fix(common) 修复管理员未设置Email主题前缀导致发送邮件失败的问题

This reverts commit 550107c456.

.github/ISSUE_TEMPLATE.md

@@ -2,7 +2,7 @@
 
 
 ##### 使用版本
-[请提供你使用的Jumpserver版本 1.x.x 注: 0.3.x不再提供支持]
+[请提供你使用的JumpServer版本 如 2.0.1 注: 1.4及以下版本不再提供支持]
 
 ##### 问题复现步骤
 1. [步骤1]

.github/release-config.yml

@@ -0,0 +1,44 @@
+name-template: 'v$RESOLVED_VERSION'
+tag-template: 'v$RESOLVED_VERSION'
+categories:
+  - title: '🌱 新功能 Features'
+    labels:
+      - 'feature'
+      - 'enhancement'
+      - 'feat'
+      - '新功能'
+  - title: '🚀 性能优化 Optimization'
+    labels:
+      - 'perf'
+      - 'opt'
+      - 'refactor'
+      - 'Optimization'
+      - '优化'
+  - title: '🐛 Bug修复 Bug Fixes'
+    labels:
+      - 'fix'
+      - 'bugfix'
+      - 'bug'
+  - title: '🧰 其它 Maintenance'
+    labels:
+      - 'chore'
+      - 'docs'
+exclude-labels:
+  - 'no'
+  - '无需处理'
+  - 'wontfix'
+change-template: '- $TITLE @$AUTHOR (#$NUMBER)'
+version-resolver:
+  major:
+    labels:
+      - 'major'
+  minor:
+    labels:
+      - 'minor'
+  patch:
+    labels:
+      - 'patch'
+  default: patch
+template: |
+  ## 版本变化  What’s Changed
+  $CHANGES

.github/workflows/jms-generic-action-handler.yml

@@ -0,0 +1,12 @@
+on: [push, pull_request, release]
+
+name: JumpServer repos generic handler
+
+jobs:
+  generic_handler:
+    name: Run generic handler
+    runs-on: ubuntu-latest
+    steps:
+      - uses: jumpserver/action-generic-handler@master
+        env:
+          GITHUB_TOKEN: ${{ secrets.PRIVATE_TOKEN }}

.github/workflows/release-drafter.yml

@@ -0,0 +1,46 @@
+on:
+  push:
+    # Sequence of patterns matched against refs/tags
+    tags:
+      - 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10
+
+name: Create Release And Upload assets
+
+jobs:
+  create-realese:
+    name: Create Release
+    runs-on: ubuntu-latest
+    outputs:
+      upload_url: ${{ steps.create_release.outputs.upload_url }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+      - name: Get version
+        id: get_version
+        run: |
+          TAG=$(basename ${GITHUB_REF})
+          VERSION=${TAG/v/}
+          echo "::set-output name=TAG::$TAG"
+          echo "::set-output name=VERSION::$VERSION"
+      - name: Create Release
+        id: create_release
+        uses: release-drafter/release-drafter@v5
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          config-name: release-config.yml
+          version: ${{ steps.get_version.outputs.TAG }}
+          tag: ${{ steps.get_version.outputs.TAG }}
+
+  build-and-release:
+    needs: create-realese
+    name: Build and Release
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Build it and upload
+        uses: jumpserver/action-build-upload-assets@master
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ needs.create-realese.outputs.upload_url }}

.gitignore

@@ -35,4 +35,6 @@ docs/_build/
 xpack
 logs/*
 ### Vagrant ###
-.vagrant/
+.vagrant/
+release/*
+releashe

Dockerfile

@@ -1,19 +1,33 @@
-FROM registry.fit2cloud.com/public/python:v3
+FROM registry.fit2cloud.com/public/python:v3 as stage-build
 MAINTAINER Jumpserver Team <ibuler@qq.com>
+ARG VERSION
+ENV VERSION=$VERSION
 
 WORKDIR /opt/jumpserver
+ADD . .
+RUN cd utils && bash -ixeu build.sh
+
+
+FROM registry.fit2cloud.com/public/python:v3
+ARG PIP_MIRROR=https://pypi.douban.com/simple
+ENV PIP_MIRROR=$PIP_MIRROR
+ARG MYSQL_MIRROR=https://mirrors.tuna.tsinghua.edu.cn/mysql/yum/mysql57-community-el6/
+ENV MYSQL_MIRROR=$MYSQL_MIRROR
+
+WORKDIR /opt/jumpserver
+
+COPY ./requirements ./requirements
 RUN useradd jumpserver
-
-COPY ./requirements /tmp/requirements
-
 RUN yum -y install epel-release && \
-      echo -e "[mysql]\nname=mysql\nbaseurl=https://mirrors.tuna.tsinghua.edu.cn/mysql/yum/mysql57-community-el6/\ngpgcheck=0\nenabled=1" > /etc/yum.repos.d/mysql.repo
-RUN cd /tmp/requirements && yum -y install $(cat rpm_requirements.txt)
-RUN cd /tmp/requirements && pip install --upgrade pip setuptools && pip install wheel && \
-    pip install -i https://pypi.tuna.tsinghua.edu.cn/simple -r requirements.txt || pip install -r requirements.txt
+      echo -e "[mysql]\nname=mysql\nbaseurl=${MYSQL_MIRROR}\ngpgcheck=0\nenabled=1" > /etc/yum.repos.d/mysql.repo
+RUN yum -y install $(cat requirements/rpm_requirements.txt)
+RUN pip install --upgrade pip setuptools wheel -i ${PIP_MIRROR} && \
+    pip config set global.index-url ${PIP_MIRROR}
+RUN pip install -r requirements/requirements.txt || pip install -r requirements/requirements.txt
+
+COPY --from=stage-build /opt/jumpserver/release/jumpserver /opt/jumpserver
 RUN mkdir -p /root/.ssh/ && echo -e "Host *\n\tStrictHostKeyChecking no\n\tUserKnownHostsFile /dev/null" > /root/.ssh/config
 
-COPY . /opt/jumpserver
 RUN echo > config.yml
 VOLUME /opt/jumpserver/data
 VOLUME /opt/jumpserver/logs

README.md

@@ -2,6 +2,7 @@
 
 [![Python3](https://img.shields.io/badge/python-3.6-green.svg?style=plastic)](https://www.python.org/)
 [![Django](https://img.shields.io/badge/django-2.2-brightgreen.svg?style=plastic)](https://www.djangoproject.com/)
+[![Docker Pulls](https://img.shields.io/docker/pulls/jumpserver/jms_all.svg)](https://hub.docker.com/u/jumpserver)
 
 JumpServer 是全球首款开源的堡垒机，使用 GNU GPL v2.0 开源协议，是符合 4A 规范的运维安全审计系统。
 

apps/assets/api/gathered_user.py

@@ -18,5 +18,5 @@ class GatheredUserViewSet(OrgModelViewSet):
     permission_classes = [IsOrgAdmin]
     extra_filter_backends = [AssetRelatedByNodeFilterBackend]
 
-    filter_fields = ['asset', 'username', 'present', 'asset__ip', 'asset__hostname']
+    filter_fields = ['asset', 'username', 'present', 'asset__ip', 'asset__hostname', 'asset_id']
     search_fields = ['username', 'asset__ip', 'asset__hostname']

apps/assets/api/system_user.py

@@ -28,7 +28,7 @@ class SystemUserViewSet(OrgBulkModelViewSet):
     System user api set, for add,delete,update,list,retrieve resource
     """
     model = SystemUser
-    filter_fields = ("name", "username")
+    filter_fields = ("name", "username", "protocol")
     search_fields = filter_fields
     serializer_class = serializers.SystemUserSerializer
     serializer_classes = {

apps/assets/migrations/0050_auto_20200711_1740.py

@@ -0,0 +1,18 @@
+# Generated by Django 2.2.10 on 2020-07-11 09:40
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0049_systemuser_sftp_root'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='asset',
+            name='created_by',
+            field=models.CharField(blank=True, max_length=128, null=True, verbose_name='Created by'),
+        ),
+    ]

apps/assets/models/asset.py

@@ -221,7 +221,7 @@ class Asset(ProtocolsMixin, NodesRelationMixin, OrgModelMixin):
     hostname_raw = models.CharField(max_length=128, blank=True, null=True, verbose_name=_('Hostname raw'))
 
