perf: get request ip, only using x-forwarded-for

* fix: 增加 pip 参数 --use-deprecated=legacy-resolver

* fix: 升级依赖 pymssql==2.2.7 oracledb==1.2.2

* fix: 升级依赖 git+https://github.com/marcwimmer/pymssql@fix_cython_compiler_version

* fix: 锁定依赖 Cython==0.29.22

* fix: 锁定依赖 Cython==0.29.35 --no-build-isolation pymssql==2.1.5

* fix: 锁定依赖 Cython==0.29.35 --no-build-isolation pymssql==2.1.5

* fix: 锁定依赖

* fix: 锁定依赖

* fix: 锁定依赖

* fix: 锁定依赖

* fix: 锁定依赖

---------

Co-authored-by: Bai <baijiangjie@gmail.com>

.github/workflows/release-drafter.yml

@@ -21,7 +21,7 @@ jobs:
           TAG=$(basename ${GITHUB_REF})
           VERSION=${TAG/v/}
           wget https://raw.githubusercontent.com/jumpserver/installer/master/quick_start.sh
-          sed -i "s@Version=.*@Version=v${VERSION}@g" quick_start.sh
+          sed -i "s@VERSION=dev@VERSION=v${VERSION}@g" quick_start.sh
           echo "::set-output name=TAG::$TAG"
           echo "::set-output name=VERSION::$VERSION"
       - name: Create Release

Dockerfile

@@ -1,4 +1,4 @@
-FROM python:3.8-slim as stage-build
+FROM python:3.8-slim-bullseye as stage-build
 ARG TARGETARCH
 
 ARG VERSION
@@ -8,7 +8,7 @@ WORKDIR /opt/jumpserver
 ADD . .
 RUN cd utils && bash -ixeu build.sh
 
-FROM python:3.8-slim
+FROM python:3.8-slim-bullseye
 ARG TARGETARCH
 MAINTAINER JumpServer Team <ibuler@qq.com>
 
@@ -38,6 +38,7 @@ ARG TOOLS="                           \
         default-mysql-client          \
         iputils-ping                  \
         locales                       \
+        patch                         \
         procps                        \
         redis-tools                   \
         telnet                        \
@@ -87,8 +88,10 @@ RUN --mount=type=cache,target=/root/.cache/pip \
     && pip config set global.index-url ${PIP_MIRROR} \
     && pip install --upgrade pip \
     && pip install --upgrade setuptools wheel \
+    && pip install Cython==0.29.35 \
+    && pip install --no-build-isolation pymssql \
     && pip install $(grep -E 'jms|jumpserver' requirements/requirements.txt) -i ${PIP_JMS_MIRROR} \
-    && pip install -r requirements/requirements.txt
+    && pip install -r requirements/requirements.txt --use-deprecated=legacy-resolver
 
 COPY --from=stage-build /opt/jumpserver/release/jumpserver /opt/jumpserver
 RUN echo > /opt/jumpserver/config.yml \

Dockerfile.loong64

@@ -38,8 +38,8 @@ ARG TOOLS="                           \
         default-mysql-client          \
         iputils-ping                  \
         locales                       \
-        netcat                        \
-        redis-server                  \
+        procps                        \
+        redis-tools                   \
         telnet                        \
         vim                           \
         unzip                         \

apps/acls/models/login_acl.py

@@ -1,7 +1,7 @@
 from django.db import models
 from django.utils.translation import ugettext_lazy as _
 from .base import BaseACL, BaseACLQuerySet
-from common.utils import get_request_ip, get_ip_city
+from common.utils import get_request_ip_or_data, get_ip_city
 from common.utils.ip import contains_ip
 from common.utils.time_period import contains_time_period
 from common.utils.timezone import local_now_display
@@ -73,7 +73,7 @@ class LoginACL(BaseACL):
         from tickets.models import ApplyLoginTicket
         from orgs.models import Organization
         title = _('Login confirm') + ' {}'.format(self.user)
-        login_ip = get_request_ip(request) if request else ''
+        login_ip = get_request_ip_or_data(request) if request else ''
         login_ip = login_ip or '0.0.0.0'
         login_city = get_ip_city(login_ip)
         login_datetime = local_now_display()

apps/acls/serializers/login_acl.py

@@ -1,4 +1,4 @@
-from django.utils.translation import ugettext as _
+from django.utils.translation import ugettext_lazy as _
 from rest_framework import serializers
 from common.drf.serializers import BulkModelSerializer
 from common.drf.serializers import MethodSerializer

apps/applications/utils/kubernetes_util.py

@@ -1,18 +1,14 @@
 # -*- coding: utf-8 -*-
-from urllib3.exceptions import MaxRetryError
 from urllib.parse import urlencode
 
