex(i)];\n    }\n    this._array = newArray;\n    this._startIndex = 0;\n  }\n\n  public get length(): number {\n    return this._length;\n  }\n\n  public set length(newLength: number) {\n    if (newLength > this._length) {\n      for (let i = this._length; i < newLength; i++) {\n        this._array[i] = undefined;\n      }\n    }\n    this._length = newLength;\n  }\n\n  public get forEach(): (callbackfn: (value: T, index: number) => void) => void {\n    return (callbackfn: (value: T, index: number) => void) => {\n      let i = 0;\n      let length = this.length;\n      for (let i = 0; i < length; i++) {\n        callbackfn(this.get(i), i);\n      }\n    };\n  }\n\n  /**\n   * Gets the value at an index.\n   *\n   * Note that for performance reasons there is no bounds checking here, the index reference is\n   * circular so this should always return a value and never throw.\n   * @param index The index of the value to get.\n   * @return The value corresponding to the index.\n   */\n  public get(index: number): T {\n    return this._array[this._getCyclicIndex(index)];\n  }\n\n  /**\n   * Sets the value at an index.\n   *\n   * Note that for performance reasons there is no bounds checking here, the index reference is\n   * circular so this should always return a value and never throw.\n   * @param index The index to set.\n   * @param value The value to set.\n   */\n  public set(index: number, value: T): void {\n    this._array[this._getCyclicIndex(index)] = value;\n  }\n\n  /**\n   * Pushes a new value onto the list, wrapping around to the start of the array, overriding index 0\n   * if the maximum length is reached.\n   * @param value The value to push onto the list.\n   */\n  public push(value: T): void {\n    this._array[this._getCyclicIndex(this._length)] = value;\n    if (this._length === this.maxLength) {\n      this._startIndex++;\n      if (this._startIndex === this.maxLength) {\n        this._startIndex = 0;\n      }\n      this.emit('trim', 1);\n    } else {\n      this._length++;\n    }\n  }\n\n  /**\n   * Removes and returns the last value on the list.\n   * @return The popped value.\n   */\n  public pop(): T {\n    return this._array[this._getCyclicIndex(this._length-- - 1)];\n  }\n\n  /**\n   * Deletes and/or inserts items at a particular index (in that order). Unlike\n   * Array.prototype.splice, this operation does not return the deleted items as a new array in\n   * order to save creating a new array. Note that this operation may shift all values in the list\n   * in the worst case.\n   * @param start The index to delete and/or insert.\n   * @param deleteCount The number of elements to delete.\n   * @param items The items to insert.\n   */\n  public splice(start: number, deleteCount: number, ...items: T[]): void {\n    // Delete items\n    if (deleteCount) {\n      for (let i = start; i < this._length - deleteCount; i++) {\n        this._array[this._getCyclicIndex(i)] = this._array[this._getCyclicIndex(i + deleteCount)];\n      }\n      this._length -= deleteCount;\n    }\n\n    if (items && items.length) {\n      // Add items\n      for (let i = this._length - 1; i >= start; i--) {\n        this._array[this._getCyclicIndex(i + items.length)] = this._array[this._getCyclicIndex(i)];\n      }\n      for (let i = 0; i < items.length; i++) {\n        this._array[this._getCyclicIndex(start + i)] = items[i];\n      }\n\n      // Adjust length as needed\n      if (this._length + items.length > this.maxLength) {\n        const countToTrim = (this._length + items.length) - this.maxLength;\n        this._startIndex += countToTrim;\n        this._length = this.maxLength;\n        this.emit('trim', countToTrim);\n      } else {\n        this._length += items.length;\n      }\n    }\n  }\n\n  /**\n   * Trims a number of items from the start of the list.\n   * @param count The number of items to remove.\n   */\n  public trimStart(count: number): void {\n    if (count > this._length) {\n      count = this._length;\n    }\n    this._startIndex += count;\n    this._length -= count;\n    this.emit('trim', count);\n  }\n\n  public shiftElements(start: number, count: number, offset: number): void {\n    if (count <= 0) {\n      return;\n    }\n    if (start < 0 || start >= this._length) {\n      throw new Error('start argument out of range');\n    }\n    if (start + offset < 0) {\n      throw new Error('Cannot shift elements in list beyond index 0');\n    }\n\n    if (offset > 0) {\n      for (let i = count - 1; i >= 0; i--) {\n        this.set(start + i + offset, this.get(start + i));\n      }\n      const expandListBy = (start + count + offset) - this._length;\n      if (expandListBy > 0) {\n        this._length += expandListBy;\n        while (this._length > this.maxLength) {\n          this._length--;\n          this._startIndex++;\n          this.emit('trim', 1);\n        }\n      }\n    } else {\n      for (let i = 0; i < count; i++) {\n        this.set(start + i + offset, this.get(start + i));\n      }\n    }\n  }\n\n  /**\n   * Gets the cyclic index for the specified regular index. The cyclic index can then be used on the\n   * backing array to get the element associated with the regular index.\n   * @param index The regular index.\n   * @returns The cyclic index.\n   */\n  private _getCyclicIndex(index: number): number {\n    return (this._startIndex + index) % this.maxLength;\n  }\n}\n","/**\n * @module xterm/utils/CharMeasure\n * @license MIT\n */\n\nimport { EventEmitter } from '../EventEmitter.js';\n\n/**\n * Utility class that measures the size of a character.\n */\nexport class CharMeasure extends EventEmitter {\n  private _document: Document;\n  private _parentElement: HTMLElement;\n  private _measureElement: HTMLElement;\n  private _width: number;\n  private _height: number;\n\n  constructor(document: Document, parentElement: HTMLElement) {\n    super();\n    this._document = document;\n    this._parentElement = parentElement;\n  }\n\n  public get width(): number {\n    return this._width;\n  }\n\n  public get height(): number {\n    return this._height;\n  }\n\n  public measure(): void {\n    if (!this._measureElement) {\n      this._measureElement = this._document.createElement('span');\n      this._measureElement.style.position = 'absolute';\n      this._measureElement.style.top = '0';\n      this._measureElement.style.left = '-9999em';\n      this._measureElement.textContent = 'W';\n      this._measureElement.setAttribute('aria-hidden', 'true');\n      this._parentElement.appendChild(this._measureElement);\n      // Perform _doMeasure async if the element was just attached as sometimes\n      // getBoundingClientRect does not return accurate values without this.\n      setTimeout(() => this._doMeasure(), 0);\n    } else {\n      this._doMeasure();\n    }\n  }\n\n  private _doMeasure(): void {\n    const geometry = this._measureElement.getBoundingClientRect();\n    // The element is likely currently display:none, we should retain the\n    // previous value.\n    if (geometry.width === 0 || geometry.height === 0) {\n      return;\n    }\n    if (this._width !== geometry.width || this._height !== geometry.height) {\n      this._width = geometry.width;\n      this._height = geometry.height;\n      this.emit('charsizechanged');\n    }\n  }\n}\n","/**\n * @license MIT\n */\n\n// TODO: This module should be merged into a buffer or buffer line class\n\nconst LINE_DATA_CHAR_INDEX = 1;\nconst LINE_DATA_WIDTH_INDEX = 2;\n\n/**\n * Translates a buffer line to a string, with optional start and end columns.\n * Wide characters will count as two columns in the resulting string. This\n * function is useful for getting the actual text underneath the raw selection\n * position.\n * @param line The line being translated.\n * @param trimRight Whether to trim whitespace to the right.\n * @param startCol The column to start at.\n * @param endCol The column to end at.\n */\nexport function translateBufferLineToString(line: any, trimRight: boolean, startCol: number = 0, endCol: number = null): string {\n  // Get full line\n  let lineString = '';\n  let widthAdjustedStartCol = startCol;\n  let widthAdjustedEndCol = endCol;\n  for (let i = 0; i < line.length; i++) {\n    const char = line[i];\n    lineString += char[LINE_DATA_CHAR_INDEX];\n    // Adjust start and end cols for wide characters if they affect their\n    // column indexes\n    if (char[LINE_DATA_WIDTH_INDEX] === 0) {\n      if (startCol >= i) {\n        widthAdjustedStartCol--;\n      }\n      if (endCol >= i) {\n        widthAdjustedEndCol--;\n      }\n    }\n  }\n\n  // Calculate the final end col by trimming whitespace on the right of the\n  // line if needed.\n  let finalEndCol = widthAdjustedEndCol || line.length;\n  if (trimRight) {\n    const rightWhitespaceIndex = lineString.search(/\\s+$/);\n    if (rightWhitespaceIndex !== -1) {\n      finalEndCol = Math.min(finalEndCol, rightWhitespaceIndex);\n    }\n    // Return the empty string if only trimmed whitespace is selected\n    if (finalEndCol <= widthAdjustedStartCol) {\n      return '';\n    }\n  }\n\n  return lineString.substring(widthAdjustedStartCol, finalEndCol);\n}\n","/**\n * Attributes and methods to help with identifying the current browser and platform.\n * @module xterm/utils/Browser\n * @license MIT\n */\n\nimport { contains } from './Generic';\n\nconst isNode = (typeof navigator === 'undefined') ? true : false;\nconst userAgent = (isNode) ? 'node' : navigator.userAgent;\nconst platform = (isNode) ? 'node' : navigator.platform;\n\nexport const isFirefox = !!~userAgent.indexOf('Firefox');\nexport const isMSIE = !!~userAgent.indexOf('MSIE') || !!~userAgent.indexOf('Trident');\n\n// Find the users platform. We use this to interpret the meta key\n// and ISO third level shifts.\n// http://stackoverflow.com/q/19877924/577598\nexport const isMac = contains(['Macintosh', 'MacIntel', 'MacPPC', 'Mac68K'], platform);\nexport const isIpad = platform === 'iPad';\nexport const isIphone = platform === 'iPhone';\nexport const isMSWindows = contains(['Windows', 'Win16', 'Win32', 'WinCE'], platform);\nexport const isLinux = platform.indexOf('Linux') >= 0;\n","/**\n * Clipboard handler module: exports methods for handling all clipboard-related events in the\n * terminal.\n * @module xterm/handlers/Clipboard\n * @license MIT\n */\n\nimport { ITerminal, ISelectionManager } from '../Interfaces';\n\ninterface IWindow extends Window {\n  clipboardData?: {\n    getData(format: string): string;\n    setData(format: string, data: string);\n  };\n}\n\ndeclare var window: IWindow;\n\n/**\n * Prepares text to be pasted into the terminal by normalizing the line endings\n * @param text The pasted text that needs processing before inserting into the terminal\n */\nexport function prepareTextForTerminal(text: string, isMSWindows: boolean): string {\n  if (isMSWindows) {\n    return text.replace(/\\r?\\n/g, '\\r');\n  }\n  return text;\n}\n\n/**\n * Binds copy functionality to the given terminal.\n * @param {ClipboardEvent} ev The original copy event to be handled\n */\nexport function copyHandler(ev: ClipboardEvent, term: ITerminal, selectionManager: ISelectionManager) {\n  if (term.browser.isMSIE) {\n    window.clipboardData.setData('Text', selectionManager.selectionText);\n  } else {\n    ev.clipboardData.setData('text/plain', selectionManager.selectionText);\n  }\n\n  // Prevent or the original text will be copied.\n  ev.preventDefault();\n}\n\n/**\n * Redirect the clipboard's data to the terminal's input handler.\n * @param {ClipboardEvent} ev The original paste event to be handled\n * @param {Terminal} term The terminal on which to apply the handled paste event\n */\nexport function pasteHandler(ev: ClipboardEvent, term: ITerminal) {\n  ev.stopPropagation();\n\n  let text: string;\n\n  let dispatchPaste = function(text) {\n    text = prepareTextForTerminal(text, term.browser.isMSWindows);\n    term.handler(text);\n    term.textarea.value = '';\n    term.emit('paste', text);\n\n    return term.cancel(ev);\n  };\n\n  if (term.browser.isMSIE) {\n    if (window.clipboardData) {\n      text = window.clipboardData.getData('Text');\n      dispatchPaste(text);\n    }\n  } else {\n    if (ev.clipboardData) {\n      text = ev.clipboardData.getData('text/plain');\n      dispatchPaste(text);\n    }\n  }\n}\n\n/**\n * Moves the textarea under the mouse cursor and focuses it.\n * @param ev The original right click event to be handled.\n * @param textarea The terminal's textarea.\n */\nexport function moveTextAreaUnderMouseCursor(ev: MouseEvent, textarea: HTMLTextAreaElement) {\n  // Bring textarea at the cursor position\n  textarea.style.position = 'fixed';\n  textarea.style.width = '20px';\n  textarea.style.height = '20px';\n  textarea.style.left = (ev.clientX - 10) + 'px';\n  textarea.style.top = (ev.clientY - 10) + 'px';\n  textarea.style.zIndex = '1000';\n\n  textarea.focus();\n\n  // Reset the terminal textarea's styling\n  setTimeout(function () {\n    textarea.style.position = null;\n    textarea.style.width = null;\n    textarea.style.height = null;\n    textarea.style.left = null;\n    textarea.style.top = null;\n    textarea.style.zIndex = null;\n  }, 4);\n}\n\n/**\n * Bind to right-click event and allow right-click copy and paste.\n * @param ev The original right click event to be handled.\n * @param textarea The terminal's textarea.\n * @param selectionManager The terminal's selection manager.\n */\nexport function rightClickHandler(ev: MouseEvent, textarea: HTMLTextAreaElement, selectionManager: ISelectionManager) {\n  moveTextAreaUnderMouseCursor(ev, textarea);\n\n  // Get textarea ready to copy from the context menu\n  textarea.value = selectionManager.selectionText;\n  textarea.select();\n}\n","/**\n * @license MIT\n */\n\nimport { ITerminal } from './Interfaces';\nimport { CharMeasure } from './utils/CharMeasure';\n\n/**\n * Represents the viewport of a terminal, the visible area within the larger buffer of output.\n * Logic for the virtual scroll bar is included in this object.\n */\nexport class Viewport {\n  private currentRowHeight: number;\n  private lastRecordedBufferLength: number;\n  private lastRecordedViewportHeight: number;\n  private lastTouchY: number;\n\n  /**\n   * Creates a new Viewport.\n   * @param terminal The terminal this viewport belongs to.\n   * @param viewportElement The DOM element acting as the viewport.\n   * @param scrollArea The DOM element acting as the scroll area.\n   * @param charMeasure A DOM element used to measure the character size of. the terminal.\n   */\n  constructor(\n    private terminal: ITerminal,\n    private viewportElement: HTMLElement,\n    private scrollArea: HTMLElement,\n    private charMeasure: CharMeasure\n  ) {\n    this.currentRowHeight = 0;\n    this.lastRecordedBufferLength = 0;\n    this.lastRecordedViewportHeight = 0;\n\n    this.terminal.on('scroll', this.syncScrollArea.bind(this));\n    this.terminal.on('resize', this.syncScrollArea.bind(this));\n    this.viewportElement.addEventListener('scroll', this.onScroll.bind(this));\n\n    // Perform this async to ensure the CharMeasure is ready.\n    setTimeout(() => this.syncScrollArea(), 0);\n  }\n\n  /**\n   * Refreshes row height, setting line-height, viewport height and scroll area height if\n   * necessary.\n   */\n  private refresh(): void {\n    if (this.charMeasure.height > 0) {\n      const rowHeightChanged = this.charMeasure.height !== this.currentRowHeight;\n      if (rowHeightChanged) {\n        this.currentRowHeight = this.charMeasure.height;\n        this.viewportElement.style.lineHeight = this.charMeasure.height + 'px';\n        this.terminal.rowContainer.style.lineHeight = this.charMeasure.height + 'px';\n      }\n      const viewportHeightChanged = this.lastRecordedViewportHeight !== this.terminal.rows;\n      if (rowHeightChanged || viewportHeightChanged) {\n        this.lastRecordedViewportHeight = this.terminal.rows;\n        this.viewportElement.style.height = this.charMeasure.height * this.terminal.rows + 'px';\n        this.terminal.selectionContainer.style.height = this.viewportElement.style.height;\n      }\n      this.scrollArea.style.height = (this.charMeasure.height * this.lastRecordedBufferLength) + 'px';\n    }\n  }\n\n  /**\n   * Updates dimensions and synchronizes the scroll area if necessary.\n   */\n  public syncScrollArea(): void {\n    if (this.lastRecordedBufferLength !== this.terminal.buffer.lines.length) {\n      // If buffer height changed\n      this.lastRecordedBufferLength = this.terminal.buffer.lines.length;\n      this.refresh();\n    } else if (this.lastRecordedViewportHeight !== this.terminal.rows) {\n      // If viewport height changed\n      this.refresh();\n    } else {\n      // If size has changed, refresh viewport\n      if (this.charMeasure.height !== this.currentRowHeight) {\n        this.refresh();\n      }\n    }\n\n    // Sync scrollTop\n    const scrollTop = this.terminal.buffer.ydisp * this.currentRowHeight;\n    if (this.viewportElement.scrollTop !== scrollTop) {\n      this.viewportElement.scrollTop = scrollTop;\n    }\n  }\n\n  /**\n   * Handles scroll events on the viewport, calculating the new viewport and requesting the\n   * terminal to scroll to it.\n   * @param ev The scroll event.\n   */\n  private onScroll(ev: Event) {\n    const newRow = Math.round(this.viewportElement.scrollTop / this.currentRowHeight);\n    const diff = newRow - this.terminal.buffer.ydisp;\n    this.terminal.scrollDisp(diff, true);\n  }\n\n  /**\n   * Handles mouse wheel events by adjusting the viewport's scrollTop and delegating the actual\n   * scrolling to `onScroll`, this event needs to be attached manually by the consumer of\n   * `Viewport`.\n   * @param ev The mouse wheel event.\n   */\n  public onWheel(ev: WheelEvent) {\n    if (ev.deltaY === 0) {\n      // Do nothing if it's not a vertical scroll event\n      return;\n    }\n    // Fallback to WheelEvent.DOM_DELTA_PIXEL\n    let multiplier = 1;\n    if (ev.deltaMode === WheelEvent.DOM_DELTA_LINE) {\n      multiplier = this.currentRowHeight;\n    } else if (ev.deltaMode === WheelEvent.DOM_DELTA_PAGE) {\n      multiplier = this.currentRowHeight * this.terminal.rows;\n    }\n    this.viewportElement.scrollTop += ev.deltaY * multiplier;\n    // Prevent the page from scrolling when the terminal scrolls\n    ev.preventDefault();\n  };\n\n  /**\n   * Handles the touchstart event, recording the touch occurred.\n   * @param ev The touch event.\n   */\n  public onTouchStart(ev: TouchEvent) {\n    this.lastTouchY = ev.touches[0].pageY;\n  };\n\n  /**\n   * Handles the touchmove event, scrolling the viewport if the position shifted.\n   * @param ev The touch event.\n   */\n  public onTouchMove(ev: TouchEvent) {\n    let deltaY = this.lastTouchY - ev.touches[0].pageY;\n    this.lastTouchY = ev.touches[0].pageY;\n    if (deltaY === 0) {\n      return;\n    }\n    this.viewportElement.scrollTop += deltaY;\n    ev.preventDefault();\n  };\n}\n","/**\n * @license MIT\n */\n\nimport { ITerminal } from './Interfaces';\n\n/**\n * Represents a selection within the buffer. This model only cares about column\n * and row coordinates, not wide characters.\n */\nexport class SelectionModel {\n  /**\n   * Whether select all is currently active.\n   */\n  public isSelectAllActive: boolean;\n\n  /**\n   * The [x, y] position the selection starts at.\n   */\n  public selectionStart: [number, number];\n\n  /**\n   * The minimal length of the selection from the start position. When double\n   * clicking on a word, the word will be selected which makes the selection\n   * start at the start of the word and makes this variable the length.\n   */\n  public selectionStartLength: number;\n\n  /**\n   * The [x, y] position the selection ends at.\n   */\n  public selectionEnd: [number, number];\n\n  constructor(\n    private _terminal: ITerminal\n  ) {\n    this.clearSelection();\n  }\n\n  /**\n   * Clears the current selection.\n   */\n  public clearSelection(): void {\n    this.selectionStart = null;\n    this.selectionEnd = null;\n    this.isSelectAllActive = false;\n    this.selectionStartLength = 0;\n  }\n\n  /**\n   * The final selection start, taking into consideration select all.\n   */\n  public get finalSelectionStart(): [number, number] {\n    if (this.isSelectAllActive) {\n      return [0, 0];\n    }\n\n    if (!this.selectionEnd || !this.selectionStart) {\n      return this.selectionStart;\n    }\n\n    return this.areSelectionValuesReversed() ? this.selectionEnd : this.selectionStart;\n  }\n\n  /**\n   * The final selection end, taking into consideration select all, double click\n   * word selection and triple click line selection.\n   */\n  public get finalSelectionEnd(): [number, number] {\n    if (this.isSelectAllActive) {\n      return [this._terminal.cols, this._terminal.buffer.ybase + this._terminal.rows - 1];\n    }\n\n    if (!this.selectionStart) {\n      return null;\n    }\n\n    // Use the selection start if the end doesn't exist or they're reversed\n    if (!this.selectionEnd || this.areSelectionValuesReversed()) {\n      return [this.selectionStart[0] + this.selectionStartLength, this.selectionStart[1]];\n    }\n\n    // Ensure the the word/line is selected after a double/triple click\n    if (this.selectionStartLength) {\n      // Select the larger of the two when start and end are on the same line\n      if (this.selectionEnd[1] === this.selectionStart[1]) {\n        return [Math.max(this.selectionStart[0] + this.selectionStartLength, this.selectionEnd[0]), this.selectionEnd[1]];\n      }\n    }\n    return this.selectionEnd;\n  }\n\n  /**\n   * Returns whether the selection start and end are reversed.\n   */\n  public areSelectionValuesReversed(): boolean {\n    const start = this.selectionStart;\n    const end = this.selectionEnd;\n    return start[1] > end[1] || (start[1] === end[1] && start[0] > end[0]);\n  }\n\n  /**\n   * Handle the buffer being trimmed, adjust the selection position.\n   * @param amount The amount the buffer is being trimmed.\n   * @return Whether a refresh is necessary.\n   */\n  public onTrim(amount: number): boolean {\n    // Adjust the selection position based on the trimmed amount.\n    if (this.selectionStart) {\n      this.selectionStart[1] -= amount;\n    }\n    if (this.selectionEnd) {\n      this.selectionEnd[1] -= amount;\n    }\n\n    // The selection has moved off the buffer, clear it.\n    if (this.selectionEnd && this.selectionEnd[1] < 0) {\n      this.clearSelection();\n      return true;\n    }\n\n    // If the selection start is trimmed, ensure the start column is 0.\n    if (this.selectionStart && this.selectionStart[1] < 0) {\n      this.selectionStart[1] = 0;\n    }\n    return false;\n  }\n}\n","/**\n * @license MIT\n */\n\nimport * as Mouse from './utils/Mouse';\nimport * as Browser from './utils/Browser';\nimport { CharMeasure } from './utils/CharMeasure';\nimport { CircularList } from './utils/CircularList';\nimport { EventEmitter } from './EventEmitter';\nimport { ITerminal, ICircularList } from './Interfaces';\nimport { SelectionModel } from './SelectionModel';\nimport { translateBufferLineToString } from './utils/BufferLine';\n\n/**\n * The number of pixels the mouse needs to be above or below the viewport in\n * order to scroll at the maximum speed.\n */\nconst DRAG_SCROLL_MAX_THRESHOLD = 50;\n\n/**\n * The maximum scrolling speed\n */\nconst DRAG_SCROLL_MAX_SPEED = 15;\n\n/**\n * The number of milliseconds between drag scroll updates.\n */\nconst DRAG_SCROLL_INTERVAL = 50;\n\n/**\n * A string containing all characters that are considered word separated by the\n * double click to select work logic.\n */\nconst WORD_SEPARATORS = ' ()[]{}\\'\"';\n\n// TODO: Move these constants elsewhere, they belong in a buffer or buffer\n//       data/line class.\nconst LINE_DATA_CHAR_INDEX = 1;\nconst LINE_DATA_WIDTH_INDEX = 2;\n\nconst NON_BREAKING_SPACE_CHAR = String.fromCharCode(160);\nconst ALL_NON_BREAKING_SPACE_REGEX = new RegExp(NON_BREAKING_SPACE_CHAR, 'g');\n\n/**\n * Represents a position of a word on a line.\n */\ninterface IWordPosition {\n  start: number;\n  length: number;\n}\n\n/**\n * A selection mode, this drives how the selection behaves on mouse move.\n */\nenum SelectionMode {\n  NORMAL,\n  WORD,\n  LINE\n}\n\n/**\n * A class that manages the selection of the terminal. With help from\n * SelectionModel, SelectionManager handles with all logic associated with\n * dealing with the selection, including handling mouse interaction, wide\n * characters and fetching the actual text within the selection. Rendering is\n * not handled by the SelectionManager but a 'refresh' event is fired when the\n * selection is ready to be redrawn.\n */\nexport class SelectionManager extends EventEmitter {\n  protected _model: SelectionModel;\n\n  /**\n   * The amount to scroll every drag scroll update (depends on how far the mouse\n   * drag is above or below the terminal).\n   */\n  private _dragScrollAmount: number;\n\n  /**\n   * The current selection mode.\n   */\n  private _activeSelectionMode: SelectionMode;\n\n  /**\n   * A setInterval timer that is active while the mouse is down whose callback\n   * scrolls the viewport when necessary.\n   */\n  private _dragScrollIntervalTimer: NodeJS.Timer;\n\n  /**\n   * The animation frame ID used for refreshing the selection.\n   */\n  private _refreshAnimationFrame: number;\n\n  /**\n   * Whether selection is enabled.\n   */\n  private _enabled = true;\n\n  private _mouseMoveListener: EventListener;\n  private _mouseUpListener: EventListener;\n\n  constructor(\n    private _terminal: ITerminal,\n    private _buffer: ICircularList<[number, string, number][]>,\n    private _rowContainer: HTMLElement,\n    private _charMeasure: CharMeasure\n  ) {\n    super();\n    this._initListeners();\n    this.enable();\n\n    this._model = new SelectionModel(_terminal);\n    this._activeSelectionMode = SelectionMode.NORMAL;\n  }\n\n  /**\n   * Initializes listener variables.\n   */\n  private _initListeners() {\n    this._mouseMoveListener = event => this._onMouseMove(<MouseEvent>event);\n    this._mouseUpListener = event => this._onMouseUp(<MouseEvent>event);\n\n    this._rowContainer.addEventListener('mousedown', event => this._onMouseDown(<MouseEvent>event));\n\n    // Only adjust the selection on trim, shiftElements is rarely used (only in\n    // reverseIndex) and delete in a splice is only ever used when the same\n    // number of elements was just added. Given this is could actually be\n    // beneficial to leave the selection as is for these cases.\n    this._buffer.on('trim', (amount: number) => this._onTrim(amount));\n  }\n\n  /**\n   * Disables the selection manager. This is useful for when terminal mouse\n   * are enabled.\n   */\n  public disable() {\n    this.clearSelection();\n    this._enabled = false;\n  }\n\n  /**\n   * Enable the selection manager.\n   */\n  public enable() {\n    this._enabled = true;\n  }\n\n  /**\n   * Sets the active buffer, this should be called when the alt buffer is\n   * switched in or out.\n   * @param buffer The active buffer.\n   */\n  public setBuffer(buffer: ICircularList<[number, string, number][]>): void {\n    this._buffer = buffer;\n    this.clearSelection();\n  }\n\n  public get selectionStart(): [number, number] { return this._model.finalSelectionStart; }\n  public get selectionEnd(): [number, number] { return this._model.finalSelectionEnd; }\n\n  /**\n   * Gets whether there is an active text selection.\n   */\n  public get hasSelection(): boolean {\n    const start = this._model.finalSelectionStart;\n    const end = this._model.finalSelectionEnd;\n    if (!start || !end) {\n      return false;\n    }\n    return start[0] !== end[0] || start[1] !== end[1];\n  }\n\n  /**\n   * Gets the text currently selected.\n   */\n  public get selectionText(): string {\n    const start = this._model.finalSelectionStart;\n    const end = this._model.finalSelectionEnd;\n    if (!start || !end) {\n      return '';\n    }\n\n    // Get first row\n    const startRowEndCol = start[1] === end[1] ? end[0] : null;\n    let result: string[] = [];\n    result.push(translateBufferLineToString(this._buffer.get(start[1]), true, start[0], startRowEndCol));\n\n    // Get middle rows\n    for (let i = start[1] + 1; i <= end[1] - 1; i++) {\n      const bufferLine = this._buffer.get(i);\n      const lineText = translateBufferLineToString(bufferLine, true);\n      if ((<any>bufferLine).isWrapped) {\n        result[result.length - 1] += lineText;\n      } else {\n        result.push(lineText);\n      }\n    }\n\n    // Get final row\n    if (start[1] !== end[1]) {\n      const bufferLine = this._buffer.get(end[1]);\n      const lineText = translateBufferLineToString(bufferLine, true, 0, end[0]);\n      if ((<any>bufferLine).isWrapped) {\n        result[result.length - 1] += lineText;\n      } else {\n        result.push(lineText);\n      }\n    }\n\n    // Format string by replacing non-breaking space chars with regular spaces\n    // and joining the array into a multi-line string.\n    const formattedResult = result.map(line => {\n      return line.replace(ALL_NON_BREAKING_SPACE_REGEX, ' ');\n    }).join(Browser.isMSWindows ? '\\r\\n' : '\\n');\n\n    return formattedResult;\n  }\n\n  /**\n   * Clears the current terminal selection.\n   */\n  public clearSelection(): void {\n    this._model.clearSelection();\n    this._removeMouseDownListeners();\n    this.refresh();\n  }\n\n  /**\n   * Queues a refresh, redrawing the selection on the next opportunity.\n   * @param isNewSelection Whether the selection should be registered as a new\n   * selection on Linux.\n   */\n  public refresh(isNewSelection?: boolean): void {\n    // Queue the refresh for the renderer\n    if (!this._refreshAnimationFrame) {\n      this._refreshAnimationFrame = window.requestAnimationFrame(() => this._refresh());\n    }\n\n    // If the platform is Linux and the refresh call comes from a mouse event,\n    // we need to update the selection for middle click to paste selection.\n    if (Browser.isLinux && isNewSelection) {\n      const selectionText = this.selectionText;\n      if (selectionText.length) {\n        this.emit('newselection', this.selectionText);\n      }\n    }\n  }\n\n  /**\n   * Fires the refresh event, causing consumers to pick it up and redraw the\n   * selection state.\n   */\n  private _refresh(): void {\n    this._refreshAnimationFrame = null;\n    this.emit('refresh', { start: this._model.finalSelectionStart, end: this._model.finalSelectionEnd });\n  }\n\n  /**\n   * Selects all text within the terminal.\n   */\n  public selectAll(): void {\n    this._model.isSelectAllActive = true;\n    this.refresh();\n  }\n\n  /**\n   * Handle the buffer being trimmed, adjust the selection position.\n   * @param amount The amount the buffer is being trimmed.\n   */\n  private _onTrim(amount: number) {\n    const needsRefresh = this._model.onTrim(amount);\n    if (needsRefresh) {\n      this.refresh();\n    }\n  }\n\n  /**\n   * Gets the 0-based [x, y] buffer coordinates of the current mouse event.\n   * @param event The mouse event.\n   */\n  private _getMouseBufferCoords(event: MouseEvent): [number, number] {\n    const coords = Mouse.getCoords(event, this._rowContainer, this._charMeasure, this._terminal.cols, this._terminal.rows, true);\n    if (!coords) {\n      return null;\n    }\n\n    // Convert to 0-based\n    coords[0]--;\n    coords[1]--;\n    // Convert viewport coords to buffer coords\n    coords[1] += this._terminal.buffer.ydisp;\n    return coords;\n  }\n\n  /**\n   * Gets the amount the viewport should be scrolled based on how far out of the\n   * terminal the mouse is.\n   * @param event The mouse event.\n   */\n  private _getMouseEventScrollAmount(event: MouseEvent): number {\n    let offset = Mouse.getCoordsRelativeToElement(event, this._rowContainer)[1];\n    const terminalHeight = this._terminal.rows * this._charMeasure.height;\n    if (offset >= 0 && offset <= terminalHeight) {\n      return 0;\n    }\n    if (offset > terminalHeight) {\n      offset -= terminalHeight;\n    }\n\n    offset = Math.min(Math.max(offset, -DRAG_SCROLL_MAX_THRESHOLD), DRAG_SCROLL_MAX_THRESHOLD);\n    offset /= DRAG_SCROLL_MAX_THRESHOLD;\n    return (offset / Math.abs(offset)) + Math.round(offset * (DRAG_SCROLL_MAX_SPEED - 1));\n  }\n\n  /**\n   * Handles te mousedown event, setting up for a new selection.\n   * @param event The mousedown event.\n   */\n  private _onMouseDown(event: MouseEvent) {\n    // If we have selection, we want the context menu on right click even if the\n    // terminal is in mouse mode.\n    if (event.button === 2 && this.hasSelection) {\n      event.stopPropagation();\n      return;\n    }\n\n    // Only action the primary button\n    if (event.button !== 0) {\n      return;\n    }\n\n    // Allow selection when using a specific modifier key, even when disabled\n    if (!this._enabled) {\n      const shouldForceSelection = Browser.isMac && event.altKey;\n\n      if (!shouldForceSelection) {\n        return;\n      }\n\n      // Don't send the mouse down event to the current process, we want to select\n      event.stopPropagation();\n    }\n\n    // Tell the browser not to start a regular selection\n    event.preventDefault();\n\n    // Reset drag scroll state\n    this._dragScrollAmount = 0;\n\n    if (this._enabled && event.shiftKey) {\n      this._onIncrementalClick(event);\n    } else {\n      if (event.detail === 1) {\n        this._onSingleClick(event);\n      } else if (event.detail === 2) {\n        this._onDoubleClick(event);\n      } else if (event.detail === 3) {\n        this._onTripleClick(event);\n      }\n    }\n\n    this._addMouseDownListeners();\n    this.refresh(true);\n  }\n\n  /**\n   * Adds listeners when mousedown is triggered.\n   */\n  private _addMouseDownListeners(): void {\n    // Listen on the document so that dragging outside of viewport works\n    this._rowContainer.ownerDocument.addEventListener('mousemove', this._mouseMoveListener);\n    this._rowContainer.ownerDocument.addEventListener('mouseup', this._mouseUpListener);\n    this._dragScrollIntervalTimer = setInterval(() => this._dragScroll(), DRAG_SCROLL_INTERVAL);\n  }\n\n  /**\n   * Removes the listeners that are registered when mousedown is triggered.\n   */\n  private _removeMouseDownListeners(): void {\n    this._rowContainer.ownerDocument.removeEventListener('mousemove', this._mouseMoveListener);\n    this._rowContainer.ownerDocument.removeEventListener('mouseup', this._mouseUpListener);\n    clearInterval(this._dragScrollIntervalTimer);\n    this._dragScrollIntervalTimer = null;\n  }\n\n  /**\n   * Performs an incremental click, setting the selection end position to the mouse\n   * position.\n   * @param event The mouse event.\n   */\n  private _onIncrementalClick(event: MouseEvent): void {\n    if (this._model.selectionStart) {\n      this._model.selectionEnd = this._getMouseBufferCoords(event);\n    }\n  }\n\n  /**\n   * Performs a single click, resetting relevant state and setting the selection\n   * start position.\n   * @param event The mouse event.\n   */\n  private _onSingleClick(event: MouseEvent): void {\n    this._model.selectionStartLength = 0;\n    this._model.isSelectAllActive = false;\n    this._activeSelectionMode = SelectionMode.NORMAL;\n\n    // Initialize the new selection\n    this._model.selectionStart = this._getMouseBufferCoords(event);\n    if (!this._model.selectionStart) {\n      return;\n    }\n    this._model.selectionEnd = null;\n\n    // Ensure the line exists\n    const line = this._buffer.get(this._model.selectionStart[1]);\n    if (!line) {\n      return;\n    }\n\n    // If the mouse is over the second half of a wide character, adjust the\n    // selection to cover the whole character\n    const char = line[this._model.selectionStart[0]];\n    if (char[LINE_DATA_WIDTH_INDEX] === 0) {\n      this._model.selectionStart[0]++;\n    }\n  }\n\n  /**\n   * Performs a double click, selecting the current work.\n   * @param event The mouse event.\n   */\n  private _onDoubleClick(event: MouseEvent): void {\n    const coords = this._getMouseBufferCoords(event);\n    if (coords) {\n      this._activeSelectionMode = SelectionMode.WORD;\n      this._selectWordAt(coords);\n    }\n  }\n\n  /**\n   * Performs a triple click, selecting the current line and activating line\n   * select mode.\n   * @param event The mouse event.\n   */\n  private _onTripleClick(event: MouseEvent): void {\n    const coords = this._getMouseBufferCoords(event);\n    if (coords) {\n      this._activeSelectionMode = SelectionMode.LINE;\n      this._selectLineAt(coords[1]);\n    }\n  }\n\n  /**\n   * Handles the mousemove event when the mouse button is down, recording the\n   * end of the selection and refreshing the selection.\n   * @param event The mousemove event.\n   */\n  private _onMouseMove(event: MouseEvent) {\n    // Record the previous position so we know whether to redraw the selection\n    // at the end.\n    const previousSelectionEnd = this._model.selectionEnd ? [this._model.selectionEnd[0], this._model.selectionEnd[1]] : null;\n\n    // Set the initial selection end based on the mouse coordinates\n    this._model.selectionEnd = this._getMouseBufferCoords(event);\n    if (!this._model.selectionEnd) {\n      this.refresh(true);\n      return;\n    }\n\n    // Select the entire line if line select mode is active.\n    if (this._activeSelectionMode === SelectionMode.LINE) {\n      if (this._model.selectionEnd[1] < this._model.selectionStart[1]) {\n        this._model.selectionEnd[0] = 0;\n      } else {\n        this._model.selectionEnd[0] = this._terminal.cols;\n      }\n    } else if (this._activeSelectionMode === SelectionMode.WORD) {\n      this._selectToWordAt(this._model.selectionEnd);\n    }\n\n    // Determine the amount of scrolling that will happen.\n    this._dragScrollAmount = this._getMouseEventScrollAmount(event);\n\n    // If the cursor was above or below the viewport, make sure it's at the\n    // start or end of the viewport respectively.\n    if (this._dragScrollAmount > 0) {\n      this._model.selectionEnd[0] = this._terminal.cols - 1;\n    } else if (this._dragScrollAmount < 0) {\n      this._model.selectionEnd[0] = 0;\n    }\n\n    // If the character is a wide character include the cell to the right in the\n    // selection. Note that selections at the very end of the line will never\n    // have a character.\n    if (this._model.selectionEnd[1] < this._buffer.length) {\n      const char = this._buffer.get(this._model.selectionEnd[1])[this._model.selectionEnd[0]];\n      if (char && char[2] === 0) {\n        this._model.selectionEnd[0]++;\n      }\n    }\n\n    // Only draw here if the selection changes.\n    if (!previousSelectionEnd ||\n      previousSelectionEnd[0] !== this._model.selectionEnd[0] ||\n      previousSelectionEnd[1] !== this._model.selectionEnd[1]) {\n      this.refresh(true);\n    }\n  }\n\n  /**\n   * The callback that occurs every DRAG_SCROLL_INTERVAL ms that does the\n   * scrolling of the viewport.\n   */\n  private _dragScroll() {\n    if (this._dragScrollAmount) {\n      this._terminal.scrollDisp(this._dragScrollAmount, false);\n      // Re-evaluate selection\n      if (this._dragScrollAmount > 0) {\n        this._model.selectionEnd = [this._terminal.cols - 1, this._terminal.buffer.ydisp + this._terminal.rows];\n      } else {\n        this._model.selectionEnd = [0, this._terminal.buffer.ydisp];\n      }\n      this.refresh();\n    }\n  }\n\n  /**\n   * Handles the mouseup event, removing the mousedown listeners.\n   * @param event The mouseup event.\n   */\n  private _onMouseUp(event: MouseEvent) {\n    this._removeMouseDownListeners();\n  }\n\n  /**\n   * Converts a viewport column to the character index on the buffer line, the\n   * latter takes into account wide characters.\n   * @param coords The coordinates to find the 2 index for.\n   */\n  private _convertViewportColToCharacterIndex(bufferLine: any, coords: [number, number]): number {\n    let charIndex = coords[0];\n    for (let i = 0; coords[0] >= i; i++) {\n      const char = bufferLine[i];\n      if (char[LINE_DATA_WIDTH_INDEX] === 0) {\n        charIndex--;\n      }\n    }\n    return charIndex;\n  }\n\n  public setSelection(col: number, row: number, length: number): void {\n    this._model.clearSelection();\n    this._removeMouseDownListeners();\n    this._model.selectionStart = [col, row];\n    this._model.selectionStartLength = length;\n    this.refresh();\n  }\n\n  /**\n   * Gets positional information for the word at the coordinated specified.\n   * @param coords The coordinates to get the word at.\n   */\n  private _getWordAt(coords: [number, number]): IWordPosition {\n    const bufferLine = this._buffer.get(coords[1]);\n    if (!bufferLine) {\n      return null;\n    }\n\n    const line = translateBufferLineToString(bufferLine, false);\n\n    // Get actual index, taking into consideration wide characters\n    let endIndex = this._convertViewportColToCharacterIndex(bufferLine, coords);\n    let startIndex = endIndex;\n\n    // Record offset to be used later\n    const charOffset = coords[0] - startIndex;\n    let leftWideCharCount = 0;\n    let rightWideCharCount = 0;\n\n    if (line.charAt(startIndex) === ' ') {\n      // Expand until non-whitespace is hit\n      while (startIndex > 0 && line.charAt(startIndex - 1) === ' ') {\n        startIndex--;\n      }\n      while (endIndex < line.length && line.charAt(endIndex + 1) === ' ') {\n        endIndex++;\n      }\n    } else {\n      // Expand until whitespace is hit. This algorithm works by scanning left\n      // and right from the starting position, keeping both the index format\n      // (line) and the column format (bufferLine) in sync. When a wide\n      // character is hit, it is recorded and the column index is adjusted.\n      let startCol = coords[0];\n      let endCol = coords[0];\n      // Consider the initial position, skip it and increment the wide char\n      // variable\n      if (bufferLine[startCol][LINE_DATA_WIDTH_INDEX] === 0) {\n        leftWideCharCount++;\n        startCol--;\n      }\n      if (bufferLine[endCol][LINE_DATA_WIDTH_INDEX] === 2) {\n        rightWideCharCount++;\n        endCol++;\n      }\n      // Expand the string in both directions until a space is hit\n      while (startIndex > 0 && !this._isCharWordSeparator(line.charAt(startIndex - 1))) {\n        if (bufferLine[startCol - 1][LINE_DATA_WIDTH_INDEX] === 0) {\n          // If the next character is a wide char, record it and skip the column\n          leftWideCharCount++;\n          startCol--;\n        }\n        startIndex--;\n        startCol--;\n      }\n      while (endIndex + 1 < line.length && !this._isCharWordSeparator(line.charAt(endIndex + 1))) {\n        if (bufferLine[endCol + 1][LINE_DATA_WIDTH_INDEX] === 2) {\n          // If the next character is a wide char, record it and skip the column\n          rightWideCharCount++;\n          endCol++;\n        }\n        endIndex++;\n        endCol++;\n      }\n    }\n\n    const start = startIndex + charOffset - leftWideCharCount;\n    const length = Math.min(endIndex - startIndex + leftWideCharCount + rightWideCharCount + 1/*include endIndex char*/, this._terminal.cols);\n    return { start, length };\n  }\n\n  /**\n   * Selects the word at the coordinates specified.\n   * @param coords The coordinates to get the word at.\n   */\n  protected _selectWordAt(coords: [number, number]): void {\n    const wordPosition = this._getWordAt(coords);\n    if (wordPosition) {\n      this._model.selectionStart = [wordPosition.start, coords[1]];\n      this._model.selectionStartLength = wordPosition.length;\n    }\n  }\n\n  /**\n   * Sets the selection end to the word at the coordinated specified.\n   * @param coords The coordinates to get the word at.\n   */\n  private _selectToWordAt(coords: [number, number]): void {\n    const wordPosition = this._getWordAt(coords);\n    if (wordPosition) {\n      this._model.selectionEnd = [this._model.areSelectionValuesReversed() ? wordPosition.start : (wordPosition.start + wordPosition.length), coords[1]];\n    }\n  }\n\n  /**\n   * Gets whether the character is considered a word separator by the select\n   * word logic.\n   * @param char The character to check.\n   */\n  private _isCharWordSeparator(char: string): boolean {\n    return WORD_SEPARATORS.indexOf(char) >= 0;\n  }\n\n  /**\n   * Selects the line specified.\n   * @param line The line index.\n   */\n  protected _selectLineAt(line: number): void {\n    this._model.selectionStart = [0, line];\n    this._model.selectionStartLength = this._terminal.cols;\n  }\n}\n","/**\n * @license MIT\n */\n\nimport { ITerminal } from './Interfaces';\nimport { DomElementObjectPool } from './utils/DomElementObjectPool';\n\n/**\n * The maximum number of refresh frames to skip when the write buffer is non-\n * empty. Note that these frames may be intermingled with frames that are\n * skipped via requestAnimationFrame's mechanism.\n */\nconst MAX_REFRESH_FRAME_SKIP = 5;\n\n/**\n * Flags used to render terminal text properly.\n */\nenum FLAGS {\n  BOLD = 1,\n  UNDERLINE = 2,\n  BLINK = 4,\n  INVERSE = 8,\n  INVISIBLE = 16\n};\n\nlet brokenBold: boolean = null;\n\nexport class Renderer {\n  /** A queue of the rows to be refreshed */\n  private _refreshRowsQueue: {start: number, end: number}[] = [];\n  private _refreshFramesSkipped = 0;\n  private _refreshAnimationFrame = null;\n\n  private _spanElementObjectPool = new DomElementObjectPool('span');\n\n  constructor(private _terminal: ITerminal) {\n    // Figure out whether boldness affects\n    // the character width of monospace fonts.\n    if (brokenBold === null) {\n      brokenBold = checkBoldBroken((<any>this._terminal).element);\n    }\n    this._spanElementObjectPool = new DomElementObjectPool('span');\n\n    // TODO: Pull more DOM interactions into Renderer.constructor, element for\n    // example should be owned by Renderer (and also exposed by Terminal due to\n    // to established public API).\n  }\n\n  /**\n   * Queues a refresh between two rows (inclusive), to be done on next animation\n   * frame.\n   * @param {number} start The start row.\n   * @param {number} end The end row.\n   */\n  public queueRefresh(start: number, end: number): void {\n    this._refreshRowsQueue.push({ start: start, end: end });\n    if (!this._refreshAnimationFrame) {\n      this._refreshAnimationFrame = window.requestAnimationFrame(this._refreshLoop.bind(this));\n    }\n  }\n\n  /**\n   * Performs the refresh loop callback, calling refresh only if a refresh is\n   * necessary before queueing up the next one.\n   */\n  private _refreshLoop(): void {\n    // Skip MAX_REFRESH_FRAME_SKIP frames if the writeBuffer is non-empty as it\n    // will need to be immediately refreshed anyway. This saves a lot of\n    // rendering time as the viewport DOM does not need to be refreshed, no\n    // scroll events, no layouts, etc.\n    const skipFrame = this._terminal.writeBuffer.length > 0 && this._refreshFramesSkipped++ <= MAX_REFRESH_FRAME_SKIP;\n    if (skipFrame) {\n      this._refreshAnimationFrame = window.requestAnimationFrame(this._refreshLoop.bind(this));\n      return;\n    }\n\n    this._refreshFramesSkipped = 0;\n    let start;\n    let end;\n    if (this._refreshRowsQueue.length > 4) {\n      // Just do a full refresh when 5+ refreshes are queued\n      start = 0;\n      end = this._terminal.rows - 1;\n    } else {\n      // Get start and end rows that need refreshing\n      start = this._refreshRowsQueue[0].start;\n      end = this._refreshRowsQueue[0].end;\n      for (let i = 1; i < this._refreshRowsQueue.length; i++) {\n        if (this._refreshRowsQueue[i].start < start) {\n          start = this._refreshRowsQueue[i].start;\n        }\n        if (this._refreshRowsQueue[i].end > end) {\n          end = this._refreshRowsQueue[i].end;\n        }\n      }\n    }\n    this._refreshRowsQueue = [];\n    this._refreshAnimationFrame = null;\n    this._refresh(start, end);\n  }\n\n  /**\n   * Refreshes (re-renders) terminal content within two rows (inclusive)\n   *\n   * Rendering Engine:\n   *\n   * In the screen buffer, each character is stored as a an array with a character\n   * and a 32-bit integer:\n   *   - First value: a utf-16 character.\n   *   - Second value:\n   *   - Next 9 bits: background color (0-511).\n   *   - Next 9 bits: foreground color (0-511).\n   *   - Next 14 bits: a mask for misc. flags:\n   *     - 1=bold\n   *     - 2=underline\n   *     - 4=blink\n   *     - 8=inverse\n   *     - 16=invisible\n   *\n   * @param {number} start The row to start from (between 0 and terminal's height terminal - 1)\n   * @param {number} end The row to end at (between fromRow and terminal's height terminal - 1)\n   */\n  private _refresh(start: number, end: number): void {\n    // If this is a big refresh, remove the terminal rows from the DOM for faster calculations\n    let parent;\n    if (end - start >= this._terminal.rows / 2) {\n      parent = this._terminal.element.parentNode;\n      if (parent) {\n        this._terminal.element.removeChild(this._terminal.rowContainer);\n      }\n    }\n\n    let width = this._terminal.cols;\n    let y = start;\n\n    if (end >= this._terminal.rows) {\n      this._terminal.log('`end` is too large. Most likely a bad CSR.');\n      end = this._terminal.rows - 1;\n    }\n\n    for (; y <= end; y++) {\n      let row = y + this._terminal.buffer.ydisp;\n\n      let line = this._terminal.buffer.lines.get(row);\n\n      let x;\n      if (this._terminal.buffer.y === y - (this._terminal.buffer.ybase - this._terminal.buffer.ydisp) &&\n          this._terminal.cursorState &&\n          !this._terminal.cursorHidden) {\n        x = this._terminal.buffer.x;\n      } else {\n        x = -1;\n      }\n\n      let attr = this._terminal.defAttr;\n\n      const documentFragment = document.createDocumentFragment();\n      let innerHTML = '';\n      let currentElement;\n\n      // Return the row's spans to the pool\n      while (this._terminal.children[y].children.length) {\n        const child = this._terminal.children[y].children[0];\n        this._terminal.children[y].removeChild(child);\n        this._spanElementObjectPool.release(<HTMLElement>child);\n      }\n\n      for (let i = 0; i < width; i++) {\n        // TODO: Could data be a more specific type?\n        let data: any = line[i][0];\n        const ch = line[i][1];\n        const ch_width: any = line[i][2];\n        const isCursor: boolean = i === x;\n        if (!ch_width) {\n          continue;\n        }\n\n        if (data !== attr || isCursor) {\n          if (attr !== this._terminal.defAttr && !isCursor) {\n            if (innerHTML) {\n              currentElement.innerHTML = innerHTML;\n              innerHTML = '';\n            }\n            documentFragment.appendChild(currentElement);\n            currentElement = null;\n          }\n          if (data !== this._terminal.defAttr || isCursor) {\n            if (innerHTML && !currentElement) {\n              currentElement = this._spanElementObjectPool.acquire();\n            }\n            if (currentElement) {\n              if (innerHTML) {\n                currentElement.innerHTML = innerHTML;\n                innerHTML = '';\n              }\n              documentFragment.appendChild(currentElement);\n            }\n            currentElement = this._spanElementObjectPool.acquire();\n\n            let bg = data & 0x1ff;\n            let fg = (data >> 9) & 0x1ff;\n            let flags = data >> 18;\n\n            if (isCursor) {\n              currentElement.classList.add('reverse-video');\n              currentElement.classList.add('terminal-cursor');\n            }\n\n            if (flags & FLAGS.BOLD) {\n              if (!brokenBold) {\n                currentElement.classList.add('xterm-bold');\n              }\n              // See: XTerm*boldColors\n              if (fg < 8) {\n                fg += 8;\n              }\n            }\n\n            if (flags & FLAGS.UNDERLINE) {\n              currentElement.classList.add('xterm-underline');\n            }\n\n            if (flags & FLAGS.BLINK) {\n              currentElement.classList.add('xterm-blink');\n            }\n\n            // If inverse flag is on, then swap the foreground and background variables.\n            if (flags & FLAGS.INVERSE) {\n              let temp = bg;\n              bg = fg;\n              fg = temp;\n              // Should inverse just be before the above boldColors effect instead?\n              if ((flags & 1) && fg < 8) {\n                fg += 8;\n              }\n            }\n\n            if (flags & FLAGS.INVISIBLE && !isCursor) {\n              currentElement.classList.add('xterm-hidden');\n            }\n\n            /**\n             * Weird situation: Invert flag used black foreground and white background results\n             * in invalid background color, positioned at the 256 index of the 256 terminal\n             * color map. Pin the colors manually in such a case.\n             *\n             * Source: https://github.com/sourcelair/xterm.js/issues/57\n             */\n            if (flags & FLAGS.INVERSE) {\n              if (bg === 257) {\n                bg = 15;\n              }\n              if (fg === 256) {\n                fg = 0;\n              }\n            }\n\n            if (bg < 256) {\n              currentElement.classList.add(`xterm-bg-color-${bg}`);\n            }\n\n            if (fg < 256) {\n              currentElement.classList.add(`xterm-color-${fg}`);\n            }\n\n          }\n        }\n\n        if (ch_width === 2) {\n          // Wrap wide characters so they're sized correctly. It's more difficult to release these\n          // from the object pool so just create new ones via innerHTML.\n          innerHTML += `<span class=\"xterm-wide-char\">${ch}</span>`;\n        } else if (ch.charCodeAt(0) > 255) {\n          // Wrap any non-wide unicode character as some fonts size them badly\n          innerHTML += `<span class=\"xterm-normal-char\">${ch}</span>`;\n        } else {\n          switch (ch) {\n            case '&':\n              innerHTML += '&amp;';\n              break;\n            case '<':\n              innerHTML += '&lt;';\n              break;\n            case '>':\n              innerHTML += '&gt;';\n              break;\n            default:\n              if (ch <= ' ') {\n                innerHTML += '&nbsp;';\n              } else {\n                innerHTML += ch;\n              }\n              break;\n          }\n        }\n\n        // The cursor needs its own element, therefore we set attr to -1\n        // which will cause the next character to be rendered in a new element\n        attr = isCursor ? -1 : data;\n\n      }\n\n      if (innerHTML && !currentElement) {\n        currentElement = this._spanElementObjectPool.acquire();\n      }\n      if (currentElement) {\n        if (innerHTML) {\n          currentElement.innerHTML = innerHTML;\n          innerHTML = '';\n        }\n        documentFragment.appendChild(currentElement);\n        currentElement = null;\n      }\n\n      this._terminal.children[y].appendChild(documentFragment);\n    }\n\n    if (parent) {\n      this._terminal.element.appendChild(this._terminal.rowContainer);\n    }\n\n    this._terminal.emit('refresh', {element: this._terminal.element, start: start, end: end});\n  };\n\n  /**\n   * Refreshes the selection in the DOM.\n   * @param start The selection start.\n   * @param end The selection end.\n   */\n  public refreshSelection(start: [number, number], end: [number, number]) {\n    // Remove all selections\n    while (this._terminal.selectionContainer.children.length) {\n      this._terminal.selectionContainer.removeChild(this._terminal.selectionContainer.children[0]);\n    }\n\n    // Selection does not exist\n    if (!start || !end) {\n      return;\n    }\n\n    // Translate from buffer position to viewport position\n    const viewportStartRow = start[1] - this._terminal.buffer.ydisp;\n    const viewportEndRow = end[1] - this._terminal.buffer.ydisp;\n    const viewportCappedStartRow = Math.max(viewportStartRow, 0);\n    const viewportCappedEndRow = Math.min(viewportEndRow, this._terminal.rows - 1);\n\n    // No need to draw the selection\n    if (viewportCappedStartRow >= this._terminal.rows || viewportCappedEndRow < 0) {\n      return;\n    }\n\n    // Create the selections\n    const documentFragment = document.createDocumentFragment();\n    // Draw first row\n    const startCol = viewportStartRow === viewportCappedStartRow ? start[0] : 0;\n    const endCol = viewportCappedStartRow === viewportCappedEndRow ? end[0] : this._terminal.cols;\n    documentFragment.appendChild(this._createSelectionElement(viewportCappedStartRow, startCol, endCol));\n    // Draw middle rows\n    const middleRowsCount = viewportCappedEndRow - viewportCappedStartRow - 1;\n    documentFragment.appendChild(this._createSelectionElement(viewportCappedStartRow + 1, 0, this._terminal.cols, middleRowsCount));\n    // Draw final row\n    if (viewportCappedStartRow !== viewportCappedEndRow) {\n      // Only draw viewportEndRow if it's not the same as viewporttartRow\n      const endCol = viewportEndRow === viewportCappedEndRow ? end[0] : this._terminal.cols;\n      documentFragment.appendChild(this._createSelectionElement(viewportCappedEndRow, 0, endCol));\n    }\n    this._terminal.selectionContainer.appendChild(documentFragment);\n  }\n\n  /**\n   * Creates a selection element at the specified position.\n   * @param row The row of the selection.\n   * @param colStart The start column.\n   * @param colEnd The end columns.\n   */\n  private _createSelectionElement(row: number, colStart: number, colEnd: number, rowCount: number = 1): HTMLElement {\n    const element = document.createElement('div');\n    element.style.height = `${rowCount * this._terminal.charMeasure.height}px`;\n    element.style.top = `${row * this._terminal.charMeasure.height}px`;\n    element.style.left = `${colStart * this._terminal.charMeasure.width}px`;\n    element.style.width = `${this._terminal.charMeasure.width * (colEnd - colStart)}px`;\n    return element;\n  }\n}\n\n\n// If bold is broken, we can't use it in the terminal.\nfunction checkBoldBroken(terminal) {\n  const document = terminal.ownerDocument;\n  const el = document.createElement('span');\n  el.innerHTML = 'hello world';\n  terminal.appendChild(el);\n  const w1 = el.offsetWidth;\n  const h1 = el.offsetHeight;\n  el.style.fontWeight = 'bold';\n  const w2 = el.offsetWidth;\n  const h2 = el.offsetHeight;\n  terminal.removeChild(el);\n  return w1 !== w2 || h1 !== h2;\n}\n","/**\n * @license MIT\n */\n\nimport { C0 } from './EscapeSequences';\nimport { IInputHandler } from './Interfaces';\nimport { CHARSETS, DEFAULT_CHARSET } from './Charsets';\n\nconst normalStateHandler: {[key: string]: (parser: Parser, handler: IInputHandler) => void} = {};\nnormalStateHandler[C0.BEL] = (parser, handler) => handler.bell();\nnormalStateHandler[C0.LF] = (parser, handler) => handler.lineFeed();\nnormalStateHandler[C0.VT] = normalStateHandler[C0.LF];\nnormalStateHandler[C0.FF] = normalStateHandler[C0.LF];\nnormalStateHandler[C0.CR] = (parser, handler) => handler.carriageReturn();\nnormalStateHandler[C0.BS] = (parser, handler) => handler.backspace();\nnormalStateHandler[C0.HT] = (parser, handler) => handler.tab();\nnormalStateHandler[C0.SO] = (parser, handler) => handler.shiftOut();\nnormalStateHandler[C0.SI] = (parser, handler) => handler.shiftIn();\nnormalStateHandler[C0.ESC] = (parser, handler) => parser.setState(ParserState.ESCAPED);\n\n// TODO: Remove terminal when parser owns params and currentParam\nconst escapedStateHandler: {[key: string]: (parser: Parser, terminal: any) => void} = {};\nescapedStateHandler['['] = (parser, terminal) => {\n  // ESC [ Control Sequence Introducer (CSI  is 0x9b)\n  terminal.params = [];\n  terminal.currentParam = 0;\n  parser.setState(ParserState.CSI_PARAM);\n};\nescapedStateHandler[']'] = (parser, terminal) => {\n  // ESC ] Operating System Command (OSC is 0x9d)\n  terminal.params = [];\n  terminal.currentParam = 0;\n  parser.setState(ParserState.OSC);\n};\nescapedStateHandler['P'] = (parser, terminal) => {\n  // ESC P Device Control String (DCS is 0x90)\n  terminal.params = [];\n  terminal.currentParam = 0;\n  parser.setState(ParserState.DCS);\n};\nescapedStateHandler['_'] = (parser, terminal) => {\n  // ESC _ Application Program Command ( APC is 0x9f).\n  parser.setState(ParserState.IGNORE);\n};\nescapedStateHandler['^'] = (parser, terminal) => {\n  // ESC ^ Privacy Message ( PM is 0x9e).\n  parser.setState(ParserState.IGNORE);\n};\nescapedStateHandler['c'] = (parser, terminal) => {\n  // ESC c Full Reset (RIS).\n  terminal.reset();\n};\nescapedStateHandler['E'] = (parser, terminal) => {\n  // ESC E Next Line ( NEL is 0x85).\n  terminal.buffer.x = 0;\n  terminal.index();\n  parser.setState(ParserState.NORMAL);\n};\nescapedStateHandler['D'] = (parser, terminal) => {\n  // ESC D Index ( IND is 0x84).\n  terminal.index();\n  parser.setState(ParserState.NORMAL);\n};\nescapedStateHandler['M'] = (parser, terminal) => {\n  // ESC M Reverse Index ( RI is 0x8d).\n  terminal.reverseIndex();\n  parser.setState(ParserState.NORMAL);\n};\nescapedStateHandler['%'] = (parser, terminal) => {\n  // ESC % Select default/utf-8 character set.\n  // @ = default, G = utf-8\n  terminal.setgLevel(0);\n  terminal.setgCharset(0, DEFAULT_CHARSET); // US (default)\n  parser.setState(ParserState.NORMAL);\n  parser.skipNextChar();\n};\nescapedStateHandler[C0.CAN] = (parser) => parser.setState(ParserState.NORMAL);\n\nconst csiParamStateHandler: {[key: string]: (parser: Parser) => void} = {};\ncsiParamStateHandler['?'] = (parser) => parser.setPrefix('?');\ncsiParamStateHandler['>'] = (parser) => parser.setPrefix('>');\ncsiParamStateHandler['!'] = (parser) => parser.setPrefix('!');\ncsiParamStateHandler['0'] = (parser) => parser.setParam(parser.getParam() * 10);\ncsiParamStateHandler['1'] = (parser) => parser.setParam(parser.getParam() * 10 + 1);\ncsiParamStateHandler['2'] = (parser) => parser.setParam(parser.getParam() * 10 + 2);\ncsiParamStateHandler['3'] = (parser) => parser.setParam(parser.getParam() * 10 + 3);\ncsiParamStateHandler['4'] = (parser) => parser.setParam(parser.getParam() * 10 + 4);\ncsiParamStateHandler['5'] = (parser) => parser.setParam(parser.getParam() * 10 + 5);\ncsiParamStateHandler['6'] = (parser) => parser.setParam(parser.getParam() * 10 + 6);\ncsiParamStateHandler['7'] = (parser) => parser.setParam(parser.getParam() * 10 + 7);\ncsiParamStateHandler['8'] = (parser) => parser.setParam(parser.getParam() * 10 + 8);\ncsiParamStateHandler['9'] = (parser) => parser.setParam(parser.getParam() * 10 + 9);\ncsiParamStateHandler['$'] = (parser) => parser.setPostfix('$');\ncsiParamStateHandler['\"'] = (parser) => parser.setPostfix('\"');\ncsiParamStateHandler[' '] = (parser) => parser.setPostfix(' ');\ncsiParamStateHandler['\\''] = (parser) => parser.setPostfix('\\'');\ncsiParamStateHandler[';'] = (parser) => parser.finalizeParam();\ncsiParamStateHandler[C0.CAN] = (parser) => parser.setState(ParserState.NORMAL);\n\nconst csiStateHandler: {[key: string]: (handler: IInputHandler, params: number[], prefix: string, postfix: string, parser: Parser) => void} = {};\ncsiStateHandler['@'] = (handler, params, prefix) => handler.insertChars(params);\ncsiStateHandler['A'] = (handler, params, prefix) => handler.cursorUp(params);\ncsiStateHandler['B'] = (handler, params, prefix) => handler.cursorDown(params);\ncsiStateHandler['C'] = (handler, params, prefix) => handler.cursorForward(params);\ncsiStateHandler['D'] = (handler, params, prefix) => handler.cursorBackward(params);\ncsiStateHandler['E'] = (handler, params, prefix) => handler.cursorNextLine(params);\ncsiStateHandler['F'] = (handler, params, prefix) => handler.cursorPrecedingLine(params);\ncsiStateHandler['G'] = (handler, params, prefix) => handler.cursorCharAbsolute(params);\ncsiStateHandler['H'] = (handler, params, prefix) => handler.cursorPosition(params);\ncsiStateHandler['I'] = (handler, params, prefix) => handler.cursorForwardTab(params);\ncsiStateHandler['J'] = (handler, params, prefix) => handler.eraseInDisplay(params);\ncsiStateHandler['K'] = (handler, params, prefix) => handler.eraseInLine(params);\ncsiStateHandler['L'] = (handler, params, prefix) => handler.insertLines(params);\ncsiStateHandler['M'] = (handler, params, prefix) => handler.deleteLines(params);\ncsiStateHandler['P'] = (handler, params, prefix) => handler.deleteChars(params);\ncsiStateHandler['S'] = (handler, params, prefix) => handler.scrollUp(params);\ncsiStateHandler['T'] = (handler, params, prefix) => {\n  if (params.length < 2 && !prefix) {\n    handler.scrollDown(params);\n  }\n};\ncsiStateHandler['X'] = (handler, params, prefix) => handler.eraseChars(params);\ncsiStateHandler['Z'] = (handler, params, prefix) => handler.cursorBackwardTab(params);\ncsiStateHandler['`'] = (handler, params, prefix) => handler.charPosAbsolute(params);\ncsiStateHandler['a'] = (handler, params, prefix) => handler.HPositionRelative(params);\ncsiStateHandler['b'] = (handler, params, prefix) => handler.repeatPrecedingCharacter(params);\ncsiStateHandler['c'] = (handler, params, prefix) => handler.sendDeviceAttributes(params);\ncsiStateHandler['d'] = (handler, params, prefix) => handler.linePosAbsolute(params);\ncsiStateHandler['e'] = (handler, params, prefix) => handler.VPositionRelative(params);\ncsiStateHandler['f'] = (handler, params, prefix) => handler.HVPosition(params);\ncsiStateHandler['g'] = (handler, params, prefix) => handler.tabClear(params);\ncsiStateHandler['h'] = (handler, params, prefix) => handler.setMode(params);\ncsiStateHandler['l'] = (handler, params, prefix) => handler.resetMode(params);\ncsiStateHandler['m'] = (handler, params, prefix) => handler.charAttributes(params);\ncsiStateHandler['n'] = (handler, params, prefix) => handler.deviceStatus(params);\ncsiStateHandler['p'] = (handler, params, prefix) => {\n  switch (prefix) {\n    case '!': handler.softReset(params); break;\n  }\n};\ncsiStateHandler['q'] = (handler, params, prefix, postfix) => {\n  if (postfix === ' ') {\n    handler.setCursorStyle(params);\n  }\n};\ncsiStateHandler['r'] = (handler, params) => handler.setScrollRegion(params);\ncsiStateHandler['s'] = (handler, params) => handler.saveCursor(params);\ncsiStateHandler['u'] = (handler, params) => handler.restoreCursor(params);\ncsiStateHandler[C0.CAN] = (handler, params, prefix, postfix, parser) => parser.setState(ParserState.NORMAL);\n\nenum ParserState {\n  NORMAL = 0,\n  ESCAPED = 1,\n  CSI_PARAM = 2,\n  CSI = 3,\n  OSC = 4,\n  CHARSET = 5,\n  DCS = 6,\n  IGNORE = 7\n}\n\n/**\n * The terminal's parser, all input into the terminal goes through the parser\n * which parses and defers the actual input handling the the IInputHandler\n * specified in the constructor.\n */\nexport class Parser {\n  private _state: ParserState;\n  private _position: number;\n\n  // TODO: Remove terminal when handler can do everything\n  constructor(\n    private _inputHandler: IInputHandler,\n    private _terminal: any\n  ) {\n    this._state = ParserState.NORMAL;\n  }\n\n  /**\n   * Parse and handle data.\n   *\n   * @param data The data to parse.\n   */\n  public parse(data: string): ParserState {\n    let l = data.length, j, cs, ch, code, low;\n\n    if (this._terminal.debug) {\n      this._terminal.log('data: ' + data);\n    }\n\n    this._position = 0;\n    // apply leftover surrogate high from last write\n    if (this._terminal.surrogate_high) {\n      data = this._terminal.surrogate_high + data;\n      this._terminal.surrogate_high = '';\n    }\n\n    for (; this._position < l; this._position++) {\n      ch = data[this._position];\n\n      // FIXME: higher chars than 0xa0 are not allowed in escape sequences\n      //        --> maybe move to default\n      code = data.charCodeAt(this._position);\n      if (0xD800 <= code && code <= 0xDBFF) {\n        // we got a surrogate high\n        // get surrogate low (next 2 bytes)\n        low = data.charCodeAt(this._position + 1);\n        if (isNaN(low)) {\n          // end of data stream, save surrogate high\n          this._terminal.surrogate_high = ch;\n          continue;\n        }\n        code = ((code - 0xD800) * 0x400) + (low - 0xDC00) + 0x10000;\n        ch += data.charAt(this._position + 1);\n      }\n      // surrogate low - already handled above\n      if (0xDC00 <= code && code <= 0xDFFF)\n        continue;\n\n      switch (this._state) {\n        case ParserState.NORMAL:\n          if (ch in normalStateHandler) {\n            normalStateHandler[ch](this, this._inputHandler);\n          } else {\n            this._inputHandler.addChar(ch, code);\n          }\n          break;\n        case ParserState.ESCAPED:\n          if (ch in escapedStateHandler) {\n            escapedStateHandler[ch](this, this._terminal);\n            // Skip switch as it was just handled\n            break;\n          }\n          switch (ch) {\n\n            // ESC (,),*,+,-,. Designate G0-G2 Character Set.\n            case '(': // <-- this seems to get all the attention\n            case ')':\n            case '*':\n            case '+':\n            case '-':\n            case '.':\n              switch (ch) {\n                case '(':\n                  this._terminal.gcharset = 0;\n                  break;\n                case ')':\n                  this._terminal.gcharset = 1;\n                  break;\n                case '*':\n                  this._terminal.gcharset = 2;\n                  break;\n                case '+':\n                  this._terminal.gcharset = 3;\n                  break;\n                case '-':\n                  this._terminal.gcharset = 1;\n                  break;\n                case '.':\n                  this._terminal.gcharset = 2;\n                  break;\n              }\n              this._state = ParserState.CHARSET;\n              break;\n\n            // Designate G3 Character Set (VT300).\n            // A = ISO Latin-1 Supplemental.\n            // Not implemented.\n            case '/':\n              this._terminal.gcharset = 3;\n              this._state = ParserState.CHARSET;\n              this._position--;\n              break;\n\n            // ESC N\n            // Single Shift Select of G2 Character Set\n            // ( SS2 is 0x8e). This affects next character only.\n            case 'N':\n              break;\n            // ESC O\n            // Single Shift Select of G3 Character Set\n            // ( SS3 is 0x8f). This affects next character only.\n            case 'O':\n              break;\n            // ESC n\n            // Invoke the G2 Character Set as GL (LS2).\n            case 'n':\n              this._terminal.setgLevel(2);\n              break;\n            // ESC o\n            // Invoke the G3 Character Set as GL (LS3).\n            case 'o':\n              this._terminal.setgLevel(3);\n              break;\n            // ESC |\n            // Invoke the G3 Character Set as GR (LS3R).\n            case '|':\n              this._terminal.setgLevel(3);\n              break;\n            // ESC }\n            // Invoke the G2 Character Set as GR (LS2R).\n            case '}':\n              this._terminal.setgLevel(2);\n              break;\n            // ESC ~\n            // Invoke the G1 Character Set as GR (LS1R).\n            case '~':\n              this._terminal.setgLevel(1);\n              break;\n\n            // ESC 7 Save Cursor (DECSC).\n            case '7':\n              this._inputHandler.saveCursor();\n              this._state = ParserState.NORMAL;\n              break;\n\n            // ESC 8 Restore Cursor (DECRC).\n            case '8':\n              this._inputHandler.restoreCursor();\n              this._state = ParserState.NORMAL;\n              break;\n\n            // ESC # 3 DEC line height/width\n            case '#':\n              this._state = ParserState.NORMAL;\n              this._position++;\n              break;\n\n            // ESC H Tab Set (HTS is 0x88).\n            case 'H':\n              this._terminal.tabSet();\n              this._state = ParserState.NORMAL;\n              break;\n\n            // ESC = Application Keypad (DECKPAM).\n            case '=':\n              this._terminal.log('Serial port requested application keypad.');\n              this._terminal.applicationKeypad = true;\n              this._terminal.viewport.syncScrollArea();\n              this._state = ParserState.NORMAL;\n              break;\n\n            // ESC > Normal Keypad (DECKPNM).\n            case '>':\n              this._terminal.log('Switching back to normal keypad.');\n              this._terminal.applicationKeypad = false;\n              this._terminal.viewport.syncScrollArea();\n              this._state = ParserState.NORMAL;\n              break;\n\n            default:\n              this._state = ParserState.NORMAL;\n              this._terminal.error('Unknown ESC control: %s.', ch);\n              break;\n          }\n          break;\n\n        case ParserState.CHARSET:\n          if (ch in CHARSETS) {\n            cs = CHARSETS[ch];\n            if (ch === '/') { // ISOLatin is actually /A\n              this.skipNextChar();\n            }\n          } else {\n            cs = DEFAULT_CHARSET;\n          }\n          this._terminal.setgCharset(this._terminal.gcharset, cs);\n          this._terminal.gcharset = null;\n          this._state = ParserState.NORMAL;\n          break;\n\n        case ParserState.OSC:\n          // OSC Ps ; Pt ST\n          // OSC Ps ; Pt BEL\n          //   Set Text Parameters.\n          if (ch === C0.ESC || ch === C0.BEL) {\n            if (ch === C0.ESC) this._position++;\n\n            this._terminal.params.push(this._terminal.currentParam);\n\n            switch (this._terminal.params[0]) {\n              case 0:\n              case 1:\n              case 2:\n                if (this._terminal.params[1]) {\n                  this._terminal.title = this._terminal.params[1];\n                  this._terminal.handleTitle(this._terminal.title);\n                }\n                break;\n              case 3:\n                // set X property\n                break;\n              case 4:\n              case 5:\n                // change dynamic colors\n                break;\n              case 10:\n              case 11:\n              case 12:\n              case 13:\n              case 14:\n              case 15:\n              case 16:\n              case 17:\n              case 18:\n              case 19:\n                // change dynamic ui colors\n                break;\n              case 46:\n                // change log file\n                break;\n              case 50:\n                // dynamic font\n                break;\n              case 51:\n                // emacs shell\n                break;\n              case 52:\n                // manipulate selection data\n                break;\n              case 104:\n              case 105:\n              case 110:\n              case 111:\n              case 112:\n              case 113:\n              case 114:\n              case 115:\n              case 116:\n              case 117:\n              case 118:\n                // reset colors\n                break;\n            }\n\n            this._terminal.params = [];\n            this._terminal.currentParam = 0;\n            this._state = ParserState.NORMAL;\n          } else {\n            if (!this._terminal.params.length) {\n              if (ch >= '0' && ch <= '9') {\n                this._terminal.currentParam =\n                  this._terminal.currentParam * 10 + ch.charCodeAt(0) - 48;\n              } else if (ch === ';') {\n                this._terminal.params.push(this._terminal.currentParam);\n                this._terminal.currentParam = '';\n              }\n            } else {\n              this._terminal.currentParam += ch;\n            }\n          }\n          break;\n\n        case ParserState.CSI_PARAM:\n          if (ch in csiParamStateHandler) {\n            csiParamStateHandler[ch](this);\n            break;\n          }\n          this.finalizeParam();\n          // Fall through the CSI as this character should be the CSI code.\n          this._state = ParserState.CSI;\n\n        case ParserState.CSI:\n          if (ch in csiStateHandler) {\n            if (this._terminal.debug) {\n              this._terminal.log(`CSI ${this._terminal.prefix ? this._terminal.prefix : ''} ${this._terminal.params ? this._terminal.params.join(';') : ''} ${this._terminal.postfix ? this._terminal.postfix : ''} ${ch}`);\n            }\n            csiStateHandler[ch](this._inputHandler, this._terminal.params, this._terminal.prefix, this._terminal.postfix, this);\n          } else {\n            this._terminal.error('Unknown CSI code: %s.', ch);\n          }\n\n          this._state = ParserState.NORMAL;\n          this._terminal.prefix = '';\n          this._terminal.postfix = '';\n          break;\n\n        case ParserState.DCS:\n          if (ch === C0.ESC || ch === C0.BEL) {\n            if (ch === C0.ESC) this._position++;\n            let pt;\n            let valid: boolean;\n\n            switch (this._terminal.prefix) {\n              // User-Defined Keys (DECUDK).\n              case '':\n                break;\n\n              // Request Status String (DECRQSS).\n              // test: echo -e '\\eP$q\"p\\e\\\\'\n              case '$q':\n                pt = this._terminal.currentParam;\n                valid = false;\n\n                switch (pt) {\n                  // DECSCA\n                  case '\"q':\n                    pt = '0\"q';\n                    break;\n\n                  // DECSCL\n                  case '\"p':\n                    pt = '61\"p';\n                    break;\n\n                  // DECSTBM\n                  case 'r':\n                    pt = ''\n                      + (this._terminal.buffer.scrollTop + 1)\n                      + ';'\n                      + (this._terminal.buffer.scrollBottom + 1)\n                      + 'r';\n                    break;\n\n                  // SGR\n                  case 'm':\n                    pt = '0m';\n                    break;\n\n                  default:\n                    this._terminal.error('Unknown DCS Pt: %s.', pt);\n                    pt = '';\n                    break;\n                }\n\n                this._terminal.send(C0.ESC + 'P' + +valid + '$r' + pt + C0.ESC + '\\\\');\n                break;\n\n              // Set Termcap/Terminfo Data (xterm, experimental).\n              case '+p':\n                break;\n\n              // Request Termcap/Terminfo String (xterm, experimental)\n              // Regular xterm does not even respond to this sequence.\n              // This can cause a small glitch in vim.\n              // test: echo -ne '\\eP+q6b64\\e\\\\'\n              case '+q':\n                pt = this._terminal.currentParam;\n                valid = false;\n\n                this._terminal.send(C0.ESC + 'P' + +valid + '+r' + pt + C0.ESC + '\\\\');\n                break;\n\n              default:\n                this._terminal.error('Unknown DCS prefix: %s.', this._terminal.prefix);\n                break;\n            }\n\n            this._terminal.currentParam = 0;\n            this._terminal.prefix = '';\n            this._state = ParserState.NORMAL;\n          } else if (!this._terminal.currentParam) {\n            if (!this._terminal.prefix && ch !== '$' && ch !== '+') {\n              this._terminal.currentParam = ch;\n            } else if (this._terminal.prefix.length === 2) {\n              this._terminal.currentParam = ch;\n            } else {\n              this._terminal.prefix += ch;\n            }\n          } else {\n            this._terminal.currentParam += ch;\n          }\n          break;\n\n        case ParserState.IGNORE:\n          // For PM and APC.\n          if (ch === C0.ESC || ch === C0.BEL) {\n            if (ch === C0.ESC) this._position++;\n            this._state = ParserState.NORMAL;\n          }\n          break;\n      }\n    }\n    return this._state;\n  }\n\n  /**\n   * Set the parser's current parsing state.\n   *\n   * @param state The new state.\n   */\n  public setState(state: ParserState): void {\n    this._state = state;\n  }\n\n  /**\n   * Sets the parsier's current prefix. CSI codes can have prefixes of '?', '>'\n   * or '!'.\n   *\n   * @param prefix The prefix.\n   */\n  public setPrefix(prefix: string): void {\n    this._terminal.prefix = prefix;\n  }\n\n  /**\n   * Sets the parsier's current prefix. CSI codes can have postfixes of '$',\n   * '\"', ' ', '\\''.\n   *\n   * @param postfix The postfix.\n   */\n  public setPostfix(postfix: string): void {\n    this._terminal.postfix = postfix;\n  }\n\n  /**\n   * Sets the parser's current parameter.\n   *\n   * @param param the parameter.\n   */\n  public setParam(param: number) {\n    this._terminal.currentParam = param;\n  }\n\n  /**\n   * Gets the parser's current parameter.\n   */\n  public getParam(): number {\n    return this._terminal.currentParam;\n  }\n\n  /**\n   * Finalizes the parser's current parameter, adding it to the list of\n   * parameters and setting the new current parameter to 0.\n   */\n  public finalizeParam(): void {\n    this._terminal.params.push(this._terminal.currentParam);\n    this._terminal.currentParam = 0;\n  }\n\n  /**\n   * Tell the parser to skip the next character.\n   */\n  public skipNextChar(): void {\n    this._position++;\n  }\n\n  /**\n   * Tell the parser to repeat parsing the current character (for example if it\n   * needs parsing using a different state.\n   */\n  // public repeatChar(): void {\n  //   this._position--;\n  // }\n}\n","/**\n * @license MIT\n */\n\nimport { LinkMatcherOptions } from './Interfaces';\nimport { LinkMatcher, LinkMatcherHandler, LinkMatcherValidationCallback } from './Types';\n\nconst INVALID_LINK_CLASS = 'xterm-invalid-link';\n\nconst protocolClause = '(https?:\\\\/\\\\/)';\nconst domainCharacterSet = '[\\\\da-z\\\\.-]+';\nconst negatedDomainCharacterSet = '[^\\\\da-z\\\\.-]+';\nconst domainBodyClause = '(' + domainCharacterSet + ')';\nconst tldClause = '([a-z\\\\.]{2,6})';\nconst ipClause = '((\\\\d{1,3}\\\\.){3}\\\\d{1,3})';\nconst localHostClause = '(localhost)';\nconst portClause = '(:\\\\d{1,5})';\nconst hostClause = '((' + domainBodyClause + '\\\\.' + tldClause + ')|' + ipClause + '|' + localHostClause + ')' + portClause + '?';\nconst pathClause = '(\\\\/[\\\\/\\\\w\\\\.\\\\-%~]*)*';\nconst queryStringHashFragmentCharacterSet = '[0-9\\\\w\\\\[\\\\]\\\\(\\\\)\\\\/\\\\?\\\\!#@$%&\\'*+,:;~\\\\=\\\\.\\\\-]*';\nconst queryStringClause = '(\\\\?' + queryStringHashFragmentCharacterSet + ')?';\nconst hashFragmentClause = '(#' + queryStringHashFragmentCharacterSet + ')?';\nconst negatedPathCharacterSet = '[^\\\\/\\\\w\\\\.\\\\-%]+';\nconst bodyClause = hostClause + pathClause + queryStringClause + hashFragmentClause;\nconst start = '(?:^|' + negatedDomainCharacterSet + ')(';\nconst end = ')($|' + negatedPathCharacterSet + ')';\nconst strictUrlRegex = new RegExp(start + protocolClause + bodyClause + end);\n\n/**\n * The ID of the built in http(s) link matcher.\n */\nconst HYPERTEXT_LINK_MATCHER_ID = 0;\n\n/**\n * The Linkifier applies links to rows shortly after they have been refreshed.\n */\nexport class Linkifier {\n  /**\n   * The time to wait after a row is changed before it is linkified. This prevents\n   * the costly operation of searching every row multiple times, potentially a\n   * huge amount of times.\n   */\n  protected static TIME_BEFORE_LINKIFY = 200;\n\n  protected _linkMatchers: LinkMatcher[];\n\n  private _document: Document;\n  private _rows: HTMLElement[];\n  private _rowTimeoutIds: number[];\n  private _nextLinkMatcherId = HYPERTEXT_LINK_MATCHER_ID;\n\n  constructor() {\n    this._rowTimeoutIds = [];\n    this._linkMatchers = [];\n    this.registerLinkMatcher(strictUrlRegex, null, { matchIndex: 1 });\n  }\n\n  /**\n   * Attaches the linkifier to the DOM, enabling linkification.\n   * @param document The document object.\n   * @param rows The array of rows to apply links to.\n   */\n  public attachToDom(document: Document, rows: HTMLElement[]) {\n    this._document = document;\n    this._rows = rows;\n  }\n\n  /**\n   * Queues a row for linkification.\n   * @param {number} rowIndex The index of the row to linkify.\n   */\n  public linkifyRow(rowIndex: number): void {\n    // Don't attempt linkify if not yet attached to DOM\n    if (!this._document) {\n      return;\n    }\n\n    const timeoutId = this._rowTimeoutIds[rowIndex];\n    if (timeoutId) {\n      clearTimeout(timeoutId);\n    }\n    this._rowTimeoutIds[rowIndex] = setTimeout(this._linkifyRow.bind(this, rowIndex), Linkifier.TIME_BEFORE_LINKIFY);\n  }\n\n  /**\n   * Attaches a handler for hypertext links, overriding default <a> behavior\n   * for standard http(s) links.\n   * @param {LinkHandler} handler The handler to use, this can be cleared with\n   * null.\n   */\n  public setHypertextLinkHandler(handler: LinkMatcherHandler): void {\n    this._linkMatchers[HYPERTEXT_LINK_MATCHER_ID].handler = handler;\n  }\n\n  /**\n   * Attaches a validation callback for hypertext links.\n   * @param {LinkMatcherValidationCallback} callback The callback to use, this\n   * can be cleared with null.\n   */\n  public setHypertextValidationCallback(callback: LinkMatcherValidationCallback): void {\n    this._linkMatchers[HYPERTEXT_LINK_MATCHER_ID].validationCallback = callback;\n  }\n\n  /**\n   * Registers a link matcher, allowing custom link patterns to be matched and\n   * handled.\n   * @param {RegExp} regex The regular expression to search for, specifically\n   * this searches the textContent of the rows. You will want to use \\s to match\n   * a space ' ' character for example.\n   * @param {LinkHandler} handler The callback when the link is called.\n   * @param {LinkMatcherOptions} [options] Options for the link matcher.\n   * @return {number} The ID of the new matcher, this can be used to deregister.\n   */\n  public registerLinkMatcher(regex: RegExp, handler: LinkMatcherHandler, options: LinkMatcherOptions = {}): number {\n    if (this._nextLinkMatcherId !== HYPERTEXT_LINK_MATCHER_ID && !handler) {\n      throw new Error('handler must be defined');\n    }\n    const matcher: LinkMatcher = {\n      id: this._nextLinkMatcherId++,\n      regex,\n      handler,\n      matchIndex: options.matchIndex,\n      validationCallback: options.validationCallback,\n      priority: options.priority || 0\n    };\n    this._addLinkMatcherToList(matcher);\n    return matcher.id;\n  }\n\n  /**\n   * Inserts a link matcher to the list in the correct position based on the\n   * priority of each link matcher. New link matchers of equal priority are\n   * considered after older link matchers.\n   * @param matcher The link matcher to be added.\n   */\n  private _addLinkMatcherToList(matcher: LinkMatcher): void {\n    if (this._linkMatchers.length === 0) {\n      this._linkMatchers.push(matcher);\n      return;\n    }\n\n    for (let i = this._linkMatchers.length - 1; i >= 0; i--) {\n      if (matcher.priority <= this._linkMatchers[i].priority) {\n        this._linkMatchers.splice(i + 1, 0, matcher);\n        return;\n      }\n    }\n\n    this._linkMatchers.splice(0, 0, matcher);\n  }\n\n  /**\n   * Deregisters a link matcher if it has been registered.\n   * @param {number} matcherId The link matcher's ID (returned after register)\n   * @return {boolean} Whether a link matcher was found and deregistered.\n   */\n  public deregisterLinkMatcher(matcherId: number): boolean {\n    // ID 0 is the hypertext link matcher which cannot be deregistered\n    for (let i = 1; i < this._linkMatchers.length; i++) {\n      if (this._linkMatchers[i].id === matcherId) {\n        this._linkMatchers.splice(i, 1);\n        return true;\n      }\n    }\n    return false;\n  }\n\n  /**\n   * Linkifies a row.\n   * @param {number} rowIndex The index of the row to linkify.\n   */\n  private _linkifyRow(rowIndex: number): void {\n    const row = this._rows[rowIndex];\n    if (!row) {\n      return;\n    }\n    const text = row.textContent;\n    for (let i = 0; i < this._linkMatchers.length; i++) {\n      const matcher = this._linkMatchers[i];\n      const linkElements = this._doLinkifyRow(row, matcher);\n        if (linkElements.length > 0) {\n        // Fire validation callback\n        if (matcher.validationCallback) {\n          for (let j = 0; j < linkElements.length; j++) {\n            const element = linkElements[j];\n            matcher.validationCallback(element.textContent, element, isValid => {\n              if (!isValid) {\n                element.classList.add(INVALID_LINK_CLASS);\n              }\n            });\n          }\n        }\n        // Only allow a single LinkMatcher to trigger on any given row.\n        return;\n      }\n    }\n  }\n\n  /**\n   * Linkifies a row given a specific handler.\n   * @param {HTMLElement} row The row to linkify.\n   * @param {LinkMatcher} matcher The link matcher for this line.\n   * @return The link element(s) that were added.\n   */\n  private _doLinkifyRow(row: HTMLElement, matcher: LinkMatcher): HTMLElement[] {\n    // Iterate over nodes as we want to consider text nodes\n    let result = [];\n    const isHttpLinkMatcher = matcher.id === HYPERTEXT_LINK_MATCHER_ID;\n    const nodes = row.childNodes;\n\n    // Find the first match\n    let match = row.textContent.match(matcher.regex);\n    if (!match || match.length === 0) {\n      return result;\n    }\n    let uri = match[typeof matcher.matchIndex !== 'number' ? 0 : matcher.matchIndex];\n    // Set the next searches start index\n    let rowStartIndex = match.index + uri.length;\n\n    for (let i = 0; i < nodes.length; i++) {\n      const node = nodes[i];\n      const searchIndex = node.textContent.indexOf(uri);\n      if (searchIndex >= 0) {\n        const linkElement = this._createAnchorElement(uri, matcher.handler, isHttpLinkMatcher);\n        if (node.textContent.length === uri.length) {\n          // Matches entire string\n          if (node.nodeType === 3 /*Node.TEXT_NODE*/) {\n            this._replaceNode(node, linkElement);\n          } else {\n            const element = (<HTMLElement>node);\n            if (element.nodeName === 'A') {\n              // This row has already been linkified\n              return result;\n            }\n            element.innerHTML = '';\n            element.appendChild(linkElement);\n          }\n        } else if (node.childNodes.length > 1) {\n          // Matches part of string in an element with multiple child nodes\n          for (let j = 0; j < node.childNodes.length; j++) {\n            const childNode = node.childNodes[j];\n            const childSearchIndex = childNode.textContent.indexOf(uri);\n            if (childSearchIndex !== -1) {\n              // Match found in currentNode\n              this._replaceNodeSubstringWithNode(childNode, linkElement, uri, childSearchIndex);\n              // Don't need to count nodesAdded by replacing the node as this\n              // is a child node, not a top-level node.\n              break;\n            }\n          }\n        } else {\n          // Matches part of string in a single text node\n          const nodesAdded = this._replaceNodeSubstringWithNode(node, linkElement, uri, searchIndex);\n          // No need to consider the new nodes\n          i += nodesAdded;\n        }\n        result.push(linkElement);\n\n        // Find the next match\n        match = row.textContent.substring(rowStartIndex).match(matcher.regex);\n        if (!match || match.length === 0) {\n          return result;\n        }\n        uri = match[typeof matcher.matchIndex !== 'number' ? 0 : matcher.matchIndex];\n        rowStartIndex += match.index + uri.length;\n      }\n    }\n    return result;\n  }\n\n  /**\n   * Creates a link anchor element.\n   * @param {string} uri The uri of the link.\n   * @return {HTMLAnchorElement} The link.\n   */\n  private _createAnchorElement(uri: string, handler: LinkMatcherHandler, isHypertextLinkHandler: boolean): HTMLAnchorElement {\n    const element = this._document.createElement('a');\n    element.textContent = uri;\n    element.draggable = false;\n    if (isHypertextLinkHandler) {\n      element.href = uri;\n      // Force link on another tab so work is not lost\n      element.target = '_blank';\n      element.addEventListener('click', (event: MouseEvent) => {\n        if (handler) {\n          return handler(event, uri);\n        }\n      });\n    } else {\n      element.addEventListener('click', (event: MouseEvent) => {\n        // Don't execute the handler if the link is flagged as invalid\n        if (element.classList.contains(INVALID_LINK_CLASS)) {\n          return;\n        }\n        return handler(event, uri);\n      });\n    }\n    return element;\n  }\n\n  /**\n   * Replace a node with 1 or more other nodes.\n   * @param {Node} oldNode The node to replace.\n   * @param {Node[]} newNodes The new nodes to insert in order.\n   */\n  private _replaceNode(oldNode: Node, ...newNodes: Node[]): void {\n    const parent = oldNode.parentNode;\n    for (let i = 0; i < newNodes.length; i++) {\n      parent.insertBefore(newNodes[i], oldNode);\n    }\n    parent.removeChild(oldNode);\n  }\n\n  /**\n   * Replace a substring within a node with a new node.\n   * @param {Node} targetNode The target node; either a text node or a <span>\n   * containing a single text node.\n   * @param {Node} newNode The new node to insert.\n   * @param {string} substring The substring to replace.\n   * @param {number} substringIndex The index of the substring within the string.\n   * @return The number of nodes to skip when searching for the next uri.\n   */\n  private _replaceNodeSubstringWithNode(targetNode: Node, newNode: Node, substring: string, substringIndex: number): number {\n    // If the targetNode is a non-text node with a single child, make the child\n    // the new targetNode.\n    if (targetNode.childNodes.length === 1) {\n      targetNode = targetNode.childNodes[0];\n    }\n\n    // The targetNode will be either a text node or a <span>. The text node\n    // (targetNode or its only-child) needs to be replaced with newNode plus new\n    // text nodes potentially on either side.\n    if (targetNode.nodeType !== 3/*Node.TEXT_NODE*/) {\n      throw new Error('targetNode must be a text node or only contain a single text node');\n    }\n\n    const fullText = targetNode.textContent;\n\n    if (substringIndex === 0) {\n      // Replace with <newNode><textnode>\n      const rightText = fullText.substring(substring.length);\n      const rightTextNode = this._document.createTextNode(rightText);\n      this._replaceNode(targetNode, newNode, rightTextNode);\n      return 0;\n    }\n\n    if (substringIndex === targetNode.textContent.length - substring.length) {\n      // Replace with <textnode><newNode>\n      const leftText = fullText.substring(0, substringIndex);\n      const leftTextNode = this._document.createTextNode(leftText);\n      this._replaceNode(targetNode, leftTextNode, newNode);\n      return 0;\n    }\n\n    // Replace with <textnode><newNode><textnode>\n    const leftText = fullText.substring(0, substringIndex);\n    const leftTextNode = this._document.createTextNode(leftText);\n    const rightText = fullText.substring(substringIndex + substring.length);\n    const rightTextNode = this._document.createTextNode(rightText);\n    this._replaceNode(targetNode, leftTextNode, newNode, rightTextNode);\n    return 1;\n  }\n}\n","/**\n * @license MIT\n */\n\nimport { IInputHandler, ITerminal } from './Interfaces';\nimport { C0 } from './EscapeSequences';\nimport { DEFAULT_CHARSET } from './Charsets';\n\n/**\n * The terminal's standard implementation of IInputHandler, this handles all\n * input from the Parser.\n *\n * Refer to http://invisible-island.net/xterm/ctlseqs/ctlseqs.html to understand\n * each function's header comment.\n */\nexport class InputHandler implements IInputHandler {\n  // TODO: We want to type _terminal when it's pulled into TS\n  constructor(private _terminal: any) { }\n\n  public addChar(char: string, code: number): void {\n    if (char >= ' ') {\n      // calculate print space\n      // expensive call, therefore we save width in line buffer\n      const ch_width = wcwidth(code);\n\n      if (this._terminal.charset && this._terminal.charset[char]) {\n        char = this._terminal.charset[char];\n      }\n\n      let row = this._terminal.buffer.y + this._terminal.buffer.ybase;\n\n      // insert combining char in last cell\n      // FIXME: needs handling after cursor jumps\n      if (!ch_width && this._terminal.buffer.x) {\n        // dont overflow left\n        if (this._terminal.buffer.lines.get(row)[this._terminal.buffer.x - 1]) {\n          if (!this._terminal.buffer.lines.get(row)[this._terminal.buffer.x - 1][2]) {\n\n            // found empty cell after fullwidth, need to go 2 cells back\n            if (this._terminal.buffer.lines.get(row)[this._terminal.buffer.x - 2])\n              this._terminal.buffer.lines.get(row)[this._terminal.buffer.x - 2][1] += char;\n\n          } else {\n            this._terminal.buffer.lines.get(row)[this._terminal.buffer.x - 1][1] += char;\n          }\n          this._terminal.updateRange(this._terminal.buffer.y);\n        }\n        return;\n      }\n\n      // goto next line if ch would overflow\n      // TODO: needs a global min terminal width of 2\n      if (this._terminal.buffer.x + ch_width - 1 >= this._terminal.cols) {\n        // autowrap - DECAWM\n        if (this._terminal.wraparoundMode) {\n          this._terminal.buffer.x = 0;\n          this._terminal.buffer.y++;\n          if (this._terminal.buffer.y > this._terminal.buffer.scrollBottom) {\n            this._terminal.buffer.y--;\n            this._terminal.scroll(true);\n          } else {\n            // The line already exists (eg. the initial viewport), mark it as a\n            // wrapped line\n            this._terminal.buffer.lines.get(this._terminal.buffer.y).isWrapped = true;\n          }\n        } else {\n          if (ch_width === 2)  // FIXME: check for xterm behavior\n            return;\n        }\n      }\n      row = this._terminal.buffer.y + this._terminal.buffer.ybase;\n\n      // insert mode: move characters to right\n      if (this._terminal.insertMode) {\n        // do this twice for a fullwidth char\n        for (let moves = 0; moves < ch_width; ++moves) {\n          // remove last cell, if it's width is 0\n          // we have to adjust the second last cell as well\n          const removed = this._terminal.buffer.lines.get(this._terminal.buffer.y + this._terminal.buffer.ybase).pop();\n          if (removed[2] === 0\n              && this._terminal.buffer.lines.get(row)[this._terminal.cols - 2]\n              && this._terminal.buffer.lines.get(row)[this._terminal.cols - 2][2] === 2) {\n            this._terminal.buffer.lines.get(row)[this._terminal.cols - 2] = [this._terminal.curAttr, ' ', 1];\n          }\n\n          // insert empty cell at cursor\n          this._terminal.buffer.lines.get(row).splice(this._terminal.buffer.x, 0, [this._terminal.curAttr, ' ', 1]);\n        }\n      }\n\n      this._terminal.buffer.lines.get(row)[this._terminal.buffer.x] = [this._terminal.curAttr, char, ch_width];\n      this._terminal.buffer.x++;\n      this._terminal.updateRange(this._terminal.buffer.y);\n\n      // fullwidth char - set next cell width to zero and advance cursor\n      if (ch_width === 2) {\n        this._terminal.buffer.lines.get(row)[this._terminal.buffer.x] = [this._terminal.curAttr, '', 0];\n        this._terminal.buffer.x++;\n      }\n    }\n  }\n\n  /**\n   * BEL\n   * Bell (Ctrl-G).\n   */\n  public bell(): void {\n    if (!this._terminal.visualBell) {\n      return;\n    }\n    this._terminal.element.style.borderColor = 'white';\n    setTimeout(() => this._terminal.element.style.borderColor = '', 10);\n    if (this._terminal.popOnBell) {\n      this._terminal.focus();\n    }\n  }\n\n  /**\n   * LF\n   * Line Feed or New Line (NL).  (LF  is Ctrl-J).\n   */\n  public lineFeed(): void {\n    if (this._terminal.convertEol) {\n      this._terminal.buffer.x = 0;\n    }\n    this._terminal.buffer.y++;\n    if (this._terminal.buffer.y > this._terminal.buffer.scrollBottom) {\n      this._terminal.buffer.y--;\n      this._terminal.scroll();\n    }\n    // If the end of the line is hit, prevent this action from wrapping around to the next line.\n    if (this._terminal.buffer.x >= this._terminal.cols) {\n      this._terminal.buffer.x--;\n    }\n    /**\n     * This event is emitted whenever the terminal outputs a LF or NL.\n     *\n     * @event lineFeed\n     */\n    this._terminal.emit('lineFeed');\n  }\n\n  /**\n   * CR\n   * Carriage Return (Ctrl-M).\n   */\n  public carriageReturn(): void {\n    this._terminal.buffer.x = 0;\n  }\n\n  /**\n   * BS\n   * Backspace (Ctrl-H).\n   */\n  public backspace(): void {\n    if (this._terminal.buffer.x > 0) {\n      this._terminal.buffer.x--;\n    }\n  }\n\n  /**\n   * TAB\n   * Horizontal Tab (HT) (Ctrl-I).\n   */\n  public tab(): void {\n    this._terminal.buffer.x = this._terminal.nextStop();\n  }\n\n  /**\n   * SO\n   * Shift Out (Ctrl-N) -> Switch to Alternate Character Set.  This invokes the\n   * G1 character set.\n   */\n  public shiftOut(): void {\n    this._terminal.setgLevel(1);\n  }\n\n  /**\n   * SI\n   * Shift In (Ctrl-O) -> Switch to Standard Character Set.  This invokes the G0\n   * character set (the default).\n   */\n  public shiftIn(): void {\n    this._terminal.setgLevel(0);\n  }\n\n  /**\n   * CSI Ps @\n   * Insert Ps (Blank) Character(s) (default = 1) (ICH).\n   */\n  public insertChars(params: number[]): void {\n    let param, row, j, ch;\n\n    param = params[0];\n    if (param < 1) param = 1;\n\n    row = this._terminal.buffer.y + this._terminal.buffer.ybase;\n    j = this._terminal.buffer.x;\n    ch = [this._terminal.eraseAttr(), ' ', 1]; // xterm\n\n    while (param-- && j < this._terminal.cols) {\n      this._terminal.buffer.lines.get(row).splice(j++, 0, ch);\n      this._terminal.buffer.lines.get(row).pop();\n    }\n  }\n\n  /**\n   * CSI Ps A\n   * Cursor Up Ps Times (default = 1) (CUU).\n   */\n  public cursorUp(params: number[]): void {\n    let param = params[0];\n    if (param < 1) {\n      param = 1;\n    }\n    this._terminal.buffer.y -= param;\n    if (this._terminal.buffer.y < 0) {\n      this._terminal.buffer.y = 0;\n    }\n  }\n\n  /**\n   * CSI Ps B\n   * Cursor Down Ps Times (default = 1) (CUD).\n   */\n  public cursorDown(params: number[]) {\n    let param = params[0];\n    if (param < 1) {\n      param = 1;\n    }\n    this._terminal.buffer.y += param;\n    if (this._terminal.buffer.y >= this._terminal.rows) {\n      this._terminal.buffer.y = this._terminal.rows - 1;\n    }\n    // If the end of the line is hit, prevent this action from wrapping around to the next line.\n    if (this._terminal.buffer.x >= this._terminal.cols) {\n      this._terminal.buffer.x--;\n    }\n  }\n\n  /**\n   * CSI Ps C\n   * Cursor Forward Ps Times (default = 1) (CUF).\n   */\n  public cursorForward(params: number[]) {\n    let param = params[0];\n    if (param < 1) {\n      param = 1;\n    }\n    this._terminal.buffer.x += param;\n    if (this._terminal.buffer.x >= this._terminal.cols) {\n      this._terminal.buffer.x = this._terminal.cols - 1;\n    }\n  }\n\n  /**\n   * CSI Ps D\n   * Cursor Backward Ps Times (default = 1) (CUB).\n   */\n  public cursorBackward(params: number[]) {\n    let param = params[0];\n    if (param < 1) {\n      param = 1;\n    }\n    // If the end of the line is hit, prevent this action from wrapping around to the next line.\n    if (this._terminal.buffer.x >= this._terminal.cols) {\n      this._terminal.buffer.x--;\n    }\n    this._terminal.buffer.x -= param;\n    if (this._terminal.buffer.x < 0) {\n      this._terminal.buffer.x = 0;\n    }\n  }\n\n  /**\n   * CSI Ps E\n   * Cursor Next Line Ps Times (default = 1) (CNL).\n   * same as CSI Ps B ?\n   */\n  public cursorNextLine(params: number[]): void {\n    let param = params[0];\n    if (param < 1) {\n      param = 1;\n    }\n    this._terminal.buffer.y += param;\n    if (this._terminal.buffer.y >= this._terminal.rows) {\n      this._terminal.buffer.y = this._terminal.rows - 1;\n    }\n    this._terminal.buffer.x = 0;\n  }\n\n\n  /**\n   * CSI Ps F\n   * Cursor Preceding Line Ps Times (default = 1) (CNL).\n   * reuse CSI Ps A ?\n   */\n  public cursorPrecedingLine(params: number[]): void {\n    let param = params[0];\n    if (param < 1) {\n      param = 1;\n    }\n    this._terminal.buffer.y -= param;\n    if (this._terminal.buffer.y < 0) {\n      this._terminal.buffer.y = 0;\n    }\n    this._terminal.buffer.x = 0;\n  }\n\n\n  /**\n   * CSI Ps G\n   * Cursor Character Absolute  [column] (default = [row,1]) (CHA).\n   */\n  public cursorCharAbsolute(params: number[]): void {\n    let param = params[0];\n    if (param < 1) {\n      param = 1;\n    }\n    this._terminal.buffer.x = param - 1;\n  }\n\n  /**\n   * CSI Ps ; Ps H\n   * Cursor Position [row;column] (default = [1,1]) (CUP).\n   */\n  public cursorPosition(params: number[]): void {\n    let row, col;\n\n    row = params[0] - 1;\n\n    if (params.length >= 2) {\n      col = params[1] - 1;\n    } else {\n      col = 0;\n    }\n\n    if (row < 0) {\n      row = 0;\n    } else if (row >= this._terminal.rows) {\n      row = this._terminal.rows - 1;\n    }\n\n    if (col < 0) {\n      col = 0;\n    } else if (col >= this._terminal.cols) {\n      col = this._terminal.cols - 1;\n    }\n\n    this._terminal.buffer.x = col;\n    this._terminal.buffer.y = row;\n  }\n\n  /**\n   * CSI Ps I\n   *   Cursor Forward Tabulation Ps tab stops (default = 1) (CHT).\n   */\n  public cursorForwardTab(params: number[]): void {\n    let param = params[0] || 1;\n    while (param--) {\n      this._terminal.buffer.x = this._terminal.nextStop();\n    }\n  }\n\n  /**\n   * CSI Ps J  Erase in Display (ED).\n   *     Ps = 0  -> Erase Below (default).\n   *     Ps = 1  -> Erase Above.\n   *     Ps = 2  -> Erase All.\n   *     Ps = 3  -> Erase Saved Lines (xterm).\n   * CSI ? Ps J\n   *   Erase in Display (DECSED).\n   *     Ps = 0  -> Selective Erase Below (default).\n   *     Ps = 1  -> Selective Erase Above.\n   *     Ps = 2  -> Selective Erase All.\n   */\n  public eraseInDisplay(params: number[]): void {\n    let j;\n    switch (params[0]) {\n      case 0:\n        this._terminal.eraseRight(this._terminal.buffer.x, this._terminal.buffer.y);\n        j = this._terminal.buffer.y + 1;\n        for (; j < this._terminal.rows; j++) {\n          this._terminal.eraseLine(j);\n        }\n        break;\n      case 1:\n        this._terminal.eraseLeft(this._terminal.buffer.x, this._terminal.buffer.y);\n        j = this._terminal.buffer.y;\n        while (j--) {\n          this._terminal.eraseLine(j);\n        }\n        break;\n      case 2:\n        j = this._terminal.rows;\n        while (j--) this._terminal.eraseLine(j);\n        break;\n      case 3:\n        // Clear scrollback (everything not in viewport)\n        const scrollBackSize = this._terminal.buffer.lines.length - this._terminal.rows;\n        if (scrollBackSize > 0) {\n          this._terminal.buffer.lines.trimStart(scrollBackSize);\n          this._terminal.buffer.ybase = Math.max(this._terminal.buffer.ybase - scrollBackSize, 0);\n          this._terminal.buffer.ydisp = Math.max(this._terminal.buffer.ydisp - scrollBackSize, 0);\n          // Force a scroll event to refresh viewport\n          this._terminal.emit('scroll', 0);\n        }\n        break;\n    }\n  }\n\n  /**\n   * CSI Ps K  Erase in Line (EL).\n   *     Ps = 0  -> Erase to Right (default).\n   *     Ps = 1  -> Erase to Left.\n   *     Ps = 2  -> Erase All.\n   * CSI ? Ps K\n   *   Erase in Line (DECSEL).\n   *     Ps = 0  -> Selective Erase to Right (default).\n   *     Ps = 1  -> Selective Erase to Left.\n   *     Ps = 2  -> Selective Erase All.\n   */\n  public eraseInLine(params: number[]): void {\n    switch (params[0]) {\n      case 0:\n        this._terminal.eraseRight(this._terminal.buffer.x, this._terminal.buffer.y);\n        break;\n      case 1:\n        this._terminal.eraseLeft(this._terminal.buffer.x, this._terminal.buffer.y);\n        break;\n      case 2:\n        this._terminal.eraseLine(this._terminal.buffer.y);\n        break;\n    }\n  }\n\n  /**\n   * CSI Ps L\n   * Insert Ps Line(s) (default = 1) (IL).\n   */\n  public insertLines(params: number[]): void {\n    let param, row, j;\n\n    param = params[0];\n    if (param < 1) {\n      param = 1;\n    }\n    row = this._terminal.buffer.y + this._terminal.buffer.ybase;\n\n    j = this._terminal.rows - 1 - this._terminal.buffer.scrollBottom;\n    j = this._terminal.rows - 1 + this._terminal.buffer.ybase - j + 1;\n\n    while (param--) {\n      if (this._terminal.buffer.lines.length === this._terminal.buffer.lines.maxLength) {\n        // Trim the start of lines to make room for the new line\n        this._terminal.buffer.lines.trimStart(1);\n        this._terminal.buffer.ybase--;\n        this._terminal.buffer.ydisp--;\n        row--;\n        j--;\n      }\n      // test: echo -e '\\e[44m\\e[1L\\e[0m'\n      // blankLine(true) - xterm/linux behavior\n      this._terminal.buffer.lines.splice(row, 0, this._terminal.blankLine(true));\n      this._terminal.buffer.lines.splice(j, 1);\n    }\n\n    // this.maxRange();\n    this._terminal.updateRange(this._terminal.buffer.y);\n    this._terminal.updateRange(this._terminal.buffer.scrollBottom);\n  }\n\n  /**\n   * CSI Ps M\n   * Delete Ps Line(s) (default = 1) (DL).\n   */\n  public deleteLines(params: number[]): void {\n    let param, row, j;\n\n    param = params[0];\n    if (param < 1) {\n      param = 1;\n    }\n    row = this._terminal.buffer.y + this._terminal.buffer.ybase;\n\n    j = this._terminal.rows - 1 - this._terminal.buffer.scrollBottom;\n    j = this._terminal.rows - 1 + this._terminal.buffer.ybase - j;\n\n    while (param--) {\n      if (this._terminal.buffer.lines.length === this._terminal.buffer.lines.maxLength) {\n        // Trim the start of lines to make room for the new line\n        this._terminal.buffer.lines.trimStart(1);\n        this._terminal.buffer.ybase -= 1;\n        this._terminal.buffer.ydisp -= 1;\n      }\n      // test: echo -e '\\e[44m\\e[1M\\e[0m'\n      // blankLine(true) - xterm/linux behavior\n      this._terminal.buffer.lines.splice(j + 1, 0, this._terminal.blankLine(true));\n      this._terminal.buffer.lines.splice(row, 1);\n    }\n\n    // this.maxRange();\n    this._terminal.updateRange(this._terminal.buffer.y);\n    this._terminal.updateRange(this._terminal.buffer.scrollBottom);\n  }\n\n  /**\n   * CSI Ps P\n   * Delete Ps Character(s) (default = 1) (DCH).\n   */\n  public deleteChars(params: number[]): void {\n    let param, row, ch;\n\n    param = params[0];\n    if (param < 1) {\n      param = 1;\n    }\n\n    row = this._terminal.buffer.y + this._terminal.buffer.ybase;\n    ch = [this._terminal.eraseAttr(), ' ', 1]; // xterm\n\n    while (param--) {\n      this._terminal.buffer.lines.get(row).splice(this._terminal.buffer.x, 1);\n      this._terminal.buffer.lines.get(row).push(ch);\n    }\n  }\n\n  /**\n   * CSI Ps S  Scroll up Ps lines (default = 1) (SU).\n   */\n  public scrollUp(params: number[]): void {\n    let param = params[0] || 1;\n    while (param--) {\n      this._terminal.buffer.lines.splice(this._terminal.buffer.ybase + this._terminal.buffer.scrollTop, 1);\n      this._terminal.buffer.lines.splice(this._terminal.buffer.ybase + this._terminal.buffer.scrollBottom, 0, this._terminal.blankLine());\n    }\n    // this.maxRange();\n    this._terminal.updateRange(this._terminal.buffer.scrollTop);\n    this._terminal.updateRange(this._terminal.buffer.scrollBottom);\n  }\n\n  /**\n   * CSI Ps T  Scroll down Ps lines (default = 1) (SD).\n   */\n  public scrollDown(params: number[]): void {\n    let param = params[0] || 1;\n    while (param--) {\n      this._terminal.buffer.lines.splice(this._terminal.buffer.ybase + this._terminal.buffer.scrollBottom, 1);\n      this._terminal.buffer.lines.splice(this._terminal.buffer.ybase + this._terminal.buffer.scrollTop, 0, this._terminal.blankLine());\n    }\n    // this.maxRange();\n    this._terminal.updateRange(this._terminal.buffer.scrollTop);\n    this._terminal.updateRange(this._terminal.buffer.scrollBottom);\n  }\n\n  /**\n   * CSI Ps X\n   * Erase Ps Character(s) (default = 1) (ECH).\n   */\n  public eraseChars(params: number[]): void {\n    let param, row, j, ch;\n\n    param = params[0];\n    if (param < 1) {\n      param = 1;\n    }\n\n    row = this._terminal.buffer.y + this._terminal.buffer.ybase;\n    j = this._terminal.buffer.x;\n    ch = [this._terminal.eraseAttr(), ' ', 1]; // xterm\n\n    while (param-- && j < this._terminal.cols) {\n      this._terminal.buffer.lines.get(row)[j++] = ch;\n    }\n  }\n\n  /**\n   * CSI Ps Z  Cursor Backward Tabulation Ps tab stops (default = 1) (CBT).\n   */\n  public cursorBackwardTab(params: number[]): void {\n    let param = params[0] || 1;\n    while (param--) {\n      this._terminal.buffer.x = this._terminal.prevStop();\n    }\n  }\n\n  /**\n   * CSI Pm `  Character Position Absolute\n   *   [column] (default = [row,1]) (HPA).\n   */\n  public charPosAbsolute(params: number[]): void {\n    let param = params[0];\n    if (param < 1) {\n      param = 1;\n    }\n    this._terminal.buffer.x = param - 1;\n    if (this._terminal.buffer.x >= this._terminal.cols) {\n      this._terminal.buffer.x = this._terminal.cols - 1;\n    }\n  }\n\n  /**\n   * CSI Pm a  Character Position Relative\n   *   [columns] (default = [row,col+1]) (HPR)\n   * reuse CSI Ps C ?\n   */\n  public HPositionRelative(params: number[]): void {\n    let param = params[0];\n    if (param < 1) {\n      param = 1;\n    }\n    this._terminal.buffer.x += param;\n    if (this._terminal.buffer.x >= this._terminal.cols) {\n      this._terminal.buffer.x = this._terminal.cols - 1;\n    }\n  }\n\n  /**\n   * CSI Ps b  Repeat the preceding graphic character Ps times (REP).\n   */\n  public repeatPrecedingCharacter(params: number[]): void {\n    let param = params[0] || 1\n      , line = this._terminal.buffer.lines.get(this._terminal.buffer.ybase + this._terminal.buffer.y)\n      , ch = line[this._terminal.buffer.x - 1] || [this._terminal.defAttr, ' ', 1];\n\n    while (param--) {\n      line[this._terminal.buffer.x++] = ch;\n    }\n  }\n\n  /**\n   * CSI Ps c  Send Device Attributes (Primary DA).\n   *     Ps = 0  or omitted -> request attributes from terminal.  The\n   *     response depends on the decTerminalID resource setting.\n   *     -> CSI ? 1 ; 2 c  (``VT100 with Advanced Video Option'')\n   *     -> CSI ? 1 ; 0 c  (``VT101 with No Options'')\n   *     -> CSI ? 6 c  (``VT102'')\n   *     -> CSI ? 6 0 ; 1 ; 2 ; 6 ; 8 ; 9 ; 1 5 ; c  (``VT220'')\n   *   The VT100-style response parameters do not mean anything by\n   *   themselves.  VT220 parameters do, telling the host what fea-\n   *   tures the terminal supports:\n   *     Ps = 1  -> 132-columns.\n   *     Ps = 2  -> Printer.\n   *     Ps = 6  -> Selective erase.\n   *     Ps = 8  -> User-defined keys.\n   *     Ps = 9  -> National replacement character sets.\n   *     Ps = 1 5  -> Technical characters.\n   *     Ps = 2 2  -> ANSI color, e.g., VT525.\n   *     Ps = 2 9  -> ANSI text locator (i.e., DEC Locator mode).\n   * CSI > Ps c\n   *   Send Device Attributes (Secondary DA).\n   *     Ps = 0  or omitted -> request the terminal's identification\n   *     code.  The response depends on the decTerminalID resource set-\n   *     ting.  It should apply only to VT220 and up, but xterm extends\n   *     this to VT100.\n   *     -> CSI  > Pp ; Pv ; Pc c\n   *   where Pp denotes the terminal type\n   *     Pp = 0  -> ``VT100''.\n   *     Pp = 1  -> ``VT220''.\n   *   and Pv is the firmware version (for xterm, this was originally\n   *   the XFree86 patch number, starting with 95).  In a DEC termi-\n   *   nal, Pc indicates the ROM cartridge registration number and is\n   *   always zero.\n   * More information:\n   *   xterm/charproc.c - line 2012, for more information.\n   *   vim responds with ^[[?0c or ^[[?1c after the terminal's response (?)\n   */\n  public sendDeviceAttributes(params: number[]): void {\n    if (params[0] > 0) {\n      return;\n    }\n\n    if (!this._terminal.prefix) {\n      if (this._terminal.is('xterm') || this._terminal.is('rxvt-unicode') || this._terminal.is('screen')) {\n        this._terminal.send(C0.ESC + '[?1;2c');\n      } else if (this._terminal.is('linux')) {\n        this._terminal.send(C0.ESC + '[?6c');\n      }\n    } else if (this._terminal.prefix === '>') {\n      // xterm and urxvt\n      // seem to spit this\n      // out around ~370 times (?).\n      if (this._terminal.is('xterm')) {\n        this._terminal.send(C0.ESC + '[>0;276;0c');\n      } else if (this._terminal.is('rxvt-unicode')) {\n        this._terminal.send(C0.ESC + '[>85;95;0c');\n      } else if (this._terminal.is('linux')) {\n        // not supported by linux console.\n        // linux console echoes parameters.\n        this._terminal.send(params[0] + 'c');\n      } else if (this._terminal.is('screen')) {\n        this._terminal.send(C0.ESC + '[>83;40003;0c');\n      }\n    }\n  }\n\n  /**\n   * CSI Pm d  Vertical Position Absolute (VPA)\n   *   [row] (default = [1,column])\n   */\n  public linePosAbsolute(params: number[]): void {\n    let param = params[0];\n    if (param < 1) {\n      param = 1;\n    }\n    this._terminal.buffer.y = param - 1;\n    if (this._terminal.buffer.y >= this._terminal.rows) {\n      this._terminal.buffer.y = this._terminal.rows - 1;\n    }\n  }\n\n  /**\n   * CSI Pm e  Vertical Position Relative (VPR)\n   *   [rows] (default = [row+1,column])\n   * reuse CSI Ps B ?\n   */\n  public VPositionRelative(params: number[]): void {\n    let param = params[0];\n    if (param < 1) {\n      param = 1;\n    }\n    this._terminal.buffer.y += param;\n    if (this._terminal.buffer.y >= this._terminal.rows) {\n      this._terminal.buffer.y = this._terminal.rows - 1;\n    }\n    // If the end of the line is hit, prevent this action from wrapping around to the next line.\n    if (this._terminal.buffer.x >= this._terminal.cols) {\n      this._terminal.buffer.x--;\n    }\n  }\n\n  /**\n   * CSI Ps ; Ps f\n   *   Horizontal and Vertical Position [row;column] (default =\n   *   [1,1]) (HVP).\n   */\n  public HVPosition(params: number[]): void {\n    if (params[0] < 1) params[0] = 1;\n    if (params[1] < 1) params[1] = 1;\n\n    this._terminal.buffer.y = params[0] - 1;\n    if (this._terminal.buffer.y >= this._terminal.rows) {\n      this._terminal.buffer.y = this._terminal.rows - 1;\n    }\n\n    this._terminal.buffer.x = params[1] - 1;\n    if (this._terminal.buffer.x >= this._terminal.cols) {\n      this._terminal.buffer.x = this._terminal.cols - 1;\n    }\n  }\n\n  /**\n   * CSI Ps g  Tab Clear (TBC).\n   *     Ps = 0  -> Clear Current Column (default).\n   *     Ps = 3  -> Clear All.\n   * Potentially:\n   *   Ps = 2  -> Clear Stops on Line.\n   *   http://vt100.net/annarbor/aaa-ug/section6.html\n   */\n  public tabClear(params: number[]): void {\n    let param = params[0];\n    if (param <= 0) {\n      delete this._terminal.buffer.tabs[this._terminal.buffer.x];\n    } else if (param === 3) {\n      this._terminal.buffer.tabs = {};\n    }\n  }\n\n  /**\n   * CSI Pm h  Set Mode (SM).\n   *     Ps = 2  -> Keyboard Action Mode (AM).\n   *     Ps = 4  -> Insert Mode (IRM).\n   *     Ps = 1 2  -> Send/receive (SRM).\n   *     Ps = 2 0  -> Automatic Newline (LNM).\n   * CSI ? Pm h\n   *   DEC Private Mode Set (DECSET).\n   *     Ps = 1  -> Application Cursor Keys (DECCKM).\n   *     Ps = 2  -> Designate USASCII for character sets G0-G3\n   *     (DECANM), and set VT100 mode.\n   *     Ps = 3  -> 132 Column Mode (DECCOLM).\n   *     Ps = 4  -> Smooth (Slow) Scroll (DECSCLM).\n   *     Ps = 5  -> Reverse Video (DECSCNM).\n   *     Ps = 6  -> Origin Mode (DECOM).\n   *     Ps = 7  -> Wraparound Mode (DECAWM).\n   *     Ps = 8  -> Auto-repeat Keys (DECARM).\n   *     Ps = 9  -> Send Mouse X & Y on button press.  See the sec-\n   *     tion Mouse Tracking.\n   *     Ps = 1 0  -> Show toolbar (rxvt).\n   *     Ps = 1 2  -> Start Blinking Cursor (att610).\n   *     Ps = 1 8  -> Print form feed (DECPFF).\n   *     Ps = 1 9  -> Set print extent to full screen (DECPEX).\n   *     Ps = 2 5  -> Show Cursor (DECTCEM).\n   *     Ps = 3 0  -> Show scrollbar (rxvt).\n   *     Ps = 3 5  -> Enable font-shifting functions (rxvt).\n   *     Ps = 3 8  -> Enter Tektronix Mode (DECTEK).\n   *     Ps = 4 0  -> Allow 80 -> 132 Mode.\n   *     Ps = 4 1  -> more(1) fix (see curses resource).\n   *     Ps = 4 2  -> Enable Nation Replacement Character sets (DECN-\n   *     RCM).\n   *     Ps = 4 4  -> Turn On Margin Bell.\n   *     Ps = 4 5  -> Reverse-wraparound Mode.\n   *     Ps = 4 6  -> Start Logging.  This is normally disabled by a\n   *     compile-time option.\n   *     Ps = 4 7  -> Use Alternate Screen Buffer.  (This may be dis-\n   *     abled by the titeInhibit resource).\n   *     Ps = 6 6  -> Application keypad (DECNKM).\n   *     Ps = 6 7  -> Backarrow key sends backspace (DECBKM).\n   *     Ps = 1 0 0 0  -> Send Mouse X & Y on button press and\n   *     release.  See the section Mouse Tracking.\n   *     Ps = 1 0 0 1  -> Use Hilite Mouse Tracking.\n   *     Ps = 1 0 0 2  -> Use Cell Motion Mouse Tracking.\n   *     Ps = 1 0 0 3  -> Use All Motion Mouse Tracking.\n   *     Ps = 1 0 0 4  -> Send FocusIn/FocusOut events.\n   *     Ps = 1 0 0 5  -> Enable Extended Mouse Mode.\n   *     Ps = 1 0 1 0  -> Scroll to bottom on tty output (rxvt).\n   *     Ps = 1 0 1 1  -> Scroll to bottom on key press (rxvt).\n   *     Ps = 1 0 3 4  -> Interpret \"meta\" key, sets eighth bit.\n   *     (enables the eightBitInput resource).\n   *     Ps = 1 0 3 5  -> Enable special modifiers for Alt and Num-\n   *     Lock keys.  (This enables the numLock resource).\n   *     Ps = 1 0 3 6  -> Send ESC   when Meta modifies a key.  (This\n   *     enables the metaSendsEscape resource).\n   *     Ps = 1 0 3 7  -> Send DEL from the editing-keypad Delete\n   *     key.\n   *     Ps = 1 0 3 9  -> Send ESC  when Alt modifies a key.  (This\n   *     enables the altSendsEscape resource).\n   *     Ps = 1 0 4 0  -> Keep selection even if not highlighted.\n   *     (This enables the keepSelection resource).\n   *     Ps = 1 0 4 1  -> Use the CLIPBOARD selection.  (This enables\n   *     the selectToClipboard resource).\n   *     Ps = 1 0 4 2  -> Enable Urgency window manager hint when\n   *     Control-G is received.  (This enables the bellIsUrgent\n   *     resource).\n   *     Ps = 1 0 4 3  -> Enable raising of the window when Control-G\n   *     is received.  (enables the popOnBell resource).\n   *     Ps = 1 0 4 7  -> Use Alternate Screen Buffer.  (This may be\n   *     disabled by the titeInhibit resource).\n   *     Ps = 1 0 4 8  -> Save cursor as in DECSC.  (This may be dis-\n   *     abled by the titeInhibit resource).\n   *     Ps = 1 0 4 9  -> Save cursor as in DECSC and use Alternate\n   *     Screen Buffer, clearing it first.  (This may be disabled by\n   *     the titeInhibit resource).  This combines the effects of the 1\n   *     0 4 7  and 1 0 4 8  modes.  Use this with terminfo-based\n   *     applications rather than the 4 7  mode.\n   *     Ps = 1 0 5 0  -> Set terminfo/termcap function-key mode.\n   *     Ps = 1 0 5 1  -> Set Sun function-key mode.\n   *     Ps = 1 0 5 2  -> Set HP function-key mode.\n   *     Ps = 1 0 5 3  -> Set SCO function-key mode.\n   *     Ps = 1 0 6 0  -> Set legacy keyboard emulation (X11R6).\n   *     Ps = 1 0 6 1  -> Set VT220 keyboard emulation.\n   *     Ps = 2 0 0 4  -> Set bracketed paste mode.\n   * Modes:\n   *   http: *vt100.net/docs/vt220-rm/chapter4.html\n   */\n  public setMode(params: number[]): void {\n    if (params.length > 1) {\n      for (let i = 0; i < params.length; i++) {\n        this.setMode([params[i]]);\n      }\n\n      return;\n    }\n\n    if (!this._terminal.prefix) {\n      switch (params[0]) {\n        case 4:\n          this._terminal.insertMode = true;\n          break;\n        case 20:\n          // this._terminal.convertEol = true;\n          break;\n      }\n    } else if (this._terminal.prefix === '?') {\n      switch (params[0]) {\n        case 1:\n          this._terminal.applicationCursor = true;\n          break;\n        case 2:\n          this._terminal.setgCharset(0, DEFAULT_CHARSET);\n          this._terminal.setgCharset(1, DEFAULT_CHARSET);\n          this._terminal.setgCharset(2, DEFAULT_CHARSET);\n          this._terminal.setgCharset(3, DEFAULT_CHARSET);\n          // set VT100 mode here\n          break;\n        case 3: // 132 col mode\n          this._terminal.savedCols = this._terminal.cols;\n          this._terminal.resize(132, this._terminal.rows);\n          break;\n        case 6:\n          this._terminal.originMode = true;\n          break;\n        case 7:\n          this._terminal.wraparoundMode = true;\n          break;\n        case 12:\n          // this.cursorBlink = true;\n          break;\n        case 66:\n          this._terminal.log('Serial port requested application keypad.');\n          this._terminal.applicationKeypad = true;\n          this._terminal.viewport.syncScrollArea();\n          break;\n        case 9: // X10 Mouse\n          // no release, no motion, no wheel, no modifiers.\n        case 1000: // vt200 mouse\n          // no motion.\n          // no modifiers, except control on the wheel.\n        case 1002: // button event mouse\n        case 1003: // any event mouse\n          // any event - sends motion events,\n          // even if there is no button held down.\n\n          // TODO: Why are params[0] compares nested within a switch for params[0]?\n\n          this._terminal.x10Mouse = params[0] === 9;\n          this._terminal.vt200Mouse = params[0] === 1000;\n          this._terminal.normalMouse = params[0] > 1000;\n          this._terminal.mouseEvents = true;\n          this._terminal.element.classList.add('enable-mouse-events');\n          this._terminal.selectionManager.disable();\n          this._terminal.log('Binding to mouse events.');\n          break;\n        case 1004: // send focusin/focusout events\n          // focusin: ^[[I\n          // focusout: ^[[O\n          this._terminal.sendFocus = true;\n          break;\n        case 1005: // utf8 ext mode mouse\n          this._terminal.utfMouse = true;\n          // for wide terminals\n          // simply encodes large values as utf8 characters\n          break;\n        case 1006: // sgr ext mode mouse\n          this._terminal.sgrMouse = true;\n          // for wide terminals\n          // does not add 32 to fields\n          // press: ^[[<b;x;yM\n          // release: ^[[<b;x;ym\n          break;\n        case 1015: // urxvt ext mode mouse\n          this._terminal.urxvtMouse = true;\n          // for wide terminals\n          // numbers for fields\n          // press: ^[[b;x;yM\n          // motion: ^[[b;x;yT\n          break;\n        case 25: // show cursor\n          this._terminal.cursorHidden = false;\n          break;\n        case 1049: // alt screen buffer cursor\n          // TODO: Not sure if we need to save/restore after switching the buffer\n          // this.saveCursor(params);\n          // FALL-THROUGH\n        case 47: // alt screen buffer\n        case 1047: // alt screen buffer\n          this._terminal.buffers.activateAltBuffer();\n          this._terminal.viewport.syncScrollArea();\n          this._terminal.showCursor();\n          break;\n      }\n    }\n  }\n\n  /**\n   * CSI Pm l  Reset Mode (RM).\n   *     Ps = 2  -> Keyboard Action Mode (AM).\n   *     Ps = 4  -> Replace Mode (IRM).\n   *     Ps = 1 2  -> Send/receive (SRM).\n   *     Ps = 2 0  -> Normal Linefeed (LNM).\n   * CSI ? Pm l\n   *   DEC Private Mode Reset (DECRST).\n   *     Ps = 1  -> Normal Cursor Keys (DECCKM).\n   *     Ps = 2  -> Designate VT52 mode (DECANM).\n   *     Ps = 3  -> 80 Column Mode (DECCOLM).\n   *     Ps = 4  -> Jump (Fast) Scroll (DECSCLM).\n   *     Ps = 5  -> Normal Video (DECSCNM).\n   *     Ps = 6  -> Normal Cursor Mode (DECOM).\n   *     Ps = 7  -> No Wraparound Mode (DECAWM).\n   *     Ps = 8  -> No Auto-repeat Keys (DECARM).\n   *     Ps = 9  -> Don't send Mouse X & Y on button press.\n   *     Ps = 1 0  -> Hide toolbar (rxvt).\n   *     Ps = 1 2  -> Stop Blinking Cursor (att610).\n   *     Ps = 1 8  -> Don't print form feed (DECPFF).\n   *     Ps = 1 9  -> Limit print to scrolling region (DECPEX).\n   *     Ps = 2 5  -> Hide Cursor (DECTCEM).\n   *     Ps = 3 0  -> Don't show scrollbar (rxvt).\n   *     Ps = 3 5  -> Disable font-shifting functions (rxvt).\n   *     Ps = 4 0  -> Disallow 80 -> 132 Mode.\n   *     Ps = 4 1  -> No more(1) fix (see curses resource).\n   *     Ps = 4 2  -> Disable Nation Replacement Character sets (DEC-\n   *     NRCM).\n   *     Ps = 4 4  -> Turn Off Margin Bell.\n   *     Ps = 4 5  -> No Reverse-wraparound Mode.\n   *     Ps = 4 6  -> Stop Logging.  (This is normally disabled by a\n   *     compile-time option).\n   *     Ps = 4 7  -> Use Normal Screen Buffer.\n   *     Ps = 6 6  -> Numeric keypad (DECNKM).\n   *     Ps = 6 7  -> Backarrow key sends delete (DECBKM).\n   *     Ps = 1 0 0 0  -> Don't send Mouse X & Y on button press and\n   *     release.  See the section Mouse Tracking.\n   *     Ps = 1 0 0 1  -> Don't use Hilite Mouse Tracking.\n   *     Ps = 1 0 0 2  -> Don't use Cell Motion Mouse Tracking.\n   *     Ps = 1 0 0 3  -> Don't use All Motion Mouse Tracking.\n   *     Ps = 1 0 0 4  -> Don't send FocusIn/FocusOut events.\n   *     Ps = 1 0 0 5  -> Disable Extended Mouse Mode.\n   *     Ps = 1 0 1 0  -> Don't scroll to bottom on tty output\n   *     (rxvt).\n   *     Ps = 1 0 1 1  -> Don't scroll to bottom on key press (rxvt).\n   *     Ps = 1 0 3 4  -> Don't interpret \"meta\" key.  (This disables\n   *     the eightBitInput resource).\n   *     Ps = 1 0 3 5  -> Disable special modifiers for Alt and Num-\n   *     Lock keys.  (This disables the numLock resource).\n   *     Ps = 1 0 3 6  -> Don't send ESC  when Meta modifies a key.\n   *     (This disables the metaSendsEscape resource).\n   *     Ps = 1 0 3 7  -> Send VT220 Remove from the editing-keypad\n   *     Delete key.\n   *     Ps = 1 0 3 9  -> Don't send ESC  when Alt modifies a key.\n   *     (This disables the altSendsEscape resource).\n   *     Ps = 1 0 4 0  -> Do not keep selection when not highlighted.\n   *     (This disables the keepSelection resource).\n   *     Ps = 1 0 4 1  -> Use the PRIMARY selection.  (This disables\n   *     the selectToClipboard resource).\n   *     Ps = 1 0 4 2  -> Disable Urgency window manager hint when\n   *     Control-G is received.  (This disables the bellIsUrgent\n   *     resource).\n   *     Ps = 1 0 4 3  -> Disable raising of the window when Control-\n   *     G is received.  (This disables the popOnBell resource).\n   *     Ps = 1 0 4 7  -> Use Normal Screen Buffer, clearing screen\n   *     first if in the Alternate Screen.  (This may be disabled by\n   *     the titeInhibit resource).\n   *     Ps = 1 0 4 8  -> Restore cursor as in DECRC.  (This may be\n   *     disabled by the titeInhibit resource).\n   *     Ps = 1 0 4 9  -> Use Normal Screen Buffer and restore cursor\n   *     as in DECRC.  (This may be disabled by the titeInhibit\n   *     resource).  This combines the effects of the 1 0 4 7  and 1 0\n   *     4 8  modes.  Use this with terminfo-based applications rather\n   *     than the 4 7  mode.\n   *     Ps = 1 0 5 0  -> Reset terminfo/termcap function-key mode.\n   *     Ps = 1 0 5 1  -> Reset Sun function-key mode.\n   *     Ps = 1 0 5 2  -> Reset HP function-key mode.\n   *     Ps = 1 0 5 3  -> Reset SCO function-key mode.\n   *     Ps = 1 0 6 0  -> Reset legacy keyboard emulation (X11R6).\n   *     Ps = 1 0 6 1  -> Reset keyboard emulation to Sun/PC style.\n   *     Ps = 2 0 0 4  -> Reset bracketed paste mode.\n   */\n  public resetMode(params: number[]): void {\n    if (params.length > 1) {\n      for (let i = 0; i < params.length; i++) {\n        this.resetMode([params[i]]);\n      }\n\n      return;\n    }\n\n    if (!this._terminal.prefix) {\n      switch (params[0]) {\n        case 4:\n          this._terminal.insertMode = false;\n          break;\n        case 20:\n          // this._terminal.convertEol = false;\n          break;\n      }\n    } else if (this._terminal.prefix === '?') {\n      switch (params[0]) {\n        case 1:\n          this._terminal.applicationCursor = false;\n          break;\n        case 3:\n          if (this._terminal.cols === 132 && this._terminal.savedCols) {\n            this._terminal.resize(this._terminal.savedCols, this._terminal.rows);\n          }\n          delete this._terminal.savedCols;\n          break;\n        case 6:\n          this._terminal.originMode = false;\n          break;\n        case 7:\n          this._terminal.wraparoundMode = false;\n          break;\n        case 12:\n          // this.cursorBlink = false;\n          break;\n        case 66:\n          this._terminal.log('Switching back to normal keypad.');\n          this._terminal.applicationKeypad = false;\n          this._terminal.viewport.syncScrollArea();\n          break;\n        case 9: // X10 Mouse\n        case 1000: // vt200 mouse\n        case 1002: // button event mouse\n        case 1003: // any event mouse\n          this._terminal.x10Mouse = false;\n          this._terminal.vt200Mouse = false;\n          this._terminal.normalMouse = false;\n          this._terminal.mouseEvents = false;\n          this._terminal.element.classList.remove('enable-mouse-events');\n          this._terminal.selectionManager.enable();\n          break;\n        case 1004: // send focusin/focusout events\n          this._terminal.sendFocus = false;\n          break;\n        case 1005: // utf8 ext mode mouse\n          this._terminal.utfMouse = false;\n          break;\n        case 1006: // sgr ext mode mouse\n          this._terminal.sgrMouse = false;\n          break;\n        case 1015: // urxvt ext mode mouse\n          this._terminal.urxvtMouse = false;\n          break;\n        case 25: // hide cursor\n          this._terminal.cursorHidden = true;\n          break;\n        case 1049: // alt screen buffer cursor\n           // FALL-THROUGH\n        case 47: // normal screen buffer\n        case 1047: // normal screen buffer - clearing it first\n          // Ensure the selection manager has the correct buffer\n          this._terminal.buffers.activateNormalBuffer();\n          // TODO: Not sure if we need to save/restore after switching the buffer\n          // if (params[0] === 1049) {\n          //   this.restoreCursor(params);\n          // }\n          this._terminal.selectionManager.setBuffer(this._terminal.buffer.lines);\n          this._terminal.refresh(0, this._terminal.rows - 1);\n          this._terminal.viewport.syncScrollArea();\n          this._terminal.showCursor();\n          break;\n      }\n    }\n  }\n\n  /**\n   * CSI Pm m  Character Attributes (SGR).\n   *     Ps = 0  -> Normal (default).\n   *     Ps = 1  -> Bold.\n   *     Ps = 4  -> Underlined.\n   *     Ps = 5  -> Blink (appears as Bold).\n   *     Ps = 7  -> Inverse.\n   *     Ps = 8  -> Invisible, i.e., hidden (VT300).\n   *     Ps = 2 2  -> Normal (neither bold nor faint).\n   *     Ps = 2 4  -> Not underlined.\n   *     Ps = 2 5  -> Steady (not blinking).\n   *     Ps = 2 7  -> Positive (not inverse).\n   *     Ps = 2 8  -> Visible, i.e., not hidden (VT300).\n   *     Ps = 3 0  -> Set foreground color to Black.\n   *     Ps = 3 1  -> Set foreground color to Red.\n   *     Ps = 3 2  -> Set foreground color to Green.\n   *     Ps = 3 3  -> Set foreground color to Yellow.\n   *     Ps = 3 4  -> Set foreground color to Blue.\n   *     Ps = 3 5  -> Set foreground color to Magenta.\n   *     Ps = 3 6  -> Set foreground color to Cyan.\n   *     Ps = 3 7  -> Set foreground color to White.\n   *     Ps = 3 9  -> Set foreground color to default (original).\n   *     Ps = 4 0  -> Set background color to Black.\n   *     Ps = 4 1  -> Set background color to Red.\n   *     Ps = 4 2  -> Set background color to Green.\n   *     Ps = 4 3  -> Set background color to Yellow.\n   *     Ps = 4 4  -> Set background color to Blue.\n   *     Ps = 4 5  -> Set background color to Magenta.\n   *     Ps = 4 6  -> Set background color to Cyan.\n   *     Ps = 4 7  -> Set background color to White.\n   *     Ps = 4 9  -> Set background color to default (original).\n   *\n   *   If 16-color support is compiled, the following apply.  Assume\n   *   that xterm's resources are set so that the ISO color codes are\n   *   the first 8 of a set of 16.  Then the aixterm colors are the\n   *   bright versions of the ISO colors:\n   *     Ps = 9 0  -> Set foreground color to Black.\n   *     Ps = 9 1  -> Set foreground color to Red.\n   *     Ps = 9 2  -> Set foreground color to Green.\n   *     Ps = 9 3  -> Set foreground color to Yellow.\n   *     Ps = 9 4  -> Set foreground color to Blue.\n   *     Ps = 9 5  -> Set foreground color to Magenta.\n   *     Ps = 9 6  -> Set foreground color to Cyan.\n   *     Ps = 9 7  -> Set foreground color to White.\n   *     Ps = 1 0 0  -> Set background color to Black.\n   *     Ps = 1 0 1  -> Set background color to Red.\n   *     Ps = 1 0 2  -> Set background color to Green.\n   *     Ps = 1 0 3  -> Set background color to Yellow.\n   *     Ps = 1 0 4  -> Set background color to Blue.\n   *     Ps = 1 0 5  -> Set background color to Magenta.\n   *     Ps = 1 0 6  -> Set background color to Cyan.\n   *     Ps = 1 0 7  -> Set background color to White.\n   *\n   *   If xterm is compiled with the 16-color support disabled, it\n   *   supports the following, from rxvt:\n   *     Ps = 1 0 0  -> Set foreground and background color to\n   *     default.\n   *\n   *   If 88- or 256-color support is compiled, the following apply.\n   *     Ps = 3 8  ; 5  ; Ps -> Set foreground color to the second\n   *     Ps.\n   *     Ps = 4 8  ; 5  ; Ps -> Set background color to the second\n   *     Ps.\n   */\n  public charAttributes(params: number[]): void {\n    // Optimize a single SGR0.\n    if (params.length === 1 && params[0] === 0) {\n      this._terminal.curAttr = this._terminal.defAttr;\n      return;\n    }\n\n    let l = params.length\n    , i = 0\n    , flags = this._terminal.curAttr >> 18\n    , fg = (this._terminal.curAttr >> 9) & 0x1ff\n    , bg = this._terminal.curAttr & 0x1ff\n    , p;\n\n    for (; i < l; i++) {\n      p = params[i];\n      if (p >= 30 && p <= 37) {\n        // fg color 8\n        fg = p - 30;\n      } else if (p >= 40 && p <= 47) {\n        // bg color 8\n        bg = p - 40;\n      } else if (p >= 90 && p <= 97) {\n        // fg color 16\n        p += 8;\n        fg = p - 90;\n      } else if (p >= 100 && p <= 107) {\n        // bg color 16\n        p += 8;\n        bg = p - 100;\n      } else if (p === 0) {\n        // default\n        flags = this._terminal.defAttr >> 18;\n        fg = (this._terminal.defAttr >> 9) & 0x1ff;\n        bg = this._terminal.defAttr & 0x1ff;\n        // flags = 0;\n        // fg = 0x1ff;\n        // bg = 0x1ff;\n      } else if (p === 1) {\n        // bold text\n        flags |= 1;\n      } else if (p === 4) {\n        // underlined text\n        flags |= 2;\n      } else if (p === 5) {\n        // blink\n        flags |= 4;\n      } else if (p === 7) {\n        // inverse and positive\n        // test with: echo -e '\\e[31m\\e[42mhello\\e[7mworld\\e[27mhi\\e[m'\n        flags |= 8;\n      } else if (p === 8) {\n        // invisible\n        flags |= 16;\n      } else if (p === 22) {\n        // not bold\n        flags &= ~1;\n      } else if (p === 24) {\n        // not underlined\n        flags &= ~2;\n      } else if (p === 25) {\n        // not blink\n        flags &= ~4;\n      } else if (p === 27) {\n        // not inverse\n        flags &= ~8;\n      } else if (p === 28) {\n        // not invisible\n        flags &= ~16;\n      } else if (p === 39) {\n        // reset fg\n        fg = (this._terminal.defAttr >> 9) & 0x1ff;\n      } else if (p === 49) {\n        // reset bg\n        bg = this._terminal.defAttr & 0x1ff;\n      } else if (p === 38) {\n        // fg color 256\n        if (params[i + 1] === 2) {\n          i += 2;\n          fg = this._terminal.matchColor(\n            params[i] & 0xff,\n            params[i + 1] & 0xff,\n            params[i + 2] & 0xff);\n          if (fg === -1) fg = 0x1ff;\n          i += 2;\n        } else if (params[i + 1] === 5) {\n          i += 2;\n          p = params[i] & 0xff;\n          fg = p;\n        }\n      } else if (p === 48) {\n        // bg color 256\n        if (params[i + 1] === 2) {\n          i += 2;\n          bg = this._terminal.matchColor(\n            params[i] & 0xff,\n            params[i + 1] & 0xff,\n            params[i + 2] & 0xff);\n          if (bg === -1) bg = 0x1ff;\n          i += 2;\n        } else if (params[i + 1] === 5) {\n          i += 2;\n          p = params[i] & 0xff;\n          bg = p;\n        }\n      } else if (p === 100) {\n        // reset fg/bg\n        fg = (this._terminal.defAttr >> 9) & 0x1ff;\n        bg = this._terminal.defAttr & 0x1ff;\n      } else {\n        this._terminal.error('Unknown SGR attribute: %d.', p);\n      }\n    }\n\n    this._terminal.curAttr = (flags << 18) | (fg << 9) | bg;\n  }\n\n  /**\n   * CSI Ps n  Device Status Report (DSR).\n   *     Ps = 5  -> Status Report.  Result (``OK'') is\n   *   CSI 0 n\n   *     Ps = 6  -> Report Cursor Position (CPR) [row;column].\n   *   Result is\n   *   CSI r ; c R\n   * CSI ? Ps n\n   *   Device Status Report (DSR, DEC-specific).\n   *     Ps = 6  -> Report Cursor Position (CPR) [row;column] as CSI\n   *     ? r ; c R (assumes page is zero).\n   *     Ps = 1 5  -> Report Printer status as CSI ? 1 0  n  (ready).\n   *     or CSI ? 1 1  n  (not ready).\n   *     Ps = 2 5  -> Report UDK status as CSI ? 2 0  n  (unlocked)\n   *     or CSI ? 2 1  n  (locked).\n   *     Ps = 2 6  -> Report Keyboard status as\n   *   CSI ? 2 7  ;  1  ;  0  ;  0  n  (North American).\n   *   The last two parameters apply to VT400 & up, and denote key-\n   *   board ready and LK01 respectively.\n   *     Ps = 5 3  -> Report Locator status as\n   *   CSI ? 5 3  n  Locator available, if compiled-in, or\n   *   CSI ? 5 0  n  No Locator, if not.\n   */\n  public deviceStatus(params: number[]): void {\n    if (!this._terminal.prefix) {\n      switch (params[0]) {\n        case 5:\n          // status report\n          this._terminal.send(C0.ESC + '[0n');\n          break;\n        case 6:\n          // cursor position\n          this._terminal.send(C0.ESC + '['\n                    + (this._terminal.buffer.y + 1)\n                    + ';'\n                    + (this._terminal.buffer.x + 1)\n                    + 'R');\n          break;\n      }\n    } else if (this._terminal.prefix === '?') {\n      // modern xterm doesnt seem to\n      // respond to any of these except ?6, 6, and 5\n      switch (params[0]) {\n        case 6:\n          // cursor position\n          this._terminal.send(C0.ESC + '[?'\n                    + (this._terminal.buffer.y + 1)\n                    + ';'\n                    + (this._terminal.buffer.x + 1)\n                    + 'R');\n          break;\n        case 15:\n          // no printer\n          // this.send(C0.ESC + '[?11n');\n          break;\n        case 25:\n          // dont support user defined keys\n          // this.send(C0.ESC + '[?21n');\n          break;\n        case 26:\n          // north american keyboard\n          // this.send(C0.ESC + '[?27;1;0;0n');\n          break;\n        case 53:\n          // no dec locator/mouse\n          // this.send(C0.ESC + '[?50n');\n          break;\n      }\n    }\n  }\n\n  /**\n   * CSI ! p   Soft terminal reset (DECSTR).\n   * http://vt100.net/docs/vt220-rm/table4-10.html\n   */\n  public softReset(params: number[]): void {\n    this._terminal.cursorHidden = false;\n    this._terminal.insertMode = false;\n    this._terminal.originMode = false;\n    this._terminal.wraparoundMode = true;  // defaults: xterm - true, vt100 - false\n    this._terminal.applicationKeypad = false; // ?\n    this._terminal.viewport.syncScrollArea();\n    this._terminal.applicationCursor = false;\n    this._terminal.buffer.scrollTop = 0;\n    this._terminal.buffer.scrollBottom = this._terminal.rows - 1;\n    this._terminal.curAttr = this._terminal.defAttr;\n    this._terminal.buffer.x = this._terminal.buffer.y = 0; // ?\n    this._terminal.charset = null;\n    this._terminal.glevel = 0; // ??\n    this._terminal.charsets = [null]; // ??\n  }\n\n  /**\n   * CSI Ps SP q  Set cursor style (DECSCUSR, VT520).\n   *   Ps = 0  -> blinking block.\n   *   Ps = 1  -> blinking block (default).\n   *   Ps = 2  -> steady block.\n   *   Ps = 3  -> blinking underline.\n   *   Ps = 4  -> steady underline.\n   *   Ps = 5  -> blinking bar (xterm).\n   *   Ps = 6  -> steady bar (xterm).\n   */\n  public setCursorStyle(params?: number[]): void {\n    const param = params[0] < 1 ? 1 : params[0];\n    switch (param) {\n      case 1:\n      case 2:\n        this._terminal.setOption('cursorStyle', 'block');\n        break;\n      case 3:\n      case 4:\n        this._terminal.setOption('cursorStyle', 'underline');\n        break;\n      case 5:\n      case 6:\n        this._terminal.setOption('cursorStyle', 'bar');\n        break;\n    }\n    const isBlinking = param % 2 === 1;\n    this._terminal.setOption('cursorBlink', isBlinking);\n  }\n\n  /**\n   * CSI Ps ; Ps r\n   *   Set Scrolling Region [top;bottom] (default = full size of win-\n   *   dow) (DECSTBM).\n   * CSI ? Pm r\n   */\n  public setScrollRegion(params: number[]): void {\n    if (this._terminal.prefix) return;\n    this._terminal.buffer.scrollTop = (params[0] || 1) - 1;\n    this._terminal.buffer.scrollBottom = (params[1] && params[1] <= this._terminal.rows ? params[1] : this._terminal.rows) - 1;\n    this._terminal.buffer.x = 0;\n    this._terminal.buffer.y = 0;\n  }\n\n\n  /**\n   * CSI s\n   *   Save cursor (ANSI.SYS).\n   */\n  public saveCursor(params: number[]): void {\n    this._terminal.buffer.savedX = this._terminal.buffer.x;\n    this._terminal.buffer.savedY = this._terminal.buffer.y;\n  }\n\n\n  /**\n   * CSI u\n   *   Restore cursor (ANSI.SYS).\n   */\n  public restoreCursor(params: number[]): void {\n    this._terminal.buffer.x = this._terminal.buffer.savedX || 0;\n    this._terminal.buffer.y = this._terminal.buffer.savedY || 0;\n  }\n}\n\nexport const wcwidth = (function(opts) {\n    // extracted from https://www.cl.cam.ac.uk/%7Emgk25/ucs/wcwidth.c\n    // combining characters\n    const COMBINING_BMP = [\n      [0x0300, 0x036F], [0x0483, 0x0486], [0x0488, 0x0489],\n      [0x0591, 0x05BD], [0x05BF, 0x05BF], [0x05C1, 0x05C2],\n      [0x05C4, 0x05C5], [0x05C7, 0x05C7], [0x0600, 0x0603],\n      [0x0610, 0x0615], [0x064B, 0x065E], [0x0670, 0x0670],\n      [0x06D6, 0x06E4], [0x06E7, 0x06E8], [0x06EA, 0x06ED],\n      [0x070F, 0x070F], [0x0711, 0x0711], [0x0730, 0x074A],\n      [0x07A6, 0x07B0], [0x07EB, 0x07F3], [0x0901, 0x0902],\n      [0x093C, 0x093C], [0x0941, 0x0948], [0x094D, 0x094D],\n      [0x0951, 0x0954], [0x0962, 0x0963], [0x0981, 0x0981],\n      [0x09BC, 0x09BC], [0x09C1, 0x09C4], [0x09CD, 0x09CD],\n      [0x09E2, 0x09E3], [0x0A01, 0x0A02], [0x0A3C, 0x0A3C],\n      [0x0A41, 0x0A42], [0x0A47, 0x0A48], [0x0A4B, 0x0A4D],\n      [0x0A70, 0x0A71], [0x0A81, 0x0A82], [0x0ABC, 0x0ABC],\n      [0x0AC1, 0x0AC5], [0x0AC7, 0x0AC8], [0x0ACD, 0x0ACD],\n      [0x0AE2, 0x0AE3], [0x0B01, 0x0B01], [0x0B3C, 0x0B3C],\n      [0x0B3F, 0x0B3F], [0x0B41, 0x0B43], [0x0B4D, 0x0B4D],\n      [0x0B56, 0x0B56], [0x0B82, 0x0B82], [0x0BC0, 0x0BC0],\n      [0x0BCD, 0x0BCD], [0x0C3E, 0x0C40], [0x0C46, 0x0C48],\n      [0x0C4A, 0x0C4D], [0x0C55, 0x0C56], [0x0CBC, 0x0CBC],\n      [0x0CBF, 0x0CBF], [0x0CC6, 0x0CC6], [0x0CCC, 0x0CCD],\n      [0x0CE2, 0x0CE3], [0x0D41, 0x0D43], [0x0D4D, 0x0D4D],\n      [0x0DCA, 0x0DCA], [0x0DD2, 0x0DD4], [0x0DD6, 0x0DD6],\n      [0x0E31, 0x0E31], [0x0E34, 0x0E3A], [0x0E47, 0x0E4E],\n      [0x0EB1, 0x0EB1], [0x0EB4, 0x0EB9], [0x0EBB, 0x0EBC],\n      [0x0EC8, 0x0ECD], [0x0F18, 0x0F19], [0x0F35, 0x0F35],\n      [0x0F37, 0x0F37], [0x0F39, 0x0F39], [0x0F71, 0x0F7E],\n      [0x0F80, 0x0F84], [0x0F86, 0x0F87], [0x0F90, 0x0F97],\n      [0x0F99, 0x0FBC], [0x0FC6, 0x0FC6], [0x102D, 0x1030],\n      [0x1032, 0x1032], [0x1036, 0x1037], [0x1039, 0x1039],\n      [0x1058, 0x1059], [0x1160, 0x11FF], [0x135F, 0x135F],\n      [0x1712, 0x1714], [0x1732, 0x1734], [0x1752, 0x1753],\n      [0x1772, 0x1773], [0x17B4, 0x17B5], [0x17B7, 0x17BD],\n      [0x17C6, 0x17C6], [0x17C9, 0x17D3], [0x17DD, 0x17DD],\n      [0x180B, 0x180D], [0x18A9, 0x18A9], [0x1920, 0x1922],\n      [0x1927, 0x1928], [0x1932, 0x1932], [0x1939, 0x193B],\n      [0x1A17, 0x1A18], [0x1B00, 0x1B03], [0x1B34, 0x1B34],\n      [0x1B36, 0x1B3A], [0x1B3C, 0x1B3C], [0x1B42, 0x1B42],\n      [0x1B6B, 0x1B73], [0x1DC0, 0x1DCA], [0x1DFE, 0x1DFF],\n      [0x200B, 0x200F], [0x202A, 0x202E], [0x2060, 0x2063],\n      [0x206A, 0x206F], [0x20D0, 0x20EF], [0x302A, 0x302F],\n      [0x3099, 0x309A], [0xA806, 0xA806], [0xA80B, 0xA80B],\n      [0xA825, 0xA826], [0xFB1E, 0xFB1E], [0xFE00, 0xFE0F],\n      [0xFE20, 0xFE23], [0xFEFF, 0xFEFF], [0xFFF9, 0xFFFB],\n    ];\n    const COMBINING_HIGH = [\n      [0x10A01, 0x10A03], [0x10A05, 0x10A06], [0x10A0C, 0x10A0F],\n      [0x10A38, 0x10A3A], [0x10A3F, 0x10A3F], [0x1D167, 0x1D169],\n      [0x1D173, 0x1D182], [0x1D185, 0x1D18B], [0x1D1AA, 0x1D1AD],\n      [0x1D242, 0x1D244], [0xE0001, 0xE0001], [0xE0020, 0xE007F],\n      [0xE0100, 0xE01EF]\n    ];\n    // binary search\n    function bisearch(ucs, data) {\n      let min = 0;\n      let max = data.length - 1;\n      let mid;\n      if (ucs < data[0][0] || ucs > data[max][1])\n        return false;\n      while (max >= min) {\n        mid = (min + max) >> 1;\n        if (ucs > data[mid][1])\n          min = mid + 1;\n        else if (ucs < data[mid][0])\n          max = mid - 1;\n        else\n          return true;\n      }\n      return false;\n    }\n    function wcwidthBMP(ucs) {\n      // test for 8-bit control characters\n      if (ucs === 0)\n        return opts.nul;\n      if (ucs < 32 || (ucs >= 0x7f && ucs < 0xa0))\n        return opts.control;\n      // binary search in table of non-spacing characters\n      if (bisearch(ucs, COMBINING_BMP))\n        return 0;\n      // if we arrive here, ucs is not a combining or C0/C1 control character\n      if (isWideBMP(ucs)) {\n        return 2;\n      }\n      return 1;\n    }\n    function isWideBMP(ucs) {\n      return (\n        ucs >= 0x1100 && (\n        ucs <= 0x115f ||                // Hangul Jamo init. consonants\n        ucs === 0x2329 ||\n        ucs === 0x232a ||\n        (ucs >= 0x2e80 && ucs <= 0xa4cf && ucs !== 0x303f) ||  // CJK..Yi\n        (ucs >= 0xac00 && ucs <= 0xd7a3) ||    // Hangul Syllables\n        (ucs >= 0xf900 && ucs <= 0xfaff) ||    // CJK Compat Ideographs\n        (ucs >= 0xfe10 && ucs <= 0xfe19) ||    // Vertical forms\n        (ucs >= 0xfe30 && ucs <= 0xfe6f) ||    // CJK Compat Forms\n        (ucs >= 0xff00 && ucs <= 0xff60) ||    // Fullwidth Forms\n        (ucs >= 0xffe0 && ucs <= 0xffe6)));\n    }\n    function wcwidthHigh(ucs) {\n      if (bisearch(ucs, COMBINING_HIGH))\n        return 0;\n      if ((ucs >= 0x20000 && ucs <= 0x2fffd) || (ucs >= 0x30000 && ucs <= 0x3fffd)) {\n        return 2;\n      }\n      return 1;\n    }\n    const control = opts.control | 0;\n    let table = null;\n    function init_table() {\n      // lookup table for BMP\n      const CODEPOINTS = 65536;  // BMP holds 65536 codepoints\n      const BITWIDTH = 2;        // a codepoint can have a width of 0, 1 or 2\n      const ITEMSIZE = 32;       // using uint32_t\n      const CONTAINERSIZE = CODEPOINTS * BITWIDTH / ITEMSIZE;\n      const CODEPOINTS_PER_ITEM = ITEMSIZE / BITWIDTH;\n      table = (typeof Uint32Array === 'undefined')\n        ? new Array(CONTAINERSIZE)\n        : new Uint32Array(CONTAINERSIZE);\n      for (let i = 0; i < CONTAINERSIZE; ++i) {\n        let num = 0;\n        let pos = CODEPOINTS_PER_ITEM;\n        while (pos--)\n          num = (num << 2) | wcwidthBMP(CODEPOINTS_PER_ITEM * i + pos);\n        table[i] = num;\n      }\n    return table;\n    }\n    // get width from lookup table\n    //   position in container   : num / CODEPOINTS_PER_ITEM\n    //     ==> n = table[Math.floor(num / 16)]\n    //     ==> n = table[num >> 4]\n    //   16 codepoints per number:       FFEEDDCCBBAA99887766554433221100\n    //   position in number      : (num % CODEPOINTS_PER_ITEM) * BITWIDTH\n    //     ==> m = (n % 16) * 2\n    //     ==> m = (num & 15) << 1\n    //   right shift to position m\n    //     ==> n = n >> m     e.g. m=12  000000000000FFEEDDCCBBAA99887766\n    //   we are only interested in 2 LSBs, cut off higher bits\n    //     ==> n = n & 3      e.g.       000000000000000000000000000000XX\n    return function (num) {\n      num = num | 0;  // get asm.js like optimization under V8\n      if (num < 32)\n        return control | 0;\n      if (num < 127)\n        return 1;\n      let t = table || init_table();\n      if (num < 65536)\n        return t[num >> 4] >> ((num & 15) << 1) & 3;\n      // do a full search for high codepoints\n      return wcwidthHigh(num);\n    };\n})({nul: 0, control: 0});  // configurable options\n","/**\n * @license MIT\n */\n\nimport { IEventEmitter } from './Interfaces';\n\ninterface ListenerType {\n    (): void;\n    listener?: () => void;\n};\n\nexport class EventEmitter implements IEventEmitter {\n  private _events: {[type: string]: ListenerType[]};\n\n  constructor() {\n    // Restore the previous events if available, this will happen if the\n    // constructor is called multiple times on the same object (terminal reset).\n    this._events = this._events || {};\n  }\n\n  public on(type, listener): void {\n    this._events[type] = this._events[type] || [];\n    this._events[type].push(listener);\n  }\n\n  public off(type, listener): void {\n    if (!this._events[type]) {\n      return;\n    }\n\n    let obj = this._events[type];\n    let i = obj.length;\n\n    while (i--) {\n      if (obj[i] === listener || obj[i].listener === listener) {\n        obj.splice(i, 1);\n        return;\n      }\n    }\n  }\n\n  public removeAllListeners(type): void {\n    if (this._events[type]) {\n       delete this._events[type];\n    }\n  }\n\n  public once(type, listener): any {\n    function on() {\n      let args = Array.prototype.slice.call(arguments);\n      this.off(type, on);\n      return listener.apply(this, args);\n    }\n    (<any>on).listener = listener;\n    return this.on(type, on);\n  }\n\n  public emit(type: string, ...args: any[]): void {\n    if (!this._events[type]) {\n      return;\n    }\n    let obj = this._events[type];\n    for (let i = 0; i < obj.length; i++) {\n      obj[i].apply(this, args);\n    }\n  }\n\n  public listeners(type): ListenerType[] {\n    return this._events[type] || [];\n  }\n}\n","/**\n * @license MIT\n */\n\n/**\n * C0 control codes\n * See = https://en.wikipedia.org/wiki/C0_and_C1_control_codes\n */\nexport namespace C0 {\n  /** Null (Caret = ^@, C = \\0) */\n  export const NUL = '\\x00';\n  /** Start of Heading (Caret = ^A) */\n  export const SOH = '\\x01';\n  /** Start of Text (Caret = ^B) */\n  export const STX = '\\x02';\n  /** End of Text (Caret = ^C) */\n  export const ETX = '\\x03';\n  /** End of Transmission (Caret = ^D) */\n  export const EOT = '\\x04';\n  /** Enquiry (Caret = ^E) */\n  export const ENQ = '\\x05';\n  /** Acknowledge (Caret = ^F) */\n  export const ACK = '\\x06';\n  /** Bell (Caret = ^G, C = \\a) */\n  export const BEL = '\\x07';\n  /** Backspace (Caret = ^H, C = \\b) */\n  export const BS  = '\\x08';\n  /** Character Tabulation, Horizontal Tabulation (Caret = ^I, C = \\t) */\n  export const HT  = '\\x09';\n  /** Line Feed (Caret = ^J, C = \\n) */\n  export const LF  = '\\x0a';\n  /** Line Tabulation, Vertical Tabulation (Caret = ^K, C = \\v) */\n  export const VT  = '\\x0b';\n  /** Form Feed (Caret = ^L, C = \\f) */\n  export const FF  = '\\x0c';\n  /** Carriage Return (Caret = ^M, C = \\r) */\n  export const CR  = '\\x0d';\n  /** Shift Out (Caret = ^N) */\n  export const SO  = '\\x0e';\n  /** Shift In (Caret = ^O) */\n  export const SI  = '\\x0f';\n  /** Data Link Escape (Caret = ^P) */\n  export const DLE = '\\x10';\n  /** Device Control One (XON) (Caret = ^Q) */\n  export const DC1 = '\\x11';\n  /** Device Control Two (Caret = ^R) */\n  export const DC2 = '\\x12';\n  /** Device Control Three (XOFF) (Caret = ^S) */\n  export const DC3 = '\\x13';\n  /** Device Control Four (Caret = ^T) */\n  export const DC4 = '\\x14';\n  /** Negative Acknowledge (Caret = ^U) */\n  export const NAK = '\\x15';\n  /** Synchronous Idle (Caret = ^V) */\n  export const SYN = '\\x16';\n  /** End of Transmission Block (Caret = ^W) */\n  export const ETB = '\\x17';\n  /** Cancel (Caret = ^X) */\n  export const CAN = '\\x18';\n  /** End of Medium (Caret = ^Y) */\n  export const EM  = '\\x19';\n  /** Substitute (Caret = ^Z) */\n  export const SUB = '\\x1a';\n  /** Escape (Caret = ^[, C = \\e) */\n  export const ESC = '\\x1b';\n  /** File Separator (Caret = ^\\) */\n  export const FS  = '\\x1c';\n  /** Group Separator (Caret = ^]) */\n  export const GS  = '\\x1d';\n  /** Record Separator (Caret = ^^) */\n  export const RS  = '\\x1e';\n  /** Unit Separator (Caret = ^_) */\n  export const US  = '\\x1f';\n  /** Space */\n  export const SP  = '\\x20';\n  /** Delete (Caret = ^?) */\n  export const DEL = '\\x7f';\n};\n","/**\n * @license MIT\n */\n\nimport { ITerminal } from './Interfaces';\n\ninterface IPosition {\n  start: number;\n  end: number;\n}\n\n/**\n * Encapsulates the logic for handling compositionstart, compositionupdate and compositionend\n * events, displaying the in-progress composition to the UI and forwarding the final composition\n * to the handler.\n */\nexport class CompositionHelper {\n  /**\n   * Whether input composition is currently happening, eg. via a mobile keyboard, speech input or\n   * IME. This variable determines whether the compositionText should be displayed on the UI.\n   */\n  private isComposing: boolean;\n\n  /**\n   * The position within the input textarea's value of the current composition.\n   */\n  private compositionPosition: IPosition;\n\n  /**\n   * Whether a composition is in the process of being sent, setting this to false will cancel any\n   * in-progress composition.\n   */\n  private isSendingComposition: boolean;\n\n  /**\n   * Creates a new CompositionHelper.\n   * @param textarea The textarea that xterm uses for input.\n   * @param compositionView The element to display the in-progress composition in.\n   * @param terminal The Terminal to forward the finished composition to.\n   */\n  constructor(\n    private textarea: HTMLTextAreaElement,\n    private compositionView: HTMLElement,\n    private terminal: ITerminal\n  ) {\n    this.isComposing = false;\n    this.isSendingComposition = false;\n    this.compositionPosition = { start: null, end: null };\n  }\n\n  /**\n   * Handles the compositionstart event, activating the composition view.\n   */\n  public compositionstart() {\n    this.isComposing = true;\n    this.compositionPosition.start = this.textarea.value.length;\n    this.compositionView.textContent = '';\n    this.compositionView.classList.add('active');\n  }\n\n  /**\n   * Handles the compositionupdate event, updating the composition view.\n   * @param {CompositionEvent} ev The event.\n   */\n  public compositionupdate(ev: CompositionEvent) {\n    this.compositionView.textContent = ev.data;\n    this.updateCompositionElements();\n    setTimeout(() => {\n      this.compositionPosition.end = this.textarea.value.length;\n    }, 0);\n  }\n\n  /**\n   * Handles the compositionend event, hiding the composition view and sending the composition to\n   * the handler.\n   */\n  public compositionend() {\n    this.finalizeComposition(true);\n  }\n\n  /**\n   * Handles the keydown event, routing any necessary events to the CompositionHelper functions.\n   * @param ev The keydown event.\n   * @return Whether the Terminal should continue processing the keydown event.\n   */\n  public keydown(ev: KeyboardEvent) {\n    if (this.isComposing || this.isSendingComposition) {\n      if (ev.keyCode === 229) {\n        // Continue composing if the keyCode is the \"composition character\"\n        return false;\n      } else if (ev.keyCode === 16 || ev.keyCode === 17 || ev.keyCode === 18) {\n        // Continue composing if the keyCode is a modifier key\n        return false;\n      } else {\n        // Finish composition immediately. This is mainly here for the case where enter is\n        // pressed and the handler needs to be triggered before the command is executed.\n        this.finalizeComposition(false);\n      }\n    }\n\n    if (ev.keyCode === 229) {\n      // If the \"composition character\" is used but gets to this point it means a non-composition\n      // character (eg. numbers and punctuation) was pressed when the IME was active.\n      this.handleAnyTextareaChanges();\n      return false;\n    }\n\n    return true;\n  }\n\n  /**\n   * Finalizes the composition, resuming regular input actions. This is called when a composition\n   * is ending.\n   * @param waitForPropogation Whether to wait for events to propogate before sending\n   *   the input. This should be false if a non-composition keystroke is entered before the\n   *   compositionend event is triggered, such as enter, so that the composition is send before\n   *   the command is executed.\n   */\n  private finalizeComposition(waitForPropogation: boolean) {\n    this.compositionView.classList.remove('active');\n    this.isComposing = false;\n    this.clearTextareaPosition();\n\n    if (!waitForPropogation) {\n      // Cancel any delayed composition send requests and send the input immediately.\n      this.isSendingComposition = false;\n      const input = this.textarea.value.substring(this.compositionPosition.start, this.compositionPosition.end);\n      this.terminal.handler(input);\n    } else {\n      // Make a deep copy of the composition position here as a new compositionstart event may\n      // fire before the setTimeout executes.\n      const currentCompositionPosition = {\n        start: this.compositionPosition.start,\n        end: this.compositionPosition.end,\n      };\n\n      // Since composition* events happen before the changes take place in the textarea on most\n      // browsers, use a setTimeout with 0ms time to allow the native compositionend event to\n      // complete. This ensures the correct character is retrieved, this solution was used\n      // because:\n      // - The compositionend event's data property is unreliable, at least on Chromium\n      // - The last compositionupdate event's data property does not always accurately describe\n      //   the character, a counter example being Korean where an ending consonsant can move to\n      //   the following character if the following input is a vowel.\n      this.isSendingComposition = true;\n      setTimeout(() => {\n        // Ensure that the input has not already been sent\n        if (this.isSendingComposition) {\n          this.isSendingComposition = false;\n          let input;\n          if (this.isComposing) {\n            // Use the end position to get the string if a new composition has started.\n            input = this.textarea.value.substring(currentCompositionPosition.start, currentCompositionPosition.end);\n          } else {\n            // Don't use the end position here in order to pick up any characters after the\n            // composition has finished, for example when typing a non-composition character\n            // (eg. 2) after a composition character.\n            input = this.textarea.value.substring(currentCompositionPosition.start);\n          }\n          this.terminal.handler(input);\n        }\n      }, 0);\n    }\n  }\n\n  /**\n   * Apply any changes made to the textarea after the current event chain is allowed to complete.\n   * This should be called when not currently composing but a keydown event with the \"composition\n   * character\" (229) is triggered, in order to allow non-composition text to be entered when an\n   * IME is active.\n   */\n  private handleAnyTextareaChanges() {\n    const oldValue = this.textarea.value;\n    setTimeout(() => {\n      // Ignore if a composition has started since the timeout\n      if (!this.isComposing) {\n        const newValue = this.textarea.value;\n        const diff = newValue.replace(oldValue, '');\n        if (diff.length > 0) {\n          this.terminal.handler(diff);\n        }\n      }\n    }, 0);\n  }\n\n  /**\n   * Positions the composition view on top of the cursor and the textarea just below it (so the\n   * IME helper dialog is positioned correctly).\n   * @param dontRecurse Whether to use setTimeout to recursively trigger another update, this is\n   *   necessary as the IME events across browsers are not consistently triggered.\n   */\n  public updateCompositionElements(dontRecurse?: boolean) {\n    if (!this.isComposing) {\n      return;\n    }\n    const cursor = <HTMLElement>this.terminal.element.querySelector('.terminal-cursor');\n    if (cursor) {\n      // Take .xterm-rows offsetTop into account as well in case it's positioned absolutely within\n      // the .xterm element.\n      const xtermRows = <HTMLElement>this.terminal.element.querySelector('.xterm-rows');\n      const cursorTop = xtermRows.offsetTop + cursor.offsetTop;\n\n      this.compositionView.style.left = cursor.offsetLeft + 'px';\n      this.compositionView.style.top = cursorTop + 'px';\n      this.compositionView.style.height = cursor.offsetHeight + 'px';\n      this.compositionView.style.lineHeight = cursor.offsetHeight + 'px';\n      // Sync the textarea to the exact position of the composition view so the IME knows where the\n      // text is.\n      const compositionViewBounds = this.compositionView.getBoundingClientRect();\n      this.textarea.style.left = cursor.offsetLeft + 'px';\n      this.textarea.style.top = cursorTop + 'px';\n      this.textarea.style.width = compositionViewBounds.width + 'px';\n      this.textarea.style.height = compositionViewBounds.height + 'px';\n      this.textarea.style.lineHeight = compositionViewBounds.height + 'px';\n    }\n    if (!dontRecurse) {\n      setTimeout(() => this.updateCompositionElements(true), 0);\n    }\n  };\n\n  /**\n   * Clears the textarea's position so that the cursor does not blink on IE.\n   * @private\n   */\n  private clearTextareaPosition() {\n    this.textarea.style.left = '';\n    this.textarea.style.top = '';\n  };\n}\n","/**\n * @license MIT\n */\n\n/**\n * The character sets supported by the terminal. These enable several languages\n * to be represented within the terminal with only 8-bit encoding. See ISO 2022\n * for a discussion on character sets. Only VT100 character sets are supported.\n */\nexport const CHARSETS: {[key: string]: {[key: string]: string}} = {};\n\n/**\n * The default character set, US.\n */\nexport const DEFAULT_CHARSET = CHARSETS['B'];\n\n/**\n * DEC Special Character and Line Drawing Set.\n * Reference: http://vt100.net/docs/vt102-ug/table5-13.html\n * A lot of curses apps use this if they see TERM=xterm.\n * testing: echo -e '\\e(0a\\e(B'\n * The xterm output sometimes seems to conflict with the\n * reference above. xterm seems in line with the reference\n * when running vttest however.\n * The table below now uses xterm's output from vttest.\n */\nCHARSETS['0'] = {\n  '`': '\\u25c6', // '◆'\n  'a': '\\u2592', // '▒'\n  'b': '\\u0009', // '\\t'\n  'c': '\\u000c', // '\\f'\n  'd': '\\u000d', // '\\r'\n  'e': '\\u000a', // '\\n'\n  'f': '\\u00b0', // '°'\n  'g': '\\u00b1', // '±'\n  'h': '\\u2424', // '\\u2424' (NL)\n  'i': '\\u000b', // '\\v'\n  'j': '\\u2518', // '┘'\n  'k': '\\u2510', // '┐'\n  'l': '\\u250c', // '┌'\n  'm': '\\u2514', // '└'\n  'n': '\\u253c', // '┼'\n  'o': '\\u23ba', // '⎺'\n  'p': '\\u23bb', // '⎻'\n  'q': '\\u2500', // '─'\n  'r': '\\u23bc', // '⎼'\n  's': '\\u23bd', // '⎽'\n  't': '\\u251c', // '├'\n  'u': '\\u2524', // '┤'\n  'v': '\\u2534', // '┴'\n  'w': '\\u252c', // '┬'\n  'x': '\\u2502', // '│'\n  'y': '\\u2264', // '≤'\n  'z': '\\u2265', // '≥'\n  '{': '\\u03c0', // 'π'\n  '|': '\\u2260', // '≠'\n  '}': '\\u00a3', // '£'\n  '~': '\\u00b7'  // '·'\n};\n\n/**\n * British character set\n * ESC (A\n * Reference: http://vt100.net/docs/vt220-rm/table2-5.html\n */\nCHARSETS['A'] = {\n  '#': '£'\n};\n\n/**\n * United States character set\n * ESC (B\n */\nCHARSETS['B'] = null;\n\n/**\n * Dutch character set\n * ESC (4\n * Reference: http://vt100.net/docs/vt220-rm/table2-6.html\n */\nCHARSETS['4'] = {\n  '#': '£',\n  '@': '¾',\n  '[': 'ij',\n  '\\\\': '½',\n  ']': '|',\n  '{': '¨',\n  '|': 'f',\n  '}': '¼',\n  '~': '´'\n};\n\n/**\n * Finnish character set\n * ESC (C or ESC (5\n * Reference: http://vt100.net/docs/vt220-rm/table2-7.html\n */\nCHARSETS['C'] =\nCHARSETS['5'] = {\n  '[': 'Ä',\n  '\\\\': 'Ö',\n  ']': 'Å',\n  '^': 'Ü',\n  '`': 'é',\n  '{': 'ä',\n  '|': 'ö',\n  '}': 'å',\n  '~': 'ü'\n};\n\n/**\n * French character set\n * ESC (R\n * Reference: http://vt100.net/docs/vt220-rm/table2-8.html\n */\nCHARSETS['R'] = {\n  '#': '£',\n  '@': 'à',\n  '[': '°',\n  '\\\\': 'ç',\n  ']': '§',\n  '{': 'é',\n  '|': 'ù',\n  '}': 'è',\n  '~': '¨'\n};\n\n/**\n * French Canadian character set\n * ESC (Q\n * Reference: http://vt100.net/docs/vt220-rm/table2-9.html\n */\nCHARSETS['Q'] = {\n  '@': 'à',\n  '[': 'â',\n  '\\\\': 'ç',\n  ']': 'ê',\n  '^': 'î',\n  '`': 'ô',\n  '{': 'é',\n  '|': 'ù',\n  '}': 'è',\n  '~': 'û'\n};\n\n/**\n * German character set\n * ESC (K\n * Reference: http://vt100.net/docs/vt220-rm/table2-10.html\n */\nCHARSETS['K'] = {\n  '@': '§',\n  '[': 'Ä',\n  '\\\\': 'Ö',\n  ']': 'Ü',\n  '{': 'ä',\n  '|': 'ö',\n  '}': 'ü',\n  '~': 'ß'\n};\n\n/**\n * Italian character set\n * ESC (Y\n * Reference: http://vt100.net/docs/vt220-rm/table2-11.html\n */\nCHARSETS['Y'] = {\n  '#': '£',\n  '@': '§',\n  '[': '°',\n  '\\\\': 'ç',\n  ']': 'é',\n  '`': 'ù',\n  '{': 'à',\n  '|': 'ò',\n  '}': 'è',\n  '~': 'ì'\n};\n\n/**\n * Norwegian/Danish character set\n * ESC (E or ESC (6\n * Reference: http://vt100.net/docs/vt220-rm/table2-12.html\n */\nCHARSETS['E'] =\nCHARSETS['6'] = {\n  '@': 'Ä',\n  '[': 'Æ',\n  '\\\\': 'Ø',\n  ']': 'Å',\n  '^': 'Ü',\n  '`': 'ä',\n  '{': 'æ',\n  '|': 'ø',\n  '}': 'å',\n  '~': 'ü'\n};\n\n/**\n * Spanish character set\n * ESC (Z\n * Reference: http://vt100.net/docs/vt220-rm/table2-13.html\n */\nCHARSETS['Z'] = {\n  '#': '£',\n  '@': '§',\n  '[': '¡',\n  '\\\\': 'Ñ',\n  ']': '¿',\n  '{': '°',\n  '|': 'ñ',\n  '}': 'ç'\n};\n\n/**\n * Swedish character set\n * ESC (H or ESC (7\n * Reference: http://vt100.net/docs/vt220-rm/table2-14.html\n */\nCHARSETS['H'] =\nCHARSETS['7'] = {\n  '@': 'É',\n  '[': 'Ä',\n  '\\\\': 'Ö',\n  ']': 'Å',\n  '^': 'Ü',\n  '`': 'é',\n  '{': 'ä',\n  '|': 'ö',\n  '}': 'å',\n  '~': 'ü'\n};\n\n/**\n * Swiss character set\n * ESC (=\n * Reference: http://vt100.net/docs/vt220-rm/table2-15.html\n */\nCHARSETS['='] = {\n  '#': 'ù',\n  '@': 'à',\n  '[': 'é',\n  '\\\\': 'ç',\n  ']': 'ê',\n  '^': 'î',\n  '_': 'è',\n  '`': 'ô',\n  '{': 'ä',\n  '|': 'ö',\n  '}': 'ü',\n  '~': 'û'\n};\n","/**\n * @license MIT\n */\n\nimport { ITerminal, IBufferSet } from './Interfaces';\nimport { Buffer } from './Buffer';\nimport { EventEmitter } from './EventEmitter';\n\n/**\n * The BufferSet represents the set of two buffers used by xterm terminals (normal and alt) and\n * provides also utilities for working with them.\n */\nexport class BufferSet extends EventEmitter implements IBufferSet {\n  private _normal: Buffer;\n  private _alt: Buffer;\n  private _activeBuffer: Buffer;\n\n  /**\n   * Create a new BufferSet for the given terminal.\n   * @param {Terminal} terminal - The terminal the BufferSet will belong to\n   */\n  constructor(private _terminal: ITerminal) {\n    super();\n    this._normal = new Buffer(this._terminal);\n    this._normal.fillViewportRows();\n    this._alt = new Buffer(this._terminal);\n    this._activeBuffer = this._normal;\n  }\n\n  /**\n   * Returns the alt Buffer of the BufferSet\n   * @returns {Buffer}\n   */\n  public get alt(): Buffer {\n    return this._alt;\n  }\n\n  /**\n   * Returns the normal Buffer of the BufferSet\n   * @returns {Buffer}\n   */\n  public get active(): Buffer {\n    return this._activeBuffer;\n  }\n\n  /**\n   * Returns the currently active Buffer of the BufferSet\n   * @returns {Buffer}\n   */\n  public get normal(): Buffer {\n    return this._normal;\n  }\n\n  /**\n   * Sets the normal Buffer of the BufferSet as its currently active Buffer\n   */\n  public activateNormalBuffer(): void {\n    // The alt buffer should always be cleared when we switch to the normal\n    // buffer. This frees up memory since the alt buffer should always be new\n    // when activated.\n    this._alt.clear();\n\n    this._activeBuffer = this._normal;\n    this.emit('activate', this._normal);\n  }\n\n  /**\n   * Sets the alt Buffer of the BufferSet as its currently active Buffer\n   */\n  public activateAltBuffer(): void {\n    // Since the alt buffer is always cleared when the normal buffer is\n    // activated, we want to fill it when switching to it.\n    this._alt.fillViewportRows();\n\n    this._activeBuffer = this._alt;\n    this.emit('activate', this._alt);\n  }\n\n  /**\n   * Resizes both normal and alt buffers, adjusting their data accordingly.\n   * @param newCols The new number of columns.\n   * @param newRows The new number of rows.\n   */\n  public resize(newCols: number, newRows: number): void {\n    this._normal.resize(newCols, newRows);\n    this._alt.resize(newCols, newRows);\n  }\n}\n","/**\n * @license MIT\n */\n\nimport { ITerminal, IBuffer } from './Interfaces';\nimport { CircularList } from './utils/CircularList';\n\n/**\n * This class represents a terminal buffer (an internal state of the terminal), where the\n * following information is stored (in high-level):\n *   - text content of this particular buffer\n *   - cursor position\n *   - scroll position\n */\nexport class Buffer implements IBuffer {\n  private _lines: CircularList<[number, string, number][]>;\n\n  public ydisp: number;\n  public ybase: number;\n  public y: number;\n  public x: number;\n  public scrollBottom: number;\n  public scrollTop: number;\n  public tabs: any;\n  public savedY: number;\n  public savedX: number;\n\n  /**\n   * Create a new Buffer.\n   * @param {Terminal} _terminal - The terminal the Buffer will belong to\n   * @param {number} ydisp - The scroll position of the Buffer in the viewport\n   * @param {number} ybase - The scroll position of the y cursor (ybase + y = the y position within the Buffer)\n   * @param {number} y - The cursor's y position after ybase\n   * @param {number} x - The cursor's x position after ybase\n   */\n  constructor(\n    private _terminal: ITerminal\n  ) {\n    this.clear();\n  }\n\n  public get lines(): CircularList<[number, string, number][]> {\n    return this._lines;\n  }\n\n  /**\n   * Fills the buffer's viewport with blank lines.\n   */\n  public fillViewportRows(): void {\n    if (this._lines.length === 0) {\n      let i = this._terminal.rows;\n      while (i--) {\n        this.lines.push(this._terminal.blankLine());\n      }\n    }\n  }\n\n  /**\n   * Clears the buffer to it's initial state, discarding all previous data.\n   */\n  public clear(): void {\n    this.ydisp = 0;\n    this.ybase = 0;\n    this.y = 0;\n    this.x = 0;\n    this.scrollBottom = 0;\n    this.scrollTop = 0;\n    this.tabs = {};\n    this._lines = new CircularList<[number, string, number][]>(this._terminal.scrollback);\n    this.scrollBottom = this._terminal.rows - 1;\n  }\n\n  /**\n   * Resizes the buffer, adjusting its data accordingly.\n   * @param newCols The new number of columns.\n   * @param newRows The new number of rows.\n   */\n  public resize(newCols: number, newRows: number): void {\n    // Don't resize the buffer if it's empty and hasn't been used yet.\n    if (this._lines.length === 0) {\n      return;\n    }\n\n    // Deal with columns increasing (we don't do anything when columns reduce)\n    if (this._terminal.cols < newCols) {\n      const ch: [number, string, number] = [this._terminal.defAttr, ' ', 1]; // does xterm use the default attr?\n      for (let i = 0; i < this._lines.length; i++) {\n        // TODO: This should be removed, with tests setup for the case that was\n        // causing the underlying bug, see https://github.com/sourcelair/xterm.js/issues/824\n        if (this._lines.get(i) === undefined) {\n          this._lines.set(i, this._terminal.blankLine(undefined, undefined, newCols));\n        }\n        while (this._lines.get(i).length < newCols) {\n          this._lines.get(i).push(ch);\n        }\n      }\n    }\n\n    // Resize rows in both directions as needed\n    let addToY = 0;\n    if (this._terminal.rows < newRows) {\n      for (let y = this._terminal.rows; y < newRows; y++) {\n        if (this._lines.length < newRows + this.ybase) {\n          if (this.ybase > 0 && this._lines.length <= this.ybase + this.y + addToY + 1) {\n            // There is room above the buffer and there are no empty elements below the line,\n            // scroll up\n            this.ybase--;\n            addToY++;\n            if (this.ydisp > 0) {\n              // Viewport is at the top of the buffer, must increase downwards\n              this.ydisp--;\n            }\n          } else {\n            // Add a blank line if there is no buffer left at the top to scroll to, or if there\n            // are blank lines after the cursor\n            this._lines.push(this._terminal.blankLine(undefined, undefined, newCols));\n          }\n        }\n      }\n    } else { // (this._terminal.rows >= newRows)\n      for (let y = this._terminal.rows; y > newRows; y--) {\n        if (this._lines.length > newRows + this.ybase) {\n          if (this._lines.length > this.ybase + this.y + 1) {\n            // The line is a blank line below the cursor, remove it\n            this._lines.pop();\n          } else {\n            // The line is the cursor, scroll down\n            this.ybase++;\n            this.ydisp++;\n          }\n        }\n      }\n    }\n\n    // Make sure that the cursor stays on screen\n    if (this.y >= newRows) {\n      this.y = newRows - 1;\n    }\n    if (addToY) {\n      this.y += addToY;\n    }\n\n    if (this.x >= newCols) {\n      this.x = newCols - 1;\n    }\n\n    this.scrollTop = 0;\n    this.scrollBottom = newRows - 1;\n  }\n}\n",null],"names":[],"mappings":"AsBAA;;;ADKA;AASA;AAqBA;AACA;AAEA;AACA;AAEA;AAAA;AACA;AACA;;;AAAA;AAKA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAKA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAOA;AAEA;AACA;AACA;AAGA;AACA;AACA;AAGA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAGA;AACA;AACA;AACA;AACA;AAGA;AACA;AACA;AAEA;AACA;AACA;AAAA;AAGA;AACA;AACA;AACA;AACA;AAAA;AACA;AACA;AACA;AAEA;AACA;AAAA;AAEA;AACA;AACA;AACA;AACA;AACA;AAGA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AAEA;AACA;AACA;AACA;AAAA;AAvIa;;;;;;;;;;;;;;;;;ADTb;AACA;AAMA;AAAA;AASA;AAAA;AAAA;AAEA;AACA;AACA;AACA;;AACA;AAMA;AAAA;AACA;AACA;;;AAAA;AAMA;AAAA;AACA;AACA;;;AAAA;AAMA;AAAA;AACA;AACA;;;AAAA;AAKA;AAIA;AAEA;AACA;AACA;AAKA;AAGA;AAEA;AACA;AACA;AAOA;AACA;AACA;AACA;AACA;AAAA;AA3Ea;;;;;;;ADHA;AAKA;AAYb;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAOA;AACA;AACA;AAMA;AAOA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAOA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAOA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAOA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAOA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAOA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAOA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAOA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAOA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAOA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;;;;;;AD3OA;AAwBA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AAKA;AACA;AACA;AACA;AACA;AACA;AAMA;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AAMA;AACA;AACA;AAOA;AACA;AACA;AAEA;AACA;AAAA;AAEA;AACA;AAAA;AAGA;AACA;AACA;AAEA;AAGA;AACA;AACA;AAEA;AACA;AAUA;AAAA;AACA;AACA;AACA;AAEA;AAEA;AACA;AACA;AACA;AAAA;AAGA;AACA;AACA;AACA;AAUA;AACA;AAEA;AACA;AACA;AACA;AAEA;AACA;AAAA;AAIA;AACA;AACA;AACA;AACA;AACA;AACA;AAQA;AAAA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAQA;AAAA;AACA;AACA;AACA;AACA;AACA;AAGA;AACA;AAEA;AACA;AACA;AACA;AAGA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAAA;AAMA;AACA;AACA;AACA;AAAA;AACA;AAAA;AApNa;;;;;;;ADRb;AAAA;AAEA;AAEA;AAEA;AAEA;AAEA;AAEA;AAEA;AAEA;AAEA;AAEA;AAEA;AAEA;AAEA;AAEA;AAEA;AAEA;AAEA;AAEA;AAEA;AAEA;AAEA;AAEA;AAEA;AAEA;AAEA;AAEA;AAEA;AAEA;AAEA;AAEA;AAEA;AAEA;AAEA;AAEA;AACA;AAAC;;;;;;;ADpEA;AAED;AAGA;AAGA;AACA;AAEA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AAEA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AAAA;AAAA;AAAA;;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AAAA;AA3Da;;;;;;;ADNb;AACA;AASA;AAEA;AAAA;AAAA;AAEA;AACA;AAGA;AAEA;AACA;AACA;AAEA;AAIA;AAEA;AACA;AAGA;AACA;AAEA;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AAIA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AAAA;AAGA;AACA;AACA;AAAA;AACA;AACA;AACA;AACA;AACA;AAGA;AAEA;AAGA;AACA;AACA;AACA;AACA;AACA;AAGA;AACA;AACA;AAEA;AACA;AACA;AAGA;AACA;AACA;AACA;AACA;AACA;AAMA;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAMA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AAMA;AACA;AAMA;AACA;AACA;AAMA;AACA;AACA;AACA;AACA;AAMA;AACA;AACA;AAOA;AACA;AACA;AAOA;AACA;AACA;AAMA;AACA;AAEA;AACA;AAAA;AAEA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AAMA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAMA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AAMA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAMA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAOA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAQA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAOA;AACA;AACA;AACA;AACA;AACA;AACA;AAMA;AACA;AAEA;AAEA;AACA;AACA;AAAA;AACA;AACA;AAEA;AACA;AACA;AAAA;AACA;AACA;AAEA;AACA;AACA;AAAA;AACA;AACA;AAEA;AACA;AACA;AAMA;AACA;AACA;AACA;AACA;AACA;AAcA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAAA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AAaA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAMA;AACA;AAEA;AACA;AACA;AACA;AACA;AAEA;AACA;AAEA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AAGA;AACA;AACA;AAGA;AACA;AACA;AAMA;AACA;AAEA;AACA;AACA;AACA;AACA;AAEA;AACA;AAEA;AACA;AAEA;AACA;AACA;AACA;AAGA;AACA;AACA;AAGA;AACA;AACA;AAMA;AACA;AAEA;AACA;AACA;AACA;AAEA;AACA;AAEA;AACA;AACA;AACA;AACA;AAKA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AAKA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AAMA;AACA;AAEA;AACA;AACA;AACA;AAEA;AACA;AACA;AAEA;AACA;AACA;AACA;AAKA;AACA;AACA;AACA;AACA;AACA;AAMA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAOA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAKA;AACA;AAIA;AACA;AACA;AACA;AAuCA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AAAA;AACA;AACA;AACA;AAAA;AAIA;AACA;AACA;AAAA;AACA;AACA;AAAA;AAGA;AACA;AAAA;AACA;AACA;AACA;AACA;AAMA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAOA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AAOA;AACA;AAAA;AACA;AAAA;AAEA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AAUA;AACA;AACA;AACA;AACA;AAAA;AACA;AACA;AACA;AAwFA;AACA;AACA;AACA;AACA;AAEA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AAGA;AACA;AAMA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAGA;AACA;AACA;AACA;AAGA;AACA;AACA;AAKA;AACA;AACA;AAKA;AACA;AACA;AACA;AACA;AAIA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAoFA;AACA;AACA;AACA;AACA;AAEA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AAEA;AAKA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAkEA;AAEA;AACA;AACA;AACA;AAEA;AAOA;AACA;AACA;AAEA;AACA;AAAA;AAEA;AACA;AAAA;AAEA;AACA;AACA;AAAA;AAEA;AACA;AACA;AAAA;AAEA;AACA;AACA;AAIA;AAAA;AAEA;AACA;AAAA;AAEA;AACA;AAAA;AAEA;AACA;AAAA;AAGA;AACA;AAAA;AAEA;AACA;AAAA;AAEA;AACA;AAAA;AAEA;AACA;AAAA;AAEA;AACA;AAAA;AAEA;AACA;AAAA;AAEA;AACA;AAAA;AAEA;AACA;AAAA;AAEA;AACA;AAAA;AAEA;AACA;AACA;AAIA;AAAA;AACA;AACA;AAAA;AACA;AACA;AACA;AACA;AACA;AAAA;AAEA;AACA;AACA;AAIA;AAAA;AACA;AACA;AAAA;AACA;AACA;AACA;AACA;AACA;AAAA;AAEA;AACA;AACA;AAAA;AACA;AACA;AACA;AAEA;AACA;AAyBA;AACA;AACA;AACA;AAEA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAAA;AAGA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AAGA;AACA;AAGA;AACA;AAGA;AACA;AAGA;AACA;AACA;AACA;AAMA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAYA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAQA;AACA;AAAA;AACA;AACA;AACA;AACA;AACA;AAOA;AACA;AACA;AACA;AAOA;AACA;AACA;AACA;AACA;AAAA;AA96Ca;AAg7CA;AAGb;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AAEA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AAGA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAaA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;;;;;;;ADnlDA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAKA;AAKA;AAeA;AAFA;AAGA;AACA;AACA;AACA;AAOA;AACA;AACA;AACA;AAMA;AAEA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AAQA;AACA;AACA;AAOA;AACA;AACA;AAYA;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAQA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AAOA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAMA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAPA;AAAA;AAOA;AACA;AAEA;AACA;AACA;AACA;AAQA;AAEA;AACA;AACA;AAGA;AACA;AACA;AACA;AACA;AAEA;AAEA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AAAA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AAAA;AAEA;AACA;AACA;AACA;AAEA;AAGA;AACA;AACA;AACA;AAAA;AAEA;AAEA;AACA;AACA;AAGA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAOA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AAAA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAOA;AAAA;AAAA;AAAA;;AACA;AACA;AACA;AACA;AACA;AACA;AAWA;AAGA;AACA;AACA;AAKA;AACA;AACA;AAEA;AAEA;AAEA;AACA;AACA;AACA;AACA;AAEA;AAEA;AACA;AACA;AACA;AACA;AAGA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAAA;AAhUmB;AANN;;;;;;;ADhCb;AAEA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAGA;AACA;AAEA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AAEA;AACA;AACA;AAEA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AAGA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAAA;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAOA;AAKA;AACA;AACA;AAEA;AACA;AAOA;AACA;AAEA;AACA;AACA;AAEA;AAEA;AACA;AACA;AACA;AAEA;AACA;AAIA;AACA;AAGA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AAEA;AACA;AACA;AACA;AACA;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AAGA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAKA;AACA;AACA;AACA;AACA;AAKA;AACA;AAIA;AACA;AAGA;AACA;AACA;AAGA;AACA;AACA;AAGA;AACA;AACA;AAGA;AACA;AACA;AAGA;AACA;AACA;AAGA;AACA;AACA;AACA;AAGA;AACA;AACA;AACA;AAGA;AACA;AACA;AACA;AAGA;AACA;AACA;AACA;AAGA;AACA;AACA;AACA;AACA;AACA;AAGA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AAIA;AACA;AAAA;AAEA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AAEA;AACA;AAEA;AACA;AAEA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AAEA;AACA;AACA;AACA;AAAA;AACA;AACA;AACA;AACA;AACA;AAAA;AACA;AACA;AACA;AACA;AAAA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AAEA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AAAA;AACA;AACA;AAEA;AACA;AACA;AACA;AAEA;AACA;AACA;AAAA;AACA;AACA;AAEA;AAEA;AACA;AAIA;AACA;AACA;AAEA;AAEA;AACA;AACA;AAGA;AACA;AACA;AAGA;AACA;AACA;AACA;AACA;AACA;AACA;AAGA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AAEA;AACA;AAGA;AACA;AAMA;AACA;AACA;AAEA;AACA;AAEA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AAAA;AACA;AACA;AACA;AAAA;AACA;AACA;AAAA;AACA;AACA;AACA;AAAA;AACA;AACA;AACA;AAEA;AAEA;AACA;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAOA;AACA;AACA;AAQA;AACA;AACA;AAQA;AACA;AACA;AAOA;AACA;AACA;AAKA;AACA;AACA;AAMA;AACA;AACA;AACA;AAKA;AACA;AACA;AASA;AAAA;AA9da;;;;;;;ADjKb;AAOA;AAKA;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AAAC;AAED;AAEA;AAQA;AAAA;AANA;AACA;AACA;AAEA;AAKA;AACA;AACA;AACA;AAKA;AAQA;AACA;AACA;AACA;AACA;AACA;AAMA;AAKA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AAEA;AACA;AACA;AAAA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAuBA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AAEA;AACA;AACA;AACA;AAEA;AACA;AAEA;AAEA;AACA;AACA;AACA;AACA;AACA;AAAA;AACA;AACA;AAEA;AAEA;AACA;AACA;AAGA;AACA;AACA;AACA;AACA;AAEA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AAEA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AAEA;AACA;AACA;AAEA;AACA;AACA;AAGA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AAEA;AACA;AACA;AASA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AAEA;AACA;AACA;AAEA;AACA;AAEA;AAGA;AACA;AAAA;AAEA;AACA;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAAA;AACA;AACA;AACA;AACA;AACA;AAIA;AAEA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AAEA;AACA;AACA;AAEA;AACA;AAAA;AAOA;AAEA;AACA;AACA;AAGA;AACA;AACA;AAGA;AACA;AACA;AACA;AAGA;AACA;AACA;AAGA;AAEA;AACA;AACA;AAEA;AACA;AAEA;AAEA;AACA;AACA;AACA;AACA;AAQA;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAAA;AApWa;AAwWb;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;;;;;;;;;;;;;;;;AD3YA;AACA;AAGA;AAEA;AACA;AAMA;AAKA;AAKA;AAMA;AAIA;AACA;AAEA;AACA;AAaA;AAAA;AACA;AACA;AACA;AACA;AAUA;AAAA;AAiCA;AAAA;AACA;AACA;AACA;AACA;AATA;AAYA;AACA;AAEA;AACA;;AACA;AAKA;AAAA;AACA;AACA;AAEA;AAMA;AACA;AAMA;AACA;AACA;AACA;AAKA;AACA;AACA;AAOA;AACA;AACA;AACA;AAEA;AAAA;;;AAAA;AACA;AAAA;;;AAAA;AAKA;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;;AAAA;AAKA;AAAA;AACA;AACA;AACA;AACA;AACA;AAGA;AACA;AACA;AAGA;AACA;AACA;AACA;AACA;AACA;AAAA;AACA;AACA;AACA;AAGA;AACA;AACA;AACA;AACA;AACA;AAAA;AACA;AACA;AACA;AAIA;AACA;AACA;AAEA;AACA;;;AAAA;AAKA;AACA;AACA;AACA;AACA;AAOA;AAAA;AAEA;AACA;AACA;AAIA;AACA;AACA;AACA;AACA;AACA;AACA;AAMA;AACA;AACA;AACA;AAKA;AACA;AACA;AACA;AAMA;AACA;AACA;AACA;AACA;AACA;AAMA;AACA;AACA;AACA;AACA;AAGA;AACA;AAEA;AACA;AACA;AAOA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AAMA;AAGA;AACA;AACA;AACA;AAGA;AACA;AACA;AAGA;AACA;AAEA;AACA;AACA;AAGA;AACA;AAGA;AAGA;AAEA;AACA;AACA;AAAA;AACA;AACA;AACA;AAAA;AACA;AACA;AAAA;AACA;AACA;AACA;AAEA;AACA;AACA;AAKA;AAAA;AAEA;AACA;AACA;AACA;AAKA;AACA;AACA;AACA;AACA;AACA;AAOA;AACA;AACA;AACA;AACA;AAOA;AACA;AACA;AACA;AAGA;AACA;AACA;AACA;AACA;AAGA;AACA;AACA;AACA;AAIA;AACA;AACA;AACA;AACA;AAMA;AACA;AACA;AACA;AACA;AACA;AACA;AAOA;AACA;AACA;AACA;AACA;AACA;AACA;AAOA;AAGA;AAGA;AACA;AACA;AACA;AACA;AAGA;AACA;AACA;AACA;AAAA;AACA;AACA;AACA;AAAA;AACA;AACA;AAGA;AAIA;AACA;AACA;AAAA;AACA;AACA;AAKA;AACA;AACA;AACA;AACA;AACA;AAGA;AACA;AACA;AACA;AACA;AACA;AAMA;AACA;AACA;AAEA;AACA;AACA;AAAA;AACA;AACA;AACA;AACA;AACA;AAMA;AACA;AACA;AAOA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AAMA;AACA;AACA;AACA;AACA;AAEA;AAGA;AACA;AAGA;AACA;AACA;AAEA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AAAA;AAKA;AACA;AAGA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AAMA;AACA;AACA;AACA;AACA;AACA;AACA;AAMA;AACA;AACA;AACA;AACA;AACA;AAOA;AACA;AACA;AAMA;AACA;AACA;AACA;AACA;AAAA;AA1lBa;;;;;;;AD1Db;AAuBA;AACA;AAEA;AACA;AAKA;AACA;AACA;AACA;AACA;AACA;AAKA;AAAA;AACA;AACA;AACA;AAEA;AACA;AACA;AAEA;AACA;;;AAAA;AAMA;AAAA;AACA;AACA;AACA;AAEA;AACA;AACA;AAGA;AACA;AACA;AAGA;AAEA;AACA;AACA;AACA;AACA;AACA;;;AAAA;AAKA;AACA;AACA;AACA;AACA;AAOA;AAEA;AACA;AACA;AACA;AACA;AACA;AAGA;AACA;AACA;AACA;AAGA;AACA;AACA;AACA;AACA;AACA;AAAA;AArHa;;;;;;;ADCb;AAaA;AAAA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AAEA;AACA;AACA;AAGA;AACA;AAMA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAKA;AACA;AAEA;AACA;AACA;AAAA;AAEA;AACA;AAAA;AAEA;AACA;AACA;AACA;AAGA;AACA;AACA;AACA;AACA;AAOA;AACA;AACA;AACA;AACA;AAQA;AACA;AAEA;AACA;AAEA;AACA;AACA;AACA;AAAA;AACA;AACA;AACA;AAEA;AACA;AAAA;AAMA;AACA;AACA;AAAA;AAMA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAAA;AACA;AAAA;AArIa;;;;;;;ADWb;AACA;AACA;AACA;AACA;AACA;AALA;AAWA;AACA;AACA;AACA;AAAA;AACA;AACA;AAGA;AACA;AATA;AAgBA;AACA;AAEA;AAEA;AACA;AACA;AACA;AACA;AAEA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AAzBA;AAgCA;AAEA;AACA;AACA;AACA;AACA;AACA;AAEA;AAGA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AApBA;AA4BA;AACA;AAGA;AACA;AACA;AANA;;;;;;;ADvGA;AAEA;AACA;AACA;AAEa;AACA;AAKA;AACA;AACA;AACA;AACA;;;;;;;ADhBb;AACA;AAYA;AAAA;AAAA;AAEA;AACA;AACA;AACA;AACA;AACA;AAGA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAIA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AAEA;AACA;AAnCA;;;;;;;;;;;;;;;;;ADdA;AAKA;AAAA;AAOA;AAAA;AAEA;AACA;;AACA;AAEA;AAAA;AACA;AACA;;;AAAA;AAEA;AAAA;AACA;AACA;;;AAAA;AAEA;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAGA;AACA;AAAA;AACA;AACA;AACA;AAEA;AACA;AAGA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAAA;AAnDa;;;;;;;;;;;;;;;;;ADJb;AAGA;AAAA;AAKA;AAAA;AAEA;AACA;AACA;;AACA;AAEA;AAAA;AACA;AACA;AAEA;AAGA;AACA;AACA;AACA;AACA;AACA;AACA;;;AAXA;AAaA;AAAA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;;AATA;AAWA;AAAA;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;;;AAAA;AAUA;AACA;AACA;AAUA;AACA;AACA;AAOA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAAA;AACA;AACA;AACA;AAMA;AACA;AACA;AAWA;AAAA;AAAA;AAAA;;AAEA;AACA;AACA;AACA;AACA;AACA;AAEA;AAEA;AACA;AACA;AACA;AACA;AACA;AAGA;AACA;AACA;AACA;AACA;AACA;AAAA;AACA;AACA;AACA;AACA;AAMA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAAA;AACA;AACA;AACA;AACA;AACA;AAQA;AACA;AACA;AACA;AAAA;AAhMa;;;;;;;ADAb;AAYA;AAAA;AACA;AACA;AACA;AACA;AAKA;AACA;AACA;AACA;AACA;AAAA;AACA;AACA;AACA;AACA;AACA;AAQA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAKA;AACA;AACA;AACA;AACA;AACA;AAMA;AACA;AACA;AACA;AACA;AAAA;AAhE0B;AAET;AAHJ;;;;;;;ADEb;AACA;AACA;AAFA;AAEC;;;;;;;ADPD;AAEA;AACA;AACA;AAEA;AACA;AAIA;AACA;AACA;AACA;AACA;AACA;AACA;AAjBA;AAgCA;AAEA;AACA;AACA;AAEA;AACA;AACA;AACA;AAGA;AACA;AAGA;AACA;AAEA;AACA;AApBA;AAgCA;AACA;AACA;AACA;AAGA;AACA;AAEA;AACA;AAVA;;;;;;;AD1DA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAGA;AACA;AAcA;AAOA;AAMA;AAOA;AAkBA;AACA;AAEA;AACA;AACA;AAEA;AACA;AAEA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AAGA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AAAA;AACA;AACA;AAAA;AACA;AAEA;AAAA;AACA;AAEA;AACA;AAEA;AAIA;AAIA;AACA;AACA;AAEA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AAGA;AACA;AACA;AACA;AACA;AAGA;AACA;AACA;AACA;AAGA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAGA;AACA;AACA;AACA;AACA;AACA;AACA;AAGA;AACA;AAEA;AACA;AAEA;AACA;AACA;AACA;AAEA;AACA;AAEA;AACA;AACA;AAGA;AACA;AAQA;AAGA;AAGA;AAGA;AACA;AACA;AACA;AACA;AAGA;AACA;AACA;AAEA;AAGA;AACA;AAEA;AAKA;AAEA;AACA;AAOA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAIA;AACA;AAKA;AACA;AACA;AACA;AAGA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AAEA;AACA;AACA;AACA;AAEA;AACA;AAEA;AAEA;AACA;AAKA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AAMA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAGA;AAEA;AAEA;AAEA;AACA;AACA;AACA;AAKA;AACA;AACA;AAMA;AACA;AACA;AACA;AAEA;AACA;AACA;AAEA;AACA;AAOA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AAEA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAAA;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AAAA;AAAA;AACA;AACA;AAEA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AAOA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAKA;AACA;AACA;AAOA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAKA;AAAA;AACA;AAEA;AACA;AACA;AAGA;AAGA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAGA;AAEA;AACA;AACA;AACA;AACA;AACA;AAAA;AACA;AACA;AACA;AACA;AAKA;AAGA;AACA;AACA;AACA;AACA;AACA;AACA;AAKA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AAEA;AACA;AAEA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAQA;AACA;AACA;AACA;AAEA;AACA;AAEA;AACA;AAQA;AAAA;AACA;AAEA;AAEA;AACA;AACA;AAGA;AACA;AACA;AAGA;AACA;AACA;AACA;AACA;AACA;AAEA;AAEA;AACA;AACA;AACA;AACA;AACA;AAGA;AACA;AACA;AAIA;AACA;AACA;AACA;AACA;AAIA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AAEA;AACA;AAEA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AAGA;AACA;AACA;AACA;AAIA;AACA;AACA;AACA;AACA;AACA;AAGA;AAIA;AAMA;AACA;AAEA;AACA;AAEA;AACA;AACA;AAEA;AACA;AACA;AAIA;AAOA;AACA;AAQA;AACA;AAEA;AACA;AAAA;AAEA;AACA;AAAA;AACA;AACA;AACA;AACA;AAMA;AACA;AACA;AACA;AACA;AACA;AAYA;AACA;AAKA;AACA;AAIA;AAGA;AACA;AAAA;AAEA;AAEA;AACA;AACA;AACA;AACA;AAGA;AACA;AACA;AAIA;AACA;AACA;AAIA;AACA;AAGA;AACA;AAAA;AAIA;AAEA;AACA;AAIA;AACA;AACA;AAAA;AACA;AAAA;AACA;AACA;AAAA;AACA;AAAA;AACA;AACA;AACA;AAAA;AACA;AAAA;AACA;AACA;AACA;AACA;AACA;AAQA;AAOA;AAGA;AACA;AACA;AACA;AACA;AAAA;AACA;AAAA;AACA;AAAA;AACA;AAAA;AACA;AAAA;AACA;AACA;AACA;AACA;AAEA;AAEA;AACA;AACA;AACA;AAAA;AACA;AAAA;AACA;AAAA;AACA;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AAEA;AACA;AACA;AAEA;AACA;AAEA;AACA;AAaA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAIA;AACA;AACA;AACA;AAGA;AAEA;AACA;AAAA;AACA;AACA;AAGA;AAEA;AACA;AAEA;AAIA;AACA;AAEA;AAAA;AAGA;AAIA;AACA;AACA;AACA;AACA;AAGA;AAAA;AAGA;AACA;AACA;AACA;AAAA;AACA;AACA;AACA;AACA;AAEA;AACA;AAMA;AACA;AAAA;AACA;AACA;AACA;AAAA;AACA;AACA;AACA;AAIA;AACA;AAAA;AACA;AACA;AACA;AAEA;AACA;AAAA;AACA;AACA;AACA;AAEA;AACA;AAAA;AACA;AACA;AACA;AACA;AAKA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AAQA;AACA;AACA;AACA;AACA;AAOA;AACA;AACA;AACA;AACA;AACA;AACA;AAKA;AACA;AACA;AACA;AACA;AACA;AAOA;AACA;AAGA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AAGA;AACA;AACA;AAGA;AAGA;AAEA;AAEA;AACA;AAAA;AAEA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAGA;AACA;AAQA;AACA;AASA;AACA;AACA;AACA;AACA;AACA;AACA;AAAA;AACA;AACA;AAEA;AACA;AAGA;AACA;AACA;AAEA;AACA;AACA;AAEA;AACA;AAMA;AACA;AACA;AAKA;AACA;AACA;AAKA;AACA;AACA;AAMA;AACA;AAKA;AAGA;AACA;AACA;AAEA;AAEA;AAEA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AAIA;AACA;AACA;AACA;AAEA;AACA;AAOA;AACA;AAEA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AAAA;AACA;AACA;AACA;AAMA;AACA;AACA;AAQA;AACA;AACA;AACA;AACA;AAUA;AACA;AACA;AAQA;AACA;AACA;AACA;AACA;AAEA;AACA;AAQA;AACA;AACA;AACA;AACA;AAEA;AACA;AAYA;AACA;AACA;AACA;AACA;AACA;AACA;AAMA;AACA;AACA;AACA;AACA;AACA;AACA;AAKA;AACA;AACA;AAMA;AACA;AACA;AAKA;AACA;AACA;AACA;AACA;AAKA;AACA;AACA;AACA;AACA;AAQA;AACA;AACA;AACA;AAEA;AAEA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AAEA;AACA;AACA;AAAA;AACA;AACA;AAEA;AACA;AACA;AACA;AAEA;AACA;AACA;AAEA;AAEA;AACA;AAEA;AACA;AACA;AAEA;AACA;AACA;AACA;AAEA;AACA;AASA;AACA;AAGA;AAEA;AAEA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AAEA;AACA;AAIA;AACA;AACA;AACA;AAAA;AACA;AACA;AAAA;AACA;AACA;AACA;AACA;AAEA;AACA;AAIA;AACA;AACA;AACA;AAAA;AACA;AACA;AAAA;AACA;AACA;AACA;AACA;AAEA;AACA;AAGA;AACA;AACA;AACA;AAAA;AACA;AACA;AAAA;AACA;AACA;AACA;AACA;AAEA;AACA;AAGA;AACA;AACA;AACA;AAAA;AACA;AACA;AAAA;AACA;AACA;AACA;AACA;AAEA;AAGA;AACA;AACA;AACA;AAEA;AACA;AACA;AAAA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AAAA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AAAA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAAA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AAAA;AAEA;AACA;AAAA;AAEA;AACA;AAAA;AAEA;AACA;AAAA;AAEA;AACA;AAAA;AAEA;AACA;AAAA;AAEA;AACA;AACA;AAAA;AAEA;AACA;AACA;AAAA;AACA;AACA;AAAA;AACA;AACA;AACA;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AAMA;AACA;AACA;AACA;AAOA;AACA;AACA;AACA;AACA;AACA;AAQA;AACA;AAEA;AACA;AACA;AAEA;AAEA;AACA;AACA;AAAA;AACA;AACA;AAAA;AACA;AACA;AAAA;AACA;AACA;AAEA;AAGA;AACA;AAEA;AAEA;AACA;AACA;AACA;AAEA;AACA;AAMA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AAMA;AACA;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AAAA;AACA;AAKA;AACA;AAAA;AACA;AAAA;AACA;AACA;AACA;AAKA;AACA;AAAA;AACA;AAAA;AACA;AACA;AACA;AAQA;AACA;AACA;AACA;AAEA;AACA;AACA;AAEA;AAOA;AAEA;AACA;AACA;AACA;AACA;AAEA;AAAA;AACA;AAAA;AAEA;AAGA;AACA;AACA;AACA;AACA;AACA;AAAA;AACA;AACA;AAEA;AACA;AACA;AAEA;AAEA;AAEA;AACA;AACA;AAMA;AACA;AAAA;AACA;AAAA;AAOA;AAKA;AACA;AACA;AACA;AAQA;AACA;AACA;AACA;AACA;AACA;AAAA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AAOA;AACA;AAAA;AACA;AAAA;AACA;AACA;AACA;AACA;AAOA;AACA;AAAA;AACA;AAAA;AACA;AACA;AACA;AACA;AAQA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AASA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAKA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAMA;AACA;AACA;AAQA;AACA;AACA;AACA;AAEA;AAMA;AACA;AACA;AAEA;AACA;AACA;AACA;AAEA;AACA;AAOA;AACA;AACA;AACA;AACA;AAOA;AACA;AACA;AACA;AAOA;AAEA;AACA;AACA;AAGA;AACA;AACA;AAGA;AACA;AACA;AACA;AACA;AAOA;AAOA;AACA;AAUA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AAQA;AACA;AACA;AAIA;AACA;AACA;AACA;AACA;AAAA;AACA;AACA;AACA;AAMA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAMA;AACA;AACA;AAMA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AAAA;AACA;AACA;AACA;AAEA;AACA;AAEA;AAEA;AACA;AACA;AAGA;AACA;AAGA;AAEA;AACA;AAEA;AACA;AACA;AAEA;AASA;AACA;AACA;AACA;AACA;AAEA;AAEA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AAEA;AACA;AAEA;AAGA;AACA;AACA;AACA;AACA;AAEA;AACA;AAAA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AAEA;AACA;AAAA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAMA;AACA;AACA;AAQA;AACA;AACA;AAEA;;;"}
\ No newline at end of file

From dc42d1caa26e5c40931d7f3910e38d12e2cd0f59 Mon Sep 17 00:00:00 2001
From: halo <wuyihuangw@gmail.com>
Date: Wed, 27 Apr 2022 22:56:34 +0800
Subject: [PATCH 074/258] =?UTF-8?q?perf:=20=E4=BF=AE=E6=94=B9ssh=5Fclient?=
 =?UTF-8?q?=E8=BF=9E=E6=8E=A5=E9=80=89=E9=A1=B9=E7=BF=BB=E8=AF=91?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/locale/ja/LC_MESSAGES/django.mo  | 4 ++--
 apps/locale/ja/LC_MESSAGES/django.po  | 4 ++--
 apps/locale/zh/LC_MESSAGES/django.mo  | 4 ++--
 apps/locale/zh/LC_MESSAGES/django.po  | 4 ++--
 apps/settings/serializers/terminal.py | 2 +-
 5 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/apps/locale/ja/LC_MESSAGES/django.mo b/apps/locale/ja/LC_MESSAGES/django.mo
index 52b16b3bd..afbb57bf7 100644
--- a/apps/locale/ja/LC_MESSAGES/django.mo
+++ b/apps/locale/ja/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:f2c88ade4bfae213bdcdafad656af73f764e3b1b3f2b0c59aa39626e967730ca
-size 125911
+oid sha256:8f5891533a7cdfa3938ef057364f22b1df73685d423f9fa55bc46cd17439e56e
+size 125915
diff --git a/apps/locale/ja/LC_MESSAGES/django.po b/apps/locale/ja/LC_MESSAGES/django.po
index 8aa00bb46..dfb2f3c56 100644
--- a/apps/locale/ja/LC_MESSAGES/django.po
+++ b/apps/locale/ja/LC_MESSAGES/django.po
@@ -4247,8 +4247,8 @@ msgid "Enable XRDP"
 msgstr "XRDPの有効化"
 
 #: settings/serializers/terminal.py:38
-msgid "Enable KoKo SSH"
-msgstr "KoKo SSHの有効化"
+msgid "Enable SSH Client"
+msgstr "SSH Clientの有効化"
 
 #: settings/utils/ldap.py:419
 msgid "ldap:// or ldaps:// protocol is used."
diff --git a/apps/locale/zh/LC_MESSAGES/django.mo b/apps/locale/zh/LC_MESSAGES/django.mo
index 915796d03..58ce5f865 100644
--- a/apps/locale/zh/LC_MESSAGES/django.mo
+++ b/apps/locale/zh/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:c75e0a1f2a047dac1374916c630bc0e8ef5ad5eea7518ffc21e93f747fc1235e
-size 104165
+oid sha256:c6cf24f38fd82ad87d6062c4b36a771cb9fdeb76975b8b60f335a5a4fd9fd30c
+size 104169
diff --git a/apps/locale/zh/LC_MESSAGES/django.po b/apps/locale/zh/LC_MESSAGES/django.po
index 79cb6c940..049fb5daa 100644
--- a/apps/locale/zh/LC_MESSAGES/django.po
+++ b/apps/locale/zh/LC_MESSAGES/django.po
@@ -4185,8 +4185,8 @@ msgid "Enable XRDP"
 msgstr "启用 XRDP 服务"
 
 #: settings/serializers/terminal.py:38
-msgid "Enable KoKo SSH"
-msgstr "启用 KoKo SSH"
+msgid "Enable SSH Client"
+msgstr "启用 SSH Client"
 
 #: settings/utils/ldap.py:419
 msgid "ldap:// or ldaps:// protocol is used."
diff --git a/apps/settings/serializers/terminal.py b/apps/settings/serializers/terminal.py
index 8cdb9e065..f6799eca1 100644
--- a/apps/settings/serializers/terminal.py
+++ b/apps/settings/serializers/terminal.py
@@ -35,4 +35,4 @@ class TerminalSettingSerializer(serializers.Serializer):
     )
     TERMINAL_MAGNUS_ENABLED = serializers.BooleanField(label=_("Enable database proxy"))
     XRDP_ENABLED = serializers.BooleanField(label=_("Enable XRDP"))
-    TERMINAL_KOKO_SSH_ENABLED = serializers.BooleanField(label=_("Enable KoKo SSH"))
+    TERMINAL_KOKO_SSH_ENABLED = serializers.BooleanField(label=_("Enable SSH Client"))

From 86e6982383bf06dc5ab446ab0cb05763910a835f Mon Sep 17 00:00:00 2001
From: feng626 <1304903146@qq.com>
Date: Wed, 27 Apr 2022 17:16:30 +0800
Subject: [PATCH 075/258] =?UTF-8?q?fix:=20=E7=BB=84=E7=BB=87=E7=AE=A1?=
 =?UTF-8?q?=E7=90=86=E5=91=98=20=E6=B7=BB=E5=8A=A0=20view=20platform=20per?=
 =?UTF-8?q?m?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/rbac/const.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/rbac/const.py b/apps/rbac/const.py
index b84b7c69e..1a3cc93b4 100644
--- a/apps/rbac/const.py
+++ b/apps/rbac/const.py
@@ -91,7 +91,7 @@ exclude_permissions = (
 
 
 only_system_permissions = (
-    ('assets', 'platform', '*', '*'),
+    ('assets', 'platform', 'add,change,delete', 'platform'),
     ('users', 'user', 'delete', 'user'),
     ('rbac', 'role', 'delete,add,change', 'role'),
     ('rbac', 'systemrole', '*', '*'),

From b1aadf1ee9e5ea090be6cea0ca2c36b0db35fc5e Mon Sep 17 00:00:00 2001
From: xiaziheng <1192939559@qq.com>
Date: Thu, 28 Apr 2022 16:16:06 +0800
Subject: [PATCH 076/258] Fix oidc (#8165)

---
 apps/authentication/backends/oidc/backends.py | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/apps/authentication/backends/oidc/backends.py b/apps/authentication/backends/oidc/backends.py
index d1d7bd48c..450de565c 100644
--- a/apps/authentication/backends/oidc/backends.py
+++ b/apps/authentication/backends/oidc/backends.py
@@ -103,9 +103,23 @@ class OIDCAuthCodeBackend(OIDCBaseBackend):
         # Prepares the token payload that will be used to request an authentication token to the
         # token endpoint of the OIDC provider.
         logger.debug(log_prompt.format('Prepares token payload'))
+
+        """ The reason for need not client_id and client_secret in token_payload.
+
+        OIDC protocol indicate client's token_endpoint_auth_method only accept one type in
+            - client_secret_basic
+            - client_secret_post
+            - client_secret_jwt
+            - private_key_jwt
+            - none
+        If the client offer more than one auth method type to OIDC, OIDC will auth client failed.
+        OIDC default use client_secret_basic, this type only need in headers add Authorization=Basic xxx.
+        More info see: https://github.com/jumpserver/jumpserver/issues/8165
+
+        """
         token_payload = {
-            'client_id': settings.AUTH_OPENID_CLIENT_ID,
-            'client_secret': settings.AUTH_OPENID_CLIENT_SECRET,
+            # 'client_id': settings.AUTH_OPENID_CLIENT_ID,
+            # 'client_secret': settings.AUTH_OPENID_CLIENT_SECRET,
             'grant_type': 'authorization_code',
             'code': code,
             'redirect_uri': build_absolute_uri(

From 00ed7bb025e7113aa04b9de9e88cd52a2bfa9734 Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Fri, 29 Apr 2022 12:54:15 +0800
Subject: [PATCH 077/258] =?UTF-8?q?perf:=20=E4=BC=98=E5=8C=96=20OIDC=20?=
 =?UTF-8?q?=E6=94=AF=E6=8C=81=E9=80=89=E6=8B=A9=E8=AE=A4=E8=AF=81=E6=96=B9?=
 =?UTF-8?q?=E5=BC=8F?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/authentication/backends/oidc/backends.py |  35 ++--
 apps/jumpserver/conf.py                       |   2 +
 apps/jumpserver/settings/auth.py              |   1 +
 apps/locale/ja/LC_MESSAGES/django.mo          |   4 +-
 apps/locale/ja/LC_MESSAGES/django.po          | 155 +++++++++---------
 apps/locale/zh/LC_MESSAGES/django.mo          |   4 +-
 apps/locale/zh/LC_MESSAGES/django.po          | 151 ++++++++---------
 apps/settings/serializers/auth/oidc.py        |   8 +
 8 files changed, 191 insertions(+), 169 deletions(-)

diff --git a/apps/authentication/backends/oidc/backends.py b/apps/authentication/backends/oidc/backends.py
index 450de565c..8d4f2f629 100644
--- a/apps/authentication/backends/oidc/backends.py
+++ b/apps/authentication/backends/oidc/backends.py
@@ -103,9 +103,8 @@ class OIDCAuthCodeBackend(OIDCBaseBackend):
         # Prepares the token payload that will be used to request an authentication token to the
         # token endpoint of the OIDC provider.
         logger.debug(log_prompt.format('Prepares token payload'))
-
-        """ The reason for need not client_id and client_secret in token_payload.
-
+        """ 
+        The reason for need not client_id and client_secret in token_payload.
         OIDC protocol indicate client's token_endpoint_auth_method only accept one type in
             - client_secret_basic
             - client_secret_post
@@ -113,25 +112,35 @@ class OIDCAuthCodeBackend(OIDCBaseBackend):
             - private_key_jwt
             - none
         If the client offer more than one auth method type to OIDC, OIDC will auth client failed.
-        OIDC default use client_secret_basic, this type only need in headers add Authorization=Basic xxx.
+        OIDC default use client_secret_basic, 
+        this type only need in headers add Authorization=Basic xxx.
+        
         More info see: https://github.com/jumpserver/jumpserver/issues/8165
-
+        More info see: https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
         """
         token_payload = {
-            # 'client_id': settings.AUTH_OPENID_CLIENT_ID,
-            # 'client_secret': settings.AUTH_OPENID_CLIENT_SECRET,
             'grant_type': 'authorization_code',
             'code': code,
             'redirect_uri': build_absolute_uri(
                 request, path=reverse(settings.AUTH_OPENID_AUTH_LOGIN_CALLBACK_URL_NAME)
             )
         }
-
-        # Prepares the token headers that will be used to request an authentication token to the
-        # token endpoint of the OIDC provider.
-        logger.debug(log_prompt.format('Prepares token headers'))
-        basic_token = "{}:{}".format(settings.AUTH_OPENID_CLIENT_ID, settings.AUTH_OPENID_CLIENT_SECRET)
-        headers = {"Authorization": "Basic {}".format(base64.b64encode(basic_token.encode()).decode())}
+        if settings.AUTH_OPENID_CLIENT_AUTH_METHOD == 'client_secret_post':
+            token_payload.update({
+                'client_id': settings.AUTH_OPENID_CLIENT_ID,
+                'client_secret': settings.AUTH_OPENID_CLIENT_SECRET,
+            })
+            headers = None
+        else:
+            # Prepares the token headers that will be used to request an authentication token to the
+            # token endpoint of the OIDC provider.
+            logger.debug(log_prompt.format('Prepares token headers'))
+            basic_token = "{}:{}".format(
+                settings.AUTH_OPENID_CLIENT_ID, settings.AUTH_OPENID_CLIENT_SECRET
+            )
+            headers = {
+                "Authorization": "Basic {}".format(base64.b64encode(basic_token.encode()).decode())
+            }
 
         # Calls the token endpoint.
         logger.debug(log_prompt.format('Call the token endpoint'))
diff --git a/apps/jumpserver/conf.py b/apps/jumpserver/conf.py
index fa4a211d4..18b998ab2 100644
--- a/apps/jumpserver/conf.py
+++ b/apps/jumpserver/conf.py
@@ -187,6 +187,8 @@ class Config(dict):
         'BASE_SITE_URL': None,
         'AUTH_OPENID_CLIENT_ID': 'client-id',
         'AUTH_OPENID_CLIENT_SECRET': 'client-secret',
+        # https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
+        'AUTH_OPENID_CLIENT_AUTH_METHOD': 'client_secret_basic',
         'AUTH_OPENID_SHARE_SESSION': True,
         'AUTH_OPENID_IGNORE_SSL_VERIFICATION': True,
 
diff --git a/apps/jumpserver/settings/auth.py b/apps/jumpserver/settings/auth.py
index e07883d55..fb067078f 100644
--- a/apps/jumpserver/settings/auth.py
+++ b/apps/jumpserver/settings/auth.py
@@ -55,6 +55,7 @@ AUTH_OPENID = CONFIG.AUTH_OPENID
 BASE_SITE_URL = CONFIG.BASE_SITE_URL
 AUTH_OPENID_CLIENT_ID = CONFIG.AUTH_OPENID_CLIENT_ID
 AUTH_OPENID_CLIENT_SECRET = CONFIG.AUTH_OPENID_CLIENT_SECRET
+AUTH_OPENID_CLIENT_AUTH_METHOD = CONFIG.AUTH_OPENID_CLIENT_AUTH_METHOD
 AUTH_OPENID_PROVIDER_ENDPOINT = CONFIG.AUTH_OPENID_PROVIDER_ENDPOINT
 AUTH_OPENID_PROVIDER_AUTHORIZATION_ENDPOINT = CONFIG.AUTH_OPENID_PROVIDER_AUTHORIZATION_ENDPOINT
 AUTH_OPENID_PROVIDER_TOKEN_ENDPOINT = CONFIG.AUTH_OPENID_PROVIDER_TOKEN_ENDPOINT
diff --git a/apps/locale/ja/LC_MESSAGES/django.mo b/apps/locale/ja/LC_MESSAGES/django.mo
index afbb57bf7..7feeaece9 100644
--- a/apps/locale/ja/LC_MESSAGES/django.mo
+++ b/apps/locale/ja/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:8f5891533a7cdfa3938ef057364f22b1df73685d423f9fa55bc46cd17439e56e
-size 125915
+oid sha256:e70a491494af861945bde8a0b03c9b6e78dde7016446236ead362362b76b09a8
+size 125713
diff --git a/apps/locale/ja/LC_MESSAGES/django.po b/apps/locale/ja/LC_MESSAGES/django.po
index dfb2f3c56..a0b05f272 100644
--- a/apps/locale/ja/LC_MESSAGES/django.po
+++ b/apps/locale/ja/LC_MESSAGES/django.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-04-20 16:35+0800\n"
+"POT-Creation-Date: 2022-04-29 12:49+0800\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -88,7 +88,7 @@ msgstr "ログイン確認"
 #: assets/models/cmd_filter.py:30 assets/models/label.py:15 audits/models.py:37
 #: audits/models.py:60 audits/models.py:85 audits/serializers.py:100
 #: authentication/models.py:51 orgs/models.py:214 perms/models/base.py:84
-#: rbac/builtin.py:110 rbac/models/rolebinding.py:40
+#: rbac/builtin.py:118 rbac/models/rolebinding.py:41
 #: terminal/backends/command/models.py:20
 #: terminal/backends/command/serializers.py:12 terminal/models/session.py:44
 #: terminal/notifications.py:91 terminal/notifications.py:139
@@ -1360,7 +1360,7 @@ msgstr "監査"
 
 #: audits/models.py:27 audits/models.py:57
 #: authentication/templates/authentication/_access_key_modal.html:65
-#: rbac/tree.py:168
+#: rbac/tree.py:228
 msgid "Delete"
 msgstr "削除"
 
@@ -1413,11 +1413,11 @@ msgstr "ファイル転送ログ"
 
 #: audits/models.py:55
 #: authentication/templates/authentication/_access_key_modal.html:22
-#: rbac/tree.py:165
+#: rbac/tree.py:225
 msgid "Create"
 msgstr "作成"
 
-#: audits/models.py:56 rbac/tree.py:167 templates/_csv_import_export.html:18
+#: audits/models.py:56 rbac/tree.py:227 templates/_csv_import_export.html:18
 #: templates/_csv_update_modal.html:6
 msgid "Update"
 msgstr "更新"
@@ -2181,7 +2181,7 @@ msgstr "コードエラー"
 #: authentication/templates/authentication/_msg_reset_password.html:3
 #: authentication/templates/authentication/_msg_rest_password_success.html:2
 #: authentication/templates/authentication/_msg_rest_public_key_success.html:2
-#: jumpserver/conf.py:299 ops/tasks.py:145 ops/tasks.py:148
+#: jumpserver/conf.py:301 ops/tasks.py:145 ops/tasks.py:148
 #: perms/templates/perms/_msg_item_permissions_expire.html:3
 #: perms/templates/perms/_msg_permed_items_expire.html:3
 #: users/templates/users/_msg_account_expire_reminder.html:4
@@ -2642,11 +2642,11 @@ msgstr "特殊文字を含むべきではない"
 msgid "The mobile phone number format is incorrect"
 msgstr "携帯電話番号の形式が正しくありません"
 
-#: jumpserver/conf.py:298
+#: jumpserver/conf.py:300
 msgid "Create account successfully"
 msgstr "アカウントを正常に作成"
 
-#: jumpserver/conf.py:300
+#: jumpserver/conf.py:302
 msgid "Your account has been created successfully"
 msgstr "アカウントが正常に作成されました"
 
@@ -2901,12 +2901,12 @@ msgstr ""
 msgid "The organization have resource ({}) cannot be deleted"
 msgstr "組織のリソース ({}) は削除できません"
 
-#: orgs/apps.py:7 rbac/tree.py:114
+#: orgs/apps.py:7 rbac/tree.py:115
 msgid "App organizations"
 msgstr "アプリ組織"
 
 #: orgs/mixins/models.py:46 orgs/mixins/serializers.py:25 orgs/models.py:80
-#: orgs/models.py:211 rbac/const.py:7 rbac/models/rolebinding.py:47
+#: orgs/models.py:211 rbac/const.py:7 rbac/models/rolebinding.py:48
 #: rbac/serializers/rolebinding.py:40 settings/serializers/auth/ldap.py:59
 #: tickets/serializers/ticket/ticket.py:77
 msgid "Organization"
@@ -2920,7 +2920,7 @@ msgstr "グローバル組織"
 msgid "Can view root org"
 msgstr "グローバル組織を表示できます"
 
-#: orgs/models.py:216 rbac/models/role.py:46 rbac/models/rolebinding.py:43
+#: orgs/models.py:216 rbac/models/role.py:46 rbac/models/rolebinding.py:44
 #: users/models/user.py:671
 msgid "Role"
 msgstr "ロール"
@@ -3133,27 +3133,27 @@ msgstr "{} 少なくとも1つのシステムロール"
 msgid "RBAC"
 msgstr "RBAC"
 
-#: rbac/builtin.py:101
+#: rbac/builtin.py:109
 msgid "SystemAdmin"
 msgstr "システム管理者"
 
-#: rbac/builtin.py:104
+#: rbac/builtin.py:112
 msgid "SystemAuditor"
 msgstr "システム監査人"
 
-#: rbac/builtin.py:107
+#: rbac/builtin.py:115
 msgid "SystemComponent"
 msgstr "システムコンポーネント"
 
-#: rbac/builtin.py:113
+#: rbac/builtin.py:121
 msgid "OrgAdmin"
 msgstr "組織管理者"
 
-#: rbac/builtin.py:116
+#: rbac/builtin.py:124
 msgid "OrgAuditor"
 msgstr "監査員を組織する"
 
-#: rbac/builtin.py:119
+#: rbac/builtin.py:127
 msgid "OrgUser"
 msgstr "組織ユーザー"
 
@@ -3185,7 +3185,7 @@ msgstr "ファイルマネージャを表示できます"
 msgid "Permission"
 msgstr "権限"
 
-#: rbac/models/role.py:31 rbac/models/rolebinding.py:37
+#: rbac/models/role.py:31 rbac/models/rolebinding.py:38
 msgid "Scope"
 msgstr "スコープ"
 
@@ -3205,22 +3205,22 @@ msgstr "システムの役割"
 msgid "Organization role"
 msgstr "組織の役割"
 
-#: rbac/models/rolebinding.py:52
+#: rbac/models/rolebinding.py:53
 msgid "Role binding"
 msgstr "ロールバインディング"
 
-#: rbac/models/rolebinding.py:151
+#: rbac/models/rolebinding.py:159
 msgid ""
 "User last role in org, can not be delete, you can remove user from org "
 "instead"
 msgstr ""
 "ユーザーの最後のロールは削除できません。ユーザーを組織から削除できます。"
 
-#: rbac/models/rolebinding.py:158
+#: rbac/models/rolebinding.py:166
 msgid "Organization role binding"
 msgstr "組織の役割バインディング"
 
-#: rbac/models/rolebinding.py:173
+#: rbac/models/rolebinding.py:181
 msgid "System role binding"
 msgstr "システムロールバインディング"
 
@@ -3244,91 +3244,91 @@ msgstr "ロール表示"
 msgid "Has bound this role"
 msgstr "この役割をバインドしました"
 
-#: rbac/tree.py:19 rbac/tree.py:20
+#: rbac/tree.py:20 rbac/tree.py:21
 msgid "All permissions"
 msgstr "すべての権限"
 
-#: rbac/tree.py:26
+#: rbac/tree.py:27
 msgid "Console view"
 msgstr "コンソールビュー"
 
-#: rbac/tree.py:27
+#: rbac/tree.py:28
 msgid "Workbench view"
 msgstr "ワークスペースビュー"
 
-#: rbac/tree.py:28
+#: rbac/tree.py:29
 msgid "Audit view"
 msgstr "監査ビュー"
 
-#: rbac/tree.py:29 settings/models.py:140
+#: rbac/tree.py:30 settings/models.py:140
 msgid "System setting"
 msgstr "システム設定"
 
-#: rbac/tree.py:30
+#: rbac/tree.py:31
 msgid "Other"
 msgstr "その他"
 
-#: rbac/tree.py:38
+#: rbac/tree.py:39
 msgid "Accounts"
 msgstr "アカウント"
 
-#: rbac/tree.py:42
+#: rbac/tree.py:43
 msgid "Session audits"
 msgstr "セッション監査"
 
-#: rbac/tree.py:52
+#: rbac/tree.py:53
 msgid "Cloud import"
 msgstr "クラウドインポート"
 
-#: rbac/tree.py:53
+#: rbac/tree.py:54
 msgid "Backup account"
 msgstr "バックアップアカウント"
 
-#: rbac/tree.py:54
+#: rbac/tree.py:55
 msgid "Gather account"
 msgstr "アカウントを集める"
 
-#: rbac/tree.py:55
+#: rbac/tree.py:56
 msgid "App change auth"
 msgstr "応用改密"
 
-#: rbac/tree.py:56
+#: rbac/tree.py:57
 msgid "Asset change auth"
 msgstr "資産の改ざん"
 
-#: rbac/tree.py:57
+#: rbac/tree.py:58
 msgid "Terminal setting"
 msgstr "ターミナル設定"
 
-#: rbac/tree.py:58
+#: rbac/tree.py:59
 msgid "My assets"
 msgstr "私の資産"
 
-#: rbac/tree.py:59
+#: rbac/tree.py:60
 msgid "My apps"
 msgstr "マイアプリ"
 
-#: rbac/tree.py:115
+#: rbac/tree.py:116
 msgid "Ticket comment"
 msgstr "チケットコメント"
 
-#: rbac/tree.py:116 tickets/models/ticket.py:163
+#: rbac/tree.py:117 tickets/models/ticket.py:163
 msgid "Ticket"
 msgstr "チケット"
 
-#: rbac/tree.py:117
+#: rbac/tree.py:118
 msgid "Common setting"
 msgstr "共通設定"
 
-#: rbac/tree.py:118
+#: rbac/tree.py:119
 msgid "View permission tree"
 msgstr "権限ツリーの表示"
 
-#: rbac/tree.py:119
+#: rbac/tree.py:120
 msgid "Execute batch command"
 msgstr "バッチ実行コマンド"
 
-#: rbac/tree.py:166
+#: rbac/tree.py:226
 msgid "View"
 msgstr "表示"
 
@@ -3454,7 +3454,7 @@ msgstr "ログインリダイレクトの有効化msg"
 msgid "Enable CAS Auth"
 msgstr "CAS 認証の有効化"
 
-#: settings/serializers/auth/cas.py:11 settings/serializers/auth/oidc.py:32
+#: settings/serializers/auth/cas.py:11 settings/serializers/auth/oidc.py:40
 msgid "Server url"
 msgstr "サービス側アドレス"
 
@@ -3556,79 +3556,83 @@ msgstr "クライアントID"
 msgid "Client Secret"
 msgstr "クライアント秘密"
 
-#: settings/serializers/auth/oidc.py:20
+#: settings/serializers/auth/oidc.py:26
+msgid "Client authentication method"
+msgstr "クライアント認証方式"
+
+#: settings/serializers/auth/oidc.py:28
 msgid "Share session"
 msgstr "セッションの共有"
 
-#: settings/serializers/auth/oidc.py:22
+#: settings/serializers/auth/oidc.py:30
 msgid "Ignore ssl verification"
 msgstr "Ssl検証を無視する"
 
-#: settings/serializers/auth/oidc.py:29
+#: settings/serializers/auth/oidc.py:37
 msgid "Use Keycloak"
 msgstr "Keycloakを使用する"
 
-#: settings/serializers/auth/oidc.py:35
+#: settings/serializers/auth/oidc.py:43
 msgid "Realm name"
 msgstr "レルム名"
 
-#: settings/serializers/auth/oidc.py:41
+#: settings/serializers/auth/oidc.py:49
 msgid "Enable OPENID Auth"
 msgstr "OIDC認証の有効化"
 
-#: settings/serializers/auth/oidc.py:43
+#: settings/serializers/auth/oidc.py:51
 msgid "Provider endpoint"
 msgstr "プロバイダーエンドポイント"
 
-#: settings/serializers/auth/oidc.py:46
+#: settings/serializers/auth/oidc.py:54
 msgid "Provider auth endpoint"
 msgstr "認証エンドポイントアドレス"
 
-#: settings/serializers/auth/oidc.py:49
+#: settings/serializers/auth/oidc.py:57
 msgid "Provider token endpoint"
 msgstr "プロバイダートークンエンドポイント"
 
-#: settings/serializers/auth/oidc.py:52
+#: settings/serializers/auth/oidc.py:60
 msgid "Provider jwks endpoint"
 msgstr "プロバイダーjwksエンドポイント"
 
-#: settings/serializers/auth/oidc.py:55
+#: settings/serializers/auth/oidc.py:63
 msgid "Provider userinfo endpoint"
 msgstr "プロバイダーuserinfoエンドポイント"
 
-#: settings/serializers/auth/oidc.py:58
+#: settings/serializers/auth/oidc.py:66
 msgid "Provider end session endpoint"
 msgstr "プロバイダーのセッション終了エンドポイント"
 
-#: settings/serializers/auth/oidc.py:61
+#: settings/serializers/auth/oidc.py:69
 msgid "Provider sign alg"
 msgstr "プロビダーサインalg"
 
-#: settings/serializers/auth/oidc.py:64
+#: settings/serializers/auth/oidc.py:72
 msgid "Provider sign key"
 msgstr "プロバイダ署名キー"
 
-#: settings/serializers/auth/oidc.py:66
+#: settings/serializers/auth/oidc.py:74
 msgid "Scopes"
 msgstr "スコープ"
 
-#: settings/serializers/auth/oidc.py:68
+#: settings/serializers/auth/oidc.py:76
 msgid "Id token max age"
 msgstr "IDトークンの最大年齢"
 
-#: settings/serializers/auth/oidc.py:71
+#: settings/serializers/auth/oidc.py:79
 msgid "Id token include claims"
 msgstr "IDトークンにはクレームが含まれます"
 
-#: settings/serializers/auth/oidc.py:73
+#: settings/serializers/auth/oidc.py:81
 msgid "Use state"
 msgstr "使用状態"
 
-#: settings/serializers/auth/oidc.py:74
+#: settings/serializers/auth/oidc.py:82
 msgid "Use nonce"
 msgstr "Nonceを使用"
 
-#: settings/serializers/auth/oidc.py:76 settings/serializers/auth/saml2.py:33
+#: settings/serializers/auth/oidc.py:84 settings/serializers/auth/saml2.py:33
 msgid "Always update user"
 msgstr "常にユーザーを更新"
 
@@ -4513,9 +4517,7 @@ msgstr "ホームページ"
 msgid "Cancel"
 msgstr "キャンセル"
 
-#: templates/resource_download.html:18 templates/resource_download.html:24
-#: templates/resource_download.html:25 templates/resource_download.html:30
-#: templates/resource_download.html:40
+#: templates/resource_download.html:18 templates/resource_download.html:30
 msgid "Client"
 msgstr "クライアント"
 
@@ -4544,19 +4546,11 @@ msgstr ""
 "MacOSは、Windowsに付属のRDPアセットを接続するためにクライアントをダウンロード"
 "する必要があります"
 
-#: templates/resource_download.html:42
-msgid ""
-"Windows needs to download the client to connect SSH assets, and the MacOS "
-"system uses its own terminal"
-msgstr ""
-"WindowsはクライアントをダウンロードしてSSH資産に接続する必要があり、macOSシス"
-"テムは独自のTerminalを採用している。"
-
-#: templates/resource_download.html:53
+#: templates/resource_download.html:41
 msgid "Windows Remote application publisher tools"
 msgstr "Windowsリモートアプリケーション発行者ツール"
 
-#: templates/resource_download.html:54
+#: templates/resource_download.html:42
 msgid ""
 "Jmservisor is the program used to pull up remote applications in Windows "
 "Remote Application publisher"
@@ -6732,3 +6726,10 @@ msgstr "究極のエディション"
 #: xpack/plugins/license/models.py:77
 msgid "Community edition"
 msgstr "コミュニティ版"
+
+#~ msgid ""
+#~ "Windows needs to download the client to connect SSH assets, and the MacOS "
+#~ "system uses its own terminal"
+#~ msgstr ""
+#~ "WindowsはクライアントをダウンロードしてSSH資産に接続する必要があり、macOS"
+#~ "システムは独自のTerminalを採用している。"
diff --git a/apps/locale/zh/LC_MESSAGES/django.mo b/apps/locale/zh/LC_MESSAGES/django.mo
index 58ce5f865..c651fb2c5 100644
--- a/apps/locale/zh/LC_MESSAGES/django.mo
+++ b/apps/locale/zh/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:c6cf24f38fd82ad87d6062c4b36a771cb9fdeb76975b8b60f335a5a4fd9fd30c
-size 104169
+oid sha256:95e9f6addbdb6811647fd2bb5ae64bfc2572a80702c371eab0a1bb041a1e8476
+size 104032
diff --git a/apps/locale/zh/LC_MESSAGES/django.po b/apps/locale/zh/LC_MESSAGES/django.po
index 049fb5daa..e091a35c8 100644
--- a/apps/locale/zh/LC_MESSAGES/django.po
+++ b/apps/locale/zh/LC_MESSAGES/django.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: JumpServer 0.3.3\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-04-20 16:35+0800\n"
+"POT-Creation-Date: 2022-04-29 12:49+0800\n"
 "PO-Revision-Date: 2021-05-20 10:54+0800\n"
 "Last-Translator: ibuler <ibuler@qq.com>\n"
 "Language-Team: JumpServer team<ibuler@qq.com>\n"
@@ -87,7 +87,7 @@ msgstr "登录复核"
 #: assets/models/cmd_filter.py:30 assets/models/label.py:15 audits/models.py:37
 #: audits/models.py:60 audits/models.py:85 audits/serializers.py:100
 #: authentication/models.py:51 orgs/models.py:214 perms/models/base.py:84
-#: rbac/builtin.py:110 rbac/models/rolebinding.py:40
+#: rbac/builtin.py:118 rbac/models/rolebinding.py:41
 #: terminal/backends/command/models.py:20
 #: terminal/backends/command/serializers.py:12 terminal/models/session.py:44
 #: terminal/notifications.py:91 terminal/notifications.py:139
@@ -1348,7 +1348,7 @@ msgstr "日志审计"
 
 #: audits/models.py:27 audits/models.py:57
 #: authentication/templates/authentication/_access_key_modal.html:65
-#: rbac/tree.py:168
+#: rbac/tree.py:228
 msgid "Delete"
 msgstr "删除"
 
@@ -1401,11 +1401,11 @@ msgstr "文件管理"
 
 #: audits/models.py:55
 #: authentication/templates/authentication/_access_key_modal.html:22
-#: rbac/tree.py:165
+#: rbac/tree.py:225
 msgid "Create"
 msgstr "创建"
 
-#: audits/models.py:56 rbac/tree.py:167 templates/_csv_import_export.html:18
+#: audits/models.py:56 rbac/tree.py:227 templates/_csv_import_export.html:18
 #: templates/_csv_update_modal.html:6
 msgid "Update"
 msgstr "更新"
@@ -2160,7 +2160,7 @@ msgstr "代码错误"
 #: authentication/templates/authentication/_msg_reset_password.html:3
 #: authentication/templates/authentication/_msg_rest_password_success.html:2
 #: authentication/templates/authentication/_msg_rest_public_key_success.html:2
-#: jumpserver/conf.py:299 ops/tasks.py:145 ops/tasks.py:148
+#: jumpserver/conf.py:301 ops/tasks.py:145 ops/tasks.py:148
 #: perms/templates/perms/_msg_item_permissions_expire.html:3
 #: perms/templates/perms/_msg_permed_items_expire.html:3
 #: users/templates/users/_msg_account_expire_reminder.html:4
@@ -2612,11 +2612,11 @@ msgstr "不能包含特殊字符"
 msgid "The mobile phone number format is incorrect"
 msgstr "手机号格式不正确"
 
-#: jumpserver/conf.py:298
+#: jumpserver/conf.py:300
 msgid "Create account successfully"
 msgstr "创建账号成功"
 
-#: jumpserver/conf.py:300
+#: jumpserver/conf.py:302
 msgid "Your account has been created successfully"
 msgstr "你的账号已创建成功"
 
@@ -2865,12 +2865,12 @@ msgstr "LDAP 同步设置组织为当前组织，请切换其他组织后再进
 msgid "The organization have resource ({}) cannot be deleted"
 msgstr "组织存在资源 ({}) 不能被删除"
 
-#: orgs/apps.py:7 rbac/tree.py:114
+#: orgs/apps.py:7 rbac/tree.py:115
 msgid "App organizations"
 msgstr "组织管理"
 
 #: orgs/mixins/models.py:46 orgs/mixins/serializers.py:25 orgs/models.py:80
-#: orgs/models.py:211 rbac/const.py:7 rbac/models/rolebinding.py:47
+#: orgs/models.py:211 rbac/const.py:7 rbac/models/rolebinding.py:48
 #: rbac/serializers/rolebinding.py:40 settings/serializers/auth/ldap.py:59
 #: tickets/serializers/ticket/ticket.py:77
 msgid "Organization"
@@ -2884,7 +2884,7 @@ msgstr "全局组织"
 msgid "Can view root org"
 msgstr "可以查看全局组织"
 
-#: orgs/models.py:216 rbac/models/role.py:46 rbac/models/rolebinding.py:43
+#: orgs/models.py:216 rbac/models/role.py:46 rbac/models/rolebinding.py:44
 #: users/models/user.py:671
 msgid "Role"
 msgstr "角色"
@@ -3095,27 +3095,27 @@ msgstr "{} 至少有一个系统角色"
 msgid "RBAC"
 msgstr "RBAC"
 
-#: rbac/builtin.py:101
+#: rbac/builtin.py:109
 msgid "SystemAdmin"
 msgstr "系统管理员"
 
-#: rbac/builtin.py:104
+#: rbac/builtin.py:112
 msgid "SystemAuditor"
 msgstr "系统审计员"
 
-#: rbac/builtin.py:107
+#: rbac/builtin.py:115
 msgid "SystemComponent"
 msgstr "系统组件"
 
-#: rbac/builtin.py:113
+#: rbac/builtin.py:121
 msgid "OrgAdmin"
 msgstr "组织管理员"
 
-#: rbac/builtin.py:116
+#: rbac/builtin.py:124
 msgid "OrgAuditor"
 msgstr "组织审计员"
 
-#: rbac/builtin.py:119
+#: rbac/builtin.py:127
 msgid "OrgUser"
 msgstr "组织用户"
 
@@ -3147,7 +3147,7 @@ msgstr "文件管理"
 msgid "Permission"
 msgstr "权限"
 
-#: rbac/models/role.py:31 rbac/models/rolebinding.py:37
+#: rbac/models/role.py:31 rbac/models/rolebinding.py:38
 msgid "Scope"
 msgstr "范围"
 
@@ -3167,21 +3167,21 @@ msgstr "系统角色"
 msgid "Organization role"
 msgstr "组织角色"
 
-#: rbac/models/rolebinding.py:52
+#: rbac/models/rolebinding.py:53
 msgid "Role binding"
 msgstr "角色绑定"
 
-#: rbac/models/rolebinding.py:151
+#: rbac/models/rolebinding.py:159
 msgid ""
 "User last role in org, can not be delete, you can remove user from org "
 "instead"
 msgstr "用户最后一个角色，不能删除，你可以将用户从组织移除"
 
-#: rbac/models/rolebinding.py:158
+#: rbac/models/rolebinding.py:166
 msgid "Organization role binding"
 msgstr "组织角色绑定"
 
-#: rbac/models/rolebinding.py:173
+#: rbac/models/rolebinding.py:181
 msgid "System role binding"
 msgstr "系统角色绑定"
 
@@ -3205,91 +3205,91 @@ msgstr "角色显示"
 msgid "Has bound this role"
 msgstr "已经绑定"
 
-#: rbac/tree.py:19 rbac/tree.py:20
+#: rbac/tree.py:20 rbac/tree.py:21
 msgid "All permissions"
 msgstr "所有权限"
 
-#: rbac/tree.py:26
+#: rbac/tree.py:27
 msgid "Console view"
 msgstr "控制台"
 
-#: rbac/tree.py:27
+#: rbac/tree.py:28
 msgid "Workbench view"
 msgstr "工作台"
 
-#: rbac/tree.py:28
+#: rbac/tree.py:29
 msgid "Audit view"
 msgstr "审计台"
 
-#: rbac/tree.py:29 settings/models.py:140
+#: rbac/tree.py:30 settings/models.py:140
 msgid "System setting"
 msgstr "系统设置"
 
-#: rbac/tree.py:30
+#: rbac/tree.py:31
 msgid "Other"
 msgstr "其它"
 
-#: rbac/tree.py:38
+#: rbac/tree.py:39
 msgid "Accounts"
 msgstr "账号管理"
 
-#: rbac/tree.py:42
+#: rbac/tree.py:43
 msgid "Session audits"
 msgstr "会话审计"
 
-#: rbac/tree.py:52
+#: rbac/tree.py:53
 msgid "Cloud import"
 msgstr "云同步"
 
-#: rbac/tree.py:53
+#: rbac/tree.py:54
 msgid "Backup account"
 msgstr "备份账号"
 
-#: rbac/tree.py:54
+#: rbac/tree.py:55
 msgid "Gather account"
 msgstr "收集账号"
 
-#: rbac/tree.py:55
+#: rbac/tree.py:56
 msgid "App change auth"
 msgstr "应用改密"
 
-#: rbac/tree.py:56
+#: rbac/tree.py:57
 msgid "Asset change auth"
 msgstr "资产改密"
 
-#: rbac/tree.py:57
+#: rbac/tree.py:58
 msgid "Terminal setting"
 msgstr "终端设置"
 
-#: rbac/tree.py:58
+#: rbac/tree.py:59
 msgid "My assets"
 msgstr "我的资产"
 
-#: rbac/tree.py:59
+#: rbac/tree.py:60
 msgid "My apps"
 msgstr "我的应用"
 
-#: rbac/tree.py:115
+#: rbac/tree.py:116
 msgid "Ticket comment"
 msgstr "工单评论"
 
-#: rbac/tree.py:116 tickets/models/ticket.py:163
+#: rbac/tree.py:117 tickets/models/ticket.py:163
 msgid "Ticket"
 msgstr "工单管理"
 
-#: rbac/tree.py:117
+#: rbac/tree.py:118
 msgid "Common setting"
 msgstr "一般设置"
 
-#: rbac/tree.py:118
+#: rbac/tree.py:119
 msgid "View permission tree"
 msgstr "查看授权树"
 
-#: rbac/tree.py:119
+#: rbac/tree.py:120
 msgid "Execute batch command"
 msgstr "执行批量命令"
 
-#: rbac/tree.py:166
+#: rbac/tree.py:226
 msgid "View"
 msgstr "查看"
 
@@ -3415,7 +3415,7 @@ msgstr "启用登录跳转提示"
 msgid "Enable CAS Auth"
 msgstr "启用 CAS 认证"
 
-#: settings/serializers/auth/cas.py:11 settings/serializers/auth/oidc.py:32
+#: settings/serializers/auth/cas.py:11 settings/serializers/auth/oidc.py:40
 msgid "Server url"
 msgstr "服务端地址"
 
@@ -3517,79 +3517,83 @@ msgstr "客户端 ID"
 msgid "Client Secret"
 msgstr "客户端密钥"
 
-#: settings/serializers/auth/oidc.py:20
+#: settings/serializers/auth/oidc.py:26
+msgid "Client authentication method"
+msgstr "客户端认证方式"
+
+#: settings/serializers/auth/oidc.py:28
 msgid "Share session"
 msgstr "共享会话"
 
-#: settings/serializers/auth/oidc.py:22
+#: settings/serializers/auth/oidc.py:30
 msgid "Ignore ssl verification"
 msgstr "忽略 SSL 证书验证"
 
-#: settings/serializers/auth/oidc.py:29
+#: settings/serializers/auth/oidc.py:37
 msgid "Use Keycloak"
 msgstr "使用 Keycloak"
 
-#: settings/serializers/auth/oidc.py:35
+#: settings/serializers/auth/oidc.py:43
 msgid "Realm name"
 msgstr "域"
 
-#: settings/serializers/auth/oidc.py:41
+#: settings/serializers/auth/oidc.py:49
 msgid "Enable OPENID Auth"
 msgstr "启用 OIDC 认证"
 
-#: settings/serializers/auth/oidc.py:43
+#: settings/serializers/auth/oidc.py:51
 msgid "Provider endpoint"
 msgstr "端点地址"
 
-#: settings/serializers/auth/oidc.py:46
+#: settings/serializers/auth/oidc.py:54
 msgid "Provider auth endpoint"
 msgstr "授权端点地址"
 
-#: settings/serializers/auth/oidc.py:49
+#: settings/serializers/auth/oidc.py:57
 msgid "Provider token endpoint"
 msgstr "token 端点地址"
 
-#: settings/serializers/auth/oidc.py:52
+#: settings/serializers/auth/oidc.py:60
 msgid "Provider jwks endpoint"
 msgstr "jwks 端点地址"
 
-#: settings/serializers/auth/oidc.py:55
+#: settings/serializers/auth/oidc.py:63
 msgid "Provider userinfo endpoint"
 msgstr "用户信息端点地址"
 
-#: settings/serializers/auth/oidc.py:58
+#: settings/serializers/auth/oidc.py:66
 msgid "Provider end session endpoint"
 msgstr "注销会话端点地址"
 
-#: settings/serializers/auth/oidc.py:61
+#: settings/serializers/auth/oidc.py:69
 msgid "Provider sign alg"
 msgstr "签名算法"
 
-#: settings/serializers/auth/oidc.py:64
+#: settings/serializers/auth/oidc.py:72
 msgid "Provider sign key"
 msgstr "签名 Key"
 
-#: settings/serializers/auth/oidc.py:66
+#: settings/serializers/auth/oidc.py:74
 msgid "Scopes"
 msgstr "连接范围"
 
-#: settings/serializers/auth/oidc.py:68
+#: settings/serializers/auth/oidc.py:76
 msgid "Id token max age"
 msgstr "令牌有效时间"
 
-#: settings/serializers/auth/oidc.py:71
+#: settings/serializers/auth/oidc.py:79
 msgid "Id token include claims"
 msgstr "声明"
 
-#: settings/serializers/auth/oidc.py:73
+#: settings/serializers/auth/oidc.py:81
 msgid "Use state"
 msgstr "使用状态"
 
-#: settings/serializers/auth/oidc.py:74
+#: settings/serializers/auth/oidc.py:82
 msgid "Use nonce"
 msgstr "临时使用"
 
-#: settings/serializers/auth/oidc.py:76 settings/serializers/auth/saml2.py:33
+#: settings/serializers/auth/oidc.py:84 settings/serializers/auth/saml2.py:33
 msgid "Always update user"
 msgstr "总是更新用户信息"
 
@@ -4446,9 +4450,7 @@ msgstr "首页"
 msgid "Cancel"
 msgstr "取消"
 
-#: templates/resource_download.html:18 templates/resource_download.html:24
-#: templates/resource_download.html:25 templates/resource_download.html:30
-#: templates/resource_download.html:40
+#: templates/resource_download.html:18 templates/resource_download.html:30
 msgid "Client"
 msgstr "客户端"
 
@@ -4474,17 +4476,11 @@ msgid ""
 "Windows"
 msgstr "macOS 需要下载客户端来连接 RDP 资产，Windows 系统默认安装了该程序"
 
-#: templates/resource_download.html:42
-msgid ""
-"Windows needs to download the client to connect SSH assets, and the MacOS "
-"system uses its own terminal"
-msgstr "Windows 需要下载客户端来连接SSH资产，macOS系统采用自带的Terminal"
-
-#: templates/resource_download.html:53
+#: templates/resource_download.html:41
 msgid "Windows Remote application publisher tools"
 msgstr "Windows 远程应用发布服务器工具"
 
-#: templates/resource_download.html:54
+#: templates/resource_download.html:42
 msgid ""
 "Jmservisor is the program used to pull up remote applications in Windows "
 "Remote Application publisher"
@@ -6640,3 +6636,8 @@ msgstr "旗舰版"
 #: xpack/plugins/license/models.py:77
 msgid "Community edition"
 msgstr "社区版"
+
+#~ msgid ""
+#~ "Windows needs to download the client to connect SSH assets, and the MacOS "
+#~ "system uses its own terminal"
+#~ msgstr "Windows 需要下载客户端来连接SSH资产，macOS系统采用自带的Terminal"
diff --git a/apps/settings/serializers/auth/oidc.py b/apps/settings/serializers/auth/oidc.py
index 21f0f989e..a3777fb25 100644
--- a/apps/settings/serializers/auth/oidc.py
+++ b/apps/settings/serializers/auth/oidc.py
@@ -17,6 +17,14 @@ class CommonSettingSerializer(serializers.Serializer):
     AUTH_OPENID_CLIENT_SECRET = serializers.CharField(
         required=False, max_length=1024,  write_only=True, label=_('Client Secret')
     )
+    AUTH_OPENID_CLIENT_AUTH_METHOD = serializers.ChoiceField(
+        default='client_secret_basic',
+        choices=(
+            ('client_secret_basic', 'Client Secret Basic'),
+            ('client_secret_post', 'Client Secret Post')
+        ),
+        label=_('Client authentication method')
+    )
     AUTH_OPENID_SHARE_SESSION = serializers.BooleanField(required=False, label=_('Share session'))
     AUTH_OPENID_IGNORE_SSL_VERIFICATION = serializers.BooleanField(
         required=False, label=_('Ignore ssl verification')

From 2493647e5c49112805279001d6d9974b9b6c1e8c Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Fri, 29 Apr 2022 16:05:23 +0800
Subject: [PATCH 078/258] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8Dwindows?=
 =?UTF-8?q?=E6=89=A7=E8=A1=8Cansible=E6=98=BE=E7=A4=BAsudo=E5=A4=B1?=
 =?UTF-8?q?=E8=B4=A5=E7=9A=84=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/assets/models/asset.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/assets/models/asset.py b/apps/assets/models/asset.py
index c80c65ce6..85ac6c918 100644
--- a/apps/assets/models/asset.py
+++ b/apps/assets/models/asset.py
@@ -301,7 +301,7 @@ class Asset(AbsConnectivity, AbsHardwareInfo, ProtocolsMixin, NodesRelationMixin
             'private_key': auth_user.private_key_file
         }
 
-        if not with_become:
+        if not with_become or self.is_windows():
             return info
 
         if become_user:

From d23953932f2ea6ec3537f45c9323c075ed574308 Mon Sep 17 00:00:00 2001
From: feng626 <1304903146@qq.com>
Date: Sun, 24 Apr 2022 17:00:48 +0800
Subject: [PATCH 079/258] =?UTF-8?q?perf:=20connection=20token=20=E5=88=86a?=
 =?UTF-8?q?pi=E6=9D=83=E9=99=90?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/authentication/api/connection_token.py   | 111 +++++++++---------
 .../serializers/connect_token.py              |  25 ++--
 apps/authentication/urls/api_urls.py          |   1 +
 3 files changed, 73 insertions(+), 64 deletions(-)

diff --git a/apps/authentication/api/connection_token.py b/apps/authentication/api/connection_token.py
index 9e16d31ba..ef69890e5 100644
--- a/apps/authentication/api/connection_token.py
+++ b/apps/authentication/api/connection_token.py
@@ -7,7 +7,6 @@ import os
 import base64
 import ctypes
 
-from django.conf import settings
 from django.core.cache import cache
 from django.shortcuts import get_object_or_404
 from django.http import HttpResponse
@@ -33,11 +32,11 @@ from perms.utils.asset.permission import get_asset_actions
 from common.const.http import PATCH
 from terminal.models import EndpointRule
 from ..serializers import (
-    ConnectionTokenSerializer, ConnectionTokenSecretSerializer,
+    ConnectionTokenSerializer, ConnectionTokenSecretSerializer, SuperConnectionTokenSerializer
 )
 
 logger = get_logger(__name__)
-__all__ = ['UserConnectionTokenViewSet', 'TokenCacheMixin']
+__all__ = ['UserConnectionTokenViewSet', 'UserSuperConnectionTokenViewSet', 'TokenCacheMixin']
 
 
 class ClientProtocolMixin:
@@ -70,8 +69,7 @@ class ClientProtocolMixin:
         system_user = serializer.validated_data['system_user']
 
         user = serializer.validated_data.get('user')
-        if not user or not self.request.user.is_superuser:
-            user = self.request.user
+        user = user if user else self.request.user
         return asset, application, system_user, user
 
     @staticmethod
@@ -105,7 +103,7 @@ class ClientProtocolMixin:
             'bookmarktype:i': '3',
             'use redirection server name:i': '0',
             'smart sizing:i': '1',
-            #'drivestoredirect:s': '*',
+            # 'drivestoredirect:s': '*',
             # 'domain:s': ''
             # 'alternate shell:s:': '||MySQLWorkbench',
             # 'remoteapplicationname:s': 'Firefox',
@@ -206,21 +204,6 @@ class ClientProtocolMixin:
         rst = rst.decode('ascii')
         return rst
 
-    @action(methods=['POST', 'GET'], detail=False, url_path='rdp/file')
-    def get_rdp_file(self, request, *args, **kwargs):
-        if self.request.method == 'GET':
-            data = self.request.query_params
-        else:
-            data = self.request.data
-        serializer = self.get_serializer(data=data)
-        serializer.is_valid(raise_exception=True)
-        name, data = self.get_rdp_file_content(serializer)
-        response = HttpResponse(data, content_type='application/octet-stream')
-        filename = "{}-{}-jumpserver.rdp".format(self.request.user.username, name)
-        filename = urllib.parse.quote(filename)
-        response['Content-Disposition'] = 'attachment; filename*=UTF-8\'\'%s' % filename
-        return response
-
     def get_valid_serializer(self):
         if self.request.method == 'GET':
             data = self.request.query_params
@@ -252,6 +235,21 @@ class ClientProtocolMixin:
         }
         return data
 
+    @action(methods=['POST', 'GET'], detail=False, url_path='rdp/file')
+    def get_rdp_file(self, request, *args, **kwargs):
+        if self.request.method == 'GET':
+            data = self.request.query_params
+        else:
+            data = self.request.data
+        serializer = self.get_serializer(data=data)
+        serializer.is_valid(raise_exception=True)
+        name, data = self.get_rdp_file_content(serializer)
+        response = HttpResponse(data, content_type='application/octet-stream')
+        filename = "{}-{}-jumpserver.rdp".format(self.request.user.username, name)
+        filename = urllib.parse.quote(filename)
+        response['Content-Disposition'] = 'attachment; filename*=UTF-8\'\'%s' % filename
+        return response
+
     @action(methods=['POST', 'GET'], detail=False, url_path='client-url')
     def get_client_protocol_url(self, request, *args, **kwargs):
         serializer = self.get_valid_serializer()
@@ -370,7 +368,7 @@ class TokenCacheMixin:
         key = self.get_token_cache_key(token)
         return cache.ttl(key)
 
-    def set_token_to_cache(self, token, value, ttl=5*60):
+    def set_token_to_cache(self, token, value, ttl=5 * 60):
         key = self.get_token_cache_key(token)
         cache.set(key, value, timeout=ttl)
 
@@ -379,7 +377,7 @@ class TokenCacheMixin:
         value = cache.get(key, None)
         return value
 
-    def renewal_token(self, token, ttl=5*60):
+    def renewal_token(self, token, ttl=5 * 60):
         value = self.get_token_from_cache(token)
         if value:
             pre_ttl = self.get_token_ttl(token)
@@ -397,22 +395,10 @@ class TokenCacheMixin:
         return data
 
 
-class UserConnectionTokenViewSet(
+class BaseUserConnectionTokenViewSet(
     RootOrgViewMixin, SerializerMixin, ClientProtocolMixin,
-    SecretDetailMixin, TokenCacheMixin, GenericViewSet
+    TokenCacheMixin, GenericViewSet
 ):
-    serializer_classes = {
-        'default': ConnectionTokenSerializer,
-        'get_secret_detail': ConnectionTokenSecretSerializer,
-    }
-    rbac_perms = {
-        'GET': 'authentication.view_connectiontoken',
-        'create': 'authentication.add_connectiontoken',
-        'renewal': 'authentication.add_superconnectiontoken',
-        'get_secret_detail': 'authentication.view_connectiontokensecret',
-        'get_rdp_file': 'authentication.add_connectiontoken',
-        'get_client_protocol_url': 'authentication.add_connectiontoken',
-    }
 
     @staticmethod
     def check_resource_permission(user, asset, application, system_user):
@@ -429,22 +415,7 @@ class UserConnectionTokenViewSet(
             raise PermissionDenied(error)
         return True
 
-    @action(methods=[PATCH], detail=False)
-    def renewal(self, request, *args, **kwargs):
-        """ 续期 Token """
-        perm_required = 'authentication.add_superconnectiontoken'
-        if not request.user.has_perm(perm_required):
-            raise PermissionDenied('No permissions for authentication.add_superconnectiontoken')
-        token = request.data.get('token', '')
-        data = self.renewal_token(token)
-        status_code = 200 if data.get('ok') else 404
-        return Response(data=data, status=status_code)
-
-    def create_token(self, user, asset, application, system_user, ttl=5*60):
-        # 再次强调一下权限
-        perm_required = 'authentication.add_superconnectiontoken'
-        if user != self.request.user and not self.request.user.has_perm(perm_required):
-            raise PermissionDenied('Only can create user token')
+    def create_token(self, user, asset, application, system_user, ttl=5 * 60):
         self.check_resource_permission(user, asset, application, system_user)
         token = random_string(36)
         secret = random_string(16)
@@ -489,6 +460,20 @@ class UserConnectionTokenViewSet(
         }
         return Response(data, status=201)
 
+
+class UserConnectionTokenViewSet(BaseUserConnectionTokenViewSet, SecretDetailMixin):
+    serializer_classes = {
+        'default': ConnectionTokenSerializer,
+        'get_secret_detail': ConnectionTokenSecretSerializer,
+    }
+    rbac_perms = {
+        'GET': 'authentication.view_connectiontoken',
+        'create': 'authentication.add_connectiontoken',
+        'get_secret_detail': 'authentication.view_connectiontokensecret',
+        'get_rdp_file': 'authentication.add_connectiontoken',
+        'get_client_protocol_url': 'authentication.add_connectiontoken',
+    }
+
     def valid_token(self, token):
         from users.models import User
         from assets.models import SystemUser, Asset
@@ -526,3 +511,23 @@ class UserConnectionTokenViewSet(
         if not value:
             return Response('', status=404)
         return Response(value)
+
+
+class UserSuperConnectionTokenViewSet(
+    BaseUserConnectionTokenViewSet, TokenCacheMixin, GenericViewSet
+):
+    serializer_classes = {
+        'default': SuperConnectionTokenSerializer,
+    }
+    rbac_perms = {
+        'create': 'authentication.add_superconnectiontoken',
+        'renewal': 'authentication.add_superconnectiontoken'
+    }
+
+    @action(methods=[PATCH], detail=False)
+    def renewal(self, request, *args, **kwargs):
+        """ 续期 Token """
+        token = request.data.get('token', '')
+        data = self.renewal_token(token)
+        status_code = 200 if data.get('ok') else 404
+        return Response(data=data, status=status_code)
diff --git a/apps/authentication/serializers/connect_token.py b/apps/authentication/serializers/connect_token.py
index c8f94909d..d9694b5bd 100644
--- a/apps/authentication/serializers/connect_token.py
+++ b/apps/authentication/serializers/connect_token.py
@@ -13,24 +13,16 @@ __all__ = [
     'ConnectionTokenUserSerializer', 'ConnectionTokenFilterRuleSerializer',
     'ConnectionTokenAssetSerializer', 'ConnectionTokenSystemUserSerializer',
     'ConnectionTokenDomainSerializer', 'ConnectionTokenRemoteAppSerializer',
-    'ConnectionTokenGatewaySerializer', 'ConnectionTokenSecretSerializer'
+    'ConnectionTokenGatewaySerializer', 'ConnectionTokenSecretSerializer',
+    'SuperConnectionTokenSerializer'
 ]
 
 
 class ConnectionTokenSerializer(serializers.Serializer):
-    user = serializers.CharField(max_length=128, required=False, allow_blank=True)
     system_user = serializers.CharField(max_length=128, required=True)
     asset = serializers.CharField(max_length=128, required=False)
     application = serializers.CharField(max_length=128, required=False)
 
-    @staticmethod
-    def validate_user(user_id):
-        from users.models import User
-        user = User.objects.filter(id=user_id).first()
-        if user is None:
-            raise serializers.ValidationError('user id not exist')
-        return user
-
     @staticmethod
     def validate_system_user(system_user_id):
         from assets.models import SystemUser
@@ -65,6 +57,18 @@ class ConnectionTokenSerializer(serializers.Serializer):
         return super().validate(attrs)
 
 
+class SuperConnectionTokenSerializer(ConnectionTokenSerializer):
+    user = serializers.CharField(max_length=128, required=False, allow_blank=True)
+
+    @staticmethod
+    def validate_user(user_id):
+        from users.models import User
+        user = User.objects.filter(id=user_id).first()
+        if user is None:
+            raise serializers.ValidationError('user id not exist')
+        return user
+
+
 class ConnectionTokenUserSerializer(serializers.ModelSerializer):
     class Meta:
         model = User
@@ -114,7 +118,6 @@ class ConnectionTokenDomainSerializer(serializers.ModelSerializer):
 
 
 class ConnectionTokenFilterRuleSerializer(serializers.ModelSerializer):
-
     class Meta:
         model = CommandFilterRule
         fields = [
diff --git a/apps/authentication/urls/api_urls.py b/apps/authentication/urls/api_urls.py
index 920988ee4..754b7c793 100644
--- a/apps/authentication/urls/api_urls.py
+++ b/apps/authentication/urls/api_urls.py
@@ -11,6 +11,7 @@ router.register('access-keys', api.AccessKeyViewSet, 'access-key')
 router.register('sso', api.SSOViewSet, 'sso')
 router.register('temp-tokens', api.TempTokenViewSet, 'temp-token')
 router.register('connection-token', api.UserConnectionTokenViewSet, 'connection-token')
+router.register('super-connection-token', api.UserSuperConnectionTokenViewSet, 'super-connection-token')
 
 
 urlpatterns = [

From c56179e9e4dbe34e7e269c6ed8e101ff191a23db Mon Sep 17 00:00:00 2001
From: jiangweidong <80373698+F2C-Jiang@users.noreply.github.com>
Date: Thu, 5 May 2022 13:07:48 +0800
Subject: [PATCH 080/258] =?UTF-8?q?feat:=20=E6=94=AF=E6=8C=81=E4=BC=81?=
 =?UTF-8?q?=E4=B8=9A=E5=BE=AE=E4=BF=A1=E3=80=81=E9=92=89=E9=92=89=E7=9B=B4?=
 =?UTF-8?q?=E6=8E=A5=E5=AE=A1=E6=89=B9=E5=B7=A5=E5=8D=95=20(#8115)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/authentication/views/dingtalk.py         |  10 +-
 apps/authentication/views/mixins.py           |  12 ++
 apps/authentication/views/wecom.py            |  10 +-
 apps/jumpserver/urls.py                       |   1 +
 apps/locale/ja/LC_MESSAGES/django.mo          |   3 -
 apps/locale/ja/LC_MESSAGES/django.po          | 113 +++++++++++++-----
 apps/locale/zh/LC_MESSAGES/django.mo          |   3 -
 apps/locale/zh/LC_MESSAGES/django.po          | 107 ++++++++++++-----
 apps/templates/_base_double_screen.html       |  42 +++++++
 apps/tickets/notifications.py                 |  36 +++++-
 .../templates/tickets/_msg_ticket.html        |  10 +-
 .../tickets/approve_check_password.html       |  52 ++++++++
 apps/tickets/urls/view_urls.py                |  12 ++
 apps/tickets/views/__init__.py                |   1 +
 apps/tickets/views/approve.py                 |  93 ++++++++++++++
 15 files changed, 424 insertions(+), 81 deletions(-)
 create mode 100644 apps/authentication/views/mixins.py
 delete mode 100644 apps/locale/ja/LC_MESSAGES/django.mo
 delete mode 100644 apps/locale/zh/LC_MESSAGES/django.mo
 create mode 100644 apps/templates/_base_double_screen.html
 create mode 100644 apps/tickets/templates/tickets/approve_check_password.html
 create mode 100644 apps/tickets/urls/view_urls.py
 create mode 100644 apps/tickets/views/__init__.py
 create mode 100644 apps/tickets/views/approve.py

diff --git a/apps/authentication/views/dingtalk.py b/apps/authentication/views/dingtalk.py
index b4fd2cede..0ca03749e 100644
--- a/apps/authentication/views/dingtalk.py
+++ b/apps/authentication/views/dingtalk.py
@@ -21,6 +21,7 @@ from authentication.mixins import AuthMixin
 from common.sdk.im.dingtalk import DingTalk
 from common.utils.common import get_request_ip
 from authentication.notifications import OAuthBindMessage
+from .mixins import METAMixin
 
 logger = get_logger(__file__)
 
@@ -200,14 +201,17 @@ class DingTalkEnableStartView(UserVerifyPasswordView):
         return success_url
 
 
-class DingTalkQRLoginView(DingTalkQRMixin, View):
+class DingTalkQRLoginView(DingTalkQRMixin, METAMixin, View):
     permission_classes = (AllowAny,)
 
     def get(self,  request: HttpRequest):
         redirect_url = request.GET.get('redirect_url')
 
         redirect_uri = reverse('authentication:dingtalk-qr-login-callback', external=True)
-        redirect_uri += '?' + urlencode({'redirect_url': redirect_url})
+        redirect_uri += '?' + urlencode({
+            'redirect_url': redirect_url,
+            'next': self.get_next_url_from_meta()
+        })
 
         url = self.get_qr_url(redirect_uri)
         return HttpResponseRedirect(url)
@@ -305,4 +309,4 @@ class DingTalkOAuthLoginCallbackView(AuthMixin, DingTalkOAuthMixin, View):
             response = self.get_failed_response(login_url, title=msg, msg=msg)
             return response
 
-        return self.redirect_to_guard_view()
\ No newline at end of file
+        return self.redirect_to_guard_view()
diff --git a/apps/authentication/views/mixins.py b/apps/authentication/views/mixins.py
new file mode 100644
index 000000000..3571dfac7
--- /dev/null
+++ b/apps/authentication/views/mixins.py
@@ -0,0 +1,12 @@
+# -*- coding: utf-8 -*-
+#
+
+class METAMixin:
+    def get_next_url_from_meta(self):
+        request_meta = self.request.META or {}
+        next_url = None
+        referer = request_meta.get('HTTP_REFERER', '')
+        next_url_item = referer.rsplit('next=', 1)
+        if len(next_url_item) > 1:
+            next_url = next_url_item[-1]
+        return next_url
diff --git a/apps/authentication/views/wecom.py b/apps/authentication/views/wecom.py
index 87afd08ea..5546bf619 100644
--- a/apps/authentication/views/wecom.py
+++ b/apps/authentication/views/wecom.py
@@ -21,6 +21,7 @@ from common.utils.common import get_request_ip
 from authentication import errors
 from authentication.mixins import AuthMixin
 from authentication.notifications import OAuthBindMessage
+from .mixins import METAMixin
 
 logger = get_logger(__file__)
 
@@ -196,14 +197,17 @@ class WeComEnableStartView(UserVerifyPasswordView):
         return success_url
 
 
-class WeComQRLoginView(WeComQRMixin, View):
+class WeComQRLoginView(WeComQRMixin, METAMixin, View):
     permission_classes = (AllowAny,)
 
     def get(self,  request: HttpRequest):
         redirect_url = request.GET.get('redirect_url')
 
         redirect_uri = reverse('authentication:wecom-qr-login-callback', external=True)
-        redirect_uri += '?' + urlencode({'redirect_url': redirect_url})
+        redirect_uri += '?' + urlencode({
+            'redirect_url': redirect_url,
+            'next': self.get_next_url_from_meta()
+        })
 
         url = self.get_qr_url(redirect_uri)
         return HttpResponseRedirect(url)
@@ -301,4 +305,4 @@ class WeComOAuthLoginCallbackView(AuthMixin, WeComOAuthMixin, View):
             response = self.get_failed_response(login_url, title=msg, msg=msg)
             return response
 
-        return self.redirect_to_guard_view()
\ No newline at end of file
+        return self.redirect_to_guard_view()
diff --git a/apps/jumpserver/urls.py b/apps/jumpserver/urls.py
index 6a9ae69a9..be8c059ce 100644
--- a/apps/jumpserver/urls.py
+++ b/apps/jumpserver/urls.py
@@ -31,6 +31,7 @@ api_v1 = [
 app_view_patterns = [
     path('auth/', include('authentication.urls.view_urls'), name='auth'),
     path('ops/', include('ops.urls.view_urls'), name='ops'),
+    path('tickets/', include('tickets.urls.view_urls'), name='tickets'),
     path('common/', include('common.urls.view_urls'), name='common'),
     re_path(r'flower/(?P<path>.*)', views.celery_flower_view, name='flower-view'),
     path('download/', views.ResourceDownload.as_view(), name='download'),
diff --git a/apps/locale/ja/LC_MESSAGES/django.mo b/apps/locale/ja/LC_MESSAGES/django.mo
deleted file mode 100644
index 7feeaece9..000000000
--- a/apps/locale/ja/LC_MESSAGES/django.mo
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:e70a491494af861945bde8a0b03c9b6e78dde7016446236ead362362b76b09a8
-size 125713
diff --git a/apps/locale/ja/LC_MESSAGES/django.po b/apps/locale/ja/LC_MESSAGES/django.po
index a0b05f272..e26cb7538 100644
--- a/apps/locale/ja/LC_MESSAGES/django.po
+++ b/apps/locale/ja/LC_MESSAGES/django.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-04-29 12:49+0800\n"
+"POT-Creation-Date: 2022-05-05 13:03+0800\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -1402,6 +1402,7 @@ msgid "Filename"
 msgstr "ファイル名"
 
 #: audits/models.py:43 audits/models.py:115 terminal/models/sharing.py:90
+#: tickets/views/approve.py:93
 #: xpack/plugins/change_auth_plan/serializers/app.py:87
 #: xpack/plugins/change_auth_plan/serializers/asset.py:197
 msgid "Success"
@@ -1557,12 +1558,12 @@ msgid "Auth Token"
 msgstr "認証トークン"
 
 #: audits/signal_handlers.py:71 authentication/notifications.py:73
-#: authentication/views/login.py:164 authentication/views/wecom.py:181
+#: authentication/views/login.py:164 authentication/views/wecom.py:182
 #: notifications/backends/__init__.py:11 users/models/user.py:720
 msgid "WeCom"
 msgstr "企業微信"
 
-#: audits/signal_handlers.py:72 authentication/views/dingtalk.py:182
+#: audits/signal_handlers.py:72 authentication/views/dingtalk.py:183
 #: authentication/views/login.py:170 notifications/backends/__init__.py:12
 #: users/models/user.py:721
 msgid "DingTalk"
@@ -1740,7 +1741,7 @@ msgstr "{ApplicationPermission} 追加 {SystemUser}"
 msgid "{ApplicationPermission} REMOVE {SystemUser}"
 msgstr "{ApplicationPermission} 削除 {SystemUser}"
 
-#: authentication/api/connection_token.py:328
+#: authentication/api/connection_token.py:326
 msgid "Invalid token"
 msgstr "無効なトークン"
 
@@ -2184,6 +2185,7 @@ msgstr "コードエラー"
 #: jumpserver/conf.py:301 ops/tasks.py:145 ops/tasks.py:148
 #: perms/templates/perms/_msg_item_permissions_expire.html:3
 #: perms/templates/perms/_msg_permed_items_expire.html:3
+#: tickets/templates/tickets/approve_check_password.html:23
 #: users/templates/users/_msg_account_expire_reminder.html:4
 #: users/templates/users/_msg_password_expire_reminder.html:4
 #: users/templates/users/_msg_reset_mfa.html:4
@@ -2323,54 +2325,54 @@ msgstr "返品"
 msgid "Copy success"
 msgstr "コピー成功"
 
-#: authentication/views/dingtalk.py:39
+#: authentication/views/dingtalk.py:40
 msgid "DingTalk Error, Please contact your system administrator"
 msgstr "DingTalkエラー、システム管理者に連絡してください"
 
-#: authentication/views/dingtalk.py:42
+#: authentication/views/dingtalk.py:43
 msgid "DingTalk Error"
 msgstr "DingTalkエラー"
 
-#: authentication/views/dingtalk.py:54 authentication/views/feishu.py:50
-#: authentication/views/wecom.py:54
+#: authentication/views/dingtalk.py:55 authentication/views/feishu.py:50
+#: authentication/views/wecom.py:55
 msgid ""
 "The system configuration is incorrect. Please contact your administrator"
 msgstr "システム設定が正しくありません。管理者に連絡してください"
 
-#: authentication/views/dingtalk.py:78
+#: authentication/views/dingtalk.py:79
 msgid "DingTalk is already bound"
 msgstr "DingTalkはすでにバインドされています"
 
-#: authentication/views/dingtalk.py:127 authentication/views/feishu.py:99
-#: authentication/views/wecom.py:127
+#: authentication/views/dingtalk.py:128 authentication/views/feishu.py:99
+#: authentication/views/wecom.py:128
 msgid "Please verify your password first"
 msgstr "最初にパスワードを確認してください"
 
-#: authentication/views/dingtalk.py:151 authentication/views/wecom.py:151
+#: authentication/views/dingtalk.py:152 authentication/views/wecom.py:152
 msgid "Invalid user_id"
 msgstr "無効なuser_id"
 
-#: authentication/views/dingtalk.py:167
+#: authentication/views/dingtalk.py:168
 msgid "DingTalk query user failed"
 msgstr "DingTalkクエリユーザーが失敗しました"
 
-#: authentication/views/dingtalk.py:176
+#: authentication/views/dingtalk.py:177
 msgid "The DingTalk is already bound to another user"
 msgstr "DingTalkはすでに別のユーザーにバインドされています"
 
-#: authentication/views/dingtalk.py:183
+#: authentication/views/dingtalk.py:184
 msgid "Binding DingTalk successfully"
 msgstr "DingTalkのバインドに成功"
 
-#: authentication/views/dingtalk.py:235 authentication/views/dingtalk.py:289
+#: authentication/views/dingtalk.py:239 authentication/views/dingtalk.py:293
 msgid "Failed to get user from DingTalk"
 msgstr "DingTalkからユーザーを取得できませんでした"
 
-#: authentication/views/dingtalk.py:241 authentication/views/dingtalk.py:295
+#: authentication/views/dingtalk.py:245 authentication/views/dingtalk.py:299
 msgid "DingTalk is not bound"
 msgstr "DingTalkはバインドされていません"
 
-#: authentication/views/dingtalk.py:242 authentication/views/dingtalk.py:296
+#: authentication/views/dingtalk.py:246 authentication/views/dingtalk.py:300
 msgid "Please login with a password and then bind the DingTalk"
 msgstr "パスワードでログインし、DingTalkをバインドしてください"
 
@@ -2443,39 +2445,39 @@ msgstr "ログアウト成功"
 msgid "Logout success, return login page"
 msgstr "ログアウト成功、ログインページを返す"
 
-#: authentication/views/wecom.py:39
+#: authentication/views/wecom.py:40
 msgid "WeCom Error, Please contact your system administrator"
 msgstr "企業微信エラー、システム管理者に連絡してください"
 
-#: authentication/views/wecom.py:42
+#: authentication/views/wecom.py:43
 msgid "WeCom Error"
 msgstr "企業微信エラー"
 
-#: authentication/views/wecom.py:78
+#: authentication/views/wecom.py:79
 msgid "WeCom is already bound"
 msgstr "企業の微信はすでにバインドされています"
 
-#: authentication/views/wecom.py:166
+#: authentication/views/wecom.py:167
 msgid "WeCom query user failed"
 msgstr "企業微信ユーザーの問合せに失敗しました"
 
-#: authentication/views/wecom.py:175
+#: authentication/views/wecom.py:176
 msgid "The WeCom is already bound to another user"
 msgstr "この企業の微信はすでに他のユーザーをバインドしている。"
 
-#: authentication/views/wecom.py:182
+#: authentication/views/wecom.py:183
 msgid "Binding WeCom successfully"
 msgstr "企業の微信のバインドに成功"
 
-#: authentication/views/wecom.py:231 authentication/views/wecom.py:285
+#: authentication/views/wecom.py:235 authentication/views/wecom.py:289
 msgid "Failed to get user from WeCom"
 msgstr "企業の微信からユーザーを取得できませんでした"
 
-#: authentication/views/wecom.py:237 authentication/views/wecom.py:291
+#: authentication/views/wecom.py:241 authentication/views/wecom.py:295
 msgid "WeCom is not bound"
 msgstr "企業の微信をバインドしていません"
 
-#: authentication/views/wecom.py:238 authentication/views/wecom.py:292
+#: authentication/views/wecom.py:242 authentication/views/wecom.py:296
 msgid "Please login with a password and then bind the WeCom"
 msgstr "パスワードでログインしてからWeComをバインドしてください"
 
@@ -4564,7 +4566,7 @@ msgstr "フィルター"
 
 #: terminal/api/endpoint.py:63
 msgid "Not found protocol query params"
-msgstr ""
+msgstr "プロトコルクエリパラメータが見つかりません"
 
 #: terminal/api/session.py:210
 msgid "Session does not exist: {}"
@@ -5295,19 +5297,19 @@ msgstr "もう一度お試しください"
 msgid "Super ticket"
 msgstr "スーパーチケット"
 
-#: tickets/notifications.py:63
+#: tickets/notifications.py:72
 msgid "Your has a new ticket, applicant - {}"
 msgstr "新しいチケットがあります- {}"
 
-#: tickets/notifications.py:69
+#: tickets/notifications.py:78
 msgid "New Ticket - {} ({})"
 msgstr "新しいチケット- {} ({})"
 
-#: tickets/notifications.py:91
+#: tickets/notifications.py:123
 msgid "Your ticket has been processed, processor - {}"
 msgstr "チケットが処理されました。プロセッサー- {}"
 
-#: tickets/notifications.py:95
+#: tickets/notifications.py:127
 msgid "Ticket has processed - {} ({})"
 msgstr "チケットが処理済み- {} ({})"
 
@@ -5444,10 +5446,55 @@ msgid "The current organization type already exists"
 msgstr "現在の組織タイプは既に存在します。"
 
 #: tickets/templates/tickets/_base_ticket_body.html:17
-#: tickets/templates/tickets/_msg_ticket.html:12
 msgid "Click here to review"
 msgstr "こちらをクリックしてご覧ください"
 
+#: tickets/templates/tickets/_msg_ticket.html:12
+msgid "View details"
+msgstr "詳細の表示"
+
+#: tickets/templates/tickets/_msg_ticket.html:17
+msgid "Direct approval"
+msgstr "直接承認"
+
+#: tickets/templates/tickets/approve_check_password.html:11
+msgid "Ticket information"
+msgstr "作業指示情報"
+
+#: tickets/templates/tickets/approve_check_password.html:19
+#, fuzzy
+#| msgid "Ticket flow approval rule"
+msgid "Ticket approval"
+msgstr "作業指示の承認"
+
+#: tickets/templates/tickets/approve_check_password.html:35
+#: tickets/views/approve.py:25
+msgid "Ticket direct approval"
+msgstr "作業指示の直接承認"
+
+#: tickets/templates/tickets/approve_check_password.html:40
+msgid "Go Login"
+msgstr "ログイン"
+
+#: tickets/views/approve.py:26
+msgid ""
+"This ticket does not exist, the process has ended, or this link has expired"
+msgstr ""
+"このワークシートが存在しないか、ワークシートが終了したか、このリンクが無効に"
+"なっています"
+
+#: tickets/views/approve.py:55
+msgid "Click the button to approve directly"
+msgstr "ボタンをクリックすると、直接承認に成功します。"
+
+#: tickets/views/approve.py:57
+msgid "After successful authentication, this ticket can be approved directly"
+msgstr "認証に成功した後、作業指示書は直接承認することができる。"
+
+#: tickets/views/approve.py:84
+msgid "This user is not authorized to approve this ticket"
+msgstr "このユーザーはこの作業指示を承認する権限がありません"
+
 #: users/api/user.py:183
 msgid "Could not reset self otp, use profile reset instead"
 msgstr "自己otpをリセットできませんでした、代わりにプロファイルリセットを使用"
diff --git a/apps/locale/zh/LC_MESSAGES/django.mo b/apps/locale/zh/LC_MESSAGES/django.mo
deleted file mode 100644
index c651fb2c5..000000000
--- a/apps/locale/zh/LC_MESSAGES/django.mo
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:95e9f6addbdb6811647fd2bb5ae64bfc2572a80702c371eab0a1bb041a1e8476
-size 104032
diff --git a/apps/locale/zh/LC_MESSAGES/django.po b/apps/locale/zh/LC_MESSAGES/django.po
index e091a35c8..e362871c6 100644
--- a/apps/locale/zh/LC_MESSAGES/django.po
+++ b/apps/locale/zh/LC_MESSAGES/django.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: JumpServer 0.3.3\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-04-29 12:49+0800\n"
+"POT-Creation-Date: 2022-05-05 13:03+0800\n"
 "PO-Revision-Date: 2021-05-20 10:54+0800\n"
 "Last-Translator: ibuler <ibuler@qq.com>\n"
 "Language-Team: JumpServer team<ibuler@qq.com>\n"
@@ -1390,6 +1390,7 @@ msgid "Filename"
 msgstr "文件名"
 
 #: audits/models.py:43 audits/models.py:115 terminal/models/sharing.py:90
+#: tickets/views/approve.py:93
 #: xpack/plugins/change_auth_plan/serializers/app.py:87
 #: xpack/plugins/change_auth_plan/serializers/asset.py:197
 msgid "Success"
@@ -1545,12 +1546,12 @@ msgid "Auth Token"
 msgstr "认证令牌"
 
 #: audits/signal_handlers.py:71 authentication/notifications.py:73
-#: authentication/views/login.py:164 authentication/views/wecom.py:181
+#: authentication/views/login.py:164 authentication/views/wecom.py:182
 #: notifications/backends/__init__.py:11 users/models/user.py:720
 msgid "WeCom"
 msgstr "企业微信"
 
-#: audits/signal_handlers.py:72 authentication/views/dingtalk.py:182
+#: audits/signal_handlers.py:72 authentication/views/dingtalk.py:183
 #: authentication/views/login.py:170 notifications/backends/__init__.py:12
 #: users/models/user.py:721
 msgid "DingTalk"
@@ -1728,7 +1729,7 @@ msgstr "{ApplicationPermission} 添加 {SystemUser}"
 msgid "{ApplicationPermission} REMOVE {SystemUser}"
 msgstr "{ApplicationPermission} 移除 {SystemUser}"
 
-#: authentication/api/connection_token.py:328
+#: authentication/api/connection_token.py:326
 msgid "Invalid token"
 msgstr "无效的令牌"
 
@@ -2163,6 +2164,7 @@ msgstr "代码错误"
 #: jumpserver/conf.py:301 ops/tasks.py:145 ops/tasks.py:148
 #: perms/templates/perms/_msg_item_permissions_expire.html:3
 #: perms/templates/perms/_msg_permed_items_expire.html:3
+#: tickets/templates/tickets/approve_check_password.html:23
 #: users/templates/users/_msg_account_expire_reminder.html:4
 #: users/templates/users/_msg_password_expire_reminder.html:4
 #: users/templates/users/_msg_reset_mfa.html:4
@@ -2293,54 +2295,54 @@ msgstr "返回"
 msgid "Copy success"
 msgstr "复制成功"
 
-#: authentication/views/dingtalk.py:39
+#: authentication/views/dingtalk.py:40
 msgid "DingTalk Error, Please contact your system administrator"
 msgstr "钉钉错误，请联系系统管理员"
 
-#: authentication/views/dingtalk.py:42
+#: authentication/views/dingtalk.py:43
 msgid "DingTalk Error"
 msgstr "钉钉错误"
 
-#: authentication/views/dingtalk.py:54 authentication/views/feishu.py:50
-#: authentication/views/wecom.py:54
+#: authentication/views/dingtalk.py:55 authentication/views/feishu.py:50
+#: authentication/views/wecom.py:55
 msgid ""
 "The system configuration is incorrect. Please contact your administrator"
 msgstr "企业配置错误，请联系系统管理员"
 
-#: authentication/views/dingtalk.py:78
+#: authentication/views/dingtalk.py:79
 msgid "DingTalk is already bound"
 msgstr "钉钉已经绑定"
 
-#: authentication/views/dingtalk.py:127 authentication/views/feishu.py:99
-#: authentication/views/wecom.py:127
+#: authentication/views/dingtalk.py:128 authentication/views/feishu.py:99
+#: authentication/views/wecom.py:128
 msgid "Please verify your password first"
 msgstr "请检查密码"
 
-#: authentication/views/dingtalk.py:151 authentication/views/wecom.py:151
+#: authentication/views/dingtalk.py:152 authentication/views/wecom.py:152
 msgid "Invalid user_id"
 msgstr "无效的 user_id"
 
-#: authentication/views/dingtalk.py:167
+#: authentication/views/dingtalk.py:168
 msgid "DingTalk query user failed"
 msgstr "钉钉查询用户失败"
 
-#: authentication/views/dingtalk.py:176
+#: authentication/views/dingtalk.py:177
 msgid "The DingTalk is already bound to another user"
 msgstr "该钉钉已经绑定其他用户"
 
-#: authentication/views/dingtalk.py:183
+#: authentication/views/dingtalk.py:184
 msgid "Binding DingTalk successfully"
 msgstr "绑定 钉钉 成功"
 
-#: authentication/views/dingtalk.py:235 authentication/views/dingtalk.py:289
+#: authentication/views/dingtalk.py:239 authentication/views/dingtalk.py:293
 msgid "Failed to get user from DingTalk"
 msgstr "从钉钉获取用户失败"
 
-#: authentication/views/dingtalk.py:241 authentication/views/dingtalk.py:295
+#: authentication/views/dingtalk.py:245 authentication/views/dingtalk.py:299
 msgid "DingTalk is not bound"
 msgstr "钉钉没有绑定"
 
-#: authentication/views/dingtalk.py:242 authentication/views/dingtalk.py:296
+#: authentication/views/dingtalk.py:246 authentication/views/dingtalk.py:300
 msgid "Please login with a password and then bind the DingTalk"
 msgstr "请使用密码登录，然后绑定钉钉"
 
@@ -2413,39 +2415,39 @@ msgstr "退出登录成功"
 msgid "Logout success, return login page"
 msgstr "退出登录成功，返回到登录页面"
 
-#: authentication/views/wecom.py:39
+#: authentication/views/wecom.py:40
 msgid "WeCom Error, Please contact your system administrator"
 msgstr "企业微信错误，请联系系统管理员"
 
-#: authentication/views/wecom.py:42
+#: authentication/views/wecom.py:43
 msgid "WeCom Error"
 msgstr "企业微信错误"
 
-#: authentication/views/wecom.py:78
+#: authentication/views/wecom.py:79
 msgid "WeCom is already bound"
 msgstr "企业微信已经绑定"
 
-#: authentication/views/wecom.py:166
+#: authentication/views/wecom.py:167
 msgid "WeCom query user failed"
 msgstr "企业微信查询用户失败"
 
-#: authentication/views/wecom.py:175
+#: authentication/views/wecom.py:176
 msgid "The WeCom is already bound to another user"
 msgstr "该企业微信已经绑定其他用户"
 
-#: authentication/views/wecom.py:182
+#: authentication/views/wecom.py:183
 msgid "Binding WeCom successfully"
 msgstr "绑定 企业微信 成功"
 
-#: authentication/views/wecom.py:231 authentication/views/wecom.py:285
+#: authentication/views/wecom.py:235 authentication/views/wecom.py:289
 msgid "Failed to get user from WeCom"
 msgstr "从企业微信获取用户失败"
 
-#: authentication/views/wecom.py:237 authentication/views/wecom.py:291
+#: authentication/views/wecom.py:241 authentication/views/wecom.py:295
 msgid "WeCom is not bound"
 msgstr "没有绑定企业微信"
 
-#: authentication/views/wecom.py:238 authentication/views/wecom.py:292
+#: authentication/views/wecom.py:242 authentication/views/wecom.py:296
 msgid "Please login with a password and then bind the WeCom"
 msgstr "请使用密码登录，然后绑定企业微信"
 
@@ -5221,19 +5223,19 @@ msgstr "请再次尝试"
 msgid "Super ticket"
 msgstr "超级工单"
 
-#: tickets/notifications.py:63
+#: tickets/notifications.py:72
 msgid "Your has a new ticket, applicant - {}"
 msgstr "你有一个新的工单, 申请人 - {}"
 
-#: tickets/notifications.py:69
+#: tickets/notifications.py:78
 msgid "New Ticket - {} ({})"
 msgstr "新工单 - {} ({})"
 
-#: tickets/notifications.py:91
+#: tickets/notifications.py:123
 msgid "Your ticket has been processed, processor - {}"
 msgstr "你的工单已被处理, 处理人 - {}"
 
-#: tickets/notifications.py:95
+#: tickets/notifications.py:127
 msgid "Ticket has processed - {} ({})"
 msgstr "你的工单已被处理, 处理人 - {} ({})"
 
@@ -5368,10 +5370,51 @@ msgid "The current organization type already exists"
 msgstr "当前组织已存在该类型"
 
 #: tickets/templates/tickets/_base_ticket_body.html:17
-#: tickets/templates/tickets/_msg_ticket.html:12
 msgid "Click here to review"
 msgstr "点击查看"
 
+#: tickets/templates/tickets/_msg_ticket.html:12
+msgid "View details"
+msgstr "查看详情"
+
+#: tickets/templates/tickets/_msg_ticket.html:17
+msgid "Direct approval"
+msgstr "直接批准"
+
+#: tickets/templates/tickets/approve_check_password.html:11
+msgid "Ticket information"
+msgstr "工单信息"
+
+#: tickets/templates/tickets/approve_check_password.html:19
+msgid "Ticket approval"
+msgstr "工单审批"
+
+#: tickets/templates/tickets/approve_check_password.html:35
+#: tickets/views/approve.py:25
+msgid "Ticket direct approval"
+msgstr "工单直接审批"
+
+#: tickets/templates/tickets/approve_check_password.html:40
+msgid "Go Login"
+msgstr "去登录"
+
+#: tickets/views/approve.py:26
+msgid ""
+"This ticket does not exist, the process has ended, or this link has expired"
+msgstr "工单不存在，或者工单流程已经结束，或者此链接已经过期"
+
+#: tickets/views/approve.py:55
+msgid "Click the button to approve directly"
+msgstr "点击按钮，即可直接审批成功"
+
+#: tickets/views/approve.py:57
+msgid "After successful authentication, this ticket can be approved directly"
+msgstr "认证成功后，工单可直接审批"
+
+#: tickets/views/approve.py:84
+msgid "This user is not authorized to approve this ticket"
+msgstr "此用户无权审批此工单"
+
 #: users/api/user.py:183
 msgid "Could not reset self otp, use profile reset instead"
 msgstr "不能在该页面重置 MFA 多因子认证, 请去个人信息页面重置"
diff --git a/apps/templates/_base_double_screen.html b/apps/templates/_base_double_screen.html
new file mode 100644
index 000000000..cd610fea5
--- /dev/null
+++ b/apps/templates/_base_double_screen.html
@@ -0,0 +1,42 @@
+{% load static %}
+{% load i18n %}
+<!DOCTYPE html>
+<html>
+
+<head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0">
+    <link rel="shortcut icon" href="{{ FAVICON_URL }}" type="image/x-icon">
+    <title>{% block html_title %}{% endblock %}</title>
+
+    {% include '_head_css_js.html' %}
+    <link href="{% static "css/jumpserver.css" %}" rel="stylesheet">
+    <script src="{% static "js/jumpserver.js" %}"></script>
+    <style>
+        .outerBox {
+            max-width: 80%;
+            margin: 0 auto;
+            padding: 100px 20px 20px 20px;
+        }
+    </style>
+    {% block custom_head_css_js %} {% endblock %}
+</head>
+
+<body class="gray-bg">
+    <div class="outerBox animated fadeInDown">
+        <div class="row">
+            <div class="col-md-12">
+                    {% block content %} {% endblock %}
+            </div>
+        </div>
+        <hr/>
+        <div class="row">
+            <div class="col-md-12">
+                 {% include '_copyright.html' %}
+            </div>
+        </div>
+    </div>
+</body>
+{% include '_foot_js.html' %}
+{% block custom_foot_js %} {% endblock %}
+</html>
diff --git a/apps/tickets/notifications.py b/apps/tickets/notifications.py
index ffca227be..c29c8d00e 100644
--- a/apps/tickets/notifications.py
+++ b/apps/tickets/notifications.py
@@ -1,13 +1,15 @@
 from urllib.parse import urljoin
 
 from django.conf import settings
+from django.core.cache import cache
+from django.shortcuts import reverse
 from django.template.loader import render_to_string
 from django.utils.translation import ugettext_lazy as _
 
-from . import const
 from notifications.notifications import UserMessage
-from common.utils import get_logger
+from common.utils import get_logger, random_string
 from .models import Ticket
+from . import const
 
 logger = get_logger(__file__)
 
@@ -57,6 +59,13 @@ class TicketAppliedToAssignee(BaseTicketMessage):
     def __init__(self, user, ticket):
         self.ticket = ticket
         super().__init__(user)
+        self._token = None
+
+    @property
+    def token(self):
+        if self._token is None:
+            self._token = random_string(32)
+        return self._token
 
     @property
     def content_title(self):
@@ -71,6 +80,29 @@ class TicketAppliedToAssignee(BaseTicketMessage):
         )
         return title
 
+    def get_ticket_approval_url(self):
+        url = reverse('tickets:direct-approve', kwargs={'token': self.token})
+        return urljoin(settings.SITE_URL, url)
+
+    def get_html_msg(self) -> dict:
+        body = self.ticket.body.replace('\n', '<br/>')
+        context = dict(
+            title=self.content_title,
+            ticket_detail_url=self.ticket_detail_url,
+            body=body,
+        )
+
+        ticket_approval_url = self.get_ticket_approval_url()
+        context.update({'ticket_approval_url': ticket_approval_url})
+        message = render_to_string('tickets/_msg_ticket.html', context)
+        cache.set(self.token, {
+            'body': body, 'ticket_id': self.ticket.id
+        }, 3600)
+        return {
+            'subject': self.subject,
+            'message': message
+        }
+
     @classmethod
     def gen_test_msg(cls):
         from .models import Ticket
diff --git a/apps/tickets/templates/tickets/_msg_ticket.html b/apps/tickets/templates/tickets/_msg_ticket.html
index 15e2b2a3f..5f268592c 100644
--- a/apps/tickets/templates/tickets/_msg_ticket.html
+++ b/apps/tickets/templates/tickets/_msg_ticket.html
@@ -9,7 +9,13 @@
     <br>
     <div>
         <a href="{{ ticket_detail_url }}" target="_blank">
-            {% trans 'Click here to review' %}
+            {% trans 'View details' %}
         </a>
+        <br>
+        {% if ticket_approval_url %}
+            <a href="{{ ticket_approval_url }}" target="_blank">
+                {% trans 'Direct approval' %}
+            </a>
+        {% endif %}
     </div>
-</div>
\ No newline at end of file
+</div>
diff --git a/apps/tickets/templates/tickets/approve_check_password.html b/apps/tickets/templates/tickets/approve_check_password.html
new file mode 100644
index 000000000..66ee91e1b
--- /dev/null
+++ b/apps/tickets/templates/tickets/approve_check_password.html
@@ -0,0 +1,52 @@
+{% extends '_base_double_screen.html' %}
+{% load bootstrap3 %}
+{% load static %}
+{% load i18n %}
+
+
+{% block content %}
+<div class="col-lg-12">
+    <div class="col-lg-6">
+        <div class="ibox-content">
+            <h2 class="font-bold" style="display: inline">{% trans 'Ticket information' %}</h2>
+            <h1></h1>
+            <div style="word-break: break-all">{{ ticket_info | safe }}</div>
+        </div>
+    </div>
+    <div class="col-lg-6">
+        <div class="ibox-content">
+            <img src="{{ LOGO_URL }}" style="margin: auto" width="50" height="50">
+            <h2 class="font-bold" style="display: inline">{% trans 'Ticket approval' %}</h2>
+            <h1></h1>
+            <div class="ibox-content">
+                <p>
+                    {% trans 'Hello' %} {{ user.name }},
+                </p>
+                <p style="text-indent: 3em">
+                    {{ prompt_msg }}
+                </p>
+                <br>
+                <form id="approve-form" action="" method="post" role="form" novalidate="novalidate">
+                    {% csrf_token %}
+                    <div class="form-group" style="">
+                        {% if user.is_authenticated %}
+                        <button id='approve_button' class="btn btn-primary block full-width m-b"
+                        type="submit">
+                            {% trans 'Ticket direct approval' %}
+                        </button>
+                        {% else %}
+                        <a id='login_button' class="btn btn-primary block full-width m-b"
+                           href="{{ login_url }}">
+                            {% trans 'Go Login' %}
+                        </a>
+                        {% endif %}
+                    </div>
+                </form>
+            </div>
+        </div>
+    </div>
+</div>
+<style>
+
+</style>
+{% endblock %}
diff --git a/apps/tickets/urls/view_urls.py b/apps/tickets/urls/view_urls.py
new file mode 100644
index 000000000..f9fcaab84
--- /dev/null
+++ b/apps/tickets/urls/view_urls.py
@@ -0,0 +1,12 @@
+# coding:utf-8
+#
+
+from django.urls import path
+
+from .. import views
+
+app_name = 'tickets'
+
+urlpatterns = [
+    path('direct-approve/<str:token>/', views.TicketDirectApproveView.as_view(), name='direct-approve'),
+]
diff --git a/apps/tickets/views/__init__.py b/apps/tickets/views/__init__.py
new file mode 100644
index 000000000..ece19ff38
--- /dev/null
+++ b/apps/tickets/views/__init__.py
@@ -0,0 +1 @@
+from .approve import *
diff --git a/apps/tickets/views/approve.py b/apps/tickets/views/approve.py
new file mode 100644
index 000000000..8c014c425
--- /dev/null
+++ b/apps/tickets/views/approve.py
@@ -0,0 +1,93 @@
+# -*- coding: utf-8 -*-
+#
+
+from __future__ import unicode_literals
+from django.views.generic.base import TemplateView
+from django.shortcuts import redirect, reverse
+from django.core.cache import cache
+from django.utils.translation import ugettext as _
+
+from tickets.models import Ticket
+from tickets.errors import AlreadyClosed
+from common.utils import get_logger, FlashMessageUtil
+
+logger = get_logger(__name__)
+__all__ = ['TicketDirectApproveView']
+
+
+class TicketDirectApproveView(TemplateView):
+    template_name = 'tickets/approve_check_password.html'
+    redirect_field_name = 'next'
+
+    @property
+    def message_data(self):
+        return {
+            'title': _('Ticket direct approval'),
+            'error': _("This ticket does not exist, "
+                       "the process has ended, or this link has expired"),
+            'redirect_url': self.login_url,
+            'auto_redirect': False
+        }
+
+    @property
+    def login_url(self):
+        return reverse('authentication:login') + '?admin=1'
+
+    def redirect_message_response(self, **kwargs):
+        message_data = self.message_data
+        for key, value in kwargs.items():
+            if isinstance(value, str):
+                message_data[key] = value
+        if message_data.get('message'):
+            message_data.pop('error')
+        redirect_url = FlashMessageUtil.gen_message_url(message_data)
+        return redirect(redirect_url)
+
+    @staticmethod
+    def clear(token):
+        cache.delete(token)
+
+    def get_context_data(self, **kwargs):
+        # 放入工单信息
+        token = kwargs.get('token')
+        ticket_info = cache.get(token, {}).get('body', '')
+        if self.request.user.is_authenticated:
+            prompt_msg = _('Click the button to approve directly')
+        else:
+            prompt_msg = _('After successful authentication, this ticket can be approved directly')
+        kwargs.update({
+            'ticket_info': ticket_info, 'prompt_msg': prompt_msg,
+            'login_url': '%s&next=%s' % (
+                self.login_url,
+                reverse('tickets:direct-approve', kwargs={'token': token})
+            ),
+        })
+        return super().get_context_data(**kwargs)
+
+    def get(self, request, *args, **kwargs):
+        token = kwargs.get('token')
+        ticket_info = cache.get(token)
+        if not ticket_info:
+            return self.redirect_message_response(redirect_url=self.login_url)
+        return super().get(request, *args, **kwargs)
+
+    def post(self, request, **kwargs):
+        user = request.user
+        token = kwargs.get('token')
+        ticket_info = cache.get(token)
+        if not ticket_info:
+            return self.redirect_message_response(redirect_url=self.login_url)
+        try:
+            ticket_id = ticket_info.get('ticket_id')
+            ticket = Ticket.all().get(id=ticket_id)
+            if not ticket.has_current_assignee(user):
+                raise Exception(_("This user is not authorized to approve this ticket"))
+            ticket.approve(user)
+        except AlreadyClosed as e:
+            self.clear(token)
+            return self.redirect_message_response(error=str(e), redirect_url=self.login_url)
+        except Exception as e:
+            return self.redirect_message_response(error=str(e), redirect_url=self.login_url)
+
+        self.clear(token)
+        return self.redirect_message_response(message=_("Success"), redirect_url=self.login_url)

From e1515487016fe8b569f7c531ac53c14e20f31e40 Mon Sep 17 00:00:00 2001
From: jiangweidong <80373698+F2C-Jiang@users.noreply.github.com>
Date: Thu, 5 May 2022 14:42:09 +0800
Subject: [PATCH 081/258] =?UTF-8?q?perf:=20=E8=B4=A6=E5=8F=B7=E7=AE=A1?=
 =?UTF-8?q?=E7=90=86=E4=B8=AD=E6=9F=A5=E7=9C=8B=E5=AF=86=E7=A0=81=E8=AE=B0?=
 =?UTF-8?q?=E5=BD=95=E6=97=A5=E5=BF=97=20(#8157)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/applications/api/account.py     |   3 +-
 apps/assets/api/accounts.py          |   3 +-
 apps/audits/const.py                 |  20 ++++
 apps/audits/models.py                |   2 +
 apps/audits/signal_handlers.py       |  44 +-------
 apps/audits/utils.py                 |  36 +++++-
 apps/common/mixins/views.py          |  37 ++++++-
 apps/locale/ja/LC_MESSAGES/django.po | 159 +++++++++++++++------------
 apps/locale/zh/LC_MESSAGES/django.po | 147 ++++++++++++++-----------
 9 files changed, 263 insertions(+), 188 deletions(-)

diff --git a/apps/applications/api/account.py b/apps/applications/api/account.py
index 4e66a730c..0a1581b28 100644
--- a/apps/applications/api/account.py
+++ b/apps/applications/api/account.py
@@ -6,6 +6,7 @@ from django.db.models import F, Q
 
 from common.drf.filters import BaseFilterSet
 from common.drf.api import JMSBulkModelViewSet
+from common.mixins import RecordViewLogMixin
 from rbac.permissions import RBACPermission
 from assets.models import SystemUser
 from ..models import Account
@@ -54,7 +55,7 @@ class SystemUserAppRelationViewSet(ApplicationAccountViewSet):
     perm_model = SystemUser
 
 
-class ApplicationAccountSecretViewSet(ApplicationAccountViewSet):
+class ApplicationAccountSecretViewSet(RecordViewLogMixin, ApplicationAccountViewSet):
     serializer_class = serializers.AppAccountSecretSerializer
     permission_classes = [RBACPermission, NeedMFAVerify]
     http_method_names = ['get', 'options']
diff --git a/apps/assets/api/accounts.py b/apps/assets/api/accounts.py
index 9989599b8..4a3629e46 100644
--- a/apps/assets/api/accounts.py
+++ b/apps/assets/api/accounts.py
@@ -8,6 +8,7 @@ from rest_framework.generics import CreateAPIView
 from orgs.mixins.api import OrgBulkModelViewSet
 from rbac.permissions import RBACPermission
 from common.drf.filters import BaseFilterSet
+from common.mixins import RecordViewLogMixin
 from common.permissions import NeedMFAVerify
 from ..tasks.account_connectivity import test_accounts_connectivity_manual
 from ..models import AuthBook, Node
@@ -79,7 +80,7 @@ class AccountViewSet(OrgBulkModelViewSet):
         return Response(data={'task': task.id})
 
 
-class AccountSecretsViewSet(AccountViewSet):
+class AccountSecretsViewSet(RecordViewLogMixin, AccountViewSet):
     """
     因为可能要导出所有账号，所以单独建立了一个 viewset
     """
diff --git a/apps/audits/const.py b/apps/audits/const.py
index 97f6cc6b1..9ff993556 100644
--- a/apps/audits/const.py
+++ b/apps/audits/const.py
@@ -3,3 +3,23 @@
 from django.utils.translation import ugettext_lazy as _
 
 DEFAULT_CITY = _("Unknown")
+
+MODELS_NEED_RECORD = (
+    # users
+    'User', 'UserGroup',
+    # acls
+    'LoginACL', 'LoginAssetACL', 'LoginConfirmSetting',
+    # assets
+    'Asset', 'Node', 'AdminUser', 'SystemUser', 'Domain', 'Gateway', 'CommandFilterRule',
+    'CommandFilter', 'Platform', 'AuthBook',
+    # applications
+    'Application',
+    # orgs
+    'Organization',
+    # settings
+    'Setting',
+    # perms
+    'AssetPermission', 'ApplicationPermission',
+    # xpack
+    'License', 'Account', 'SyncInstanceTask', 'ChangeAuthPlan', 'GatherUserTask',
+)
diff --git a/apps/audits/models.py b/apps/audits/models.py
index 0cd17ede2..5dd8eb0a2 100644
--- a/apps/audits/models.py
+++ b/apps/audits/models.py
@@ -49,10 +49,12 @@ class FTPLog(OrgModelMixin):
 
 class OperateLog(OrgModelMixin):
     ACTION_CREATE = 'create'
+    ACTION_VIEW = 'view'
     ACTION_UPDATE = 'update'
     ACTION_DELETE = 'delete'
     ACTION_CHOICES = (
         (ACTION_CREATE, _("Create")),
+        (ACTION_VIEW, _("View")),
         (ACTION_UPDATE, _("Update")),
         (ACTION_DELETE, _("Delete"))
     )
diff --git a/apps/audits/signal_handlers.py b/apps/audits/signal_handlers.py
index 031b1e25c..5177cfca7 100644
--- a/apps/audits/signal_handlers.py
+++ b/apps/audits/signal_handlers.py
@@ -21,7 +21,7 @@ from jumpserver.utils import current_request
 from users.models import User
 from users.signals import post_user_change_password
 from terminal.models import Session, Command
-from .utils import write_login_log
+from .utils import write_login_log, create_operate_log
 from . import models, serializers
 from .models import OperateLog
 from orgs.utils import current_org
@@ -36,26 +36,6 @@ logger = get_logger(__name__)
 sys_logger = get_syslogger(__name__)
 json_render = JSONRenderer()
 
-MODELS_NEED_RECORD = (
-    # users
-    'User', 'UserGroup',
-    # acls
-    'LoginACL', 'LoginAssetACL', 'LoginConfirmSetting',
-    # assets
-    'Asset', 'Node', 'AdminUser', 'SystemUser', 'Domain', 'Gateway', 'CommandFilterRule',
-    'CommandFilter', 'Platform', 'AuthBook',
-    # applications
-    'Application',
-    # orgs
-    'Organization',
-    # settings
-    'Setting',
-    # perms
-    'AssetPermission', 'ApplicationPermission',
-    # xpack
-    'License', 'Account', 'SyncInstanceTask', 'ChangeAuthPlan', 'GatherUserTask',
-)
-
 
 class AuthBackendLabelMapping(LazyObject):
     @staticmethod
@@ -80,28 +60,6 @@ class AuthBackendLabelMapping(LazyObject):
 AUTH_BACKEND_LABEL_MAPPING = AuthBackendLabelMapping()
 
 
-def create_operate_log(action, sender, resource):
-    user = current_request.user if current_request else None
-    if not user or not user.is_authenticated:
-        return
-    model_name = sender._meta.object_name
-    if model_name not in MODELS_NEED_RECORD:
-        return
-    with translation.override('en'):
-        resource_type = sender._meta.verbose_name
-    remote_addr = get_request_ip(current_request)
-
-    data = {
-        "user": str(user), 'action': action, 'resource_type': resource_type,
-        'resource': str(resource), 'remote_addr': remote_addr,
-    }
-    with transaction.atomic():
-        try:
-            models.OperateLog.objects.create(**data)
-        except Exception as e:
-            logger.error("Create operate log error: {}".format(e))
-
-
 M2M_NEED_RECORD = {
     User.groups.through._meta.object_name: (
         _('User and Group'),
diff --git a/apps/audits/utils.py b/apps/audits/utils.py
index e569a7ebb..1fadbccee 100644
--- a/apps/audits/utils.py
+++ b/apps/audits/utils.py
@@ -1,9 +1,17 @@
 import csv
 import codecs
-from django.http import HttpResponse
 
-from .const import DEFAULT_CITY
-from common.utils import validate_ip, get_ip_city
+from django.http import HttpResponse
+from django.db import transaction
+from django.utils import translation
+
+from audits.models import OperateLog
+from common.utils import validate_ip, get_ip_city, get_request_ip, get_logger
+from jumpserver.utils import current_request
+from .const import DEFAULT_CITY, MODELS_NEED_RECORD
+
+
+logger = get_logger(__name__)
 
 
 def get_excel_response(filename):
@@ -36,3 +44,25 @@ def write_login_log(*args, **kwargs):
         city = get_ip_city(ip) or DEFAULT_CITY
     kwargs.update({'ip': ip, 'city': city})
     UserLoginLog.objects.create(**kwargs)
+
+
+def create_operate_log(action, sender, resource):
+    user = current_request.user if current_request else None
+    if not user or not user.is_authenticated:
+        return
+    model_name = sender._meta.object_name
+    if model_name not in MODELS_NEED_RECORD:
+        return
+    with translation.override('en'):
+        resource_type = sender._meta.verbose_name
+    remote_addr = get_request_ip(current_request)
+
+    data = {
+        "user": str(user), 'action': action, 'resource_type': resource_type,
+        'resource': str(resource), 'remote_addr': remote_addr,
+    }
+    with transaction.atomic():
+        try:
+            OperateLog.objects.create(**data)
+        except Exception as e:
+            logger.error("Create operate log error: {}".format(e))
diff --git a/apps/common/mixins/views.py b/apps/common/mixins/views.py
index 4fc1dbf3c..0028ccf0a 100644
--- a/apps/common/mixins/views.py
+++ b/apps/common/mixins/views.py
@@ -1,5 +1,6 @@
 # -*- coding: utf-8 -*-
 #
+from django.utils.translation import ugettext_lazy as _
 from django.contrib.auth.mixins import UserPassesTestMixin
 from rest_framework import permissions
 from rest_framework.decorators import action
@@ -7,8 +8,10 @@ from rest_framework.request import Request
 from rest_framework.response import Response
 
 from common.permissions import IsValidUser
+from audits.utils import create_operate_log
+from audits.models import OperateLog
 
-__all__ = ["PermissionsMixin"]
+__all__ = ["PermissionsMixin", "RecordViewLogMixin"]
 
 
 class PermissionsMixin(UserPassesTestMixin):
@@ -24,3 +27,35 @@ class PermissionsMixin(UserPassesTestMixin):
             if not permission_class().has_permission(self.request, self):
                 return False
         return True
+
+
+class RecordViewLogMixin:
+    ACTION = OperateLog.ACTION_VIEW
+
+    @staticmethod
+    def get_resource_display(request):
+        query_params = dict(request.query_params)
+        if query_params.get('format'):
+            query_params.pop('format')
+        spm_filter = query_params.pop('spm') if query_params.get('spm') else None
+        if not query_params and not spm_filter:
+            display_message = _('Export all')
+        elif spm_filter:
+            display_message = _('Export only selected items')
+        else:
+            query = ','.join(
+                ['%s=%s' % (key, value) for key, value in query_params.items()]
+            )
+            display_message = _('Export filtered: %s') % query
+        return display_message
+
+    def list(self, request, *args, **kwargs):
+        response = super().list(request, *args, **kwargs)
+        resource = self.get_resource_display(request)
+        create_operate_log(self.ACTION, self.model, resource)
+        return response
+
+    def retrieve(self, request, *args, **kwargs):
+        response = super().retrieve(request, *args, **kwargs)
+        create_operate_log(self.ACTION, self.model, self.get_object())
+        return response
diff --git a/apps/locale/ja/LC_MESSAGES/django.po b/apps/locale/ja/LC_MESSAGES/django.po
index e26cb7538..b23c9cde9 100644
--- a/apps/locale/ja/LC_MESSAGES/django.po
+++ b/apps/locale/ja/LC_MESSAGES/django.po
@@ -86,7 +86,7 @@ msgstr "ログイン確認"
 
 #: acls/models/login_acl.py:24 acls/models/login_asset_acl.py:20
 #: assets/models/cmd_filter.py:30 assets/models/label.py:15 audits/models.py:37
-#: audits/models.py:60 audits/models.py:85 audits/serializers.py:100
+#: audits/models.py:62 audits/models.py:87 audits/serializers.py:100
 #: authentication/models.py:51 orgs/models.py:214 perms/models/base.py:84
 #: rbac/builtin.py:118 rbac/models/rolebinding.py:41
 #: terminal/backends/command/models.py:20
@@ -103,7 +103,7 @@ msgstr "ルール"
 
 #: acls/models/login_acl.py:31 acls/models/login_asset_acl.py:26
 #: acls/serializers/login_acl.py:17 acls/serializers/login_asset_acl.py:75
-#: assets/models/cmd_filter.py:89 audits/models.py:61 audits/serializers.py:51
+#: assets/models/cmd_filter.py:89 audits/models.py:63 audits/serializers.py:51
 #: authentication/templates/authentication/_access_key_modal.html:34
 msgid "Action"
 msgstr "アクション"
@@ -152,7 +152,7 @@ msgstr "コンマ区切り文字列の形式。* はすべて一致すること
 
 #: acls/serializers/login_acl.py:15 acls/serializers/login_asset_acl.py:17
 #: acls/serializers/login_asset_acl.py:51 assets/models/base.py:176
-#: assets/models/gathered_user.py:15 audits/models.py:119
+#: assets/models/gathered_user.py:15 audits/models.py:121
 #: authentication/forms.py:15 authentication/forms.py:17
 #: authentication/models.py:69
 #: authentication/templates/authentication/_msg_different_city.html:9
@@ -711,7 +711,7 @@ msgstr "アカウントのバックアップスナップショット"
 msgid "Trigger mode"
 msgstr "トリガーモード"
 
-#: assets/models/backup.py:119 audits/models.py:125
+#: assets/models/backup.py:119 audits/models.py:127
 #: terminal/models/sharing.py:94
 #: xpack/plugins/change_auth_plan/models/base.py:201
 #: xpack/plugins/change_auth_plan/serializers/app.py:66
@@ -741,7 +741,7 @@ msgstr "不明"
 msgid "Ok"
 msgstr "OK"
 
-#: assets/models/base.py:32 audits/models.py:116
+#: assets/models/base.py:32 audits/models.py:118
 #: xpack/plugins/change_auth_plan/serializers/app.py:88
 #: xpack/plugins/change_auth_plan/serializers/asset.py:198
 #: xpack/plugins/cloud/const.py:31
@@ -756,7 +756,7 @@ msgstr "接続性"
 msgid "Date verified"
 msgstr "確認済みの日付"
 
-#: assets/models/base.py:177 audits/signal_handlers.py:68
+#: assets/models/base.py:177 audits/signal_handlers.py:48
 #: authentication/forms.py:22
 #: authentication/templates/authentication/login.html:181
 #: settings/serializers/auth/ldap.py:43 users/forms/profile.py:21
@@ -1358,7 +1358,7 @@ msgstr "一致する資産がない、タスクを停止"
 msgid "Audits"
 msgstr "監査"
 
-#: audits/models.py:27 audits/models.py:57
+#: audits/models.py:27 audits/models.py:59
 #: authentication/templates/authentication/_access_key_modal.html:65
 #: rbac/tree.py:228
 msgid "Delete"
@@ -1388,7 +1388,7 @@ msgstr "Mkdir"
 msgid "Symlink"
 msgstr "Symlink"
 
-#: audits/models.py:38 audits/models.py:64 audits/models.py:87
+#: audits/models.py:38 audits/models.py:66 audits/models.py:89
 #: terminal/models/session.py:51 terminal/models/sharing.py:82
 msgid "Remote addr"
 msgstr "リモートaddr"
@@ -1412,95 +1412,100 @@ msgstr "成功"
 msgid "File transfer log"
 msgstr "ファイル転送ログ"
 
-#: audits/models.py:55
+#: audits/models.py:56
 #: authentication/templates/authentication/_access_key_modal.html:22
 #: rbac/tree.py:225
 msgid "Create"
 msgstr "作成"
 
 #: audits/models.py:56 rbac/tree.py:227 templates/_csv_import_export.html:18
+#: audits/models.py:57 rbac/tree.py:226
+msgid "View"
+msgstr "表示"
+
+#: audits/models.py:58 rbac/tree.py:227 templates/_csv_import_export.html:18
 #: templates/_csv_update_modal.html:6
 msgid "Update"
 msgstr "更新"
 
-#: audits/models.py:62 audits/serializers.py:63
+#: audits/models.py:64 audits/serializers.py:63
 msgid "Resource Type"
 msgstr "リソースタイプ"
 
-#: audits/models.py:63
+#: audits/models.py:65
 msgid "Resource"
 msgstr "リソース"
 