     labels = models.ManyToManyField('assets.Label', blank=True, related_name='assets', verbose_name=_("Labels"))
-    created_by = models.CharField(max_length=32, null=True, blank=True, verbose_name=_('Created by'))
+    created_by = models.CharField(max_length=128, null=True, blank=True, verbose_name=_('Created by'))
     date_created = models.DateTimeField(auto_now_add=True, null=True, blank=True, verbose_name=_('Date created'))
     comment = models.TextField(max_length=128, default='', blank=True, verbose_name=_('Comment'))
 

apps/assets/tasks/const.py

@@ -64,7 +64,7 @@ GATHER_ASSET_USERS_TASKS = [
         "action": {
             "module": "shell",
             "args": "users=$(getent passwd | grep -v 'nologin' | "
-                    "grep -v 'shudown' | awk -F: '{ print $1 }');for i in $users;do last -F $i -1 | "
+                    "grep -v 'shudown' | awk -F: '{ print $1 }');for i in $users;do last -w -F $i -1 | "
                     "head -1 | grep -v '^$'  | awk '{ print $1\"@\"$3\"@\"$5,$6,$7,$8 }';done"
         }
     }

apps/audits/api.py

@@ -27,6 +27,7 @@ class FTPLogViewSet(CreateModelMixin,
     ]
     filter_fields = ['user', 'asset', 'system_user', 'filename']
     search_fields = filter_fields
+    ordering = ['-date_start']
 
 
 class UserLoginLogViewSet(ListModelMixin, CommonGenericViewSet):

apps/audits/serializers.py

@@ -17,7 +17,7 @@ class FTPLogSerializer(serializers.ModelSerializer):
         model = models.FTPLog
         fields = (
             'id', 'user', 'remote_addr', 'asset', 'system_user',
-            'operate', 'filename', 'is_success', 'date_start'
+            'operate', 'filename', 'is_success', 'date_start', 'org_id'
         )
 
 
@@ -39,7 +39,7 @@ class OperateLogSerializer(serializers.ModelSerializer):
         model = models.OperateLog
         fields = (
             'id', 'user', 'action', 'resource_type', 'resource',
-            'remote_addr', 'datetime'
+            'remote_addr', 'datetime', 'org_id'
         )
 
 
@@ -65,7 +65,7 @@ class CommandExecutionSerializer(serializers.ModelSerializer):
         fields_mini = ['id']
         fields_small = fields_mini + [
             'run_as', 'command', 'user', 'is_finished',
-            'date_start', 'result', 'is_success'
+            'date_start', 'result', 'is_success', 'org_id'
         ]
         fields = fields_small + ['hosts', 'run_as_display', 'user_display']
         extra_kwargs = {

apps/authentication/backends/radius.py

@@ -1,17 +1,17 @@
 # -*- coding: utf-8 -*-
 #
+import traceback
 
 from django.contrib.auth import get_user_model
 from radiusauth.backends import RADIUSBackend, RADIUSRealmBackend
 from django.conf import settings
 
-from pyrad.packet import AccessRequest
 
 User = get_user_model()
 
 
 class CreateUserMixin:
-    def get_django_user(self, username, password=None):
+    def get_django_user(self, username, password=None, *args, **kwargs):
         if isinstance(username, bytes):
             username = username.decode()
         try:
@@ -27,6 +27,23 @@ class CreateUserMixin:
             user.save()
         return user
 
+    def _perform_radius_auth(self, client, packet):
+        # TODO: 等待官方库修复这个BUG
+        try:
+            return super()._perform_radius_auth(client, packet)
+        except UnicodeError as e:
+            import sys
+            tb = ''.join(traceback.format_exception(*sys.exc_info(), limit=2, chain=False))
+            if tb.find("cl.decode") != -1:
+                return [], False, False
+            return None
+
+    def authenticate(self, *args, **kwargs):
+        # 校验用户时，会传入public_key参数，父类authentication中不接受public_key参数，所以要pop掉
+        # TODO:需要优化各backend的authenticate方法，django进行调用前会检测各authenticate的参数
+        kwargs.pop('public_key', None)
+        return super().authenticate(*args, **kwargs)
+
 
 class RadiusBackend(CreateUserMixin, RADIUSBackend):
     pass

apps/common/drf/parsers/csv.py

@@ -38,9 +38,9 @@ class JMSCSVParser(BaseParser):
             yield row
 
     @staticmethod
-    def _get_fields_map(serializer):
+    def _get_fields_map(serializer_cls):
         fields_map = {}
-        fields = serializer.fields
+        fields = serializer_cls().fields
         fields_map.update({v.label: k for k, v in fields.items()})
         fields_map.update({k: k for k, _ in fields.items()})
         return fields_map
@@ -82,7 +82,8 @@ class JMSCSVParser(BaseParser):
     def parse(self, stream, media_type=None, parser_context=None):
         parser_context = parser_context or {}
         try:
-            serializer = parser_context["view"].get_serializer()
+            view = parser_context['view']
+            serializer_cls = view.get_serializer_class()
         except Exception as e:
             logger.debug(e, exc_info=True)
             raise ParseError('The resource does not support imports!')
@@ -96,7 +97,7 @@ class JMSCSVParser(BaseParser):
             rows = self._gen_rows(binary, charset=encoding)
 
             header = next(rows)
-            fields_map = self._get_fields_map(serializer)
+            fields_map = self._get_fields_map(serializer_cls)
             header = [fields_map.get(name.strip('*'), '') for name in header]
 
             data = []

apps/common/drf/renders/csv.py

@@ -30,7 +30,7 @@ class JMSCSVRender(BaseRenderer):
 
     @staticmethod
     def _gen_table(data, fields):
-        data = data[:100]
+        data = data[:10000]
         yield ['*{}'.format(f.label) if f.required else f.label for f in fields]
 
         for item in data:

apps/common/http.py

@@ -10,3 +10,7 @@ class HttpResponseTemporaryRedirect(HttpResponse):
     def __init__(self, redirect_to):
         HttpResponse.__init__(self)
         self['Location'] = iri_to_uri(redirect_to)
+
+
+def get_remote_addr(request):
+    return request.META.get("HTTP_X_FORWARDED_HOST") or request.META.get("REMOTE_ADDR")

apps/common/tasks.py

@@ -24,7 +24,7 @@ def send_mail_async(*args, **kwargs):
     """
     if len(args) == 3:
         args = list(args)
-        args[0] = settings.EMAIL_SUBJECT_PREFIX + args[0]
+        args[0] = (settings.EMAIL_SUBJECT_PREFIX or '') + args[0]
         email_from = settings.EMAIL_FROM or settings.EMAIL_HOST_USER
         args.insert(2, email_from)
         args = tuple(args)

apps/jumpserver/conf.py

@@ -241,7 +241,7 @@ class Config(dict):
         'HTTP_BIND_HOST': '0.0.0.0',
         'HTTP_LISTEN_PORT': 8080,
         'WS_LISTEN_PORT': 8070,
-        'LOGIN_LOG_KEEP_DAYS': 90,
+        'LOGIN_LOG_KEEP_DAYS': 9999,
         'TASK_LOG_KEEP_DAYS': 10,
         'ASSETS_PERM_CACHE_TIME': 3600 * 24,
         'SECURITY_MFA_VERIFY_TTL': 3600,
@@ -259,7 +259,8 @@ class Config(dict):
         'WINDOWS_SKIP_ALL_MANUAL_PASSWORD': False,
         'ORG_CHANGE_TO_URL': '',
         'LANGUAGE_CODE': 'zh',
-        'TIME_ZONE': 'Asia/Shanghai'
+        'TIME_ZONE': 'Asia/Shanghai',
+        'CHANGE_AUTH_PLAN_SECURE_MODE_ENABLED': True
     }
 
     def compatible_auth_openid_of_key(self):

apps/jumpserver/settings/auth.py

@@ -92,6 +92,7 @@ CAS_LOGGED_MSG = None
 CAS_LOGOUT_COMPLETELY = CONFIG.CAS_LOGOUT_COMPLETELY
 CAS_VERSION = CONFIG.CAS_VERSION
 CAS_ROOT_PROXIED_AS = CONFIG.CAS_ROOT_PROXIED_AS
+CAS_CHECK_NEXT = lambda: lambda _next_page: True
 