+from kubernetes import client
 from kubernetes.client import api_client
 from kubernetes.client.api import core_v1_api
-from kubernetes import client
-from kubernetes.client.exceptions import ApiException
-
 from rest_framework.generics import get_object_or_404
 
-from common.utils import get_logger
-from common.tree import TreeNode
 from assets.models import SystemUser
-
+from common.tree import TreeNode
+from common.utils import get_logger
 from .. import const
 
 logger = get_logger(__file__)
@@ -23,7 +19,8 @@ class KubernetesClient:
         self.url = url
         self.token = token
 
-    def get_api(self):
+    @property
+    def api(self):
         configuration = client.Configuration()
         configuration.host = self.url
         configuration.verify_ssl = False
@@ -32,63 +29,46 @@ class KubernetesClient:
         api = core_v1_api.CoreV1Api(c)
         return api
 
-    def get_namespace_list(self):
-        api = self.get_api()
-        namespace_list = []
-        for ns in api.list_namespace().items:
-            namespace_list.append(ns.metadata.name)
-        return namespace_list
+    def get_namespaces(self):
+        namespaces = []
+        resp = self.api.list_namespace()
+        for ns in resp.items:
+            namespaces.append(ns.metadata.name)
+        return namespaces
 
-    def get_services(self):
-        api = self.get_api()
-        ret = api.list_service_for_all_namespaces(watch=False)
-        for i in ret.items:
-            print("%s \t%s \t%s \t%s \t%s \n" % (
-                i.kind, i.metadata.namespace, i.metadata.name, i.spec.cluster_ip, i.spec.ports))
+    def get_pods(self, namespace):
+        pods = []
+        resp = self.api.list_namespaced_pod(namespace)
+        for pd in resp.items:
+            pods.append(pd.metadata.name)
+        return pods
 
-    def get_pod_info(self, namespace, pod):
-        api = self.get_api()
-        resp = api.read_namespaced_pod(namespace=namespace, name=pod)
-        return resp
+    def get_containers(self, namespace, pod_name):
+        containers = []
+        resp = self.api.read_namespaced_pod(pod_name, namespace)
+        for container in resp.spec.containers:
+            containers.append(container.name)
+        return containers
 
-    def get_pod_logs(self, namespace, pod):
-        api = self.get_api()
-        log_content = api.read_namespaced_pod_log(pod, namespace, pretty=True, tail_lines=200)
-        return log_content
+    @classmethod
+    def run(cls, asset, secret, tp='namespace'):
+        k8s_url = f'{asset.address}'
+        k8s = cls(k8s_url, secret)
+        func_name = f'get_{tp}s'
+        if hasattr(k8s, func_name):
+            return getattr(k8s, func_name)()
+        return []
 
-    def get_pods(self):
-        api = self.get_api()
-        try:
-            ret = api.list_pod_for_all_namespaces(watch=False, _request_timeout=(3, 3))
-        except MaxRetryError:
-            logger.warning('Kubernetes connection timed out')
-            return
-        except ApiException as e:
-            if e.status == 401:
-                logger.warning('Kubernetes User not authenticated')
-            else:
-                logger.warning(e)
-            return
-        data = {}
-        for i in ret.items:
-            namespace = i.metadata.namespace
-            pod_info = {
-                'pod_name': i.metadata.name,
-                'containers': [j.name for j in i.spec.containers]
-            }
-            if namespace in data:
-                data[namespace].append(pod_info)
-            else:
-                data[namespace] = [pod_info, ]
-        return data
-
-    @staticmethod
-    def get_kubernetes_data(app_id, system_user_id):
+    @classmethod
+    def get_kubernetes_data(cls, app_id, system_user_id, tp, *args):
         from ..models import Application
         app = get_object_or_404(Application, id=app_id)
         system_user = get_object_or_404(SystemUser, id=system_user_id)
-        k8s = KubernetesClient(app.attrs['cluster'], system_user.token)
-        return k8s.get_pods()
+        k8s = cls(app.attrs['cluster'], system_user.token)
+        func_name = f'get_{tp}s'
+        if hasattr(k8s, func_name):
+            return getattr(k8s, func_name)(*args)
+        return []
 
 
 class KubernetesTree:
@@ -118,11 +98,10 @@ class KubernetesTree:
         )
         return node
 