-#: audits/models.py:65 audits/models.py:88
+#: audits/models.py:67 audits/models.py:90
 #: terminal/backends/command/serializers.py:39
 msgid "Datetime"
 msgstr "時間"
 
-#: audits/models.py:80
+#: audits/models.py:82
 msgid "Operate log"
 msgstr "ログの操作"
 
-#: audits/models.py:86
+#: audits/models.py:88
 msgid "Change by"
 msgstr "による変更"
 
-#: audits/models.py:94
+#: audits/models.py:96
 msgid "Password change log"
 msgstr "パスワード変更ログ"
 
-#: audits/models.py:109
+#: audits/models.py:111
 msgid "Disabled"
 msgstr "無効"
 
-#: audits/models.py:110 settings/models.py:33
+#: audits/models.py:112 settings/models.py:33
 msgid "Enabled"
 msgstr "有効化"
 
-#: audits/models.py:111
+#: audits/models.py:113
 msgid "-"
 msgstr "-"
 
-#: audits/models.py:120
+#: audits/models.py:122
 msgid "Login type"
 msgstr "ログインタイプ"
 
-#: audits/models.py:121
+#: audits/models.py:123
 #: tickets/serializers/ticket/meta/ticket_type/login_confirm.py:14
 msgid "Login ip"
 msgstr "ログインIP"
 
-#: audits/models.py:122
+#: audits/models.py:124
 #: authentication/templates/authentication/_msg_different_city.html:11
 #: tickets/serializers/ticket/meta/ticket_type/login_confirm.py:17
 msgid "Login city"
 msgstr "ログイン都市"
 
-#: audits/models.py:123 audits/serializers.py:44
+#: audits/models.py:125 audits/serializers.py:44
 msgid "User agent"
 msgstr "ユーザーエージェント"
 
-#: audits/models.py:124
+#: audits/models.py:126
 #: authentication/templates/authentication/_mfa_confirm_modal.html:14
 #: users/forms/profile.py:64 users/models/user.py:684
 #: users/serializers/profile.py:121
 msgid "MFA"
 msgstr "MFA"
 
-#: audits/models.py:126 terminal/models/status.py:33
+#: audits/models.py:128 terminal/models/status.py:33
 #: tickets/models/ticket.py:140 xpack/plugins/cloud/models.py:175
 #: xpack/plugins/cloud/models.py:227
 msgid "Status"
 msgstr "ステータス"
 
-#: audits/models.py:127
+#: audits/models.py:129
 msgid "Date login"
 msgstr "日付ログイン"
 
-#: audits/models.py:128 audits/serializers.py:46
+#: audits/models.py:130 audits/serializers.py:46
 msgid "Authentication backend"
 msgstr "認証バックエンド"
 
-#: audits/models.py:167
+#: audits/models.py:169
 msgid "User login log"
 msgstr "ユーザーログインログ"
 
@@ -1545,20 +1550,21 @@ msgstr "ディスプレイとして実行する"
 msgid "User display"
 msgstr "ユーザー表示"
 
-#: audits/signal_handlers.py:67
+#: audits/signal_handlers.py:47
 msgid "SSH Key"
 msgstr "SSHキー"
 
-#: audits/signal_handlers.py:69
+#: audits/signal_handlers.py:49
 msgid "SSO"
 msgstr "SSO"
 
-#: audits/signal_handlers.py:70
+#: audits/signal_handlers.py:50
 msgid "Auth Token"
 msgstr "認証トークン"
 
 #: audits/signal_handlers.py:71 authentication/notifications.py:73
-#: authentication/views/login.py:164 authentication/views/wecom.py:182
+#: audits/signal_handlers.py:51 authentication/notifications.py:73
+#: authentication/views/login.py:164 authentication/views/wecom.py:181
 #: notifications/backends/__init__.py:11 users/models/user.py:720
 msgid "WeCom"
 msgstr "企業微信"
@@ -1569,174 +1575,174 @@ msgstr "企業微信"
 msgid "DingTalk"
 msgstr "DingTalk"
 
-#: audits/signal_handlers.py:73 authentication/models.py:76
+#: audits/signal_handlers.py:53 authentication/models.py:76
 msgid "Temporary token"
 msgstr "仮パスワード"
 
-#: audits/signal_handlers.py:107
+#: audits/signal_handlers.py:65
 msgid "User and Group"
 msgstr "ユーザーとグループ"
 
-#: audits/signal_handlers.py:108
+#: audits/signal_handlers.py:66
 #, python-brace-format
 msgid "{User} JOINED {UserGroup}"
 msgstr "{User} に参加 {UserGroup}"
 
-#: audits/signal_handlers.py:109
+#: audits/signal_handlers.py:67
 #, python-brace-format
 msgid "{User} LEFT {UserGroup}"
 msgstr "{User} のそばを通る {UserGroup}"
 
-#: audits/signal_handlers.py:112
+#: audits/signal_handlers.py:70
 msgid "Asset and SystemUser"
 msgstr "資産およびシステム・ユーザー"
 
-#: audits/signal_handlers.py:113
+#: audits/signal_handlers.py:71
 #, python-brace-format
 msgid "{Asset} ADD {SystemUser}"
 msgstr "{Asset} 追加 {SystemUser}"
 
-#: audits/signal_handlers.py:114
+#: audits/signal_handlers.py:72
 #, python-brace-format
 msgid "{Asset} REMOVE {SystemUser}"
 msgstr "{Asset} 削除 {SystemUser}"
 
-#: audits/signal_handlers.py:117
+#: audits/signal_handlers.py:75
 msgid "Node and Asset"
 msgstr "ノードと資産"
 
-#: audits/signal_handlers.py:118
+#: audits/signal_handlers.py:76
 #, python-brace-format
 msgid "{Node} ADD {Asset}"
 msgstr "{Node} 追加 {Asset}"
 
-#: audits/signal_handlers.py:119
+#: audits/signal_handlers.py:77
 #, python-brace-format
 msgid "{Node} REMOVE {Asset}"
 msgstr "{Node} 削除 {Asset}"
 
-#: audits/signal_handlers.py:122
+#: audits/signal_handlers.py:80
 msgid "User asset permissions"
 msgstr "ユーザー資産の権限"
 
-#: audits/signal_handlers.py:123
+#: audits/signal_handlers.py:81
 #, python-brace-format
 msgid "{AssetPermission} ADD {User}"
 msgstr "{AssetPermission} 追加 {User}"
 
-#: audits/signal_handlers.py:124
+#: audits/signal_handlers.py:82
 #, python-brace-format
 msgid "{AssetPermission} REMOVE {User}"
 msgstr "{AssetPermission} 削除 {User}"
 
-#: audits/signal_handlers.py:127
+#: audits/signal_handlers.py:85
 msgid "User group asset permissions"
 msgstr "ユーザーグループの資産権限"
 
-#: audits/signal_handlers.py:128
+#: audits/signal_handlers.py:86
 #, python-brace-format
 msgid "{AssetPermission} ADD {UserGroup}"
 msgstr "{AssetPermission} 追加 {UserGroup}"
 
-#: audits/signal_handlers.py:129
+#: audits/signal_handlers.py:87
 #, python-brace-format
 msgid "{AssetPermission} REMOVE {UserGroup}"
 msgstr "{AssetPermission} 削除 {UserGroup}"
 
-#: audits/signal_handlers.py:132 perms/models/asset_permission.py:29
+#: audits/signal_handlers.py:90 perms/models/asset_permission.py:29
 msgid "Asset permission"
 msgstr "資産権限"
 
-#: audits/signal_handlers.py:133
+#: audits/signal_handlers.py:91
 #, python-brace-format
 msgid "{AssetPermission} ADD {Asset}"
 msgstr "{AssetPermission} 追加 {Asset}"
 
-#: audits/signal_handlers.py:134
+#: audits/signal_handlers.py:92
 #, python-brace-format
 msgid "{AssetPermission} REMOVE {Asset}"
 msgstr "{AssetPermission} 削除 {Asset}"
 
-#: audits/signal_handlers.py:137
+#: audits/signal_handlers.py:95
 msgid "Node permission"
 msgstr "ノード権限"
 
-#: audits/signal_handlers.py:138
+#: audits/signal_handlers.py:96
 #, python-brace-format
 msgid "{AssetPermission} ADD {Node}"
 msgstr "{AssetPermission} 追加 {Node}"
 
-#: audits/signal_handlers.py:139
+#: audits/signal_handlers.py:97
 #, python-brace-format
 msgid "{AssetPermission} REMOVE {Node}"
 msgstr "{AssetPermission} 削除 {Node}"
 
-#: audits/signal_handlers.py:142
+#: audits/signal_handlers.py:100
 msgid "Asset permission and SystemUser"
 msgstr "資産権限とSystemUser"
 
-#: audits/signal_handlers.py:143
+#: audits/signal_handlers.py:101
 #, python-brace-format
 msgid "{AssetPermission} ADD {SystemUser}"
 msgstr "{AssetPermission} 追加 {SystemUser}"
 
-#: audits/signal_handlers.py:144
+#: audits/signal_handlers.py:102
 #, python-brace-format
 msgid "{AssetPermission} REMOVE {SystemUser}"
 msgstr "{AssetPermission} 削除 {SystemUser}"
 
-#: audits/signal_handlers.py:147
+#: audits/signal_handlers.py:105
 msgid "User application permissions"
 msgstr "ユーザーアプリケーションの権限"
 
-#: audits/signal_handlers.py:148
+#: audits/signal_handlers.py:106
 #, python-brace-format
 msgid "{ApplicationPermission} ADD {User}"
 msgstr "{ApplicationPermission} 追加 {User}"
 
-#: audits/signal_handlers.py:149
+#: audits/signal_handlers.py:107
 #, python-brace-format
 msgid "{ApplicationPermission} REMOVE {User}"
 msgstr "{ApplicationPermission} 削除 {User}"
 
-#: audits/signal_handlers.py:152
+#: audits/signal_handlers.py:110
 msgid "User group application permissions"
 msgstr "ユーザーグループアプリケーションの権限"
 
-#: audits/signal_handlers.py:153
+#: audits/signal_handlers.py:111
 #, python-brace-format
 msgid "{ApplicationPermission} ADD {UserGroup}"
 msgstr "{ApplicationPermission} 追加 {UserGroup}"
 
-#: audits/signal_handlers.py:154
+#: audits/signal_handlers.py:112
 #, python-brace-format
 msgid "{ApplicationPermission} REMOVE {UserGroup}"
 msgstr "{ApplicationPermission} 削除 {UserGroup}"
 
-#: audits/signal_handlers.py:157 perms/models/application_permission.py:38
+#: audits/signal_handlers.py:115 perms/models/application_permission.py:38
 msgid "Application permission"
 msgstr "申請許可"
 
-#: audits/signal_handlers.py:158
+#: audits/signal_handlers.py:116
 #, python-brace-format
 msgid "{ApplicationPermission} ADD {Application}"
 msgstr "{ApplicationPermission} 追加 {Application}"
 
-#: audits/signal_handlers.py:159
+#: audits/signal_handlers.py:117
 #, python-brace-format
 msgid "{ApplicationPermission} REMOVE {Application}"
 msgstr "{ApplicationPermission} 削除 {Application}"
 
-#: audits/signal_handlers.py:162
+#: audits/signal_handlers.py:120
 msgid "Application permission and SystemUser"
 msgstr "アプリケーション権限とSystemUser"
 
-#: audits/signal_handlers.py:163
+#: audits/signal_handlers.py:121
 #, python-brace-format
 msgid "{ApplicationPermission} ADD {SystemUser}"
 msgstr "{ApplicationPermission} 追加 {SystemUser}"
 
-#: audits/signal_handlers.py:164
+#: audits/signal_handlers.py:122
 #, python-brace-format
 msgid "{ApplicationPermission} REMOVE {SystemUser}"
 msgstr "{ApplicationPermission} 削除 {SystemUser}"
@@ -2580,6 +2586,19 @@ msgstr "は破棄されます"
 msgid "discard time"
 msgstr "時間を捨てる"
 
+#: common/mixins/views.py:41
+msgid "Export all"
+msgstr "すべてエクスポート"
+
+#: common/mixins/views.py:43
+msgid "Export only selected items"
+msgstr "選択項目のみエクスポート"
+
+#: common/mixins/views.py:48
+#, python-format
+msgid "Export filtered: %s"
+msgstr "検索のエクスポート: %s"
+
 #: common/sdk/im/exceptions.py:23
 msgid "Network error, please contact system administrator"
 msgstr "ネットワークエラー、システム管理者に連絡してください"
@@ -3330,10 +3349,6 @@ msgstr "権限ツリーの表示"
 msgid "Execute batch command"
 msgstr "バッチ実行コマンド"
 
-#: rbac/tree.py:226
-msgid "View"
-msgstr "表示"
-
 #: settings/api/alibaba_sms.py:31 settings/api/tencent_sms.py:35
 msgid "test_phone is required"
 msgstr "携帯番号をテストこのフィールドは必須です"
diff --git a/apps/locale/zh/LC_MESSAGES/django.po b/apps/locale/zh/LC_MESSAGES/django.po
index e362871c6..bc6f0a6ae 100644
--- a/apps/locale/zh/LC_MESSAGES/django.po
+++ b/apps/locale/zh/LC_MESSAGES/django.po
@@ -85,7 +85,7 @@ msgstr "登录复核"
 
 #: acls/models/login_acl.py:24 acls/models/login_asset_acl.py:20
 #: assets/models/cmd_filter.py:30 assets/models/label.py:15 audits/models.py:37
-#: audits/models.py:60 audits/models.py:85 audits/serializers.py:100
+#: audits/models.py:62 audits/models.py:87 audits/serializers.py:100
 #: authentication/models.py:51 orgs/models.py:214 perms/models/base.py:84
 #: rbac/builtin.py:118 rbac/models/rolebinding.py:41
 #: terminal/backends/command/models.py:20
@@ -102,7 +102,7 @@ msgstr "规则"
 
 #: acls/models/login_acl.py:31 acls/models/login_asset_acl.py:26
 #: acls/serializers/login_acl.py:17 acls/serializers/login_asset_acl.py:75
-#: assets/models/cmd_filter.py:89 audits/models.py:61 audits/serializers.py:51
+#: assets/models/cmd_filter.py:89 audits/models.py:63 audits/serializers.py:51
 #: authentication/templates/authentication/_access_key_modal.html:34
 msgid "Action"
 msgstr "动作"
@@ -151,7 +151,7 @@ msgstr "格式为逗号分隔的字符串, * 表示匹配所有. "
 
 #: acls/serializers/login_acl.py:15 acls/serializers/login_asset_acl.py:17
 #: acls/serializers/login_asset_acl.py:51 assets/models/base.py:176
-#: assets/models/gathered_user.py:15 audits/models.py:119
+#: assets/models/gathered_user.py:15 audits/models.py:121
 #: authentication/forms.py:15 authentication/forms.py:17
 #: authentication/models.py:69
 #: authentication/templates/authentication/_msg_different_city.html:9
@@ -706,7 +706,7 @@ msgstr "账号备份快照"
 msgid "Trigger mode"
 msgstr "触发模式"
 
-#: assets/models/backup.py:119 audits/models.py:125
+#: assets/models/backup.py:119 audits/models.py:127
 #: terminal/models/sharing.py:94
 #: xpack/plugins/change_auth_plan/models/base.py:201
 #: xpack/plugins/change_auth_plan/serializers/app.py:66
@@ -736,7 +736,7 @@ msgstr "未知"
 msgid "Ok"
 msgstr "成功"
 
-#: assets/models/base.py:32 audits/models.py:116
+#: assets/models/base.py:32 audits/models.py:118
 #: xpack/plugins/change_auth_plan/serializers/app.py:88
 #: xpack/plugins/change_auth_plan/serializers/asset.py:198
 #: xpack/plugins/cloud/const.py:31
@@ -751,7 +751,7 @@ msgstr "可连接性"
 msgid "Date verified"
 msgstr "校验日期"
 
-#: assets/models/base.py:177 audits/signal_handlers.py:68
+#: assets/models/base.py:177 audits/signal_handlers.py:48
 #: authentication/forms.py:22
 #: authentication/templates/authentication/login.html:181
 #: settings/serializers/auth/ldap.py:43 users/forms/profile.py:21
@@ -1346,7 +1346,7 @@ msgstr "没有匹配到资产，结束任务"
 msgid "Audits"
 msgstr "日志审计"
 
-#: audits/models.py:27 audits/models.py:57
+#: audits/models.py:27 audits/models.py:59
 #: authentication/templates/authentication/_access_key_modal.html:65
 #: rbac/tree.py:228
 msgid "Delete"
@@ -1376,7 +1376,7 @@ msgstr "创建目录"
 msgid "Symlink"
 msgstr "建立软链接"
 
-#: audits/models.py:38 audits/models.py:64 audits/models.py:87
+#: audits/models.py:38 audits/models.py:66 audits/models.py:89
 #: terminal/models/session.py:51 terminal/models/sharing.py:82
 msgid "Remote addr"
 msgstr "远端地址"
@@ -1400,7 +1400,7 @@ msgstr "成功"
 msgid "File transfer log"
 msgstr "文件管理"
 
-#: audits/models.py:55
+#: audits/models.py:56
 #: authentication/templates/authentication/_access_key_modal.html:22
 #: rbac/tree.py:225
 msgid "Create"
@@ -1411,84 +1411,84 @@ msgstr "创建"
 msgid "Update"
 msgstr "更新"
 
-#: audits/models.py:62 audits/serializers.py:63
+#: audits/models.py:64 audits/serializers.py:63
 msgid "Resource Type"
 msgstr "资源类型"
 
-#: audits/models.py:63
+#: audits/models.py:65
 msgid "Resource"
 msgstr "资源"
 
-#: audits/models.py:65 audits/models.py:88
+#: audits/models.py:67 audits/models.py:90
 #: terminal/backends/command/serializers.py:39
 msgid "Datetime"
 msgstr "日期"
 
-#: audits/models.py:80
+#: audits/models.py:82
 msgid "Operate log"
 msgstr "操作日志"
 
-#: audits/models.py:86
+#: audits/models.py:88
 msgid "Change by"
 msgstr "修改者"
 
-#: audits/models.py:94
+#: audits/models.py:96
 msgid "Password change log"
 msgstr "改密日志"
 
-#: audits/models.py:109
+#: audits/models.py:111
 msgid "Disabled"
 msgstr "禁用"
 
-#: audits/models.py:110 settings/models.py:33
+#: audits/models.py:112 settings/models.py:33
 msgid "Enabled"
 msgstr "启用"
 
-#: audits/models.py:111
+#: audits/models.py:113
 msgid "-"
 msgstr "-"
 
-#: audits/models.py:120
+#: audits/models.py:122
 msgid "Login type"
 msgstr "登录方式"
 
-#: audits/models.py:121
+#: audits/models.py:123
 #: tickets/serializers/ticket/meta/ticket_type/login_confirm.py:14
 msgid "Login ip"
 msgstr "登录IP"
 
-#: audits/models.py:122
+#: audits/models.py:124
 #: authentication/templates/authentication/_msg_different_city.html:11
 #: tickets/serializers/ticket/meta/ticket_type/login_confirm.py:17
 msgid "Login city"
 msgstr "登录城市"
 
-#: audits/models.py:123 audits/serializers.py:44
+#: audits/models.py:125 audits/serializers.py:44
 msgid "User agent"
 msgstr "用户代理"
 
-#: audits/models.py:124
+#: audits/models.py:126
 #: authentication/templates/authentication/_mfa_confirm_modal.html:14
 #: users/forms/profile.py:64 users/models/user.py:684
 #: users/serializers/profile.py:121
 msgid "MFA"
 msgstr "MFA"
 
-#: audits/models.py:126 terminal/models/status.py:33
+#: audits/models.py:128 terminal/models/status.py:33
 #: tickets/models/ticket.py:140 xpack/plugins/cloud/models.py:175
 #: xpack/plugins/cloud/models.py:227
 msgid "Status"
 msgstr "状态"
 
-#: audits/models.py:127
+#: audits/models.py:129
 msgid "Date login"
 msgstr "登录日期"
 
-#: audits/models.py:128 audits/serializers.py:46
+#: audits/models.py:130 audits/serializers.py:46
 msgid "Authentication backend"
 msgstr "认证方式"
 
-#: audits/models.py:167
+#: audits/models.py:169
 msgid "User login log"
 msgstr "用户登录日志"
 
@@ -1533,15 +1533,15 @@ msgstr "运行用户名称"
 msgid "User display"
 msgstr "用户名称"
 
-#: audits/signal_handlers.py:67
+#: audits/signal_handlers.py:47
 msgid "SSH Key"
 msgstr "SSH 密钥"
 
-#: audits/signal_handlers.py:69
+#: audits/signal_handlers.py:49
 msgid "SSO"
 msgstr "SSO"
 
-#: audits/signal_handlers.py:70
+#: audits/signal_handlers.py:50
 msgid "Auth Token"
 msgstr "认证令牌"
 
@@ -1557,174 +1557,174 @@ msgstr "企业微信"
 msgid "DingTalk"
 msgstr "钉钉"
 
-#: audits/signal_handlers.py:73 authentication/models.py:76
+#: audits/signal_handlers.py:53 authentication/models.py:76
 msgid "Temporary token"
 msgstr "临时密码"
 
-#: audits/signal_handlers.py:107
+#: audits/signal_handlers.py:65
 msgid "User and Group"
 msgstr "用户与用户组"
 
-#: audits/signal_handlers.py:108
+#: audits/signal_handlers.py:66
 #, python-brace-format
 msgid "{User} JOINED {UserGroup}"
 msgstr "{User} 加入 {UserGroup}"
 
-#: audits/signal_handlers.py:109
+#: audits/signal_handlers.py:67
 #, python-brace-format
 msgid "{User} LEFT {UserGroup}"
 msgstr "{User} 离开 {UserGroup}"
 
-#: audits/signal_handlers.py:112
+#: audits/signal_handlers.py:70
 msgid "Asset and SystemUser"
 msgstr "资产与系统用户"
 
-#: audits/signal_handlers.py:113
+#: audits/signal_handlers.py:71
 #, python-brace-format
 msgid "{Asset} ADD {SystemUser}"
 msgstr "{Asset} 添加 {SystemUser}"
 
-#: audits/signal_handlers.py:114
+#: audits/signal_handlers.py:72
 #, python-brace-format
 msgid "{Asset} REMOVE {SystemUser}"
 msgstr "{Asset} 移除 {SystemUser}"
 
-#: audits/signal_handlers.py:117
+#: audits/signal_handlers.py:75
 msgid "Node and Asset"
 msgstr "节点与资产"
 
-#: audits/signal_handlers.py:118
+#: audits/signal_handlers.py:76
 #, python-brace-format
 msgid "{Node} ADD {Asset}"
 msgstr "{Node} 添加 {Asset}"
 
-#: audits/signal_handlers.py:119
+#: audits/signal_handlers.py:77
 #, python-brace-format
 msgid "{Node} REMOVE {Asset}"
 msgstr "{Node} 移除 {Asset}"
 
-#: audits/signal_handlers.py:122
+#: audits/signal_handlers.py:80
 msgid "User asset permissions"
 msgstr "用户资产授权"
 
-#: audits/signal_handlers.py:123
+#: audits/signal_handlers.py:81
 #, python-brace-format
 msgid "{AssetPermission} ADD {User}"
 msgstr "{AssetPermission} 添加 {User}"
 
-#: audits/signal_handlers.py:124
+#: audits/signal_handlers.py:82
 #, python-brace-format
 msgid "{AssetPermission} REMOVE {User}"
 msgstr "{AssetPermission} 移除 {User}"
 
-#: audits/signal_handlers.py:127
+#: audits/signal_handlers.py:85
 msgid "User group asset permissions"
 msgstr "用户组资产授权"
 
-#: audits/signal_handlers.py:128
+#: audits/signal_handlers.py:86
 #, python-brace-format
 msgid "{AssetPermission} ADD {UserGroup}"
 msgstr "{AssetPermission} 添加 {UserGroup}"
 
-#: audits/signal_handlers.py:129
+#: audits/signal_handlers.py:87
 #, python-brace-format
 msgid "{AssetPermission} REMOVE {UserGroup}"
 msgstr "{AssetPermission} 移除 {UserGroup}"
 
-#: audits/signal_handlers.py:132 perms/models/asset_permission.py:29
+#: audits/signal_handlers.py:90 perms/models/asset_permission.py:29
 msgid "Asset permission"
 msgstr "资产授权"
 
-#: audits/signal_handlers.py:133
+#: audits/signal_handlers.py:91
 #, python-brace-format
 msgid "{AssetPermission} ADD {Asset}"
 msgstr "{AssetPermission} 添加 {Asset}"
 
-#: audits/signal_handlers.py:134
+#: audits/signal_handlers.py:92
 #, python-brace-format
 msgid "{AssetPermission} REMOVE {Asset}"
 msgstr "{AssetPermission} 移除 {Asset}"
 
-#: audits/signal_handlers.py:137
+#: audits/signal_handlers.py:95
 msgid "Node permission"
 msgstr "节点授权"
 
-#: audits/signal_handlers.py:138
+#: audits/signal_handlers.py:96
 #, python-brace-format
 msgid "{AssetPermission} ADD {Node}"
 msgstr "{AssetPermission} 添加 {Node}"
 
-#: audits/signal_handlers.py:139
+#: audits/signal_handlers.py:97
 #, python-brace-format
 msgid "{AssetPermission} REMOVE {Node}"
 msgstr "{AssetPermission} 移除 {Node}"
 
-#: audits/signal_handlers.py:142
+#: audits/signal_handlers.py:100
 msgid "Asset permission and SystemUser"
 msgstr "资产授权与系统用户"
 
-#: audits/signal_handlers.py:143
+#: audits/signal_handlers.py:101
 #, python-brace-format
 msgid "{AssetPermission} ADD {SystemUser}"
 msgstr "{AssetPermission} 添加 {SystemUser}"
 
-#: audits/signal_handlers.py:144
+#: audits/signal_handlers.py:102
 #, python-brace-format
 msgid "{AssetPermission} REMOVE {SystemUser}"
 msgstr "{AssetPermission} 移除 {SystemUser}"
 
-#: audits/signal_handlers.py:147
+#: audits/signal_handlers.py:105
 msgid "User application permissions"
 msgstr "用户应用授权"
 
-#: audits/signal_handlers.py:148
+#: audits/signal_handlers.py:106
 #, python-brace-format
 msgid "{ApplicationPermission} ADD {User}"
 msgstr "{ApplicationPermission} 添加 {User}"
 
-#: audits/signal_handlers.py:149
+#: audits/signal_handlers.py:107
 #, python-brace-format
 msgid "{ApplicationPermission} REMOVE {User}"
 msgstr "{ApplicationPermission} 移除 {User}"
 
-#: audits/signal_handlers.py:152
+#: audits/signal_handlers.py:110
 msgid "User group application permissions"
 msgstr "用户组应用授权"
 
-#: audits/signal_handlers.py:153
+#: audits/signal_handlers.py:111
 #, python-brace-format
 msgid "{ApplicationPermission} ADD {UserGroup}"
 msgstr "{ApplicationPermission} 添加 {UserGroup}"
 
-#: audits/signal_handlers.py:154
+#: audits/signal_handlers.py:112
 #, python-brace-format
 msgid "{ApplicationPermission} REMOVE {UserGroup}"
 msgstr "{ApplicationPermission} 移除 {UserGroup}"
 
-#: audits/signal_handlers.py:157 perms/models/application_permission.py:38
+#: audits/signal_handlers.py:115 perms/models/application_permission.py:38
 msgid "Application permission"
 msgstr "应用授权"
 
-#: audits/signal_handlers.py:158
+#: audits/signal_handlers.py:116
 #, python-brace-format
 msgid "{ApplicationPermission} ADD {Application}"
 msgstr "{ApplicationPermission} 添加 {Application}"
 
-#: audits/signal_handlers.py:159
+#: audits/signal_handlers.py:117
 #, python-brace-format
 msgid "{ApplicationPermission} REMOVE {Application}"
 msgstr "{ApplicationPermission} 移除 {Application}"
 
-#: audits/signal_handlers.py:162
+#: audits/signal_handlers.py:120
 msgid "Application permission and SystemUser"
 msgstr "应用授权与系统用户"
 
-#: audits/signal_handlers.py:163
+#: audits/signal_handlers.py:121
 #, python-brace-format
 msgid "{ApplicationPermission} ADD {SystemUser}"
 msgstr "{ApplicationPermission} 添加 {SystemUser}"
 
-#: audits/signal_handlers.py:164
+#: audits/signal_handlers.py:122
 #, python-brace-format
 msgid "{ApplicationPermission} REMOVE {SystemUser}"
 msgstr "{ApplicationPermission} 移除 {SystemUser}"
@@ -2550,6 +2550,19 @@ msgstr "忽略的"
 msgid "discard time"
 msgstr "忽略时间"
 
+#: common/mixins/views.py:41
+msgid "Export all"
+msgstr "导出所有"
+
+#: common/mixins/views.py:43
+msgid "Export only selected items"
+msgstr "仅导出选择项"
+
+#: common/mixins/views.py:48
+#, python-format
+msgid "Export filtered: %s"
+msgstr "导出搜素: %s"
+
 #: common/sdk/im/exceptions.py:23
 msgid "Network error, please contact system administrator"
 msgstr "网络错误，请联系系统管理员"

From 56862a965daeea689ae357fcfbdc3c9f3ed5a885 Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Sat, 7 May 2022 10:40:12 +0800
Subject: [PATCH 082/258] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8Dsystem-role?=
 =?UTF-8?q?=E8=8E=B7=E5=8F=96users=E5=A4=B1=E8=B4=A5=E7=9A=84=E9=97=AE?=
 =?UTF-8?q?=E9=A2=98=20(#8196)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Jiangjie.Bai <bugatti_it@163.com>
---
 apps/rbac/api/role.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/apps/rbac/api/role.py b/apps/rbac/api/role.py
index f077964a6..f398f0315 100644
--- a/apps/rbac/api/role.py
+++ b/apps/rbac/api/role.py
@@ -8,6 +8,7 @@ from ..filters import RoleFilter
 from ..serializers import RoleSerializer, RoleUserSerializer
 from ..models import Role, SystemRole, OrgRole
 from .permission import PermissionViewSet
+from common.mixins.api import PaginatedResponseMixin
 
 __all__ = [
     'RoleViewSet', 'SystemRoleViewSet', 'OrgRoleViewSet',
@@ -15,7 +16,7 @@ __all__ = [
 ]
 
 
-class RoleViewSet(JMSModelViewSet):
+class RoleViewSet(PaginatedResponseMixin, JMSModelViewSet):
     queryset = Role.objects.all()
     serializer_classes = {
         'default': RoleSerializer,
@@ -54,7 +55,7 @@ class RoleViewSet(JMSModelViewSet):
     def users(self, *args, **kwargs):
         role = self.get_object()
         queryset = role.users
-        return self.get_paginated_response_with_query_set(queryset)
+        return self.get_paginated_response_from_queryset(queryset)
 
 
 class SystemRoleViewSet(RoleViewSet):

From 3f856e68f0b68fb700b33dffa704e73e379f4da2 Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Fri, 6 May 2022 16:27:14 +0800
Subject: [PATCH 083/258] =?UTF-8?q?feat:=20public=20settings=20=E5=8C=BA?=
 =?UTF-8?q?=E5=88=86=20public=20=E5=92=8C=20open?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/settings/api/public.py         | 115 ++++++++++++++++------------
 apps/settings/serializers/public.py |  36 ++++++++-
 apps/settings/urls/api_urls.py      |   1 +
 3 files changed, 102 insertions(+), 50 deletions(-)

diff --git a/apps/settings/api/public.py b/apps/settings/api/public.py
index b9076618d..108970c59 100644
--- a/apps/settings/api/public.py
+++ b/apps/settings/api/public.py
@@ -1,5 +1,5 @@
 from rest_framework import generics
-from rest_framework.permissions import AllowAny
+from rest_framework.permissions import AllowAny, IsAuthenticated
 from django.conf import settings
 
 from jumpserver.utils import has_valid_xpack_license, get_xpack_license_info
@@ -9,10 +9,10 @@ from ..utils import get_interface_setting
 
 logger = get_logger(__name__)
 
-__all__ = ['PublicSettingApi']
+__all__ = ['PublicSettingApi', 'OpenPublicSettingApi']
 
 
-class PublicSettingApi(generics.RetrieveAPIView):
+class OpenPublicSettingApi(generics.RetrieveAPIView):
     permission_classes = (AllowAny,)
     serializer_class = serializers.PublicSettingSerializer
 
@@ -27,49 +27,68 @@ class PublicSettingApi(generics.RetrieveAPIView):
         interface = get_interface_setting()
         return interface['login_title']
 
-    def get_object(self):
-        instance = {
-            "data": {
-                # Security
-                "WINDOWS_SKIP_ALL_MANUAL_PASSWORD": settings.WINDOWS_SKIP_ALL_MANUAL_PASSWORD,
-                "OLD_PASSWORD_HISTORY_LIMIT_COUNT": settings.OLD_PASSWORD_HISTORY_LIMIT_COUNT,
-                "SECURITY_MAX_IDLE_TIME": settings.SECURITY_MAX_IDLE_TIME,
-                "SECURITY_VIEW_AUTH_NEED_MFA": settings.SECURITY_VIEW_AUTH_NEED_MFA,
-                "SECURITY_MFA_VERIFY_TTL": settings.SECURITY_MFA_VERIFY_TTL,
-                "SECURITY_COMMAND_EXECUTION": settings.SECURITY_COMMAND_EXECUTION,
-                "SECURITY_PASSWORD_EXPIRATION_TIME": settings.SECURITY_PASSWORD_EXPIRATION_TIME,
-                "SECURITY_LUNA_REMEMBER_AUTH": settings.SECURITY_LUNA_REMEMBER_AUTH,
-                "PASSWORD_RULE": {
-                    'SECURITY_PASSWORD_MIN_LENGTH': settings.SECURITY_PASSWORD_MIN_LENGTH,
-                    'SECURITY_ADMIN_USER_PASSWORD_MIN_LENGTH': settings.SECURITY_ADMIN_USER_PASSWORD_MIN_LENGTH,
-                    'SECURITY_PASSWORD_UPPER_CASE': settings.SECURITY_PASSWORD_UPPER_CASE,
-                    'SECURITY_PASSWORD_LOWER_CASE': settings.SECURITY_PASSWORD_LOWER_CASE,
-                    'SECURITY_PASSWORD_NUMBER': settings.SECURITY_PASSWORD_NUMBER,
-                    'SECURITY_PASSWORD_SPECIAL_CHAR': settings.SECURITY_PASSWORD_SPECIAL_CHAR,
-                },
-                'SECURITY_WATERMARK_ENABLED': settings.SECURITY_WATERMARK_ENABLED,
-                'SECURITY_SESSION_SHARE': settings.SECURITY_SESSION_SHARE,
-                # XPACK
-                "XPACK_ENABLED": settings.XPACK_ENABLED,
-                "XPACK_LICENSE_IS_VALID": has_valid_xpack_license(),
-                "XPACK_LICENSE_INFO": get_xpack_license_info(),
-                # Performance
-                "LOGIN_TITLE": self.get_login_title(),
-                "LOGO_URLS": self.get_logo_urls(),
-                "HELP_DOCUMENT_URL": settings.HELP_DOCUMENT_URL,
-                "HELP_SUPPORT_URL": settings.HELP_SUPPORT_URL,
-                # Auth
-                "AUTH_WECOM": settings.AUTH_WECOM,
-                "AUTH_DINGTALK": settings.AUTH_DINGTALK,
-                "AUTH_FEISHU": settings.AUTH_FEISHU,
-                # Terminal
-                "XRDP_ENABLED": settings.XRDP_ENABLED,
-                "TERMINAL_MAGNUS_ENABLED": settings.TERMINAL_MAGNUS_ENABLED,
-                "TERMINAL_KOKO_SSH_ENABLED": settings.TERMINAL_KOKO_SSH_ENABLED,
-                # Announcement
-                "ANNOUNCEMENT_ENABLED": settings.ANNOUNCEMENT_ENABLED,
-                "ANNOUNCEMENT": settings.ANNOUNCEMENT,
-                "AUTH_TEMP_TOKEN": settings.AUTH_TEMP_TOKEN,
-            }
+    def get_open_public_settings(self):
+        return {
+            "XPACK_ENABLED": settings.XPACK_ENABLED,
+            "LOGIN_TITLE": self.get_login_title(),
+            "LOGO_URLS": self.get_logo_urls(),
+            'SECURITY_WATERMARK_ENABLED': settings.SECURITY_WATERMARK_ENABLED,
         }
-        return instance
+
+    def get_object(self):
+        return self.get_open_public_settings()
+
+
+class PublicSettingApi(OpenPublicSettingApi):
+    permission_classes = (IsAuthenticated,)
+    serializer_class = serializers.PrivateSettingSerializer
+
+    @staticmethod
+    def get_public_settings():
+        return {
+            # Security
+            "WINDOWS_SKIP_ALL_MANUAL_PASSWORD": settings.WINDOWS_SKIP_ALL_MANUAL_PASSWORD,
+            "OLD_PASSWORD_HISTORY_LIMIT_COUNT": settings.OLD_PASSWORD_HISTORY_LIMIT_COUNT,
+            "SECURITY_MAX_IDLE_TIME": settings.SECURITY_MAX_IDLE_TIME,
+            "SECURITY_VIEW_AUTH_NEED_MFA": settings.SECURITY_VIEW_AUTH_NEED_MFA,
+            "SECURITY_MFA_VERIFY_TTL": settings.SECURITY_MFA_VERIFY_TTL,
+            "SECURITY_COMMAND_EXECUTION": settings.SECURITY_COMMAND_EXECUTION,
+            "SECURITY_PASSWORD_EXPIRATION_TIME": settings.SECURITY_PASSWORD_EXPIRATION_TIME,
+            "SECURITY_LUNA_REMEMBER_AUTH": settings.SECURITY_LUNA_REMEMBER_AUTH,
+            "PASSWORD_RULE": {
+                'SECURITY_PASSWORD_MIN_LENGTH': settings.SECURITY_PASSWORD_MIN_LENGTH,
+                'SECURITY_ADMIN_USER_PASSWORD_MIN_LENGTH': settings.SECURITY_ADMIN_USER_PASSWORD_MIN_LENGTH,
+                'SECURITY_PASSWORD_UPPER_CASE': settings.SECURITY_PASSWORD_UPPER_CASE,
+                'SECURITY_PASSWORD_LOWER_CASE': settings.SECURITY_PASSWORD_LOWER_CASE,
+                'SECURITY_PASSWORD_NUMBER': settings.SECURITY_PASSWORD_NUMBER,
+                'SECURITY_PASSWORD_SPECIAL_CHAR': settings.SECURITY_PASSWORD_SPECIAL_CHAR,
+            },
+            'SECURITY_SESSION_SHARE': settings.SECURITY_SESSION_SHARE,
+            # XPACK
+            "XPACK_LICENSE_IS_VALID": has_valid_xpack_license(),
+            "XPACK_LICENSE_INFO": get_xpack_license_info(),
+            # Performance
+            "HELP_DOCUMENT_URL": settings.HELP_DOCUMENT_URL,
+            "HELP_SUPPORT_URL": settings.HELP_SUPPORT_URL,
+            # Auth
+            "AUTH_WECOM": settings.AUTH_WECOM,
+            "AUTH_DINGTALK": settings.AUTH_DINGTALK,
+            "AUTH_FEISHU": settings.AUTH_FEISHU,
+            # Terminal
+            "XRDP_ENABLED": settings.XRDP_ENABLED,
+            "TERMINAL_MAGNUS_ENABLED": settings.TERMINAL_MAGNUS_ENABLED,
+            "TERMINAL_KOKO_SSH_ENABLED": settings.TERMINAL_KOKO_SSH_ENABLED,
+            # Announcement
+            "ANNOUNCEMENT_ENABLED": settings.ANNOUNCEMENT_ENABLED,
+            "ANNOUNCEMENT": settings.ANNOUNCEMENT,
+            "AUTH_TEMP_TOKEN": settings.AUTH_TEMP_TOKEN,
+        }
+
+    def get_object(self):
+        open_public = self.get_open_public_settings()
+        public = self.get_public_settings()
+        return {
+            **open_public,
+            **public
+        }
+
diff --git a/apps/settings/serializers/public.py b/apps/settings/serializers/public.py
index 52e39a954..852f9ccca 100644
--- a/apps/settings/serializers/public.py
+++ b/apps/settings/serializers/public.py
@@ -3,8 +3,40 @@
 
 from rest_framework import serializers
 
-__all__ = ['PublicSettingSerializer']
+__all__ = ['PublicSettingSerializer', 'PrivateSettingSerializer']
 
 
 class PublicSettingSerializer(serializers.Serializer):
-    data = serializers.DictField(read_only=True)
+    XPACK_ENABLED = serializers.BooleanField()
+    SECURITY_WATERMARK_ENABLED = serializers.BooleanField()
+    LOGIN_TITLE = serializers.CharField()
+    LOGO_URLS = serializers.DictField()
+
+
+class PrivateSettingSerializer(PublicSettingSerializer):
+    WINDOWS_SKIP_ALL_MANUAL_PASSWORD = serializers.BooleanField()
+    OLD_PASSWORD_HISTORY_LIMIT_COUNT = serializers.IntegerField()
+    SECURITY_MAX_IDLE_TIME = serializers.IntegerField()
+    SECURITY_VIEW_AUTH_NEED_MFA = serializers.BooleanField()
+    SECURITY_MFA_VERIFY_TTL = serializers.IntegerField()
+    SECURITY_COMMAND_EXECUTION = serializers.BooleanField()
+    SECURITY_PASSWORD_EXPIRATION_TIME = serializers.IntegerField()
+    SECURITY_LUNA_REMEMBER_AUTH = serializers.BooleanField()
+    PASSWORD_RULE = serializers.DictField()
+    SECURITY_SESSION_SHARE = serializers.BooleanField()
+    XPACK_LICENSE_IS_VALID = serializers.BooleanField()
+    XPACK_LICENSE_INFO = serializers.DictField()
+    HELP_DOCUMENT_URL = serializers.CharField()
+    HELP_SUPPORT_URL = serializers.CharField()
+
+    AUTH_WECOM = serializers.BooleanField()
+    AUTH_DINGTALK = serializers.BooleanField()
+    AUTH_FEISHU = serializers.BooleanField()
+    AUTH_TEMP_TOKEN = serializers.BooleanField()
+
+    XRDP_ENABLED = serializers.BooleanField()
+    TERMINAL_MAGNUS_ENABLED = serializers.BooleanField()
+    TERMINAL_KOKO_SSH_ENABLED = serializers.BooleanField()
+
+    ANNOUNCEMENT_ENABLED = serializers.BooleanField()
+    ANNOUNCEMENT = serializers.CharField()
\ No newline at end of file
diff --git a/apps/settings/urls/api_urls.py b/apps/settings/urls/api_urls.py
index 22825f4e8..728baf0ae 100644
--- a/apps/settings/urls/api_urls.py
+++ b/apps/settings/urls/api_urls.py
@@ -22,4 +22,5 @@ urlpatterns = [
 
     path('setting/', api.SettingsApi.as_view(), name='settings-setting'),
     path('public/', api.PublicSettingApi.as_view(), name='public-setting'),
+    path('public/open/', api.OpenPublicSettingApi.as_view(), name='open-public-setting'),
 ]

From 031077c2983300ed539d37462861c2048ecd7e11 Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Sat, 7 May 2022 16:20:12 +0800
Subject: [PATCH 084/258] =?UTF-8?q?perf:=20password=20=E7=AD=89=E4=BD=BF?=
 =?UTF-8?q?=E7=94=A8=20rsa=20=E5=8A=A0=E5=AF=86=E4=BC=A0=E8=BE=93=20(#8188?=
 =?UTF-8?q?)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* perf: 修改 model fields 路径

* stash it

* pref: 统一加密方式，密码字段采用 rsa 加密

* pref: 临时密码使用 rsa

* perf: 去掉 debug msg

* perf: 去掉 Debug

* perf: 去掉 debug

* perf: 抽出来

Co-authored-by: ibuler <ibuler@qq.com>
---
 apps/applications/migrations/0001_initial.py  |  4 +-
 .../0010_appaccount_historicalappaccount.py   | 14 +--
 apps/assets/api/system_user.py                | 17 +---
 .../migrations/0032_auto_20190624_2108.py     | 26 +++---
 .../migrations/0035_auto_20190711_2018.py     | 10 +--
 apps/assets/migrations/0044_platform.py       |  4 +-
 .../migrations/0072_historicalauthbook.py     |  8 +-
 apps/assets/models/asset.py                   |  2 +-
 apps/assets/models/base.py                    |  2 +-
 apps/assets/serializers/base.py               |  7 +-
 .../migrations/0014_auto_20220505_1902.py     | 18 ++++
 apps/authentication/api/token.py              |  4 +-
 apps/authentication/forms.py                  | 16 +++-
 apps/authentication/middleware.py             | 29 +++++++
 apps/authentication/mixins.py                 | 86 +++----------------
 .../serializers/password_mfa.py               |  4 +-
 .../templates/authentication/login.html       | 13 +--
 apps/authentication/utils.py                  | 48 +----------
 apps/authentication/views/login.py            |  4 +-
 apps/common/{fields/model.py => db/fields.py} |  2 +-
 apps/common/drf/fields.py                     |  9 +-
 apps/common/fields/__init__.py                |  4 -
 apps/common/utils/crypto.py                   | 56 +++++++++++-
 apps/jumpserver/settings/base.py              |  1 +
 apps/jumpserver/settings/custom.py            |  3 +
 .../ops/migrations/0010_auto_20191217_1758.py | 12 +--
 .../ops/migrations/0011_auto_20200106_1534.py |  4 +-
 apps/ops/models/adhoc.py                      |  4 +-
 apps/settings/serializers/auth/ldap.py        |  4 +-
 apps/static/js/jumpserver.js                  | 16 ++++
 .../0016_commandstorage_replaystorage.py      |  6 +-
 .../migrations/0048_endpoint_endpointrule.py  | 17 ++--
 apps/terminal/models/endpoint.py              |  2 +-
 apps/terminal/models/storage.py               |  2 +-
 apps/tickets/migrations/0001_initial.py       |  4 +-
 apps/users/forms/profile.py                   |  9 +-
 .../migrations/0021_auto_20190625_1104.py     |  8 +-
 apps/users/migrations/0037_user_secret_key.py |  4 +-
 apps/users/models/user.py                     |  2 +-
 apps/users/serializers/profile.py             | 17 ++--
 .../users/templates/users/reset_password.html | 15 +++-
 .../templates/users/user_password_verify.html | 15 +++-
 apps/users/views/profile/password.py          |  4 +-
 43 files changed, 291 insertions(+), 245 deletions(-)
 create mode 100644 apps/audits/migrations/0014_auto_20220505_1902.py
 rename apps/common/{fields/model.py => db/fields.py} (99%)
 delete mode 100644 apps/common/fields/__init__.py

diff --git a/apps/applications/migrations/0001_initial.py b/apps/applications/migrations/0001_initial.py
index 221fd5e22..26948fc73 100644
--- a/apps/applications/migrations/0001_initial.py
+++ b/apps/applications/migrations/0001_initial.py
@@ -1,6 +1,6 @@
 # Generated by Django 2.1.7 on 2019-05-20 11:04
 
-import common.fields.model
+import common.db.fields
 from django.db import migrations, models
 import django.db.models.deletion
 import uuid
@@ -23,7 +23,7 @@ class Migration(migrations.Migration):
                 ('name', models.CharField(max_length=128, verbose_name='Name')),
                 ('type', models.CharField(choices=[('Browser', (('chrome', 'Chrome'),)), ('Database tools', (('mysql_workbench', 'MySQL Workbench'),)), ('Virtualization tools', (('vmware_client', 'vSphere Client'),)), ('custom', 'Custom')], default='chrome', max_length=128, verbose_name='App type')),
                 ('path', models.CharField(max_length=128, verbose_name='App path')),
-                ('params', common.fields.model.EncryptJsonDictTextField(blank=True, default={}, max_length=4096, null=True, verbose_name='Parameters')),
+                ('params', common.db.fields.EncryptJsonDictTextField(blank=True, default={}, max_length=4096, null=True, verbose_name='Parameters')),
                 ('created_by', models.CharField(blank=True, max_length=32, null=True, verbose_name='Created by')),
                 ('date_created', models.DateTimeField(auto_now_add=True, null=True, verbose_name='Date created')),
                 ('comment', models.TextField(blank=True, default='', max_length=128, verbose_name='Comment')),
diff --git a/apps/applications/migrations/0010_appaccount_historicalappaccount.py b/apps/applications/migrations/0010_appaccount_historicalappaccount.py
index fc2cf2ab9..f79fd2475 100644
--- a/apps/applications/migrations/0010_appaccount_historicalappaccount.py
+++ b/apps/applications/migrations/0010_appaccount_historicalappaccount.py
@@ -1,7 +1,7 @@
 # Generated by Django 3.1.12 on 2021-08-26 09:07
 
 import assets.models.base
-import common.fields.model
+import common.db.fields
 from django.conf import settings
 import django.core.validators
 from django.db import migrations, models
@@ -26,9 +26,9 @@ class Migration(migrations.Migration):
                 ('id', models.UUIDField(db_index=True, default=uuid.uuid4)),
                 ('name', models.CharField(max_length=128, verbose_name='Name')),
                 ('username', models.CharField(blank=True, db_index=True, max_length=128, validators=[django.core.validators.RegexValidator('^[0-9a-zA-Z_@\\-\\.]*$', 'Special char not allowed')], verbose_name='Username')),
-                ('password', common.fields.model.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password')),
-                ('private_key', common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH private key')),
-                ('public_key', common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH public key')),
+                ('password', common.db.fields.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password')),
+                ('private_key', common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='SSH private key')),
+                ('public_key', common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='SSH public key')),
                 ('comment', models.TextField(blank=True, verbose_name='Comment')),
                 ('date_created', models.DateTimeField(blank=True, editable=False, verbose_name='Date created')),
                 ('date_updated', models.DateTimeField(blank=True, editable=False, verbose_name='Date updated')),
@@ -56,9 +56,9 @@ class Migration(migrations.Migration):
                 ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
                 ('name', models.CharField(max_length=128, verbose_name='Name')),
                 ('username', models.CharField(blank=True, db_index=True, max_length=128, validators=[django.core.validators.RegexValidator('^[0-9a-zA-Z_@\\-\\.]*$', 'Special char not allowed')], verbose_name='Username')),
-                ('password', common.fields.model.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password')),
-                ('private_key', common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH private key')),
-                ('public_key', common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH public key')),
+                ('password', common.db.fields.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password')),
+                ('private_key', common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='SSH private key')),
+                ('public_key', common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='SSH public key')),
                 ('comment', models.TextField(blank=True, verbose_name='Comment')),
                 ('date_created', models.DateTimeField(auto_now_add=True, verbose_name='Date created')),
                 ('date_updated', models.DateTimeField(auto_now=True, verbose_name='Date updated')),
diff --git a/apps/assets/api/system_user.py b/apps/assets/api/system_user.py
index f679b4e3f..f95303a5e 100644
--- a/apps/assets/api/system_user.py
+++ b/apps/assets/api/system_user.py
@@ -4,7 +4,6 @@ from rest_framework.response import Response
 from rest_framework.decorators import action
 
 from common.utils import get_logger, get_object_or_none
-from common.utils.crypto import get_aes_crypto
 from common.permissions import IsValidUser
 from common.mixins.api import SuggestionMixin
 from orgs.mixins.api import OrgBulkModelViewSet
@@ -102,27 +101,17 @@ class SystemUserTempAuthInfoApi(generics.CreateAPIView):
     permission_classes = (IsValidUser,)
     serializer_class = SystemUserTempAuthSerializer
 
-    def decrypt_data_if_need(self, data):
-        csrf_token = self.request.META.get('CSRF_COOKIE')
-        aes = get_aes_crypto(csrf_token, 'ECB')
-        password = data.get('password', '')
-        try:
-            data['password'] = aes.decrypt(password)
-        except:
-            pass
-        return data
-
     def create(self, request, *args, **kwargs):
         serializer = super().get_serializer(data=request.data)
         serializer.is_valid(raise_exception=True)
 
         pk = kwargs.get('pk')
-        data = self.decrypt_data_if_need(serializer.validated_data)
-        instance_id = data.get('instance_id')
+        data = serializer.validated_data
+        asset_or_app_id = data.get('instance_id')
 
         with tmp_to_root_org():
             instance = get_object_or_404(SystemUser, pk=pk)
-            instance.set_temp_auth(instance_id, self.request.user.id, data)
+            instance.set_temp_auth(asset_or_app_id, self.request.user.id, data)
         return Response(serializer.data, status=201)
 
 
diff --git a/apps/assets/migrations/0032_auto_20190624_2108.py b/apps/assets/migrations/0032_auto_20190624_2108.py
index 441f13cdb..275308e99 100644
--- a/apps/assets/migrations/0032_auto_20190624_2108.py
+++ b/apps/assets/migrations/0032_auto_20190624_2108.py
@@ -1,7 +1,7 @@
 # Generated by Django 2.1.7 on 2019-06-24 13:08
 
 import assets.models.utils
-import common.fields.model
+import common.db.fields
 from django.db import migrations
 
 
@@ -15,61 +15,61 @@ class Migration(migrations.Migration):
         migrations.AlterField(
             model_name='adminuser',
             name='_password',
-            field=common.fields.model.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password'),
+            field=common.db.fields.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password'),
         ),
         migrations.AlterField(
             model_name='adminuser',
             name='_private_key',
-            field=common.fields.model.EncryptTextField(blank=True, null=True, validators=[assets.models.utils.private_key_validator], verbose_name='SSH private key'),
+            field=common.db.fields.EncryptTextField(blank=True, null=True, validators=[assets.models.utils.private_key_validator], verbose_name='SSH private key'),
         ),
         migrations.AlterField(
             model_name='adminuser',
             name='_public_key',
-            field=common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH public key'),
+            field=common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='SSH public key'),
         ),
         migrations.AlterField(
             model_name='authbook',
             name='_password',
-            field=common.fields.model.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password'),
+            field=common.db.fields.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password'),
         ),
         migrations.AlterField(
             model_name='authbook',
             name='_private_key',
-            field=common.fields.model.EncryptTextField(blank=True, null=True, validators=[assets.models.utils.private_key_validator], verbose_name='SSH private key'),
+            field=common.db.fields.EncryptTextField(blank=True, null=True, validators=[assets.models.utils.private_key_validator], verbose_name='SSH private key'),
         ),
         migrations.AlterField(
             model_name='authbook',
             name='_public_key',
-            field=common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH public key'),
+            field=common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='SSH public key'),
         ),
         migrations.AlterField(
             model_name='gateway',
             name='_password',
-            field=common.fields.model.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password'),
+            field=common.db.fields.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password'),
         ),
         migrations.AlterField(
             model_name='gateway',
             name='_private_key',
-            field=common.fields.model.EncryptTextField(blank=True, null=True, validators=[assets.models.utils.private_key_validator], verbose_name='SSH private key'),
+            field=common.db.fields.EncryptTextField(blank=True, null=True, validators=[assets.models.utils.private_key_validator], verbose_name='SSH private key'),
         ),
         migrations.AlterField(
             model_name='gateway',
             name='_public_key',
-            field=common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH public key'),
+            field=common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='SSH public key'),
         ),
         migrations.AlterField(
             model_name='systemuser',
             name='_password',
-            field=common.fields.model.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password'),
+            field=common.db.fields.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password'),
         ),
         migrations.AlterField(
             model_name='systemuser',
             name='_private_key',
-            field=common.fields.model.EncryptTextField(blank=True, null=True, validators=[assets.models.utils.private_key_validator], verbose_name='SSH private key'),
+            field=common.db.fields.EncryptTextField(blank=True, null=True, validators=[assets.models.utils.private_key_validator], verbose_name='SSH private key'),
         ),
         migrations.AlterField(
             model_name='systemuser',
             name='_public_key',
-            field=common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH public key'),
+            field=common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='SSH public key'),
         ),
     ]
diff --git a/apps/assets/migrations/0035_auto_20190711_2018.py b/apps/assets/migrations/0035_auto_20190711_2018.py
index 9dcbad1db..00eb41fe5 100644
--- a/apps/assets/migrations/0035_auto_20190711_2018.py
+++ b/apps/assets/migrations/0035_auto_20190711_2018.py
@@ -1,6 +1,6 @@
 # Generated by Django 2.1.7 on 2019-07-11 12:18
 
-import common.fields.model
+import common.db.fields
 from django.db import migrations
 
 
@@ -14,21 +14,21 @@ class Migration(migrations.Migration):
         migrations.AlterField(
             model_name='adminuser',
             name='private_key',
-            field=common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH private key'),
+            field=common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='SSH private key'),
         ),
         migrations.AlterField(
             model_name='authbook',
             name='private_key',
-            field=common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH private key'),
+            field=common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='SSH private key'),
         ),
         migrations.AlterField(
             model_name='gateway',
             name='private_key',
-            field=common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH private key'),
+            field=common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='SSH private key'),
         ),
         migrations.AlterField(
             model_name='systemuser',
             name='private_key',
-            field=common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH private key'),
+            field=common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='SSH private key'),
         ),
     ]
diff --git a/apps/assets/migrations/0044_platform.py b/apps/assets/migrations/0044_platform.py
index 8d45a8ee3..2e1ab723e 100644
--- a/apps/assets/migrations/0044_platform.py
+++ b/apps/assets/migrations/0044_platform.py
@@ -1,6 +1,6 @@
 # Generated by Django 2.2.7 on 2019-12-06 07:26
 
-import common.fields.model
+import common.db.fields
 from django.db import migrations, models
 
 
@@ -36,7 +36,7 @@ class Migration(migrations.Migration):
                 ('name', models.SlugField(allow_unicode=True, unique=True, verbose_name='Name')),
                 ('base', models.CharField(choices=[('Linux', 'Linux'), ('Unix', 'Unix'), ('MacOS', 'MacOS'), ('BSD', 'BSD'), ('Windows', 'Windows'), ('Other', 'Other')], default='Linux', max_length=16, verbose_name='Base')),
                 ('charset', models.CharField(choices=[('utf8', 'UTF-8'), ('gbk', 'GBK')], default='utf8', max_length=8, verbose_name='Charset')),
-                ('meta', common.fields.model.JsonDictTextField(blank=True, null=True, verbose_name='Meta')),
+                ('meta', common.db.fields.JsonDictTextField(blank=True, null=True, verbose_name='Meta')),
                 ('internal', models.BooleanField(default=False, verbose_name='Internal')),
                 ('comment', models.TextField(blank=True, null=True, verbose_name='Comment')),
             ],
diff --git a/apps/assets/migrations/0072_historicalauthbook.py b/apps/assets/migrations/0072_historicalauthbook.py
index 978584824..e28949c1f 100644
--- a/apps/assets/migrations/0072_historicalauthbook.py
+++ b/apps/assets/migrations/0072_historicalauthbook.py
@@ -1,6 +1,6 @@
 # Generated by Django 3.1.6 on 2021-06-05 16:10
 
-import common.fields.model
+import common.db.fields
 from django.conf import settings
 import django.core.validators
 from django.db import migrations, models
@@ -58,9 +58,9 @@ class Migration(migrations.Migration):
                 ('id', models.UUIDField(db_index=True, default=uuid.uuid4)),
                 ('name', models.CharField(max_length=128, verbose_name='Name')),
                 ('username', models.CharField(blank=True, db_index=True, max_length=128, validators=[django.core.validators.RegexValidator('^[0-9a-zA-Z_@\\-\\.]*$', 'Special char not allowed')], verbose_name='Username')),
-                ('password', common.fields.model.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password')),
-                ('private_key', common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH private key')),
-                ('public_key', common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH public key')),
+                ('password', common.db.fields.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password')),
+                ('private_key', common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='SSH private key')),
+                ('public_key', common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='SSH public key')),
                 ('comment', models.TextField(blank=True, verbose_name='Comment')),
                 ('date_created', models.DateTimeField(blank=True, editable=False, verbose_name='Date created')),
                 ('date_updated', models.DateTimeField(blank=True, editable=False, verbose_name='Date updated')),
diff --git a/apps/assets/models/asset.py b/apps/assets/models/asset.py
index 85ac6c918..7dde0862f 100644
--- a/apps/assets/models/asset.py
+++ b/apps/assets/models/asset.py
@@ -11,7 +11,7 @@ from django.db import models
 from django.utils.translation import ugettext_lazy as _
 from rest_framework.exceptions import ValidationError
 
-from common.fields.model import JsonDictTextField
+from common.db.fields import JsonDictTextField
 from common.utils import lazyproperty
 from orgs.mixins.models import OrgModelMixin, OrgManager
 
diff --git a/apps/assets/models/base.py b/apps/assets/models/base.py
index 38b7218c4..493036efc 100644
--- a/apps/assets/models/base.py
+++ b/apps/assets/models/base.py
@@ -19,7 +19,7 @@ from common.utils import (
 )
 from common.utils.encode import ssh_pubkey_gen
 from common.validators import alphanumeric
-from common import fields
+from common.db import fields
 from orgs.mixins.models import OrgModelMixin
 
 
diff --git a/apps/assets/serializers/base.py b/apps/assets/serializers/base.py
index 2f3486d01..7c8760562 100644
--- a/apps/assets/serializers/base.py
+++ b/apps/assets/serializers/base.py
@@ -6,12 +6,13 @@ from django.utils.translation import ugettext_lazy as _
 from rest_framework import serializers
 
 from common.utils import ssh_pubkey_gen, ssh_private_key_gen, validate_ssh_private_key
+from common.drf.fields import EncryptedField
 from assets.models import Type
 
 
 class AuthSerializer(serializers.ModelSerializer):
-    password = serializers.CharField(required=False, allow_blank=True, allow_null=True, max_length=1024)
-    private_key = serializers.CharField(required=False, allow_blank=True, allow_null=True, max_length=4096)
+    password = EncryptedField(required=False, allow_blank=True, allow_null=True, max_length=1024)
+    private_key = EncryptedField(required=False, allow_blank=True, allow_null=True, max_length=4096)
 
     def gen_keys(self, private_key=None, password=None):
         if private_key is None:
@@ -31,6 +32,8 @@ class AuthSerializer(serializers.ModelSerializer):
 
 
 class AuthSerializerMixin(serializers.ModelSerializer):
+    password = EncryptedField(required=False, allow_blank=True, allow_null=True, max_length=1024)
+    private_key = EncryptedField(required=False, allow_blank=True, allow_null=True, max_length=4096)
     passphrase = serializers.CharField(
         allow_blank=True, allow_null=True, required=False, max_length=512,
         write_only=True, label=_('Key password')
diff --git a/apps/audits/migrations/0014_auto_20220505_1902.py b/apps/audits/migrations/0014_auto_20220505_1902.py
new file mode 100644
index 000000000..8c483560c
--- /dev/null
+++ b/apps/audits/migrations/0014_auto_20220505_1902.py
@@ -0,0 +1,18 @@
+# Generated by Django 3.1.14 on 2022-05-05 11:02
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('audits', '0013_auto_20211130_1037'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='operatelog',
+            name='action',
+            field=models.CharField(choices=[('create', 'Create'), ('view', 'View'), ('update', 'Update'), ('delete', 'Delete')], max_length=16, verbose_name='Action'),
+        ),
+    ]
diff --git a/apps/authentication/api/token.py b/apps/authentication/api/token.py
index e5fe8bf2c..3bc8a33d1 100644
--- a/apps/authentication/api/token.py
+++ b/apps/authentication/api/token.py
@@ -27,8 +27,10 @@ class TokenCreateApi(AuthMixin, CreateAPIView):
     def create(self, request, *args, **kwargs):
         self.create_session_if_need()
         # 如果认证没有过，检查账号密码
+        serializer = self.get_serializer(data=request.data)
+        serializer.is_valid(raise_exception=True)
         try:
-            user = self.check_user_auth_if_need()
+            user = self.get_user_or_auth(serializer.validated_data)
             self.check_user_mfa_if_need(user)
             self.check_user_login_confirm_if_need(user)
             self.send_auth_signal(success=True, user=user)
diff --git a/apps/authentication/forms.py b/apps/authentication/forms.py
index 16ca659c0..bd7fa7d67 100644
--- a/apps/authentication/forms.py
+++ b/apps/authentication/forms.py
@@ -1,15 +1,25 @@
 # -*- coding: utf-8 -*-
 #
-
 from django import forms
 from django.conf import settings
 from django.utils.translation import ugettext_lazy as _
 from captcha.fields import CaptchaField, CaptchaTextInput
 
+from common.utils import get_logger, rsa_decrypt_by_session_pkey
+
+logger = get_logger(__name__)
+
+
+class EncryptedField(forms.CharField):
+    def to_python(self, value):
+        value = super().to_python(value)
+        return rsa_decrypt_by_session_pkey(value)
+
 
 class UserLoginForm(forms.Form):
     days_auto_login = int(settings.SESSION_COOKIE_AGE / 3600 / 24)
-    disable_days_auto_login = settings.SESSION_EXPIRE_AT_BROWSER_CLOSE_FORCE or days_auto_login < 1
+    disable_days_auto_login = settings.SESSION_EXPIRE_AT_BROWSER_CLOSE_FORCE \
+                              or days_auto_login < 1
 
     username = forms.CharField(
         label=_('Username'), max_length=100,
@@ -18,7 +28,7 @@ class UserLoginForm(forms.Form):
             'autofocus': 'autofocus'
         })
     )
-    password = forms.CharField(
+    password = EncryptedField(
         label=_('Password'), widget=forms.PasswordInput,
         max_length=1024, strip=False
     )
diff --git a/apps/authentication/middleware.py b/apps/authentication/middleware.py
index 42bbb27cb..d2b4ff19e 100644
--- a/apps/authentication/middleware.py
+++ b/apps/authentication/middleware.py
@@ -1,8 +1,12 @@
+import base64
+
 from django.shortcuts import redirect, reverse
 from django.utils.deprecation import MiddlewareMixin
 from django.http import HttpResponse
 from django.conf import settings
 
+from common.utils import gen_key_pair
+
 
 class MFAMiddleware:
     """
@@ -48,3 +52,28 @@ class SessionCookieMiddleware(MiddlewareMixin):
             return response
         response.set_cookie(key, value)
         return response
+
+
+class EncryptedMiddleware:
+    def __init__(self, get_response):
+        self.get_response = get_response
+
+    @staticmethod
+    def check_key_pair(request, response):
+        pub_key_name = settings.SESSION_RSA_PUBLIC_KEY_NAME
+        public_key = request.session.get(pub_key_name)
+        cookie_key = request.COOKIES.get(pub_key_name)
+        if public_key and public_key == cookie_key:
+            return
+
+        pri_key_name = settings.SESSION_RSA_PRIVATE_KEY_NAME
+        private_key, public_key = gen_key_pair()
+        public_key_decode = base64.b64encode(public_key.encode()).decode()
+        request.session[pub_key_name] = public_key_decode
+        request.session[pri_key_name] = private_key
+        response.set_cookie(pub_key_name, public_key_decode)
+
+    def __call__(self, request):
+        response = self.get_response(request)
+        self.check_key_pair(request, response)
+        return response
diff --git a/apps/authentication/mixins.py b/apps/authentication/mixins.py
index 56216e91f..698601d4c 100644
--- a/apps/authentication/mixins.py
+++ b/apps/authentication/mixins.py
@@ -23,9 +23,7 @@ from acls.models import LoginACL
 from users.models import User
 from users.utils import LoginBlockUtil, MFABlockUtils, LoginIpBlockUtil
 from . import errors
-from .utils import rsa_decrypt, gen_key_pair
 from .signals import post_auth_success, post_auth_failed
-from .const import RSA_PRIVATE_KEY, RSA_PUBLIC_KEY
 
 logger = get_logger(__name__)
 
@@ -91,46 +89,8 @@ def authenticate(request=None, **credentials):
 auth.authenticate = authenticate
 
 
-class PasswordEncryptionViewMixin:
-    request = None
-
-    def get_decrypted_password(self, password=None, username=None):
-        request = self.request
-        if hasattr(request, 'data'):
-            data = request.data
-        else:
-            data = request.POST
-
-        username = username or data.get('username')
-        password = password or data.get('password')
-
-        password = self.decrypt_passwd(password)
-        if not password:
-            self.raise_password_decrypt_failed(username=username)
-        return password
-
-    def raise_password_decrypt_failed(self, username):
-        ip = self.get_request_ip()
-        raise errors.CredentialError(
-            error=errors.reason_password_decrypt_failed,
-            username=username, ip=ip, request=self.request
-        )
-
-    def decrypt_passwd(self, raw_passwd):
-        # 获取解密密钥，对密码进行解密
-        rsa_private_key = self.request.session.get(RSA_PRIVATE_KEY)
-        if rsa_private_key is None:
-            return raw_passwd
-
-        try:
-            return rsa_decrypt(raw_passwd, rsa_private_key)
-        except Exception as e:
-            logger.error(e, exc_info=True)
-            logger.error(
-                f'Decrypt password failed: password[{raw_passwd}] '
-                f'rsa_private_key[{rsa_private_key}]'
-            )
-            return None
+class CommonMixin:
+    request: Request
 
     def get_request_ip(self):
         ip = ''
@@ -139,26 +99,6 @@ class PasswordEncryptionViewMixin:
         ip = ip or get_request_ip(self.request)
         return ip
 
-    def get_context_data(self, **kwargs):
-        # 生成加解密密钥对，public_key传递给前端，private_key存入session中供解密使用
-        rsa_public_key = self.request.session.get(RSA_PUBLIC_KEY)
-        rsa_private_key = self.request.session.get(RSA_PRIVATE_KEY)
-        if not all([rsa_private_key, rsa_public_key]):
-            rsa_private_key, rsa_public_key = gen_key_pair()
-            rsa_public_key = rsa_public_key.replace('\n', '\\n')
-            self.request.session[RSA_PRIVATE_KEY] = rsa_private_key
-            self.request.session[RSA_PUBLIC_KEY] = rsa_public_key
-
-        kwargs.update({
-            'rsa_public_key': rsa_public_key,
-        })
-        return super().get_context_data(**kwargs)
-
-
-class CommonMixin(PasswordEncryptionViewMixin):
-    request: Request
-    get_request_ip: Callable
-
     def raise_credential_error(self, error):
         raise self.partial_credential_error(error=error)
 
@@ -193,20 +133,13 @@ class CommonMixin(PasswordEncryptionViewMixin):
         user.backend = self.request.session.get("auth_backend")
         return user
 
-    def get_auth_data(self, decrypt_passwd=False):
+    def get_auth_data(self, data):
         request = self.request
-        if hasattr(request, 'data'):
-            data = request.data
-        else:
-            data = request.POST
 
         items = ['username', 'password', 'challenge', 'public_key', 'auto_login']
         username, password, challenge, public_key, auto_login = bulk_get(data, items, default='')
         ip = self.get_request_ip()
         self._set_partial_credential_error(username=username, ip=ip, request=request)
-
-        if decrypt_passwd:
-            password = self.get_decrypted_password()
         password = password + challenge.strip()
         return username, password, public_key, ip, auto_login
 
@@ -482,10 +415,10 @@ class AuthMixin(CommonMixin, AuthPreCheckMixin, AuthACLMixin, MFAMixin, AuthPost
         need = cache.get(self.key_prefix_captcha.format(ip))
         return need
 
-    def check_user_auth(self, decrypt_passwd=False):
+    def check_user_auth(self, valid_data=None):
         # pre check
         self.check_is_block()
-        username, password, public_key, ip, auto_login = self.get_auth_data(decrypt_passwd)
+        username, password, public_key, ip, auto_login = self.get_auth_data(valid_data)
         self._check_only_allow_exists_user_auth(username)
 
         # check auth
@@ -537,11 +470,12 @@ class AuthMixin(CommonMixin, AuthPreCheckMixin, AuthACLMixin, MFAMixin, AuthPost
         self.mark_password_ok(user, False)
         return user
 
-    def check_user_auth_if_need(self, decrypt_passwd=False):
+    def get_user_or_auth(self, valid_data):
         request = self.request
-        if not request.session.get('auth_password'):
-            return self.check_user_auth(decrypt_passwd=decrypt_passwd)
-        return self.get_user_from_session()
+        if request.session.get('auth_password'):
+            return self.get_user_from_session()
+        else:
+            return self.check_user_auth(valid_data)
 
     def clear_auth_mark(self):
         keys = ['auth_password', 'user_id', 'auth_confirm', 'auth_ticket_id']
diff --git a/apps/authentication/serializers/password_mfa.py b/apps/authentication/serializers/password_mfa.py
index c4c0679c6..cf3452af3 100644
--- a/apps/authentication/serializers/password_mfa.py
+++ b/apps/authentication/serializers/password_mfa.py
@@ -2,6 +2,8 @@
 #
 from rest_framework import serializers
 
+from common.drf.fields import EncryptedField
+
 
 __all__ = [
     'OtpVerifySerializer', 'MFAChallengeSerializer', 'MFASelectTypeSerializer',
@@ -10,7 +12,7 @@ __all__ = [
 
 
 class PasswordVerifySerializer(serializers.Serializer):
-    password = serializers.CharField()
+    password = EncryptedField()
 
 
 class MFASelectTypeSerializer(serializers.Serializer):
diff --git a/apps/authentication/templates/authentication/login.html b/apps/authentication/templates/authentication/login.html
index 677ee70d4..477df7af4 100644
--- a/apps/authentication/templates/authentication/login.html
+++ b/apps/authentication/templates/authentication/login.html
@@ -161,6 +161,7 @@
                 <span style="font-size: 21px;font-weight:400;color: #151515;letter-spacing: 0;">{{ JMS_TITLE }}</span>
             </div>
             <div class="contact-form col-md-10 col-md-offset-1">
+
                 <form id="login-form" action="" method="post" role="form" novalidate="novalidate">
                     {% csrf_token %}
                     <div style="line-height: 17px;margin-bottom: 20px;color: #999999;">
@@ -241,20 +242,10 @@
 {% include '_foot_js.html' %}
 <script type="text/javascript" src="/static/js/plugins/jsencrypt/jsencrypt.min.js"></script>
 <script>
-    function encryptLoginPassword(password, rsaPublicKey) {
-        if (!password) {
-            return ''
-        }
-        var jsencrypt = new JSEncrypt(); //加密对象
-        jsencrypt.setPublicKey(rsaPublicKey); // 设置密钥
-        return jsencrypt.encrypt(password); //加密
-    }
-
     function doLogin() {
         //公钥加密
-        var rsaPublicKey = "{{ rsa_public_key }}"
         var password = $('#password').val(); //明文密码
-        var passwordEncrypted = encryptLoginPassword(password, rsaPublicKey)
+        var passwordEncrypted = encryptPassword(password)
         $('#password-hidden').val(passwordEncrypted); //返回给密码输入input
         $('#login-form').submit(); //post提交
     }
diff --git a/apps/authentication/utils.py b/apps/authentication/utils.py
index cf4ce8185..c0588b206 100644
--- a/apps/authentication/utils.py
+++ b/apps/authentication/utils.py
@@ -1,62 +1,22 @@
 # -*- coding: utf-8 -*-
 #
-import base64
-from Cryptodome.PublicKey import RSA
-from Cryptodome.Cipher import PKCS1_v1_5
-from Cryptodome import Random
 
 from django.conf import settings
-from .notifications import DifferentCityLoginMessage
-from audits.models import UserLoginLog
-from audits.const import DEFAULT_CITY
+
 from common.utils import validate_ip, get_ip_city, get_request_ip
 from common.utils import get_logger
+from audits.models import UserLoginLog
+from audits.const import DEFAULT_CITY
+from .notifications import DifferentCityLoginMessage
 
 logger = get_logger(__file__)
 
 
-def gen_key_pair():
-    """ 生成加密key
-    用于登录页面提交用户名/密码时，对密码进行加密（前端）/解密（后端）
-    """
-    random_generator = Random.new().read
-    rsa = RSA.generate(1024, random_generator)
-    rsa_private_key = rsa.exportKey().decode()
-    rsa_public_key = rsa.publickey().exportKey().decode()
-    return rsa_private_key, rsa_public_key
-
-
-def rsa_encrypt(message, rsa_public_key):
-    """ 加密登录密码 """
-    key = RSA.importKey(rsa_public_key)
-    cipher = PKCS1_v1_5.new(key)
-    cipher_text = base64.b64encode(cipher.encrypt(message.encode())).decode()
-    return cipher_text
-
-
-def rsa_decrypt(cipher_text, rsa_private_key=None):
-    """ 解密登录密码 """
-    if rsa_private_key is None:
-        # rsa_private_key 为 None，可以能是API请求认证，不需要解密
-        return cipher_text
-
-    key = RSA.importKey(rsa_private_key)
-    cipher = PKCS1_v1_5.new(key)
-    cipher_decoded = base64.b64decode(cipher_text.encode())
-    # Todo: 弄明白为何要以下这么写，https://xbuba.com/questions/57035263
-    if len(cipher_decoded) == 127:
-        hex_fixed = '00' + cipher_decoded.hex()
-        cipher_decoded = base64.b16decode(hex_fixed.upper())
-    message = cipher.decrypt(cipher_decoded, b'error').decode()
-    return message
-
-
 def check_different_city_login_if_need(user, request):
     if not settings.SECURITY_CHECK_DIFFERENT_CITY_LOGIN:
         return
 
     ip = get_request_ip(request) or '0.0.0.0'
-
     if not (ip and validate_ip(ip)):
         city = DEFAULT_CITY
     else:
diff --git a/apps/authentication/views/login.py b/apps/authentication/views/login.py
index d5eaa8f9a..ae32b14ab 100644
--- a/apps/authentication/views/login.py
+++ b/apps/authentication/views/login.py
@@ -96,7 +96,7 @@ class UserLoginView(mixins.AuthMixin, FormView):
         self.request.session.delete_test_cookie()
 
         try:
-            self.check_user_auth(decrypt_passwd=True)
+            self.check_user_auth(form.cleaned_data)
         except errors.AuthFailedError as e:
             form.add_error(None, e.msg)
             self.set_login_failed_mark()
@@ -219,7 +219,7 @@ class UserLoginGuardView(mixins.AuthMixin, RedirectView):
 
     def get_redirect_url(self, *args, **kwargs):
         try:
-            user = self.check_user_auth_if_need()
+            user = self.get_user_from_session()
             self.check_user_mfa_if_need(user)
             self.check_user_login_confirm_if_need(user)
         except (errors.CredentialError, errors.SessionEmptyError) as e:
diff --git a/apps/common/fields/model.py b/apps/common/db/fields.py
similarity index 99%
rename from apps/common/fields/model.py
rename to apps/common/db/fields.py
index a3ac13e82..0757bc068 100644
--- a/apps/common/fields/model.py
+++ b/apps/common/db/fields.py
@@ -5,7 +5,7 @@ from django.db import models
 from django.utils.translation import ugettext_lazy as _
 from django.utils.encoding import force_text
 from django.core.validators import MinValueValidator, MaxValueValidator
-from ..utils import signer, crypto
+from common.utils import signer, crypto
 
 
 __all__ = [
diff --git a/apps/common/drf/fields.py b/apps/common/drf/fields.py
index 9b92af381..6958a2fd4 100644
--- a/apps/common/drf/fields.py
+++ b/apps/common/drf/fields.py
@@ -3,9 +3,10 @@
 
 from rest_framework import serializers
 
+from common.utils import rsa_decrypt_by_session_pkey
 
 __all__ = [
-    'ReadableHiddenField',
+    'ReadableHiddenField', 'EncryptedField'
 ]
 
 
@@ -23,3 +24,9 @@ class ReadableHiddenField(serializers.HiddenField):
         if hasattr(value, 'id'):
             return getattr(value, 'id')
         return value
+
+
+class EncryptedField(serializers.CharField):
+    def to_internal_value(self, value):
+        value = super().to_internal_value(value)
+        return rsa_decrypt_by_session_pkey(value)
diff --git a/apps/common/fields/__init__.py b/apps/common/fields/__init__.py
deleted file mode 100644
index cb3ff2081..000000000
--- a/apps/common/fields/__init__.py
+++ /dev/null
@@ -1,4 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-
-from .model import *
diff --git a/apps/common/utils/crypto.py b/apps/common/utils/crypto.py
index 744e6c367..e09b244fd 100644
--- a/apps/common/utils/crypto.py
+++ b/apps/common/utils/crypto.py
@@ -1,7 +1,10 @@
 import base64
-from Cryptodome.Cipher import AES
+import logging
+from Cryptodome.Cipher import AES, PKCS1_v1_5
 from Cryptodome.Util.Padding import pad
 from Cryptodome.Random import get_random_bytes
+from Cryptodome.PublicKey import RSA
+from Cryptodome import Random
 from gmssl.sm4 import CryptSM4, SM4_ENCRYPT, SM4_DECRYPT
 
 from django.conf import settings
@@ -193,4 +196,55 @@ class Crypto:
                 continue
 
 
+def gen_key_pair(length=1024):
+    """ 生成加密key
+    用于登录页面提交用户名/密码时，对密码进行加密（前端）/解密（后端）
+    """
+    random_generator = Random.new().read
+    rsa = RSA.generate(length, random_generator)
+    rsa_private_key = rsa.exportKey().decode()
+    rsa_public_key = rsa.publickey().exportKey().decode()
+    return rsa_private_key, rsa_public_key
+
+
+def rsa_encrypt(message, rsa_public_key):
+    """ 加密登录密码 """
+    key = RSA.importKey(rsa_public_key)
+    cipher = PKCS1_v1_5.new(key)
+    cipher_text = base64.b64encode(cipher.encrypt(message.encode())).decode()
+    return cipher_text
+
+
+def rsa_decrypt(cipher_text, rsa_private_key=None):
+    """ 解密登录密码 """
+    if rsa_private_key is None:
+        # rsa_private_key 为 None，可以能是API请求认证，不需要解密
+        return cipher_text
+
+    key = RSA.importKey(rsa_private_key)
+    cipher = PKCS1_v1_5.new(key)
+    cipher_decoded = base64.b64decode(cipher_text.encode())
+    # Todo: 弄明白为何要以下这么写，https://xbuba.com/questions/57035263
+    if len(cipher_decoded) == 127:
+        hex_fixed = '00' + cipher_decoded.hex()
+        cipher_decoded = base64.b16decode(hex_fixed.upper())
+    message = cipher.decrypt(cipher_decoded, b'error').decode()
+    return message
+
+
+def rsa_decrypt_by_session_pkey(value):
+    from jumpserver.utils import current_request
+    private_key_name = settings.SESSION_RSA_PRIVATE_KEY_NAME
+    private_key = current_request.session.get(private_key_name)
+
+    if not private_key or not value:
+        return value
+
+    try:
+        value= rsa_decrypt(value, private_key)
+    except Exception as e:
+        logging.error('Decrypt field error: {}'.format(e))
+    return value
+
+
 crypto = Crypto()
diff --git a/apps/jumpserver/settings/base.py b/apps/jumpserver/settings/base.py
index b654a0365..7c3657f35 100644
--- a/apps/jumpserver/settings/base.py
+++ b/apps/jumpserver/settings/base.py
@@ -95,6 +95,7 @@ MIDDLEWARE = [
     'authentication.backends.cas.middleware.CASMiddleware',
     'authentication.middleware.MFAMiddleware',
     'authentication.middleware.SessionCookieMiddleware',
+    'authentication.middleware.EncryptedMiddleware',
     'simple_history.middleware.HistoryRequestMiddleware',
 ]
 
diff --git a/apps/jumpserver/settings/custom.py b/apps/jumpserver/settings/custom.py
index ecd710a2e..c4dfdcc24 100644
--- a/apps/jumpserver/settings/custom.py
+++ b/apps/jumpserver/settings/custom.py
@@ -169,3 +169,6 @@ ANNOUNCEMENT = CONFIG.ANNOUNCEMENT
 # help
 HELP_DOCUMENT_URL = CONFIG.HELP_DOCUMENT_URL
 HELP_SUPPORT_URL = CONFIG.HELP_SUPPORT_URL
+
+SESSION_RSA_PRIVATE_KEY_NAME = 'jms_private_key'
+SESSION_RSA_PUBLIC_KEY_NAME = 'jms_public_key'
diff --git a/apps/ops/migrations/0010_auto_20191217_1758.py b/apps/ops/migrations/0010_auto_20191217_1758.py
index a9a1555c0..af4441ff9 100644
--- a/apps/ops/migrations/0010_auto_20191217_1758.py
+++ b/apps/ops/migrations/0010_auto_20191217_1758.py
@@ -1,6 +1,6 @@
 # Generated by Django 2.2.7 on 2019-12-17 09:58
 
-import common.fields.model
+import common.db.fields
 from django.db import migrations
 
 
@@ -18,17 +18,17 @@ class Migration(migrations.Migration):
         migrations.AlterField(
             model_name='adhoc',
             name='_become',
-            field=common.fields.model.EncryptJsonDictCharField(blank=True, null=True, default='', max_length=1024, verbose_name='Become'),
+            field=common.db.fields.EncryptJsonDictCharField(blank=True, null=True, default='', max_length=1024, verbose_name='Become'),
         ),
         migrations.AlterField(
             model_name='adhoc',
             name='_options',
-            field=common.fields.model.JsonDictCharField(default='', max_length=1024, verbose_name='Options'),
+            field=common.db.fields.JsonDictCharField(default='', max_length=1024, verbose_name='Options'),
         ),
         migrations.AlterField(
             model_name='adhoc',
             name='_tasks',
-            field=common.fields.model.JsonListTextField(verbose_name='Tasks'),
+            field=common.db.fields.JsonListTextField(verbose_name='Tasks'),
         ),
         migrations.RenameField(
             model_name='adhoc',
@@ -48,12 +48,12 @@ class Migration(migrations.Migration):
         migrations.AlterField(
             model_name='adhocrunhistory',
             name='_result',
-            field=common.fields.model.JsonDictTextField(blank=True, null=True, verbose_name='Adhoc raw result'),
+            field=common.db.fields.JsonDictTextField(blank=True, null=True, verbose_name='Adhoc raw result'),
         ),
         migrations.AlterField(
             model_name='adhocrunhistory',
             name='_summary',
-            field=common.fields.model.JsonDictTextField(blank=True, null=True, verbose_name='Adhoc result summary'),
+            field=common.db.fields.JsonDictTextField(blank=True, null=True, verbose_name='Adhoc result summary'),
         ),
         migrations.RenameField(
             model_name='adhocrunhistory',
diff --git a/apps/ops/migrations/0011_auto_20200106_1534.py b/apps/ops/migrations/0011_auto_20200106_1534.py
index 0dba0160e..2938c502e 100644
--- a/apps/ops/migrations/0011_auto_20200106_1534.py
+++ b/apps/ops/migrations/0011_auto_20200106_1534.py
@@ -1,6 +1,6 @@
 # Generated by Django 2.2.7 on 2020-01-06 07:34
 
-import common.fields.model
+import common.db.fields
 from django.db import migrations
 
 
@@ -14,6 +14,6 @@ class Migration(migrations.Migration):
         migrations.AlterField(
             model_name='adhoc',
             name='become',
-            field=common.fields.model.EncryptJsonDictCharField(blank=True, default='', max_length=1024, null=True, verbose_name='Become'),
+            field=common.db.fields.EncryptJsonDictCharField(blank=True, default='', max_length=1024, null=True, verbose_name='Become'),
         ),
     ]
diff --git a/apps/ops/models/adhoc.py b/apps/ops/models/adhoc.py
index 1a6e02fd1..0d1b32ba5 100644
--- a/apps/ops/models/adhoc.py
+++ b/apps/ops/models/adhoc.py
@@ -9,11 +9,11 @@ from celery import current_task
 from django.db import models
 from django.conf import settings
 from django.utils import timezone
-from django.utils.translation import ugettext_lazy as _, gettext
+from django.utils.translation import ugettext_lazy as _
 
 from common.utils import get_logger, lazyproperty
 from common.utils.translate import translate_value
-from common.fields.model import (
+from common.db.fields import (
     JsonListTextField, JsonDictCharField, EncryptJsonDictCharField,
     JsonDictTextField,
 )
diff --git a/apps/settings/serializers/auth/ldap.py b/apps/settings/serializers/auth/ldap.py
index 8e65d67b7..6ac00661c 100644
--- a/apps/settings/serializers/auth/ldap.py
+++ b/apps/settings/serializers/auth/ldap.py
@@ -1,6 +1,8 @@
 from django.utils.translation import ugettext_lazy as _
 from rest_framework import serializers
 
+from common.drf.fields import EncryptedField
+
 __all__ = [
     'LDAPTestConfigSerializer', 'LDAPUserSerializer', 'LDAPTestLoginSerializer',
     'LDAPSettingSerializer',
@@ -20,7 +22,7 @@ class LDAPTestConfigSerializer(serializers.Serializer):
 
 class LDAPTestLoginSerializer(serializers.Serializer):
     username = serializers.CharField(max_length=1024, required=True)
-    password = serializers.CharField(max_length=2014, required=True)
+    password = EncryptedField(max_length=2014, required=True)
 
 
 class LDAPUserSerializer(serializers.Serializer):
diff --git a/apps/static/js/jumpserver.js b/apps/static/js/jumpserver.js
index 680410763..44f235793 100644
--- a/apps/static/js/jumpserver.js
+++ b/apps/static/js/jumpserver.js
@@ -1501,3 +1501,19 @@ function getStatusIcon(status, mapping, title) {
     }
     return icon;
 }
+
+function encryptPassword(password) {
+    if (!password) {
+        return ''
+    }
+    var rsaPublicKeyText = getCookie('jms_public_key')
+        .replaceAll('"', '')
+    var rsaPublicKey = atob(rsaPublicKeyText)
+    var jsencrypt = new JSEncrypt(); //加密对象
+    jsencrypt.setPublicKey(rsaPublicKey); // 设置密钥
+    var value = jsencrypt.encrypt(password); //加密
+    return value
+}
+
+
+window.encryptPassword = encryptPassword
diff --git a/apps/terminal/migrations/0016_commandstorage_replaystorage.py b/apps/terminal/migrations/0016_commandstorage_replaystorage.py
index 108112fa4..55ed5c784 100644
--- a/apps/terminal/migrations/0016_commandstorage_replaystorage.py
+++ b/apps/terminal/migrations/0016_commandstorage_replaystorage.py
@@ -1,6 +1,6 @@
 # Generated by Django 2.2.5 on 2019-11-22 10:07
 
-import common.fields.model
+import common.db.fields
 from django.db import migrations, models
 import uuid
 
@@ -21,7 +21,7 @@ class Migration(migrations.Migration):
                 ('date_updated', models.DateTimeField(auto_now=True, verbose_name='Date updated')),
                 ('name', models.CharField(max_length=32, unique=True, verbose_name='Name')),
                 ('type', models.CharField(choices=[('null', 'Null'), ('server', 'Server'), ('es', 'Elasticsearch')], default='server', max_length=16, verbose_name='Type')),
-                ('meta', common.fields.model.EncryptJsonDictTextField(default={})),
+                ('meta', common.db.fields.EncryptJsonDictTextField(default={})),
                 ('comment', models.TextField(blank=True, default='', max_length=128, verbose_name='Comment')),
             ],
             options={
@@ -37,7 +37,7 @@ class Migration(migrations.Migration):
                 ('date_updated', models.DateTimeField(auto_now=True, verbose_name='Date updated')),
                 ('name', models.CharField(max_length=32, unique=True, verbose_name='Name')),
                 ('type', models.CharField(choices=[('null', 'Null'), ('server', 'Server'), ('s3', 'S3'), ('ceph', 'Ceph'), ('swift', 'Swift'), ('oss', 'OSS'), ('azure', 'Azure')], default='server', max_length=16, verbose_name='Type')),
-                ('meta', common.fields.model.EncryptJsonDictTextField(default={})),
+                ('meta', common.db.fields.EncryptJsonDictTextField(default={})),
                 ('comment', models.TextField(blank=True, default='', max_length=128, verbose_name='Comment')),
             ],
             options={
diff --git a/apps/terminal/migrations/0048_endpoint_endpointrule.py b/apps/terminal/migrations/0048_endpoint_endpointrule.py
index a03d19e98..ccdd59564 100644
--- a/apps/terminal/migrations/0048_endpoint_endpointrule.py
+++ b/apps/terminal/migrations/0048_endpoint_endpointrule.py
@@ -1,7 +1,6 @@
 # Generated by Django 3.1.14 on 2022-04-12 07:39
 
-import copy
-import common.fields.model
+import common.db.fields
 import django.core.validators
 from django.db import migrations, models
 import django.db.models.deletion
@@ -83,13 +82,13 @@ class Migration(migrations.Migration):
                 ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
                 ('name', models.CharField(max_length=128, unique=True, verbose_name='Name')),
                 ('host', models.CharField(max_length=256, verbose_name='Host', blank=True)),
-                ('https_port', common.fields.model.PortField(default=443, validators=[django.core.validators.MinValueValidator(0), django.core.validators.MaxValueValidator(65535)], verbose_name='HTTPS Port')),
-                ('http_port', common.fields.model.PortField(default=80, validators=[django.core.validators.MinValueValidator(0), django.core.validators.MaxValueValidator(65535)], verbose_name='HTTP Port')),
-                ('ssh_port', common.fields.model.PortField(default=2222, validators=[django.core.validators.MinValueValidator(0), django.core.validators.MaxValueValidator(65535)], verbose_name='SSH Port')),
-                ('rdp_port', common.fields.model.PortField(default=3389, validators=[django.core.validators.MinValueValidator(0), django.core.validators.MaxValueValidator(65535)], verbose_name='RDP Port')),
-                ('mysql_port', common.fields.model.PortField(default=33060, validators=[django.core.validators.MinValueValidator(0), django.core.validators.MaxValueValidator(65535)], verbose_name='MySQL Port')),
-                ('mariadb_port', common.fields.model.PortField(default=33061, validators=[django.core.validators.MinValueValidator(0), django.core.validators.MaxValueValidator(65535)], verbose_name='MariaDB Port')),
-                ('postgresql_port', common.fields.model.PortField(default=54320, validators=[django.core.validators.MinValueValidator(0), django.core.validators.MaxValueValidator(65535)], verbose_name='PostgreSQL Port')),
+                ('https_port', common.db.fields.PortField(default=443, validators=[django.core.validators.MinValueValidator(0), django.core.validators.MaxValueValidator(65535)], verbose_name='HTTPS Port')),
+                ('http_port', common.db.fields.PortField(default=80, validators=[django.core.validators.MinValueValidator(0), django.core.validators.MaxValueValidator(65535)], verbose_name='HTTP Port')),
+                ('ssh_port', common.db.fields.PortField(default=2222, validators=[django.core.validators.MinValueValidator(0), django.core.validators.MaxValueValidator(65535)], verbose_name='SSH Port')),
+                ('rdp_port', common.db.fields.PortField(default=3389, validators=[django.core.validators.MinValueValidator(0), django.core.validators.MaxValueValidator(65535)], verbose_name='RDP Port')),
+                ('mysql_port', common.db.fields.PortField(default=33060, validators=[django.core.validators.MinValueValidator(0), django.core.validators.MaxValueValidator(65535)], verbose_name='MySQL Port')),
+                ('mariadb_port', common.db.fields.PortField(default=33061, validators=[django.core.validators.MinValueValidator(0), django.core.validators.MaxValueValidator(65535)], verbose_name='MariaDB Port')),
+                ('postgresql_port', common.db.fields.PortField(default=54320, validators=[django.core.validators.MinValueValidator(0), django.core.validators.MaxValueValidator(65535)], verbose_name='PostgreSQL Port')),
                 ('comment', models.TextField(blank=True, default='', verbose_name='Comment')),
             ],
             options={
diff --git a/apps/terminal/models/endpoint.py b/apps/terminal/models/endpoint.py
index 71b79c0e3..c95bfb752 100644
--- a/apps/terminal/models/endpoint.py
+++ b/apps/terminal/models/endpoint.py
@@ -2,7 +2,7 @@ from django.db import models
 from django.utils.translation import ugettext_lazy as _
 from django.core.validators import MinValueValidator, MaxValueValidator
 from common.db.models import JMSModel
-from common.fields.model import PortField
+from common.db.fields import PortField
 from common.utils.ip import contains_ip
 
 
diff --git a/apps/terminal/models/storage.py b/apps/terminal/models/storage.py
index 93be5551a..e9d4f429b 100644
--- a/apps/terminal/models/storage.py
+++ b/apps/terminal/models/storage.py
@@ -9,7 +9,7 @@ from django.utils.translation import ugettext_lazy as _
 from django.conf import settings
 from common.mixins import CommonModelMixin
 from common.utils import get_logger
-from common.fields.model import EncryptJsonDictTextField
+from common.db.fields import EncryptJsonDictTextField
 from terminal.backends import TYPE_ENGINE_MAPPING
 from .terminal import Terminal
 from .command import Command
diff --git a/apps/tickets/migrations/0001_initial.py b/apps/tickets/migrations/0001_initial.py
index 9b2b5d54e..83be9a78d 100644
--- a/apps/tickets/migrations/0001_initial.py
+++ b/apps/tickets/migrations/0001_initial.py
@@ -1,6 +1,6 @@
 # Generated by Django 2.2.5 on 2019-11-15 06:57
 
-import common.fields.model
+import common.db.fields
 from django.conf import settings
 from django.db import migrations, models
 import django.db.models.deletion
@@ -26,7 +26,7 @@ class Migration(migrations.Migration):
                 ('user_display', models.CharField(max_length=128, verbose_name='User display name')),
                 ('title', models.CharField(max_length=256, verbose_name='Title')),
                 ('body', models.TextField(verbose_name='Body')),
-                ('meta', common.fields.model.JsonDictTextField(default='{}', verbose_name='Meta')),
+                ('meta', common.db.fields.JsonDictTextField(default='{}', verbose_name='Meta')),
                 ('assignee_display', models.CharField(blank=True, max_length=128, null=True, verbose_name='Assignee display name')),
                 ('assignees_display', models.CharField(blank=True, max_length=128, verbose_name='Assignees display name')),
                 ('type', models.CharField(choices=[('general', 'General'), ('login_confirm', 'Login confirm')], default='general', max_length=16, verbose_name='Type')),
diff --git a/apps/users/forms/profile.py b/apps/users/forms/profile.py
index d2b005e12..4917f8353 100644
--- a/apps/users/forms/profile.py
+++ b/apps/users/forms/profile.py
@@ -5,6 +5,7 @@ from django.utils.translation import gettext_lazy as _
 from captcha.fields import CaptchaField
 
 from common.utils import validate_ssh_public_key
+from authentication.forms import EncryptedField
 from ..models import User
 
 
@@ -17,7 +18,7 @@ __all__ = [
 
 
 class UserCheckPasswordForm(forms.Form):
-    password = forms.CharField(
+    password = EncryptedField(
         label=_('Password'), widget=forms.PasswordInput,
         max_length=1024, strip=False
     )
@@ -77,12 +78,12 @@ UserFirstLoginFinishForm.verbose_name = _("Finish")
 
 
 class UserTokenResetPasswordForm(forms.Form):
-    new_password = forms.CharField(
+    new_password = EncryptedField(
         min_length=5, max_length=128,
         widget=forms.PasswordInput,
         label=_("New password")
     )
-    confirm_password = forms.CharField(
+    confirm_password = EncryptedField(
         min_length=5, max_length=128,
         widget=forms.PasswordInput,
         label=_("Confirm password")
@@ -103,7 +104,7 @@ class UserForgotPasswordForm(forms.Form):
 
 
 class UserPasswordForm(UserTokenResetPasswordForm):
-    old_password = forms.CharField(
+    old_password = EncryptedField(
         max_length=128, widget=forms.PasswordInput,
         label=_("Old password")
     )
diff --git a/apps/users/migrations/0021_auto_20190625_1104.py b/apps/users/migrations/0021_auto_20190625_1104.py
index f14e72d02..4112a8693 100644
--- a/apps/users/migrations/0021_auto_20190625_1104.py
+++ b/apps/users/migrations/0021_auto_20190625_1104.py
@@ -1,6 +1,6 @@
 # Generated by Django 2.1.7 on 2019-06-25 03:04
 
-import common.fields.model
+import common.db.fields
 from django.db import migrations, models
 
 
@@ -14,17 +14,17 @@ class Migration(migrations.Migration):
         migrations.AlterField(
             model_name='user',
             name='_otp_secret_key',
-            field=common.fields.model.EncryptCharField(blank=True, max_length=128, null=True),
+            field=common.db.fields.EncryptCharField(blank=True, max_length=128, null=True),
         ),
         migrations.AlterField(
             model_name='user',
             name='_private_key',
-            field=common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='Private key'),
+            field=common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='Private key'),
         ),
         migrations.AlterField(
             model_name='user',
             name='_public_key',
-            field=common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='Public key'),
+            field=common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='Public key'),
         ),
         migrations.AlterField(
             model_name='user',
diff --git a/apps/users/migrations/0037_user_secret_key.py b/apps/users/migrations/0037_user_secret_key.py
index 11e88fbd1..ccd79c70d 100644
--- a/apps/users/migrations/0037_user_secret_key.py
+++ b/apps/users/migrations/0037_user_secret_key.py
@@ -1,6 +1,6 @@
 # Generated by Django 3.1.13 on 2021-12-07 08:23
 
-import common.fields.model
+import common.db.fields
 from django.db import migrations
 
 
@@ -14,6 +14,6 @@ class Migration(migrations.Migration):
         migrations.AddField(
             model_name='user',
             name='secret_key',
-            field=common.fields.model.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Secret key'),
+            field=common.db.fields.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Secret key'),
         ),
     ]
diff --git a/apps/users/models/user.py b/apps/users/models/user.py
index b69cd5726..c22be9523 100644
--- a/apps/users/models/user.py
+++ b/apps/users/models/user.py
@@ -20,7 +20,7 @@ from django.shortcuts import reverse
 from orgs.utils import current_org
 from orgs.models import Organization
 from rbac.const import Scope
-from common import fields
+from common.db import fields
 from common.utils import (
     date_expired_default, get_logger, lazyproperty, random_string, bulk_create_with_signal
 )
diff --git a/apps/users/serializers/profile.py b/apps/users/serializers/profile.py
index ac9671d23..d6cd9055f 100644
--- a/apps/users/serializers/profile.py
+++ b/apps/users/serializers/profile.py
@@ -3,6 +3,7 @@ from django.utils.translation import ugettext_lazy as _
 from rest_framework import serializers
 
 from common.utils import validate_ssh_public_key
+from common.drf.fields import EncryptedField
 from ..models import User
 
 from .user import UserSerializer
@@ -16,9 +17,9 @@ class UserOrgSerializer(serializers.Serializer):
 
 
 class UserUpdatePasswordSerializer(serializers.ModelSerializer):
-    old_password = serializers.CharField(required=True, max_length=128, write_only=True)
-    new_password = serializers.CharField(required=True, max_length=128, write_only=True)
-    new_password_again = serializers.CharField(required=True, max_length=128, write_only=True)
+    old_password = EncryptedField(required=True, max_length=128, write_only=True)
+    new_password = EncryptedField(required=True, max_length=128, write_only=True)
+    new_password_again = EncryptedField(required=True, max_length=128, write_only=True)
 
     class Meta:
         model = User
@@ -41,11 +42,13 @@ class UserUpdatePasswordSerializer(serializers.ModelSerializer):
             raise serializers.ValidationError(msg)
         return value
 
-    def validate_new_password_again(self, value):
-        if value != self.initial_data.get('new_password', ''):
+    def validate(self, values):
+        new_password = values.get('new_password', '')
+        new_password_again = values.get('new_password_again', '')
+        if new_password != new_password_again:
             msg = _('The newly set password is inconsistent')
-            raise serializers.ValidationError(msg)
-        return value
+            raise serializers.ValidationError({'new_password_again': msg})
+        return values
 
     def update(self, instance, validated_data):
         new_password = self.validated_data.get('new_password')
diff --git a/apps/users/templates/users/reset_password.html b/apps/users/templates/users/reset_password.html
index ecad676bf..a8e0360c4 100644
--- a/apps/users/templates/users/reset_password.html
+++ b/apps/users/templates/users/reset_password.html
@@ -75,6 +75,19 @@ $(document).ready(function () {
         var password = idPassword.val();
         checkPasswordRules(password, minLength);
     })
+
+    $("form").submit(function(){
+        // Let's find the input to check
+        var ids = ['id_new_password', 'id_confirm_password']
+        for (id of ids) {
+            var passwordRef = $('#' + id)
+            var value = passwordRef.val()
+            if (value) {
+                value = encryptPassword(value)
+                passwordRef.val(value)
+            }
+        }
+    });
 })
- </script>
+</script>
 {% endblock %}
diff --git a/apps/users/templates/users/user_password_verify.html b/apps/users/templates/users/user_password_verify.html
index bfc72ee87..65dacc75d 100644
--- a/apps/users/templates/users/user_password_verify.html
+++ b/apps/users/templates/users/user_password_verify.html
@@ -15,10 +15,23 @@
         {% endif %}
         {% csrf_token %}
         <div class="form-input form-group">
-            <input type="password" class="form-control" name="{{ form.password.html_name }}" placeholder="{% trans 'Password' %}" required="">
+            <input type="password" id="password" class="form-control" name="{{ form.password.html_name }}" placeholder="{% trans 'Password' %}" required="">
         </div>
         <button type="submit" class="btn btn-primary">{% trans 'Confirm' %}</button>
     </form>
+    <script>
+        $("form").submit(function(){
+            // Let's find the input to check
+            var passwordRef = $('#password')
+            var value = passwordRef.val()
+            if (value) {
+                // Value is falsey (i.e. null), lets set a new one
+                value = encryptPassword(value)
+                passwordRef.val(value)
+            }
+        });
+    </script>
 {% endblock %}
 
 
+
diff --git a/apps/users/views/profile/password.py b/apps/users/views/profile/password.py
index 7c69dccd3..bb51b8aa4 100644
--- a/apps/users/views/profile/password.py
+++ b/apps/users/views/profile/password.py
@@ -7,7 +7,7 @@ from django.shortcuts import redirect
 from django.utils.translation import ugettext as _
 from django.views.generic.edit import FormView
 
-from authentication.mixins import PasswordEncryptionViewMixin, AuthMixin
+from authentication.mixins import AuthMixin
 from authentication import errors
 
 from common.utils import get_logger
@@ -31,7 +31,7 @@ class UserVerifyPasswordView(AuthMixin, FormView):
             return redirect('authentication:login')
 
         try:
-            password = self.get_decrypted_password(username=user.username)
+            password = form.cleaned_data['password']
         except errors.AuthFailedError as e:
             form.add_error("password", _(f"Password invalid") + f'({e.msg})')
             return self.form_invalid(form)

From 5e70a8af15135b826cbaded89205d47d28c2908b Mon Sep 17 00:00:00 2001
From: jiangweidong <weidong.jiang@fit2cloud.com>
Date: Fri, 15 Apr 2022 14:39:37 +0800
Subject: [PATCH 085/258] =?UTF-8?q?feat:=20=E6=94=AF=E6=8C=81=E5=B9=B3?=
 =?UTF-8?q?=E5=8F=B0=E5=85=B3=E8=81=94=E7=AE=97=E6=B3=95=EF=BC=8C=E6=94=AF?=
 =?UTF-8?q?=E6=8C=81AIX=E6=94=B9=E5=AF=86?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/assets/models/asset.py           |  4 ++++
 apps/assets/tasks/push_system_user.py | 22 +++++++++++++---------
 apps/common/utils/encode.py           | 23 ++++++++++++++++++++---
 3 files changed, 37 insertions(+), 12 deletions(-)

diff --git a/apps/assets/models/asset.py b/apps/assets/models/asset.py
index 7dde0862f..7d46a4b25 100644
--- a/apps/assets/models/asset.py
+++ b/apps/assets/models/asset.py
@@ -142,6 +142,10 @@ class Platform(models.Model):
     internal = models.BooleanField(default=False, verbose_name=_("Internal"))
     comment = models.TextField(blank=True, null=True, verbose_name=_("Comment"))
 
+    @property
+    def algorithm(self):
+        return self.meta.get('algorithm')
+
     @classmethod
     def default(cls):
         linux, created = cls.objects.get_or_create(
diff --git a/apps/assets/tasks/push_system_user.py b/apps/assets/tasks/push_system_user.py
index 4270f5e0f..46734e4be 100644
--- a/apps/assets/tasks/push_system_user.py
+++ b/apps/assets/tasks/push_system_user.py
@@ -32,9 +32,9 @@ def _dump_args(args: dict):
     return ' '.join([f'{k}={v}' for k, v in args.items() if v is not Empty])
 
 
-def get_push_unixlike_system_user_tasks(system_user, username=None):
+def get_push_unixlike_system_user_tasks(system_user, username=None, **kwargs):
     comment = system_user.name
-
+    algorithm = kwargs.get('algorithm')
     if username is None:
         username = system_user.username
 
@@ -104,7 +104,7 @@ def get_push_unixlike_system_user_tasks(system_user, username=None):
                 'module': 'user',
                 'args': 'name={} shell={} state=present password={}'.format(
                     username, system_user.shell,
-                    encrypt_password(password, salt="K3mIlKK"),
+                    encrypt_password(password, salt="K3mIlKK", algorithm=algorithm),
                 ),
             }
         })
@@ -138,7 +138,7 @@ def get_push_unixlike_system_user_tasks(system_user, username=None):
     return tasks
 
 
-def get_push_windows_system_user_tasks(system_user: SystemUser, username=None):
+def get_push_windows_system_user_tasks(system_user: SystemUser, username=None, **kwargs):
     if username is None:
         username = system_user.username
     password = system_user.password
@@ -176,7 +176,7 @@ def get_push_windows_system_user_tasks(system_user: SystemUser, username=None):
     return tasks
 
 
-def get_push_system_user_tasks(system_user, platform="unixlike", username=None):
+def get_push_system_user_tasks(system_user, platform="unixlike", username=None, algorithm=None):
     """
     获取推送系统用户的 ansible 命令，跟资产无关
     :param system_user:
@@ -190,16 +190,16 @@ def get_push_system_user_tasks(system_user, platform="unixlike", username=None):
     }
     get_tasks = get_task_map.get(platform, get_push_unixlike_system_user_tasks)
     if not system_user.username_same_with_user:
-        return get_tasks(system_user)
+        return get_tasks(system_user, algorithm=algorithm)
     tasks = []
     # 仅推送这个username
     if username is not None:
-        tasks.extend(get_tasks(system_user, username))
+        tasks.extend(get_tasks(system_user, username, algorithm=algorithm))
         return tasks
     users = system_user.users.all().values_list('username', flat=True)
     print(_("System user is dynamic: {}").format(list(users)))
     for _username in users:
-        tasks.extend(get_tasks(system_user, _username))
+        tasks.extend(get_tasks(system_user, _username, algorithm=algorithm))
     return tasks
 
 
@@ -244,7 +244,11 @@ def push_system_user_util(system_user, assets, task_name, username=None):
         for u in usernames:
             for a in _assets:
                 system_user.load_asset_special_auth(a, u)
-                tasks = get_push_system_user_tasks(system_user, platform, username=u)
+                algorithm = a.platform.algorithm
+                tasks = get_push_system_user_tasks(
+                    system_user, platform, username=u,
+                    algorithm=algorithm
+                )
                 run_task(tasks, [a])
 
 
diff --git a/apps/common/utils/encode.py b/apps/common/utils/encode.py
index d108a2094..4178e4a0d 100644
--- a/apps/common/utils/encode.py
+++ b/apps/common/utils/encode.py
@@ -186,10 +186,27 @@ def make_signature(access_key_secret, date=None):
     return content_md5(data)
 
 
-def encrypt_password(password, salt=None):
-    from passlib.hash import sha512_crypt
-    if password:
+def encrypt_password(password, salt=None, algorithm='sha512'):
+    from passlib.hash import sha512_crypt, des_crypt
+
+    def sha512():
         return sha512_crypt.using(rounds=5000).hash(password, salt=salt)
+
+    def des():
+        return des_crypt.hash(password, salt=salt[:2])
+
+    support_algorithm = {
+        'sha512': sha512, 'des': des
+    }
+
+    if isinstance(algorithm, str):
+        algorithm = algorithm.lower()
+
+    if algorithm not in support_algorithm.keys():
+        algorithm = 'sha512'
+
+    if password and support_algorithm[algorithm]:
+        return support_algorithm[algorithm]()
     return None
 
 

From 55e04e8e9f69c8880a51714b1f802697812945f8 Mon Sep 17 00:00:00 2001
From: jiangweidong <weidong.jiang@fit2cloud.com>
Date: Thu, 21 Apr 2022 11:05:15 +0800
Subject: [PATCH 086/258] =?UTF-8?q?feat:=20=E5=86=85=E7=BD=AEAIX=E7=B3=BB?=
 =?UTF-8?q?=E7=BB=9F=EF=BC=8C=E6=A0=B9=E6=8D=AE=E7=B3=BB=E7=BB=9F=E9=80=89?=
 =?UTF-8?q?=E6=8B=A9=E7=AE=97=E6=B3=95=E5=8A=A0=E5=AF=86=E5=AF=86=E7=A0=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/assets/migrations/0090_auto_20220412_1145.py | 15 +++++++++++++++
 apps/assets/models/asset.py                       |  4 ----
 apps/assets/tasks/push_system_user.py             |  2 +-
 3 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/apps/assets/migrations/0090_auto_20220412_1145.py b/apps/assets/migrations/0090_auto_20220412_1145.py
index c2cb879aa..434b7b3cf 100644
--- a/apps/assets/migrations/0090_auto_20220412_1145.py
+++ b/apps/assets/migrations/0090_auto_20220412_1145.py
@@ -3,6 +3,20 @@
 from django.db import migrations, models
 
 
+def create_internal_platform(apps, schema_editor):
+    model = apps.get_model("assets", "Platform")
+    db_alias = schema_editor.connection.alias
+    type_platforms = (
+        ('AIX', 'Unix', None),
+    )
+    for name, base, meta in type_platforms:
+        defaults = {'name': name, 'base': base, 'meta': meta, 'internal': True}
+        model.objects.using(db_alias).update_or_create(
+            name=name, defaults=defaults
+        )
+        migrations.RunPython(create_internal_platform)
+
+
 class Migration(migrations.Migration):
 
     dependencies = [
@@ -15,4 +29,5 @@ class Migration(migrations.Migration):
             name='number',
             field=models.CharField(blank=True, max_length=128, null=True, verbose_name='Asset number'),
         ),
+        migrations.RunPython(create_internal_platform)
     ]
diff --git a/apps/assets/models/asset.py b/apps/assets/models/asset.py
index 7d46a4b25..7dde0862f 100644
--- a/apps/assets/models/asset.py
+++ b/apps/assets/models/asset.py
@@ -142,10 +142,6 @@ class Platform(models.Model):
     internal = models.BooleanField(default=False, verbose_name=_("Internal"))
     comment = models.TextField(blank=True, null=True, verbose_name=_("Comment"))
 
-    @property
-    def algorithm(self):
-        return self.meta.get('algorithm')
-
     @classmethod
     def default(cls):
         linux, created = cls.objects.get_or_create(
diff --git a/apps/assets/tasks/push_system_user.py b/apps/assets/tasks/push_system_user.py
index 46734e4be..98d2a0922 100644
--- a/apps/assets/tasks/push_system_user.py
+++ b/apps/assets/tasks/push_system_user.py
@@ -244,7 +244,7 @@ def push_system_user_util(system_user, assets, task_name, username=None):
         for u in usernames:
             for a in _assets:
                 system_user.load_asset_special_auth(a, u)
-                algorithm = a.platform.algorithm
+                algorithm = 'des' if a.platform.name == 'AIX' else 'sha512'
                 tasks = get_push_system_user_tasks(
                     system_user, platform, username=u,
                     algorithm=algorithm

From ab737ae09b49e76c7dbb1c8982144783c1cab8c4 Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Sat, 7 May 2022 17:50:49 +0800
Subject: [PATCH 087/258] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=E8=8E=B7?=
 =?UTF-8?q?=E5=8F=96=E7=B1=BB=E5=9E=8B=E4=B8=BAnull=E7=9A=84=E5=91=BD?=
 =?UTF-8?q?=E4=BB=A4=E6=98=BE=E7=A4=BA=E4=B8=8D=E6=94=AF=E6=8C=81=E7=9A=84?=
 =?UTF-8?q?=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

fix: 修复获取类型为null的命令显示不支持的问题
---
 apps/terminal/models/storage.py | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/apps/terminal/models/storage.py b/apps/terminal/models/storage.py
index e9d4f429b..e0c815c04 100644
--- a/apps/terminal/models/storage.py
+++ b/apps/terminal/models/storage.py
@@ -89,16 +89,20 @@ class CommandStorage(CommonStorageModelMixin, CommonModelMixin):
         return Terminal.objects.filter(command_storage=self.name, is_deleted=False).exists()
 
     def get_command_queryset(self):
+        if self.type_null:
+            return Command.objects.none()
+
         if self.type_server:
-            qs = Command.objects.all()
-        else:
-            if self.type not in TYPE_ENGINE_MAPPING:
-                logger.error(f'Command storage `{self.type}` not support')
-                return Command.objects.none()
+            return Command.objects.all()
+
+        if self.type in TYPE_ENGINE_MAPPING:
             engine_mod = import_module(TYPE_ENGINE_MAPPING[self.type])
             qs = engine_mod.QuerySet(self.config)
             qs.model = Command
-        return qs
+            return qs
+
+        logger.error(f'Command storage `{self.type}` not support')
+        return Command.objects.none()
 
     def save(self, force_insert=False, force_update=False, using=None,
              update_fields=None):

From 64eda5f28b52c80555f0a5ea4499cde1744beada Mon Sep 17 00:00:00 2001
From: jiangweidong <80373698+F2C-Jiang@users.noreply.github.com>
Date: Mon, 9 May 2022 16:37:31 +0800
Subject: [PATCH 088/258] =?UTF-8?q?perf:=20=E5=91=BD=E4=BB=A4=E5=AD=98?=
 =?UTF-8?q?=E5=82=A8ES=E5=8F=AF=E6=A0=B9=E6=8D=AE=E6=97=A5=E6=9C=9F?=
 =?UTF-8?q?=E5=8A=A8=E6=80=81=E5=BB=BA=E7=AB=8B=E7=B4=A2=E5=BC=95=20(#8180?=
 =?UTF-8?q?)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* perf: 命令存储ES可根据日期动态建立索引

* perf: 优化合并字段

* feat: 修改逻辑
---
 apps/common/utils/timezone.py        |  4 +++
 apps/locale/ja/LC_MESSAGES/django.po | 30 +++++++++++++++-------
 apps/locale/zh/LC_MESSAGES/django.po | 30 +++++++++++++++-------
 apps/terminal/backends/command/es.py | 37 ++++++++++++++++++++++------
 apps/terminal/models/storage.py      | 18 ++++++++++++++
 apps/terminal/models/terminal.py     |  2 +-
 apps/terminal/serializers/storage.py |  4 +++
 7 files changed, 98 insertions(+), 27 deletions(-)

diff --git a/apps/common/utils/timezone.py b/apps/common/utils/timezone.py
index c38fcdc92..4b60008af 100644
--- a/apps/common/utils/timezone.py
+++ b/apps/common/utils/timezone.py
@@ -32,6 +32,10 @@ def local_now_display(fmt='%Y-%m-%d %H:%M:%S'):
     return local_now().strftime(fmt)
 
 
+def local_now_date_display(fmt='%Y-%m-%d'):
+    return local_now().strftime(fmt)
+
+
 _rest_dt_field = DateTimeField()
 dt_parser = _rest_dt_field.to_internal_value
 dt_formatter = _rest_dt_field.to_representation
diff --git a/apps/locale/ja/LC_MESSAGES/django.po b/apps/locale/ja/LC_MESSAGES/django.po
index b23c9cde9..368cf98fb 100644
--- a/apps/locale/ja/LC_MESSAGES/django.po
+++ b/apps/locale/ja/LC_MESSAGES/django.po
@@ -30,7 +30,7 @@ msgstr "Acls"
 #: orgs/models.py:65 perms/models/base.py:83 rbac/models/role.py:29
 #: settings/models.py:29 settings/serializers/sms.py:6
 #: terminal/models/endpoint.py:10 terminal/models/endpoint.py:58
-#: terminal/models/storage.py:23 terminal/models/task.py:16
+#: terminal/models/storage.py:24 terminal/models/task.py:16
 #: terminal/models/terminal.py:100 users/forms/profile.py:32
 #: users/models/group.py:15 users/models/user.py:661
 #: xpack/plugins/cloud/models.py:28
@@ -62,7 +62,7 @@ msgstr "アクティブ"
 #: assets/models/label.py:23 ops/models/adhoc.py:38 orgs/models.py:68
 #: perms/models/base.py:93 rbac/models/role.py:37 settings/models.py:34
 #: terminal/models/endpoint.py:20 terminal/models/endpoint.py:68
-#: terminal/models/storage.py:26 terminal/models/terminal.py:114
+#: terminal/models/storage.py:27 terminal/models/terminal.py:114
 #: tickets/models/comment.py:24 tickets/models/ticket.py:154
 #: users/models/group.py:16 users/models/user.py:698
 #: xpack/plugins/change_auth_plan/models/base.py:44
@@ -305,7 +305,7 @@ msgstr "カテゴリ"
 #: assets/models/cmd_filter.py:82 assets/models/user.py:246
 #: perms/models/application_permission.py:24
 #: perms/serializers/application/user_permission.py:34
-#: terminal/models/storage.py:55 terminal/models/storage.py:119
+#: terminal/models/storage.py:56 terminal/models/storage.py:136
 #: tickets/models/flow.py:56 tickets/models/ticket.py:131
 #: tickets/serializers/ticket/meta/ticket_type/apply_application.py:29
 #: xpack/plugins/change_auth_plan/models/app.py:28
@@ -4639,7 +4639,7 @@ msgstr "オンラインセッションを持つ"
 msgid "Terminals"
 msgstr "ターミナル管理"
 
-#: terminal/backends/command/es.py:26
+#: terminal/backends/command/es.py:28
 msgid "Invalid elasticsearch config"
 msgstr "無効なElasticsearch構成"
 
@@ -4883,15 +4883,15 @@ msgstr "スレッド"
 msgid "Boot Time"
 msgstr "ブート時間"
 
-#: terminal/models/storage.py:25
+#: terminal/models/storage.py:26
 msgid "Default storage"
 msgstr "デフォルトのストレージ"
 
-#: terminal/models/storage.py:113 terminal/models/terminal.py:108
+#: terminal/models/storage.py:130 terminal/models/terminal.py:108
 msgid "Command storage"
 msgstr "コマンドストレージ"
 
-#: terminal/models/storage.py:173 terminal/models/terminal.py:109
+#: terminal/models/storage.py:190 terminal/models/terminal.py:109
 msgid "Replay storage"
 msgstr "再生ストレージ"
 
@@ -5008,14 +5008,26 @@ msgid "Port invalid"
 msgstr "ポートが無効"
 
 #: terminal/serializers/storage.py:159
+msgid "Index by date"
+msgstr "日付による索引付け"
+
+#: terminal/serializers/storage.py:160
+msgid "Whether to create an index by date"
+msgstr "現在の日付に基づいてインデックスを動的に作成するかどうか"
+
+#: terminal/serializers/storage.py:163
+msgid "Index prefix"
+msgstr "インデックス接頭辞"
+
+#: terminal/serializers/storage.py:166
 msgid "Index"
 msgstr "インデックス"
 
-#: terminal/serializers/storage.py:161
+#: terminal/serializers/storage.py:168
 msgid "Doc type"
 msgstr "Docタイプ"
 
-#: terminal/serializers/storage.py:163
+#: terminal/serializers/storage.py:170
 msgid "Ignore Certificate Verification"
 msgstr "証明書の検証を無視する"
 
diff --git a/apps/locale/zh/LC_MESSAGES/django.po b/apps/locale/zh/LC_MESSAGES/django.po
index bc6f0a6ae..ad6b041be 100644
--- a/apps/locale/zh/LC_MESSAGES/django.po
+++ b/apps/locale/zh/LC_MESSAGES/django.po
@@ -29,7 +29,7 @@ msgstr "访问控制"
 #: orgs/models.py:65 perms/models/base.py:83 rbac/models/role.py:29
 #: settings/models.py:29 settings/serializers/sms.py:6
 #: terminal/models/endpoint.py:10 terminal/models/endpoint.py:58
-#: terminal/models/storage.py:23 terminal/models/task.py:16
+#: terminal/models/storage.py:24 terminal/models/task.py:16
 #: terminal/models/terminal.py:100 users/forms/profile.py:32
 #: users/models/group.py:15 users/models/user.py:661
 #: xpack/plugins/cloud/models.py:28
@@ -61,7 +61,7 @@ msgstr "激活中"
 #: assets/models/label.py:23 ops/models/adhoc.py:38 orgs/models.py:68
 #: perms/models/base.py:93 rbac/models/role.py:37 settings/models.py:34
 #: terminal/models/endpoint.py:20 terminal/models/endpoint.py:68
-#: terminal/models/storage.py:26 terminal/models/terminal.py:114
+#: terminal/models/storage.py:27 terminal/models/terminal.py:114
 #: tickets/models/comment.py:24 tickets/models/ticket.py:154
 #: users/models/group.py:16 users/models/user.py:698
 #: xpack/plugins/change_auth_plan/models/base.py:44
@@ -300,7 +300,7 @@ msgstr "类别"
 #: assets/models/cmd_filter.py:82 assets/models/user.py:246
 #: perms/models/application_permission.py:24
 #: perms/serializers/application/user_permission.py:34
-#: terminal/models/storage.py:55 terminal/models/storage.py:119
+#: terminal/models/storage.py:56 terminal/models/storage.py:136
 #: tickets/models/flow.py:56 tickets/models/ticket.py:131
 #: tickets/serializers/ticket/meta/ticket_type/apply_application.py:29
 #: xpack/plugins/change_auth_plan/models/app.py:28
@@ -4565,7 +4565,7 @@ msgstr "有在线会话"
 msgid "Terminals"
 msgstr "终端管理"
 
-#: terminal/backends/command/es.py:26
+#: terminal/backends/command/es.py:28
 msgid "Invalid elasticsearch config"
 msgstr "无效的 Elasticsearch 配置"
 
@@ -4809,15 +4809,15 @@ msgstr "线程数"
 msgid "Boot Time"
 msgstr "运行时间"
 
-#: terminal/models/storage.py:25
+#: terminal/models/storage.py:26
 msgid "Default storage"
 msgstr "默认存储"
 
-#: terminal/models/storage.py:113 terminal/models/terminal.py:108
+#: terminal/models/storage.py:130 terminal/models/terminal.py:108
 msgid "Command storage"
 msgstr "命令存储"
 
-#: terminal/models/storage.py:173 terminal/models/terminal.py:109
+#: terminal/models/storage.py:190 terminal/models/terminal.py:109
 msgid "Replay storage"
 msgstr "录像存储"
 
@@ -4934,14 +4934,26 @@ msgid "Port invalid"
 msgstr "端口无效"
 
 #: terminal/serializers/storage.py:159
+msgid "Index by date"
+msgstr "按日期建索引"
+
+#: terminal/serializers/storage.py:160
+msgid "Whether to create an index by date"
+msgstr "是否根据日期动态建立索引"
+
+#: terminal/serializers/storage.py:163
+msgid "Index prefix"
+msgstr "索引前缀"
+
+#: terminal/serializers/storage.py:166
 msgid "Index"
 msgstr "索引"
 
-#: terminal/serializers/storage.py:161
+#: terminal/serializers/storage.py:168
 msgid "Doc type"
 msgstr "文档类型"
 
-#: terminal/serializers/storage.py:163
+#: terminal/serializers/storage.py:170
 msgid "Ignore Certificate Verification"
 msgstr "忽略证书认证"
 
diff --git a/apps/terminal/backends/command/es.py b/apps/terminal/backends/command/es.py
index c7ae7060e..997bd30fd 100644
--- a/apps/terminal/backends/command/es.py
+++ b/apps/terminal/backends/command/es.py
@@ -1,11 +1,12 @@
 # -*- coding: utf-8 -*-
 #
+import pytz
+import inspect
+
 from datetime import datetime
 from functools import reduce, partial
 from itertools import groupby
-import pytz
 from uuid import UUID
-import inspect
 
 from django.utils.translation import gettext_lazy as _
 from django.db.models import QuerySet as DJQuerySet
@@ -15,6 +16,7 @@ from elasticsearch.exceptions import RequestError, NotFoundError
 
 from common.utils.common import lazyproperty
 from common.utils import get_logger
+from common.utils.timezone import local_now_date_display, utc_now
 from common.exceptions import JMSException
 from .models import AbstractSessionCommand
 
@@ -28,12 +30,13 @@ class InvalidElasticsearch(JMSException):
 
 class CommandStore(object):
     def __init__(self, config):
-        hosts = config.get("HOSTS")
-        kwargs = config.get("OTHER", {})
-        self.index = config.get("INDEX") or 'jumpserver'
         self.doc_type = config.get("DOC_TYPE") or '_doc'
+        self.index_prefix = config.get('INDEX') or 'jumpserver'
+        self.is_index_by_date = bool(config.get('INDEX_BY_DATE'))
         self.exact_fields = {}
         self.match_fields = {}
+        hosts = config.get("HOSTS")
+        kwargs = config.get("OTHER", {})
 
         ignore_verify_certs = kwargs.pop('IGNORE_VERIFY_CERTS', False)
         if ignore_verify_certs:
@@ -50,6 +53,17 @@ class CommandStore(object):
         else:
             self.match_fields.update(may_exact_fields)
 
+        self.init_index(config)
+
+    def init_index(self, config):
+        if self.is_index_by_date:
+            date = local_now_date_display()
+            self.index = '%s-%s' % (self.index_prefix, date)
+            self.query_index = '%s-alias' % self.index_prefix
+        else:
+            self.index = config.get("INDEX") or 'jumpserver'
+            self.query_index = config.get("INDEX") or 'jumpserver'
+
     def is_new_index_type(self):
         if not self.ping(timeout=3):
             return False
@@ -101,11 +115,18 @@ class CommandStore(object):
         else:
             mappings = {'mappings': {'properties': properties}}
 
+        if self.is_index_by_date:
+            mappings['aliases'] = {
+                self.query_index: {}
+            }
         try:
             self.es.indices.create(self.index, body=mappings)
             return
         except RequestError as e:
-            logger.exception(e)
+            if e.error == 'resource_already_exists_exception':
+                logger.warning(e)
+            else:
+                logger.exception(e)
 
     @staticmethod
     def make_data(command):
@@ -141,7 +162,7 @@ class CommandStore(object):
         body = self.get_query_body(**query)
 
         data = self.es.search(
-            index=self.index, doc_type=self.doc_type, body=body, from_=from_, size=size,
+            index=self.query_index, doc_type=self.doc_type, body=body, from_=from_, size=size,
             sort=sort
         )
         source_data = []
@@ -154,7 +175,7 @@ class CommandStore(object):
 
     def count(self, **query):
         body = self.get_query_body(**query)
-        data = self.es.count(index=self.index, doc_type=self.doc_type, body=body)
+        data = self.es.count(index=self.query_index, doc_type=self.doc_type, body=body)
         return data["count"]
 
     def __getattr__(self, item):
diff --git a/apps/terminal/models/storage.py b/apps/terminal/models/storage.py
index e0c815c04..311a55fda 100644
--- a/apps/terminal/models/storage.py
+++ b/apps/terminal/models/storage.py
@@ -1,6 +1,7 @@
 from __future__ import unicode_literals
 
 import os
+
 from importlib import import_module
 
 import jms_storage
@@ -10,6 +11,7 @@ from django.conf import settings
 from common.mixins import CommonModelMixin
 from common.utils import get_logger
 from common.db.fields import EncryptJsonDictTextField
+from common.utils.timezone import local_now_date_display
 from terminal.backends import TYPE_ENGINE_MAPPING
 from .terminal import Terminal
 from .command import Command
@@ -63,6 +65,10 @@ class CommandStorage(CommonStorageModelMixin, CommonModelMixin):
     def type_server(self):
         return self.type == const.CommandStorageTypeChoices.server.value
 
+    @property
+    def type_es(self):
+        return self.type == const.CommandStorageTypeChoices.es.value
+
     @property
     def type_null_or_server(self):
         return self.type_null or self.type_server
@@ -73,6 +79,18 @@ class CommandStorage(CommonStorageModelMixin, CommonModelMixin):
         config.update({'TYPE': self.type})
         return config
 
+    @property
+    def valid_config(self):
+        config = self.config
+        if self.type_es and config.get('INDEX_BY_DATE'):
+            engine_mod = import_module(TYPE_ENGINE_MAPPING[self.type])
+            store = engine_mod.CommandStore(config)
+            store._ensure_index_exists()
+            index_prefix = config.get('INDEX') or 'jumpserver'
+            date = local_now_date_display()
+            config['INDEX'] = '%s-%s' % (index_prefix, date)
+        return config
+
     def is_valid(self):
         if self.type_null_or_server:
             return True
diff --git a/apps/terminal/models/terminal.py b/apps/terminal/models/terminal.py
index b5a753c96..4b585cfff 100644
--- a/apps/terminal/models/terminal.py
+++ b/apps/terminal/models/terminal.py
@@ -68,7 +68,7 @@ class StorageMixin:
     def get_command_storage_config(self):
         s = self.get_command_storage()
         if s:
-            config = s.config
+            config = s.valid_config
         else:
             config = settings.DEFAULT_TERMINAL_COMMAND_STORAGE
         return config
diff --git a/apps/terminal/serializers/storage.py b/apps/terminal/serializers/storage.py
index 81c885862..d04232d38 100644
--- a/apps/terminal/serializers/storage.py
+++ b/apps/terminal/serializers/storage.py
@@ -155,6 +155,10 @@ class CommandStorageTypeESSerializer(serializers.Serializer):
         child=serializers.CharField(validators=[command_storage_es_host_format_validator]),
         label=_('Hosts'), help_text=_(hosts_help_text), allow_null=True
     )
+    INDEX_BY_DATE = serializers.BooleanField(
+        default=False, label=_('Index by date'),
+        help_text=_('Whether to create an index by date')
+    )
     INDEX = serializers.CharField(
         max_length=1024, default='jumpserver', label=_('Index'), allow_null=True
     )

From 094446c548b1ab4ce48086783f6059e412440faa Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Tue, 10 May 2022 10:35:48 +0800
Subject: [PATCH 089/258] =?UTF-8?q?chore:=20=E5=8E=BB=E6=8E=89=E4=B8=80?=
 =?UTF-8?q?=E4=B8=AAworkflow?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .github/workflows/lgtm.yml | 18 ------------------
 1 file changed, 18 deletions(-)
 delete mode 100644 .github/workflows/lgtm.yml

diff --git a/.github/workflows/lgtm.yml b/.github/workflows/lgtm.yml
deleted file mode 100644
index 379ca5135..000000000
--- a/.github/workflows/lgtm.yml
+++ /dev/null
@@ -1,18 +0,0 @@
-name: Send LGTM reaction
-
-on:
-  issue_comment:
-    types: [created]
-  pull_request_review:
-    types: [submitted]
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@1.0.0
-      - uses: micnncim/action-lgtm-reaction@master
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          trigger: '["^.?lgtm$"]'

From b44fa6499464af9ab79166915065d97a5104bcf7 Mon Sep 17 00:00:00 2001
From: jiangweidong <80373698+F2C-Jiang@users.noreply.github.com>
Date: Tue, 10 May 2022 16:30:25 +0800
Subject: [PATCH 090/258] =?UTF-8?q?perf:=20=E4=BC=81=E4=B8=9A=E5=BE=AE?=
 =?UTF-8?q?=E4=BF=A1=E3=80=81=E9=92=89=E9=92=89=E5=B7=A5=E5=8D=95=E5=AE=A1?=
 =?UTF-8?q?=E6=89=B9=E5=A2=9E=E5=8A=A0=E6=8B=92=E7=BB=9D=E5=8A=9F=E8=83=BD?=
 =?UTF-8?q?=20(#8208)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* perf: 工单直接审批增加拒绝功能

* feat: 翻译

* perf: 修改动作名词

* perf: 修改翻译
---
 apps/locale/ja/LC_MESSAGES/django.po          | 264 ++++++++---------
 apps/locale/zh/LC_MESSAGES/django.po          | 270 +++++++++---------
 apps/templates/_base_double_screen.html       |   1 -
 .../tickets/approve_check_password.html       |   6 +-
 apps/tickets/views/approve.py                 |  11 +-
 5 files changed, 282 insertions(+), 270 deletions(-)

diff --git a/apps/locale/ja/LC_MESSAGES/django.po b/apps/locale/ja/LC_MESSAGES/django.po
index 368cf98fb..ef8e52bb1 100644
--- a/apps/locale/ja/LC_MESSAGES/django.po
+++ b/apps/locale/ja/LC_MESSAGES/django.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-05-05 13:03+0800\n"
+"POT-Creation-Date: 2022-05-10 10:46+0800\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -30,8 +30,8 @@ msgstr "Acls"
 #: orgs/models.py:65 perms/models/base.py:83 rbac/models/role.py:29
 #: settings/models.py:29 settings/serializers/sms.py:6
 #: terminal/models/endpoint.py:10 terminal/models/endpoint.py:58
-#: terminal/models/storage.py:24 terminal/models/task.py:16
-#: terminal/models/terminal.py:100 users/forms/profile.py:32
+#: terminal/models/storage.py:25 terminal/models/task.py:16
+#: terminal/models/terminal.py:100 users/forms/profile.py:33
 #: users/models/group.py:15 users/models/user.py:661
 #: xpack/plugins/cloud/models.py:28
 msgid "Name"
@@ -62,7 +62,7 @@ msgstr "アクティブ"
 #: assets/models/label.py:23 ops/models/adhoc.py:38 orgs/models.py:68
 #: perms/models/base.py:93 rbac/models/role.py:37 settings/models.py:34
 #: terminal/models/endpoint.py:20 terminal/models/endpoint.py:68
-#: terminal/models/storage.py:27 terminal/models/terminal.py:114
+#: terminal/models/storage.py:28 terminal/models/terminal.py:114
 #: tickets/models/comment.py:24 tickets/models/ticket.py:154
 #: users/models/group.py:16 users/models/user.py:698
 #: xpack/plugins/change_auth_plan/models/base.py:44
@@ -153,11 +153,11 @@ msgstr "コンマ区切り文字列の形式。* はすべて一致すること
 #: acls/serializers/login_acl.py:15 acls/serializers/login_asset_acl.py:17
 #: acls/serializers/login_asset_acl.py:51 assets/models/base.py:176
 #: assets/models/gathered_user.py:15 audits/models.py:121
-#: authentication/forms.py:15 authentication/forms.py:17
+#: authentication/forms.py:25 authentication/forms.py:27
 #: authentication/models.py:69
 #: authentication/templates/authentication/_msg_different_city.html:9
 #: authentication/templates/authentication/_msg_oauth_bind.html:9
-#: ops/models/adhoc.py:159 users/forms/profile.py:31 users/models/user.py:659
+#: ops/models/adhoc.py:159 users/forms/profile.py:32 users/models/user.py:659
 #: users/templates/users/_msg_user_created.html:12
 #: xpack/plugins/change_auth_plan/models/asset.py:34
 #: xpack/plugins/change_auth_plan/models/asset.py:195
@@ -305,7 +305,7 @@ msgstr "カテゴリ"
 #: assets/models/cmd_filter.py:82 assets/models/user.py:246
 #: perms/models/application_permission.py:24
 #: perms/serializers/application/user_permission.py:34
-#: terminal/models/storage.py:56 terminal/models/storage.py:136
+#: terminal/models/storage.py:57 terminal/models/storage.py:141
 #: tickets/models/flow.py:56 tickets/models/ticket.py:131
 #: tickets/serializers/ticket/meta/ticket_type/apply_application.py:29
 #: xpack/plugins/change_auth_plan/models/app.py:28
@@ -757,9 +757,9 @@ msgid "Date verified"
 msgstr "確認済みの日付"
 
 #: assets/models/base.py:177 audits/signal_handlers.py:48
-#: authentication/forms.py:22
-#: authentication/templates/authentication/login.html:181
-#: settings/serializers/auth/ldap.py:43 users/forms/profile.py:21
+#: authentication/forms.py:32
+#: authentication/templates/authentication/login.html:182
+#: settings/serializers/auth/ldap.py:45 users/forms/profile.py:22
 #: users/templates/users/_msg_user_created.html:13
 #: users/templates/users/user_password_verify.html:18
 #: xpack/plugins/change_auth_plan/models/base.py:42
@@ -1108,7 +1108,7 @@ msgid "Actions"
 msgstr "アクション"
 
 #: assets/serializers/backup.py:31 ops/mixin.py:106 ops/mixin.py:147
-#: settings/serializers/auth/ldap.py:62
+#: settings/serializers/auth/ldap.py:64
 #: xpack/plugins/change_auth_plan/serializers/base.py:42
 msgid "Periodic perform"
 msgstr "定期的なパフォーマンス"
@@ -1118,11 +1118,11 @@ msgstr "定期的なパフォーマンス"
 msgid "Currently only mail sending is supported"
 msgstr "現在、メール送信のみがサポートされています"
 
-#: assets/serializers/base.py:36
+#: assets/serializers/base.py:39
 msgid "Key password"
 msgstr "キーパスワード"
 
-#: assets/serializers/base.py:49
+#: assets/serializers/base.py:52
 msgid "private key invalid or passphrase error"
 msgstr "秘密鍵が無効またはpassphraseエラー"
 
@@ -1313,11 +1313,11 @@ msgstr "プラットフォームのプッシュシステムユーザーを開始
 msgid "Hosts count: {}"
 msgstr "ホスト数: {}"
 
-#: assets/tasks/push_system_user.py:259 assets/tasks/push_system_user.py:292
+#: assets/tasks/push_system_user.py:263 assets/tasks/push_system_user.py:296
 msgid "Push system users to assets: "
 msgstr "システムユーザーを資産にプッシュする:"
 
-#: assets/tasks/push_system_user.py:271
+#: assets/tasks/push_system_user.py:275
 msgid "Push system users to asset: "
 msgstr "システムユーザーをアセットにプッシュする:"
 
@@ -1401,8 +1401,8 @@ msgstr "操作"
 msgid "Filename"
 msgstr "ファイル名"
 
-#: audits/models.py:43 audits/models.py:115 terminal/models/sharing.py:90
-#: tickets/views/approve.py:93
+#: audits/models.py:43 audits/models.py:117 terminal/models/sharing.py:90
+#: tickets/views/approve.py:98
 #: xpack/plugins/change_auth_plan/serializers/app.py:87
 #: xpack/plugins/change_auth_plan/serializers/asset.py:197
 msgid "Success"
@@ -1418,7 +1418,6 @@ msgstr "ファイル転送ログ"
 msgid "Create"
 msgstr "作成"
 
-#: audits/models.py:56 rbac/tree.py:227 templates/_csv_import_export.html:18
 #: audits/models.py:57 rbac/tree.py:226
 msgid "View"
 msgstr "表示"
@@ -1486,8 +1485,8 @@ msgstr "ユーザーエージェント"
 
 #: audits/models.py:126
 #: authentication/templates/authentication/_mfa_confirm_modal.html:14
-#: users/forms/profile.py:64 users/models/user.py:684
-#: users/serializers/profile.py:121
+#: users/forms/profile.py:65 users/models/user.py:684
+#: users/serializers/profile.py:124
 msgid "MFA"
 msgstr "MFA"
 
@@ -1562,14 +1561,13 @@ msgstr "SSO"
 msgid "Auth Token"
 msgstr "認証トークン"
 
-#: audits/signal_handlers.py:71 authentication/notifications.py:73
 #: audits/signal_handlers.py:51 authentication/notifications.py:73
-#: authentication/views/login.py:164 authentication/views/wecom.py:181
+#: authentication/views/login.py:164 authentication/views/wecom.py:182
 #: notifications/backends/__init__.py:11 users/models/user.py:720
 msgid "WeCom"
 msgstr "企業微信"
 
-#: audits/signal_handlers.py:72 authentication/views/dingtalk.py:183
+#: audits/signal_handlers.py:52 authentication/views/dingtalk.py:183
 #: authentication/views/login.py:170 notifications/backends/__init__.py:12
 #: users/models/user.py:721
 msgid "DingTalk"
@@ -1936,15 +1934,15 @@ msgstr "期間は許可されていません"
 msgid "SSO auth closed"
 msgstr "SSO authは閉鎖されました"
 
-#: authentication/errors.py:300 authentication/mixins.py:372
+#: authentication/errors.py:300 authentication/mixins.py:305
 msgid "Your password is too simple, please change it for security"
 msgstr "パスワードがシンプルすぎるので、セキュリティのために変更してください"
 
-#: authentication/errors.py:309 authentication/mixins.py:379
+#: authentication/errors.py:309 authentication/mixins.py:312
 msgid "You should to change your password before login"
 msgstr "ログインする前にパスワードを変更する必要があります"
 
-#: authentication/errors.py:318 authentication/mixins.py:386
+#: authentication/errors.py:318 authentication/mixins.py:319
 msgid "Your password has expired, please reset before logging in"
 msgstr ""
 "パスワードの有効期限が切れました。ログインする前にリセットしてください。"
@@ -1965,23 +1963,23 @@ msgstr "SMSコードを入力してください"
 msgid "Phone not set"
 msgstr "電話が設定されていない"
 
-#: authentication/forms.py:35
+#: authentication/forms.py:45
 msgid "{} days auto login"
 msgstr "{} 日自動ログイン"
 
-#: authentication/forms.py:46
+#: authentication/forms.py:56
 msgid "MFA Code"
 msgstr "MFAコード"
 
-#: authentication/forms.py:47
+#: authentication/forms.py:57
 msgid "MFA type"
 msgstr "MFAタイプ"
 
-#: authentication/forms.py:60 users/forms/profile.py:27
+#: authentication/forms.py:70 users/forms/profile.py:28
 msgid "MFA code"
 msgstr "MFAコード"
 
-#: authentication/forms.py:62
+#: authentication/forms.py:72
 msgid "Dynamic code"
 msgstr "動的コード"
 
@@ -2037,11 +2035,11 @@ msgstr "電話番号を設定して有効にする"
 msgid "Clear phone number to disable"
 msgstr "無効にする電話番号をクリアする"
 
-#: authentication/mixins.py:322
+#: authentication/mixins.py:255
 msgid "The MFA type ({}) is not enabled"
 msgstr "MFAタイプ ({}) が有効になっていない"
 
-#: authentication/mixins.py:362
+#: authentication/mixins.py:295
 msgid "Please change your password"
 msgstr "パスワードを変更してください"
 
@@ -2134,13 +2132,13 @@ msgstr "表示"
 
 #: authentication/templates/authentication/_access_key_modal.html:66
 #: settings/serializers/security.py:39 users/models/user.py:556
-#: users/serializers/profile.py:111 users/templates/users/mfa_setting.html:61
+#: users/serializers/profile.py:114 users/templates/users/mfa_setting.html:61
 #: users/templates/users/user_verify_mfa.html:36
 msgid "Disable"
 msgstr "無効化"
 
 #: authentication/templates/authentication/_access_key_modal.html:67
-#: users/models/user.py:557 users/serializers/profile.py:112
+#: users/models/user.py:557 users/serializers/profile.py:115
 #: users/templates/users/mfa_setting.html:26
 #: users/templates/users/mfa_setting.html:68
 msgid "Enable"
@@ -2161,7 +2159,7 @@ msgid "Play CAPTCHA as audio file"
 msgstr "CAPTCHAをオーディオファイルとして再生する"
 
 #: authentication/templates/authentication/_captcha_field.html:15
-#: users/forms/profile.py:102
+#: users/forms/profile.py:103
 msgid "Captcha"
 msgstr "キャプチャ"
 
@@ -2279,23 +2277,23 @@ msgstr ""
 "公開鍵の更新が開始されなかった場合、アカウントにセキュリティ上の問題がある可"
 "能性があります"
 
-#: authentication/templates/authentication/login.html:173
+#: authentication/templates/authentication/login.html:174
 msgid "Welcome back, please enter username and password to login"
 msgstr ""
 "おかえりなさい、ログインするためにユーザー名とパスワードを入力してください"
 
-#: authentication/templates/authentication/login.html:209
+#: authentication/templates/authentication/login.html:210
 #: users/templates/users/forgot_password.html:15
 #: users/templates/users/forgot_password.html:16
 msgid "Forgot password"
 msgstr "パスワードを忘れた"
 
-#: authentication/templates/authentication/login.html:216
+#: authentication/templates/authentication/login.html:217
 #: templates/_header_bar.html:89
 msgid "Login"
 msgstr "ログイン"
 
-#: authentication/templates/authentication/login.html:223
+#: authentication/templates/authentication/login.html:224
 msgid "More login options"
 msgstr "その他のログインオプション"
 
@@ -2501,6 +2499,34 @@ msgstr "%(name)s は正常に更新されました"
 msgid "ugettext_lazy"
 msgstr "ugettext_lazy"
 
+#: common/db/fields.py:80
+msgid "Marshal dict data to char field"
+msgstr "チャーフィールドへのマーシャルディクトデータ"
+
+#: common/db/fields.py:84
+msgid "Marshal dict data to text field"
+msgstr "テキストフィールドへのマーシャルディクトデータ"
+
+#: common/db/fields.py:96
+msgid "Marshal list data to char field"
+msgstr "元帥リストデータをチャーフィールドに"
+
+#: common/db/fields.py:100
+msgid "Marshal list data to text field"
+msgstr "マーシャルリストデータをテキストフィールドに"
+
+#: common/db/fields.py:104
+msgid "Marshal data to char field"
+msgstr "チャーフィールドへのマーシャルデータ"
+
+#: common/db/fields.py:108
+msgid "Marshal data to text field"
+msgstr "テキストフィールドへのマーシャルデータ"
+
+#: common/db/fields.py:150
+msgid "Encrypt field using Secret Key"
+msgstr "Secret Keyを使用したフィールドの暗号化"
+
 #: common/db/models.py:112
 msgid "Updated by"
 msgstr "によって更新"
@@ -2546,34 +2572,6 @@ msgstr "このアクションでは、MFAの確認が必要です。"
 msgid "Unexpect error occur"
 msgstr "予期しないエラーが発生します"
 
-#: common/fields/model.py:80
-msgid "Marshal dict data to char field"
-msgstr "チャーフィールドへのマーシャルディクトデータ"
-
-#: common/fields/model.py:84
-msgid "Marshal dict data to text field"
-msgstr "テキストフィールドへのマーシャルディクトデータ"
-
-#: common/fields/model.py:96
-msgid "Marshal list data to char field"
-msgstr "元帥リストデータをチャーフィールドに"
-
-#: common/fields/model.py:100
-msgid "Marshal list data to text field"
-msgstr "マーシャルリストデータをテキストフィールドに"
-
-#: common/fields/model.py:104
-msgid "Marshal data to char field"
-msgstr "チャーフィールドへのマーシャルデータ"
-
-#: common/fields/model.py:108
-msgid "Marshal data to text field"
-msgstr "テキストフィールドへのマーシャルデータ"
-
-#: common/fields/model.py:150
-msgid "Encrypt field using Secret Key"
-msgstr "Secret Keyを使用したフィールドの暗号化"
-
 #: common/mixins/api/action.py:52
 msgid "Request file format may be wrong"
 msgstr "リクエストファイルの形式が間違っている可能性があります"
@@ -2586,15 +2584,15 @@ msgstr "は破棄されます"
 msgid "discard time"
 msgstr "時間を捨てる"
 
-#: common/mixins/views.py:41
+#: common/mixins/views.py:42
 msgid "Export all"
 msgstr "すべてエクスポート"
 
-#: common/mixins/views.py:43
+#: common/mixins/views.py:44
 msgid "Export only selected items"
 msgstr "選択項目のみエクスポート"
 
-#: common/mixins/views.py:48
+#: common/mixins/views.py:49
 #, python-format
 msgid "Export filtered: %s"
 msgstr "検索のエクスポート: %s"
@@ -2711,7 +2709,7 @@ msgstr ""
 msgid "Notifications"
 msgstr "通知"
 
-#: notifications/backends/__init__.py:10 users/forms/profile.py:101
+#: notifications/backends/__init__.py:10 users/forms/profile.py:102
 #: users/models/user.py:663
 msgid "Email"
 msgstr "メール"
@@ -2733,12 +2731,12 @@ msgid "App ops"
 msgstr "アプリ操作"
 
 #: ops/mixin.py:29 ops/mixin.py:92 ops/mixin.py:162
-#: settings/serializers/auth/ldap.py:69
+#: settings/serializers/auth/ldap.py:71
 msgid "Cycle perform"
 msgstr "サイクル実行"
 
 #: ops/mixin.py:33 ops/mixin.py:90 ops/mixin.py:109 ops/mixin.py:150
-#: settings/serializers/auth/ldap.py:66
+#: settings/serializers/auth/ldap.py:68
 msgid "Regularly perform"
 msgstr "定期的に実行する"
 
@@ -2928,7 +2926,7 @@ msgstr "アプリ組織"
 
 #: orgs/mixins/models.py:46 orgs/mixins/serializers.py:25 orgs/models.py:80
 #: orgs/models.py:211 rbac/const.py:7 rbac/models/rolebinding.py:48
-#: rbac/serializers/rolebinding.py:40 settings/serializers/auth/ldap.py:59
+#: rbac/serializers/rolebinding.py:40 settings/serializers/auth/ldap.py:61
 #: tickets/serializers/ticket/ticket.py:77
 msgid "Organization"
 msgstr "組織"
@@ -3134,15 +3132,15 @@ msgstr "質問があったら、管理者に連絡して下さい"
 msgid "My applications"
 msgstr "私のアプリケーション"
 
-#: rbac/api/role.py:33
+#: rbac/api/role.py:34
 msgid "Internal role, can't be destroy"
 msgstr "内部の役割は、破壊することはできません"
 
-#: rbac/api/role.py:37
+#: rbac/api/role.py:38
 msgid "The role has been bound to users, can't be destroy"
 msgstr "ロールはユーザーにバインドされており、破壊することはできません"
 
-#: rbac/api/role.py:44
+#: rbac/api/role.py:45
 msgid "Internal role, can't be update"
 msgstr "内部ロール、更新できません"
 
@@ -3245,7 +3243,7 @@ msgstr "組織の役割バインディング"
 msgid "System role binding"
 msgstr "システムロールバインディング"
 
-#: rbac/serializers/permission.py:26 users/serializers/profile.py:127
+#: rbac/serializers/permission.py:26 users/serializers/profile.py:130
 msgid "Perms"
 msgstr "パーマ"
 
@@ -3507,40 +3505,40 @@ msgstr "ピン認証の有効化"
 msgid "Enable FeiShu Auth"
 msgstr "飛本認証の有効化"
 
-#: settings/serializers/auth/ldap.py:38
+#: settings/serializers/auth/ldap.py:40
 msgid "LDAP server"
 msgstr "LDAPサーバー"
 
-#: settings/serializers/auth/ldap.py:39
+#: settings/serializers/auth/ldap.py:41
 msgid "eg: ldap://localhost:389"
 msgstr "例: ldap://localhost:389"
 
-#: settings/serializers/auth/ldap.py:41
+#: settings/serializers/auth/ldap.py:43
 msgid "Bind DN"
 msgstr "DN のバインド"
 
-#: settings/serializers/auth/ldap.py:46
+#: settings/serializers/auth/ldap.py:48
 msgid "User OU"
 msgstr "ユーザー OU"
 
-#: settings/serializers/auth/ldap.py:47
+#: settings/serializers/auth/ldap.py:49
 msgid "Use | split multi OUs"
 msgstr "使用 | splitマルチ OU"
 
-#: settings/serializers/auth/ldap.py:50
+#: settings/serializers/auth/ldap.py:52
 msgid "User search filter"
 msgstr "ユーザー検索フィルター"
 
-#: settings/serializers/auth/ldap.py:51
+#: settings/serializers/auth/ldap.py:53
 #, python-format
 msgid "Choice may be (cn|uid|sAMAccountName)=%(user)s)"
 msgstr "選択は (cnまたはuidまたはsAMAccountName)=%(user)s)"
 
-#: settings/serializers/auth/ldap.py:54
+#: settings/serializers/auth/ldap.py:56
 msgid "User attr map"
 msgstr "ユーザー属性マッピング"
 
-#: settings/serializers/auth/ldap.py:55
+#: settings/serializers/auth/ldap.py:57
 msgid ""
 "User attr map present how to map LDAP user attr to jumpserver, username,name,"
 "email is jumpserver attr"
@@ -3548,15 +3546,15 @@ msgstr ""
 "ユーザー属性マッピングは、LDAPのユーザー属性をjumpserverユーザーにマッピング"
 "する方法、username, name,emailはjumpserverのユーザーが必要とする属性です"
 
-#: settings/serializers/auth/ldap.py:73
+#: settings/serializers/auth/ldap.py:75
 msgid "Connect timeout"
 msgstr "接続タイムアウト"
 
-#: settings/serializers/auth/ldap.py:75
+#: settings/serializers/auth/ldap.py:77
 msgid "Search paged size"
 msgstr "ページサイズを検索"
 
-#: settings/serializers/auth/ldap.py:77
+#: settings/serializers/auth/ldap.py:79
 msgid "Enable LDAP auth"
 msgstr "LDAP認証の有効化"
 
@@ -4420,7 +4418,7 @@ msgstr "ドキュメント"
 msgid "Commercial support"
 msgstr "商用サポート"
 
-#: templates/_header_bar.html:76 users/forms/profile.py:43
+#: templates/_header_bar.html:76 users/forms/profile.py:44
 msgid "Profile"
 msgstr "プロフィール"
 
@@ -4883,15 +4881,15 @@ msgstr "スレッド"
 msgid "Boot Time"
 msgstr "ブート時間"
 
-#: terminal/models/storage.py:26
+#: terminal/models/storage.py:27
 msgid "Default storage"
 msgstr "デフォルトのストレージ"
 
-#: terminal/models/storage.py:130 terminal/models/terminal.py:108
+#: terminal/models/storage.py:135 terminal/models/terminal.py:108
 msgid "Command storage"
 msgstr "コマンドストレージ"
 
-#: terminal/models/storage.py:190 terminal/models/terminal.py:109
+#: terminal/models/storage.py:195 terminal/models/terminal.py:109
 msgid "Replay storage"
 msgstr "再生ストレージ"
 
@@ -5016,18 +5014,14 @@ msgid "Whether to create an index by date"
 msgstr "現在の日付に基づいてインデックスを動的に作成するかどうか"
 
 #: terminal/serializers/storage.py:163
-msgid "Index prefix"
-msgstr "インデックス接頭辞"
-
-#: terminal/serializers/storage.py:166
 msgid "Index"
 msgstr "インデックス"
 
-#: terminal/serializers/storage.py:168
+#: terminal/serializers/storage.py:165
 msgid "Doc type"
 msgstr "Docタイプ"
 
-#: terminal/serializers/storage.py:170
+#: terminal/serializers/storage.py:167
 msgid "Ignore Certificate Verification"
 msgstr "証明書の検証を無視する"
 
@@ -5489,17 +5483,19 @@ msgid "Ticket information"
 msgstr "作業指示情報"
 
 #: tickets/templates/tickets/approve_check_password.html:19
-#, fuzzy
-#| msgid "Ticket flow approval rule"
+#: tickets/views/approve.py:25
 msgid "Ticket approval"
 msgstr "作業指示の承認"
 
 #: tickets/templates/tickets/approve_check_password.html:35
-#: tickets/views/approve.py:25
 msgid "Ticket direct approval"
 msgstr "作業指示の直接承認"
 
-#: tickets/templates/tickets/approve_check_password.html:40
+#: tickets/templates/tickets/approve_check_password.html:39
+msgid "Ticket direct reject"
+msgstr "作業指示の直接却下"
+
+#: tickets/templates/tickets/approve_check_password.html:44
 msgid "Go Login"
 msgstr "ログイン"
 
@@ -5511,14 +5507,18 @@ msgstr ""
 "なっています"
 
 #: tickets/views/approve.py:55
-msgid "Click the button to approve directly"
-msgstr "ボタンをクリックすると、直接承認に成功します。"
+msgid "Click the button below to approve or reject"
+msgstr "下のボタンをクリックして同意または拒否。"
 
 #: tickets/views/approve.py:57
 msgid "After successful authentication, this ticket can be approved directly"
 msgstr "認証に成功した後、作業指示書は直接承認することができる。"
 
-#: tickets/views/approve.py:84
+#: tickets/views/approve.py:79
+msgid "Illegal approval action"
+msgstr "無効な承認アクション"
+
+#: tickets/views/approve.py:89
 msgid "This user is not authorized to approve this ticket"
 msgstr "このユーザーはこの作業指示を承認する権限がありません"
 
@@ -5558,7 +5558,7 @@ msgstr "MFAが有効化されていません"
 msgid "MFA method not support"
 msgstr "MFAメソッドはサポートしていません"
 
-#: users/forms/profile.py:49
+#: users/forms/profile.py:50
 msgid ""
 "When enabled, you will enter the MFA binding process the next time you log "
 "in. you can also directly bind in \"personal information -> quick "
@@ -5567,11 +5567,11 @@ msgstr ""
 "有効にすると、次回のログイン時にマルチファクタ認証バインドプロセスに入りま"
 "す。(個人情報->クイック修正->MFAマルチファクタ認証の設定)で直接バインド!"
 
-#: users/forms/profile.py:60
+#: users/forms/profile.py:61
 msgid "* Enable MFA to make the account more secure."
 msgstr "* アカウントをより安全にするためにMFAを有効にします。"
 
-#: users/forms/profile.py:69
+#: users/forms/profile.py:70
 msgid ""
 "In order to protect you and your company, please keep your account, password "
 "and key sensitive information properly. (for example: setting complex "
@@ -5580,56 +5580,56 @@ msgstr ""
 "あなたとあなたの会社を保護するために、アカウント、パスワード、キーの機密情報"
 "を適切に保管してください。(例: 複雑なパスワードの設定、MFAの有効化)"
 
-#: users/forms/profile.py:76
+#: users/forms/profile.py:77
 msgid "Finish"
 msgstr "仕上げ"
 
-#: users/forms/profile.py:83
+#: users/forms/profile.py:84
 msgid "New password"
 msgstr "新しいパスワード"
 
-#: users/forms/profile.py:88
+#: users/forms/profile.py:89
 msgid "Confirm password"
 msgstr "パスワードの確認"
 
-#: users/forms/profile.py:96
+#: users/forms/profile.py:97
 msgid "Password does not match"
 msgstr "パスワードが一致しない"
 
-#: users/forms/profile.py:108
+#: users/forms/profile.py:109
 msgid "Old password"
 msgstr "古いパスワード"
 
-#: users/forms/profile.py:118
+#: users/forms/profile.py:119
 msgid "Old password error"
 msgstr "古いパスワードエラー"
 
-#: users/forms/profile.py:128
+#: users/forms/profile.py:129
 msgid "Automatically configure and download the SSH key"
 msgstr "SSHキーの自動設定とダウンロード"
 
-#: users/forms/profile.py:130
+#: users/forms/profile.py:131
 msgid "ssh public key"
 msgstr "ssh公開キー"
 
-#: users/forms/profile.py:131
+#: users/forms/profile.py:132
 msgid "ssh-rsa AAAA..."
 msgstr "ssh-rsa AAAA.."
 
-#: users/forms/profile.py:132
+#: users/forms/profile.py:133
 msgid "Paste your id_rsa.pub here."
 msgstr "ここにid_rsa.pubを貼り付けます。"
 
-#: users/forms/profile.py:145
+#: users/forms/profile.py:146
 msgid "Public key should not be the same as your old one."
 msgstr "公開鍵は古いものと同じであってはなりません。"
 
-#: users/forms/profile.py:149 users/serializers/profile.py:95
-#: users/serializers/profile.py:178 users/serializers/profile.py:205
+#: users/forms/profile.py:150 users/serializers/profile.py:98
+#: users/serializers/profile.py:181 users/serializers/profile.py:208
 msgid "Not a valid ssh public key"
 msgstr "有効なssh公開鍵ではありません"
 
-#: users/forms/profile.py:160 users/models/user.py:692
+#: users/forms/profile.py:161 users/models/user.py:692
 msgid "Public key"
 msgstr "公開キー"
 
@@ -5724,23 +5724,23 @@ msgstr "SSHキーのリセット"
 msgid "Reset MFA"
 msgstr "MFAのリセット"
 
-#: users/serializers/profile.py:29
+#: users/serializers/profile.py:30
 msgid "The old password is incorrect"
 msgstr "古いパスワードが正しくありません"
 
-#: users/serializers/profile.py:36 users/serializers/profile.py:192
+#: users/serializers/profile.py:37 users/serializers/profile.py:195
 msgid "Password does not match security rules"
 msgstr "パスワードがセキュリティルールと一致しない"
 
-#: users/serializers/profile.py:40
+#: users/serializers/profile.py:41
 msgid "The new password cannot be the last {} passwords"
 msgstr "新しいパスワードを最後の {} 個のパスワードにすることはできません"
 
-#: users/serializers/profile.py:46 users/serializers/profile.py:66
+#: users/serializers/profile.py:49 users/serializers/profile.py:69
 msgid "The newly set password is inconsistent"
 msgstr "新しく設定されたパスワードが一致しない"
 
-#: users/serializers/profile.py:144 users/serializers/user.py:140
+#: users/serializers/profile.py:147 users/serializers/user.py:140
 msgid "Is first login"
 msgstr "最初のログインです"
 
@@ -6773,11 +6773,11 @@ msgstr "ログアウトページのロゴ"
 msgid "Interface setting"
 msgstr "インターフェイスの設定"
 
-#: xpack/plugins/license/api.py:43
+#: xpack/plugins/license/api.py:50
 msgid "License import successfully"
 msgstr "ライセンスのインポートに成功"
 
-#: xpack/plugins/license/api.py:44
+#: xpack/plugins/license/api.py:51
 msgid "License is invalid"
 msgstr "ライセンスが無効です"
 
diff --git a/apps/locale/zh/LC_MESSAGES/django.po b/apps/locale/zh/LC_MESSAGES/django.po
index ad6b041be..daa3e5df9 100644
--- a/apps/locale/zh/LC_MESSAGES/django.po
+++ b/apps/locale/zh/LC_MESSAGES/django.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: JumpServer 0.3.3\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-05-05 13:03+0800\n"
+"POT-Creation-Date: 2022-05-10 10:45+0800\n"
 "PO-Revision-Date: 2021-05-20 10:54+0800\n"
 "Last-Translator: ibuler <ibuler@qq.com>\n"
 "Language-Team: JumpServer team<ibuler@qq.com>\n"
@@ -29,8 +29,8 @@ msgstr "访问控制"
 #: orgs/models.py:65 perms/models/base.py:83 rbac/models/role.py:29
 #: settings/models.py:29 settings/serializers/sms.py:6
 #: terminal/models/endpoint.py:10 terminal/models/endpoint.py:58
-#: terminal/models/storage.py:24 terminal/models/task.py:16
-#: terminal/models/terminal.py:100 users/forms/profile.py:32
+#: terminal/models/storage.py:25 terminal/models/task.py:16
+#: terminal/models/terminal.py:100 users/forms/profile.py:33
 #: users/models/group.py:15 users/models/user.py:661
 #: xpack/plugins/cloud/models.py:28
 msgid "Name"
@@ -61,7 +61,7 @@ msgstr "激活中"
 #: assets/models/label.py:23 ops/models/adhoc.py:38 orgs/models.py:68
 #: perms/models/base.py:93 rbac/models/role.py:37 settings/models.py:34
 #: terminal/models/endpoint.py:20 terminal/models/endpoint.py:68
-#: terminal/models/storage.py:27 terminal/models/terminal.py:114
+#: terminal/models/storage.py:28 terminal/models/terminal.py:114
 #: tickets/models/comment.py:24 tickets/models/ticket.py:154
 #: users/models/group.py:16 users/models/user.py:698
 #: xpack/plugins/change_auth_plan/models/base.py:44
@@ -152,11 +152,11 @@ msgstr "格式为逗号分隔的字符串, * 表示匹配所有. "
 #: acls/serializers/login_acl.py:15 acls/serializers/login_asset_acl.py:17
 #: acls/serializers/login_asset_acl.py:51 assets/models/base.py:176
 #: assets/models/gathered_user.py:15 audits/models.py:121
-#: authentication/forms.py:15 authentication/forms.py:17
+#: authentication/forms.py:25 authentication/forms.py:27
 #: authentication/models.py:69
 #: authentication/templates/authentication/_msg_different_city.html:9
 #: authentication/templates/authentication/_msg_oauth_bind.html:9
-#: ops/models/adhoc.py:159 users/forms/profile.py:31 users/models/user.py:659
+#: ops/models/adhoc.py:159 users/forms/profile.py:32 users/models/user.py:659
 #: users/templates/users/_msg_user_created.html:12
 #: xpack/plugins/change_auth_plan/models/asset.py:34
 #: xpack/plugins/change_auth_plan/models/asset.py:195
@@ -300,7 +300,7 @@ msgstr "类别"
 #: assets/models/cmd_filter.py:82 assets/models/user.py:246
 #: perms/models/application_permission.py:24
 #: perms/serializers/application/user_permission.py:34
-#: terminal/models/storage.py:56 terminal/models/storage.py:136
+#: terminal/models/storage.py:57 terminal/models/storage.py:141
 #: tickets/models/flow.py:56 tickets/models/ticket.py:131
 #: tickets/serializers/ticket/meta/ticket_type/apply_application.py:29
 #: xpack/plugins/change_auth_plan/models/app.py:28
@@ -752,9 +752,9 @@ msgid "Date verified"
 msgstr "校验日期"
 
 #: assets/models/base.py:177 audits/signal_handlers.py:48
-#: authentication/forms.py:22
-#: authentication/templates/authentication/login.html:181
-#: settings/serializers/auth/ldap.py:43 users/forms/profile.py:21
+#: authentication/forms.py:32
+#: authentication/templates/authentication/login.html:182
+#: settings/serializers/auth/ldap.py:45 users/forms/profile.py:22
 #: users/templates/users/_msg_user_created.html:13
 #: users/templates/users/user_password_verify.html:18
 #: xpack/plugins/change_auth_plan/models/base.py:42
@@ -1100,7 +1100,7 @@ msgid "Actions"
 msgstr "动作"
 
 #: assets/serializers/backup.py:31 ops/mixin.py:106 ops/mixin.py:147
-#: settings/serializers/auth/ldap.py:62
+#: settings/serializers/auth/ldap.py:64
 #: xpack/plugins/change_auth_plan/serializers/base.py:42
 msgid "Periodic perform"
 msgstr "定时执行"
@@ -1110,11 +1110,11 @@ msgstr "定时执行"
 msgid "Currently only mail sending is supported"
 msgstr "当前只支持邮件发送"
 
-#: assets/serializers/base.py:36
+#: assets/serializers/base.py:39
 msgid "Key password"
 msgstr "密钥密码"
 
-#: assets/serializers/base.py:49
+#: assets/serializers/base.py:52
 msgid "private key invalid or passphrase error"
 msgstr "密钥不合法或密钥密码错误"
 
@@ -1301,11 +1301,11 @@ msgstr "推送系统用户到平台: [{}]"
 msgid "Hosts count: {}"
 msgstr "主机数量: {}"
 
-#: assets/tasks/push_system_user.py:259 assets/tasks/push_system_user.py:292
+#: assets/tasks/push_system_user.py:263 assets/tasks/push_system_user.py:296
 msgid "Push system users to assets: "
 msgstr "推送系统用户到入资产: "
 
-#: assets/tasks/push_system_user.py:271
+#: assets/tasks/push_system_user.py:275
 msgid "Push system users to asset: "
 msgstr "推送系统用户到入资产: "
 
@@ -1389,8 +1389,8 @@ msgstr "操作"
 msgid "Filename"
 msgstr "文件名"
 
-#: audits/models.py:43 audits/models.py:115 terminal/models/sharing.py:90
-#: tickets/views/approve.py:93
+#: audits/models.py:43 audits/models.py:117 terminal/models/sharing.py:90
+#: tickets/views/approve.py:98
 #: xpack/plugins/change_auth_plan/serializers/app.py:87
 #: xpack/plugins/change_auth_plan/serializers/asset.py:197
 msgid "Success"
@@ -1406,7 +1406,11 @@ msgstr "文件管理"
 msgid "Create"
 msgstr "创建"
 
-#: audits/models.py:56 rbac/tree.py:227 templates/_csv_import_export.html:18
+#: audits/models.py:57 rbac/tree.py:226
+msgid "View"
+msgstr "查看"
+
+#: audits/models.py:58 rbac/tree.py:227 templates/_csv_import_export.html:18
 #: templates/_csv_update_modal.html:6
 msgid "Update"
 msgstr "更新"
@@ -1469,8 +1473,8 @@ msgstr "用户代理"
 
 #: audits/models.py:126
 #: authentication/templates/authentication/_mfa_confirm_modal.html:14
-#: users/forms/profile.py:64 users/models/user.py:684
-#: users/serializers/profile.py:121
+#: users/forms/profile.py:65 users/models/user.py:684
+#: users/serializers/profile.py:124
 msgid "MFA"
 msgstr "MFA"
 
@@ -1545,13 +1549,13 @@ msgstr "SSO"
 msgid "Auth Token"
 msgstr "认证令牌"
 
-#: audits/signal_handlers.py:71 authentication/notifications.py:73
+#: audits/signal_handlers.py:51 authentication/notifications.py:73
 #: authentication/views/login.py:164 authentication/views/wecom.py:182
 #: notifications/backends/__init__.py:11 users/models/user.py:720
 msgid "WeCom"
 msgstr "企业微信"
 
-#: audits/signal_handlers.py:72 authentication/views/dingtalk.py:183
+#: audits/signal_handlers.py:52 authentication/views/dingtalk.py:183
 #: authentication/views/login.py:170 notifications/backends/__init__.py:12
 #: users/models/user.py:721
 msgid "DingTalk"
@@ -1910,15 +1914,15 @@ msgstr "该 时间段 不被允许登录"
 msgid "SSO auth closed"
 msgstr "SSO 认证关闭了"
 
-#: authentication/errors.py:300 authentication/mixins.py:372
+#: authentication/errors.py:300 authentication/mixins.py:305
 msgid "Your password is too simple, please change it for security"
 msgstr "你的密码过于简单，为了安全，请修改"
 
-#: authentication/errors.py:309 authentication/mixins.py:379
+#: authentication/errors.py:309 authentication/mixins.py:312
 msgid "You should to change your password before login"
 msgstr "登录完成前，请先修改密码"
 
-#: authentication/errors.py:318 authentication/mixins.py:386
+#: authentication/errors.py:318 authentication/mixins.py:319
 msgid "Your password has expired, please reset before logging in"
 msgstr "您的密码已过期，先修改再登录"
 
@@ -1938,23 +1942,23 @@ msgstr "请输入短信验证码"
 msgid "Phone not set"
 msgstr "手机号没有设置"
 
-#: authentication/forms.py:35
+#: authentication/forms.py:45
 msgid "{} days auto login"
 msgstr "{} 天内自动登录"
 
-#: authentication/forms.py:46
+#: authentication/forms.py:56
 msgid "MFA Code"
 msgstr "MFA 验证码"
 
-#: authentication/forms.py:47
+#: authentication/forms.py:57
 msgid "MFA type"
 msgstr "MFA 类型"
 
-#: authentication/forms.py:60 users/forms/profile.py:27
+#: authentication/forms.py:70 users/forms/profile.py:28
 msgid "MFA code"
 msgstr "MFA 验证码"
 
-#: authentication/forms.py:62
+#: authentication/forms.py:72
 msgid "Dynamic code"
 msgstr "动态码"
 
@@ -2010,11 +2014,11 @@ msgstr "设置手机号码启用"
 msgid "Clear phone number to disable"
 msgstr "清空手机号码禁用"
 
-#: authentication/mixins.py:322
+#: authentication/mixins.py:255
 msgid "The MFA type ({}) is not enabled"
 msgstr "该 MFA ({}) 方式没有启用"
 
-#: authentication/mixins.py:362
+#: authentication/mixins.py:295
 msgid "Please change your password"
 msgstr "请修改密码"
 
@@ -2107,13 +2111,13 @@ msgstr "显示"
 
 #: authentication/templates/authentication/_access_key_modal.html:66
 #: settings/serializers/security.py:39 users/models/user.py:556
-#: users/serializers/profile.py:111 users/templates/users/mfa_setting.html:61
+#: users/serializers/profile.py:114 users/templates/users/mfa_setting.html:61
 #: users/templates/users/user_verify_mfa.html:36
 msgid "Disable"
 msgstr "禁用"
 
 #: authentication/templates/authentication/_access_key_modal.html:67
-#: users/models/user.py:557 users/serializers/profile.py:112
+#: users/models/user.py:557 users/serializers/profile.py:115
 #: users/templates/users/mfa_setting.html:26
 #: users/templates/users/mfa_setting.html:68
 msgid "Enable"
@@ -2134,7 +2138,7 @@ msgid "Play CAPTCHA as audio file"
 msgstr "语言播放验证码"
 
 #: authentication/templates/authentication/_captcha_field.html:15
-#: users/forms/profile.py:102
+#: users/forms/profile.py:103
 msgid "Captcha"
 msgstr "验证码"
 
@@ -2244,22 +2248,22 @@ msgid ""
 "security issues"
 msgstr "如果这次公钥更新不是由你发起的，那么你的账号可能存在安全问题"
 
-#: authentication/templates/authentication/login.html:173
+#: authentication/templates/authentication/login.html:174
 msgid "Welcome back, please enter username and password to login"
 msgstr "欢迎回来，请输入用户名和密码登录"
 
-#: authentication/templates/authentication/login.html:209
+#: authentication/templates/authentication/login.html:210
 #: users/templates/users/forgot_password.html:15
 #: users/templates/users/forgot_password.html:16
 msgid "Forgot password"
 msgstr "忘记密码"
 
-#: authentication/templates/authentication/login.html:216
+#: authentication/templates/authentication/login.html:217
 #: templates/_header_bar.html:89
 msgid "Login"
 msgstr "登录"
 
-#: authentication/templates/authentication/login.html:223
+#: authentication/templates/authentication/login.html:224
 msgid "More login options"
 msgstr "更多登录方式"
 
@@ -2465,6 +2469,34 @@ msgstr "%(name)s 更新成功"
 msgid "ugettext_lazy"
 msgstr "ugettext_lazy"
 
+#: common/db/fields.py:80
+msgid "Marshal dict data to char field"
+msgstr "编码 dict 为 char"
+
+#: common/db/fields.py:84
+msgid "Marshal dict data to text field"
+msgstr "编码 dict 为 text"
+
+#: common/db/fields.py:96
+msgid "Marshal list data to char field"
+msgstr "编码 list 为 char"
+
+#: common/db/fields.py:100
+msgid "Marshal list data to text field"
+msgstr "编码 list 为 text"
+
+#: common/db/fields.py:104
+msgid "Marshal data to char field"
+msgstr "编码数据为 char"
+
+#: common/db/fields.py:108
+msgid "Marshal data to text field"
+msgstr "编码数据为 text"
+
+#: common/db/fields.py:150
+msgid "Encrypt field using Secret Key"
+msgstr "加密的字段"
+
 #: common/db/models.py:112
 msgid "Updated by"
 msgstr "更新人"
@@ -2510,34 +2542,6 @@ msgstr "这个操作需要验证 MFA"
 msgid "Unexpect error occur"
 msgstr "发生意外错误"
 
-#: common/fields/model.py:80
-msgid "Marshal dict data to char field"
-msgstr "编码 dict 为 char"
-
-#: common/fields/model.py:84
-msgid "Marshal dict data to text field"
-msgstr "编码 dict 为 text"
-
-#: common/fields/model.py:96
-msgid "Marshal list data to char field"
-msgstr "编码 list 为 char"
-
-#: common/fields/model.py:100
-msgid "Marshal list data to text field"
-msgstr "编码 list 为 text"
-
-#: common/fields/model.py:104
-msgid "Marshal data to char field"
-msgstr "编码数据为 char"
-
-#: common/fields/model.py:108
-msgid "Marshal data to text field"
-msgstr "编码数据为 text"
-
-#: common/fields/model.py:150
-msgid "Encrypt field using Secret Key"
-msgstr "加密的字段"
-
 #: common/mixins/api/action.py:52
 msgid "Request file format may be wrong"
 msgstr "上传的文件格式错误 或 其它类型资源的文件"
@@ -2550,15 +2554,15 @@ msgstr "忽略的"
 msgid "discard time"
 msgstr "忽略时间"
 
-#: common/mixins/views.py:41
+#: common/mixins/views.py:42
 msgid "Export all"
 msgstr "导出所有"
 
-#: common/mixins/views.py:43
+#: common/mixins/views.py:44
 msgid "Export only selected items"
 msgstr "仅导出选择项"
 
-#: common/mixins/views.py:48
+#: common/mixins/views.py:49
 #, python-format
 msgid "Export filtered: %s"
 msgstr "导出搜素: %s"
@@ -2670,7 +2674,7 @@ msgstr ""
 msgid "Notifications"
 msgstr "通知"
 
-#: notifications/backends/__init__.py:10 users/forms/profile.py:101
+#: notifications/backends/__init__.py:10 users/forms/profile.py:102
 #: users/models/user.py:663
 msgid "Email"
 msgstr "邮件"
@@ -2692,12 +2696,12 @@ msgid "App ops"
 msgstr "作业中心"
 
 #: ops/mixin.py:29 ops/mixin.py:92 ops/mixin.py:162
-#: settings/serializers/auth/ldap.py:69
+#: settings/serializers/auth/ldap.py:71
 msgid "Cycle perform"
 msgstr "周期执行"
 
 #: ops/mixin.py:33 ops/mixin.py:90 ops/mixin.py:109 ops/mixin.py:150
-#: settings/serializers/auth/ldap.py:66
+#: settings/serializers/auth/ldap.py:68
 msgid "Regularly perform"
 msgstr "定期执行"
 
@@ -2886,7 +2890,7 @@ msgstr "组织管理"
 
 #: orgs/mixins/models.py:46 orgs/mixins/serializers.py:25 orgs/models.py:80
 #: orgs/models.py:211 rbac/const.py:7 rbac/models/rolebinding.py:48
-#: rbac/serializers/rolebinding.py:40 settings/serializers/auth/ldap.py:59
+#: rbac/serializers/rolebinding.py:40 settings/serializers/auth/ldap.py:61
 #: tickets/serializers/ticket/ticket.py:77
 msgid "Organization"
 msgstr "组织"
@@ -3090,15 +3094,15 @@ msgstr "如果有疑问或需求，请联系系统管理员"
 msgid "My applications"
 msgstr "我的应用"
 
-#: rbac/api/role.py:33
+#: rbac/api/role.py:34
 msgid "Internal role, can't be destroy"
 msgstr "内部角色，不能删除"
 
-#: rbac/api/role.py:37
+#: rbac/api/role.py:38
 msgid "The role has been bound to users, can't be destroy"
 msgstr "角色已绑定用户，不能删除"
 
-#: rbac/api/role.py:44
+#: rbac/api/role.py:45
 msgid "Internal role, can't be update"
 msgstr "内部角色，不能更新"
 
@@ -3200,7 +3204,7 @@ msgstr "组织角色绑定"
 msgid "System role binding"
 msgstr "系统角色绑定"
 
-#: rbac/serializers/permission.py:26 users/serializers/profile.py:127
+#: rbac/serializers/permission.py:26 users/serializers/profile.py:130
 msgid "Perms"
 msgstr "权限"
 
@@ -3304,10 +3308,6 @@ msgstr "查看授权树"
 msgid "Execute batch command"
 msgstr "执行批量命令"
 
-#: rbac/tree.py:226
-msgid "View"
-msgstr "查看"
-
 #: settings/api/alibaba_sms.py:31 settings/api/tencent_sms.py:35
 msgid "test_phone is required"
 msgstr "测试手机号 该字段是必填项。"
@@ -3466,40 +3466,40 @@ msgstr "启用钉钉认证"
 msgid "Enable FeiShu Auth"
 msgstr "启用飞书认证"
 
-#: settings/serializers/auth/ldap.py:38
+#: settings/serializers/auth/ldap.py:40
 msgid "LDAP server"
 msgstr "LDAP 地址"
 
-#: settings/serializers/auth/ldap.py:39
+#: settings/serializers/auth/ldap.py:41
 msgid "eg: ldap://localhost:389"
 msgstr "如: ldap://localhost:389"
 
-#: settings/serializers/auth/ldap.py:41
+#: settings/serializers/auth/ldap.py:43
 msgid "Bind DN"
 msgstr "绑定 DN"
 
-#: settings/serializers/auth/ldap.py:46
+#: settings/serializers/auth/ldap.py:48
 msgid "User OU"
 msgstr "用户 OU"
 
-#: settings/serializers/auth/ldap.py:47
+#: settings/serializers/auth/ldap.py:49
 msgid "Use | split multi OUs"
 msgstr "多个 OU 使用 | 分割"
 
-#: settings/serializers/auth/ldap.py:50
+#: settings/serializers/auth/ldap.py:52
 msgid "User search filter"
 msgstr "用户过滤器"
 
-#: settings/serializers/auth/ldap.py:51
+#: settings/serializers/auth/ldap.py:53
 #, python-format
 msgid "Choice may be (cn|uid|sAMAccountName)=%(user)s)"
 msgstr "可能的选项是(cn或uid或sAMAccountName=%(user)s)"
 
-#: settings/serializers/auth/ldap.py:54
+#: settings/serializers/auth/ldap.py:56
 msgid "User attr map"
 msgstr "用户属性映射"
 
-#: settings/serializers/auth/ldap.py:55
+#: settings/serializers/auth/ldap.py:57
 msgid ""
 "User attr map present how to map LDAP user attr to jumpserver, username,name,"
 "email is jumpserver attr"
@@ -3507,15 +3507,15 @@ msgstr ""
 "用户属性映射代表怎样将LDAP中用户属性映射到jumpserver用户上，username, name,"
 "email 是jumpserver的用户需要属性"
 
-#: settings/serializers/auth/ldap.py:73
+#: settings/serializers/auth/ldap.py:75
 msgid "Connect timeout"
 msgstr "连接超时时间"
 
-#: settings/serializers/auth/ldap.py:75
+#: settings/serializers/auth/ldap.py:77
 msgid "Search paged size"
 msgstr "搜索分页数量"
 
-#: settings/serializers/auth/ldap.py:77
+#: settings/serializers/auth/ldap.py:79
 msgid "Enable LDAP auth"
 msgstr "启用 LDAP 认证"
 
@@ -4352,7 +4352,7 @@ msgstr "文档"
 msgid "Commercial support"
 msgstr "商业支持"
 
-#: templates/_header_bar.html:76 users/forms/profile.py:43
+#: templates/_header_bar.html:76 users/forms/profile.py:44
 msgid "Profile"
 msgstr "个人信息"
 
@@ -4809,15 +4809,15 @@ msgstr "线程数"
 msgid "Boot Time"
 msgstr "运行时间"
 
-#: terminal/models/storage.py:26
+#: terminal/models/storage.py:27
 msgid "Default storage"
 msgstr "默认存储"
 
-#: terminal/models/storage.py:130 terminal/models/terminal.py:108
+#: terminal/models/storage.py:135 terminal/models/terminal.py:108
 msgid "Command storage"
 msgstr "命令存储"
 
-#: terminal/models/storage.py:190 terminal/models/terminal.py:109
+#: terminal/models/storage.py:195 terminal/models/terminal.py:109
 msgid "Replay storage"
 msgstr "录像存储"
 
@@ -4942,18 +4942,14 @@ msgid "Whether to create an index by date"
 msgstr "是否根据日期动态建立索引"
 
 #: terminal/serializers/storage.py:163
-msgid "Index prefix"
-msgstr "索引前缀"
-
-#: terminal/serializers/storage.py:166
 msgid "Index"
 msgstr "索引"
 
-#: terminal/serializers/storage.py:168
+#: terminal/serializers/storage.py:165
 msgid "Doc type"
 msgstr "文档类型"
 
-#: terminal/serializers/storage.py:170
+#: terminal/serializers/storage.py:167
 msgid "Ignore Certificate Verification"
 msgstr "忽略证书认证"
 
@@ -5411,15 +5407,19 @@ msgid "Ticket information"
 msgstr "工单信息"
 
 #: tickets/templates/tickets/approve_check_password.html:19
+#: tickets/views/approve.py:25
 msgid "Ticket approval"
 msgstr "工单审批"
 
 #: tickets/templates/tickets/approve_check_password.html:35
-#: tickets/views/approve.py:25
 msgid "Ticket direct approval"
 msgstr "工单直接审批"
 
-#: tickets/templates/tickets/approve_check_password.html:40
+#: tickets/templates/tickets/approve_check_password.html:39
+msgid "Ticket direct reject"
+msgstr "工单直接拒绝"
+
+#: tickets/templates/tickets/approve_check_password.html:44
 msgid "Go Login"
 msgstr "去登录"
 
@@ -5429,14 +5429,18 @@ msgid ""
 msgstr "工单不存在，或者工单流程已经结束，或者此链接已经过期"
 
 #: tickets/views/approve.py:55
-msgid "Click the button to approve directly"
-msgstr "点击按钮，即可直接审批成功"
+msgid "Click the button below to approve or reject"
+msgstr "点击下方按钮同意或者拒绝"
 
 #: tickets/views/approve.py:57
 msgid "After successful authentication, this ticket can be approved directly"
 msgstr "认证成功后，工单可直接审批"
 
-#: tickets/views/approve.py:84
+#: tickets/views/approve.py:79
+msgid "Illegal approval action"
+msgstr "无效的审批动作"
+
+#: tickets/views/approve.py:89
 msgid "This user is not authorized to approve this ticket"
 msgstr "此用户无权审批此工单"
 
@@ -5476,7 +5480,7 @@ msgstr "MFA 多因子认证没有开启"
 msgid "MFA method not support"
 msgstr "不支持该 MFA 方式"
 
-#: users/forms/profile.py:49
+#: users/forms/profile.py:50
 msgid ""
 "When enabled, you will enter the MFA binding process the next time you log "
 "in. you can also directly bind in \"personal information -> quick "
@@ -5485,11 +5489,11 @@ msgstr ""
 "启用之后您将会在下次登录时进入多因子认证绑定流程；您也可以在（个人信息->快速"
 "修改->设置 MFA 多因子认证）中直接绑定！"
 
-#: users/forms/profile.py:60
+#: users/forms/profile.py:61
 msgid "* Enable MFA to make the account more secure."
 msgstr "* 启用 MFA 多因子认证，使账号更加安全。"
 
-#: users/forms/profile.py:69
+#: users/forms/profile.py:70
 msgid ""
 "In order to protect you and your company, please keep your account, password "
 "and key sensitive information properly. (for example: setting complex "
@@ -5498,56 +5502,56 @@ msgstr ""
 "为了保护您和公司的安全，请妥善保管您的账号、密码和密钥等重要敏感信息；（如："
 "设置复杂密码，并启用 MFA 多因子认证）"
 
-#: users/forms/profile.py:76
+#: users/forms/profile.py:77
 msgid "Finish"
 msgstr "完成"
 
-#: users/forms/profile.py:83
+#: users/forms/profile.py:84
 msgid "New password"
 msgstr "新密码"
 
-#: users/forms/profile.py:88
+#: users/forms/profile.py:89
 msgid "Confirm password"
 msgstr "确认密码"
 
-#: users/forms/profile.py:96
+#: users/forms/profile.py:97
 msgid "Password does not match"
 msgstr "密码不一致"
 
-#: users/forms/profile.py:108
+#: users/forms/profile.py:109
 msgid "Old password"
 msgstr "原来密码"
 
-#: users/forms/profile.py:118
+#: users/forms/profile.py:119
 msgid "Old password error"
 msgstr "原来密码错误"
 
-#: users/forms/profile.py:128
+#: users/forms/profile.py:129
 msgid "Automatically configure and download the SSH key"
 msgstr "自动配置并下载SSH密钥"
 
-#: users/forms/profile.py:130
+#: users/forms/profile.py:131
 msgid "ssh public key"
 msgstr "SSH公钥"
 
-#: users/forms/profile.py:131
+#: users/forms/profile.py:132
 msgid "ssh-rsa AAAA..."
 msgstr "ssh-rsa AAAA..."
 
-#: users/forms/profile.py:132
+#: users/forms/profile.py:133
 msgid "Paste your id_rsa.pub here."
 msgstr "复制你的公钥到这里"
 
-#: users/forms/profile.py:145
+#: users/forms/profile.py:146
 msgid "Public key should not be the same as your old one."
 msgstr "不能和原来的密钥相同"
 
-#: users/forms/profile.py:149 users/serializers/profile.py:95
-#: users/serializers/profile.py:178 users/serializers/profile.py:205
+#: users/forms/profile.py:150 users/serializers/profile.py:98
+#: users/serializers/profile.py:181 users/serializers/profile.py:208
 msgid "Not a valid ssh public key"
 msgstr "SSH密钥不合法"
 
-#: users/forms/profile.py:160 users/models/user.py:692
+#: users/forms/profile.py:161 users/models/user.py:692
 msgid "Public key"
 msgstr "SSH公钥"
 
@@ -5642,23 +5646,23 @@ msgstr "重置 SSH 密钥"
 msgid "Reset MFA"
 msgstr "重置 MFA"
 
-#: users/serializers/profile.py:29
+#: users/serializers/profile.py:30
 msgid "The old password is incorrect"
 msgstr "旧密码错误"
 
-#: users/serializers/profile.py:36 users/serializers/profile.py:192
+#: users/serializers/profile.py:37 users/serializers/profile.py:195
 msgid "Password does not match security rules"
 msgstr "密码不满足安全规则"
 
-#: users/serializers/profile.py:40
+#: users/serializers/profile.py:41
 msgid "The new password cannot be the last {} passwords"
 msgstr "新密码不能是最近 {} 次的密码"
 
-#: users/serializers/profile.py:46 users/serializers/profile.py:66
+#: users/serializers/profile.py:49 users/serializers/profile.py:69
 msgid "The newly set password is inconsistent"
 msgstr "两次密码不一致"
 
-#: users/serializers/profile.py:144 users/serializers/user.py:140
+#: users/serializers/profile.py:147 users/serializers/user.py:140
 msgid "Is first login"
 msgstr "首次登录"
 
@@ -6677,11 +6681,11 @@ msgstr "退出页面logo"
 msgid "Interface setting"
 msgstr "界面设置"
 
-#: xpack/plugins/license/api.py:43
+#: xpack/plugins/license/api.py:50
 msgid "License import successfully"
 msgstr "许可证导入成功"
 
-#: xpack/plugins/license/api.py:44
+#: xpack/plugins/license/api.py:51
 msgid "License is invalid"
 msgstr "无效的许可证"
 
diff --git a/apps/templates/_base_double_screen.html b/apps/templates/_base_double_screen.html
index cd610fea5..a78f9810e 100644
--- a/apps/templates/_base_double_screen.html
+++ b/apps/templates/_base_double_screen.html
@@ -14,7 +14,6 @@
     <script src="{% static "js/jumpserver.js" %}"></script>
     <style>
         .outerBox {
-            max-width: 80%;
             margin: 0 auto;
             padding: 100px 20px 20px 20px;
         }
diff --git a/apps/tickets/templates/tickets/approve_check_password.html b/apps/tickets/templates/tickets/approve_check_password.html
index 66ee91e1b..3e9d9afeb 100644
--- a/apps/tickets/templates/tickets/approve_check_password.html
+++ b/apps/tickets/templates/tickets/approve_check_password.html
@@ -30,10 +30,14 @@
                     {% csrf_token %}
                     <div class="form-group" style="">
                         {% if user.is_authenticated %}
-                        <button id='approve_button' class="btn btn-primary block full-width m-b"
+                        <button class="btn btn-primary block full-width m-b" name="action" value="approve"
                         type="submit">
                             {% trans 'Ticket direct approval' %}
                         </button>
+                        <button class="btn btn-primary block full-width m-b" name="action" value="reject"
+                        type="submit">
+                            {% trans 'Ticket direct reject' %}
+                        </button>
                         {% else %}
                         <a id='login_button' class="btn btn-primary block full-width m-b"
                            href="{{ login_url }}">
diff --git a/apps/tickets/views/approve.py b/apps/tickets/views/approve.py
index 8c014c425..6632dc813 100644
--- a/apps/tickets/views/approve.py
+++ b/apps/tickets/views/approve.py
@@ -22,7 +22,7 @@ class TicketDirectApproveView(TemplateView):
     @property
     def message_data(self):
         return {
-            'title': _('Ticket direct approval'),
+            'title': _('Ticket approval'),
             'error': _("This ticket does not exist, "
                        "the process has ended, or this link has expired"),
             'redirect_url': self.login_url,
@@ -52,7 +52,7 @@ class TicketDirectApproveView(TemplateView):
         token = kwargs.get('token')
         ticket_info = cache.get(token, {}).get('body', '')
         if self.request.user.is_authenticated:
-            prompt_msg = _('Click the button to approve directly')
+            prompt_msg = _('Click the button below to approve or reject')
         else:
             prompt_msg = _('After successful authentication, this ticket can be approved directly')
         kwargs.update({
@@ -74,6 +74,11 @@ class TicketDirectApproveView(TemplateView):
     def post(self, request, **kwargs):
         user = request.user
         token = kwargs.get('token')
+        action = request.POST.get('action')
+        if action not in ['approve', 'reject']:
+            msg = _('Illegal approval action')
+            return self.redirect_message_response(error=str(msg))
+
         ticket_info = cache.get(token)
         if not ticket_info:
             return self.redirect_message_response(redirect_url=self.login_url)
@@ -82,7 +87,7 @@ class TicketDirectApproveView(TemplateView):
             ticket = Ticket.all().get(id=ticket_id)
             if not ticket.has_current_assignee(user):
                 raise Exception(_("This user is not authorized to approve this ticket"))
-            ticket.approve(user)
+            getattr(ticket, action)(user)
         except AlreadyClosed as e:
             self.clear(token)
             return self.redirect_message_response(error=str(e), redirect_url=self.login_url)

From aff5b0035de35fc218d524473e01713d26b3ea66 Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Tue, 10 May 2022 17:28:10 +0800
Subject: [PATCH 091/258] =?UTF-8?q?perf:=20=E4=BC=98=E5=8C=96=E5=8A=A0?=
 =?UTF-8?q?=E5=AF=86=20(#8206)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* perf: 优化加密

* perf: 优化加密

* perf: 优化加密传输

Co-authored-by: ibuler <ibuler@qq.com>
---
 apps/authentication/forms.py                  |  4 +-
 apps/authentication/mixins.py                 |  1 +
 .../templates/authentication/login.html       |  2 +
 apps/common/drf/fields.py                     |  4 +-
 apps/common/utils/crypto.py                   | 13 ++-
 apps/static/js/jumpserver.js                  | 83 +++++++++++++++++--
 apps/static/js/plugins/buffer/buffer.min.js   |  1 +
 .../js/plugins/cryptojs/crypto-js.min.js      |  1 +
 8 files changed, 98 insertions(+), 11 deletions(-)
 create mode 100644 apps/static/js/plugins/buffer/buffer.min.js
 create mode 100644 apps/static/js/plugins/cryptojs/crypto-js.min.js

diff --git a/apps/authentication/forms.py b/apps/authentication/forms.py
index bd7fa7d67..e80407d15 100644
--- a/apps/authentication/forms.py
+++ b/apps/authentication/forms.py
@@ -5,7 +5,7 @@ from django.conf import settings
 from django.utils.translation import ugettext_lazy as _
 from captcha.fields import CaptchaField, CaptchaTextInput
 
-from common.utils import get_logger, rsa_decrypt_by_session_pkey
+from common.utils import get_logger, decrypt_password
 
 logger = get_logger(__name__)
 
@@ -13,7 +13,7 @@ logger = get_logger(__name__)
 class EncryptedField(forms.CharField):
     def to_python(self, value):
         value = super().to_python(value)
-        return rsa_decrypt_by_session_pkey(value)
+        return decrypt_password(value)
 
 
 class UserLoginForm(forms.Form):
diff --git a/apps/authentication/mixins.py b/apps/authentication/mixins.py
index 698601d4c..2f4f1d6e0 100644
--- a/apps/authentication/mixins.py
+++ b/apps/authentication/mixins.py
@@ -56,6 +56,7 @@ def authenticate(request=None, **credentials):
 
     for backend, backend_path in _get_backends(return_tuples=True):
         # 检查用户名是否允许认证 (预先检查，不浪费认证时间)
+        logger.info('Try using auth backend: {}'.format(str(backend)))
         if not backend.username_allow_authenticate(username):
             continue
 
diff --git a/apps/authentication/templates/authentication/login.html b/apps/authentication/templates/authentication/login.html
index 477df7af4..823f22201 100644
--- a/apps/authentication/templates/authentication/login.html
+++ b/apps/authentication/templates/authentication/login.html
@@ -241,6 +241,8 @@
 </body>
 {% include '_foot_js.html' %}
 <script type="text/javascript" src="/static/js/plugins/jsencrypt/jsencrypt.min.js"></script>
+<script type="text/javascript" src="/static/js/plugins/cryptojs/crypto-js.min.js"></script>
+<script type="text/javascript" src="/static/js/plugins/buffer/buffer.min.js"></script>
 <script>
     function doLogin() {
         //公钥加密
diff --git a/apps/common/drf/fields.py b/apps/common/drf/fields.py
index 6958a2fd4..98919f2df 100644
--- a/apps/common/drf/fields.py
+++ b/apps/common/drf/fields.py
@@ -3,7 +3,7 @@
 
 from rest_framework import serializers
 
-from common.utils import rsa_decrypt_by_session_pkey
+from common.utils import decrypt_password
 
 __all__ = [
     'ReadableHiddenField', 'EncryptedField'
@@ -29,4 +29,4 @@ class ReadableHiddenField(serializers.HiddenField):
 class EncryptedField(serializers.CharField):
     def to_internal_value(self, value):
         value = super().to_internal_value(value)
-        return rsa_decrypt_by_session_pkey(value)
+        return decrypt_password(value)
diff --git a/apps/common/utils/crypto.py b/apps/common/utils/crypto.py
index e09b244fd..4fd9360f6 100644
--- a/apps/common/utils/crypto.py
+++ b/apps/common/utils/crypto.py
@@ -241,10 +241,21 @@ def rsa_decrypt_by_session_pkey(value):
         return value
 
     try:
-        value= rsa_decrypt(value, private_key)
+        value = rsa_decrypt(value, private_key)
     except Exception as e:
         logging.error('Decrypt field error: {}'.format(e))
     return value
 
 
+def decrypt_password(value):
+    cipher = value.split(':')
+    if len(cipher) != 2:
+        return value
+    key_cipher, password_cipher = cipher
+    aes_key = rsa_decrypt_by_session_pkey(key_cipher)
+    aes = get_aes_crypto(aes_key, 'ECB')
+    password = aes.decrypt(password_cipher)
+    return password
+
+
 crypto = Crypto()
diff --git a/apps/static/js/jumpserver.js b/apps/static/js/jumpserver.js
index 44f235793..e1e6707b2 100644
--- a/apps/static/js/jumpserver.js
+++ b/apps/static/js/jumpserver.js
@@ -1502,18 +1502,89 @@ function getStatusIcon(status, mapping, title) {
     return icon;
 }
 
+
+function fillKey(key) {
+    let keySize = 128
+    // 如果超过 key 16 位, 最大取 32 位，需要更改填充
+    if (key.length > 16) {
+        key = key.slice(0, 32)
+        keySize = keySize * 2
+    }
+    const filledKeyLength = keySize / 8
+    if (key.length >= filledKeyLength) {
+        return key.slice(0, filledKeyLength)
+    }
+    const filledKey = Buffer.alloc(keySize / 8)
+    const keys = Buffer.from(key)
+    for (let i = 0; i < keys.length; i++) {
+        filledKey[i] = keys[i]
+    }
+    return filledKey
+}
+
+function aesEncrypt(text, originKey) {
+    const key = CryptoJS.enc.Utf8.parse(fillKey(originKey));
+    return CryptoJS.AES.encrypt(text, key, {
+        mode: CryptoJS.mode.ECB,
+        padding: CryptoJS.pad.ZeroPadding
+    }).toString();
+}
+
+function rsaEncrypt(text, pubKey) {
+    if (!text) {
+        return text
+    }
+    const jsEncrypt = new JSEncrypt();
+    jsEncrypt.setPublicKey(pubKey);
+    return jsEncrypt.encrypt(text);
+}
+
+function rsaDecrypt(cipher, pkey) {
+    const jsEncrypt = new JSEncrypt();
+    jsEncrypt.setPrivateKey(pkey);
+    return jsEncrypt.decrypt(cipher)
+}
+
+
+window.rsaEncrypt = rsaEncrypt
+window.rsaDecrypt = rsaDecrypt
+
 function encryptPassword(password) {
     if (!password) {
         return ''
     }
-    var rsaPublicKeyText = getCookie('jms_public_key')
+    const aesKey = (Math.random() + 1).toString(36).substring(2)
+    // public key 是 base64 存储的
+    const rsaPublicKeyText = getCookie('jms_public_key')
         .replaceAll('"', '')
-    var rsaPublicKey = atob(rsaPublicKeyText)
-    var jsencrypt = new JSEncrypt(); //加密对象
-    jsencrypt.setPublicKey(rsaPublicKey); // 设置密钥
-    var value = jsencrypt.encrypt(password); //加密
-    return value
+    const rsaPublicKey = atob(rsaPublicKeyText)
+    const keyCipher = rsaEncrypt(aesKey, rsaPublicKey)
+    const passwordCipher = aesEncrypt(password, aesKey)
+    return `${keyCipher}:${passwordCipher}`
 }
 
 
+function randomString(length) {
+    const characters ='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
+    let result = '';
+    const charactersLength = characters.length;
+    for ( let i = 0; i < length; i++ ) {
+        result += characters.charAt(Math.floor(Math.random() * charactersLength));
+    }
+
+    return result;
+}
+
+function testEncrypt() {
+    const radio = []
+    const len2 = []
+    for (let i=1;i<4096;i++) {
+        const password = randomString(i)
+        const cipher = encryptPassword(password)
+        len2.push([password.length, cipher.length])
+        radio.push(cipher.length/password.length)
+    }
+    return radio
+}
+
 window.encryptPassword = encryptPassword
diff --git a/apps/static/js/plugins/buffer/buffer.min.js b/apps/static/js/plugins/buffer/buffer.min.js
new file mode 100644
index 000000000..eaa75148a
--- /dev/null
+++ b/apps/static/js/plugins/buffer/buffer.min.js
@@ -0,0 +1 @@
+!function(){return function t(r,e,n){function i(f,u){if(!e[f]){if(!r[f]){var s="function"==typeof require&&require;if(!u&&s)return s(f,!0);if(o)return o(f,!0);var h=new Error("Cannot find module '"+f+"'");throw h.code="MODULE_NOT_FOUND",h}var a=e[f]={exports:{}};r[f][0].call(a.exports,function(t){return i(r[f][1][t]||t)},a,a.exports,t,r,e,n)}return e[f].exports}for(var o="function"==typeof require&&require,f=0;f<n.length;f++)i(n[f]);return i}}()({1:[function(t,r,e){(function(r){(function(){"use strict";const r=t("base64-js"),n=t("ieee754"),i="function"==typeof Symbol&&"function"==typeof Symbol.for?Symbol.for("nodejs.util.inspect.custom"):null;e.Buffer=u,e.SlowBuffer=function(t){+t!=t&&(t=0);return u.alloc(+t)},e.INSPECT_MAX_BYTES=50;const o=2147483647;function f(t){if(t>o)throw new RangeError('The value "'+t+'" is invalid for option "size"');const r=new Uint8Array(t);return Object.setPrototypeOf(r,u.prototype),r}function u(t,r,e){if("number"==typeof t){if("string"==typeof r)throw new TypeError('The "string" argument must be of type string. Received type number');return a(t)}return s(t,r,e)}function s(t,r,e){if("string"==typeof t)return function(t,r){"string"==typeof r&&""!==r||(r="utf8");if(!u.isEncoding(r))throw new TypeError("Unknown encoding: "+r);const e=0|y(t,r);let n=f(e);const i=n.write(t,r);i!==e&&(n=n.slice(0,i));return n}(t,r);if(ArrayBuffer.isView(t))return function(t){if(W(t,Uint8Array)){const r=new Uint8Array(t);return p(r.buffer,r.byteOffset,r.byteLength)}return c(t)}(t);if(null==t)throw new TypeError("The first argument must be one of type string, Buffer, ArrayBuffer, Array, or Array-like Object. Received type "+typeof t);if(W(t,ArrayBuffer)||t&&W(t.buffer,ArrayBuffer))return p(t,r,e);if("undefined"!=typeof SharedArrayBuffer&&(W(t,SharedArrayBuffer)||t&&W(t.buffer,SharedArrayBuffer)))return p(t,r,e);if("number"==typeof t)throw new TypeError('The "value" argument must not be of type number. Received type number');const n=t.valueOf&&t.valueOf();if(null!=n&&n!==t)return u.from(n,r,e);const i=function(t){if(u.isBuffer(t)){const r=0|l(t.length),e=f(r);return 0===e.length?e:(t.copy(e,0,0,r),e)}if(void 0!==t.length)return"number"!=typeof t.length||X(t.length)?f(0):c(t);if("Buffer"===t.type&&Array.isArray(t.data))return c(t.data)}(t);if(i)return i;if("undefined"!=typeof Symbol&&null!=Symbol.toPrimitive&&"function"==typeof t[Symbol.toPrimitive])return u.from(t[Symbol.toPrimitive]("string"),r,e);throw new TypeError("The first argument must be one of type string, Buffer, ArrayBuffer, Array, or Array-like Object. Received type "+typeof t)}function h(t){if("number"!=typeof t)throw new TypeError('"size" argument must be of type number');if(t<0)throw new RangeError('The value "'+t+'" is invalid for option "size"')}function a(t){return h(t),f(t<0?0:0|l(t))}function c(t){const r=t.length<0?0:0|l(t.length),e=f(r);for(let n=0;n<r;n+=1)e[n]=255&t[n];return e}function p(t,r,e){if(r<0||t.byteLength<r)throw new RangeError('"offset" is outside of buffer bounds');if(t.byteLength<r+(e||0))throw new RangeError('"length" is outside of buffer bounds');let n;return n=void 0===r&&void 0===e?new Uint8Array(t):void 0===e?new Uint8Array(t,r):new Uint8Array(t,r,e),Object.setPrototypeOf(n,u.prototype),n}function l(t){if(t>=o)throw new RangeError("Attempt to allocate Buffer larger than maximum size: 0x"+o.toString(16)+" bytes");return 0|t}function y(t,r){if(u.isBuffer(t))return t.length;if(ArrayBuffer.isView(t)||W(t,ArrayBuffer))return t.byteLength;if("string"!=typeof t)throw new TypeError('The "string" argument must be one of type string, Buffer, or ArrayBuffer. Received type '+typeof t);const e=t.length,n=arguments.length>2&&!0===arguments[2];if(!n&&0===e)return 0;let i=!1;for(;;)switch(r){case"ascii":case"latin1":case"binary":return e;case"utf8":case"utf-8":return q(t).length;case"ucs2":case"ucs-2":case"utf16le":case"utf-16le":return 2*e;case"hex":return e>>>1;case"base64":return G(t).length;default:if(i)return n?-1:q(t).length;r=(""+r).toLowerCase(),i=!0}}function g(t,r,e){const n=t[r];t[r]=t[e],t[e]=n}function w(t,r,e,n,i){if(0===t.length)return-1;if("string"==typeof e?(n=e,e=0):e>2147483647?e=2147483647:e<-2147483648&&(e=-2147483648),X(e=+e)&&(e=i?0:t.length-1),e<0&&(e=t.length+e),e>=t.length){if(i)return-1;e=t.length-1}else if(e<0){if(!i)return-1;e=0}if("string"==typeof r&&(r=u.from(r,n)),u.isBuffer(r))return 0===r.length?-1:d(t,r,e,n,i);if("number"==typeof r)return r&=255,"function"==typeof Uint8Array.prototype.indexOf?i?Uint8Array.prototype.indexOf.call(t,r,e):Uint8Array.prototype.lastIndexOf.call(t,r,e):d(t,[r],e,n,i);throw new TypeError("val must be string, number or Buffer")}function d(t,r,e,n,i){let o,f=1,u=t.length,s=r.length;if(void 0!==n&&("ucs2"===(n=String(n).toLowerCase())||"ucs-2"===n||"utf16le"===n||"utf-16le"===n)){if(t.length<2||r.length<2)return-1;f=2,u/=2,s/=2,e/=2}function h(t,r){return 1===f?t[r]:t.readUInt16BE(r*f)}if(i){let n=-1;for(o=e;o<u;o++)if(h(t,o)===h(r,-1===n?0:o-n)){if(-1===n&&(n=o),o-n+1===s)return n*f}else-1!==n&&(o-=o-n),n=-1}else for(e+s>u&&(e=u-s),o=e;o>=0;o--){let e=!0;for(let n=0;n<s;n++)if(h(t,o+n)!==h(r,n)){e=!1;break}if(e)return o}return-1}function b(t,r,e,n){e=Number(e)||0;const i=t.length-e;n?(n=Number(n))>i&&(n=i):n=i;const o=r.length;let f;for(n>o/2&&(n=o/2),f=0;f<n;++f){const n=parseInt(r.substr(2*f,2),16);if(X(n))return f;t[e+f]=n}return f}function m(t,r,e,n){return V(q(r,t.length-e),t,e,n)}function E(t,r,e,n){return V(function(t){const r=[];for(let e=0;e<t.length;++e)r.push(255&t.charCodeAt(e));return r}(r),t,e,n)}function B(t,r,e,n){return V(G(r),t,e,n)}function v(t,r,e,n){return V(function(t,r){let e,n,i;const o=[];for(let f=0;f<t.length&&!((r-=2)<0);++f)e=t.charCodeAt(f),n=e>>8,i=e%256,o.push(i),o.push(n);return o}(r,t.length-e),t,e,n)}function A(t,e,n){return 0===e&&n===t.length?r.fromByteArray(t):r.fromByteArray(t.slice(e,n))}function I(t,r,e){e=Math.min(t.length,e);const n=[];let i=r;for(;i<e;){const r=t[i];let o=null,f=r>239?4:r>223?3:r>191?2:1;if(i+f<=e){let e,n,u,s;switch(f){case 1:r<128&&(o=r);break;case 2:128==(192&(e=t[i+1]))&&(s=(31&r)<<6|63&e)>127&&(o=s);break;case 3:e=t[i+1],n=t[i+2],128==(192&e)&&128==(192&n)&&(s=(15&r)<<12|(63&e)<<6|63&n)>2047&&(s<55296||s>57343)&&(o=s);break;case 4:e=t[i+1],n=t[i+2],u=t[i+3],128==(192&e)&&128==(192&n)&&128==(192&u)&&(s=(15&r)<<18|(63&e)<<12|(63&n)<<6|63&u)>65535&&s<1114112&&(o=s)}}null===o?(o=65533,f=1):o>65535&&(o-=65536,n.push(o>>>10&1023|55296),o=56320|1023&o),n.push(o),i+=f}return function(t){const r=t.length;if(r<=U)return String.fromCharCode.apply(String,t);let e="",n=0;for(;n<r;)e+=String.fromCharCode.apply(String,t.slice(n,n+=U));return e}(n)}e.kMaxLength=o,u.TYPED_ARRAY_SUPPORT=function(){try{const t=new Uint8Array(1),r={foo:function(){return 42}};return Object.setPrototypeOf(r,Uint8Array.prototype),Object.setPrototypeOf(t,r),42===t.foo()}catch(t){return!1}}(),u.TYPED_ARRAY_SUPPORT||"undefined"==typeof console||"function"!=typeof console.error||console.error("This browser lacks typed array (Uint8Array) support which is required by `buffer` v5.x. Use `buffer` v4.x if you require old browser support."),Object.defineProperty(u.prototype,"parent",{enumerable:!0,get:function(){if(u.isBuffer(this))return this.buffer}}),Object.defineProperty(u.prototype,"offset",{enumerable:!0,get:function(){if(u.isBuffer(this))return this.byteOffset}}),window.Buffer=u,u.poolSize=8192,u.from=function(t,r,e){return s(t,r,e)},Object.setPrototypeOf(u.prototype,Uint8Array.prototype),Object.setPrototypeOf(u,Uint8Array),u.alloc=function(t,r,e){return function(t,r,e){return h(t),t<=0?f(t):void 0!==r?"string"==typeof e?f(t).fill(r,e):f(t).fill(r):f(t)}(t,r,e)},u.allocUnsafe=function(t){return a(t)},u.allocUnsafeSlow=function(t){return a(t)},u.isBuffer=function(t){return null!=t&&!0===t._isBuffer&&t!==u.prototype},u.compare=function(t,r){if(W(t,Uint8Array)&&(t=u.from(t,t.offset,t.byteLength)),W(r,Uint8Array)&&(r=u.from(r,r.offset,r.byteLength)),!u.isBuffer(t)||!u.isBuffer(r))throw new TypeError('The "buf1", "buf2" arguments must be one of type Buffer or Uint8Array');if(t===r)return 0;let e=t.length,n=r.length;for(let i=0,o=Math.min(e,n);i<o;++i)if(t[i]!==r[i]){e=t[i],n=r[i];break}return e<n?-1:n<e?1:0},u.isEncoding=function(t){switch(String(t).toLowerCase()){case"hex":case"utf8":case"utf-8":case"ascii":case"latin1":case"binary":case"base64":case"ucs2":case"ucs-2":case"utf16le":case"utf-16le":return!0;default:return!1}},u.concat=function(t,r){if(!Array.isArray(t))throw new TypeError('"list" argument must be an Array of Buffers');if(0===t.length)return u.alloc(0);let e;if(void 0===r)for(r=0,e=0;e<t.length;++e)r+=t[e].length;const n=u.allocUnsafe(r);let i=0;for(e=0;e<t.length;++e){let r=t[e];if(W(r,Uint8Array))i+r.length>n.length?(u.isBuffer(r)||(r=u.from(r.buffer,r.byteOffset,r.byteLength)),r.copy(n,i)):Uint8Array.prototype.set.call(n,r,i);else{if(!u.isBuffer(r))throw new TypeError('"list" argument must be an Array of Buffers');r.copy(n,i)}i+=r.length}return n},u.byteLength=y,u.prototype._isBuffer=!0,u.prototype.swap16=function(){const t=this.length;if(t%2!=0)throw new RangeError("Buffer size must be a multiple of 16-bits");for(let r=0;r<t;r+=2)g(this,r,r+1);return this},u.prototype.swap32=function(){const t=this.length;if(t%4!=0)throw new RangeError("Buffer size must be a multiple of 32-bits");for(let r=0;r<t;r+=4)g(this,r,r+3),g(this,r+1,r+2);return this},u.prototype.swap64=function(){const t=this.length;if(t%8!=0)throw new RangeError("Buffer size must be a multiple of 64-bits");for(let r=0;r<t;r+=8)g(this,r,r+7),g(this,r+1,r+6),g(this,r+2,r+5),g(this,r+3,r+4);return this},u.prototype.toString=function(){const t=this.length;return 0===t?"":0===arguments.length?I(this,0,t):function(t,r,e){let n=!1;if((void 0===r||r<0)&&(r=0),r>this.length)return"";if((void 0===e||e>this.length)&&(e=this.length),e<=0)return"";if((e>>>=0)<=(r>>>=0))return"";for(t||(t="utf8");;)switch(t){case"hex":return _(this,r,e);case"utf8":case"utf-8":return I(this,r,e);case"ascii":return R(this,r,e);case"latin1":case"binary":return T(this,r,e);case"base64":return A(this,r,e);case"ucs2":case"ucs-2":case"utf16le":case"utf-16le":return L(this,r,e);default:if(n)throw new TypeError("Unknown encoding: "+t);t=(t+"").toLowerCase(),n=!0}}.apply(this,arguments)},u.prototype.toLocaleString=u.prototype.toString,u.prototype.equals=function(t){if(!u.isBuffer(t))throw new TypeError("Argument must be a Buffer");return this===t||0===u.compare(this,t)},u.prototype.inspect=function(){let t="";const r=e.INSPECT_MAX_BYTES;return t=this.toString("hex",0,r).replace(/(.{2})/g,"$1 ").trim(),this.length>r&&(t+=" ... "),"<Buffer "+t+">"},i&&(u.prototype[i]=u.prototype.inspect),u.prototype.compare=function(t,r,e,n,i){if(W(t,Uint8Array)&&(t=u.from(t,t.offset,t.byteLength)),!u.isBuffer(t))throw new TypeError('The "target" argument must be one of type Buffer or Uint8Array. Received type '+typeof t);if(void 0===r&&(r=0),void 0===e&&(e=t?t.length:0),void 0===n&&(n=0),void 0===i&&(i=this.length),r<0||e>t.length||n<0||i>this.length)throw new RangeError("out of range index");if(n>=i&&r>=e)return 0;if(n>=i)return-1;if(r>=e)return 1;if(this===t)return 0;let o=(i>>>=0)-(n>>>=0),f=(e>>>=0)-(r>>>=0);const s=Math.min(o,f),h=this.slice(n,i),a=t.slice(r,e);for(let t=0;t<s;++t)if(h[t]!==a[t]){o=h[t],f=a[t];break}return o<f?-1:f<o?1:0},u.prototype.includes=function(t,r,e){return-1!==this.indexOf(t,r,e)},u.prototype.indexOf=function(t,r,e){return w(this,t,r,e,!0)},u.prototype.lastIndexOf=function(t,r,e){return w(this,t,r,e,!1)},u.prototype.write=function(t,r,e,n){if(void 0===r)n="utf8",e=this.length,r=0;else if(void 0===e&&"string"==typeof r)n=r,e=this.length,r=0;else{if(!isFinite(r))throw new Error("Buffer.write(string, encoding, offset[, length]) is no longer supported");r>>>=0,isFinite(e)?(e>>>=0,void 0===n&&(n="utf8")):(n=e,e=void 0)}const i=this.length-r;if((void 0===e||e>i)&&(e=i),t.length>0&&(e<0||r<0)||r>this.length)throw new RangeError("Attempt to write outside buffer bounds");n||(n="utf8");let o=!1;for(;;)switch(n){case"hex":return b(this,t,r,e);case"utf8":case"utf-8":return m(this,t,r,e);case"ascii":case"latin1":case"binary":return E(this,t,r,e);case"base64":return B(this,t,r,e);case"ucs2":case"ucs-2":case"utf16le":case"utf-16le":return v(this,t,r,e);default:if(o)throw new TypeError("Unknown encoding: "+n);n=(""+n).toLowerCase(),o=!0}},u.prototype.toJSON=function(){return{type:"Buffer",data:Array.prototype.slice.call(this._arr||this,0)}};const U=4096;function R(t,r,e){let n="";e=Math.min(t.length,e);for(let i=r;i<e;++i)n+=String.fromCharCode(127&t[i]);return n}function T(t,r,e){let n="";e=Math.min(t.length,e);for(let i=r;i<e;++i)n+=String.fromCharCode(t[i]);return n}function _(t,r,e){const n=t.length;(!r||r<0)&&(r=0),(!e||e<0||e>n)&&(e=n);let i="";for(let n=r;n<e;++n)i+=J[t[n]];return i}function L(t,r,e){const n=t.slice(r,e);let i="";for(let t=0;t<n.length-1;t+=2)i+=String.fromCharCode(n[t]+256*n[t+1]);return i}function S(t,r,e){if(t%1!=0||t<0)throw new RangeError("offset is not uint");if(t+r>e)throw new RangeError("Trying to access beyond buffer length")}function O(t,r,e,n,i,o){if(!u.isBuffer(t))throw new TypeError('"buffer" argument must be a Buffer instance');if(r>i||r<o)throw new RangeError('"value" argument is out of bounds');if(e+n>t.length)throw new RangeError("Index out of range")}function x(t,r,e,n,i){F(r,n,i,t,e,7);let o=Number(r&BigInt(4294967295));t[e++]=o,o>>=8,t[e++]=o,o>>=8,t[e++]=o,o>>=8,t[e++]=o;let f=Number(r>>BigInt(32)&BigInt(4294967295));return t[e++]=f,f>>=8,t[e++]=f,f>>=8,t[e++]=f,f>>=8,t[e++]=f,e}function C(t,r,e,n,i){F(r,n,i,t,e,7);let o=Number(r&BigInt(4294967295));t[e+7]=o,o>>=8,t[e+6]=o,o>>=8,t[e+5]=o,o>>=8,t[e+4]=o;let f=Number(r>>BigInt(32)&BigInt(4294967295));return t[e+3]=f,f>>=8,t[e+2]=f,f>>=8,t[e+1]=f,f>>=8,t[e]=f,e+8}function M(t,r,e,n,i,o){if(e+n>t.length)throw new RangeError("Index out of range");if(e<0)throw new RangeError("Index out of range")}function P(t,r,e,i,o){return r=+r,e>>>=0,o||M(t,0,e,4),n.write(t,r,e,i,23,4),e+4}function k(t,r,e,i,o){return r=+r,e>>>=0,o||M(t,0,e,8),n.write(t,r,e,i,52,8),e+8}u.prototype.slice=function(t,r){const e=this.length;(t=~~t)<0?(t+=e)<0&&(t=0):t>e&&(t=e),(r=void 0===r?e:~~r)<0?(r+=e)<0&&(r=0):r>e&&(r=e),r<t&&(r=t);const n=this.subarray(t,r);return Object.setPrototypeOf(n,u.prototype),n},u.prototype.readUintLE=u.prototype.readUIntLE=function(t,r,e){t>>>=0,r>>>=0,e||S(t,r,this.length);let n=this[t],i=1,o=0;for(;++o<r&&(i*=256);)n+=this[t+o]*i;return n},u.prototype.readUintBE=u.prototype.readUIntBE=function(t,r,e){t>>>=0,r>>>=0,e||S(t,r,this.length);let n=this[t+--r],i=1;for(;r>0&&(i*=256);)n+=this[t+--r]*i;return n},u.prototype.readUint8=u.prototype.readUInt8=function(t,r){return t>>>=0,r||S(t,1,this.length),this[t]},u.prototype.readUint16LE=u.prototype.readUInt16LE=function(t,r){return t>>>=0,r||S(t,2,this.length),this[t]|this[t+1]<<8},u.prototype.readUint16BE=u.prototype.readUInt16BE=function(t,r){return t>>>=0,r||S(t,2,this.length),this[t]<<8|this[t+1]},u.prototype.readUint32LE=u.prototype.readUInt32LE=function(t,r){return t>>>=0,r||S(t,4,this.length),(this[t]|this[t+1]<<8|this[t+2]<<16)+16777216*this[t+3]},u.prototype.readUint32BE=u.prototype.readUInt32BE=function(t,r){return t>>>=0,r||S(t,4,this.length),16777216*this[t]+(this[t+1]<<16|this[t+2]<<8|this[t+3])},u.prototype.readBigUInt64LE=Z(function(t){z(t>>>=0,"offset");const r=this[t],e=this[t+7];void 0!==r&&void 0!==e||D(t,this.length-8);const n=r+256*this[++t]+65536*this[++t]+this[++t]*2**24,i=this[++t]+256*this[++t]+65536*this[++t]+e*2**24;return BigInt(n)+(BigInt(i)<<BigInt(32))}),u.prototype.readBigUInt64BE=Z(function(t){z(t>>>=0,"offset");const r=this[t],e=this[t+7];void 0!==r&&void 0!==e||D(t,this.length-8);const n=r*2**24+65536*this[++t]+256*this[++t]+this[++t],i=this[++t]*2**24+65536*this[++t]+256*this[++t]+e;return(BigInt(n)<<BigInt(32))+BigInt(i)}),u.prototype.readIntLE=function(t,r,e){t>>>=0,r>>>=0,e||S(t,r,this.length);let n=this[t],i=1,o=0;for(;++o<r&&(i*=256);)n+=this[t+o]*i;return n>=(i*=128)&&(n-=Math.pow(2,8*r)),n},u.prototype.readIntBE=function(t,r,e){t>>>=0,r>>>=0,e||S(t,r,this.length);let n=r,i=1,o=this[t+--n];for(;n>0&&(i*=256);)o+=this[t+--n]*i;return o>=(i*=128)&&(o-=Math.pow(2,8*r)),o},u.prototype.readInt8=function(t,r){return t>>>=0,r||S(t,1,this.length),128&this[t]?-1*(255-this[t]+1):this[t]},u.prototype.readInt16LE=function(t,r){t>>>=0,r||S(t,2,this.length);const e=this[t]|this[t+1]<<8;return 32768&e?4294901760|e:e},u.prototype.readInt16BE=function(t,r){t>>>=0,r||S(t,2,this.length);const e=this[t+1]|this[t]<<8;return 32768&e?4294901760|e:e},u.prototype.readInt32LE=function(t,r){return t>>>=0,r||S(t,4,this.length),this[t]|this[t+1]<<8|this[t+2]<<16|this[t+3]<<24},u.prototype.readInt32BE=function(t,r){return t>>>=0,r||S(t,4,this.length),this[t]<<24|this[t+1]<<16|this[t+2]<<8|this[t+3]},u.prototype.readBigInt64LE=Z(function(t){z(t>>>=0,"offset");const r=this[t],e=this[t+7];void 0!==r&&void 0!==e||D(t,this.length-8);const n=this[t+4]+256*this[t+5]+65536*this[t+6]+(e<<24);return(BigInt(n)<<BigInt(32))+BigInt(r+256*this[++t]+65536*this[++t]+this[++t]*2**24)}),u.prototype.readBigInt64BE=Z(function(t){z(t>>>=0,"offset");const r=this[t],e=this[t+7];void 0!==r&&void 0!==e||D(t,this.length-8);const n=(r<<24)+65536*this[++t]+256*this[++t]+this[++t];return(BigInt(n)<<BigInt(32))+BigInt(this[++t]*2**24+65536*this[++t]+256*this[++t]+e)}),u.prototype.readFloatLE=function(t,r){return t>>>=0,r||S(t,4,this.length),n.read(this,t,!0,23,4)},u.prototype.readFloatBE=function(t,r){return t>>>=0,r||S(t,4,this.length),n.read(this,t,!1,23,4)},u.prototype.readDoubleLE=function(t,r){return t>>>=0,r||S(t,8,this.length),n.read(this,t,!0,52,8)},u.prototype.readDoubleBE=function(t,r){return t>>>=0,r||S(t,8,this.length),n.read(this,t,!1,52,8)},u.prototype.writeUintLE=u.prototype.writeUIntLE=function(t,r,e,n){if(t=+t,r>>>=0,e>>>=0,!n){O(this,t,r,e,Math.pow(2,8*e)-1,0)}let i=1,o=0;for(this[r]=255&t;++o<e&&(i*=256);)this[r+o]=t/i&255;return r+e},u.prototype.writeUintBE=u.prototype.writeUIntBE=function(t,r,e,n){if(t=+t,r>>>=0,e>>>=0,!n){O(this,t,r,e,Math.pow(2,8*e)-1,0)}let i=e-1,o=1;for(this[r+i]=255&t;--i>=0&&(o*=256);)this[r+i]=t/o&255;return r+e},u.prototype.writeUint8=u.prototype.writeUInt8=function(t,r,e){return t=+t,r>>>=0,e||O(this,t,r,1,255,0),this[r]=255&t,r+1},u.prototype.writeUint16LE=u.prototype.writeUInt16LE=function(t,r,e){return t=+t,r>>>=0,e||O(this,t,r,2,65535,0),this[r]=255&t,this[r+1]=t>>>8,r+2},u.prototype.writeUint16BE=u.prototype.writeUInt16BE=function(t,r,e){return t=+t,r>>>=0,e||O(this,t,r,2,65535,0),this[r]=t>>>8,this[r+1]=255&t,r+2},u.prototype.writeUint32LE=u.prototype.writeUInt32LE=function(t,r,e){return t=+t,r>>>=0,e||O(this,t,r,4,4294967295,0),this[r+3]=t>>>24,this[r+2]=t>>>16,this[r+1]=t>>>8,this[r]=255&t,r+4},u.prototype.writeUint32BE=u.prototype.writeUInt32BE=function(t,r,e){return t=+t,r>>>=0,e||O(this,t,r,4,4294967295,0),this[r]=t>>>24,this[r+1]=t>>>16,this[r+2]=t>>>8,this[r+3]=255&t,r+4},u.prototype.writeBigUInt64LE=Z(function(t,r=0){return x(this,t,r,BigInt(0),BigInt("0xffffffffffffffff"))}),u.prototype.writeBigUInt64BE=Z(function(t,r=0){return C(this,t,r,BigInt(0),BigInt("0xffffffffffffffff"))}),u.prototype.writeIntLE=function(t,r,e,n){if(t=+t,r>>>=0,!n){const n=Math.pow(2,8*e-1);O(this,t,r,e,n-1,-n)}let i=0,o=1,f=0;for(this[r]=255&t;++i<e&&(o*=256);)t<0&&0===f&&0!==this[r+i-1]&&(f=1),this[r+i]=(t/o>>0)-f&255;return r+e},u.prototype.writeIntBE=function(t,r,e,n){if(t=+t,r>>>=0,!n){const n=Math.pow(2,8*e-1);O(this,t,r,e,n-1,-n)}let i=e-1,o=1,f=0;for(this[r+i]=255&t;--i>=0&&(o*=256);)t<0&&0===f&&0!==this[r+i+1]&&(f=1),this[r+i]=(t/o>>0)-f&255;return r+e},u.prototype.writeInt8=function(t,r,e){return t=+t,r>>>=0,e||O(this,t,r,1,127,-128),t<0&&(t=255+t+1),this[r]=255&t,r+1},u.prototype.writeInt16LE=function(t,r,e){return t=+t,r>>>=0,e||O(this,t,r,2,32767,-32768),this[r]=255&t,this[r+1]=t>>>8,r+2},u.prototype.writeInt16BE=function(t,r,e){return t=+t,r>>>=0,e||O(this,t,r,2,32767,-32768),this[r]=t>>>8,this[r+1]=255&t,r+2},u.prototype.writeInt32LE=function(t,r,e){return t=+t,r>>>=0,e||O(this,t,r,4,2147483647,-2147483648),this[r]=255&t,this[r+1]=t>>>8,this[r+2]=t>>>16,this[r+3]=t>>>24,r+4},u.prototype.writeInt32BE=function(t,r,e){return t=+t,r>>>=0,e||O(this,t,r,4,2147483647,-2147483648),t<0&&(t=4294967295+t+1),this[r]=t>>>24,this[r+1]=t>>>16,this[r+2]=t>>>8,this[r+3]=255&t,r+4},u.prototype.writeBigInt64LE=Z(function(t,r=0){return x(this,t,r,-BigInt("0x8000000000000000"),BigInt("0x7fffffffffffffff"))}),u.prototype.writeBigInt64BE=Z(function(t,r=0){return C(this,t,r,-BigInt("0x8000000000000000"),BigInt("0x7fffffffffffffff"))}),u.prototype.writeFloatLE=function(t,r,e){return P(this,t,r,!0,e)},u.prototype.writeFloatBE=function(t,r,e){return P(this,t,r,!1,e)},u.prototype.writeDoubleLE=function(t,r,e){return k(this,t,r,!0,e)},u.prototype.writeDoubleBE=function(t,r,e){return k(this,t,r,!1,e)},u.prototype.copy=function(t,r,e,n){if(!u.isBuffer(t))throw new TypeError("argument should be a Buffer");if(e||(e=0),n||0===n||(n=this.length),r>=t.length&&(r=t.length),r||(r=0),n>0&&n<e&&(n=e),n===e)return 0;if(0===t.length||0===this.length)return 0;if(r<0)throw new RangeError("targetStart out of bounds");if(e<0||e>=this.length)throw new RangeError("Index out of range");if(n<0)throw new RangeError("sourceEnd out of bounds");n>this.length&&(n=this.length),t.length-r<n-e&&(n=t.length-r+e);const i=n-e;return this===t&&"function"==typeof Uint8Array.prototype.copyWithin?this.copyWithin(r,e,n):Uint8Array.prototype.set.call(t,this.subarray(e,n),r),i},u.prototype.fill=function(t,r,e,n){if("string"==typeof t){if("string"==typeof r?(n=r,r=0,e=this.length):"string"==typeof e&&(n=e,e=this.length),void 0!==n&&"string"!=typeof n)throw new TypeError("encoding must be a string");if("string"==typeof n&&!u.isEncoding(n))throw new TypeError("Unknown encoding: "+n);if(1===t.length){const r=t.charCodeAt(0);("utf8"===n&&r<128||"latin1"===n)&&(t=r)}}else"number"==typeof t?t&=255:"boolean"==typeof t&&(t=Number(t));if(r<0||this.length<r||this.length<e)throw new RangeError("Out of range index");if(e<=r)return this;let i;if(r>>>=0,e=void 0===e?this.length:e>>>0,t||(t=0),"number"==typeof t)for(i=r;i<e;++i)this[i]=t;else{const o=u.isBuffer(t)?t:u.from(t,n),f=o.length;if(0===f)throw new TypeError('The value "'+t+'" is invalid for argument "value"');for(i=0;i<e-r;++i)this[i+r]=o[i%f]}return this};const N={};function $(t,r,e){N[t]=class extends e{constructor(){super(),Object.defineProperty(this,"message",{value:r.apply(this,arguments),writable:!0,configurable:!0}),this.name=`${this.name} [${t}]`,this.stack,delete this.name}get code(){return t}set code(t){Object.defineProperty(this,"code",{configurable:!0,enumerable:!0,value:t,writable:!0})}toString(){return`${this.name} [${t}]: ${this.message}`}}}function j(t){let r="",e=t.length;const n="-"===t[0]?1:0;for(;e>=n+4;e-=3)r=`_${t.slice(e-3,e)}${r}`;return`${t.slice(0,e)}${r}`}function F(t,r,e,n,i,o){if(t>e||t<r){const n="bigint"==typeof r?"n":"";let i;throw i=o>3?0===r||r===BigInt(0)?`>= 0${n} and < 2${n} ** ${8*(o+1)}${n}`:`>= -(2${n} ** ${8*(o+1)-1}${n}) and < 2 ** `+`${8*(o+1)-1}${n}`:`>= ${r}${n} and <= ${e}${n}`,new N.ERR_OUT_OF_RANGE("value",i,t)}!function(t,r,e){z(r,"offset"),void 0!==t[r]&&void 0!==t[r+e]||D(r,t.length-(e+1))}(n,i,o)}function z(t,r){if("number"!=typeof t)throw new N.ERR_INVALID_ARG_TYPE(r,"number",t)}function D(t,r,e){if(Math.floor(t)!==t)throw z(t,e),new N.ERR_OUT_OF_RANGE(e||"offset","an integer",t);if(r<0)throw new N.ERR_BUFFER_OUT_OF_BOUNDS;throw new N.ERR_OUT_OF_RANGE(e||"offset",`>= ${e?1:0} and <= ${r}`,t)}$("ERR_BUFFER_OUT_OF_BOUNDS",function(t){return t?`${t} is outside of buffer bounds`:"Attempt to access memory outside buffer bounds"},RangeError),$("ERR_INVALID_ARG_TYPE",function(t,r){return`The "${t}" argument must be of type number. Received type ${typeof r}`},TypeError),$("ERR_OUT_OF_RANGE",function(t,r,e){let n=`The value of "${t}" is out of range.`,i=e;return Number.isInteger(e)&&Math.abs(e)>2**32?i=j(String(e)):"bigint"==typeof e&&(i=String(e),(e>BigInt(2)**BigInt(32)||e<-(BigInt(2)**BigInt(32)))&&(i=j(i)),i+="n"),n+=` It must be ${r}. Received ${i}`},RangeError);const Y=/[^+/0-9A-Za-z-_]/g;function q(t,r){let e;r=r||1/0;const n=t.length;let i=null;const o=[];for(let f=0;f<n;++f){if((e=t.charCodeAt(f))>55295&&e<57344){if(!i){if(e>56319){(r-=3)>-1&&o.push(239,191,189);continue}if(f+1===n){(r-=3)>-1&&o.push(239,191,189);continue}i=e;continue}if(e<56320){(r-=3)>-1&&o.push(239,191,189),i=e;continue}e=65536+(i-55296<<10|e-56320)}else i&&(r-=3)>-1&&o.push(239,191,189);if(i=null,e<128){if((r-=1)<0)break;o.push(e)}else if(e<2048){if((r-=2)<0)break;o.push(e>>6|192,63&e|128)}else if(e<65536){if((r-=3)<0)break;o.push(e>>12|224,e>>6&63|128,63&e|128)}else{if(!(e<1114112))throw new Error("Invalid code point");if((r-=4)<0)break;o.push(e>>18|240,e>>12&63|128,e>>6&63|128,63&e|128)}}return o}function G(t){return r.toByteArray(function(t){if((t=(t=t.split("=")[0]).trim().replace(Y,"")).length<2)return"";for(;t.length%4!=0;)t+="=";return t}(t))}function V(t,r,e,n){let i;for(i=0;i<n&&!(i+e>=r.length||i>=t.length);++i)r[i+e]=t[i];return i}function W(t,r){return t instanceof r||null!=t&&null!=t.constructor&&null!=t.constructor.name&&t.constructor.name===r.name}function X(t){return t!=t}const J=function(){const t=new Array(256);for(let r=0;r<16;++r){const e=16*r;for(let n=0;n<16;++n)t[e+n]="0123456789abcdef"[r]+"0123456789abcdef"[n]}return t}();function Z(t){return"undefined"==typeof BigInt?H:t}function H(){throw new Error("BigInt not supported")}}).call(this)}).call(this,t("buffer").Buffer)},{"base64-js":2,buffer:5,ieee754:3}],2:[function(t,r,e){"use strict";e.byteLength=function(t){var r=h(t),e=r[0],n=r[1];return 3*(e+n)/4-n},e.toByteArray=function(t){var r,e,n=h(t),f=n[0],u=n[1],s=new o(function(t,r,e){return 3*(r+e)/4-e}(0,f,u)),a=0,c=u>0?f-4:f;for(e=0;e<c;e+=4)r=i[t.charCodeAt(e)]<<18|i[t.charCodeAt(e+1)]<<12|i[t.charCodeAt(e+2)]<<6|i[t.charCodeAt(e+3)],s[a++]=r>>16&255,s[a++]=r>>8&255,s[a++]=255&r;2===u&&(r=i[t.charCodeAt(e)]<<2|i[t.charCodeAt(e+1)]>>4,s[a++]=255&r);1===u&&(r=i[t.charCodeAt(e)]<<10|i[t.charCodeAt(e+1)]<<4|i[t.charCodeAt(e+2)]>>2,s[a++]=r>>8&255,s[a++]=255&r);return s},e.fromByteArray=function(t){for(var r,e=t.length,i=e%3,o=[],f=0,u=e-i;f<u;f+=16383)o.push(a(t,f,f+16383>u?u:f+16383));1===i?(r=t[e-1],o.push(n[r>>2]+n[r<<4&63]+"==")):2===i&&(r=(t[e-2]<<8)+t[e-1],o.push(n[r>>10]+n[r>>4&63]+n[r<<2&63]+"="));return o.join("")};for(var n=[],i=[],o="undefined"!=typeof Uint8Array?Uint8Array:Array,f="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/",u=0,s=f.length;u<s;++u)n[u]=f[u],i[f.charCodeAt(u)]=u;function h(t){var r=t.length;if(r%4>0)throw new Error("Invalid string. Length must be a multiple of 4");var e=t.indexOf("=");return-1===e&&(e=r),[e,e===r?0:4-e%4]}function a(t,r,e){for(var i,o,f=[],u=r;u<e;u+=3)i=(t[u]<<16&16711680)+(t[u+1]<<8&65280)+(255&t[u+2]),f.push(n[(o=i)>>18&63]+n[o>>12&63]+n[o>>6&63]+n[63&o]);return f.join("")}i["-".charCodeAt(0)]=62,i["_".charCodeAt(0)]=63},{}],3:[function(t,r,e){e.read=function(t,r,e,n,i){var o,f,u=8*i-n-1,s=(1<<u)-1,h=s>>1,a=-7,c=e?i-1:0,p=e?-1:1,l=t[r+c];for(c+=p,o=l&(1<<-a)-1,l>>=-a,a+=u;a>0;o=256*o+t[r+c],c+=p,a-=8);for(f=o&(1<<-a)-1,o>>=-a,a+=n;a>0;f=256*f+t[r+c],c+=p,a-=8);if(0===o)o=1-h;else{if(o===s)return f?NaN:1/0*(l?-1:1);f+=Math.pow(2,n),o-=h}return(l?-1:1)*f*Math.pow(2,o-n)},e.write=function(t,r,e,n,i,o){var f,u,s,h=8*o-i-1,a=(1<<h)-1,c=a>>1,p=23===i?Math.pow(2,-24)-Math.pow(2,-77):0,l=n?0:o-1,y=n?1:-1,g=r<0||0===r&&1/r<0?1:0;for(r=Math.abs(r),isNaN(r)||r===1/0?(u=isNaN(r)?1:0,f=a):(f=Math.floor(Math.log(r)/Math.LN2),r*(s=Math.pow(2,-f))<1&&(f--,s*=2),(r+=f+c>=1?p/s:p*Math.pow(2,1-c))*s>=2&&(f++,s/=2),f+c>=a?(u=0,f=a):f+c>=1?(u=(r*s-1)*Math.pow(2,i),f+=c):(u=r*Math.pow(2,c-1)*Math.pow(2,i),f=0));i>=8;t[e+l]=255&u,l+=y,u/=256,i-=8);for(f=f<<i|u,h+=i;h>0;t[e+l]=255&f,l+=y,f/=256,h-=8);t[e+l-y]|=128*g}},{}],4:[function(t,r,e){arguments[4][2][0].apply(e,arguments)},{dup:2}],5:[function(t,r,e){(function(r){(function(){"use strict";var r=t("base64-js"),n=t("ieee754");e.Buffer=f,e.SlowBuffer=function(t){+t!=t&&(t=0);return f.alloc(+t)},e.INSPECT_MAX_BYTES=50;var i=2147483647;function o(t){if(t>i)throw new RangeError('The value "'+t+'" is invalid for option "size"');var r=new Uint8Array(t);return r.__proto__=f.prototype,r}function f(t,r,e){if("number"==typeof t){if("string"==typeof r)throw new TypeError('The "string" argument must be of type string. Received type number');return h(t)}return u(t,r,e)}function u(t,r,e){if("string"==typeof t)return function(t,r){"string"==typeof r&&""!==r||(r="utf8");if(!f.isEncoding(r))throw new TypeError("Unknown encoding: "+r);var e=0|p(t,r),n=o(e),i=n.write(t,r);i!==e&&(n=n.slice(0,i));return n}(t,r);if(ArrayBuffer.isView(t))return a(t);if(null==t)throw TypeError("The first argument must be one of type string, Buffer, ArrayBuffer, Array, or Array-like Object. Received type "+typeof t);if(j(t,ArrayBuffer)||t&&j(t.buffer,ArrayBuffer))return function(t,r,e){if(r<0||t.byteLength<r)throw new RangeError('"offset" is outside of buffer bounds');if(t.byteLength<r+(e||0))throw new RangeError('"length" is outside of buffer bounds');var n;n=void 0===r&&void 0===e?new Uint8Array(t):void 0===e?new Uint8Array(t,r):new Uint8Array(t,r,e);return n.__proto__=f.prototype,n}(t,r,e);if("number"==typeof t)throw new TypeError('The "value" argument must not be of type number. Received type number');var n=t.valueOf&&t.valueOf();if(null!=n&&n!==t)return f.from(n,r,e);var i=function(t){if(f.isBuffer(t)){var r=0|c(t.length),e=o(r);return 0===e.length?e:(t.copy(e,0,0,r),e)}if(void 0!==t.length)return"number"!=typeof t.length||F(t.length)?o(0):a(t);if("Buffer"===t.type&&Array.isArray(t.data))return a(t.data)}(t);if(i)return i;if("undefined"!=typeof Symbol&&null!=Symbol.toPrimitive&&"function"==typeof t[Symbol.toPrimitive])return f.from(t[Symbol.toPrimitive]("string"),r,e);throw new TypeError("The first argument must be one of type string, Buffer, ArrayBuffer, Array, or Array-like Object. Received type "+typeof t)}function s(t){if("number"!=typeof t)throw new TypeError('"size" argument must be of type number');if(t<0)throw new RangeError('The value "'+t+'" is invalid for option "size"')}function h(t){return s(t),o(t<0?0:0|c(t))}function a(t){for(var r=t.length<0?0:0|c(t.length),e=o(r),n=0;n<r;n+=1)e[n]=255&t[n];return e}function c(t){if(t>=i)throw new RangeError("Attempt to allocate Buffer larger than maximum size: 0x"+i.toString(16)+" bytes");return 0|t}function p(t,r){if(f.isBuffer(t))return t.length;if(ArrayBuffer.isView(t)||j(t,ArrayBuffer))return t.byteLength;if("string"!=typeof t)throw new TypeError('The "string" argument must be one of type string, Buffer, or ArrayBuffer. Received type '+typeof t);var e=t.length,n=arguments.length>2&&!0===arguments[2];if(!n&&0===e)return 0;for(var i=!1;;)switch(r){case"ascii":case"latin1":case"binary":return e;case"utf8":case"utf-8":return k(t).length;case"ucs2":case"ucs-2":case"utf16le":case"utf-16le":return 2*e;case"hex":return e>>>1;case"base64":return N(t).length;default:if(i)return n?-1:k(t).length;r=(""+r).toLowerCase(),i=!0}}function l(t,r,e){var n=t[r];t[r]=t[e],t[e]=n}function y(t,r,e,n,i){if(0===t.length)return-1;if("string"==typeof e?(n=e,e=0):e>2147483647?e=2147483647:e<-2147483648&&(e=-2147483648),F(e=+e)&&(e=i?0:t.length-1),e<0&&(e=t.length+e),e>=t.length){if(i)return-1;e=t.length-1}else if(e<0){if(!i)return-1;e=0}if("string"==typeof r&&(r=f.from(r,n)),f.isBuffer(r))return 0===r.length?-1:g(t,r,e,n,i);if("number"==typeof r)return r&=255,"function"==typeof Uint8Array.prototype.indexOf?i?Uint8Array.prototype.indexOf.call(t,r,e):Uint8Array.prototype.lastIndexOf.call(t,r,e):g(t,[r],e,n,i);throw new TypeError("val must be string, number or Buffer")}function g(t,r,e,n,i){var o,f=1,u=t.length,s=r.length;if(void 0!==n&&("ucs2"===(n=String(n).toLowerCase())||"ucs-2"===n||"utf16le"===n||"utf-16le"===n)){if(t.length<2||r.length<2)return-1;f=2,u/=2,s/=2,e/=2}function h(t,r){return 1===f?t[r]:t.readUInt16BE(r*f)}if(i){var a=-1;for(o=e;o<u;o++)if(h(t,o)===h(r,-1===a?0:o-a)){if(-1===a&&(a=o),o-a+1===s)return a*f}else-1!==a&&(o-=o-a),a=-1}else for(e+s>u&&(e=u-s),o=e;o>=0;o--){for(var c=!0,p=0;p<s;p++)if(h(t,o+p)!==h(r,p)){c=!1;break}if(c)return o}return-1}function w(t,r,e,n){e=Number(e)||0;var i=t.length-e;n?(n=Number(n))>i&&(n=i):n=i;var o=r.length;n>o/2&&(n=o/2);for(var f=0;f<n;++f){var u=parseInt(r.substr(2*f,2),16);if(F(u))return f;t[e+f]=u}return f}function d(t,r,e,n){return $(k(r,t.length-e),t,e,n)}function b(t,r,e,n){return $(function(t){for(var r=[],e=0;e<t.length;++e)r.push(255&t.charCodeAt(e));return r}(r),t,e,n)}function m(t,r,e,n){return b(t,r,e,n)}function E(t,r,e,n){return $(N(r),t,e,n)}function B(t,r,e,n){return $(function(t,r){for(var e,n,i,o=[],f=0;f<t.length&&!((r-=2)<0);++f)e=t.charCodeAt(f),n=e>>8,i=e%256,o.push(i),o.push(n);return o}(r,t.length-e),t,e,n)}function v(t,e,n){return 0===e&&n===t.length?r.fromByteArray(t):r.fromByteArray(t.slice(e,n))}function A(t,r,e){e=Math.min(t.length,e);for(var n=[],i=r;i<e;){var o,f,u,s,h=t[i],a=null,c=h>239?4:h>223?3:h>191?2:1;if(i+c<=e)switch(c){case 1:h<128&&(a=h);break;case 2:128==(192&(o=t[i+1]))&&(s=(31&h)<<6|63&o)>127&&(a=s);break;case 3:o=t[i+1],f=t[i+2],128==(192&o)&&128==(192&f)&&(s=(15&h)<<12|(63&o)<<6|63&f)>2047&&(s<55296||s>57343)&&(a=s);break;case 4:o=t[i+1],f=t[i+2],u=t[i+3],128==(192&o)&&128==(192&f)&&128==(192&u)&&(s=(15&h)<<18|(63&o)<<12|(63&f)<<6|63&u)>65535&&s<1114112&&(a=s)}null===a?(a=65533,c=1):a>65535&&(a-=65536,n.push(a>>>10&1023|55296),a=56320|1023&a),n.push(a),i+=c}return function(t){var r=t.length;if(r<=I)return String.fromCharCode.apply(String,t);var e="",n=0;for(;n<r;)e+=String.fromCharCode.apply(String,t.slice(n,n+=I));return e}(n)}e.kMaxLength=i,f.TYPED_ARRAY_SUPPORT=function(){try{var t=new Uint8Array(1);return t.__proto__={__proto__:Uint8Array.prototype,foo:function(){return 42}},42===t.foo()}catch(t){return!1}}(),f.TYPED_ARRAY_SUPPORT||"undefined"==typeof console||"function"!=typeof console.error||console.error("This browser lacks typed array (Uint8Array) support which is required by `buffer` v5.x. Use `buffer` v4.x if you require old browser support."),Object.defineProperty(f.prototype,"parent",{enumerable:!0,get:function(){if(f.isBuffer(this))return this.buffer}}),Object.defineProperty(f.prototype,"offset",{enumerable:!0,get:function(){if(f.isBuffer(this))return this.byteOffset}}),"undefined"!=typeof Symbol&&null!=Symbol.species&&f[Symbol.species]===f&&Object.defineProperty(f,Symbol.species,{value:null,configurable:!0,enumerable:!1,writable:!1}),f.poolSize=8192,f.from=function(t,r,e){return u(t,r,e)},f.prototype.__proto__=Uint8Array.prototype,f.__proto__=Uint8Array,f.alloc=function(t,r,e){return function(t,r,e){return s(t),t<=0?o(t):void 0!==r?"string"==typeof e?o(t).fill(r,e):o(t).fill(r):o(t)}(t,r,e)},f.allocUnsafe=function(t){return h(t)},f.allocUnsafeSlow=function(t){return h(t)},f.isBuffer=function(t){return null!=t&&!0===t._isBuffer&&t!==f.prototype},f.compare=function(t,r){if(j(t,Uint8Array)&&(t=f.from(t,t.offset,t.byteLength)),j(r,Uint8Array)&&(r=f.from(r,r.offset,r.byteLength)),!f.isBuffer(t)||!f.isBuffer(r))throw new TypeError('The "buf1", "buf2" arguments must be one of type Buffer or Uint8Array');if(t===r)return 0;for(var e=t.length,n=r.length,i=0,o=Math.min(e,n);i<o;++i)if(t[i]!==r[i]){e=t[i],n=r[i];break}return e<n?-1:n<e?1:0},f.isEncoding=function(t){switch(String(t).toLowerCase()){case"hex":case"utf8":case"utf-8":case"ascii":case"latin1":case"binary":case"base64":case"ucs2":case"ucs-2":case"utf16le":case"utf-16le":return!0;default:return!1}},f.concat=function(t,r){if(!Array.isArray(t))throw new TypeError('"list" argument must be an Array of Buffers');if(0===t.length)return f.alloc(0);var e;if(void 0===r)for(r=0,e=0;e<t.length;++e)r+=t[e].length;var n=f.allocUnsafe(r),i=0;for(e=0;e<t.length;++e){var o=t[e];if(j(o,Uint8Array)&&(o=f.from(o)),!f.isBuffer(o))throw new TypeError('"list" argument must be an Array of Buffers');o.copy(n,i),i+=o.length}return n},f.byteLength=p,f.prototype._isBuffer=!0,f.prototype.swap16=function(){var t=this.length;if(t%2!=0)throw new RangeError("Buffer size must be a multiple of 16-bits");for(var r=0;r<t;r+=2)l(this,r,r+1);return this},f.prototype.swap32=function(){var t=this.length;if(t%4!=0)throw new RangeError("Buffer size must be a multiple of 32-bits");for(var r=0;r<t;r+=4)l(this,r,r+3),l(this,r+1,r+2);return this},f.prototype.swap64=function(){var t=this.length;if(t%8!=0)throw new RangeError("Buffer size must be a multiple of 64-bits");for(var r=0;r<t;r+=8)l(this,r,r+7),l(this,r+1,r+6),l(this,r+2,r+5),l(this,r+3,r+4);return this},f.prototype.toString=function(){var t=this.length;return 0===t?"":0===arguments.length?A(this,0,t):function(t,r,e){var n=!1;if((void 0===r||r<0)&&(r=0),r>this.length)return"";if((void 0===e||e>this.length)&&(e=this.length),e<=0)return"";if((e>>>=0)<=(r>>>=0))return"";for(t||(t="utf8");;)switch(t){case"hex":return T(this,r,e);case"utf8":case"utf-8":return A(this,r,e);case"ascii":return U(this,r,e);case"latin1":case"binary":return R(this,r,e);case"base64":return v(this,r,e);case"ucs2":case"ucs-2":case"utf16le":case"utf-16le":return _(this,r,e);default:if(n)throw new TypeError("Unknown encoding: "+t);t=(t+"").toLowerCase(),n=!0}}.apply(this,arguments)},f.prototype.toLocaleString=f.prototype.toString,f.prototype.equals=function(t){if(!f.isBuffer(t))throw new TypeError("Argument must be a Buffer");return this===t||0===f.compare(this,t)},f.prototype.inspect=function(){var t="",r=e.INSPECT_MAX_BYTES;return t=this.toString("hex",0,r).replace(/(.{2})/g,"$1 ").trim(),this.length>r&&(t+=" ... "),"<Buffer "+t+">"},f.prototype.compare=function(t,r,e,n,i){if(j(t,Uint8Array)&&(t=f.from(t,t.offset,t.byteLength)),!f.isBuffer(t))throw new TypeError('The "target" argument must be one of type Buffer or Uint8Array. Received type '+typeof t);if(void 0===r&&(r=0),void 0===e&&(e=t?t.length:0),void 0===n&&(n=0),void 0===i&&(i=this.length),r<0||e>t.length||n<0||i>this.length)throw new RangeError("out of range index");if(n>=i&&r>=e)return 0;if(n>=i)return-1;if(r>=e)return 1;if(this===t)return 0;for(var o=(i>>>=0)-(n>>>=0),u=(e>>>=0)-(r>>>=0),s=Math.min(o,u),h=this.slice(n,i),a=t.slice(r,e),c=0;c<s;++c)if(h[c]!==a[c]){o=h[c],u=a[c];break}return o<u?-1:u<o?1:0},f.prototype.includes=function(t,r,e){return-1!==this.indexOf(t,r,e)},f.prototype.indexOf=function(t,r,e){return y(this,t,r,e,!0)},f.prototype.lastIndexOf=function(t,r,e){return y(this,t,r,e,!1)},f.prototype.write=function(t,r,e,n){if(void 0===r)n="utf8",e=this.length,r=0;else if(void 0===e&&"string"==typeof r)n=r,e=this.length,r=0;else{if(!isFinite(r))throw new Error("Buffer.write(string, encoding, offset[, length]) is no longer supported");r>>>=0,isFinite(e)?(e>>>=0,void 0===n&&(n="utf8")):(n=e,e=void 0)}var i=this.length-r;if((void 0===e||e>i)&&(e=i),t.length>0&&(e<0||r<0)||r>this.length)throw new RangeError("Attempt to write outside buffer bounds");n||(n="utf8");for(var o=!1;;)switch(n){case"hex":return w(this,t,r,e);case"utf8":case"utf-8":return d(this,t,r,e);case"ascii":return b(this,t,r,e);case"latin1":case"binary":return m(this,t,r,e);case"base64":return E(this,t,r,e);case"ucs2":case"ucs-2":case"utf16le":case"utf-16le":return B(this,t,r,e);default:if(o)throw new TypeError("Unknown encoding: "+n);n=(""+n).toLowerCase(),o=!0}},f.prototype.toJSON=function(){return{type:"Buffer",data:Array.prototype.slice.call(this._arr||this,0)}};var I=4096;function U(t,r,e){var n="";e=Math.min(t.length,e);for(var i=r;i<e;++i)n+=String.fromCharCode(127&t[i]);return n}function R(t,r,e){var n="";e=Math.min(t.length,e);for(var i=r;i<e;++i)n+=String.fromCharCode(t[i]);return n}function T(t,r,e){var n=t.length;(!r||r<0)&&(r=0),(!e||e<0||e>n)&&(e=n);for(var i="",o=r;o<e;++o)i+=P(t[o]);return i}function _(t,r,e){for(var n=t.slice(r,e),i="",o=0;o<n.length;o+=2)i+=String.fromCharCode(n[o]+256*n[o+1]);return i}function L(t,r,e){if(t%1!=0||t<0)throw new RangeError("offset is not uint");if(t+r>e)throw new RangeError("Trying to access beyond buffer length")}function S(t,r,e,n,i,o){if(!f.isBuffer(t))throw new TypeError('"buffer" argument must be a Buffer instance');if(r>i||r<o)throw new RangeError('"value" argument is out of bounds');if(e+n>t.length)throw new RangeError("Index out of range")}function O(t,r,e,n,i,o){if(e+n>t.length)throw new RangeError("Index out of range");if(e<0)throw new RangeError("Index out of range")}function x(t,r,e,i,o){return r=+r,e>>>=0,o||O(t,0,e,4),n.write(t,r,e,i,23,4),e+4}function C(t,r,e,i,o){return r=+r,e>>>=0,o||O(t,0,e,8),n.write(t,r,e,i,52,8),e+8}f.prototype.slice=function(t,r){var e=this.length;(t=~~t)<0?(t+=e)<0&&(t=0):t>e&&(t=e),(r=void 0===r?e:~~r)<0?(r+=e)<0&&(r=0):r>e&&(r=e),r<t&&(r=t);var n=this.subarray(t,r);return n.__proto__=f.prototype,n},f.prototype.readUIntLE=function(t,r,e){t>>>=0,r>>>=0,e||L(t,r,this.length);for(var n=this[t],i=1,o=0;++o<r&&(i*=256);)n+=this[t+o]*i;return n},f.prototype.readUIntBE=function(t,r,e){t>>>=0,r>>>=0,e||L(t,r,this.length);for(var n=this[t+--r],i=1;r>0&&(i*=256);)n+=this[t+--r]*i;return n},f.prototype.readUInt8=function(t,r){return t>>>=0,r||L(t,1,this.length),this[t]},f.prototype.readUInt16LE=function(t,r){return t>>>=0,r||L(t,2,this.length),this[t]|this[t+1]<<8},f.prototype.readUInt16BE=function(t,r){return t>>>=0,r||L(t,2,this.length),this[t]<<8|this[t+1]},f.prototype.readUInt32LE=function(t,r){return t>>>=0,r||L(t,4,this.length),(this[t]|this[t+1]<<8|this[t+2]<<16)+16777216*this[t+3]},f.prototype.readUInt32BE=function(t,r){return t>>>=0,r||L(t,4,this.length),16777216*this[t]+(this[t+1]<<16|this[t+2]<<8|this[t+3])},f.prototype.readIntLE=function(t,r,e){t>>>=0,r>>>=0,e||L(t,r,this.length);for(var n=this[t],i=1,o=0;++o<r&&(i*=256);)n+=this[t+o]*i;return n>=(i*=128)&&(n-=Math.pow(2,8*r)),n},f.prototype.readIntBE=function(t,r,e){t>>>=0,r>>>=0,e||L(t,r,this.length);for(var n=r,i=1,o=this[t+--n];n>0&&(i*=256);)o+=this[t+--n]*i;return o>=(i*=128)&&(o-=Math.pow(2,8*r)),o},f.prototype.readInt8=function(t,r){return t>>>=0,r||L(t,1,this.length),128&this[t]?-1*(255-this[t]+1):this[t]},f.prototype.readInt16LE=function(t,r){t>>>=0,r||L(t,2,this.length);var e=this[t]|this[t+1]<<8;return 32768&e?4294901760|e:e},f.prototype.readInt16BE=function(t,r){t>>>=0,r||L(t,2,this.length);var e=this[t+1]|this[t]<<8;return 32768&e?4294901760|e:e},f.prototype.readInt32LE=function(t,r){return t>>>=0,r||L(t,4,this.length),this[t]|this[t+1]<<8|this[t+2]<<16|this[t+3]<<24},f.prototype.readInt32BE=function(t,r){return t>>>=0,r||L(t,4,this.length),this[t]<<24|this[t+1]<<16|this[t+2]<<8|this[t+3]},f.prototype.readFloatLE=function(t,r){return t>>>=0,r||L(t,4,this.length),n.read(this,t,!0,23,4)},f.prototype.readFloatBE=function(t,r){return t>>>=0,r||L(t,4,this.length),n.read(this,t,!1,23,4)},f.prototype.readDoubleLE=function(t,r){return t>>>=0,r||L(t,8,this.length),n.read(this,t,!0,52,8)},f.prototype.readDoubleBE=function(t,r){return t>>>=0,r||L(t,8,this.length),n.read(this,t,!1,52,8)},f.prototype.writeUIntLE=function(t,r,e,n){(t=+t,r>>>=0,e>>>=0,n)||S(this,t,r,e,Math.pow(2,8*e)-1,0);var i=1,o=0;for(this[r]=255&t;++o<e&&(i*=256);)this[r+o]=t/i&255;return r+e},f.prototype.writeUIntBE=function(t,r,e,n){(t=+t,r>>>=0,e>>>=0,n)||S(this,t,r,e,Math.pow(2,8*e)-1,0);var i=e-1,o=1;for(this[r+i]=255&t;--i>=0&&(o*=256);)this[r+i]=t/o&255;return r+e},f.prototype.writeUInt8=function(t,r,e){return t=+t,r>>>=0,e||S(this,t,r,1,255,0),this[r]=255&t,r+1},f.prototype.writeUInt16LE=function(t,r,e){return t=+t,r>>>=0,e||S(this,t,r,2,65535,0),this[r]=255&t,this[r+1]=t>>>8,r+2},f.prototype.writeUInt16BE=function(t,r,e){return t=+t,r>>>=0,e||S(this,t,r,2,65535,0),this[r]=t>>>8,this[r+1]=255&t,r+2},f.prototype.writeUInt32LE=function(t,r,e){return t=+t,r>>>=0,e||S(this,t,r,4,4294967295,0),this[r+3]=t>>>24,this[r+2]=t>>>16,this[r+1]=t>>>8,this[r]=255&t,r+4},f.prototype.writeUInt32BE=function(t,r,e){return t=+t,r>>>=0,e||S(this,t,r,4,4294967295,0),this[r]=t>>>24,this[r+1]=t>>>16,this[r+2]=t>>>8,this[r+3]=255&t,r+4},f.prototype.writeIntLE=function(t,r,e,n){if(t=+t,r>>>=0,!n){var i=Math.pow(2,8*e-1);S(this,t,r,e,i-1,-i)}var o=0,f=1,u=0;for(this[r]=255&t;++o<e&&(f*=256);)t<0&&0===u&&0!==this[r+o-1]&&(u=1),this[r+o]=(t/f>>0)-u&255;return r+e},f.prototype.writeIntBE=function(t,r,e,n){if(t=+t,r>>>=0,!n){var i=Math.pow(2,8*e-1);S(this,t,r,e,i-1,-i)}var o=e-1,f=1,u=0;for(this[r+o]=255&t;--o>=0&&(f*=256);)t<0&&0===u&&0!==this[r+o+1]&&(u=1),this[r+o]=(t/f>>0)-u&255;return r+e},f.prototype.writeInt8=function(t,r,e){return t=+t,r>>>=0,e||S(this,t,r,1,127,-128),t<0&&(t=255+t+1),this[r]=255&t,r+1},f.prototype.writeInt16LE=function(t,r,e){return t=+t,r>>>=0,e||S(this,t,r,2,32767,-32768),this[r]=255&t,this[r+1]=t>>>8,r+2},f.prototype.writeInt16BE=function(t,r,e){return t=+t,r>>>=0,e||S(this,t,r,2,32767,-32768),this[r]=t>>>8,this[r+1]=255&t,r+2},f.prototype.writeInt32LE=function(t,r,e){return t=+t,r>>>=0,e||S(this,t,r,4,2147483647,-2147483648),this[r]=255&t,this[r+1]=t>>>8,this[r+2]=t>>>16,this[r+3]=t>>>24,r+4},f.prototype.writeInt32BE=function(t,r,e){return t=+t,r>>>=0,e||S(this,t,r,4,2147483647,-2147483648),t<0&&(t=4294967295+t+1),this[r]=t>>>24,this[r+1]=t>>>16,this[r+2]=t>>>8,this[r+3]=255&t,r+4},f.prototype.writeFloatLE=function(t,r,e){return x(this,t,r,!0,e)},f.prototype.writeFloatBE=function(t,r,e){return x(this,t,r,!1,e)},f.prototype.writeDoubleLE=function(t,r,e){return C(this,t,r,!0,e)},f.prototype.writeDoubleBE=function(t,r,e){return C(this,t,r,!1,e)},f.prototype.copy=function(t,r,e,n){if(!f.isBuffer(t))throw new TypeError("argument should be a Buffer");if(e||(e=0),n||0===n||(n=this.length),r>=t.length&&(r=t.length),r||(r=0),n>0&&n<e&&(n=e),n===e)return 0;if(0===t.length||0===this.length)return 0;if(r<0)throw new RangeError("targetStart out of bounds");if(e<0||e>=this.length)throw new RangeError("Index out of range");if(n<0)throw new RangeError("sourceEnd out of bounds");n>this.length&&(n=this.length),t.length-r<n-e&&(n=t.length-r+e);var i=n-e;if(this===t&&"function"==typeof Uint8Array.prototype.copyWithin)this.copyWithin(r,e,n);else if(this===t&&e<r&&r<n)for(var o=i-1;o>=0;--o)t[o+r]=this[o+e];else Uint8Array.prototype.set.call(t,this.subarray(e,n),r);return i},f.prototype.fill=function(t,r,e,n){if("string"==typeof t){if("string"==typeof r?(n=r,r=0,e=this.length):"string"==typeof e&&(n=e,e=this.length),void 0!==n&&"string"!=typeof n)throw new TypeError("encoding must be a string");if("string"==typeof n&&!f.isEncoding(n))throw new TypeError("Unknown encoding: "+n);if(1===t.length){var i=t.charCodeAt(0);("utf8"===n&&i<128||"latin1"===n)&&(t=i)}}else"number"==typeof t&&(t&=255);if(r<0||this.length<r||this.length<e)throw new RangeError("Out of range index");if(e<=r)return this;var o;if(r>>>=0,e=void 0===e?this.length:e>>>0,t||(t=0),"number"==typeof t)for(o=r;o<e;++o)this[o]=t;else{var u=f.isBuffer(t)?t:f.from(t,n),s=u.length;if(0===s)throw new TypeError('The value "'+t+'" is invalid for argument "value"');for(o=0;o<e-r;++o)this[o+r]=u[o%s]}return this};var M=/[^+/0-9A-Za-z-_]/g;function P(t){return t<16?"0"+t.toString(16):t.toString(16)}function k(t,r){var e;r=r||1/0;for(var n=t.length,i=null,o=[],f=0;f<n;++f){if((e=t.charCodeAt(f))>55295&&e<57344){if(!i){if(e>56319){(r-=3)>-1&&o.push(239,191,189);continue}if(f+1===n){(r-=3)>-1&&o.push(239,191,189);continue}i=e;continue}if(e<56320){(r-=3)>-1&&o.push(239,191,189),i=e;continue}e=65536+(i-55296<<10|e-56320)}else i&&(r-=3)>-1&&o.push(239,191,189);if(i=null,e<128){if((r-=1)<0)break;o.push(e)}else if(e<2048){if((r-=2)<0)break;o.push(e>>6|192,63&e|128)}else if(e<65536){if((r-=3)<0)break;o.push(e>>12|224,e>>6&63|128,63&e|128)}else{if(!(e<1114112))throw new Error("Invalid code point");if((r-=4)<0)break;o.push(e>>18|240,e>>12&63|128,e>>6&63|128,63&e|128)}}return o}function N(t){return r.toByteArray(function(t){if((t=(t=t.split("=")[0]).trim().replace(M,"")).length<2)return"";for(;t.length%4!=0;)t+="=";return t}(t))}function $(t,r,e,n){for(var i=0;i<n&&!(i+e>=r.length||i>=t.length);++i)r[i+e]=t[i];return i}function j(t,r){return t instanceof r||null!=t&&null!=t.constructor&&null!=t.constructor.name&&t.constructor.name===r.name}function F(t){return t!=t}}).call(this)}).call(this,t("buffer").Buffer)},{"base64-js":4,buffer:5,ieee754:6}],6:[function(t,r,e){arguments[4][3][0].apply(e,arguments)},{dup:3}]},{},[1]);
diff --git a/apps/static/js/plugins/cryptojs/crypto-js.min.js b/apps/static/js/plugins/cryptojs/crypto-js.min.js
new file mode 100644
index 000000000..1deebee38
--- /dev/null
+++ b/apps/static/js/plugins/cryptojs/crypto-js.min.js
@@ -0,0 +1 @@
+!function(t,e){"object"==typeof exports?module.exports=exports=e():"function"==typeof define&&define.amd?define([],e):t.CryptoJS=e()}(this,function(){var h,t,e,r,i,n,f,o,s,c,a,l,d,m,x,b,H,z,A,u,p,_,v,y,g,B,w,k,S,C,D,E,R,M,F,P,W,O,I,U,K,X,L,j,N,T,q,Z,V,G,J,$,Q,Y,tt,et,rt,it,nt,ot,st,ct,at,ht,lt,ft,dt,ut,pt,_t,vt,yt,gt,Bt,wt,kt,St,bt=bt||function(l){var t;if("undefined"!=typeof window&&window.crypto&&(t=window.crypto),!t&&"undefined"!=typeof window&&window.msCrypto&&(t=window.msCrypto),!t&&"undefined"!=typeof global&&global.crypto&&(t=global.crypto),!t&&"function"==typeof require)try{t=require("crypto")}catch(t){}function i(){if(t){if("function"==typeof t.getRandomValues)try{return t.getRandomValues(new Uint32Array(1))[0]}catch(t){}if("function"==typeof t.randomBytes)try{return t.randomBytes(4).readInt32LE()}catch(t){}}throw new Error("Native crypto module could not be used to get secure random number.")}var r=Object.create||function(t){var e;return n.prototype=t,e=new n,n.prototype=null,e};function n(){}var e={},o=e.lib={},s=o.Base={extend:function(t){var e=r(this);return t&&e.mixIn(t),e.hasOwnProperty("init")&&this.init!==e.init||(e.init=function(){e.$super.init.apply(this,arguments)}),(e.init.prototype=e).$super=this,e},create:function(){var t=this.extend();return t.init.apply(t,arguments),t},init:function(){},mixIn:function(t){for(var e in t)t.hasOwnProperty(e)&&(this[e]=t[e]);t.hasOwnProperty("toString")&&(this.toString=t.toString)},clone:function(){return this.init.prototype.extend(this)}},f=o.WordArray=s.extend({init:function(t,e){t=this.words=t||[],this.sigBytes=null!=e?e:4*t.length},toString:function(t){return(t||a).stringify(this)},concat:function(t){var e=this.words,r=t.words,i=this.sigBytes,n=t.sigBytes;if(this.clamp(),i%4)for(var o=0;o<n;o++){var s=r[o>>>2]>>>24-o%4*8&255;e[i+o>>>2]|=s<<24-(i+o)%4*8}else for(o=0;o<n;o+=4)e[i+o>>>2]=r[o>>>2];return this.sigBytes+=n,this},clamp:function(){var t=this.words,e=this.sigBytes;t[e>>>2]&=4294967295<<32-e%4*8,t.length=l.ceil(e/4)},clone:function(){var t=s.clone.call(this);return t.words=this.words.slice(0),t},random:function(t){for(var e=[],r=0;r<t;r+=4)e.push(i());return new f.init(e,t)}}),c=e.enc={},a=c.Hex={stringify:function(t){for(var e=t.words,r=t.sigBytes,i=[],n=0;n<r;n++){var o=e[n>>>2]>>>24-n%4*8&255;i.push((o>>>4).toString(16)),i.push((15&o).toString(16))}return i.join("")},parse:function(t){for(var e=t.length,r=[],i=0;i<e;i+=2)r[i>>>3]|=parseInt(t.substr(i,2),16)<<24-i%8*4;return new f.init(r,e/2)}},h=c.Latin1={stringify:function(t){for(var e=t.words,r=t.sigBytes,i=[],n=0;n<r;n++){var o=e[n>>>2]>>>24-n%4*8&255;i.push(String.fromCharCode(o))}return i.join("")},parse:function(t){for(var e=t.length,r=[],i=0;i<e;i++)r[i>>>2]|=(255&t.charCodeAt(i))<<24-i%4*8;return new f.init(r,e)}},d=c.Utf8={stringify:function(t){try{return decodeURIComponent(escape(h.stringify(t)))}catch(t){throw new Error("Malformed UTF-8 data")}},parse:function(t){return h.parse(unescape(encodeURIComponent(t)))}},u=o.BufferedBlockAlgorithm=s.extend({reset:function(){this._data=new f.init,this._nDataBytes=0},_append:function(t){"string"==typeof t&&(t=d.parse(t)),this._data.concat(t),this._nDataBytes+=t.sigBytes},_process:function(t){var e,r=this._data,i=r.words,n=r.sigBytes,o=this.blockSize,s=n/(4*o),c=(s=t?l.ceil(s):l.max((0|s)-this._minBufferSize,0))*o,a=l.min(4*c,n);if(c){for(var h=0;h<c;h+=o)this._doProcessBlock(i,h);e=i.splice(0,c),r.sigBytes-=a}return new f.init(e,a)},clone:function(){var t=s.clone.call(this);return t._data=this._data.clone(),t},_minBufferSize:0}),p=(o.Hasher=u.extend({cfg:s.extend(),init:function(t){this.cfg=this.cfg.extend(t),this.reset()},reset:function(){u.reset.call(this),this._doReset()},update:function(t){return this._append(t),this._process(),this},finalize:function(t){return t&&this._append(t),this._doFinalize()},blockSize:16,_createHelper:function(r){return function(t,e){return new r.init(e).finalize(t)}},_createHmacHelper:function(r){return function(t,e){return new p.HMAC.init(r,e).finalize(t)}}}),e.algo={});return e}(Math);function mt(t,e,r){return t^e^r}function xt(t,e,r){return t&e|~t&r}function Ht(t,e,r){return(t|~e)^r}function zt(t,e,r){return t&r|e&~r}function At(t,e,r){return t^(e|~r)}function Ct(t,e){return t<<e|t>>>32-e}function Dt(t,e,r,i){var n,o=this._iv;o?(n=o.slice(0),this._iv=void 0):n=this._prevBlock,i.encryptBlock(n,0);for(var s=0;s<r;s++)t[e+s]^=n[s]}function Et(t){if(255==(t>>24&255)){var e=t>>16&255,r=t>>8&255,i=255&t;255===e?(e=0,255===r?(r=0,255===i?i=0:++i):++r):++e,t=0,t+=e<<16,t+=r<<8,t+=i}else t+=1<<24;return t}function Rt(){for(var t=this._X,e=this._C,r=0;r<8;r++)ft[r]=e[r];e[0]=e[0]+1295307597+this._b|0,e[1]=e[1]+3545052371+(e[0]>>>0<ft[0]>>>0?1:0)|0,e[2]=e[2]+886263092+(e[1]>>>0<ft[1]>>>0?1:0)|0,e[3]=e[3]+1295307597+(e[2]>>>0<ft[2]>>>0?1:0)|0,e[4]=e[4]+3545052371+(e[3]>>>0<ft[3]>>>0?1:0)|0,e[5]=e[5]+886263092+(e[4]>>>0<ft[4]>>>0?1:0)|0,e[6]=e[6]+1295307597+(e[5]>>>0<ft[5]>>>0?1:0)|0,e[7]=e[7]+3545052371+(e[6]>>>0<ft[6]>>>0?1:0)|0,this._b=e[7]>>>0<ft[7]>>>0?1:0;for(r=0;r<8;r++){var i=t[r]+e[r],n=65535&i,o=i>>>16,s=((n*n>>>17)+n*o>>>15)+o*o,c=((4294901760&i)*i|0)+((65535&i)*i|0);dt[r]=s^c}t[0]=dt[0]+(dt[7]<<16|dt[7]>>>16)+(dt[6]<<16|dt[6]>>>16)|0,t[1]=dt[1]+(dt[0]<<8|dt[0]>>>24)+dt[7]|0,t[2]=dt[2]+(dt[1]<<16|dt[1]>>>16)+(dt[0]<<16|dt[0]>>>16)|0,t[3]=dt[3]+(dt[2]<<8|dt[2]>>>24)+dt[1]|0,t[4]=dt[4]+(dt[3]<<16|dt[3]>>>16)+(dt[2]<<16|dt[2]>>>16)|0,t[5]=dt[5]+(dt[4]<<8|dt[4]>>>24)+dt[3]|0,t[6]=dt[6]+(dt[5]<<16|dt[5]>>>16)+(dt[4]<<16|dt[4]>>>16)|0,t[7]=dt[7]+(dt[6]<<8|dt[6]>>>24)+dt[5]|0}function Mt(){for(var t=this._X,e=this._C,r=0;r<8;r++)wt[r]=e[r];e[0]=e[0]+1295307597+this._b|0,e[1]=e[1]+3545052371+(e[0]>>>0<wt[0]>>>0?1:0)|0,e[2]=e[2]+886263092+(e[1]>>>0<wt[1]>>>0?1:0)|0,e[3]=e[3]+1295307597+(e[2]>>>0<wt[2]>>>0?1:0)|0,e[4]=e[4]+3545052371+(e[3]>>>0<wt[3]>>>0?1:0)|0,e[5]=e[5]+886263092+(e[4]>>>0<wt[4]>>>0?1:0)|0,e[6]=e[6]+1295307597+(e[5]>>>0<wt[5]>>>0?1:0)|0,e[7]=e[7]+3545052371+(e[6]>>>0<wt[6]>>>0?1:0)|0,this._b=e[7]>>>0<wt[7]>>>0?1:0;for(r=0;r<8;r++){var i=t[r]+e[r],n=65535&i,o=i>>>16,s=((n*n>>>17)+n*o>>>15)+o*o,c=((4294901760&i)*i|0)+((65535&i)*i|0);kt[r]=s^c}t[0]=kt[0]+(kt[7]<<16|kt[7]>>>16)+(kt[6]<<16|kt[6]>>>16)|0,t[1]=kt[1]+(kt[0]<<8|kt[0]>>>24)+kt[7]|0,t[2]=kt[2]+(kt[1]<<16|kt[1]>>>16)+(kt[0]<<16|kt[0]>>>16)|0,t[3]=kt[3]+(kt[2]<<8|kt[2]>>>24)+kt[1]|0,t[4]=kt[4]+(kt[3]<<16|kt[3]>>>16)+(kt[2]<<16|kt[2]>>>16)|0,t[5]=kt[5]+(kt[4]<<8|kt[4]>>>24)+kt[3]|0,t[6]=kt[6]+(kt[5]<<16|kt[5]>>>16)+(kt[4]<<16|kt[4]>>>16)|0,t[7]=kt[7]+(kt[6]<<8|kt[6]>>>24)+kt[5]|0}return h=bt.lib.WordArray,bt.enc.Base64={stringify:function(t){var e=t.words,r=t.sigBytes,i=this._map;t.clamp();for(var n=[],o=0;o<r;o+=3)for(var s=(e[o>>>2]>>>24-o%4*8&255)<<16|(e[o+1>>>2]>>>24-(o+1)%4*8&255)<<8|e[o+2>>>2]>>>24-(o+2)%4*8&255,c=0;c<4&&o+.75*c<r;c++)n.push(i.charAt(s>>>6*(3-c)&63));var a=i.charAt(64);if(a)for(;n.length%4;)n.push(a);return n.join("")},parse:function(t){var e=t.length,r=this._map,i=this._reverseMap;if(!i){i=this._reverseMap=[];for(var n=0;n<r.length;n++)i[r.charCodeAt(n)]=n}var o=r.charAt(64);if(o){var s=t.indexOf(o);-1!==s&&(e=s)}return function(t,e,r){for(var i=[],n=0,o=0;o<e;o++)if(o%4){var s=r[t.charCodeAt(o-1)]<<o%4*2,c=r[t.charCodeAt(o)]>>>6-o%4*2,a=s|c;i[n>>>2]|=a<<24-n%4*8,n++}return h.create(i,n)}(t,e,i)},_map:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="},function(l){var t=bt,e=t.lib,r=e.WordArray,i=e.Hasher,n=t.algo,H=[];!function(){for(var t=0;t<64;t++)H[t]=4294967296*l.abs(l.sin(t+1))|0}();var o=n.MD5=i.extend({_doReset:function(){this._hash=new r.init([1732584193,4023233417,2562383102,271733878])},_doProcessBlock:function(t,e){for(var r=0;r<16;r++){var i=e+r,n=t[i];t[i]=16711935&(n<<8|n>>>24)|4278255360&(n<<24|n>>>8)}var o=this._hash.words,s=t[e+0],c=t[e+1],a=t[e+2],h=t[e+3],l=t[e+4],f=t[e+5],d=t[e+6],u=t[e+7],p=t[e+8],_=t[e+9],v=t[e+10],y=t[e+11],g=t[e+12],B=t[e+13],w=t[e+14],k=t[e+15],S=o[0],m=o[1],x=o[2],b=o[3];S=z(S,m,x,b,s,7,H[0]),b=z(b,S,m,x,c,12,H[1]),x=z(x,b,S,m,a,17,H[2]),m=z(m,x,b,S,h,22,H[3]),S=z(S,m,x,b,l,7,H[4]),b=z(b,S,m,x,f,12,H[5]),x=z(x,b,S,m,d,17,H[6]),m=z(m,x,b,S,u,22,H[7]),S=z(S,m,x,b,p,7,H[8]),b=z(b,S,m,x,_,12,H[9]),x=z(x,b,S,m,v,17,H[10]),m=z(m,x,b,S,y,22,H[11]),S=z(S,m,x,b,g,7,H[12]),b=z(b,S,m,x,B,12,H[13]),x=z(x,b,S,m,w,17,H[14]),S=A(S,m=z(m,x,b,S,k,22,H[15]),x,b,c,5,H[16]),b=A(b,S,m,x,d,9,H[17]),x=A(x,b,S,m,y,14,H[18]),m=A(m,x,b,S,s,20,H[19]),S=A(S,m,x,b,f,5,H[20]),b=A(b,S,m,x,v,9,H[21]),x=A(x,b,S,m,k,14,H[22]),m=A(m,x,b,S,l,20,H[23]),S=A(S,m,x,b,_,5,H[24]),b=A(b,S,m,x,w,9,H[25]),x=A(x,b,S,m,h,14,H[26]),m=A(m,x,b,S,p,20,H[27]),S=A(S,m,x,b,B,5,H[28]),b=A(b,S,m,x,a,9,H[29]),x=A(x,b,S,m,u,14,H[30]),S=C(S,m=A(m,x,b,S,g,20,H[31]),x,b,f,4,H[32]),b=C(b,S,m,x,p,11,H[33]),x=C(x,b,S,m,y,16,H[34]),m=C(m,x,b,S,w,23,H[35]),S=C(S,m,x,b,c,4,H[36]),b=C(b,S,m,x,l,11,H[37]),x=C(x,b,S,m,u,16,H[38]),m=C(m,x,b,S,v,23,H[39]),S=C(S,m,x,b,B,4,H[40]),b=C(b,S,m,x,s,11,H[41]),x=C(x,b,S,m,h,16,H[42]),m=C(m,x,b,S,d,23,H[43]),S=C(S,m,x,b,_,4,H[44]),b=C(b,S,m,x,g,11,H[45]),x=C(x,b,S,m,k,16,H[46]),S=D(S,m=C(m,x,b,S,a,23,H[47]),x,b,s,6,H[48]),b=D(b,S,m,x,u,10,H[49]),x=D(x,b,S,m,w,15,H[50]),m=D(m,x,b,S,f,21,H[51]),S=D(S,m,x,b,g,6,H[52]),b=D(b,S,m,x,h,10,H[53]),x=D(x,b,S,m,v,15,H[54]),m=D(m,x,b,S,c,21,H[55]),S=D(S,m,x,b,p,6,H[56]),b=D(b,S,m,x,k,10,H[57]),x=D(x,b,S,m,d,15,H[58]),m=D(m,x,b,S,B,21,H[59]),S=D(S,m,x,b,l,6,H[60]),b=D(b,S,m,x,y,10,H[61]),x=D(x,b,S,m,a,15,H[62]),m=D(m,x,b,S,_,21,H[63]),o[0]=o[0]+S|0,o[1]=o[1]+m|0,o[2]=o[2]+x|0,o[3]=o[3]+b|0},_doFinalize:function(){var t=this._data,e=t.words,r=8*this._nDataBytes,i=8*t.sigBytes;e[i>>>5]|=128<<24-i%32;var n=l.floor(r/4294967296),o=r;e[15+(64+i>>>9<<4)]=16711935&(n<<8|n>>>24)|4278255360&(n<<24|n>>>8),e[14+(64+i>>>9<<4)]=16711935&(o<<8|o>>>24)|4278255360&(o<<24|o>>>8),t.sigBytes=4*(e.length+1),this._process();for(var s=this._hash,c=s.words,a=0;a<4;a++){var h=c[a];c[a]=16711935&(h<<8|h>>>24)|4278255360&(h<<24|h>>>8)}return s},clone:function(){var t=i.clone.call(this);return t._hash=this._hash.clone(),t}});function z(t,e,r,i,n,o,s){var c=t+(e&r|~e&i)+n+s;return(c<<o|c>>>32-o)+e}function A(t,e,r,i,n,o,s){var c=t+(e&i|r&~i)+n+s;return(c<<o|c>>>32-o)+e}function C(t,e,r,i,n,o,s){var c=t+(e^r^i)+n+s;return(c<<o|c>>>32-o)+e}function D(t,e,r,i,n,o,s){var c=t+(r^(e|~i))+n+s;return(c<<o|c>>>32-o)+e}t.MD5=i._createHelper(o),t.HmacMD5=i._createHmacHelper(o)}(Math),e=(t=bt).lib,r=e.WordArray,i=e.Hasher,n=t.algo,f=[],o=n.SHA1=i.extend({_doReset:function(){this._hash=new r.init([1732584193,4023233417,2562383102,271733878,3285377520])},_doProcessBlock:function(t,e){for(var r=this._hash.words,i=r[0],n=r[1],o=r[2],s=r[3],c=r[4],a=0;a<80;a++){if(a<16)f[a]=0|t[e+a];else{var h=f[a-3]^f[a-8]^f[a-14]^f[a-16];f[a]=h<<1|h>>>31}var l=(i<<5|i>>>27)+c+f[a];l+=a<20?1518500249+(n&o|~n&s):a<40?1859775393+(n^o^s):a<60?(n&o|n&s|o&s)-1894007588:(n^o^s)-899497514,c=s,s=o,o=n<<30|n>>>2,n=i,i=l}r[0]=r[0]+i|0,r[1]=r[1]+n|0,r[2]=r[2]+o|0,r[3]=r[3]+s|0,r[4]=r[4]+c|0},_doFinalize:function(){var t=this._data,e=t.words,r=8*this._nDataBytes,i=8*t.sigBytes;return e[i>>>5]|=128<<24-i%32,e[14+(64+i>>>9<<4)]=Math.floor(r/4294967296),e[15+(64+i>>>9<<4)]=r,t.sigBytes=4*e.length,this._process(),this._hash},clone:function(){var t=i.clone.call(this);return t._hash=this._hash.clone(),t}}),t.SHA1=i._createHelper(o),t.HmacSHA1=i._createHmacHelper(o),function(n){var t=bt,e=t.lib,r=e.WordArray,i=e.Hasher,o=t.algo,s=[],B=[];!function(){function t(t){for(var e=n.sqrt(t),r=2;r<=e;r++)if(!(t%r))return;return 1}function e(t){return 4294967296*(t-(0|t))|0}for(var r=2,i=0;i<64;)t(r)&&(i<8&&(s[i]=e(n.pow(r,.5))),B[i]=e(n.pow(r,1/3)),i++),r++}();var w=[],c=o.SHA256=i.extend({_doReset:function(){this._hash=new r.init(s.slice(0))},_doProcessBlock:function(t,e){for(var r=this._hash.words,i=r[0],n=r[1],o=r[2],s=r[3],c=r[4],a=r[5],h=r[6],l=r[7],f=0;f<64;f++){if(f<16)w[f]=0|t[e+f];else{var d=w[f-15],u=(d<<25|d>>>7)^(d<<14|d>>>18)^d>>>3,p=w[f-2],_=(p<<15|p>>>17)^(p<<13|p>>>19)^p>>>10;w[f]=u+w[f-7]+_+w[f-16]}var v=i&n^i&o^n&o,y=(i<<30|i>>>2)^(i<<19|i>>>13)^(i<<10|i>>>22),g=l+((c<<26|c>>>6)^(c<<21|c>>>11)^(c<<7|c>>>25))+(c&a^~c&h)+B[f]+w[f];l=h,h=a,a=c,c=s+g|0,s=o,o=n,n=i,i=g+(y+v)|0}r[0]=r[0]+i|0,r[1]=r[1]+n|0,r[2]=r[2]+o|0,r[3]=r[3]+s|0,r[4]=r[4]+c|0,r[5]=r[5]+a|0,r[6]=r[6]+h|0,r[7]=r[7]+l|0},_doFinalize:function(){var t=this._data,e=t.words,r=8*this._nDataBytes,i=8*t.sigBytes;return e[i>>>5]|=128<<24-i%32,e[14+(64+i>>>9<<4)]=n.floor(r/4294967296),e[15+(64+i>>>9<<4)]=r,t.sigBytes=4*e.length,this._process(),this._hash},clone:function(){var t=i.clone.call(this);return t._hash=this._hash.clone(),t}});t.SHA256=i._createHelper(c),t.HmacSHA256=i._createHmacHelper(c)}(Math),function(){var n=bt.lib.WordArray,t=bt.enc;t.Utf16=t.Utf16BE={stringify:function(t){for(var e=t.words,r=t.sigBytes,i=[],n=0;n<r;n+=2){var o=e[n>>>2]>>>16-n%4*8&65535;i.push(String.fromCharCode(o))}return i.join("")},parse:function(t){for(var e=t.length,r=[],i=0;i<e;i++)r[i>>>1]|=t.charCodeAt(i)<<16-i%2*16;return n.create(r,2*e)}};function s(t){return t<<8&4278255360|t>>>8&16711935}t.Utf16LE={stringify:function(t){for(var e=t.words,r=t.sigBytes,i=[],n=0;n<r;n+=2){var o=s(e[n>>>2]>>>16-n%4*8&65535);i.push(String.fromCharCode(o))}return i.join("")},parse:function(t){for(var e=t.length,r=[],i=0;i<e;i++)r[i>>>1]|=s(t.charCodeAt(i)<<16-i%2*16);return n.create(r,2*e)}}}(),function(){if("function"==typeof ArrayBuffer){var t=bt.lib.WordArray,n=t.init;(t.init=function(t){if(t instanceof ArrayBuffer&&(t=new Uint8Array(t)),(t instanceof Int8Array||"undefined"!=typeof Uint8ClampedArray&&t instanceof Uint8ClampedArray||t instanceof Int16Array||t instanceof Uint16Array||t instanceof Int32Array||t instanceof Uint32Array||t instanceof Float32Array||t instanceof Float64Array)&&(t=new Uint8Array(t.buffer,t.byteOffset,t.byteLength)),t instanceof Uint8Array){for(var e=t.byteLength,r=[],i=0;i<e;i++)r[i>>>2]|=t[i]<<24-i%4*8;n.call(this,r,e)}else n.apply(this,arguments)}).prototype=t}}(),Math,c=(s=bt).lib,a=c.WordArray,l=c.Hasher,d=s.algo,m=a.create([0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,7,4,13,1,10,6,15,3,12,0,9,5,2,14,11,8,3,10,14,4,9,15,8,1,2,7,0,6,13,11,5,12,1,9,11,10,0,8,12,4,13,3,7,15,14,5,6,2,4,0,5,9,7,12,2,10,14,1,3,8,11,6,15,13]),x=a.create([5,14,7,0,9,2,11,4,13,6,15,8,1,10,3,12,6,11,3,7,0,13,5,10,14,15,8,12,4,9,1,2,15,5,1,3,7,14,6,9,11,8,12,2,10,0,4,13,8,6,4,1,3,11,15,0,5,12,2,13,9,7,10,14,12,15,10,4,1,5,8,7,6,2,13,14,0,3,9,11]),b=a.create([11,14,15,12,5,8,7,9,11,13,14,15,6,7,9,8,7,6,8,13,11,9,7,15,7,12,15,9,11,7,13,12,11,13,6,7,14,9,13,15,14,8,13,6,5,12,7,5,11,12,14,15,14,15,9,8,9,14,5,6,8,6,5,12,9,15,5,11,6,8,13,12,5,12,13,14,11,8,5,6]),H=a.create([8,9,9,11,13,15,15,5,7,7,8,11,14,14,12,6,9,13,15,7,12,8,9,11,7,7,12,7,6,15,13,11,9,7,15,11,8,6,6,14,12,13,5,14,13,13,7,5,15,5,8,11,14,14,6,14,6,9,12,9,12,5,15,8,8,5,12,9,12,5,14,6,8,13,6,5,15,13,11,11]),z=a.create([0,1518500249,1859775393,2400959708,2840853838]),A=a.create([1352829926,1548603684,1836072691,2053994217,0]),u=d.RIPEMD160=l.extend({_doReset:function(){this._hash=a.create([1732584193,4023233417,2562383102,271733878,3285377520])},_doProcessBlock:function(t,e){for(var r=0;r<16;r++){var i=e+r,n=t[i];t[i]=16711935&(n<<8|n>>>24)|4278255360&(n<<24|n>>>8)}var o,s,c,a,h,l,f,d,u,p,_,v=this._hash.words,y=z.words,g=A.words,B=m.words,w=x.words,k=b.words,S=H.words;l=o=v[0],f=s=v[1],d=c=v[2],u=a=v[3],p=h=v[4];for(r=0;r<80;r+=1)_=o+t[e+B[r]]|0,_+=r<16?mt(s,c,a)+y[0]:r<32?xt(s,c,a)+y[1]:r<48?Ht(s,c,a)+y[2]:r<64?zt(s,c,a)+y[3]:At(s,c,a)+y[4],_=(_=Ct(_|=0,k[r]))+h|0,o=h,h=a,a=Ct(c,10),c=s,s=_,_=l+t[e+w[r]]|0,_+=r<16?At(f,d,u)+g[0]:r<32?zt(f,d,u)+g[1]:r<48?Ht(f,d,u)+g[2]:r<64?xt(f,d,u)+g[3]:mt(f,d,u)+g[4],_=(_=Ct(_|=0,S[r]))+p|0,l=p,p=u,u=Ct(d,10),d=f,f=_;_=v[1]+c+u|0,v[1]=v[2]+a+p|0,v[2]=v[3]+h+l|0,v[3]=v[4]+o+f|0,v[4]=v[0]+s+d|0,v[0]=_},_doFinalize:function(){var t=this._data,e=t.words,r=8*this._nDataBytes,i=8*t.sigBytes;e[i>>>5]|=128<<24-i%32,e[14+(64+i>>>9<<4)]=16711935&(r<<8|r>>>24)|4278255360&(r<<24|r>>>8),t.sigBytes=4*(e.length+1),this._process();for(var n=this._hash,o=n.words,s=0;s<5;s++){var c=o[s];o[s]=16711935&(c<<8|c>>>24)|4278255360&(c<<24|c>>>8)}return n},clone:function(){var t=l.clone.call(this);return t._hash=this._hash.clone(),t}}),s.RIPEMD160=l._createHelper(u),s.HmacRIPEMD160=l._createHmacHelper(u),p=bt.lib.Base,_=bt.enc.Utf8,bt.algo.HMAC=p.extend({init:function(t,e){t=this._hasher=new t.init,"string"==typeof e&&(e=_.parse(e));var r=t.blockSize,i=4*r;e.sigBytes>i&&(e=t.finalize(e)),e.clamp();for(var n=this._oKey=e.clone(),o=this._iKey=e.clone(),s=n.words,c=o.words,a=0;a<r;a++)s[a]^=1549556828,c[a]^=909522486;n.sigBytes=o.sigBytes=i,this.reset()},reset:function(){var t=this._hasher;t.reset(),t.update(this._iKey)},update:function(t){return this._hasher.update(t),this},finalize:function(t){var e=this._hasher,r=e.finalize(t);return e.reset(),e.finalize(this._oKey.clone().concat(r))}}),y=(v=bt).lib,g=y.Base,B=y.WordArray,w=v.algo,k=w.SHA1,S=w.HMAC,C=w.PBKDF2=g.extend({cfg:g.extend({keySize:4,hasher:k,iterations:1}),init:function(t){this.cfg=this.cfg.extend(t)},compute:function(t,e){for(var r=this.cfg,i=S.create(r.hasher,t),n=B.create(),o=B.create([1]),s=n.words,c=o.words,a=r.keySize,h=r.iterations;s.length<a;){var l=i.update(e).finalize(o);i.reset();for(var f=l.words,d=f.length,u=l,p=1;p<h;p++){u=i.finalize(u),i.reset();for(var _=u.words,v=0;v<d;v++)f[v]^=_[v]}n.concat(l),c[0]++}return n.sigBytes=4*a,n}}),v.PBKDF2=function(t,e,r){return C.create(r).compute(t,e)},E=(D=bt).lib,R=E.Base,M=E.WordArray,F=D.algo,P=F.MD5,W=F.EvpKDF=R.extend({cfg:R.extend({keySize:4,hasher:P,iterations:1}),init:function(t){this.cfg=this.cfg.extend(t)},compute:function(t,e){for(var r,i=this.cfg,n=i.hasher.create(),o=M.create(),s=o.words,c=i.keySize,a=i.iterations;s.length<c;){r&&n.update(r),r=n.update(t).finalize(e),n.reset();for(var h=1;h<a;h++)r=n.finalize(r),n.reset();o.concat(r)}return o.sigBytes=4*c,o}}),D.EvpKDF=function(t,e,r){return W.create(r).compute(t,e)},I=(O=bt).lib.WordArray,U=O.algo,K=U.SHA256,X=U.SHA224=K.extend({_doReset:function(){this._hash=new I.init([3238371032,914150663,812702999,4144912697,4290775857,1750603025,1694076839,3204075428])},_doFinalize:function(){var t=K._doFinalize.call(this);return t.sigBytes-=4,t}}),O.SHA224=K._createHelper(X),O.HmacSHA224=K._createHmacHelper(X),L=bt.lib,j=L.Base,N=L.WordArray,(T=bt.x64={}).Word=j.extend({init:function(t,e){this.high=t,this.low=e}}),T.WordArray=j.extend({init:function(t,e){t=this.words=t||[],this.sigBytes=null!=e?e:8*t.length},toX32:function(){for(var t=this.words,e=t.length,r=[],i=0;i<e;i++){var n=t[i];r.push(n.high),r.push(n.low)}return N.create(r,this.sigBytes)},clone:function(){for(var t=j.clone.call(this),e=t.words=this.words.slice(0),r=e.length,i=0;i<r;i++)e[i]=e[i].clone();return t}}),function(d){var t=bt,e=t.lib,u=e.WordArray,i=e.Hasher,l=t.x64.Word,r=t.algo,C=[],D=[],E=[];!function(){for(var t=1,e=0,r=0;r<24;r++){C[t+5*e]=(r+1)*(r+2)/2%64;var i=(2*t+3*e)%5;t=e%5,e=i}for(t=0;t<5;t++)for(e=0;e<5;e++)D[t+5*e]=e+(2*t+3*e)%5*5;for(var n=1,o=0;o<24;o++){for(var s=0,c=0,a=0;a<7;a++){if(1&n){var h=(1<<a)-1;h<32?c^=1<<h:s^=1<<h-32}128&n?n=n<<1^113:n<<=1}E[o]=l.create(s,c)}}();var R=[];!function(){for(var t=0;t<25;t++)R[t]=l.create()}();var n=r.SHA3=i.extend({cfg:i.cfg.extend({outputLength:512}),_doReset:function(){for(var t=this._state=[],e=0;e<25;e++)t[e]=new l.init;this.blockSize=(1600-2*this.cfg.outputLength)/32},_doProcessBlock:function(t,e){for(var r=this._state,i=this.blockSize/2,n=0;n<i;n++){var o=t[e+2*n],s=t[e+2*n+1];o=16711935&(o<<8|o>>>24)|4278255360&(o<<24|o>>>8),s=16711935&(s<<8|s>>>24)|4278255360&(s<<24|s>>>8),(x=r[n]).high^=s,x.low^=o}for(var c=0;c<24;c++){for(var a=0;a<5;a++){for(var h=0,l=0,f=0;f<5;f++){h^=(x=r[a+5*f]).high,l^=x.low}var d=R[a];d.high=h,d.low=l}for(a=0;a<5;a++){var u=R[(a+4)%5],p=R[(a+1)%5],_=p.high,v=p.low;for(h=u.high^(_<<1|v>>>31),l=u.low^(v<<1|_>>>31),f=0;f<5;f++){(x=r[a+5*f]).high^=h,x.low^=l}}for(var y=1;y<25;y++){var g=(x=r[y]).high,B=x.low,w=C[y];l=w<32?(h=g<<w|B>>>32-w,B<<w|g>>>32-w):(h=B<<w-32|g>>>64-w,g<<w-32|B>>>64-w);var k=R[D[y]];k.high=h,k.low=l}var S=R[0],m=r[0];S.high=m.high,S.low=m.low;for(a=0;a<5;a++)for(f=0;f<5;f++){var x=r[y=a+5*f],b=R[y],H=R[(a+1)%5+5*f],z=R[(a+2)%5+5*f];x.high=b.high^~H.high&z.high,x.low=b.low^~H.low&z.low}x=r[0];var A=E[c];x.high^=A.high,x.low^=A.low}},_doFinalize:function(){var t=this._data,e=t.words,r=(this._nDataBytes,8*t.sigBytes),i=32*this.blockSize;e[r>>>5]|=1<<24-r%32,e[(d.ceil((1+r)/i)*i>>>5)-1]|=128,t.sigBytes=4*e.length,this._process();for(var n=this._state,o=this.cfg.outputLength/8,s=o/8,c=[],a=0;a<s;a++){var h=n[a],l=h.high,f=h.low;l=16711935&(l<<8|l>>>24)|4278255360&(l<<24|l>>>8),f=16711935&(f<<8|f>>>24)|4278255360&(f<<24|f>>>8),c.push(f),c.push(l)}return new u.init(c,o)},clone:function(){for(var t=i.clone.call(this),e=t._state=this._state.slice(0),r=0;r<25;r++)e[r]=e[r].clone();return t}});t.SHA3=i._createHelper(n),t.HmacSHA3=i._createHmacHelper(n)}(Math),function(){var t=bt,e=t.lib.Hasher,r=t.x64,i=r.Word,n=r.WordArray,o=t.algo;function s(){return i.create.apply(i,arguments)}var mt=[s(1116352408,3609767458),s(1899447441,602891725),s(3049323471,3964484399),s(3921009573,2173295548),s(961987163,4081628472),s(1508970993,3053834265),s(2453635748,2937671579),s(2870763221,3664609560),s(3624381080,2734883394),s(310598401,1164996542),s(607225278,1323610764),s(1426881987,3590304994),s(1925078388,4068182383),s(2162078206,991336113),s(2614888103,633803317),s(3248222580,3479774868),s(3835390401,2666613458),s(4022224774,944711139),s(264347078,2341262773),s(604807628,2007800933),s(770255983,1495990901),s(1249150122,1856431235),s(1555081692,3175218132),s(1996064986,2198950837),s(2554220882,3999719339),s(2821834349,766784016),s(2952996808,2566594879),s(3210313671,3203337956),s(3336571891,1034457026),s(3584528711,2466948901),s(113926993,3758326383),s(338241895,168717936),s(666307205,1188179964),s(773529912,1546045734),s(1294757372,1522805485),s(1396182291,2643833823),s(1695183700,2343527390),s(1986661051,1014477480),s(2177026350,1206759142),s(2456956037,344077627),s(2730485921,1290863460),s(2820302411,3158454273),s(3259730800,3505952657),s(3345764771,106217008),s(3516065817,3606008344),s(3600352804,1432725776),s(4094571909,1467031594),s(275423344,851169720),s(430227734,3100823752),s(506948616,1363258195),s(659060556,3750685593),s(883997877,3785050280),s(958139571,3318307427),s(1322822218,3812723403),s(1537002063,2003034995),s(1747873779,3602036899),s(1955562222,1575990012),s(2024104815,1125592928),s(2227730452,2716904306),s(2361852424,442776044),s(2428436474,593698344),s(2756734187,3733110249),s(3204031479,2999351573),s(3329325298,3815920427),s(3391569614,3928383900),s(3515267271,566280711),s(3940187606,3454069534),s(4118630271,4000239992),s(116418474,1914138554),s(174292421,2731055270),s(289380356,3203993006),s(460393269,320620315),s(685471733,587496836),s(852142971,1086792851),s(1017036298,365543100),s(1126000580,2618297676),s(1288033470,3409855158),s(1501505948,4234509866),s(1607167915,987167468),s(1816402316,1246189591)],xt=[];!function(){for(var t=0;t<80;t++)xt[t]=s()}();var c=o.SHA512=e.extend({_doReset:function(){this._hash=new n.init([new i.init(1779033703,4089235720),new i.init(3144134277,2227873595),new i.init(1013904242,4271175723),new i.init(2773480762,1595750129),new i.init(1359893119,2917565137),new i.init(2600822924,725511199),new i.init(528734635,4215389547),new i.init(1541459225,327033209)])},_doProcessBlock:function(t,e){for(var r=this._hash.words,i=r[0],n=r[1],o=r[2],s=r[3],c=r[4],a=r[5],h=r[6],l=r[7],f=i.high,d=i.low,u=n.high,p=n.low,_=o.high,v=o.low,y=s.high,g=s.low,B=c.high,w=c.low,k=a.high,S=a.low,m=h.high,x=h.low,b=l.high,H=l.low,z=f,A=d,C=u,D=p,E=_,R=v,M=y,F=g,P=B,W=w,O=k,I=S,U=m,K=x,X=b,L=H,j=0;j<80;j++){var N,T,q=xt[j];if(j<16)T=q.high=0|t[e+2*j],N=q.low=0|t[e+2*j+1];else{var Z=xt[j-15],V=Z.high,G=Z.low,J=(V>>>1|G<<31)^(V>>>8|G<<24)^V>>>7,$=(G>>>1|V<<31)^(G>>>8|V<<24)^(G>>>7|V<<25),Q=xt[j-2],Y=Q.high,tt=Q.low,et=(Y>>>19|tt<<13)^(Y<<3|tt>>>29)^Y>>>6,rt=(tt>>>19|Y<<13)^(tt<<3|Y>>>29)^(tt>>>6|Y<<26),it=xt[j-7],nt=it.high,ot=it.low,st=xt[j-16],ct=st.high,at=st.low;T=(T=(T=J+nt+((N=$+ot)>>>0<$>>>0?1:0))+et+((N+=rt)>>>0<rt>>>0?1:0))+ct+((N+=at)>>>0<at>>>0?1:0),q.high=T,q.low=N}var ht,lt=P&O^~P&U,ft=W&I^~W&K,dt=z&C^z&E^C&E,ut=A&D^A&R^D&R,pt=(z>>>28|A<<4)^(z<<30|A>>>2)^(z<<25|A>>>7),_t=(A>>>28|z<<4)^(A<<30|z>>>2)^(A<<25|z>>>7),vt=(P>>>14|W<<18)^(P>>>18|W<<14)^(P<<23|W>>>9),yt=(W>>>14|P<<18)^(W>>>18|P<<14)^(W<<23|P>>>9),gt=mt[j],Bt=gt.high,wt=gt.low,kt=X+vt+((ht=L+yt)>>>0<L>>>0?1:0),St=_t+ut;X=U,L=K,U=O,K=I,O=P,I=W,P=M+(kt=(kt=(kt=kt+lt+((ht=ht+ft)>>>0<ft>>>0?1:0))+Bt+((ht=ht+wt)>>>0<wt>>>0?1:0))+T+((ht=ht+N)>>>0<N>>>0?1:0))+((W=F+ht|0)>>>0<F>>>0?1:0)|0,M=E,F=R,E=C,R=D,C=z,D=A,z=kt+(pt+dt+(St>>>0<_t>>>0?1:0))+((A=ht+St|0)>>>0<ht>>>0?1:0)|0}d=i.low=d+A,i.high=f+z+(d>>>0<A>>>0?1:0),p=n.low=p+D,n.high=u+C+(p>>>0<D>>>0?1:0),v=o.low=v+R,o.high=_+E+(v>>>0<R>>>0?1:0),g=s.low=g+F,s.high=y+M+(g>>>0<F>>>0?1:0),w=c.low=w+W,c.high=B+P+(w>>>0<W>>>0?1:0),S=a.low=S+I,a.high=k+O+(S>>>0<I>>>0?1:0),x=h.low=x+K,h.high=m+U+(x>>>0<K>>>0?1:0),H=l.low=H+L,l.high=b+X+(H>>>0<L>>>0?1:0)},_doFinalize:function(){var t=this._data,e=t.words,r=8*this._nDataBytes,i=8*t.sigBytes;return e[i>>>5]|=128<<24-i%32,e[30+(128+i>>>10<<5)]=Math.floor(r/4294967296),e[31+(128+i>>>10<<5)]=r,t.sigBytes=4*e.length,this._process(),this._hash.toX32()},clone:function(){var t=e.clone.call(this);return t._hash=this._hash.clone(),t},blockSize:32});t.SHA512=e._createHelper(c),t.HmacSHA512=e._createHmacHelper(c)}(),Z=(q=bt).x64,V=Z.Word,G=Z.WordArray,J=q.algo,$=J.SHA512,Q=J.SHA384=$.extend({_doReset:function(){this._hash=new G.init([new V.init(3418070365,3238371032),new V.init(1654270250,914150663),new V.init(2438529370,812702999),new V.init(355462360,4144912697),new V.init(1731405415,4290775857),new V.init(2394180231,1750603025),new V.init(3675008525,1694076839),new V.init(1203062813,3204075428)])},_doFinalize:function(){var t=$._doFinalize.call(this);return t.sigBytes-=16,t}}),q.SHA384=$._createHelper(Q),q.HmacSHA384=$._createHmacHelper(Q),bt.lib.Cipher||function(){var t=bt,e=t.lib,r=e.Base,a=e.WordArray,i=e.BufferedBlockAlgorithm,n=t.enc,o=(n.Utf8,n.Base64),s=t.algo.EvpKDF,c=e.Cipher=i.extend({cfg:r.extend(),createEncryptor:function(t,e){return this.create(this._ENC_XFORM_MODE,t,e)},createDecryptor:function(t,e){return this.create(this._DEC_XFORM_MODE,t,e)},init:function(t,e,r){this.cfg=this.cfg.extend(r),this._xformMode=t,this._key=e,this.reset()},reset:function(){i.reset.call(this),this._doReset()},process:function(t){return this._append(t),this._process()},finalize:function(t){return t&&this._append(t),this._doFinalize()},keySize:4,ivSize:4,_ENC_XFORM_MODE:1,_DEC_XFORM_MODE:2,_createHelper:function(i){return{encrypt:function(t,e,r){return h(e).encrypt(i,t,e,r)},decrypt:function(t,e,r){return h(e).decrypt(i,t,e,r)}}}});function h(t){return"string"==typeof t?w:g}e.StreamCipher=c.extend({_doFinalize:function(){return this._process(!0)},blockSize:1});var l,f=t.mode={},d=e.BlockCipherMode=r.extend({createEncryptor:function(t,e){return this.Encryptor.create(t,e)},createDecryptor:function(t,e){return this.Decryptor.create(t,e)},init:function(t,e){this._cipher=t,this._iv=e}}),u=f.CBC=((l=d.extend()).Encryptor=l.extend({processBlock:function(t,e){var r=this._cipher,i=r.blockSize;p.call(this,t,e,i),r.encryptBlock(t,e),this._prevBlock=t.slice(e,e+i)}}),l.Decryptor=l.extend({processBlock:function(t,e){var r=this._cipher,i=r.blockSize,n=t.slice(e,e+i);r.decryptBlock(t,e),p.call(this,t,e,i),this._prevBlock=n}}),l);function p(t,e,r){var i,n=this._iv;n?(i=n,this._iv=void 0):i=this._prevBlock;for(var o=0;o<r;o++)t[e+o]^=i[o]}var _=(t.pad={}).Pkcs7={pad:function(t,e){for(var r=4*e,i=r-t.sigBytes%r,n=i<<24|i<<16|i<<8|i,o=[],s=0;s<i;s+=4)o.push(n);var c=a.create(o,i);t.concat(c)},unpad:function(t){var e=255&t.words[t.sigBytes-1>>>2];t.sigBytes-=e}},v=(e.BlockCipher=c.extend({cfg:c.cfg.extend({mode:u,padding:_}),reset:function(){var t;c.reset.call(this);var e=this.cfg,r=e.iv,i=e.mode;this._xformMode==this._ENC_XFORM_MODE?t=i.createEncryptor:(t=i.createDecryptor,this._minBufferSize=1),this._mode&&this._mode.__creator==t?this._mode.init(this,r&&r.words):(this._mode=t.call(i,this,r&&r.words),this._mode.__creator=t)},_doProcessBlock:function(t,e){this._mode.processBlock(t,e)},_doFinalize:function(){var t,e=this.cfg.padding;return this._xformMode==this._ENC_XFORM_MODE?(e.pad(this._data,this.blockSize),t=this._process(!0)):(t=this._process(!0),e.unpad(t)),t},blockSize:4}),e.CipherParams=r.extend({init:function(t){this.mixIn(t)},toString:function(t){return(t||this.formatter).stringify(this)}})),y=(t.format={}).OpenSSL={stringify:function(t){var e=t.ciphertext,r=t.salt;return(r?a.create([1398893684,1701076831]).concat(r).concat(e):e).toString(o)},parse:function(t){var e,r=o.parse(t),i=r.words;return 1398893684==i[0]&&1701076831==i[1]&&(e=a.create(i.slice(2,4)),i.splice(0,4),r.sigBytes-=16),v.create({ciphertext:r,salt:e})}},g=e.SerializableCipher=r.extend({cfg:r.extend({format:y}),encrypt:function(t,e,r,i){i=this.cfg.extend(i);var n=t.createEncryptor(r,i),o=n.finalize(e),s=n.cfg;return v.create({ciphertext:o,key:r,iv:s.iv,algorithm:t,mode:s.mode,padding:s.padding,blockSize:t.blockSize,formatter:i.format})},decrypt:function(t,e,r,i){return i=this.cfg.extend(i),e=this._parse(e,i.format),t.createDecryptor(r,i).finalize(e.ciphertext)},_parse:function(t,e){return"string"==typeof t?e.parse(t,this):t}}),B=(t.kdf={}).OpenSSL={execute:function(t,e,r,i){i=i||a.random(8);var n=s.create({keySize:e+r}).compute(t,i),o=a.create(n.words.slice(e),4*r);return n.sigBytes=4*e,v.create({key:n,iv:o,salt:i})}},w=e.PasswordBasedCipher=g.extend({cfg:g.cfg.extend({kdf:B}),encrypt:function(t,e,r,i){var n=(i=this.cfg.extend(i)).kdf.execute(r,t.keySize,t.ivSize);i.iv=n.iv;var o=g.encrypt.call(this,t,e,n.key,i);return o.mixIn(n),o},decrypt:function(t,e,r,i){i=this.cfg.extend(i),e=this._parse(e,i.format);var n=i.kdf.execute(r,t.keySize,t.ivSize,e.salt);return i.iv=n.iv,g.decrypt.call(this,t,e,n.key,i)}})}(),bt.mode.CFB=((Y=bt.lib.BlockCipherMode.extend()).Encryptor=Y.extend({processBlock:function(t,e){var r=this._cipher,i=r.blockSize;Dt.call(this,t,e,i,r),this._prevBlock=t.slice(e,e+i)}}),Y.Decryptor=Y.extend({processBlock:function(t,e){var r=this._cipher,i=r.blockSize,n=t.slice(e,e+i);Dt.call(this,t,e,i,r),this._prevBlock=n}}),Y),bt.mode.ECB=((tt=bt.lib.BlockCipherMode.extend()).Encryptor=tt.extend({processBlock:function(t,e){this._cipher.encryptBlock(t,e)}}),tt.Decryptor=tt.extend({processBlock:function(t,e){this._cipher.decryptBlock(t,e)}}),tt),bt.pad.AnsiX923={pad:function(t,e){var r=t.sigBytes,i=4*e,n=i-r%i,o=r+n-1;t.clamp(),t.words[o>>>2]|=n<<24-o%4*8,t.sigBytes+=n},unpad:function(t){var e=255&t.words[t.sigBytes-1>>>2];t.sigBytes-=e}},bt.pad.Iso10126={pad:function(t,e){var r=4*e,i=r-t.sigBytes%r;t.concat(bt.lib.WordArray.random(i-1)).concat(bt.lib.WordArray.create([i<<24],1))},unpad:function(t){var e=255&t.words[t.sigBytes-1>>>2];t.sigBytes-=e}},bt.pad.Iso97971={pad:function(t,e){t.concat(bt.lib.WordArray.create([2147483648],1)),bt.pad.ZeroPadding.pad(t,e)},unpad:function(t){bt.pad.ZeroPadding.unpad(t),t.sigBytes--}},bt.mode.OFB=(et=bt.lib.BlockCipherMode.extend(),rt=et.Encryptor=et.extend({processBlock:function(t,e){var r=this._cipher,i=r.blockSize,n=this._iv,o=this._keystream;n&&(o=this._keystream=n.slice(0),this._iv=void 0),r.encryptBlock(o,0);for(var s=0;s<i;s++)t[e+s]^=o[s]}}),et.Decryptor=rt,et),bt.pad.NoPadding={pad:function(){},unpad:function(){}},it=bt.lib.CipherParams,nt=bt.enc.Hex,bt.format.Hex={stringify:function(t){return t.ciphertext.toString(nt)},parse:function(t){var e=nt.parse(t);return it.create({ciphertext:e})}},function(){var t=bt,e=t.lib.BlockCipher,r=t.algo,h=[],l=[],f=[],d=[],u=[],p=[],_=[],v=[],y=[],g=[];!function(){for(var t=[],e=0;e<256;e++)t[e]=e<128?e<<1:e<<1^283;var r=0,i=0;for(e=0;e<256;e++){var n=i^i<<1^i<<2^i<<3^i<<4;n=n>>>8^255&n^99,h[r]=n;var o=t[l[n]=r],s=t[o],c=t[s],a=257*t[n]^16843008*n;f[r]=a<<24|a>>>8,d[r]=a<<16|a>>>16,u[r]=a<<8|a>>>24,p[r]=a;a=16843009*c^65537*s^257*o^16843008*r;_[n]=a<<24|a>>>8,v[n]=a<<16|a>>>16,y[n]=a<<8|a>>>24,g[n]=a,r?(r=o^t[t[t[c^o]]],i^=t[t[i]]):r=i=1}}();var B=[0,1,2,4,8,16,32,64,128,27,54],i=r.AES=e.extend({_doReset:function(){if(!this._nRounds||this._keyPriorReset!==this._key){for(var t=this._keyPriorReset=this._key,e=t.words,r=t.sigBytes/4,i=4*(1+(this._nRounds=6+r)),n=this._keySchedule=[],o=0;o<i;o++)o<r?n[o]=e[o]:(a=n[o-1],o%r?6<r&&o%r==4&&(a=h[a>>>24]<<24|h[a>>>16&255]<<16|h[a>>>8&255]<<8|h[255&a]):(a=h[(a=a<<8|a>>>24)>>>24]<<24|h[a>>>16&255]<<16|h[a>>>8&255]<<8|h[255&a],a^=B[o/r|0]<<24),n[o]=n[o-r]^a);for(var s=this._invKeySchedule=[],c=0;c<i;c++){o=i-c;if(c%4)var a=n[o];else a=n[o-4];s[c]=c<4||o<=4?a:_[h[a>>>24]]^v[h[a>>>16&255]]^y[h[a>>>8&255]]^g[h[255&a]]}}},encryptBlock:function(t,e){this._doCryptBlock(t,e,this._keySchedule,f,d,u,p,h)},decryptBlock:function(t,e){var r=t[e+1];t[e+1]=t[e+3],t[e+3]=r,this._doCryptBlock(t,e,this._invKeySchedule,_,v,y,g,l);r=t[e+1];t[e+1]=t[e+3],t[e+3]=r},_doCryptBlock:function(t,e,r,i,n,o,s,c){for(var a=this._nRounds,h=t[e]^r[0],l=t[e+1]^r[1],f=t[e+2]^r[2],d=t[e+3]^r[3],u=4,p=1;p<a;p++){var _=i[h>>>24]^n[l>>>16&255]^o[f>>>8&255]^s[255&d]^r[u++],v=i[l>>>24]^n[f>>>16&255]^o[d>>>8&255]^s[255&h]^r[u++],y=i[f>>>24]^n[d>>>16&255]^o[h>>>8&255]^s[255&l]^r[u++],g=i[d>>>24]^n[h>>>16&255]^o[l>>>8&255]^s[255&f]^r[u++];h=_,l=v,f=y,d=g}_=(c[h>>>24]<<24|c[l>>>16&255]<<16|c[f>>>8&255]<<8|c[255&d])^r[u++],v=(c[l>>>24]<<24|c[f>>>16&255]<<16|c[d>>>8&255]<<8|c[255&h])^r[u++],y=(c[f>>>24]<<24|c[d>>>16&255]<<16|c[h>>>8&255]<<8|c[255&l])^r[u++],g=(c[d>>>24]<<24|c[h>>>16&255]<<16|c[l>>>8&255]<<8|c[255&f])^r[u++];t[e]=_,t[e+1]=v,t[e+2]=y,t[e+3]=g},keySize:8});t.AES=e._createHelper(i)}(),function(){var t=bt,e=t.lib,n=e.WordArray,r=e.BlockCipher,i=t.algo,h=[57,49,41,33,25,17,9,1,58,50,42,34,26,18,10,2,59,51,43,35,27,19,11,3,60,52,44,36,63,55,47,39,31,23,15,7,62,54,46,38,30,22,14,6,61,53,45,37,29,21,13,5,28,20,12,4],l=[14,17,11,24,1,5,3,28,15,6,21,10,23,19,12,4,26,8,16,7,27,20,13,2,41,52,31,37,47,55,30,40,51,45,33,48,44,49,39,56,34,53,46,42,50,36,29,32],f=[1,2,4,6,8,10,12,14,15,17,19,21,23,25,27,28],d=[{0:8421888,268435456:32768,536870912:8421378,805306368:2,1073741824:512,1342177280:8421890,1610612736:8389122,1879048192:8388608,2147483648:514,2415919104:8389120,2684354560:33280,2952790016:8421376,3221225472:32770,3489660928:8388610,3758096384:0,4026531840:33282,134217728:0,402653184:8421890,671088640:33282,939524096:32768,1207959552:8421888,1476395008:512,1744830464:8421378,2013265920:2,2281701376:8389120,2550136832:33280,2818572288:8421376,3087007744:8389122,3355443200:8388610,3623878656:32770,3892314112:514,4160749568:8388608,1:32768,268435457:2,536870913:8421888,805306369:8388608,1073741825:8421378,1342177281:33280,1610612737:512,1879048193:8389122,2147483649:8421890,2415919105:8421376,2684354561:8388610,2952790017:33282,3221225473:514,3489660929:8389120,3758096385:32770,4026531841:0,134217729:8421890,402653185:8421376,671088641:8388608,939524097:512,1207959553:32768,1476395009:8388610,1744830465:2,2013265921:33282,2281701377:32770,2550136833:8389122,2818572289:514,3087007745:8421888,3355443201:8389120,3623878657:0,3892314113:33280,4160749569:8421378},{0:1074282512,16777216:16384,33554432:524288,50331648:1074266128,67108864:1073741840,83886080:1074282496,100663296:1073758208,117440512:16,134217728:540672,150994944:1073758224,167772160:1073741824,184549376:540688,201326592:524304,218103808:0,234881024:16400,251658240:1074266112,8388608:1073758208,25165824:540688,41943040:16,58720256:1073758224,75497472:1074282512,92274688:1073741824,109051904:524288,125829120:1074266128,142606336:524304,159383552:0,176160768:16384,192937984:1074266112,209715200:1073741840,226492416:540672,243269632:1074282496,260046848:16400,268435456:0,285212672:1074266128,301989888:1073758224,318767104:1074282496,335544320:1074266112,352321536:16,369098752:540688,385875968:16384,402653184:16400,419430400:524288,436207616:524304,452984832:1073741840,469762048:540672,486539264:1073758208,503316480:1073741824,520093696:1074282512,276824064:540688,293601280:524288,310378496:1074266112,327155712:16384,343932928:1073758208,360710144:1074282512,377487360:16,394264576:1073741824,411041792:1074282496,427819008:1073741840,444596224:1073758224,461373440:524304,478150656:0,494927872:16400,511705088:1074266128,528482304:540672},{0:260,1048576:0,2097152:67109120,3145728:65796,4194304:65540,5242880:67108868,6291456:67174660,7340032:67174400,8388608:67108864,9437184:67174656,10485760:65792,11534336:67174404,12582912:67109124,13631488:65536,14680064:4,15728640:256,524288:67174656,1572864:67174404,2621440:0,3670016:67109120,4718592:67108868,5767168:65536,6815744:65540,7864320:260,8912896:4,9961472:256,11010048:67174400,12058624:65796,13107200:65792,14155776:67109124,15204352:67174660,16252928:67108864,16777216:67174656,17825792:65540,18874368:65536,19922944:67109120,20971520:256,22020096:67174660,23068672:67108868,24117248:0,25165824:67109124,26214400:67108864,27262976:4,28311552:65792,29360128:67174400,30408704:260,31457280:65796,32505856:67174404,17301504:67108864,18350080:260,19398656:67174656,20447232:0,21495808:65540,22544384:67109120,23592960:256,24641536:67174404,25690112:65536,26738688:67174660,27787264:65796,28835840:67108868,29884416:67109124,30932992:67174400,31981568:4,33030144:65792},{0:2151682048,65536:2147487808,131072:4198464,196608:2151677952,262144:0,327680:4198400,393216:2147483712,458752:4194368,524288:2147483648,589824:4194304,655360:64,720896:2147487744,786432:2151678016,851968:4160,917504:4096,983040:2151682112,32768:2147487808,98304:64,163840:2151678016,229376:2147487744,294912:4198400,360448:2151682112,425984:0,491520:2151677952,557056:4096,622592:2151682048,688128:4194304,753664:4160,819200:2147483648,884736:4194368,950272:4198464,1015808:2147483712,1048576:4194368,1114112:4198400,1179648:2147483712,1245184:0,1310720:4160,1376256:2151678016,1441792:2151682048,1507328:2147487808,1572864:2151682112,1638400:2147483648,1703936:2151677952,1769472:4198464,1835008:2147487744,1900544:4194304,1966080:64,2031616:4096,1081344:2151677952,1146880:2151682112,1212416:0,1277952:4198400,1343488:4194368,1409024:2147483648,1474560:2147487808,1540096:64,1605632:2147483712,1671168:4096,1736704:2147487744,1802240:2151678016,1867776:4160,1933312:2151682048,1998848:4194304,2064384:4198464},{0:128,4096:17039360,8192:262144,12288:536870912,16384:537133184,20480:16777344,24576:553648256,28672:262272,32768:16777216,36864:537133056,40960:536871040,45056:553910400,49152:553910272,53248:0,57344:17039488,61440:553648128,2048:17039488,6144:553648256,10240:128,14336:17039360,18432:262144,22528:537133184,26624:553910272,30720:536870912,34816:537133056,38912:0,43008:553910400,47104:16777344,51200:536871040,55296:553648128,59392:16777216,63488:262272,65536:262144,69632:128,73728:536870912,77824:553648256,81920:16777344,86016:553910272,90112:537133184,94208:16777216,98304:553910400,102400:553648128,106496:17039360,110592:537133056,114688:262272,118784:536871040,122880:0,126976:17039488,67584:553648256,71680:16777216,75776:17039360,79872:537133184,83968:536870912,88064:17039488,92160:128,96256:553910272,100352:262272,104448:553910400,108544:0,112640:553648128,116736:16777344,120832:262144,124928:537133056,129024:536871040},{0:268435464,256:8192,512:270532608,768:270540808,1024:268443648,1280:2097152,1536:2097160,1792:268435456,2048:0,2304:268443656,2560:2105344,2816:8,3072:270532616,3328:2105352,3584:8200,3840:270540800,128:270532608,384:270540808,640:8,896:2097152,1152:2105352,1408:268435464,1664:268443648,1920:8200,2176:2097160,2432:8192,2688:268443656,2944:270532616,3200:0,3456:270540800,3712:2105344,3968:268435456,4096:268443648,4352:270532616,4608:270540808,4864:8200,5120:2097152,5376:268435456,5632:268435464,5888:2105344,6144:2105352,6400:0,6656:8,6912:270532608,7168:8192,7424:268443656,7680:270540800,7936:2097160,4224:8,4480:2105344,4736:2097152,4992:268435464,5248:268443648,5504:8200,5760:270540808,6016:270532608,6272:270540800,6528:270532616,6784:8192,7040:2105352,7296:2097160,7552:0,7808:268435456,8064:268443656},{0:1048576,16:33555457,32:1024,48:1049601,64:34604033,80:0,96:1,112:34603009,128:33555456,144:1048577,160:33554433,176:34604032,192:34603008,208:1025,224:1049600,240:33554432,8:34603009,24:0,40:33555457,56:34604032,72:1048576,88:33554433,104:33554432,120:1025,136:1049601,152:33555456,168:34603008,184:1048577,200:1024,216:34604033,232:1,248:1049600,256:33554432,272:1048576,288:33555457,304:34603009,320:1048577,336:33555456,352:34604032,368:1049601,384:1025,400:34604033,416:1049600,432:1,448:0,464:34603008,480:33554433,496:1024,264:1049600,280:33555457,296:34603009,312:1,328:33554432,344:1048576,360:1025,376:34604032,392:33554433,408:34603008,424:0,440:34604033,456:1049601,472:1024,488:33555456,504:1048577},{0:134219808,1:131072,2:134217728,3:32,4:131104,5:134350880,6:134350848,7:2048,8:134348800,9:134219776,10:133120,11:134348832,12:2080,13:0,14:134217760,15:133152,2147483648:2048,2147483649:134350880,2147483650:134219808,2147483651:134217728,2147483652:134348800,2147483653:133120,2147483654:133152,2147483655:32,2147483656:134217760,2147483657:2080,2147483658:131104,2147483659:134350848,2147483660:0,2147483661:134348832,2147483662:134219776,2147483663:131072,16:133152,17:134350848,18:32,19:2048,20:134219776,21:134217760,22:134348832,23:131072,24:0,25:131104,26:134348800,27:134219808,28:134350880,29:133120,30:2080,31:134217728,2147483664:131072,2147483665:2048,2147483666:134348832,2147483667:133152,2147483668:32,2147483669:134348800,2147483670:134217728,2147483671:134219808,2147483672:134350880,2147483673:134217760,2147483674:134219776,2147483675:0,2147483676:133120,2147483677:2080,2147483678:131104,2147483679:134350848}],u=[4160749569,528482304,33030144,2064384,129024,8064,504,2147483679],o=i.DES=r.extend({_doReset:function(){for(var t=this._key.words,e=[],r=0;r<56;r++){var i=h[r]-1;e[r]=t[i>>>5]>>>31-i%32&1}for(var n=this._subKeys=[],o=0;o<16;o++){var s=n[o]=[],c=f[o];for(r=0;r<24;r++)s[r/6|0]|=e[(l[r]-1+c)%28]<<31-r%6,s[4+(r/6|0)]|=e[28+(l[r+24]-1+c)%28]<<31-r%6;s[0]=s[0]<<1|s[0]>>>31;for(r=1;r<7;r++)s[r]=s[r]>>>4*(r-1)+3;s[7]=s[7]<<5|s[7]>>>27}var a=this._invSubKeys=[];for(r=0;r<16;r++)a[r]=n[15-r]},encryptBlock:function(t,e){this._doCryptBlock(t,e,this._subKeys)},decryptBlock:function(t,e){this._doCryptBlock(t,e,this._invSubKeys)},_doCryptBlock:function(t,e,r){this._lBlock=t[e],this._rBlock=t[e+1],p.call(this,4,252645135),p.call(this,16,65535),_.call(this,2,858993459),_.call(this,8,16711935),p.call(this,1,1431655765);for(var i=0;i<16;i++){for(var n=r[i],o=this._lBlock,s=this._rBlock,c=0,a=0;a<8;a++)c|=d[a][((s^n[a])&u[a])>>>0];this._lBlock=s,this._rBlock=o^c}var h=this._lBlock;this._lBlock=this._rBlock,this._rBlock=h,p.call(this,1,1431655765),_.call(this,8,16711935),_.call(this,2,858993459),p.call(this,16,65535),p.call(this,4,252645135),t[e]=this._lBlock,t[e+1]=this._rBlock},keySize:2,ivSize:2,blockSize:2});function p(t,e){var r=(this._lBlock>>>t^this._rBlock)&e;this._rBlock^=r,this._lBlock^=r<<t}function _(t,e){var r=(this._rBlock>>>t^this._lBlock)&e;this._lBlock^=r,this._rBlock^=r<<t}t.DES=r._createHelper(o);var s=i.TripleDES=r.extend({_doReset:function(){var t=this._key.words;if(2!==t.length&&4!==t.length&&t.length<6)throw new Error("Invalid key length - 3DES requires the key length to be 64, 128, 192 or >192.");var e=t.slice(0,2),r=t.length<4?t.slice(0,2):t.slice(2,4),i=t.length<6?t.slice(0,2):t.slice(4,6);this._des1=o.createEncryptor(n.create(e)),this._des2=o.createEncryptor(n.create(r)),this._des3=o.createEncryptor(n.create(i))},encryptBlock:function(t,e){this._des1.encryptBlock(t,e),this._des2.decryptBlock(t,e),this._des3.encryptBlock(t,e)},decryptBlock:function(t,e){this._des3.decryptBlock(t,e),this._des2.encryptBlock(t,e),this._des1.decryptBlock(t,e)},keySize:6,ivSize:2,blockSize:2});t.TripleDES=r._createHelper(s)}(),function(){var t=bt,e=t.lib.StreamCipher,r=t.algo,i=r.RC4=e.extend({_doReset:function(){for(var t=this._key,e=t.words,r=t.sigBytes,i=this._S=[],n=0;n<256;n++)i[n]=n;n=0;for(var o=0;n<256;n++){var s=n%r,c=e[s>>>2]>>>24-s%4*8&255;o=(o+i[n]+c)%256;var a=i[n];i[n]=i[o],i[o]=a}this._i=this._j=0},_doProcessBlock:function(t,e){t[e]^=n.call(this)},keySize:8,ivSize:0});function n(){for(var t=this._S,e=this._i,r=this._j,i=0,n=0;n<4;n++){r=(r+t[e=(e+1)%256])%256;var o=t[e];t[e]=t[r],t[r]=o,i|=t[(t[e]+t[r])%256]<<24-8*n}return this._i=e,this._j=r,i}t.RC4=e._createHelper(i);var o=r.RC4Drop=i.extend({cfg:i.cfg.extend({drop:192}),_doReset:function(){i._doReset.call(this);for(var t=this.cfg.drop;0<t;t--)n.call(this)}});t.RC4Drop=e._createHelper(o)}(),bt.mode.CTRGladman=(ot=bt.lib.BlockCipherMode.extend(),st=ot.Encryptor=ot.extend({processBlock:function(t,e){var r,i=this._cipher,n=i.blockSize,o=this._iv,s=this._counter;o&&(s=this._counter=o.slice(0),this._iv=void 0),0===((r=s)[0]=Et(r[0]))&&(r[1]=Et(r[1]));var c=s.slice(0);i.encryptBlock(c,0);for(var a=0;a<n;a++)t[e+a]^=c[a]}}),ot.Decryptor=st,ot),at=(ct=bt).lib.StreamCipher,ht=ct.algo,lt=[],ft=[],dt=[],ut=ht.Rabbit=at.extend({_doReset:function(){for(var t=this._key.words,e=this.cfg.iv,r=0;r<4;r++)t[r]=16711935&(t[r]<<8|t[r]>>>24)|4278255360&(t[r]<<24|t[r]>>>8);var i=this._X=[t[0],t[3]<<16|t[2]>>>16,t[1],t[0]<<16|t[3]>>>16,t[2],t[1]<<16|t[0]>>>16,t[3],t[2]<<16|t[1]>>>16],n=this._C=[t[2]<<16|t[2]>>>16,4294901760&t[0]|65535&t[1],t[3]<<16|t[3]>>>16,4294901760&t[1]|65535&t[2],t[0]<<16|t[0]>>>16,4294901760&t[2]|65535&t[3],t[1]<<16|t[1]>>>16,4294901760&t[3]|65535&t[0]];for(r=this._b=0;r<4;r++)Rt.call(this);for(r=0;r<8;r++)n[r]^=i[r+4&7];if(e){var o=e.words,s=o[0],c=o[1],a=16711935&(s<<8|s>>>24)|4278255360&(s<<24|s>>>8),h=16711935&(c<<8|c>>>24)|4278255360&(c<<24|c>>>8),l=a>>>16|4294901760&h,f=h<<16|65535&a;n[0]^=a,n[1]^=l,n[2]^=h,n[3]^=f,n[4]^=a,n[5]^=l,n[6]^=h,n[7]^=f;for(r=0;r<4;r++)Rt.call(this)}},_doProcessBlock:function(t,e){var r=this._X;Rt.call(this),lt[0]=r[0]^r[5]>>>16^r[3]<<16,lt[1]=r[2]^r[7]>>>16^r[5]<<16,lt[2]=r[4]^r[1]>>>16^r[7]<<16,lt[3]=r[6]^r[3]>>>16^r[1]<<16;for(var i=0;i<4;i++)lt[i]=16711935&(lt[i]<<8|lt[i]>>>24)|4278255360&(lt[i]<<24|lt[i]>>>8),t[e+i]^=lt[i]},blockSize:4,ivSize:2}),ct.Rabbit=at._createHelper(ut),bt.mode.CTR=(pt=bt.lib.BlockCipherMode.extend(),_t=pt.Encryptor=pt.extend({processBlock:function(t,e){var r=this._cipher,i=r.blockSize,n=this._iv,o=this._counter;n&&(o=this._counter=n.slice(0),this._iv=void 0);var s=o.slice(0);r.encryptBlock(s,0),o[i-1]=o[i-1]+1|0;for(var c=0;c<i;c++)t[e+c]^=s[c]}}),pt.Decryptor=_t,pt),yt=(vt=bt).lib.StreamCipher,gt=vt.algo,Bt=[],wt=[],kt=[],St=gt.RabbitLegacy=yt.extend({_doReset:function(){for(var t=this._key.words,e=this.cfg.iv,r=this._X=[t[0],t[3]<<16|t[2]>>>16,t[1],t[0]<<16|t[3]>>>16,t[2],t[1]<<16|t[0]>>>16,t[3],t[2]<<16|t[1]>>>16],i=this._C=[t[2]<<16|t[2]>>>16,4294901760&t[0]|65535&t[1],t[3]<<16|t[3]>>>16,4294901760&t[1]|65535&t[2],t[0]<<16|t[0]>>>16,4294901760&t[2]|65535&t[3],t[1]<<16|t[1]>>>16,4294901760&t[3]|65535&t[0]],n=this._b=0;n<4;n++)Mt.call(this);for(n=0;n<8;n++)i[n]^=r[n+4&7];if(e){var o=e.words,s=o[0],c=o[1],a=16711935&(s<<8|s>>>24)|4278255360&(s<<24|s>>>8),h=16711935&(c<<8|c>>>24)|4278255360&(c<<24|c>>>8),l=a>>>16|4294901760&h,f=h<<16|65535&a;i[0]^=a,i[1]^=l,i[2]^=h,i[3]^=f,i[4]^=a,i[5]^=l,i[6]^=h,i[7]^=f;for(n=0;n<4;n++)Mt.call(this)}},_doProcessBlock:function(t,e){var r=this._X;Mt.call(this),Bt[0]=r[0]^r[5]>>>16^r[3]<<16,Bt[1]=r[2]^r[7]>>>16^r[5]<<16,Bt[2]=r[4]^r[1]>>>16^r[7]<<16,Bt[3]=r[6]^r[3]>>>16^r[1]<<16;for(var i=0;i<4;i++)Bt[i]=16711935&(Bt[i]<<8|Bt[i]>>>24)|4278255360&(Bt[i]<<24|Bt[i]>>>8),t[e+i]^=Bt[i]},blockSize:4,ivSize:2}),vt.RabbitLegacy=yt._createHelper(St),bt.pad.ZeroPadding={pad:function(t,e){var r=4*e;t.clamp(),t.sigBytes+=r-(t.sigBytes%r||r)},unpad:function(t){var e=t.words,r=t.sigBytes-1;for(r=t.sigBytes-1;0<=r;r--)if(e[r>>>2]>>>24-r%4*8&255){t.sigBytes=r+1;break}}},bt});
\ No newline at end of file