 
 # Other setting

apps/jumpserver/settings/custom.py

@@ -86,7 +86,11 @@ TASK_LOG_KEEP_DAYS = CONFIG.TASK_LOG_KEEP_DAYS
 ORG_CHANGE_TO_URL = CONFIG.ORG_CHANGE_TO_URL
 WINDOWS_SKIP_ALL_MANUAL_PASSWORD = CONFIG.WINDOWS_SKIP_ALL_MANUAL_PASSWORD
 
+AUTH_EXPIRED_SECONDS = 60 * 5
+
 # XPACK
 XPACK_LICENSE_IS_VALID = DYNAMIC.XPACK_LICENSE_IS_VALID
 
 LOGO_URLS = DYNAMIC.LOGO_URLS
+
+CHANGE_AUTH_PLAN_SECURE_MODE_ENABLED = CONFIG.CHANGE_AUTH_PLAN_SECURE_MODE_ENABLED

apps/jumpserver/views/index.py

@@ -1,5 +1,4 @@
 from django.views.generic import TemplateView
-from django.utils.translation import ugettext_lazy as _
 from django.shortcuts import redirect
 from common.permissions import PermissionsMixin, IsValidUser
 
@@ -12,17 +11,3 @@ class IndexView(PermissionsMixin, TemplateView):
 
     def get(self, request, *args, **kwargs):
         return redirect('/ui/')
-
-    def dispatch(self, request, *args, **kwargs):
-        if not request.user.is_authenticated:
-            return self.handle_no_permission()
-        if request.user.is_common_user:
-            return redirect('assets:user-asset-list')
-        return super(IndexView, self).dispatch(request, *args, **kwargs)
-
-    def get_context_data(self, **kwargs):
-        context = super().get_context_data(**kwargs)
-        context.update({
-            'app': _("Dashboard"),
-        })
-        return context

apps/locale/zh/LC_MESSAGES/django.po

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: JumpServer 0.3.3\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2020-06-16 11:02+0800\n"
+"POT-Creation-Date: 2020-07-15 17:03+0800\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: ibuler <ibuler@qq.com>\n"
 "Language-Team: JumpServer team<ibuler@qq.com>\n"
@@ -28,7 +28,7 @@ msgstr "自定义"
 #: assets/models/label.py:18 ops/mixin.py:24 orgs/models.py:12
 #: perms/models/base.py:48 settings/models.py:27 terminal/models.py:26
 #: terminal/models.py:342 terminal/models.py:374 terminal/models.py:411
-#: users/forms/profile.py:20 users/models/group.py:15 users/models/user.py:466
+#: users/forms/profile.py:20 users/models/group.py:15 users/models/user.py:467
 #: users/templates/users/_select_user_modal.html:13
 #: users/templates/users/user_asset_permission.html:37
 #: users/templates/users/user_asset_permission.html:154
@@ -77,15 +77,15 @@ msgstr "数据库"
 #: assets/models/group.py:23 assets/models/label.py:23 ops/models/adhoc.py:37
 #: orgs/models.py:18 perms/models/base.py:56 settings/models.py:32
 #: terminal/models.py:36 terminal/models.py:381 terminal/models.py:418
-#: users/models/group.py:16 users/models/user.py:499
+#: users/models/group.py:16 users/models/user.py:500
 #: users/templates/users/user_detail.html:115
 #: users/templates/users/user_granted_database_app.html:38
 #: users/templates/users/user_granted_remote_app.html:37
 #: users/templates/users/user_group_detail.html:62
 #: users/templates/users/user_group_list.html:16
 #: users/templates/users/user_profile.html:138
-#: xpack/plugins/change_auth_plan/models.py:76 xpack/plugins/cloud/models.py:53
-#: xpack/plugins/cloud/models.py:139 xpack/plugins/gathered_user/models.py:26
+#: xpack/plugins/change_auth_plan/models.py:77 xpack/plugins/cloud/models.py:53
+#: xpack/plugins/cloud/models.py:140 xpack/plugins/gathered_user/models.py:26
 msgid "Comment"
 msgstr "备注"
 
@@ -106,11 +106,12 @@ msgstr "数据库应用"
 #: assets/serializers/system_user.py:176 audits/models.py:20
 #: perms/forms/asset_permission.py:89 perms/models/asset_permission.py:80
 #: templates/index.html:82 terminal/backends/command/models.py:19
-#: terminal/models.py:187 users/templates/users/user_asset_permission.html:40
+#: terminal/backends/command/serializers.py:13 terminal/models.py:187
+#: users/templates/users/user_asset_permission.html:40
 #: users/templates/users/user_asset_permission.html:70
 #: users/templates/users/user_granted_remote_app.html:36
-#: xpack/plugins/change_auth_plan/models.py:282
-#: xpack/plugins/cloud/models.py:269
+#: xpack/plugins/change_auth_plan/models.py:283
+#: xpack/plugins/cloud/models.py:266
 msgid "Asset"
 msgstr "资产"
 
@@ -131,10 +132,10 @@ msgstr "参数"
 #: assets/models/base.py:240 assets/models/cluster.py:28
 #: assets/models/cmd_filter.py:26 assets/models/cmd_filter.py:59
 #: assets/models/group.py:21 common/mixins/models.py:49 orgs/models.py:16
-#: perms/models/base.py:54 users/models/user.py:507
+#: perms/models/base.py:54 users/models/user.py:508
 #: users/serializers/group.py:35 users/templates/users/user_detail.html:97
-#: xpack/plugins/change_auth_plan/models.py:80 xpack/plugins/cloud/models.py:56
-#: xpack/plugins/cloud/models.py:145 xpack/plugins/gathered_user/models.py:30
+#: xpack/plugins/change_auth_plan/models.py:81 xpack/plugins/cloud/models.py:56
+#: xpack/plugins/cloud/models.py:146 xpack/plugins/gathered_user/models.py:30
 msgid "Created by"
 msgstr "创建者"
 
@@ -147,7 +148,7 @@ msgstr "创建者"
 #: common/mixins/models.py:50 ops/models/adhoc.py:38 ops/models/command.py:27
 #: orgs/models.py:17 perms/models/base.py:55 users/models/group.py:18
 #: users/templates/users/user_group_detail.html:58
-#: xpack/plugins/cloud/models.py:59 xpack/plugins/cloud/models.py:148
+#: xpack/plugins/cloud/models.py:59 xpack/plugins/cloud/models.py:149
 msgid "Date created"
 msgstr "创建日期"
 
@@ -232,7 +233,7 @@ msgstr "网域"
 
 #: assets/models/asset.py:195 assets/models/user.py:109
 #: perms/models/asset_permission.py:81
-#: xpack/plugins/change_auth_plan/models.py:55
+#: xpack/plugins/change_auth_plan/models.py:56
 #: xpack/plugins/gathered_user/models.py:24
 msgid "Nodes"
 msgstr "节点"
@@ -245,7 +246,7 @@ msgstr "激活"
 
 #: assets/models/asset.py:199 assets/models/cluster.py:19
 #: assets/models/user.py:65 templates/_nav.html:44
-#: xpack/plugins/cloud/models.py:133
+#: xpack/plugins/cloud/models.py:133 xpack/plugins/cloud/serializers.py:83
 msgid "Admin user"
 msgstr "管理用户"
 
@@ -337,13 +338,13 @@ msgstr ""
 #: audits/models.py:81 authentication/forms.py:10
 #: authentication/templates/authentication/login.html:21
 #: authentication/templates/authentication/xpack_login.html:93
-#: ops/models/adhoc.py:148 users/forms/profile.py:19 users/models/user.py:464
+#: ops/models/adhoc.py:148 users/forms/profile.py:19 users/models/user.py:465
 #: users/templates/users/_select_user_modal.html:14
 #: users/templates/users/user_detail.html:53
 #: users/templates/users/user_list.html:15
 #: users/templates/users/user_profile.html:47
-#: xpack/plugins/change_auth_plan/models.py:46
-#: xpack/plugins/change_auth_plan/models.py:278
+#: xpack/plugins/change_auth_plan/models.py:47
+#: xpack/plugins/change_auth_plan/models.py:279
 msgid "Username"
 msgstr "用户名"
 