-    def as_namespace_pod_tree_node(self, name, meta, type, counts=0, is_container=False):
+    def as_namespace_pod_tree_node(self, name, meta, type, is_container=False):
         from ..models import ApplicationTreeNodeMixin
         i = ApplicationTreeNodeMixin.create_tree_id(self.tree_id, type, name)
         meta.update({type: name})
-        name = name if is_container else f'{name}({counts})'
         node = self.create_tree_node(
             i, self.tree_id, name, type, meta, icon='cloud', is_container=is_container
         )
@@ -157,30 +136,30 @@ class KubernetesTree:
         system_user_id = parent_info.get('system_user_id')
 
         tree_nodes = []
-        data = KubernetesClient.get_kubernetes_data(app_id, system_user_id)
-        if not data:
-            return tree_nodes
-
         if pod_name:
-            for container in next(
-                    filter(
-                        lambda x: x['pod_name'] == pod_name, data[namespace]
-                    )
-            )['containers']:
+            tp = 'container'
+            containers = KubernetesClient.get_kubernetes_data(
+                app_id, system_user_id, tp, namespace, pod_name
+            )
+            for container in containers:
                 container_node = self.as_namespace_pod_tree_node(
-                    container, parent_info, 'container', is_container=True
+                    container, parent_info, tp, is_container=True
                 )
                 tree_nodes.append(container_node)
         elif namespace:
-            for pod in data[namespace]:
-                pod_nodes = self.as_namespace_pod_tree_node(
-                    pod['pod_name'], parent_info, 'pod', len(pod['containers'])
+            tp = 'pod'
+            pods = KubernetesClient.get_kubernetes_data(app_id, system_user_id, tp, namespace)
+            for pod in pods:
+                pod_node = self.as_namespace_pod_tree_node(
+                    pod, parent_info, tp
                 )
-                tree_nodes.append(pod_nodes)
+                tree_nodes.append(pod_node)
         elif system_user_id:
-            for namespace, pods in data.items():
+            tp = 'namespace'
+            namespaces = KubernetesClient.get_kubernetes_data(app_id, system_user_id, tp)
+            for namespace in namespaces:
                 namespace_node = self.as_namespace_pod_tree_node(
-                    namespace, parent_info, 'namespace', len(pods)
+                    namespace, parent_info, tp
                 )
                 tree_nodes.append(namespace_node)
         return tree_nodes

apps/assets/models/asset.py

@@ -2,9 +2,8 @@
 # -*- coding: utf-8 -*-
 #
 
-import uuid
 import logging
-from functools import reduce
+import uuid
 from collections import OrderedDict
 
 from django.db import models
@@ -14,7 +13,6 @@ from rest_framework.exceptions import ValidationError
 from common.db.fields import JsonDictTextField
 from common.utils import lazyproperty
 from orgs.mixins.models import OrgModelMixin, OrgManager
-
 from .base import AbsConnectivity
 
 __all__ = ['Asset', 'ProtocolsMixin', 'Platform', 'AssetQuerySet']

apps/assets/models/base.py

@@ -1,28 +1,27 @@
 # -*- coding: utf-8 -*-
 #
-import io
 import os
 import uuid
 from hashlib import md5
 
 import sshpubkeys
+from django.conf import settings
 from django.core.cache import cache
 from django.db import models
+from django.db.models import QuerySet
 from django.utils import timezone
 from django.utils.translation import ugettext_lazy as _
-from django.conf import settings
-from django.db.models import QuerySet
 