From bf466a1ba27082dd27e31fd2f3197cf502970ef7 Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Tue, 10 May 2022 19:15:17 +0800
Subject: [PATCH 092/258] =?UTF-8?q?feat:=20LDAP=E5=90=8C=E6=AD=A5=E7=94=A8?=
 =?UTF-8?q?=E6=88=B7=E6=94=AF=E6=8C=81=E7=BB=84=E7=BB=87?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/settings/serializers/auth/ldap.py |  1 +
 apps/settings/utils/ldap.py            | 58 +++++++++++++++++++++++---
 2 files changed, 54 insertions(+), 5 deletions(-)

diff --git a/apps/settings/serializers/auth/ldap.py b/apps/settings/serializers/auth/ldap.py
index 6ac00661c..2278925c1 100644
--- a/apps/settings/serializers/auth/ldap.py
+++ b/apps/settings/serializers/auth/ldap.py
@@ -30,6 +30,7 @@ class LDAPUserSerializer(serializers.Serializer):
     username = serializers.CharField()
     name = serializers.CharField()
     email = serializers.CharField()
+    groups = serializers.ListField(child=serializers.CharField(), default=[])
     existing = serializers.BooleanField(read_only=True)
 
 
diff --git a/apps/settings/utils/ldap.py b/apps/settings/utils/ldap.py
index 5175d7a31..da08d5664 100644
--- a/apps/settings/utils/ldap.py
+++ b/apps/settings/utils/ldap.py
@@ -1,6 +1,7 @@
 # coding: utf-8
 #
 
+import os
 import json
 from ldap3 import Server, Connection, SIMPLE
 from ldap3.core.exceptions import (
@@ -21,12 +22,14 @@ from django.conf import settings
 from django.core.cache import cache
 from django.utils.translation import ugettext_lazy as _
 from copy import deepcopy
+from collections import defaultdict
+from orgs.utils import tmp_to_org
 
 from common.const import LDAP_AD_ACCOUNT_DISABLE
 from common.utils import timeit, get_logger
 from common.db.utils import close_old_connections
 from users.utils import construct_user_email
-from users.models import User
+from users.models import User, UserGroup
 from authentication.backends.ldap import LDAPAuthorizationBackend, LDAPUser
 
 logger = get_logger(__file__)
@@ -185,6 +188,12 @@ class LDAPServerUtil(object):
             if attr == 'is_active' and mapping.lower() == 'useraccountcontrol' \
                     and value:
                 value = int(value) & LDAP_AD_ACCOUNT_DISABLE != LDAP_AD_ACCOUNT_DISABLE
+            if attr == 'groups' and mapping.lower() == 'memberof':
+                # AD: {'groups': 'memberOf'}
+                if isinstance(value, str) and value:
+                    value = [value]
+                if not isinstance(value, list):
+                    value = []
             user[attr] = value.strip() if isinstance(value, str) else value
         return user
 
@@ -244,10 +253,13 @@ class LDAPCacheUtil(object):
                 if user['username'] in self.search_users
             ]
         elif self.search_value:
-            filter_users = [
-                user for user in users
-                if self.search_value.lower() in ','.join(user.values()).lower()
-            ]
+            filter_users = []
+            for u in users:
+                search_value = self.search_value.lower()
+                user_all_attr_value = [v for v in u.values() if isinstance(v, str)]
+                if search_value not in ','.join(user_all_attr_value).lower():
+                    continue
+                filter_users.append(u)
         else:
             filter_users = users
         return filter_users
@@ -345,6 +357,7 @@ class LDAPSyncUtil(object):
 
 
 class LDAPImportUtil(object):
+    user_group_name_prefix = 'AD '
 
     def __init__(self):
         pass
@@ -365,23 +378,58 @@ class LDAPImportUtil(object):
         )
         return obj, created
 
+    def get_user_group_names(self, groups) -> list:
+        if not isinstance(groups, list):
+            logger.error('Groups type not list')
+            return []
+        group_names = []
+        for group in groups:
+            if not group:
+                continue
+            if not isinstance(group, str):
+                continue
+            # get group name for AD, Such as: CN=Users,CN=Builtin,DC=jms,DC=com
+            group_name = group.split(',')[0].split('=')[-1]
+            group_name = f'{self.user_group_name_prefix}{group_name}'.strip()
+            group_names.append(group_name)
+        return group_names
+
     def perform_import(self, users, org=None):
         logger.info('Start perform import ldap users, count: {}'.format(len(users)))
         errors = []
         objs = []
+        group_users_mapper = defaultdict(set)
         for user in users:
+            groups = user.pop('groups', [])
             try:
                 obj, created = self.update_or_create(user)
                 objs.append(obj)
             except Exception as e:
                 errors.append({user['username']: str(e)})
                 logger.error(e)
+                continue
+            try:
+                group_names = self.get_user_group_names(groups)
+                for group_name in group_names:
+                    group_users_mapper[group_name].add(obj)
+            except Exception as e:
+                errors.append({user['username']: str(e)})
+                logger.error(e)
+                continue
         if not org:
             return
         if org.is_root():
             return
+        # add user to org
         for obj in objs:
             org.add_member(obj)
+        # add user to group
+        with tmp_to_org(org):
+            for group_name, users in group_users_mapper.items():
+                group, created = UserGroup.objects.get_or_create(
+                    name=group_name, defaults={'name': group_name}
+                )
+                group.users.add(*users)
         logger.info('End perform import ldap users')
         return errors
 

From bc8df726034f5197396a7b83b8f85a32bfb9e8cb Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Wed, 11 May 2022 15:57:48 +0800
Subject: [PATCH 093/258] =?UTF-8?q?fix:=20=E4=BF=AE=E6=94=B9=E5=88=9B?=
 =?UTF-8?q?=E5=BB=BA=E6=9B=B4=E6=96=B0=E7=94=A8=E6=88=B7=E7=9A=84=E5=AF=86?=
 =?UTF-8?q?=E7=A0=81=E5=AD=97=E6=AE=B5?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/users/serializers/user.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/apps/users/serializers/user.py b/apps/users/serializers/user.py
index 5a1043267..b1a9cf1d4 100644
--- a/apps/users/serializers/user.py
+++ b/apps/users/serializers/user.py
@@ -7,6 +7,7 @@ from rest_framework import serializers
 from common.mixins import CommonBulkSerializerMixin
 from common.validators import PhoneValidator
 from common.utils import pretty_string
+from common.drf.fields import EncryptedField
 from rbac.builtin import BuiltinRole
 from rbac.permissions import RBACPermission
 from rbac.models import OrgRoleBinding, SystemRoleBinding, Role
@@ -87,6 +88,7 @@ class UserSerializer(RolesSerializerMixin, CommonBulkSerializerMixin, serializer
     can_public_key_auth = serializers.ReadOnlyField(
         source='can_use_ssh_key_login', label=_('Can public key authentication')
     )
+    password = EncryptedField(required=False, allow_blank=True, allow_null=True, max_length=1024)
     # Todo: 这里看看该怎么搞
     # can_update = serializers.SerializerMethodField(label=_('Can update'))
     # can_delete = serializers.SerializerMethodField(label=_('Can delete'))

From d692188a34196a02e644a0e2df3548c98b449690 Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Wed, 11 May 2022 15:27:54 +0800
Subject: [PATCH 094/258] =?UTF-8?q?perf:=20=E4=BF=AE=E6=94=B9=20i18n?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/locale/ja/LC_MESSAGES/django.mo |  3 ++
 apps/locale/ja/LC_MESSAGES/django.po | 76 ++++++++++++++--------------
 apps/locale/zh/LC_MESSAGES/django.mo |  3 ++
 apps/locale/zh/LC_MESSAGES/django.po | 76 ++++++++++++++--------------
 4 files changed, 82 insertions(+), 76 deletions(-)
 create mode 100644 apps/locale/ja/LC_MESSAGES/django.mo
 create mode 100644 apps/locale/zh/LC_MESSAGES/django.mo

diff --git a/apps/locale/ja/LC_MESSAGES/django.mo b/apps/locale/ja/LC_MESSAGES/django.mo
new file mode 100644
index 000000000..eba651a80
--- /dev/null
+++ b/apps/locale/ja/LC_MESSAGES/django.mo
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:90a70c14fd3b546cb1ef6a96da4cd7a2acde947128bbb773527ed1845510511c
+size 127420
diff --git a/apps/locale/ja/LC_MESSAGES/django.po b/apps/locale/ja/LC_MESSAGES/django.po
index ef8e52bb1..a4c8fddc7 100644
--- a/apps/locale/ja/LC_MESSAGES/django.po
+++ b/apps/locale/ja/LC_MESSAGES/django.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-05-10 10:46+0800\n"
+"POT-Creation-Date: 2022-05-11 10:44+0800\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -33,7 +33,7 @@ msgstr "Acls"
 #: terminal/models/storage.py:25 terminal/models/task.py:16
 #: terminal/models/terminal.py:100 users/forms/profile.py:33
 #: users/models/group.py:15 users/models/user.py:661
-#: xpack/plugins/cloud/models.py:28
+#: xpack/plugins/cloud/models.py:27
 msgid "Name"
 msgstr "名前"
 
@@ -66,7 +66,7 @@ msgstr "アクティブ"
 #: tickets/models/comment.py:24 tickets/models/ticket.py:154
 #: users/models/group.py:16 users/models/user.py:698
 #: xpack/plugins/change_auth_plan/models/base.py:44
-#: xpack/plugins/cloud/models.py:35 xpack/plugins/cloud/models.py:116
+#: xpack/plugins/cloud/models.py:34 xpack/plugins/cloud/models.py:115
 #: xpack/plugins/gathered_user/models.py:26
 msgid "Comment"
 msgstr "コメント"
@@ -134,7 +134,7 @@ msgstr "システムユーザー"
 #: terminal/notifications.py:90
 #: xpack/plugins/change_auth_plan/models/asset.py:199
 #: xpack/plugins/change_auth_plan/serializers/asset.py:180
-#: xpack/plugins/cloud/models.py:223
+#: xpack/plugins/cloud/models.py:222
 msgid "Asset"
 msgstr "資産"
 
@@ -318,7 +318,7 @@ msgstr "タイプ"
 msgid "Domain"
 msgstr "ドメイン"
 
-#: applications/models/application.py:228 xpack/plugins/cloud/models.py:33
+#: applications/models/application.py:228 xpack/plugins/cloud/models.py:32
 #: xpack/plugins/cloud/serializers/account.py:59
 msgid "Attrs"
 msgstr "ツールバーの"
@@ -357,7 +357,7 @@ msgstr "タイプ表示"
 #: common/mixins/models.py:50 ops/models/adhoc.py:39 ops/models/command.py:30
 #: orgs/models.py:67 orgs/models.py:217 perms/models/base.py:92
 #: users/models/group.py:18 users/models/user.py:915
-#: xpack/plugins/cloud/models.py:125
+#: xpack/plugins/cloud/models.py:124
 msgid "Date created"
 msgstr "作成された日付"
 
@@ -572,7 +572,7 @@ msgstr "ホスト名生"
 
 #: assets/models/asset.py:215 assets/serializers/account.py:16
 #: assets/serializers/asset.py:65 perms/serializers/asset/user_permission.py:41
-#: xpack/plugins/cloud/models.py:107 xpack/plugins/cloud/serializers/task.py:42
+#: xpack/plugins/cloud/models.py:106 xpack/plugins/cloud/serializers/task.py:42
 msgid "Protocols"
 msgstr "プロトコル"
 
@@ -612,7 +612,7 @@ msgstr "ラベル"
 #: orgs/models.py:219 perms/models/base.py:91 users/models/user.py:706
 #: users/serializers/group.py:33
 #: xpack/plugins/change_auth_plan/models/base.py:48
-#: xpack/plugins/cloud/models.py:122 xpack/plugins/gathered_user/models.py:30
+#: xpack/plugins/cloud/models.py:121 xpack/plugins/gathered_user/models.py:30
 msgid "Created by"
 msgstr "によって作成された"
 
@@ -716,7 +716,7 @@ msgstr "トリガーモード"
 #: xpack/plugins/change_auth_plan/models/base.py:201
 #: xpack/plugins/change_auth_plan/serializers/app.py:66
 #: xpack/plugins/change_auth_plan/serializers/asset.py:179
-#: xpack/plugins/cloud/models.py:179
+#: xpack/plugins/cloud/models.py:178
 msgid "Reason"
 msgstr "理由"
 
@@ -954,7 +954,7 @@ msgid "Parent key"
 msgstr "親キー"
 
 #: assets/models/node.py:559 assets/serializers/system_user.py:263
-#: xpack/plugins/cloud/models.py:96 xpack/plugins/cloud/serializers/task.py:69
+#: xpack/plugins/cloud/models.py:95 xpack/plugins/cloud/serializers/task.py:69
 msgid "Node"
 msgstr "ノード"
 
@@ -1491,8 +1491,8 @@ msgid "MFA"
 msgstr "MFA"
 
 #: audits/models.py:128 terminal/models/status.py:33
-#: tickets/models/ticket.py:140 xpack/plugins/cloud/models.py:175
-#: xpack/plugins/cloud/models.py:227
+#: tickets/models/ticket.py:140 xpack/plugins/cloud/models.py:174
+#: xpack/plugins/cloud/models.py:226
 msgid "Status"
 msgstr "ステータス"
 
@@ -1529,7 +1529,7 @@ msgid "Hosts display"
 msgstr "ホスト表示"
 
 #: audits/serializers.py:96 ops/models/command.py:27
-#: xpack/plugins/cloud/models.py:173
+#: xpack/plugins/cloud/models.py:172
 msgid "Result"
 msgstr "結果"
 
@@ -1934,15 +1934,15 @@ msgstr "期間は許可されていません"
 msgid "SSO auth closed"
 msgstr "SSO authは閉鎖されました"
 
-#: authentication/errors.py:300 authentication/mixins.py:305
+#: authentication/errors.py:300 authentication/mixins.py:306
 msgid "Your password is too simple, please change it for security"
 msgstr "パスワードがシンプルすぎるので、セキュリティのために変更してください"
 
-#: authentication/errors.py:309 authentication/mixins.py:312
+#: authentication/errors.py:309 authentication/mixins.py:313
 msgid "You should to change your password before login"
 msgstr "ログインする前にパスワードを変更する必要があります"
 
-#: authentication/errors.py:318 authentication/mixins.py:319
+#: authentication/errors.py:318 authentication/mixins.py:320
 msgid "Your password has expired, please reset before logging in"
 msgstr ""
 "パスワードの有効期限が切れました。ログインする前にリセットしてください。"
@@ -2035,11 +2035,11 @@ msgstr "電話番号を設定して有効にする"
 msgid "Clear phone number to disable"
 msgstr "無効にする電話番号をクリアする"
 
-#: authentication/mixins.py:255
+#: authentication/mixins.py:256
 msgid "The MFA type ({}) is not enabled"
 msgstr "MFAタイプ ({}) が有効になっていない"
 
-#: authentication/mixins.py:295
+#: authentication/mixins.py:296
 msgid "Please change your password"
 msgstr "パスワードを変更してください"
 
@@ -4973,7 +4973,7 @@ msgstr "バケット"
 msgid "Secret key"
 msgstr "秘密キー"
 
-#: terminal/serializers/storage.py:64 xpack/plugins/cloud/models.py:220
+#: terminal/serializers/storage.py:64 xpack/plugins/cloud/models.py:219
 msgid "Region"
 msgstr "リージョン"
 
@@ -6367,79 +6367,79 @@ msgstr "リリース済み"
 msgid "Cloud center"
 msgstr "クラウドセンター"
 
-#: xpack/plugins/cloud/models.py:30
+#: xpack/plugins/cloud/models.py:29
 msgid "Provider"
 msgstr "プロバイダー"
 
-#: xpack/plugins/cloud/models.py:34
+#: xpack/plugins/cloud/models.py:33
 msgid "Validity"
 msgstr "有効性"
 
-#: xpack/plugins/cloud/models.py:39
+#: xpack/plugins/cloud/models.py:38
 msgid "Cloud account"
 msgstr "クラウドアカウント"
 
-#: xpack/plugins/cloud/models.py:41
+#: xpack/plugins/cloud/models.py:40
 msgid "Test cloud account"
 msgstr "クラウドアカウントのテスト"
 
-#: xpack/plugins/cloud/models.py:85 xpack/plugins/cloud/serializers/task.py:66
+#: xpack/plugins/cloud/models.py:84 xpack/plugins/cloud/serializers/task.py:66
 msgid "Account"
 msgstr "アカウント"
 
-#: xpack/plugins/cloud/models.py:88 xpack/plugins/cloud/serializers/task.py:37
+#: xpack/plugins/cloud/models.py:87 xpack/plugins/cloud/serializers/task.py:37
 msgid "Regions"
 msgstr "リージョン"
 
-#: xpack/plugins/cloud/models.py:91
+#: xpack/plugins/cloud/models.py:90
 msgid "Hostname strategy"
 msgstr "ホスト名戦略"
 
-#: xpack/plugins/cloud/models.py:100 xpack/plugins/cloud/serializers/task.py:67
+#: xpack/plugins/cloud/models.py:99 xpack/plugins/cloud/serializers/task.py:67
 msgid "Unix admin user"
 msgstr "Unix adminユーザー"
 
-#: xpack/plugins/cloud/models.py:104 xpack/plugins/cloud/serializers/task.py:68
+#: xpack/plugins/cloud/models.py:103 xpack/plugins/cloud/serializers/task.py:68
 msgid "Windows admin user"
 msgstr "Windows管理者"
 
-#: xpack/plugins/cloud/models.py:110 xpack/plugins/cloud/serializers/task.py:45
+#: xpack/plugins/cloud/models.py:109 xpack/plugins/cloud/serializers/task.py:45
 msgid "IP network segment group"
 msgstr "IPネットワークセグメントグループ"
 
-#: xpack/plugins/cloud/models.py:113 xpack/plugins/cloud/serializers/task.py:71
+#: xpack/plugins/cloud/models.py:112 xpack/plugins/cloud/serializers/task.py:71
 msgid "Always update"
 msgstr "常に更新"
 
-#: xpack/plugins/cloud/models.py:119
+#: xpack/plugins/cloud/models.py:118
 msgid "Date last sync"
 msgstr "最終同期日"
 
-#: xpack/plugins/cloud/models.py:130 xpack/plugins/cloud/models.py:171
+#: xpack/plugins/cloud/models.py:129 xpack/plugins/cloud/models.py:170
 msgid "Sync instance task"
 msgstr "インスタンスの同期タスク"
 
-#: xpack/plugins/cloud/models.py:182 xpack/plugins/cloud/models.py:230
+#: xpack/plugins/cloud/models.py:181 xpack/plugins/cloud/models.py:229
 msgid "Date sync"
 msgstr "日付の同期"
 
-#: xpack/plugins/cloud/models.py:186
+#: xpack/plugins/cloud/models.py:185
 msgid "Sync instance task execution"
 msgstr "インスタンスタスクの同期実行"
 
-#: xpack/plugins/cloud/models.py:210
+#: xpack/plugins/cloud/models.py:209
 msgid "Sync task"
 msgstr "同期タスク"
 
-#: xpack/plugins/cloud/models.py:214
+#: xpack/plugins/cloud/models.py:213
 msgid "Sync instance task history"
 msgstr "インスタンスタスク履歴の同期"
 
-#: xpack/plugins/cloud/models.py:217
+#: xpack/plugins/cloud/models.py:216
 msgid "Instance"
 msgstr "インスタンス"
 
-#: xpack/plugins/cloud/models.py:234
+#: xpack/plugins/cloud/models.py:233
 msgid "Sync instance detail"
 msgstr "同期インスタンスの詳細"
 
diff --git a/apps/locale/zh/LC_MESSAGES/django.mo b/apps/locale/zh/LC_MESSAGES/django.mo
new file mode 100644
index 000000000..5d4b3e1b9
--- /dev/null
+++ b/apps/locale/zh/LC_MESSAGES/django.mo
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f181a41eb4dd8a30a576f7903e5c9f519da2042e5e095ac27146d7b4002ba3df
+size 105303
diff --git a/apps/locale/zh/LC_MESSAGES/django.po b/apps/locale/zh/LC_MESSAGES/django.po
index daa3e5df9..1ad70f740 100644
--- a/apps/locale/zh/LC_MESSAGES/django.po
+++ b/apps/locale/zh/LC_MESSAGES/django.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: JumpServer 0.3.3\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-05-10 10:45+0800\n"
+"POT-Creation-Date: 2022-05-11 10:44+0800\n"
 "PO-Revision-Date: 2021-05-20 10:54+0800\n"
 "Last-Translator: ibuler <ibuler@qq.com>\n"
 "Language-Team: JumpServer team<ibuler@qq.com>\n"
@@ -32,7 +32,7 @@ msgstr "访问控制"
 #: terminal/models/storage.py:25 terminal/models/task.py:16
 #: terminal/models/terminal.py:100 users/forms/profile.py:33
 #: users/models/group.py:15 users/models/user.py:661
-#: xpack/plugins/cloud/models.py:28
+#: xpack/plugins/cloud/models.py:27
 msgid "Name"
 msgstr "名称"
 
@@ -65,7 +65,7 @@ msgstr "激活中"
 #: tickets/models/comment.py:24 tickets/models/ticket.py:154
 #: users/models/group.py:16 users/models/user.py:698
 #: xpack/plugins/change_auth_plan/models/base.py:44
-#: xpack/plugins/cloud/models.py:35 xpack/plugins/cloud/models.py:116
+#: xpack/plugins/cloud/models.py:34 xpack/plugins/cloud/models.py:115
 #: xpack/plugins/gathered_user/models.py:26
 msgid "Comment"
 msgstr "备注"
@@ -133,7 +133,7 @@ msgstr "系统用户"
 #: terminal/notifications.py:90
 #: xpack/plugins/change_auth_plan/models/asset.py:199
 #: xpack/plugins/change_auth_plan/serializers/asset.py:180
-#: xpack/plugins/cloud/models.py:223
+#: xpack/plugins/cloud/models.py:222
 msgid "Asset"
 msgstr "资产"
 
@@ -313,7 +313,7 @@ msgstr "类型"
 msgid "Domain"
 msgstr "网域"
 
-#: applications/models/application.py:228 xpack/plugins/cloud/models.py:33
+#: applications/models/application.py:228 xpack/plugins/cloud/models.py:32
 #: xpack/plugins/cloud/serializers/account.py:59
 msgid "Attrs"
 msgstr "属性"
@@ -352,7 +352,7 @@ msgstr "类型名称"
 #: common/mixins/models.py:50 ops/models/adhoc.py:39 ops/models/command.py:30
 #: orgs/models.py:67 orgs/models.py:217 perms/models/base.py:92
 #: users/models/group.py:18 users/models/user.py:915
-#: xpack/plugins/cloud/models.py:125
+#: xpack/plugins/cloud/models.py:124
 msgid "Date created"
 msgstr "创建日期"
 
@@ -567,7 +567,7 @@ msgstr "主机名原始"
 
 #: assets/models/asset.py:215 assets/serializers/account.py:16
 #: assets/serializers/asset.py:65 perms/serializers/asset/user_permission.py:41
-#: xpack/plugins/cloud/models.py:107 xpack/plugins/cloud/serializers/task.py:42
+#: xpack/plugins/cloud/models.py:106 xpack/plugins/cloud/serializers/task.py:42
 msgid "Protocols"
 msgstr "协议组"
 
@@ -607,7 +607,7 @@ msgstr "标签管理"
 #: orgs/models.py:219 perms/models/base.py:91 users/models/user.py:706
 #: users/serializers/group.py:33
 #: xpack/plugins/change_auth_plan/models/base.py:48
-#: xpack/plugins/cloud/models.py:122 xpack/plugins/gathered_user/models.py:30
+#: xpack/plugins/cloud/models.py:121 xpack/plugins/gathered_user/models.py:30
 msgid "Created by"
 msgstr "创建者"
 
@@ -711,7 +711,7 @@ msgstr "触发模式"
 #: xpack/plugins/change_auth_plan/models/base.py:201
 #: xpack/plugins/change_auth_plan/serializers/app.py:66
 #: xpack/plugins/change_auth_plan/serializers/asset.py:179
-#: xpack/plugins/cloud/models.py:179
+#: xpack/plugins/cloud/models.py:178
 msgid "Reason"
 msgstr "原因"
 
@@ -949,7 +949,7 @@ msgid "Parent key"
 msgstr "ssh私钥"
 
 #: assets/models/node.py:559 assets/serializers/system_user.py:263
-#: xpack/plugins/cloud/models.py:96 xpack/plugins/cloud/serializers/task.py:69
+#: xpack/plugins/cloud/models.py:95 xpack/plugins/cloud/serializers/task.py:69
 msgid "Node"
 msgstr "节点"
 
@@ -1479,8 +1479,8 @@ msgid "MFA"
 msgstr "MFA"
 
 #: audits/models.py:128 terminal/models/status.py:33
-#: tickets/models/ticket.py:140 xpack/plugins/cloud/models.py:175
-#: xpack/plugins/cloud/models.py:227
+#: tickets/models/ticket.py:140 xpack/plugins/cloud/models.py:174
+#: xpack/plugins/cloud/models.py:226
 msgid "Status"
 msgstr "状态"
 
@@ -1517,7 +1517,7 @@ msgid "Hosts display"
 msgstr "主机名称"
 
 #: audits/serializers.py:96 ops/models/command.py:27
-#: xpack/plugins/cloud/models.py:173
+#: xpack/plugins/cloud/models.py:172
 msgid "Result"
 msgstr "结果"
 
@@ -1914,15 +1914,15 @@ msgstr "该 时间段 不被允许登录"
 msgid "SSO auth closed"
 msgstr "SSO 认证关闭了"
 
-#: authentication/errors.py:300 authentication/mixins.py:305
+#: authentication/errors.py:300 authentication/mixins.py:306
 msgid "Your password is too simple, please change it for security"
 msgstr "你的密码过于简单，为了安全，请修改"
 
-#: authentication/errors.py:309 authentication/mixins.py:312
+#: authentication/errors.py:309 authentication/mixins.py:313
 msgid "You should to change your password before login"
 msgstr "登录完成前，请先修改密码"
 
-#: authentication/errors.py:318 authentication/mixins.py:319
+#: authentication/errors.py:318 authentication/mixins.py:320
 msgid "Your password has expired, please reset before logging in"
 msgstr "您的密码已过期，先修改再登录"
 
@@ -2014,11 +2014,11 @@ msgstr "设置手机号码启用"
 msgid "Clear phone number to disable"
 msgstr "清空手机号码禁用"
 
-#: authentication/mixins.py:255
+#: authentication/mixins.py:256
 msgid "The MFA type ({}) is not enabled"
 msgstr "该 MFA ({}) 方式没有启用"
 
-#: authentication/mixins.py:295
+#: authentication/mixins.py:296
 msgid "Please change your password"
 msgstr "请修改密码"
 
@@ -4901,7 +4901,7 @@ msgstr "桶名称"
 msgid "Secret key"
 msgstr "密钥"
 
-#: terminal/serializers/storage.py:64 xpack/plugins/cloud/models.py:220
+#: terminal/serializers/storage.py:64 xpack/plugins/cloud/models.py:219
 msgid "Region"
 msgstr "地域"
 
@@ -6276,79 +6276,79 @@ msgstr "已释放"
 msgid "Cloud center"
 msgstr "云管中心"
 
-#: xpack/plugins/cloud/models.py:30
+#: xpack/plugins/cloud/models.py:29
 msgid "Provider"
 msgstr "云服务商"
 
-#: xpack/plugins/cloud/models.py:34
+#: xpack/plugins/cloud/models.py:33
 msgid "Validity"
 msgstr "有效"
 
-#: xpack/plugins/cloud/models.py:39
+#: xpack/plugins/cloud/models.py:38
 msgid "Cloud account"
 msgstr "云账号"
 
-#: xpack/plugins/cloud/models.py:41
+#: xpack/plugins/cloud/models.py:40
 msgid "Test cloud account"
 msgstr "测试云账号"
 
-#: xpack/plugins/cloud/models.py:85 xpack/plugins/cloud/serializers/task.py:66
+#: xpack/plugins/cloud/models.py:84 xpack/plugins/cloud/serializers/task.py:66
 msgid "Account"
 msgstr "账号"
 
-#: xpack/plugins/cloud/models.py:88 xpack/plugins/cloud/serializers/task.py:37
+#: xpack/plugins/cloud/models.py:87 xpack/plugins/cloud/serializers/task.py:37
 msgid "Regions"
 msgstr "地域"
 
-#: xpack/plugins/cloud/models.py:91
+#: xpack/plugins/cloud/models.py:90
 msgid "Hostname strategy"
 msgstr "主机名策略"
 
-#: xpack/plugins/cloud/models.py:100 xpack/plugins/cloud/serializers/task.py:67
+#: xpack/plugins/cloud/models.py:99 xpack/plugins/cloud/serializers/task.py:67
 msgid "Unix admin user"
 msgstr "Unix 管理员"
 
-#: xpack/plugins/cloud/models.py:104 xpack/plugins/cloud/serializers/task.py:68
+#: xpack/plugins/cloud/models.py:103 xpack/plugins/cloud/serializers/task.py:68
 msgid "Windows admin user"
 msgstr "Windows 管理员"
 
-#: xpack/plugins/cloud/models.py:110 xpack/plugins/cloud/serializers/task.py:45
+#: xpack/plugins/cloud/models.py:109 xpack/plugins/cloud/serializers/task.py:45
 msgid "IP network segment group"
 msgstr "IP网段组"
 
-#: xpack/plugins/cloud/models.py:113 xpack/plugins/cloud/serializers/task.py:71
+#: xpack/plugins/cloud/models.py:112 xpack/plugins/cloud/serializers/task.py:71
 msgid "Always update"
 msgstr "总是更新"
 
-#: xpack/plugins/cloud/models.py:119
+#: xpack/plugins/cloud/models.py:118
 msgid "Date last sync"
 msgstr "最后同步日期"
 
-#: xpack/plugins/cloud/models.py:130 xpack/plugins/cloud/models.py:171
+#: xpack/plugins/cloud/models.py:129 xpack/plugins/cloud/models.py:170
 msgid "Sync instance task"
 msgstr "同步实例任务"
 
-#: xpack/plugins/cloud/models.py:182 xpack/plugins/cloud/models.py:230
+#: xpack/plugins/cloud/models.py:181 xpack/plugins/cloud/models.py:229
 msgid "Date sync"
 msgstr "同步日期"
 
-#: xpack/plugins/cloud/models.py:186
+#: xpack/plugins/cloud/models.py:185
 msgid "Sync instance task execution"
 msgstr "同步实例任务执行"
 
-#: xpack/plugins/cloud/models.py:210
+#: xpack/plugins/cloud/models.py:209
 msgid "Sync task"
 msgstr "同步任务"
 
-#: xpack/plugins/cloud/models.py:214
+#: xpack/plugins/cloud/models.py:213
 msgid "Sync instance task history"
 msgstr "同步实例任务历史"
 
-#: xpack/plugins/cloud/models.py:217
+#: xpack/plugins/cloud/models.py:216
 msgid "Instance"
 msgstr "实例"
 
-#: xpack/plugins/cloud/models.py:234
+#: xpack/plugins/cloud/models.py:233
 msgid "Sync instance detail"
 msgstr "同步实例详情"
 

From dab8828b0392111a89ec66cba2661ae1be3d503c Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Wed, 11 May 2022 17:09:23 +0800
Subject: [PATCH 095/258] =?UTF-8?q?perf:=20=E4=BC=98=E5=8C=96=20setting=20?=
 =?UTF-8?q?=E8=8E=B7=E5=8F=96?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/settings/api/public.py         | 60 ++++++++---------------------
 apps/settings/serializers/public.py |  7 ++--
 2 files changed, 20 insertions(+), 47 deletions(-)

diff --git a/apps/settings/api/public.py b/apps/settings/api/public.py
index 108970c59..724001e28 100644
--- a/apps/settings/api/public.py
+++ b/apps/settings/api/public.py
@@ -27,34 +27,31 @@ class OpenPublicSettingApi(generics.RetrieveAPIView):
         interface = get_interface_setting()
         return interface['login_title']
 
-    def get_open_public_settings(self):
+    def get_object(self):
         return {
             "XPACK_ENABLED": settings.XPACK_ENABLED,
             "LOGIN_TITLE": self.get_login_title(),
             "LOGO_URLS": self.get_logo_urls(),
-            'SECURITY_WATERMARK_ENABLED': settings.SECURITY_WATERMARK_ENABLED,
         }
 
-    def get_object(self):
-        return self.get_open_public_settings()
-
 
 class PublicSettingApi(OpenPublicSettingApi):
     permission_classes = (IsAuthenticated,)
     serializer_class = serializers.PrivateSettingSerializer
 
-    @staticmethod
-    def get_public_settings():
-        return {
-            # Security
-            "WINDOWS_SKIP_ALL_MANUAL_PASSWORD": settings.WINDOWS_SKIP_ALL_MANUAL_PASSWORD,
-            "OLD_PASSWORD_HISTORY_LIMIT_COUNT": settings.OLD_PASSWORD_HISTORY_LIMIT_COUNT,
-            "SECURITY_MAX_IDLE_TIME": settings.SECURITY_MAX_IDLE_TIME,
-            "SECURITY_VIEW_AUTH_NEED_MFA": settings.SECURITY_VIEW_AUTH_NEED_MFA,
-            "SECURITY_MFA_VERIFY_TTL": settings.SECURITY_MFA_VERIFY_TTL,
-            "SECURITY_COMMAND_EXECUTION": settings.SECURITY_COMMAND_EXECUTION,
-            "SECURITY_PASSWORD_EXPIRATION_TIME": settings.SECURITY_PASSWORD_EXPIRATION_TIME,
-            "SECURITY_LUNA_REMEMBER_AUTH": settings.SECURITY_LUNA_REMEMBER_AUTH,
+    def get_object(self):
+        values = super().get_object()
+
+        serializer = self.serializer_class()
+        field_names = list(serializer.fields.keys())
+
+        for name in field_names:
+            if hasattr(settings, name):
+                values[name] = getattr(settings, name)
+
+        values.update({
+            "XPACK_LICENSE_IS_VALID": has_valid_xpack_license(),
+            "XPACK_LICENSE_INFO": get_xpack_license_info(),
             "PASSWORD_RULE": {
                 'SECURITY_PASSWORD_MIN_LENGTH': settings.SECURITY_PASSWORD_MIN_LENGTH,
                 'SECURITY_ADMIN_USER_PASSWORD_MIN_LENGTH': settings.SECURITY_ADMIN_USER_PASSWORD_MIN_LENGTH,
@@ -63,32 +60,7 @@ class PublicSettingApi(OpenPublicSettingApi):
                 'SECURITY_PASSWORD_NUMBER': settings.SECURITY_PASSWORD_NUMBER,
                 'SECURITY_PASSWORD_SPECIAL_CHAR': settings.SECURITY_PASSWORD_SPECIAL_CHAR,
             },
-            'SECURITY_SESSION_SHARE': settings.SECURITY_SESSION_SHARE,
-            # XPACK
-            "XPACK_LICENSE_IS_VALID": has_valid_xpack_license(),
-            "XPACK_LICENSE_INFO": get_xpack_license_info(),
-            # Performance
-            "HELP_DOCUMENT_URL": settings.HELP_DOCUMENT_URL,
-            "HELP_SUPPORT_URL": settings.HELP_SUPPORT_URL,
-            # Auth
-            "AUTH_WECOM": settings.AUTH_WECOM,
-            "AUTH_DINGTALK": settings.AUTH_DINGTALK,
-            "AUTH_FEISHU": settings.AUTH_FEISHU,
-            # Terminal
-            "XRDP_ENABLED": settings.XRDP_ENABLED,
-            "TERMINAL_MAGNUS_ENABLED": settings.TERMINAL_MAGNUS_ENABLED,
-            "TERMINAL_KOKO_SSH_ENABLED": settings.TERMINAL_KOKO_SSH_ENABLED,
-            # Announcement
-            "ANNOUNCEMENT_ENABLED": settings.ANNOUNCEMENT_ENABLED,
-            "ANNOUNCEMENT": settings.ANNOUNCEMENT,
-            "AUTH_TEMP_TOKEN": settings.AUTH_TEMP_TOKEN,
-        }
+        })
+        return values
 
-    def get_object(self):
-        open_public = self.get_open_public_settings()
-        public = self.get_public_settings()
-        return {
-            **open_public,
-            **public
-        }
 
diff --git a/apps/settings/serializers/public.py b/apps/settings/serializers/public.py
index 852f9ccca..877230489 100644
--- a/apps/settings/serializers/public.py
+++ b/apps/settings/serializers/public.py
@@ -1,5 +1,5 @@
 # coding: utf-8
-# 
+#
 
 from rest_framework import serializers
 
@@ -8,7 +8,6 @@ __all__ = ['PublicSettingSerializer', 'PrivateSettingSerializer']
 
 class PublicSettingSerializer(serializers.Serializer):
     XPACK_ENABLED = serializers.BooleanField()
-    SECURITY_WATERMARK_ENABLED = serializers.BooleanField()
     LOGIN_TITLE = serializers.CharField()
     LOGO_URLS = serializers.DictField()
 
@@ -22,6 +21,8 @@ class PrivateSettingSerializer(PublicSettingSerializer):
     SECURITY_COMMAND_EXECUTION = serializers.BooleanField()
     SECURITY_PASSWORD_EXPIRATION_TIME = serializers.IntegerField()
     SECURITY_LUNA_REMEMBER_AUTH = serializers.BooleanField()
+    SECURITY_WATERMARK_ENABLED = serializers.BooleanField()
+    SESSION_EXPIRE_AT_BROWSER_CLOSE = serializers.BooleanField()
     PASSWORD_RULE = serializers.DictField()
     SECURITY_SESSION_SHARE = serializers.BooleanField()
     XPACK_LICENSE_IS_VALID = serializers.BooleanField()
@@ -39,4 +40,4 @@ class PrivateSettingSerializer(PublicSettingSerializer):
     TERMINAL_KOKO_SSH_ENABLED = serializers.BooleanField()
 
     ANNOUNCEMENT_ENABLED = serializers.BooleanField()
-    ANNOUNCEMENT = serializers.CharField()
\ No newline at end of file
+    ANNOUNCEMENT = serializers.CharField()

From c692eed3c6999793a001b1064564cc5e5304da5f Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Thu, 12 May 2022 10:59:19 +0800
Subject: [PATCH 096/258] =?UTF-8?q?perf:=20=E4=BF=AE=E6=94=B9client=20?=
 =?UTF-8?q?=E7=89=88=E6=9C=AC=20(#8223)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: feng626 <1304903146@qq.com>
---
 apps/templates/resource_download.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/templates/resource_download.html b/apps/templates/resource_download.html
index c9cb4ea6f..7f59d521c 100644
--- a/apps/templates/resource_download.html
+++ b/apps/templates/resource_download.html
@@ -15,7 +15,7 @@ p {
 </style>
 <div style="margin: 0 200px">
     <div class="group">
-        <h2>JumpServer {% trans 'Client' %} v1.1.4</h2>
+        <h2>JumpServer {% trans 'Client' %} v1.1.5</h2>
         <p>
             {% trans 'JumpServer Client, currently used to launch the client, now only support launch RDP SSH client, The Telnet client will next' %}
         </p>

From 4f37b2b920acbb8cdb9a527ad0a4c9b4b03f19fe Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Thu, 12 May 2022 11:27:32 +0800
Subject: [PATCH 097/258] =?UTF-8?q?perf:=20=E4=BC=98=E5=8C=96=20setting=20?=
 =?UTF-8?q?=E8=AF=BB=E5=8F=96=EF=BC=8C=E9=81=BF=E5=85=8D=E9=81=97=E6=BC=8F?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/settings/api/public.py | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/apps/settings/api/public.py b/apps/settings/api/public.py
index 724001e28..9753c1bdd 100644
--- a/apps/settings/api/public.py
+++ b/apps/settings/api/public.py
@@ -41,14 +41,6 @@ class PublicSettingApi(OpenPublicSettingApi):
 
     def get_object(self):
         values = super().get_object()
-
-        serializer = self.serializer_class()
-        field_names = list(serializer.fields.keys())
-
-        for name in field_names:
-            if hasattr(settings, name):
-                values[name] = getattr(settings, name)
-
         values.update({
             "XPACK_LICENSE_IS_VALID": has_valid_xpack_license(),
             "XPACK_LICENSE_INFO": get_xpack_license_info(),
@@ -61,6 +53,15 @@ class PublicSettingApi(OpenPublicSettingApi):
                 'SECURITY_PASSWORD_SPECIAL_CHAR': settings.SECURITY_PASSWORD_SPECIAL_CHAR,
             },
         })
+
+        serializer = self.serializer_class()
+        field_names = list(serializer.fields.keys())
+        for name in field_names:
+            if name in values:
+                continue
+            # 提前把异常爆出来
+            values[name] = getattr(settings, name)
         return values
 
 
+

From 6409b7deee81969095ff8333a94b5987289b7da5 Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Thu, 12 May 2022 14:47:35 +0800
Subject: [PATCH 098/258] =?UTF-8?q?feat:=20Endpoint=E6=B7=BB=E5=8A=A0Redis?=
 =?UTF-8?q?=20Port=20(#8225)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Jiangjie.Bai <bugatti_it@163.com>
Co-authored-by: Jiangjie.Bai <32935519+BaiJiangJie@users.noreply.github.com>
---
 apps/locale/ja/LC_MESSAGES/django.po          | 110 +++++++++---------
 apps/locale/zh/LC_MESSAGES/django.po          | 110 +++++++++---------
 .../migrations/0049_endpoint_redis_port.py    |  20 ++++
 apps/terminal/models/endpoint.py              |   1 +
 apps/terminal/serializers/endpoint.py         |   3 +-
 5 files changed, 137 insertions(+), 107 deletions(-)
 create mode 100644 apps/terminal/migrations/0049_endpoint_redis_port.py

diff --git a/apps/locale/ja/LC_MESSAGES/django.po b/apps/locale/ja/LC_MESSAGES/django.po
index a4c8fddc7..a8145faa8 100644
--- a/apps/locale/ja/LC_MESSAGES/django.po
+++ b/apps/locale/ja/LC_MESSAGES/django.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-05-11 10:44+0800\n"
+"POT-Creation-Date: 2022-05-12 14:39+0800\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -29,7 +29,7 @@ msgstr "Acls"
 #: assets/models/group.py:20 assets/models/label.py:18 ops/mixin.py:24
 #: orgs/models.py:65 perms/models/base.py:83 rbac/models/role.py:29
 #: settings/models.py:29 settings/serializers/sms.py:6
-#: terminal/models/endpoint.py:10 terminal/models/endpoint.py:58
+#: terminal/models/endpoint.py:10 terminal/models/endpoint.py:59
 #: terminal/models/storage.py:25 terminal/models/task.py:16
 #: terminal/models/terminal.py:100 users/forms/profile.py:33
 #: users/models/group.py:15 users/models/user.py:661
@@ -38,12 +38,12 @@ msgid "Name"
 msgstr "名前"
 
 #: acls/models/base.py:27 assets/models/cmd_filter.py:84
-#: assets/models/user.py:247 terminal/models/endpoint.py:61
+#: assets/models/user.py:247 terminal/models/endpoint.py:62
 msgid "Priority"
 msgstr "優先順位"
 
 #: acls/models/base.py:28 assets/models/cmd_filter.py:84
-#: assets/models/user.py:247 terminal/models/endpoint.py:62
+#: assets/models/user.py:247 terminal/models/endpoint.py:63
 msgid "1-100, the lower the value will be match first"
 msgstr "1-100、低い値は最初に一致します"
 
@@ -61,7 +61,7 @@ msgstr "アクティブ"
 #: assets/models/domain.py:64 assets/models/group.py:23
 #: assets/models/label.py:23 ops/models/adhoc.py:38 orgs/models.py:68
 #: perms/models/base.py:93 rbac/models/role.py:37 settings/models.py:34
-#: terminal/models/endpoint.py:20 terminal/models/endpoint.py:68
+#: terminal/models/endpoint.py:21 terminal/models/endpoint.py:69
 #: terminal/models/storage.py:28 terminal/models/terminal.py:114
 #: tickets/models/comment.py:24 tickets/models/ticket.py:154
 #: users/models/group.py:16 users/models/user.py:698
@@ -182,7 +182,7 @@ msgstr ""
 #: authentication/templates/authentication/_msg_oauth_bind.html:12
 #: authentication/templates/authentication/_msg_rest_password_success.html:8
 #: authentication/templates/authentication/_msg_rest_public_key_success.html:8
-#: settings/serializers/terminal.py:8 terminal/serializers/endpoint.py:37
+#: settings/serializers/terminal.py:8 terminal/serializers/endpoint.py:38
 msgid "IP"
 msgstr "IP"
 
@@ -759,7 +759,7 @@ msgstr "確認済みの日付"
 #: assets/models/base.py:177 audits/signal_handlers.py:48
 #: authentication/forms.py:32
 #: authentication/templates/authentication/login.html:182
-#: settings/serializers/auth/ldap.py:45 users/forms/profile.py:22
+#: settings/serializers/auth/ldap.py:46 users/forms/profile.py:22
 #: users/templates/users/_msg_user_created.html:13
 #: users/templates/users/user_password_verify.html:18
 #: xpack/plugins/change_auth_plan/models/base.py:42
@@ -1108,7 +1108,7 @@ msgid "Actions"
 msgstr "アクション"
 
 #: assets/serializers/backup.py:31 ops/mixin.py:106 ops/mixin.py:147
-#: settings/serializers/auth/ldap.py:64
+#: settings/serializers/auth/ldap.py:65
 #: xpack/plugins/change_auth_plan/serializers/base.py:42
 msgid "Periodic perform"
 msgstr "定期的なパフォーマンス"
@@ -2731,12 +2731,12 @@ msgid "App ops"
 msgstr "アプリ操作"
 
 #: ops/mixin.py:29 ops/mixin.py:92 ops/mixin.py:162
-#: settings/serializers/auth/ldap.py:71
+#: settings/serializers/auth/ldap.py:72
 msgid "Cycle perform"
 msgstr "サイクル実行"
 
 #: ops/mixin.py:33 ops/mixin.py:90 ops/mixin.py:109 ops/mixin.py:150
-#: settings/serializers/auth/ldap.py:68
+#: settings/serializers/auth/ldap.py:69
 msgid "Regularly perform"
 msgstr "定期的に実行する"
 
@@ -2926,7 +2926,7 @@ msgstr "アプリ組織"
 
 #: orgs/mixins/models.py:46 orgs/mixins/serializers.py:25 orgs/models.py:80
 #: orgs/models.py:211 rbac/const.py:7 rbac/models/rolebinding.py:48
-#: rbac/serializers/rolebinding.py:40 settings/serializers/auth/ldap.py:61
+#: rbac/serializers/rolebinding.py:40 settings/serializers/auth/ldap.py:62
 #: tickets/serializers/ticket/ticket.py:77
 msgid "Organization"
 msgstr "組織"
@@ -3505,40 +3505,40 @@ msgstr "ピン認証の有効化"
 msgid "Enable FeiShu Auth"
 msgstr "飛本認証の有効化"
 
-#: settings/serializers/auth/ldap.py:40
+#: settings/serializers/auth/ldap.py:41
 msgid "LDAP server"
 msgstr "LDAPサーバー"
 
-#: settings/serializers/auth/ldap.py:41
+#: settings/serializers/auth/ldap.py:42
 msgid "eg: ldap://localhost:389"
 msgstr "例: ldap://localhost:389"
 
-#: settings/serializers/auth/ldap.py:43
+#: settings/serializers/auth/ldap.py:44
 msgid "Bind DN"
 msgstr "DN のバインド"
 
-#: settings/serializers/auth/ldap.py:48
+#: settings/serializers/auth/ldap.py:49
 msgid "User OU"
 msgstr "ユーザー OU"
 
-#: settings/serializers/auth/ldap.py:49
+#: settings/serializers/auth/ldap.py:50
 msgid "Use | split multi OUs"
 msgstr "使用 | splitマルチ OU"
 
-#: settings/serializers/auth/ldap.py:52
+#: settings/serializers/auth/ldap.py:53
 msgid "User search filter"
 msgstr "ユーザー検索フィルター"
 
-#: settings/serializers/auth/ldap.py:53
+#: settings/serializers/auth/ldap.py:54
 #, python-format
 msgid "Choice may be (cn|uid|sAMAccountName)=%(user)s)"
 msgstr "選択は (cnまたはuidまたはsAMAccountName)=%(user)s)"
 
-#: settings/serializers/auth/ldap.py:56
+#: settings/serializers/auth/ldap.py:57
 msgid "User attr map"
 msgstr "ユーザー属性マッピング"
 
-#: settings/serializers/auth/ldap.py:57
+#: settings/serializers/auth/ldap.py:58
 msgid ""
 "User attr map present how to map LDAP user attr to jumpserver, username,name,"
 "email is jumpserver attr"
@@ -3546,15 +3546,15 @@ msgstr ""
 "ユーザー属性マッピングは、LDAPのユーザー属性をjumpserverユーザーにマッピング"
 "する方法、username, name,emailはjumpserverのユーザーが必要とする属性です"
 
-#: settings/serializers/auth/ldap.py:75
+#: settings/serializers/auth/ldap.py:76
 msgid "Connect timeout"
 msgstr "接続タイムアウト"
 
-#: settings/serializers/auth/ldap.py:77
+#: settings/serializers/auth/ldap.py:78
 msgid "Search paged size"
 msgstr "ページサイズを検索"
 
-#: settings/serializers/auth/ldap.py:79
+#: settings/serializers/auth/ldap.py:80
 msgid "Enable LDAP auth"
 msgstr "LDAP認証の有効化"
 
@@ -4269,104 +4269,104 @@ msgstr "XRDPの有効化"
 msgid "Enable SSH Client"
 msgstr "SSH Clientの有効化"
 
-#: settings/utils/ldap.py:419
+#: settings/utils/ldap.py:467
 msgid "ldap:// or ldaps:// protocol is used."
 msgstr "ldap:// または ldaps:// プロトコルが使用されます。"
 
-#: settings/utils/ldap.py:430
+#: settings/utils/ldap.py:478
 msgid "Host or port is disconnected: {}"
 msgstr "ホストまたはポートが切断されました: {}"
 
-#: settings/utils/ldap.py:432
+#: settings/utils/ldap.py:480
 msgid "The port is not the port of the LDAP service: {}"
 msgstr "ポートはLDAPサービスのポートではありません: {}"
 
-#: settings/utils/ldap.py:434
+#: settings/utils/ldap.py:482
 msgid "Please add certificate: {}"
 msgstr "証明書を追加してください: {}"
 
-#: settings/utils/ldap.py:438 settings/utils/ldap.py:465
-#: settings/utils/ldap.py:495 settings/utils/ldap.py:523
+#: settings/utils/ldap.py:486 settings/utils/ldap.py:513
+#: settings/utils/ldap.py:543 settings/utils/ldap.py:571
 msgid "Unknown error: {}"
 msgstr "不明なエラー: {}"
 
-#: settings/utils/ldap.py:452
+#: settings/utils/ldap.py:500
 msgid "Bind DN or Password incorrect"
 msgstr "DNまたはパスワードのバインドが正しくありません"
 
-#: settings/utils/ldap.py:459
+#: settings/utils/ldap.py:507
 msgid "Please enter Bind DN: {}"
 msgstr "バインドDN: {} を入力してください"
 
-#: settings/utils/ldap.py:461
+#: settings/utils/ldap.py:509
 msgid "Please enter Password: {}"
 msgstr "パスワードを入力してください: {}"
 
-#: settings/utils/ldap.py:463
+#: settings/utils/ldap.py:511
 msgid "Please enter correct Bind DN and Password: {}"
 msgstr "正しいバインドDNとパスワードを入力してください: {}"
 
-#: settings/utils/ldap.py:481
+#: settings/utils/ldap.py:529
 msgid "Invalid User OU or User search filter: {}"
 msgstr "無効なユーザー OU またはユーザー検索フィルター: {}"
 
-#: settings/utils/ldap.py:512
+#: settings/utils/ldap.py:560
 msgid "LDAP User attr map not include: {}"
 msgstr "LDAP ユーザーattrマップは含まれません: {}"
 
-#: settings/utils/ldap.py:519
+#: settings/utils/ldap.py:567
 msgid "LDAP User attr map is not dict"
 msgstr "LDAPユーザーattrマップはdictではありません"
 
-#: settings/utils/ldap.py:538
+#: settings/utils/ldap.py:586
 msgid "LDAP authentication is not enabled"
 msgstr "LDAP 認証が有効になっていない"
 
-#: settings/utils/ldap.py:556
+#: settings/utils/ldap.py:604
 msgid "Error (Invalid LDAP server): {}"
 msgstr "エラー (LDAPサーバーが無効): {}"
 
-#: settings/utils/ldap.py:558
+#: settings/utils/ldap.py:606
 msgid "Error (Invalid Bind DN): {}"
 msgstr "エラー (DNのバインドが無効): {}"
 
-#: settings/utils/ldap.py:560
+#: settings/utils/ldap.py:608
 msgid "Error (Invalid LDAP User attr map): {}"
 msgstr "エラー (LDAPユーザーattrマップが無効): {}"
 
-#: settings/utils/ldap.py:562
+#: settings/utils/ldap.py:610
 msgid "Error (Invalid User OU or User search filter): {}"
 msgstr "エラー (ユーザーOUまたはユーザー検索フィルターが無効): {}"
 
-#: settings/utils/ldap.py:564
+#: settings/utils/ldap.py:612
 msgid "Error (Not enabled LDAP authentication): {}"
 msgstr "エラー (LDAP認証が有効化されていません): {}"
 
-#: settings/utils/ldap.py:566
+#: settings/utils/ldap.py:614
 msgid "Error (Unknown): {}"
 msgstr "エラー (不明): {}"
 
-#: settings/utils/ldap.py:569
+#: settings/utils/ldap.py:617
 msgid "Succeed: Match {} s user"
 msgstr "成功: {} 人のユーザーに一致"
 
-#: settings/utils/ldap.py:602
+#: settings/utils/ldap.py:650
 msgid "Authentication failed (configuration incorrect): {}"
 msgstr "認証に失敗しました (設定が正しくありません): {}"
 
-#: settings/utils/ldap.py:604
+#: settings/utils/ldap.py:652
 msgid "Authentication failed (before login check failed): {}"
 msgstr "認証に失敗しました (ログインチェックが失敗する前): {}"
 
-#: settings/utils/ldap.py:606
+#: settings/utils/ldap.py:654
 msgid "Authentication failed (username or password incorrect): {}"
 msgstr "認証に失敗しました (ユーザー名またはパスワードが正しくありません): {}"
 
-#: settings/utils/ldap.py:608
+#: settings/utils/ldap.py:656
 msgid "Authentication failed (Unknown): {}"
 msgstr "認証に失敗しました (不明): {}"
 
-#: settings/utils/ldap.py:611
+#: settings/utils/ldap.py:659
 msgid "Authentication success: {}"
 msgstr "認証成功: {}"
 
@@ -4741,18 +4741,22 @@ msgstr "MariaDB ポート"
 msgid "PostgreSQL Port"
 msgstr "PostgreSQL ポート"
 
-#: terminal/models/endpoint.py:25 terminal/models/endpoint.py:66
-#: terminal/serializers/endpoint.py:40 terminal/serializers/storage.py:37
+#: terminal/models/endpoint.py:20
+msgid "Redis Port"
+msgstr "Redis ポート"
+
+#: terminal/models/endpoint.py:26 terminal/models/endpoint.py:67
+#: terminal/serializers/endpoint.py:41 terminal/serializers/storage.py:37
 #: terminal/serializers/storage.py:49 terminal/serializers/storage.py:79
 #: terminal/serializers/storage.py:89 terminal/serializers/storage.py:97
 msgid "Endpoint"
 msgstr "エンドポイント"
 
-#: terminal/models/endpoint.py:59
+#: terminal/models/endpoint.py:60
 msgid "IP group"
 msgstr "IP グループ"
 
-#: terminal/models/endpoint.py:71
+#: terminal/models/endpoint.py:72
 msgid "Endpoint rule"
 msgstr "エンドポイントルール"
 
diff --git a/apps/locale/zh/LC_MESSAGES/django.po b/apps/locale/zh/LC_MESSAGES/django.po
index 1ad70f740..9f099484e 100644
--- a/apps/locale/zh/LC_MESSAGES/django.po
+++ b/apps/locale/zh/LC_MESSAGES/django.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: JumpServer 0.3.3\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-05-11 10:44+0800\n"
+"POT-Creation-Date: 2022-05-12 14:39+0800\n"
 "PO-Revision-Date: 2021-05-20 10:54+0800\n"
 "Last-Translator: ibuler <ibuler@qq.com>\n"
 "Language-Team: JumpServer team<ibuler@qq.com>\n"
@@ -28,7 +28,7 @@ msgstr "访问控制"
 #: assets/models/group.py:20 assets/models/label.py:18 ops/mixin.py:24
 #: orgs/models.py:65 perms/models/base.py:83 rbac/models/role.py:29
 #: settings/models.py:29 settings/serializers/sms.py:6
-#: terminal/models/endpoint.py:10 terminal/models/endpoint.py:58
+#: terminal/models/endpoint.py:10 terminal/models/endpoint.py:59
 #: terminal/models/storage.py:25 terminal/models/task.py:16
 #: terminal/models/terminal.py:100 users/forms/profile.py:33
 #: users/models/group.py:15 users/models/user.py:661
@@ -37,12 +37,12 @@ msgid "Name"
 msgstr "名称"
 
 #: acls/models/base.py:27 assets/models/cmd_filter.py:84
-#: assets/models/user.py:247 terminal/models/endpoint.py:61
+#: assets/models/user.py:247 terminal/models/endpoint.py:62
 msgid "Priority"
 msgstr "优先级"
 
 #: acls/models/base.py:28 assets/models/cmd_filter.py:84
-#: assets/models/user.py:247 terminal/models/endpoint.py:62
+#: assets/models/user.py:247 terminal/models/endpoint.py:63
 msgid "1-100, the lower the value will be match first"
 msgstr "优先级可选范围为 1-100 (数值越小越优先)"
 
@@ -60,7 +60,7 @@ msgstr "激活中"
 #: assets/models/domain.py:64 assets/models/group.py:23
 #: assets/models/label.py:23 ops/models/adhoc.py:38 orgs/models.py:68
 #: perms/models/base.py:93 rbac/models/role.py:37 settings/models.py:34
-#: terminal/models/endpoint.py:20 terminal/models/endpoint.py:68
+#: terminal/models/endpoint.py:21 terminal/models/endpoint.py:69
 #: terminal/models/storage.py:28 terminal/models/terminal.py:114
 #: tickets/models/comment.py:24 tickets/models/ticket.py:154
 #: users/models/group.py:16 users/models/user.py:698
@@ -180,7 +180,7 @@ msgstr ""
 #: authentication/templates/authentication/_msg_oauth_bind.html:12
 #: authentication/templates/authentication/_msg_rest_password_success.html:8
 #: authentication/templates/authentication/_msg_rest_public_key_success.html:8
-#: settings/serializers/terminal.py:8 terminal/serializers/endpoint.py:37
+#: settings/serializers/terminal.py:8 terminal/serializers/endpoint.py:38
 msgid "IP"
 msgstr "IP"
 
@@ -754,7 +754,7 @@ msgstr "校验日期"
 #: assets/models/base.py:177 audits/signal_handlers.py:48
 #: authentication/forms.py:32
 #: authentication/templates/authentication/login.html:182
-#: settings/serializers/auth/ldap.py:45 users/forms/profile.py:22
+#: settings/serializers/auth/ldap.py:46 users/forms/profile.py:22
 #: users/templates/users/_msg_user_created.html:13
 #: users/templates/users/user_password_verify.html:18
 #: xpack/plugins/change_auth_plan/models/base.py:42
@@ -1100,7 +1100,7 @@ msgid "Actions"
 msgstr "动作"
 
 #: assets/serializers/backup.py:31 ops/mixin.py:106 ops/mixin.py:147
-#: settings/serializers/auth/ldap.py:64
+#: settings/serializers/auth/ldap.py:65
 #: xpack/plugins/change_auth_plan/serializers/base.py:42
 msgid "Periodic perform"
 msgstr "定时执行"
@@ -2696,12 +2696,12 @@ msgid "App ops"
 msgstr "作业中心"
 
 #: ops/mixin.py:29 ops/mixin.py:92 ops/mixin.py:162
-#: settings/serializers/auth/ldap.py:71
+#: settings/serializers/auth/ldap.py:72
 msgid "Cycle perform"
 msgstr "周期执行"
 
 #: ops/mixin.py:33 ops/mixin.py:90 ops/mixin.py:109 ops/mixin.py:150
-#: settings/serializers/auth/ldap.py:68
+#: settings/serializers/auth/ldap.py:69
 msgid "Regularly perform"
 msgstr "定期执行"
 
@@ -2890,7 +2890,7 @@ msgstr "组织管理"
 
 #: orgs/mixins/models.py:46 orgs/mixins/serializers.py:25 orgs/models.py:80
 #: orgs/models.py:211 rbac/const.py:7 rbac/models/rolebinding.py:48
-#: rbac/serializers/rolebinding.py:40 settings/serializers/auth/ldap.py:61
+#: rbac/serializers/rolebinding.py:40 settings/serializers/auth/ldap.py:62
 #: tickets/serializers/ticket/ticket.py:77
 msgid "Organization"
 msgstr "组织"
@@ -3466,40 +3466,40 @@ msgstr "启用钉钉认证"
 msgid "Enable FeiShu Auth"
 msgstr "启用飞书认证"
 
-#: settings/serializers/auth/ldap.py:40
+#: settings/serializers/auth/ldap.py:41
 msgid "LDAP server"
 msgstr "LDAP 地址"
 
-#: settings/serializers/auth/ldap.py:41
+#: settings/serializers/auth/ldap.py:42
 msgid "eg: ldap://localhost:389"
 msgstr "如: ldap://localhost:389"
 
-#: settings/serializers/auth/ldap.py:43
+#: settings/serializers/auth/ldap.py:44
 msgid "Bind DN"
 msgstr "绑定 DN"
 
-#: settings/serializers/auth/ldap.py:48
+#: settings/serializers/auth/ldap.py:49
 msgid "User OU"
 msgstr "用户 OU"
 
-#: settings/serializers/auth/ldap.py:49
+#: settings/serializers/auth/ldap.py:50
 msgid "Use | split multi OUs"
 msgstr "多个 OU 使用 | 分割"
 
-#: settings/serializers/auth/ldap.py:52
+#: settings/serializers/auth/ldap.py:53
 msgid "User search filter"
 msgstr "用户过滤器"
 
-#: settings/serializers/auth/ldap.py:53
+#: settings/serializers/auth/ldap.py:54
 #, python-format
 msgid "Choice may be (cn|uid|sAMAccountName)=%(user)s)"
 msgstr "可能的选项是(cn或uid或sAMAccountName=%(user)s)"
 
-#: settings/serializers/auth/ldap.py:56
+#: settings/serializers/auth/ldap.py:57
 msgid "User attr map"
 msgstr "用户属性映射"
 
-#: settings/serializers/auth/ldap.py:57
+#: settings/serializers/auth/ldap.py:58
 msgid ""
 "User attr map present how to map LDAP user attr to jumpserver, username,name,"
 "email is jumpserver attr"
@@ -3507,15 +3507,15 @@ msgstr ""
 "用户属性映射代表怎样将LDAP中用户属性映射到jumpserver用户上，username, name,"
 "email 是jumpserver的用户需要属性"
 
-#: settings/serializers/auth/ldap.py:75
+#: settings/serializers/auth/ldap.py:76
 msgid "Connect timeout"
 msgstr "连接超时时间"
 
-#: settings/serializers/auth/ldap.py:77
+#: settings/serializers/auth/ldap.py:78
 msgid "Search paged size"
 msgstr "搜索分页数量"
 
-#: settings/serializers/auth/ldap.py:79
+#: settings/serializers/auth/ldap.py:80
 msgid "Enable LDAP auth"
 msgstr "启用 LDAP 认证"
 
@@ -4207,104 +4207,104 @@ msgstr "启用 XRDP 服务"
 msgid "Enable SSH Client"
 msgstr "启用 SSH Client"
 
-#: settings/utils/ldap.py:419
+#: settings/utils/ldap.py:467
 msgid "ldap:// or ldaps:// protocol is used."
 msgstr "使用 ldap:// 或 ldaps:// 协议"
 
-#: settings/utils/ldap.py:430
+#: settings/utils/ldap.py:478
 msgid "Host or port is disconnected: {}"
 msgstr "主机或端口不可连接: {}"
 
-#: settings/utils/ldap.py:432
+#: settings/utils/ldap.py:480
 msgid "The port is not the port of the LDAP service: {}"
 msgstr "端口不是LDAP服务端口: {}"
 
-#: settings/utils/ldap.py:434
+#: settings/utils/ldap.py:482
 msgid "Please add certificate: {}"
 msgstr "请添加证书"
 
-#: settings/utils/ldap.py:438 settings/utils/ldap.py:465
-#: settings/utils/ldap.py:495 settings/utils/ldap.py:523
+#: settings/utils/ldap.py:486 settings/utils/ldap.py:513
+#: settings/utils/ldap.py:543 settings/utils/ldap.py:571
 msgid "Unknown error: {}"
 msgstr "未知错误: {}"
 
-#: settings/utils/ldap.py:452
+#: settings/utils/ldap.py:500
 msgid "Bind DN or Password incorrect"
 msgstr "绑定DN或密码错误"
 
-#: settings/utils/ldap.py:459
+#: settings/utils/ldap.py:507
 msgid "Please enter Bind DN: {}"
 msgstr "请输入绑定DN: {}"
 
-#: settings/utils/ldap.py:461
+#: settings/utils/ldap.py:509
 msgid "Please enter Password: {}"
 msgstr "请输入密码: {}"
 
-#: settings/utils/ldap.py:463
+#: settings/utils/ldap.py:511
 msgid "Please enter correct Bind DN and Password: {}"
 msgstr "请输入正确的绑定DN和密码: {}"
 
-#: settings/utils/ldap.py:481
+#: settings/utils/ldap.py:529
 msgid "Invalid User OU or User search filter: {}"
 msgstr "不合法的用户OU或用户过滤器: {}"
 
-#: settings/utils/ldap.py:512
+#: settings/utils/ldap.py:560
 msgid "LDAP User attr map not include: {}"
 msgstr "LDAP属性映射没有包含: {}"
 
-#: settings/utils/ldap.py:519
+#: settings/utils/ldap.py:567
 msgid "LDAP User attr map is not dict"
 msgstr "LDAP属性映射不合法"
 
-#: settings/utils/ldap.py:538
+#: settings/utils/ldap.py:586
 msgid "LDAP authentication is not enabled"
 msgstr "LDAP认证没有启用"
 
-#: settings/utils/ldap.py:556
+#: settings/utils/ldap.py:604
 msgid "Error (Invalid LDAP server): {}"
 msgstr "错误 （不合法的LDAP服务器地址）: {}"
 
-#: settings/utils/ldap.py:558
+#: settings/utils/ldap.py:606
 msgid "Error (Invalid Bind DN): {}"
 msgstr "错误（不合法的绑定DN）: {}"
 
-#: settings/utils/ldap.py:560
+#: settings/utils/ldap.py:608
 msgid "Error (Invalid LDAP User attr map): {}"
 msgstr "错误（不合法的LDAP属性映射）: {}"
 
-#: settings/utils/ldap.py:562
+#: settings/utils/ldap.py:610
 msgid "Error (Invalid User OU or User search filter): {}"
 msgstr "错误（不合法的用户OU或用户过滤器）: {}"
 
-#: settings/utils/ldap.py:564
+#: settings/utils/ldap.py:612
 msgid "Error (Not enabled LDAP authentication): {}"
 msgstr "错误（没有启用LDAP认证）: {}"
 
-#: settings/utils/ldap.py:566
+#: settings/utils/ldap.py:614
 msgid "Error (Unknown): {}"
 msgstr "错误（未知）: {}"
 
-#: settings/utils/ldap.py:569
+#: settings/utils/ldap.py:617
 msgid "Succeed: Match {} s user"
 msgstr "成功匹配 {} 个用户"
 
-#: settings/utils/ldap.py:602
+#: settings/utils/ldap.py:650
 msgid "Authentication failed (configuration incorrect): {}"
 msgstr "认证失败（配置错误）: {}"
 
-#: settings/utils/ldap.py:604
+#: settings/utils/ldap.py:652
 msgid "Authentication failed (before login check failed): {}"
 msgstr "认证失败（登录前检查失败）: {}"
 
-#: settings/utils/ldap.py:606
+#: settings/utils/ldap.py:654
 msgid "Authentication failed (username or password incorrect): {}"
 msgstr "认证失败 (用户名或密码不正确): {}"
 
-#: settings/utils/ldap.py:608
+#: settings/utils/ldap.py:656
 msgid "Authentication failed (Unknown): {}"
 msgstr "认证失败: (未知): {}"
 
-#: settings/utils/ldap.py:611
+#: settings/utils/ldap.py:659
 msgid "Authentication success: {}"
 msgstr "认证成功: {}"
 
@@ -4669,18 +4669,22 @@ msgstr "MariaDB 端口"
 msgid "PostgreSQL Port"
 msgstr "PostgreSQL 端口"
 
-#: terminal/models/endpoint.py:25 terminal/models/endpoint.py:66
-#: terminal/serializers/endpoint.py:40 terminal/serializers/storage.py:37
+#: terminal/models/endpoint.py:20
+msgid "Redis Port"
+msgstr "Redis 端口"
+
+#: terminal/models/endpoint.py:26 terminal/models/endpoint.py:67
+#: terminal/serializers/endpoint.py:41 terminal/serializers/storage.py:37
 #: terminal/serializers/storage.py:49 terminal/serializers/storage.py:79
 #: terminal/serializers/storage.py:89 terminal/serializers/storage.py:97
 msgid "Endpoint"
 msgstr "端点"
 
-#: terminal/models/endpoint.py:59
+#: terminal/models/endpoint.py:60
 msgid "IP group"
 msgstr "IP 组"
 
-#: terminal/models/endpoint.py:71
+#: terminal/models/endpoint.py:72
 msgid "Endpoint rule"
 msgstr "端点规则"
 
diff --git a/apps/terminal/migrations/0049_endpoint_redis_port.py b/apps/terminal/migrations/0049_endpoint_redis_port.py
new file mode 100644
index 000000000..d1b1b38f1
--- /dev/null
+++ b/apps/terminal/migrations/0049_endpoint_redis_port.py
@@ -0,0 +1,20 @@
+# Generated by Django 3.1.14 on 2022-05-12 06:35
+
+import common.db.fields
+import django.core.validators
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('terminal', '0048_endpoint_endpointrule'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='endpoint',
+            name='redis_port',
+            field=common.db.fields.PortField(default=63790, validators=[django.core.validators.MinValueValidator(0), django.core.validators.MaxValueValidator(65535)], verbose_name='Redis Port'),
+        ),
+    ]
diff --git a/apps/terminal/models/endpoint.py b/apps/terminal/models/endpoint.py
index c95bfb752..ec2f0bef6 100644
--- a/apps/terminal/models/endpoint.py
+++ b/apps/terminal/models/endpoint.py
@@ -17,6 +17,7 @@ class Endpoint(JMSModel):
     mysql_port = PortField(default=33060, verbose_name=_('MySQL Port'))
     mariadb_port = PortField(default=33061, verbose_name=_('MariaDB Port'))
     postgresql_port = PortField(default=54320, verbose_name=_('PostgreSQL Port'))
+    redis_port = PortField(default=63790, verbose_name=_('Redis Port'))
     comment = models.TextField(default='', blank=True, verbose_name=_('Comment'))
 
     default_id = '00000000-0000-0000-0000-000000000001'
diff --git a/apps/terminal/serializers/endpoint.py b/apps/terminal/serializers/endpoint.py
index 822c6b5c2..1c51c1604 100644
--- a/apps/terminal/serializers/endpoint.py
+++ b/apps/terminal/serializers/endpoint.py
@@ -16,7 +16,7 @@ class EndpointSerializer(BulkModelSerializer):
             'host',
             'https_port', 'http_port', 'ssh_port',
             'rdp_port', 'mysql_port', 'mariadb_port',
-            'postgresql_port',
+            'postgresql_port', 'redis_port',
         ]
         fields = fields_mini + fields_small + [
             'comment', 'date_created', 'date_updated', 'created_by'
@@ -29,6 +29,7 @@ class EndpointSerializer(BulkModelSerializer):
             'mysql_port': {'default': 33060},
             'mariadb_port': {'default': 33061},
             'postgresql_port': {'default': 54320},
+            'redis_port': {'default': 63790},
         }
 
 

From 475678e29b0789173de71f8e4ae532a134d6ae97 Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Fri, 13 May 2022 17:10:29 +0800
Subject: [PATCH 099/258] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=E5=AF=86?=
 =?UTF-8?q?=E7=A0=81=20write=20only?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/common/drf/fields.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/apps/common/drf/fields.py b/apps/common/drf/fields.py
index 98919f2df..abddeca01 100644
--- a/apps/common/drf/fields.py
+++ b/apps/common/drf/fields.py
@@ -27,6 +27,10 @@ class ReadableHiddenField(serializers.HiddenField):
 
 
 class EncryptedField(serializers.CharField):
+    def __init__(self, **kwargs):
+        kwargs['write_only'] = True
+        super().__init__(**kwargs)
+
     def to_internal_value(self, value):
         value = super().to_internal_value(value)
         return decrypt_password(value)

From 1e6e59d8152833bd1b77727325458324012bf7da Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Mon, 16 May 2022 10:04:41 +0800
Subject: [PATCH 100/258] =?UTF-8?q?perf:=20=E6=B7=BB=E5=8A=A0=20ipdb?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .gitattributes | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.gitattributes b/.gitattributes
index 35ca802a3..24d9e1cd5 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,2 +1,3 @@
 *.mmdb filter=lfs diff=lfs merge=lfs -text
 *.mo filter=lfs diff=lfs merge=lfs -text
+*.ipdb filter=lfs diff=lfs merge=lfs -text

From 2a8f8dd709f296747bbf9a4aee1e49eece812b88 Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Mon, 16 May 2022 12:18:23 +0800
Subject: [PATCH 101/258] =?UTF-8?q?perf:=20=E4=BC=98=E5=8C=96=E4=BD=BF?=
 =?UTF-8?q?=E7=94=A8=E4=B8=A4=E4=B8=AA=20ip=20=E5=BA=93?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/common/utils/__init__.py                 |  1 -
 apps/common/utils/{geoip => ip}/__init__.py   |  0
 .../utils/{ => ip}/geoip/GeoLite2-City.mmdb   |  0
 apps/common/utils/ip/geoip/__init__.py        |  1 +
 apps/common/utils/{ => ip}/geoip/utils.py     | 20 ++++++++--------
 apps/common/utils/ip/ipip/__init__.py         |  3 +++
 apps/common/utils/ip/ipip/ipipfree.ipdb       |  3 +++
 apps/common/utils/ip/ipip/utils.py            | 23 +++++++++++++++++++
 apps/common/utils/{ip.py => ip/utils.py}      | 18 +++++++++++++++
 9 files changed, 57 insertions(+), 12 deletions(-)
 rename apps/common/utils/{geoip => ip}/__init__.py (100%)
 rename apps/common/utils/{ => ip}/geoip/GeoLite2-City.mmdb (100%)
 create mode 100644 apps/common/utils/ip/geoip/__init__.py
 rename apps/common/utils/{ => ip}/geoip/utils.py (69%)
 create mode 100644 apps/common/utils/ip/ipip/__init__.py
 create mode 100644 apps/common/utils/ip/ipip/ipipfree.ipdb
 create mode 100644 apps/common/utils/ip/ipip/utils.py
 rename apps/common/utils/{ip.py => ip/utils.py} (75%)

diff --git a/apps/common/utils/__init__.py b/apps/common/utils/__init__.py
index d76814506..87d36595b 100644
--- a/apps/common/utils/__init__.py
+++ b/apps/common/utils/__init__.py
@@ -9,4 +9,3 @@ from .crypto import *
 from .random import *
 from .jumpserver import *
 from .ip import *
-from .geoip import *
diff --git a/apps/common/utils/geoip/__init__.py b/apps/common/utils/ip/__init__.py
similarity index 100%
rename from apps/common/utils/geoip/__init__.py
rename to apps/common/utils/ip/__init__.py
diff --git a/apps/common/utils/geoip/GeoLite2-City.mmdb b/apps/common/utils/ip/geoip/GeoLite2-City.mmdb
similarity index 100%
rename from apps/common/utils/geoip/GeoLite2-City.mmdb
rename to apps/common/utils/ip/geoip/GeoLite2-City.mmdb
diff --git a/apps/common/utils/ip/geoip/__init__.py b/apps/common/utils/ip/geoip/__init__.py
new file mode 100644
index 000000000..16281fe0b
--- /dev/null
+++ b/apps/common/utils/ip/geoip/__init__.py
@@ -0,0 +1 @@
+from .utils import *
diff --git a/apps/common/utils/geoip/utils.py b/apps/common/utils/ip/geoip/utils.py
similarity index 69%
rename from apps/common/utils/geoip/utils.py
rename to apps/common/utils/ip/geoip/utils.py
index e80c0b262..5e829f610 100644
--- a/apps/common/utils/geoip/utils.py
+++ b/apps/common/utils/ip/geoip/utils.py
@@ -8,11 +8,11 @@ from geoip2.errors import GeoIP2Error
 from django.utils.translation import ugettext_lazy as _
 from django.conf import settings
 
-__all__ = ['get_ip_city']
+__all__ = ['get_ip_city_by_geoip']
 reader = None
 
 
-def get_ip_city(ip):
+def get_ip_city_by_geoip(ip):
     if not ip or '.' not in ip or not isinstance(ip, str):
         return _("Invalid ip")
     if ':' in ip:
@@ -32,15 +32,13 @@ def get_ip_city(ip):
     try:
         response = reader.city(ip)
     except GeoIP2Error:
-        return _("Unknown ip")
+        return {}
 
-    names = response.city.names
-    if not names:
-        names = response.country.names
+    city_names = response.city.names or {}
+    lang = settings.LANGUAGE_CODE[:2]
+    if lang == 'zh':
+        lang = 'zh-CN'
+    city = city_names.get(lang, _("Unknown"))
+    return city
 
-    if 'en' in settings.LANGUAGE_CODE and 'en' in names:
-        return names['en']
-    elif 'zh-CN' in names:
-        return names['zh-CN']
-    return _("Unknown ip")
 
diff --git a/apps/common/utils/ip/ipip/__init__.py b/apps/common/utils/ip/ipip/__init__.py
new file mode 100644
index 000000000..103b36654
--- /dev/null
+++ b/apps/common/utils/ip/ipip/__init__.py
@@ -0,0 +1,3 @@
+# -*- coding: utf-8 -*-
+#
+from .utils import *
diff --git a/apps/common/utils/ip/ipip/ipipfree.ipdb b/apps/common/utils/ip/ipip/ipipfree.ipdb
new file mode 100644
index 000000000..ddd90522c
--- /dev/null
+++ b/apps/common/utils/ip/ipip/ipipfree.ipdb
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b82b874152c798dda407ffe7544e1f5ec67efa1f5c334efc0d3893b8053b4be1
+size 3649897
diff --git a/apps/common/utils/ip/ipip/utils.py b/apps/common/utils/ip/ipip/utils.py
new file mode 100644
index 000000000..ef97f4794
--- /dev/null
+++ b/apps/common/utils/ip/ipip/utils.py
@@ -0,0 +1,23 @@
+# -*- coding: utf-8 -*-
+#
+import os
+from django.utils.translation import ugettext as _
+
+import ipdb
+
+__all__ = ['get_ip_city_by_ipip']
+ipip_db = None
+
+
+def get_ip_city_by_ipip(ip):
+    global ipip_db
+    if not ip or not isinstance(ip, str):
+        return _("Invalid ip")
+    if ':' in ip:
+        return 'IPv6'
+    if ipip_db is None:
+        ipip_db_path = os.path.join(os.path.dirname(__file__), 'ipipfree.ipdb')
+        ipip_db = ipdb.City(ipip_db_path)
+
+    info = ipip_db.find_info(ip, 'CN')
+    return {'city': info.city_name, 'country': info.country_name}
diff --git a/apps/common/utils/ip.py b/apps/common/utils/ip/utils.py
similarity index 75%
rename from apps/common/utils/ip.py
rename to apps/common/utils/ip/utils.py
index 0000a5da7..e75ecb85c 100644
--- a/apps/common/utils/ip.py
+++ b/apps/common/utils/ip/utils.py
@@ -1,4 +1,9 @@
 from ipaddress import ip_network, ip_address
+from django.conf import settings
+from django.utils.translation import gettext_lazy as _
+
+from .ipip import get_ip_city_by_ipip
+from .geoip import get_ip_city_by_geoip
 
 
 def is_ip_address(address):
@@ -66,3 +71,16 @@ def contains_ip(ip, ip_group):
                 return True
 
     return False
+
+
+def get_ip_city(ip):
+    info = get_ip_city_by_ipip(ip)
+    city = info.get('city', _("Unknown"))
+    country = info.get('country')
+
+    # 国内城市 并且 语言是中文就使用国内
+    is_zh = settings.LANGUAGE_CODE.startswith('zh')
+    if country == '中国' and is_zh:
+        return city
+    else:
+        return get_ip_city_by_geoip(ip)

From 525538e775295126de982c92d0169067654890c0 Mon Sep 17 00:00:00 2001
From: feng626 <1304903146@qq.com>
Date: Mon, 16 May 2022 17:28:02 +0800
Subject: [PATCH 102/258] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=E5=AF=86?=
 =?UTF-8?q?=E7=A0=81=E5=AF=86=E9=92=A5=E7=BF=BB=E8=AF=91=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/assets/serializers/base.py | 8 ++++++--
 apps/users/serializers/user.py  | 4 +++-
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/apps/assets/serializers/base.py b/apps/assets/serializers/base.py
index 7c8760562..841ebeaae 100644
--- a/apps/assets/serializers/base.py
+++ b/apps/assets/serializers/base.py
@@ -32,8 +32,12 @@ class AuthSerializer(serializers.ModelSerializer):
 
 
 class AuthSerializerMixin(serializers.ModelSerializer):
-    password = EncryptedField(required=False, allow_blank=True, allow_null=True, max_length=1024)
-    private_key = EncryptedField(required=False, allow_blank=True, allow_null=True, max_length=4096)
+    password = EncryptedField(
+        label=_('Password'), required=False, allow_blank=True, allow_null=True, max_length=1024
+    )
+    private_key = EncryptedField(
+        label=_('SSH private key'), required=False, allow_blank=True, allow_null=True, max_length=4096
+    )
     passphrase = serializers.CharField(
         allow_blank=True, allow_null=True, required=False, max_length=512,
         write_only=True, label=_('Key password')
diff --git a/apps/users/serializers/user.py b/apps/users/serializers/user.py
index b1a9cf1d4..98abb47a6 100644
--- a/apps/users/serializers/user.py
+++ b/apps/users/serializers/user.py
@@ -88,7 +88,9 @@ class UserSerializer(RolesSerializerMixin, CommonBulkSerializerMixin, serializer
     can_public_key_auth = serializers.ReadOnlyField(
         source='can_use_ssh_key_login', label=_('Can public key authentication')
     )
-    password = EncryptedField(required=False, allow_blank=True, allow_null=True, max_length=1024)
+    password = EncryptedField(
+        label=_('Password'), required=False, allow_blank=True, allow_null=True, max_length=1024
+    )
     # Todo: 这里看看该怎么搞
     # can_update = serializers.SerializerMethodField(label=_('Can update'))
     # can_delete = serializers.SerializerMethodField(label=_('Can delete'))

From 3b253e276cb92bbf846fca80637527bf0713c772 Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Mon, 16 May 2022 17:50:28 +0800
Subject: [PATCH 103/258] =?UTF-8?q?perf:=20=E4=BC=98=E5=8C=96=E7=BF=BB?=
 =?UTF-8?q?=E8=AF=91=20(#8244)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: ibuler <ibuler@qq.com>
Co-authored-by: Jiangjie.Bai <32935519+BaiJiangJie@users.noreply.github.com>
---
 apps/assets/serializers/base.py        | 4 ++--
 apps/settings/serializers/auth/ldap.py | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/apps/assets/serializers/base.py b/apps/assets/serializers/base.py
index 841ebeaae..c20b1abb8 100644
--- a/apps/assets/serializers/base.py
+++ b/apps/assets/serializers/base.py
@@ -11,8 +11,8 @@ from assets.models import Type
 
 
 class AuthSerializer(serializers.ModelSerializer):
-    password = EncryptedField(required=False, allow_blank=True, allow_null=True, max_length=1024)
-    private_key = EncryptedField(required=False, allow_blank=True, allow_null=True, max_length=4096)
+    password = EncryptedField(required=False, allow_blank=True, allow_null=True, max_length=1024, label=_('Password'))
+    private_key = EncryptedField(required=False, allow_blank=True, allow_null=True, max_length=4096, label=_('Private key'))
 
     def gen_keys(self, private_key=None, password=None):
         if private_key is None:
diff --git a/apps/settings/serializers/auth/ldap.py b/apps/settings/serializers/auth/ldap.py
index 2278925c1..2f2d710c9 100644
--- a/apps/settings/serializers/auth/ldap.py
+++ b/apps/settings/serializers/auth/ldap.py
@@ -22,7 +22,7 @@ class LDAPTestConfigSerializer(serializers.Serializer):
 
 class LDAPTestLoginSerializer(serializers.Serializer):
     username = serializers.CharField(max_length=1024, required=True)
-    password = EncryptedField(max_length=2014, required=True)
+    password = EncryptedField(max_length=2014, required=True, label=_("Password"))
 
 
 class LDAPUserSerializer(serializers.Serializer):

From d87dc7cbd648ccff50f1d6c601b172a119b26aab Mon Sep 17 00:00:00 2001
From: feng626 <1304903146@qq.com>
Date: Mon, 16 May 2022 16:47:02 +0800
Subject: [PATCH 104/258] fix: import ipdb

---
 requirements/requirements.txt | 1 +
 1 file changed, 1 insertion(+)

diff --git a/requirements/requirements.txt b/requirements/requirements.txt
index 24aa5cf6a..ce530e0de 100644
--- a/requirements/requirements.txt
+++ b/requirements/requirements.txt
@@ -131,3 +131,4 @@ pandas==1.3.5
 pyjwkest==1.4.2
 jsonfield2==4.0.0.post0
 bce-python-sdk==0.8.64
+ipdb==0.13.9

From 2a5497de14f87a5b2f2a8f004b1fc28afe3fc4fb Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Mon, 16 May 2022 17:44:45 +0800
Subject: [PATCH 105/258] =?UTF-8?q?fix:=20=E4=BF=AE=E6=94=B9=E5=B7=A5?=
 =?UTF-8?q?=E5=8D=95=E5=AE=A1=E6=89=B9=E6=96=87=E6=A1=88?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/locale/ja/LC_MESSAGES/django.mo          |   4 +-
 apps/locale/ja/LC_MESSAGES/django.po          | 144 +++++++++---------
 apps/locale/zh/LC_MESSAGES/django.mo          |   4 +-
 apps/locale/zh/LC_MESSAGES/django.po          | 144 +++++++++---------
 .../tickets/approve_check_password.html       |   4 +-
 5 files changed, 148 insertions(+), 152 deletions(-)

diff --git a/apps/locale/ja/LC_MESSAGES/django.mo b/apps/locale/ja/LC_MESSAGES/django.mo
index eba651a80..c78d49bb5 100644
--- a/apps/locale/ja/LC_MESSAGES/django.mo
+++ b/apps/locale/ja/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:90a70c14fd3b546cb1ef6a96da4cd7a2acde947128bbb773527ed1845510511c
-size 127420
+oid sha256:01a52223f421d736b00a600f623d28ac4a43e97a30f5e9cbebc3e6d18ed4527e
+size 127324
diff --git a/apps/locale/ja/LC_MESSAGES/django.po b/apps/locale/ja/LC_MESSAGES/django.po
index a8145faa8..287e88567 100644
--- a/apps/locale/ja/LC_MESSAGES/django.po
+++ b/apps/locale/ja/LC_MESSAGES/django.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-05-12 14:39+0800\n"
+"POT-Creation-Date: 2022-05-16 17:43+0800\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -33,7 +33,7 @@ msgstr "Acls"
 #: terminal/models/storage.py:25 terminal/models/task.py:16
 #: terminal/models/terminal.py:100 users/forms/profile.py:33
 #: users/models/group.py:15 users/models/user.py:661
-#: xpack/plugins/cloud/models.py:27
+#: xpack/plugins/cloud/models.py:28
 msgid "Name"
 msgstr "名前"
 
@@ -66,12 +66,13 @@ msgstr "アクティブ"
 #: tickets/models/comment.py:24 tickets/models/ticket.py:154
 #: users/models/group.py:16 users/models/user.py:698
 #: xpack/plugins/change_auth_plan/models/base.py:44
-#: xpack/plugins/cloud/models.py:34 xpack/plugins/cloud/models.py:115
+#: xpack/plugins/cloud/models.py:35 xpack/plugins/cloud/models.py:116
 #: xpack/plugins/gathered_user/models.py:26
 msgid "Comment"
 msgstr "コメント"
 
 #: acls/models/login_acl.py:18 tickets/const.py:38
+#: tickets/templates/tickets/approve_check_password.html:39
 msgid "Reject"
 msgstr "拒否"
 
@@ -134,7 +135,7 @@ msgstr "システムユーザー"
 #: terminal/notifications.py:90
 #: xpack/plugins/change_auth_plan/models/asset.py:199
 #: xpack/plugins/change_auth_plan/serializers/asset.py:180
-#: xpack/plugins/cloud/models.py:222
+#: xpack/plugins/cloud/models.py:223
 msgid "Asset"
 msgstr "資産"
 
@@ -318,7 +319,7 @@ msgstr "タイプ"
 msgid "Domain"
 msgstr "ドメイン"
 
-#: applications/models/application.py:228 xpack/plugins/cloud/models.py:32
+#: applications/models/application.py:228 xpack/plugins/cloud/models.py:33
 #: xpack/plugins/cloud/serializers/account.py:59
 msgid "Attrs"
 msgstr "ツールバーの"
@@ -357,7 +358,7 @@ msgstr "タイプ表示"
 #: common/mixins/models.py:50 ops/models/adhoc.py:39 ops/models/command.py:30
 #: orgs/models.py:67 orgs/models.py:217 perms/models/base.py:92
 #: users/models/group.py:18 users/models/user.py:915
-#: xpack/plugins/cloud/models.py:124
+#: xpack/plugins/cloud/models.py:125
 msgid "Date created"
 msgstr "作成された日付"
 
@@ -572,7 +573,7 @@ msgstr "ホスト名生"
 
 #: assets/models/asset.py:215 assets/serializers/account.py:16
 #: assets/serializers/asset.py:65 perms/serializers/asset/user_permission.py:41
-#: xpack/plugins/cloud/models.py:106 xpack/plugins/cloud/serializers/task.py:42
+#: xpack/plugins/cloud/models.py:107 xpack/plugins/cloud/serializers/task.py:42
 msgid "Protocols"
 msgstr "プロトコル"
 
@@ -612,7 +613,7 @@ msgstr "ラベル"
 #: orgs/models.py:219 perms/models/base.py:91 users/models/user.py:706
 #: users/serializers/group.py:33
 #: xpack/plugins/change_auth_plan/models/base.py:48
-#: xpack/plugins/cloud/models.py:121 xpack/plugins/gathered_user/models.py:30
+#: xpack/plugins/cloud/models.py:122 xpack/plugins/gathered_user/models.py:30
 msgid "Created by"
 msgstr "によって作成された"
 
@@ -716,7 +717,7 @@ msgstr "トリガーモード"
 #: xpack/plugins/change_auth_plan/models/base.py:201
 #: xpack/plugins/change_auth_plan/serializers/app.py:66
 #: xpack/plugins/change_auth_plan/serializers/asset.py:179
-#: xpack/plugins/cloud/models.py:178
+#: xpack/plugins/cloud/models.py:179
 msgid "Reason"
 msgstr "理由"
 
@@ -734,6 +735,7 @@ msgid "Account backup execution"
 msgstr "アカウントバックアップの実行"
 
 #: assets/models/base.py:30 assets/tasks/const.py:51 audits/const.py:5
+#: common/utils/ip/geoip/utils.py:41 common/utils/ip/utils.py:78
 msgid "Unknown"
 msgstr "不明"
 
@@ -954,7 +956,7 @@ msgid "Parent key"
 msgstr "親キー"
 
 #: assets/models/node.py:559 assets/serializers/system_user.py:263
-#: xpack/plugins/cloud/models.py:95 xpack/plugins/cloud/serializers/task.py:69
+#: xpack/plugins/cloud/models.py:96 xpack/plugins/cloud/serializers/task.py:69
 msgid "Node"
 msgstr "ノード"
 
@@ -1491,8 +1493,8 @@ msgid "MFA"
 msgstr "MFA"
 
 #: audits/models.py:128 terminal/models/status.py:33
-#: tickets/models/ticket.py:140 xpack/plugins/cloud/models.py:174
-#: xpack/plugins/cloud/models.py:226
+#: tickets/models/ticket.py:140 xpack/plugins/cloud/models.py:175
+#: xpack/plugins/cloud/models.py:227
 msgid "Status"
 msgstr "ステータス"
 
@@ -1529,7 +1531,7 @@ msgid "Hosts display"
 msgstr "ホスト表示"
 
 #: audits/serializers.py:96 ops/models/command.py:27
-#: xpack/plugins/cloud/models.py:172
+#: xpack/plugins/cloud/models.py:173
 msgid "Result"
 msgstr "結果"
 
@@ -2100,7 +2102,7 @@ msgstr "バインディングリマインダー"
 #: perms/serializers/application/permission.py:20
 #: perms/serializers/application/permission.py:41
 #: perms/serializers/asset/permission.py:19
-#: perms/serializers/asset/permission.py:45 users/serializers/user.py:141
+#: perms/serializers/asset/permission.py:45 users/serializers/user.py:143
 msgid "Is valid"
 msgstr "有効です"
 
@@ -2637,18 +2639,15 @@ msgstr "確認コードが正しくありません"
 msgid "Please wait {} seconds before sending"
 msgstr "{} 秒待ってから送信してください"
 
-#: common/utils/geoip/utils.py:17 common/utils/geoip/utils.py:30
+#: common/utils/ip/geoip/utils.py:17 common/utils/ip/geoip/utils.py:30
+#: common/utils/ip/ipip/utils.py:15
 msgid "Invalid ip"
 msgstr "無効なIP"
 
-#: common/utils/geoip/utils.py:28
+#: common/utils/ip/geoip/utils.py:28
 msgid "LAN"
 msgstr "LAN"
 
-#: common/utils/geoip/utils.py:35 common/utils/geoip/utils.py:45
-msgid "Unknown ip"
-msgstr "不明なip"
-
 #: common/validators.py:32
 msgid "This field must be unique."
 msgstr "このフィールドは一意である必要があります。"
@@ -3063,8 +3062,8 @@ msgstr "Organization {} のアプリケーション権限"
 #: perms/serializers/application/permission.py:21
 #: perms/serializers/application/permission.py:40
 #: perms/serializers/asset/permission.py:20
-#: perms/serializers/asset/permission.py:44 users/serializers/user.py:86
-#: users/serializers/user.py:143
+#: perms/serializers/asset/permission.py:44 users/serializers/user.py:87
+#: users/serializers/user.py:145
 msgid "Is expired"
 msgstr "期限切れです"
 
@@ -4977,7 +4976,7 @@ msgstr "バケット"
 msgid "Secret key"
 msgstr "秘密キー"
 
-#: terminal/serializers/storage.py:64 xpack/plugins/cloud/models.py:219
+#: terminal/serializers/storage.py:64 xpack/plugins/cloud/models.py:220
 msgid "Region"
 msgstr "リージョン"
 
@@ -5492,12 +5491,8 @@ msgid "Ticket approval"
 msgstr "作業指示の承認"
 
 #: tickets/templates/tickets/approve_check_password.html:35
-msgid "Ticket direct approval"
-msgstr "作業指示の直接承認"
-
-#: tickets/templates/tickets/approve_check_password.html:39
-msgid "Ticket direct reject"
-msgstr "作業指示の直接却下"
+msgid "Approval"
+msgstr "承認"
 
 #: tickets/templates/tickets/approve_check_password.html:44
 msgid "Go Login"
@@ -5645,7 +5640,7 @@ msgstr "強制有効"
 msgid "Local"
 msgstr "ローカル"
 
-#: users/models/user.py:673 users/serializers/user.py:142
+#: users/models/user.py:673 users/serializers/user.py:144
 msgid "Is service account"
 msgstr "サービスアカウントです"
 
@@ -5744,101 +5739,101 @@ msgstr "新しいパスワードを最後の {} 個のパスワードにする
 msgid "The newly set password is inconsistent"
 msgstr "新しく設定されたパスワードが一致しない"
 
-#: users/serializers/profile.py:147 users/serializers/user.py:140
+#: users/serializers/profile.py:147 users/serializers/user.py:142
 msgid "Is first login"
 msgstr "最初のログインです"
 
-#: users/serializers/user.py:25 users/serializers/user.py:32
+#: users/serializers/user.py:26 users/serializers/user.py:33
 msgid "System roles"
 msgstr "システムの役割"
 
-#: users/serializers/user.py:30 users/serializers/user.py:33
+#: users/serializers/user.py:31 users/serializers/user.py:34
 msgid "Org roles"
 msgstr "組織ロール"
 
-#: users/serializers/user.py:78
+#: users/serializers/user.py:79
 #: xpack/plugins/change_auth_plan/models/base.py:35
 #: xpack/plugins/change_auth_plan/serializers/base.py:22
 msgid "Password strategy"
 msgstr "パスワード戦略"
 
-#: users/serializers/user.py:80
+#: users/serializers/user.py:81
 msgid "MFA enabled"
 msgstr "MFA有効化"
 
-#: users/serializers/user.py:81
+#: users/serializers/user.py:82
 msgid "MFA force enabled"
 msgstr "MFAフォース有効化"
 
-#: users/serializers/user.py:83
+#: users/serializers/user.py:84
 msgid "MFA level display"
 msgstr "MFAレベル表示"
 
-#: users/serializers/user.py:85
+#: users/serializers/user.py:86
 msgid "Login blocked"
 msgstr "ログインブロック"
 
-#: users/serializers/user.py:88
+#: users/serializers/user.py:89
 msgid "Can public key authentication"
 msgstr "公開鍵認証が可能"
 
-#: users/serializers/user.py:144
+#: users/serializers/user.py:146
 msgid "Avatar url"
 msgstr "アバターURL"
 
-#: users/serializers/user.py:146
+#: users/serializers/user.py:148
 msgid "Groups name"
 msgstr "グループ名"
 
-#: users/serializers/user.py:147
+#: users/serializers/user.py:149
 msgid "Source name"
 msgstr "ソース名"
 
-#: users/serializers/user.py:148
+#: users/serializers/user.py:150
 msgid "Organization role name"
 msgstr "組織の役割名"
 
-#: users/serializers/user.py:149
+#: users/serializers/user.py:151
 msgid "Super role name"
 msgstr "スーパーロール名"
 
-#: users/serializers/user.py:150
+#: users/serializers/user.py:152
 msgid "Total role name"
 msgstr "合計ロール名"
 
-#: users/serializers/user.py:152
+#: users/serializers/user.py:154
 msgid "Is wecom bound"
 msgstr "企業の微信をバインドしているかどうか"
 
-#: users/serializers/user.py:153
+#: users/serializers/user.py:155
 msgid "Is dingtalk bound"
 msgstr "ピンをバインドしているかどうか"
 
-#: users/serializers/user.py:154
+#: users/serializers/user.py:156
 msgid "Is feishu bound"
 msgstr "飛本を縛ったかどうか"
 
-#: users/serializers/user.py:155
+#: users/serializers/user.py:157
 msgid "Is OTP bound"
 msgstr "仮想MFAがバインドされているか"
 
-#: users/serializers/user.py:157
+#: users/serializers/user.py:159
 msgid "System role name"
 msgstr "システムロール名"
 
-#: users/serializers/user.py:197
+#: users/serializers/user.py:199
 msgid "User cannot self-update fields: {}"
 msgstr "ユーザーは自分のフィールドを更新できません: {}"
 
-#: users/serializers/user.py:254
+#: users/serializers/user.py:256
 msgid "Select users"
 msgstr "ユーザーの選択"
 
-#: users/serializers/user.py:255
+#: users/serializers/user.py:257
 msgid "For security, only list several users"
 msgstr "セキュリティのために、複数のユーザーのみをリストします"
 
-#: users/serializers/user.py:290
+#: users/serializers/user.py:292
 msgid "name not unique"
 msgstr "名前が一意ではない"
 
@@ -6371,79 +6366,79 @@ msgstr "リリース済み"
 msgid "Cloud center"
 msgstr "クラウドセンター"
 
-#: xpack/plugins/cloud/models.py:29
+#: xpack/plugins/cloud/models.py:30
 msgid "Provider"
 msgstr "プロバイダー"
 
-#: xpack/plugins/cloud/models.py:33
+#: xpack/plugins/cloud/models.py:34
 msgid "Validity"
 msgstr "有効性"
 
-#: xpack/plugins/cloud/models.py:38
+#: xpack/plugins/cloud/models.py:39
 msgid "Cloud account"
 msgstr "クラウドアカウント"
 
-#: xpack/plugins/cloud/models.py:40
+#: xpack/plugins/cloud/models.py:41
 msgid "Test cloud account"
 msgstr "クラウドアカウントのテスト"
 
-#: xpack/plugins/cloud/models.py:84 xpack/plugins/cloud/serializers/task.py:66
+#: xpack/plugins/cloud/models.py:85 xpack/plugins/cloud/serializers/task.py:66
 msgid "Account"
 msgstr "アカウント"
 
-#: xpack/plugins/cloud/models.py:87 xpack/plugins/cloud/serializers/task.py:37
+#: xpack/plugins/cloud/models.py:88 xpack/plugins/cloud/serializers/task.py:37
 msgid "Regions"
 msgstr "リージョン"
 
-#: xpack/plugins/cloud/models.py:90
+#: xpack/plugins/cloud/models.py:91
 msgid "Hostname strategy"
 msgstr "ホスト名戦略"
 
-#: xpack/plugins/cloud/models.py:99 xpack/plugins/cloud/serializers/task.py:67
+#: xpack/plugins/cloud/models.py:100 xpack/plugins/cloud/serializers/task.py:67
 msgid "Unix admin user"
 msgstr "Unix adminユーザー"
 
-#: xpack/plugins/cloud/models.py:103 xpack/plugins/cloud/serializers/task.py:68
+#: xpack/plugins/cloud/models.py:104 xpack/plugins/cloud/serializers/task.py:68
 msgid "Windows admin user"
 msgstr "Windows管理者"
 
-#: xpack/plugins/cloud/models.py:109 xpack/plugins/cloud/serializers/task.py:45
+#: xpack/plugins/cloud/models.py:110 xpack/plugins/cloud/serializers/task.py:45
 msgid "IP network segment group"
 msgstr "IPネットワークセグメントグループ"
 
-#: xpack/plugins/cloud/models.py:112 xpack/plugins/cloud/serializers/task.py:71
+#: xpack/plugins/cloud/models.py:113 xpack/plugins/cloud/serializers/task.py:71
 msgid "Always update"
 msgstr "常に更新"
 
-#: xpack/plugins/cloud/models.py:118
+#: xpack/plugins/cloud/models.py:119
 msgid "Date last sync"
 msgstr "最終同期日"
 
-#: xpack/plugins/cloud/models.py:129 xpack/plugins/cloud/models.py:170
+#: xpack/plugins/cloud/models.py:130 xpack/plugins/cloud/models.py:171
 msgid "Sync instance task"
 msgstr "インスタンスの同期タスク"
 
-#: xpack/plugins/cloud/models.py:181 xpack/plugins/cloud/models.py:229
+#: xpack/plugins/cloud/models.py:182 xpack/plugins/cloud/models.py:230
 msgid "Date sync"
 msgstr "日付の同期"
 
-#: xpack/plugins/cloud/models.py:185
+#: xpack/plugins/cloud/models.py:186
 msgid "Sync instance task execution"
 msgstr "インスタンスタスクの同期実行"
 
-#: xpack/plugins/cloud/models.py:209
+#: xpack/plugins/cloud/models.py:210
 msgid "Sync task"
 msgstr "同期タスク"
 
-#: xpack/plugins/cloud/models.py:213
+#: xpack/plugins/cloud/models.py:214
 msgid "Sync instance task history"
 msgstr "インスタンスタスク履歴の同期"
 
-#: xpack/plugins/cloud/models.py:216
+#: xpack/plugins/cloud/models.py:217
 msgid "Instance"
 msgstr "インスタンス"
 
-#: xpack/plugins/cloud/models.py:233
+#: xpack/plugins/cloud/models.py:234
 msgid "Sync instance detail"
 msgstr "同期インスタンスの詳細"
 
@@ -6805,6 +6800,9 @@ msgstr "究極のエディション"
 msgid "Community edition"
 msgstr "コミュニティ版"
 
+#~ msgid "Unknown ip"
+#~ msgstr "不明なip"
+
 #~ msgid ""
 #~ "Windows needs to download the client to connect SSH assets, and the MacOS "
 #~ "system uses its own terminal"
diff --git a/apps/locale/zh/LC_MESSAGES/django.mo b/apps/locale/zh/LC_MESSAGES/django.mo
index 5d4b3e1b9..3a91677a1 100644
--- a/apps/locale/zh/LC_MESSAGES/django.mo
+++ b/apps/locale/zh/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:f181a41eb4dd8a30a576f7903e5c9f519da2042e5e095ac27146d7b4002ba3df
-size 105303
+oid sha256:e4a00b4e1a3bc944c968987fd3c65798fb39fa552e91457693ec8fcb597820f0
+size 105225
diff --git a/apps/locale/zh/LC_MESSAGES/django.po b/apps/locale/zh/LC_MESSAGES/django.po
index 9f099484e..feda0fbe7 100644
--- a/apps/locale/zh/LC_MESSAGES/django.po
+++ b/apps/locale/zh/LC_MESSAGES/django.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: JumpServer 0.3.3\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-05-12 14:39+0800\n"
+"POT-Creation-Date: 2022-05-16 17:43+0800\n"
 "PO-Revision-Date: 2021-05-20 10:54+0800\n"
 "Last-Translator: ibuler <ibuler@qq.com>\n"
 "Language-Team: JumpServer team<ibuler@qq.com>\n"
@@ -32,7 +32,7 @@ msgstr "访问控制"
 #: terminal/models/storage.py:25 terminal/models/task.py:16
 #: terminal/models/terminal.py:100 users/forms/profile.py:33
 #: users/models/group.py:15 users/models/user.py:661
-#: xpack/plugins/cloud/models.py:27
+#: xpack/plugins/cloud/models.py:28
 msgid "Name"
 msgstr "名称"
 
@@ -65,12 +65,13 @@ msgstr "激活中"
 #: tickets/models/comment.py:24 tickets/models/ticket.py:154
 #: users/models/group.py:16 users/models/user.py:698
 #: xpack/plugins/change_auth_plan/models/base.py:44
-#: xpack/plugins/cloud/models.py:34 xpack/plugins/cloud/models.py:115
+#: xpack/plugins/cloud/models.py:35 xpack/plugins/cloud/models.py:116
 #: xpack/plugins/gathered_user/models.py:26
 msgid "Comment"
 msgstr "备注"
 
 #: acls/models/login_acl.py:18 tickets/const.py:38
+#: tickets/templates/tickets/approve_check_password.html:39
 msgid "Reject"
 msgstr "拒绝"
 
@@ -133,7 +134,7 @@ msgstr "系统用户"
 #: terminal/notifications.py:90
 #: xpack/plugins/change_auth_plan/models/asset.py:199
 #: xpack/plugins/change_auth_plan/serializers/asset.py:180
-#: xpack/plugins/cloud/models.py:222
+#: xpack/plugins/cloud/models.py:223
 msgid "Asset"
 msgstr "资产"
 
@@ -313,7 +314,7 @@ msgstr "类型"
 msgid "Domain"
 msgstr "网域"
 
-#: applications/models/application.py:228 xpack/plugins/cloud/models.py:32
+#: applications/models/application.py:228 xpack/plugins/cloud/models.py:33
 #: xpack/plugins/cloud/serializers/account.py:59
 msgid "Attrs"
 msgstr "属性"
@@ -352,7 +353,7 @@ msgstr "类型名称"
 #: common/mixins/models.py:50 ops/models/adhoc.py:39 ops/models/command.py:30
 #: orgs/models.py:67 orgs/models.py:217 perms/models/base.py:92
 #: users/models/group.py:18 users/models/user.py:915
-#: xpack/plugins/cloud/models.py:124
+#: xpack/plugins/cloud/models.py:125
 msgid "Date created"
 msgstr "创建日期"
 
@@ -567,7 +568,7 @@ msgstr "主机名原始"
 
 #: assets/models/asset.py:215 assets/serializers/account.py:16
 #: assets/serializers/asset.py:65 perms/serializers/asset/user_permission.py:41
-#: xpack/plugins/cloud/models.py:106 xpack/plugins/cloud/serializers/task.py:42
+#: xpack/plugins/cloud/models.py:107 xpack/plugins/cloud/serializers/task.py:42
 msgid "Protocols"
 msgstr "协议组"
 
@@ -607,7 +608,7 @@ msgstr "标签管理"
 #: orgs/models.py:219 perms/models/base.py:91 users/models/user.py:706
 #: users/serializers/group.py:33
 #: xpack/plugins/change_auth_plan/models/base.py:48
-#: xpack/plugins/cloud/models.py:121 xpack/plugins/gathered_user/models.py:30
+#: xpack/plugins/cloud/models.py:122 xpack/plugins/gathered_user/models.py:30
 msgid "Created by"
 msgstr "创建者"
 
@@ -711,7 +712,7 @@ msgstr "触发模式"
 #: xpack/plugins/change_auth_plan/models/base.py:201
 #: xpack/plugins/change_auth_plan/serializers/app.py:66
 #: xpack/plugins/change_auth_plan/serializers/asset.py:179
-#: xpack/plugins/cloud/models.py:178
+#: xpack/plugins/cloud/models.py:179
 msgid "Reason"
 msgstr "原因"
 
@@ -729,6 +730,7 @@ msgid "Account backup execution"
 msgstr "账号备份执行"
 
 #: assets/models/base.py:30 assets/tasks/const.py:51 audits/const.py:5
+#: common/utils/ip/geoip/utils.py:41 common/utils/ip/utils.py:78
 msgid "Unknown"
 msgstr "未知"
 
@@ -949,7 +951,7 @@ msgid "Parent key"
 msgstr "ssh私钥"
 
 #: assets/models/node.py:559 assets/serializers/system_user.py:263
-#: xpack/plugins/cloud/models.py:95 xpack/plugins/cloud/serializers/task.py:69
+#: xpack/plugins/cloud/models.py:96 xpack/plugins/cloud/serializers/task.py:69
 msgid "Node"
 msgstr "节点"
 
@@ -1479,8 +1481,8 @@ msgid "MFA"
 msgstr "MFA"
 
 #: audits/models.py:128 terminal/models/status.py:33
-#: tickets/models/ticket.py:140 xpack/plugins/cloud/models.py:174
-#: xpack/plugins/cloud/models.py:226
+#: tickets/models/ticket.py:140 xpack/plugins/cloud/models.py:175
+#: xpack/plugins/cloud/models.py:227
 msgid "Status"
 msgstr "状态"
 
@@ -1517,7 +1519,7 @@ msgid "Hosts display"
 msgstr "主机名称"
 
 #: audits/serializers.py:96 ops/models/command.py:27
-#: xpack/plugins/cloud/models.py:172
+#: xpack/plugins/cloud/models.py:173
 msgid "Result"
 msgstr "结果"
 
@@ -2079,7 +2081,7 @@ msgstr "绑定提醒"
 #: perms/serializers/application/permission.py:20
 #: perms/serializers/application/permission.py:41
 #: perms/serializers/asset/permission.py:19
-#: perms/serializers/asset/permission.py:45 users/serializers/user.py:141
+#: perms/serializers/asset/permission.py:45 users/serializers/user.py:143
 msgid "Is valid"
 msgstr "账号是否有效"
 
@@ -2607,18 +2609,15 @@ msgstr "验证码错误"
 msgid "Please wait {} seconds before sending"
 msgstr "请在 {} 秒后发送"
 
-#: common/utils/geoip/utils.py:17 common/utils/geoip/utils.py:30
+#: common/utils/ip/geoip/utils.py:17 common/utils/ip/geoip/utils.py:30
+#: common/utils/ip/ipip/utils.py:15
 msgid "Invalid ip"
 msgstr "无效IP"
 
-#: common/utils/geoip/utils.py:28
+#: common/utils/ip/geoip/utils.py:28
 msgid "LAN"
 msgstr "LAN"
 
-#: common/utils/geoip/utils.py:35 common/utils/geoip/utils.py:45
-msgid "Unknown ip"
-msgstr "未知ip"
-
 #: common/validators.py:32
 msgid "This field must be unique."
 msgstr "字段必须唯一"
@@ -3027,8 +3026,8 @@ msgstr "组织 ({}) 的应用授权"
 #: perms/serializers/application/permission.py:21
 #: perms/serializers/application/permission.py:40
 #: perms/serializers/asset/permission.py:20
-#: perms/serializers/asset/permission.py:44 users/serializers/user.py:86
-#: users/serializers/user.py:143
+#: perms/serializers/asset/permission.py:44 users/serializers/user.py:87
+#: users/serializers/user.py:145
 msgid "Is expired"
 msgstr "已过期"
 
@@ -4905,7 +4904,7 @@ msgstr "桶名称"
 msgid "Secret key"
 msgstr "密钥"
 
-#: terminal/serializers/storage.py:64 xpack/plugins/cloud/models.py:219
+#: terminal/serializers/storage.py:64 xpack/plugins/cloud/models.py:220
 msgid "Region"
 msgstr "地域"
 
@@ -5416,12 +5415,8 @@ msgid "Ticket approval"
 msgstr "工单审批"
 
 #: tickets/templates/tickets/approve_check_password.html:35
-msgid "Ticket direct approval"
-msgstr "工单直接审批"
-
-#: tickets/templates/tickets/approve_check_password.html:39
-msgid "Ticket direct reject"
-msgstr "工单直接拒绝"
+msgid "Approval"
+msgstr "同意"
 
 #: tickets/templates/tickets/approve_check_password.html:44
 msgid "Go Login"
@@ -5567,7 +5562,7 @@ msgstr "强制启用"
 msgid "Local"
 msgstr "数据库"
 
-#: users/models/user.py:673 users/serializers/user.py:142
+#: users/models/user.py:673 users/serializers/user.py:144
 msgid "Is service account"
 msgstr "服务账号"
 
@@ -5666,101 +5661,101 @@ msgstr "新密码不能是最近 {} 次的密码"
 msgid "The newly set password is inconsistent"
 msgstr "两次密码不一致"
 
-#: users/serializers/profile.py:147 users/serializers/user.py:140
+#: users/serializers/profile.py:147 users/serializers/user.py:142
 msgid "Is first login"
 msgstr "首次登录"
 
-#: users/serializers/user.py:25 users/serializers/user.py:32
+#: users/serializers/user.py:26 users/serializers/user.py:33
 msgid "System roles"
 msgstr "系统角色"
 
-#: users/serializers/user.py:30 users/serializers/user.py:33
+#: users/serializers/user.py:31 users/serializers/user.py:34
 msgid "Org roles"
 msgstr "组织角色"
 
-#: users/serializers/user.py:78
+#: users/serializers/user.py:79
 #: xpack/plugins/change_auth_plan/models/base.py:35
 #: xpack/plugins/change_auth_plan/serializers/base.py:22
 msgid "Password strategy"
 msgstr "密码策略"
 
-#: users/serializers/user.py:80
+#: users/serializers/user.py:81
 msgid "MFA enabled"
 msgstr "MFA"
 
-#: users/serializers/user.py:81
+#: users/serializers/user.py:82
 msgid "MFA force enabled"
 msgstr "强制 MFA"
 
-#: users/serializers/user.py:83
+#: users/serializers/user.py:84
 msgid "MFA level display"
 msgstr "MFA 等级名称"
 
-#: users/serializers/user.py:85
+#: users/serializers/user.py:86
 msgid "Login blocked"
 msgstr "登录被阻塞"
 
-#: users/serializers/user.py:88
+#: users/serializers/user.py:89
 msgid "Can public key authentication"
 msgstr "能否公钥认证"
 
-#: users/serializers/user.py:144
+#: users/serializers/user.py:146
 msgid "Avatar url"
 msgstr "头像路径"
 
-#: users/serializers/user.py:146
+#: users/serializers/user.py:148
 msgid "Groups name"
 msgstr "用户组名"
 
-#: users/serializers/user.py:147
+#: users/serializers/user.py:149
 msgid "Source name"
 msgstr "用户来源名"
 
-#: users/serializers/user.py:148
+#: users/serializers/user.py:150
 msgid "Organization role name"
 msgstr "组织角色名称"
 
-#: users/serializers/user.py:149
+#: users/serializers/user.py:151
 msgid "Super role name"
 msgstr "超级角色名称"
 
-#: users/serializers/user.py:150
+#: users/serializers/user.py:152
 msgid "Total role name"
 msgstr "汇总角色名称"
 
-#: users/serializers/user.py:152
+#: users/serializers/user.py:154
 msgid "Is wecom bound"
 msgstr "是否绑定了企业微信"
 
-#: users/serializers/user.py:153
+#: users/serializers/user.py:155
 msgid "Is dingtalk bound"
 msgstr "是否绑定了钉钉"
 
-#: users/serializers/user.py:154
+#: users/serializers/user.py:156
 msgid "Is feishu bound"
 msgstr "是否绑定了飞书"
 
-#: users/serializers/user.py:155
+#: users/serializers/user.py:157
 msgid "Is OTP bound"
 msgstr "是否绑定了虚拟 MFA"
 
-#: users/serializers/user.py:157
+#: users/serializers/user.py:159
 msgid "System role name"
 msgstr "系统角色名称"
 
-#: users/serializers/user.py:197
+#: users/serializers/user.py:199
 msgid "User cannot self-update fields: {}"
 msgstr "用户不能更新自己的字段: {}"
 
-#: users/serializers/user.py:254
+#: users/serializers/user.py:256
 msgid "Select users"
 msgstr "选择用户"
 
-#: users/serializers/user.py:255
+#: users/serializers/user.py:257
 msgid "For security, only list several users"
 msgstr "为了安全，仅列出几个用户"
 
-#: users/serializers/user.py:290
+#: users/serializers/user.py:292
 msgid "name not unique"
 msgstr "名称重复"
 
@@ -6280,79 +6275,79 @@ msgstr "已释放"
 msgid "Cloud center"
 msgstr "云管中心"
 
-#: xpack/plugins/cloud/models.py:29
+#: xpack/plugins/cloud/models.py:30
 msgid "Provider"
 msgstr "云服务商"
 
-#: xpack/plugins/cloud/models.py:33
+#: xpack/plugins/cloud/models.py:34
 msgid "Validity"
 msgstr "有效"
 
-#: xpack/plugins/cloud/models.py:38
+#: xpack/plugins/cloud/models.py:39
 msgid "Cloud account"
 msgstr "云账号"
 
-#: xpack/plugins/cloud/models.py:40
+#: xpack/plugins/cloud/models.py:41
 msgid "Test cloud account"
 msgstr "测试云账号"
 
-#: xpack/plugins/cloud/models.py:84 xpack/plugins/cloud/serializers/task.py:66
+#: xpack/plugins/cloud/models.py:85 xpack/plugins/cloud/serializers/task.py:66
 msgid "Account"
 msgstr "账号"
 
-#: xpack/plugins/cloud/models.py:87 xpack/plugins/cloud/serializers/task.py:37
+#: xpack/plugins/cloud/models.py:88 xpack/plugins/cloud/serializers/task.py:37
 msgid "Regions"
 msgstr "地域"
 
-#: xpack/plugins/cloud/models.py:90
+#: xpack/plugins/cloud/models.py:91
 msgid "Hostname strategy"
 msgstr "主机名策略"
 
-#: xpack/plugins/cloud/models.py:99 xpack/plugins/cloud/serializers/task.py:67
+#: xpack/plugins/cloud/models.py:100 xpack/plugins/cloud/serializers/task.py:67
 msgid "Unix admin user"
 msgstr "Unix 管理员"
 
-#: xpack/plugins/cloud/models.py:103 xpack/plugins/cloud/serializers/task.py:68
+#: xpack/plugins/cloud/models.py:104 xpack/plugins/cloud/serializers/task.py:68
 msgid "Windows admin user"
 msgstr "Windows 管理员"
 
-#: xpack/plugins/cloud/models.py:109 xpack/plugins/cloud/serializers/task.py:45
+#: xpack/plugins/cloud/models.py:110 xpack/plugins/cloud/serializers/task.py:45
 msgid "IP network segment group"
 msgstr "IP网段组"
 
-#: xpack/plugins/cloud/models.py:112 xpack/plugins/cloud/serializers/task.py:71
+#: xpack/plugins/cloud/models.py:113 xpack/plugins/cloud/serializers/task.py:71
 msgid "Always update"
 msgstr "总是更新"
 
-#: xpack/plugins/cloud/models.py:118
+#: xpack/plugins/cloud/models.py:119
 msgid "Date last sync"
 msgstr "最后同步日期"
 
-#: xpack/plugins/cloud/models.py:129 xpack/plugins/cloud/models.py:170
+#: xpack/plugins/cloud/models.py:130 xpack/plugins/cloud/models.py:171
 msgid "Sync instance task"
 msgstr "同步实例任务"
 
-#: xpack/plugins/cloud/models.py:181 xpack/plugins/cloud/models.py:229
+#: xpack/plugins/cloud/models.py:182 xpack/plugins/cloud/models.py:230
 msgid "Date sync"
 msgstr "同步日期"
 
-#: xpack/plugins/cloud/models.py:185
+#: xpack/plugins/cloud/models.py:186
 msgid "Sync instance task execution"
 msgstr "同步实例任务执行"
 
-#: xpack/plugins/cloud/models.py:209
+#: xpack/plugins/cloud/models.py:210
 msgid "Sync task"
 msgstr "同步任务"
 
-#: xpack/plugins/cloud/models.py:213
+#: xpack/plugins/cloud/models.py:214
 msgid "Sync instance task history"
 msgstr "同步实例任务历史"
 
-#: xpack/plugins/cloud/models.py:216
+#: xpack/plugins/cloud/models.py:217
 msgid "Instance"
 msgstr "实例"
 
-#: xpack/plugins/cloud/models.py:233
+#: xpack/plugins/cloud/models.py:234
 msgid "Sync instance detail"
 msgstr "同步实例详情"
 
@@ -6713,6 +6708,9 @@ msgstr "旗舰版"
 msgid "Community edition"
 msgstr "社区版"
 
+#~ msgid "Unknown ip"
+#~ msgstr "未知ip"
+
 #~ msgid ""
 #~ "Windows needs to download the client to connect SSH assets, and the MacOS "
 #~ "system uses its own terminal"
diff --git a/apps/tickets/templates/tickets/approve_check_password.html b/apps/tickets/templates/tickets/approve_check_password.html
index 3e9d9afeb..d75e9f956 100644
--- a/apps/tickets/templates/tickets/approve_check_password.html
+++ b/apps/tickets/templates/tickets/approve_check_password.html
@@ -32,11 +32,11 @@
                         {% if user.is_authenticated %}
                         <button class="btn btn-primary block full-width m-b" name="action" value="approve"
                         type="submit">
-                            {% trans 'Ticket direct approval' %}
+                            {% trans 'Approval' %}
                         </button>
                         <button class="btn btn-primary block full-width m-b" name="action" value="reject"
                         type="submit">
-                            {% trans 'Ticket direct reject' %}
+                            {% trans 'Reject' %}
                         </button>
                         {% else %}
                         <a id='login_button' class="btn btn-primary block full-width m-b"

From 2c4f937e0b66d901847dbd45a827193b1c1b12ef Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Mon, 16 May 2022 16:12:13 +0800
Subject: [PATCH 106/258] =?UTF-8?q?fix:=20=E8=A7=A3=E5=86=B3LDAP=E5=90=8C?=
 =?UTF-8?q?=E6=AD=A5=E7=94=A8=E6=88=B7=E4=BB=AA=E8=A1=A8=E7=9B=98=E6=80=BB?=
 =?UTF-8?q?=E6=95=B0=E6=B2=A1=E6=9C=89=E5=88=B7=E6=96=B0=E7=9A=84=E9=97=AE?=
 =?UTF-8?q?=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/orgs/signal_handlers/cache.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/apps/orgs/signal_handlers/cache.py b/apps/orgs/signal_handlers/cache.py
index 546d11311..9de31bbb0 100644
--- a/apps/orgs/signal_handlers/cache.py
+++ b/apps/orgs/signal_handlers/cache.py
@@ -9,7 +9,7 @@ from users.models import UserGroup, User
 from users.signals import pre_user_leave_org
 from applications.models import Application
 from terminal.models import Session
-from rbac.models import OrgRoleBinding, SystemRoleBinding
+from rbac.models import OrgRoleBinding, SystemRoleBinding, RoleBinding
 from assets.models import Asset, SystemUser, Domain, Gateway
 from orgs.caches import OrgResourceStatisticsCache
 from orgs.utils import current_org
@@ -85,6 +85,7 @@ class OrgResourceStatisticsRefreshUtil:
         Node: ['nodes_amount'],
         Asset: ['assets_amount'],
         UserGroup: ['groups_amount'],
+        RoleBinding: ['users_amount']
     }
 
     @classmethod

From e80b6936a2ba2e926572978ff46c7aa9f62751af Mon Sep 17 00:00:00 2001
From: jiangweidong <weidong.jiang@fit2cloud.com>
Date: Fri, 13 May 2022 15:50:01 +0800
Subject: [PATCH 107/258] =?UTF-8?q?perf:=20=E5=85=BC=E5=AE=B9AWS=E4=B8=8Ar?=
 =?UTF-8?q?edis[ssl]=E6=97=A0=E8=AF=81=E4=B9=A6=E6=97=A0=E6=B3=95=E9=83=A8?=
 =?UTF-8?q?=E7=BD=B2=E7=9A=84=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/common/utils/connection.py      | 2 +-
 apps/jumpserver/rewriting/session.py | 2 +-
 apps/jumpserver/settings/base.py     | 7 ++++++-
 apps/jumpserver/settings/libs.py     | 7 ++++---
 4 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/apps/common/utils/connection.py b/apps/common/utils/connection.py
index 291d4516d..242b0cb21 100644
--- a/apps/common/utils/connection.py
+++ b/apps/common/utils/connection.py
@@ -19,7 +19,7 @@ def get_redis_client(db=0):
         'password': CONFIG.REDIS_PASSWORD,
         'db': db,
         "ssl": is_true(CONFIG.REDIS_USE_SSL),
-        'ssl_cert_reqs': CONFIG.REDIS_SSL_REQUIRED,
+        'ssl_cert_reqs': getattr(settings, 'REDIS_SSL_REQUIRED'),
         'ssl_keyfile': getattr(settings, 'REDIS_SSL_KEYFILE'),
         'ssl_certfile': getattr(settings, 'REDIS_SSL_CERTFILE'),
         'ssl_ca_certs': getattr(settings, 'REDIS_SSL_CA_CERTS'),
diff --git a/apps/jumpserver/rewriting/session.py b/apps/jumpserver/rewriting/session.py
index d7e0428aa..f3b432657 100644
--- a/apps/jumpserver/rewriting/session.py
+++ b/apps/jumpserver/rewriting/session.py
@@ -18,7 +18,7 @@ class RedisServer(_RedisServer):
         ssl_params = {}
         if CONFIG.REDIS_USE_SSL:
             ssl_params = {
-                'ssl_cert_reqs': CONFIG.REDIS_SSL_REQUIRED,
+                'ssl_cert_reqs': getattr(settings, 'REDIS_SSL_REQUIRED'),
                 'ssl_keyfile': getattr(settings, 'REDIS_SSL_KEYFILE'),
                 'ssl_certfile': getattr(settings, 'REDIS_SSL_CERTFILE'),
                 'ssl_ca_certs': getattr(settings, 'REDIS_SSL_CA_CERTS'),
diff --git a/apps/jumpserver/settings/base.py b/apps/jumpserver/settings/base.py
index 7c3657f35..327c3ea97 100644
--- a/apps/jumpserver/settings/base.py
+++ b/apps/jumpserver/settings/base.py
@@ -277,6 +277,11 @@ REDIS_SSL_CA_CERTS = os.path.join(PROJECT_DIR, 'data', 'certs', 'redis_ca.crt')
 if not os.path.exists(REDIS_SSL_CA_CERTS):
     REDIS_SSL_CA_CERTS = os.path.join(PROJECT_DIR, 'data', 'certs', 'redis_ca.pem')
 
+if not os.path.exists(REDIS_SSL_CA_CERTS):
+    REDIS_SSL_CA_CERTS = None
+
+REDIS_SSL_REQUIRED = CONFIG.REDIS_SSL_REQUIRED or 'none'
+
 CACHES = {
     'default': {
         # 'BACKEND': 'redis_cache.RedisCache',
@@ -291,7 +296,7 @@ CACHES = {
         'OPTIONS': {
             "REDIS_CLIENT_KWARGS": {"health_check_interval": 30},
             "CONNECTION_POOL_KWARGS": {
-                'ssl_cert_reqs': CONFIG.REDIS_SSL_REQUIRED,
+                'ssl_cert_reqs': REDIS_SSL_REQUIRED,
                 "ssl_keyfile": REDIS_SSL_KEYFILE,
                 "ssl_certfile": REDIS_SSL_CERTFILE,
                 "ssl_ca_certs": REDIS_SSL_CA_CERTS
diff --git a/apps/jumpserver/settings/libs.py b/apps/jumpserver/settings/libs.py
index 59446b9de..c67c21f0b 100644
--- a/apps/jumpserver/settings/libs.py
+++ b/apps/jumpserver/settings/libs.py
@@ -3,7 +3,7 @@
 import os
 import ssl
 
-from .base import REDIS_SSL_CA_CERTS, REDIS_SSL_CERTFILE, REDIS_SSL_KEYFILE
+from .base import REDIS_SSL_CA_CERTS, REDIS_SSL_CERTFILE, REDIS_SSL_KEYFILE, REDIS_SSL_REQUIRED
 from ..const import CONFIG, PROJECT_DIR
 
 REST_FRAMEWORK = {
@@ -90,7 +90,8 @@ if not CONFIG.REDIS_USE_SSL:
 else:
     context = ssl.SSLContext()
     context.check_hostname = bool(CONFIG.REDIS_SSL_REQUIRED)
-    context.load_verify_locations(REDIS_SSL_CA_CERTS)
+    if REDIS_SSL_CA_CERTS:
+        context.load_verify_locations(REDIS_SSL_CA_CERTS)
     if REDIS_SSL_CERTFILE and REDIS_SSL_KEYFILE:
         context.load_cert_chain(REDIS_SSL_CERTFILE, REDIS_SSL_KEYFILE)
 
@@ -140,7 +141,7 @@ CELERY_WORKER_REDIRECT_STDOUTS_LEVEL = "INFO"
 CELERY_TASK_SOFT_TIME_LIMIT = 3600
 if CONFIG.REDIS_USE_SSL:
     CELERY_BROKER_USE_SSL = CELERY_REDIS_BACKEND_USE_SSL = {
-        'ssl_cert_reqs': CONFIG.REDIS_SSL_REQUIRED,
+        'ssl_cert_reqs': REDIS_SSL_REQUIRED,
         'ssl_ca_certs': REDIS_SSL_CA_CERTS,
         'ssl_certfile': REDIS_SSL_CERTFILE,
         'ssl_keyfile': REDIS_SSL_KEYFILE

From 521ec0245b61ff8bbbe88ea5bcdc52d8a75a53c2 Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Mon, 16 May 2022 19:55:49 +0800
Subject: [PATCH 108/258] =?UTF-8?q?fix:=20ipdb=20=E7=89=88=E6=9C=AC?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 requirements/requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/requirements/requirements.txt b/requirements/requirements.txt
index ce530e0de..139cfbcd5 100644
--- a/requirements/requirements.txt
+++ b/requirements/requirements.txt
@@ -131,4 +131,4 @@ pandas==1.3.5
 pyjwkest==1.4.2
 jsonfield2==4.0.0.post0
 bce-python-sdk==0.8.64
-ipdb==0.13.9
+ipip-ipdb==1.2.1

From 83571718e9f9cacdb4ef3573b25c3c6ada76979c Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Mon, 16 May 2022 19:59:46 +0800
Subject: [PATCH 109/258] =?UTF-8?q?perf:=20=E4=BF=AE=E6=94=B9=E7=89=88?=
 =?UTF-8?q?=E6=9C=AC?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 requirements/requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/requirements/requirements.txt b/requirements/requirements.txt
index 139cfbcd5..c301148ea 100644
--- a/requirements/requirements.txt
+++ b/requirements/requirements.txt
@@ -131,4 +131,4 @@ pandas==1.3.5
 pyjwkest==1.4.2
 jsonfield2==4.0.0.post0
 bce-python-sdk==0.8.64
-ipip-ipdb==1.2.1
+ipip-ipdb==1.6.1

From 2c73611cb4ec140fdb4e98ac86e668e9553d4070 Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Tue, 17 May 2022 11:28:43 +0800
Subject: [PATCH 110/258] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=E5=85=AC?=
 =?UTF-8?q?=E5=91=8A=E4=B8=8D=E6=98=BE=E7=A4=BA=E7=9A=84=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/settings/serializers/public.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/settings/serializers/public.py b/apps/settings/serializers/public.py
index 877230489..afc4fbec2 100644
--- a/apps/settings/serializers/public.py
+++ b/apps/settings/serializers/public.py
@@ -40,4 +40,4 @@ class PrivateSettingSerializer(PublicSettingSerializer):
     TERMINAL_KOKO_SSH_ENABLED = serializers.BooleanField()
 
     ANNOUNCEMENT_ENABLED = serializers.BooleanField()
-    ANNOUNCEMENT = serializers.CharField()
+    ANNOUNCEMENT = serializers.DictField()

From d675b1d4fc3c310b5e7874cdedb4f5bcceaa5ec7 Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Tue, 17 May 2022 16:53:15 +0800
Subject: [PATCH 111/258] =?UTF-8?q?fix:=20k8s=20token=20=E8=A7=A3=E5=AF=86?=
 =?UTF-8?q?=20(#8252)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: feng626 <1304903146@qq.com>
---
 apps/assets/serializers/system_user.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/apps/assets/serializers/system_user.py b/apps/assets/serializers/system_user.py
index 850870762..ab07533d0 100644
--- a/apps/assets/serializers/system_user.py
+++ b/apps/assets/serializers/system_user.py
@@ -4,6 +4,7 @@ from django.db.models import Count
 
 from common.mixins.serializers import BulkSerializerMixin
 from common.utils import ssh_pubkey_gen
+from common.drf.fields import EncryptedField
 from common.validators import alphanumeric_re, alphanumeric_cn_re, alphanumeric_win_re
 from orgs.mixins.serializers import BulkOrgResourceModelSerializer
 from ..models import SystemUser, Asset
@@ -26,6 +27,9 @@ class SystemUserSerializer(AuthSerializerMixin, BulkOrgResourceModelSerializer):
     auto_generate_key = serializers.BooleanField(initial=True, required=False, write_only=True)
     type_display = serializers.ReadOnlyField(source='get_type_display', label=_('Type display'))
     ssh_key_fingerprint = serializers.ReadOnlyField(label=_('SSH key fingerprint'))
+    token = EncryptedField(
+        label=_('Token'), required=False, write_only=True, style={'base_template': 'textarea.html'}
+    )
     applications_amount = serializers.IntegerField(
         source='apps_amount', read_only=True, label=_('Apps amount')
     )

From 07779c5a7a59984b534e28ef7df5f853cd48ebbb Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Tue, 17 May 2022 18:57:04 +0800
Subject: [PATCH 112/258] =?UTF-8?q?perf:=20=E5=B7=A5=E5=8D=95=E5=90=AF?=
 =?UTF-8?q?=E7=94=A8=20(#8254)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: ibuler <ibuler@qq.com>
Co-authored-by: Jiangjie.Bai <32935519+BaiJiangJie@users.noreply.github.com>
---
 apps/jumpserver/conf.py              |  2 +
 apps/jumpserver/settings/custom.py   |  1 +
 apps/locale/ja/LC_MESSAGES/django.mo |  4 +-
 apps/locale/ja/LC_MESSAGES/django.po | 65 +++++++++++++++-------------
 apps/locale/zh/LC_MESSAGES/django.mo |  4 +-
 apps/locale/zh/LC_MESSAGES/django.po | 65 +++++++++++++++-------------
 apps/settings/serializers/basic.py   |  1 +
 apps/settings/serializers/public.py  |  4 +-
 8 files changed, 83 insertions(+), 63 deletions(-)

diff --git a/apps/jumpserver/conf.py b/apps/jumpserver/conf.py
index 18b998ab2..6f84397ac 100644
--- a/apps/jumpserver/conf.py
+++ b/apps/jumpserver/conf.py
@@ -389,6 +389,8 @@ class Config(dict):
         'FTP_LOG_KEEP_DAYS': 200,
         'CLOUD_SYNC_TASK_EXECUTION_KEEP_DAYS': 30,
 
+        'TICKETS_ENABLED': True,
+
         # 废弃的
         'DEFAULT_ORG_SHOW_ALL_USERS': True,
         'ORG_CHANGE_TO_URL': '',
diff --git a/apps/jumpserver/settings/custom.py b/apps/jumpserver/settings/custom.py
index c4dfdcc24..b2768f2d8 100644
--- a/apps/jumpserver/settings/custom.py
+++ b/apps/jumpserver/settings/custom.py
@@ -119,6 +119,7 @@ CHANGE_AUTH_PLAN_SECURE_MODE_ENABLED = CONFIG.CHANGE_AUTH_PLAN_SECURE_MODE_ENABL
 
 DATETIME_DISPLAY_FORMAT = '%Y-%m-%d %H:%M:%S'
 
+TICKETS_ENABLED = CONFIG.TICKETS_ENABLED
 REFERER_CHECK_ENABLED = CONFIG.REFERER_CHECK_ENABLED
 
 CONNECTION_TOKEN_ENABLED = CONFIG.CONNECTION_TOKEN_ENABLED
diff --git a/apps/locale/ja/LC_MESSAGES/django.mo b/apps/locale/ja/LC_MESSAGES/django.mo
index c78d49bb5..b6af2bdf7 100644
--- a/apps/locale/ja/LC_MESSAGES/django.mo
+++ b/apps/locale/ja/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:01a52223f421d736b00a600f623d28ac4a43e97a30f5e9cbebc3e6d18ed4527e
-size 127324
+oid sha256:843b6dffe6af09073053e21f65be4c8264e6dee05509b375c8191dde8c9079b6
+size 127386
diff --git a/apps/locale/ja/LC_MESSAGES/django.po b/apps/locale/ja/LC_MESSAGES/django.po
index 287e88567..6b97b95d0 100644
--- a/apps/locale/ja/LC_MESSAGES/django.po
+++ b/apps/locale/ja/LC_MESSAGES/django.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-05-16 17:43+0800\n"
+"POT-Creation-Date: 2022-05-17 18:02+0800\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -758,10 +758,12 @@ msgstr "接続性"
 msgid "Date verified"
 msgstr "確認済みの日付"
 
-#: assets/models/base.py:177 audits/signal_handlers.py:48
+#: assets/models/base.py:177 assets/serializers/base.py:14
+#: assets/serializers/base.py:36 audits/signal_handlers.py:48
 #: authentication/forms.py:32
 #: authentication/templates/authentication/login.html:182
-#: settings/serializers/auth/ldap.py:46 users/forms/profile.py:22
+#: settings/serializers/auth/ldap.py:25 settings/serializers/auth/ldap.py:46
+#: users/forms/profile.py:22 users/serializers/user.py:92
 #: users/templates/users/_msg_user_created.html:13
 #: users/templates/users/user_password_verify.html:18
 #: xpack/plugins/change_auth_plan/models/base.py:42
@@ -771,7 +773,8 @@ msgstr "確認済みの日付"
 msgid "Password"
 msgstr "パスワード"
 
-#: assets/models/base.py:178 xpack/plugins/change_auth_plan/models/asset.py:53
+#: assets/models/base.py:178 assets/serializers/base.py:39
+#: xpack/plugins/change_auth_plan/models/asset.py:53
 #: xpack/plugins/change_auth_plan/models/asset.py:130
 #: xpack/plugins/change_auth_plan/models/asset.py:206
 msgid "SSH private key"
@@ -1120,11 +1123,15 @@ msgstr "定期的なパフォーマンス"
 msgid "Currently only mail sending is supported"
 msgstr "現在、メール送信のみがサポートされています"
 
-#: assets/serializers/base.py:39
+#: assets/serializers/base.py:15 users/models/user.py:689
+msgid "Private key"
+msgstr "ssh秘密鍵"
+
+#: assets/serializers/base.py:43
 msgid "Key password"
 msgstr "キーパスワード"
 
-#: assets/serializers/base.py:52
+#: assets/serializers/base.py:56
 msgid "private key invalid or passphrase error"
 msgstr "秘密鍵が無効またはpassphraseエラー"
 
@@ -2102,7 +2109,7 @@ msgstr "バインディングリマインダー"
 #: perms/serializers/application/permission.py:20
 #: perms/serializers/application/permission.py:41
 #: perms/serializers/asset/permission.py:19
-#: perms/serializers/asset/permission.py:45 users/serializers/user.py:143
+#: perms/serializers/asset/permission.py:45 users/serializers/user.py:145
 msgid "Is valid"
 msgstr "有効です"
 
@@ -3063,7 +3070,7 @@ msgstr "Organization {} のアプリケーション権限"
 #: perms/serializers/application/permission.py:40
 #: perms/serializers/asset/permission.py:20
 #: perms/serializers/asset/permission.py:44 users/serializers/user.py:87
-#: users/serializers/user.py:145
+#: users/serializers/user.py:147
 msgid "Is expired"
 msgstr "期限切れです"
 
@@ -3773,6 +3780,10 @@ msgstr "アナウンスの有効化"
 msgid "Announcement"
 msgstr "発表"
 
+#: settings/serializers/basic.py:46
+msgid "Enable tickets"
+msgstr "チケットを有効にする"
+
 #: settings/serializers/cleaning.py:10
 msgid "Login log keep days"
 msgstr "ログインログは日数を保持します"
@@ -5640,7 +5651,7 @@ msgstr "強制有効"
 msgid "Local"
 msgstr "ローカル"
 
-#: users/models/user.py:673 users/serializers/user.py:144
+#: users/models/user.py:673 users/serializers/user.py:146
 msgid "Is service account"
 msgstr "サービスアカウントです"
 
@@ -5652,10 +5663,6 @@ msgstr "アバター"
 msgid "Wechat"
 msgstr "微信"
 
-#: users/models/user.py:689
-msgid "Private key"
-msgstr "ssh秘密鍵"
-
 #: users/models/user.py:711
 msgid "Source"
 msgstr "ソース"
@@ -5739,7 +5746,7 @@ msgstr "新しいパスワードを最後の {} 個のパスワードにする
 msgid "The newly set password is inconsistent"
 msgstr "新しく設定されたパスワードが一致しない"
 
-#: users/serializers/profile.py:147 users/serializers/user.py:142
+#: users/serializers/profile.py:147 users/serializers/user.py:144
 msgid "Is first login"
 msgstr "最初のログインです"
 
@@ -5777,63 +5784,63 @@ msgstr "ログインブロック"
 msgid "Can public key authentication"
 msgstr "公開鍵認証が可能"
 
-#: users/serializers/user.py:146
+#: users/serializers/user.py:148
 msgid "Avatar url"
 msgstr "アバターURL"
 
-#: users/serializers/user.py:148
+#: users/serializers/user.py:150
 msgid "Groups name"
 msgstr "グループ名"
 
-#: users/serializers/user.py:149
+#: users/serializers/user.py:151
 msgid "Source name"
 msgstr "ソース名"
 
-#: users/serializers/user.py:150
+#: users/serializers/user.py:152
 msgid "Organization role name"
 msgstr "組織の役割名"
 
-#: users/serializers/user.py:151
+#: users/serializers/user.py:153
 msgid "Super role name"
 msgstr "スーパーロール名"
 
-#: users/serializers/user.py:152
+#: users/serializers/user.py:154
 msgid "Total role name"
 msgstr "合計ロール名"
 
-#: users/serializers/user.py:154
+#: users/serializers/user.py:156
 msgid "Is wecom bound"
 msgstr "企業の微信をバインドしているかどうか"
 
-#: users/serializers/user.py:155
+#: users/serializers/user.py:157
 msgid "Is dingtalk bound"
 msgstr "ピンをバインドしているかどうか"
 
-#: users/serializers/user.py:156
+#: users/serializers/user.py:158
 msgid "Is feishu bound"
 msgstr "飛本を縛ったかどうか"
 
-#: users/serializers/user.py:157
+#: users/serializers/user.py:159
 msgid "Is OTP bound"
 msgstr "仮想MFAがバインドされているか"
 
-#: users/serializers/user.py:159
+#: users/serializers/user.py:161
 msgid "System role name"
 msgstr "システムロール名"
 
-#: users/serializers/user.py:199
+#: users/serializers/user.py:201
 msgid "User cannot self-update fields: {}"
 msgstr "ユーザーは自分のフィールドを更新できません: {}"
 
-#: users/serializers/user.py:256
+#: users/serializers/user.py:258
 msgid "Select users"
 msgstr "ユーザーの選択"
 
-#: users/serializers/user.py:257
+#: users/serializers/user.py:259
 msgid "For security, only list several users"
 msgstr "セキュリティのために、複数のユーザーのみをリストします"
 
-#: users/serializers/user.py:292
+#: users/serializers/user.py:294
 msgid "name not unique"
 msgstr "名前が一意ではない"
 
diff --git a/apps/locale/zh/LC_MESSAGES/django.mo b/apps/locale/zh/LC_MESSAGES/django.mo
index 3a91677a1..88b5034ea 100644
--- a/apps/locale/zh/LC_MESSAGES/django.mo
+++ b/apps/locale/zh/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:e4a00b4e1a3bc944c968987fd3c65798fb39fa552e91457693ec8fcb597820f0
-size 105225
+oid sha256:a78975a5a6669bfcc0f99bc4d47811be82a0620e873e51e4a17d06548e3b1e7f
+size 105269
diff --git a/apps/locale/zh/LC_MESSAGES/django.po b/apps/locale/zh/LC_MESSAGES/django.po
index feda0fbe7..20a071d1c 100644
--- a/apps/locale/zh/LC_MESSAGES/django.po
+++ b/apps/locale/zh/LC_MESSAGES/django.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: JumpServer 0.3.3\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-05-16 17:43+0800\n"
+"POT-Creation-Date: 2022-05-17 18:02+0800\n"
 "PO-Revision-Date: 2021-05-20 10:54+0800\n"
 "Last-Translator: ibuler <ibuler@qq.com>\n"
 "Language-Team: JumpServer team<ibuler@qq.com>\n"
@@ -753,10 +753,12 @@ msgstr "可连接性"
 msgid "Date verified"
 msgstr "校验日期"
 
-#: assets/models/base.py:177 audits/signal_handlers.py:48
+#: assets/models/base.py:177 assets/serializers/base.py:14
+#: assets/serializers/base.py:36 audits/signal_handlers.py:48
 #: authentication/forms.py:32
 #: authentication/templates/authentication/login.html:182
-#: settings/serializers/auth/ldap.py:46 users/forms/profile.py:22
+#: settings/serializers/auth/ldap.py:25 settings/serializers/auth/ldap.py:46
+#: users/forms/profile.py:22 users/serializers/user.py:92
 #: users/templates/users/_msg_user_created.html:13
 #: users/templates/users/user_password_verify.html:18
 #: xpack/plugins/change_auth_plan/models/base.py:42
@@ -766,7 +768,8 @@ msgstr "校验日期"
 msgid "Password"
 msgstr "密码"
 
-#: assets/models/base.py:178 xpack/plugins/change_auth_plan/models/asset.py:53
+#: assets/models/base.py:178 assets/serializers/base.py:39
+#: xpack/plugins/change_auth_plan/models/asset.py:53
 #: xpack/plugins/change_auth_plan/models/asset.py:130
 #: xpack/plugins/change_auth_plan/models/asset.py:206
 msgid "SSH private key"
@@ -1112,11 +1115,15 @@ msgstr "定时执行"
 msgid "Currently only mail sending is supported"
 msgstr "当前只支持邮件发送"
 
-#: assets/serializers/base.py:39
+#: assets/serializers/base.py:15 users/models/user.py:689
+msgid "Private key"
+msgstr "ssh私钥"
+
+#: assets/serializers/base.py:43
 msgid "Key password"
 msgstr "密钥密码"
 
-#: assets/serializers/base.py:52
+#: assets/serializers/base.py:56
 msgid "private key invalid or passphrase error"
 msgstr "密钥不合法或密钥密码错误"
 
@@ -2081,7 +2088,7 @@ msgstr "绑定提醒"
 #: perms/serializers/application/permission.py:20
 #: perms/serializers/application/permission.py:41
 #: perms/serializers/asset/permission.py:19
-#: perms/serializers/asset/permission.py:45 users/serializers/user.py:143
+#: perms/serializers/asset/permission.py:45 users/serializers/user.py:145
 msgid "Is valid"
 msgstr "账号是否有效"
 
@@ -3027,7 +3034,7 @@ msgstr "组织 ({}) 的应用授权"
 #: perms/serializers/application/permission.py:40
 #: perms/serializers/asset/permission.py:20
 #: perms/serializers/asset/permission.py:44 users/serializers/user.py:87
-#: users/serializers/user.py:145
+#: users/serializers/user.py:147
 msgid "Is expired"
 msgstr "已过期"
 
@@ -3733,6 +3740,10 @@ msgstr "启用公告"
 msgid "Announcement"
 msgstr "公告"
 
+#: settings/serializers/basic.py:46
+msgid "Enable tickets"
+msgstr "启用工单"
+
 #: settings/serializers/cleaning.py:10
 msgid "Login log keep days"
 msgstr "登录日志"
@@ -5562,7 +5573,7 @@ msgstr "强制启用"
 msgid "Local"
 msgstr "数据库"
 
-#: users/models/user.py:673 users/serializers/user.py:144
+#: users/models/user.py:673 users/serializers/user.py:146
 msgid "Is service account"
 msgstr "服务账号"
 
@@ -5574,10 +5585,6 @@ msgstr "头像"
 msgid "Wechat"
 msgstr "微信"
 
-#: users/models/user.py:689
-msgid "Private key"
-msgstr "ssh私钥"
-
 #: users/models/user.py:711
 msgid "Source"
 msgstr "来源"
@@ -5661,7 +5668,7 @@ msgstr "新密码不能是最近 {} 次的密码"
 msgid "The newly set password is inconsistent"
 msgstr "两次密码不一致"
 
-#: users/serializers/profile.py:147 users/serializers/user.py:142
+#: users/serializers/profile.py:147 users/serializers/user.py:144
 msgid "Is first login"
 msgstr "首次登录"
 
@@ -5699,63 +5706,63 @@ msgstr "登录被阻塞"
 msgid "Can public key authentication"
 msgstr "能否公钥认证"
 
-#: users/serializers/user.py:146
+#: users/serializers/user.py:148
 msgid "Avatar url"
 msgstr "头像路径"
 
-#: users/serializers/user.py:148
+#: users/serializers/user.py:150
 msgid "Groups name"
 msgstr "用户组名"
 
-#: users/serializers/user.py:149
+#: users/serializers/user.py:151
 msgid "Source name"
 msgstr "用户来源名"
 
-#: users/serializers/user.py:150
+#: users/serializers/user.py:152
 msgid "Organization role name"
 msgstr "组织角色名称"
 
-#: users/serializers/user.py:151
+#: users/serializers/user.py:153
 msgid "Super role name"
 msgstr "超级角色名称"
 
-#: users/serializers/user.py:152
+#: users/serializers/user.py:154
 msgid "Total role name"
 msgstr "汇总角色名称"
 
-#: users/serializers/user.py:154
+#: users/serializers/user.py:156
 msgid "Is wecom bound"
 msgstr "是否绑定了企业微信"
 
-#: users/serializers/user.py:155
+#: users/serializers/user.py:157
 msgid "Is dingtalk bound"
 msgstr "是否绑定了钉钉"
 
-#: users/serializers/user.py:156
+#: users/serializers/user.py:158
 msgid "Is feishu bound"
 msgstr "是否绑定了飞书"
 
-#: users/serializers/user.py:157
+#: users/serializers/user.py:159
 msgid "Is OTP bound"
 msgstr "是否绑定了虚拟 MFA"
 
-#: users/serializers/user.py:159
+#: users/serializers/user.py:161
 msgid "System role name"
 msgstr "系统角色名称"
 
-#: users/serializers/user.py:199
+#: users/serializers/user.py:201
 msgid "User cannot self-update fields: {}"
 msgstr "用户不能更新自己的字段: {}"
 
-#: users/serializers/user.py:256
+#: users/serializers/user.py:258
 msgid "Select users"
 msgstr "选择用户"
 
-#: users/serializers/user.py:257
+#: users/serializers/user.py:259
 msgid "For security, only list several users"
 msgstr "为了安全，仅列出几个用户"
 
-#: users/serializers/user.py:292
+#: users/serializers/user.py:294
 msgid "name not unique"
 msgstr "名称重复"
 
diff --git a/apps/settings/serializers/basic.py b/apps/settings/serializers/basic.py
index e0672f0df..3208ad1be 100644
--- a/apps/settings/serializers/basic.py
+++ b/apps/settings/serializers/basic.py
@@ -43,6 +43,7 @@ class BasicSettingSerializer(serializers.Serializer):
     )
     ANNOUNCEMENT_ENABLED = serializers.BooleanField(label=_('Enable announcement'), default=True)
     ANNOUNCEMENT = AnnouncementSerializer(label=_("Announcement"))
+    TICKETS_ENABLED = serializers.BooleanField(required=False, default=True, label=_("Enable tickets"))
 
     @staticmethod
     def validate_SITE_URL(s):
diff --git a/apps/settings/serializers/public.py b/apps/settings/serializers/public.py
index afc4fbec2..fed540bc0 100644
--- a/apps/settings/serializers/public.py
+++ b/apps/settings/serializers/public.py
@@ -40,4 +40,6 @@ class PrivateSettingSerializer(PublicSettingSerializer):
     TERMINAL_KOKO_SSH_ENABLED = serializers.BooleanField()
 
     ANNOUNCEMENT_ENABLED = serializers.BooleanField()
-    ANNOUNCEMENT = serializers.DictField()
+    ANNOUNCEMENT = serializers.CharField()
+    
+    TICKETS_ENABLED = serializers.BooleanField()

From 0fc5a33983fe9ad8970bd0dc2875b7ee6eeaf79e Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Tue, 17 May 2022 18:50:16 +0800
Subject: [PATCH 113/258] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=E4=BC=81?=
 =?UTF-8?q?=E4=B8=9A=E5=BE=AE=E4=BF=A1=E3=80=81=E9=92=89=E9=92=89=E3=80=81?=
 =?UTF-8?q?=E9=A3=9E=E4=B9=A6=E7=99=BB=E5=BD=95=E8=B7=B3=E8=BD=AC=E9=97=AE?=
 =?UTF-8?q?=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/authentication/views/dingtalk.py |  5 +++--
 apps/authentication/views/feishu.py   |  7 ++++---
 apps/authentication/views/wecom.py    |  6 +++---
 apps/users/utils.py                   | 12 +++++++-----
 4 files changed, 17 insertions(+), 13 deletions(-)

diff --git a/apps/authentication/views/dingtalk.py b/apps/authentication/views/dingtalk.py
index 0ca03749e..e97424aee 100644
--- a/apps/authentication/views/dingtalk.py
+++ b/apps/authentication/views/dingtalk.py
@@ -205,12 +205,13 @@ class DingTalkQRLoginView(DingTalkQRMixin, METAMixin, View):
     permission_classes = (AllowAny,)
 
     def get(self,  request: HttpRequest):
-        redirect_url = request.GET.get('redirect_url')
+        redirect_url = request.GET.get('redirect_url') or reverse('index')
+        next_url = self.get_next_url_from_meta() or reverse('index')
 
         redirect_uri = reverse('authentication:dingtalk-qr-login-callback', external=True)
         redirect_uri += '?' + urlencode({
             'redirect_url': redirect_url,
-            'next': self.get_next_url_from_meta()
+            'next': next_url,
         })
 
         url = self.get_qr_url(redirect_uri)
diff --git a/apps/authentication/views/feishu.py b/apps/authentication/views/feishu.py
index 88ba6636e..172aa2603 100644
--- a/apps/authentication/views/feishu.py
+++ b/apps/authentication/views/feishu.py
@@ -170,10 +170,11 @@ class FeiShuQRLoginView(FeiShuQRMixin, View):
     permission_classes = (AllowAny,)
 
     def get(self,  request: HttpRequest):
-        redirect_url = request.GET.get('redirect_url')
-
+        redirect_url = request.GET.get('redirect_url') or reverse('index')
         redirect_uri = reverse('authentication:feishu-qr-login-callback', external=True)
-        redirect_uri += '?' + urlencode({'redirect_url': redirect_url})
+        redirect_uri += '?' + urlencode({
+            'redirect_url': redirect_url,
+        })
 
         url = self.get_qr_url(redirect_uri)
         return HttpResponseRedirect(url)
diff --git a/apps/authentication/views/wecom.py b/apps/authentication/views/wecom.py
index 5546bf619..9b7963de8 100644
--- a/apps/authentication/views/wecom.py
+++ b/apps/authentication/views/wecom.py
@@ -201,12 +201,12 @@ class WeComQRLoginView(WeComQRMixin, METAMixin, View):
     permission_classes = (AllowAny,)
 
     def get(self,  request: HttpRequest):
-        redirect_url = request.GET.get('redirect_url')
-
+        redirect_url = request.GET.get('redirect_url') or reverse('index')
+        next_url = self.get_next_url_from_meta() or reverse('index')
         redirect_uri = reverse('authentication:wecom-qr-login-callback', external=True)
         redirect_uri += '?' + urlencode({
             'redirect_url': redirect_url,
-            'next': self.get_next_url_from_meta()
+            'next': next_url,
         })
 
         url = self.get_qr_url(redirect_uri)
diff --git a/apps/users/utils.py b/apps/users/utils.py
index f11d233e4..a2fb9afac 100644
--- a/apps/users/utils.py
+++ b/apps/users/utils.py
@@ -46,11 +46,13 @@ def get_user_or_pre_auth_user(request):
 
 
 def redirect_user_first_login_or_index(request, redirect_field_name):
-    url_in_post = request.POST.get(redirect_field_name)
-    if url_in_post:
-        return url_in_post
-    url_in_get = request.GET.get(redirect_field_name, reverse('index'))
-    return url_in_get
+    url = request.POST.get(redirect_field_name)
+    if not url:
+        url = request.GET.get(redirect_field_name)
+    # 防止 next 地址为 None
+    if not url or url.lower() in ['none']:
+        url = reverse('index')
+    return url
 
 
 def generate_otp_uri(username, otp_secret_key=None, issuer="JumpServer"):

From 7eec50804c1901390784bf05adf49c802e172f3b Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Tue, 17 May 2022 19:34:15 +0800
Subject: [PATCH 114/258] =?UTF-8?q?perf:=20=E4=BC=98=E5=8C=96=20encrypted?=
 =?UTF-8?q?=20field?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/common/drf/fields.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/apps/common/drf/fields.py b/apps/common/drf/fields.py
index abddeca01..f97925f43 100644
--- a/apps/common/drf/fields.py
+++ b/apps/common/drf/fields.py
@@ -27,8 +27,10 @@ class ReadableHiddenField(serializers.HiddenField):
 
 
 class EncryptedField(serializers.CharField):
-    def __init__(self, **kwargs):
-        kwargs['write_only'] = True
+    def __init__(self, write_only=None, **kwargs):
+        if write_only is None:
+            write_only = True
+        kwargs['write_only'] = write_only
         super().__init__(**kwargs)
 
     def to_internal_value(self, value):

From 14710e9c9ee263e0e9d3b4ee231ec916125765a1 Mon Sep 17 00:00:00 2001
From: feng626 <1304903146@qq.com>
Date: Tue, 17 May 2022 20:32:36 +0800
Subject: [PATCH 115/258] =?UTF-8?q?feat:=20=E5=B7=A5=E5=8D=95=E5=AE=A1?=
 =?UTF-8?q?=E6=89=B9=E4=BA=BA=E4=B8=AD=E5=8E=BB=E9=99=A4=E7=94=B3=E8=AF=B7?=
 =?UTF-8?q?=E4=BA=BA?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/acls/models/login_acl.py       |  6 ++++--
 apps/acls/models/login_asset_acl.py |  2 +-
 apps/assets/models/cmd_filter.py    |  6 ++++--
 apps/tickets/api/ticket.py          |  7 ++++---
 apps/tickets/models/ticket.py       | 15 ++++++++++++---
 5 files changed, 25 insertions(+), 11 deletions(-)

diff --git a/apps/acls/models/login_acl.py b/apps/acls/models/login_acl.py
index 6e1fbff73..f9b24e426 100644
--- a/apps/acls/models/login_acl.py
+++ b/apps/acls/models/login_acl.py
@@ -123,6 +123,8 @@ class LoginACL(BaseACL):
             'org_id': Organization.ROOT_ID,
         }
         ticket = Ticket.objects.create(**data)
-        ticket.create_process_map_and_node(self.reviewers.all())
-        ticket.open(self.user)
+        applicant = self.user
+        assignees = self.reviewers.all()
+        ticket.create_process_map_and_node(assignees, applicant)
+        ticket.open(applicant)
         return ticket
diff --git a/apps/acls/models/login_asset_acl.py b/apps/acls/models/login_asset_acl.py
index 0bde3c14f..dda9d97c1 100644
--- a/apps/acls/models/login_asset_acl.py
+++ b/apps/acls/models/login_asset_acl.py
@@ -97,7 +97,7 @@ class LoginAssetACL(BaseACL, OrgModelMixin):
             'org_id': org_id,
         }
         ticket = Ticket.objects.create(**data)
-        ticket.create_process_map_and_node(assignees)
+        ticket.create_process_map_and_node(assignees, user)
         ticket.open(applicant=user)
         return ticket
 
diff --git a/apps/assets/models/cmd_filter.py b/apps/assets/models/cmd_filter.py
index 82fd50e89..c92a25109 100644
--- a/apps/assets/models/cmd_filter.py
+++ b/apps/assets/models/cmd_filter.py
@@ -181,8 +181,10 @@ class CommandFilterRule(OrgModelMixin):
             'org_id': org_id,
         }
         ticket = Ticket.objects.create(**data)
-        ticket.create_process_map_and_node(self.reviewers.all())
-        ticket.open(applicant=session.user_obj)
+        applicant = session.user_obj
+        assignees = self.reviewers.all()
+        ticket.create_process_map_and_node(assignees, applicant)
+        ticket.open(applicant)
         return ticket
 
     @classmethod
diff --git a/apps/tickets/api/ticket.py b/apps/tickets/api/ticket.py
index 8e7923e8e..586188898 100644
--- a/apps/tickets/api/ticket.py
+++ b/apps/tickets/api/ticket.py
@@ -53,9 +53,10 @@ class TicketViewSet(CommonApiMixin, viewsets.ModelViewSet):
 
     def perform_create(self, serializer):
         instance = serializer.save()
-        instance.create_related_node()
-        instance.process_map = instance.create_process_map()
-        instance.open(applicant=self.request.user)
+        applicant = self.request.user
+        instance.create_related_node(applicant)
+        instance.process_map = instance.create_process_map(applicant)
+        instance.open(applicant)
 
     @action(detail=False, methods=[POST], permission_classes=[RBACPermission, ])
     def open(self, request, *args, **kwargs):
diff --git a/apps/tickets/models/ticket.py b/apps/tickets/models/ticket.py
index aa536584d..c05fa8b3b 100644
--- a/apps/tickets/models/ticket.py
+++ b/apps/tickets/models/ticket.py
@@ -188,22 +188,30 @@ class Ticket(CommonModelMixin, StatusMixin, OrgModelMixin):
             .exclude(state=ProcessStatus.notified).first()
         return processor.assignee if processor else None
 
-    def create_related_node(self):
+    def ignore_applicant(self, assignees, applicant=None):
+        applicant = applicant if applicant else self.applicant
+        if len(assignees) != 1:
+            assignees = set(assignees) - {applicant, }
+        return list(assignees)
+
+    def create_related_node(self, applicant=None):
         org_id = self.flow.org_id
         approval_rule = self.get_current_ticket_flow_approve()
         ticket_step = TicketStep.objects.create(ticket=self, level=self.approval_step)
         ticket_assignees = []
         assignees = approval_rule.get_assignees(org_id=org_id)
+        assignees = self.ignore_applicant(assignees, applicant)
         for assignee in assignees:
             ticket_assignees.append(TicketAssignee(step=ticket_step, assignee=assignee))
         TicketAssignee.objects.bulk_create(ticket_assignees)
 
-    def create_process_map(self):
+    def create_process_map(self, applicant=None):
         org_id = self.flow.org_id
         approval_rules = self.flow.rules.order_by('level')
         nodes = list()
         for node in approval_rules:
             assignees = node.get_assignees(org_id=org_id)
+            assignees = self.ignore_applicant(assignees, applicant)
             assignee_ids = [assignee.id for assignee in assignees]
             assignees_display = [str(assignee) for assignee in assignees]
             nodes.append(
@@ -217,7 +225,8 @@ class Ticket(CommonModelMixin, StatusMixin, OrgModelMixin):
         return nodes
 
     # TODO 兼容不存在流的工单
-    def create_process_map_and_node(self, assignees):
+    def create_process_map_and_node(self, assignees, applicant):
+        assignees = self.ignore_applicant(assignees, applicant)
         self.process_map = [{
             'approval_level': 1,
             'state': 'notified',

From 0c71190337c0959bc7bfe9eac7d181b4fe085a0c Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Tue, 17 May 2022 21:12:59 +0800
Subject: [PATCH 116/258] =?UTF-8?q?fix:=20=E4=BF=AE=E6=94=B9=20EncryptedFi?=
 =?UTF-8?q?eld=20=E5=AD=97=E6=AE=B5=E7=9A=84=20write=5Fonly=20=E5=B1=9E?=
 =?UTF-8?q?=E6=80=A7=20(#8259)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* fix: 修改 EncryptedField 字段的 write_only 属性

fix: 修改 EncryptedField 字段的 write_only 属性

* fix: 修改 EncryptedField 字段的 write_only 属性

Co-authored-by: Jiangjie.Bai <bugatti_it@163.com>
Co-authored-by: Jiangjie.Bai <32935519+BaiJiangJie@users.noreply.github.com>
---
 apps/applications/serializers/application.py |  4 ++--
 apps/assets/serializers/account.py           |  3 ++-
 apps/common/drf/serializers.py               | 21 +++++++++++++++++++-
 3 files changed, 24 insertions(+), 4 deletions(-)

diff --git a/apps/applications/serializers/application.py b/apps/applications/serializers/application.py
index 9b62d1dc1..35a07e262 100644
--- a/apps/applications/serializers/application.py
+++ b/apps/applications/serializers/application.py
@@ -5,7 +5,7 @@ from django.utils.translation import ugettext_lazy as _
 
 from orgs.mixins.serializers import BulkOrgResourceModelSerializer
 from assets.serializers.base import AuthSerializerMixin
-from common.drf.serializers import MethodSerializer
+from common.drf.serializers import MethodSerializer, SecretReadableMixin
 from .attrs import (
     category_serializer_classes_mapping,
     type_serializer_classes_mapping,
@@ -152,7 +152,7 @@ class AppAccountSerializer(AppSerializerMixin, AuthSerializerMixin, BulkOrgResou
         return super().to_representation(instance)
 
 
-class AppAccountSecretSerializer(AppAccountSerializer):
+class AppAccountSecretSerializer(SecretReadableMixin, AppAccountSerializer):
     class Meta(AppAccountSerializer.Meta):
         fields_backup = [
             'id', 'app_display', 'attrs', 'username', 'password', 'private_key',
diff --git a/apps/assets/serializers/account.py b/apps/assets/serializers/account.py
index daa7f38f8..bc4bea563 100644
--- a/apps/assets/serializers/account.py
+++ b/apps/assets/serializers/account.py
@@ -7,6 +7,7 @@ from orgs.mixins.serializers import BulkOrgResourceModelSerializer
 from .base import AuthSerializerMixin
 from .utils import validate_password_contains_left_double_curly_bracket
 from common.utils.encode import ssh_pubkey_gen
+from common.drf.serializers import SecretReadableMixin
 
 
 class AccountSerializer(AuthSerializerMixin, BulkOrgResourceModelSerializer):
@@ -70,7 +71,7 @@ class AccountSerializer(AuthSerializerMixin, BulkOrgResourceModelSerializer):
         return super().to_representation(instance)
 
 
-class AccountSecretSerializer(AccountSerializer):
+class AccountSecretSerializer(SecretReadableMixin, AccountSerializer):
     class Meta(AccountSerializer.Meta):
         fields_backup = [
             'hostname', 'ip', 'platform', 'protocols', 'username', 'password',
diff --git a/apps/common/drf/serializers.py b/apps/common/drf/serializers.py
index 4beb59fe7..1dde4a77e 100644
--- a/apps/common/drf/serializers.py
+++ b/apps/common/drf/serializers.py
@@ -8,10 +8,12 @@ from common.mixins import BulkListSerializerMixin
 from django.utils.functional import cached_property
 from rest_framework.utils.serializer_helpers import BindingDict
 from common.mixins.serializers import BulkSerializerMixin
+from common.drf.fields import EncryptedField
 
 __all__ = [
     'MethodSerializer',
-    'EmptySerializer', 'BulkModelSerializer', 'AdaptedBulkListSerializer', 'CeleryTaskSerializer'
+    'EmptySerializer', 'BulkModelSerializer', 'AdaptedBulkListSerializer', 'CeleryTaskSerializer',
+    'SecretReadableMixin'
 ]
 
 
@@ -83,3 +85,20 @@ class CeleryTaskSerializer(serializers.Serializer):
     task = serializers.CharField(read_only=True)
 
 
+class SecretReadableMixin(serializers.Serializer):
+    """ 加密字段 (EncryptedField) 可读性 """
+
+    def __init__(self, *args, **kwargs):
+        super(SecretReadableMixin, self).__init__(*args, **kwargs)
+        if not hasattr(self, 'Meta') or not hasattr(self.Meta, 'extra_kwargs'):
+            return
+        extra_kwargs = self.Meta.extra_kwargs
+        for field_name, serializer_field in self.fields.items():
+            if not isinstance(serializer_field, EncryptedField):
+                continue
+            if field_name not in extra_kwargs:
+                continue
+            field_extra_kwargs = extra_kwargs[field_name]
+            if 'write_only' not in field_extra_kwargs:
+                continue
+            serializer_field.write_only = field_extra_kwargs['write_only']

From c3c0f87c015a5e1d6a12a8f8e48d48ada55fd8e4 Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Tue, 17 May 2022 21:17:17 +0800
Subject: [PATCH 117/258] =?UTF-8?q?perf:=20domain=20gateway=20=E4=B9=9F?=
 =?UTF-8?q?=E6=B7=BB=E5=8A=A0?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/assets/serializers/domain.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/apps/assets/serializers/domain.py b/apps/assets/serializers/domain.py
index 6932572f8..fa1a39574 100644
--- a/apps/assets/serializers/domain.py
+++ b/apps/assets/serializers/domain.py
@@ -5,6 +5,7 @@ from django.utils.translation import ugettext_lazy as _
 
 from common.validators import alphanumeric
 from orgs.mixins.serializers import BulkOrgResourceModelSerializer
+from common.drf.serializers import SecretReadableMixin
 from ..models import Domain, Gateway
 from .base import AuthSerializerMixin
 
@@ -67,7 +68,7 @@ class GatewaySerializer(AuthSerializerMixin, BulkOrgResourceModelSerializer):
         }
 
 
-class GatewayWithAuthSerializer(GatewaySerializer):
+class GatewayWithAuthSerializer(SecretReadableMixin, GatewaySerializer):
     class Meta(GatewaySerializer.Meta):
         extra_kwargs = {
             'password': {'write_only': False},

From b76920a4bf09cdec43739182e5446195cfbacd25 Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Tue, 17 May 2022 22:09:08 +0800
Subject: [PATCH 118/258] =?UTF-8?q?fix:=20=E4=BF=AE=E6=94=B9=E7=BB=84?=
 =?UTF-8?q?=E7=BB=87=E8=B5=84=E6=BA=90=E7=BB=9F=E8=AE=A1=E6=97=B6=20org=20?=
 =?UTF-8?q?=E4=B8=BANone=E7=9A=84=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/orgs/signal_handlers/cache.py | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/apps/orgs/signal_handlers/cache.py b/apps/orgs/signal_handlers/cache.py
index 9de31bbb0..8bd2ca609 100644
--- a/apps/orgs/signal_handlers/cache.py
+++ b/apps/orgs/signal_handlers/cache.py
@@ -91,10 +91,11 @@ class OrgResourceStatisticsRefreshUtil:
     @classmethod
     def refresh_if_need(cls, instance):
         cache_field_name = cls.model_cache_field_mapper.get(type(instance))
-        if cache_field_name:
-            org_cache = OrgResourceStatisticsCache(instance.org)
-            org_cache.expire(*cache_field_name)
-            OrgResourceStatisticsCache(Organization.root()).expire(*cache_field_name)
+        if not cache_field_name:
+            return
+        OrgResourceStatisticsCache(Organization.root()).expire(*cache_field_name)
+        if instance.org:
+            OrgResourceStatisticsCache(instance.org).expire(*cache_field_name)
 
 
 @receiver(post_save)

From fe3059c1fd0904e3996db0734a3f3bccd4bc6bc4 Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Tue, 17 May 2022 23:49:06 +0800
Subject: [PATCH 119/258] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=E8=8E=B7?=
 =?UTF-8?q?=E5=8F=96=E5=AF=86=E7=A0=81=E5=A4=B1=E8=B4=A5?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/assets/serializers/system_user.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/apps/assets/serializers/system_user.py b/apps/assets/serializers/system_user.py
index ab07533d0..278a99d87 100644
--- a/apps/assets/serializers/system_user.py
+++ b/apps/assets/serializers/system_user.py
@@ -5,6 +5,7 @@ from django.db.models import Count
 from common.mixins.serializers import BulkSerializerMixin
 from common.utils import ssh_pubkey_gen
 from common.drf.fields import EncryptedField
+from common.drf.serializers import SecretReadableMixin
 from common.validators import alphanumeric_re, alphanumeric_cn_re, alphanumeric_win_re
 from orgs.mixins.serializers import BulkOrgResourceModelSerializer
 from ..models import SystemUser, Asset
@@ -252,7 +253,7 @@ class MiniSystemUserSerializer(serializers.ModelSerializer):
         fields = SystemUserSerializer.Meta.fields_mini
 
 
-class SystemUserWithAuthInfoSerializer(SystemUserSerializer):
+class SystemUserWithAuthInfoSerializer(SecretReadableMixin, SystemUserSerializer):
     class Meta(SystemUserSerializer.Meta):
         fields_mini = ['id', 'name', 'username']
         fields_write_only = ['password', 'public_key', 'private_key']
@@ -268,6 +269,9 @@ class SystemUserWithAuthInfoSerializer(SystemUserSerializer):
             'assets_amount': {'label': _('Asset')},
             'login_mode_display': {'label': _('Login mode display')},
             'created_by': {'read_only': True},
+            'password': {'write_only': False},
+            'private_key': {'write_only': False},
+            'token': {'write_only': False}
         }
 
 

From 44ffd099244a3a9de7b6c4dad7d06c88b2624cf8 Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Tue, 17 May 2022 22:21:37 +0800
Subject: [PATCH 120/258] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=E5=8F=AF?=
 =?UTF-8?q?=E8=83=BD=E7=9A=84=20decode=20error?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/common/utils/crypto.py | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/apps/common/utils/crypto.py b/apps/common/utils/crypto.py
index 4fd9360f6..f6a690a82 100644
--- a/apps/common/utils/crypto.py
+++ b/apps/common/utils/crypto.py
@@ -91,12 +91,13 @@ class AESCrypto:
 
     def encrypt(self, text):
         aes = self.aes()
-        return str(base64.encodebytes(aes.encrypt(self.to_16(text))),
-                   encoding='utf8').replace('\n', '')  # 加密
+        cipher = base64.encodebytes(aes.encrypt(self.to_16(text)))
+        return str(cipher, encoding='utf8').replace('\n', '')  # 加密
 
     def decrypt(self, text):
         aes = self.aes()
-        return str(aes.decrypt(base64.decodebytes(bytes(text, encoding='utf8'))).rstrip(b'\0').decode("utf8"))  # 解密
+        text_decoded = base64.decodebytes(bytes(text, encoding='utf8'))
+        return str(aes.decrypt(text_decoded).rstrip(b'\0').decode("utf8"))
 
 
 class AESCryptoGCM:
@@ -234,6 +235,8 @@ def rsa_decrypt(cipher_text, rsa_private_key=None):
 
 def rsa_decrypt_by_session_pkey(value):
     from jumpserver.utils import current_request
+    if not current_request:
+        return value
     private_key_name = settings.SESSION_RSA_PRIVATE_KEY_NAME
     private_key = current_request.session.get(private_key_name)
 
@@ -254,7 +257,11 @@ def decrypt_password(value):
     key_cipher, password_cipher = cipher
     aes_key = rsa_decrypt_by_session_pkey(key_cipher)
     aes = get_aes_crypto(aes_key, 'ECB')
-    password = aes.decrypt(password_cipher)
+    try:
+        password = aes.decrypt(password_cipher)
+    except UnicodeDecodeError as e:
+        logging.error("Decript password error: {}, {}".format(password_cipher, e))
+        return value
     return password
 
 

From e5f4b8000e173b40543fec9be1656ece3b5fc946 Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Tue, 17 May 2022 17:02:16 +0800
Subject: [PATCH 121/258] stash

---
 apps/authentication/middleware.py | 30 ++++++++++++------------------
 apps/jumpserver/settings/base.py  |  1 -
 2 files changed, 12 insertions(+), 19 deletions(-)

diff --git a/apps/authentication/middleware.py b/apps/authentication/middleware.py
index d2b4ff19e..96d0017e9 100644
--- a/apps/authentication/middleware.py
+++ b/apps/authentication/middleware.py
@@ -45,21 +45,7 @@ class MFAMiddleware:
 class SessionCookieMiddleware(MiddlewareMixin):
 
     @staticmethod
-    def process_response(request, response: HttpResponse):
-        key = settings.SESSION_COOKIE_NAME_PREFIX_KEY
-        value = settings.SESSION_COOKIE_NAME_PREFIX
-        if request.COOKIES.get(key) == value:
-            return response
-        response.set_cookie(key, value)
-        return response
-
-
-class EncryptedMiddleware:
-    def __init__(self, get_response):
-        self.get_response = get_response
-
-    @staticmethod
-    def check_key_pair(request, response):
+    def set_cookie_public_key(request, response):
         pub_key_name = settings.SESSION_RSA_PUBLIC_KEY_NAME
         public_key = request.session.get(pub_key_name)
         cookie_key = request.COOKIES.get(pub_key_name)
@@ -73,7 +59,15 @@ class EncryptedMiddleware:
         request.session[pri_key_name] = private_key
         response.set_cookie(pub_key_name, public_key_decode)
 
-    def __call__(self, request):
-        response = self.get_response(request)
-        self.check_key_pair(request, response)
+    @staticmethod
+    def set_session_cooke_prefix(request, response):
+        key = settings.SESSION_COOKIE_NAME_PREFIX_KEY
+        value = settings.SESSION_COOKIE_NAME_PREFIX
+        if request.COOKIES.get(key) == value:
+            return response
+        response.set_cookie(key, value)
+
+    def process_response(self, request, response: HttpResponse):
+        self.set_session_cooke_prefix(request, response)
+        self.set_session_cooke_prefix(request, response)
         return response
diff --git a/apps/jumpserver/settings/base.py b/apps/jumpserver/settings/base.py
index 327c3ea97..c1baf2882 100644
--- a/apps/jumpserver/settings/base.py
+++ b/apps/jumpserver/settings/base.py
@@ -95,7 +95,6 @@ MIDDLEWARE = [
     'authentication.backends.cas.middleware.CASMiddleware',
     'authentication.middleware.MFAMiddleware',
     'authentication.middleware.SessionCookieMiddleware',
-    'authentication.middleware.EncryptedMiddleware',
     'simple_history.middleware.HistoryRequestMiddleware',
 ]
 

From aa7540045b00d072a1fe5a469c9b68caca9e0905 Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Wed, 18 May 2022 14:42:54 +0800
Subject: [PATCH 122/258] =?UTF-8?q?feat:=20=E6=B7=BB=E5=8A=A0=20session=20?=
 =?UTF-8?q?guard?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/authentication/middleware.py      | 20 +++++++++++++++++---
 apps/authentication/signal_handlers.py |  3 +++
 2 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/apps/authentication/middleware.py b/apps/authentication/middleware.py
index 96d0017e9..f1f60bbc5 100644
--- a/apps/authentication/middleware.py
+++ b/apps/authentication/middleware.py
@@ -60,14 +60,28 @@ class SessionCookieMiddleware(MiddlewareMixin):
         response.set_cookie(pub_key_name, public_key_decode)
 
     @staticmethod
-    def set_session_cooke_prefix(request, response):
+    def set_cookie_session_prefix(request, response):
         key = settings.SESSION_COOKIE_NAME_PREFIX_KEY
         value = settings.SESSION_COOKIE_NAME_PREFIX
         if request.COOKIES.get(key) == value:
             return response
         response.set_cookie(key, value)
 
+    @staticmethod
+    def set_cookie_session_expire(request, response):
+        if not request.session.get('auth_session_expiration_required'):
+            return
+        value = 'age'
+        if settings.SESSION_EXPIRE_AT_BROWSER_CLOSE_FORCE or \
+                not request.session.get('auto_login', False):
+            value = 'close'
+
+        age = request.session.get_expiry_age()
+        response.set_cookie('jms_session_expire', value, max_age=age)
+        request.session.pop('auth_session_expiration_required', None)
+
     def process_response(self, request, response: HttpResponse):
-        self.set_session_cooke_prefix(request, response)
-        self.set_session_cooke_prefix(request, response)
+        self.set_cookie_session_prefix(request, response)
+        self.set_cookie_public_key(request, response)
+        self.set_cookie_session_expire(request, response)
         return response
diff --git a/apps/authentication/signal_handlers.py b/apps/authentication/signal_handlers.py
index 0d2a617f9..ac155dcf0 100644
--- a/apps/authentication/signal_handlers.py
+++ b/apps/authentication/signal_handlers.py
@@ -35,6 +35,9 @@ def on_user_auth_login_success(sender, user, request, **kwargs):
             session.delete()
         cache.set(lock_key, request.session.session_key, None)
 
+    # 标记登录，设置 cookie，前端可以控制刷新, Middleware 会拦截这个生成 cookie
+    request.session['auth_session_expiration_required'] = 1
+
 
 @receiver(openid_user_login_success)
 def on_oidc_user_login_success(sender, request, user, create=False, **kwargs):

From c8d7c7c56f454bcdfadd4d4a409b81116ff41f0d Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Wed, 18 May 2022 18:32:53 +0800
Subject: [PATCH 123/258] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8Doidc=E8=AE=A4?=
 =?UTF-8?q?=E8=AF=81=E4=B8=8D=E5=8C=BA=E5=88=86=E5=A4=A7=E5=B0=8F=E5=86=99?=
 =?UTF-8?q?=20(#8267)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: feng626 <1304903146@qq.com>
---
 apps/authentication/backends/oidc/backends.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/apps/authentication/backends/oidc/backends.py b/apps/authentication/backends/oidc/backends.py
index 8d4f2f629..daa614ec8 100644
--- a/apps/authentication/backends/oidc/backends.py
+++ b/apps/authentication/backends/oidc/backends.py
@@ -281,6 +281,11 @@ class OIDCAuthPasswordBackend(OIDCBaseBackend):
         try:
             claims_response.raise_for_status()
             claims = claims_response.json()
+            preferred_username = claims.get('preferred_username')
+            if preferred_username and \
+                    preferred_username.lower() == username.lower() and \
+                    preferred_username != username:
+                return
         except Exception as e:
             error = "Json claims response error, claims response " \
                     "content is: {}, error is: {}".format(claims_response.content, str(e))
@@ -309,5 +314,3 @@ class OIDCAuthPasswordBackend(OIDCBaseBackend):
             openid_user_login_failed.send(
                 sender=self.__class__, request=request, username=username, reason="User is invalid"
             )
-            return None
-

From 99e1b2cf92f419902c37aa1884d36b7be6fd90de Mon Sep 17 00:00:00 2001
From: feng626 <1304903146@qq.com>
Date: Wed, 18 May 2022 19:52:22 +0800
Subject: [PATCH 124/258] =?UTF-8?q?fix:=20=E4=B8=8D=E6=94=AF=E6=8C=81es8?=
 =?UTF-8?q?=20=E6=8F=90=E7=A4=BA?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/locale/ja/LC_MESSAGES/django.mo |  4 ++--
 apps/locale/ja/LC_MESSAGES/django.po |  4 ++++
 apps/locale/zh/LC_MESSAGES/django.mo |  4 ++--
 apps/locale/zh/LC_MESSAGES/django.po |  4 ++++
 apps/terminal/backends/command/es.py | 14 ++++++++++++--
 5 files changed, 24 insertions(+), 6 deletions(-)

diff --git a/apps/locale/ja/LC_MESSAGES/django.mo b/apps/locale/ja/LC_MESSAGES/django.mo
index b6af2bdf7..29bcfa164 100644
--- a/apps/locale/ja/LC_MESSAGES/django.mo
+++ b/apps/locale/ja/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:843b6dffe6af09073053e21f65be4c8264e6dee05509b375c8191dde8c9079b6
-size 127386
+oid sha256:5effe3cb5eb97d51bf886d21dfbe785bb789722f30774a6595eac7aa79b6315a
+size 127478
diff --git a/apps/locale/ja/LC_MESSAGES/django.po b/apps/locale/ja/LC_MESSAGES/django.po
index 6b97b95d0..c976bf085 100644
--- a/apps/locale/ja/LC_MESSAGES/django.po
+++ b/apps/locale/ja/LC_MESSAGES/django.po
@@ -4651,6 +4651,10 @@ msgstr "ターミナル管理"
 msgid "Invalid elasticsearch config"
 msgstr "無効なElasticsearch構成"
 
+#: terminal/backends/command/es.py:33
+msgid "Not Support Elasticsearch8"
+msgstr "サポートされていません Elasticsearch8"
+
 #: terminal/backends/command/models.py:16
 msgid "Ordinary"
 msgstr "普通"
diff --git a/apps/locale/zh/LC_MESSAGES/django.mo b/apps/locale/zh/LC_MESSAGES/django.mo
index 88b5034ea..317e02a96 100644
--- a/apps/locale/zh/LC_MESSAGES/django.mo
+++ b/apps/locale/zh/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:a78975a5a6669bfcc0f99bc4d47811be82a0620e873e51e4a17d06548e3b1e7f
-size 105269
+oid sha256:d30f8d3abc215c35bb2dd889374eeef896a193f8010ccd5ae8e27aa408f045c7
+size 105337
diff --git a/apps/locale/zh/LC_MESSAGES/django.po b/apps/locale/zh/LC_MESSAGES/django.po
index 20a071d1c..8dee918fb 100644
--- a/apps/locale/zh/LC_MESSAGES/django.po
+++ b/apps/locale/zh/LC_MESSAGES/django.po
@@ -4579,6 +4579,10 @@ msgstr "终端管理"
 msgid "Invalid elasticsearch config"
 msgstr "无效的 Elasticsearch 配置"
 
+#: terminal/backends/command/es.py:33
+msgid "Not Support Elasticsearch8"
+msgstr "不支持 Elasticsearch8"
+
 #: terminal/backends/command/models.py:16
 msgid "Ordinary"
 msgstr "普通"
diff --git a/apps/terminal/backends/command/es.py b/apps/terminal/backends/command/es.py
index 997bd30fd..ae76b2974 100644
--- a/apps/terminal/backends/command/es.py
+++ b/apps/terminal/backends/command/es.py
@@ -28,6 +28,11 @@ class InvalidElasticsearch(JMSException):
     default_detail = _('Invalid elasticsearch config')
 
 
+class NotSupportElasticsearch8(JMSException):
+    default_code = 'not_support_elasticsearch8'
+    default_detail = _('Not Support Elasticsearch8')
+
+
 class CommandStore(object):
     def __init__(self, config):
         self.doc_type = config.get("DOC_TYPE") or '_doc'
@@ -68,13 +73,18 @@ class CommandStore(object):
         if not self.ping(timeout=3):
             return False
 
+        info = self.es.info()
+        version = info['version']['number'].split('.')[0]
+
+        if version == '8':
+            raise NotSupportElasticsearch8
+
         try:
             # 获取索引信息，如果没有定义，直接返回
             data = self.es.indices.get_mapping(self.index)
         except NotFoundError:
             return False
-        info = self.es.info()
-        version = info['version']['number'].split('.')[0]
+
         try:
             if version == '6':
                 # 检测索引是不是新的类型 es6

From 10295569025b12b054e7692deda55105d1e07283 Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Fri, 20 May 2022 10:01:41 +0800
Subject: [PATCH 125/258] =?UTF-8?q?perf:=20remote=20app=20=E5=AD=97?=
 =?UTF-8?q?=E6=AE=B5=E4=B9=9F=E5=8A=A0=E5=AF=86=20(#8274)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* perf: remote app 字段也加密

* perf: 修改一些加密字段

Co-authored-by: ibuler <ibuler@qq.com>
---
 .../attrs/application_type/chrome.py          |  19 +-
 .../attrs/application_type/custom.py          |  13 +-
 .../attrs/application_type/mysql_workbench.py |  13 +-
 .../attrs/application_type/vmware_client.py   |  13 +-
 apps/locale/ja/LC_MESSAGES/django.mo          |   3 -
 apps/locale/ja/LC_MESSAGES/django.po          | 366 ++++++++---------
 apps/locale/zh/LC_MESSAGES/django.mo          |   3 -
 apps/locale/zh/LC_MESSAGES/django.po          | 368 +++++++++---------
 apps/settings/serializers/auth/dingtalk.py    |   4 +-
 apps/settings/serializers/auth/feishu.py      |   4 +-
 apps/settings/serializers/auth/ldap.py        |   6 +-
 apps/settings/serializers/auth/oidc.py        |   6 +-
 apps/settings/serializers/auth/radius.py      |  10 +-
 apps/settings/serializers/auth/sms.py         |   7 +-
 apps/settings/serializers/auth/wecom.py       |   6 +-
 apps/settings/serializers/email.py            |   8 +-
 apps/terminal/serializers/storage.py          |  17 +-
 apps/users/serializers/profile.py             |  20 +-
 18 files changed, 456 insertions(+), 430 deletions(-)
 delete mode 100644 apps/locale/ja/LC_MESSAGES/django.mo
 delete mode 100644 apps/locale/zh/LC_MESSAGES/django.mo

diff --git a/apps/applications/serializers/attrs/application_type/chrome.py b/apps/applications/serializers/attrs/application_type/chrome.py
index 96b4587e7..08035bc31 100644
--- a/apps/applications/serializers/attrs/application_type/chrome.py
+++ b/apps/applications/serializers/attrs/application_type/chrome.py
@@ -1,6 +1,7 @@
 from django.utils.translation import ugettext_lazy as _
 from rest_framework import serializers
 
+from common.drf.fields import EncryptedField
 from ..application_category import RemoteAppSerializer
 
 __all__ = ['ChromeSerializer', 'ChromeSecretSerializer']
@@ -13,19 +14,21 @@ class ChromeSerializer(RemoteAppSerializer):
         max_length=128, label=_('Application path'), default=CHROME_PATH, allow_null=True,
     )
     chrome_target = serializers.CharField(
-        max_length=128, allow_blank=True, required=False, label=_('Target URL'), allow_null=True,
+        max_length=128, allow_blank=True, required=False,
+        label=_('Target URL'), allow_null=True,
     )
     chrome_username = serializers.CharField(
-        max_length=128, allow_blank=True, required=False, label=_('Chrome username'), allow_null=True,
+        max_length=128, allow_blank=True, required=False,
+        label=_('Chrome username'), allow_null=True,
     )
-    chrome_password = serializers.CharField(
-        max_length=128, allow_blank=True, required=False, write_only=True, label=_('Chrome password'),
-        allow_null=True
+    chrome_password = EncryptedField(
+        max_length=128, allow_blank=True, required=False,
+        label=_('Chrome password'), allow_null=True
     )
 
 
 class ChromeSecretSerializer(ChromeSerializer):
-    chrome_password = serializers.CharField(
-        max_length=128, allow_blank=True, required=False, read_only=True, label=_('Chrome password'),
-        allow_null=True
+    chrome_password = EncryptedField(
+        max_length=128, allow_blank=True, required=False,
+        label=_('Chrome password'), allow_null=True, write_only=False
     )
diff --git a/apps/applications/serializers/attrs/application_type/custom.py b/apps/applications/serializers/attrs/application_type/custom.py
index 0a58c28b1..cfef59d5f 100644
--- a/apps/applications/serializers/attrs/application_type/custom.py
+++ b/apps/applications/serializers/attrs/application_type/custom.py
@@ -1,6 +1,7 @@
 from django.utils.translation import ugettext_lazy as _
 from rest_framework import serializers
 
+from common.drf.fields import EncryptedField
 from ..application_category import RemoteAppSerializer
 
 __all__ = ['CustomSerializer', 'CustomSecretSerializer']
@@ -19,14 +20,14 @@ class CustomSerializer(RemoteAppSerializer):
         max_length=128, allow_blank=True, required=False, label=_('Custom Username'),
         allow_null=True,
     )
-    custom_password = serializers.CharField(
-        max_length=128, allow_blank=True, required=False, write_only=True, label=_('Custom password'),
-        allow_null=True,
+    custom_password = EncryptedField(
+        max_length=128, allow_blank=True, required=False,
+        label=_('Custom password'), allow_null=True,
     )
 
 
 class CustomSecretSerializer(RemoteAppSerializer):
-    custom_password = serializers.CharField(
-        max_length=128, allow_blank=True, required=False, read_only=True, label=_('Custom password'),
-        allow_null=True,
+    custom_password = EncryptedField(
+        max_length=128, allow_blank=True, required=False, write_only=False,
+        label=_('Custom password'), allow_null=True,
     )
diff --git a/apps/applications/serializers/attrs/application_type/mysql_workbench.py b/apps/applications/serializers/attrs/application_type/mysql_workbench.py
index bc41a689b..6092b2ed1 100644
--- a/apps/applications/serializers/attrs/application_type/mysql_workbench.py
+++ b/apps/applications/serializers/attrs/application_type/mysql_workbench.py
@@ -1,6 +1,7 @@
 from django.utils.translation import ugettext_lazy as _
 from rest_framework import serializers
 
+from common.drf.fields import EncryptedField
 from ..application_category import RemoteAppSerializer
 
 __all__ = ['MySQLWorkbenchSerializer', 'MySQLWorkbenchSecretSerializer']
@@ -29,14 +30,14 @@ class MySQLWorkbenchSerializer(RemoteAppSerializer):
         max_length=128, allow_blank=True, required=False, label=_('Mysql workbench username'),
         allow_null=True,
     )
-    mysql_workbench_password = serializers.CharField(
-        max_length=128, allow_blank=True, required=False, write_only=True, label=_('Mysql workbench password'),
-        allow_null=True,
+    mysql_workbench_password = EncryptedField(
+        max_length=128, allow_blank=True, required=False,
+        label=_('Mysql workbench password'), allow_null=True,
     )
 
 
 class MySQLWorkbenchSecretSerializer(RemoteAppSerializer):
-    mysql_workbench_password = serializers.CharField(
-        max_length=128, allow_blank=True, required=False, read_only=True, label=_('Mysql workbench password'),
-        allow_null=True,
+    mysql_workbench_password = EncryptedField(
+        max_length=128, allow_blank=True, required=False, write_only=False,
+        label=_('Mysql workbench password'), allow_null=True,
     )
diff --git a/apps/applications/serializers/attrs/application_type/vmware_client.py b/apps/applications/serializers/attrs/application_type/vmware_client.py
index 6ec3975cb..d6b9cef0b 100644
--- a/apps/applications/serializers/attrs/application_type/vmware_client.py
+++ b/apps/applications/serializers/attrs/application_type/vmware_client.py
@@ -1,6 +1,7 @@
 from django.utils.translation import ugettext_lazy as _
 from rest_framework import serializers
 
+from common.drf.fields import EncryptedField
 from ..application_category import RemoteAppSerializer
 
 __all__ = ['VMwareClientSerializer', 'VMwareClientSecretSerializer']
@@ -25,14 +26,14 @@ class VMwareClientSerializer(RemoteAppSerializer):
         max_length=128, allow_blank=True, required=False, label=_('Vmware username'),
         allow_null=True
     )
-    vmware_password = serializers.CharField(
-        max_length=128, allow_blank=True, required=False, write_only=True, label=_('Vmware password'),
-        allow_null=True
+    vmware_password = EncryptedField(
+        max_length=128, allow_blank=True, required=False,
+        label=_('Vmware password'), allow_null=True
     )
 
 
 class VMwareClientSecretSerializer(RemoteAppSerializer):
-    vmware_password = serializers.CharField(
-        max_length=128, allow_blank=True, required=False, read_only=True, label=_('Vmware password'),
-        allow_null=True
+    vmware_password = EncryptedField(
+        max_length=128, allow_blank=True, required=False, write_only=False,
+        label=_('Vmware password'), allow_null=True
     )
diff --git a/apps/locale/ja/LC_MESSAGES/django.mo b/apps/locale/ja/LC_MESSAGES/django.mo
deleted file mode 100644
index 29bcfa164..000000000
--- a/apps/locale/ja/LC_MESSAGES/django.mo
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:5effe3cb5eb97d51bf886d21dfbe785bb789722f30774a6595eac7aa79b6315a
-size 127478
diff --git a/apps/locale/ja/LC_MESSAGES/django.po b/apps/locale/ja/LC_MESSAGES/django.po
index c976bf085..d850a1cc1 100644
--- a/apps/locale/ja/LC_MESSAGES/django.po
+++ b/apps/locale/ja/LC_MESSAGES/django.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-05-17 18:02+0800\n"
+"POT-Creation-Date: 2022-05-19 13:16+0800\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -129,7 +129,7 @@ msgstr "システムユーザー"
 #: assets/models/asset.py:386 assets/models/authbook.py:19
 #: assets/models/backup.py:31 assets/models/cmd_filter.py:38
 #: assets/models/gathered_user.py:14 assets/serializers/label.py:30
-#: assets/serializers/system_user.py:264 audits/models.py:39
+#: assets/serializers/system_user.py:269 audits/models.py:39
 #: perms/models/asset_permission.py:23 terminal/backends/command/models.py:21
 #: terminal/backends/command/serializers.py:13 terminal/models/session.py:46
 #: terminal/notifications.py:90
@@ -162,7 +162,7 @@ msgstr "コンマ区切り文字列の形式。* はすべて一致すること
 #: users/templates/users/_msg_user_created.html:12
 #: xpack/plugins/change_auth_plan/models/asset.py:34
 #: xpack/plugins/change_auth_plan/models/asset.py:195
-#: xpack/plugins/cloud/serializers/account_attrs.py:22
+#: xpack/plugins/cloud/serializers/account_attrs.py:24
 msgid "Username"
 msgstr "ユーザー名"
 
@@ -177,9 +177,9 @@ msgstr ""
 "db8:1a:1110:::/64 (ドメイン名サポート)"
 
 #: acls/serializers/login_asset_acl.py:31 acls/serializers/rules/rules.py:33
-#: applications/serializers/attrs/application_type/mysql_workbench.py:17
+#: applications/serializers/attrs/application_type/mysql_workbench.py:18
 #: assets/models/asset.py:210 assets/models/domain.py:60
-#: assets/serializers/account.py:13
+#: assets/serializers/account.py:14
 #: authentication/templates/authentication/_msg_oauth_bind.html:12
 #: authentication/templates/authentication/_msg_rest_password_success.html:8
 #: authentication/templates/authentication/_msg_rest_public_key_success.html:8
@@ -188,7 +188,7 @@ msgid "IP"
 msgstr "IP"
 
 #: acls/serializers/login_asset_acl.py:35 assets/models/asset.py:211
-#: assets/serializers/account.py:14 assets/serializers/gathered_user.py:23
+#: assets/serializers/account.py:15 assets/serializers/gathered_user.py:23
 #: settings/serializers/terminal.py:7
 msgid "Hostname"
 msgstr "ホスト名"
@@ -203,7 +203,7 @@ msgstr ""
 
 #: acls/serializers/login_asset_acl.py:55 assets/models/asset.py:213
 #: assets/models/domain.py:62 assets/models/user.py:248
-#: terminal/serializers/session.py:30 terminal/serializers/storage.py:67
+#: terminal/serializers/session.py:30 terminal/serializers/storage.py:68
 msgid "Protocol"
 msgstr "プロトコル"
 
@@ -245,7 +245,7 @@ msgstr "アプリケーション"
 
 #: applications/const.py:8
 #: applications/serializers/attrs/application_category/db.py:14
-#: applications/serializers/attrs/application_type/mysql_workbench.py:25
+#: applications/serializers/attrs/application_type/mysql_workbench.py:26
 #: xpack/plugins/change_auth_plan/models/app.py:32
 msgid "Database"
 msgstr "データベース"
@@ -341,7 +341,7 @@ msgstr "カテゴリ表示"
 
 #: applications/serializers/application.py:71
 #: applications/serializers/application.py:102
-#: assets/serializers/cmd_filter.py:34 assets/serializers/system_user.py:27
+#: assets/serializers/cmd_filter.py:34 assets/serializers/system_user.py:29
 #: audits/serializers.py:29 perms/serializers/application/permission.py:19
 #: tickets/serializers/ticket/meta/ticket_type/apply_application.py:33
 #: tickets/serializers/ticket/ticket.py:21
@@ -353,7 +353,7 @@ msgstr "タイプ表示"
 #: assets/models/base.py:181 assets/models/cluster.py:26
 #: assets/models/domain.py:26 assets/models/gathered_user.py:19
 #: assets/models/group.py:22 assets/models/label.py:25
-#: assets/serializers/account.py:18 assets/serializers/cmd_filter.py:28
+#: assets/serializers/account.py:19 assets/serializers/cmd_filter.py:28
 #: assets/serializers/cmd_filter.py:48 common/db/models.py:113
 #: common/mixins/models.py:50 ops/models/adhoc.py:39 ops/models/command.py:30
 #: orgs/models.py:67 orgs/models.py:217 perms/models/base.py:92
@@ -363,7 +363,7 @@ msgid "Date created"
 msgstr "作成された日付"
 
 #: applications/serializers/application.py:104 assets/models/base.py:182
-#: assets/models/gathered_user.py:20 assets/serializers/account.py:21
+#: assets/models/gathered_user.py:20 assets/serializers/account.py:22
 #: assets/serializers/cmd_filter.py:29 assets/serializers/cmd_filter.py:49
 #: common/db/models.py:114 common/mixins/models.py:51 ops/models/adhoc.py:40
 #: orgs/models.py:218
@@ -387,88 +387,88 @@ msgstr "クラスター"
 #: applications/serializers/attrs/application_category/db.py:11
 #: ops/models/adhoc.py:157 settings/serializers/auth/radius.py:14
 #: terminal/models/endpoint.py:11
-#: xpack/plugins/cloud/serializers/account_attrs.py:68
+#: xpack/plugins/cloud/serializers/account_attrs.py:70
 msgid "Host"
 msgstr "ホスト"
 
 #: applications/serializers/attrs/application_category/db.py:12
 #: applications/serializers/attrs/application_type/mongodb.py:10
 #: applications/serializers/attrs/application_type/mysql.py:10
-#: applications/serializers/attrs/application_type/mysql_workbench.py:21
+#: applications/serializers/attrs/application_type/mysql_workbench.py:22
 #: applications/serializers/attrs/application_type/oracle.py:10
 #: applications/serializers/attrs/application_type/pgsql.py:10
 #: applications/serializers/attrs/application_type/redis.py:10
 #: applications/serializers/attrs/application_type/sqlserver.py:10
 #: assets/models/asset.py:214 assets/models/domain.py:61
 #: settings/serializers/auth/radius.py:15
-#: xpack/plugins/cloud/serializers/account_attrs.py:69
+#: xpack/plugins/cloud/serializers/account_attrs.py:71
 msgid "Port"
 msgstr "ポート"
 
 #: applications/serializers/attrs/application_category/remote_app.py:39
-#: applications/serializers/attrs/application_type/chrome.py:13
-#: applications/serializers/attrs/application_type/mysql_workbench.py:13
-#: applications/serializers/attrs/application_type/vmware_client.py:17
+#: applications/serializers/attrs/application_type/chrome.py:14
+#: applications/serializers/attrs/application_type/mysql_workbench.py:14
+#: applications/serializers/attrs/application_type/vmware_client.py:18
 msgid "Application path"
 msgstr "アプリケーションパス"
 
 #: applications/serializers/attrs/application_category/remote_app.py:44
-#: assets/serializers/system_user.py:163
+#: assets/serializers/system_user.py:168
 #: xpack/plugins/change_auth_plan/serializers/asset.py:66
 #: xpack/plugins/change_auth_plan/serializers/asset.py:69
 #: xpack/plugins/change_auth_plan/serializers/asset.py:72
 #: xpack/plugins/change_auth_plan/serializers/asset.py:103
-#: xpack/plugins/cloud/serializers/account_attrs.py:52
+#: xpack/plugins/cloud/serializers/account_attrs.py:54
 msgid "This field is required."
 msgstr "このフィールドは必須です。"
 
-#: applications/serializers/attrs/application_type/chrome.py:16
-#: applications/serializers/attrs/application_type/vmware_client.py:21
+#: applications/serializers/attrs/application_type/chrome.py:18
+#: applications/serializers/attrs/application_type/vmware_client.py:22
 msgid "Target URL"
 msgstr "ターゲットURL"
 
-#: applications/serializers/attrs/application_type/chrome.py:19
+#: applications/serializers/attrs/application_type/chrome.py:22
 msgid "Chrome username"
 msgstr "Chromeユーザー名"
 
-#: applications/serializers/attrs/application_type/chrome.py:22
-#: applications/serializers/attrs/application_type/chrome.py:29
+#: applications/serializers/attrs/application_type/chrome.py:26
+#: applications/serializers/attrs/application_type/chrome.py:33
 msgid "Chrome password"
 msgstr "Chromeパスワード"
 
-#: applications/serializers/attrs/application_type/custom.py:11
+#: applications/serializers/attrs/application_type/custom.py:12
 msgid "Operating parameter"
 msgstr "操作パラメータ"
 
-#: applications/serializers/attrs/application_type/custom.py:15
+#: applications/serializers/attrs/application_type/custom.py:16
 msgid "Target url"
 msgstr "ターゲットURL"
 
-#: applications/serializers/attrs/application_type/custom.py:19
+#: applications/serializers/attrs/application_type/custom.py:20
 msgid "Custom Username"
 msgstr "カスタムユーザー名"
 
-#: applications/serializers/attrs/application_type/custom.py:23
-#: applications/serializers/attrs/application_type/custom.py:30
+#: applications/serializers/attrs/application_type/custom.py:25
+#: applications/serializers/attrs/application_type/custom.py:32
 #: xpack/plugins/change_auth_plan/models/base.py:27
 msgid "Custom password"
 msgstr "カスタムパスワード"
 
-#: applications/serializers/attrs/application_type/mysql_workbench.py:29
+#: applications/serializers/attrs/application_type/mysql_workbench.py:30
 msgid "Mysql workbench username"
 msgstr "Mysql workbench のユーザー名"
 
-#: applications/serializers/attrs/application_type/mysql_workbench.py:33
-#: applications/serializers/attrs/application_type/mysql_workbench.py:40
+#: applications/serializers/attrs/application_type/mysql_workbench.py:35
+#: applications/serializers/attrs/application_type/mysql_workbench.py:42
 msgid "Mysql workbench password"
 msgstr "Mysql workbench パスワード"
 
-#: applications/serializers/attrs/application_type/vmware_client.py:25
+#: applications/serializers/attrs/application_type/vmware_client.py:26
 msgid "Vmware username"
 msgstr "Vmware ユーザー名"
 
-#: applications/serializers/attrs/application_type/vmware_client.py:29
-#: applications/serializers/attrs/application_type/vmware_client.py:36
+#: applications/serializers/attrs/application_type/vmware_client.py:31
+#: applications/serializers/attrs/application_type/vmware_client.py:38
 msgid "Vmware password"
 msgstr "Vmware パスワード"
 
@@ -510,7 +510,7 @@ msgid "Internal"
 msgstr "内部"
 
 #: assets/models/asset.py:162 assets/models/asset.py:216
-#: assets/serializers/account.py:15 assets/serializers/asset.py:63
+#: assets/serializers/account.py:16 assets/serializers/asset.py:63
 #: perms/serializers/asset/user_permission.py:43
 msgid "Platform"
 msgstr "プラットフォーム"
@@ -571,7 +571,7 @@ msgstr "システムアーキテクチャ"
 msgid "Hostname raw"
 msgstr "ホスト名生"
 
-#: assets/models/asset.py:215 assets/serializers/account.py:16
+#: assets/models/asset.py:215 assets/serializers/account.py:17
 #: assets/serializers/asset.py:65 perms/serializers/asset/user_permission.py:41
 #: xpack/plugins/cloud/models.py:107 xpack/plugins/cloud/serializers/task.py:42
 msgid "Protocols"
@@ -750,7 +750,7 @@ msgstr "OK"
 msgid "Failed"
 msgstr "失敗しました"
 
-#: assets/models/base.py:38 assets/serializers/domain.py:46
+#: assets/models/base.py:38 assets/serializers/domain.py:47
 msgid "Connectivity"
 msgstr "接続性"
 
@@ -769,7 +769,7 @@ msgstr "確認済みの日付"
 #: xpack/plugins/change_auth_plan/models/base.py:42
 #: xpack/plugins/change_auth_plan/models/base.py:121
 #: xpack/plugins/change_auth_plan/models/base.py:196
-#: xpack/plugins/cloud/serializers/account_attrs.py:24
+#: xpack/plugins/cloud/serializers/account_attrs.py:26
 msgid "Password"
 msgstr "パスワード"
 
@@ -833,7 +833,7 @@ msgstr "デフォルトクラスター"
 msgid "User group"
 msgstr "ユーザーグループ"
 
-#: assets/models/cmd_filter.py:60 assets/serializers/system_user.py:54
+#: assets/models/cmd_filter.py:60 assets/serializers/system_user.py:59
 msgid "Command filter"
 msgstr "コマンドフィルター"
 
@@ -958,7 +958,7 @@ msgstr "フルバリュー"
 msgid "Parent key"
 msgstr "親キー"
 
-#: assets/models/node.py:559 assets/serializers/system_user.py:263
+#: assets/models/node.py:559 assets/serializers/system_user.py:268
 #: xpack/plugins/cloud/models.py:96 xpack/plugins/cloud/serializers/task.py:69
 msgid "Node"
 msgstr "ノード"
@@ -983,7 +983,7 @@ msgstr "共通ユーザー"
 msgid "Username same with user"
 msgstr "ユーザーと同じユーザー名"
 
-#: assets/models/user.py:240 assets/serializers/domain.py:29
+#: assets/models/user.py:240 assets/serializers/domain.py:30
 #: terminal/templates/terminal/_msg_command_execute_alert.html:16
 #: xpack/plugins/change_auth_plan/models/asset.py:39
 msgid "Assets"
@@ -1017,7 +1017,8 @@ msgstr "ログインモード"
 msgid "SFTP Root"
 msgstr "SFTPルート"
 
-#: assets/models/user.py:254 authentication/models.py:49
+#: assets/models/user.py:254 assets/serializers/system_user.py:32
+#: authentication/models.py:49
 msgid "Token"
 msgstr "トークン"
 
@@ -1068,7 +1069,7 @@ msgstr ""
 "されていません-個人情報にアクセスしてください-> ファイル暗号化パスワードを設"
 "定してください暗号化パスワード"
 
-#: assets/serializers/account.py:40 assets/serializers/account.py:83
+#: assets/serializers/account.py:41 assets/serializers/account.py:84
 msgid "System user display"
 msgstr "システムユーザー表示"
 
@@ -1143,17 +1144,17 @@ msgstr "アクション表示"
 msgid "Pattern"
 msgstr "パターン"
 
-#: assets/serializers/domain.py:13 assets/serializers/label.py:12
-#: assets/serializers/system_user.py:59
+#: assets/serializers/domain.py:14 assets/serializers/label.py:12
+#: assets/serializers/system_user.py:64
 #: perms/serializers/asset/permission.py:49
 msgid "Assets amount"
 msgstr "資産額"
 
-#: assets/serializers/domain.py:14
+#: assets/serializers/domain.py:15
 msgid "Applications amount"
 msgstr "申し込み金額"
 
-#: assets/serializers/domain.py:15
+#: assets/serializers/domain.py:16
 msgid "Gateways count"
 msgstr "ゲートウェイ数"
 
@@ -1169,78 +1170,78 @@ msgstr "含まれない:/"
 msgid "The same level node name cannot be the same"
 msgstr "同じレベルのノード名を同じにすることはできません。"
 
-#: assets/serializers/system_user.py:28
+#: assets/serializers/system_user.py:30
 msgid "SSH key fingerprint"
 msgstr "SSHキー指紋"
 
-#: assets/serializers/system_user.py:30
+#: assets/serializers/system_user.py:35
 #: perms/serializers/application/permission.py:46
 msgid "Apps amount"
 msgstr "アプリの量"
 
-#: assets/serializers/system_user.py:58
+#: assets/serializers/system_user.py:63
 #: perms/serializers/asset/permission.py:50
 msgid "Nodes amount"
 msgstr "ノード量"
 
-#: assets/serializers/system_user.py:60 assets/serializers/system_user.py:265
+#: assets/serializers/system_user.py:65 assets/serializers/system_user.py:270
 msgid "Login mode display"
 msgstr "ログインモード表示"
 
-#: assets/serializers/system_user.py:62
+#: assets/serializers/system_user.py:67
 msgid "Ad domain"
 msgstr "広告ドメイン"
 
-#: assets/serializers/system_user.py:63
+#: assets/serializers/system_user.py:68
 msgid "Is asset protocol"
 msgstr "資産プロトコルです"
 
-#: assets/serializers/system_user.py:64
+#: assets/serializers/system_user.py:69
 msgid "Only ssh and automatic login system users are supported"
 msgstr "sshと自動ログインシステムのユーザーのみがサポートされています"
 
-#: assets/serializers/system_user.py:104
+#: assets/serializers/system_user.py:109
 msgid "Username same with user with protocol {} only allow 1"
 msgstr "プロトコル {} のユーザーと同じユーザー名は1のみ許可します"
 
-#: assets/serializers/system_user.py:117 common/validators.py:14
+#: assets/serializers/system_user.py:122 common/validators.py:14
 msgid "Special char not allowed"
 msgstr "特別なcharは許可されていません"
 
-#: assets/serializers/system_user.py:127
+#: assets/serializers/system_user.py:132
 msgid "* Automatic login mode must fill in the username."
 msgstr "* 自動ログインモードはユーザー名を入力する必要があります。"
 
-#: assets/serializers/system_user.py:142
+#: assets/serializers/system_user.py:147
 msgid "Path should starts with /"
 msgstr "パスは/で始まる必要があります"
 
-#: assets/serializers/system_user.py:154
+#: assets/serializers/system_user.py:159
 msgid "Password or private key required"
 msgstr "パスワードまたは秘密鍵が必要"
 
-#: assets/serializers/system_user.py:168
+#: assets/serializers/system_user.py:173
 msgid "Only ssh protocol system users are allowed"
 msgstr "Sshプロトコルシステムユーザーのみが許可されています"
 
-#: assets/serializers/system_user.py:172
+#: assets/serializers/system_user.py:177
 msgid "The protocol must be consistent with the current user: {}"
 msgstr "プロトコルは現在のユーザーと一致している必要があります: {}"
 
-#: assets/serializers/system_user.py:176
+#: assets/serializers/system_user.py:181
 msgid "Only system users with automatic login are allowed"
 msgstr "自動ログインを持つシステムユーザーのみが許可されます"
 
-#: assets/serializers/system_user.py:281
+#: assets/serializers/system_user.py:289
 msgid "System user name"
 msgstr "システムユーザー名"
 
-#: assets/serializers/system_user.py:282 orgs/mixins/serializers.py:26
+#: assets/serializers/system_user.py:290 orgs/mixins/serializers.py:26
 #: rbac/serializers/rolebinding.py:23
 msgid "Org name"
 msgstr "組織名"
 
-#: assets/serializers/system_user.py:291
+#: assets/serializers/system_user.py:299
 msgid "Asset hostname"
 msgstr "資産ホスト名"
 
@@ -1495,7 +1496,7 @@ msgstr "ユーザーエージェント"
 #: audits/models.py:126
 #: authentication/templates/authentication/_mfa_confirm_modal.html:14
 #: users/forms/profile.py:65 users/models/user.py:684
-#: users/serializers/profile.py:124
+#: users/serializers/profile.py:126
 msgid "MFA"
 msgstr "MFA"
 
@@ -1542,7 +1543,7 @@ msgstr "ホスト表示"
 msgid "Result"
 msgstr "結果"
 
-#: audits/serializers.py:98 terminal/serializers/storage.py:156
+#: audits/serializers.py:98 terminal/serializers/storage.py:157
 msgid "Hosts"
 msgstr "ホスト"
 
@@ -2052,7 +2053,7 @@ msgstr "MFAタイプ ({}) が有効になっていない"
 msgid "Please change your password"
 msgstr "パスワードを変更してください"
 
-#: authentication/models.py:34 terminal/serializers/storage.py:28
+#: authentication/models.py:34
 msgid "Access key"
 msgstr "アクセスキー"
 
@@ -2141,13 +2142,13 @@ msgstr "表示"
 
 #: authentication/templates/authentication/_access_key_modal.html:66
 #: settings/serializers/security.py:39 users/models/user.py:556
-#: users/serializers/profile.py:114 users/templates/users/mfa_setting.html:61
+#: users/serializers/profile.py:116 users/templates/users/mfa_setting.html:61
 #: users/templates/users/user_verify_mfa.html:36
 msgid "Disable"
 msgstr "無効化"
 
 #: authentication/templates/authentication/_access_key_modal.html:67
-#: users/models/user.py:557 users/serializers/profile.py:115
+#: users/models/user.py:557 users/serializers/profile.py:117
 #: users/templates/users/mfa_setting.html:26
 #: users/templates/users/mfa_setting.html:68
 msgid "Enable"
@@ -2377,15 +2378,15 @@ msgstr "DingTalkはすでに別のユーザーにバインドされています"
 msgid "Binding DingTalk successfully"
 msgstr "DingTalkのバインドに成功"
 
-#: authentication/views/dingtalk.py:239 authentication/views/dingtalk.py:293
+#: authentication/views/dingtalk.py:240 authentication/views/dingtalk.py:294
 msgid "Failed to get user from DingTalk"
 msgstr "DingTalkからユーザーを取得できませんでした"
 
-#: authentication/views/dingtalk.py:245 authentication/views/dingtalk.py:299
+#: authentication/views/dingtalk.py:246 authentication/views/dingtalk.py:300
 msgid "DingTalk is not bound"
 msgstr "DingTalkはバインドされていません"
 
-#: authentication/views/dingtalk.py:246 authentication/views/dingtalk.py:300
+#: authentication/views/dingtalk.py:247 authentication/views/dingtalk.py:301
 msgid "Please login with a password and then bind the DingTalk"
 msgstr "パスワードでログインし、DingTalkをバインドしてください"
 
@@ -2414,15 +2415,15 @@ msgstr "本を飛ばす"
 msgid "Binding FeiShu successfully"
 msgstr "本を飛ばすのバインドに成功"
 
-#: authentication/views/feishu.py:200
+#: authentication/views/feishu.py:201
 msgid "Failed to get user from FeiShu"
 msgstr "本を飛ばすからユーザーを取得できませんでした"
 
-#: authentication/views/feishu.py:206
+#: authentication/views/feishu.py:207
 msgid "FeiShu is not bound"
 msgstr "本を飛ばすは拘束されていません"
 
-#: authentication/views/feishu.py:207
+#: authentication/views/feishu.py:208
 msgid "Please login with a password and then bind the FeiShu"
 msgstr "パスワードでログインしてから本を飛ばすをバインドしてください"
 
@@ -3249,7 +3250,7 @@ msgstr "組織の役割バインディング"
 msgid "System role binding"
 msgstr "システムロールバインディング"
 
-#: rbac/serializers/permission.py:26 users/serializers/profile.py:130
+#: rbac/serializers/permission.py:26 users/serializers/profile.py:132
 msgid "Perms"
 msgstr "パーマ"
 
@@ -3475,7 +3476,7 @@ msgstr "ログインリダイレクトの有効化msg"
 msgid "Enable CAS Auth"
 msgstr "CAS 認証の有効化"
 
-#: settings/serializers/auth/cas.py:11 settings/serializers/auth/oidc.py:40
+#: settings/serializers/auth/cas.py:11 settings/serializers/auth/oidc.py:42
 msgid "Server url"
 msgstr "サービス側アドレス"
 
@@ -3503,11 +3504,11 @@ msgstr "マッピングのプロパティ"
 msgid "Create user if not"
 msgstr "そうでない場合はユーザーを作成"
 
-#: settings/serializers/auth/dingtalk.py:11
+#: settings/serializers/auth/dingtalk.py:13
 msgid "Enable DingTalk Auth"
 msgstr "ピン認証の有効化"
 
-#: settings/serializers/auth/feishu.py:10
+#: settings/serializers/auth/feishu.py:12
 msgid "Enable FeiShu Auth"
 msgstr "飛本認証の有効化"
 
@@ -3564,96 +3565,96 @@ msgstr "ページサイズを検索"
 msgid "Enable LDAP auth"
 msgstr "LDAP認証の有効化"
 
-#: settings/serializers/auth/oidc.py:12
+#: settings/serializers/auth/oidc.py:14
 msgid "Base site url"
 msgstr "ベースサイトのアドレス"
 
-#: settings/serializers/auth/oidc.py:15
+#: settings/serializers/auth/oidc.py:17
 msgid "Client Id"
 msgstr "クライアントID"
 
-#: settings/serializers/auth/oidc.py:18
-#: xpack/plugins/cloud/serializers/account_attrs.py:34
+#: settings/serializers/auth/oidc.py:20
+#: xpack/plugins/cloud/serializers/account_attrs.py:36
 msgid "Client Secret"
 msgstr "クライアント秘密"
 
-#: settings/serializers/auth/oidc.py:26
+#: settings/serializers/auth/oidc.py:28
 msgid "Client authentication method"
 msgstr "クライアント認証方式"
 
-#: settings/serializers/auth/oidc.py:28
+#: settings/serializers/auth/oidc.py:30
 msgid "Share session"
 msgstr "セッションの共有"
 
-#: settings/serializers/auth/oidc.py:30
+#: settings/serializers/auth/oidc.py:32
 msgid "Ignore ssl verification"
 msgstr "Ssl検証を無視する"
 
-#: settings/serializers/auth/oidc.py:37
+#: settings/serializers/auth/oidc.py:39
 msgid "Use Keycloak"
 msgstr "Keycloakを使用する"
 
-#: settings/serializers/auth/oidc.py:43
+#: settings/serializers/auth/oidc.py:45
 msgid "Realm name"
 msgstr "レルム名"
 
-#: settings/serializers/auth/oidc.py:49
+#: settings/serializers/auth/oidc.py:51
 msgid "Enable OPENID Auth"
 msgstr "OIDC認証の有効化"
 
-#: settings/serializers/auth/oidc.py:51
+#: settings/serializers/auth/oidc.py:53
 msgid "Provider endpoint"
 msgstr "プロバイダーエンドポイント"
 
-#: settings/serializers/auth/oidc.py:54
+#: settings/serializers/auth/oidc.py:56
 msgid "Provider auth endpoint"
 msgstr "認証エンドポイントアドレス"
 
-#: settings/serializers/auth/oidc.py:57
+#: settings/serializers/auth/oidc.py:59
 msgid "Provider token endpoint"
 msgstr "プロバイダートークンエンドポイント"
 
-#: settings/serializers/auth/oidc.py:60
+#: settings/serializers/auth/oidc.py:62
 msgid "Provider jwks endpoint"
 msgstr "プロバイダーjwksエンドポイント"
 
-#: settings/serializers/auth/oidc.py:63
+#: settings/serializers/auth/oidc.py:65
 msgid "Provider userinfo endpoint"
 msgstr "プロバイダーuserinfoエンドポイント"
 
-#: settings/serializers/auth/oidc.py:66
+#: settings/serializers/auth/oidc.py:68
 msgid "Provider end session endpoint"
 msgstr "プロバイダーのセッション終了エンドポイント"
 
-#: settings/serializers/auth/oidc.py:69
+#: settings/serializers/auth/oidc.py:71
 msgid "Provider sign alg"
 msgstr "プロビダーサインalg"
 
-#: settings/serializers/auth/oidc.py:72
+#: settings/serializers/auth/oidc.py:74
 msgid "Provider sign key"
 msgstr "プロバイダ署名キー"
 
-#: settings/serializers/auth/oidc.py:74
+#: settings/serializers/auth/oidc.py:76
 msgid "Scopes"
 msgstr "スコープ"
 
-#: settings/serializers/auth/oidc.py:76
+#: settings/serializers/auth/oidc.py:78
 msgid "Id token max age"
 msgstr "IDトークンの最大年齢"
 
-#: settings/serializers/auth/oidc.py:79
+#: settings/serializers/auth/oidc.py:81
 msgid "Id token include claims"
 msgstr "IDトークンにはクレームが含まれます"
 
-#: settings/serializers/auth/oidc.py:81
+#: settings/serializers/auth/oidc.py:83
 msgid "Use state"
 msgstr "使用状態"
 
-#: settings/serializers/auth/oidc.py:82
+#: settings/serializers/auth/oidc.py:84
 msgid "Use nonce"
 msgstr "Nonceを使用"
 
-#: settings/serializers/auth/oidc.py:84 settings/serializers/auth/saml2.py:33
+#: settings/serializers/auth/oidc.py:86 settings/serializers/auth/saml2.py:33
 msgid "Always update user"
 msgstr "常にユーザーを更新"
 
@@ -3689,25 +3690,25 @@ msgstr "SP プライベートキー"
 msgid "SP cert"
 msgstr "SP 証明書"
 
-#: settings/serializers/auth/sms.py:10
+#: settings/serializers/auth/sms.py:11
 msgid "Enable SMS"
 msgstr "SMSの有効化"
 
-#: settings/serializers/auth/sms.py:12
+#: settings/serializers/auth/sms.py:13
 msgid "SMS provider"
 msgstr "SMSプロバイダ"
 
-#: settings/serializers/auth/sms.py:17 settings/serializers/auth/sms.py:35
-#: settings/serializers/auth/sms.py:43 settings/serializers/email.py:63
+#: settings/serializers/auth/sms.py:18 settings/serializers/auth/sms.py:36
+#: settings/serializers/auth/sms.py:44 settings/serializers/email.py:65
 msgid "Signature"
 msgstr "署名"
 
-#: settings/serializers/auth/sms.py:18 settings/serializers/auth/sms.py:36
-#: settings/serializers/auth/sms.py:44
+#: settings/serializers/auth/sms.py:19 settings/serializers/auth/sms.py:37
+#: settings/serializers/auth/sms.py:45
 msgid "Template code"
 msgstr "テンプレートコード"
 
-#: settings/serializers/auth/sms.py:22
+#: settings/serializers/auth/sms.py:23
 msgid "Test phone"
 msgstr "テスト電話"
 
@@ -3728,7 +3729,7 @@ msgstr "Token有効期間"
 msgid "Unit: second"
 msgstr "単位: 秒"
 
-#: settings/serializers/auth/wecom.py:11
+#: settings/serializers/auth/wecom.py:13
 msgid "Enable WeCom Auth"
 msgstr "企業微信認証の有効化"
 
@@ -3822,69 +3823,69 @@ msgstr ""
 "単位:日。セッション、録画、コマンドレコードがそれを超えると削除されます(デー"
 "タベースストレージにのみ影響します。ossなどは影響しません」影響を受ける)"
 
-#: settings/serializers/email.py:18
+#: settings/serializers/email.py:20
 msgid "SMTP host"
 msgstr "SMTPホスト"
 
-#: settings/serializers/email.py:19
+#: settings/serializers/email.py:21
 msgid "SMTP port"
 msgstr "SMTPポート"
 
-#: settings/serializers/email.py:20
+#: settings/serializers/email.py:22
 msgid "SMTP account"
 msgstr "SMTPアカウント"
 
-#: settings/serializers/email.py:22
+#: settings/serializers/email.py:24
 msgid "SMTP password"
 msgstr "SMTPパスワード"
 
-#: settings/serializers/email.py:23
+#: settings/serializers/email.py:25
 msgid "Tips: Some provider use token except password"
 msgstr "ヒント: 一部のプロバイダーはパスワード以外のトークンを使用します"
 
-#: settings/serializers/email.py:26
+#: settings/serializers/email.py:28
 msgid "Send user"
 msgstr "ユーザーを送信"
 
-#: settings/serializers/email.py:27
+#: settings/serializers/email.py:29
 msgid "Tips: Send mail account, default SMTP account as the send account"
 msgstr ""
 "ヒント: 送信メールアカウント、送信アカウントとしてのデフォルトのSMTPアカウン"
 "ト"
 
-#: settings/serializers/email.py:30
+#: settings/serializers/email.py:32
 msgid "Test recipient"
 msgstr "テスト受信者"
 
-#: settings/serializers/email.py:31
+#: settings/serializers/email.py:33
 msgid "Tips: Used only as a test mail recipient"
 msgstr "ヒント: テストメールの受信者としてのみ使用"
 
-#: settings/serializers/email.py:34
+#: settings/serializers/email.py:36
 msgid "Use SSL"
 msgstr "SSLの使用"
 
-#: settings/serializers/email.py:35
+#: settings/serializers/email.py:37
 msgid "If SMTP port is 465, may be select"
 msgstr "SMTPポートが465の場合は、"
 
-#: settings/serializers/email.py:38
+#: settings/serializers/email.py:40
 msgid "Use TLS"
 msgstr "TLSの使用"
 
-#: settings/serializers/email.py:39
+#: settings/serializers/email.py:41
 msgid "If SMTP port is 587, may be select"
 msgstr "SMTPポートが587の場合は、"
 
-#: settings/serializers/email.py:42
+#: settings/serializers/email.py:44
 msgid "Subject prefix"
 msgstr "件名プレフィックス"
 
-#: settings/serializers/email.py:49
+#: settings/serializers/email.py:51
 msgid "Create user email subject"
 msgstr "ユーザーメール件名の作成"
 
-#: settings/serializers/email.py:50
+#: settings/serializers/email.py:52
 msgid ""
 "Tips: When creating a user, send the subject of the email (eg:Create account "
 "successfully)"
@@ -3892,20 +3893,20 @@ msgstr ""
 "ヒント: ユーザーを作成するときに、メールの件名を送信します (例: アカウントを"
 "正常に作成)"
 
-#: settings/serializers/email.py:54
+#: settings/serializers/email.py:56
 msgid "Create user honorific"
 msgstr "ユーザー敬語の作成"
 
-#: settings/serializers/email.py:55
+#: settings/serializers/email.py:57
 msgid "Tips: When creating a user, send the honorific of the email (eg:Hello)"
 msgstr ""
 "ヒント: ユーザーを作成するときは、メールの敬語を送信します (例: こんにちは)"
 
-#: settings/serializers/email.py:59
+#: settings/serializers/email.py:61
 msgid "Create user email content"
 msgstr "ユーザーのメールコンテンツを作成する"
 
-#: settings/serializers/email.py:60
+#: settings/serializers/email.py:62
 #, python-brace-format
 msgid ""
 "Tips: When creating a user, send the content of the email, support "
@@ -3914,7 +3915,7 @@ msgstr ""
 "ヒント:ユーザーの作成時にパスワード設定メールの内容を送信し、{username}{name}"
 "{email}ラベルをサポートします。"
 
-#: settings/serializers/email.py:64
+#: settings/serializers/email.py:66
 msgid "Tips: Email signature (eg:jumpserver)"
 msgstr "ヒント: メール署名 (例: jumpserver)"
 
@@ -4760,9 +4761,9 @@ msgid "Redis Port"
 msgstr "Redis ポート"
 
 #: terminal/models/endpoint.py:26 terminal/models/endpoint.py:67
-#: terminal/serializers/endpoint.py:41 terminal/serializers/storage.py:37
-#: terminal/serializers/storage.py:49 terminal/serializers/storage.py:79
-#: terminal/serializers/storage.py:89 terminal/serializers/storage.py:97
+#: terminal/serializers/endpoint.py:41 terminal/serializers/storage.py:38
+#: terminal/serializers/storage.py:50 terminal/serializers/storage.py:80
+#: terminal/serializers/storage.py:90 terminal/serializers/storage.py:98
 msgid "Endpoint"
 msgstr "エンドポイント"
 
@@ -4979,67 +4980,73 @@ msgstr "終了できます"
 msgid "Command amount"
 msgstr "コマンド量"
 
-#: terminal/serializers/storage.py:19
+#: terminal/serializers/storage.py:20
 msgid "Endpoint invalid: remove path `{}`"
 msgstr "エンドポイントが無効: パス '{}' を削除"
 
-#: terminal/serializers/storage.py:25
+#: terminal/serializers/storage.py:26
 msgid "Bucket"
 msgstr "バケット"
 
-#: terminal/serializers/storage.py:32 users/models/user.py:695
-msgid "Secret key"
-msgstr "秘密キー"
+#: terminal/serializers/storage.py:30
+#: xpack/plugins/cloud/serializers/account_attrs.py:15
+msgid "Access key id"
+msgstr "アクセスキー"
 
-#: terminal/serializers/storage.py:64 xpack/plugins/cloud/models.py:220
+#: terminal/serializers/storage.py:34
+#: xpack/plugins/cloud/serializers/account_attrs.py:18
+msgid "Access key secret"
+msgstr "アクセスキーシークレット"
+
+#: terminal/serializers/storage.py:65 xpack/plugins/cloud/models.py:220
 msgid "Region"
 msgstr "リージョン"
 
-#: terminal/serializers/storage.py:108
+#: terminal/serializers/storage.py:109
 msgid "Container name"
 msgstr "コンテナー名"
 
-#: terminal/serializers/storage.py:110
+#: terminal/serializers/storage.py:111
 msgid "Account name"
 msgstr "アカウント名"
 
-#: terminal/serializers/storage.py:111
+#: terminal/serializers/storage.py:112
 msgid "Account key"
 msgstr "アカウントキー"
 
-#: terminal/serializers/storage.py:114
+#: terminal/serializers/storage.py:115
 msgid "Endpoint suffix"
 msgstr "エンドポイントサフィックス"
 
-#: terminal/serializers/storage.py:134
+#: terminal/serializers/storage.py:135
 msgid "The address format is incorrect"
 msgstr "アドレス形式が正しくありません"
 
-#: terminal/serializers/storage.py:141
+#: terminal/serializers/storage.py:142
 msgid "Host invalid"
 msgstr "ホスト無効"
 
-#: terminal/serializers/storage.py:144
+#: terminal/serializers/storage.py:145
 msgid "Port invalid"
 msgstr "ポートが無効"
 
-#: terminal/serializers/storage.py:159
+#: terminal/serializers/storage.py:160
 msgid "Index by date"
 msgstr "日付による索引付け"
 
-#: terminal/serializers/storage.py:160
+#: terminal/serializers/storage.py:161
 msgid "Whether to create an index by date"
 msgstr "現在の日付に基づいてインデックスを動的に作成するかどうか"
 
-#: terminal/serializers/storage.py:163
+#: terminal/serializers/storage.py:164
 msgid "Index"
 msgstr "インデックス"
 
-#: terminal/serializers/storage.py:165
+#: terminal/serializers/storage.py:166
 msgid "Doc type"
 msgstr "Docタイプ"
 
-#: terminal/serializers/storage.py:167
+#: terminal/serializers/storage.py:168
 msgid "Ignore Certificate Verification"
 msgstr "証明書の検証を無視する"
 
@@ -5328,11 +5335,11 @@ msgstr "プロセス"
 msgid "TicketFlow"
 msgstr "作業指示プロセス"
 
-#: tickets/models/ticket.py:311
+#: tickets/models/ticket.py:320
 msgid "Please try again"
 msgstr "もう一度お試しください"
 
-#: tickets/models/ticket.py:319
+#: tickets/models/ticket.py:328
 msgid "Super ticket"
 msgstr "スーパーチケット"
 
@@ -5638,8 +5645,8 @@ msgstr "ここにid_rsa.pubを貼り付けます。"
 msgid "Public key should not be the same as your old one."
 msgstr "公開鍵は古いものと同じであってはなりません。"
 
-#: users/forms/profile.py:150 users/serializers/profile.py:98
-#: users/serializers/profile.py:181 users/serializers/profile.py:208
+#: users/forms/profile.py:150 users/serializers/profile.py:100
+#: users/serializers/profile.py:183 users/serializers/profile.py:210
 msgid "Not a valid ssh public key"
 msgstr "有効なssh公開鍵ではありません"
 
@@ -5667,6 +5674,10 @@ msgstr "アバター"
 msgid "Wechat"
 msgstr "微信"
 
+#: users/models/user.py:695
+msgid "Secret key"
+msgstr "秘密キー"
+
 #: users/models/user.py:711
 msgid "Source"
 msgstr "ソース"
@@ -5738,7 +5749,7 @@ msgstr "MFAのリセット"
 msgid "The old password is incorrect"
 msgstr "古いパスワードが正しくありません"
 
-#: users/serializers/profile.py:37 users/serializers/profile.py:195
+#: users/serializers/profile.py:37 users/serializers/profile.py:197
 msgid "Password does not match security rules"
 msgstr "パスワードがセキュリティルールと一致しない"
 
@@ -5746,11 +5757,11 @@ msgstr "パスワードがセキュリティルールと一致しない"
 msgid "The new password cannot be the last {} passwords"
 msgstr "新しいパスワードを最後の {} 個のパスワードにすることはできません"
 
-#: users/serializers/profile.py:49 users/serializers/profile.py:69
+#: users/serializers/profile.py:49 users/serializers/profile.py:71
 msgid "The newly set password is inconsistent"
 msgstr "新しく設定されたパスワードが一致しない"
 
-#: users/serializers/profile.py:147 users/serializers/user.py:144
+#: users/serializers/profile.py:149 users/serializers/user.py:144
 msgid "Is first login"
 msgstr "最初のログインです"
 
@@ -6651,48 +6662,40 @@ msgstr "有効表示"
 msgid "Provider display"
 msgstr "プロバイダ表示"
 
-#: xpack/plugins/cloud/serializers/account_attrs.py:13
-msgid "AccessKey ID"
-msgstr "アクセスキーID"
-
-#: xpack/plugins/cloud/serializers/account_attrs.py:16
-msgid "AccessKey Secret"
-msgstr "アクセスキーシークレット"
-
-#: xpack/plugins/cloud/serializers/account_attrs.py:31
+#: xpack/plugins/cloud/serializers/account_attrs.py:33
 msgid "Client ID"
 msgstr "クライアントID"
 
-#: xpack/plugins/cloud/serializers/account_attrs.py:37
+#: xpack/plugins/cloud/serializers/account_attrs.py:39
 msgid "Tenant ID"
 msgstr "テナントID"
 
-#: xpack/plugins/cloud/serializers/account_attrs.py:40
+#: xpack/plugins/cloud/serializers/account_attrs.py:42
 msgid "Subscription ID"
 msgstr "サブスクリプションID"
 
-#: xpack/plugins/cloud/serializers/account_attrs.py:91
-#: xpack/plugins/cloud/serializers/account_attrs.py:96
+#: xpack/plugins/cloud/serializers/account_attrs.py:93
+#: xpack/plugins/cloud/serializers/account_attrs.py:98
 msgid "API Endpoint"
 msgstr "APIエンドポイント"
 
-#: xpack/plugins/cloud/serializers/account_attrs.py:102
+#: xpack/plugins/cloud/serializers/account_attrs.py:104
 msgid "Auth url"
 msgstr "認証アドレス"
 
-#: xpack/plugins/cloud/serializers/account_attrs.py:103
+#: xpack/plugins/cloud/serializers/account_attrs.py:105
 msgid "eg: http://openstack.example.com:5000/v3"
 msgstr "例えば: http://openstack.example.com:5000/v3"
 
-#: xpack/plugins/cloud/serializers/account_attrs.py:106
+#: xpack/plugins/cloud/serializers/account_attrs.py:108
 msgid "User domain"
 msgstr "ユーザードメイン"
 
-#: xpack/plugins/cloud/serializers/account_attrs.py:113
+#: xpack/plugins/cloud/serializers/account_attrs.py:115
 msgid "Service account key"
 msgstr "サービスアカウントキー"
 
-#: xpack/plugins/cloud/serializers/account_attrs.py:114
+#: xpack/plugins/cloud/serializers/account_attrs.py:116
 msgid "The file is in JSON format"
 msgstr "ファイルはJSON形式です。"
 
@@ -6811,6 +6814,9 @@ msgstr "究極のエディション"
 msgid "Community edition"
 msgstr "コミュニティ版"
 
+#~ msgid "AccessKey ID"
+#~ msgstr "アクセスキーID"
+
 #~ msgid "Unknown ip"
 #~ msgstr "不明なip"
 
diff --git a/apps/locale/zh/LC_MESSAGES/django.mo b/apps/locale/zh/LC_MESSAGES/django.mo
deleted file mode 100644
index 317e02a96..000000000
--- a/apps/locale/zh/LC_MESSAGES/django.mo
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:d30f8d3abc215c35bb2dd889374eeef896a193f8010ccd5ae8e27aa408f045c7
-size 105337
diff --git a/apps/locale/zh/LC_MESSAGES/django.po b/apps/locale/zh/LC_MESSAGES/django.po
index 8dee918fb..2ee578f43 100644
--- a/apps/locale/zh/LC_MESSAGES/django.po
+++ b/apps/locale/zh/LC_MESSAGES/django.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: JumpServer 0.3.3\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-05-17 18:02+0800\n"
+"POT-Creation-Date: 2022-05-19 13:16+0800\n"
 "PO-Revision-Date: 2021-05-20 10:54+0800\n"
 "Last-Translator: ibuler <ibuler@qq.com>\n"
 "Language-Team: JumpServer team<ibuler@qq.com>\n"
@@ -128,7 +128,7 @@ msgstr "系统用户"
 #: assets/models/asset.py:386 assets/models/authbook.py:19
 #: assets/models/backup.py:31 assets/models/cmd_filter.py:38
 #: assets/models/gathered_user.py:14 assets/serializers/label.py:30
-#: assets/serializers/system_user.py:264 audits/models.py:39
+#: assets/serializers/system_user.py:269 audits/models.py:39
 #: perms/models/asset_permission.py:23 terminal/backends/command/models.py:21
 #: terminal/backends/command/serializers.py:13 terminal/models/session.py:46
 #: terminal/notifications.py:90
@@ -161,7 +161,7 @@ msgstr "格式为逗号分隔的字符串, * 表示匹配所有. "
 #: users/templates/users/_msg_user_created.html:12
 #: xpack/plugins/change_auth_plan/models/asset.py:34
 #: xpack/plugins/change_auth_plan/models/asset.py:195
-#: xpack/plugins/cloud/serializers/account_attrs.py:22
+#: xpack/plugins/cloud/serializers/account_attrs.py:24
 msgid "Username"
 msgstr "用户名"
 
@@ -175,9 +175,9 @@ msgstr ""
 "10.1.1.1-10.1.1.20, 2001:db8:2de::e13, 2001:db8:1a:1110::/64 （支持网域）"
 
 #: acls/serializers/login_asset_acl.py:31 acls/serializers/rules/rules.py:33
-#: applications/serializers/attrs/application_type/mysql_workbench.py:17
+#: applications/serializers/attrs/application_type/mysql_workbench.py:18
 #: assets/models/asset.py:210 assets/models/domain.py:60
-#: assets/serializers/account.py:13
+#: assets/serializers/account.py:14
 #: authentication/templates/authentication/_msg_oauth_bind.html:12
 #: authentication/templates/authentication/_msg_rest_password_success.html:8
 #: authentication/templates/authentication/_msg_rest_public_key_success.html:8
@@ -186,7 +186,7 @@ msgid "IP"
 msgstr "IP"
 
 #: acls/serializers/login_asset_acl.py:35 assets/models/asset.py:211
-#: assets/serializers/account.py:14 assets/serializers/gathered_user.py:23
+#: assets/serializers/account.py:15 assets/serializers/gathered_user.py:23
 #: settings/serializers/terminal.py:7
 msgid "Hostname"
 msgstr "主机名"
@@ -199,7 +199,7 @@ msgstr "格式为逗号分隔的字符串, * 表示匹配所有. 可选的协议
 
 #: acls/serializers/login_asset_acl.py:55 assets/models/asset.py:213
 #: assets/models/domain.py:62 assets/models/user.py:248
-#: terminal/serializers/session.py:30 terminal/serializers/storage.py:67
+#: terminal/serializers/session.py:30 terminal/serializers/storage.py:68
 msgid "Protocol"
 msgstr "协议"
 
@@ -240,7 +240,7 @@ msgstr "应用管理"
 
 #: applications/const.py:8
 #: applications/serializers/attrs/application_category/db.py:14
-#: applications/serializers/attrs/application_type/mysql_workbench.py:25
+#: applications/serializers/attrs/application_type/mysql_workbench.py:26
 #: xpack/plugins/change_auth_plan/models/app.py:32
 msgid "Database"
 msgstr "数据库"
@@ -336,7 +336,7 @@ msgstr "类别名称"
 
 #: applications/serializers/application.py:71
 #: applications/serializers/application.py:102
-#: assets/serializers/cmd_filter.py:34 assets/serializers/system_user.py:27
+#: assets/serializers/cmd_filter.py:34 assets/serializers/system_user.py:29
 #: audits/serializers.py:29 perms/serializers/application/permission.py:19
 #: tickets/serializers/ticket/meta/ticket_type/apply_application.py:33
 #: tickets/serializers/ticket/ticket.py:21
@@ -348,7 +348,7 @@ msgstr "类型名称"
 #: assets/models/base.py:181 assets/models/cluster.py:26
 #: assets/models/domain.py:26 assets/models/gathered_user.py:19
 #: assets/models/group.py:22 assets/models/label.py:25
-#: assets/serializers/account.py:18 assets/serializers/cmd_filter.py:28
+#: assets/serializers/account.py:19 assets/serializers/cmd_filter.py:28
 #: assets/serializers/cmd_filter.py:48 common/db/models.py:113
 #: common/mixins/models.py:50 ops/models/adhoc.py:39 ops/models/command.py:30
 #: orgs/models.py:67 orgs/models.py:217 perms/models/base.py:92
@@ -358,7 +358,7 @@ msgid "Date created"
 msgstr "创建日期"
 
 #: applications/serializers/application.py:104 assets/models/base.py:182
-#: assets/models/gathered_user.py:20 assets/serializers/account.py:21
+#: assets/models/gathered_user.py:20 assets/serializers/account.py:22
 #: assets/serializers/cmd_filter.py:29 assets/serializers/cmd_filter.py:49
 #: common/db/models.py:114 common/mixins/models.py:51 ops/models/adhoc.py:40
 #: orgs/models.py:218
@@ -382,88 +382,88 @@ msgstr "集群"
 #: applications/serializers/attrs/application_category/db.py:11
 #: ops/models/adhoc.py:157 settings/serializers/auth/radius.py:14
 #: terminal/models/endpoint.py:11
-#: xpack/plugins/cloud/serializers/account_attrs.py:68
+#: xpack/plugins/cloud/serializers/account_attrs.py:70
 msgid "Host"
 msgstr "主机"
 
 #: applications/serializers/attrs/application_category/db.py:12
 #: applications/serializers/attrs/application_type/mongodb.py:10
 #: applications/serializers/attrs/application_type/mysql.py:10
-#: applications/serializers/attrs/application_type/mysql_workbench.py:21
+#: applications/serializers/attrs/application_type/mysql_workbench.py:22
 #: applications/serializers/attrs/application_type/oracle.py:10
 #: applications/serializers/attrs/application_type/pgsql.py:10
 #: applications/serializers/attrs/application_type/redis.py:10
 #: applications/serializers/attrs/application_type/sqlserver.py:10
 #: assets/models/asset.py:214 assets/models/domain.py:61
 #: settings/serializers/auth/radius.py:15
-#: xpack/plugins/cloud/serializers/account_attrs.py:69
+#: xpack/plugins/cloud/serializers/account_attrs.py:71
 msgid "Port"
 msgstr "端口"
 
 #: applications/serializers/attrs/application_category/remote_app.py:39
-#: applications/serializers/attrs/application_type/chrome.py:13
-#: applications/serializers/attrs/application_type/mysql_workbench.py:13
-#: applications/serializers/attrs/application_type/vmware_client.py:17
+#: applications/serializers/attrs/application_type/chrome.py:14
+#: applications/serializers/attrs/application_type/mysql_workbench.py:14
+#: applications/serializers/attrs/application_type/vmware_client.py:18
 msgid "Application path"
 msgstr "应用路径"
 
 #: applications/serializers/attrs/application_category/remote_app.py:44
-#: assets/serializers/system_user.py:163
+#: assets/serializers/system_user.py:168
 #: xpack/plugins/change_auth_plan/serializers/asset.py:66
 #: xpack/plugins/change_auth_plan/serializers/asset.py:69
 #: xpack/plugins/change_auth_plan/serializers/asset.py:72
 #: xpack/plugins/change_auth_plan/serializers/asset.py:103
-#: xpack/plugins/cloud/serializers/account_attrs.py:52
+#: xpack/plugins/cloud/serializers/account_attrs.py:54
 msgid "This field is required."
 msgstr "该字段是必填项。"
 
-#: applications/serializers/attrs/application_type/chrome.py:16
-#: applications/serializers/attrs/application_type/vmware_client.py:21
+#: applications/serializers/attrs/application_type/chrome.py:18
+#: applications/serializers/attrs/application_type/vmware_client.py:22
 msgid "Target URL"
 msgstr "目标URL"
 
-#: applications/serializers/attrs/application_type/chrome.py:19
+#: applications/serializers/attrs/application_type/chrome.py:22
 msgid "Chrome username"
 msgstr "Chrome 用户名"
 
-#: applications/serializers/attrs/application_type/chrome.py:22
-#: applications/serializers/attrs/application_type/chrome.py:29
+#: applications/serializers/attrs/application_type/chrome.py:26
+#: applications/serializers/attrs/application_type/chrome.py:33
 msgid "Chrome password"
 msgstr "Chrome 密码"
 
-#: applications/serializers/attrs/application_type/custom.py:11
+#: applications/serializers/attrs/application_type/custom.py:12
 msgid "Operating parameter"
 msgstr "运行参数"
 
-#: applications/serializers/attrs/application_type/custom.py:15
+#: applications/serializers/attrs/application_type/custom.py:16
 msgid "Target url"
 msgstr "目标URL"
 
-#: applications/serializers/attrs/application_type/custom.py:19
+#: applications/serializers/attrs/application_type/custom.py:20
 msgid "Custom Username"
 msgstr "自定义用户名"
 
-#: applications/serializers/attrs/application_type/custom.py:23
-#: applications/serializers/attrs/application_type/custom.py:30
+#: applications/serializers/attrs/application_type/custom.py:25
+#: applications/serializers/attrs/application_type/custom.py:32
 #: xpack/plugins/change_auth_plan/models/base.py:27
 msgid "Custom password"
 msgstr "自定义密码"
 
-#: applications/serializers/attrs/application_type/mysql_workbench.py:29
+#: applications/serializers/attrs/application_type/mysql_workbench.py:30
 msgid "Mysql workbench username"
 msgstr "Mysql 工作台 用户名"
 
-#: applications/serializers/attrs/application_type/mysql_workbench.py:33
-#: applications/serializers/attrs/application_type/mysql_workbench.py:40
+#: applications/serializers/attrs/application_type/mysql_workbench.py:35
+#: applications/serializers/attrs/application_type/mysql_workbench.py:42
 msgid "Mysql workbench password"
 msgstr "Mysql 工作台 密码"
 
-#: applications/serializers/attrs/application_type/vmware_client.py:25
+#: applications/serializers/attrs/application_type/vmware_client.py:26
 msgid "Vmware username"
 msgstr "Vmware 用户名"
 
-#: applications/serializers/attrs/application_type/vmware_client.py:29
-#: applications/serializers/attrs/application_type/vmware_client.py:36
+#: applications/serializers/attrs/application_type/vmware_client.py:31
+#: applications/serializers/attrs/application_type/vmware_client.py:38
 msgid "Vmware password"
 msgstr "Vmware 密码"
 
@@ -505,7 +505,7 @@ msgid "Internal"
 msgstr "内部的"
 
 #: assets/models/asset.py:162 assets/models/asset.py:216
-#: assets/serializers/account.py:15 assets/serializers/asset.py:63
+#: assets/serializers/account.py:16 assets/serializers/asset.py:63
 #: perms/serializers/asset/user_permission.py:43
 msgid "Platform"
 msgstr "系统平台"
@@ -566,7 +566,7 @@ msgstr "系统架构"
 msgid "Hostname raw"
 msgstr "主机名原始"
 
-#: assets/models/asset.py:215 assets/serializers/account.py:16
+#: assets/models/asset.py:215 assets/serializers/account.py:17
 #: assets/serializers/asset.py:65 perms/serializers/asset/user_permission.py:41
 #: xpack/plugins/cloud/models.py:107 xpack/plugins/cloud/serializers/task.py:42
 msgid "Protocols"
@@ -745,7 +745,7 @@ msgstr "成功"
 msgid "Failed"
 msgstr "失败"
 
-#: assets/models/base.py:38 assets/serializers/domain.py:46
+#: assets/models/base.py:38 assets/serializers/domain.py:47
 msgid "Connectivity"
 msgstr "可连接性"
 
@@ -764,7 +764,7 @@ msgstr "校验日期"
 #: xpack/plugins/change_auth_plan/models/base.py:42
 #: xpack/plugins/change_auth_plan/models/base.py:121
 #: xpack/plugins/change_auth_plan/models/base.py:196
-#: xpack/plugins/cloud/serializers/account_attrs.py:24
+#: xpack/plugins/cloud/serializers/account_attrs.py:26
 msgid "Password"
 msgstr "密码"
 
@@ -828,7 +828,7 @@ msgstr "默认Cluster"
 msgid "User group"
 msgstr "用户组"
 
-#: assets/models/cmd_filter.py:60 assets/serializers/system_user.py:54
+#: assets/models/cmd_filter.py:60 assets/serializers/system_user.py:59
 msgid "Command filter"
 msgstr "命令过滤器"
 
@@ -953,7 +953,7 @@ msgstr "全称"
 msgid "Parent key"
 msgstr "ssh私钥"
 
-#: assets/models/node.py:559 assets/serializers/system_user.py:263
+#: assets/models/node.py:559 assets/serializers/system_user.py:268
 #: xpack/plugins/cloud/models.py:96 xpack/plugins/cloud/serializers/task.py:69
 msgid "Node"
 msgstr "节点"
@@ -978,7 +978,7 @@ msgstr "普通用户"
 msgid "Username same with user"
 msgstr "用户名与用户相同"
 
-#: assets/models/user.py:240 assets/serializers/domain.py:29
+#: assets/models/user.py:240 assets/serializers/domain.py:30
 #: terminal/templates/terminal/_msg_command_execute_alert.html:16
 #: xpack/plugins/change_auth_plan/models/asset.py:39
 msgid "Assets"
@@ -1012,7 +1012,8 @@ msgstr "认证方式"
 msgid "SFTP Root"
 msgstr "SFTP根路径"
 
-#: assets/models/user.py:254 authentication/models.py:49
+#: assets/models/user.py:254 assets/serializers/system_user.py:32
+#: authentication/models.py:49
 msgid "Token"
 msgstr "Token"
 
@@ -1060,7 +1061,7 @@ msgstr ""
 "{} - 账号备份任务已完成: 未设置加密密码 - 请前往个人信息 -> 文件加密密码中设"
 "置加密密码"
 
-#: assets/serializers/account.py:40 assets/serializers/account.py:83
+#: assets/serializers/account.py:41 assets/serializers/account.py:84
 msgid "System user display"
 msgstr "系统用户名称"
 
@@ -1135,17 +1136,17 @@ msgstr "动作名称"
 msgid "Pattern"
 msgstr "模式"
 
-#: assets/serializers/domain.py:13 assets/serializers/label.py:12
-#: assets/serializers/system_user.py:59
+#: assets/serializers/domain.py:14 assets/serializers/label.py:12
+#: assets/serializers/system_user.py:64
 #: perms/serializers/asset/permission.py:49
 msgid "Assets amount"
 msgstr "资产数量"
 
-#: assets/serializers/domain.py:14
+#: assets/serializers/domain.py:15
 msgid "Applications amount"
 msgstr "应用数量"
 
-#: assets/serializers/domain.py:15
+#: assets/serializers/domain.py:16
 msgid "Gateways count"
 msgstr "网关数量"
 
@@ -1161,78 +1162,78 @@ msgstr "不能包含: /"
 msgid "The same level node name cannot be the same"
 msgstr "同级别节点名字不能重复"
 
-#: assets/serializers/system_user.py:28
+#: assets/serializers/system_user.py:30
 msgid "SSH key fingerprint"
 msgstr "密钥指纹"
 
-#: assets/serializers/system_user.py:30
+#: assets/serializers/system_user.py:35
 #: perms/serializers/application/permission.py:46
 msgid "Apps amount"
 msgstr "应用数量"
 
-#: assets/serializers/system_user.py:58
+#: assets/serializers/system_user.py:63
 #: perms/serializers/asset/permission.py:50
 msgid "Nodes amount"
 msgstr "节点数量"
 
-#: assets/serializers/system_user.py:60 assets/serializers/system_user.py:265
+#: assets/serializers/system_user.py:65 assets/serializers/system_user.py:270
 msgid "Login mode display"
 msgstr "认证方式名称"
 
-#: assets/serializers/system_user.py:62
+#: assets/serializers/system_user.py:67
 msgid "Ad domain"
 msgstr "Ad 网域"
 
-#: assets/serializers/system_user.py:63
+#: assets/serializers/system_user.py:68
 msgid "Is asset protocol"
 msgstr "资产协议"
 
-#: assets/serializers/system_user.py:64
+#: assets/serializers/system_user.py:69
 msgid "Only ssh and automatic login system users are supported"
 msgstr "仅支持ssh协议和自动登录的系统用户"
 
-#: assets/serializers/system_user.py:104
+#: assets/serializers/system_user.py:109
 msgid "Username same with user with protocol {} only allow 1"
 msgstr "用户名和用户相同的一种协议只允许存在一个"
 
-#: assets/serializers/system_user.py:117 common/validators.py:14
+#: assets/serializers/system_user.py:122 common/validators.py:14
 msgid "Special char not allowed"
 msgstr "不能包含特殊字符"
 
-#: assets/serializers/system_user.py:127
+#: assets/serializers/system_user.py:132
 msgid "* Automatic login mode must fill in the username."
 msgstr "自动登录模式，必须填写用户名"
 
-#: assets/serializers/system_user.py:142
+#: assets/serializers/system_user.py:147
 msgid "Path should starts with /"
 msgstr "路径应该以 / 开头"
 
-#: assets/serializers/system_user.py:154
+#: assets/serializers/system_user.py:159
 msgid "Password or private key required"
 msgstr "密码或密钥密码需要一个"
 
-#: assets/serializers/system_user.py:168
+#: assets/serializers/system_user.py:173
 msgid "Only ssh protocol system users are allowed"
 msgstr "仅允许ssh协议的系统用户"
 
-#: assets/serializers/system_user.py:172
+#: assets/serializers/system_user.py:177
 msgid "The protocol must be consistent with the current user: {}"
 msgstr "协议必须和当前用户保持一致: {}"
 
-#: assets/serializers/system_user.py:176
+#: assets/serializers/system_user.py:181
 msgid "Only system users with automatic login are allowed"
 msgstr "仅允许自动登录的系统用户"
 
-#: assets/serializers/system_user.py:281
+#: assets/serializers/system_user.py:289
 msgid "System user name"
 msgstr "系统用户名称"
 
-#: assets/serializers/system_user.py:282 orgs/mixins/serializers.py:26
+#: assets/serializers/system_user.py:290 orgs/mixins/serializers.py:26
 #: rbac/serializers/rolebinding.py:23
 msgid "Org name"
 msgstr "组织名称"
 
-#: assets/serializers/system_user.py:291
+#: assets/serializers/system_user.py:299
 msgid "Asset hostname"
 msgstr "资产主机名"
 
@@ -1483,7 +1484,7 @@ msgstr "用户代理"
 #: audits/models.py:126
 #: authentication/templates/authentication/_mfa_confirm_modal.html:14
 #: users/forms/profile.py:65 users/models/user.py:684
-#: users/serializers/profile.py:124
+#: users/serializers/profile.py:126
 msgid "MFA"
 msgstr "MFA"
 
@@ -1530,7 +1531,7 @@ msgstr "主机名称"
 msgid "Result"
 msgstr "结果"
 
-#: audits/serializers.py:98 terminal/serializers/storage.py:156
+#: audits/serializers.py:98 terminal/serializers/storage.py:157
 msgid "Hosts"
 msgstr "主机"
 
@@ -2031,9 +2032,9 @@ msgstr "该 MFA ({}) 方式没有启用"
 msgid "Please change your password"
 msgstr "请修改密码"
 
-#: authentication/models.py:34 terminal/serializers/storage.py:28
+#: authentication/models.py:34
 msgid "Access key"
-msgstr "API key"
+msgstr "Access key"
 
 #: authentication/models.py:41
 msgid "Private Token"
@@ -2120,13 +2121,13 @@ msgstr "显示"
 
 #: authentication/templates/authentication/_access_key_modal.html:66
 #: settings/serializers/security.py:39 users/models/user.py:556
-#: users/serializers/profile.py:114 users/templates/users/mfa_setting.html:61
+#: users/serializers/profile.py:116 users/templates/users/mfa_setting.html:61
 #: users/templates/users/user_verify_mfa.html:36
 msgid "Disable"
 msgstr "禁用"
 
 #: authentication/templates/authentication/_access_key_modal.html:67
-#: users/models/user.py:557 users/serializers/profile.py:115
+#: users/models/user.py:557 users/serializers/profile.py:117
 #: users/templates/users/mfa_setting.html:26
 #: users/templates/users/mfa_setting.html:68
 msgid "Enable"
@@ -2347,15 +2348,15 @@ msgstr "该钉钉已经绑定其他用户"
 msgid "Binding DingTalk successfully"
 msgstr "绑定 钉钉 成功"
 
-#: authentication/views/dingtalk.py:239 authentication/views/dingtalk.py:293
+#: authentication/views/dingtalk.py:240 authentication/views/dingtalk.py:294
 msgid "Failed to get user from DingTalk"
 msgstr "从钉钉获取用户失败"
 
-#: authentication/views/dingtalk.py:245 authentication/views/dingtalk.py:299
+#: authentication/views/dingtalk.py:246 authentication/views/dingtalk.py:300
 msgid "DingTalk is not bound"
 msgstr "钉钉没有绑定"
 
-#: authentication/views/dingtalk.py:246 authentication/views/dingtalk.py:300
+#: authentication/views/dingtalk.py:247 authentication/views/dingtalk.py:301
 msgid "Please login with a password and then bind the DingTalk"
 msgstr "请使用密码登录，然后绑定钉钉"
 
@@ -2384,15 +2385,15 @@ msgstr "飞书"
 msgid "Binding FeiShu successfully"
 msgstr "绑定 飞书 成功"
 
-#: authentication/views/feishu.py:200
+#: authentication/views/feishu.py:201
 msgid "Failed to get user from FeiShu"
 msgstr "从飞书获取用户失败"
 
-#: authentication/views/feishu.py:206
+#: authentication/views/feishu.py:207
 msgid "FeiShu is not bound"
 msgstr "没有绑定飞书"
 
-#: authentication/views/feishu.py:207
+#: authentication/views/feishu.py:208
 msgid "Please login with a password and then bind the FeiShu"
 msgstr "请使用密码登录，然后绑定飞书"
 
@@ -3210,7 +3211,7 @@ msgstr "组织角色绑定"
 msgid "System role binding"
 msgstr "系统角色绑定"
 
-#: rbac/serializers/permission.py:26 users/serializers/profile.py:130
+#: rbac/serializers/permission.py:26 users/serializers/profile.py:132
 msgid "Perms"
 msgstr "权限"
 
@@ -3436,7 +3437,7 @@ msgstr "启用登录跳转提示"
 msgid "Enable CAS Auth"
 msgstr "启用 CAS 认证"
 
-#: settings/serializers/auth/cas.py:11 settings/serializers/auth/oidc.py:40
+#: settings/serializers/auth/cas.py:11 settings/serializers/auth/oidc.py:42
 msgid "Server url"
 msgstr "服务端地址"
 
@@ -3464,11 +3465,11 @@ msgstr "映射属性"
 msgid "Create user if not"
 msgstr "创建用户(如果不存在)"
 
-#: settings/serializers/auth/dingtalk.py:11
+#: settings/serializers/auth/dingtalk.py:13
 msgid "Enable DingTalk Auth"
 msgstr "启用钉钉认证"
 
-#: settings/serializers/auth/feishu.py:10
+#: settings/serializers/auth/feishu.py:12
 msgid "Enable FeiShu Auth"
 msgstr "启用飞书认证"
 
@@ -3525,96 +3526,96 @@ msgstr "搜索分页数量"
 msgid "Enable LDAP auth"
 msgstr "启用 LDAP 认证"
 
-#: settings/serializers/auth/oidc.py:12
+#: settings/serializers/auth/oidc.py:14
 msgid "Base site url"
 msgstr "JumpServer 地址"
 
-#: settings/serializers/auth/oidc.py:15
+#: settings/serializers/auth/oidc.py:17
 msgid "Client Id"
 msgstr "客户端 ID"
 
-#: settings/serializers/auth/oidc.py:18
-#: xpack/plugins/cloud/serializers/account_attrs.py:34
+#: settings/serializers/auth/oidc.py:20
+#: xpack/plugins/cloud/serializers/account_attrs.py:36
 msgid "Client Secret"
 msgstr "客户端密钥"
 
-#: settings/serializers/auth/oidc.py:26
+#: settings/serializers/auth/oidc.py:28
 msgid "Client authentication method"
 msgstr "客户端认证方式"
 
-#: settings/serializers/auth/oidc.py:28
+#: settings/serializers/auth/oidc.py:30
 msgid "Share session"
 msgstr "共享会话"
 
-#: settings/serializers/auth/oidc.py:30
+#: settings/serializers/auth/oidc.py:32
 msgid "Ignore ssl verification"
 msgstr "忽略 SSL 证书验证"
 
-#: settings/serializers/auth/oidc.py:37
+#: settings/serializers/auth/oidc.py:39
 msgid "Use Keycloak"
 msgstr "使用 Keycloak"
 
-#: settings/serializers/auth/oidc.py:43
+#: settings/serializers/auth/oidc.py:45
 msgid "Realm name"
 msgstr "域"
 
-#: settings/serializers/auth/oidc.py:49
+#: settings/serializers/auth/oidc.py:51
 msgid "Enable OPENID Auth"
 msgstr "启用 OIDC 认证"
 
-#: settings/serializers/auth/oidc.py:51
+#: settings/serializers/auth/oidc.py:53
 msgid "Provider endpoint"
 msgstr "端点地址"
 
-#: settings/serializers/auth/oidc.py:54
+#: settings/serializers/auth/oidc.py:56
 msgid "Provider auth endpoint"
 msgstr "授权端点地址"
 
-#: settings/serializers/auth/oidc.py:57
+#: settings/serializers/auth/oidc.py:59
 msgid "Provider token endpoint"
 msgstr "token 端点地址"
 
-#: settings/serializers/auth/oidc.py:60
+#: settings/serializers/auth/oidc.py:62
 msgid "Provider jwks endpoint"
 msgstr "jwks 端点地址"
 
-#: settings/serializers/auth/oidc.py:63
+#: settings/serializers/auth/oidc.py:65
 msgid "Provider userinfo endpoint"
 msgstr "用户信息端点地址"
 
-#: settings/serializers/auth/oidc.py:66
+#: settings/serializers/auth/oidc.py:68
 msgid "Provider end session endpoint"
 msgstr "注销会话端点地址"
 
-#: settings/serializers/auth/oidc.py:69
+#: settings/serializers/auth/oidc.py:71
 msgid "Provider sign alg"
 msgstr "签名算法"
 
-#: settings/serializers/auth/oidc.py:72
+#: settings/serializers/auth/oidc.py:74
 msgid "Provider sign key"
 msgstr "签名 Key"
 
-#: settings/serializers/auth/oidc.py:74
+#: settings/serializers/auth/oidc.py:76
 msgid "Scopes"
 msgstr "连接范围"
 
-#: settings/serializers/auth/oidc.py:76
+#: settings/serializers/auth/oidc.py:78
 msgid "Id token max age"
 msgstr "令牌有效时间"
 
-#: settings/serializers/auth/oidc.py:79
+#: settings/serializers/auth/oidc.py:81
 msgid "Id token include claims"
 msgstr "声明"
 
-#: settings/serializers/auth/oidc.py:81
+#: settings/serializers/auth/oidc.py:83
 msgid "Use state"
 msgstr "使用状态"
 
-#: settings/serializers/auth/oidc.py:82
+#: settings/serializers/auth/oidc.py:84
 msgid "Use nonce"
 msgstr "临时使用"
 
-#: settings/serializers/auth/oidc.py:84 settings/serializers/auth/saml2.py:33
+#: settings/serializers/auth/oidc.py:86 settings/serializers/auth/saml2.py:33
 msgid "Always update user"
 msgstr "总是更新用户信息"
 
@@ -3650,25 +3651,25 @@ msgstr "SP 密钥"
 msgid "SP cert"
 msgstr "SP 证书"
 
-#: settings/serializers/auth/sms.py:10
+#: settings/serializers/auth/sms.py:11
 msgid "Enable SMS"
 msgstr "启用 SMS"
 
-#: settings/serializers/auth/sms.py:12
+#: settings/serializers/auth/sms.py:13
 msgid "SMS provider"
 msgstr "短信服务商"
 
-#: settings/serializers/auth/sms.py:17 settings/serializers/auth/sms.py:35
-#: settings/serializers/auth/sms.py:43 settings/serializers/email.py:63
+#: settings/serializers/auth/sms.py:18 settings/serializers/auth/sms.py:36
+#: settings/serializers/auth/sms.py:44 settings/serializers/email.py:65
 msgid "Signature"
 msgstr "签名"
 
-#: settings/serializers/auth/sms.py:18 settings/serializers/auth/sms.py:36
-#: settings/serializers/auth/sms.py:44
+#: settings/serializers/auth/sms.py:19 settings/serializers/auth/sms.py:37
+#: settings/serializers/auth/sms.py:45
 msgid "Template code"
 msgstr "模板"
 
-#: settings/serializers/auth/sms.py:22
+#: settings/serializers/auth/sms.py:23
 msgid "Test phone"
 msgstr "测试手机号"
 
@@ -3688,7 +3689,7 @@ msgstr "Token 有效期"
 msgid "Unit: second"
 msgstr "单位: 秒"
 
-#: settings/serializers/auth/wecom.py:11
+#: settings/serializers/auth/wecom.py:13
 msgid "Enable WeCom Auth"
 msgstr "启用企业微信认证"
 
@@ -3782,85 +3783,85 @@ msgstr ""
 "单位：天。 会话、录像、命令记录超过该时长将会被删除(仅影响数据库存储, oss等不"
 "受影响)"
 
-#: settings/serializers/email.py:18
+#: settings/serializers/email.py:20
 msgid "SMTP host"
 msgstr "SMTP 主机"
 
-#: settings/serializers/email.py:19
+#: settings/serializers/email.py:21
 msgid "SMTP port"
 msgstr "SMTP 端口"
 
-#: settings/serializers/email.py:20
+#: settings/serializers/email.py:22
 msgid "SMTP account"
 msgstr "SMTP 账号"
 
-#: settings/serializers/email.py:22
+#: settings/serializers/email.py:24
 msgid "SMTP password"
 msgstr "SMTP 密码"
 
-#: settings/serializers/email.py:23
+#: settings/serializers/email.py:25
 msgid "Tips: Some provider use token except password"
 msgstr "提示：一些邮件提供商需要输入的是授权码"
 
-#: settings/serializers/email.py:26
+#: settings/serializers/email.py:28
 msgid "Send user"
 msgstr "发件人"
 
-#: settings/serializers/email.py:27
+#: settings/serializers/email.py:29
 msgid "Tips: Send mail account, default SMTP account as the send account"
 msgstr "提示：发送邮件账号，默认使用 SMTP 账号作为发送账号"
 
-#: settings/serializers/email.py:30
+#: settings/serializers/email.py:32
 msgid "Test recipient"
 msgstr "测试收件人"
 
-#: settings/serializers/email.py:31
+#: settings/serializers/email.py:33
 msgid "Tips: Used only as a test mail recipient"
 msgstr "提示：仅用来作为测试邮件收件人"
 
-#: settings/serializers/email.py:34
+#: settings/serializers/email.py:36
 msgid "Use SSL"
 msgstr "使用 SSL"
 
-#: settings/serializers/email.py:35
+#: settings/serializers/email.py:37
 msgid "If SMTP port is 465, may be select"
 msgstr "如果SMTP端口是465，通常需要启用 SSL"
 
-#: settings/serializers/email.py:38
+#: settings/serializers/email.py:40
 msgid "Use TLS"
 msgstr "使用 TLS"
 
-#: settings/serializers/email.py:39
+#: settings/serializers/email.py:41
 msgid "If SMTP port is 587, may be select"
 msgstr "如果SMTP端口是587，通常需要启用 TLS"
 
-#: settings/serializers/email.py:42
+#: settings/serializers/email.py:44
 msgid "Subject prefix"
 msgstr "主题前缀"
 
-#: settings/serializers/email.py:49
+#: settings/serializers/email.py:51
 msgid "Create user email subject"
 msgstr "邮件主题"
 
-#: settings/serializers/email.py:50
+#: settings/serializers/email.py:52
 msgid ""
 "Tips: When creating a user, send the subject of the email (eg:Create account "
 "successfully)"
 msgstr "提示: 创建用户时，发送设置密码邮件的主题 (例如: 创建用户成功)"
 
-#: settings/serializers/email.py:54
+#: settings/serializers/email.py:56
 msgid "Create user honorific"
 msgstr "邮件问候语"
 
-#: settings/serializers/email.py:55
+#: settings/serializers/email.py:57
 msgid "Tips: When creating a user, send the honorific of the email (eg:Hello)"
 msgstr "提示: 创建用户时，发送设置密码邮件的敬语 (例如: 你好)"
 
-#: settings/serializers/email.py:59
+#: settings/serializers/email.py:61
 msgid "Create user email content"
 msgstr "邮件的内容"
 
-#: settings/serializers/email.py:60
+#: settings/serializers/email.py:62
 #, python-brace-format
 msgid ""
 "Tips: When creating a user, send the content of the email, support "
@@ -3868,7 +3869,7 @@ msgid ""
 msgstr ""
 "提示: 创建用户时，发送设置密码邮件的内容, 支持 {username} {name} {email} 标签"
 
-#: settings/serializers/email.py:64
+#: settings/serializers/email.py:66
 msgid "Tips: Email signature (eg:jumpserver)"
 msgstr "邮件署名 (如:jumpserver)"
 
@@ -4688,9 +4689,9 @@ msgid "Redis Port"
 msgstr "Redis 端口"
 
 #: terminal/models/endpoint.py:26 terminal/models/endpoint.py:67
-#: terminal/serializers/endpoint.py:41 terminal/serializers/storage.py:37
-#: terminal/serializers/storage.py:49 terminal/serializers/storage.py:79
-#: terminal/serializers/storage.py:89 terminal/serializers/storage.py:97
+#: terminal/serializers/endpoint.py:41 terminal/serializers/storage.py:38
+#: terminal/serializers/storage.py:50 terminal/serializers/storage.py:80
+#: terminal/serializers/storage.py:90 terminal/serializers/storage.py:98
 msgid "Endpoint"
 msgstr "端点"
 
@@ -4907,67 +4908,73 @@ msgstr "是否可中断"
 msgid "Command amount"
 msgstr "命令数量"
 
-#: terminal/serializers/storage.py:19
+#: terminal/serializers/storage.py:20
 msgid "Endpoint invalid: remove path `{}`"
 msgstr "端点无效: 移除路径 `{}`"
 
-#: terminal/serializers/storage.py:25
+#: terminal/serializers/storage.py:26
 msgid "Bucket"
 msgstr "桶名称"
 
-#: terminal/serializers/storage.py:32 users/models/user.py:695
-msgid "Secret key"
-msgstr "密钥"
+#: terminal/serializers/storage.py:30
+#: xpack/plugins/cloud/serializers/account_attrs.py:15
+msgid "Access key id"
+msgstr "访问密钥 ID(AK)"
 
-#: terminal/serializers/storage.py:64 xpack/plugins/cloud/models.py:220
+#: terminal/serializers/storage.py:34
+#: xpack/plugins/cloud/serializers/account_attrs.py:18
+msgid "Access key secret"
+msgstr "访问密钥密文(SK)"
+
+#: terminal/serializers/storage.py:65 xpack/plugins/cloud/models.py:220
 msgid "Region"
 msgstr "地域"
 
-#: terminal/serializers/storage.py:108
+#: terminal/serializers/storage.py:109
 msgid "Container name"
 msgstr "容器名称"
 
-#: terminal/serializers/storage.py:110
+#: terminal/serializers/storage.py:111
 msgid "Account name"
 msgstr "账号名称"
 
-#: terminal/serializers/storage.py:111
+#: terminal/serializers/storage.py:112
 msgid "Account key"
 msgstr "账号密钥"
 
-#: terminal/serializers/storage.py:114
+#: terminal/serializers/storage.py:115
 msgid "Endpoint suffix"
 msgstr "端点后缀"
 
-#: terminal/serializers/storage.py:134
+#: terminal/serializers/storage.py:135
 msgid "The address format is incorrect"
 msgstr "地址格式不正确"
 
-#: terminal/serializers/storage.py:141
+#: terminal/serializers/storage.py:142
 msgid "Host invalid"
 msgstr "主机无效"
 
-#: terminal/serializers/storage.py:144
+#: terminal/serializers/storage.py:145
 msgid "Port invalid"
 msgstr "端口无效"
 
-#: terminal/serializers/storage.py:159
+#: terminal/serializers/storage.py:160
 msgid "Index by date"
 msgstr "按日期建索引"
 
-#: terminal/serializers/storage.py:160
+#: terminal/serializers/storage.py:161
 msgid "Whether to create an index by date"
 msgstr "是否根据日期动态建立索引"
 
-#: terminal/serializers/storage.py:163
+#: terminal/serializers/storage.py:164
 msgid "Index"
 msgstr "索引"
 
-#: terminal/serializers/storage.py:165
+#: terminal/serializers/storage.py:166
 msgid "Doc type"
 msgstr "文档类型"
 
-#: terminal/serializers/storage.py:167
+#: terminal/serializers/storage.py:168
 msgid "Ignore Certificate Verification"
 msgstr "忽略证书认证"
 
@@ -5254,11 +5261,11 @@ msgstr "流程"
 msgid "TicketFlow"
 msgstr "工单流程"
 
-#: tickets/models/ticket.py:311
+#: tickets/models/ticket.py:320
 msgid "Please try again"
 msgstr "请再次尝试"
 
-#: tickets/models/ticket.py:319
+#: tickets/models/ticket.py:328
 msgid "Super ticket"
 msgstr "超级工单"
 
@@ -5560,8 +5567,8 @@ msgstr "复制你的公钥到这里"
 msgid "Public key should not be the same as your old one."
 msgstr "不能和原来的密钥相同"
 
-#: users/forms/profile.py:150 users/serializers/profile.py:98
-#: users/serializers/profile.py:181 users/serializers/profile.py:208
+#: users/forms/profile.py:150 users/serializers/profile.py:100
+#: users/serializers/profile.py:183 users/serializers/profile.py:210
 msgid "Not a valid ssh public key"
 msgstr "SSH密钥不合法"
 
@@ -5589,6 +5596,10 @@ msgstr "头像"
 msgid "Wechat"
 msgstr "微信"
 
+#: users/models/user.py:695
+msgid "Secret key"
+msgstr "Secret key"
+
 #: users/models/user.py:711
 msgid "Source"
 msgstr "来源"
@@ -5660,7 +5671,7 @@ msgstr "重置 MFA"
 msgid "The old password is incorrect"
 msgstr "旧密码错误"
 
-#: users/serializers/profile.py:37 users/serializers/profile.py:195
+#: users/serializers/profile.py:37 users/serializers/profile.py:197
 msgid "Password does not match security rules"
 msgstr "密码不满足安全规则"
 
@@ -5668,11 +5679,11 @@ msgstr "密码不满足安全规则"
 msgid "The new password cannot be the last {} passwords"
 msgstr "新密码不能是最近 {} 次的密码"
 
-#: users/serializers/profile.py:49 users/serializers/profile.py:69
+#: users/serializers/profile.py:49 users/serializers/profile.py:71
 msgid "The newly set password is inconsistent"
 msgstr "两次密码不一致"
 
-#: users/serializers/profile.py:147 users/serializers/user.py:144
+#: users/serializers/profile.py:149 users/serializers/user.py:144
 msgid "Is first login"
 msgstr "首次登录"
 
@@ -6560,48 +6571,40 @@ msgstr "有效性显示"
 msgid "Provider display"
 msgstr "服务商显示"
 
-#: xpack/plugins/cloud/serializers/account_attrs.py:13
-msgid "AccessKey ID"
-msgstr "Access key ID"
-
-#: xpack/plugins/cloud/serializers/account_attrs.py:16
-msgid "AccessKey Secret"
-msgstr "Access key secret"
-
-#: xpack/plugins/cloud/serializers/account_attrs.py:31
+#: xpack/plugins/cloud/serializers/account_attrs.py:33
 msgid "Client ID"
 msgstr "客户端 ID"
 
-#: xpack/plugins/cloud/serializers/account_attrs.py:37
+#: xpack/plugins/cloud/serializers/account_attrs.py:39
 msgid "Tenant ID"
 msgstr "租户 ID"
 
-#: xpack/plugins/cloud/serializers/account_attrs.py:40
+#: xpack/plugins/cloud/serializers/account_attrs.py:42
 msgid "Subscription ID"
 msgstr "订阅 ID"
 
-#: xpack/plugins/cloud/serializers/account_attrs.py:91
-#: xpack/plugins/cloud/serializers/account_attrs.py:96
+#: xpack/plugins/cloud/serializers/account_attrs.py:93
+#: xpack/plugins/cloud/serializers/account_attrs.py:98
 msgid "API Endpoint"
 msgstr "API 端点"
 
-#: xpack/plugins/cloud/serializers/account_attrs.py:102
+#: xpack/plugins/cloud/serializers/account_attrs.py:104
 msgid "Auth url"
 msgstr "认证地址"
 
-#: xpack/plugins/cloud/serializers/account_attrs.py:103
+#: xpack/plugins/cloud/serializers/account_attrs.py:105
 msgid "eg: http://openstack.example.com:5000/v3"
 msgstr "如: http://openstack.example.com:5000/v3"
 
-#: xpack/plugins/cloud/serializers/account_attrs.py:106
+#: xpack/plugins/cloud/serializers/account_attrs.py:108
 msgid "User domain"
 msgstr "用户域"
 
-#: xpack/plugins/cloud/serializers/account_attrs.py:113
+#: xpack/plugins/cloud/serializers/account_attrs.py:115
 msgid "Service account key"
 msgstr "服务账号密钥"
 
-#: xpack/plugins/cloud/serializers/account_attrs.py:114
+#: xpack/plugins/cloud/serializers/account_attrs.py:116
 msgid "The file is in JSON format"
 msgstr "JSON 格式的文件"
 
@@ -6719,6 +6722,9 @@ msgstr "旗舰版"
 msgid "Community edition"
 msgstr "社区版"
 
+#~ msgid "AccessKey ID"
+#~ msgstr "Access key ID"
+
 #~ msgid "Unknown ip"
 #~ msgstr "未知ip"
 
diff --git a/apps/settings/serializers/auth/dingtalk.py b/apps/settings/serializers/auth/dingtalk.py
index 062f19f26..37875bba3 100644
--- a/apps/settings/serializers/auth/dingtalk.py
+++ b/apps/settings/serializers/auth/dingtalk.py
@@ -1,11 +1,13 @@
 from django.utils.translation import ugettext_lazy as _
 from rest_framework import serializers
 
+from common.drf.fields import EncryptedField
+
 __all__ = ['DingTalkSettingSerializer']
 
 
 class DingTalkSettingSerializer(serializers.Serializer):
     DINGTALK_AGENTID = serializers.CharField(max_length=256, required=True, label='AgentId')
     DINGTALK_APPKEY = serializers.CharField(max_length=256, required=True, label='AppKey')
-    DINGTALK_APPSECRET = serializers.CharField(max_length=256, required=False, label='AppSecret', write_only=True)
+    DINGTALK_APPSECRET = EncryptedField(max_length=256, required=False, label='AppSecret')
     AUTH_DINGTALK = serializers.BooleanField(default=False, label=_('Enable DingTalk Auth'))
diff --git a/apps/settings/serializers/auth/feishu.py b/apps/settings/serializers/auth/feishu.py
index 68b7ee2b1..67478bae5 100644
--- a/apps/settings/serializers/auth/feishu.py
+++ b/apps/settings/serializers/auth/feishu.py
@@ -1,11 +1,13 @@
 from django.utils.translation import ugettext_lazy as _
 from rest_framework import serializers
 
+from common.drf.fields import EncryptedField
+
 __all__ = ['FeiShuSettingSerializer']
 
 
 class FeiShuSettingSerializer(serializers.Serializer):
     FEISHU_APP_ID = serializers.CharField(max_length=256, required=True, label='App ID')
-    FEISHU_APP_SECRET = serializers.CharField(max_length=256, required=False, label='App Secret', write_only=True)
+    FEISHU_APP_SECRET = EncryptedField(max_length=256, required=False, label='App Secret')
     AUTH_FEISHU = serializers.BooleanField(default=False, label=_('Enable FeiShu Auth'))
 
diff --git a/apps/settings/serializers/auth/ldap.py b/apps/settings/serializers/auth/ldap.py
index 2f2d710c9..ddf963443 100644
--- a/apps/settings/serializers/auth/ldap.py
+++ b/apps/settings/serializers/auth/ldap.py
@@ -12,7 +12,7 @@ __all__ = [
 class LDAPTestConfigSerializer(serializers.Serializer):
     AUTH_LDAP_SERVER_URI = serializers.CharField(max_length=1024)
     AUTH_LDAP_BIND_DN = serializers.CharField(max_length=1024, required=False, allow_blank=True)
-    AUTH_LDAP_BIND_PASSWORD = serializers.CharField(required=False, allow_blank=True)
+    AUTH_LDAP_BIND_PASSWORD = EncryptedField(required=False, allow_blank=True)
     AUTH_LDAP_SEARCH_OU = serializers.CharField()
     AUTH_LDAP_SEARCH_FILTER = serializers.CharField()
     AUTH_LDAP_USER_ATTR_MAP = serializers.CharField()
@@ -42,8 +42,8 @@ class LDAPSettingSerializer(serializers.Serializer):
         help_text=_('eg: ldap://localhost:389')
     )
     AUTH_LDAP_BIND_DN = serializers.CharField(required=False, max_length=1024, label=_('Bind DN'))
-    AUTH_LDAP_BIND_PASSWORD = serializers.CharField(
-        max_length=1024, write_only=True, required=False, label=_('Password')
+    AUTH_LDAP_BIND_PASSWORD = EncryptedField(
+        max_length=1024, required=False, label=_('Password')
     )
     AUTH_LDAP_SEARCH_OU = serializers.CharField(
         max_length=1024, allow_blank=True, required=False, label=_('User OU'),
diff --git a/apps/settings/serializers/auth/oidc.py b/apps/settings/serializers/auth/oidc.py
index a3777fb25..5ab73ea04 100644
--- a/apps/settings/serializers/auth/oidc.py
+++ b/apps/settings/serializers/auth/oidc.py
@@ -1,6 +1,8 @@
 from django.utils.translation import ugettext_lazy as _
 from rest_framework import serializers
 
+from common.drf.fields import EncryptedField
+
 __all__ = [
     'OIDCSettingSerializer', 'KeycloakSettingSerializer',
 ]
@@ -14,8 +16,8 @@ class CommonSettingSerializer(serializers.Serializer):
     AUTH_OPENID_CLIENT_ID = serializers.CharField(
         required=False, max_length=1024, label=_('Client Id')
     )
-    AUTH_OPENID_CLIENT_SECRET = serializers.CharField(
-        required=False, max_length=1024,  write_only=True, label=_('Client Secret')
+    AUTH_OPENID_CLIENT_SECRET = EncryptedField(
+        required=False, max_length=1024, label=_('Client Secret')
     )
     AUTH_OPENID_CLIENT_AUTH_METHOD = serializers.ChoiceField(
         default='client_secret_basic',
diff --git a/apps/settings/serializers/auth/radius.py b/apps/settings/serializers/auth/radius.py
index fa5633fc8..4d56510bf 100644
--- a/apps/settings/serializers/auth/radius.py
+++ b/apps/settings/serializers/auth/radius.py
@@ -4,16 +4,16 @@
 from django.utils.translation import ugettext_lazy as _
 from rest_framework import serializers
 
-__all__ = [
-    'RadiusSettingSerializer',
-]
+from common.drf.fields import EncryptedField
+
+__all__ = ['RadiusSettingSerializer']
 
 
 class RadiusSettingSerializer(serializers.Serializer):
     AUTH_RADIUS = serializers.BooleanField(required=False, label=_('Enable Radius Auth'))
     RADIUS_SERVER = serializers.CharField(required=False, allow_blank=True, max_length=1024, label=_('Host'))
     RADIUS_PORT = serializers.IntegerField(required=False, label=_('Port'))
-    RADIUS_SECRET = serializers.CharField(
-        required=False, max_length=1024, allow_null=True, label=_('Secret'), write_only=True
+    RADIUS_SECRET = EncryptedField(
+        required=False, max_length=1024, allow_null=True, label=_('Secret'),
     )
     OTP_IN_RADIUS = serializers.BooleanField(required=False, label=_('OTP in Radius'))
diff --git a/apps/settings/serializers/auth/sms.py b/apps/settings/serializers/auth/sms.py
index 246c11da6..cd3bef74c 100644
--- a/apps/settings/serializers/auth/sms.py
+++ b/apps/settings/serializers/auth/sms.py
@@ -1,6 +1,7 @@
 from django.utils.translation import ugettext_lazy as _
 from rest_framework import serializers
 
+from common.drf.fields import EncryptedField
 from common.sdk.sms import BACKENDS
 
 __all__ = ['SMSSettingSerializer', 'AlibabaSMSSettingSerializer', 'TencentSMSSettingSerializer']
@@ -29,8 +30,8 @@ class BaseSMSSettingSerializer(serializers.Serializer):
 
 class AlibabaSMSSettingSerializer(BaseSMSSettingSerializer):
     ALIBABA_ACCESS_KEY_ID = serializers.CharField(max_length=256, required=True, label='AccessKeyId')
-    ALIBABA_ACCESS_KEY_SECRET = serializers.CharField(
-        max_length=256, required=False, label='AccessKeySecret', write_only=True
+    ALIBABA_ACCESS_KEY_SECRET = EncryptedField(
+        max_length=256, required=False, label='AccessKeySecret',
     )
     ALIBABA_VERIFY_SIGN_NAME = serializers.CharField(max_length=256, required=True, label=_('Signature'))
     ALIBABA_VERIFY_TEMPLATE_CODE = serializers.CharField(max_length=256, required=True, label=_('Template code'))
@@ -38,7 +39,7 @@ class AlibabaSMSSettingSerializer(BaseSMSSettingSerializer):
 
 class TencentSMSSettingSerializer(BaseSMSSettingSerializer):
     TENCENT_SECRET_ID = serializers.CharField(max_length=256, required=True, label='Secret id')
-    TENCENT_SECRET_KEY = serializers.CharField(max_length=256, required=False, label='Secret key', write_only=True)
+    TENCENT_SECRET_KEY = EncryptedField(max_length=256, required=False, label='Secret key')
     TENCENT_SDKAPPID = serializers.CharField(max_length=256, required=True, label='SDK app id')
     TENCENT_VERIFY_SIGN_NAME = serializers.CharField(max_length=256, required=True, label=_('Signature'))
     TENCENT_VERIFY_TEMPLATE_CODE = serializers.CharField(max_length=256, required=True, label=_('Template code'))
diff --git a/apps/settings/serializers/auth/wecom.py b/apps/settings/serializers/auth/wecom.py
index ceb83aa85..bd1498105 100644
--- a/apps/settings/serializers/auth/wecom.py
+++ b/apps/settings/serializers/auth/wecom.py
@@ -1,11 +1,13 @@
 from django.utils.translation import ugettext_lazy as _
 from rest_framework import serializers
 
+from common.drf.fields import EncryptedField
+
 __all__ = ['WeComSettingSerializer']
 
 
 class WeComSettingSerializer(serializers.Serializer):
     WECOM_CORPID = serializers.CharField(max_length=256, required=True, label='corpid')
     WECOM_AGENTID = serializers.CharField(max_length=256, required=True, label='agentid')
-    WECOM_SECRET = serializers.CharField(max_length=256, required=False, label='secret', write_only=True)
-    AUTH_WECOM = serializers.BooleanField(default=False, label=_('Enable WeCom Auth'))
\ No newline at end of file
+    WECOM_SECRET = EncryptedField(max_length=256, required=False, label='secret')
+    AUTH_WECOM = serializers.BooleanField(default=False, label=_('Enable WeCom Auth'))
diff --git a/apps/settings/serializers/email.py b/apps/settings/serializers/email.py
index 4395d7473..c67cf2216 100644
--- a/apps/settings/serializers/email.py
+++ b/apps/settings/serializers/email.py
@@ -1,9 +1,11 @@
 # coding: utf-8
-# 
+#
 
 from django.utils.translation import ugettext_lazy as _
 from rest_framework import serializers
 
+from common.drf.fields import EncryptedField
+
 __all__ = ['MailTestSerializer', 'EmailSettingSerializer', 'EmailContentSettingSerializer']
 
 
@@ -18,8 +20,8 @@ class EmailSettingSerializer(serializers.Serializer):
     EMAIL_HOST = serializers.CharField(max_length=1024, required=True, label=_("SMTP host"))
     EMAIL_PORT = serializers.CharField(max_length=5, required=True, label=_("SMTP port"))
     EMAIL_HOST_USER = serializers.CharField(max_length=128, required=True, label=_("SMTP account"))
-    EMAIL_HOST_PASSWORD = serializers.CharField(
-        max_length=1024, write_only=True, required=False, label=_("SMTP password"),
+    EMAIL_HOST_PASSWORD = EncryptedField(
+        max_length=1024, required=False, label=_("SMTP password"),
         help_text=_("Tips: Some provider use token except password")
     )
     EMAIL_FROM = serializers.CharField(
diff --git a/apps/terminal/serializers/storage.py b/apps/terminal/serializers/storage.py
index d04232d38..ff7d386de 100644
--- a/apps/terminal/serializers/storage.py
+++ b/apps/terminal/serializers/storage.py
@@ -1,14 +1,15 @@
 # -*- coding: utf-8 -*-
 #
 from rest_framework import serializers
+from rest_framework.validators import UniqueValidator
 from urllib.parse import urlparse
 from django.utils.translation import ugettext_lazy as _
 from django.db.models import TextChoices
+
 from common.drf.serializers import MethodSerializer
-from common.drf.fields import ReadableHiddenField
+from common.drf.fields import ReadableHiddenField, EncryptedField
 from ..models import ReplayStorage, CommandStorage
 from .. import const
-from rest_framework.validators import UniqueValidator
 
 
 # Replay storage serializers
@@ -25,12 +26,12 @@ class ReplayStorageTypeBaseSerializer(serializers.Serializer):
         required=True, max_length=1024, label=_('Bucket'), allow_null=True
     )
     ACCESS_KEY = serializers.CharField(
-        max_length=1024, required=False, allow_blank=True, write_only=True, label=_('Access key'),
-        allow_null=True,
+        max_length=1024, required=False, allow_blank=True,
+        label=_('Access key id'), allow_null=True,
     )
-    SECRET_KEY = serializers.CharField(
-        max_length=1024, required=False, allow_blank=True, write_only=True, label=_('Secret key'),
-        allow_null=True,
+    SECRET_KEY = EncryptedField(
+        max_length=1024, required=False, allow_blank=True,
+        label=_('Access key secret'), allow_null=True,
     )
     ENDPOINT = serializers.CharField(
         validators=[replay_storage_endpoint_format_validator],
@@ -108,7 +109,7 @@ class ReplayStorageTypeAzureSerializer(serializers.Serializer):
         max_length=1024, label=_('Container name'), allow_null=True
     )
     ACCOUNT_NAME = serializers.CharField(max_length=1024, label=_('Account name'), allow_null=True)
-    ACCOUNT_KEY = serializers.CharField(max_length=1024, label=_('Account key'), allow_null=True)
+    ACCOUNT_KEY = EncryptedField(max_length=1024, label=_('Account key'), allow_null=True)
     ENDPOINT_SUFFIX = serializers.ChoiceField(
         choices=EndpointSuffixChoices.choices, default=EndpointSuffixChoices.china.value,
         label=_('Endpoint suffix'), allow_null=True,
diff --git a/apps/users/serializers/profile.py b/apps/users/serializers/profile.py
index d6cd9055f..c8dfb7782 100644
--- a/apps/users/serializers/profile.py
+++ b/apps/users/serializers/profile.py
@@ -17,9 +17,9 @@ class UserOrgSerializer(serializers.Serializer):
 
 
 class UserUpdatePasswordSerializer(serializers.ModelSerializer):
-    old_password = EncryptedField(required=True, max_length=128, write_only=True)
-    new_password = EncryptedField(required=True, max_length=128, write_only=True)
-    new_password_again = EncryptedField(required=True, max_length=128, write_only=True)
+    old_password = EncryptedField(required=True, max_length=128)
+    new_password = EncryptedField(required=True, max_length=128)
+    new_password_again = EncryptedField(required=True, max_length=128)
 
     class Meta:
         model = User
@@ -57,18 +57,20 @@ class UserUpdatePasswordSerializer(serializers.ModelSerializer):
 
 
 class UserUpdateSecretKeySerializer(serializers.ModelSerializer):
-    new_secret_key = serializers.CharField(required=True, max_length=128, write_only=True)
-    new_secret_key_again = serializers.CharField(required=True, max_length=128, write_only=True)
+    new_secret_key = EncryptedField(required=True, max_length=128)
+    new_secret_key_again = EncryptedField(required=True, max_length=128)
 
     class Meta:
         model = User
         fields = ['new_secret_key', 'new_secret_key_again']
 
-    def validate_new_secret_key_again(self, value):
-        if value != self.initial_data.get('new_secret_key', ''):
+    def validate(self, values):
+        new_secret_key = values.get('new_secret_key', '')
+        new_secret_key_again = values.get('new_secret_key_again', '')
+        if new_secret_key != new_secret_key_again:
             msg = _('The newly set password is inconsistent')
-            raise serializers.ValidationError(msg)
-        return value
+            raise serializers.ValidationError({'new_secret_key_again': msg})
+        return values
 
     def update(self, instance, validated_data):
         new_secret_key = self.validated_data.get('new_secret_key')

From 0a04f0f35146fdd1bde364ddf9e6cd66f4d768e4 Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Fri, 20 May 2022 00:10:22 +0800
Subject: [PATCH 126/258] =?UTF-8?q?perf:=20=E4=B8=8B=E8=BD=BD=20ip=20?=
 =?UTF-8?q?=E6=95=B0=E6=8D=AE=E5=BA=93?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/common/utils/file.py | 10 ++++++++++
 jms                       | 17 +++++++++++++++++
 2 files changed, 27 insertions(+)

diff --git a/apps/common/utils/file.py b/apps/common/utils/file.py
index c00293de5..9529fbdca 100644
--- a/apps/common/utils/file.py
+++ b/apps/common/utils/file.py
@@ -1,6 +1,8 @@
 import os
 import csv
+
 import pyzipper
+import requests
 
 
 def create_csv_file(filename, headers, rows, ):
@@ -18,3 +20,11 @@ def encrypt_and_compress_zip_file(filename, secret_password, encrypted_filenames
         for encrypted_filename in encrypted_filenames:
             with open(encrypted_filename, 'rb') as f:
                 zf.writestr(os.path.basename(encrypted_filename), f.read())
+
+
+def download_file(src, path):
+    with requests.get(src, stream=True) as r:
+        r.raise_for_status()
+        with open(path, 'wb') as f:
+            for chunk in r.iter_content(chunk_size=8192):
+                f.write(chunk)
diff --git a/jms b/jms
index 517fb0602..5d5b5c433 100755
--- a/jms
+++ b/jms
@@ -8,6 +8,7 @@ import time
 import argparse
 import sys
 import django
+import requests
 from django.core import management
 from django.db.utils import OperationalError
 
@@ -33,6 +34,7 @@ except ImportError as e:
 
 try:
     from jumpserver.const import CONFIG
+    from common.utils.file import download_file
 except ImportError as e:
     print("Import error: {}".format(e))
     print("Could not find config file, `cp config_example.yml config.yml`")
@@ -105,6 +107,20 @@ def compile_i18n_file():
     logging.info("Compile i18n files done")
 
 
+def download_ip_db():
+    db_base_dir = os.path.join(APP_DIR, 'common', 'utils', 'ip')
+    db_path_url_mapper = {
+        ('geoip', 'GeoLite2-City.mmdb'): 'https://jms-pkg.oss-cn-beijing.aliyuncs.com/ip/GeoLite2-City.mmdb',
+        ('ipip', 'ipipfree.ipdb'): 'https://jms-pkg.oss-cn-beijing.aliyuncs.com/ip/ipipfree.ipdb'
+    }
+    for p, src in db_path_url_mapper.items():
+        path = os.path.join(db_base_dir, *p)
+        if os.path.isfile(path) and os.path.getsize(path) > 1000:
+            continue
+        print("Download ip db: {}".format(path))
+        download_file(src, path)
+
+
 def upgrade_db():
     collect_static()
     perform_db_migrate()
@@ -114,6 +130,7 @@ def prepare():
     check_database_connection()
     upgrade_db()
     expire_caches()
+    download_ip_db()
 
 
 def start_services():

From 26cf64ad2d9c66b8f492ec2929500304c38ed73f Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Fri, 20 May 2022 11:40:06 +0800
Subject: [PATCH 127/258] =?UTF-8?q?perf:=20=E4=BF=AE=E6=94=B9=20i18?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/locale/ja/LC_MESSAGES/django.mo | 3 +++
 apps/locale/zh/LC_MESSAGES/django.mo | 3 +++
 2 files changed, 6 insertions(+)
 create mode 100644 apps/locale/ja/LC_MESSAGES/django.mo
 create mode 100644 apps/locale/zh/LC_MESSAGES/django.mo

diff --git a/apps/locale/ja/LC_MESSAGES/django.mo b/apps/locale/ja/LC_MESSAGES/django.mo
new file mode 100644
index 000000000..2f0a7842c
--- /dev/null
+++ b/apps/locale/ja/LC_MESSAGES/django.mo
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:82cdb805f6d681577806fb6fc41178b5dd28eafc68b1348f433ba7f7f5ce9920
+size 127478
diff --git a/apps/locale/zh/LC_MESSAGES/django.mo b/apps/locale/zh/LC_MESSAGES/django.mo
new file mode 100644
index 000000000..65a32959d
--- /dev/null
+++ b/apps/locale/zh/LC_MESSAGES/django.mo
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:b03f7f9c1d450f8a3012330c00d084c88465d99e355c42ec10f568a8ffa7611c
+size 105357

From 09ef72a4a8bde20b94302b32c2324d5986377806 Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Tue, 24 May 2022 10:18:20 +0800
Subject: [PATCH 128/258] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=20Migrations?=
 =?UTF-8?q?=20=E9=94=99=E8=AF=AF?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/assets/migrations/0090_auto_20220412_1145.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/apps/assets/migrations/0090_auto_20220412_1145.py b/apps/assets/migrations/0090_auto_20220412_1145.py
index 434b7b3cf..3259cd37b 100644
--- a/apps/assets/migrations/0090_auto_20220412_1145.py
+++ b/apps/assets/migrations/0090_auto_20220412_1145.py
@@ -14,7 +14,6 @@ def create_internal_platform(apps, schema_editor):
         model.objects.using(db_alias).update_or_create(
             name=name, defaults=defaults
         )
-        migrations.RunPython(create_internal_platform)
 
 
 class Migration(migrations.Migration):

From a08dd5ee722dfe2e0249833066ff731c4ce1344c Mon Sep 17 00:00:00 2001
From: feng626 <1304903146@qq.com>
Date: Tue, 24 May 2022 11:03:12 +0800
Subject: [PATCH 129/258] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=E7=94=A8?=
 =?UTF-8?q?=E6=88=B7=E6=9B=B4=E6=96=B0=E8=87=AA=E5=B7=B1=E5=AF=86=E7=A0=81?=
 =?UTF-8?q?=20url=20=E4=B8=8D=E5=87=86=E7=A1=AE=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/users/notifications.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/users/notifications.py b/apps/users/notifications.py
index 99aeb77b7..645e206cd 100644
--- a/apps/users/notifications.py
+++ b/apps/users/notifications.py
@@ -143,7 +143,7 @@ class PasswordExpirationReminderMsg(UserMessage):
         subject = _('Password is about expire')
 
         date_password_expired_local = timezone.localtime(user.date_password_expired)
-        update_password_url = urljoin(settings.SITE_URL, '/ui/#/users/profile/?activeTab=PasswordUpdate')
+        update_password_url = urljoin(settings.SITE_URL, '/ui/#/profile/setting/?activeTab=PasswordUpdate')
         date_password_expired = date_password_expired_local.strftime('%Y-%m-%d %H:%M:%S')
         context = {
             'name': user.name,

From 041302d5d261fe1e71781efd703961eddea4cf01 Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Tue, 24 May 2022 12:31:16 +0800
Subject: [PATCH 130/258] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=E8=8E=B7?=
 =?UTF-8?q?=E5=8F=96=20city=20=E6=97=B6=E5=8F=AF=E8=83=BD=E7=9A=84?=
 =?UTF-8?q?=E6=8A=A5=E9=94=99=20(#8294)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: ibuler <ibuler@qq.com>
---
 apps/common/utils/ip/geoip/utils.py |  6 +-----
 apps/common/utils/ip/ipip/utils.py  | 13 ++++++-------
 apps/common/utils/ip/utils.py       | 23 ++++++++++++++---------
 3 files changed, 21 insertions(+), 21 deletions(-)

diff --git a/apps/common/utils/ip/geoip/utils.py b/apps/common/utils/ip/geoip/utils.py
index 5e829f610..64752a3a1 100644
--- a/apps/common/utils/ip/geoip/utils.py
+++ b/apps/common/utils/ip/geoip/utils.py
@@ -13,10 +13,6 @@ reader = None
 
 
 def get_ip_city_by_geoip(ip):
-    if not ip or '.' not in ip or not isinstance(ip, str):
-        return _("Invalid ip")
-    if ':' in ip:
-        return 'IPv6'
     global reader
     if reader is None:
         path = os.path.join(os.path.dirname(__file__), 'GeoLite2-City.mmdb')
@@ -32,7 +28,7 @@ def get_ip_city_by_geoip(ip):
     try:
         response = reader.city(ip)
     except GeoIP2Error:
-        return {}
+        return _("Unknown")
 
     city_names = response.city.names or {}
     lang = settings.LANGUAGE_CODE[:2]
diff --git a/apps/common/utils/ip/ipip/utils.py b/apps/common/utils/ip/ipip/utils.py
index ef97f4794..e94009b70 100644
--- a/apps/common/utils/ip/ipip/utils.py
+++ b/apps/common/utils/ip/ipip/utils.py
@@ -1,7 +1,6 @@
 # -*- coding: utf-8 -*-
 #
 import os
-from django.utils.translation import ugettext as _
 
 import ipdb
 
@@ -11,13 +10,13 @@ ipip_db = None
 
 def get_ip_city_by_ipip(ip):
     global ipip_db
-    if not ip or not isinstance(ip, str):
-        return _("Invalid ip")
-    if ':' in ip:
-        return 'IPv6'
     if ipip_db is None:
         ipip_db_path = os.path.join(os.path.dirname(__file__), 'ipipfree.ipdb')
         ipip_db = ipdb.City(ipip_db_path)
-
-    info = ipip_db.find_info(ip, 'CN')
+    try:
+        info = ipip_db.find_info(ip, 'CN')
+    except ValueError:
+        return None
+    if not info:
+        raise None
     return {'city': info.city_name, 'country': info.country_name}
diff --git a/apps/common/utils/ip/utils.py b/apps/common/utils/ip/utils.py
index e75ecb85c..d62cba00d 100644
--- a/apps/common/utils/ip/utils.py
+++ b/apps/common/utils/ip/utils.py
@@ -74,13 +74,18 @@ def contains_ip(ip, ip_group):
 
 
 def get_ip_city(ip):
-    info = get_ip_city_by_ipip(ip)
-    city = info.get('city', _("Unknown"))
-    country = info.get('country')
+    if not ip or not isinstance(ip, str):
+        return _("Invalid ip")
+    if ':' in ip:
+        return 'IPv6'
 
-    # 国内城市 并且 语言是中文就使用国内
-    is_zh = settings.LANGUAGE_CODE.startswith('zh')
-    if country == '中国' and is_zh:
-        return city
-    else:
-        return get_ip_city_by_geoip(ip)
+    info = get_ip_city_by_ipip(ip)
+    if info:
+        city = info.get('city', _("Unknown"))
+        country = info.get('country')
+
+        # 国内城市 并且 语言是中文就使用国内
+        is_zh = settings.LANGUAGE_CODE.startswith('zh')
+        if country == '中国' and is_zh:
+            return city
+    return get_ip_city_by_geoip(ip)

From b24d2f628aefe44076d75fc7e032cfe54df37f72 Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Fri, 27 May 2022 14:14:47 +0800
Subject: [PATCH 131/258] perf: update download (#8304)

Co-authored-by: feng626 <1304903146@qq.com>
---
 apps/templates/resource_download.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/templates/resource_download.html b/apps/templates/resource_download.html
index 7f59d521c..09215b532 100644
--- a/apps/templates/resource_download.html
+++ b/apps/templates/resource_download.html
@@ -21,8 +21,8 @@ p {
         </p>
         <ul>
             <li> <a href="/download/JumpServer-Client-Installer-x86_64.msi">jumpserver-client-windows-x86_64.msi</a></li>
-            <li> <a href="/download/JumpServer-Client-Installer-arm64.msi">jumpserver-client-windows-arm64.msi</a></li>
             <li> <a href="/download/JumpServer-Client-Installer.dmg">jumpserver-client-darwin.dmg</a></li>
+            <li> <a href="/download/JumpServer-Client-Installer.run">jumpserver-client-linux.run</a></li>
         </ul>
     </div>
 

From 42202bd528faa5af225d41aece891a290f139a7a Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Fri, 27 May 2022 17:21:03 +0800
Subject: [PATCH 132/258] =?UTF-8?q?fix:=20=E4=BF=AE=E6=94=B9=20public=20se?=
 =?UTF-8?q?ttings=20API=E5=85=AC=E5=91=8A=E5=AD=97=E6=AE=B5=E7=B1=BB?=
 =?UTF-8?q?=E5=9E=8B=E4=B8=BA=20dict?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/settings/serializers/public.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/settings/serializers/public.py b/apps/settings/serializers/public.py
index fed540bc0..22fe55142 100644
--- a/apps/settings/serializers/public.py
+++ b/apps/settings/serializers/public.py
@@ -40,6 +40,6 @@ class PrivateSettingSerializer(PublicSettingSerializer):
     TERMINAL_KOKO_SSH_ENABLED = serializers.BooleanField()
 
     ANNOUNCEMENT_ENABLED = serializers.BooleanField()
-    ANNOUNCEMENT = serializers.CharField()
+    ANNOUNCEMENT = serializers.DictField()
     
     TICKETS_ENABLED = serializers.BooleanField()

From 1322106c9113c66fbd9a256c571e4c8d22861324 Mon Sep 17 00:00:00 2001
From: "Chayim I. Kirshen" <c@kirshen.com>
Date: Sun, 29 May 2022 14:03:19 +0300
Subject: [PATCH 133/258] bumping redis-py to 4.3.1 (latest)

---
 requirements/requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/requirements/requirements.txt b/requirements/requirements.txt
index c301148ea..6387c2dd9 100644
--- a/requirements/requirements.txt
+++ b/requirements/requirements.txt
@@ -59,7 +59,7 @@ PyNaCl==1.5.0
 python-dateutil==2.8.2
 pytz==2018.3
 PyYAML==6.0
-redis==3.5.3
+redis==4.3.1
 requests==2.25.1
 jms-storage==0.0.42
 s3transfer==0.5.0

From 992c1407b6f55e1e27c7878995c50a3d18772958 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E8=80=81=E5=B9=BF?= <ibuler@qq.com>
Date: Mon, 30 May 2022 14:51:29 +0800
Subject: [PATCH 134/258] Update README.md (#8316)

* Update README.md

* Update README.md

* Update README.md

* Update README.md
---
 README.md | 32 +++++++++++---------------------
 1 file changed, 11 insertions(+), 21 deletions(-)

diff --git a/README.md b/README.md
index 813327bfc..751dec240 100644
--- a/README.md
+++ b/README.md
@@ -5,6 +5,7 @@
   <a href="https://www.gnu.org/licenses/gpl-3.0.html"><img src="https://img.shields.io/github/license/jumpserver/jumpserver" alt="License: GPLv3"></a>
   <a href="https://shields.io/github/downloads/jumpserver/jumpserver/total"><img src="https://shields.io/github/downloads/jumpserver/jumpserver/total" alt=" release"></a>
   <a href="https://hub.docker.com/u/jumpserver"><img src="https://img.shields.io/docker/pulls/jumpserver/jms_all.svg" alt="Codacy"></a>
+  <a href="https://github.com/jumpserver/jumpserver/commits"><img alt="GitHub last commit" src="https://img.shields.io/github/last-commit/jumpserver/jumpserver.svg" /></a>
   <a href="https://github.com/jumpserver/jumpserver"><img src="https://img.shields.io/github/stars/jumpserver/jumpserver?color=%231890FF&style=flat-square" alt="Stars"></a>
 </p>
 
@@ -55,12 +56,15 @@ JumpServer 采纳分布式架构，支持多机房跨区域部署，支持横向
 - [手动安装](https://github.com/jumpserver/installer)
 
 ### 组件项目
-- [Lina](https://github.com/jumpserver/lina) JumpServer Web UI 项目
-- [Luna](https://github.com/jumpserver/luna) JumpServer Web Terminal 项目
-- [KoKo](https://github.com/jumpserver/koko) JumpServer 字符协议 Connector 项目，替代原来 Python 版本的 [Coco](https://github.com/jumpserver/coco)
-- [Lion](https://github.com/jumpserver/lion-release) JumpServer 图形协议 Connector 项目，依赖 [Apache Guacamole](https://guacamole.apache.org/)
-- [Clients](https://github.com/jumpserver/clients) JumpServer 客户端 项目
-- [Installer](https://github.com/jumpserver/installer) JumpServer 安装包 项目
+| 项目                                                                          |  状态          | 描述                                     |
+| ---------------------------------------------------------------------------  |  -------------------   | ---------------------------------------- |
+| [Lina](https://github.com/jumpserver/lina) | <a href="https://github.com/jumpserver/lina/releases"><img alt="Lina release" src="https://img.shields.io/github/release/jumpserver/lina.svg" /></a> | JumpServer Web UI 项目 |
+| [Luna](https://github.com/jumpserver/luna) | <a href="https://github.com/jumpserver/luna/releases"><img alt="Luna release" src="https://img.shields.io/github/release/jumpserver/luna.svg" /></a> | JumpServer Web Terminal 项目 |
+| [KoKo](https://github.com/jumpserver/koko) | <a href="https://github.com/jumpserver/koko/releases"><img alt="Koko release" src="https://img.shields.io/github/release/jumpserver/koko.svg" /></a> | JumpServer 字符协议 Connector 项目，替代原来 Python 版本的 [Coco](https://github.com/jumpserver/coco) |
+| [Lion](https://github.com/jumpserver/lion-release) | <a href="https://github.com/jumpserver/lion-release/releases"><img alt="Lion release" src="https://img.shields.io/github/release/jumpserver/lion-release.svg" /></a>  | JumpServer 图形协议 Connector 项目，依赖 [Apache Guacamole](https://guacamole.apache.org/) |
+| [Magnus](https://github.com/jumpserver/magnus-release) | <a href="https://github.com/jumpserver/magnus-release/releases"><img alt="Magnus release" src="https://img.shields.io/github/release/jumpserver/magnus-release.svg" /> | JumpServer 数据库 Proxy Connector 项目) |
+| [Clients](https://github.com/jumpserver/clients) | <a href="https://github.com/jumpserver/clients/releases"><img alt="Clients release" src="https://img.shields.io/github/release/jumpserver/clients.svg" /> | JumpServer 客户端 项目 |
+| [Installer](https://github.com/jumpserver/installer)| <a href="https://github.com/jumpserver/installer/releases"><img alt="Installer release" src="https://img.shields.io/github/release/jumpserver/installer.svg" /> | JumpServer 安装包 项目 |
 
 ### 社区
 
@@ -75,21 +79,7 @@ JumpServer 采纳分布式架构，支持多机房跨区域部署，支持横向
 
 感谢以下贡献者，让 JumpServer 更加完善
 
-<a href="https://github.com/jumpserver/jumpserver/graphs/contributors">
-  <img src="https://contrib.rocks/image?repo=jumpserver/jumpserver" />
-</a>
-
-<a href="https://github.com/jumpserver/koko/graphs/contributors">
-  <img src="https://contrib.rocks/image?repo=jumpserver/koko" />
-</a>
-
-<a href="https://github.com/jumpserver/lina/graphs/contributors">
-  <img src="https://contrib.rocks/image?repo=jumpserver/lina" />
-</a>
-
-<a href="https://github.com/jumpserver/luna/graphs/contributors">
-  <img src="https://contrib.rocks/image?repo=jumpserver/luna" />
-</a>
+<a href="https://github.com/halo-dev/halo/graphs/contributors"><img src="https://opencollective.com/jumpserver/contributors.svg?width=890&button=false" /></a>
 
 
 

From 021635b8507f4bda8e6d4076ca995753d03c0015 Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Mon, 30 May 2022 15:07:05 +0800
Subject: [PATCH 135/258] =?UTF-8?q?perf:=20=E4=BC=98=E5=8C=96=20readme?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 README.md | 32 +++++++++++++++++---------------
 1 file changed, 17 insertions(+), 15 deletions(-)

diff --git a/README.md b/README.md
index 751dec240..70dac07d1 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,6 @@
-<p align="center"><a href="https://jumpserver.org"><img src="https://download.jumpserver.org/images/jumpserver-logo.svg" alt="JumpServer" width="300" /></a></p>
+<p align="center">
+  <a href="https://jumpserver.org"><img src="https://download.jumpserver.org/images/jumpserver-logo.svg" alt="JumpServer" width="300" /></a>
+</p>
 <h3 align="center">多云环境下更好用的堡垒机</h3>
 
 <p align="center">
@@ -16,7 +18,7 @@
 
 JumpServer 是全球首款开源的堡垒机，使用 GPLv3 开源协议，是符合 4A 规范的运维安全审计系统。
 
-JumpServer 使用 Python 开发，遵循 Web 2.0 规范，配备了业界领先的 Web Terminal 方案，交互界面美观、用户体验好。
+JumpServer 使用 Python 开发，配备了业界领先的 Web Terminal 方案，交互界面美观、用户体验好。
 
 JumpServer 采纳分布式架构，支持多机房跨区域部署，支持横向扩展，无资产数量及并发限制。
 
@@ -29,9 +31,9 @@ JumpServer 采纳分布式架构，支持多机房跨区域部署，支持横向
 - 开源: 零门槛，线上快速获取和安装；
 - 分布式: 轻松支持大规模并发访问；
 - 无插件: 仅需浏览器，极致的 Web Terminal 使用体验；
+- 多租户: 一套系统，多个子公司或部门同时使用；
 - 多云支持: 一套系统，同时管理不同云上面的资产；
 - 云端存储: 审计录像云端存储，永不丢失；
-- 多租户: 一套系统，多个子公司和部门同时使用；
 - 多应用支持: 数据库，Windows远程应用，Kubernetes。
 
 ### UI 展示
@@ -62,7 +64,7 @@ JumpServer 采纳分布式架构，支持多机房跨区域部署，支持横向
 | [Luna](https://github.com/jumpserver/luna) | <a href="https://github.com/jumpserver/luna/releases"><img alt="Luna release" src="https://img.shields.io/github/release/jumpserver/luna.svg" /></a> | JumpServer Web Terminal 项目 |
 | [KoKo](https://github.com/jumpserver/koko) | <a href="https://github.com/jumpserver/koko/releases"><img alt="Koko release" src="https://img.shields.io/github/release/jumpserver/koko.svg" /></a> | JumpServer 字符协议 Connector 项目，替代原来 Python 版本的 [Coco](https://github.com/jumpserver/coco) |
 | [Lion](https://github.com/jumpserver/lion-release) | <a href="https://github.com/jumpserver/lion-release/releases"><img alt="Lion release" src="https://img.shields.io/github/release/jumpserver/lion-release.svg" /></a>  | JumpServer 图形协议 Connector 项目，依赖 [Apache Guacamole](https://guacamole.apache.org/) |
-| [Magnus](https://github.com/jumpserver/magnus-release) | <a href="https://github.com/jumpserver/magnus-release/releases"><img alt="Magnus release" src="https://img.shields.io/github/release/jumpserver/magnus-release.svg" /> | JumpServer 数据库 Proxy Connector 项目) |
+| [Magnus](https://github.com/jumpserver/magnus-release) | <a href="https://github.com/jumpserver/magnus-release/releases"><img alt="Magnus release" src="https://img.shields.io/github/release/jumpserver/magnus-release.svg" /> | JumpServer 数据库代理 Connector 项目 |
 | [Clients](https://github.com/jumpserver/clients) | <a href="https://github.com/jumpserver/clients/releases"><img alt="Clients release" src="https://img.shields.io/github/release/jumpserver/clients.svg" /> | JumpServer 客户端 项目 |
 | [Installer](https://github.com/jumpserver/installer)| <a href="https://github.com/jumpserver/installer/releases"><img alt="Installer release" src="https://img.shields.io/github/release/jumpserver/installer.svg" /> | JumpServer 安装包 项目 |
 