@@ -358,21 +359,21 @@ msgstr "用户名"
 #: users/templates/users/user_profile_update.html:41
 #: users/templates/users/user_pubkey_update.html:41
 #: users/templates/users/user_update.html:20
-#: xpack/plugins/change_auth_plan/models.py:67
-#: xpack/plugins/change_auth_plan/models.py:190
-#: xpack/plugins/change_auth_plan/models.py:285
+#: xpack/plugins/change_auth_plan/models.py:68
+#: xpack/plugins/change_auth_plan/models.py:191
+#: xpack/plugins/change_auth_plan/models.py:286
 msgid "Password"
 msgstr "密码"
 
-#: assets/models/base.py:235 xpack/plugins/change_auth_plan/models.py:71
-#: xpack/plugins/change_auth_plan/models.py:197
-#: xpack/plugins/change_auth_plan/models.py:292
+#: assets/models/base.py:235 xpack/plugins/change_auth_plan/models.py:72
+#: xpack/plugins/change_auth_plan/models.py:198
+#: xpack/plugins/change_auth_plan/models.py:293
 msgid "SSH private key"
 msgstr "SSH密钥"
 
-#: assets/models/base.py:236 xpack/plugins/change_auth_plan/models.py:74
-#: xpack/plugins/change_auth_plan/models.py:193
-#: xpack/plugins/change_auth_plan/models.py:288
+#: assets/models/base.py:236 xpack/plugins/change_auth_plan/models.py:75
+#: xpack/plugins/change_auth_plan/models.py:194
+#: xpack/plugins/change_auth_plan/models.py:289
 msgid "SSH public key"
 msgstr "SSH公钥"
 
@@ -389,7 +390,7 @@ msgstr "带宽"
 msgid "Contact"
 msgstr "联系人"
 
-#: assets/models/cluster.py:22 users/models/user.py:485
+#: assets/models/cluster.py:22 users/models/user.py:486
 #: users/templates/users/user_detail.html:62
 msgid "Phone"
 msgstr "手机"
@@ -415,7 +416,7 @@ msgid "Default"
 msgstr "默认"
 
 #: assets/models/cluster.py:36 assets/models/label.py:14
-#: users/models/user.py:626
+#: users/models/user.py:627
 msgid "System"
 msgstr "系统"
 
@@ -448,7 +449,7 @@ msgid "Regex"
 msgstr "正则表达式"
 
 #: assets/models/cmd_filter.py:40 ops/models/command.py:23
-#: terminal/models.py:196
+#: terminal/backends/command/serializers.py:15 terminal/models.py:196
 msgid "Command"
 msgstr "命令"
 
@@ -534,9 +535,10 @@ msgstr "默认资产组"
 #: perms/forms/asset_permission.py:83 perms/forms/database_app_permission.py:38
 #: perms/forms/remote_app_permission.py:40 perms/models/base.py:49
 #: templates/index.html:78 terminal/backends/command/models.py:18
-#: terminal/models.py:185 tickets/models/ticket.py:33
-#: tickets/models/ticket.py:128 users/forms/group.py:15
-#: users/models/user.py:159 users/models/user.py:175 users/models/user.py:614
+#: terminal/backends/command/serializers.py:12 terminal/models.py:185
+#: tickets/models/ticket.py:33 tickets/models/ticket.py:128
+#: tickets/serializers/ticket.py:27 users/forms/group.py:15
+#: users/models/user.py:160 users/models/user.py:176 users/models/user.py:615
 #: users/serializers/group.py:20
 #: users/templates/users/user_asset_permission.html:38
 #: users/templates/users/user_asset_permission.html:64
@@ -584,7 +586,7 @@ msgstr "键"
 #: users/templates/users/user_asset_permission.html:41
 #: users/templates/users/user_asset_permission.html:73
 #: users/templates/users/user_asset_permission.html:158
-#: xpack/plugins/cloud/models.py:129
+#: xpack/plugins/cloud/models.py:129 xpack/plugins/cloud/serializers.py:84
 msgid "Node"
 msgstr "节点"
 
@@ -601,12 +603,12 @@ msgid "Username same with user"
 msgstr "用户名与用户相同"
 
 #: assets/models/user.py:110 templates/_nav.html:39
-#: xpack/plugins/change_auth_plan/models.py:51
+#: xpack/plugins/change_auth_plan/models.py:52
 msgid "Assets"
 msgstr "资产管理"
 
 #: assets/models/user.py:111 templates/_nav.html:17
-#: users/views/profile/password.py:40 users/views/profile/pubkey.py:36
+#: users/views/profile/password.py:42 users/views/profile/pubkey.py:36
 msgid "Users"
 msgstr "用户管理"
 
@@ -640,7 +642,8 @@ msgstr "SFTP根路径"
 #: perms/models/asset_permission.py:82
 #: perms/models/database_app_permission.py:22
 #: perms/models/remote_app_permission.py:16 templates/_nav.html:45
-#: terminal/backends/command/models.py:20 terminal/models.py:189
+#: terminal/backends/command/models.py:20
+#: terminal/backends/command/serializers.py:14 terminal/models.py:189
 #: users/templates/users/_granted_assets.html:27
 #: users/templates/users/user_asset_permission.html:42
 #: users/templates/users/user_asset_permission.html:76
@@ -685,7 +688,7 @@ msgstr "硬件信息"
 msgid "Org name"
 msgstr "组织名称"
 
-#: assets/serializers/asset.py:144 assets/serializers/asset.py:181
+#: assets/serializers/asset.py:144 assets/serializers/asset.py:175
 msgid "Connectivity"
 msgstr "连接"
 
@@ -699,14 +702,14 @@ msgid "Backend"
 msgstr "后端"
 
 #: assets/serializers/asset_user.py:75 users/forms/profile.py:148
-#: users/models/user.py:496 users/templates/users/user_password_update.html:48
+#: users/models/user.py:497 users/templates/users/user_password_update.html:48
 #: users/templates/users/user_profile.html:69
 #: users/templates/users/user_profile_update.html:46
 #: users/templates/users/user_pubkey_update.html:46
 msgid "Public key"
 msgstr "SSH公钥"
 
-#: assets/serializers/asset_user.py:79 users/models/user.py:493
+#: assets/serializers/asset_user.py:79 users/models/user.py:494
 msgid "Private key"
 msgstr "ssh私钥"
 
@@ -874,8 +877,8 @@ msgid "Success"
 msgstr "成功"
 
 #: audits/models.py:25 ops/models/command.py:28 perms/models/base.py:52
-#: terminal/models.py:199 xpack/plugins/change_auth_plan/models.py:176
-#: xpack/plugins/change_auth_plan/models.py:307
+#: terminal/models.py:199 xpack/plugins/change_auth_plan/models.py:177
+#: xpack/plugins/change_auth_plan/models.py:308
 #: xpack/plugins/gathered_user/models.py:76
 msgid "Date start"
 msgstr "开始日期"
@@ -943,7 +946,7 @@ msgstr "启用"
 msgid "-"
 msgstr ""
 
-#: audits/models.py:78 xpack/plugins/cloud/models.py:204
+#: audits/models.py:78 xpack/plugins/cloud/models.py:201
 msgid "Failed"
 msgstr "失败"
 
@@ -966,19 +969,19 @@ msgstr "Agent"
 #: audits/models.py:86
 #: authentication/templates/authentication/_mfa_confirm_modal.html:14
 #: authentication/templates/authentication/login_otp.html:6
-#: users/forms/profile.py:52 users/models/user.py:488
+#: users/forms/profile.py:52 users/models/user.py:489
 #: users/serializers/user.py:216 users/templates/users/user_detail.html:77
 #: users/templates/users/user_profile.html:87
 msgid "MFA"
 msgstr "多因子认证"
 
-#: audits/models.py:87 xpack/plugins/change_auth_plan/models.py:303
-#: xpack/plugins/cloud/models.py:217
+#: audits/models.py:87 xpack/plugins/change_auth_plan/models.py:304
+#: xpack/plugins/cloud/models.py:214
 msgid "Reason"
 msgstr "原因"
 
 #: audits/models.py:88 tickets/serializers/ticket.py:25
-#: xpack/plugins/cloud/models.py:214 xpack/plugins/cloud/models.py:272
+#: xpack/plugins/cloud/models.py:211 xpack/plugins/cloud/models.py:269
 msgid "Status"
 msgstr "状态"
 