-from common.utils import random_string, signer
+from common.db import fields
+from common.utils import random_string
 from common.utils import (
     ssh_key_string_to_obj, ssh_key_gen, get_logger, lazyproperty
 )
-from common.utils.encode import ssh_pubkey_gen
-from common.validators import alphanumeric
-from common.db import fields
+from common.utils.encode import (
+    parse_ssh_public_key_str, parse_ssh_private_key_str
+)
 from orgs.mixins.models import OrgModelMixin
 
-
 logger = get_logger(__file__)
 
 
@@ -64,16 +63,16 @@ class AuthMixin:
 
     @property
     def ssh_key_fingerprint(self):
+        public_key = None
         if self.public_key:
             public_key = self.public_key
         elif self.private_key:
             try:
-                public_key = ssh_pubkey_gen(private_key=self.private_key, password=self.password)
+                public_key = parse_ssh_public_key_str(self.private_key, password=self.password)
             except IOError as e:
                 return str(e)
-        else:
+        if not public_key:
             return ''
-
         public_key_obj = sshpubkeys.SSHKey(public_key)
         fingerprint = public_key_obj.hash_md5()
         return fingerprint
@@ -88,24 +87,29 @@ class AuthMixin:
 
     @property
     def private_key_file(self):
-        if not self.private_key_obj:
+        if not self.private_key:
+            return None
+        private_key_str = self.get_private_key()
+        if not private_key_str:
             return None
         project_dir = settings.PROJECT_DIR
         tmp_dir = os.path.join(project_dir, 'tmp')
         key_name = '.' + md5(self.private_key.encode('utf-8')).hexdigest()
         key_path = os.path.join(tmp_dir, key_name)
         if not os.path.exists(key_path):
-            self.private_key_obj.write_private_key_file(key_path)
+            with open(key_path, 'w') as f:
+                f.write(private_key_str)
             os.chmod(key_path, 0o400)
         return key_path
 
     def get_private_key(self):
-        if not self.private_key_obj:
+        if not self.private_key:
             return None
-        string_io = io.StringIO()
-        self.private_key_obj.write_private_key(string_io)
-        private_key = string_io.getvalue()
-        return private_key
+        private_key_str = parse_ssh_private_key_str(self.private_key, password=self.password)
+        if not private_key_str and self.password:
+            # 由于历史原因，密码可能是真实的密码，而非私钥的 passphrase，所以这里再尝试一次
+            private_key_str = parse_ssh_private_key_str(self.private_key)
+        return private_key_str
 
     @property
     def public_key_obj(self):
@@ -234,4 +238,3 @@ class BaseUser(OrgModelMixin, AuthMixin):
 
     class Meta:
         abstract = True
-

apps/assets/models/user.py

@@ -4,16 +4,16 @@
 
 import logging
 
-from django.db import models
-from django.utils.translation import ugettext_lazy as _
-from django.core.validators import MinValueValidator, MaxValueValidator
 from django.core.cache import cache
+from django.core.validators import MinValueValidator, MaxValueValidator
+from django.db import models
+from django.db.models import Q
+from django.utils.translation import ugettext_lazy as _
 
-from common.utils import signer, get_object_or_none
-from .base import BaseUser
+from common.utils import signer, get_object_or_none, is_uuid
 from .asset import Asset
 from .authbook import AuthBook
-
+from .base import BaseUser
 
 __all__ = ['AdminUser', 'SystemUser']
 logger = logging.getLogger(__name__)
@@ -187,22 +187,22 @@ class AuthMixin:
         if username == '':
             username = self.username
 
-        authbook = AuthBook.objects.filter(
-            asset=asset, username=username, systemuser__isnull=True
-        ).order_by('-date_created').first()
+        not_stu_query = Q(asset=asset, username=username, systemuser__isnull=True)
+        stu_query = Q(asset=asset, systemuser=self)
+        not_stu_qs = AuthBook.objects.filter(not_stu_query).order_by('-date_created')
+        stu_qs = AuthBook.objects.filter(stu_query).order_by('-date_created')
 