@@ -79,13 +81,13 @@ JumpServer 采纳分布式架构，支持多机房跨区域部署，支持横向
 
 感谢以下贡献者，让 JumpServer 更加完善
 
-<a href="https://github.com/halo-dev/halo/graphs/contributors"><img src="https://opencollective.com/jumpserver/contributors.svg?width=890&button=false" /></a>
+<a href="https://github.com/jumpserver/jumpserver/graphs/contributors"><img src="https://opencollective.com/jumpserver/contributors.svg?width=890&button=false" /></a>
 
 
 
 ### 致谢
-- [Apache Guacamole](https://guacamole.apache.org/) Web页面连接 RDP, SSH, VNC协议设备，JumpServer 图形化组件 Lion 依赖 
-- [OmniDB](https://omnidb.org/) Web页面连接使用数据库，JumpServer Web数据库依赖
+- [Apache Guacamole](https://guacamole.apache.org/) Web页面连接 RDP, SSH, VNC 协议设备，JumpServer 图形化组件 Lion 依赖 
+- [OmniDB](https://omnidb.org/) Web 页面连接使用数据库，JumpServer Web 数据库依赖
 
 
 ### JumpServer 企业版 
@@ -93,14 +95,14 @@ JumpServer 采纳分布式架构，支持多机房跨区域部署，支持横向
 
 ### 案例研究
 
-- [JumpServer 堡垒机护航顺丰科技超大规模资产安全运维](https://blog.fit2cloud.com/?p=1147)；
-- [JumpServer 堡垒机让“大智慧”的混合 IT 运维更智慧](https://blog.fit2cloud.com/?p=882)；
-- [携程 JumpServer 堡垒机部署与运营实战](https://blog.fit2cloud.com/?p=851)；
-- [小红书的JumpServer堡垒机大规模资产跨版本迁移之路](https://blog.fit2cloud.com/?p=516)；
-- [JumpServer堡垒机助力中手游提升多云环境下安全运维能力](https://blog.fit2cloud.com/?p=732)；
-- [中通快递：JumpServer主机安全运维实践](https://blog.fit2cloud.com/?p=708)；
-- [东方明珠：JumpServer高效管控异构化、分布式云端资产](https://blog.fit2cloud.com/?p=687)；
-- [江苏农信：JumpServer堡垒机助力行业云安全运维](https://blog.fit2cloud.com/?p=666)。
+- [JumpServer 堡垒机护航顺丰科技超大规模资产安全运维](https://blog.fit2cloud.com/?p=1147)
+- [JumpServer 堡垒机让“大智慧”的混合 IT 运维更智慧](https://blog.fit2cloud.com/?p=882)
+- [携程 JumpServer 堡垒机部署与运营实战](https://blog.fit2cloud.com/?p=851)
+- [小红书的JumpServer堡垒机大规模资产跨版本迁移之路](https://blog.fit2cloud.com/?p=516)
+- [JumpServer堡垒机助力中手游提升多云环境下安全运维能力](https://blog.fit2cloud.com/?p=732)
+- [中通快递：JumpServer主机安全运维实践](https://blog.fit2cloud.com/?p=708)
+- [东方明珠：JumpServer高效管控异构化、分布式云端资产](https://blog.fit2cloud.com/?p=687)
+- [江苏农信：JumpServer堡垒机助力行业云安全运维](https://blog.fit2cloud.com/?p=666)
 
 ### 安全说明
 

From 15423291ccb5379b5399030702f3a30bb99b5cca Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Mon, 30 May 2022 15:25:54 +0800
Subject: [PATCH 136/258] =?UTF-8?q?fix:=20=20=E4=BF=AE=E5=A4=8Dldap?=
 =?UTF-8?q?=E7=94=A8=E6=88=B7=E7=99=BB=E5=BD=95=E6=97=B6=E7=94=A8=E6=88=B7?=
 =?UTF-8?q?=E7=BB=84=E4=B8=8D=E8=AE=BE=E7=BD=AE?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/authentication/backends/ldap.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/apps/authentication/backends/ldap.py b/apps/authentication/backends/ldap.py
index 895226e58..354d6211e 100644
--- a/apps/authentication/backends/ldap.py
+++ b/apps/authentication/backends/ldap.py
@@ -157,6 +157,8 @@ class LDAPUser(_LDAPUser):
 
     def _populate_user_from_attributes(self):
         for field, attr in self.settings.USER_ATTR_MAP.items():
+            if field in ['groups']:
+                continue
             try:
                 value = self.attrs[attr][0]
                 value = value.strip()

From 196663f2055c268e98711253d9509956807a7e3b Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Mon, 30 May 2022 16:01:57 +0800
Subject: [PATCH 137/258] =?UTF-8?q?perf:=20=E4=BF=AE=E6=94=B9=E7=94=9F?=
 =?UTF-8?q?=E6=88=90=E5=81=87=E6=95=B0=E6=8D=AE?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 utils/generate_fake_data/generate.py          |  4 +-
 utils/generate_fake_data/resources/system.py  |  4 +-
 .../generate_fake_data/resources/terminal.py  | 45 ++++++++++++++++++-
 utils/generate_fake_data/resources/users.py   |  2 -
 4 files changed, 48 insertions(+), 7 deletions(-)

diff --git a/utils/generate_fake_data/generate.py b/utils/generate_fake_data/generate.py
index fb41d7e1d..97340e8e6 100644
--- a/utils/generate_fake_data/generate.py
+++ b/utils/generate_fake_data/generate.py
@@ -15,8 +15,7 @@ django.setup()
 from resources.assets import AssetsGenerator, NodesGenerator, SystemUsersGenerator, AdminUsersGenerator
 from resources.users import UserGroupGenerator, UserGenerator
 from resources.perms import AssetPermissionGenerator
-from resources.terminal import CommandGenerator
-# from resources.system import StatGenerator
+from resources.terminal import CommandGenerator, SessionGenerator
 
 
 resource_generator_mapper = {
@@ -28,6 +27,7 @@ resource_generator_mapper = {
     'user_group': UserGroupGenerator,
     'asset_permission': AssetPermissionGenerator,
     'command': CommandGenerator,
+    'session': SessionGenerator
     # 'stat': StatGenerator
 }
 
diff --git a/utils/generate_fake_data/resources/system.py b/utils/generate_fake_data/resources/system.py
index 69a12d144..fb40ce83a 100644
--- a/utils/generate_fake_data/resources/system.py
+++ b/utils/generate_fake_data/resources/system.py
@@ -1,7 +1,7 @@
 import random
 
 from .base import FakeDataGenerator
-from system.models import *
+from terminal.models import *
 
 
 class StatGenerator(FakeDataGenerator):
@@ -66,4 +66,4 @@ class StatGenerator(FakeDataGenerator):
                         'datetime': datetime
                     })
                     items.append(Stat(**node))
-            Stat.objects.bulk_create(items, ignore_conflicts=True)
\ No newline at end of file
+            Stat.objects.bulk_create(items, ignore_conflicts=True)
diff --git a/utils/generate_fake_data/resources/terminal.py b/utils/generate_fake_data/resources/terminal.py
index 48d825b47..481e98f6d 100644
--- a/utils/generate_fake_data/resources/terminal.py
+++ b/utils/generate_fake_data/resources/terminal.py
@@ -1,5 +1,9 @@
 from .base import FakeDataGenerator
-from terminal.models import Command
+from users.models import *
+from assets.models import *
+from terminal.models import *
+import forgery_py
+import random
 
 
 class CommandGenerator(FakeDataGenerator):
@@ -8,3 +12,42 @@ class CommandGenerator(FakeDataGenerator):
     def do_generate(self, batch, batch_size):
         Command.generate_fake(len(batch), self.org)
 
+
+class SessionGenerator(FakeDataGenerator):
+    resource = 'session'
+    users: list
+    assets: list
+    system_users: list
+
+    def pre_generate(self):
+        self.users = list(User.objects.all())
+        self.assets = list(Asset.objects.all())
+        self.system_users = list(SystemUser.objects.all())
+
+    def do_generate(self, batch, batch_size):
+        user = random.choice(self.users)
+        asset = random.choice(self.assets)
+        system_user = random.choice(self.system_users)
+
+        objects = []
+
+        now = timezone.now()
+        timedelta = list(range(30))
+        for i in batch:
+            delta = random.choice(timedelta)
+            date_start = now - timezone.timedelta(days=delta, seconds=delta * 60)
+            date_end = date_start + timezone.timedelta(seconds=delta * 60)
+            data = dict(
+                user=user.name,
+                user_id=user.id,
+                asset=asset.hostname,
+                asset_id=asset.id,
+                system_user=system_user.name,
+                system_user_id=system_user.id,
+                org_id=self.org.id,
+                date_start=date_start,
+                date_end=date_end,
+            )
+            objects.append(Session(**data))
+        creates = Session.objects.bulk_create(objects, ignore_conflicts=True)
+
diff --git a/utils/generate_fake_data/resources/users.py b/utils/generate_fake_data/resources/users.py
index 887c7240c..c973fec5e 100644
--- a/utils/generate_fake_data/resources/users.py
+++ b/utils/generate_fake_data/resources/users.py
@@ -24,7 +24,6 @@ class UserGenerator(FakeDataGenerator):
     group_ids: list
 
     def pre_generate(self):
-        self.roles = list(dict(User.ROLE.choices).keys())
         self.group_ids = list(UserGroup.objects.all().values_list('id', flat=True))
 
     def set_org(self, users):
@@ -53,7 +52,6 @@ class UserGenerator(FakeDataGenerator):
                 username=username,
                 email=email,
                 name=username.title(),
-                role=choice(self.roles),
                 created_by='Faker'
             )
             users.append(u)

From 327c6beab4c175a5d85a4033c53f42c6f5e6aee8 Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Mon, 30 May 2022 16:20:34 +0800
Subject: [PATCH 138/258] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=E5=81=87?=
 =?UTF-8?q?=E6=95=B0=E6=8D=AE=E6=9E=84=E9=80=A0?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 utils/generate_fake_data/resources/terminal.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/utils/generate_fake_data/resources/terminal.py b/utils/generate_fake_data/resources/terminal.py
index 481e98f6d..fde3cd267 100644
--- a/utils/generate_fake_data/resources/terminal.py
+++ b/utils/generate_fake_data/resources/terminal.py
@@ -47,6 +47,7 @@ class SessionGenerator(FakeDataGenerator):
                 org_id=self.org.id,
                 date_start=date_start,
                 date_end=date_end,
+                is_finished=True
             )
             objects.append(Session(**data))
         creates = Session.objects.bulk_create(objects, ignore_conflicts=True)

From f7cbcc46f4d8e245ea767a023ddf9555aa40f81f Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Tue, 31 May 2022 15:58:14 +0800
Subject: [PATCH 139/258] =?UTF-8?q?perf:=20=E5=8D=87=E7=BA=A7=20ansible=20?=
 =?UTF-8?q?version?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 requirements/requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/requirements/requirements.txt b/requirements/requirements.txt
index 6387c2dd9..8833b6e60 100644
--- a/requirements/requirements.txt
+++ b/requirements/requirements.txt
@@ -1,5 +1,5 @@
 amqp==5.0.9
-ansible==2.10
+ansible==2.10.7
 asn1crypto==0.24.0
 bcrypt==3.1.4
 billiard==3.6.4.0

From af1150bb86524b6dfc70bc6e4b982c871c1596f2 Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Tue, 31 May 2022 15:39:49 +0800
Subject: [PATCH 140/258] =?UTF-8?q?feat:=20OIDC=20=E7=94=A8=E6=88=B7?=
 =?UTF-8?q?=E6=B7=BB=E5=8A=A0=E5=B1=9E=E6=80=A7=E6=98=A0=E5=B0=84=E5=80=BC?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/authentication/backends/oidc/backends.py | 24 ++++++++++++-------
 apps/jumpserver/conf.py                       |  3 +++
 apps/jumpserver/settings/auth.py              |  1 +
 apps/settings/serializers/auth/oidc.py        |  5 ++++
 4 files changed, 24 insertions(+), 9 deletions(-)

diff --git a/apps/authentication/backends/oidc/backends.py b/apps/authentication/backends/oidc/backends.py
index daa614ec8..ec5765510 100644
--- a/apps/authentication/backends/oidc/backends.py
+++ b/apps/authentication/backends/oidc/backends.py
@@ -18,6 +18,7 @@ from django.urls import reverse
 from django.conf import settings
 
 from common.utils import get_logger
+from users.utils import construct_user_email
 
 from ..base import JMSBaseAuthBackend
 from .utils import validate_and_return_id_token, build_absolute_uri
@@ -39,17 +40,22 @@ class UserMixin:
         logger.debug(log_prompt.format('start'))
 
         sub = claims['sub']
-        name = claims.get('name', sub)
-        username = claims.get('preferred_username', sub)
-        email = claims.get('email', "{}@{}".format(username, 'jumpserver.openid'))
-        logger.debug(
-            log_prompt.format(
-                "sub: {}|name: {}|username: {}|email: {}".format(sub, name, username, email)
-            )
-        )
+
+        # Construct user attrs value
+        user_attrs = {}
+        for field, attr in settings.AUTH_OPENID_USER_ATTR_MAP.items():
+            user_attrs[field] = claims.get(attr, sub)
+        email = user_attrs.get('email', '')
+        email = construct_user_email(user_attrs.get('username'), email, 'jumpserver.openid')
+        user_attrs.update({'email': email})
+
+        logger.debug(log_prompt.format(user_attrs))
+
+        username = user_attrs.get('username')
+        name = user_attrs.get('name')
 
         user, created = get_user_model().objects.get_or_create(
-            username=username, defaults={"name": name, "email": email}
+            username=username, defaults=user_attrs
         )
         logger.debug(log_prompt.format("user: {}|created: {}".format(user, created)))
         logger.debug(log_prompt.format("Send signal => openid create or update user"))
diff --git a/apps/jumpserver/conf.py b/apps/jumpserver/conf.py
index 6f84397ac..85c3b4598 100644
--- a/apps/jumpserver/conf.py
+++ b/apps/jumpserver/conf.py
@@ -191,6 +191,9 @@ class Config(dict):
         'AUTH_OPENID_CLIENT_AUTH_METHOD': 'client_secret_basic',
         'AUTH_OPENID_SHARE_SESSION': True,
         'AUTH_OPENID_IGNORE_SSL_VERIFICATION': True,
+        'AUTH_OPENID_USER_ATTR_MAP': {
+            'name': 'name', 'username': 'preferred_username', 'email': 'email'
+        },
 
         # OpenID 新配置参数 (version >= 1.5.9)
         'AUTH_OPENID_PROVIDER_ENDPOINT': 'https://oidc.example.com/',
diff --git a/apps/jumpserver/settings/auth.py b/apps/jumpserver/settings/auth.py
index fb067078f..010e92f31 100644
--- a/apps/jumpserver/settings/auth.py
+++ b/apps/jumpserver/settings/auth.py
@@ -73,6 +73,7 @@ AUTH_OPENID_USE_NONCE = CONFIG.AUTH_OPENID_USE_NONCE
 AUTH_OPENID_SHARE_SESSION = CONFIG.AUTH_OPENID_SHARE_SESSION
 AUTH_OPENID_IGNORE_SSL_VERIFICATION = CONFIG.AUTH_OPENID_IGNORE_SSL_VERIFICATION
 AUTH_OPENID_ALWAYS_UPDATE_USER = CONFIG.AUTH_OPENID_ALWAYS_UPDATE_USER
+AUTH_OPENID_USER_ATTR_MAP = CONFIG.AUTH_OPENID_USER_ATTR_MAP
 AUTH_OPENID_AUTH_LOGIN_URL_NAME = 'authentication:openid:login'
 AUTH_OPENID_AUTH_LOGIN_CALLBACK_URL_NAME = 'authentication:openid:login-callback'
 AUTH_OPENID_AUTH_LOGOUT_URL_NAME = 'authentication:openid:logout'
diff --git a/apps/settings/serializers/auth/oidc.py b/apps/settings/serializers/auth/oidc.py
index 5ab73ea04..ad30729a0 100644
--- a/apps/settings/serializers/auth/oidc.py
+++ b/apps/settings/serializers/auth/oidc.py
@@ -31,6 +31,11 @@ class CommonSettingSerializer(serializers.Serializer):
     AUTH_OPENID_IGNORE_SSL_VERIFICATION = serializers.BooleanField(
         required=False, label=_('Ignore ssl verification')
     )
+    AUTH_OPENID_USER_ATTR_MAP = serializers.DictField(
+        required=True, label=_('User attr map'),
+        help_text=_('User attr map present how to map OpenID user attr to '
+                    'jumpserver, username,name,email is jumpserver attr')
+    )
 
 
 class KeycloakSettingSerializer(CommonSettingSerializer):

From 6c0d0c3e9285d5e144463b71eeee84bd07f32237 Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Tue, 31 May 2022 16:09:31 +0800
Subject: [PATCH 141/258] =?UTF-8?q?feat:=20OIDC=20=E7=94=A8=E6=88=B7?=
 =?UTF-8?q?=E6=B7=BB=E5=8A=A0=E5=B1=9E=E6=80=A7=E6=98=A0=E5=B0=84=E5=80=BC?=
 =?UTF-8?q?=20(#8327)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* feat: OIDC 用户添加属性映射值

* feat: OIDC 用户添加属性映射值

Co-authored-by: Jiangjie.Bai <bugatti_it@163.com>
---
 apps/locale/ja/LC_MESSAGES/django.po | 139 +++++++++++++++------------
 apps/locale/zh/LC_MESSAGES/django.po | 139 +++++++++++++++------------
 2 files changed, 154 insertions(+), 124 deletions(-)

diff --git a/apps/locale/ja/LC_MESSAGES/django.po b/apps/locale/ja/LC_MESSAGES/django.po
index d850a1cc1..2d7a87994 100644
--- a/apps/locale/ja/LC_MESSAGES/django.po
+++ b/apps/locale/ja/LC_MESSAGES/django.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-05-19 13:16+0800\n"
+"POT-Creation-Date: 2022-05-31 16:02+0800\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -134,7 +134,7 @@ msgstr "システムユーザー"
 #: terminal/backends/command/serializers.py:13 terminal/models/session.py:46
 #: terminal/notifications.py:90
 #: xpack/plugins/change_auth_plan/models/asset.py:199
-#: xpack/plugins/change_auth_plan/serializers/asset.py:180
+#: xpack/plugins/change_auth_plan/serializers/asset.py:181
 #: xpack/plugins/cloud/models.py:223
 msgid "Asset"
 msgstr "資産"
@@ -320,7 +320,7 @@ msgid "Domain"
 msgstr "ドメイン"
 
 #: applications/models/application.py:228 xpack/plugins/cloud/models.py:33
-#: xpack/plugins/cloud/serializers/account.py:59
+#: xpack/plugins/cloud/serializers/account.py:60
 msgid "Attrs"
 msgstr "ツールバーの"
 
@@ -414,10 +414,10 @@ msgstr "アプリケーションパス"
 
 #: applications/serializers/attrs/application_category/remote_app.py:44
 #: assets/serializers/system_user.py:168
-#: xpack/plugins/change_auth_plan/serializers/asset.py:66
-#: xpack/plugins/change_auth_plan/serializers/asset.py:69
-#: xpack/plugins/change_auth_plan/serializers/asset.py:72
-#: xpack/plugins/change_auth_plan/serializers/asset.py:103
+#: xpack/plugins/change_auth_plan/serializers/asset.py:67
+#: xpack/plugins/change_auth_plan/serializers/asset.py:70
+#: xpack/plugins/change_auth_plan/serializers/asset.py:73
+#: xpack/plugins/change_auth_plan/serializers/asset.py:104
 #: xpack/plugins/cloud/serializers/account_attrs.py:54
 msgid "This field is required."
 msgstr "このフィールドは必須です。"
@@ -665,7 +665,7 @@ msgstr "すべて"
 #: assets/models/backup.py:52 assets/serializers/backup.py:32
 #: xpack/plugins/change_auth_plan/models/app.py:41
 #: xpack/plugins/change_auth_plan/models/asset.py:62
-#: xpack/plugins/change_auth_plan/serializers/base.py:44
+#: xpack/plugins/change_auth_plan/serializers/base.py:49
 msgid "Recipient"
 msgstr "受信者"
 
@@ -708,7 +708,7 @@ msgstr "アカウントのバックアップスナップショット"
 
 #: assets/models/backup.py:116 assets/serializers/backup.py:40
 #: xpack/plugins/change_auth_plan/models/base.py:125
-#: xpack/plugins/change_auth_plan/serializers/base.py:73
+#: xpack/plugins/change_auth_plan/serializers/base.py:82
 msgid "Trigger mode"
 msgstr "トリガーモード"
 
@@ -716,7 +716,7 @@ msgstr "トリガーモード"
 #: terminal/models/sharing.py:94
 #: xpack/plugins/change_auth_plan/models/base.py:201
 #: xpack/plugins/change_auth_plan/serializers/app.py:66
-#: xpack/plugins/change_auth_plan/serializers/asset.py:179
+#: xpack/plugins/change_auth_plan/serializers/asset.py:180
 #: xpack/plugins/cloud/models.py:179
 msgid "Reason"
 msgstr "理由"
@@ -726,7 +726,7 @@ msgstr "理由"
 #: terminal/serializers/session.py:35
 #: xpack/plugins/change_auth_plan/models/base.py:202
 #: xpack/plugins/change_auth_plan/serializers/app.py:67
-#: xpack/plugins/change_auth_plan/serializers/asset.py:181
+#: xpack/plugins/change_auth_plan/serializers/asset.py:182
 msgid "Is success"
 msgstr "成功は"
 
@@ -735,7 +735,8 @@ msgid "Account backup execution"
 msgstr "アカウントバックアップの実行"
 
 #: assets/models/base.py:30 assets/tasks/const.py:51 audits/const.py:5
-#: common/utils/ip/geoip/utils.py:41 common/utils/ip/utils.py:78
+#: common/utils/ip/geoip/utils.py:31 common/utils/ip/geoip/utils.py:37
+#: common/utils/ip/utils.py:84
 msgid "Unknown"
 msgstr "不明"
 
@@ -745,8 +746,8 @@ msgstr "OK"
 
 #: assets/models/base.py:32 audits/models.py:118
 #: xpack/plugins/change_auth_plan/serializers/app.py:88
-#: xpack/plugins/change_auth_plan/serializers/asset.py:198
-#: xpack/plugins/cloud/const.py:31
+#: xpack/plugins/change_auth_plan/serializers/asset.py:199
+#: xpack/plugins/cloud/const.py:32
 msgid "Failed"
 msgstr "失敗しました"
 
@@ -769,6 +770,8 @@ msgstr "確認済みの日付"
 #: xpack/plugins/change_auth_plan/models/base.py:42
 #: xpack/plugins/change_auth_plan/models/base.py:121
 #: xpack/plugins/change_auth_plan/models/base.py:196
+#: xpack/plugins/change_auth_plan/serializers/base.py:22
+#: xpack/plugins/change_auth_plan/serializers/base.py:77
 #: xpack/plugins/cloud/serializers/account_attrs.py:26
 msgid "Password"
 msgstr "パスワード"
@@ -898,7 +901,7 @@ msgstr "テストゲートウェイ"
 msgid "Unable to connect to port {port} on {ip}"
 msgstr "{ip} でポート {port} に接続できません"
 
-#: assets/models/domain.py:133
+#: assets/models/domain.py:133 xpack/plugins/cloud/providers/fc.py:48
 msgid "Authentication failed"
 msgstr "認証に失敗しました"
 
@@ -1115,12 +1118,12 @@ msgstr "アクション"
 
 #: assets/serializers/backup.py:31 ops/mixin.py:106 ops/mixin.py:147
 #: settings/serializers/auth/ldap.py:65
-#: xpack/plugins/change_auth_plan/serializers/base.py:42
+#: xpack/plugins/change_auth_plan/serializers/base.py:47
 msgid "Periodic perform"
 msgstr "定期的なパフォーマンス"
 
 #: assets/serializers/backup.py:33
-#: xpack/plugins/change_auth_plan/serializers/base.py:45
+#: xpack/plugins/change_auth_plan/serializers/base.py:50
 msgid "Currently only mail sending is supported"
 msgstr "現在、メール送信のみがサポートされています"
 
@@ -1414,7 +1417,7 @@ msgstr "ファイル名"
 #: audits/models.py:43 audits/models.py:117 terminal/models/sharing.py:90
 #: tickets/views/approve.py:98
 #: xpack/plugins/change_auth_plan/serializers/app.py:87
-#: xpack/plugins/change_auth_plan/serializers/asset.py:197
+#: xpack/plugins/change_auth_plan/serializers/asset.py:198
 msgid "Success"
 msgstr "成功"
 
@@ -2196,7 +2199,7 @@ msgstr "コードエラー"
 #: authentication/templates/authentication/_msg_reset_password.html:3
 #: authentication/templates/authentication/_msg_rest_password_success.html:2
 #: authentication/templates/authentication/_msg_rest_public_key_success.html:2
-#: jumpserver/conf.py:301 ops/tasks.py:145 ops/tasks.py:148
+#: jumpserver/conf.py:304 ops/tasks.py:145 ops/tasks.py:148
 #: perms/templates/perms/_msg_item_permissions_expire.html:3
 #: perms/templates/perms/_msg_permed_items_expire.html:3
 #: tickets/templates/tickets/approve_check_password.html:23
@@ -2647,15 +2650,14 @@ msgstr "確認コードが正しくありません"
 msgid "Please wait {} seconds before sending"
 msgstr "{} 秒待ってから送信してください"
 
-#: common/utils/ip/geoip/utils.py:17 common/utils/ip/geoip/utils.py:30
-#: common/utils/ip/ipip/utils.py:15
-msgid "Invalid ip"
-msgstr "無効なIP"
-
-#: common/utils/ip/geoip/utils.py:28
+#: common/utils/ip/geoip/utils.py:24
 msgid "LAN"
 msgstr "LAN"
 
+#: common/utils/ip/geoip/utils.py:26 common/utils/ip/utils.py:78
+msgid "Invalid ip"
+msgstr "無効なIP"
+
 #: common/validators.py:32
 msgid "This field must be unique."
 msgstr "このフィールドは一意である必要があります。"
@@ -2668,11 +2670,11 @@ msgstr "特殊文字を含むべきではない"
 msgid "The mobile phone number format is incorrect"
 msgstr "携帯電話番号の形式が正しくありません"
 
-#: jumpserver/conf.py:300
+#: jumpserver/conf.py:303
 msgid "Create account successfully"
 msgstr "アカウントを正常に作成"
 
-#: jumpserver/conf.py:302
+#: jumpserver/conf.py:305
 msgid "Your account has been created successfully"
 msgstr "アカウントが正常に作成されました"
 
@@ -3476,7 +3478,7 @@ msgstr "ログインリダイレクトの有効化msg"
 msgid "Enable CAS Auth"
 msgstr "CAS 認証の有効化"
 
-#: settings/serializers/auth/cas.py:11 settings/serializers/auth/oidc.py:42
+#: settings/serializers/auth/cas.py:11 settings/serializers/auth/oidc.py:47
 msgid "Server url"
 msgstr "サービス側アドレス"
 
@@ -3541,7 +3543,7 @@ msgstr "ユーザー検索フィルター"
 msgid "Choice may be (cn|uid|sAMAccountName)=%(user)s)"
 msgstr "選択は (cnまたはuidまたはsAMAccountName)=%(user)s)"
 
-#: settings/serializers/auth/ldap.py:57
+#: settings/serializers/auth/ldap.py:57 settings/serializers/auth/oidc.py:35
 msgid "User attr map"
 msgstr "ユーザー属性マッピング"
 
@@ -3590,71 +3592,79 @@ msgstr "セッションの共有"
 msgid "Ignore ssl verification"
 msgstr "Ssl検証を無視する"
 
-#: settings/serializers/auth/oidc.py:39
+#: settings/serializers/auth/oidc.py:36
+msgid ""
+"User attr map present how to map OpenID user attr to jumpserver, username,"
+"name,email is jumpserver attr"
+msgstr ""
+"ユーザー属性マッピングは、OpenIDのユーザー属性をjumpserverユーザーにマッピング"
+"する方法、username, name,emailはjumpserverのユーザーが必要とする属性です"
+
+#: settings/serializers/auth/oidc.py:44
 msgid "Use Keycloak"
 msgstr "Keycloakを使用する"
 
-#: settings/serializers/auth/oidc.py:45
+#: settings/serializers/auth/oidc.py:50
 msgid "Realm name"
 msgstr "レルム名"
 
-#: settings/serializers/auth/oidc.py:51
+#: settings/serializers/auth/oidc.py:56
 msgid "Enable OPENID Auth"
 msgstr "OIDC認証の有効化"
 
-#: settings/serializers/auth/oidc.py:53
+#: settings/serializers/auth/oidc.py:58
 msgid "Provider endpoint"
 msgstr "プロバイダーエンドポイント"
 
-#: settings/serializers/auth/oidc.py:56
+#: settings/serializers/auth/oidc.py:61
 msgid "Provider auth endpoint"
 msgstr "認証エンドポイントアドレス"
 
-#: settings/serializers/auth/oidc.py:59
+#: settings/serializers/auth/oidc.py:64
 msgid "Provider token endpoint"
 msgstr "プロバイダートークンエンドポイント"
 
-#: settings/serializers/auth/oidc.py:62
+#: settings/serializers/auth/oidc.py:67
 msgid "Provider jwks endpoint"
 msgstr "プロバイダーjwksエンドポイント"
 
-#: settings/serializers/auth/oidc.py:65
+#: settings/serializers/auth/oidc.py:70
 msgid "Provider userinfo endpoint"
 msgstr "プロバイダーuserinfoエンドポイント"
 
-#: settings/serializers/auth/oidc.py:68
+#: settings/serializers/auth/oidc.py:73
 msgid "Provider end session endpoint"
 msgstr "プロバイダーのセッション終了エンドポイント"
 
-#: settings/serializers/auth/oidc.py:71
+#: settings/serializers/auth/oidc.py:76
 msgid "Provider sign alg"
 msgstr "プロビダーサインalg"
 
-#: settings/serializers/auth/oidc.py:74
+#: settings/serializers/auth/oidc.py:79
 msgid "Provider sign key"
 msgstr "プロバイダ署名キー"
 
-#: settings/serializers/auth/oidc.py:76
+#: settings/serializers/auth/oidc.py:81
 msgid "Scopes"
 msgstr "スコープ"
 
-#: settings/serializers/auth/oidc.py:78
+#: settings/serializers/auth/oidc.py:83
 msgid "Id token max age"
 msgstr "IDトークンの最大年齢"
 
-#: settings/serializers/auth/oidc.py:81
+#: settings/serializers/auth/oidc.py:86
 msgid "Id token include claims"
 msgstr "IDトークンにはクレームが含まれます"
 
-#: settings/serializers/auth/oidc.py:83
+#: settings/serializers/auth/oidc.py:88
 msgid "Use state"
 msgstr "使用状態"
 
-#: settings/serializers/auth/oidc.py:84
+#: settings/serializers/auth/oidc.py:89
 msgid "Use nonce"
 msgstr "Nonceを使用"
 
-#: settings/serializers/auth/oidc.py:86 settings/serializers/auth/saml2.py:33
+#: settings/serializers/auth/oidc.py:91 settings/serializers/auth/saml2.py:33
 msgid "Always update user"
 msgstr "常にユーザーを更新"
 
@@ -5775,7 +5785,7 @@ msgstr "組織ロール"
 
 #: users/serializers/user.py:79
 #: xpack/plugins/change_auth_plan/models/base.py:35
-#: xpack/plugins/change_auth_plan/serializers/base.py:22
+#: xpack/plugins/change_auth_plan/serializers/base.py:27
 msgid "Password strategy"
 msgstr "パスワード戦略"
 
@@ -6160,7 +6170,7 @@ msgid "Replace (The key generated by JumpServer) "
 msgstr "置換(JumpServerによって生成された鍵)"
 
 #: xpack/plugins/change_auth_plan/models/asset.py:49
-#: xpack/plugins/change_auth_plan/serializers/asset.py:35
+#: xpack/plugins/change_auth_plan/serializers/asset.py:36
 msgid "SSH Key strategy"
 msgstr "SSHキー戦略"
 
@@ -6252,23 +6262,23 @@ msgstr ""
 "{} -暗号化変更タスクが完了しました: 暗号化パスワードが設定されていません-個人"
 "情報にアクセスしてください-> ファイル暗号化パスワードを設定してください"
 
-#: xpack/plugins/change_auth_plan/serializers/asset.py:32
+#: xpack/plugins/change_auth_plan/serializers/asset.py:33
 msgid "Change Password"
 msgstr "パスワードの変更"
 
-#: xpack/plugins/change_auth_plan/serializers/asset.py:33
+#: xpack/plugins/change_auth_plan/serializers/asset.py:34
 msgid "Change SSH Key"
 msgstr "SSHキーの変更"
 
-#: xpack/plugins/change_auth_plan/serializers/base.py:43
+#: xpack/plugins/change_auth_plan/serializers/base.py:48
 msgid "Run times"
 msgstr "実行時間"
 
-#: xpack/plugins/change_auth_plan/serializers/base.py:57
+#: xpack/plugins/change_auth_plan/serializers/base.py:62
 msgid "* Please enter the correct password length"
 msgstr "* 正しいパスワードの長さを入力してください"
 
-#: xpack/plugins/change_auth_plan/serializers/base.py:60
+#: xpack/plugins/change_auth_plan/serializers/base.py:65
 msgid "* Password length range 6-30 bits"
 msgstr "* パスワードの長さの範囲6-30ビット"
 
@@ -6356,31 +6366,35 @@ msgstr "OpenStack"
 msgid "Google Cloud Platform"
 msgstr "谷歌雲"
 
-#: xpack/plugins/cloud/const.py:26
+#: xpack/plugins/cloud/const.py:23
+msgid "Fusion Compute"
+msgstr ""
+
+#: xpack/plugins/cloud/const.py:27
 msgid "Instance name"
 msgstr "インスタンス名"
 
-#: xpack/plugins/cloud/const.py:27
+#: xpack/plugins/cloud/const.py:28
 msgid "Instance name and Partial IP"
 msgstr "インスタンス名と部分IP"
 
-#: xpack/plugins/cloud/const.py:32
+#: xpack/plugins/cloud/const.py:33
 msgid "Succeed"
 msgstr "成功"
 
-#: xpack/plugins/cloud/const.py:36
+#: xpack/plugins/cloud/const.py:37
 msgid "Unsync"
 msgstr "同期していません"
 
-#: xpack/plugins/cloud/const.py:37
+#: xpack/plugins/cloud/const.py:38
 msgid "New Sync"
 msgstr "新しい同期"
 
-#: xpack/plugins/cloud/const.py:38
+#: xpack/plugins/cloud/const.py:39
 msgid "Synced"
 msgstr "同期済み"
 
-#: xpack/plugins/cloud/const.py:39
+#: xpack/plugins/cloud/const.py:40
 msgid "Released"
 msgstr "リリース済み"
 
@@ -6654,11 +6668,11 @@ msgstr "華南-広州-友好ユーザー環境"
 msgid "CN East-Suqian"
 msgstr "華東-宿遷"
 
-#: xpack/plugins/cloud/serializers/account.py:60
+#: xpack/plugins/cloud/serializers/account.py:61
 msgid "Validity display"
 msgstr "有効表示"
 
-#: xpack/plugins/cloud/serializers/account.py:61
+#: xpack/plugins/cloud/serializers/account.py:62
 msgid "Provider display"
 msgstr "プロバイダ表示"
 
@@ -6676,6 +6690,7 @@ msgstr "サブスクリプションID"
 
 #: xpack/plugins/cloud/serializers/account_attrs.py:93
 #: xpack/plugins/cloud/serializers/account_attrs.py:98
+#: xpack/plugins/cloud/serializers/account_attrs.py:122
 msgid "API Endpoint"
 msgstr "APIエンドポイント"
 
diff --git a/apps/locale/zh/LC_MESSAGES/django.po b/apps/locale/zh/LC_MESSAGES/django.po
index 2ee578f43..8560a07ac 100644
--- a/apps/locale/zh/LC_MESSAGES/django.po
+++ b/apps/locale/zh/LC_MESSAGES/django.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: JumpServer 0.3.3\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-05-19 13:16+0800\n"
+"POT-Creation-Date: 2022-05-31 16:02+0800\n"
 "PO-Revision-Date: 2021-05-20 10:54+0800\n"
 "Last-Translator: ibuler <ibuler@qq.com>\n"
 "Language-Team: JumpServer team<ibuler@qq.com>\n"
@@ -133,7 +133,7 @@ msgstr "系统用户"
 #: terminal/backends/command/serializers.py:13 terminal/models/session.py:46
 #: terminal/notifications.py:90
 #: xpack/plugins/change_auth_plan/models/asset.py:199
-#: xpack/plugins/change_auth_plan/serializers/asset.py:180
+#: xpack/plugins/change_auth_plan/serializers/asset.py:181
 #: xpack/plugins/cloud/models.py:223
 msgid "Asset"
 msgstr "资产"
@@ -315,7 +315,7 @@ msgid "Domain"
 msgstr "网域"
 
 #: applications/models/application.py:228 xpack/plugins/cloud/models.py:33
-#: xpack/plugins/cloud/serializers/account.py:59
+#: xpack/plugins/cloud/serializers/account.py:60
 msgid "Attrs"
 msgstr "属性"
 
@@ -409,10 +409,10 @@ msgstr "应用路径"
 
 #: applications/serializers/attrs/application_category/remote_app.py:44
 #: assets/serializers/system_user.py:168
-#: xpack/plugins/change_auth_plan/serializers/asset.py:66
-#: xpack/plugins/change_auth_plan/serializers/asset.py:69
-#: xpack/plugins/change_auth_plan/serializers/asset.py:72
-#: xpack/plugins/change_auth_plan/serializers/asset.py:103
+#: xpack/plugins/change_auth_plan/serializers/asset.py:67
+#: xpack/plugins/change_auth_plan/serializers/asset.py:70
+#: xpack/plugins/change_auth_plan/serializers/asset.py:73
+#: xpack/plugins/change_auth_plan/serializers/asset.py:104
 #: xpack/plugins/cloud/serializers/account_attrs.py:54
 msgid "This field is required."
 msgstr "该字段是必填项。"
@@ -660,7 +660,7 @@ msgstr "全部"
 #: assets/models/backup.py:52 assets/serializers/backup.py:32
 #: xpack/plugins/change_auth_plan/models/app.py:41
 #: xpack/plugins/change_auth_plan/models/asset.py:62
-#: xpack/plugins/change_auth_plan/serializers/base.py:44
+#: xpack/plugins/change_auth_plan/serializers/base.py:49
 msgid "Recipient"
 msgstr "收件人"
 
@@ -703,7 +703,7 @@ msgstr "账号备份快照"
 
 #: assets/models/backup.py:116 assets/serializers/backup.py:40
 #: xpack/plugins/change_auth_plan/models/base.py:125
-#: xpack/plugins/change_auth_plan/serializers/base.py:73
+#: xpack/plugins/change_auth_plan/serializers/base.py:82
 msgid "Trigger mode"
 msgstr "触发模式"
 
@@ -711,7 +711,7 @@ msgstr "触发模式"
 #: terminal/models/sharing.py:94
 #: xpack/plugins/change_auth_plan/models/base.py:201
 #: xpack/plugins/change_auth_plan/serializers/app.py:66
-#: xpack/plugins/change_auth_plan/serializers/asset.py:179
+#: xpack/plugins/change_auth_plan/serializers/asset.py:180
 #: xpack/plugins/cloud/models.py:179
 msgid "Reason"
 msgstr "原因"
@@ -721,7 +721,7 @@ msgstr "原因"
 #: terminal/serializers/session.py:35
 #: xpack/plugins/change_auth_plan/models/base.py:202
 #: xpack/plugins/change_auth_plan/serializers/app.py:67
-#: xpack/plugins/change_auth_plan/serializers/asset.py:181
+#: xpack/plugins/change_auth_plan/serializers/asset.py:182
 msgid "Is success"
 msgstr "是否成功"
 
@@ -730,7 +730,8 @@ msgid "Account backup execution"
 msgstr "账号备份执行"
 
 #: assets/models/base.py:30 assets/tasks/const.py:51 audits/const.py:5
-#: common/utils/ip/geoip/utils.py:41 common/utils/ip/utils.py:78
+#: common/utils/ip/geoip/utils.py:31 common/utils/ip/geoip/utils.py:37
+#: common/utils/ip/utils.py:84
 msgid "Unknown"
 msgstr "未知"
 
@@ -740,8 +741,8 @@ msgstr "成功"
 
 #: assets/models/base.py:32 audits/models.py:118
 #: xpack/plugins/change_auth_plan/serializers/app.py:88
-#: xpack/plugins/change_auth_plan/serializers/asset.py:198
-#: xpack/plugins/cloud/const.py:31
+#: xpack/plugins/change_auth_plan/serializers/asset.py:199
+#: xpack/plugins/cloud/const.py:32
 msgid "Failed"
 msgstr "失败"
 
@@ -764,6 +765,8 @@ msgstr "校验日期"
 #: xpack/plugins/change_auth_plan/models/base.py:42
 #: xpack/plugins/change_auth_plan/models/base.py:121
 #: xpack/plugins/change_auth_plan/models/base.py:196
+#: xpack/plugins/change_auth_plan/serializers/base.py:22
+#: xpack/plugins/change_auth_plan/serializers/base.py:77
 #: xpack/plugins/cloud/serializers/account_attrs.py:26
 msgid "Password"
 msgstr "密码"
@@ -893,7 +896,7 @@ msgstr "测试网关"
 msgid "Unable to connect to port {port} on {ip}"
 msgstr "无法连接到 {ip} 上的端口 {port}"
 
-#: assets/models/domain.py:133
+#: assets/models/domain.py:133 xpack/plugins/cloud/providers/fc.py:48
 msgid "Authentication failed"
 msgstr "认证失败"
 
@@ -1107,12 +1110,12 @@ msgstr "动作"
 
 #: assets/serializers/backup.py:31 ops/mixin.py:106 ops/mixin.py:147
 #: settings/serializers/auth/ldap.py:65
-#: xpack/plugins/change_auth_plan/serializers/base.py:42
+#: xpack/plugins/change_auth_plan/serializers/base.py:47
 msgid "Periodic perform"
 msgstr "定时执行"
 
 #: assets/serializers/backup.py:33
-#: xpack/plugins/change_auth_plan/serializers/base.py:45
+#: xpack/plugins/change_auth_plan/serializers/base.py:50
 msgid "Currently only mail sending is supported"
 msgstr "当前只支持邮件发送"
 
@@ -1402,7 +1405,7 @@ msgstr "文件名"
 #: audits/models.py:43 audits/models.py:117 terminal/models/sharing.py:90
 #: tickets/views/approve.py:98
 #: xpack/plugins/change_auth_plan/serializers/app.py:87
-#: xpack/plugins/change_auth_plan/serializers/asset.py:197
+#: xpack/plugins/change_auth_plan/serializers/asset.py:198
 msgid "Success"
 msgstr "成功"
 
@@ -2175,7 +2178,7 @@ msgstr "代码错误"
 #: authentication/templates/authentication/_msg_reset_password.html:3
 #: authentication/templates/authentication/_msg_rest_password_success.html:2
 #: authentication/templates/authentication/_msg_rest_public_key_success.html:2
-#: jumpserver/conf.py:301 ops/tasks.py:145 ops/tasks.py:148
+#: jumpserver/conf.py:304 ops/tasks.py:145 ops/tasks.py:148
 #: perms/templates/perms/_msg_item_permissions_expire.html:3
 #: perms/templates/perms/_msg_permed_items_expire.html:3
 #: tickets/templates/tickets/approve_check_password.html:23
@@ -2617,15 +2620,14 @@ msgstr "验证码错误"
 msgid "Please wait {} seconds before sending"
 msgstr "请在 {} 秒后发送"
 
-#: common/utils/ip/geoip/utils.py:17 common/utils/ip/geoip/utils.py:30
-#: common/utils/ip/ipip/utils.py:15
-msgid "Invalid ip"
-msgstr "无效IP"
-
-#: common/utils/ip/geoip/utils.py:28
+#: common/utils/ip/geoip/utils.py:24
 msgid "LAN"
 msgstr "LAN"
 
+#: common/utils/ip/geoip/utils.py:26 common/utils/ip/utils.py:78
+msgid "Invalid ip"
+msgstr "无效IP"
+
 #: common/validators.py:32
 msgid "This field must be unique."
 msgstr "字段必须唯一"
@@ -2638,11 +2640,11 @@ msgstr "不能包含特殊字符"
 msgid "The mobile phone number format is incorrect"
 msgstr "手机号格式不正确"
 
-#: jumpserver/conf.py:300
+#: jumpserver/conf.py:303
 msgid "Create account successfully"
 msgstr "创建账号成功"
 
-#: jumpserver/conf.py:302
+#: jumpserver/conf.py:305
 msgid "Your account has been created successfully"
 msgstr "你的账号已创建成功"
 
@@ -3437,7 +3439,7 @@ msgstr "启用登录跳转提示"
 msgid "Enable CAS Auth"
 msgstr "启用 CAS 认证"
 
-#: settings/serializers/auth/cas.py:11 settings/serializers/auth/oidc.py:42
+#: settings/serializers/auth/cas.py:11 settings/serializers/auth/oidc.py:47
 msgid "Server url"
 msgstr "服务端地址"
 
@@ -3502,7 +3504,7 @@ msgstr "用户过滤器"
 msgid "Choice may be (cn|uid|sAMAccountName)=%(user)s)"
 msgstr "可能的选项是(cn或uid或sAMAccountName=%(user)s)"
 
-#: settings/serializers/auth/ldap.py:57
+#: settings/serializers/auth/ldap.py:57 settings/serializers/auth/oidc.py:35
 msgid "User attr map"
 msgstr "用户属性映射"
 
@@ -3551,71 +3553,79 @@ msgstr "共享会话"
 msgid "Ignore ssl verification"
 msgstr "忽略 SSL 证书验证"
 
-#: settings/serializers/auth/oidc.py:39
+#: settings/serializers/auth/oidc.py:36
+msgid ""
+"User attr map present how to map OpenID user attr to jumpserver, username,"
+"name,email is jumpserver attr"
+msgstr ""
+"用户属性映射代表怎样将OpenID中用户属性映射到jumpserver用户上，username, name,"
+"email 是jumpserver的用户需要属性"
+
+#: settings/serializers/auth/oidc.py:44
 msgid "Use Keycloak"
 msgstr "使用 Keycloak"
 
-#: settings/serializers/auth/oidc.py:45
+#: settings/serializers/auth/oidc.py:50
 msgid "Realm name"
 msgstr "域"
 
-#: settings/serializers/auth/oidc.py:51
+#: settings/serializers/auth/oidc.py:56
 msgid "Enable OPENID Auth"
 msgstr "启用 OIDC 认证"
 
-#: settings/serializers/auth/oidc.py:53
+#: settings/serializers/auth/oidc.py:58
 msgid "Provider endpoint"
 msgstr "端点地址"
 
-#: settings/serializers/auth/oidc.py:56
+#: settings/serializers/auth/oidc.py:61
 msgid "Provider auth endpoint"
 msgstr "授权端点地址"
 
-#: settings/serializers/auth/oidc.py:59
+#: settings/serializers/auth/oidc.py:64
 msgid "Provider token endpoint"
 msgstr "token 端点地址"
 
-#: settings/serializers/auth/oidc.py:62
+#: settings/serializers/auth/oidc.py:67
 msgid "Provider jwks endpoint"
 msgstr "jwks 端点地址"
 
-#: settings/serializers/auth/oidc.py:65
+#: settings/serializers/auth/oidc.py:70
 msgid "Provider userinfo endpoint"
 msgstr "用户信息端点地址"
 
-#: settings/serializers/auth/oidc.py:68
+#: settings/serializers/auth/oidc.py:73
 msgid "Provider end session endpoint"
 msgstr "注销会话端点地址"
 
-#: settings/serializers/auth/oidc.py:71
+#: settings/serializers/auth/oidc.py:76
 msgid "Provider sign alg"
 msgstr "签名算法"
 
-#: settings/serializers/auth/oidc.py:74
+#: settings/serializers/auth/oidc.py:79
 msgid "Provider sign key"
 msgstr "签名 Key"
 
-#: settings/serializers/auth/oidc.py:76
+#: settings/serializers/auth/oidc.py:81
 msgid "Scopes"
 msgstr "连接范围"
 
-#: settings/serializers/auth/oidc.py:78
+#: settings/serializers/auth/oidc.py:83
 msgid "Id token max age"
 msgstr "令牌有效时间"
 
-#: settings/serializers/auth/oidc.py:81
+#: settings/serializers/auth/oidc.py:86
 msgid "Id token include claims"
 msgstr "声明"
 
-#: settings/serializers/auth/oidc.py:83
+#: settings/serializers/auth/oidc.py:88
 msgid "Use state"
 msgstr "使用状态"
 
-#: settings/serializers/auth/oidc.py:84
+#: settings/serializers/auth/oidc.py:89
 msgid "Use nonce"
 msgstr "临时使用"
 
-#: settings/serializers/auth/oidc.py:86 settings/serializers/auth/saml2.py:33
+#: settings/serializers/auth/oidc.py:91 settings/serializers/auth/saml2.py:33
 msgid "Always update user"
 msgstr "总是更新用户信息"
 
@@ -5697,7 +5707,7 @@ msgstr "组织角色"
 
 #: users/serializers/user.py:79
 #: xpack/plugins/change_auth_plan/models/base.py:35
-#: xpack/plugins/change_auth_plan/serializers/base.py:22
+#: xpack/plugins/change_auth_plan/serializers/base.py:27
 msgid "Password strategy"
 msgstr "密码策略"
 
@@ -6069,7 +6079,7 @@ msgid "Replace (The key generated by JumpServer) "
 msgstr "替换 (由 JumpServer 生成的密钥)"
 
 #: xpack/plugins/change_auth_plan/models/asset.py:49
-#: xpack/plugins/change_auth_plan/serializers/asset.py:35
+#: xpack/plugins/change_auth_plan/serializers/asset.py:36
 msgid "SSH Key strategy"
 msgstr "SSH 密钥策略"
 
@@ -6161,23 +6171,23 @@ msgstr ""
 "{} - 改密任务已完成: 未设置加密密码 - 请前往个人信息 -> 文件加密密码中设置加"
 "密密码"
 
-#: xpack/plugins/change_auth_plan/serializers/asset.py:32
+#: xpack/plugins/change_auth_plan/serializers/asset.py:33
 msgid "Change Password"
 msgstr "更改密码"
 
-#: xpack/plugins/change_auth_plan/serializers/asset.py:33
+#: xpack/plugins/change_auth_plan/serializers/asset.py:34
 msgid "Change SSH Key"
 msgstr "修改 SSH Key"
 
-#: xpack/plugins/change_auth_plan/serializers/base.py:43
+#: xpack/plugins/change_auth_plan/serializers/base.py:48
 msgid "Run times"
 msgstr "执行次数"
 
-#: xpack/plugins/change_auth_plan/serializers/base.py:57
+#: xpack/plugins/change_auth_plan/serializers/base.py:62
 msgid "* Please enter the correct password length"
 msgstr "* 请输入正确的密码长度"
 
-#: xpack/plugins/change_auth_plan/serializers/base.py:60
+#: xpack/plugins/change_auth_plan/serializers/base.py:65
 msgid "* Password length range 6-30 bits"
 msgstr "* 密码长度范围 6-30 位"
 
@@ -6265,31 +6275,35 @@ msgstr "OpenStack"
 msgid "Google Cloud Platform"
 msgstr "谷歌云"
 
-#: xpack/plugins/cloud/const.py:26
+#: xpack/plugins/cloud/const.py:23
+msgid "Fusion Compute"
+msgstr ""
+
+#: xpack/plugins/cloud/const.py:27
 msgid "Instance name"
 msgstr "实例名称"
 
-#: xpack/plugins/cloud/const.py:27
+#: xpack/plugins/cloud/const.py:28
 msgid "Instance name and Partial IP"
 msgstr "实例名称和部分IP"
 
-#: xpack/plugins/cloud/const.py:32
+#: xpack/plugins/cloud/const.py:33
 msgid "Succeed"
 msgstr "成功"
 
-#: xpack/plugins/cloud/const.py:36
+#: xpack/plugins/cloud/const.py:37
 msgid "Unsync"
 msgstr "未同步"
 
-#: xpack/plugins/cloud/const.py:37
+#: xpack/plugins/cloud/const.py:38
 msgid "New Sync"
 msgstr "新同步"
 
-#: xpack/plugins/cloud/const.py:38
+#: xpack/plugins/cloud/const.py:39
 msgid "Synced"
 msgstr "已同步"
 
-#: xpack/plugins/cloud/const.py:39
+#: xpack/plugins/cloud/const.py:40
 msgid "Released"
 msgstr "已释放"
 
@@ -6563,11 +6577,11 @@ msgstr "华南-广州-友好用户环境"
 msgid "CN East-Suqian"
 msgstr "华东-宿迁"
 
-#: xpack/plugins/cloud/serializers/account.py:60
+#: xpack/plugins/cloud/serializers/account.py:61
 msgid "Validity display"
 msgstr "有效性显示"
 
-#: xpack/plugins/cloud/serializers/account.py:61
+#: xpack/plugins/cloud/serializers/account.py:62
 msgid "Provider display"
 msgstr "服务商显示"
 
@@ -6585,6 +6599,7 @@ msgstr "订阅 ID"
 
 #: xpack/plugins/cloud/serializers/account_attrs.py:93
 #: xpack/plugins/cloud/serializers/account_attrs.py:98
+#: xpack/plugins/cloud/serializers/account_attrs.py:122
 msgid "API Endpoint"
 msgstr "API 端点"
 

From 810c5004020184df59eab5b77073e99897853cc1 Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Tue, 31 May 2022 16:20:33 +0800
Subject: [PATCH 142/258] =?UTF-8?q?feat:=20=E6=B7=BB=E5=8A=A0=E9=85=8D?=
 =?UTF-8?q?=E7=BD=AE=E9=A1=B9=20CONNECTION=5FTOKEN=5FEXPIRATION?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/authentication/api/connection_token.py | 38 +++++++++++----------
 apps/jumpserver/conf.py                     |  1 +
 apps/jumpserver/settings/auth.py            |  2 ++
 3 files changed, 23 insertions(+), 18 deletions(-)

diff --git a/apps/authentication/api/connection_token.py b/apps/authentication/api/connection_token.py
index ef69890e5..acf8dea84 100644
--- a/apps/authentication/api/connection_token.py
+++ b/apps/authentication/api/connection_token.py
@@ -18,6 +18,7 @@ from rest_framework.viewsets import GenericViewSet
 from rest_framework.decorators import action
 from rest_framework.exceptions import PermissionDenied
 from rest_framework import serializers
+from django.conf import settings
 
 from applications.models import Application
 from authentication.signals import post_auth_failed
@@ -361,23 +362,7 @@ class TokenCacheMixin:
     """ endpoint smart view 用到此类来解析token中的资产、应用 """
     CACHE_KEY_PREFIX = 'CONNECTION_TOKEN_{}'
 
-    def get_token_cache_key(self, token):
-        return self.CACHE_KEY_PREFIX.format(token)
-
-    def get_token_ttl(self, token):
-        key = self.get_token_cache_key(token)
-        return cache.ttl(key)
-
-    def set_token_to_cache(self, token, value, ttl=5 * 60):
-        key = self.get_token_cache_key(token)
-        cache.set(key, value, timeout=ttl)
-
-    def get_token_from_cache(self, token):
-        key = self.get_token_cache_key(token)
-        value = cache.get(key, None)
-        return value
-
-    def renewal_token(self, token, ttl=5 * 60):
+    def renewal_token(self, token, ttl=None):
         value = self.get_token_from_cache(token)
         if value:
             pre_ttl = self.get_token_ttl(token)
@@ -394,6 +379,23 @@ class TokenCacheMixin:
         }
         return data
 
+    def get_token_ttl(self, token):
+        key = self.get_token_cache_key(token)
+        return cache.ttl(key)
+
+    def set_token_to_cache(self, token, value, ttl=None):
+        key = self.get_token_cache_key(token)
+        ttl = ttl or settings.CONNECTION_TOKEN_EXPIRATION
+        cache.set(key, value, timeout=ttl)
+
+    def get_token_from_cache(self, token):
+        key = self.get_token_cache_key(token)
+        value = cache.get(key, None)
+        return value
+
+    def get_token_cache_key(self, token):
+        return self.CACHE_KEY_PREFIX.format(token)
+
 
 class BaseUserConnectionTokenViewSet(
     RootOrgViewMixin, SerializerMixin, ClientProtocolMixin,
@@ -415,7 +417,7 @@ class BaseUserConnectionTokenViewSet(
             raise PermissionDenied(error)
         return True
 
-    def create_token(self, user, asset, application, system_user, ttl=5 * 60):
+    def create_token(self, user, asset, application, system_user, ttl=None):
         self.check_resource_permission(user, asset, application, system_user)
         token = random_string(36)
         secret = random_string(16)
diff --git a/apps/jumpserver/conf.py b/apps/jumpserver/conf.py
index 85c3b4598..93aa46806 100644
--- a/apps/jumpserver/conf.py
+++ b/apps/jumpserver/conf.py
@@ -161,6 +161,7 @@ class Config(dict):
         'SESSION_COOKIE_AGE': 3600 * 24,
         'SESSION_EXPIRE_AT_BROWSER_CLOSE': False,
         'LOGIN_URL': reverse_lazy('authentication:login'),
+        'CONNECTION_TOKEN_EXPIRATION': 5 * 60,
 
         # Custom Config
         # Auth LDAP settings
diff --git a/apps/jumpserver/settings/auth.py b/apps/jumpserver/settings/auth.py
index 010e92f31..2a293cb48 100644
--- a/apps/jumpserver/settings/auth.py
+++ b/apps/jumpserver/settings/auth.py
@@ -149,6 +149,8 @@ AUTH_TEMP_TOKEN = CONFIG.AUTH_TEMP_TOKEN
 # Other setting
 TOKEN_EXPIRATION = CONFIG.TOKEN_EXPIRATION
 OTP_IN_RADIUS = CONFIG.OTP_IN_RADIUS
+# Connection token
+CONNECTION_TOKEN_EXPIRATION = CONFIG.CONNECTION_TOKEN_EXPIRATION
 
 
 RBAC_BACKEND = 'rbac.backends.RBACBackend'

From 3bc307d666d22a4d09dbcb9a9712c31efa5d7a03 Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <32935519+BaiJiangJie@users.noreply.github.com>
Date: Wed, 1 Jun 2022 18:00:22 +0800
Subject: [PATCH 143/258] =?UTF-8?q?perf:=20=E8=AE=BE=E7=BD=AEConnection=20?=
 =?UTF-8?q?Token=20=E9=BB=98=E8=AE=A4=E6=9C=80=E5=B0=915=E5=88=86=E9=92=9F?=
 =?UTF-8?q?=20(#8331)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/jumpserver/settings/auth.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/apps/jumpserver/settings/auth.py b/apps/jumpserver/settings/auth.py
index 2a293cb48..95a12d01f 100644
--- a/apps/jumpserver/settings/auth.py
+++ b/apps/jumpserver/settings/auth.py
@@ -151,6 +151,9 @@ TOKEN_EXPIRATION = CONFIG.TOKEN_EXPIRATION
 OTP_IN_RADIUS = CONFIG.OTP_IN_RADIUS
 # Connection token
 CONNECTION_TOKEN_EXPIRATION = CONFIG.CONNECTION_TOKEN_EXPIRATION
+if CONNECTION_TOKEN_EXPIRATION < 5 * 60:
+    # 最少5分钟
+    CONNECTION_TOKEN_EXPIRATION = 5 * 60
 
 
 RBAC_BACKEND = 'rbac.backends.RBACBackend'

From e096244e75fbebbd96f7bb02acc342af2f99ab01 Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Mon, 6 Jun 2022 13:30:04 +0800
Subject: [PATCH 144/258] =?UTF-8?q?pref:=20app=20tree=20=E6=B7=BB=E5=8A=A0?=
 =?UTF-8?q?=20icon?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../user_permission_nodes_with_assets.py        |  5 ++++-
 apps/perms/tree/app.py                          |  1 +
 apps/perms/utils/asset/user_permission.py       | 17 +++++++++++++++++
 3 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/apps/perms/api/asset/user_permission/user_permission_nodes_with_assets.py b/apps/perms/api/asset/user_permission/user_permission_nodes_with_assets.py
index 5d3940c9f..4d4408355 100644
--- a/apps/perms/api/asset/user_permission/user_permission_nodes_with_assets.py
+++ b/apps/perms/api/asset/user_permission/user_permission_nodes_with_assets.py
@@ -128,6 +128,7 @@ class GrantedNodeChildrenWithAssetsAsTreeApiMixin(SerializeToTreeNodeMixin,
 
         nodes = PermNode.objects.none()
         assets = Asset.objects.none()
+        all_tree_nodes = []
 
         if not key:
             nodes = nodes_query_utils.get_top_level_nodes()
@@ -142,7 +143,9 @@ class GrantedNodeChildrenWithAssetsAsTreeApiMixin(SerializeToTreeNodeMixin,
 
         tree_nodes = self.serialize_nodes(nodes, with_asset_amount=True)
         tree_assets = self.serialize_assets(assets, key)
-        return Response(data=[*tree_nodes, *tree_assets])
+        all_tree_nodes.extend(tree_nodes)
+        all_tree_nodes.extend(tree_assets)
+        return Response(data=all_tree_nodes)
 
 
 class UserGrantedNodeChildrenWithAssetsAsTreeApi(AssetRoleAdminMixin, GrantedNodeChildrenWithAssetsAsTreeApiMixin):
diff --git a/apps/perms/tree/app.py b/apps/perms/tree/app.py
index e46d05473..cc8611938 100644
--- a/apps/perms/tree/app.py
+++ b/apps/perms/tree/app.py
@@ -28,6 +28,7 @@ class GrantedAppTreeUtil:
             'title': name,
             'pId': '',
             'open': True,
+            'iconSkin': 'applications',
             'isParent': True,
             'meta': {
                 'type': 'root'
diff --git a/apps/perms/utils/asset/user_permission.py b/apps/perms/utils/asset/user_permission.py
index 5baa93d01..dd15c0b38 100644
--- a/apps/perms/utils/asset/user_permission.py
+++ b/apps/perms/utils/asset/user_permission.py
@@ -5,6 +5,7 @@ import time
 from django.core.cache import cache
 from django.conf import settings
 from django.db.models import Q, QuerySet
+from django.utils.translation import gettext as _
 
 from common.db.models import output_as_string, UnionQuerySet
 from common.utils.common import lazyproperty, timeit
@@ -614,6 +615,22 @@ class UserGrantedNodesQueryUtils(UserGrantedUtilsBase):
         assets_amount = assets_query_utils.get_favorite_assets().values_list('id').count()
         return PermNode.get_favorite_node(assets_amount)
 
+    @staticmethod
+    def get_root_node():
+        name = _('My assets')
+        node = {
+            'id': '',
+            'name': name,
+            'title': name,
+            'pId': '',
+            'open': True,
+            'isParent': True,
+            'meta': {
+                'type': 'root'
+            }
+        }
+        return node
+
     def get_special_nodes(self):
         nodes = []
         if settings.PERM_SINGLE_ASSET_TO_UNGROUP_NODE:

From dade0cadda9364aa6c40b0d7e621dff9c5f5557a Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Mon, 6 Jun 2022 15:51:17 +0800
Subject: [PATCH 145/258] =?UTF-8?q?feat:=20=E5=85=8B=E9=9A=86=E8=A7=92?=
 =?UTF-8?q?=E8=89=B2=E6=9D=83=E9=99=90?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/rbac/api/role.py | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/apps/rbac/api/role.py b/apps/rbac/api/role.py
index f398f0315..44cb899db 100644
--- a/apps/rbac/api/role.py
+++ b/apps/rbac/api/role.py
@@ -39,6 +39,21 @@ class RoleViewSet(PaginatedResponseMixin, JMSModelViewSet):
                 raise PermissionDenied(error)
         return super().perform_destroy(instance)
 
+    def perform_create(self, serializer):
+        super(RoleViewSet, self).perform_create(serializer)
+        self.set_permissions_if_need(serializer.instance)
+
+    def set_permissions_if_need(self, instance):
+        if not isinstance(instance, Role):
+            return
+        clone_from = self.request.query_params.get('clone_from')
+        if not clone_from:
+            return
+        clone = Role.objects.filter(id=clone_from).first()
+        if not clone:
+            return
+        instance.permissions.set(clone.permissions.all())
+
     def perform_update(self, serializer):
         instance = serializer.instance
         if instance.builtin:

From 2366f02d10fd48b974e9ff2145f14ce5a81e8872 Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Mon, 6 Jun 2022 18:04:11 +0800
Subject: [PATCH 146/258] =?UTF-8?q?feat:=20=E6=B7=BB=E5=8A=A0=E7=BB=84?=
 =?UTF-8?q?=E4=BB=B6=E7=B1=BB=E5=9E=8B=20razor=20=E5=B9=B6=E6=9B=BF?=
 =?UTF-8?q?=E6=8D=A2=20XRDP=5FENABLED?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/jumpserver/conf.py                       |  3 +--
 apps/jumpserver/settings/custom.py            |  2 +-
 .../migrations/0006_remove_setting_enabled.py | 23 +++++++++++++++++++
 apps/settings/serializers/public.py           |  2 +-
 apps/settings/serializers/terminal.py         |  2 +-
 apps/terminal/const.py                        |  1 +
 .../migrations/0048_endpoint_endpointrule.py  |  6 ++---
 .../migrations/0050_auto_20220606_1745.py     | 18 +++++++++++++++
 8 files changed, 49 insertions(+), 8 deletions(-)
 create mode 100644 apps/settings/migrations/0006_remove_setting_enabled.py
 create mode 100644 apps/terminal/migrations/0050_auto_20220606_1745.py

diff --git a/apps/jumpserver/conf.py b/apps/jumpserver/conf.py
index 93aa46806..df8b5f287 100644
--- a/apps/jumpserver/conf.py
+++ b/apps/jumpserver/conf.py
@@ -324,8 +324,7 @@ class Config(dict):
         # 保留(Luna还在用)
         'TERMINAL_MAGNUS_ENABLED': True,
         'TERMINAL_KOKO_SSH_ENABLED': True,
-        # 保留(Luna还在用)
-        'XRDP_ENABLED': True,
+        'TERMINAL_RAZOR_ENABLED': True,
 
         # 安全配置
         'SECURITY_MFA_AUTH': 0,  # 0 不开启 1 全局开启 2 管理员开启
diff --git a/apps/jumpserver/settings/custom.py b/apps/jumpserver/settings/custom.py
index b2768f2d8..9f645617b 100644
--- a/apps/jumpserver/settings/custom.py
+++ b/apps/jumpserver/settings/custom.py
@@ -139,7 +139,7 @@ LOGIN_REDIRECT_MSG_ENABLED = CONFIG.LOGIN_REDIRECT_MSG_ENABLED
 
 CLOUD_SYNC_TASK_EXECUTION_KEEP_DAYS = CONFIG.CLOUD_SYNC_TASK_EXECUTION_KEEP_DAYS
 
-XRDP_ENABLED = CONFIG.XRDP_ENABLED
+TERMINAL_RAZOR_ENABLED = CONFIG.TERMINAL_RAZOR_ENABLED
 TERMINAL_MAGNUS_ENABLED = CONFIG.TERMINAL_MAGNUS_ENABLED
 TERMINAL_KOKO_SSH_ENABLED = CONFIG.TERMINAL_KOKO_SSH_ENABLED
 
diff --git a/apps/settings/migrations/0006_remove_setting_enabled.py b/apps/settings/migrations/0006_remove_setting_enabled.py
new file mode 100644
index 000000000..0982bc0f2
--- /dev/null
+++ b/apps/settings/migrations/0006_remove_setting_enabled.py
@@ -0,0 +1,23 @@
+# Generated by Django 3.1.14 on 2022-06-06 09:45
+
+from django.db import migrations
+
+
+def migrate_terminal_razor_enabled(apps, schema_editor):
+    setting_model = apps.get_model("settings", "Setting")
+    s = setting_model.objects.filter(name='XRDP_ENABLED').first()
+    if not s:
+        return
+    s.name = 'TERMINAL_RAZOR_ENABLED'
+    s.save()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('settings', '0005_auto_20220310_0616'),
+    ]
+
+    operations = [
+        migrations.RunPython(migrate_terminal_razor_enabled),
+    ]
diff --git a/apps/settings/serializers/public.py b/apps/settings/serializers/public.py
index 22fe55142..7e9f46b7d 100644
--- a/apps/settings/serializers/public.py
+++ b/apps/settings/serializers/public.py
@@ -35,7 +35,7 @@ class PrivateSettingSerializer(PublicSettingSerializer):
     AUTH_FEISHU = serializers.BooleanField()
     AUTH_TEMP_TOKEN = serializers.BooleanField()
 
-    XRDP_ENABLED = serializers.BooleanField()
+    TERMINAL_RAZOR_ENABLED = serializers.BooleanField()
     TERMINAL_MAGNUS_ENABLED = serializers.BooleanField()
     TERMINAL_KOKO_SSH_ENABLED = serializers.BooleanField()
 
diff --git a/apps/settings/serializers/terminal.py b/apps/settings/serializers/terminal.py
index f6799eca1..1b70fadf3 100644
--- a/apps/settings/serializers/terminal.py
+++ b/apps/settings/serializers/terminal.py
@@ -34,5 +34,5 @@ class TerminalSettingSerializer(serializers.Serializer):
                     "if you cannot log in to the device through Telnet, set this parameter")
     )
     TERMINAL_MAGNUS_ENABLED = serializers.BooleanField(label=_("Enable database proxy"))
-    XRDP_ENABLED = serializers.BooleanField(label=_("Enable XRDP"))
+    TERMINAL_RAZOR_ENABLED = serializers.BooleanField(label=_("Enable Razor"))
     TERMINAL_KOKO_SSH_ENABLED = serializers.BooleanField(label=_("Enable SSH Client"))
diff --git a/apps/terminal/const.py b/apps/terminal/const.py
index 931a3e887..7289f3180 100644
--- a/apps/terminal/const.py
+++ b/apps/terminal/const.py
@@ -49,6 +49,7 @@ class TerminalTypeChoices(TextChoices):
     core = 'core', 'Core'
     celery = 'celery', 'Celery'
     magnus = 'magnus',  'Magnus'
+    razor = 'razor',  'Razor'
 
     @classmethod
     def types(cls):
diff --git a/apps/terminal/migrations/0048_endpoint_endpointrule.py b/apps/terminal/migrations/0048_endpoint_endpointrule.py
index ccdd59564..1ea7c3d03 100644
--- a/apps/terminal/migrations/0048_endpoint_endpointrule.py
+++ b/apps/terminal/migrations/0048_endpoint_endpointrule.py
@@ -21,7 +21,7 @@ def migrate_endpoints(apps, schema_editor):
     }
     Endpoint.objects.create(**default_data)
 
-    if not settings.XRDP_ENABLED:
+    if not settings.TERMINAL_RAZOR_ENABLED:
         return
     # migrate xrdp
     xrdp_addr = settings.TERMINAL_RDP_ADDR
@@ -41,7 +41,7 @@ def migrate_endpoints(apps, schema_editor):
     else:
         rdp_port = 3389
     xrdp_data = {
-        'name': 'XRDP',
+        'name': 'Razor',
         'host': host,
         'https_port': 0,
         'http_port': 0,
@@ -56,7 +56,7 @@ def migrate_endpoints(apps, schema_editor):
 
     EndpointRule = apps.get_model("terminal", "EndpointRule")
     xrdp_rule_data = {
-        'name': 'XRDP',
+        'name': 'Razor',
         'ip_group': ['*'],
         'priority': 20,
         'endpoint': xrdp_endpoint,
diff --git a/apps/terminal/migrations/0050_auto_20220606_1745.py b/apps/terminal/migrations/0050_auto_20220606_1745.py
new file mode 100644
index 000000000..88e7cc138
--- /dev/null
+++ b/apps/terminal/migrations/0050_auto_20220606_1745.py
@@ -0,0 +1,18 @@
+# Generated by Django 3.1.14 on 2022-06-06 09:45
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('terminal', '0049_endpoint_redis_port'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='terminal',
+            name='type',
+            field=models.CharField(choices=[('koko', 'KoKo'), ('guacamole', 'Guacamole'), ('omnidb', 'OmniDB'), ('xrdp', 'Xrdp'), ('lion', 'Lion'), ('core', 'Core'), ('celery', 'Celery'), ('magnus', 'Magnus'), ('razor', 'Razor')], default='koko', max_length=64, verbose_name='type'),
+        ),
+    ]

From a5acdb9f607c472308347a4494013b407611ccb5 Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Tue, 7 Jun 2022 19:26:07 +0800
Subject: [PATCH 147/258] =?UTF-8?q?perf:=20=E7=BB=9F=E4=B8=80=E6=A0=A1?=
 =?UTF-8?q?=E9=AA=8C=E5=BD=93=E5=89=8D=E7=94=A8=E6=88=B7api=20(#8324)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: feng626 <1304903146@qq.com>
---
 apps/audits/signal_handlers.py              |  1 +
 apps/authentication/api/__init__.py         |  1 +
 apps/authentication/api/confirm.py          | 85 +++++++++++++++++++++
 apps/authentication/api/dingtalk.py         |  5 +-
 apps/authentication/api/feishu.py           |  4 +-
 apps/authentication/api/wecom.py            |  5 +-
 apps/authentication/const.py                |  8 ++
 apps/authentication/serializers/__init__.py |  1 +
 apps/authentication/serializers/confirm.py  | 11 +++
 apps/authentication/urls/api_urls.py        |  1 +
 apps/authentication/views/dingtalk.py       | 10 +--
 apps/authentication/views/feishu.py         |  9 +--
 apps/authentication/views/wecom.py          |  9 +--
 apps/users/models/user.py                   |  5 ++
 apps/users/permissions.py                   | 11 ++-
 apps/users/utils.py                         | 13 ++++
 16 files changed, 148 insertions(+), 31 deletions(-)
 create mode 100644 apps/authentication/api/confirm.py
 create mode 100644 apps/authentication/serializers/confirm.py

diff --git a/apps/audits/signal_handlers.py b/apps/audits/signal_handlers.py
index 5177cfca7..86a593c41 100644
--- a/apps/audits/signal_handlers.py
+++ b/apps/audits/signal_handlers.py
@@ -274,6 +274,7 @@ def on_user_auth_success(sender, user, request, login_type=None, **kwargs):
     logger.debug('User login success: {}'.format(user.username))
     check_different_city_login_if_need(user, request)
     data = generate_data(user.username, request, login_type=login_type)
+    request.session['login_time'] = data['datetime'].strftime("%Y-%m-%d %H:%M:%S")
     data.update({'mfa': int(user.mfa_enabled), 'status': True})
     write_login_log(**data)
 
diff --git a/apps/authentication/api/__init__.py b/apps/authentication/api/__init__.py
index 01a4c52e9..85fda3c1e 100644
--- a/apps/authentication/api/__init__.py
+++ b/apps/authentication/api/__init__.py
@@ -5,6 +5,7 @@ from .connection_token import *
 from .token import *
 from .mfa import *
 from .access_key import *
+from .confirm import *
 from .login_confirm import *
 from .sso import *
 from .wecom import *
diff --git a/apps/authentication/api/confirm.py b/apps/authentication/api/confirm.py
new file mode 100644
index 000000000..c77a1d533
--- /dev/null
+++ b/apps/authentication/api/confirm.py
@@ -0,0 +1,85 @@
+# -*- coding: utf-8 -*-
+#
+import time
+from datetime import datetime
+
+from django.utils import timezone
+from django.conf import settings
+from django.utils.translation import ugettext_lazy as _
+from rest_framework.generics import ListCreateAPIView
+from rest_framework.response import Response
+
+from common.permissions import IsValidUser
+from ..mfa import MFAOtp
+from ..const import ConfirmType
+from ..mixins import authenticate
+from ..serializers import ConfirmSerializer
+
+
+class ConfirmViewSet(ListCreateAPIView):
+    permission_classes = (IsValidUser,)
+    serializer_class = ConfirmSerializer
+
+    def check(self, confirm_type: str):
+        if confirm_type == ConfirmType.MFA:
+            return bool(MFAOtp(self.user).is_active())
+
+        if confirm_type == ConfirmType.PASSWORD:
+            return self.user.is_password_authenticate()
+
+        if confirm_type == ConfirmType.RELOGIN:
+            return not self.user.is_password_authenticate()
+
+    def authenticate(self, confirm_type, secret_key):
+        if confirm_type == ConfirmType.MFA:
+            ok, msg = MFAOtp(self.user).check_code(secret_key)
+            return ok, msg
+
+        if confirm_type == ConfirmType.PASSWORD:
+            ok = authenticate(self.request, username=self.user.username, password=secret_key)
+            msg = '' if ok else _('Authentication failed password incorrect')
+            return ok, msg
+
+        if confirm_type == ConfirmType.RELOGIN:
+            now = timezone.now().strftime("%Y-%m-%d %H:%M:%S")
+            now = datetime.strptime(now, '%Y-%m-%d %H:%M:%S')
+            login_time = self.request.session.get('login_time')
+            SPECIFIED_TIME = 5
+            msg = _('Login time has exceeded {} minutes, please login again').format(SPECIFIED_TIME)
+            if not login_time:
+                return False, msg
+            login_time = datetime.strptime(login_time, '%Y-%m-%d %H:%M:%S')
+            if (now - login_time).seconds >= SPECIFIED_TIME * 60:
+                return False, msg
+            return True, ''
+
+    @property
+    def user(self):
+        return self.request.user
+
+    def list(self, request, *args, **kwargs):
+        if not settings.SECURITY_VIEW_AUTH_NEED_MFA:
+            return Response('ok')
+
+        mfa_verify_time = request.session.get('MFA_VERIFY_TIME', 0)
+        if time.time() - mfa_verify_time < settings.SECURITY_MFA_VERIFY_TTL:
+            return Response('ok')
+
+        data = []
+        for i, confirm_type in enumerate(ConfirmType.values, 1):
+            if self.check(confirm_type):
+                data.append({'name': confirm_type, 'level': i})
+        msg = _('This action require verify your MFA')
+        return Response({'error': msg, 'backends': data}, status=400)
+
+    def create(self, request, *args, **kwargs):
+        serializer = self.get_serializer(data=request.data)
+        serializer.is_valid(raise_exception=True)
+        validated_data = serializer.validated_data
+        confirm_type = validated_data.get('confirm_type')
+        secret_key = validated_data.get('secret_key')
+        ok, msg = self.authenticate(confirm_type, secret_key)
+        if ok:
+            request.session["MFA_VERIFY_TIME"] = int(time.time())
+            return Response('ok')
+        return Response({'error': msg}, status=400)
diff --git a/apps/authentication/api/dingtalk.py b/apps/authentication/api/dingtalk.py
index da03f015b..ccc3db64d 100644
--- a/apps/authentication/api/dingtalk.py
+++ b/apps/authentication/api/dingtalk.py
@@ -2,7 +2,7 @@ from rest_framework.views import APIView
 from rest_framework.request import Request
 from rest_framework.response import Response
 
-from users.permissions import IsAuthPasswdTimeValid
+from users.permissions import IsAuthConfirmTimeValid
 from users.models import User
 from common.utils import get_logger
 from common.mixins.api import RoleUserMixin, RoleAdminMixin
@@ -26,9 +26,8 @@ class DingTalkQRUnBindBase(APIView):
 
 
 class DingTalkQRUnBindForUserApi(RoleUserMixin, DingTalkQRUnBindBase):
-    permission_classes = (IsAuthPasswdTimeValid,)
+    permission_classes = (IsAuthConfirmTimeValid,)
 
 
 class DingTalkQRUnBindForAdminApi(RoleAdminMixin, DingTalkQRUnBindBase):
     user_id_url_kwarg = 'user_id'
-    
\ No newline at end of file
diff --git a/apps/authentication/api/feishu.py b/apps/authentication/api/feishu.py
index aaed60db9..13637b247 100644
--- a/apps/authentication/api/feishu.py
+++ b/apps/authentication/api/feishu.py
@@ -2,7 +2,7 @@ from rest_framework.views import APIView
 from rest_framework.request import Request
 from rest_framework.response import Response
 
-from users.permissions import IsAuthPasswdTimeValid
+from users.permissions import IsAuthConfirmTimeValid
 from users.models import User
 from common.utils import get_logger
 from common.mixins.api import RoleUserMixin, RoleAdminMixin
@@ -26,7 +26,7 @@ class FeiShuQRUnBindBase(APIView):
 
 
 class FeiShuQRUnBindForUserApi(RoleUserMixin, FeiShuQRUnBindBase):
-    permission_classes = (IsAuthPasswdTimeValid,)
+    permission_classes = (IsAuthConfirmTimeValid,)
 
 
 class FeiShuQRUnBindForAdminApi(RoleAdminMixin, FeiShuQRUnBindBase):
diff --git a/apps/authentication/api/wecom.py b/apps/authentication/api/wecom.py
index 486efde21..e64bc9919 100644
--- a/apps/authentication/api/wecom.py
+++ b/apps/authentication/api/wecom.py
@@ -2,7 +2,7 @@ from rest_framework.views import APIView
 from rest_framework.request import Request
 from rest_framework.response import Response
 
-from users.permissions import IsAuthPasswdTimeValid
+from users.permissions import IsAuthConfirmTimeValid
 from users.models import User
 from common.utils import get_logger
 from common.mixins.api import RoleUserMixin, RoleAdminMixin
@@ -26,9 +26,8 @@ class WeComQRUnBindBase(APIView):
 
 
 class WeComQRUnBindForUserApi(RoleUserMixin, WeComQRUnBindBase):
-    permission_classes = (IsAuthPasswdTimeValid,)
+    permission_classes = (IsAuthConfirmTimeValid,)
 
 
 class WeComQRUnBindForAdminApi(RoleAdminMixin, WeComQRUnBindBase):
     user_id_url_kwarg = 'user_id'
-    
\ No newline at end of file
diff --git a/apps/authentication/const.py b/apps/authentication/const.py
index f5cf56471..4c8578dff 100644
--- a/apps/authentication/const.py
+++ b/apps/authentication/const.py
@@ -1,2 +1,10 @@
+from django.db.models import TextChoices
+
 RSA_PRIVATE_KEY = 'rsa_private_key'
 RSA_PUBLIC_KEY = 'rsa_public_key'
+
+
+class ConfirmType(TextChoices):
+    RELOGIN = 'relogin', 'Re-Login'
+    PASSWORD = 'password', 'Password'
+    MFA = 'mfa', 'MFA'
diff --git a/apps/authentication/serializers/__init__.py b/apps/authentication/serializers/__init__.py
index 7697c46db..aa94f0fc8 100644
--- a/apps/authentication/serializers/__init__.py
+++ b/apps/authentication/serializers/__init__.py
@@ -1,3 +1,4 @@
 from .token import *
 from .connect_token import *
 from .password_mfa import *
+from .confirm import *
diff --git a/apps/authentication/serializers/confirm.py b/apps/authentication/serializers/confirm.py
new file mode 100644
index 000000000..fe5984190
--- /dev/null
+++ b/apps/authentication/serializers/confirm.py
@@ -0,0 +1,11 @@
+from rest_framework import serializers
+
+from common.drf.fields import EncryptedField
+from ..const import ConfirmType
+
+
+class ConfirmSerializer(serializers.Serializer):
+    confirm_type = serializers.ChoiceField(
+        required=True, choices=ConfirmType.choices
+    )
+    secret_key = EncryptedField()
diff --git a/apps/authentication/urls/api_urls.py b/apps/authentication/urls/api_urls.py
index 754b7c793..44a89bf97 100644
--- a/apps/authentication/urls/api_urls.py
+++ b/apps/authentication/urls/api_urls.py
@@ -26,6 +26,7 @@ urlpatterns = [
     path('feishu/event/subscription/callback/', api.FeiShuEventSubscriptionCallback.as_view(), name='feishu-event-subscription-callback'),
 
     path('auth/', api.TokenCreateApi.as_view(), name='user-auth'),
+    path('confirm/', api.ConfirmViewSet.as_view(), name='user-confirm'),
     path('tokens/', api.TokenCreateApi.as_view(), name='auth-token'),
     path('mfa/verify/', api.MFAChallengeVerifyApi.as_view(), name='mfa-verify'),
     path('mfa/challenge/', api.MFAChallengeVerifyApi.as_view(), name='mfa-challenge'),
diff --git a/apps/authentication/views/dingtalk.py b/apps/authentication/views/dingtalk.py
index e97424aee..6b93b3d4c 100644
--- a/apps/authentication/views/dingtalk.py
+++ b/apps/authentication/views/dingtalk.py
@@ -9,8 +9,9 @@ from rest_framework.permissions import IsAuthenticated, AllowAny
 from rest_framework.exceptions import APIException
 
 from users.views import UserVerifyPasswordView
-from users.utils import is_auth_password_time_valid
+from users.utils import is_auth_confirm_time_valid
 from users.models import User
+from users.permissions import IsAuthConfirmTimeValid
 from common.utils import get_logger, FlashMessageUtil
 from common.utils.random import random_string
 from common.utils.django import reverse, get_object_or_none
@@ -118,17 +119,12 @@ class DingTalkOAuthMixin(DingTalkBaseMixin, View):
 
 
 class DingTalkQRBindView(DingTalkQRMixin, View):
-    permission_classes = (IsAuthenticated,)
+    permission_classes = (IsAuthenticated, IsAuthConfirmTimeValid)
 
     def get(self, request: HttpRequest):
         user = request.user
         redirect_url = request.GET.get('redirect_url')
 
-        if not is_auth_password_time_valid(request.session):
-            msg = _('Please verify your password first')
-            response = self.get_failed_response(redirect_url, msg, msg)
-            return response
-
         redirect_uri = reverse('authentication:dingtalk-qr-bind-callback', kwargs={'user_id': user.id}, external=True)
         redirect_uri += '?' + urlencode({'redirect_url': redirect_url})
 
diff --git a/apps/authentication/views/feishu.py b/apps/authentication/views/feishu.py
index 172aa2603..ea0db44e1 100644
--- a/apps/authentication/views/feishu.py
+++ b/apps/authentication/views/feishu.py
@@ -8,7 +8,7 @@ from django.db.utils import IntegrityError
 from rest_framework.permissions import IsAuthenticated, AllowAny
 from rest_framework.exceptions import APIException
 
-from users.utils import is_auth_password_time_valid
+from users.permissions import IsAuthConfirmTimeValid
 from users.views import UserVerifyPasswordView
 from users.models import User
 from common.utils import get_logger, FlashMessageUtil
@@ -89,17 +89,12 @@ class FeiShuQRMixin(PermissionsMixin, View):
 
 
 class FeiShuQRBindView(FeiShuQRMixin, View):
-    permission_classes = (IsAuthenticated,)
+    permission_classes = (IsAuthenticated, IsAuthConfirmTimeValid)
 
     def get(self, request: HttpRequest):
         user = request.user
         redirect_url = request.GET.get('redirect_url')
 
-        if not is_auth_password_time_valid(request.session):
-            msg = _('Please verify your password first')
-            response = self.get_failed_response(redirect_url, msg, msg)
-            return response
-
         redirect_uri = reverse('authentication:feishu-qr-bind-callback', external=True)
         redirect_uri += '?' + urlencode({'redirect_url': redirect_url})
 
diff --git a/apps/authentication/views/wecom.py b/apps/authentication/views/wecom.py
index 9b7963de8..cb5cc2178 100644
--- a/apps/authentication/views/wecom.py
+++ b/apps/authentication/views/wecom.py
@@ -9,8 +9,8 @@ from rest_framework.permissions import IsAuthenticated, AllowAny
 from rest_framework.exceptions import APIException
 
 from users.views import UserVerifyPasswordView
-from users.utils import is_auth_password_time_valid
 from users.models import User
+from users.permissions import IsAuthConfirmTimeValid
 from common.utils import get_logger, FlashMessageUtil
 from common.utils.random import random_string
 from common.utils.django import reverse, get_object_or_none
@@ -118,17 +118,12 @@ class WeComOAuthMixin(WeComBaseMixin, View):
 
 
 class WeComQRBindView(WeComQRMixin, View):
-    permission_classes = (IsAuthenticated,)
+    permission_classes = (IsAuthenticated, IsAuthConfirmTimeValid)
 
     def get(self, request: HttpRequest):
         user = request.user
         redirect_url = request.GET.get('redirect_url')
 
-        if not is_auth_password_time_valid(request.session):
-            msg = _('Please verify your password first')
-            response = self.get_failed_response(redirect_url, msg, msg)
-            return response
-
         redirect_uri = reverse('authentication:wecom-qr-bind-callback', kwargs={'user_id': user.id}, external=True)
         redirect_uri += '?' + urlencode({'redirect_url': redirect_url})
 
diff --git a/apps/users/models/user.py b/apps/users/models/user.py
index c22be9523..13c5edb0f 100644
--- a/apps/users/models/user.py
+++ b/apps/users/models/user.py
@@ -791,6 +791,11 @@ class User(AuthMixin, TokenMixin, RoleMixin, MFAMixin, AbstractUser):
     def is_local(self):
         return self.source == self.Source.local.value
 
+    def is_password_authenticate(self):
+        cas = self.Source.cas
+        saml2 = self.Source.saml2
+        return self.source not in [cas, saml2]
+
     def set_unprovide_attr_if_need(self):
         if not self.name:
             self.name = self.username
diff --git a/apps/users/permissions.py b/apps/users/permissions.py
index 03534d211..a0df71116 100644
--- a/apps/users/permissions.py
+++ b/apps/users/permissions.py
@@ -1,10 +1,17 @@
 from rest_framework import permissions
 
-from .utils import is_auth_password_time_valid
+from .utils import is_auth_password_time_valid, is_auth_confirm_time_valid
 
 
 class IsAuthPasswdTimeValid(permissions.IsAuthenticated):
 
     def has_permission(self, request, view):
         return super().has_permission(request, view) \
-            and is_auth_password_time_valid(request.session)
+               and is_auth_password_time_valid(request.session)
+
+
+class IsAuthConfirmTimeValid(permissions.IsAuthenticated):
+
+    def has_permission(self, request, view):
+        return super().has_permission(request, view) \
+               and is_auth_confirm_time_valid(request.session)
diff --git a/apps/users/utils.py b/apps/users/utils.py
index a2fb9afac..60485f497 100644
--- a/apps/users/utils.py
+++ b/apps/users/utils.py
@@ -255,3 +255,16 @@ def is_auth_password_time_valid(session):
 
 def is_auth_otp_time_valid(session):
     return is_auth_time_valid(session, 'auth_otp_expired_at')
+
+
+def is_confirm_time_valid(session, key):
+    if not settings.SECURITY_VIEW_AUTH_NEED_MFA:
+        return True
+    mfa_verify_time = session.get(key, 0)
+    if time.time() - mfa_verify_time < settings.SECURITY_MFA_VERIFY_TTL:
+        return True
+    return False
+
+
+def is_auth_confirm_time_valid(session):
+    return is_confirm_time_valid(session, 'MFA_VERIFY_TIME')

From c6949b4f685fdc20d917ca0684bfbcd7acbce359 Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Wed, 8 Jun 2022 10:02:47 +0800
Subject: [PATCH 148/258] =?UTF-8?q?perf:=20=E5=8E=BB=E6=8E=89=20remote=20a?=
 =?UTF-8?q?pp=20=E7=9A=84=E5=8A=A0=E5=AF=86?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/authentication/api/connection_token.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/apps/authentication/api/connection_token.py b/apps/authentication/api/connection_token.py
index acf8dea84..828a93be5 100644
--- a/apps/authentication/api/connection_token.py
+++ b/apps/authentication/api/connection_token.py
@@ -161,7 +161,6 @@ class ClientProtocolMixin:
             options['alternate shell:s'] = app
             options['remoteapplicationprogram:s'] = app
             options['remoteapplicationname:s'] = name
-            options['remoteapplicationcmdline:s'] = '- ' + self.get_encrypt_cmdline(application)
         else:
             name = '*'
 

From 81ef61482090ef9d1f31482f38be9126c02d2512 Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Wed, 8 Jun 2022 19:32:50 +0800
Subject: [PATCH 149/258] =?UTF-8?q?fix:=20relogin=E9=87=8D=E7=BD=AEMFA=5FV?=
 =?UTF-8?q?ERIFY=5FTIME=20(#8348)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: feng626 <1304903146@qq.com>
---
 apps/audits/signal_handlers.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/apps/audits/signal_handlers.py b/apps/audits/signal_handlers.py
index 86a593c41..902c0896e 100644
--- a/apps/audits/signal_handlers.py
+++ b/apps/audits/signal_handlers.py
@@ -1,5 +1,7 @@
 # -*- coding: utf-8 -*-
 #
+import time
+
 from django.db.models.signals import (
     post_save, m2m_changed, pre_delete
 )
@@ -275,6 +277,7 @@ def on_user_auth_success(sender, user, request, login_type=None, **kwargs):
     check_different_city_login_if_need(user, request)
     data = generate_data(user.username, request, login_type=login_type)
     request.session['login_time'] = data['datetime'].strftime("%Y-%m-%d %H:%M:%S")
+    request.session["MFA_VERIFY_TIME"] = int(time.time())
     data.update({'mfa': int(user.mfa_enabled), 'status': True})
     write_login_log(**data)
 

From a5c6ba6cd6c277052ccc3eca362a95728df0b2ca Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Thu, 9 Jun 2022 10:19:34 +0800
Subject: [PATCH 150/258] =?UTF-8?q?perf:=20=E4=BC=98=E5=8C=96=20perm=20app?=
 =?UTF-8?q?=20node?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/perms/tree/app.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/apps/perms/tree/app.py b/apps/perms/tree/app.py
index cc8611938..0b74c1e9b 100644
--- a/apps/perms/tree/app.py
+++ b/apps/perms/tree/app.py
@@ -64,7 +64,6 @@ class GrantedAppTreeUtil:
             return tree_nodes
 
         root_node = self.create_root_node()
-        tree_nodes.append(root_node)
         organizations = self.filter_organizations(applications)
 
         for i, org in enumerate(organizations):

From 9d1e94d3c21695e410cb5753c8ab251d09e16ce4 Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Fri, 10 Jun 2022 18:22:57 +0800
Subject: [PATCH 151/258] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=E6=89=8B?=
 =?UTF-8?q?=E5=8A=A8=E7=99=BB=E5=BD=95=E7=B3=BB=E7=BB=9F=E7=94=A8=E6=88=B7?=
 =?UTF-8?q?=E8=BF=9E=E6=8E=A5RemoteApp=E5=BA=94=E7=94=A8=E8=8E=B7=E5=8F=96?=
 =?UTF-8?q?=E4=B8=8D=E5=88=B0=E8=AE=A4=E8=AF=81=E4=BF=A1=E6=81=AF=E7=9A=84?=
 =?UTF-8?q?=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/assets/models/user.py | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)

diff --git a/apps/assets/models/user.py b/apps/assets/models/user.py
index ce0029768..e20664071 100644
--- a/apps/assets/models/user.py
+++ b/apps/assets/models/user.py
@@ -133,6 +133,15 @@ class AuthMixin:
             self.password = password
 
     def load_app_more_auth(self, app_id=None, username=None, user_id=None):
+        # 清除认证信息
+        self._clean_auth_info_if_manual_login_mode()
+
+        # 先加载临时认证信息
+        if self.login_mode == self.LOGIN_MANUAL:
+            self._load_tmp_auth_if_has(app_id, user_id)
+            return
+
+        # Remote app
         from applications.models import Application
         app = get_object_or_none(Application, pk=app_id)
         if app and app.category_remote_app:
@@ -141,11 +150,6 @@ class AuthMixin:
             return
 
         # Other app
-        self._clean_auth_info_if_manual_login_mode()
-        # 加载临时认证信息
-        if self.login_mode == self.LOGIN_MANUAL:
-            self._load_tmp_auth_if_has(app_id, user_id)
-            return
         # 更新用户名
         from users.models import User
         user = get_object_or_none(User, pk=user_id) if user_id else None

From 3755f8f33acd1744b5ae3a62e518a2b8e73a48fd Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Mon, 13 Jun 2022 10:54:34 +0800
Subject: [PATCH 152/258] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=E6=8E=A8?=
 =?UTF-8?q?=E9=80=81=E5=8A=A8=E6=80=81=E7=94=A8=E6=88=B7=20comment=20?=
 =?UTF-8?q?=E4=B8=AD=E5=8C=85=E5=90=AB=E7=A9=BA=E6=A0=BC=E5=AF=BC=E8=87=B4?=
 =?UTF-8?q?=E6=8E=A8=E9=80=81=E5=A4=B1=E8=B4=A5=E7=9A=84=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/assets/tasks/push_system_user.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/apps/assets/tasks/push_system_user.py b/apps/assets/tasks/push_system_user.py
index 98d2a0922..ee4af0fd5 100644
--- a/apps/assets/tasks/push_system_user.py
+++ b/apps/assets/tasks/push_system_user.py
@@ -33,16 +33,17 @@ def _dump_args(args: dict):
 
 
 def get_push_unixlike_system_user_tasks(system_user, username=None, **kwargs):
-    comment = system_user.name
     algorithm = kwargs.get('algorithm')
     if username is None:
         username = system_user.username
 
+    comment = system_user.name
     if system_user.username_same_with_user:
         from users.models import User
         user = User.objects.filter(username=username).only('name', 'username').first()
         if user:
             comment = f'{system_user.name}[{str(user)}]'
+    comment = comment.replace(' ', '')
 
     password = system_user.password
     public_key = system_user.public_key

From 0464b1a9e69c2ca407b213a797652460b2620159 Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Mon, 13 Jun 2022 14:22:07 +0800
Subject: [PATCH 153/258] =?UTF-8?q?perf:=20=E4=BC=98=E5=8C=96=E8=BF=81?=
 =?UTF-8?q?=E7=A7=BB=20rbac=20=E9=80=9F=E5=BA=A6?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

perf: migrate
---
 apps/rbac/builtin.py                          | 30 ++++++----
 .../migrations/0004_auto_20211201_1901.py     | 53 +++++++++-------
 utils/test_run_migrations.py                  | 60 +++++++++++++++++++
 3 files changed, 110 insertions(+), 33 deletions(-)
 create mode 100644 utils/test_run_migrations.py

diff --git a/apps/rbac/builtin.py b/apps/rbac/builtin.py
index b736ba226..34733dc59 100644
--- a/apps/rbac/builtin.py
+++ b/apps/rbac/builtin.py
@@ -126,6 +126,8 @@ class BuiltinRole:
     org_user = PredefineRole(
         '7', ugettext_noop('OrgUser'), Scope.org, user_perms
     )
+    system_role_mapper = None
+    org_role_mapper = None
 
     @classmethod
     def get_roles(cls):
@@ -138,22 +140,24 @@ class BuiltinRole:
 
     @classmethod
     def get_system_role_by_old_name(cls, name):
-        mapper = {
-            'App': cls.system_component,
-            'Admin': cls.system_admin,
-            'User': cls.system_user,
-            'Auditor': cls.system_auditor
-        }
-        return mapper[name].get_role()
+        if not cls.system_role_mapper:
+            cls.system_role_mapper = {
+                'App': cls.system_component.get_role(),
+                'Admin': cls.system_admin.get_role(),
+                'User': cls.system_user.get_role(),
+                'Auditor': cls.system_auditor.get_role()
+            }
+        return cls.system_role_mapper[name]
 
     @classmethod
     def get_org_role_by_old_name(cls, name):
-        mapper = {
-            'Admin': cls.org_admin,
-            'User': cls.org_user,
-            'Auditor': cls.org_auditor,
-        }
-        return mapper[name].get_role()
+        if not cls.org_role_mapper:
+            cls.org_role_mapper = {
+                'Admin': cls.org_admin.get_role(),
+                'User': cls.org_user.get_role(),
+                'Auditor': cls.org_auditor.get_role(),
+            }
+        return cls.org_role_mapper[name]
 
     @classmethod
     def sync_to_db(cls, show_msg=False):
diff --git a/apps/rbac/migrations/0004_auto_20211201_1901.py b/apps/rbac/migrations/0004_auto_20211201_1901.py
index 36736f254..eafe37539 100644
--- a/apps/rbac/migrations/0004_auto_20211201_1901.py
+++ b/apps/rbac/migrations/0004_auto_20211201_1901.py
@@ -1,5 +1,4 @@
-# Generated by Django 3.1.13 on 2021-12-01 11:01
-
+import time
 from django.db import migrations
 
 from rbac.builtin import BuiltinRole
@@ -11,31 +10,45 @@ def migrate_system_role_binding(apps, schema_editor):
     role_binding_model = apps.get_model('rbac', 'SystemRoleBinding')
     users = user_model.objects.using(db_alias).all()
 
-    role_bindings = []
-    for user in users:
-        role = BuiltinRole.get_system_role_by_old_name(user.role)
-        role_binding = role_binding_model(scope='system', user_id=user.id, role_id=role.id)
-        role_bindings.append(role_binding)
-    role_binding_model.objects.bulk_create(role_bindings, ignore_conflicts=True)
+    grouped_users = [users[i:i+1000] for i in range(0, len(users), 1000)]
+    for i, group in enumerate(grouped_users):
+        role_bindings = []
+        start = time.time()
+        for user in group:
+            role = BuiltinRole.get_system_role_by_old_name(user.role)
+            role_binding = role_binding_model(scope='system', user_id=user.id, role_id=role.id)
+            role_bindings.append(role_binding)
+        role_binding_model.objects.bulk_create(role_bindings, ignore_conflicts=True)
+        print("Create role binding: {}-{} using: {:.2f}s".format(
+            i*1000, i*1000 + len(group), time.time()-start
+        ))
 
 
 def migrate_org_role_binding(apps, schema_editor):
     db_alias = schema_editor.connection.alias
     org_member_model = apps.get_model('orgs', 'OrganizationMember')
     role_binding_model = apps.get_model('rbac', 'RoleBinding')
-    members = org_member_model.objects.using(db_alias).all()
+    members = org_member_model.objects.using(db_alias)\
+        .only('role', 'user_id', 'org_id')\
+        .all()
 
-    role_bindings = []
-    for member in members:
-        role = BuiltinRole.get_org_role_by_old_name(member.role)
-        role_binding = role_binding_model(
-            scope='org',
-            user_id=member.user.id,
-            role_id=role.id,
-            org_id=member.org.id
-        )
-        role_bindings.append(role_binding)
-    role_binding_model.objects.bulk_create(role_bindings)
+    grouped_members = [members[i:i+1000] for i in range(0, len(members), 1000)]
+    for i, group in enumerate(grouped_members):
+        role_bindings = []
+        start = time.time()
+        for member in group:
+            role = BuiltinRole.get_org_role_by_old_name(member.role)
+            role_binding = role_binding_model(
+                scope='org',
+                user_id=member.user_id,
+                role_id=role.id,
+                org_id=member.org_id
+            )
+            role_bindings.append(role_binding)
+        role_binding_model.objects.bulk_create(role_bindings, ignore_conflicts=True)
+        print("Create role binding: {}-{} using: {:.2f}s".format(
+            i*1000, i*1000 + len(group), time.time()-start
+        ))
 
 
 class Migration(migrations.Migration):
diff --git a/utils/test_run_migrations.py b/utils/test_run_migrations.py
new file mode 100644
index 000000000..c45c46ec1
--- /dev/null
+++ b/utils/test_run_migrations.py
@@ -0,0 +1,60 @@
+# Generated by Django 3.1.13 on 2021-12-01 11:01
+import os
+import sys
+import django
+import time
+
+app_path = '***** Change me *******'
+sys.path.insert(0, app_path)
+os.environ.setdefault("DJANGO_SETTINGS_MODULE", "jumpserver.settings")
+django.setup()
+
+from django.apps import apps
+from django.db import connection
+
+# ========================== 添加到需要测试的 migrations 上方 ==========================
+
+
+from django.db import migrations
+
+from rbac.builtin import BuiltinRole
+
+
+def migrate_some_binding(apps, schema_editor):
+    db_alias = schema_editor.connection.alias
+    user_model = apps.get_model('users', 'User')
+    role_binding_model = apps.get_model('rbac', 'SystemRoleBinding')
+    users = user_model.objects.using(db_alias).all()
+
+    grouped_users = [users[i:i+1000] for i in range(0, len(users), 1000)]
+    for i, group in enumerate(grouped_users):
+        role_bindings = []
+        start = time.time()
+        for user in group:
+            role = BuiltinRole.get_system_role_by_old_name(user.role)
+            role_binding = role_binding_model(scope='system', user_id=user.id, role_id=role.id)
+            role_bindings.append(role_binding)
+        role_binding_model.objects.bulk_create(role_bindings, ignore_conflicts=True)
+        print("Create role binding: {}-{} using: {:.2f}s".format(
+            i*1000, i*1000 + len(group), time.time()-start
+        ))
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('rbac', '0003_auto_20211130_1037'),
+    ]
+
+    operations = [
+        migrations.RunPython(migrate_some_binding),
+    ]
+
+
+# ================== 添加到下方 ======================
+def main():
+    schema_editor = connection.schema_editor()
+    migrate_some_binding(apps, schema_editor)
+
+
+# main()

From 25ae790f7d14927d7f3268e6de772b1f1e35475b Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Mon, 13 Jun 2022 15:45:10 +0800
Subject: [PATCH 154/258] =?UTF-8?q?fix:=20=E4=BF=AE=E6=94=B9client=20?=
 =?UTF-8?q?=E7=89=88=E6=9C=AC=20(#8375)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: feng626 <1304903146@qq.com>
---
 apps/templates/resource_download.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/templates/resource_download.html b/apps/templates/resource_download.html
index 09215b532..57570eb8e 100644
--- a/apps/templates/resource_download.html
+++ b/apps/templates/resource_download.html
@@ -15,7 +15,7 @@ p {
 </style>
 <div style="margin: 0 200px">
     <div class="group">
-        <h2>JumpServer {% trans 'Client' %} v1.1.5</h2>
+        <h2>JumpServer {% trans 'Client' %} v1.1.6</h2>
         <p>
             {% trans 'JumpServer Client, currently used to launch the client, now only support launch RDP SSH client, The Telnet client will next' %}
         </p>

From 95f8b12912a775104c6da2c5962be0cb908de8cb Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Mon, 13 Jun 2022 15:33:27 +0800
Subject: [PATCH 155/258] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=E9=83=A8?=
 =?UTF-8?q?=E5=88=86=20password=20encrypted=20field=20extra=20kwargs=20?=
 =?UTF-8?q?=E5=8F=82=E6=95=B0=E4=B8=8D=E7=94=9F=E6=95=88=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/assets/serializers/account.py     |  5 -----
 apps/assets/serializers/base.py        |  4 +++-
 apps/assets/serializers/system_user.py | 11 +++++------
 3 files changed, 8 insertions(+), 12 deletions(-)

diff --git a/apps/assets/serializers/account.py b/apps/assets/serializers/account.py
index bc4bea563..5cbb26d88 100644
--- a/apps/assets/serializers/account.py
+++ b/apps/assets/serializers/account.py
@@ -5,7 +5,6 @@ from assets.models import AuthBook
 from orgs.mixins.serializers import BulkOrgResourceModelSerializer
 
 from .base import AuthSerializerMixin
-from .utils import validate_password_contains_left_double_curly_bracket
 from common.utils.encode import ssh_pubkey_gen
 from common.drf.serializers import SecretReadableMixin
 
@@ -32,10 +31,6 @@ class AccountSerializer(AuthSerializerMixin, BulkOrgResourceModelSerializer):
         fields = fields_small + fields_fk
         extra_kwargs = {
             'username': {'required': True},
-            'password': {
-                'write_only': True,
-                "validators": [validate_password_contains_left_double_curly_bracket]
-            },
             'private_key': {'write_only': True},
             'public_key': {'write_only': True},
             'systemuser_display': {'label': _('System user display')}
diff --git a/apps/assets/serializers/base.py b/apps/assets/serializers/base.py
index c20b1abb8..92cc65f19 100644
--- a/apps/assets/serializers/base.py
+++ b/apps/assets/serializers/base.py
@@ -8,6 +8,7 @@ from rest_framework import serializers
 from common.utils import ssh_pubkey_gen, ssh_private_key_gen, validate_ssh_private_key
 from common.drf.fields import EncryptedField
 from assets.models import Type
+from .utils import validate_password_contains_left_double_curly_bracket
 
 
 class AuthSerializer(serializers.ModelSerializer):
@@ -33,7 +34,8 @@ class AuthSerializer(serializers.ModelSerializer):
 
 class AuthSerializerMixin(serializers.ModelSerializer):
     password = EncryptedField(
-        label=_('Password'), required=False, allow_blank=True, allow_null=True, max_length=1024
+        label=_('Password'), required=False, allow_blank=True, allow_null=True, max_length=1024,
+        validators=[validate_password_contains_left_double_curly_bracket]
     )
     private_key = EncryptedField(
         label=_('SSH private key'), required=False, allow_blank=True, allow_null=True, max_length=4096
diff --git a/apps/assets/serializers/system_user.py b/apps/assets/serializers/system_user.py
index 278a99d87..68ade0ebd 100644
--- a/apps/assets/serializers/system_user.py
+++ b/apps/assets/serializers/system_user.py
@@ -25,6 +25,11 @@ class SystemUserSerializer(AuthSerializerMixin, BulkOrgResourceModelSerializer):
     """
     系统用户
     """
+    password = EncryptedField(
+        label=_('Password'), required=False, allow_blank=True, allow_null=True, max_length=1024,
+        trim_whitespace=False, validators=[validate_password_contains_left_double_curly_bracket],
+        write_only=True
+    )
     auto_generate_key = serializers.BooleanField(initial=True, required=False, write_only=True)
     type_display = serializers.ReadOnlyField(source='get_type_display', label=_('Type display'))
     ssh_key_fingerprint = serializers.ReadOnlyField(label=_('SSH key fingerprint'))
@@ -51,15 +56,9 @@ class SystemUserSerializer(AuthSerializerMixin, BulkOrgResourceModelSerializer):
         fields_m2m = ['cmd_filters', 'assets_amount', 'applications_amount', 'nodes']
         fields = fields_small + fields_m2m
         extra_kwargs = {
-            'password': {
-                "write_only": True,
-                'trim_whitespace': False,
-                "validators": [validate_password_contains_left_double_curly_bracket]
-            },
             'cmd_filters': {"required": False, 'label': _('Command filter')},
             'public_key': {"write_only": True},
             'private_key': {"write_only": True},
-            'token': {"write_only": True},
             'nodes_amount': {'label': _('Nodes amount')},
             'assets_amount': {'label': _('Assets amount')},
             'login_mode_display': {'label': _('Login mode display')},

From 556ce0a1463b9c5f5fe6779821aa2ff5c0e63eb1 Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Mon, 13 Jun 2022 16:26:36 +0800
Subject: [PATCH 156/258] =?UTF-8?q?perf:=20=E7=BB=A7=E7=BB=AD=E4=BC=98?=
 =?UTF-8?q?=E5=8C=96=E4=B8=80=E6=B3=A2?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../migrations/0004_auto_20211201_1901.py     | 40 +++++++++++++------
 utils/test_run_migrations.py                  | 24 +++++++----
 2 files changed, 44 insertions(+), 20 deletions(-)

diff --git a/apps/rbac/migrations/0004_auto_20211201_1901.py b/apps/rbac/migrations/0004_auto_20211201_1901.py
index eafe37539..9d59d99fc 100644
--- a/apps/rbac/migrations/0004_auto_20211201_1901.py
+++ b/apps/rbac/migrations/0004_auto_20211201_1901.py
@@ -1,3 +1,5 @@
+# Generated by Django 3.1.13 on 2021-12-01 11:01
+
 import time
 from django.db import migrations
 
@@ -8,35 +10,48 @@ def migrate_system_role_binding(apps, schema_editor):
     db_alias = schema_editor.connection.alias
     user_model = apps.get_model('users', 'User')
     role_binding_model = apps.get_model('rbac', 'SystemRoleBinding')
-    users = user_model.objects.using(db_alias).all()
 
-    grouped_users = [users[i:i+1000] for i in range(0, len(users), 1000)]
-    for i, group in enumerate(grouped_users):
+    count = 0
+    bulk_size = 1000
+    while True:
+        users = user_model.objects.using(db_alias) \
+            .only('role', 'id') \
+            .all()[count:count+bulk_size]
+        if not users:
+            break
+
         role_bindings = []
         start = time.time()
-        for user in group:
+        for user in users:
             role = BuiltinRole.get_system_role_by_old_name(user.role)
             role_binding = role_binding_model(scope='system', user_id=user.id, role_id=role.id)
             role_bindings.append(role_binding)
+
         role_binding_model.objects.bulk_create(role_bindings, ignore_conflicts=True)
         print("Create role binding: {}-{} using: {:.2f}s".format(
-            i*1000, i*1000 + len(group), time.time()-start
+            count, count + len(users), time.time()-start
         ))
+        count += len(users)
 
 
 def migrate_org_role_binding(apps, schema_editor):
     db_alias = schema_editor.connection.alias
     org_member_model = apps.get_model('orgs', 'OrganizationMember')
     role_binding_model = apps.get_model('rbac', 'RoleBinding')
-    members = org_member_model.objects.using(db_alias)\
-        .only('role', 'user_id', 'org_id')\
-        .all()
 
-    grouped_members = [members[i:i+1000] for i in range(0, len(members), 1000)]
-    for i, group in enumerate(grouped_members):
+    count = 0
+    bulk_size = 1000
+
+    while True:
+        members = org_member_model.objects.using(db_alias)\
+            .only('role', 'user_id', 'org_id')\
+            .all()[count:count+bulk_size]
+        if not members:
+            break
         role_bindings = []
         start = time.time()
-        for member in group:
+
+        for member in members:
             role = BuiltinRole.get_org_role_by_old_name(member.role)
             role_binding = role_binding_model(
                 scope='org',
@@ -47,8 +62,9 @@ def migrate_org_role_binding(apps, schema_editor):
             role_bindings.append(role_binding)
         role_binding_model.objects.bulk_create(role_bindings, ignore_conflicts=True)
         print("Create role binding: {}-{} using: {:.2f}s".format(
-            i*1000, i*1000 + len(group), time.time()-start
+            count, count + len(members), time.time()-start
         ))
+        count += len(members)
 
 
 class Migration(migrations.Migration):
diff --git a/utils/test_run_migrations.py b/utils/test_run_migrations.py
index c45c46ec1..33c7c3c5c 100644
--- a/utils/test_run_migrations.py
+++ b/utils/test_run_migrations.py
@@ -20,24 +20,32 @@ from django.db import migrations
 from rbac.builtin import BuiltinRole
 
 
-def migrate_some_binding(apps, schema_editor):
+def migrate_system_role_binding(apps, schema_editor):
     db_alias = schema_editor.connection.alias
     user_model = apps.get_model('users', 'User')
     role_binding_model = apps.get_model('rbac', 'SystemRoleBinding')
-    users = user_model.objects.using(db_alias).all()
 
-    grouped_users = [users[i:i+1000] for i in range(0, len(users), 1000)]
-    for i, group in enumerate(grouped_users):
+    count = 0
+    bulk_size = 1000
+    while True:
+        users = user_model.objects.using(db_alias) \
+                    .only('role', 'id') \
+                    .all()[count:count+bulk_size]
+        if not users:
+            break
+
         role_bindings = []
         start = time.time()
-        for user in group:
+        for user in users:
             role = BuiltinRole.get_system_role_by_old_name(user.role)
             role_binding = role_binding_model(scope='system', user_id=user.id, role_id=role.id)
             role_bindings.append(role_binding)
+
         role_binding_model.objects.bulk_create(role_bindings, ignore_conflicts=True)
         print("Create role binding: {}-{} using: {:.2f}s".format(
-            i*1000, i*1000 + len(group), time.time()-start
+            count, count + len(users), time.time()-start
         ))
+        count += len(users)
 
 
 class Migration(migrations.Migration):
@@ -47,14 +55,14 @@ class Migration(migrations.Migration):
     ]
 
     operations = [
-        migrations.RunPython(migrate_some_binding),
+        migrations.RunPython(migrate_system_role_binding),
     ]
 
 
 # ================== 添加到下方 ======================
 def main():
     schema_editor = connection.schema_editor()
-    migrate_some_binding(apps, schema_editor)
+    migrate_system_role_binding(apps, schema_editor)
 
 
 # main()

From f91bfedc50d4701e65a6c062db83483b5917272e Mon Sep 17 00:00:00 2001
From: feng626 <1304903146@qq.com>
Date: Tue, 14 Jun 2022 16:03:42 +0800
Subject: [PATCH 157/258] =?UTF-8?q?perf:=20=E6=8E=88=E6=9D=83=E8=BF=87?=
 =?UTF-8?q?=E6=9C=9F=E9=80=9A=E7=9F=A5?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/locale/ja/LC_MESSAGES/django.mo          |   4 +-
 apps/locale/ja/LC_MESSAGES/django.po          | 366 +++++++++---------
 apps/locale/zh/LC_MESSAGES/django.mo          |   4 +-
 apps/locale/zh/LC_MESSAGES/django.po          | 353 ++++++++---------
 apps/locale/zh/LC_MESSAGES/djangojs.po        |   1 -
 apps/perms/notifications.py                   |  15 +-
 apps/perms/tasks.py                           |  64 ++-
 .../perms/_msg_item_permissions_expire.html   |   2 +-
 .../perms/_msg_permed_items_expire.html       |   2 +-
 9 files changed, 430 insertions(+), 381 deletions(-)

diff --git a/apps/locale/ja/LC_MESSAGES/django.mo b/apps/locale/ja/LC_MESSAGES/django.mo
index 2f0a7842c..50947cea2 100644
--- a/apps/locale/ja/LC_MESSAGES/django.mo
+++ b/apps/locale/ja/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:82cdb805f6d681577806fb6fc41178b5dd28eafc68b1348f433ba7f7f5ce9920
-size 127478
+oid sha256:8a0e0ef94fd1cf5b3d41c378b54e8af2fb502c7f1e9d6a3e54084e8113978561
+size 127495
diff --git a/apps/locale/ja/LC_MESSAGES/django.po b/apps/locale/ja/LC_MESSAGES/django.po
index 2d7a87994..11310178e 100644
--- a/apps/locale/ja/LC_MESSAGES/django.po
+++ b/apps/locale/ja/LC_MESSAGES/django.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-05-31 16:02+0800\n"
+"POT-Creation-Date: 2022-06-14 15:48+0800\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -38,12 +38,12 @@ msgid "Name"
 msgstr "名前"
 
 #: acls/models/base.py:27 assets/models/cmd_filter.py:84
-#: assets/models/user.py:247 terminal/models/endpoint.py:62
+#: assets/models/user.py:251 terminal/models/endpoint.py:62
 msgid "Priority"
 msgstr "優先順位"
 
 #: acls/models/base.py:28 assets/models/cmd_filter.py:84
-#: assets/models/user.py:247 terminal/models/endpoint.py:63
+#: assets/models/user.py:251 terminal/models/endpoint.py:63
 msgid "1-100, the lower the value will be match first"
 msgstr "1-100、低い値は最初に一致します"
 
@@ -93,8 +93,8 @@ msgstr "ログイン確認"
 #: terminal/backends/command/models.py:20
 #: terminal/backends/command/serializers.py:12 terminal/models/session.py:44
 #: terminal/notifications.py:91 terminal/notifications.py:139
-#: tickets/models/comment.py:17 users/const.py:14 users/models/user.py:883
-#: users/models/user.py:914 users/serializers/group.py:19
+#: tickets/models/comment.py:17 users/const.py:14 users/models/user.py:888
+#: users/models/user.py:919 users/serializers/group.py:19
 msgid "User"
 msgstr "ユーザー"
 
@@ -129,7 +129,7 @@ msgstr "システムユーザー"
 #: assets/models/asset.py:386 assets/models/authbook.py:19
 #: assets/models/backup.py:31 assets/models/cmd_filter.py:38
 #: assets/models/gathered_user.py:14 assets/serializers/label.py:30
-#: assets/serializers/system_user.py:269 audits/models.py:39
+#: assets/serializers/system_user.py:268 audits/models.py:39
 #: perms/models/asset_permission.py:23 terminal/backends/command/models.py:21
 #: terminal/backends/command/serializers.py:13 terminal/models/session.py:46
 #: terminal/notifications.py:90
@@ -179,7 +179,7 @@ msgstr ""
 #: acls/serializers/login_asset_acl.py:31 acls/serializers/rules/rules.py:33
 #: applications/serializers/attrs/application_type/mysql_workbench.py:18
 #: assets/models/asset.py:210 assets/models/domain.py:60
-#: assets/serializers/account.py:14
+#: assets/serializers/account.py:13
 #: authentication/templates/authentication/_msg_oauth_bind.html:12
 #: authentication/templates/authentication/_msg_rest_password_success.html:8
 #: authentication/templates/authentication/_msg_rest_public_key_success.html:8
@@ -188,7 +188,7 @@ msgid "IP"
 msgstr "IP"
 
 #: acls/serializers/login_asset_acl.py:35 assets/models/asset.py:211
-#: assets/serializers/account.py:15 assets/serializers/gathered_user.py:23
+#: assets/serializers/account.py:14 assets/serializers/gathered_user.py:23
 #: settings/serializers/terminal.py:7
 msgid "Hostname"
 msgstr "ホスト名"
@@ -202,7 +202,7 @@ msgstr ""
 "ション: {}"
 
 #: acls/serializers/login_asset_acl.py:55 assets/models/asset.py:213
-#: assets/models/domain.py:62 assets/models/user.py:248
+#: assets/models/domain.py:62 assets/models/user.py:252
 #: terminal/serializers/session.py:30 terminal/serializers/storage.py:68
 msgid "Protocol"
 msgstr "プロトコル"
@@ -265,7 +265,7 @@ msgid "Application"
 msgstr "アプリケーション"
 
 #: applications/models/account.py:15 assets/models/authbook.py:20
-#: assets/models/cmd_filter.py:42 assets/models/user.py:338 audits/models.py:40
+#: assets/models/cmd_filter.py:42 assets/models/user.py:342 audits/models.py:40
 #: perms/models/application_permission.py:33
 #: perms/models/asset_permission.py:25 terminal/backends/command/models.py:22
 #: terminal/backends/command/serializers.py:35 terminal/models/session.py:48
@@ -303,7 +303,7 @@ msgstr "カテゴリ"
 
 #: applications/models/application.py:222
 #: applications/serializers/application.py:101 assets/models/backup.py:49
-#: assets/models/cmd_filter.py:82 assets/models/user.py:246
+#: assets/models/cmd_filter.py:82 assets/models/user.py:250
 #: perms/models/application_permission.py:24
 #: perms/serializers/application/user_permission.py:34
 #: terminal/models/storage.py:57 terminal/models/storage.py:141
@@ -341,7 +341,7 @@ msgstr "カテゴリ表示"
 
 #: applications/serializers/application.py:71
 #: applications/serializers/application.py:102
-#: assets/serializers/cmd_filter.py:34 assets/serializers/system_user.py:29
+#: assets/serializers/cmd_filter.py:34 assets/serializers/system_user.py:34
 #: audits/serializers.py:29 perms/serializers/application/permission.py:19
 #: tickets/serializers/ticket/meta/ticket_type/apply_application.py:33
 #: tickets/serializers/ticket/ticket.py:21
@@ -353,17 +353,17 @@ msgstr "タイプ表示"
 #: assets/models/base.py:181 assets/models/cluster.py:26
 #: assets/models/domain.py:26 assets/models/gathered_user.py:19
 #: assets/models/group.py:22 assets/models/label.py:25
-#: assets/serializers/account.py:19 assets/serializers/cmd_filter.py:28
+#: assets/serializers/account.py:18 assets/serializers/cmd_filter.py:28
 #: assets/serializers/cmd_filter.py:48 common/db/models.py:113
 #: common/mixins/models.py:50 ops/models/adhoc.py:39 ops/models/command.py:30
 #: orgs/models.py:67 orgs/models.py:217 perms/models/base.py:92
-#: users/models/group.py:18 users/models/user.py:915
+#: users/models/group.py:18 users/models/user.py:920
 #: xpack/plugins/cloud/models.py:125
 msgid "Date created"
 msgstr "作成された日付"
 
 #: applications/serializers/application.py:104 assets/models/base.py:182
-#: assets/models/gathered_user.py:20 assets/serializers/account.py:22
+#: assets/models/gathered_user.py:20 assets/serializers/account.py:21
 #: assets/serializers/cmd_filter.py:29 assets/serializers/cmd_filter.py:49
 #: common/db/models.py:114 common/mixins/models.py:51 ops/models/adhoc.py:40
 #: orgs/models.py:218
@@ -413,7 +413,7 @@ msgid "Application path"
 msgstr "アプリケーションパス"
 
 #: applications/serializers/attrs/application_category/remote_app.py:44
-#: assets/serializers/system_user.py:168
+#: assets/serializers/system_user.py:167
 #: xpack/plugins/change_auth_plan/serializers/asset.py:67
 #: xpack/plugins/change_auth_plan/serializers/asset.py:70
 #: xpack/plugins/change_auth_plan/serializers/asset.py:73
@@ -510,7 +510,7 @@ msgid "Internal"
 msgstr "内部"
 
 #: assets/models/asset.py:162 assets/models/asset.py:216
-#: assets/serializers/account.py:16 assets/serializers/asset.py:63
+#: assets/serializers/account.py:15 assets/serializers/asset.py:63
 #: perms/serializers/asset/user_permission.py:43
 msgid "Platform"
 msgstr "プラットフォーム"
@@ -571,13 +571,13 @@ msgstr "システムアーキテクチャ"
 msgid "Hostname raw"
 msgstr "ホスト名生"
 
-#: assets/models/asset.py:215 assets/serializers/account.py:17
+#: assets/models/asset.py:215 assets/serializers/account.py:16
 #: assets/serializers/asset.py:65 perms/serializers/asset/user_permission.py:41
 #: xpack/plugins/cloud/models.py:107 xpack/plugins/cloud/serializers/task.py:42
 msgid "Protocols"
 msgstr "プロトコル"
 
-#: assets/models/asset.py:218 assets/models/user.py:238
+#: assets/models/asset.py:218 assets/models/user.py:242
 #: perms/models/asset_permission.py:24
 #: xpack/plugins/change_auth_plan/models/asset.py:43
 #: xpack/plugins/gathered_user/models.py:24
@@ -590,7 +590,7 @@ msgid "Is active"
 msgstr "アクティブです。"
 
 #: assets/models/asset.py:222 assets/models/cluster.py:19
-#: assets/models/user.py:235 assets/models/user.py:390
+#: assets/models/user.py:239 assets/models/user.py:394
 msgid "Admin user"
 msgstr "管理ユーザー"
 
@@ -759,9 +759,9 @@ msgstr "接続性"
 msgid "Date verified"
 msgstr "確認済みの日付"
 
-#: assets/models/base.py:177 assets/serializers/base.py:14
-#: assets/serializers/base.py:36 audits/signal_handlers.py:48
-#: authentication/forms.py:32
+#: assets/models/base.py:177 assets/serializers/base.py:15
+#: assets/serializers/base.py:37 assets/serializers/system_user.py:29
+#: audits/signal_handlers.py:50 authentication/forms.py:32
 #: authentication/templates/authentication/login.html:182
 #: settings/serializers/auth/ldap.py:25 settings/serializers/auth/ldap.py:46
 #: users/forms/profile.py:22 users/serializers/user.py:92
@@ -776,7 +776,7 @@ msgstr "確認済みの日付"
 msgid "Password"
 msgstr "パスワード"
 
-#: assets/models/base.py:178 assets/serializers/base.py:39
+#: assets/models/base.py:178 assets/serializers/base.py:41
 #: xpack/plugins/change_auth_plan/models/asset.py:53
 #: xpack/plugins/change_auth_plan/models/asset.py:130
 #: xpack/plugins/change_auth_plan/models/asset.py:206
@@ -823,7 +823,7 @@ msgid "Default"
 msgstr "デフォルト"
 
 #: assets/models/cluster.py:36 assets/models/label.py:14 rbac/const.py:6
-#: users/models/user.py:900
+#: users/models/user.py:905
 msgid "System"
 msgstr "システム"
 
@@ -961,7 +961,7 @@ msgstr "フルバリュー"
 msgid "Parent key"
 msgstr "親キー"
 
-#: assets/models/node.py:559 assets/serializers/system_user.py:268
+#: assets/models/node.py:559 assets/serializers/system_user.py:267
 #: xpack/plugins/cloud/models.py:96 xpack/plugins/cloud/serializers/task.py:69
 msgid "Node"
 msgstr "ノード"
@@ -970,78 +970,78 @@ msgstr "ノード"
 msgid "Can match node"
 msgstr "ノードを一致させることができます"
 
-#: assets/models/user.py:229
+#: assets/models/user.py:233
 msgid "Automatic managed"
 msgstr "自動管理"
 
-#: assets/models/user.py:230
+#: assets/models/user.py:234
 msgid "Manually input"
 msgstr "手動入力"
 
-#: assets/models/user.py:234
+#: assets/models/user.py:238
 msgid "Common user"
 msgstr "共通ユーザー"
 
-#: assets/models/user.py:237
+#: assets/models/user.py:241
 msgid "Username same with user"
 msgstr "ユーザーと同じユーザー名"
 
-#: assets/models/user.py:240 assets/serializers/domain.py:30
+#: assets/models/user.py:244 assets/serializers/domain.py:30
 #: terminal/templates/terminal/_msg_command_execute_alert.html:16
 #: xpack/plugins/change_auth_plan/models/asset.py:39
 msgid "Assets"
 msgstr "資産"
 
-#: assets/models/user.py:244 users/apps.py:9
+#: assets/models/user.py:248 users/apps.py:9
 msgid "Users"
 msgstr "ユーザー"
 
-#: assets/models/user.py:245
+#: assets/models/user.py:249
 msgid "User groups"
 msgstr "ユーザーグループ"
 
-#: assets/models/user.py:249
+#: assets/models/user.py:253
 msgid "Auto push"
 msgstr "オートプッシュ"
 
-#: assets/models/user.py:250
+#: assets/models/user.py:254
 msgid "Sudo"
 msgstr "すど"
 
-#: assets/models/user.py:251
+#: assets/models/user.py:255
 msgid "Shell"
 msgstr "シェル"
 
-#: assets/models/user.py:252
+#: assets/models/user.py:256
 msgid "Login mode"
 msgstr "ログインモード"
 
-#: assets/models/user.py:253
+#: assets/models/user.py:257
 msgid "SFTP Root"
 msgstr "SFTPルート"
 
-#: assets/models/user.py:254 assets/serializers/system_user.py:32
+#: assets/models/user.py:258 assets/serializers/system_user.py:37
 #: authentication/models.py:49
 msgid "Token"
 msgstr "トークン"
 
-#: assets/models/user.py:255
+#: assets/models/user.py:259
 msgid "Home"
 msgstr "ホーム"
 
-#: assets/models/user.py:256
+#: assets/models/user.py:260
 msgid "System groups"
 msgstr "システムグループ"
 
-#: assets/models/user.py:259
+#: assets/models/user.py:263
 msgid "User switch"
 msgstr "ユーザースイッチ"
 
-#: assets/models/user.py:260
+#: assets/models/user.py:264
 msgid "Switch from"
 msgstr "から切り替え"
 
-#: assets/models/user.py:340
+#: assets/models/user.py:344
 msgid "Can match system user"
 msgstr "システムユーザーに一致できます"
 
@@ -1072,7 +1072,7 @@ msgstr ""
 "されていません-個人情報にアクセスしてください-> ファイル暗号化パスワードを設"
 "定してください暗号化パスワード"
 
-#: assets/serializers/account.py:41 assets/serializers/account.py:84
+#: assets/serializers/account.py:36 assets/serializers/account.py:79
 msgid "System user display"
 msgstr "システムユーザー表示"
 
@@ -1127,15 +1127,15 @@ msgstr "定期的なパフォーマンス"
 msgid "Currently only mail sending is supported"
 msgstr "現在、メール送信のみがサポートされています"
 
-#: assets/serializers/base.py:15 users/models/user.py:689
+#: assets/serializers/base.py:16 users/models/user.py:689
 msgid "Private key"
 msgstr "ssh秘密鍵"
 
-#: assets/serializers/base.py:43
+#: assets/serializers/base.py:45
 msgid "Key password"
 msgstr "キーパスワード"
 
-#: assets/serializers/base.py:56
+#: assets/serializers/base.py:58
 msgid "private key invalid or passphrase error"
 msgstr "秘密鍵が無効またはpassphraseエラー"
 
@@ -1148,7 +1148,7 @@ msgid "Pattern"
 msgstr "パターン"
 
 #: assets/serializers/domain.py:14 assets/serializers/label.py:12
-#: assets/serializers/system_user.py:64
+#: assets/serializers/system_user.py:63
 #: perms/serializers/asset/permission.py:49
 msgid "Assets amount"
 msgstr "資産額"
@@ -1173,78 +1173,78 @@ msgstr "含まれない:/"
 msgid "The same level node name cannot be the same"
 msgstr "同じレベルのノード名を同じにすることはできません。"
 
-#: assets/serializers/system_user.py:30
+#: assets/serializers/system_user.py:35
 msgid "SSH key fingerprint"
 msgstr "SSHキー指紋"
 
-#: assets/serializers/system_user.py:35
+#: assets/serializers/system_user.py:40
 #: perms/serializers/application/permission.py:46
 msgid "Apps amount"
 msgstr "アプリの量"
 
-#: assets/serializers/system_user.py:63
+#: assets/serializers/system_user.py:62
 #: perms/serializers/asset/permission.py:50
 msgid "Nodes amount"
 msgstr "ノード量"
 
-#: assets/serializers/system_user.py:65 assets/serializers/system_user.py:270
+#: assets/serializers/system_user.py:64 assets/serializers/system_user.py:269
 msgid "Login mode display"
 msgstr "ログインモード表示"
 
-#: assets/serializers/system_user.py:67
+#: assets/serializers/system_user.py:66
 msgid "Ad domain"
 msgstr "広告ドメイン"
 
-#: assets/serializers/system_user.py:68
+#: assets/serializers/system_user.py:67
 msgid "Is asset protocol"
 msgstr "資産プロトコルです"
 
-#: assets/serializers/system_user.py:69
+#: assets/serializers/system_user.py:68
 msgid "Only ssh and automatic login system users are supported"
 msgstr "sshと自動ログインシステムのユーザーのみがサポートされています"
 
-#: assets/serializers/system_user.py:109
+#: assets/serializers/system_user.py:108
 msgid "Username same with user with protocol {} only allow 1"
 msgstr "プロトコル {} のユーザーと同じユーザー名は1のみ許可します"
 
-#: assets/serializers/system_user.py:122 common/validators.py:14
+#: assets/serializers/system_user.py:121 common/validators.py:14
 msgid "Special char not allowed"
 msgstr "特別なcharは許可されていません"
 
-#: assets/serializers/system_user.py:132
+#: assets/serializers/system_user.py:131
 msgid "* Automatic login mode must fill in the username."
 msgstr "* 自動ログインモードはユーザー名を入力する必要があります。"
 
-#: assets/serializers/system_user.py:147
+#: assets/serializers/system_user.py:146
 msgid "Path should starts with /"
 msgstr "パスは/で始まる必要があります"
 
-#: assets/serializers/system_user.py:159
+#: assets/serializers/system_user.py:158
 msgid "Password or private key required"
 msgstr "パスワードまたは秘密鍵が必要"
 
-#: assets/serializers/system_user.py:173
+#: assets/serializers/system_user.py:172
 msgid "Only ssh protocol system users are allowed"
 msgstr "Sshプロトコルシステムユーザーのみが許可されています"
 
-#: assets/serializers/system_user.py:177
+#: assets/serializers/system_user.py:176
 msgid "The protocol must be consistent with the current user: {}"
 msgstr "プロトコルは現在のユーザーと一致している必要があります: {}"
 
-#: assets/serializers/system_user.py:181
+#: assets/serializers/system_user.py:180
 msgid "Only system users with automatic login are allowed"
 msgstr "自動ログインを持つシステムユーザーのみが許可されます"
 
-#: assets/serializers/system_user.py:289
+#: assets/serializers/system_user.py:288
 msgid "System user name"
 msgstr "システムユーザー名"
 
-#: assets/serializers/system_user.py:290 orgs/mixins/serializers.py:26
+#: assets/serializers/system_user.py:289 orgs/mixins/serializers.py:26
 #: rbac/serializers/rolebinding.py:23
 msgid "Org name"
 msgstr "組織名"
 
-#: assets/serializers/system_user.py:299
+#: assets/serializers/system_user.py:298
 msgid "Asset hostname"
 msgstr "資産ホスト名"
 
@@ -1313,24 +1313,24 @@ msgstr ""
 "セルフチェックのタスクはすでに実行されており、繰り返し開始することはできませ"
 "ん"
 
-#: assets/tasks/push_system_user.py:200
+#: assets/tasks/push_system_user.py:201
 msgid "System user is dynamic: {}"
 msgstr "システムユーザーは動的です: {}"
 
-#: assets/tasks/push_system_user.py:241
+#: assets/tasks/push_system_user.py:242
 msgid "Start push system user for platform: [{}]"
 msgstr "プラットフォームのプッシュシステムユーザーを開始: [{}]"
 
-#: assets/tasks/push_system_user.py:242
+#: assets/tasks/push_system_user.py:243
 #: assets/tasks/system_user_connectivity.py:106
 msgid "Hosts count: {}"
 msgstr "ホスト数: {}"
 
-#: assets/tasks/push_system_user.py:263 assets/tasks/push_system_user.py:296
+#: assets/tasks/push_system_user.py:264 assets/tasks/push_system_user.py:297
 msgid "Push system users to assets: "
 msgstr "システムユーザーを資産にプッシュする:"
 
-#: assets/tasks/push_system_user.py:275
+#: assets/tasks/push_system_user.py:276
 msgid "Push system users to asset: "
 msgstr "システムユーザーをアセットにプッシュする:"
 
@@ -1562,202 +1562,216 @@ msgstr "ディスプレイとして実行する"
 msgid "User display"
 msgstr "ユーザー表示"
 
-#: audits/signal_handlers.py:47
+#: audits/signal_handlers.py:49
 msgid "SSH Key"
 msgstr "SSHキー"
 
-#: audits/signal_handlers.py:49
+#: audits/signal_handlers.py:51
 msgid "SSO"
 msgstr "SSO"
 
-#: audits/signal_handlers.py:50
+#: audits/signal_handlers.py:52
 msgid "Auth Token"
 msgstr "認証トークン"
 
-#: audits/signal_handlers.py:51 authentication/notifications.py:73
-#: authentication/views/login.py:164 authentication/views/wecom.py:182
+#: audits/signal_handlers.py:53 authentication/notifications.py:73
+#: authentication/views/login.py:164 authentication/views/wecom.py:177
 #: notifications/backends/__init__.py:11 users/models/user.py:720
 msgid "WeCom"
 msgstr "企業微信"
 
-#: audits/signal_handlers.py:52 authentication/views/dingtalk.py:183
+#: audits/signal_handlers.py:54 authentication/views/dingtalk.py:179
 #: authentication/views/login.py:170 notifications/backends/__init__.py:12
 #: users/models/user.py:721
 msgid "DingTalk"
 msgstr "DingTalk"
 
-#: audits/signal_handlers.py:53 authentication/models.py:76
+#: audits/signal_handlers.py:55 authentication/models.py:76
 msgid "Temporary token"
 msgstr "仮パスワード"
 
-#: audits/signal_handlers.py:65
+#: audits/signal_handlers.py:67
 msgid "User and Group"
 msgstr "ユーザーとグループ"
 
-#: audits/signal_handlers.py:66
+#: audits/signal_handlers.py:68
 #, python-brace-format
 msgid "{User} JOINED {UserGroup}"
 msgstr "{User} に参加 {UserGroup}"
 
-#: audits/signal_handlers.py:67
+#: audits/signal_handlers.py:69
 #, python-brace-format
 msgid "{User} LEFT {UserGroup}"
 msgstr "{User} のそばを通る {UserGroup}"
 
-#: audits/signal_handlers.py:70
+#: audits/signal_handlers.py:72
 msgid "Asset and SystemUser"
 msgstr "資産およびシステム・ユーザー"
 
-#: audits/signal_handlers.py:71
+#: audits/signal_handlers.py:73
 #, python-brace-format
 msgid "{Asset} ADD {SystemUser}"
 msgstr "{Asset} 追加 {SystemUser}"
 
-#: audits/signal_handlers.py:72
+#: audits/signal_handlers.py:74
 #, python-brace-format
 msgid "{Asset} REMOVE {SystemUser}"
 msgstr "{Asset} 削除 {SystemUser}"
 
-#: audits/signal_handlers.py:75
+#: audits/signal_handlers.py:77
 msgid "Node and Asset"
 msgstr "ノードと資産"
 
-#: audits/signal_handlers.py:76
+#: audits/signal_handlers.py:78
 #, python-brace-format
 msgid "{Node} ADD {Asset}"
 msgstr "{Node} 追加 {Asset}"
 
-#: audits/signal_handlers.py:77
+#: audits/signal_handlers.py:79
 #, python-brace-format
 msgid "{Node} REMOVE {Asset}"
 msgstr "{Node} 削除 {Asset}"
 
-#: audits/signal_handlers.py:80
+#: audits/signal_handlers.py:82
 msgid "User asset permissions"
 msgstr "ユーザー資産の権限"
 
-#: audits/signal_handlers.py:81
+#: audits/signal_handlers.py:83
 #, python-brace-format
 msgid "{AssetPermission} ADD {User}"
 msgstr "{AssetPermission} 追加 {User}"
 
-#: audits/signal_handlers.py:82
+#: audits/signal_handlers.py:84
 #, python-brace-format
 msgid "{AssetPermission} REMOVE {User}"
 msgstr "{AssetPermission} 削除 {User}"
 
-#: audits/signal_handlers.py:85
+#: audits/signal_handlers.py:87
 msgid "User group asset permissions"
 msgstr "ユーザーグループの資産権限"
 
-#: audits/signal_handlers.py:86
+#: audits/signal_handlers.py:88
 #, python-brace-format
 msgid "{AssetPermission} ADD {UserGroup}"
 msgstr "{AssetPermission} 追加 {UserGroup}"
 
-#: audits/signal_handlers.py:87
+#: audits/signal_handlers.py:89
 #, python-brace-format
 msgid "{AssetPermission} REMOVE {UserGroup}"
 msgstr "{AssetPermission} 削除 {UserGroup}"
 
-#: audits/signal_handlers.py:90 perms/models/asset_permission.py:29
+#: audits/signal_handlers.py:92 perms/models/asset_permission.py:29
 msgid "Asset permission"
 msgstr "資産権限"
 
-#: audits/signal_handlers.py:91
+#: audits/signal_handlers.py:93
 #, python-brace-format
 msgid "{AssetPermission} ADD {Asset}"
 msgstr "{AssetPermission} 追加 {Asset}"
 
-#: audits/signal_handlers.py:92
+#: audits/signal_handlers.py:94
 #, python-brace-format
 msgid "{AssetPermission} REMOVE {Asset}"
 msgstr "{AssetPermission} 削除 {Asset}"
 
-#: audits/signal_handlers.py:95
+#: audits/signal_handlers.py:97
 msgid "Node permission"
 msgstr "ノード権限"
 
-#: audits/signal_handlers.py:96
+#: audits/signal_handlers.py:98
 #, python-brace-format
 msgid "{AssetPermission} ADD {Node}"
 msgstr "{AssetPermission} 追加 {Node}"
 
-#: audits/signal_handlers.py:97
+#: audits/signal_handlers.py:99
 #, python-brace-format
 msgid "{AssetPermission} REMOVE {Node}"
 msgstr "{AssetPermission} 削除 {Node}"
 
-#: audits/signal_handlers.py:100
+#: audits/signal_handlers.py:102
 msgid "Asset permission and SystemUser"
 msgstr "資産権限とSystemUser"
 
-#: audits/signal_handlers.py:101
+#: audits/signal_handlers.py:103
 #, python-brace-format
 msgid "{AssetPermission} ADD {SystemUser}"
 msgstr "{AssetPermission} 追加 {SystemUser}"
 
-#: audits/signal_handlers.py:102
+#: audits/signal_handlers.py:104
 #, python-brace-format
 msgid "{AssetPermission} REMOVE {SystemUser}"
 msgstr "{AssetPermission} 削除 {SystemUser}"
 
-#: audits/signal_handlers.py:105
+#: audits/signal_handlers.py:107
 msgid "User application permissions"
 msgstr "ユーザーアプリケーションの権限"
 
-#: audits/signal_handlers.py:106
+#: audits/signal_handlers.py:108
 #, python-brace-format
 msgid "{ApplicationPermission} ADD {User}"
 msgstr "{ApplicationPermission} 追加 {User}"
 
-#: audits/signal_handlers.py:107
+#: audits/signal_handlers.py:109
 #, python-brace-format
 msgid "{ApplicationPermission} REMOVE {User}"
 msgstr "{ApplicationPermission} 削除 {User}"
 
-#: audits/signal_handlers.py:110
+#: audits/signal_handlers.py:112
 msgid "User group application permissions"
 msgstr "ユーザーグループアプリケーションの権限"
 
-#: audits/signal_handlers.py:111
+#: audits/signal_handlers.py:113
 #, python-brace-format
 msgid "{ApplicationPermission} ADD {UserGroup}"
 msgstr "{ApplicationPermission} 追加 {UserGroup}"
 
-#: audits/signal_handlers.py:112
+#: audits/signal_handlers.py:114
 #, python-brace-format
 msgid "{ApplicationPermission} REMOVE {UserGroup}"
 msgstr "{ApplicationPermission} 削除 {UserGroup}"
 
-#: audits/signal_handlers.py:115 perms/models/application_permission.py:38
+#: audits/signal_handlers.py:117 perms/models/application_permission.py:38
 msgid "Application permission"
 msgstr "申請許可"
 
-#: audits/signal_handlers.py:116
+#: audits/signal_handlers.py:118
 #, python-brace-format
 msgid "{ApplicationPermission} ADD {Application}"
 msgstr "{ApplicationPermission} 追加 {Application}"
 
-#: audits/signal_handlers.py:117
+#: audits/signal_handlers.py:119
 #, python-brace-format
 msgid "{ApplicationPermission} REMOVE {Application}"
 msgstr "{ApplicationPermission} 削除 {Application}"
 
-#: audits/signal_handlers.py:120
+#: audits/signal_handlers.py:122
 msgid "Application permission and SystemUser"
 msgstr "アプリケーション権限とSystemUser"
 
-#: audits/signal_handlers.py:121
+#: audits/signal_handlers.py:123
 #, python-brace-format
 msgid "{ApplicationPermission} ADD {SystemUser}"
 msgstr "{ApplicationPermission} 追加 {SystemUser}"
 
-#: audits/signal_handlers.py:122
+#: audits/signal_handlers.py:124
 #, python-brace-format
 msgid "{ApplicationPermission} REMOVE {SystemUser}"
 msgstr "{ApplicationPermission} 削除 {SystemUser}"
 
+#: authentication/api/confirm.py:40
+#, fuzzy
+#| msgid "Authentication failed (username or password incorrect): {}"
+msgid "Authentication failed password incorrect"
+msgstr "認証に失敗しました (ユーザー名またはパスワードが正しくありません): {}"
+
+#: authentication/api/confirm.py:48
+msgid "Login time has exceeded {} minutes, please login again"
+msgstr ""
+
+#: authentication/api/confirm.py:72 common/exceptions.py:47
+msgid "This action require verify your MFA"
+msgstr "このアクションでは、MFAの確認が必要です。"
+
 #: authentication/api/connection_token.py:326
 msgid "Invalid token"
 msgstr "無効なトークン"
@@ -2199,7 +2213,7 @@ msgstr "コードエラー"
 #: authentication/templates/authentication/_msg_reset_password.html:3
 #: authentication/templates/authentication/_msg_rest_password_success.html:2
 #: authentication/templates/authentication/_msg_rest_public_key_success.html:2
-#: jumpserver/conf.py:304 ops/tasks.py:145 ops/tasks.py:148
+#: jumpserver/conf.py:305 ops/tasks.py:145 ops/tasks.py:148
 #: perms/templates/perms/_msg_item_permissions_expire.html:3
 #: perms/templates/perms/_msg_permed_items_expire.html:3
 #: tickets/templates/tickets/approve_check_password.html:23
@@ -2342,54 +2356,49 @@ msgstr "返品"
 msgid "Copy success"
 msgstr "コピー成功"
 
-#: authentication/views/dingtalk.py:40
+#: authentication/views/dingtalk.py:41
 msgid "DingTalk Error, Please contact your system administrator"
 msgstr "DingTalkエラー、システム管理者に連絡してください"
 
-#: authentication/views/dingtalk.py:43
+#: authentication/views/dingtalk.py:44
 msgid "DingTalk Error"
 msgstr "DingTalkエラー"
 
-#: authentication/views/dingtalk.py:55 authentication/views/feishu.py:50
+#: authentication/views/dingtalk.py:56 authentication/views/feishu.py:50
 #: authentication/views/wecom.py:55
 msgid ""
 "The system configuration is incorrect. Please contact your administrator"
 msgstr "システム設定が正しくありません。管理者に連絡してください"
 
-#: authentication/views/dingtalk.py:79
+#: authentication/views/dingtalk.py:80
 msgid "DingTalk is already bound"
 msgstr "DingTalkはすでにバインドされています"
 
-#: authentication/views/dingtalk.py:128 authentication/views/feishu.py:99
-#: authentication/views/wecom.py:128
-msgid "Please verify your password first"
-msgstr "最初にパスワードを確認してください"
-
-#: authentication/views/dingtalk.py:152 authentication/views/wecom.py:152
+#: authentication/views/dingtalk.py:148 authentication/views/wecom.py:147
 msgid "Invalid user_id"
 msgstr "無効なuser_id"
 
-#: authentication/views/dingtalk.py:168
+#: authentication/views/dingtalk.py:164
 msgid "DingTalk query user failed"
 msgstr "DingTalkクエリユーザーが失敗しました"
 
-#: authentication/views/dingtalk.py:177
+#: authentication/views/dingtalk.py:173
 msgid "The DingTalk is already bound to another user"
 msgstr "DingTalkはすでに別のユーザーにバインドされています"
 
-#: authentication/views/dingtalk.py:184
+#: authentication/views/dingtalk.py:180
 msgid "Binding DingTalk successfully"
 msgstr "DingTalkのバインドに成功"
 
-#: authentication/views/dingtalk.py:240 authentication/views/dingtalk.py:294
+#: authentication/views/dingtalk.py:236 authentication/views/dingtalk.py:290
 msgid "Failed to get user from DingTalk"
 msgstr "DingTalkからユーザーを取得できませんでした"
 
-#: authentication/views/dingtalk.py:246 authentication/views/dingtalk.py:300
+#: authentication/views/dingtalk.py:242 authentication/views/dingtalk.py:296
 msgid "DingTalk is not bound"
 msgstr "DingTalkはバインドされていません"
 
-#: authentication/views/dingtalk.py:247 authentication/views/dingtalk.py:301
+#: authentication/views/dingtalk.py:243 authentication/views/dingtalk.py:297
 msgid "Please login with a password and then bind the DingTalk"
 msgstr "パスワードでログインし、DingTalkをバインドしてください"
 
@@ -2401,32 +2410,32 @@ msgstr "FeiShuエラー"
 msgid "FeiShu is already bound"
 msgstr "FeiShuはすでにバインドされています"
 
-#: authentication/views/feishu.py:133
+#: authentication/views/feishu.py:128
 msgid "FeiShu query user failed"
 msgstr "FeiShuクエリユーザーが失敗しました"
 
-#: authentication/views/feishu.py:142
+#: authentication/views/feishu.py:137
 msgid "The FeiShu is already bound to another user"
 msgstr "FeiShuはすでに別のユーザーにバインドされています"
 
-#: authentication/views/feishu.py:148 authentication/views/login.py:176
+#: authentication/views/feishu.py:143 authentication/views/login.py:176
 #: notifications/backends/__init__.py:14 users/models/user.py:722
 msgid "FeiShu"
 msgstr "本を飛ばす"
 
-#: authentication/views/feishu.py:149
+#: authentication/views/feishu.py:144
 msgid "Binding FeiShu successfully"
 msgstr "本を飛ばすのバインドに成功"
 
-#: authentication/views/feishu.py:201
+#: authentication/views/feishu.py:196
 msgid "Failed to get user from FeiShu"
 msgstr "本を飛ばすからユーザーを取得できませんでした"
 
-#: authentication/views/feishu.py:207
+#: authentication/views/feishu.py:202
 msgid "FeiShu is not bound"
 msgstr "本を飛ばすは拘束されていません"
 
-#: authentication/views/feishu.py:208
+#: authentication/views/feishu.py:203
 msgid "Please login with a password and then bind the FeiShu"
 msgstr "パスワードでログインしてから本を飛ばすをバインドしてください"
 
@@ -2474,27 +2483,27 @@ msgstr "企業微信エラー"
 msgid "WeCom is already bound"
 msgstr "企業の微信はすでにバインドされています"
 
-#: authentication/views/wecom.py:167
+#: authentication/views/wecom.py:162
 msgid "WeCom query user failed"
 msgstr "企業微信ユーザーの問合せに失敗しました"
 
-#: authentication/views/wecom.py:176
+#: authentication/views/wecom.py:171
 msgid "The WeCom is already bound to another user"
 msgstr "この企業の微信はすでに他のユーザーをバインドしている。"
 
-#: authentication/views/wecom.py:183
+#: authentication/views/wecom.py:178
 msgid "Binding WeCom successfully"
 msgstr "企業の微信のバインドに成功"
 
-#: authentication/views/wecom.py:235 authentication/views/wecom.py:289
+#: authentication/views/wecom.py:230 authentication/views/wecom.py:284
 msgid "Failed to get user from WeCom"
 msgstr "企業の微信からユーザーを取得できませんでした"
 
-#: authentication/views/wecom.py:241 authentication/views/wecom.py:295
+#: authentication/views/wecom.py:236 authentication/views/wecom.py:290
 msgid "WeCom is not bound"
 msgstr "企業の微信をバインドしていません"
 
-#: authentication/views/wecom.py:242 authentication/views/wecom.py:296
+#: authentication/views/wecom.py:237 authentication/views/wecom.py:291
 msgid "Please login with a password and then bind the WeCom"
 msgstr "パスワードでログインしてからWeComをバインドしてください"
 
@@ -2577,10 +2586,6 @@ msgstr "M2Mリバースは許可されません"
 msgid "Is referenced by other objects and cannot be deleted"
 msgstr "他のオブジェクトによって参照され、削除できません。"
 
-#: common/exceptions.py:47
-msgid "This action require verify your MFA"
-msgstr "このアクションでは、MFAの確認が必要です。"
-
 #: common/exceptions.py:53
 msgid "Unexpect error occur"
 msgstr "予期しないエラーが発生します"
@@ -2670,11 +2675,11 @@ msgstr "特殊文字を含むべきではない"
 msgid "The mobile phone number format is incorrect"
 msgstr "携帯電話番号の形式が正しくありません"
 
-#: jumpserver/conf.py:303
+#: jumpserver/conf.py:304
 msgid "Create account successfully"
 msgstr "アカウントを正常に作成"
 
-#: jumpserver/conf.py:305
+#: jumpserver/conf.py:306
 msgid "Your account has been created successfully"
 msgstr "アカウントが正常に作成されました"
 
@@ -3037,35 +3042,35 @@ msgstr "クリップボードコピーペースト"
 msgid "From ticket"
 msgstr "チケットから"
 
-#: perms/notifications.py:17
+#: perms/notifications.py:18
 msgid "You permed assets is about to expire"
 msgstr "パーマ資産の有効期限が近づいています"
 
-#: perms/notifications.py:21
+#: perms/notifications.py:23
 msgid "permed assets"
 msgstr "パーマ資産"
 
-#: perms/notifications.py:59
+#: perms/notifications.py:62
 msgid "Asset permissions is about to expire"
 msgstr "資産権限の有効期限が近づいています"
 
-#: perms/notifications.py:63
+#: perms/notifications.py:67
 msgid "asset permissions of organization {}"
 msgstr "組織 {} の資産権限"
 
-#: perms/notifications.py:89
+#: perms/notifications.py:94
 msgid "Your permed applications is about to expire"
 msgstr "パーマアプリケーションの有効期限が近づいています"
 
-#: perms/notifications.py:92
+#: perms/notifications.py:98
 msgid "permed applications"
 msgstr "Permedアプリケーション"
 
-#: perms/notifications.py:127
+#: perms/notifications.py:134
 msgid "Application permissions is about to expire"
 msgstr "アプリケーション権限の有効期限が近づいています"
 
-#: perms/notifications.py:130
+#: perms/notifications.py:137
 msgid "application permissions of organization {}"
 msgstr "Organization {} のアプリケーション権限"
 
@@ -3123,14 +3128,18 @@ msgstr "システムユーザーの表示"
 
 #: perms/templates/perms/_msg_item_permissions_expire.html:7
 #: perms/templates/perms/_msg_permed_items_expire.html:7
-#, python-format
+#, fuzzy, python-format
+#| msgid ""
+#| "\n"
+#| "        The following %(item_type)s will expire in %(count)s days\n"
+#| "    "
 msgid ""
 "\n"
-"        The following %(item_type)s will expire in 3 days\n"
+"        The following %(item_type)s will expire in %%(count)s days\n"
 "    "
 msgstr ""
 "\n"
-"        次の %(item_type)s は3日以内に期限切れになります\n"
+"        次の %(item_type)s は %(count)s 日以内に期限切れになります\n"
 "    "
 
 #: perms/templates/perms/_msg_permed_items_expire.html:21
@@ -3141,6 +3150,10 @@ msgstr "質問があったら、管理者に連絡して下さい"
 msgid "My applications"
 msgstr "私のアプリケーション"
 
+#: perms/utils/asset/user_permission.py:620 rbac/tree.py:59
+msgid "My assets"
+msgstr "私の資産"
+
 #: rbac/api/role.py:34
 msgid "Internal role, can't be destroy"
 msgstr "内部の役割は、破壊することはできません"
@@ -3149,7 +3162,7 @@ msgstr "内部の役割は、破壊することはできません"
 msgid "The role has been bound to users, can't be destroy"
 msgstr "ロールはユーザーにバインドされており、破壊することはできません"
 
-#: rbac/api/role.py:45
+#: rbac/api/role.py:60
 msgid "Internal role, can't be update"
 msgstr "内部ロール、更新できません"
 
@@ -3328,10 +3341,6 @@ msgstr "資産の改ざん"
 msgid "Terminal setting"
 msgstr "ターミナル設定"
 
-#: rbac/tree.py:59
-msgid "My assets"
-msgstr "私の資産"
-
 #: rbac/tree.py:60
 msgid "My apps"
 msgstr "マイアプリ"
@@ -3597,8 +3606,8 @@ msgid ""
 "User attr map present how to map OpenID user attr to jumpserver, username,"
 "name,email is jumpserver attr"
 msgstr ""
-"ユーザー属性マッピングは、OpenIDのユーザー属性をjumpserverユーザーにマッピング"
-"する方法、username, name,emailはjumpserverのユーザーが必要とする属性です"
+"ユーザー属性マッピングは、OpenIDのユーザー属性をjumpserverユーザーにマッピン"
+"グする方法、username, name,emailはjumpserverのユーザーが必要とする属性です"
 
 #: settings/serializers/auth/oidc.py:44
 msgid "Use Keycloak"
@@ -4283,7 +4292,9 @@ msgid "Enable database proxy"
 msgstr "属性マップの有効化"
 
 #: settings/serializers/terminal.py:37
-msgid "Enable XRDP"
+#, fuzzy
+#| msgid "Enable XRDP"
+msgid "Enable Razor"
 msgstr "XRDPの有効化"
 
 #: settings/serializers/terminal.py:38
@@ -5700,27 +5711,27 @@ msgstr "最終更新日パスワード"
 msgid "Need update password"
 msgstr "更新パスワードが必要"
 
-#: users/models/user.py:885
+#: users/models/user.py:890
 msgid "Can invite user"
 msgstr "ユーザーを招待できます"
 
-#: users/models/user.py:886
+#: users/models/user.py:891
 msgid "Can remove user"
 msgstr "ユーザーを削除できます"
 
-#: users/models/user.py:887
+#: users/models/user.py:892
 msgid "Can match user"
 msgstr "ユーザーに一致できます"
 
-#: users/models/user.py:896
+#: users/models/user.py:901
 msgid "Administrator"
 msgstr "管理者"
 
-#: users/models/user.py:899
+#: users/models/user.py:904
 msgid "Administrator is the super user of system"
 msgstr "管理者はシステムのスーパーユーザーです"
 
-#: users/models/user.py:924
+#: users/models/user.py:929
 msgid "User password history"
 msgstr "ユーザーパスワード履歴"
 
@@ -6829,6 +6840,9 @@ msgstr "究極のエディション"
 msgid "Community edition"
 msgstr "コミュニティ版"
 
+#~ msgid "Please verify your password first"
+#~ msgstr "最初にパスワードを確認してください"
+
 #~ msgid "AccessKey ID"
 #~ msgstr "アクセスキーID"
 
diff --git a/apps/locale/zh/LC_MESSAGES/django.mo b/apps/locale/zh/LC_MESSAGES/django.mo
index 65a32959d..e5b16f047 100644
--- a/apps/locale/zh/LC_MESSAGES/django.mo
+++ b/apps/locale/zh/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:b03f7f9c1d450f8a3012330c00d084c88465d99e355c42ec10f568a8ffa7611c
-size 105357
+oid sha256:1ab23fa4d87b928318281150ff64d9c2e3782a9169a3c3e6907808b1be63dbc3
+size 105365
diff --git a/apps/locale/zh/LC_MESSAGES/django.po b/apps/locale/zh/LC_MESSAGES/django.po
index 8560a07ac..634bea865 100644
--- a/apps/locale/zh/LC_MESSAGES/django.po
+++ b/apps/locale/zh/LC_MESSAGES/django.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: JumpServer 0.3.3\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-05-31 16:02+0800\n"
+"POT-Creation-Date: 2022-06-14 15:48+0800\n"
 "PO-Revision-Date: 2021-05-20 10:54+0800\n"
 "Last-Translator: ibuler <ibuler@qq.com>\n"
 "Language-Team: JumpServer team<ibuler@qq.com>\n"
@@ -37,12 +37,12 @@ msgid "Name"
 msgstr "名称"
 
 #: acls/models/base.py:27 assets/models/cmd_filter.py:84
-#: assets/models/user.py:247 terminal/models/endpoint.py:62
+#: assets/models/user.py:251 terminal/models/endpoint.py:62
 msgid "Priority"
 msgstr "优先级"
 
 #: acls/models/base.py:28 assets/models/cmd_filter.py:84
-#: assets/models/user.py:247 terminal/models/endpoint.py:63
+#: assets/models/user.py:251 terminal/models/endpoint.py:63
 msgid "1-100, the lower the value will be match first"
 msgstr "优先级可选范围为 1-100 (数值越小越优先)"
 
@@ -92,8 +92,8 @@ msgstr "登录复核"
 #: terminal/backends/command/models.py:20
 #: terminal/backends/command/serializers.py:12 terminal/models/session.py:44
 #: terminal/notifications.py:91 terminal/notifications.py:139
-#: tickets/models/comment.py:17 users/const.py:14 users/models/user.py:883
-#: users/models/user.py:914 users/serializers/group.py:19
+#: tickets/models/comment.py:17 users/const.py:14 users/models/user.py:888
+#: users/models/user.py:919 users/serializers/group.py:19
 msgid "User"
 msgstr "用户"
 
@@ -128,7 +128,7 @@ msgstr "系统用户"
 #: assets/models/asset.py:386 assets/models/authbook.py:19
 #: assets/models/backup.py:31 assets/models/cmd_filter.py:38
 #: assets/models/gathered_user.py:14 assets/serializers/label.py:30
-#: assets/serializers/system_user.py:269 audits/models.py:39
+#: assets/serializers/system_user.py:268 audits/models.py:39
 #: perms/models/asset_permission.py:23 terminal/backends/command/models.py:21
 #: terminal/backends/command/serializers.py:13 terminal/models/session.py:46
 #: terminal/notifications.py:90
@@ -177,7 +177,7 @@ msgstr ""
 #: acls/serializers/login_asset_acl.py:31 acls/serializers/rules/rules.py:33
 #: applications/serializers/attrs/application_type/mysql_workbench.py:18
 #: assets/models/asset.py:210 assets/models/domain.py:60
-#: assets/serializers/account.py:14
+#: assets/serializers/account.py:13
 #: authentication/templates/authentication/_msg_oauth_bind.html:12
 #: authentication/templates/authentication/_msg_rest_password_success.html:8
 #: authentication/templates/authentication/_msg_rest_public_key_success.html:8
@@ -186,7 +186,7 @@ msgid "IP"
 msgstr "IP"
 
 #: acls/serializers/login_asset_acl.py:35 assets/models/asset.py:211
-#: assets/serializers/account.py:15 assets/serializers/gathered_user.py:23
+#: assets/serializers/account.py:14 assets/serializers/gathered_user.py:23
 #: settings/serializers/terminal.py:7
 msgid "Hostname"
 msgstr "主机名"
@@ -198,7 +198,7 @@ msgid ""
 msgstr "格式为逗号分隔的字符串, * 表示匹配所有. 可选的协议有： {}"
 
 #: acls/serializers/login_asset_acl.py:55 assets/models/asset.py:213
-#: assets/models/domain.py:62 assets/models/user.py:248
+#: assets/models/domain.py:62 assets/models/user.py:252
 #: terminal/serializers/session.py:30 terminal/serializers/storage.py:68
 msgid "Protocol"
 msgstr "协议"
@@ -260,7 +260,7 @@ msgid "Application"
 msgstr "应用程序"
 
 #: applications/models/account.py:15 assets/models/authbook.py:20
-#: assets/models/cmd_filter.py:42 assets/models/user.py:338 audits/models.py:40
+#: assets/models/cmd_filter.py:42 assets/models/user.py:342 audits/models.py:40
 #: perms/models/application_permission.py:33
 #: perms/models/asset_permission.py:25 terminal/backends/command/models.py:22
 #: terminal/backends/command/serializers.py:35 terminal/models/session.py:48
@@ -298,7 +298,7 @@ msgstr "类别"
 
 #: applications/models/application.py:222
 #: applications/serializers/application.py:101 assets/models/backup.py:49
-#: assets/models/cmd_filter.py:82 assets/models/user.py:246
+#: assets/models/cmd_filter.py:82 assets/models/user.py:250
 #: perms/models/application_permission.py:24
 #: perms/serializers/application/user_permission.py:34
 #: terminal/models/storage.py:57 terminal/models/storage.py:141
@@ -336,7 +336,7 @@ msgstr "类别名称"
 
 #: applications/serializers/application.py:71
 #: applications/serializers/application.py:102
-#: assets/serializers/cmd_filter.py:34 assets/serializers/system_user.py:29
+#: assets/serializers/cmd_filter.py:34 assets/serializers/system_user.py:34
 #: audits/serializers.py:29 perms/serializers/application/permission.py:19
 #: tickets/serializers/ticket/meta/ticket_type/apply_application.py:33
 #: tickets/serializers/ticket/ticket.py:21
@@ -348,17 +348,17 @@ msgstr "类型名称"
 #: assets/models/base.py:181 assets/models/cluster.py:26
 #: assets/models/domain.py:26 assets/models/gathered_user.py:19
 #: assets/models/group.py:22 assets/models/label.py:25
-#: assets/serializers/account.py:19 assets/serializers/cmd_filter.py:28
+#: assets/serializers/account.py:18 assets/serializers/cmd_filter.py:28
 #: assets/serializers/cmd_filter.py:48 common/db/models.py:113
 #: common/mixins/models.py:50 ops/models/adhoc.py:39 ops/models/command.py:30
 #: orgs/models.py:67 orgs/models.py:217 perms/models/base.py:92
-#: users/models/group.py:18 users/models/user.py:915
+#: users/models/group.py:18 users/models/user.py:920
 #: xpack/plugins/cloud/models.py:125
 msgid "Date created"
 msgstr "创建日期"
 
 #: applications/serializers/application.py:104 assets/models/base.py:182
-#: assets/models/gathered_user.py:20 assets/serializers/account.py:22
+#: assets/models/gathered_user.py:20 assets/serializers/account.py:21
 #: assets/serializers/cmd_filter.py:29 assets/serializers/cmd_filter.py:49
 #: common/db/models.py:114 common/mixins/models.py:51 ops/models/adhoc.py:40
 #: orgs/models.py:218
@@ -408,7 +408,7 @@ msgid "Application path"
 msgstr "应用路径"
 
 #: applications/serializers/attrs/application_category/remote_app.py:44
-#: assets/serializers/system_user.py:168
+#: assets/serializers/system_user.py:167
 #: xpack/plugins/change_auth_plan/serializers/asset.py:67
 #: xpack/plugins/change_auth_plan/serializers/asset.py:70
 #: xpack/plugins/change_auth_plan/serializers/asset.py:73
@@ -505,7 +505,7 @@ msgid "Internal"
 msgstr "内部的"
 
 #: assets/models/asset.py:162 assets/models/asset.py:216
-#: assets/serializers/account.py:16 assets/serializers/asset.py:63
+#: assets/serializers/account.py:15 assets/serializers/asset.py:63
 #: perms/serializers/asset/user_permission.py:43
 msgid "Platform"
 msgstr "系统平台"
@@ -566,13 +566,13 @@ msgstr "系统架构"
 msgid "Hostname raw"
 msgstr "主机名原始"
 
-#: assets/models/asset.py:215 assets/serializers/account.py:17
+#: assets/models/asset.py:215 assets/serializers/account.py:16
 #: assets/serializers/asset.py:65 perms/serializers/asset/user_permission.py:41
 #: xpack/plugins/cloud/models.py:107 xpack/plugins/cloud/serializers/task.py:42
 msgid "Protocols"
 msgstr "协议组"
 
-#: assets/models/asset.py:218 assets/models/user.py:238
+#: assets/models/asset.py:218 assets/models/user.py:242
 #: perms/models/asset_permission.py:24
 #: xpack/plugins/change_auth_plan/models/asset.py:43
 #: xpack/plugins/gathered_user/models.py:24
@@ -585,7 +585,7 @@ msgid "Is active"
 msgstr "激活"
 
 #: assets/models/asset.py:222 assets/models/cluster.py:19
-#: assets/models/user.py:235 assets/models/user.py:390
+#: assets/models/user.py:239 assets/models/user.py:394
 msgid "Admin user"
 msgstr "特权用户"
 
@@ -754,9 +754,9 @@ msgstr "可连接性"
 msgid "Date verified"
 msgstr "校验日期"
 
-#: assets/models/base.py:177 assets/serializers/base.py:14
-#: assets/serializers/base.py:36 audits/signal_handlers.py:48
-#: authentication/forms.py:32
+#: assets/models/base.py:177 assets/serializers/base.py:15
+#: assets/serializers/base.py:37 assets/serializers/system_user.py:29
+#: audits/signal_handlers.py:50 authentication/forms.py:32
 #: authentication/templates/authentication/login.html:182
 #: settings/serializers/auth/ldap.py:25 settings/serializers/auth/ldap.py:46
 #: users/forms/profile.py:22 users/serializers/user.py:92
@@ -771,7 +771,7 @@ msgstr "校验日期"
 msgid "Password"
 msgstr "密码"
 
-#: assets/models/base.py:178 assets/serializers/base.py:39
+#: assets/models/base.py:178 assets/serializers/base.py:41
 #: xpack/plugins/change_auth_plan/models/asset.py:53
 #: xpack/plugins/change_auth_plan/models/asset.py:130
 #: xpack/plugins/change_auth_plan/models/asset.py:206
@@ -818,7 +818,7 @@ msgid "Default"
 msgstr "默认"
 
 #: assets/models/cluster.py:36 assets/models/label.py:14 rbac/const.py:6
-#: users/models/user.py:900
+#: users/models/user.py:905
 msgid "System"
 msgstr "系统"
 
@@ -956,7 +956,7 @@ msgstr "全称"
 msgid "Parent key"
 msgstr "ssh私钥"
 
-#: assets/models/node.py:559 assets/serializers/system_user.py:268
+#: assets/models/node.py:559 assets/serializers/system_user.py:267
 #: xpack/plugins/cloud/models.py:96 xpack/plugins/cloud/serializers/task.py:69
 msgid "Node"
 msgstr "节点"
@@ -965,78 +965,78 @@ msgstr "节点"
 msgid "Can match node"
 msgstr "可以匹配节点"
 
-#: assets/models/user.py:229
+#: assets/models/user.py:233
 msgid "Automatic managed"
 msgstr "托管密码"
 
-#: assets/models/user.py:230
+#: assets/models/user.py:234
 msgid "Manually input"
 msgstr "手动输入"
 
-#: assets/models/user.py:234
+#: assets/models/user.py:238
 msgid "Common user"
 msgstr "普通用户"
 
-#: assets/models/user.py:237
+#: assets/models/user.py:241
 msgid "Username same with user"
 msgstr "用户名与用户相同"
 
-#: assets/models/user.py:240 assets/serializers/domain.py:30
+#: assets/models/user.py:244 assets/serializers/domain.py:30
 #: terminal/templates/terminal/_msg_command_execute_alert.html:16
 #: xpack/plugins/change_auth_plan/models/asset.py:39
 msgid "Assets"
 msgstr "资产"
 
-#: assets/models/user.py:244 users/apps.py:9
+#: assets/models/user.py:248 users/apps.py:9
 msgid "Users"
 msgstr "用户管理"
 
-#: assets/models/user.py:245
+#: assets/models/user.py:249
 msgid "User groups"
 msgstr "用户组"
 
-#: assets/models/user.py:249
+#: assets/models/user.py:253
 msgid "Auto push"
 msgstr "自动推送"
 
-#: assets/models/user.py:250
+#: assets/models/user.py:254
 msgid "Sudo"
 msgstr "Sudo"
 
-#: assets/models/user.py:251
+#: assets/models/user.py:255
 msgid "Shell"
 msgstr "Shell"
 
-#: assets/models/user.py:252
+#: assets/models/user.py:256
 msgid "Login mode"
 msgstr "认证方式"
 
-#: assets/models/user.py:253
+#: assets/models/user.py:257
 msgid "SFTP Root"
 msgstr "SFTP根路径"
 
-#: assets/models/user.py:254 assets/serializers/system_user.py:32
+#: assets/models/user.py:258 assets/serializers/system_user.py:37
 #: authentication/models.py:49
 msgid "Token"
 msgstr "Token"
 
-#: assets/models/user.py:255
+#: assets/models/user.py:259
 msgid "Home"
 msgstr "家目录"
 
-#: assets/models/user.py:256
+#: assets/models/user.py:260
 msgid "System groups"
 msgstr "用户组"
 
-#: assets/models/user.py:259
+#: assets/models/user.py:263
 msgid "User switch"
 msgstr "用户切换"
 
-#: assets/models/user.py:260
+#: assets/models/user.py:264
 msgid "Switch from"
 msgstr "切换自"
 
-#: assets/models/user.py:340
+#: assets/models/user.py:344
 msgid "Can match system user"
 msgstr "可以匹配系统用户"
 
@@ -1064,7 +1064,7 @@ msgstr ""
 "{} - 账号备份任务已完成: 未设置加密密码 - 请前往个人信息 -> 文件加密密码中设"
 "置加密密码"
 
-#: assets/serializers/account.py:41 assets/serializers/account.py:84
+#: assets/serializers/account.py:36 assets/serializers/account.py:79
 msgid "System user display"
 msgstr "系统用户名称"
 
@@ -1119,15 +1119,15 @@ msgstr "定时执行"
 msgid "Currently only mail sending is supported"
 msgstr "当前只支持邮件发送"
 
-#: assets/serializers/base.py:15 users/models/user.py:689
+#: assets/serializers/base.py:16 users/models/user.py:689
 msgid "Private key"
 msgstr "ssh私钥"
 
-#: assets/serializers/base.py:43
+#: assets/serializers/base.py:45
 msgid "Key password"
 msgstr "密钥密码"
 
-#: assets/serializers/base.py:56
+#: assets/serializers/base.py:58
 msgid "private key invalid or passphrase error"
 msgstr "密钥不合法或密钥密码错误"
 
@@ -1140,7 +1140,7 @@ msgid "Pattern"
 msgstr "模式"
 
 #: assets/serializers/domain.py:14 assets/serializers/label.py:12
-#: assets/serializers/system_user.py:64
+#: assets/serializers/system_user.py:63
 #: perms/serializers/asset/permission.py:49
 msgid "Assets amount"
 msgstr "资产数量"
@@ -1165,78 +1165,78 @@ msgstr "不能包含: /"
 msgid "The same level node name cannot be the same"
 msgstr "同级别节点名字不能重复"
 
-#: assets/serializers/system_user.py:30
+#: assets/serializers/system_user.py:35
 msgid "SSH key fingerprint"
 msgstr "密钥指纹"
 
-#: assets/serializers/system_user.py:35
+#: assets/serializers/system_user.py:40
 #: perms/serializers/application/permission.py:46
 msgid "Apps amount"
 msgstr "应用数量"
 
-#: assets/serializers/system_user.py:63
+#: assets/serializers/system_user.py:62
 #: perms/serializers/asset/permission.py:50
 msgid "Nodes amount"
 msgstr "节点数量"
 
-#: assets/serializers/system_user.py:65 assets/serializers/system_user.py:270
+#: assets/serializers/system_user.py:64 assets/serializers/system_user.py:269
 msgid "Login mode display"
 msgstr "认证方式名称"
 
-#: assets/serializers/system_user.py:67
+#: assets/serializers/system_user.py:66
 msgid "Ad domain"
 msgstr "Ad 网域"
 
-#: assets/serializers/system_user.py:68
+#: assets/serializers/system_user.py:67
 msgid "Is asset protocol"
 msgstr "资产协议"
 
-#: assets/serializers/system_user.py:69
+#: assets/serializers/system_user.py:68
 msgid "Only ssh and automatic login system users are supported"
 msgstr "仅支持ssh协议和自动登录的系统用户"
 
-#: assets/serializers/system_user.py:109
+#: assets/serializers/system_user.py:108
 msgid "Username same with user with protocol {} only allow 1"
 msgstr "用户名和用户相同的一种协议只允许存在一个"
 
-#: assets/serializers/system_user.py:122 common/validators.py:14
+#: assets/serializers/system_user.py:121 common/validators.py:14
 msgid "Special char not allowed"
 msgstr "不能包含特殊字符"
 
-#: assets/serializers/system_user.py:132
+#: assets/serializers/system_user.py:131
 msgid "* Automatic login mode must fill in the username."
 msgstr "自动登录模式，必须填写用户名"
 
-#: assets/serializers/system_user.py:147
+#: assets/serializers/system_user.py:146
 msgid "Path should starts with /"
 msgstr "路径应该以 / 开头"
 
-#: assets/serializers/system_user.py:159
+#: assets/serializers/system_user.py:158
 msgid "Password or private key required"
 msgstr "密码或密钥密码需要一个"
 
-#: assets/serializers/system_user.py:173
+#: assets/serializers/system_user.py:172
 msgid "Only ssh protocol system users are allowed"
 msgstr "仅允许ssh协议的系统用户"
 
-#: assets/serializers/system_user.py:177
+#: assets/serializers/system_user.py:176
 msgid "The protocol must be consistent with the current user: {}"
 msgstr "协议必须和当前用户保持一致: {}"
 
-#: assets/serializers/system_user.py:181
+#: assets/serializers/system_user.py:180
 msgid "Only system users with automatic login are allowed"
 msgstr "仅允许自动登录的系统用户"
 
-#: assets/serializers/system_user.py:289
+#: assets/serializers/system_user.py:288
 msgid "System user name"
 msgstr "系统用户名称"
 
-#: assets/serializers/system_user.py:290 orgs/mixins/serializers.py:26
+#: assets/serializers/system_user.py:289 orgs/mixins/serializers.py:26
 #: rbac/serializers/rolebinding.py:23
 msgid "Org name"
 msgstr "组织名称"
 
-#: assets/serializers/system_user.py:299
+#: assets/serializers/system_user.py:298
 msgid "Asset hostname"
 msgstr "资产主机名"
 
@@ -1301,24 +1301,24 @@ msgid ""
 "The task of self-checking is already running and cannot be started repeatedly"
 msgstr "自检程序已经在运行，不能重复启动"
 
-#: assets/tasks/push_system_user.py:200
+#: assets/tasks/push_system_user.py:201
 msgid "System user is dynamic: {}"
 msgstr "系统用户是动态的: {}"
 
-#: assets/tasks/push_system_user.py:241
+#: assets/tasks/push_system_user.py:242
 msgid "Start push system user for platform: [{}]"
 msgstr "推送系统用户到平台: [{}]"
 
-#: assets/tasks/push_system_user.py:242
+#: assets/tasks/push_system_user.py:243
 #: assets/tasks/system_user_connectivity.py:106
 msgid "Hosts count: {}"
 msgstr "主机数量: {}"
 
-#: assets/tasks/push_system_user.py:263 assets/tasks/push_system_user.py:296
+#: assets/tasks/push_system_user.py:264 assets/tasks/push_system_user.py:297
 msgid "Push system users to assets: "
 msgstr "推送系统用户到入资产: "
 
-#: assets/tasks/push_system_user.py:275
+#: assets/tasks/push_system_user.py:276
 msgid "Push system users to asset: "
 msgstr "推送系统用户到入资产: "
 
@@ -1550,202 +1550,214 @@ msgstr "运行用户名称"
 msgid "User display"
 msgstr "用户名称"
 
-#: audits/signal_handlers.py:47
+#: audits/signal_handlers.py:49
 msgid "SSH Key"
 msgstr "SSH 密钥"
 
-#: audits/signal_handlers.py:49
+#: audits/signal_handlers.py:51
 msgid "SSO"
 msgstr "SSO"
 
-#: audits/signal_handlers.py:50
+#: audits/signal_handlers.py:52
 msgid "Auth Token"
 msgstr "认证令牌"
 
-#: audits/signal_handlers.py:51 authentication/notifications.py:73
-#: authentication/views/login.py:164 authentication/views/wecom.py:182
+#: audits/signal_handlers.py:53 authentication/notifications.py:73
+#: authentication/views/login.py:164 authentication/views/wecom.py:177
 #: notifications/backends/__init__.py:11 users/models/user.py:720
 msgid "WeCom"
 msgstr "企业微信"
 
-#: audits/signal_handlers.py:52 authentication/views/dingtalk.py:183
+#: audits/signal_handlers.py:54 authentication/views/dingtalk.py:179
 #: authentication/views/login.py:170 notifications/backends/__init__.py:12
 #: users/models/user.py:721
 msgid "DingTalk"
 msgstr "钉钉"
 
-#: audits/signal_handlers.py:53 authentication/models.py:76
+#: audits/signal_handlers.py:55 authentication/models.py:76
 msgid "Temporary token"
 msgstr "临时密码"
 
-#: audits/signal_handlers.py:65
+#: audits/signal_handlers.py:67
 msgid "User and Group"
 msgstr "用户与用户组"
 
-#: audits/signal_handlers.py:66
+#: audits/signal_handlers.py:68
 #, python-brace-format
 msgid "{User} JOINED {UserGroup}"
 msgstr "{User} 加入 {UserGroup}"
 
-#: audits/signal_handlers.py:67
+#: audits/signal_handlers.py:69
 #, python-brace-format
 msgid "{User} LEFT {UserGroup}"
 msgstr "{User} 离开 {UserGroup}"
 
-#: audits/signal_handlers.py:70
+#: audits/signal_handlers.py:72
 msgid "Asset and SystemUser"
 msgstr "资产与系统用户"
 
-#: audits/signal_handlers.py:71
+#: audits/signal_handlers.py:73
 #, python-brace-format
 msgid "{Asset} ADD {SystemUser}"
 msgstr "{Asset} 添加 {SystemUser}"
 
-#: audits/signal_handlers.py:72
+#: audits/signal_handlers.py:74
 #, python-brace-format
 msgid "{Asset} REMOVE {SystemUser}"
 msgstr "{Asset} 移除 {SystemUser}"
 
-#: audits/signal_handlers.py:75
+#: audits/signal_handlers.py:77
 msgid "Node and Asset"
 msgstr "节点与资产"
 
-#: audits/signal_handlers.py:76
+#: audits/signal_handlers.py:78
 #, python-brace-format
 msgid "{Node} ADD {Asset}"
 msgstr "{Node} 添加 {Asset}"
 
-#: audits/signal_handlers.py:77
+#: audits/signal_handlers.py:79
 #, python-brace-format
 msgid "{Node} REMOVE {Asset}"
 msgstr "{Node} 移除 {Asset}"
 
-#: audits/signal_handlers.py:80
+#: audits/signal_handlers.py:82
 msgid "User asset permissions"
 msgstr "用户资产授权"
 
-#: audits/signal_handlers.py:81
+#: audits/signal_handlers.py:83
 #, python-brace-format
 msgid "{AssetPermission} ADD {User}"
 msgstr "{AssetPermission} 添加 {User}"
 
-#: audits/signal_handlers.py:82
+#: audits/signal_handlers.py:84
 #, python-brace-format
 msgid "{AssetPermission} REMOVE {User}"
 msgstr "{AssetPermission} 移除 {User}"
 
-#: audits/signal_handlers.py:85
+#: audits/signal_handlers.py:87
 msgid "User group asset permissions"
 msgstr "用户组资产授权"
 
-#: audits/signal_handlers.py:86
+#: audits/signal_handlers.py:88
 #, python-brace-format
 msgid "{AssetPermission} ADD {UserGroup}"
 msgstr "{AssetPermission} 添加 {UserGroup}"
 
-#: audits/signal_handlers.py:87
+#: audits/signal_handlers.py:89
 #, python-brace-format
 msgid "{AssetPermission} REMOVE {UserGroup}"
 msgstr "{AssetPermission} 移除 {UserGroup}"
 
-#: audits/signal_handlers.py:90 perms/models/asset_permission.py:29
+#: audits/signal_handlers.py:92 perms/models/asset_permission.py:29
 msgid "Asset permission"
 msgstr "资产授权"
 
-#: audits/signal_handlers.py:91
+#: audits/signal_handlers.py:93
 #, python-brace-format
 msgid "{AssetPermission} ADD {Asset}"
 msgstr "{AssetPermission} 添加 {Asset}"
 
-#: audits/signal_handlers.py:92
+#: audits/signal_handlers.py:94
 #, python-brace-format
 msgid "{AssetPermission} REMOVE {Asset}"
 msgstr "{AssetPermission} 移除 {Asset}"
 
-#: audits/signal_handlers.py:95
+#: audits/signal_handlers.py:97
 msgid "Node permission"
 msgstr "节点授权"
 
-#: audits/signal_handlers.py:96
+#: audits/signal_handlers.py:98
 #, python-brace-format
 msgid "{AssetPermission} ADD {Node}"
 msgstr "{AssetPermission} 添加 {Node}"
 
-#: audits/signal_handlers.py:97
+#: audits/signal_handlers.py:99
 #, python-brace-format
 msgid "{AssetPermission} REMOVE {Node}"
 msgstr "{AssetPermission} 移除 {Node}"
 
-#: audits/signal_handlers.py:100
+#: audits/signal_handlers.py:102
 msgid "Asset permission and SystemUser"
 msgstr "资产授权与系统用户"
 
-#: audits/signal_handlers.py:101
+#: audits/signal_handlers.py:103
 #, python-brace-format
 msgid "{AssetPermission} ADD {SystemUser}"
 msgstr "{AssetPermission} 添加 {SystemUser}"
 
-#: audits/signal_handlers.py:102
+#: audits/signal_handlers.py:104
 #, python-brace-format
 msgid "{AssetPermission} REMOVE {SystemUser}"
 msgstr "{AssetPermission} 移除 {SystemUser}"
 
-#: audits/signal_handlers.py:105
+#: audits/signal_handlers.py:107
 msgid "User application permissions"
 msgstr "用户应用授权"
 
-#: audits/signal_handlers.py:106
+#: audits/signal_handlers.py:108
 #, python-brace-format
 msgid "{ApplicationPermission} ADD {User}"
 msgstr "{ApplicationPermission} 添加 {User}"
 
-#: audits/signal_handlers.py:107
+#: audits/signal_handlers.py:109
 #, python-brace-format
 msgid "{ApplicationPermission} REMOVE {User}"
 msgstr "{ApplicationPermission} 移除 {User}"
 
-#: audits/signal_handlers.py:110
+#: audits/signal_handlers.py:112
 msgid "User group application permissions"
 msgstr "用户组应用授权"
 
-#: audits/signal_handlers.py:111
+#: audits/signal_handlers.py:113
 #, python-brace-format
 msgid "{ApplicationPermission} ADD {UserGroup}"
 msgstr "{ApplicationPermission} 添加 {UserGroup}"
 
-#: audits/signal_handlers.py:112
+#: audits/signal_handlers.py:114
 #, python-brace-format
 msgid "{ApplicationPermission} REMOVE {UserGroup}"
 msgstr "{ApplicationPermission} 移除 {UserGroup}"
 
-#: audits/signal_handlers.py:115 perms/models/application_permission.py:38
+#: audits/signal_handlers.py:117 perms/models/application_permission.py:38
 msgid "Application permission"
 msgstr "应用授权"
 
-#: audits/signal_handlers.py:116
+#: audits/signal_handlers.py:118
 #, python-brace-format
 msgid "{ApplicationPermission} ADD {Application}"
 msgstr "{ApplicationPermission} 添加 {Application}"
 
-#: audits/signal_handlers.py:117
+#: audits/signal_handlers.py:119
 #, python-brace-format
 msgid "{ApplicationPermission} REMOVE {Application}"
 msgstr "{ApplicationPermission} 移除 {Application}"
 
-#: audits/signal_handlers.py:120
+#: audits/signal_handlers.py:122
 msgid "Application permission and SystemUser"
 msgstr "应用授权与系统用户"
 
-#: audits/signal_handlers.py:121
+#: audits/signal_handlers.py:123
 #, python-brace-format
 msgid "{ApplicationPermission} ADD {SystemUser}"
 msgstr "{ApplicationPermission} 添加 {SystemUser}"
 
-#: audits/signal_handlers.py:122
+#: audits/signal_handlers.py:124
 #, python-brace-format
 msgid "{ApplicationPermission} REMOVE {SystemUser}"
 msgstr "{ApplicationPermission} 移除 {SystemUser}"
 
+#: authentication/api/confirm.py:40
+msgid "Authentication failed password incorrect"
+msgstr "认证失败 (用户名或密码不正确): {}"
+
+#: authentication/api/confirm.py:48
+msgid "Login time has exceeded {} minutes, please login again"
+msgstr ""
+
+#: authentication/api/confirm.py:72 common/exceptions.py:47
+msgid "This action require verify your MFA"
+msgstr "这个操作需要验证 MFA"
+
 #: authentication/api/connection_token.py:326
 msgid "Invalid token"
 msgstr "无效的令牌"
@@ -2178,7 +2190,7 @@ msgstr "代码错误"
 #: authentication/templates/authentication/_msg_reset_password.html:3
 #: authentication/templates/authentication/_msg_rest_password_success.html:2
 #: authentication/templates/authentication/_msg_rest_public_key_success.html:2
-#: jumpserver/conf.py:304 ops/tasks.py:145 ops/tasks.py:148
+#: jumpserver/conf.py:305 ops/tasks.py:145 ops/tasks.py:148
 #: perms/templates/perms/_msg_item_permissions_expire.html:3
 #: perms/templates/perms/_msg_permed_items_expire.html:3
 #: tickets/templates/tickets/approve_check_password.html:23
@@ -2312,54 +2324,49 @@ msgstr "返回"
 msgid "Copy success"
 msgstr "复制成功"
 
-#: authentication/views/dingtalk.py:40
+#: authentication/views/dingtalk.py:41
 msgid "DingTalk Error, Please contact your system administrator"
 msgstr "钉钉错误，请联系系统管理员"
 
-#: authentication/views/dingtalk.py:43
+#: authentication/views/dingtalk.py:44
 msgid "DingTalk Error"
 msgstr "钉钉错误"
 
-#: authentication/views/dingtalk.py:55 authentication/views/feishu.py:50
+#: authentication/views/dingtalk.py:56 authentication/views/feishu.py:50
 #: authentication/views/wecom.py:55
 msgid ""
 "The system configuration is incorrect. Please contact your administrator"
 msgstr "企业配置错误，请联系系统管理员"
 
-#: authentication/views/dingtalk.py:79
+#: authentication/views/dingtalk.py:80
 msgid "DingTalk is already bound"
 msgstr "钉钉已经绑定"
 
-#: authentication/views/dingtalk.py:128 authentication/views/feishu.py:99
-#: authentication/views/wecom.py:128
-msgid "Please verify your password first"
-msgstr "请检查密码"
-
-#: authentication/views/dingtalk.py:152 authentication/views/wecom.py:152
+#: authentication/views/dingtalk.py:148 authentication/views/wecom.py:147
 msgid "Invalid user_id"
 msgstr "无效的 user_id"
 
-#: authentication/views/dingtalk.py:168
+#: authentication/views/dingtalk.py:164
 msgid "DingTalk query user failed"
 msgstr "钉钉查询用户失败"
 
-#: authentication/views/dingtalk.py:177
+#: authentication/views/dingtalk.py:173
 msgid "The DingTalk is already bound to another user"
 msgstr "该钉钉已经绑定其他用户"
 
-#: authentication/views/dingtalk.py:184
+#: authentication/views/dingtalk.py:180
 msgid "Binding DingTalk successfully"
 msgstr "绑定 钉钉 成功"
 
-#: authentication/views/dingtalk.py:240 authentication/views/dingtalk.py:294
+#: authentication/views/dingtalk.py:236 authentication/views/dingtalk.py:290
 msgid "Failed to get user from DingTalk"
 msgstr "从钉钉获取用户失败"
 
-#: authentication/views/dingtalk.py:246 authentication/views/dingtalk.py:300
+#: authentication/views/dingtalk.py:242 authentication/views/dingtalk.py:296
 msgid "DingTalk is not bound"
 msgstr "钉钉没有绑定"
 
-#: authentication/views/dingtalk.py:247 authentication/views/dingtalk.py:301
+#: authentication/views/dingtalk.py:243 authentication/views/dingtalk.py:297
 msgid "Please login with a password and then bind the DingTalk"
 msgstr "请使用密码登录，然后绑定钉钉"
 
@@ -2371,32 +2378,32 @@ msgstr "飞书错误"
 msgid "FeiShu is already bound"
 msgstr "飞书已经绑定"
 
-#: authentication/views/feishu.py:133
+#: authentication/views/feishu.py:128
 msgid "FeiShu query user failed"
 msgstr "飞书查询用户失败"
 
-#: authentication/views/feishu.py:142
+#: authentication/views/feishu.py:137
 msgid "The FeiShu is already bound to another user"
 msgstr "该飞书已经绑定其他用户"
 
-#: authentication/views/feishu.py:148 authentication/views/login.py:176
+#: authentication/views/feishu.py:143 authentication/views/login.py:176
 #: notifications/backends/__init__.py:14 users/models/user.py:722
 msgid "FeiShu"
 msgstr "飞书"
 
-#: authentication/views/feishu.py:149
+#: authentication/views/feishu.py:144
 msgid "Binding FeiShu successfully"
 msgstr "绑定 飞书 成功"
 
-#: authentication/views/feishu.py:201
+#: authentication/views/feishu.py:196
 msgid "Failed to get user from FeiShu"
 msgstr "从飞书获取用户失败"
 
-#: authentication/views/feishu.py:207
+#: authentication/views/feishu.py:202
 msgid "FeiShu is not bound"
 msgstr "没有绑定飞书"
 
-#: authentication/views/feishu.py:208
+#: authentication/views/feishu.py:203
 msgid "Please login with a password and then bind the FeiShu"
 msgstr "请使用密码登录，然后绑定飞书"
 
@@ -2444,27 +2451,27 @@ msgstr "企业微信错误"
 msgid "WeCom is already bound"
 msgstr "企业微信已经绑定"
 
-#: authentication/views/wecom.py:167
+#: authentication/views/wecom.py:162
 msgid "WeCom query user failed"
 msgstr "企业微信查询用户失败"
 
-#: authentication/views/wecom.py:176
+#: authentication/views/wecom.py:171
 msgid "The WeCom is already bound to another user"
 msgstr "该企业微信已经绑定其他用户"
 
-#: authentication/views/wecom.py:183
+#: authentication/views/wecom.py:178
 msgid "Binding WeCom successfully"
 msgstr "绑定 企业微信 成功"
 
-#: authentication/views/wecom.py:235 authentication/views/wecom.py:289
+#: authentication/views/wecom.py:230 authentication/views/wecom.py:284
 msgid "Failed to get user from WeCom"
 msgstr "从企业微信获取用户失败"
 
-#: authentication/views/wecom.py:241 authentication/views/wecom.py:295
+#: authentication/views/wecom.py:236 authentication/views/wecom.py:290
 msgid "WeCom is not bound"
 msgstr "没有绑定企业微信"
 
-#: authentication/views/wecom.py:242 authentication/views/wecom.py:296
+#: authentication/views/wecom.py:237 authentication/views/wecom.py:291
 msgid "Please login with a password and then bind the WeCom"
 msgstr "请使用密码登录，然后绑定企业微信"
 
@@ -2547,10 +2554,6 @@ msgstr "多对多反向是不被允许的"
 msgid "Is referenced by other objects and cannot be deleted"
 msgstr "被其他对象关联，不能删除"
 
-#: common/exceptions.py:47
-msgid "This action require verify your MFA"
-msgstr "这个操作需要验证 MFA"
-
 #: common/exceptions.py:53
 msgid "Unexpect error occur"
 msgstr "发生意外错误"
@@ -2640,11 +2643,11 @@ msgstr "不能包含特殊字符"
 msgid "The mobile phone number format is incorrect"
 msgstr "手机号格式不正确"
 
-#: jumpserver/conf.py:303
+#: jumpserver/conf.py:304
 msgid "Create account successfully"
 msgstr "创建账号成功"
 
-#: jumpserver/conf.py:305
+#: jumpserver/conf.py:306
 msgid "Your account has been created successfully"
 msgstr "你的账号已创建成功"
 
@@ -3001,35 +3004,35 @@ msgstr "剪贴板复制粘贴"
 msgid "From ticket"
 msgstr "来自工单"
 
-#: perms/notifications.py:17
+#: perms/notifications.py:18
 msgid "You permed assets is about to expire"
 msgstr "你授权的资产即将到期"
 
-#: perms/notifications.py:21
+#: perms/notifications.py:23
 msgid "permed assets"
 msgstr "授权的资产"
 
-#: perms/notifications.py:59
+#: perms/notifications.py:62
 msgid "Asset permissions is about to expire"
 msgstr "资产授权规则将要过期"
 
-#: perms/notifications.py:63
+#: perms/notifications.py:67
 msgid "asset permissions of organization {}"
 msgstr "组织 ({}) 的资产授权"
 
-#: perms/notifications.py:89
+#: perms/notifications.py:94
 msgid "Your permed applications is about to expire"
 msgstr "你授权的应用即将过期"
 
-#: perms/notifications.py:92
+#: perms/notifications.py:98
 msgid "permed applications"
 msgstr "授权的应用"
 
-#: perms/notifications.py:127
+#: perms/notifications.py:134
 msgid "Application permissions is about to expire"
 msgstr "应用授权规则即将过期"
 
-#: perms/notifications.py:130
+#: perms/notifications.py:137
 msgid "application permissions of organization {}"
 msgstr "组织 ({}) 的应用授权"
 
@@ -3085,14 +3088,13 @@ msgstr "系统用户名称"
 
 #: perms/templates/perms/_msg_item_permissions_expire.html:7
 #: perms/templates/perms/_msg_permed_items_expire.html:7
-#, python-format
 msgid ""
 "\n"
-"        The following %(item_type)s will expire in 3 days\n"
+"        The following %(item_type)s will expire in %(count)s days\n"
 "    "
 msgstr ""
 "\n"
-"        以下 %(item_type)s 即将在 3 天后过期\n"
+"        以下 %(item_type)s 即将在 %(count)s 天后过期\n"
 "    "
 
 #: perms/templates/perms/_msg_permed_items_expire.html:21
@@ -3103,6 +3105,10 @@ msgstr "如果有疑问或需求，请联系系统管理员"
 msgid "My applications"
 msgstr "我的应用"
 
+#: perms/utils/asset/user_permission.py:620 rbac/tree.py:59
+msgid "My assets"
+msgstr "我的资产"
+
 #: rbac/api/role.py:34
 msgid "Internal role, can't be destroy"
 msgstr "内部角色，不能删除"
@@ -3111,7 +3117,7 @@ msgstr "内部角色，不能删除"
 msgid "The role has been bound to users, can't be destroy"
 msgstr "角色已绑定用户，不能删除"
 
-#: rbac/api/role.py:45
+#: rbac/api/role.py:60
 msgid "Internal role, can't be update"
 msgstr "内部角色，不能更新"
 
@@ -3289,10 +3295,6 @@ msgstr "资产改密"
 msgid "Terminal setting"
 msgstr "终端设置"
 
-#: rbac/tree.py:59
-msgid "My assets"
-msgstr "我的资产"
-
 #: rbac/tree.py:60
 msgid "My apps"
 msgstr "我的应用"
@@ -4221,7 +4223,7 @@ msgid "Enable database proxy"
 msgstr "启用数据库组件"
 
 #: settings/serializers/terminal.py:37
-msgid "Enable XRDP"
+msgid "Enable Razor"
 msgstr "启用 XRDP 服务"
 
 #: settings/serializers/terminal.py:38
@@ -5622,27 +5624,27 @@ msgstr "最后更新密码日期"
 msgid "Need update password"
 msgstr "需要更新密码"
 
-#: users/models/user.py:885
+#: users/models/user.py:890
 msgid "Can invite user"
 msgstr "可以邀请用户"
 
-#: users/models/user.py:886
+#: users/models/user.py:891
 msgid "Can remove user"
 msgstr "可以移除用户"
 
-#: users/models/user.py:887
+#: users/models/user.py:892
 msgid "Can match user"
 msgstr "可以匹配用户"
 
-#: users/models/user.py:896
+#: users/models/user.py:901
 msgid "Administrator"
 msgstr "管理员"
 
-#: users/models/user.py:899
+#: users/models/user.py:904
 msgid "Administrator is the super user of system"
 msgstr "Administrator是初始的超级管理员"
 
-#: users/models/user.py:924
+#: users/models/user.py:929
 msgid "User password history"
 msgstr "用户密码历史"
 
@@ -6737,6 +6739,9 @@ msgstr "旗舰版"
 msgid "Community edition"
 msgstr "社区版"
 
+#~ msgid "Please verify your password first"
+#~ msgstr "请检查密码"
+
 #~ msgid "AccessKey ID"
 #~ msgstr "Access key ID"
 
diff --git a/apps/locale/zh/LC_MESSAGES/djangojs.po b/apps/locale/zh/LC_MESSAGES/djangojs.po
index 0cae14858..deddcbe25 100644
--- a/apps/locale/zh/LC_MESSAGES/djangojs.po
+++ b/apps/locale/zh/LC_MESSAGES/djangojs.po
@@ -3,7 +3,6 @@
 # This file is distributed under the same license as the PACKAGE package.
 # FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
 #
-#, fuzzy
 msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
diff --git a/apps/perms/notifications.py b/apps/perms/notifications.py
index 54d3f188e..4a7baf318 100644
--- a/apps/perms/notifications.py
+++ b/apps/perms/notifications.py
@@ -9,14 +9,16 @@ from notifications.notifications import UserMessage
 
 
 class PermedAssetsWillExpireUserMsg(UserMessage):
-    def __init__(self, user, assets):
+    def __init__(self, user, assets, day_count=0):
         super().__init__(user)
         self.assets = assets
+        self.count = day_count
 
     def get_html_msg(self) -> dict:
         subject = _("You permed assets is about to expire")
         context = {
             'name': self.user.name,
+            'day_count': self.day_count,
             'items': [str(asset) for asset in self.assets],
             'item_type': _("permed assets"),
             'show_help': True
@@ -38,10 +40,11 @@ class PermedAssetsWillExpireUserMsg(UserMessage):
 
 class AssetPermsWillExpireForOrgAdminMsg(UserMessage):
 
-    def __init__(self, user, perms, org):
+    def __init__(self, user, perms, org, day_count=0):
         super().__init__(user)
         self.perms = perms
         self.org = org
+        self.count = day_count
 
     def get_items_with_url(self):
         items_with_url = []
@@ -59,6 +62,7 @@ class AssetPermsWillExpireForOrgAdminMsg(UserMessage):
         subject = _("Asset permissions is about to expire")
         context = {
             'name': self.user.name,
+            'day_count': self.day_count,
             'items_with_url': items_with_url,
             'item_type': _('asset permissions of organization {}').format(self.org)
         }
@@ -81,14 +85,16 @@ class AssetPermsWillExpireForOrgAdminMsg(UserMessage):
 
 
 class PermedAppsWillExpireUserMsg(UserMessage):
-    def __init__(self, user, apps):
+    def __init__(self, user, apps, day_count=0):
         super().__init__(user)
         self.apps = apps
+        self.count = day_count
 
     def get_html_msg(self) -> dict:
         subject = _("Your permed applications is about to expire")
         context = {
             'name': self.user.name,
+            'day_count': self.day_count,
             'item_type': _('permed applications'),
             'items': [str(app) for app in self.apps]
         }
@@ -109,10 +115,11 @@ class PermedAppsWillExpireUserMsg(UserMessage):
 
 
 class AppPermsWillExpireForOrgAdminMsg(UserMessage):
-    def __init__(self, user, perms, org):
+    def __init__(self, user, perms, org, day_count=0):
         super().__init__(user)
         self.perms = perms
         self.org = org
+        self.count = day_count
 
     def get_items_with_url(self):
         items_with_url = []
diff --git a/apps/perms/tasks.py b/apps/perms/tasks.py
index 2f5edafed..237eac5ac 100644
--- a/apps/perms/tasks.py
+++ b/apps/perms/tasks.py
@@ -63,8 +63,8 @@ def check_asset_permission_will_expired():
     start = local_now()
     end = start + timedelta(days=3)
 
-    user_asset_mapper = defaultdict(set)
-    org_perm_mapper = defaultdict(set)
+    user_asset_remain_day_mapper = defaultdict(dict)
+    org_perm_remain_day_mapper = defaultdict(dict)
 
     asset_perms = AssetPermission.objects.filter(
         date_expired__gte=start,
@@ -72,23 +72,35 @@ def check_asset_permission_will_expired():
     ).distinct()
 
     for asset_perm in asset_perms:
+        date_expired = dt_parser(asset_perm.date_expired)
+        remain_days = (end - date_expired).days
+
+        org = asset_perm.org
         # 资产授权按照组织分类
-        org_perm_mapper[asset_perm.org].add(asset_perm)
+        if org in org_perm_remain_day_mapper[remain_days]:
+            org_perm_remain_day_mapper[remain_days][org].add(asset_perm)
+        else:
+            org_perm_remain_day_mapper[remain_days][org] = set()
 
         # 计算每个用户即将过期的资产
         users = asset_perm.get_all_users()
         assets = asset_perm.get_all_assets()
 
         for u in users:
-            user_asset_mapper[u].update(assets)
+            if u in user_asset_remain_day_mapper[remain_days]:
+                user_asset_remain_day_mapper[remain_days][u].update(assets)
+            else:
+                user_asset_remain_day_mapper[remain_days][u] = set()
 
-    for user, assets in user_asset_mapper.items():
-        PermedAssetsWillExpireUserMsg(user, assets).publish_async()
+    for day_count, user_asset_mapper in user_asset_remain_day_mapper.items():
+        for user, assets in user_asset_mapper.items():
+            PermedAssetsWillExpireUserMsg(user, assets, day_count).publish_async()
 
-    for org, perms in org_perm_mapper.items():
-        org_admins = org.admins.all()
-        for org_admin in org_admins:
-            AssetPermsWillExpireForOrgAdminMsg(org_admin, perms, org).publish_async()
+    for day_count, org_perm_mapper in org_perm_remain_day_mapper.items():
+        for org, perms in org_perm_mapper.items():
+            org_admins = org.admins.all()
+            for org_admin in org_admins:
+                AssetPermsWillExpireForOrgAdminMsg(org_admin, perms, org, day_count).publish_async()
 
 
 @register_as_period_task(crontab='0 10 * * *')
@@ -104,21 +116,33 @@ def check_app_permission_will_expired():
         date_expired__lte=end
     ).distinct()
 
-    user_app_mapper = defaultdict(set)
-    org_perm_mapper = defaultdict(set)
+    user_app_remain_day_mapper = defaultdict(dict)
+    org_perm_remain_day_mapper = defaultdict(dict)
 
     for app_perm in app_perms:
-        org_perm_mapper[app_perm.org].add(app_perm)
+        date_expired = dt_parser(app_perm.date_expired)
+        remain_days = (end - date_expired).days
+
+        org = app_perm.org
+        if org in org_perm_remain_day_mapper[remain_days]:
+            org_perm_remain_day_mapper[remain_days][org].add(app_perm)
+        else:
+            org_perm_remain_day_mapper[remain_days][org] = set()
 
         users = app_perm.get_all_users()
         apps = app_perm.applications.all()
         for u in users:
-            user_app_mapper[u].update(apps)
+            if u in user_app_remain_day_mapper[remain_days]:
+                user_app_remain_day_mapper[remain_days][u].update(apps)
+            else:
+                user_app_remain_day_mapper[remain_days][u] = set()
 
-    for user, apps in user_app_mapper.items():
-        PermedAppsWillExpireUserMsg(user, apps).publish_async()
+    for day_count, user_app_mapper in user_app_remain_day_mapper.items():
+        for user, apps in user_app_mapper.items():
+            PermedAppsWillExpireUserMsg(user, apps, day_count).publish_async()
 
-    for org, perms in org_perm_mapper.items():
-        org_admins = org.admins.all()
-        for org_admin in org_admins:
-            AppPermsWillExpireForOrgAdminMsg(org_admin, perms, org).publish_async()
+    for day_count, org_perm_mapper in org_perm_remain_day_mapper.items():
+        for org, perms in org_perm_mapper.items():
+            org_admins = org.admins.all()
+            for org_admin in org_admins:
+                AppPermsWillExpireForOrgAdminMsg(org_admin, perms, org, day_count).publish_async()
diff --git a/apps/perms/templates/perms/_msg_item_permissions_expire.html b/apps/perms/templates/perms/_msg_item_permissions_expire.html
index 139f958b3..aab2a3650 100644
--- a/apps/perms/templates/perms/_msg_item_permissions_expire.html
+++ b/apps/perms/templates/perms/_msg_item_permissions_expire.html
@@ -5,7 +5,7 @@
 
 <p>
     {% blocktranslate %}
-        The following {{ item_type }} will expire in 3 days
+        The following {{ item_type }} will expire in %(count)s days
     {% endblocktranslate %}
 </p>
 
diff --git a/apps/perms/templates/perms/_msg_permed_items_expire.html b/apps/perms/templates/perms/_msg_permed_items_expire.html
index f50c59933..1e5ae7b18 100644
--- a/apps/perms/templates/perms/_msg_permed_items_expire.html
+++ b/apps/perms/templates/perms/_msg_permed_items_expire.html
@@ -5,7 +5,7 @@
 
 <p>
     {% blocktranslate %}
-        The following {{ item_type }} will expire in 3 days
+        The following {{ item_type }} will expire in %(count)s days
     {% endblocktranslate %}
 </p>
 

From 2aebfa51b2ec29456fbdd9cea45d18ddca773c2b Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Tue, 14 Jun 2022 18:04:53 +0800
Subject: [PATCH 158/258] =?UTF-8?q?fix:=20=E8=BF=87=E6=BB=A4=E7=B3=BB?=
 =?UTF-8?q?=E7=BB=9F=E7=94=A8=E6=88=B7=E5=AF=86=E7=A0=81=E8=BF=87=E6=BB=A4?=
 =?UTF-8?q?ansible=E4=B8=8D=E6=94=AF=E6=8C=81=E7=9A=84=E5=AD=97=E7=AC=A6?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/assets/serializers/base.py        |  4 ++--
 apps/assets/serializers/system_user.py |  4 ++--
 apps/assets/serializers/utils.py       | 10 +++++++++-
 3 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/apps/assets/serializers/base.py b/apps/assets/serializers/base.py
index 92cc65f19..2c5e579b6 100644
--- a/apps/assets/serializers/base.py
+++ b/apps/assets/serializers/base.py
@@ -8,7 +8,7 @@ from rest_framework import serializers
 from common.utils import ssh_pubkey_gen, ssh_private_key_gen, validate_ssh_private_key
 from common.drf.fields import EncryptedField
 from assets.models import Type
-from .utils import validate_password_contains_left_double_curly_bracket
+from .utils import validate_password_for_ansible
 
 
 class AuthSerializer(serializers.ModelSerializer):
@@ -35,7 +35,7 @@ class AuthSerializer(serializers.ModelSerializer):
 class AuthSerializerMixin(serializers.ModelSerializer):
     password = EncryptedField(
         label=_('Password'), required=False, allow_blank=True, allow_null=True, max_length=1024,
-        validators=[validate_password_contains_left_double_curly_bracket]
+        validators=[validate_password_for_ansible]
     )
     private_key = EncryptedField(
         label=_('SSH private key'), required=False, allow_blank=True, allow_null=True, max_length=4096
diff --git a/apps/assets/serializers/system_user.py b/apps/assets/serializers/system_user.py
index 68ade0ebd..54aff3e82 100644
--- a/apps/assets/serializers/system_user.py
+++ b/apps/assets/serializers/system_user.py
@@ -9,7 +9,7 @@ from common.drf.serializers import SecretReadableMixin
 from common.validators import alphanumeric_re, alphanumeric_cn_re, alphanumeric_win_re
 from orgs.mixins.serializers import BulkOrgResourceModelSerializer
 from ..models import SystemUser, Asset
-from .utils import validate_password_contains_left_double_curly_bracket
+from .utils import validate_password_for_ansible
 from .base import AuthSerializerMixin
 
 __all__ = [
@@ -27,7 +27,7 @@ class SystemUserSerializer(AuthSerializerMixin, BulkOrgResourceModelSerializer):
     """
     password = EncryptedField(
         label=_('Password'), required=False, allow_blank=True, allow_null=True, max_length=1024,
-        trim_whitespace=False, validators=[validate_password_contains_left_double_curly_bracket],
+        trim_whitespace=False, validators=[validate_password_for_ansible],
         write_only=True
     )
     auto_generate_key = serializers.BooleanField(initial=True, required=False, write_only=True)
diff --git a/apps/assets/serializers/utils.py b/apps/assets/serializers/utils.py
index 9110a9978..52527e723 100644
--- a/apps/assets/serializers/utils.py
+++ b/apps/assets/serializers/utils.py
@@ -2,8 +2,16 @@ from django.utils.translation import ugettext_lazy as _
 from rest_framework import serializers
 
 
-def validate_password_contains_left_double_curly_bracket(password):
+def validate_password_for_ansible(password):
+    """ 校验 Ansible 不支持的特殊字符 """
     # validate password contains left double curly bracket
     # check password not contains `{{`
+    # Ansible 推送的时候不支持
     if '{{' in password:
         raise serializers.ValidationError(_('Password can not contains `{{` '))
+    # Ansible Windows 推送的时候不支持
+    if "'" in password:
+        raise serializers.ValidationError(_("Password can not contains `'` "))
+    if '"' in password:
+        raise serializers.ValidationError(_('Password can not contains `"` '))
+

From 2414f34a5a9713bf3cf33da3e9de2d4507112d25 Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Tue, 14 Jun 2022 19:59:00 +0800
Subject: [PATCH 159/258] =?UTF-8?q?perf:=20=E4=BC=98=E5=8C=96=20apt=20(#83?=
 =?UTF-8?q?98)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* pref: 修改 oracle lib path

* perf: 优化 apt

Co-authored-by: ibuler <ibuler@qq.com>
---
 Dockerfile | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index dfbfbe0eb..de4022338 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -29,11 +29,12 @@ ARG TOOLS="                           \
     redis-tools                       \
     telnet                            \
     vim                               \
+    unzip                               \
     wget"
 
 RUN sed -i 's/deb.debian.org/mirrors.aliyun.com/g' /etc/apt/sources.list \
     && sed -i 's/security.debian.org/mirrors.aliyun.com/g' /etc/apt/sources.list \
-    && apt update \
+    && apt update && sleep 1 && apt update \
     && apt -y install ${BUILD_DEPENDENCIES} \
     && apt -y install ${DEPENDENCIES} \
     && apt -y install ${TOOLS} \
@@ -47,12 +48,19 @@ RUN sed -i 's/deb.debian.org/mirrors.aliyun.com/g' /etc/apt/sources.list \
     && mv /bin/sh /bin/sh.bak  \
     && ln -s /bin/bash /bin/sh
 
+ARG TARGETARCH
+ARG ORACLE_LIB_MAJOR=19
+ARG ORACLE_LIB_MINOR=10
+ENV ORACLE_FILE="instantclient-basiclite-linux.${TARGETARCH:-amd64}-${ORACLE_LIB_MAJOR}.${ORACLE_LIB_MINOR}.0.0.0dbru.zip"
+
 RUN mkdir -p /opt/oracle/ \
-    && wget https://download.jumpserver.org/public/instantclient-basiclite-linux.x64-21.1.0.0.0.tar \
-    && tar xf instantclient-basiclite-linux.x64-21.1.0.0.0.tar -C /opt/oracle/ \
-    && echo "/opt/oracle/instantclient_21_1" > /etc/ld.so.conf.d/oracle-instantclient.conf \
+    && cd /opt/oracle/ \
+    && wget https://download.jumpserver.org/files/oracle/${ORACLE_FILE} \
+    && unzip instantclient-basiclite-linux.${TARGETARCH-amd64}-19.10.0.0.0dbru.zip \
+    && mv instantclient_${ORACLE_LIB_MAJOR}_${ORACLE_LIB_MINOR} instantclient \
+    && echo "/opt/oracle/instantclient" > /etc/ld.so.conf.d/oracle-instantclient.conf \
     && ldconfig \
-    && rm -f instantclient-basiclite-linux.x64-21.1.0.0.0.tar
+    && rm -f ${ORACLE_FILE}
 
 WORKDIR /tmp/build
 COPY ./requirements ./requirements

From e0a2d03f447e1eeac8afcf6bd51a5d5f37798c8c Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Wed, 15 Jun 2022 15:01:56 +0800
Subject: [PATCH 160/258] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=E6=8E=88?=
 =?UTF-8?q?=E6=9D=83=E8=BF=87=E6=9C=9F=E9=80=9A=E7=9F=A5bug=20(#8404)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: feng626 <1304903146@qq.com>
---
 apps/perms/notifications.py | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/apps/perms/notifications.py b/apps/perms/notifications.py
index 4a7baf318..a6316eb8a 100644
--- a/apps/perms/notifications.py
+++ b/apps/perms/notifications.py
@@ -12,13 +12,13 @@ class PermedAssetsWillExpireUserMsg(UserMessage):
     def __init__(self, user, assets, day_count=0):
         super().__init__(user)
         self.assets = assets
-        self.count = day_count
+        self.day_count = day_count
 
     def get_html_msg(self) -> dict:
         subject = _("You permed assets is about to expire")
         context = {
             'name': self.user.name,
-            'day_count': self.day_count,
+            'count': self.day_count,
             'items': [str(asset) for asset in self.assets],
             'item_type': _("permed assets"),
             'show_help': True
@@ -44,7 +44,7 @@ class AssetPermsWillExpireForOrgAdminMsg(UserMessage):
         super().__init__(user)
         self.perms = perms
         self.org = org
-        self.count = day_count
+        self.day_count = day_count
 
     def get_items_with_url(self):
         items_with_url = []
@@ -62,7 +62,7 @@ class AssetPermsWillExpireForOrgAdminMsg(UserMessage):
         subject = _("Asset permissions is about to expire")
         context = {
             'name': self.user.name,
-            'day_count': self.day_count,
+            'count': self.day_count,
             'items_with_url': items_with_url,
             'item_type': _('asset permissions of organization {}').format(self.org)
         }
@@ -88,13 +88,13 @@ class PermedAppsWillExpireUserMsg(UserMessage):
     def __init__(self, user, apps, day_count=0):
         super().__init__(user)
         self.apps = apps
-        self.count = day_count
+        self.day_count = day_count
 
     def get_html_msg(self) -> dict:
         subject = _("Your permed applications is about to expire")
         context = {
             'name': self.user.name,
-            'day_count': self.day_count,
+            'count': self.day_count,
             'item_type': _('permed applications'),
             'items': [str(app) for app in self.apps]
         }
@@ -119,7 +119,7 @@ class AppPermsWillExpireForOrgAdminMsg(UserMessage):
         super().__init__(user)
         self.perms = perms
         self.org = org
-        self.count = day_count
+        self.day_count = day_count
 
     def get_items_with_url(self):
         items_with_url = []
@@ -134,6 +134,7 @@ class AppPermsWillExpireForOrgAdminMsg(UserMessage):
         subject = _('Application permissions is about to expire')
         context = {
             'name': self.user.name,
+            'count': self.day_count,
             'item_type': _('application permissions of organization {}').format(self.org),
             'items_with_url': items
         }

From a882ca0d5143800022cb4ee43299fddb1edce79a Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Wed, 15 Jun 2022 15:15:54 +0800
Subject: [PATCH 161/258] =?UTF-8?q?fix:=20=E4=BF=AE=E6=94=B9=E6=8E=A8?=
 =?UTF-8?q?=E9=80=81=E7=B3=BB=E7=BB=9F=E7=94=A8=E6=88=B7=E6=8F=90=E7=A4=BA?=
 =?UTF-8?q?=E6=96=87=E6=A1=88?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/assets/tasks/push_system_user.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/assets/tasks/push_system_user.py b/apps/assets/tasks/push_system_user.py
index ee4af0fd5..cd32d8e15 100644
--- a/apps/assets/tasks/push_system_user.py
+++ b/apps/assets/tasks/push_system_user.py
@@ -274,7 +274,7 @@ def push_system_user_a_asset_manual(system_user, asset, username=None):
     # if username is None:
     #     username = system_user.username
     task_name = gettext_noop("Push system users to asset: ") + "{}({}) => {}".format(
-        system_user.name, username, asset
+        system_user.name, username or '', asset
     )
     return push_system_user_util(system_user, [asset], task_name=task_name, username=username)
 

From 75c011f1c526c0424319e03a7d7147a3d4d99bce Mon Sep 17 00:00:00 2001
From: feng626 <1304903146@qq.com>
Date: Wed, 15 Jun 2022 15:27:13 +0800
Subject: [PATCH 162/258] feat: add client linux arm64 version

---
 apps/templates/resource_download.html | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/apps/templates/resource_download.html b/apps/templates/resource_download.html
index 57570eb8e..dddb1143c 100644
--- a/apps/templates/resource_download.html
+++ b/apps/templates/resource_download.html
@@ -22,7 +22,8 @@ p {
         <ul>
             <li> <a href="/download/JumpServer-Client-Installer-x86_64.msi">jumpserver-client-windows-x86_64.msi</a></li>
             <li> <a href="/download/JumpServer-Client-Installer.dmg">jumpserver-client-darwin.dmg</a></li>
-            <li> <a href="/download/JumpServer-Client-Installer.run">jumpserver-client-linux.run</a></li>
+            <li> <a href="/download/JumpServer-Client-Installer-amd64.run">jumpserver-client-linux-amd64.run</a></li>
+            <li> <a href="/download/JumpServer-Client-Installer-arm64.run">jumpserver-client-linux-arm64.run</a></li>
         </ul>
     </div>
 

From 10adb4e6b776cedea8eed4704385251ba27c277b Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Wed, 15 Jun 2022 10:31:20 +0800
Subject: [PATCH 163/258] =?UTF-8?q?perf:=20=E4=BC=98=E5=8C=96=E7=AD=BE?=
 =?UTF-8?q?=E5=90=8D=E8=AE=A4=E8=AF=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/authentication/backends/drf.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/authentication/backends/drf.py b/apps/authentication/backends/drf.py
index 595ae35b6..10c191b1b 100644
--- a/apps/authentication/backends/drf.py
+++ b/apps/authentication/backends/drf.py
@@ -198,6 +198,6 @@ class SignatureAuthentication(signature.SignatureAuthentication):
                 return None, None
             user, secret = key.user, str(key.secret)
             return user, secret
-        except AccessKey.DoesNotExist:
+        except (AccessKey.DoesNotExist, exceptions.ValidationError):
             return None, None
 

From 8c839784fb10f203a69479e23c78462579994fcc Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Wed, 15 Jun 2022 15:13:51 +0800
Subject: [PATCH 164/258] =?UTF-8?q?pref:=20=E4=BC=98=E5=8C=96=E6=B2=A1?=
 =?UTF-8?q?=E6=9C=89=E8=8E=B7=E5=8F=96=E5=88=B0=E8=8A=82=E7=82=B9=E7=9A=84?=
 =?UTF-8?q?=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/perms/tree/app.py | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/apps/perms/tree/app.py b/apps/perms/tree/app.py
index 0b74c1e9b..6a6d6c74f 100644
--- a/apps/perms/tree/app.py
+++ b/apps/perms/tree/app.py
@@ -36,6 +36,22 @@ class GrantedAppTreeUtil:
         })
         return node
 
+    @staticmethod
+    def create_empty_node():
+        name = _("Empty")
+        node = TreeNode(**{
+            'id': 'empty',
+            'name': name,
+            'title': name,
+            'pId': '',
+            'isParent': True,
+            'children': [],
+            'meta': {
+                'type': 'application'
+            }
+        })
+        return node
+
     @staticmethod
     def get_children_nodes(tree_id, parent_info, user):
         tree_nodes = []
@@ -61,7 +77,7 @@ class GrantedAppTreeUtil:
     def create_tree_nodes(self, applications):
         tree_nodes = []
         if not applications:
-            return tree_nodes
+            return [self.create_empty_node()]
 
         root_node = self.create_root_node()
         organizations = self.filter_organizations(applications)

From 9e16b79abe07ed35e69d687fdd32fdb0c6f3289a Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Wed, 15 Jun 2022 19:27:51 +0800
Subject: [PATCH 165/258] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8Dopenid?=
 =?UTF-8?q?=E7=94=A8=E6=88=B7=E7=99=BB=E5=BD=95=E6=97=B6=E9=BB=98=E8=AE=A4?=
 =?UTF-8?q?=E9=82=AE=E4=BB=B6=E5=90=8E=E7=BC=80=E4=BD=BF=E7=94=A8=E9=85=8D?=
 =?UTF-8?q?=E7=BD=AE=E9=A1=B9?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/authentication/backends/oidc/backends.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/authentication/backends/oidc/backends.py b/apps/authentication/backends/oidc/backends.py
index ec5765510..9866e84f3 100644
--- a/apps/authentication/backends/oidc/backends.py
+++ b/apps/authentication/backends/oidc/backends.py
@@ -46,7 +46,7 @@ class UserMixin:
         for field, attr in settings.AUTH_OPENID_USER_ATTR_MAP.items():
             user_attrs[field] = claims.get(attr, sub)
         email = user_attrs.get('email', '')
-        email = construct_user_email(user_attrs.get('username'), email, 'jumpserver.openid')
+        email = construct_user_email(user_attrs.get('username'), email)
         user_attrs.update({'email': email})
 
         logger.debug(log_prompt.format(user_attrs))

From a024f267684c1f36dc8d2ed0e514da59000be7c7 Mon Sep 17 00:00:00 2001
From: feng626 <1304903146@qq.com>
Date: Thu, 16 Jun 2022 10:35:32 +0800
Subject: [PATCH 166/258] =?UTF-8?q?fix:=20=E6=8E=88=E6=9D=83=E8=BF=87?=
 =?UTF-8?q?=E6=9C=9F=E6=B6=88=E6=81=AF=E6=8F=90=E7=A4=BA?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/locale/ja/LC_MESSAGES/django.mo          |  4 +-
 apps/locale/ja/LC_MESSAGES/django.po          | 60 ++++++++++---------
 apps/locale/zh/LC_MESSAGES/django.mo          |  4 +-
 apps/locale/zh/LC_MESSAGES/django.po          | 53 ++++++++++------
 .../perms/_msg_item_permissions_expire.html   |  2 +-
 .../perms/_msg_permed_items_expire.html       |  2 +-
 6 files changed, 73 insertions(+), 52 deletions(-)

diff --git a/apps/locale/ja/LC_MESSAGES/django.mo b/apps/locale/ja/LC_MESSAGES/django.mo
index 50947cea2..d528ec14b 100644
--- a/apps/locale/ja/LC_MESSAGES/django.mo
+++ b/apps/locale/ja/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:8a0e0ef94fd1cf5b3d41c378b54e8af2fb502c7f1e9d6a3e54084e8113978561
-size 127495
+oid sha256:f3bc03d3cc4de571f20944b3db7e9d89ffac34cd261bc9bbabc8d3d41e4157a5
+size 128122
diff --git a/apps/locale/ja/LC_MESSAGES/django.po b/apps/locale/ja/LC_MESSAGES/django.po
index 11310178e..d3859856a 100644
--- a/apps/locale/ja/LC_MESSAGES/django.po
+++ b/apps/locale/ja/LC_MESSAGES/django.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-06-14 15:48+0800\n"
+"POT-Creation-Date: 2022-06-16 10:20+0800\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -665,7 +665,7 @@ msgstr "すべて"
 #: assets/models/backup.py:52 assets/serializers/backup.py:32
 #: xpack/plugins/change_auth_plan/models/app.py:41
 #: xpack/plugins/change_auth_plan/models/asset.py:62
-#: xpack/plugins/change_auth_plan/serializers/base.py:49
+#: xpack/plugins/change_auth_plan/serializers/base.py:45
 msgid "Recipient"
 msgstr "受信者"
 
@@ -708,7 +708,7 @@ msgstr "アカウントのバックアップスナップショット"
 
 #: assets/models/backup.py:116 assets/serializers/backup.py:40
 #: xpack/plugins/change_auth_plan/models/base.py:125
-#: xpack/plugins/change_auth_plan/serializers/base.py:82
+#: xpack/plugins/change_auth_plan/serializers/base.py:78
 msgid "Trigger mode"
 msgstr "トリガーモード"
 
@@ -770,8 +770,8 @@ msgstr "確認済みの日付"
 #: xpack/plugins/change_auth_plan/models/base.py:42
 #: xpack/plugins/change_auth_plan/models/base.py:121
 #: xpack/plugins/change_auth_plan/models/base.py:196
-#: xpack/plugins/change_auth_plan/serializers/base.py:22
-#: xpack/plugins/change_auth_plan/serializers/base.py:77
+#: xpack/plugins/change_auth_plan/serializers/base.py:21
+#: xpack/plugins/change_auth_plan/serializers/base.py:73
 #: xpack/plugins/cloud/serializers/account_attrs.py:26
 msgid "Password"
 msgstr "パスワード"
@@ -1118,12 +1118,12 @@ msgstr "アクション"
 
 #: assets/serializers/backup.py:31 ops/mixin.py:106 ops/mixin.py:147
 #: settings/serializers/auth/ldap.py:65
-#: xpack/plugins/change_auth_plan/serializers/base.py:47
+#: xpack/plugins/change_auth_plan/serializers/base.py:43
 msgid "Periodic perform"
 msgstr "定期的なパフォーマンス"
 
 #: assets/serializers/backup.py:33
-#: xpack/plugins/change_auth_plan/serializers/base.py:50
+#: xpack/plugins/change_auth_plan/serializers/base.py:46
 msgid "Currently only mail sending is supported"
 msgstr "現在、メール送信のみがサポートされています"
 
@@ -1248,10 +1248,18 @@ msgstr "組織名"
 msgid "Asset hostname"
 msgstr "資産ホスト名"
 
-#: assets/serializers/utils.py:9
+#: assets/serializers/utils.py:11
 msgid "Password can not contains `{{` "
 msgstr "パスワードには '{{' を含まない"
 
+#: assets/serializers/utils.py:14
+msgid "Password can not contains `'` "
+msgstr "パスワードには '{{' を含まない"
+
+#: assets/serializers/utils.py:16
+msgid "Password can not contains `\"` "
+msgstr "パスワードには '{{' を含まない"
+
 #: assets/tasks/account_connectivity.py:30
 msgid "The asset {} system platform {} does not support run Ansible tasks"
 msgstr ""
@@ -1759,8 +1767,6 @@ msgid "{ApplicationPermission} REMOVE {SystemUser}"
 msgstr "{ApplicationPermission} 削除 {SystemUser}"
 
 #: authentication/api/confirm.py:40
-#, fuzzy
-#| msgid "Authentication failed (username or password incorrect): {}"
 msgid "Authentication failed password incorrect"
 msgstr "認証に失敗しました (ユーザー名またはパスワードが正しくありません): {}"
 
@@ -3070,7 +3076,7 @@ msgstr "Permedアプリケーション"
 msgid "Application permissions is about to expire"
 msgstr "アプリケーション権限の有効期限が近づいています"
 
-#: perms/notifications.py:137
+#: perms/notifications.py:138
 msgid "application permissions of organization {}"
 msgstr "Organization {} のアプリケーション権限"
 
@@ -3128,14 +3134,10 @@ msgstr "システムユーザーの表示"
 
 #: perms/templates/perms/_msg_item_permissions_expire.html:7
 #: perms/templates/perms/_msg_permed_items_expire.html:7
-#, fuzzy, python-format
-#| msgid ""
-#| "\n"
-#| "        The following %(item_type)s will expire in %(count)s days\n"
-#| "    "
+#, python-format
 msgid ""
 "\n"
-"        The following %(item_type)s will expire in %%(count)s days\n"
+"        The following %(item_type)s will expire in %(count)s days\n"
 "    "
 msgstr ""
 "\n"
@@ -3150,6 +3152,10 @@ msgstr "質問があったら、管理者に連絡して下さい"
 msgid "My applications"
 msgstr "私のアプリケーション"
 
+#: perms/tree/app.py:41
+msgid "Empty"
+msgstr "空"
+
 #: perms/utils/asset/user_permission.py:620 rbac/tree.py:59
 msgid "My assets"
 msgstr "私の資産"
@@ -4292,8 +4298,6 @@ msgid "Enable database proxy"
 msgstr "属性マップの有効化"
 
 #: settings/serializers/terminal.py:37
-#, fuzzy
-#| msgid "Enable XRDP"
 msgid "Enable Razor"
 msgstr "XRDPの有効化"
 
@@ -4564,7 +4568,7 @@ msgstr "ホームページ"
 msgid "Cancel"
 msgstr "キャンセル"
 
-#: templates/resource_download.html:18 templates/resource_download.html:30
+#: templates/resource_download.html:18 templates/resource_download.html:31
 msgid "Client"
 msgstr "クライアント"
 
@@ -4577,15 +4581,15 @@ msgstr ""
 "るために使用されており、現在はRDP SSHクライアントのみをサポートしています。"
 "「Telnetは将来的にサポートする"
 
-#: templates/resource_download.html:30
+#: templates/resource_download.html:31
 msgid "Microsoft"
 msgstr "マイクロソフト"
 
-#: templates/resource_download.html:30
+#: templates/resource_download.html:31
 msgid "Official"
 msgstr "公式"
 
-#: templates/resource_download.html:32
+#: templates/resource_download.html:33
 msgid ""
 "macOS needs to download the client to connect RDP asset, which comes with "
 "Windows"
@@ -4593,11 +4597,11 @@ msgstr ""
 "MacOSは、Windowsに付属のRDPアセットを接続するためにクライアントをダウンロード"
 "する必要があります"
 
-#: templates/resource_download.html:41
+#: templates/resource_download.html:42
 msgid "Windows Remote application publisher tools"
 msgstr "Windowsリモートアプリケーション発行者ツール"
 
-#: templates/resource_download.html:42
+#: templates/resource_download.html:43
 msgid ""
 "Jmservisor is the program used to pull up remote applications in Windows "
 "Remote Application publisher"
@@ -6281,15 +6285,15 @@ msgstr "パスワードの変更"
 msgid "Change SSH Key"
 msgstr "SSHキーの変更"
 
-#: xpack/plugins/change_auth_plan/serializers/base.py:48
+#: xpack/plugins/change_auth_plan/serializers/base.py:44
 msgid "Run times"
 msgstr "実行時間"
 
-#: xpack/plugins/change_auth_plan/serializers/base.py:62
+#: xpack/plugins/change_auth_plan/serializers/base.py:58
 msgid "* Please enter the correct password length"
 msgstr "* 正しいパスワードの長さを入力してください"
 
-#: xpack/plugins/change_auth_plan/serializers/base.py:65
+#: xpack/plugins/change_auth_plan/serializers/base.py:61
 msgid "* Password length range 6-30 bits"
 msgstr "* パスワードの長さの範囲6-30ビット"
 
diff --git a/apps/locale/zh/LC_MESSAGES/django.mo b/apps/locale/zh/LC_MESSAGES/django.mo
index e5b16f047..80cdf63bd 100644
--- a/apps/locale/zh/LC_MESSAGES/django.mo
+++ b/apps/locale/zh/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:1ab23fa4d87b928318281150ff64d9c2e3782a9169a3c3e6907808b1be63dbc3
-size 105365
+oid sha256:db8f93ff4f52dd61dd019fa9f615eb0bef6cfcf6fc0db01a08db7e2f86ca8c82
+size 105699
diff --git a/apps/locale/zh/LC_MESSAGES/django.po b/apps/locale/zh/LC_MESSAGES/django.po
index 634bea865..c0ce1706c 100644
--- a/apps/locale/zh/LC_MESSAGES/django.po
+++ b/apps/locale/zh/LC_MESSAGES/django.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: JumpServer 0.3.3\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-06-14 15:48+0800\n"
+"POT-Creation-Date: 2022-06-16 10:20+0800\n"
 "PO-Revision-Date: 2021-05-20 10:54+0800\n"
 "Last-Translator: ibuler <ibuler@qq.com>\n"
 "Language-Team: JumpServer team<ibuler@qq.com>\n"
@@ -660,7 +660,7 @@ msgstr "全部"
 #: assets/models/backup.py:52 assets/serializers/backup.py:32
 #: xpack/plugins/change_auth_plan/models/app.py:41
 #: xpack/plugins/change_auth_plan/models/asset.py:62
-#: xpack/plugins/change_auth_plan/serializers/base.py:49
+#: xpack/plugins/change_auth_plan/serializers/base.py:45
 msgid "Recipient"
 msgstr "收件人"
 
@@ -703,7 +703,7 @@ msgstr "账号备份快照"
 
 #: assets/models/backup.py:116 assets/serializers/backup.py:40
 #: xpack/plugins/change_auth_plan/models/base.py:125
-#: xpack/plugins/change_auth_plan/serializers/base.py:82
+#: xpack/plugins/change_auth_plan/serializers/base.py:78
 msgid "Trigger mode"
 msgstr "触发模式"
 
@@ -765,8 +765,8 @@ msgstr "校验日期"
 #: xpack/plugins/change_auth_plan/models/base.py:42
 #: xpack/plugins/change_auth_plan/models/base.py:121
 #: xpack/plugins/change_auth_plan/models/base.py:196
-#: xpack/plugins/change_auth_plan/serializers/base.py:22
-#: xpack/plugins/change_auth_plan/serializers/base.py:77
+#: xpack/plugins/change_auth_plan/serializers/base.py:21
+#: xpack/plugins/change_auth_plan/serializers/base.py:73
 #: xpack/plugins/cloud/serializers/account_attrs.py:26
 msgid "Password"
 msgstr "密码"
@@ -1110,12 +1110,12 @@ msgstr "动作"
 
 #: assets/serializers/backup.py:31 ops/mixin.py:106 ops/mixin.py:147
 #: settings/serializers/auth/ldap.py:65
-#: xpack/plugins/change_auth_plan/serializers/base.py:47
+#: xpack/plugins/change_auth_plan/serializers/base.py:43
 msgid "Periodic perform"
 msgstr "定时执行"
 
 #: assets/serializers/backup.py:33
-#: xpack/plugins/change_auth_plan/serializers/base.py:50
+#: xpack/plugins/change_auth_plan/serializers/base.py:46
 msgid "Currently only mail sending is supported"
 msgstr "当前只支持邮件发送"
 
@@ -1240,10 +1240,22 @@ msgstr "组织名称"
 msgid "Asset hostname"
 msgstr "资产主机名"
 
-#: assets/serializers/utils.py:9
+#: assets/serializers/utils.py:11
 msgid "Password can not contains `{{` "
 msgstr "密码不能包含 `{{` 字符"
 
+#: assets/serializers/utils.py:14
+#, fuzzy
+#| msgid "Password can not contains `{{` "
+msgid "Password can not contains `'` "
+msgstr "密码不能包含 `{{` 字符"
+
+#: assets/serializers/utils.py:16
+#, fuzzy
+#| msgid "Password can not contains `{{` "
+msgid "Password can not contains `\"` "
+msgstr "密码不能包含 `{{` 字符"
+
 #: assets/tasks/account_connectivity.py:30
 msgid "The asset {} system platform {} does not support run Ansible tasks"
 msgstr "资产 {} 系统平台 {} 不支持运行 Ansible 任务"
@@ -3032,7 +3044,7 @@ msgstr "授权的应用"
 msgid "Application permissions is about to expire"
 msgstr "应用授权规则即将过期"
 
-#: perms/notifications.py:137
+#: perms/notifications.py:138
 msgid "application permissions of organization {}"
 msgstr "组织 ({}) 的应用授权"
 
@@ -3088,6 +3100,7 @@ msgstr "系统用户名称"
 
 #: perms/templates/perms/_msg_item_permissions_expire.html:7
 #: perms/templates/perms/_msg_permed_items_expire.html:7
+#, python-format
 msgid ""
 "\n"
 "        The following %(item_type)s will expire in %(count)s days\n"
@@ -3105,6 +3118,10 @@ msgstr "如果有疑问或需求，请联系系统管理员"
 msgid "My applications"
 msgstr "我的应用"
 
+#: perms/tree/app.py:41
+msgid "Empty"
+msgstr "空"
+
 #: perms/utils/asset/user_permission.py:620 rbac/tree.py:59
 msgid "My assets"
 msgstr "我的资产"
@@ -4488,7 +4505,7 @@ msgstr "首页"
 msgid "Cancel"
 msgstr "取消"
 
-#: templates/resource_download.html:18 templates/resource_download.html:30
+#: templates/resource_download.html:18 templates/resource_download.html:31
 msgid "Client"
 msgstr "客户端"
 
@@ -4500,25 +4517,25 @@ msgstr ""
 "JumpServer 客户端，目前用来唤起 特定客户端程序 连接资产, 目前仅支持 RDP SSH "
 "客户端，Telnet 会在未来支持"
 
-#: templates/resource_download.html:30
+#: templates/resource_download.html:31
 msgid "Microsoft"
 msgstr "微软"
 
-#: templates/resource_download.html:30
+#: templates/resource_download.html:31
 msgid "Official"
 msgstr "官方"
 
-#: templates/resource_download.html:32
+#: templates/resource_download.html:33
 msgid ""
 "macOS needs to download the client to connect RDP asset, which comes with "
 "Windows"
 msgstr "macOS 需要下载客户端来连接 RDP 资产，Windows 系统默认安装了该程序"
 
-#: templates/resource_download.html:41
+#: templates/resource_download.html:42
 msgid "Windows Remote application publisher tools"
 msgstr "Windows 远程应用发布服务器工具"
 
-#: templates/resource_download.html:42
+#: templates/resource_download.html:43
 msgid ""
 "Jmservisor is the program used to pull up remote applications in Windows "
 "Remote Application publisher"
@@ -6181,15 +6198,15 @@ msgstr "更改密码"
 msgid "Change SSH Key"
 msgstr "修改 SSH Key"
 
-#: xpack/plugins/change_auth_plan/serializers/base.py:48
+#: xpack/plugins/change_auth_plan/serializers/base.py:44
 msgid "Run times"
 msgstr "执行次数"
 
-#: xpack/plugins/change_auth_plan/serializers/base.py:62
+#: xpack/plugins/change_auth_plan/serializers/base.py:58
 msgid "* Please enter the correct password length"
 msgstr "* 请输入正确的密码长度"
 
-#: xpack/plugins/change_auth_plan/serializers/base.py:65
+#: xpack/plugins/change_auth_plan/serializers/base.py:61
 msgid "* Password length range 6-30 bits"
 msgstr "* 密码长度范围 6-30 位"
 
diff --git a/apps/perms/templates/perms/_msg_item_permissions_expire.html b/apps/perms/templates/perms/_msg_item_permissions_expire.html
index aab2a3650..9a9dc8244 100644
--- a/apps/perms/templates/perms/_msg_item_permissions_expire.html
+++ b/apps/perms/templates/perms/_msg_item_permissions_expire.html
@@ -5,7 +5,7 @@
 
 <p>
     {% blocktranslate %}
-        The following {{ item_type }} will expire in %(count)s days
+        The following {{ item_type }} will expire in {{ count }} days
     {% endblocktranslate %}
 </p>
 
diff --git a/apps/perms/templates/perms/_msg_permed_items_expire.html b/apps/perms/templates/perms/_msg_permed_items_expire.html
index 1e5ae7b18..f4229b7eb 100644
--- a/apps/perms/templates/perms/_msg_permed_items_expire.html
+++ b/apps/perms/templates/perms/_msg_permed_items_expire.html
@@ -5,7 +5,7 @@
 
 <p>
     {% blocktranslate %}
-        The following {{ item_type }} will expire in %(count)s days
+        The following {{ item_type }} will expire in {{ count }} days
     {% endblocktranslate %}
 </p>
 

From 4c2274b14e7873bb84d326d4210970ddac15f27f Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Thu, 16 Jun 2022 11:18:27 +0800
Subject: [PATCH 167/258] =?UTF-8?q?fix:=20=E4=BF=AE=E6=94=B9=E7=BF=BB?=
 =?UTF-8?q?=E8=AF=91?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/locale/ja/LC_MESSAGES/django.mo |  4 ++--
 apps/locale/ja/LC_MESSAGES/django.po | 22 +++-------------------
 apps/locale/zh/LC_MESSAGES/django.mo |  4 ++--
 apps/locale/zh/LC_MESSAGES/django.po | 24 +++---------------------
 4 files changed, 10 insertions(+), 44 deletions(-)

diff --git a/apps/locale/ja/LC_MESSAGES/django.mo b/apps/locale/ja/LC_MESSAGES/django.mo
index d528ec14b..4618d1b80 100644
--- a/apps/locale/ja/LC_MESSAGES/django.mo
+++ b/apps/locale/ja/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:f3bc03d3cc4de571f20944b3db7e9d89ffac34cd261bc9bbabc8d3d41e4157a5
-size 128122
+oid sha256:449dcbd8e4b4f133d45e01642bb42a20477b09309d2b916f1aff9e854e6864e8
+size 128120
diff --git a/apps/locale/ja/LC_MESSAGES/django.po b/apps/locale/ja/LC_MESSAGES/django.po
index d3859856a..c79aac704 100644
--- a/apps/locale/ja/LC_MESSAGES/django.po
+++ b/apps/locale/ja/LC_MESSAGES/django.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-06-16 10:20+0800\n"
+"POT-Creation-Date: 2022-06-16 11:12+0800\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -1254,11 +1254,11 @@ msgstr "パスワードには '{{' を含まない"
 
 #: assets/serializers/utils.py:14
 msgid "Password can not contains `'` "
-msgstr "パスワードには '{{' を含まない"
+msgstr "パスワードには `'` を含まない"
 
 #: assets/serializers/utils.py:16
 msgid "Password can not contains `\"` "
-msgstr "パスワードには '{{' を含まない"
+msgstr "パスワードには `\"` を含まない"
 
 #: assets/tasks/account_connectivity.py:30
 msgid "The asset {} system platform {} does not support run Ansible tasks"
@@ -6843,19 +6843,3 @@ msgstr "究極のエディション"
 #: xpack/plugins/license/models.py:77
 msgid "Community edition"
 msgstr "コミュニティ版"
-
-#~ msgid "Please verify your password first"
-#~ msgstr "最初にパスワードを確認してください"
-
-#~ msgid "AccessKey ID"
-#~ msgstr "アクセスキーID"
-
-#~ msgid "Unknown ip"
-#~ msgstr "不明なip"
-
-#~ msgid ""
-#~ "Windows needs to download the client to connect SSH assets, and the MacOS "
-#~ "system uses its own terminal"
-#~ msgstr ""
-#~ "WindowsはクライアントをダウンロードしてSSH資産に接続する必要があり、macOS"
-#~ "システムは独自のTerminalを採用している。"
diff --git a/apps/locale/zh/LC_MESSAGES/django.mo b/apps/locale/zh/LC_MESSAGES/django.mo
index 80cdf63bd..a35dad64a 100644
--- a/apps/locale/zh/LC_MESSAGES/django.mo
+++ b/apps/locale/zh/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:db8f93ff4f52dd61dd019fa9f615eb0bef6cfcf6fc0db01a08db7e2f86ca8c82
-size 105699
+oid sha256:2ea5daa59f376f85ad67dde8332499637e0e82999dcf051853589d1ebf22eca3
+size 105893
diff --git a/apps/locale/zh/LC_MESSAGES/django.po b/apps/locale/zh/LC_MESSAGES/django.po
index c0ce1706c..3b3aeb02f 100644
--- a/apps/locale/zh/LC_MESSAGES/django.po
+++ b/apps/locale/zh/LC_MESSAGES/django.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: JumpServer 0.3.3\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-06-16 10:20+0800\n"
+"POT-Creation-Date: 2022-06-16 11:12+0800\n"
 "PO-Revision-Date: 2021-05-20 10:54+0800\n"
 "Last-Translator: ibuler <ibuler@qq.com>\n"
 "Language-Team: JumpServer team<ibuler@qq.com>\n"
@@ -1245,16 +1245,12 @@ msgid "Password can not contains `{{` "
 msgstr "密码不能包含 `{{` 字符"
 
 #: assets/serializers/utils.py:14
-#, fuzzy
-#| msgid "Password can not contains `{{` "
 msgid "Password can not contains `'` "
-msgstr "密码不能包含 `{{` 字符"
+msgstr "密码不能包含 `'` 字符"
 
 #: assets/serializers/utils.py:16
-#, fuzzy
-#| msgid "Password can not contains `{{` "
 msgid "Password can not contains `\"` "
-msgstr "密码不能包含 `{{` 字符"
+msgstr "密码不能包含 `\"` 字符"
 
 #: assets/tasks/account_connectivity.py:30
 msgid "The asset {} system platform {} does not support run Ansible tasks"
@@ -6755,17 +6751,3 @@ msgstr "旗舰版"
 #: xpack/plugins/license/models.py:77
 msgid "Community edition"
 msgstr "社区版"
-
-#~ msgid "Please verify your password first"
-#~ msgstr "请检查密码"
-
-#~ msgid "AccessKey ID"
-#~ msgstr "Access key ID"
-
-#~ msgid "Unknown ip"
-#~ msgstr "未知ip"
-
-#~ msgid ""
-#~ "Windows needs to download the client to connect SSH assets, and the MacOS "
-#~ "system uses its own terminal"
-#~ msgstr "Windows 需要下载客户端来连接SSH资产，macOS系统采用自带的Terminal"

From 75a72fb18231b8be4baab37555f65ccf05ac5933 Mon Sep 17 00:00:00 2001
From: feng626 <1304903146@qq.com>
Date: Thu, 16 Jun 2022 11:28:34 +0800
Subject: [PATCH 168/258] fix: user confirm bug

---
 apps/authentication/api/confirm.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/authentication/api/confirm.py b/apps/authentication/api/confirm.py
index c77a1d533..9041f6e85 100644
--- a/apps/authentication/api/confirm.py
+++ b/apps/authentication/api/confirm.py
@@ -22,7 +22,7 @@ class ConfirmViewSet(ListCreateAPIView):
 
     def check(self, confirm_type: str):
         if confirm_type == ConfirmType.MFA:
-            return bool(MFAOtp(self.user).is_active())
+            return self.user.mfa_enabled
 
         if confirm_type == ConfirmType.PASSWORD:
             return self.user.is_password_authenticate()

From 2be74c4b84d27b4f63cd5cb8adf52461cb2706d5 Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Thu, 16 Jun 2022 13:16:25 +0800
Subject: [PATCH 169/258] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=E5=91=BD?=
 =?UTF-8?q?=E4=BB=A4=E5=88=97=E8=A1=A8=E6=A8=A1=E7=B3=8A=E6=90=9C=E7=B4=A2?=
 =?UTF-8?q?=E6=8A=A5=E9=94=99500=E7=9A=84=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

fix: 修复命令列表模糊搜索报错500的问题
---
 apps/terminal/backends/command/es.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/apps/terminal/backends/command/es.py b/apps/terminal/backends/command/es.py
index ae76b2974..1387f6656 100644
--- a/apps/terminal/backends/command/es.py
+++ b/apps/terminal/backends/command/es.py
@@ -297,6 +297,9 @@ class QuerySet(DJQuerySet):
         self._command_store_config = command_store_config
         self._storage = CommandStore(command_store_config)
 
+        # 命令列表模糊搜索时报错
+        super().__init__()
+
     @lazyproperty
     def _grouped_method_calls(self):
         _method_calls = {k: list(v) for k, v in groupby(self._method_calls, lambda x: x[0])}

From 1e3da5097935cb6aad71a1b689d29a182d3c143d Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Thu, 16 Jun 2022 16:47:17 +0800
Subject: [PATCH 170/258] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=E4=BC=9A?=
 =?UTF-8?q?=E8=AF=9D=E5=8A=A0=E5=85=A5=E8=AE=B0=E5=BD=95=E6=9B=B4=E6=96=B0?=
 =?UTF-8?q?=E5=A4=B1=E8=B4=A5=E7=9A=84=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/terminal/api/sharing.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/apps/terminal/api/sharing.py b/apps/terminal/api/sharing.py
index 114a00da1..1a9545e54 100644
--- a/apps/terminal/api/sharing.py
+++ b/apps/terminal/api/sharing.py
@@ -43,6 +43,9 @@ class SessionJoinRecordsViewSet(OrgModelViewSet):
     )
     filterset_fields = search_fields
     model = models.SessionJoinRecord
+    rbac_perms = {
+        'finished': 'terminal.change_sessionjoinrecord'
+    }
 
     def create(self, request, *args, **kwargs):
         try:

From adc8a8f7d3fbc64623fbf6a7c4dec499c6a1c79c Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Thu, 16 Jun 2022 14:19:58 +0800
Subject: [PATCH 171/258] =?UTF-8?q?fix:=20=E4=BF=AE=E6=94=B9=E7=BF=BB?=
 =?UTF-8?q?=E8=AF=91?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/locale/ja/LC_MESSAGES/django.mo | 4 ++--
 apps/locale/ja/LC_MESSAGES/django.po | 2 +-
 apps/locale/zh/LC_MESSAGES/django.mo | 4 ++--
 apps/locale/zh/LC_MESSAGES/django.po | 2 +-
 4 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/apps/locale/ja/LC_MESSAGES/django.mo b/apps/locale/ja/LC_MESSAGES/django.mo
index 4618d1b80..d0d6aaf5d 100644
--- a/apps/locale/ja/LC_MESSAGES/django.mo
+++ b/apps/locale/ja/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:449dcbd8e4b4f133d45e01642bb42a20477b09309d2b916f1aff9e854e6864e8
-size 128120
+oid sha256:132e7f59a56d1cf5b2358b21b547861e872fa456164f2e0809120fb2b13f0ec1
+size 128122
diff --git a/apps/locale/ja/LC_MESSAGES/django.po b/apps/locale/ja/LC_MESSAGES/django.po
index c79aac704..ab8d5b532 100644
--- a/apps/locale/ja/LC_MESSAGES/django.po
+++ b/apps/locale/ja/LC_MESSAGES/django.po
@@ -4299,7 +4299,7 @@ msgstr "属性マップの有効化"
 
 #: settings/serializers/terminal.py:37
 msgid "Enable Razor"
-msgstr "XRDPの有効化"
+msgstr "Razor の有効化"
 
 #: settings/serializers/terminal.py:38
 msgid "Enable SSH Client"
diff --git a/apps/locale/zh/LC_MESSAGES/django.mo b/apps/locale/zh/LC_MESSAGES/django.mo
index a35dad64a..5bafa0526 100644
--- a/apps/locale/zh/LC_MESSAGES/django.mo
+++ b/apps/locale/zh/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:2ea5daa59f376f85ad67dde8332499637e0e82999dcf051853589d1ebf22eca3
-size 105893
+oid sha256:002f6953ebbe368642f0ea3c383f617b5f998edf2238341be63393123d4be8a9
+size 105894
diff --git a/apps/locale/zh/LC_MESSAGES/django.po b/apps/locale/zh/LC_MESSAGES/django.po
index 3b3aeb02f..874df532d 100644
--- a/apps/locale/zh/LC_MESSAGES/django.po
+++ b/apps/locale/zh/LC_MESSAGES/django.po
@@ -4237,7 +4237,7 @@ msgstr "启用数据库组件"
 
 #: settings/serializers/terminal.py:37
 msgid "Enable Razor"
-msgstr "启用 XRDP 服务"
+msgstr "启用 Razor 服务"
 
 #: settings/serializers/terminal.py:38
 msgid "Enable SSH Client"

From 8e43e9ee2b08ee67eb9806a3096368c208677108 Mon Sep 17 00:00:00 2001
From: feng626 <1304903146@qq.com>
Date: Thu, 16 Jun 2022 17:49:40 +0800
Subject: [PATCH 172/258] =?UTF-8?q?fix:=20=E6=8E=88=E6=9D=83=E8=BF=87?=
 =?UTF-8?q?=E6=9C=9F=E9=80=9A=E7=9F=A5?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/perms/tasks.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/apps/perms/tasks.py b/apps/perms/tasks.py
index 237eac5ac..da96beb68 100644
--- a/apps/perms/tasks.py
+++ b/apps/perms/tasks.py
@@ -80,7 +80,7 @@ def check_asset_permission_will_expired():
         if org in org_perm_remain_day_mapper[remain_days]:
             org_perm_remain_day_mapper[remain_days][org].add(asset_perm)
         else:
-            org_perm_remain_day_mapper[remain_days][org] = set()
+            org_perm_remain_day_mapper[remain_days][org] = {asset_perm, }
 
         # 计算每个用户即将过期的资产
         users = asset_perm.get_all_users()
@@ -90,7 +90,7 @@ def check_asset_permission_will_expired():
             if u in user_asset_remain_day_mapper[remain_days]:
                 user_asset_remain_day_mapper[remain_days][u].update(assets)
             else:
-                user_asset_remain_day_mapper[remain_days][u] = set()
+                user_asset_remain_day_mapper[remain_days][u] = set(assets)
 
     for day_count, user_asset_mapper in user_asset_remain_day_mapper.items():
         for user, assets in user_asset_mapper.items():
@@ -127,7 +127,7 @@ def check_app_permission_will_expired():
         if org in org_perm_remain_day_mapper[remain_days]:
             org_perm_remain_day_mapper[remain_days][org].add(app_perm)
         else:
-            org_perm_remain_day_mapper[remain_days][org] = set()
+            org_perm_remain_day_mapper[remain_days][org] = {app_perm, }
 
         users = app_perm.get_all_users()
         apps = app_perm.applications.all()
@@ -135,7 +135,7 @@ def check_app_permission_will_expired():
             if u in user_app_remain_day_mapper[remain_days]:
                 user_app_remain_day_mapper[remain_days][u].update(apps)
             else:
-                user_app_remain_day_mapper[remain_days][u] = set()
+                user_app_remain_day_mapper[remain_days][u] = set(apps)
 
     for day_count, user_app_mapper in user_app_remain_day_mapper.items():
         for user, apps in user_app_mapper.items():

From 298f6ba41d63b8e7f56e7ec415da472cb84e6fca Mon Sep 17 00:00:00 2001
From: feng626 <1304903146@qq.com>
Date: Thu, 16 Jun 2022 17:23:49 +0800
Subject: [PATCH 173/258] =?UTF-8?q?fix:=20=E4=BF=AE=E6=94=B9=E7=BF=BB?=
 =?UTF-8?q?=E8=AF=91?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/locale/ja/LC_MESSAGES/django.po | 4 ++--
 apps/locale/zh/LC_MESSAGES/django.po | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/apps/locale/ja/LC_MESSAGES/django.po b/apps/locale/ja/LC_MESSAGES/django.po
index ab8d5b532..6b94dad82 100644
--- a/apps/locale/ja/LC_MESSAGES/django.po
+++ b/apps/locale/ja/LC_MESSAGES/django.po
@@ -1768,11 +1768,11 @@ msgstr "{ApplicationPermission} 削除 {SystemUser}"
 
 #: authentication/api/confirm.py:40
 msgid "Authentication failed password incorrect"
-msgstr "認証に失敗しました (ユーザー名またはパスワードが正しくありません): {}"
+msgstr "認証に失敗しました (ユーザー名またはパスワードが正しくありません)"
 
 #: authentication/api/confirm.py:48
 msgid "Login time has exceeded {} minutes, please login again"
-msgstr ""
+msgstr "ログイン時間が {} 分を超えました。もう一度ログインしてください"
 
 #: authentication/api/confirm.py:72 common/exceptions.py:47
 msgid "This action require verify your MFA"
diff --git a/apps/locale/zh/LC_MESSAGES/django.po b/apps/locale/zh/LC_MESSAGES/django.po
index 874df532d..d0944cb51 100644
--- a/apps/locale/zh/LC_MESSAGES/django.po
+++ b/apps/locale/zh/LC_MESSAGES/django.po
@@ -1756,11 +1756,11 @@ msgstr "{ApplicationPermission} 移除 {SystemUser}"
 
 #: authentication/api/confirm.py:40
 msgid "Authentication failed password incorrect"
-msgstr "认证失败 (用户名或密码不正确): {}"
+msgstr "认证失败 (用户名或密码不正确)"
 
 #: authentication/api/confirm.py:48
 msgid "Login time has exceeded {} minutes, please login again"
-msgstr ""
+msgstr "登录时长已超过 {} 分钟，请重新登录"
 
 #: authentication/api/confirm.py:72 common/exceptions.py:47
 msgid "This action require verify your MFA"

From 81598a526429f58a2d663cc1579808846eabe119 Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Thu, 16 Jun 2022 18:02:43 +0800
Subject: [PATCH 174/258] =?UTF-8?q?perf:=20=E6=8E=A8=E9=80=81=E7=B3=BB?=
 =?UTF-8?q?=E7=BB=9F=E7=94=A8=E6=88=B7=E7=94=A8=E6=88=B7=E5=90=8D=E6=8F=90?=
 =?UTF-8?q?=E7=A4=BA=E4=BF=A1=E6=81=AF?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/assets/tasks/push_system_user.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/assets/tasks/push_system_user.py b/apps/assets/tasks/push_system_user.py
index cd32d8e15..8834a29e9 100644
--- a/apps/assets/tasks/push_system_user.py
+++ b/apps/assets/tasks/push_system_user.py
@@ -274,7 +274,7 @@ def push_system_user_a_asset_manual(system_user, asset, username=None):
     # if username is None:
     #     username = system_user.username
     task_name = gettext_noop("Push system users to asset: ") + "{}({}) => {}".format(
-        system_user.name, username or '', asset
+        system_user.name, username or system_user.username, asset
     )
     return push_system_user_util(system_user, [asset], task_name=task_name, username=username)
 

From 3fde31f2e0a3c459fdcc852629b5cf2595974c04 Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Fri, 17 Jun 2022 15:21:13 +0800
Subject: [PATCH 175/258] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=E5=B7=A5?=
 =?UTF-8?q?=E5=8D=95=E8=87=AA=E5=AE=9A=E4=B9=89=E6=90=9C=E7=B4=A2=E6=97=B6?=
 =?UTF-8?q?500=E7=9A=84=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/tickets/api/ticket.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/tickets/api/ticket.py b/apps/tickets/api/ticket.py
index 586188898..00e30f899 100644
--- a/apps/tickets/api/ticket.py
+++ b/apps/tickets/api/ticket.py
@@ -27,7 +27,7 @@ class TicketViewSet(CommonApiMixin, viewsets.ModelViewSet):
     }
     filterset_class = TicketFilter
     search_fields = [
-        'title', 'action', 'type', 'status', 'applicant_display'
+        'title', 'type', 'status', 'applicant_display'
     ]
     ordering_fields = (
         'title', 'applicant_display', 'status', 'state', 'action_display',

From 710cd0fb3b2bf6359ac93d2695b53e18b6680f2c Mon Sep 17 00:00:00 2001
From: Eric <xplzv@126.com>
Date: Mon, 20 Jun 2022 13:50:16 +0800
Subject: [PATCH 176/258] =?UTF-8?q?fix=EF=BC=9A=E4=BF=AE=E5=A4=8Des?=
 =?UTF-8?q?=E6=97=A5=E6=9C=9F=E7=B4=A2=E5=BC=95=E5=BF=BD=E7=95=A5=E8=AF=81?=
 =?UTF-8?q?=E4=B9=A6=E7=9A=84=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/terminal/models/storage.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/terminal/models/storage.py b/apps/terminal/models/storage.py
index 311a55fda..857d3c77d 100644
--- a/apps/terminal/models/storage.py
+++ b/apps/terminal/models/storage.py
@@ -84,7 +84,7 @@ class CommandStorage(CommonStorageModelMixin, CommonModelMixin):
         config = self.config
         if self.type_es and config.get('INDEX_BY_DATE'):
             engine_mod = import_module(TYPE_ENGINE_MAPPING[self.type])
-            store = engine_mod.CommandStore(config)
+            store = engine_mod.CommandStore(dict(**config))
             store._ensure_index_exists()
             index_prefix = config.get('INDEX') or 'jumpserver'
             date = local_now_date_display()

From 379c7198daa17b2095c27e03551768fecd531abf Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Mon, 20 Jun 2022 13:42:23 +0800
Subject: [PATCH 177/258] =?UTF-8?q?pref:=20=E5=8E=BB=E6=8E=89=20django-red?=
 =?UTF-8?q?is-cache=20=E4=BE=9D=E8=B5=96?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 requirements/requirements.txt | 1 -
 1 file changed, 1 deletion(-)

diff --git a/requirements/requirements.txt b/requirements/requirements.txt
index 8833b6e60..1dd12283b 100644
--- a/requirements/requirements.txt
+++ b/requirements/requirements.txt
@@ -21,7 +21,6 @@ django-celery-beat==2.2.1
 django-filter==2.4.0
 django-formtools==2.2
 django-ranged-response==0.2.0
-django-redis-cache==2.1.1
 django-rest-swagger==2.2.0
 django-simple-captcha==0.5.13
 django-timezone-field==4.1.0

From d1420de4c2d2d65f0f9713a08c573834c21c9fed Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Mon, 20 Jun 2022 14:37:31 +0800
Subject: [PATCH 178/258] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8Des=E7=B1=BB?=
 =?UTF-8?q?=E5=9E=8B=E7=9A=84=E5=91=BD=E4=BB=A4=E5=AD=98=E5=82=A8=E6=9B=B4?=
 =?UTF-8?q?=E6=96=B0=E5=BF=BD=E7=95=A5=E8=AF=81=E4=B9=A6=E5=AD=97=E6=AE=B5?=
 =?UTF-8?q?=E4=B8=8D=E6=88=90=E5=8A=9F=E7=9A=84=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/terminal/models/storage.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/apps/terminal/models/storage.py b/apps/terminal/models/storage.py
index 857d3c77d..4ddab1bcc 100644
--- a/apps/terminal/models/storage.py
+++ b/apps/terminal/models/storage.py
@@ -1,5 +1,6 @@
 from __future__ import unicode_literals
 
+import copy
 import os
 
 from importlib import import_module
@@ -77,14 +78,14 @@ class CommandStorage(CommonStorageModelMixin, CommonModelMixin):
     def config(self):
         config = self.meta
         config.update({'TYPE': self.type})
-        return config
+        return copy.deepcopy(config)
 
     @property
     def valid_config(self):
         config = self.config
         if self.type_es and config.get('INDEX_BY_DATE'):
             engine_mod = import_module(TYPE_ENGINE_MAPPING[self.type])
-            store = engine_mod.CommandStore(dict(**config))
+            store = engine_mod.CommandStore(config)
             store._ensure_index_exists()
             index_prefix = config.get('INDEX') or 'jumpserver'
             date = local_now_date_display()

From 8b819f377993f97e4a377c42fe9d9bc5b0a7614c Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Mon, 20 Jun 2022 19:22:48 +0800
Subject: [PATCH 179/258] =?UTF-8?q?perf:=20=E4=BC=98=E5=8C=96=E7=99=BB?=
 =?UTF-8?q?=E5=BD=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/authentication/backends/base.py          |   2 +
 .../templates/authentication/login.html       |  44 +++---
 apps/authentication/views/login.py            |  28 +++-
 apps/common/utils/encode.py                   |   1 +
 apps/jumpserver/settings/base.py              |  16 +-
 apps/jumpserver/settings/libs.py              |   2 +
 requirements/requirements.txt                 | 139 +++++++++---------
 7 files changed, 129 insertions(+), 103 deletions(-)

diff --git a/apps/authentication/backends/base.py b/apps/authentication/backends/base.py
index 84cdeab27..351f9edc1 100644
--- a/apps/authentication/backends/base.py
+++ b/apps/authentication/backends/base.py
@@ -52,6 +52,8 @@ class JMSBaseAuthBackend:
             logger.debug(info)
         return allow
 
+from redis_lock.django_cache import RedisCache
+from redis import StrictRedis
 
 class JMSModelBackend(JMSBaseAuthBackend, ModelBackend):
     pass
diff --git a/apps/authentication/templates/authentication/login.html b/apps/authentication/templates/authentication/login.html
index 823f22201..e5e4a7a4e 100644
--- a/apps/authentication/templates/authentication/login.html
+++ b/apps/authentication/templates/authentication/login.html
@@ -87,11 +87,11 @@
         }
 
         .jms-title {
-            padding: 40px 10px 10px;
+            padding: 60px 10px 10px 60px;
         }
 
         .no-captcha-challenge .jms-title {
-            padding: 60px 10px 10px;
+            padding: 60px 10px 10px 60px;
         }
 
         .no-captcha-challenge .welcome-message {
@@ -125,15 +125,27 @@
             font-weight: 350 !important;
             min-height: auto !important;
         }
+
+        .right-image {
+            height: 100%;
+            width: 100%
+        }
+
+        .jms-title {
+            font-size: 21px;
+            font-weight:400;
+            color: #151515;
+            letter-spacing: 0;
+            text-align: left;
+        }
     </style>
 </head>
 
 <body>
-
 <div class="login-content">
     <div class="right-image-box">
-        <a href="{% if not XPACK_ENABLED %}https://github.com/jumpserver/jumpserver{% endif %}">
-            <img src="{{ LOGIN_IMAGE_URL }}" style="height: 100%; width: 100%"/>
+        <a href="{% if not XPACK_ENABLED %}https://github.com/jumpserver/jumpserver.git{% endif %}">
+            <img src="{{ LOGIN_IMAGE_URL }}" class="right-image"  alt="screen-image"/>
         </a>
     </div>
     <div class="left-form-box {% if not form.challenge and not form.captcha %} no-captcha-challenge {% endif %}">
@@ -142,26 +154,23 @@
                 <li class="dropdown">
                     <a class="dropdown-toggle login-page-language" data-toggle="dropdown" href="#" target="_blank">
                         <i class="fa fa-globe fa-lg" style="margin-right: 2px"></i>
-                        {% if request.COOKIES.django_language == 'en' %}
-                            <span>English<b class="caret"></b></span>
-                        {% elif request.COOKIES.django_language == 'ja' %}
-                            <span>日本語<b class="caret"></b></span>
-                        {% else %}
-                            <span>中文(简体)<b class="caret"></b></span>
-                        {% endif %}
+                        <span>{{ current_lang.title }}<b class="caret"></b></span>
                     </a>
                     <ul class="dropdown-menu profile-dropdown dropdown-menu-right">
-                        <li> <a id="switch_cn" href="{% url 'i18n-switch' lang='zh-hans' %}"> <span>中文(简体)</span> </a> </li>
-                        <li> <a id="switch_en" href="{% url 'i18n-switch' lang='en' %}"> <span>English</span> </a> </li>
-                        <li> <a id="switch_ja" href="{% url 'i18n-switch' lang='ja' %}"> <span>日本語</span> </a> </li>
+                        {% for lang in langs %}
+                        <li>
+                            <a href="{% url 'i18n-switch' lang=lang.code %}">
+                                <span>{{ lang.title }}</span>
+                            </a>
+                        </li>
+                        {% endfor %}
                     </ul>
                 </li>
             </ul>
             <div class="jms-title">
-                <span style="font-size: 21px;font-weight:400;color: #151515;letter-spacing: 0;">{{ JMS_TITLE }}</span>
+                <span style="">{% trans 'Login' %}</span>
             </div>
             <div class="contact-form col-md-10 col-md-offset-1">
-
                 <form id="login-form" action="" method="post" role="form" novalidate="novalidate">
                     {% csrf_token %}
                     <div style="line-height: 17px;margin-bottom: 20px;color: #999999;">
@@ -177,7 +186,6 @@
                     </div>
 
                     {% bootstrap_field form.username show_label=False %}
-
                     <div class="form-group {% if form.password.errors %} has-error {% endif %}">
                         <input type="password" class="form-control" id="password" placeholder="{% trans 'Password' %}" required>
                         <input id="password-hidden" type="text" style="display:none" name="{{ form.password.html_name }}">
diff --git a/apps/authentication/views/login.py b/apps/authentication/views/login.py
index ae32b14ab..226a12b99 100644
--- a/apps/authentication/views/login.py
+++ b/apps/authentication/views/login.py
@@ -10,8 +10,7 @@ from django.contrib.auth import login as auth_login, logout as auth_logout
 from django.http import HttpResponse
 from django.shortcuts import reverse, redirect
 from django.utils.decorators import method_decorator
-from django.db import transaction
-from django.utils.translation import ugettext as _
+from django.utils.translation import ugettext as _, get_language
 from django.views.decorators.cache import never_cache
 from django.views.decorators.csrf import csrf_protect
 from django.views.decorators.debug import sensitive_post_parameters
@@ -181,6 +180,29 @@ class UserLoginView(mixins.AuthMixin, FormView):
         ]
         return [method for method in auth_methods if method['enabled']]
 
+    @staticmethod
+    def get_support_langs():
+        langs = [
+            {
+                'title': '中文(简体)',
+                'code': 'zh-hans'
+            },
+            {
+                'title': 'English',
+                'code': 'en'
+            },
+            {
+                'title': '日本語',
+                'code': 'ja'
+            }
+        ]
+        return langs
+
+    def get_current_lang(self):
+        langs = self.get_support_langs()
+        matched_lang = filter(lambda x: x['code'] == get_language(), langs)
+        return next(matched_lang, langs[0])
+
     @staticmethod
     def get_forgot_password_url():
         forgot_password_url = reverse('authentication:forgot-password')
@@ -191,6 +213,8 @@ class UserLoginView(mixins.AuthMixin, FormView):
         context = {
             'demo_mode': os.environ.get("DEMO_MODE"),
             'auth_methods': self.get_support_auth_methods(),
+            'langs': self.get_support_langs(),
+            'current_lang': self.get_current_lang(),
             'forgot_password_url': self.get_forgot_password_url(),
             **self.get_user_mfa_context(self.request.user)
         }
diff --git a/apps/common/utils/encode.py b/apps/common/utils/encode.py
index 4178e4a0d..72600ff08 100644
--- a/apps/common/utils/encode.py
+++ b/apps/common/utils/encode.py
@@ -13,6 +13,7 @@ from itertools import chain
 import paramiko
 import sshpubkeys
 from itsdangerous import (
+    TimedSerializer,
     TimedJSONWebSignatureSerializer, JSONWebSignatureSerializer,
     BadSignature, SignatureExpired
 )
diff --git a/apps/jumpserver/settings/base.py b/apps/jumpserver/settings/base.py
index c1baf2882..ff42eda4b 100644
--- a/apps/jumpserver/settings/base.py
+++ b/apps/jumpserver/settings/base.py
@@ -148,19 +148,8 @@ SESSION_EXPIRE_AT_BROWSER_CLOSE = True
 # 自定义的配置，SESSION_EXPIRE_AT_BROWSER_CLOSE 始终为 True, 下面这个来控制是否强制关闭后过期 cookie
 SESSION_EXPIRE_AT_BROWSER_CLOSE_FORCE = CONFIG.SESSION_EXPIRE_AT_BROWSER_CLOSE_FORCE
 SESSION_SAVE_EVERY_REQUEST = CONFIG.SESSION_SAVE_EVERY_REQUEST
-SESSION_ENGINE = 'jumpserver.rewriting.session'
-SESSION_REDIS = {
-    'url': '%(protocol)s://:%(password)s@%(host)s:%(port)s/%(db)s' % {
-        'protocol': 'rediss' if CONFIG.REDIS_USE_SSL else 'redis',
-        'password': CONFIG.REDIS_PASSWORD,
-        'host': CONFIG.REDIS_HOST,
-        'port': CONFIG.REDIS_PORT,
-        'db': CONFIG.REDIS_DB_CACHE,
-    },
-    'prefix': 'auth_session',
-    'socket_timeout': 1,
-    'retry_on_timeout': False
-}
+SESSION_ENGINE = "django.contrib.sessions.backends.cache"
+SESSION_CACHE_ALIAS = "default"
 
 MESSAGE_STORAGE = 'django.contrib.messages.storage.cookie.CookieStorage'
 # Database
@@ -283,7 +272,6 @@ REDIS_SSL_REQUIRED = CONFIG.REDIS_SSL_REQUIRED or 'none'
 
 CACHES = {
     'default': {
-        # 'BACKEND': 'redis_cache.RedisCache',
         'BACKEND': 'redis_lock.django_cache.RedisCache',
         'LOCATION': '%(protocol)s://:%(password)s@%(host)s:%(port)s/%(db)s' % {
             'protocol': 'rediss' if CONFIG.REDIS_USE_SSL else 'redis',
diff --git a/apps/jumpserver/settings/libs.py b/apps/jumpserver/settings/libs.py
index c67c21f0b..e5a5e90e5 100644
--- a/apps/jumpserver/settings/libs.py
+++ b/apps/jumpserver/settings/libs.py
@@ -153,3 +153,5 @@ ANSIBLE_LOG_DIR = os.path.join(PROJECT_DIR, 'data', 'ansible')
 REDIS_HOST = CONFIG.REDIS_HOST
 REDIS_PORT = CONFIG.REDIS_PORT
 REDIS_PASSWORD = CONFIG.REDIS_PASSWORD
+
+DJANGO_REDIS_SCAN_ITERSIZE = 1000
diff --git a/requirements/requirements.txt b/requirements/requirements.txt
index 1dd12283b..b79cd370e 100644
--- a/requirements/requirements.txt
+++ b/requirements/requirements.txt
@@ -3,9 +3,9 @@ ansible==2.10.7
 asn1crypto==0.24.0
 bcrypt==3.1.4
 billiard==3.6.4.0
-boto3==1.18.11
-botocore==1.21.11
-celery==5.2.2
+boto3==1.24.12
+botocore==1.27.12
+celery==5.2.7
 certifi==2018.1.18
 cffi==1.13.2
 chardet==3.0.4
@@ -17,117 +17,118 @@ decorator==4.1.2
 Django==3.1.14
 django-auth-ldap==2.2.0
 django-bootstrap3==14.2.0
-django-celery-beat==2.2.1
+django-celery-beat==2.3.0
 django-filter==2.4.0
 django-formtools==2.2
 django-ranged-response==0.2.0
 django-rest-swagger==2.2.0
-django-simple-captcha==0.5.13
-django-timezone-field==4.1.0
-djangorestframework==3.12.2
+django-simple-captcha==0.5.17
+django-timezone-field==5.0
+djangorestframework==3.13.1
 djangorestframework-bulk==0.2.1
 docutils==0.14
 ecdsa==0.13.3
 enum-compat==0.0.2
 ephem==3.7.6.0
-eventlet==0.31.1
+eventlet==0.33.1
 future==0.16.0
 ForgeryPy3==0.3.1
-greenlet==0.4.14
-gunicorn==19.9.0
+greenlet==1.1.2
+gunicorn==20.1.0
 idna==2.6
-itsdangerous==0.24
-itypes==1.1.0
-Jinja2==2.11.3
-jmespath==0.9.3
-kombu==5.2.2
-ldap3==2.4
-MarkupSafe==1.1.1
-mysqlclient==2.0.1
-olefile==0.44
+itsdangerous==1.1.0
+itypes==1.2.0
+Jinja2==3.1.2
+jmespath==1.0.1
+kombu==5.2.4
+ldap3==2.9.1
+MarkupSafe==2.1.1
+mysqlclient==2.1.0
+olefile==0.46
 openapi-codec==1.3.2
-paramiko==2.10.1
-passlib==1.7.1
-Pillow==9.0.1
+paramiko==2.11.0
+passlib==1.7.4
+Pillow==9.1.1
 pyasn1==0.4.8
-pycparser==2.19
-pycryptodome==3.12.0
-pycryptodomex==3.12.0
-pyotp==2.2.6
+pycparser==2.21
+pycryptodome==3.14.1
+pycryptodomex==3.14.1
+pyotp==2.6.0
 PyNaCl==1.5.0
 python-dateutil==2.8.2
-pytz==2018.3
+pytz==2022.1
 PyYAML==6.0
-redis==4.3.1
-requests==2.25.1
-jms-storage==0.0.42
-s3transfer==0.5.0
-simplejson==3.13.2
-six==1.11.0
-sshpubkeys==3.1.0
-uritemplate==3.0.0
-urllib3==1.26.5
+redis==4.3.3
+requests==2.28.0
+# jms-storage==0.0.42
+s3transfer==0.6.0
+simplejson==3.17.6
+six==1.16.0
+sshpubkeys==3.3.1
+uritemplate==4.1.1
+urllib3==1.26.9
 vine==5.0.0
 drf-yasg==1.20.0
-Werkzeug==0.15.3
-drf-nested-routers==0.91
-aliyun-python-sdk-core-v3==2.9.1
-aliyun-python-sdk-ecs==4.10.1
+Werkzeug==2.1.2
+drf-nested-routers==0.93.4
 rest_condition==1.0.3
 python-ldap==3.4.0
-tencentcloud-sdk-python==3.0.477
-django-radius==1.4.0
-django-redis-sessions==0.6.1
+django-radius==1.5.0
 unicodecsv==0.14.1
-python-daemon==2.2.3
+python-daemon==2.3.0
 httpsig==1.3.0
-treelib==1.5.3
+treelib==1.6.1
 django-proxy==1.2.1
 flower==1.0.0
-channels-redis==3.2.0
-channels==2.4.0
-daphne==2.4.1
-psutil==5.6.6
+channels-redis==3.4.0
+channels==3.0.4
+daphne==3.0.2
+psutil==5.9.1
 django-cas-ng==4.0.1
 python-cas==1.5.0
 ipython
-huaweicloud-sdk-python==1.0.21
-django-redis==4.11.0
+django-redis==5.2.0
 python-redis-lock==3.7.0
 jumpserver-django-oidc-rp==0.3.7.8
 django-mysql==3.9.0
 gmssl==3.2.1
-azure-mgmt-compute==4.6.2
-azure-mgmt-network==2.7.0
 msrestazure==0.6.4
 adal==1.2.5
-openpyxl==3.0.5
-pyexcel==0.6.6
+openpyxl==3.0.10
+pyexcel==0.7.0
 pyexcel-xlsx==0.6.0
 data-tree==0.0.1
 pyvmomi==7.0.1
 termcolor==1.1.0
-azure-identity==1.5.0
-azure-mgmt-subscription==1.0.0
-qingcloud-sdk==1.2.12
-django-simple-history==3.0.0
-google-cloud-compute==0.5.0
-PyMySQL==1.0.2
-cx-Oracle==8.2.1
-psycopg2-binary==2.9.1
-alibabacloud_dysmsapi20170525==2.0.2
-geoip2==4.4.0
+django-simple-history==3.1.1
+geoip2==4.5.0
 html2text==2020.1.16
-python-novaclient==11.0.1
 pyzipper==0.3.5
 python3-saml==1.12.0
-python-keystoneclient==4.3.0
-pymssql==2.1.5
 kubernetes==21.7.0
 websocket-client==1.2.3
 numpy==1.22.0
 pandas==1.3.5
 pyjwkest==1.4.2
 jsonfield2==4.0.0.post0
-bce-python-sdk==0.8.64
 ipip-ipdb==1.6.1
+# Cloud req
+qingcloud-sdk==1.2.12
+azure-mgmt-subscription==1.0.0
+azure-identity==1.5.0
+azure-mgmt-compute==4.6.2
+azure-mgmt-network==2.7.0
+google-cloud-compute==0.5.0
+alibabacloud_dysmsapi20170525==2.0.2
+python-novaclient==11.0.1
+python-keystoneclient==4.3.0
+bce-python-sdk==0.8.64
+tencentcloud-sdk-python==3.0.477
+aliyun-python-sdk-core-v3==2.9.1
+aliyun-python-sdk-ecs==4.10.1
+huaweicloud-sdk-python==1.0.21
+# DB requirements
+PyMySQL==1.0.2
+cx-Oracle==8.2.1
+psycopg2-binary==2.9.1
+pymssql==2.1.5

From 97baeebb2ac7b2897293041ab796a550710b592c Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Mon, 20 Jun 2022 19:26:49 +0800
Subject: [PATCH 180/258] =?UTF-8?q?perf:=20=E4=BF=AE=E6=94=B9=20redis=20sc?=
 =?UTF-8?q?an=20counter?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/jumpserver/settings/libs.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/apps/jumpserver/settings/libs.py b/apps/jumpserver/settings/libs.py
index c67c21f0b..e5a5e90e5 100644
--- a/apps/jumpserver/settings/libs.py
+++ b/apps/jumpserver/settings/libs.py
@@ -153,3 +153,5 @@ ANSIBLE_LOG_DIR = os.path.join(PROJECT_DIR, 'data', 'ansible')
 REDIS_HOST = CONFIG.REDIS_HOST
 REDIS_PORT = CONFIG.REDIS_PORT
 REDIS_PASSWORD = CONFIG.REDIS_PASSWORD
+
+DJANGO_REDIS_SCAN_ITERSIZE = 1000

From 7c1882bb5358c287eb15b6223e75ae37f0a8176c Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Tue, 21 Jun 2022 10:08:14 +0800
Subject: [PATCH 181/258] perf: login

---
 apps/authentication/backends/base.py |  2 --
 apps/jumpserver/settings/libs.py     | 11 +----------
 2 files changed, 1 insertion(+), 12 deletions(-)

diff --git a/apps/authentication/backends/base.py b/apps/authentication/backends/base.py
index 351f9edc1..84cdeab27 100644
--- a/apps/authentication/backends/base.py
+++ b/apps/authentication/backends/base.py
@@ -52,8 +52,6 @@ class JMSBaseAuthBackend:
             logger.debug(info)
         return allow
 
-from redis_lock.django_cache import RedisCache
-from redis import StrictRedis
 
 class JMSModelBackend(JMSBaseAuthBackend, ModelBackend):
     pass
diff --git a/apps/jumpserver/settings/libs.py b/apps/jumpserver/settings/libs.py
index e5a5e90e5..9450b724c 100644
--- a/apps/jumpserver/settings/libs.py
+++ b/apps/jumpserver/settings/libs.py
@@ -6,6 +6,7 @@ import ssl
 from .base import REDIS_SSL_CA_CERTS, REDIS_SSL_CERTFILE, REDIS_SSL_KEYFILE, REDIS_SSL_REQUIRED
 from ..const import CONFIG, PROJECT_DIR
 
+
 REST_FRAMEWORK = {
     # Use Django's standard `django.contrib.auth` permissions,
     # or allow read-only access for unauthenticated users.
@@ -14,7 +15,6 @@ REST_FRAMEWORK = {
     ),
     'DEFAULT_RENDERER_CLASSES': (
         'rest_framework.renderers.JSONRenderer',
-        # 'rest_framework.renderers.BrowsableAPIRenderer',
         'common.drf.renders.CSVFileRenderer',
         'common.drf.renders.ExcelFileRenderer',
 
@@ -47,9 +47,6 @@ REST_FRAMEWORK = {
     'DATETIME_INPUT_FORMATS': ['%Y/%m/%d %H:%M:%S %z', 'iso-8601', '%Y-%m-%d %H:%M:%S %z'],
     'DEFAULT_PAGINATION_CLASS': 'rest_framework.pagination.LimitOffsetPagination',
     'EXCEPTION_HANDLER': 'common.drf.exc_handlers.common_exception_handler',
-    # 'PAGE_SIZE': 100,
-    # 'MAX_PAGE_SIZE': 5000
-
 }
 
 SWAGGER_SETTINGS = {
@@ -127,17 +124,11 @@ CELERY_RESULT_SERIALIZER = 'pickle'
 CELERY_RESULT_BACKEND = CELERY_BROKER_URL
 CELERY_ACCEPT_CONTENT = ['json', 'pickle']
 CELERY_RESULT_EXPIRES = 600
-# CELERY_WORKER_LOG_FORMAT = '%(asctime)s [%(module)s %(levelname)s] %(message)s'
-# CELERY_WORKER_LOG_FORMAT = '%(message)s'
-# CELERY_WORKER_TASK_LOG_FORMAT = '%(task_id)s %(task_name)s %(message)s'
 CELERY_WORKER_TASK_LOG_FORMAT = '%(message)s'
-# CELERY_WORKER_LOG_FORMAT = '%(asctime)s [%(module)s %(levelname)s] %(message)s'
 CELERY_WORKER_LOG_FORMAT = '%(message)s'
 CELERY_TASK_EAGER_PROPAGATES = True
 CELERY_WORKER_REDIRECT_STDOUTS = True
 CELERY_WORKER_REDIRECT_STDOUTS_LEVEL = "INFO"
-# CELERY_WORKER_HIJACK_ROOT_LOGGER = True
-# CELERY_WORKER_MAX_TASKS_PER_CHILD = 40
 CELERY_TASK_SOFT_TIME_LIMIT = 3600
 if CONFIG.REDIS_USE_SSL:
     CELERY_BROKER_USE_SSL = CELERY_REDIS_BACKEND_USE_SSL = {

From f1a22575d3f62026720ee760a76458f9a4faaf01 Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Tue, 21 Jun 2022 16:18:13 +0800
Subject: [PATCH 182/258] =?UTF-8?q?perf:=20=E4=BC=98=E5=8C=96=E7=99=BB?=
 =?UTF-8?q?=E5=BD=95=E9=A1=B5=E9=9D=A2?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../templates/authentication/login.html       | 70 +++++++++++++----
 apps/jumpserver/routing.py                    |  2 +
 apps/jumpserver/settings/base.py              | 75 ++++++++++---------
 apps/jumpserver/settings/libs.py              |  3 +-
 apps/notifications/urls/ws_urls.py            |  4 +-
 apps/ops/urls/ws_urls.py                      |  2 +-
 data/certs/redis_ca.crt                       | 29 +++++++
 data/certs/redis_client.crt                   | 24 ++++++
 data/certs/redis_client.key                   | 27 +++++++
 9 files changed, 180 insertions(+), 56 deletions(-)
 create mode 100755 data/certs/redis_ca.crt
 create mode 100755 data/certs/redis_client.crt
 create mode 100755 data/certs/redis_client.key

diff --git a/apps/authentication/templates/authentication/login.html b/apps/authentication/templates/authentication/login.html
index e5e4a7a4e..98e11732d 100644
--- a/apps/authentication/templates/authentication/login.html
+++ b/apps/authentication/templates/authentication/login.html
@@ -38,6 +38,8 @@
             background-color: #ffffff;
             height: 1px;
             margin: 20px 0;
+            width: 30%;
+            display: inline-block;
         }
 
         .login-content {
@@ -78,7 +80,7 @@
             margin-bottom: 0;
         }
 
-        .captch-field .has-error .help-block {
+        .captcha-field .has-error .help-block {
             margin-top: -8px !important;
         }
 
@@ -87,25 +89,32 @@
         }
 
         .jms-title {
-            padding: 60px 10px 10px 60px;
+            padding: 60px 10px 10px;
         }
 
         .no-captcha-challenge .jms-title {
-            padding: 60px 10px 10px 60px;
+            padding: 60px 10px 10px;
         }
 
         .no-captcha-challenge .welcome-message {
             padding-top: 10px;
         }
 
+        .more-login-items {
+            margin-top: 10px;
+        }
+
         .more-login-item {
             border-right: 1px dashed #dedede;
-            padding-left: 5px;
-            padding-right: 5px;
+            padding: 2px 5px;
         }
 
         .more-login-item:last-child {
-            border: none;
+            border-right: none;
+        }
+
+        .more-login-item:hover {
+            color: #334554;
         }
 
         .select-con {
@@ -117,6 +126,7 @@
         }
 
         .login-page-language {
+            font-size: 12px!important;
             margin-right: -11px !important;
             padding-top: 12px !important;
             padding-left: 0 !important;
@@ -136,7 +146,32 @@
             font-weight:400;
             color: #151515;
             letter-spacing: 0;
-            text-align: left;
+        }
+        .more-methods-title {
+            position: relative;
+        }
+        .more-methods-title:before, .more-methods-title:after {
+            position: absolute;
+            top: 50%;
+            transform: translateY(-50%);
+            content: '';
+            border: 1px dashed #e7eaec;
+            width: 35%;
+        }
+        .more-methods-title:before {
+            left: 0;
+        }
+        .more-methods-title:after {
+            right: 0;
+        }
+        .more-methods-title.ja:before, .more-methods-title.ja:after{
+            width: 26%;
+        }
+        .captcha-field .form-group {
+            margin-bottom: 5px;
+        }
+        .auto-login.form-group .checkbox {
+            margin: 5px 0;
         }
     </style>
 </head>
@@ -168,7 +203,7 @@
                 </li>
             </ul>
             <div class="jms-title">
-                <span style="">{% trans 'Login' %}</span>
+                <span style="">{{ JMS_TITLE }}</span>
             </div>
             <div class="contact-form col-md-10 col-md-offset-1">
                 <form id="login-form" action="" method="post" role="form" novalidate="novalidate">
@@ -202,18 +237,18 @@
                         {% include '_mfa_login_field.html' %}
                         </div>
                     {% elif form.captcha %}
-                        <div class="captch-field">
+                        <div class="captcha-field">
                             {% bootstrap_field form.captcha show_label=False %}
                         </div>
                     {% endif %}
-                    <div class="form-group" style="padding-top: 5px; margin-bottom: 10px">
+                    <div class="form-group auto-login" style="padding-top: 5px; margin-bottom: 0">
                         <div class="row">
                             <div class="col-md-6" style="text-align: left">
                                 {% if form.auto_login %}
                                     {% bootstrap_field form.auto_login form_group_class='' %}
                                 {% endif %}
                             </div>
-                            <div class="col-md-6">
+                            <div class="col-md-6" style="line-height: 25px">
                                 <a id="forgot_password" href="{{ forgot_password_url }}" style="float: right">
                                     <small>{% trans 'Forgot password' %}?</small>
                                 </a>
@@ -221,15 +256,18 @@
                         </div>
                     </div>
 
-                    <div class="form-group" style="">
-                        <button type="submit" class="btn btn-transparent" onclick="doLogin();return false;">{% trans 'Login' %}</button>
+                    <div class="form-group" style="margin-bottom: 10px;margin-top: 5px">
+                        <button type="submit" class="btn btn-transparent" onclick="doLogin();return false;">
+                            {% trans 'Login' %}
+                        </button>
                     </div>
 
                     <div>
                         {% if auth_methods %}
-                            <div class="hr-line-dashed"></div>
-                            <div style="display: inline-block; float: left">
-                            <b class="text-muted text-left" >{% trans "More login options" %}</b>
+                            <div class="more-methods-title {{ current_lang.code }}">
+                                    {% trans "More login options" %}
+                            </div>
+                            <div class="more-login-items">
                             {% for method in auth_methods %}
                                 <a href="{{ method.url }}" class="more-login-item">
                                     <i class="fa"><img src="{{ method.logo }}" height="13" width="13"></i> {{ method.name }}
diff --git a/apps/jumpserver/routing.py b/apps/jumpserver/routing.py
index 5deae804e..1d1de2230 100644
--- a/apps/jumpserver/routing.py
+++ b/apps/jumpserver/routing.py
@@ -1,5 +1,6 @@
 from channels.auth import AuthMiddlewareStack
 from channels.routing import ProtocolTypeRouter, URLRouter
+from django.core.asgi import get_asgi_application
 
 from ops.urls.ws_urls import urlpatterns as ops_urlpatterns
 from notifications.urls.ws_urls import urlpatterns as notifications_urlpatterns
@@ -12,4 +13,5 @@ application = ProtocolTypeRouter({
     'websocket': AuthMiddlewareStack(
         URLRouter(urlpatterns)
     ),
+    "http": get_asgi_application(),
 })
diff --git a/apps/jumpserver/settings/base.py b/apps/jumpserver/settings/base.py
index ff42eda4b..2b1bbdf13 100644
--- a/apps/jumpserver/settings/base.py
+++ b/apps/jumpserver/settings/base.py
@@ -11,10 +11,19 @@ from django.urls import reverse_lazy
 from .. import const
 from ..const import CONFIG
 
+
+def exist_or_default(path, default):
+    if not os.path.exists(path):
+        path = default
+    return path
+
+
 # Build paths inside the project like this: os.path.join(BASE_DIR, ...)
 VERSION = const.VERSION
 BASE_DIR = const.BASE_DIR
 PROJECT_DIR = const.PROJECT_DIR
+DATA_DIR = os.path.join(PROJECT_DIR, 'data')
+CERTS_DIR = os.path.join(DATA_DIR, 'certs')
 
 # Quick-start development settings - unsuitable for production
 # See https://docs.djangoproject.com/en/1.10/howto/deployment/checklist/
@@ -149,7 +158,6 @@ SESSION_EXPIRE_AT_BROWSER_CLOSE = True
 SESSION_EXPIRE_AT_BROWSER_CLOSE_FORCE = CONFIG.SESSION_EXPIRE_AT_BROWSER_CLOSE_FORCE
 SESSION_SAVE_EVERY_REQUEST = CONFIG.SESSION_SAVE_EVERY_REQUEST
 SESSION_ENGINE = "django.contrib.sessions.backends.cache"
-SESSION_CACHE_ALIAS = "default"
 
 MESSAGE_STORAGE = 'django.contrib.messages.storage.cookie.CookieStorage'
 # Database
@@ -169,7 +177,6 @@ DATABASES = {
     }
 }
 
-
 DB_CA_PATH = os.path.join(PROJECT_DIR, 'data', 'certs', 'db_ca.pem')
 if CONFIG.DB_ENGINE.lower() == 'mysql':
     DB_OPTIONS['init_command'] = "SET sql_mode='STRICT_TRANS_TABLES'"
@@ -253,44 +260,40 @@ FILE_UPLOAD_PERMISSIONS = 0o644
 FILE_UPLOAD_DIRECTORY_PERMISSIONS = 0o755
 
 # Cache use redis
-REDIS_SSL_KEYFILE = os.path.join(PROJECT_DIR, 'data', 'certs', 'redis_client.key')
-if not os.path.exists(REDIS_SSL_KEYFILE):
-    REDIS_SSL_KEYFILE = None
-
-REDIS_SSL_CERTFILE = os.path.join(PROJECT_DIR, 'data', 'certs', 'redis_client.crt')
-if not os.path.exists(REDIS_SSL_CERTFILE):
-    REDIS_SSL_CERTFILE = None
-
-REDIS_SSL_CA_CERTS = os.path.join(PROJECT_DIR, 'data', 'certs', 'redis_ca.crt')
-if not os.path.exists(REDIS_SSL_CA_CERTS):
-    REDIS_SSL_CA_CERTS = os.path.join(PROJECT_DIR, 'data', 'certs', 'redis_ca.pem')
-
-if not os.path.exists(REDIS_SSL_CA_CERTS):
-    REDIS_SSL_CA_CERTS = None
-
+REDIS_SSL_KEYFILE = exist_or_default(os.path.join(CERTS_DIR, 'redis_client.key'), None)
+REDIS_SSL_CERTFILE = exist_or_default(os.path.join(CERTS_DIR, 'redis_client.crt'), None)
+REDIS_SSL_CA_CERTS = exist_or_default(os.path.join(CERTS_DIR, 'redis_ca.pem'), None)
+REDIS_SSL_CA_CERTS = exist_or_default(os.path.join(CERTS_DIR, 'redis_ca.crt'), REDIS_SSL_CA_CERTS)
 REDIS_SSL_REQUIRED = CONFIG.REDIS_SSL_REQUIRED or 'none'
+REDIS_LOCATION_NO_DB = '%(protocol)s://:%(password)s@%(host)s:%(port)s/{}' % {
+    'protocol': 'rediss' if CONFIG.REDIS_USE_SSL else 'redis',
+    'password': CONFIG.REDIS_PASSWORD,
+    'host': CONFIG.REDIS_HOST,
+    'port': CONFIG.REDIS_PORT,
+}
 
-CACHES = {
-    'default': {
-        'BACKEND': 'redis_lock.django_cache.RedisCache',
-        'LOCATION': '%(protocol)s://:%(password)s@%(host)s:%(port)s/%(db)s' % {
-            'protocol': 'rediss' if CONFIG.REDIS_USE_SSL else 'redis',
-            'password': CONFIG.REDIS_PASSWORD,
-            'host': CONFIG.REDIS_HOST,
-            'port': CONFIG.REDIS_PORT,
-            'db': CONFIG.REDIS_DB_CACHE,
-        },
-        'OPTIONS': {
-            "REDIS_CLIENT_KWARGS": {"health_check_interval": 30},
-            "CONNECTION_POOL_KWARGS": {
-                'ssl_cert_reqs': REDIS_SSL_REQUIRED,
-                "ssl_keyfile": REDIS_SSL_KEYFILE,
-                "ssl_certfile": REDIS_SSL_CERTFILE,
-                "ssl_ca_certs": REDIS_SSL_CA_CERTS
-            } if CONFIG.REDIS_USE_SSL else {}
-        }
+REDIS_CACHE_DEFAULT = {
+    'BACKEND': 'redis_lock.django_cache.RedisCache',
+    'LOCATION': REDIS_LOCATION_NO_DB.format(CONFIG.REDIS_DB_CACHE),
+    'OPTIONS': {
+        "REDIS_CLIENT_KWARGS": {"health_check_interval": 30},
+        "CONNECTION_POOL_KWARGS": {
+            'ssl_cert_reqs': REDIS_SSL_REQUIRED,
+            "ssl_keyfile": REDIS_SSL_KEYFILE,
+            "ssl_certfile": REDIS_SSL_CERTFILE,
+            "ssl_ca_certs": REDIS_SSL_CA_CERTS
+        } if CONFIG.REDIS_USE_SSL else {}
     }
 }
+REDIS_CACHE_SESSION = dict(REDIS_CACHE_DEFAULT)
+REDIS_CACHE_SESSION['LOCATION'] = REDIS_LOCATION_NO_DB.format(CONFIG.REDIS_DB_SESSION)
+
+CACHES = {
+    'default': REDIS_CACHE_DEFAULT,
+    'session': REDIS_CACHE_SESSION
+}
+
+SESSION_CACHE_ALIAS = "session"
 
 FORCE_SCRIPT_NAME = CONFIG.FORCE_SCRIPT_NAME
 SESSION_COOKIE_SECURE = CONFIG.SESSION_COOKIE_SECURE
diff --git a/apps/jumpserver/settings/libs.py b/apps/jumpserver/settings/libs.py
index 9450b724c..25434e048 100644
--- a/apps/jumpserver/settings/libs.py
+++ b/apps/jumpserver/settings/libs.py
@@ -64,7 +64,7 @@ SWAGGER_SETTINGS = {
 
 
 # Captcha settings, more see https://django-simple-captcha.readthedocs.io/en/latest/advanced.html
-CAPTCHA_IMAGE_SIZE = (140, 34)
+CAPTCHA_IMAGE_SIZE = (180, 34)
 CAPTCHA_FOREGROUND_COLOR = '#001100'
 CAPTCHA_NOISE_FUNCTIONS = ('captcha.helpers.noise_dots',)
 CAPTCHA_CHALLENGE_FUNCT = 'captcha.helpers.math_challenge'
@@ -130,6 +130,7 @@ CELERY_TASK_EAGER_PROPAGATES = True
 CELERY_WORKER_REDIRECT_STDOUTS = True
 CELERY_WORKER_REDIRECT_STDOUTS_LEVEL = "INFO"
 CELERY_TASK_SOFT_TIME_LIMIT = 3600
+
 if CONFIG.REDIS_USE_SSL:
     CELERY_BROKER_USE_SSL = CELERY_REDIS_BACKEND_USE_SSL = {
         'ssl_cert_reqs': REDIS_SSL_REQUIRED,
diff --git a/apps/notifications/urls/ws_urls.py b/apps/notifications/urls/ws_urls.py
index dfd457e52..69ff5783a 100644
--- a/apps/notifications/urls/ws_urls.py
+++ b/apps/notifications/urls/ws_urls.py
@@ -5,5 +5,5 @@ from .. import ws
 app_name = 'notifications'
 
 urlpatterns = [
-    path('ws/notifications/site-msg/', ws.SiteMsgWebsocket, name='site-msg-ws'),
-]
\ No newline at end of file
+    path('ws/notifications/site-msg/', ws.SiteMsgWebsocket.as_asgi(), name='site-msg-ws'),
+]
diff --git a/apps/ops/urls/ws_urls.py b/apps/ops/urls/ws_urls.py
index e1d44dd7c..8e9af1636 100644
--- a/apps/ops/urls/ws_urls.py
+++ b/apps/ops/urls/ws_urls.py
@@ -5,5 +5,5 @@ from .. import ws
 app_name = 'ops'
 
 urlpatterns = [
-    path('ws/ops/tasks/log/', ws.TaskLogWebsocket, name='task-log-ws'),
+    path('ws/ops/tasks/log/', ws.TaskLogWebsocket.as_asgi(), name='task-log-ws'),
 ]
diff --git a/data/certs/redis_ca.crt b/data/certs/redis_ca.crt
new file mode 100755
index 000000000..62fa7497d
--- /dev/null
+++ b/data/certs/redis_ca.crt
@@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIE5jCCAs4CCQCtb8sSCTlXlzANBgkqhkiG9w0BAQsFADA1MRMwEQYDVQQKDApS
+ZWRpcyBUZXN0MR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMjIw
+NjIxMDM0NTIzWhcNMzIwNjE4MDM0NTIzWjA1MRMwEQYDVQQKDApSZWRpcyBUZXN0
+MR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEB
+AQUAA4ICDwAwggIKAoICAQD5mFMSqN9pG1jRrT8vZPyb1umWMMjaOIIwJ5+Rj7b/
+AvtBOKX5eragRMLPdlZQ+L5VCyQUu7BS7z7YZ/voDf8in50DVpSjNCpYHPX7olQp
+ASPgjGd+hHe8dNTmSeNQArboGpJs9q5ygJRXiS+SHGyvzLsuA3AmO3NO9guumy6o
+pc3AkWtBNcHapL8ZJ14/rfqDENXkhaVdjrv0nB1jwenx9y5IGyMUnVLjxfjaZeTT
+qNOJwdp5kSr7lnZhy++F5BtWn3J+gGO0jbWUIj1FawqMPn0Oqh1OL/h6Mtvin4y3
+UeRJhMK3SwkK7aCJzXWTEyBWnB5rUoBFIoBisdr2NSkG/h/5p66wQ24c+d1pf1Vi
+km32+7UZjBzoCadP0MiBSOi39e6hUdGDuB/IV0moJ+w4qQbjO6DcqACmeDlKpcAr
++8w8XV3GIBKDcihlxExBGE0kwQ+Z99pRfSQlA5sYPVggU96y3Cqmw93pV3HPy8H0
+fDia35EEvgEJsbB8+lkBUUtvn/MkqfBpTvV/U0ZwlEAEH6K4psgygbSGChj98yEE
+WGll/RlfbLvW5rAOWSgdeE0SVcwL6VEjCasKUSqc1SU+3tdfymSwprnaiNsDVnPt
+x0A/QhNPSXyz4Hw2NULDbLVwpN9IT7n3EisWhXMEJFgJvrdCQD82SGYK0qgbNk1H
+WQIDAQABMA0GCSqGSIb3DQEBCwUAA4ICAQDPHV6Ruha9ubIlfotnBD4wioFQDj7Y
+rQO3HJ5lnL7Byd6p6v7oIkACjOrD1qwoiaA7r1RKPyTKJfRLZRXoGW7z+4LB2sSa
+tejIT7rnHs0WIFJsvyahUj36qBmdSnTd+gZgctLp9x4gI6OCjgTWKhgQCbmLOHbg
+kIfFOISV7bCCd19/qx6f2zQm2Di6rGsNbpRLl9TrkDravriBrogoHttzhVcd0Z8A
+j8NiGIWwJGd/UjklK7tsFZgrjHyIgXDrEmq1a8/cM3U0AWEg50YCgpLILwNTBBYo
+9mskfbvT+Ml9NVt4Mhtmn4ei1QfRQiJ78+l8rTh2ca/fAKmPAc7wIdwxRoHTYUqU
+iYBuCDcRvGW/hXTGtfs+nQUIYzjRPVNHiw8wUCEE4FEcPl7eDe1w+yQfUYRHE33p
+N0s/7k7Zo0o7ykXFMvQx3aghIEovWxFvL79ksfRsHmXAg+Y9fL2tmnlJS1jMGks4
+oOzJcL08PyJ2YvKVnJtRpfBjAzRSf+uwKzjS5fw5EY03eYZ3jH0FNU8VuR5doEfl
+nAe8n8d7tU8OJiWgXdidoyFH2gJ9uQouswyRrSuuuYcakAYZNfxBcYJG6QXKCS4c
+zRGCoEBT3CyHr94utkeEpeb1vuWYnURmhK4XD/kj89sFmrt1QAGYBTkyGLf4qrSc
+ZUMT2ZjXaobfSA==
+-----END CERTIFICATE-----
diff --git a/data/certs/redis_client.crt b/data/certs/redis_client.crt
new file mode 100755
index 000000000..f5ab6fc4a
--- /dev/null
+++ b/data/certs/redis_client.crt
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEEDCCAfigAwIBAgIUXAg7+ejbaulXINeL9RuhJ9Qa8zkwDQYJKoZIhvcNAQEL
+BQAwNTETMBEGA1UECgwKUmVkaXMgVGVzdDEeMBwGA1UEAwwVQ2VydGlmaWNhdGUg
+QXV0aG9yaXR5MB4XDTIyMDYyMTAzNDUyM1oXDTIzMDYyMTAzNDUyM1owKzETMBEG
+A1UECgwKUmVkaXMgVGVzdDEUMBIGA1UEAwwLQ2xpZW50LW9ubHkwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDVimXUfrkWzrHicPSKc+qnFJJbZENYkMPn
+PmTySdkuv5opc5aE4LTjDVA63QHi61b1Lt1xw4b+JHNRQ9ocqG+bMhefLnfVjsN2
+jPI7W7pzeSfhdXHbr32UuUHixpCov2/67MdUlI0LS3ZkeynG2tXHvXmfgUzinz2K
+Hs08qmmo3jz8JwTnhb76yC+lw6yvZRM3f/S62fF/bWXQDhJZfLH+3hPiiCaFkTOl
+z9P8bPqJzaHVw7odeQEuZF6wkr1quY8DhRpvQ8WmVMTLbJPge2VIt8aGQ/Y5d1X7
+bV1k4I1ZNr85R0yNk5r5f1wQS1QeYi4aoQcrNWwp+cUmNBqYv423AgMBAAGjIjAg
+MAsGA1UdDwQEAwIFoDARBglghkgBhvhCAQEEBAMCB4AwDQYJKoZIhvcNAQELBQAD
+ggIBAIFVuPNIwAuAYmwgV6942YR9n4jgyQENY2mnG2yQLXe3gP12ABZtlIhK1VQM
++trGnFQ5g2pcDuLdqN8MuRcu4axJOUOBf3pEVnQlC6yACD4r+b5xe4itJvYvZpuO
+70YGoKOyBRZxtulxqCfFIoSOpDCZa14AL8RwOwMGyL6FT9ni9jDE+NNgNy3DMciA
+89iOwGe/NhUcrs07i1S/sb9dsfmd7PH+3EC2FtEEa5/ls8dp/S911XXfFsYNAy5B
+D/qZo2nSiLB/8RJk9wJNG6DHB1KG8tmPxYOlji+H3wESFkW6Laa7Sd4sk4ebi7sr
+jPUVvfhDETRn63+qP8x56xUIWi2DADKg73TFeKyT0uOZMWtcBFKckE4KGkM5KkCI
+2lrCE+HeoA0Tu0nq41PxvarAMc2/Js8xa8DJstECVZe4nBQMbNRrYPb0uSywm7aq
+jyC5Rn71BIpE+nRIXNM9jum/bQR6W37epUzmqrQhjILb6S4AzZKzMHxdhUfpDnVJ
+mw3ky9kMabYfL3PMPdE9aNPau56Tds2sT9M8p8sT/g/nayrhFujzyGgByqgCD0tD
+2i5ukT7B2I4yDNiaeEQrEKcoQD+QH32aNlk7ch4D6Ghv8ABCToV/IViqvERd5HZL
+LfISko9/FJ/aOzd/6CryTnElpQzA8PgORwlcEyV9It57AgDd
+-----END CERTIFICATE-----
diff --git a/data/certs/redis_client.key b/data/certs/redis_client.key
new file mode 100755
index 000000000..d7669c737
--- /dev/null
+++ b/data/certs/redis_client.key
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEA1Ypl1H65Fs6x4nD0inPqpxSSW2RDWJDD5z5k8knZLr+aKXOW
+hOC04w1QOt0B4utW9S7dccOG/iRzUUPaHKhvmzIXny531Y7DdozyO1u6c3kn4XVx
+2699lLlB4saQqL9v+uzHVJSNC0t2ZHspxtrVx715n4FM4p89ih7NPKppqN48/CcE
+54W++sgvpcOsr2UTN3/0utnxf21l0A4SWXyx/t4T4ogmhZEzpc/T/Gz6ic2h1cO6
+HXkBLmResJK9armPA4Uab0PFplTEy2yT4HtlSLfGhkP2OXdV+21dZOCNWTa/OUdM
+jZOa+X9cEEtUHmIuGqEHKzVsKfnFJjQamL+NtwIDAQABAoIBAEBUPA8CygF77Qy5
+WIHpH7SLtvd/QeaJXero2gI/iwTRRcDdCGgpRXTtCtFgyPOyT/T21FE0RROEqZS+
+qxNdDpojQgh7ODCGnI23MjX9kTK+OexqtA0pVdya3qVRijy7xyFBeV8ajU7swdLN
+Y617OVG928jYa/ANZr2YP93ZvJDZLP1+If9lAZktMdZk2yxnTnT9mYHOwtuLzHG4
+kYMlJ285QZw2vINl2hPCTfNfVMCqLowqa9C0fztT5OiZp++eBKbB8NbsU1k4EDyn
+WSVsOTkT1mSXrJsLmAy4NGIWWqq8i+yEl6cY5/g/pAn/7BTHVh5rf+MKoYDI58yA
+xZIQZSECgYEA/0rQkY/Z+dVkp7vsm0DrXG/W9DmgpJX/5BFQCvSdC7bBzCYqpw+4
+cL0soppuGDzdKOWUulFZHoysYa08jcHbSolXycCoPFTklmSlMT1X8CmY6T3IZow7
+OqCOSfUmWAgsFzzRLESmvi2tZKsvfhThuYYxl/8NTxq1VGOalfm2+9ECgYEA1iHz
+gkXuvieYhnq+/qO5H2C3qSgF4RCAKnkV3+1nTH7zSCuqjJFewJRtYpu4KZP/TbCl
+xhF97tk6KDzCLZ7OhcRglyT6Sv5UbUEdvt8uoFkvLupYGE9DWp1zohdm8+lo3PQ4
+jvIvLEQ/CbINnFOZwS1DzDAhd7DgxX3h1Po9uwcCgYBAo97fnH7ixWdxGSI1xWBS
+zXat7BGC2wAp7UBJJdrF5oZ3fIp8NnzK/vtYSKXruS1+d3MLIiHgnFnheY3FjvpJ
+izERQpjWfeBLPDyflRq5Eq9HD3+4h3VPyOt+SnZk/9y6HYoRHWji6onm3XlvATaO
+VS4lgE0MZITZU0cHBm2QoQKBgQCUvji8gX95r1+P6qvJjkkFttVdN2P+FswwtLOx
+POPIi1bLByoNQt2iwHfLS4f9ucRaXx6IG5Zy14pCcRIhRnMHEIZX92O1vD1BNz5G
+XBmzYMAZwsc2+7g5ta2hJshpHfWtpiezhB+ojC+NuJUjxh7DxYGW0MgusDsydGLu
+4nUG+QKBgFSCE9J1pueDawCpg4zAsOgC+13lbDQ+l8koGEgGdjF3xd5OfZvGTtUG
+Ea4Z8F3eNN+fus/IksoyKk1EISAhHVzj3bRKoavfTb716kFeRQ0xePQ0dabpFBxp
+xdKCUo37KFQDNknPZXX3AamdkiQdy5/C7hkpWjMtHYYV6CAK1Z16
+-----END RSA PRIVATE KEY-----

From 2366da14856a60110385fe48882ba6c3fb8bf6ae Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Tue, 21 Jun 2022 18:43:48 +0800
Subject: [PATCH 183/258] perf: redis AND login page

---
 .../templates/authentication/login.html       | 70 ++++++++++++-------
 apps/authentication/views/login.py            |  8 +--
 apps/jumpserver/settings/libs.py              |  2 +-
 3 files changed, 50 insertions(+), 30 deletions(-)

diff --git a/apps/authentication/templates/authentication/login.html b/apps/authentication/templates/authentication/login.html
index 98e11732d..dd4aabe96 100644
--- a/apps/authentication/templates/authentication/login.html
+++ b/apps/authentication/templates/authentication/login.html
@@ -32,14 +32,33 @@
             font-weight: normal;
         }
 
-        .hr-line-dashed {
-            border-top: 1px dashed #e7eaec;
-            color: #ffffff;
-            background-color: #ffffff;
-            height: 1px;
-            margin: 20px 0;
-            width: 30%;
-            display: inline-block;
+        .form-group {
+            margin-bottom: 30px;
+            margin-top: 10px;
+        }
+
+        .auth-methods .form-group, .addition .form-group, .has-error .form-group  {
+            margin-bottom: 20px;
+            margin-top: 10px;
+        }
+
+        .form-group.auto-login {
+            margin-bottom: 10px;
+        }
+
+        .auth-methods.addition .form-group {
+            margin-bottom: 15px;
+            margin-top: 5px;
+        }
+
+        .auth-methods.has-error .form-group, .addition.has-error .form-group {
+            margin-bottom: 20px;
+            margin-top: 5px;
+        }
+
+        .auth-methods.has-error.addition .form-group {
+            margin-bottom: 10px;
+            margin-top: 5px;
         }
 
         .login-content {
@@ -84,22 +103,10 @@
             margin-top: -8px !important;
         }
 
-        .no-captcha-challenge .form-group {
-            margin-bottom: 20px;
-        }
-
         .jms-title {
             padding: 60px 10px 10px;
         }
 
-        .no-captcha-challenge .jms-title {
-            padding: 60px 10px 10px;
-        }
-
-        .no-captcha-challenge .welcome-message {
-            padding-top: 10px;
-        }
-
         .more-login-items {
             margin-top: 10px;
         }
@@ -149,6 +156,7 @@
         }
         .more-methods-title {
             position: relative;
+            margin-top: 20px;
         }
         .more-methods-title:before, .more-methods-title:after {
             position: absolute;
@@ -173,11 +181,23 @@
         .auto-login.form-group .checkbox {
             margin: 5px 0;
         }
+
+        .more-login {
+            margin-top: 20px;
+        }
+
+        .has-error .more-login {
+            margin-top: 0;
+        }
     </style>
 </head>
 
 <body>
-<div class="login-content">
+<div class="login-content
+    {% if form.errors or form.non_field_error %} has-error {% endif %}
+    {% if auth_methods %} auth-methods {% endif %}
+    {% if form.captcha or form.mfa_type or form.challenge %} addition {% endif %}
+">
     <div class="right-image-box">
         <a href="{% if not XPACK_ENABLED %}https://github.com/jumpserver/jumpserver.git{% endif %}">
             <img src="{{ LOGIN_IMAGE_URL }}" class="right-image"  alt="screen-image"/>
@@ -241,7 +261,7 @@
                             {% bootstrap_field form.captcha show_label=False %}
                         </div>
                     {% endif %}
-                    <div class="form-group auto-login" style="padding-top: 5px; margin-bottom: 0">
+                    <div class="form-group auto-login" style="margin-bottom: 10px">
                         <div class="row">
                             <div class="col-md-6" style="text-align: left">
                                 {% if form.auto_login %}
@@ -256,13 +276,13 @@
                         </div>
                     </div>
 
-                    <div class="form-group" style="margin-bottom: 10px;margin-top: 5px">
+                    <div class="form-group">
                         <button type="submit" class="btn btn-transparent" onclick="doLogin();return false;">
                             {% trans 'Login' %}
                         </button>
                     </div>
 
-                    <div>
+                    <div class="more-login">
                         {% if auth_methods %}
                             <div class="more-methods-title {{ current_lang.code }}">
                                     {% trans "More login options" %}
@@ -270,7 +290,7 @@
                             <div class="more-login-items">
                             {% for method in auth_methods %}
                                 <a href="{{ method.url }}" class="more-login-item">
-                                    <i class="fa"><img src="{{ method.logo }}" height="13" width="13"></i> {{ method.name }}
+                                    <i class="fa"><img src="{{ method.logo }}" height="15" width="15"></i> {{ method.name }}
                                 </a>
                             {% endfor %}
                             </div>
diff --git a/apps/authentication/views/login.py b/apps/authentication/views/login.py
index 226a12b99..3b8f2c60c 100644
--- a/apps/authentication/views/login.py
+++ b/apps/authentication/views/login.py
@@ -210,16 +210,16 @@ class UserLoginView(mixins.AuthMixin, FormView):
         return forgot_password_url
 
     def get_context_data(self, **kwargs):
-        context = {
+        context = super().get_context_data(**kwargs)
+        context.update({
             'demo_mode': os.environ.get("DEMO_MODE"),
             'auth_methods': self.get_support_auth_methods(),
             'langs': self.get_support_langs(),
             'current_lang': self.get_current_lang(),
             'forgot_password_url': self.get_forgot_password_url(),
             **self.get_user_mfa_context(self.request.user)
-        }
-        kwargs.update(context)
-        return super().get_context_data(**kwargs)
+        })
+        return context
 
 
 class UserLoginGuardView(mixins.AuthMixin, RedirectView):
diff --git a/apps/jumpserver/settings/libs.py b/apps/jumpserver/settings/libs.py
index 25434e048..52c0d93b6 100644
--- a/apps/jumpserver/settings/libs.py
+++ b/apps/jumpserver/settings/libs.py
@@ -64,7 +64,7 @@ SWAGGER_SETTINGS = {
 
 
 # Captcha settings, more see https://django-simple-captcha.readthedocs.io/en/latest/advanced.html
-CAPTCHA_IMAGE_SIZE = (180, 34)
+CAPTCHA_IMAGE_SIZE = (180, 38)
 CAPTCHA_FOREGROUND_COLOR = '#001100'
 CAPTCHA_NOISE_FUNCTIONS = ('captcha.helpers.noise_dots',)
 CAPTCHA_CHALLENGE_FUNCT = 'captcha.helpers.math_challenge'

From 8f59bb2a48bb7f73033db4093643009cf61ca1c4 Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Tue, 21 Jun 2022 19:06:06 +0800
Subject: [PATCH 184/258] =?UTF-8?q?perf:=20=E4=BC=98=E5=8C=96=E7=99=BB?=
 =?UTF-8?q?=E9=99=86?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../templates/authentication/login.html        | 18 +++++-------------
 apps/authentication/views/login.py             |  2 +-
 2 files changed, 6 insertions(+), 14 deletions(-)

diff --git a/apps/authentication/templates/authentication/login.html b/apps/authentication/templates/authentication/login.html
index dd4aabe96..3c95332a2 100644
--- a/apps/authentication/templates/authentication/login.html
+++ b/apps/authentication/templates/authentication/login.html
@@ -33,30 +33,26 @@
         }
 
         .form-group {
-            margin-bottom: 30px;
+            margin-bottom: 40px;
             margin-top: 10px;
         }
 
-        .auth-methods .form-group, .addition .form-group, .has-error .form-group  {
+        .addition .form-group, .has-error .form-group  {
             margin-bottom: 20px;
             margin-top: 10px;
         }
 
-        .form-group.auto-login {
-            margin-bottom: 10px;
-        }
-
-        .auth-methods.addition .form-group {
+        .auth-methods.has-error .form-group, .auth-methods.addition .form-group {
             margin-bottom: 15px;
             margin-top: 5px;
         }
 
-        .auth-methods.has-error .form-group, .addition.has-error .form-group {
+        .has-error.addition .form-group {
             margin-bottom: 20px;
             margin-top: 5px;
         }
 
-        .auth-methods.has-error.addition .form-group {
+        .auth-methods.addition.has-error .form-group {
             margin-bottom: 10px;
             margin-top: 5px;
         }
@@ -120,10 +116,6 @@
             border-right: none;
         }
 
-        .more-login-item:hover {
-            color: #334554;
-        }
-
         .select-con {
             width: 35%;
         }
diff --git a/apps/authentication/views/login.py b/apps/authentication/views/login.py
index 3b8f2c60c..288f88551 100644
--- a/apps/authentication/views/login.py
+++ b/apps/authentication/views/login.py
@@ -178,7 +178,7 @@ class UserLoginView(mixins.AuthMixin, FormView):
                 'logo': static('img/login_feishu_logo.png')
             }
         ]
-        return [method for method in auth_methods if method['enabled']]
+        return [method for method in auth_methods]
 
     @staticmethod
     def get_support_langs():

From fa51465485ae6f4e16a34340b0dee2e670348e3e Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Tue, 21 Jun 2022 19:23:29 +0800
Subject: [PATCH 185/258] =?UTF-8?q?perf:=20=E4=BF=AE=E6=94=B9=E5=8E=BB?=
 =?UTF-8?q?=E6=8E=89=20=E5=AF=BC=E5=85=A5=20certs?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/authentication/views/login.py |  2 +-
 apps/common/utils/encode.py        |  1 -
 data/certs/redis_ca.crt            | 29 -----------------------------
 data/certs/redis_client.crt        | 24 ------------------------
 data/certs/redis_client.key        | 27 ---------------------------
 5 files changed, 1 insertion(+), 82 deletions(-)
 delete mode 100755 data/certs/redis_ca.crt
 delete mode 100755 data/certs/redis_client.crt
 delete mode 100755 data/certs/redis_client.key

diff --git a/apps/authentication/views/login.py b/apps/authentication/views/login.py
index 288f88551..3b8f2c60c 100644
--- a/apps/authentication/views/login.py
+++ b/apps/authentication/views/login.py
@@ -178,7 +178,7 @@ class UserLoginView(mixins.AuthMixin, FormView):
                 'logo': static('img/login_feishu_logo.png')
             }
         ]
-        return [method for method in auth_methods]
+        return [method for method in auth_methods if method['enabled']]
 
     @staticmethod
     def get_support_langs():
diff --git a/apps/common/utils/encode.py b/apps/common/utils/encode.py
index 72600ff08..4178e4a0d 100644
--- a/apps/common/utils/encode.py
+++ b/apps/common/utils/encode.py
@@ -13,7 +13,6 @@ from itertools import chain
 import paramiko
 import sshpubkeys
 from itsdangerous import (
-    TimedSerializer,
     TimedJSONWebSignatureSerializer, JSONWebSignatureSerializer,
     BadSignature, SignatureExpired
 )
diff --git a/data/certs/redis_ca.crt b/data/certs/redis_ca.crt
deleted file mode 100755
index 62fa7497d..000000000
--- a/data/certs/redis_ca.crt
+++ /dev/null
@@ -1,29 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIE5jCCAs4CCQCtb8sSCTlXlzANBgkqhkiG9w0BAQsFADA1MRMwEQYDVQQKDApS
-ZWRpcyBUZXN0MR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMjIw
-NjIxMDM0NTIzWhcNMzIwNjE4MDM0NTIzWjA1MRMwEQYDVQQKDApSZWRpcyBUZXN0
-MR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggIiMA0GCSqGSIb3DQEB
-AQUAA4ICDwAwggIKAoICAQD5mFMSqN9pG1jRrT8vZPyb1umWMMjaOIIwJ5+Rj7b/
-AvtBOKX5eragRMLPdlZQ+L5VCyQUu7BS7z7YZ/voDf8in50DVpSjNCpYHPX7olQp
-ASPgjGd+hHe8dNTmSeNQArboGpJs9q5ygJRXiS+SHGyvzLsuA3AmO3NO9guumy6o
-pc3AkWtBNcHapL8ZJ14/rfqDENXkhaVdjrv0nB1jwenx9y5IGyMUnVLjxfjaZeTT
-qNOJwdp5kSr7lnZhy++F5BtWn3J+gGO0jbWUIj1FawqMPn0Oqh1OL/h6Mtvin4y3
-UeRJhMK3SwkK7aCJzXWTEyBWnB5rUoBFIoBisdr2NSkG/h/5p66wQ24c+d1pf1Vi
-km32+7UZjBzoCadP0MiBSOi39e6hUdGDuB/IV0moJ+w4qQbjO6DcqACmeDlKpcAr
-+8w8XV3GIBKDcihlxExBGE0kwQ+Z99pRfSQlA5sYPVggU96y3Cqmw93pV3HPy8H0
-fDia35EEvgEJsbB8+lkBUUtvn/MkqfBpTvV/U0ZwlEAEH6K4psgygbSGChj98yEE
-WGll/RlfbLvW5rAOWSgdeE0SVcwL6VEjCasKUSqc1SU+3tdfymSwprnaiNsDVnPt
-x0A/QhNPSXyz4Hw2NULDbLVwpN9IT7n3EisWhXMEJFgJvrdCQD82SGYK0qgbNk1H
-WQIDAQABMA0GCSqGSIb3DQEBCwUAA4ICAQDPHV6Ruha9ubIlfotnBD4wioFQDj7Y
-rQO3HJ5lnL7Byd6p6v7oIkACjOrD1qwoiaA7r1RKPyTKJfRLZRXoGW7z+4LB2sSa
-tejIT7rnHs0WIFJsvyahUj36qBmdSnTd+gZgctLp9x4gI6OCjgTWKhgQCbmLOHbg
-kIfFOISV7bCCd19/qx6f2zQm2Di6rGsNbpRLl9TrkDravriBrogoHttzhVcd0Z8A
-j8NiGIWwJGd/UjklK7tsFZgrjHyIgXDrEmq1a8/cM3U0AWEg50YCgpLILwNTBBYo
-9mskfbvT+Ml9NVt4Mhtmn4ei1QfRQiJ78+l8rTh2ca/fAKmPAc7wIdwxRoHTYUqU
-iYBuCDcRvGW/hXTGtfs+nQUIYzjRPVNHiw8wUCEE4FEcPl7eDe1w+yQfUYRHE33p
-N0s/7k7Zo0o7ykXFMvQx3aghIEovWxFvL79ksfRsHmXAg+Y9fL2tmnlJS1jMGks4
-oOzJcL08PyJ2YvKVnJtRpfBjAzRSf+uwKzjS5fw5EY03eYZ3jH0FNU8VuR5doEfl
-nAe8n8d7tU8OJiWgXdidoyFH2gJ9uQouswyRrSuuuYcakAYZNfxBcYJG6QXKCS4c
-zRGCoEBT3CyHr94utkeEpeb1vuWYnURmhK4XD/kj89sFmrt1QAGYBTkyGLf4qrSc
-ZUMT2ZjXaobfSA==
------END CERTIFICATE-----
diff --git a/data/certs/redis_client.crt b/data/certs/redis_client.crt
deleted file mode 100755
index f5ab6fc4a..000000000
--- a/data/certs/redis_client.crt
+++ /dev/null
@@ -1,24 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIEEDCCAfigAwIBAgIUXAg7+ejbaulXINeL9RuhJ9Qa8zkwDQYJKoZIhvcNAQEL
-BQAwNTETMBEGA1UECgwKUmVkaXMgVGVzdDEeMBwGA1UEAwwVQ2VydGlmaWNhdGUg
-QXV0aG9yaXR5MB4XDTIyMDYyMTAzNDUyM1oXDTIzMDYyMTAzNDUyM1owKzETMBEG
-A1UECgwKUmVkaXMgVGVzdDEUMBIGA1UEAwwLQ2xpZW50LW9ubHkwggEiMA0GCSqG
-SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDVimXUfrkWzrHicPSKc+qnFJJbZENYkMPn
-PmTySdkuv5opc5aE4LTjDVA63QHi61b1Lt1xw4b+JHNRQ9ocqG+bMhefLnfVjsN2
-jPI7W7pzeSfhdXHbr32UuUHixpCov2/67MdUlI0LS3ZkeynG2tXHvXmfgUzinz2K
-Hs08qmmo3jz8JwTnhb76yC+lw6yvZRM3f/S62fF/bWXQDhJZfLH+3hPiiCaFkTOl
-z9P8bPqJzaHVw7odeQEuZF6wkr1quY8DhRpvQ8WmVMTLbJPge2VIt8aGQ/Y5d1X7
-bV1k4I1ZNr85R0yNk5r5f1wQS1QeYi4aoQcrNWwp+cUmNBqYv423AgMBAAGjIjAg
-MAsGA1UdDwQEAwIFoDARBglghkgBhvhCAQEEBAMCB4AwDQYJKoZIhvcNAQELBQAD
-ggIBAIFVuPNIwAuAYmwgV6942YR9n4jgyQENY2mnG2yQLXe3gP12ABZtlIhK1VQM
-+trGnFQ5g2pcDuLdqN8MuRcu4axJOUOBf3pEVnQlC6yACD4r+b5xe4itJvYvZpuO
-70YGoKOyBRZxtulxqCfFIoSOpDCZa14AL8RwOwMGyL6FT9ni9jDE+NNgNy3DMciA
-89iOwGe/NhUcrs07i1S/sb9dsfmd7PH+3EC2FtEEa5/ls8dp/S911XXfFsYNAy5B
-D/qZo2nSiLB/8RJk9wJNG6DHB1KG8tmPxYOlji+H3wESFkW6Laa7Sd4sk4ebi7sr
-jPUVvfhDETRn63+qP8x56xUIWi2DADKg73TFeKyT0uOZMWtcBFKckE4KGkM5KkCI
-2lrCE+HeoA0Tu0nq41PxvarAMc2/Js8xa8DJstECVZe4nBQMbNRrYPb0uSywm7aq
-jyC5Rn71BIpE+nRIXNM9jum/bQR6W37epUzmqrQhjILb6S4AzZKzMHxdhUfpDnVJ
-mw3ky9kMabYfL3PMPdE9aNPau56Tds2sT9M8p8sT/g/nayrhFujzyGgByqgCD0tD
-2i5ukT7B2I4yDNiaeEQrEKcoQD+QH32aNlk7ch4D6Ghv8ABCToV/IViqvERd5HZL
-LfISko9/FJ/aOzd/6CryTnElpQzA8PgORwlcEyV9It57AgDd
------END CERTIFICATE-----
diff --git a/data/certs/redis_client.key b/data/certs/redis_client.key
deleted file mode 100755
index d7669c737..000000000
--- a/data/certs/redis_client.key
+++ /dev/null
@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEA1Ypl1H65Fs6x4nD0inPqpxSSW2RDWJDD5z5k8knZLr+aKXOW
-hOC04w1QOt0B4utW9S7dccOG/iRzUUPaHKhvmzIXny531Y7DdozyO1u6c3kn4XVx
-2699lLlB4saQqL9v+uzHVJSNC0t2ZHspxtrVx715n4FM4p89ih7NPKppqN48/CcE
-54W++sgvpcOsr2UTN3/0utnxf21l0A4SWXyx/t4T4ogmhZEzpc/T/Gz6ic2h1cO6
-HXkBLmResJK9armPA4Uab0PFplTEy2yT4HtlSLfGhkP2OXdV+21dZOCNWTa/OUdM
-jZOa+X9cEEtUHmIuGqEHKzVsKfnFJjQamL+NtwIDAQABAoIBAEBUPA8CygF77Qy5
-WIHpH7SLtvd/QeaJXero2gI/iwTRRcDdCGgpRXTtCtFgyPOyT/T21FE0RROEqZS+
-qxNdDpojQgh7ODCGnI23MjX9kTK+OexqtA0pVdya3qVRijy7xyFBeV8ajU7swdLN
-Y617OVG928jYa/ANZr2YP93ZvJDZLP1+If9lAZktMdZk2yxnTnT9mYHOwtuLzHG4
-kYMlJ285QZw2vINl2hPCTfNfVMCqLowqa9C0fztT5OiZp++eBKbB8NbsU1k4EDyn
-WSVsOTkT1mSXrJsLmAy4NGIWWqq8i+yEl6cY5/g/pAn/7BTHVh5rf+MKoYDI58yA
-xZIQZSECgYEA/0rQkY/Z+dVkp7vsm0DrXG/W9DmgpJX/5BFQCvSdC7bBzCYqpw+4
-cL0soppuGDzdKOWUulFZHoysYa08jcHbSolXycCoPFTklmSlMT1X8CmY6T3IZow7
-OqCOSfUmWAgsFzzRLESmvi2tZKsvfhThuYYxl/8NTxq1VGOalfm2+9ECgYEA1iHz
-gkXuvieYhnq+/qO5H2C3qSgF4RCAKnkV3+1nTH7zSCuqjJFewJRtYpu4KZP/TbCl
-xhF97tk6KDzCLZ7OhcRglyT6Sv5UbUEdvt8uoFkvLupYGE9DWp1zohdm8+lo3PQ4
-jvIvLEQ/CbINnFOZwS1DzDAhd7DgxX3h1Po9uwcCgYBAo97fnH7ixWdxGSI1xWBS
-zXat7BGC2wAp7UBJJdrF5oZ3fIp8NnzK/vtYSKXruS1+d3MLIiHgnFnheY3FjvpJ
-izERQpjWfeBLPDyflRq5Eq9HD3+4h3VPyOt+SnZk/9y6HYoRHWji6onm3XlvATaO
-VS4lgE0MZITZU0cHBm2QoQKBgQCUvji8gX95r1+P6qvJjkkFttVdN2P+FswwtLOx
-POPIi1bLByoNQt2iwHfLS4f9ucRaXx6IG5Zy14pCcRIhRnMHEIZX92O1vD1BNz5G
-XBmzYMAZwsc2+7g5ta2hJshpHfWtpiezhB+ojC+NuJUjxh7DxYGW0MgusDsydGLu
-4nUG+QKBgFSCE9J1pueDawCpg4zAsOgC+13lbDQ+l8koGEgGdjF3xd5OfZvGTtUG
-Ea4Z8F3eNN+fus/IksoyKk1EISAhHVzj3bRKoavfTb716kFeRQ0xePQ0dabpFBxp
-xdKCUo37KFQDNknPZXX3AamdkiQdy5/C7hkpWjMtHYYV6CAK1Z16
------END RSA PRIVATE KEY-----

From 1aa58e14860d7ac48c796b6d3f0fccab078d09f4 Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Tue, 21 Jun 2022 19:25:56 +0800
Subject: [PATCH 186/258] =?UTF-8?q?perf:=20=E4=BF=AE=E6=94=B9=20ignore?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.gitignore b/.gitignore
index ecbb47960..491009b9d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -40,3 +40,4 @@ logs/*
 release/*
 releashe
 /apps/script.py
+data/certs

From ba6b1bf6921d8215b763b91a7d8a2ce711e3f649 Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Wed, 22 Jun 2022 14:30:52 +0800
Subject: [PATCH 187/258] =?UTF-8?q?perf:=20=E4=BF=AE=E6=94=B9=E7=BF=BB?=
 =?UTF-8?q?=E8=AF=91?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/locale/zh/LC_MESSAGES/django.po | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/locale/zh/LC_MESSAGES/django.po b/apps/locale/zh/LC_MESSAGES/django.po
index d0944cb51..37617c5aa 100644
--- a/apps/locale/zh/LC_MESSAGES/django.po
+++ b/apps/locale/zh/LC_MESSAGES/django.po
@@ -2298,7 +2298,7 @@ msgstr "登录"
 
 #: authentication/templates/authentication/login.html:224
 msgid "More login options"
-msgstr "更多登录方式"
+msgstr "其他方式登录"
 
 #: authentication/templates/authentication/login_mfa.html:6
 msgid "MFA Auth"

From 5ed65ca2ffd8fa5a36f48c384662454f9527b50f Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Wed, 22 Jun 2022 17:06:53 +0800
Subject: [PATCH 188/258] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8Dpost=E6=96=B9?=
 =?UTF-8?q?=E6=B3=95=E8=B0=83=E7=94=A8AuthBook=E6=8E=A5=E5=8F=A3=E6=97=B65?=
 =?UTF-8?q?00=E7=9A=84=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/assets/serializers/account.py | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/apps/assets/serializers/account.py b/apps/assets/serializers/account.py
index 5cbb26d88..e4e320f33 100644
--- a/apps/assets/serializers/account.py
+++ b/apps/assets/serializers/account.py
@@ -53,7 +53,15 @@ class AccountSerializer(AuthSerializerMixin, BulkOrgResourceModelSerializer):
         return attrs
 
     def get_protocols(self, v):
-        return v.protocols.replace(' ', ', ')
+        """ protocols 是 queryset 中返回的，Post 创建成功后返回序列化时没有这个字段 """
+        if hasattr(v, 'protocols'):
+            protocols = v.protocols
+        elif hasattr(v, 'asset') and v.asset:
+            protocols = v.asset.protocols
+        else:
+            protocols = ''
+        protocols = protocols.replace(' ', ', ')
+        return protocols
 
     @classmethod
     def setup_eager_loading(cls, queryset):

From e6abdbdadc04845b1de5f7becaee5cbb359feeb5 Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Wed, 22 Jun 2022 18:17:57 +0800
Subject: [PATCH 189/258] =?UTF-8?q?perf:=20=E4=BF=AE=E6=94=B9=20req=20vers?=
 =?UTF-8?q?ion?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 requirements/requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/requirements/requirements.txt b/requirements/requirements.txt
index b79cd370e..c19bb76e5 100644
--- a/requirements/requirements.txt
+++ b/requirements/requirements.txt
@@ -60,7 +60,7 @@ pytz==2022.1
 PyYAML==6.0
 redis==4.3.3
 requests==2.28.0
-# jms-storage==0.0.42
+jms-storage==0.0.43
 s3transfer==0.6.0
 simplejson==3.17.6
 six==1.16.0

From 7e2f81a418c3141b387e27be827076d2a48a503e Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Thu, 23 Jun 2022 13:52:28 +0800
Subject: [PATCH 190/258] =?UTF-8?q?perf:=20=E9=87=8D=E6=9E=84=20ticket=20(?=
 =?UTF-8?q?#8281)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* perf: 重构 ticket

* perf: 优化 tickets

* perf: 暂存

* perf: 建立 ticket model

* perf: 暂存一下

* perf: 修改 tickets

* perf: 修改 import

* perf: 修改model

* perf: 暂存一波

* perf: 修改...