@@ -991,7 +994,7 @@ msgid "Is success"
 msgstr "是否成功"
 
 #: audits/serializers.py:72 ops/models/command.py:24
-#: xpack/plugins/cloud/models.py:212
+#: xpack/plugins/cloud/models.py:209
 msgid "Result"
 msgstr "结果"
 
@@ -1106,8 +1109,8 @@ msgid ""
 "after {} minutes)"
 msgstr "账号已被锁定（请联系管理员解锁 或 {}分钟后重试）"
 
-#: authentication/errors.py:48 users/views/profile/otp.py:63
-#: users/views/profile/otp.py:102 users/views/profile/otp.py:121
+#: authentication/errors.py:48 users/views/profile/otp.py:107
+#: users/views/profile/otp.py:146 users/views/profile/otp.py:166
 msgid "MFA code invalid, or ntp sync server time"
 msgstr "MFA验证码不正确，或者服务器端时间不对"
 
@@ -1186,7 +1189,7 @@ msgid "Show"
 msgstr "显示"
 
 #: authentication/templates/authentication/_access_key_modal.html:66
-#: users/models/user.py:386 users/serializers/user.py:213
+#: users/models/user.py:387 users/serializers/user.py:213
 #: users/templates/users/user_profile.html:94
 #: users/templates/users/user_profile.html:163
 #: users/templates/users/user_profile.html:166
@@ -1195,7 +1198,7 @@ msgid "Disable"
 msgstr "禁用"
 
 #: authentication/templates/authentication/_access_key_modal.html:67
-#: users/models/user.py:387 users/serializers/user.py:214
+#: users/models/user.py:388 users/serializers/user.py:214
 #: users/templates/users/user_profile.html:92
 #: users/templates/users/user_profile.html:170
 msgid "Enable"
@@ -1397,10 +1400,6 @@ msgstr "字段必须唯一"
 msgid "<h1>Flow service unavailable, check it</h1>"
 msgstr ""
 
-#: jumpserver/views/index.py:26 templates/_nav.html:7
-msgid "Dashboard"
-msgstr "仪表盘"
-
 #: jumpserver/views/other.py:26
 msgid ""
 "<div>Luna is a separately deployed program, you need to deploy Luna, koko, "
@@ -1520,8 +1519,8 @@ msgstr "开始时间"
 msgid "End time"
 msgstr "完成时间"
 
-#: ops/models/adhoc.py:242 xpack/plugins/change_auth_plan/models.py:179
-#: xpack/plugins/change_auth_plan/models.py:310
+#: ops/models/adhoc.py:242 xpack/plugins/change_auth_plan/models.py:180
+#: xpack/plugins/change_auth_plan/models.py:311
 #: xpack/plugins/gathered_user/models.py:79
 msgid "Time"
 msgstr "时间"
@@ -1604,7 +1603,7 @@ msgstr "提示：RDP 协议不支持单独控制上传或下载文件"
 #: perms/forms/asset_permission.py:86 perms/forms/database_app_permission.py:41
 #: perms/forms/remote_app_permission.py:43 perms/models/base.py:50
 #: templates/_nav.html:21 users/forms/user.py:168 users/models/group.py:31
-#: users/models/user.py:472 users/templates/users/_select_user_modal.html:16
+#: users/models/user.py:473 users/templates/users/_select_user_modal.html:16
 #: users/templates/users/user_asset_permission.html:39
 #: users/templates/users/user_asset_permission.html:67
 #: users/templates/users/user_database_app_permission.html:38
@@ -1657,7 +1656,7 @@ msgstr "动作"
 msgid "Asset permission"
 msgstr "资产授权"
 
-#: perms/models/base.py:53 users/models/user.py:504
+#: perms/models/base.py:53 users/models/user.py:505
 #: users/templates/users/user_detail.html:93
 #: users/templates/users/user_profile.html:120
 msgid "Date expired"
@@ -1976,6 +1975,10 @@ msgstr ""
 "\"%(user_pubkey_update)s\"> 链接 </a> 更新\n"
 "        "
 
+#: templates/_nav.html:7
+msgid "Dashboard"
+msgstr "仪表盘"
+
 #: templates/_nav.html:20
 msgid "User list"
 msgstr "用户列表"
@@ -2320,14 +2323,17 @@ msgid "Input"
 msgstr "输入"
 
 #: terminal/backends/command/models.py:22
+#: terminal/backends/command/serializers.py:16
 msgid "Output"
 msgstr "输出"
 
 #: terminal/backends/command/models.py:23
+#: terminal/backends/command/serializers.py:17
 msgid "Session"
 msgstr "会话"
 
 #: terminal/backends/command/models.py:24
+#: terminal/backends/command/serializers.py:18
 msgid "Risk level"
 msgstr "风险等级"
 
@@ -2553,7 +2559,7 @@ msgstr "确认密码"
 msgid "Password does not match"
 msgstr "密码不一致"
 
-#: users/forms/profile.py:89 users/models/user.py:468
+#: users/forms/profile.py:89 users/models/user.py:469
 #: users/templates/users/user_detail.html:57
 #: users/templates/users/user_profile.html:59
 msgid "Email"
@@ -2594,7 +2600,7 @@ msgstr "不能和原来的密钥相同"
 msgid "Not a valid ssh public key"
 msgstr "SSH密钥不合法"
 
-#: users/forms/user.py:27 users/models/user.py:476
+#: users/forms/user.py:27 users/models/user.py:477
 #: users/templates/users/_select_user_modal.html:15
 #: users/templates/users/user_detail.html:73
 #: users/templates/users/user_list.html:16
@@ -2602,7 +2608,7 @@ msgstr "SSH密钥不合法"
 msgid "Role"
 msgstr "角色"
 
-#: users/forms/user.py:31 users/models/user.py:511
+#: users/forms/user.py:31 users/models/user.py:512
 #: users/templates/users/user_detail.html:89
 #: users/templates/users/user_list.html:18
 #: users/templates/users/user_profile.html:102
@@ -2617,7 +2623,7 @@ msgstr "复制用户公钥到这里"
 msgid "Join user groups"
 msgstr "添加到用户组"
 
-#: users/forms/user.py:103 users/views/profile/password.py:57
+#: users/forms/user.py:103 users/views/profile/password.py:59
 #: users/views/profile/reset.py:123
 msgid "* Your password does not meet the requirements"
 msgstr "* 您的密码不符合要求"
@@ -2631,52 +2637,52 @@ msgid "Set password"
 msgstr "设置密码"
 
 #: users/forms/user.py:132 users/serializers/user.py:38
-#: xpack/plugins/change_auth_plan/models.py:60
+#: xpack/plugins/change_auth_plan/models.py:61
 #: xpack/plugins/change_auth_plan/serializers.py:30
 msgid "Password strategy"
 msgstr "密码策略"
 
-#: users/models/user.py:158 users/models/user.py:622
+#: users/models/user.py:159 users/models/user.py:623
 msgid "Administrator"
 msgstr "管理员"
 
-#: users/models/user.py:160
+#: users/models/user.py:161
 msgid "Application"
 msgstr "应用程序"
 
-#: users/models/user.py:161
+#: users/models/user.py:162
 msgid "Auditor"
 msgstr "审计员"
 
-#: users/models/user.py:171
+#: users/models/user.py:172
 msgid "Org admin"
 msgstr "组织管理员"
 
-#: users/models/user.py:173
+#: users/models/user.py:174
 msgid "Org auditor"
 msgstr "组织审计员"
 
-#: users/models/user.py:388 users/templates/users/user_profile.html:90
+#: users/models/user.py:389 users/templates/users/user_profile.html:90
 msgid "Force enable"
 msgstr "强制启用"
 
-#: users/models/user.py:455
+#: users/models/user.py:456
 msgid "Local"
 msgstr "数据库"
 
-#: users/models/user.py:479
+#: users/models/user.py:480
 msgid "Avatar"
 msgstr "头像"
 
-#: users/models/user.py:482 users/templates/users/user_detail.html:68
+#: users/models/user.py:483 users/templates/users/user_detail.html:68
 msgid "Wechat"
 msgstr "微信"
 
-#: users/models/user.py:515
+#: users/models/user.py:516
 msgid "Date password last updated"
 msgstr "最后更新密码日期"
 