+        authbook = not_stu_qs.first()
         if not authbook:
-            authbook = AuthBook.objects.filter(
-                asset=asset, systemuser=self
-            ).order_by('-date_created').first()
+            authbook = stu_qs.first()
 
         if not authbook:
             return None
-
         authbook.load_auth()
-        self.password = authbook.password
-        self.private_key = authbook.private_key
-        self.public_key = authbook.public_key
+
+        self.password = authbook.password or self.password or ''
+        self.private_key = authbook.private_key or self.private_key or ''
+        self.public_key = authbook.public_key or self.public_key or ''
 
     def load_asset_more_auth(self, asset_id=None, username=None, user_id=None):
         from users.models import User
@@ -249,12 +249,19 @@ class SystemUser(ProtocolMixin, AuthMixin, BaseUser):
     users = models.ManyToManyField('users.User', blank=True, verbose_name=_("Users"))
     groups = models.ManyToManyField('users.UserGroup', blank=True, verbose_name=_("User groups"))
     type = models.CharField(max_length=16, choices=Type.choices, default=Type.common, verbose_name=_('Type'))
-    priority = models.IntegerField(default=81, verbose_name=_("Priority"), help_text=_("1-100, the lower the value will be match first"), validators=[MinValueValidator(1), MaxValueValidator(100)])
-    protocol = models.CharField(max_length=16, choices=ProtocolMixin.Protocol.choices, default='ssh', verbose_name=_('Protocol'))
+    priority = models.IntegerField(
+        default=81, verbose_name=_("Priority"),
+        help_text=_("1-100, the lower the value will be match first"),
+        validators=[MinValueValidator(1), MaxValueValidator(100)]
+    )
+    protocol = models.CharField(max_length=16, choices=ProtocolMixin.Protocol.choices, default='ssh',
+                                verbose_name=_('Protocol'))
     auto_push = models.BooleanField(default=True, verbose_name=_('Auto push'))
     sudo = models.TextField(default='/bin/whoami', verbose_name=_('Sudo'))
-    shell = models.CharField(max_length=64,  default='/bin/bash', verbose_name=_('Shell'))
-    login_mode = models.CharField(choices=LOGIN_MODE_CHOICES, default=LOGIN_AUTO, max_length=10, verbose_name=_('Login mode'))
+    shell = models.CharField(max_length=64, default='/bin/bash', verbose_name=_('Shell'))
+    login_mode = models.CharField(
+        choices=LOGIN_MODE_CHOICES, default=LOGIN_AUTO, max_length=10, verbose_name=_('Login mode')
+    )
     sftp_root = models.CharField(default='tmp', max_length=128, verbose_name=_("SFTP Root"))
     token = models.TextField(default='', verbose_name=_('Token'))
     home = models.CharField(max_length=4096, default='', verbose_name=_('Home'), blank=True)
@@ -262,7 +269,9 @@ class SystemUser(ProtocolMixin, AuthMixin, BaseUser):
     ad_domain = models.CharField(default='', max_length=256)
     # linux su 命令 (switch user)
     su_enabled = models.BooleanField(default=False, verbose_name=_('User switch'))
-    su_from = models.ForeignKey('self', on_delete=models.SET_NULL, related_name='su_to', null=True, verbose_name=_("Switch from"))
+    su_from = models.ForeignKey(
+        'self', on_delete=models.SET_NULL, related_name='su_to', null=True, verbose_name=_("Switch from")
+    )
 
     def __str__(self):
         username = self.username
@@ -322,9 +331,20 @@ class SystemUser(ProtocolMixin, AuthMixin, BaseUser):
         assets = Asset.objects.filter(id__in=asset_ids)
         return assets
 
+    def filter_contain_protocol_assets(self, assets_or_ids):
+        if not assets_or_ids:
+            return assets_or_ids
+        if is_uuid(assets_or_ids[0]):
+            assets = Asset.objects.filter(id__in=assets_or_ids)
+        else:
+            assets = assets_or_ids
+        assets = [asset for asset in assets if self.protocol in asset.protocols_as_dict]
+        return assets
+
     def add_related_assets(self, assets_or_ids):
-        self.assets.add(*tuple(assets_or_ids))
-        self.add_related_assets_to_su_from_if_need(assets_or_ids)
+        assets = self.filter_contain_protocol_assets(assets_or_ids)
+        self.assets.add(*tuple(assets))
+        self.add_related_assets_to_su_from_if_need(assets)
 
     def add_related_assets_to_su_from_if_need(self, assets_or_ids):
         if self.protocol not in [self.Protocol.ssh.value]:

apps/assets/serializers/base.py

@@ -1,24 +1,24 @@
 # -*- coding: utf-8 -*-
 #
-from io import StringIO
 
 from django.utils.translation import ugettext_lazy as _
 from rest_framework import serializers
 