* del process_map field

* 工单重构

* 资产 应用对接前端

* perf: 修改 ticket

* fix: bug

* 修改迁移文件

* 添加其他api

* 去掉process_map

* perf: 优化去掉 signal

* perf: 修改这里

* 修改一点

* perf: 修改工单

* perf: 修改状态

* perf: 修改工单流转

* step 状态切换

* perf: 修改 ticket open

* perf: 修改流程

* perf: stash it

* 改又改

* stash it

* perf: stash

* stash

* migrate

* perf migrate

* 调整一下

* 修复bug

* 修改一点

* 修改一点

* 优化一波

* perf: ticket migrations

Co-authored-by: ibuler <ibuler@qq.com>
Co-authored-by: feng626 <1304903146@qq.com>
---
 apps/acls/api/login_asset_check.py            |   4 +-
 apps/acls/models/login_acl.py                 |  35 +-
 apps/acls/models/login_asset_acl.py           |  19 +-
 apps/assets/api/cmd_filter.py                 |   2 +-
 apps/assets/models/cmd_filter.py              |  25 +-
 apps/authentication/api/login_confirm.py      |   2 +-
 apps/authentication/mixins.py                 |  15 +-
 .../serializers/connect_token.py              |   8 +-
 apps/authentication/views/login.py            |   3 +-
 apps/common/db/encoder.py                     |  24 +-
 apps/common/db/models.py                      |  27 ++
 apps/common/utils/common.py                   |   4 +
 apps/terminal/utils.py                        |   2 +-
 apps/tickets/api/__init__.py                  |   1 +
 apps/tickets/api/flow.py                      |  31 ++
 apps/tickets/api/ticket.py                    |  83 ++--
 apps/tickets/const.py                         |  27 +-
 apps/tickets/filters.py                       |  38 +-
 apps/tickets/handler/apply_application.py     | 108 -----
 apps/tickets/handler/apply_asset.py           | 106 -----
 apps/tickets/handler/base.py                  | 135 ------
 apps/tickets/handler/command_confirm.py       |  33 --
 apps/tickets/handler/login_asset_confirm.py   |  21 -
 .../tickets/{handler => handlers}/__init__.py |   2 +-
 apps/tickets/handlers/apply_application.py    |  63 +++
 apps/tickets/handlers/apply_asset.py          |  64 +++
 apps/tickets/handlers/base.py                 |  81 ++++
 apps/tickets/handlers/command_confirm.py      |   6 +
 apps/tickets/{handler => handlers}/general.py |   0
 apps/tickets/handlers/login_asset_confirm.py  |   6 +
 .../{handler => handlers}/login_confirm.py    |   9 +-
 .../migrations/0007_auto_20201224_1821.py     |   6 +-
 .../migrations/0016_auto_20220609_1758.py     | 189 +++++++++
 .../migrations/0017_auto_20220623_1027.py     | 339 +++++++++++++++
 apps/tickets/models/comment.py                |   8 +
 apps/tickets/models/flow.py                   |   9 +-
 apps/tickets/models/ticket.py                 | 328 ---------------
 apps/tickets/models/ticket/__init__.py        |   6 +
 .../models/ticket/apply_application.py        |  34 ++
 apps/tickets/models/ticket/apply_asset.py     |  28 ++
 apps/tickets/models/ticket/command_confirm.py |  33 ++
 apps/tickets/models/ticket/general.py         | 389 ++++++++++++++++++
 .../models/ticket/login_asset_confirm.py      |  21 +
 apps/tickets/models/ticket/login_confirm.py   |  12 +
 apps/tickets/notifications.py                 |  71 +++-
 apps/tickets/serializers/__init__.py          |   3 +-
 apps/tickets/serializers/flow.py              | 103 +++++
 apps/tickets/serializers/super_ticket.py      |   6 +-
 apps/tickets/serializers/ticket/__init__.py   |   7 +-
 .../serializers/ticket/apply_application.py   |  57 +++
 .../tickets/serializers/ticket/apply_asset.py |  70 ++++
 .../serializers/ticket/command_confirm.py     |  16 +
 apps/tickets/serializers/ticket/common.py     |  63 +++
 .../serializers/ticket/login_asset_confirm.py |  14 +
 .../serializers/ticket/login_confirm.py       |  14 +
 .../serializers/ticket/meta/__init__.py       |   1 -
 apps/tickets/serializers/ticket/meta/meta.py  |  43 --
 .../ticket/meta/ticket_type/__init__.py       |   0
 .../meta/ticket_type/apply_application.py     |  93 -----
 .../ticket/meta/ticket_type/apply_asset.py    |  92 -----
 .../meta/ticket_type/command_confirm.py       |  26 --
 .../ticket/meta/ticket_type/common.py         |  30 --
 .../meta/ticket_type/login_asset_confirm.py   |  21 -
 .../ticket/meta/ticket_type/login_confirm.py  |  25 --
 apps/tickets/serializers/ticket/ticket.py     | 184 +--------
 apps/tickets/signal_handlers/ticket.py        |  25 +-
 apps/tickets/signals.py                       |   3 +-
 .../templates/tickets/_base_ticket_body.html  |  20 -
 .../templates/tickets/_msg_ticket.html        |  10 +-
 .../tickets/approve_check_password.html       |  12 +-
 apps/tickets/urls/api_urls.py                 |   5 +
 apps/tickets/utils.py                         |  17 +-
 apps/tickets/views/approve.py                 |   4 +-
 73 files changed, 2004 insertions(+), 1417 deletions(-)
 create mode 100644 apps/tickets/api/flow.py
 delete mode 100644 apps/tickets/handler/apply_application.py
 delete mode 100644 apps/tickets/handler/apply_asset.py
 delete mode 100644 apps/tickets/handler/base.py
 delete mode 100644 apps/tickets/handler/command_confirm.py
 delete mode 100644 apps/tickets/handler/login_asset_confirm.py
 rename apps/tickets/{handler => handlers}/__init__.py (70%)
 create mode 100644 apps/tickets/handlers/apply_application.py
 create mode 100644 apps/tickets/handlers/apply_asset.py
 create mode 100644 apps/tickets/handlers/base.py
 create mode 100644 apps/tickets/handlers/command_confirm.py
 rename apps/tickets/{handler => handlers}/general.py (100%)
 create mode 100644 apps/tickets/handlers/login_asset_confirm.py
 rename apps/tickets/{handler => handlers}/login_confirm.py (65%)
 create mode 100644 apps/tickets/migrations/0016_auto_20220609_1758.py
 create mode 100644 apps/tickets/migrations/0017_auto_20220623_1027.py
 delete mode 100644 apps/tickets/models/ticket.py
 create mode 100644 apps/tickets/models/ticket/__init__.py
 create mode 100644 apps/tickets/models/ticket/apply_application.py
 create mode 100644 apps/tickets/models/ticket/apply_asset.py
 create mode 100644 apps/tickets/models/ticket/command_confirm.py
 create mode 100644 apps/tickets/models/ticket/general.py
 create mode 100644 apps/tickets/models/ticket/login_asset_confirm.py
 create mode 100644 apps/tickets/models/ticket/login_confirm.py
 create mode 100644 apps/tickets/serializers/flow.py
 create mode 100644 apps/tickets/serializers/ticket/apply_application.py
 create mode 100644 apps/tickets/serializers/ticket/apply_asset.py
 create mode 100644 apps/tickets/serializers/ticket/command_confirm.py
 create mode 100644 apps/tickets/serializers/ticket/common.py
 create mode 100644 apps/tickets/serializers/ticket/login_asset_confirm.py
 create mode 100644 apps/tickets/serializers/ticket/login_confirm.py
 delete mode 100644 apps/tickets/serializers/ticket/meta/__init__.py
 delete mode 100644 apps/tickets/serializers/ticket/meta/meta.py
 delete mode 100644 apps/tickets/serializers/ticket/meta/ticket_type/__init__.py
 delete mode 100644 apps/tickets/serializers/ticket/meta/ticket_type/apply_application.py
 delete mode 100644 apps/tickets/serializers/ticket/meta/ticket_type/apply_asset.py
 delete mode 100644 apps/tickets/serializers/ticket/meta/ticket_type/command_confirm.py
 delete mode 100644 apps/tickets/serializers/ticket/meta/ticket_type/common.py
 delete mode 100644 apps/tickets/serializers/ticket/meta/ticket_type/login_asset_confirm.py
 delete mode 100644 apps/tickets/serializers/ticket/meta/ticket_type/login_confirm.py
 delete mode 100644 apps/tickets/templates/tickets/_base_ticket_body.html

diff --git a/apps/acls/api/login_asset_check.py b/apps/acls/api/login_asset_check.py
index fc5f4157f..a7e8990c7 100644
--- a/apps/acls/api/login_asset_check.py
+++ b/apps/acls/api/login_asset_check.py
@@ -47,7 +47,7 @@ class LoginAssetCheckAPI(CreateAPIView):
             asset=self.serializer.asset,
             system_user=self.serializer.system_user,
             assignees=acl.reviewers.all(),
-            org_id=self.serializer.org.id
+            org_id=self.serializer.org.id,
         )
         confirm_status_url = reverse(
             view_name='api-tickets:super-ticket-status',
@@ -59,7 +59,7 @@ class LoginAssetCheckAPI(CreateAPIView):
             external=True, api_to_ui=True
         )
         ticket_detail_url = '{url}?type={type}'.format(url=ticket_detail_url, type=ticket.type)
-        ticket_assignees = ticket.current_node.first().ticket_assignees.all()
+        ticket_assignees = ticket.current_step.ticket_assignees.all()
         data = {
             'check_confirm_status': {'method': 'GET', 'url': confirm_status_url},
             'close_confirm': {'method': 'DELETE', 'url': confirm_status_url},
diff --git a/apps/acls/models/login_acl.py b/apps/acls/models/login_acl.py
index f9b24e426..1887ecd33 100644
--- a/apps/acls/models/login_acl.py
+++ b/apps/acls/models/login_acl.py
@@ -97,34 +97,25 @@ class LoginACL(BaseACL):
 
         return allow, reject_type
 
-    @staticmethod
-    def construct_confirm_ticket_meta(request=None):
+    def create_confirm_ticket(self, request):
+        from tickets import const
+        from tickets.models import ApplyLoginTicket
+        from orgs.models import Organization
+        title = _('Login confirm') + ' {}'.format(self.user)
         login_ip = get_request_ip(request) if request else ''
         login_ip = login_ip or '0.0.0.0'
         login_city = get_ip_city(login_ip)
         login_datetime = local_now_display()
-        ticket_meta = {
-            'apply_login_ip': login_ip,
-            'apply_login_city': login_city,
-            'apply_login_datetime': login_datetime,
-        }
-        return ticket_meta
-
-    def create_confirm_ticket(self, request=None):
-        from tickets import const
-        from tickets.models import Ticket
-        from orgs.models import Organization
-        ticket_title = _('Login confirm') + ' {}'.format(self.user)
-        ticket_meta = self.construct_confirm_ticket_meta(request)
         data = {
-            'title': ticket_title,
-            'type': const.TicketType.login_confirm.value,
-            'meta': ticket_meta,
+            'title': title,
+            'type': const.TicketType.login_confirm,
+            'applicant': self.user,
+            'apply_login_city': login_city,
+            'apply_login_ip': login_ip,
+            'apply_login_datetime': login_datetime,
             'org_id': Organization.ROOT_ID,
         }
-        ticket = Ticket.objects.create(**data)
-        applicant = self.user
+        ticket = ApplyLoginTicket.objects.create(**data)
         assignees = self.reviewers.all()
-        ticket.create_process_map_and_node(assignees, applicant)
-        ticket.open(applicant)
+        ticket.open_by_system(assignees)
         return ticket
diff --git a/apps/acls/models/login_asset_acl.py b/apps/acls/models/login_asset_acl.py
index dda9d97c1..9cf7989f9 100644
--- a/apps/acls/models/login_asset_acl.py
+++ b/apps/acls/models/login_asset_acl.py
@@ -85,19 +85,18 @@ class LoginAssetACL(BaseACL, OrgModelMixin):
     @classmethod
     def create_login_asset_confirm_ticket(cls, user, asset, system_user, assignees, org_id):
         from tickets.const import TicketType
-        from tickets.models import Ticket
+        from tickets.models import ApplyLoginAssetTicket
+        title = _('Login asset confirm') + ' ({})'.format(user)
         data = {
-            'title': _('Login asset confirm') + ' ({})'.format(user),
+            'title': title,
             'type': TicketType.login_asset_confirm,
-            'meta': {
-                'apply_login_user': str(user),
-                'apply_login_asset': str(asset),
-                'apply_login_system_user': str(system_user),
-            },
+            'applicant': user,
+            'apply_login_user': user,
+            'apply_login_asset': asset,
+            'apply_login_system_user': system_user,
             'org_id': org_id,
         }
-        ticket = Ticket.objects.create(**data)
-        ticket.create_process_map_and_node(assignees, user)
-        ticket.open(applicant=user)
+        ticket = ApplyLoginAssetTicket.objects.create(**data)
+        ticket.open_by_system(assignees)
         return ticket
 
diff --git a/apps/assets/api/cmd_filter.py b/apps/assets/api/cmd_filter.py
index dcb2d77c9..0e09d5c73 100644
--- a/apps/assets/api/cmd_filter.py
+++ b/apps/assets/api/cmd_filter.py
@@ -69,7 +69,7 @@ class CommandConfirmAPI(CreateAPIView):
             external=True, api_to_ui=True
         )
         ticket_detail_url = '{url}?type={type}'.format(url=ticket_detail_url, type=ticket.type)
-        ticket_assignees = ticket.current_node.first().ticket_assignees.all()
+        ticket_assignees = ticket.current_step.ticket_assignees.all()
         return {
             'check_confirm_status': {'method': 'GET', 'url': confirm_status_url},
             'close_confirm': {'method': 'DELETE', 'url': confirm_status_url},
diff --git a/apps/assets/models/cmd_filter.py b/apps/assets/models/cmd_filter.py
index c92a25109..235a4f331 100644
--- a/apps/assets/models/cmd_filter.py
+++ b/apps/assets/models/cmd_filter.py
@@ -165,26 +165,23 @@ class CommandFilterRule(OrgModelMixin):
 
     def create_command_confirm_ticket(self, run_command, session, cmd_filter_rule, org_id):
         from tickets.const import TicketType
-        from tickets.models import Ticket
+        from tickets.models import ApplyCommandTicket
         data = {
             'title': _('Command confirm') + ' ({})'.format(session.user),
             'type': TicketType.command_confirm,
-            'meta': {
-                'apply_run_user': session.user,
-                'apply_run_asset': session.asset,
-                'apply_run_system_user': session.system_user,
-                'apply_run_command': run_command,
-                'apply_from_session_id': str(session.id),
-                'apply_from_cmd_filter_rule_id': str(cmd_filter_rule.id),
-                'apply_from_cmd_filter_id': str(cmd_filter_rule.filter.id)
-            },
+            'applicant': session.user_obj,
+            'apply_run_user_id': session.user_id,
+            'apply_run_asset_id': session.asset_id,
+            'apply_run_system_user_id': session.system_user_id,
+            'apply_run_command': run_command,
+            'apply_from_session_id': str(session.id),
+            'apply_from_cmd_filter_rule_id': str(cmd_filter_rule.id),
+            'apply_from_cmd_filter_id': str(cmd_filter_rule.filter.id),
             'org_id': org_id,
         }
-        ticket = Ticket.objects.create(**data)
-        applicant = session.user_obj
+        ticket = ApplyCommandTicket.objects.create(**data)
         assignees = self.reviewers.all()
-        ticket.create_process_map_and_node(assignees, applicant)
-        ticket.open(applicant)
+        ticket.open_by_system(assignees)
         return ticket
 
     @classmethod
diff --git a/apps/authentication/api/login_confirm.py b/apps/authentication/api/login_confirm.py
index 9adedb1e0..22594b88e 100644
--- a/apps/authentication/api/login_confirm.py
+++ b/apps/authentication/api/login_confirm.py
@@ -25,5 +25,5 @@ class TicketStatusApi(mixins.AuthMixin, APIView):
         ticket = self.get_ticket()
         if ticket:
             request.session.pop('auth_ticket_id', '')
-            ticket.close(processor=self.get_user_from_session())
+            ticket.close()
         return Response('', status=200)
diff --git a/apps/authentication/mixins.py b/apps/authentication/mixins.py
index 2f4f1d6e0..f1989b181 100644
--- a/apps/authentication/mixins.py
+++ b/apps/authentication/mixins.py
@@ -337,18 +337,18 @@ class AuthACLMixin:
             raise errors.TimePeriodNotAllowed(username=user.username, request=self.request)
 
     def get_ticket(self):
-        from tickets.models import Ticket
+        from tickets.models import ApplyLoginTicket
         ticket_id = self.request.session.get("auth_ticket_id")
         logger.debug('Login confirm ticket id: {}'.format(ticket_id))
         if not ticket_id:
             ticket = None
         else:
-            ticket = Ticket.all().filter(id=ticket_id).first()
+            ticket = ApplyLoginTicket.all().filter(id=ticket_id).first()
         return ticket
 
     def get_ticket_or_create(self, confirm_setting):
         ticket = self.get_ticket()
-        if not ticket or ticket.status_closed:
+        if not ticket or ticket.is_status(ticket.Status.closed):
             ticket = confirm_setting.create_confirm_ticket(self.request)
             self.request.session['auth_ticket_id'] = str(ticket.id)
         return ticket
@@ -357,16 +357,17 @@ class AuthACLMixin:
         ticket = self.get_ticket()
         if not ticket:
             raise errors.LoginConfirmOtherError('', "Not found")
-        if ticket.status_open:
+
+        if ticket.is_status(ticket.Status.open):
             raise errors.LoginConfirmWaitError(ticket.id)
-        elif ticket.state_approve:
+        elif ticket.is_state(ticket.State.approved):
             self.request.session["auth_confirm"] = "1"
             return
-        elif ticket.state_reject:
+        elif ticket.is_state(ticket.State.rejected):
             raise errors.LoginConfirmOtherError(
                 ticket.id, ticket.get_state_display()
             )
-        elif ticket.state_close:
+        elif ticket.is_state(ticket.State.closed):
             raise errors.LoginConfirmOtherError(
                 ticket.id, ticket.get_state_display()
             )
diff --git a/apps/authentication/serializers/connect_token.py b/apps/authentication/serializers/connect_token.py
index d9694b5bd..36fc024b1 100644
--- a/apps/authentication/serializers/connect_token.py
+++ b/apps/authentication/serializers/connect_token.py
@@ -86,7 +86,10 @@ class ConnectionTokenAssetSerializer(serializers.ModelSerializer):
 class ConnectionTokenSystemUserSerializer(serializers.ModelSerializer):
     class Meta:
         model = SystemUser
-        fields = ['id', 'name', 'username', 'password', 'private_key', 'protocol', 'ad_domain', 'org_id']
+        fields = [
+            'id', 'name', 'username', 'password', 'private_key',
+            'protocol', 'ad_domain', 'org_id'
+        ]
 
 
 class ConnectionTokenGatewaySerializer(serializers.ModelSerializer):
@@ -122,8 +125,7 @@ class ConnectionTokenFilterRuleSerializer(serializers.ModelSerializer):
         model = CommandFilterRule
         fields = [
             'id', 'type', 'content', 'ignore_case', 'pattern',
-            'priority', 'action',
-            'date_created',
+            'priority', 'action', 'date_created',
         ]
 
 
diff --git a/apps/authentication/views/login.py b/apps/authentication/views/login.py
index 3b8f2c60c..e6fe6b6cf 100644
--- a/apps/authentication/views/login.py
+++ b/apps/authentication/views/login.py
@@ -282,8 +282,7 @@ class UserLoginWaitConfirmView(TemplateView):
         if ticket:
             timestamp_created = datetime.datetime.timestamp(ticket.date_created)
             ticket_detail_url = TICKET_DETAIL_URL.format(id=ticket_id, type=ticket.type)
-            assignees = ticket.current_node.first().ticket_assignees.all()
-            assignees_display = ', '.join([str(i.assignee) for i in assignees])
+            assignees_display = ', '.join([str(assignee) for assignee in ticket.current_assignees])
             msg = _("""Wait for <b>{}</b> confirm, You also can copy link to her/him <br/>
                   Don't close this page""").format(assignees_display)
         else:
diff --git a/apps/common/db/encoder.py b/apps/common/db/encoder.py
index 314ea071d..673b8aeca 100644
--- a/apps/common/db/encoder.py
+++ b/apps/common/db/encoder.py
@@ -1,20 +1,30 @@
 import json
-from datetime import datetime
 import uuid
+import logging
+from datetime import datetime
 
 from django.utils.translation import ugettext_lazy as _
+from django.db import models
 from django.conf import settings
 
+lazy_type = type(_('ugettext_lazy'))
+
 
 class ModelJSONFieldEncoder(json.JSONEncoder):
     """ 解决一些类型的字段不能序列化的问题 """
 
     def default(self, obj):
-        if isinstance(obj, datetime):
+        str_cls = (models.Model, lazy_type, models.ImageField, uuid.UUID)
+        if isinstance(obj, str_cls):
+            return str(obj)
+        elif isinstance(obj, datetime):
             return obj.strftime(settings.DATETIME_DISPLAY_FORMAT)
-        if isinstance(obj, uuid.UUID):
-            return str(obj)
-        if isinstance(obj, type(_("ugettext_lazy"))):
-            return str(obj)
+        elif isinstance(obj, (list, tuple)) and len(obj) > 0 \
+                and isinstance(obj[0], models.Model):
+            return [str(i) for i in obj]
         else:
-            return super().default(obj)
+            try:
+                return super().default(obj)
+            except TypeError:
+                logging.error('Type error: ', type(obj))
+                return str(obj)
diff --git a/apps/common/db/models.py b/apps/common/db/models.py
index 2989f734e..92b6c4803 100644
--- a/apps/common/db/models.py
+++ b/apps/common/db/models.py
@@ -13,6 +13,7 @@ import uuid
 from functools import reduce, partial
 import inspect
 
+from django.db import transaction
 from django.db.models import *
 from django.db.models import QuerySet
 from django.db.models.functions import Concat
@@ -211,3 +212,29 @@ class UnionQuerySet(QuerySet):
 
         qs = cls(assets1, assets2)
         return qs
+
+
+class MultiTableChildQueryset(QuerySet):
+
+    def bulk_create(self, objs, batch_size=None):
+        assert batch_size is None or batch_size > 0
+        if not objs:
+            return objs
+
+        self._for_write = True
+        objs = list(objs)
+        parent_model = self.model._meta.pk.related_model
+
+        parent_objs = []
+        for obj in objs:
+            parent_values = {}
+            for field in [f for f in parent_model._meta.fields if hasattr(obj, f.name)]:
+                parent_values[field.name] = getattr(obj, field.name)
+            parent_objs.append(parent_model(**parent_values))
+            setattr(obj, self.model._meta.pk.attname, obj.id)
+        parent_model.objects.bulk_create(parent_objs, batch_size=batch_size)
+
+        with transaction.atomic(using=self.db, savepoint=False):
+            self._batched_insert(objs, self.model._meta.local_fields, batch_size)
+
+        return objs
diff --git a/apps/common/utils/common.py b/apps/common/utils/common.py
index 3982b1349..5b2180ec0 100644
--- a/apps/common/utils/common.py
+++ b/apps/common/utils/common.py
@@ -361,3 +361,7 @@ def pretty_string(data: str, max_length=128, ellipsis_str='...'):
     end = data[-half:]
     data = f'{start}{ellipsis_str}{end}'
     return data
+
+
+def group_by_count(it, count):
+    return [it[i:i+count] for i in range(0, len(it), count)]
diff --git a/apps/terminal/utils.py b/apps/terminal/utils.py
index e6fa17068..abdfbd738 100644
--- a/apps/terminal/utils.py
+++ b/apps/terminal/utils.py
@@ -12,7 +12,7 @@ from common.utils import get_logger
 from . import const
 from .models import ReplayStorage
 from tickets.models import TicketSession, TicketStep, TicketAssignee
-from tickets.const import ProcessStatus
+from tickets.const import StepState
 
 
 logger = get_logger(__name__)
diff --git a/apps/tickets/api/__init__.py b/apps/tickets/api/__init__.py
index 0342771e0..bec6f21d1 100644
--- a/apps/tickets/api/__init__.py
+++ b/apps/tickets/api/__init__.py
@@ -1,6 +1,7 @@
 # -*- coding: utf-8 -*-
 #
 from .ticket import *
+from .flow import *
 from .comment import *
 from .super_ticket import *
 from .relation import *
diff --git a/apps/tickets/api/flow.py b/apps/tickets/api/flow.py
new file mode 100644
index 000000000..b45479187
--- /dev/null
+++ b/apps/tickets/api/flow.py
@@ -0,0 +1,31 @@
+from rest_framework.exceptions import MethodNotAllowed
+
+from tickets import serializers
+from tickets.models import TicketFlow
+from common.drf.api import JMSBulkModelViewSet
+
+__all__ = ['TicketFlowViewSet']
+
+
+class TicketFlowViewSet(JMSBulkModelViewSet):
+    serializer_class = serializers.TicketFlowSerializer
+
+    filterset_fields = ['id', 'type']
+    search_fields = ['id', 'type']
+
+    def destroy(self, request, *args, **kwargs):
+        raise MethodNotAllowed(self.action)
+
+    def get_queryset(self):
+        queryset = TicketFlow.get_org_related_flows()
+        return queryset
+
+    def perform_create_or_update(self, serializer):
+        instance = serializer.save()
+        instance.save()
+
+    def perform_create(self, serializer):
+        self.perform_create_or_update(serializer)
+
+    def perform_update(self, serializer):
+        self.perform_create_or_update(serializer)
diff --git a/apps/tickets/api/ticket.py b/apps/tickets/api/ticket.py
index 00e30f899..747066b0c 100644
--- a/apps/tickets/api/ticket.py
+++ b/apps/tickets/api/ticket.py
@@ -2,36 +2,43 @@
 #
 from rest_framework import viewsets
 from rest_framework.decorators import action
-from rest_framework.exceptions import MethodNotAllowed
 from rest_framework.response import Response
+from rest_framework.exceptions import MethodNotAllowed
 
 from common.const.http import POST, PUT
 from common.mixins.api import CommonApiMixin
-from common.drf.api import JMSBulkModelViewSet
+from orgs.utils import tmp_to_root_org
 
 from rbac.permissions import RBACPermission
 
 from tickets import serializers
-from tickets.models import Ticket, TicketFlow
-from tickets.filters import TicketFilter
+from tickets import filters
 from tickets.permissions.ticket import IsAssignee, IsApplicant
+from tickets.models import (
+    Ticket, ApplyAssetTicket, ApplyApplicationTicket,
+    ApplyLoginTicket, ApplyLoginAssetTicket, ApplyCommandTicket
+)
 
-__all__ = ['TicketViewSet', 'TicketFlowViewSet']
+__all__ = [
+    'TicketViewSet', 'ApplyAssetTicketViewSet', 'ApplyApplicationTicketViewSet',
+    'ApplyLoginTicketViewSet', 'ApplyLoginAssetTicketViewSet', 'ApplyCommandTicketViewSet'
+]
 
 
 class TicketViewSet(CommonApiMixin, viewsets.ModelViewSet):
     serializer_class = serializers.TicketDisplaySerializer
     serializer_classes = {
-        'open': serializers.TicketApplySerializer,
-        'approve': serializers.TicketApproveSerializer,
+        'list': serializers.TicketListSerializer,
+        'open': serializers.TicketApplySerializer
     }
-    filterset_class = TicketFilter
+    model = Ticket
+    filterset_class = filters.TicketFilter
     search_fields = [
         'title', 'type', 'status', 'applicant_display'
     ]
     ordering_fields = (
-        'title', 'applicant_display', 'status', 'state', 'action_display',
-        'date_created', 'serial_num',
+        'title', 'applicant_display', 'status', 'state',
+        'action_display', 'date_created', 'serial_num',
     )
     ordering = ('-date_created',)
     rbac_perms = {
@@ -48,15 +55,15 @@ class TicketViewSet(CommonApiMixin, viewsets.ModelViewSet):
         raise MethodNotAllowed(self.action)
 
     def get_queryset(self):
-        queryset = Ticket.get_user_related_tickets(self.request.user)
+        with tmp_to_root_org():
+            queryset = self.model.get_user_related_tickets(self.request.user)
         return queryset
 
     def perform_create(self, serializer):
         instance = serializer.save()
-        applicant = self.request.user
-        instance.create_related_node(applicant)
-        instance.process_map = instance.create_process_map(applicant)
-        instance.open(applicant)
+        instance.applicant = self.request.user
+        instance.save(update_fields=['applicant'])
+        instance.open()
 
     @action(detail=False, methods=[POST], permission_classes=[RBACPermission, ])
     def open(self, request, *args, **kwargs):
@@ -80,29 +87,41 @@ class TicketViewSet(CommonApiMixin, viewsets.ModelViewSet):
     def close(self, request, *args, **kwargs):
         instance = self.get_object()
         serializer = self.get_serializer(instance)
-        instance.close(processor=request.user)
+        instance.close()
         return Response(serializer.data)
 
 
-class TicketFlowViewSet(JMSBulkModelViewSet):
-    serializer_class = serializers.TicketFlowSerializer
+class ApplyAssetTicketViewSet(TicketViewSet):
+    serializer_class = serializers.ApplyAssetDisplaySerializer
+    serializer_classes = {
+        'open': serializers.ApplyAssetSerializer
+    }
+    model = ApplyAssetTicket
+    filterset_class = filters.ApplyAssetTicketFilter
 
-    filterset_fields = ['id', 'type']
-    search_fields = ['id', 'type']
 
-    def destroy(self, request, *args, **kwargs):
-        raise MethodNotAllowed(self.action)
+class ApplyApplicationTicketViewSet(TicketViewSet):
+    serializer_class = serializers.ApplyApplicationDisplaySerializer
+    serializer_classes = {
+        'open': serializers.ApplyApplicationSerializer
+    }
+    model = ApplyApplicationTicket
+    filterset_class = filters.ApplyApplicationTicketFilter
 
-    def get_queryset(self):
-        queryset = TicketFlow.get_org_related_flows()
-        return queryset
 
-    def perform_create_or_update(self, serializer):
-        instance = serializer.save()
-        instance.save()
+class ApplyLoginTicketViewSet(TicketViewSet):
+    serializer_class = serializers.LoginConfirmSerializer
+    model = ApplyLoginTicket
+    filterset_class = filters.ApplyLoginTicketFilter
 
-    def perform_create(self, serializer):
-        self.perform_create_or_update(serializer)
 
-    def perform_update(self, serializer):
-        self.perform_create_or_update(serializer)
+class ApplyLoginAssetTicketViewSet(TicketViewSet):
+    serializer_class = serializers.LoginAssetConfirmSerializer
+    model = ApplyLoginAssetTicket
+    filterset_class = filters.ApplyLoginAssetTicketFilter
+
+
+class ApplyCommandTicketViewSet(TicketViewSet):
+    serializer_class = serializers.ApplyCommandConfirmSerializer
+    model = ApplyCommandTicket
+    filterset_class = filters.ApplyCommandTicketFilter
diff --git a/apps/tickets/const.py b/apps/tickets/const.py
index 9bfaf795e..d97e6716e 100644
--- a/apps/tickets/const.py
+++ b/apps/tickets/const.py
@@ -14,20 +14,29 @@ class TicketType(TextChoices):
 
 
 class TicketState(TextChoices):
-    open = 'open', _('Open')
-    approved = 'approved', _('Approved')
-    rejected = 'rejected', _('Rejected')
-    closed = 'closed', _('Closed')
-
-
-class ProcessStatus(TextChoices):
-    notified = 'notified', _('Notified')
+    pending = 'pending', _('Open')
     approved = 'approved', _('Approved')
     rejected = 'rejected', _('Rejected')
+    closed = 'closed', _("Cancel")
+    reopen = 'reopen', _("Reopen")
 
 
 class TicketStatus(TextChoices):
     open = 'open', _("Open")
+    closed = 'closed', _("Finished")
+
+
+class StepState(TextChoices):
+    pending = 'pending', _('Pending')
+    approved = 'approved', _('Approved')
+    rejected = 'rejected', _('Rejected')
+    closed = 'closed', _("Closed")
+    reopen = 'reopen', _("Reopen")
+
+
+class StepStatus(TextChoices):
+    pending = 'pending', _('Pending')
+    active = 'active', _('Active')
     closed = 'closed', _("Closed")
 
 
@@ -38,7 +47,7 @@ class TicketAction(TextChoices):
     reject = 'reject', _('Reject')
 
 
-class TicketApprovalLevel(IntegerChoices):
+class TicketLevel(IntegerChoices):
     one = 1, _("One level")
     two = 2, _("Two level")
 
diff --git a/apps/tickets/filters.py b/apps/tickets/filters.py
index 3c795f0df..255908305 100644
--- a/apps/tickets/filters.py
+++ b/apps/tickets/filters.py
@@ -1,7 +1,10 @@
 from django_filters import rest_framework as filters
 from common.drf.filters import BaseFilterSet
 
-from tickets.models import Ticket
+from tickets.models import (
+    Ticket, ApplyAssetTicket, ApplyApplicationTicket,
+    ApplyLoginTicket, ApplyLoginAssetTicket, ApplyCommandTicket
+)
 
 
 class TicketFilter(BaseFilterSet):
@@ -10,9 +13,38 @@ class TicketFilter(BaseFilterSet):
     class Meta:
         model = Ticket
         fields = (
-            'id', 'title', 'type', 'status', 'state', 'applicant', 'assignees__id',
-            'applicant_display',
+            'id', 'title', 'type', 'status', 'state', 'applicant', 'assignees__id'
         )
 
     def filter_assignees_id(self, queryset, name, value):
         return queryset.filter(ticket_steps__ticket_assignees__assignee__id=value)
+
+
+class ApplyAssetTicketFilter(BaseFilterSet):
+    class Meta:
+        model = ApplyAssetTicket
+        fields = ('id',)
+
+
+class ApplyApplicationTicketFilter(BaseFilterSet):
+    class Meta:
+        model = ApplyApplicationTicket
+        fields = ('id',)
+
+
+class ApplyLoginTicketFilter(BaseFilterSet):
+    class Meta:
+        model = ApplyLoginTicket
+        fields = ('id',)
+
+
+class ApplyLoginAssetTicketFilter(BaseFilterSet):
+    class Meta:
+        model = ApplyLoginAssetTicket
+        fields = ('id',)
+
+
+class ApplyCommandTicketFilter(BaseFilterSet):
+    class Meta:
+        model = ApplyCommandTicket
+        fields = ('id',)
diff --git a/apps/tickets/handler/apply_application.py b/apps/tickets/handler/apply_application.py
deleted file mode 100644
index 5e20e89f9..000000000
--- a/apps/tickets/handler/apply_application.py
+++ /dev/null
@@ -1,108 +0,0 @@
-from django.utils.translation import ugettext as _
-
-from orgs.utils import tmp_to_org, tmp_to_root_org
-from applications.const import AppCategory, AppType
-from applications.models import Application
-from perms.models import ApplicationPermission
-from assets.models import SystemUser
-
-from .base import BaseHandler
-
-
-class Handler(BaseHandler):
-
-    def _on_approve(self):
-        is_finished = super()._on_approve()
-        if is_finished:
-            self._create_application_permission()
-
-    # display
-    def _construct_meta_display_of_open(self):
-        meta_display_fields = ['apply_category_display', 'apply_type_display']
-        apply_category = self.ticket.meta.get('apply_category')
-        apply_category_display = AppCategory.get_label(apply_category)
-        apply_type = self.ticket.meta.get('apply_type')
-        apply_type_display = AppType.get_label(apply_type)
-        meta_display_values = [apply_category_display, apply_type_display]
-        meta_display = dict(zip(meta_display_fields, meta_display_values))
-        apply_system_users = self.ticket.meta.get('apply_system_users')
-        apply_applications = self.ticket.meta.get('apply_applications')
-        with tmp_to_org(self.ticket.org_id):
-            meta_display.update({
-                'apply_system_users_display': [str(i) for i in SystemUser.objects.filter(id__in=apply_system_users)],
-                'apply_applications_display': [str(i) for i in Application.objects.filter(id__in=apply_applications)]
-            })
-
-        return meta_display
-
-    # body
-    def _construct_meta_body_of_open(self):
-        apply_category_display = self.ticket.meta.get('apply_category_display')
-        apply_type_display = self.ticket.meta.get('apply_type_display')
-        apply_applications = self.ticket.meta.get('apply_applications_display', [])
-        apply_system_users = self.ticket.meta.get('apply_system_users_display', [])
-        apply_date_start = self.ticket.meta.get('apply_date_start')
-        apply_date_expired = self.ticket.meta.get('apply_date_expired')
-        applied_body = '''{}: {},
-            {}: {}
-            {}: {}
-            {}: {}
-            {}: {}
-            {}: {}
-        '''.format(
-            _('Applied category'), apply_category_display,
-            _('Applied type'), apply_type_display,
-            _('Applied application group'), ','.join(apply_applications),
-            _('Applied system user group'), ','.join(apply_system_users),
-            _('Applied date start'), apply_date_start,
-            _('Applied date expired'), apply_date_expired,
-        )
-        return applied_body
-
-    # permission
-    def _create_application_permission(self):
-        with tmp_to_root_org():
-            application_permission = ApplicationPermission.objects.filter(id=self.ticket.id).first()
-            if application_permission:
-                return application_permission
-
-        apply_category = self.ticket.meta.get('apply_category')
-        apply_type = self.ticket.meta.get('apply_type')
-        apply_permission_name = self.ticket.meta.get('apply_permission_name', '')
-        apply_applications = self.ticket.meta.get('apply_applications', [])
-        apply_system_users = self.ticket.meta.get('apply_system_users', [])
-        apply_date_start = self.ticket.meta.get('apply_date_start')
-        apply_date_expired = self.ticket.meta.get('apply_date_expired')
-        permission_created_by = '{}:{}'.format(
-            str(self.ticket.__class__.__name__), str(self.ticket.id)
-        )
-        permission_comment = _(
-            'Created by the ticket, '
-            'ticket title: {}, '
-            'ticket applicant: {}, '
-            'ticket processor: {}, '
-            'ticket ID: {}'
-        ).format(
-            self.ticket.title,
-            self.ticket.applicant_display,
-            ','.join([i['processor_display'] for i in self.ticket.process_map]),
-            str(self.ticket.id)
-        )
-        permissions_data = {
-            'id': self.ticket.id,
-            'name': apply_permission_name,
-            'from_ticket': True,
-            'category': apply_category,
-            'type': apply_type,
-            'comment': str(permission_comment),
-            'created_by': permission_created_by,
-            'date_start': apply_date_start,
-            'date_expired': apply_date_expired,
-        }
-        with tmp_to_org(self.ticket.org_id):
-            application_permission = ApplicationPermission.objects.create(**permissions_data)
-            application_permission.users.add(self.ticket.applicant)
-            application_permission.applications.set(apply_applications)
-            application_permission.system_users.set(apply_system_users)
-
-        return application_permission
diff --git a/apps/tickets/handler/apply_asset.py b/apps/tickets/handler/apply_asset.py
deleted file mode 100644
index a13f6e008..000000000
--- a/apps/tickets/handler/apply_asset.py
+++ /dev/null
@@ -1,106 +0,0 @@
-from django.utils.translation import ugettext as _
-
-from assets.models import Node, Asset, SystemUser
-from perms.models import AssetPermission, Action
-from orgs.utils import tmp_to_org, tmp_to_root_org
-from .base import BaseHandler
-
-
-class Handler(BaseHandler):
-
-    def _on_approve(self):
-        is_finished = super()._on_approve()
-        if is_finished:
-            self._create_asset_permission()
-
-    # display
-    def _construct_meta_display_of_open(self):
-        meta_display_fields = ['apply_actions_display']
-        apply_actions = self.ticket.meta.get('apply_actions', Action.NONE)
-        apply_actions_display = Action.value_to_choices_display(apply_actions)
-        meta_display_values = [apply_actions_display]
-        meta_display = dict(zip(meta_display_fields, meta_display_values))
-        apply_nodes = self.ticket.meta.get('apply_nodes', [])
-        apply_assets = self.ticket.meta.get('apply_assets', [])
-        apply_system_users = self.ticket.meta.get('apply_system_users')
-        with tmp_to_org(self.ticket.org_id):
-            meta_display.update({
-                'apply_nodes_display': [str(i) for i in Node.objects.filter(id__in=apply_nodes)],
-                'apply_assets_display': [str(i) for i in Asset.objects.filter(id__in=apply_assets)],
-                'apply_system_users_display': [
-                    str(i) for i in SystemUser.objects.filter(id__in=apply_system_users)
-                ]
-            })
-        return meta_display
-
-    # body
-    def _construct_meta_body_of_open(self):
-        apply_nodes = self.ticket.meta.get('apply_nodes_display', [])
-        apply_assets = self.ticket.meta.get('apply_assets_display', [])
-        apply_system_users = self.ticket.meta.get('apply_system_users_display', [])
-        apply_actions_display = self.ticket.meta.get('apply_actions_display', [])
-        apply_date_start = self.ticket.meta.get('apply_date_start')
-        apply_date_expired = self.ticket.meta.get('apply_date_expired')
-        applied_body = '''{}: {},
-            {}: {},
-            {}: {},
-            {}: {},
-            {}: {}
-        '''.format(
-            _("Applied node group"), ','.join(apply_nodes),
-            _("Applied hostname group"), ','.join(apply_assets),
-            _("Applied system user group"), ','.join(apply_system_users),
-            _("Applied actions"), ','.join(apply_actions_display),
-            _('Applied date start'), apply_date_start,
-            _('Applied date expired'), apply_date_expired,
-        )
-        return applied_body
-
-    # permission
-    def _create_asset_permission(self):
-        with tmp_to_root_org():
-            asset_permission = AssetPermission.objects.filter(id=self.ticket.id).first()
-            if asset_permission:
-                return asset_permission
-
-        apply_permission_name = self.ticket.meta.get('apply_permission_name', )
-        apply_nodes = self.ticket.meta.get('apply_nodes', [])
-        apply_assets = self.ticket.meta.get('apply_assets', [])
-        apply_system_users = self.ticket.meta.get('apply_system_users', [])
-        apply_actions = self.ticket.meta.get('apply_actions', Action.NONE)
-        apply_date_start = self.ticket.meta.get('apply_date_start')
-        apply_date_expired = self.ticket.meta.get('apply_date_expired')
-        permission_created_by = '{}:{}'.format(
-            str(self.ticket.__class__.__name__), str(self.ticket.id)
-        )
-        permission_comment = _(
-            'Created by the ticket '
-            'ticket title: {} '
-            'ticket applicant: {} '
-            'ticket processor: {} '
-            'ticket ID: {}'
-        ).format(
-            self.ticket.title,
-            self.ticket.applicant_display,
-            ','.join([i['processor_display'] for i in self.ticket.process_map]),
-            str(self.ticket.id)
-        )
-
-        permission_data = {
-            'id': self.ticket.id,
-            'name': apply_permission_name,
-            'from_ticket': True,
-            'comment': str(permission_comment),
-            'created_by': permission_created_by,
-            'actions': apply_actions,
-            'date_start': apply_date_start,
-            'date_expired': apply_date_expired,
-        }
-        with tmp_to_org(self.ticket.org_id):
-            asset_permission = AssetPermission.objects.create(**permission_data)
-            asset_permission.users.add(self.ticket.applicant)
-            asset_permission.nodes.set(apply_nodes)
-            asset_permission.assets.set(apply_assets)
-            asset_permission.system_users.set(apply_system_users)
-
-        return asset_permission
diff --git a/apps/tickets/handler/base.py b/apps/tickets/handler/base.py
deleted file mode 100644
index 1855a2f6c..000000000
--- a/apps/tickets/handler/base.py
+++ /dev/null
@@ -1,135 +0,0 @@
-from django.utils.translation import ugettext as _
-from common.utils import get_logger
-from tickets.utils import (
-    send_ticket_processed_mail_to_applicant, send_ticket_applied_mail_to_assignees
-)
-from tickets.const import TicketAction
-
-logger = get_logger(__name__)
-
-
-class BaseHandler(object):
-
-    def __init__(self, ticket):
-        self.ticket = ticket
-
-    # on action
-    def _on_open(self):
-        self.ticket.applicant_display = str(self.ticket.applicant)
-        meta_display = getattr(self, '_construct_meta_display_of_open', lambda: {})()
-        self.ticket.meta.update(meta_display)
-        self.ticket.save()
-        self._send_applied_mail_to_assignees()
-
-    def _on_approve(self):
-        if self.ticket.approval_step != len(self.ticket.process_map):
-            self._send_processed_mail_to_applicant(self.ticket.processor)
-            self.ticket.approval_step += 1
-            self.ticket.create_related_node()
-            self._send_applied_mail_to_assignees()
-            is_finished = False
-        else:
-            self.ticket.set_state_approve()
-            self.ticket.set_status_closed()
-            self._send_processed_mail_to_applicant(self.ticket.processor)
-            is_finished = True
-
-        self.ticket.save()
-        return is_finished
-
-    def _on_reject(self):
-        self.ticket.set_state_reject()
-        self.ticket.set_status_closed()
-        self.__on_process(self.ticket.processor)
-
-    def _on_close(self):
-        self.ticket.set_state_closed()
-        self.ticket.set_status_closed()
-        self.__on_process(self.ticket.processor)
-
-    def __on_process(self, processor):
-        self._send_processed_mail_to_applicant(processor)
-        self.ticket.save()
-
-    def dispatch(self, action):
-        processor = self.ticket.processor
-        current_node = self.ticket.current_node.first()
-        self.ticket.process_map[self.ticket.approval_step - 1].update({
-            'approval_date': str(current_node.date_updated),
-            'state': current_node.state,
-            'processor': processor.id if processor else '',
-            'processor_display': str(processor) if processor else '',
-        })
-        self.ticket.save()
-        self._create_comment_on_action(action)
-        method = getattr(self, f'_on_{action}', lambda: None)
-        return method()
-
-    # email
-    def _send_applied_mail_to_assignees(self):
-        assignees = self.ticket.current_node.first().ticket_assignees.all()
-        assignees_display = ', '.join([str(i.assignee) for i in assignees])
-        logger.debug('Send applied email to assignees: {}'.format(assignees_display))
-        send_ticket_applied_mail_to_assignees(self.ticket)
-
-    def _send_processed_mail_to_applicant(self, processor):
-        logger.debug('Send processed mail to applicant: {}'.format(self.ticket.applicant_display))
-        send_ticket_processed_mail_to_applicant(self.ticket, processor)
-
-    # comments
-    def _create_comment_on_action(self, action):
-        user = self.ticket.processor
-        # 打开或关闭工单，备注显示是自己，其他是受理人
-        if action == TicketAction.open or action == TicketAction.close:
-            user = self.ticket.applicant
-        user_display = str(user)
-        action_display = getattr(TicketAction, action).label
-        data = {
-            'body': _('{} {} the ticket').format(user_display, action_display),
-            'user': user,
-            'user_display': user_display
-        }
-        return self.ticket.comments.create(**data)
-
-    # body
-    body_html_format = '''
-        {}:
-        <div style="margin-left: 20px;">{}</div>
-    '''
-
-    def get_body(self):
-        old_body = self.ticket.meta.get('body')
-        if old_body:
-            # 之前版本的body
-            return old_body
-        basic_body = self._construct_basic_body()
-        meta_body = self._construct_meta_body()
-        return basic_body + meta_body
-
-    def _construct_basic_body(self):
-        basic_body = '''
-            {}: {}
-            {}: {}
-            {}: {}
-            {}: {}
-        '''.format(
-            _('Ticket title'), self.ticket.title,
-            _('Ticket type'), self.ticket.get_type_display(),
-            _('Ticket status'), self.ticket.get_status_display(),
-            _('Ticket applicant'), self.ticket.applicant_display,
-        ).strip()
-        body = self.body_html_format.format(_("Ticket basic info"), basic_body)
-        return body
-
-    def _construct_meta_body(self):
-        body = ''
-        open_body = self._base_construct_meta_body_of_open().strip()
-        body += open_body
-        return body
-
-    def _base_construct_meta_body_of_open(self):
-        meta_body_of_open = getattr(
-            self, '_construct_meta_body_of_open', lambda: _('No content')
-        )().strip()
-        body = self.body_html_format.format(_('Ticket applied info'), meta_body_of_open)
-        return body
diff --git a/apps/tickets/handler/command_confirm.py b/apps/tickets/handler/command_confirm.py
deleted file mode 100644
index 6fb27dcfe..000000000
--- a/apps/tickets/handler/command_confirm.py
+++ /dev/null
@@ -1,33 +0,0 @@
-from django.utils.translation import ugettext as _
-from .base import BaseHandler
-
-
-class Handler(BaseHandler):
-
-    # body
-    def _construct_meta_body_of_open(self):
-        apply_run_user = self.ticket.meta.get('apply_run_user')
-        apply_run_asset = self.ticket.meta.get('apply_run_asset')
-        apply_run_system_user = self.ticket.meta.get('apply_run_system_user')
-        apply_run_command = self.ticket.meta.get('apply_run_command')
-        apply_from_session_id = self.ticket.meta.get('apply_from_session_id')
-        apply_from_cmd_filter_rule_id = self.ticket.meta.get('apply_from_cmd_filter_rule_id')
-        apply_from_cmd_filter_id = self.ticket.meta.get('apply_from_cmd_filter_id')
-
-        applied_body = '''
-            {}: {}
-            {}: {}
-            {}: {}
-            {}: {}
-            {}: {}
-            {}: {}
-        '''.format(
-            _("Applied run user"), apply_run_user,
-            _("Applied run asset"), apply_run_asset,
-            _("Applied run system user"), apply_run_system_user,
-            _("Applied run command"), apply_run_command,
-            _("Applied from session"), apply_from_session_id,
-            _("Applied from command filter rules"), apply_from_cmd_filter_rule_id,
-            _("Applied from command filter"), apply_from_cmd_filter_id,
-        )
-        return applied_body
diff --git a/apps/tickets/handler/login_asset_confirm.py b/apps/tickets/handler/login_asset_confirm.py
deleted file mode 100644
index 039f7ce50..000000000
--- a/apps/tickets/handler/login_asset_confirm.py
+++ /dev/null
@@ -1,21 +0,0 @@
-from django.utils.translation import ugettext as _
-from .base import BaseHandler
-
-
-class Handler(BaseHandler):
-
-    # body
-    def _construct_meta_body_of_open(self):
-        apply_login_user = self.ticket.meta.get('apply_login_user')
-        apply_login_asset = self.ticket.meta.get('apply_login_asset')
-        apply_login_system_user = self.ticket.meta.get('apply_login_system_user')
-        applied_body = '''
-            {}: {}
-            {}: {}
-            {}: {}
-        '''.format(
-            _("Applied login user"), apply_login_user,
-            _("Applied login asset"), apply_login_asset,
-            _("Applied login system user"), apply_login_system_user,
-        )
-        return applied_body
diff --git a/apps/tickets/handler/__init__.py b/apps/tickets/handlers/__init__.py
similarity index 70%
rename from apps/tickets/handler/__init__.py
rename to apps/tickets/handlers/__init__.py
index 42ef0d871..4400d043d 100644
--- a/apps/tickets/handler/__init__.py
+++ b/apps/tickets/handlers/__init__.py
@@ -2,6 +2,6 @@ from django.utils.module_loading import import_string
 
 
 def get_ticket_handler(ticket):
-    handler_class_path = 'tickets.handler.{}.Handler'.format(ticket.type)
+    handler_class_path = 'tickets.handlers.{}.Handler'.format(ticket.type)
     handler_class = import_string(handler_class_path)
     return handler_class(ticket=ticket)
diff --git a/apps/tickets/handlers/apply_application.py b/apps/tickets/handlers/apply_application.py
new file mode 100644
index 000000000..15c76c7e5
--- /dev/null
+++ b/apps/tickets/handlers/apply_application.py
@@ -0,0 +1,63 @@
+from django.utils.translation import ugettext as _
+
+from orgs.utils import tmp_to_org, tmp_to_root_org
+from perms.models import ApplicationPermission
+from tickets.models import ApplyApplicationTicket
+from .base import BaseHandler
+
+
+class Handler(BaseHandler):
+    ticket: ApplyApplicationTicket
+
+    def _on_step_approved(self, step):
+        is_finished = super()._on_step_approved(step)
+        if is_finished:
+            self._create_application_permission()
+
+    # permission
+    def _create_application_permission(self):
+        with tmp_to_root_org():
+            application_permission = ApplicationPermission.objects.filter(id=self.ticket.id).first()
+            if application_permission:
+                return application_permission
+
+        apply_permission_name = self.ticket.apply_permission_name
+        apply_category = self.ticket.apply_category
+        apply_type = self.ticket.apply_type
+        apply_applications = self.ticket.apply_applications.all()
+        apply_system_users = self.ticket.apply_system_users.all()
+        apply_date_start = self.ticket.apply_date_start
+        apply_date_expired = self.ticket.apply_date_expired
+        permission_created_by = '{}:{}'.format(
+            str(self.ticket.__class__.__name__), str(self.ticket.id)
+        )
+        permission_comment = _(
+            'Created by the ticket, '
+            'ticket title: {}, '
+            'ticket applicant: {}, '
+            'ticket processor: {}, '
+            'ticket ID: {}'
+        ).format(
+            self.ticket.title,
+            self.ticket.applicant,
+            ','.join([i['processor_display'] for i in self.ticket.process_map]),
+            str(self.ticket.id)
+        )
+        permissions_data = {
+            'id': self.ticket.id,
+            'name': apply_permission_name,
+            'from_ticket': True,
+            'category': apply_category,
+            'type': apply_type,
+            'comment': str(permission_comment),
+            'created_by': permission_created_by,
+            'date_start': apply_date_start,
+            'date_expired': apply_date_expired,
+        }
+        with tmp_to_org(self.ticket.org_id):
+            application_permission = ApplicationPermission.objects.create(**permissions_data)
+            application_permission.users.add(self.ticket.applicant)
+            application_permission.applications.set(apply_applications)
+            application_permission.system_users.set(apply_system_users)
+
+        return application_permission
diff --git a/apps/tickets/handlers/apply_asset.py b/apps/tickets/handlers/apply_asset.py
new file mode 100644
index 000000000..136347782
--- /dev/null
+++ b/apps/tickets/handlers/apply_asset.py
@@ -0,0 +1,64 @@
+from django.utils.translation import ugettext as _
+
+from perms.models import AssetPermission
+from orgs.utils import tmp_to_org, tmp_to_root_org
+from tickets.models import ApplyAssetTicket
+from .base import BaseHandler
+
+
+class Handler(BaseHandler):
+    ticket: ApplyAssetTicket
+
+    def _on_step_approved(self, step):
+        is_finished = super()._on_step_approved(step)
+        if is_finished:
+            self._create_asset_permission()
+
+    # permission
+    def _create_asset_permission(self):
+        with tmp_to_root_org():
+            asset_permission = AssetPermission.objects.filter(id=self.ticket.id).first()
+            if asset_permission:
+                return asset_permission
+
+        apply_permission_name = self.ticket.apply_permission_name
+        apply_nodes = self.ticket.apply_nodes.all()
+        apply_assets = self.ticket.apply_assets.all()
+        apply_system_users = self.ticket.apply_system_users.all()
+        apply_actions = self.ticket.apply_actions
+        apply_date_start = self.ticket.apply_date_start
+        apply_date_expired = self.ticket.apply_date_expired
+        permission_created_by = '{}:{}'.format(
+            str(self.ticket.__class__.__name__), str(self.ticket.id)
+        )
+        permission_comment = _(
+            'Created by the ticket '
+            'ticket title: {} '
+            'ticket applicant: {} '
+            'ticket processor: {} '
+            'ticket ID: {}'
+        ).format(
+            self.ticket.title,
+            self.ticket.applicant,
+            ','.join([i['processor_display'] for i in self.ticket.process_map]),
+            str(self.ticket.id)
+        )
+
+        permission_data = {
+            'id': self.ticket.id,
+            'name': apply_permission_name,
+            'from_ticket': True,
+            'comment': str(permission_comment),
+            'created_by': permission_created_by,
+            'actions': apply_actions,
+            'date_start': apply_date_start,
+            'date_expired': apply_date_expired,
+        }
+        with tmp_to_org(self.ticket.org_id):
+            asset_permission = AssetPermission.objects.create(**permission_data)
+            asset_permission.users.add(self.ticket.applicant)
+            asset_permission.nodes.set(apply_nodes)
+            asset_permission.assets.set(apply_assets)
+            asset_permission.system_users.set(apply_system_users)
+
+        return asset_permission
diff --git a/apps/tickets/handlers/base.py b/apps/tickets/handlers/base.py
new file mode 100644
index 000000000..308f9f914
--- /dev/null
+++ b/apps/tickets/handlers/base.py
@@ -0,0 +1,81 @@
+from django.utils.translation import ugettext as _
+
+from common.utils import get_logger
+from tickets.utils import (
+    send_ticket_processed_mail_to_applicant,
+    send_ticket_applied_mail_to_assignees
+)
+from tickets.const import TicketState, TicketStatus
+
+logger = get_logger(__name__)
+
+
+class BaseHandler:
+
+    def __init__(self, ticket):
+        self.ticket = ticket
+
+    def on_change_state(self, state):
+        self._create_state_change_comment(state)
+        handler = getattr(self, f'_on_{state}', lambda: None)
+        return handler()
+
+    def _on_pending(self):
+        self._send_applied_mail_to_assignees()
+
+    def on_step_state_change(self, step, state):
+        self._create_state_change_comment(state)
+        handler = getattr(self, f'_on_step_{state}', lambda: None)
+        return handler(step)
+
+    def _on_step_approved(self, step):
+        next_step = step.next()
+        is_finished = not next_step
+        if is_finished:
+            self._send_processed_mail_to_applicant(step)
+        else:
+            self._send_processed_mail_to_applicant(step)
+            self._send_applied_mail_to_assignees(next_step)
+        return is_finished
+
+    def _on_step_rejected(self, step):
+        self._send_processed_mail_to_applicant(step)
+
+    def _on_step_closed(self, step):
+        self._send_processed_mail_to_applicant()
+
+    def _send_applied_mail_to_assignees(self, step=None):
+        if step:
+            assignees = [step.assignee for step in step.ticket_assignees.all()]
+        else:
+            assignees = self.ticket.current_assignees
+        assignees_display = ', '.join([str(assignee) for assignee in assignees])
+        logger.debug('Send applied email to assignees: {}'.format(assignees_display))
+        send_ticket_applied_mail_to_assignees(self.ticket, assignees)
+
+    def _send_processed_mail_to_applicant(self, step=None):
+        applicant = self.ticket.applicant
+        if self.ticket.status == TicketStatus.closed:
+            processor = applicant
+        else:
+            processor = step.processor if step else self.ticket.processor
+        logger.debug('Send processed mail to applicant: {}'.format(applicant))
+        send_ticket_processed_mail_to_applicant(self.ticket, processor)
+
+    def _create_state_change_comment(self, state):
+        # 打开或关闭工单，备注显示是自己，其他是受理人
+        if state in [TicketState.reopen, TicketState.pending, TicketState.closed]:
+            user = self.ticket.applicant
+        else:
+            user = self.ticket.processor
+
+        user_display = str(user)
+        state_display = getattr(TicketState, state).label
+        data = {
+            'body': _('{} {} the ticket').format(user_display, state_display),
+            'user': user,
+            'user_display': str(user),
+            'type': 'state',
+            'state': state
+        }
+        return self.ticket.comments.create(**data)
diff --git a/apps/tickets/handlers/command_confirm.py b/apps/tickets/handlers/command_confirm.py
new file mode 100644
index 000000000..a34751b9d
--- /dev/null
+++ b/apps/tickets/handlers/command_confirm.py
@@ -0,0 +1,6 @@
+from tickets.models import ApplyCommandTicket
+from .base import BaseHandler
+
+
+class Handler(BaseHandler):
+    ticket: ApplyCommandTicket
diff --git a/apps/tickets/handler/general.py b/apps/tickets/handlers/general.py
similarity index 100%
rename from apps/tickets/handler/general.py
rename to apps/tickets/handlers/general.py
diff --git a/apps/tickets/handlers/login_asset_confirm.py b/apps/tickets/handlers/login_asset_confirm.py
new file mode 100644
index 000000000..16f156d4d
--- /dev/null
+++ b/apps/tickets/handlers/login_asset_confirm.py
@@ -0,0 +1,6 @@
+from tickets.models import ApplyLoginAssetTicket
+from .base import BaseHandler
+
+
+class Handler(BaseHandler):
+    ticket: ApplyLoginAssetTicket
diff --git a/apps/tickets/handler/login_confirm.py b/apps/tickets/handlers/login_confirm.py
similarity index 65%
rename from apps/tickets/handler/login_confirm.py
rename to apps/tickets/handlers/login_confirm.py
index 65c46fb56..ad33ce476 100644
--- a/apps/tickets/handler/login_confirm.py
+++ b/apps/tickets/handlers/login_confirm.py
@@ -1,14 +1,15 @@
 from django.utils.translation import ugettext as _
+from tickets.models import ApplyLoginTicket
 from .base import BaseHandler
 
 
 class Handler(BaseHandler):
+    ticket: ApplyLoginTicket
 
-    # body
     def _construct_meta_body_of_open(self):
-        apply_login_ip = self.ticket.meta.get('apply_login_ip')
-        apply_login_city = self.ticket.meta.get('apply_login_city')
-        apply_login_datetime = self.ticket.meta.get('apply_login_datetime')
+        apply_login_ip = self.ticket.apply_login_ip
+        apply_login_city = self.ticket.apply_login_city
+        apply_login_datetime = self.ticket.apply_login_datetime
         applied_body = '''
             {}: {}
             {}: {}
diff --git a/apps/tickets/migrations/0007_auto_20201224_1821.py b/apps/tickets/migrations/0007_auto_20201224_1821.py
index a16771ef9..31645b00f 100644
--- a/apps/tickets/migrations/0007_auto_20201224_1821.py
+++ b/apps/tickets/migrations/0007_auto_20201224_1821.py
@@ -3,7 +3,7 @@
 from django.conf import settings
 from django.db import migrations, models
 import django.db.models.deletion
-import tickets.models.ticket
+import common.db.encoder
 
 TICKET_TYPE_APPLY_ASSET = 'apply_asset'
 
@@ -116,7 +116,7 @@ class Migration(migrations.Migration):
         migrations.AddField(
             model_name='ticket',
             name='assignees_display_new',
-            field=models.JSONField(default=list, encoder=tickets.models.ticket.ModelJSONFieldEncoder, verbose_name='Assignees display'),
+            field=models.JSONField(default=list, encoder=common.db.encoder.ModelJSONFieldEncoder, verbose_name='Assignees display'),
         ),
         migrations.AlterField(
             model_name='ticket',
@@ -126,7 +126,7 @@ class Migration(migrations.Migration):
         migrations.AlterField(
             model_name='ticket',
             name='meta',
-            field=models.JSONField(default=dict, encoder=tickets.models.ticket.ModelJSONFieldEncoder, verbose_name='Meta'),
+            field=models.JSONField(default=dict, encoder=common.db.encoder.ModelJSONFieldEncoder, verbose_name='Meta'),
         ),
         migrations.AlterField(
             model_name='ticket',
diff --git a/apps/tickets/migrations/0016_auto_20220609_1758.py b/apps/tickets/migrations/0016_auto_20220609_1758.py
new file mode 100644
index 000000000..55d88385e
--- /dev/null
+++ b/apps/tickets/migrations/0016_auto_20220609_1758.py
@@ -0,0 +1,189 @@
+# Generated by Django 3.1.14 on 2022-06-09 09:58
+
+from django.conf import settings
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ('terminal', '0049_endpoint_redis_port'),
+        ('assets', '0090_auto_20220412_1145'),
+        ('applications', '0020_auto_20220316_2028'),
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+        ('tickets', '0015_superticket'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='ApplyLoginTicket',
+            fields=[
+                ('ticket_ptr',
+                 models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True,
+                                      primary_key=True, serialize=False, to='tickets.ticket')),
+                ('apply_login_ip', models.GenericIPAddressField(null=True, verbose_name='Login ip')),
+                ('apply_login_city', models.CharField(max_length=64, null=True, verbose_name='Login city')),
+                ('apply_login_datetime', models.DateTimeField(null=True, verbose_name='Login datetime')),
+            ],
+            options={
+                'abstract': False,
+            },
+            bases=('tickets.ticket',),
+        ),
+        migrations.RemoveField(
+            model_name='ticket',
+            name='process_map',
+        ),
+        migrations.AddField(
+            model_name='comment',
+            name='state',
+            field=models.CharField(max_length=16, null=True),
+        ),
+        migrations.AddField(
+            model_name='comment',
+            name='type',
+            field=models.CharField(choices=[('state', 'State'), ('common', 'common')], default='common', max_length=16,
+                                   verbose_name='Type'),
+        ),
+        migrations.AddField(
+            model_name='ticket',
+            name='rel_snapshot',
+            field=models.JSONField(default=dict, verbose_name='Relation snapshot'),
+        ),
+        migrations.AddField(
+            model_name='ticketstep',
+            name='status',
+            field=models.CharField(choices=[('pending', 'Pending'), ('active', 'Active'), ('closed', 'Closed')],
+                                   default='pending', max_length=16),
+        ),
+        migrations.AlterField(
+            model_name='ticket',
+            name='state',
+            field=models.CharField(choices=[('pending', 'Pending'), ('approved', 'Approved'), ('rejected', 'Rejected'),
+                                            ('closed', 'Cancel'), ('reopen', 'Reopen')], default='pending',
+                                   max_length=16, verbose_name='State'),
+        ),
+        migrations.AlterField(
+            model_name='ticket',
+            name='status',
+            field=models.CharField(choices=[('open', 'Open'), ('closed', 'Finished')], default='open', max_length=16,
+                                   verbose_name='Status'),
+        ),
+        migrations.AlterField(
+            model_name='ticketassignee',
+            name='state',
+            field=models.CharField(choices=[('pending', 'Pending'), ('approved', 'Approved'), ('rejected', 'Rejected'),
+                                            ('closed', 'Cancel'), ('reopen', 'Reopen')], default='pending',
+                                   max_length=64),
+        ),
+        migrations.AlterField(
+            model_name='ticketstep',
+            name='state',
+            field=models.CharField(choices=[('pending', 'Pending'), ('approved', 'Approved'), ('rejected', 'Rejected'),
+                                            ('closed', 'Closed')], default='pending', max_length=64,
+                                   verbose_name='State'),
+        ),
+        migrations.CreateModel(
+            name='ApplyLoginAssetTicket',
+            fields=[
+                ('ticket_ptr',
+                 models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True,
+                                      primary_key=True, serialize=False, to='tickets.ticket')),
+                ('apply_login_asset',
+                 models.ForeignKey(null=True, on_delete=django.db.models.deletion.SET_NULL, to='assets.asset',
+                                   verbose_name='Login asset')),
+                ('apply_login_system_user',
+                 models.ForeignKey(null=True, on_delete=django.db.models.deletion.SET_NULL, to='assets.systemuser',
+                                   verbose_name='Login system user')),
+                ('apply_login_user',
+                 models.ForeignKey(null=True, on_delete=django.db.models.deletion.SET_NULL, to=settings.AUTH_USER_MODEL,
+                                   verbose_name='Login user')),
+            ],
+            options={
+                'abstract': False,
+            },
+            bases=('tickets.ticket',),
+        ),
+        migrations.CreateModel(
+            name='ApplyCommandTicket',
+            fields=[
+                ('ticket_ptr',
+                 models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True,
+                                      primary_key=True, serialize=False, to='tickets.ticket')),
+                ('apply_run_command', models.CharField(max_length=4096, verbose_name='Run command')),
+                ('apply_from_cmd_filter',
+                 models.ForeignKey(null=True, on_delete=django.db.models.deletion.SET_NULL, to='assets.commandfilter',
+                                   verbose_name='From cmd filter')),
+                ('apply_from_cmd_filter_rule',
+                 models.ForeignKey(null=True, on_delete=django.db.models.deletion.SET_NULL,
+                                   to='assets.commandfilterrule', verbose_name='From cmd filter rule')),
+                ('apply_from_session',
+                 models.ForeignKey(null=True, on_delete=django.db.models.deletion.SET_NULL, to='terminal.session',
+                                   verbose_name='Session')),
+                ('apply_run_asset',
+                 models.ForeignKey(null=True, on_delete=django.db.models.deletion.SET_NULL, to='assets.asset',
+                                   verbose_name='Run asset')),
+                ('apply_run_system_user',
+                 models.ForeignKey(null=True, on_delete=django.db.models.deletion.SET_NULL, to='assets.systemuser',
+                                   verbose_name='Run system user')),
+                ('apply_run_user',
+                 models.ForeignKey(null=True, on_delete=django.db.models.deletion.SET_NULL, to=settings.AUTH_USER_MODEL,
+                                   verbose_name='Run user')),
+            ],
+            options={
+                'abstract': False,
+            },
+            bases=('tickets.ticket',),
+        ),
+        migrations.CreateModel(
+            name='ApplyAssetTicket',
+            fields=[
+                ('ticket_ptr',
+                 models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True,
+                                      primary_key=True, serialize=False, to='tickets.ticket')),
+                ('apply_permission_name', models.CharField(max_length=128, verbose_name='Apply name')),
+                ('apply_actions', models.IntegerField(
+                    choices=[(255, 'All'), (1, 'Connect'), (2, 'Upload file'), (4, 'Download file'),
+                             (6, 'Upload download'), (8, 'Clipboard copy'), (16, 'Clipboard paste'),
+                             (24, 'Clipboard copy paste')], default=255, verbose_name='Actions')),
+                ('apply_date_start', models.DateTimeField(null=True, verbose_name='Date start')),
+                ('apply_date_expired', models.DateTimeField(null=True, verbose_name='Date expired')),
+                ('apply_assets', models.ManyToManyField(to='assets.Asset', verbose_name='Apply assets')),
+                ('apply_nodes', models.ManyToManyField(to='assets.Node', verbose_name='Apply nodes')),
+                ('apply_system_users',
+                 models.ManyToManyField(to='assets.SystemUser', verbose_name='Apply system users')),
+            ],
+            options={
+                'abstract': False,
+            },
+            bases=('tickets.ticket',),
+        ),
+        migrations.CreateModel(
+            name='ApplyApplicationTicket',
+            fields=[
+                ('ticket_ptr',
+                 models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True,
+                                      primary_key=True, serialize=False, to='tickets.ticket')),
+                ('apply_permission_name', models.CharField(max_length=128, verbose_name='Apply name')),
+                ('apply_category',
+                 models.CharField(choices=[('db', 'Database'), ('remote_app', 'Remote app'), ('cloud', 'Cloud')],
+                                  max_length=16, verbose_name='Category')),
+                ('apply_type', models.CharField(
+                    choices=[('mysql', 'MySQL'), ('mariadb', 'MariaDB'), ('oracle', 'Oracle'),
+                             ('postgresql', 'PostgreSQL'), ('sqlserver', 'SQLServer'), ('redis', 'Redis'),
+                             ('mongodb', 'MongoDB'), ('chrome', 'Chrome'), ('mysql_workbench', 'MySQL Workbench'),
+                             ('vmware_client', 'vSphere Client'), ('custom', 'Custom'), ('k8s', 'Kubernetes')],
+                    max_length=16, verbose_name='Type')),
+                ('apply_date_start', models.DateTimeField(null=True, verbose_name='Date start')),
+                ('apply_date_expired', models.DateTimeField(null=True, verbose_name='Date expired')),
+                ('apply_applications',
+                 models.ManyToManyField(to='applications.Application', verbose_name='Apply applications')),
+                ('apply_system_users',
+                 models.ManyToManyField(to='assets.SystemUser', verbose_name='Apply system users')),
+            ],
+            options={
+                'abstract': False,
+            },
+            bases=('tickets.ticket',),
+        ),
+    ]
diff --git a/apps/tickets/migrations/0017_auto_20220623_1027.py b/apps/tickets/migrations/0017_auto_20220623_1027.py
new file mode 100644
index 000000000..7ac1c9eb2
--- /dev/null
+++ b/apps/tickets/migrations/0017_auto_20220623_1027.py
@@ -0,0 +1,339 @@
+# Generated by Django 3.1.14 on 2022-06-23 02:27
+
+import re
+from datetime import datetime
+from collections import defaultdict
+
+from django.utils import timezone as dj_timezone
+from django.db import migrations
+
+from perms.models import Action
+from tickets.const import TicketType
+
+pt = re.compile(r'(\w+)\((\w+)\)')
+
+
+def time_conversion(t):
+    if not t:
+        return
+    try:
+        return datetime.strptime(t, '%Y-%m-%d %H:%M:%S'). \
+            astimezone(dj_timezone.get_current_timezone())
+    except Exception:
+        return
+
+
+nodes_dict = defaultdict(set)
+assets_dict = defaultdict(set)
+system_users_dict = defaultdict(set)
+apps_dict = defaultdict(set)
+global_inited = {}
+
+
+def init_global_dict(apps):
+    if global_inited:
+        return
+    node_model = apps.get_model('assets', 'Node')
+    asset_model = apps.get_model('assets', 'Asset')
+    system_user_model = apps.get_model('assets', 'SystemUser')
+    application_model = apps.get_model('applications', 'Application')
+
+    node_qs = node_model.objects.values('id', 'org_id')
+    asset_qs = asset_model.objects.values('id', 'org_id')
+    system_user_qs = system_user_model.objects.values('id', 'org_id')
+    app_qs = application_model.objects.values('id', 'org_id')
+
+    for d, qs in [
+        (nodes_dict, node_qs),
+        (assets_dict, asset_qs),
+        (system_users_dict, system_user_qs),
+        (apps_dict, app_qs)
+    ]:
+        for i in qs:
+            _id = str(i['id'])
+            org_id = str(i['org_id'])
+            d[org_id].add(_id)
+    global_inited['inited'] = True
+
+
+def apply_asset_migrate(apps, *args):
+    init_global_dict(apps)
+
+    ticket_model = apps.get_model('tickets', 'Ticket')
+    tickets = ticket_model.objects.filter(type=TicketType.apply_asset)
+    ticket_apply_asset_model = apps.get_model('tickets', 'ApplyAssetTicket')
+
+    for instance in tickets:
+        meta = instance.meta
+        org_id = instance.org_id
+        apply_actions = meta.get('apply_actions')
+
+        # 数据库中数据结构有问题，可能是 list，可能是 int
+        if isinstance(apply_actions, list):
+            apply_actions = Action.choices_to_value(value=apply_actions)
+        elif isinstance(apply_actions, int):
+            apply_actions = apply_actions
+        else:
+            apply_actions = 0
+
+        data = {
+            'ticket_ptr_id': instance.pk,
+            'apply_permission_name': meta.get('apply_permission_name', ''),
+            'apply_date_start': time_conversion(meta.get('apply_date_start')),
+            'apply_date_expired': time_conversion(meta.get('apply_date_expired')),
+            'apply_actions': apply_actions,
+        }
+
+        child = ticket_apply_asset_model(**data)
+        child.__dict__.update(instance.__dict__)
+        child.save()
+
+        apply_nodes = list(set(meta.get('apply_nodes', [])) & nodes_dict[org_id])
+        apply_assets = list(set(meta.get('apply_assets', [])) & assets_dict[org_id])
+        apply_system_users = list(set(meta.get('apply_system_users', [])) & system_users_dict[org_id])
+        child.apply_nodes.set(apply_nodes)
+        child.apply_assets.set(apply_assets)
+        child.apply_system_users.set(apply_system_users)
+
+        if (not apply_nodes and not apply_assets) or not apply_system_users:
+            continue
+
+        rel_snapshot = {
+            'applicant': instance.applicant_display,
+            'apply_nodes': meta.get('apply_nodes_display', []),
+            'apply_assets': meta.get('apply_assets_display', []),
+            'apply_system_users': meta.get('apply_system_users', []),
+        }
+        instance.rel_snapshot = rel_snapshot
+        instance.save(update_fields=['rel_snapshot'])
+
+
+def apply_application_migrate(apps, *args):
+    init_global_dict(apps)
+
+    ticket_model = apps.get_model('tickets', 'Ticket')
+    tickets = ticket_model.objects.filter(type=TicketType.apply_application)
+    ticket_apply_app_model = apps.get_model('tickets', 'ApplyApplicationTicket')
+
+    for instance in tickets:
+        meta = instance.meta
+        org_id = instance.org_id
+        data = {
+            'ticket_ptr_id': instance.pk,
+            'apply_permission_name': meta.get('apply_permission_name', ''),
+            'apply_category': meta.get('apply_category'),
+            'apply_type': meta.get('apply_type'),
+            'apply_date_start': time_conversion(meta.get('apply_date_start')),
+            'apply_date_expired': time_conversion(meta.get('apply_date_expired')),
+        }
+        child = ticket_apply_app_model(**data)
+        child.__dict__.update(instance.__dict__)
+        child.save()
+
+        apply_applications = list(set(meta.get('apply_applications', [])) & apps_dict[org_id])
+        apply_system_users = list(set(meta.get('apply_system_users', [])) & system_users_dict[org_id])
+        if not apply_applications or not apply_system_users:
+            continue
+        child.apply_applications.set(apply_applications)
+        child.apply_system_users.set(apply_system_users)
+
+        rel_snapshot = {
+            'applicant': instance.applicant_display,
+            'apply_applications': meta.get('apply_applications_display', []),
+            'apply_system_users': meta.get('apply_system_users', []),
+        }
+        instance.rel_snapshot = rel_snapshot
+        instance.save(update_fields=['rel_snapshot'])
+
+
+def login_confirm_migrate(apps, *args):
+    ticket_model = apps.get_model('tickets', 'Ticket')
+    tickets = ticket_model.objects.filter(type=TicketType.login_confirm)
+    ticket_apply_login_model = apps.get_model('tickets', 'ApplyLoginTicket')
+
+    for instance in tickets:
+        meta = instance.meta
+        data = {
+            'ticket_ptr_id': instance.pk,
+            'apply_login_ip': meta.get('apply_login_ip'),
+            'apply_login_city': meta.get('apply_login_city'),
+            'apply_login_datetime': time_conversion(meta.get('apply_login_datetime')),
+        }
+        rel_snapshot = {
+            'applicant': instance.applicant_display
+        }
+        instance.rel_snapshot = rel_snapshot
+        instance.save(update_fields=['rel_snapshot'])
+        child = ticket_apply_login_model(**data)
+        child.__dict__.update(instance.__dict__)
+        child.save()
+
+
+def analysis_instance_name(name: str):
+    if not name:
+        return None
+    matched = pt.match(name)
+    if not matched:
+        return None
+    return matched.groups()
+
+
+def login_asset_confirm_migrate(apps, *args):
+    user_model = apps.get_model('users', 'User')
+    asset_model = apps.get_model('assets', 'Asset')
+    system_user_model = apps.get_model('assets', 'SystemUser')
+    ticket_model = apps.get_model('tickets', 'Ticket')
+    tickets = ticket_model.objects.filter(type=TicketType.login_asset_confirm)
+    ticket_apply_login_asset_model = apps.get_model('tickets', 'ApplyLoginAssetTicket')
+
+    for instance in tickets:
+        meta = instance.meta
+
+        name_username = analysis_instance_name(meta.get('apply_login_user'))
+        apply_login_user = user_model.objects.filter(
+            name=name_username[0],
+            username=name_username[1]
+        ).first() if name_username else None
+
+        hostname_ip = analysis_instance_name(meta.get('apply_login_asset'))
+        apply_login_asset = asset_model.objects.filter(
+            org_id=instance.org_id,
+            hostname=hostname_ip[0],
+            ip=hostname_ip[1]
+        ).first() if hostname_ip else None
+
+        name_username = analysis_instance_name(meta.get('apply_login_system_user'))
+        apply_login_system_user = system_user_model.objects.filter(
+            org_id=instance.org_id,
+            name=name_username[0],
+            username=name_username[1]
+        ).first() if name_username else None
+
+        data = {
+            'ticket_ptr_id': instance.pk,
+            'apply_login_user': apply_login_user,
+            'apply_login_asset': apply_login_asset,
+            'apply_login_system_user': apply_login_system_user,
+        }
+        child = ticket_apply_login_asset_model(**data)
+        child.__dict__.update(instance.__dict__)
+        child.save()
+
+        rel_snapshot = {
+            'applicant': instance.applicant_display,
+            'apply_login_user': meta.get('apply_login_user', ''),
+            'apply_login_asset': meta.get('apply_login_asset', ''),
+            'apply_login_system_user': meta.get('apply_login_system_user', ''),
+        }
+        instance.rel_snapshot = rel_snapshot
+        instance.save(update_fields=['rel_snapshot'])
+
+
+def command_confirm_migrate(apps, *args):
+    user_model = apps.get_model('users', 'User')
+    asset_model = apps.get_model('assets', 'Asset')
+    system_user_model = apps.get_model('assets', 'SystemUser')
+    ticket_model = apps.get_model('tickets', 'Ticket')
+    session_model = apps.get_model('terminal', 'Session')
+    command_filter_model = apps.get_model('assets', 'CommandFilter')
+    command_filter_rule_model = apps.get_model('assets', 'CommandFilterRule')
+
+    tickets = ticket_model.objects.filter(type=TicketType.command_confirm)
+    session_ids = tickets.values_list('meta__apply_from_session_id', flat=True)
+    session_ids = session_model.objects.filter(id__in=session_ids).values_list('id', flat=True)
+
+    command_filter_ids = tickets.values_list('meta__apply_from_cmd_filter_id', flat=True)
+    command_filter_ids = command_filter_model.objects\
+        .filter(id__in=command_filter_ids)\
+        .values_list('id', flat=True)
+
+    command_filter_rule_ids = tickets.values_list('meta__apply_from_cmd_filter_rule_id', flat=True)
+    command_filter_rule_ids = command_filter_rule_model.objects\
+        .filter(id__in=command_filter_rule_ids)\
+        .values_list('id', flat=True)
+    ticket_apply_command_model = apps.get_model('tickets', 'ApplyCommandTicket')
+
+    for instance in tickets:
+        meta = instance.meta
+
+        name_username = analysis_instance_name(meta.get('apply_run_user'))
+        apply_run_user = user_model.objects.filter(
+            name=name_username[0], username=name_username[1]
+        ).first() if name_username else None
+
+        hostname_ip = analysis_instance_name(meta.get('apply_run_asset'))
+        apply_run_asset = asset_model.objects.filter(
+            org_id=instance.org_id, hostname=hostname_ip[0], ip=hostname_ip[1]
+        ).first() if hostname_ip else None
+
+        name_username = analysis_instance_name(meta.get('apply_run_system_user'))
+        apply_run_system_user = system_user_model.objects.filter(
+            org_id=instance.org_id, name=name_username[0], username=name_username[1]
+        ).first() if name_username else None
+
+        apply_from_session_id = meta.get('apply_from_session_id')
+        apply_from_cmd_filter_id = meta.get('apply_from_cmd_filter_id')
+        apply_from_cmd_filter_rule_id = meta.get('apply_from_cmd_filter_rule_id')
+
+        if apply_from_session_id not in session_ids:
+            apply_from_session_id = None
+        if apply_from_cmd_filter_id not in command_filter_ids:
+            apply_from_cmd_filter_id = None
+        if apply_from_cmd_filter_rule_id not in command_filter_rule_ids:
+            apply_from_cmd_filter_rule_id = None
+
+        data = {
+            'ticket_ptr_id': instance.pk,
+            'apply_run_user': apply_run_user,
+            'apply_run_asset': apply_run_asset,
+            'apply_run_system_user': apply_run_system_user,
+            'apply_run_command': meta.get('apply_run_command', ''),
+            'apply_from_session_id': apply_from_session_id,
+            'apply_from_cmd_filter_id': apply_from_cmd_filter_id,
+            'apply_from_cmd_filter_rule_id': apply_from_cmd_filter_rule_id,
+        }
+
+        rel_snapshot = {
+            'applicant': instance.applicant_display,
+            'apply_run_user': meta.get('apply_run_user', ''),
+            'apply_run_asset': meta.get('apply_run_asset', ''),
+            'apply_run_system_user': meta.get('apply_run_system_user', ''),
+            'apply_from_session': meta.get('apply_from_session_id', ''),
+            'apply_from_cmd_filter': meta.get('apply_from_cmd_filter_id', ''),
+            'apply_from_cmd_filter_rule': meta.get('apply_from_cmd_filter_rule_id', ''),
+        }
+        child = ticket_apply_command_model(**data)
+        child.__dict__.update(instance.__dict__)
+        child.save()
+
+        instance.rel_snapshot = rel_snapshot
+        instance.save(update_fields=['rel_snapshot'])
+
+
+def migrate_ticket_state(apps, *args):
+    ticket_model = apps.get_model('tickets', 'Ticket')
+    ticket_step_model = apps.get_model('tickets', 'TicketStep')
+    ticket_assignee_model = apps.get_model('tickets', 'TicketAssignee')
+    ticket_model.objects.filter(state='open').update(state='pending')
+    ticket_step_model.objects.filter(state='notified').update(state='pending')
+    ticket_assignee_model.objects.filter(state='notified').update(state='pending')
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('tickets', '0016_auto_20220609_1758'),
+    ]
+
+    operations = [
+        migrations.RunPython(migrate_ticket_state),
+        migrations.RunPython(apply_asset_migrate),
+        migrations.RunPython(apply_application_migrate),
+        migrations.RunPython(login_confirm_migrate),
+        migrations.RunPython(login_asset_confirm_migrate),
+        migrations.RunPython(command_confirm_migrate),
+        migrations.RemoveField(
+            model_name='ticket',
+            name='applicant_display',
+        ),
+    ]
diff --git a/apps/tickets/models/comment.py b/apps/tickets/models/comment.py
index c08b29dbe..f15057d7e 100644
--- a/apps/tickets/models/comment.py
+++ b/apps/tickets/models/comment.py
@@ -9,6 +9,10 @@ __all__ = ['Comment']
 
 
 class Comment(CommonModelMixin):
+    class Type(models.TextChoices):
+        state = 'state', _('State')
+        common = 'common', _('common')
+
     ticket = models.ForeignKey(
         'tickets.Ticket', on_delete=models.CASCADE, related_name='comments'
     )
@@ -18,6 +22,10 @@ class Comment(CommonModelMixin):
     )
     user_display = models.CharField(max_length=256, verbose_name=_("User display name"))
     body = models.TextField(verbose_name=_("Body"))
+    type = models.CharField(
+        max_length=16, choices=Type.choices, default=Type.common, verbose_name=_("Type")
+    )
+    state = models.CharField(max_length=16, null=True)
 
     class Meta:
         ordering = ('date_created', )
diff --git a/apps/tickets/models/flow.py b/apps/tickets/models/flow.py
index 69aa6c432..4dd468f57 100644
--- a/apps/tickets/models/flow.py
+++ b/apps/tickets/models/flow.py
@@ -5,17 +5,18 @@ from django.utils.translation import ugettext_lazy as _
 
 from users.models import User
 from common.mixins.models import CommonModelMixin
+
 from orgs.mixins.models import OrgModelMixin
 from orgs.models import Organization
 from orgs.utils import tmp_to_org, get_current_org_id
-from ..const import TicketType, TicketApprovalLevel, TicketApprovalStrategy
+from ..const import TicketType, TicketLevel, TicketApprovalStrategy
 
 __all__ = ['TicketFlow', 'ApprovalRule']
 
 
 class ApprovalRule(CommonModelMixin):
     level = models.SmallIntegerField(
-        default=TicketApprovalLevel.one, choices=TicketApprovalLevel.choices,
+        default=TicketLevel.one, choices=TicketLevel.choices,
         verbose_name=_('Approve level')
     )
     strategy = models.CharField(
@@ -56,8 +57,8 @@ class TicketFlow(CommonModelMixin, OrgModelMixin):
         default=TicketType.general, verbose_name=_("Type")
     )
     approval_level = models.SmallIntegerField(
-        default=TicketApprovalLevel.one,
-        choices=TicketApprovalLevel.choices,
+        default=TicketLevel.one,
+        choices=TicketLevel.choices,
         verbose_name=_('Approve level')
     )
     rules = models.ManyToManyField(ApprovalRule, related_name='ticket_flows')
diff --git a/apps/tickets/models/ticket.py b/apps/tickets/models/ticket.py
deleted file mode 100644
index c05fa8b3b..000000000
--- a/apps/tickets/models/ticket.py
+++ /dev/null
@@ -1,328 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-from typing import Callable
-
-from django.db import models
-from django.db.models import Q
-from django.utils.translation import ugettext_lazy as _
-from django.db.utils import IntegrityError
-
-from common.exceptions import JMSException
-from common.utils.timezone import as_current_tz
-from common.mixins.models import CommonModelMixin
-from common.db.encoder import ModelJSONFieldEncoder
-from orgs.mixins.models import OrgModelMixin
-from orgs.utils import tmp_to_root_org, tmp_to_org
-from tickets.const import TicketType, TicketStatus, TicketState, TicketApprovalLevel, ProcessStatus, TicketAction
-from tickets.signals import post_change_ticket_action
-from tickets.handler import get_ticket_handler
-from tickets.errors import AlreadyClosed
-
-__all__ = ['Ticket', 'TicketStep', 'TicketAssignee', 'SuperTicket']
-
-
-class TicketStep(CommonModelMixin):
-    ticket = models.ForeignKey(
-        'Ticket', related_name='ticket_steps', on_delete=models.CASCADE, verbose_name='Ticket'
-    )
-    level = models.SmallIntegerField(
-        default=TicketApprovalLevel.one, choices=TicketApprovalLevel.choices,
-        verbose_name=_('Approve level')
-    )
-    state = models.CharField(choices=ProcessStatus.choices, max_length=64, default=ProcessStatus.notified)
-
-    class Meta:
-        verbose_name = _("Ticket step")
-
-
-class TicketAssignee(CommonModelMixin):
-    assignee = models.ForeignKey(
-        'users.User', related_name='ticket_assignees', on_delete=models.CASCADE, verbose_name='Assignee'
-    )
-    state = models.CharField(choices=ProcessStatus.choices, max_length=64, default=ProcessStatus.notified)
-    step = models.ForeignKey('tickets.TicketStep', related_name='ticket_assignees', on_delete=models.CASCADE)
-
-    class Meta:
-        verbose_name = _('Ticket assignee')
-
-    def __str__(self):
-        return '{0.assignee.name}({0.assignee.username})_{0.step}'.format(self)
-
-
-class StatusMixin:
-    state: str
-    status: str
-    applicant: models.ForeignKey
-    current_node: models.Manager
-    save: Callable
-
-    def set_state_approve(self):
-        self.state = TicketState.approved
-
-    def set_state_reject(self):
-        self.state = TicketState.rejected
-
-    def set_state_closed(self):
-        self.state = TicketState.closed
-
-    def set_status_closed(self):
-        self.status = TicketStatus.closed
-
-    # status
-    @property
-    def status_open(self):
-        return self.status == TicketStatus.open.value
-
-    @property
-    def status_closed(self):
-        return self.status == TicketStatus.closed.value
-
-    @property
-    def state_open(self):
-        return self.state == TicketState.open.value
-
-    @property
-    def state_approve(self):
-        return self.state == TicketState.approved.value
-
-    @property
-    def state_reject(self):
-        return self.state == TicketState.rejected.value
-
-    @property
-    def state_close(self):
-        return self.state == TicketState.closed.value
-
-    # action changed
-    def open(self, applicant):
-        self.applicant = applicant
-        self._change_action(TicketAction.open)
-
-    def approve(self, processor):
-        self.update_current_step_state_and_assignee(processor, TicketState.approved)
-        self._change_action(TicketAction.approve)
-
-    def reject(self, processor):
-        self.update_current_step_state_and_assignee(processor, TicketState.rejected)
-        self._change_action(TicketAction.reject)
-
-    def close(self, processor):
-        self.update_current_step_state_and_assignee(processor, TicketState.closed)
-        self._change_action(TicketAction.close)
-
-    def update_current_step_state_and_assignee(self, processor, state):
-        if self.status_closed:
-            raise AlreadyClosed
-        if state != TicketState.approved:
-            self.state = state
-        current_node = self.current_node
-        current_node.update(state=state)
-        current_node.first().ticket_assignees.filter(assignee=processor).update(state=state)
-
-    def _change_action(self, action):
-        self.save()
-        post_change_ticket_action.send(sender=self.__class__, ticket=self, action=action)
-
-
-class Ticket(CommonModelMixin, StatusMixin, OrgModelMixin):
-    title = models.CharField(max_length=256, verbose_name=_("Title"))
-    type = models.CharField(
-        max_length=64, choices=TicketType.choices,
-        default=TicketType.general, verbose_name=_("Type")
-    )
-    meta = models.JSONField(encoder=ModelJSONFieldEncoder, default=dict, verbose_name=_("Meta"))
-    state = models.CharField(
-        max_length=16, choices=TicketState.choices,
-        default=TicketState.open, verbose_name=_("State")
-    )
-    status = models.CharField(
-        max_length=16, choices=TicketStatus.choices,
-        default=TicketStatus.open, verbose_name=_("Status")
-    )
-    approval_step = models.SmallIntegerField(
-        default=TicketApprovalLevel.one, choices=TicketApprovalLevel.choices,
-        verbose_name=_('Approval step')
-    )
-    # 申请人
-    applicant = models.ForeignKey(
-        'users.User', related_name='applied_tickets', on_delete=models.SET_NULL, null=True,
-        verbose_name=_("Applicant")
-    )
-    applicant_display = models.CharField(max_length=256, default='', verbose_name=_("Applicant display"))
-    process_map = models.JSONField(encoder=ModelJSONFieldEncoder, default=list, verbose_name=_("Process"))
-    # 评论
-    comment = models.TextField(default='', blank=True, verbose_name=_('Comment'))
-    flow = models.ForeignKey(
-        'TicketFlow', related_name='tickets', on_delete=models.SET_NULL, null=True,
-        verbose_name=_("TicketFlow")
-    )
-    serial_num = models.CharField(max_length=128, unique=True, null=True, verbose_name=_('Serial number'))
-
-    class Meta:
-        ordering = ('-date_created',)
-        verbose_name = _('Ticket')
-
-    def __str__(self):
-        return '{}({})'.format(self.title, self.applicant_display)
-
-    # type
-    @property
-    def type_apply_asset(self):
-        return self.type == TicketType.apply_asset.value
-
-    @property
-    def type_apply_application(self):
-        return self.type == TicketType.apply_application.value
-
-    @property
-    def type_login_confirm(self):
-        return self.type == TicketType.login_confirm.value
-
-    @property
-    def current_node(self):
-        return self.ticket_steps.filter(level=self.approval_step)
-
-    @property
-    def processor(self):
-        processor = self.current_node.first().ticket_assignees\
-            .exclude(state=ProcessStatus.notified).first()
-        return processor.assignee if processor else None
-
-    def ignore_applicant(self, assignees, applicant=None):
-        applicant = applicant if applicant else self.applicant
-        if len(assignees) != 1:
-            assignees = set(assignees) - {applicant, }
-        return list(assignees)
-
-    def create_related_node(self, applicant=None):
-        org_id = self.flow.org_id
-        approval_rule = self.get_current_ticket_flow_approve()
-        ticket_step = TicketStep.objects.create(ticket=self, level=self.approval_step)
-        ticket_assignees = []
-        assignees = approval_rule.get_assignees(org_id=org_id)
-        assignees = self.ignore_applicant(assignees, applicant)
-        for assignee in assignees:
-            ticket_assignees.append(TicketAssignee(step=ticket_step, assignee=assignee))
-        TicketAssignee.objects.bulk_create(ticket_assignees)
-
-    def create_process_map(self, applicant=None):
-        org_id = self.flow.org_id
-        approval_rules = self.flow.rules.order_by('level')
-        nodes = list()
-        for node in approval_rules:
-            assignees = node.get_assignees(org_id=org_id)
-            assignees = self.ignore_applicant(assignees, applicant)
-            assignee_ids = [assignee.id for assignee in assignees]
-            assignees_display = [str(assignee) for assignee in assignees]
-            nodes.append(
-                {
-                    'approval_level': node.level,
-                    'state': ProcessStatus.notified,
-                    'assignees': assignee_ids,
-                    'assignees_display': assignees_display
-                }
-            )
-        return nodes
-
-    # TODO 兼容不存在流的工单
-    def create_process_map_and_node(self, assignees, applicant):
-        assignees = self.ignore_applicant(assignees, applicant)
-        self.process_map = [{
-            'approval_level': 1,
-            'state': 'notified',
-            'assignees': [assignee.id for assignee in assignees],
-            'assignees_display': [str(assignee) for assignee in assignees]
-        }, ]
-        self.save()
-        ticket_step = TicketStep.objects.create(ticket=self, level=1)
-        ticket_assignees = []
-        for assignee in assignees:
-            ticket_assignees.append(TicketAssignee(step=ticket_step, assignee=assignee))
-        TicketAssignee.objects.bulk_create(ticket_assignees)
-
-    def has_current_assignee(self, assignee):
-        return self.ticket_steps.filter(ticket_assignees__assignee=assignee, level=self.approval_step).exists()
-
-    def has_all_assignee(self, assignee):
-        return self.ticket_steps.filter(ticket_assignees__assignee=assignee).exists()
-
-    @classmethod
-    def get_user_related_tickets(cls, user):
-        queries = Q(applicant=user) | Q(ticket_steps__ticket_assignees__assignee=user)
-        tickets = cls.all().filter(queries).distinct()
-        return tickets
-
-    def get_current_ticket_flow_approve(self):
-        return self.flow.rules.filter(level=self.approval_step).first()
-
-    @classmethod
-    def all(cls):
-        with tmp_to_root_org():
-            return Ticket.objects.all()
-
-    def save(self, *args, **kwargs):
-        """ 确保保存的org_id的是自身的值 """
-        with tmp_to_org(self.org_id):
-            return super().save(*args, **kwargs)
-
-    @property
-    def handler(self):
-        return get_ticket_handler(ticket=self)
-
-    # body
-    @property
-    def body(self):
-        _body = self.handler.get_body()
-        return _body
-
-    def get_serial_num_date(self):
-        date_created = as_current_tz(self.date_created)
-        date = date_created.strftime('%Y%m%d')
-        return date
-
-    def get_last_serail_num(self):
-        date_created = as_current_tz(self.date_created)
-        date_prefix = date_created.strftime('%Y%m%d')
-
-        ticket = Ticket.all().select_for_update().filter(
-            serial_num__startswith=date_prefix
-        ).order_by('-date_created').first()
-
-        if ticket:
-            # 202212010001
-            num_str = ticket.serial_num[8:]
-            num = int(num_str)
-            return num
-        return None
-
-    def get_next_serail_num(self):
-        num = self.get_last_serail_num()
-        if num is None:
-            num = 0
-        return '%04d' % (num + 1)
-
-    def construct_serial_num(self):
-        date_prefix = self.get_serial_num_date()
-        num_suffix = self.get_next_serail_num()
-        return date_prefix + num_suffix
-
-    def update_serial_num_if_need(self):
-        if self.serial_num:
-            return
-
-        try:
-            self.serial_num = self.construct_serial_num()
-            self.save(update_fields=('serial_num',))
-        except IntegrityError as e:
-            if e.args[0] == 1062:
-                # 虽然做了 `select_for_update` 但是每天的第一条工单仍可能造成冲突
-                # 但概率小，这里只报错，用户重新提交即可
-                raise JMSException(detail=_('Please try again'), code='please_try_again')
-
-            raise e
-
-
-class SuperTicket(Ticket):
-    class Meta:
-        proxy = True
-        verbose_name = _("Super ticket")
diff --git a/apps/tickets/models/ticket/__init__.py b/apps/tickets/models/ticket/__init__.py
new file mode 100644
index 000000000..c13cea9b1
--- /dev/null
+++ b/apps/tickets/models/ticket/__init__.py
@@ -0,0 +1,6 @@
+from .general import *
+from .apply_asset import *
+from .apply_application import *
+from .command_confirm import *
+from .login_asset_confirm import *
+from .login_confirm import *
diff --git a/apps/tickets/models/ticket/apply_application.py b/apps/tickets/models/ticket/apply_application.py
new file mode 100644
index 000000000..de041c8da
--- /dev/null
+++ b/apps/tickets/models/ticket/apply_application.py
@@ -0,0 +1,34 @@
+from django.db import models
+from django.utils.translation import gettext_lazy as _
+
+from .general import Ticket
+from applications.const import AppCategory, AppType
+
+__all__ = ['ApplyApplicationTicket']
+
+
+class ApplyApplicationTicket(Ticket):
+    apply_permission_name = models.CharField(max_length=128, verbose_name=_('Apply name'))
+    # 申请信息
+    apply_category = models.CharField(
+        max_length=16, choices=AppCategory.choices, verbose_name=_('Category')
+    )
+    apply_type = models.CharField(
+        max_length=16, choices=AppType.choices, verbose_name=_('Type')
+    )
+    apply_applications = models.ManyToManyField(
+        'applications.Application', verbose_name=_('Apply applications'),
+    )
+    apply_system_users = models.ManyToManyField(
+        'assets.SystemUser', verbose_name=_('Apply system users'),
+    )
+    apply_date_start = models.DateTimeField(verbose_name=_('Date start'), null=True)
+    apply_date_expired = models.DateTimeField(verbose_name=_('Date expired'), null=True)
+
+    @property
+    def apply_category_display(self):
+        return AppCategory.get_label(self.apply_category)
+
+    @property
+    def apply_type_display(self):
+        return AppType.get_label(self.apply_type)
diff --git a/apps/tickets/models/ticket/apply_asset.py b/apps/tickets/models/ticket/apply_asset.py
new file mode 100644
index 000000000..45cad4dca
--- /dev/null
+++ b/apps/tickets/models/ticket/apply_asset.py
@@ -0,0 +1,28 @@
+from django.db import models
+from django.utils.translation import gettext_lazy as _
+
+from perms.models import Action
+from .general import Ticket
+
+__all__ = ['ApplyAssetTicket']
+
+asset_or_node_help_text = _("Select at least one asset or node")
+
+
+class ApplyAssetTicket(Ticket):
+    apply_permission_name = models.CharField(max_length=128, verbose_name=_('Apply name'))
+    apply_nodes = models.ManyToManyField('assets.Node', verbose_name=_('Apply nodes'))
+    # 申请信息
+    apply_assets = models.ManyToManyField('assets.Asset', verbose_name=_('Apply assets'))
+    apply_system_users = models.ManyToManyField(
+        'assets.SystemUser', verbose_name=_('Apply system users')
+    )
+    apply_actions = models.IntegerField(
+        choices=Action.DB_CHOICES, default=Action.ALL, verbose_name=_('Actions')
+    )
+    apply_date_start = models.DateTimeField(verbose_name=_('Date start'), null=True)
+    apply_date_expired = models.DateTimeField(verbose_name=_('Date expired'), null=True)
+
+    @property
+    def apply_actions_display(self):
+        return Action.value_to_choices_display(self.apply_actions)
diff --git a/apps/tickets/models/ticket/command_confirm.py b/apps/tickets/models/ticket/command_confirm.py
new file mode 100644
index 000000000..94d27fde7
--- /dev/null
+++ b/apps/tickets/models/ticket/command_confirm.py
@@ -0,0 +1,33 @@
+from django.db import models
+from django.utils.translation import gettext_lazy as _
+
+from .general import Ticket
+
+
+class ApplyCommandTicket(Ticket):
+    apply_run_user = models.ForeignKey(
+        'users.User', on_delete=models.SET_NULL,
+        null=True, verbose_name=_('Run user')
+    )
+    apply_run_asset = models.ForeignKey(
+        'assets.Asset', on_delete=models.SET_NULL,
+        null=True, verbose_name=_('Run asset')
+    )
+    apply_run_system_user = models.ForeignKey(
+        'assets.SystemUser', on_delete=models.SET_NULL,
+        null=True, verbose_name=_('Run system user')
+    )
+    apply_run_command = models.CharField(max_length=4096, verbose_name=_('Run command'))
+    apply_from_session = models.ForeignKey(
+        'terminal.Session', on_delete=models.SET_NULL,
+        null=True, verbose_name=_("Session")
+    )
+    apply_from_cmd_filter = models.ForeignKey(
+        'assets.CommandFilter', on_delete=models.SET_NULL,
+        null=True, verbose_name=_('From cmd filter')
+    )
+    apply_from_cmd_filter_rule = models.ForeignKey(
+        'assets.CommandFilterRule', on_delete=models.SET_NULL,
+        null=True, verbose_name=_('From cmd filter rule')
+    )
+
diff --git a/apps/tickets/models/ticket/general.py b/apps/tickets/models/ticket/general.py
new file mode 100644
index 000000000..b8f192a9d
--- /dev/null
+++ b/apps/tickets/models/ticket/general.py
@@ -0,0 +1,389 @@
+# -*- coding: utf-8 -*-
+#
+from typing import Callable
+
+from django.db import models
+from django.db.models import Q
+from django.utils.translation import ugettext_lazy as _
+from django.db.utils import IntegrityError
+from django.db.models.fields import related
+
+from common.exceptions import JMSException
+from common.utils.timezone import as_current_tz
+from common.mixins.models import CommonModelMixin
+from common.db.encoder import ModelJSONFieldEncoder
+from orgs.models import Organization
+from tickets.const import (
+    TicketType, TicketStatus, TicketState,
+    TicketLevel, StepState, StepStatus
+)
+from tickets.handlers import get_ticket_handler
+from tickets.errors import AlreadyClosed
+from ..flow import TicketFlow
+
+__all__ = ['Ticket', 'TicketStep', 'TicketAssignee', 'SuperTicket', 'SubTicketManager']
+
+
+class TicketStep(CommonModelMixin):
+    ticket = models.ForeignKey(
+        'Ticket', related_name='ticket_steps',
+        on_delete=models.CASCADE, verbose_name='Ticket'
+    )
+    level = models.SmallIntegerField(
+        default=TicketLevel.one, choices=TicketLevel.choices,
+        verbose_name=_('Approve level')
+    )
+    state = models.CharField(
+        max_length=64, choices=StepState.choices,
+        default=StepState.pending, verbose_name=_("State")
+    )
+    status = models.CharField(
+        max_length=16, choices=StepStatus.choices,
+        default=StepStatus.pending
+    )
+
+    def change_state(self, state, processor):
+        if state != StepState.closed:
+            assignees = self.ticket_assignees.filter(assignee=processor)
+            if not assignees:
+                raise PermissionError('Only assignees can do this')
+            assignees.update(state=state)
+        self.status = StepStatus.closed
+        self.state = state
+        self.save(update_fields=['state', 'status'])
+
+    def set_active(self):
+        self.status = StepStatus.active
+        self.save(update_fields=['status'])
+
+    def next(self):
+        kwargs = dict(ticket=self.ticket, level=self.level + 1, status=StepStatus.pending)
+        return self.__class__.objects.filter(**kwargs).first()
+
+    @property
+    def processor(self):
+        processor = self.ticket_assignees.exclude(state=StepState.pending).first()
+        return processor.assignee if processor else None
+
+    class Meta:
+        verbose_name = _("Ticket step")
+
+
+class TicketAssignee(CommonModelMixin):
+    assignee = models.ForeignKey(
+        'users.User', related_name='ticket_assignees',
+        on_delete=models.CASCADE, verbose_name='Assignee'
+    )
+    state = models.CharField(
+        choices=TicketState.choices, max_length=64,
+        default=TicketState.pending
+    )
+    step = models.ForeignKey(
+        'tickets.TicketStep', related_name='ticket_assignees',
+        on_delete=models.CASCADE
+    )
+
+    class Meta:
+        verbose_name = _('Ticket assignee')
+
+    def __str__(self):
+        return '{0.assignee.name}({0.assignee.username})_{0.step}'.format(self)
+
+
+class StatusMixin:
+    State = TicketState
+    Status = TicketStatus
+
+    state: str
+    status: str
+    applicant: models.ForeignKey
+    current_step: TicketStep
+    save: Callable
+    create_process_steps_by_flow: Callable
+    create_process_steps_by_assignees: Callable
+    assignees: Callable
+    set_serial_num: Callable
+    set_rel_snapshot: Callable
+    approval_step: int
+    handler: None
+    flow: TicketFlow
+    ticket_steps: models.Manager
+
+    def is_state(self, state: TicketState):
+        return self.state == state
+
+    def is_status(self, status: TicketStatus):
+        return self.status == status
+
+    def _open(self):
+        self.set_serial_num()
+        self.set_rel_snapshot()
+        self._change_state_by_applicant(TicketState.pending)
+
+    def open(self):
+        self.create_process_steps_by_flow()
+        self._open()
+
+    def open_by_system(self, assignees):
+        self.create_process_steps_by_assignees(assignees)
+        self._open()
+
+    def approve(self, processor):
+        self._change_state(StepState.approved, processor)
+
+    def reject(self, processor):
+        self._change_state(StepState.rejected, processor)
+
+    def reopen(self):
+        self._change_state_by_applicant(TicketState.reopen)
+
+    def close(self):
+        self._change_state(TicketState.closed, self.applicant)
+
+    def _change_state_by_applicant(self, state):
+        if state == TicketState.closed:
+            self.status = TicketStatus.closed
+        elif state in [TicketState.reopen, TicketState.pending]:
+            self.status = TicketStatus.open
+        else:
+            raise ValueError("Not supported state: {}".format(state))
+
+        self.state = state
+        self.save(update_fields=['state', 'status'])
+        self.handler.on_change_state(state)
+
+    def _change_state(self, state, processor):
+        if self.is_status(self.Status.closed):
+            raise AlreadyClosed
+        current_step = self.current_step
+        current_step.change_state(state, processor)
+        self._finish_or_next(current_step, state)
+
+    def _finish_or_next(self, current_step, state):
+        next_step = current_step.next()
+
+        # 提前结束，或者最后一步
+        if state in [TicketState.rejected, TicketState.closed] or not next_step:
+            self.state = state
+            self.status = Ticket.Status.closed
+            self.save(update_fields=['state', 'status'])
+            self.handler.on_step_state_change(current_step, state)
+        else:
+            self.handler.on_step_state_change(current_step, state)
+            next_step.set_active()
+            self.approval_step += 1
+            self.save(update_fields=['approval_step'])
+
+    @property
+    def process_map(self):
+        process_map = []
+        steps = self.ticket_steps.all()
+        for step in steps:
+            assignee_ids = []
+            assignees_display = []
+            ticket_assignees = step.ticket_assignees.all()
+            processor = None
+            state = step.state
+            for i in ticket_assignees:
+                assignee_ids.append(i.assignee_id)
+                assignees_display.append(str(i.assignee))
+                if state != StepState.pending and state == i.state:
+                    processor = i.assignee
+                if state != StepState.closed:
+                    processor = self.applicant
+            step_info = {
+                'state': state,
+                'approval_level': step.level,
+                'assignees': assignee_ids,
+                'assignees_display': assignees_display,
+                'approval_date': str(step.date_updated),
+                'processor': processor.id if processor else '',
+                'processor_display': str(processor) if processor else ''
+            }
+            process_map.append(step_info)
+        return process_map
+
+    def exclude_applicant(self, assignees, applicant=None):
+        applicant = applicant if applicant else self.applicant
+        if len(assignees) != 1:
+            assignees = set(assignees) - {applicant, }
+        return list(assignees)
+
+    def create_process_steps_by_flow(self):
+        org_id = self.flow.org_id
+        flow_rules = self.flow.rules.order_by('level')
+        for rule in flow_rules:
+            step = TicketStep.objects.create(ticket=self, level=rule.level)
+            assignees = rule.get_assignees(org_id=org_id)
+            assignees = self.exclude_applicant(assignees, self.applicant)
+            step_assignees = [TicketAssignee(step=step, assignee=user) for user in assignees]
+            TicketAssignee.objects.bulk_create(step_assignees)
+
+    def create_process_steps_by_assignees(self, assignees):
+        assignees = self.exclude_applicant(assignees, self.applicant)
+        step = TicketStep.objects.create(ticket=self, level=1)
+        ticket_assignees = [TicketAssignee(step=step, assignee=user) for user in assignees]
+        TicketAssignee.objects.bulk_create(ticket_assignees)
+
+    @property
+    def current_step(self):
+        return self.ticket_steps.filter(level=self.approval_step).first()
+
+    @property
+    def current_assignees(self):
+        ticket_assignees = self.current_step.ticket_assignees.all()
+        return [i.assignee for i in ticket_assignees]
+
+    @property
+    def processor(self):
+        processor = self.current_step.ticket_assignees \
+            .exclude(state=StepState.pending) \
+            .first()
+        return processor.assignee if processor else None
+
+    def has_current_assignee(self, assignee):
+        return self.ticket_steps.filter(
+            ticket_assignees__assignee=assignee,
+            level=self.approval_step
+        ).exists()
+
+    def has_all_assignee(self, assignee):
+        return self.ticket_steps.filter(ticket_assignees__assignee=assignee).exists()
+
+    @property
+    def handler(self):
+        return get_ticket_handler(ticket=self)
+
+
+class Ticket(StatusMixin, CommonModelMixin):
+    title = models.CharField(max_length=256, verbose_name=_('Title'))
+    type = models.CharField(
+        max_length=64, choices=TicketType.choices,
+        default=TicketType.general, verbose_name=_('Type')
+    )
+    state = models.CharField(
+        max_length=16, choices=TicketState.choices,
+        default=TicketState.pending, verbose_name=_('State')
+    )
+    status = models.CharField(
+        max_length=16, choices=TicketStatus.choices,
+        default=TicketStatus.open, verbose_name=_('Status')
+    )
+    # 申请人
+    applicant = models.ForeignKey(
+        'users.User', related_name='applied_tickets', on_delete=models.SET_NULL,
+        null=True, verbose_name=_("Applicant")
+    )
+    comment = models.TextField(default='', blank=True, verbose_name=_('Comment'))
+    flow = models.ForeignKey(
+        'TicketFlow', related_name='tickets', on_delete=models.SET_NULL,
+        null=True, verbose_name=_('TicketFlow')
+    )
+    approval_step = models.SmallIntegerField(
+        default=TicketLevel.one, choices=TicketLevel.choices, verbose_name=_('Approval step')
+    )
+    serial_num = models.CharField(_('Serial number'), max_length=128, unique=True, null=True)
+    rel_snapshot = models.JSONField(verbose_name=_('Relation snapshot'), default=dict)
+    meta = models.JSONField(encoder=ModelJSONFieldEncoder, default=dict, verbose_name=_("Meta"))
+    org_id = models.CharField(
+        max_length=36, blank=True, default='', verbose_name=_('Organization'), db_index=True
+    )
+
+    class Meta:
+        ordering = ('-date_created',)
+        verbose_name = _('Ticket')
+
+    def __str__(self):
+        return '{}({})'.format(self.title, self.applicant)
+
+    @property
+    def spec_ticket(self):
+        attr = self.type.replace('_', '') + 'ticket'
+        return getattr(self, attr)
+
+    # TODO 先单独处理一下
+    @property
+    def org_name(self):
+        org = Organization.get_instance(self.org_id)
+        return org.name
+
+    def is_type(self, tp: TicketType):
+        return self.type == tp
+
+    @classmethod
+    def get_user_related_tickets(cls, user):
+        queries = Q(applicant=user) | Q(ticket_steps__ticket_assignees__assignee=user)
+        tickets = cls.objects.all().filter(queries).distinct()
+        return tickets
+
+    def get_current_ticket_flow_approve(self):
+        return self.flow.rules.filter(level=self.approval_step).first()
+
+    @classmethod
+    def all(cls):
+        return cls.objects.all()
+
+    def set_rel_snapshot(self, save=True):
+        rel_fields = set()
+        m2m_fields = set()
+        excludes = ['ticket_ptr_id', 'ticket_ptr', 'flow_id', 'flow', 'applicant_id']
+        for name, field in self._meta._forward_fields_map.items():
+            if name in excludes:
+                continue
+            if isinstance(field, related.RelatedField):
+                rel_fields.add(name)
+            if isinstance(field, related.ManyToManyField):
+                m2m_fields.add(name)
+
+        snapshot = {}
+        for field in rel_fields:
+            value = getattr(self, field)
+
+            if field in m2m_fields:
+                value = [str(v) for v in value.all()]
+            else:
+                value = str(value) if value else ''
+            snapshot[field] = value
+
+        self.rel_snapshot.update(snapshot)
+        if save:
+            self.save(update_fields=('rel_snapshot',))
+
+    def get_next_serial_num(self):
+        date_created = as_current_tz(self.date_created)
+        date_prefix = date_created.strftime('%Y%m%d')
+
+        ticket = Ticket.objects.all().select_for_update().filter(
+            serial_num__startswith=date_prefix
+        ).order_by('-date_created').first()
+
+        last_num = 0
+        if ticket:
+            last_num = ticket.serial_num[8:]
+            last_num = int(last_num)
+        num = '%04d' % (last_num + 1)
+        return '{}{}'.format(date_prefix, num)
+
+    def set_serial_num(self):
+        if self.serial_num:
+            return
+
+        try:
+            self.serial_num = self.get_next_serial_num()
+            self.save(update_fields=('serial_num',))
+        except IntegrityError as e:
+            if e.args[0] == 1062:
+                # 虽然做了 `select_for_update` 但是每天的第一条工单仍可能造成冲突
+                # 但概率小，这里只报错，用户重新提交即可
+                raise JMSException(detail=_('Please try again'), code='please_try_again')
+            raise e
+
+
+class SuperTicket(Ticket):
+    class Meta:
+        proxy = True
+        verbose_name = _("Super ticket")
+
+
+class SubTicketManager(models.Manager):
+    pass
diff --git a/apps/tickets/models/ticket/login_asset_confirm.py b/apps/tickets/models/ticket/login_asset_confirm.py
new file mode 100644
index 000000000..5e5c53a47
--- /dev/null
+++ b/apps/tickets/models/ticket/login_asset_confirm.py
@@ -0,0 +1,21 @@
+from django.db import models
+from django.utils.translation import gettext_lazy as _
+
+from .general import Ticket
+
+__all__ = ['ApplyLoginAssetTicket']
+
+
+class ApplyLoginAssetTicket(Ticket):
+    apply_login_user = models.ForeignKey(
+        'users.User', on_delete=models.SET_NULL, null=True,
+        verbose_name=_('Login user'),
+    )
+    apply_login_asset = models.ForeignKey(
+        'assets.Asset', on_delete=models.SET_NULL, null=True,
+        verbose_name=_('Login asset'),
+    )
+    apply_login_system_user = models.ForeignKey(
+        'assets.SystemUser', on_delete=models.SET_NULL, null=True,
+        verbose_name=_('Login system user'),
+    )
diff --git a/apps/tickets/models/ticket/login_confirm.py b/apps/tickets/models/ticket/login_confirm.py
new file mode 100644
index 000000000..89fb32e94
--- /dev/null
+++ b/apps/tickets/models/ticket/login_confirm.py
@@ -0,0 +1,12 @@
+from django.db import models
+from django.utils.translation import gettext_lazy as _
+
+from .general import Ticket, SubTicketManager
+
+__all__ = ['ApplyLoginTicket']
+
+
+class ApplyLoginTicket(Ticket):
+    apply_login_ip = models.GenericIPAddressField(verbose_name=_('Login ip'), null=True)
+    apply_login_city = models.CharField(max_length=64, verbose_name=_('Login city'), null=True)
+    apply_login_datetime = models.DateTimeField(verbose_name=_('Login datetime'), null=True)
diff --git a/apps/tickets/notifications.py b/apps/tickets/notifications.py
index c29c8d00e..728510280 100644
--- a/apps/tickets/notifications.py
+++ b/apps/tickets/notifications.py
@@ -1,13 +1,17 @@
 from urllib.parse import urljoin
+import json
 
 from django.conf import settings
 from django.core.cache import cache
 from django.shortcuts import reverse
+from django.db.models.fields import related
 from django.template.loader import render_to_string
+from django.forms import model_to_dict
 from django.utils.translation import ugettext_lazy as _
 
 from notifications.notifications import UserMessage
 from common.utils import get_logger, random_string
+from common.db.encoder import ModelJSONFieldEncoder
 from .models import Ticket
 from . import const
 
@@ -41,8 +45,8 @@ class BaseTicketMessage(UserMessage):
     def get_html_msg(self) -> dict:
         context = dict(
             title=self.content_title,
-            ticket_detail_url=self.ticket_detail_url,
-            body=self.ticket.body.replace('\n', '<br/>'),
+            content=self.content,
+            ticket_detail_url=self.ticket_detail_url
         )
         message = render_to_string('tickets/_msg_ticket.html', context)
         return {
@@ -54,8 +58,48 @@ class BaseTicketMessage(UserMessage):
     def gen_test_msg(cls):
         return None
 
+    @property
+    def content(self):
+        content = [
+            {'title': _('Ticket basic info'), 'content': self.basic_items},
+            {'title': _('Ticket applied info'), 'content': self.spec_items},
+        ]
+        return content
 
-class TicketAppliedToAssignee(BaseTicketMessage):
+    def _get_fields_items(self, item_names):
+        fields = self.ticket._meta._forward_fields_map
+        json_data = json.dumps(model_to_dict(self.ticket), cls=ModelJSONFieldEncoder)
+        data = json.loads(json_data)
+        items = []
+
+        for name in item_names:
+            field = fields[name]
+            item = {'name': name, 'title': field.verbose_name}
+            value = data.get(name)
+            if hasattr(self.ticket, f'get_{name}_display'):
+                value = getattr(self.ticket, f'get_{name}_display')()
+            elif isinstance(field, related.ForeignKey):
+                value = self.ticket.rel_snapshot[name]
+            elif isinstance(field, related.ManyToManyField):
+                value = ', '.join(self.ticket.rel_snapshot[name])
+            item['value'] = value
+            items.append(item)
+        return items
+
+    @property
+    def basic_items(self):
+        item_names = ['serial_num', 'title', 'type', 'state', 'applicant', 'comment']
+        return self._get_fields_items(item_names)
+
+    @property
+    def spec_items(self):
+        fields = self.ticket._meta.local_fields + self.ticket._meta.local_many_to_many
+        excludes = ['ticket_ptr']
+        item_names = [field.name for field in fields if field.name not in excludes]
+        return self._get_fields_items(item_names)
+
+
+class TicketAppliedToAssigneeMessage(BaseTicketMessage):
     def __init__(self, user, ticket):
         self.ticket = ticket
         super().__init__(user)
@@ -69,14 +113,14 @@ class TicketAppliedToAssignee(BaseTicketMessage):
 
     @property
     def content_title(self):
-        return _('Your has a new ticket, applicant - {}').format(
-            str(self.ticket.applicant_display)
-        )
+        return _('Your has a new ticket')
 
     @property
     def subject(self):
-        title = _('New Ticket - {} ({})').format(
-            self.ticket.title, self.ticket.get_type_display()
+        title = _('{}: New Ticket - {} ({})').format(
+            self.ticket.applicant,
+            self.ticket.title,
+            self.ticket.get_type_display()
         )
         return title
 
@@ -85,19 +129,16 @@ class TicketAppliedToAssignee(BaseTicketMessage):
         return urljoin(settings.SITE_URL, url)
 
     def get_html_msg(self) -> dict:
-        body = self.ticket.body.replace('\n', '<br/>')
         context = dict(
             title=self.content_title,
-            ticket_detail_url=self.ticket_detail_url,
-            body=body,
+            content=self.content,
+            ticket_detail_url=self.ticket_detail_url
         )
 
         ticket_approval_url = self.get_ticket_approval_url()
         context.update({'ticket_approval_url': ticket_approval_url})
         message = render_to_string('tickets/_msg_ticket.html', context)
-        cache.set(self.token, {
-            'body': body, 'ticket_id': self.ticket.id
-        }, 3600)
+        cache.set(self.token, {'ticket_id': self.ticket.id, 'content': self.content}, 3600)
         return {
             'subject': self.subject,
             'message': message
@@ -112,7 +153,7 @@ class TicketAppliedToAssignee(BaseTicketMessage):
         return cls(user, ticket)
 
 
-class TicketProcessedToApplicant(BaseTicketMessage):
+class TicketProcessedToApplicantMessage(BaseTicketMessage):
     def __init__(self, user, ticket, processor):
         self.ticket = ticket
         self.processor = processor
diff --git a/apps/tickets/serializers/__init__.py b/apps/tickets/serializers/__init__.py
index 853feafd1..26a4b9aa6 100644
--- a/apps/tickets/serializers/__init__.py
+++ b/apps/tickets/serializers/__init__.py
@@ -1,6 +1,7 @@
 # -*- coding: utf-8 -*-
 #
 from .ticket import *
+from .flow import *
 from .comment import *
 from .relation import *
-from .super_ticket import *
\ No newline at end of file
+from .super_ticket import *
diff --git a/apps/tickets/serializers/flow.py b/apps/tickets/serializers/flow.py
new file mode 100644
index 000000000..42c7bed15
--- /dev/null
+++ b/apps/tickets/serializers/flow.py
@@ -0,0 +1,103 @@
+from django.db.transaction import atomic
+from django.utils.translation import ugettext_lazy as _
+from rest_framework import serializers
+
+from orgs.models import Organization
+from orgs.mixins.serializers import OrgResourceModelSerializerMixin
+from tickets.models import TicketFlow, ApprovalRule
+from tickets.const import TicketApprovalStrategy
+
+__all__ = ['TicketFlowSerializer']
+
+
+class TicketFlowApproveSerializer(serializers.ModelSerializer):
+    strategy_display = serializers.ReadOnlyField(source='get_strategy_display', label=_('Approve strategy'))
+    assignees_read_only = serializers.SerializerMethodField(label=_('Assignees'))
+    assignees_display = serializers.SerializerMethodField(label=_('Assignees display'))
+
+    class Meta:
+        model = ApprovalRule
+        fields_small = [
+            'level', 'strategy', 'assignees_read_only', 'assignees_display', 'strategy_display'
+        ]
+        fields_m2m = ['assignees', ]
+        fields = fields_small + fields_m2m
+        read_only_fields = ['level', 'assignees_display']
+        extra_kwargs = {
+            'assignees': {'write_only': True, 'allow_empty': True, 'required': False}
+        }
+
+    @staticmethod
+    def get_assignees_display(instance):
+        return [str(assignee) for assignee in instance.get_assignees()]
+
+    @staticmethod
+    def get_assignees_read_only(instance):
+        if instance.strategy == TicketApprovalStrategy.custom_user:
+            return instance.assignees.values_list('id', flat=True)
+        return []
+
+    def validate(self, attrs):
+        if attrs['strategy'] == TicketApprovalStrategy.custom_user and not attrs.get('assignees'):
+            error = _('Please select the Assignees')
+            raise serializers.ValidationError({'assignees': error})
+        return super().validate(attrs)
+
+
+class TicketFlowSerializer(OrgResourceModelSerializerMixin):
+    type_display = serializers.ReadOnlyField(source='get_type_display', label=_('Type display'))
+    rules = TicketFlowApproveSerializer(many=True, required=True)
+
+    class Meta:
+        model = TicketFlow
+        fields_mini = ['id', ]
+        fields_small = fields_mini + [
+            'type', 'type_display', 'approval_level', 'created_by', 'date_created', 'date_updated',
+            'org_id', 'org_name'
+        ]
+        fields = fields_small + ['rules', ]
+        read_only_fields = ['created_by', 'org_id', 'date_created', 'date_updated']
+        extra_kwargs = {
+            'type': {'required': True},
+            'approval_level': {'required': True}
+        }
+
+    def validate_type(self, value):
+        if not self.instance or (self.instance and self.instance.type != value):
+            if self.Meta.model.objects.filter(type=value).exists():
+                error = _('The current organization type already exists')
+                raise serializers.ValidationError(error)
+        return value
+
+    def create_or_update(self, action, validated_data, instance=None):
+        related = 'rules'
+        assignees = 'assignees'
+        childs = validated_data.pop(related, [])
+        if not instance:
+            instance = getattr(super(), action)(validated_data)
+        else:
+            instance = getattr(super(), action)(instance, validated_data)
+            getattr(instance, related).all().delete()
+        instance_related = getattr(instance, related)
+        child_instances = []
+        related_model = instance_related.model
+        # Todo: 这个权限的判断
+        for level, data in enumerate(childs, 1):
+            data_m2m = data.pop(assignees, None)
+            child_instance = related_model.objects.create(**data, level=level)
+            getattr(child_instance, assignees).set(data_m2m)
+            child_instances.append(child_instance)
+        instance_related.set(child_instances)
+        return instance
+
+    @atomic
+    def create(self, validated_data):
+        return self.create_or_update('create', validated_data)
+
+    @atomic
+    def update(self, instance, validated_data):
+        if instance.org_id == Organization.ROOT_ID:
+            instance = self.create(validated_data)
+        else:
+            instance = self.create_or_update('update', validated_data, instance)
+        return instance
diff --git a/apps/tickets/serializers/super_ticket.py b/apps/tickets/serializers/super_ticket.py
index 9d84728e4..9200c3f28 100644
--- a/apps/tickets/serializers/super_ticket.py
+++ b/apps/tickets/serializers/super_ticket.py
@@ -15,7 +15,7 @@ class SuperTicketSerializer(serializers.ModelSerializer):
         fields = ['id', 'status', 'state', 'processor']
 
     @staticmethod
-    def get_processor(ticket):
-        if not ticket.processor:
+    def get_processor(instance):
+        if not instance.processor:
             return ''
-        return str(ticket.processor)
+        return str(instance.processor)
diff --git a/apps/tickets/serializers/ticket/__init__.py b/apps/tickets/serializers/ticket/__init__.py
index bb2ee74d6..698906d3a 100644
--- a/apps/tickets/serializers/ticket/__init__.py
+++ b/apps/tickets/serializers/ticket/__init__.py
@@ -1,2 +1,7 @@
 from .ticket import *
-from .meta import *
+from .apply_asset import *
+from .apply_application import *
+from .login_confirm import *
+from .login_asset_confirm import *
+from .command_confirm import *
+from .common import *
diff --git a/apps/tickets/serializers/ticket/apply_application.py b/apps/tickets/serializers/ticket/apply_application.py
new file mode 100644
index 000000000..b2774e420
--- /dev/null
+++ b/apps/tickets/serializers/ticket/apply_application.py
@@ -0,0 +1,57 @@
+from rest_framework import serializers
+
+from perms.models import ApplicationPermission
+from orgs.utils import tmp_to_org
+from applications.models import Application
+from tickets.models import ApplyApplicationTicket
+from .ticket import TicketApplySerializer
+from .common import BaseApplyAssetApplicationSerializer
+
+__all__ = ['ApplyApplicationSerializer', 'ApplyApplicationDisplaySerializer']
+
+
+class ApplyApplicationSerializer(BaseApplyAssetApplicationSerializer, TicketApplySerializer):
+    permission_model = ApplicationPermission
+
+    class Meta:
+        model = ApplyApplicationTicket
+        writeable_fields = [
+            'id', 'title', 'type', 'apply_category',
+            'apply_type', 'apply_applications', 'apply_system_users',
+            'apply_date_start', 'apply_date_expired', 'org_id'
+        ]
+        fields = TicketApplySerializer.Meta.fields + writeable_fields + ['apply_permission_name']
+        read_only_fields = list(set(fields) - set(writeable_fields))
+        ticket_extra_kwargs = TicketApplySerializer.Meta.extra_kwargs
+        extra_kwargs = {}
+        extra_kwargs.update(ticket_extra_kwargs)
+
+    def validate_apply_applications(self, apply_applications):
+        type = self.initial_data.get('apply_type')
+        org_id = self.initial_data.get('org_id')
+        application_ids = [app.id for app in apply_applications]
+        with tmp_to_org(org_id):
+            applications = Application.objects.filter(
+                id__in=application_ids, type=type
+            ).values_list('id', flat=True)
+        return list(applications)
+
+
+class ApplyApplicationDisplaySerializer(ApplyApplicationSerializer):
+    apply_applications = serializers.SerializerMethodField()
+    apply_system_users = serializers.SerializerMethodField()
+
+    class Meta:
+        model = ApplyApplicationSerializer.Meta.model
+        fields = ApplyApplicationSerializer.Meta.fields
+        read_only_fields = fields
+
+    @staticmethod
+    def get_apply_applications(instance):
+        with tmp_to_org(instance.org_id):
+            return instance.apply_applications.values_list('id', flat=True)
+
+    @staticmethod
+    def get_apply_system_users(instance):
+        with tmp_to_org(instance.org_id):
+            return instance.apply_system_users.values_list('id', flat=True)
diff --git a/apps/tickets/serializers/ticket/apply_asset.py b/apps/tickets/serializers/ticket/apply_asset.py
new file mode 100644
index 000000000..3c8e0aade
--- /dev/null
+++ b/apps/tickets/serializers/ticket/apply_asset.py
@@ -0,0 +1,70 @@
+from django.utils.translation import ugettext_lazy as _
+from rest_framework import serializers
+
+from perms.serializers.base import ActionsField
+from perms.models import AssetPermission
+from orgs.utils import tmp_to_org
+
+from tickets.models import ApplyAssetTicket
+from .ticket import TicketApplySerializer
+from .common import BaseApplyAssetApplicationSerializer
+
+__all__ = ['ApplyAssetSerializer', 'ApplyAssetDisplaySerializer']
+
+asset_or_node_help_text = _("Select at least one asset or node")
+
+
+class ApplyAssetSerializer(BaseApplyAssetApplicationSerializer, TicketApplySerializer):
+    apply_actions = ActionsField(required=True, allow_null=True)
+    permission_model = AssetPermission
+
+    class Meta:
+        model = ApplyAssetTicket
+        writeable_fields = [
+            'id', 'title', 'type', 'apply_nodes', 'apply_assets',
+            'apply_system_users', 'apply_actions', 'apply_actions_display',
+            'apply_date_start', 'apply_date_expired', 'org_id'
+        ]
+        fields = TicketApplySerializer.Meta.fields + writeable_fields + ['apply_permission_name']
+        read_only_fields = list(set(fields) - set(writeable_fields))
+        ticket_extra_kwargs = TicketApplySerializer.Meta.extra_kwargs
+        extra_kwargs = {
+            'apply_nodes': {'required': False, 'help_text': asset_or_node_help_text},
+            'apply_assets': {'required': False, 'help_text': asset_or_node_help_text}
+        }
+        extra_kwargs.update(ticket_extra_kwargs)
+
+    def validate(self, attrs):
+        attrs = super().validate(attrs)
+        if not attrs.get('apply_nodes') and not attrs.get('apply_assets'):
+            raise serializers.ValidationError({
+                'apply_nodes': asset_or_node_help_text,
+                'apply_assets': asset_or_node_help_text,
+            })
+        return attrs
+
+
+class ApplyAssetDisplaySerializer(ApplyAssetSerializer):
+    apply_nodes = serializers.SerializerMethodField()
+    apply_assets = serializers.SerializerMethodField()
+    apply_system_users = serializers.SerializerMethodField()
+
+    class Meta:
+        model = ApplyAssetSerializer.Meta.model
+        fields = ApplyAssetSerializer.Meta.fields
+        read_only_fields = fields
+
+    @staticmethod
+    def get_apply_nodes(instance):
+        with tmp_to_org(instance.org_id):
+            return instance.apply_nodes.values_list('id', flat=True)
+
+    @staticmethod
+    def get_apply_assets(instance):
+        with tmp_to_org(instance.org_id):
+            return instance.apply_assets.values_list('id', flat=True)
+
+    @staticmethod
+    def get_apply_system_users(instance):
+        with tmp_to_org(instance.org_id):
+            return instance.apply_system_users.values_list('id', flat=True)
diff --git a/apps/tickets/serializers/ticket/command_confirm.py b/apps/tickets/serializers/ticket/command_confirm.py
new file mode 100644
index 000000000..c52bfd153
--- /dev/null
+++ b/apps/tickets/serializers/ticket/command_confirm.py
@@ -0,0 +1,16 @@
+from tickets.models import ApplyCommandTicket
+from .ticket import TicketApplySerializer
+
+__all__ = [
+    'ApplyCommandConfirmSerializer',
+]
+
+
+class ApplyCommandConfirmSerializer(TicketApplySerializer):
+    class Meta:
+        model = ApplyCommandTicket
+        fields = TicketApplySerializer.Meta.fields + [
+            'apply_run_user', 'apply_run_asset', 'apply_run_system_user',
+            'apply_run_command', 'apply_from_session', 'apply_from_cmd_filter',
+            'apply_from_cmd_filter_rule'
+        ]
diff --git a/apps/tickets/serializers/ticket/common.py b/apps/tickets/serializers/ticket/common.py
new file mode 100644
index 000000000..ef52c14d3
--- /dev/null
+++ b/apps/tickets/serializers/ticket/common.py
@@ -0,0 +1,63 @@
+from django.db.transaction import atomic
+from django.db.models import Model
+from django.utils.translation import ugettext as _
+from rest_framework import serializers
+
+from orgs.utils import tmp_to_org
+from tickets.models import Ticket
+
+__all__ = ['DefaultPermissionName', 'get_default_permission_name', 'BaseApplyAssetApplicationSerializer']
+
+
+def get_default_permission_name(ticket):
+    name = ''
+    if isinstance(ticket, Ticket):
+        name = _('Created by ticket ({}-{})').format(ticket.title, str(ticket.id)[:4])
+    return name
+
+
+class DefaultPermissionName(object):
+    default = None
+
+    @staticmethod
+    def _construct_default_permission_name(serializer_field):
+        permission_name = ''
+        ticket = serializer_field.root.instance
+        if isinstance(ticket, Ticket):
+            permission_name = get_default_permission_name(ticket)
+        return permission_name
+
+    def set_context(self, serializer_field):
+        self.default = self._construct_default_permission_name(serializer_field)
+
+    def __call__(self):
+        return self.default
+
+
+class BaseApplyAssetApplicationSerializer(serializers.Serializer):
+    permission_model: Model
+
+    def validate(self, attrs):
+        attrs = super().validate(attrs)
+
+        apply_date_start = attrs['apply_date_start'].strftime('%Y-%m-%d %H:%M:%S')
+        apply_date_expired = attrs['apply_date_expired'].strftime('%Y-%m-%d %H:%M:%S')
+
+        if apply_date_expired <= apply_date_start:
+            error = _('The expiration date should be greater than the start date')
+            raise serializers.ValidationError({'apply_date_expired': error})
+
+        attrs['apply_date_start'] = apply_date_start
+        attrs['apply_date_expired'] = apply_date_expired
+        return attrs
+
+    @atomic
+    def create(self, validated_data):
+        instance = super().create(validated_data)
+        name = _('Created by ticket ({}-{})').format(instance.title, str(instance.id)[:4])
+        with tmp_to_org(instance.org_id):
+            if not self.permission_model.objects.filter(name=name).exists():
+                instance.apply_permission_name = name
+                instance.save()
+                return instance
+        raise serializers.ValidationError(_('Permission named `{}` already exists'.format(name)))
diff --git a/apps/tickets/serializers/ticket/login_asset_confirm.py b/apps/tickets/serializers/ticket/login_asset_confirm.py
new file mode 100644
index 000000000..9e3076f0f
--- /dev/null
+++ b/apps/tickets/serializers/ticket/login_asset_confirm.py
@@ -0,0 +1,14 @@
+from tickets.models import ApplyLoginAssetTicket
+from .ticket import TicketApplySerializer
+
+__all__ = [
+    'LoginAssetConfirmSerializer'
+]
+
+
+class LoginAssetConfirmSerializer(TicketApplySerializer):
+    class Meta:
+        model = ApplyLoginAssetTicket
+        fields = TicketApplySerializer.Meta.fields + [
+            'apply_login_user', 'apply_login_asset', 'apply_login_system_user'
+        ]
diff --git a/apps/tickets/serializers/ticket/login_confirm.py b/apps/tickets/serializers/ticket/login_confirm.py
new file mode 100644
index 000000000..e760c653f
--- /dev/null
+++ b/apps/tickets/serializers/ticket/login_confirm.py
@@ -0,0 +1,14 @@
+from tickets.models import ApplyLoginTicket
+from .ticket import TicketApplySerializer
+
+__all__ = [
+    'LoginConfirmSerializer'
+]
+
+
+class LoginConfirmSerializer(TicketApplySerializer):
+    class Meta:
+        model = ApplyLoginTicket
+        fields = TicketApplySerializer.Meta.fields + [
+            'apply_login_ip', 'apply_login_city', 'apply_login_datetime'
+        ]
diff --git a/apps/tickets/serializers/ticket/meta/__init__.py b/apps/tickets/serializers/ticket/meta/__init__.py
deleted file mode 100644
index 7b5fbad28..000000000
--- a/apps/tickets/serializers/ticket/meta/__init__.py
+++ /dev/null
@@ -1 +0,0 @@
-from .meta import *
diff --git a/apps/tickets/serializers/ticket/meta/meta.py b/apps/tickets/serializers/ticket/meta/meta.py
deleted file mode 100644
index 936977dfc..000000000
--- a/apps/tickets/serializers/ticket/meta/meta.py
+++ /dev/null
@@ -1,43 +0,0 @@
-from tickets import const
-from .ticket_type import (
-    apply_asset, apply_application, login_confirm,
-    login_asset_confirm, command_confirm
-)
-
-__all__ = [
-    'type_serializer_classes_mapping',
-]
-
-# ticket action
-# -------------
-
-action_open = const.TicketAction.open.value
-action_approve = const.TicketAction.approve.value
-
-
-# defines `meta` field dynamic mapping serializers
-# ------------------------------------------------
-
-type_serializer_classes_mapping = {
-    const.TicketType.apply_asset.value: {
-        'default': apply_asset.ApplySerializer
-    },
-    const.TicketType.apply_application.value: {
-        'default': apply_application.ApplySerializer
-    },
-    const.TicketType.login_confirm.value: {
-        'default': login_confirm.LoginConfirmSerializer,
-        action_open: login_confirm.ApplySerializer,
-        action_approve: login_confirm.LoginConfirmSerializer(read_only=True),
-    },
-    const.TicketType.login_asset_confirm.value: {
-        'default': login_asset_confirm.LoginAssetConfirmSerializer,
-        action_open: login_asset_confirm.ApplySerializer,
-        action_approve: login_asset_confirm.LoginAssetConfirmSerializer(read_only=True),
-    },
-    const.TicketType.command_confirm.value: {
-        'default': command_confirm.CommandConfirmSerializer,
-        action_open: command_confirm.ApplySerializer,
-        action_approve: command_confirm.CommandConfirmSerializer(read_only=True)
-    }
-}
diff --git a/apps/tickets/serializers/ticket/meta/ticket_type/__init__.py b/apps/tickets/serializers/ticket/meta/ticket_type/__init__.py
deleted file mode 100644
index e69de29bb..000000000
diff --git a/apps/tickets/serializers/ticket/meta/ticket_type/apply_application.py b/apps/tickets/serializers/ticket/meta/ticket_type/apply_application.py
deleted file mode 100644
index a7f60ae82..000000000
--- a/apps/tickets/serializers/ticket/meta/ticket_type/apply_application.py
+++ /dev/null
@@ -1,93 +0,0 @@
-from django.utils.translation import ugettext_lazy as _
-from rest_framework import serializers
-
-from perms.models import ApplicationPermission
-from applications.const import AppCategory, AppType
-from orgs.utils import tmp_to_org
-from tickets.models import Ticket
-from applications.models import Application
-from .common import DefaultPermissionName
-
-__all__ = [
-    'ApplySerializer',
-]
-
-
-class ApplySerializer(serializers.Serializer):
-    apply_permission_name = serializers.CharField(
-        max_length=128, default=DefaultPermissionName(), label=_('Apply name')
-    )
-    # 申请信息
-    apply_category = serializers.ChoiceField(
-        required=True, choices=AppCategory.choices, label=_('Category'),
-        allow_null=True,
-    )
-    apply_category_display = serializers.CharField(
-        read_only=True, label=_('Category display'), allow_null=True,
-    )
-    apply_type = serializers.ChoiceField(
-        required=True, choices=AppType.choices, label=_('Type'),
-        allow_null=True
-    )
-    apply_type_display = serializers.CharField(
-        required=False, read_only=True, label=_('Type display'),
-        allow_null=True
-    )
-    apply_applications = serializers.ListField(
-        required=True, child=serializers.UUIDField(), label=_('Apply applications'),
-        allow_null=True
-    )
-    apply_applications_display = serializers.ListField(
-        required=False, read_only=True, child=serializers.CharField(),
-        label=_('Apply applications display'), allow_null=True,
-        default=list
-    )
-    apply_system_users = serializers.ListField(
-        required=True, child=serializers.UUIDField(), label=_('Apply system users'),
-        allow_null=True
-    )
-    apply_system_users_display = serializers.ListField(
-        required=False, read_only=True, child=serializers.CharField(),
-        label=_('Apply system user display'), allow_null=True,
-        default=list
-    )
-    apply_date_start = serializers.DateTimeField(
-        required=True, label=_('Date start'), allow_null=True
-    )
-    apply_date_expired = serializers.DateTimeField(
-        required=True, label=_('Date expired'), allow_null=True
-    )
-
-    def validate_approve_permission_name(self, permission_name):
-        if not isinstance(self.root.instance, Ticket):
-            return permission_name
-
-        with tmp_to_org(self.root.instance.org_id):
-            already_exists = ApplicationPermission.objects.filter(name=permission_name).exists()
-            if not already_exists:
-                return permission_name
-
-        raise serializers.ValidationError(_(
-            'Permission named `{}` already exists'.format(permission_name)
-        ))
-
-    def validate_apply_applications(self, apply_applications):
-        type = self.root.initial_data['meta'].get('apply_type')
-        org_id = self.root.initial_data.get('org_id')
-        with tmp_to_org(org_id):
-            applications = Application.objects.filter(
-                id__in=apply_applications, type=type
-            ).values_list('id', flat=True)
-        return list(applications)
-
-    def validate(self, attrs):
-        apply_date_start = attrs['apply_date_start'].strftime('%Y-%m-%d %H:%M:%S')
-        apply_date_expired = attrs['apply_date_expired'].strftime('%Y-%m-%d %H:%M:%S')
-
-        if apply_date_expired <= apply_date_start:
-            error = _('The expiration date should be greater than the start date')
-            raise serializers.ValidationError({'apply_date_expired': error})
-
-        attrs['apply_date_start'] = apply_date_start
-        attrs['apply_date_expired'] = apply_date_expired
-        return attrs
diff --git a/apps/tickets/serializers/ticket/meta/ticket_type/apply_asset.py b/apps/tickets/serializers/ticket/meta/ticket_type/apply_asset.py
deleted file mode 100644
index ddd77d769..000000000
--- a/apps/tickets/serializers/ticket/meta/ticket_type/apply_asset.py
+++ /dev/null
@@ -1,92 +0,0 @@
-from django.utils.translation import ugettext_lazy as _
-from rest_framework import serializers
-
-from perms.serializers.base import ActionsField
-from perms.models import AssetPermission
-from orgs.utils import tmp_to_org
-from tickets.models import Ticket
-from .common import DefaultPermissionName
-
-__all__ = [
-    'ApplySerializer',
-]
-
-asset_or_node_help_text = _("Select at least one asset or node")
-
-
-class ApplySerializer(serializers.Serializer):
-    apply_permission_name = serializers.CharField(
-        max_length=128, default=DefaultPermissionName(), label=_('Apply name')
-    )
-    apply_nodes = serializers.ListField(
-        required=False, allow_null=True, child=serializers.UUIDField(),
-        label=_('Apply nodes'), help_text=asset_or_node_help_text,
-        default=list
-    )
-    apply_nodes_display = serializers.ListField(
-        child=serializers.CharField(), label=_('Apply nodes display'), required=False
-    )
-    # 申请信息
-    apply_assets = serializers.ListField(
-        required=False, allow_null=True, child=serializers.UUIDField(),
-        label=_('Apply assets'), help_text=asset_or_node_help_text
-    )
-    apply_assets_display = serializers.ListField(
-        required=False, read_only=True, child=serializers.CharField(),
-        label=_('Apply assets display'), allow_null=True,
-        default=list
-    )
-    apply_system_users = serializers.ListField(
-        required=True, allow_null=True, child=serializers.UUIDField(),
-        label=_('Apply system users')
-    )
-    apply_system_users_display = serializers.ListField(
-        required=False, read_only=True, child=serializers.CharField(),
-        label=_('Apply assets display'), allow_null=True,
-        default=list,
-    )
-    apply_actions = ActionsField(
-        required=True, allow_null=True
-    )
-    apply_actions_display = serializers.ListField(
-        required=False, read_only=True, child=serializers.CharField(),
-        label=_('Apply assets display'), allow_null=True,
-        default=list,
-    )
-    apply_date_start = serializers.DateTimeField(
-        required=True, label=_('Date start'), allow_null=True,
-    )
-    apply_date_expired = serializers.DateTimeField(
-        required=True, label=_('Date expired'), allow_null=True,
-    )
-
-    def validate_approve_permission_name(self, permission_name):
-        if not isinstance(self.root.instance, Ticket):
-            return permission_name
-
-        with tmp_to_org(self.root.instance.org_id):
-            already_exists = AssetPermission.objects.filter(name=permission_name).exists()
-            if not already_exists:
-                return permission_name
-
-        raise serializers.ValidationError(_(
-            'Permission named `{}` already exists'.format(permission_name)
-        ))
-
-    def validate(self, attrs):
-        if not attrs.get('apply_nodes') and not attrs.get('apply_assets'):
-            raise serializers.ValidationError({
-                'apply_nodes': asset_or_node_help_text,
-                'apply_assets': asset_or_node_help_text,
-            })
-
-        apply_date_start = attrs['apply_date_start'].strftime('%Y-%m-%d %H:%M:%S')
-        apply_date_expired = attrs['apply_date_expired'].strftime('%Y-%m-%d %H:%M:%S')
-
-        if apply_date_expired <= apply_date_start:
-            error = _('The expiration date should be greater than the start date')
-            raise serializers.ValidationError({'apply_date_expired': error})
-
-        attrs['apply_date_start'] = apply_date_start
-        attrs['apply_date_expired'] = apply_date_expired
-        return attrs
diff --git a/apps/tickets/serializers/ticket/meta/ticket_type/command_confirm.py b/apps/tickets/serializers/ticket/meta/ticket_type/command_confirm.py
deleted file mode 100644
index eb631fe98..000000000
--- a/apps/tickets/serializers/ticket/meta/ticket_type/command_confirm.py
+++ /dev/null
@@ -1,26 +0,0 @@
-from rest_framework import serializers
-from django.utils.translation import ugettext_lazy as _
-
-
-__all__ = [
-    'ApplySerializer', 'CommandConfirmSerializer',
-]
-
-
-class ApplySerializer(serializers.Serializer):
-    # 申请信息
-    apply_run_user = serializers.CharField(required=True, label=_('Run user'))
-    apply_run_asset = serializers.CharField(required=True, label=_('Run asset'))
-    apply_run_system_user = serializers.CharField(
-        required=True, max_length=64, label=_('Run system user')
-    )
-    apply_run_command = serializers.CharField(required=True, label=_('Run command'))
-    apply_from_session_id = serializers.UUIDField(required=False, label=_('From session'))
-    apply_from_cmd_filter_rule_id = serializers.UUIDField(
-        required=False, label=_('From cmd filter rule')
-    )
-    apply_from_cmd_filter_id = serializers.UUIDField(required=False, label=_('From cmd filter'))
-
-
-class CommandConfirmSerializer(ApplySerializer):
-    pass
diff --git a/apps/tickets/serializers/ticket/meta/ticket_type/common.py b/apps/tickets/serializers/ticket/meta/ticket_type/common.py
deleted file mode 100644
index 2d43f6a81..000000000
--- a/apps/tickets/serializers/ticket/meta/ticket_type/common.py
+++ /dev/null
@@ -1,30 +0,0 @@
-from django.utils.translation import ugettext as _
-from tickets.models import Ticket
-
-
-__all__ = ['DefaultPermissionName', 'get_default_permission_name']
-
-
-def get_default_permission_name(ticket):
-    name = ''
-    if isinstance(ticket, Ticket):
-        name = _('Created by ticket ({}-{})').format(ticket.title, str(ticket.id)[:4])
-    return name
-
-
-class DefaultPermissionName(object):
-    default = None
-
-    @staticmethod
-    def _construct_default_permission_name(serializer_field):
-        permission_name = ''
-        ticket = serializer_field.root.instance
-        if isinstance(ticket, Ticket):
-            permission_name = get_default_permission_name(ticket)
-        return permission_name
-
-    def set_context(self, serializer_field):
-        self.default = self._construct_default_permission_name(serializer_field)
-
-    def __call__(self):
-        return self.default
diff --git a/apps/tickets/serializers/ticket/meta/ticket_type/login_asset_confirm.py b/apps/tickets/serializers/ticket/meta/ticket_type/login_asset_confirm.py
deleted file mode 100644
index 2570e4792..000000000
--- a/apps/tickets/serializers/ticket/meta/ticket_type/login_asset_confirm.py
+++ /dev/null
@@ -1,21 +0,0 @@
-
-from rest_framework import serializers
-from django.utils.translation import ugettext_lazy as _
-
-
-__all__ = [
-    'ApplySerializer', 'LoginAssetConfirmSerializer',
-]
-
-
-class ApplySerializer(serializers.Serializer):
-    # 申请信息
-    apply_login_user = serializers.CharField(required=True, label=_('Login user'))
-    apply_login_asset = serializers.CharField(required=True, label=_('Login asset'))
-    apply_login_system_user = serializers.CharField(
-        required=True, max_length=64, label=_('Login system user')
-    )
-
-
-class LoginAssetConfirmSerializer(ApplySerializer):
-    pass
diff --git a/apps/tickets/serializers/ticket/meta/ticket_type/login_confirm.py b/apps/tickets/serializers/ticket/meta/ticket_type/login_confirm.py
deleted file mode 100644
index 9308d0ee2..000000000
--- a/apps/tickets/serializers/ticket/meta/ticket_type/login_confirm.py
+++ /dev/null
@@ -1,25 +0,0 @@
-
-from rest_framework import serializers
-from django.utils.translation import ugettext_lazy as _
-
-
-__all__ = [
-    'ApplySerializer', 'LoginConfirmSerializer',
-]
-
-
-class ApplySerializer(serializers.Serializer):
-    # 申请信息
-    apply_login_ip = serializers.IPAddressField(
-        required=True, label=_('Login ip'), allow_null=True
-    )
-    apply_login_city = serializers.CharField(
-        required=True, max_length=64, label=_('Login city'), allow_null=True
-    )
-    apply_login_datetime = serializers.DateTimeField(
-        required=True, label=_('Login datetime'), allow_null=True
-    )
-
-
-class LoginConfirmSerializer(ApplySerializer):
-    pass
diff --git a/apps/tickets/serializers/ticket/ticket.py b/apps/tickets/serializers/ticket/ticket.py
index aec89cfae..5b71cb783 100644
--- a/apps/tickets/serializers/ticket/ticket.py
+++ b/apps/tickets/serializers/ticket/ticket.py
@@ -1,68 +1,42 @@
 # -*- coding: utf-8 -*-
 #
 from django.utils.translation import ugettext_lazy as _
-from django.db.transaction import atomic
 from rest_framework import serializers
-from common.drf.serializers import MethodSerializer
-from orgs.mixins.serializers import OrgResourceModelSerializerMixin
-from perms.models import AssetPermission
+
 from orgs.models import Organization
-from orgs.utils import tmp_to_org
-from tickets.models import Ticket, TicketFlow, ApprovalRule
-from tickets.const import TicketApprovalStrategy
-from .meta import type_serializer_classes_mapping
+from orgs.mixins.serializers import OrgResourceModelSerializerMixin
+from tickets.models import Ticket, TicketFlow
 
 __all__ = [
-    'TicketDisplaySerializer', 'TicketApplySerializer', 'TicketApproveSerializer', 'TicketFlowSerializer'
+    'TicketDisplaySerializer', 'TicketApplySerializer', 'TicketListSerializer'
 ]
 
 
 class TicketSerializer(OrgResourceModelSerializerMixin):
     type_display = serializers.ReadOnlyField(source='get_type_display', label=_('Type display'))
     status_display = serializers.ReadOnlyField(source='get_status_display', label=_('Status display'))
-    meta = MethodSerializer()
 
     class Meta:
         model = Ticket
         fields_mini = ['id', 'title']
         fields_small = fields_mini + [
-            'type', 'type_display', 'meta', 'state', 'approval_step',
-            'status', 'status_display', 'applicant_display', 'process_map',
-            'date_created', 'date_updated', 'comment', 'org_id', 'org_name', 'body',
-            'serial_num',
+            'type', 'type_display', 'status', 'status_display',
+            'state', 'approval_step', 'rel_snapshot', 'comment',
+            'date_created', 'date_updated', 'org_id', 'rel_snapshot',
+            'process_map', 'org_name', 'serial_num'
         ]
         fields_fk = ['applicant', ]
         fields = fields_small + fields_fk
 
-    def get_meta_serializer(self):
-        default_serializer = serializers.Serializer(read_only=True)
-        if isinstance(self.instance, Ticket):
-            _type = self.instance.type
-        else:
-            _type = self.context['request'].query_params.get('type')
 
-        if _type:
-            action_serializer_classes_mapping = type_serializer_classes_mapping.get(_type)
-            if action_serializer_classes_mapping:
-                query_action = self.context['request'].query_params.get('action')
-                action = query_action if query_action else self.context['view'].action
-                serializer_class = action_serializer_classes_mapping.get(action)
-                if not serializer_class:
-                    serializer_class = action_serializer_classes_mapping.get('default')
-            else:
-                serializer_class = default_serializer
-        else:
-            serializer_class = default_serializer
-
-        if not serializer_class:
-            serializer_class = default_serializer
-
-        if isinstance(serializer_class, type):
-            serializer = serializer_class()
-        else:
-            serializer = serializer_class
-
-        return serializer
+class TicketListSerializer(TicketSerializer):
+    class Meta:
+        model = Ticket
+        fields = [
+            'id', 'title', 'serial_num', 'type', 'type_display', 'status',
+            'state', 'rel_snapshot', 'date_created', 'rel_snapshot'
+        ]
+        read_only_fields = fields
 
 
 class TicketDisplaySerializer(TicketSerializer):
@@ -80,24 +54,10 @@ class TicketApplySerializer(TicketSerializer):
     class Meta:
         model = Ticket
         fields = TicketSerializer.Meta.fields
-        writeable_fields = [
-            'id', 'title', 'type', 'meta', 'comment', 'org_id'
-        ]
-        read_only_fields = list(set(fields) - set(writeable_fields))
         extra_kwargs = {
-            'type': {'required': True},
+            'type': {'required': True}
         }
 
-    def validate_type(self, tp):
-        request_type = self.context['request'].query_params.get('type')
-        if tp != request_type:
-            error = _(
-                'The `type` in the submission data (`{}`) is different from the type '
-                'in the request url (`{}`)'.format(tp, request_type)
-            )
-            raise serializers.ValidationError(error)
-        return tp
-
     @staticmethod
     def validate_org_id(org_id):
         org = Organization.get_instance(org_id)
@@ -116,113 +76,3 @@ class TicketApplySerializer(TicketSerializer):
             error = _('The ticket flow `{}` does not exist'.format(ticket_type))
             raise serializers.ValidationError(error)
         return attrs
-
-    @atomic
-    def create(self, validated_data):
-        instance = super().create(validated_data)
-        name = _('Created by ticket ({}-{})').format(instance.title, str(instance.id)[:4])
-        with tmp_to_org(instance.org_id):
-            if not AssetPermission.objects.filter(name=name).exists():
-                instance.meta.update({'apply_permission_name': name})
-                return instance
-        raise serializers.ValidationError(_('Permission named `{}` already exists'.format(name)))
-
-
-class TicketApproveSerializer(TicketSerializer):
-    meta = serializers.ReadOnlyField()
-
-    class Meta:
-        model = Ticket
-        fields = TicketSerializer.Meta.fields
-        read_only_fields = fields
-
-
-class TicketFlowApproveSerializer(serializers.ModelSerializer):
-    strategy_display = serializers.ReadOnlyField(source='get_strategy_display', label=_('Approve strategy'))
-    assignees_read_only = serializers.SerializerMethodField(label=_('Assignees'))
-    assignees_display = serializers.SerializerMethodField(label=_('Assignees display'))
-
-    class Meta:
-        model = ApprovalRule
-        fields_small = [
-            'level', 'strategy', 'assignees_read_only', 'assignees_display', 'strategy_display'
-        ]
-        fields_m2m = ['assignees', ]
-        fields = fields_small + fields_m2m
-        read_only_fields = ['level', 'assignees_display']
-        extra_kwargs = {
-            'assignees': {'write_only': True, 'allow_empty': True, 'required': False}
-        }
-
-    def get_assignees_display(self, obj):
-        return [str(assignee) for assignee in obj.get_assignees()]
-
-    def get_assignees_read_only(self, obj):
-        if obj.strategy == TicketApprovalStrategy.custom_user:
-            return obj.assignees.values_list('id', flat=True)
-        return []
-
-    def validate(self, attrs):
-        if attrs['strategy'] == TicketApprovalStrategy.custom_user and not attrs.get('assignees'):
-            error = _('Please select the Assignees')
-            raise serializers.ValidationError({'assignees': error})
-        return super().validate(attrs)
-
-
-class TicketFlowSerializer(OrgResourceModelSerializerMixin):
-    type_display = serializers.ReadOnlyField(source='get_type_display', label=_('Type display'))
-    rules = TicketFlowApproveSerializer(many=True, required=True)
-
-    class Meta:
-        model = TicketFlow
-        fields_mini = ['id', ]
-        fields_small = fields_mini + [
-            'type', 'type_display', 'approval_level', 'created_by', 'date_created', 'date_updated',
-            'org_id', 'org_name'
-        ]
-        fields = fields_small + ['rules', ]
-        read_only_fields = ['created_by', 'org_id', 'date_created', 'date_updated']
-        extra_kwargs = {
-            'type': {'required': True},
-            'approval_level': {'required': True}
-        }
-
-    def validate_type(self, value):
-        if not self.instance or (self.instance and self.instance.type != value):
-            if self.Meta.model.objects.filter(type=value).exists():
-                error = _('The current organization type already exists')
-                raise serializers.ValidationError(error)
-        return value
-
-    def create_or_update(self, action, validated_data, instance=None):
-        related = 'rules'
-        assignees = 'assignees'
-        childs = validated_data.pop(related, [])
-        if not instance:
-            instance = getattr(super(), action)(validated_data)
-        else:
-            instance = getattr(super(), action)(instance, validated_data)
-            getattr(instance, related).all().delete()
-        instance_related = getattr(instance, related)
-        child_instances = []
-        related_model = instance_related.model
-        # Todo: 这个权限的判断
-        for level, data in enumerate(childs, 1):
-            data_m2m = data.pop(assignees, None)
-            child_instance = related_model.objects.create(**data, level=level)
-            getattr(child_instance, assignees).set(data_m2m)
-            child_instances.append(child_instance)
-        instance_related.set(child_instances)
-        return instance
-
-    @atomic
-    def create(self, validated_data):
-        return self.create_or_update('create', validated_data)
-
-    @atomic
-    def update(self, instance, validated_data):
-        if instance.org_id == Organization.ROOT_ID:
-            instance = self.create(validated_data)
-        else:
-            instance = self.create_or_update('update', validated_data, instance)
-        return instance
diff --git a/apps/tickets/signal_handlers/ticket.py b/apps/tickets/signal_handlers/ticket.py
index 1a343b18f..8d9a9ef32 100644
--- a/apps/tickets/signal_handlers/ticket.py
+++ b/apps/tickets/signal_handlers/ticket.py
@@ -1,19 +1,28 @@
 # -*- coding: utf-8 -*-
 #
 from django.dispatch import receiver
-from django.db.models.signals import post_save
+from django.db.models.signals import post_save, m2m_changed
+
+from common.decorator import on_transaction_commit
 from common.utils import get_logger
 from tickets.models import Ticket
-from ..signals import post_change_ticket_action
 
 logger = get_logger(__name__)
 
 
-@receiver(post_change_ticket_action, sender=Ticket)
-def on_post_change_ticket_action(sender, ticket, action, **kwargs):
-    ticket.handler.dispatch(action)
+@on_transaction_commit
+def after_save_set_rel_snapshot(sender, instance, update_fields=None, **kwargs):
+    if update_fields and list(update_fields)[0] == 'rel_snapshot':
+        return
+    instance.set_rel_snapshot()
 
 
-@receiver(post_save, sender=Ticket)
-def on_pre_save_ensure_serial_num(sender, instance: Ticket, **kwargs):
-    instance.update_serial_num_if_need()
+@on_transaction_commit
+def on_m2m_change(sender, action, instance, reverse=False, **kwargs):
+    if action.startswith('post'):
+        instance.set_rel_snapshot()
+
+
+for ticket_cls in Ticket.__subclasses__():
+    post_save.connect(after_save_set_rel_snapshot, sender=ticket_cls)
+    m2m_changed.connect(on_m2m_change, sender=ticket_cls)
diff --git a/apps/tickets/signals.py b/apps/tickets/signals.py
index b626cfa35..6fa73d8d5 100644
--- a/apps/tickets/signals.py
+++ b/apps/tickets/signals.py
@@ -1,5 +1,4 @@
 from django.dispatch import Signal
 
-post_change_ticket_action = Signal()
-
+active_step = Signal()
 post_or_update_change_ticket_flow_approval = Signal()
diff --git a/apps/tickets/templates/tickets/_base_ticket_body.html b/apps/tickets/templates/tickets/_base_ticket_body.html
deleted file mode 100644
index 593a1d35e..000000000
--- a/apps/tickets/templates/tickets/_base_ticket_body.html
+++ /dev/null
@@ -1,20 +0,0 @@
-{% load i18n %}
-<div>
-    <p class="ticket-info">
-        {{ ticket_info }}
-    </p>
-    <div>
-        <p>
-        </p>
-        <p>
-
-        </p>
-
-        {{ body | safe }}
-    </div>
-    <div>
-        <a href={{ ticket_detail_url }}>
-            {% trans 'Click here to review' %}
-        </a>
-    </div>
-</div>
\ No newline at end of file
diff --git a/apps/tickets/templates/tickets/_msg_ticket.html b/apps/tickets/templates/tickets/_msg_ticket.html
index 5f268592c..75d205080 100644
--- a/apps/tickets/templates/tickets/_msg_ticket.html
+++ b/apps/tickets/templates/tickets/_msg_ticket.html
@@ -4,7 +4,15 @@
         {{ title | safe }}
     </p>
     <div>
-        {{ body | safe }}
+        {% for child in content %}
+            <h2>{{ child.title }}</h2>
+            <hr>
+            {% for item in child.content %}
+                <li style="list-style-type:none">
+                    <b>{{ item.title }}: </b> {{ item.value }}
+                </li>
+            {% endfor %}
+        {% endfor %}
     </div>
     <br>
     <div>
diff --git a/apps/tickets/templates/tickets/approve_check_password.html b/apps/tickets/templates/tickets/approve_check_password.html
index d75e9f956..78eadbf6f 100644
--- a/apps/tickets/templates/tickets/approve_check_password.html
+++ b/apps/tickets/templates/tickets/approve_check_password.html
@@ -10,7 +10,17 @@
         <div class="ibox-content">
             <h2 class="font-bold" style="display: inline">{% trans 'Ticket information' %}</h2>
             <h1></h1>
-            <div style="word-break: break-all">{{ ticket_info | safe }}</div>
+            <div>
+                {% for child in content %}
+                    <h2>{{ child.title }}</h2>
+                    <hr>
+                    {% for item in child.content %}
+                        <li style="list-style-type:none">
+                            <b>{{ item.title }}: </b> {{ item.value }}
+                        </li>
+                    {% endfor %}
+                {% endfor %}
+            </div>
         </div>
     </div>
     <div class="col-lg-6">
diff --git a/apps/tickets/urls/api_urls.py b/apps/tickets/urls/api_urls.py
index bc6bb7f54..22715c527 100644
--- a/apps/tickets/urls/api_urls.py
+++ b/apps/tickets/urls/api_urls.py
@@ -10,6 +10,11 @@ app_name = 'tickets'
 router = BulkRouter()
 
 router.register('tickets', api.TicketViewSet, 'ticket')
+router.register('apply-asset-tickets', api.ApplyAssetTicketViewSet, 'apply-asset-ticket')
+router.register('apply-app-tickets', api.ApplyApplicationTicketViewSet, 'apply-app-ticket')
+router.register('apply-login-tickets', api.ApplyLoginTicketViewSet, 'apply-login-ticket')
+router.register('apply-login-asset-tickets', api.ApplyLoginAssetTicketViewSet, 'apply-login-asset-ticket')
+router.register('apply-command-tickets', api.ApplyCommandTicketViewSet, 'apply-command-ticket')
 router.register('flows', api.TicketFlowViewSet, 'flows')
 router.register('comments', api.CommentViewSet, 'comment')
 router.register('ticket-session-relation', api.TicketSessionRelationViewSet, 'ticket-session-relation')
diff --git a/apps/tickets/utils.py b/apps/tickets/utils.py
index 66edb3828..231881846 100644
--- a/apps/tickets/utils.py
+++ b/apps/tickets/utils.py
@@ -3,21 +3,22 @@
 from django.conf import settings
 
 from common.utils import get_logger
-from .notifications import TicketAppliedToAssignee, TicketProcessedToApplicant
+from .notifications import TicketAppliedToAssigneeMessage, TicketProcessedToApplicantMessage
 
 logger = get_logger(__file__)
 
 
-def send_ticket_applied_mail_to_assignees(ticket):
-    ticket_assignees = ticket.current_node.first().ticket_assignees.all()
-    if not ticket_assignees:
+def send_ticket_applied_mail_to_assignees(ticket, assignees):
+    if not assignees:
         logger.debug(
-            "Not found assignees, ticket: {}({}), assignees: {}".format(ticket, str(ticket.id), ticket_assignees)
+            "Not found assignees, ticket: {}({}), assignees: {}".format(
+                ticket, str(ticket.id), assignees
+            )
         )
         return
 
-    for ticket_assignee in ticket_assignees:
-        instance = TicketAppliedToAssignee(ticket_assignee.assignee, ticket)
+    for user in assignees:
+        instance = TicketAppliedToAssigneeMessage(user, ticket)
         if settings.DEBUG:
             logger.debug(instance)
         instance.publish_async()
@@ -28,7 +29,7 @@ def send_ticket_processed_mail_to_applicant(ticket, processor):
         logger.error("Not found applicant: {}({})".format(ticket.title, ticket.id))
         return
 
-    instance = TicketProcessedToApplicant(ticket.applicant, ticket, processor)
+    instance = TicketProcessedToApplicantMessage(ticket.applicant, ticket, processor)
     if settings.DEBUG:
         logger.debug(instance)
     instance.publish_async()
diff --git a/apps/tickets/views/approve.py b/apps/tickets/views/approve.py
index 6632dc813..5be230f0a 100644
--- a/apps/tickets/views/approve.py
+++ b/apps/tickets/views/approve.py
@@ -50,13 +50,13 @@ class TicketDirectApproveView(TemplateView):
     def get_context_data(self, **kwargs):
         # 放入工单信息
         token = kwargs.get('token')
-        ticket_info = cache.get(token, {}).get('body', '')
+        content = cache.get(token, {}).get('content', [])
         if self.request.user.is_authenticated:
             prompt_msg = _('Click the button below to approve or reject')
         else:
             prompt_msg = _('After successful authentication, this ticket can be approved directly')
         kwargs.update({
-            'ticket_info': ticket_info, 'prompt_msg': prompt_msg,
+            'content': content, 'prompt_msg': prompt_msg,
             'login_url': '%s&next=%s' % (
                 self.login_url,
                 reverse('tickets:direct-approve', kwargs={'token': token})

From ac20bc05ba88e4158aa208f8e5ee1239406243ef Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Thu, 23 Jun 2022 15:00:49 +0800
Subject: [PATCH 191/258] =?UTF-8?q?perf:=20=E4=BC=98=E5=8C=96=20css?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../templates/authentication/login.html       | 31 +++------
 apps/authentication/views/login.py            | 14 ++++
 apps/jumpserver/conf.py                       |  2 +-
 config_example.yml                            | 68 +++----------------
 4 files changed, 35 insertions(+), 80 deletions(-)

diff --git a/apps/authentication/templates/authentication/login.html b/apps/authentication/templates/authentication/login.html
index 3c95332a2..2fd518462 100644
--- a/apps/authentication/templates/authentication/login.html
+++ b/apps/authentication/templates/authentication/login.html
@@ -33,28 +33,23 @@
         }
 
         .form-group {
-            margin-bottom: 40px;
-            margin-top: 10px;
+            margin-bottom: 30px;
+            margin-top: 20px;
         }
 
-        .addition .form-group, .has-error .form-group  {
+        .extra-fields-1 .form-group {
+            margin-bottom: 30px;
+            margin-top: 15px;
+        }
+
+        .extra-fields-2 .form-group {
             margin-bottom: 20px;
             margin-top: 10px;
         }
 
-        .auth-methods.has-error .form-group, .auth-methods.addition .form-group {
-            margin-bottom: 15px;
-            margin-top: 5px;
-        }
-
-        .has-error.addition .form-group {
-            margin-bottom: 20px;
-            margin-top: 5px;
-        }
-
-        .auth-methods.addition.has-error .form-group {
+        .extra-fields-3 .form-group {
             margin-bottom: 10px;
-            margin-top: 5px;
+            margin-top: 10px;
         }
 
         .login-content {
@@ -185,11 +180,7 @@
 </head>
 
 <body>
-<div class="login-content
-    {% if form.errors or form.non_field_error %} has-error {% endif %}
-    {% if auth_methods %} auth-methods {% endif %}
-    {% if form.captcha or form.mfa_type or form.challenge %} addition {% endif %}
-">
+<div class="login-content extra-fields-{{ extra_fields_count }}">
     <div class="right-image-box">
         <a href="{% if not XPACK_ENABLED %}https://github.com/jumpserver/jumpserver.git{% endif %}">
             <img src="{{ LOGIN_IMAGE_URL }}" class="right-image"  alt="screen-image"/>
diff --git a/apps/authentication/views/login.py b/apps/authentication/views/login.py
index e6fe6b6cf..0736a994d 100644
--- a/apps/authentication/views/login.py
+++ b/apps/authentication/views/login.py
@@ -209,6 +209,19 @@ class UserLoginView(mixins.AuthMixin, FormView):
         forgot_password_url = settings.FORGOT_PASSWORD_URL or forgot_password_url
         return forgot_password_url
 
+    def get_extra_fields_count(self, context):
+        count = 0
+        if self.get_support_auth_methods():
+            count += 1
+        form = context.get('form')
+        if not form:
+            return count
+        if set(form.fields.keys()) & {'captcha', 'challenge', 'mfa_type'}:
+            count += 1
+        if form.errors or form.non_field_errors():
+            count += 1
+        return count
+
     def get_context_data(self, **kwargs):
         context = super().get_context_data(**kwargs)
         context.update({
@@ -217,6 +230,7 @@ class UserLoginView(mixins.AuthMixin, FormView):
             'langs': self.get_support_langs(),
             'current_lang': self.get_current_lang(),
             'forgot_password_url': self.get_forgot_password_url(),
+            'extra_fields_count': self.get_extra_fields_count(context),
             **self.get_user_mfa_context(self.request.user)
         })
         return context
diff --git a/apps/jumpserver/conf.py b/apps/jumpserver/conf.py
index df8b5f287..b88bd45fe 100644
--- a/apps/jumpserver/conf.py
+++ b/apps/jumpserver/conf.py
@@ -158,7 +158,7 @@ class Config(dict):
         'SESSION_COOKIE_DOMAIN': None,
         'CSRF_COOKIE_DOMAIN': None,
         'SESSION_COOKIE_NAME_PREFIX': None,
-        'SESSION_COOKIE_AGE': 3600 * 24,
+        'SESSION_COOKIE_AGE': 3600,
         'SESSION_EXPIRE_AT_BROWSER_CLOSE': False,
         'LOGIN_URL': reverse_lazy('authentication:login'),
         'CONNECTION_TOKEN_EXPIRATION': 5 * 60,
diff --git a/config_example.yml b/config_example.yml
index c3075a8b6..f8f458a80 100644
--- a/config_example.yml
+++ b/config_example.yml
@@ -1,11 +1,11 @@
 # SECURITY WARNING: keep the secret key used in production secret!
 # 加密密钥 生产环境中请修改为随机字符串，请勿外泄, 可使用命令生成
 # $ cat /dev/urandom | tr -dc A-Za-z0-9 | head -c 49;echo
-SECRET_KEY: 
+SECRET_KEY:
 
 # SECURITY WARNING: keep the bootstrap token used in production secret!
 # 预共享Token coco和guacamole用来注册服务账号，不在使用原来的注册接受机制
-BOOTSTRAP_TOKEN: 
+BOOTSTRAP_TOKEN:
 
 # Development env open this, when error occur display the full process track, Production disable it
 # DEBUG 模式 开启DEBUG后遇到错误时可以看到更多日志
@@ -14,11 +14,11 @@ BOOTSTRAP_TOKEN:
 # DEBUG, INFO, WARNING, ERROR, CRITICAL can set. See https://docs.djangoproject.com/en/1.10/topics/logging/
 # 日志级别
 # LOG_LEVEL: DEBUG
-# LOG_DIR: 
+# LOG_DIR:
 
-# Session expiration setting, Default 24 hour, Also set expired on on browser close
-# 浏览器Session过期时间，默认24小时, 也可以设置浏览器关闭则过期
-# SESSION_COOKIE_AGE: 86400
+# Session expiration setting, Default 1 hour, Also set expired on on browser close
+# 浏览器Session过期时间，默认 1 小时, 也可以设置浏览器关闭则过期
+# SESSION_COOKIE_AGE: 3600
 # SESSION_EXPIRE_AT_BROWSER_CLOSE: false
 
 # Database setting, Support sqlite3, mysql, postgres ....
@@ -28,14 +28,14 @@ BOOTSTRAP_TOKEN:
 # SQLite setting:
 # 使用单文件sqlite数据库
 # DB_ENGINE: sqlite3
-# DB_NAME: 
+# DB_NAME:
 # MySQL or postgres setting like:
 # 使用Mysql作为数据库
 DB_ENGINE: mysql
 DB_HOST: 127.0.0.1
 DB_PORT: 3306
 DB_USER: jumpserver
-DB_PASSWORD: 
+DB_PASSWORD:
 DB_NAME: jumpserver
 
 # When Django start it will bind this host and port
@@ -49,47 +49,10 @@ WS_LISTEN_PORT: 8070
 # Redis配置
 REDIS_HOST: 127.0.0.1
 REDIS_PORT: 6379
-# REDIS_PASSWORD: 
+# REDIS_PASSWORD:
 # REDIS_DB_CELERY: 3
 # REDIS_DB_CACHE: 4
 
-# Use OpenID Authorization
-# 使用 OpenID 进行认证设置
-# AUTH_OPENID: False # True or False
-# BASE_SITE_URL: None
-# AUTH_OPENID_CLIENT_ID: client-id
-# AUTH_OPENID_CLIENT_SECRET: client-secret
-# AUTH_OPENID_PROVIDER_ENDPOINT: https://op-example.com/
-# AUTH_OPENID_PROVIDER_AUTHORIZATION_ENDPOINT: https://op-example.com/authorize
-# AUTH_OPENID_PROVIDER_TOKEN_ENDPOINT: https://op-example.com/token
-# AUTH_OPENID_PROVIDER_JWKS_ENDPOINT: https://op-example.com/jwks
-# AUTH_OPENID_PROVIDER_USERINFO_ENDPOINT: https://op-example.com/userinfo
-# AUTH_OPENID_PROVIDER_END_SESSION_ENDPOINT: https://op-example.com/logout
-# AUTH_OPENID_PROVIDER_SIGNATURE_ALG: HS256
-# AUTH_OPENID_PROVIDER_SIGNATURE_KEY: None
-# AUTH_OPENID_SCOPES: "openid profile email"
-# AUTH_OPENID_ID_TOKEN_MAX_AGE: 60
-# AUTH_OPENID_ID_TOKEN_INCLUDE_CLAIMS: True
-# AUTH_OPENID_USE_STATE: True
-# AUTH_OPENID_USE_NONCE: True
-# AUTH_OPENID_SHARE_SESSION: True
-# AUTH_OPENID_IGNORE_SSL_VERIFICATION: True
-# AUTH_OPENID_ALWAYS_UPDATE_USER: True
-
-# Use Radius authorization
-# 使用Radius来认证
-# AUTH_RADIUS: false
-# RADIUS_SERVER: localhost
-# RADIUS_PORT: 1812
-# RADIUS_SECRET: 
-
-# CAS 配置
-# AUTH_CAS': False,
-# CAS_SERVER_URL': "http://host/cas/",
-# CAS_ROOT_PROXIED_AS': 'http://jumpserver-host:port',  
-# CAS_LOGOUT_COMPLETELY': True,
-# CAS_VERSION': 3,
-
 # LDAP/AD settings
 # LDAP 搜索分页数量
 # AUTH_LDAP_SEARCH_PAGED_SIZE: 1000
@@ -114,13 +77,6 @@ REDIS_PORT: 6379
 # OTP_VALID_WINDOW: 0
 # OTP_ISSUER_NAME: Jumpserver
 
-# Perm show single asset to ungrouped node
-# 是否把未授权节点资产放入到 未分组 节点中
-# PERM_SINGLE_ASSET_TO_UNGROUP_NODE: False
-#
-# 同一账号仅允许在一台设备登录
-# USER_LOGIN_SINGLE_MACHINE_ENABLED: False
-#
 # 启用定时任务
 # PERIOD_TASK_ENABLED: True
 #
@@ -130,18 +86,12 @@ REDIS_PORT: 6379
 # 是否开启 Luna 水印
 # SECURITY_WATERMARK_ENABLED: False
 
-# 健康检查的token，默认是空
-# HEALTH_CHECK_TOKEN: ''
-
 # 浏览器关闭页面后，会话过期
 # SESSION_EXPIRE_AT_BROWSER_CLOSE_FORCE: False
 
 # 每次api请求，session续期
 # SESSION_SAVE_EVERY_REQUEST: True
 
-# 硬盘检查
-# DISK_CHECK_ENABLED: True
-
 # 仅允许用户从来源处登录
 # ONLY_ALLOW_AUTH_FROM_SOURCE: False
 

From dbc5b7bdc38de3f348db2d49a65c19fa93c5450c Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Thu, 23 Jun 2022 16:02:38 +0800
Subject: [PATCH 192/258] =?UTF-8?q?perf:=20=E5=8D=87=E7=BA=A7=20tencent=20?=
 =?UTF-8?q?sdk?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 requirements/requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/requirements/requirements.txt b/requirements/requirements.txt
index c19bb76e5..fa611a170 100644
--- a/requirements/requirements.txt
+++ b/requirements/requirements.txt
@@ -123,7 +123,7 @@ alibabacloud_dysmsapi20170525==2.0.2
 python-novaclient==11.0.1
 python-keystoneclient==4.3.0
 bce-python-sdk==0.8.64
-tencentcloud-sdk-python==3.0.477
+tencentcloud-sdk-python==3.0.66
 aliyun-python-sdk-core-v3==2.9.1
 aliyun-python-sdk-ecs==4.10.1
 huaweicloud-sdk-python==1.0.21

From b264db3e7e6e9e9d3c5c0a6a96b2a7f844b7ac00 Mon Sep 17 00:00:00 2001
From: feng626 <1304903146@qq.com>
Date: Thu, 23 Jun 2022 17:43:54 +0800
Subject: [PATCH 193/258] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=E5=B7=A5?=
 =?UTF-8?q?=E5=8D=95=E8=BF=81=E7=A7=BB=E6=96=87=E4=BB=B6?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/assets/models/cmd_filter.py                   | 2 +-
 apps/tickets/migrations/0017_auto_20220623_1027.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/apps/assets/models/cmd_filter.py b/apps/assets/models/cmd_filter.py
index 235a4f331..4e8e20cd9 100644
--- a/apps/assets/models/cmd_filter.py
+++ b/apps/assets/models/cmd_filter.py
@@ -173,7 +173,7 @@ class CommandFilterRule(OrgModelMixin):
             'apply_run_user_id': session.user_id,
             'apply_run_asset_id': session.asset_id,
             'apply_run_system_user_id': session.system_user_id,
-            'apply_run_command': run_command,
+            'apply_run_command': run_command[:4096],
             'apply_from_session_id': str(session.id),
             'apply_from_cmd_filter_rule_id': str(cmd_filter_rule.id),
             'apply_from_cmd_filter_id': str(cmd_filter_rule.filter.id),
diff --git a/apps/tickets/migrations/0017_auto_20220623_1027.py b/apps/tickets/migrations/0017_auto_20220623_1027.py
index 7ac1c9eb2..1738de35a 100644
--- a/apps/tickets/migrations/0017_auto_20220623_1027.py
+++ b/apps/tickets/migrations/0017_auto_20220623_1027.py
@@ -287,7 +287,7 @@ def command_confirm_migrate(apps, *args):
             'apply_run_user': apply_run_user,
             'apply_run_asset': apply_run_asset,
             'apply_run_system_user': apply_run_system_user,
-            'apply_run_command': meta.get('apply_run_command', ''),
+            'apply_run_command': meta.get('apply_run_command', '')[:4096],
             'apply_from_session_id': apply_from_session_id,
             'apply_from_cmd_filter_id': apply_from_cmd_filter_id,
             'apply_from_cmd_filter_rule_id': apply_from_cmd_filter_rule_id,

From 9388f37c39ffc8480047d3fa488e03971bb39f66 Mon Sep 17 00:00:00 2001
From: feng626 <1304903146@qq.com>
Date: Thu, 23 Jun 2022 18:32:36 +0800
Subject: [PATCH 194/258] fix: ticket bug

---
 apps/assets/models/cmd_filter.py                   |  2 +-
 apps/tickets/migrations/0017_auto_20220623_1027.py | 14 ++++++++------
 2 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/apps/assets/models/cmd_filter.py b/apps/assets/models/cmd_filter.py
index 4e8e20cd9..d91d50988 100644
--- a/apps/assets/models/cmd_filter.py
+++ b/apps/assets/models/cmd_filter.py
@@ -173,7 +173,7 @@ class CommandFilterRule(OrgModelMixin):
             'apply_run_user_id': session.user_id,
             'apply_run_asset_id': session.asset_id,
             'apply_run_system_user_id': session.system_user_id,
-            'apply_run_command': run_command[:4096],
+            'apply_run_command': run_command[:4090],
             'apply_from_session_id': str(session.id),
             'apply_from_cmd_filter_rule_id': str(cmd_filter_rule.id),
             'apply_from_cmd_filter_id': str(cmd_filter_rule.filter.id),
diff --git a/apps/tickets/migrations/0017_auto_20220623_1027.py b/apps/tickets/migrations/0017_auto_20220623_1027.py
index 1738de35a..258ff676a 100644
--- a/apps/tickets/migrations/0017_auto_20220623_1027.py
+++ b/apps/tickets/migrations/0017_auto_20220623_1027.py
@@ -240,17 +240,19 @@ def command_confirm_migrate(apps, *args):
 
     tickets = ticket_model.objects.filter(type=TicketType.command_confirm)
     session_ids = tickets.values_list('meta__apply_from_session_id', flat=True)
-    session_ids = session_model.objects.filter(id__in=session_ids).values_list('id', flat=True)
-
+    session_ids = session_model.objects.filter(id__in=list(session_ids)).values_list('id', flat=True)
+    session_ids = [str(i) for i in session_ids]
     command_filter_ids = tickets.values_list('meta__apply_from_cmd_filter_id', flat=True)
     command_filter_ids = command_filter_model.objects\
-        .filter(id__in=command_filter_ids)\
+        .filter(id__in=list(command_filter_ids))\
         .values_list('id', flat=True)
-
+    command_filter_ids = [str(i) for i in command_filter_ids]
     command_filter_rule_ids = tickets.values_list('meta__apply_from_cmd_filter_rule_id', flat=True)
     command_filter_rule_ids = command_filter_rule_model.objects\
-        .filter(id__in=command_filter_rule_ids)\
+        .filter(id__in=list(command_filter_rule_ids))\
         .values_list('id', flat=True)
+    command_filter_rule_ids = [str(i) for i in command_filter_rule_ids]
+
     ticket_apply_command_model = apps.get_model('tickets', 'ApplyCommandTicket')
 
     for instance in tickets:
@@ -287,7 +289,7 @@ def command_confirm_migrate(apps, *args):
             'apply_run_user': apply_run_user,
             'apply_run_asset': apply_run_asset,
             'apply_run_system_user': apply_run_system_user,
-            'apply_run_command': meta.get('apply_run_command', '')[:4096],
+            'apply_run_command': meta.get('apply_run_command', '')[:4090],
             'apply_from_session_id': apply_from_session_id,
             'apply_from_cmd_filter_id': apply_from_cmd_filter_id,
             'apply_from_cmd_filter_rule_id': apply_from_cmd_filter_rule_id,

From 648fabbe036f333d8d2d045badb282cecd7ada54 Mon Sep 17 00:00:00 2001
From: feng626 <1304903146@qq.com>
Date: Thu, 23 Jun 2022 17:43:54 +0800
Subject: [PATCH 195/258] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=E5=B7=A5?=
 =?UTF-8?q?=E5=8D=95=E8=BF=81=E7=A7=BB=E6=96=87=E4=BB=B6?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 requirements/requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/requirements/requirements.txt b/requirements/requirements.txt
index fa611a170..c19bb76e5 100644
--- a/requirements/requirements.txt
+++ b/requirements/requirements.txt
@@ -123,7 +123,7 @@ alibabacloud_dysmsapi20170525==2.0.2
 python-novaclient==11.0.1
 python-keystoneclient==4.3.0
 bce-python-sdk==0.8.64
-tencentcloud-sdk-python==3.0.66
+tencentcloud-sdk-python==3.0.477
 aliyun-python-sdk-core-v3==2.9.1
 aliyun-python-sdk-ecs==4.10.1
 huaweicloud-sdk-python==1.0.21

From 8c31e8e634e3dc3527ad23f75410e142a5882db7 Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Thu, 23 Jun 2022 19:17:09 +0800
Subject: [PATCH 196/258] =?UTF-8?q?perf:=20=E4=BF=AE=E6=94=B9=20sdk=20?=
 =?UTF-8?q?=E7=89=88=E6=9C=AC?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 requirements/requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/requirements/requirements.txt b/requirements/requirements.txt
index c19bb76e5..9f626220e 100644
--- a/requirements/requirements.txt
+++ b/requirements/requirements.txt
@@ -123,7 +123,7 @@ alibabacloud_dysmsapi20170525==2.0.2
 python-novaclient==11.0.1
 python-keystoneclient==4.3.0
 bce-python-sdk==0.8.64
-tencentcloud-sdk-python==3.0.477
+tencentcloud-sdk-python==3.0.662
 aliyun-python-sdk-core-v3==2.9.1
 aliyun-python-sdk-ecs==4.10.1
 huaweicloud-sdk-python==1.0.21

From fd41fd78cf4e21ece15017eb596cf048b60eba46 Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Fri, 24 Jun 2022 18:41:22 +0800
Subject: [PATCH 197/258] =?UTF-8?q?fix:=20=E4=BF=AE=E6=94=B9=20private=5Fk?=
 =?UTF-8?q?ey=20=E7=9A=84=E5=BA=8F=E5=88=97=E7=B1=BB=E9=95=BF=E5=BA=A6?=
 =?UTF-8?q?=E4=B8=BA=2016384?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/assets/serializers/base.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/apps/assets/serializers/base.py b/apps/assets/serializers/base.py
index 2c5e579b6..92249705d 100644
--- a/apps/assets/serializers/base.py
+++ b/apps/assets/serializers/base.py
@@ -13,7 +13,7 @@ from .utils import validate_password_for_ansible
 
 class AuthSerializer(serializers.ModelSerializer):
     password = EncryptedField(required=False, allow_blank=True, allow_null=True, max_length=1024, label=_('Password'))
-    private_key = EncryptedField(required=False, allow_blank=True, allow_null=True, max_length=4096, label=_('Private key'))
+    private_key = EncryptedField(required=False, allow_blank=True, allow_null=True, max_length=16384, label=_('Private key'))
 
     def gen_keys(self, private_key=None, password=None):
         if private_key is None:
@@ -38,7 +38,7 @@ class AuthSerializerMixin(serializers.ModelSerializer):
         validators=[validate_password_for_ansible]
     )
     private_key = EncryptedField(
-        label=_('SSH private key'), required=False, allow_blank=True, allow_null=True, max_length=4096
+        label=_('SSH private key'), required=False, allow_blank=True, allow_null=True, max_length=16384
     )
     passphrase = serializers.CharField(
         allow_blank=True, allow_null=True, required=False, max_length=512,

From 3749a0c6a1c26fd1155275edb6cfba9cd8ddf76b Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Sat, 25 Jun 2022 10:14:13 +0800
Subject: [PATCH 198/258] =?UTF-8?q?perf:=20=E4=BF=AE=E5=A4=8D=20middleware?=
 =?UTF-8?q?=20=E5=AF=BC=E8=87=B4=E7=9A=84=E5=86=85=E5=AD=98=E5=A2=9E?=
 =?UTF-8?q?=E9=95=BF?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/authentication/middleware.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/apps/authentication/middleware.py b/apps/authentication/middleware.py
index f1f60bbc5..b4241f12d 100644
--- a/apps/authentication/middleware.py
+++ b/apps/authentication/middleware.py
@@ -46,6 +46,8 @@ class SessionCookieMiddleware(MiddlewareMixin):
 
     @staticmethod
     def set_cookie_public_key(request, response):
+        if request.path.startswith('/api'):
+            return
         pub_key_name = settings.SESSION_RSA_PUBLIC_KEY_NAME
         public_key = request.session.get(pub_key_name)
         cookie_key = request.COOKIES.get(pub_key_name)

From 8247f24d3f143d7fcaa8f6d0c3c1c7e7d52e5a2b Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Mon, 27 Jun 2022 10:15:29 +0800
Subject: [PATCH 199/258] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=E5=B7=A5?=
 =?UTF-8?q?=E5=8D=95bug=20(#8488)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: feng626 <1304903146@qq.com>
---
 apps/tickets/api/ticket.py                           |  7 ++++---
 apps/tickets/models/ticket/general.py                |  2 +-
 apps/tickets/serializers/ticket/apply_application.py | 12 +++---------
 apps/tickets/serializers/ticket/apply_asset.py       |  7 +++++++
 apps/tickets/serializers/ticket/common.py            | 11 +++++++++++
 5 files changed, 26 insertions(+), 13 deletions(-)

diff --git a/apps/tickets/api/ticket.py b/apps/tickets/api/ticket.py
index 747066b0c..712d4b6fa 100644
--- a/apps/tickets/api/ticket.py
+++ b/apps/tickets/api/ticket.py
@@ -34,10 +34,10 @@ class TicketViewSet(CommonApiMixin, viewsets.ModelViewSet):
     model = Ticket
     filterset_class = filters.TicketFilter
     search_fields = [
-        'title', 'type', 'status', 'applicant_display'
+        'title', 'type', 'status'
     ]
     ordering_fields = (
-        'title', 'applicant_display', 'status', 'state',
+        'title', 'status', 'state',
         'action_display', 'date_created', 'serial_num',
     )
     ordering = ('-date_created',)
@@ -67,7 +67,8 @@ class TicketViewSet(CommonApiMixin, viewsets.ModelViewSet):
 
     @action(detail=False, methods=[POST], permission_classes=[RBACPermission, ])
     def open(self, request, *args, **kwargs):
-        return super().create(request, *args, **kwargs)
+        with tmp_to_root_org():
+            return super().create(request, *args, **kwargs)
 
     @action(detail=True, methods=[PUT], permission_classes=[IsAssignee, ])
     def approve(self, request, *args, **kwargs):
diff --git a/apps/tickets/models/ticket/general.py b/apps/tickets/models/ticket/general.py
index b8f192a9d..2e8f1d886 100644
--- a/apps/tickets/models/ticket/general.py
+++ b/apps/tickets/models/ticket/general.py
@@ -189,7 +189,7 @@ class StatusMixin:
                 assignees_display.append(str(i.assignee))
                 if state != StepState.pending and state == i.state:
                     processor = i.assignee
-                if state != StepState.closed:
+                if state == StepState.closed:
                     processor = self.applicant
             step_info = {
                 'state': state,
diff --git a/apps/tickets/serializers/ticket/apply_application.py b/apps/tickets/serializers/ticket/apply_application.py
index b2774e420..1b5165bbd 100644
--- a/apps/tickets/serializers/ticket/apply_application.py
+++ b/apps/tickets/serializers/ticket/apply_application.py
@@ -26,15 +26,9 @@ class ApplyApplicationSerializer(BaseApplyAssetApplicationSerializer, TicketAppl
         extra_kwargs = {}
         extra_kwargs.update(ticket_extra_kwargs)
 
-    def validate_apply_applications(self, apply_applications):
-        type = self.initial_data.get('apply_type')
-        org_id = self.initial_data.get('org_id')
-        application_ids = [app.id for app in apply_applications]
-        with tmp_to_org(org_id):
-            applications = Application.objects.filter(
-                id__in=application_ids, type=type
-            ).values_list('id', flat=True)
-        return list(applications)
+    def validate_apply_applications(self, applications):
+        tp = self.initial_data.get('apply_type')
+        return self.filter_many_to_many_field(Application, applications, type=tp)
 
 
 class ApplyApplicationDisplaySerializer(ApplyApplicationSerializer):
diff --git a/apps/tickets/serializers/ticket/apply_asset.py b/apps/tickets/serializers/ticket/apply_asset.py
index 3c8e0aade..fe54eadeb 100644
--- a/apps/tickets/serializers/ticket/apply_asset.py
+++ b/apps/tickets/serializers/ticket/apply_asset.py
@@ -4,6 +4,7 @@ from rest_framework import serializers
 from perms.serializers.base import ActionsField
 from perms.models import AssetPermission
 from orgs.utils import tmp_to_org
+from assets.models import Asset, Node
 
 from tickets.models import ApplyAssetTicket
 from .ticket import TicketApplySerializer
@@ -34,6 +35,12 @@ class ApplyAssetSerializer(BaseApplyAssetApplicationSerializer, TicketApplySeria
         }
         extra_kwargs.update(ticket_extra_kwargs)
 
+    def validate_apply_nodes(self, nodes):
+        return self.filter_many_to_many_field(Node, nodes)
+
+    def validate_apply_assets(self, assets):
+        return self.filter_many_to_many_field(Asset, assets)
+
     def validate(self, attrs):
         attrs = super().validate(attrs)
         if not attrs.get('apply_nodes') and not attrs.get('apply_assets'):
diff --git a/apps/tickets/serializers/ticket/common.py b/apps/tickets/serializers/ticket/common.py
index ef52c14d3..4a375465e 100644
--- a/apps/tickets/serializers/ticket/common.py
+++ b/apps/tickets/serializers/ticket/common.py
@@ -3,6 +3,7 @@ from django.db.models import Model
 from django.utils.translation import ugettext as _
 from rest_framework import serializers
 
+from assets.models import SystemUser
 from orgs.utils import tmp_to_org
 from tickets.models import Ticket
 
@@ -37,6 +38,16 @@ class DefaultPermissionName(object):
 class BaseApplyAssetApplicationSerializer(serializers.Serializer):
     permission_model: Model
 
+    def filter_many_to_many_field(self, model, values: list, **kwargs):
+        org_id = self.initial_data.get('org_id')
+        ids = [instance.id for instance in values]
+        with tmp_to_org(org_id):
+            qs = model.objects.filter(id__in=ids, **kwargs).values_list('id', flat=True)
+        return list(qs)
+
+    def validate_apply_system_users(self, system_users):
+        return self.filter_many_to_many_field(SystemUser, system_users)
+
     def validate(self, attrs):
         attrs = super().validate(attrs)
 

From fd7f73a18e34e1f537f64b8084913bfaed50676a Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Mon, 27 Jun 2022 14:02:28 +0800
Subject: [PATCH 200/258] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=E5=B7=A5?=
 =?UTF-8?q?=E5=8D=95=E6=9D=83=E9=99=90=E9=97=AE=E9=A2=98=20(#8493)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: feng626 <1304903146@qq.com>
---
 apps/tickets/api/ticket.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/apps/tickets/api/ticket.py b/apps/tickets/api/ticket.py
index 712d4b6fa..0cf9652a6 100644
--- a/apps/tickets/api/ticket.py
+++ b/apps/tickets/api/ticket.py
@@ -32,6 +32,7 @@ class TicketViewSet(CommonApiMixin, viewsets.ModelViewSet):
         'open': serializers.TicketApplySerializer
     }
     model = Ticket
+    perm_model = Ticket
     filterset_class = filters.TicketFilter
     search_fields = [
         'title', 'type', 'status'

From b784d8ba87df0f4efb5c0f95c86d5f2ab906ead1 Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Mon, 27 Jun 2022 19:10:20 +0800
Subject: [PATCH 201/258] =?UTF-8?q?fix:=20=E5=8D=87=E7=BA=A7=E4=BE=9D?=
 =?UTF-8?q?=E8=B5=96=E5=BA=93=E7=89=88=E6=9C=AC=EF=BC=8C=E8=A7=A3=E5=86=B3?=
 =?UTF-8?q?=E7=94=9F=E6=88=90=20key=20=E6=97=B6=E7=9A=84=E5=86=85=E5=AD=98?=
 =?UTF-8?q?=E6=B3=84=E9=9C=B2?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 requirements/requirements.txt | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/requirements/requirements.txt b/requirements/requirements.txt
index 9f626220e..f60fbc2f2 100644
--- a/requirements/requirements.txt
+++ b/requirements/requirements.txt
@@ -12,7 +12,6 @@ chardet==3.0.4
 configparser==3.5.0
 coreapi==2.3.3
 coreschema==0.0.4
-cryptography==36.0.1
 decorator==4.1.2
 Django==3.1.14
 django-auth-ldap==2.2.0
@@ -51,8 +50,9 @@ passlib==1.7.4
 Pillow==9.1.1
 pyasn1==0.4.8
 pycparser==2.21
-pycryptodome==3.14.1
-pycryptodomex==3.14.1
+cryptography==36.0.1
+pycryptodome==3.15.0
+pycryptodomex==3.15.0
 pyotp==2.6.0
 PyNaCl==1.5.0
 python-dateutil==2.8.2
@@ -60,7 +60,7 @@ pytz==2022.1
 PyYAML==6.0
 redis==4.3.3
 requests==2.28.0
-jms-storage==0.0.43
+jms-storage==0.0.44
 s3transfer==0.6.0
 simplejson==3.17.6
 six==1.16.0

From b619ebf423fcf8d190cd60f70335d93ac4b32deb Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Sat, 25 Jun 2022 22:14:12 +0800
Subject: [PATCH 202/258] =?UTF-8?q?perf:=20=E4=BF=AE=E6=94=B9=20jumpserver?=
 =?UTF-8?q?=20=E7=89=88=E6=9C=AC=E5=8F=B7=EF=BC=8C=E9=81=BF=E5=85=8D?=
 =?UTF-8?q?=E7=BC=93=E5=AD=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/authentication/templates/authentication/login.html         | 2 +-
 .../templates/authentication/login_wait_confirm.html            | 2 +-
 apps/templates/_base_double_screen.html                         | 2 +-
 apps/templates/_base_only_content.html                          | 2 +-
 apps/templates/_foot_js.html                                    | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/apps/authentication/templates/authentication/login.html b/apps/authentication/templates/authentication/login.html
index 2fd518462..c535509a7 100644
--- a/apps/authentication/templates/authentication/login.html
+++ b/apps/authentication/templates/authentication/login.html
@@ -14,7 +14,7 @@
     <!-- Stylesheets -->
     <link href="{% static 'css/login-style.css' %}" rel="stylesheet">
     <link href="{% static 'css/jumpserver.css' %}" rel="stylesheet">
-    <script src="{% static "js/jumpserver.js" %}"></script>
+    <script src="{% static "js/jumpserver.js" %}?_=9"></script>
 
     <style>
         .login-content {
diff --git a/apps/authentication/templates/authentication/login_wait_confirm.html b/apps/authentication/templates/authentication/login_wait_confirm.html
index 518e2f03e..9d2af40a5 100644
--- a/apps/authentication/templates/authentication/login_wait_confirm.html
+++ b/apps/authentication/templates/authentication/login_wait_confirm.html
@@ -10,7 +10,7 @@
     <title>{{ title }}</title>
     {% include '_head_css_js.html' %}
     <link href="{% static "css/jumpserver.css" %}" rel="stylesheet">
-    <script src="{% static "js/jumpserver.js" %}"></script>
+    <script src="{% static "js/jumpserver.js" %}?_=9"></script>
 
 </head>
 
diff --git a/apps/templates/_base_double_screen.html b/apps/templates/_base_double_screen.html
index a78f9810e..4f357f89c 100644
--- a/apps/templates/_base_double_screen.html
+++ b/apps/templates/_base_double_screen.html
@@ -11,7 +11,7 @@
 
     {% include '_head_css_js.html' %}
     <link href="{% static "css/jumpserver.css" %}" rel="stylesheet">
-    <script src="{% static "js/jumpserver.js" %}"></script>
+    <script src="{% static "js/jumpserver.js" %}?_=9"></script>
     <style>
         .outerBox {
             margin: 0 auto;
diff --git a/apps/templates/_base_only_content.html b/apps/templates/_base_only_content.html
index 8d7258966..775c1b48b 100644
--- a/apps/templates/_base_only_content.html
+++ b/apps/templates/_base_only_content.html
@@ -11,7 +11,7 @@
 
     {% include '_head_css_js.html' %}
     <link href="{% static "css/jumpserver.css" %}" rel="stylesheet">
-    <script src="{% static "js/jumpserver.js" %}"></script>
+    <script src="{% static "js/jumpserver.js" %}?_=9"></script>
     <style>
         .passwordBox {
             max-width: 560px;
diff --git a/apps/templates/_foot_js.html b/apps/templates/_foot_js.html
index ba27689b7..02c0eb5ac 100644
--- a/apps/templates/_foot_js.html
+++ b/apps/templates/_foot_js.html
@@ -6,7 +6,7 @@
 <!-- Custom and plugin javascript -->
 <script src="{% static "js/plugins/toastr/toastr.min.js" %}"></script>
 <script src="{% static "js/inspinia.js" %}"></script>
-<script src="{% static "js/jumpserver.js" %}?v=8"></script>
+<script src="{% static "js/jumpserver.js" %}?v=9"></script>
 <script src="{% static 'js/plugins/select2/select2.full.min.js' %}"></script>
 <script src="{% static 'js/plugins/select2/i18n/zh-CN.js' %}"></script>
 <script>

From b33e376c903ca6d4e005db76a98a87fc6acf65ff Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Tue, 28 Jun 2022 17:19:33 +0800
Subject: [PATCH 203/258] =?UTF-8?q?fix:=20=E8=A7=A3=E5=86=B3=E4=B8=80?=
 =?UTF-8?q?=E4=BA=9B=E5=B7=A5=E5=8D=95=E5=B7=B2=E7=9F=A5=E9=97=AE=E9=A2=98?=
 =?UTF-8?q?=20(#8501)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: feng626 <1304903146@qq.com>
---
 apps/tickets/filters.py                       | 12 +++++++++--
 apps/tickets/handlers/base.py                 |  5 +----
 apps/tickets/models/ticket/general.py         | 16 +++++++-------
 apps/tickets/models/ticket/login_confirm.py   |  2 +-
 .../serializers/ticket/apply_application.py   |  4 +++-
 .../tickets/serializers/ticket/apply_asset.py |  3 ++-
 apps/tickets/views/approve.py                 | 21 +++++++++++++++++--
 7 files changed, 45 insertions(+), 18 deletions(-)

diff --git a/apps/tickets/filters.py b/apps/tickets/filters.py
index 255908305..bf20014cc 100644
--- a/apps/tickets/filters.py
+++ b/apps/tickets/filters.py
@@ -1,8 +1,10 @@
 from django_filters import rest_framework as filters
+from django.db.models import Subquery, OuterRef
+
 from common.drf.filters import BaseFilterSet
 
 from tickets.models import (
-    Ticket, ApplyAssetTicket, ApplyApplicationTicket,
+    Ticket, TicketStep, ApplyAssetTicket, ApplyApplicationTicket,
     ApplyLoginTicket, ApplyLoginAssetTicket, ApplyCommandTicket
 )
 
@@ -17,7 +19,13 @@ class TicketFilter(BaseFilterSet):
         )
 
     def filter_assignees_id(self, queryset, name, value):
-        return queryset.filter(ticket_steps__ticket_assignees__assignee__id=value)
+        step_qs = TicketStep.objects.filter(
+            level=OuterRef("approval_step")
+        ).values_list('id', flat=True)
+        return queryset.filter(
+            ticket_steps__id__in=Subquery(step_qs),
+            ticket_steps__ticket_assignees__assignee__id=value
+        )
 
 
 class ApplyAssetTicketFilter(BaseFilterSet):
diff --git a/apps/tickets/handlers/base.py b/apps/tickets/handlers/base.py
index 308f9f914..6165d035b 100644
--- a/apps/tickets/handlers/base.py
+++ b/apps/tickets/handlers/base.py
@@ -55,10 +55,7 @@ class BaseHandler:
 
     def _send_processed_mail_to_applicant(self, step=None):
         applicant = self.ticket.applicant
-        if self.ticket.status == TicketStatus.closed:
-            processor = applicant
-        else:
-            processor = step.processor if step else self.ticket.processor
+        processor = step.processor if step else applicant
         logger.debug('Send processed mail to applicant: {}'.format(applicant))
         send_ticket_processed_mail_to_applicant(self.ticket, processor)
 
diff --git a/apps/tickets/models/ticket/general.py b/apps/tickets/models/ticket/general.py
index 2e8f1d886..c87b3aa7f 100644
--- a/apps/tickets/models/ticket/general.py
+++ b/apps/tickets/models/ticket/general.py
@@ -13,6 +13,7 @@ from common.utils.timezone import as_current_tz
 from common.mixins.models import CommonModelMixin
 from common.db.encoder import ModelJSONFieldEncoder
 from orgs.models import Organization
+from orgs.utils import tmp_to_org
 from tickets.const import (
     TicketType, TicketStatus, TicketState,
     TicketLevel, StepState, StepStatus
@@ -336,14 +337,15 @@ class Ticket(StatusMixin, CommonModelMixin):
                 m2m_fields.add(name)
 
         snapshot = {}
-        for field in rel_fields:
-            value = getattr(self, field)
+        with tmp_to_org(self.org_id):
+            for field in rel_fields:
+                value = getattr(self, field)
 
-            if field in m2m_fields:
-                value = [str(v) for v in value.all()]
-            else:
-                value = str(value) if value else ''
-            snapshot[field] = value
+                if field in m2m_fields:
+                    value = [str(v) for v in value.all()]
+                else:
+                    value = str(value) if value else ''
+                snapshot[field] = value
 
         self.rel_snapshot.update(snapshot)
         if save:
diff --git a/apps/tickets/models/ticket/login_confirm.py b/apps/tickets/models/ticket/login_confirm.py
index 89fb32e94..ee9d9fa80 100644
--- a/apps/tickets/models/ticket/login_confirm.py
+++ b/apps/tickets/models/ticket/login_confirm.py
@@ -1,7 +1,7 @@
 from django.db import models
 from django.utils.translation import gettext_lazy as _
 
-from .general import Ticket, SubTicketManager
+from .general import Ticket
 
 __all__ = ['ApplyLoginTicket']
 
diff --git a/apps/tickets/serializers/ticket/apply_application.py b/apps/tickets/serializers/ticket/apply_application.py
index 1b5165bbd..700f7b45e 100644
--- a/apps/tickets/serializers/ticket/apply_application.py
+++ b/apps/tickets/serializers/ticket/apply_application.py
@@ -23,7 +23,9 @@ class ApplyApplicationSerializer(BaseApplyAssetApplicationSerializer, TicketAppl
         fields = TicketApplySerializer.Meta.fields + writeable_fields + ['apply_permission_name']
         read_only_fields = list(set(fields) - set(writeable_fields))
         ticket_extra_kwargs = TicketApplySerializer.Meta.extra_kwargs
-        extra_kwargs = {}
+        extra_kwargs = {
+            'apply_system_users': {'required': True},
+        }
         extra_kwargs.update(ticket_extra_kwargs)
 
     def validate_apply_applications(self, applications):
diff --git a/apps/tickets/serializers/ticket/apply_asset.py b/apps/tickets/serializers/ticket/apply_asset.py
index fe54eadeb..c32de52c1 100644
--- a/apps/tickets/serializers/ticket/apply_asset.py
+++ b/apps/tickets/serializers/ticket/apply_asset.py
@@ -31,7 +31,8 @@ class ApplyAssetSerializer(BaseApplyAssetApplicationSerializer, TicketApplySeria
         ticket_extra_kwargs = TicketApplySerializer.Meta.extra_kwargs
         extra_kwargs = {
             'apply_nodes': {'required': False, 'help_text': asset_or_node_help_text},
-            'apply_assets': {'required': False, 'help_text': asset_or_node_help_text}
+            'apply_assets': {'required': False, 'help_text': asset_or_node_help_text},
+            'apply_system_users': {'required': True},
         }
         extra_kwargs.update(ticket_extra_kwargs)
 
diff --git a/apps/tickets/views/approve.py b/apps/tickets/views/approve.py
index 5be230f0a..f5f20e3d9 100644
--- a/apps/tickets/views/approve.py
+++ b/apps/tickets/views/approve.py
@@ -7,11 +7,17 @@ from django.shortcuts import redirect, reverse
 from django.core.cache import cache
 from django.utils.translation import ugettext as _
 
-from tickets.models import Ticket
+from orgs.utils import tmp_to_root_org
+from tickets.models import (
+    Ticket, ApplyAssetTicket, ApplyApplicationTicket,
+    ApplyLoginTicket, ApplyLoginAssetTicket, ApplyCommandTicket
+)
+from tickets.const import TicketType
 from tickets.errors import AlreadyClosed
 from common.utils import get_logger, FlashMessageUtil
 
 logger = get_logger(__name__)
+
 __all__ = ['TicketDirectApproveView']
 
 
@@ -19,6 +25,14 @@ class TicketDirectApproveView(TemplateView):
     template_name = 'tickets/approve_check_password.html'
     redirect_field_name = 'next'
 
+    TICKET_SUB_MODEL_MAP = {
+        TicketType.apply_asset: ApplyAssetTicket,
+        TicketType.apply_application: ApplyApplicationTicket,
+        TicketType.login_confirm: ApplyLoginTicket,
+        TicketType.login_asset_confirm: ApplyLoginAssetTicket,
+        TicketType.command_confirm: ApplyCommandTicket,
+    }
+
     @property
     def message_data(self):
         return {
@@ -84,7 +98,10 @@ class TicketDirectApproveView(TemplateView):
             return self.redirect_message_response(redirect_url=self.login_url)
         try:
             ticket_id = ticket_info.get('ticket_id')
-            ticket = Ticket.all().get(id=ticket_id)
+            with tmp_to_root_org():
+                ticket = Ticket.all().get(id=ticket_id)
+                ticket_sub_model = self.TICKET_SUB_MODEL_MAP[ticket.type]
+                ticket = ticket_sub_model.objects.get(id=ticket_id)
             if not ticket.has_current_assignee(user):
                 raise Exception(_("This user is not authorized to approve this ticket"))
             getattr(ticket, action)(user)

From c3c99cc5e8e6bc0678366547263bc829c89164cd Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Tue, 28 Jun 2022 17:23:20 +0800
Subject: [PATCH 204/258] =?UTF-8?q?perf:=20=E4=BC=98=E5=8C=96=20redis=20(#?=
 =?UTF-8?q?8484)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* perf: 优化 redis

* perf: 优化 redis 时间

* perf: 优化时间

* perf: 修改 ssl

* perf: 修改 ssl

* perf: 修改 ssl name

* perf: 修改名称

Co-authored-by: ibuler <ibuler@qq.com>
---
 apps/common/utils/connection.py      | 21 +++---------
 apps/jumpserver/conf.py              |  1 +
 apps/jumpserver/rewriting/session.py | 50 ----------------------------
 apps/jumpserver/settings/base.py     | 11 +++---
 apps/jumpserver/settings/libs.py     | 24 +++++++------
 apps/users/models/user.py            |  4 ++-
 apps/users/tasks.py                  |  8 +++--
 utils/start_celery_beat.py           | 38 ++++++++-------------
 8 files changed, 48 insertions(+), 109 deletions(-)

diff --git a/apps/common/utils/connection.py b/apps/common/utils/connection.py
index 242b0cb21..381f29443 100644
--- a/apps/common/utils/connection.py
+++ b/apps/common/utils/connection.py
@@ -1,11 +1,9 @@
 import json
 import threading
+import redis
 
-from redis import Redis
-from django.conf import settings
+from django.core.cache import cache
 
-from jumpserver.const import CONFIG
-from common.http import is_true
 from common.db.utils import safe_db_connection
 from common.utils import get_logger
 
@@ -13,18 +11,9 @@ logger = get_logger(__name__)
 
 
 def get_redis_client(db=0):
-    params = {
-        'host': CONFIG.REDIS_HOST,
-        'port': CONFIG.REDIS_PORT,
-        'password': CONFIG.REDIS_PASSWORD,
-        'db': db,
-        "ssl": is_true(CONFIG.REDIS_USE_SSL),
-        'ssl_cert_reqs': getattr(settings, 'REDIS_SSL_REQUIRED'),
-        'ssl_keyfile': getattr(settings, 'REDIS_SSL_KEYFILE'),
-        'ssl_certfile': getattr(settings, 'REDIS_SSL_CERTFILE'),
-        'ssl_ca_certs': getattr(settings, 'REDIS_SSL_CA_CERTS'),
-    }
-    return Redis(**params)
+    client = cache.client.get_client()
+    assert isinstance(client, redis.Redis)
+    return client
 
 
 class Subscription:
diff --git a/apps/jumpserver/conf.py b/apps/jumpserver/conf.py
index b88bd45fe..8b589ded7 100644
--- a/apps/jumpserver/conf.py
+++ b/apps/jumpserver/conf.py
@@ -139,6 +139,7 @@ class Config(dict):
         'REDIS_HOST': '127.0.0.1',
         'REDIS_PORT': 6379,
         'REDIS_PASSWORD': '',
+        'REDIS_USE_SSL': False,
         # Default value
         'REDIS_DB_CELERY': 3,
         'REDIS_DB_CACHE': 4,
diff --git a/apps/jumpserver/rewriting/session.py b/apps/jumpserver/rewriting/session.py
index f3b432657..e69de29bb 100644
--- a/apps/jumpserver/rewriting/session.py
+++ b/apps/jumpserver/rewriting/session.py
@@ -1,50 +0,0 @@
-from redis_sessions.session import (
-    force_unicode, SessionStore as RedisSessionStore,
-    RedisServer as _RedisServer, settings as redis_setting
-)
-from redis import exceptions, Redis
-from django.conf import settings
-
-from jumpserver.const import CONFIG
-
-
-class RedisServer(_RedisServer):
-    __redis = {}
-
-    def get(self):
-        if self.connection_key in self.__redis:
-            return self.__redis[self.connection_key]
-
-        ssl_params = {}
-        if CONFIG.REDIS_USE_SSL:
-            ssl_params = {
-                'ssl_cert_reqs': getattr(settings, 'REDIS_SSL_REQUIRED'),
-                'ssl_keyfile': getattr(settings, 'REDIS_SSL_KEYFILE'),
-                'ssl_certfile': getattr(settings, 'REDIS_SSL_CERTFILE'),
-                'ssl_ca_certs': getattr(settings, 'REDIS_SSL_CA_CERTS'),
-            }
-        # 只根据 redis_url 方式连接
-        self.__redis[self.connection_key] = Redis.from_url(
-            redis_setting.SESSION_REDIS_URL, **ssl_params
-        )
-
-        return self.__redis[self.connection_key]
-
-
-class SessionStore(RedisSessionStore):
-    def __init__(self, session_key=None):
-        super(SessionStore, self).__init__(session_key)
-        self.server = RedisServer(session_key).get()
-
-    def load(self):
-        try:
-            session_data = self.server.get(
-                self.get_real_stored_key(self._get_or_create_session_key())
-            )
-            return self.decode(force_unicode(session_data))
-        except exceptions.ConnectionError as e:
-            # 解决redis服务异常(如: 主从切换时)，用户session立即过期的问题
-            raise
-        except:
-            self._session_key = None
-            return {}
diff --git a/apps/jumpserver/settings/base.py b/apps/jumpserver/settings/base.py
index 2b1bbdf13..ae3dea267 100644
--- a/apps/jumpserver/settings/base.py
+++ b/apps/jumpserver/settings/base.py
@@ -178,10 +178,12 @@ DATABASES = {
 }
 
 DB_CA_PATH = os.path.join(PROJECT_DIR, 'data', 'certs', 'db_ca.pem')
+DB_USE_SSL = False
 if CONFIG.DB_ENGINE.lower() == 'mysql':
     DB_OPTIONS['init_command'] = "SET sql_mode='STRICT_TRANS_TABLES'"
     if os.path.isfile(DB_CA_PATH):
         DB_OPTIONS['ssl'] = {'ca': DB_CA_PATH}
+        DB_USE_SSL = True
 
 # Password validation
 # https://docs.djangoproject.com/en/1.10/ref/settings/#auth-password-validators
@@ -264,9 +266,11 @@ REDIS_SSL_KEYFILE = exist_or_default(os.path.join(CERTS_DIR, 'redis_client.key')
 REDIS_SSL_CERTFILE = exist_or_default(os.path.join(CERTS_DIR, 'redis_client.crt'), None)
 REDIS_SSL_CA_CERTS = exist_or_default(os.path.join(CERTS_DIR, 'redis_ca.pem'), None)
 REDIS_SSL_CA_CERTS = exist_or_default(os.path.join(CERTS_DIR, 'redis_ca.crt'), REDIS_SSL_CA_CERTS)
-REDIS_SSL_REQUIRED = CONFIG.REDIS_SSL_REQUIRED or 'none'
+REDIS_SSL_REQUIRED = 'none'
+REDIS_USE_SSL = CONFIG.REDIS_USE_SSL
+
 REDIS_LOCATION_NO_DB = '%(protocol)s://:%(password)s@%(host)s:%(port)s/{}' % {
-    'protocol': 'rediss' if CONFIG.REDIS_USE_SSL else 'redis',
+    'protocol': 'rediss' if REDIS_USE_SSL else 'redis',
     'password': CONFIG.REDIS_PASSWORD,
     'host': CONFIG.REDIS_HOST,
     'port': CONFIG.REDIS_PORT,
@@ -282,7 +286,7 @@ REDIS_CACHE_DEFAULT = {
             "ssl_keyfile": REDIS_SSL_KEYFILE,
             "ssl_certfile": REDIS_SSL_CERTFILE,
             "ssl_ca_certs": REDIS_SSL_CA_CERTS
-        } if CONFIG.REDIS_USE_SSL else {}
+        } if REDIS_USE_SSL else {}
     }
 }
 REDIS_CACHE_SESSION = dict(REDIS_CACHE_DEFAULT)
@@ -292,7 +296,6 @@ CACHES = {
     'default': REDIS_CACHE_DEFAULT,
     'session': REDIS_CACHE_SESSION
 }
-
 SESSION_CACHE_ALIAS = "session"
 
 FORCE_SCRIPT_NAME = CONFIG.FORCE_SCRIPT_NAME
diff --git a/apps/jumpserver/settings/libs.py b/apps/jumpserver/settings/libs.py
index 52c0d93b6..8cfc0abb5 100644
--- a/apps/jumpserver/settings/libs.py
+++ b/apps/jumpserver/settings/libs.py
@@ -3,7 +3,10 @@
 import os
 import ssl
 
-from .base import REDIS_SSL_CA_CERTS, REDIS_SSL_CERTFILE, REDIS_SSL_KEYFILE, REDIS_SSL_REQUIRED
+from .base import (
+    REDIS_SSL_CA_CERTS, REDIS_SSL_CERTFILE, REDIS_SSL_KEYFILE,
+    REDIS_SSL_REQUIRED, REDIS_USE_SSL
+)
 from ..const import CONFIG, PROJECT_DIR
 
 
@@ -72,7 +75,6 @@ CAPTCHA_CHALLENGE_FUNCT = 'captcha.helpers.math_challenge'
 # Django bootstrap3 setting, more see http://django-bootstrap3.readthedocs.io/en/latest/settings.html
 BOOTSTRAP3 = {
     'horizontal_label_class': 'col-md-2',
-    # Field class to use in horizontal forms
     'horizontal_field_class': 'col-md-9',
     # Set placeholder attributes to label if no placeholder is provided
     'set_placeholder': False,
@@ -82,15 +84,15 @@ BOOTSTRAP3 = {
 
 
 # Django channels support websocket
-if not CONFIG.REDIS_USE_SSL:
-    context = None
+if not REDIS_USE_SSL:
+    redis_ssl = None
 else:
-    context = ssl.SSLContext()
-    context.check_hostname = bool(CONFIG.REDIS_SSL_REQUIRED)
+    redis_ssl = ssl.SSLContext()
+    redis_ssl.check_hostname = bool(CONFIG.REDIS_SSL_REQUIRED)
     if REDIS_SSL_CA_CERTS:
-        context.load_verify_locations(REDIS_SSL_CA_CERTS)
+        redis_ssl.load_verify_locations(REDIS_SSL_CA_CERTS)
     if REDIS_SSL_CERTFILE and REDIS_SSL_KEYFILE:
-        context.load_cert_chain(REDIS_SSL_CERTFILE, REDIS_SSL_KEYFILE)
+        redis_ssl.load_cert_chain(REDIS_SSL_CERTFILE, REDIS_SSL_KEYFILE)
 
 CHANNEL_LAYERS = {
     'default': {
@@ -100,7 +102,7 @@ CHANNEL_LAYERS = {
                 'address': (CONFIG.REDIS_HOST, CONFIG.REDIS_PORT),
                 'db': CONFIG.REDIS_DB_WS,
                 'password': CONFIG.REDIS_PASSWORD or None,
-                'ssl':  context
+                'ssl':  redis_ssl
             }],
         },
     },
@@ -113,7 +115,7 @@ CELERY_LOG_DIR = os.path.join(PROJECT_DIR, 'data', 'celery')
 
 # Celery using redis as broker
 CELERY_BROKER_URL = '%(protocol)s://:%(password)s@%(host)s:%(port)s/%(db)s' % {
-    'protocol': 'rediss' if CONFIG.REDIS_USE_SSL else 'redis',
+    'protocol': 'rediss' if REDIS_USE_SSL else 'redis',
     'password': CONFIG.REDIS_PASSWORD,
     'host': CONFIG.REDIS_HOST,
     'port': CONFIG.REDIS_PORT,
@@ -131,7 +133,7 @@ CELERY_WORKER_REDIRECT_STDOUTS = True
 CELERY_WORKER_REDIRECT_STDOUTS_LEVEL = "INFO"
 CELERY_TASK_SOFT_TIME_LIMIT = 3600
 
-if CONFIG.REDIS_USE_SSL:
+if REDIS_USE_SSL:
     CELERY_BROKER_USE_SSL = CELERY_REDIS_BACKEND_USE_SSL = {
         'ssl_cert_reqs': REDIS_SSL_REQUIRED,
         'ssl_ca_certs': REDIS_SSL_CA_CERTS,
diff --git a/apps/users/models/user.py b/apps/users/models/user.py
index 13c5edb0f..2fd33aa08 100644
--- a/apps/users/models/user.py
+++ b/apps/users/models/user.py
@@ -721,6 +721,8 @@ class User(AuthMixin, TokenMixin, RoleMixin, MFAMixin, AbstractUser):
     dingtalk_id = models.CharField(null=True, default=None, unique=True, max_length=128, verbose_name=_('DingTalk'))
     feishu_id = models.CharField(null=True, default=None, unique=True, max_length=128, verbose_name=_('FeiShu'))
 
+    DATE_EXPIRED_WARNING_DAYS = 5
+
     def __str__(self):
         return '{0.name}({0.username})'.format(self)
 
@@ -776,7 +778,7 @@ class User(AuthMixin, TokenMixin, RoleMixin, MFAMixin, AbstractUser):
 
     @property
     def will_expired(self):
-        if 0 <= self.expired_remain_days < 5:
+        if 0 <= self.expired_remain_days <= self.DATE_EXPIRED_WARNING_DAYS:
             return True
         else:
             return False
diff --git a/apps/users/tasks.py b/apps/users/tasks.py
index 6d9bac660..ea6426aa4 100644
--- a/apps/users/tasks.py
+++ b/apps/users/tasks.py
@@ -3,6 +3,7 @@
 
 from celery import shared_task
 from django.conf import settings
+from django.utils import timezone
 
 from users.notifications import PasswordExpirationReminderMsg
 from ops.celery.utils import (
@@ -49,7 +50,11 @@ def check_password_expired_periodic():
 
 @shared_task
 def check_user_expired():
-    users = User.get_nature_users().filter(source=User.Source.local)
+    date_expired_lt = timezone.now() + timezone.timedelta(days=User.DATE_EXPIRED_WARNING_DAYS)
+    users = User.get_nature_users()\
+        .filter(source=User.Source.local)\
+        .filter(date_expired__lt=date_expired_lt)
+
     for user in users:
         if not user.is_valid:
             continue
@@ -57,7 +62,6 @@ def check_user_expired():
             continue
         msg = "The user {} will expires in {} days"
         logger.info(msg.format(user, user.expired_remain_days))
-
         UserExpirationReminderMsg(user).publish_async()
 
 
diff --git a/utils/start_celery_beat.py b/utils/start_celery_beat.py
index 946fe9172..f56760cfe 100644
--- a/utils/start_celery_beat.py
+++ b/utils/start_celery_beat.py
@@ -10,39 +10,29 @@ from redis import Redis
 
 BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
 APPS_DIR = os.path.join(BASE_DIR, 'apps')
+CERTS_DIR = os.path.join(BASE_DIR, 'data', 'certs')
 
-sys.path.insert(0, BASE_DIR)
-from apps.jumpserver.const import CONFIG
+sys.path.insert(0, APPS_DIR)
+from jumpserver import settings
 
 os.environ.setdefault('PYTHONOPTIMIZE', '1')
 if os.getuid() == 0:
     os.environ.setdefault('C_FORCE_ROOT', '1')
 
-REDIS_SSL_KEYFILE = os.path.join(BASE_DIR, 'data', 'certs', 'redis_client.key')
-if not os.path.exists(REDIS_SSL_KEYFILE):
-    REDIS_SSL_KEYFILE = None
-
-REDIS_SSL_CERTFILE = os.path.join(BASE_DIR, 'data', 'certs', 'redis_client.crt')
-if not os.path.exists(REDIS_SSL_CERTFILE):
-    REDIS_SSL_CERTFILE = None
-
-REDIS_SSL_CA_CERTS = os.path.join(BASE_DIR, 'data', 'certs', 'redis_ca.crt')
-if not os.path.exists(REDIS_SSL_CA_CERTS):
-    REDIS_SSL_CA_CERTS = os.path.join(BASE_DIR, 'data', 'certs', 'redis_ca.pem')
-
 params = {
-    'host': CONFIG.REDIS_HOST,
-    'port': CONFIG.REDIS_PORT,
-    'password': CONFIG.REDIS_PASSWORD,
-    "ssl": CONFIG.REDIS_USE_SSL,
-    'ssl_cert_reqs': CONFIG.REDIS_SSL_REQUIRED,
-    "ssl_keyfile": REDIS_SSL_KEYFILE,
-    "ssl_certfile": REDIS_SSL_CERTFILE,
-    "ssl_ca_certs": REDIS_SSL_CA_CERTS
+    'host': settings.REDIS_HOST,
+    'port': settings.REDIS_PORT,
+    'password': settings.REDIS_PASSWORD,
+    'ssl': settings.REDIS_USE_SSL,
+    'ssl_cert_reqs': settings.REDIS_SSL_REQUIRED,
+    'ssl_keyfile': settings.REDIS_SSL_KEYFILE,
+    'ssl_certfile': settings.REDIS_SSL_CERTFILE,
+    'ssl_ca_certs': settings.REDIS_SSL_CA_CERTS
 }
+print("Pamras: ", params)
 redis = Redis(**params)
 scheduler = "django_celery_beat.schedulers:DatabaseScheduler"
-
+processes = []
 cmd = [
     'celery',
     '-A', 'ops',
@@ -52,8 +42,6 @@ cmd = [
     '--max-interval', '60'
 ]
 
-processes = []
-
 
 def stop_beat_process(sig, frame):
     for p in processes:

From 3cbce63c5445a8d50397b63c6771b17b8fbbb9d5 Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Tue, 28 Jun 2022 17:39:13 +0800
Subject: [PATCH 205/258] =?UTF-8?q?perf:=20=E6=8B=86=E5=88=86=E7=99=BB?=
 =?UTF-8?q?=E5=BD=95=20View=20(#8502)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* perf: 拆分登录 View

* perf: 修改 code

Co-authored-by: ibuler <ibuler@qq.com>
---
 .gitignore                             |   1 +
 apps/authentication/errors.py          | 367 -------------------------
 apps/authentication/errors/__init__.py |   4 +
 apps/authentication/errors/const.py    |  67 +++++
 apps/authentication/errors/failed.py   | 167 +++++++++++
 apps/authentication/errors/mfa.py      |  38 +++
 apps/authentication/errors/redirect.py | 109 ++++++++
 apps/authentication/mixins.py          |   4 +-
 apps/authentication/views/login.py     | 203 +++++++-------
 9 files changed, 490 insertions(+), 470 deletions(-)
 delete mode 100644 apps/authentication/errors.py
 create mode 100644 apps/authentication/errors/__init__.py
 create mode 100644 apps/authentication/errors/const.py
 create mode 100644 apps/authentication/errors/failed.py
 create mode 100644 apps/authentication/errors/mfa.py
 create mode 100644 apps/authentication/errors/redirect.py

diff --git a/.gitignore b/.gitignore
index 491009b9d..d4f2e57bf 100644
--- a/.gitignore
+++ b/.gitignore
@@ -34,6 +34,7 @@ celerybeat-schedule.db
 data/static
 docs/_build/
 xpack
+xpack.bak
 logs/*
 ### Vagrant ###
 .vagrant/
diff --git a/apps/authentication/errors.py b/apps/authentication/errors.py
deleted file mode 100644
index 9a75b4691..000000000
--- a/apps/authentication/errors.py
+++ /dev/null
@@ -1,367 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-from django.utils.translation import ugettext_lazy as _
-from django.urls import reverse
-from django.conf import settings
-from rest_framework import status
-
-from common.exceptions import JMSException
-from .signals import post_auth_failed
-from users.utils import LoginBlockUtil, MFABlockUtils, LoginIpBlockUtil
-
-reason_password_failed = 'password_failed'
-reason_password_decrypt_failed = 'password_decrypt_failed'
-reason_mfa_failed = 'mfa_failed'
-reason_mfa_unset = 'mfa_unset'
-reason_user_not_exist = 'user_not_exist'
-reason_password_expired = 'password_expired'
-reason_user_invalid = 'user_invalid'
-reason_user_inactive = 'user_inactive'
-reason_user_expired = 'user_expired'
-reason_backend_not_match = 'backend_not_match'
-reason_acl_not_allow = 'acl_not_allow'
-only_local_users_are_allowed = 'only_local_users_are_allowed'
-
-reason_choices = {
-    reason_password_failed: _('Username/password check failed'),
-    reason_password_decrypt_failed: _('Password decrypt failed'),
-    reason_mfa_failed: _('MFA failed'),
-    reason_mfa_unset: _('MFA unset'),
-    reason_user_not_exist: _("Username does not exist"),
-    reason_password_expired: _("Password expired"),
-    reason_user_invalid: _('Disabled or expired'),
-    reason_user_inactive: _("This account is inactive."),
-    reason_user_expired: _("This account is expired"),
-    reason_backend_not_match: _("Auth backend not match"),
-    reason_acl_not_allow: _("ACL is not allowed"),
-    only_local_users_are_allowed: _("Only local users are allowed")
-}
-old_reason_choices = {
-    '0': '-',
-    '1': reason_choices[reason_password_failed],
-    '2': reason_choices[reason_mfa_failed],
-    '3': reason_choices[reason_user_not_exist],
-    '4': reason_choices[reason_password_expired],
-}
-
-session_empty_msg = _("No session found, check your cookie")
-invalid_login_msg = _(
-    "The username or password you entered is incorrect, "
-    "please enter it again. "
-    "You can also try {times_try} times "
-    "(The account will be temporarily locked for {block_time} minutes)"
-)
-block_user_login_msg = _(
-    "The account has been locked "
-    "(please contact admin to unlock it or try again after {} minutes)"
-)
-block_ip_login_msg = _(
-    "The ip has been locked "
-    "(please contact admin to unlock it or try again after {} minutes)"
-)
-block_mfa_msg = _(
-    "The account has been locked "
-    "(please contact admin to unlock it or try again after {} minutes)"
-)
-mfa_error_msg = _(
-    "{error}, "
-    "You can also try {times_try} times "
-    "(The account will be temporarily locked for {block_time} minutes)"
-)
-mfa_required_msg = _("MFA required")
-mfa_unset_msg = _("MFA not set, please set it first")
-login_confirm_required_msg = _("Login confirm required")
-login_confirm_wait_msg = _("Wait login confirm ticket for accept")
-login_confirm_error_msg = _("Login confirm ticket was {}")
-
-
-class AuthFailedNeedLogMixin:
-    username = ''
-    request = None
-    error = ''
-
-    def __init__(self, *args, **kwargs):
-        super().__init__(*args, **kwargs)
-        post_auth_failed.send(
-            sender=self.__class__, username=self.username,
-            request=self.request, reason=self.error
-        )
-
-
-class AuthFailedNeedBlockMixin:
-    username = ''
-    ip = ''
-
-    def __init__(self, *args, **kwargs):
-        super().__init__(*args, **kwargs)
-        LoginBlockUtil(self.username, self.ip).incr_failed_count()
-
-
-class AuthFailedError(Exception):
-    username = ''
-    msg = ''
-    error = ''
-    request = None
-    ip = ''
-
-    def __init__(self, **kwargs):
-        for k, v in kwargs.items():
-            setattr(self, k, v)
-
-    def as_data(self):
-        return {
-            'error': self.error,
-            'msg': self.msg,
-        }
-
-    def __str__(self):
-        return str(self.msg)
-
-
-class BlockGlobalIpLoginError(AuthFailedError):
-    error = 'block_global_ip_login'
-
-    def __init__(self, username, ip, **kwargs):
-        self.msg = block_ip_login_msg.format(settings.SECURITY_LOGIN_IP_LIMIT_TIME)
-        LoginIpBlockUtil(ip).set_block_if_need()
-        super().__init__(username=username, ip=ip, **kwargs)
-
-
-class CredentialError(
-    AuthFailedNeedLogMixin, AuthFailedNeedBlockMixin, BlockGlobalIpLoginError, AuthFailedError
-):
-    def __init__(self, error, username, ip, request):
-        super().__init__(error=error, username=username, ip=ip, request=request)
-        util = LoginBlockUtil(username, ip)
-        times_remainder = util.get_remainder_times()
-        block_time = settings.SECURITY_LOGIN_LIMIT_TIME
-
-        if times_remainder < 1:
-            self.msg = block_user_login_msg.format(settings.SECURITY_LOGIN_LIMIT_TIME)
-            return
-
-        default_msg = invalid_login_msg.format(
-            times_try=times_remainder, block_time=block_time
-        )
-        if error == reason_password_failed:
-            self.msg = default_msg
-        else:
-            self.msg = reason_choices.get(error, default_msg)
-
-
-class MFAFailedError(AuthFailedNeedLogMixin, AuthFailedError):
-    error = reason_mfa_failed
-    msg: str
-
-    def __init__(self, username, request, ip, mfa_type, error):
-        super().__init__(username=username, request=request)
-
-        util = MFABlockUtils(username, ip)
-        times_remainder = util.incr_failed_count()
-        block_time = settings.SECURITY_LOGIN_LIMIT_TIME
-
-        if times_remainder:
-            self.msg = mfa_error_msg.format(
-                error=error, times_try=times_remainder, block_time=block_time
-            )
-        else:
-            self.msg = block_mfa_msg.format(settings.SECURITY_LOGIN_LIMIT_TIME)
-
-
-class BlockMFAError(AuthFailedNeedLogMixin, AuthFailedError):
-    error = 'block_mfa'
-
-    def __init__(self, username, request, ip):
-        self.msg = block_mfa_msg.format(settings.SECURITY_LOGIN_LIMIT_TIME)
-        super().__init__(username=username, request=request, ip=ip)
-
-
-class MFAUnsetError(Exception):
-    error = reason_mfa_unset
-    msg = mfa_unset_msg
-
-    def __init__(self, user, request, url):
-        self.url = url
-
-
-class BlockLoginError(AuthFailedNeedBlockMixin, AuthFailedError):
-    error = 'block_login'
-
-    def __init__(self, username, ip):
-        self.msg = block_user_login_msg.format(settings.SECURITY_LOGIN_LIMIT_TIME)
-        super().__init__(username=username, ip=ip)
-
-
-class SessionEmptyError(AuthFailedError):
-    msg = session_empty_msg
-    error = 'session_empty'
-
-
-class NeedMoreInfoError(Exception):
-    error = ''
-    msg = ''
-
-    def __init__(self, error='', msg=''):
-        if error:
-            self.error = error
-        if msg:
-            self.msg = msg
-
-    def as_data(self):
-        return {
-            'error': self.error,
-            'msg': self.msg,
-        }
-
-
-class MFARequiredError(NeedMoreInfoError):
-    msg = mfa_required_msg
-    error = 'mfa_required'
-
-    def __init__(self, error='', msg='', mfa_types=()):
-        super().__init__(error=error, msg=msg)
-        self.choices = mfa_types
-
-    def as_data(self):
-        return {
-            'error': self.error,
-            'msg': self.msg,
-            'data': {
-                'choices': self.choices,
-                'url': reverse('api-auth:mfa-challenge')
-            }
-        }
-
-
-class ACLError(AuthFailedNeedLogMixin, AuthFailedError):
-    msg = reason_acl_not_allow
-    error = 'acl_error'
-
-    def __init__(self, msg, **kwargs):
-        self.msg = msg
-        super().__init__(**kwargs)
-
-    def as_data(self):
-        return {
-            "error": reason_acl_not_allow,
-            "msg": self.msg
-        }
-
-
-class LoginIPNotAllowed(ACLError):
-    def __init__(self, username, request, **kwargs):
-        self.username = username
-        self.request = request
-        super().__init__(_("IP is not allowed"), **kwargs)
-
-
-class TimePeriodNotAllowed(ACLError):
-    def __init__(self, username, request, **kwargs):
-        self.username = username
-        self.request = request
-        super().__init__(_("Time Period is not allowed"), **kwargs)
-
-
-class LoginConfirmBaseError(NeedMoreInfoError):
-    def __init__(self, ticket_id, **kwargs):
-        self.ticket_id = ticket_id
-        super().__init__(**kwargs)
-
-    def as_data(self):
-        return {
-            "error": self.error,
-            "msg": self.msg,
-            "data": {
-                "ticket_id": self.ticket_id
-            }
-        }
-
-
-class LoginConfirmWaitError(LoginConfirmBaseError):
-    msg = login_confirm_wait_msg
-    error = 'login_confirm_wait'
-
-
-class LoginConfirmOtherError(LoginConfirmBaseError):
-    error = 'login_confirm_error'
-
-    def __init__(self, ticket_id, status):
-        msg = login_confirm_error_msg.format(status)
-        super().__init__(ticket_id=ticket_id, msg=msg)
-
-
-class SSOAuthClosed(JMSException):
-    default_code = 'sso_auth_closed'
-    default_detail = _('SSO auth closed')
-
-
-class PasswordTooSimple(JMSException):
-    default_code = 'passwd_too_simple'
-    default_detail = _('Your password is too simple, please change it for security')
-
-    def __init__(self, url, *args, **kwargs):
-        super().__init__(*args, **kwargs)
-        self.url = url
-
-
-class PasswordNeedUpdate(JMSException):
-    default_code = 'passwd_need_update'
-    default_detail = _('You should to change your password before login')
-
-    def __init__(self, url, *args, **kwargs):
-        super().__init__(*args, **kwargs)
-        self.url = url
-
-
-class PasswordRequireResetError(JMSException):
-    default_code = 'passwd_has_expired'
-    default_detail = _('Your password has expired, please reset before logging in')
-
-    def __init__(self, url, *args, **kwargs):
-        super().__init__(*args, **kwargs)
-        self.url = url
-
-
-class WeComCodeInvalid(JMSException):
-    default_code = 'wecom_code_invalid'
-    default_detail = 'Code invalid, can not get user info'
-
-
-class WeComBindAlready(JMSException):
-    default_code = 'wecom_bind_already'
-    default_detail = 'WeCom already binded'
-
-
-class WeComNotBound(JMSException):
-    default_code = 'wecom_not_bound'
-    default_detail = 'WeCom is not bound'
-
-
-class DingTalkNotBound(JMSException):
-    default_code = 'dingtalk_not_bound'
-    default_detail = 'DingTalk is not bound'
-
-
-class FeiShuNotBound(JMSException):
-    default_code = 'feishu_not_bound'
-    default_detail = 'FeiShu is not bound'
-
-
-class PasswordInvalid(JMSException):
-    default_code = 'passwd_invalid'
-    default_detail = _('Your password is invalid')
-
-
-class MFACodeRequiredError(AuthFailedError):
-    error = 'mfa_code_required'
-    msg = _("Please enter MFA code")
-
-
-class SMSCodeRequiredError(AuthFailedError):
-    error = 'sms_code_required'
-    msg = _("Please enter SMS code")
-
-
-class UserPhoneNotSet(AuthFailedError):
-    error = 'phone_not_set'
-    msg = _('Phone not set')
diff --git a/apps/authentication/errors/__init__.py b/apps/authentication/errors/__init__.py
new file mode 100644
index 000000000..1ab7bc8ae
--- /dev/null
+++ b/apps/authentication/errors/__init__.py
@@ -0,0 +1,4 @@
+from .const import *
+from .mfa import *
+from .failed import *
+from .redirect import *
diff --git a/apps/authentication/errors/const.py b/apps/authentication/errors/const.py
new file mode 100644
index 000000000..530bcf150
--- /dev/null
+++ b/apps/authentication/errors/const.py
@@ -0,0 +1,67 @@
+from django.utils.translation import gettext_lazy as _
+
+
+reason_password_failed = 'password_failed'
+reason_password_decrypt_failed = 'password_decrypt_failed'
+reason_mfa_failed = 'mfa_failed'
+reason_mfa_unset = 'mfa_unset'
+reason_user_not_exist = 'user_not_exist'
+reason_password_expired = 'password_expired'
+reason_user_invalid = 'user_invalid'
+reason_user_inactive = 'user_inactive'
+reason_user_expired = 'user_expired'
+reason_backend_not_match = 'backend_not_match'
+reason_acl_not_allow = 'acl_not_allow'
+only_local_users_are_allowed = 'only_local_users_are_allowed'
+
+reason_choices = {
+    reason_password_failed: _('Username/password check failed'),
+    reason_password_decrypt_failed: _('Password decrypt failed'),
+    reason_mfa_failed: _('MFA failed'),
+    reason_mfa_unset: _('MFA unset'),
+    reason_user_not_exist: _("Username does not exist"),
+    reason_password_expired: _("Password expired"),
+    reason_user_invalid: _('Disabled or expired'),
+    reason_user_inactive: _("This account is inactive."),
+    reason_user_expired: _("This account is expired"),
+    reason_backend_not_match: _("Auth backend not match"),
+    reason_acl_not_allow: _("ACL is not allowed"),
+    only_local_users_are_allowed: _("Only local users are allowed")
+}
+old_reason_choices = {
+    '0': '-',
+    '1': reason_choices[reason_password_failed],
+    '2': reason_choices[reason_mfa_failed],
+    '3': reason_choices[reason_user_not_exist],
+    '4': reason_choices[reason_password_expired],
+}
+
+session_empty_msg = _("No session found, check your cookie")
+invalid_login_msg = _(
+    "The username or password you entered is incorrect, "
+    "please enter it again. "
+    "You can also try {times_try} times "
+    "(The account will be temporarily locked for {block_time} minutes)"
+)
+block_user_login_msg = _(
+    "The account has been locked "
+    "(please contact admin to unlock it or try again after {} minutes)"
+)
+block_ip_login_msg = _(
+    "The ip has been locked "
+    "(please contact admin to unlock it or try again after {} minutes)"
+)
+block_mfa_msg = _(
+    "The account has been locked "
+    "(please contact admin to unlock it or try again after {} minutes)"
+)
+mfa_error_msg = _(
+    "{error}, "
+    "You can also try {times_try} times "
+    "(The account will be temporarily locked for {block_time} minutes)"
+)
+mfa_required_msg = _("MFA required")
+mfa_unset_msg = _("MFA not set, please set it first")
+login_confirm_required_msg = _("Login confirm required")
+login_confirm_wait_msg = _("Wait login confirm ticket for accept")
+login_confirm_error_msg = _("Login confirm ticket was {}")
diff --git a/apps/authentication/errors/failed.py b/apps/authentication/errors/failed.py
new file mode 100644
index 000000000..118fd6d6e
--- /dev/null
+++ b/apps/authentication/errors/failed.py
@@ -0,0 +1,167 @@
+# -*- coding: utf-8 -*-
+#
+from django.utils.translation import ugettext_lazy as _
+from django.conf import settings
+
+from users.utils import LoginBlockUtil, MFABlockUtils, LoginIpBlockUtil
+from ..signals import post_auth_failed
+from . import const
+
+
+class AuthFailedNeedLogMixin:
+    username = ''
+    request = None
+    error = ''
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        post_auth_failed.send(
+            sender=self.__class__, username=self.username,
+            request=self.request, reason=self.error
+        )
+
+
+class AuthFailedNeedBlockMixin:
+    username = ''
+    ip = ''
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        LoginBlockUtil(self.username, self.ip).incr_failed_count()
+
+
+class AuthFailedError(Exception):
+    username = ''
+    msg = ''
+    error = ''
+    request = None
+    ip = ''
+
+    def __init__(self, **kwargs):
+        for k, v in kwargs.items():
+            setattr(self, k, v)
+
+    def as_data(self):
+        return {
+            'error': self.error,
+            'msg': self.msg,
+        }
+
+    def __str__(self):
+        return str(self.msg)
+
+
+class BlockGlobalIpLoginError(AuthFailedError):
+    error = 'block_global_ip_login'
+
+    def __init__(self, username, ip, **kwargs):
+        self.msg = const.block_ip_login_msg.format(settings.SECURITY_LOGIN_IP_LIMIT_TIME)
+        LoginIpBlockUtil(ip).set_block_if_need()
+        super().__init__(username=username, ip=ip, **kwargs)
+
+
+class CredentialError(
+    AuthFailedNeedLogMixin, AuthFailedNeedBlockMixin,
+    BlockGlobalIpLoginError, AuthFailedError
+):
+    def __init__(self, error, username, ip, request):
+        super().__init__(error=error, username=username, ip=ip, request=request)
+        util = LoginBlockUtil(username, ip)
+        times_remainder = util.get_remainder_times()
+        block_time = settings.SECURITY_LOGIN_LIMIT_TIME
+
+        if times_remainder < 1:
+            self.msg = const.block_user_login_msg.format(settings.SECURITY_LOGIN_LIMIT_TIME)
+            return
+
+        default_msg = const.invalid_login_msg.format(
+            times_try=times_remainder, block_time=block_time
+        )
+        if error == const.reason_password_failed:
+            self.msg = default_msg
+        else:
+            self.msg = const.reason_choices.get(error, default_msg)
+
+
+class MFAFailedError(AuthFailedNeedLogMixin, AuthFailedError):
+    error = const.reason_mfa_failed
+    msg: str
+
+    def __init__(self, username, request, ip, mfa_type, error):
+        super().__init__(username=username, request=request)
+
+        util = MFABlockUtils(username, ip)
+        times_remainder = util.incr_failed_count()
+        block_time = settings.SECURITY_LOGIN_LIMIT_TIME
+
+        if times_remainder:
+            self.msg = const.mfa_error_msg.format(
+                error=error, times_try=times_remainder, block_time=block_time
+            )
+        else:
+            self.msg = const.block_mfa_msg.format(settings.SECURITY_LOGIN_LIMIT_TIME)
+
+
+class BlockMFAError(AuthFailedNeedLogMixin, AuthFailedError):
+    error = 'block_mfa'
+
+    def __init__(self, username, request, ip):
+        self.msg = const.block_mfa_msg.format(settings.SECURITY_LOGIN_LIMIT_TIME)
+        super().__init__(username=username, request=request, ip=ip)
+
+
+class BlockLoginError(AuthFailedNeedBlockMixin, AuthFailedError):
+    error = 'block_login'
+
+    def __init__(self, username, ip):
+        self.msg = const.block_user_login_msg.format(settings.SECURITY_LOGIN_LIMIT_TIME)
+        super().__init__(username=username, ip=ip)
+
+
+class SessionEmptyError(AuthFailedError):
+    msg = const.session_empty_msg
+    error = 'session_empty'
+
+
+class ACLError(AuthFailedNeedLogMixin, AuthFailedError):
+    msg = const.reason_acl_not_allow
+    error = 'acl_error'
+
+    def __init__(self, msg, **kwargs):
+        self.msg = msg
+        super().__init__(**kwargs)
+
+    def as_data(self):
+        return {
+            "error": const.reason_acl_not_allow,
+            "msg": self.msg
+        }
+
+
+class LoginIPNotAllowed(ACLError):
+    def __init__(self, username, request, **kwargs):
+        self.username = username
+        self.request = request
+        super().__init__(_("IP is not allowed"), **kwargs)
+
+
+class TimePeriodNotAllowed(ACLError):
+    def __init__(self, username, request, **kwargs):
+        self.username = username
+        self.request = request
+        super().__init__(_("Time Period is not allowed"), **kwargs)
+
+
+class MFACodeRequiredError(AuthFailedError):
+    error = 'mfa_code_required'
+    msg = _("Please enter MFA code")
+
+
+class SMSCodeRequiredError(AuthFailedError):
+    error = 'sms_code_required'
+    msg = _("Please enter SMS code")
+
+
+class UserPhoneNotSet(AuthFailedError):
+    error = 'phone_not_set'
+    msg = _('Phone not set')
diff --git a/apps/authentication/errors/mfa.py b/apps/authentication/errors/mfa.py
new file mode 100644
index 000000000..4b7f5a57e
--- /dev/null
+++ b/apps/authentication/errors/mfa.py
@@ -0,0 +1,38 @@
+from django.utils.translation import ugettext_lazy as _
+
+from common.exceptions import JMSException
+
+
+class SSOAuthClosed(JMSException):
+    default_code = 'sso_auth_closed'
+    default_detail = _('SSO auth closed')
+
+
+class WeComCodeInvalid(JMSException):
+    default_code = 'wecom_code_invalid'
+    default_detail = 'Code invalid, can not get user info'
+
+
+class WeComBindAlready(JMSException):
+    default_code = 'wecom_bind_already'
+    default_detail = 'WeCom already binded'
+
+
+class WeComNotBound(JMSException):
+    default_code = 'wecom_not_bound'
+    default_detail = 'WeCom is not bound'
+
+
+class DingTalkNotBound(JMSException):
+    default_code = 'dingtalk_not_bound'
+    default_detail = 'DingTalk is not bound'
+
+
+class FeiShuNotBound(JMSException):
+    default_code = 'feishu_not_bound'
+    default_detail = 'FeiShu is not bound'
+
+
+class PasswordInvalid(JMSException):
+    default_code = 'passwd_invalid'
+    default_detail = _('Your password is invalid')
diff --git a/apps/authentication/errors/redirect.py b/apps/authentication/errors/redirect.py
new file mode 100644
index 000000000..f41bda818
--- /dev/null
+++ b/apps/authentication/errors/redirect.py
@@ -0,0 +1,109 @@
+from django.utils.translation import ugettext_lazy as _
+from django.urls import reverse
+
+from common.exceptions import JMSException
+from . import const
+
+
+class NeedMoreInfoError(Exception):
+    error = ''
+    msg = ''
+
+    def __init__(self, error='', msg=''):
+        if error:
+            self.error = error
+        if msg:
+            self.msg = msg
+
+    def as_data(self):
+        return {
+            'error': self.error,
+            'msg': self.msg,
+        }
+
+
+class NeedRedirectError(JMSException):
+    def __init__(self, url):
+        self.url = url
+
+
+class MFARequiredError(NeedMoreInfoError):
+    msg = const.mfa_required_msg
+    error = 'mfa_required'
+
+    def __init__(self, error='', msg='', mfa_types=()):
+        super().__init__(error=error, msg=msg)
+        self.choices = mfa_types
+
+    def as_data(self):
+        return {
+            'error': self.error,
+            'msg': self.msg,
+            'data': {
+                'choices': self.choices,
+                'url': reverse('api-auth:mfa-challenge')
+            }
+        }
+
+
+class LoginConfirmBaseError(NeedMoreInfoError):
+    def __init__(self, ticket_id, **kwargs):
+        self.ticket_id = ticket_id
+        super().__init__(**kwargs)
+
+    def as_data(self):
+        return {
+            "error": self.error,
+            "msg": self.msg,
+            "data": {
+                "ticket_id": self.ticket_id
+            }
+        }
+
+
+class LoginConfirmWaitError(LoginConfirmBaseError):
+    msg = const.login_confirm_wait_msg
+    error = 'login_confirm_wait'
+
+
+class LoginConfirmOtherError(LoginConfirmBaseError):
+    error = 'login_confirm_error'
+
+    def __init__(self, ticket_id, status):
+        msg = const.login_confirm_error_msg.format(status)
+        super().__init__(ticket_id=ticket_id, msg=msg)
+
+
+class PasswordTooSimple(NeedRedirectError):
+    default_code = 'passwd_too_simple'
+    default_detail = _('Your password is too simple, please change it for security')
+
+    def __init__(self, url, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.url = url
+
+
+class PasswordNeedUpdate(NeedRedirectError):
+    default_code = 'passwd_need_update'
+    default_detail = _('You should to change your password before login')
+
+    def __init__(self, url, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.url = url
+
+
+class PasswordRequireResetError(NeedRedirectError):
+    default_code = 'passwd_has_expired'
+    default_detail = _('Your password has expired, please reset before logging in')
+
+    def __init__(self, url, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.url = url
+
+
+class MFAUnsetError(NeedRedirectError):
+    error = const.reason_mfa_unset
+    msg = const.mfa_unset_msg
+
+    def __init__(self, url, user, request):
+        self.url = url
diff --git a/apps/authentication/mixins.py b/apps/authentication/mixins.py
index f1989b181..58e6ccd36 100644
--- a/apps/authentication/mixins.py
+++ b/apps/authentication/mixins.py
@@ -193,8 +193,8 @@ class MFAMixin:
     def _check_if_no_active_mfa(self, user):
         active_mfa_mapper = user.active_mfa_backends_mapper
         if not active_mfa_mapper:
-            url = reverse('authentication:user-otp-enable-start')
-            raise errors.MFAUnsetError(user, self.request, url)
+            set_url = reverse('authentication:user-otp-enable-start')
+            raise errors.MFAUnsetError(set_url, user, self.request)
 
     def _check_login_page_mfa_if_need(self, user):
         if not settings.SECURITY_MFA_IN_LOGIN_PAGE:
diff --git a/apps/authentication/views/login.py b/apps/authentication/views/login.py
index 0736a994d..09c842d88 100644
--- a/apps/authentication/views/login.py
+++ b/apps/authentication/views/login.py
@@ -4,10 +4,11 @@
 from __future__ import unicode_literals
 import os
 import datetime
+from typing import Callable
 
 from django.templatetags.static import static
 from django.contrib.auth import login as auth_login, logout as auth_logout
-from django.http import HttpResponse
+from django.http import HttpResponse, HttpRequest
 from django.shortcuts import reverse, redirect
 from django.utils.decorators import method_decorator
 from django.utils.translation import ugettext as _, get_language
@@ -34,106 +35,9 @@ __all__ = [
 ]
 
 
-@method_decorator(sensitive_post_parameters(), name='dispatch')
-@method_decorator(csrf_protect, name='dispatch')
-@method_decorator(never_cache, name='dispatch')
-class UserLoginView(mixins.AuthMixin, FormView):
-    redirect_field_name = 'next'
-    template_name = 'authentication/login.html'
-
-    def redirect_third_party_auth_if_need(self, request):
-        # show jumpserver login page if request http://{JUMP-SERVER}/?admin=1
-        if self.request.GET.get("admin", 0):
-            return None
-
-        auth_types = [m for m in self.get_support_auth_methods() if m.get('auto_redirect')]
-        if not auth_types:
-            return None
-
-        # 明确直接登录哪个
-        login_to = settings.LOGIN_REDIRECT_TO_BACKEND.upper()
-        if login_to == 'DIRECT':
-            return None
-
-        auth_method = next(filter(lambda x: x['name'] == login_to, auth_types), None)
-        if not auth_method:
-            auth_method = auth_types[0]
-
-        auth_name, redirect_url = auth_method['name'], auth_method['url']
-        next_url = request.GET.get('next') or '/'
-        query_string = request.GET.urlencode()
-        redirect_url = '{}?next={}&{}'.format(redirect_url, next_url, query_string)
-
-        if settings.LOGIN_REDIRECT_MSG_ENABLED:
-            message_data = {
-                'title': _('Redirecting'),
-                'message': _("Redirecting to {} authentication").format(auth_name),
-                'redirect_url': redirect_url,
-                'interval': 3,
-                'has_cancel': True,
-                'cancel_url': reverse('authentication:login') + '?admin=1'
-            }
-            redirect_url = FlashMessageUtil.gen_message_url(message_data)
-        return redirect_url
-
-    def get(self, request, *args, **kwargs):
-        if request.user.is_staff:
-            first_login_url = redirect_user_first_login_or_index(
-                request, self.redirect_field_name
-            )
-            return redirect(first_login_url)
-        redirect_url = self.redirect_third_party_auth_if_need(request)
-        if redirect_url:
-            return redirect(redirect_url)
-        request.session.set_test_cookie()
-        return super().get(request, *args, **kwargs)
-
-    def form_valid(self, form):
-        if not self.request.session.test_cookie_worked():
-            return HttpResponse(_("Please enable cookies and try again."))
-        # https://docs.djangoproject.com/en/3.1/topics/http/sessions/#setting-test-cookies
-        self.request.session.delete_test_cookie()
-
-        try:
-            self.check_user_auth(form.cleaned_data)
-        except errors.AuthFailedError as e:
-            form.add_error(None, e.msg)
-            self.set_login_failed_mark()
-            form_cls = get_user_login_form_cls(captcha=True)
-            new_form = form_cls(data=form.data)
-            new_form._errors = form.errors
-            context = self.get_context_data(form=new_form)
-            self.request.session.set_test_cookie()
-            return self.render_to_response(context)
-        except (
-                errors.MFAUnsetError,
-                errors.PasswordTooSimple,
-                errors.PasswordRequireResetError,
-                errors.PasswordNeedUpdate
-        ) as e:
-            return redirect(e.url)
-        except (
-                errors.MFAFailedError,
-                errors.BlockMFAError,
-                errors.MFACodeRequiredError,
-                errors.SMSCodeRequiredError,
-                errors.UserPhoneNotSet,
-                errors.BlockGlobalIpLoginError
-        ) as e:
-            form.add_error('code', e.msg)
-            return super().form_invalid(form)
-        self.clear_rsa_key()
-        return self.redirect_to_guard_view()
-
-    def get_form_class(self):
-        if self.check_is_need_captcha():
-            return get_user_login_form_cls(captcha=True)
-        else:
-            return get_user_login_form_cls()
-
-    def clear_rsa_key(self):
-        self.request.session[RSA_PRIVATE_KEY] = None
-        self.request.session[RSA_PUBLIC_KEY] = None
+class UserLoginContextMixin:
+    get_user_mfa_context: Callable
+    request: HttpRequest
 
     @staticmethod
     def get_support_auth_methods():
@@ -236,6 +140,103 @@ class UserLoginView(mixins.AuthMixin, FormView):
         return context
 
 
+@method_decorator(sensitive_post_parameters(), name='dispatch')
+@method_decorator(csrf_protect, name='dispatch')
+@method_decorator(never_cache, name='dispatch')
+class UserLoginView(mixins.AuthMixin, UserLoginContextMixin, FormView):
+    redirect_field_name = 'next'
+    template_name = 'authentication/login.html'
+
+    def redirect_third_party_auth_if_need(self, request):
+        # show jumpserver login page if request http://{JUMP-SERVER}/?admin=1
+        if self.request.GET.get("admin", 0):
+            return None
+
+        auth_types = [m for m in self.get_support_auth_methods() if m.get('auto_redirect')]
+        if not auth_types:
+            return None
+
+        # 明确直接登录哪个
+        login_to = settings.LOGIN_REDIRECT_TO_BACKEND.upper()
+        if login_to == 'DIRECT':
+            return None
+
+        auth_method = next(filter(lambda x: x['name'] == login_to, auth_types), None)
+        if not auth_method:
+            auth_method = auth_types[0]
+
+        auth_name, redirect_url = auth_method['name'], auth_method['url']
+        next_url = request.GET.get('next') or '/'
+        query_string = request.GET.urlencode()
+        redirect_url = '{}?next={}&{}'.format(redirect_url, next_url, query_string)
+
+        if settings.LOGIN_REDIRECT_MSG_ENABLED:
+            message_data = {
+                'title': _('Redirecting'),
+                'message': _("Redirecting to {} authentication").format(auth_name),
+                'redirect_url': redirect_url,
+                'interval': 3,
+                'has_cancel': True,
+                'cancel_url': reverse('authentication:login') + '?admin=1'
+            }
+            redirect_url = FlashMessageUtil.gen_message_url(message_data)
+        return redirect_url
+
+    def get(self, request, *args, **kwargs):
+        if request.user.is_staff:
+            first_login_url = redirect_user_first_login_or_index(
+                request, self.redirect_field_name
+            )
+            return redirect(first_login_url)
+        redirect_url = self.redirect_third_party_auth_if_need(request)
+        if redirect_url:
+            return redirect(redirect_url)
+        request.session.set_test_cookie()
+        return super().get(request, *args, **kwargs)
+
+    def form_valid(self, form):
+        if not self.request.session.test_cookie_worked():
+            return HttpResponse(_("Please enable cookies and try again."))
+        # https://docs.djangoproject.com/en/3.1/topics/http/sessions/#setting-test-cookies
+        self.request.session.delete_test_cookie()
+
+        try:
+            self.check_user_auth(form.cleaned_data)
+        except errors.AuthFailedError as e:
+            form.add_error(None, e.msg)
+            self.set_login_failed_mark()
+            form_cls = get_user_login_form_cls(captcha=True)
+            new_form = form_cls(data=form.data)
+            new_form._errors = form.errors
+            context = self.get_context_data(form=new_form)
+            self.request.session.set_test_cookie()
+            return self.render_to_response(context)
+        except errors.NeedRedirectError as e:
+            return redirect(e.url)
+        except (
+                errors.MFAFailedError,
+                errors.BlockMFAError,
+                errors.MFACodeRequiredError,
+                errors.SMSCodeRequiredError,
+                errors.UserPhoneNotSet,
+                errors.BlockGlobalIpLoginError
+        ) as e:
+            form.add_error('code', e.msg)
+            return super().form_invalid(form)
+        self.clear_rsa_key()
+        return self.redirect_to_guard_view()
+
+    def get_form_class(self):
+        if self.check_is_need_captcha():
+            return get_user_login_form_cls(captcha=True)
+        else:
+            return get_user_login_form_cls()
+
+    def clear_rsa_key(self):
+        self.request.session[RSA_PRIVATE_KEY] = None
+        self.request.session[RSA_PUBLIC_KEY] = None
+
+
 class UserLoginGuardView(mixins.AuthMixin, RedirectView):
     redirect_field_name = 'next'
     login_url = reverse_lazy('authentication:login')

From 77067f18d505652ec9609053fa9a01c17b792c56 Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Fri, 27 May 2022 15:08:28 +0800
Subject: [PATCH 206/258] stash tdsql
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

pref: 测试完成

perf: 修改支持 tdsql 5.7

revert: 欢迎之前的内容

revert: some

perf: 修改 tdsql

pref: 修改 。
---
 apps/jumpserver/rewriting/__init__.py         |  2 +
 apps/jumpserver/rewriting/db.py               | 35 ++++++++
 ...8_0025_squashed_0009_auto_20180903_1132.py | 35 --------
 .../migrations/0008_auto_20190911_1907.py     | 15 ----
 ...8_0025_squashed_0009_auto_20180326_0957.py | 84 -------------------
 5 files changed, 37 insertions(+), 134 deletions(-)
 create mode 100644 apps/jumpserver/rewriting/db.py
 delete mode 100644 apps/terminal/migrations/0002_auto_20171228_0025_squashed_0009_auto_20180326_0957.py

diff --git a/apps/jumpserver/rewriting/__init__.py b/apps/jumpserver/rewriting/__init__.py
index e69de29bb..72949abe2 100644
--- a/apps/jumpserver/rewriting/__init__.py
+++ b/apps/jumpserver/rewriting/__init__.py
@@ -0,0 +1,2 @@
+from . import db
+
diff --git a/apps/jumpserver/rewriting/db.py b/apps/jumpserver/rewriting/db.py
new file mode 100644
index 000000000..6bc1b157b
--- /dev/null
+++ b/apps/jumpserver/rewriting/db.py
@@ -0,0 +1,35 @@
+import os
+import sys
+
+from django.db import models, transaction
+from django.db.transaction import atomic as db_atomic
+
+
+class ForeignKey(models.ForeignKey):
+    def __init__(self, *args, **kwargs):
+        kwargs['db_constraint'] = False
+        super().__init__(*args, **kwargs)
+
+
+def atomic(using=None, savepoint=False):
+    return db_atomic(using=using, savepoint=savepoint)
+
+
+class OneToOneField(models.OneToOneField):
+    def __init__(self, *args, **kwargs):
+        kwargs['db_constraint'] = False
+        super().__init__(*args, **kwargs)
+
+
+def set_db_constraint():
+    if os.getenv('DB_CONSTRAINT', '1') != '0':
+        return
+    if sys.argv == 2 and sys.argv[1] == 'makemigrations':
+        return
+    print("Set foreignkey db constraint False")
+    transaction.atomic = atomic
+    models.ForeignKey = ForeignKey
+    models.OneToOneField = OneToOneField
+
+
+set_db_constraint()
diff --git a/apps/perms/migrations/0002_auto_20171228_0025_squashed_0009_auto_20180903_1132.py b/apps/perms/migrations/0002_auto_20171228_0025_squashed_0009_auto_20180903_1132.py
index cc0a646e5..f7f191f4a 100644
--- a/apps/perms/migrations/0002_auto_20171228_0025_squashed_0009_auto_20180903_1132.py
+++ b/apps/perms/migrations/0002_auto_20171228_0025_squashed_0009_auto_20180903_1132.py
@@ -68,27 +68,6 @@ class Migration(migrations.Migration):
             name='users',
             field=models.ManyToManyField(blank=True, related_name='asset_permissions', to=settings.AUTH_USER_MODEL, verbose_name='User'),
         ),
-        migrations.CreateModel(
-            name='NodePermission',
-            fields=[
-                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
-                ('is_active', models.BooleanField(default=True, verbose_name='Active')),
-                ('date_expired', models.DateTimeField(default=common.utils.django.date_expired_default, verbose_name='Date expired')),
-                ('created_by', models.CharField(blank=True, max_length=128, verbose_name='Created by')),
-                ('date_created', models.DateTimeField(auto_now_add=True, verbose_name='Date created')),
-                ('comment', models.TextField(blank=True, verbose_name='Comment')),
-                ('node', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='assets.Node', verbose_name='Node')),
-                ('system_user', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='assets.SystemUser', verbose_name='System user')),
-                ('user_group', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='users.UserGroup', verbose_name='User group')),
-            ],
-            options={
-                'verbose_name': 'Asset permission',
-            },
-        ),
-        migrations.AlterUniqueTogether(
-            name='nodepermission',
-            unique_together={('node', 'user_group', 'system_user')},
-        ),
         migrations.RemoveField(
             model_name='assetpermission',
             name='asset_groups',
@@ -124,11 +103,6 @@ class Migration(migrations.Migration):
             name='org_id',
             field=models.CharField(blank=True, default=None, max_length=36, null=True),
         ),
-        migrations.AddField(
-            model_name='nodepermission',
-            name='org_id',
-            field=models.CharField(blank=True, default=None, max_length=36, null=True),
-        ),
         migrations.AlterField(
             model_name='assetpermission',
             name='name',
@@ -138,20 +112,11 @@ class Migration(migrations.Migration):
             name='assetpermission',
             unique_together={('org_id', 'name')},
         ),
-        migrations.AlterUniqueTogether(
-            name='nodepermission',
-            unique_together=set(),
-        ),
         migrations.AlterField(
             model_name='assetpermission',
             name='org_id',
             field=models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization'),
         ),
-        migrations.AlterField(
-            model_name='nodepermission',
-            name='org_id',
-            field=models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization'),
-        ),
         migrations.AlterModelOptions(
             name='assetpermission',
             options={'verbose_name': 'Asset permission'},
diff --git a/apps/perms/migrations/0008_auto_20190911_1907.py b/apps/perms/migrations/0008_auto_20190911_1907.py
index b15a05c6c..b7b5b5776 100644
--- a/apps/perms/migrations/0008_auto_20190911_1907.py
+++ b/apps/perms/migrations/0008_auto_20190911_1907.py
@@ -10,23 +10,8 @@ class Migration(migrations.Migration):
     ]
 
     operations = [
-        migrations.RemoveField(
-            model_name='nodepermission',
-            name='node',
-        ),
-        migrations.RemoveField(
-            model_name='nodepermission',
-            name='system_user',
-        ),
-        migrations.RemoveField(
-            model_name='nodepermission',
-            name='user_group',
-        ),
         migrations.AlterModelOptions(
             name='assetpermission',
             options={'ordering': ('name',), 'verbose_name': 'Asset permission'},
         ),
-        migrations.DeleteModel(
-            name='NodePermission',
-        ),
     ]
diff --git a/apps/terminal/migrations/0002_auto_20171228_0025_squashed_0009_auto_20180326_0957.py b/apps/terminal/migrations/0002_auto_20171228_0025_squashed_0009_auto_20180326_0957.py
deleted file mode 100644
index e0e7cc8dc..000000000
--- a/apps/terminal/migrations/0002_auto_20171228_0025_squashed_0009_auto_20180326_0957.py
+++ /dev/null
@@ -1,84 +0,0 @@
-# Generated by Django 2.1.7 on 2019-02-28 10:23
-
-from django.conf import settings
-from django.db import migrations, models
-import django.db.models.deletion
-import django.utils.timezone
-
-
-class Migration(migrations.Migration):
-
-    replaces = [('terminal', '0002_auto_20171228_0025'), ('terminal', '0003_auto_20171230_0308'), ('terminal', '0004_session_remote_addr'), ('terminal', '0005_auto_20180122_1154'), ('terminal', '0006_auto_20180123_1037'), ('terminal', '0007_session_date_last_active'), ('terminal', '0008_auto_20180307_1603'), ('terminal', '0009_auto_20180326_0957')]
-
-    dependencies = [
-        ('terminal', '0001_initial'),
-        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name='session',
-            name='terminal',
-            field=models.ForeignKey(null=True, on_delete=django.db.models.deletion.SET_NULL, to='terminal.Terminal'),
-        ),
-        migrations.AddField(
-            model_name='status',
-            name='terminal',
-            field=models.ForeignKey(null=True, on_delete=django.db.models.deletion.CASCADE, to='terminal.Terminal'),
-        ),
-        migrations.AddField(
-            model_name='task',
-            name='terminal',
-            field=models.ForeignKey(null=True, on_delete=django.db.models.deletion.SET_NULL, to='terminal.Terminal'),
-        ),
-        migrations.AddField(
-            model_name='terminal',
-            name='user',
-            field=models.OneToOneField(null=True, on_delete=django.db.models.deletion.CASCADE, related_name='terminal', to=settings.AUTH_USER_MODEL, verbose_name='Application User'),
-        ),
-        migrations.AlterField(
-            model_name='terminal',
-            name='name',
-            field=models.CharField(max_length=32, verbose_name='Name'),
-        ),
-        migrations.AlterField(
-            model_name='command',
-            name='asset',
-            field=models.CharField(db_index=True, max_length=128, verbose_name='Asset'),
-        ),
-        migrations.AlterField(
-            model_name='command',
-            name='system_user',
-            field=models.CharField(db_index=True, max_length=64, verbose_name='System user'),
-        ),
-        migrations.AlterField(
-            model_name='command',
-            name='user',
-            field=models.CharField(db_index=True, max_length=64, verbose_name='User'),
-        ),
-        migrations.AddField(
-            model_name='session',
-            name='remote_addr',
-            field=models.CharField(blank=True, max_length=15, null=True, verbose_name='Remote addr'),
-        ),
-        migrations.AddField(
-            model_name='terminal',
-            name='command_storage',
-            field=models.CharField(default='default', max_length=128, verbose_name='Command storage'),
-        ),
-        migrations.AddField(
-            model_name='terminal',
-            name='replay_storage',
-            field=models.CharField(default='default', max_length=128, verbose_name='Replay storage'),
-        ),
-        migrations.AddField(
-            model_name='session',
-            name='date_last_active',
-            field=models.DateTimeField(default=django.utils.timezone.now, verbose_name='Date last active'),
-        ),
-        migrations.AlterField(
-            model_name='session',
-            name='date_start',
-            field=models.DateTimeField(db_index=True, verbose_name='Date start'),
-        ),
-    ]

From de41747bb29001f1ac2e3b2304096bc99d6ecc68 Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Wed, 29 Jun 2022 14:48:54 +0800
Subject: [PATCH 207/258] =?UTF-8?q?perf:=20=E6=B7=BB=E5=8A=A0=20debug=20to?=
 =?UTF-8?q?ol=20bar=20(#8504)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* perf: 添加 debug tool bar

* perf: 修改 config name

Co-authored-by: ibuler <ibuler@qq.com>
---
 apps/common/signal_handlers.py      |   3 +-
 apps/jumpserver/conf.py             |   1 +
 apps/jumpserver/settings/base.py    |  41 +++++++++--
 apps/jumpserver/settings/libs.py    |  16 ++--
 apps/jumpserver/settings/logging.py |   2 +-
 apps/jumpserver/urls.py             |   5 ++
 apps/rbac/tree.py                   |   8 +-
 requirements/requirements.txt       | 110 +++++++++++++++-------------
 utils/start_celery_beat.py          |   6 +-
 9 files changed, 114 insertions(+), 78 deletions(-)

diff --git a/apps/common/signal_handlers.py b/apps/common/signal_handlers.py
index 0cb3a04ad..e14a9fdf8 100644
--- a/apps/common/signal_handlers.py
+++ b/apps/common/signal_handlers.py
@@ -14,7 +14,6 @@ from .local import thread_local
 
 pattern = re.compile(r'FROM `(\w+)`')
 logger = logging.getLogger("jumpserver.common")
-DEBUG_DB = os.environ.get('DEBUG_DB', '0') == '1'
 
 
 class Counter:
@@ -66,7 +65,7 @@ def on_request_finished_release_local(sender, **kwargs):
     thread_local.__release_local__()
 
 
-if settings.DEBUG and DEBUG_DB:
+if settings.DEBUG_DEV:
     request_finished.connect(on_request_finished_logging_db_query)
 else:
     request_finished.connect(on_request_finished_release_local)
diff --git a/apps/jumpserver/conf.py b/apps/jumpserver/conf.py
index 8b589ded7..8afa16eb5 100644
--- a/apps/jumpserver/conf.py
+++ b/apps/jumpserver/conf.py
@@ -128,6 +128,7 @@ class Config(dict):
         'SECRET_KEY': '',
         'BOOTSTRAP_TOKEN': '',
         'DEBUG': False,
+        'DEBUG_DEV': False,
         'LOG_LEVEL': 'DEBUG',
         'LOG_DIR': os.path.join(PROJECT_DIR, 'logs'),
         'DB_ENGINE': 'mysql',
diff --git a/apps/jumpserver/settings/base.py b/apps/jumpserver/settings/base.py
index ae3dea267..c66a47d98 100644
--- a/apps/jumpserver/settings/base.py
+++ b/apps/jumpserver/settings/base.py
@@ -36,6 +36,8 @@ BOOTSTRAP_TOKEN = CONFIG.BOOTSTRAP_TOKEN
 
 # SECURITY WARNING: don't run with debug turned on in production!
 DEBUG = CONFIG.DEBUG
+# SECURITY WARNING: If you run with debug turned on, more debug msg with be log
+DEBUG_DEV = CONFIG.DEBUG_DEV
 
 # Absolute url for some case, for example email link
 SITE_URL = CONFIG.SITE_URL
@@ -107,6 +109,8 @@ MIDDLEWARE = [
     'simple_history.middleware.HistoryRequestMiddleware',
 ]
 
+
+
 ROOT_URLCONF = 'jumpserver.urls'
 
 TEMPLATES = [
@@ -262,10 +266,10 @@ FILE_UPLOAD_PERMISSIONS = 0o644
 FILE_UPLOAD_DIRECTORY_PERMISSIONS = 0o755
 
 # Cache use redis
-REDIS_SSL_KEYFILE = exist_or_default(os.path.join(CERTS_DIR, 'redis_client.key'), None)
-REDIS_SSL_CERTFILE = exist_or_default(os.path.join(CERTS_DIR, 'redis_client.crt'), None)
-REDIS_SSL_CA_CERTS = exist_or_default(os.path.join(CERTS_DIR, 'redis_ca.pem'), None)
-REDIS_SSL_CA_CERTS = exist_or_default(os.path.join(CERTS_DIR, 'redis_ca.crt'), REDIS_SSL_CA_CERTS)
+REDIS_SSL_KEY = exist_or_default(os.path.join(CERTS_DIR, 'redis_client.key'), None)
+REDIS_SSL_CERT = exist_or_default(os.path.join(CERTS_DIR, 'redis_client.crt'), None)
+REDIS_SSL_CA = exist_or_default(os.path.join(CERTS_DIR, 'redis_ca.pem'), None)
+REDIS_SSL_CA = exist_or_default(os.path.join(CERTS_DIR, 'redis_ca.crt'), REDIS_SSL_CA)
 REDIS_SSL_REQUIRED = 'none'
 REDIS_USE_SSL = CONFIG.REDIS_USE_SSL
 
@@ -283,9 +287,9 @@ REDIS_CACHE_DEFAULT = {
         "REDIS_CLIENT_KWARGS": {"health_check_interval": 30},
         "CONNECTION_POOL_KWARGS": {
             'ssl_cert_reqs': REDIS_SSL_REQUIRED,
-            "ssl_keyfile": REDIS_SSL_KEYFILE,
-            "ssl_certfile": REDIS_SSL_CERTFILE,
-            "ssl_ca_certs": REDIS_SSL_CA_CERTS
+            "ssl_keyfile": REDIS_SSL_KEY,
+            "ssl_certfile": REDIS_SSL_CERT,
+            "ssl_ca_certs": REDIS_SSL_CA
         } if REDIS_USE_SSL else {}
     }
 }
@@ -301,3 +305,26 @@ SESSION_CACHE_ALIAS = "session"
 FORCE_SCRIPT_NAME = CONFIG.FORCE_SCRIPT_NAME
 SESSION_COOKIE_SECURE = CONFIG.SESSION_COOKIE_SECURE
 CSRF_COOKIE_SECURE = CONFIG.CSRF_COOKIE_SECURE
+
+# For Debug toolbar
+INTERNAL_IPS = ["127.0.0.1"]
+if DEBUG_DEV:
+    INSTALLED_APPS = ['debug_toolbar', 'pympler'] + INSTALLED_APPS
+    MIDDLEWARE.insert(0, 'debug_toolbar.middleware.DebugToolbarMiddleware')
+    DEBUG_TOOLBAR_PANELS = [
+        'debug_toolbar.panels.history.HistoryPanel',
+        'debug_toolbar.panels.versions.VersionsPanel',
+        'debug_toolbar.panels.timer.TimerPanel',
+        'debug_toolbar.panels.settings.SettingsPanel',
+        'debug_toolbar.panels.headers.HeadersPanel',
+        'debug_toolbar.panels.request.RequestPanel',
+        'debug_toolbar.panels.sql.SQLPanel',
+        'debug_toolbar.panels.staticfiles.StaticFilesPanel',
+        'debug_toolbar.panels.templates.TemplatesPanel',
+        'debug_toolbar.panels.cache.CachePanel',
+        'debug_toolbar.panels.signals.SignalsPanel',
+        'debug_toolbar.panels.logging.LoggingPanel',
+        'debug_toolbar.panels.redirects.RedirectsPanel',
+        'debug_toolbar.panels.profiling.ProfilingPanel',
+        'pympler.panels.MemoryPanel',
+    ]
diff --git a/apps/jumpserver/settings/libs.py b/apps/jumpserver/settings/libs.py
index 8cfc0abb5..03fcadfce 100644
--- a/apps/jumpserver/settings/libs.py
+++ b/apps/jumpserver/settings/libs.py
@@ -4,7 +4,7 @@ import os
 import ssl
 
 from .base import (
-    REDIS_SSL_CA_CERTS, REDIS_SSL_CERTFILE, REDIS_SSL_KEYFILE,
+    REDIS_SSL_CA, REDIS_SSL_CERT, REDIS_SSL_KEY,
     REDIS_SSL_REQUIRED, REDIS_USE_SSL
 )
 from ..const import CONFIG, PROJECT_DIR
@@ -89,10 +89,10 @@ if not REDIS_USE_SSL:
 else:
     redis_ssl = ssl.SSLContext()
     redis_ssl.check_hostname = bool(CONFIG.REDIS_SSL_REQUIRED)
-    if REDIS_SSL_CA_CERTS:
-        redis_ssl.load_verify_locations(REDIS_SSL_CA_CERTS)
-    if REDIS_SSL_CERTFILE and REDIS_SSL_KEYFILE:
-        redis_ssl.load_cert_chain(REDIS_SSL_CERTFILE, REDIS_SSL_KEYFILE)
+    if REDIS_SSL_CA:
+        redis_ssl.load_verify_locations(REDIS_SSL_CA)
+    if REDIS_SSL_CERT and REDIS_SSL_KEY:
+        redis_ssl.load_cert_chain(REDIS_SSL_CERT, REDIS_SSL_KEY)
 
 CHANNEL_LAYERS = {
     'default': {
@@ -136,9 +136,9 @@ CELERY_TASK_SOFT_TIME_LIMIT = 3600
 if REDIS_USE_SSL:
     CELERY_BROKER_USE_SSL = CELERY_REDIS_BACKEND_USE_SSL = {
         'ssl_cert_reqs': REDIS_SSL_REQUIRED,
-        'ssl_ca_certs': REDIS_SSL_CA_CERTS,
-        'ssl_certfile': REDIS_SSL_CERTFILE,
-        'ssl_keyfile': REDIS_SSL_KEYFILE
+        'ssl_ca_certs': REDIS_SSL_CA,
+        'ssl_certfile': REDIS_SSL_CERT,
+        'ssl_keyfile': REDIS_SSL_KEY
     }
 
 ANSIBLE_LOG_DIR = os.path.join(PROJECT_DIR, 'data', 'ansible')
diff --git a/apps/jumpserver/settings/logging.py b/apps/jumpserver/settings/logging.py
index 961cc0c38..81b22b0fc 100644
--- a/apps/jumpserver/settings/logging.py
+++ b/apps/jumpserver/settings/logging.py
@@ -136,7 +136,7 @@ LOGGING = {
     }
 }
 
-if os.environ.get("DEBUG_DB"):
+if CONFIG.DEBUG_DEV:
     LOGGING['loggers']['django.db'] = {
        'handlers': ['console', 'file'],
        'level': 'DEBUG'
diff --git a/apps/jumpserver/urls.py b/apps/jumpserver/urls.py
index be8c059ce..6c4f55949 100644
--- a/apps/jumpserver/urls.py
+++ b/apps/jumpserver/urls.py
@@ -79,6 +79,11 @@ urlpatterns += [
     re_path('api/redoc/?', views.get_swagger_view().with_ui('redoc', cache_timeout=1), name='redoc'),
 ]
 
+if settings.DEBUG_DEV:
+    urlpatterns += [
+        path('__debug__/', include('debug_toolbar.urls')),
+    ]
+
 
 # 兼容之前的
 old_app_pattern = '|'.join(apps)
diff --git a/apps/rbac/tree.py b/apps/rbac/tree.py
index bae0b930e..0b08c565d 100644
--- a/apps/rbac/tree.py
+++ b/apps/rbac/tree.py
@@ -12,8 +12,6 @@ from django.db.models import F, Count
 from common.tree import TreeNode
 from .models import Permission, ContentType
 
-DEBUG_DB = os.environ.get('DEBUG_DB', '0') == '1'
-
 # 根节点
 root_node_data = {
     'id': '$ROOT$',
@@ -349,7 +347,7 @@ class PermissionTreeUtil:
 
             # name 要特殊处理，解决 i18n 问题
             name, icon = self._get_permission_name_icon(p, content_types_name_mapper)
-            if DEBUG_DB:
+            if settings.DEBUG_DEV:
                 name += '[{}]'.format(p.app_label_codename)
 
             pid = model_id
@@ -394,9 +392,9 @@ class PermissionTreeUtil:
         }
         node_data['title'] = node_data['id']
         node = TreeNode(**node_data)
-        if DEBUG_DB:
+        if settings.DEBUG_DEV:
             node.name += ('[' + node.id + ']')
-        if DEBUG_DB:
+        if settings.DEBUG_DEV:
             node.name += ('-' + node.id)
         return node
 
diff --git a/requirements/requirements.txt b/requirements/requirements.txt
index f60fbc2f2..7ecf78ef1 100644
--- a/requirements/requirements.txt
+++ b/requirements/requirements.txt
@@ -3,95 +3,48 @@ ansible==2.10.7
 asn1crypto==0.24.0
 bcrypt==3.1.4
 billiard==3.6.4.0
-boto3==1.24.12
-botocore==1.27.12
-celery==5.2.7
 certifi==2018.1.18
 cffi==1.13.2
 chardet==3.0.4
 configparser==3.5.0
-coreapi==2.3.3
-coreschema==0.0.4
 decorator==4.1.2
-Django==3.1.14
-django-auth-ldap==2.2.0
-django-bootstrap3==14.2.0
-django-celery-beat==2.3.0
-django-filter==2.4.0
-django-formtools==2.2
-django-ranged-response==0.2.0
-django-rest-swagger==2.2.0
-django-simple-captcha==0.5.17
-django-timezone-field==5.0
-djangorestframework==3.13.1
-djangorestframework-bulk==0.2.1
 docutils==0.14
 ecdsa==0.13.3
 enum-compat==0.0.2
 ephem==3.7.6.0
-eventlet==0.33.1
 future==0.16.0
-ForgeryPy3==0.3.1
-greenlet==1.1.2
-gunicorn==20.1.0
 idna==2.6
-itsdangerous==1.1.0
 itypes==1.2.0
 Jinja2==3.1.2
 jmespath==1.0.1
-kombu==5.2.4
-ldap3==2.9.1
 MarkupSafe==2.1.1
-mysqlclient==2.1.0
 olefile==0.46
-openapi-codec==1.3.2
 paramiko==2.11.0
 passlib==1.7.4
-Pillow==9.1.1
 pyasn1==0.4.8
 pycparser==2.21
 cryptography==36.0.1
 pycryptodome==3.15.0
 pycryptodomex==3.15.0
+gmssl==3.2.1
+itsdangerous==1.1.0
 pyotp==2.6.0
 PyNaCl==1.5.0
 python-dateutil==2.8.2
-pytz==2022.1
 PyYAML==6.0
-redis==4.3.3
 requests==2.28.0
 jms-storage==0.0.44
-s3transfer==0.6.0
 simplejson==3.17.6
 six==1.16.0
 sshpubkeys==3.3.1
 uritemplate==4.1.1
 urllib3==1.26.9
 vine==5.0.0
-drf-yasg==1.20.0
 Werkzeug==2.1.2
-drf-nested-routers==0.93.4
-rest_condition==1.0.3
-python-ldap==3.4.0
-django-radius==1.5.0
 unicodecsv==0.14.1
-python-daemon==2.3.0
 httpsig==1.3.0
 treelib==1.6.1
-django-proxy==1.2.1
-flower==1.0.0
-channels-redis==3.4.0
-channels==3.0.4
-daphne==3.0.2
 psutil==5.9.1
-django-cas-ng==4.0.1
-python-cas==1.5.0
-ipython
-django-redis==5.2.0
-python-redis-lock==3.7.0
-jumpserver-django-oidc-rp==0.3.7.8
-django-mysql==3.9.0
-gmssl==3.2.1
 msrestazure==0.6.4
 adal==1.2.5
 openpyxl==3.0.10
@@ -100,18 +53,57 @@ pyexcel-xlsx==0.6.0
 data-tree==0.0.1
 pyvmomi==7.0.1
 termcolor==1.1.0
-django-simple-history==3.1.1
-geoip2==4.5.0
 html2text==2020.1.16
 pyzipper==0.3.5
 python3-saml==1.12.0
-kubernetes==21.7.0
 websocket-client==1.2.3
 numpy==1.22.0
 pandas==1.3.5
 pyjwkest==1.4.2
 jsonfield2==4.0.0.post0
+geoip2==4.5.0
 ipip-ipdb==1.6.1
+# Django environment
+Django==3.2.12
+django-bootstrap3==14.2.0
+django-filter==2.4.0
+django-formtools==2.2
+django-ranged-response==0.2.0
+django-rest-swagger==2.2.0
+django-simple-captcha==0.5.17
+django-timezone-field==5.0
+djangorestframework==3.13.1
+djangorestframework-bulk==0.2.1
+django-simple-history==3.1.1
+drf-nested-routers==0.93.4
+rest_condition==1.0.3
+drf-yasg==1.20.0
+coreapi==2.3.3
+coreschema==0.0.4
+openapi-codec==1.3.2
+Pillow==9.1.1
+pytz==2022.1
+# Runtime
+django-proxy==1.2.1
+channels-redis==3.4.0
+channels==3.0.4
+daphne==3.0.2
+python-daemon==2.3.0
+eventlet==0.33.1
+greenlet==1.1.2
+gunicorn==20.1.0
+celery==5.2.7
+flower==1.0.0
+django-celery-beat==2.3.0
+kombu==5.2.4
+# Auth
+python-ldap==3.4.0
+ldap3==2.9.1
+django-radius==1.5.0
+jumpserver-django-oidc-rp==0.3.7.8
+django-cas-ng==4.0.1
+python-cas==1.5.0
+django-auth-ldap==2.2.0
 # Cloud req
 qingcloud-sdk==1.2.12
 azure-mgmt-subscription==1.0.0
@@ -127,8 +119,22 @@ tencentcloud-sdk-python==3.0.662
 aliyun-python-sdk-core-v3==2.9.1
 aliyun-python-sdk-ecs==4.10.1
 huaweicloud-sdk-python==1.0.21
+boto3==1.24.12
+botocore==1.27.12
+s3transfer==0.6.0
+kubernetes==21.7.0
 # DB requirements
+mysqlclient==2.1.0
 PyMySQL==1.0.2
 cx-Oracle==8.2.1
 psycopg2-binary==2.9.1
 pymssql==2.1.5
+django-mysql==3.9.0
+django-redis==5.2.0
+python-redis-lock==3.7.0
+redis==4.3.3
+# Debug
+ipython==8.4.0
+ForgeryPy3==0.3.1
+django-debug-toolbar==3.5
+Pympler==1.0.1
diff --git a/utils/start_celery_beat.py b/utils/start_celery_beat.py
index f56760cfe..f6259ddcc 100644
--- a/utils/start_celery_beat.py
+++ b/utils/start_celery_beat.py
@@ -25,9 +25,9 @@ params = {
     'password': settings.REDIS_PASSWORD,
     'ssl': settings.REDIS_USE_SSL,
     'ssl_cert_reqs': settings.REDIS_SSL_REQUIRED,
-    'ssl_keyfile': settings.REDIS_SSL_KEYFILE,
-    'ssl_certfile': settings.REDIS_SSL_CERTFILE,
-    'ssl_ca_certs': settings.REDIS_SSL_CA_CERTS
+    'ssl_keyfile': settings.REDIS_SSL_KEY,
+    'ssl_certfile': settings.REDIS_SSL_CERT,
+    'ssl_ca_certs': settings.REDIS_SSL_CA
 }
 print("Pamras: ", params)
 redis = Redis(**params)

From e8363ddff8759ebf8937253429968d2b0eef756a Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Wed, 29 Jun 2022 14:56:17 +0800
Subject: [PATCH 208/258] =?UTF-8?q?perf:=20=E4=BC=98=E5=8C=96=20BASE=5FSIT?=
 =?UTF-8?q?E=5FURL=20OIDC=20=E5=8F=AF=E4=BB=A5=E4=B8=BA=E7=A9=BA=EF=BC=8C?=
 =?UTF-8?q?=E5=AE=9E=E7=8E=B0=E5=A4=9A=E4=B8=AA=E4=B8=8D=E5=90=8C=E7=AB=AF?=
 =?UTF-8?q?=E7=82=B9=E8=AE=BF=E9=97=AE=E6=97=B6=E5=9B=9E=E8=B0=83=E4=B8=BA?=
 =?UTF-8?q?=E5=BD=93=E5=89=8D=E8=AE=BF=E9=97=AE=E7=9A=84=E5=9C=B0=E5=9D=80?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/settings/serializers/auth/oidc.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/apps/settings/serializers/auth/oidc.py b/apps/settings/serializers/auth/oidc.py
index ad30729a0..3ecf2bb6c 100644
--- a/apps/settings/serializers/auth/oidc.py
+++ b/apps/settings/serializers/auth/oidc.py
@@ -11,7 +11,8 @@ __all__ = [
 class CommonSettingSerializer(serializers.Serializer):
     # OpenID 公有配置参数 (version <= 1.5.8 或 version >= 1.5.8)
     BASE_SITE_URL = serializers.CharField(
-        required=False, allow_null=True, max_length=1024, label=_('Base site url')
+        required=False, allow_null=True, allow_blank=True,
+        max_length=1024, label=_('Base site url')
     )
     AUTH_OPENID_CLIENT_ID = serializers.CharField(
         required=False, max_length=1024, label=_('Client Id')

From 05826abf9d983384950dd8297c7313933a045e56 Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Tue, 28 Jun 2022 20:12:55 +0800
Subject: [PATCH 209/258] =?UTF-8?q?feat:=20Endpoint=20=E6=94=AF=E6=8C=81?=
 =?UTF-8?q?=E6=A0=87=E7=AD=BE=E5=8C=B9=E9=85=8D?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

feat: Endpoint 支持标签匹配

feat: Endpoint 支持标签匹配

feat: Endpoint 支持标签匹配

feat: Endpoint 添加帮助信息

feat: Endpoint 添加帮助信息
---
 apps/locale/ja/LC_MESSAGES/django.mo  |   4 +-
 apps/locale/ja/LC_MESSAGES/django.po  | 618 +++++++++++---------------
 apps/locale/zh/LC_MESSAGES/django.mo  |   4 +-
 apps/locale/zh/LC_MESSAGES/django.po  | 616 +++++++++++--------------
 apps/terminal/api/endpoint.py         |  68 +--
 apps/terminal/models/endpoint.py      |  31 +-
 apps/terminal/models/session.py       |   6 +-
 apps/terminal/serializers/endpoint.py |   8 +-
 8 files changed, 584 insertions(+), 771 deletions(-)

diff --git a/apps/locale/ja/LC_MESSAGES/django.mo b/apps/locale/ja/LC_MESSAGES/django.mo
index d0d6aaf5d..d9a6ef7bd 100644
--- a/apps/locale/ja/LC_MESSAGES/django.mo
+++ b/apps/locale/ja/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:132e7f59a56d1cf5b2358b21b547861e872fa456164f2e0809120fb2b13f0ec1
-size 128122
+oid sha256:5a2f54edd26cd86ec150e5380ba8f9ac3f05ef144d11bef16459ae82a3ec0583
+size 125818
diff --git a/apps/locale/ja/LC_MESSAGES/django.po b/apps/locale/ja/LC_MESSAGES/django.po
index 6b94dad82..edcdb7ac6 100644
--- a/apps/locale/ja/LC_MESSAGES/django.po
+++ b/apps/locale/ja/LC_MESSAGES/django.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-06-16 11:12+0800\n"
+"POT-Creation-Date: 2022-06-29 18:09+0800\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -29,8 +29,8 @@ msgstr "Acls"
 #: assets/models/group.py:20 assets/models/label.py:18 ops/mixin.py:24
 #: orgs/models.py:65 perms/models/base.py:83 rbac/models/role.py:29
 #: settings/models.py:29 settings/serializers/sms.py:6
-#: terminal/models/endpoint.py:10 terminal/models/endpoint.py:59
-#: terminal/models/storage.py:25 terminal/models/task.py:16
+#: terminal/models/endpoint.py:10 terminal/models/endpoint.py:82
+#: terminal/models/storage.py:26 terminal/models/task.py:16
 #: terminal/models/terminal.py:100 users/forms/profile.py:33
 #: users/models/group.py:15 users/models/user.py:661
 #: xpack/plugins/cloud/models.py:28
@@ -38,18 +38,18 @@ msgid "Name"
 msgstr "名前"
 
 #: acls/models/base.py:27 assets/models/cmd_filter.py:84
-#: assets/models/user.py:251 terminal/models/endpoint.py:62
+#: assets/models/user.py:251 terminal/models/endpoint.py:85
 msgid "Priority"
 msgstr "優先順位"
 
 #: acls/models/base.py:28 assets/models/cmd_filter.py:84
-#: assets/models/user.py:251 terminal/models/endpoint.py:63
+#: assets/models/user.py:251 terminal/models/endpoint.py:86
 msgid "1-100, the lower the value will be match first"
 msgstr "1-100、低い値は最初に一致します"
 
 #: acls/models/base.py:31 authentication/models.py:18
 #: authentication/templates/authentication/_access_key_modal.html:32
-#: perms/models/base.py:88 terminal/models/sharing.py:26
+#: perms/models/base.py:88 terminal/models/sharing.py:26 tickets/const.py:39
 msgid "Active"
 msgstr "アクティブ"
 
@@ -61,9 +61,9 @@ msgstr "アクティブ"
 #: assets/models/domain.py:64 assets/models/group.py:23
 #: assets/models/label.py:23 ops/models/adhoc.py:38 orgs/models.py:68
 #: perms/models/base.py:93 rbac/models/role.py:37 settings/models.py:34
-#: terminal/models/endpoint.py:21 terminal/models/endpoint.py:69
-#: terminal/models/storage.py:28 terminal/models/terminal.py:114
-#: tickets/models/comment.py:24 tickets/models/ticket.py:154
+#: terminal/models/endpoint.py:21 terminal/models/endpoint.py:92
+#: terminal/models/storage.py:29 terminal/models/terminal.py:114
+#: tickets/models/comment.py:32 tickets/models/ticket/general.py:277
 #: users/models/group.py:16 users/models/user.py:698
 #: xpack/plugins/change_auth_plan/models/base.py:44
 #: xpack/plugins/cloud/models.py:35 xpack/plugins/cloud/models.py:116
@@ -71,8 +71,8 @@ msgstr "アクティブ"
 msgid "Comment"
 msgstr "コメント"
 
-#: acls/models/login_acl.py:18 tickets/const.py:38
-#: tickets/templates/tickets/approve_check_password.html:39
+#: acls/models/login_acl.py:18 tickets/const.py:47
+#: tickets/templates/tickets/approve_check_password.html:49
 msgid "Reject"
 msgstr "拒否"
 
@@ -80,7 +80,7 @@ msgstr "拒否"
 msgid "Allow"
 msgstr "許可"
 
-#: acls/models/login_acl.py:20 acls/models/login_acl.py:117
+#: acls/models/login_acl.py:20 acls/models/login_acl.py:104
 #: acls/models/login_asset_acl.py:17 tickets/const.py:9
 msgid "Login confirm"
 msgstr "ログイン確認"
@@ -93,7 +93,7 @@ msgstr "ログイン確認"
 #: terminal/backends/command/models.py:20
 #: terminal/backends/command/serializers.py:12 terminal/models/session.py:44
 #: terminal/notifications.py:91 terminal/notifications.py:139
-#: tickets/models/comment.py:17 users/const.py:14 users/models/user.py:888
+#: tickets/models/comment.py:21 users/const.py:14 users/models/user.py:888
 #: users/models/user.py:919 users/serializers/group.py:19
 msgid "User"
 msgstr "ユーザー"
@@ -143,7 +143,7 @@ msgstr "資産"
 msgid "Login asset acl"
 msgstr "ログインasset acl"
 
-#: acls/models/login_asset_acl.py:90 tickets/const.py:12
+#: acls/models/login_asset_acl.py:89 tickets/const.py:12
 msgid "Login asset confirm"
 msgstr "ログイン資産の確認"
 
@@ -183,7 +183,7 @@ msgstr ""
 #: authentication/templates/authentication/_msg_oauth_bind.html:12
 #: authentication/templates/authentication/_msg_rest_password_success.html:8
 #: authentication/templates/authentication/_msg_rest_public_key_success.html:8
-#: settings/serializers/terminal.py:8 terminal/serializers/endpoint.py:38
+#: settings/serializers/terminal.py:8 terminal/serializers/endpoint.py:42
 msgid "IP"
 msgstr "IP"
 
@@ -212,7 +212,7 @@ msgid "Unsupported protocols: {}"
 msgstr "サポートされていないプロトコル: {}"
 
 #: acls/serializers/login_asset_acl.py:98
-#: tickets/serializers/ticket/ticket.py:105
+#: tickets/serializers/ticket/ticket.py:65
 msgid "The organization `{}` does not exist"
 msgstr "組織 '{}'は存在しません"
 
@@ -296,7 +296,7 @@ msgstr "アプリケーションアカウントの秘密を変更できます"
 #: applications/serializers/application.py:99 assets/models/label.py:21
 #: perms/models/application_permission.py:21
 #: perms/serializers/application/user_permission.py:33
-#: tickets/serializers/ticket/meta/ticket_type/apply_application.py:22
+#: tickets/models/ticket/apply_application.py:14
 #: xpack/plugins/change_auth_plan/models/app.py:25
 msgid "Category"
 msgstr "カテゴリ"
@@ -306,9 +306,10 @@ msgstr "カテゴリ"
 #: assets/models/cmd_filter.py:82 assets/models/user.py:250
 #: perms/models/application_permission.py:24
 #: perms/serializers/application/user_permission.py:34
-#: terminal/models/storage.py:57 terminal/models/storage.py:141
-#: tickets/models/flow.py:56 tickets/models/ticket.py:131
-#: tickets/serializers/ticket/meta/ticket_type/apply_application.py:29
+#: terminal/models/storage.py:58 terminal/models/storage.py:142
+#: tickets/models/comment.py:26 tickets/models/flow.py:57
+#: tickets/models/ticket/apply_application.py:17
+#: tickets/models/ticket/general.py:262
 #: xpack/plugins/change_auth_plan/models/app.py:28
 #: xpack/plugins/change_auth_plan/models/app.py:153
 msgid "Type"
@@ -335,7 +336,6 @@ msgstr "アプリケーションユーザー"
 #: applications/serializers/application.py:70
 #: applications/serializers/application.py:100 assets/serializers/label.py:13
 #: perms/serializers/application/permission.py:18
-#: tickets/serializers/ticket/meta/ticket_type/apply_application.py:26
 msgid "Category display"
 msgstr "カテゴリ表示"
 
@@ -343,9 +343,7 @@ msgstr "カテゴリ表示"
 #: applications/serializers/application.py:102
 #: assets/serializers/cmd_filter.py:34 assets/serializers/system_user.py:34
 #: audits/serializers.py:29 perms/serializers/application/permission.py:19
-#: tickets/serializers/ticket/meta/ticket_type/apply_application.py:33
-#: tickets/serializers/ticket/ticket.py:21
-#: tickets/serializers/ticket/ticket.py:173
+#: tickets/serializers/flow.py:48 tickets/serializers/ticket/ticket.py:16
 msgid "Type display"
 msgstr "タイプ表示"
 
@@ -354,7 +352,7 @@ msgstr "タイプ表示"
 #: assets/models/domain.py:26 assets/models/gathered_user.py:19
 #: assets/models/group.py:22 assets/models/label.py:25
 #: assets/serializers/account.py:18 assets/serializers/cmd_filter.py:28
-#: assets/serializers/cmd_filter.py:48 common/db/models.py:113
+#: assets/serializers/cmd_filter.py:48 common/db/models.py:114
 #: common/mixins/models.py:50 ops/models/adhoc.py:39 ops/models/command.py:30
 #: orgs/models.py:67 orgs/models.py:217 perms/models/base.py:92
 #: users/models/group.py:18 users/models/user.py:920
@@ -365,7 +363,7 @@ msgstr "作成された日付"
 #: applications/serializers/application.py:104 assets/models/base.py:182
 #: assets/models/gathered_user.py:20 assets/serializers/account.py:21
 #: assets/serializers/cmd_filter.py:29 assets/serializers/cmd_filter.py:49
-#: common/db/models.py:114 common/mixins/models.py:51 ops/models/adhoc.py:40
+#: common/db/models.py:115 common/mixins/models.py:51 ops/models/adhoc.py:40
 #: orgs/models.py:218
 msgid "Date updated"
 msgstr "更新日"
@@ -501,7 +499,7 @@ msgid "Charset"
 msgstr "シャーセット"
 
 #: assets/models/asset.py:141 assets/serializers/asset.py:176
-#: tickets/models/ticket.py:133
+#: tickets/models/ticket/general.py:287
 msgid "Meta"
 msgstr "メタ"
 
@@ -523,7 +521,7 @@ msgstr "ベンダー"
 msgid "Model"
 msgstr "モデル"
 
-#: assets/models/asset.py:170 tickets/models/ticket.py:159
+#: assets/models/asset.py:170 tickets/models/ticket/general.py:285
 msgid "Serial number"
 msgstr "シリアル番号"
 
@@ -609,7 +607,7 @@ msgstr "ラベル"
 #: assets/models/asset.py:229 assets/models/base.py:183
 #: assets/models/cluster.py:28 assets/models/cmd_filter.py:52
 #: assets/models/cmd_filter.py:99 assets/models/group.py:21
-#: common/db/models.py:111 common/mixins/models.py:49 orgs/models.py:66
+#: common/db/models.py:112 common/mixins/models.py:49 orgs/models.py:66
 #: orgs/models.py:219 perms/models/base.py:91 users/models/user.py:706
 #: users/serializers/group.py:33
 #: xpack/plugins/change_auth_plan/models/base.py:48
@@ -685,8 +683,8 @@ msgstr "タイミングトリガー"
 
 #: assets/models/backup.py:105 audits/models.py:44 ops/models/command.py:31
 #: perms/models/base.py:89 terminal/models/session.py:58
-#: tickets/serializers/ticket/meta/ticket_type/apply_application.py:55
-#: tickets/serializers/ticket/meta/ticket_type/apply_asset.py:57
+#: tickets/models/ticket/apply_application.py:25
+#: tickets/models/ticket/apply_asset.py:23
 #: xpack/plugins/change_auth_plan/models/base.py:112
 #: xpack/plugins/change_auth_plan/models/base.py:203
 #: xpack/plugins/gathered_user/models.py:76
@@ -762,7 +760,7 @@ msgstr "確認済みの日付"
 #: assets/models/base.py:177 assets/serializers/base.py:15
 #: assets/serializers/base.py:37 assets/serializers/system_user.py:29
 #: audits/signal_handlers.py:50 authentication/forms.py:32
-#: authentication/templates/authentication/login.html:182
+#: authentication/templates/authentication/login.html:228
 #: settings/serializers/auth/ldap.py:25 settings/serializers/auth/ldap.py:46
 #: users/forms/profile.py:22 users/serializers/user.py:92
 #: users/templates/users/_msg_user_created.html:13
@@ -1072,7 +1070,7 @@ msgstr ""
 "されていません-個人情報にアクセスしてください-> ファイル暗号化パスワードを設"
 "定してください暗号化パスワード"
 
-#: assets/serializers/account.py:36 assets/serializers/account.py:79
+#: assets/serializers/account.py:36 assets/serializers/account.py:87
 msgid "System user display"
 msgstr "システムユーザー表示"
 
@@ -1113,6 +1111,7 @@ msgstr "CPU情報"
 #: perms/serializers/application/permission.py:42
 #: perms/serializers/asset/permission.py:18
 #: perms/serializers/asset/permission.py:46
+#: tickets/models/ticket/apply_asset.py:21
 msgid "Actions"
 msgstr "アクション"
 
@@ -1489,14 +1488,13 @@ msgstr "-"
 msgid "Login type"
 msgstr "ログインタイプ"
 
-#: audits/models.py:123
-#: tickets/serializers/ticket/meta/ticket_type/login_confirm.py:14
+#: audits/models.py:123 tickets/models/ticket/login_confirm.py:10
 msgid "Login ip"
 msgstr "ログインIP"
 
 #: audits/models.py:124
 #: authentication/templates/authentication/_msg_different_city.html:11
-#: tickets/serializers/ticket/meta/ticket_type/login_confirm.py:17
+#: tickets/models/ticket/login_confirm.py:11
 msgid "Login city"
 msgstr "ログイン都市"
 
@@ -1512,7 +1510,7 @@ msgid "MFA"
 msgstr "MFA"
 
 #: audits/models.py:128 terminal/models/status.py:33
-#: tickets/models/ticket.py:140 xpack/plugins/cloud/models.py:175
+#: tickets/models/ticket/general.py:270 xpack/plugins/cloud/models.py:175
 #: xpack/plugins/cloud/models.py:227
 msgid "Status"
 msgstr "ステータス"
@@ -1533,7 +1531,7 @@ msgstr "ユーザーログインログ"
 msgid "Operate display"
 msgstr "ディスプレイを操作する"
 
-#: audits/serializers.py:30 tickets/serializers/ticket/ticket.py:22
+#: audits/serializers.py:30 tickets/serializers/ticket/ticket.py:17
 msgid "Status display"
 msgstr "ステータス表示"
 
@@ -1583,13 +1581,13 @@ msgid "Auth Token"
 msgstr "認証トークン"
 
 #: audits/signal_handlers.py:53 authentication/notifications.py:73
-#: authentication/views/login.py:164 authentication/views/wecom.py:177
+#: authentication/views/login.py:163 authentication/views/wecom.py:177
 #: notifications/backends/__init__.py:11 users/models/user.py:720
 msgid "WeCom"
 msgstr "企業微信"
 
 #: audits/signal_handlers.py:54 authentication/views/dingtalk.py:179
-#: authentication/views/login.py:170 notifications/backends/__init__.py:12
+#: authentication/views/login.py:169 notifications/backends/__init__.py:12
 #: users/models/user.py:721
 msgid "DingTalk"
 msgstr "DingTalk"
@@ -2111,9 +2109,8 @@ msgid "Verified"
 msgstr "確認済み"
 
 #: authentication/models.py:73 perms/models/base.py:90
-#: tickets/serializers/ticket/meta/ticket_type/apply_application.py:58
-#: tickets/serializers/ticket/meta/ticket_type/apply_asset.py:60
-#: users/models/user.py:703
+#: tickets/models/ticket/apply_application.py:26
+#: tickets/models/ticket/apply_asset.py:24 users/models/user.py:703
 msgid "Date expired"
 msgstr "期限切れの日付"
 
@@ -2183,7 +2180,7 @@ msgstr "削除成功"
 
 #: authentication/templates/authentication/_access_key_modal.html:155
 #: authentication/templates/authentication/_mfa_confirm_modal.html:53
-#: templates/_modal.html:22 tickets/const.py:36
+#: templates/_modal.html:22 tickets/const.py:45
 msgid "Close"
 msgstr "閉じる"
 
@@ -2222,7 +2219,7 @@ msgstr "コードエラー"
 #: jumpserver/conf.py:305 ops/tasks.py:145 ops/tasks.py:148
 #: perms/templates/perms/_msg_item_permissions_expire.html:3
 #: perms/templates/perms/_msg_permed_items_expire.html:3
-#: tickets/templates/tickets/approve_check_password.html:23
+#: tickets/templates/tickets/approve_check_password.html:33
 #: users/templates/users/_msg_account_expire_reminder.html:4
 #: users/templates/users/_msg_password_expire_reminder.html:4
 #: users/templates/users/_msg_reset_mfa.html:4
@@ -2310,23 +2307,23 @@ msgstr ""
 "公開鍵の更新が開始されなかった場合、アカウントにセキュリティ上の問題がある可"
 "能性があります"
 
-#: authentication/templates/authentication/login.html:174
+#: authentication/templates/authentication/login.html:221
 msgid "Welcome back, please enter username and password to login"
 msgstr ""
 "おかえりなさい、ログインするためにユーザー名とパスワードを入力してください"
 
-#: authentication/templates/authentication/login.html:210
+#: authentication/templates/authentication/login.html:256
 #: users/templates/users/forgot_password.html:15
 #: users/templates/users/forgot_password.html:16
 msgid "Forgot password"
 msgstr "パスワードを忘れた"
 
-#: authentication/templates/authentication/login.html:217
+#: authentication/templates/authentication/login.html:264
 #: templates/_header_bar.html:89
 msgid "Login"
 msgstr "ログイン"
 
-#: authentication/templates/authentication/login.html:224
+#: authentication/templates/authentication/login.html:271
 msgid "More login options"
 msgstr "その他のログインオプション"
 
@@ -2424,7 +2421,7 @@ msgstr "FeiShuクエリユーザーが失敗しました"
 msgid "The FeiShu is already bound to another user"
 msgstr "FeiShuはすでに別のユーザーにバインドされています"
 
-#: authentication/views/feishu.py:143 authentication/views/login.py:176
+#: authentication/views/feishu.py:143 authentication/views/login.py:175
 #: notifications/backends/__init__.py:14 users/models/user.py:722
 msgid "FeiShu"
 msgstr "本を飛ばす"
@@ -2445,19 +2442,19 @@ msgstr "本を飛ばすは拘束されていません"
 msgid "Please login with a password and then bind the FeiShu"
 msgstr "パスワードでログインしてから本を飛ばすをバインドしてください"
 
-#: authentication/views/login.py:70
+#: authentication/views/login.py:69
 msgid "Redirecting"
 msgstr "リダイレクト"
 
-#: authentication/views/login.py:71
+#: authentication/views/login.py:70
 msgid "Redirecting to {} authentication"
 msgstr "{} 認証へのリダイレクト"
 
-#: authentication/views/login.py:94
+#: authentication/views/login.py:93
 msgid "Please enable cookies and try again."
 msgstr "クッキーを有効にして、もう一度お試しください。"
 
-#: authentication/views/login.py:263
+#: authentication/views/login.py:300
 msgid ""
 "Wait for <b>{}</b> confirm, You also can copy link to her/him <br/>\n"
 "                  Don't close this page"
@@ -2465,15 +2462,15 @@ msgstr ""
 "<b>{}</b> 確認を待ちます。彼女/彼へのリンクをコピーすることもできます <br/>\n"
 "                  このページを閉じないでください"
 
-#: authentication/views/login.py:268
+#: authentication/views/login.py:305
 msgid "No ticket found"
 msgstr "チケットが見つかりません"
 
-#: authentication/views/login.py:302
+#: authentication/views/login.py:339
 msgid "Logout success"
 msgstr "ログアウト成功"
 
-#: authentication/views/login.py:303
+#: authentication/views/login.py:340
 msgid "Logout success, return login page"
 msgstr "ログアウト成功、ログインページを返す"
 
@@ -2523,7 +2520,7 @@ msgstr "%(name)s が正常に作成されました"
 msgid "%(name)s was updated successfully"
 msgstr "%(name)s は正常に更新されました"
 
-#: common/db/encoder.py:17
+#: common/db/encoder.py:10
 msgid "ugettext_lazy"
 msgstr "ugettext_lazy"
 
@@ -2555,7 +2552,7 @@ msgstr "テキストフィールドへのマーシャルデータ"
 msgid "Encrypt field using Secret Key"
 msgstr "Secret Keyを使用したフィールドの暗号化"
 
-#: common/db/models.py:112
+#: common/db/models.py:113
 msgid "Updated by"
 msgstr "によって更新"
 
@@ -2947,7 +2944,7 @@ msgstr "アプリ組織"
 #: orgs/mixins/models.py:46 orgs/mixins/serializers.py:25 orgs/models.py:80
 #: orgs/models.py:211 rbac/const.py:7 rbac/models/rolebinding.py:48
 #: rbac/serializers/rolebinding.py:40 settings/serializers/auth/ldap.py:62
-#: tickets/serializers/ticket/ticket.py:77
+#: tickets/models/ticket/general.py:289 tickets/serializers/ticket/ticket.py:51
 msgid "Organization"
 msgstr "組織"
 
@@ -3355,7 +3352,7 @@ msgstr "マイアプリ"
 msgid "Ticket comment"
 msgstr "チケットコメント"
 
-#: rbac/tree.py:117 tickets/models/ticket.py:163
+#: rbac/tree.py:117 tickets/models/ticket/general.py:294
 msgid "Ticket"
 msgstr "チケット"
 
@@ -4564,7 +4561,7 @@ msgstr "確認コードが送信されました"
 msgid "Home page"
 msgstr "ホームページ"
 
-#: templates/flash_message_standalone.html:25
+#: templates/flash_message_standalone.html:25 tickets/const.py:20
 msgid "Cancel"
 msgstr "キャンセル"
 
@@ -4613,7 +4610,7 @@ msgstr ""
 msgid "Filters"
 msgstr "フィルター"
 
-#: terminal/api/endpoint.py:63
+#: terminal/api/endpoint.py:26
 msgid "Not found protocol query params"
 msgstr "プロトコルクエリパラメータが見つかりません"
 
@@ -4701,6 +4698,7 @@ msgstr "出力"
 #: terminal/backends/command/models.py:25 terminal/models/replay.py:9
 #: terminal/models/sharing.py:17 terminal/models/sharing.py:64
 #: terminal/templates/terminal/_msg_command_alert.html:10
+#: tickets/models/ticket/command_confirm.py:23
 msgid "Session"
 msgstr "セッション"
 
@@ -4785,18 +4783,18 @@ msgstr "PostgreSQL ポート"
 msgid "Redis Port"
 msgstr "Redis ポート"
 
-#: terminal/models/endpoint.py:26 terminal/models/endpoint.py:67
-#: terminal/serializers/endpoint.py:41 terminal/serializers/storage.py:38
+#: terminal/models/endpoint.py:26 terminal/models/endpoint.py:90
+#: terminal/serializers/endpoint.py:45 terminal/serializers/storage.py:38
 #: terminal/serializers/storage.py:50 terminal/serializers/storage.py:80
 #: terminal/serializers/storage.py:90 terminal/serializers/storage.py:98
 msgid "Endpoint"
 msgstr "エンドポイント"
 
-#: terminal/models/endpoint.py:60
+#: terminal/models/endpoint.py:83
 msgid "IP group"
 msgstr "IP グループ"
 
-#: terminal/models/endpoint.py:72
+#: terminal/models/endpoint.py:95
 msgid "Endpoint rule"
 msgstr "エンドポイントルール"
 
@@ -4824,23 +4822,23 @@ msgstr "リプレイ"
 msgid "Date end"
 msgstr "終了日"
 
-#: terminal/models/session.py:251
+#: terminal/models/session.py:255
 msgid "Session record"
 msgstr "セッション記録"
 
-#: terminal/models/session.py:253
+#: terminal/models/session.py:257
 msgid "Can monitor session"
 msgstr "セッションを監視できます"
 
-#: terminal/models/session.py:254
+#: terminal/models/session.py:258
 msgid "Can share session"
 msgstr "セッションを共有できます"
 
-#: terminal/models/session.py:255
+#: terminal/models/session.py:259
 msgid "Can terminate session"
 msgstr "セッションを終了できます"
 
-#: terminal/models/session.py:256
+#: terminal/models/session.py:260
 msgid "Can validate session action perm"
 msgstr "セッションアクションのパーマを検証できます"
 
@@ -4884,7 +4882,7 @@ msgstr "参加日"
 msgid "Date left"
 msgstr "日付が残っています"
 