-#: users/models/user.py:625
+#: users/models/user.py:626
 msgid "Administrator is the super user of system"
 msgstr "Administrator是初始的超级管理员"
 
@@ -2738,7 +2744,7 @@ msgstr "安全令牌验证"
 
 #: users/templates/users/_base_otp.html:14 users/templates/users/_user.html:13
 #: users/templates/users/user_profile_update.html:55
-#: xpack/plugins/cloud/models.py:119
+#: xpack/plugins/cloud/models.py:119 xpack/plugins/cloud/serializers.py:82
 msgid "Account"
 msgstr "账户"
 
@@ -2902,7 +2908,7 @@ msgstr "很强"
 #: users/templates/users/user_database_app_permission.html:41
 #: users/templates/users/user_list.html:19
 #: users/templates/users/user_remote_app_permission.html:41
-#: xpack/plugins/cloud/models.py:50 xpack/plugins/cloud/serializers.py:32
+#: xpack/plugins/cloud/models.py:50
 msgid "Validity"
 msgstr "有效"
 
@@ -3453,27 +3459,27 @@ msgstr ""
 "    <br>\n"
 "    "
 
-#: users/views/profile/otp.py:145
+#: users/views/profile/otp.py:190
 msgid "MFA enable success"
 msgstr "多因子认证启用成功"
 
-#: users/views/profile/otp.py:146
+#: users/views/profile/otp.py:191
 msgid "MFA enable success, return login page"
 msgstr "多因子认证启用成功，返回到登录页面"
 
-#: users/views/profile/otp.py:148
+#: users/views/profile/otp.py:193
 msgid "MFA disable success"
 msgstr "多因子认证禁用成功"
 
-#: users/views/profile/otp.py:149
+#: users/views/profile/otp.py:194
 msgid "MFA disable success, return login page"
 msgstr "多因子认证禁用成功，返回登录页面"
 
-#: users/views/profile/password.py:41
+#: users/views/profile/password.py:43
 msgid "Password update"
 msgstr "密码更新"
 
-#: users/views/profile/password.py:72
+#: users/views/profile/password.py:74
 msgid "Password invalid"
 msgstr "用户名或密码无效"
 
@@ -3507,65 +3513,65 @@ msgid "Token invalid or expired"
 msgstr "Token错误或失效"
 
 #: xpack/plugins/change_auth_plan/meta.py:9
-#: xpack/plugins/change_auth_plan/models.py:88
-#: xpack/plugins/change_auth_plan/models.py:183
+#: xpack/plugins/change_auth_plan/models.py:89
+#: xpack/plugins/change_auth_plan/models.py:184
 msgid "Change auth plan"
 msgstr "改密计划"
 
-#: xpack/plugins/change_auth_plan/models.py:40
+#: xpack/plugins/change_auth_plan/models.py:41
 msgid "Custom password"
 msgstr "自定义密码"
 
-#: xpack/plugins/change_auth_plan/models.py:41
+#: xpack/plugins/change_auth_plan/models.py:42
 msgid "All assets use the same random password"
 msgstr "所有资产使用相同的随机密码"
 
-#: xpack/plugins/change_auth_plan/models.py:42
+#: xpack/plugins/change_auth_plan/models.py:43
 msgid "All assets use different random password"
 msgstr "所有资产使用不同的随机密码"
 
-#: xpack/plugins/change_auth_plan/models.py:64
+#: xpack/plugins/change_auth_plan/models.py:65
 msgid "Password rules"
 msgstr "密码规则"
 
-#: xpack/plugins/change_auth_plan/models.py:187
+#: xpack/plugins/change_auth_plan/models.py:188
 msgid "Change auth plan snapshot"
 msgstr "改密计划快照"
 
-#: xpack/plugins/change_auth_plan/models.py:202
-#: xpack/plugins/change_auth_plan/models.py:296
+#: xpack/plugins/change_auth_plan/models.py:203
+#: xpack/plugins/change_auth_plan/models.py:297
 msgid "Change auth plan execution"
 msgstr "改密计划执行"
 
-#: xpack/plugins/change_auth_plan/models.py:269
+#: xpack/plugins/change_auth_plan/models.py:270
 msgid "Ready"
 msgstr ""
 
-#: xpack/plugins/change_auth_plan/models.py:270
+#: xpack/plugins/change_auth_plan/models.py:271
 msgid "Preflight check"
 msgstr ""
 
-#: xpack/plugins/change_auth_plan/models.py:271
+#: xpack/plugins/change_auth_plan/models.py:272
 msgid "Change auth"
 msgstr ""
 
-#: xpack/plugins/change_auth_plan/models.py:272
+#: xpack/plugins/change_auth_plan/models.py:273
 msgid "Verify auth"
 msgstr ""
 
-#: xpack/plugins/change_auth_plan/models.py:273
+#: xpack/plugins/change_auth_plan/models.py:274
 msgid "Keep auth"
 msgstr ""
 
-#: xpack/plugins/change_auth_plan/models.py:274
+#: xpack/plugins/change_auth_plan/models.py:275
 msgid "Finished"
 msgstr "结束"
 
-#: xpack/plugins/change_auth_plan/models.py:300
+#: xpack/plugins/change_auth_plan/models.py:301
 msgid "Step"
 msgstr "步骤"
 
-#: xpack/plugins/change_auth_plan/models.py:317
+#: xpack/plugins/change_auth_plan/models.py:318
 msgid "Change auth plan task"
 msgstr "改密计划任务"
 
@@ -3609,7 +3615,7 @@ msgstr "有效"
 msgid "Unavailable"
 msgstr "无效"
 
-#: xpack/plugins/cloud/models.py:39 xpack/plugins/cloud/serializers.py:31
+#: xpack/plugins/cloud/models.py:39
 msgid "Provider"
 msgstr "云服务商"
 
@@ -3625,7 +3631,7 @@ msgstr ""
 msgid "Cloud account"
 msgstr "云账号"
 
-#: xpack/plugins/cloud/models.py:122 xpack/plugins/cloud/serializers.py:55
+#: xpack/plugins/cloud/models.py:122 xpack/plugins/cloud/serializers.py:59
 msgid "Regions"
 msgstr "地域"
 
@@ -3633,59 +3639,59 @@ msgstr "地域"
 msgid "Instances"
 msgstr "实例"
 
-#: xpack/plugins/cloud/models.py:136 xpack/plugins/cloud/serializers.py:77
-msgid "Covered always"
-msgstr "总是被覆盖"
+#: xpack/plugins/cloud/models.py:137 xpack/plugins/cloud/serializers.py:86
+msgid "Always update"
+msgstr "总是更新"
 
-#: xpack/plugins/cloud/models.py:142
+#: xpack/plugins/cloud/models.py:143
 msgid "Date last sync"
 msgstr "最后同步日期"
 
-#: xpack/plugins/cloud/models.py:153 xpack/plugins/cloud/models.py:210
+#: xpack/plugins/cloud/models.py:154 xpack/plugins/cloud/models.py:207
 msgid "Sync instance task"
 msgstr "同步实例任务"
 
-#: xpack/plugins/cloud/models.py:205
+#: xpack/plugins/cloud/models.py:202
 msgid "Succeed"
 msgstr "成功"
 
-#: xpack/plugins/cloud/models.py:220 xpack/plugins/cloud/models.py:275
+#: xpack/plugins/cloud/models.py:217 xpack/plugins/cloud/models.py:272
 msgid "Date sync"
 msgstr "同步日期"
 
-#: xpack/plugins/cloud/models.py:248
+#: xpack/plugins/cloud/models.py:245
 msgid "Unsync"
 msgstr "未同步"
 
-#: xpack/plugins/cloud/models.py:249 xpack/plugins/cloud/models.py:250
+#: xpack/plugins/cloud/models.py:246 xpack/plugins/cloud/models.py:247
 msgid "Synced"
 msgstr "已同步"
 
-#: xpack/plugins/cloud/models.py:251
+#: xpack/plugins/cloud/models.py:248
 msgid "Released"
 msgstr "已释放"
 
-#: xpack/plugins/cloud/models.py:256
+#: xpack/plugins/cloud/models.py:253
 msgid "Sync task"
 msgstr "同步任务"
 