-from common.utils import ssh_pubkey_gen, ssh_private_key_gen, validate_ssh_private_key
-from common.drf.fields import EncryptedField
 from assets.models import Type
+from common.drf.fields import EncryptedField
+from common.utils import validate_ssh_private_key, parse_ssh_private_key_str, parse_ssh_public_key_str
 from .utils import validate_password_for_ansible
 
 
 class AuthSerializer(serializers.ModelSerializer):
     password = EncryptedField(required=False, allow_blank=True, allow_null=True, max_length=1024, label=_('Password'))
-    private_key = EncryptedField(required=False, allow_blank=True, allow_null=True, max_length=16384, label=_('Private key'))
+    private_key = EncryptedField(required=False, allow_blank=True, allow_null=True, max_length=16384,
+                                 label=_('Private key'))
 
     def gen_keys(self, private_key=None, password=None):
         if private_key is None:
             return None, None
-        public_key = ssh_pubkey_gen(private_key=private_key, password=password)
+        public_key = parse_ssh_public_key_str(text=private_key, password=password)
         return private_key, public_key
 
     def save(self, **kwargs):
@@ -57,10 +57,7 @@ class AuthSerializerMixin(serializers.ModelSerializer):
         if not valid:
             raise serializers.ValidationError(_("private key invalid or passphrase error"))
 
-        private_key = ssh_private_key_gen(private_key, password=passphrase)
-        string_io = StringIO()
-        private_key.write_private_key(string_io)
-        private_key = string_io.getvalue()
+        private_key = parse_ssh_private_key_str(private_key, password=passphrase)
         return private_key
 
     def validate_public_key(self, public_key):

apps/assets/serializers/system_user.py

@@ -1,16 +1,16 @@
-from rest_framework import serializers
-from django.utils.translation import ugettext_lazy as _
 from django.db.models import Count
+from django.utils.translation import ugettext_lazy as _
+from rest_framework import serializers
 
-from common.mixins.serializers import BulkSerializerMixin
-from common.utils import ssh_pubkey_gen
 from common.drf.fields import EncryptedField
 from common.drf.serializers import SecretReadableMixin
+from common.mixins.serializers import BulkSerializerMixin
+from common.utils import parse_ssh_public_key_str
 from common.validators import alphanumeric_re, alphanumeric_cn_re, alphanumeric_win_re
 from orgs.mixins.serializers import BulkOrgResourceModelSerializer
-from ..models import SystemUser, Asset
-from .utils import validate_password_for_ansible
 from .base import AuthSerializerMixin
+from .utils import validate_password_for_ansible
+from ..models import SystemUser, Asset
 
 __all__ = [
     'SystemUserSerializer', 'MiniSystemUserSerializer',
@@ -36,9 +36,6 @@ class SystemUserSerializer(AuthSerializerMixin, BulkOrgResourceModelSerializer):
     token = EncryptedField(
         label=_('Token'), required=False, write_only=True, style={'base_template': 'textarea.html'}
     )
-    applications_amount = serializers.IntegerField(
-        source='apps_amount', read_only=True, label=_('Apps amount')
-    )
 
     class Meta:
         model = SystemUser
@@ -53,7 +50,7 @@ class SystemUserSerializer(AuthSerializerMixin, BulkOrgResourceModelSerializer):
             'su_enabled', 'su_from',
             'date_created', 'date_updated', 'comment', 'created_by',
         ]
-        fields_m2m = ['cmd_filters', 'assets_amount', 'applications_amount', 'nodes']
+        fields_m2m = ['cmd_filters', 'nodes']
         fields = fields_small + fields_m2m
         extra_kwargs = {
             'cmd_filters': {"required": False, 'label': _('Command filter')},
@@ -214,7 +211,7 @@ class SystemUserSerializer(AuthSerializerMixin, BulkOrgResourceModelSerializer):
         elif attrs.get('private_key'):
             private_key = attrs['private_key']
             password = attrs.get('password')
-            public_key = ssh_pubkey_gen(private_key, password=password, username=username)
+            public_key = parse_ssh_public_key_str(private_key, password=password)
             attrs['public_key'] = public_key
         return attrs
 