-#: terminal/models/sharing.py:97
+#: terminal/models/sharing.py:97 tickets/const.py:26
 #: xpack/plugins/change_auth_plan/models/base.py:192
 msgid "Finished"
 msgstr "終了"
@@ -4925,15 +4923,15 @@ msgstr "スレッド"
 msgid "Boot Time"
 msgstr "ブート時間"
 
-#: terminal/models/storage.py:27
+#: terminal/models/storage.py:28
 msgid "Default storage"
 msgstr "デフォルトのストレージ"
 
-#: terminal/models/storage.py:135 terminal/models/terminal.py:108
+#: terminal/models/storage.py:136 terminal/models/terminal.py:108
 msgid "Command storage"
 msgstr "コマンドストレージ"
 
-#: terminal/models/storage.py:195 terminal/models/terminal.py:109
+#: terminal/models/storage.py:196 terminal/models/terminal.py:109
 msgid "Replay storage"
 msgstr "再生ストレージ"
 
@@ -4973,6 +4971,11 @@ msgstr "レベル"
 msgid "Batch danger command alert"
 msgstr "一括危険コマンド警告"
 
+#: terminal/serializers/endpoint.py:39
+msgid ""
+"If asset IP addresses under different endpoints conflict, use asset labels"
+msgstr "異なるエンドポイントの下に競合するアセットIPがある場合は、アセットタグを使用して実装します"
+
 #: terminal/serializers/session.py:31
 msgid "User ID"
 msgstr "ユーザーID"
@@ -5103,51 +5106,57 @@ msgstr "資産の申請"
 msgid "Apply for application"
 msgstr "申し込み"
 
-#: tickets/const.py:17 tickets/const.py:30 tickets/const.py:35
+#: tickets/const.py:17 tickets/const.py:25 tickets/const.py:44
 msgid "Open"
 msgstr "オープン"
 
-#: tickets/const.py:18 tickets/const.py:25
+#: tickets/const.py:18 tickets/const.py:31
 msgid "Approved"
 msgstr "承認済み"
 
-#: tickets/const.py:19 tickets/const.py:26
+#: tickets/const.py:19 tickets/const.py:32
 msgid "Rejected"
 msgstr "拒否"
 
-#: tickets/const.py:20 tickets/const.py:31
+#: tickets/const.py:21 tickets/const.py:34
+msgid "Reopen"
+msgstr ""
+
+#: tickets/const.py:30 tickets/const.py:38
+#, fuzzy
+#| msgid "Role binding"
+msgid "Pending"
+msgstr "ロールバインディング"
+
+#: tickets/const.py:33 tickets/const.py:40
 msgid "Closed"
 msgstr "クローズ"
 
-#: tickets/const.py:24
-msgid "Notified"
-msgstr "通知"
-
-#: tickets/const.py:37
+#: tickets/const.py:46
 msgid "Approve"
 msgstr "承認"
 
-#: tickets/const.py:42
+#: tickets/const.py:51
 msgid "One level"
 msgstr "1つのレベル"
 
-#: tickets/const.py:43
+#: tickets/const.py:52
 msgid "Two level"
 msgstr "2つのレベル"
 
-#: tickets/const.py:47
+#: tickets/const.py:56
 msgid "Super admin"
 msgstr "スーパー管理者"
 
-#: tickets/const.py:48
+#: tickets/const.py:57
 msgid "Org admin"
 msgstr "Org admin"
 
-#: tickets/const.py:49
+#: tickets/const.py:58
 msgid "Super admin and org admin"
 msgstr "スーパーadminとorg admin"
 
-#: tickets/const.py:50
+#: tickets/const.py:59
 msgid "Custom user"
 msgstr "カスタムユーザー"
 
@@ -5155,31 +5164,7 @@ msgstr "カスタムユーザー"
 msgid "Ticket already closed"
 msgstr "チケットはすでに閉じています"
 
-#: tickets/handler/apply_application.py:53
-msgid "Applied category"
-msgstr "応用カテゴリ"
-
-#: tickets/handler/apply_application.py:54
-msgid "Applied type"
-msgstr "応用タイプ"
-
-#: tickets/handler/apply_application.py:55
-msgid "Applied application group"
-msgstr "応用アプリケーショングループ"
-
-#: tickets/handler/apply_application.py:56 tickets/handler/apply_asset.py:52
-msgid "Applied system user group"
-msgstr "応用システムユーザーグループ"
-
-#: tickets/handler/apply_application.py:57 tickets/handler/apply_asset.py:54
-msgid "Applied date start"
-msgstr "適用日開始"
-
-#: tickets/handler/apply_application.py:58 tickets/handler/apply_asset.py:55
-msgid "Applied date expired"
-msgstr "適用期限が切れた"
-
-#: tickets/handler/apply_application.py:80
+#: tickets/handlers/apply_application.py:35
 msgid ""
 "Created by the ticket, ticket title: {}, ticket applicant: {}, ticket "
 "processor: {}, ticket ID: {}"
@@ -5187,19 +5172,7 @@ msgstr ""
 "チケットによって作成されたチケットタイトル: {}、チケット申請者: {}、チケット"
 "処理者: {}、チケットID: {}"
 
-#: tickets/handler/apply_asset.py:50
-msgid "Applied node group"
-msgstr "適用ノードグループ"
-
-#: tickets/handler/apply_asset.py:51
-msgid "Applied hostname group"
-msgstr "応用ホスト名グループ"
-
-#: tickets/handler/apply_asset.py:53
-msgid "Applied actions"
-msgstr "応用アクション"
-
-#: tickets/handler/apply_asset.py:77
+#: tickets/handlers/apply_asset.py:35
 msgid ""
 "Created by the ticket ticket title: {} ticket applicant: {} ticket "
 "processor: {} ticket ID: {}"
@@ -5207,116 +5180,57 @@ msgstr ""
 "チケットのタイトル: {} チケット申請者: {} チケットプロセッサ: {} チケットID: "
 "{}"
 
-#: tickets/handler/base.py:88
+#: tickets/handlers/base.py:75
 msgid "{} {} the ticket"
 msgstr "{} {} チケット"
 
-#: tickets/handler/base.py:116
-msgid "Ticket title"
-msgstr "チケットタイトル"
-
-#: tickets/handler/base.py:117
-msgid "Ticket type"
-msgstr "チケットタイプ"
-
-#: tickets/handler/base.py:118
-msgid "Ticket status"
-msgstr "チケットのステータス"
-
-#: tickets/handler/base.py:119
-msgid "Ticket applicant"
-msgstr "チケット申請者"
-
-#: tickets/handler/base.py:121
-msgid "Ticket basic info"
-msgstr "チケット基本情報"
-
-#: tickets/handler/base.py:132
-msgid "No content"
-msgstr "コンテンツなし"
-
-#: tickets/handler/base.py:134
-msgid "Ticket applied info"
-msgstr "チケット適用情報"
-
-#: tickets/handler/command_confirm.py:25
-msgid "Applied run user"
-msgstr "Applied runユーザー"
-
-#: tickets/handler/command_confirm.py:26
-msgid "Applied run asset"
-msgstr "アプライドランアセット"
-
-#: tickets/handler/command_confirm.py:27
-msgid "Applied run system user"
-msgstr "Applied runシステムユーザー"
-
-#: tickets/handler/command_confirm.py:28
-msgid "Applied run command"
-msgstr "Applied runコマンド"
-
-#: tickets/handler/command_confirm.py:29
-msgid "Applied from session"
-msgstr "セッションからの応用"
-
-#: tickets/handler/command_confirm.py:30
-msgid "Applied from command filter rules"
-msgstr "コマンドフィルタルールから適用"
-
-#: tickets/handler/command_confirm.py:31
-msgid "Applied from command filter"
-msgstr "コマンドフィルタからの応用"
-
-#: tickets/handler/login_asset_confirm.py:17
-msgid "Applied login user"
-msgstr "応用ログインユーザー"
-
-#: tickets/handler/login_asset_confirm.py:18
-msgid "Applied login asset"
-msgstr "アプライドログインアセット"
-
-#: tickets/handler/login_asset_confirm.py:19
-msgid "Applied login system user"
-msgstr "応用ログインシステムユーザー"
-
-#: tickets/handler/login_confirm.py:17
+#: tickets/handlers/login_confirm.py:18
 msgid "Applied login IP"
 msgstr "応用ログインIP"
 
-#: tickets/handler/login_confirm.py:18
+#: tickets/handlers/login_confirm.py:19
 msgid "Applied login city"
 msgstr "応用ログイン都市"
 
-#: tickets/handler/login_confirm.py:19
+#: tickets/handlers/login_confirm.py:20
 msgid "Applied login datetime"
 msgstr "適用されたログインの日付時間"
 
-#: tickets/models/comment.py:19
+#: tickets/models/comment.py:13 tickets/models/ticket/general.py:38
+#: tickets/models/ticket/general.py:266
+msgid "State"
+msgstr "状態"
+
+#: tickets/models/comment.py:14
+msgid "common"
+msgstr ""
+
+#: tickets/models/comment.py:23
 msgid "User display name"
 msgstr "ユーザー表示名"
 
-#: tickets/models/comment.py:20
+#: tickets/models/comment.py:24
 msgid "Body"
 msgstr "ボディ"
 
-#: tickets/models/flow.py:19 tickets/models/flow.py:61
-#: tickets/models/ticket.py:30
+#: tickets/models/flow.py:20 tickets/models/flow.py:62
+#: tickets/models/ticket/general.py:34
 msgid "Approve level"
 msgstr "レベルを承認する"
 
-#: tickets/models/flow.py:24 tickets/serializers/ticket/ticket.py:141
+#: tickets/models/flow.py:25 tickets/serializers/flow.py:14
 msgid "Approve strategy"
 msgstr "戦略を承認する"
 
-#: tickets/models/flow.py:29 tickets/serializers/ticket/ticket.py:142
+#: tickets/models/flow.py:30 tickets/serializers/flow.py:15
 msgid "Assignees"
 msgstr "アシニーズ"
 
-#: tickets/models/flow.py:33
+#: tickets/models/flow.py:34
 msgid "Ticket flow approval rule"
 msgstr "チケットフロー承認ルール"
 
-#: tickets/models/flow.py:66
+#: tickets/models/flow.py:67
 msgid "Ticket flow"
 msgstr "チケットの流れ"
 
@@ -5324,207 +5238,177 @@ msgstr "チケットの流れ"
 msgid "Ticket session relation"
 msgstr "チケットセッションの関係"
 
-#: tickets/models/ticket.py:35
+#: tickets/models/ticket/apply_application.py:11
+#: tickets/models/ticket/apply_asset.py:13
+msgid "Apply name"
+msgstr "名前を適用"
+
+#: tickets/models/ticket/apply_application.py:20
+msgid "Apply applications"
+msgstr "アプリケーションの適用"
+
+#: tickets/models/ticket/apply_application.py:23
+#: tickets/models/ticket/apply_asset.py:18
+msgid "Apply system users"
+msgstr "システムユーザーの適用"
+
+#: tickets/models/ticket/apply_asset.py:9
+#: tickets/serializers/ticket/apply_asset.py:15
+msgid "Select at least one asset or node"
+msgstr "少なくとも1つのアセットまたはノードを選択します。"
+
+#: tickets/models/ticket/apply_asset.py:14
+msgid "Apply nodes"
+msgstr "ノードの適用"
+
+#: tickets/models/ticket/apply_asset.py:16
+msgid "Apply assets"
+msgstr "資産の適用"
+
+#: tickets/models/ticket/command_confirm.py:10
+msgid "Run user"
+msgstr "ユーザーの実行"
+
+#: tickets/models/ticket/command_confirm.py:14
+msgid "Run asset"
+msgstr "アセットの実行"
+
+#: tickets/models/ticket/command_confirm.py:18
+msgid "Run system user"
+msgstr "システムユーザーの実行"
+
+#: tickets/models/ticket/command_confirm.py:20
+msgid "Run command"
+msgstr "実行コマンド"
+
+#: tickets/models/ticket/command_confirm.py:27
+msgid "From cmd filter"
+msgstr "コマンドフィルタ規則から"
+
+#: tickets/models/ticket/command_confirm.py:31
+msgid "From cmd filter rule"
+msgstr "コマンドフィルタ規則から"
+
+#: tickets/models/ticket/general.py:69
 msgid "Ticket step"
 msgstr "チケットステップ"
 
-#: tickets/models/ticket.py:46
+#: tickets/models/ticket/general.py:87
 msgid "Ticket assignee"
 msgstr "割り当てられたチケット"
 
-#: tickets/models/ticket.py:128
+#: tickets/models/ticket/general.py:259
 msgid "Title"
 msgstr "タイトル"
 
-#: tickets/models/ticket.py:136
-msgid "State"
-msgstr "状態"
-
-#: tickets/models/ticket.py:144
-msgid "Approval step"
-msgstr "承認ステップ"
-
-#: tickets/models/ticket.py:149
+#: tickets/models/ticket/general.py:275
 msgid "Applicant"
 msgstr "応募者"
 
-#: tickets/models/ticket.py:151
-msgid "Applicant display"
-msgstr "応募者表示"
-
-#: tickets/models/ticket.py:152
-msgid "Process"
-msgstr "プロセス"
-
-#: tickets/models/ticket.py:157
+#: tickets/models/ticket/general.py:280
 msgid "TicketFlow"
 msgstr "作業指示プロセス"
 
-#: tickets/models/ticket.py:320
+#: tickets/models/ticket/general.py:283
+msgid "Approval step"
+msgstr "承認ステップ"
+
+#: tickets/models/ticket/general.py:286
+#, fuzzy
+#| msgid "Change auth plan snapshot"
+msgid "Relation snapshot"
+msgstr "計画スナップショットの暗号化"
+
+#: tickets/models/ticket/general.py:378
 msgid "Please try again"
 msgstr "もう一度お試しください"
 
-#: tickets/models/ticket.py:328
+#: tickets/models/ticket/general.py:385
 msgid "Super ticket"
 msgstr "スーパーチケット"
 
-#: tickets/notifications.py:72
-msgid "Your has a new ticket, applicant - {}"
+#: tickets/models/ticket/login_asset_confirm.py:12
+msgid "Login user"
+msgstr "ログインユーザー"
+
+#: tickets/models/ticket/login_asset_confirm.py:16
+msgid "Login asset"
+msgstr "ログイン資産"
+
+#: tickets/models/ticket/login_asset_confirm.py:20
+msgid "Login system user"
+msgstr "ログインシステムユーザー"
+
+#: tickets/models/ticket/login_confirm.py:12
+msgid "Login datetime"
+msgstr "ログイン日時"
+
+#: tickets/notifications.py:64
+msgid "Ticket basic info"
+msgstr "チケット基本情報"
+
+#: tickets/notifications.py:65
+msgid "Ticket applied info"
+msgstr "チケット適用情報"
+
+#: tickets/notifications.py:116
+#, fuzzy
+#| msgid "Your has a new ticket, applicant - {}"
+msgid "Your has a new ticket"
 msgstr "新しいチケットがあります- {}"
 
-#: tickets/notifications.py:78
-msgid "New Ticket - {} ({})"
+#: tickets/notifications.py:120
+#, fuzzy
+#| msgid "New Ticket - {} ({})"
+msgid "{}: New Ticket - {} ({})"
 msgstr "新しいチケット- {} ({})"
 
-#: tickets/notifications.py:123
+#: tickets/notifications.py:164
 msgid "Your ticket has been processed, processor - {}"
 msgstr "チケットが処理されました。プロセッサー- {}"
 
-#: tickets/notifications.py:127
+#: tickets/notifications.py:168
 msgid "Ticket has processed - {} ({})"
 msgstr "チケットが処理済み- {} ({})"
 
+#: tickets/serializers/flow.py:16
+msgid "Assignees display"
+msgstr "受付者名"
+
+#: tickets/serializers/flow.py:42
+msgid "Please select the Assignees"
+msgstr "受付をお選びください"
+
+#: tickets/serializers/flow.py:68
+msgid "The current organization type already exists"
+msgstr "現在の組織タイプは既に存在します。"
+
 #: tickets/serializers/super_ticket.py:11
 msgid "Processor"
 msgstr "プロセッサ"
 
-#: tickets/serializers/ticket/meta/ticket_type/apply_application.py:18
-#: tickets/serializers/ticket/meta/ticket_type/apply_asset.py:19
-msgid "Apply name"
-msgstr "名前を適用"
-
-#: tickets/serializers/ticket/meta/ticket_type/apply_application.py:37
-msgid "Apply applications"
-msgstr "アプリケーションの適用"
-
-#: tickets/serializers/ticket/meta/ticket_type/apply_application.py:42
-msgid "Apply applications display"
-msgstr "アプリケーション表示の適用"
-
-#: tickets/serializers/ticket/meta/ticket_type/apply_application.py:46
-#: tickets/serializers/ticket/meta/ticket_type/apply_asset.py:41
-msgid "Apply system users"
-msgstr "システムユーザーの適用"
-
-#: tickets/serializers/ticket/meta/ticket_type/apply_application.py:51
-msgid "Apply system user display"
-msgstr "システムユーザー表示の適用"
-
-#: tickets/serializers/ticket/meta/ticket_type/apply_application.py:71
-#: tickets/serializers/ticket/meta/ticket_type/apply_asset.py:73
-#: tickets/serializers/ticket/ticket.py:128
-msgid "Permission named `{}` already exists"
-msgstr "'{}'という名前の権限は既に存在します"
-
-#: tickets/serializers/ticket/meta/ticket_type/apply_application.py:88
-#: tickets/serializers/ticket/meta/ticket_type/apply_asset.py:87
-msgid "The expiration date should be greater than the start date"
-msgstr "有効期限は開始日より大きくする必要があります"
-
-#: tickets/serializers/ticket/meta/ticket_type/apply_asset.py:14
-msgid "Select at least one asset or node"
-msgstr "少なくとも1つのアセットまたはノードを選択します。"
-
-#: tickets/serializers/ticket/meta/ticket_type/apply_asset.py:23
-msgid "Apply nodes"
-msgstr "ノードの適用"
-
-#: tickets/serializers/ticket/meta/ticket_type/apply_asset.py:27
-msgid "Apply nodes display"
-msgstr "Apply nodes display"
-
-#: tickets/serializers/ticket/meta/ticket_type/apply_asset.py:32
-msgid "Apply assets"
-msgstr "資産の適用"
-
-#: tickets/serializers/ticket/meta/ticket_type/apply_asset.py:36
-#: tickets/serializers/ticket/meta/ticket_type/apply_asset.py:45
-#: tickets/serializers/ticket/meta/ticket_type/apply_asset.py:53
-msgid "Apply assets display"
-msgstr "アセット表示の適用"
-
-#: tickets/serializers/ticket/meta/ticket_type/command_confirm.py:12
-msgid "Run user"
-msgstr "ユーザーの実行"
-
-#: tickets/serializers/ticket/meta/ticket_type/command_confirm.py:13
-msgid "Run asset"
-msgstr "アセットの実行"
-
-#: tickets/serializers/ticket/meta/ticket_type/command_confirm.py:15
-msgid "Run system user"
-msgstr "システムユーザーの実行"
-
-#: tickets/serializers/ticket/meta/ticket_type/command_confirm.py:17
-msgid "Run command"
-msgstr "実行コマンド"
-
-#: tickets/serializers/ticket/meta/ticket_type/command_confirm.py:18
-msgid "From session"
-msgstr "セッションから"
-
-#: tickets/serializers/ticket/meta/ticket_type/command_confirm.py:20
-msgid "From cmd filter rule"
-msgstr "コマンドフィルタ規則から"
-
-#: tickets/serializers/ticket/meta/ticket_type/command_confirm.py:22
-msgid "From cmd filter"
-msgstr "コマンドフィルタ規則から"
-
-#: tickets/serializers/ticket/meta/ticket_type/common.py:11
-#: tickets/serializers/ticket/ticket.py:123
+#: tickets/serializers/ticket/common.py:16
+#: tickets/serializers/ticket/common.py:68
 msgid "Created by ticket ({}-{})"
 msgstr "チケットで作成 ({}-{})"
 
-#: tickets/serializers/ticket/meta/ticket_type/login_asset_confirm.py:13
-msgid "Login user"
-msgstr "ログインユーザー"
+#: tickets/serializers/ticket/common.py:58
+msgid "The expiration date should be greater than the start date"
+msgstr "有効期限は開始日より大きくする必要があります"
 
-#: tickets/serializers/ticket/meta/ticket_type/login_asset_confirm.py:14
-msgid "Login asset"
-msgstr "ログイン資産"
+#: tickets/serializers/ticket/common.py:74
+msgid "Permission named `{}` already exists"
+msgstr "'{}'という名前の権限は既に存在します"
 
-#: tickets/serializers/ticket/meta/ticket_type/login_asset_confirm.py:16
-msgid "Login system user"
-msgstr "ログインシステムユーザー"
-
-#: tickets/serializers/ticket/meta/ticket_type/login_confirm.py:20
-msgid "Login datetime"
-msgstr "ログイン日時"
-
-#: tickets/serializers/ticket/ticket.py:95
-msgid ""
-"The `type` in the submission data (`{}`) is different from the type in the "
-"request url (`{}`)"
-msgstr ""
-"送信データ ('{}') の「タイプ」は、リクエストURL ('{}') のタイプとは異なりま"
-"す。"
-
-#: tickets/serializers/ticket/ticket.py:116
+#: tickets/serializers/ticket/ticket.py:76
 msgid "The ticket flow `{}` does not exist"
 msgstr "チケットフロー '{}'が存在しない"
 
-#: tickets/serializers/ticket/ticket.py:143
-msgid "Assignees display"
-msgstr "受付者名"
-
-#: tickets/serializers/ticket/ticket.py:167
-msgid "Please select the Assignees"
-msgstr "受付をお選びください"
-
-#: tickets/serializers/ticket/ticket.py:193
-msgid "The current organization type already exists"
-msgstr "現在の組織タイプは既に存在します。"
-
-#: tickets/templates/tickets/_base_ticket_body.html:17
-msgid "Click here to review"
-msgstr "こちらをクリックしてご覧ください"
-
-#: tickets/templates/tickets/_msg_ticket.html:12
+#: tickets/templates/tickets/_msg_ticket.html:20
 msgid "View details"
 msgstr "詳細の表示"
 
-#: tickets/templates/tickets/_msg_ticket.html:17
+#: tickets/templates/tickets/_msg_ticket.html:25
 msgid "Direct approval"
 msgstr "直接承認"
 
@@ -5532,16 +5416,16 @@ msgstr "直接承認"
 msgid "Ticket information"
 msgstr "作業指示情報"
 
-#: tickets/templates/tickets/approve_check_password.html:19
+#: tickets/templates/tickets/approve_check_password.html:29
 #: tickets/views/approve.py:25
 msgid "Ticket approval"
 msgstr "作業指示の承認"
 
-#: tickets/templates/tickets/approve_check_password.html:35
+#: tickets/templates/tickets/approve_check_password.html:45
 msgid "Approval"
 msgstr "承認"
 
-#: tickets/templates/tickets/approve_check_password.html:44
+#: tickets/templates/tickets/approve_check_password.html:54
 msgid "Go Login"
 msgstr "ログイン"
 
diff --git a/apps/locale/zh/LC_MESSAGES/django.mo b/apps/locale/zh/LC_MESSAGES/django.mo
index 5bafa0526..61e856ed9 100644
--- a/apps/locale/zh/LC_MESSAGES/django.mo
+++ b/apps/locale/zh/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:002f6953ebbe368642f0ea3c383f617b5f998edf2238341be63393123d4be8a9
-size 105894
+oid sha256:441fff7ae0f44b24707348210678fe723299bf5abba943ea7080ba4a789a0801
+size 103826
diff --git a/apps/locale/zh/LC_MESSAGES/django.po b/apps/locale/zh/LC_MESSAGES/django.po
index 37617c5aa..c0de09c2a 100644
--- a/apps/locale/zh/LC_MESSAGES/django.po
+++ b/apps/locale/zh/LC_MESSAGES/django.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: JumpServer 0.3.3\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-06-16 11:12+0800\n"
+"POT-Creation-Date: 2022-06-29 18:09+0800\n"
 "PO-Revision-Date: 2021-05-20 10:54+0800\n"
 "Last-Translator: ibuler <ibuler@qq.com>\n"
 "Language-Team: JumpServer team<ibuler@qq.com>\n"
@@ -28,8 +28,8 @@ msgstr "访问控制"
 #: assets/models/group.py:20 assets/models/label.py:18 ops/mixin.py:24
 #: orgs/models.py:65 perms/models/base.py:83 rbac/models/role.py:29
 #: settings/models.py:29 settings/serializers/sms.py:6
-#: terminal/models/endpoint.py:10 terminal/models/endpoint.py:59
-#: terminal/models/storage.py:25 terminal/models/task.py:16
+#: terminal/models/endpoint.py:10 terminal/models/endpoint.py:82
+#: terminal/models/storage.py:26 terminal/models/task.py:16
 #: terminal/models/terminal.py:100 users/forms/profile.py:33
 #: users/models/group.py:15 users/models/user.py:661
 #: xpack/plugins/cloud/models.py:28
@@ -37,18 +37,18 @@ msgid "Name"
 msgstr "名称"
 
 #: acls/models/base.py:27 assets/models/cmd_filter.py:84
-#: assets/models/user.py:251 terminal/models/endpoint.py:62
+#: assets/models/user.py:251 terminal/models/endpoint.py:85
 msgid "Priority"
 msgstr "优先级"
 
 #: acls/models/base.py:28 assets/models/cmd_filter.py:84
-#: assets/models/user.py:251 terminal/models/endpoint.py:63
+#: assets/models/user.py:251 terminal/models/endpoint.py:86
 msgid "1-100, the lower the value will be match first"
 msgstr "优先级可选范围为 1-100 (数值越小越优先)"
 
 #: acls/models/base.py:31 authentication/models.py:18
 #: authentication/templates/authentication/_access_key_modal.html:32
-#: perms/models/base.py:88 terminal/models/sharing.py:26
+#: perms/models/base.py:88 terminal/models/sharing.py:26 tickets/const.py:39
 msgid "Active"
 msgstr "激活中"
 
@@ -60,9 +60,9 @@ msgstr "激活中"
 #: assets/models/domain.py:64 assets/models/group.py:23
 #: assets/models/label.py:23 ops/models/adhoc.py:38 orgs/models.py:68
 #: perms/models/base.py:93 rbac/models/role.py:37 settings/models.py:34
-#: terminal/models/endpoint.py:21 terminal/models/endpoint.py:69
-#: terminal/models/storage.py:28 terminal/models/terminal.py:114
-#: tickets/models/comment.py:24 tickets/models/ticket.py:154
+#: terminal/models/endpoint.py:21 terminal/models/endpoint.py:92
+#: terminal/models/storage.py:29 terminal/models/terminal.py:114
+#: tickets/models/comment.py:32 tickets/models/ticket/general.py:277
 #: users/models/group.py:16 users/models/user.py:698
 #: xpack/plugins/change_auth_plan/models/base.py:44
 #: xpack/plugins/cloud/models.py:35 xpack/plugins/cloud/models.py:116
@@ -70,8 +70,8 @@ msgstr "激活中"
 msgid "Comment"
 msgstr "备注"
 
-#: acls/models/login_acl.py:18 tickets/const.py:38
-#: tickets/templates/tickets/approve_check_password.html:39
+#: acls/models/login_acl.py:18 tickets/const.py:47
+#: tickets/templates/tickets/approve_check_password.html:49
 msgid "Reject"
 msgstr "拒绝"
 
@@ -79,7 +79,7 @@ msgstr "拒绝"
 msgid "Allow"
 msgstr "允许"
 
-#: acls/models/login_acl.py:20 acls/models/login_acl.py:117
+#: acls/models/login_acl.py:20 acls/models/login_acl.py:104
 #: acls/models/login_asset_acl.py:17 tickets/const.py:9
 msgid "Login confirm"
 msgstr "登录复核"
@@ -92,7 +92,7 @@ msgstr "登录复核"
 #: terminal/backends/command/models.py:20
 #: terminal/backends/command/serializers.py:12 terminal/models/session.py:44
 #: terminal/notifications.py:91 terminal/notifications.py:139
-#: tickets/models/comment.py:17 users/const.py:14 users/models/user.py:888
+#: tickets/models/comment.py:21 users/const.py:14 users/models/user.py:888
 #: users/models/user.py:919 users/serializers/group.py:19
 msgid "User"
 msgstr "用户"
@@ -142,7 +142,7 @@ msgstr "资产"
 msgid "Login asset acl"
 msgstr "登录资产访问控制"
 
-#: acls/models/login_asset_acl.py:90 tickets/const.py:12
+#: acls/models/login_asset_acl.py:89 tickets/const.py:12
 msgid "Login asset confirm"
 msgstr "登录资产复核"
 
@@ -181,7 +181,7 @@ msgstr ""
 #: authentication/templates/authentication/_msg_oauth_bind.html:12
 #: authentication/templates/authentication/_msg_rest_password_success.html:8
 #: authentication/templates/authentication/_msg_rest_public_key_success.html:8
-#: settings/serializers/terminal.py:8 terminal/serializers/endpoint.py:38
+#: settings/serializers/terminal.py:8 terminal/serializers/endpoint.py:42
 msgid "IP"
 msgstr "IP"
 
@@ -208,7 +208,7 @@ msgid "Unsupported protocols: {}"
 msgstr "不支持的协议: {}"
 
 #: acls/serializers/login_asset_acl.py:98
-#: tickets/serializers/ticket/ticket.py:105
+#: tickets/serializers/ticket/ticket.py:65
 msgid "The organization `{}` does not exist"
 msgstr "组织 `{}` 不存在"
 
@@ -291,7 +291,7 @@ msgstr "可以查看应用账号密码"
 #: applications/serializers/application.py:99 assets/models/label.py:21
 #: perms/models/application_permission.py:21
 #: perms/serializers/application/user_permission.py:33
-#: tickets/serializers/ticket/meta/ticket_type/apply_application.py:22
+#: tickets/models/ticket/apply_application.py:14
 #: xpack/plugins/change_auth_plan/models/app.py:25
 msgid "Category"
 msgstr "类别"
@@ -301,9 +301,10 @@ msgstr "类别"
 #: assets/models/cmd_filter.py:82 assets/models/user.py:250
 #: perms/models/application_permission.py:24
 #: perms/serializers/application/user_permission.py:34
-#: terminal/models/storage.py:57 terminal/models/storage.py:141
-#: tickets/models/flow.py:56 tickets/models/ticket.py:131
-#: tickets/serializers/ticket/meta/ticket_type/apply_application.py:29
+#: terminal/models/storage.py:58 terminal/models/storage.py:142
+#: tickets/models/comment.py:26 tickets/models/flow.py:57
+#: tickets/models/ticket/apply_application.py:17
+#: tickets/models/ticket/general.py:262
 #: xpack/plugins/change_auth_plan/models/app.py:28
 #: xpack/plugins/change_auth_plan/models/app.py:153
 msgid "Type"
@@ -330,7 +331,6 @@ msgstr "应用用户"
 #: applications/serializers/application.py:70
 #: applications/serializers/application.py:100 assets/serializers/label.py:13
 #: perms/serializers/application/permission.py:18
-#: tickets/serializers/ticket/meta/ticket_type/apply_application.py:26
 msgid "Category display"
 msgstr "类别名称"
 
@@ -338,9 +338,7 @@ msgstr "类别名称"
 #: applications/serializers/application.py:102
 #: assets/serializers/cmd_filter.py:34 assets/serializers/system_user.py:34
 #: audits/serializers.py:29 perms/serializers/application/permission.py:19
-#: tickets/serializers/ticket/meta/ticket_type/apply_application.py:33
-#: tickets/serializers/ticket/ticket.py:21
-#: tickets/serializers/ticket/ticket.py:173
+#: tickets/serializers/flow.py:48 tickets/serializers/ticket/ticket.py:16
 msgid "Type display"
 msgstr "类型名称"
 
@@ -349,7 +347,7 @@ msgstr "类型名称"
 #: assets/models/domain.py:26 assets/models/gathered_user.py:19
 #: assets/models/group.py:22 assets/models/label.py:25
 #: assets/serializers/account.py:18 assets/serializers/cmd_filter.py:28
-#: assets/serializers/cmd_filter.py:48 common/db/models.py:113
+#: assets/serializers/cmd_filter.py:48 common/db/models.py:114
 #: common/mixins/models.py:50 ops/models/adhoc.py:39 ops/models/command.py:30
 #: orgs/models.py:67 orgs/models.py:217 perms/models/base.py:92
 #: users/models/group.py:18 users/models/user.py:920
@@ -360,7 +358,7 @@ msgstr "创建日期"
 #: applications/serializers/application.py:104 assets/models/base.py:182
 #: assets/models/gathered_user.py:20 assets/serializers/account.py:21
 #: assets/serializers/cmd_filter.py:29 assets/serializers/cmd_filter.py:49
-#: common/db/models.py:114 common/mixins/models.py:51 ops/models/adhoc.py:40
+#: common/db/models.py:115 common/mixins/models.py:51 ops/models/adhoc.py:40
 #: orgs/models.py:218
 msgid "Date updated"
 msgstr "更新日期"
@@ -496,7 +494,7 @@ msgid "Charset"
 msgstr "编码"
 
 #: assets/models/asset.py:141 assets/serializers/asset.py:176
-#: tickets/models/ticket.py:133
+#: tickets/models/ticket/general.py:287
 msgid "Meta"
 msgstr "元数据"
 
@@ -518,7 +516,7 @@ msgstr "制造商"
 msgid "Model"
 msgstr "型号"
 
-#: assets/models/asset.py:170 tickets/models/ticket.py:159
+#: assets/models/asset.py:170 tickets/models/ticket/general.py:285
 msgid "Serial number"
 msgstr "序列号"
 
@@ -604,7 +602,7 @@ msgstr "标签管理"
 #: assets/models/asset.py:229 assets/models/base.py:183
 #: assets/models/cluster.py:28 assets/models/cmd_filter.py:52
 #: assets/models/cmd_filter.py:99 assets/models/group.py:21
-#: common/db/models.py:111 common/mixins/models.py:49 orgs/models.py:66
+#: common/db/models.py:112 common/mixins/models.py:49 orgs/models.py:66
 #: orgs/models.py:219 perms/models/base.py:91 users/models/user.py:706
 #: users/serializers/group.py:33
 #: xpack/plugins/change_auth_plan/models/base.py:48
@@ -680,8 +678,8 @@ msgstr "定时触发"
 
 #: assets/models/backup.py:105 audits/models.py:44 ops/models/command.py:31
 #: perms/models/base.py:89 terminal/models/session.py:58
-#: tickets/serializers/ticket/meta/ticket_type/apply_application.py:55
-#: tickets/serializers/ticket/meta/ticket_type/apply_asset.py:57
+#: tickets/models/ticket/apply_application.py:25
+#: tickets/models/ticket/apply_asset.py:23
 #: xpack/plugins/change_auth_plan/models/base.py:112
 #: xpack/plugins/change_auth_plan/models/base.py:203
 #: xpack/plugins/gathered_user/models.py:76
@@ -757,7 +755,7 @@ msgstr "校验日期"
 #: assets/models/base.py:177 assets/serializers/base.py:15
 #: assets/serializers/base.py:37 assets/serializers/system_user.py:29
 #: audits/signal_handlers.py:50 authentication/forms.py:32
-#: authentication/templates/authentication/login.html:182
+#: authentication/templates/authentication/login.html:228
 #: settings/serializers/auth/ldap.py:25 settings/serializers/auth/ldap.py:46
 #: users/forms/profile.py:22 users/serializers/user.py:92
 #: users/templates/users/_msg_user_created.html:13
@@ -1064,7 +1062,7 @@ msgstr ""
 "{} - 账号备份任务已完成: 未设置加密密码 - 请前往个人信息 -> 文件加密密码中设"
 "置加密密码"
 
-#: assets/serializers/account.py:36 assets/serializers/account.py:79
+#: assets/serializers/account.py:36 assets/serializers/account.py:87
 msgid "System user display"
 msgstr "系统用户名称"
 
@@ -1105,6 +1103,7 @@ msgstr "CPU信息"
 #: perms/serializers/application/permission.py:42
 #: perms/serializers/asset/permission.py:18
 #: perms/serializers/asset/permission.py:46
+#: tickets/models/ticket/apply_asset.py:21
 msgid "Actions"
 msgstr "动作"
 
@@ -1477,14 +1476,13 @@ msgstr "-"
 msgid "Login type"
 msgstr "登录方式"
 
-#: audits/models.py:123
-#: tickets/serializers/ticket/meta/ticket_type/login_confirm.py:14
+#: audits/models.py:123 tickets/models/ticket/login_confirm.py:10
 msgid "Login ip"
 msgstr "登录IP"
 
 #: audits/models.py:124
 #: authentication/templates/authentication/_msg_different_city.html:11
-#: tickets/serializers/ticket/meta/ticket_type/login_confirm.py:17
+#: tickets/models/ticket/login_confirm.py:11
 msgid "Login city"
 msgstr "登录城市"
 
@@ -1500,7 +1498,7 @@ msgid "MFA"
 msgstr "MFA"
 
 #: audits/models.py:128 terminal/models/status.py:33
-#: tickets/models/ticket.py:140 xpack/plugins/cloud/models.py:175
+#: tickets/models/ticket/general.py:270 xpack/plugins/cloud/models.py:175
 #: xpack/plugins/cloud/models.py:227
 msgid "Status"
 msgstr "状态"
@@ -1521,7 +1519,7 @@ msgstr "用户登录日志"
 msgid "Operate display"
 msgstr "操作名称"
 
-#: audits/serializers.py:30 tickets/serializers/ticket/ticket.py:22
+#: audits/serializers.py:30 tickets/serializers/ticket/ticket.py:17
 msgid "Status display"
 msgstr "状态名称"
 
@@ -1571,13 +1569,13 @@ msgid "Auth Token"
 msgstr "认证令牌"
 
 #: audits/signal_handlers.py:53 authentication/notifications.py:73
-#: authentication/views/login.py:164 authentication/views/wecom.py:177
+#: authentication/views/login.py:163 authentication/views/wecom.py:177
 #: notifications/backends/__init__.py:11 users/models/user.py:720
 msgid "WeCom"
 msgstr "企业微信"
 
 #: audits/signal_handlers.py:54 authentication/views/dingtalk.py:179
-#: authentication/views/login.py:170 notifications/backends/__init__.py:12
+#: authentication/views/login.py:169 notifications/backends/__init__.py:12
 #: users/models/user.py:721
 msgid "DingTalk"
 msgstr "钉钉"
@@ -2090,9 +2088,8 @@ msgid "Verified"
 msgstr "已校验"
 
 #: authentication/models.py:73 perms/models/base.py:90
-#: tickets/serializers/ticket/meta/ticket_type/apply_application.py:58
-#: tickets/serializers/ticket/meta/ticket_type/apply_asset.py:60
-#: users/models/user.py:703
+#: tickets/models/ticket/apply_application.py:26
+#: tickets/models/ticket/apply_asset.py:24 users/models/user.py:703
 msgid "Date expired"
 msgstr "失效日期"
 
@@ -2162,7 +2159,7 @@ msgstr "删除成功"
 
 #: authentication/templates/authentication/_access_key_modal.html:155
 #: authentication/templates/authentication/_mfa_confirm_modal.html:53
-#: templates/_modal.html:22 tickets/const.py:36
+#: templates/_modal.html:22 tickets/const.py:45
 msgid "Close"
 msgstr "关闭"
 
@@ -2201,7 +2198,7 @@ msgstr "代码错误"
 #: jumpserver/conf.py:305 ops/tasks.py:145 ops/tasks.py:148
 #: perms/templates/perms/_msg_item_permissions_expire.html:3
 #: perms/templates/perms/_msg_permed_items_expire.html:3
-#: tickets/templates/tickets/approve_check_password.html:23
+#: tickets/templates/tickets/approve_check_password.html:33
 #: users/templates/users/_msg_account_expire_reminder.html:4
 #: users/templates/users/_msg_password_expire_reminder.html:4
 #: users/templates/users/_msg_reset_mfa.html:4
@@ -2281,22 +2278,22 @@ msgid ""
 "security issues"
 msgstr "如果这次公钥更新不是由你发起的，那么你的账号可能存在安全问题"
 
-#: authentication/templates/authentication/login.html:174
+#: authentication/templates/authentication/login.html:221
 msgid "Welcome back, please enter username and password to login"
 msgstr "欢迎回来，请输入用户名和密码登录"
 
-#: authentication/templates/authentication/login.html:210
+#: authentication/templates/authentication/login.html:256
 #: users/templates/users/forgot_password.html:15
 #: users/templates/users/forgot_password.html:16
 msgid "Forgot password"
 msgstr "忘记密码"
 
-#: authentication/templates/authentication/login.html:217
+#: authentication/templates/authentication/login.html:264
 #: templates/_header_bar.html:89
 msgid "Login"
 msgstr "登录"
 
-#: authentication/templates/authentication/login.html:224
+#: authentication/templates/authentication/login.html:271
 msgid "More login options"
 msgstr "其他方式登录"
 
@@ -2394,7 +2391,7 @@ msgstr "飞书查询用户失败"
 msgid "The FeiShu is already bound to another user"
 msgstr "该飞书已经绑定其他用户"
 
-#: authentication/views/feishu.py:143 authentication/views/login.py:176
+#: authentication/views/feishu.py:143 authentication/views/login.py:175
 #: notifications/backends/__init__.py:14 users/models/user.py:722
 msgid "FeiShu"
 msgstr "飞书"
@@ -2415,19 +2412,19 @@ msgstr "没有绑定飞书"
 msgid "Please login with a password and then bind the FeiShu"
 msgstr "请使用密码登录，然后绑定飞书"
 
-#: authentication/views/login.py:70
+#: authentication/views/login.py:69
 msgid "Redirecting"
 msgstr "跳转中"
 
-#: authentication/views/login.py:71
+#: authentication/views/login.py:70
 msgid "Redirecting to {} authentication"
 msgstr "正在跳转到 {} 认证"
 
-#: authentication/views/login.py:94
+#: authentication/views/login.py:93
 msgid "Please enable cookies and try again."
 msgstr "设置你的浏览器支持cookie"
 
-#: authentication/views/login.py:263
+#: authentication/views/login.py:300
 msgid ""
 "Wait for <b>{}</b> confirm, You also can copy link to her/him <br/>\n"
 "                  Don't close this page"
@@ -2435,15 +2432,15 @@ msgstr ""
 "等待 <b>{}</b> 确认, 你也可以复制链接发给他/她 <br/>\n"
 "                  不要关闭本页面"
 
-#: authentication/views/login.py:268
+#: authentication/views/login.py:305
 msgid "No ticket found"
 msgstr "没有发现工单"
 
-#: authentication/views/login.py:302
+#: authentication/views/login.py:339
 msgid "Logout success"
 msgstr "退出登录成功"
 
-#: authentication/views/login.py:303
+#: authentication/views/login.py:340
 msgid "Logout success, return login page"
 msgstr "退出登录成功，返回到登录页面"
 
@@ -2493,7 +2490,7 @@ msgstr "%(name)s 创建成功"
 msgid "%(name)s was updated successfully"
 msgstr "%(name)s 更新成功"
 
-#: common/db/encoder.py:17
+#: common/db/encoder.py:10
 msgid "ugettext_lazy"
 msgstr "ugettext_lazy"
 
@@ -2525,7 +2522,7 @@ msgstr "编码数据为 text"
 msgid "Encrypt field using Secret Key"
 msgstr "加密的字段"
 
-#: common/db/models.py:112
+#: common/db/models.py:113
 msgid "Updated by"
 msgstr "更新人"
 
@@ -2911,7 +2908,7 @@ msgstr "组织管理"
 #: orgs/mixins/models.py:46 orgs/mixins/serializers.py:25 orgs/models.py:80
 #: orgs/models.py:211 rbac/const.py:7 rbac/models/rolebinding.py:48
 #: rbac/serializers/rolebinding.py:40 settings/serializers/auth/ldap.py:62
-#: tickets/serializers/ticket/ticket.py:77
+#: tickets/models/ticket/general.py:289 tickets/serializers/ticket/ticket.py:51
 msgid "Organization"
 msgstr "组织"
 
@@ -3316,7 +3313,7 @@ msgstr "我的应用"
 msgid "Ticket comment"
 msgstr "工单评论"
 
-#: rbac/tree.py:117 tickets/models/ticket.py:163
+#: rbac/tree.py:117 tickets/models/ticket/general.py:294
 msgid "Ticket"
 msgstr "工单管理"
 
@@ -4497,7 +4494,7 @@ msgstr "验证码已发送"
 msgid "Home page"
 msgstr "首页"
 
-#: templates/flash_message_standalone.html:25
+#: templates/flash_message_standalone.html:25 tickets/const.py:20
 msgid "Cancel"
 msgstr "取消"
 
@@ -4541,7 +4538,7 @@ msgstr "Jmservisor 是在 windows 远程应用发布服务器中用来拉起远
 msgid "Filters"
 msgstr "过滤"
 
-#: terminal/api/endpoint.py:63
+#: terminal/api/endpoint.py:26
 msgid "Not found protocol query params"
 msgstr ""
 
@@ -4629,6 +4626,7 @@ msgstr "输出"
 #: terminal/backends/command/models.py:25 terminal/models/replay.py:9
 #: terminal/models/sharing.py:17 terminal/models/sharing.py:64
 #: terminal/templates/terminal/_msg_command_alert.html:10
+#: tickets/models/ticket/command_confirm.py:23
 msgid "Session"
 msgstr "会话"
 
@@ -4713,18 +4711,18 @@ msgstr "PostgreSQL 端口"
 msgid "Redis Port"
 msgstr "Redis 端口"
 
-#: terminal/models/endpoint.py:26 terminal/models/endpoint.py:67
-#: terminal/serializers/endpoint.py:41 terminal/serializers/storage.py:38
+#: terminal/models/endpoint.py:26 terminal/models/endpoint.py:90
+#: terminal/serializers/endpoint.py:45 terminal/serializers/storage.py:38
 #: terminal/serializers/storage.py:50 terminal/serializers/storage.py:80
 #: terminal/serializers/storage.py:90 terminal/serializers/storage.py:98
 msgid "Endpoint"
 msgstr "端点"
 
-#: terminal/models/endpoint.py:60
+#: terminal/models/endpoint.py:83
 msgid "IP group"
 msgstr "IP 组"
 
-#: terminal/models/endpoint.py:72
+#: terminal/models/endpoint.py:95
 msgid "Endpoint rule"
 msgstr "端点规则"
 
@@ -4752,23 +4750,23 @@ msgstr "回放"
 msgid "Date end"
 msgstr "结束日期"
 
-#: terminal/models/session.py:251
+#: terminal/models/session.py:255
 msgid "Session record"
 msgstr "会话记录"
 
-#: terminal/models/session.py:253
+#: terminal/models/session.py:257
 msgid "Can monitor session"
 msgstr "可以监控会话"
 
-#: terminal/models/session.py:254
+#: terminal/models/session.py:258
 msgid "Can share session"
 msgstr "可以分享会话"
 
-#: terminal/models/session.py:255
+#: terminal/models/session.py:259
 msgid "Can terminate session"
 msgstr "可以终断会话"
 
-#: terminal/models/session.py:256
+#: terminal/models/session.py:260
 msgid "Can validate session action perm"
 msgstr "可以验证会话动作权限"
 
@@ -4812,7 +4810,7 @@ msgstr "加入日期"
 msgid "Date left"
 msgstr "结束日期"
 
-#: terminal/models/sharing.py:97
+#: terminal/models/sharing.py:97 tickets/const.py:26
 #: xpack/plugins/change_auth_plan/models/base.py:192
 msgid "Finished"
 msgstr "结束"
@@ -4853,15 +4851,15 @@ msgstr "线程数"
 msgid "Boot Time"
 msgstr "运行时间"
 
-#: terminal/models/storage.py:27
+#: terminal/models/storage.py:28
 msgid "Default storage"
 msgstr "默认存储"
 
-#: terminal/models/storage.py:135 terminal/models/terminal.py:108
+#: terminal/models/storage.py:136 terminal/models/terminal.py:108
 msgid "Command storage"
 msgstr "命令存储"
 
-#: terminal/models/storage.py:195 terminal/models/terminal.py:109
+#: terminal/models/storage.py:196 terminal/models/terminal.py:109
 msgid "Replay storage"
 msgstr "录像存储"
 
@@ -4901,6 +4899,11 @@ msgstr "级别"
 msgid "Batch danger command alert"
 msgstr "批量危险命令告警"
 
+#: terminal/serializers/endpoint.py:39
+msgid ""
+"If asset IP addresses under different endpoints conflict, use asset labels"
+msgstr "如果不同端点下的资产 IP 有冲突，使用资产标签实现"
+
 #: terminal/serializers/session.py:31
 msgid "User ID"
 msgstr "用户 ID"
@@ -5031,51 +5034,57 @@ msgstr "申请资产"
 msgid "Apply for application"
 msgstr "申请应用"
 
-#: tickets/const.py:17 tickets/const.py:30 tickets/const.py:35
+#: tickets/const.py:17 tickets/const.py:25 tickets/const.py:44
 msgid "Open"
 msgstr "打开"
 
-#: tickets/const.py:18 tickets/const.py:25
+#: tickets/const.py:18 tickets/const.py:31
 msgid "Approved"
 msgstr "已同意"
 
-#: tickets/const.py:19 tickets/const.py:26
+#: tickets/const.py:19 tickets/const.py:32
 msgid "Rejected"
 msgstr "已拒绝"
 
-#: tickets/const.py:20 tickets/const.py:31
+#: tickets/const.py:21 tickets/const.py:34
+msgid "Reopen"
+msgstr ""
+
+#: tickets/const.py:30 tickets/const.py:38
+#, fuzzy
+#| msgid "Role binding"
+msgid "Pending"
+msgstr "角色绑定"
+
+#: tickets/const.py:33 tickets/const.py:40
 msgid "Closed"
 msgstr "关闭的"
 
-#: tickets/const.py:24
-msgid "Notified"
-msgstr "已通知"
-
-#: tickets/const.py:37
+#: tickets/const.py:46
 msgid "Approve"
 msgstr "同意"
 
-#: tickets/const.py:42
+#: tickets/const.py:51
 msgid "One level"
 msgstr "1 级"
 
-#: tickets/const.py:43
+#: tickets/const.py:52
 msgid "Two level"
 msgstr "2 级"
 
-#: tickets/const.py:47
+#: tickets/const.py:56
 msgid "Super admin"
 msgstr "超级管理员"
 
-#: tickets/const.py:48
+#: tickets/const.py:57
 msgid "Org admin"
 msgstr "组织管理员"
 
-#: tickets/const.py:49
+#: tickets/const.py:58
 msgid "Super admin and org admin"
 msgstr "组织管理员或超级管理员"
 
-#: tickets/const.py:50
+#: tickets/const.py:59
 msgid "Custom user"
 msgstr "自定义用户"
 
@@ -5083,166 +5092,71 @@ msgstr "自定义用户"
 msgid "Ticket already closed"
 msgstr "工单已经关闭"
 
-#: tickets/handler/apply_application.py:53
-msgid "Applied category"
-msgstr "申请的类别"
-
-#: tickets/handler/apply_application.py:54
-msgid "Applied type"
-msgstr "申请的类型"
-
-#: tickets/handler/apply_application.py:55
-msgid "Applied application group"
-msgstr "申请的应用组"
-
-#: tickets/handler/apply_application.py:56 tickets/handler/apply_asset.py:52
-msgid "Applied system user group"
-msgstr "申请的系统用户组"
-
-#: tickets/handler/apply_application.py:57 tickets/handler/apply_asset.py:54
-msgid "Applied date start"
-msgstr "申请的开始日期"
-
-#: tickets/handler/apply_application.py:58 tickets/handler/apply_asset.py:55
-msgid "Applied date expired"
-msgstr "申请的失效日期"
-
-#: tickets/handler/apply_application.py:80
+#: tickets/handlers/apply_application.py:35
 msgid ""
 "Created by the ticket, ticket title: {}, ticket applicant: {}, ticket "
 "processor: {}, ticket ID: {}"
 msgstr ""
 "通过工单创建, 工单标题: {}, 工单申请人: {}, 工单处理人: {}, 工单 ID: {}"
 
-#: tickets/handler/apply_asset.py:50
-msgid "Applied node group"
-msgstr "申请的节点名称组"
-
-#: tickets/handler/apply_asset.py:51
-msgid "Applied hostname group"
-msgstr "申请的主机名称组"
-
-#: tickets/handler/apply_asset.py:53
-msgid "Applied actions"
-msgstr "申请的动作"
-
-#: tickets/handler/apply_asset.py:77
+#: tickets/handlers/apply_asset.py:35
 msgid ""
 "Created by the ticket ticket title: {} ticket applicant: {} ticket "
 "processor: {} ticket ID: {}"
 msgstr ""
 "通过工单创建, 工单标题: {}, 工单申请人: {}, 工单处理人: {}, 工单 ID: {}"
 
-#: tickets/handler/base.py:88
+#: tickets/handlers/base.py:75
 msgid "{} {} the ticket"
 msgstr "{} {} 工单"
 
-#: tickets/handler/base.py:116
-msgid "Ticket title"
-msgstr "工单标题"
-
-#: tickets/handler/base.py:117
-msgid "Ticket type"
-msgstr "工单类型"
-
-#: tickets/handler/base.py:118
-msgid "Ticket status"
-msgstr "工单状态"
-
-#: tickets/handler/base.py:119
-msgid "Ticket applicant"
-msgstr "工单申请人"
-
-#: tickets/handler/base.py:121
-msgid "Ticket basic info"
-msgstr "工单基本信息"
-
-#: tickets/handler/base.py:132
-msgid "No content"
-msgstr "无内容"
-
-#: tickets/handler/base.py:134
-msgid "Ticket applied info"
-msgstr "工单申请信息"
-
-#: tickets/handler/command_confirm.py:25
-msgid "Applied run user"
-msgstr "申请运行的用户"
-
-#: tickets/handler/command_confirm.py:26
-msgid "Applied run asset"
-msgstr "申请运行的资产"
-
-#: tickets/handler/command_confirm.py:27
-msgid "Applied run system user"
-msgstr "申请运行的系统用户"
-
-#: tickets/handler/command_confirm.py:28
-msgid "Applied run command"
-msgstr "申请运行的命令"
-
-#: tickets/handler/command_confirm.py:29
-msgid "Applied from session"
-msgstr "申请来自会话"
-
-#: tickets/handler/command_confirm.py:30
-msgid "Applied from command filter rules"
-msgstr "申请来自命令过滤规则"
-
-#: tickets/handler/command_confirm.py:31
-msgid "Applied from command filter"
-msgstr "申请来自命令过滤规则"
-
-#: tickets/handler/login_asset_confirm.py:17
-msgid "Applied login user"
-msgstr "申请登录的用户"
-
-#: tickets/handler/login_asset_confirm.py:18
-msgid "Applied login asset"
-msgstr "申请登录的资产"
-
-#: tickets/handler/login_asset_confirm.py:19
-msgid "Applied login system user"
-msgstr "申请登录的系统用户"
-
-#: tickets/handler/login_confirm.py:17
+#: tickets/handlers/login_confirm.py:18
 msgid "Applied login IP"
 msgstr "申请登录的IP"
 
-#: tickets/handler/login_confirm.py:18
+#: tickets/handlers/login_confirm.py:19
 msgid "Applied login city"
 msgstr "申请登录的城市"
 
-#: tickets/handler/login_confirm.py:19
+#: tickets/handlers/login_confirm.py:20
 msgid "Applied login datetime"
 msgstr "申请登录的日期"
 
-#: tickets/models/comment.py:19
+#: tickets/models/comment.py:13 tickets/models/ticket/general.py:38
+#: tickets/models/ticket/general.py:266
+msgid "State"
+msgstr "状态"
+
+#: tickets/models/comment.py:14
+msgid "common"
+msgstr ""
+
+#: tickets/models/comment.py:23
 msgid "User display name"
 msgstr "用户显示名称"
 
-#: tickets/models/comment.py:20
+#: tickets/models/comment.py:24
 msgid "Body"
 msgstr "内容"
 
-#: tickets/models/flow.py:19 tickets/models/flow.py:61
-#: tickets/models/ticket.py:30
+#: tickets/models/flow.py:20 tickets/models/flow.py:62
+#: tickets/models/ticket/general.py:34
 msgid "Approve level"
 msgstr "审批级别"
 
-#: tickets/models/flow.py:24 tickets/serializers/ticket/ticket.py:141
+#: tickets/models/flow.py:25 tickets/serializers/flow.py:14
 msgid "Approve strategy"
 msgstr "审批策略"
 
-#: tickets/models/flow.py:29 tickets/serializers/ticket/ticket.py:142
+#: tickets/models/flow.py:30 tickets/serializers/flow.py:15
 msgid "Assignees"
 msgstr "受理人"
 
-#: tickets/models/flow.py:33
+#: tickets/models/flow.py:34
 msgid "Ticket flow approval rule"
 msgstr "工单批准信息"
 
-#: tickets/models/flow.py:66
+#: tickets/models/flow.py:67
 msgid "Ticket flow"
 msgstr "工单流程"
 
@@ -5250,205 +5164,177 @@ msgstr "工单流程"
 msgid "Ticket session relation"
 msgstr "工单会话"
 
-#: tickets/models/ticket.py:35
+#: tickets/models/ticket/apply_application.py:11
+#: tickets/models/ticket/apply_asset.py:13
+msgid "Apply name"
+msgstr "应用名称"
+
+#: tickets/models/ticket/apply_application.py:20
+msgid "Apply applications"
+msgstr "申请应用"
+
+#: tickets/models/ticket/apply_application.py:23
+#: tickets/models/ticket/apply_asset.py:18
+msgid "Apply system users"
+msgstr "申请的系统用户"
+
+#: tickets/models/ticket/apply_asset.py:9
+#: tickets/serializers/ticket/apply_asset.py:15
+msgid "Select at least one asset or node"
+msgstr "资产或者节点至少选择一项"
+
+#: tickets/models/ticket/apply_asset.py:14
+msgid "Apply nodes"
+msgstr "申请节点"
+
+#: tickets/models/ticket/apply_asset.py:16
+msgid "Apply assets"
+msgstr "申请资产"
+
+#: tickets/models/ticket/command_confirm.py:10
+msgid "Run user"
+msgstr "运行的用户"
+
+#: tickets/models/ticket/command_confirm.py:14
+msgid "Run asset"
+msgstr "运行的资产"
+
+#: tickets/models/ticket/command_confirm.py:18
+msgid "Run system user"
+msgstr "运行的系统用户"
+
+#: tickets/models/ticket/command_confirm.py:20
+msgid "Run command"
+msgstr "运行的命令"
+
+#: tickets/models/ticket/command_confirm.py:27
+msgid "From cmd filter"
+msgstr "来自命令过滤规则"
+
+#: tickets/models/ticket/command_confirm.py:31
+msgid "From cmd filter rule"
+msgstr "来自命令过滤规则"
+
+#: tickets/models/ticket/general.py:69
 msgid "Ticket step"
 msgstr "工单步骤"
 
-#: tickets/models/ticket.py:46
+#: tickets/models/ticket/general.py:87
 msgid "Ticket assignee"
 msgstr "工单受理人"
 
-#: tickets/models/ticket.py:128
+#: tickets/models/ticket/general.py:259
 msgid "Title"
 msgstr "标题"
 
-#: tickets/models/ticket.py:136
-msgid "State"
-msgstr "状态"
-
-#: tickets/models/ticket.py:144
-msgid "Approval step"
-msgstr "审批步骤"
-
-#: tickets/models/ticket.py:149
+#: tickets/models/ticket/general.py:275
 msgid "Applicant"
 msgstr "申请人"
 
-#: tickets/models/ticket.py:151
-msgid "Applicant display"
-msgstr "申请人名称"
-
-#: tickets/models/ticket.py:152
-msgid "Process"
-msgstr "流程"
-
-#: tickets/models/ticket.py:157
+#: tickets/models/ticket/general.py:280
 msgid "TicketFlow"
 msgstr "工单流程"
 
-#: tickets/models/ticket.py:320
+#: tickets/models/ticket/general.py:283
+msgid "Approval step"
+msgstr "审批步骤"
+
+#: tickets/models/ticket/general.py:286
+#, fuzzy
+#| msgid "Change auth plan snapshot"
+msgid "Relation snapshot"
+msgstr "改密计划快照"
+
+#: tickets/models/ticket/general.py:378
 msgid "Please try again"
 msgstr "请再次尝试"
 
-#: tickets/models/ticket.py:328
+#: tickets/models/ticket/general.py:385
 msgid "Super ticket"
 msgstr "超级工单"
 
-#: tickets/notifications.py:72
-msgid "Your has a new ticket, applicant - {}"
+#: tickets/models/ticket/login_asset_confirm.py:12
+msgid "Login user"
+msgstr "登录用户"
+
+#: tickets/models/ticket/login_asset_confirm.py:16
+msgid "Login asset"
+msgstr "登录资产"
+
+#: tickets/models/ticket/login_asset_confirm.py:20
+msgid "Login system user"
+msgstr "登录系统用户"
+
+#: tickets/models/ticket/login_confirm.py:12
+msgid "Login datetime"
+msgstr "登录日期"
+
+#: tickets/notifications.py:64
+msgid "Ticket basic info"
+msgstr "工单基本信息"
+
+#: tickets/notifications.py:65
+msgid "Ticket applied info"
+msgstr "工单申请信息"
+
+#: tickets/notifications.py:116
+#, fuzzy
+#| msgid "Your has a new ticket, applicant - {}"
+msgid "Your has a new ticket"
 msgstr "你有一个新的工单, 申请人 - {}"
 
-#: tickets/notifications.py:78
-msgid "New Ticket - {} ({})"
+#: tickets/notifications.py:120
+#, fuzzy
+#| msgid "New Ticket - {} ({})"
+msgid "{}: New Ticket - {} ({})"
 msgstr "新工单 - {} ({})"
 
-#: tickets/notifications.py:123
+#: tickets/notifications.py:164
 msgid "Your ticket has been processed, processor - {}"
 msgstr "你的工单已被处理, 处理人 - {}"
 
-#: tickets/notifications.py:127
+#: tickets/notifications.py:168
 msgid "Ticket has processed - {} ({})"
 msgstr "你的工单已被处理, 处理人 - {} ({})"
 
+#: tickets/serializers/flow.py:16
+msgid "Assignees display"
+msgstr "受理人名称"
+
+#: tickets/serializers/flow.py:42
+msgid "Please select the Assignees"
+msgstr "请选择受理人"
+
+#: tickets/serializers/flow.py:68
+msgid "The current organization type already exists"
+msgstr "当前组织已存在该类型"
+
 #: tickets/serializers/super_ticket.py:11
 msgid "Processor"
 msgstr "处理人"
 
-#: tickets/serializers/ticket/meta/ticket_type/apply_application.py:18
-#: tickets/serializers/ticket/meta/ticket_type/apply_asset.py:19
-msgid "Apply name"
-msgstr "应用名称"
-
-#: tickets/serializers/ticket/meta/ticket_type/apply_application.py:37
-msgid "Apply applications"
-msgstr "申请应用"
-
-#: tickets/serializers/ticket/meta/ticket_type/apply_application.py:42
-msgid "Apply applications display"
-msgstr "应用名称名称"
-
-#: tickets/serializers/ticket/meta/ticket_type/apply_application.py:46
-#: tickets/serializers/ticket/meta/ticket_type/apply_asset.py:41
-msgid "Apply system users"
-msgstr "申请的系统用户"
-
-#: tickets/serializers/ticket/meta/ticket_type/apply_application.py:51
-msgid "Apply system user display"
-msgstr "申请的系统用户名称"
-
-#: tickets/serializers/ticket/meta/ticket_type/apply_application.py:71
-#: tickets/serializers/ticket/meta/ticket_type/apply_asset.py:73
-#: tickets/serializers/ticket/ticket.py:128
-msgid "Permission named `{}` already exists"
-msgstr "授权名称 `{}` 已存在"
-
-#: tickets/serializers/ticket/meta/ticket_type/apply_application.py:88
-#: tickets/serializers/ticket/meta/ticket_type/apply_asset.py:87
-msgid "The expiration date should be greater than the start date"
-msgstr "过期时间要大于开始时间"
-
-#: tickets/serializers/ticket/meta/ticket_type/apply_asset.py:14
-msgid "Select at least one asset or node"
-msgstr "资产或者节点至少选择一项"
-
-#: tickets/serializers/ticket/meta/ticket_type/apply_asset.py:23
-msgid "Apply nodes"
-msgstr "申请节点"
-
-#: tickets/serializers/ticket/meta/ticket_type/apply_asset.py:27
-msgid "Apply nodes display"
-msgstr "申请的节点名称"
-
-#: tickets/serializers/ticket/meta/ticket_type/apply_asset.py:32
-msgid "Apply assets"
-msgstr "申请资产"
-
-#: tickets/serializers/ticket/meta/ticket_type/apply_asset.py:36
-#: tickets/serializers/ticket/meta/ticket_type/apply_asset.py:45
-#: tickets/serializers/ticket/meta/ticket_type/apply_asset.py:53
-msgid "Apply assets display"
-msgstr "申请的资产名称"
-
-#: tickets/serializers/ticket/meta/ticket_type/command_confirm.py:12
-msgid "Run user"
-msgstr "运行的用户"
-
-#: tickets/serializers/ticket/meta/ticket_type/command_confirm.py:13
-msgid "Run asset"
-msgstr "运行的资产"
-
-#: tickets/serializers/ticket/meta/ticket_type/command_confirm.py:15
-msgid "Run system user"
-msgstr "运行的系统用户"
-
-#: tickets/serializers/ticket/meta/ticket_type/command_confirm.py:17
-msgid "Run command"
-msgstr "运行的命令"
-
-#: tickets/serializers/ticket/meta/ticket_type/command_confirm.py:18
-msgid "From session"
-msgstr "来自会话"
-
-#: tickets/serializers/ticket/meta/ticket_type/command_confirm.py:20
-msgid "From cmd filter rule"
-msgstr "来自命令过滤规则"
-
-#: tickets/serializers/ticket/meta/ticket_type/command_confirm.py:22
-msgid "From cmd filter"
-msgstr "来自命令过滤规则"
-
-#: tickets/serializers/ticket/meta/ticket_type/common.py:11
-#: tickets/serializers/ticket/ticket.py:123
+#: tickets/serializers/ticket/common.py:16
+#: tickets/serializers/ticket/common.py:68
 msgid "Created by ticket ({}-{})"
 msgstr "通过工单创建 ({}-{})"
 
-#: tickets/serializers/ticket/meta/ticket_type/login_asset_confirm.py:13
-msgid "Login user"
-msgstr "登录用户"
+#: tickets/serializers/ticket/common.py:58
+msgid "The expiration date should be greater than the start date"
+msgstr "过期时间要大于开始时间"
 
-#: tickets/serializers/ticket/meta/ticket_type/login_asset_confirm.py:14
-msgid "Login asset"
-msgstr "登录资产"
+#: tickets/serializers/ticket/common.py:74
+msgid "Permission named `{}` already exists"
+msgstr "授权名称 `{}` 已存在"
 
-#: tickets/serializers/ticket/meta/ticket_type/login_asset_confirm.py:16
-msgid "Login system user"
-msgstr "登录系统用户"
-
-#: tickets/serializers/ticket/meta/ticket_type/login_confirm.py:20
-msgid "Login datetime"
-msgstr "登录日期"
-
-#: tickets/serializers/ticket/ticket.py:95
-msgid ""
-"The `type` in the submission data (`{}`) is different from the type in the "
-"request url (`{}`)"
-msgstr "提交数据中的类型 (`{}`) 与请求URL地址中的类型 (`{}`) 不一致"
-
-#: tickets/serializers/ticket/ticket.py:116
+#: tickets/serializers/ticket/ticket.py:76
 msgid "The ticket flow `{}` does not exist"
 msgstr "工单流程 `{}` 不存在"
 
-#: tickets/serializers/ticket/ticket.py:143
-msgid "Assignees display"
-msgstr "受理人名称"
-
-#: tickets/serializers/ticket/ticket.py:167
-msgid "Please select the Assignees"
-msgstr "请选择受理人"
-
-#: tickets/serializers/ticket/ticket.py:193
-msgid "The current organization type already exists"
-msgstr "当前组织已存在该类型"
-
-#: tickets/templates/tickets/_base_ticket_body.html:17
-msgid "Click here to review"
-msgstr "点击查看"
-
-#: tickets/templates/tickets/_msg_ticket.html:12
+#: tickets/templates/tickets/_msg_ticket.html:20
 msgid "View details"
 msgstr "查看详情"
 
-#: tickets/templates/tickets/_msg_ticket.html:17
+#: tickets/templates/tickets/_msg_ticket.html:25
 msgid "Direct approval"
 msgstr "直接批准"
 
@@ -5456,16 +5342,16 @@ msgstr "直接批准"
 msgid "Ticket information"
 msgstr "工单信息"
 
-#: tickets/templates/tickets/approve_check_password.html:19
+#: tickets/templates/tickets/approve_check_password.html:29
 #: tickets/views/approve.py:25
 msgid "Ticket approval"
 msgstr "工单审批"
 
-#: tickets/templates/tickets/approve_check_password.html:35
+#: tickets/templates/tickets/approve_check_password.html:45
 msgid "Approval"
 msgstr "同意"
 
-#: tickets/templates/tickets/approve_check_password.html:44
+#: tickets/templates/tickets/approve_check_password.html:54
 msgid "Go Login"
 msgstr "去登录"
 
diff --git a/apps/terminal/api/endpoint.py b/apps/terminal/api/endpoint.py
index 494dacbe8..8b98df67e 100644
--- a/apps/terminal/api/endpoint.py
+++ b/apps/terminal/api/endpoint.py
@@ -16,19 +16,41 @@ from .. import serializers
 __all__ = ['EndpointViewSet', 'EndpointRuleViewSet']
 
 
-class EndpointViewSet(JMSBulkModelViewSet):
-    filterset_fields = ('name', 'host')
-    search_fields = filterset_fields
-    serializer_class = serializers.EndpointSerializer
-    queryset = Endpoint.objects.all()
+class SmartEndpointViewMixin:
+    get_serializer: callable
+
+    @action(methods=['get'], detail=False, permission_classes=[IsValidUser], url_path='smart')
+    def smart(self, request, *args, **kwargs):
+        protocol = request.GET.get('protocol')
+        if not protocol:
+            error = _('Not found protocol query params')
+            return Response(data={'error': error}, status=status.HTTP_404_NOT_FOUND)
+        endpoint = self.match_endpoint(request, protocol)
+        serializer = self.get_serializer(endpoint)
+        return Response(serializer.data)
+
+    def match_endpoint(self, request, protocol):
+        instance = self.get_target_instance(request)
+        endpoint = self.match_endpoint_by_label(instance, protocol)
+        if not endpoint:
+            endpoint = self.match_endpoint_by_target_ip(request, instance, protocol)
+        return endpoint
 
     @staticmethod
-    def get_target_ip(request):
-        # 用来方便测试
-        target_ip = request.GET.get('target_ip')
-        if target_ip:
-            return target_ip
+    def match_endpoint_by_label(instance, protocol):
+        return Endpoint.match_by_instance_label(instance, protocol)
 
+    @staticmethod
+    def match_endpoint_by_target_ip(request, instance, protocol):
+        # 用来方便测试
+        target_ip = request.GET.get('target_ip', '')
+        if not target_ip and callable(getattr(instance, 'get_target_ip', None)):
+            target_ip = instance.get_target_ip(request)
+        endpoint = EndpointRule.match_endpoint(target_ip, protocol, request)
+        return endpoint
+
+    @staticmethod
+    def get_target_instance(request):
         asset_id = request.GET.get('asset_id')
         app_id = request.GET.get('app_id')
         session_id = request.GET.get('session_id')
@@ -48,25 +70,19 @@ class EndpointViewSet(JMSBulkModelViewSet):
         elif session_id:
             pk, model = session_id, Session
         else:
-            return ''
-
+            pk, model = None, None
+        if not pk or not model:
+            return None
         with tmp_to_root_org():
             instance = get_object_or_404(model, pk=pk)
-            target_ip = instance.get_target_ip()
-            return target_ip
+            return instance
 
-    @action(methods=['get'], detail=False, permission_classes=[IsValidUser], url_path='smart')
-    def smart(self, request, *args, **kwargs):
-        protocol = request.GET.get('protocol')
-        if not protocol:
-            return Response(
-                data={'error': _('Not found protocol query params')},
-                status=status.HTTP_404_NOT_FOUND
-            )
-        target_ip = self.get_target_ip(request)
-        endpoint = EndpointRule.match_endpoint(target_ip, protocol, request)
-        serializer = self.get_serializer(endpoint)
-        return Response(serializer.data)
+
+class EndpointViewSet(SmartEndpointViewMixin, JMSBulkModelViewSet):
+    filterset_fields = ('name', 'host')
+    search_fields = filterset_fields
+    serializer_class = serializers.EndpointSerializer
+    queryset = Endpoint.objects.all()
 
 
 class EndpointRuleViewSet(JMSBulkModelViewSet):
diff --git a/apps/terminal/models/endpoint.py b/apps/terminal/models/endpoint.py
index ec2f0bef6..b03075abb 100644
--- a/apps/terminal/models/endpoint.py
+++ b/apps/terminal/models/endpoint.py
@@ -33,13 +33,20 @@ class Endpoint(JMSModel):
         return getattr(self, f'{protocol}_port', 0)
 
     def is_default(self):
-        return self.id == self.default_id
+        return str(self.id) == self.default_id
 
     def delete(self, using=None, keep_parents=False):
         if self.is_default():
             return
         return super().delete(using, keep_parents)
 
+    def is_valid_for(self, protocol):
+        if self.is_default():
+            return True
+        if self.host and self.get_port(protocol) != 0:
+            return True
+        return False
+
     @classmethod
     def get_or_create_default(cls, request=None):
         data = {
@@ -54,6 +61,22 @@ class Endpoint(JMSModel):
             endpoint.host = request.get_host().split(':')[0]
         return endpoint
 
+    @classmethod
+    def match_by_instance_label(cls, instance, protocol):
+        from assets.models import Asset
+        from terminal.models import Session
+        if isinstance(instance, Session):
+            instance = instance.get_asset_or_application()
+        if not isinstance(instance, Asset):
+            return None
+        values = instance.labels.filter(name='endpoint').values_list('value', flat=True)
+        if not values:
+            return None
+        endpoints = cls.objects.filter(name__in=values).order_by('-date_updated')
+        for endpoint in endpoints:
+            if endpoint.is_valid_for(protocol):
+                return endpoint
+
 
 class EndpointRule(JMSModel):
     name = models.CharField(max_length=128, verbose_name=_('Name'), unique=True)
@@ -82,11 +105,7 @@ class EndpointRule(JMSModel):
                 continue
             if not endpoint_rule.endpoint:
                 continue
-            if endpoint_rule.endpoint.is_default():
-                return endpoint_rule
-            if not endpoint_rule.endpoint.host:
-                continue
-            if endpoint_rule.endpoint.get_port(protocol) == 0:
+            if not endpoint_rule.endpoint.is_valid_for(protocol):
                 continue
             return endpoint_rule
 
diff --git a/apps/terminal/models/session.py b/apps/terminal/models/session.py
index 565c54335..50468246d 100644
--- a/apps/terminal/models/session.py
+++ b/apps/terminal/models/session.py
@@ -196,10 +196,14 @@ class Session(OrgModelMixin):
     def login_from_display(self):
         return self.get_login_from_display()
 
-    def get_target_ip(self):
+    def get_asset_or_application(self):
         instance = get_object_or_none(Asset, pk=self.asset_id)
         if not instance:
             instance = get_object_or_none(Application, pk=self.asset_id)
+        return instance
+
+    def get_target_ip(self):
+        instance = self.get_asset_or_application()
         target_ip = instance.get_target_ip() if instance else ''
         return target_ip
 
diff --git a/apps/terminal/serializers/endpoint.py b/apps/terminal/serializers/endpoint.py
index 1c51c1604..fa3e71c35 100644
--- a/apps/terminal/serializers/endpoint.py
+++ b/apps/terminal/serializers/endpoint.py
@@ -1,7 +1,7 @@
 from rest_framework import serializers
 from django.utils.translation import ugettext_lazy as _
 from common.drf.serializers import BulkModelSerializer
-from acls.serializers.rules import ip_group_help_text, ip_group_child_validator
+from acls.serializers.rules import ip_group_child_validator, ip_group_help_text
 from ..models import Endpoint, EndpointRule
 
 __all__ = ['EndpointSerializer', 'EndpointRuleSerializer']
@@ -34,8 +34,12 @@ class EndpointSerializer(BulkModelSerializer):
 
 
 class EndpointRuleSerializer(BulkModelSerializer):
+    _ip_group_help_text = '{} <br> {}'.format(
+        ip_group_help_text,
+        _('If asset IP addresses under different endpoints conflict, use asset labels')
+    )
     ip_group = serializers.ListField(
-        default=['*'], label=_('IP'), help_text=ip_group_help_text,
+        default=['*'], label=_('IP'), help_text=_ip_group_help_text,
         child=serializers.CharField(max_length=1024, validators=[ip_group_child_validator])
     )
     endpoint_display = serializers.ReadOnlyField(source='endpoint.name', label=_('Endpoint'))

From 067a90ff9a2fe49698995450c18c41b76860bee7 Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Thu, 30 Jun 2022 11:17:12 +0800
Subject: [PATCH 210/258] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=E5=B7=A5?=
 =?UTF-8?q?=E5=8D=95=E6=95=B0=E6=8D=AE=E5=BA=93=E5=91=BD=E4=BB=A4=E5=A4=8D?=
 =?UTF-8?q?=E5=90=88bug=20(#8511)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: feng626 <1304903146@qq.com>
---
 apps/assets/models/cmd_filter.py                   |  2 +-
 apps/perms/const.py                                |  2 --
 apps/rbac/const.py                                 |  5 +++++
 apps/tickets/migrations/0016_auto_20220609_1758.py | 10 ++++------
 apps/tickets/migrations/0017_auto_20220623_1027.py |  7 +------
 apps/tickets/models/ticket/command_confirm.py      |  6 +-----
 6 files changed, 12 insertions(+), 20 deletions(-)

diff --git a/apps/assets/models/cmd_filter.py b/apps/assets/models/cmd_filter.py
index d91d50988..b17a4263d 100644
--- a/apps/assets/models/cmd_filter.py
+++ b/apps/assets/models/cmd_filter.py
@@ -171,7 +171,7 @@ class CommandFilterRule(OrgModelMixin):
             'type': TicketType.command_confirm,
             'applicant': session.user_obj,
             'apply_run_user_id': session.user_id,
-            'apply_run_asset_id': session.asset_id,
+            'apply_run_asset': str(session.asset),
             'apply_run_system_user_id': session.system_user_id,
             'apply_run_command': run_command[:4090],
             'apply_from_session_id': str(session.id),
diff --git a/apps/perms/const.py b/apps/perms/const.py
index 5b8e1baca..ec51c5a2b 100644
--- a/apps/perms/const.py
+++ b/apps/perms/const.py
@@ -1,4 +1,2 @@
 # -*- coding: utf-8 -*-
 #
-from django.db.models import TextChoices
-from django.utils.translation import ugettext_lazy as _
diff --git a/apps/rbac/const.py b/apps/rbac/const.py
index 1a3cc93b4..20038de19 100644
--- a/apps/rbac/const.py
+++ b/apps/rbac/const.py
@@ -69,6 +69,11 @@ exclude_permissions = (
     ('tickets', 'ticket', 'add,delete,change', 'ticket'),
     ('tickets', 'ticketstep', '*', '*'),
     ('tickets', 'approvalrule', '*', '*'),
+    ('tickets', 'applyloginticket', '*', '*'),
+    ('tickets', 'applyloginassetticket', '*', '*'),
+    ('tickets', 'applycommandticket', '*', '*'),
+    ('tickets', 'applyassetticket', '*', '*'),
+    ('tickets', 'applyapplicationticket', '*', '*'),
     ('tickets', 'superticket', 'delete', 'superticket'),
     ('tickets', 'ticketsession', 'view,delete', 'ticketsession'),
     ('xpack', 'interface', '*', '*'),
diff --git a/apps/tickets/migrations/0016_auto_20220609_1758.py b/apps/tickets/migrations/0016_auto_20220609_1758.py
index 55d88385e..663db3a75 100644
--- a/apps/tickets/migrations/0016_auto_20220609_1758.py
+++ b/apps/tickets/migrations/0016_auto_20220609_1758.py
@@ -59,7 +59,7 @@ class Migration(migrations.Migration):
         migrations.AlterField(
             model_name='ticket',
             name='state',
-            field=models.CharField(choices=[('pending', 'Pending'), ('approved', 'Approved'), ('rejected', 'Rejected'),
+            field=models.CharField(choices=[('pending', 'Open'), ('approved', 'Approved'), ('rejected', 'Rejected'),
                                             ('closed', 'Cancel'), ('reopen', 'Reopen')], default='pending',
                                    max_length=16, verbose_name='State'),
         ),
@@ -72,14 +72,14 @@ class Migration(migrations.Migration):
         migrations.AlterField(
             model_name='ticketassignee',
             name='state',
-            field=models.CharField(choices=[('pending', 'Pending'), ('approved', 'Approved'), ('rejected', 'Rejected'),
+            field=models.CharField(choices=[('pending', 'Open'), ('approved', 'Approved'), ('rejected', 'Rejected'),
                                             ('closed', 'Cancel'), ('reopen', 'Reopen')], default='pending',
                                    max_length=64),
         ),
         migrations.AlterField(
             model_name='ticketstep',
             name='state',
-            field=models.CharField(choices=[('pending', 'Pending'), ('approved', 'Approved'), ('rejected', 'Rejected'),
+            field=models.CharField(choices=[('pending', 'Open'), ('approved', 'Approved'), ('rejected', 'Rejected'),
                                             ('closed', 'Closed')], default='pending', max_length=64,
                                    verbose_name='State'),
         ),
@@ -111,6 +111,7 @@ class Migration(migrations.Migration):
                  models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True,
                                       primary_key=True, serialize=False, to='tickets.ticket')),
                 ('apply_run_command', models.CharField(max_length=4096, verbose_name='Run command')),
+                ('apply_run_asset', models.CharField(max_length=128, verbose_name='Run asset')),
                 ('apply_from_cmd_filter',
                  models.ForeignKey(null=True, on_delete=django.db.models.deletion.SET_NULL, to='assets.commandfilter',
                                    verbose_name='From cmd filter')),
@@ -120,9 +121,6 @@ class Migration(migrations.Migration):
                 ('apply_from_session',
                  models.ForeignKey(null=True, on_delete=django.db.models.deletion.SET_NULL, to='terminal.session',
                                    verbose_name='Session')),
-                ('apply_run_asset',
-                 models.ForeignKey(null=True, on_delete=django.db.models.deletion.SET_NULL, to='assets.asset',
-                                   verbose_name='Run asset')),
                 ('apply_run_system_user',
                  models.ForeignKey(null=True, on_delete=django.db.models.deletion.SET_NULL, to='assets.systemuser',
                                    verbose_name='Run system user')),
diff --git a/apps/tickets/migrations/0017_auto_20220623_1027.py b/apps/tickets/migrations/0017_auto_20220623_1027.py
index 258ff676a..d3a9a1953 100644
--- a/apps/tickets/migrations/0017_auto_20220623_1027.py
+++ b/apps/tickets/migrations/0017_auto_20220623_1027.py
@@ -263,11 +263,6 @@ def command_confirm_migrate(apps, *args):
             name=name_username[0], username=name_username[1]
         ).first() if name_username else None
 
-        hostname_ip = analysis_instance_name(meta.get('apply_run_asset'))
-        apply_run_asset = asset_model.objects.filter(
-            org_id=instance.org_id, hostname=hostname_ip[0], ip=hostname_ip[1]
-        ).first() if hostname_ip else None
-
         name_username = analysis_instance_name(meta.get('apply_run_system_user'))
         apply_run_system_user = system_user_model.objects.filter(
             org_id=instance.org_id, name=name_username[0], username=name_username[1]
@@ -287,7 +282,7 @@ def command_confirm_migrate(apps, *args):
         data = {
             'ticket_ptr_id': instance.pk,
             'apply_run_user': apply_run_user,
-            'apply_run_asset': apply_run_asset,
+            'apply_run_asset': meta.get('apply_run_asset', ''),
             'apply_run_system_user': apply_run_system_user,
             'apply_run_command': meta.get('apply_run_command', '')[:4090],
             'apply_from_session_id': apply_from_session_id,
diff --git a/apps/tickets/models/ticket/command_confirm.py b/apps/tickets/models/ticket/command_confirm.py
index 94d27fde7..c42e9c166 100644
--- a/apps/tickets/models/ticket/command_confirm.py
+++ b/apps/tickets/models/ticket/command_confirm.py
@@ -9,10 +9,7 @@ class ApplyCommandTicket(Ticket):
         'users.User', on_delete=models.SET_NULL,
         null=True, verbose_name=_('Run user')
     )
-    apply_run_asset = models.ForeignKey(
-        'assets.Asset', on_delete=models.SET_NULL,
-        null=True, verbose_name=_('Run asset')
-    )
+    apply_run_asset = models.CharField(max_length=128, verbose_name=_('Run asset'), default='')
     apply_run_system_user = models.ForeignKey(
         'assets.SystemUser', on_delete=models.SET_NULL,
         null=True, verbose_name=_('Run system user')
@@ -30,4 +27,3 @@ class ApplyCommandTicket(Ticket):
         'assets.CommandFilterRule', on_delete=models.SET_NULL,
         null=True, verbose_name=_('From cmd filter rule')
     )
-

From 5d80933e7bdb340444d7cd8437e641d6cefb6381 Mon Sep 17 00:00:00 2001
From: jiangweidong <80373698+F2C-Jiang@users.noreply.github.com>
Date: Thu, 30 Jun 2022 11:21:26 +0800
Subject: [PATCH 211/258] =?UTF-8?q?feat:=20=E4=BC=9A=E8=AF=9D=E5=88=86?=
 =?UTF-8?q?=E4=BA=AB=E5=8F=AF=E8=AE=BE=E7=BD=AE1=E3=80=815=E5=88=86?=
 =?UTF-8?q?=E9=92=9F=E6=97=B6=E9=99=90=EF=BC=8C=E4=B8=94=E5=8F=AF=E5=88=86?=
 =?UTF-8?q?=E4=BA=AB=E7=BB=99=E6=8C=87=E5=AE=9A=E4=BA=BA=20(#8227)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* perf: 完成会话分享可设置1、5分钟时限，且可分享给指定人

* perf: 完成会话分享可设置1、5分钟时限，且可分享给指定人

* perf: 完成会话分享可设置1、5分钟时限，且可分享给指定人

* feat: 完成会话分享可设置1、5分钟时限，且可分享给指定人
---
 .../migrations/0050_sessionsharing_users.py    | 18 ++++++++++++++++++
 apps/terminal/models/sharing.py                |  7 +++++--
 apps/terminal/serializers/sharing.py           | 11 ++++++++++-
 3 files changed, 33 insertions(+), 3 deletions(-)
 create mode 100644 apps/terminal/migrations/0050_sessionsharing_users.py

diff --git a/apps/terminal/migrations/0050_sessionsharing_users.py b/apps/terminal/migrations/0050_sessionsharing_users.py
new file mode 100644
index 000000000..9a014a62f
--- /dev/null
+++ b/apps/terminal/migrations/0050_sessionsharing_users.py
@@ -0,0 +1,18 @@
+# Generated by Django 3.1.14 on 2022-05-17 00:52
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('terminal', '0049_endpoint_redis_port'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='sessionsharing',
+            name='users',
+            field=models.CharField(default=list, max_length=1024, verbose_name='User'),
+        ),
+    ]
diff --git a/apps/terminal/models/sharing.py b/apps/terminal/models/sharing.py
index 45d62fb92..1968b3f08 100644
--- a/apps/terminal/models/sharing.py
+++ b/apps/terminal/models/sharing.py
@@ -28,6 +28,7 @@ class SessionSharing(CommonModelMixin, OrgModelMixin):
     expired_time = models.IntegerField(
         default=0, verbose_name=_('Expired time (min)'), db_index=True
     )
+    users = models.CharField(max_length=1024, verbose_name=_("User"), default=list)
 
     class Meta:
         ordering = ('-date_created', )
@@ -49,11 +50,13 @@ class SessionSharing(CommonModelMixin, OrgModelMixin):
             return False
         return True
 
-    def can_join(self):
+    def can_join(self, joiner):
         if not self.is_active:
             return False, _('Link not active')
         if not self.is_expired:
             return False, _('Link expired')
+        if self.users and str(joiner.id) not in self.users.split(','):
+            return False, _('User not allowed to join')
         return True, ''
 
 
@@ -110,7 +113,7 @@ class SessionJoinRecord(CommonModelMixin, OrgModelMixin):
 
     def can_join(self):
         # sharing
-        sharing_can_join, reason = self.sharing.can_join()
+        sharing_can_join, reason = self.sharing.can_join(self.joiner)
         if not sharing_can_join:
             return False, reason
         # self
diff --git a/apps/terminal/serializers/sharing.py b/apps/terminal/serializers/sharing.py
index 5e8568cf5..845c35029 100644
--- a/apps/terminal/serializers/sharing.py
+++ b/apps/terminal/serializers/sharing.py
@@ -8,17 +8,26 @@ __all__ = ['SessionSharingSerializer', 'SessionJoinRecordSerializer']
 
 
 class SessionSharingSerializer(OrgResourceModelSerializerMixin):
+    users = serializers.ListSerializer(
+        child=serializers.CharField(max_length=36), write_only=True, default=list, allow_null=True
+    )
+
     class Meta:
         model = SessionSharing
         fields_mini = ['id']
         fields_small = fields_mini + [
             'verify_code', 'is_active', 'expired_time', 'created_by',
-            'date_created', 'date_updated'
+            'date_created', 'date_updated', 'users'
         ]
         fields_fk = ['session', 'creator']
         fields = fields_small + fields_fk
         read_only_fields = ['verify_code']
 
+    def save(self, **kwargs):
+        users = self.validated_data.get('users', [])
+        self.validated_data['users'] = ','.join(users)
+        return super().save(**kwargs)
+
     def create(self, validated_data):
         validated_data['verify_code'] = random_string(4)
         session = validated_data.get('session')

From 081089d63653a28898069f513bbf515c2188cff4 Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Thu, 30 Jun 2022 11:23:53 +0800
Subject: [PATCH 212/258] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=E5=B7=A5?=
 =?UTF-8?q?=E5=8D=95=E5=91=BD=E4=BB=A4=E5=A4=8D=E5=90=88=E8=BF=81=E7=A7=BB?=
 =?UTF-8?q?=E9=97=AE=E9=A2=98=20(#8512)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: feng626 <1304903146@qq.com>
---
 apps/tickets/migrations/0017_auto_20220623_1027.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/apps/tickets/migrations/0017_auto_20220623_1027.py b/apps/tickets/migrations/0017_auto_20220623_1027.py
index d3a9a1953..3f241d54f 100644
--- a/apps/tickets/migrations/0017_auto_20220623_1027.py
+++ b/apps/tickets/migrations/0017_auto_20220623_1027.py
@@ -293,7 +293,6 @@ def command_confirm_migrate(apps, *args):
         rel_snapshot = {
             'applicant': instance.applicant_display,
             'apply_run_user': meta.get('apply_run_user', ''),
-            'apply_run_asset': meta.get('apply_run_asset', ''),
             'apply_run_system_user': meta.get('apply_run_system_user', ''),
             'apply_from_session': meta.get('apply_from_session_id', ''),
             'apply_from_cmd_filter': meta.get('apply_from_cmd_filter_id', ''),

From 9465138fafd4606e791229dc133d37e592b52819 Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Thu, 30 Jun 2022 11:44:54 +0800
Subject: [PATCH 213/258] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=E5=B7=A5?=
 =?UTF-8?q?=E5=8D=95=E8=BF=81=E7=A7=BB=E6=96=87=E4=BB=B6=20(#8513)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: feng626 <1304903146@qq.com>
---
 apps/tickets/migrations/0016_auto_20220609_1758.py | 6 +++---
 apps/tickets/models/ticket/command_confirm.py      | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/apps/tickets/migrations/0016_auto_20220609_1758.py b/apps/tickets/migrations/0016_auto_20220609_1758.py
index 663db3a75..ecf1c85fd 100644
--- a/apps/tickets/migrations/0016_auto_20220609_1758.py
+++ b/apps/tickets/migrations/0016_auto_20220609_1758.py
@@ -79,9 +79,9 @@ class Migration(migrations.Migration):
         migrations.AlterField(
             model_name='ticketstep',
             name='state',
-            field=models.CharField(choices=[('pending', 'Open'), ('approved', 'Approved'), ('rejected', 'Rejected'),
-                                            ('closed', 'Closed')], default='pending', max_length=64,
-                                   verbose_name='State'),
+            field=models.CharField(choices=[('pending', 'Pending'), ('approved', 'Approved'), ('rejected', 'Rejected'),
+                                            ('closed', 'Closed'), ('reopen', 'Reopen')], default='pending',
+                                   max_length=64, verbose_name='State'),
         ),
         migrations.CreateModel(
             name='ApplyLoginAssetTicket',
diff --git a/apps/tickets/models/ticket/command_confirm.py b/apps/tickets/models/ticket/command_confirm.py
index c42e9c166..eb6b838ea 100644
--- a/apps/tickets/models/ticket/command_confirm.py
+++ b/apps/tickets/models/ticket/command_confirm.py
@@ -9,7 +9,7 @@ class ApplyCommandTicket(Ticket):
         'users.User', on_delete=models.SET_NULL,
         null=True, verbose_name=_('Run user')
     )
-    apply_run_asset = models.CharField(max_length=128, verbose_name=_('Run asset'), default='')
+    apply_run_asset = models.CharField(max_length=128, verbose_name=_('Run asset'))
     apply_run_system_user = models.ForeignKey(
         'assets.SystemUser', on_delete=models.SET_NULL,
         null=True, verbose_name=_('Run system user')

From 8e65975cd7dd021c7b5fc102872d11a24aee38b5 Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Thu, 30 Jun 2022 12:34:23 +0800
Subject: [PATCH 214/258] =?UTF-8?q?fix:=20=E4=BF=AE=E6=94=B9=E4=BC=9A?=
 =?UTF-8?q?=E8=AF=9D=E5=85=B1=E4=BA=AB=E5=8F=AF=E4=BB=A5=E6=8C=87=E5=AE=9A?=
 =?UTF-8?q?=E7=94=A8=E6=88=B7=E7=9A=84=E4=B8=80=E4=BA=9B=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/terminal/api/storage.py                          |  2 +-
 ...nsharing_users.py => 0051_sessionsharing_users.py} |  6 +++---
 apps/terminal/models/sharing.py                       | 11 ++++++++++-
 apps/terminal/serializers/sharing.py                  |  4 ++--
 4 files changed, 16 insertions(+), 7 deletions(-)
 rename apps/terminal/migrations/{0050_sessionsharing_users.py => 0051_sessionsharing_users.py} (56%)

diff --git a/apps/terminal/api/storage.py b/apps/terminal/api/storage.py
index f6222d13a..d9694c337 100644
--- a/apps/terminal/api/storage.py
+++ b/apps/terminal/api/storage.py
@@ -24,7 +24,7 @@ class BaseStorageViewSetMixin:
 
     def destroy(self, request, *args, **kwargs):
         instance = self.get_object()
-        if instance.type_null_or_server:
+        if instance.type_null_or_server or instance.is_default:
             data = {'msg': _('Deleting the default storage is not allowed')}
             return Response(data=data, status=status.HTTP_400_BAD_REQUEST)
         if instance.is_use():
diff --git a/apps/terminal/migrations/0050_sessionsharing_users.py b/apps/terminal/migrations/0051_sessionsharing_users.py
similarity index 56%
rename from apps/terminal/migrations/0050_sessionsharing_users.py
rename to apps/terminal/migrations/0051_sessionsharing_users.py
index 9a014a62f..f32224dea 100644
--- a/apps/terminal/migrations/0050_sessionsharing_users.py
+++ b/apps/terminal/migrations/0051_sessionsharing_users.py
@@ -1,4 +1,4 @@
-# Generated by Django 3.1.14 on 2022-05-17 00:52
+# Generated by Django 3.1.14 on 2022-06-30 03:38
 
 from django.db import migrations, models
 
@@ -6,13 +6,13 @@ from django.db import migrations, models
 class Migration(migrations.Migration):
 
     dependencies = [
-        ('terminal', '0049_endpoint_redis_port'),
+        ('terminal', '0050_auto_20220606_1745'),
     ]
 
     operations = [
         migrations.AddField(
             model_name='sessionsharing',
             name='users',
-            field=models.CharField(default=list, max_length=1024, verbose_name='User'),
+            field=models.TextField(blank=True, verbose_name='User'),
         ),
     ]
diff --git a/apps/terminal/models/sharing.py b/apps/terminal/models/sharing.py
index 1968b3f08..6976b09cf 100644
--- a/apps/terminal/models/sharing.py
+++ b/apps/terminal/models/sharing.py
@@ -3,6 +3,8 @@ import datetime
 from django.db import models
 from django.utils.translation import ugettext_lazy as _
 from django.utils import timezone
+from orgs.utils import tmp_to_root_org
+from users.models import User
 
 from common.mixins import CommonModelMixin
 from orgs.mixins.models import OrgModelMixin
@@ -28,7 +30,7 @@ class SessionSharing(CommonModelMixin, OrgModelMixin):
     expired_time = models.IntegerField(
         default=0, verbose_name=_('Expired time (min)'), db_index=True
     )
-    users = models.CharField(max_length=1024, verbose_name=_("User"), default=list)
+    users = models.TextField(blank=True, verbose_name=_("User"))
 
     class Meta:
         ordering = ('-date_created', )
@@ -40,6 +42,13 @@ class SessionSharing(CommonModelMixin, OrgModelMixin):
     def __str__(self):
         return 'Creator: {}'.format(self.creator)
 
+    def users_display(self):
+        with tmp_to_root_org():
+            user_ids = self.users.split(',')
+            users = User.objects.filter(id__in=user_ids)
+            users = [str(user) for user in users]
+        return users
+
     @property
     def date_expired(self):
         return self.date_created + datetime.timedelta(minutes=self.expired_time)
diff --git a/apps/terminal/serializers/sharing.py b/apps/terminal/serializers/sharing.py
index 845c35029..9ae1438f3 100644
--- a/apps/terminal/serializers/sharing.py
+++ b/apps/terminal/serializers/sharing.py
@@ -9,7 +9,7 @@ __all__ = ['SessionSharingSerializer', 'SessionJoinRecordSerializer']
 
 class SessionSharingSerializer(OrgResourceModelSerializerMixin):
     users = serializers.ListSerializer(
-        child=serializers.CharField(max_length=36), write_only=True, default=list, allow_null=True
+        child=serializers.CharField(max_length=36), allow_null=True, write_only=True
     )
 
     class Meta:
@@ -17,7 +17,7 @@ class SessionSharingSerializer(OrgResourceModelSerializerMixin):
         fields_mini = ['id']
         fields_small = fields_mini + [
             'verify_code', 'is_active', 'expired_time', 'created_by',
-            'date_created', 'date_updated', 'users'
+            'date_created', 'date_updated', 'users', 'users_display'
         ]
         fields_fk = ['session', 'creator']
         fields = fields_small + fields_fk

From 011e9ffec4a4ff7e20104f7321923419a50139cc Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Thu, 30 Jun 2022 18:21:12 +0800
Subject: [PATCH 215/258] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=E5=AF=BC?=
 =?UTF-8?q?=E5=85=A5=E5=AF=BC=E5=87=BA=E6=96=87=E4=BB=B6=E6=97=B6=E5=AF=B9?=
 =?UTF-8?q?=E4=BA=8Ebool=E7=B1=BB=E5=9E=8B=E5=AD=97=E6=AE=B5=E7=9A=84?=
 =?UTF-8?q?=E5=88=A4=E6=96=AD=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/common/drf/parsers/base.py      |  10 +-
 apps/common/drf/renders/base.py      |   5 +-
 apps/locale/ja/LC_MESSAGES/django.mo |   4 +-
 apps/locale/ja/LC_MESSAGES/django.po | 375 ++++++++++++++-------------
 apps/locale/zh/LC_MESSAGES/django.mo |   4 +-
 apps/locale/zh/LC_MESSAGES/django.po | 371 +++++++++++++-------------
 apps/users/api/user.py               |   2 +-
 apps/users/filters.py                |   2 +-
 apps/users/serializers/user.py       |   5 +-
 9 files changed, 410 insertions(+), 368 deletions(-)

diff --git a/apps/common/drf/parsers/base.py b/apps/common/drf/parsers/base.py
index 4e260c345..1f15ea72d 100644
--- a/apps/common/drf/parsers/base.py
+++ b/apps/common/drf/parsers/base.py
@@ -99,10 +99,16 @@ class BaseFileParser(BaseParser):
         new_row_data = {}
         serializer_fields = self.serializer_fields
         for k, v in row_data.items():
-            if type(v) in [list, dict, int] or (isinstance(v, str) and k.strip() and v.strip()):
-                # 解决类似disk_info为字符串的'{}'的问题
+            if type(v) in [list, dict, int, bool] or (isinstance(v, str) and k.strip() and v.strip()):
+                # 处理类似disk_info为字符串的'{}'的问题
                 if not isinstance(v, str) and isinstance(serializer_fields[k], serializers.CharField):
                     v = str(v)
+                # 处理 BooleanField 的问题, 导出是 'True', 'False'
+                if isinstance(v, str) and v.strip().lower() == 'true':
+                    v = True
+                elif isinstance(v, str) and v.strip().lower() == 'false':
+                    v = False
+
                 new_row_data[k] = v
         return new_row_data
 
diff --git a/apps/common/drf/renders/base.py b/apps/common/drf/renders/base.py
index 57f035f26..06867ce79 100644
--- a/apps/common/drf/renders/base.py
+++ b/apps/common/drf/renders/base.py
@@ -73,7 +73,10 @@ class BaseFileRenderer(BaseRenderer):
             row = []
             for field in render_fields:
                 value = item.get(field.field_name)
-                value = str(value) if value else ''
+                if value is None:
+                    value = ''
+                else:
+                    value = str(value)
                 row.append(value)
             yield row
 
diff --git a/apps/locale/ja/LC_MESSAGES/django.mo b/apps/locale/ja/LC_MESSAGES/django.mo
index d9a6ef7bd..f85e303fe 100644
--- a/apps/locale/ja/LC_MESSAGES/django.mo
+++ b/apps/locale/ja/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:5a2f54edd26cd86ec150e5380ba8f9ac3f05ef144d11bef16459ae82a3ec0583
-size 125818
+oid sha256:896e5302ad4e775f9160b51385466525e67f0e5a0a8cc10981ea843626114494
+size 125939
diff --git a/apps/locale/ja/LC_MESSAGES/django.po b/apps/locale/ja/LC_MESSAGES/django.po
index edcdb7ac6..792b2412e 100644
--- a/apps/locale/ja/LC_MESSAGES/django.po
+++ b/apps/locale/ja/LC_MESSAGES/django.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-06-29 18:09+0800\n"
+"POT-Creation-Date: 2022-06-30 15:51+0800\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -49,7 +49,7 @@ msgstr "1-100、低い値は最初に一致します"
 
 #: acls/models/base.py:31 authentication/models.py:18
 #: authentication/templates/authentication/_access_key_modal.html:32
-#: perms/models/base.py:88 terminal/models/sharing.py:26 tickets/const.py:39
+#: perms/models/base.py:88 terminal/models/sharing.py:28 tickets/const.py:39
 msgid "Active"
 msgstr "アクティブ"
 
@@ -63,7 +63,7 @@ msgstr "アクティブ"
 #: perms/models/base.py:93 rbac/models/role.py:37 settings/models.py:34
 #: terminal/models/endpoint.py:21 terminal/models/endpoint.py:92
 #: terminal/models/storage.py:29 terminal/models/terminal.py:114
-#: tickets/models/comment.py:32 tickets/models/ticket/general.py:277
+#: tickets/models/comment.py:32 tickets/models/ticket/general.py:278
 #: users/models/group.py:16 users/models/user.py:698
 #: xpack/plugins/change_auth_plan/models/base.py:44
 #: xpack/plugins/cloud/models.py:35 xpack/plugins/cloud/models.py:116
@@ -92,9 +92,10 @@ msgstr "ログイン確認"
 #: rbac/builtin.py:118 rbac/models/rolebinding.py:41
 #: terminal/backends/command/models.py:20
 #: terminal/backends/command/serializers.py:12 terminal/models/session.py:44
-#: terminal/notifications.py:91 terminal/notifications.py:139
-#: tickets/models/comment.py:21 users/const.py:14 users/models/user.py:888
-#: users/models/user.py:919 users/serializers/group.py:19
+#: terminal/models/sharing.py:33 terminal/notifications.py:91
+#: terminal/notifications.py:139 tickets/models/comment.py:21 users/const.py:14
+#: users/models/user.py:890 users/models/user.py:921
+#: users/serializers/group.py:19
 msgid "User"
 msgstr "ユーザー"
 
@@ -309,7 +310,7 @@ msgstr "カテゴリ"
 #: terminal/models/storage.py:58 terminal/models/storage.py:142
 #: tickets/models/comment.py:26 tickets/models/flow.py:57
 #: tickets/models/ticket/apply_application.py:17
-#: tickets/models/ticket/general.py:262
+#: tickets/models/ticket/general.py:263
 #: xpack/plugins/change_auth_plan/models/app.py:28
 #: xpack/plugins/change_auth_plan/models/app.py:153
 msgid "Type"
@@ -355,7 +356,7 @@ msgstr "タイプ表示"
 #: assets/serializers/cmd_filter.py:48 common/db/models.py:114
 #: common/mixins/models.py:50 ops/models/adhoc.py:39 ops/models/command.py:30
 #: orgs/models.py:67 orgs/models.py:217 perms/models/base.py:92
-#: users/models/group.py:18 users/models/user.py:920
+#: users/models/group.py:18 users/models/user.py:922
 #: xpack/plugins/cloud/models.py:125
 msgid "Date created"
 msgstr "作成された日付"
@@ -499,7 +500,7 @@ msgid "Charset"
 msgstr "シャーセット"
 
 #: assets/models/asset.py:141 assets/serializers/asset.py:176
-#: tickets/models/ticket/general.py:287
+#: tickets/models/ticket/general.py:288
 msgid "Meta"
 msgstr "メタ"
 
@@ -521,7 +522,7 @@ msgstr "ベンダー"
 msgid "Model"
 msgstr "モデル"
 
-#: assets/models/asset.py:170 tickets/models/ticket/general.py:285
+#: assets/models/asset.py:170 tickets/models/ticket/general.py:286
 msgid "Serial number"
 msgstr "シリアル番号"
 
@@ -711,7 +712,7 @@ msgid "Trigger mode"
 msgstr "トリガーモード"
 
 #: assets/models/backup.py:119 audits/models.py:127
-#: terminal/models/sharing.py:94
+#: terminal/models/sharing.py:106
 #: xpack/plugins/change_auth_plan/models/base.py:201
 #: xpack/plugins/change_auth_plan/serializers/app.py:66
 #: xpack/plugins/change_auth_plan/serializers/asset.py:180
@@ -821,7 +822,7 @@ msgid "Default"
 msgstr "デフォルト"
 
 #: assets/models/cluster.py:36 assets/models/label.py:14 rbac/const.py:6
-#: users/models/user.py:905
+#: users/models/user.py:907
 msgid "System"
 msgstr "システム"
 
@@ -1380,7 +1381,7 @@ msgstr "監査"
 
 #: audits/models.py:27 audits/models.py:59
 #: authentication/templates/authentication/_access_key_modal.html:65
-#: rbac/tree.py:228
+#: rbac/tree.py:226
 msgid "Delete"
 msgstr "削除"
 
@@ -1409,7 +1410,7 @@ msgid "Symlink"
 msgstr "Symlink"
 
 #: audits/models.py:38 audits/models.py:66 audits/models.py:89
-#: terminal/models/session.py:51 terminal/models/sharing.py:82
+#: terminal/models/session.py:51 terminal/models/sharing.py:94
 msgid "Remote addr"
 msgstr "リモートaddr"
 
@@ -1421,8 +1422,8 @@ msgstr "操作"
 msgid "Filename"
 msgstr "ファイル名"
 
-#: audits/models.py:43 audits/models.py:117 terminal/models/sharing.py:90
-#: tickets/views/approve.py:98
+#: audits/models.py:43 audits/models.py:117 terminal/models/sharing.py:102
+#: tickets/views/approve.py:115
 #: xpack/plugins/change_auth_plan/serializers/app.py:87
 #: xpack/plugins/change_auth_plan/serializers/asset.py:198
 msgid "Success"
@@ -1434,15 +1435,15 @@ msgstr "ファイル転送ログ"
 
 #: audits/models.py:56
 #: authentication/templates/authentication/_access_key_modal.html:22
-#: rbac/tree.py:225
+#: rbac/tree.py:223
 msgid "Create"
 msgstr "作成"
 
-#: audits/models.py:57 rbac/tree.py:226
+#: audits/models.py:57 rbac/tree.py:224
 msgid "View"
 msgstr "表示"
 
-#: audits/models.py:58 rbac/tree.py:227 templates/_csv_import_export.html:18
+#: audits/models.py:58 rbac/tree.py:225 templates/_csv_import_export.html:18
 #: templates/_csv_update_modal.html:6
 msgid "Update"
 msgstr "更新"
@@ -1510,7 +1511,7 @@ msgid "MFA"
 msgstr "MFA"
 
 #: audits/models.py:128 terminal/models/status.py:33
-#: tickets/models/ticket/general.py:270 xpack/plugins/cloud/models.py:175
+#: tickets/models/ticket/general.py:271 xpack/plugins/cloud/models.py:175
 #: xpack/plugins/cloud/models.py:227
 msgid "Status"
 msgstr "ステータス"
@@ -1581,13 +1582,13 @@ msgid "Auth Token"
 msgstr "認証トークン"
 
 #: audits/signal_handlers.py:53 authentication/notifications.py:73
-#: authentication/views/login.py:163 authentication/views/wecom.py:177
+#: authentication/views/login.py:67 authentication/views/wecom.py:177
 #: notifications/backends/__init__.py:11 users/models/user.py:720
 msgid "WeCom"
 msgstr "企業微信"
 
 #: audits/signal_handlers.py:54 authentication/views/dingtalk.py:179
-#: authentication/views/login.py:169 notifications/backends/__init__.py:12
+#: authentication/views/login.py:73 notifications/backends/__init__.py:12
 #: users/models/user.py:721
 msgid "DingTalk"
 msgstr "DingTalk"
@@ -1845,59 +1846,59 @@ msgstr ""
 msgid "Invalid token or cache refreshed."
 msgstr "無効なトークンまたはキャッシュの更新。"
 
-#: authentication/errors.py:26
+#: authentication/errors/const.py:18
 msgid "Username/password check failed"
 msgstr "ユーザー名/パスワードのチェックに失敗しました"
 
-#: authentication/errors.py:27
+#: authentication/errors/const.py:19
 msgid "Password decrypt failed"
 msgstr "パスワードの復号化に失敗しました"
 
-#: authentication/errors.py:28
+#: authentication/errors/const.py:20
 msgid "MFA failed"
 msgstr "MFAに失敗しました"
 
-#: authentication/errors.py:29
+#: authentication/errors/const.py:21
 msgid "MFA unset"
 msgstr "MFAセットなし"
 
-#: authentication/errors.py:30
+#: authentication/errors/const.py:22
 msgid "Username does not exist"
 msgstr "ユーザー名が存在しません"
 
-#: authentication/errors.py:31
+#: authentication/errors/const.py:23
 msgid "Password expired"
 msgstr "パスワード期限切れ"
 
-#: authentication/errors.py:32
+#: authentication/errors/const.py:24
 msgid "Disabled or expired"
 msgstr "無効または期限切れ"
 
-#: authentication/errors.py:33
+#: authentication/errors/const.py:25
 msgid "This account is inactive."
 msgstr "このアカウントは非アクティブです。"
 
-#: authentication/errors.py:34
+#: authentication/errors/const.py:26
 msgid "This account is expired"
 msgstr "このアカウントは期限切れです"
 
-#: authentication/errors.py:35
+#: authentication/errors/const.py:27
 msgid "Auth backend not match"
 msgstr "Authバックエンドが一致しない"
 
-#: authentication/errors.py:36
+#: authentication/errors/const.py:28
 msgid "ACL is not allowed"
 msgstr "ACLは許可されません"
 
-#: authentication/errors.py:37
+#: authentication/errors/const.py:29
 msgid "Only local users are allowed"
 msgstr "ローカルユーザーのみが許可されています"
 
-#: authentication/errors.py:47
+#: authentication/errors/const.py:39
 msgid "No session found, check your cookie"
 msgstr "セッションが見つかりませんでした。クッキーを確認してください"
 
-#: authentication/errors.py:49
+#: authentication/errors/const.py:41
 #, python-brace-format
 msgid ""
 "The username or password you entered is incorrect, please enter it again. "
@@ -1908,7 +1909,7 @@ msgstr ""
 "{times_try} 回試すこともできます (アカウントは {block_time} 分の間一時的に"
 "ロックされます)"
 
-#: authentication/errors.py:55 authentication/errors.py:63
+#: authentication/errors/const.py:47 authentication/errors/const.py:55
 msgid ""
 "The account has been locked (please contact admin to unlock it or try again "
 "after {} minutes)"
@@ -1916,7 +1917,7 @@ msgstr ""
 "アカウントがロックされています (管理者に連絡してロックを解除するか、 {} 分後"
 "にもう一度お試しください)"
 
-#: authentication/errors.py:59
+#: authentication/errors/const.py:51
 msgid ""
 "The ip has been locked (please contact admin to unlock it or try again after "
 "{} minutes)"
@@ -1924,7 +1925,7 @@ msgstr ""
 "IPがロックされています (管理者に連絡してロックを解除するか、 {} 分後にもう一"
 "度お試しください)"
 
-#: authentication/errors.py:67
+#: authentication/errors/const.py:59
 #, python-brace-format
 msgid ""
 "{error}, You can also try {times_try} times (The account will be temporarily "
@@ -1933,67 +1934,67 @@ msgstr ""
 "{error},{times_try} 回も試すことができます (アカウントは {block_time} 分の間"
 "一時的にロックされます)"
 
-#: authentication/errors.py:71
+#: authentication/errors/const.py:63
 msgid "MFA required"
 msgstr "MFAが必要"
 
-#: authentication/errors.py:72
+#: authentication/errors/const.py:64
 msgid "MFA not set, please set it first"
 msgstr "MFAをセットしない、最初にセットしてください"
 
-#: authentication/errors.py:73
+#: authentication/errors/const.py:65
 msgid "Login confirm required"
 msgstr "ログイン確認が必要"
 
-#: authentication/errors.py:74
+#: authentication/errors/const.py:66
 msgid "Wait login confirm ticket for accept"
 msgstr "受け入れのためのログイン確認チケットを待つ"
 
-#: authentication/errors.py:75
+#: authentication/errors/const.py:67
 msgid "Login confirm ticket was {}"
 msgstr "ログイン確認チケットは {} でした"
 
-#: authentication/errors.py:255
+#: authentication/errors/failed.py:145
 msgid "IP is not allowed"
 msgstr "IPは許可されていません"
 
-#: authentication/errors.py:262
+#: authentication/errors/failed.py:152
 msgid "Time Period is not allowed"
 msgstr "期間は許可されていません"
 
-#: authentication/errors.py:295
-msgid "SSO auth closed"
-msgstr "SSO authは閉鎖されました"
-
-#: authentication/errors.py:300 authentication/mixins.py:306
-msgid "Your password is too simple, please change it for security"
-msgstr "パスワードがシンプルすぎるので、セキュリティのために変更してください"
-
-#: authentication/errors.py:309 authentication/mixins.py:313
-msgid "You should to change your password before login"
-msgstr "ログインする前にパスワードを変更する必要があります"
-
-#: authentication/errors.py:318 authentication/mixins.py:320
-msgid "Your password has expired, please reset before logging in"
-msgstr ""
-"パスワードの有効期限が切れました。ログインする前にリセットしてください。"
-
-#: authentication/errors.py:352
-msgid "Your password is invalid"
-msgstr "パスワードが無効です"
-
-#: authentication/errors.py:357
+#: authentication/errors/failed.py:157
 msgid "Please enter MFA code"
 msgstr "MFAコードを入力してください"
 
-#: authentication/errors.py:362
+#: authentication/errors/failed.py:162
 msgid "Please enter SMS code"
 msgstr "SMSコードを入力してください"
 
-#: authentication/errors.py:367 users/exceptions.py:15
+#: authentication/errors/failed.py:167 users/exceptions.py:15
 msgid "Phone not set"
 msgstr "電話が設定されていない"
 
+#: authentication/errors/mfa.py:8
+msgid "SSO auth closed"
+msgstr "SSO authは閉鎖されました"
+
+#: authentication/errors/mfa.py:38
+msgid "Your password is invalid"
+msgstr "パスワードが無効です"
+
+#: authentication/errors/redirect.py:79 authentication/mixins.py:306
+msgid "Your password is too simple, please change it for security"
+msgstr "パスワードがシンプルすぎるので、セキュリティのために変更してください"
+
+#: authentication/errors/redirect.py:88 authentication/mixins.py:313
+msgid "You should to change your password before login"
+msgstr "ログインする前にパスワードを変更する必要があります"
+
+#: authentication/errors/redirect.py:97 authentication/mixins.py:320
+msgid "Your password has expired, please reset before logging in"
+msgstr ""
+"パスワードの有効期限が切れました。ログインする前にリセットしてください。"
+
 #: authentication/forms.py:45
 msgid "{} days auto login"
 msgstr "{} 日自動ログイン"
@@ -2216,7 +2217,7 @@ msgstr "コードエラー"
 #: authentication/templates/authentication/_msg_reset_password.html:3
 #: authentication/templates/authentication/_msg_rest_password_success.html:2
 #: authentication/templates/authentication/_msg_rest_public_key_success.html:2
-#: jumpserver/conf.py:305 ops/tasks.py:145 ops/tasks.py:148
+#: jumpserver/conf.py:307 ops/tasks.py:145 ops/tasks.py:148
 #: perms/templates/perms/_msg_item_permissions_expire.html:3
 #: perms/templates/perms/_msg_permed_items_expire.html:3
 #: tickets/templates/tickets/approve_check_password.html:33
@@ -2421,7 +2422,7 @@ msgstr "FeiShuクエリユーザーが失敗しました"
 msgid "The FeiShu is already bound to another user"
 msgstr "FeiShuはすでに別のユーザーにバインドされています"
 
-#: authentication/views/feishu.py:143 authentication/views/login.py:175
+#: authentication/views/feishu.py:143 authentication/views/login.py:79
 #: notifications/backends/__init__.py:14 users/models/user.py:722
 msgid "FeiShu"
 msgstr "本を飛ばす"
@@ -2442,19 +2443,19 @@ msgstr "本を飛ばすは拘束されていません"
 msgid "Please login with a password and then bind the FeiShu"
 msgstr "パスワードでログインしてから本を飛ばすをバインドしてください"
 
-#: authentication/views/login.py:69
+#: authentication/views/login.py:175
 msgid "Redirecting"
 msgstr "リダイレクト"
 
-#: authentication/views/login.py:70
+#: authentication/views/login.py:176
 msgid "Redirecting to {} authentication"
 msgstr "{} 認証へのリダイレクト"
 
-#: authentication/views/login.py:93
+#: authentication/views/login.py:199
 msgid "Please enable cookies and try again."
 msgstr "クッキーを有効にして、もう一度お試しください。"
 
-#: authentication/views/login.py:300
+#: authentication/views/login.py:301
 msgid ""
 "Wait for <b>{}</b> confirm, You also can copy link to her/him <br/>\n"
 "                  Don't close this page"
@@ -2462,15 +2463,15 @@ msgstr ""
 "<b>{}</b> 確認を待ちます。彼女/彼へのリンクをコピーすることもできます <br/>\n"
 "                  このページを閉じないでください"
 
-#: authentication/views/login.py:305
+#: authentication/views/login.py:306
 msgid "No ticket found"
 msgstr "チケットが見つかりません"
 
-#: authentication/views/login.py:339
+#: authentication/views/login.py:340
 msgid "Logout success"
 msgstr "ログアウト成功"
 
-#: authentication/views/login.py:340
+#: authentication/views/login.py:341
 msgid "Logout success, return login page"
 msgstr "ログアウト成功、ログインページを返す"
 
@@ -2678,11 +2679,11 @@ msgstr "特殊文字を含むべきではない"
 msgid "The mobile phone number format is incorrect"
 msgstr "携帯電話番号の形式が正しくありません"
 
-#: jumpserver/conf.py:304
+#: jumpserver/conf.py:306
 msgid "Create account successfully"
 msgstr "アカウントを正常に作成"
 
-#: jumpserver/conf.py:306
+#: jumpserver/conf.py:308
 msgid "Your account has been created successfully"
 msgstr "アカウントが正常に作成されました"
 
@@ -2937,14 +2938,14 @@ msgstr ""
 msgid "The organization have resource ({}) cannot be deleted"
 msgstr "組織のリソース ({}) は削除できません"
 
-#: orgs/apps.py:7 rbac/tree.py:115
+#: orgs/apps.py:7 rbac/tree.py:113
 msgid "App organizations"
 msgstr "アプリ組織"
 
 #: orgs/mixins/models.py:46 orgs/mixins/serializers.py:25 orgs/models.py:80
 #: orgs/models.py:211 rbac/const.py:7 rbac/models/rolebinding.py:48
 #: rbac/serializers/rolebinding.py:40 settings/serializers/auth/ldap.py:62
-#: tickets/models/ticket/general.py:289 tickets/serializers/ticket/ticket.py:51
+#: tickets/models/ticket/general.py:290 tickets/serializers/ticket/ticket.py:51
 msgid "Organization"
 msgstr "組織"
 
@@ -3153,7 +3154,7 @@ msgstr "私のアプリケーション"
 msgid "Empty"
 msgstr "空"
 
-#: perms/utils/asset/user_permission.py:620 rbac/tree.py:59
+#: perms/utils/asset/user_permission.py:620 rbac/tree.py:57
 msgid "My assets"
 msgstr "私の資産"
 
@@ -3288,83 +3289,83 @@ msgstr "ロール表示"
 msgid "Has bound this role"
 msgstr "この役割をバインドしました"
 
-#: rbac/tree.py:20 rbac/tree.py:21
+#: rbac/tree.py:18 rbac/tree.py:19
 msgid "All permissions"
 msgstr "すべての権限"
 
-#: rbac/tree.py:27
+#: rbac/tree.py:25
 msgid "Console view"
 msgstr "コンソールビュー"
 
-#: rbac/tree.py:28
+#: rbac/tree.py:26
 msgid "Workbench view"
 msgstr "ワークスペースビュー"
 
-#: rbac/tree.py:29
+#: rbac/tree.py:27
 msgid "Audit view"
 msgstr "監査ビュー"
 
-#: rbac/tree.py:30 settings/models.py:140
+#: rbac/tree.py:28 settings/models.py:140
 msgid "System setting"
 msgstr "システム設定"
 
-#: rbac/tree.py:31
+#: rbac/tree.py:29
 msgid "Other"
 msgstr "その他"
 
-#: rbac/tree.py:39
+#: rbac/tree.py:37
 msgid "Accounts"
 msgstr "アカウント"
 
-#: rbac/tree.py:43
+#: rbac/tree.py:41
 msgid "Session audits"
 msgstr "セッション監査"
 
-#: rbac/tree.py:53
+#: rbac/tree.py:51
 msgid "Cloud import"
 msgstr "クラウドインポート"
 
-#: rbac/tree.py:54
+#: rbac/tree.py:52
 msgid "Backup account"
 msgstr "バックアップアカウント"
 
-#: rbac/tree.py:55
+#: rbac/tree.py:53
 msgid "Gather account"
 msgstr "アカウントを集める"
 
-#: rbac/tree.py:56
+#: rbac/tree.py:54
 msgid "App change auth"
 msgstr "応用改密"
 
-#: rbac/tree.py:57
+#: rbac/tree.py:55
 msgid "Asset change auth"
 msgstr "資産の改ざん"
 
-#: rbac/tree.py:58
+#: rbac/tree.py:56
 msgid "Terminal setting"
 msgstr "ターミナル設定"
 
-#: rbac/tree.py:60
+#: rbac/tree.py:58
 msgid "My apps"
 msgstr "マイアプリ"
 
-#: rbac/tree.py:116
+#: rbac/tree.py:114
 msgid "Ticket comment"
 msgstr "チケットコメント"
 
-#: rbac/tree.py:117 tickets/models/ticket/general.py:294
+#: rbac/tree.py:115 tickets/models/ticket/general.py:295
 msgid "Ticket"
 msgstr "チケット"
 
-#: rbac/tree.py:118
+#: rbac/tree.py:116
 msgid "Common setting"
 msgstr "共通設定"
 
-#: rbac/tree.py:119
+#: rbac/tree.py:117
 msgid "View permission tree"
 msgstr "権限ツリーの表示"
 
-#: rbac/tree.py:120
+#: rbac/tree.py:118
 msgid "Execute batch command"
 msgstr "バッチ実行コマンド"
 
@@ -3490,7 +3491,7 @@ msgstr "ログインリダイレクトの有効化msg"
 msgid "Enable CAS Auth"
 msgstr "CAS 認証の有効化"
 
-#: settings/serializers/auth/cas.py:11 settings/serializers/auth/oidc.py:47
+#: settings/serializers/auth/cas.py:11 settings/serializers/auth/oidc.py:48
 msgid "Server url"
 msgstr "サービス側アドレス"
 
@@ -3555,7 +3556,7 @@ msgstr "ユーザー検索フィルター"
 msgid "Choice may be (cn|uid|sAMAccountName)=%(user)s)"
 msgstr "選択は (cnまたはuidまたはsAMAccountName)=%(user)s)"
 
-#: settings/serializers/auth/ldap.py:57 settings/serializers/auth/oidc.py:35
+#: settings/serializers/auth/ldap.py:57 settings/serializers/auth/oidc.py:36
 msgid "User attr map"
 msgstr "ユーザー属性マッピング"
 
@@ -3579,32 +3580,32 @@ msgstr "ページサイズを検索"
 msgid "Enable LDAP auth"
 msgstr "LDAP認証の有効化"
 
-#: settings/serializers/auth/oidc.py:14
+#: settings/serializers/auth/oidc.py:15
 msgid "Base site url"
 msgstr "ベースサイトのアドレス"
 
-#: settings/serializers/auth/oidc.py:17
+#: settings/serializers/auth/oidc.py:18
 msgid "Client Id"
 msgstr "クライアントID"
 
-#: settings/serializers/auth/oidc.py:20
+#: settings/serializers/auth/oidc.py:21
 #: xpack/plugins/cloud/serializers/account_attrs.py:36
 msgid "Client Secret"
 msgstr "クライアント秘密"
 
-#: settings/serializers/auth/oidc.py:28
+#: settings/serializers/auth/oidc.py:29
 msgid "Client authentication method"
 msgstr "クライアント認証方式"
 
-#: settings/serializers/auth/oidc.py:30
+#: settings/serializers/auth/oidc.py:31
 msgid "Share session"
 msgstr "セッションの共有"
 
-#: settings/serializers/auth/oidc.py:32
+#: settings/serializers/auth/oidc.py:33
 msgid "Ignore ssl verification"
 msgstr "Ssl検証を無視する"
 
-#: settings/serializers/auth/oidc.py:36
+#: settings/serializers/auth/oidc.py:37
 msgid ""
 "User attr map present how to map OpenID user attr to jumpserver, username,"
 "name,email is jumpserver attr"
@@ -3612,71 +3613,71 @@ msgstr ""
 "ユーザー属性マッピングは、OpenIDのユーザー属性をjumpserverユーザーにマッピン"
 "グする方法、username, name,emailはjumpserverのユーザーが必要とする属性です"
 
-#: settings/serializers/auth/oidc.py:44
+#: settings/serializers/auth/oidc.py:45
 msgid "Use Keycloak"
 msgstr "Keycloakを使用する"
 
-#: settings/serializers/auth/oidc.py:50
+#: settings/serializers/auth/oidc.py:51
 msgid "Realm name"
 msgstr "レルム名"
 
-#: settings/serializers/auth/oidc.py:56
+#: settings/serializers/auth/oidc.py:57
 msgid "Enable OPENID Auth"
 msgstr "OIDC認証の有効化"
 
-#: settings/serializers/auth/oidc.py:58
+#: settings/serializers/auth/oidc.py:59
 msgid "Provider endpoint"
 msgstr "プロバイダーエンドポイント"
 
-#: settings/serializers/auth/oidc.py:61
+#: settings/serializers/auth/oidc.py:62
 msgid "Provider auth endpoint"
 msgstr "認証エンドポイントアドレス"
 
-#: settings/serializers/auth/oidc.py:64
+#: settings/serializers/auth/oidc.py:65
 msgid "Provider token endpoint"
 msgstr "プロバイダートークンエンドポイント"
 
-#: settings/serializers/auth/oidc.py:67
+#: settings/serializers/auth/oidc.py:68
 msgid "Provider jwks endpoint"
 msgstr "プロバイダーjwksエンドポイント"
 
-#: settings/serializers/auth/oidc.py:70
+#: settings/serializers/auth/oidc.py:71
 msgid "Provider userinfo endpoint"
 msgstr "プロバイダーuserinfoエンドポイント"
 
-#: settings/serializers/auth/oidc.py:73
+#: settings/serializers/auth/oidc.py:74
 msgid "Provider end session endpoint"
 msgstr "プロバイダーのセッション終了エンドポイント"
 
-#: settings/serializers/auth/oidc.py:76
+#: settings/serializers/auth/oidc.py:77
 msgid "Provider sign alg"
 msgstr "プロビダーサインalg"
 
-#: settings/serializers/auth/oidc.py:79
+#: settings/serializers/auth/oidc.py:80
 msgid "Provider sign key"
 msgstr "プロバイダ署名キー"
 
-#: settings/serializers/auth/oidc.py:81
+#: settings/serializers/auth/oidc.py:82
 msgid "Scopes"
 msgstr "スコープ"
 
-#: settings/serializers/auth/oidc.py:83
+#: settings/serializers/auth/oidc.py:84
 msgid "Id token max age"
 msgstr "IDトークンの最大年齢"
 
-#: settings/serializers/auth/oidc.py:86
+#: settings/serializers/auth/oidc.py:87
 msgid "Id token include claims"
 msgstr "IDトークンにはクレームが含まれます"
 
-#: settings/serializers/auth/oidc.py:88
+#: settings/serializers/auth/oidc.py:89
 msgid "Use state"
 msgstr "使用状態"
 
-#: settings/serializers/auth/oidc.py:89
+#: settings/serializers/auth/oidc.py:90
 msgid "Use nonce"
 msgstr "Nonceを使用"
 
-#: settings/serializers/auth/oidc.py:91 settings/serializers/auth/saml2.py:33
+#: settings/serializers/auth/oidc.py:92 settings/serializers/auth/saml2.py:33
 msgid "Always update user"
 msgstr "常にユーザーを更新"
 
@@ -4696,9 +4697,9 @@ msgid "Output"
 msgstr "出力"
 
 #: terminal/backends/command/models.py:25 terminal/models/replay.py:9
-#: terminal/models/sharing.py:17 terminal/models/sharing.py:64
+#: terminal/models/sharing.py:19 terminal/models/sharing.py:76
 #: terminal/templates/terminal/_msg_command_alert.html:10
-#: tickets/models/ticket/command_confirm.py:23
+#: tickets/models/ticket/command_confirm.py:20
 msgid "Session"
 msgstr "セッション"
 
@@ -4810,7 +4811,7 @@ msgstr "セッションのリプレイをアップロードできます"
 msgid "Can download session replay"
 msgstr "セッション再生をダウンロードできます"
 
-#: terminal/models/session.py:50 terminal/models/sharing.py:87
+#: terminal/models/session.py:50 terminal/models/sharing.py:99
 msgid "Login from"
 msgstr "ログイン元"
 
@@ -4842,56 +4843,62 @@ msgstr "セッションを終了できます"
 msgid "Can validate session action perm"
 msgstr "セッションアクションのパーマを検証できます"
 
-#: terminal/models/sharing.py:22
+#: terminal/models/sharing.py:24
 msgid "Creator"
 msgstr "作成者"
 
-#: terminal/models/sharing.py:24 terminal/models/sharing.py:66
+#: terminal/models/sharing.py:26 terminal/models/sharing.py:78
 msgid "Verify code"
 msgstr "コードの確認"
 
-#: terminal/models/sharing.py:29
+#: terminal/models/sharing.py:31
 msgid "Expired time (min)"
 msgstr "期限切れ時間 (分)"
 
-#: terminal/models/sharing.py:34 terminal/models/sharing.py:69
+#: terminal/models/sharing.py:37 terminal/models/sharing.py:81
 msgid "Session sharing"
 msgstr "セッション共有"
 
-#: terminal/models/sharing.py:36
+#: terminal/models/sharing.py:39
 msgid "Can add super session sharing"
 msgstr "スーパーセッション共有を追加できます"
 
-#: terminal/models/sharing.py:54
+#: terminal/models/sharing.py:64
 msgid "Link not active"
 msgstr "リンクがアクティブでない"
 
-#: terminal/models/sharing.py:56
+#: terminal/models/sharing.py:66
 msgid "Link expired"
 msgstr "リンク期限切れ"
 
-#: terminal/models/sharing.py:73 terminal/serializers/sharing.py:49
+#: terminal/models/sharing.py:68
+#, fuzzy
+#| msgid "IP is not allowed"
+msgid "User not allowed to join"
+msgstr "IPは許可されていません"
+
+#: terminal/models/sharing.py:85 terminal/serializers/sharing.py:58
 msgid "Joiner"
 msgstr "ジョイナー"
 
-#: terminal/models/sharing.py:76
+#: terminal/models/sharing.py:88
 msgid "Date joined"
 msgstr "参加日"
 
-#: terminal/models/sharing.py:79
+#: terminal/models/sharing.py:91
 msgid "Date left"
 msgstr "日付が残っています"
 
-#: terminal/models/sharing.py:97 tickets/const.py:26
+#: terminal/models/sharing.py:109 tickets/const.py:26
 #: xpack/plugins/change_auth_plan/models/base.py:192
 msgid "Finished"
 msgstr "終了"
 
-#: terminal/models/sharing.py:102
+#: terminal/models/sharing.py:114
 msgid "Session join record"
 msgstr "セッション参加記録"
 
-#: terminal/models/sharing.py:118
+#: terminal/models/sharing.py:130
 msgid "Invalid verification code"
 msgstr "検証コードが無効"
 
@@ -4974,7 +4981,9 @@ msgstr "一括危険コマンド警告"
 #: terminal/serializers/endpoint.py:39
 msgid ""
 "If asset IP addresses under different endpoints conflict, use asset labels"
-msgstr "異なるエンドポイントの下に競合するアセットIPがある場合は、アセットタグを使用して実装します"
+msgstr ""
+"異なるエンドポイントの下に競合するアセットIPがある場合は、アセットタグを使用"
+"して実装します"
 
 #: terminal/serializers/session.py:31
 msgid "User ID"
@@ -5180,7 +5189,7 @@ msgstr ""
 "チケットのタイトル: {} チケット申請者: {} チケットプロセッサ: {} チケットID: "
 "{}"
 
-#: tickets/handlers/base.py:75
+#: tickets/handlers/base.py:72
 msgid "{} {} the ticket"
 msgstr "{} {} チケット"
 
@@ -5196,8 +5205,8 @@ msgstr "応用ログイン都市"
 msgid "Applied login datetime"
 msgstr "適用されたログインの日付時間"
 
-#: tickets/models/comment.py:13 tickets/models/ticket/general.py:38
-#: tickets/models/ticket/general.py:266
+#: tickets/models/comment.py:13 tickets/models/ticket/general.py:39
+#: tickets/models/ticket/general.py:267
 msgid "State"
 msgstr "状態"
 
@@ -5214,7 +5223,7 @@ msgid "Body"
 msgstr "ボディ"
 
 #: tickets/models/flow.py:20 tickets/models/flow.py:62
-#: tickets/models/ticket/general.py:34
+#: tickets/models/ticket/general.py:35
 msgid "Approve level"
 msgstr "レベルを承認する"
 
@@ -5269,61 +5278,61 @@ msgstr "資産の適用"
 msgid "Run user"
 msgstr "ユーザーの実行"
 
-#: tickets/models/ticket/command_confirm.py:14
+#: tickets/models/ticket/command_confirm.py:12
 msgid "Run asset"
 msgstr "アセットの実行"
 
-#: tickets/models/ticket/command_confirm.py:18
+#: tickets/models/ticket/command_confirm.py:15
 msgid "Run system user"
 msgstr "システムユーザーの実行"
 
-#: tickets/models/ticket/command_confirm.py:20
+#: tickets/models/ticket/command_confirm.py:17
 msgid "Run command"
 msgstr "実行コマンド"
 
-#: tickets/models/ticket/command_confirm.py:27
+#: tickets/models/ticket/command_confirm.py:24
 msgid "From cmd filter"
 msgstr "コマンドフィルタ規則から"
 
-#: tickets/models/ticket/command_confirm.py:31
+#: tickets/models/ticket/command_confirm.py:28
 msgid "From cmd filter rule"
 msgstr "コマンドフィルタ規則から"
 
-#: tickets/models/ticket/general.py:69
+#: tickets/models/ticket/general.py:70
 msgid "Ticket step"
 msgstr "チケットステップ"
 
-#: tickets/models/ticket/general.py:87
+#: tickets/models/ticket/general.py:88
 msgid "Ticket assignee"
 msgstr "割り当てられたチケット"
 
-#: tickets/models/ticket/general.py:259
+#: tickets/models/ticket/general.py:260
 msgid "Title"
 msgstr "タイトル"
 
-#: tickets/models/ticket/general.py:275
+#: tickets/models/ticket/general.py:276
 msgid "Applicant"
 msgstr "応募者"
 
-#: tickets/models/ticket/general.py:280
+#: tickets/models/ticket/general.py:281
 msgid "TicketFlow"
 msgstr "作業指示プロセス"
 
-#: tickets/models/ticket/general.py:283
+#: tickets/models/ticket/general.py:284
 msgid "Approval step"
 msgstr "承認ステップ"
 
-#: tickets/models/ticket/general.py:286
+#: tickets/models/ticket/general.py:287
 #, fuzzy
 #| msgid "Change auth plan snapshot"
 msgid "Relation snapshot"
 msgstr "計画スナップショットの暗号化"
 
-#: tickets/models/ticket/general.py:378
+#: tickets/models/ticket/general.py:380
 msgid "Please try again"
 msgstr "もう一度お試しください"
 
-#: tickets/models/ticket/general.py:385
+#: tickets/models/ticket/general.py:387
 msgid "Super ticket"
 msgstr "スーパーチケット"
 
@@ -5417,7 +5426,7 @@ msgid "Ticket information"
 msgstr "作業指示情報"
 
 #: tickets/templates/tickets/approve_check_password.html:29
-#: tickets/views/approve.py:25
+#: tickets/views/approve.py:39
 msgid "Ticket approval"
 msgstr "作業指示の承認"
 
@@ -5429,26 +5438,26 @@ msgstr "承認"
 msgid "Go Login"
 msgstr "ログイン"
 
-#: tickets/views/approve.py:26
+#: tickets/views/approve.py:40
 msgid ""
 "This ticket does not exist, the process has ended, or this link has expired"
 msgstr ""
 "このワークシートが存在しないか、ワークシートが終了したか、このリンクが無効に"
 "なっています"
 
-#: tickets/views/approve.py:55
+#: tickets/views/approve.py:69
 msgid "Click the button below to approve or reject"
 msgstr "下のボタンをクリックして同意または拒否。"
 
-#: tickets/views/approve.py:57
+#: tickets/views/approve.py:71
 msgid "After successful authentication, this ticket can be approved directly"
 msgstr "認証に成功した後、作業指示書は直接承認することができる。"
 
-#: tickets/views/approve.py:79
+#: tickets/views/approve.py:93
 msgid "Illegal approval action"
 msgstr "無効な承認アクション"
 
-#: tickets/views/approve.py:89
+#: tickets/views/approve.py:106
 msgid "This user is not authorized to approve this ticket"
 msgstr "このユーザーはこの作業指示を承認する権限がありません"
 
@@ -5599,27 +5608,27 @@ msgstr "最終更新日パスワード"
 msgid "Need update password"
 msgstr "更新パスワードが必要"
 
-#: users/models/user.py:890
+#: users/models/user.py:892
 msgid "Can invite user"
 msgstr "ユーザーを招待できます"
 
-#: users/models/user.py:891
+#: users/models/user.py:893
 msgid "Can remove user"
 msgstr "ユーザーを削除できます"
 
-#: users/models/user.py:892
+#: users/models/user.py:894
 msgid "Can match user"
 msgstr "ユーザーに一致できます"
 
-#: users/models/user.py:901
+#: users/models/user.py:903
 msgid "Administrator"
 msgstr "管理者"
 
-#: users/models/user.py:904
+#: users/models/user.py:906
 msgid "Administrator is the super user of system"
 msgstr "管理者はシステムのスーパーユーザーです"
 
-#: users/models/user.py:929
+#: users/models/user.py:931
 msgid "User password history"
 msgstr "ユーザーパスワード履歴"
 
@@ -5674,14 +5683,22 @@ msgstr "新しく設定されたパスワードが一致しない"
 msgid "Is first login"
 msgstr "最初のログインです"
 
-#: users/serializers/user.py:26 users/serializers/user.py:33
+#: users/serializers/user.py:26
 msgid "System roles"
 msgstr "システムの役割"
 
-#: users/serializers/user.py:31 users/serializers/user.py:34
+#: users/serializers/user.py:31
 msgid "Org roles"
 msgstr "組織ロール"
 
+#: users/serializers/user.py:33
+msgid "System roles display"
+msgstr "システムロール表示"
+
+#: users/serializers/user.py:34
+msgid "Org roles display"
+msgstr "組織ロール表示"
+
 #: users/serializers/user.py:79
 #: xpack/plugins/change_auth_plan/models/base.py:35
 #: xpack/plugins/change_auth_plan/serializers/base.py:27
diff --git a/apps/locale/zh/LC_MESSAGES/django.mo b/apps/locale/zh/LC_MESSAGES/django.mo
index 61e856ed9..f1dae84be 100644
--- a/apps/locale/zh/LC_MESSAGES/django.mo
+++ b/apps/locale/zh/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:441fff7ae0f44b24707348210678fe723299bf5abba943ea7080ba4a789a0801
-size 103826
+oid sha256:c5ff75df4d230b21b28e74f94fcbf56801f85cecc2dfba647e69182acf39295f
+size 103945
diff --git a/apps/locale/zh/LC_MESSAGES/django.po b/apps/locale/zh/LC_MESSAGES/django.po
index c0de09c2a..055027668 100644
--- a/apps/locale/zh/LC_MESSAGES/django.po
+++ b/apps/locale/zh/LC_MESSAGES/django.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: JumpServer 0.3.3\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-06-29 18:09+0800\n"
+"POT-Creation-Date: 2022-06-30 15:51+0800\n"
 "PO-Revision-Date: 2021-05-20 10:54+0800\n"
 "Last-Translator: ibuler <ibuler@qq.com>\n"
 "Language-Team: JumpServer team<ibuler@qq.com>\n"
@@ -48,7 +48,7 @@ msgstr "优先级可选范围为 1-100 (数值越小越优先)"
 
 #: acls/models/base.py:31 authentication/models.py:18
 #: authentication/templates/authentication/_access_key_modal.html:32
-#: perms/models/base.py:88 terminal/models/sharing.py:26 tickets/const.py:39
+#: perms/models/base.py:88 terminal/models/sharing.py:28 tickets/const.py:39
 msgid "Active"
 msgstr "激活中"
 
@@ -62,7 +62,7 @@ msgstr "激活中"
 #: perms/models/base.py:93 rbac/models/role.py:37 settings/models.py:34
 #: terminal/models/endpoint.py:21 terminal/models/endpoint.py:92
 #: terminal/models/storage.py:29 terminal/models/terminal.py:114
-#: tickets/models/comment.py:32 tickets/models/ticket/general.py:277
+#: tickets/models/comment.py:32 tickets/models/ticket/general.py:278
 #: users/models/group.py:16 users/models/user.py:698
 #: xpack/plugins/change_auth_plan/models/base.py:44
 #: xpack/plugins/cloud/models.py:35 xpack/plugins/cloud/models.py:116
@@ -91,9 +91,10 @@ msgstr "登录复核"
 #: rbac/builtin.py:118 rbac/models/rolebinding.py:41
 #: terminal/backends/command/models.py:20
 #: terminal/backends/command/serializers.py:12 terminal/models/session.py:44
-#: terminal/notifications.py:91 terminal/notifications.py:139
-#: tickets/models/comment.py:21 users/const.py:14 users/models/user.py:888
-#: users/models/user.py:919 users/serializers/group.py:19
+#: terminal/models/sharing.py:33 terminal/notifications.py:91
+#: terminal/notifications.py:139 tickets/models/comment.py:21 users/const.py:14
+#: users/models/user.py:890 users/models/user.py:921
+#: users/serializers/group.py:19
 msgid "User"
 msgstr "用户"
 
@@ -304,7 +305,7 @@ msgstr "类别"
 #: terminal/models/storage.py:58 terminal/models/storage.py:142
 #: tickets/models/comment.py:26 tickets/models/flow.py:57
 #: tickets/models/ticket/apply_application.py:17
-#: tickets/models/ticket/general.py:262
+#: tickets/models/ticket/general.py:263
 #: xpack/plugins/change_auth_plan/models/app.py:28
 #: xpack/plugins/change_auth_plan/models/app.py:153
 msgid "Type"
@@ -350,7 +351,7 @@ msgstr "类型名称"
 #: assets/serializers/cmd_filter.py:48 common/db/models.py:114
 #: common/mixins/models.py:50 ops/models/adhoc.py:39 ops/models/command.py:30
 #: orgs/models.py:67 orgs/models.py:217 perms/models/base.py:92
-#: users/models/group.py:18 users/models/user.py:920
+#: users/models/group.py:18 users/models/user.py:922
 #: xpack/plugins/cloud/models.py:125
 msgid "Date created"
 msgstr "创建日期"
@@ -494,7 +495,7 @@ msgid "Charset"
 msgstr "编码"
 
 #: assets/models/asset.py:141 assets/serializers/asset.py:176
-#: tickets/models/ticket/general.py:287
+#: tickets/models/ticket/general.py:288
 msgid "Meta"
 msgstr "元数据"
 
@@ -516,7 +517,7 @@ msgstr "制造商"
 msgid "Model"
 msgstr "型号"
 
-#: assets/models/asset.py:170 tickets/models/ticket/general.py:285
+#: assets/models/asset.py:170 tickets/models/ticket/general.py:286
 msgid "Serial number"
 msgstr "序列号"
 
@@ -706,7 +707,7 @@ msgid "Trigger mode"
 msgstr "触发模式"
 
 #: assets/models/backup.py:119 audits/models.py:127
-#: terminal/models/sharing.py:94
+#: terminal/models/sharing.py:106
 #: xpack/plugins/change_auth_plan/models/base.py:201
 #: xpack/plugins/change_auth_plan/serializers/app.py:66
 #: xpack/plugins/change_auth_plan/serializers/asset.py:180
@@ -816,7 +817,7 @@ msgid "Default"
 msgstr "默认"
 
 #: assets/models/cluster.py:36 assets/models/label.py:14 rbac/const.py:6
-#: users/models/user.py:905
+#: users/models/user.py:907
 msgid "System"
 msgstr "系统"
 
@@ -1368,7 +1369,7 @@ msgstr "日志审计"
 
 #: audits/models.py:27 audits/models.py:59
 #: authentication/templates/authentication/_access_key_modal.html:65
-#: rbac/tree.py:228
+#: rbac/tree.py:226
 msgid "Delete"
 msgstr "删除"
 
@@ -1397,7 +1398,7 @@ msgid "Symlink"
 msgstr "建立软链接"
 
 #: audits/models.py:38 audits/models.py:66 audits/models.py:89
-#: terminal/models/session.py:51 terminal/models/sharing.py:82
+#: terminal/models/session.py:51 terminal/models/sharing.py:94
 msgid "Remote addr"
 msgstr "远端地址"
 
@@ -1409,8 +1410,8 @@ msgstr "操作"
 msgid "Filename"
 msgstr "文件名"
 
-#: audits/models.py:43 audits/models.py:117 terminal/models/sharing.py:90
-#: tickets/views/approve.py:98
+#: audits/models.py:43 audits/models.py:117 terminal/models/sharing.py:102
+#: tickets/views/approve.py:115
 #: xpack/plugins/change_auth_plan/serializers/app.py:87
 #: xpack/plugins/change_auth_plan/serializers/asset.py:198
 msgid "Success"
@@ -1422,15 +1423,15 @@ msgstr "文件管理"
 
 #: audits/models.py:56
 #: authentication/templates/authentication/_access_key_modal.html:22
-#: rbac/tree.py:225
+#: rbac/tree.py:223
 msgid "Create"
 msgstr "创建"
 
-#: audits/models.py:57 rbac/tree.py:226
+#: audits/models.py:57 rbac/tree.py:224
 msgid "View"
 msgstr "查看"
 
-#: audits/models.py:58 rbac/tree.py:227 templates/_csv_import_export.html:18
+#: audits/models.py:58 rbac/tree.py:225 templates/_csv_import_export.html:18
 #: templates/_csv_update_modal.html:6
 msgid "Update"
 msgstr "更新"
@@ -1498,7 +1499,7 @@ msgid "MFA"
 msgstr "MFA"
 
 #: audits/models.py:128 terminal/models/status.py:33
-#: tickets/models/ticket/general.py:270 xpack/plugins/cloud/models.py:175
+#: tickets/models/ticket/general.py:271 xpack/plugins/cloud/models.py:175
 #: xpack/plugins/cloud/models.py:227
 msgid "Status"
 msgstr "状态"
@@ -1569,13 +1570,13 @@ msgid "Auth Token"
 msgstr "认证令牌"
 
 #: audits/signal_handlers.py:53 authentication/notifications.py:73
-#: authentication/views/login.py:163 authentication/views/wecom.py:177
+#: authentication/views/login.py:67 authentication/views/wecom.py:177
 #: notifications/backends/__init__.py:11 users/models/user.py:720
 msgid "WeCom"
 msgstr "企业微信"
 
 #: audits/signal_handlers.py:54 authentication/views/dingtalk.py:179
-#: authentication/views/login.py:169 notifications/backends/__init__.py:12
+#: authentication/views/login.py:73 notifications/backends/__init__.py:12
 #: users/models/user.py:721
 msgid "DingTalk"
 msgstr "钉钉"
@@ -1831,59 +1832,59 @@ msgstr "无效的令牌头。符号字符串不应包含无效字符。"
 msgid "Invalid token or cache refreshed."
 msgstr "刷新的令牌或缓存无效。"
 
-#: authentication/errors.py:26
+#: authentication/errors/const.py:18
 msgid "Username/password check failed"
 msgstr "用户名/密码 校验失败"
 
-#: authentication/errors.py:27
+#: authentication/errors/const.py:19
 msgid "Password decrypt failed"
 msgstr "密码解密失败"
 
-#: authentication/errors.py:28
+#: authentication/errors/const.py:20
 msgid "MFA failed"
 msgstr "MFA 校验失败"
 
-#: authentication/errors.py:29
+#: authentication/errors/const.py:21
 msgid "MFA unset"
 msgstr "MFA 没有设定"
 
-#: authentication/errors.py:30
+#: authentication/errors/const.py:22
 msgid "Username does not exist"
 msgstr "用户名不存在"
 
-#: authentication/errors.py:31
+#: authentication/errors/const.py:23
 msgid "Password expired"
 msgstr "密码已过期"
 
-#: authentication/errors.py:32
+#: authentication/errors/const.py:24
 msgid "Disabled or expired"
 msgstr "禁用或失效"
 
-#: authentication/errors.py:33
+#: authentication/errors/const.py:25
 msgid "This account is inactive."
 msgstr "此账号已禁用"
 
-#: authentication/errors.py:34
+#: authentication/errors/const.py:26
 msgid "This account is expired"
 msgstr "此账号已过期"
 
-#: authentication/errors.py:35
+#: authentication/errors/const.py:27
 msgid "Auth backend not match"
 msgstr "没有匹配到认证后端"
 
-#: authentication/errors.py:36
+#: authentication/errors/const.py:28
 msgid "ACL is not allowed"
 msgstr "ACL 不被允许"
 
-#: authentication/errors.py:37
+#: authentication/errors/const.py:29
 msgid "Only local users are allowed"
 msgstr "仅允许本地用户"
 
-#: authentication/errors.py:47
+#: authentication/errors/const.py:39
 msgid "No session found, check your cookie"
 msgstr "会话已变更，刷新页面"
 
-#: authentication/errors.py:49
+#: authentication/errors/const.py:41
 #, python-brace-format
 msgid ""
 "The username or password you entered is incorrect, please enter it again. "
@@ -1893,19 +1894,19 @@ msgstr ""
 "您输入的用户名或密码不正确，请重新输入。 您还可以尝试 {times_try} 次（账号将"
 "被临时 锁定 {block_time} 分钟）"
 
-#: authentication/errors.py:55 authentication/errors.py:63
+#: authentication/errors/const.py:47 authentication/errors/const.py:55
 msgid ""
 "The account has been locked (please contact admin to unlock it or try again "
 "after {} minutes)"
 msgstr "账号已被锁定（请联系管理员解锁或{}分钟后重试）"
 
-#: authentication/errors.py:59
+#: authentication/errors/const.py:51
 msgid ""
 "The ip has been locked (please contact admin to unlock it or try again after "
 "{} minutes)"
 msgstr "IP 已被锁定（请联系管理员解锁或{}分钟后重试）"
 
-#: authentication/errors.py:67
+#: authentication/errors/const.py:59
 #, python-brace-format
 msgid ""
 "{error}, You can also try {times_try} times (The account will be temporarily "
@@ -1913,66 +1914,66 @@ msgid ""
 msgstr ""
 "{error}，您还可以尝试 {times_try} 次（账号将被临时锁定 {block_time} 分钟）"
 
-#: authentication/errors.py:71
+#: authentication/errors/const.py:63
 msgid "MFA required"
 msgstr "需要 MFA 认证"
 
-#: authentication/errors.py:72
+#: authentication/errors/const.py:64
 msgid "MFA not set, please set it first"
 msgstr "MFA 没有设置，请先完成设置"
 
-#: authentication/errors.py:73
+#: authentication/errors/const.py:65
 msgid "Login confirm required"
 msgstr "需要登录复核"
 
-#: authentication/errors.py:74
+#: authentication/errors/const.py:66
 msgid "Wait login confirm ticket for accept"
 msgstr "等待登录复核处理"
 
-#: authentication/errors.py:75
+#: authentication/errors/const.py:67
 msgid "Login confirm ticket was {}"
 msgstr "登录复核 {}"
 
-#: authentication/errors.py:255
+#: authentication/errors/failed.py:145
 msgid "IP is not allowed"
 msgstr "来源 IP 不被允许登录"
 
-#: authentication/errors.py:262
+#: authentication/errors/failed.py:152
 msgid "Time Period is not allowed"
 msgstr "该 时间段 不被允许登录"
 
-#: authentication/errors.py:295
-msgid "SSO auth closed"
-msgstr "SSO 认证关闭了"
-
-#: authentication/errors.py:300 authentication/mixins.py:306
-msgid "Your password is too simple, please change it for security"
-msgstr "你的密码过于简单，为了安全，请修改"
-
-#: authentication/errors.py:309 authentication/mixins.py:313
-msgid "You should to change your password before login"
-msgstr "登录完成前，请先修改密码"
-
-#: authentication/errors.py:318 authentication/mixins.py:320
-msgid "Your password has expired, please reset before logging in"
-msgstr "您的密码已过期，先修改再登录"
-
-#: authentication/errors.py:352
-msgid "Your password is invalid"
-msgstr "您的密码无效"
-
-#: authentication/errors.py:357
+#: authentication/errors/failed.py:157
 msgid "Please enter MFA code"
 msgstr "请输入 MFA 验证码"
 
-#: authentication/errors.py:362
+#: authentication/errors/failed.py:162
 msgid "Please enter SMS code"
 msgstr "请输入短信验证码"
 
-#: authentication/errors.py:367 users/exceptions.py:15
+#: authentication/errors/failed.py:167 users/exceptions.py:15
 msgid "Phone not set"
 msgstr "手机号没有设置"
 
+#: authentication/errors/mfa.py:8
+msgid "SSO auth closed"
+msgstr "SSO 认证关闭了"
+
+#: authentication/errors/mfa.py:38
+msgid "Your password is invalid"
+msgstr "您的密码无效"
+
+#: authentication/errors/redirect.py:79 authentication/mixins.py:306
+msgid "Your password is too simple, please change it for security"
+msgstr "你的密码过于简单，为了安全，请修改"
+
+#: authentication/errors/redirect.py:88 authentication/mixins.py:313
+msgid "You should to change your password before login"
+msgstr "登录完成前，请先修改密码"
+
+#: authentication/errors/redirect.py:97 authentication/mixins.py:320
+msgid "Your password has expired, please reset before logging in"
+msgstr "您的密码已过期，先修改再登录"
+
 #: authentication/forms.py:45
 msgid "{} days auto login"
 msgstr "{} 天内自动登录"
@@ -2195,7 +2196,7 @@ msgstr "代码错误"
 #: authentication/templates/authentication/_msg_reset_password.html:3
 #: authentication/templates/authentication/_msg_rest_password_success.html:2
 #: authentication/templates/authentication/_msg_rest_public_key_success.html:2
-#: jumpserver/conf.py:305 ops/tasks.py:145 ops/tasks.py:148
+#: jumpserver/conf.py:307 ops/tasks.py:145 ops/tasks.py:148
 #: perms/templates/perms/_msg_item_permissions_expire.html:3
 #: perms/templates/perms/_msg_permed_items_expire.html:3
 #: tickets/templates/tickets/approve_check_password.html:33
@@ -2391,7 +2392,7 @@ msgstr "飞书查询用户失败"
 msgid "The FeiShu is already bound to another user"
 msgstr "该飞书已经绑定其他用户"
 
-#: authentication/views/feishu.py:143 authentication/views/login.py:175
+#: authentication/views/feishu.py:143 authentication/views/login.py:79
 #: notifications/backends/__init__.py:14 users/models/user.py:722
 msgid "FeiShu"
 msgstr "飞书"
@@ -2412,19 +2413,19 @@ msgstr "没有绑定飞书"
 msgid "Please login with a password and then bind the FeiShu"
 msgstr "请使用密码登录，然后绑定飞书"
 
-#: authentication/views/login.py:69
+#: authentication/views/login.py:175
 msgid "Redirecting"
 msgstr "跳转中"
 
-#: authentication/views/login.py:70
+#: authentication/views/login.py:176
 msgid "Redirecting to {} authentication"
 msgstr "正在跳转到 {} 认证"
 
-#: authentication/views/login.py:93
+#: authentication/views/login.py:199
 msgid "Please enable cookies and try again."
 msgstr "设置你的浏览器支持cookie"
 
-#: authentication/views/login.py:300
+#: authentication/views/login.py:301
 msgid ""
 "Wait for <b>{}</b> confirm, You also can copy link to her/him <br/>\n"
 "                  Don't close this page"
@@ -2432,15 +2433,15 @@ msgstr ""
 "等待 <b>{}</b> 确认, 你也可以复制链接发给他/她 <br/>\n"
 "                  不要关闭本页面"
 
-#: authentication/views/login.py:305
+#: authentication/views/login.py:306
 msgid "No ticket found"
 msgstr "没有发现工单"
 
-#: authentication/views/login.py:339
+#: authentication/views/login.py:340
 msgid "Logout success"
 msgstr "退出登录成功"
 
-#: authentication/views/login.py:340
+#: authentication/views/login.py:341
 msgid "Logout success, return login page"
 msgstr "退出登录成功，返回到登录页面"
 
@@ -2648,11 +2649,11 @@ msgstr "不能包含特殊字符"
 msgid "The mobile phone number format is incorrect"
 msgstr "手机号格式不正确"
 
-#: jumpserver/conf.py:304
+#: jumpserver/conf.py:306
 msgid "Create account successfully"
 msgstr "创建账号成功"
 
-#: jumpserver/conf.py:306
+#: jumpserver/conf.py:308
 msgid "Your account has been created successfully"
 msgstr "你的账号已创建成功"
 
@@ -2901,14 +2902,14 @@ msgstr "LDAP 同步设置组织为当前组织，请切换其他组织后再进
 msgid "The organization have resource ({}) cannot be deleted"
 msgstr "组织存在资源 ({}) 不能被删除"
 
-#: orgs/apps.py:7 rbac/tree.py:115
+#: orgs/apps.py:7 rbac/tree.py:113
 msgid "App organizations"
 msgstr "组织管理"
 
 #: orgs/mixins/models.py:46 orgs/mixins/serializers.py:25 orgs/models.py:80
 #: orgs/models.py:211 rbac/const.py:7 rbac/models/rolebinding.py:48
 #: rbac/serializers/rolebinding.py:40 settings/serializers/auth/ldap.py:62
-#: tickets/models/ticket/general.py:289 tickets/serializers/ticket/ticket.py:51
+#: tickets/models/ticket/general.py:290 tickets/serializers/ticket/ticket.py:51
 msgid "Organization"
 msgstr "组织"
 
@@ -3115,7 +3116,7 @@ msgstr "我的应用"
 msgid "Empty"
 msgstr "空"
 
-#: perms/utils/asset/user_permission.py:620 rbac/tree.py:59
+#: perms/utils/asset/user_permission.py:620 rbac/tree.py:57
 msgid "My assets"
 msgstr "我的资产"
 
@@ -3249,83 +3250,83 @@ msgstr "角色显示"
 msgid "Has bound this role"
 msgstr "已经绑定"
 
-#: rbac/tree.py:20 rbac/tree.py:21
+#: rbac/tree.py:18 rbac/tree.py:19
 msgid "All permissions"
 msgstr "所有权限"
 
-#: rbac/tree.py:27
+#: rbac/tree.py:25
 msgid "Console view"
 msgstr "控制台"
 
-#: rbac/tree.py:28
+#: rbac/tree.py:26
 msgid "Workbench view"
 msgstr "工作台"
 
-#: rbac/tree.py:29
+#: rbac/tree.py:27
 msgid "Audit view"
 msgstr "审计台"
 
-#: rbac/tree.py:30 settings/models.py:140
+#: rbac/tree.py:28 settings/models.py:140
 msgid "System setting"
 msgstr "系统设置"
 
-#: rbac/tree.py:31
+#: rbac/tree.py:29
 msgid "Other"
 msgstr "其它"
 
-#: rbac/tree.py:39
+#: rbac/tree.py:37
 msgid "Accounts"
 msgstr "账号管理"
 
-#: rbac/tree.py:43
+#: rbac/tree.py:41
 msgid "Session audits"
 msgstr "会话审计"
 
-#: rbac/tree.py:53
+#: rbac/tree.py:51
 msgid "Cloud import"
 msgstr "云同步"
 
-#: rbac/tree.py:54
+#: rbac/tree.py:52
 msgid "Backup account"
 msgstr "备份账号"
 
-#: rbac/tree.py:55
+#: rbac/tree.py:53
 msgid "Gather account"
 msgstr "收集账号"
 
-#: rbac/tree.py:56
+#: rbac/tree.py:54
 msgid "App change auth"
 msgstr "应用改密"
 
-#: rbac/tree.py:57
+#: rbac/tree.py:55
 msgid "Asset change auth"
 msgstr "资产改密"
 
-#: rbac/tree.py:58
+#: rbac/tree.py:56
 msgid "Terminal setting"
 msgstr "终端设置"
 
-#: rbac/tree.py:60
+#: rbac/tree.py:58
 msgid "My apps"
 msgstr "我的应用"
 
-#: rbac/tree.py:116
+#: rbac/tree.py:114
 msgid "Ticket comment"
 msgstr "工单评论"
 
-#: rbac/tree.py:117 tickets/models/ticket/general.py:294
+#: rbac/tree.py:115 tickets/models/ticket/general.py:295
 msgid "Ticket"
 msgstr "工单管理"
 
-#: rbac/tree.py:118
+#: rbac/tree.py:116
 msgid "Common setting"
 msgstr "一般设置"
 
-#: rbac/tree.py:119
+#: rbac/tree.py:117
 msgid "View permission tree"
 msgstr "查看授权树"
 
-#: rbac/tree.py:120
+#: rbac/tree.py:118
 msgid "Execute batch command"
 msgstr "执行批量命令"
 
@@ -3451,7 +3452,7 @@ msgstr "启用登录跳转提示"
 msgid "Enable CAS Auth"
 msgstr "启用 CAS 认证"
 
-#: settings/serializers/auth/cas.py:11 settings/serializers/auth/oidc.py:47
+#: settings/serializers/auth/cas.py:11 settings/serializers/auth/oidc.py:48
 msgid "Server url"
 msgstr "服务端地址"
 
@@ -3516,7 +3517,7 @@ msgstr "用户过滤器"
 msgid "Choice may be (cn|uid|sAMAccountName)=%(user)s)"
 msgstr "可能的选项是(cn或uid或sAMAccountName=%(user)s)"
 
-#: settings/serializers/auth/ldap.py:57 settings/serializers/auth/oidc.py:35
+#: settings/serializers/auth/ldap.py:57 settings/serializers/auth/oidc.py:36
 msgid "User attr map"
 msgstr "用户属性映射"
 
@@ -3540,32 +3541,32 @@ msgstr "搜索分页数量"
 msgid "Enable LDAP auth"
 msgstr "启用 LDAP 认证"
 
-#: settings/serializers/auth/oidc.py:14
+#: settings/serializers/auth/oidc.py:15
 msgid "Base site url"
 msgstr "JumpServer 地址"
 
-#: settings/serializers/auth/oidc.py:17
+#: settings/serializers/auth/oidc.py:18
 msgid "Client Id"
 msgstr "客户端 ID"
 
-#: settings/serializers/auth/oidc.py:20
+#: settings/serializers/auth/oidc.py:21
 #: xpack/plugins/cloud/serializers/account_attrs.py:36
 msgid "Client Secret"
 msgstr "客户端密钥"
 
-#: settings/serializers/auth/oidc.py:28
+#: settings/serializers/auth/oidc.py:29
 msgid "Client authentication method"
 msgstr "客户端认证方式"
 
-#: settings/serializers/auth/oidc.py:30
+#: settings/serializers/auth/oidc.py:31
 msgid "Share session"
 msgstr "共享会话"
 
-#: settings/serializers/auth/oidc.py:32
+#: settings/serializers/auth/oidc.py:33
 msgid "Ignore ssl verification"
 msgstr "忽略 SSL 证书验证"
 
-#: settings/serializers/auth/oidc.py:36
+#: settings/serializers/auth/oidc.py:37
 msgid ""
 "User attr map present how to map OpenID user attr to jumpserver, username,"
 "name,email is jumpserver attr"
@@ -3573,71 +3574,71 @@ msgstr ""
 "用户属性映射代表怎样将OpenID中用户属性映射到jumpserver用户上，username, name,"
 "email 是jumpserver的用户需要属性"
 
-#: settings/serializers/auth/oidc.py:44
+#: settings/serializers/auth/oidc.py:45
 msgid "Use Keycloak"
 msgstr "使用 Keycloak"
 
-#: settings/serializers/auth/oidc.py:50
+#: settings/serializers/auth/oidc.py:51
 msgid "Realm name"
 msgstr "域"
 
-#: settings/serializers/auth/oidc.py:56
+#: settings/serializers/auth/oidc.py:57
 msgid "Enable OPENID Auth"
 msgstr "启用 OIDC 认证"
 
-#: settings/serializers/auth/oidc.py:58
+#: settings/serializers/auth/oidc.py:59
 msgid "Provider endpoint"
 msgstr "端点地址"
 
-#: settings/serializers/auth/oidc.py:61
+#: settings/serializers/auth/oidc.py:62
 msgid "Provider auth endpoint"
 msgstr "授权端点地址"
 
-#: settings/serializers/auth/oidc.py:64
+#: settings/serializers/auth/oidc.py:65
 msgid "Provider token endpoint"
 msgstr "token 端点地址"
 
-#: settings/serializers/auth/oidc.py:67
+#: settings/serializers/auth/oidc.py:68
 msgid "Provider jwks endpoint"
 msgstr "jwks 端点地址"
 
-#: settings/serializers/auth/oidc.py:70
+#: settings/serializers/auth/oidc.py:71
 msgid "Provider userinfo endpoint"
 msgstr "用户信息端点地址"
 
-#: settings/serializers/auth/oidc.py:73
+#: settings/serializers/auth/oidc.py:74
 msgid "Provider end session endpoint"
 msgstr "注销会话端点地址"
 
-#: settings/serializers/auth/oidc.py:76
+#: settings/serializers/auth/oidc.py:77
 msgid "Provider sign alg"
 msgstr "签名算法"
 
-#: settings/serializers/auth/oidc.py:79
+#: settings/serializers/auth/oidc.py:80
 msgid "Provider sign key"
 msgstr "签名 Key"
 
-#: settings/serializers/auth/oidc.py:81
+#: settings/serializers/auth/oidc.py:82
 msgid "Scopes"
 msgstr "连接范围"
 
-#: settings/serializers/auth/oidc.py:83
+#: settings/serializers/auth/oidc.py:84
 msgid "Id token max age"
 msgstr "令牌有效时间"
 
-#: settings/serializers/auth/oidc.py:86
+#: settings/serializers/auth/oidc.py:87
 msgid "Id token include claims"
 msgstr "声明"
 
-#: settings/serializers/auth/oidc.py:88
+#: settings/serializers/auth/oidc.py:89
 msgid "Use state"
 msgstr "使用状态"
 
-#: settings/serializers/auth/oidc.py:89
+#: settings/serializers/auth/oidc.py:90
 msgid "Use nonce"
 msgstr "临时使用"
 
-#: settings/serializers/auth/oidc.py:91 settings/serializers/auth/saml2.py:33
+#: settings/serializers/auth/oidc.py:92 settings/serializers/auth/saml2.py:33
 msgid "Always update user"
 msgstr "总是更新用户信息"
 
@@ -4624,9 +4625,9 @@ msgid "Output"
 msgstr "输出"
 
 #: terminal/backends/command/models.py:25 terminal/models/replay.py:9
-#: terminal/models/sharing.py:17 terminal/models/sharing.py:64
+#: terminal/models/sharing.py:19 terminal/models/sharing.py:76
 #: terminal/templates/terminal/_msg_command_alert.html:10
-#: tickets/models/ticket/command_confirm.py:23
+#: tickets/models/ticket/command_confirm.py:20
 msgid "Session"
 msgstr "会话"
 
@@ -4738,7 +4739,7 @@ msgstr "可以上传会话录像"
 msgid "Can download session replay"
 msgstr "可以下载会话录像"
 
-#: terminal/models/session.py:50 terminal/models/sharing.py:87
+#: terminal/models/session.py:50 terminal/models/sharing.py:99
 msgid "Login from"
 msgstr "登录来源"
 
@@ -4770,56 +4771,62 @@ msgstr "可以终断会话"
 msgid "Can validate session action perm"
 msgstr "可以验证会话动作权限"
 
-#: terminal/models/sharing.py:22
+#: terminal/models/sharing.py:24
 msgid "Creator"
 msgstr "创建者"
 
-#: terminal/models/sharing.py:24 terminal/models/sharing.py:66
+#: terminal/models/sharing.py:26 terminal/models/sharing.py:78
 msgid "Verify code"
 msgstr "验证码"
 
-#: terminal/models/sharing.py:29
+#: terminal/models/sharing.py:31
 msgid "Expired time (min)"
 msgstr "过期时间 (分)"
 
-#: terminal/models/sharing.py:34 terminal/models/sharing.py:69
+#: terminal/models/sharing.py:37 terminal/models/sharing.py:81
 msgid "Session sharing"
 msgstr "会话分享"
 
-#: terminal/models/sharing.py:36
+#: terminal/models/sharing.py:39
 msgid "Can add super session sharing"
 msgstr "可以创建超级会话分享"
 
-#: terminal/models/sharing.py:54
+#: terminal/models/sharing.py:64
 msgid "Link not active"
 msgstr "链接失效"
 
-#: terminal/models/sharing.py:56
+#: terminal/models/sharing.py:66
 msgid "Link expired"
 msgstr "链接过期"
 
-#: terminal/models/sharing.py:73 terminal/serializers/sharing.py:49
+#: terminal/models/sharing.py:68
+#, fuzzy
+#| msgid "IP is not allowed"
+msgid "User not allowed to join"
+msgstr "来源 IP 不被允许登录"
+
+#: terminal/models/sharing.py:85 terminal/serializers/sharing.py:58
 msgid "Joiner"
 msgstr "加入者"
 
-#: terminal/models/sharing.py:76
+#: terminal/models/sharing.py:88
 msgid "Date joined"
 msgstr "加入日期"
 
-#: terminal/models/sharing.py:79
+#: terminal/models/sharing.py:91
 msgid "Date left"
 msgstr "结束日期"
 
-#: terminal/models/sharing.py:97 tickets/const.py:26
+#: terminal/models/sharing.py:109 tickets/const.py:26
 #: xpack/plugins/change_auth_plan/models/base.py:192
 msgid "Finished"
 msgstr "结束"
 
-#: terminal/models/sharing.py:102
+#: terminal/models/sharing.py:114
 msgid "Session join record"
 msgstr "会话加入记录"
 
-#: terminal/models/sharing.py:118
+#: terminal/models/sharing.py:130
 msgid "Invalid verification code"
 msgstr "验证码不正确"
 
@@ -5106,7 +5113,7 @@ msgid ""
 msgstr ""
 "通过工单创建, 工单标题: {}, 工单申请人: {}, 工单处理人: {}, 工单 ID: {}"
 
-#: tickets/handlers/base.py:75
+#: tickets/handlers/base.py:72
 msgid "{} {} the ticket"
 msgstr "{} {} 工单"
 
@@ -5122,8 +5129,8 @@ msgstr "申请登录的城市"
 msgid "Applied login datetime"
 msgstr "申请登录的日期"
 
-#: tickets/models/comment.py:13 tickets/models/ticket/general.py:38
-#: tickets/models/ticket/general.py:266
+#: tickets/models/comment.py:13 tickets/models/ticket/general.py:39
+#: tickets/models/ticket/general.py:267
 msgid "State"
 msgstr "状态"
 
@@ -5140,7 +5147,7 @@ msgid "Body"
 msgstr "内容"
 
 #: tickets/models/flow.py:20 tickets/models/flow.py:62
-#: tickets/models/ticket/general.py:34
+#: tickets/models/ticket/general.py:35
 msgid "Approve level"
 msgstr "审批级别"
 
@@ -5195,61 +5202,61 @@ msgstr "申请资产"
 msgid "Run user"
 msgstr "运行的用户"
 
-#: tickets/models/ticket/command_confirm.py:14
+#: tickets/models/ticket/command_confirm.py:12
 msgid "Run asset"
 msgstr "运行的资产"
 
-#: tickets/models/ticket/command_confirm.py:18
+#: tickets/models/ticket/command_confirm.py:15
 msgid "Run system user"
 msgstr "运行的系统用户"
 
-#: tickets/models/ticket/command_confirm.py:20
+#: tickets/models/ticket/command_confirm.py:17
 msgid "Run command"
 msgstr "运行的命令"
 
-#: tickets/models/ticket/command_confirm.py:27
+#: tickets/models/ticket/command_confirm.py:24
 msgid "From cmd filter"
 msgstr "来自命令过滤规则"
 
-#: tickets/models/ticket/command_confirm.py:31
+#: tickets/models/ticket/command_confirm.py:28
 msgid "From cmd filter rule"
 msgstr "来自命令过滤规则"
 
-#: tickets/models/ticket/general.py:69
+#: tickets/models/ticket/general.py:70
 msgid "Ticket step"
 msgstr "工单步骤"
 
-#: tickets/models/ticket/general.py:87
+#: tickets/models/ticket/general.py:88
 msgid "Ticket assignee"
 msgstr "工单受理人"
 
-#: tickets/models/ticket/general.py:259
+#: tickets/models/ticket/general.py:260
 msgid "Title"
 msgstr "标题"
 
-#: tickets/models/ticket/general.py:275
+#: tickets/models/ticket/general.py:276
 msgid "Applicant"
 msgstr "申请人"
 
-#: tickets/models/ticket/general.py:280
+#: tickets/models/ticket/general.py:281
 msgid "TicketFlow"
 msgstr "工单流程"
 
-#: tickets/models/ticket/general.py:283
+#: tickets/models/ticket/general.py:284
 msgid "Approval step"
 msgstr "审批步骤"
 
-#: tickets/models/ticket/general.py:286
+#: tickets/models/ticket/general.py:287
 #, fuzzy
 #| msgid "Change auth plan snapshot"
 msgid "Relation snapshot"
 msgstr "改密计划快照"
 
-#: tickets/models/ticket/general.py:378
+#: tickets/models/ticket/general.py:380
 msgid "Please try again"
 msgstr "请再次尝试"
 
-#: tickets/models/ticket/general.py:385
+#: tickets/models/ticket/general.py:387
 msgid "Super ticket"
 msgstr "超级工单"
 
@@ -5343,7 +5350,7 @@ msgid "Ticket information"
 msgstr "工单信息"
 
 #: tickets/templates/tickets/approve_check_password.html:29
-#: tickets/views/approve.py:25
+#: tickets/views/approve.py:39
 msgid "Ticket approval"
 msgstr "工单审批"
 
@@ -5355,24 +5362,24 @@ msgstr "同意"
 msgid "Go Login"
 msgstr "去登录"
 
-#: tickets/views/approve.py:26
+#: tickets/views/approve.py:40
 msgid ""
 "This ticket does not exist, the process has ended, or this link has expired"
 msgstr "工单不存在，或者工单流程已经结束，或者此链接已经过期"
 
-#: tickets/views/approve.py:55
+#: tickets/views/approve.py:69
 msgid "Click the button below to approve or reject"
 msgstr "点击下方按钮同意或者拒绝"
 
-#: tickets/views/approve.py:57
+#: tickets/views/approve.py:71
 msgid "After successful authentication, this ticket can be approved directly"
 msgstr "认证成功后，工单可直接审批"
 
-#: tickets/views/approve.py:79
+#: tickets/views/approve.py:93
 msgid "Illegal approval action"
 msgstr "无效的审批动作"
 
-#: tickets/views/approve.py:89
+#: tickets/views/approve.py:106
 msgid "This user is not authorized to approve this ticket"
 msgstr "此用户无权审批此工单"
 
@@ -5523,27 +5530,27 @@ msgstr "最后更新密码日期"
 msgid "Need update password"
 msgstr "需要更新密码"
 
-#: users/models/user.py:890
+#: users/models/user.py:892
 msgid "Can invite user"
 msgstr "可以邀请用户"
 
-#: users/models/user.py:891
+#: users/models/user.py:893
 msgid "Can remove user"
 msgstr "可以移除用户"
 
-#: users/models/user.py:892
+#: users/models/user.py:894
 msgid "Can match user"
 msgstr "可以匹配用户"
 
-#: users/models/user.py:901
+#: users/models/user.py:903
 msgid "Administrator"
 msgstr "管理员"
 
-#: users/models/user.py:904
+#: users/models/user.py:906
 msgid "Administrator is the super user of system"
 msgstr "Administrator是初始的超级管理员"
 
-#: users/models/user.py:929
+#: users/models/user.py:931
 msgid "User password history"
 msgstr "用户密码历史"
 
@@ -5598,14 +5605,22 @@ msgstr "两次密码不一致"
 msgid "Is first login"
 msgstr "首次登录"
 
-#: users/serializers/user.py:26 users/serializers/user.py:33
+#: users/serializers/user.py:26
 msgid "System roles"
 msgstr "系统角色"
 
-#: users/serializers/user.py:31 users/serializers/user.py:34
+#: users/serializers/user.py:31
 msgid "Org roles"
 msgstr "组织角色"
 
+#: users/serializers/user.py:33
+msgid "System roles display"
+msgstr "系统角色显示"
+
+#: users/serializers/user.py:34
+msgid "Org roles display"
+msgstr "组织角色显示"
+
 #: users/serializers/user.py:79
 #: xpack/plugins/change_auth_plan/models/base.py:35
 #: xpack/plugins/change_auth_plan/serializers/base.py:27
@@ -5614,7 +5629,7 @@ msgstr "密码策略"
 
 #: users/serializers/user.py:81
 msgid "MFA enabled"
-msgstr "MFA"
+msgstr "MFA 已启用"
 
 #: users/serializers/user.py:82
 msgid "MFA force enabled"
diff --git a/apps/users/api/user.py b/apps/users/api/user.py
index ee3b322bb..a5d726fe0 100644
--- a/apps/users/api/user.py
+++ b/apps/users/api/user.py
@@ -33,7 +33,7 @@ __all__ = [
 
 class UserViewSet(CommonApiMixin, UserQuerysetMixin, SuggestionMixin, BulkModelViewSet):
     filterset_class = UserFilter
-    search_fields = ('username', 'email', 'name', 'id', 'source', 'role')
+    search_fields = ('username', 'email', 'name', 'id', 'source', 'role', 'is_active')
     serializer_classes = {
         'default': UserSerializer,
         'suggestion': MiniUserSerializer,
diff --git a/apps/users/filters.py b/apps/users/filters.py
index 5178a7c55..8359f8d2e 100644
--- a/apps/users/filters.py
+++ b/apps/users/filters.py
@@ -17,7 +17,7 @@ class UserFilter(BaseFilterSet):
         model = User
         fields = (
             'id', 'username', 'email', 'name', 'source',
-            'org_roles', 'system_roles',
+            'org_roles', 'system_roles', 'is_active',
         )
 
     @staticmethod
diff --git a/apps/users/serializers/user.py b/apps/users/serializers/user.py
index 98abb47a6..b08b09144 100644
--- a/apps/users/serializers/user.py
+++ b/apps/users/serializers/user.py
@@ -30,8 +30,8 @@ class RolesSerializerMixin(serializers.Serializer):
         child_relation=serializers.PrimaryKeyRelatedField(queryset=Role.org_roles),
         label=_('Org roles'),
     )
-    system_roles_display = serializers.SerializerMethodField(label=_('System roles'))
-    org_roles_display = serializers.SerializerMethodField(label=_('Org roles'))
+    system_roles_display = serializers.SerializerMethodField(label=_('System roles display'))
+    org_roles_display = serializers.SerializerMethodField(label=_('Org roles display'))
 
     @staticmethod
     def get_system_roles_display(user):
@@ -142,6 +142,7 @@ class UserSerializer(RolesSerializerMixin, CommonBulkSerializerMixin, serializer
             'password': {'write_only': True, 'required': False, 'allow_null': True, 'allow_blank': True},
             'public_key': {'write_only': True},
             'is_first_login': {'label': _('Is first login'), 'read_only': True},
+            'is_active': {'label': _('Is active')},
             'is_valid': {'label': _('Is valid')},
             'is_service_account': {'label': _('Is service account')},
             'is_expired': {'label': _('Is expired')},

From af2d927c1f3cadc1d8094e8ea795a0c3e6ee2c3a Mon Sep 17 00:00:00 2001
From: feng626 <1304903146@qq.com>
Date: Thu, 30 Jun 2022 17:06:50 +0800
Subject: [PATCH 216/258] perf: del pandas

---
 apps/assets/task_handlers/backup/handlers.py | 47 +++++++++++---------
 requirements/requirements.txt                |  2 -
 2 files changed, 25 insertions(+), 24 deletions(-)

diff --git a/apps/assets/task_handlers/backup/handlers.py b/apps/assets/task_handlers/backup/handlers.py
index 600f8a2da..311d8e395 100644
--- a/apps/assets/task_handlers/backup/handlers.py
+++ b/apps/assets/task_handlers/backup/handlers.py
@@ -1,6 +1,6 @@
 import os
 import time
-import pandas as pd
+from openpyxl import Workbook
 from collections import defaultdict, OrderedDict
 
 from django.conf import settings
@@ -48,7 +48,7 @@ class BaseAccountHandler:
                 _fields = cls.get_header_fields(v)
                 header_fields.update(_fields)
             else:
-                header_fields[field] = v.label
+                header_fields[field] = str(v.label)
         return header_fields
 
     @classmethod
@@ -59,7 +59,7 @@ class BaseAccountHandler:
         data = cls.unpack_data(serializer.data)
         row_dict = {}
         for field, header_name in header_fields.items():
-            row_dict[header_name] = data[field]
+            row_dict[header_name] = str(data[field])
         return row_dict
 
 
@@ -72,24 +72,24 @@ class AssetAccountHandler(BaseAccountHandler):
         return filename
 
     @classmethod
-    def create_df(cls):
-        df_dict = defaultdict(list)
+    def create_data_map(cls):
+        data_map = defaultdict(list)
         sheet_name = AuthBook._meta.verbose_name
 
         accounts = AuthBook.get_queryset().select_related('systemuser')
         if not accounts.first():
-            return df_dict
+            return data_map
 
         header_fields = cls.get_header_fields(AccountSecretSerializer(accounts.first()))
         for account in accounts:
             account.load_auth()
             row = cls.create_row(account, AccountSecretSerializer, header_fields)
-            df_dict[sheet_name].append(row)
-        for k, v in df_dict.items():
-            df_dict[k] = pd.DataFrame(v)
+            if sheet_name not in data_map:
+                data_map[sheet_name].append(list(row.keys()))
+            data_map[sheet_name].append(list(row.values()))
 
         logger.info('\n\033[33m- 共收集 {} 条资产账号\033[0m'.format(accounts.count()))
-        return df_dict
+        return data_map
 
 
 class AppAccountHandler(BaseAccountHandler):
@@ -101,19 +101,19 @@ class AppAccountHandler(BaseAccountHandler):
         return filename
 
     @classmethod
-    def create_df(cls):
-        df_dict = defaultdict(list)
+    def create_data_map(cls):
+        data_map = defaultdict(list)
         accounts = Account.get_queryset().select_related('systemuser')
         for account in accounts:
             account.load_auth()
             app_type = account.type
             sheet_name = AppType.get_label(app_type)
             row = cls.create_row(account, AppAccountSecretSerializer)
-            df_dict[sheet_name].append(row)
-        for k, v in df_dict.items():
-            df_dict[k] = pd.DataFrame(v)
+            if sheet_name not in data_map:
+                data_map[sheet_name].append(list(row.keys()))
+            data_map[sheet_name].append(list(row.values()))
         logger.info('\n\033[33m- 共收集{}条应用账号\033[0m'.format(accounts.count()))
-        return df_dict
+        return data_map
 
 
 handler_map = {
@@ -142,15 +142,18 @@ class AccountBackupHandler:
             if not handler:
                 continue
 
-            df_dict = handler.create_df()
-            if not df_dict:
+            data_map = handler.create_data_map()
+            if not data_map:
                 continue
 
             filename = handler.get_filename(self.plan_name)
-            with pd.ExcelWriter(filename) as w:
-                for sheet, df in df_dict.items():
-                    sheet = sheet.replace(' ', '-')
-                    getattr(df, 'to_excel')(w, sheet_name=sheet, index=False)
+
+            wb = Workbook(filename)
+            for sheet, data in data_map.items():
+                ws = wb.create_sheet(str(sheet))
+                for row in data:
+                    ws.append(row)
+            wb.save(filename)
             files.append(filename)
         timedelta = round((time.time() - time_start), 2)
         logger.info('步骤完成: 用时 {}s'.format(timedelta))
diff --git a/requirements/requirements.txt b/requirements/requirements.txt
index 7ecf78ef1..6c509c88c 100644
--- a/requirements/requirements.txt
+++ b/requirements/requirements.txt
@@ -57,8 +57,6 @@ html2text==2020.1.16
 pyzipper==0.3.5
 python3-saml==1.12.0
 websocket-client==1.2.3
-numpy==1.22.0
-pandas==1.3.5
 pyjwkest==1.4.2
 jsonfield2==4.0.0.post0
 geoip2==4.5.0

From 272f64d74340b94b4ad548b42e0253494f6f3952 Mon Sep 17 00:00:00 2001
From: feng626 <1304903146@qq.com>
Date: Fri, 1 Jul 2022 11:25:52 +0800
Subject: [PATCH 217/258] fix: get_target_ip bug

---
 apps/terminal/api/endpoint.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/terminal/api/endpoint.py b/apps/terminal/api/endpoint.py
index 8b98df67e..aaece2222 100644
--- a/apps/terminal/api/endpoint.py
+++ b/apps/terminal/api/endpoint.py
@@ -45,7 +45,7 @@ class SmartEndpointViewMixin:
         # 用来方便测试
         target_ip = request.GET.get('target_ip', '')
         if not target_ip and callable(getattr(instance, 'get_target_ip', None)):
-            target_ip = instance.get_target_ip(request)
+            target_ip = instance.get_target_ip()
         endpoint = EndpointRule.match_endpoint(target_ip, protocol, request)
         return endpoint
 

From 927ae43af28c23544c9ddea2a5734013aa9d193e Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Fri, 1 Jul 2022 19:07:55 +0800
Subject: [PATCH 218/258] =?UTF-8?q?perf:=20=E4=BC=98=E5=8C=96=E5=B7=A5?=
 =?UTF-8?q?=E5=8D=95=20(#8524)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: feng626 <1304903146@qq.com>
---
 apps/locale/ja/LC_MESSAGES/django.po      | 51 +++++++++++-----------
 apps/locale/zh/LC_MESSAGES/django.mo      |  4 +-
 apps/locale/zh/LC_MESSAGES/django.po      | 53 ++++++++++++-----------
 apps/tickets/serializers/ticket/ticket.py | 13 ++++++
 4 files changed, 68 insertions(+), 53 deletions(-)

diff --git a/apps/locale/ja/LC_MESSAGES/django.po b/apps/locale/ja/LC_MESSAGES/django.po
index 792b2412e..477e03eff 100644
--- a/apps/locale/ja/LC_MESSAGES/django.po
+++ b/apps/locale/ja/LC_MESSAGES/django.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-06-30 15:51+0800\n"
+"POT-Creation-Date: 2022-07-01 19:05+0800\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -213,7 +213,7 @@ msgid "Unsupported protocols: {}"
 msgstr "サポートされていないプロトコル: {}"
 
 #: acls/serializers/login_asset_acl.py:98
-#: tickets/serializers/ticket/ticket.py:65
+#: tickets/serializers/ticket/ticket.py:78
 msgid "The organization `{}` does not exist"
 msgstr "組織 '{}'は存在しません"
 
@@ -344,7 +344,7 @@ msgstr "カテゴリ表示"
 #: applications/serializers/application.py:102
 #: assets/serializers/cmd_filter.py:34 assets/serializers/system_user.py:34
 #: audits/serializers.py:29 perms/serializers/application/permission.py:19
-#: tickets/serializers/flow.py:48 tickets/serializers/ticket/ticket.py:16
+#: tickets/serializers/flow.py:48 tickets/serializers/ticket/ticket.py:17
 msgid "Type display"
 msgstr "タイプ表示"
 
@@ -585,6 +585,7 @@ msgstr "ノード"
 
 #: assets/models/asset.py:219 assets/models/cmd_filter.py:47
 #: assets/models/domain.py:65 assets/models/label.py:22
+#: users/serializers/user.py:145
 msgid "Is active"
 msgstr "アクティブです。"
 
@@ -1532,7 +1533,7 @@ msgstr "ユーザーログインログ"
 msgid "Operate display"
 msgstr "ディスプレイを操作する"
 
-#: audits/serializers.py:30 tickets/serializers/ticket/ticket.py:17
+#: audits/serializers.py:30 tickets/serializers/ticket/ticket.py:18
 msgid "Status display"
 msgstr "ステータス表示"
 
@@ -2131,7 +2132,7 @@ msgstr "バインディングリマインダー"
 #: perms/serializers/application/permission.py:20
 #: perms/serializers/application/permission.py:41
 #: perms/serializers/asset/permission.py:19
-#: perms/serializers/asset/permission.py:45 users/serializers/user.py:145
+#: perms/serializers/asset/permission.py:45 users/serializers/user.py:146
 msgid "Is valid"
 msgstr "有効です"
 
@@ -2565,7 +2566,7 @@ msgstr "オブジェクト"
 msgid "The file content overflowed (The maximum length `{}` bytes)"
 msgstr "ファイルの内容がオーバーフローしました (最大長 '{}' バイト)"
 
-#: common/drf/parsers/base.py:153
+#: common/drf/parsers/base.py:159
 msgid "Parse file error: {}"
 msgstr "解析ファイルエラー: {}"
 
@@ -2945,7 +2946,7 @@ msgstr "アプリ組織"
 #: orgs/mixins/models.py:46 orgs/mixins/serializers.py:25 orgs/models.py:80
 #: orgs/models.py:211 rbac/const.py:7 rbac/models/rolebinding.py:48
 #: rbac/serializers/rolebinding.py:40 settings/serializers/auth/ldap.py:62
-#: tickets/models/ticket/general.py:290 tickets/serializers/ticket/ticket.py:51
+#: tickets/models/ticket/general.py:290 tickets/serializers/ticket/ticket.py:64
 msgid "Organization"
 msgstr "組織"
 
@@ -3082,7 +3083,7 @@ msgstr "Organization {} のアプリケーション権限"
 #: perms/serializers/application/permission.py:40
 #: perms/serializers/asset/permission.py:20
 #: perms/serializers/asset/permission.py:44 users/serializers/user.py:87
-#: users/serializers/user.py:147
+#: users/serializers/user.py:148
 msgid "Is expired"
 msgstr "期限切れです"
 
@@ -5409,7 +5410,7 @@ msgstr "有効期限は開始日より大きくする必要があります"
 msgid "Permission named `{}` already exists"
 msgstr "'{}'という名前の権限は既に存在します"
 
-#: tickets/serializers/ticket/ticket.py:76
+#: tickets/serializers/ticket/ticket.py:89
 msgid "The ticket flow `{}` does not exist"
 msgstr "チケットフロー '{}'が存在しない"
 
@@ -5580,7 +5581,7 @@ msgstr "強制有効"
 msgid "Local"
 msgstr "ローカル"
 
-#: users/models/user.py:673 users/serializers/user.py:146
+#: users/models/user.py:673 users/serializers/user.py:147
 msgid "Is service account"
 msgstr "サービスアカウントです"
 
@@ -5725,63 +5726,63 @@ msgstr "ログインブロック"
 msgid "Can public key authentication"
 msgstr "公開鍵認証が可能"
 
-#: users/serializers/user.py:148
+#: users/serializers/user.py:149
 msgid "Avatar url"
 msgstr "アバターURL"
 
-#: users/serializers/user.py:150
+#: users/serializers/user.py:151
 msgid "Groups name"
 msgstr "グループ名"
 
-#: users/serializers/user.py:151
+#: users/serializers/user.py:152
 msgid "Source name"
 msgstr "ソース名"
 
-#: users/serializers/user.py:152
+#: users/serializers/user.py:153
 msgid "Organization role name"
 msgstr "組織の役割名"
 
-#: users/serializers/user.py:153
+#: users/serializers/user.py:154
 msgid "Super role name"
 msgstr "スーパーロール名"
 
-#: users/serializers/user.py:154
+#: users/serializers/user.py:155
 msgid "Total role name"
 msgstr "合計ロール名"
 
-#: users/serializers/user.py:156
+#: users/serializers/user.py:157
 msgid "Is wecom bound"
 msgstr "企業の微信をバインドしているかどうか"
 
-#: users/serializers/user.py:157
+#: users/serializers/user.py:158
 msgid "Is dingtalk bound"
 msgstr "ピンをバインドしているかどうか"
 
-#: users/serializers/user.py:158
+#: users/serializers/user.py:159
 msgid "Is feishu bound"
 msgstr "飛本を縛ったかどうか"
 
-#: users/serializers/user.py:159
+#: users/serializers/user.py:160
 msgid "Is OTP bound"
 msgstr "仮想MFAがバインドされているか"
 
-#: users/serializers/user.py:161
+#: users/serializers/user.py:162
 msgid "System role name"
 msgstr "システムロール名"
 
-#: users/serializers/user.py:201
+#: users/serializers/user.py:202
 msgid "User cannot self-update fields: {}"
 msgstr "ユーザーは自分のフィールドを更新できません: {}"
 
-#: users/serializers/user.py:258
+#: users/serializers/user.py:259
 msgid "Select users"
 msgstr "ユーザーの選択"
 
-#: users/serializers/user.py:259
+#: users/serializers/user.py:260
 msgid "For security, only list several users"
 msgstr "セキュリティのために、複数のユーザーのみをリストします"
 
-#: users/serializers/user.py:294
+#: users/serializers/user.py:295
 msgid "name not unique"
 msgstr "名前が一意ではない"
 
diff --git a/apps/locale/zh/LC_MESSAGES/django.mo b/apps/locale/zh/LC_MESSAGES/django.mo
index f1dae84be..a0958caa0 100644
--- a/apps/locale/zh/LC_MESSAGES/django.mo
+++ b/apps/locale/zh/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:c5ff75df4d230b21b28e74f94fcbf56801f85cecc2dfba647e69182acf39295f
-size 103945
+oid sha256:521d1a529b430f1ac6a519f9c659abe79f25fc9b05a03519f4abe945ae2d1972
+size 103946
diff --git a/apps/locale/zh/LC_MESSAGES/django.po b/apps/locale/zh/LC_MESSAGES/django.po
index 055027668..33f0febc8 100644
--- a/apps/locale/zh/LC_MESSAGES/django.po
+++ b/apps/locale/zh/LC_MESSAGES/django.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: JumpServer 0.3.3\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-06-30 15:51+0800\n"
+"POT-Creation-Date: 2022-07-01 19:05+0800\n"
 "PO-Revision-Date: 2021-05-20 10:54+0800\n"
 "Last-Translator: ibuler <ibuler@qq.com>\n"
 "Language-Team: JumpServer team<ibuler@qq.com>\n"
@@ -209,7 +209,7 @@ msgid "Unsupported protocols: {}"
 msgstr "不支持的协议: {}"
 
 #: acls/serializers/login_asset_acl.py:98
-#: tickets/serializers/ticket/ticket.py:65
+#: tickets/serializers/ticket/ticket.py:78
 msgid "The organization `{}` does not exist"
 msgstr "组织 `{}` 不存在"
 
@@ -339,7 +339,7 @@ msgstr "类别名称"
 #: applications/serializers/application.py:102
 #: assets/serializers/cmd_filter.py:34 assets/serializers/system_user.py:34
 #: audits/serializers.py:29 perms/serializers/application/permission.py:19
-#: tickets/serializers/flow.py:48 tickets/serializers/ticket/ticket.py:16
+#: tickets/serializers/flow.py:48 tickets/serializers/ticket/ticket.py:17
 msgid "Type display"
 msgstr "类型名称"
 
@@ -580,6 +580,7 @@ msgstr "节点"
 
 #: assets/models/asset.py:219 assets/models/cmd_filter.py:47
 #: assets/models/domain.py:65 assets/models/label.py:22
+#: users/serializers/user.py:145
 msgid "Is active"
 msgstr "激活"
 
@@ -1520,7 +1521,7 @@ msgstr "用户登录日志"
 msgid "Operate display"
 msgstr "操作名称"
 
-#: audits/serializers.py:30 tickets/serializers/ticket/ticket.py:17
+#: audits/serializers.py:30 tickets/serializers/ticket/ticket.py:18
 msgid "Status display"
 msgstr "状态名称"
 
@@ -1932,7 +1933,7 @@ msgstr "等待登录复核处理"
 
 #: authentication/errors/const.py:67
 msgid "Login confirm ticket was {}"
-msgstr "登录复核 {}"
+msgstr "登录复核: {}"
 
 #: authentication/errors/failed.py:145
 msgid "IP is not allowed"
@@ -2110,7 +2111,7 @@ msgstr "绑定提醒"
 #: perms/serializers/application/permission.py:20
 #: perms/serializers/application/permission.py:41
 #: perms/serializers/asset/permission.py:19
-#: perms/serializers/asset/permission.py:45 users/serializers/user.py:145
+#: perms/serializers/asset/permission.py:45 users/serializers/user.py:146
 msgid "Is valid"
 msgstr "账号是否有效"
 
@@ -2535,7 +2536,7 @@ msgstr "对象"
 msgid "The file content overflowed (The maximum length `{}` bytes)"
 msgstr "文件内容太大 (最大长度 `{}` 字节)"
 
-#: common/drf/parsers/base.py:153
+#: common/drf/parsers/base.py:159
 msgid "Parse file error: {}"
 msgstr "解析文件错误: {}"
 
@@ -2909,7 +2910,7 @@ msgstr "组织管理"
 #: orgs/mixins/models.py:46 orgs/mixins/serializers.py:25 orgs/models.py:80
 #: orgs/models.py:211 rbac/const.py:7 rbac/models/rolebinding.py:48
 #: rbac/serializers/rolebinding.py:40 settings/serializers/auth/ldap.py:62
-#: tickets/models/ticket/general.py:290 tickets/serializers/ticket/ticket.py:51
+#: tickets/models/ticket/general.py:290 tickets/serializers/ticket/ticket.py:64
 msgid "Organization"
 msgstr "组织"
 
@@ -3046,7 +3047,7 @@ msgstr "组织 ({}) 的应用授权"
 #: perms/serializers/application/permission.py:40
 #: perms/serializers/asset/permission.py:20
 #: perms/serializers/asset/permission.py:44 users/serializers/user.py:87
-#: users/serializers/user.py:147
+#: users/serializers/user.py:148
 msgid "Is expired"
 msgstr "已过期"
 
@@ -5333,7 +5334,7 @@ msgstr "过期时间要大于开始时间"
 msgid "Permission named `{}` already exists"
 msgstr "授权名称 `{}` 已存在"
 
-#: tickets/serializers/ticket/ticket.py:76
+#: tickets/serializers/ticket/ticket.py:89
 msgid "The ticket flow `{}` does not exist"
 msgstr "工单流程 `{}` 不存在"
 
@@ -5502,7 +5503,7 @@ msgstr "强制启用"
 msgid "Local"
 msgstr "数据库"
 
-#: users/models/user.py:673 users/serializers/user.py:146
+#: users/models/user.py:673 users/serializers/user.py:147
 msgid "Is service account"
 msgstr "服务账号"
 
@@ -5647,63 +5648,63 @@ msgstr "登录被阻塞"
 msgid "Can public key authentication"
 msgstr "能否公钥认证"
 
-#: users/serializers/user.py:148
+#: users/serializers/user.py:149
 msgid "Avatar url"
 msgstr "头像路径"
 
-#: users/serializers/user.py:150
+#: users/serializers/user.py:151
 msgid "Groups name"
 msgstr "用户组名"
 
-#: users/serializers/user.py:151
+#: users/serializers/user.py:152
 msgid "Source name"
 msgstr "用户来源名"
 
-#: users/serializers/user.py:152
+#: users/serializers/user.py:153
 msgid "Organization role name"
 msgstr "组织角色名称"
 
-#: users/serializers/user.py:153
+#: users/serializers/user.py:154
 msgid "Super role name"
 msgstr "超级角色名称"
 
-#: users/serializers/user.py:154
+#: users/serializers/user.py:155
 msgid "Total role name"
 msgstr "汇总角色名称"
 
-#: users/serializers/user.py:156
+#: users/serializers/user.py:157
 msgid "Is wecom bound"
 msgstr "是否绑定了企业微信"
 
-#: users/serializers/user.py:157
+#: users/serializers/user.py:158
 msgid "Is dingtalk bound"
 msgstr "是否绑定了钉钉"
 
-#: users/serializers/user.py:158
+#: users/serializers/user.py:159
 msgid "Is feishu bound"
 msgstr "是否绑定了飞书"
 
-#: users/serializers/user.py:159
+#: users/serializers/user.py:160
 msgid "Is OTP bound"
 msgstr "是否绑定了虚拟 MFA"
 
-#: users/serializers/user.py:161
+#: users/serializers/user.py:162
 msgid "System role name"
 msgstr "系统角色名称"
 
-#: users/serializers/user.py:201
+#: users/serializers/user.py:202
 msgid "User cannot self-update fields: {}"
 msgstr "用户不能更新自己的字段: {}"
 
-#: users/serializers/user.py:258
+#: users/serializers/user.py:259
 msgid "Select users"
 msgstr "选择用户"
 
-#: users/serializers/user.py:259
+#: users/serializers/user.py:260
 msgid "For security, only list several users"
 msgstr "为了安全，仅列出几个用户"
 
-#: users/serializers/user.py:294
+#: users/serializers/user.py:295
 msgid "name not unique"
 msgstr "名称重复"
 
diff --git a/apps/tickets/serializers/ticket/ticket.py b/apps/tickets/serializers/ticket/ticket.py
index 5b71cb783..2af3811ca 100644
--- a/apps/tickets/serializers/ticket/ticket.py
+++ b/apps/tickets/serializers/ticket/ticket.py
@@ -6,6 +6,7 @@ from rest_framework import serializers
 from orgs.models import Organization
 from orgs.mixins.serializers import OrgResourceModelSerializerMixin
 from tickets.models import Ticket, TicketFlow
+from tickets.const import TicketType
 
 __all__ = [
     'TicketDisplaySerializer', 'TicketApplySerializer', 'TicketListSerializer'
@@ -28,6 +29,18 @@ class TicketSerializer(OrgResourceModelSerializerMixin):
         fields_fk = ['applicant', ]
         fields = fields_small + fields_fk
 
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.set_type_choices()
+
+    def set_type_choices(self):
+        tp = self.fields.get('type')
+        if not tp:
+            return
+        choices = tp._choices
+        choices.pop(TicketType.general, None)
+        tp._choices = choices
+
 
 class TicketListSerializer(TicketSerializer):
     class Meta:

From 62a2a74c27672ee00488d5716cadedd5f023b0d6 Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Fri, 1 Jul 2022 19:07:42 +0800
Subject: [PATCH 219/258] =?UTF-8?q?perf:=20=E4=BC=9A=E8=AF=9D=E5=88=97?=
 =?UTF-8?q?=E8=A1=A8=E6=98=BE=E7=A4=BA=E7=BB=88=E7=AB=AF=E5=90=8D=E7=A7=B0?=
 =?UTF-8?q?=EF=BC=9B=E4=BF=AE=E5=A4=8D=E5=90=AF=E5=8A=A8=20warning=20?=
 =?UTF-8?q?=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/common/utils/crypto.py          | 2 +-
 apps/jumpserver/settings/base.py     | 2 ++
 apps/terminal/api/session.py         | 6 ++++++
 apps/terminal/serializers/session.py | 8 +++++---
 4 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/apps/common/utils/crypto.py b/apps/common/utils/crypto.py
index f6a690a82..331f8b0bb 100644
--- a/apps/common/utils/crypto.py
+++ b/apps/common/utils/crypto.py
@@ -260,7 +260,7 @@ def decrypt_password(value):
     try:
         password = aes.decrypt(password_cipher)
     except UnicodeDecodeError as e:
-        logging.error("Decript password error: {}, {}".format(password_cipher, e))
+        logging.error("Decrypt password error: {}, {}".format(password_cipher, e))
         return value
     return password
 
diff --git a/apps/jumpserver/settings/base.py b/apps/jumpserver/settings/base.py
index c66a47d98..e34433391 100644
--- a/apps/jumpserver/settings/base.py
+++ b/apps/jumpserver/settings/base.py
@@ -306,6 +306,8 @@ FORCE_SCRIPT_NAME = CONFIG.FORCE_SCRIPT_NAME
 SESSION_COOKIE_SECURE = CONFIG.SESSION_COOKIE_SECURE
 CSRF_COOKIE_SECURE = CONFIG.CSRF_COOKIE_SECURE
 
+DEFAULT_AUTO_FIELD = 'django.db.models.AutoField'
+
 # For Debug toolbar
 INTERNAL_IPS = ["127.0.0.1"]
 if DEBUG_DEV:
diff --git a/apps/terminal/api/session.py b/apps/terminal/api/session.py
index 6ba0477b9..e99999ab4 100644
--- a/apps/terminal/api/session.py
+++ b/apps/terminal/api/session.py
@@ -3,6 +3,7 @@
 import os
 import tarfile
 
+from django.db.models import F
 from django.shortcuts import get_object_or_404, reverse
 from django.utils.translation import ugettext as _
 from django.utils.encoding import escape_uri_path
@@ -106,6 +107,11 @@ class SessionViewSet(OrgBulkModelViewSet):
         response["Content-Disposition"] = disposition
         return response
 
+    def get_queryset(self):
+        queryset = super().get_queryset().prefetch_related('terminal')\
+            .annotate(terminal_display=F('terminal__name'))
+        return queryset
+
     def filter_queryset(self, queryset):
         queryset = super().filter_queryset(queryset)
         # 解决guacamole更新session时并发导致幽灵会话的问题，暂不处理
diff --git a/apps/terminal/serializers/session.py b/apps/terminal/serializers/session.py
index 18ef15e68..49d7f7270 100644
--- a/apps/terminal/serializers/session.py
+++ b/apps/terminal/serializers/session.py
@@ -12,6 +12,7 @@ __all__ = [
 
 class SessionSerializer(BulkOrgResourceModelSerializer):
     org_id = serializers.CharField(allow_blank=True)
+    terminal_display = serializers.CharField(read_only=True, label=_('Terminal display'))
 
     class Meta:
         model = Session
@@ -23,8 +24,8 @@ class SessionSerializer(BulkOrgResourceModelSerializer):
             "is_success", "is_finished", "has_replay",
             "date_start", "date_end",
         ]
-        fields_fk = ["terminal",]
-        fields_custom = ["can_replay", "can_join", "can_terminate",]
+        fields_fk = ["terminal", ]
+        fields_custom = ["can_replay", "can_join", "can_terminate", 'terminal_display']
         fields = fields_small + fields_fk + fields_custom
         extra_kwargs = {
             "protocol": {'label': _('Protocol')},
@@ -38,6 +39,7 @@ class SessionSerializer(BulkOrgResourceModelSerializer):
             'terminal': {'label': _('Terminal')},
             'is_finished': {'label': _('Is finished')},
             'can_terminate': {'label': _('Can terminate')},
+            'terminal_display': {'label': _('Terminal display')},
         }
 
 
@@ -45,7 +47,7 @@ class SessionDisplaySerializer(SessionSerializer):
     command_amount = serializers.IntegerField(read_only=True, label=_('Command amount'))
 
     class Meta(SessionSerializer.Meta):
-        fields = SessionSerializer.Meta.fields + ['command_amount']
+        fields = SessionSerializer.Meta.fields + ['command_amount', ]
 
 
 class ReplaySerializer(serializers.Serializer):

From 90228e69e0d6840d57869be0026c76763deda723 Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Fri, 1 Jul 2022 19:19:24 +0800
Subject: [PATCH 220/258] =?UTF-8?q?perf:=20=E4=BC=9A=E8=AF=9D=E5=88=97?=
 =?UTF-8?q?=E8=A1=A8=E6=98=BE=E7=A4=BA=E7=BB=88=E7=AB=AF=E5=90=8D=E7=A7=B0?=
 =?UTF-8?q?=EF=BC=9B=E4=BF=AE=E5=A4=8D=E5=90=AF=E5=8A=A8=20warning=20?=
 =?UTF-8?q?=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/terminal/models/session.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/apps/terminal/models/session.py b/apps/terminal/models/session.py
index 50468246d..8eff9368b 100644
--- a/apps/terminal/models/session.py
+++ b/apps/terminal/models/session.py
@@ -15,7 +15,7 @@ from applications.models import Application
 from users.models import User
 from orgs.mixins.models import OrgModelMixin
 from django.db.models import TextChoices
-from common.utils import get_object_or_none
+from common.utils import get_object_or_none, lazyproperty
 from ..backends import get_multi_command_storage
 
 
@@ -161,6 +161,11 @@ class Session(OrgModelMixin):
         else:
             return True
 
+    @lazyproperty
+    def terminal_display(self):
+        display = self.terminal.name if self.terminal else ''
+        return display
+
     def save_replay_to_storage_with_version(self, f, version=2):
         suffix = self.SUFFIX_MAP.get(version, '.cast.gz')
         local_path = self.get_local_storage_path_by_suffix(suffix)

From 04ceca1b838beb57e7e54ef222cacf8b11b0376d Mon Sep 17 00:00:00 2001
From: halo <wuyihuangw@gmail.com>
Date: Thu, 30 Jun 2022 20:26:02 +0800
Subject: [PATCH 221/258] =?UTF-8?q?perf:=20=E4=BF=AE=E5=A4=8D=E5=91=BD?=
 =?UTF-8?q?=E4=BB=A4=E8=A1=A8=E7=B3=BB=E7=BB=9F=E7=94=A8=E6=88=B7=E5=AD=97?=
 =?UTF-8?q?=E6=AE=B5=E9=95=BF=E5=BA=A6=E9=97=AE=E9=A2=98=EF=BC=8C=E6=88=AA?=
 =?UTF-8?q?=E5=8F=96=E6=88=9064=E5=AD=97=E7=AC=A6?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/terminal/backends/command/serializers.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/apps/terminal/backends/command/serializers.py b/apps/terminal/backends/command/serializers.py
index 9c8484efb..4cc9827a1 100644
--- a/apps/terminal/backends/command/serializers.py
+++ b/apps/terminal/backends/command/serializers.py
@@ -32,7 +32,7 @@ class SessionCommandSerializer(SimpleSessionCommandSerializer):
     """使用这个类作为基础Command Log Serializer类, 用来序列化"""
 
     id = serializers.UUIDField(read_only=True)
-    system_user = serializers.CharField(max_length=64, label=_("System user"))
+    system_user = serializers.CharField(label=_("System user"))  # 限制 64 字符，不能直接迁移成 128 字符，命令表数据量会比较大
     output = serializers.CharField(max_length=2048, allow_blank=True, label=_("Output"))
     risk_level_display = serializers.SerializerMethodField(label=_('Risk level display'))
     timestamp = serializers.IntegerField(label=_('Timestamp'))
@@ -43,3 +43,8 @@ class SessionCommandSerializer(SimpleSessionCommandSerializer):
     def get_risk_level_display(obj):
         risk_mapper = dict(AbstractSessionCommand.RISK_LEVEL_CHOICES)
         return risk_mapper.get(obj.risk_level)
+
+    def validate_system_user(self, value):
+        if len(value) > 64:
+            value = value[:32] + value[-32:]
+        return value

From c5bf4075e76ba9d0fc94fed0a849d9ff344d48e4 Mon Sep 17 00:00:00 2001
From: halo <wuyihuangw@gmail.com>
Date: Fri, 1 Jul 2022 16:47:07 +0800
Subject: [PATCH 222/258] =?UTF-8?q?perf:=20=E4=BC=98=E5=8C=96=E6=88=AA?=
 =?UTF-8?q?=E5=8F=96=E6=96=B9=E6=B3=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/terminal/backends/command/serializers.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/apps/terminal/backends/command/serializers.py b/apps/terminal/backends/command/serializers.py
index 4cc9827a1..15efe6113 100644
--- a/apps/terminal/backends/command/serializers.py
+++ b/apps/terminal/backends/command/serializers.py
@@ -2,6 +2,7 @@
 from django.utils.translation import ugettext_lazy as _
 from rest_framework import serializers
 
+from common.utils import pretty_string
 from .models import AbstractSessionCommand
 
 __all__ = ['SessionCommandSerializer', 'InsecureCommandAlertSerializer']
@@ -46,5 +47,5 @@ class SessionCommandSerializer(SimpleSessionCommandSerializer):
 
     def validate_system_user(self, value):
         if len(value) > 64:
-            value = value[:32] + value[-32:]
+            value = pretty_string(value, 32)
         return value

From ca19e4590552614417cbdc0261e6d6236032ed34 Mon Sep 17 00:00:00 2001
From: halo <wuyihuangw@gmail.com>
Date: Fri, 1 Jul 2022 21:36:41 +0800
Subject: [PATCH 223/258] =?UTF-8?q?perf:=20=E4=BC=98=E5=8C=96=E6=88=AA?=
 =?UTF-8?q?=E5=8F=96=E6=96=B9=E6=B3=95?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/terminal/backends/command/serializers.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/terminal/backends/command/serializers.py b/apps/terminal/backends/command/serializers.py
index 15efe6113..83b9d55d2 100644
--- a/apps/terminal/backends/command/serializers.py
+++ b/apps/terminal/backends/command/serializers.py
@@ -47,5 +47,5 @@ class SessionCommandSerializer(SimpleSessionCommandSerializer):
 
     def validate_system_user(self, value):
         if len(value) > 64:
-            value = pretty_string(value, 32)
+            value = pretty_string(value, 64)
         return value

From a6cc8a8b0574119f93ff9ed5adaaf1b4d90d95c4 Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Mon, 4 Jul 2022 11:29:39 +0800
Subject: [PATCH 224/258] =?UTF-8?q?perf:=20=E4=BC=98=E5=8C=96confirm?=
 =?UTF-8?q?=E6=8E=A5=E5=8F=A3=20(#8451)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* perf: 优化confirm接口

* perf: 修改 校验

* perf: 优化 confirm API 逻辑

* Delete django.po

Co-authored-by: feng626 <1304903146@qq.com>
Co-authored-by: ibuler <ibuler@qq.com>
Co-authored-by: Jiangjie.Bai <bugatti_it@163.com>
Co-authored-by: feng626 <57284900+feng626@users.noreply.github.com>
---
 apps/applications/api/account.py              |  7 +-
 apps/applications/hands.py                    |  1 -
 apps/assets/api/accounts.py                   |  7 +-
 apps/audits/signal_handlers.py                |  1 -
 apps/authentication/api/confirm.py            | 88 +++++++------------
 apps/authentication/api/dingtalk.py           |  5 +-
 apps/authentication/api/feishu.py             |  5 +-
 apps/authentication/api/mfa.py                | 34 +------
 apps/authentication/api/wecom.py              |  5 +-
 apps/authentication/confirm/__init__.py       |  5 ++
 apps/authentication/confirm/base.py           | 30 +++++++
 apps/authentication/confirm/mfa.py            | 26 ++++++
 apps/authentication/confirm/password.py       | 17 ++++
 apps/authentication/confirm/relogin.py        | 30 +++++++
 apps/authentication/const.py                  | 31 ++++++-
 apps/authentication/serializers/confirm.py    |  7 +-
 .../serializers/password_mfa.py               |  7 +-
 apps/authentication/urls/api_urls.py          |  3 +-
 apps/authentication/views/dingtalk.py         | 12 +--
 apps/authentication/views/feishu.py           | 11 +--
 apps/authentication/views/wecom.py            | 11 +--
 apps/common/exceptions.py                     | 11 ++-
 apps/common/mixins/views.py                   | 18 +++-
 apps/common/permissions.py                    | 36 +++++---
 apps/locale/ja/LC_MESSAGES/django.mo          |  4 +-
 apps/locale/zh/LC_MESSAGES/django.mo          |  4 +-
 apps/locale/zh/LC_MESSAGES/django.po          | 36 ++++----
 apps/users/permissions.py                     |  9 +-
 28 files changed, 273 insertions(+), 188 deletions(-)
 create mode 100644 apps/authentication/confirm/__init__.py
 create mode 100644 apps/authentication/confirm/base.py
 create mode 100644 apps/authentication/confirm/mfa.py
 create mode 100644 apps/authentication/confirm/password.py
 create mode 100644 apps/authentication/confirm/relogin.py

diff --git a/apps/applications/api/account.py b/apps/applications/api/account.py
index 0a1581b28..bad9a02bd 100644
--- a/apps/applications/api/account.py
+++ b/apps/applications/api/account.py
@@ -2,15 +2,16 @@
 #
 
 from django_filters import rest_framework as filters
-from django.db.models import F, Q
+from django.db.models import Q
 
 from common.drf.filters import BaseFilterSet
 from common.drf.api import JMSBulkModelViewSet
 from common.mixins import RecordViewLogMixin
+from common.permissions import UserConfirmation
+from authentication.const import ConfirmType
 from rbac.permissions import RBACPermission
 from assets.models import SystemUser
 from ..models import Account
-from ..hands import NeedMFAVerify
 from .. import serializers
 
 
@@ -57,7 +58,7 @@ class SystemUserAppRelationViewSet(ApplicationAccountViewSet):
 
 class ApplicationAccountSecretViewSet(RecordViewLogMixin, ApplicationAccountViewSet):
     serializer_class = serializers.AppAccountSecretSerializer
-    permission_classes = [RBACPermission, NeedMFAVerify]
+    permission_classes = [RBACPermission, UserConfirmation.require(ConfirmType.MFA)]
     http_method_names = ['get', 'options']
     rbac_perms = {
         'retrieve': 'applications.view_applicationaccountsecret',
diff --git a/apps/applications/hands.py b/apps/applications/hands.py
index 74d6bf9cb..c2bf4fd20 100644
--- a/apps/applications/hands.py
+++ b/apps/applications/hands.py
@@ -11,5 +11,4 @@
 """
 
 
-from common.permissions import NeedMFAVerify
 from users.models import User, UserGroup
diff --git a/apps/assets/api/accounts.py b/apps/assets/api/accounts.py
index 4a3629e46..33d2f517a 100644
--- a/apps/assets/api/accounts.py
+++ b/apps/assets/api/accounts.py
@@ -1,4 +1,4 @@
-from django.db.models import F, Q
+from django.db.models import Q
 from django.shortcuts import get_object_or_404
 from django_filters import rest_framework as filters
 from rest_framework.decorators import action
@@ -9,7 +9,8 @@ from orgs.mixins.api import OrgBulkModelViewSet
 from rbac.permissions import RBACPermission
 from common.drf.filters import BaseFilterSet
 from common.mixins import RecordViewLogMixin
-from common.permissions import NeedMFAVerify
+from common.permissions import UserConfirmation
+from authentication.const import ConfirmType
 from ..tasks.account_connectivity import test_accounts_connectivity_manual
 from ..models import AuthBook, Node
 from .. import serializers
@@ -88,7 +89,7 @@ class AccountSecretsViewSet(RecordViewLogMixin, AccountViewSet):
         'default': serializers.AccountSecretSerializer
     }
     http_method_names = ['get']
-    permission_classes = [RBACPermission, NeedMFAVerify]
+    permission_classes = [RBACPermission, UserConfirmation.require(ConfirmType.MFA)]
     rbac_perms = {
         'list': 'assets.view_assetaccountsecret',
         'retrieve': 'assets.view_assetaccountsecret',
diff --git a/apps/audits/signal_handlers.py b/apps/audits/signal_handlers.py
index 902c0896e..9f20057a3 100644
--- a/apps/audits/signal_handlers.py
+++ b/apps/audits/signal_handlers.py
@@ -277,7 +277,6 @@ def on_user_auth_success(sender, user, request, login_type=None, **kwargs):
     check_different_city_login_if_need(user, request)
     data = generate_data(user.username, request, login_type=login_type)
     request.session['login_time'] = data['datetime'].strftime("%Y-%m-%d %H:%M:%S")
-    request.session["MFA_VERIFY_TIME"] = int(time.time())
     data.update({'mfa': int(user.mfa_enabled), 'status': True})
     write_login_log(**data)
 
diff --git a/apps/authentication/api/confirm.py b/apps/authentication/api/confirm.py
index 9041f6e85..c085bb017 100644
--- a/apps/authentication/api/confirm.py
+++ b/apps/authentication/api/confirm.py
@@ -1,85 +1,57 @@
 # -*- coding: utf-8 -*-
 #
 import time
-from datetime import datetime
 
-from django.utils import timezone
-from django.conf import settings
 from django.utils.translation import ugettext_lazy as _
-from rest_framework.generics import ListCreateAPIView
+from rest_framework.generics import RetrieveAPIView, CreateAPIView
 from rest_framework.response import Response
+from rest_framework import status
 
 from common.permissions import IsValidUser
-from ..mfa import MFAOtp
 from ..const import ConfirmType
-from ..mixins import authenticate
 from ..serializers import ConfirmSerializer
 
 
-class ConfirmViewSet(ListCreateAPIView):
+class ConfirmApi(RetrieveAPIView, CreateAPIView):
     permission_classes = (IsValidUser,)
     serializer_class = ConfirmSerializer
 
-    def check(self, confirm_type: str):
-        if confirm_type == ConfirmType.MFA:
-            return self.user.mfa_enabled
+    def get_confirm_backend(self, confirm_type):
+        backend_classes = ConfirmType.get_can_confirm_backend_classes(confirm_type)
+        if not backend_classes:
+            return
+        for backend_cls in backend_classes:
+            backend = backend_cls(self.request.user, self.request)
+            if not backend.check():
+                continue
+            return backend
 
-        if confirm_type == ConfirmType.PASSWORD:
-            return self.user.is_password_authenticate()
+    def retrieve(self, request, *args, **kwargs):
+        confirm_type = request.query_params.get('confirm_type')
+        backend = self.get_confirm_backend(confirm_type)
+        if backend is None:
+            msg = _('This action require verify your MFA')
+            return Response(data={'error': msg}, status=status.HTTP_404_NOT_FOUND)
 
-        if confirm_type == ConfirmType.RELOGIN:
-            return not self.user.is_password_authenticate()
-
-    def authenticate(self, confirm_type, secret_key):
-        if confirm_type == ConfirmType.MFA:
-            ok, msg = MFAOtp(self.user).check_code(secret_key)
-            return ok, msg
-
-        if confirm_type == ConfirmType.PASSWORD:
-            ok = authenticate(self.request, username=self.user.username, password=secret_key)
-            msg = '' if ok else _('Authentication failed password incorrect')
-            return ok, msg
-
-        if confirm_type == ConfirmType.RELOGIN:
-            now = timezone.now().strftime("%Y-%m-%d %H:%M:%S")
-            now = datetime.strptime(now, '%Y-%m-%d %H:%M:%S')
-            login_time = self.request.session.get('login_time')
-            SPECIFIED_TIME = 5
-            msg = _('Login time has exceeded {} minutes, please login again').format(SPECIFIED_TIME)
-            if not login_time:
-                return False, msg
-            login_time = datetime.strptime(login_time, '%Y-%m-%d %H:%M:%S')
-            if (now - login_time).seconds >= SPECIFIED_TIME * 60:
-                return False, msg
-            return True, ''
-
-    @property
-    def user(self):
-        return self.request.user
-
-    def list(self, request, *args, **kwargs):
-        if not settings.SECURITY_VIEW_AUTH_NEED_MFA:
-            return Response('ok')
-
-        mfa_verify_time = request.session.get('MFA_VERIFY_TIME', 0)
-        if time.time() - mfa_verify_time < settings.SECURITY_MFA_VERIFY_TTL:
-            return Response('ok')
-
-        data = []
-        for i, confirm_type in enumerate(ConfirmType.values, 1):
-            if self.check(confirm_type):
-                data.append({'name': confirm_type, 'level': i})
-        msg = _('This action require verify your MFA')
-        return Response({'error': msg, 'backends': data}, status=400)
+        data = {
+            'confirm_type': backend.name,
+            'content': backend.content,
+        }
+        return Response(data=data)
 
     def create(self, request, *args, **kwargs):
         serializer = self.get_serializer(data=request.data)
         serializer.is_valid(raise_exception=True)
         validated_data = serializer.validated_data
+
         confirm_type = validated_data.get('confirm_type')
+        mfa_type = validated_data.get('mfa_type')
         secret_key = validated_data.get('secret_key')
-        ok, msg = self.authenticate(confirm_type, secret_key)
+
+        backend = self.get_confirm_backend(confirm_type)
+        ok, msg = backend.authenticate(secret_key, mfa_type)
         if ok:
-            request.session["MFA_VERIFY_TIME"] = int(time.time())
+            request.session['CONFIRM_LEVEL'] = ConfirmType.values.index(confirm_type) + 1
+            request.session['CONFIRM_TIME'] = int(time.time())
             return Response('ok')
         return Response({'error': msg}, status=400)
diff --git a/apps/authentication/api/dingtalk.py b/apps/authentication/api/dingtalk.py
index ccc3db64d..817b5276e 100644
--- a/apps/authentication/api/dingtalk.py
+++ b/apps/authentication/api/dingtalk.py
@@ -2,10 +2,11 @@ from rest_framework.views import APIView
 from rest_framework.request import Request
 from rest_framework.response import Response
 
-from users.permissions import IsAuthConfirmTimeValid
 from users.models import User
 from common.utils import get_logger
+from common.permissions import UserConfirmation
 from common.mixins.api import RoleUserMixin, RoleAdminMixin
+from authentication.const import ConfirmType
 from authentication import errors
 
 logger = get_logger(__file__)
@@ -26,7 +27,7 @@ class DingTalkQRUnBindBase(APIView):
 
 
 class DingTalkQRUnBindForUserApi(RoleUserMixin, DingTalkQRUnBindBase):
-    permission_classes = (IsAuthConfirmTimeValid,)
+    permission_classes = (UserConfirmation.require(ConfirmType.ReLogin),)
 
 
 class DingTalkQRUnBindForAdminApi(RoleAdminMixin, DingTalkQRUnBindBase):
diff --git a/apps/authentication/api/feishu.py b/apps/authentication/api/feishu.py
index 13637b247..878ec6e2d 100644
--- a/apps/authentication/api/feishu.py
+++ b/apps/authentication/api/feishu.py
@@ -2,10 +2,11 @@ from rest_framework.views import APIView
 from rest_framework.request import Request
 from rest_framework.response import Response
 
-from users.permissions import IsAuthConfirmTimeValid
 from users.models import User
 from common.utils import get_logger
+from common.permissions import UserConfirmation
 from common.mixins.api import RoleUserMixin, RoleAdminMixin
+from authentication.const import ConfirmType
 from authentication import errors
 
 logger = get_logger(__file__)
@@ -26,7 +27,7 @@ class FeiShuQRUnBindBase(APIView):
 
 
 class FeiShuQRUnBindForUserApi(RoleUserMixin, FeiShuQRUnBindBase):
-    permission_classes = (IsAuthConfirmTimeValid,)
+    permission_classes = (UserConfirmation.require(ConfirmType.ReLogin),)
 
 
 class FeiShuQRUnBindForAdminApi(RoleAdminMixin, FeiShuQRUnBindBase):
diff --git a/apps/authentication/api/mfa.py b/apps/authentication/api/mfa.py
index 90aeb7fc4..fe81149e3 100644
--- a/apps/authentication/api/mfa.py
+++ b/apps/authentication/api/mfa.py
@@ -10,22 +10,17 @@ from rest_framework.generics import CreateAPIView
 from rest_framework.serializers import ValidationError
 from rest_framework.response import Response
 
-from common.permissions import IsValidUser, NeedMFAVerify
 from common.utils import get_logger
 from common.exceptions import UnexpectError
 from users.models.user import User
-from ..serializers import OtpVerifySerializer
 from .. import serializers
 from .. import errors
-from ..mfa.otp import MFAOtp
 from ..mixins import AuthMixin
 
-
 logger = get_logger(__name__)
 
 __all__ = [
-    'MFAChallengeVerifyApi', 'UserOtpVerifyApi',
-    'MFASendCodeApi'
+    'MFAChallengeVerifyApi', 'MFASendCodeApi'
 ]
 
 
@@ -88,30 +83,3 @@ class MFAChallengeVerifyApi(AuthMixin, CreateAPIView):
             raise ValidationError(data)
         except errors.NeedMoreInfoError as e:
             return Response(e.as_data(), status=200)
-
-
-class UserOtpVerifyApi(CreateAPIView):
-    permission_classes = (IsValidUser,)
-    serializer_class = OtpVerifySerializer
-
-    def get(self, request, *args, **kwargs):
-        return Response({'code': 'valid', 'msg': 'verified'})
-
-    def create(self, request, *args, **kwargs):
-        serializer = self.get_serializer(data=request.data)
-        serializer.is_valid(raise_exception=True)
-        code = serializer.validated_data["code"]
-        otp = MFAOtp(request.user)
-
-        ok, error = otp.check_code(code)
-        if ok:
-            request.session["MFA_VERIFY_TIME"] = int(time.time())
-            return Response({"ok": "1"})
-        else:
-            return Response({"error": _("Code is invalid, {}").format(error)}, status=400)
-
-    def get_permissions(self):
-        if self.request.method.lower() == 'get' \
-                and settings.SECURITY_VIEW_AUTH_NEED_MFA:
-            self.permission_classes = [NeedMFAVerify]
-        return super().get_permissions()
diff --git a/apps/authentication/api/wecom.py b/apps/authentication/api/wecom.py
index e64bc9919..cdde00bc9 100644
--- a/apps/authentication/api/wecom.py
+++ b/apps/authentication/api/wecom.py
@@ -2,10 +2,11 @@ from rest_framework.views import APIView
 from rest_framework.request import Request
 from rest_framework.response import Response
 
-from users.permissions import IsAuthConfirmTimeValid
 from users.models import User
 from common.utils import get_logger
+from common.permissions import UserConfirmation
 from common.mixins.api import RoleUserMixin, RoleAdminMixin
+from authentication.const import ConfirmType
 from authentication import errors
 
 logger = get_logger(__file__)
@@ -26,7 +27,7 @@ class WeComQRUnBindBase(APIView):
 
 
 class WeComQRUnBindForUserApi(RoleUserMixin, WeComQRUnBindBase):
-    permission_classes = (IsAuthConfirmTimeValid,)
+    permission_classes = (UserConfirmation.require(ConfirmType.ReLogin),)
 
 
 class WeComQRUnBindForAdminApi(RoleAdminMixin, WeComQRUnBindBase):
diff --git a/apps/authentication/confirm/__init__.py b/apps/authentication/confirm/__init__.py
new file mode 100644
index 000000000..1c3acd05b
--- /dev/null
+++ b/apps/authentication/confirm/__init__.py
@@ -0,0 +1,5 @@
+from .mfa import ConfirmMFA
+from .password import ConfirmPassword
+from .relogin import ConfirmReLogin
+
+CONFIRM_BACKENDS = [ConfirmReLogin, ConfirmPassword, ConfirmMFA]
diff --git a/apps/authentication/confirm/base.py b/apps/authentication/confirm/base.py
new file mode 100644
index 000000000..63258abce
--- /dev/null
+++ b/apps/authentication/confirm/base.py
@@ -0,0 +1,30 @@
+import abc
+
+
+class BaseConfirm(abc.ABC):
+
+    def __init__(self, user, request):
+        self.user = user
+        self.request = request
+
+    @property
+    @abc.abstractmethod
+    def name(self) -> str:
+        return ''
+
+    @property
+    @abc.abstractmethod
+    def display_name(self) -> str:
+        return ''
+
+    @abc.abstractmethod
+    def check(self) -> bool:
+        return False
+
+    @property
+    def content(self):
+        return ''
+
+    @abc.abstractmethod
+    def authenticate(self, secret_key, mfa_type) -> tuple:
+        return False, 'Error msg'
diff --git a/apps/authentication/confirm/mfa.py b/apps/authentication/confirm/mfa.py
new file mode 100644
index 000000000..aee272e9d
--- /dev/null
+++ b/apps/authentication/confirm/mfa.py
@@ -0,0 +1,26 @@
+from users.models import User
+
+from .base import BaseConfirm
+
+
+class ConfirmMFA(BaseConfirm):
+    name = 'mfa'
+    display_name = 'MFA'
+
+    def check(self):
+        return self.user.active_mfa_backends
+
+    @property
+    def content(self):
+        backends = User.get_user_mfa_backends(self.user)
+        return [{
+            'name': backend.name,
+            'disabled': not bool(backend.is_active()),
+            'display_name': backend.display_name,
+            'placeholder': backend.placeholder,
+        } for backend in backends]
+
+    def authenticate(self, secret_key, mfa_type):
+        mfa_backend = self.user.get_mfa_backend_by_type(mfa_type)
+        ok, msg = mfa_backend.check_code(secret_key)
+        return ok, msg
diff --git a/apps/authentication/confirm/password.py b/apps/authentication/confirm/password.py
new file mode 100644
index 000000000..944ab8f24
--- /dev/null
+++ b/apps/authentication/confirm/password.py
@@ -0,0 +1,17 @@
+from django.utils.translation import ugettext_lazy as _
+
+from authentication.mixins import authenticate
+from .base import BaseConfirm
+
+
+class ConfirmPassword(BaseConfirm):
+    name = 'password'
+    display_name = _('Password')
+
+    def check(self):
+        return self.user.is_password_authenticate()
+
+    def authenticate(self, secret_key, mfa_type):
+        ok = authenticate(self.request, username=self.user.username, password=secret_key)
+        msg = '' if ok else _('Authentication failed password incorrect')
+        return ok, msg
diff --git a/apps/authentication/confirm/relogin.py b/apps/authentication/confirm/relogin.py
new file mode 100644
index 000000000..447a17ab0
--- /dev/null
+++ b/apps/authentication/confirm/relogin.py
@@ -0,0 +1,30 @@
+from datetime import datetime
+
+from django.utils import timezone
+from django.utils.translation import ugettext_lazy as _
+
+from .base import BaseConfirm
+
+SPECIFIED_TIME = 5
+
+RELOGIN_ERROR = _('Login time has exceeded {} minutes, please login again').format(SPECIFIED_TIME)
+
+
+class ConfirmReLogin(BaseConfirm):
+    name = 'relogin'
+    display_name = 'Re-Login'
+
+    def check(self):
+        return not self.user.is_password_authenticate()
+
+    def authenticate(self, secret_key, mfa_type):
+        now = timezone.now().strftime("%Y-%m-%d %H:%M:%S")
+        now = datetime.strptime(now, '%Y-%m-%d %H:%M:%S')
+        login_time = self.request.session.get('login_time')
+        msg = RELOGIN_ERROR
+        if not login_time:
+            return False, msg
+        login_time = datetime.strptime(login_time, '%Y-%m-%d %H:%M:%S')
+        if (now - login_time).seconds >= SPECIFIED_TIME * 60:
+            return False, msg
+        return True, ''
diff --git a/apps/authentication/const.py b/apps/authentication/const.py
index 4c8578dff..ffe92ffbf 100644
--- a/apps/authentication/const.py
+++ b/apps/authentication/const.py
@@ -1,10 +1,35 @@
 from django.db.models import TextChoices
 
+from authentication.confirm import CONFIRM_BACKENDS
+from .confirm import ConfirmMFA, ConfirmPassword, ConfirmReLogin
+from .mfa import MFAOtp, MFASms, MFARadius
+
 RSA_PRIVATE_KEY = 'rsa_private_key'
 RSA_PUBLIC_KEY = 'rsa_public_key'
 
+CONFIRM_BACKEND_MAP = {backend.name: backend for backend in CONFIRM_BACKENDS}
+
 
 class ConfirmType(TextChoices):
-    RELOGIN = 'relogin', 'Re-Login'
-    PASSWORD = 'password', 'Password'
-    MFA = 'mfa', 'MFA'
+    ReLogin = ConfirmReLogin.name, ConfirmReLogin.display_name
+    PASSWORD = ConfirmPassword.name, ConfirmPassword.display_name
+    MFA = ConfirmMFA.name, ConfirmMFA.display_name
+
+    @classmethod
+    def get_can_confirm_types(cls, confirm_type):
+        start = cls.values.index(confirm_type)
+        return cls.values[start:]
+
+    @classmethod
+    def get_can_confirm_backend_classes(cls, confirm_type):
+        types = cls.get_can_confirm_types(confirm_type)
+        backend_classes = [
+            CONFIRM_BACKEND_MAP[tp] for tp in types if tp in CONFIRM_BACKEND_MAP
+        ]
+        return backend_classes
+
+
+class MFAType(TextChoices):
+    OTP = MFAOtp.name, MFAOtp.display_name
+    SMS = MFASms.name, MFASms.display_name
+    Radius = MFARadius.name, MFARadius.display_name
diff --git a/apps/authentication/serializers/confirm.py b/apps/authentication/serializers/confirm.py
index fe5984190..3133a8cf4 100644
--- a/apps/authentication/serializers/confirm.py
+++ b/apps/authentication/serializers/confirm.py
@@ -1,11 +1,10 @@
 from rest_framework import serializers
 
 from common.drf.fields import EncryptedField
-from ..const import ConfirmType
+from ..const import ConfirmType, MFAType
 
 
 class ConfirmSerializer(serializers.Serializer):
-    confirm_type = serializers.ChoiceField(
-        required=True, choices=ConfirmType.choices
-    )
+    confirm_type = serializers.ChoiceField(required=True, allow_blank=True, choices=ConfirmType.choices)
+    mfa_type = serializers.ChoiceField(required=False, allow_blank=True, choices=MFAType.choices)
     secret_key = EncryptedField()
diff --git a/apps/authentication/serializers/password_mfa.py b/apps/authentication/serializers/password_mfa.py
index cf3452af3..f52274e49 100644
--- a/apps/authentication/serializers/password_mfa.py
+++ b/apps/authentication/serializers/password_mfa.py
@@ -4,9 +4,8 @@ from rest_framework import serializers
 
 from common.drf.fields import EncryptedField
 
-
 __all__ = [
-    'OtpVerifySerializer', 'MFAChallengeSerializer', 'MFASelectTypeSerializer',
+    'MFAChallengeSerializer', 'MFASelectTypeSerializer',
     'PasswordVerifySerializer',
 ]
 
@@ -29,7 +28,3 @@ class MFAChallengeSerializer(serializers.Serializer):
 
     def update(self, instance, validated_data):
         pass
-
-
-class OtpVerifySerializer(serializers.Serializer):
-    code = serializers.CharField(max_length=6, min_length=6)
diff --git a/apps/authentication/urls/api_urls.py b/apps/authentication/urls/api_urls.py
index 44a89bf97..02c920c5b 100644
--- a/apps/authentication/urls/api_urls.py
+++ b/apps/authentication/urls/api_urls.py
@@ -26,13 +26,12 @@ urlpatterns = [
     path('feishu/event/subscription/callback/', api.FeiShuEventSubscriptionCallback.as_view(), name='feishu-event-subscription-callback'),
 
     path('auth/', api.TokenCreateApi.as_view(), name='user-auth'),
-    path('confirm/', api.ConfirmViewSet.as_view(), name='user-confirm'),
+    path('confirm/', api.ConfirmApi.as_view(), name='user-confirm'),
     path('tokens/', api.TokenCreateApi.as_view(), name='auth-token'),
     path('mfa/verify/', api.MFAChallengeVerifyApi.as_view(), name='mfa-verify'),
     path('mfa/challenge/', api.MFAChallengeVerifyApi.as_view(), name='mfa-challenge'),
     path('mfa/select/', api.MFASendCodeApi.as_view(), name='mfa-select'),
     path('mfa/send-code/', api.MFASendCodeApi.as_view(), name='mfa-send-codej'),
-    path('otp/verify/', api.UserOtpVerifyApi.as_view(), name='user-otp-verify'),
     path('password/verify/', api.UserPasswordVerifyApi.as_view(), name='user-password-verify'),
     path('login-confirm-ticket/status/', api.TicketStatusApi.as_view(), name='login-confirm-ticket-status'),
 ]
diff --git a/apps/authentication/views/dingtalk.py b/apps/authentication/views/dingtalk.py
index 6b93b3d4c..0d19d3fcd 100644
--- a/apps/authentication/views/dingtalk.py
+++ b/apps/authentication/views/dingtalk.py
@@ -8,17 +8,17 @@ from django.db.utils import IntegrityError
 from rest_framework.permissions import IsAuthenticated, AllowAny
 from rest_framework.exceptions import APIException
 
-from users.views import UserVerifyPasswordView
-from users.utils import is_auth_confirm_time_valid
 from users.models import User
-from users.permissions import IsAuthConfirmTimeValid
+from users.views import UserVerifyPasswordView
 from common.utils import get_logger, FlashMessageUtil
 from common.utils.random import random_string
 from common.utils.django import reverse, get_object_or_none
 from common.sdk.im.dingtalk import URL
-from common.mixins.views import PermissionsMixin
+from common.mixins.views import UserConfirmRequiredExceptionMixin, PermissionsMixin
+from common.permissions import UserConfirmation
 from authentication import errors
 from authentication.mixins import AuthMixin
+from authentication.const import ConfirmType
 from common.sdk.im.dingtalk import DingTalk
 from common.utils.common import get_request_ip
 from authentication.notifications import OAuthBindMessage
@@ -30,7 +30,7 @@ logger = get_logger(__file__)
 DINGTALK_STATE_SESSION_KEY = '_dingtalk_state'
 
 
-class DingTalkBaseMixin(PermissionsMixin, View):
+class DingTalkBaseMixin(UserConfirmRequiredExceptionMixin, PermissionsMixin, View):
     def dispatch(self, request, *args, **kwargs):
         try:
             return super().dispatch(request, *args, **kwargs)
@@ -119,7 +119,7 @@ class DingTalkOAuthMixin(DingTalkBaseMixin, View):
 
 
 class DingTalkQRBindView(DingTalkQRMixin, View):
-    permission_classes = (IsAuthenticated, IsAuthConfirmTimeValid)
+    permission_classes = (IsAuthenticated, UserConfirmation.require(ConfirmType.ReLogin))
 
     def get(self, request: HttpRequest):
         user = request.user
diff --git a/apps/authentication/views/feishu.py b/apps/authentication/views/feishu.py
index ea0db44e1..da7999b95 100644
--- a/apps/authentication/views/feishu.py
+++ b/apps/authentication/views/feishu.py
@@ -8,16 +8,17 @@ from django.db.utils import IntegrityError
 from rest_framework.permissions import IsAuthenticated, AllowAny
 from rest_framework.exceptions import APIException
 
-from users.permissions import IsAuthConfirmTimeValid
-from users.views import UserVerifyPasswordView
 from users.models import User
+from users.views import UserVerifyPasswordView
 from common.utils import get_logger, FlashMessageUtil
 from common.utils.random import random_string
 from common.utils.django import reverse, get_object_or_none
-from common.mixins.views import PermissionsMixin
+from common.mixins.views import UserConfirmRequiredExceptionMixin, PermissionsMixin
+from common.permissions import UserConfirmation
 from common.sdk.im.feishu import FeiShu, URL
 from common.utils.common import get_request_ip
 from authentication import errors
+from authentication.const import ConfirmType
 from authentication.mixins import AuthMixin
 from authentication.notifications import OAuthBindMessage
 
@@ -27,7 +28,7 @@ logger = get_logger(__file__)
 FEISHU_STATE_SESSION_KEY = '_feishu_state'
 
 
-class FeiShuQRMixin(PermissionsMixin, View):
+class FeiShuQRMixin(UserConfirmRequiredExceptionMixin, PermissionsMixin, View):
     def dispatch(self, request, *args, **kwargs):
         try:
             return super().dispatch(request, *args, **kwargs)
@@ -89,7 +90,7 @@ class FeiShuQRMixin(PermissionsMixin, View):
 
 
 class FeiShuQRBindView(FeiShuQRMixin, View):
-    permission_classes = (IsAuthenticated, IsAuthConfirmTimeValid)
+    permission_classes = (IsAuthenticated, UserConfirmation.require(ConfirmType.ReLogin))
 
     def get(self, request: HttpRequest):
         user = request.user
diff --git a/apps/authentication/views/wecom.py b/apps/authentication/views/wecom.py
index cb5cc2178..c9315bdb5 100644
--- a/apps/authentication/views/wecom.py
+++ b/apps/authentication/views/wecom.py
@@ -8,18 +8,19 @@ from django.db.utils import IntegrityError
 from rest_framework.permissions import IsAuthenticated, AllowAny
 from rest_framework.exceptions import APIException
 
-from users.views import UserVerifyPasswordView
 from users.models import User
-from users.permissions import IsAuthConfirmTimeValid
+from users.views import UserVerifyPasswordView
 from common.utils import get_logger, FlashMessageUtil
 from common.utils.random import random_string
 from common.utils.django import reverse, get_object_or_none
 from common.sdk.im.wecom import URL
 from common.sdk.im.wecom import WeCom
-from common.mixins.views import PermissionsMixin
+from common.mixins.views import UserConfirmRequiredExceptionMixin, PermissionsMixin
 from common.utils.common import get_request_ip
+from common.permissions import UserConfirmation
 from authentication import errors
 from authentication.mixins import AuthMixin
+from authentication.const import ConfirmType
 from authentication.notifications import OAuthBindMessage
 from .mixins import METAMixin
 
@@ -29,7 +30,7 @@ logger = get_logger(__file__)
 WECOM_STATE_SESSION_KEY = '_wecom_state'
 
 
-class WeComBaseMixin(PermissionsMixin, View):
+class WeComBaseMixin(UserConfirmRequiredExceptionMixin, PermissionsMixin, View):
     def dispatch(self, request, *args, **kwargs):
         try:
             return super().dispatch(request, *args, **kwargs)
@@ -118,7 +119,7 @@ class WeComOAuthMixin(WeComBaseMixin, View):
 
 
 class WeComQRBindView(WeComQRMixin, View):
-    permission_classes = (IsAuthenticated, IsAuthConfirmTimeValid)
+    permission_classes = (IsAuthenticated, UserConfirmation.require(ConfirmType.ReLogin))
 
     def get(self, request: HttpRequest):
         user = request.user
diff --git a/apps/common/exceptions.py b/apps/common/exceptions.py
index 067750ec6..5fa8861b0 100644
--- a/apps/common/exceptions.py
+++ b/apps/common/exceptions.py
@@ -41,10 +41,13 @@ class ReferencedByOthers(JMSException):
     default_detail = _('Is referenced by other objects and cannot be deleted')
 
 
-class MFAVerifyRequired(JMSException):
-    status_code = status.HTTP_400_BAD_REQUEST
-    default_code = 'mfa_verify_required'
-    default_detail = _('This action require verify your MFA')
+class UserConfirmRequired(JMSException):
+    def __init__(self, code=None):
+        detail = {
+            'code': code,
+            'detail': _('This action require confirm current user')
+        }
+        super().__init__(detail=detail, code=code)
 
 
 class UnexpectError(JMSException):
diff --git a/apps/common/mixins/views.py b/apps/common/mixins/views.py
index 0028ccf0a..9f824e5e2 100644
--- a/apps/common/mixins/views.py
+++ b/apps/common/mixins/views.py
@@ -2,16 +2,26 @@
 #
 from django.utils.translation import ugettext_lazy as _
 from django.contrib.auth.mixins import UserPassesTestMixin
+from django.http.response import JsonResponse
 from rest_framework import permissions
-from rest_framework.decorators import action
 from rest_framework.request import Request
-from rest_framework.response import Response
 
-from common.permissions import IsValidUser
+from common.exceptions import UserConfirmRequired
 from audits.utils import create_operate_log
 from audits.models import OperateLog
 
-__all__ = ["PermissionsMixin", "RecordViewLogMixin"]
+__all__ = ["PermissionsMixin", "RecordViewLogMixin", "UserConfirmRequiredExceptionMixin"]
+
+
+class UserConfirmRequiredExceptionMixin:
+    """
+    异常处理
+    """
+    def dispatch(self, request, *args, **kwargs):
+        try:
+            return super().dispatch(request, *args, **kwargs)
+        except UserConfirmRequired as e:
+            return JsonResponse(e.detail, status=e.status_code)
 
 
 class PermissionsMixin(UserPassesTestMixin):
diff --git a/apps/common/permissions.py b/apps/common/permissions.py
index b52c0cc5c..7242c255b 100644
--- a/apps/common/permissions.py
+++ b/apps/common/permissions.py
@@ -1,9 +1,12 @@
 # -*- coding: utf-8 -*-
 #
 import time
-from rest_framework import permissions
+
 from django.conf import settings
-from common.exceptions import MFAVerifyRequired
+from rest_framework import permissions
+
+from authentication.const import ConfirmType
+from common.exceptions import UserConfirmRequired
 
 
 class IsValidUser(permissions.IsAuthenticated, permissions.BasePermission):
@@ -29,18 +32,23 @@ class WithBootstrapToken(permissions.BasePermission):
         return settings.BOOTSTRAP_TOKEN == request_bootstrap_token
 
 
-class NeedMFAVerify(permissions.BasePermission):
+class UserConfirmation(permissions.BasePermission):
+    ttl = 300
+    min_level = 1
+    confirm_type = ConfirmType.ReLogin
+
     def has_permission(self, request, view):
-        if not settings.SECURITY_VIEW_AUTH_NEED_MFA:
-            return True
+        confirm_level = request.session.get('CONFIRM_LEVEL')
+        confirm_time = request.session.get('CONFIRM_TIME')
 
-        mfa_verify_time = request.session.get('MFA_VERIFY_TIME', 0)
-        if time.time() - mfa_verify_time < settings.SECURITY_MFA_VERIFY_TTL:
-            return True
-        raise MFAVerifyRequired()
+        if not confirm_level or not confirm_time or \
+                confirm_level < self.min_level or \
+                confirm_time < time.time() - self.ttl:
+            raise UserConfirmRequired(code=self.confirm_type)
+        return True
 
-
-class IsObjectOwner(IsValidUser):
-    def has_object_permission(self, request, view, obj):
-        return (super().has_object_permission(request, view, obj) and
-                request.user == getattr(obj, 'user', None))
+    @classmethod
+    def require(cls, confirm_type=ConfirmType.ReLogin, ttl=300):
+        min_level = ConfirmType.values.index(confirm_type) + 1
+        name = 'UserConfirmationLevel{}TTL{}'.format(min_level, ttl)
+        return type(name, (cls,), {'min_level': min_level, 'ttl': ttl, 'confirm_type': confirm_type})
diff --git a/apps/locale/ja/LC_MESSAGES/django.mo b/apps/locale/ja/LC_MESSAGES/django.mo
index f85e303fe..f3f84db91 100644
--- a/apps/locale/ja/LC_MESSAGES/django.mo
+++ b/apps/locale/ja/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:896e5302ad4e775f9160b51385466525e67f0e5a0a8cc10981ea843626114494
-size 125939
+oid sha256:50095e2b80c1235a812856f709061dc171509a3883752af48b3c1bb0c112f025
+size 259
diff --git a/apps/locale/zh/LC_MESSAGES/django.mo b/apps/locale/zh/LC_MESSAGES/django.mo
index a0958caa0..c4fe0af59 100644
--- a/apps/locale/zh/LC_MESSAGES/django.mo
+++ b/apps/locale/zh/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:521d1a529b430f1ac6a519f9c659abe79f25fc9b05a03519f4abe945ae2d1972
-size 103946
+oid sha256:e4ec3219881a5a03c49f988a0ea48668ff8403356d210b7e7c6fbb9e8be26a6b
+size 259
diff --git a/apps/locale/zh/LC_MESSAGES/django.po b/apps/locale/zh/LC_MESSAGES/django.po
index 33f0febc8..038ddf895 100644
--- a/apps/locale/zh/LC_MESSAGES/django.po
+++ b/apps/locale/zh/LC_MESSAGES/django.po
@@ -1754,30 +1754,14 @@ msgstr "{ApplicationPermission} 添加 {SystemUser}"
 msgid "{ApplicationPermission} REMOVE {SystemUser}"
 msgstr "{ApplicationPermission} 移除 {SystemUser}"
 
-#: authentication/api/confirm.py:40
-msgid "Authentication failed password incorrect"
-msgstr "认证失败 (用户名或密码不正确)"
-
-#: authentication/api/confirm.py:48
-msgid "Login time has exceeded {} minutes, please login again"
-msgstr "登录时长已超过 {} 分钟，请重新登录"
-
-#: authentication/api/confirm.py:72 common/exceptions.py:47
-msgid "This action require verify your MFA"
-msgstr "这个操作需要验证 MFA"
-
 #: authentication/api/connection_token.py:326
 msgid "Invalid token"
 msgstr "无效的令牌"
 
-#: authentication/api/mfa.py:64
+#: authentication/api/mfa.py:59
 msgid "Current user not support mfa type: {}"
 msgstr "当前用户不支持 MFA 类型: {}"
 
-#: authentication/api/mfa.py:111
-msgid "Code is invalid, {}"
-msgstr "验证码无效: {}"
-
 #: authentication/apps.py:7
 msgid "Authentication"
 msgstr "认证"
@@ -1833,6 +1817,15 @@ msgstr "无效的令牌头。符号字符串不应包含无效字符。"
 msgid "Invalid token or cache refreshed."
 msgstr "刷新的令牌或缓存无效。"
 
+#: authentication/confirm/password.py:17
+msgid "Authentication failed password incorrect"
+msgstr "认证失败 (用户名或密码不正确)"
+
+#: authentication/confirm/relogin.py:10
+msgid "Login time has exceeded {} minutes, please login again"
+msgstr "登录时长已超过 {} 分钟，请重新登录"
+
+#: authentication/errors.py:26
 #: authentication/errors/const.py:18
 msgid "Username/password check failed"
 msgstr "用户名/密码 校验失败"
@@ -2561,7 +2554,11 @@ msgstr "多对多反向是不被允许的"
 msgid "Is referenced by other objects and cannot be deleted"
 msgstr "被其他对象关联，不能删除"
 
-#: common/exceptions.py:53
+#: common/exceptions.py:46
+msgid "This action require confirm current user"
+msgstr "此操作需要确认当前用户"
+
+#: common/exceptions.py:52
 msgid "Unexpect error occur"
 msgstr "发生意外错误"
 
@@ -6653,3 +6650,6 @@ msgstr "旗舰版"
 #: xpack/plugins/license/models.py:77
 msgid "Community edition"
 msgstr "社区版"
+
+#~ msgid "Code is invalid, {}"
+#~ msgstr "验证码无效: {}"
diff --git a/apps/users/permissions.py b/apps/users/permissions.py
index a0df71116..ee821f8d7 100644
--- a/apps/users/permissions.py
+++ b/apps/users/permissions.py
@@ -1,6 +1,6 @@
 from rest_framework import permissions
 
-from .utils import is_auth_password_time_valid, is_auth_confirm_time_valid
+from .utils import is_auth_password_time_valid
 
 
 class IsAuthPasswdTimeValid(permissions.IsAuthenticated):
@@ -8,10 +8,3 @@ class IsAuthPasswdTimeValid(permissions.IsAuthenticated):
     def has_permission(self, request, view):
         return super().has_permission(request, view) \
                and is_auth_password_time_valid(request.session)
-
-
-class IsAuthConfirmTimeValid(permissions.IsAuthenticated):
-
-    def has_permission(self, request, view):
-        return super().has_permission(request, view) \
-               and is_auth_confirm_time_valid(request.session)

From 88f60b58dd7fb4048c5772d4d34069dc8abd1491 Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Mon, 4 Jul 2022 14:57:45 +0800
Subject: [PATCH 225/258] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=E7=BF=BB?=
 =?UTF-8?q?=E8=AF=91=20(#8527)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: feng626 <1304903146@qq.com>
---
 apps/locale/ja/LC_MESSAGES/django.mo |   4 +-
 apps/locale/ja/LC_MESSAGES/django.po | 166 +++++++++++++--------------
 apps/locale/zh/LC_MESSAGES/django.mo |   4 +-
 apps/locale/zh/LC_MESSAGES/django.po | 147 ++++++++++++------------
 apps/terminal/serializers/session.py |   4 +-
 5 files changed, 156 insertions(+), 169 deletions(-)

diff --git a/apps/locale/ja/LC_MESSAGES/django.mo b/apps/locale/ja/LC_MESSAGES/django.mo
index f3f84db91..addc1ea3c 100644
--- a/apps/locale/ja/LC_MESSAGES/django.mo
+++ b/apps/locale/ja/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:50095e2b80c1235a812856f709061dc171509a3883752af48b3c1bb0c112f025
-size 259
+oid sha256:fa4873b5acd88be4b44fbd6e6cd6d8aec30972627310b3a815ccbed475bf6dc4
+size 126353
diff --git a/apps/locale/ja/LC_MESSAGES/django.po b/apps/locale/ja/LC_MESSAGES/django.po
index 477e03eff..009078aca 100644
--- a/apps/locale/ja/LC_MESSAGES/django.po
+++ b/apps/locale/ja/LC_MESSAGES/django.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-07-01 19:05+0800\n"
+"POT-Creation-Date: 2022-07-04 14:53+0800\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -91,7 +91,7 @@ msgstr "ログイン確認"
 #: authentication/models.py:51 orgs/models.py:214 perms/models/base.py:84
 #: rbac/builtin.py:118 rbac/models/rolebinding.py:41
 #: terminal/backends/command/models.py:20
-#: terminal/backends/command/serializers.py:12 terminal/models/session.py:44
+#: terminal/backends/command/serializers.py:13 terminal/models/session.py:44
 #: terminal/models/sharing.py:33 terminal/notifications.py:91
 #: terminal/notifications.py:139 tickets/models/comment.py:21 users/const.py:14
 #: users/models/user.py:890 users/models/user.py:921
@@ -132,7 +132,7 @@ msgstr "システムユーザー"
 #: assets/models/gathered_user.py:14 assets/serializers/label.py:30
 #: assets/serializers/system_user.py:268 audits/models.py:39
 #: perms/models/asset_permission.py:23 terminal/backends/command/models.py:21
-#: terminal/backends/command/serializers.py:13 terminal/models/session.py:46
+#: terminal/backends/command/serializers.py:14 terminal/models/session.py:46
 #: terminal/notifications.py:90
 #: xpack/plugins/change_auth_plan/models/asset.py:199
 #: xpack/plugins/change_auth_plan/serializers/asset.py:181
@@ -204,7 +204,7 @@ msgstr ""
 
 #: acls/serializers/login_asset_acl.py:55 assets/models/asset.py:213
 #: assets/models/domain.py:62 assets/models/user.py:252
-#: terminal/serializers/session.py:30 terminal/serializers/storage.py:68
+#: terminal/serializers/session.py:31 terminal/serializers/storage.py:68
 msgid "Protocol"
 msgstr "プロトコル"
 
@@ -269,7 +269,7 @@ msgstr "アプリケーション"
 #: assets/models/cmd_filter.py:42 assets/models/user.py:342 audits/models.py:40
 #: perms/models/application_permission.py:33
 #: perms/models/asset_permission.py:25 terminal/backends/command/models.py:22
-#: terminal/backends/command/serializers.py:35 terminal/models/session.py:48
+#: terminal/backends/command/serializers.py:36 terminal/models/session.py:48
 #: xpack/plugins/change_auth_plan/models/app.py:36
 #: xpack/plugins/change_auth_plan/models/app.py:147
 #: xpack/plugins/change_auth_plan/serializers/app.py:65
@@ -723,7 +723,7 @@ msgstr "理由"
 
 #: assets/models/backup.py:121 audits/serializers.py:82
 #: audits/serializers.py:97 ops/models/adhoc.py:260
-#: terminal/serializers/session.py:35
+#: terminal/serializers/session.py:36
 #: xpack/plugins/change_auth_plan/models/base.py:202
 #: xpack/plugins/change_auth_plan/serializers/app.py:67
 #: xpack/plugins/change_auth_plan/serializers/asset.py:182
@@ -761,7 +761,8 @@ msgstr "確認済みの日付"
 
 #: assets/models/base.py:177 assets/serializers/base.py:15
 #: assets/serializers/base.py:37 assets/serializers/system_user.py:29
-#: audits/signal_handlers.py:50 authentication/forms.py:32
+#: audits/signal_handlers.py:50 authentication/confirm/password.py:9
+#: authentication/forms.py:32
 #: authentication/templates/authentication/login.html:228
 #: settings/serializers/auth/ldap.py:25 settings/serializers/auth/ldap.py:46
 #: users/forms/profile.py:22 users/serializers/user.py:92
@@ -845,7 +846,7 @@ msgid "Regex"
 msgstr "正規情報"
 
 #: assets/models/cmd_filter.py:68 ops/models/command.py:26
-#: terminal/backends/command/serializers.py:14 terminal/models/session.py:55
+#: terminal/backends/command/serializers.py:15 terminal/models/session.py:55
 #: terminal/templates/terminal/_msg_command_alert.html:12
 #: terminal/templates/terminal/_msg_command_execute_alert.html:10
 msgid "Command"
@@ -1458,7 +1459,7 @@ msgid "Resource"
 msgstr "リソース"
 
 #: audits/models.py:67 audits/models.py:90
-#: terminal/backends/command/serializers.py:39
+#: terminal/backends/command/serializers.py:40
 msgid "Datetime"
 msgstr "時間"
 
@@ -1583,7 +1584,7 @@ msgid "Auth Token"
 msgstr "認証トークン"
 
 #: audits/signal_handlers.py:53 authentication/notifications.py:73
-#: authentication/views/login.py:67 authentication/views/wecom.py:177
+#: authentication/views/login.py:67 authentication/views/wecom.py:178
 #: notifications/backends/__init__.py:11 users/models/user.py:720
 msgid "WeCom"
 msgstr "企業微信"
@@ -1766,15 +1767,7 @@ msgstr "{ApplicationPermission} 追加 {SystemUser}"
 msgid "{ApplicationPermission} REMOVE {SystemUser}"
 msgstr "{ApplicationPermission} 削除 {SystemUser}"
 
-#: authentication/api/confirm.py:40
-msgid "Authentication failed password incorrect"
-msgstr "認証に失敗しました (ユーザー名またはパスワードが正しくありません)"
-
-#: authentication/api/confirm.py:48
-msgid "Login time has exceeded {} minutes, please login again"
-msgstr "ログイン時間が {} 分を超えました。もう一度ログインしてください"
-
-#: authentication/api/confirm.py:72 common/exceptions.py:47
+#: authentication/api/confirm.py:33
 msgid "This action require verify your MFA"
 msgstr "このアクションでは、MFAの確認が必要です。"
 
@@ -1782,14 +1775,10 @@ msgstr "このアクションでは、MFAの確認が必要です。"
 msgid "Invalid token"
 msgstr "無効なトークン"
 
-#: authentication/api/mfa.py:64
+#: authentication/api/mfa.py:59
 msgid "Current user not support mfa type: {}"
 msgstr "現在のユーザーはmfaタイプをサポートしていません: {}"
 
-#: authentication/api/mfa.py:111
-msgid "Code is invalid, {}"
-msgstr "コードが無効です。{}"
-
 #: authentication/apps.py:7
 msgid "Authentication"
 msgstr "認証"
@@ -1847,6 +1836,14 @@ msgstr ""
 msgid "Invalid token or cache refreshed."
 msgstr "無効なトークンまたはキャッシュの更新。"
 
+#: authentication/confirm/password.py:16
+msgid "Authentication failed password incorrect"
+msgstr "認証に失敗しました (ユーザー名またはパスワードが正しくありません)"
+
+#: authentication/confirm/relogin.py:10
+msgid "Login time has exceeded {} minutes, please login again"
+msgstr "ログイン時間が {} 分を超えました。もう一度ログインしてください"
+
 #: authentication/errors/const.py:18
 msgid "Username/password check failed"
 msgstr "ユーザー名/パスワードのチェックに失敗しました"
@@ -2369,8 +2366,8 @@ msgstr "DingTalkエラー、システム管理者に連絡してください"
 msgid "DingTalk Error"
 msgstr "DingTalkエラー"
 
-#: authentication/views/dingtalk.py:56 authentication/views/feishu.py:50
-#: authentication/views/wecom.py:55
+#: authentication/views/dingtalk.py:56 authentication/views/feishu.py:51
+#: authentication/views/wecom.py:56
 msgid ""
 "The system configuration is incorrect. Please contact your administrator"
 msgstr "システム設定が正しくありません。管理者に連絡してください"
@@ -2379,7 +2376,7 @@ msgstr "システム設定が正しくありません。管理者に連絡して
 msgid "DingTalk is already bound"
 msgstr "DingTalkはすでにバインドされています"
 
-#: authentication/views/dingtalk.py:148 authentication/views/wecom.py:147
+#: authentication/views/dingtalk.py:148 authentication/views/wecom.py:148
 msgid "Invalid user_id"
 msgstr "無効なuser_id"
 
@@ -2407,40 +2404,40 @@ msgstr "DingTalkはバインドされていません"
 msgid "Please login with a password and then bind the DingTalk"
 msgstr "パスワードでログインし、DingTalkをバインドしてください"
 
-#: authentication/views/feishu.py:38
+#: authentication/views/feishu.py:39
 msgid "FeiShu Error"
 msgstr "FeiShuエラー"
 
-#: authentication/views/feishu.py:86
+#: authentication/views/feishu.py:87
 msgid "FeiShu is already bound"
 msgstr "FeiShuはすでにバインドされています"
 
-#: authentication/views/feishu.py:128
+#: authentication/views/feishu.py:129
 msgid "FeiShu query user failed"
 msgstr "FeiShuクエリユーザーが失敗しました"
 
-#: authentication/views/feishu.py:137
+#: authentication/views/feishu.py:138
 msgid "The FeiShu is already bound to another user"
 msgstr "FeiShuはすでに別のユーザーにバインドされています"
 
-#: authentication/views/feishu.py:143 authentication/views/login.py:79
+#: authentication/views/feishu.py:144 authentication/views/login.py:79
 #: notifications/backends/__init__.py:14 users/models/user.py:722
 msgid "FeiShu"
 msgstr "本を飛ばす"
 
-#: authentication/views/feishu.py:144
+#: authentication/views/feishu.py:145
 msgid "Binding FeiShu successfully"
 msgstr "本を飛ばすのバインドに成功"
 
-#: authentication/views/feishu.py:196
+#: authentication/views/feishu.py:197
 msgid "Failed to get user from FeiShu"
 msgstr "本を飛ばすからユーザーを取得できませんでした"
 
-#: authentication/views/feishu.py:202
+#: authentication/views/feishu.py:203
 msgid "FeiShu is not bound"
 msgstr "本を飛ばすは拘束されていません"
 
-#: authentication/views/feishu.py:203
+#: authentication/views/feishu.py:204
 msgid "Please login with a password and then bind the FeiShu"
 msgstr "パスワードでログインしてから本を飛ばすをバインドしてください"
 
@@ -2476,39 +2473,39 @@ msgstr "ログアウト成功"
 msgid "Logout success, return login page"
 msgstr "ログアウト成功、ログインページを返す"
 
-#: authentication/views/wecom.py:40
+#: authentication/views/wecom.py:41
 msgid "WeCom Error, Please contact your system administrator"
 msgstr "企業微信エラー、システム管理者に連絡してください"
 
-#: authentication/views/wecom.py:43
+#: authentication/views/wecom.py:44
 msgid "WeCom Error"
 msgstr "企業微信エラー"
 
-#: authentication/views/wecom.py:79
+#: authentication/views/wecom.py:80
 msgid "WeCom is already bound"
 msgstr "企業の微信はすでにバインドされています"
 
-#: authentication/views/wecom.py:162
+#: authentication/views/wecom.py:163
 msgid "WeCom query user failed"
 msgstr "企業微信ユーザーの問合せに失敗しました"
 
-#: authentication/views/wecom.py:171
+#: authentication/views/wecom.py:172
 msgid "The WeCom is already bound to another user"
 msgstr "この企業の微信はすでに他のユーザーをバインドしている。"
 
-#: authentication/views/wecom.py:178
+#: authentication/views/wecom.py:179
 msgid "Binding WeCom successfully"
 msgstr "企業の微信のバインドに成功"
 
-#: authentication/views/wecom.py:230 authentication/views/wecom.py:284
+#: authentication/views/wecom.py:231 authentication/views/wecom.py:285
 msgid "Failed to get user from WeCom"
 msgstr "企業の微信からユーザーを取得できませんでした"
 
-#: authentication/views/wecom.py:236 authentication/views/wecom.py:290
+#: authentication/views/wecom.py:237 authentication/views/wecom.py:291
 msgid "WeCom is not bound"
 msgstr "企業の微信をバインドしていません"
 
-#: authentication/views/wecom.py:237 authentication/views/wecom.py:291
+#: authentication/views/wecom.py:238 authentication/views/wecom.py:292
 msgid "Please login with a password and then bind the WeCom"
 msgstr "パスワードでログインしてからWeComをバインドしてください"
 
@@ -2591,7 +2588,11 @@ msgstr "M2Mリバースは許可されません"
 msgid "Is referenced by other objects and cannot be deleted"
 msgstr "他のオブジェクトによって参照され、削除できません。"
 
-#: common/exceptions.py:53
+#: common/exceptions.py:48
+msgid "This action require confirm current user"
+msgstr "このアクションでは、MFAの確認が必要です。"
+
+#: common/exceptions.py:56
 msgid "Unexpect error occur"
 msgstr "予期しないエラーが発生します"
 
@@ -2607,15 +2608,15 @@ msgstr "は破棄されます"
 msgid "discard time"
 msgstr "時間を捨てる"
 
-#: common/mixins/views.py:42
+#: common/mixins/views.py:52
 msgid "Export all"
 msgstr "すべてエクスポート"
 
-#: common/mixins/views.py:44
+#: common/mixins/views.py:54
 msgid "Export only selected items"
 msgstr "選択項目のみエクスポート"
 
-#: common/mixins/views.py:49
+#: common/mixins/views.py:59
 #, python-format
 msgid "Export filtered: %s"
 msgstr "検索のエクスポート: %s"
@@ -2844,7 +2845,7 @@ msgid "End time"
 msgstr "終了時間"
 
 #: ops/models/adhoc.py:259 ops/models/command.py:29
-#: terminal/serializers/session.py:39
+#: terminal/serializers/session.py:40
 msgid "Is finished"
 msgstr "終了しました"
 
@@ -4616,19 +4617,19 @@ msgstr "フィルター"
 msgid "Not found protocol query params"
 msgstr "プロトコルクエリパラメータが見つかりません"
 
-#: terminal/api/session.py:210
+#: terminal/api/session.py:216
 msgid "Session does not exist: {}"
 msgstr "セッションが存在しません: {}"
 
-#: terminal/api/session.py:213
+#: terminal/api/session.py:219
 msgid "Session is finished or the protocol not supported"
 msgstr "セッションが終了したか、プロトコルがサポートされていません"
 
-#: terminal/api/session.py:218
+#: terminal/api/session.py:224
 msgid "User does not exist: {}"
 msgstr "ユーザーが存在しない: {}"
 
-#: terminal/api/session.py:226
+#: terminal/api/session.py:232
 msgid "User does not have permission"
 msgstr "ユーザーに権限がありません"
 
@@ -4668,7 +4669,8 @@ msgstr "テスト失敗: アカウントが無効"
 msgid "Have online sessions"
 msgstr "オンラインセッションを持つ"
 
-#: terminal/apps.py:9
+#: terminal/apps.py:9 terminal/serializers/session.py:15
+#: terminal/serializers/session.py:42
 msgid "Terminals"
 msgstr "ターミナル管理"
 
@@ -4693,7 +4695,7 @@ msgid "Input"
 msgstr "入力"
 
 #: terminal/backends/command/models.py:24
-#: terminal/backends/command/serializers.py:36
+#: terminal/backends/command/serializers.py:37
 msgid "Output"
 msgstr "出力"
 
@@ -4705,23 +4707,23 @@ msgid "Session"
 msgstr "セッション"
 
 #: terminal/backends/command/models.py:26
-#: terminal/backends/command/serializers.py:17
+#: terminal/backends/command/serializers.py:18
 msgid "Risk level"
 msgstr "リスクレベル"
 
-#: terminal/backends/command/serializers.py:15
+#: terminal/backends/command/serializers.py:16
 msgid "Session ID"
 msgstr "セッションID"
 
-#: terminal/backends/command/serializers.py:37
+#: terminal/backends/command/serializers.py:38
 msgid "Risk level display"
 msgstr "リスクレベル表示"
 
-#: terminal/backends/command/serializers.py:38
+#: terminal/backends/command/serializers.py:39
 msgid "Timestamp"
 msgstr "タイムスタンプ"
 
-#: terminal/backends/command/serializers.py:40 terminal/models/terminal.py:105
+#: terminal/backends/command/serializers.py:41 terminal/models/terminal.py:105
 msgid "Remote Address"
 msgstr "リモートアドレス"
 
@@ -4824,23 +4826,23 @@ msgstr "リプレイ"
 msgid "Date end"
 msgstr "終了日"
 
-#: terminal/models/session.py:255
+#: terminal/models/session.py:260
 msgid "Session record"
 msgstr "セッション記録"
 
-#: terminal/models/session.py:257
+#: terminal/models/session.py:262
 msgid "Can monitor session"
 msgstr "セッションを監視できます"
 
-#: terminal/models/session.py:258
+#: terminal/models/session.py:263
 msgid "Can share session"
 msgstr "セッションを共有できます"
 
-#: terminal/models/session.py:259
+#: terminal/models/session.py:264
 msgid "Can terminate session"
 msgstr "セッションを終了できます"
 
-#: terminal/models/session.py:260
+#: terminal/models/session.py:265
 msgid "Can validate session action perm"
 msgstr "セッションアクションのパーマを検証できます"
 
@@ -4873,8 +4875,6 @@ msgid "Link expired"
 msgstr "リンク期限切れ"
 
 #: terminal/models/sharing.py:68
-#, fuzzy
-#| msgid "IP is not allowed"
 msgid "User not allowed to join"
 msgstr "IPは許可されていません"
 
@@ -4955,7 +4955,7 @@ msgstr "クワーグ"
 msgid "type"
 msgstr "タイプ"
 
-#: terminal/models/terminal.py:183 terminal/serializers/session.py:38
+#: terminal/models/terminal.py:183 terminal/serializers/session.py:39
 msgid "Terminal"
 msgstr "ターミナル"
 
@@ -4986,35 +4986,35 @@ msgstr ""
 "異なるエンドポイントの下に競合するアセットIPがある場合は、アセットタグを使用"
 "して実装します"
 
-#: terminal/serializers/session.py:31
+#: terminal/serializers/session.py:32
 msgid "User ID"
 msgstr "ユーザーID"
 
-#: terminal/serializers/session.py:32
+#: terminal/serializers/session.py:33
 msgid "Asset ID"
 msgstr "資産ID"
 
-#: terminal/serializers/session.py:33
+#: terminal/serializers/session.py:34
 msgid "System user ID"
 msgstr "システムユーザーID"
 
-#: terminal/serializers/session.py:34
+#: terminal/serializers/session.py:35
 msgid "Login from display"
 msgstr "表示からのログイン"
 
-#: terminal/serializers/session.py:36
+#: terminal/serializers/session.py:37
 msgid "Can replay"
 msgstr "再生できます"
 
-#: terminal/serializers/session.py:37
+#: terminal/serializers/session.py:38
 msgid "Can join"
 msgstr "参加できます"
 
-#: terminal/serializers/session.py:40
+#: terminal/serializers/session.py:41
 msgid "Can terminate"
 msgstr "終了できます"
 
-#: terminal/serializers/session.py:45
+#: terminal/serializers/session.py:47
 msgid "Command amount"
 msgstr "コマンド量"
 
@@ -5133,10 +5133,8 @@ msgid "Reopen"
 msgstr ""
 
 #: tickets/const.py:30 tickets/const.py:38
-#, fuzzy
-#| msgid "Role binding"
 msgid "Pending"
-msgstr "ロールバインディング"
+msgstr "未定"
 
 #: tickets/const.py:33 tickets/const.py:40
 msgid "Closed"
@@ -5324,10 +5322,8 @@ msgid "Approval step"
 msgstr "承認ステップ"
 
 #: tickets/models/ticket/general.py:287
-#, fuzzy
-#| msgid "Change auth plan snapshot"
 msgid "Relation snapshot"
-msgstr "計画スナップショットの暗号化"
+msgstr "製造オーダスナップショット"
 
 #: tickets/models/ticket/general.py:380
 msgid "Please try again"
@@ -5362,14 +5358,10 @@ msgid "Ticket applied info"
 msgstr "チケット適用情報"
 
 #: tickets/notifications.py:116
-#, fuzzy
-#| msgid "Your has a new ticket, applicant - {}"
 msgid "Your has a new ticket"
 msgstr "新しいチケットがあります- {}"
 
 #: tickets/notifications.py:120
-#, fuzzy
-#| msgid "New Ticket - {} ({})"
 msgid "{}: New Ticket - {} ({})"
 msgstr "新しいチケット- {} ({})"
 
diff --git a/apps/locale/zh/LC_MESSAGES/django.mo b/apps/locale/zh/LC_MESSAGES/django.mo
index c4fe0af59..6f01c7d83 100644
--- a/apps/locale/zh/LC_MESSAGES/django.mo
+++ b/apps/locale/zh/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:e4ec3219881a5a03c49f988a0ea48668ff8403356d210b7e7c6fbb9e8be26a6b
-size 259
+oid sha256:19a2703fcb7c19d9b907053cf4eb0bf09afc0eb95a05a9bbb84caa447dc78f76
+size 104309
diff --git a/apps/locale/zh/LC_MESSAGES/django.po b/apps/locale/zh/LC_MESSAGES/django.po
index 038ddf895..c6f3ea988 100644
--- a/apps/locale/zh/LC_MESSAGES/django.po
+++ b/apps/locale/zh/LC_MESSAGES/django.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: JumpServer 0.3.3\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-07-01 19:05+0800\n"
+"POT-Creation-Date: 2022-07-04 14:53+0800\n"
 "PO-Revision-Date: 2021-05-20 10:54+0800\n"
 "Last-Translator: ibuler <ibuler@qq.com>\n"
 "Language-Team: JumpServer team<ibuler@qq.com>\n"
@@ -90,7 +90,7 @@ msgstr "登录复核"
 #: authentication/models.py:51 orgs/models.py:214 perms/models/base.py:84
 #: rbac/builtin.py:118 rbac/models/rolebinding.py:41
 #: terminal/backends/command/models.py:20
-#: terminal/backends/command/serializers.py:12 terminal/models/session.py:44
+#: terminal/backends/command/serializers.py:13 terminal/models/session.py:44
 #: terminal/models/sharing.py:33 terminal/notifications.py:91
 #: terminal/notifications.py:139 tickets/models/comment.py:21 users/const.py:14
 #: users/models/user.py:890 users/models/user.py:921
@@ -131,7 +131,7 @@ msgstr "系统用户"
 #: assets/models/gathered_user.py:14 assets/serializers/label.py:30
 #: assets/serializers/system_user.py:268 audits/models.py:39
 #: perms/models/asset_permission.py:23 terminal/backends/command/models.py:21
-#: terminal/backends/command/serializers.py:13 terminal/models/session.py:46
+#: terminal/backends/command/serializers.py:14 terminal/models/session.py:46
 #: terminal/notifications.py:90
 #: xpack/plugins/change_auth_plan/models/asset.py:199
 #: xpack/plugins/change_auth_plan/serializers/asset.py:181
@@ -200,7 +200,7 @@ msgstr "格式为逗号分隔的字符串, * 表示匹配所有. 可选的协议
 
 #: acls/serializers/login_asset_acl.py:55 assets/models/asset.py:213
 #: assets/models/domain.py:62 assets/models/user.py:252
-#: terminal/serializers/session.py:30 terminal/serializers/storage.py:68
+#: terminal/serializers/session.py:31 terminal/serializers/storage.py:68
 msgid "Protocol"
 msgstr "协议"
 
@@ -264,7 +264,7 @@ msgstr "应用程序"
 #: assets/models/cmd_filter.py:42 assets/models/user.py:342 audits/models.py:40
 #: perms/models/application_permission.py:33
 #: perms/models/asset_permission.py:25 terminal/backends/command/models.py:22
-#: terminal/backends/command/serializers.py:35 terminal/models/session.py:48
+#: terminal/backends/command/serializers.py:36 terminal/models/session.py:48
 #: xpack/plugins/change_auth_plan/models/app.py:36
 #: xpack/plugins/change_auth_plan/models/app.py:147
 #: xpack/plugins/change_auth_plan/serializers/app.py:65
@@ -718,7 +718,7 @@ msgstr "原因"
 
 #: assets/models/backup.py:121 audits/serializers.py:82
 #: audits/serializers.py:97 ops/models/adhoc.py:260
-#: terminal/serializers/session.py:35
+#: terminal/serializers/session.py:36
 #: xpack/plugins/change_auth_plan/models/base.py:202
 #: xpack/plugins/change_auth_plan/serializers/app.py:67
 #: xpack/plugins/change_auth_plan/serializers/asset.py:182
@@ -756,7 +756,8 @@ msgstr "校验日期"
 
 #: assets/models/base.py:177 assets/serializers/base.py:15
 #: assets/serializers/base.py:37 assets/serializers/system_user.py:29
-#: audits/signal_handlers.py:50 authentication/forms.py:32
+#: audits/signal_handlers.py:50 authentication/confirm/password.py:9
+#: authentication/forms.py:32
 #: authentication/templates/authentication/login.html:228
 #: settings/serializers/auth/ldap.py:25 settings/serializers/auth/ldap.py:46
 #: users/forms/profile.py:22 users/serializers/user.py:92
@@ -840,7 +841,7 @@ msgid "Regex"
 msgstr "正则表达式"
 
 #: assets/models/cmd_filter.py:68 ops/models/command.py:26
-#: terminal/backends/command/serializers.py:14 terminal/models/session.py:55
+#: terminal/backends/command/serializers.py:15 terminal/models/session.py:55
 #: terminal/templates/terminal/_msg_command_alert.html:12
 #: terminal/templates/terminal/_msg_command_execute_alert.html:10
 msgid "Command"
@@ -1446,7 +1447,7 @@ msgid "Resource"
 msgstr "资源"
 
 #: audits/models.py:67 audits/models.py:90
-#: terminal/backends/command/serializers.py:39
+#: terminal/backends/command/serializers.py:40
 msgid "Datetime"
 msgstr "日期"
 
@@ -1571,7 +1572,7 @@ msgid "Auth Token"
 msgstr "认证令牌"
 
 #: audits/signal_handlers.py:53 authentication/notifications.py:73
-#: authentication/views/login.py:67 authentication/views/wecom.py:177
+#: authentication/views/login.py:67 authentication/views/wecom.py:178
 #: notifications/backends/__init__.py:11 users/models/user.py:720
 msgid "WeCom"
 msgstr "企业微信"
@@ -1754,6 +1755,10 @@ msgstr "{ApplicationPermission} 添加 {SystemUser}"
 msgid "{ApplicationPermission} REMOVE {SystemUser}"
 msgstr "{ApplicationPermission} 移除 {SystemUser}"
 
+#: authentication/api/confirm.py:33
+msgid "This action require verify your MFA"
+msgstr "此操作需要确认当前用户"
+
 #: authentication/api/connection_token.py:326
 msgid "Invalid token"
 msgstr "无效的令牌"
@@ -1817,7 +1822,7 @@ msgstr "无效的令牌头。符号字符串不应包含无效字符。"
 msgid "Invalid token or cache refreshed."
 msgstr "刷新的令牌或缓存无效。"
 
-#: authentication/confirm/password.py:17
+#: authentication/confirm/password.py:16
 msgid "Authentication failed password incorrect"
 msgstr "认证失败 (用户名或密码不正确)"
 
@@ -1825,7 +1830,6 @@ msgstr "认证失败 (用户名或密码不正确)"
 msgid "Login time has exceeded {} minutes, please login again"
 msgstr "登录时长已超过 {} 分钟，请重新登录"
 
-#: authentication/errors.py:26
 #: authentication/errors/const.py:18
 msgid "Username/password check failed"
 msgstr "用户名/密码 校验失败"
@@ -2332,8 +2336,8 @@ msgstr "钉钉错误，请联系系统管理员"
 msgid "DingTalk Error"
 msgstr "钉钉错误"
 
-#: authentication/views/dingtalk.py:56 authentication/views/feishu.py:50
-#: authentication/views/wecom.py:55
+#: authentication/views/dingtalk.py:56 authentication/views/feishu.py:51
+#: authentication/views/wecom.py:56
 msgid ""
 "The system configuration is incorrect. Please contact your administrator"
 msgstr "企业配置错误，请联系系统管理员"
@@ -2342,7 +2346,7 @@ msgstr "企业配置错误，请联系系统管理员"
 msgid "DingTalk is already bound"
 msgstr "钉钉已经绑定"
 
-#: authentication/views/dingtalk.py:148 authentication/views/wecom.py:147
+#: authentication/views/dingtalk.py:148 authentication/views/wecom.py:148
 msgid "Invalid user_id"
 msgstr "无效的 user_id"
 
@@ -2370,40 +2374,40 @@ msgstr "钉钉没有绑定"
 msgid "Please login with a password and then bind the DingTalk"
 msgstr "请使用密码登录，然后绑定钉钉"
 
-#: authentication/views/feishu.py:38
+#: authentication/views/feishu.py:39
 msgid "FeiShu Error"
 msgstr "飞书错误"
 
-#: authentication/views/feishu.py:86
+#: authentication/views/feishu.py:87
 msgid "FeiShu is already bound"
 msgstr "飞书已经绑定"
 
-#: authentication/views/feishu.py:128
+#: authentication/views/feishu.py:129
 msgid "FeiShu query user failed"
 msgstr "飞书查询用户失败"
 
-#: authentication/views/feishu.py:137
+#: authentication/views/feishu.py:138
 msgid "The FeiShu is already bound to another user"
 msgstr "该飞书已经绑定其他用户"
 
-#: authentication/views/feishu.py:143 authentication/views/login.py:79
+#: authentication/views/feishu.py:144 authentication/views/login.py:79
 #: notifications/backends/__init__.py:14 users/models/user.py:722
 msgid "FeiShu"
 msgstr "飞书"
 
-#: authentication/views/feishu.py:144
+#: authentication/views/feishu.py:145
 msgid "Binding FeiShu successfully"
 msgstr "绑定 飞书 成功"
 
-#: authentication/views/feishu.py:196
+#: authentication/views/feishu.py:197
 msgid "Failed to get user from FeiShu"
 msgstr "从飞书获取用户失败"
 
-#: authentication/views/feishu.py:202
+#: authentication/views/feishu.py:203
 msgid "FeiShu is not bound"
 msgstr "没有绑定飞书"
 
-#: authentication/views/feishu.py:203
+#: authentication/views/feishu.py:204
 msgid "Please login with a password and then bind the FeiShu"
 msgstr "请使用密码登录，然后绑定飞书"
 
@@ -2439,39 +2443,39 @@ msgstr "退出登录成功"
 msgid "Logout success, return login page"
 msgstr "退出登录成功，返回到登录页面"
 
-#: authentication/views/wecom.py:40
+#: authentication/views/wecom.py:41
 msgid "WeCom Error, Please contact your system administrator"
 msgstr "企业微信错误，请联系系统管理员"
 
-#: authentication/views/wecom.py:43
+#: authentication/views/wecom.py:44
 msgid "WeCom Error"
 msgstr "企业微信错误"
 
-#: authentication/views/wecom.py:79
+#: authentication/views/wecom.py:80
 msgid "WeCom is already bound"
 msgstr "企业微信已经绑定"
 
-#: authentication/views/wecom.py:162
+#: authentication/views/wecom.py:163
 msgid "WeCom query user failed"
 msgstr "企业微信查询用户失败"
 
-#: authentication/views/wecom.py:171
+#: authentication/views/wecom.py:172
 msgid "The WeCom is already bound to another user"
 msgstr "该企业微信已经绑定其他用户"
 
-#: authentication/views/wecom.py:178
+#: authentication/views/wecom.py:179
 msgid "Binding WeCom successfully"
 msgstr "绑定 企业微信 成功"
 
-#: authentication/views/wecom.py:230 authentication/views/wecom.py:284
+#: authentication/views/wecom.py:231 authentication/views/wecom.py:285
 msgid "Failed to get user from WeCom"
 msgstr "从企业微信获取用户失败"
 
-#: authentication/views/wecom.py:236 authentication/views/wecom.py:290
+#: authentication/views/wecom.py:237 authentication/views/wecom.py:291
 msgid "WeCom is not bound"
 msgstr "没有绑定企业微信"
 
-#: authentication/views/wecom.py:237 authentication/views/wecom.py:291
+#: authentication/views/wecom.py:238 authentication/views/wecom.py:292
 msgid "Please login with a password and then bind the WeCom"
 msgstr "请使用密码登录，然后绑定企业微信"
 
@@ -2554,11 +2558,11 @@ msgstr "多对多反向是不被允许的"
 msgid "Is referenced by other objects and cannot be deleted"
 msgstr "被其他对象关联，不能删除"
 
-#: common/exceptions.py:46
+#: common/exceptions.py:48
 msgid "This action require confirm current user"
 msgstr "此操作需要确认当前用户"
 
-#: common/exceptions.py:52
+#: common/exceptions.py:56
 msgid "Unexpect error occur"
 msgstr "发生意外错误"
 
@@ -2574,15 +2578,15 @@ msgstr "忽略的"
 msgid "discard time"
 msgstr "忽略时间"
 
-#: common/mixins/views.py:42
+#: common/mixins/views.py:52
 msgid "Export all"
 msgstr "导出所有"
 
-#: common/mixins/views.py:44
+#: common/mixins/views.py:54
 msgid "Export only selected items"
 msgstr "仅导出选择项"
 
-#: common/mixins/views.py:49
+#: common/mixins/views.py:59
 #, python-format
 msgid "Export filtered: %s"
 msgstr "导出搜素: %s"
@@ -2806,7 +2810,7 @@ msgid "End time"
 msgstr "完成时间"
 
 #: ops/models/adhoc.py:259 ops/models/command.py:29
-#: terminal/serializers/session.py:39
+#: terminal/serializers/session.py:40
 msgid "Is finished"
 msgstr "是否完成"
 
@@ -4541,19 +4545,19 @@ msgstr "过滤"
 msgid "Not found protocol query params"
 msgstr ""
 
-#: terminal/api/session.py:210
+#: terminal/api/session.py:216
 msgid "Session does not exist: {}"
 msgstr "会话不存在: {}"
 
-#: terminal/api/session.py:213
+#: terminal/api/session.py:219
 msgid "Session is finished or the protocol not supported"
 msgstr "会话已经完成或协议不支持"
 
-#: terminal/api/session.py:218
+#: terminal/api/session.py:224
 msgid "User does not exist: {}"
 msgstr "用户不存在: {}"
 
-#: terminal/api/session.py:226
+#: terminal/api/session.py:232
 msgid "User does not have permission"
 msgstr "用户没有权限"
 
@@ -4593,7 +4597,8 @@ msgstr "测试失败: 账号无效"
 msgid "Have online sessions"
 msgstr "有在线会话"
 
-#: terminal/apps.py:9
+#: terminal/apps.py:9 terminal/serializers/session.py:15
+#: terminal/serializers/session.py:42
 msgid "Terminals"
 msgstr "终端管理"
 
@@ -4618,7 +4623,7 @@ msgid "Input"
 msgstr "输入"
 
 #: terminal/backends/command/models.py:24
-#: terminal/backends/command/serializers.py:36
+#: terminal/backends/command/serializers.py:37
 msgid "Output"
 msgstr "输出"
 
@@ -4630,23 +4635,23 @@ msgid "Session"
 msgstr "会话"
 
 #: terminal/backends/command/models.py:26
-#: terminal/backends/command/serializers.py:17
+#: terminal/backends/command/serializers.py:18
 msgid "Risk level"
 msgstr "风险等级"
 
-#: terminal/backends/command/serializers.py:15
+#: terminal/backends/command/serializers.py:16
 msgid "Session ID"
 msgstr "会话ID"
 
-#: terminal/backends/command/serializers.py:37
+#: terminal/backends/command/serializers.py:38
 msgid "Risk level display"
 msgstr "风险等级名称"
 
-#: terminal/backends/command/serializers.py:38
+#: terminal/backends/command/serializers.py:39
 msgid "Timestamp"
 msgstr "时间戳"
 
-#: terminal/backends/command/serializers.py:40 terminal/models/terminal.py:105
+#: terminal/backends/command/serializers.py:41 terminal/models/terminal.py:105
 msgid "Remote Address"
 msgstr "远端地址"
 
@@ -4749,23 +4754,23 @@ msgstr "回放"
 msgid "Date end"
 msgstr "结束日期"
 
-#: terminal/models/session.py:255
+#: terminal/models/session.py:260
 msgid "Session record"
 msgstr "会话记录"
 
-#: terminal/models/session.py:257
+#: terminal/models/session.py:262
 msgid "Can monitor session"
 msgstr "可以监控会话"
 
-#: terminal/models/session.py:258
+#: terminal/models/session.py:263
 msgid "Can share session"
 msgstr "可以分享会话"
 
-#: terminal/models/session.py:259
+#: terminal/models/session.py:264
 msgid "Can terminate session"
 msgstr "可以终断会话"
 
-#: terminal/models/session.py:260
+#: terminal/models/session.py:265
 msgid "Can validate session action perm"
 msgstr "可以验证会话动作权限"
 
@@ -4798,8 +4803,6 @@ msgid "Link expired"
 msgstr "链接过期"
 
 #: terminal/models/sharing.py:68
-#, fuzzy
-#| msgid "IP is not allowed"
 msgid "User not allowed to join"
 msgstr "来源 IP 不被允许登录"
 
@@ -4880,7 +4883,7 @@ msgstr "其它参数"
 msgid "type"
 msgstr "类型"
 
-#: terminal/models/terminal.py:183 terminal/serializers/session.py:38
+#: terminal/models/terminal.py:183 terminal/serializers/session.py:39
 msgid "Terminal"
 msgstr "终端"
 
@@ -4909,35 +4912,35 @@ msgid ""
 "If asset IP addresses under different endpoints conflict, use asset labels"
 msgstr "如果不同端点下的资产 IP 有冲突，使用资产标签实现"
 
-#: terminal/serializers/session.py:31
+#: terminal/serializers/session.py:32
 msgid "User ID"
 msgstr "用户 ID"
 
-#: terminal/serializers/session.py:32
+#: terminal/serializers/session.py:33
 msgid "Asset ID"
 msgstr "资产 ID"
 
-#: terminal/serializers/session.py:33
+#: terminal/serializers/session.py:34
 msgid "System user ID"
 msgstr "系统用户 ID"
 
-#: terminal/serializers/session.py:34
+#: terminal/serializers/session.py:35
 msgid "Login from display"
 msgstr "登录来源名称"
 
-#: terminal/serializers/session.py:36
+#: terminal/serializers/session.py:37
 msgid "Can replay"
 msgstr "是否可重放"
 
-#: terminal/serializers/session.py:37
+#: terminal/serializers/session.py:38
 msgid "Can join"
 msgstr "是否可加入"
 
-#: terminal/serializers/session.py:40
+#: terminal/serializers/session.py:41
 msgid "Can terminate"
 msgstr "是否可中断"
 
-#: terminal/serializers/session.py:45
+#: terminal/serializers/session.py:47
 msgid "Command amount"
 msgstr "命令数量"
 
@@ -5056,10 +5059,8 @@ msgid "Reopen"
 msgstr ""
 
 #: tickets/const.py:30 tickets/const.py:38
-#, fuzzy
-#| msgid "Role binding"
 msgid "Pending"
-msgstr "角色绑定"
+msgstr "待定的"
 
 #: tickets/const.py:33 tickets/const.py:40
 msgid "Closed"
@@ -5245,10 +5246,8 @@ msgid "Approval step"
 msgstr "审批步骤"
 
 #: tickets/models/ticket/general.py:287
-#, fuzzy
-#| msgid "Change auth plan snapshot"
 msgid "Relation snapshot"
-msgstr "改密计划快照"
+msgstr "工单快照"
 
 #: tickets/models/ticket/general.py:380
 msgid "Please try again"
@@ -5283,14 +5282,10 @@ msgid "Ticket applied info"
 msgstr "工单申请信息"
 
 #: tickets/notifications.py:116
-#, fuzzy
-#| msgid "Your has a new ticket, applicant - {}"
 msgid "Your has a new ticket"
 msgstr "你有一个新的工单, 申请人 - {}"
 
 #: tickets/notifications.py:120
-#, fuzzy
-#| msgid "New Ticket - {} ({})"
 msgid "{}: New Ticket - {} ({})"
 msgstr "新工单 - {} ({})"
 
diff --git a/apps/terminal/serializers/session.py b/apps/terminal/serializers/session.py
index 49d7f7270..d8394ea26 100644
--- a/apps/terminal/serializers/session.py
+++ b/apps/terminal/serializers/session.py
@@ -12,7 +12,7 @@ __all__ = [
 
 class SessionSerializer(BulkOrgResourceModelSerializer):
     org_id = serializers.CharField(allow_blank=True)
-    terminal_display = serializers.CharField(read_only=True, label=_('Terminal display'))
+    terminal_display = serializers.CharField(read_only=True, label=_('Terminals'))
 
     class Meta:
         model = Session
@@ -39,7 +39,7 @@ class SessionSerializer(BulkOrgResourceModelSerializer):
             'terminal': {'label': _('Terminal')},
             'is_finished': {'label': _('Is finished')},
             'can_terminate': {'label': _('Can terminate')},
-            'terminal_display': {'label': _('Terminal display')},
+            'terminal_display': {'label': _('Terminals')},
         }
 
 

From 8ebcb4b73a205ff860dd66714d3773b9d059b50d Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Mon, 4 Jul 2022 15:14:59 +0800
Subject: [PATCH 226/258] fix: translate (#8529)

Co-authored-by: feng626 <1304903146@qq.com>
---
 apps/locale/ja/LC_MESSAGES/django.mo |  4 ++--
 apps/locale/ja/LC_MESSAGES/django.po | 11 +++++++----
 apps/locale/zh/LC_MESSAGES/django.mo |  4 ++--
 apps/locale/zh/LC_MESSAGES/django.po | 11 +++++++----
 apps/terminal/serializers/session.py |  4 ++--
 5 files changed, 20 insertions(+), 14 deletions(-)

diff --git a/apps/locale/ja/LC_MESSAGES/django.mo b/apps/locale/ja/LC_MESSAGES/django.mo
index addc1ea3c..90cd914ec 100644
--- a/apps/locale/ja/LC_MESSAGES/django.mo
+++ b/apps/locale/ja/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:fa4873b5acd88be4b44fbd6e6cd6d8aec30972627310b3a815ccbed475bf6dc4
-size 126353
+oid sha256:21921ae6acb8a8a8ea7bb3e1a24e0a730e6698d080fec98fa1416fbad925e8de
+size 126420
diff --git a/apps/locale/ja/LC_MESSAGES/django.po b/apps/locale/ja/LC_MESSAGES/django.po
index 009078aca..04b4c2fc9 100644
--- a/apps/locale/ja/LC_MESSAGES/django.po
+++ b/apps/locale/ja/LC_MESSAGES/django.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-07-04 14:53+0800\n"
+"POT-Creation-Date: 2022-07-04 15:10+0800\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -1769,7 +1769,7 @@ msgstr "{ApplicationPermission} 削除 {SystemUser}"
 
 #: authentication/api/confirm.py:33
 msgid "This action require verify your MFA"
-msgstr "このアクションでは、MFAの確認が必要です。"
+msgstr "この操作には、MFAを検証する必要があります"
 
 #: authentication/api/connection_token.py:326
 msgid "Invalid token"
@@ -4669,8 +4669,7 @@ msgstr "テスト失敗: アカウントが無効"
 msgid "Have online sessions"
 msgstr "オンラインセッションを持つ"
 
-#: terminal/apps.py:9 terminal/serializers/session.py:15
-#: terminal/serializers/session.py:42
+#: terminal/apps.py:9
 msgid "Terminals"
 msgstr "ターミナル管理"
 
@@ -4986,6 +4985,10 @@ msgstr ""
 "異なるエンドポイントの下に競合するアセットIPがある場合は、アセットタグを使用"
 "して実装します"
 
+#: terminal/serializers/session.py:15 terminal/serializers/session.py:42
+msgid "Terminal display"
+msgstr "ターミナルディスプレイ"
+
 #: terminal/serializers/session.py:32
 msgid "User ID"
 msgstr "ユーザーID"
diff --git a/apps/locale/zh/LC_MESSAGES/django.mo b/apps/locale/zh/LC_MESSAGES/django.mo
index 6f01c7d83..85423db9c 100644
--- a/apps/locale/zh/LC_MESSAGES/django.mo
+++ b/apps/locale/zh/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:19a2703fcb7c19d9b907053cf4eb0bf09afc0eb95a05a9bbb84caa447dc78f76
-size 104309
+oid sha256:d2adfbe7d62b5a1b148450aeb6f327020a1f9fdf686cfa500db775032c3642e9
+size 104353
diff --git a/apps/locale/zh/LC_MESSAGES/django.po b/apps/locale/zh/LC_MESSAGES/django.po
index c6f3ea988..804c5c62e 100644
--- a/apps/locale/zh/LC_MESSAGES/django.po
+++ b/apps/locale/zh/LC_MESSAGES/django.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: JumpServer 0.3.3\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-07-04 14:53+0800\n"
+"POT-Creation-Date: 2022-07-04 15:10+0800\n"
 "PO-Revision-Date: 2021-05-20 10:54+0800\n"
 "Last-Translator: ibuler <ibuler@qq.com>\n"
 "Language-Team: JumpServer team<ibuler@qq.com>\n"
@@ -1757,7 +1757,7 @@ msgstr "{ApplicationPermission} 移除 {SystemUser}"
 
 #: authentication/api/confirm.py:33
 msgid "This action require verify your MFA"
-msgstr "此操作需要确认当前用户"
+msgstr "此操作需要验证您的 MFA"
 
 #: authentication/api/connection_token.py:326
 msgid "Invalid token"
@@ -4597,8 +4597,7 @@ msgstr "测试失败: 账号无效"
 msgid "Have online sessions"
 msgstr "有在线会话"
 
-#: terminal/apps.py:9 terminal/serializers/session.py:15
-#: terminal/serializers/session.py:42
+#: terminal/apps.py:9
 msgid "Terminals"
 msgstr "终端管理"
 
@@ -4912,6 +4911,10 @@ msgid ""
 "If asset IP addresses under different endpoints conflict, use asset labels"
 msgstr "如果不同端点下的资产 IP 有冲突，使用资产标签实现"
 
+#: terminal/serializers/session.py:15 terminal/serializers/session.py:42
+msgid "Terminal display"
+msgstr "终端显示"
+
 #: terminal/serializers/session.py:32
 msgid "User ID"
 msgstr "用户 ID"
diff --git a/apps/terminal/serializers/session.py b/apps/terminal/serializers/session.py
index d8394ea26..49d7f7270 100644
--- a/apps/terminal/serializers/session.py
+++ b/apps/terminal/serializers/session.py
@@ -12,7 +12,7 @@ __all__ = [
 
 class SessionSerializer(BulkOrgResourceModelSerializer):
     org_id = serializers.CharField(allow_blank=True)
-    terminal_display = serializers.CharField(read_only=True, label=_('Terminals'))
+    terminal_display = serializers.CharField(read_only=True, label=_('Terminal display'))
 
     class Meta:
         model = Session
@@ -39,7 +39,7 @@ class SessionSerializer(BulkOrgResourceModelSerializer):
             'terminal': {'label': _('Terminal')},
             'is_finished': {'label': _('Is finished')},
             'can_terminate': {'label': _('Can terminate')},
-            'terminal_display': {'label': _('Terminals')},
+            'terminal_display': {'label': _('Terminal display')},
         }
 
 

From 0aad0b72792ace7a12579d9eee48666084609ab9 Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Mon, 4 Jul 2022 18:54:47 +0800
Subject: [PATCH 227/258] =?UTF-8?q?feat:=20=E8=B4=A6=E5=8F=B7=E5=8E=86?=
 =?UTF-8?q?=E5=8F=B2=E4=BF=A1=E6=81=AF=20(#8500)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* feat: 账号历史信息

* del app

Co-authored-by: feng626 <1304903146@qq.com>
---
 apps/applications/api/application.py          |  1 -
 .../migrations/0021_auto_20220629_1826.py     | 22 +++++++++
 apps/assets/api/__init__.py                   |  1 +
 apps/assets/api/account_history.py            | 46 +++++++++++++++++++
 apps/assets/api/accounts.py                   |  2 +-
 .../migrations/0091_auto_20220629_1826.py     | 26 +++++++++++
 apps/assets/models/authbook.py                |  9 ++--
 apps/assets/serializers/__init__.py           |  1 +
 apps/assets/serializers/account_history.py    | 38 +++++++++++++++
 apps/assets/urls/api_urls.py                  |  2 +
 apps/locale/ja/LC_MESSAGES/django.po          |  9 ++++
 apps/locale/zh/LC_MESSAGES/django.po          |  9 ++++
 apps/orgs/mixins/api.py                       |  2 -
 13 files changed, 161 insertions(+), 7 deletions(-)
 create mode 100644 apps/applications/migrations/0021_auto_20220629_1826.py
 create mode 100644 apps/assets/api/account_history.py
 create mode 100644 apps/assets/migrations/0091_auto_20220629_1826.py
 create mode 100644 apps/assets/serializers/account_history.py

diff --git a/apps/applications/api/application.py b/apps/applications/api/application.py
index 9d1b130ce..71315cdcf 100644
--- a/apps/applications/api/application.py
+++ b/apps/applications/api/application.py
@@ -1,6 +1,5 @@
 # coding: utf-8
 #
-from django.shortcuts import get_object_or_404
 from orgs.mixins.api import OrgBulkModelViewSet
 from rest_framework.decorators import action
 from rest_framework.response import Response
diff --git a/apps/applications/migrations/0021_auto_20220629_1826.py b/apps/applications/migrations/0021_auto_20220629_1826.py
new file mode 100644
index 000000000..b74977b7d
--- /dev/null
+++ b/apps/applications/migrations/0021_auto_20220629_1826.py
@@ -0,0 +1,22 @@
+# Generated by Django 3.1.14 on 2022-06-29 10:26
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('applications', '0020_auto_20220316_2028'),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name='historicalaccount',
+            options={'get_latest_by': ('history_date', 'history_id'), 'ordering': ('-history_date', '-history_id'), 'verbose_name': 'historical Application account', 'verbose_name_plural': 'historical Application accounts'},
+        ),
+        migrations.AlterField(
+            model_name='historicalaccount',
+            name='history_date',
+            field=models.DateTimeField(db_index=True),
+        ),
+    ]
diff --git a/apps/assets/api/__init__.py b/apps/assets/api/__init__.py
index 7a8ce9a60..3e95f59ab 100644
--- a/apps/assets/api/__init__.py
+++ b/apps/assets/api/__init__.py
@@ -11,3 +11,4 @@ from .cmd_filter import *
 from .gathered_user import *
 from .favorite_asset import *
 from .account_backup import *
+from .account_history import *
diff --git a/apps/assets/api/account_history.py b/apps/assets/api/account_history.py
new file mode 100644
index 000000000..3258dfd48
--- /dev/null
+++ b/apps/assets/api/account_history.py
@@ -0,0 +1,46 @@
+from django.db.models import F
+
+from assets.api.accounts import (
+    AccountFilterSet, AccountViewSet, AccountSecretsViewSet
+)
+from common.mixins import RecordViewLogMixin
+from .. import serializers
+from ..models import AuthBook
+
+__all__ = ['AccountHistoryViewSet', 'AccountHistorySecretsViewSet']
+
+
+class AccountHistoryFilterSet(AccountFilterSet):
+    class Meta:
+        model = AuthBook.history.model
+        fields = AccountFilterSet.Meta.fields
+
+
+class AccountHistoryViewSet(AccountViewSet):
+    model = AuthBook.history.model
+    filterset_class = AccountHistoryFilterSet
+    serializer_classes = {
+        'default': serializers.AccountHistorySerializer,
+    }
+    rbac_perms = {
+        'list': 'assets.view_assethistoryaccount',
+        'retrieve': 'assets.view_assethistoryaccount',
+    }
+
+    http_method_names = ['get', 'options']
+
+    def get_queryset(self):
+        queryset = AuthBook.get_queryset(is_history_model=True)
+        return queryset
+
+
+class AccountHistorySecretsViewSet(RecordViewLogMixin, AccountHistoryViewSet):
+    serializer_classes = {
+        'default': serializers.AccountHistorySecretSerializer
+    }
+    http_method_names = ['get']
+    permission_classes = AccountSecretsViewSet.permission_classes
+    rbac_perms = {
+        'list': 'assets.view_assethistoryaccountsecret',
+        'retrieve': 'assets.view_assethistoryaccountsecret',
+    }
diff --git a/apps/assets/api/accounts.py b/apps/assets/api/accounts.py
index 33d2f517a..6ad59ed88 100644
--- a/apps/assets/api/accounts.py
+++ b/apps/assets/api/accounts.py
@@ -15,7 +15,7 @@ from ..tasks.account_connectivity import test_accounts_connectivity_manual
 from ..models import AuthBook, Node
 from .. import serializers
 
-__all__ = ['AccountViewSet', 'AccountSecretsViewSet', 'AccountTaskCreateAPI']
+__all__ = ['AccountFilterSet', 'AccountViewSet', 'AccountSecretsViewSet', 'AccountTaskCreateAPI']
 
 
 class AccountFilterSet(BaseFilterSet):
diff --git a/apps/assets/migrations/0091_auto_20220629_1826.py b/apps/assets/migrations/0091_auto_20220629_1826.py
new file mode 100644
index 000000000..589dce2b2
--- /dev/null
+++ b/apps/assets/migrations/0091_auto_20220629_1826.py
@@ -0,0 +1,26 @@
+# Generated by Django 3.1.14 on 2022-06-29 10:26
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0090_auto_20220412_1145'),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name='authbook',
+            options={'permissions': [('test_authbook', 'Can test asset account connectivity'), ('view_assetaccountsecret', 'Can view asset account secret'), ('change_assetaccountsecret', 'Can change asset account secret'), ('view_assethistoryaccount', 'Can view asset history account'), ('view_assethistoryaccountsecret', 'Can view asset history account secret')], 'verbose_name': 'AuthBook'},
+        ),
+        migrations.AlterModelOptions(
+            name='historicalauthbook',
+            options={'get_latest_by': ('history_date', 'history_id'), 'ordering': ('-history_date', '-history_id'), 'verbose_name': 'historical AuthBook', 'verbose_name_plural': 'historical AuthBooks'},
+        ),
+        migrations.AlterField(
+            model_name='historicalauthbook',
+            name='history_date',
+            field=models.DateTimeField(db_index=True),
+        ),
+    ]
diff --git a/apps/assets/models/authbook.py b/apps/assets/models/authbook.py
index 53766d2b7..338c65a3e 100644
--- a/apps/assets/models/authbook.py
+++ b/apps/assets/models/authbook.py
@@ -29,7 +29,9 @@ class AuthBook(BaseUser, AbsConnectivity):
         permissions = [
             ('test_authbook', _('Can test asset account connectivity')),
             ('view_assetaccountsecret', _('Can view asset account secret')),
-            ('change_assetaccountsecret', _('Can change asset account secret'))
+            ('change_assetaccountsecret', _('Can change asset account secret')),
+            ('view_assethistoryaccount', _('Can view asset history account')),
+            ('view_assethistoryaccountsecret', _('Can view asset history account secret')),
         ]
 
     def __init__(self, *args, **kwargs):
@@ -123,8 +125,9 @@ class AuthBook(BaseUser, AbsConnectivity):
         logger.debug('Update asset admin user: {} {}'.format(self.asset, self.systemuser))
 
     @classmethod
-    def get_queryset(cls):
-        queryset = cls.objects.all() \
+    def get_queryset(cls, is_history_model=False):
+        model = cls.history.model if is_history_model else cls
+        queryset = model.objects.all() \
             .annotate(ip=F('asset__ip')) \
             .annotate(hostname=F('asset__hostname')) \
             .annotate(platform=F('asset__platform__name')) \
diff --git a/apps/assets/serializers/__init__.py b/apps/assets/serializers/__init__.py
index f48552c9d..3f1222fc5 100644
--- a/apps/assets/serializers/__init__.py
+++ b/apps/assets/serializers/__init__.py
@@ -11,4 +11,5 @@ from .cmd_filter import *
 from .gathered_user import *
 from .favorite_asset import *
 from .account import *
+from .account_history import *
 from .backup import *
diff --git a/apps/assets/serializers/account_history.py b/apps/assets/serializers/account_history.py
new file mode 100644
index 000000000..fb2844182
--- /dev/null
+++ b/apps/assets/serializers/account_history.py
@@ -0,0 +1,38 @@
+from rest_framework import serializers
+from django.utils.translation import ugettext_lazy as _
+
+from assets.models import AuthBook
+from common.drf.serializers import SecretReadableMixin
+from .account import AccountSerializer, AccountSecretSerializer
+
+
+class AccountHistorySerializer(AccountSerializer):
+    systemuser_display = serializers.SerializerMethodField(label=_('System user display'))
+
+    class Meta:
+        model = AuthBook.history.model
+        fields = AccountSerializer.Meta.fields_mini + \
+                 AccountSerializer.Meta.fields_write_only + \
+                 AccountSerializer.Meta.fields_fk + \
+                 ['history_id', 'date_created', 'date_updated']
+        read_only_fields = fields
+        ref_name = 'AccountHistorySerializer'
+
+    @staticmethod
+    def get_systemuser_display(instance):
+        if not instance.systemuser:
+            return ''
+        return str(instance.systemuser)
+
+    def get_field_names(self, declared_fields, info):
+        fields = super().get_field_names(declared_fields, info)
+        fields = list(set(fields) - {'org_name'})
+        return fields
+
+    def to_representation(self, instance):
+        return super(AccountSerializer, self).to_representation(instance)
+
+
+class AccountHistorySecretSerializer(SecretReadableMixin, AccountHistorySerializer):
+    class Meta(AccountHistorySerializer.Meta):
+        extra_kwargs = AccountSecretSerializer.Meta.extra_kwargs
diff --git a/apps/assets/urls/api_urls.py b/apps/assets/urls/api_urls.py
index 59d4ab171..e8658ec0f 100644
--- a/apps/assets/urls/api_urls.py
+++ b/apps/assets/urls/api_urls.py
@@ -13,6 +13,8 @@ router = BulkRouter()
 router.register(r'assets', api.AssetViewSet, 'asset')
 router.register(r'accounts', api.AccountViewSet, 'account')
 router.register(r'account-secrets', api.AccountSecretsViewSet, 'account-secret')
+router.register(r'accounts-history', api.AccountHistoryViewSet, 'account-history')
+router.register(r'account-history-secrets', api.AccountHistorySecretsViewSet, 'account-history-secret')
 router.register(r'platforms', api.AssetPlatformViewSet, 'platform')
 router.register(r'system-users', api.SystemUserViewSet, 'system-user')
 router.register(r'admin-users', api.AdminUserViewSet, 'admin-user')
diff --git a/apps/locale/ja/LC_MESSAGES/django.po b/apps/locale/ja/LC_MESSAGES/django.po
index 04b4c2fc9..65f9ab3fb 100644
--- a/apps/locale/ja/LC_MESSAGES/django.po
+++ b/apps/locale/ja/LC_MESSAGES/django.po
@@ -657,6 +657,14 @@ msgstr "資産アカウントの秘密を表示できます"
 msgid "Can change asset account secret"
 msgstr "資産口座の秘密を変更できます"
 
+#: assets/models/authbook.py:33
+msgid "Can view asset history account"
+msgstr "資産履歴アカウントを表示できます"
+
+#: assets/models/authbook.py:34
+msgid "Can view asset history account secret"
+msgstr "資産履歴アカウントパスワードを表示できます"
+
 #: assets/models/backup.py:30 perms/models/base.py:54
 #: settings/serializers/terminal.py:12
 msgid "All"
@@ -1074,6 +1082,7 @@ msgstr ""
 "定してください暗号化パスワード"
 
 #: assets/serializers/account.py:36 assets/serializers/account.py:87
+#: assets/serializers/account_history.py:10
 msgid "System user display"
 msgstr "システムユーザー表示"
 
diff --git a/apps/locale/zh/LC_MESSAGES/django.po b/apps/locale/zh/LC_MESSAGES/django.po
index 804c5c62e..cba68207c 100644
--- a/apps/locale/zh/LC_MESSAGES/django.po
+++ b/apps/locale/zh/LC_MESSAGES/django.po
@@ -652,6 +652,14 @@ msgstr "可以查看资产账号密码"
 msgid "Can change asset account secret"
 msgstr "可以更改资产账号密码"
 
+#: assets/models/authbook.py:33
+msgid "Can view asset history account"
+msgstr "可以查看资产历史账号"
+
+#: assets/models/authbook.py:34
+msgid "Can view asset history account secret"
+msgstr "可以查看资产历史账号密码"
+
 #: assets/models/backup.py:30 perms/models/base.py:54
 #: settings/serializers/terminal.py:12
 msgid "All"
@@ -1066,6 +1074,7 @@ msgstr ""
 "置加密密码"
 
 #: assets/serializers/account.py:36 assets/serializers/account.py:87
+#: assets/serializers/account_history.py:10
 msgid "System user display"
 msgstr "系统用户名称"
 
diff --git a/apps/orgs/mixins/api.py b/apps/orgs/mixins/api.py
index 404038202..7d9839a20 100644
--- a/apps/orgs/mixins/api.py
+++ b/apps/orgs/mixins/api.py
@@ -2,8 +2,6 @@
 #
 from rest_framework.viewsets import ModelViewSet, GenericViewSet
 from rest_framework_bulk import BulkModelViewSet
-from rest_framework.exceptions import MethodNotAllowed
-from django.utils.translation import ugettext_lazy as _
 
 from common.mixins import CommonApiMixin, RelationMixin
 from orgs.utils import current_org

From 75aacd0da64fb8470d97d39936843026b2fbde96 Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Tue, 5 Jul 2022 11:08:35 +0800
Subject: [PATCH 228/258] =?UTF-8?q?fix:=20=E7=94=A8=E6=88=B7=E7=99=BB?=
 =?UTF-8?q?=E5=BD=95=E9=94=99=E8=AF=AF=E5=A4=84=E7=90=86bug=20(#8531)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: feng626 <1304903146@qq.com>
---
 apps/authentication/errors/redirect.py | 15 ++++++---------
 1 file changed, 6 insertions(+), 9 deletions(-)

diff --git a/apps/authentication/errors/redirect.py b/apps/authentication/errors/redirect.py
index f41bda818..bf334133d 100644
--- a/apps/authentication/errors/redirect.py
+++ b/apps/authentication/errors/redirect.py
@@ -23,7 +23,7 @@ class NeedMoreInfoError(Exception):
 
 
 class NeedRedirectError(JMSException):
-    def __init__(self, url):
+    def __init__(self, url, *args, **kwargs):
         self.url = url
 
 
@@ -79,8 +79,7 @@ class PasswordTooSimple(NeedRedirectError):
     default_detail = _('Your password is too simple, please change it for security')
 
     def __init__(self, url, *args, **kwargs):
-        super().__init__(*args, **kwargs)
-        self.url = url
+        super().__init__(url, *args, **kwargs)
 
 
 class PasswordNeedUpdate(NeedRedirectError):
@@ -88,8 +87,7 @@ class PasswordNeedUpdate(NeedRedirectError):
     default_detail = _('You should to change your password before login')
 
     def __init__(self, url, *args, **kwargs):
-        super().__init__(*args, **kwargs)
-        self.url = url
+        super().__init__(url, *args, **kwargs)
 
 
 class PasswordRequireResetError(NeedRedirectError):
@@ -97,13 +95,12 @@ class PasswordRequireResetError(NeedRedirectError):
     default_detail = _('Your password has expired, please reset before logging in')
 
     def __init__(self, url, *args, **kwargs):
-        super().__init__(*args, **kwargs)
-        self.url = url
+        super().__init__(url, *args, **kwargs)
 
 
 class MFAUnsetError(NeedRedirectError):
     error = const.reason_mfa_unset
     msg = const.mfa_unset_msg
 
-    def __init__(self, url, user, request):
-        self.url = url
+    def __init__(self, url, *args, **kwargs):
+        super().__init__(url, *args, **kwargs)

From bbcf992531de2e7daeb22c476b5a6f0c2ff9c749 Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Tue, 5 Jul 2022 11:04:12 +0800
Subject: [PATCH 229/258] =?UTF-8?q?feat:=20=E6=B7=BB=E5=8A=A0=20OmniDB=20E?=
 =?UTF-8?q?nabled=20=E6=8E=A7=E5=88=B6?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

feat: 添加 OmniDB Enabled 控制
---
 apps/jumpserver/conf.py             | 1 +
 apps/jumpserver/settings/custom.py  | 1 +
 apps/settings/serializers/public.py | 1 +
 3 files changed, 3 insertions(+)

diff --git a/apps/jumpserver/conf.py b/apps/jumpserver/conf.py
index 8afa16eb5..a3583e69d 100644
--- a/apps/jumpserver/conf.py
+++ b/apps/jumpserver/conf.py
@@ -327,6 +327,7 @@ class Config(dict):
         'TERMINAL_MAGNUS_ENABLED': True,
         'TERMINAL_KOKO_SSH_ENABLED': True,
         'TERMINAL_RAZOR_ENABLED': True,
+        'TERMINAL_OMNIDB_ENABLED': True,
 
         # 安全配置
         'SECURITY_MFA_AUTH': 0,  # 0 不开启 1 全局开启 2 管理员开启
diff --git a/apps/jumpserver/settings/custom.py b/apps/jumpserver/settings/custom.py
index 9f645617b..b6f6e9863 100644
--- a/apps/jumpserver/settings/custom.py
+++ b/apps/jumpserver/settings/custom.py
@@ -140,6 +140,7 @@ LOGIN_REDIRECT_MSG_ENABLED = CONFIG.LOGIN_REDIRECT_MSG_ENABLED
 CLOUD_SYNC_TASK_EXECUTION_KEEP_DAYS = CONFIG.CLOUD_SYNC_TASK_EXECUTION_KEEP_DAYS
 
 TERMINAL_RAZOR_ENABLED = CONFIG.TERMINAL_RAZOR_ENABLED
+TERMINAL_OMNIDB_ENABLED = CONFIG.TERMINAL_OMNIDB_ENABLED
 TERMINAL_MAGNUS_ENABLED = CONFIG.TERMINAL_MAGNUS_ENABLED
 TERMINAL_KOKO_SSH_ENABLED = CONFIG.TERMINAL_KOKO_SSH_ENABLED
 
diff --git a/apps/settings/serializers/public.py b/apps/settings/serializers/public.py
index 7e9f46b7d..25b104af5 100644
--- a/apps/settings/serializers/public.py
+++ b/apps/settings/serializers/public.py
@@ -38,6 +38,7 @@ class PrivateSettingSerializer(PublicSettingSerializer):
     TERMINAL_RAZOR_ENABLED = serializers.BooleanField()
     TERMINAL_MAGNUS_ENABLED = serializers.BooleanField()
     TERMINAL_KOKO_SSH_ENABLED = serializers.BooleanField()
+    TERMINAL_OMNIDB_ENABLED = serializers.BooleanField()
 
     ANNOUNCEMENT_ENABLED = serializers.BooleanField()
     ANNOUNCEMENT = serializers.DictField()

From 001e5d857f656f38ee53abcf41ace9d8b10dae9c Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Tue, 5 Jul 2022 14:43:56 +0800
Subject: [PATCH 230/258] =?UTF-8?q?pref:=20debug=20toolbar=20=E5=A4=AA?=
 =?UTF-8?q?=E8=B4=B9=E6=97=B6=E9=97=B4=20=E5=85=88=E7=A6=81=E7=94=A8=20(#8?=
 =?UTF-8?q?528)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* perf: 修改主题色

* pref: debug toolbar 太费时间 先禁用

* perf: 修改颜色

* perf: 优化 interface

* perf: 修改 avartar

* perf: css color

Co-authored-by: ibuler <ibuler@qq.com>
---
 .../templates/authentication/login.html       |  11 +-
 .../authentication/login_wait_confirm.html    |   6 +-
 apps/jumpserver/conf.py                       |   1 -
 apps/jumpserver/context_processor.py          |  36 ++-
 apps/jumpserver/settings/base.py              |  20 +-
 apps/jumpserver/settings/libs.py              |   1 -
 apps/ops/templates/ops/celery_task_log.html   |   4 +-
 apps/settings/api/public.py                   |  20 +-
 apps/settings/serializers/public.py           |   5 +-
 apps/settings/utils/common.py                 |  21 +-
 apps/static/css/jumpserver.css                |  14 +-
 apps/static/css/login-style.css               |   4 +-
 apps/static/css/otp.css                       |  20 +-
 .../static/css/plugins/steps/jquery.steps.css |   6 +-
 apps/static/css/style.css                     | 195 ++++++------
 apps/static/css/themes/classic.css            |   0
 apps/static/img/avatar/admin.png              | Bin 11750 -> 6093 bytes
 apps/static/img/avatar/user.png               | Bin 11750 -> 6093 bytes
 apps/static/img/logo_text_white.png           | Bin 0 -> 12116 bytes
 apps/static/img/logo_white.png                | Bin 0 -> 9950 bytes
 apps/templates/_base_double_screen.html       |   2 +-
 apps/templates/_base_only_content.html        |   4 +-
 apps/templates/_head_css_js.html              |   9 +-
 apps/templates/_without_nav_base.html         |   8 +-
 apps/templates/base.html                      |  10 +-
 apps/templates/flash_message_standalone.html  |  11 +-
 apps/templates/rest_framework/base.html       | 285 ------------------
 .../tickets/approve_check_password.html       |   2 +-
 .../templates/users/user_otp_enable_bind.html |   4 +-
 .../users/user_otp_enable_install_app.html    |   2 +-
 30 files changed, 192 insertions(+), 509 deletions(-)
 create mode 100644 apps/static/css/themes/classic.css
 create mode 100644 apps/static/img/logo_text_white.png
 create mode 100644 apps/static/img/logo_white.png
 delete mode 100644 apps/templates/rest_framework/base.html

diff --git a/apps/authentication/templates/authentication/login.html b/apps/authentication/templates/authentication/login.html
index c535509a7..27ef9d61e 100644
--- a/apps/authentication/templates/authentication/login.html
+++ b/apps/authentication/templates/authentication/login.html
@@ -5,9 +5,9 @@
 <html>
 <head>
     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
-    <link rel="shortcut icon" href="{{ FAVICON_URL }}" type="image/x-icon">
+    <link rel="shortcut icon" href="{{ INTERFACE.favicon }}" type="image/x-icon">
     <title>
-        {{ JMS_TITLE }}
+        {{ INTERFACE.login_title }}
     </title>
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
     {% include '_head_css_js.html' %}
@@ -183,7 +183,7 @@
 <div class="login-content extra-fields-{{ extra_fields_count }}">
     <div class="right-image-box">
         <a href="{% if not XPACK_ENABLED %}https://github.com/jumpserver/jumpserver.git{% endif %}">
-            <img src="{{ LOGIN_IMAGE_URL }}" class="right-image"  alt="screen-image"/>
+            <img src="{{ INTERFACE.login_image }}" class="right-image" alt="screen-image"/>
         </a>
     </div>
     <div class="left-form-box {% if not form.challenge and not form.captcha %} no-captcha-challenge {% endif %}">
@@ -206,7 +206,7 @@
                 </li>
             </ul>
             <div class="jms-title">
-                <span style="">{{ JMS_TITLE }}</span>
+                <span style="">{{ INTERFACE.login_title }}</span>
             </div>
             <div class="contact-form col-md-10 col-md-offset-1">
                 <form id="login-form" action="" method="post" role="form" novalidate="novalidate">
@@ -300,9 +300,6 @@
         $('#password-hidden').val(passwordEncrypted); //返回给密码输入input
         $('#login-form').submit(); //post提交
     }
-
-    $(document).ready(function () {
-    })
 </script>
 </html>
 
diff --git a/apps/authentication/templates/authentication/login_wait_confirm.html b/apps/authentication/templates/authentication/login_wait_confirm.html
index 9d2af40a5..bd94c1986 100644
--- a/apps/authentication/templates/authentication/login_wait_confirm.html
+++ b/apps/authentication/templates/authentication/login_wait_confirm.html
@@ -6,7 +6,7 @@
 <head>
     <meta charset="utf-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
-    <link rel="shortcut icon" href="{{ FAVICON_URL }}" type="image/x-icon">
+    <link rel="shortcut icon" href="{{ INTERFACE.favicon }}" type="image/x-icon">
     <title>{{ title }}</title>
     {% include '_head_css_js.html' %}
     <link href="{% static "css/jumpserver.css" %}" rel="stylesheet">
@@ -20,9 +20,9 @@
         <div class="col-md-12">
             <div class="ibox-content">
                 <div>
-                    <img src="{{ LOGO_URL }}" style="margin: auto" width="82" height="82">
+                    <img src="{{ INTERFACE.logo_logout }}" style="margin: auto" width="82" height="82">
                     <h2 style="display: inline">
-                        {{ JMS_TITLE }}
+                        {{ INTERFACE.login_title }}
                     </h2>
                 </div>
                 <p></p>
diff --git a/apps/jumpserver/conf.py b/apps/jumpserver/conf.py
index a3583e69d..c3a0a0210 100644
--- a/apps/jumpserver/conf.py
+++ b/apps/jumpserver/conf.py
@@ -413,7 +413,6 @@ class Config(dict):
 
         'FORGOT_PASSWORD_URL': '',
         'HEALTH_CHECK_TOKEN': '',
-
     }
 
     @staticmethod
diff --git a/apps/jumpserver/context_processor.py b/apps/jumpserver/context_processor.py
index 54a7b856e..1df4ebb17 100644
--- a/apps/jumpserver/context_processor.py
+++ b/apps/jumpserver/context_processor.py
@@ -4,34 +4,32 @@ from django.templatetags.static import static
 from django.conf import settings
 from django.utils.translation import ugettext_lazy as _
 
+default_interface = dict((
+    ('logo_logout', static('img/logo.png')),
+    ('logo_index', static('img/logo_text.png')),
+    ('login_image', static('img/login_image.jpg')),
+    ('favicon', static('img/facio.ico')),
+    ('login_title', _('JumpServer Open Source Bastion Host')),
+    ('theme', 'classic'),
+    ('primary_color', '#1ab394'),
+))
+
 default_context = {
     'DEFAULT_PK': '00000000-0000-0000-0000-000000000000',
-    'LOGO_URL': static('img/logo.png'),
-    'LOGO_TEXT_URL': static('img/logo_text.png'),
-    'LOGIN_IMAGE_URL': static('img/login_image.jpg'),
-    'FAVICON_URL': static('img/facio.ico'),
-    'LOGIN_CAS_LOGO_URL': static('img/login_cas_logo.png'),
-    'LOGIN_WECOM_LOGO_URL': static('img/login_wecom_logo.png'),
-    'LOGIN_DINGTALK_LOGO_URL': static('img/login_dingtalk_logo.png'),
-    'LOGIN_FEISHU_LOGO_URL': static('img/login_feishu_logo.png'),
-    'JMS_TITLE': _('JumpServer Open Source Bastion Host'),
-}
-
-default_interface = {
-    'login_title': default_context['JMS_TITLE'],
-    'logo_logout': default_context['LOGO_URL'],
-    'logo_index': default_context['LOGO_TEXT_URL'],
-    'login_image': default_context['LOGIN_IMAGE_URL'],
-    'favicon': default_context['FAVICON_URL'],
+    'LOGIN_CAS_logo_logout': static('img/login_cas_logo.png'),
+    'LOGIN_WECOM_logo_logout': static('img/login_wecom_logo.png'),
+    'LOGIN_DINGTALK_logo_logout': static('img/login_dingtalk_logo.png'),
+    'LOGIN_FEISHU_logo_logout': static('img/login_feishu_logo.png'),
+    'COPYRIGHT': 'FIT2CLOUD 飞致云' + ' © 2014-2022',
+    'INTERFACE': default_interface,
 }
 
 
 def jumpserver_processor(request):
     # Setting default pk
-    context = default_context
+    context = {**default_context}
     context.update({
         'VERSION': settings.VERSION,
-        'COPYRIGHT': 'FIT2CLOUD 飞致云' + ' © 2014-2022',
         'SECURITY_COMMAND_EXECUTION': settings.SECURITY_COMMAND_EXECUTION,
         'SECURITY_MFA_VERIFY_TTL': settings.SECURITY_MFA_VERIFY_TTL,
         'FORCE_SCRIPT_NAME': settings.FORCE_SCRIPT_NAME,
diff --git a/apps/jumpserver/settings/base.py b/apps/jumpserver/settings/base.py
index e34433391..9b4cfb668 100644
--- a/apps/jumpserver/settings/base.py
+++ b/apps/jumpserver/settings/base.py
@@ -310,23 +310,9 @@ DEFAULT_AUTO_FIELD = 'django.db.models.AutoField'
 