-#: xpack/plugins/cloud/models.py:260
+#: xpack/plugins/cloud/models.py:257
 msgid "Sync instance task history"
 msgstr "同步实例任务历史"
 
-#: xpack/plugins/cloud/models.py:263
+#: xpack/plugins/cloud/models.py:260
 msgid "Instance"
 msgstr "实例"
 
-#: xpack/plugins/cloud/models.py:266
+#: xpack/plugins/cloud/models.py:263
 msgid "Region"
 msgstr "地域"
 
-#: xpack/plugins/cloud/providers/aliyun.py:19
+#: xpack/plugins/cloud/providers/aliyun.py:22
 msgid "Alibaba Cloud"
 msgstr "阿里云"
 
-#: xpack/plugins/cloud/providers/aws.py:15
+#: xpack/plugins/cloud/providers/aws.py:18
 msgid "AWS (International)"
 msgstr "AWS (国际)"
 
@@ -3693,79 +3699,75 @@ msgstr "AWS (国际)"
 msgid "AWS (China)"
 msgstr "AWS (中国)"
 
-#: xpack/plugins/cloud/providers/huaweicloud.py:17
+#: xpack/plugins/cloud/providers/huaweicloud.py:20
 msgid "Huawei Cloud"
 msgstr "华为云"
 
-#: xpack/plugins/cloud/providers/huaweicloud.py:20
+#: xpack/plugins/cloud/providers/huaweicloud.py:23
 msgid "AF-Johannesburg"
 msgstr "非洲-约翰内斯堡"
 
-#: xpack/plugins/cloud/providers/huaweicloud.py:21
+#: xpack/plugins/cloud/providers/huaweicloud.py:24
 msgid "AP-Bangkok"
 msgstr "亚太-曼谷"
 
-#: xpack/plugins/cloud/providers/huaweicloud.py:22
+#: xpack/plugins/cloud/providers/huaweicloud.py:25
 msgid "AP-Hong Kong"
 msgstr "亚太-香港"
 
-#: xpack/plugins/cloud/providers/huaweicloud.py:23
+#: xpack/plugins/cloud/providers/huaweicloud.py:26
 msgid "AP-Singapore"
 msgstr "亚太-新加坡"
 
-#: xpack/plugins/cloud/providers/huaweicloud.py:24
+#: xpack/plugins/cloud/providers/huaweicloud.py:27
 msgid "CN East-Shanghai1"
 msgstr "华东-上海1"
 
-#: xpack/plugins/cloud/providers/huaweicloud.py:25
+#: xpack/plugins/cloud/providers/huaweicloud.py:28
 msgid "CN East-Shanghai2"
 msgstr "华东-上海2"
 
-#: xpack/plugins/cloud/providers/huaweicloud.py:26
+#: xpack/plugins/cloud/providers/huaweicloud.py:29
 msgid "CN North-Beijing1"
 msgstr "华北-北京1"
 
-#: xpack/plugins/cloud/providers/huaweicloud.py:27
+#: xpack/plugins/cloud/providers/huaweicloud.py:30
 msgid "CN North-Beijing4"
 msgstr "华北-北京4"
 
-#: xpack/plugins/cloud/providers/huaweicloud.py:28
+#: xpack/plugins/cloud/providers/huaweicloud.py:31
 msgid "CN Northeast-Dalian"
 msgstr "华北-大连"
 
-#: xpack/plugins/cloud/providers/huaweicloud.py:29
+#: xpack/plugins/cloud/providers/huaweicloud.py:32
 msgid "CN South-Guangzhou"
 msgstr "华南-广州"
 
-#: xpack/plugins/cloud/providers/huaweicloud.py:30
+#: xpack/plugins/cloud/providers/huaweicloud.py:33
 msgid "CN Southwest-Guiyang1"
 msgstr "西南-贵阳1"
 
-#: xpack/plugins/cloud/providers/huaweicloud.py:31
+#: xpack/plugins/cloud/providers/huaweicloud.py:34
 msgid "EU-Paris"
 msgstr "欧洲-巴黎"
 
-#: xpack/plugins/cloud/providers/huaweicloud.py:32
+#: xpack/plugins/cloud/providers/huaweicloud.py:35
 msgid "LA-Santiago"
 msgstr "拉美-圣地亚哥"
 
-#: xpack/plugins/cloud/providers/qcloud.py:17
+#: xpack/plugins/cloud/providers/qcloud.py:20
 msgid "Tencent Cloud"
 msgstr "腾讯云"
 
-#: xpack/plugins/cloud/serializers.py:53
+#: xpack/plugins/cloud/serializers.py:57
 msgid "History count"
-msgstr "用户数量"
+msgstr "执行次数"
 
-#: xpack/plugins/cloud/serializers.py:54
+#: xpack/plugins/cloud/serializers.py:58
 msgid "Instance count"
 msgstr "实例个数"
 
-#: xpack/plugins/cloud/serializers.py:75
-msgid "Account name"
-msgstr "账户名称"
-
-#: xpack/plugins/cloud/serializers.py:76
+#: xpack/plugins/cloud/serializers.py:85
 #: xpack/plugins/gathered_user/serializers.py:20
 msgid "Periodic display"
 msgstr "定时执行"
@@ -3854,6 +3856,30 @@ msgstr "企业版"
 msgid "Ultimate edition"
 msgstr "旗舰版"
 
+#~ msgid "Upload"
+#~ msgstr "上传文件"
+
+#~ msgid "Download"
+#~ msgstr "下载文件"
+
+#~ msgid "Rmdir"
+#~ msgstr "删除目录"
+
+#~ msgid "Rename"
+#~ msgstr "重命名"
+
+#~ msgid "Mkdir"
+#~ msgstr "创建目录"
+
+#~ msgid "Symlink"
+#~ msgstr "建立软链接"
+
+#~ msgid "Covered always"
+#~ msgstr "总是被覆盖"
+
+#~ msgid "Account name"
+#~ msgstr "账户名称"
+
 #~ msgid "Target URL"
 #~ msgstr "目标URL"
 
@@ -5020,9 +5046,6 @@ msgstr "旗舰版"
 #~ msgid "Download replay"
 #~ msgstr "下载录像"
 
-#~ msgid "Download"
-#~ msgstr "下载"
-
 #~ msgid "Monitor session"
 #~ msgstr "监控"
 
@@ -5032,9 +5055,6 @@ msgstr "旗舰版"
 #~ msgid "Terminate success"
 #~ msgstr "终断成功"
 
-#~ msgid "Duration"
-#~ msgstr "时长"
-
 #~ msgid "Terminate selected"
 #~ msgstr "终断所选"
 
@@ -5809,9 +5829,6 @@ msgstr "旗舰版"
 #~ msgid "Gather user plan"
 #~ msgstr "收集用户计划"
 
-#~ msgid "Task update"
-#~ msgstr "更新"
-
 #~ msgid "Task create"
 #~ msgstr "创建"
 

apps/perms/api/mixin.py

@@ -21,7 +21,7 @@ class UserPermissionMixin:
     obj = None
 
     def initial(self, *args, **kwargs):
-        super().initial(*args, *kwargs)
+        super().initial(*args, **kwargs)
         self.obj = self.get_obj()
 
     def get_obj(self):

apps/terminal/api/command.py

@@ -55,21 +55,17 @@ class CommandQueryMixin:
         q = self.request.query_params
         multi_command_storage = get_multi_command_storage()
         queryset = multi_command_storage.filter(
-            date_from=date_from, date_to=date_to, input=q.get("input"),
-            user=q.get("user"), asset=q.get("asset"),
-            system_user=q.get("system_user"),
+            date_from=date_from, date_to=date_to,
+            user=q.get("user"), asset=q.get("asset"), system_user=q.get("system_user"),
+            input=q.get("input"), session=q.get("session_id"),
             risk_level=self.get_query_risk_level(), org_id=self.get_org_id(),
         )
         return queryset
 
     def filter_queryset(self, queryset):
+        # 解决es存储命令时，父类根据filter_fields过滤出现异常的问题，返回的queryset类型list
         return queryset
 