@@ -241,7 +238,6 @@ class SystemUserSerializer(AuthSerializerMixin, BulkOrgResourceModelSerializer):
     def setup_eager_loading(cls, queryset):
         """ Perform necessary eager loading of data. """
         queryset = queryset \
-            .annotate(assets_amount=Count("assets")) \
             .prefetch_related('nodes', 'cmd_filters')
         return queryset
 

apps/assets/serializers/utils.py

@@ -1,6 +1,8 @@
 from django.utils.translation import ugettext_lazy as _
 from rest_framework import serializers
 
+from common.utils import validate_ssh_private_key, parse_ssh_private_key_str
+
 
 def validate_password_for_ansible(password):
     """ 校验 Ansible 不支持的特殊字符 """
@@ -15,3 +17,9 @@ def validate_password_for_ansible(password):
     if '"' in password:
         raise serializers.ValidationError(_('Password can not contains `"` '))
 
+
+def validate_ssh_key(ssh_key, passphrase=None):
+    valid = validate_ssh_private_key(ssh_key, password=passphrase)
+    if not valid:
+        raise serializers.ValidationError(_("private key invalid or passphrase error"))
+    return parse_ssh_private_key_str(ssh_key, passphrase)

apps/assets/tasks/utils.py

@@ -50,6 +50,10 @@ def clean_ansible_task_hosts(assets, system_user=None):
     for asset in assets:
         if not check_asset_can_run_ansible(asset):
             continue
+        # 资产平台不包含系统用户的协议, 不推送
+        if system_user and system_user.protocol not in asset.protocols_as_dict:
+            logger.info(_('Asset protocol not support system user protocol, skipped: {}').format(system_user.protocol))
+            continue
         cleaned_assets.append(asset)
     if not cleaned_assets:
         logger.info(_("No assets matched, stop task"))

apps/audits/handler.py

@@ -4,7 +4,7 @@ from django.db import transaction
 from django.core.cache import cache
 from django.utils.translation import ugettext_lazy as _
 
-from common.utils import get_request_ip, get_logger
+from common.utils import get_request_ip_or_data, get_logger
 from common.utils.timezone import as_current_tz
 from common.utils.encode import Singleton
 from common.local import encrypted_field_set
@@ -15,7 +15,6 @@ from orgs.utils import get_current_org_id
 
 from .backends import get_operate_log_storage
 
-
 logger = get_logger(__name__)
 
 
@@ -156,7 +155,7 @@ class OperatorLogHandler(metaclass=Singleton):
         if not user or not user.is_authenticated:
             return
 
-        remote_addr = get_request_ip(current_request)
+        remote_addr = get_request_ip_or_data(current_request)
         resource_display = self.get_resource_display(resource)
         before, after = self.data_processing(before, after)
         if not force and not any([before, after]):

apps/audits/signal_handlers.py

@@ -38,10 +38,9 @@ from .const import MODELS_NEED_RECORD
 from terminal.backends.command.serializers import SessionCommandSerializer
 from terminal.serializers import SessionSerializer
 from common.const.signals import POST_ADD, POST_REMOVE, POST_CLEAR, SKIP_SIGNAL
-from common.utils import get_request_ip, get_logger, get_syslogger
+from common.utils import get_request_ip_or_data, get_logger, get_syslogger
 from common.utils.encode import data_to_json
 
-
 logger = get_logger(__name__)
 sys_logger = get_syslogger(__name__)
 json_render = JSONRenderer()
@@ -198,7 +197,7 @@ def on_user_change_password(sender, user=None, **kwargs):
         remote_addr = '127.0.0.1'
         change_by = 'System'
     else:
-        remote_addr = get_request_ip(current_request)
+        remote_addr = get_request_ip_or_data(current_request)
         if not current_request.user.is_authenticated:
             change_by = str(user)
         else:
@@ -250,7 +249,7 @@ def get_login_backend(request):
 
 def generate_data(username, request, login_type=None):
     user_agent = request.META.get('HTTP_USER_AGENT', '')
-    login_ip = get_request_ip(request) or '0.0.0.0'
+    login_ip = get_request_ip_or_data(request) or '0.0.0.0'
 