 # For Debug toolbar
 INTERNAL_IPS = ["127.0.0.1"]
-if DEBUG_DEV:
-    INSTALLED_APPS = ['debug_toolbar', 'pympler'] + INSTALLED_APPS
-    MIDDLEWARE.insert(0, 'debug_toolbar.middleware.DebugToolbarMiddleware')
+if os.environ.get('DEBUG_TOOLBAR', False):
+    INSTALLED_APPS = ['debug_toolbar'] + INSTALLED_APPS
+    MIDDLEWARE.append('debug_toolbar.middleware.DebugToolbarMiddleware')
     DEBUG_TOOLBAR_PANELS = [
-        'debug_toolbar.panels.history.HistoryPanel',
-        'debug_toolbar.panels.versions.VersionsPanel',
-        'debug_toolbar.panels.timer.TimerPanel',
-        'debug_toolbar.panels.settings.SettingsPanel',
-        'debug_toolbar.panels.headers.HeadersPanel',
-        'debug_toolbar.panels.request.RequestPanel',
-        'debug_toolbar.panels.sql.SQLPanel',
-        'debug_toolbar.panels.staticfiles.StaticFilesPanel',
-        'debug_toolbar.panels.templates.TemplatesPanel',
-        'debug_toolbar.panels.cache.CachePanel',
-        'debug_toolbar.panels.signals.SignalsPanel',
-        'debug_toolbar.panels.logging.LoggingPanel',
-        'debug_toolbar.panels.redirects.RedirectsPanel',
         'debug_toolbar.panels.profiling.ProfilingPanel',
-        'pympler.panels.MemoryPanel',
     ]
diff --git a/apps/jumpserver/settings/libs.py b/apps/jumpserver/settings/libs.py
index 03fcadfce..b3cc0dfde 100644
--- a/apps/jumpserver/settings/libs.py
+++ b/apps/jumpserver/settings/libs.py
@@ -20,7 +20,6 @@ REST_FRAMEWORK = {
         'rest_framework.renderers.JSONRenderer',
         'common.drf.renders.CSVFileRenderer',
         'common.drf.renders.ExcelFileRenderer',
-
     ),
     'DEFAULT_PARSER_CLASSES': (
         'rest_framework.parsers.JSONParser',
diff --git a/apps/ops/templates/ops/celery_task_log.html b/apps/ops/templates/ops/celery_task_log.html
index c79ff42b2..599893db8 100644
--- a/apps/ops/templates/ops/celery_task_log.html
+++ b/apps/ops/templates/ops/celery_task_log.html
@@ -6,7 +6,7 @@
     <script src="{% static 'js/plugins/xterm/xterm.js' %}"></script>
     <script src="{% static 'js/plugins/xterm/addons/fit/fit.js' %}"></script>
     <link rel="stylesheet" href="{% static 'js/plugins/xterm/xterm.css' %}" />
-    <link rel="shortcut icon" href="{{ FAVICON_URL }}" type="image/x-icon">
+    <link rel="shortcut icon" href="{{ INTERFACE.favicon }}" type="image/x-icon">
     <style>
         body {
             background-color: black;
@@ -88,4 +88,4 @@
     }).on('resize', window, function () {
         window.fit.fit(term);
     });
-</script>
\ No newline at end of file
+</script>
diff --git a/apps/settings/api/public.py b/apps/settings/api/public.py
index 9753c1bdd..1351fd6cd 100644
--- a/apps/settings/api/public.py
+++ b/apps/settings/api/public.py
@@ -3,9 +3,9 @@ from rest_framework.permissions import AllowAny, IsAuthenticated
 from django.conf import settings
 
 from jumpserver.utils import has_valid_xpack_license, get_xpack_license_info
-from common.utils import get_logger
+from common.utils import get_logger, lazyproperty
 from .. import serializers
-from ..utils import get_interface_setting
+from ..utils import get_interface_setting_or_default
 
 logger = get_logger(__name__)
 
@@ -16,22 +16,14 @@ class OpenPublicSettingApi(generics.RetrieveAPIView):
     permission_classes = (AllowAny,)
     serializer_class = serializers.PublicSettingSerializer
 
-    @staticmethod
-    def get_logo_urls():
-        interface = get_interface_setting()
-        keys = ['logo_logout', 'logo_index', 'login_image', 'favicon']
-        return {k: interface[k] for k in keys}
-
-    @staticmethod
-    def get_login_title():
-        interface = get_interface_setting()
-        return interface['login_title']
+    @lazyproperty
+    def interface_setting(self):
+        return get_interface_setting_or_default()
 
     def get_object(self):
         return {
             "XPACK_ENABLED": settings.XPACK_ENABLED,
-            "LOGIN_TITLE": self.get_login_title(),
-            "LOGO_URLS": self.get_logo_urls(),
+            "INTERFACE": self.interface_setting
         }
 
 
diff --git a/apps/settings/serializers/public.py b/apps/settings/serializers/public.py
index 25b104af5..73b61a3bc 100644
--- a/apps/settings/serializers/public.py
+++ b/apps/settings/serializers/public.py
@@ -8,8 +8,7 @@ __all__ = ['PublicSettingSerializer', 'PrivateSettingSerializer']
 
 class PublicSettingSerializer(serializers.Serializer):
     XPACK_ENABLED = serializers.BooleanField()
-    LOGIN_TITLE = serializers.CharField()
-    LOGO_URLS = serializers.DictField()
+    INTERFACE = serializers.DictField()
 
 
 class PrivateSettingSerializer(PublicSettingSerializer):
@@ -42,5 +41,5 @@ class PrivateSettingSerializer(PublicSettingSerializer):
 
     ANNOUNCEMENT_ENABLED = serializers.BooleanField()
     ANNOUNCEMENT = serializers.DictField()
-    
+
     TICKETS_ENABLED = serializers.BooleanField()
diff --git a/apps/settings/utils/common.py b/apps/settings/utils/common.py
index 6289b2711..3d73e8cdd 100644
--- a/apps/settings/utils/common.py
+++ b/apps/settings/utils/common.py
@@ -3,24 +3,7 @@ from jumpserver.context_processor import default_interface
 from django.conf import settings
 
 
-class ObjectDict(dict):
-    def __getattr__(self, name):
-        if name in self:
-            return self[name]
-        else:
-            raise AttributeError("No such attribute: " + name)
-
-    def __setattr__(self, name, value):
-        self[name] = value
-
-    def __delattr__(self, name):
-        if name in self:
-            del self[name]
-        else:
-            raise AttributeError("No such attribute: " + name)
-
-
-def get_interface_setting():
+def get_interface_setting_or_default():
     if not settings.XPACK_ENABLED:
         return default_interface
     from xpack.plugins.interface.models import Interface
@@ -28,4 +11,4 @@ def get_interface_setting():
 
 
 def get_login_title():
-    return get_interface_setting()['login_title']
+    return get_interface_setting_or_default()['login_title']
diff --git a/apps/static/css/jumpserver.css b/apps/static/css/jumpserver.css
index 02b59aae6..22cf5ff61 100644
--- a/apps/static/css/jumpserver.css
+++ b/apps/static/css/jumpserver.css
@@ -13,11 +13,11 @@
 
 .primary-panel .ibox-title {
     color: #ffffff;
-    background-color: #1AB394;
+    background-color: var(--primary-color);
 }
 
 .primary-panel .ibox-content {
-    border: 1px solid #1AB394;
+    border: 1px solid var(--primary-color);
 }
 
 .info-panel .ibox-title {
@@ -34,7 +34,7 @@ th a {
 }
 
 .select2-container--default .select2-results__option--highlighted[aria-selected] {
-    background-color: #1ab394 !important;
+    background-color: var(--primary-color) !important;
     /*color: #333 !important;*/
 }
 
@@ -45,7 +45,7 @@ th a {
 }
 
 .select2-container--forcus {
-    border: 1px solid #1AB394 !important;
+    border: 1px solid var(--primary-color) !important;
 }
 
 .select2-selection__choice,
@@ -64,7 +64,7 @@ th a {
 }
 
 .select2-container--default.select2-container--focus .select2-selection--multiple {
-    border: 1px solid #1ab394 !important;
+    border: 1px solid var(--primary-color) !important;
     box-shadow: 0 0 5px rgba(0, 0, 0, 0.3) !important;
 }
 
@@ -79,7 +79,7 @@ th a {
 }
 
 table.dataTable tbody > tr.selected, table.dataTable tbody > tr > .selected {
-    background-color: #1ab394 !important;
+    background-color: var(--primary-color) !important;
 }
 
 table.dataTable tbody tr.selected a,
@@ -358,7 +358,7 @@ div.dataTables_wrapper div.dataTables_filter {
     width: 150px;
     float: left;
     font-size: 22px;
-    color: #1ab394;
+    color: var(--primary-color);
 }
 
 .logo-element {
diff --git a/apps/static/css/login-style.css b/apps/static/css/login-style.css
index 203bd3a9e..6eae4af51 100644
--- a/apps/static/css/login-style.css
+++ b/apps/static/css/login-style.css
@@ -272,14 +272,14 @@ fieldset[disabled] .btn-login.active {
 
 .btn-transparent {
     color: #fff;
-    border: 1px solid #1ab394;
+    border: 1px solid var(--primary-color);
     display: inline-block;
     font-size: 13px;
     letter-spacing: 1px;
     padding: 10px 30px;
     text-transform: uppercase;
     border-radius: 5px;
-    background: #259980;
+    background: var(--primary-color);
     width: 100%;
 }
 
diff --git a/apps/static/css/otp.css b/apps/static/css/otp.css
index f78916ac1..67608d309 100644
--- a/apps/static/css/otp.css
+++ b/apps/static/css/otp.css
@@ -41,7 +41,7 @@ header div:nth-child(2){
 	padding-top: 20px;
 }
 header div:nth-child(2) a:hover{
-	color:#1ab394;
+	color:var(--primary-color);
 }
 
 /*article样式*/
@@ -49,7 +49,7 @@ article{
 	padding-top: 50px;
 	padding:50px 370px
 }
-article ul{	
+article ul{
 	float: left;
 	position: relative;
 	left: 50%;
@@ -81,14 +81,14 @@ article ul li:last-child{
 	margin-left:-15px;
 }
 .active{
-	color:#1ab394;
+	color:var(--primary-color);
 }
 .clearfix:after {
-	  content:""; 
-	  height:0; 
-	  visibility:hidden; 
-	  display:block; 
-	  clear:both; 
+	  content:"";
+	  height:0;
+	  visibility:hidden;
+	  display:block;
+	  clear:both;
 }
 .verify{
 	text-align: center;
@@ -131,7 +131,7 @@ article ul li:last-child{
     display: block;
     width: 214px;
     line-height: 34px;
-    background: #1ab394;
+    background: var(--primary-color);
     text-align: center;
     border-radius: 6px;
     color: white;
@@ -147,4 +147,4 @@ footer{
     text-align:center;
 	font-size: 14px;
 	color: #1a1a1a;
-}
\ No newline at end of file
+}
diff --git a/apps/static/css/plugins/steps/jquery.steps.css b/apps/static/css/plugins/steps/jquery.steps.css
index 534a06c3a..ac0b2e1f0 100644
--- a/apps/static/css/plugins/steps/jquery.steps.css
+++ b/apps/static/css/plugins/steps/jquery.steps.css
@@ -111,7 +111,7 @@
 .wizard > .steps .current a:hover,
 .wizard > .steps .current a:active
 {
-    background: #1AB394;
+    background: var(--primary-color);
     color: #fff;
     cursor: default;
 }
@@ -250,7 +250,7 @@
 .wizard > .actions a:hover,
 .wizard > .actions a:active
 {
-    background: #1AB394;
+    background: var(--primary-color);
     color: #fff;
     display: block;
     padding: 0.5em 1em;
@@ -376,4 +376,4 @@
 .tabcontrol > .content > .body ul > li
 {
     display: list-item;
-}
\ No newline at end of file
+}
diff --git a/apps/static/css/style.css b/apps/static/css/style.css
index 2d3d54b99..272a7ac49 100644
--- a/apps/static/css/style.css
+++ b/apps/static/css/style.css
@@ -271,7 +271,7 @@ body.mini-navbar .navbar-default .nav > li > .nav-second-level li a {
   left: 65px;
 }
 .navbar-default .special_link a {
-  background: #1ab394;
+  background: var(--primary-color);
   color: white;
 }
 .navbar-default .special_link a:hover {
@@ -280,14 +280,14 @@ body.mini-navbar .navbar-default .nav > li > .nav-second-level li a {
 }
 .navbar-default .special_link a span.label {
   background: #fff;
-  color: #1ab394;
+  color: var(--primary-color);
 }
 .navbar-default .landing_link a {
   background: #1cc09f;
   color: white;
 }
 .navbar-default .landing_link a:hover {
-  background: #1ab394 !important;
+  background: var(--primary-color) !important;
   color: white;
 }
 .navbar-default .landing_link a span.label {
@@ -381,7 +381,7 @@ body.canvas-menu .logo-element {
 }
 body.mini-navbar .nav-header {
   padding: 0;
-  background-color: #1ab394;
+  background-color: var(--primary-color);
 }
 body.canvas-menu .nav-header {
   padding: 33px 25px;
@@ -480,7 +480,7 @@ body.canvas-menu.mini-navbar nav.navbar-static-side {
 }
 .top-navigation .navbar-nav .dropdown-menu > .active > a {
   background: white;
-  color: #1ab394;
+  color: var(--primary-color);
   font-weight: bold;
 }
 .white-bg .navbar-fixed-top,
@@ -497,14 +497,14 @@ body.canvas-menu.mini-navbar nav.navbar-static-side {
 .top-navigation .nav > li a:hover,
 .top-navigation .nav > li a:focus {
   background: #fff;
-  color: #1ab394;
+  color: var(--primary-color);
 }
 .top-navigation .nav > li.active {
   background: #fff;
   border: none;
 }
 .top-navigation .nav > li.active > a {
-  color: #1ab394;
+  color: var(--primary-color);
 }
 .top-navigation .navbar-right {
   margin-right: 10px;
@@ -521,7 +521,7 @@ body.canvas-menu.mini-navbar nav.navbar-static-side {
   margin-top: 0;
 }
 .top-navigation .navbar-brand {
-  background: #1ab394;
+  background: var(--primary-color);
   color: #fff;
   padding: 15px 25px;
 }
@@ -550,7 +550,7 @@ body.canvas-menu.mini-navbar nav.navbar-static-side {
   padding: 40px 0 40px 0;
 }
 .navbar-toggle {
-  background-color: #1ab394;
+  background-color: var(--primary-color);
   color: #fff;
   padding: 6px 12px;
   font-size: 14px;
@@ -597,7 +597,7 @@ body.canvas-menu.mini-navbar nav.navbar-static-side {
   min-width: 120px;
 }
 .btn-primary.btn-outline {
-  color: #1ab394;
+  color: var(--primary-color);
 }
 .btn-success.btn-outline {
   color: #1c84c6;
@@ -619,8 +619,8 @@ body.canvas-menu.mini-navbar nav.navbar-static-side {
   color: #fff;
 }
 .btn-primary {
-  background-color: #1ab394;
-  border-color: #1ab394;
+  background-color: var(--primary-color);
+  border-color: var(--primary-color);
   color: #FFFFFF;
 }
 .btn-primary:hover,
@@ -632,8 +632,8 @@ body.canvas-menu.mini-navbar nav.navbar-static-side {
 .btn-primary:active:hover,
 .btn-primary.active:hover,
 .btn-primary.active:focus {
-  background-color: #18a689;
-  border-color: #18a689;
+  background-color: var(--primary-color);
+  border-color: var(--primary-color);
   color: #FFFFFF;
 }
 .btn-primary:active,
@@ -870,7 +870,7 @@ fieldset[disabled] .btn-danger.active {
 .btn-link:active,
 .btn-link.active,
 .open .dropdown-toggle.btn-link {
-  color: #1ab394;
+  color: var(--primary-color);
   text-decoration: none;
 }
 .btn-link:active,
@@ -1056,7 +1056,7 @@ button.dim:active:before {
 }
 .label-primary,
 .badge-primary {
-  background-color: #1ab394;
+  background-color: var(--primary-color);
   color: #FFFFFF;
 }
 .label-success,
@@ -1114,7 +1114,7 @@ button.dim:active:before {
   display: block;
   overflow: hidden;
   cursor: pointer;
-  border: 2px solid #1ab394;
+  border: 2px solid var(--primary-color);
   border-radius: 2px;
 }
 .onoffswitch-inner {
@@ -1143,7 +1143,7 @@ button.dim:active:before {
 .onoffswitch-inner:before {
   content: "ON";
   padding-left: 10px;
-  background-color: #1ab394;
+  background-color: var(--primary-color);
   color: #FFFFFF;
 }
 .onoffswitch-inner:after {
@@ -1157,7 +1157,7 @@ button.dim:active:before {
   width: 20px;
   margin: 0;
   background: #FFFFFF;
-  border: 2px solid #1ab394;
+  border: 2px solid var(--primary-color);
   border-radius: 2px;
   position: absolute;
   top: 0;
@@ -1187,7 +1187,6 @@ button.dim:active:before {
   background: #ffffff;
   box-shadow: none;
   -moz-box-sizing: border-box;
-  background-color: #FFFFFF;
   border: 1px solid #CBD5DD;
   border-radius: 2px;
   cursor: text;
@@ -1306,8 +1305,8 @@ button.dim:active:before {
   white-space: nowrap;
 }
 .fc-state-active {
-  background-color: #1ab394;
-  border-color: #1ab394;
+  background-color: var(--primary-color);
+  border-color: var(--primary-color);
   color: #ffffff;
 }
 .fc-header-title h2 {
@@ -1340,9 +1339,9 @@ button.dim:active:before {
 .fc-agenda .fc-event-time,
 .fc-event a {
   padding: 4px 6px;
-  background-color: #1ab394;
+  background-color: var(--primary-color);
   /* background color */
-  border-color: #1ab394;
+  border-color: var(--primary-color);
   /* border color */
 }
 .fc-event-time,
@@ -1441,8 +1440,8 @@ button.dim:active:before {
 a.list-group-item.active,
 a.list-group-item.active:hover,
 a.list-group-item.active:focus {
-  background-color: #1ab394;
-  border-color: #1ab394;
+  background-color: var(--primary-color);
+  border-color: var(--primary-color);
   color: #FFFFFF;
   z-index: 2;
 }
@@ -1717,7 +1716,7 @@ div.dt-button-info {
   display: none;
 }
 .pace .pace-progress {
-  background: #1ab394;
+  background: var(--primary-color);
   position: fixed;
   z-index: 2040;
   top: 0;
@@ -1851,10 +1850,10 @@ div.dt-button-info {
 }
 .form-control:focus,
 .single-line:focus {
-  border-color: #1ab394 !important;
+  border-color: var(--primary-color) !important;
 }
 .has-success .form-control {
-  border-color: #1ab394;
+  border-color: var(--primary-color);
 }
 .has-warning .form-control {
   border-color: #f8ac59;
@@ -1863,7 +1862,7 @@ div.dt-button-info {
   border-color: #ed5565;
 }
 .has-success .control-label {
-  color: #1ab394;
+  color: var(--primary-color);
 }
 .has-warning .control-label {
   color: #f8ac59;
@@ -1889,7 +1888,7 @@ div.dt-button-info {
   width: 20%;
 }
 .noUi-connect {
-  background: none repeat scroll 0 0 #1ab394;
+  background: none repeat scroll 0 0 var(--primary-color);
   box-shadow: none;
 }
 .slider_red .noUi-connect {
@@ -1923,7 +1922,7 @@ div.dt-button-info {
   display: block;
   overflow: hidden;
   cursor: pointer;
-  border: 2px solid #1AB394;
+  border: 2px solid var(--primary-color);
   border-radius: 3px;
 }
 .onoffswitch-inner {
@@ -1954,7 +1953,7 @@ div.dt-button-info {
 .onoffswitch-inner:before {
   content: "ON";
   padding-left: 7px;
-  background-color: #1AB394;
+  background-color: var(--primary-color);
   color: #FFFFFF;
 }
 .onoffswitch-inner:after {
@@ -1969,7 +1968,7 @@ div.dt-button-info {
   width: 18px;
   margin: 0;
   background: #FFFFFF;
-  border: 2px solid #1AB394;
+  border: 2px solid var(--primary-color);
   border-radius: 3px;
   position: absolute;
   top: 0;
@@ -2450,10 +2449,10 @@ label.error {
   cursor: pointer;
 }
 .toast {
-  background-color: #1ab394;
+  background-color: var(--primary-color);
 }
 .toast-success {
-  background-color: #1ab394;
+  background-color: var(--primary-color);
 }
 .toast-error {
   background-color: #ed5565;
@@ -2491,7 +2490,7 @@ label.error {
   border-left: 6px solid #ed5565;
 }
 .inspinia-notify.alert-info {
-  border-left: 6px solid #1ab394;
+  border-left: 6px solid var(--primary-color);
 }
 /* Image cropper style */
 .img-container,
@@ -2605,10 +2604,10 @@ a.forum-item-title:hover {
   color: #9b9b9b;
 }
 .forum-item.active .fa {
-  color: #1ab394;
+  color: var(--primary-color);
 }
 .forum-item.active a.forum-item-title {
-  color: #1ab394;
+  color: var(--primary-color);
 }
 @media (max-width: 992px) {
   .forum-info {
@@ -2773,7 +2772,7 @@ a.forum-item-title:hover {
   font-weight: 500;
 }
 .vertical-date small {
-  color: #1ab394;
+  color: var(--primary-color);
   font-weight: 400;
 }
 .vertical-timeline-content::before {
@@ -3001,7 +3000,7 @@ a.forum-item-title:hover {
   position: absolute;
   left: 10px;
   border-radius: 3px;
-  background: #1ab394;
+  background: var(--primary-color);
   padding: 3px;
   color: white;
   cursor: pointer;
@@ -3093,7 +3092,7 @@ a.forum-item-title:hover {
 /*Slick Carousel */
 .slick-prev:before,
 .slick-next:before {
-  color: #1ab394 !important;
+  color: var(--primary-color) !important;
 }
 /* Payments */
 .payment-card {
@@ -3680,7 +3679,7 @@ img.circle-border {
   font-weight: 600;
   padding: 17px 20px;
   text-align: center;
-  background-color: #1ab394;
+  background-color: var(--primary-color);
 }
 .login-panel {
   margin-top: 25%;
@@ -3855,7 +3854,7 @@ table.table-mail tr td {
   background-color: #ffffff;
 }
 .navy-bg {
-  background-color: #1ab394;
+  background-color: var(--primary-color);
   color: #ffffff;
 }
 .blue-bg {
@@ -3878,11 +3877,11 @@ table.table-mail tr td {
   background-color: #262626;
 }
 .panel-primary {
-  border-color: #1ab394;
+  border-color: var(--primary-color);
 }
 .panel-primary > .panel-heading {
-  background-color: #1ab394;
-  border-color: #1ab394;
+  background-color: var(--primary-color);
+  border-color: var(--primary-color);
 }
 .panel-success {
   border-color: #1c84c6;
@@ -3917,7 +3916,7 @@ table.table-mail tr td {
   color: #ffffff;
 }
 .progress-bar {
-  background-color: #1ab394;
+  background-color: var(--primary-color);
 }
 .progress-small,
 .progress-small .progress-bar {
@@ -3959,7 +3958,7 @@ table.table-mail tr td {
 }
 /* COLORS */
 .text-navy {
-  color: #1ab394;
+  color: var(--primary-color);
 }
 .text-primary {
   color: inherit;
@@ -4690,7 +4689,7 @@ ul.notes li div {
   color: #3d4d5d;
 }
 .category-list li a .text-navy {
-  color: #1ab394;
+  color: var(--primary-color);
 }
 .category-list li a .text-primary {
   color: #1c84c6;
@@ -4855,7 +4854,7 @@ a.compose-mail {
   color: inherit;
 }
 .file-list li a:hover {
-  color: #1ab394;
+  color: var(--primary-color);
 }
 .user-friends img {
   width: 42px;
@@ -4963,7 +4962,7 @@ dd.project-people {
 .faq-question {
   font-size: 18px;
   font-weight: 600;
-  color: #1ab394;
+  color: var(--primary-color);
   display: block;
 }
 .faq-question:hover {
@@ -5164,7 +5163,7 @@ dd.project-people {
 }
 /* ISSUE TRACKER */
 .issue-tracker .btn-link {
-  color: #1ab394;
+  color: var(--primary-color);
 }
 table.issue-tracker tbody tr td {
   vertical-align: middle;
@@ -5218,7 +5217,7 @@ table.issue-tracker tbody tr td {
   border-left: 3px solid #1c84c6;
 }
 .agile-list li.success-element {
-  border-left: 3px solid #1ab394;
+  border-left: 3px solid var(--primary-color);
 }
 .agile-detail {
   margin-top: 5px;
@@ -5300,13 +5299,13 @@ table.shoping-cart-table tr td:last-child {
 }
 .product-name:hover,
 .product-name:focus {
-  color: #1ab394;
+  color: var(--primary-color);
 }
 .product-price {
   font-size: 14px;
   font-weight: 600;
   color: #ffffff;
-  background-color: #1ab394;
+  background-color: var(--primary-color);
   padding: 6px 12px;
   position: absolute;
   top: -32px;
@@ -5422,7 +5421,7 @@ table.shoping-cart-table tr td:last-child {
   text-align: center;
 }
 .vote-actions a {
-  color: #1ab394;
+  color: var(--primary-color);
   font-weight: 600;
 }
 .vote-actions {
@@ -5453,7 +5452,7 @@ table.shoping-cart-table tr td:last-child {
   margin-right: 10px;
 }
 .vote-info a:hover {
-  color: #1ab394;
+  color: var(--primary-color);
 }
 .vote-icon {
   text-align: right;
@@ -5462,7 +5461,7 @@ table.shoping-cart-table tr td:last-child {
   color: #e8e9ea;
 }
 .vote-icon.active {
-  color: #1ab394;
+  color: var(--primary-color);
 }
 body.body-small .vote-icon {
   display: none;
@@ -5488,7 +5487,7 @@ body.body-small .vote-icon {
   height: 38px;
   width: 38px;
   display: block;
-  background: #1ab394;
+  background: var(--primary-color);
   padding: 9px 8px;
   text-align: center;
   color: #fff;
@@ -5496,7 +5495,7 @@ body.body-small .vote-icon {
 }
 .open-small-chat:hover {
   color: white;
-  background: #1ab394;
+  background: var(--primary-color);
 }
 .small-chat-box {
   display: none;
@@ -5551,7 +5550,7 @@ body.body-small .vote-icon {
   margin-bottom: 10px;
 }
 .small-chat-box .content .chat-message.active {
-  background: #1ab394;
+  background: var(--primary-color);
   color: #fff;
 }
 .small-chat-box .content .left {
@@ -5643,7 +5642,7 @@ body.body-small .vote-icon {
 .sk-spinner-rotating-plane.sk-spinner {
   width: 30px;
   height: 30px;
-  background-color: #1ab394;
+  background-color: var(--primary-color);
   margin: 0 auto;
   -webkit-animation: sk-rotatePlane 1.2s infinite ease-in-out;
   animation: sk-rotatePlane 1.2s infinite ease-in-out;
@@ -5696,7 +5695,7 @@ body.body-small .vote-icon {
   width: 100%;
   height: 100%;
   border-radius: 50%;
-  background-color: #1ab394;
+  background-color: var(--primary-color);
   opacity: 0.6;
   position: absolute;
   top: 0;
@@ -5750,7 +5749,7 @@ body.body-small .vote-icon {
   font-size: 10px;
 }
 .sk-spinner-wave div {
-  background-color: #1ab394;
+  background-color: var(--primary-color);
   height: 100%;
   width: 6px;
   display: inline-block;
@@ -5814,7 +5813,7 @@ body.body-small .vote-icon {
 }
 .sk-spinner-wandering-cubes .sk-cube1,
 .sk-spinner-wandering-cubes .sk-cube2 {
-  background-color: #1ab394;
+  background-color: var(--primary-color);
   width: 10px;
   height: 10px;
   position: absolute;
@@ -5883,7 +5882,7 @@ body.body-small .vote-icon {
   width: 40px;
   height: 40px;
   margin: 0 auto;
-  background-color: #1ab394;
+  background-color: var(--primary-color);
   border-radius: 100%;
   -webkit-animation: sk-pulseScaleOut 1s infinite ease-in-out;
   animation: sk-pulseScaleOut 1s infinite ease-in-out;
@@ -5935,7 +5934,7 @@ body.body-small .vote-icon {
   display: inline-block;
   position: absolute;
   top: 0;
-  background-color: #1ab394;
+  background-color: var(--primary-color);
   border-radius: 100%;
   -webkit-animation: sk-chasingDotsBounce 2s infinite ease-in-out;
   animation: sk-chasingDotsBounce 2s infinite ease-in-out;
@@ -5998,7 +5997,7 @@ body.body-small .vote-icon {
 .sk-spinner-three-bounce div {
   width: 18px;
   height: 18px;
-  background-color: #1ab394;
+  background-color: var(--primary-color);
   border-radius: 100%;
   display: inline-block;
   -webkit-animation: sk-threeBounceDelay 1.4s infinite ease-in-out;
@@ -6077,7 +6076,7 @@ body.body-small .vote-icon {
   margin: 0 auto;
   width: 20%;
   height: 20%;
-  background-color: #1ab394;
+  background-color: var(--primary-color);
   border-radius: 100%;
   -webkit-animation: sk-circleBounceDelay 1.2s infinite ease-in-out;
   animation: sk-circleBounceDelay 1.2s infinite ease-in-out;
@@ -6240,7 +6239,7 @@ body.body-small .vote-icon {
 .sk-spinner-cube-grid .sk-cube {
   width: 33%;
   height: 33%;
-  background-color: #1ab394;
+  background-color: var(--primary-color);
   float: left;
   -webkit-animation: sk-cubeGridScaleDelay 1.3s infinite ease-in-out;
   animation: sk-cubeGridScaleDelay 1.3s infinite ease-in-out;
@@ -6314,7 +6313,7 @@ body.body-small .vote-icon {
  *
  */
 .sk-spinner-wordpress.sk-spinner {
-  background-color: #1ab394;
+  background-color: var(--primary-color);
   width: 30px;
   height: 30px;
   border-radius: 30px;
@@ -6391,7 +6390,7 @@ body.body-small .vote-icon {
   margin: 0 auto;
   width: 18%;
   height: 18%;
-  background-color: #1ab394;
+  background-color: var(--primary-color);
   border-radius: 100%;
   -webkit-animation: sk-circleFadeDelay 1.2s infinite ease-in-out;
   animation: sk-circleFadeDelay 1.2s infinite ease-in-out;
@@ -6567,13 +6566,13 @@ body.landing-page {
   -------------------------------------------------- */
 }
 .landing-page span.navy {
-  color: #1ab394;
+  color: var(--primary-color);
 }
 .landing-page p.text-color {
   color: #676a6c;
 }
 .landing-page a.navy-link {
-  color: #1ab394;
+  color: var(--primary-color);
   text-decoration: none;
 }
 .landing-page a.navy-link:hover {
@@ -6595,7 +6594,7 @@ body.landing-page {
   width: 60px;
   height: 1px;
   margin: 60px auto 0;
-  border-bottom: 2px solid #1ab394;
+  border-bottom: 2px solid var(--primary-color);
 }
 .landing-page .navbar-wrapper {
   position: fixed;
@@ -6638,11 +6637,11 @@ body.landing-page {
 .landing-page .navbar-default .navbar-nav > .active > a:hover {
   background: transparent;
   color: #fff;
-  border-top: 6px solid #1ab394;
+  border-top: 6px solid var(--primary-color);
 }
 .landing-page .navbar-default .navbar-nav > li > a:hover,
 .landing-page .navbar-default .navbar-nav > li > a:focus {
-  color: #1ab394;
+  color: var(--primary-color);
   background: inherit;
 }
 .landing-page .navbar-default .navbar-nav > .active > a:focus {
@@ -6667,7 +6666,7 @@ body.landing-page {
   height: auto;
   display: block;
   font-size: 14px;
-  background: #1ab394;
+  background: var(--primary-color);
   padding: 15px 20px 15px 20px;
   border-radius: 0 0 5px 5px;
   font-weight: 700;
@@ -6677,7 +6676,7 @@ body.landing-page {
   color: #676a6c;
 }
 .landing-page .navbar-scroll.navbar-default .nav li a:hover {
-  color: #1ab394;
+  color: var(--primary-color);
 }
 .landing-page .navbar-wrapper .navbar.navbar-scroll {
   padding-top: 0;
@@ -6697,7 +6696,7 @@ body.landing-page {
 }
 .landing-page .navbar-default .navbar-nav > .active > a,
 .landing-page .navbar-default .navbar-nav > .active > a:hover {
-  border-top: 6px solid #1ab394;
+  border-top: 6px solid var(--primary-color);
 }
 .landing-page .navbar-fixed-top {
   border: none !important;
@@ -6838,7 +6837,7 @@ body.landing-page {
   margin-top: 40px;
 }
 .landing-page .features small {
-  color: #1ab394;
+  color: var(--primary-color);
 }
 .landing-page .features h2 {
   font-size: 18px;
@@ -6851,12 +6850,12 @@ body.landing-page {
   font-weight: 200;
 }
 .landing-page .features-icon {
-  color: #1ab394;
+  color: var(--primary-color);
   font-size: 40px;
 }
 .landing-page .navy-section {
   margin-top: 60px;
-  background: #1ab394;
+  background: var(--primary-color);
   color: #fff;
   padding: 20px 0;
 }
@@ -6871,7 +6870,7 @@ body.landing-page {
   margin: auto;
 }
 .landing-page .social-icon a {
-  background: #1ab394;
+  background: var(--primary-color);
   color: #fff;
   padding: 4px 8px;
   height: 28px;
@@ -6902,7 +6901,7 @@ body.landing-page {
 }
 .landing-page .pricing-plan .pricing-price span {
   font-weight: 700;
-  color: #1ab394;
+  color: var(--primary-color);
 }
 .landing-page li.pricing-desc {
   font-size: 13px;
@@ -6910,7 +6909,7 @@ body.landing-page {
   padding: 20px 16px;
 }
 .landing-page li.pricing-title {
-  background: #1ab394;
+  background: var(--primary-color);
   color: #fff;
   padding: 10px;
   border-radius: 4px 4px 0 0;
@@ -6920,14 +6919,14 @@ body.landing-page {
 .landing-page .testimonials {
   padding-top: 80px;
   padding-bottom: 90px;
-  background-color: #1ab394;
+  background-color: var(--primary-color);
   background-image: url('../img/landing/avatar_all.png');
 }
 .landing-page .big-icon {
   font-size: 56px !important;
 }
 .landing-page .features .big-icon {
-  color: #1ab394 !important;
+  color: var(--primary-color) !important;
 }
 .landing-page .contact {
   background-image: url('../img/landing/word_map.png');
@@ -6986,8 +6985,8 @@ body.landing-page {
   color: #fff;
 }
 .landing-page .btn-primary {
-  background-color: #1ab394;
-  border-color: #1ab394;
+  background-color: var(--primary-color);
+  border-color: var(--primary-color);
   color: #FFFFFF;
   font-size: 14px;
   padding: 10px 20px;
@@ -7084,7 +7083,7 @@ body.landing-page {
     color: #676a6c;
   }
   .landing-page .navbar-default .nav li a:hover {
-    color: #1ab394;
+    color: var(--primary-color);
   }
   .landing-page .navbar-wrapper .navbar {
     padding-top: 0;
@@ -7377,7 +7376,7 @@ body.rtls.top-navigation .footer.fixed {
   margin-right: 0;
 }
 .spin-icon {
-  background: #1ab394;
+  background: var(--primary-color);
   position: absolute;
   padding: 7px 10px 7px 13px;
   border-radius: 20px 0 0 20px;
@@ -7906,7 +7905,7 @@ body.md-skin {
 .md-skin .nav .open > a,
 .md-skin .nav .open > a:hover,
 .md-skin .nav .open > a:focus {
-  background: #1ab394;
+  background: var(--primary-color);
 }
 .md-skin .navbar-top-links li {
   display: inline-table;
@@ -7974,7 +7973,7 @@ body.md-skin {
 }
 .md-skin .navbar-fixed-top,
 .md-skin .navbar-static-top {
-  background-color: #1ab394 !important;
+  background-color: var(--primary-color) !important;
   box-shadow: 0 2px 2px 0 rgba(0, 0, 0, 0.14), 0 3px 1px -2px rgba(0, 0, 0, 0.2), 0 1px 5px 0 rgba(0, 0, 0, 0.12);
 }
 .md-skin .navbar-static-side {
@@ -8061,7 +8060,7 @@ body.md-skin {
 .md-skin.landing-page .navbar-default .navbar-nav > li > a:hover,
 .md-skin.landing-page .navbar-default .navbar-nav > li > a:focus {
   background: inherit;
-  color: #1ab394;
+  color: var(--primary-color);
 }
 .md-skin.landing-page.body-small .nav.navbar-right > li > a {
   color: #676a6c;
@@ -8092,11 +8091,11 @@ body.md-skin {
 .md-skin.top-navigation .nav .open > a,
 .md-skin.top-navigation .nav .open > a:hover,
 .md-skin.top-navigation .nav .open > a:focus {
-  color: #1ab394;
+  color: var(--primary-color);
   background: #ffffff;
 }
 .md-skin.top-navigation .nav > li.active a {
-  color: #1ab394;
+  color: var(--primary-color);
   background: #ffffff;
 }
 .md-skin.fixed-nav #wrapper.top-navigation #page-wrapper {
diff --git a/apps/static/css/themes/classic.css b/apps/static/css/themes/classic.css
new file mode 100644
index 000000000..e69de29bb
diff --git a/apps/static/img/avatar/admin.png b/apps/static/img/avatar/admin.png
index d81e793b21152974fffba9a5b0c6f58c321721dd..1948d1661498aa290d4f63c1474f82667fcb8eb5 100644
GIT binary patch
literal 6093
zcmV;;7c%IHP)<h;3K|Lk000e1NJLTq005f+005f^1^@s6bz$j@000-1Nkl<ZcwX&Y
zdyr&ReZI@evOz-uZm^KmqAWK7f&@ciVJt%_nwTI|w1QGe#GplDVk8!#MIK}&k;Fel
zjaINCMnV}x6Ey^ieeX=aAJgxie!r%Bre}8cJv+0rZ}#T*oxW%6J-273r>A@7o_o))
z>YM4leP{YSzVmyXbI;KxnoX_W7#|<k>SJT<_jseBjgF3LrD9R5RjXR1Qqc;90(+m&
z=e2AmqZRSKRMIkZUy-ik8s6i+bSlN}%Vo3dI_}BRYuq=QPHQRpJdsGS`+!t3sU?l~
z_?&}(hO)$>QT*OS@83qBy^sF>;czJQRlm>oLcs42c--!c*W;NQ9vV968XmqtzxAR0
z`x*A{+sDA)1NfY9hVDH;f7hhHPtgAvB0M(|4sWOLd63F|CzbUElqE{vkGjNTF;*Xx
z3-84`WKci6Ch&VuZ`KC%8p!2xTAqNv<86kv!tV@yUMZK^dv+hSBibG9U8TOLqA$<~
z^m&u|twDWNuh+GSi3wAm_5-F1{eYFohWi0}eI0e~Z^dG<&l3q=BvPc@F4r-TW#8Vt
z9RX6czg`TT?iYdYq3=83^LoR<VDMQg^QVaPw^N<2LRnEiu?~uCU0}V*#xz(u4bAmy
z@p$~NgMq*+q-`3Vh$RwdP!PYD5pZbeERnAm3I=~b<a&_Gzm02QMYb-n9%M7L*rr50
z{%$f|Pf;f($+VqY4`Ou-k$hx^Pmn2hMI(_%sUEjvsjiH8ifoHxt;mMgX(Abs?Pltr
zCy8JQ(q0#>Ot7UO5bq?J`(ZM*e?<doD>t=@Yyt*NHZ&Z4{)<GikCKUei8^L(@18x<
zk!vZm6OUYg0~EmgJGI4o%car=PBcZf=HSR?5bk>N!@fYHJ}0XNTPb)Q;d7FI=O%yd
z0cwjkERaZ%t$$==4VcTlg`&x)Xp}e6@X%ypr#Jz;-sIb5iFBVOvRnniD6*}RY(^09
zCTi5Lcs!niPS9fAg1ZfV((pvI&rmyUE)%g7*;Yt4G!FSDo5}fq1Stzevc<7LI-f5@
zq`436sL0kO*)Te3r2ZcHWI;u;?!n9}`E(RWyh!A_l|`+JY@NvllF{oMB9X}RaD<)e
zldTqLH@C|*M?utfBG{E6lp<Rj+3=c1;U~#tPS`Dlu^!+76!~)jYU}qRT6H|xj41O>
zBjNB5StBWJ)>nXV!$U)7DT;rR+WHE|k`2BDUH`Dp>n$m5HaKv<Hxvx+p@Dr1+!aTW
zjb6VlnMiCW-|T|&&DI8nFL#uJu#Y1cvpw0yYBiAUIx?F-+p8kYHHXpO7ZQoYKi6ut
z%Q5(ENwzYLCc<y{eZEnp&DIY*c!-RQyhLQ%0+VVhvLWK6i0D32<A)T{tO4{xFc26a
z&2|$aRa=m)Nd+hW>>)%&ifGot-rc)(uiM?oWwUoqPEN{AHjEY;HIJiW%0IIvpa48B
z*KrCK?wLTp$w)SsPl|k=*tbs+&FTQ*uvn9Vxcks|QjrZRc{H8=vdW*y10w-^nh5s?
z=s&Sf`vKF1)u2g*oSK?KK=6c`M3)bShC5ZMRPLRmew^qt=}Z@T!8oa1W;zMvqkT~k
zO<owu-#H@O2OCD8_RFlc{?RIdC<X~z^3gs)1!fPNh?P)~2L|D$3;Fyz(XR`HTO~{v
zdIj0~50DBzqljh?fN*}FuS{gyD)x1+FkM(Fklv`(YVYuRJku(VW-sj7y&H=$eWcl5
zkA4>Wex=ZmTj?3}55^mfYlDG65(N_rs~|s+_)Wy)&mlQ)>i-pj<->Xf{eunBX!M0W
zN~75qMzBZz_#+^k$bpr>bfH^7t7S5o$CQs|f1r=COH-v>z6%;k<U+S#k>pB&=%idO
zzXuzmIE`#Pts_Fb&u)M}?(=#p^?H4a$cJuWa^kwd*x1-L0iQ2x=YRkNLj88{+Qk5$
zl-C#gu~FpBfY-Q&&)e^{BLPvbSTy<r5J%)hH!xjT4w%YFBofcUaTE(9J3tUl8oUqq
z{qR+E3jg(~sVV)~(WCm@+?+l?Kd+xUb!q{#v$Oi4Lx*%SF?y*~(&Moh_UBk2tDOcV
z+NhAvKg6cAI`CsDm{i?Tfcd1xyoZ0OSP)skNr6WQY2@mSdYuvI!uj)huX6Ux8T~L3
zFrUj|-Ppo+$lh+Khu7_%ChPWAksr&!bYU^DWkdD)wLYJZJ)j~MLPl@`kT0TFD;51D
zX{|xXg$oz-BZm*`sbrFoO?J}3szsyG9}_1wU`k8m%3?6(LOQ}wgVb2xwgb`7(Yto;
zWF&*>J9qA!$d7@^%*+fk%_xWLxyfRo@Brh6$d^T+O~Mab1_#JK)5yPr%#8HWCpVWB
z(qwB%GEruZA7{RutXj^9PRm51tEM_|rV~s~TqiV}&5e<fk=-(nL~g!F{WE{e3Ucw{
zMW$I1(aPAiARKAw?cD|oY#H!UKr*gSD12PT(Z_*C0iey$!B!KHe<T#rcav!s%Wh?W
z6K<DlhNAUtjSk!qp^edxrBH7)t_t}51zCMHXbfnM>FH^)k1ZwVDe@gnr=>HiXy14|
z{sIC8icn4bX@^PGwPUi`)UvtUXJx8<JJ1lwcfmiBL7;UD`TRnjPX>S+*p<Cnt=_TR
z$`Dh;AOKpeBBNI0M4PjSf3^}S6^l|44*W>O<3ECO>cF9&N25&jbpV-9JSqJ-8MPYn
zK*Phs`iYqtu^*)oYI~NR5$k3}7~1VD`NY4;OlAi@0c<&UC)CHrHj`G%$fng$ag-U;
zM=}dcYBHIWM#G`a<FVNH5h#dU;xH`(0kCeVC}{+W&Y@8x_MMb+_Uu_K&6Xl9Vnn9L
zNlCpOCR5~8=OsqO%<=K@%fjKXTQ;o*qETdI$@E6Aa_rbKRyP?2KKPPOrM`+_06Y@8
zWx8NYw%>`p(`2Y12P%psKUk4rHz}9PQkYZl#q05q+g86?<P{@ZjcjQ<kbEQU@Ncqd
zH8|6?YE|qfTL^M+Snec?InCvA50E)EajUfhAqQQc-&;H$&y-C2+amfzXP{H;D$@rJ
zNI^CzDRRMfk>7mTCEOxh@&*w@Hk0|ZOy(1Si6K8h>>pdnYp=bAPP9DXj5Nrpa;bDH
zcDB5PY{rg|4An|S8wrPBmdS*&)dv)@*;%V`IUtdCODB_$gHP@JVw);+RLbSIkdr+l
zlV*cf!vwn%1dA{+u&k~OP`+Rw5Fksrv7KK`n*lJPnbFaQWg;3ctIRV6E0toQVEM?@
zFs0aj>o#Ue4UVy0yaAj`KqmAhtB;y?ATS68gSN`6Ehosk$<Rk2Tq>FT5_rWq#z+Q`
zP5mX0+s%$y6#vkwzzD}kcamUrvDf3VJmFYW8Vc<p&9;GajGcyO98z|#_y<-8oaI9Y
z4~qR^d%>Kk)dK}%`szrrSlkMZ0WE)RY)nhU<KM9QXlVy3gJ%f_^+c4Fh5F3$ej7(F
zm-|ERx3TlZ^ZEQnobM?U*-%zYQX@ihnqbwj)ioP{K8i*n-^3|0;2A%qZL4c|__$2|
z8XB9lvDgoe5ImKSHn4hs87UAC`D+_kfPkZ9M$_qgVUom~tqhnEtl4*>V9N(QS7CLs
zp?nl{9?oU6TfsA}NRC@P7Ta$1f{Osz$oz}_;0QT=`ZQbNB1@l*W-@o<7;$#GE`_K+
zk;z{JoHTPF%9%4~5a~%lHt>qvokwv#7G@4MlcSxJk!;v8$cb`BBF)Bv1Z=Z~NBPKc
zyV2!x&B;*kb}%!V%ZdHq2$9K*8bLz1TB&T*(y7#46dYU>Z?ZZZ9U#olvmB!gWMe^s
z$5YQ{GF!B0B!Yu7OgC8_NPS>0H7Ck(%#TVyGyr775k(Y)-i&Rq{zf)`4d6*#C#+)=
zWpZ*--z`B>w;hE-;kU8U<2y2vjhm1YCr*fcVS6b`_QX6u5$PXm!C>&GGLj8IgJboo
z(*)ao$uM2T0mVQr&tn>yBA*P7W+#Ab*rvcqa{AOM-7QHZ%7L<m!{Mhjx62g~Ka>R+
z-FT|XNt5x|wOlq6iqo{c9?vrxg{4iIMoBwRZs6$Aqhg=fR<H@QbY!DGBBk&$G~2YS
zWCNHf&1A$rv85oHE5ii52$YvJ+YXHiKP`SJ6A;`Wn~sjKyNuOp(rGoo$hGa%hW785
znry%>>HzGAVQ0aPMqaPi^3NVD2IARHjb2DkHgo`1LD*TlVH+^nHh6A_ZO8_|yyR>;
zF^|QP9vV!tYBdA)Frxtc0(8caBS*x(l3voOl$5?&JD6s(3)ujkcU#YsTly_ilao@-
z7Ayt|M0aWwB}kq65CIL4u}LZf^S;CT_secRTg!~x?j0KaIAABT0nh}EMnmj7sRT>E
zW!V65Ie=e&pKpiecDplnBOB_2PHHxrVjoH&NOMF+Mx^)CI1IA=r{?u|ymliS0Mi4=
zM!0k5&$C6LvYdg?El5j0jVG&i%kC2_22MCxOe*q(kx0Zg8jS<WED?`CiS=yH+Ldeo
zDvHi46bfvsP^$`p0jxZ>8__tTk;o_UfbvszCL6#B2lHgbjc6vx)XRG2Xt&5@GQY1;
z2mF~GeYQ>j;V@}GK0a=V4FoYWkWQx=$?Q7d!7Um{7m~^3ZCWCc_>gS-e5?lORFIC;
z`ns)y!$UgtdY#SZqAYeE>_(1lDwRyWSu5o8x6o)mW9JHY!XBfOu^17L#;t{5W&>O3
zBYy^x*;Sjh18q$8O_xfg&Df;vDzC@Wa2nYF?#tnKEEZ#r$RU~9Z-Mh)DVKGh*UP@o
z&c2xl45-M+$p5iZ`AWs&hEOoL*9oI+G4LcXh~Rd+^<*NUH%SA{%*^QLdzfcM3Iiq@
z#~UFzi|=rXCKG`=QxN)(>>LFApdjJvPHc!y;65EsK|mW(W3i2*K^{boczp2S^fWu-
z2M?ei;HXxr>`AW?A{Try{(nGXCt3{-)IF0<e}ruYh^>ssZ;^5fhCu@j1=4V>hpav)
zBChf448~`iTuvq!2ikz*f%$AEa}(P#t57IlkG5ZRVvwLPSb$G{zduzh7B_=u*iRR@
zg3Lu$kxikWFoJ{UjeVP28#v=Ygh(XvU&?P&=qI4OM$_rfATD4&8$wd-3P^VKQ%bWb
z^b6n;&aWaxb}J6LWvP#9rNT~3Blc}0zwM+W31>L;gNEsQZ46k+fZrb_Zfyd`fQ7Rl
ziGh~|0|CEXO({CNJ+kDHBd&2GU^2Ylz+7y58N?{ouBj0tzxH*IY~j37eux#cTPm6S
z2fL7scPvk)qT_LbAEu|U@iTH`$dTb`EF^D{<v)4yq&`1C-*?Q;&a&^oiF(M*VL>Ny
zcA3#peIy)i?fl)Am$O43VC&pMK7TjJws25d`{AP$G5k7p%6ah*WkEZ^@ID+0v5oU^
zm>O1CSaCfYR-a&s>?n~Q4<cjs!sB)?)I&zChr#0WdP_vK*I#nDEk6qqAXT@KOzDVh
zBMTkE2?kA3tJU;b(p0ZmU>Q*_f@csgOMwllVTQSO7VB+QpscZI^jka%T{v&F{lIuc
z4e3-$8dHjLBC8J*nagIGsj|X4wSEdTGB%XKDqgHq!GXSFJ6H~6Ldl}Mp9cLU{L<?6
z`X#7TDz{MQowBm}=9&zn9{v}6ExQZWz+qk%ekb?s#CEX)paA@Sf10>-rO2&Im<J#q
zLZ;{yt7<oHE^%%ZM!nMnekTG9zp*CHYDxjTA?x@!&af4^WzuXErD3l0ek)c2jf>|9
zjvqfR_JQLB3o*$LVr^p;EeFn!wV5IF`L;%*Vd9qQLcMj<8z`EnScPzCO!#HvcqGqe
zKG|vo1CN{5_3keyglHu4V<;>WuRu2HKogo16PUhw!V0Dojfe<yZgy5|XC;QfpTjv`
z>z$(;+Q0uorCh#yg2*Ov3Sd5(h&rKGtzPeOxel$@XyG|CM43)J#ibWP0D*^>*2AoV
z<l#_gs8O$P5c$MmQgs|qg~?>{TkA1W@SOmaLu^ka%LvjxUXN$Z2?ym+EEGQ0$yeiG
zCbJW0lwdW;Hn+<)yO!DwBpagNm`YO8o6Mg)iDMTRBKJW9eHIFZBE*?1L>{%nbfFzn
zlapF1mHPHtX*WhRG6RPX9~RqB$qEGz-SEIcZ0CLh%BWl_-9Jfu5jk`T*(T`6VrW9U
zH5zXx?RH|&+6_d*cN{u&NNhJHJqidnXborhYC+=4CXqiPOcz9et?6|7D}&T-AQ}EY
z99$*+6_`{^><_U2Fg5i%;EBi`5n6)+fu%4`H_`7m`h33XAPUT<o-qHXWH5qU9Nd$B
z_aFXWEE@gU1T0_&?uani)lPu#R><f7q~C=F@Cck;x0JV%U=;}_@%!Zt;r|Q|4b9fa
z#%@M1DRQP0Sc+pgAW28Q+s1G>?CNJo%@VeukfTo3TTfw!;`V7rODLXHGWjozA4uAE
z;Ef27s4L*+TCH|Rzn)XT|A1;&GXrZU7}TUNR(<3*h!*hsM~M?xi#%BhCMRwwzzG~3
z9qr3B7POj5+OEA|`8(RbSA}8x-MMnP{DE$Qf_5+y*)3pq>GzcsPDfTlIGAGWk7mVX
z+D?#4rP6ac1bvrGB%XnvCh}uBm@X^_<ld^)D$MCzFQWs017KQ3$@&Q9nuC7-ilbB9
zPl_fz-e_EHD4rF;r0Ti>)MqxE{TxrkiiKJVD*CjBAUa)1uxCV{r>d38yP<GIPILp)
zg>FG#co~_(pRTmP2nw9AjN9shXEor;bkl#_8f7z?FRs*2YlrDVw*b5AV`JC(e7<bA
z>KJ|k)?F#FhF}i5o4&(6(P;EVW)3@Wp<9?PtOQ7hkhA$N^52$S8KShB^#qSPVqxl1
z+Kr_-0)bS$UcYu-$p%2J=JWZ7IHAPCazLwL8+Iku5<EP!SY!&KdED+}wOZ}=)tFBX
z(}i9D4L6!jZ|AmMEHr@8b3`p2vYg<-87#IG`^^XlP8SP>4`Y5@?DJlrVG^|;XcF_|
zvDkMz`2Zjq)>f%$DQgO{1MS+)P#PC0Aoz2p(K_^ZFECwL4Jcr^JQj_<EIzf3ij+$w
zv5rbCBFBy%T?iDobs|gkWlS-NeY_f&F7ymilUQfooS3*KGBUES-RVT()w7<~6<8d8
zkgh?rr;Tibxt~`7(}kV^vQgoXStcLujaVUq(Siz~B5G>N+CnB%-??Llj)$B;G(37|
zd9ooqM!+yOHnxSr>Y*L4zRDiQQ(|qwxekd~>}!05k2GXMf$^FOd~G-s+A%dbDb`Ji
zwFHsdUmlp6!ZI@X$cBef@q2oDdeixH=bjd8r^GUX-FY4)uoc<Tk_`a^kxjdB{=7z&
zd5oYQZMT*jAbf~`{;?I=fR7Q@=DbBE%SncCyKWE-up8NccNrB`vVQV1;d;G|Xn-Bb
z2B4z<!)vZ&%>?_6{S#rME)Wf{E7>^ymN1W2P%?1AgSj8o&3)h)vH|ZQ#C0Wul>a5%
zsGHl~abyFoA$&tu(Q3bCn(!C8xxG8WDP-e#KOw9u>4*G;@GH8xjTeQ}$Oc?V_&b8y
z&Zsv*r2l|!Zr5euM6z*gBm9Tnno3c!ykKSO-xIFZ&28BgoJ=;3y9lr7N*0qj!ZU<l
z*3E6VA}F%`93Ld?)Rl0-lSAJlyhAs)RZmc4Gvj@P7j@_6=dgt4YlK^MbK9&6ifoJH
zHoev8PT55;O85fd2Ho5ieSsp|@<5L6j|i{oEz@ErIY@Y(@VkUfy1DLsg(BO^a1-J4
zguS}F#6!yGzX_ipyjeHbabQqn>m5jFewy$@LPKv&LR(SJ>8;$@cL?|EYfP|qD6;hj
z$UWUfcvNo%7kR>IeSHL5ZN~IgB>6Dm4#F?!<}$B26xjv?bneZBj}RUwe4ntNP}EzC
zJJ0I93pD5%y=4wZ2|M&w9_$glwJP>T!sWWTOzRFswzUDs_g2C?3HRtNje{w(e<eJp
zw|popINYVT{K0*MJ$j2sFA;vEw=@-^<1Z2ZRBz=4kpsipz1QjH@3b5SO}76B48u%m
T%H2R000000NkvXXu0mjfC_aMX

literal 11750
zcmY+q1yCJ9w=H}i!QI{6-41YYC%8KyxN~sV;1)c%yOZD$+}-Wq?(XE}yZ8S0e{ZUK
zdiS2yYfD%4p6Z!M6(t!IL_$OW0DvMVE2;LcSNTtahy8bt!?>yb*Fk~RWW)hAlf=jW
zWL;|w9ao(%ia;|*dsfqLj$h4LJ?)+Tp#T6OPvAe%-rUuc+|%C90SxpMru;7i@Spr2
zH5(=Qe?eSrg(-EusE|uIx|oymuyV7qQ-To5$;pLWzF7d(B&Gjn`oEDdrIo9z6OfI~
z!^4BsgNxPC#gdIfKtO<vos*4|ljR?R1?=VEYU;`20H*qHlK+oK(j08&V(sK=?dU-M
zA70b1j&82Pl$8H5^uO1C`{`<J@&8+L0RK-|{{m$D&l5HdR(7`k<^DHS=s#MZvWvC(
zKg<8&2XP4f7xMqn{f`|Xw*MIaznuB+NdHUwFH{hs5ZnKz4TPxJOQ#C}Fbm2_ifMR4
zEo33onJ;PPEM;G|Uv^&j3)_gZwAS-bP!Wt_rg97-nApMXisschiwy%1iWn)dC4R^!
zYcOiiNHJ2EQ&LN1Xh6e!hBqPBfD$5ak1@9!8zf{l(*;k}zJBo_z45c%d^OU?rz|gY
z*>}zLnOw0%vwinD|Fvl3ldFCFw%pn1i4ebXHdPDZYqX)Uz(Lpw&t$X=!&^vq-oG0a
z$ow)s5$z=(c4|lXEB)Y=IoCs%^K|TouE+0hRNVC~k2d<6H8~xbb9(s~1E#CsT)$@7
zN;b|ejU_3G0HgPYM44b3g$7~e8(7h#{V2tkILlc)c15ONpF5K40s-F1E?(`gjca;c
zY$MT&?p&RDnQ6p-4rRWK%8v$}(F0%x<rSeOefG!a8MSjICz`B_#oEe!!o_KaNx@H#
zHL}&^#Yn6y<`;PWzPeD!Zxuh%W}91ZX-njP^d(o4D~%-GNaTld1+iDBK7Y2yi|gR<
zNL`kgt2q48k>=B^Vf_U2(X|I)y&Fv{P}oxQKLD`e<MN}4C2y}(fzm{0huafI0FwL8
z96FsPQDd{C=fr<}Sw%`Ng0yp3z21Wzja>k_Xi{Nc@OJ|eiF6)Gxn1(K2CWUMD$9I>
zpgWR#VTh+-%$l`KSyZAnc0iYkPO{xkyEJfDY}}Nxt5!-r4VeI!W+rJfNSvC5O<?gJ
z4vCH^meConC1oSJ$>=iFqSXteyhD$cMkwXm2v>Mo2iu$H2$U~~dPIdY4WL$_R#XWn
zxih4+FYoi*orX>5_3bsTgH8{F!eGXFXR%(N`JQk=a@*j8z;<*ohL|T#iQLHWL$h3_
z*eHHmGN2ao+=2>r!ycks*wa$2dHp16%3VD`eZnDkN;FgT#f<+<D!U<8no7FRIi|c&
zt=QtEcA;u}*33iHQZOy}xmbD(JeTuYCI8Gx+E~_CCaFk=yl_ly!#{qm*Z=U+%HOme
zhtt*~V4jEO&9Tp|+^O{`9XM^94OI?_v8l%ByJm*XN|9!=sYWGVf_`S16;A8toJ@H{
za6FiNHYdL_PZ14YFag4T4y>foO>&q=A3O2H9D3j@X#UXP#-Bv7AVZ;cLMH#zZ!`X?
zTMPp)yOM1D9b79SdU7&jWF!V%T0cidQ&tgPKt7!hwynLEYfT0~n3C8Yo*JO(XHb7>
zbz<@qRS~|IJv8r@oYqDPcE6;y9QQA%W-CEiV+w8<W$AX~D+~DmbA-HTa|HZAtafMx
zt-kEu66+MARr8D-XZBF!KVmf)%lk%J6x*XP6|-2w&ThC(@)WzO;DGl0lA8+!JSPLQ
zR$TsDf}4bnej6$Eu!fl0pR{;rTq3g0b~|`siwrvWW9HU&Julzm2jM^;=vxj69z4IL
z8?AU!3m|rb0}u;n0kf`XbUXnC@`d<l0)!O9K~=Bv5QG2>d*Ccf%z)jYc$3fJPI%X?
z{*KS4r_h7CRb-=or04MC&J2Y>CbAhAf5y;eNXqDKq;TV@^Yw!s^e}Da{97<i)l7gk
zRtdRsBAv4dV~W|hXi7|hL@QnE{qGuuQ1r#3v_VjD%fnWWC)}3XXGftp;3O9<4u&0=
zmmMBsIb2e8W2rxa*lG@{PmI{^_s(#n(z^dS(eACKG1=ww*86pkvJmlF9z+TT*|Ivl
zh#aZt`%skPG_oN?)pq?o&gY?G`7|=@D+>c?VoIYwS@b!zFF(OBBmQ7Cfcm&#FHu+F
z!-n>F+~p?lXOvz5734YAV{pkJfE`sOkK+@6U=N$zh+GLnT<36pM1_KP$u3BA*1MYs
z1z^9^aAsUHXzTDA#qWF`$?tJ<yxigx)UhW9t-d;IC7VKgohdzNnfvg>ZJsz(>2^i}
z?iyBxg9rG}bp)%$R%NP@%QErK<u5R#9~OH|==TATzi(J^Vw2Fm*c|`*%225zfg*|n
z!!4arI>k}Y(M8%jorz)wPl$EWdEdq~<1|l~l42n_78G;0kDe5EGx>;AUe5iKLjuTj
zzK_g5Uw`mg4z_2HSTbIV3V8SUuz8!{+rY@qPO8V8#_z*_^eBLuP}dOc?Aqd@P=ZwO
zgK&-#55MN)c_HHZkVp4n^WIsQ1GleEj_YNa60|stz0_|~g$l3fvzPsA$ME}P`dC($
zB(2f-%vv?$IV6sHpB<WjuVz}t(3$QrWvik#pA-ZJ64ep!?tgL@n<yWusjA*qo}rXX
zM!e1xVcL<>v<!nj$fw%q+eA|kSy9QG_=)D9f7f=>7&-5lU#nk!+<V$sqK_%SIdvpD
zoRAb!-jQ)x$us;d*3s$yJ3GB>{`*YuWB)1*{&{E>?`qUGNq+J9b>omSHrTMpWrj(k
zOhhYN5@}LzLCj#`=b*>OzTobuvDX)aFounlIM1i++iQr3H+=MS2EVa!<YJE*$1(ww
zNj8OCtaR8RroD$;sJ1mmAB-F1hcL|wZ;G85_Iw+gi9>J?yOJT)74L%4LhxYUM9U#u
zm*7WV?VE$|$)5X}VrG4tJHPk1UIR(70hNTM(sLTS1)HjX%#W?uj9YdZg@T+*|3hJ#
z=*TdPL<p0ngTf{}vDeMG!O^o=75DXS+o|)|%>Gln$n%3|-`K-IN=z3|(Kg_40ZwaY
zktlv>#%!ryB3^`4zti+g9~5Yk0!$qgynYaLjN66Flxnl;p`t;OS#5QOC}4w(%209F
zugWy`d<n?i-AKH?5MA0yma0al>?^H%?tZzxD$KRikhD9$gGRwxXoKQGU4i3%R;1+2
z|IBzsWbBj7gz%gvFh-q(<hlPPsPafgZop+mLMawE$@5l|K#yeA5shyrjtS~g213Yp
z>x<v}p#8lZyy|xM`7%CV`(t)2exSMYWWS!b1Ap!URw82M)4hgd_?(h4u|^_#u_C|z
zc9yeR1bDnEj4x~98emBjK#PVCD>((U#G-o#{Bf&0Vrufz>?Hbo=GZM<bE#M;upDLX
zYJx*jy$7UG1SJ~LEc?VGXI^uM^IqaYQ%}$=u||wcc9=X!K`N6*_ewSFSbJ>86S_vE
z4c0RHg##Yfc3RrHho;37mD9I;kOAd#+$Ig3r1n+k&0Pl%{9Q5n4SuXzz%mmXB?b6C
zl}Ag|q<K|!{A_wJ{5*_;xdAqU-Xlo>KNbLxgj4N`a_bP-V{Kfz5VhDuHuQ6sUyEdL
zGhoO#k|>UO7usG5MZqZFESVD}FPPF3f#4ih5?9CIWzSE%HSNi=K{Y76yOozBNyEB!
zKCx`_n;@$4<UoAq>BKdnq7_zsIeY2CaRtw#lw-_&b+cI#$6P5UTtDF<O8DZA6C9cS
zEw;7nJk2nUjr;5JA~w2H<{&(KTOS7M9ra?pWR780AI0Sz2FZ_Ts$v2^9oyPL^uLE&
zP#V&YUx_PRcMl4ypMskGB$ywkq<tDfn%P6?s%>WO%}Fd&lh%D$<6y$}_1a>BSKN$l
zSg)r}<hRx87pOg3I4AzSrng_$@O6W_KK5;a#MaDi%5|vh>ZWmPaXlsx#g$Tca>NpQ
z=(c{}&H*-d_|?3)?Ds^2k-vp$#0pKcy^0U9>ynE;oQT%|Es)&)V=)>f)QWmgVTeWS
z(I-fH+(LzZd|Y#>3Aa;IyG|n&9GawCDAAm8d}jQwT_1=mpVF&4H|={_ai)|6vH6qy
z2-tae>Fuc|i%{(L+=3@sZa*z(tS)^gN|E0dQV7O=eUG(X_nb(4x^V0uNz2zbgbrto
z3Z=W%X+>1U>{ID;X5)oj<2Y~1u(=;uQnECI4pEPomV3A=P-p<m;7ytjF<6fqY+Yl;
z`%`>ucfT}WBR%@llWx=ugn83N!0!;wfM&nZET*}#lN0l2r{J7TF|R5p)JxKlRh;){
z8oj4DW7YJ|R*_*HPPkh9M2SUs(^8MYTjd|gROhGD(!+Cl23}8!?~iP9$m{#<<ZCbs
zUds$=x-ag+Z9dyGcp(~cf~NXta6Ups#Zq!eW?tQ>Xk@pngNvr@&ifDGJ9X^)==-5f
zo@In@Q74R=%%H{-79vdBQLcmoi7}Wx?K+7rpNC6#=>iV$c9t%DsCkdpktEG6WY@I1
za|enUR<<ol{J;HH+qavy82>f1$-lJu5nDT!*raSGo62w(=iHwL(1SF_RmB258B2*r
z!J{_$EwUSUmUXh(+hv~_{cu8Z@WXi#|J6xf&5oN2OpbaCSQcrR%ba{eiB;(=Kc(;!
zc!n&|WQpg*q^bUpDG<@zBIu94{BANpZ=`sLSk^7Kl&Yr)>T&KsO)>Rh=-FB@hxGUE
z=KIa%pz`0x&1kM9Jv&PFYF?5)Csyxjr|;dtl}mpdKZ)KoStdc+{uRHSU(Hz&soai+
z)XWz2$W-C=YEF{WL`tiOps;aq@)~+R@QwmzZR6U3PEr|HrTwT0u+PKT4>RC>?Q&6g
z%zWf-0WU0ia7g4#hOF+sIlZ#~Ws*B*1;78&_vqv3lc==pu<aa!8xm#FWZQvE2txtM
zQI%+ecc<E6i~PLTy%Tc!jV7ug(dGMc;q_F&LqNZ--7Kv+4}v-TWMyGpw#ny?8fs1?
z8=I>u<4xbk%CE-uSrsG4CP>}&o96zpIBdlvWRdeVHK{`C*m@2E6iWN2&Is?wB-DtX
zXEZ|Bh9aJ+9oo0~Ya+Tx+rrkrZ<B0IB4^a*ha(rou#<-zZC7R=E17kAv-^KEixB4u
zhfDHm6^1aT-#b$QWJK8gdhD{vFj8=pJ&73y+K8I^xOtO!)ciVrf}$LW;v1V?%-8?+
zTfFrv|5eN4!i6&7*O=B|{Gt05<>|X?+Ye30eJ3NBmR-2D>rt$we*Yy*cK1RMVaoV1
zFN@Vq+n-WuoOLzmYG0_;ud40C-=Q%2R|Kd8T;ThL*Se00IE|Va3t?fa2!a>z{Q$?i
z4l!E}%YDW~d}fsmnB6x)@k5rA6vB;48v2z8PNk8VVmJ=;n5i%*;2f-S3MH_#eG?=9
zI4oBx{&$u|;q<?<nlB+lX1GPEas8#akeJ+O$IG$2%8OriC$<M9YE@FsANu7O^%fZ>
zI5NiC2lpQ9xN{Kqn<M0s4V&I(E>cv_q~C@N<4r$;zpl}&efzg(s0biO+a^YF@y6NK
z3K2FNYilnyG=J^gn9n(=M>IL=VO0~nC^+*$Sx-~)ed;OQ@rxHCB|3kv_dTjuhVTM<
z(32Be?^vjv;>;f+Q<J4yteU0`0cCI|+~zT%im<Xp+2L!Hv16|fSg%x}o2`_P*BP1J
zB@u7n?>vST(>;}zt1TN+F|9G~88IG8Ig+;^EMsRW;?-uwH1t=CBP9&z@HbK+m?Rj#
zhD!w<)}t5O143^G!-V8k8&`tw6TdrqQob8`tW6yM7KP2&cJP-i^R|hZJDA;rw_TAb
z7m4nE$cYz1?|T4I_AAT~v2z_AsgVn`3A~wU=mIk|36f2<XXm@Is<r`SD#zAl<b=p<
zf^|?KshY=*4)%uy>PP&|OFNbU_Yi)$T3mu3Kt`9;?exNgWWIzdT=SU*SyMKnTTQxx
zIAwmRfYOuMbQS4C=@;U#HXVpUA!7khI_7>r(e=JNsA&Og#BJ<Db6_!E09B#sTg(UX
zrj)o?AxlldjQ(T*v%j?V^%(=MDjKrd>-Ib$^6@RJ{FhZ-Pge52%wa7i%&o*~CX{>4
zkNPeq&q)QBlL)~?C};zUy?CBD97;Wfs^9rZsyAGsZaw8Ne)?;IGkOiN2;R;3)wc@^
zo{yKlxPQ?n0XFik7QM%^*H+@0xBK$hI+Q4UuZO$8_>6F3uVKqBC6iPPatY?~e-<0|
zRA7;UVQCGa1;u{^6-Sh$R51DKQnTm&$hd>Scw}097~rve3fjZr+Na|JXB1S<ho5lK
z*h&s%S<sx%DT9bkpDZ;kXj(--&%x>vkO5|*FrF&~EH%5Wg;PYWoU5i+P~dq?We@3p
zO)_R}w&9+wyA6-`3)CVVZ6(*pbS}i*9&Nsodh$=AzYuY`m*^O2pGPsPQ3UR-a^CYD
zg__6g<`>JKITD1{nL!~kO_1Z^@P~zWw7ZT|1_evC6GPZzSOva}i6OG{6y2Pd4eboe
zTZ~~A#}qR}2k?e)5M6MbWe^V><_ch0>au`4fA@&<tqKxR*}%O|g3?X%#_8ng5vP8t
zrFWKiUzMw*-5}UA`e)mW#g;7{C1`1OPgt*qss|{CKWEHY?k1rL2PKL%oD;;^^(FSH
z!twhx0eesdO@7TqO29qLS$9ZU9yomw@}&N96<xq^Ky9hmp}b)kW+6LZPjOK#v)3q2
zeO6H@gA`IhwK>6bKWHiJS!^4ce4aN==6hz{@sqbN$TWDzc{Uect-C85xpHaz@`b%n
z@N`P45X6G;DY!4p4F|~1>3UodGfa=f=v{0L?MDdvlN>s<eL*))+J^>o7YSz;PPnH)
z7;Pp&yQ-;~e)M2Ew@|H349XgmyU$yrW^Cu8>G?^9Xq4mQmvuJ@b!T*71s`c6mfm*F
z$jH~7f6KXyIK8L~6~oZS5Kh<G9V_y*QaY8mvLc;5;8-O6ZV7{KfrA=j5FlF1t$)Nb
z`<V@@31KpkIwFd0D|SW#<u2(WrWDgrY>ZnMNxHnasW?&mQ24I@`17<o%=G@WtF0`0
z4kL${SuEnH9d`^98i|&1GL2>t;ZaZUBy4q<Q=-mMS~#>#z83#ze^*`(u}UQ7a?wy6
zrc~lz#x_a7$OK#IIK!75-l%kYtXW`t?5C>E&~gGxluC<I<#bGMe&MR5t*e#6rL6d>
z<iJ^so$n%%`rKb(IVl^s^10fZRJrgOcbYP?M^&;4?nq`e4XD*$J)!9`-VH?2#Pg35
zOFhFi-Ac;z@X?bU!uF^AaW7S+q;|$saKd4Dwbbt@Sf)V$z2!Y<y%UG@roiq=@e+1R
zR}X^ytdC8hZg!w&>^wb;Qj)8AjJF-~;E`C++~utE{%6r*Jp`wgV_RM6&U-pz&)~Ne
z>br;=cw<Mp@8en)EjUS}H84BN5|4ftd)6oYcreVC$eh#(lm2HCu|HCq2cZ{vxAVEi
z&y$OjHHHj>u=MB=I%_87u*?Dpe&FH}ZXeH<oAeZ$d;{;KvgXFpL4~>J9Q>6Grz+)+
zXo^QPlKUNV#j11}B`H^w>C^V92w9<Avg~v)M^*`z)<kbi_j5C$exJ4P8(6ty*LG{c
zxrVKEVWZc6Meab?tdE9bR?RRfJXd&1F+?o7;wt^eQrYjMzl^hvuM+FIZH+0g<g;7|
zd3RjV*LC)84hYFt;^ZujIaQ6wr{ia*l;%RXH50q#0Fld2cB4HL#Xh-s+ci?3si^2~
z$2ouV%O63EEU)JJP%AOKZPu6Z$X?e+p3aqXVo9;HDT^9nn}Tc|G=1FtxZEqU@!2(B
zLzMj}NX_M!cXjXcm>ToUXHuu4c@>EY0>*}ef(+X_q|guUyx5LzDD9)~V9o;|I6<tO
zR^NjwLe%z+qLwpx9&4}Y`!cE;3QTV+;l7N+(tK}}W2@a-26`;|c+40gl@^bi9`Ns?
zTd`byNDS@VEpq$EnGbEY1PCuWGqG;L=Mv8Eej^)e`+LGaF_`}-a;M?D6*L6E_u?#)
z+Q2E!cy3eFZw6HsmJ9$RfK!0skNt*{EaJ(v)Q7OU^kg%{)qB(Zp2H~CknlHw@3&Vc
zuZn}q=>nTL(`s}-!(7prYTIs;$i*j}-3kw%JH^aPmrK21(8E<o()LYC<?2$<h4!=h
zwCYAr(g}g%kV(TL*M7{~b@1t-+4-=u_<iOz+vdB-Zd|4juA}Gug!BIPyR|5(&&jv9
zYbxdbPq_iW$vUfFP2U9vT%Af~vJyYQemazdM^b&$lMYQaW)?KrtJHA~MoH8X#^@ip
z$0&iZ?DPpWSGw{3$6Aiz1o1Ny&<XfDT0v^xFl8}6;}1{-w(EL^qGERZq}ZgGRoc&T
z&u(=}Y&Sb1w&6-0OgiBM&z-_DWxs3V`@>xw#n=4SQTggf1}JGLp~{lu_ra%%g~b|F
zJV;BJrZ6Aem98RgVFcamd3Rjyb`#o?STO2La7bJIQL2>lBNGI{r_SOOuA_yx?obG-
ztBCPMT#W0mIk(Qo*>HBnH8>xW>vu*qU5}0TsqQwmsk77RTyon3TDn?ckOl@As92$b
z6+&TtKTk2-6;XZr41PdW<xP^RV&@80Cu1s;1c4uz%gDwUa5C*i%*j+Jwoa%tp$a&m
zMGfLLOQiV>eYkTx-zYn*?FlT9%PFE*9;e7Tc+%bf#>|}1qI#HF^Gt$`Ep1m%7Wf8X
zRnv$O@QFk2VrGw2(AdSuQ!^;^!MLAxsjTu`@V`!^<>iy}SU(=@4skkIueg>#P3KS9
zv2-Fq-DP*!@J>3AQ^WT{OXe#Z&{qLDbMNU5f-~}4D8pd*q1Kan)vgnqg(NU@g~6~5
z4OoqJi<$u8b<P7?XTMHbuWWsYd*3~W`w)F5-Ny8;(3-Ul46Vju>w)MHKb_l%n#{C&
zOots7<tfx8?Gh_!4?FTF=S9=xAbj!fFnt=R7ckE%DIo76;>F!+80px5qtb!F2W6y`
zDz`!ARd3^tYTE-A0B<^JqLeF=%Z-0FY=}C4R5uZTl((1mB2*b!0xug$z$WlT9S=T6
z_~x!$-Fc8)p8yTegYu{RQ9d0$0pNrH11Z^yT{0vIM-Xi(GzrFDN&()qQEm3c$~a6_
zbL=<7g8a#BFY14zSyvVC!?UzL8G--RggH!%OxQ&H3^P!$o|tyNqfDTl0sg7X3%e03
zsv#Jrek?N{OI~#MPtIG>yb6egMfs%w3$KEmRFGLZTcA7V2fe4jf`Slsg(Q6t^F4j!
zm3~E&OC5k9JS1;2cQ&6J!b^L7H&E?)KuJ;P+fH6FUp3H>mi4Oz52mqC`dVq-`8HC=
zEM)3)0PAC&j>w<ZInnZRtmh3eJ(p%&MiZfa9eaDu)1yYtgSG}(crui)ma;j5B;)#G
zHowxP$2ZLP2g#R!#5d|U#5USH7upc?A@0E{n9ApQyM|QNtk!|WKLl-?rUy+NRsCM>
zPO(SWv9_}c1oS0M4d;de19a*qoCP0SGc8*Y5CRGETY}jcj*eRKb?ox;s;YrY;VUb2
z4koxu&2IVf88naBny>Gxvg4e{P16RBt*4c{^rxr_@V0IEft6dRfQYk%ZEPip!2S^u
zj^BFKeXadYO9GBmdo@2)<0v+4*ot9(8HB*ZaY#!?=Ca>9r)fK|T6Xz{ru?{kO(k-9
zI@rOe40EIQ1bI5;zEKCKh%bi1$@+JDkzY``7#Rv61~v_)yWjed7$rX<1lo+p02sVz
z+~qSFrH>!9VaIi-+0WH3m<S$bSaimrlrF<bJ?UwtSE~H8wOG(bPn3=(4jU+rm?<9V
zP?-ljI<ITW>~hUlum<8otz8$FZ4ynvk@+!d0_^xfqD-2T@eAsxQtwg=p?y^fG0wxx
zbe4SONN(`l);Qn!10Cw&!Y58d?hGB{Dpld$4g>kas6+5wQ@!W0&^_A5UCY+a({f+d
z)vJ!l;S~nY0#S~a_UNtUzqMkq3=v{}@jG#gV9oI{@}dZdZlWldY#~qa<-VI|_-Yr=
z)sx0rRs1K7u^j$SN&m9Ng!%Ua7uWPrlJeLc6h1>N$F5sg_nlgaY4Y%Wcyz`VAuimI
z<q<geBVmoOnOF)52kzAphvNBcUCGv!;d#+E{T4Bn6UW6=>m@fFWRwaTH?myWDhwa5
z(`>$hH6uU%M|}mNxr}7Hy%nRWgie3@N~Egod9!F?p?G01aIv}VN|tVmpk-{6N~H0N
zFY#dB6>*h`t`j0WuG9MA!Z@*#BO!8PvJ8plB9H%RK(~m*K7l2bGHyO!BNsVu8nUy(
z$y1aYZdLqFc<1hy+UVN0uQWhAH~sQ5LT*f_KLQq2N+>hxX|q;nOi<^=N-wb**_fr&
z@|(+2Or!kUe6U^#19>)%RErhwE%y}*PurItZ6*sm9$%b-uxzAZMoMjY2eA!rkEn<R
zV=6$V@A3XG+v#odasct;rU}|pHd2`UU=7;w07Z(ez$>4ZEw)(;?B2@KI7iMu`c0I5
zEu?6^50Rc(*`;gTKVHzvXS@r8&UTSuG_Q**#yL~9Qk|^oBSOdiUO)QFth?7?gb!Yz
zb>NSsucHc{XUdj)(>B+Y$1V7byZKOQ-G4tJ{ta7*mCaIiHDQ~9gWQjZ>XU7616PW-
z`<qGcn(YJP(Z5ine9iako(pLOD$C5E0BSSwF7X3HA^lU#(qt8Z@@;3ogmTt+-gl@3
z!dX5QC@{0rFw@k}aBhsq_@wam?!%n^bW*&2Ng`D>zFCW?CR)RWl!SHp=p9H$9Z7BX
zyXQm07^^#U*zMI<>_N->3X+B_+dp$pt4r$`rOx3>*@9$->)$DWGo904e1RL3mee>K
z#JFHsd{~Kh6iUX$@(Y(GQFU$U)5x1z%nO@Gw*KY@yce17%gmL^;YHM&-_Eny9Q&!*
zNMQa~)u{(4hhfFRK&fUwdjIoxve>B{NR*r<i+2-K#EE9{I(%}>Q8u;26(u{;nraKR
zgmq!WaYrXJdx2PZoIE6j-aT4|4B`3TiUC1j&eI(kxL<)OII2PZ+DR1Md+a9ZWp-#B
z)xh<m0p+(?z9F>kccPtDUZUAZNi+%#&BQ@U!6*SviSjwUUQAwa+-VGj@~VrE3>i}w
zbnQ~L^xKi(CZ@<oP5UlT1Lp6XQ(ZKFsfQdIa(h%M6p>oZRNWE`A!Q;O$P4&!ls{w^
z0dlOWp`f=z&nrY$!Oj%bP0ZV9`h07Ph{y12(Dq;22SRkYI8Rf!%+b-4X+v_TchC!c
z%8J6$Medh#2l+Pru=?B~Xj-T$N`A8xbRw?Ml!HCYIxJ_RZBn)T{?tYROZG>U79@C6
zgIm2BR=dE36+acKvy0yw3|x_nliUr%F1x5>1@A}W?gbG2_|p~Bm(+HL*nqot$Cz5d
z`dl3p5?;7?i<x34v)T$X*F6O0yTmq<KbwP<Dle>c0>^j(e?Rzns23wt?y`p39m6SG
z8PoW$wi?Ij7@vog52Bt+je21$iGvF((@WOu^k~#*1$<0`5WW(!F9p~89W{{op4#rd
zb{`*TtX9?bwBSVJq5`%MvK|yfl%shq6xRq$Mt(BsJI$C*IgIbj<@zy$f}`)YcIkF~
zJwg+E4=HPZY{K3fxPOy)VDVMHSzU9C)ZTCrsu5k+xIF=`+^WF&<ccTqB5Fr$LpFuN
z-AIO7C(f6@@eMHaek1d~(|Fr~1K|i(|4MIq8pWcb{4&b`yS{zNfV~*LivEXqv{x5U
zWS@D%u1&G4*2KV8aSL4x9V-{Mp=xLlnfv$rabSXP6T7yx1e57*OYH={#7a=GzA1*K
zDEQ6)6CK|xdcBjrZfxhM`dhDm8cX-9_AZV`c7)@02mFz*4E`az8qqkS1_TbjGTeCr
zmHex%Yee4hW@{z(CHhOz*gK3Amz?;37u)5~WPBt-TTMeG+A(L}fE*R+8vami_uu%H
z4LADka;99F@i2I1ZtNY^>Fb~KnZvCf<UxO<v5nO{QS&mGcM4bTI~1Z)Qw58}vk(0L
z6zlTU*v0O4zs-4Ilt%KG+{$B1PRkr+!FrD?(Fafrk9r1D5L2HFS?wulzW68wr`du1
z_Z#vY(qM`ewK^9gM!zBW2^S4Dd?>2&sIP89Iua1pkT<}c&UW(;Lx-%2JBR+aA-<k{
z+FBC}$wFp<HyIGp&-wv3i0~DK(0M5m`IG`_f1tg1ZFhF|Sj8FvIObswj@JX{&K`~N
zbvlOYvFh*MZy~ua`}{KYf=<5#@<>1UrjuGZ7>HQh%y->uqZPBH<55^Rf6QIGwXY-g
zSEHlr&;sgvuk;5`JOCRW(G<4!!P#8-#9AQ!A?eEkPp~Zstb{nPdt0l|J+xq7&ey&<
zw){s@;Wd~Jzg7fDXOzGrjUyq_J^!P;3L@%T>SD)*X@7_)8>W>&B9B*)XU~$q^Xd-h
z4>zV(Cg9Xvl--z2STSK+=HtEd8otjl$!(2dmVI4pGzOi@4c2_9hKq~r%Vr>37IDNw
zgG0i1Dv>r=eh<TivQ2n!cAU$8&36%PnBjF*Wg|GdM7(|UFP~i;0tvq|d$-7}Rqfa}
z&^+y+(vf&O%tj_9r93Hj-}gK{Vc`{yuyU+>t#cRSf=CGBm|fq*FL9>x(C^hRT7?c<
zK8tRuAdm~X;=we~HAGSd4g7%z!o@sCcIJ{OYRC1z2Y563pKZQb_y#dVWfBk3Tf~q|
zIzA7YiNm1_Gzi);gu7pqbL8c(X#7ZLJy6&UNoFd|9uxeYp-Sc_SY70wFFi7a54(5S
z=uj2EM8~{2CpTycp=ICF+M05l+}XJ7WFy^CXQOc(jH!TJV8<53sh;rPzs{;E!5#)D
z_fpa$#3WBCs{utmax~lr!cyyl-3e|#2qzgVQ>lt|iVC;}9lVPm|2|^Udk6Bs9~S=I
zbA12hxp1v@CZV^Ak91fO%uchaMp3a{$ie$+Y&{tll6clJ0OnL3rj?OzAojV$(a{yM
z^a^yL%KBDnss0=1)aIDok!whp%Wm+HkM`R5@?BQQ<)<<ss!_(4J!e(r_?oSb(Q^g5
zZpGwMl|4uIxY`ZAoXY4c^iMJ_MrasGo|%oyj&Qmt?5&PRYiG|iHCdQ}4c=lvHAI%$
zbFNose#Sa;Ep*%2U&M3MPcahcym7DH%Va3}Di6U{FqCv;HI!9mv`*mq!)Q&I{8?(`
zi%RsVSp>u1tx&1fr4cgZwm`mNG$(`T3k2f1U)3C^M6wVv(3|4h;pS5aKM!;n4v3xl
z;?Ve>-O9wON^;>`@_FtBw;ZdMGZQmS0Cr^sy4AzrYuFd;ESF?|*6xCA@)yRj+a{|c
z%q<??He?4iJ1ntls#N{19g~hz`+xgWmnn}0vmxd_l?8l0|HuV%`t~10Cm3hfb{L#3
zx(W^jwo^F5Q8n)DpI!&rDGczke`E4ThXh|@1w#vdM-ZVBF<oa2DGzm$eMkyD&3oUi
zBne9@|2vH;nQSz~kas`qkn`cx2FPy@V{@fkw~Ce+ycdt}zfXK-46nD-vrY!w84wZ&
z|NJ7ZLNZxw%?ELMjlHgRY+<SqnU6BRd4k%)A52StJ}kRP<486iW(*euw22HJXU8=w
z#DC9-LBUrgWeO6|XqVMUvf|8V2u8JBR`t4+0TBeqZfP6RIY}Td+I5vs;?Gu2a@lD=
zJY!Ek1bTgVq`~E#i-*cQqyrrwNqVv#;KiAsp3v?QjWhhQEMsur*ba(^AId2W+*bk+
zAv2KWRf?`R?N(ECW=PRGkCkQ`2*W{lCtJAmc7`OuV|5M1gK;K9>ca@~{QGJATh7RY
zB$Y=~!-j`A_Rxyd%()z+o5XFF!#(HwbwT_XG&_zhaA3O7D71AWzY_pO6W|nPk1vR4
z)@zjJ=L=CWO}V)0T4=dltc_`RY$Y@yayD_}SyE>dXrKN=KOsx(jee#^2eeUje9pha
z-E^*MOg!kz_2L9QY?(RxCk-Pf?y)+|CG+gP-1v9tK%3sxw`s?yJ(Q^{_wrx{fmJJz
zm+->3&7sSVJ+z=Wz<{x4M|2*#l{)k&q|+mh&I=w_Bo^QR#hARlxf2MLB0~nXY5*r3
zwO-^>#Xn}5w_#%19cwo5l(%m~>T>Q4BXaKal=-F+CRC(D-4JN!%6>TEkPnu(h=9<j
zcsN;83nc@C6z-wjppQaLvH-Xei3G-5@w_h$s6nF;7;HHfVV0s3#yec(nEJRcz3P*S
z-m-BYx}P3<?$-&7+b_46L104m9KRo?f2qOdh_*o}`%W#|D_2oI{j^O~qPvKjKd)Ms
zV??ZXP<0+v+EtqRG0U|;e2CUbXUyet<i(>)6`ve$t{ePWkwm3(BXm&1U|5ta&g^Rm
zVkA#JmaUR=8C^5P$W`T|l$;j)IAy7GV9ZVCM!LU4bsk3Phwzy4AtN;1Y8VpH2pv`f
z3dgn=QKK+hOc0>@3b4*Mw@>N}7*#F|6#*kjM6k?g-!7DfgXf(EhRmVTRm2j)CFOsF
zqq+>@w3ZMB0}v_#ApI-E9hL24t_jagm1b1w_FFQGItH9gmj%ko2fF$kjoHQM<(Api
zMUdW~&ClP>|6Dyd^0ioZ^l__AyO!B&CUllGPG(b;oJ^Mp$B%{7hR!w=;N4Pj_$*eV
zfBr_JnLw?U$4-54XIqGP5&Nxj@itoiE-k?COQL4)9Uz;sqPy!Uua`URmg#YCRLXV9
zu{bQeDigsN+MsRT!@LO>@g7@#mD26salpB7cj=+p^P9Y%Dl7by#GpwCDO(@Eu3pEA
znSYMpCL*)}1NBJJ(uU6pBeP&fqY`9)fpdPhGwcyKGkS=V&IisItj}C}OMSSiun)NY
zmkym_+0h?=d?DwC`-L61+ImRaKE<D>rW7_N_Hp(2T98Z}T$^1-eu`%Bxh-GdkOQW=
z8FYA|W+ZtvRvYBdD(g0U&BONpvYOx0a$ZJ1w=x5eM1TBVDow*wr8ZOY<y1{)waaMa
zUu(k)^AO#uDf6<){zRGN9*(&`&Gv{7e=#ed3X`BM$6B2d3=OR99XufUI$C^Z^pmQw
zGcR}Svr6!oVki-60OEo%wY|Xjw~0p|?cCXl8|iJGx>SiYxJ|aWUJL7LodB9&t`U0L
zR|j9f>adO&E#k@;Q)&v<)~dJrhHO}(2zux|hoatl78D?azJj5N_Gv|$?vHfUc(t((
z5dY&jINmo?7U$1FlI)&S{!o_&gUv|2aP3+uXXX@f!5fYKSo7bdf8IE${ta#sh8;De
zaLLbnfaoa+^u=ek)0ZS~pcH|^WuC`yTS{VcwTn`wcqB?JeP*+HbTj$9uo<hG)>Bq}
zf2Eb~`EGarMFS`<vRdmF;D)B|iI*_rI?3B0pwj!HN<|-$F}7p`IRE0UWYR@XZ=K!J
zZ8bbg__-8!HKi#jk8AGryGsLUr7p#bHO|id`YO2gFC0>2=C-cx=a>Kdku4{sBv~VF
H68wJvQaziB

diff --git a/apps/static/img/avatar/user.png b/apps/static/img/avatar/user.png
index d81e793b21152974fffba9a5b0c6f58c321721dd..1948d1661498aa290d4f63c1474f82667fcb8eb5 100644
GIT binary patch
literal 6093
zcmV;;7c%IHP)<h;3K|Lk000e1NJLTq005f+005f^1^@s6bz$j@000-1Nkl<ZcwX&Y
zdyr&ReZI@evOz-uZm^KmqAWK7f&@ciVJt%_nwTI|w1QGe#GplDVk8!#MIK}&k;Fel
zjaINCMnV}x6Ey^ieeX=aAJgxie!r%Bre}8cJv+0rZ}#T*oxW%6J-273r>A@7o_o))
z>YM4leP{YSzVmyXbI;KxnoX_W7#|<k>SJT<_jseBjgF3LrD9R5RjXR1Qqc;90(+m&
z=e2AmqZRSKRMIkZUy-ik8s6i+bSlN}%Vo3dI_}BRYuq=QPHQRpJdsGS`+!t3sU?l~
z_?&}(hO)$>QT*OS@83qBy^sF>;czJQRlm>oLcs42c--!c*W;NQ9vV968XmqtzxAR0
z`x*A{+sDA)1NfY9hVDH;f7hhHPtgAvB0M(|4sWOLd63F|CzbUElqE{vkGjNTF;*Xx
z3-84`WKci6Ch&VuZ`KC%8p!2xTAqNv<86kv!tV@yUMZK^dv+hSBibG9U8TOLqA$<~
z^m&u|twDWNuh+GSi3wAm_5-F1{eYFohWi0}eI0e~Z^dG<&l3q=BvPc@F4r-TW#8Vt
z9RX6czg`TT?iYdYq3=83^LoR<VDMQg^QVaPw^N<2LRnEiu?~uCU0}V*#xz(u4bAmy
z@p$~NgMq*+q-`3Vh$RwdP!PYD5pZbeERnAm3I=~b<a&_Gzm02QMYb-n9%M7L*rr50
z{%$f|Pf;f($+VqY4`Ou-k$hx^Pmn2hMI(_%sUEjvsjiH8ifoHxt;mMgX(Abs?Pltr
zCy8JQ(q0#>Ot7UO5bq?J`(ZM*e?<doD>t=@Yyt*NHZ&Z4{)<GikCKUei8^L(@18x<
zk!vZm6OUYg0~EmgJGI4o%car=PBcZf=HSR?5bk>N!@fYHJ}0XNTPb)Q;d7FI=O%yd
z0cwjkERaZ%t$$==4VcTlg`&x)Xp}e6@X%ypr#Jz;-sIb5iFBVOvRnniD6*}RY(^09
zCTi5Lcs!niPS9fAg1ZfV((pvI&rmyUE)%g7*;Yt4G!FSDo5}fq1Stzevc<7LI-f5@
zq`436sL0kO*)Te3r2ZcHWI;u;?!n9}`E(RWyh!A_l|`+JY@NvllF{oMB9X}RaD<)e
zldTqLH@C|*M?utfBG{E6lp<Rj+3=c1;U~#tPS`Dlu^!+76!~)jYU}qRT6H|xj41O>
zBjNB5StBWJ)>nXV!$U)7DT;rR+WHE|k`2BDUH`Dp>n$m5HaKv<Hxvx+p@Dr1+!aTW
zjb6VlnMiCW-|T|&&DI8nFL#uJu#Y1cvpw0yYBiAUIx?F-+p8kYHHXpO7ZQoYKi6ut
z%Q5(ENwzYLCc<y{eZEnp&DIY*c!-RQyhLQ%0+VVhvLWK6i0D32<A)T{tO4{xFc26a
z&2|$aRa=m)Nd+hW>>)%&ifGot-rc)(uiM?oWwUoqPEN{AHjEY;HIJiW%0IIvpa48B
z*KrCK?wLTp$w)SsPl|k=*tbs+&FTQ*uvn9Vxcks|QjrZRc{H8=vdW*y10w-^nh5s?
z=s&Sf`vKF1)u2g*oSK?KK=6c`M3)bShC5ZMRPLRmew^qt=}Z@T!8oa1W;zMvqkT~k
zO<owu-#H@O2OCD8_RFlc{?RIdC<X~z^3gs)1!fPNh?P)~2L|D$3;Fyz(XR`HTO~{v
zdIj0~50DBzqljh?fN*}FuS{gyD)x1+FkM(Fklv`(YVYuRJku(VW-sj7y&H=$eWcl5
zkA4>Wex=ZmTj?3}55^mfYlDG65(N_rs~|s+_)Wy)&mlQ)>i-pj<->Xf{eunBX!M0W
zN~75qMzBZz_#+^k$bpr>bfH^7t7S5o$CQs|f1r=COH-v>z6%;k<U+S#k>pB&=%idO
zzXuzmIE`#Pts_Fb&u)M}?(=#p^?H4a$cJuWa^kwd*x1-L0iQ2x=YRkNLj88{+Qk5$
zl-C#gu~FpBfY-Q&&)e^{BLPvbSTy<r5J%)hH!xjT4w%YFBofcUaTE(9J3tUl8oUqq
z{qR+E3jg(~sVV)~(WCm@+?+l?Kd+xUb!q{#v$Oi4Lx*%SF?y*~(&Moh_UBk2tDOcV
z+NhAvKg6cAI`CsDm{i?Tfcd1xyoZ0OSP)skNr6WQY2@mSdYuvI!uj)huX6Ux8T~L3
zFrUj|-Ppo+$lh+Khu7_%ChPWAksr&!bYU^DWkdD)wLYJZJ)j~MLPl@`kT0TFD;51D
zX{|xXg$oz-BZm*`sbrFoO?J}3szsyG9}_1wU`k8m%3?6(LOQ}wgVb2xwgb`7(Yto;
zWF&*>J9qA!$d7@^%*+fk%_xWLxyfRo@Brh6$d^T+O~Mab1_#JK)5yPr%#8HWCpVWB
z(qwB%GEruZA7{RutXj^9PRm51tEM_|rV~s~TqiV}&5e<fk=-(nL~g!F{WE{e3Ucw{
zMW$I1(aPAiARKAw?cD|oY#H!UKr*gSD12PT(Z_*C0iey$!B!KHe<T#rcav!s%Wh?W
z6K<DlhNAUtjSk!qp^edxrBH7)t_t}51zCMHXbfnM>FH^)k1ZwVDe@gnr=>HiXy14|
z{sIC8icn4bX@^PGwPUi`)UvtUXJx8<JJ1lwcfmiBL7;UD`TRnjPX>S+*p<Cnt=_TR
z$`Dh;AOKpeBBNI0M4PjSf3^}S6^l|44*W>O<3ECO>cF9&N25&jbpV-9JSqJ-8MPYn
zK*Phs`iYqtu^*)oYI~NR5$k3}7~1VD`NY4;OlAi@0c<&UC)CHrHj`G%$fng$ag-U;
zM=}dcYBHIWM#G`a<FVNH5h#dU;xH`(0kCeVC}{+W&Y@8x_MMb+_Uu_K&6Xl9Vnn9L
zNlCpOCR5~8=OsqO%<=K@%fjKXTQ;o*qETdI$@E6Aa_rbKRyP?2KKPPOrM`+_06Y@8
zWx8NYw%>`p(`2Y12P%psKUk4rHz}9PQkYZl#q05q+g86?<P{@ZjcjQ<kbEQU@Ncqd
zH8|6?YE|qfTL^M+Snec?InCvA50E)EajUfhAqQQc-&;H$&y-C2+amfzXP{H;D$@rJ
zNI^CzDRRMfk>7mTCEOxh@&*w@Hk0|ZOy(1Si6K8h>>pdnYp=bAPP9DXj5Nrpa;bDH
zcDB5PY{rg|4An|S8wrPBmdS*&)dv)@*;%V`IUtdCODB_$gHP@JVw);+RLbSIkdr+l
zlV*cf!vwn%1dA{+u&k~OP`+Rw5Fksrv7KK`n*lJPnbFaQWg;3ctIRV6E0toQVEM?@
zFs0aj>o#Ue4UVy0yaAj`KqmAhtB;y?ATS68gSN`6Ehosk$<Rk2Tq>FT5_rWq#z+Q`
zP5mX0+s%$y6#vkwzzD}kcamUrvDf3VJmFYW8Vc<p&9;GajGcyO98z|#_y<-8oaI9Y
z4~qR^d%>Kk)dK}%`szrrSlkMZ0WE)RY)nhU<KM9QXlVy3gJ%f_^+c4Fh5F3$ej7(F
zm-|ERx3TlZ^ZEQnobM?U*-%zYQX@ihnqbwj)ioP{K8i*n-^3|0;2A%qZL4c|__$2|
z8XB9lvDgoe5ImKSHn4hs87UAC`D+_kfPkZ9M$_qgVUom~tqhnEtl4*>V9N(QS7CLs
zp?nl{9?oU6TfsA}NRC@P7Ta$1f{Osz$oz}_;0QT=`ZQbNB1@l*W-@o<7;$#GE`_K+
zk;z{JoHTPF%9%4~5a~%lHt>qvokwv#7G@4MlcSxJk!;v8$cb`BBF)Bv1Z=Z~NBPKc
zyV2!x&B;*kb}%!V%ZdHq2$9K*8bLz1TB&T*(y7#46dYU>Z?ZZZ9U#olvmB!gWMe^s
z$5YQ{GF!B0B!Yu7OgC8_NPS>0H7Ck(%#TVyGyr775k(Y)-i&Rq{zf)`4d6*#C#+)=
zWpZ*--z`B>w;hE-;kU8U<2y2vjhm1YCr*fcVS6b`_QX6u5$PXm!C>&GGLj8IgJboo
z(*)ao$uM2T0mVQr&tn>yBA*P7W+#Ab*rvcqa{AOM-7QHZ%7L<m!{Mhjx62g~Ka>R+
z-FT|XNt5x|wOlq6iqo{c9?vrxg{4iIMoBwRZs6$Aqhg=fR<H@QbY!DGBBk&$G~2YS
zWCNHf&1A$rv85oHE5ii52$YvJ+YXHiKP`SJ6A;`Wn~sjKyNuOp(rGoo$hGa%hW785
znry%>>HzGAVQ0aPMqaPi^3NVD2IARHjb2DkHgo`1LD*TlVH+^nHh6A_ZO8_|yyR>;
zF^|QP9vV!tYBdA)Frxtc0(8caBS*x(l3voOl$5?&JD6s(3)ujkcU#YsTly_ilao@-
z7Ayt|M0aWwB}kq65CIL4u}LZf^S;CT_secRTg!~x?j0KaIAABT0nh}EMnmj7sRT>E
zW!V65Ie=e&pKpiecDplnBOB_2PHHxrVjoH&NOMF+Mx^)CI1IA=r{?u|ymliS0Mi4=
zM!0k5&$C6LvYdg?El5j0jVG&i%kC2_22MCxOe*q(kx0Zg8jS<WED?`CiS=yH+Ldeo
zDvHi46bfvsP^$`p0jxZ>8__tTk;o_UfbvszCL6#B2lHgbjc6vx)XRG2Xt&5@GQY1;
z2mF~GeYQ>j;V@}GK0a=V4FoYWkWQx=$?Q7d!7Um{7m~^3ZCWCc_>gS-e5?lORFIC;
z`ns)y!$UgtdY#SZqAYeE>_(1lDwRyWSu5o8x6o)mW9JHY!XBfOu^17L#;t{5W&>O3
zBYy^x*;Sjh18q$8O_xfg&Df;vDzC@Wa2nYF?#tnKEEZ#r$RU~9Z-Mh)DVKGh*UP@o
z&c2xl45-M+$p5iZ`AWs&hEOoL*9oI+G4LcXh~Rd+^<*NUH%SA{%*^QLdzfcM3Iiq@
z#~UFzi|=rXCKG`=QxN)(>>LFApdjJvPHc!y;65EsK|mW(W3i2*K^{boczp2S^fWu-
z2M?ei;HXxr>`AW?A{Try{(nGXCt3{-)IF0<e}ruYh^>ssZ;^5fhCu@j1=4V>hpav)
zBChf448~`iTuvq!2ikz*f%$AEa}(P#t57IlkG5ZRVvwLPSb$G{zduzh7B_=u*iRR@
zg3Lu$kxikWFoJ{UjeVP28#v=Ygh(XvU&?P&=qI4OM$_rfATD4&8$wd-3P^VKQ%bWb
z^b6n;&aWaxb}J6LWvP#9rNT~3Blc}0zwM+W31>L;gNEsQZ46k+fZrb_Zfyd`fQ7Rl
ziGh~|0|CEXO({CNJ+kDHBd&2GU^2Ylz+7y58N?{ouBj0tzxH*IY~j37eux#cTPm6S
z2fL7scPvk)qT_LbAEu|U@iTH`$dTb`EF^D{<v)4yq&`1C-*?Q;&a&^oiF(M*VL>Ny
zcA3#peIy)i?fl)Am$O43VC&pMK7TjJws25d`{AP$G5k7p%6ah*WkEZ^@ID+0v5oU^
zm>O1CSaCfYR-a&s>?n~Q4<cjs!sB)?)I&zChr#0WdP_vK*I#nDEk6qqAXT@KOzDVh
zBMTkE2?kA3tJU;b(p0ZmU>Q*_f@csgOMwllVTQSO7VB+QpscZI^jka%T{v&F{lIuc
z4e3-$8dHjLBC8J*nagIGsj|X4wSEdTGB%XKDqgHq!GXSFJ6H~6Ldl}Mp9cLU{L<?6
z`X#7TDz{MQowBm}=9&zn9{v}6ExQZWz+qk%ekb?s#CEX)paA@Sf10>-rO2&Im<J#q
zLZ;{yt7<oHE^%%ZM!nMnekTG9zp*CHYDxjTA?x@!&af4^WzuXErD3l0ek)c2jf>|9
zjvqfR_JQLB3o*$LVr^p;EeFn!wV5IF`L;%*Vd9qQLcMj<8z`EnScPzCO!#HvcqGqe
zKG|vo1CN{5_3keyglHu4V<;>WuRu2HKogo16PUhw!V0Dojfe<yZgy5|XC;QfpTjv`
z>z$(;+Q0uorCh#yg2*Ov3Sd5(h&rKGtzPeOxel$@XyG|CM43)J#ibWP0D*^>*2AoV
z<l#_gs8O$P5c$MmQgs|qg~?>{TkA1W@SOmaLu^ka%LvjxUXN$Z2?ym+EEGQ0$yeiG
zCbJW0lwdW;Hn+<)yO!DwBpagNm`YO8o6Mg)iDMTRBKJW9eHIFZBE*?1L>{%nbfFzn
zlapF1mHPHtX*WhRG6RPX9~RqB$qEGz-SEIcZ0CLh%BWl_-9Jfu5jk`T*(T`6VrW9U
zH5zXx?RH|&+6_d*cN{u&NNhJHJqidnXborhYC+=4CXqiPOcz9et?6|7D}&T-AQ}EY
z99$*+6_`{^><_U2Fg5i%;EBi`5n6)+fu%4`H_`7m`h33XAPUT<o-qHXWH5qU9Nd$B
z_aFXWEE@gU1T0_&?uani)lPu#R><f7q~C=F@Cck;x0JV%U=;}_@%!Zt;r|Q|4b9fa
z#%@M1DRQP0Sc+pgAW28Q+s1G>?CNJo%@VeukfTo3TTfw!;`V7rODLXHGWjozA4uAE
z;Ef27s4L*+TCH|Rzn)XT|A1;&GXrZU7}TUNR(<3*h!*hsM~M?xi#%BhCMRwwzzG~3
z9qr3B7POj5+OEA|`8(RbSA}8x-MMnP{DE$Qf_5+y*)3pq>GzcsPDfTlIGAGWk7mVX
z+D?#4rP6ac1bvrGB%XnvCh}uBm@X^_<ld^)D$MCzFQWs017KQ3$@&Q9nuC7-ilbB9
zPl_fz-e_EHD4rF;r0Ti>)MqxE{TxrkiiKJVD*CjBAUa)1uxCV{r>d38yP<GIPILp)
zg>FG#co~_(pRTmP2nw9AjN9shXEor;bkl#_8f7z?FRs*2YlrDVw*b5AV`JC(e7<bA
z>KJ|k)?F#FhF}i5o4&(6(P;EVW)3@Wp<9?PtOQ7hkhA$N^52$S8KShB^#qSPVqxl1
z+Kr_-0)bS$UcYu-$p%2J=JWZ7IHAPCazLwL8+Iku5<EP!SY!&KdED+}wOZ}=)tFBX
z(}i9D4L6!jZ|AmMEHr@8b3`p2vYg<-87#IG`^^XlP8SP>4`Y5@?DJlrVG^|;XcF_|
zvDkMz`2Zjq)>f%$DQgO{1MS+)P#PC0Aoz2p(K_^ZFECwL4Jcr^JQj_<EIzf3ij+$w
zv5rbCBFBy%T?iDobs|gkWlS-NeY_f&F7ymilUQfooS3*KGBUES-RVT()w7<~6<8d8
zkgh?rr;Tibxt~`7(}kV^vQgoXStcLujaVUq(Siz~B5G>N+CnB%-??Llj)$B;G(37|
zd9ooqM!+yOHnxSr>Y*L4zRDiQQ(|qwxekd~>}!05k2GXMf$^FOd~G-s+A%dbDb`Ji
zwFHsdUmlp6!ZI@X$cBef@q2oDdeixH=bjd8r^GUX-FY4)uoc<Tk_`a^kxjdB{=7z&
zd5oYQZMT*jAbf~`{;?I=fR7Q@=DbBE%SncCyKWE-up8NccNrB`vVQV1;d;G|Xn-Bb
z2B4z<!)vZ&%>?_6{S#rME)Wf{E7>^ymN1W2P%?1AgSj8o&3)h)vH|ZQ#C0Wul>a5%
zsGHl~abyFoA$&tu(Q3bCn(!C8xxG8WDP-e#KOw9u>4*G;@GH8xjTeQ}$Oc?V_&b8y
z&Zsv*r2l|!Zr5euM6z*gBm9Tnno3c!ykKSO-xIFZ&28BgoJ=;3y9lr7N*0qj!ZU<l
z*3E6VA}F%`93Ld?)Rl0-lSAJlyhAs)RZmc4Gvj@P7j@_6=dgt4YlK^MbK9&6ifoJH
zHoev8PT55;O85fd2Ho5ieSsp|@<5L6j|i{oEz@ErIY@Y(@VkUfy1DLsg(BO^a1-J4
zguS}F#6!yGzX_ipyjeHbabQqn>m5jFewy$@LPKv&LR(SJ>8;$@cL?|EYfP|qD6;hj
z$UWUfcvNo%7kR>IeSHL5ZN~IgB>6Dm4#F?!<}$B26xjv?bneZBj}RUwe4ntNP}EzC
zJJ0I93pD5%y=4wZ2|M&w9_$glwJP>T!sWWTOzRFswzUDs_g2C?3HRtNje{w(e<eJp
zw|popINYVT{K0*MJ$j2sFA;vEw=@-^<1Z2ZRBz=4kpsipz1QjH@3b5SO}76B48u%m
T%H2R000000NkvXXu0mjfC_aMX

literal 11750
zcmY+q1yCJ9w=H}i!QI{6-41YYC%8KyxN~sV;1)c%yOZD$+}-Wq?(XE}yZ8S0e{ZUK
zdiS2yYfD%4p6Z!M6(t!IL_$OW0DvMVE2;LcSNTtahy8bt!?>yb*Fk~RWW)hAlf=jW
zWL;|w9ao(%ia;|*dsfqLj$h4LJ?)+Tp#T6OPvAe%-rUuc+|%C90SxpMru;7i@Spr2
zH5(=Qe?eSrg(-EusE|uIx|oymuyV7qQ-To5$;pLWzF7d(B&Gjn`oEDdrIo9z6OfI~
z!^4BsgNxPC#gdIfKtO<vos*4|ljR?R1?=VEYU;`20H*qHlK+oK(j08&V(sK=?dU-M
zA70b1j&82Pl$8H5^uO1C`{`<J@&8+L0RK-|{{m$D&l5HdR(7`k<^DHS=s#MZvWvC(
zKg<8&2XP4f7xMqn{f`|Xw*MIaznuB+NdHUwFH{hs5ZnKz4TPxJOQ#C}Fbm2_ifMR4
zEo33onJ;PPEM;G|Uv^&j3)_gZwAS-bP!Wt_rg97-nApMXisschiwy%1iWn)dC4R^!
zYcOiiNHJ2EQ&LN1Xh6e!hBqPBfD$5ak1@9!8zf{l(*;k}zJBo_z45c%d^OU?rz|gY
z*>}zLnOw0%vwinD|Fvl3ldFCFw%pn1i4ebXHdPDZYqX)Uz(Lpw&t$X=!&^vq-oG0a
z$ow)s5$z=(c4|lXEB)Y=IoCs%^K|TouE+0hRNVC~k2d<6H8~xbb9(s~1E#CsT)$@7
zN;b|ejU_3G0HgPYM44b3g$7~e8(7h#{V2tkILlc)c15ONpF5K40s-F1E?(`gjca;c
zY$MT&?p&RDnQ6p-4rRWK%8v$}(F0%x<rSeOefG!a8MSjICz`B_#oEe!!o_KaNx@H#
zHL}&^#Yn6y<`;PWzPeD!Zxuh%W}91ZX-njP^d(o4D~%-GNaTld1+iDBK7Y2yi|gR<
zNL`kgt2q48k>=B^Vf_U2(X|I)y&Fv{P}oxQKLD`e<MN}4C2y}(fzm{0huafI0FwL8
z96FsPQDd{C=fr<}Sw%`Ng0yp3z21Wzja>k_Xi{Nc@OJ|eiF6)Gxn1(K2CWUMD$9I>
zpgWR#VTh+-%$l`KSyZAnc0iYkPO{xkyEJfDY}}Nxt5!-r4VeI!W+rJfNSvC5O<?gJ
z4vCH^meConC1oSJ$>=iFqSXteyhD$cMkwXm2v>Mo2iu$H2$U~~dPIdY4WL$_R#XWn
zxih4+FYoi*orX>5_3bsTgH8{F!eGXFXR%(N`JQk=a@*j8z;<*ohL|T#iQLHWL$h3_
z*eHHmGN2ao+=2>r!ycks*wa$2dHp16%3VD`eZnDkN;FgT#f<+<D!U<8no7FRIi|c&
zt=QtEcA;u}*33iHQZOy}xmbD(JeTuYCI8Gx+E~_CCaFk=yl_ly!#{qm*Z=U+%HOme
zhtt*~V4jEO&9Tp|+^O{`9XM^94OI?_v8l%ByJm*XN|9!=sYWGVf_`S16;A8toJ@H{
za6FiNHYdL_PZ14YFag4T4y>foO>&q=A3O2H9D3j@X#UXP#-Bv7AVZ;cLMH#zZ!`X?
zTMPp)yOM1D9b79SdU7&jWF!V%T0cidQ&tgPKt7!hwynLEYfT0~n3C8Yo*JO(XHb7>
zbz<@qRS~|IJv8r@oYqDPcE6;y9QQA%W-CEiV+w8<W$AX~D+~DmbA-HTa|HZAtafMx
zt-kEu66+MARr8D-XZBF!KVmf)%lk%J6x*XP6|-2w&ThC(@)WzO;DGl0lA8+!JSPLQ
zR$TsDf}4bnej6$Eu!fl0pR{;rTq3g0b~|`siwrvWW9HU&Julzm2jM^;=vxj69z4IL
z8?AU!3m|rb0}u;n0kf`XbUXnC@`d<l0)!O9K~=Bv5QG2>d*Ccf%z)jYc$3fJPI%X?
z{*KS4r_h7CRb-=or04MC&J2Y>CbAhAf5y;eNXqDKq;TV@^Yw!s^e}Da{97<i)l7gk
zRtdRsBAv4dV~W|hXi7|hL@QnE{qGuuQ1r#3v_VjD%fnWWC)}3XXGftp;3O9<4u&0=
zmmMBsIb2e8W2rxa*lG@{PmI{^_s(#n(z^dS(eACKG1=ww*86pkvJmlF9z+TT*|Ivl
zh#aZt`%skPG_oN?)pq?o&gY?G`7|=@D+>c?VoIYwS@b!zFF(OBBmQ7Cfcm&#FHu+F
z!-n>F+~p?lXOvz5734YAV{pkJfE`sOkK+@6U=N$zh+GLnT<36pM1_KP$u3BA*1MYs
z1z^9^aAsUHXzTDA#qWF`$?tJ<yxigx)UhW9t-d;IC7VKgohdzNnfvg>ZJsz(>2^i}
z?iyBxg9rG}bp)%$R%NP@%QErK<u5R#9~OH|==TATzi(J^Vw2Fm*c|`*%225zfg*|n
z!!4arI>k}Y(M8%jorz)wPl$EWdEdq~<1|l~l42n_78G;0kDe5EGx>;AUe5iKLjuTj
zzK_g5Uw`mg4z_2HSTbIV3V8SUuz8!{+rY@qPO8V8#_z*_^eBLuP}dOc?Aqd@P=ZwO
zgK&-#55MN)c_HHZkVp4n^WIsQ1GleEj_YNa60|stz0_|~g$l3fvzPsA$ME}P`dC($
zB(2f-%vv?$IV6sHpB<WjuVz}t(3$QrWvik#pA-ZJ64ep!?tgL@n<yWusjA*qo}rXX
zM!e1xVcL<>v<!nj$fw%q+eA|kSy9QG_=)D9f7f=>7&-5lU#nk!+<V$sqK_%SIdvpD
zoRAb!-jQ)x$us;d*3s$yJ3GB>{`*YuWB)1*{&{E>?`qUGNq+J9b>omSHrTMpWrj(k
zOhhYN5@}LzLCj#`=b*>OzTobuvDX)aFounlIM1i++iQr3H+=MS2EVa!<YJE*$1(ww
zNj8OCtaR8RroD$;sJ1mmAB-F1hcL|wZ;G85_Iw+gi9>J?yOJT)74L%4LhxYUM9U#u
zm*7WV?VE$|$)5X}VrG4tJHPk1UIR(70hNTM(sLTS1)HjX%#W?uj9YdZg@T+*|3hJ#
z=*TdPL<p0ngTf{}vDeMG!O^o=75DXS+o|)|%>Gln$n%3|-`K-IN=z3|(Kg_40ZwaY
zktlv>#%!ryB3^`4zti+g9~5Yk0!$qgynYaLjN66Flxnl;p`t;OS#5QOC}4w(%209F
zugWy`d<n?i-AKH?5MA0yma0al>?^H%?tZzxD$KRikhD9$gGRwxXoKQGU4i3%R;1+2
z|IBzsWbBj7gz%gvFh-q(<hlPPsPafgZop+mLMawE$@5l|K#yeA5shyrjtS~g213Yp
z>x<v}p#8lZyy|xM`7%CV`(t)2exSMYWWS!b1Ap!URw82M)4hgd_?(h4u|^_#u_C|z
zc9yeR1bDnEj4x~98emBjK#PVCD>((U#G-o#{Bf&0Vrufz>?Hbo=GZM<bE#M;upDLX
zYJx*jy$7UG1SJ~LEc?VGXI^uM^IqaYQ%}$=u||wcc9=X!K`N6*_ewSFSbJ>86S_vE
z4c0RHg##Yfc3RrHho;37mD9I;kOAd#+$Ig3r1n+k&0Pl%{9Q5n4SuXzz%mmXB?b6C
zl}Ag|q<K|!{A_wJ{5*_;xdAqU-Xlo>KNbLxgj4N`a_bP-V{Kfz5VhDuHuQ6sUyEdL
zGhoO#k|>UO7usG5MZqZFESVD}FPPF3f#4ih5?9CIWzSE%HSNi=K{Y76yOozBNyEB!
zKCx`_n;@$4<UoAq>BKdnq7_zsIeY2CaRtw#lw-_&b+cI#$6P5UTtDF<O8DZA6C9cS
zEw;7nJk2nUjr;5JA~w2H<{&(KTOS7M9ra?pWR780AI0Sz2FZ_Ts$v2^9oyPL^uLE&
zP#V&YUx_PRcMl4ypMskGB$ywkq<tDfn%P6?s%>WO%}Fd&lh%D$<6y$}_1a>BSKN$l
zSg)r}<hRx87pOg3I4AzSrng_$@O6W_KK5;a#MaDi%5|vh>ZWmPaXlsx#g$Tca>NpQ
z=(c{}&H*-d_|?3)?Ds^2k-vp$#0pKcy^0U9>ynE;oQT%|Es)&)V=)>f)QWmgVTeWS
z(I-fH+(LzZd|Y#>3Aa;IyG|n&9GawCDAAm8d}jQwT_1=mpVF&4H|={_ai)|6vH6qy
z2-tae>Fuc|i%{(L+=3@sZa*z(tS)^gN|E0dQV7O=eUG(X_nb(4x^V0uNz2zbgbrto
z3Z=W%X+>1U>{ID;X5)oj<2Y~1u(=;uQnECI4pEPomV3A=P-p<m;7ytjF<6fqY+Yl;
z`%`>ucfT}WBR%@llWx=ugn83N!0!;wfM&nZET*}#lN0l2r{J7TF|R5p)JxKlRh;){
z8oj4DW7YJ|R*_*HPPkh9M2SUs(^8MYTjd|gROhGD(!+Cl23}8!?~iP9$m{#<<ZCbs
zUds$=x-ag+Z9dyGcp(~cf~NXta6Ups#Zq!eW?tQ>Xk@pngNvr@&ifDGJ9X^)==-5f
zo@In@Q74R=%%H{-79vdBQLcmoi7}Wx?K+7rpNC6#=>iV$c9t%DsCkdpktEG6WY@I1
za|enUR<<ol{J;HH+qavy82>f1$-lJu5nDT!*raSGo62w(=iHwL(1SF_RmB258B2*r
z!J{_$EwUSUmUXh(+hv~_{cu8Z@WXi#|J6xf&5oN2OpbaCSQcrR%ba{eiB;(=Kc(;!
zc!n&|WQpg*q^bUpDG<@zBIu94{BANpZ=`sLSk^7Kl&Yr)>T&KsO)>Rh=-FB@hxGUE
z=KIa%pz`0x&1kM9Jv&PFYF?5)Csyxjr|;dtl}mpdKZ)KoStdc+{uRHSU(Hz&soai+
z)XWz2$W-C=YEF{WL`tiOps;aq@)~+R@QwmzZR6U3PEr|HrTwT0u+PKT4>RC>?Q&6g
z%zWf-0WU0ia7g4#hOF+sIlZ#~Ws*B*1;78&_vqv3lc==pu<aa!8xm#FWZQvE2txtM
zQI%+ecc<E6i~PLTy%Tc!jV7ug(dGMc;q_F&LqNZ--7Kv+4}v-TWMyGpw#ny?8fs1?
z8=I>u<4xbk%CE-uSrsG4CP>}&o96zpIBdlvWRdeVHK{`C*m@2E6iWN2&Is?wB-DtX
zXEZ|Bh9aJ+9oo0~Ya+Tx+rrkrZ<B0IB4^a*ha(rou#<-zZC7R=E17kAv-^KEixB4u
zhfDHm6^1aT-#b$QWJK8gdhD{vFj8=pJ&73y+K8I^xOtO!)ciVrf}$LW;v1V?%-8?+
zTfFrv|5eN4!i6&7*O=B|{Gt05<>|X?+Ye30eJ3NBmR-2D>rt$we*Yy*cK1RMVaoV1
zFN@Vq+n-WuoOLzmYG0_;ud40C-=Q%2R|Kd8T;ThL*Se00IE|Va3t?fa2!a>z{Q$?i
z4l!E}%YDW~d}fsmnB6x)@k5rA6vB;48v2z8PNk8VVmJ=;n5i%*;2f-S3MH_#eG?=9
zI4oBx{&$u|;q<?<nlB+lX1GPEas8#akeJ+O$IG$2%8OriC$<M9YE@FsANu7O^%fZ>
zI5NiC2lpQ9xN{Kqn<M0s4V&I(E>cv_q~C@N<4r$;zpl}&efzg(s0biO+a^YF@y6NK
z3K2FNYilnyG=J^gn9n(=M>IL=VO0~nC^+*$Sx-~)ed;OQ@rxHCB|3kv_dTjuhVTM<
z(32Be?^vjv;>;f+Q<J4yteU0`0cCI|+~zT%im<Xp+2L!Hv16|fSg%x}o2`_P*BP1J
zB@u7n?>vST(>;}zt1TN+F|9G~88IG8Ig+;^EMsRW;?-uwH1t=CBP9&z@HbK+m?Rj#
zhD!w<)}t5O143^G!-V8k8&`tw6TdrqQob8`tW6yM7KP2&cJP-i^R|hZJDA;rw_TAb
z7m4nE$cYz1?|T4I_AAT~v2z_AsgVn`3A~wU=mIk|36f2<XXm@Is<r`SD#zAl<b=p<
zf^|?KshY=*4)%uy>PP&|OFNbU_Yi)$T3mu3Kt`9;?exNgWWIzdT=SU*SyMKnTTQxx
zIAwmRfYOuMbQS4C=@;U#HXVpUA!7khI_7>r(e=JNsA&Og#BJ<Db6_!E09B#sTg(UX
zrj)o?AxlldjQ(T*v%j?V^%(=MDjKrd>-Ib$^6@RJ{FhZ-Pge52%wa7i%&o*~CX{>4
zkNPeq&q)QBlL)~?C};zUy?CBD97;Wfs^9rZsyAGsZaw8Ne)?;IGkOiN2;R;3)wc@^
zo{yKlxPQ?n0XFik7QM%^*H+@0xBK$hI+Q4UuZO$8_>6F3uVKqBC6iPPatY?~e-<0|
zRA7;UVQCGa1;u{^6-Sh$R51DKQnTm&$hd>Scw}097~rve3fjZr+Na|JXB1S<ho5lK
z*h&s%S<sx%DT9bkpDZ;kXj(--&%x>vkO5|*FrF&~EH%5Wg;PYWoU5i+P~dq?We@3p
zO)_R}w&9+wyA6-`3)CVVZ6(*pbS}i*9&Nsodh$=AzYuY`m*^O2pGPsPQ3UR-a^CYD
zg__6g<`>JKITD1{nL!~kO_1Z^@P~zWw7ZT|1_evC6GPZzSOva}i6OG{6y2Pd4eboe
zTZ~~A#}qR}2k?e)5M6MbWe^V><_ch0>au`4fA@&<tqKxR*}%O|g3?X%#_8ng5vP8t
zrFWKiUzMw*-5}UA`e)mW#g;7{C1`1OPgt*qss|{CKWEHY?k1rL2PKL%oD;;^^(FSH
z!twhx0eesdO@7TqO29qLS$9ZU9yomw@}&N96<xq^Ky9hmp}b)kW+6LZPjOK#v)3q2
zeO6H@gA`IhwK>6bKWHiJS!^4ce4aN==6hz{@sqbN$TWDzc{Uect-C85xpHaz@`b%n
z@N`P45X6G;DY!4p4F|~1>3UodGfa=f=v{0L?MDdvlN>s<eL*))+J^>o7YSz;PPnH)
z7;Pp&yQ-;~e)M2Ew@|H349XgmyU$yrW^Cu8>G?^9Xq4mQmvuJ@b!T*71s`c6mfm*F
z$jH~7f6KXyIK8L~6~oZS5Kh<G9V_y*QaY8mvLc;5;8-O6ZV7{KfrA=j5FlF1t$)Nb
z`<V@@31KpkIwFd0D|SW#<u2(WrWDgrY>ZnMNxHnasW?&mQ24I@`17<o%=G@WtF0`0
z4kL${SuEnH9d`^98i|&1GL2>t;ZaZUBy4q<Q=-mMS~#>#z83#ze^*`(u}UQ7a?wy6
zrc~lz#x_a7$OK#IIK!75-l%kYtXW`t?5C>E&~gGxluC<I<#bGMe&MR5t*e#6rL6d>
z<iJ^so$n%%`rKb(IVl^s^10fZRJrgOcbYP?M^&;4?nq`e4XD*$J)!9`-VH?2#Pg35
zOFhFi-Ac;z@X?bU!uF^AaW7S+q;|$saKd4Dwbbt@Sf)V$z2!Y<y%UG@roiq=@e+1R
zR}X^ytdC8hZg!w&>^wb;Qj)8AjJF-~;E`C++~utE{%6r*Jp`wgV_RM6&U-pz&)~Ne
z>br;=cw<Mp@8en)EjUS}H84BN5|4ftd)6oYcreVC$eh#(lm2HCu|HCq2cZ{vxAVEi
z&y$OjHHHj>u=MB=I%_87u*?Dpe&FH}ZXeH<oAeZ$d;{;KvgXFpL4~>J9Q>6Grz+)+
zXo^QPlKUNV#j11}B`H^w>C^V92w9<Avg~v)M^*`z)<kbi_j5C$exJ4P8(6ty*LG{c
zxrVKEVWZc6Meab?tdE9bR?RRfJXd&1F+?o7;wt^eQrYjMzl^hvuM+FIZH+0g<g;7|
zd3RjV*LC)84hYFt;^ZujIaQ6wr{ia*l;%RXH50q#0Fld2cB4HL#Xh-s+ci?3si^2~
z$2ouV%O63EEU)JJP%AOKZPu6Z$X?e+p3aqXVo9;HDT^9nn}Tc|G=1FtxZEqU@!2(B
zLzMj}NX_M!cXjXcm>ToUXHuu4c@>EY0>*}ef(+X_q|guUyx5LzDD9)~V9o;|I6<tO
zR^NjwLe%z+qLwpx9&4}Y`!cE;3QTV+;l7N+(tK}}W2@a-26`;|c+40gl@^bi9`Ns?
zTd`byNDS@VEpq$EnGbEY1PCuWGqG;L=Mv8Eej^)e`+LGaF_`}-a;M?D6*L6E_u?#)
z+Q2E!cy3eFZw6HsmJ9$RfK!0skNt*{EaJ(v)Q7OU^kg%{)qB(Zp2H~CknlHw@3&Vc
zuZn}q=>nTL(`s}-!(7prYTIs;$i*j}-3kw%JH^aPmrK21(8E<o()LYC<?2$<h4!=h
zwCYAr(g}g%kV(TL*M7{~b@1t-+4-=u_<iOz+vdB-Zd|4juA}Gug!BIPyR|5(&&jv9
zYbxdbPq_iW$vUfFP2U9vT%Af~vJyYQemazdM^b&$lMYQaW)?KrtJHA~MoH8X#^@ip
z$0&iZ?DPpWSGw{3$6Aiz1o1Ny&<XfDT0v^xFl8}6;}1{-w(EL^qGERZq}ZgGRoc&T
z&u(=}Y&Sb1w&6-0OgiBM&z-_DWxs3V`@>xw#n=4SQTggf1}JGLp~{lu_ra%%g~b|F
zJV;BJrZ6Aem98RgVFcamd3Rjyb`#o?STO2La7bJIQL2>lBNGI{r_SOOuA_yx?obG-
ztBCPMT#W0mIk(Qo*>HBnH8>xW>vu*qU5}0TsqQwmsk77RTyon3TDn?ckOl@As92$b
z6+&TtKTk2-6;XZr41PdW<xP^RV&@80Cu1s;1c4uz%gDwUa5C*i%*j+Jwoa%tp$a&m
zMGfLLOQiV>eYkTx-zYn*?FlT9%PFE*9;e7Tc+%bf#>|}1qI#HF^Gt$`Ep1m%7Wf8X
zRnv$O@QFk2VrGw2(AdSuQ!^;^!MLAxsjTu`@V`!^<>iy}SU(=@4skkIueg>#P3KS9
zv2-Fq-DP*!@J>3AQ^WT{OXe#Z&{qLDbMNU5f-~}4D8pd*q1Kan)vgnqg(NU@g~6~5
z4OoqJi<$u8b<P7?XTMHbuWWsYd*3~W`w)F5-Ny8;(3-Ul46Vju>w)MHKb_l%n#{C&
zOots7<tfx8?Gh_!4?FTF=S9=xAbj!fFnt=R7ckE%DIo76;>F!+80px5qtb!F2W6y`
zDz`!ARd3^tYTE-A0B<^JqLeF=%Z-0FY=}C4R5uZTl((1mB2*b!0xug$z$WlT9S=T6
z_~x!$-Fc8)p8yTegYu{RQ9d0$0pNrH11Z^yT{0vIM-Xi(GzrFDN&()qQEm3c$~a6_
zbL=<7g8a#BFY14zSyvVC!?UzL8G--RggH!%OxQ&H3^P!$o|tyNqfDTl0sg7X3%e03
zsv#Jrek?N{OI~#MPtIG>yb6egMfs%w3$KEmRFGLZTcA7V2fe4jf`Slsg(Q6t^F4j!
zm3~E&OC5k9JS1;2cQ&6J!b^L7H&E?)KuJ;P+fH6FUp3H>mi4Oz52mqC`dVq-`8HC=
zEM)3)0PAC&j>w<ZInnZRtmh3eJ(p%&MiZfa9eaDu)1yYtgSG}(crui)ma;j5B;)#G
zHowxP$2ZLP2g#R!#5d|U#5USH7upc?A@0E{n9ApQyM|QNtk!|WKLl-?rUy+NRsCM>
zPO(SWv9_}c1oS0M4d;de19a*qoCP0SGc8*Y5CRGETY}jcj*eRKb?ox;s;YrY;VUb2
z4koxu&2IVf88naBny>Gxvg4e{P16RBt*4c{^rxr_@V0IEft6dRfQYk%ZEPip!2S^u
zj^BFKeXadYO9GBmdo@2)<0v+4*ot9(8HB*ZaY#!?=Ca>9r)fK|T6Xz{ru?{kO(k-9
zI@rOe40EIQ1bI5;zEKCKh%bi1$@+JDkzY``7#Rv61~v_)yWjed7$rX<1lo+p02sVz
z+~qSFrH>!9VaIi-+0WH3m<S$bSaimrlrF<bJ?UwtSE~H8wOG(bPn3=(4jU+rm?<9V
zP?-ljI<ITW>~hUlum<8otz8$FZ4ynvk@+!d0_^xfqD-2T@eAsxQtwg=p?y^fG0wxx
zbe4SONN(`l);Qn!10Cw&!Y58d?hGB{Dpld$4g>kas6+5wQ@!W0&^_A5UCY+a({f+d
z)vJ!l;S~nY0#S~a_UNtUzqMkq3=v{}@jG#gV9oI{@}dZdZlWldY#~qa<-VI|_-Yr=
z)sx0rRs1K7u^j$SN&m9Ng!%Ua7uWPrlJeLc6h1>N$F5sg_nlgaY4Y%Wcyz`VAuimI
z<q<geBVmoOnOF)52kzAphvNBcUCGv!;d#+E{T4Bn6UW6=>m@fFWRwaTH?myWDhwa5
z(`>$hH6uU%M|}mNxr}7Hy%nRWgie3@N~Egod9!F?p?G01aIv}VN|tVmpk-{6N~H0N
zFY#dB6>*h`t`j0WuG9MA!Z@*#BO!8PvJ8plB9H%RK(~m*K7l2bGHyO!BNsVu8nUy(
z$y1aYZdLqFc<1hy+UVN0uQWhAH~sQ5LT*f_KLQq2N+>hxX|q;nOi<^=N-wb**_fr&
z@|(+2Or!kUe6U^#19>)%RErhwE%y}*PurItZ6*sm9$%b-uxzAZMoMjY2eA!rkEn<R
zV=6$V@A3XG+v#odasct;rU}|pHd2`UU=7;w07Z(ez$>4ZEw)(;?B2@KI7iMu`c0I5
zEu?6^50Rc(*`;gTKVHzvXS@r8&UTSuG_Q**#yL~9Qk|^oBSOdiUO)QFth?7?gb!Yz
zb>NSsucHc{XUdj)(>B+Y$1V7byZKOQ-G4tJ{ta7*mCaIiHDQ~9gWQjZ>XU7616PW-
z`<qGcn(YJP(Z5ine9iako(pLOD$C5E0BSSwF7X3HA^lU#(qt8Z@@;3ogmTt+-gl@3
z!dX5QC@{0rFw@k}aBhsq_@wam?!%n^bW*&2Ng`D>zFCW?CR)RWl!SHp=p9H$9Z7BX
zyXQm07^^#U*zMI<>_N->3X+B_+dp$pt4r$`rOx3>*@9$->)$DWGo904e1RL3mee>K
z#JFHsd{~Kh6iUX$@(Y(GQFU$U)5x1z%nO@Gw*KY@yce17%gmL^;YHM&-_Eny9Q&!*
zNMQa~)u{(4hhfFRK&fUwdjIoxve>B{NR*r<i+2-K#EE9{I(%}>Q8u;26(u{;nraKR
zgmq!WaYrXJdx2PZoIE6j-aT4|4B`3TiUC1j&eI(kxL<)OII2PZ+DR1Md+a9ZWp-#B
z)xh<m0p+(?z9F>kccPtDUZUAZNi+%#&BQ@U!6*SviSjwUUQAwa+-VGj@~VrE3>i}w
zbnQ~L^xKi(CZ@<oP5UlT1Lp6XQ(ZKFsfQdIa(h%M6p>oZRNWE`A!Q;O$P4&!ls{w^
z0dlOWp`f=z&nrY$!Oj%bP0ZV9`h07Ph{y12(Dq;22SRkYI8Rf!%+b-4X+v_TchC!c
z%8J6$Medh#2l+Pru=?B~Xj-T$N`A8xbRw?Ml!HCYIxJ_RZBn)T{?tYROZG>U79@C6
zgIm2BR=dE36+acKvy0yw3|x_nliUr%F1x5>1@A}W?gbG2_|p~Bm(+HL*nqot$Cz5d
z`dl3p5?;7?i<x34v)T$X*F6O0yTmq<KbwP<Dle>c0>^j(e?Rzns23wt?y`p39m6SG
z8PoW$wi?Ij7@vog52Bt+je21$iGvF((@WOu^k~#*1$<0`5WW(!F9p~89W{{op4#rd
zb{`*TtX9?bwBSVJq5`%MvK|yfl%shq6xRq$Mt(BsJI$C*IgIbj<@zy$f}`)YcIkF~
zJwg+E4=HPZY{K3fxPOy)VDVMHSzU9C)ZTCrsu5k+xIF=`+^WF&<ccTqB5Fr$LpFuN
z-AIO7C(f6@@eMHaek1d~(|Fr~1K|i(|4MIq8pWcb{4&b`yS{zNfV~*LivEXqv{x5U
zWS@D%u1&G4*2KV8aSL4x9V-{Mp=xLlnfv$rabSXP6T7yx1e57*OYH={#7a=GzA1*K
zDEQ6)6CK|xdcBjrZfxhM`dhDm8cX-9_AZV`c7)@02mFz*4E`az8qqkS1_TbjGTeCr
zmHex%Yee4hW@{z(CHhOz*gK3Amz?;37u)5~WPBt-TTMeG+A(L}fE*R+8vami_uu%H
z4LADka;99F@i2I1ZtNY^>Fb~KnZvCf<UxO<v5nO{QS&mGcM4bTI~1Z)Qw58}vk(0L
z6zlTU*v0O4zs-4Ilt%KG+{$B1PRkr+!FrD?(Fafrk9r1D5L2HFS?wulzW68wr`du1
z_Z#vY(qM`ewK^9gM!zBW2^S4Dd?>2&sIP89Iua1pkT<}c&UW(;Lx-%2JBR+aA-<k{
z+FBC}$wFp<HyIGp&-wv3i0~DK(0M5m`IG`_f1tg1ZFhF|Sj8FvIObswj@JX{&K`~N
zbvlOYvFh*MZy~ua`}{KYf=<5#@<>1UrjuGZ7>HQh%y->uqZPBH<55^Rf6QIGwXY-g
zSEHlr&;sgvuk;5`JOCRW(G<4!!P#8-#9AQ!A?eEkPp~Zstb{nPdt0l|J+xq7&ey&<
zw){s@;Wd~Jzg7fDXOzGrjUyq_J^!P;3L@%T>SD)*X@7_)8>W>&B9B*)XU~$q^Xd-h
z4>zV(Cg9Xvl--z2STSK+=HtEd8otjl$!(2dmVI4pGzOi@4c2_9hKq~r%Vr>37IDNw
zgG0i1Dv>r=eh<TivQ2n!cAU$8&36%PnBjF*Wg|GdM7(|UFP~i;0tvq|d$-7}Rqfa}
z&^+y+(vf&O%tj_9r93Hj-}gK{Vc`{yuyU+>t#cRSf=CGBm|fq*FL9>x(C^hRT7?c<
zK8tRuAdm~X;=we~HAGSd4g7%z!o@sCcIJ{OYRC1z2Y563pKZQb_y#dVWfBk3Tf~q|
zIzA7YiNm1_Gzi);gu7pqbL8c(X#7ZLJy6&UNoFd|9uxeYp-Sc_SY70wFFi7a54(5S
z=uj2EM8~{2CpTycp=ICF+M05l+}XJ7WFy^CXQOc(jH!TJV8<53sh;rPzs{;E!5#)D
z_fpa$#3WBCs{utmax~lr!cyyl-3e|#2qzgVQ>lt|iVC;}9lVPm|2|^Udk6Bs9~S=I
zbA12hxp1v@CZV^Ak91fO%uchaMp3a{$ie$+Y&{tll6clJ0OnL3rj?OzAojV$(a{yM
z^a^yL%KBDnss0=1)aIDok!whp%Wm+HkM`R5@?BQQ<)<<ss!_(4J!e(r_?oSb(Q^g5
zZpGwMl|4uIxY`ZAoXY4c^iMJ_MrasGo|%oyj&Qmt?5&PRYiG|iHCdQ}4c=lvHAI%$
zbFNose#Sa;Ep*%2U&M3MPcahcym7DH%Va3}Di6U{FqCv;HI!9mv`*mq!)Q&I{8?(`
zi%RsVSp>u1tx&1fr4cgZwm`mNG$(`T3k2f1U)3C^M6wVv(3|4h;pS5aKM!;n4v3xl
z;?Ve>-O9wON^;>`@_FtBw;ZdMGZQmS0Cr^sy4AzrYuFd;ESF?|*6xCA@)yRj+a{|c
z%q<??He?4iJ1ntls#N{19g~hz`+xgWmnn}0vmxd_l?8l0|HuV%`t~10Cm3hfb{L#3
zx(W^jwo^F5Q8n)DpI!&rDGczke`E4ThXh|@1w#vdM-ZVBF<oa2DGzm$eMkyD&3oUi
zBne9@|2vH;nQSz~kas`qkn`cx2FPy@V{@fkw~Ce+ycdt}zfXK-46nD-vrY!w84wZ&
z|NJ7ZLNZxw%?ELMjlHgRY+<SqnU6BRd4k%)A52StJ}kRP<486iW(*euw22HJXU8=w
z#DC9-LBUrgWeO6|XqVMUvf|8V2u8JBR`t4+0TBeqZfP6RIY}Td+I5vs;?Gu2a@lD=
zJY!Ek1bTgVq`~E#i-*cQqyrrwNqVv#;KiAsp3v?QjWhhQEMsur*ba(^AId2W+*bk+
zAv2KWRf?`R?N(ECW=PRGkCkQ`2*W{lCtJAmc7`OuV|5M1gK;K9>ca@~{QGJATh7RY
zB$Y=~!-j`A_Rxyd%()z+o5XFF!#(HwbwT_XG&_zhaA3O7D71AWzY_pO6W|nPk1vR4
z)@zjJ=L=CWO}V)0T4=dltc_`RY$Y@yayD_}SyE>dXrKN=KOsx(jee#^2eeUje9pha
z-E^*MOg!kz_2L9QY?(RxCk-Pf?y)+|CG+gP-1v9tK%3sxw`s?yJ(Q^{_wrx{fmJJz
zm+->3&7sSVJ+z=Wz<{x4M|2*#l{)k&q|+mh&I=w_Bo^QR#hARlxf2MLB0~nXY5*r3
zwO-^>#Xn}5w_#%19cwo5l(%m~>T>Q4BXaKal=-F+CRC(D-4JN!%6>TEkPnu(h=9<j
zcsN;83nc@C6z-wjppQaLvH-Xei3G-5@w_h$s6nF;7;HHfVV0s3#yec(nEJRcz3P*S
z-m-BYx}P3<?$-&7+b_46L104m9KRo?f2qOdh_*o}`%W#|D_2oI{j^O~qPvKjKd)Ms
zV??ZXP<0+v+EtqRG0U|;e2CUbXUyet<i(>)6`ve$t{ePWkwm3(BXm&1U|5ta&g^Rm
zVkA#JmaUR=8C^5P$W`T|l$;j)IAy7GV9ZVCM!LU4bsk3Phwzy4AtN;1Y8VpH2pv`f
z3dgn=QKK+hOc0>@3b4*Mw@>N}7*#F|6#*kjM6k?g-!7DfgXf(EhRmVTRm2j)CFOsF
zqq+>@w3ZMB0}v_#ApI-E9hL24t_jagm1b1w_FFQGItH9gmj%ko2fF$kjoHQM<(Api
zMUdW~&ClP>|6Dyd^0ioZ^l__AyO!B&CUllGPG(b;oJ^Mp$B%{7hR!w=;N4Pj_$*eV
zfBr_JnLw?U$4-54XIqGP5&Nxj@itoiE-k?COQL4)9Uz;sqPy!Uua`URmg#YCRLXV9
zu{bQeDigsN+MsRT!@LO>@g7@#mD26salpB7cj=+p^P9Y%Dl7by#GpwCDO(@Eu3pEA
znSYMpCL*)}1NBJJ(uU6pBeP&fqY`9)fpdPhGwcyKGkS=V&IisItj}C}OMSSiun)NY
zmkym_+0h?=d?DwC`-L61+ImRaKE<D>rW7_N_Hp(2T98Z}T$^1-eu`%Bxh-GdkOQW=
z8FYA|W+ZtvRvYBdD(g0U&BONpvYOx0a$ZJ1w=x5eM1TBVDow*wr8ZOY<y1{)waaMa
zUu(k)^AO#uDf6<){zRGN9*(&`&Gv{7e=#ed3X`BM$6B2d3=OR99XufUI$C^Z^pmQw
zGcR}Svr6!oVki-60OEo%wY|Xjw~0p|?cCXl8|iJGx>SiYxJ|aWUJL7LodB9&t`U0L
zR|j9f>adO&E#k@;Q)&v<)~dJrhHO}(2zux|hoatl78D?azJj5N_Gv|$?vHfUc(t((
z5dY&jINmo?7U$1FlI)&S{!o_&gUv|2aP3+uXXX@f!5fYKSo7bdf8IE${ta#sh8;De
zaLLbnfaoa+^u=ek)0ZS~pcH|^WuC`yTS{VcwTn`wcqB?JeP*+HbTj$9uo<hG)>Bq}
zf2Eb~`EGarMFS`<vRdmF;D)B|iI*_rI?3B0pwj!HN<|-$F}7p`IRE0UWYR@XZ=K!J
zZ8bbg__-8!HKi#jk8AGryGsLUr7p#bHO|id`YO2gFC0>2=C-cx=a>Kdku4{sBv~VF
H68wJvQaziB

diff --git a/apps/static/img/logo_text_white.png b/apps/static/img/logo_text_white.png
new file mode 100644
index 0000000000000000000000000000000000000000..9c58eba3ecec50734ff45b845c14df8e2cd17edd
GIT binary patch
literal 12116
zcmbt)WmH?=6K!xSUfiWntXOetarptII1~s_T!K5ni$l>OMGD1=yE~LZad(0j2oNkt
zkQe@Iy|v!=_aS!I$-3vv%$=FN_e6itP{PNh#svTX_$tcs9{~Uq3*`6D*qF%o4ma@`
z0DuvoBL7~;=lgMvZvfd)+G&ujB|mokFe(d8NN5eus09rvJCS3Up<}pk3O~z-FTS4z
zQlgJ<KYv%sW&hll?K_?gp^{_!d+`D%89?*XzuF_h>xDIcc?4iM9ovEobKp%lhS3CK
z+rt%MdgbT&3Z?9HUpueeL)X*O^ZMXWyJQ@Nl_Xl8IZ65d_apgD2?g=hp9GQJ-Kvw7
z=8X-LZr^QNqv@lGOJx>RO`_l>z!y|(EEr#~QtAe=Dm5mA9U$Oe8c!0vLtnUp;W{-x
z-C~^|aQUb7>$Z)Ckdh2Fnb*T!Jp5>(`ic2q?v|^)kw2t_A-I}n2Vo58KHX|kZcG0F
zAVrBogT0m{+~5QB0+s=9IS<5x@c`o}rMl8IZQaAk{%Ou+14r)P_48<C%wY%B_A6P`
zG~E<3HtT+X#ZO-sM48~jT}laozW%lwkBOa^Te13Wm0BT148a!w%&Z-R10d+%-JWt=
za4X;ux92S&2|TYw2$Z=wR$)G%fB*f!0~$vsb+-a=xxeICFk@qVh1hd_xzjClvl;Rv
z?FgI9m(xw7NM|jM`*;2YBNq%Io&cr<d?eZk`VSMv04T<)8J7lRp&I1vNEfML)C$Ug
z2J_#Cf&cf<I$kc#qE|(6!d&&zLt3I<v;UUNnSOL~IwX)4v9V4Z*I{DPb3`%xM~=EU
zi*cohCc1`krFtUR_8(Du3|@9_92Je%&f>Rbit+4?3Fq4v`taNRyxg~|`th!bEEs2D
zLplKe_R<p&>f(Zer`iciD5{D17cNAAm8a0v(TYgRxxv*+m#mMP>r}@WhHt!$y+c`D
zTh?^W5_{vJVRDARR(ZWmq|kcT8aX0<arAjfh;zBT1&Th!{DUpUJWp#P_F|Ml>C5Gn
z6{K-8*J4wWJ3Z`Hnm`PGU5|IQH{YxY2nY$UIsIGeNXUZ3oBlS(0kus}4x^al9@i6M
z3M0R=Y+=O~0p`8TAD#e^us0QEZh4b-@1buvm5<k|H`=rk6){d_jH<+j(@#dF#kO1b
z3mFn)1S%X5xogK1)t}a3iUC_BmB$C;6?Hh4c^LsEw*)!j`t7E?W`xX00}P@7CT_K=
zFdVzcUkJO;Y<~lQ50xI0vEnpvEX=*&R%3ZtSYNJuXBVK{Yni(6(UfiWp?Dgba#MX*
zb9aAZgl6)7XPc2jJ71WD*WqV}55_B@3)T}HFa#rN?8^Z{f_}iKx{PM(0O{+H;|Nel
zgzM|zM<8PB2S72blGhZS2o1;{e2U&Mmy96kMt5x!MC=G^{#G#S@=|bT`u&BrWc!Rb
zkqzuWa?yG3WZ>>DSQm>+jd|_=FG5VvM)%H{0#DAOP$@DsP;08@wKUVG@?2*{+%2rg
zRzQU$<Ov|1=jBV<LAk?IGnsx*WvNC4`r|6z#m_0u&&}HKEnQ<FGp~8;2MU_rXs$Gi
z=m-3Yb`PAvyyMwMuJzP!?RQg3%t4nfH$A3SW;%K$uSz6|O9K%h&&T=;2(V2q!R!$c
zZ_Q%_9OqQXx#d}^5K*M3Yk&?SG@tiGTOsPkBgAAEbqfEIE}?+8KX$sJi(gq$rMUEs
zEb{XH<4=jYa<+j48t?Kmhr3@VTh-kXLA}N%bL42^EKxSWS1}7Hs{j}L4#|1kLO>i!
z^<g_Y<kz48?}1}G8nE#2+5j*S7BOB3xI?wYbRq9?2D}o#8VFHu_#LMI<4WtX8xtHM
zLona(<+D8nBwo~y<ZT4d{@O@E`40v5b9(**;9FYYF&eBaA`qo#1%g4VxPubaY+#m;
zjmpdEi|ZIEiCXb!i^7{t{$PX&i5e7_>n*=;!2Ga}Li^ShZ}RN@dEGP{OWdKZAVr7c
zYSc`PSA}-(!j>(7Wz!JFm@uE<9w_y~pDn@?<sbf|SLmq?k8JO?#5El;RWW{RRrZ{a
zP^z)f^hX0DlKpn6wM@@P3llm|igx&^gW0K@=;-nhH>d5iJ&2+NEblSbXU;wM+TXab
zGc(GWXo`bbTwY!x>h(OZ`}EhyI$MDev-mrC4Ea<Q`B<S5ZXsJULE;EbUoQhudXcl*
z*tQaqq<&ekUOncl;weSX>GnTa(YDyc55YGXW1{cmt23Z@@|Ot_ZO*R|CkYPaBE*%f
zU2GL~kqy;C8*eA`6O44bFytG)++>MXIhN~ooiZ}Jb{mRakC876O>eo{n`|6jvJulY
z8c=ZfelxaZh_X$4FBO|A$uEB?Ozgzgm8Y3ha+*Lg<=-Y@u)p|8&s6KZ|6hV8(5R<%
zX>(wm)5_!tc~93)dU}IsQ;WWBqf|4WOrz}(eEu+tTGiV+XJKSUp-eFJCRHVq3KJ2y
z^3$<aF*5@57DQym>Q%~IP)ojS5k7@q#Qr%uy0kYj@Sz82##mrQek7(LPx{~Cp<|XJ
zd?GTdQvU6q{6~}>DWVTE@8lUchwQ$zD6$(kE|6k63A8I>=tsX+F1deQ2X~n-9Fe8j
znBy5E>>DG8yO+uhGPJwvoi2A*cXkwn&Rf~&+8y7gIIVnf{^PlJc{KS}8M(^|4=W1i
z5pR)Yo_3CnwG4e7QO)w4BNKv1(exKeaE(ey6pb9>0c(mocT9v3DcC`1#Gv($e`wNY
zO(JhhCeemzcj2QE)`C{dD^EpitWfQphxsk8s0ZJS+X8YUJ@jir&t;ZrBRtQ0y%MPM
z7K(z69UDFHh9#;p*|)i`Z#r4jM(e${r#e1|?EED&F^gu<wJFljU4=$N<kz_Ep7RR}
z+Qoleub#JU-{_vha`ah2m&^&_sGq(5TKrvE33~04!{q~O)PmME&X#yiVD!$!>&ut5
zA54|yli03|TXQcJe?8`3S-(_%UjdGK)BJU#a)v(X7xyfGBdJxT+em(V2+@GUJNZ8z
zVpVzzvmd4sjw}5N)e0NNYg<RFvSg_q4(BsB|EwEoSyl6D=1G-H#IQ3vA`OOIoN>}l
zs)D;UUdT?{E=xpOyRKbrM&Vs|Vr{W`EjP_@KvQ%r-WtTy;Bkh$2mVgwV@<(^kRK62
z{fEa;jisuVrf&yOE~3zzPR8r`>GYP2+Ax`F(XH=Nfr?QEw42CEq3-=z->Ri<qI$yh
zCAB(D@vF|q|8A#PwoL{j#`H?48DeSI*^$}3xH-`E<N0Na>$V?qHSerRowfdxkIu{K
zWbNN{qMz1tk%j(pt;=Qo9-KDxYl9vR%U^FNgn~9cetJ7$?|<rwYW>DG*x)CG@Jh8#
z7XAME;)sv~b436}R6@)9b+A6*o;^54HBj3r^{HzZE&*7_!lL%U3*HR0uhj@TAnZ~^
z-v^#>bD%mJ77lXbAy)G*o>s_59#K|7L4*(%yxXA9Oo`p$vQ)!<Dz_ds^S8ytY`jS(
zTDn#$6K(6eE{jydMp_gv)6)lT3sctNOI1yYYhvY%hfwBDSIzjSvD}fzgs5hcMD(pF
zCH16%luu*iBlP;qSG2C(FBl8H4KG6*=Z}h)qHZ|P93R}6{o)PG9IWJhbu7)g>~bRf
zpfILd-Iyt9_UzfI|LD0eBo;!Kar-ui&+sj{qT>e^=B=moI1Dpkv)OMSDkJKQhGc?A
zt0z9kyWw#|HPz-md&_@Ps7N+cTeWd!R{dS|fLO*;RV|K<8DkrDQ&TgVy}kNa{MTH8
zacwZhGt4s9U%}Z<B{s(|I!eG~DWc1h?09kg*HsYvOc-la{H3=HABTVTrOiR*>SeWE
zsvzlrUpk(39|ZMaqOE*}xz0x1`nT3}o+KJoHU-I<oKkhg5^GxZyIMC50wOaTUas59
zRl=}8pI%!Zrb>POc#^6iR<AO@jd?6Y!)l99G<womJ}}gh`huG;R8}^0YJPp50itVf
z9V@V9Gmd*Ze=%`7>2AiMtgcL5$HD78)+Lu`Y}D4w%5QZO(!YDm&}u^E=bLPr(=7nr
ztC++W(<qtqLjgidrvzBz1FNVU|JHpl1@Wt*1<SEnIU%YsX?7gW%=q9`XMCe_#wZ;<
zR@^tbO{=CeZ>b2k2VWV*>dyw4*BooISuyZ0o%}V0F=qy0z;G&tR@w>j|FBMQQ9mi5
zW_<pr!FyA+RI5wnC}?c(xp@PiXUC0MF6(hkSMW$o{qnPw0(oD5e^PoXN$2V0{;{Iz
zWa^v~s7Rt-v+K+#z{4Qp3^kL3l>I78z;${H*~)P!)*i{17J1m{EzRPjun#3rSsI)k
zT<o9xmuc%|dg|ck{XR#rj}M!^MA+{#5=_Zh4=8`6op=YJ@NCKn=>i@Vrp_6o6cuCi
zfKuO*^+*ETA$gI)uXn+vv-`1`>p^V6T$6AP>D8YVYh*P!I38I9z^-06Hf-c=<JUTp
z1Xayyhk4L;FIYMNQAu}qXCET-=;&-Tyz?q5<=M1rnGc-}KT~bFB1$yCO$)Qb6K}l8
zD8M2wJ4voO@}GNV@)Lo|n;!<EAn=A@W8=4lebE<kucCLysj8qC_1!{&H!Q?-r;Q_r
z_TiCNnHIY~tmy|85E0`#YFpX=nh^DGgYuH~g1^Of0~k@D>SK;?%lGo~d7{Q{ij&*I
zr1uOxT!Y!q;?gC9u+~Etq2S8k$A5KWKcTMyS*CRD*lHkey4+$r6^=p~w{`(S+BePj
zhk2s@&Wo3zuCJh<RZ)3@pa<xIpzJi=(wtreBYk3wti9|xEwZoFHn%I=Bz04<7>SZo
zN(iuVf4}Z@^^`U@C+c10)scQJ94)V4Q>md5rb~g>`^fM}&COjwgcE3nL5M5Hwi3w0
zdKr+9-Np<CCKga}9>m`aywYaVz#Vb1GP8AVvQA=~C5z<Z8ve7&!y~pE{d|X^UuDKy
z&{p#l_Wu@>PW}i_9|KP+3?=>t8nnJX!4<tV`k!A#cobh$n79wDseA8wO3c?Topio6
z?ydKX#;)Q0I+X)fF@PcHwVPZk$pfjx38DARvi*H}gA?Da;C@(u3`&Z~XjfPFRbw?{
zqpa*Ft-q~^Rl|BO)PKjL6UM~++*^5L_vA7p#32nksjh<(GESYIM@I}tVsTgiD`W32
zzfyjGp5%Mqq!;j?Ho{b*`83M~zm=Oe$e^g28HZ(#%)NI@ss`F>v*=ZJP5<h^g81}V
zlBaWXXM#2n*5Y*S<FoTdRielT^6RajO<;}mP?-b@B?)anT~Xs;9qwoNB~|Z*&G;Q-
ze_G(Wn_SyBph0^X>M?dlJE#H?FCo=(%FDA;`}WV-4~z=`EB32!7C$L2tdI;mza`eZ
zOa>5_JzEgsI9<;wq~{3r^|BFl$u(!UD2MM|)A33qSkKhUO)DU@h~3A)fbt`0GA4tB
zYbXJ&SinM3fVthlrNnV%QMCKsQf>nd9$r7ve49fW-}3{N2oCPp_3E7v@E>DNl}T&)
z#Xi*Y;RQ0pWxKX3l!aQMnPl(v;m3@4zLynhaRyirx*Lk<&cEm}D477TW6guz?gd7e
zWN>TOQd}qSN08=K_BY0=?zI-Ei`8znA8{I)dz}k0S-<`3pNssKL=x7c4O=;RP4gS}
zwvXfW6W4QfE;Vw{41Q4q*Uzbj(!?7lJHsg^bTp3Gqn_rdJns2=DFPpfXf7xw>3Mh}
zS_$Ayzk~34#`|T$pIH9jKwOlqZ99dsGH=#GuB^7NQI&dXA1?2<Icg$8l6VeHVFRVa
zM*Gv>{Hr!P(9h(|J7d{@4|a<2zj4k=l7?3W*08kOk2f4_SK#UndQ{G6Nj^u;)bhE0
z8IH=))%j;}Itg~E+u4TMa8|%O<Syv~G;fB{T_8j2!1g{S$R9GCnkGKLBz<S*lKmsb
zWg*e3JB1!$4Y{N&H%2*HXs=hB9oz27yOl3DuCP!2ZZ(9F0WPz#?&K>M0)VxnnaCOH
zryK!}LWg-@!g~6i?thN{v^^6*$Ghv=h`<aU>&$R}K1p4yH60`>>+9<apS%YKCb&m{
zY+2tMxs8x|&%LPM_iA<eS4+wcEKVSDy&z|QwJ}GQQ&u?`ot5>&4^Q6lT*6}<d_f&-
zN&S?~^V*;)^+EX-il4jVLvp>ZzC;!m)<|5M#We~3daNg{6uP~@gO(Vl87wECgTl*b
z7p&AcN!Viv=)yM@1xC0}k`MU*H!=wDA?$hj()vrSLZ>{Uu|~&4LHrWq3<wi)4$sV`
zf^@yjqJ*NEQr)4sVDqqGhRA`|!W(Nez}v5)!oos9Ypw2Bhh#2D1BY>ymzUlD<$XIx
z)`w~lm{91l)l#xI5MS@lU|?A&QNrZb(=%nKQhkIw6MynO+vx5{x)ZGpRw4NN7*NBo
zthp_S>|C;w4|`dp>sx>%?w4#c<N4c%y&rDaq46#U_d!&SOhDGjZ(+K;WRS@E51@#i
zdJ7kHp9U)2Cl(E?7<XXE-h`@r;SH!O02P8CcB}#^nj?cy201~xw6BfPZ<tmYDoFTe
zOuTW`>Kk3Re=|9+w%9#qjfb`$=2p|?7y5U5#9Wa1ebMS-Hr7mxiH85q#x+;EoNWzS
zUrYb!m&ULtyC}E`e|M~x$e5vdpK%5fe`09Xiqs{G8u)(g`Phw1{+r*VBdAc<vl})4
z$X|g8buS$=blkK(1kw%3V|)bB`0Do>5TS7cE4!8ymlm7Ne8y;-8k?_9XOx0^MEvjK
zAV2l@pZfl=j#bq&NFnnNGZN?7A`=ahQ78kDU18-K>a3>bw>G&kkW<WtuFS(Puku(&
zf0tl-$;_nImY@k-J=I(PDBjPIUs+7@Ih4HxHKHs+OQdFL!p*DV6~Pa8@XtW1=r>?S
zf1Iu2rY2B^*dB_@0;~GpTk)P0Uu||7n$*paE{JBKaGN`|#_a5inHdbwN>|`NMep&k
z({VG{UMz3G3WMOwAgUKnPF`v~rWu!_p*^OOB$ns-$G2+nW((B{zs%Lu`S3#O5o82j
ze#w3=8!JqNa5};V4Agd*r7Ym+FnB|j+iR4PTSGNhuj67y&j!4XTPdkVqOB-;aRGMr
z^!S9lDvZ23K{3c4eiRR!p<B|mw6J(%+-QXv{2mPr&ITG}(}^`htJ#XV@HDvA0!E%h
zL8elol*xQ2uX`|S5(MxZH%SODGTo&XvT}AAD~@O<LfGRpuxvN{s<##GN8a&L*4e9X
zfxy8GrrJRIR|A|An5Fbi@N_yy{h_jz#vrry=t4{NxKM8rSHQ%1Obo$pR#uknicS0S
zXn~a@5{f!LLm?Tb88`9M63ZI}Veif`s1h9il^3fM1~JE`i2#8|8QI(EQS&?cFyVx{
zN#VktOlu8TV*w&d?2G>O20F7}gy>-(>Xz+T?dLI+4)IRAP0`~IN&!{ShW9_$2Z)uR
z7?IGZ`A4jb)LN3kfs@+B-ajE-X_o|sv7AofxoH0NulZst8)^%0mlxuRtG4>8p;?7U
ziVt5}+t^=hEwjkZG(A04fEw6&lCzhtKZ(~FHhHw#0}hml%M;YRj@CCY67T%6t1(4$
z7Tt85h-^4Ywo5cyk*p)@3QxHlpU>y5_L~ASM`bY8y|^*Ho<fG$yM+RbiarAjxGoXe
zyc$;6SZY-WJDebthcEm<7bh5WFk5Ct^#PN<?8tQyXxyo?WKD@Me*nCz=!K(Uu3QpH
zI~nJLKu+JrfP%fYHMuUV!Aj<9V?})4Tv#=9w3cIex@myyKMyY*tI`3&Ni^jR`{p%)
zV49ZG(_pjR>M*4%o8G{4j0X0IZcGGV-rv2>z7m+m22cY!O`q`Hp9=O?r(RMAQ$fHq
z7~p<7z%jTT6~YDUbf>&aIp{|D;8+7<!Fu#QXl#Z85ov$*O)suq-6yT25tE5A&mA6$
z3H43C2PKbj9*jd%+`FWtmQOf4vPD3Bjg330M33T5j-3I=_GL-kmiQ-PaxfVdf}We-
zbXeQb)$gWg90U1YbmW(GpXX7|z6}BGaRJ8r4RlFf%Wi5hH00X^sH`TU_gW?_7e4F>
zF~8yF$yt|R-TC{?G~g_T#M4rx4OzN=r|u6)(Oa#B${D^mk3}ZQpg3ASmj;vA2qYjF
z5>ZrOFMd_D2*z$f^0Wx_h*4EF)mDk5e@M9MWLLtZXu87998vQV=U&gF%_e&@;$_$4
zRKj>-6I$rP=e6TK3Blh31E2K#Mby+Ze7EG)$7-&`#vSwmN%6=B*<VnSlDZ>fM%VgP
zH<C?OKqfxpCjll7yO9Bvrf?V%uFN2*ML}2i>iP&XDZp_-a=$1u(@bRTF|Uc57byd*
zg)c<4fDH09kz8tDa%t)2p^wK%lvh-HDI*!vkD!LbY)XhSjh&WOO7rQ`8hoy(jf6+H
zN6A@VF>gJvEBo>=VCC=6Is2%x6e-f|t}eDxlRL|=%B<IHrl^gTot51%p&w+48ksuA
zygFE3ij^^)r{9qsx=!Gsyz%z&iqpd#9H0KmRtJWRWw4N`8vf?%KSAX|Pm$~Th%5l$
z@-P{YjT9`V?fz40imu=Pvew}%D1+?V%#kfK_B%QSF~m;Xer{q@p$u4(6E{&w0i%$#
zsS-gDsKGv->ly6@==if8@Ni{`x8EteI8yKuseQES*EHm_NJ`Qo^VS!{??N>-RjR;(
zV(Ud@-)qz7WL$hQ{pu$YDyiq(JAO67E|I7od3Jz?x^l9t0dvx-_ag2T^VU==(wTQi
zXJ$z_%xi3No3`ZXaI>L~?}c`(pvfXewaS^k-}-W4;!|H<H2hp>ch9Ux$}Z@s1kQYw
zFIB%wiBz0S7ttXDw!Nt>W(+oRC6>_FlCda8y1j)u-Lr-TpV9ZE2&xn<#Okq+ip9T5
zmlIZ@$G(p~VoO@3@G)8K^xMpu(?=*VGk<-Cd5E4zug3hBdc^-1@w9X^B_Zq3)(je=
zd?s1D<9jN0``$Ole??Tdmxqih*A`86A2C0qtv37MY&{dq&K~=37pd$xxlY$tKYeZH
zmaLd~Nu2Ngj7$nDi(D6|yVosCy7u<09p5avISur@ueBTI@TLe2*zvNGPmEJlS8MA2
z)8E<HaFqm$9FyHsK5;U|k`QCSHMO|M_BrroU6gUxL?1|1M(tm(3p?&2c>N6a$#iv_
zIxRj`loxs~8R~Xji6MExmq_?;ueWZfGns0fk@xFOHj-hRK>qsN&M&W{rK{jK9{$WC
zjMCx{v!?tf;HlI%*e0%i`dL2we@qD*LcrxY+e>@xSHLTIXVOgmA^BDDKsdLMkdT(P
zHmUBy>|}9(ccI?n^ZL6xzZFDvb@hT28*`uEw|*@%Gfg8zs!FjxYvn6A_592+pBhVA
zlXOX~6A`f!D}o;T^xI1n=n}7v3QhDsp_~rVRPZ!3)-<yU`al0QQ+F4uedB$ouP&tb
z)_QMmTy5&`fJ1P|`Nole?aqPc)ZREIb`K@Ex}GWcIHg1*<E7I}&wkrH3zV4CCa0BV
z!p^yQKPF*6k3U`gyL6WmLDnw-<;87k-s^-=+7jYiVD>eqnz>ZP<N|PC+B%7SFVu3V
zk;5u<lkSO+66)`RxA@nX2Rf*F;k|W7AiiH>K`Cmmuiyc#FM|AA)~ca@5GQ!Y==fo!
zr>nE^zP|zkOFMA&X96ie8VlwvzOsR?be90|H)REMqx%ofEbo7G8Mr1OIPxd1oq#`U
zJ`;&~i{3$ln=8*G|9-ZsT*Azm&gdd*`#h2CemMn>k@|B&l!dmqJ{o+2N?eLXzgjX{
z5&X2YpBLme4Vy8WYibl}?Dz>+G7r=5d4r8|VHiLm`a+^-$_p!0bD6)!UyVoU>=2UJ
zb&pB6CLxXDwZHHJ@_Mvz`gaKLFGE;3xD~@|>V`i!p4uusq%+s5A1qp;3;=~BdL|z}
zbploa^Y2y;M$iF4XmDULmB%}CK=4y}fEi9=NqremBsSRF3^R-Y)huKpJ~w-MrG|nP
zPGVr=Bu_RPmM|X-nvDPmqhw%B2z^!*yw9$==P>Z`_)-RO&jK*&Up;BLz-F#{2`!|g
zQ6L|>yg3K52*Z9zO%erKk@vD-LeH<vbB>X62{!2cJ!#F~F($}%0${=cdm^MeY-sqN
z4AxkGU&V;I_(sISU_eHOR=P$XsgGoVBc9DeY6`aU@$qRH=J#=j4&Xo~KAF-HOT$33
zvXdq{U;R33U3Z`5A_OT)8!|t=JYFw5I(K{4&;FGTfoH2VH%ueTyI<EGz^A|IA^{;k
zNIdwIV?%*`0xQu6w}*vQB7lL`hZsQq+UYF5FpWTS(c5f2#2Yeg48i+I_iqjdtXxWb
z!oGn8OB7yi|6rH6JO=UfL7Yor!8`BEG?xZp=wolQzQ>2Nf1i5kBb$q$FQ+#IJd)5M
zj&KZOzpi02GB{5C=rY_#y&(<`3RPN6{CJL!j#t?U`Jl4j6L^Vz^Zh%f4ADmLSuLWD
zK$6+1UW<(qs_z#YFAz#;6~r?lE!Y#7ga_Y{FuJV(ARg!rv>%xzAI>Cv6mw34t5rI+
z?y^-g&8T;9Fs^qwZMy@BD>|KKLpHW9(Q7Hs2r;m-b@8?+eF7*K0HQb$JD3m`Jz(oG
zr?d=Vu>VKg&_r8KL87VoP9v9?*bVPO+Z~xe{tzA>9od1Fdf`ra$M#&+rHnxylcDOj
zC%>Ob_DV}eX6(SrFP|3FJ0*o@Bu1*PiL~n88!6Kg%ci#Hr}`V-(v|FJee=~Hp2@G}
z$&@7KB`<9Q)_-)yCtlNgl=wO2?D;d=bL4T(ufyusc~=rP?a0$#r%UZR`=G%c&C4M>
z0DzG2c@|)*Fhq2@&p}lJqw7w=HEu{9E-0@Xd6$vS`9$~X#NE^AoqV~@Zo}PQ4e?*I
zh4UD=#r8WC2=aaRoN1XuNqp5@?SX}Hj4cP}$n%F|jV3W7l}{9*)^peK1N$eXZr_a_
z_|l?&-_>qNNk1HGGH*rkTHjW2s({*~+-5X&t3^c$Q#bH*Zx`+w0)Lz%aQeSIQ}xt1
zb@8p^aSywZ_qdg_R54zTAWuiv>Pd%YpRfPxpXbAVlB!^Dc?$o%#kHt>S+>J3e)eOh
z6+&_2Nb^p<Z+2IG?uq|bm9gE2X7Rkc-?dy(EV@@nA<?`1Fk{X<4)s+O-hT<#Uy?y-
zgO)R@TOp|D*qfMJD%=|#t|MNaEzC>?17nhMw}HV1L<`B@lodwj(%n*N7E!j;#I0#w
zV;{h=@K|YI{VS84sJMy5v`4rI@tNEhw;A18>+H%KbXSmW=hkZ6NAOen4LIu;G)1R7
zsQg}-d_X?@nJK?Uq6HBF3}a+y_|{g{|7aL3t1A29nJ{MM=k$Ee#m1mKb7P6ja7M31
zZW{$6P2KZV#)*GZA~+~T6q*_ih{%y3y{&}kj&9ut8-1c`t@FIPuOg|EeIIx}A&)lZ
zEPS;xNEAD?pY8Q}i1AQd;XZvc8$@{)Z=!Txlcl&0l645YTk(GB8xj{GtNDt*Pygw<
z$?cP@ayEbO??-v4Y^VQ#sy(B$Cf<M3PDLA6hr}$)D?1O09~1(l))^fJjGP171dr|y
z>TSx9@|hlw=ezeR!<Wd=Rg9HrQb5)?t2SCimcjNy?;?B?&ncYu9aGk=?{F+!XS!@Y
zMjHK#i8W7(@Pe}y3=b62o#oNJuOP2b<AKMwB+U^fo{$V2x?6JmDO5C4%gu&0W8My+
zsp9=0H~MvVQVyOJ&t=>a`SI@O`p(8#wf1sx<FV9v+@5|}GIoohQU&gepZ}zq{pRDF
zTlTN<sK<8}9{4f9K8dK)6y1@t3Z??~sOnhV0nUu10m5MMErbKNZ`A`kcl8DZ*KStG
z`QpDRGW+HXK>mL{S1bQlm)_B=kl^`$7@;f_#R#;UA?8T!rKx@yv&CUiU-AQvjo%Kv
z>3AicO%vMEgRJjg_*kF;;0C4LIFA^TWTn?ObA1+gKB$+5uu(tn$f_kYMjXeoqywef
zBbWgfB}NQ43XDj!2CDli`d!UKuO36U{-HgJabQ4xDw(x>*S-sVuw>3dWAH>tnu^lv
zs{!NDa>WWT8R_&K;E_(U_Ffyt|AbAa-Ufcrly2bY9`w+|<}HG9kLM$M83}j<7A7pD
zd6m(nMxP!Ij|)>`^#&^6eveKdjb!QFKPL*7;dr{jg1wPU@$^0wGEUG*-TnK6#_fB8
z>y#x4p}yY7x#8_h`xO4c{Q=|W>4q{=Hcj{tIpri=tl~GaI*2n$N(N4+Xkw%VYAvk^
z_g?g}Y4`;&Jg&`Je+mcljbH%4#Q{%g=VeVtPy&B*^S(J$asfRe3ai(PRrQ>c@dBHv
z=VE<)-=w#ClQ1AMz4f<cFyU>~n~=gLjl~yThJ&LInmy^rsRg|KMxa9&(qfA@%fIt5
z^M&5E5;Wx=RPQXISUzp^0!bBvD1QaSVD$ym3}?L?&___O%W4=1FIw@nbSCy#n$(l`
ztN>$UG<jxgClVj1e^_-gRYV8}uLvvOJ`e)`{+xmtB!}PbPN`xKAu&$*Os=nUt-r$o
z%|n>nm-4W1+?nR*%U<6b%g3f>e<aR2dhD;>&;PW+q`j-FyB(zHT3cbLZ`LSC$SRMZ
zqnRBS!0zGgDI^G1qTiAw6*0qWV~3S3nvquUlGy47inv2($fCUN5a}#i5?wfupb!ir
zg5boSK3xz~|Jxdl6bS9j>H{Ws$9yQp7`2aLe0#uQY4~H58_tb*0Imrl{fu>SUN5c~
zhkg?ekjRnOg_=*r9e4kJ)jt#He`yxNAi2_8?DB-Q{y>jTA0iW)03W@AAYM^8etS$v
zR^r;gfZY;BVf~GSh<rDOV2v}RZJdTxSHFa<6!@qGp!9%Ya)ksvzCj+cre*m*Kl?q)
ztR)k<b0&I@gR7NgWzoVrZO+u0g;t_<-g-K^Q_o$sRD-19zo@kVaiPlD#10<7tlyvU
z!>GU+LLC#IFrRa!at-Du_Cn~ts5!(;R?W0(?JogY{ly${3;y@5^RlLuZ{;|;|GU~y
z-IZxR>~2*xi<x~_A@{Odgyd*n;gM#5RJAj$t!dd-yY}OrN!}BJ_^7WjoduDtkz`}x
zm0xGp=$TOS!eBck3OdmkEU8D@b-l<naHr2Ke53=ydu1uVksvUvBz^T}ez-6<;05!%
zN~~B_(NA-#IXi~x7-vz|nS({K+u;^FBz#*3@0C|~++)QWct2}wy-Z9TmJG2c5|YfQ
z-dR~6ysvQQzDv26dn^B&K%!vVFYV9DEN=sd;W`zEH0+vzr@IEJ(S@(uwr00P<eC&q
zytr4ri#bOG!b%rKK91PUU1P(vm!tN3sx^f8Os9$?{eq@yiV28gzr5)aj3HjIau|Y|
zqFbcOXx&O4*xcgoYInN1U<9v0rV=1DK$8aE!>6ubCD6?qgE=O}-lxyCQi44TgJOWE
z!+IXt+z5eQ?Ejvma1)K>I;Kji<@l+CNa!fCDa)>*A5pvZz|jd@@`K=uo>*J-&R(@)
z1)9MtxI|5sCY=j2L#~4YqatDoLgw~_*5Rl3-MhBt-&@JTC!5XAsF+$9dR^MH<8!6`
z(_bdqwcScDH93{0-3gc^lp~{~XmvW7yxgjd@2cT8%g5eK_xyzMG=jxQWs%(2m9gG%
zxSW1?Nyv<JPeD&9qp#_slz3M8Azon}%W#<A-r8Z5&(~ia^95+-(SH_4Rk-MyT>>m>
zqv-sNU7h}AhDT?Do8!f=k|`_kxaiGeALVrEUDa>Xo!I;f1ClNk2NXG!IkwvkRK810
zb#M7i*ELftl-+d;Nk2t*#j`fax4sW}if-=zaNZH3kbI~v4q^I&bX_>ZZGpvEKN@B@
zEm9{zDr8wHy!L^0<j-D5YF8X@tf3I8-8`G$6W__~_4X#hO(5)t)hGd2(DuHlCmrdr
zbauj!p~T-4Z<~xw#JK`wxG{{GDQf{e9=nL3(#NMyx3t*wn^b979ZEA^H=x~m>YVHz
z4)i1cxdiXx(5r7<YW~MAMz`E`8BcPs#xrU0yH~`H=-ujLk%6%oX1RLO3L7|Fp|K-i
zY{wq}pL77J&j2MZ#A>&hEH?KYM1nA1WTJ4FLXNAtIu^zCex`Rwf(UB1LoL~MVWpaj
z2RurY0GxQJ+)(|9LC%h(NnOm|3_lMNRJXhBG9U-aewF!sV3GXU$#<~y)x-*``k4mA
z(OE3Q3T6lfLAhZ&U&+8&z}Amd07+MfgfA%$xDgKnkE}9#@i06Qtw#ek*h1rIu`4l*
zUPCmd)m75J&5jDh;(P_shsuPS?FY<p*1|-~r`oGd{@pX+2vd;Sqo^xs3Ev1U)@{=H
z=!lO2&6}y038OJ<Cgae{d5SsnHuRf#^+)8&EJfnf@hE~pZtSBBZLz(9*(gmru!VxX
z>=B#Ha}FKSc*xN|%o`>V+WQZB2!lnOlduv9|LLK9fUb!j>4?!no8G!j{;}vk)DAk1
zG7N+oP-y;C2Vn=D76taX$(}*sy-2F$x<RrXCp@yjvP7dvFW`2t9H~dpeKLgeS?n#G
zK)Y&o-wH61Xntbh)djuI+wNsk@jDiMF@e8E08s$!0?l3N1JHhXW(SoARAb`V3t2F5
z0e-&U*g2Dd@Gtpea0ld}ZMgW3oR&kf&&hlg`yybXN*^yoAT%B?eLmkP6^-?(cB-WX
zU`<W=XNYR@qAnsIUextHT{Xx95iC*`R&h7cV{MlP^D!dr6U5}UWe-+LmMsbB)gChm
z>7<3$RulD1^d@{8fgCR?6QQ5{rG>2yKA|PPRq7`lW+mai96SZXKBX7}B@BXy7UFH2
z`KH>68caSBD)l}vViHR9>?{67GuNM{S@$!OIw}VLquexgkf%j)id1Qw%(FDak-lE9
z5_*`Nx=EuoUgaA2Xt!ZC^1lHkUYS`_Bop$?Ih@$1Fxa&gY}A&Uk=C~=if`Ge=3-7S
z5aZ?iplYPHQc4<X4kM=--adVoQ}IT7&gi&#gfR%s^ZVSjI_aN6_j!kUJu@Dm*Kz~p
z3&JU#MUB=6R=N)iBzf*v&=%gIXoMI3*~g{*R9259|38ITImMjKaXzgLrTWJ~198?C
zCUB;r_yW*ef?Y+img<u3fZsUdxo9J?_>}VWyy3)$M+e5l3zqU>GrHO-dvX3e{%J-+
zVx+*5)3>bD8LD%W%a_$mtjB7qr(o*L*N(P%`EaS<=p=G@6g0ynYP)o?%?^L4=%_G9
z3aU~YS!)xFHE*uSFDdkF`EezaB?%w&@7IA?%axO6V(f?f+XR=M#VNfkrBjfFeQiL@
zkJD@+l6gHFlL$E1317|A_8E|F8NcSRkZ696Zl<UDMC+F@DC}`75oPk4FaRrnzOApy
zkI5jO5gHb;q8(hxnALkXtLgzQe-Gmhy%iGwm0KLT@kX|nWoo0msWN1L?nykj9+>y{
zThHC%UkGvgDL-Mb&F-RHjSUD2DEGPx)@6DsxaVC}>%yF1PCSEH>al#^K!ei`Z2*o;
z`+;kEQrPS1q@hGG;{w}@*RaM{0UqVV_RO^wK7s~MQnd7jj1{a63Hpq8>Nk9Qs_n)^
zc)}DrLJ5J~ZJ@PAE+_T)_>GyEEvBT^l7ZfB<3-N*kXK{vKNyZ#NGdiSkeQwH?yp--
zo6>}LH9c?GRl7sauYy5f?;VrDziw2>X|Jr2CYB^whvY4t0mEVidiE$!*j1z*kwJ}f
zh|OFX5I>l=H&FZqEnrjRpAW%0x(qb@c0~Xt8DYdAL($=~<3AZx(}B-Oe4mdyE0+5I
fKTnPbe<D0Awe*!w!r4Yn%L7ytG~}yffua8g?Lqfd

literal 0
HcmV?d00001

diff --git a/apps/static/img/logo_white.png b/apps/static/img/logo_white.png
new file mode 100644
index 0000000000000000000000000000000000000000..e47e2fcc776467231f2510d4a95e9f6fa9cc26f9
GIT binary patch
literal 9950
zcmXw9byU-DxF1SLD<F+XGn&yYsURJKbcb}uC<*Cq7!C5HQ+hN=Bhn2@2?8qJ_vPMm
z|6rUm&e;2YpZdfTp{o2E7mFMV0)gPlzmZV~zY*Xk<q0}?t!zpPg+N|H<Ygo^y$}a}
z-kQ(P7w(OprZwkr$JmoADVl27k}st%ruR(`6!S??ELnf2$FetNIIDE_Uh5F^UPB;m
z{Dqi=n8Gr!Nh~ZmmV9@5LPuDxJDv>EwhiJ1F^B(lYU$eIm^g|XQI*o!9v?N}@*lsv
zDeUE$7!^GiS@V8}QxAdsK{6=AND2t1zM7D`R2lLR@R}Y}W{KHA5o~<TM-;x+9zP@b
z%F9**_Rl4BT3pcH>3ToL8ZL{>_4)C-Q`FbE8vB!pj*Rc#e0FSA;f{odN?lV&<ENw~
zSw?fR-?z4Pe8`*ND2hxy6i8lSJ+|*7Ej|~l${%;Rsx_EfbGC{Qh?w7P-jj&kcn#|o
z<f+Hz^TUtbV^RpyK~^*dIS2%4h%dP}a%;%DD6&)wKKTz*eP$Io_ZR}1`4aQ;SYvzX
zn*0UnGVM!A7=|<_lZ_H1Ap~N+NlfmPc$qx0Hf-I%dE$~t%$Sgv?bs#19fYhNTJ$w`
zdc<7v4c&-nc6mtvgo5u>=@s)lDoveJ<Ry%!dJtl4NR^WCR~m+OP<zfN&LxOJlW$D8
zm*wy%(3{!=Gn8)_+93I;#U>`{y7Mqcym>HWcIjHTvKs^aYm(rQFL7FC@nZ-Vxzf{&
zcz(I~Q5xt3P02So39V^l$DJeu!pv65^^6y*{``vsmmr0@T%q4b6K+2r<O>L-iYS@X
zIr4AAo)FZ{ycM5Q80xp2WPWFJ1gAlxCS4Xy#we@uTt;F*AWH1^>s!?Nb|c3>iKMrl
zr;(vR+*&dJXv?l7P5mZ@uccw2GjU^*hi<8e@8;9sqK3$wdrewrAy58dYR>Skw4*^F
zr%D3dA}@=USI>7pcFUVs6S)e)XzXzqpQUB;(G-5OdAqevBrV5S6k~vV=P=C5!Skt~
z(N+w)O~KvjonS3O=-;wt&D&;N_b)0M+}i#Ke%7^)s;Zoi8yP>S>`-s0``(_`nt#|-
znl1wy`rg~ep;LgW(Cp{aBt$;lU|y1`8w2xpRLBVe69NgIe6rU}#14XZ;D>+t5ANu+
zde<H59>WfSd|Q~o75`Ya_iKY$JbBVOmxWP{N03)^YP=)(?xUnJ-On&{qI$jPRTvtD
zwwi%0Uef6q3KgZZ6?e!`M-zHj(x}xhZ7duJ1U(o<lRJXWHMDTM0AVR`Sx}SZDcoks
zS9ST#zvNh?_T5`(NqjkHxx@aieGEw8FvTe&LhjjFN7M0NxRp~<`DA#vH7aDJM{VlG
zi3?}vI_<a`E4min=__W{vUyu9Bto!fNO5R*>L-!w?2B_x8h=L|W##-Wl8kTY4t)QW
zIzGw>imBJc1Bt}qIGtrFK)o>tZMHn2CzBfGBOp3PBVo)+|MoaCoGMvul%w=8pXkPr
zlv24cy!2MtNTO-2mYFhCV^D%Y<fzT)F@dS66#iawvRZ9<Qd)qM^Unre=xdk4<++FZ
zmT(V|P4%k%O#M^{ia?m3@9ozXI=hegCLjr9&vjc%5XwTK{8uX2Nn0doWX|NJA;U?L
z=f&M1rtm!B&z`0|?Ju{Ur;v-ukK7oe_ET#0)5k{dyR}F6kvC5*prxtm)Fb4^ecf_m
zz#n536tl3BWEnokM7fWJZ}?d`t)kFqf#d{%n_tHI_iDyH>Mlo4?>S9^LAJq4dvp&m
zbLoHl-j^6gXwS|=^A?yn6#2OXQT=JuJhyn;<f9d7+8uH5N=PT#3%-{&n;GjURu^wD
z9|gw$Tl{1h72TaWILZq1QvV^&_Rvf8eVeOl(aima*|`6)Z50Rz2ASi9el3o6fmd8K
zATSZ;cNPganK7+CmCGJkyw6CfD8fdd83nY&prJ(3nqoA=Qxo)zyP(@|^Z&7J6z~bU
z3bGU=xw<C5TLmSmu1EWrDMKX*=6Z@yap2Bxax{jC=y>%#V#=5(=`lxt{GVCU7Z~{g
zAxj)SNpbfxUJBR3s%MZ<6DlJjk12vUv2$$dS;b2Q5_X4`!;mONYh-$bnN;^@=M5xi
z8?LA_ePP4C`kMb6w9<vkpk6h7_D4-&ExBCpwG+@E9UXY~n9sNqcXD4isgWY0rQlKp
zguEb+A)kBHh!3W~wWIeI<<#)qx!3o;xDZOxp*`uGTf<6Xu-x2pP86ckTvZfq=pKSL
zEQ2zS)Jyn4p4qK_9>_H0o0ObkJM-jYVYe~YD|4wuL1kF($1ZrB#;9!7tcQNdW6-O_
zpgrbzwoa%q)5R$>Jmu2{-fLWm&e|XucHIaG#0L7qo>dahhc`=-g|4D}oB*BVf}DiW
zwsQ*eUtl~zeqGly+}J$QxZR=vl6W0mDp}Q0llyPG4je_tkZpXFNZd{a&=a5jQQRb2
zTrY`iEg|Ecv)=(}=ZtlUov_7)z9U;`f0wVeA}vi0fef;<asS}OsyzvMxO9I_nbyp-
zw4rlGZSj{C%bj+^B?$OZtf$Sw8$_-iK71L%9I|g!N5fJFot^|IT|%p!M$WRwIih;i
z>X*|wU9sO%esA$WHljSqMB*&(N!G`~K|XHPy|?>#^8==4-}@vphNT=Pu=R_Y6jgz2
zbzm;WR6Dp=etRDgWGe@8{h$o$M0=PYBQ5<~D~O~#bt-8ez142}n+7V&NiF647*O?}
z@K6?drSj(XX`npX;K}aP|EhnwMWnk$_+QzE>G+&2#jEX-QJvkR-=<EeLzJ2iS^L7D
zW`nt-Pktc#ty&$)Cq6nSFl;7@f4UJ6xsuBE;l;+rjzLuvtmPW=V&9UbsEs}ozZ#?8
zk-7Jj&VBS)lG|w1y<G`cS(!#V_m!4`O11Y)DQG-FmS!RP|Md$DNHkx}9w<X|pK~T_
zYG#F0&<ghZ_E+9Db|DW9^O83Xr1l-1BQJe@G;;F(jNI0TuGm>V#2*|LvaYwmyy}1l
zWiI^o;<VvaCm(kOSwhjq%Y5T0yNqs^`U8G1jF4pPnJm>j&8h_zZBP6Q)UvYAM@JP7
zPC4|)6Uh~#j{}AF`RRq#=opi<un2h7U2Ao0^8<{(nKGT~Cu>+2a;i5uDdE_E{I}1?
zNW({+bk%xQxA(3p`~Br9IboW;oz_L&UgNXM1y3`ZgeQ{RFTlw{f|Pn~HaXqmxObHD
z7nJN|mh;|;uw3?L#`Z<)BjfjOg${=%2SXaTZTCer0`mLCK*!2HlvC@c|4{M43Cuqe
zJ73E7+hFWV=3S-y7?4AeAOU`kDjlzX<0>-Wp=iHJZc*=u1S1*BR#~$r(pVkv)Hk73
zRuOj(CtHli1sivE+FO`03f>?k;`W0`x^cA?mrl3RJ*}C-J?7i2KgI<#H0a{0K!Mfq
zjp3iS(B37%lKL<4M*5645>G)Vc=v8@VKhKMYgrmr-|De#=Ib-w_pN526<yn43DV@?
z*&{`v8j0&zKaFe5Mf#Ff++B0HgB%Q7hXeI4ld&hLWoACbWlR7&1%ttrePgnOiaS=h
z4l=A>W@58K^!8i)V^Rbyy?Sy<eI-&_v)PjW3bpKm;9SfXRV@w29vhRtgA2Q|g~)ET
zzrAKZfAXkU@S%np9qyFpN|P>|htbN%`xke;v{+4LryTexoGldL7P}k#5((WNxoDuw
zLQBHTG~%&uqd*{}${()SdQVD985CHvYY5F0bxpp6@)YmVz^F5I7wL0n0;iaJh(jfl
z{NgGto!%C~<Q`itw%PAbC60GH8?>Qc|5=d`uiHs6awo*%m%+-|QGO9X$1S!)vf&IZ
z^g&8uC9HMx=<%C9ywAWWWVRe-8TW?fxCh!~X7PN613-j-S@uoEPlZ@tyx(b^{?NnT
z@5@RF5QPwRHlHzX<|r<NT`@N!4mFfWi|@NYT}Eu%xlb39suo?!IOJaWwoZ<=cXJ>9
ztX<t^bF_c8A_AZbj!V@<OFtJZ`#<<GhuewIDnlPoX(`jxQzBO#s;r8X@6NxsN=CO`
z9oi@;A;usu+`M)MYb0R>bu5zhnme@0+&QzWbhtQp&Jx7(lmk=lDxK=a>oCy}T1KIy
zxjS6S{&mP`mY&{LAc`WtYd$G{hrkCKb-RnoDu?|6!KjgPMZwUZqVE}W05(Jpm!ZBl
zc;}xmnMfVfOA5XZmCWsXYJMgFl~u11^fa&_Q}G553(`5`Z{)bv594vHvdL>dQCrip
zK@&d=)@(y!X#Y0O+rm9N;^;*PKJu~D@Y144MOl4|ENd29$~dJ3ef^XKZy7wlN)3(S
zIV0K7?*`2dX>!WI7NHo>QdvC$OfY{;xiA*_j14op(ZguQ$`1VtCs9pmhjgJ-1C*GN
zLgbXsB}A82h51C*UY;Pp0HJgym(`q^etR6^l?STlQLpJ$5jndI^ZX_`E0c0#L*wyy
zU#(6+<mDe)LS5=-xiIn<X)u;q?t?$*7{=r83xnwn=j(ncO1qZtni|C#(l5q7%xz`F
ztW=qIb9Eb$uwGPD&${3b`eUIv<m9_Iov;AzaM>%3!L>z;Kry7>Lp7vI8QD6ikx{+|
zIHGKc%9FuY@mRW?YD<^lje2W1_<xlKDhb+}ABd(j`gHY^(J>(D(WV~dV7luwG3dRD
z{9$(#xNfVD&u=TuQ@|J3n#>g;$wpGy?MzQ(Ck5J5R-^pbI4A!PBG*Y;F`K@{x@AY<
zsuUxEh|-$0#Hdve<G(txZ_Lx!%lDZWPnMk;y`y}bV7p@Oc6GC<$5fWV09sm@-_#(P
zzR$0$ZxZQpXbrGRqGxX^JhKlK*~aA5s{i$Ki$vdiBvD-4+5yQ>w(7<~z?&r#Kl(Q`
zw!W<!1@aEmbLQ`PQpW!Nk;hUB<P``uAwutd3pp^q7>_k9FHuYPU@q8pA1+c~igH+J
zmibYE<b*C<q9+ZZ`VK##>RE4&HgXt9CZcMvAX+Srl&7rSdL3F=SXz9bN0rs5Dwi*o
zpGNq)xqt}-T(HGy#4jIxhpkdRbE4C&l;>=GBbZgVt##_xdbl3pV(rejS91(@g4cL&
zC24Ps77VT2>$0Cj`R=Npgno?0P%%CIo0*C8kn}C`@%4DXZ$lQjRQ$2lR?+r?f4dux
zvjT1kV>IsZjC;6ncp^33mEWYAic|PE{KZKB`qwP$y!~IfnpC%3c!K*~@=|Hy_p%g{
zV5xn$&vmi7^JHF40|5tmDRWa{fRh+_pzSxoJca@G+MVE|YcPJCUM{8*2GZ>iF<ONM
z@0Y)@1o*{KNI&^mq4}6xyDBd=*^7|_-sVwKIC6^!(`$ZunN+^1f*I-UxHM}uzjk}3
z6`^hYRodwOC2>abBsaJ4)g~Igr<yFOAus$YgFOp5ku552wbGNwpiH{G*&v7$3ojo3
z6qd@?9ebDicm#fZHA7#1H_Y{U$$6mHUS{w;hwn|ADo(GIh5zt$uj6l_KclH*QqMhf
z(iH;%klW4DTapkz+IYb%m)aDx(&#g`$4cFCUV>{oTk+$V>D@JH{QNrcs-eA?xtPb|
z!Ac3M<23FFk=@0mhC=|cPvdcbh_h;yaZ_uRC(`5h*kfDm3LOs3Wa$k#1H#l)ZBp-z
z<R$LfIxqz5*Ou?I)<ln|8KIhlxbnEl0^Hr#X|-n8D%pk?3$90i2_oIEm3K0Zsqg!Z
z28ASqwr0ak()Vxws7=mEg!g~8IFH4#$?06*m}QVljg~XIIaw&VKmR@S6YtAGyk>@T
z_IQZNytHqer;7`$)AAbQ=FPiXiBH@shdhrQPrz|YxNt;dS?L^*e!DSB6ffR$%0wF&
z!%$KYDdmnITHMbNVH8lgRFW8vYIg&QfW5xjQ~YXuXi8+F<oD|7;_>mIO?#bAJduO5
zLk+m$rB=y&_4_!&ulyLV8E?cuJNl4&rv3xmdYdXw5$?LS&tV!f25|AkpKhe~{ng>K
zFkXI~B(G4t7Soph=E%<ZD3TD|tFx<rJ@d1+hA>_m;$T&Zw;!DzWaVBYkbbEM>drS|
zgFy@7iiLi^ZlFyb+;vaL{aS9BCVYL)3h})<4Su6#1@N+kJcR!4;@WSd6@K*yTsgx;
zzv*-oDj<0n7;tln+(BBO4NmFthf=TJQ-s-=!~><`KYQ!To1U+SMo|er3suECd{#2|
zl8!o&4r3n-jdHPjtYIdkT?X<Y5&b>+l^=#Qpo|!&k+EaLH_4Z?Rb9GI_;ANw9-Hx4
zO--olvQkeNbLsFkF#LKkzVQA^cC(+vfBPh^v*X^uSGO@XFa11ZSjh9=MfqgJFGo41
z;{BrOID7y-({ow=Ian%pPwgn@cu7aI1<B=F8L{*G|J%Ue6g&S-T&jr(8bT%gWKx)j
zO&k=u=+5`0LH;f(D;B<j)OR#cLz{S@@Qn)gDnr9O>qM^aqB|ggLxXu#4|>k*;YU~n
z8H#xCIi*Rct6^PVS^oRq7;)l3*&cAK5!>qaX-<ur3RR(8-;?f<XU?UaQ7R)j@#>ww
z{<F911{7d37;fa=vA%K0E|)6$vgl8o<6-s1h=^mQ-f4}Qzn?A|_Q8fr)gs5~qBXCi
z{)bdNrr=e*-8n&Ophi`%Ce)B9IIcl1N(&B$Y|fmyeNfV^(kymJmUy%Mba)>5Mn+T8
zij|gil<u9baNbHOWVo6P5itG!^AX8mu!3YUdUqQTV_D){UF<UMf6~ng!=m!Jc^xN9
z>E(B>F!#k4^;aR;q$!zqXlvtHZ2gYdvW=t^<A!YEO4YtTp>kVi+xYB8D_{~=VThVX
zSvhVTYz;l$8rEipYNb@zihX03iE6uUPMSAdYiwqq*8&wJFFKOC2WoTm42}_^xnkGG
zerWkb23#xFQG+6%6(Jj2zqg34Q}4q^oR!{TS{0(;h}L$nP?B3Fd@^9`5wRi5WU&h<
zsG$F9ubBFOIMkW$e1ay^t?st?cFTVT_i*?1sdYO>`!RdD6h-*)khhON!I8Jp(!H6a
zR$b!HGWCV2P-6y-4(9#$W(+uWJ?TWT_sI2X8kP%w)H6w3@U3;q4~@?q`8$UlFMcVn
zBx!3b`Y-}YYxtde7LRjDJvOt2m&h7T{TaO^EDVS+<a#kph**=caBr^gz=&WxwJEM7
zK*))olCPMRSEchfSKhQ@mOTAYST43pSXB1KV&~(pHz13`OLslr1pf?A8qL@(I&p?i
zyY0CVK8S1_g?%I^Z)Ahy>`ZKm4Y2gbCSyaH#5iTb_yyBF3J*@zCY{f7S~{z!jOqbq
zf^qQKN>w*GoEI-}@fM+g!CWE`)2QIg?jay36oa_rk9g3?zO2>W@>)Rxd%i0WDs$6Q
zixmUes7ZA=T*U7-n7?({k?vOEqwFMJ5RP!mx4ANDQhiIq1R6H}_aj!XvZAHhRAqh#
zeqp*BLl5re5+ZqltdGwz{q-=z58~JK|FgA2$&eZndH=ux%gRaxY~&iS(f=GcI6(rR
zC#UZudn_Zr!iA{-&50n>w!4o-am8<Z%UqEVmy=3RqV`5U^kjj@my1i#{IIcas$^Rp
zwl*3~z>XE1)gm#%$-(nai9PYMHbZ@4??=>f4*{KW;Zt!R4jF{0s97S9TjOsVQL3aB
z9*M2O@@TnhaMJbBh)`ekWXkXB5Qripp$yP-j<a#z0KQ_kaEa)hwq_uQUhE1b0W?ZW
z_<g`lI1Bggn)t(BmKT0<5>Rec^2!{lZeH1vBW4Owl$Dj|bMX$0_yu{{v_oX>-U`54
zZ==JO*7d)_DJ9N|NX8Bqn*UA~HQ^rwc>PjeLS;*3bMA?~Im9J_T<DqDYz^(7DtXE^
z6q<0PPu*u#`p>@3UoOJ9a2eav!tigoZTZUK)x1!wYbPTTDa-g7-x@tESHg2o=Bw0K
zLf$AtZ=0_X2AwyTQdf(ej532*0)(lf>Rr%J3Z15%hq6FE0dyoUuc#*(P@9KlJ2=SB
ztIyi$Q0IBZ1$m|5k@KP?y*hAWKS}E7zn|)Imla)%NtjMpYR5ya;o2WM&|(S*d8&3V
z$JPIw;d9uv4h7T=-^R}BHFb|jT(JD{T``g}iNVHwk`WPl)({&X7~zcKATD?^@WQIe
z%u!8pBMt6HH0(XnBXPMKoJOeOnscrpyFx`uNl?8@+rPU@Iv~@Br>{KjyY>4ub$i{n
zzc92B!}4Z_tG1=KiMv0wui1surcAwxvDgbrACf5dA6Bjrt0XtITwh5nS+obH&O9y<
zTiciJ2<cr#f%wP7SWv6VX%co}ozB)(LpmYWh6X=eV23Bx|2qK;_@3M7(NFWr4}i&Q
zRUch#<r?{#To>3MbYTcAIhg&;XqkKHaaEw-W}oX&XRfTbn|l9^Fbiu6KM;iwyQ$Wo
z&hE0)&O`j~m*x<jN6V6z<prIj6qAR-u6un5v>p=W7G#{s{51e*ws$r60!#e27hzH=
z`|+eNUUU~|z%V{tg`FX8=MM&?zK#$Lr~ASE{WdRi9iIC+Bw=#lbg?L1P?k+%elnR~
z<SVaDI=Z(pvzI<*&yXVXyPJ+^+7Y><4)8m&G9+4T@$YRtk+}8G-M>{ePfXCWZa18}
z$n}kMY_~o;nNktkaKD?zBq<%o2dJ{^swh!_3eU=kvhjA4%x*~~=Tbw{^h)RYV7xQ?
zeqPM0%8W@wsw!!6H_BeZ`ziqc&eEBmrNZ8N0QN5`O8g;o=Lg>2t7cnR9{Y7Etgz)(
z@BN6={aIaUsv#UNVamJi_S@~dEzhG<X218RBm-!fq&eqK_m6sOINNVhGOCd$QOGEZ
zfVm}!!2aT`lV}_p|2xdMLp8&@;n7>T;oZSR4t$p7O7XCt@7*&8OyVmArJ>>a4^KO4
z8hS!BZmcAM7{ad?D@_vAJY9iF7OMO>ZvQWRM!+KNqzM>dsC)qfanioU<VuXtem{&(
z(3+<>bJorhSQvk;9KyxmBp<4Lulht(hOOP)ewxLhBmJ!JSx892epv;l7*&U|_FI(h
z+<W{u$EMn^G;XSNH^{o5^Ng#g|GqzE89%))C-;@HC{>7XL|?z={NBr2%heVh(G)Nk
zlp>cjqnCgh!_jeZ(>PUq<Uh2nr8YIWG#4jJ|G9~Lz^zkwqA+%LL_+Y`6K-@{$#)e#
z8p`k%!NtVH^wsl5ITo)D`rW09{KB#T0@()K`pav+3}pcnn#l<A4*6Wbuv1fv%+my2
zK6rGP<ij3?g%|q(?MN&Uih&;Xl8fzgnj;*|b=cD@tMb#J#U?SSQ{>;x!mMa>4;J7Q
z*bDK&g@1gnV=||&ccl>noJSC7OtV!EOZd{||0mJw?OHn1GjCffx_lbfrR#T`=KF`Y
zfRa8nd7$MkL1wsVFt(+Nj<Fr)EeO;YJN=USQ)KY`G#k~LA`zs^DYAum>&;2y8D4Wp
zPv&Lg^IoWo^RLUs0p#K8P=WJE=F$A<I%B=FH|r;j(f%IwrL|FjBJ%*n)p4N%`2QyJ
zim`jA9bS!bqosCkZvG8Ve5Y4_K#Yake))w(FtCUUlD>Z>$s`mZ`8nmv_~}!n-Ghn+
zRJ5l~A2w1EJikWD^os4G`bkm*_LM>%75|&jP|nwSuulNq80gO5K-;2-VQf~Ld%{fX
z5tx_W>pM<Emyzw})R&!OxP(ia6C0F>1%zZiY6B}eFsz5G=h7P%)%N-8A2hR75f|%}
zZsRUhbNx6Eug#gEZp!wTh2QeOQm>I-&UPbNQ(JTxTwqKD->Y{ibQjz2j?K>Rx32|I
z``dTw>=t(7D)g>@o>tkWR{LLUgdwu2d*m9-KGVbud=ufCub#9nOcNH${yBBA7-lIT
z*upj@-f%v1pqJw-wTy=OYQIuMM_t*!H=z0cQYas``LV3b%<=I45}z7QGy*(<!=>Z8
z(`930{{wU9g{CjKW3QN#ZHVustc#dg%Ihv|J>1;vT$TkpgY2PD4Q3udla?%U`KzWf
zzNQ{uTp^-BYW26+0N|@J7F1zrhv-I0zaB&X)PLeE?P{h`@8;XfLkZ+tf1t=N6=uBE
zyQTt?sXeeH>tw8G`fP|2K*wonjUH{M4Ng~n{Qo+IZa7Ge6}Qe3C7jqoAiVebt>EI?
zbfsxE>H0`6&sB)QyjaWk6;a3J-k0%E{~-FAk(upSqiyM;2gmTjKs6#P5P2>2QN5)K
zg}w3s_??zxq644NzfJ;lwRb31zh>`J)zkiKsNRq=X8woEQm18%9AT097MZC0c5dpP
zD1~z*jYj=3?wJz?3Ixc;PoEO6uok8pNS$DCofB^maG&@fTf!(K8Yes|3~=xuTx6kV
zp)yR0d{`0TDpd7u)x7WX^vvR_7l3=jjCOdm$?K8|oo{|n!Qjn;g7if@ihn9wb7Nev
zT3DoLMOv6&%Q<uhiEaM21iBAa{_vhKA><Vhg9m}s#D;VN?#zRqsK@$<i(2?_HMpxL
zT^wQBkvZYaT9Uw{%xwikEBEEoMeHxzIgV@IEAOQcQj)-917_0X0@{PbFCJh8Wpj!8
zBlZ!0jKkBgrTuOq4Bx?Ur<ItMr97mZK`SS<nVt)$_X)XLo9CgRMI70Ga)r-q?T@<1
zb#+g(SHzI5n10m8q-=VvZntI>vl6YRrDGf_4p-cbrk60ia{kcO4u3XbzWpi(^WVih
zqGg9x!6aiH$D7+<Q<4lYxZL%Jt+ln!9Vfh-Nsce!OiZle<ZlD`9-J`wam3<iUiiEu
zP3|_RICA(GMt2#~Xt{6&MG7Y7ZRRI_e%}W#2?%usfZqjy$XaMIsw7?xs0+Od4Ygke
zwl#Xj!!E$LC^~EYFRhKwAP|SfmF*Qb3t^zglmNZ|%j;u{*HX^jDZ76mf}uAp9GEL&
ze(O;^4p=E$@jxtFjaPQ$%1%!x-_e^F$<CqwnXO^m79kKD1i;A#0hTTLvx&f$8Nr~H
zYEXLslTetuoL;c5+c_D~4bV<ex)8~`)Z{blz?XTuHTYO-?jU8@?5!e$Lu5DsB;7!J
zc`jfp#z$T*sK=B`Fcw53ar>QXctzRg7f;Z#%u8`N$qy{(esoN!9{EekIplXI7UVAg
ztZt=`!7>&;i;$#S#}FqWi2-62BS^vF!Hd%5=!e#sI~l?AOCA=&jxq9{0*Ky0p0C~r
zg<nbnO7u#{?Pxds@@u;3VYIho^yotKfB#!YPxT*}su*>ypPd={59`DEoKhdr>9V7O
zYK>IlhzGj!{)1UB<iIxjT7Vi@b13N&Q(GuB&-G(<WZf$<OVYiwevHX+64;;P$LuxE
zolxY5tBhoT1p%X%KVJNx|Cy7VQI5eC_WMy!0sN9N7;6hygR#J+i3WD(Vsfb|!RvPG
zhPfYED%@66U|Rj2S<c`bMS8zqtvs+QL`YS2RJ5jK5oc@bTlUFs+j7G$T_!0gUn8Xc
zD;q#a%r4BZGs~buNG0pjTH<5q^2^&W-dJ4N16MXMotimjK5|d@xH)K?Bb{xgVZpT(
z_@P~tqvsYgmCJwP+Y8j`)?C`iT=f0kyHli1nyT!c`aFqyOSY92D^Bttz&^_r-a^Ai
zB8pPf-Z*^<S6$Uc|N4w6gGV1(K4cyQO0J{jyT!KO8vqX<=89pdv^JJPv|x;8>YiAV
zxMZ1b)#q7C@A!cd#t`5NJ0}Ak@!$YK@@iY2x8DRsg$#B>Hyz&!DELh&#e;nW>`C{}
zt1Y1na)G7)I{0g0{oqwFu=MGBfwa{eL`F#yFVaup-K#edd~JpJc(~H9tli=OlL~LK
z1o|=}$Cfk+QA&8NkQ#Z8>~;o^YybbeBJb};&)wr3H~u!gVC?^m^(5+WtB$b<k~T&o
zOI!;$e>C<6FafikWNsP!v&IH)yTjt+(&o7pYzXARTif+VXUf3F{3S$ay2AWWYtS<r
z7*_W9AYWJ!Bjd@s)r(n6HTQP*3nWkTP*^>u;NBWdUHYbC_P0nE&~)T8T71S!`Y`}q
zP+%!jQujL9;=T3)N5@b5l=9$-%+lB?>0*_e-z;JahPHbi`EHDkh<FN~;^Ua?g-rAJ
z&R^8~MkZTH$<g6kk)++vUriHA_-zj<jmK5E_NTTq8>c4`T5^%rfW|tz=>Ju7>HA_n
z6&Y^J`o>+U&aDNO#a@<UyNB`ql!_@R31jZkg$GAujp<z#pNY-Dk)MSV<r@pH{aS%@
zi58Pv;fkUH@_#^bZe8E-m-|l?0Ci)Ro*V%b(NL3lb)1?de0Jv#jYa!izAu?K??zLV
zA|)v2_f2^-YQisw?B`YvwI}>;(iEVZdW3i>rVc6u^sY`mK5byvqSs3O3p?~-Tjt%$
zfR_C8WX<#oJX=>H-REZ=f;0%61eCx9PX_*j*HXyOWkrnTOI}*?LgZjqg)LcQa0ZwO
zS^J-o!DxJ{&P9s`(v#9h$Yw7JSO@lsyBM)_f55hnv}^b%qQi`f{3B-PGAF<L5`m$)
z)PBo&9>epQ#AcP>V_>f)7$#xCNMe#+ZuKeogg(QunWYr?Uk@M{z7~vuZe?2tU<^wB
z<chxSr=n4PF)&Mt#a};&D4wwoT0!ZAi6dC#!H&=v)z<g91|Az?l|zz(6Y!^DbGUBv
zf(OMDG+SqCWPcY}oQVg`4dxJ_rKN%2+?84+*pJu(cVj$x3KR-<`jii~;MfrlD@R(~
z5gLyPevGbs^R}=Ugf?)iQt@ap@CnuQnMkXv|9x1i@!~ZdDf{rbZ1BO5Io3+p;Ei0@
zeZSng(qirR0Uu|4{6yA7;Q9*8XCPdE=dE{#0^z?MVH#_huE?kgP}kwkTnQ1nr_q3V
zaY(dWSnlG@&q2CQcrRKn7aJSDJpA0@yk(13`(`4d318yN-bRX!i46l$s@5|S(dGM*
z)vHBveACi*w7{utW`R|8yI5%pT+q5lA>Hel*!zQ@k3YKjR<S?)rJNkU{p?>MgBD+_
qUXw^{_PJABQ<LFYNHOd3JqDwH;a7fx5o)k31(BCkmZ_354*DMkye!cG

literal 0
HcmV?d00001

diff --git a/apps/templates/_base_double_screen.html b/apps/templates/_base_double_screen.html
index 4f357f89c..d0281fc84 100644
--- a/apps/templates/_base_double_screen.html
+++ b/apps/templates/_base_double_screen.html
@@ -6,7 +6,7 @@
 <head>
     <meta charset="utf-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
-    <link rel="shortcut icon" href="{{ FAVICON_URL }}" type="image/x-icon">
+    <link rel="shortcut icon" href="{{ INTERFACE.favicon }}" type="image/x-icon">
     <title>{% block html_title %}{% endblock %}</title>
 
     {% include '_head_css_js.html' %}
diff --git a/apps/templates/_base_only_content.html b/apps/templates/_base_only_content.html
index 775c1b48b..f495a3b1e 100644
--- a/apps/templates/_base_only_content.html
+++ b/apps/templates/_base_only_content.html
@@ -6,7 +6,7 @@
 <head>
     <meta charset="utf-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
-    <link rel="shortcut icon" href="{{ FAVICON_URL }}" type="image/x-icon">
+    <link rel="shortcut icon" href="{{ INTERFACE.favicon }}" type="image/x-icon">
     <title>{% block html_title %}{% endblock %}</title>
 
     {% include '_head_css_js.html' %}
@@ -27,7 +27,7 @@
         <div class="row">
             <div class="col-md-12">
                 <div class="ibox-content">
-                    <img src="{{ LOGO_URL }}" style="margin: auto" width="50" height="50">
+                    <img src="{{ INTERFACE.logo_logout }}" style="margin: auto" width="50" height="50">
                     <h2 class="font-bold" style="display: inline">{% block title %}{% endblock %}</h2>
                     <h1></h1>
                     {% block content %} {% endblock %}
diff --git a/apps/templates/_head_css_js.html b/apps/templates/_head_css_js.html
index 9bd58f864..36766bd5c 100644
--- a/apps/templates/_head_css_js.html
+++ b/apps/templates/_head_css_js.html
@@ -15,5 +15,12 @@
 <script src="{% static 'js/plugins/datatables/datatables.min.js' %}"></script>
 <script src="{% url 'javascript-catalog' %}"></script>
 <link href="{% static 'css/plugins/select2/select2.min.css' %}" rel="stylesheet">
+<style>
+    :root {
+        --primary-color: #1ab394;
+    }
+</style>
 
-
+<script>
+  document.documentElement.style.setProperty('--primary-color', "{{ PRIMARY_COLOR }}");
+</script>
diff --git a/apps/templates/_without_nav_base.html b/apps/templates/_without_nav_base.html
index f0e99902a..6e1c34484 100644
--- a/apps/templates/_without_nav_base.html
+++ b/apps/templates/_without_nav_base.html
@@ -5,8 +5,8 @@
 <html>
 	<head>
 		<meta charset="UTF-8">
-		<title> {{ JMS_TITLE }} </title>
-        <link rel="shortcut icon" href="{{ FAVICON_URL }}" type="image/x-icon">
+		<title> {{ INTERFACE.login_title }} </title>
+        <link rel="shortcut icon" href="{{ INTERFACE.favicon }}" type="image/x-icon">
         {% include '_head_css_js.html' %}
         <link href="{% static 'css/jumpserver.css' %}" rel="stylesheet">
         <link href="{% static 'css/style.css' %}" rel="stylesheet">
@@ -18,9 +18,9 @@
 		 <header>
 		 	<div class="logo">
 		 		<a href="{% url 'index' %}">
-                    <img src="{{ LOGO_URL }}" alt="" width="50px" height="50px"/>
+                    <img src="{{ INTERFACE.logo_logout }}" alt="" width="50px" height="50px"/>
                 </a>
-		 		<span style="font-size: 18px; line-height: 50px">{{ JMS_TITLE }}</span>
+		 		<span style="font-size: 18px; line-height: 50px">{{ INTERFACE.login_title }}</span>
 		 	</div>
 		 	<div>
                 <a href="{% url 'index' %}">{% trans 'Home page' %}</a>
diff --git a/apps/templates/base.html b/apps/templates/base.html
index ce3e453b1..fb15cc79b 100644
--- a/apps/templates/base.html
+++ b/apps/templates/base.html
@@ -5,11 +5,16 @@
     <meta charset="utf-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0">
     <meta name="renderer" content="webkit">
-    <title>{{ JMS_TITLE }}</title>
-    <link rel="shortcut icon" href="{{ FAVICON_URL }}" type="image/x-icon">
+    <title>{{ INTERFACE.login_title }}</title>
+    <link rel="shortcut icon" href="{{ INTERFACE.favicon }}" type="image/x-icon">
     {% include '_head_css_js.html' %}
     <link href="{% static 'css/jumpserver.css' %}" rel="stylesheet">
     {% block custom_head_css_js %} {% endblock %}
+    <style>
+        :root {
+            --primary-color: var(--primary-color);
+        }
+    </style>
 </head>
 <body>
 <div id="wrapper">
@@ -47,5 +52,6 @@ $(document).ready(function () {
     var pathKey = getMessagePathKey();
     window.localStorage.setItem(pathKey, '1')
 })
+
 </script>
 </html>
diff --git a/apps/templates/flash_message_standalone.html b/apps/templates/flash_message_standalone.html
index c038beb41..3b1196db1 100644
--- a/apps/templates/flash_message_standalone.html
+++ b/apps/templates/flash_message_standalone.html
@@ -5,17 +5,20 @@
 {% block title %} {{ title }}{% endblock %}
 
 {% block content %}
+    <style>
+        .alert.alert-msg {
+            background: #F5F5F7;
+        }
+    </style>
     <div>
         <p>
+            <div class="alert alert-msg" id="messages">
             {% if error %}
-            <div class="alert alert-danger" id="messages">
                 {{ error }}
-            </div>
             {% else %}
-            <div class="alert alert-success" id="messages">
                 {{ message|safe }}
-            </div>
             {% endif %}
+            </div>
         </p>
 
         <div class="row">
diff --git a/apps/templates/rest_framework/base.html b/apps/templates/rest_framework/base.html
deleted file mode 100644
index 7f5170a62..000000000
--- a/apps/templates/rest_framework/base.html
+++ /dev/null
@@ -1,285 +0,0 @@
-{% load staticfiles %}
-{% load i18n %}
-{% load rest_framework %}
-
-<!DOCTYPE html>
-<html>
-  <head>
-    {% block head %}
-
-      {% block meta %}
-        <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
-        <meta name="robots" content="NONE,NOARCHIVE" />
-      {% endblock %}
-
-      <title>{% block title %}{% if name %}{{ name }} – {% endif %}Django REST framework{% endblock %}</title>
-
-      {% block style %}
-        {% block bootstrap_theme %}
-          <link rel="stylesheet" type="text/css" href="{% static "rest_framework/css/bootstrap.min.css" %}"/>
-          <link rel="stylesheet" type="text/css" href="{% static "rest_framework/css/bootstrap-tweaks.css" %}"/>
-        {% endblock %}
-
-        <link rel="stylesheet" type="text/css" href="{% static "rest_framework/css/prettify.css" %}"/>
-        <link rel="stylesheet" type="text/css" href="{% static "rest_framework/css/default.css" %}"/>
-      {% endblock %}
-
-    {% endblock %}
-  </head>
-
-  {% block body %}
-  <body class="{% block bodyclass %}{% endblock %}">
-
-    <div class="wrapper">
-      {% block navbar %}
-        <div class="navbar navbar-static-top {% block bootstrap_navbar_variant %}navbar-inverse{% endblock %}">
-          <div class="container">
-            <span>
-              {% block branding %}
-                <a class='navbar-brand' rel="nofollow" href='http://www.django-rest-framework.org'>
-                    Django REST framework
-                </a>
-              {% endblock %}
-            </span>
-            <ul class="nav navbar-nav pull-right">
-              {% block userlinks %}
-                {% if user.is_authenticated %}
-                  {% optional_logout request user %}
-                {% else %}
-                  {% optional_login request %}
-                {% endif %}
-              {% endblock %}
-            </ul>
-          </div>
-        </div>
-      {% endblock %}
-
-      <div class="container">
-        {% block breadcrumbs %}
-          <ul class="breadcrumb">
-            {% for breadcrumb_name, breadcrumb_url in breadcrumblist %}
-              {% if forloop.last %}
-                <li class="active"><a href="{{ breadcrumb_url }}">{{ breadcrumb_name }}</a></li>
-              {% else %}
-                <li><a href="{{ breadcrumb_url }}">{{ breadcrumb_name }}</a></li>
-              {% endif %}
-            {% endfor %}
-          </ul>
-        {% endblock %}
-
-        <!-- Content -->
-        <div id="content">
-
-          {% if 'GET' in allowed_methods %}
-            <form id="get-form" class="pull-right">
-              <fieldset>
-                {% if api_settings.URL_FORMAT_OVERRIDE %}
-                  <div class="btn-group format-selection">
-                    <a class="btn btn-primary js-tooltip" href="{{ request.get_full_path }}" rel="nofollow" title="Make a GET request on the {{ name }} resource">GET</a>
-
-                    <button class="btn btn-primary dropdown-toggle js-tooltip" data-toggle="dropdown" title="Specify a format for the GET request">
-                      <span class="caret"></span>
-                    </button>
-                    <ul class="dropdown-menu">
-                      {% for format in available_formats %}
-                        <li>
-                          <a class="js-tooltip format-option" href="{% add_query_param request api_settings.URL_FORMAT_OVERRIDE format %}" rel="nofollow" title="Make a GET request on the {{ name }} resource with the format set to `{{ format }}`">{{ format }}</a>
-                        </li>
-                      {% endfor %}
-                    </ul>
-                  </div>
-                {% else %}
-                  <a class="btn btn-primary js-tooltip" href="{{ request.get_full_path }}" rel="nofollow" title="Make a GET request on the {{ name }} resource">GET</a>
-                {% endif %}
-              </fieldset>
-            </form>
-          {% endif %}
-
-          {% if options_form %}
-            <form class="button-form" action="{{ request.get_full_path }}" data-method="OPTIONS">
-              <button class="btn btn-primary js-tooltip" title="Make an OPTIONS request on the {{ name }} resource">OPTIONS</button>
-            </form>
-          {% endif %}
-
-          {% if delete_form %}
-            <button class="btn btn-danger button-form js-tooltip" title="Make a DELETE request on the {{ name }} resource" data-toggle="modal" data-target="#deleteModal">DELETE</button>
-
-            <!-- Delete Modal -->
-            <div class="modal fade" id="deleteModal" tabindex="-1" role="dialog" aria-labelledby="myModalLabel" aria-hidden="true">
-              <div class="modal-dialog">
-                <div class="modal-content">
-                  <div class="modal-body">
-                    <h4 class="text-center">Are you sure you want to delete this {{ name }}?</h4>
-                  </div>
-                  <div class="modal-footer">
-                    <button type="button" class="btn btn-default" data-dismiss="modal">Cancel</button>
-                    <form class="button-form" action="{{ request.get_full_path }}" data-method="DELETE">
-                      <button class="btn btn-danger">Delete</button>
-                    </form>
-                  </div>
-                </div>
-              </div>
-            </div>
-          {% endif %}
-
-          {% if filter_form %}
-            <button style="float: right; margin-right: 10px" data-toggle="modal" data-target="#filtersModal" class="btn btn-default">
-              <span class="glyphicon glyphicon-wrench" aria-hidden="true"></span>
-              {% trans "Filters" %}
-            </button>
-          {% endif %}
-
-            <div class="content-main">
-              <div class="page-header">
-                <h1>{{ name }}</h1>
-              </div>
-              <div style="float:left">
-                {% block description %}
-                  {{ description }}
-                {% endblock %}
-              </div>
-
-              {% if paginator %}
-                <nav style="float: right">
-                  {% get_pagination_html paginator %}
-                </nav>
-              {% endif %}
-
-              <div class="request-info" style="clear: both" >
-                <pre class="prettyprint"><b>{{ request.method }}</b> {{ request.get_full_path }}</pre>
-              </div>
-
-              <div class="response-info">
-                <pre class="prettyprint"><span class="meta nocode"><b>HTTP {{ response.status_code }} {{ response.status_text }}</b>{% autoescape off %}
-  {% for key, val in response_headers.items %}<b>{{ key }}:</b> <span class="lit">{{ val|break_long_headers|urlize_quoted_links }}</span>
-  {% endfor %}
-  </span>{{ content|urlize_quoted_links }}</pre>{% endautoescape %}
-              </div>
-            </div>
-
-            {% if display_edit_forms %}
-              {% if post_form or raw_data_post_form %}
-                <div {% if post_form %}class="tabbable"{% endif %}>
-                  {% if post_form %}
-                    <ul class="nav nav-tabs form-switcher">
-                      <li>
-                        <a name='html-tab' href="#post-object-form" data-toggle="tab">HTML form</a>
-                      </li>
-                      <li>
-                        <a name='raw-tab' href="#post-generic-content-form" data-toggle="tab">Raw data</a>
-                      </li>
-                    </ul>
-                  {% endif %}
-
-                  <div class="well tab-content">
-                    {% if post_form %}
-                      <div class="tab-pane" id="post-object-form">
-                        {% with form=post_form %}
-                          <form action="{{ request.get_full_path }}" method="POST" enctype="multipart/form-data" class="form-horizontal" novalidate>
-                            <fieldset>
-                              {% csrf_token %}
-                              {{ post_form }}
-                              <div class="form-actions">
-                                <button class="btn btn-primary" title="Make a POST request on the {{ name }} resource">POST</button>
-                              </div>
-                            </fieldset>
-                          </form>
-                        {% endwith %}
-                      </div>
-                    {% endif %}
-
-                    <div {% if post_form %}class="tab-pane"{% endif %} id="post-generic-content-form">
-                      {% with form=raw_data_post_form %}
-                        <form action="{{ request.get_full_path }}" method="POST" class="form-horizontal">
-                          <fieldset>
-                            {% include "rest_framework/raw_data_form.html" %}
-                            <div class="form-actions">
-                              <button class="btn btn-primary" title="Make a POST request on the {{ name }} resource">POST</button>
-                            </div>
-                          </fieldset>
-                        </form>
-                      {% endwith %}
-                    </div>
-                  </div>
-                </div>
-              {% endif %}
-
-              {% if put_form or raw_data_put_form or raw_data_patch_form %}
-                <div {% if put_form %}class="tabbable"{% endif %}>
-                  {% if put_form %}
-                    <ul class="nav nav-tabs form-switcher">
-                      <li>
-                        <a name='html-tab' href="#put-object-form" data-toggle="tab">HTML form</a>
-                      </li>
-                      <li>
-                        <a  name='raw-tab' href="#put-generic-content-form" data-toggle="tab">Raw data</a>
-                      </li>
-                    </ul>
-                  {% endif %}
-
-                  <div class="well tab-content">
-                    {% if put_form %}
-                      <div class="tab-pane" id="put-object-form">
-                        <form action="{{ request.get_full_path }}" data-method="PUT" enctype="multipart/form-data" class="form-horizontal" novalidate>
-                          <fieldset>
-                            {{ put_form }}
-                            <div class="form-actions">
-                              <button class="btn btn-primary js-tooltip" title="Make a PUT request on the {{ name }} resource">PUT</button>
-                            </div>
-                          </fieldset>
-                        </form>
-                      </div>
-                    {% endif %}
-
-                    <div {% if put_form %}class="tab-pane"{% endif %} id="put-generic-content-form">
-                      {% with form=raw_data_put_or_patch_form %}
-                        <form action="{{ request.get_full_path }}" data-method="PUT" class="form-horizontal">
-                          <fieldset>
-                            {% include "rest_framework/raw_data_form.html" %}
-                            <div class="form-actions">
-                              {% if raw_data_put_form %}
-                                <button class="btn btn-primary js-tooltip" title="Make a PUT request on the {{ name }} resource">PUT</button>
-                              {% endif %}
-                              {% if raw_data_patch_form %}
-                              <button data-method="PATCH" class="btn btn-primary js-tooltip" title="Make a PATCH request on the {{ name }} resource">PATCH</button>
-                                {% endif %}
-                            </div>
-                          </fieldset>
-                        </form>
-                      {% endwith %}
-                    </div>
-                  </div>
-                </div>
-              {% endif %}
-            {% endif %}
-        </div><!-- /.content -->
-      </div><!-- /.container -->
-    </div><!-- ./wrapper -->
-
-    {% if filter_form %}
-      {{ filter_form }}
-    {% endif %}
-
-    {% block script %}
-      <script>
-        window.drf = {
-          csrfHeaderName: "{{ csrf_header_name|default:'X-CSRFToken' }}",
-          csrfCookieName: "{{ csrf_cookie_name|default:'csrftoken' }}"
-        };
-      </script>
-      <script src="{% static "rest_framework/js/jquery-1.12.4.min.js" %}"></script>
-      <script src="{% static "rest_framework/js/ajax-form.js" %}"></script>
-      <script src="{% static "rest_framework/js/csrf.js" %}"></script>
-      <script src="{% static "rest_framework/js/bootstrap.min.js" %}"></script>
-      <script src="{% static "rest_framework/js/prettify-min.js" %}"></script>
-      <script src="{% static "rest_framework/js/default.js" %}"></script>
-      <script>
-        $(document).ready(function() {
-          $('form').ajaxForm();
-        });
-      </script>
-    {% endblock %}
-
-  </body>
-  {% endblock %}
-</html>
diff --git a/apps/tickets/templates/tickets/approve_check_password.html b/apps/tickets/templates/tickets/approve_check_password.html
index 78eadbf6f..9fd7e0862 100644
--- a/apps/tickets/templates/tickets/approve_check_password.html
+++ b/apps/tickets/templates/tickets/approve_check_password.html
@@ -25,7 +25,7 @@
     </div>
     <div class="col-lg-6">
         <div class="ibox-content">
-            <img src="{{ LOGO_URL }}" style="margin: auto" width="50" height="50">
+            <img src="{{ INTERFACE.logo_logout }}" style="margin: auto" width="50" height="50">
             <h2 class="font-bold" style="display: inline">{% trans 'Ticket approval' %}</h2>
             <h1></h1>
             <div class="ibox-content">
diff --git a/apps/users/templates/users/user_otp_enable_bind.html b/apps/users/templates/users/user_otp_enable_bind.html
index 11e4e01b9..665e31569 100644
--- a/apps/users/templates/users/user_otp_enable_bind.html
+++ b/apps/users/templates/users/user_otp_enable_bind.html
@@ -30,8 +30,8 @@
 
 
     <script>
-        $('.change-color li:eq(1) i').css('color', '#1ab394');
-        $('.change-color li:eq(2) i').css('color', '#1ab394');
+        $('.change-color li:eq(1) i').css('color', '{{ INTERFACE.primary_color }}');
+        $('.change-color li:eq(2) i').css('color', '{{ INTERFACE.primary_color }}');
 
         function submitForm() {
             $('#bind-form').submit()
diff --git a/apps/users/templates/users/user_otp_enable_install_app.html b/apps/users/templates/users/user_otp_enable_install_app.html
index f39ed8922..972c47c0f 100644
--- a/apps/users/templates/users/user_otp_enable_install_app.html
+++ b/apps/users/templates/users/user_otp_enable_install_app.html
@@ -30,7 +30,7 @@
 
     <script>
         $(function(){
-            $('.change-color li:eq(1) i').css('color', '#1ab394')
+            $('.change-color li:eq(1) i').css('color', '{{ INTERFACE.primary_color }}')
         })
     </script>
 

From 98644eeb6156bd6dd9e8849430f88d9168e4725c Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Tue, 5 Jul 2022 19:52:00 +0800
Subject: [PATCH 231/258] =?UTF-8?q?perf:=20=E4=BF=AE=E6=94=B9=20logo?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/jumpserver/urls.py             |   3 ++-
 apps/static/img/logo_text.png       | Bin 5368 -> 8724 bytes
 apps/static/img/logo_text_white.png | Bin 12116 -> 8320 bytes
 3 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/apps/jumpserver/urls.py b/apps/jumpserver/urls.py
index 6c4f55949..707209f7a 100644
--- a/apps/jumpserver/urls.py
+++ b/apps/jumpserver/urls.py
@@ -1,5 +1,6 @@
 # ~*~ coding: utf-8 ~*~
 from __future__ import unicode_literals
+import os
 
 from django.urls import path, include, re_path
 from django.conf import settings
@@ -79,7 +80,7 @@ urlpatterns += [
     re_path('api/redoc/?', views.get_swagger_view().with_ui('redoc', cache_timeout=1), name='redoc'),
 ]
 
-if settings.DEBUG_DEV:
+if os.environ.get('DEBUG_TOOLBAR', False):
     urlpatterns += [
         path('__debug__/', include('debug_toolbar.urls')),
     ]
diff --git a/apps/static/img/logo_text.png b/apps/static/img/logo_text.png
index 1fca6d1890c83a399e35d3e35ea2b47930e3c7d0..72ead969d0427b111643235231ee9ee24c2095ee 100644
GIT binary patch
literal 8724
zcmbuFg;SL6`}S{ALRuDSPyuO>W(h$lDd~m<qy?lKmXeZ^kXAxEmhSGB?(XicclVk3
zzW=~)W@l$-wyt}w^FGhxI6ha%X9X!7EHW$r0B~faKPm$Nk`es%7YuaxbA!F$7y!@!
zG9SfMT~iKHJ#-_kp1KW~T>>k#1*1MVNDE|1_o(Iye6^l2|N8y1)0>D(VDMc|$Wco8
zSKM}&1jA(dwiLpR7s{$bv`iLs%7Ql!C$;Pg3wk+shfOM%-Xc`Ot4$(PTetHXR}W2#
zzpn^rF#P@xkH)jvv#nu+zCfb#F}?WCZaMGa#S`|Y_yd=wSP6Vov2h?@4}Xh<Brzg#
z@j=DWxz0g!FFPmFY{|viW^}prC)I<WPO{El)jcElGAse~3AfVDt;oQJo9^8jhR)6l
zg$AySCnnpc5fV{~z0EH+Zk64SMJr=QuYUcCjbqApkVh56XHT{q3C7FHz8<Xm_EivI
zIhb{+lQO<D-Zi!n9kSpQaUaglx}T?SjY#E-aJtmYz6vBjEbN>qxMagrKp}LdnVV6x
zy7vd}f=0Nby$-XJg6b^JQpqq?lFDaw%Zd!ErJY52ZL0A(WK6^w-HAHZGTNpNdZZ6X
zr^gMSu7uG&|L)ur5E(HHDF~j`R@cgp;t4O2+UhLrr-@9;;G>?DjnvZUr{aU{Ec$9&
z6ijhS*mp;4?a$Cbd}@(qB<nh?LOv{C3@u0RSc$tLJGnQ0mMM2?j1UwQy!wauOF==R
zjue^JYaaifwz}?YyH-ap)7=}g3RO#m9y`VvNiuRWwi6R~InDOEwm{B@!cq?u5gq%E
zzoJxvHm!_S;oF<bs;Y%=w!Ssv<>q<RmpeaDRX$f&vf@x?{V9T+$W_Er@YMdGbMw?{
z(sW6V@91d$Yf{=en96%?bXn_UWNZM3Sn-$R5udy{g&6)v>x@r+uG(_zr{OLom)NjM
z(Wdz^+pm-;?M4%8D|~D?X`YAM)qG`KVDopjQ89D3jH!*F++-ep&~H&t+3{|m;!>q0
zVRcXD)5re0i}DI@BE%k&7NMSGuh(#%5h_Ml=`0C_vlG0&^v<6uta;6aw@^Q$vlmB7
z1{$>6sdfEXu;q7)mC3LhRNE0HtYu-drd{!5oL#RNJUR6W!_PIu{7ta&QI0#>ZxPs^
zKZWDL!`U9JeEpp3<LNhGTRp1Wa^gv@!RHPa_xf*(`8mN0bo{1EKXn3c)YB<F*dBAk
z``HESdEpnzLnDj7CBh8D5Gi%pNGs&7&ciKEW^g&hQWI^WIovJ`#4IH`ulyGu&l?g3
zzPeS&W$V0TK55@F2z?mUHas=Ah<uC@)Z`7Fn$m_>w_`{aO`6B%=k5IDUm~7U`7-mL
zhOZtK7vx}qw9ZEV0=F$(Z#yJQnAKK|r&fC?suvw@%Fa}$$RSof_jgn%^rwkDh<k+4
z&rg#@JRPz7m!ms&6O7OaOvi6Cf{o=<LQUdg_OAra1CXFi02wj|3Iw-B^2Wz%Ba#@J
z2k>f)CBZ9UMU}84W$;4GZe?$&;_BLWcvD+hJwJik#qqMxL1}5*h`>-79ktr4eRH&F
zPGfOoyn%CK#<+7_K|kFynkZ%L81YRbyFS4zDyS#vS`%;_lQt#3O@aoH01?3c=f`6n
zWC+He7cD9qinvfmzydgA@)0e5q$A>qBk|*JuIX`v*G?HFX`b+gB<;7PoT?!KMB#cL
zak(bss~5zz5BKofMi*?gmFO;N=TeD3la_MZj&cVMQC#(m=6!&#|HjBL9!9C((?HXJ
zuazll1kf=^J%b;_FCnb|g11`cc4V({m?yj+r`gWpxP{0=-O?yKVRye&oW<nky=ADu
zzeN9ZvQC=h#GJ>?O)lBD_I_a=lg4$9!W`jSI3ad#f~}}i0Tz_yymkS3Kxk~m^CN5L
zvBL1B&ZSw_<@{;<(lul%4SSFAM;fx++=2(Q8|3^Ux$!J4jBGl&u{Bv235c-OWRSPm
zdK}C2^V}=PJ97EyWQgK#gdKQ7)Xi5Ia~)Cr&erv!-&xP6f|s{9Y(T+9%q}`_J!=?i
z(5E?$`<u^fWt03~l8Cv<;&J}2;gV_5)iZ8eqMQD>u-`V)0#`HOL5fSeBMqsy04ho@
zGp7w76kD)?E!_Yapg{en+kN)<oJOPDfv_@a3T7eJbw*&IF>O?&5S;qbaks@sN!zlc
zadLE&o^xP<?_=K(nTP0v)pba4oIQ_Lv#Ir^Od|GaSeV=|-Qcw1Jo(uYtz@tC1<$4x
zY?Hm~?p=Q2>2R6X-WS{G?+x<K7m!j$$L2q>wzYJ(-P#|PBV!*1T5v}9`@=hQK9(U+
z6P-GfzSP88FABcD15KRlx^h>EItxP@&N7OdxYk){R)^vqap%<El)zW_mOHztZM#>_
z<#$xU2L^sL!J4meT<m<+XAv-LB?~^!iO9-4Tf6R>h>XvNx*g5&dhRK63Xu*(l^FgR
zWy%s3T3VD)2{~yA)~^j@Pa&Q0oq5SW*SdnkljnPxxoK&7Cd!r0*6cxqFNkU@=8Abr
z?Gjz;vBNE_ZQ{z(hyNII9z~wUgV_O3ugiZFwZ@p@fx~|qKPceJU-0uOh2{P$AL@Wb
z2;r1&Cu%`dugOY|okooO%Kc3;uZ<rwh56j?d~iRszsj>vG@CzI+!*F5Rc_o9BAcTI
zZ;H-3OwD~jE@UCok4~EEuiGKb<3w$3f3k4X=Y)!H*mCNBdM=`LmP-?i7=~ZZFQ0S|
zdq;MvJ)CbG<o9cGkDX@FZq&usBn4}W<e$DMhqc;P#Z(UJB;bR^O08$qL}L7y9$Dv(
zJUP~xyJ1u)eoDjKF}8BDvdJBZhazPIZ&1_yh@ouny0f8lJFdv)IDbf?^nFW3NRH^(
zYIn#jg1}VVmfQBX#*eJo$|PIS3N}{5-p9348ag+X-t9lvBzf+gcAPjJ0<FEuJ;1j(
z56jhy{*oA&gIMbuvsa<h*H?%&8u3~HFZcFKS<HG+bMl6$m{kpIEi7VO?UuKwVmIZ?
zeUk_5$N_#NP1I%ngs4Fvs_5Q}vc(PX@uxfafkZS!1n8oNRnR_eyyT@`CAn5Azy+(e
z*N`PQrSbOl9++7f$29cZ@p-J=IDF_${3ILx^hy3?&WWLOxOYEXM|{QRfP7Z}zAx`=
zSP=`GWh0<2)yuVc>`H^}hhx6g?H{iXb7A6Za=UM_ypk&yskgW5X2cCsmI_KAP7Xwn
zsFN}H*PZp7&y`55>iJ7yLacv|D>Z`jf%`XIy3dv~H|}$g_SGJBo{Gjp$Of&_>L(?i
zX0F!o0)O)VCo;AMR%*#hx_mNvJA853bj)h65*bzJDIr>p#+k3%)+br1?oI3UJiU%9
zXdzEkqTN+4PfFc-83lw*n>g{HWE7CjEuN-(A;msY1#17U2ap}!D<HMqM1p*+w(*1u
z)cIN1J45i2UI8vZ3NUtgZH@=Zm_QoXG0E_JpoYaRSph>p%^TxJYX6Dd&s%IzQPsyK
zOeh#y)mO;`d|@nc!g?S3!wRWI1A<9m^bv4X-1Mw#0|rn>aa)oBG87K9aw$>C8!zE!
z??2lqeLyl5Tv4exMB!&H0|9SUJQ^eI<&A;|3qJY4D(pCwX^$G6QSMl(04_>9QdlJL
z#ZOpsEnQ1G9c4NqIMN(;#6^t-JMtg}#-r;#Ayf|EIVtykX8b|*RoKj#ziR#Kh;WTH
z(HYm*cE_*ab8e#F)SmnEOVMJh+^AHoinGZLU+_^@1JPvB(bR-yPfp!*kiD4Nk5e)<
z0f+&N69}M)`3)rG+`G_1gCGVyK@jm9TUEAq<K!&q&`2WyjO2+0LCq@feFZ!hyYbH?
zhcW^pQT&l>98dv>jt6bLuK_*@ia9ETLo?PtR_}@hN{a98`mKkP)D;;P(D2MajT0Ro
z`I4{nm)npGut!T-u8+5G+apERmkC~cMpQ=GN(IbsRpQIR(0zqfyTxy94W3&d&7r=}
z>Uasf#I+N<r-Ld%#5Hk4AfY`zCO;@qAU|756=TmTkdN6C6#ozd*s=YK6o3cwbnux(
z+0^YUSn>s4>NZDC`IRSWm~m`8nY@74x3mk}eihuT?1t&h4Y&w-NkZIIJi?AW_Uce~
zhuuSDBSnleTDHhXCyfv;(;xylv2a1$v8aPX`(a}V3zkzU3~0dEJzqyVsA1zILcO5%
zPz$2=Skc|!nZe)4HJJ3d8(HVKz7`N%NYc7Y4@nzvXD{WCNlI%IMj?xK{CZtrst(`>
zc7ibkNNr2}EfgtDeiUH|w^mfz(i&i(eC0dkf_{J)c+>W^1Ta!>0+W6gGb=!szZbo>
zuh&r0+ouCe^=k}ZvrjV_xh?5U5QW*MC=g(ez2EAr%S>Z{@j<{D3Hn94L`ixL4QdBC
zLl^2zAboxX_ImS;d%z!CG%-&u_IkB$QT6UTEP1uvmoGuXj#rp67#Q{!rB-$yZyz|y
z?5V1Ds%`rZp$~J9DIlWS`PFLTUc+9y%=I*O?yU={8C>Nxgz6l1?e6O^ivCtZCLYpZ
zC!n?vAU*c&eh)%TDE|$0Y`UOK<whcGkBO!cXLC)8!yyXao*cVEIbz}Y<?<Mha4VH^
z(jtl4EmYw7UdRuE+xtZ1mpGRqf0t8^NtCEaUwx02QC3jOI>`M>hBW;U8g$=7B0|x+
z7?zbn@CTf59JgwZCN^J_Hq#jJ><a84es;N*0`fF-f_;7AbKE$5+Y<r(T!yH5Y`B9^
zt^98H$G?B_d_^T0BT)!Y=gysoh{IG-picP}cLocuwbLtQ(6G+Q7X89)n0AhzTB^4`
ztz~`*kfT?HH=)tTqI|yi66GGno8Hq&bvsCi$`pV3;+;p{D?0NH^A7Q%5nS;)tPF}5
z5b#^CpDK)=;j#_WZhNQi?^tDRSVVl}U=*8D*1F!kr0-f8dwQ)KsYq^+nZv$oI5!Hv
zfqeKa*8X)bd0~y*0imZ6jqL7VuIx^t5u58wwG@>gLoyw&NEyS5qdo_Jc6_et8ByO{
zYf9p?majRp<`qjB^SA}ri|Avpi&i4l`AX|(I|YqsV|55w-b>PDmqN52ehngcd7$0C
zYWAby<>q+ntL?lHJN9g=a<=rHSdXrujV_;AT=mm-rnj$cbw!2D_|&H@$ICPyQHbZW
z^fV{HDrOyKEn)vxyNixadF4wb<<4<i{u%0MqLH|e@?%dc*{wXYx>;0D=^*e}*fx*F
zu~LmSu-Qa95Y0$3@(vl|yg&yDc}3Jh(WI8Dq9dm?aukKWV<a;PiRSSPrgvZ@D8uPz
zw5vzjZwg0&$#-3!yz4R#6Mtuk{FeQi>w3_+UcCOsvt5I6uwJI$e+s1w%q{{qc6~ek
zf^+(zdNHr>yZ*Ks4^iE+F>e`?>*-a;r?ZQBzLYBmV{Wn(;I&Y<;6?EU={|#Dezo$_
zs+Dx%ATNtu>!2b|{bhgsjD`DvC1I=S#ena5Wrv$`L=|4^VmAiPRAvP7M#PvCM7wO-
zzlf-#ohGbx|95`6k0?|^J=p81!K6?vR0>ix<^f;<+<?Pze)I2eh_f>1BC^l*s?NK~
z(vYo6^eBZc(tuFfNJGf)vv1K3HTZJ!qQ7>tpaMr_ElotW0Kb+P{;&AB2{DV1Wp(qd
zqJ9*Y#X6yHN*YU~;+HeMsSV<Hye`w=!|OEaj4@lQW}J6iiVG7(ORAhW|2Zs#_xc%4
z;<WqX*y)hw<4Rbx*N;<>qG)J}4hFsB#KCD0(m8<bMCbtHc_Bdm(N-1LaQ0btNHMX%
zFcu3{{P0RUC*i&?A=Y39DBvYdHmQsMx5ApR4hn*05=c5E-Cz82g#MqxpA@uXk_5)(
z=j)a3x0G@{A;J|N&}Qp|@gZ8``=ceLRre_+B@BmqG*A_N_M7PsU^H677A1~A`b68$
zXk#5QKQqvGH`s5Mv1L>OnJ<YZjo-t*hoQF&;CFst5X8V-LHP1{t|0MLmjJzg{P*Ee
z{i3hBQK=)CFfbFkAyl569SwKl7y{u_zI3%1hPZADsRpeLTWf!k3wv<!71>t864f`#
zdP)mkbpwN8IH{-}u<w4tavPU({YWqaqk%c0k{Q21w-DNKPmSHi6D)B$<q(NkRMH>M
zu>0p}oUOI8F-2;kxH-pKHO(STng+Fx$cc%Y)FYf(x}TRme7ZlTwF}zpk!L{yUVx-c
z>L#3jTyW$haBu^2-$N~^vhi(D-Vlf84Boj>w$1igV_@?VZPeOlScbN8H*j!-TLVz<
ze<C0Au@gdG{n$!~t?hlrVwh9bt|zof5v9<ok;4?O@bv6N)y@j0si#Iu$Kb5jQ_SqN
zBnYK*&0VT~hcQ<mFz}^NHdRQ#p9y1i6Nkm-cDj=P72n3oT=U{(tHqhwd8UnoC-Y(X
zUOVG>x>VAb<7MwHETWfWpqrUWL5lI>{z#*RcdPG?oPU#(Tomz=ebf9UQqChBg#S0+
z&%l1_uW{B3T<etDoLEt=)~Z4($fX0jv{iZj0MJYmp8?J~D5=X}iYE7g3Y>JvDe33F
z4PKzzlna14Ycbgs3v2pGIni3VXzZZW9W4+%G=)ZJ7Fo1)BKnKGj0pHsPceA3*ZM%3
zp}I0;W`|7%k1G|s?~@$a1dsfY`NVa@=eJ}nWyhcn%2YZvSXyLpmAoR`|DvX(G}-%t
z-28GbwVN~MX%btEge`pq-e0UtRskhsE6c-&>&Frj;L_MvZ$VFb%z1Bu_u%8K<n)qS
zcr@?q`%Vtt(AY<?q<-;3OS8`$t*OyAWae#JNe~4!!oZ-W32<wyq2j+@YY3-$$ob)D
zPvkI)A0Xn2Wr{ZsWaIS7TvT-zum(?w>*5#C+h~f<irn{Mu3|a=oHs)Q>8|=G%a6sd
zmu(FUsPH5@BJN$vsv>Db6p_mt@}l%grLpcnn~3}+ag(G9EyenJm5AB&7Y{Ysl<41P
z46$^%##vPo9nE2QwCvt>zD*<<l1>bKltDG^<DiX8Edf(Zft|72_qJC>el$Z&u11;D
zRr~ptuZJUNYwneW95dSgGkO(ZWs}L;T-z6O@p^GODM9_AdnZ%3xnrbltO?i0U&rrV
z2ktT(G~DhY)#c6fJs&ltGmB(x4jbcG;>G?lKc_vC{k!*Bu#fD;mI-f&{7+6v@*FqL
zgaftY-@gd@7+-9(wBC5%O8<z-f5Xr{kagfSrsE%iMGX|xWheIZSK@_+=+-@KZurX9
zT_tatj-7vjr&X(nt`$^iw{Sj~*W5gn%Ue3CyE0Wc*t8r$)qlPF)Mc`G(8PE%Z>CL*
zOvv$pLR$U=ThM_cR@R}4yI6zrFIFn8;@iF=u0kw}xz%}M0eWJIKf@l(vwD&t`^qq;
zugGB}n_)>&t0s<xGtXD-qk+3aVDy5n<0sqtH$u7XsoXntf%Nu&FpR%{C3QvXXc($5
z9O`bpjkT)1;}JfK{PsB+-1u1Q9q*uEbB}1hhU-3RyRA<?35hwlRTcFRYh}JWF+*Py
zRU1<sYpzwll=;cwy+xP&e00w{JB2Vt&O4HV908J8Oosez4B21?+}t)2+&5}o;i#qj
zA6iOSz0h~w{6J2dT6`w!t%-fW(-RS;aRybCiNZQz4!Ey4NotXR6~0Tq8^IkInNj`{
z5d%?B;=F#0-yN^HqpzjIl8qoIc7DxCQz-j;Mwin$vg@*20q1_+SjB!mq2)|zj3;zw
zu)lICuh*4Ih@3~Xsb%3xXTm%f(L_(LiBxhrC=(eO82@59qB3KeKL=@;V@}q#QJ)qF
zpIF!`mnMCn(Y>$h@`C9ji~3sxKWiO8`VO(HQ_kxRT#lr*!3Axe^Jsow)Q2VY+cTG4
z_%^ih0nOiP>FgA&<-W`!ubl5~LL?$O#Gkxl>~QkFfHb7dl-0qfUsWWA2mIjaL~$+X
zsW-IPE5~6o5Mg)`mB250xV^8nl~IwW`j_-Vj*GAEZa|gqL%>oEx9f7=12&I4jrnk7
zuJ-+==<-noZQSSM%F}u4zNIdRLPS+=s=+6(WsJcB8)4KZ|NVed7a~~f`UoWH1P7LH
zS=~w~O_e!c@foks;Y=sWAXo_J-j82>wLu-y+28D6kr&plT955!op;{(M8gui1a;KI
zX9RP#9B!ZlGaT=uT0L)>qf$V_h9yzEMNLi0SaI7Ez7eWfs@3S|YF3j+)-AnG$ED;8
zN)hC4R^H&E{4ca~tk!o>9mJoqFQ;JW+&9o3v=~z3u}eXJ8q+L9LF*RZ7=FzWUXtxX
znTLZRFlLi!fB6S_7Sn?>z!KF=tnRXP3X=WnBP@u^Y%$;e^hawKWHuXl!13&NKD(CH
zXbWl*Z(^{~!_v6Gb4YH_30{kG0a2@VXq?{yc;e0!=MtY6jVq)lFT9Y47_~Ir*Ecqm
z5IU-B2kul<16w0Pm&~Pqcp0NM*9!bz5V60{1zAtv!u|^)HB~i^l<oUOJdqu!(E*G`
zP&0zC8ocHG1ss)*lOQYvuEOMUFZ*}ol!!aZc0pn_#{xk-S+8;U^KWM+(DweM(oAM;
z-WUaA8$mHOYr%8bqaX4m(T3C8T40)0UKcw=$t}6ZJWcg{6bb_hK1z&z2)Tv;3?RhB
zr(Xaw8Jecu>Kuu^#%;RNqE@4AfDhMiomD0pJj89AlJs@k{|xi)N8(xW+0HWx6rKlo
z;(oYq>Yw?m8i<2$gMkezs(~yJv;GUQSCw!!cT1xmA>2}`6dc|C=5=!}i6*9NV0iv9
zbMp^?3lFyE+@z-ei_Fx>9T9lqa(!)CJ!$CKhxQB!JufqaF+5fx|3xzUUUzfhP=94F
zBZ%VW!6#|f4~0^<>Xz3bN`+e|l<$w%z~K_UZG;;^-NP~d>PKkv=`W@o_XcmQ^+Zh1
z^!gfu;+CQQb%Fq}BsKxkAT}P3uMLst`7F&O0I=*$`WRNE?Hm$i$XACWQf)aOJ$J9W
zxa*a9s|#XDMbo;w09{JKR*U20gEx03XacoGiij8r(Lrlh#Sq~X0*N@m)2hPki*Oz7
z**AwrqWg_FUg$UlB^>$qDCYT}g}l_23-cN^6y)AgGt-t3tU@^I<BIblaH-gdid7^~
zJN7!WeFZG<TP;~--G(ZcMnW7wr`8d0gPN&Isi$KOX4_;Rb!v;6Hz&02M%iE4z};b^
zwU1`vHK2Q*L2UxgH62CTSm14Qe~vNvHu(^~%d}G7PfH#id{X&I%=~vJO3f|R{_rN*
zJ|IN={ksGQH%nQWxvNQjd3R_4lx9k8@i9{k8$iUQ)5lYPr+5_3Io=In?{U&xySKQS
zHHF$BMkQ}H{T+|Zah)b1K%JB=Bjq3W>0WvB`W@^ba~^N;^#+gWd!fS6VcxeUW}v-N
z^=GRF3Pd4mgLK737PVqTKul|Z6&EaH*Q*t^SQM%c!L8baJPbVk6gZ;9nWF7Pfi)8w
zjCgXg`4&Aj<0}%!`$wf}$}x^qs%RcQY)xlwIN7&QxvD5R9cXUf(Ky+DQDgEv*k0Ic
zB2u8%gcNbORm_gDOE-R2l=MzpXegI5wTig_!6&-6<gdl@oBRS3IBY^9uC$9lNU&^u
zA%a5rj37(o(A!c(S5C;R=RNHG<e;;&D{L@vP8*|$G$66D9!3azf64+o_==UlD4q}0
zy`*flB(6X%mnHWLWPCu`oCafqd|LzcosjmNTcik?=ET9iPHFhBsM>b2K)_~jiVmte
zmGav{CJgBGk~0@m5O%6>O-v4}qXB<6Xy5jceww5d69D(HJM;$D>j8WJV8pW~YWd1|
z`zxm)&2)D#Z1vKqwc$wu0uJbg_`N0C_q8V|Ot|M!UECyxdN~I;D+u667*542(hgfN
zTndcGy0mIb2tes>G@)^Cmg{ZtTD8UK7^lAB+=uWfU#|5>;l{LE4gVH>2FQhl=r(ci
z>^$UMT0h-3bwfW5UKzpBk(b>&`;e{?e0Z6J&ASg1TNY*Y{SWOZCkJB>OAbalFwS^(
zYcO;uq@+4-I@mfSXH_=dKV_1k=OFR0;olns#L_qi)U3&By!5w-Q->tg=biG{SUo-8
z@4v?{q*GP%Na+>xJ*AZ9)K_2)nGHtjb3tamXllgo0K)ny$tek(3pkc6?Y8unP9}&E
z@Q`zRe`V&ad-llXNMFWETwL+u+1+e)$Y)|d(i=DDyCYpMGyT<GJ6%1DaD3_0WobB7
zAf;^dxM*K}HFg2#M<)|?G?r*Q68J;`LwPj80{mmp|Dnnf8||K+;qtMXYrLRnyR@9Y
z2c1*I^olklB2@}KL;HWMKb@+YMG|u@c$wycSNXdn0!y&#T^7s~tbQ4o!Fz+b15QTQ
zd%px%lNI6)ij-P$>8MV)dJ<vdwGYXrV=f3)wFMuFjTZTC3|1~4MS}JK@o_R~e4-MT
z48NBUojbektNU*yx&MUVKq7!0OKeYpjLgVn<hXB^O=Jnn$wi%~2%{)2w=#-`USI1C
z8fW)zz;uXMNT~rr2f<2*gW4wsk<@lr8A6^1{f;e<&b|2WlV7lnfF5?Xca+qPcR2`9
z_#gD_Gs^#&ka|c+QEnR|*?9O713}N4=jO%&2C#LJT*0qn<}Vf>jROXVKNba{a-Q^M
zMAK{rH~!uw_PlNJ^D9%%{JnHaK1}isgutVmW_VsX)*~)WN$vSx;D9we<km`0+1n=O
zUxYA;6#<dlINN_0s*PzBfgsy*aI3-eZ&Jk6y2RI4SKIzCXVMF+Ul>v-&{{Lxz@a+O
zlU<Zv!H0r|2Px~49&Y&IfMLX00ILV|;MoqhV3#X8F}ZQ={5Qc!rsPx(-1l3lGgrFp
zg0A;1X2ns&ho<J5+}(e-R%MFQumjpg;KRSbz3J|+r5f*Q90Td96BN9>0TO1wD9S6N
z*^GMqW({t(mfVC-G9O6uZ0Ur0t^5R?u<9nQqC{GXH%15)QhjU|TUP0p<`F&KfMTwZ
zo{6u#D9Sp?b;ANreZ7HJGqe;(bGMpRbKwWUKRrVVzg%@k`e1?eB%Dw10q&Xo+-W^Q
z6u~XI1W7vH*S<a&U)u+1gQmm~)9gurpp+0E=la13a0#+IK?lYE=f}25<HOoZR?FtJ
zWByFKffeC!UI-F!(qhli#78jbuJ`W2m)F%_o6q3Qc}pR_D&(@>M?{E~-oAGFdICPe
z$d5D=F#tT#>$cPY4l(>E^z(dz0(*FFWv8loJ?kM6xVam*kSk6Gf6Fvq9^WBX-TAI6
z>}sBskwh|-7=!@H6M4>J1Dx=mym|aFUOhWrUDK{%8S{TQE#c=HckPoi?{94nTKfY(
P?E%P0D10myhxq+JtF7FC

literal 5368
zcma)AWl$7s*IrmUBxDikSV}r1q`Q$8q*qD_NkKunc3E1ar9;W3yW9l?9#~R3R#;MG
z0ZEb1nP=vmXTE3NZ@%;6%ynJoI`^5mf1No{BSS4pGDb2006?jut!@GU;6eUiClcVF
zoKQWo@kh`y(l^uiLvR1j5J(UCKkEOk{!{rU{%?=`KRtij{^WoA{}%sa_-}*$=>K;9
zr|X~Kf7$+~|7`z{^7pJilrItQ_|I3m`<ob=0!}D{A45j2(#V!-E&6HT%=q7B2nQP8
zpXY-?M>P*Ma%>qQ1GdLM-R%;bZ;A6(7B6w08Z`a3Hnp4LBT}yRHOPgKk3E;T(2IYq
zU4a*LIToW+`qV&EG}w)aW~as6-HxJLe^5yl$4SM5c_q&W0MP!_QCBewT0F>k{$x>^
zF1C(S(?~s`thjAGR@atVqmNKS$jg&Py-YY>&pr6^wm{%ZwNBv+&)n(sZ9OWEl+A2h
zzFcNx;=kjsu)gOTWFHIy70q5X)fk`#)f}d?bU6^|oy(D~7*$=;-{J~UMU+3hrE=bG
z2gp1=%jw7DX)N{vN;yA{Nq~q`*Q0xN73Gs?`+@c1sLsydN}PAL<?9a^>05PN7ja?;
zV6-71d!AqfZR<6B43k5{J?kIHrP9S$%e%xjgRaqZY?kR6>eoQ|se-5FezGTgD^swc
z$#>lKoN9qD6F$v0zMR$a)iCK*(2NTJ$xY^2)w9|!axG$7+HJUPLJ2dfmY3=*%$H%D
zx^<C^5)QH^srm3v62_qU*M-hDMQdp=B@QlySM$>1vQyGwCXBC2hy@2-RF~YA*UX$1
z+02Jsz`jlzsMn<g%1-CDRF=?dIibMT#VSo<3vKWkxVEMu2#?eYJxMvY(M2t5dTU_*
zmrlwnRKOwjR2H^<r=ruQZ{BV#cT*(q!4TkxOOnxYH0eY5$f>IJ{EvxonTiNsdFyAS
z0IZ%T@OR%Jv#3kzdK{7eL`Jv!?}(w7wuG7!o_dKYzOYB&eW7TT!p&Wd-^ObL`ZGV0
z-{>i>|3Z)Nf$fEpj*LqSUHV5fnuVp$PnYvYra|YN5BhINC$x-w*v|&7*R<4BISNl@
z6!g=``=rC+AJx#>FDeY*&ri+0!H*UL6Yv(XvT2^DB6bJ{0?nYnrl!}+xV9w;%7bGv
z>W&oJ;`?-JnjSztJ2TnXo`oZ1s61;f-bc$}?|v*@i{%2&33b|!-6RcU_xKX&vsoH8
zR;;cq$oP(jj&C;#f2GP{+>x2Pd|2K65XETl*~>|~1NKhgW)+txCDLkb%xUo0KZS#W
z%Q14(-Ej2lSnA~7NXk3rkD+LKqzw)V+pVD*fdMi3(&Y*K*x_$d@p*2mGopJ7fzM%=
zSw1!Tf%hfxwSy`Q_SpA~LPb&H#(>HL67zw3D<+vsQ*~i$<Kop<K~M~0TVQ<dNghFB
z8(3sfthl$rPSRT$#H8h~R`C5f_~Jq@`{ogBY36;I*}fgrDiuGm*pf%Yewy*o&p<lf
zeStxGBhn(cuhAiX#C^#Pw3&}-1$DQM?TUh3?^csTZ4ePz`}N{xx7~ewRp+>+kYGXr
z{<0si(!X9$-+G{!e$q+v^U+dpJ}d3P@VQYGvU2YMiMq?|UOqopxURkwJj4sv0PDNY
zQqXn*Fr5)5uPI5z{7`mnMmKM3LC%6UKVoD@rwTc@PRlG>w_p<%2cqWk&7v#vCXlq1
zB$X#8ZzxC=jd8gViA%pI!bDZ+6DiKocH*;&LaVAabuv3v<k5{DH=E>pa$kZPIi<3n
z&a0yZ46lJ!x3tT7z*4tv?>o^FKHb0p3zc`(<5y=zPmIR6>eRQNRxqcx7Gun*S>S<<
z9k1Cakv6`WZUD1L8?s*Qs%PEz`SM|>PsBM04-2~{pwPShD!i&QItlRB8}E_K1_SoI
z9uQ<hAa@lr`PD3sFhl3l1+WqgX;(ATw`c$}QR+T^jsLT0WLJ`mJ(>PV7YS{s7+lNf
z>Q{}tn44Ksd~zTKzy@cL@j3W;Zo#GT@BJ0?XqMn2jIjjDvEdURatU0Co}qx+DURf{
zsPsvHdVJ6zS)0(=_z>f<>VqO?M}RE`S$@SZP+sq~A{4Z>yQXSN8KlZ;pZ4n9w8#^5
z1c(@40%4v0unI=L4-Suo8s9P-a=I>u(1<@c3)fGl9<-CacxgPS?-N(e(6eeTD=$<l
zLU1BjF=3kHn85czsvXaj;(oA*8M8C)uez<Ej}Q}6Z(p^Ua-&{b8{pQ)4j+)-LU7jm
z^4<f*%`l>L?VW2D)De3Ic?|JW4U+tCXT<B0M!)*;VI1+%NklLzCcap3r}Bp_bv4xZ
z6^s<+j35rv#J@C=Z#xE~gkzGcjB#TE{B|DIK{TX8m?!}QT1po&s&%oW5ha3S-8P-#
zk{%3MxXxWZlTDR=Dmy%G(~lMNaqqZ|alZukdCCqIN1vKb9k3#a*?zC`Pfcs%9@M}W
zygm2nMD}`WdN8IfT5{bqZ(AzhHGfI`?nR96^L>DGY^jIL&pt6ZaLOh9y)3lF+RZkS
zH^1r*yl;iL<TGeX>lnEt*u~4ff?ZpU9di!k4csdda-x9EmVHa(Vw$PJ)*L7IGxb(6
zOna93(vx<t&Hk1djI-_tM<^y8Qy0cwe}T2vNc)={G<2lcb^c*Wjl2A=QO|YJSgda>
zpA@!WxkpiXz%sMS@8y@1PM9;Mi@2ziDpqUgRiN}LD*AlOZ~;zE!gaZ8&v&SrZTMMN
z=7^Lee?Kabt{|)mW?NVk-R}6bGJ<~Lo+j!p-wEpr3N9{f)@=}o&26K!kX4p3>vYpB
z$W!RxybVMlX)#vkCgYe`6PN(pSZpoJ^+q5dY2DUcq~OnMo7Qe6m_wiG0`Q>G`Yfm*
z9LBVNlzNt)*mawMA+%i>&C=q+*%J_Mz@;Oc-q-EOWget(Bq;Hh*DTK}eGDSo$;J{~
zEIPAa3ZT}EORW|c7<SzYFI<DS7vB%kpm3jWXdT*}?~xd(AJJ12q6*n_irJ}~2GeqQ
zCXtFf*wgD?VF|hY15sta=hIj6zwE&E<iKCsW7!gZ<Fy4y?ZgJ&YZCf7gUpK<`Dp%+
zVUHmX!GeL@Im!+OdU^4*qm{$P{pvFbv`dZL?^y;WlAYOnx}U9%q=1u#4O3`8trIM+
z@%iW*pLn<lFU15z!X*Ib)d9RBL)C~~nk*_=MbW$S13oYba4Z#MXH@^}2wuCh${73h
z+G0#!kJg@jDC|z&PC0*_LsbsEOHeaQ$jM2AD%iON67Kfatu@mwI(%9sJIBE0>pgcq
z)d}m%JxdIOEGzYw*Tzn!B-i)Up#^LPK3!kqdV8?f?k@8hWRXa6+aK{*le)L{c$_~`
znlH^gmtq3}y8$C9<4j&G#Eq0^W{$nvFonmaP*<Vt23Z4Jah;tPQX{O-ox_T1q)xtg
z_gLdZ1jv~z9t~b`>$33FuS<D{BNK})KD}}0KX+DVd)=Ql?hulUIg6rGjA!n-G+q4h
zj+5--$wn~Uw2W8T`S+fLgzp=g^yM@^gNl!mX>t}AsTM!@DUI^VAPQ5M@17^whe2p>
z`Pz_F6ls==3nd!3iuA4+n~#@SSMh6x=U7_uu_nm-hTt2Ml;axVH6g#5WvzMz*nT^*
zF(s2#>#<W@{mIVG<g}7A8xETDbHfHxmy(sU&DuMl7JE&yXN;u{t3k>;58d+?e_5Fv
zB)u2ij$C6G3j}(+N?$1B)!I*PN7^f`<R{(Vd+d7m!KS^~-P;MU-J3qz-pta?fUK@n
zb6Eb`jRQ3I{1Qz}WVHf43_QOHV!`sSw6why<jG#Wb%1`2y|<5o@7><o$toH^WG8Xh
zr#9Zqsc&Jtkf1SNut->pY}in)f(0e`3DvECli!;w|0n0nY%xEFSgkF?LI|lMgYNXC
zILK3S;V1fC&^MI1HTeLe-{d{SO)n64Y@g&<@weIxr1L7vggp2#ldKqadCJ&B<qjyv
zkTQS1hpAs_JOmD2I$uJHY=rGsmC;>H9-#QhVZcd~21Sm|%%IHAlvO`H$5>MdDRbg*
zjT<meIHI$$Di@r<6(mdj?Wv5)y`=+IP;XRrQMoh2HbCP$p~p1ufj5h0UfvI?a76iQ
z8lgQx>XGas2TBcEWe=7h|0py)<y%Q1a_S<3!G}vkMv&o;Iv>Fz7igz+VM#ysdyDhW
zADK`3x8ND^^yM6ji;}(*Pn97S_#S!J*zXbf_iDS=vjdjl)%D$nD@Jl5JT*!rb-#n8
z6leKWb%8h{vS*pO^WCRTr;460NSVs^4b8&8C2(}Sh_@6%Y?gB<Ko;|SY|B0KODUy}
zbs&8)l;Lwa1g(bEQO)#{)H2`gBBnd>B%q<-6|<|kM;2~a_5yWE_9r%_;8X>^#Z$aN
zVy#4-gFX<a5B}uRXvx=L`yxMWuN=;o1aCuroxv~M#Fh)0zYk~TZhO0151r$)CtufN
znG_I3D6Km#{Yh;eenZ~SE&fG!K!h(GOKuXxKJ)lo*Z62z&{(5C)c#q6YLpbQ#hKPT
z2<%B}mcrx2^`^kJ$hNq7U?n7Uw7{O2w7qaTX8y>cp($qA6=6uAjwXeB&(}k!)*m&Y
zwd4uIlU=D_L7gCFxJ`Yf{j}CP$4I2-IyE$V1CgBEvBS_Lg#e~FnBSZltG|;;$ZDSu
zj8jVo3)i3X7~i)qRAv!U*^5VOI^mQ_^H*Mg5Q})(VgeS384-?1%8#)zh!%|?!)6yT
zup-fcGI_H$GC4I~lUwTeO7M<ch(r}*ye$2di4|rB4CTs#H@xT+`W+U_J1SlYrR_wJ
z!`*1*(!pmZWIZ6!Z;uxddJ0>G7Ncjao(yqx5BItVdjK)RZC<96g<f_8S}J{0%@UB;
zTt$q298zD?ARNTcUT#kY^Xu`BhlRY!6ZCmjj+7E?0D{87z3ZDnTt#|g&H-7W$8&;E
zj%0F35LWfC9X?$O7BL%XePO2z>TmC*@QW-pG>l=EOB7_XVY%$SpdUC!en^<^f`38V
zy9pINA)M8Q#n|CCVu)OF3#MWrdXW{B@DhRXc+&@KGfknci=qK5s+c0pR5M-QBl*n+
zx0eM9myv#Vf|YXJ+R)AF%bKao>bsBt^PI+9=P8v*np&bP%fwkxEWpqyOosVGLGo`g
z-NliPB4Q|>W1My<=gR4~_fO1qzJN_86~4u?$@-)G>7AgmuQ0*a@qrCU8*{(!t6v16
zAVq)6TcHxv9r%{el<H&z-mqiA#kN7DT<pqOxnYUC3+fZh3lQ_0VT`0_UIUV=OImKK
z`7G4u4Pw8}M2qWqX?%41D#}#WD9Zj-lEWie)&he}nRQM1Lh+{+I$g={D_`#|WpVq^
zm^xr-8=()RA_tA|!-4x^ue2-sb&833zUkwqL?GajN46{lhlk?vjL#L`m8AMj-kH<5
zF^(hh%r5r45iX?bp5M2!kj}t^pImdL2|D93_li)T(9}7UBlpBmchkUFG6&yWR%FH(
z+G#&LKhP8J_sIM3sBGHzQ2r{w_D8c3jBXht6X46CSkBDe<O9%zDkHeVwv7vs6njWB
zPtDDv<Y8HY(leg1+9H&ajC3`1s$?Y6VgRdizYLsMJ@|zi<t>z_@jAiHPO~_p)y%3p
ze0+H`yaY|4gr6U_^~poia|hWOGUs(>G1Y~dPL(J49LJFY{t)C0rTLjG2gA^8lpr>~
z#Pa*kHw>BFM9I05Ak_d-1_I+4_7?&rafbKur>sBRap8ztkwa61!C^->r|j^Td547{
z&D(_QEzdg)qm?j~-09QNU!`l~Vqa|i(1Je79j;v1h;I*9pNMI-IaW6wnr_inae|Lt
zz)C~|bx5SGHkpwcH@Q=yv68vXJh^!BE~0Xb)9h-l%?Qd5OA_K#p>;@eQ=tve97U&}
zW4?BtgvjAuh?o8}=Xn~gMLvt$(DAN1nHynzrHU~GB-i&g!PkDG9l-g#NsXnIDV{;I
z8s{r#1;Gl(BS&r)>%yHzPTEs|ra|WizyN9wJ<o0F@E`9lXfqAg>S2UbEVUgGW%0Y-
z)6J)pF-sjM2en2M9z}zP4jIi06uWq-eh^cpgU^`*3!%b5@9^czc?0{#SUl<-2Wrls
zp27eaVQZ(icUjHjj5e`;n7bXPPgqlO5#I>y3s?h*_!QZ*<h5tsJW`JB&&9~*uXkYL
z8#$r8+-ev`a-Nl~hS>R2^kJQBCLcLq$WZ;^cKv1Q!v)_Wlx+{3>(S3~-<qV#dNS=)
zaBV*!5xY+)+TrIuv88t7I7tRtd|6~^d9*4cCuYn7-vFGie$_ffbad_zTcRDK%8~4a
zDx#Tzi5Y^u?&E>Su-iiut2)*%8fB<$tpBRV^w30^Ba3h59+)t)BA#}*EjBmKD_0yk
zi6rIJkt7IxRe`XHnUVw14>R}9%BDk?$x^ku<O`X&iE4kD4D!!Wwi?OaL5TsZ_UiQ9
zz8Ge-y?9ql{JQ&s+@Bh{5MAO3aOsm;w@bY#5&@?S<5y%H)!zqCiYGA;L^L1{Eoy0%
zzwl7tD>K;8tt2e5wpA1`b!TaCSj_2@@NA4u2ZQE)-!7VkXQXS{oPG*vRjT!Gxh?>5
zSlAxWs17}2^68b1cMo~B^^NOA3&hO4Ioukpn(zoeRX@!NBl;CSM|9MB@Im1XB~@}W
zy|=1YfpL@vAr!bI=6xoY@@o6gp)!<6*J;{GD#51_biMoQpeH(_AXGW-f+S{)sH)m}
t?&kKo_nxThc%G~u_RqHa4-mB>5)FP8*BXGd`g3;!=x7+K*Qz>1{tt$+o$det

diff --git a/apps/static/img/logo_text_white.png b/apps/static/img/logo_text_white.png
index 9c58eba3ecec50734ff45b845c14df8e2cd17edd..39dea6778055a6d3bae745d3c749989dad7240a5 100644
GIT binary patch
literal 8320
zcmbVybyO5@{O;2AMM_#iS{kHNLJ*{+8)T(f5Rh&V=};t>Zdd_<g{4bErMqFJyPE~>
zaDVsQzwf!{%-J)$XXl-FKKVS)XQH$;lnL=^@IfFDp~@RYZ4d~}3ON6Oiw%6XxJitI
zK#U+2MLAvX%>Ar@PbTYGo9*9zP`*vEo=tI5_QX}e{mdd(otjt^5MmuM`}v?_8~!xy
zeMz_ohP7(*%Mw;6$!5vLA-qo#k|pnFG+q>Cjq!|R4-KRjf0|FHx10+BfyH~De_>(i
ztZ`B?sG7RntqqcDiu$o2`sW)sVtF&uFLTSM)xe<rc47I{4-Gez@&EtG-`}DFQ(9XF
zNgQkOC*6!|g#GKOXbod%<46KlHN@I7@a-^dgpYDv>4dv&Gjb+tM=brkj60H-`L1$c
zvE4|FDfa_gUzgZV;a(?C?c_VXMA*1ftF@D5;bt^_YMvo4tK0h6vKnSUo*+z2-%SHk
zj+hck{!TqJ5^q=#Spc$}qP-u+Rz3_n_h4!~%etRfx!hw*638BIZR}s49leMm0d9ak
z#~G=RzIOkL?L2MqgCH*jepTEB(f&I}cTSSP8q@bVBfGid+n<&f_qHB%=h@y6V^-ta
zK^ZTw1C9e74G@Vc;e9wt3vu;1Pf_Cm6ub3yywK&5ebk$T#?#IHG<G@S?w;axi4~Pj
z*#H{>?a^IA8|dhn-?_Y)-fs(8lCyC1?Vi8sJ#VZzTRtk5=a}&hKhaG6WmNY4G$wpu
zm@TwT3%02W+>^#`Hri14g)S8sJL`bmB(qY|p}+sfN*XBzTfLYWv?;cj6{6W2jt{<a
z4WK1?v^Wd&T9ujeNho7vT~`g3t5nXSpQpfuS8IxfJ4@=<g%41CzGu{1@O^r?$L{wV
zU*;CAEdi7JOW)?x_hl#PcF2!_GZ4D($)TfH9*w?$Z5^Ym@m8X8`POPY&m&%z^}IuD
z3WjOql=9?6VLvgEh`r@KJkWXCaqb<~)@>cXbbHHPZ_CmT`0g%iD(;^tTW!y1kbCMM
zl-oF96-?K!_Nv61;gs>8plZ!Y;qtB{bLU2g$$Le}^{nEVR<UWr!_HD?ybZg4>30D-
z^R)RX(W~b%d8?lSd@4=nyrpRT3zn_w@Mqyc3(`_!dxnqBPx^v+{CIJj_I<25PS$q~
zQ6P|VG}+s$$Log1%JGzH><5Zh`quWM@3y-YqWmvlS#(MY<%a(D%FD>O3K}RQt`+MD
zOXSO<t|5d~m&*;0zM~jaTzccesgf@z3NuJthJVFjT5*_L$*@w_-<+4X=M&3OXpiNU
zWwmyt*g%%W#muvWdPiPhGZl(@#G0Qs{3|t}?3w)^Di7!yip|yeUtE<;d!0KS?!xOl
z@|pSyLcUE}-V}fLTKaZvqa9;#Nff72CJdyUK3Pqu;UD?D0nT{QE`oL=6*SWXgQJoN
z$YPLbRSq`X$PJDs9lVS^LX=DUiYPc_=V5X37Zx%Glx?0TPJ&texA7HmjD$hKQtoha
z{{vHzJ5O!&YAJt^6JV`{Xcaa5d$4EH^`s*2tz=xeC|jt^Kh=_3kr(}VuHz%6qFc#(
z-%TRPUl}X3-lCz@p_}q>O6K4!P$fFD^E#pmFBt6=^{ZmvZV)#p4Fd_gSFc2UkDB}|
zE|<xbDnd`h=Y3mYwrE^I+?{M&3w38-mG609vtZF&4zc;gr^k&{RP(l-5Ee3bk;f@D
z@qrU_1^a*;NY)Opj&z|Lui&YzAQ?O)1_&Fv$Bc&5J3_FBB0~+~{c#&L*MsqGP@1~_
zEFk2XCHE0R`Ne6tH<(3KPuZ=yYL&w7FO-}TF}7c`tqInokmWDB*B<i;Sz=inpOsHA
z%e7okVH_ENWM;Z#ct9sSdkKaGTdkq8)}raWRk|}4ho35TpN4+~GDVUOujSEInyg)#
zoE|lGUPr$~l6;axx0)@5IU^?RJckr9BG&&R#LT=*mljKa-0x#D;&Hj{$gMCz6u2CH
zL4f7Afv2o*^Y^#xhP=!O9Jbr~_$&cCx=jAwx8js_X?)>{C3*#U7l?mi<vy}bRV>LW
zR$zjDX=LG3o2gY@rp9M37iERvsp$&Yp>E~~4fZbb;;%2>%P^?%9T@DqG~skcA##UH
z>W1gqHnoo<3U8!H2$JhEHNzs31t>=O>->zRc<J^fFMj(+R9Fskipfgocjgh<Bo(QZ
z{nU9nKqhBlm)c*uSSZR(GL!0cxeXK%hD-c=UC5oUh?p-!OG~rnA>sA%=m}#(anSFz
z`nh&tz#i*6hX2u(^ez5k2I?_UYpBKiNy8kXZ^K*B;dKr#1%YoXZ&4lJigf=nqS{51
z_Lgmm*q83CR5y(rNkQhIPXOjksOaK<LD_a<DvhwMmCX|4CnHRTt9=0Wa<`wRm7(7I
z<nN@b$-ZW6qm-E~*=Qg9f&jFRfBSi=3G>}AX}drL4T7~4O;Bl!veU#i*qFwHTAga2
zp~;zzhLaOdBVq7(Yswtq%Gq+{kf*J`f2ms1|8wa;DmSIsIjrEav!c~`RZZxqcJ_nX
zq%gnU@7H=b?2!bGRewBRgBo`%Sg|wqavHh~nIaeUZ^?B2g&Wj~EY0m67`k}TA7KZ$
z7R6PK-sefDTfJX?_g<!?X!$sVBsEc`2kt~#iI5~0JsaXynh}Y%P!ozL=%}OFZNoY!
zJe30(fDDN&8*VP~L957Ohf9nrkzk!kPq>j9DDn4*z?>}HR)pGbZ9gry?Q?~o2>(j3
z#$}c2PBgvy=CD`Ol!t~gI-f&zC>2nrMI>(y&w-7wW(jrF`h22^YX&km@8a}j42j4G
zcPBPc+kCwHtX^MDv>ALP9|%Qb`WqXhSRSN_c7%S#+CVlO`0*b~9OM!z`Gxq<l|_fO
z0wKxJHnzQ!21GEt^l9+vPIQuM-VgY<#ZggjaLH)HTUgorOh+WM3Ae`MJ~$?8J=5aj
ziDDa=8_&$h@){eXMiv%)o5xk;)9grj%nM37AYIUZ#KFVCen^r-*Qcvkhi*Qeif-GI
z%j&)D(i<msCsPgieMLAQs|=2oUDI1P$F(~bE9i;~z!=QZd1`J!VyS_qJkG8bC4>Q4
z^|bN$r?Vu@tMrY*$Dk40YUu*qw&+GQlrl92F%B`7SHff$HVE3$dLxg73GhJf!_<tP
zbPze-w_|m9Ai2bef;B)`pjuEMM%!GHm1OWG+6-FTHmmPjrB1UzO>}R<4gtc`Rstz~
zWoa3ZY}xe#Rq!IHvT|q=_f=`U2WCeMO)ol#=khkTx9xkWkf8-pCHgEj(hal=`V_KT
zkR%pl#tu@m-y6rRln{9HeGtRj>^*Ns_~u6)4-Hk0bCZ7aj|f-RA^G{n1GIKZ(NI~t
zo`6!!V8*MkbB?Qk{A3=ai=sA);Ofu_pZV%A%c6PptEE8tuvwMO=7p!w*`7RS-mFZT
zK<~*qDHL}o>)Y<jl>WUe(v8!&i*3R|b-rn57s0jR>{tR#UPMk4SlqLFHsb^x%soUU
z`HSjQu-Duw)~t;GAk|^ch8ir>JL4Ezy-5w$eA#=DV&|UFg~E>&0M`w@r5V~}pqBNj
zK9r8F&aty&KN*g#CVDeaeSyn4P?sR!$*{WlqZhaqs@IDS-Xoy7i8kmn$1~A+3Etz1
zT_!X3Nw=>x^5QuA2P^a90`C#8UUvU+NUyp%Or-+P!_MLUmso_SG*jN$+LvDY$Bf`T
z!nlBHheZsU4V>PYY4V#!n6WLe)@f`tgTTF?%&#GfW>G3IPAcw-Q(411`w{J;J-goO
zmBpSdQrpB&0`2Zh{Io9coEw=0Wr`<Ug9y*1^UZpEtYhkA5mAoVTc70m_C!1PX8Aj@
zRZ$h@0sh{4yR;ZmRap-4=O&i1tWc_5negfks#|z(poU<tlHQH+!7<v@)#bZ>*_XYU
z_;>TOW8trORC;H~CQo%0T9lQAha6#DnG*-^zT$$__{IY<#xFjmfR%ndYiF6yki`uu
zeE;l_l+KkU^?v40gI0<g5jF?_MpRxz30LD$7<~n3gPtwB`x=WBCA+K2;n#bLBb0wB
zVv>M}cL;ISy&XvTYfv_M`UO>jDpUN?#ktr|?SiG%oSi{u#FFOtvkhbJQ(>Jc77}vg
z{omlp9b2!k{GG62v`Z)~Y)!1ZI%jaQNi(cn36Vh*+`hugKK4%?N&7`VT*B?rf-+b$
zET@E~b7%QQCgQ($@*2Wy`K%mc?uq(`|Ahtd8S_{aHsGU7>xE|T13)sxc}vi@nAN}R
zuFuJ(d0RPzfF#e-u8<PxD=@fxLQ`k_Dst~rMQtpQ{wcJ-X1K1#kNrI@0*VujHM&3B
z0;q@+>^xk2?pZQ4_kQf=mvM}#s^p=CS!Z>&4u>CIoODMZL&qs-D41Y<zS`fGm}~9)
zFs=q||C|&v<;w*s{>zO+sD6yk@};%R1AD2m+(alz2cPjs0%<kD4>m=vsH{ql6q%U)
zh^0h}i$7DPSlw>v>b*0M^;{se1lG53?OrAURFDUtHaGWd-!xD)@+6vnP<_JGU7k+|
zQx#tTIqPvexTv2sqM35Y;<Tk-6M%?v8_D-`R#4csTn*Iz;fqhS4R59{FbE-)IvnmH
zRd14UU-^RfJqaPS?=h}S<eJ~`k#qxHPKSf9u9({0PbAAIR(EZJJRhsOOz}$6mV!C1
z<nz>TMLXxA@%4{?*MGpKjvFg3TqgSjMRo`?6znVC6?!(CsN?TsTe-26M^G%-RhhU-
zGw5;n(R3{H6u2-q9NjvCN?>=wE2eOZA}JgsUnkvb8Jt&cu49%tgJW2M36TS6-mi<|
zXcuafqL;_`Hy)C&QKvL>GFX9&_qf3nT(Dt>(s6Dj_3Z-~SAPNn`G$*`ZEcVS=g%7(
z<%bfG|6kgZ92#Kjbq-&EU|f)Z-np+Hyq~o^csbhf9y;3MvLNkWMqnyF#~K-g)mGz&
z)zOS(Ged;Tca)bYXrNuuU%}3yli~;1)6Zc=m2;rBIs4BX4fb=p$c>NIA755saPBMV
z{SBf-N!{mmUQd8AEnYmxG<YpyXa)X^lM}D>ATfO~a=h`v?MTi2vD7H{%XIQh@UF%k
zs0Or$EKWJ!JT?0$T}FBs0l!|k6&_giBh8u3JBU4f$1UvR{|qJbfD<l~k7rYGX)Wy%
z0;R-9wnv$Rs<^8&-fXx}Pe-(Wm;b{OC-9|F7nKLp(|5m|^SBAhK9}otn{wVKQk){n
zXBWTK!$utBAqF?b;jYP^&eY&NNm9s!XCV+eEw{RJHt8td)~qrUaeu@7thob3=6Yzx
z`7iXOWsfT91FN|7__AYc6NeLnAdYlO!Cv+5wYhR57Q&j|_M~a5_F?Dpsp%8HkAlvV
z`Q77!kXFw9q2KUk{h~#c@ayvQ29<Cgz1#iQRI+`3X`xuXq?3wm+D$)XP(@E4lLtU1
z`ex6uZ_}TmjQ>05vt$wy-K_EaQ~vxfK=yD4uYp`-o<1WgqxK^k%zMhQ-A6OmFJ8dX
z>2;K>HMf|`%yD{+=*%)*+X|^y&teEY%zhvV{?l8`_U8$QWNN8(qK{7A-e=W$r7*%)
z^m~!hO{9y8@#%gK2ql{=A^O%|1lKZERkCrd*<rJI?Q;QJRR-SJnGwh<3?~1fZ>lgO
z(W-T^th{n&{bUc<`r9pY<KC)?-(oq~{+)sv01q0tr-+2}zibH_@p>eOHxdSL;wea9
zIhKC&%_lgq51vqiWQa51tXa@5hqqYP>drevNf}}W#RWVwoo*)T2$DZ#)1D56anPr7
z=$Me)DTCg>iFl#aj~XqLsbl44AKhL?zZ%A0cm6mGH-28kN*0}IZm{394?1GxZE+_5
zy$gGtArN9Vp=}@aaj$kJTb!QI-(qmRA!Vm`2GR2TfwJhES5w6Wd-=P?ctc5v%8I5}
zIR#oTRx9jEEd@TI?lh()X1V)o|IBoH%Ut#i{s;yLHMrUIX;^bOx4}`>nMv&2-9o7)
z`jzt?3Fv{&v?M^f;U1-+WidE)V*Q4|N_Yv!<IWLg7{A`D*&%xT-Kkafb5W=_LN#YR
z(ZZ~}=U@heq~-K5jw(hp6J!?~NG#qBrWM3BN<%-Zak8aGIKzYNhJnHx_K1rC1|mjo
z?tKoh2wolTy=DM~bEode=y2|3;@-&b?hj$a;r|0@#<dgE%?xj<GQ>U7+og74aHtkp
z9y8y$D!V|y%MItpy*9*3#aD$|c7#)qI>ghfUMxF)BfzYdE76Q4j6EA*11AWrNaGxh
zB%Ao*xQKHO*eawK7N*AnnEulvDK5BE@B_Gk*Y8;jj1FDze{bpyGj;oEv^C2OAHPm=
zWmU!##xLQ}+P@|4XThi>YQdgUUlxHwL|_<3df;T^zBrlE-3UI2T;>aM&**p}VCNC9
z4;x?kRzJT*0u`MC;QSR)Bbimy%F(q^TY11E*~5djnv`0PTI4L`tA16EW>_8peWofi
z)iNe8@rxo)I|1Zk{K8YSFh2RB8zuZ*R1L?~To(44C$A@<i4MNs#6!|uCLaiBGd&Ju
zJ_lR0Eu+@^ZoUflUhrNv3TiJRBCay79g@}+fa%Ek6^&1h?5?N@=}JH&Wkf{y$8>gw
z_6V;vjpB+oZIg~|S_)};KoHq-8#?B-hVQ1C^C86p{E(G~FA{@J8I+wKRfEqe+8*GH
zw(E>czPd|=+J`Ta-FVyzW_PFRKm2;@9L$?^E$kSfB5Jq0Btu3>4pCa2o}SMlqWyH!
zoi<-9o;`dZT~BpaJvGw}GBEgWuF1uRxg`-n6Q^lFC!4|#jivj~R{Ju6Fjj0~s+R(%
z%nI$0g{dljsz^bCge+T_<_wY0C@lfn8lmkX^jLT{{R*lzL1WuMVGQ9~)#1>oWwP6>
z^Kd9-wl&M|z6ANB3I3teZJ?U%&%r)o$6ue;eJJlq)fyLt9pg8QSm;edq8KZ6)9SQd
z{3;a9b#V6Vpgmh`@7Z3Owiaw(03V=ygkw(f{EJZOO8OO(arJ%}+dY2h>AG#&FE-D8
z!y2c@?9E-gcBba*7OLJJV+TaRZm^vJh9-ePk6#<}y7?AWva^`U6)Rl(atSv;YdSpY
zO*%%|_Nodompe|O!Q0DMW;oE~t3CarD`L&uYw|S?c#l*f{#upIN@|!V;&`&-X@f!f
z!ubrg^ZVSj<Xil!-cnNSWov2JK~q^9X&hiC?Vhf74M5+>KbP~s*y}7i>iQa@F@GRu
zg0PWX+`*p>wNC3EP*f<=Q0Now!&VxCbSE422(WUiIUO=Az{l%awwyU*LnAPS!sf{@
zLToD=2<Hl<RVtPyoP-a9{V78AyufCdZ5VCxDE5yY!DtH_27|)lIQFzF{T+juPlEeC
zUQv5b5mb=OI)~PGhz7$yiWiL8u!b?$MKiowy1NlPVpLWw4*K@wgGZ@&?H;-Xp=btm
zQH9-@I>2Rt!s;YTP5D<M>!3N`_dQS$G$;G_XBzyx#gDaxN&XZIq?)(9A`~DaeCC-^
zajPh-2)$-Yv2CZuN|-lE$WZ7EahSI)4;n;5pBaE5_Z;(`dUjGf`cz{?HOsmWPr{U!
zZiKG>UeO(uIvj>dCbGDi*I8l>FQ5WT`^JgW!{Cg8Mn#J@ARIIlUn#6fQB#-!UR2~j
z8ARYCw?J^-!06y>6Kv5>{GHA_@IR!?kvEa5SSL7;Ti(RDq}bjr327?RlzUiUa89^j
zxzA5W9@Y~f_~-6)drfpl552;QX^X7>f^fkU_T{m8V5Cogx%M_%7Eb-h$23>HgyDC_
z=Wl|mt}^f<HMn0pzuY%7-IBIbbni09YozK#ZwL?m_DU91>6?xnBo?z%@g(z-$`q$<
zPAC-SoT2VHhriK*W&AQbQuTUy=b9YE%2k#S+^nw|wt2-BX3;#iyMY~q>lFf1gm)`B
zXRwAER!!T_DbmnVxhmFd|4BMNg?`A#Sp-lV0Q}i^rMEKHy@j;g(j?oZWcW`?uZ+_5
zo&j(Pyn68OpOWZhN)-JLt*nE;`o?Jz;h9`@vPqxCUw?Wu%3fnZ9c~=fs;2f}f22E!
z=mZa;Vv65keW*);xEwc>+B~#M!H5{cw8J5wmd@UCuh@_#!LY<)g7gdrnVzhC8&N4q
zPx$mvpIq65(%t1W<@Z@XvU8e0OYbxpTYncbhfr1>&<XiE#k<RUOOSfY{VueME0<UE
zHRJlhc2llgivpd5m>VZYg^UbU<@ztywG?qjlrUBlllsv3hr#q>5kISJuHPl?(^RJ%
zS^2mY?oum38GZw}zh}hNmq}<^E3g*kha>rjGys{1!+;m^RCXC?_&?JJpfvkcKxLpk
zX<x1J6!$tKT;d3n0V-5x)R$<<8*CT55AMXsvSePbGep;~O3K0cy?atA{G?|(cKd@0
z9H%;Ol<&)}^Ws+9u^<ki%ksN>fjuBe$|TIII+xEm`Ntg!Ub%Jg3=Xca)Np!GliG$m
zEe2rkuQoN1N6s-8j*=Yz+Ci{lOQF!WU4DN>lz@L)u5`YX%lGvK#l>SI?Lo>tDr_zz
zloo(yGeX)~kpgHVo=j{~q8lfli~#Y<v7gg&T{T>|91L0LjX$M=v&y5W;C&o+pOb$h
zT?I&9>Y<+g4Qbx&5Or|IIFi&_7EdLpXf!pC@XT6$cJ*a+mLiVlQlj!~-l6VSqQ2ud
zn_UdlzdG6-BYAi}g;Su<=a(-w0B-&ki|gXcMsXcxbd{}Y+VF7E3en`Hmmsf{I7wO@
zUm<C-e`7a5>;1e0jIR+LPH)QFM1@4NxJ!Ej+Jiql=kwEu708TIe!@!N!zNt(*VQ0Q
z$0tgl9?>Zf8;kR8O1?#+H#N<z>D=N?Yyk!Toprdl^9VoU2Dw@nVN8s|VVNt%`cl;z
zSOAcAYA`}SftCtvAP7N2Iws%<XWBAjQa@DEq=$K@QG;<{0o*uc$NQX+B|Env)y*+n
zRkX9ZXBL(_mzgwfXnREE@Me?#XC9N><T>2>f0F}a_CszOx`2j!xb1zFULErFi)bX!
zsja}84_VqF0oviH^Nz8}hTi}>h#YsCHH-6EI7-XMPz`v@Af10$LG3*b>Q7JjCd*}n
z+(d(`kn)=`qz%s-LH8236b+p6JfJ4h0%SG5NZ4)>A<{<m-BDcYbSDqL;yBC^4ds{K
z7QZTQwnY`J$q^g$^yHvW0~Ay|QV*i1*LFU=L<1Rc!h>iiGYDF-*VVIOdC$(8sj)lT
zPy0L1KmP(rjnHps3wc2?kI=p2>ug#$9jimDww8(LOP4U{7uv}DFWW))UlK79g1Dj3
zdG!#SB-tnei_>%DW&8qE=f4w?y+JooIArd{Vnp1@`y<_VCLLM+naJmOg_R~$QsfiI
zJI^%a=Z=-sgHUV}gKN3qSVu-+hLc#*KY9pg$*UO5lnZu%tf}x?KQQ;5W2AghEcjoC
zB-lBjyv7g6<xVSp|DV(`G3j=tEKMKYCTrr~Z_C7Zm<Xi~y0~7nSBcQS#`qzjaCAxR
z5PHSQ;o@J1|FYpcgkT}B1a^~t<&cB(AP|8z0KOI<f?Ia`oXe3=vZr(#D<+(7lv18I
zWs!A*5dDOkV+mfKRD_M%$3A7cuaiQ9ZldX@FL=S=;^x{vRBr*_K-|vmr;VRe4clI}
zL1P~hoRjRmgjMVnevA7=0+L3Ac6e6~^grK#^y-pAD>Gup&`G99y!>@;l5VDa2gZ#4
z4be}Mvf5R~k(;%Cnxa%FWfnc|j?~!H=w!E|+Jb`BngjDz{iH@;K)rl#@-UKp6DLOU
zn6uOCTNfpicR<e9&!dw<!Z8J0|1iCXd_7dg^#OC%Nzjwugfk#-G%>mV^#FuDnVm@N
zfiY^+z32QQd;WXqFqtDZX?HhkOg<y_73|JR=0WdmM5h+FK_E-=m>n=+`!F-L_>uTh
z36Kp8o6=Hs(?M_bxZK=Xr?^=nqux^J$#Dw;B6q}(3rL6>XOLc%pGm6(<0Ik*MnAK5
z#>_l+vqw7fPApSW|NH-gQ+Um$*>utryBqk1;@?%W%LiA`KvPe~M*&?J0f6`syGlvc
zmQYz937<E~Ilxph8&C^=DAnpzjV~(8rva0>FB{~pJXV(8txqIs^Hv?T*}(sYgjZ3U
zST1GvJxh6ePYrlsh;8-3QZzlb%&M9iYH0<L<FZ=$R`f!Sdj&wM6}7XXL$=@2NAI5}
zY^9i5*!n#n*(y><95(Dg{3IEtK2D3-*Sc1&z~HoGn~ZUa)SScil2uOahfxZ7x!b`0
z>;j}dc02Fo1Up?tMG{a+eX!cCIO>7m1jOCU!4FF;?4O6ro=d2OS^tbs!EG<mdh78T
zPd7@qzec~iF7l6rdy!k?ywklKWJ~qy?1#PFM3u#PNd4J)M#YU)(Ew?<KdasVpVO9S
zVD+$-pHlgu?(?9#GQ~B6|CvSl=%~#qwv@~~p<ioZSm^NvEu8xiOUaxv<a&g-;#$47
zPiLeUEf?XajaE=iewRRTjspx;jf+{0gd6}YpI|5vi}*w(Az_<TtqL(5FrL8N0RrXd
zgDJ<ndT~EN@<{=hSCbO&eJCUEYvVSiN^3S6F{f?*gZ`B0bu`#r`|mP(2NLGOirTpf
z0I1mWbcO=sw<$pgc{h`B7Ed>>{r?$V*6MP+1%|0_<5FO3g;WewuDc#hw}3NG2doMO
z0X$a8b6G-0)JjLDDs9sb7!Ng()<6FG(aV?kTs2IUMItrOeuvwfkcpKX4lD{L+|Y&z
zBUd2gfFW?xU`pGkYQseQIu&5({Xa)b@|`vCN`U0!y8!?9$N%>eQ&m)u3SGq*O%$gZ
Qunb7$wT5D)yk+SB0^iX+pa1{>

literal 12116
zcmbt)WmH?=6K!xSUfiWntXOetarptII1~s_T!K5ni$l>OMGD1=yE~LZad(0j2oNkt
zkQe@Iy|v!=_aS!I$-3vv%$=FN_e6itP{PNh#svTX_$tcs9{~Uq3*`6D*qF%o4ma@`
z0DuvoBL7~;=lgMvZvfd)+G&ujB|mokFe(d8NN5eus09rvJCS3Up<}pk3O~z-FTS4z
zQlgJ<KYv%sW&hll?K_?gp^{_!d+`D%89?*XzuF_h>xDIcc?4iM9ovEobKp%lhS3CK
z+rt%MdgbT&3Z?9HUpueeL)X*O^ZMXWyJQ@Nl_Xl8IZ65d_apgD2?g=hp9GQJ-Kvw7
z=8X-LZr^QNqv@lGOJx>RO`_l>z!y|(EEr#~QtAe=Dm5mA9U$Oe8c!0vLtnUp;W{-x
z-C~^|aQUb7>$Z)Ckdh2Fnb*T!Jp5>(`ic2q?v|^)kw2t_A-I}n2Vo58KHX|kZcG0F
zAVrBogT0m{+~5QB0+s=9IS<5x@c`o}rMl8IZQaAk{%Ou+14r)P_48<C%wY%B_A6P`
zG~E<3HtT+X#ZO-sM48~jT}laozW%lwkBOa^Te13Wm0BT148a!w%&Z-R10d+%-JWt=
za4X;ux92S&2|TYw2$Z=wR$)G%fB*f!0~$vsb+-a=xxeICFk@qVh1hd_xzjClvl;Rv
z?FgI9m(xw7NM|jM`*;2YBNq%Io&cr<d?eZk`VSMv04T<)8J7lRp&I1vNEfML)C$Ug
z2J_#Cf&cf<I$kc#qE|(6!d&&zLt3I<v;UUNnSOL~IwX)4v9V4Z*I{DPb3`%xM~=EU
zi*cohCc1`krFtUR_8(Du3|@9_92Je%&f>Rbit+4?3Fq4v`taNRyxg~|`th!bEEs2D
zLplKe_R<p&>f(Zer`iciD5{D17cNAAm8a0v(TYgRxxv*+m#mMP>r}@WhHt!$y+c`D
zTh?^W5_{vJVRDARR(ZWmq|kcT8aX0<arAjfh;zBT1&Th!{DUpUJWp#P_F|Ml>C5Gn
z6{K-8*J4wWJ3Z`Hnm`PGU5|IQH{YxY2nY$UIsIGeNXUZ3oBlS(0kus}4x^al9@i6M
z3M0R=Y+=O~0p`8TAD#e^us0QEZh4b-@1buvm5<k|H`=rk6){d_jH<+j(@#dF#kO1b
z3mFn)1S%X5xogK1)t}a3iUC_BmB$C;6?Hh4c^LsEw*)!j`t7E?W`xX00}P@7CT_K=
zFdVzcUkJO;Y<~lQ50xI0vEnpvEX=*&R%3ZtSYNJuXBVK{Yni(6(UfiWp?Dgba#MX*
zb9aAZgl6)7XPc2jJ71WD*WqV}55_B@3)T}HFa#rN?8^Z{f_}iKx{PM(0O{+H;|Nel
zgzM|zM<8PB2S72blGhZS2o1;{e2U&Mmy96kMt5x!MC=G^{#G#S@=|bT`u&BrWc!Rb
zkqzuWa?yG3WZ>>DSQm>+jd|_=FG5VvM)%H{0#DAOP$@DsP;08@wKUVG@?2*{+%2rg
zRzQU$<Ov|1=jBV<LAk?IGnsx*WvNC4`r|6z#m_0u&&}HKEnQ<FGp~8;2MU_rXs$Gi
z=m-3Yb`PAvyyMwMuJzP!?RQg3%t4nfH$A3SW;%K$uSz6|O9K%h&&T=;2(V2q!R!$c
zZ_Q%_9OqQXx#d}^5K*M3Yk&?SG@tiGTOsPkBgAAEbqfEIE}?+8KX$sJi(gq$rMUEs
zEb{XH<4=jYa<+j48t?Kmhr3@VTh-kXLA}N%bL42^EKxSWS1}7Hs{j}L4#|1kLO>i!
z^<g_Y<kz48?}1}G8nE#2+5j*S7BOB3xI?wYbRq9?2D}o#8VFHu_#LMI<4WtX8xtHM
zLona(<+D8nBwo~y<ZT4d{@O@E`40v5b9(**;9FYYF&eBaA`qo#1%g4VxPubaY+#m;
zjmpdEi|ZIEiCXb!i^7{t{$PX&i5e7_>n*=;!2Ga}Li^ShZ}RN@dEGP{OWdKZAVr7c
zYSc`PSA}-(!j>(7Wz!JFm@uE<9w_y~pDn@?<sbf|SLmq?k8JO?#5El;RWW{RRrZ{a
zP^z)f^hX0DlKpn6wM@@P3llm|igx&^gW0K@=;-nhH>d5iJ&2+NEblSbXU;wM+TXab
zGc(GWXo`bbTwY!x>h(OZ`}EhyI$MDev-mrC4Ea<Q`B<S5ZXsJULE;EbUoQhudXcl*
z*tQaqq<&ekUOncl;weSX>GnTa(YDyc55YGXW1{cmt23Z@@|Ot_ZO*R|CkYPaBE*%f
zU2GL~kqy;C8*eA`6O44bFytG)++>MXIhN~ooiZ}Jb{mRakC876O>eo{n`|6jvJulY
z8c=ZfelxaZh_X$4FBO|A$uEB?Ozgzgm8Y3ha+*Lg<=-Y@u)p|8&s6KZ|6hV8(5R<%
zX>(wm)5_!tc~93)dU}IsQ;WWBqf|4WOrz}(eEu+tTGiV+XJKSUp-eFJCRHVq3KJ2y
z^3$<aF*5@57DQym>Q%~IP)ojS5k7@q#Qr%uy0kYj@Sz82##mrQek7(LPx{~Cp<|XJ
zd?GTdQvU6q{6~}>DWVTE@8lUchwQ$zD6$(kE|6k63A8I>=tsX+F1deQ2X~n-9Fe8j
znBy5E>>DG8yO+uhGPJwvoi2A*cXkwn&Rf~&+8y7gIIVnf{^PlJc{KS}8M(^|4=W1i
z5pR)Yo_3CnwG4e7QO)w4BNKv1(exKeaE(ey6pb9>0c(mocT9v3DcC`1#Gv($e`wNY
zO(JhhCeemzcj2QE)`C{dD^EpitWfQphxsk8s0ZJS+X8YUJ@jir&t;ZrBRtQ0y%MPM
z7K(z69UDFHh9#;p*|)i`Z#r4jM(e${r#e1|?EED&F^gu<wJFljU4=$N<kz_Ep7RR}
z+Qoleub#JU-{_vha`ah2m&^&_sGq(5TKrvE33~04!{q~O)PmME&X#yiVD!$!>&ut5
zA54|yli03|TXQcJe?8`3S-(_%UjdGK)BJU#a)v(X7xyfGBdJxT+em(V2+@GUJNZ8z
zVpVzzvmd4sjw}5N)e0NNYg<RFvSg_q4(BsB|EwEoSyl6D=1G-H#IQ3vA`OOIoN>}l
zs)D;UUdT?{E=xpOyRKbrM&Vs|Vr{W`EjP_@KvQ%r-WtTy;Bkh$2mVgwV@<(^kRK62
z{fEa;jisuVrf&yOE~3zzPR8r`>GYP2+Ax`F(XH=Nfr?QEw42CEq3-=z->Ri<qI$yh
zCAB(D@vF|q|8A#PwoL{j#`H?48DeSI*^$}3xH-`E<N0Na>$V?qHSerRowfdxkIu{K
zWbNN{qMz1tk%j(pt;=Qo9-KDxYl9vR%U^FNgn~9cetJ7$?|<rwYW>DG*x)CG@Jh8#
z7XAME;)sv~b436}R6@)9b+A6*o;^54HBj3r^{HzZE&*7_!lL%U3*HR0uhj@TAnZ~^
z-v^#>bD%mJ77lXbAy)G*o>s_59#K|7L4*(%yxXA9Oo`p$vQ)!<Dz_ds^S8ytY`jS(
zTDn#$6K(6eE{jydMp_gv)6)lT3sctNOI1yYYhvY%hfwBDSIzjSvD}fzgs5hcMD(pF
zCH16%luu*iBlP;qSG2C(FBl8H4KG6*=Z}h)qHZ|P93R}6{o)PG9IWJhbu7)g>~bRf
zpfILd-Iyt9_UzfI|LD0eBo;!Kar-ui&+sj{qT>e^=B=moI1Dpkv)OMSDkJKQhGc?A
zt0z9kyWw#|HPz-md&_@Ps7N+cTeWd!R{dS|fLO*;RV|K<8DkrDQ&TgVy}kNa{MTH8
zacwZhGt4s9U%}Z<B{s(|I!eG~DWc1h?09kg*HsYvOc-la{H3=HABTVTrOiR*>SeWE
zsvzlrUpk(39|ZMaqOE*}xz0x1`nT3}o+KJoHU-I<oKkhg5^GxZyIMC50wOaTUas59
zRl=}8pI%!Zrb>POc#^6iR<AO@jd?6Y!)l99G<womJ}}gh`huG;R8}^0YJPp50itVf
z9V@V9Gmd*Ze=%`7>2AiMtgcL5$HD78)+Lu`Y}D4w%5QZO(!YDm&}u^E=bLPr(=7nr
ztC++W(<qtqLjgidrvzBz1FNVU|JHpl1@Wt*1<SEnIU%YsX?7gW%=q9`XMCe_#wZ;<
zR@^tbO{=CeZ>b2k2VWV*>dyw4*BooISuyZ0o%}V0F=qy0z;G&tR@w>j|FBMQQ9mi5
zW_<pr!FyA+RI5wnC}?c(xp@PiXUC0MF6(hkSMW$o{qnPw0(oD5e^PoXN$2V0{;{Iz
zWa^v~s7Rt-v+K+#z{4Qp3^kL3l>I78z;${H*~)P!)*i{17J1m{EzRPjun#3rSsI)k
zT<o9xmuc%|dg|ck{XR#rj}M!^MA+{#5=_Zh4=8`6op=YJ@NCKn=>i@Vrp_6o6cuCi
zfKuO*^+*ETA$gI)uXn+vv-`1`>p^V6T$6AP>D8YVYh*P!I38I9z^-06Hf-c=<JUTp
z1Xayyhk4L;FIYMNQAu}qXCET-=;&-Tyz?q5<=M1rnGc-}KT~bFB1$yCO$)Qb6K}l8
zD8M2wJ4voO@}GNV@)Lo|n;!<EAn=A@W8=4lebE<kucCLysj8qC_1!{&H!Q?-r;Q_r
z_TiCNnHIY~tmy|85E0`#YFpX=nh^DGgYuH~g1^Of0~k@D>SK;?%lGo~d7{Q{ij&*I
zr1uOxT!Y!q;?gC9u+~Etq2S8k$A5KWKcTMyS*CRD*lHkey4+$r6^=p~w{`(S+BePj
zhk2s@&Wo3zuCJh<RZ)3@pa<xIpzJi=(wtreBYk3wti9|xEwZoFHn%I=Bz04<7>SZo
zN(iuVf4}Z@^^`U@C+c10)scQJ94)V4Q>md5rb~g>`^fM}&COjwgcE3nL5M5Hwi3w0
zdKr+9-Np<CCKga}9>m`aywYaVz#Vb1GP8AVvQA=~C5z<Z8ve7&!y~pE{d|X^UuDKy
z&{p#l_Wu@>PW}i_9|KP+3?=>t8nnJX!4<tV`k!A#cobh$n79wDseA8wO3c?Topio6
z?ydKX#;)Q0I+X)fF@PcHwVPZk$pfjx38DARvi*H}gA?Da;C@(u3`&Z~XjfPFRbw?{
zqpa*Ft-q~^Rl|BO)PKjL6UM~++*^5L_vA7p#32nksjh<(GESYIM@I}tVsTgiD`W32
zzfyjGp5%Mqq!;j?Ho{b*`83M~zm=Oe$e^g28HZ(#%)NI@ss`F>v*=ZJP5<h^g81}V
zlBaWXXM#2n*5Y*S<FoTdRielT^6RajO<;}mP?-b@B?)anT~Xs;9qwoNB~|Z*&G;Q-
ze_G(Wn_SyBph0^X>M?dlJE#H?FCo=(%FDA;`}WV-4~z=`EB32!7C$L2tdI;mza`eZ
zOa>5_JzEgsI9<;wq~{3r^|BFl$u(!UD2MM|)A33qSkKhUO)DU@h~3A)fbt`0GA4tB
zYbXJ&SinM3fVthlrNnV%QMCKsQf>nd9$r7ve49fW-}3{N2oCPp_3E7v@E>DNl}T&)
z#Xi*Y;RQ0pWxKX3l!aQMnPl(v;m3@4zLynhaRyirx*Lk<&cEm}D477TW6guz?gd7e
zWN>TOQd}qSN08=K_BY0=?zI-Ei`8znA8{I)dz}k0S-<`3pNssKL=x7c4O=;RP4gS}
zwvXfW6W4QfE;Vw{41Q4q*Uzbj(!?7lJHsg^bTp3Gqn_rdJns2=DFPpfXf7xw>3Mh}
zS_$Ayzk~34#`|T$pIH9jKwOlqZ99dsGH=#GuB^7NQI&dXA1?2<Icg$8l6VeHVFRVa
zM*Gv>{Hr!P(9h(|J7d{@4|a<2zj4k=l7?3W*08kOk2f4_SK#UndQ{G6Nj^u;)bhE0
z8IH=))%j;}Itg~E+u4TMa8|%O<Syv~G;fB{T_8j2!1g{S$R9GCnkGKLBz<S*lKmsb
zWg*e3JB1!$4Y{N&H%2*HXs=hB9oz27yOl3DuCP!2ZZ(9F0WPz#?&K>M0)VxnnaCOH
zryK!}LWg-@!g~6i?thN{v^^6*$Ghv=h`<aU>&$R}K1p4yH60`>>+9<apS%YKCb&m{
zY+2tMxs8x|&%LPM_iA<eS4+wcEKVSDy&z|QwJ}GQQ&u?`ot5>&4^Q6lT*6}<d_f&-
zN&S?~^V*;)^+EX-il4jVLvp>ZzC;!m)<|5M#We~3daNg{6uP~@gO(Vl87wECgTl*b
z7p&AcN!Viv=)yM@1xC0}k`MU*H!=wDA?$hj()vrSLZ>{Uu|~&4LHrWq3<wi)4$sV`
zf^@yjqJ*NEQr)4sVDqqGhRA`|!W(Nez}v5)!oos9Ypw2Bhh#2D1BY>ymzUlD<$XIx
z)`w~lm{91l)l#xI5MS@lU|?A&QNrZb(=%nKQhkIw6MynO+vx5{x)ZGpRw4NN7*NBo
zthp_S>|C;w4|`dp>sx>%?w4#c<N4c%y&rDaq46#U_d!&SOhDGjZ(+K;WRS@E51@#i
zdJ7kHp9U)2Cl(E?7<XXE-h`@r;SH!O02P8CcB}#^nj?cy201~xw6BfPZ<tmYDoFTe
zOuTW`>Kk3Re=|9+w%9#qjfb`$=2p|?7y5U5#9Wa1ebMS-Hr7mxiH85q#x+;EoNWzS
zUrYb!m&ULtyC}E`e|M~x$e5vdpK%5fe`09Xiqs{G8u)(g`Phw1{+r*VBdAc<vl})4
z$X|g8buS$=blkK(1kw%3V|)bB`0Do>5TS7cE4!8ymlm7Ne8y;-8k?_9XOx0^MEvjK
zAV2l@pZfl=j#bq&NFnnNGZN?7A`=ahQ78kDU18-K>a3>bw>G&kkW<WtuFS(Puku(&
zf0tl-$;_nImY@k-J=I(PDBjPIUs+7@Ih4HxHKHs+OQdFL!p*DV6~Pa8@XtW1=r>?S
zf1Iu2rY2B^*dB_@0;~GpTk)P0Uu||7n$*paE{JBKaGN`|#_a5inHdbwN>|`NMep&k
z({VG{UMz3G3WMOwAgUKnPF`v~rWu!_p*^OOB$ns-$G2+nW((B{zs%Lu`S3#O5o82j
ze#w3=8!JqNa5};V4Agd*r7Ym+FnB|j+iR4PTSGNhuj67y&j!4XTPdkVqOB-;aRGMr
z^!S9lDvZ23K{3c4eiRR!p<B|mw6J(%+-QXv{2mPr&ITG}(}^`htJ#XV@HDvA0!E%h
zL8elol*xQ2uX`|S5(MxZH%SODGTo&XvT}AAD~@O<LfGRpuxvN{s<##GN8a&L*4e9X
zfxy8GrrJRIR|A|An5Fbi@N_yy{h_jz#vrry=t4{NxKM8rSHQ%1Obo$pR#uknicS0S
zXn~a@5{f!LLm?Tb88`9M63ZI}Veif`s1h9il^3fM1~JE`i2#8|8QI(EQS&?cFyVx{
zN#VktOlu8TV*w&d?2G>O20F7}gy>-(>Xz+T?dLI+4)IRAP0`~IN&!{ShW9_$2Z)uR
z7?IGZ`A4jb)LN3kfs@+B-ajE-X_o|sv7AofxoH0NulZst8)^%0mlxuRtG4>8p;?7U
ziVt5}+t^=hEwjkZG(A04fEw6&lCzhtKZ(~FHhHw#0}hml%M;YRj@CCY67T%6t1(4$
z7Tt85h-^4Ywo5cyk*p)@3QxHlpU>y5_L~ASM`bY8y|^*Ho<fG$yM+RbiarAjxGoXe
zyc$;6SZY-WJDebthcEm<7bh5WFk5Ct^#PN<?8tQyXxyo?WKD@Me*nCz=!K(Uu3QpH
zI~nJLKu+JrfP%fYHMuUV!Aj<9V?})4Tv#=9w3cIex@myyKMyY*tI`3&Ni^jR`{p%)
zV49ZG(_pjR>M*4%o8G{4j0X0IZcGGV-rv2>z7m+m22cY!O`q`Hp9=O?r(RMAQ$fHq
z7~p<7z%jTT6~YDUbf>&aIp{|D;8+7<!Fu#QXl#Z85ov$*O)suq-6yT25tE5A&mA6$
z3H43C2PKbj9*jd%+`FWtmQOf4vPD3Bjg330M33T5j-3I=_GL-kmiQ-PaxfVdf}We-
zbXeQb)$gWg90U1YbmW(GpXX7|z6}BGaRJ8r4RlFf%Wi5hH00X^sH`TU_gW?_7e4F>
zF~8yF$yt|R-TC{?G~g_T#M4rx4OzN=r|u6)(Oa#B${D^mk3}ZQpg3ASmj;vA2qYjF
z5>ZrOFMd_D2*z$f^0Wx_h*4EF)mDk5e@M9MWLLtZXu87998vQV=U&gF%_e&@;$_$4
zRKj>-6I$rP=e6TK3Blh31E2K#Mby+Ze7EG)$7-&`#vSwmN%6=B*<VnSlDZ>fM%VgP
zH<C?OKqfxpCjll7yO9Bvrf?V%uFN2*ML}2i>iP&XDZp_-a=$1u(@bRTF|Uc57byd*
zg)c<4fDH09kz8tDa%t)2p^wK%lvh-HDI*!vkD!LbY)XhSjh&WOO7rQ`8hoy(jf6+H
zN6A@VF>gJvEBo>=VCC=6Is2%x6e-f|t}eDxlRL|=%B<IHrl^gTot51%p&w+48ksuA
zygFE3ij^^)r{9qsx=!Gsyz%z&iqpd#9H0KmRtJWRWw4N`8vf?%KSAX|Pm$~Th%5l$
z@-P{YjT9`V?fz40imu=Pvew}%D1+?V%#kfK_B%QSF~m;Xer{q@p$u4(6E{&w0i%$#
zsS-gDsKGv->ly6@==if8@Ni{`x8EteI8yKuseQES*EHm_NJ`Qo^VS!{??N>-RjR;(
zV(Ud@-)qz7WL$hQ{pu$YDyiq(JAO67E|I7od3Jz?x^l9t0dvx-_ag2T^VU==(wTQi
zXJ$z_%xi3No3`ZXaI>L~?}c`(pvfXewaS^k-}-W4;!|H<H2hp>ch9Ux$}Z@s1kQYw
zFIB%wiBz0S7ttXDw!Nt>W(+oRC6>_FlCda8y1j)u-Lr-TpV9ZE2&xn<#Okq+ip9T5
zmlIZ@$G(p~VoO@3@G)8K^xMpu(?=*VGk<-Cd5E4zug3hBdc^-1@w9X^B_Zq3)(je=
zd?s1D<9jN0``$Ole??Tdmxqih*A`86A2C0qtv37MY&{dq&K~=37pd$xxlY$tKYeZH
zmaLd~Nu2Ngj7$nDi(D6|yVosCy7u<09p5avISur@ueBTI@TLe2*zvNGPmEJlS8MA2
z)8E<HaFqm$9FyHsK5;U|k`QCSHMO|M_BrroU6gUxL?1|1M(tm(3p?&2c>N6a$#iv_
zIxRj`loxs~8R~Xji6MExmq_?;ueWZfGns0fk@xFOHj-hRK>qsN&M&W{rK{jK9{$WC
zjMCx{v!?tf;HlI%*e0%i`dL2we@qD*LcrxY+e>@xSHLTIXVOgmA^BDDKsdLMkdT(P
zHmUBy>|}9(ccI?n^ZL6xzZFDvb@hT28*`uEw|*@%Gfg8zs!FjxYvn6A_592+pBhVA
zlXOX~6A`f!D}o;T^xI1n=n}7v3QhDsp_~rVRPZ!3)-<yU`al0QQ+F4uedB$ouP&tb
z)_QMmTy5&`fJ1P|`Nole?aqPc)ZREIb`K@Ex}GWcIHg1*<E7I}&wkrH3zV4CCa0BV
z!p^yQKPF*6k3U`gyL6WmLDnw-<;87k-s^-=+7jYiVD>eqnz>ZP<N|PC+B%7SFVu3V
zk;5u<lkSO+66)`RxA@nX2Rf*F;k|W7AiiH>K`Cmmuiyc#FM|AA)~ca@5GQ!Y==fo!
zr>nE^zP|zkOFMA&X96ie8VlwvzOsR?be90|H)REMqx%ofEbo7G8Mr1OIPxd1oq#`U
zJ`;&~i{3$ln=8*G|9-ZsT*Azm&gdd*`#h2CemMn>k@|B&l!dmqJ{o+2N?eLXzgjX{
z5&X2YpBLme4Vy8WYibl}?Dz>+G7r=5d4r8|VHiLm`a+^-$_p!0bD6)!UyVoU>=2UJ
zb&pB6CLxXDwZHHJ@_Mvz`gaKLFGE;3xD~@|>V`i!p4uusq%+s5A1qp;3;=~BdL|z}
zbploa^Y2y;M$iF4XmDULmB%}CK=4y}fEi9=NqremBsSRF3^R-Y)huKpJ~w-MrG|nP
zPGVr=Bu_RPmM|X-nvDPmqhw%B2z^!*yw9$==P>Z`_)-RO&jK*&Up;BLz-F#{2`!|g
zQ6L|>yg3K52*Z9zO%erKk@vD-LeH<vbB>X62{!2cJ!#F~F($}%0${=cdm^MeY-sqN
z4AxkGU&V;I_(sISU_eHOR=P$XsgGoVBc9DeY6`aU@$qRH=J#=j4&Xo~KAF-HOT$33
zvXdq{U;R33U3Z`5A_OT)8!|t=JYFw5I(K{4&;FGTfoH2VH%ueTyI<EGz^A|IA^{;k
zNIdwIV?%*`0xQu6w}*vQB7lL`hZsQq+UYF5FpWTS(c5f2#2Yeg48i+I_iqjdtXxWb
z!oGn8OB7yi|6rH6JO=UfL7Yor!8`BEG?xZp=wolQzQ>2Nf1i5kBb$q$FQ+#IJd)5M
zj&KZOzpi02GB{5C=rY_#y&(<`3RPN6{CJL!j#t?U`Jl4j6L^Vz^Zh%f4ADmLSuLWD
zK$6+1UW<(qs_z#YFAz#;6~r?lE!Y#7ga_Y{FuJV(ARg!rv>%xzAI>Cv6mw34t5rI+
z?y^-g&8T;9Fs^qwZMy@BD>|KKLpHW9(Q7Hs2r;m-b@8?+eF7*K0HQb$JD3m`Jz(oG
zr?d=Vu>VKg&_r8KL87VoP9v9?*bVPO+Z~xe{tzA>9od1Fdf`ra$M#&+rHnxylcDOj
zC%>Ob_DV}eX6(SrFP|3FJ0*o@Bu1*PiL~n88!6Kg%ci#Hr}`V-(v|FJee=~Hp2@G}
z$&@7KB`<9Q)_-)yCtlNgl=wO2?D;d=bL4T(ufyusc~=rP?a0$#r%UZR`=G%c&C4M>
z0DzG2c@|)*Fhq2@&p}lJqw7w=HEu{9E-0@Xd6$vS`9$~X#NE^AoqV~@Zo}PQ4e?*I
zh4UD=#r8WC2=aaRoN1XuNqp5@?SX}Hj4cP}$n%F|jV3W7l}{9*)^peK1N$eXZr_a_
z_|l?&-_>qNNk1HGGH*rkTHjW2s({*~+-5X&t3^c$Q#bH*Zx`+w0)Lz%aQeSIQ}xt1
zb@8p^aSywZ_qdg_R54zTAWuiv>Pd%YpRfPxpXbAVlB!^Dc?$o%#kHt>S+>J3e)eOh
z6+&_2Nb^p<Z+2IG?uq|bm9gE2X7Rkc-?dy(EV@@nA<?`1Fk{X<4)s+O-hT<#Uy?y-
zgO)R@TOp|D*qfMJD%=|#t|MNaEzC>?17nhMw}HV1L<`B@lodwj(%n*N7E!j;#I0#w
zV;{h=@K|YI{VS84sJMy5v`4rI@tNEhw;A18>+H%KbXSmW=hkZ6NAOen4LIu;G)1R7
zsQg}-d_X?@nJK?Uq6HBF3}a+y_|{g{|7aL3t1A29nJ{MM=k$Ee#m1mKb7P6ja7M31
zZW{$6P2KZV#)*GZA~+~T6q*_ih{%y3y{&}kj&9ut8-1c`t@FIPuOg|EeIIx}A&)lZ
zEPS;xNEAD?pY8Q}i1AQd;XZvc8$@{)Z=!Txlcl&0l645YTk(GB8xj{GtNDt*Pygw<
z$?cP@ayEbO??-v4Y^VQ#sy(B$Cf<M3PDLA6hr}$)D?1O09~1(l))^fJjGP171dr|y
z>TSx9@|hlw=ezeR!<Wd=Rg9HrQb5)?t2SCimcjNy?;?B?&ncYu9aGk=?{F+!XS!@Y
zMjHK#i8W7(@Pe}y3=b62o#oNJuOP2b<AKMwB+U^fo{$V2x?6JmDO5C4%gu&0W8My+
zsp9=0H~MvVQVyOJ&t=>a`SI@O`p(8#wf1sx<FV9v+@5|}GIoohQU&gepZ}zq{pRDF
zTlTN<sK<8}9{4f9K8dK)6y1@t3Z??~sOnhV0nUu10m5MMErbKNZ`A`kcl8DZ*KStG
z`QpDRGW+HXK>mL{S1bQlm)_B=kl^`$7@;f_#R#;UA?8T!rKx@yv&CUiU-AQvjo%Kv
z>3AicO%vMEgRJjg_*kF;;0C4LIFA^TWTn?ObA1+gKB$+5uu(tn$f_kYMjXeoqywef
zBbWgfB}NQ43XDj!2CDli`d!UKuO36U{-HgJabQ4xDw(x>*S-sVuw>3dWAH>tnu^lv
zs{!NDa>WWT8R_&K;E_(U_Ffyt|AbAa-Ufcrly2bY9`w+|<}HG9kLM$M83}j<7A7pD
zd6m(nMxP!Ij|)>`^#&^6eveKdjb!QFKPL*7;dr{jg1wPU@$^0wGEUG*-TnK6#_fB8
z>y#x4p}yY7x#8_h`xO4c{Q=|W>4q{=Hcj{tIpri=tl~GaI*2n$N(N4+Xkw%VYAvk^
z_g?g}Y4`;&Jg&`Je+mcljbH%4#Q{%g=VeVtPy&B*^S(J$asfRe3ai(PRrQ>c@dBHv
z=VE<)-=w#ClQ1AMz4f<cFyU>~n~=gLjl~yThJ&LInmy^rsRg|KMxa9&(qfA@%fIt5
z^M&5E5;Wx=RPQXISUzp^0!bBvD1QaSVD$ym3}?L?&___O%W4=1FIw@nbSCy#n$(l`
ztN>$UG<jxgClVj1e^_-gRYV8}uLvvOJ`e)`{+xmtB!}PbPN`xKAu&$*Os=nUt-r$o
z%|n>nm-4W1+?nR*%U<6b%g3f>e<aR2dhD;>&;PW+q`j-FyB(zHT3cbLZ`LSC$SRMZ
zqnRBS!0zGgDI^G1qTiAw6*0qWV~3S3nvquUlGy47inv2($fCUN5a}#i5?wfupb!ir
zg5boSK3xz~|Jxdl6bS9j>H{Ws$9yQp7`2aLe0#uQY4~H58_tb*0Imrl{fu>SUN5c~
zhkg?ekjRnOg_=*r9e4kJ)jt#He`yxNAi2_8?DB-Q{y>jTA0iW)03W@AAYM^8etS$v
zR^r;gfZY;BVf~GSh<rDOV2v}RZJdTxSHFa<6!@qGp!9%Ya)ksvzCj+cre*m*Kl?q)
ztR)k<b0&I@gR7NgWzoVrZO+u0g;t_<-g-K^Q_o$sRD-19zo@kVaiPlD#10<7tlyvU
z!>GU+LLC#IFrRa!at-Du_Cn~ts5!(;R?W0(?JogY{ly${3;y@5^RlLuZ{;|;|GU~y
z-IZxR>~2*xi<x~_A@{Odgyd*n;gM#5RJAj$t!dd-yY}OrN!}BJ_^7WjoduDtkz`}x
zm0xGp=$TOS!eBck3OdmkEU8D@b-l<naHr2Ke53=ydu1uVksvUvBz^T}ez-6<;05!%
zN~~B_(NA-#IXi~x7-vz|nS({K+u;^FBz#*3@0C|~++)QWct2}wy-Z9TmJG2c5|YfQ
z-dR~6ysvQQzDv26dn^B&K%!vVFYV9DEN=sd;W`zEH0+vzr@IEJ(S@(uwr00P<eC&q
zytr4ri#bOG!b%rKK91PUU1P(vm!tN3sx^f8Os9$?{eq@yiV28gzr5)aj3HjIau|Y|
zqFbcOXx&O4*xcgoYInN1U<9v0rV=1DK$8aE!>6ubCD6?qgE=O}-lxyCQi44TgJOWE
z!+IXt+z5eQ?Ejvma1)K>I;Kji<@l+CNa!fCDa)>*A5pvZz|jd@@`K=uo>*J-&R(@)
z1)9MtxI|5sCY=j2L#~4YqatDoLgw~_*5Rl3-MhBt-&@JTC!5XAsF+$9dR^MH<8!6`
z(_bdqwcScDH93{0-3gc^lp~{~XmvW7yxgjd@2cT8%g5eK_xyzMG=jxQWs%(2m9gG%
zxSW1?Nyv<JPeD&9qp#_slz3M8Azon}%W#<A-r8Z5&(~ia^95+-(SH_4Rk-MyT>>m>
zqv-sNU7h}AhDT?Do8!f=k|`_kxaiGeALVrEUDa>Xo!I;f1ClNk2NXG!IkwvkRK810
zb#M7i*ELftl-+d;Nk2t*#j`fax4sW}if-=zaNZH3kbI~v4q^I&bX_>ZZGpvEKN@B@
zEm9{zDr8wHy!L^0<j-D5YF8X@tf3I8-8`G$6W__~_4X#hO(5)t)hGd2(DuHlCmrdr
zbauj!p~T-4Z<~xw#JK`wxG{{GDQf{e9=nL3(#NMyx3t*wn^b979ZEA^H=x~m>YVHz
z4)i1cxdiXx(5r7<YW~MAMz`E`8BcPs#xrU0yH~`H=-ujLk%6%oX1RLO3L7|Fp|K-i
zY{wq}pL77J&j2MZ#A>&hEH?KYM1nA1WTJ4FLXNAtIu^zCex`Rwf(UB1LoL~MVWpaj
z2RurY0GxQJ+)(|9LC%h(NnOm|3_lMNRJXhBG9U-aewF!sV3GXU$#<~y)x-*``k4mA
z(OE3Q3T6lfLAhZ&U&+8&z}Amd07+MfgfA%$xDgKnkE}9#@i06Qtw#ek*h1rIu`4l*
zUPCmd)m75J&5jDh;(P_shsuPS?FY<p*1|-~r`oGd{@pX+2vd;Sqo^xs3Ev1U)@{=H
z=!lO2&6}y038OJ<Cgae{d5SsnHuRf#^+)8&EJfnf@hE~pZtSBBZLz(9*(gmru!VxX
z>=B#Ha}FKSc*xN|%o`>V+WQZB2!lnOlduv9|LLK9fUb!j>4?!no8G!j{;}vk)DAk1
zG7N+oP-y;C2Vn=D76taX$(}*sy-2F$x<RrXCp@yjvP7dvFW`2t9H~dpeKLgeS?n#G
zK)Y&o-wH61Xntbh)djuI+wNsk@jDiMF@e8E08s$!0?l3N1JHhXW(SoARAb`V3t2F5
z0e-&U*g2Dd@Gtpea0ld}ZMgW3oR&kf&&hlg`yybXN*^yoAT%B?eLmkP6^-?(cB-WX
zU`<W=XNYR@qAnsIUextHT{Xx95iC*`R&h7cV{MlP^D!dr6U5}UWe-+LmMsbB)gChm
z>7<3$RulD1^d@{8fgCR?6QQ5{rG>2yKA|PPRq7`lW+mai96SZXKBX7}B@BXy7UFH2
z`KH>68caSBD)l}vViHR9>?{67GuNM{S@$!OIw}VLquexgkf%j)id1Qw%(FDak-lE9
z5_*`Nx=EuoUgaA2Xt!ZC^1lHkUYS`_Bop$?Ih@$1Fxa&gY}A&Uk=C~=if`Ge=3-7S
z5aZ?iplYPHQc4<X4kM=--adVoQ}IT7&gi&#gfR%s^ZVSjI_aN6_j!kUJu@Dm*Kz~p
z3&JU#MUB=6R=N)iBzf*v&=%gIXoMI3*~g{*R9259|38ITImMjKaXzgLrTWJ~198?C
zCUB;r_yW*ef?Y+img<u3fZsUdxo9J?_>}VWyy3)$M+e5l3zqU>GrHO-dvX3e{%J-+
zVx+*5)3>bD8LD%W%a_$mtjB7qr(o*L*N(P%`EaS<=p=G@6g0ynYP)o?%?^L4=%_G9
z3aU~YS!)xFHE*uSFDdkF`EezaB?%w&@7IA?%axO6V(f?f+XR=M#VNfkrBjfFeQiL@
zkJD@+l6gHFlL$E1317|A_8E|F8NcSRkZ696Zl<UDMC+F@DC}`75oPk4FaRrnzOApy
zkI5jO5gHb;q8(hxnALkXtLgzQe-Gmhy%iGwm0KLT@kX|nWoo0msWN1L?nykj9+>y{
zThHC%UkGvgDL-Mb&F-RHjSUD2DEGPx)@6DsxaVC}>%yF1PCSEH>al#^K!ei`Z2*o;
z`+;kEQrPS1q@hGG;{w}@*RaM{0UqVV_RO^wK7s~MQnd7jj1{a63Hpq8>Nk9Qs_n)^
zc)}DrLJ5J~ZJ@PAE+_T)_>GyEEvBT^l7ZfB<3-N*kXK{vKNyZ#NGdiSkeQwH?yp--
zo6>}LH9c?GRl7sauYy5f?;VrDziw2>X|Jr2CYB^whvY4t0mEVidiE$!*j1z*kwJ}f
zh|OFX5I>l=H&FZqEnrjRpAW%0x(qb@c0~Xt8DYdAL($=~<3AZx(}B-Oe4mdyE0+5I
fKTnPbe<D0Awe*!w!r4Yn%L7ytG~}yffua8g?Lqfd