-    def get_filter_fields(self, request):
-        fields = self.filter_fields
-        fields.extend(["date_from", "date_to"])
-        return fields
-
     def get_date_range(self):
         now = timezone.now()
         days_ago = now - timezone.timedelta(days=self.default_days_ago)

apps/terminal/backends/command/base.py

@@ -16,7 +16,7 @@ class CommandBase(object):
     @abc.abstractmethod
     def filter(self, date_from=None, date_to=None,
                user=None, asset=None, system_user=None,
-               input=None, session=None):
+               input=None, session=None, risk_level=None, org_id=None):
         pass
 
     @abc.abstractmethod

apps/users/utils.py

@@ -5,8 +5,8 @@ import re
 import pyotp
 import base64
 import logging
+import time
 
-from django.http import Http404
 from django.conf import settings
 from django.utils.translation import ugettext as _
 from django.core.cache import cache
@@ -333,3 +333,15 @@ def get_source_choices():
     if settings.AUTH_CAS:
         choices.append((User.SOURCE_CAS, choices_all[User.SOURCE_CAS]))
     return choices
+
+
+def is_auth_time_valid(session, key):
+    return True if session.get(key, 0) > time.time() else False
+
+
+def is_auth_password_time_valid(session):
+    return is_auth_time_valid(session, 'auth_password_expired_at')
+
+
+def is_auth_otp_time_valid(session):
+    return is_auth_time_valid(session, 'auth_opt_expired_at')

apps/users/views/profile/otp.py

@@ -1,4 +1,5 @@
 # ~*~ coding: utf-8 ~*~
+import time
 
 from django.urls import reverse_lazy, reverse
 from django.utils.translation import ugettext as _
@@ -6,13 +7,17 @@ from django.views.generic.base import TemplateView
 from django.views.generic.edit import FormView
 from django.contrib.auth import logout as auth_logout
 from django.conf import settings
+from django.http.response import HttpResponseForbidden
 
-from common.utils import get_logger
+from authentication.mixins import AuthMixin
+from users.models import User
+from common.utils import get_logger, get_object_or_none
 from common.permissions import IsValidUser
 from ... import forms
 from .password import UserVerifyPasswordView
 from ...utils import (
     generate_otp_uri, check_otp_code, get_user_or_pre_auth_user,
+    is_auth_password_time_valid, is_auth_otp_time_valid
 )
 
 __all__ = [
@@ -46,11 +51,50 @@ class UserOtpEnableInstallAppView(TemplateView):
         return super().get_context_data(**kwargs)
 
 
-class UserOtpEnableBindView(TemplateView, FormView):
+class UserOtpEnableBindView(AuthMixin, TemplateView, FormView):
     template_name = 'users/user_otp_enable_bind.html'
     form_class = forms.UserCheckOtpCodeForm
     success_url = reverse_lazy('authentication:user-otp-settings-success')
 
+    def get(self, request, *args, **kwargs):
+        if self._check_can_bind():
+            return super().get(request, *args, **kwargs)
+        return HttpResponseForbidden()
+
+    def post(self, request, *args, **kwargs):
+        if self._check_can_bind():
+            return super().post(request, *args, **kwargs)
+        return HttpResponseForbidden()
+
+    def _check_authenticated_user_can_bind(self):
+        user = self.request.user
+        session = self.request.session
+
+        if not user.mfa_enabled:
+            return is_auth_password_time_valid(session)
+
+        if not user.otp_secret_key:
+            return is_auth_password_time_valid(session)
+
+        return is_auth_otp_time_valid(session)
+
+    def _check_unauthenticated_user_can_bind(self):
+        session_user = None
+        if not self.request.session.is_empty():
+            user_id = self.request.session.get('user_id')
+            session_user = get_object_or_none(User, pk=user_id)
+
+        if session_user:
+            if all((is_auth_password_time_valid(self.request.session), session_user.mfa_enabled, not session_user.otp_secret_key)):
+                return True
+        return False
+
+    def _check_can_bind(self):
+        if self.request.user.is_authenticated:
+            return self._check_authenticated_user_can_bind()
+        else:
+            return self._check_unauthenticated_user_can_bind()
+
     def form_valid(self, form):
         otp_code = form.cleaned_data.get('otp_code')
         otp_secret_key = self.request.session.get('otp_secret_key', '')
@@ -116,6 +160,7 @@ class UserOtpUpdateView(FormView):
 
         valid = user.check_mfa(otp_code)
         if valid:
+            self.request.session['auth_opt_expired_at'] = time.time() + settings.AUTH_EXPIRED_SECONDS
             return super().form_valid(form)
         else:
             error = _('MFA code invalid, or ntp sync server time')

apps/users/views/profile/password.py

@@ -1,8 +1,10 @@
 # ~*~ coding: utf-8 ~*~
+import time
 
+from django.conf import settings
 from django.contrib.auth import authenticate
 from django.shortcuts import redirect
-from django.urls import reverse_lazy, reverse
+from django.urls import reverse_lazy
 from django.utils.translation import ugettext as _
 from django.views.generic.edit import UpdateView, FormView
 from django.contrib.auth import logout as auth_logout
@@ -76,6 +78,7 @@ class UserVerifyPasswordView(FormView):
             user.save()
         self.request.session['user_id'] = str(user.id)
         self.request.session['auth_password'] = 1
+        self.request.session['auth_password_expired_at'] = time.time() + settings.AUTH_EXPIRED_SECONDS
         return redirect(self.get_success_url())
 
     def get_success_url(self):

build.sh

@@ -1,11 +0,0 @@
-#!/bin/bash
-#
-
-version=$1
-if [ -z "$version" ];then
-    echo "Usage: sh build version"
-    exit
-fi
-
-
-docker build -t jumpserver/jumpserver:$version .

requirements/requirements.txt

@@ -61,7 +61,7 @@ pytz==2018.3
 PyYAML==5.1
 redis==3.2.0
 requests==2.22.0
-jms-storage==0.0.29
+jms-storage==0.0.31
 s3transfer==0.3.3
 simplejson==3.13.2
 six==1.11.0

utils/build.sh

@@ -0,0 +1,32 @@
+#!/bin/bash
+#
+# 该build基于registry.fit2cloud.com/public/python:3
+utils_dir=$(pwd)
+project_dir=$(dirname "$utils_dir")
+release_dir=${project_dir}/release
+
+# 打包
+cd "${project_dir}" || exit 3
+rm -rf "${release_dir:?}"/*
+to_dir="${release_dir}/jumpserver"
+mkdir -p "${to_dir}"
+
+if [[ -d '.git' ]];then
+  command -v git || yum -y install git
+  git archive --format tar HEAD | tar x -C "${to_dir}"
+else
+  cp -R . /tmp/jumpserver
+  mv /tmp/jumpserver/* "${to_dir}"
+fi
+
+if [[ $(uname) == 'Darwin' ]];then
+  alias sedi="sed -i ''"
+else
+  alias sedi='sed -i'
+fi
+
+# 修改版本号文件
+if [[ -n ${VERSION} ]]; then
+  sedi "s@VERSION = .*@VERSION = \"${VERSION}\"@g" "${to_dir}/apps/jumpserver/const.py"
+fi
+

utils/build_docker.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+#
+utils_dir=$(dirname "$0")
+project_dir=$(dirname "${utils_dir}")
+
+version=$1
+if [ -z "$version" ]; then
+  echo "Usage: sh build version"
+  exit
+fi
+
+cd "${project_dir}" && docker build -t "jumpserver/jumpserver:${version}" .

utils/example_api.py

@@ -0,0 +1,26 @@
+#!/usr/bin/env python
+import requests
+
+# 私有token页面上目前不允许创建，只能后台生成，见 https://docs.jumpserver.org/zh/master/dev/rest_api/
+private_token = '10659d70a223235b8f76d45a3023eca1147488d7'
+
+
+def do_request(url, data=None, method='get', params=None, org_id=''):
+    authorization = 'Token {}'.format(private_token)
+    headers = {'Authorization': authorization, 'Content-Type': 'application/json'}
+    if org_id:
+        headers['X-JMS-ORG'] = org_id
+    resp = requests.request(method=method, url=url, data=data, params=params, headers=headers)
+    return resp
+
+
+def get_assets_list():
+    url = 'http://localhost:8080/api/v1/assets/assets/?limit=10'
+    resp = do_request(url)
+    print(resp.status_code)
+    print(resp.json())
+    print(resp)
+
+
+if __name__ == '__main__':
+    get_assets_list()