From 2f71ee71b9597539d9f6295a25e02f401014953c Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 29 Jun 2022 06:49:26 +0000
Subject: [PATCH 232/258] build(deps): bump django from 3.2.12 to 3.2.13 in
 /requirements

Bumps [django](https://github.com/django/django) from 3.2.12 to 3.2.13.
- [Release notes](https://github.com/django/django/releases)
- [Commits](https://github.com/django/django/compare/3.2.12...3.2.13)

---
updated-dependencies:
- dependency-name: django
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 requirements/requirements.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/requirements/requirements.txt b/requirements/requirements.txt
index 6c509c88c..afe9b7179 100644
--- a/requirements/requirements.txt
+++ b/requirements/requirements.txt
@@ -62,7 +62,7 @@ jsonfield2==4.0.0.post0
 geoip2==4.5.0
 ipip-ipdb==1.6.1
 # Django environment
-Django==3.2.12
+Django==3.2.13
 django-bootstrap3==14.2.0
 django-filter==2.4.0
 django-formtools==2.2

From 4537e30e4afb6ec9dff7b406b34db35572ec7399 Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Tue, 5 Jul 2022 20:27:04 +0800
Subject: [PATCH 233/258] =?UTF-8?q?perf:=20=E4=BF=AE=E6=94=B9=E9=A2=9C?=
 =?UTF-8?q?=E8=89=B2?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/templates/_head_css_js.html | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/templates/_head_css_js.html b/apps/templates/_head_css_js.html
index 36766bd5c..d72e29002 100644
--- a/apps/templates/_head_css_js.html
+++ b/apps/templates/_head_css_js.html
@@ -22,5 +22,5 @@
 </style>
 
 <script>
-  document.documentElement.style.setProperty('--primary-color', "{{ PRIMARY_COLOR }}");
+  document.documentElement.style.setProperty('--primary-color', "{{ INTERFACE.primary_color }}");
 </script>

From 0f11ca9c3788a93a1ac9a7fba1af9b80c6ecefe8 Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Wed, 6 Jul 2022 17:26:09 +0800
Subject: [PATCH 234/258] =?UTF-8?q?perf:=20=E4=BF=AE=E6=94=B9=E7=BF=BB?=
 =?UTF-8?q?=E8=AF=91=20(#8543)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* perf: 修改翻译

* perf: 优化 flash msg page

* perf: 修改 i18n

* perf: 修改 i18n

Co-authored-by: ibuler <ibuler@qq.com>
---
 .gitignore                                   |  3 +-
 apps/jumpserver/context_processor.py         |  4 +-
 apps/jumpserver/urls.py                      |  4 +-
 apps/locale/ja/LC_MESSAGES/django.mo         |  4 +-
 apps/locale/ja/LC_MESSAGES/django.po         | 47 +++++++++++++-------
 apps/locale/zh/LC_MESSAGES/django.mo         |  4 +-
 apps/locale/zh/LC_MESSAGES/django.po         | 47 +++++++++++++-------
 apps/templates/_base_only_content.html       | 10 +++--
 apps/templates/_copyright.html               |  5 ++-
 apps/templates/_head_css_js.html             |  5 ++-
 apps/templates/flash_message_standalone.html |  1 -
 11 files changed, 84 insertions(+), 50 deletions(-)

diff --git a/.gitignore b/.gitignore
index d4f2e57bf..ec0378141 100644
--- a/.gitignore
+++ b/.gitignore
@@ -31,7 +31,6 @@ media
 celerybeat.pid
 django.db
 celerybeat-schedule.db
-data/static
 docs/_build/
 xpack
 xpack.bak
@@ -41,4 +40,4 @@ logs/*
 release/*
 releashe
 /apps/script.py
-data/certs
+data/*
diff --git a/apps/jumpserver/context_processor.py b/apps/jumpserver/context_processor.py
index 1df4ebb17..a02f38838 100644
--- a/apps/jumpserver/context_processor.py
+++ b/apps/jumpserver/context_processor.py
@@ -10,8 +10,8 @@ default_interface = dict((
     ('login_image', static('img/login_image.jpg')),
     ('favicon', static('img/facio.ico')),
     ('login_title', _('JumpServer Open Source Bastion Host')),
-    ('theme', 'classic'),
-    ('primary_color', '#1ab394'),
+    ('theme', 'classic_green'),
+    ('theme_info', None),
 ))
 
 default_context = {
diff --git a/apps/jumpserver/urls.py b/apps/jumpserver/urls.py
index 707209f7a..ef654fddf 100644
--- a/apps/jumpserver/urls.py
+++ b/apps/jumpserver/urls.py
@@ -46,8 +46,8 @@ if settings.XPACK_ENABLED:
 
 
 apps = [
-    'users', 'assets', 'perms', 'terminal', 'ops', 'audits', 'orgs', 'auth',
-    'applications', 'tickets', 'settings', 'xpack',
+    'users', 'assets', 'perms', 'terminal', 'ops', 'audits',
+    'orgs', 'auth', 'applications', 'tickets', 'settings', 'xpack',
     'flower', 'luna', 'koko', 'ws', 'docs', 'redocs',
 ]
 
diff --git a/apps/locale/ja/LC_MESSAGES/django.mo b/apps/locale/ja/LC_MESSAGES/django.mo
index 90cd914ec..b1be6955d 100644
--- a/apps/locale/ja/LC_MESSAGES/django.mo
+++ b/apps/locale/ja/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:21921ae6acb8a8a8ea7bb3e1a24e0a730e6698d080fec98fa1416fbad925e8de
-size 126420
+oid sha256:ba75ec2955d452a16930dbd845c8091de4d3cbe0c5b5ccb18f8deb28d7bf3809
+size 126865
diff --git a/apps/locale/ja/LC_MESSAGES/django.po b/apps/locale/ja/LC_MESSAGES/django.po
index 65f9ab3fb..8668dd892 100644
--- a/apps/locale/ja/LC_MESSAGES/django.po
+++ b/apps/locale/ja/LC_MESSAGES/django.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-07-04 15:10+0800\n"
+"POT-Creation-Date: 2022-07-06 16:47+0800\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -1993,11 +1993,11 @@ msgstr "パスワードが無効です"
 msgid "Your password is too simple, please change it for security"
 msgstr "パスワードがシンプルすぎるので、セキュリティのために変更してください"
 
-#: authentication/errors/redirect.py:88 authentication/mixins.py:313
+#: authentication/errors/redirect.py:87 authentication/mixins.py:313
 msgid "You should to change your password before login"
 msgstr "ログインする前にパスワードを変更する必要があります"
 
-#: authentication/errors/redirect.py:97 authentication/mixins.py:320
+#: authentication/errors/redirect.py:95 authentication/mixins.py:320
 msgid "Your password has expired, please reset before logging in"
 msgstr ""
 "パスワードの有効期限が切れました。ログインする前にリセットしてください。"
@@ -2210,7 +2210,7 @@ msgid "Need MFA for view auth"
 msgstr "ビューオートのためにMFAが必要"
 
 #: authentication/templates/authentication/_mfa_confirm_modal.html:20
-#: templates/_modal.html:23 templates/flash_message_standalone.html:34
+#: templates/_modal.html:23 templates/flash_message_standalone.html:37
 #: users/templates/users/user_password_verify.html:20
 msgid "Confirm"
 msgstr "確認"
@@ -2698,7 +2698,7 @@ msgstr "アカウントを正常に作成"
 msgid "Your account has been created successfully"
 msgstr "アカウントが正常に作成されました"
 
-#: jumpserver/context_processor.py:17
+#: jumpserver/context_processor.py:12
 msgid "JumpServer Open Source Bastion Host"
 msgstr "JumpServer オープンソースの要塞ホスト"
 
@@ -4573,7 +4573,7 @@ msgstr "確認コードが送信されました"
 msgid "Home page"
 msgstr "ホームページ"
 
-#: templates/flash_message_standalone.html:25 tickets/const.py:20
+#: templates/flash_message_standalone.html:28 tickets/const.py:20
 msgid "Cancel"
 msgstr "キャンセル"
 
@@ -4618,10 +4618,6 @@ msgstr ""
 "Jmservisorはwindowsリモートアプリケーションパブリケーションサーバでリモートア"
 "プリケーションを引き出すためのプログラムです"
 
-#: templates/rest_framework/base.html:128
-msgid "Filters"
-msgstr "フィルター"
-
 #: terminal/api/endpoint.py:26
 msgid "Not found protocol query params"
 msgstr "プロトコルクエリパラメータが見つかりません"
@@ -6698,27 +6694,31 @@ msgstr "デフォルトの復元に成功しました。"
 msgid "Interface settings"
 msgstr "インターフェイスの設定"
 
-#: xpack/plugins/interface/models.py:16
+#: xpack/plugins/interface/models.py:22
 msgid "Title of login page"
 msgstr "ログインページのタイトル"
 
-#: xpack/plugins/interface/models.py:20
+#: xpack/plugins/interface/models.py:26
 msgid "Image of login page"
 msgstr "ログインページのイメージ"
 
-#: xpack/plugins/interface/models.py:24
+#: xpack/plugins/interface/models.py:30
 msgid "Website icon"
 msgstr "ウェブサイトのアイコン"
 
-#: xpack/plugins/interface/models.py:28
+#: xpack/plugins/interface/models.py:34
 msgid "Logo of management page"
 msgstr "管理ページのロゴ"
 
-#: xpack/plugins/interface/models.py:32
+#: xpack/plugins/interface/models.py:38
 msgid "Logo of logout page"
 msgstr "ログアウトページのロゴ"
 
-#: xpack/plugins/interface/models.py:36
+#: xpack/plugins/interface/models.py:40
+msgid "Theme"
+msgstr "テーマ"
+
+#: xpack/plugins/interface/models.py:43
 msgid "Interface setting"
 msgstr "インターフェイスの設定"
 
@@ -6749,3 +6749,18 @@ msgstr "究極のエディション"
 #: xpack/plugins/license/models.py:77
 msgid "Community edition"
 msgstr "コミュニティ版"
+
+#~ msgid "Classic green"
+#~ msgstr "クラシックグリーン"
+
+#~ msgid "Chinese red"
+#~ msgstr "チャイナレッド"
+
+#~ msgid "Tech blue"
+#~ msgstr "テクノロジーブルー"
+
+#~ msgid "Deep black"
+#~ msgstr "深き黒"
+
+#~ msgid "Filters"
+#~ msgstr "フィルター"
diff --git a/apps/locale/zh/LC_MESSAGES/django.mo b/apps/locale/zh/LC_MESSAGES/django.mo
index 85423db9c..92b8e52cb 100644
--- a/apps/locale/zh/LC_MESSAGES/django.mo
+++ b/apps/locale/zh/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:d2adfbe7d62b5a1b148450aeb6f327020a1f9fdf686cfa500db775032c3642e9
-size 104353
+oid sha256:bfbd815ff09d4b7c5f64af1eb745b81937a267d469ffbcba93c849feada2a8a8
+size 104695
diff --git a/apps/locale/zh/LC_MESSAGES/django.po b/apps/locale/zh/LC_MESSAGES/django.po
index cba68207c..cf215a3fb 100644
--- a/apps/locale/zh/LC_MESSAGES/django.po
+++ b/apps/locale/zh/LC_MESSAGES/django.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: JumpServer 0.3.3\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-07-04 15:10+0800\n"
+"POT-Creation-Date: 2022-07-06 16:47+0800\n"
 "PO-Revision-Date: 2021-05-20 10:54+0800\n"
 "Last-Translator: ibuler <ibuler@qq.com>\n"
 "Language-Team: JumpServer team<ibuler@qq.com>\n"
@@ -1973,11 +1973,11 @@ msgstr "您的密码无效"
 msgid "Your password is too simple, please change it for security"
 msgstr "你的密码过于简单，为了安全，请修改"
 
-#: authentication/errors/redirect.py:88 authentication/mixins.py:313
+#: authentication/errors/redirect.py:87 authentication/mixins.py:313
 msgid "You should to change your password before login"
 msgstr "登录完成前，请先修改密码"
 
-#: authentication/errors/redirect.py:97 authentication/mixins.py:320
+#: authentication/errors/redirect.py:95 authentication/mixins.py:320
 msgid "Your password has expired, please reset before logging in"
 msgstr "您的密码已过期，先修改再登录"
 
@@ -2189,7 +2189,7 @@ msgid "Need MFA for view auth"
 msgstr "需要 MFA 认证来查看账号信息"
 
 #: authentication/templates/authentication/_mfa_confirm_modal.html:20
-#: templates/_modal.html:23 templates/flash_message_standalone.html:34
+#: templates/_modal.html:23 templates/flash_message_standalone.html:37
 #: users/templates/users/user_password_verify.html:20
 msgid "Confirm"
 msgstr "确认"
@@ -2668,7 +2668,7 @@ msgstr "创建账号成功"
 msgid "Your account has been created successfully"
 msgstr "你的账号已创建成功"
 
-#: jumpserver/context_processor.py:17
+#: jumpserver/context_processor.py:12
 msgid "JumpServer Open Source Bastion Host"
 msgstr "JumpServer 开源堡垒机"
 
@@ -4506,7 +4506,7 @@ msgstr "验证码已发送"
 msgid "Home page"
 msgstr "首页"
 
-#: templates/flash_message_standalone.html:25 tickets/const.py:20
+#: templates/flash_message_standalone.html:28 tickets/const.py:20
 msgid "Cancel"
 msgstr "取消"
 
@@ -4546,10 +4546,6 @@ msgid ""
 "Remote Application publisher"
 msgstr "Jmservisor 是在 windows 远程应用发布服务器中用来拉起远程应用的程序"
 
-#: templates/rest_framework/base.html:128
-msgid "Filters"
-msgstr "过滤"
-
 #: terminal/api/endpoint.py:26
 msgid "Not found protocol query params"
 msgstr ""
@@ -6606,27 +6602,31 @@ msgstr "恢复默认成功！"
 msgid "Interface settings"
 msgstr "界面设置"
 
-#: xpack/plugins/interface/models.py:16
+#: xpack/plugins/interface/models.py:22
 msgid "Title of login page"
 msgstr "登录页面标题"
 
-#: xpack/plugins/interface/models.py:20
+#: xpack/plugins/interface/models.py:26
 msgid "Image of login page"
 msgstr "登录页面图片"
 
-#: xpack/plugins/interface/models.py:24
+#: xpack/plugins/interface/models.py:30
 msgid "Website icon"
 msgstr "网站图标"
 
-#: xpack/plugins/interface/models.py:28
+#: xpack/plugins/interface/models.py:34
 msgid "Logo of management page"
 msgstr "管理页面logo"
 
-#: xpack/plugins/interface/models.py:32
+#: xpack/plugins/interface/models.py:38
 msgid "Logo of logout page"
 msgstr "退出页面logo"
 
-#: xpack/plugins/interface/models.py:36
+#: xpack/plugins/interface/models.py:40
+msgid "Theme"
+msgstr "主题"
+
+#: xpack/plugins/interface/models.py:43
 msgid "Interface setting"
 msgstr "界面设置"
 
@@ -6658,5 +6658,20 @@ msgstr "旗舰版"
 msgid "Community edition"
 msgstr "社区版"
 
+#~ msgid "Classic green"
+#~ msgstr "经典绿"
+
+#~ msgid "Chinese red"
+#~ msgstr "中国红"
+
+#~ msgid "Tech blue"
+#~ msgstr "科技蓝"
+
+#~ msgid "Deep black"
+#~ msgstr "深邃黑"
+
+#~ msgid "Filters"
+#~ msgstr "过滤"
+
 #~ msgid "Code is invalid, {}"
 #~ msgstr "验证码无效: {}"
diff --git a/apps/templates/_base_only_content.html b/apps/templates/_base_only_content.html
index f495a3b1e..87a4c9870 100644
--- a/apps/templates/_base_only_content.html
+++ b/apps/templates/_base_only_content.html
@@ -27,10 +27,12 @@
         <div class="row">
             <div class="col-md-12">
                 <div class="ibox-content">
-                    <img src="{{ INTERFACE.logo_logout }}" style="margin: auto" width="50" height="50">
-                    <h2 class="font-bold" style="display: inline">{% block title %}{% endblock %}</h2>
-                    <h1></h1>
-                    {% block content %} {% endblock %}
+                    <h2 class="font-bold">
+                        {% block title %}{% endblock %}
+                    </h2>
+                    <div style="margin: 10px 0">
+                        {% block content %} {% endblock %}
+                    </div>
                 </div>
             </div>
         </div>
diff --git a/apps/templates/_copyright.html b/apps/templates/_copyright.html
index 241a5cfe4..d231d1e95 100644
--- a/apps/templates/_copyright.html
+++ b/apps/templates/_copyright.html
@@ -1,2 +1,3 @@
-{#{% load i18n %}#}
-{#<strong>Copyright</strong> {{ COPYRIGHT }}#}
\ No newline at end of file
+{% if not USE_XPACK %}
+<strong>Copyright</strong> {{ COPYRIGHT }}
+{% endif %}
diff --git a/apps/templates/_head_css_js.html b/apps/templates/_head_css_js.html
index d72e29002..2256882c5 100644
--- a/apps/templates/_head_css_js.html
+++ b/apps/templates/_head_css_js.html
@@ -22,5 +22,8 @@
 </style>
 
 <script>
-  document.documentElement.style.setProperty('--primary-color', "{{ INTERFACE.primary_color }}");
+  const theme = "{{ INTERFACE.theme }}";
+  if (theme && theme.colors && theme.colors['--color-primary']) {
+    document.documentElement.style.setProperty('--primary-color', theme.colors['--color-primary']);
+  }
 </script>
diff --git a/apps/templates/flash_message_standalone.html b/apps/templates/flash_message_standalone.html
index 3b1196db1..61b431b9a 100644
--- a/apps/templates/flash_message_standalone.html
+++ b/apps/templates/flash_message_standalone.html
@@ -46,7 +46,6 @@
 <script>
     var message = ''
     var time = '{{ interval }}'
-
     {% if error %}
         message = '{{ error }}'
     {% else %}

From 1b4d389f2bb4b5cb578ba6a33294692e017a4a44 Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Thu, 7 Jul 2022 15:41:26 +0800
Subject: [PATCH 235/258] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=E5=88=9B?=
 =?UTF-8?q?=E5=BB=BA=E5=85=B1=E4=BA=AB=E4=BC=9A=E8=AF=9D=E9=93=BE=E6=8E=A5?=
 =?UTF-8?q?=E6=97=B6=20created=5Fby=20=E5=AD=97=E6=AE=B5=E9=95=BF=E5=BA=A6?=
 =?UTF-8?q?=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/terminal/serializers/sharing.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/apps/terminal/serializers/sharing.py b/apps/terminal/serializers/sharing.py
index 9ae1438f3..faf4515ad 100644
--- a/apps/terminal/serializers/sharing.py
+++ b/apps/terminal/serializers/sharing.py
@@ -2,6 +2,7 @@ from rest_framework import serializers
 from django.utils.translation import ugettext_lazy as _
 from orgs.mixins.serializers import OrgResourceModelSerializerMixin
 from common.utils.random import random_string
+from common.utils.common import pretty_string
 from ..models import SessionSharing, SessionJoinRecord
 
 __all__ = ['SessionSharingSerializer', 'SessionJoinRecordSerializer']
@@ -33,7 +34,7 @@ class SessionSharingSerializer(OrgResourceModelSerializerMixin):
         session = validated_data.get('session')
         if session:
             validated_data['creator_id'] = session.user_id
-            validated_data['created_by'] = str(session.user)
+            validated_data['created_by'] = pretty_string(str(session.user), max_length=32)
             validated_data['org_id'] = session.org_id
         return super().create(validated_data)
 

From bf7c05f753db8c16cc93f16ea78c5216a4f9c878 Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Thu, 7 Jul 2022 17:07:57 +0800
Subject: [PATCH 236/258] =?UTF-8?q?fix:=20=E8=B0=83=E6=95=B4confirm=20(#85?=
 =?UTF-8?q?54)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: feng626 <1304903146@qq.com>
---
 apps/authentication/const.py               | 4 +++-
 apps/authentication/serializers/confirm.py | 2 +-
 apps/common/permissions.py                 | 2 +-
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/apps/authentication/const.py b/apps/authentication/const.py
index ffe92ffbf..d85afed75 100644
--- a/apps/authentication/const.py
+++ b/apps/authentication/const.py
@@ -18,7 +18,9 @@ class ConfirmType(TextChoices):
     @classmethod
     def get_can_confirm_types(cls, confirm_type):
         start = cls.values.index(confirm_type)
-        return cls.values[start:]
+        types = cls.values[start:]
+        types.reverse()
+        return types
 
     @classmethod
     def get_can_confirm_backend_classes(cls, confirm_type):
diff --git a/apps/authentication/serializers/confirm.py b/apps/authentication/serializers/confirm.py
index 3133a8cf4..9c0da463c 100644
--- a/apps/authentication/serializers/confirm.py
+++ b/apps/authentication/serializers/confirm.py
@@ -7,4 +7,4 @@ from ..const import ConfirmType, MFAType
 class ConfirmSerializer(serializers.Serializer):
     confirm_type = serializers.ChoiceField(required=True, allow_blank=True, choices=ConfirmType.choices)
     mfa_type = serializers.ChoiceField(required=False, allow_blank=True, choices=MFAType.choices)
-    secret_key = EncryptedField()
+    secret_key = EncryptedField(allow_blank=True)
diff --git a/apps/common/permissions.py b/apps/common/permissions.py
index 7242c255b..3000b9533 100644
--- a/apps/common/permissions.py
+++ b/apps/common/permissions.py
@@ -33,7 +33,7 @@ class WithBootstrapToken(permissions.BasePermission):
 
 
 class UserConfirmation(permissions.BasePermission):
-    ttl = 300
+    ttl = 60 * 5
     min_level = 1
     confirm_type = ConfirmType.ReLogin
 

From 0e6dbb3e5d50e8ab180c802d10acec0c99bd08c7 Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Thu, 7 Jul 2022 18:48:06 +0800
Subject: [PATCH 237/258] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=20ES=20?=
 =?UTF-8?q?=E5=AD=98=E5=82=A8=20config=20=E8=A2=AB=E4=BF=AE=E6=94=B9?=
 =?UTF-8?q?=E7=9A=84=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/terminal/models/storage.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/apps/terminal/models/storage.py b/apps/terminal/models/storage.py
index 4ddab1bcc..555c44aea 100644
--- a/apps/terminal/models/storage.py
+++ b/apps/terminal/models/storage.py
@@ -85,7 +85,8 @@ class CommandStorage(CommonStorageModelMixin, CommonModelMixin):
         config = self.config
         if self.type_es and config.get('INDEX_BY_DATE'):
             engine_mod = import_module(TYPE_ENGINE_MAPPING[self.type])
-            store = engine_mod.CommandStore(config)
+            # 这里使用一个全新的 config, 防止修改当前的 config
+            store = engine_mod.CommandStore(self.config)
             store._ensure_index_exists()
             index_prefix = config.get('INDEX') or 'jumpserver'
             date = local_now_date_display()

From 06375110b9256c37780f97e480728237f1feb8bf Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Mon, 11 Jul 2022 10:48:01 +0800
Subject: [PATCH 238/258] =?UTF-8?q?fix:=20=E4=BF=AE=E6=94=B9mfa=20check=20?=
 =?UTF-8?q?=E5=88=A4=E6=96=AD=20(#8561)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: feng626 <1304903146@qq.com>
---
 apps/authentication/confirm/mfa.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/authentication/confirm/mfa.py b/apps/authentication/confirm/mfa.py
index aee272e9d..a9d3dd1ab 100644
--- a/apps/authentication/confirm/mfa.py
+++ b/apps/authentication/confirm/mfa.py
@@ -8,7 +8,7 @@ class ConfirmMFA(BaseConfirm):
     display_name = 'MFA'
 
     def check(self):
-        return self.user.active_mfa_backends
+        return self.user.active_mfa_backends and self.user.mfa_enabled
 
     @property
     def content(self):

From 7047e445a30713ebd789bdbc1c908e6fa82e2407 Mon Sep 17 00:00:00 2001
From: feng626 <1304903146@qq.com>
Date: Fri, 8 Jul 2022 13:35:32 +0800
Subject: [PATCH 239/258] =?UTF-8?q?feat:=20=E4=B8=8B=E8=BD=BD=E9=A1=B5?=
 =?UTF-8?q?=E9=9D=A2=E6=B7=BB=E5=8A=A0=E7=A6=BB=E7=BA=BF=E6=92=AD=E6=94=BE?=
 =?UTF-8?q?=E5=99=A8?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/locale/ja/LC_MESSAGES/django.mo  | 4 ++--
 apps/locale/ja/LC_MESSAGES/django.po  | 4 ++++
 apps/locale/zh/LC_MESSAGES/django.mo  | 4 ++--
 apps/locale/zh/LC_MESSAGES/django.po  | 4 ++++
 apps/templates/resource_download.html | 9 +++++++++
 5 files changed, 21 insertions(+), 4 deletions(-)

diff --git a/apps/locale/ja/LC_MESSAGES/django.mo b/apps/locale/ja/LC_MESSAGES/django.mo
index b1be6955d..d7bf5fff9 100644
--- a/apps/locale/ja/LC_MESSAGES/django.mo
+++ b/apps/locale/ja/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:ba75ec2955d452a16930dbd845c8091de4d3cbe0c5b5ccb18f8deb28d7bf3809
-size 126865
+oid sha256:404cc258252754b1fbbb67b04b326369c7ca0797d5245fdd98939c2206e1d8a3
+size 126727
diff --git a/apps/locale/ja/LC_MESSAGES/django.po b/apps/locale/ja/LC_MESSAGES/django.po
index 8668dd892..750b14423 100644
--- a/apps/locale/ja/LC_MESSAGES/django.po
+++ b/apps/locale/ja/LC_MESSAGES/django.po
@@ -4598,6 +4598,10 @@ msgstr "マイクロソフト"
 msgid "Official"
 msgstr "公式"
 
+#: templates/resource_download.html:51
+msgid "Offline video player"
+msgstr "オフラインビデオプレーヤー"
+
 #: templates/resource_download.html:33
 msgid ""
 "macOS needs to download the client to connect RDP asset, which comes with "
diff --git a/apps/locale/zh/LC_MESSAGES/django.mo b/apps/locale/zh/LC_MESSAGES/django.mo
index 92b8e52cb..bb56392af 100644
--- a/apps/locale/zh/LC_MESSAGES/django.mo
+++ b/apps/locale/zh/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:bfbd815ff09d4b7c5f64af1eb745b81937a267d469ffbcba93c849feada2a8a8
-size 104695
+oid sha256:603bfc1d89caaec72caf5cfba85fdc2a1ae7ac9556b4c3641353153d777ece1b
+size 104603
diff --git a/apps/locale/zh/LC_MESSAGES/django.po b/apps/locale/zh/LC_MESSAGES/django.po
index cf215a3fb..ceae873f1 100644
--- a/apps/locale/zh/LC_MESSAGES/django.po
+++ b/apps/locale/zh/LC_MESSAGES/django.po
@@ -4530,6 +4530,10 @@ msgstr "微软"
 msgid "Official"
 msgstr "官方"
 
+#: templates/resource_download.html:51
+msgid "Offline video player"
+msgstr "离线录像播放器"
+
 #: templates/resource_download.html:33
 msgid ""
 "macOS needs to download the client to connect RDP asset, which comes with "
diff --git a/apps/templates/resource_download.html b/apps/templates/resource_download.html
index dddb1143c..4b60e1e09 100644
--- a/apps/templates/resource_download.html
+++ b/apps/templates/resource_download.html
@@ -46,6 +46,15 @@ p {
             </ul>
         </div>
     {% endif %}
+
+    <div class="group">
+        <h2>JumpServer {% trans 'Offline video player' %} v0.1.5</h2>
+        <ul>
+            <li><a href="/download/JumpServer-Video-Player.dmg">jumpserver-video-player.dmg</a></li>
+            <li><a href="/download/JumpServer-Video-Player.exe">jumpserver-video-player.exe</a></li>
+        </ul>
+    </div>
+
 </div>
 <style>
 ul {

From 27cbbfbc79ff1814812ab04f932583fdbf9841cc Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Mon, 11 Jul 2022 18:09:06 +0800
Subject: [PATCH 240/258] =?UTF-8?q?refactor:=20=E9=87=8D=E6=9E=84=20Connec?=
 =?UTF-8?q?tion=20Token=20=E6=A8=A1=E5=9D=97=20(=E5=AE=8C=E6=88=90?=
 =?UTF-8?q?=E8=8E=B7=E5=8F=96=20Super=20connection=20token=20API=20?=
 =?UTF-8?q?=E9=80=BB=E8=BE=91)=20(#8559)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* refactor: 重构 Connection Token 模块 (完成 Model 设计和创建 Token 的API逻辑)

* refactor: 重构 Connection Token 模块 (完成获取 Token 详细信息的 API 逻辑)

* refactor: 重构 Connection Token 模块 (完成获取 RDP 文件 API 逻辑)

* refactor: 重构 Connection Token 模块 (完成获取 Client url API 逻辑)

* refactor: 重构 Connection Token 模块 (完成获取 Super connection token API 逻辑)

* refactor: 重构 Connection Token 模块 (完成删除原 Connection token 逻辑)

* refactor: 重构 Connection Token 模块 (完成删除原 Connection)

* refactor: 重构 Connection Token 模块 (完善序列类字段)

* refactor: 重构 Connection Token 模块 (完善expire API)

* refactor: 重构 Connection Token 模块 (完善迁移文件)

* refactor: 重构 Connection Token 模块 (完善翻译文件)

* refactor: 重构 Connection Token 模块 (拆分Connection ViewSet)

* refactor: 重构 Connection Token 模块 (修改翻译)

* refactor: 重构 Connection Token 模块 （优化)

Co-authored-by: Jiangjie.Bai <bugatti_it@163.com>
---
 apps/assets/models/domain.py                  |   9 +-
 apps/authentication/api/connection_token.py   | 618 ++++++------------
 .../migrations/0011_auto_20220705_1940.py     |  89 +++
 apps/authentication/models.py                 | 184 +++++-
 apps/authentication/serializers/__init__.py   |   2 +-
 .../serializers/connect_token.py              | 145 ----
 .../serializers/connection_token.py           | 186 ++++++
 apps/authentication/urls/api_urls.py          |   4 +-
 apps/locale/ja/LC_MESSAGES/django.mo          |   4 +-
 apps/locale/ja/LC_MESSAGES/django.po          | 174 +++--
 apps/locale/zh/LC_MESSAGES/django.mo          |   4 +-
 apps/locale/zh/LC_MESSAGES/django.po          | 173 ++---
 apps/perms/utils/application/permission.py    |  11 -
 apps/perms/utils/asset/permission.py          |   6 -
 apps/terminal/api/endpoint.py                 |  18 +-
 apps/users/urls/api_urls.py                   |   2 +-
 16 files changed, 872 insertions(+), 757 deletions(-)
 create mode 100644 apps/authentication/migrations/0011_auto_20220705_1940.py
 delete mode 100644 apps/authentication/serializers/connect_token.py
 create mode 100644 apps/authentication/serializers/connection_token.py

diff --git a/apps/assets/models/domain.py b/apps/assets/models/domain.py
index ba3b069f5..a57cbdffc 100644
--- a/apps/assets/models/domain.py
+++ b/apps/assets/models/domain.py
@@ -9,7 +9,7 @@ import paramiko
 from django.db import models
 from django.utils.translation import ugettext_lazy as _
 
-from common.utils import get_logger
+from common.utils import get_logger, lazyproperty
 from orgs.mixins.models import OrgModelMixin
 from .base import BaseUser
 
@@ -36,7 +36,7 @@ class Domain(OrgModelMixin):
     def has_gateway(self):
         return self.gateway_set.filter(is_active=True).exists()
 
-    @property
+    @lazyproperty
     def gateways(self):
         return self.gateway_set.filter(is_active=True)
 
@@ -44,8 +44,9 @@ class Domain(OrgModelMixin):
         gateways = [gw for gw in self.gateways if gw.is_connective]
         if gateways:
             return random.choice(gateways)
-        else:
-            logger.warn(f'Gateway all bad. domain={self}, gateway_num={len(self.gateways)}.')
+
+        logger.warn(f'Gateway all bad. domain={self}, gateway_num={len(self.gateways)}.')
+        if self.gateways:
             return random.choice(self.gateways)
 
 
diff --git a/apps/authentication/api/connection_token.py b/apps/authentication/api/connection_token.py
index 828a93be5..abc9b538e 100644
--- a/apps/authentication/api/connection_token.py
+++ b/apps/authentication/api/connection_token.py
@@ -1,58 +1,60 @@
-# -*- coding: utf-8 -*-
-#
-import urllib.parse
-import json
-from typing import Callable
 import os
+import json
 import base64
-import ctypes
-
-from django.core.cache import cache
-from django.shortcuts import get_object_or_404
+import urllib.parse
 from django.http import HttpResponse
-from django.utils import timezone
-from django.utils.translation import ugettext as _
-from rest_framework.response import Response
-from rest_framework.request import Request
-from rest_framework.viewsets import GenericViewSet
-from rest_framework.decorators import action
+from django.shortcuts import get_object_or_404
 from rest_framework.exceptions import PermissionDenied
-from rest_framework import serializers
-from django.conf import settings
+from rest_framework.decorators import action
+from rest_framework.response import Response
+from rest_framework import status
+from rest_framework.request import Request
 
-from applications.models import Application
-from authentication.signals import post_auth_failed
-from common.utils import get_logger, random_string
-from common.mixins.api import SerializerMixin
-from common.utils.common import get_file_by_arch
-from orgs.mixins.api import RootOrgViewMixin
+from common.drf.api import JMSModelViewSet
 from common.http import is_true
+from orgs.mixins.api import RootOrgViewMixin
 from perms.models.base import Action
-from perms.utils.application.permission import get_application_actions
-from perms.utils.asset.permission import get_asset_actions
-from common.const.http import PATCH
 from terminal.models import EndpointRule
 from ..serializers import (
     ConnectionTokenSerializer, ConnectionTokenSecretSerializer, SuperConnectionTokenSerializer
 )
-
-logger = get_logger(__name__)
-__all__ = ['UserConnectionTokenViewSet', 'UserSuperConnectionTokenViewSet', 'TokenCacheMixin']
+from ..models import ConnectionToken
 
 
-class ClientProtocolMixin:
-    """
-    下载客户端支持的连接文件，里面包含了 token，和 其他连接信息
+__all__ = ['ConnectionTokenViewSet', 'SuperConnectionTokenViewSet']
 
-    - [x] RDP
-    - [ ] KoKo
 
-    本质上，这里还是暴露出 token 来，进行使用
-    """
+class ConnectionTokenMixin:
     request: Request
-    get_serializer: Callable
-    create_token: Callable
-    get_serializer_context: Callable
+
+    @staticmethod
+    def check_token_valid(token: ConnectionToken):
+        is_valid, error = token.check_valid()
+        if not is_valid:
+            raise PermissionDenied(error)
+
+    @staticmethod
+    def get_request_resources(serializer):
+        user = serializer.validated_data.get('user')
+        asset = serializer.validated_data.get('asset')
+        application = serializer.validated_data.get('application')
+        system_user = serializer.validated_data.get('system_user')
+        return user, asset, application, system_user
+
+    @staticmethod
+    def check_user_has_resource_permission(user, asset, application, system_user):
+        from perms.utils.asset import has_asset_system_permission
+        from perms.utils.application import has_application_system_permission
+
+        if asset and not has_asset_system_permission(user, asset, system_user):
+            error = f'User not has this asset and system user permission: ' \
+                    f'user={user.id} system_user={system_user.id} asset={asset.id}'
+            raise PermissionDenied(error)
+
+        if application and not has_application_system_permission(user, application, system_user):
+            error = f'User not has this application and system user permission: ' \
+                    f'user={user.id} system_user={system_user.id} application={application.id}'
+            raise PermissionDenied(error)
 
     def get_smart_endpoint(self, protocol, asset=None, application=None):
         if asset:
@@ -64,21 +66,32 @@ class ClientProtocolMixin:
         endpoint = EndpointRule.match_endpoint(target_ip, protocol, self.request)
         return endpoint
 
-    def get_request_resource(self, serializer):
-        asset = serializer.validated_data.get('asset')
-        application = serializer.validated_data.get('application')
-        system_user = serializer.validated_data['system_user']
-
-        user = serializer.validated_data.get('user')
-        user = user if user else self.request.user
-        return asset, application, system_user, user
-
     @staticmethod
     def parse_env_bool(env_key, env_default, true_value, false_value):
         return true_value if is_true(os.getenv(env_key, env_default)) else false_value
 
-    def get_rdp_file_content(self, serializer):
-        options = {
+    def get_client_protocol_data(self, token: ConnectionToken):
+        from assets.models import SystemUser
+        protocol = token.system_user.protocol
+        username = token.user.username
+        rdp_config = ssh_token = ''
+        if protocol == SystemUser.Protocol.rdp:
+            filename, rdp_config = self.get_rdp_file_info(token)
+        elif protocol == SystemUser.Protocol.ssh:
+            filename, ssh_token = self.get_ssh_token(token)
+        else:
+            raise ValueError('Protocol not support: {}'.format(protocol))
+
+        return {
+            "filename": filename,
+            "protocol": protocol,
+            "username": username,
+            "token": ssh_token,
+            "config": rdp_config
+        }
+
+    def get_rdp_file_info(self, token: ConnectionToken):
+        rdp_options = {
             'full address:s': '',
             'username:s': '',
             # 'screen mode id:i': '1',
@@ -111,412 +124,162 @@ class ClientProtocolMixin:
             # 'remoteapplicationcmdline:s': '',
         }
 
-        asset, application, system_user, user = self.get_request_resource(serializer)
+        # 设置磁盘挂载
+        drives_redirect = is_true(self.request.query_params.get('drives_redirect'))
+        if drives_redirect:
+            actions = Action.choices_to_value(token.actions)
+            if actions & Action.UPDOWNLOAD == Action.UPDOWNLOAD:
+                rdp_options['drivestoredirect:s'] = '*'
+
+        # 设置全屏
+        full_screen = is_true(self.request.query_params.get('full_screen'))
+        rdp_options['screen mode id:i'] = '2' if full_screen else '1'
+
+        # 设置 RDP Server 地址
+        endpoint = self.get_smart_endpoint(
+            protocol='rdp', asset=token.asset, application=token.application
+        )
+        rdp_options['full address:s'] = f'{endpoint.host}:{endpoint.rdp_port}'
+
+        # 设置用户名
+        rdp_options['username:s'] = '{}|{}'.format(token.user.username, str(token.id))
+        if token.system_user.ad_domain:
+            rdp_options['domain:s'] = token.system_user.ad_domain
+
+        # 设置宽高
         height = self.request.query_params.get('height')
         width = self.request.query_params.get('width')
-        full_screen = is_true(self.request.query_params.get('full_screen'))
-        drives_redirect = is_true(self.request.query_params.get('drives_redirect'))
-        token, secret = self.create_token(user, asset, application, system_user)
-
-        # 设置磁盘挂载
-        if drives_redirect:
-            actions = 0
-            if asset:
-                actions = get_asset_actions(user, asset, system_user)
-            elif application:
-                actions = get_application_actions(user, application, system_user)
-
-            if actions & Action.UPDOWNLOAD == Action.UPDOWNLOAD:
-                options['drivestoredirect:s'] = '*'
-
-        # 全屏
-        options['screen mode id:i'] = '2' if full_screen else '1'
-
-        # RDP Server 地址
-        endpoint = self.get_smart_endpoint(
-            protocol='rdp', asset=asset, application=application
-        )
-        options['full address:s'] = f'{endpoint.host}:{endpoint.rdp_port}'
-        # 用户名
-        options['username:s'] = '{}|{}'.format(user.username, token)
-        if system_user.ad_domain:
-            options['domain:s'] = system_user.ad_domain
-        # 宽高
         if width and height:
-            options['desktopwidth:i'] = width
-            options['desktopheight:i'] = height
-            options['winposstr:s:'] = f'0,1,0,0,{width},{height}'
+            rdp_options['desktopwidth:i'] = width
+            rdp_options['desktopheight:i'] = height
+            rdp_options['winposstr:s:'] = f'0,1,0,0,{width},{height}'
 
-        options['session bpp:i'] = os.getenv('JUMPSERVER_COLOR_DEPTH', '32')
-        options['audiomode:i'] = self.parse_env_bool('JUMPSERVER_DISABLE_AUDIO', 'false', '2', '0')
+        # 设置其他选项
+        rdp_options['session bpp:i'] = os.getenv('JUMPSERVER_COLOR_DEPTH', '32')
+        rdp_options['audiomode:i'] = self.parse_env_bool('JUMPSERVER_DISABLE_AUDIO', 'false', '2', '0')
 
-        if asset:
-            name = asset.hostname
-        elif application:
-            name = application.name
-            application.get_rdp_remote_app_setting()
-
-            app = f'||jmservisor'
-            options['remoteapplicationmode:i'] = '1'
-            options['alternate shell:s'] = app
-            options['remoteapplicationprogram:s'] = app
-            options['remoteapplicationname:s'] = name
+        if token.asset:
+            name = token.asset.hostname
+        elif token.application and token.application.category_remote_app:
+            app = '||jmservisor'
+            name = token.application.name
+            rdp_options['remoteapplicationmode:i'] = '1'
+            rdp_options['alternate shell:s'] = app
+            rdp_options['remoteapplicationprogram:s'] = app
+            rdp_options['remoteapplicationname:s'] = name
         else:
             name = '*'
 
+        filename = "{}-{}-jumpserver".format(token.user.username, name)
+        filename = urllib.parse.quote(filename)
+
         content = ''
-        for k, v in options.items():
+        for k, v in rdp_options.items():
             content += f'{k}:{v}\n'
-        return name, content
 
-    def get_ssh_token(self, serializer):
-        asset, application, system_user, user = self.get_request_resource(serializer)
-        token, secret = self.create_token(user, asset, application, system_user)
-        if asset:
-            name = asset.hostname
-        elif application:
-            name = application.name
+        return filename, content
+
+    def get_ssh_token(self, token: ConnectionToken):
+        if token.asset:
+            name = token.asset.hostname
+        elif token.application:
+            name = token.application.name
         else:
             name = '*'
+        filename = f'{token.user.username}-{name}-jumpserver'
 
         endpoint = self.get_smart_endpoint(
-            protocol='ssh', asset=asset, application=application
+            protocol='ssh', asset=token.asset, application=token.application
         )
-        content = {
+        data = {
             'ip': endpoint.host,
             'port': str(endpoint.ssh_port),
-            'username': f'JMS-{token}',
-            'password': secret
+            'username': 'JMS-{}'.format(str(token.id)),
+            'password': token.secret
         }
-        token = json.dumps(content)
-        return name, token
-
-    def get_encrypt_cmdline(self, app: Application):
-        parameters = app.get_rdp_remote_app_setting()['parameters']
-        parameters = parameters.encode('ascii')
-
-        lib_path = get_file_by_arch('xpack/libs', 'librailencrypt.so')
-        lib = ctypes.CDLL(lib_path)
-        lib.encrypt.argtypes = [ctypes.c_char_p, ctypes.c_int]
-        lib.encrypt.restype = ctypes.c_char_p
-
-        rst = lib.encrypt(parameters, len(parameters))
-        rst = rst.decode('ascii')
-        return rst
-
-    def get_valid_serializer(self):
-        if self.request.method == 'GET':
-            data = self.request.query_params
-        else:
-            data = self.request.data
-        serializer = self.get_serializer(data=data)
-        serializer.is_valid(raise_exception=True)
-        return serializer
-
-    def get_client_protocol_data(self, serializer):
-        asset, application, system_user, user = self.get_request_resource(serializer)
-        protocol = system_user.protocol
-        username = user.username
-        config, token = '', ''
-        if protocol == 'rdp':
-            name, config = self.get_rdp_file_content(serializer)
-        elif protocol == 'ssh':
-            name, token = self.get_ssh_token(serializer)
-        else:
-            raise ValueError('Protocol not support: {}'.format(protocol))
-
-        filename = "{}-{}-jumpserver".format(username, name)
-        data = {
-            "filename": filename,
-            "protocol": system_user.protocol,
-            "username": username,
-            "token": token,
-            "config": config
-        }
-        return data
-
-    @action(methods=['POST', 'GET'], detail=False, url_path='rdp/file')
-    def get_rdp_file(self, request, *args, **kwargs):
-        if self.request.method == 'GET':
-            data = self.request.query_params
-        else:
-            data = self.request.data
-        serializer = self.get_serializer(data=data)
-        serializer.is_valid(raise_exception=True)
-        name, data = self.get_rdp_file_content(serializer)
-        response = HttpResponse(data, content_type='application/octet-stream')
-        filename = "{}-{}-jumpserver.rdp".format(self.request.user.username, name)
-        filename = urllib.parse.quote(filename)
-        response['Content-Disposition'] = 'attachment; filename*=UTF-8\'\'%s' % filename
-        return response
-
-    @action(methods=['POST', 'GET'], detail=False, url_path='client-url')
-    def get_client_protocol_url(self, request, *args, **kwargs):
-        serializer = self.get_valid_serializer()
-        try:
-            protocol_data = self.get_client_protocol_data(serializer)
-        except ValueError as e:
-            return Response({'error': str(e)}, status=401)
-
-        protocol_data = json.dumps(protocol_data).encode()
-        protocol_data = base64.b64encode(protocol_data).decode()
-        data = {
-            'url': 'jms://{}'.format(protocol_data),
-        }
-        return Response(data=data)
+        token = json.dumps(data)
+        return filename, token
 
 
-class SecretDetailMixin:
-    valid_token: Callable
-    request: Request
-    get_serializer: Callable
-
-    @staticmethod
-    def _get_application_secret_detail(application):
-        gateway = None
-        remote_app = None
-        asset = None
-
-        if application.category_remote_app:
-            remote_app = application.get_rdp_remote_app_setting()
-            asset = application.get_remote_app_asset()
-            domain = asset.domain
-        else:
-            domain = application.domain
-
-        if domain and domain.has_gateway():
-            gateway = domain.random_gateway()
-
-        return {
-            'asset': asset,
-            'application': application,
-            'gateway': gateway,
-            'domain': domain,
-            'remote_app': remote_app,
-        }
-
-    @staticmethod
-    def _get_asset_secret_detail(asset):
-        gateway = None
-        if asset and asset.domain and asset.domain.has_gateway():
-            gateway = asset.domain.random_gateway()
-
-        return {
-            'asset': asset,
-            'application': None,
-            'domain': asset.domain,
-            'gateway': gateway,
-            'remote_app': None,
-        }
-
-    @action(methods=['POST'], detail=False, url_path='secret-info/detail')
-    def get_secret_detail(self, request, *args, **kwargs):
-        perm_required = 'authentication.view_connectiontokensecret'
-
-        # 非常重要的 api，再逻辑层再判断一下，双重保险
-        if not request.user.has_perm(perm_required):
-            raise PermissionDenied('Not allow to view secret')
-
-        token = request.data.get('token', '')
-        try:
-            value, user, system_user, asset, app, expired_at, actions = self.valid_token(token)
-        except serializers.ValidationError as e:
-            post_auth_failed.send(
-                sender=self.__class__, username='', request=self.request,
-                reason=_('Invalid token')
-            )
-            raise e
-
-        data = dict(
-            id=token, secret=value.get('secret', ''),
-            user=user, system_user=system_user,
-            expired_at=expired_at, actions=actions
-        )
-        cmd_filter_kwargs = {
-            'system_user_id': system_user.id,
-            'user_id': user.id,
-        }
-        if asset:
-            asset_detail = self._get_asset_secret_detail(asset)
-            system_user.load_asset_more_auth(asset.id, user.username, user.id)
-            data['type'] = 'asset'
-            data.update(asset_detail)
-            cmd_filter_kwargs['asset_id'] = asset.id
-        else:
-            app_detail = self._get_application_secret_detail(app)
-            system_user.load_app_more_auth(app.id, user.username, user.id)
-            data['type'] = 'application'
-            data.update(app_detail)
-            cmd_filter_kwargs['application_id'] = app.id
-
-        from assets.models import CommandFilterRule
-        cmd_filter_rules = CommandFilterRule.get_queryset(**cmd_filter_kwargs)
-        data['cmd_filter_rules'] = cmd_filter_rules
-
-        serializer = self.get_serializer(data)
-        return Response(data=serializer.data, status=200)
-
-
-class TokenCacheMixin:
-    """ endpoint smart view 用到此类来解析token中的资产、应用 """
-    CACHE_KEY_PREFIX = 'CONNECTION_TOKEN_{}'
-
-    def renewal_token(self, token, ttl=None):
-        value = self.get_token_from_cache(token)
-        if value:
-            pre_ttl = self.get_token_ttl(token)
-            self.set_token_to_cache(token, value, ttl)
-            post_ttl = self.get_token_ttl(token)
-            ok = True
-            msg = f'{pre_ttl}s is renewed to {post_ttl}s.'
-        else:
-            ok = False
-            msg = 'Token is not found.'
-        data = {
-            'ok': ok,
-            'msg': msg
-        }
-        return data
-
-    def get_token_ttl(self, token):
-        key = self.get_token_cache_key(token)
-        return cache.ttl(key)
-
-    def set_token_to_cache(self, token, value, ttl=None):
-        key = self.get_token_cache_key(token)
-        ttl = ttl or settings.CONNECTION_TOKEN_EXPIRATION
-        cache.set(key, value, timeout=ttl)
-
-    def get_token_from_cache(self, token):
-        key = self.get_token_cache_key(token)
-        value = cache.get(key, None)
-        return value
-
-    def get_token_cache_key(self, token):
-        return self.CACHE_KEY_PREFIX.format(token)
-
-
-class BaseUserConnectionTokenViewSet(
-    RootOrgViewMixin, SerializerMixin, ClientProtocolMixin,
-    TokenCacheMixin, GenericViewSet
-):
-
-    @staticmethod
-    def check_resource_permission(user, asset, application, system_user):
-        from perms.utils.asset import has_asset_system_permission
-        from perms.utils.application import has_application_system_permission
-
-        if asset and not has_asset_system_permission(user, asset, system_user):
-            error = f'User not has this asset and system user permission: ' \
-                    f'user={user.id} system_user={system_user.id} asset={asset.id}'
-            raise PermissionDenied(error)
-        if application and not has_application_system_permission(user, application, system_user):
-            error = f'User not has this application and system user permission: ' \
-                    f'user={user.id} system_user={system_user.id} application={application.id}'
-            raise PermissionDenied(error)
-        return True
-
-    def create_token(self, user, asset, application, system_user, ttl=None):
-        self.check_resource_permission(user, asset, application, system_user)
-        token = random_string(36)
-        secret = random_string(16)
-        value = {
-            'id': token,
-            'secret': secret,
-            'user': str(user.id),
-            'username': user.username,
-            'system_user': str(system_user.id),
-            'system_user_name': system_user.name,
-            'created_by': str(self.request.user),
-            'date_created': str(timezone.now())
-        }
-
-        if asset:
-            value.update({
-                'type': 'asset',
-                'asset': str(asset.id),
-                'hostname': asset.hostname,
-            })
-        elif application:
-            value.update({
-                'type': 'application',
-                'application': application.id,
-                'application_name': str(application)
-            })
-
-        self.set_token_to_cache(token, value, ttl)
-        return token, secret
-
-    def create(self, request, *args, **kwargs):
-        serializer = self.get_serializer(data=request.data)
-        serializer.is_valid(raise_exception=True)
-
-        asset, application, system_user, user = self.get_request_resource(serializer)
-        token, secret = self.create_token(user, asset, application, system_user)
-        tp = 'app' if application else 'asset'
-        data = {
-            "id": token, 'secret': secret,
-            'type': tp, 'protocol': system_user.protocol,
-            'expire_time': self.get_token_ttl(token),
-        }
-        return Response(data, status=201)
-
-
-class UserConnectionTokenViewSet(BaseUserConnectionTokenViewSet, SecretDetailMixin):
+class ConnectionTokenViewSet(ConnectionTokenMixin, RootOrgViewMixin, JMSModelViewSet):
+    filterset_fields = (
+        'type',
+        'user_display', 'system_user_display', 'application_display', 'asset_display'
+    )
+    search_fields = filterset_fields
     serializer_classes = {
         'default': ConnectionTokenSerializer,
         'get_secret_detail': ConnectionTokenSecretSerializer,
     }
     rbac_perms = {
-        'GET': 'authentication.view_connectiontoken',
+        'retrieve': 'authentication.view_connectiontoken',
         'create': 'authentication.add_connectiontoken',
+        'expire': 'authentication.add_connectiontoken',
         'get_secret_detail': 'authentication.view_connectiontokensecret',
         'get_rdp_file': 'authentication.add_connectiontoken',
         'get_client_protocol_url': 'authentication.add_connectiontoken',
     }
+    queryset = ConnectionToken.objects.all()
 
-    def valid_token(self, token):
-        from users.models import User
-        from assets.models import SystemUser, Asset
-        from applications.models import Application
-        from perms.utils.asset.permission import validate_permission as asset_validate_permission
-        from perms.utils.application.permission import validate_permission as app_validate_permission
+    def create_connection_token(self):
+        data = self.request.query_params if self.request.method == 'GET' else self.request.data
+        serializer = self.get_serializer(data=data)
+        serializer.is_valid(raise_exception=True)
+        self.perform_create(serializer)
+        token: ConnectionToken = serializer.instance
+        return token
 
-        value = self.get_token_from_cache(token)
-        if not value:
-            raise serializers.ValidationError('Token not found')
+    def perform_create(self, serializer):
+        user, asset, application, system_user = self.get_request_resources(serializer)
+        self.check_user_has_resource_permission(user, asset, application, system_user)
+        return super(ConnectionTokenViewSet, self).perform_create(serializer)
 
-        user = get_object_or_404(User, id=value.get('user'))
-        if not user.is_valid:
-            raise serializers.ValidationError("User not valid, disabled or expired")
+    @action(methods=['POST'], detail=False, url_path='secret-info/detail')
+    def get_secret_detail(self, request, *args, **kwargs):
+        # 非常重要的 api，在逻辑层再判断一下，双重保险
+        perm_required = 'authentication.view_connectiontokensecret'
+        if not request.user.has_perm(perm_required):
+            raise PermissionDenied('Not allow to view secret')
+        token_id = request.data.get('token') or ''
+        token = get_object_or_404(ConnectionToken, pk=token_id)
+        self.check_token_valid(token)
+        token.load_system_user_auth()
+        serializer = self.get_serializer(instance=token)
+        return Response(serializer.data, status=status.HTTP_200_OK)
 
-        system_user = get_object_or_404(SystemUser, id=value.get('system_user'))
-        asset = None
-        app = None
-        if value.get('type') == 'asset':
-            asset = get_object_or_404(Asset, id=value.get('asset'))
-            if not asset.is_active:
-                raise serializers.ValidationError("Asset disabled")
-            has_perm, actions, expired_at = asset_validate_permission(user, asset, system_user)
-        else:
-            app = get_object_or_404(Application, id=value.get('application'))
-            has_perm, actions, expired_at = app_validate_permission(user, app, system_user)
+    @action(methods=['POST', 'GET'], detail=False, url_path='rdp/file')
+    def get_rdp_file(self, request, *args, **kwargs):
+        token = self.create_connection_token()
+        self.check_token_valid(token)
+        filename, content = self.get_rdp_file_info(token)
+        filename = '{}.rdp'.format(filename)
+        response = HttpResponse(content, content_type='application/octet-stream')
+        response['Content-Disposition'] = 'attachment; filename*=UTF-8\'\'%s' % filename
+        return response
 
-        if not has_perm:
-            raise serializers.ValidationError('Permission expired or invalid')
-        return value, user, system_user, asset, app, expired_at, actions
+    @action(methods=['POST', 'GET'], detail=False, url_path='client-url')
+    def get_client_protocol_url(self, request, *args, **kwargs):
+        token = self.create_connection_token()
+        self.check_token_valid(token)
+        try:
+            protocol_data = self.get_client_protocol_data(token)
+        except ValueError as e:
+            return Response(data={'error': str(e)}, status=status.HTTP_400_BAD_REQUEST)
+        protocol_data = json.dumps(protocol_data).encode()
+        protocol_data = base64.b64encode(protocol_data).decode()
+        data = {
+            'url': 'jms://{}'.format(protocol_data)
+        }
+        return Response(data=data)
 
-    def get(self, request):
-        token = request.query_params.get('token')
-        value = self.get_token_from_cache(token)
-        if not value:
-            return Response('', status=404)
-        return Response(value)
+    @action(methods=['PATCH'], detail=True)
+    def expire(self, request, *args, **kwargs):
+        instance = self.get_object()
+        instance.expire()
+        return Response(status=status.HTTP_204_NO_CONTENT)
 
 
-class UserSuperConnectionTokenViewSet(
-    BaseUserConnectionTokenViewSet, TokenCacheMixin, GenericViewSet
-):
+class SuperConnectionTokenViewSet(ConnectionTokenViewSet):
     serializer_classes = {
         'default': SuperConnectionTokenSerializer,
     }
@@ -525,10 +288,19 @@ class UserSuperConnectionTokenViewSet(
         'renewal': 'authentication.add_superconnectiontoken'
     }
 
-    @action(methods=[PATCH], detail=False)
+    @action(methods=['PATCH'], detail=False)
     def renewal(self, request, *args, **kwargs):
-        """ 续期 Token """
-        token = request.data.get('token', '')
-        data = self.renewal_token(token)
-        status_code = 200 if data.get('ok') else 404
-        return Response(data=data, status=status_code)
+        from common.utils.timezone import as_current_tz
+
+        token_id = request.data.get('token') or ''
+        token = get_object_or_404(ConnectionToken, pk=token_id)
+        date_expired = as_current_tz(token.date_expired)
+        if token.is_expired:
+            raise PermissionDenied('Token is expired at: {}'.format(date_expired))
+        token.renewal()
+        data = {
+            'ok': True,
+            'msg': f'Token is renewed, date expired: {date_expired}'
+        }
+        return Response(data=data, status=status.HTTP_200_OK)
+
diff --git a/apps/authentication/migrations/0011_auto_20220705_1940.py b/apps/authentication/migrations/0011_auto_20220705_1940.py
new file mode 100644
index 000000000..527003d9e
--- /dev/null
+++ b/apps/authentication/migrations/0011_auto_20220705_1940.py
@@ -0,0 +1,89 @@
+# Generated by Django 3.2.12 on 2022-07-05 11:40
+
+import authentication.models
+from django.conf import settings
+from django.db import migrations, models
+import django.db.models.deletion
+import uuid
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('applications', '0021_auto_20220629_1826'),
+        ('assets', '0091_auto_20220629_1826'),
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+        ('authentication', '0010_temptoken'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='connectiontoken',
+            name='application',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='connection_tokens', to='applications.application', verbose_name='Application'),
+        ),
+        migrations.AddField(
+            model_name='connectiontoken',
+            name='application_display',
+            field=models.CharField(default='', max_length=128, verbose_name='Application display'),
+        ),
+        migrations.AddField(
+            model_name='connectiontoken',
+            name='asset',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='connection_tokens', to='assets.asset', verbose_name='Asset'),
+        ),
+        migrations.AddField(
+            model_name='connectiontoken',
+            name='asset_display',
+            field=models.CharField(default='', max_length=128, verbose_name='Asset display'),
+        ),
+        migrations.AddField(
+            model_name='connectiontoken',
+            name='date_expired',
+            field=models.DateTimeField(default=authentication.models.date_expired_default, verbose_name='Date expired'),
+        ),
+        migrations.AddField(
+            model_name='connectiontoken',
+            name='org_id',
+            field=models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization'),
+        ),
+        migrations.AddField(
+            model_name='connectiontoken',
+            name='secret',
+            field=models.CharField(default='', max_length=64, verbose_name='Secret'),
+        ),
+        migrations.AddField(
+            model_name='connectiontoken',
+            name='system_user',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='connection_tokens', to='assets.systemuser', verbose_name='System user'),
+        ),
+        migrations.AddField(
+            model_name='connectiontoken',
+            name='system_user_display',
+            field=models.CharField(default='', max_length=128, verbose_name='System user display'),
+        ),
+        migrations.AddField(
+            model_name='connectiontoken',
+            name='type',
+            field=models.CharField(choices=[('asset', 'Asset'), ('application', 'Application')], default='asset', max_length=16, verbose_name='Type'),
+        ),
+        migrations.AddField(
+            model_name='connectiontoken',
+            name='user',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='connection_tokens', to=settings.AUTH_USER_MODEL, verbose_name='User'),
+        ),
+        migrations.AddField(
+            model_name='connectiontoken',
+            name='user_display',
+            field=models.CharField(default='', max_length=128, verbose_name='User display'),
+        ),
+        migrations.AlterField(
+            model_name='connectiontoken',
+            name='id',
+            field=models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False),
+        ),
+        migrations.AlterModelOptions(
+            name='connectiontoken',
+            options={'ordering': ('-date_expired',), 'permissions': [('view_connectiontokensecret', 'Can view connection token secret')], 'verbose_name': 'Connection token'},
+        ),
+    ]
diff --git a/apps/authentication/models.py b/apps/authentication/models.py
index 54cab4fbd..c0713ac1a 100644
--- a/apps/authentication/models.py
+++ b/apps/authentication/models.py
@@ -1,11 +1,14 @@
 import uuid
-
+from datetime import datetime, timedelta
 from django.utils import timezone
 from django.utils.translation import ugettext_lazy as _
 from django.conf import settings
 from rest_framework.authtoken.models import Token
+from orgs.mixins.models import OrgModelMixin
 
 from common.db import models
+from common.utils import lazyproperty
+from common.utils.timezone import as_current_tz
 
 
 class AccessKey(models.Model):
@@ -54,16 +57,189 @@ class SSOToken(models.JMSBaseModel):
         verbose_name = _('SSO token')
 
 
-class ConnectionToken(models.JMSBaseModel):
-    # Todo: 未来可能放到这里，不记录到 redis 了，虽然方便，但是不易于审计
-    # Todo: add connection token 可能要授权给 普通用户, 或者放开就行
+def date_expired_default():
+    return timezone.now() + timedelta(seconds=settings.CONNECTION_TOKEN_EXPIRATION)
+
+
+class ConnectionToken(OrgModelMixin, models.JMSModel):
+    class Type(models.TextChoices):
+        asset = 'asset', _('Asset')
+        application = 'application', _('Application')
+
+    type = models.CharField(
+        max_length=16, default=Type.asset, choices=Type.choices, verbose_name=_("Type")
+    )
+    secret = models.CharField(max_length=64, default='', verbose_name=_("Secret"))
+    date_expired = models.DateTimeField(
+        default=date_expired_default, verbose_name=_("Date expired")
+    )
+
+    user = models.ForeignKey(
+        'users.User', on_delete=models.SET_NULL, verbose_name=_('User'),
+        related_name='connection_tokens', null=True, blank=True
+    )
+    user_display = models.CharField(max_length=128, default='', verbose_name=_("User display"))
+    system_user = models.ForeignKey(
+        'assets.SystemUser', on_delete=models.SET_NULL, verbose_name=_('System user'),
+        related_name='connection_tokens', null=True, blank=True
+    )
+    system_user_display = models.CharField(
+        max_length=128, default='', verbose_name=_("System user display")
+    )
+    asset = models.ForeignKey(
+        'assets.Asset', on_delete=models.SET_NULL, verbose_name=_('Asset'),
+        related_name='connection_tokens', null=True, blank=True
+    )
+    asset_display = models.CharField(max_length=128, default='', verbose_name=_("Asset display"))
+    application = models.ForeignKey(
+        'applications.Application', on_delete=models.SET_NULL, verbose_name=_('Application'),
+        related_name='connection_tokens', null=True, blank=True
+    )
+    application_display = models.CharField(
+        max_length=128, default='', verbose_name=_("Application display")
+    )
 
     class Meta:
+        ordering = ('-date_expired',)
         verbose_name = _('Connection token')
         permissions = [
             ('view_connectiontokensecret', _('Can view connection token secret'))
         ]
 
+    @classmethod
+    def get_default_date_expired(cls):
+        return date_expired_default()
+
+    @property
+    def is_expired(self):
+        return self.date_expired < timezone.now()
+
+    def expire(self):
+        self.date_expired = timezone.now()
+        self.save()
+
+    @property
+    def is_valid(self):
+        return not self.is_expired
+
+    def is_type(self, tp):
+        return self.type == tp
+
+    def renewal(self):
+        """ 续期 Token，将来支持用户自定义创建 token 后，续期策略要修改 """
+        self.date_expired = self.get_default_date_expired()
+        self.save()
+
+    actions = expired_at = None  # actions 和 expired_at 在 check_valid() 中赋值
+
+    def check_valid(self):
+        from perms.utils.asset.permission import validate_permission as asset_validate_permission
+        from perms.utils.application.permission import validate_permission as app_validate_permission
+
+        if self.is_expired:
+            is_valid = False
+            error = _('Connection token expired at: {}').format(as_current_tz(self.date_expired))
+            return is_valid, error
+
+        if not self.user:
+            is_valid = False
+            error = _('User not exists')
+            return is_valid, error
+        if not self.user.is_valid:
+            is_valid = False
+            error = _('User invalid, disabled or expired')
+            return is_valid, error
+
+        if not self.system_user:
+            is_valid = False
+            error = _('System user not exists')
+            return is_valid, error
+
+        if self.is_type(self.Type.asset):
+            if not self.asset:
+                is_valid = False
+                error = _('Asset not exists')
+                return is_valid, error
+            if not self.asset.is_active:
+                is_valid = False
+                error = _('Asset inactive')
+                return is_valid, error
+            has_perm, actions, expired_at = asset_validate_permission(
+                self.user, self.asset, self.system_user
+            )
+            if not has_perm:
+                is_valid = False
+                error = _('User has no permission to access asset or permission expired')
+                return is_valid, error
+            self.actions = actions
+            self.expired_at = expired_at
+
+        elif self.is_type(self.Type.application):
+            if not self.application:
+                is_valid = False
+                error = _('Application not exists')
+                return is_valid, error
+            has_perm, actions, expired_at = app_validate_permission(
+                self.user, self.application, self.system_user
+            )
+            if not has_perm:
+                is_valid = False
+                error = _('User has no permission to access application or permission expired')
+                return is_valid, error
+            self.actions = actions
+            self.expired_at = expired_at
+
+        return True, ''
+
+    @lazyproperty
+    def domain(self):
+        if self.asset:
+            return self.asset.domain
+        if not self.application:
+            return
+        if self.application.category_remote_app:
+            asset = self.application.get_remote_app_asset()
+            domain = asset.domain if asset else None
+        else:
+            domain = self.application.domain
+        return domain
+
+    @lazyproperty
+    def gateway(self):
+        from assets.models import Domain
+        if not self.domain:
+            return
+        self.domain: Domain
+        return self.domain.random_gateway()
+
+    @lazyproperty
+    def remote_app(self):
+        if not self.application:
+            return {}
+        if not self.application.category_remote_app:
+            return {}
+        return self.application.get_rdp_remote_app_setting()
+
+    @lazyproperty
+    def cmd_filter_rules(self):
+        from assets.models import CommandFilterRule
+        kwargs = {
+            'user_id': self.user.id,
+            'system_user_id': self.system_user.id,
+        }
+        if self.asset:
+            kwargs['asset_id'] = self.asset.id
+        elif self.application:
+            kwargs['application_id'] = self.application_id
+        rules = CommandFilterRule.get_queryset(**kwargs)
+        return rules
+
+    def load_system_user_auth(self):
+        if self.asset:
+            self.system_user.load_asset_more_auth(self.asset.id, self.user.username, self.user.id)
+        elif self.application:
+            self.system_user.load_app_more_auth(self.application.id, self.user.username, self.user.id)
+
 
 class TempToken(models.JMSModel):
     username = models.CharField(max_length=128, verbose_name=_("Username"))
diff --git a/apps/authentication/serializers/__init__.py b/apps/authentication/serializers/__init__.py
index aa94f0fc8..65994a58c 100644
--- a/apps/authentication/serializers/__init__.py
+++ b/apps/authentication/serializers/__init__.py
@@ -1,4 +1,4 @@
 from .token import *
-from .connect_token import *
+from .connection_token import *
 from .password_mfa import *
 from .confirm import *
diff --git a/apps/authentication/serializers/connect_token.py b/apps/authentication/serializers/connect_token.py
deleted file mode 100644
index 36fc024b1..000000000
--- a/apps/authentication/serializers/connect_token.py
+++ /dev/null
@@ -1,145 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-from rest_framework import serializers
-
-from users.models import User
-from assets.models import Asset, SystemUser, Gateway, Domain, CommandFilterRule
-from applications.models import Application
-from assets.serializers import ProtocolsField
-from perms.serializers.base import ActionsField
-
-__all__ = [
-    'ConnectionTokenSerializer', 'ConnectionTokenApplicationSerializer',
-    'ConnectionTokenUserSerializer', 'ConnectionTokenFilterRuleSerializer',
-    'ConnectionTokenAssetSerializer', 'ConnectionTokenSystemUserSerializer',
-    'ConnectionTokenDomainSerializer', 'ConnectionTokenRemoteAppSerializer',
-    'ConnectionTokenGatewaySerializer', 'ConnectionTokenSecretSerializer',
-    'SuperConnectionTokenSerializer'
-]
-
-
-class ConnectionTokenSerializer(serializers.Serializer):
-    system_user = serializers.CharField(max_length=128, required=True)
-    asset = serializers.CharField(max_length=128, required=False)
-    application = serializers.CharField(max_length=128, required=False)
-
-    @staticmethod
-    def validate_system_user(system_user_id):
-        from assets.models import SystemUser
-        system_user = SystemUser.objects.filter(id=system_user_id).first()
-        if system_user is None:
-            raise serializers.ValidationError('system_user id not exist')
-        return system_user
-
-    @staticmethod
-    def validate_asset(asset_id):
-        from assets.models import Asset
-        asset = Asset.objects.filter(id=asset_id).first()
-        if asset is None:
-            raise serializers.ValidationError('asset id not exist')
-        return asset
-
-    @staticmethod
-    def validate_application(app_id):
-        from applications.models import Application
-        app = Application.objects.filter(id=app_id).first()
-        if app is None:
-            raise serializers.ValidationError('app id not exist')
-        return app
-
-    def validate(self, attrs):
-        asset = attrs.get('asset')
-        application = attrs.get('application')
-        if not asset and not application:
-            raise serializers.ValidationError('asset or application required')
-        if asset and application:
-            raise serializers.ValidationError('asset and application should only one')
-        return super().validate(attrs)
-
-
-class SuperConnectionTokenSerializer(ConnectionTokenSerializer):
-    user = serializers.CharField(max_length=128, required=False, allow_blank=True)
-
-    @staticmethod
-    def validate_user(user_id):
-        from users.models import User
-        user = User.objects.filter(id=user_id).first()
-        if user is None:
-            raise serializers.ValidationError('user id not exist')
-        return user
-
-
-class ConnectionTokenUserSerializer(serializers.ModelSerializer):
-    class Meta:
-        model = User
-        fields = ['id', 'name', 'username', 'email']
-
-
-class ConnectionTokenAssetSerializer(serializers.ModelSerializer):
-    protocols = ProtocolsField(label='Protocols', read_only=True)
-
-    class Meta:
-        model = Asset
-        fields = ['id', 'hostname', 'ip', 'protocols', 'org_id']
-
-
-class ConnectionTokenSystemUserSerializer(serializers.ModelSerializer):
-    class Meta:
-        model = SystemUser
-        fields = [
-            'id', 'name', 'username', 'password', 'private_key',
-            'protocol', 'ad_domain', 'org_id'
-        ]
-
-
-class ConnectionTokenGatewaySerializer(serializers.ModelSerializer):
-    class Meta:
-        model = Gateway
-        fields = ['id', 'ip', 'port', 'username', 'password', 'private_key']
-
-
-class ConnectionTokenRemoteAppSerializer(serializers.Serializer):
-    program = serializers.CharField()
-    working_directory = serializers.CharField()
-    parameters = serializers.CharField()
-
-
-class ConnectionTokenApplicationSerializer(serializers.ModelSerializer):
-    attrs = serializers.JSONField(read_only=True)
-
-    class Meta:
-        model = Application
-        fields = ['id', 'name', 'category', 'type', 'attrs', 'org_id']
-
-
-class ConnectionTokenDomainSerializer(serializers.ModelSerializer):
-    gateways = ConnectionTokenGatewaySerializer(many=True, read_only=True)
-
-    class Meta:
-        model = Domain
-        fields = ['id', 'name', 'gateways']
-
-
-class ConnectionTokenFilterRuleSerializer(serializers.ModelSerializer):
-    class Meta:
-        model = CommandFilterRule
-        fields = [
-            'id', 'type', 'content', 'ignore_case', 'pattern',
-            'priority', 'action', 'date_created',
-        ]
-
-
-class ConnectionTokenSecretSerializer(serializers.Serializer):
-    id = serializers.CharField(read_only=True)
-    secret = serializers.CharField(read_only=True)
-    type = serializers.ChoiceField(choices=[('application', 'Application'), ('asset', 'Asset')])
-    user = ConnectionTokenUserSerializer(read_only=True)
-    asset = ConnectionTokenAssetSerializer(read_only=True)
-    remote_app = ConnectionTokenRemoteAppSerializer(read_only=True)
-    application = ConnectionTokenApplicationSerializer(read_only=True)
-    system_user = ConnectionTokenSystemUserSerializer(read_only=True)
-    cmd_filter_rules = ConnectionTokenFilterRuleSerializer(many=True)
-    domain = ConnectionTokenDomainSerializer(read_only=True)
-    gateway = ConnectionTokenGatewaySerializer(read_only=True)
-    actions = ActionsField()
-    expired_at = serializers.IntegerField()
diff --git a/apps/authentication/serializers/connection_token.py b/apps/authentication/serializers/connection_token.py
new file mode 100644
index 000000000..33e99677c
--- /dev/null
+++ b/apps/authentication/serializers/connection_token.py
@@ -0,0 +1,186 @@
+from rest_framework import serializers
+
+from django.utils.translation import ugettext_lazy as _
+from orgs.mixins.serializers import OrgResourceModelSerializerMixin
+from authentication.models import ConnectionToken
+from common.utils import pretty_string
+from common.utils.random import random_string
+from assets.models import Asset, SystemUser, Gateway, Domain, CommandFilterRule
+from users.models import User
+from applications.models import Application
+from assets.serializers import ProtocolsField
+from perms.serializers.base import ActionsField
+
+
+__all__ = [
+    'ConnectionTokenSerializer', 'ConnectionTokenSecretSerializer',
+    'SuperConnectionTokenSerializer'
+]
+
+
+class ConnectionTokenSerializer(OrgResourceModelSerializerMixin):
+    type_display = serializers.ReadOnlyField(source='get_type_display', label=_("Type display"))
+    validity = serializers.BooleanField(source='is_valid', read_only=True, label=_('Validity'))
+
+    class Meta:
+        model = ConnectionToken
+        fields_mini = ['id', 'type']
+        fields_small = fields_mini + [
+            'secret', 'date_expired',
+            'date_created', 'date_updated', 'created_by', 'updated_by',
+            'org_id', 'org_name',
+        ]
+        fields_fk = [
+            'user', 'system_user', 'asset', 'application',
+        ]
+        read_only_fields = [
+            # 普通 Token 不支持指定 user
+            'user', 'validity',
+            'type_display', 'user_display', 'system_user_display', 'asset_display',
+            'application_display',
+        ]
+        fields = fields_small + fields_fk + read_only_fields
+
+    def validate(self, attrs):
+        fields_attrs = self.construct_internal_fields_attrs(attrs)
+        attrs.update(fields_attrs)
+        return attrs
+
+    @property
+    def request_user(self):
+        request = self.context.get('request')
+        if request:
+            return request.user
+
+    def get_user(self, attrs):
+        return self.request_user
+
+    def construct_internal_fields_attrs(self, attrs):
+        user = self.get_user(attrs)
+        system_user = attrs.get('system_user') or ''
+        asset = attrs.get('asset') or ''
+        application = attrs.get('application') or ''
+        secret = attrs.get('secret') or random_string(64)
+        date_expired = attrs.get('date_expired') or ConnectionToken.get_default_date_expired()
+
+        if isinstance(asset, Asset):
+            tp = ConnectionToken.Type.asset
+            org_id = asset.org_id
+        elif isinstance(application, Application):
+            tp = ConnectionToken.Type.application
+            org_id = application.org_id
+        else:
+            raise serializers.ValidationError(_('Asset or application required'))
+
+        return {
+            'type': tp,
+            'user': user,
+            'secret': secret,
+            'date_expired': date_expired,
+            'user_display': pretty_string(str(user), max_length=128),
+            'system_user_display': pretty_string(str(system_user), max_length=128),
+            'asset_display': pretty_string(str(asset), max_length=128),
+            'application_display': pretty_string(str(application), max_length=128),
+            'org_id': org_id,
+        }
+
+
+#
+# SuperConnectionTokenSerializer
+#
+
+
+class SuperConnectionTokenSerializer(ConnectionTokenSerializer):
+
+    class Meta(ConnectionTokenSerializer.Meta):
+        read_only_fields = [
+            'validity',
+            'user_display', 'system_user_display', 'asset_display', 'application_display',
+        ]
+
+    def get_user(self, attrs):
+        return attrs.get('user') or self.request_user
+
+
+#
+# Connection Token Secret
+#
+
+
+class ConnectionTokenUserSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = User
+        fields = ['id', 'name', 'username', 'email']
+
+
+class ConnectionTokenAssetSerializer(serializers.ModelSerializer):
+    protocols = ProtocolsField(label='Protocols', read_only=True)
+
+    class Meta:
+        model = Asset
+        fields = ['id', 'hostname', 'ip', 'protocols', 'org_id']
+
+
+class ConnectionTokenSystemUserSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = SystemUser
+        fields = [
+            'id', 'name', 'username', 'password', 'private_key',
+            'protocol', 'ad_domain', 'org_id'
+        ]
+
+
+class ConnectionTokenGatewaySerializer(serializers.ModelSerializer):
+    class Meta:
+        model = Gateway
+        fields = ['id', 'ip', 'port', 'username', 'password', 'private_key']
+
+
+class ConnectionTokenRemoteAppSerializer(serializers.Serializer):
+    program = serializers.CharField(allow_null=True, allow_blank=True)
+    working_directory = serializers.CharField(allow_null=True, allow_blank=True)
+    parameters = serializers.CharField(allow_null=True, allow_blank=True)
+
+
+class ConnectionTokenApplicationSerializer(serializers.ModelSerializer):
+    attrs = serializers.JSONField(read_only=True)
+
+    class Meta:
+        model = Application
+        fields = ['id', 'name', 'category', 'type', 'attrs', 'org_id']
+
+
+class ConnectionTokenDomainSerializer(serializers.ModelSerializer):
+    gateways = ConnectionTokenGatewaySerializer(many=True, read_only=True)
+
+    class Meta:
+        model = Domain
+        fields = ['id', 'name', 'gateways']
+
+
+class ConnectionTokenCmdFilterRuleSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = CommandFilterRule
+        fields = [
+            'id', 'type', 'content', 'ignore_case', 'pattern',
+            'priority', 'action', 'date_created',
+        ]
+
+
+class ConnectionTokenSecretSerializer(OrgResourceModelSerializerMixin):
+    user = ConnectionTokenUserSerializer(read_only=True)
+    asset = ConnectionTokenAssetSerializer(read_only=True)
+    application = ConnectionTokenApplicationSerializer(read_only=True)
+    remote_app = ConnectionTokenRemoteAppSerializer(read_only=True)
+    system_user = ConnectionTokenSystemUserSerializer(read_only=True)
+    gateway = ConnectionTokenGatewaySerializer(read_only=True)
+    domain = ConnectionTokenDomainSerializer(read_only=True)
+    cmd_filter_rules = ConnectionTokenCmdFilterRuleSerializer(many=True)
+    actions = ActionsField()
+
+    class Meta:
+        model = ConnectionToken
+        fields = [
+            'id', 'secret', 'type', 'user', 'asset', 'application', 'system_user',
+            'remote_app', 'cmd_filter_rules', 'domain', 'gateway', 'actions', 'expired_at',
+        ]
diff --git a/apps/authentication/urls/api_urls.py b/apps/authentication/urls/api_urls.py
index 02c920c5b..dd1faff28 100644
--- a/apps/authentication/urls/api_urls.py
+++ b/apps/authentication/urls/api_urls.py
@@ -10,8 +10,8 @@ router = DefaultRouter()
 router.register('access-keys', api.AccessKeyViewSet, 'access-key')
 router.register('sso', api.SSOViewSet, 'sso')
 router.register('temp-tokens', api.TempTokenViewSet, 'temp-token')
-router.register('connection-token', api.UserConnectionTokenViewSet, 'connection-token')
-router.register('super-connection-token', api.UserSuperConnectionTokenViewSet, 'super-connection-token')
+router.register('connection-token', api.ConnectionTokenViewSet, 'connection-token')
+router.register('super-connection-token', api.SuperConnectionTokenViewSet, 'super-connection-token')
 
 
 urlpatterns = [
diff --git a/apps/locale/ja/LC_MESSAGES/django.mo b/apps/locale/ja/LC_MESSAGES/django.mo
index d7bf5fff9..125de4e86 100644
--- a/apps/locale/ja/LC_MESSAGES/django.mo
+++ b/apps/locale/ja/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:404cc258252754b1fbbb67b04b326369c7ca0797d5245fdd98939c2206e1d8a3
-size 126727
+oid sha256:9abfbe0feec22996ffa184b7865f99d1357bad8c022bfba5b28c3f5bfbd0783f
+size 127716
diff --git a/apps/locale/ja/LC_MESSAGES/django.po b/apps/locale/ja/LC_MESSAGES/django.po
index 750b14423..0f9e3d288 100644
--- a/apps/locale/ja/LC_MESSAGES/django.po
+++ b/apps/locale/ja/LC_MESSAGES/django.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-07-06 16:47+0800\n"
+"POT-Creation-Date: 2022-07-11 17:46+0800\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -47,7 +47,7 @@ msgstr "優先順位"
 msgid "1-100, the lower the value will be match first"
 msgstr "1-100、低い値は最初に一致します"
 
-#: acls/models/base.py:31 authentication/models.py:18
+#: acls/models/base.py:31 authentication/models.py:20
 #: authentication/templates/authentication/_access_key_modal.html:32
 #: perms/models/base.py:88 terminal/models/sharing.py:28 tickets/const.py:39
 msgid "Active"
@@ -58,7 +58,7 @@ msgstr "アクティブ"
 #: assets/models/backup.py:54 assets/models/base.py:180
 #: assets/models/cluster.py:29 assets/models/cmd_filter.py:48
 #: assets/models/cmd_filter.py:96 assets/models/domain.py:24
-#: assets/models/domain.py:64 assets/models/group.py:23
+#: assets/models/domain.py:65 assets/models/group.py:23
 #: assets/models/label.py:23 ops/models/adhoc.py:38 orgs/models.py:68
 #: perms/models/base.py:93 rbac/models/role.py:37 settings/models.py:34
 #: terminal/models/endpoint.py:21 terminal/models/endpoint.py:92
@@ -88,8 +88,8 @@ msgstr "ログイン確認"
 #: acls/models/login_acl.py:24 acls/models/login_asset_acl.py:20
 #: assets/models/cmd_filter.py:30 assets/models/label.py:15 audits/models.py:37
 #: audits/models.py:62 audits/models.py:87 audits/serializers.py:100
-#: authentication/models.py:51 orgs/models.py:214 perms/models/base.py:84
-#: rbac/builtin.py:118 rbac/models/rolebinding.py:41
+#: authentication/models.py:53 authentication/models.py:77 orgs/models.py:214
+#: perms/models/base.py:84 rbac/builtin.py:118 rbac/models/rolebinding.py:41
 #: terminal/backends/command/models.py:20
 #: terminal/backends/command/serializers.py:13 terminal/models/session.py:44
 #: terminal/models/sharing.py:33 terminal/notifications.py:91
@@ -131,6 +131,7 @@ msgstr "システムユーザー"
 #: assets/models/backup.py:31 assets/models/cmd_filter.py:38
 #: assets/models/gathered_user.py:14 assets/serializers/label.py:30
 #: assets/serializers/system_user.py:268 audits/models.py:39
+#: authentication/models.py:65 authentication/models.py:89
 #: perms/models/asset_permission.py:23 terminal/backends/command/models.py:21
 #: terminal/backends/command/serializers.py:14 terminal/models/session.py:46
 #: terminal/notifications.py:90
@@ -156,7 +157,7 @@ msgstr "コンマ区切り文字列の形式。* はすべて一致すること
 #: acls/serializers/login_asset_acl.py:51 assets/models/base.py:176
 #: assets/models/gathered_user.py:15 audits/models.py:121
 #: authentication/forms.py:25 authentication/forms.py:27
-#: authentication/models.py:69
+#: authentication/models.py:244
 #: authentication/templates/authentication/_msg_different_city.html:9
 #: authentication/templates/authentication/_msg_oauth_bind.html:9
 #: ops/models/adhoc.py:159 users/forms/profile.py:32 users/models/user.py:659
@@ -179,7 +180,7 @@ msgstr ""
 
 #: acls/serializers/login_asset_acl.py:31 acls/serializers/rules/rules.py:33
 #: applications/serializers/attrs/application_type/mysql_workbench.py:18
-#: assets/models/asset.py:210 assets/models/domain.py:60
+#: assets/models/asset.py:210 assets/models/domain.py:61
 #: assets/serializers/account.py:13
 #: authentication/templates/authentication/_msg_oauth_bind.html:12
 #: authentication/templates/authentication/_msg_rest_password_success.html:8
@@ -203,7 +204,7 @@ msgstr ""
 "ション: {}"
 
 #: acls/serializers/login_asset_acl.py:55 assets/models/asset.py:213
-#: assets/models/domain.py:62 assets/models/user.py:252
+#: assets/models/domain.py:63 assets/models/user.py:252
 #: terminal/serializers/session.py:31 terminal/serializers/storage.py:68
 msgid "Protocol"
 msgstr "プロトコル"
@@ -261,13 +262,14 @@ msgstr "カスタム"
 
 #: applications/models/account.py:12 applications/models/application.py:234
 #: assets/models/backup.py:32 assets/models/cmd_filter.py:45
+#: authentication/models.py:66 authentication/models.py:94
 #: perms/models/application_permission.py:28
 msgid "Application"
 msgstr "アプリケーション"
 
 #: applications/models/account.py:15 assets/models/authbook.py:20
 #: assets/models/cmd_filter.py:42 assets/models/user.py:342 audits/models.py:40
-#: perms/models/application_permission.py:33
+#: authentication/models.py:82 perms/models/application_permission.py:33
 #: perms/models/asset_permission.py:25 terminal/backends/command/models.py:22
 #: terminal/backends/command/serializers.py:36 terminal/models/session.py:48
 #: xpack/plugins/change_auth_plan/models/app.py:36
@@ -305,7 +307,7 @@ msgstr "カテゴリ"
 #: applications/models/application.py:222
 #: applications/serializers/application.py:101 assets/models/backup.py:49
 #: assets/models/cmd_filter.py:82 assets/models/user.py:250
-#: perms/models/application_permission.py:24
+#: authentication/models.py:69 perms/models/application_permission.py:24
 #: perms/serializers/application/user_permission.py:34
 #: terminal/models/storage.py:58 terminal/models/storage.py:142
 #: tickets/models/comment.py:26 tickets/models/flow.py:57
@@ -317,7 +319,7 @@ msgid "Type"
 msgstr "タイプ"
 
 #: applications/models/application.py:226 assets/models/asset.py:217
-#: assets/models/domain.py:29 assets/models/domain.py:63
+#: assets/models/domain.py:29 assets/models/domain.py:64
 msgid "Domain"
 msgstr "ドメイン"
 
@@ -343,7 +345,8 @@ msgstr "カテゴリ表示"
 #: applications/serializers/application.py:71
 #: applications/serializers/application.py:102
 #: assets/serializers/cmd_filter.py:34 assets/serializers/system_user.py:34
-#: audits/serializers.py:29 perms/serializers/application/permission.py:19
+#: audits/serializers.py:29 authentication/serializers/connection_token.py:22
+#: perms/serializers/application/permission.py:19
 #: tickets/serializers/flow.py:48 tickets/serializers/ticket/ticket.py:17
 msgid "Type display"
 msgstr "タイプ表示"
@@ -370,7 +373,7 @@ msgid "Date updated"
 msgstr "更新日"
 
 #: applications/serializers/application.py:121
-#: applications/serializers/application.py:166
+#: applications/serializers/application.py:166 authentication/models.py:98
 msgid "Application display"
 msgstr "アプリケーション表示"
 
@@ -398,7 +401,7 @@ msgstr "ホスト"
 #: applications/serializers/attrs/application_type/pgsql.py:10
 #: applications/serializers/attrs/application_type/redis.py:10
 #: applications/serializers/attrs/application_type/sqlserver.py:10
-#: assets/models/asset.py:214 assets/models/domain.py:61
+#: assets/models/asset.py:214 assets/models/domain.py:62
 #: settings/serializers/auth/radius.py:15
 #: xpack/plugins/cloud/serializers/account_attrs.py:71
 msgid "Port"
@@ -584,7 +587,7 @@ msgid "Nodes"
 msgstr "ノード"
 
 #: assets/models/asset.py:219 assets/models/cmd_filter.py:47
-#: assets/models/domain.py:65 assets/models/label.py:22
+#: assets/models/domain.py:66 assets/models/label.py:22
 #: users/serializers/user.py:145
 msgid "Is active"
 msgstr "アクティブです。"
@@ -763,7 +766,7 @@ msgstr "失敗しました"
 msgid "Connectivity"
 msgstr "接続性"
 
-#: assets/models/base.py:40 authentication/models.py:72
+#: assets/models/base.py:40 authentication/models.py:247
 msgid "Date verified"
 msgstr "確認済みの日付"
 
@@ -897,24 +900,24 @@ msgstr "生成された正規表現が正しくありません: {}"
 msgid "Command confirm"
 msgstr "コマンドの確認"
 
-#: assets/models/domain.py:72
+#: assets/models/domain.py:73
 msgid "Gateway"
 msgstr "ゲートウェイ"
 
-#: assets/models/domain.py:74
+#: assets/models/domain.py:75
 msgid "Test gateway"
 msgstr "テストゲートウェイ"
 
-#: assets/models/domain.py:130
+#: assets/models/domain.py:131
 #, python-brace-format
 msgid "Unable to connect to port {port} on {ip}"
 msgstr "{ip} でポート {port} に接続できません"
 
-#: assets/models/domain.py:133 xpack/plugins/cloud/providers/fc.py:48
+#: assets/models/domain.py:134 xpack/plugins/cloud/providers/fc.py:48
 msgid "Authentication failed"
 msgstr "認証に失敗しました"
 
-#: assets/models/domain.py:135 assets/models/domain.py:157
+#: assets/models/domain.py:136 assets/models/domain.py:158
 msgid "Connect failed"
 msgstr "接続に失敗しました"
 
@@ -1030,7 +1033,7 @@ msgid "SFTP Root"
 msgstr "SFTPルート"
 
 #: assets/models/user.py:258 assets/serializers/system_user.py:37
-#: authentication/models.py:49
+#: authentication/models.py:51
 msgid "Token"
 msgstr "トークン"
 
@@ -1082,7 +1085,7 @@ msgstr ""
 "定してください暗号化パスワード"
 
 #: assets/serializers/account.py:36 assets/serializers/account.py:87
-#: assets/serializers/account_history.py:10
+#: assets/serializers/account_history.py:10 authentication/models.py:86
 msgid "System user display"
 msgstr "システムユーザー表示"
 
@@ -1576,7 +1579,8 @@ msgstr "として実行"
 msgid "Run as display"
 msgstr "ディスプレイとして実行する"
 
-#: audits/serializers.py:102 rbac/serializers/rolebinding.py:21
+#: audits/serializers.py:102 authentication/models.py:80
+#: rbac/serializers/rolebinding.py:21
 msgid "User display"
 msgstr "ユーザー表示"
 
@@ -1604,7 +1608,7 @@ msgstr "企業微信"
 msgid "DingTalk"
 msgstr "DingTalk"
 
-#: audits/signal_handlers.py:55 authentication/models.py:76
+#: audits/signal_handlers.py:55 authentication/models.py:251
 msgid "Temporary token"
 msgstr "仮パスワード"
 
@@ -1780,10 +1784,6 @@ msgstr "{ApplicationPermission} 削除 {SystemUser}"
 msgid "This action require verify your MFA"
 msgstr "この操作には、MFAを検証する必要があります"
 
-#: authentication/api/connection_token.py:326
-msgid "Invalid token"
-msgstr "無効なトークン"
-
 #: authentication/api/mfa.py:59
 msgid "Current user not support mfa type: {}"
 msgstr "現在のユーザーはmfaタイプをサポートしていません: {}"
@@ -2082,47 +2082,91 @@ msgstr "MFAタイプ ({}) が有効になっていない"
 msgid "Please change your password"
 msgstr "パスワードを変更してください"
 
-#: authentication/models.py:34
+#: authentication/models.py:36
 msgid "Access key"
 msgstr "アクセスキー"
 
-#: authentication/models.py:41
+#: authentication/models.py:43
 msgid "Private Token"
 msgstr "プライベートトークン"
 
-#: authentication/models.py:50
+#: authentication/models.py:52
 msgid "Expired"
 msgstr "期限切れ"
 
-#: authentication/models.py:54
+#: authentication/models.py:56
 msgid "SSO token"
 msgstr "SSO token"
 
-#: authentication/models.py:62
-msgid "Connection token"
-msgstr "接続トークン"
-
-#: authentication/models.py:64
-msgid "Can view connection token secret"
-msgstr "接続トークンの秘密を表示できます"
-
-#: authentication/models.py:70
+#: authentication/models.py:71 authentication/models.py:245
 #: authentication/templates/authentication/_access_key_modal.html:31
 #: settings/serializers/auth/radius.py:17
 msgid "Secret"
 msgstr "ひみつ"
 
-#: authentication/models.py:71
-msgid "Verified"
-msgstr "確認済み"
-
-#: authentication/models.py:73 perms/models/base.py:90
-#: tickets/models/ticket/apply_application.py:26
+#: authentication/models.py:73 authentication/models.py:248
+#: perms/models/base.py:90 tickets/models/ticket/apply_application.py:26
 #: tickets/models/ticket/apply_asset.py:24 users/models/user.py:703
 msgid "Date expired"
 msgstr "期限切れの日付"
 
 #: authentication/models.py:92
+msgid "Asset display"
+msgstr "アセット名"
+
+#: authentication/models.py:103
+msgid "Connection token"
+msgstr "接続トークン"
+
+#: authentication/models.py:105
+msgid "Can view connection token secret"
+msgstr "接続トークンの秘密を表示できます"
+
+#: authentication/models.py:140
+msgid "Connection token expired at: {}"
+msgstr "接続トークンの有効期限: {}"
+
+#: authentication/models.py:145
+msgid "User not exists"
+msgstr "ユーザーは存在しません"
+
+#: authentication/models.py:149
+msgid "User invalid, disabled or expired"
+msgstr "ユーザーが無効、無効、または期限切れです"
+
+#: authentication/models.py:154
+msgid "System user not exists"
+msgstr "システムユーザーが存在しません"
+
+#: authentication/models.py:160
+msgid "Asset not exists"
+msgstr "アセットが存在しません"
+
+#: authentication/models.py:164
+msgid "Asset inactive"
+msgstr "アセットがアクティブ化されていません"
+
+#: authentication/models.py:171
+msgid "User has no permission to access asset or permission expired"
+msgstr ""
+"ユーザーがアセットにアクセスする権限を持っていないか、権限の有効期限が切れて"
+"います"
+
+#: authentication/models.py:179
+msgid "Application not exists"
+msgstr "アプリが存在しません"
+
+#: authentication/models.py:186
+msgid "User has no permission to access application or permission expired"
+msgstr ""
+"ユーザーがアプリにアクセスする権限を持っていないか、権限の有効期限が切れてい"
+"ます"
+
+#: authentication/models.py:246
+msgid "Verified"
+msgstr "確認済み"
+
+#: authentication/models.py:267
 msgid "Super connection token"
 msgstr "スーパー接続トークン"
 
@@ -2134,6 +2178,15 @@ msgstr "異なる都市ログインのリマインダー"
 msgid "binding reminder"
 msgstr "バインディングリマインダー"
 
+#: authentication/serializers/connection_token.py:23
+#: xpack/plugins/cloud/models.py:34
+msgid "Validity"
+msgstr "有効性"
+
+#: authentication/serializers/connection_token.py:73
+msgid "Asset or application required"
+msgstr "アセットまたはアプリが必要"
+
 #: authentication/serializers/token.py:79
 #: perms/serializers/application/permission.py:20
 #: perms/serializers/application/permission.py:41
@@ -6327,10 +6380,6 @@ msgstr "クラウドセンター"
 msgid "Provider"
 msgstr "プロバイダー"
 
-#: xpack/plugins/cloud/models.py:34
-msgid "Validity"
-msgstr "有効性"
-
 #: xpack/plugins/cloud/models.py:39
 msgid "Cloud account"
 msgstr "クラウドアカウント"
@@ -6686,11 +6735,7 @@ msgstr "資産は空です。ノードを変更してください"
 msgid "Executed times"
 msgstr "実行時間"
 
-#: xpack/plugins/interface/api.py:50
-msgid "It is already in the default setting state!"
-msgstr "すでにデフォルトの設定状態です!"
-
-#: xpack/plugins/interface/api.py:53
+#: xpack/plugins/interface/api.py:52
 msgid "Restore default successfully."
 msgstr "デフォルトの復元に成功しました。"
 
@@ -6753,18 +6798,3 @@ msgstr "究極のエディション"
 #: xpack/plugins/license/models.py:77
 msgid "Community edition"
 msgstr "コミュニティ版"
-
-#~ msgid "Classic green"
-#~ msgstr "クラシックグリーン"
-
-#~ msgid "Chinese red"
-#~ msgstr "チャイナレッド"
-
-#~ msgid "Tech blue"
-#~ msgstr "テクノロジーブルー"
-
-#~ msgid "Deep black"
-#~ msgstr "深き黒"
-
-#~ msgid "Filters"
-#~ msgstr "フィルター"
diff --git a/apps/locale/zh/LC_MESSAGES/django.mo b/apps/locale/zh/LC_MESSAGES/django.mo
index bb56392af..951c7182d 100644
--- a/apps/locale/zh/LC_MESSAGES/django.mo
+++ b/apps/locale/zh/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:603bfc1d89caaec72caf5cfba85fdc2a1ae7ac9556b4c3641353153d777ece1b
-size 104603
+oid sha256:393289b7bc2842cf9190af0783281a8e8acdb636b0ff4e88ef4ff931c2c11f5c
+size 105290
diff --git a/apps/locale/zh/LC_MESSAGES/django.po b/apps/locale/zh/LC_MESSAGES/django.po
index ceae873f1..89123d879 100644
--- a/apps/locale/zh/LC_MESSAGES/django.po
+++ b/apps/locale/zh/LC_MESSAGES/django.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: JumpServer 0.3.3\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-07-06 16:47+0800\n"
+"POT-Creation-Date: 2022-07-11 17:46+0800\n"
 "PO-Revision-Date: 2021-05-20 10:54+0800\n"
 "Last-Translator: ibuler <ibuler@qq.com>\n"
 "Language-Team: JumpServer team<ibuler@qq.com>\n"
@@ -46,7 +46,7 @@ msgstr "优先级"
 msgid "1-100, the lower the value will be match first"
 msgstr "优先级可选范围为 1-100 (数值越小越优先)"
 
-#: acls/models/base.py:31 authentication/models.py:18
+#: acls/models/base.py:31 authentication/models.py:20
 #: authentication/templates/authentication/_access_key_modal.html:32
 #: perms/models/base.py:88 terminal/models/sharing.py:28 tickets/const.py:39
 msgid "Active"
@@ -57,7 +57,7 @@ msgstr "激活中"
 #: assets/models/backup.py:54 assets/models/base.py:180
 #: assets/models/cluster.py:29 assets/models/cmd_filter.py:48
 #: assets/models/cmd_filter.py:96 assets/models/domain.py:24
-#: assets/models/domain.py:64 assets/models/group.py:23
+#: assets/models/domain.py:65 assets/models/group.py:23
 #: assets/models/label.py:23 ops/models/adhoc.py:38 orgs/models.py:68
 #: perms/models/base.py:93 rbac/models/role.py:37 settings/models.py:34
 #: terminal/models/endpoint.py:21 terminal/models/endpoint.py:92
@@ -87,8 +87,8 @@ msgstr "登录复核"
 #: acls/models/login_acl.py:24 acls/models/login_asset_acl.py:20
 #: assets/models/cmd_filter.py:30 assets/models/label.py:15 audits/models.py:37
 #: audits/models.py:62 audits/models.py:87 audits/serializers.py:100
-#: authentication/models.py:51 orgs/models.py:214 perms/models/base.py:84
-#: rbac/builtin.py:118 rbac/models/rolebinding.py:41
+#: authentication/models.py:53 authentication/models.py:77 orgs/models.py:214
+#: perms/models/base.py:84 rbac/builtin.py:118 rbac/models/rolebinding.py:41
 #: terminal/backends/command/models.py:20
 #: terminal/backends/command/serializers.py:13 terminal/models/session.py:44
 #: terminal/models/sharing.py:33 terminal/notifications.py:91
@@ -130,6 +130,7 @@ msgstr "系统用户"
 #: assets/models/backup.py:31 assets/models/cmd_filter.py:38
 #: assets/models/gathered_user.py:14 assets/serializers/label.py:30
 #: assets/serializers/system_user.py:268 audits/models.py:39
+#: authentication/models.py:65 authentication/models.py:89
 #: perms/models/asset_permission.py:23 terminal/backends/command/models.py:21
 #: terminal/backends/command/serializers.py:14 terminal/models/session.py:46
 #: terminal/notifications.py:90
@@ -155,7 +156,7 @@ msgstr "格式为逗号分隔的字符串, * 表示匹配所有. "
 #: acls/serializers/login_asset_acl.py:51 assets/models/base.py:176
 #: assets/models/gathered_user.py:15 audits/models.py:121
 #: authentication/forms.py:25 authentication/forms.py:27
-#: authentication/models.py:69
+#: authentication/models.py:244
 #: authentication/templates/authentication/_msg_different_city.html:9
 #: authentication/templates/authentication/_msg_oauth_bind.html:9
 #: ops/models/adhoc.py:159 users/forms/profile.py:32 users/models/user.py:659
@@ -177,7 +178,7 @@ msgstr ""
 
 #: acls/serializers/login_asset_acl.py:31 acls/serializers/rules/rules.py:33
 #: applications/serializers/attrs/application_type/mysql_workbench.py:18
-#: assets/models/asset.py:210 assets/models/domain.py:60
+#: assets/models/asset.py:210 assets/models/domain.py:61
 #: assets/serializers/account.py:13
 #: authentication/templates/authentication/_msg_oauth_bind.html:12
 #: authentication/templates/authentication/_msg_rest_password_success.html:8
@@ -199,7 +200,7 @@ msgid ""
 msgstr "格式为逗号分隔的字符串, * 表示匹配所有. 可选的协议有： {}"
 
 #: acls/serializers/login_asset_acl.py:55 assets/models/asset.py:213
-#: assets/models/domain.py:62 assets/models/user.py:252
+#: assets/models/domain.py:63 assets/models/user.py:252
 #: terminal/serializers/session.py:31 terminal/serializers/storage.py:68
 msgid "Protocol"
 msgstr "协议"
@@ -256,13 +257,14 @@ msgstr "自定义"
 
 #: applications/models/account.py:12 applications/models/application.py:234
 #: assets/models/backup.py:32 assets/models/cmd_filter.py:45
+#: authentication/models.py:66 authentication/models.py:94
 #: perms/models/application_permission.py:28
 msgid "Application"
 msgstr "应用程序"
 
 #: applications/models/account.py:15 assets/models/authbook.py:20
 #: assets/models/cmd_filter.py:42 assets/models/user.py:342 audits/models.py:40
-#: perms/models/application_permission.py:33
+#: authentication/models.py:82 perms/models/application_permission.py:33
 #: perms/models/asset_permission.py:25 terminal/backends/command/models.py:22
 #: terminal/backends/command/serializers.py:36 terminal/models/session.py:48
 #: xpack/plugins/change_auth_plan/models/app.py:36
@@ -300,7 +302,7 @@ msgstr "类别"
 #: applications/models/application.py:222
 #: applications/serializers/application.py:101 assets/models/backup.py:49
 #: assets/models/cmd_filter.py:82 assets/models/user.py:250
-#: perms/models/application_permission.py:24
+#: authentication/models.py:69 perms/models/application_permission.py:24
 #: perms/serializers/application/user_permission.py:34
 #: terminal/models/storage.py:58 terminal/models/storage.py:142
 #: tickets/models/comment.py:26 tickets/models/flow.py:57
@@ -312,7 +314,7 @@ msgid "Type"
 msgstr "类型"
 
 #: applications/models/application.py:226 assets/models/asset.py:217
-#: assets/models/domain.py:29 assets/models/domain.py:63
+#: assets/models/domain.py:29 assets/models/domain.py:64
 msgid "Domain"
 msgstr "网域"
 
@@ -338,7 +340,8 @@ msgstr "类别名称"
 #: applications/serializers/application.py:71
 #: applications/serializers/application.py:102
 #: assets/serializers/cmd_filter.py:34 assets/serializers/system_user.py:34
-#: audits/serializers.py:29 perms/serializers/application/permission.py:19
+#: audits/serializers.py:29 authentication/serializers/connection_token.py:22
+#: perms/serializers/application/permission.py:19
 #: tickets/serializers/flow.py:48 tickets/serializers/ticket/ticket.py:17
 msgid "Type display"
 msgstr "类型名称"
@@ -365,7 +368,7 @@ msgid "Date updated"
 msgstr "更新日期"
 
 #: applications/serializers/application.py:121
-#: applications/serializers/application.py:166
+#: applications/serializers/application.py:166 authentication/models.py:98
 msgid "Application display"
 msgstr "应用名称"
 
@@ -393,7 +396,7 @@ msgstr "主机"
 #: applications/serializers/attrs/application_type/pgsql.py:10
 #: applications/serializers/attrs/application_type/redis.py:10
 #: applications/serializers/attrs/application_type/sqlserver.py:10
-#: assets/models/asset.py:214 assets/models/domain.py:61
+#: assets/models/asset.py:214 assets/models/domain.py:62
 #: settings/serializers/auth/radius.py:15
 #: xpack/plugins/cloud/serializers/account_attrs.py:71
 msgid "Port"
@@ -579,7 +582,7 @@ msgid "Nodes"
 msgstr "节点"
 
 #: assets/models/asset.py:219 assets/models/cmd_filter.py:47
-#: assets/models/domain.py:65 assets/models/label.py:22
+#: assets/models/domain.py:66 assets/models/label.py:22
 #: users/serializers/user.py:145
 msgid "Is active"
 msgstr "激活"
@@ -758,7 +761,7 @@ msgstr "失败"
 msgid "Connectivity"
 msgstr "可连接性"
 
-#: assets/models/base.py:40 authentication/models.py:72
+#: assets/models/base.py:40 authentication/models.py:247
 msgid "Date verified"
 msgstr "校验日期"
 
@@ -892,24 +895,24 @@ msgstr "生成的正则表达式有误"
 msgid "Command confirm"
 msgstr "命令复核"
 
-#: assets/models/domain.py:72
+#: assets/models/domain.py:73
 msgid "Gateway"
 msgstr "网关"
 
-#: assets/models/domain.py:74
+#: assets/models/domain.py:75
 msgid "Test gateway"
 msgstr "测试网关"
 
-#: assets/models/domain.py:130
+#: assets/models/domain.py:131
 #, python-brace-format
 msgid "Unable to connect to port {port} on {ip}"
 msgstr "无法连接到 {ip} 上的端口 {port}"
 
-#: assets/models/domain.py:133 xpack/plugins/cloud/providers/fc.py:48
+#: assets/models/domain.py:134 xpack/plugins/cloud/providers/fc.py:48
 msgid "Authentication failed"
 msgstr "认证失败"
 
-#: assets/models/domain.py:135 assets/models/domain.py:157
+#: assets/models/domain.py:136 assets/models/domain.py:158
 msgid "Connect failed"
 msgstr "连接失败"
 
@@ -1025,7 +1028,7 @@ msgid "SFTP Root"
 msgstr "SFTP根路径"
 
 #: assets/models/user.py:258 assets/serializers/system_user.py:37
-#: authentication/models.py:49
+#: authentication/models.py:51
 msgid "Token"
 msgstr "Token"
 
@@ -1074,7 +1077,7 @@ msgstr ""
 "置加密密码"
 
 #: assets/serializers/account.py:36 assets/serializers/account.py:87
-#: assets/serializers/account_history.py:10
+#: assets/serializers/account_history.py:10 authentication/models.py:86
 msgid "System user display"
 msgstr "系统用户名称"
 
@@ -1564,7 +1567,8 @@ msgstr "运行用户"
 msgid "Run as display"
 msgstr "运行用户名称"
 
-#: audits/serializers.py:102 rbac/serializers/rolebinding.py:21
+#: audits/serializers.py:102 authentication/models.py:80
+#: rbac/serializers/rolebinding.py:21
 msgid "User display"
 msgstr "用户名称"
 
@@ -1592,7 +1596,7 @@ msgstr "企业微信"
 msgid "DingTalk"
 msgstr "钉钉"
 
-#: audits/signal_handlers.py:55 authentication/models.py:76
+#: audits/signal_handlers.py:55 authentication/models.py:251
 msgid "Temporary token"
 msgstr "临时密码"
 
@@ -1768,10 +1772,6 @@ msgstr "{ApplicationPermission} 移除 {SystemUser}"
 msgid "This action require verify your MFA"
 msgstr "此操作需要验证您的 MFA"
 
-#: authentication/api/connection_token.py:326
-msgid "Invalid token"
-msgstr "无效的令牌"
-
 #: authentication/api/mfa.py:59
 msgid "Current user not support mfa type: {}"
 msgstr "当前用户不支持 MFA 类型: {}"
@@ -2061,47 +2061,87 @@ msgstr "该 MFA ({}) 方式没有启用"
 msgid "Please change your password"
 msgstr "请修改密码"
 
-#: authentication/models.py:34
+#: authentication/models.py:36
 msgid "Access key"
 msgstr "Access key"
 
-#: authentication/models.py:41
+#: authentication/models.py:43
 msgid "Private Token"
 msgstr "SSH密钥"
 
-#: authentication/models.py:50
+#: authentication/models.py:52
 msgid "Expired"
 msgstr "过期时间"
 
-#: authentication/models.py:54
+#: authentication/models.py:56
 msgid "SSO token"
 msgstr "SSO token"
 
-#: authentication/models.py:62
-msgid "Connection token"
-msgstr "连接令牌"
-
-#: authentication/models.py:64
-msgid "Can view connection token secret"
-msgstr "可以查看连接令牌密文"
-
-#: authentication/models.py:70
+#: authentication/models.py:71 authentication/models.py:245
 #: authentication/templates/authentication/_access_key_modal.html:31
 #: settings/serializers/auth/radius.py:17
 msgid "Secret"
 msgstr "密钥"
 
-#: authentication/models.py:71
-msgid "Verified"
-msgstr "已校验"
-
-#: authentication/models.py:73 perms/models/base.py:90
-#: tickets/models/ticket/apply_application.py:26
+#: authentication/models.py:73 authentication/models.py:248
+#: perms/models/base.py:90 tickets/models/ticket/apply_application.py:26
 #: tickets/models/ticket/apply_asset.py:24 users/models/user.py:703
 msgid "Date expired"
 msgstr "失效日期"
 
 #: authentication/models.py:92
+msgid "Asset display"
+msgstr "资产名称"
+
+#: authentication/models.py:103
+msgid "Connection token"
+msgstr "连接令牌"
+
+#: authentication/models.py:105
+msgid "Can view connection token secret"
+msgstr "可以查看连接令牌密文"
+
+#: authentication/models.py:140
+msgid "Connection token expired at: {}"
+msgstr "连接令牌过期: {}"
+
+#: authentication/models.py:145
+msgid "User not exists"
+msgstr "用户不存在"
+
+#: authentication/models.py:149
+msgid "User invalid, disabled or expired"
+msgstr "用户无效，已禁用或已过期"
+
+#: authentication/models.py:154
+msgid "System user not exists"
+msgstr "系统用户不存在"
+
+#: authentication/models.py:160
+msgid "Asset not exists"
+msgstr "资产不存在"
+
+#: authentication/models.py:164
+msgid "Asset inactive"
+msgstr "资产未激活"
+
+#: authentication/models.py:171
+msgid "User has no permission to access asset or permission expired"
+msgstr "用户没有权限访问资产或权限已过期"
+
+#: authentication/models.py:179
+msgid "Application not exists"
+msgstr "应用不存在"
+
+#: authentication/models.py:186
+msgid "User has no permission to access application or permission expired"
+msgstr "用户没有权限访问应用或权限已过期"
+
+#: authentication/models.py:246
+msgid "Verified"
+msgstr "已校验"
+
+#: authentication/models.py:267
 msgid "Super connection token"
 msgstr "超级连接令牌"
 
@@ -2113,6 +2153,15 @@ msgstr "异地登录提醒"
 msgid "binding reminder"
 msgstr "绑定提醒"
 
+#: authentication/serializers/connection_token.py:23
+#: xpack/plugins/cloud/models.py:34
+msgid "Validity"
+msgstr "有效"
+
+#: authentication/serializers/connection_token.py:73
+msgid "Asset or application required"
+msgstr "资产或应用必填"
+
 #: authentication/serializers/token.py:79
 #: perms/serializers/application/permission.py:20
 #: perms/serializers/application/permission.py:41
@@ -6236,10 +6285,6 @@ msgstr "云管中心"
 msgid "Provider"
 msgstr "云服务商"
 
-#: xpack/plugins/cloud/models.py:34
-msgid "Validity"
-msgstr "有效"
-
 #: xpack/plugins/cloud/models.py:39
 msgid "Cloud account"
 msgstr "云账号"
@@ -6594,11 +6639,7 @@ msgstr "资产为空，请更改节点"
 msgid "Executed times"
 msgstr "执行次数"
 
-#: xpack/plugins/interface/api.py:50
-msgid "It is already in the default setting state!"
-msgstr "当前已经是初始化状态！"
-
-#: xpack/plugins/interface/api.py:53
+#: xpack/plugins/interface/api.py:52
 msgid "Restore default successfully."
 msgstr "恢复默认成功！"
 
@@ -6661,21 +6702,3 @@ msgstr "旗舰版"
 #: xpack/plugins/license/models.py:77
 msgid "Community edition"
 msgstr "社区版"
-
-#~ msgid "Classic green"
-#~ msgstr "经典绿"
-
-#~ msgid "Chinese red"
-#~ msgstr "中国红"
-
-#~ msgid "Tech blue"
-#~ msgstr "科技蓝"
-
-#~ msgid "Deep black"
-#~ msgstr "深邃黑"
-
-#~ msgid "Filters"
-#~ msgstr "过滤"
-
-#~ msgid "Code is invalid, {}"
-#~ msgstr "验证码无效: {}"
diff --git a/apps/perms/utils/application/permission.py b/apps/perms/utils/application/permission.py
index f37ca62b1..955743e25 100644
--- a/apps/perms/utils/application/permission.py
+++ b/apps/perms/utils/application/permission.py
@@ -80,14 +80,3 @@ def get_application_system_user_ids(user, application):
 def has_application_system_permission(user, application, system_user):
     system_user_ids = get_application_system_user_ids(user, application)
     return system_user.id in system_user_ids
-
-
-def get_application_actions(user, application, system_user):
-    perm_ids = get_user_all_app_perm_ids(user)
-    actions = ApplicationPermission.objects.filter(
-        applications=application, system_users=system_user,
-        id__in=list(perm_ids)
-    ).values_list('actions', flat=True)
-
-    actions = reduce(lambda x, y: x | y, actions, 0)
-    return actions
diff --git a/apps/perms/utils/asset/permission.py b/apps/perms/utils/asset/permission.py
index 86e297426..e749e630b 100644
--- a/apps/perms/utils/asset/permission.py
+++ b/apps/perms/utils/asset/permission.py
@@ -109,9 +109,3 @@ def get_asset_system_user_ids_with_actions_by_group(group: UserGroup, asset: Ass
         user_groups=group
     ).valid().values_list('id', flat=True).distinct()
     return get_asset_system_user_ids_with_actions(asset_perm_ids, asset)
-
-
-def get_asset_actions(user, asset, system_user):
-    systemuser_actions_mapper = get_asset_system_user_ids_with_actions_by_user(user, asset)
-    actions = systemuser_actions_mapper.get(system_user.id, 0)
-    return actions
diff --git a/apps/terminal/api/endpoint.py b/apps/terminal/api/endpoint.py
index aaece2222..5e4c7542d 100644
--- a/apps/terminal/api/endpoint.py
+++ b/apps/terminal/api/endpoint.py
@@ -54,15 +54,15 @@ class SmartEndpointViewMixin:
         asset_id = request.GET.get('asset_id')
         app_id = request.GET.get('app_id')
         session_id = request.GET.get('session_id')
-        token = request.GET.get('token')
-        if token:
-            from authentication.api.connection_token import TokenCacheMixin as TokenUtil
-            value = TokenUtil().get_token_from_cache(token)
-            if value:
-                if value.get('type') == 'asset':
-                    asset_id = value.get('asset')
-                else:
-                    app_id = value.get('application')
+        token_id = request.GET.get('token')
+        if token_id:
+            from authentication.models import ConnectionToken
+            token = ConnectionToken.objects.filter(id=token_id).first()
+            if token:
+                if token.asset:
+                    asset_id = token.asset.id
+                elif token.application:
+                    app_id = token.application.id
         if asset_id:
             pk, model = asset_id, Asset
         elif app_id:
diff --git a/apps/users/urls/api_urls.py b/apps/users/urls/api_urls.py
index 8453ec819..284482a63 100644
--- a/apps/users/urls/api_urls.py
+++ b/apps/users/urls/api_urls.py
@@ -16,7 +16,7 @@ router.register(r'users', api.UserViewSet, 'user')
 router.register(r'groups', api.UserGroupViewSet, 'user-group')
 router.register(r'users-groups-relations', api.UserUserGroupRelationViewSet, 'users-groups-relation')
 router.register(r'service-account-registrations', api.ServiceAccountRegistrationViewSet, 'service-account-registration')
-router.register(r'connection-token', auth_api.UserConnectionTokenViewSet, 'connection-token')
+router.register(r'connection-token', auth_api.ConnectionTokenViewSet, 'connection-token')
 
 
 urlpatterns = [

From f3cf071362633a87ff580717845e1b9ebfa8bacd Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Mon, 11 Jul 2022 19:34:08 +0800
Subject: [PATCH 241/258] =?UTF-8?q?feat:=20=E4=BF=AE=E6=94=B9connection=20?=
 =?UTF-8?q?token=20secret=E4=B8=8D=E6=98=BE=E7=A4=BA?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/authentication/api/connection_token.py         | 5 ++++-
 apps/authentication/serializers/connection_token.py | 9 ++++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/apps/authentication/api/connection_token.py b/apps/authentication/api/connection_token.py
index abc9b538e..f0a7e0a63 100644
--- a/apps/authentication/api/connection_token.py
+++ b/apps/authentication/api/connection_token.py
@@ -16,7 +16,8 @@ from orgs.mixins.api import RootOrgViewMixin
 from perms.models.base import Action
 from terminal.models import EndpointRule
 from ..serializers import (
-    ConnectionTokenSerializer, ConnectionTokenSecretSerializer, SuperConnectionTokenSerializer
+    ConnectionTokenSerializer, ConnectionTokenSecretSerializer, SuperConnectionTokenSerializer,
+    ConnectionTokenDisplaySerializer,
 )
 from ..models import ConnectionToken
 
@@ -209,6 +210,8 @@ class ConnectionTokenViewSet(ConnectionTokenMixin, RootOrgViewMixin, JMSModelVie
     search_fields = filterset_fields
     serializer_classes = {
         'default': ConnectionTokenSerializer,
+        'list': ConnectionTokenDisplaySerializer,
+        'retrieve': ConnectionTokenDisplaySerializer,
         'get_secret_detail': ConnectionTokenSecretSerializer,
     }
     rbac_perms = {
diff --git a/apps/authentication/serializers/connection_token.py b/apps/authentication/serializers/connection_token.py
index 33e99677c..c2af89aff 100644
--- a/apps/authentication/serializers/connection_token.py
+++ b/apps/authentication/serializers/connection_token.py
@@ -14,7 +14,7 @@ from perms.serializers.base import ActionsField
 
 __all__ = [
     'ConnectionTokenSerializer', 'ConnectionTokenSecretSerializer',
-    'SuperConnectionTokenSerializer'
+    'SuperConnectionTokenSerializer', 'ConnectionTokenDisplaySerializer'
 ]
 
 
@@ -85,6 +85,13 @@ class ConnectionTokenSerializer(OrgResourceModelSerializerMixin):
         }
 
 
+class ConnectionTokenDisplaySerializer(ConnectionTokenSerializer):
+    class Meta(ConnectionTokenSerializer.Meta):
+        extra_kwargs = {
+            'secret': {'write_only': True},
+        }
+
+
 #
 # SuperConnectionTokenSerializer
 #

From e89765a9adec9a630c31bc48ec772529afa5d09b Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Tue, 12 Jul 2022 10:54:23 +0800
Subject: [PATCH 242/258] =?UTF-8?q?refactor:=20=E9=87=8D=E6=9E=84=E7=B3=BB?=
 =?UTF-8?q?=E7=BB=9F=E7=94=A8=E6=88=B7?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../migrations/0092_auto_20220711_1409.py     | 77 +++++++++++++++++++
 .../migrations/0093_auto_20220711_1413.py     | 18 +++++
 apps/assets/models/__init__.py                |  1 +
 apps/assets/models/account.py                 | 27 +++++++
 apps/assets/models/authbook.py                |  1 +
 apps/assets/models/user.py                    |  2 +-
 6 files changed, 125 insertions(+), 1 deletion(-)
 create mode 100644 apps/assets/migrations/0092_auto_20220711_1409.py
 create mode 100644 apps/assets/migrations/0093_auto_20220711_1413.py
 create mode 100644 apps/assets/models/account.py

diff --git a/apps/assets/migrations/0092_auto_20220711_1409.py b/apps/assets/migrations/0092_auto_20220711_1409.py
new file mode 100644
index 000000000..5fb8704bd
--- /dev/null
+++ b/apps/assets/migrations/0092_auto_20220711_1409.py
@@ -0,0 +1,77 @@
+# Generated by Django 3.2.12 on 2022-07-11 06:08
+
+import assets.models.base
+import assets.models.user
+import common.db.fields
+from django.conf import settings
+from django.db import migrations, models
+import django.db.models.deletion
+import simple_history.models
+import uuid
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+        ('assets', '0091_auto_20220629_1826'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='HistoricalAccount',
+            fields=[
+                ('org_id', models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization')),
+                ('id', models.UUIDField(db_index=True, default=uuid.uuid4)),
+                ('name', models.CharField(max_length=128, verbose_name='Name')),
+                ('username', models.CharField(blank=True, db_index=True, max_length=128, verbose_name='Username')),
+                ('password', common.db.fields.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password')),
+                ('private_key', common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='SSH private key')),
+                ('public_key', common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='SSH public key')),
+                ('comment', models.TextField(blank=True, verbose_name='Comment')),
+                ('date_created', models.DateTimeField(blank=True, editable=False, verbose_name='Date created')),
+                ('date_updated', models.DateTimeField(blank=True, editable=False, verbose_name='Date updated')),
+                ('created_by', models.CharField(max_length=128, null=True, verbose_name='Created by')),
+                ('protocol', models.CharField(choices=[('ssh', 'SSH'), ('rdp', 'RDP'), ('telnet', 'Telnet'), ('vnc', 'VNC'), ('mysql', 'MySQL'), ('oracle', 'Oracle'), ('mariadb', 'MariaDB'), ('postgresql', 'PostgreSQL'), ('sqlserver', 'SQLServer'), ('redis', 'Redis'), ('mongodb', 'MongoDB'), ('k8s', 'K8S')], default='ssh', max_length=16, verbose_name='Protocol')),
+                ('version', models.IntegerField(default=1, verbose_name='Version')),
+                ('history_id', models.AutoField(primary_key=True, serialize=False)),
+                ('history_date', models.DateTimeField(db_index=True)),
+                ('history_change_reason', models.CharField(max_length=100, null=True)),
+                ('history_type', models.CharField(choices=[('+', 'Created'), ('~', 'Changed'), ('-', 'Deleted')], max_length=1)),
+                ('asset', models.ForeignKey(blank=True, db_constraint=False, null=True, on_delete=django.db.models.deletion.DO_NOTHING, related_name='+', to='assets.asset', verbose_name='Asset')),
+                ('history_user', models.ForeignKey(null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='+', to=settings.AUTH_USER_MODEL)),
+            ],
+            options={
+                'verbose_name': 'historical Account',
+                'verbose_name_plural': 'historical Accounts',
+                'ordering': ('-history_date', '-history_id'),
+                'get_latest_by': ('history_date', 'history_id'),
+            },
+            bases=(simple_history.models.HistoricalChanges, models.Model),
+        ),
+        migrations.CreateModel(
+            name='Account',
+            fields=[
+                ('org_id', models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization')),
+                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
+                ('name', models.CharField(max_length=128, verbose_name='Name')),
+                ('username', models.CharField(blank=True, db_index=True, max_length=128, verbose_name='Username')),
+                ('password', common.db.fields.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password')),
+                ('private_key', common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='SSH private key')),
+                ('public_key', common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='SSH public key')),
+                ('comment', models.TextField(blank=True, verbose_name='Comment')),
+                ('date_created', models.DateTimeField(auto_now_add=True, verbose_name='Date created')),
+                ('date_updated', models.DateTimeField(auto_now=True, verbose_name='Date updated')),
+                ('created_by', models.CharField(max_length=128, null=True, verbose_name='Created by')),
+                ('protocol', models.CharField(choices=[('ssh', 'SSH'), ('rdp', 'RDP'), ('telnet', 'Telnet'), ('vnc', 'VNC'), ('mysql', 'MySQL'), ('oracle', 'Oracle'), ('mariadb', 'MariaDB'), ('postgresql', 'PostgreSQL'), ('sqlserver', 'SQLServer'), ('redis', 'Redis'), ('mongodb', 'MongoDB'), ('k8s', 'K8S')], default='ssh', max_length=16, verbose_name='Protocol')),
+                ('version', models.IntegerField(default=1, verbose_name='Version')),
+                ('asset', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='assets.asset', verbose_name='Asset')),
+            ],
+            options={
+                'verbose_name': 'Account',
+                'permissions': [('view_assetaccountsecret', 'Can view asset account secret'), ('change_assetaccountsecret', 'Can change asset account secret'), ('view_assethistoryaccount', 'Can view asset history account'), ('view_assethistoryaccountsecret', 'Can view asset history account secret')],
+                'unique_together': {('username', 'asset')},
+            },
+            bases=(models.Model, assets.models.base.AuthMixin, assets.models.user.ProtocolMixin),
+        ),
+    ]
diff --git a/apps/assets/migrations/0093_auto_20220711_1413.py b/apps/assets/migrations/0093_auto_20220711_1413.py
new file mode 100644
index 000000000..c8cb17160
--- /dev/null
+++ b/apps/assets/migrations/0093_auto_20220711_1413.py
@@ -0,0 +1,18 @@
+# Generated by Django 3.2.12 on 2022-07-11 06:13
+
+from django.db import migrations
+
+
+def migrate_accounts(apps, schema_editor):
+    auth_book_model = apps.get_model('assets', 'AuthBook')
+    account_model = apps.get_model('assets', 'Account')
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0092_auto_20220711_1409'),
+    ]
+
+    operations = [
+    ]
diff --git a/apps/assets/models/__init__.py b/apps/assets/models/__init__.py
index d2dd03885..9d1df04a1 100644
--- a/apps/assets/models/__init__.py
+++ b/apps/assets/models/__init__.py
@@ -13,3 +13,4 @@ from .authbook import *
 from .gathered_user import *
 from .favorite_asset import *
 from .backup import *
+from .account import *
diff --git a/apps/assets/models/account.py b/apps/assets/models/account.py
new file mode 100644
index 000000000..0d6e999cc
--- /dev/null
+++ b/apps/assets/models/account.py
@@ -0,0 +1,27 @@
+from django.db import models
+from django.utils.translation import gettext_lazy as _
+from simple_history.models import HistoricalRecords
+
+from .user import ProtocolMixin
+from .base import BaseUser
+
+
+__all__ = ['Account']
+
+
+class Account(BaseUser, ProtocolMixin):
+    protocol = models.CharField(max_length=16, choices=ProtocolMixin.Protocol.choices,
+                                default='ssh', verbose_name=_('Protocol'))
+    asset = models.ForeignKey('assets.Asset', on_delete=models.CASCADE, verbose_name=_('Asset'))
+    version = models.IntegerField(default=1, verbose_name=_('Version'))
+    history = HistoricalRecords()
+
+    class Meta:
+        verbose_name = _('Account')
+        unique_together = [('username', 'asset')]
+        permissions = [
+            ('view_assetaccountsecret', _('Can view asset account secret')),
+            ('change_assetaccountsecret', _('Can change asset account secret')),
+            ('view_assethistoryaccount', _('Can view asset history account')),
+            ('view_assethistoryaccountsecret', _('Can view asset history account secret')),
+        ]
diff --git a/apps/assets/models/authbook.py b/apps/assets/models/authbook.py
index 338c65a3e..f5d9e457d 100644
--- a/apps/assets/models/authbook.py
+++ b/apps/assets/models/authbook.py
@@ -137,3 +137,4 @@ class AuthBook(BaseUser, AbsConnectivity):
     def __str__(self):
         return self.smart_name
 
+
diff --git a/apps/assets/models/user.py b/apps/assets/models/user.py
index e20664071..0eb27e912 100644
--- a/apps/assets/models/user.py
+++ b/apps/assets/models/user.py
@@ -15,7 +15,7 @@ from .asset import Asset
 from .authbook import AuthBook
 
 
-__all__ = ['AdminUser', 'SystemUser']
+__all__ = ['AdminUser', 'SystemUser', 'ProtocolMixin']
 logger = logging.getLogger(__name__)
 
 

From c7c0374c78d55ab6e1bc04b0a44130462129d555 Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Tue, 12 Jul 2022 13:45:48 +0800
Subject: [PATCH 243/258] =?UTF-8?q?perf:=20=E4=BF=AE=E6=94=B9=E4=B8=BB?=
 =?UTF-8?q?=E9=A2=98=20(#8569)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* perf: 优化登录 backend

* perf: 修改主题

Co-authored-by: ibuler <ibuler@qq.com>
---
 apps/authentication/mixins.py      | 8 +++++---
 apps/authentication/views/wecom.py | 1 -
 apps/templates/_head_css_js.html   | 6 +++---
 3 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/apps/authentication/mixins.py b/apps/authentication/mixins.py
index 58e6ccd36..403f7186d 100644
--- a/apps/authentication/mixins.py
+++ b/apps/authentication/mixins.py
@@ -443,13 +443,15 @@ class AuthMixin(CommonMixin, AuthPreCheckMixin, AuthACLMixin, MFAMixin, AuthPost
         LoginIpBlockUtil(ip).clean_block_if_need()
         return user
 
-    def mark_password_ok(self, user, auto_login=False):
+    def mark_password_ok(self, user, auto_login=False, auth_backend=None):
         request = self.request
         request.session['auth_password'] = 1
         request.session['auth_password_expired_at'] = time.time() + settings.AUTH_EXPIRED_SECONDS
         request.session['user_id'] = str(user.id)
         request.session['auto_login'] = auto_login
-        request.session['auth_backend'] = getattr(user, 'backend', settings.AUTH_BACKEND_MODEL)
+        if not auth_backend:
+            auth_backend = getattr(user, 'backend', settings.AUTH_BACKEND_MODEL)
+        request.session['auth_backend'] = auth_backend
 
     def check_oauth2_auth(self, user: User, auth_backend):
         ip = self.get_request_ip()
@@ -469,7 +471,7 @@ class AuthMixin(CommonMixin, AuthPreCheckMixin, AuthACLMixin, MFAMixin, AuthPost
         LoginIpBlockUtil(ip).clean_block_if_need()
         MFABlockUtils(user.username, ip).clean_failed_count()
 
-        self.mark_password_ok(user, False)
+        self.mark_password_ok(user, False, auth_backend)
         return user
 
     def get_user_or_auth(self, valid_data):
diff --git a/apps/authentication/views/wecom.py b/apps/authentication/views/wecom.py
index c9315bdb5..b896aa19e 100644
--- a/apps/authentication/views/wecom.py
+++ b/apps/authentication/views/wecom.py
@@ -300,5 +300,4 @@ class WeComOAuthLoginCallbackView(AuthMixin, WeComOAuthMixin, View):
             msg = e.msg
             response = self.get_failed_response(login_url, title=msg, msg=msg)
             return response
-
         return self.redirect_to_guard_view()
diff --git a/apps/templates/_head_css_js.html b/apps/templates/_head_css_js.html
index 2256882c5..718115dc8 100644
--- a/apps/templates/_head_css_js.html
+++ b/apps/templates/_head_css_js.html
@@ -22,8 +22,8 @@
 </style>
 
 <script>
-  const theme = "{{ INTERFACE.theme }}";
-  if (theme && theme.colors && theme.colors['--color-primary']) {
-    document.documentElement.style.setProperty('--primary-color', theme.colors['--color-primary']);
+  const themeInfo = {{ INTERFACE.theme_info | safe }};
+  if (themeInfo && themeInfo.colors && themeInfo.colors['--color-primary']) {
+    document.documentElement.style.setProperty('--primary-color', themeInfo.colors['--color-primary']);
   }
 </script>

From b64727e04c867c3365b16679413e60ec12ebe32a Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Tue, 12 Jul 2022 14:09:08 +0800
Subject: [PATCH 244/258] =?UTF-8?q?fix:=20=E4=BF=AE=E6=94=B9=E7=94=A8?=
 =?UTF-8?q?=E6=88=B7=E8=87=AA=E6=9B=B4=E6=96=B0=E5=A4=B1=E8=B4=A5=E7=9A=84?=
 =?UTF-8?q?=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/users/serializers/user.py | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/apps/users/serializers/user.py b/apps/users/serializers/user.py
index b08b09144..eb03a0e6f 100644
--- a/apps/users/serializers/user.py
+++ b/apps/users/serializers/user.py
@@ -6,7 +6,7 @@ from rest_framework import serializers
 
 from common.mixins import CommonBulkSerializerMixin
 from common.validators import PhoneValidator
-from common.utils import pretty_string
+from common.utils import pretty_string, get_logger
 from common.drf.fields import EncryptedField
 from rbac.builtin import BuiltinRole
 from rbac.permissions import RBACPermission
@@ -19,6 +19,8 @@ __all__ = [
     'InviteSerializer', 'ServiceAccountSerializer',
 ]
 
+logger = get_logger(__file__)
+
 
 class RolesSerializerMixin(serializers.Serializer):
     system_roles = serializers.ManyRelatedField(
@@ -199,8 +201,10 @@ class UserSerializer(RolesSerializerMixin, CommonBulkSerializerMixin, serializer
         if not disallow_fields:
             return attrs
         # 用户自己不能更新自己的一些字段
-        error = _('User cannot self-update fields: {}').format(disallow_fields)
-        raise serializers.ValidationError(error)
+        logger.debug('Disallow update self fields: %s', disallow_fields)
+        for field in disallow_fields:
+            attrs.pop(field, None)
+        return attrs
 
     def validate(self, attrs):
         attrs = self.check_disallow_self_update_fields(attrs)

From b5cfc6831b3efc6a255815af6ab5483f02c809e0 Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Tue, 12 Jul 2022 15:28:42 +0800
Subject: [PATCH 245/258] =?UTF-8?q?feat:=20=E5=B7=A5=E5=8D=95=E6=94=AF?=
 =?UTF-8?q?=E6=8C=81=E5=AE=A1=E6=89=B9=E6=97=B6=E4=BF=AE=E6=94=B9=E8=B5=84?=
 =?UTF-8?q?=E4=BA=A7=20(#8549)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: feng626 <1304903146@qq.com>
Co-authored-by: feng626 <57284900+feng626@users.noreply.github.com>
---
 apps/common/db/encoder.py                     |  2 +
 apps/locale/ja/LC_MESSAGES/django.po          | 90 +++++++++++--------
 apps/locale/zh/LC_MESSAGES/django.po          | 90 +++++++++++--------
 apps/perms/serializers/base.py                |  6 +-
 apps/tickets/api/ticket.py                    | 23 ++---
 apps/tickets/handlers/base.py                 | 27 +++++-
 .../migrations/0017_auto_20220623_1027.py     |  4 +-
 .../models/ticket/apply_application.py        |  2 +-
 apps/tickets/models/ticket/apply_asset.py     |  5 +-
 apps/tickets/models/ticket/general.py         | 56 +++++++++---
 apps/tickets/notifications.py                 | 11 +--
 .../serializers/ticket/apply_application.py   | 13 ++-
 .../tickets/serializers/ticket/apply_asset.py | 20 +++--
 apps/tickets/serializers/ticket/common.py     | 20 ++++-
 apps/tickets/serializers/ticket/ticket.py     |  3 +
 .../tickets/ticket_approve_diff.html          | 24 +++++
 16 files changed, 274 insertions(+), 122 deletions(-)
 create mode 100644 apps/tickets/templates/tickets/ticket_approve_diff.html

diff --git a/apps/common/db/encoder.py b/apps/common/db/encoder.py
index 673b8aeca..e09ffd60e 100644
--- a/apps/common/db/encoder.py
+++ b/apps/common/db/encoder.py
@@ -4,6 +4,7 @@ import logging
 from datetime import datetime
 
 from django.utils.translation import ugettext_lazy as _
+from django.utils import timezone as dj_timezone
 from django.db import models
 from django.conf import settings
 
@@ -18,6 +19,7 @@ class ModelJSONFieldEncoder(json.JSONEncoder):
         if isinstance(obj, str_cls):
             return str(obj)
         elif isinstance(obj, datetime):
+            obj = dj_timezone.localtime(obj)
             return obj.strftime(settings.DATETIME_DISPLAY_FORMAT)
         elif isinstance(obj, (list, tuple)) and len(obj) > 0 \
                 and isinstance(obj[0], models.Model):
diff --git a/apps/locale/ja/LC_MESSAGES/django.po b/apps/locale/ja/LC_MESSAGES/django.po
index 0f9e3d288..88cb86c95 100644
--- a/apps/locale/ja/LC_MESSAGES/django.po
+++ b/apps/locale/ja/LC_MESSAGES/django.po
@@ -63,7 +63,7 @@ msgstr "アクティブ"
 #: perms/models/base.py:93 rbac/models/role.py:37 settings/models.py:34
 #: terminal/models/endpoint.py:21 terminal/models/endpoint.py:92
 #: terminal/models/storage.py:29 terminal/models/terminal.py:114
-#: tickets/models/comment.py:32 tickets/models/ticket/general.py:278
+#: tickets/models/comment.py:32 tickets/models/ticket/general.py:288
 #: users/models/group.py:16 users/models/user.py:698
 #: xpack/plugins/change_auth_plan/models/base.py:44
 #: xpack/plugins/cloud/models.py:35 xpack/plugins/cloud/models.py:116
@@ -309,10 +309,10 @@ msgstr "カテゴリ"
 #: assets/models/cmd_filter.py:82 assets/models/user.py:250
 #: authentication/models.py:69 perms/models/application_permission.py:24
 #: perms/serializers/application/user_permission.py:34
-#: terminal/models/storage.py:58 terminal/models/storage.py:142
+#: terminal/models/storage.py:58 terminal/models/storage.py:143
 #: tickets/models/comment.py:26 tickets/models/flow.py:57
 #: tickets/models/ticket/apply_application.py:17
-#: tickets/models/ticket/general.py:263
+#: tickets/models/ticket/general.py:273
 #: xpack/plugins/change_auth_plan/models/app.py:28
 #: xpack/plugins/change_auth_plan/models/app.py:153
 msgid "Type"
@@ -416,6 +416,8 @@ msgstr "アプリケーションパス"
 
 #: applications/serializers/attrs/application_category/remote_app.py:44
 #: assets/serializers/system_user.py:167
+#: tickets/serializers/ticket/apply_application.py:35
+#: tickets/serializers/ticket/common.py:59
 #: xpack/plugins/change_auth_plan/serializers/asset.py:67
 #: xpack/plugins/change_auth_plan/serializers/asset.py:70
 #: xpack/plugins/change_auth_plan/serializers/asset.py:73
@@ -503,7 +505,7 @@ msgid "Charset"
 msgstr "シャーセット"
 
 #: assets/models/asset.py:141 assets/serializers/asset.py:176
-#: tickets/models/ticket/general.py:288
+#: tickets/models/ticket/general.py:298
 msgid "Meta"
 msgstr "メタ"
 
@@ -525,7 +527,7 @@ msgstr "ベンダー"
 msgid "Model"
 msgstr "モデル"
 
-#: assets/models/asset.py:170 tickets/models/ticket/general.py:286
+#: assets/models/asset.py:170 tickets/models/ticket/general.py:296
 msgid "Serial number"
 msgstr "シリアル番号"
 
@@ -1525,7 +1527,7 @@ msgid "MFA"
 msgstr "MFA"
 
 #: audits/models.py:128 terminal/models/status.py:33
-#: tickets/models/ticket/general.py:271 xpack/plugins/cloud/models.py:175
+#: tickets/models/ticket/general.py:281 xpack/plugins/cloud/models.py:175
 #: xpack/plugins/cloud/models.py:227
 msgid "Status"
 msgstr "ステータス"
@@ -2581,7 +2583,7 @@ msgstr "%(name)s が正常に作成されました"
 msgid "%(name)s was updated successfully"
 msgstr "%(name)s は正常に更新されました"
 
-#: common/db/encoder.py:10
+#: common/db/encoder.py:11
 msgid "ugettext_lazy"
 msgstr "ugettext_lazy"
 
@@ -3009,7 +3011,7 @@ msgstr "アプリ組織"
 #: orgs/mixins/models.py:46 orgs/mixins/serializers.py:25 orgs/models.py:80
 #: orgs/models.py:211 rbac/const.py:7 rbac/models/rolebinding.py:48
 #: rbac/serializers/rolebinding.py:40 settings/serializers/auth/ldap.py:62
-#: tickets/models/ticket/general.py:290 tickets/serializers/ticket/ticket.py:64
+#: tickets/models/ticket/general.py:300 tickets/serializers/ticket/ticket.py:64
 msgid "Organization"
 msgstr "組織"
 
@@ -3417,7 +3419,7 @@ msgstr "マイアプリ"
 msgid "Ticket comment"
 msgstr "チケットコメント"
 
-#: rbac/tree.py:115 tickets/models/ticket/general.py:295
+#: rbac/tree.py:115 tickets/models/ticket/general.py:305
 msgid "Ticket"
 msgstr "チケット"
 
@@ -4939,7 +4941,7 @@ msgstr "リンク期限切れ"
 msgid "User not allowed to join"
 msgstr "IPは許可されていません"
 
-#: terminal/models/sharing.py:85 terminal/serializers/sharing.py:58
+#: terminal/models/sharing.py:85 terminal/serializers/sharing.py:59
 msgid "Joiner"
 msgstr "ジョイナー"
 
@@ -4996,11 +4998,11 @@ msgstr "ブート時間"
 msgid "Default storage"
 msgstr "デフォルトのストレージ"
 
-#: terminal/models/storage.py:136 terminal/models/terminal.py:108
+#: terminal/models/storage.py:137 terminal/models/terminal.py:108
 msgid "Command storage"
 msgstr "コマンドストレージ"
 
-#: terminal/models/storage.py:196 terminal/models/terminal.py:109
+#: terminal/models/storage.py:197 terminal/models/terminal.py:109
 msgid "Replay storage"
 msgstr "再生ストレージ"
 
@@ -5253,7 +5255,19 @@ msgstr ""
 "チケットのタイトル: {} チケット申請者: {} チケットプロセッサ: {} チケットID: "
 "{}"
 
-#: tickets/handlers/base.py:72
+#: tickets/handlers/base.py:79
+msgid "Change field"
+msgstr "フィールドを変更"
+
+#: tickets/handlers/base.py:79
+msgid "Before change"
+msgstr "変更前"
+
+#: tickets/handlers/base.py:79
+msgid "After change"
+msgstr "変更後"
+
+#: tickets/handlers/base.py:91
 msgid "{} {} the ticket"
 msgstr "{} {} チケット"
 
@@ -5269,8 +5283,8 @@ msgstr "応用ログイン都市"
 msgid "Applied login datetime"
 msgstr "適用されたログインの日付時間"
 
-#: tickets/models/comment.py:13 tickets/models/ticket/general.py:39
-#: tickets/models/ticket/general.py:267
+#: tickets/models/comment.py:13 tickets/models/ticket/general.py:41
+#: tickets/models/ticket/general.py:277
 msgid "State"
 msgstr "状態"
 
@@ -5287,7 +5301,7 @@ msgid "Body"
 msgstr "ボディ"
 
 #: tickets/models/flow.py:20 tickets/models/flow.py:62
-#: tickets/models/ticket/general.py:35
+#: tickets/models/ticket/general.py:37
 msgid "Approve level"
 msgstr "レベルを承認する"
 
@@ -5313,8 +5327,8 @@ msgstr "チケットセッションの関係"
 
 #: tickets/models/ticket/apply_application.py:11
 #: tickets/models/ticket/apply_asset.py:13
-msgid "Apply name"
-msgstr "名前を適用"
+msgid "Permission name"
+msgstr "認可ルール名"
 
 #: tickets/models/ticket/apply_application.py:20
 msgid "Apply applications"
@@ -5362,39 +5376,39 @@ msgstr "コマンドフィルタ規則から"
 msgid "From cmd filter rule"
 msgstr "コマンドフィルタ規則から"
 
-#: tickets/models/ticket/general.py:70
+#: tickets/models/ticket/general.py:72
 msgid "Ticket step"
 msgstr "チケットステップ"
 
-#: tickets/models/ticket/general.py:88
+#: tickets/models/ticket/general.py:90
 msgid "Ticket assignee"
 msgstr "割り当てられたチケット"
 
-#: tickets/models/ticket/general.py:260
+#: tickets/models/ticket/general.py:270
 msgid "Title"
 msgstr "タイトル"
 
-#: tickets/models/ticket/general.py:276
+#: tickets/models/ticket/general.py:286
 msgid "Applicant"
 msgstr "応募者"
 
-#: tickets/models/ticket/general.py:281
+#: tickets/models/ticket/general.py:291
 msgid "TicketFlow"
 msgstr "作業指示プロセス"
 
-#: tickets/models/ticket/general.py:284
+#: tickets/models/ticket/general.py:294
 msgid "Approval step"
 msgstr "承認ステップ"
 
-#: tickets/models/ticket/general.py:287
+#: tickets/models/ticket/general.py:297
 msgid "Relation snapshot"
 msgstr "製造オーダスナップショット"
 
-#: tickets/models/ticket/general.py:380
+#: tickets/models/ticket/general.py:390
 msgid "Please try again"
 msgstr "もう一度お試しください"
 
-#: tickets/models/ticket/general.py:387
+#: tickets/models/ticket/general.py:421
 msgid "Super ticket"
 msgstr "スーパーチケット"
 
@@ -5414,27 +5428,27 @@ msgstr "ログインシステムユーザー"
 msgid "Login datetime"
 msgstr "ログイン日時"
 
-#: tickets/notifications.py:64
+#: tickets/notifications.py:63
 msgid "Ticket basic info"
 msgstr "チケット基本情報"
 
-#: tickets/notifications.py:65
+#: tickets/notifications.py:64
 msgid "Ticket applied info"
 msgstr "チケット適用情報"
 
-#: tickets/notifications.py:116
-msgid "Your has a new ticket"
+#: tickets/notifications.py:109
+msgid "Your has a new ticket, applicant - {}"
 msgstr "新しいチケットがあります- {}"
 
-#: tickets/notifications.py:120
+#: tickets/notifications.py:113
 msgid "{}: New Ticket - {} ({})"
 msgstr "新しいチケット- {} ({})"
 
-#: tickets/notifications.py:164
+#: tickets/notifications.py:157
 msgid "Your ticket has been processed, processor - {}"
 msgstr "チケットが処理されました。プロセッサー- {}"
 
-#: tickets/notifications.py:168
+#: tickets/notifications.py:161
 msgid "Ticket has processed - {} ({})"
 msgstr "チケットが処理済み- {} ({})"
 
@@ -5455,19 +5469,19 @@ msgid "Processor"
 msgstr "プロセッサ"
 
 #: tickets/serializers/ticket/common.py:16
-#: tickets/serializers/ticket/common.py:68
+#: tickets/serializers/ticket/common.py:79
 msgid "Created by ticket ({}-{})"
 msgstr "チケットで作成 ({}-{})"
 
-#: tickets/serializers/ticket/common.py:58
+#: tickets/serializers/ticket/common.py:69
 msgid "The expiration date should be greater than the start date"
 msgstr "有効期限は開始日より大きくする必要があります"
 
-#: tickets/serializers/ticket/common.py:74
+#: tickets/serializers/ticket/common.py:85
 msgid "Permission named `{}` already exists"
 msgstr "'{}'という名前の権限は既に存在します"
 
-#: tickets/serializers/ticket/ticket.py:89
+#: tickets/serializers/ticket/ticket.py:92
 msgid "The ticket flow `{}` does not exist"
 msgstr "チケットフロー '{}'が存在しない"
 
diff --git a/apps/locale/zh/LC_MESSAGES/django.po b/apps/locale/zh/LC_MESSAGES/django.po
index 89123d879..ab6fe167e 100644
--- a/apps/locale/zh/LC_MESSAGES/django.po
+++ b/apps/locale/zh/LC_MESSAGES/django.po
@@ -62,7 +62,7 @@ msgstr "激活中"
 #: perms/models/base.py:93 rbac/models/role.py:37 settings/models.py:34
 #: terminal/models/endpoint.py:21 terminal/models/endpoint.py:92
 #: terminal/models/storage.py:29 terminal/models/terminal.py:114
-#: tickets/models/comment.py:32 tickets/models/ticket/general.py:278
+#: tickets/models/comment.py:32 tickets/models/ticket/general.py:288
 #: users/models/group.py:16 users/models/user.py:698
 #: xpack/plugins/change_auth_plan/models/base.py:44
 #: xpack/plugins/cloud/models.py:35 xpack/plugins/cloud/models.py:116
@@ -304,10 +304,10 @@ msgstr "类别"
 #: assets/models/cmd_filter.py:82 assets/models/user.py:250
 #: authentication/models.py:69 perms/models/application_permission.py:24
 #: perms/serializers/application/user_permission.py:34
-#: terminal/models/storage.py:58 terminal/models/storage.py:142
+#: terminal/models/storage.py:58 terminal/models/storage.py:143
 #: tickets/models/comment.py:26 tickets/models/flow.py:57
 #: tickets/models/ticket/apply_application.py:17
-#: tickets/models/ticket/general.py:263
+#: tickets/models/ticket/general.py:273
 #: xpack/plugins/change_auth_plan/models/app.py:28
 #: xpack/plugins/change_auth_plan/models/app.py:153
 msgid "Type"
@@ -411,6 +411,8 @@ msgstr "应用路径"
 
 #: applications/serializers/attrs/application_category/remote_app.py:44
 #: assets/serializers/system_user.py:167
+#: tickets/serializers/ticket/apply_application.py:35
+#: tickets/serializers/ticket/common.py:59
 #: xpack/plugins/change_auth_plan/serializers/asset.py:67
 #: xpack/plugins/change_auth_plan/serializers/asset.py:70
 #: xpack/plugins/change_auth_plan/serializers/asset.py:73
@@ -498,7 +500,7 @@ msgid "Charset"
 msgstr "编码"
 
 #: assets/models/asset.py:141 assets/serializers/asset.py:176
-#: tickets/models/ticket/general.py:288
+#: tickets/models/ticket/general.py:298
 msgid "Meta"
 msgstr "元数据"
 
@@ -520,7 +522,7 @@ msgstr "制造商"
 msgid "Model"
 msgstr "型号"
 
-#: assets/models/asset.py:170 tickets/models/ticket/general.py:286
+#: assets/models/asset.py:170 tickets/models/ticket/general.py:296
 msgid "Serial number"
 msgstr "序列号"
 
@@ -1513,7 +1515,7 @@ msgid "MFA"
 msgstr "MFA"
 
 #: audits/models.py:128 terminal/models/status.py:33
-#: tickets/models/ticket/general.py:271 xpack/plugins/cloud/models.py:175
+#: tickets/models/ticket/general.py:281 xpack/plugins/cloud/models.py:175
 #: xpack/plugins/cloud/models.py:227
 msgid "Status"
 msgstr "状态"
@@ -2547,7 +2549,7 @@ msgstr "%(name)s 创建成功"
 msgid "%(name)s was updated successfully"
 msgstr "%(name)s 更新成功"
 
-#: common/db/encoder.py:10
+#: common/db/encoder.py:11
 msgid "ugettext_lazy"
 msgstr "ugettext_lazy"
 
@@ -2969,7 +2971,7 @@ msgstr "组织管理"
 #: orgs/mixins/models.py:46 orgs/mixins/serializers.py:25 orgs/models.py:80
 #: orgs/models.py:211 rbac/const.py:7 rbac/models/rolebinding.py:48
 #: rbac/serializers/rolebinding.py:40 settings/serializers/auth/ldap.py:62
-#: tickets/models/ticket/general.py:290 tickets/serializers/ticket/ticket.py:64
+#: tickets/models/ticket/general.py:300 tickets/serializers/ticket/ticket.py:64
 msgid "Organization"
 msgstr "组织"
 
@@ -3374,7 +3376,7 @@ msgstr "我的应用"
 msgid "Ticket comment"
 msgstr "工单评论"
 
-#: rbac/tree.py:115 tickets/models/ticket/general.py:295
+#: rbac/tree.py:115 tickets/models/ticket/general.py:305
 msgid "Ticket"
 msgstr "工单管理"
 
@@ -4863,7 +4865,7 @@ msgstr "链接过期"
 msgid "User not allowed to join"
 msgstr "来源 IP 不被允许登录"
 
-#: terminal/models/sharing.py:85 terminal/serializers/sharing.py:58
+#: terminal/models/sharing.py:85 terminal/serializers/sharing.py:59
 msgid "Joiner"
 msgstr "加入者"
 
@@ -4920,11 +4922,11 @@ msgstr "运行时间"
 msgid "Default storage"
 msgstr "默认存储"
 
-#: terminal/models/storage.py:136 terminal/models/terminal.py:108
+#: terminal/models/storage.py:137 terminal/models/terminal.py:108
 msgid "Command storage"
 msgstr "命令存储"
 
-#: terminal/models/storage.py:196 terminal/models/terminal.py:109
+#: terminal/models/storage.py:197 terminal/models/terminal.py:109
 msgid "Replay storage"
 msgstr "录像存储"
 
@@ -5173,7 +5175,19 @@ msgid ""
 msgstr ""
 "通过工单创建, 工单标题: {}, 工单申请人: {}, 工单处理人: {}, 工单 ID: {}"
 
-#: tickets/handlers/base.py:72
+#: tickets/handlers/base.py:79
+msgid "Change field"
+msgstr "变更字段"
+
+#: tickets/handlers/base.py:79
+msgid "Before change"
+msgstr "变更前"
+
+#: tickets/handlers/base.py:79
+msgid "After change"
+msgstr "变更后"
+
+#: tickets/handlers/base.py:91
 msgid "{} {} the ticket"
 msgstr "{} {} 工单"
 
@@ -5189,8 +5203,8 @@ msgstr "申请登录的城市"
 msgid "Applied login datetime"
 msgstr "申请登录的日期"
 
-#: tickets/models/comment.py:13 tickets/models/ticket/general.py:39
-#: tickets/models/ticket/general.py:267
+#: tickets/models/comment.py:13 tickets/models/ticket/general.py:41
+#: tickets/models/ticket/general.py:277
 msgid "State"
 msgstr "状态"
 
@@ -5207,7 +5221,7 @@ msgid "Body"
 msgstr "内容"
 
 #: tickets/models/flow.py:20 tickets/models/flow.py:62
-#: tickets/models/ticket/general.py:35
+#: tickets/models/ticket/general.py:37
 msgid "Approve level"
 msgstr "审批级别"
 
@@ -5233,8 +5247,8 @@ msgstr "工单会话"
 
 #: tickets/models/ticket/apply_application.py:11
 #: tickets/models/ticket/apply_asset.py:13
-msgid "Apply name"
-msgstr "应用名称"
+msgid "Permission name"
+msgstr "授权规则名称"
 
 #: tickets/models/ticket/apply_application.py:20
 msgid "Apply applications"
@@ -5282,39 +5296,39 @@ msgstr "来自命令过滤规则"
 msgid "From cmd filter rule"
 msgstr "来自命令过滤规则"
 
-#: tickets/models/ticket/general.py:70
+#: tickets/models/ticket/general.py:72
 msgid "Ticket step"
 msgstr "工单步骤"
 
-#: tickets/models/ticket/general.py:88
+#: tickets/models/ticket/general.py:90
 msgid "Ticket assignee"
 msgstr "工单受理人"
 
-#: tickets/models/ticket/general.py:260
+#: tickets/models/ticket/general.py:270
 msgid "Title"
 msgstr "标题"
 
-#: tickets/models/ticket/general.py:276
+#: tickets/models/ticket/general.py:286
 msgid "Applicant"
 msgstr "申请人"
 
-#: tickets/models/ticket/general.py:281
+#: tickets/models/ticket/general.py:291
 msgid "TicketFlow"
 msgstr "工单流程"
 
-#: tickets/models/ticket/general.py:284
+#: tickets/models/ticket/general.py:294
 msgid "Approval step"
 msgstr "审批步骤"
 
-#: tickets/models/ticket/general.py:287
+#: tickets/models/ticket/general.py:297
 msgid "Relation snapshot"
 msgstr "工单快照"
 
-#: tickets/models/ticket/general.py:380
+#: tickets/models/ticket/general.py:390
 msgid "Please try again"
 msgstr "请再次尝试"
 
-#: tickets/models/ticket/general.py:387
+#: tickets/models/ticket/general.py:421
 msgid "Super ticket"
 msgstr "超级工单"
 
@@ -5334,27 +5348,27 @@ msgstr "登录系统用户"
 msgid "Login datetime"
 msgstr "登录日期"
 
-#: tickets/notifications.py:64
+#: tickets/notifications.py:63
 msgid "Ticket basic info"
 msgstr "工单基本信息"
 
-#: tickets/notifications.py:65
+#: tickets/notifications.py:64
 msgid "Ticket applied info"
 msgstr "工单申请信息"
 
-#: tickets/notifications.py:116
-msgid "Your has a new ticket"
+#: tickets/notifications.py:109
+msgid "Your has a new ticket, applicant - {}"
 msgstr "你有一个新的工单, 申请人 - {}"
 
-#: tickets/notifications.py:120
+#: tickets/notifications.py:113
 msgid "{}: New Ticket - {} ({})"
 msgstr "新工单 - {} ({})"
 
-#: tickets/notifications.py:164
+#: tickets/notifications.py:157
 msgid "Your ticket has been processed, processor - {}"
 msgstr "你的工单已被处理, 处理人 - {}"
 
-#: tickets/notifications.py:168
+#: tickets/notifications.py:161
 msgid "Ticket has processed - {} ({})"
 msgstr "你的工单已被处理, 处理人 - {} ({})"
 
@@ -5375,19 +5389,19 @@ msgid "Processor"
 msgstr "处理人"
 
 #: tickets/serializers/ticket/common.py:16
-#: tickets/serializers/ticket/common.py:68
+#: tickets/serializers/ticket/common.py:79
 msgid "Created by ticket ({}-{})"
 msgstr "通过工单创建 ({}-{})"
 
-#: tickets/serializers/ticket/common.py:58
+#: tickets/serializers/ticket/common.py:69
 msgid "The expiration date should be greater than the start date"
 msgstr "过期时间要大于开始时间"
 
-#: tickets/serializers/ticket/common.py:74
+#: tickets/serializers/ticket/common.py:85
 msgid "Permission named `{}` already exists"
 msgstr "授权名称 `{}` 已存在"
 
-#: tickets/serializers/ticket/ticket.py:89
+#: tickets/serializers/ticket/ticket.py:92
 msgid "The ticket flow `{}` does not exist"
 msgstr "工单流程 `{}` 不存在"
 
diff --git a/apps/perms/serializers/base.py b/apps/perms/serializers/base.py
index 3d48447fb..cbed4a2f8 100644
--- a/apps/perms/serializers/base.py
+++ b/apps/perms/serializers/base.py
@@ -21,8 +21,12 @@ class ActionsField(serializers.MultipleChoiceField):
         return Action.value_to_choices(value)
 
     def to_internal_value(self, data):
-        if data is None:
+        if not self.allow_empty and not data:
+            self.fail('empty')
+
+        if not data:
             return data
+
         return Action.choices_to_value(data)
 
 
diff --git a/apps/tickets/api/ticket.py b/apps/tickets/api/ticket.py
index 0cf9652a6..ee6b76534 100644
--- a/apps/tickets/api/ticket.py
+++ b/apps/tickets/api/ticket.py
@@ -5,7 +5,7 @@ from rest_framework.decorators import action
 from rest_framework.response import Response
 from rest_framework.exceptions import MethodNotAllowed
 
-from common.const.http import POST, PUT
+from common.const.http import POST, PUT, PATCH
 from common.mixins.api import CommonApiMixin
 from orgs.utils import tmp_to_root_org
 
@@ -71,32 +71,34 @@ class TicketViewSet(CommonApiMixin, viewsets.ModelViewSet):
         with tmp_to_root_org():
             return super().create(request, *args, **kwargs)
 
-    @action(detail=True, methods=[PUT], permission_classes=[IsAssignee, ])
+    @action(detail=True, methods=[PUT, PATCH], permission_classes=[IsAssignee, ])
     def approve(self, request, *args, **kwargs):
+        partial = kwargs.pop('partial', False)
         instance = self.get_object()
-        serializer = self.get_serializer(instance)
+        serializer = self.get_serializer(instance, data=request.data, partial=partial)
+        serializer.is_valid(raise_exception=True)
+        instance = serializer.save()
         instance.approve(processor=request.user)
-        return Response(serializer.data)
+        return Response('ok')
 
     @action(detail=True, methods=[PUT], permission_classes=[IsAssignee, ])
     def reject(self, request, *args, **kwargs):
         instance = self.get_object()
-        serializer = self.get_serializer(instance)
         instance.reject(processor=request.user)
-        return Response(serializer.data)
+        return Response('ok')
 
     @action(detail=True, methods=[PUT], permission_classes=[IsApplicant, ])
     def close(self, request, *args, **kwargs):
         instance = self.get_object()
-        serializer = self.get_serializer(instance)
         instance.close()
-        return Response(serializer.data)
+        return Response('ok')
 
 
 class ApplyAssetTicketViewSet(TicketViewSet):
     serializer_class = serializers.ApplyAssetDisplaySerializer
     serializer_classes = {
-        'open': serializers.ApplyAssetSerializer
+        'open': serializers.ApplyAssetSerializer,
+        'approve': serializers.ApproveAssetSerializer
     }
     model = ApplyAssetTicket
     filterset_class = filters.ApplyAssetTicketFilter
@@ -105,7 +107,8 @@ class ApplyAssetTicketViewSet(TicketViewSet):
 class ApplyApplicationTicketViewSet(TicketViewSet):
     serializer_class = serializers.ApplyApplicationDisplaySerializer
     serializer_classes = {
-        'open': serializers.ApplyApplicationSerializer
+        'open': serializers.ApplyApplicationSerializer,
+        'approve': serializers.ApproveApplicationSerializer
     }
     model = ApplyApplicationTicket
     filterset_class = filters.ApplyApplicationTicketFilter
diff --git a/apps/tickets/handlers/base.py b/apps/tickets/handlers/base.py
index 6165d035b..c48ce350b 100644
--- a/apps/tickets/handlers/base.py
+++ b/apps/tickets/handlers/base.py
@@ -1,11 +1,12 @@
 from django.utils.translation import ugettext as _
+from django.template.loader import render_to_string
 
 from common.utils import get_logger
 from tickets.utils import (
     send_ticket_processed_mail_to_applicant,
     send_ticket_applied_mail_to_assignees
 )
-from tickets.const import TicketState, TicketStatus
+from tickets.const import TicketState, TicketType
 
 logger = get_logger(__name__)
 
@@ -59,6 +60,25 @@ class BaseHandler:
         logger.debug('Send processed mail to applicant: {}'.format(applicant))
         send_ticket_processed_mail_to_applicant(self.ticket, processor)
 
+    def _diff_prev_approve_context(self, state):
+        diff_context = {}
+        if state != TicketState.approved:
+            return diff_context
+        if self.ticket.type not in [TicketType.apply_asset, TicketType.apply_application]:
+            return diff_context
+
+        old_rel_snapshot = self.ticket.old_rel_snapshot
+        current_rel_snapshot = self.ticket.get_local_snapshot()
+        diff = set(current_rel_snapshot.items()) - set(old_rel_snapshot.items())
+        if not diff:
+            return diff_context
+
+        content = []
+        for k, v in sorted(list(diff), reverse=True):
+            content.append([k, old_rel_snapshot[k], v])
+        headers = [_('Change field'), _('Before change'), _('After change')]
+        return {'headers': headers, 'content': content}
+
     def _create_state_change_comment(self, state):
         # 打开或关闭工单，备注显示是自己，其他是受理人
         if state in [TicketState.reopen, TicketState.pending, TicketState.closed]:
@@ -68,8 +88,11 @@ class BaseHandler:
 
         user_display = str(user)
         state_display = getattr(TicketState, state).label
+        approve_info = _('{} {} the ticket').format(user_display, state_display)
+        context = self._diff_prev_approve_context(state)
+        context.update({'approve_info': approve_info})
         data = {
-            'body': _('{} {} the ticket').format(user_display, state_display),
+            'body': render_to_string('tickets/ticket_approve_diff.html', context),
             'user': user,
             'user_display': str(user),
             'type': 'state',
diff --git a/apps/tickets/migrations/0017_auto_20220623_1027.py b/apps/tickets/migrations/0017_auto_20220623_1027.py
index 3f241d54f..746d267c8 100644
--- a/apps/tickets/migrations/0017_auto_20220623_1027.py
+++ b/apps/tickets/migrations/0017_auto_20220623_1027.py
@@ -102,7 +102,7 @@ def apply_asset_migrate(apps, *args):
             'applicant': instance.applicant_display,
             'apply_nodes': meta.get('apply_nodes_display', []),
             'apply_assets': meta.get('apply_assets_display', []),
-            'apply_system_users': meta.get('apply_system_users', []),
+            'apply_system_users': meta.get('apply_system_users_display', []),
         }
         instance.rel_snapshot = rel_snapshot
         instance.save(update_fields=['rel_snapshot'])
@@ -140,7 +140,7 @@ def apply_application_migrate(apps, *args):
         rel_snapshot = {
             'applicant': instance.applicant_display,
             'apply_applications': meta.get('apply_applications_display', []),
-            'apply_system_users': meta.get('apply_system_users', []),
+            'apply_system_users': meta.get('apply_system_users_display', []),
         }
         instance.rel_snapshot = rel_snapshot
         instance.save(update_fields=['rel_snapshot'])
diff --git a/apps/tickets/models/ticket/apply_application.py b/apps/tickets/models/ticket/apply_application.py
index de041c8da..6bd721677 100644
--- a/apps/tickets/models/ticket/apply_application.py
+++ b/apps/tickets/models/ticket/apply_application.py
@@ -8,7 +8,7 @@ __all__ = ['ApplyApplicationTicket']
 
 
 class ApplyApplicationTicket(Ticket):
-    apply_permission_name = models.CharField(max_length=128, verbose_name=_('Apply name'))
+    apply_permission_name = models.CharField(max_length=128, verbose_name=_('Permission name'))
     # 申请信息
     apply_category = models.CharField(
         max_length=16, choices=AppCategory.choices, verbose_name=_('Category')
diff --git a/apps/tickets/models/ticket/apply_asset.py b/apps/tickets/models/ticket/apply_asset.py
index 45cad4dca..c3759dc9a 100644
--- a/apps/tickets/models/ticket/apply_asset.py
+++ b/apps/tickets/models/ticket/apply_asset.py
@@ -10,7 +10,7 @@ asset_or_node_help_text = _("Select at least one asset or node")
 
 
 class ApplyAssetTicket(Ticket):
-    apply_permission_name = models.CharField(max_length=128, verbose_name=_('Apply name'))
+    apply_permission_name = models.CharField(max_length=128, verbose_name=_('Permission name'))
     apply_nodes = models.ManyToManyField('assets.Node', verbose_name=_('Apply nodes'))
     # 申请信息
     apply_assets = models.ManyToManyField('assets.Asset', verbose_name=_('Apply assets'))
@@ -26,3 +26,6 @@ class ApplyAssetTicket(Ticket):
     @property
     def apply_actions_display(self):
         return Action.value_to_choices_display(self.apply_actions)
+
+    def get_apply_actions_display(self):
+        return ', '.join(self.apply_actions_display)
diff --git a/apps/tickets/models/ticket/general.py b/apps/tickets/models/ticket/general.py
index c87b3aa7f..e58ffa04a 100644
--- a/apps/tickets/models/ticket/general.py
+++ b/apps/tickets/models/ticket/general.py
@@ -1,5 +1,6 @@
 # -*- coding: utf-8 -*-
 #
+import json
 from typing import Callable
 
 from django.db import models
@@ -7,6 +8,7 @@ from django.db.models import Q
 from django.utils.translation import ugettext_lazy as _
 from django.db.utils import IntegrityError
 from django.db.models.fields import related
+from django.forms import model_to_dict
 
 from common.exceptions import JMSException
 from common.utils.timezone import as_current_tz
@@ -97,6 +99,7 @@ class StatusMixin:
 
     state: str
     status: str
+    applicant_id: str
     applicant: models.ForeignKey
     current_step: TicketStep
     save: Callable
@@ -130,6 +133,7 @@ class StatusMixin:
         self._open()
 
     def approve(self, processor):
+        self.set_rel_snapshot()
         self._change_state(StepState.approved, processor)
 
     def reject(self, processor):
@@ -178,28 +182,34 @@ class StatusMixin:
     @property
     def process_map(self):
         process_map = []
-        steps = self.ticket_steps.all()
-        for step in steps:
+        for step in self.ticket_steps.all():
+            processor_id = ''
             assignee_ids = []
+            processor_display = ''
             assignees_display = []
-            ticket_assignees = step.ticket_assignees.all()
-            processor = None
             state = step.state
-            for i in ticket_assignees:
-                assignee_ids.append(i.assignee_id)
-                assignees_display.append(str(i.assignee))
+            for i in step.ticket_assignees.all().prefetch_related('assignee'):
+                assignee_id = i.assignee_id
+                assignee_display = str(i.assignee)
+
                 if state != StepState.pending and state == i.state:
-                    processor = i.assignee
+                    processor_id = assignee_id
+                    processor_display = assignee_display
                 if state == StepState.closed:
-                    processor = self.applicant
+                    processor_id = self.applicant_id
+                    processor_display = str(self.applicant)
+
+                assignee_ids.append(assignee_id)
+                assignees_display.append(assignee_display)
+
             step_info = {
                 'state': state,
                 'approval_level': step.level,
                 'assignees': assignee_ids,
                 'assignees_display': assignees_display,
                 'approval_date': str(step.date_updated),
-                'processor': processor.id if processor else '',
-                'processor_display': str(processor) if processor else ''
+                'processor': processor_id,
+                'processor_display': processor_display
             }
             process_map.append(step_info)
         return process_map
@@ -380,6 +390,30 @@ class Ticket(StatusMixin, CommonModelMixin):
                 raise JMSException(detail=_('Please try again'), code='please_try_again')
             raise e
 
+    def get_field_display(self, name, field, data: dict):
+        value = data.get(name)
+        if hasattr(self, f'get_{name}_display'):
+            value = getattr(self, f'get_{name}_display')()
+        elif isinstance(field, related.ForeignKey):
+            value = self.rel_snapshot[name]
+        elif isinstance(field, related.ManyToManyField):
+            value = ', '.join(self.rel_snapshot[name])
+        return value
+
+    def get_local_snapshot(self):
+        fields = self._meta._forward_fields_map
+        json_data = json.dumps(model_to_dict(self), cls=ModelJSONFieldEncoder)
+        data = json.loads(json_data)
+        snapshot = {}
+        local_fields = self._meta.local_fields + self._meta.local_many_to_many
+        excludes = ['ticket_ptr']
+        item_names = [field.name for field in local_fields if field.name not in excludes]
+        for name in item_names:
+            field = fields[name]
+            value = self.get_field_display(name, field, data)
+            snapshot[field.verbose_name] = value
+        return snapshot
+
 
 class SuperTicket(Ticket):
     class Meta:
diff --git a/apps/tickets/notifications.py b/apps/tickets/notifications.py
index 728510280..3fa0e5a82 100644
--- a/apps/tickets/notifications.py
+++ b/apps/tickets/notifications.py
@@ -4,7 +4,6 @@ import json
 from django.conf import settings
 from django.core.cache import cache
 from django.shortcuts import reverse
-from django.db.models.fields import related
 from django.template.loader import render_to_string
 from django.forms import model_to_dict
 from django.utils.translation import ugettext_lazy as _
@@ -75,13 +74,7 @@ class BaseTicketMessage(UserMessage):
         for name in item_names:
             field = fields[name]
             item = {'name': name, 'title': field.verbose_name}
-            value = data.get(name)
-            if hasattr(self.ticket, f'get_{name}_display'):
-                value = getattr(self.ticket, f'get_{name}_display')()
-            elif isinstance(field, related.ForeignKey):
-                value = self.ticket.rel_snapshot[name]
-            elif isinstance(field, related.ManyToManyField):
-                value = ', '.join(self.ticket.rel_snapshot[name])
+            value = self.ticket.get_field_display(name, field, data)
             item['value'] = value
             items.append(item)
         return items
@@ -113,7 +106,7 @@ class TicketAppliedToAssigneeMessage(BaseTicketMessage):
 
     @property
     def content_title(self):
-        return _('Your has a new ticket')
+        return _('Your has a new ticket, applicant - {}').format(self.ticket.applicant)
 
     @property
     def subject(self):
diff --git a/apps/tickets/serializers/ticket/apply_application.py b/apps/tickets/serializers/ticket/apply_application.py
index 700f7b45e..c713f21d6 100644
--- a/apps/tickets/serializers/ticket/apply_application.py
+++ b/apps/tickets/serializers/ticket/apply_application.py
@@ -1,3 +1,4 @@
+from django.utils.translation import ugettext as _
 from rest_framework import serializers
 
 from perms.models import ApplicationPermission
@@ -7,7 +8,7 @@ from tickets.models import ApplyApplicationTicket
 from .ticket import TicketApplySerializer
 from .common import BaseApplyAssetApplicationSerializer
 
-__all__ = ['ApplyApplicationSerializer', 'ApplyApplicationDisplaySerializer']
+__all__ = ['ApplyApplicationSerializer', 'ApplyApplicationDisplaySerializer', 'ApproveApplicationSerializer']
 
 
 class ApplyApplicationSerializer(BaseApplyAssetApplicationSerializer, TicketApplySerializer):
@@ -24,15 +25,23 @@ class ApplyApplicationSerializer(BaseApplyAssetApplicationSerializer, TicketAppl
         read_only_fields = list(set(fields) - set(writeable_fields))
         ticket_extra_kwargs = TicketApplySerializer.Meta.extra_kwargs
         extra_kwargs = {
-            'apply_system_users': {'required': True},
+            'apply_applications': {'required': False, 'allow_empty': True},
+            'apply_system_users': {'required': False, 'allow_empty': True},
         }
         extra_kwargs.update(ticket_extra_kwargs)
 
     def validate_apply_applications(self, applications):
+        if self.is_final_approval and not applications:
+            raise serializers.ValidationError(_('This field is required.'))
         tp = self.initial_data.get('apply_type')
         return self.filter_many_to_many_field(Application, applications, type=tp)
 
 
+class ApproveApplicationSerializer(ApplyApplicationSerializer):
+    class Meta(ApplyApplicationSerializer.Meta):
+        read_only_fields = ApplyApplicationSerializer.Meta.read_only_fields + ['title', 'type']
+
+
 class ApplyApplicationDisplaySerializer(ApplyApplicationSerializer):
     apply_applications = serializers.SerializerMethodField()
     apply_system_users = serializers.SerializerMethodField()
diff --git a/apps/tickets/serializers/ticket/apply_asset.py b/apps/tickets/serializers/ticket/apply_asset.py
index c32de52c1..b8a007e8d 100644
--- a/apps/tickets/serializers/ticket/apply_asset.py
+++ b/apps/tickets/serializers/ticket/apply_asset.py
@@ -10,13 +10,13 @@ from tickets.models import ApplyAssetTicket
 from .ticket import TicketApplySerializer
 from .common import BaseApplyAssetApplicationSerializer
 
-__all__ = ['ApplyAssetSerializer', 'ApplyAssetDisplaySerializer']
+__all__ = ['ApplyAssetSerializer', 'ApplyAssetDisplaySerializer', 'ApproveAssetSerializer']
 
 asset_or_node_help_text = _("Select at least one asset or node")
 
 
 class ApplyAssetSerializer(BaseApplyAssetApplicationSerializer, TicketApplySerializer):
-    apply_actions = ActionsField(required=True, allow_null=True)
+    apply_actions = ActionsField(required=True, allow_empty=False)
     permission_model = AssetPermission
 
     class Meta:
@@ -30,9 +30,9 @@ class ApplyAssetSerializer(BaseApplyAssetApplicationSerializer, TicketApplySeria
         read_only_fields = list(set(fields) - set(writeable_fields))
         ticket_extra_kwargs = TicketApplySerializer.Meta.extra_kwargs
         extra_kwargs = {
-            'apply_nodes': {'required': False, 'help_text': asset_or_node_help_text},
-            'apply_assets': {'required': False, 'help_text': asset_or_node_help_text},
-            'apply_system_users': {'required': True},
+            'apply_nodes': {'required': False, 'allow_empty': True},
+            'apply_assets': {'required': False, 'allow_empty': True},
+            'apply_system_users': {'required': False, 'allow_empty': True},
         }
         extra_kwargs.update(ticket_extra_kwargs)
 
@@ -44,14 +44,22 @@ class ApplyAssetSerializer(BaseApplyAssetApplicationSerializer, TicketApplySeria
 
     def validate(self, attrs):
         attrs = super().validate(attrs)
-        if not attrs.get('apply_nodes') and not attrs.get('apply_assets'):
+        if self.is_final_approval and (
+                not attrs.get('apply_nodes') and not attrs.get('apply_assets')
+        ):
             raise serializers.ValidationError({
                 'apply_nodes': asset_or_node_help_text,
                 'apply_assets': asset_or_node_help_text,
             })
+
         return attrs
 
 
+class ApproveAssetSerializer(ApplyAssetSerializer):
+    class Meta(ApplyAssetSerializer.Meta):
+        read_only_fields = ApplyAssetSerializer.Meta.read_only_fields + ['title', 'type']
+
+
 class ApplyAssetDisplaySerializer(ApplyAssetSerializer):
     apply_nodes = serializers.SerializerMethodField()
     apply_assets = serializers.SerializerMethodField()
diff --git a/apps/tickets/serializers/ticket/common.py b/apps/tickets/serializers/ticket/common.py
index 4a375465e..6957da3b0 100644
--- a/apps/tickets/serializers/ticket/common.py
+++ b/apps/tickets/serializers/ticket/common.py
@@ -38,14 +38,25 @@ class DefaultPermissionName(object):
 class BaseApplyAssetApplicationSerializer(serializers.Serializer):
     permission_model: Model
 
+    @property
+    def is_final_approval(self):
+        instance = self.instance
+        if not instance:
+            return False
+        if instance.approval_step == instance.ticket_steps.count():
+            return True
+        return False
+
     def filter_many_to_many_field(self, model, values: list, **kwargs):
-        org_id = self.initial_data.get('org_id')
+        org_id = self.instance.org_id if self.instance else self.initial_data.get('org_id')
         ids = [instance.id for instance in values]
         with tmp_to_org(org_id):
             qs = model.objects.filter(id__in=ids, **kwargs).values_list('id', flat=True)
         return list(qs)
 
     def validate_apply_system_users(self, system_users):
+        if self.is_final_approval and not system_users:
+            raise serializers.ValidationError(_('This field is required.'))
         return self.filter_many_to_many_field(SystemUser, system_users)
 
     def validate(self, attrs):
@@ -72,3 +83,10 @@ class BaseApplyAssetApplicationSerializer(serializers.Serializer):
                 instance.save()
                 return instance
         raise serializers.ValidationError(_('Permission named `{}` already exists'.format(name)))
+
+    @atomic
+    def update(self, instance, validated_data):
+        old_rel_snapshot = instance.get_local_snapshot()
+        instance = super().update(instance, validated_data)
+        instance.old_rel_snapshot = old_rel_snapshot
+        return instance
diff --git a/apps/tickets/serializers/ticket/ticket.py b/apps/tickets/serializers/ticket/ticket.py
index 2af3811ca..facf3fcec 100644
--- a/apps/tickets/serializers/ticket/ticket.py
+++ b/apps/tickets/serializers/ticket/ticket.py
@@ -80,6 +80,9 @@ class TicketApplySerializer(TicketSerializer):
         return org_id
 
     def validate(self, attrs):
+        if self.instance:
+            return attrs
+
         ticket_type = attrs.get('type')
         org_id = attrs.get('org_id')
         flow = TicketFlow.get_org_related_flows(org_id=org_id).filter(type=ticket_type).first()
diff --git a/apps/tickets/templates/tickets/ticket_approve_diff.html b/apps/tickets/templates/tickets/ticket_approve_diff.html
new file mode 100644
index 000000000..9fe6b80e0
--- /dev/null
+++ b/apps/tickets/templates/tickets/ticket_approve_diff.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html lang="en">
+<body>
+<p> {{ approve_info }}</p>
+<br>
+<div style="width:100%; overflow-x:scroll;">
+    <table style="width:1000px; text-align:left">
+        <tr>
+            {% for item in headers %}
+                <th> {{ item }} </th>
+            {% endfor %}
+        </tr>
+        {% for item in content %}
+            <tr>
+                {% for child in item %}
+                    <td>{{ child }}</td>
+                {% endfor %}
+            </tr>
+        {% endfor %}
+
+    </table>
+</div>
+</body>
+</html>

From d78981098412cfeacba94a4100b184d8695aca8f Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Tue, 12 Jul 2022 16:02:41 +0800
Subject: [PATCH 246/258] fix: condirm (#8572)

Co-authored-by: feng626 <1304903146@qq.com>
---
 apps/authentication/api/confirm.py   | 9 ++++++++-
 apps/authentication/urls/api_urls.py | 1 +
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/apps/authentication/api/confirm.py b/apps/authentication/api/confirm.py
index c085bb017..d3a32a7c8 100644
--- a/apps/authentication/api/confirm.py
+++ b/apps/authentication/api/confirm.py
@@ -7,11 +7,18 @@ from rest_framework.generics import RetrieveAPIView, CreateAPIView
 from rest_framework.response import Response
 from rest_framework import status
 
-from common.permissions import IsValidUser
+from common.permissions import IsValidUser, UserConfirmation
 from ..const import ConfirmType
 from ..serializers import ConfirmSerializer
 
 
+class ConfirmBindORUNBindOAuth(RetrieveAPIView):
+    permission_classes = (UserConfirmation.require(ConfirmType.ReLogin),)
+
+    def retrieve(self, request, *args, **kwargs):
+        return Response('ok')
+
+
 class ConfirmApi(RetrieveAPIView, CreateAPIView):
     permission_classes = (IsValidUser,)
     serializer_class = ConfirmSerializer
diff --git a/apps/authentication/urls/api_urls.py b/apps/authentication/urls/api_urls.py
index dd1faff28..cfbac879f 100644
--- a/apps/authentication/urls/api_urls.py
+++ b/apps/authentication/urls/api_urls.py
@@ -27,6 +27,7 @@ urlpatterns = [
 
     path('auth/', api.TokenCreateApi.as_view(), name='user-auth'),
     path('confirm/', api.ConfirmApi.as_view(), name='user-confirm'),
+    path('confirm-oauth/', api.ConfirmBindORUNBindOAuth.as_view(), name='confirm-oauth'),
     path('tokens/', api.TokenCreateApi.as_view(), name='auth-token'),
     path('mfa/verify/', api.MFAChallengeVerifyApi.as_view(), name='mfa-verify'),
     path('mfa/challenge/', api.MFAChallengeVerifyApi.as_view(), name='mfa-challenge'),

From cd119a2999b48655bd8c376d1e31567fe90d74af Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Tue, 12 Jul 2022 17:36:40 +0800
Subject: [PATCH 247/258] =?UTF-8?q?fix:=20=E9=A3=9E=E4=B9=A6=E7=99=BB?=
 =?UTF-8?q?=E5=BD=95=E7=99=BB=E5=BD=95=E6=97=A5=E5=BF=97=E4=B8=8D=E8=AE=B0?=
 =?UTF-8?q?=E5=BD=95=E8=AE=A4=E8=AF=81=E6=96=B9=E5=BC=8F=20(#8574)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: feng626 <1304903146@qq.com>
---
 apps/audits/signal_handlers.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/apps/audits/signal_handlers.py b/apps/audits/signal_handlers.py
index 9f20057a3..9ac565bc6 100644
--- a/apps/audits/signal_handlers.py
+++ b/apps/audits/signal_handlers.py
@@ -51,6 +51,7 @@ class AuthBackendLabelMapping(LazyObject):
         backend_label_mapping[settings.AUTH_BACKEND_SSO] = _('SSO')
         backend_label_mapping[settings.AUTH_BACKEND_AUTH_TOKEN] = _('Auth Token')
         backend_label_mapping[settings.AUTH_BACKEND_WECOM] = _('WeCom')
+        backend_label_mapping[settings.AUTH_BACKEND_FEISHU] = _('FeiShu')
         backend_label_mapping[settings.AUTH_BACKEND_DINGTALK] = _('DingTalk')
         backend_label_mapping[settings.AUTH_BACKEND_TEMP_TOKEN] = _('Temporary token')
         return backend_label_mapping

From b262643f0aa560278f9ce464e6a4f2b729125323 Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Tue, 12 Jul 2022 18:27:07 +0800
Subject: [PATCH 248/258] =?UTF-8?q?fix:=20=E8=BF=9E=E6=8E=A5=E4=BB=A4?=
 =?UTF-8?q?=E7=89=8C=E6=B7=BB=E5=8A=A0=20expire=5Ftime=20=E5=92=8C=20is=5F?=
 =?UTF-8?q?valid=20=E5=AD=97=E6=AE=B5?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/authentication/models.py                       | 8 ++++++++
 apps/authentication/serializers/connection_token.py | 6 ++++--
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/apps/authentication/models.py b/apps/authentication/models.py
index c0713ac1a..d04a3fa4e 100644
--- a/apps/authentication/models.py
+++ b/apps/authentication/models.py
@@ -114,6 +114,14 @@ class ConnectionToken(OrgModelMixin, models.JMSModel):
     def is_expired(self):
         return self.date_expired < timezone.now()
 
+    @property
+    def expire_time(self):
+        interval = self.date_expired - timezone.now()
+        seconds = interval.total_seconds()
+        if seconds < 0:
+            seconds = 0
+        return int(seconds)
+
     def expire(self):
         self.date_expired = timezone.now()
         self.save()
diff --git a/apps/authentication/serializers/connection_token.py b/apps/authentication/serializers/connection_token.py
index c2af89aff..1b639bec6 100644
--- a/apps/authentication/serializers/connection_token.py
+++ b/apps/authentication/serializers/connection_token.py
@@ -20,7 +20,8 @@ __all__ = [
 
 class ConnectionTokenSerializer(OrgResourceModelSerializerMixin):
     type_display = serializers.ReadOnlyField(source='get_type_display', label=_("Type display"))
-    validity = serializers.BooleanField(source='is_valid', read_only=True, label=_('Validity'))
+    is_valid = serializers.BooleanField(read_only=True, label=_('Validity'))
+    expire_time = serializers.IntegerField(read_only=True, label=_('Expired time'))
 
     class Meta:
         model = ConnectionToken
@@ -35,7 +36,7 @@ class ConnectionTokenSerializer(OrgResourceModelSerializerMixin):
         ]
         read_only_fields = [
             # 普通 Token 不支持指定 user
-            'user', 'validity',
+            'user', 'is_valid', 'expire_time',
             'type_display', 'user_display', 'system_user_display', 'asset_display',
             'application_display',
         ]
@@ -184,6 +185,7 @@ class ConnectionTokenSecretSerializer(OrgResourceModelSerializerMixin):
     domain = ConnectionTokenDomainSerializer(read_only=True)
     cmd_filter_rules = ConnectionTokenCmdFilterRuleSerializer(many=True)
     actions = ActionsField()
+    expired_at = serializers.IntegerField()
 
     class Meta:
         model = ConnectionToken

From 602192696cc064af4dc7eebfc6a18efaa332248f Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai" <bugatti_it@163.com>
Date: Tue, 12 Jul 2022 18:03:54 +0800
Subject: [PATCH 249/258] =?UTF-8?q?feat:=20=E6=B7=BB=E5=8A=A0=E7=BF=BB?=
 =?UTF-8?q?=E8=AF=91=E4=BF=A1=E6=81=AF?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/locale/ja/LC_MESSAGES/django.mo |   4 +-
 apps/locale/ja/LC_MESSAGES/django.po | 275 ++++++++++++++-------------
 apps/locale/zh/LC_MESSAGES/django.mo |   4 +-
 apps/locale/zh/LC_MESSAGES/django.po | 272 +++++++++++++-------------
 4 files changed, 282 insertions(+), 273 deletions(-)

diff --git a/apps/locale/ja/LC_MESSAGES/django.mo b/apps/locale/ja/LC_MESSAGES/django.mo
index 125de4e86..6d3f88208 100644
--- a/apps/locale/ja/LC_MESSAGES/django.mo
+++ b/apps/locale/ja/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:9abfbe0feec22996ffa184b7865f99d1357bad8c022bfba5b28c3f5bfbd0783f
-size 127716
+oid sha256:326eef1f3134c1500a6641c6616a9d509befd5db42ead551fe5ca01b3e0273c0
+size 128150
diff --git a/apps/locale/ja/LC_MESSAGES/django.po b/apps/locale/ja/LC_MESSAGES/django.po
index 88cb86c95..9205fb974 100644
--- a/apps/locale/ja/LC_MESSAGES/django.po
+++ b/apps/locale/ja/LC_MESSAGES/django.po
@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-07-11 17:46+0800\n"
+"POT-Creation-Date: 2022-07-12 17:58+0800\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -47,7 +47,7 @@ msgstr "優先順位"
 msgid "1-100, the lower the value will be match first"
 msgstr "1-100、低い値は最初に一致します"
 
-#: acls/models/base.py:31 authentication/models.py:20
+#: acls/models/base.py:31 authentication/models.py:21
 #: authentication/templates/authentication/_access_key_modal.html:32
 #: perms/models/base.py:88 terminal/models/sharing.py:28 tickets/const.py:39
 msgid "Active"
@@ -88,7 +88,7 @@ msgstr "ログイン確認"
 #: acls/models/login_acl.py:24 acls/models/login_asset_acl.py:20
 #: assets/models/cmd_filter.py:30 assets/models/label.py:15 audits/models.py:37
 #: audits/models.py:62 audits/models.py:87 audits/serializers.py:100
-#: authentication/models.py:53 authentication/models.py:77 orgs/models.py:214
+#: authentication/models.py:54 authentication/models.py:78 orgs/models.py:214
 #: perms/models/base.py:84 rbac/builtin.py:118 rbac/models/rolebinding.py:41
 #: terminal/backends/command/models.py:20
 #: terminal/backends/command/serializers.py:13 terminal/models/session.py:44
@@ -131,7 +131,7 @@ msgstr "システムユーザー"
 #: assets/models/backup.py:31 assets/models/cmd_filter.py:38
 #: assets/models/gathered_user.py:14 assets/serializers/label.py:30
 #: assets/serializers/system_user.py:268 audits/models.py:39
-#: authentication/models.py:65 authentication/models.py:89
+#: authentication/models.py:66 authentication/models.py:90
 #: perms/models/asset_permission.py:23 terminal/backends/command/models.py:21
 #: terminal/backends/command/serializers.py:14 terminal/models/session.py:46
 #: terminal/notifications.py:90
@@ -157,7 +157,7 @@ msgstr "コンマ区切り文字列の形式。* はすべて一致すること
 #: acls/serializers/login_asset_acl.py:51 assets/models/base.py:176
 #: assets/models/gathered_user.py:15 audits/models.py:121
 #: authentication/forms.py:25 authentication/forms.py:27
-#: authentication/models.py:244
+#: authentication/models.py:245
 #: authentication/templates/authentication/_msg_different_city.html:9
 #: authentication/templates/authentication/_msg_oauth_bind.html:9
 #: ops/models/adhoc.py:159 users/forms/profile.py:32 users/models/user.py:659
@@ -262,14 +262,14 @@ msgstr "カスタム"
 
 #: applications/models/account.py:12 applications/models/application.py:234
 #: assets/models/backup.py:32 assets/models/cmd_filter.py:45
-#: authentication/models.py:66 authentication/models.py:94
+#: authentication/models.py:67 authentication/models.py:95
 #: perms/models/application_permission.py:28
 msgid "Application"
 msgstr "アプリケーション"
 
 #: applications/models/account.py:15 assets/models/authbook.py:20
 #: assets/models/cmd_filter.py:42 assets/models/user.py:342 audits/models.py:40
-#: authentication/models.py:82 perms/models/application_permission.py:33
+#: authentication/models.py:83 perms/models/application_permission.py:33
 #: perms/models/asset_permission.py:25 terminal/backends/command/models.py:22
 #: terminal/backends/command/serializers.py:36 terminal/models/session.py:48
 #: xpack/plugins/change_auth_plan/models/app.py:36
@@ -307,7 +307,7 @@ msgstr "カテゴリ"
 #: applications/models/application.py:222
 #: applications/serializers/application.py:101 assets/models/backup.py:49
 #: assets/models/cmd_filter.py:82 assets/models/user.py:250
-#: authentication/models.py:69 perms/models/application_permission.py:24
+#: authentication/models.py:70 perms/models/application_permission.py:24
 #: perms/serializers/application/user_permission.py:34
 #: terminal/models/storage.py:58 terminal/models/storage.py:143
 #: tickets/models/comment.py:26 tickets/models/flow.py:57
@@ -373,7 +373,7 @@ msgid "Date updated"
 msgstr "更新日"
 
 #: applications/serializers/application.py:121
-#: applications/serializers/application.py:166 authentication/models.py:98
+#: applications/serializers/application.py:166 authentication/models.py:99
 msgid "Application display"
 msgstr "アプリケーション表示"
 
@@ -577,7 +577,7 @@ msgstr "ホスト名生"
 
 #: assets/models/asset.py:215 assets/serializers/account.py:16
 #: assets/serializers/asset.py:65 perms/serializers/asset/user_permission.py:41
-#: xpack/plugins/cloud/models.py:107 xpack/plugins/cloud/serializers/task.py:42
+#: xpack/plugins/cloud/models.py:107 xpack/plugins/cloud/serializers/task.py:43
 msgid "Protocols"
 msgstr "プロトコル"
 
@@ -590,7 +590,7 @@ msgstr "ノード"
 
 #: assets/models/asset.py:219 assets/models/cmd_filter.py:47
 #: assets/models/domain.py:66 assets/models/label.py:22
-#: users/serializers/user.py:145
+#: users/serializers/user.py:147
 msgid "Is active"
 msgstr "アクティブです。"
 
@@ -768,7 +768,7 @@ msgstr "失敗しました"
 msgid "Connectivity"
 msgstr "接続性"
 
-#: assets/models/base.py:40 authentication/models.py:247
+#: assets/models/base.py:40 authentication/models.py:248
 msgid "Date verified"
 msgstr "確認済みの日付"
 
@@ -778,7 +778,7 @@ msgstr "確認済みの日付"
 #: authentication/forms.py:32
 #: authentication/templates/authentication/login.html:228
 #: settings/serializers/auth/ldap.py:25 settings/serializers/auth/ldap.py:46
-#: users/forms/profile.py:22 users/serializers/user.py:92
+#: users/forms/profile.py:22 users/serializers/user.py:94
 #: users/templates/users/_msg_user_created.html:13
 #: users/templates/users/user_password_verify.html:18
 #: xpack/plugins/change_auth_plan/models/base.py:42
@@ -976,7 +976,7 @@ msgid "Parent key"
 msgstr "親キー"
 
 #: assets/models/node.py:559 assets/serializers/system_user.py:267
-#: xpack/plugins/cloud/models.py:96 xpack/plugins/cloud/serializers/task.py:69
+#: xpack/plugins/cloud/models.py:96 xpack/plugins/cloud/serializers/task.py:70
 msgid "Node"
 msgstr "ノード"
 
@@ -1035,7 +1035,7 @@ msgid "SFTP Root"
 msgstr "SFTPルート"
 
 #: assets/models/user.py:258 assets/serializers/system_user.py:37
-#: authentication/models.py:51
+#: authentication/models.py:52
 msgid "Token"
 msgstr "トークン"
 
@@ -1087,7 +1087,7 @@ msgstr ""
 "定してください暗号化パスワード"
 
 #: assets/serializers/account.py:36 assets/serializers/account.py:87
-#: assets/serializers/account_history.py:10 authentication/models.py:86
+#: assets/serializers/account_history.py:10 authentication/models.py:87
 msgid "System user display"
 msgstr "システムユーザー表示"
 
@@ -1581,7 +1581,7 @@ msgstr "として実行"
 msgid "Run as display"
 msgstr "ディスプレイとして実行する"
 
-#: audits/serializers.py:102 authentication/models.py:80
+#: audits/serializers.py:102 authentication/models.py:81
 #: rbac/serializers/rolebinding.py:21
 msgid "User display"
 msgstr "ユーザー表示"
@@ -1604,185 +1604,191 @@ msgstr "認証トークン"
 msgid "WeCom"
 msgstr "企業微信"
 
-#: audits/signal_handlers.py:54 authentication/views/dingtalk.py:179
+#: audits/signal_handlers.py:54 authentication/views/feishu.py:144
+#: authentication/views/login.py:79 notifications/backends/__init__.py:14
+#: users/models/user.py:722
+msgid "FeiShu"
+msgstr "本を飛ばす"
+
+#: audits/signal_handlers.py:55 authentication/views/dingtalk.py:179
 #: authentication/views/login.py:73 notifications/backends/__init__.py:12
 #: users/models/user.py:721
 msgid "DingTalk"
 msgstr "DingTalk"
 
-#: audits/signal_handlers.py:55 authentication/models.py:251
+#: audits/signal_handlers.py:56 authentication/models.py:252
 msgid "Temporary token"
 msgstr "仮パスワード"
 
-#: audits/signal_handlers.py:67
+#: audits/signal_handlers.py:68
 msgid "User and Group"
 msgstr "ユーザーとグループ"
 
-#: audits/signal_handlers.py:68
+#: audits/signal_handlers.py:69
 #, python-brace-format
 msgid "{User} JOINED {UserGroup}"
 msgstr "{User} に参加 {UserGroup}"
 
-#: audits/signal_handlers.py:69
+#: audits/signal_handlers.py:70
 #, python-brace-format
 msgid "{User} LEFT {UserGroup}"
 msgstr "{User} のそばを通る {UserGroup}"
 
-#: audits/signal_handlers.py:72
+#: audits/signal_handlers.py:73
 msgid "Asset and SystemUser"
 msgstr "資産およびシステム・ユーザー"
 
-#: audits/signal_handlers.py:73
+#: audits/signal_handlers.py:74
 #, python-brace-format
 msgid "{Asset} ADD {SystemUser}"
 msgstr "{Asset} 追加 {SystemUser}"
 
-#: audits/signal_handlers.py:74
+#: audits/signal_handlers.py:75
 #, python-brace-format
 msgid "{Asset} REMOVE {SystemUser}"
 msgstr "{Asset} 削除 {SystemUser}"
 
-#: audits/signal_handlers.py:77
+#: audits/signal_handlers.py:78
 msgid "Node and Asset"
 msgstr "ノードと資産"
 
-#: audits/signal_handlers.py:78
+#: audits/signal_handlers.py:79
 #, python-brace-format
 msgid "{Node} ADD {Asset}"
 msgstr "{Node} 追加 {Asset}"
 
-#: audits/signal_handlers.py:79
+#: audits/signal_handlers.py:80
 #, python-brace-format
 msgid "{Node} REMOVE {Asset}"
 msgstr "{Node} 削除 {Asset}"
 
-#: audits/signal_handlers.py:82
+#: audits/signal_handlers.py:83
 msgid "User asset permissions"
 msgstr "ユーザー資産の権限"
 
-#: audits/signal_handlers.py:83
+#: audits/signal_handlers.py:84
 #, python-brace-format
 msgid "{AssetPermission} ADD {User}"
 msgstr "{AssetPermission} 追加 {User}"
 
-#: audits/signal_handlers.py:84
+#: audits/signal_handlers.py:85
 #, python-brace-format
 msgid "{AssetPermission} REMOVE {User}"
 msgstr "{AssetPermission} 削除 {User}"
 
-#: audits/signal_handlers.py:87
+#: audits/signal_handlers.py:88
 msgid "User group asset permissions"
 msgstr "ユーザーグループの資産権限"
 
-#: audits/signal_handlers.py:88
+#: audits/signal_handlers.py:89
 #, python-brace-format
 msgid "{AssetPermission} ADD {UserGroup}"
 msgstr "{AssetPermission} 追加 {UserGroup}"
 
-#: audits/signal_handlers.py:89
+#: audits/signal_handlers.py:90
 #, python-brace-format
 msgid "{AssetPermission} REMOVE {UserGroup}"
 msgstr "{AssetPermission} 削除 {UserGroup}"
 
-#: audits/signal_handlers.py:92 perms/models/asset_permission.py:29
+#: audits/signal_handlers.py:93 perms/models/asset_permission.py:29
 msgid "Asset permission"
 msgstr "資産権限"
 
-#: audits/signal_handlers.py:93
+#: audits/signal_handlers.py:94
 #, python-brace-format
 msgid "{AssetPermission} ADD {Asset}"
 msgstr "{AssetPermission} 追加 {Asset}"
 
-#: audits/signal_handlers.py:94
+#: audits/signal_handlers.py:95
 #, python-brace-format
 msgid "{AssetPermission} REMOVE {Asset}"
 msgstr "{AssetPermission} 削除 {Asset}"
 
-#: audits/signal_handlers.py:97
+#: audits/signal_handlers.py:98
 msgid "Node permission"
 msgstr "ノード権限"
 
-#: audits/signal_handlers.py:98
+#: audits/signal_handlers.py:99
 #, python-brace-format
 msgid "{AssetPermission} ADD {Node}"
 msgstr "{AssetPermission} 追加 {Node}"
 
-#: audits/signal_handlers.py:99
+#: audits/signal_handlers.py:100
 #, python-brace-format
 msgid "{AssetPermission} REMOVE {Node}"
 msgstr "{AssetPermission} 削除 {Node}"
 
-#: audits/signal_handlers.py:102
+#: audits/signal_handlers.py:103
 msgid "Asset permission and SystemUser"
 msgstr "資産権限とSystemUser"
 
-#: audits/signal_handlers.py:103
+#: audits/signal_handlers.py:104
 #, python-brace-format
 msgid "{AssetPermission} ADD {SystemUser}"
 msgstr "{AssetPermission} 追加 {SystemUser}"
 
-#: audits/signal_handlers.py:104
+#: audits/signal_handlers.py:105
 #, python-brace-format
 msgid "{AssetPermission} REMOVE {SystemUser}"
 msgstr "{AssetPermission} 削除 {SystemUser}"
 
-#: audits/signal_handlers.py:107
+#: audits/signal_handlers.py:108
 msgid "User application permissions"
 msgstr "ユーザーアプリケーションの権限"
 
-#: audits/signal_handlers.py:108
+#: audits/signal_handlers.py:109
 #, python-brace-format
 msgid "{ApplicationPermission} ADD {User}"
 msgstr "{ApplicationPermission} 追加 {User}"
 
-#: audits/signal_handlers.py:109
+#: audits/signal_handlers.py:110
 #, python-brace-format
 msgid "{ApplicationPermission} REMOVE {User}"
 msgstr "{ApplicationPermission} 削除 {User}"
 
-#: audits/signal_handlers.py:112
+#: audits/signal_handlers.py:113
 msgid "User group application permissions"
 msgstr "ユーザーグループアプリケーションの権限"
 
-#: audits/signal_handlers.py:113
+#: audits/signal_handlers.py:114
 #, python-brace-format
 msgid "{ApplicationPermission} ADD {UserGroup}"
 msgstr "{ApplicationPermission} 追加 {UserGroup}"
 
-#: audits/signal_handlers.py:114
+#: audits/signal_handlers.py:115
 #, python-brace-format
 msgid "{ApplicationPermission} REMOVE {UserGroup}"
 msgstr "{ApplicationPermission} 削除 {UserGroup}"
 
-#: audits/signal_handlers.py:117 perms/models/application_permission.py:38
+#: audits/signal_handlers.py:118 perms/models/application_permission.py:38
 msgid "Application permission"
 msgstr "申請許可"
 
-#: audits/signal_handlers.py:118
+#: audits/signal_handlers.py:119
 #, python-brace-format
 msgid "{ApplicationPermission} ADD {Application}"
 msgstr "{ApplicationPermission} 追加 {Application}"
 
-#: audits/signal_handlers.py:119
+#: audits/signal_handlers.py:120
 #, python-brace-format
 msgid "{ApplicationPermission} REMOVE {Application}"
 msgstr "{ApplicationPermission} 削除 {Application}"
 
-#: audits/signal_handlers.py:122
+#: audits/signal_handlers.py:123
 msgid "Application permission and SystemUser"
 msgstr "アプリケーション権限とSystemUser"
 
-#: audits/signal_handlers.py:123
+#: audits/signal_handlers.py:124
 #, python-brace-format
 msgid "{ApplicationPermission} ADD {SystemUser}"
 msgstr "{ApplicationPermission} 追加 {SystemUser}"
 
-#: audits/signal_handlers.py:124
+#: audits/signal_handlers.py:125
 #, python-brace-format
 msgid "{ApplicationPermission} REMOVE {SystemUser}"
 msgstr "{ApplicationPermission} 削除 {SystemUser}"
 
-#: authentication/api/confirm.py:33
+#: authentication/api/confirm.py:40
 msgid "This action require verify your MFA"
 msgstr "この操作には、MFAを検証する必要があります"
 
@@ -2084,91 +2090,91 @@ msgstr "MFAタイプ ({}) が有効になっていない"
 msgid "Please change your password"
 msgstr "パスワードを変更してください"
 
-#: authentication/models.py:36
+#: authentication/models.py:37
 msgid "Access key"
 msgstr "アクセスキー"
 
-#: authentication/models.py:43
+#: authentication/models.py:44
 msgid "Private Token"
 msgstr "プライベートトークン"
 
-#: authentication/models.py:52
+#: authentication/models.py:53
 msgid "Expired"
 msgstr "期限切れ"
 
-#: authentication/models.py:56
+#: authentication/models.py:57
 msgid "SSO token"
 msgstr "SSO token"
 
-#: authentication/models.py:71 authentication/models.py:245
+#: authentication/models.py:72 authentication/models.py:246
 #: authentication/templates/authentication/_access_key_modal.html:31
 #: settings/serializers/auth/radius.py:17
 msgid "Secret"
 msgstr "ひみつ"
 
-#: authentication/models.py:73 authentication/models.py:248
+#: authentication/models.py:74 authentication/models.py:249
 #: perms/models/base.py:90 tickets/models/ticket/apply_application.py:26
 #: tickets/models/ticket/apply_asset.py:24 users/models/user.py:703
 msgid "Date expired"
 msgstr "期限切れの日付"
 
-#: authentication/models.py:92
+#: authentication/models.py:93
 msgid "Asset display"
 msgstr "アセット名"
 
-#: authentication/models.py:103
+#: authentication/models.py:104
 msgid "Connection token"
 msgstr "接続トークン"
 
-#: authentication/models.py:105
+#: authentication/models.py:106
 msgid "Can view connection token secret"
 msgstr "接続トークンの秘密を表示できます"
 
-#: authentication/models.py:140
+#: authentication/models.py:141
 msgid "Connection token expired at: {}"
 msgstr "接続トークンの有効期限: {}"
 
-#: authentication/models.py:145
+#: authentication/models.py:146
 msgid "User not exists"
 msgstr "ユーザーは存在しません"
 
-#: authentication/models.py:149
+#: authentication/models.py:150
 msgid "User invalid, disabled or expired"
 msgstr "ユーザーが無効、無効、または期限切れです"
 
-#: authentication/models.py:154
+#: authentication/models.py:155
 msgid "System user not exists"
 msgstr "システムユーザーが存在しません"
 
-#: authentication/models.py:160
+#: authentication/models.py:161
 msgid "Asset not exists"
 msgstr "アセットが存在しません"
 
-#: authentication/models.py:164
+#: authentication/models.py:165
 msgid "Asset inactive"
 msgstr "アセットがアクティブ化されていません"
 
-#: authentication/models.py:171
+#: authentication/models.py:172
 msgid "User has no permission to access asset or permission expired"
 msgstr ""
 "ユーザーがアセットにアクセスする権限を持っていないか、権限の有効期限が切れて"
 "います"
 
-#: authentication/models.py:179
+#: authentication/models.py:180
 msgid "Application not exists"
 msgstr "アプリが存在しません"
 
-#: authentication/models.py:186
+#: authentication/models.py:187
 msgid "User has no permission to access application or permission expired"
 msgstr ""
 "ユーザーがアプリにアクセスする権限を持っていないか、権限の有効期限が切れてい"
 "ます"
 
-#: authentication/models.py:246
+#: authentication/models.py:247
 msgid "Verified"
 msgstr "確認済み"
 
-#: authentication/models.py:267
+#: authentication/models.py:268
 msgid "Super connection token"
 msgstr "スーパー接続トークン"
 
@@ -2193,7 +2199,7 @@ msgstr "アセットまたはアプリが必要"
 #: perms/serializers/application/permission.py:20
 #: perms/serializers/application/permission.py:41
 #: perms/serializers/asset/permission.py:19
-#: perms/serializers/asset/permission.py:45 users/serializers/user.py:146
+#: perms/serializers/asset/permission.py:45 users/serializers/user.py:148
 msgid "Is valid"
 msgstr "有効です"
 
@@ -2484,11 +2490,6 @@ msgstr "FeiShuクエリユーザーが失敗しました"
 msgid "The FeiShu is already bound to another user"
 msgstr "FeiShuはすでに別のユーザーにバインドされています"
 
-#: authentication/views/feishu.py:144 authentication/views/login.py:79
-#: notifications/backends/__init__.py:14 users/models/user.py:722
-msgid "FeiShu"
-msgstr "本を飛ばす"
-
 #: authentication/views/feishu.py:145
 msgid "Binding FeiShu successfully"
 msgstr "本を飛ばすのバインドに成功"
@@ -3147,8 +3148,8 @@ msgstr "Organization {} のアプリケーション権限"
 #: perms/serializers/application/permission.py:21
 #: perms/serializers/application/permission.py:40
 #: perms/serializers/asset/permission.py:20
-#: perms/serializers/asset/permission.py:44 users/serializers/user.py:87
-#: users/serializers/user.py:148
+#: perms/serializers/asset/permission.py:44 users/serializers/user.py:89
+#: users/serializers/user.py:150
 msgid "Is expired"
 msgstr "期限切れです"
 
@@ -4653,10 +4654,6 @@ msgstr "マイクロソフト"
 msgid "Official"
 msgstr "公式"
 
-#: templates/resource_download.html:51
-msgid "Offline video player"
-msgstr "オフラインビデオプレーヤー"
-
 #: templates/resource_download.html:33
 msgid ""
 "macOS needs to download the client to connect RDP asset, which comes with "
@@ -4677,6 +4674,10 @@ msgstr ""
 "Jmservisorはwindowsリモートアプリケーションパブリケーションサーバでリモートア"
 "プリケーションを引き出すためのプログラムです"
 
+#: templates/resource_download.html:51
+msgid "Offline video player"
+msgstr "オフラインビデオプレーヤー"
+
 #: terminal/api/endpoint.py:26
 msgid "Not found protocol query params"
 msgstr "プロトコルクエリパラメータが見つかりません"
@@ -5652,7 +5653,7 @@ msgstr "強制有効"
 msgid "Local"
 msgstr "ローカル"
 
-#: users/models/user.py:673 users/serializers/user.py:147
+#: users/models/user.py:673 users/serializers/user.py:149
 msgid "Is service account"
 msgstr "サービスアカウントです"
 
@@ -5751,109 +5752,105 @@ msgstr "新しいパスワードを最後の {} 個のパスワードにする
 msgid "The newly set password is inconsistent"
 msgstr "新しく設定されたパスワードが一致しない"
 
-#: users/serializers/profile.py:149 users/serializers/user.py:144
+#: users/serializers/profile.py:149 users/serializers/user.py:146
 msgid "Is first login"
 msgstr "最初のログインです"
 
-#: users/serializers/user.py:26
+#: users/serializers/user.py:28
 msgid "System roles"
 msgstr "システムの役割"
 
-#: users/serializers/user.py:31
+#: users/serializers/user.py:33
 msgid "Org roles"
 msgstr "組織ロール"
 
-#: users/serializers/user.py:33
+#: users/serializers/user.py:35
 msgid "System roles display"
 msgstr "システムロール表示"
 
-#: users/serializers/user.py:34
+#: users/serializers/user.py:36
 msgid "Org roles display"
 msgstr "組織ロール表示"
 
-#: users/serializers/user.py:79
+#: users/serializers/user.py:81
 #: xpack/plugins/change_auth_plan/models/base.py:35
 #: xpack/plugins/change_auth_plan/serializers/base.py:27
 msgid "Password strategy"
 msgstr "パスワード戦略"
 
-#: users/serializers/user.py:81
+#: users/serializers/user.py:83
 msgid "MFA enabled"
 msgstr "MFA有効化"
 
-#: users/serializers/user.py:82
+#: users/serializers/user.py:84
 msgid "MFA force enabled"
 msgstr "MFAフォース有効化"
 
-#: users/serializers/user.py:84
+#: users/serializers/user.py:86
 msgid "MFA level display"
 msgstr "MFAレベル表示"
 
-#: users/serializers/user.py:86
+#: users/serializers/user.py:88
 msgid "Login blocked"
 msgstr "ログインブロック"
 
-#: users/serializers/user.py:89
+#: users/serializers/user.py:91
 msgid "Can public key authentication"
 msgstr "公開鍵認証が可能"
 
-#: users/serializers/user.py:149
+#: users/serializers/user.py:151
 msgid "Avatar url"
 msgstr "アバターURL"
 
-#: users/serializers/user.py:151
+#: users/serializers/user.py:153
 msgid "Groups name"
 msgstr "グループ名"
 
-#: users/serializers/user.py:152
+#: users/serializers/user.py:154
 msgid "Source name"
 msgstr "ソース名"
 
-#: users/serializers/user.py:153
+#: users/serializers/user.py:155
 msgid "Organization role name"
 msgstr "組織の役割名"
 
-#: users/serializers/user.py:154
+#: users/serializers/user.py:156
 msgid "Super role name"
 msgstr "スーパーロール名"
 
-#: users/serializers/user.py:155
+#: users/serializers/user.py:157
 msgid "Total role name"
 msgstr "合計ロール名"
 
-#: users/serializers/user.py:157
+#: users/serializers/user.py:159
 msgid "Is wecom bound"
 msgstr "企業の微信をバインドしているかどうか"
 
-#: users/serializers/user.py:158
+#: users/serializers/user.py:160
 msgid "Is dingtalk bound"
 msgstr "ピンをバインドしているかどうか"
 
-#: users/serializers/user.py:159
+#: users/serializers/user.py:161
 msgid "Is feishu bound"
 msgstr "飛本を縛ったかどうか"
 
-#: users/serializers/user.py:160
+#: users/serializers/user.py:162
 msgid "Is OTP bound"
 msgstr "仮想MFAがバインドされているか"
 
-#: users/serializers/user.py:162
+#: users/serializers/user.py:164
 msgid "System role name"
 msgstr "システムロール名"
 
-#: users/serializers/user.py:202
-msgid "User cannot self-update fields: {}"
-msgstr "ユーザーは自分のフィールドを更新できません: {}"
-
-#: users/serializers/user.py:259
+#: users/serializers/user.py:263
 msgid "Select users"
 msgstr "ユーザーの選択"
 
-#: users/serializers/user.py:260
+#: users/serializers/user.py:264
 msgid "For security, only list several users"
 msgstr "セキュリティのために、複数のユーザーのみをリストします"
 
-#: users/serializers/user.py:295
+#: users/serializers/user.py:299
 msgid "name not unique"
 msgstr "名前が一意ではない"
 
@@ -6402,11 +6399,11 @@ msgstr "クラウドアカウント"
 msgid "Test cloud account"
 msgstr "クラウドアカウントのテスト"
 
-#: xpack/plugins/cloud/models.py:85 xpack/plugins/cloud/serializers/task.py:66
+#: xpack/plugins/cloud/models.py:85 xpack/plugins/cloud/serializers/task.py:67
 msgid "Account"
 msgstr "アカウント"
 
-#: xpack/plugins/cloud/models.py:88 xpack/plugins/cloud/serializers/task.py:37
+#: xpack/plugins/cloud/models.py:88 xpack/plugins/cloud/serializers/task.py:38
 msgid "Regions"
 msgstr "リージョン"
 
@@ -6414,19 +6411,19 @@ msgstr "リージョン"
 msgid "Hostname strategy"
 msgstr "ホスト名戦略"
 
-#: xpack/plugins/cloud/models.py:100 xpack/plugins/cloud/serializers/task.py:67
+#: xpack/plugins/cloud/models.py:100 xpack/plugins/cloud/serializers/task.py:68
 msgid "Unix admin user"
 msgstr "Unix adminユーザー"
 
-#: xpack/plugins/cloud/models.py:104 xpack/plugins/cloud/serializers/task.py:68
+#: xpack/plugins/cloud/models.py:104 xpack/plugins/cloud/serializers/task.py:69
 msgid "Windows admin user"
 msgstr "Windows管理者"
 
-#: xpack/plugins/cloud/models.py:110 xpack/plugins/cloud/serializers/task.py:45
+#: xpack/plugins/cloud/models.py:110 xpack/plugins/cloud/serializers/task.py:46
 msgid "IP network segment group"
 msgstr "IPネットワークセグメントグループ"
 
-#: xpack/plugins/cloud/models.py:113 xpack/plugins/cloud/serializers/task.py:71
+#: xpack/plugins/cloud/models.py:113 xpack/plugins/cloud/serializers/task.py:72
 msgid "Always update"
 msgstr "常に更新"
 
@@ -6700,32 +6697,37 @@ msgstr "ファイルはJSON形式です。"
 
 #: xpack/plugins/cloud/serializers/task.py:29
 msgid ""
-"The IP address that is first matched to will be used as the IP of the "
-"created asset. <br>The default * indicates a random match. <br>Format for "
-"comma-delimited string, Such as: 192.168.1.0/24, 10.1.1.1-10.1.1.20"
+"Only instances matching the IP range will be synced. <br>If the instance "
+"contains multiple IP addresses, the first IP address that matches will be "
+"used as the IP for the created asset. <br>The default value of * means sync "
+"all instances and randomly match IP addresses. <br>Format for comma-"
+"delimited string, Such as: 192.168.1.0/24, 10.1.1.1-10.1.1.20"
 msgstr ""
-"最初に一致するIPアドレスは、作成された資産のIPとして使用されます。<br>デフォ"
-"ルト*はランダムマッチングを表します。<br> カンマで区切られた文字列で書式設"
-"定，たとえば:192.168.1.0/24,10.1.1.1-10.1.1.20"
+"IP範囲に一致するインスタンスのみが同期されます。<br>"
+"インスタンスに複数のIPアドレスが含まれている場合、一致する最初のIPアドレスが作成されたアセットのIPとして使用されます。 <br>"
+"デフォルト値の*は、すべてのインスタンスを同期し、IPアドレスをランダムに一致させることを意味します。 <br>"
+"形式はコンマ区切りの文字列です。例：192.168.1.0/24,10.1.1.1-10.1.1.20"
 
-#: xpack/plugins/cloud/serializers/task.py:35
+
+
+#: xpack/plugins/cloud/serializers/task.py:36
 msgid "History count"
 msgstr "実行回数"
 
-#: xpack/plugins/cloud/serializers/task.py:36
+#: xpack/plugins/cloud/serializers/task.py:37
 msgid "Instance count"
 msgstr "インスタンス数"
 
-#: xpack/plugins/cloud/serializers/task.py:65
+#: xpack/plugins/cloud/serializers/task.py:66
 msgid "Linux admin user"
 msgstr "Linux管理者"
 
-#: xpack/plugins/cloud/serializers/task.py:70
+#: xpack/plugins/cloud/serializers/task.py:71
 #: xpack/plugins/gathered_user/serializers.py:20
 msgid "Periodic display"
 msgstr "定期的な表示"
 
-#: xpack/plugins/cloud/utils.py:68
+#: xpack/plugins/cloud/utils.py:69
 msgid "Account unavailable"
 msgstr "利用できないアカウント"
 
@@ -6812,3 +6814,6 @@ msgstr "究極のエディション"
 #: xpack/plugins/license/models.py:77
 msgid "Community edition"
 msgstr "コミュニティ版"
+
+#~ msgid "User cannot self-update fields: {}"
+#~ msgstr "ユーザーは自分のフィールドを更新できません: {}"
diff --git a/apps/locale/zh/LC_MESSAGES/django.mo b/apps/locale/zh/LC_MESSAGES/django.mo
index 951c7182d..dcc55a77c 100644
--- a/apps/locale/zh/LC_MESSAGES/django.mo
+++ b/apps/locale/zh/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:393289b7bc2842cf9190af0783281a8e8acdb636b0ff4e88ef4ff931c2c11f5c
-size 105290
+oid sha256:1efe7f07b0877357a42a7f93e075c152e2bd8ee7adc20bcab17427a86cce5ed3
+size 105644
diff --git a/apps/locale/zh/LC_MESSAGES/django.po b/apps/locale/zh/LC_MESSAGES/django.po
index ab6fe167e..1cf1383be 100644
--- a/apps/locale/zh/LC_MESSAGES/django.po
+++ b/apps/locale/zh/LC_MESSAGES/django.po
@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: JumpServer 0.3.3\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-07-11 17:46+0800\n"
+"POT-Creation-Date: 2022-07-12 17:58+0800\n"
 "PO-Revision-Date: 2021-05-20 10:54+0800\n"
 "Last-Translator: ibuler <ibuler@qq.com>\n"
 "Language-Team: JumpServer team<ibuler@qq.com>\n"
@@ -46,7 +46,7 @@ msgstr "优先级"
 msgid "1-100, the lower the value will be match first"
 msgstr "优先级可选范围为 1-100 (数值越小越优先)"
 
-#: acls/models/base.py:31 authentication/models.py:20
+#: acls/models/base.py:31 authentication/models.py:21
 #: authentication/templates/authentication/_access_key_modal.html:32
 #: perms/models/base.py:88 terminal/models/sharing.py:28 tickets/const.py:39
 msgid "Active"
@@ -87,7 +87,7 @@ msgstr "登录复核"
 #: acls/models/login_acl.py:24 acls/models/login_asset_acl.py:20
 #: assets/models/cmd_filter.py:30 assets/models/label.py:15 audits/models.py:37
 #: audits/models.py:62 audits/models.py:87 audits/serializers.py:100
-#: authentication/models.py:53 authentication/models.py:77 orgs/models.py:214
+#: authentication/models.py:54 authentication/models.py:78 orgs/models.py:214
 #: perms/models/base.py:84 rbac/builtin.py:118 rbac/models/rolebinding.py:41
 #: terminal/backends/command/models.py:20
 #: terminal/backends/command/serializers.py:13 terminal/models/session.py:44
@@ -130,7 +130,7 @@ msgstr "系统用户"
 #: assets/models/backup.py:31 assets/models/cmd_filter.py:38
 #: assets/models/gathered_user.py:14 assets/serializers/label.py:30
 #: assets/serializers/system_user.py:268 audits/models.py:39
-#: authentication/models.py:65 authentication/models.py:89
+#: authentication/models.py:66 authentication/models.py:90
 #: perms/models/asset_permission.py:23 terminal/backends/command/models.py:21
 #: terminal/backends/command/serializers.py:14 terminal/models/session.py:46
 #: terminal/notifications.py:90
@@ -156,7 +156,7 @@ msgstr "格式为逗号分隔的字符串, * 表示匹配所有. "
 #: acls/serializers/login_asset_acl.py:51 assets/models/base.py:176
 #: assets/models/gathered_user.py:15 audits/models.py:121
 #: authentication/forms.py:25 authentication/forms.py:27
-#: authentication/models.py:244
+#: authentication/models.py:245
 #: authentication/templates/authentication/_msg_different_city.html:9
 #: authentication/templates/authentication/_msg_oauth_bind.html:9
 #: ops/models/adhoc.py:159 users/forms/profile.py:32 users/models/user.py:659
@@ -257,14 +257,14 @@ msgstr "自定义"
 
 #: applications/models/account.py:12 applications/models/application.py:234
 #: assets/models/backup.py:32 assets/models/cmd_filter.py:45
-#: authentication/models.py:66 authentication/models.py:94
+#: authentication/models.py:67 authentication/models.py:95
 #: perms/models/application_permission.py:28
 msgid "Application"
 msgstr "应用程序"
 
 #: applications/models/account.py:15 assets/models/authbook.py:20
 #: assets/models/cmd_filter.py:42 assets/models/user.py:342 audits/models.py:40
-#: authentication/models.py:82 perms/models/application_permission.py:33
+#: authentication/models.py:83 perms/models/application_permission.py:33
 #: perms/models/asset_permission.py:25 terminal/backends/command/models.py:22
 #: terminal/backends/command/serializers.py:36 terminal/models/session.py:48
 #: xpack/plugins/change_auth_plan/models/app.py:36
@@ -302,7 +302,7 @@ msgstr "类别"
 #: applications/models/application.py:222
 #: applications/serializers/application.py:101 assets/models/backup.py:49
 #: assets/models/cmd_filter.py:82 assets/models/user.py:250
-#: authentication/models.py:69 perms/models/application_permission.py:24
+#: authentication/models.py:70 perms/models/application_permission.py:24
 #: perms/serializers/application/user_permission.py:34
 #: terminal/models/storage.py:58 terminal/models/storage.py:143
 #: tickets/models/comment.py:26 tickets/models/flow.py:57
@@ -368,7 +368,7 @@ msgid "Date updated"
 msgstr "更新日期"
 
 #: applications/serializers/application.py:121
-#: applications/serializers/application.py:166 authentication/models.py:98
+#: applications/serializers/application.py:166 authentication/models.py:99
 msgid "Application display"
 msgstr "应用名称"
 
@@ -572,7 +572,7 @@ msgstr "主机名原始"
 
 #: assets/models/asset.py:215 assets/serializers/account.py:16
 #: assets/serializers/asset.py:65 perms/serializers/asset/user_permission.py:41
-#: xpack/plugins/cloud/models.py:107 xpack/plugins/cloud/serializers/task.py:42
+#: xpack/plugins/cloud/models.py:107 xpack/plugins/cloud/serializers/task.py:43
 msgid "Protocols"
 msgstr "协议组"
 
@@ -585,7 +585,7 @@ msgstr "节点"
 
 #: assets/models/asset.py:219 assets/models/cmd_filter.py:47
 #: assets/models/domain.py:66 assets/models/label.py:22
-#: users/serializers/user.py:145
+#: users/serializers/user.py:147
 msgid "Is active"
 msgstr "激活"
 
@@ -763,7 +763,7 @@ msgstr "失败"
 msgid "Connectivity"
 msgstr "可连接性"
 
-#: assets/models/base.py:40 authentication/models.py:247
+#: assets/models/base.py:40 authentication/models.py:248
 msgid "Date verified"
 msgstr "校验日期"
 
@@ -773,7 +773,7 @@ msgstr "校验日期"
 #: authentication/forms.py:32
 #: authentication/templates/authentication/login.html:228
 #: settings/serializers/auth/ldap.py:25 settings/serializers/auth/ldap.py:46
-#: users/forms/profile.py:22 users/serializers/user.py:92
+#: users/forms/profile.py:22 users/serializers/user.py:94
 #: users/templates/users/_msg_user_created.html:13
 #: users/templates/users/user_password_verify.html:18
 #: xpack/plugins/change_auth_plan/models/base.py:42
@@ -971,7 +971,7 @@ msgid "Parent key"
 msgstr "ssh私钥"
 
 #: assets/models/node.py:559 assets/serializers/system_user.py:267
-#: xpack/plugins/cloud/models.py:96 xpack/plugins/cloud/serializers/task.py:69
+#: xpack/plugins/cloud/models.py:96 xpack/plugins/cloud/serializers/task.py:70
 msgid "Node"
 msgstr "节点"
 
@@ -1030,7 +1030,7 @@ msgid "SFTP Root"
 msgstr "SFTP根路径"
 
 #: assets/models/user.py:258 assets/serializers/system_user.py:37
-#: authentication/models.py:51
+#: authentication/models.py:52
 msgid "Token"
 msgstr "Token"
 
@@ -1079,7 +1079,7 @@ msgstr ""
 "置加密密码"
 
 #: assets/serializers/account.py:36 assets/serializers/account.py:87
-#: assets/serializers/account_history.py:10 authentication/models.py:86
+#: assets/serializers/account_history.py:10 authentication/models.py:87
 msgid "System user display"
 msgstr "系统用户名称"
 
@@ -1569,7 +1569,7 @@ msgstr "运行用户"
 msgid "Run as display"
 msgstr "运行用户名称"
 
-#: audits/serializers.py:102 authentication/models.py:80
+#: audits/serializers.py:102 authentication/models.py:81
 #: rbac/serializers/rolebinding.py:21
 msgid "User display"
 msgstr "用户名称"
@@ -1592,185 +1592,191 @@ msgstr "认证令牌"
 msgid "WeCom"
 msgstr "企业微信"
 
-#: audits/signal_handlers.py:54 authentication/views/dingtalk.py:179
+#: audits/signal_handlers.py:54 authentication/views/feishu.py:144
+#: authentication/views/login.py:79 notifications/backends/__init__.py:14
+#: users/models/user.py:722
+msgid "FeiShu"
+msgstr "飞书"
+
+#: audits/signal_handlers.py:55 authentication/views/dingtalk.py:179
 #: authentication/views/login.py:73 notifications/backends/__init__.py:12
 #: users/models/user.py:721
 msgid "DingTalk"
 msgstr "钉钉"
 
-#: audits/signal_handlers.py:55 authentication/models.py:251
+#: audits/signal_handlers.py:56 authentication/models.py:252
 msgid "Temporary token"
 msgstr "临时密码"
 
-#: audits/signal_handlers.py:67
+#: audits/signal_handlers.py:68
 msgid "User and Group"
 msgstr "用户与用户组"
 
-#: audits/signal_handlers.py:68
+#: audits/signal_handlers.py:69
 #, python-brace-format
 msgid "{User} JOINED {UserGroup}"
 msgstr "{User} 加入 {UserGroup}"
 
-#: audits/signal_handlers.py:69
+#: audits/signal_handlers.py:70
 #, python-brace-format
 msgid "{User} LEFT {UserGroup}"
 msgstr "{User} 离开 {UserGroup}"
 
-#: audits/signal_handlers.py:72
+#: audits/signal_handlers.py:73
 msgid "Asset and SystemUser"
 msgstr "资产与系统用户"
 
-#: audits/signal_handlers.py:73
+#: audits/signal_handlers.py:74
 #, python-brace-format
 msgid "{Asset} ADD {SystemUser}"
 msgstr "{Asset} 添加 {SystemUser}"
 
-#: audits/signal_handlers.py:74
+#: audits/signal_handlers.py:75
 #, python-brace-format
 msgid "{Asset} REMOVE {SystemUser}"
 msgstr "{Asset} 移除 {SystemUser}"
 
-#: audits/signal_handlers.py:77
+#: audits/signal_handlers.py:78
 msgid "Node and Asset"
 msgstr "节点与资产"
 
-#: audits/signal_handlers.py:78
+#: audits/signal_handlers.py:79
 #, python-brace-format
 msgid "{Node} ADD {Asset}"
 msgstr "{Node} 添加 {Asset}"
 
-#: audits/signal_handlers.py:79
+#: audits/signal_handlers.py:80
 #, python-brace-format
 msgid "{Node} REMOVE {Asset}"
 msgstr "{Node} 移除 {Asset}"
 
-#: audits/signal_handlers.py:82
+#: audits/signal_handlers.py:83
 msgid "User asset permissions"
 msgstr "用户资产授权"
 
-#: audits/signal_handlers.py:83
+#: audits/signal_handlers.py:84
 #, python-brace-format
 msgid "{AssetPermission} ADD {User}"
 msgstr "{AssetPermission} 添加 {User}"
 
-#: audits/signal_handlers.py:84
+#: audits/signal_handlers.py:85
 #, python-brace-format
 msgid "{AssetPermission} REMOVE {User}"
 msgstr "{AssetPermission} 移除 {User}"
 
-#: audits/signal_handlers.py:87
+#: audits/signal_handlers.py:88
 msgid "User group asset permissions"
 msgstr "用户组资产授权"
 
-#: audits/signal_handlers.py:88
+#: audits/signal_handlers.py:89
 #, python-brace-format
 msgid "{AssetPermission} ADD {UserGroup}"
 msgstr "{AssetPermission} 添加 {UserGroup}"
 
-#: audits/signal_handlers.py:89
+#: audits/signal_handlers.py:90
 #, python-brace-format
 msgid "{AssetPermission} REMOVE {UserGroup}"
 msgstr "{AssetPermission} 移除 {UserGroup}"
 
-#: audits/signal_handlers.py:92 perms/models/asset_permission.py:29
+#: audits/signal_handlers.py:93 perms/models/asset_permission.py:29
 msgid "Asset permission"
 msgstr "资产授权"
 
-#: audits/signal_handlers.py:93
+#: audits/signal_handlers.py:94
 #, python-brace-format
 msgid "{AssetPermission} ADD {Asset}"
 msgstr "{AssetPermission} 添加 {Asset}"
 
-#: audits/signal_handlers.py:94
+#: audits/signal_handlers.py:95
 #, python-brace-format
 msgid "{AssetPermission} REMOVE {Asset}"
 msgstr "{AssetPermission} 移除 {Asset}"
 
-#: audits/signal_handlers.py:97
+#: audits/signal_handlers.py:98
 msgid "Node permission"
 msgstr "节点授权"
 
-#: audits/signal_handlers.py:98
+#: audits/signal_handlers.py:99
 #, python-brace-format
 msgid "{AssetPermission} ADD {Node}"
 msgstr "{AssetPermission} 添加 {Node}"
 
-#: audits/signal_handlers.py:99
+#: audits/signal_handlers.py:100
 #, python-brace-format
 msgid "{AssetPermission} REMOVE {Node}"
 msgstr "{AssetPermission} 移除 {Node}"
 
-#: audits/signal_handlers.py:102
+#: audits/signal_handlers.py:103
 msgid "Asset permission and SystemUser"
 msgstr "资产授权与系统用户"
 
-#: audits/signal_handlers.py:103
+#: audits/signal_handlers.py:104
 #, python-brace-format
 msgid "{AssetPermission} ADD {SystemUser}"
 msgstr "{AssetPermission} 添加 {SystemUser}"
 
-#: audits/signal_handlers.py:104
+#: audits/signal_handlers.py:105
 #, python-brace-format
 msgid "{AssetPermission} REMOVE {SystemUser}"
 msgstr "{AssetPermission} 移除 {SystemUser}"
 
-#: audits/signal_handlers.py:107
+#: audits/signal_handlers.py:108
 msgid "User application permissions"
 msgstr "用户应用授权"
 
-#: audits/signal_handlers.py:108
+#: audits/signal_handlers.py:109
 #, python-brace-format
 msgid "{ApplicationPermission} ADD {User}"
 msgstr "{ApplicationPermission} 添加 {User}"
 
-#: audits/signal_handlers.py:109
+#: audits/signal_handlers.py:110
 #, python-brace-format
 msgid "{ApplicationPermission} REMOVE {User}"
 msgstr "{ApplicationPermission} 移除 {User}"
 
-#: audits/signal_handlers.py:112
+#: audits/signal_handlers.py:113
 msgid "User group application permissions"
 msgstr "用户组应用授权"
 
-#: audits/signal_handlers.py:113
+#: audits/signal_handlers.py:114
 #, python-brace-format
 msgid "{ApplicationPermission} ADD {UserGroup}"
 msgstr "{ApplicationPermission} 添加 {UserGroup}"
 
-#: audits/signal_handlers.py:114
+#: audits/signal_handlers.py:115
 #, python-brace-format
 msgid "{ApplicationPermission} REMOVE {UserGroup}"
 msgstr "{ApplicationPermission} 移除 {UserGroup}"
 
-#: audits/signal_handlers.py:117 perms/models/application_permission.py:38
+#: audits/signal_handlers.py:118 perms/models/application_permission.py:38
 msgid "Application permission"
 msgstr "应用授权"
 
-#: audits/signal_handlers.py:118
+#: audits/signal_handlers.py:119
 #, python-brace-format
 msgid "{ApplicationPermission} ADD {Application}"
 msgstr "{ApplicationPermission} 添加 {Application}"
 
-#: audits/signal_handlers.py:119
+#: audits/signal_handlers.py:120
 #, python-brace-format
 msgid "{ApplicationPermission} REMOVE {Application}"
 msgstr "{ApplicationPermission} 移除 {Application}"
 
-#: audits/signal_handlers.py:122
+#: audits/signal_handlers.py:123
 msgid "Application permission and SystemUser"
 msgstr "应用授权与系统用户"
 
-#: audits/signal_handlers.py:123
+#: audits/signal_handlers.py:124
 #, python-brace-format
 msgid "{ApplicationPermission} ADD {SystemUser}"
 msgstr "{ApplicationPermission} 添加 {SystemUser}"
 
-#: audits/signal_handlers.py:124
+#: audits/signal_handlers.py:125
 #, python-brace-format
 msgid "{ApplicationPermission} REMOVE {SystemUser}"
 msgstr "{ApplicationPermission} 移除 {SystemUser}"
 
-#: authentication/api/confirm.py:33
+#: authentication/api/confirm.py:40
 msgid "This action require verify your MFA"
 msgstr "此操作需要验证您的 MFA"
 
@@ -2063,87 +2069,87 @@ msgstr "该 MFA ({}) 方式没有启用"
 msgid "Please change your password"
 msgstr "请修改密码"
 
-#: authentication/models.py:36
+#: authentication/models.py:37
 msgid "Access key"
 msgstr "Access key"
 
-#: authentication/models.py:43
+#: authentication/models.py:44
 msgid "Private Token"
 msgstr "SSH密钥"
 
-#: authentication/models.py:52
+#: authentication/models.py:53
 msgid "Expired"
 msgstr "过期时间"
 
-#: authentication/models.py:56
+#: authentication/models.py:57
 msgid "SSO token"
 msgstr "SSO token"
 
-#: authentication/models.py:71 authentication/models.py:245
+#: authentication/models.py:72 authentication/models.py:246
 #: authentication/templates/authentication/_access_key_modal.html:31
 #: settings/serializers/auth/radius.py:17
 msgid "Secret"
 msgstr "密钥"
 
-#: authentication/models.py:73 authentication/models.py:248
+#: authentication/models.py:74 authentication/models.py:249
 #: perms/models/base.py:90 tickets/models/ticket/apply_application.py:26
 #: tickets/models/ticket/apply_asset.py:24 users/models/user.py:703
 msgid "Date expired"
 msgstr "失效日期"
 
-#: authentication/models.py:92
+#: authentication/models.py:93
 msgid "Asset display"
 msgstr "资产名称"
 
-#: authentication/models.py:103
+#: authentication/models.py:104
 msgid "Connection token"
 msgstr "连接令牌"
 
-#: authentication/models.py:105
+#: authentication/models.py:106
 msgid "Can view connection token secret"
 msgstr "可以查看连接令牌密文"
 
-#: authentication/models.py:140
+#: authentication/models.py:141
 msgid "Connection token expired at: {}"
 msgstr "连接令牌过期: {}"
 
-#: authentication/models.py:145
+#: authentication/models.py:146
 msgid "User not exists"
 msgstr "用户不存在"
 
-#: authentication/models.py:149
+#: authentication/models.py:150
 msgid "User invalid, disabled or expired"
 msgstr "用户无效，已禁用或已过期"
 
-#: authentication/models.py:154
+#: authentication/models.py:155
 msgid "System user not exists"
 msgstr "系统用户不存在"
 
-#: authentication/models.py:160
+#: authentication/models.py:161
 msgid "Asset not exists"
 msgstr "资产不存在"
 
-#: authentication/models.py:164
+#: authentication/models.py:165
 msgid "Asset inactive"
 msgstr "资产未激活"
 
-#: authentication/models.py:171
+#: authentication/models.py:172
 msgid "User has no permission to access asset or permission expired"
 msgstr "用户没有权限访问资产或权限已过期"
 
-#: authentication/models.py:179
+#: authentication/models.py:180
 msgid "Application not exists"
 msgstr "应用不存在"
 
-#: authentication/models.py:186
+#: authentication/models.py:187
 msgid "User has no permission to access application or permission expired"
 msgstr "用户没有权限访问应用或权限已过期"
 
-#: authentication/models.py:246
+#: authentication/models.py:247
 msgid "Verified"
 msgstr "已校验"
 
-#: authentication/models.py:267
+#: authentication/models.py:268
 msgid "Super connection token"
 msgstr "超级连接令牌"
 
@@ -2168,7 +2174,7 @@ msgstr "资产或应用必填"
 #: perms/serializers/application/permission.py:20
 #: perms/serializers/application/permission.py:41
 #: perms/serializers/asset/permission.py:19
-#: perms/serializers/asset/permission.py:45 users/serializers/user.py:146
+#: perms/serializers/asset/permission.py:45 users/serializers/user.py:148
 msgid "Is valid"
 msgstr "账号是否有效"
 
@@ -2450,11 +2456,6 @@ msgstr "飞书查询用户失败"
 msgid "The FeiShu is already bound to another user"
 msgstr "该飞书已经绑定其他用户"
 
-#: authentication/views/feishu.py:144 authentication/views/login.py:79
-#: notifications/backends/__init__.py:14 users/models/user.py:722
-msgid "FeiShu"
-msgstr "飞书"
-
 #: authentication/views/feishu.py:145
 msgid "Binding FeiShu successfully"
 msgstr "绑定 飞书 成功"
@@ -3107,8 +3108,8 @@ msgstr "组织 ({}) 的应用授权"
 #: perms/serializers/application/permission.py:21
 #: perms/serializers/application/permission.py:40
 #: perms/serializers/asset/permission.py:20
-#: perms/serializers/asset/permission.py:44 users/serializers/user.py:87
-#: users/serializers/user.py:148
+#: perms/serializers/asset/permission.py:44 users/serializers/user.py:89
+#: users/serializers/user.py:150
 msgid "Is expired"
 msgstr "已过期"
 
@@ -4581,10 +4582,6 @@ msgstr "微软"
 msgid "Official"
 msgstr "官方"
 
-#: templates/resource_download.html:51
-msgid "Offline video player"
-msgstr "离线录像播放器"
-
 #: templates/resource_download.html:33
 msgid ""
 "macOS needs to download the client to connect RDP asset, which comes with "
@@ -4601,6 +4598,10 @@ msgid ""
 "Remote Application publisher"
 msgstr "Jmservisor 是在 windows 远程应用发布服务器中用来拉起远程应用的程序"
 
+#: templates/resource_download.html:51
+msgid "Offline video player"
+msgstr "离线录像播放器"
+
 #: terminal/api/endpoint.py:26
 msgid "Not found protocol query params"
 msgstr ""
@@ -5570,7 +5571,7 @@ msgstr "强制启用"
 msgid "Local"
 msgstr "数据库"
 
-#: users/models/user.py:673 users/serializers/user.py:147
+#: users/models/user.py:673 users/serializers/user.py:149
 msgid "Is service account"
 msgstr "服务账号"
 
@@ -5669,109 +5670,105 @@ msgstr "新密码不能是最近 {} 次的密码"
 msgid "The newly set password is inconsistent"
 msgstr "两次密码不一致"
 
-#: users/serializers/profile.py:149 users/serializers/user.py:144
+#: users/serializers/profile.py:149 users/serializers/user.py:146
 msgid "Is first login"
 msgstr "首次登录"
 
-#: users/serializers/user.py:26
+#: users/serializers/user.py:28
 msgid "System roles"
 msgstr "系统角色"
 
-#: users/serializers/user.py:31
+#: users/serializers/user.py:33
 msgid "Org roles"
 msgstr "组织角色"
 
-#: users/serializers/user.py:33
+#: users/serializers/user.py:35
 msgid "System roles display"
 msgstr "系统角色显示"
 
-#: users/serializers/user.py:34
+#: users/serializers/user.py:36
 msgid "Org roles display"
 msgstr "组织角色显示"
 
-#: users/serializers/user.py:79
+#: users/serializers/user.py:81
 #: xpack/plugins/change_auth_plan/models/base.py:35
 #: xpack/plugins/change_auth_plan/serializers/base.py:27
 msgid "Password strategy"
 msgstr "密码策略"
 
-#: users/serializers/user.py:81
+#: users/serializers/user.py:83
 msgid "MFA enabled"
 msgstr "MFA 已启用"
 
-#: users/serializers/user.py:82
+#: users/serializers/user.py:84
 msgid "MFA force enabled"
 msgstr "强制 MFA"
 
-#: users/serializers/user.py:84
+#: users/serializers/user.py:86
 msgid "MFA level display"
 msgstr "MFA 等级名称"
 
-#: users/serializers/user.py:86
+#: users/serializers/user.py:88
 msgid "Login blocked"
 msgstr "登录被阻塞"
 
-#: users/serializers/user.py:89
+#: users/serializers/user.py:91
 msgid "Can public key authentication"
 msgstr "能否公钥认证"
 
-#: users/serializers/user.py:149
+#: users/serializers/user.py:151
 msgid "Avatar url"
 msgstr "头像路径"
 
-#: users/serializers/user.py:151
+#: users/serializers/user.py:153
 msgid "Groups name"
 msgstr "用户组名"
 
-#: users/serializers/user.py:152
+#: users/serializers/user.py:154
 msgid "Source name"
 msgstr "用户来源名"
 
-#: users/serializers/user.py:153
+#: users/serializers/user.py:155
 msgid "Organization role name"
 msgstr "组织角色名称"
 
-#: users/serializers/user.py:154
+#: users/serializers/user.py:156
 msgid "Super role name"
 msgstr "超级角色名称"
 
-#: users/serializers/user.py:155
+#: users/serializers/user.py:157
 msgid "Total role name"
 msgstr "汇总角色名称"
 
-#: users/serializers/user.py:157
+#: users/serializers/user.py:159
 msgid "Is wecom bound"
 msgstr "是否绑定了企业微信"
 
-#: users/serializers/user.py:158
+#: users/serializers/user.py:160
 msgid "Is dingtalk bound"
 msgstr "是否绑定了钉钉"
 
-#: users/serializers/user.py:159
+#: users/serializers/user.py:161
 msgid "Is feishu bound"
 msgstr "是否绑定了飞书"
 
-#: users/serializers/user.py:160
+#: users/serializers/user.py:162
 msgid "Is OTP bound"
 msgstr "是否绑定了虚拟 MFA"
 
-#: users/serializers/user.py:162
+#: users/serializers/user.py:164
 msgid "System role name"
 msgstr "系统角色名称"
 
-#: users/serializers/user.py:202
-msgid "User cannot self-update fields: {}"
-msgstr "用户不能更新自己的字段: {}"
-
-#: users/serializers/user.py:259
+#: users/serializers/user.py:263
 msgid "Select users"
 msgstr "选择用户"
 
-#: users/serializers/user.py:260
+#: users/serializers/user.py:264
 msgid "For security, only list several users"
 msgstr "为了安全，仅列出几个用户"
 
-#: users/serializers/user.py:295
+#: users/serializers/user.py:299
 msgid "name not unique"
 msgstr "名称重复"
 
@@ -6307,11 +6304,11 @@ msgstr "云账号"
 msgid "Test cloud account"
 msgstr "测试云账号"
 
-#: xpack/plugins/cloud/models.py:85 xpack/plugins/cloud/serializers/task.py:66
+#: xpack/plugins/cloud/models.py:85 xpack/plugins/cloud/serializers/task.py:67
 msgid "Account"
 msgstr "账号"
 
-#: xpack/plugins/cloud/models.py:88 xpack/plugins/cloud/serializers/task.py:37
+#: xpack/plugins/cloud/models.py:88 xpack/plugins/cloud/serializers/task.py:38
 msgid "Regions"
 msgstr "地域"
 
@@ -6319,19 +6316,19 @@ msgstr "地域"
 msgid "Hostname strategy"
 msgstr "主机名策略"
 
-#: xpack/plugins/cloud/models.py:100 xpack/plugins/cloud/serializers/task.py:67
+#: xpack/plugins/cloud/models.py:100 xpack/plugins/cloud/serializers/task.py:68
 msgid "Unix admin user"
 msgstr "Unix 管理员"
 
-#: xpack/plugins/cloud/models.py:104 xpack/plugins/cloud/serializers/task.py:68
+#: xpack/plugins/cloud/models.py:104 xpack/plugins/cloud/serializers/task.py:69
 msgid "Windows admin user"
 msgstr "Windows 管理员"
 
-#: xpack/plugins/cloud/models.py:110 xpack/plugins/cloud/serializers/task.py:45
+#: xpack/plugins/cloud/models.py:110 xpack/plugins/cloud/serializers/task.py:46
 msgid "IP network segment group"
 msgstr "IP网段组"
 
-#: xpack/plugins/cloud/models.py:113 xpack/plugins/cloud/serializers/task.py:71
+#: xpack/plugins/cloud/models.py:113 xpack/plugins/cloud/serializers/task.py:72
 msgid "Always update"
 msgstr "总是更新"
 
@@ -6605,31 +6602,35 @@ msgstr "JSON 格式的文件"
 
 #: xpack/plugins/cloud/serializers/task.py:29
 msgid ""
-"The IP address that is first matched to will be used as the IP of the "
-"created asset. <br>The default * indicates a random match. <br>Format for "
-"comma-delimited string, Such as: 192.168.1.0/24, 10.1.1.1-10.1.1.20"
+"Only instances matching the IP range will be synced. <br>If the instance "
+"contains multiple IP addresses, the first IP address that matches will be "
+"used as the IP for the created asset. <br>The default value of * means sync "
+"all instances and randomly match IP addresses. <br>Format for comma-"
+"delimited string, Such as: 192.168.1.0/24, 10.1.1.1-10.1.1.20"
 msgstr ""
-"第一个匹配到的 IP 地址将被用作创建的资产的 IP。<br> 默认值 * 表示随机匹配。"
-"<br> 格式为以逗号分隔的字符串，例如:192.168.1.0/24,10.1.1.1-10.1.1.20"
+"只有匹配到 IP 段的实例会被同步。<br>"
+"如果实例包含多个 IP 地址，那么第一个匹配到的 IP 地址将被用作创建的资产的 IP。<br>"
+"默认值 * 表示同步所有实例和随机匹配 IP 地址。<br>"
+"格式为以逗号分隔的字符串，例如:192.168.1.0/24,10.1.1.1-10.1.1.20"
 
-#: xpack/plugins/cloud/serializers/task.py:35
+#: xpack/plugins/cloud/serializers/task.py:36
 msgid "History count"
 msgstr "执行次数"
 
-#: xpack/plugins/cloud/serializers/task.py:36
+#: xpack/plugins/cloud/serializers/task.py:37
 msgid "Instance count"
 msgstr "实例个数"
 
-#: xpack/plugins/cloud/serializers/task.py:65
+#: xpack/plugins/cloud/serializers/task.py:66
 msgid "Linux admin user"
 msgstr "Linux 管理员"
 
-#: xpack/plugins/cloud/serializers/task.py:70
+#: xpack/plugins/cloud/serializers/task.py:71
 #: xpack/plugins/gathered_user/serializers.py:20
 msgid "Periodic display"
 msgstr "定时执行"
 
-#: xpack/plugins/cloud/utils.py:68
+#: xpack/plugins/cloud/utils.py:69
 msgid "Account unavailable"
 msgstr "账号无效"
 
@@ -6716,3 +6717,6 @@ msgstr "旗舰版"
 #: xpack/plugins/license/models.py:77
 msgid "Community edition"
 msgstr "社区版"
+
+#~ msgid "User cannot self-update fields: {}"
+#~ msgstr "用户不能更新自己的字段: {}"

From 191d37dd56567b0c25f31779767eecede86e3ae4 Mon Sep 17 00:00:00 2001
From: halo <wuyihuangw@gmail.com>
Date: Wed, 13 Jul 2022 09:32:17 +0800
Subject: [PATCH 250/258] =?UTF-8?q?feat:=20=E6=94=AF=E6=8C=81session?=
 =?UTF-8?q?=E5=AD=98=E5=82=A8=E6=96=B9=E5=BC=8F=E5=8F=AF=E9=85=8D=E7=BD=AE?=
 =?UTF-8?q?=EF=BC=8C=E5=8F=AF=E9=80=89cache=E6=88=96db?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/jumpserver/conf.py          | 1 +
 apps/jumpserver/settings/base.py | 5 ++---
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/apps/jumpserver/conf.py b/apps/jumpserver/conf.py
index c3a0a0210..551076192 100644
--- a/apps/jumpserver/conf.py
+++ b/apps/jumpserver/conf.py
@@ -383,6 +383,7 @@ class Config(dict):
         'SESSION_COOKIE_SECURE': False,
         'CSRF_COOKIE_SECURE': False,
         'REFERER_CHECK_ENABLED': False,
+        'SESSION_ENGINE': 'cache',
         'SESSION_SAVE_EVERY_REQUEST': True,
         'SESSION_EXPIRE_AT_BROWSER_CLOSE_FORCE': False,
         'SERVER_REPLAY_STORAGE': {},
diff --git a/apps/jumpserver/settings/base.py b/apps/jumpserver/settings/base.py
index 9b4cfb668..519623ac9 100644
--- a/apps/jumpserver/settings/base.py
+++ b/apps/jumpserver/settings/base.py
@@ -3,6 +3,7 @@ import platform
 
 if platform.system() == 'Darwin' and platform.machine() == 'arm64':
     import pymysql
+
     pymysql.version_info = (1, 4, 2, "final", 0)
     pymysql.install_as_MySQLdb()
 
@@ -109,8 +110,6 @@ MIDDLEWARE = [
     'simple_history.middleware.HistoryRequestMiddleware',
 ]
 
-
-
 ROOT_URLCONF = 'jumpserver.urls'
 
 TEMPLATES = [
@@ -161,7 +160,7 @@ SESSION_EXPIRE_AT_BROWSER_CLOSE = True
 # 自定义的配置，SESSION_EXPIRE_AT_BROWSER_CLOSE 始终为 True, 下面这个来控制是否强制关闭后过期 cookie
 SESSION_EXPIRE_AT_BROWSER_CLOSE_FORCE = CONFIG.SESSION_EXPIRE_AT_BROWSER_CLOSE_FORCE
 SESSION_SAVE_EVERY_REQUEST = CONFIG.SESSION_SAVE_EVERY_REQUEST
-SESSION_ENGINE = "django.contrib.sessions.backends.cache"
+SESSION_ENGINE = "django.contrib.sessions.backends.{}".format(CONFIG.SESSION_ENGINE)
 
 MESSAGE_STORAGE = 'django.contrib.messages.storage.cookie.CookieStorage'
 # Database

From e724cdf53d9831bbaccecfc8aa8a91286c2b6851 Mon Sep 17 00:00:00 2001
From: feng626 <1304903146@qq.com>
Date: Wed, 13 Jul 2022 10:43:20 +0800
Subject: [PATCH 251/258] fix: OrgManager add bulk_create method

---
 apps/orgs/mixins/models.py | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/apps/orgs/mixins/models.py b/apps/orgs/mixins/models.py
index d3dc4529d..bb98f7a98 100644
--- a/apps/orgs/mixins/models.py
+++ b/apps/orgs/mixins/models.py
@@ -41,6 +41,14 @@ class OrgManager(models.Manager):
         return self
 
 
+    def bulk_create(self, objs, batch_size=None, ignore_conflicts=False):
+        org = get_current_org()
+        org_id = org.id
+        for obj in objs:
+            obj.org_id = org_id
+        return super().bulk_create(objs, batch_size, ignore_conflicts)
+
+
 class OrgModelMixin(models.Model):
     org_id = models.CharField(max_length=36, blank=True, default='',
                               verbose_name=_("Organization"), db_index=True)

From 5155b3c18494b8a08b9cda4d6d5d0c0725364c4c Mon Sep 17 00:00:00 2001
From: fit2bot <68588906+fit2bot@users.noreply.github.com>
Date: Wed, 13 Jul 2022 11:00:12 +0800
Subject: [PATCH 252/258] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8Dbluk=5Fcreate?=
 =?UTF-8?q?=20root=20=E7=BB=84=E7=BB=87=E4=B8=8B=E5=88=A4=E6=96=AD=20(#858?=
 =?UTF-8?q?1)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: feng626 <1304903146@qq.com>
---
 apps/orgs/mixins/models.py | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/apps/orgs/mixins/models.py b/apps/orgs/mixins/models.py
index bb98f7a98..3406271b6 100644
--- a/apps/orgs/mixins/models.py
+++ b/apps/orgs/mixins/models.py
@@ -43,15 +43,19 @@ class OrgManager(models.Manager):
 
     def bulk_create(self, objs, batch_size=None, ignore_conflicts=False):
         org = get_current_org()
-        org_id = org.id
         for obj in objs:
-            obj.org_id = org_id
+            if org.is_root():
+                if not self.org_id:
+                    raise ValidationError('Please save in a organization')
+            else:
+                obj.org_id = org.id
         return super().bulk_create(objs, batch_size, ignore_conflicts)
 
 
 class OrgModelMixin(models.Model):
-    org_id = models.CharField(max_length=36, blank=True, default='',
-                              verbose_name=_("Organization"), db_index=True)
+    org_id = models.CharField(
+        max_length=36, blank=True, default='', verbose_name=_("Organization"), db_index=True
+    )
     objects = OrgManager()
 
     sep = '@'

From dac0b44b9948588036c2b02962befbf1a03d73ff Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Wed, 13 Jul 2022 16:36:49 +0800
Subject: [PATCH 253/258] =?UTF-8?q?perf:=20=E4=BC=98=E5=8C=96=E9=87=8D?=
 =?UTF-8?q?=E6=9E=84?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../migrations/0093_auto_20220711_1413.py     | 45 +++++++++++++++++++
 apps/assets/models/account.py                 |  3 ++
 2 files changed, 48 insertions(+)

diff --git a/apps/assets/migrations/0093_auto_20220711_1413.py b/apps/assets/migrations/0093_auto_20220711_1413.py
index c8cb17160..2a9e1b856 100644
--- a/apps/assets/migrations/0093_auto_20220711_1413.py
+++ b/apps/assets/migrations/0093_auto_20220711_1413.py
@@ -1,5 +1,6 @@
 # Generated by Django 3.2.12 on 2022-07-11 06:13
 
+import time
 from django.db import migrations
 
 
@@ -7,6 +8,49 @@ def migrate_accounts(apps, schema_editor):
     auth_book_model = apps.get_model('assets', 'AuthBook')
     account_model = apps.get_model('assets', 'Account')
 
+    count = 0
+    bulk_size = 1000
+    while True:
+        auth_books = auth_book_model.objects \
+                    .prefetch_related('systemuser') \
+                    .all()[count:count+bulk_size]
+        if not auth_books:
+            break
+
+        accounts = []
+        start = time.time()
+        # authbook 和 account 相同的属性
+        same_attrs = [
+            'id', 'comment', 'date_created', 'date_updated',
+            'created_by', 'asset_id', 'org_id',
+        ]
+        # 认证的属性，可能是 authbook 的，可能是 systemuser 的
+        auth_attrs = ['username', 'password', 'private_key', 'public_key']
+
+        for auth_book in auth_books:
+            values = {attr: getattr(auth_book, attr) for attr in same_attrs}
+            values['protocol'] = 'ssh'
+            values['version'] = 1
+
+            system_user = auth_book.systemuser
+            if auth_book.systemuser:
+                values.update({attr: getattr(system_user, attr) for attr in auth_attrs})
+                values['protocol'] = system_user.protocol
+                values['created_by'] = str(system_user.id)
+
+            auth_book_auth = {attr: getattr(auth_book, attr) for attr in auth_attrs}
+            auth_book_auth = {attr: value for attr, value in auth_book_auth.items() if value}
+            values.update(auth_book_auth)
+
+            account = account_model(**values)
+            accounts.append(account)
+
+        account_model.objects.bulk_create(accounts, ignore_conflicts=True)
+        print("Create accounts: {}-{} using: {:.2f}s".format(
+            count, count + len(accounts), time.time()-start
+        ))
+        count += len(auth_books)
+
 
 class Migration(migrations.Migration):
 
@@ -15,4 +59,5 @@ class Migration(migrations.Migration):
     ]
 
     operations = [
+        migrations.RunPython(migrate_accounts)
     ]
diff --git a/apps/assets/models/account.py b/apps/assets/models/account.py
index 0d6e999cc..7732c50a2 100644
--- a/apps/assets/models/account.py
+++ b/apps/assets/models/account.py
@@ -25,3 +25,6 @@ class Account(BaseUser, ProtocolMixin):
             ('view_assethistoryaccount', _('Can view asset history account')),
             ('view_assethistoryaccountsecret', _('Can view asset history account secret')),
         ]
+
+    def __str__(self):
+        return '{}//{}@{}'.format(self.protocol, self.username, self.asset.hostname)

From d3c67d2f04fab687e0ae24f718e3ccc6ad8468ef Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Thu, 14 Jul 2022 10:56:09 +0800
Subject: [PATCH 254/258] =?UTF-8?q?perf:=20=E6=9A=82=E5=AD=98=E4=B8=80?=
 =?UTF-8?q?=E4=B8=8B?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/assets/api/account_history.py            | 13 ++----
 apps/assets/api/accounts.py                   | 18 +++-----
 apps/assets/api/system_user_relation.py       |  1 -
 .../migrations/0092_auto_20220711_1409.py     |  8 +++-
 .../migrations/0093_auto_20220711_1413.py     | 13 +++---
 .../0094_alter_systemuser_assets.py           | 22 +++++++++
 .../migrations/0095_auto_20220713_1746.py     | 45 +++++++++++++++++++
 apps/assets/models/account.py                 |  9 +++-
 apps/assets/models/user.py                    |  1 -
 apps/assets/serializers/system_user.py        |  2 +-
 apps/assets/tasks/asset_connectivity.py       | 11 ++---
 apps/assets/tasks/common.py                   |  3 +-
 apps/assets/tasks/system_user_connectivity.py | 10 ++---
 13 files changed, 112 insertions(+), 44 deletions(-)
 create mode 100644 apps/assets/migrations/0094_alter_systemuser_assets.py
 create mode 100644 apps/assets/migrations/0095_auto_20220713_1746.py

diff --git a/apps/assets/api/account_history.py b/apps/assets/api/account_history.py
index 3258dfd48..6ca4fd349 100644
--- a/apps/assets/api/account_history.py
+++ b/apps/assets/api/account_history.py
@@ -1,23 +1,21 @@
-from django.db.models import F
-
 from assets.api.accounts import (
     AccountFilterSet, AccountViewSet, AccountSecretsViewSet
 )
 from common.mixins import RecordViewLogMixin
 from .. import serializers
-from ..models import AuthBook
+from ..models import Account
 
 __all__ = ['AccountHistoryViewSet', 'AccountHistorySecretsViewSet']
 
 
 class AccountHistoryFilterSet(AccountFilterSet):
     class Meta:
-        model = AuthBook.history.model
+        model = Account.history.model
         fields = AccountFilterSet.Meta.fields
 
 
 class AccountHistoryViewSet(AccountViewSet):
-    model = AuthBook.history.model
+    model = Account.history.model
     filterset_class = AccountHistoryFilterSet
     serializer_classes = {
         'default': serializers.AccountHistorySerializer,
@@ -26,13 +24,8 @@ class AccountHistoryViewSet(AccountViewSet):
         'list': 'assets.view_assethistoryaccount',
         'retrieve': 'assets.view_assethistoryaccount',
     }
-
     http_method_names = ['get', 'options']
 
-    def get_queryset(self):
-        queryset = AuthBook.get_queryset(is_history_model=True)
-        return queryset
-
 
 class AccountHistorySecretsViewSet(RecordViewLogMixin, AccountHistoryViewSet):
     serializer_classes = {
diff --git a/apps/assets/api/accounts.py b/apps/assets/api/accounts.py
index 6ad59ed88..be6833e7b 100644
--- a/apps/assets/api/accounts.py
+++ b/apps/assets/api/accounts.py
@@ -12,7 +12,7 @@ from common.mixins import RecordViewLogMixin
 from common.permissions import UserConfirmation
 from authentication.const import ConfirmType
 from ..tasks.account_connectivity import test_accounts_connectivity_manual
-from ..models import AuthBook, Node
+from ..models import Node, Account
 from .. import serializers
 
 __all__ = ['AccountFilterSet', 'AccountViewSet', 'AccountSecretsViewSet', 'AccountTaskCreateAPI']
@@ -50,16 +50,16 @@ class AccountFilterSet(BaseFilterSet):
         return qs
 
     class Meta:
-        model = AuthBook
+        model = Account
         fields = [
-            'asset', 'systemuser', 'id',
+            'asset', 'id',
         ]
 
 
 class AccountViewSet(OrgBulkModelViewSet):
-    model = AuthBook
-    filterset_fields = ("username", "asset", "systemuser", 'ip', 'hostname')
-    search_fields = ('username', 'ip', 'hostname', 'systemuser__username')
+    model = Account
+    filterset_fields = ("username", "asset", 'ip', 'hostname')
+    search_fields = ('username', 'ip', 'hostname')
     filterset_class = AccountFilterSet
     serializer_classes = {
         'default': serializers.AccountSerializer,
@@ -70,10 +70,6 @@ class AccountViewSet(OrgBulkModelViewSet):
         'partial_update': 'assets.change_assetaccountsecret',
     }
 
-    def get_queryset(self):
-        queryset = AuthBook.get_queryset()
-        return queryset
-
     @action(methods=['post'], detail=True, url_path='verify')
     def verify_account(self, request, *args, **kwargs):
         account = super().get_object()
@@ -106,7 +102,7 @@ class AccountTaskCreateAPI(CreateAPIView):
         return request.user.has_perm('assets.test_assetconnectivity')
 
     def get_accounts(self):
-        queryset = AuthBook.objects.all()
+        queryset = Account.objects.all()
         queryset = self.filter_queryset(queryset)
         return queryset
 
diff --git a/apps/assets/api/system_user_relation.py b/apps/assets/api/system_user_relation.py
index 2d8018e4d..36c16a09b 100644
--- a/apps/assets/api/system_user_relation.py
+++ b/apps/assets/api/system_user_relation.py
@@ -68,7 +68,6 @@ class BaseRelationViewSet(RelationMixin, OrgBulkModelViewSet):
 
 
 class SystemUserAssetRelationViewSet(BaseRelationViewSet):
-    perm_model = models.AuthBook
     serializer_class = serializers.SystemUserAssetRelationSerializer
     model = models.SystemUser.assets.through
     filterset_fields = [
diff --git a/apps/assets/migrations/0092_auto_20220711_1409.py b/apps/assets/migrations/0092_auto_20220711_1409.py
index 5fb8704bd..d6076b6c3 100644
--- a/apps/assets/migrations/0092_auto_20220711_1409.py
+++ b/apps/assets/migrations/0092_auto_20220711_1409.py
@@ -1,4 +1,4 @@
-# Generated by Django 3.2.12 on 2022-07-11 06:08
+# Generated by Django 3.2.12 on 2022-07-11 08:59
 
 import assets.models.base
 import assets.models.user
@@ -22,6 +22,8 @@ class Migration(migrations.Migration):
             name='HistoricalAccount',
             fields=[
                 ('org_id', models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization')),
+                ('connectivity', models.CharField(choices=[('unknown', 'Unknown'), ('ok', 'Ok'), ('failed', 'Failed')], default='unknown', max_length=16, verbose_name='Connectivity')),
+                ('date_verified', models.DateTimeField(null=True, verbose_name='Date verified')),
                 ('id', models.UUIDField(db_index=True, default=uuid.uuid4)),
                 ('name', models.CharField(max_length=128, verbose_name='Name')),
                 ('username', models.CharField(blank=True, db_index=True, max_length=128, verbose_name='Username')),
@@ -33,6 +35,7 @@ class Migration(migrations.Migration):
                 ('date_updated', models.DateTimeField(blank=True, editable=False, verbose_name='Date updated')),
                 ('created_by', models.CharField(max_length=128, null=True, verbose_name='Created by')),
                 ('protocol', models.CharField(choices=[('ssh', 'SSH'), ('rdp', 'RDP'), ('telnet', 'Telnet'), ('vnc', 'VNC'), ('mysql', 'MySQL'), ('oracle', 'Oracle'), ('mariadb', 'MariaDB'), ('postgresql', 'PostgreSQL'), ('sqlserver', 'SQLServer'), ('redis', 'Redis'), ('mongodb', 'MongoDB'), ('k8s', 'K8S')], default='ssh', max_length=16, verbose_name='Protocol')),
+                ('type', models.CharField(choices=[('common', 'Common user'), ('admin', 'Admin user')], default='common', max_length=16, verbose_name='Type')),
                 ('version', models.IntegerField(default=1, verbose_name='Version')),
                 ('history_id', models.AutoField(primary_key=True, serialize=False)),
                 ('history_date', models.DateTimeField(db_index=True)),
@@ -53,6 +56,8 @@ class Migration(migrations.Migration):
             name='Account',
             fields=[
                 ('org_id', models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization')),
+                ('connectivity', models.CharField(choices=[('unknown', 'Unknown'), ('ok', 'Ok'), ('failed', 'Failed')], default='unknown', max_length=16, verbose_name='Connectivity')),
+                ('date_verified', models.DateTimeField(null=True, verbose_name='Date verified')),
                 ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
                 ('name', models.CharField(max_length=128, verbose_name='Name')),
                 ('username', models.CharField(blank=True, db_index=True, max_length=128, verbose_name='Username')),
@@ -64,6 +69,7 @@ class Migration(migrations.Migration):
                 ('date_updated', models.DateTimeField(auto_now=True, verbose_name='Date updated')),
                 ('created_by', models.CharField(max_length=128, null=True, verbose_name='Created by')),
                 ('protocol', models.CharField(choices=[('ssh', 'SSH'), ('rdp', 'RDP'), ('telnet', 'Telnet'), ('vnc', 'VNC'), ('mysql', 'MySQL'), ('oracle', 'Oracle'), ('mariadb', 'MariaDB'), ('postgresql', 'PostgreSQL'), ('sqlserver', 'SQLServer'), ('redis', 'Redis'), ('mongodb', 'MongoDB'), ('k8s', 'K8S')], default='ssh', max_length=16, verbose_name='Protocol')),
+                ('type', models.CharField(choices=[('common', 'Common user'), ('admin', 'Admin user')], default='common', max_length=16, verbose_name='Type')),
                 ('version', models.IntegerField(default=1, verbose_name='Version')),
                 ('asset', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='assets.asset', verbose_name='Asset')),
             ],
diff --git a/apps/assets/migrations/0093_auto_20220711_1413.py b/apps/assets/migrations/0093_auto_20220711_1413.py
index 2a9e1b856..ecb4b47e6 100644
--- a/apps/assets/migrations/0093_auto_20220711_1413.py
+++ b/apps/assets/migrations/0093_auto_20220711_1413.py
@@ -10,16 +10,18 @@ def migrate_accounts(apps, schema_editor):
 
     count = 0
     bulk_size = 1000
+    print("\nStart migrate accounts")
     while True:
+        start = time.time()
         auth_books = auth_book_model.objects \
-                    .prefetch_related('systemuser') \
-                    .all()[count:count+bulk_size]
+            .prefetch_related('systemuser') \
+            .all()[count:count+bulk_size]
+        count += len(auth_books)
         if not auth_books:
             break
 
         accounts = []
-        start = time.time()
-        # authbook 和 account 相同的属性
+        # auth book 和 account 相同的属性
         same_attrs = [
             'id', 'comment', 'date_created', 'date_updated',
             'created_by', 'asset_id', 'org_id',
@@ -47,9 +49,8 @@ def migrate_accounts(apps, schema_editor):
 
         account_model.objects.bulk_create(accounts, ignore_conflicts=True)
         print("Create accounts: {}-{} using: {:.2f}s".format(
-            count, count + len(accounts), time.time()-start
+            count - bulk_size, count, time.time()-start
         ))
-        count += len(auth_books)
 
 
 class Migration(migrations.Migration):
diff --git a/apps/assets/migrations/0094_alter_systemuser_assets.py b/apps/assets/migrations/0094_alter_systemuser_assets.py
new file mode 100644
index 000000000..c3f2f2cfc
--- /dev/null
+++ b/apps/assets/migrations/0094_alter_systemuser_assets.py
@@ -0,0 +1,22 @@
+# Generated by Django 3.2.12 on 2022-07-13 09:38
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0093_auto_20220711_1413'),
+    ]
+
+    operations = [
+        migrations.RemoveField(
+            model_name='systemuser',
+            name='assets',
+        ),
+        migrations.AddField(
+            model_name='systemuser',
+            name='assets',
+            field=models.ManyToManyField(blank=True, related_name='system_users', to='assets.Asset', verbose_name='Assets'),
+        ),
+    ]
diff --git a/apps/assets/migrations/0095_auto_20220713_1746.py b/apps/assets/migrations/0095_auto_20220713_1746.py
new file mode 100644
index 000000000..b803dae51
--- /dev/null
+++ b/apps/assets/migrations/0095_auto_20220713_1746.py
@@ -0,0 +1,45 @@
+# Generated by Django 3.2.12 on 2022-07-13 09:46
+
+import time
+from django.db import migrations
+
+
+def migrate_asset_system_user_relations(apps, schema_editor):
+    system_user_model = apps.get_model('assets', 'SystemUser')
+    old_model = apps.get_model('assets', 'AuthBook')
+    new_model = system_user_model.assets.through
+
+    count = 0
+    bulk_size = 1000
+    print("\nStart migrate asset system user relations")
+    while True:
+        start = time.time()
+        auth_books = old_model.objects.only('asset_id', 'systemuser_id')[count:count+bulk_size]
+        auth_books = list(auth_books)
+        count += len(auth_books)
+        if not auth_books:
+            break
+        asset_system_users = []
+        for auth_book in auth_books:
+            if not auth_book.asset_id or not auth_book.systemuser_id:
+                continue
+            asset_system_user = new_model(
+                asset_id=auth_book.asset_id,
+                systemuser_id=auth_book.systemuser_id
+            )
+            asset_system_users.append(asset_system_user)
+        new_model.objects.bulk_create(asset_system_users, ignore_conflicts=True)
+        print("Create asset system user relations: {}-{} using: {:.2f}s".format(
+            count - bulk_size, count, time.time()-start
+        ))
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0094_alter_systemuser_assets'),
+    ]
+
+    operations = [
+        migrations.RunPython(migrate_asset_system_user_relations)
+    ]
diff --git a/apps/assets/models/account.py b/apps/assets/models/account.py
index 7732c50a2..d060ec40d 100644
--- a/apps/assets/models/account.py
+++ b/apps/assets/models/account.py
@@ -3,15 +3,20 @@ from django.utils.translation import gettext_lazy as _
 from simple_history.models import HistoricalRecords
 
 from .user import ProtocolMixin
-from .base import BaseUser
+from .base import BaseUser, AbsConnectivity
 
 
 __all__ = ['Account']
 
 
-class Account(BaseUser, ProtocolMixin):
+class Account(BaseUser, AbsConnectivity, ProtocolMixin):
+    class Type(models.TextChoices):
+        common = 'common', _('Common user')
+        admin = 'admin', _('Admin user')
+
     protocol = models.CharField(max_length=16, choices=ProtocolMixin.Protocol.choices,
                                 default='ssh', verbose_name=_('Protocol'))
+    type = models.CharField(max_length=16, choices=Type.choices, default=Type.common, verbose_name=_("Type"))
     asset = models.ForeignKey('assets.Asset', on_delete=models.CASCADE, verbose_name=_('Asset'))
     version = models.IntegerField(default=1, verbose_name=_('Version'))
     history = HistoricalRecords()
diff --git a/apps/assets/models/user.py b/apps/assets/models/user.py
index 0eb27e912..29f7b5972 100644
--- a/apps/assets/models/user.py
+++ b/apps/assets/models/user.py
@@ -242,7 +242,6 @@ class SystemUser(ProtocolMixin, AuthMixin, BaseUser):
     nodes = models.ManyToManyField('assets.Node', blank=True, verbose_name=_("Nodes"))
     assets = models.ManyToManyField(
         'assets.Asset', blank=True, verbose_name=_("Assets"),
-        through='assets.AuthBook', through_fields=['systemuser', 'asset'],
         related_name='system_users'
     )
     users = models.ManyToManyField('users.User', blank=True, verbose_name=_("Users"))
diff --git a/apps/assets/serializers/system_user.py b/apps/assets/serializers/system_user.py
index 54aff3e82..aa17b0585 100644
--- a/apps/assets/serializers/system_user.py
+++ b/apps/assets/serializers/system_user.py
@@ -298,7 +298,7 @@ class SystemUserAssetRelationSerializer(RelationMixin, serializers.ModelSerializ
     asset_display = serializers.ReadOnlyField(label=_('Asset hostname'))
 
     class Meta:
-        model = SystemUser.assets.through
+        model = SystemUser
         fields = [
             "id", "asset", "asset_display", 'systemuser', 'systemuser_display',
             "connectivity", 'date_verified', 'org_id'
diff --git a/apps/assets/tasks/asset_connectivity.py b/apps/assets/tasks/asset_connectivity.py
index 0038c38d3..491792095 100644
--- a/apps/assets/tasks/asset_connectivity.py
+++ b/apps/assets/tasks/asset_connectivity.py
@@ -6,7 +6,7 @@ from django.utils.translation import gettext_noop
 
 from common.utils import get_logger
 from orgs.utils import org_aware_func
-from ..models import Asset, Connectivity, AuthBook
+from ..models import Asset, Connectivity, Account
 from . import const
 from .utils import clean_ansible_task_hosts, group_asset_by_platform
 
@@ -18,6 +18,7 @@ __all__ = [
 ]
 
 
+# Todo: 这里可能有问题了
 def set_assets_accounts_connectivity(assets, results_summary):
     asset_ids_ok = set()
     asset_ids_failed = set()
@@ -33,11 +34,11 @@ def set_assets_accounts_connectivity(assets, results_summary):
     Asset.bulk_set_connectivity(asset_ids_ok, Connectivity.ok)
     Asset.bulk_set_connectivity(asset_ids_failed, Connectivity.failed)
 
-    accounts_ok = AuthBook.objects.filter(asset_id__in=asset_ids_ok, systemuser__type='admin')
-    accounts_failed = AuthBook.objects.filter(asset_id__in=asset_ids_failed, systemuser__type='admin')
+    accounts_ok = Account.objects.filter(asset_id__in=asset_ids_ok,)
+    accounts_failed = Account.objects.filter(asset_id__in=asset_ids_faile)
 
-    AuthBook.bulk_set_connectivity(accounts_ok, Connectivity.ok)
-    AuthBook.bulk_set_connectivity(accounts_failed, Connectivity.failed)
+    Account.bulk_set_connectivity(accounts_ok, Connectivity.ok)
+    Account.bulk_set_connectivity(accounts_failed, Connectivity.failed)
 
 
 @shared_task(queue="ansible")
diff --git a/apps/assets/tasks/common.py b/apps/assets/tasks/common.py
index b6c2326e9..a1bd79e11 100644
--- a/apps/assets/tasks/common.py
+++ b/apps/assets/tasks/common.py
@@ -17,6 +17,7 @@ def add_nodes_assets_to_system_users(nodes_keys, system_users):
 
     nodes = Node.objects.filter(key__in=nodes_keys)
     assets = Node.get_nodes_all_assets(*nodes)
+
     for system_user in system_users:
         """ 解决资产和节点进行关联时，已经关联过的节点不会触发 authbook post_save 信号， 
         无法更新节点下所有资产的管理用户的问题 """
@@ -28,7 +29,7 @@ def add_nodes_assets_to_system_users(nodes_keys, system_users):
             )
             if created:
                 need_push_asset_ids.append(asset.id)
-            # # 不再自动更新资产管理用户，只允许用户手动指定。
+            # 不再自动更新资产管理用户，只允许用户手动指定。
             # 只要关联都需要更新资产的管理用户
             # instance.update_asset_admin_user_if_need()
 
diff --git a/apps/assets/tasks/system_user_connectivity.py b/apps/assets/tasks/system_user_connectivity.py
index 893081163..2213bfa26 100644
--- a/apps/assets/tasks/system_user_connectivity.py
+++ b/apps/assets/tasks/system_user_connectivity.py
@@ -8,7 +8,7 @@ from django.utils.translation import ugettext as _, gettext_noop
 from assets.models import Asset
 from common.utils import get_logger
 from orgs.utils import tmp_to_org, org_aware_func
-from ..models import SystemUser, Connectivity, AuthBook
+from ..models import SystemUser, Connectivity, Account
 from . import const
 from .utils import (
     clean_ansible_task_hosts, group_asset_by_platform
@@ -34,11 +34,11 @@ def set_assets_accounts_connectivity(system_user, assets, results_summary):
         else:
             asset_ids_failed.add(asset.id)
 
-    accounts_ok = AuthBook.objects.filter(asset_id__in=asset_ids_ok, systemuser=system_user)
-    accounts_failed = AuthBook.objects.filter(asset_id__in=asset_ids_failed, systemuser=system_user)
+    accounts_ok = Account.objects.filter(asset_id__in=asset_ids_ok, systemuser=system_user)
+    accounts_failed = Account.objects.filter(asset_id__in=asset_ids_failed, systemuser=system_user)
 
-    AuthBook.bulk_set_connectivity(accounts_ok, Connectivity.ok)
-    AuthBook.bulk_set_connectivity(accounts_failed, Connectivity.failed)
+    Account.bulk_set_connectivity(accounts_ok, Connectivity.ok)
+    Account.bulk_set_connectivity(accounts_failed, Connectivity.failed)
 
 
 @org_aware_func("system_user")

From 29c9c6d68029e695df3fb43fd25e4aacf62d8c09 Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Fri, 15 Jul 2022 18:03:32 +0800
Subject: [PATCH 255/258] =?UTF-8?q?perf:=20=E4=BC=98=E5=8C=96=20accounts?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../migrations/0093_auto_20220711_1413.py     |   1 +
 .../migrations/0096_auto_20220714_1627.py     |  23 +++
 apps/assets/models/account.py                 |   2 +-
 apps/assets/models/asset.py                   |  10 --
 apps/assets/models/user.py                    | 168 ++----------------
 apps/assets/serializers/account.py            |  35 ++--
 apps/assets/serializers/account_history.py    |  19 +-
 apps/assets/serializers/asset.py              |  23 ++-
 apps/assets/serializers/system_user.py        |   8 +-
 apps/assets/signal_handlers/asset.py          |  34 ++--
 apps/assets/signal_handlers/authbook.py       |  44 +----
 apps/assets/signal_handlers/system_user.py    |  33 +---
 apps/assets/task_handlers/backup/handlers.py  |   6 +-
 apps/assets/tasks/common.py                   |   1 +
 apps/assets/tasks/utils.py                    |   2 +-
 apps/audits/const.py                          |   2 +-
 apps/jumpserver/settings/custom.py            |   1 -
 apps/locale/zh/LC_MESSAGES/django.po          |  12 +-
 .../serializers/system_user_permission.py     |   2 +-
 utils/create_assets_user/bulk_create_user.py  |   2 +-
 20 files changed, 118 insertions(+), 310 deletions(-)
 create mode 100644 apps/assets/migrations/0096_auto_20220714_1627.py

diff --git a/apps/assets/migrations/0093_auto_20220711_1413.py b/apps/assets/migrations/0093_auto_20220711_1413.py
index ecb4b47e6..ba7d7e0c0 100644
--- a/apps/assets/migrations/0093_auto_20220711_1413.py
+++ b/apps/assets/migrations/0093_auto_20220711_1413.py
@@ -39,6 +39,7 @@ def migrate_accounts(apps, schema_editor):
                 values.update({attr: getattr(system_user, attr) for attr in auth_attrs})
                 values['protocol'] = system_user.protocol
                 values['created_by'] = str(system_user.id)
+                values['type'] = system_user.type
 
             auth_book_auth = {attr: getattr(auth_book, attr) for attr in auth_attrs}
             auth_book_auth = {attr: value for attr, value in auth_book_auth.items() if value}
diff --git a/apps/assets/migrations/0096_auto_20220714_1627.py b/apps/assets/migrations/0096_auto_20220714_1627.py
new file mode 100644
index 000000000..4637128ff
--- /dev/null
+++ b/apps/assets/migrations/0096_auto_20220714_1627.py
@@ -0,0 +1,23 @@
+# Generated by Django 3.2.12 on 2022-07-14 08:27
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0095_auto_20220713_1746'),
+    ]
+
+    operations = [
+        migrations.RenameField(
+            model_name='systemuser',
+            old_name='auto_push',
+            new_name='auto_push_account',
+        ),
+        migrations.AddField(
+            model_name='systemuser',
+            name='auto_create_account',
+            field=models.BooleanField(default=False, verbose_name='Auto account if not exist'),
+        ),
+    ]
diff --git a/apps/assets/models/account.py b/apps/assets/models/account.py
index d060ec40d..9d503c99b 100644
--- a/apps/assets/models/account.py
+++ b/apps/assets/models/account.py
@@ -32,4 +32,4 @@ class Account(BaseUser, AbsConnectivity, ProtocolMixin):
         ]
 
     def __str__(self):
-        return '{}//{}@{}'.format(self.protocol, self.username, self.asset.hostname)
+        return '{}://{}@{}'.format(self.protocol, self.username, self.asset.hostname)
diff --git a/apps/assets/models/asset.py b/apps/assets/models/asset.py
index 7dde0862f..157895dae 100644
--- a/apps/assets/models/asset.py
+++ b/apps/assets/models/asset.py
@@ -238,16 +238,6 @@ class Asset(AbsConnectivity, AbsHardwareInfo, ProtocolsMixin, NodesRelationMixin
     def get_target_ip(self):
         return self.ip
 
-    def set_admin_user_relation(self):
-        from .authbook import AuthBook
-        if not self.admin_user:
-            return
-        if self.admin_user.type != 'admin':
-            raise ValidationError('System user should be type admin')
-
-        defaults = {'asset': self, 'systemuser': self.admin_user, 'org_id': self.org_id}
-        AuthBook.objects.get_or_create(defaults=defaults, asset=self, systemuser=self.admin_user)
-
     @property
     def admin_user_display(self):
         if not self.admin_user:
diff --git a/apps/assets/models/user.py b/apps/assets/models/user.py
index 29f7b5972..bfa4dd3af 100644
--- a/apps/assets/models/user.py
+++ b/apps/assets/models/user.py
@@ -7,12 +7,10 @@ import logging
 from django.db import models
 from django.utils.translation import ugettext_lazy as _
 from django.core.validators import MinValueValidator, MaxValueValidator
-from django.core.cache import cache
 
-from common.utils import signer, get_object_or_none
+from common.utils import signer
 from .base import BaseUser
 from .asset import Asset
-from .authbook import AuthBook
 
 
 __all__ = ['AdminUser', 'SystemUser', 'ProtocolMixin']
@@ -82,155 +80,11 @@ class ProtocolMixin:
         return self.protocol in self.ASSET_CATEGORY_PROTOCOLS
 
 
-class AuthMixin:
-    username_same_with_user: bool
-    protocol: str
-    ASSET_CATEGORY_PROTOCOLS: list
-    login_mode: str
-    LOGIN_MANUAL: str
-    id: str
-    username: str
-    password: str
-    private_key: str
-    public_key: str
-
-    def set_temp_auth(self, asset_or_app_id, user_id, auth, ttl=300):
-        if not auth:
-            raise ValueError('Auth not set')
-        key = 'TEMP_PASSWORD_{}_{}_{}'.format(self.id, asset_or_app_id, user_id)
-        logger.debug(f'Set system user temp auth: {key}')
-        cache.set(key, auth, ttl)
-
-    def get_temp_auth(self, asset_or_app_id, user_id):
-        key = 'TEMP_PASSWORD_{}_{}_{}'.format(self.id, asset_or_app_id, user_id)
-        logger.debug(f'Get system user temp auth: {key}')
-        password = cache.get(key)
-        return password
-
-    def _clean_auth_info_if_manual_login_mode(self):
-        if self.login_mode == self.LOGIN_MANUAL:
-            self.password = ''
-            self.private_key = ''
-            self.public_key = ''
-
-    def _load_tmp_auth_if_has(self, asset_or_app_id, user_id):
-        if self.login_mode != self.LOGIN_MANUAL:
-            return
-
-        if not asset_or_app_id or not user_id:
-            return
-
-        auth = self.get_temp_auth(asset_or_app_id, user_id)
-        if not auth:
-            return
-
-        username = auth.get('username')
-        password = auth.get('password')
-
-        if username:
-            self.username = username
-        if password:
-            self.password = password
-
-    def load_app_more_auth(self, app_id=None, username=None, user_id=None):
-        # 清除认证信息
-        self._clean_auth_info_if_manual_login_mode()
-
-        # 先加载临时认证信息
-        if self.login_mode == self.LOGIN_MANUAL:
-            self._load_tmp_auth_if_has(app_id, user_id)
-            return
-
-        # Remote app
-        from applications.models import Application
-        app = get_object_or_none(Application, pk=app_id)
-        if app and app.category_remote_app:
-            # Remote app
-            self._load_remoteapp_more_auth(app, username, user_id)
-            return
-
-        # Other app
-        # 更新用户名
-        from users.models import User
-        user = get_object_or_none(User, pk=user_id) if user_id else None
-        if self.username_same_with_user:
-            if user and not username:
-                _username = user.username
-            else:
-                _username = username
-            self.username = _username
-
-    def _load_remoteapp_more_auth(self, app, username, user_id):
-        asset = app.get_remote_app_asset(raise_exception=False)
-        if asset:
-            self.load_asset_more_auth(asset_id=asset.id, username=username, user_id=user_id)
-
-    def load_asset_special_auth(self, asset, username=''):
-        """
-        AuthBook 的数据状态
-            | asset | systemuser | username |
-        1   |   *   |     *      |     x    |
-        2   |   *   |     x      |     *    |
-
-        当前 AuthBook 只有以上两种状态，systemuser 与 username 不会并存。
-        正常的资产与系统用户关联产生的是第1种状态，改密则产生第2种状态。改密之后
-        只有 username 而没有 systemuser 。
-
-        Freq: 关联同一资产的多个系统用户指定同一用户名时，修改用户密码会影响所有系统用户
-
-        这里有一个不对称的行为，同名系统用户密码覆盖
-        当有相同 username 的多个系统用户时，有改密动作之后，所有的同名系统用户都使用最后
-        一次改动，但如果没有发生过改密，同名系统用户使用的密码还是各自的。
-
-        """
-        if username == '':
-            username = self.username
-
-        authbook = AuthBook.objects.filter(
-            asset=asset, username=username, systemuser__isnull=True
-        ).order_by('-date_created').first()
-
-        if not authbook:
-            authbook = AuthBook.objects.filter(
-                asset=asset, systemuser=self
-            ).order_by('-date_created').first()
-
-        if not authbook:
-            return None
-
-        authbook.load_auth()
-        self.password = authbook.password
-        self.private_key = authbook.private_key
-        self.public_key = authbook.public_key
-
-    def load_asset_more_auth(self, asset_id=None, username=None, user_id=None):
-        from users.models import User
-        self._clean_auth_info_if_manual_login_mode()
-        # 加载临时认证信息
-        if self.login_mode == self.LOGIN_MANUAL:
-            self._load_tmp_auth_if_has(asset_id, user_id)
-            return
-        # 更新用户名
-        user = get_object_or_none(User, pk=user_id) if user_id else None
-        if self.username_same_with_user:
-            if user and not username:
-                _username = user.username
-            else:
-                _username = username
-            self.username = _username
-        # 加载某个资产的特殊配置认证信息
-        asset = get_object_or_none(Asset, pk=asset_id) if asset_id else None
-        if not asset:
-            logger.debug('Asset not found, pass')
-            return
-        self.load_asset_special_auth(asset, self.username)
-
-
-class SystemUser(ProtocolMixin, AuthMixin, BaseUser):
+class SystemUser(ProtocolMixin, BaseUser):
     LOGIN_AUTO = 'auto'
     LOGIN_MANUAL = 'manual'
     LOGIN_MODE_CHOICES = (
-        (LOGIN_AUTO, _('Automatic managed')),
+        (LOGIN_AUTO, _('使用账号')),
         (LOGIN_MANUAL, _('Manually input'))
     )
 
@@ -246,13 +100,19 @@ class SystemUser(ProtocolMixin, AuthMixin, BaseUser):
     )
     users = models.ManyToManyField('users.User', blank=True, verbose_name=_("Users"))
     groups = models.ManyToManyField('users.UserGroup', blank=True, verbose_name=_("User groups"))
-    type = models.CharField(max_length=16, choices=Type.choices, default=Type.common, verbose_name=_('Type'))
-    priority = models.IntegerField(default=81, verbose_name=_("Priority"), help_text=_("1-100, the lower the value will be match first"), validators=[MinValueValidator(1), MaxValueValidator(100)])
+    priority = models.IntegerField(
+        default=81, verbose_name=_("Priority"),
+        help_text=_("1-100, the lower the value will be match first"),
+        validators=[MinValueValidator(1), MaxValueValidator(100)]
+    )
     protocol = models.CharField(max_length=16, choices=ProtocolMixin.Protocol.choices, default='ssh', verbose_name=_('Protocol'))
-    auto_push = models.BooleanField(default=True, verbose_name=_('Auto push'))
+
+    login_mode = models.CharField(choices=LOGIN_MODE_CHOICES, default=LOGIN_AUTO, max_length=10, verbose_name=_('Login mode'))
+    auto_create_account = models.BooleanField(default=False, verbose_name=_("自动创建账号"))
+    auto_push_account = models.BooleanField(default=True, verbose_name=_('推送账号到资产'))
+    type = models.CharField(max_length=16, choices=Type.choices, default=Type.common, verbose_name=_('Type'))
     sudo = models.TextField(default='/bin/whoami', verbose_name=_('Sudo'))
     shell = models.CharField(max_length=64,  default='/bin/bash', verbose_name=_('Shell'))
-    login_mode = models.CharField(choices=LOGIN_MODE_CHOICES, default=LOGIN_AUTO, max_length=10, verbose_name=_('Login mode'))
     sftp_root = models.CharField(default='tmp', max_length=128, verbose_name=_("SFTP Root"))
     token = models.TextField(default='', verbose_name=_('Token'))
     home = models.CharField(max_length=4096, default='', verbose_name=_('Home'), blank=True)
@@ -277,7 +137,7 @@ class SystemUser(ProtocolMixin, AuthMixin, BaseUser):
         return self.get_login_mode_display()
 
     def is_need_push(self):
-        if self.auto_push and self.is_protocol_support_push:
+        if self.auto_push_account and self.is_protocol_support_push:
             return True
         else:
             return False
diff --git a/apps/assets/serializers/account.py b/apps/assets/serializers/account.py
index e4e320f33..33632d0c9 100644
--- a/apps/assets/serializers/account.py
+++ b/apps/assets/serializers/account.py
@@ -1,7 +1,8 @@
 from rest_framework import serializers
 from django.utils.translation import ugettext_lazy as _
+from django.db.models import F
 
-from assets.models import AuthBook
+from assets.models import Account
 from orgs.mixins.serializers import BulkOrgResourceModelSerializer
 
 from .base import AuthSerializerMixin
@@ -13,7 +14,6 @@ class AccountSerializer(AuthSerializerMixin, BulkOrgResourceModelSerializer):
     ip = serializers.ReadOnlyField(label=_("IP"))
     hostname = serializers.ReadOnlyField(label=_("Hostname"))
     platform = serializers.ReadOnlyField(label=_("Platform"))
-    protocols = serializers.SerializerMethodField(label=_("Protocols"))
     date_created = serializers.DateTimeField(
         label=_('Date created'), format="%Y/%m/%d %H:%M:%S", read_only=True
     )
@@ -22,18 +22,20 @@ class AccountSerializer(AuthSerializerMixin, BulkOrgResourceModelSerializer):
     )
 
     class Meta:
-        model = AuthBook
-        fields_mini = ['id', 'username', 'ip', 'hostname', 'platform', 'protocols', 'version']
-        fields_write_only = ['password', 'private_key', "public_key", 'passphrase']
+        model = Account
+        fields_mini = [
+            'id', 'type', 'username', 'ip', 'hostname',
+            'platform', 'protocol', 'version'
+        ]
+        fields_write_only = ['password', 'private_key', 'public_key', 'passphrase']
         fields_other = ['date_created', 'date_updated', 'connectivity', 'date_verified', 'comment']
         fields_small = fields_mini + fields_write_only + fields_other
-        fields_fk = ['asset', 'systemuser', 'systemuser_display']
+        fields_fk = ['asset']
         fields = fields_small + fields_fk
         extra_kwargs = {
             'username': {'required': True},
             'private_key': {'write_only': True},
             'public_key': {'write_only': True},
-            'systemuser_display': {'label': _('System user display')}
         }
         ref_name = 'AssetAccountSerializer'
 
@@ -52,27 +54,14 @@ class AccountSerializer(AuthSerializerMixin, BulkOrgResourceModelSerializer):
         attrs = self._validate_gen_key(attrs)
         return attrs
 
-    def get_protocols(self, v):
-        """ protocols 是 queryset 中返回的，Post 创建成功后返回序列化时没有这个字段 """
-        if hasattr(v, 'protocols'):
-            protocols = v.protocols
-        elif hasattr(v, 'asset') and v.asset:
-            protocols = v.asset.protocols
-        else:
-            protocols = ''
-        protocols = protocols.replace(' ', ', ')
-        return protocols
-
     @classmethod
     def setup_eager_loading(cls, queryset):
         """ Perform necessary eager loading of data. """
-        queryset = queryset.prefetch_related('systemuser', 'asset')
+        queryset = queryset.prefetch_related('asset')\
+            .annotate(ip=F('asset__ip')) \
+            .annotate(hostname=F('asset__hostname'))
         return queryset
 
-    def to_representation(self, instance):
-        instance.load_auth()
-        return super().to_representation(instance)
-
 
 class AccountSecretSerializer(SecretReadableMixin, AccountSerializer):
     class Meta(AccountSerializer.Meta):
diff --git a/apps/assets/serializers/account_history.py b/apps/assets/serializers/account_history.py
index fb2844182..b0846c04d 100644
--- a/apps/assets/serializers/account_history.py
+++ b/apps/assets/serializers/account_history.py
@@ -1,29 +1,20 @@
-from rest_framework import serializers
-from django.utils.translation import ugettext_lazy as _
 
-from assets.models import AuthBook
+from assets.models import Account
 from common.drf.serializers import SecretReadableMixin
 from .account import AccountSerializer, AccountSecretSerializer
 
 
 class AccountHistorySerializer(AccountSerializer):
-    systemuser_display = serializers.SerializerMethodField(label=_('System user display'))
 
     class Meta:
-        model = AuthBook.history.model
+        model = Account.history.model
         fields = AccountSerializer.Meta.fields_mini + \
-                 AccountSerializer.Meta.fields_write_only + \
-                 AccountSerializer.Meta.fields_fk + \
-                 ['history_id', 'date_created', 'date_updated']
+            AccountSerializer.Meta.fields_write_only + \
+            AccountSerializer.Meta.fields_fk + \
+            ['history_id', 'date_created', 'date_updated']
         read_only_fields = fields
         ref_name = 'AccountHistorySerializer'
 
-    @staticmethod
-    def get_systemuser_display(instance):
-        if not instance.systemuser:
-            return ''
-        return str(instance.systemuser)
-
     def get_field_names(self, declared_fields, info):
         fields = super().get_field_names(declared_fields, info)
         fields = list(set(fields) - {'org_name'})
diff --git a/apps/assets/serializers/asset.py b/apps/assets/serializers/asset.py
index 427d0e470..da1a0a0fc 100644
--- a/apps/assets/serializers/asset.py
+++ b/apps/assets/serializers/asset.py
@@ -6,6 +6,7 @@ from django.utils.translation import ugettext_lazy as _
 
 from orgs.mixins.serializers import BulkOrgResourceModelSerializer
 from ..models import Asset, Node, Platform, SystemUser
+from .account import AccountSerializer
 
 __all__ = [
     'AssetSerializer', 'AssetSimpleSerializer', 'MiniAssetSerializer',
@@ -70,6 +71,7 @@ class AssetSerializer(BulkOrgResourceModelSerializer):
     labels_display = serializers.ListField(
         child=serializers.CharField(), label=_('Labels name'), required=False, read_only=True
     )
+    accounts = AccountSerializer(many=True, write_only=True, required=False)
 
     """
     资产的数据结构
@@ -92,7 +94,7 @@ class AssetSerializer(BulkOrgResourceModelSerializer):
             'domain', 'domain_display', 'platform', 'admin_user', 'admin_user_display'
         ]
         fields_m2m = [
-            'nodes', 'nodes_display', 'labels', 'labels_display',
+            'nodes', 'nodes_display', 'labels', 'labels_display', 'accounts'
         ]
         read_only_fields = [
             'connectivity', 'date_verified', 'cpu_info', 'hardware_info',
@@ -107,6 +109,11 @@ class AssetSerializer(BulkOrgResourceModelSerializer):
             'cpu_info': {'label': _('CPU info')},
         }
 
+    def __init__(self, *args, **kwargs):
+        data = kwargs.get('data', {})
+        self.accounts_data = data.pop('accounts', [])
+        super().__init__(*args, **kwargs)
+
     def get_fields(self):
         fields = super().get_fields()
 
@@ -151,10 +158,24 @@ class AssetSerializer(BulkOrgResourceModelSerializer):
             nodes_to_set.append(node)
         instance.nodes.set(nodes_to_set)
 
+    @staticmethod
+    def add_accounts(instance, accounts_data):
+        for data in accounts_data:
+            data['asset'] = instance.id
+        print("Data: ", accounts_data)
+        serializer = AccountSerializer(data=accounts_data, many=True)
+        try:
+            serializer.is_valid(raise_exception=True)
+        except Exception as e:
+            raise serializers.ValidationError({'accounts': e})
+        serializer.save()
+
     def create(self, validated_data):
         self.compatible_with_old_protocol(validated_data)
         nodes_display = validated_data.pop('nodes_display', '')
         instance = super().create(validated_data)
+        if self.accounts_data:
+            self.add_accounts(instance, self.accounts_data)
         self.perform_nodes_display_create(instance, nodes_display)
         return instance
 
diff --git a/apps/assets/serializers/system_user.py b/apps/assets/serializers/system_user.py
index aa17b0585..a572a1736 100644
--- a/apps/assets/serializers/system_user.py
+++ b/apps/assets/serializers/system_user.py
@@ -47,9 +47,9 @@ class SystemUserSerializer(AuthSerializerMixin, BulkOrgResourceModelSerializer):
         fields_small = fields_mini + fields_write_only + [
             'token', 'ssh_key_fingerprint',
             'type', 'type_display', 'protocol', 'is_asset_protocol',
-            'login_mode', 'login_mode_display', 'priority',
+            'auto_create_account', 'login_mode', 'login_mode_display', 'priority',
             'sudo', 'shell', 'sftp_root', 'home', 'system_groups', 'ad_domain',
-            'username_same_with_user', 'auto_push', 'auto_generate_key',
+            'username_same_with_user', 'auto_push_account', 'auto_generate_key',
             'su_enabled', 'su_from',
             'date_created', 'date_updated', 'comment', 'created_by',
         ]
@@ -191,7 +191,7 @@ class SystemUserSerializer(AuthSerializerMixin, BulkOrgResourceModelSerializer):
         attrs['protocol'] = SystemUser.Protocol.ssh
         attrs['login_mode'] = SystemUser.LOGIN_AUTO
         attrs['username_same_with_user'] = False
-        attrs['auto_push'] = False
+        attrs['auto_push_account'] = False
         return attrs
 
     def _validate_gen_key(self, attrs):
@@ -259,7 +259,7 @@ class SystemUserWithAuthInfoSerializer(SecretReadableMixin, SystemUserSerializer
         fields_small = fields_mini + fields_write_only + [
             'protocol', 'login_mode', 'login_mode_display', 'priority',
             'sudo', 'shell', 'ad_domain', 'sftp_root', 'token',
-            "username_same_with_user", 'auto_push', 'auto_generate_key',
+            "username_same_with_user", 'auto_push_account', 'auto_generate_key',
             'comment',
         ]
         fields = fields_small
diff --git a/apps/assets/signal_handlers/asset.py b/apps/assets/signal_handlers/asset.py
index 97f727a46..a7e466c9b 100644
--- a/apps/assets/signal_handlers/asset.py
+++ b/apps/assets/signal_handlers/asset.py
@@ -52,8 +52,6 @@ def on_asset_created_or_update(sender, instance=None, created=False, **kwargs):
         if not has_node:
             instance.nodes.add(Node.org_root())
 
-    instance.set_admin_user_relation()
-
 
 @receiver(m2m_changed, sender=Asset.nodes.through)
 def on_asset_nodes_add(instance, action, reverse, pk_set, **kwargs):
@@ -89,22 +87,22 @@ def on_asset_nodes_add(instance, action, reverse, pk_set, **kwargs):
         systemuser_id__in=system_user_ids, asset_id__in=asset_ids
     ).values_list('systemuser_id', 'asset_id'))
     # TODO 优化
-    to_create = []
-    for system_user_id in system_user_ids:
-        asset_ids_to_push = []
-        for asset_id in asset_ids:
-            if (system_user_id, asset_id) in exist:
-                continue
-            asset_ids_to_push.append(asset_id)
-            to_create.append(m2m_model(
-                systemuser_id=system_user_id,
-                asset_id=asset_id,
-                org_id=instance.org_id
-            ))
-        if asset_ids_to_push:
-            push_system_user_to_assets.delay(system_user_id, asset_ids_to_push)
-    m2m_model.objects.bulk_create(to_create)
-
+    # to_create = []
+    # for system_user_id in system_user_ids:
+    #     asset_ids_to_push = []
+    #     for asset_id in asset_ids:
+    #         if (system_user_id, asset_id) in exist:
+    #             continue
+    #         asset_ids_to_push.append(asset_id)
+    #         to_create.append(m2m_model(
+    #             systemuser_id=system_user_id,
+    #             asset_id=asset_id,
+    #             org_id=instance.org_id
+    #         ))
+    #     if asset_ids_to_push:
+    #         push_system_user_to_assets.delay(system_user_id, asset_ids_to_push)
+    # m2m_model.objects.bulk_create(to_create)
+    #
 
 RELATED_NODE_IDS = '_related_node_ids'
 
diff --git a/apps/assets/signal_handlers/authbook.py b/apps/assets/signal_handlers/authbook.py
index 513488763..8020e4087 100644
--- a/apps/assets/signal_handlers/authbook.py
+++ b/apps/assets/signal_handlers/authbook.py
@@ -1,50 +1,14 @@
 from django.dispatch import receiver
-from django.apps import apps
-from simple_history.signals import pre_create_historical_record
-from django.db.models.signals import post_save, pre_save, pre_delete
+from django.db.models.signals import pre_save
 
 from common.utils import get_logger
-from ..models import AuthBook, SystemUser
+from ..models import Account
 
-AuthBookHistory = apps.get_model('assets', 'HistoricalAuthBook')
 logger = get_logger(__name__)
 
 
-@receiver(pre_create_historical_record, sender=AuthBookHistory)
-def pre_create_historical_record_callback(sender, history_instance=None, **kwargs):
-    attrs_to_copy = ['username', 'password', 'private_key']
-
-    for attr in attrs_to_copy:
-        if getattr(history_instance, attr):
-            continue
-        try:
-            system_user = history_instance.systemuser
-        except SystemUser.DoesNotExist:
-            continue
-        if not system_user:
-            continue
-        system_user_attr_value = getattr(history_instance.systemuser, attr)
-        if system_user_attr_value:
-            setattr(history_instance, attr, system_user_attr_value)
-
-
-@receiver(pre_delete, sender=AuthBook)
-def on_authbook_post_delete(sender, instance, **kwargs):
-    instance.remove_asset_admin_user_if_need()
-
-
-@receiver(post_save, sender=AuthBook)
-def on_authbook_post_create(sender, instance, created, **kwargs):
-    instance.sync_to_system_user_account()
-    if created:
-        pass
-        # # 不再自动更新资产管理用户，只允许用户手动指定。
-        # 只在创建时进行更新资产的管理用户
-        # instance.update_asset_admin_user_if_need()
-
-
-@receiver(pre_save, sender=AuthBook)
-def on_authbook_pre_create(sender, instance, **kwargs):
+@receiver(pre_save, sender=Account)
+def on_account_pre_create(sender, instance, **kwargs):
     # 升级版本号
     instance.version += 1
     # 即使在 root 组织也不怕
diff --git a/apps/assets/signal_handlers/system_user.py b/apps/assets/signal_handlers/system_user.py
index 00b19e110..64a656c29 100644
--- a/apps/assets/signal_handlers/system_user.py
+++ b/apps/assets/signal_handlers/system_user.py
@@ -9,9 +9,8 @@ from common.exceptions import M2MReverseNotAllowed
 from common.const.signals import POST_ADD
 from common.utils import get_logger
 from common.decorator import on_transaction_commit
-from assets.models import Asset, SystemUser, Node, AuthBook
+from assets.models import Asset, SystemUser, Node
 from users.models import User
-from orgs.utils import tmp_to_root_org
 from assets.tasks import (
     push_system_user_to_assets_manual,
     push_system_user_to_assets,
@@ -39,35 +38,7 @@ def on_system_user_assets_change(instance, action, model, pk_set, **kwargs):
     else:
         system_user_ids = pk_set
         asset_ids = [instance.id]
-
-    org_id = instance.org_id
-
-    # 关联创建的 authbook 没有系统用户id
-    with tmp_to_root_org():
-        authbooks = AuthBook.objects.filter(
-            asset_id__in=asset_ids,
-            systemuser_id__in=system_user_ids
-        )
-        if action == POST_ADD:
-            authbooks.update(org_id=org_id)
-
-    save_action_mapper = {
-        'pre_add': pre_save,
-        'post_add': post_save,
-        'pre_remove': pre_delete,
-        'post_remove': post_delete
-    }
-
-    for ab in authbooks:
-        ab.org_id = org_id
-
-        save_action = save_action_mapper[action]
-        logger.debug('Send AuthBook post save signal: {} -> {}'.format(action, ab.id))
-        save_action.send(sender=AuthBook, instance=ab, created=True)
-
-    if action == POST_ADD:
-        for system_user_id in system_user_ids:
-            push_system_user_to_assets.delay(system_user_id, asset_ids)
+    # todo: Auto create account if need
 
 
 @receiver(m2m_changed, sender=SystemUser.users.through)
diff --git a/apps/assets/task_handlers/backup/handlers.py b/apps/assets/task_handlers/backup/handlers.py
index 311d8e395..969ed5433 100644
--- a/apps/assets/task_handlers/backup/handlers.py
+++ b/apps/assets/task_handlers/backup/handlers.py
@@ -7,7 +7,7 @@ from django.conf import settings
 from django.utils.translation import ugettext_lazy as _
 from rest_framework import serializers
 
-from assets.models import AuthBook
+from assets.models import Account
 from assets.serializers import AccountSecretSerializer
 from assets.notifications import AccountBackupExecutionTaskMsg
 from applications.models import Account
@@ -74,9 +74,9 @@ class AssetAccountHandler(BaseAccountHandler):
     @classmethod
     def create_data_map(cls):
         data_map = defaultdict(list)
-        sheet_name = AuthBook._meta.verbose_name
+        sheet_name = Account._meta.verbose_name
 
-        accounts = AuthBook.get_queryset().select_related('systemuser')
+        accounts = Account.get_queryset()
         if not accounts.first():
             return data_map
 
diff --git a/apps/assets/tasks/common.py b/apps/assets/tasks/common.py
index a1bd79e11..6ad17b4c3 100644
--- a/apps/assets/tasks/common.py
+++ b/apps/assets/tasks/common.py
@@ -9,6 +9,7 @@ from assets.models import AuthBook
 __all__ = ['add_nodes_assets_to_system_users']
 
 
+# Todo: 等待优化
 @shared_task
 @tmp_to_root_org()
 def add_nodes_assets_to_system_users(nodes_keys, system_users):
diff --git a/apps/assets/tasks/utils.py b/apps/assets/tasks/utils.py
index 93aaa4bfc..a60f1b494 100644
--- a/apps/assets/tasks/utils.py
+++ b/apps/assets/tasks/utils.py
@@ -25,7 +25,7 @@ def check_asset_can_run_ansible(asset):
 
 
 def check_system_user_can_run_ansible(system_user):
-    if not system_user.auto_push:
+    if not system_user.auto_push_account:
         logger.warn(f'Push system user task skip, auto push not enable: system_user={system_user.name}')
         return False
     if not system_user.is_protocol_support_push:
diff --git a/apps/audits/const.py b/apps/audits/const.py
index 9ff993556..eaed75fc0 100644
--- a/apps/audits/const.py
+++ b/apps/audits/const.py
@@ -11,7 +11,7 @@ MODELS_NEED_RECORD = (
     'LoginACL', 'LoginAssetACL', 'LoginConfirmSetting',
     # assets
     'Asset', 'Node', 'AdminUser', 'SystemUser', 'Domain', 'Gateway', 'CommandFilterRule',
-    'CommandFilter', 'Platform', 'AuthBook',
+    'CommandFilter', 'Platform', 'Account',
     # applications
     'Application',
     # orgs
diff --git a/apps/jumpserver/settings/custom.py b/apps/jumpserver/settings/custom.py
index b6f6e9863..28c740189 100644
--- a/apps/jumpserver/settings/custom.py
+++ b/apps/jumpserver/settings/custom.py
@@ -81,7 +81,6 @@ TERMINAL_HOST_KEY = CONFIG.TERMINAL_HOST_KEY
 TERMINAL_HEADER_TITLE = CONFIG.TERMINAL_HEADER_TITLE
 TERMINAL_TELNET_REGEX = CONFIG.TERMINAL_TELNET_REGEX
 
-# Asset user auth external backend, default AuthBook backend
 BACKEND_ASSET_USER_AUTH_VAULT = False
 
 PERM_SINGLE_ASSET_TO_UNGROUP_NODE = CONFIG.PERM_SINGLE_ASSET_TO_UNGROUP_NODE
diff --git a/apps/locale/zh/LC_MESSAGES/django.po b/apps/locale/zh/LC_MESSAGES/django.po
index cf215a3fb..c66a34a44 100644
--- a/apps/locale/zh/LC_MESSAGES/django.po
+++ b/apps/locale/zh/LC_MESSAGES/django.po
@@ -785,13 +785,13 @@ msgstr "密码"
 #: xpack/plugins/change_auth_plan/models/asset.py:130
 #: xpack/plugins/change_auth_plan/models/asset.py:206
 msgid "SSH private key"
-msgstr "SSH密钥"
+msgstr "SSH 密钥"
 
 #: assets/models/base.py:179 xpack/plugins/change_auth_plan/models/asset.py:56
 #: xpack/plugins/change_auth_plan/models/asset.py:126
 #: xpack/plugins/change_auth_plan/models/asset.py:202
 msgid "SSH public key"
-msgstr "SSH公钥"
+msgstr "SSH 公钥"
 
 #: assets/models/cluster.py:20
 msgid "Bandwidth"
@@ -2067,7 +2067,7 @@ msgstr "Access key"
 
 #: authentication/models.py:41
 msgid "Private Token"
-msgstr "SSH密钥"
+msgstr "SSH 密钥"
 
 #: authentication/models.py:50
 msgid "Expired"
@@ -5468,7 +5468,7 @@ msgstr "原来密码错误"
 
 #: users/forms/profile.py:129
 msgid "Automatically configure and download the SSH key"
-msgstr "自动配置并下载SSH密钥"
+msgstr "自动配置并下载 SSH 密钥"
 
 #: users/forms/profile.py:131
 msgid "ssh public key"
@@ -5489,11 +5489,11 @@ msgstr "不能和原来的密钥相同"
 #: users/forms/profile.py:150 users/serializers/profile.py:100
 #: users/serializers/profile.py:183 users/serializers/profile.py:210
 msgid "Not a valid ssh public key"
-msgstr "SSH密钥不合法"
+msgstr "SSH 密钥不合法"
 
 #: users/forms/profile.py:161 users/models/user.py:692
 msgid "Public key"
-msgstr "SSH公钥"
+msgstr "SSH 公钥"
 
 #: users/models/user.py:558
 msgid "Force enable"
diff --git a/apps/perms/serializers/system_user_permission.py b/apps/perms/serializers/system_user_permission.py
index 3452d7af3..def2516d6 100644
--- a/apps/perms/serializers/system_user_permission.py
+++ b/apps/perms/serializers/system_user_permission.py
@@ -13,7 +13,7 @@ class SystemUserSerializer(serializers.ModelSerializer):
             'id', 'name', 'username', 'protocol',
             'login_mode', 'login_mode_display',
             'priority', 'username_same_with_user',
-            'auto_push', 'cmd_filters', 'sudo', 'shell', 'comment',
+            'auto_push_account', 'cmd_filters', 'sudo', 'shell', 'comment',
             'sftp_root', 'date_created', 'created_by'
         ]
         ref_name = 'PermedSystemUserSerializer'
diff --git a/utils/create_assets_user/bulk_create_user.py b/utils/create_assets_user/bulk_create_user.py
index 14cbca820..2897d4f0c 100644
--- a/utils/create_assets_user/bulk_create_user.py
+++ b/utils/create_assets_user/bulk_create_user.py
@@ -113,7 +113,7 @@ class UserCreation:
                 "username": username,
                 "password": password,
                 "protocol": protocol,
-                "auto_push": bool(int(auto_push)),
+                "auto_push_account": bool(int(auto_push)),
                 "login_mode": "auto"
             }
             users.append(info)

From 0d46834fbf3e235f4bce4d96ae6a4742e2ddb0f5 Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Fri, 15 Jul 2022 18:57:52 +0800
Subject: [PATCH 256/258] =?UTF-8?q?pref:=20=E4=BF=AE=E6=94=B9=E6=9A=82?=
 =?UTF-8?q?=E5=AD=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/assets/migrations/0092_auto_20220711_1409.py | 2 +-
 apps/assets/models/account.py                     | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/apps/assets/migrations/0092_auto_20220711_1409.py b/apps/assets/migrations/0092_auto_20220711_1409.py
index d6076b6c3..8036cc09f 100644
--- a/apps/assets/migrations/0092_auto_20220711_1409.py
+++ b/apps/assets/migrations/0092_auto_20220711_1409.py
@@ -70,7 +70,7 @@ class Migration(migrations.Migration):
                 ('created_by', models.CharField(max_length=128, null=True, verbose_name='Created by')),
                 ('protocol', models.CharField(choices=[('ssh', 'SSH'), ('rdp', 'RDP'), ('telnet', 'Telnet'), ('vnc', 'VNC'), ('mysql', 'MySQL'), ('oracle', 'Oracle'), ('mariadb', 'MariaDB'), ('postgresql', 'PostgreSQL'), ('sqlserver', 'SQLServer'), ('redis', 'Redis'), ('mongodb', 'MongoDB'), ('k8s', 'K8S')], default='ssh', max_length=16, verbose_name='Protocol')),
                 ('type', models.CharField(choices=[('common', 'Common user'), ('admin', 'Admin user')], default='common', max_length=16, verbose_name='Type')),
-                ('version', models.IntegerField(default=1, verbose_name='Version')),
+                ('version', models.IntegerField(default=0, verbose_name='Version')),
                 ('asset', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='assets.asset', verbose_name='Asset')),
             ],
             options={
diff --git a/apps/assets/models/account.py b/apps/assets/models/account.py
index 9d503c99b..7660ff682 100644
--- a/apps/assets/models/account.py
+++ b/apps/assets/models/account.py
@@ -18,7 +18,7 @@ class Account(BaseUser, AbsConnectivity, ProtocolMixin):
                                 default='ssh', verbose_name=_('Protocol'))
     type = models.CharField(max_length=16, choices=Type.choices, default=Type.common, verbose_name=_("Type"))
     asset = models.ForeignKey('assets.Asset', on_delete=models.CASCADE, verbose_name=_('Asset'))
-    version = models.IntegerField(default=1, verbose_name=_('Version'))
+    version = models.IntegerField(default=0, verbose_name=_('Version'))
     history = HistoricalRecords()
 
     class Meta:

From 008b18eced879182ad05bef9dcfbe0fb4869fd5e Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Sun, 17 Jul 2022 13:57:13 +0800
Subject: [PATCH 257/258] =?UTF-8?q?perf:=20=E4=BF=AE=E6=94=B9=E4=B8=BA?=
 =?UTF-8?q?=E8=B4=A6=E5=8F=B7=E6=A8=A1=E7=89=88?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/assets/migrations/0096_auto_20220714_1627.py | 2 +-
 apps/assets/models/user.py                        | 4 ++--
 apps/assets/serializers/system_user.py            | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/apps/assets/migrations/0096_auto_20220714_1627.py b/apps/assets/migrations/0096_auto_20220714_1627.py
index 4637128ff..274b2d8ef 100644
--- a/apps/assets/migrations/0096_auto_20220714_1627.py
+++ b/apps/assets/migrations/0096_auto_20220714_1627.py
@@ -17,7 +17,7 @@ class Migration(migrations.Migration):
         ),
         migrations.AddField(
             model_name='systemuser',
-            name='auto_create_account',
+            name='account_template_enabled',
             field=models.BooleanField(default=False, verbose_name='Auto account if not exist'),
         ),
     ]
diff --git a/apps/assets/models/user.py b/apps/assets/models/user.py
index bfa4dd3af..418840e6a 100644
--- a/apps/assets/models/user.py
+++ b/apps/assets/models/user.py
@@ -108,8 +108,8 @@ class SystemUser(ProtocolMixin, BaseUser):
     protocol = models.CharField(max_length=16, choices=ProtocolMixin.Protocol.choices, default='ssh', verbose_name=_('Protocol'))
 
     login_mode = models.CharField(choices=LOGIN_MODE_CHOICES, default=LOGIN_AUTO, max_length=10, verbose_name=_('Login mode'))
-    auto_create_account = models.BooleanField(default=False, verbose_name=_("自动创建账号"))
-    auto_push_account = models.BooleanField(default=True, verbose_name=_('推送账号到资产'))
+    account_template_enabled = models.BooleanField(default=False, verbose_name=_("启用账号模版"))
+    auto_push_account = models.BooleanField(default=True, verbose_name=_('自动推送账号'))
     type = models.CharField(max_length=16, choices=Type.choices, default=Type.common, verbose_name=_('Type'))
     sudo = models.TextField(default='/bin/whoami', verbose_name=_('Sudo'))
     shell = models.CharField(max_length=64,  default='/bin/bash', verbose_name=_('Shell'))
diff --git a/apps/assets/serializers/system_user.py b/apps/assets/serializers/system_user.py
index a572a1736..7bdd13fe1 100644
--- a/apps/assets/serializers/system_user.py
+++ b/apps/assets/serializers/system_user.py
@@ -47,7 +47,7 @@ class SystemUserSerializer(AuthSerializerMixin, BulkOrgResourceModelSerializer):
         fields_small = fields_mini + fields_write_only + [
             'token', 'ssh_key_fingerprint',
             'type', 'type_display', 'protocol', 'is_asset_protocol',
-            'auto_create_account', 'login_mode', 'login_mode_display', 'priority',
+            'account_template_enabled', 'login_mode', 'login_mode_display', 'priority',
             'sudo', 'shell', 'sftp_root', 'home', 'system_groups', 'ad_domain',
             'username_same_with_user', 'auto_push_account', 'auto_generate_key',
             'su_enabled', 'su_from',

From 8b188f020dffebe5d0deac90fff29c9604909a9c Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Sun, 17 Jul 2022 14:17:16 +0800
Subject: [PATCH 258/258] =?UTF-8?q?perf:=20=E4=BF=AE=E6=94=B9=E5=A4=87?=
 =?UTF-8?q?=E6=B3=A8?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/assets/models/user.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/apps/assets/models/user.py b/apps/assets/models/user.py
index 418840e6a..661f89480 100644
--- a/apps/assets/models/user.py
+++ b/apps/assets/models/user.py
@@ -106,8 +106,10 @@ class SystemUser(ProtocolMixin, BaseUser):
         validators=[MinValueValidator(1), MaxValueValidator(100)]
     )
     protocol = models.CharField(max_length=16, choices=ProtocolMixin.Protocol.choices, default='ssh', verbose_name=_('Protocol'))
-
     login_mode = models.CharField(choices=LOGIN_MODE_CHOICES, default=LOGIN_AUTO, max_length=10, verbose_name=_('Login mode'))
+
+    # Todo: 重构平台后或许这里也得变化
+    # 账号模版
     account_template_enabled = models.BooleanField(default=False, verbose_name=_("启用账号模版"))
     auto_push_account = models.BooleanField(default=True, verbose_name=_('自动推送账号'))
     type = models.CharField(max_length=16, choices=Type.choices, default=Type.common, verbose_name=_('Type'))
@@ -118,7 +120,9 @@ class SystemUser(ProtocolMixin, BaseUser):
     home = models.CharField(max_length=4096, default='', verbose_name=_('Home'), blank=True)
     system_groups = models.CharField(default='', max_length=4096, verbose_name=_('System groups'), blank=True)
     ad_domain = models.CharField(default='', max_length=256)
+
     # linux su 命令 (switch user)
+    # Todo: 修改为 username, 不必系统用户了
     su_enabled = models.BooleanField(default=False, verbose_name=_('User switch'))
     su_from = models.ForeignKey('self', on_delete=models.SET_NULL, related_name='su_to', null=True, verbose_name=_("Switch from"))