     if login_type is None and isinstance(request, Request):
         login_type = request.META.get('HTTP_X_JMS_LOGIN_TYPE', 'U')

apps/audits/utils.py

@@ -2,13 +2,14 @@ import csv
 import codecs
 
 from itertools import chain
+from datetime import datetime
 
 from django.http import HttpResponse
 from django.db import models
 
 from settings.serializers import SettingsSerializer
+from common.utils.timezone import as_current_tz
 from common.utils import validate_ip, get_ip_city, get_logger
-from common.db import fields
 from .const import DEFAULT_CITY
 
 
@@ -78,6 +79,8 @@ def model_to_dict_for_operate_log(
             f.verbose_name = 'id'
         elif isinstance(value, list):
             value = [str(v) for v in value]
+        elif isinstance(value, datetime):
+            value = as_current_tz(value).strftime('%Y-%m-%d %H:%M:%S')
 
         if include_model_fields or getattr(f, 'primary_key', False):
             data[str(f.verbose_name)] = value

apps/authentication/api/connection_token.py

@@ -1,26 +1,27 @@
 import abc
-import os
-import json
 import base64
+import json
+import os
 import urllib.parse
+
 from django.http import HttpResponse
 from django.shortcuts import get_object_or_404
-from rest_framework.exceptions import PermissionDenied
-from rest_framework.decorators import action
-from rest_framework.response import Response
 from rest_framework import status
+from rest_framework.decorators import action
+from rest_framework.exceptions import PermissionDenied
 from rest_framework.request import Request
+from rest_framework.response import Response
 
 from common.drf.api import JMSModelViewSet
 from common.http import is_true
 from orgs.mixins.api import RootOrgViewMixin
 from perms.models.base import Action
 from terminal.models import EndpointRule
+from ..models import ConnectionToken
 from ..serializers import (
     ConnectionTokenSerializer, ConnectionTokenSecretSerializer,
     SuperConnectionTokenSerializer, ConnectionTokenDisplaySerializer,
 )
-from ..models import ConnectionToken
 
 __all__ = ['ConnectionTokenViewSet', 'SuperConnectionTokenViewSet']
 
@@ -124,6 +125,7 @@ class ConnectionTokenMixin:
             'bookmarktype:i': '3',
             'use redirection server name:i': '0',
             'smart sizing:i': '1',
+            'disableconnectionsharing:i': '1',
             # 'drivestoredirect:s': '*',
             # 'domain:s': ''
             # 'alternate shell:s:': '||MySQLWorkbench',
@@ -165,6 +167,9 @@ class ConnectionTokenMixin:
         rdp_options['session bpp:i'] = os.getenv('JUMPSERVER_COLOR_DEPTH', '32')
         rdp_options['audiomode:i'] = self.parse_env_bool('JUMPSERVER_DISABLE_AUDIO', 'false', '2', '0')
 
+        if token.asset and token.asset.platform.meta.get('console', None) == 'true':
+            rdp_options['administrative session:i:'] = '1'
+
         if token.asset:
             name = token.asset.hostname
         elif token.application and token.application.category_remote_app:

apps/authentication/api/login_confirm.py

@@ -20,6 +20,7 @@ class TicketStatusApi(mixins.AuthMixin, APIView):
         try:
             self.check_user_login_confirm()
             self.request.session['auth_third_party_done'] = 1
+            self.request.session.pop('auth_third_party_required', '')
             return Response({"msg": "ok"})
         except errors.LoginConfirmOtherError as e:
             reason = e.msg

apps/authentication/backends/oauth2/backends.py

@@ -2,6 +2,7 @@
 #
 import requests
 
+from django.utils.translation import gettext_lazy as _
 from django.contrib.auth import get_user_model
 from django.utils.http import urlencode
 from django.conf import settings
@@ -90,8 +91,12 @@ class OAuth2Backend(JMSModelBackend):
                 request, path=reverse(settings.AUTH_OAUTH2_AUTH_LOGIN_CALLBACK_URL_NAME)
             )
         }
-        access_token_url = '{url}?{query}'.format(
-            url=settings.AUTH_OAUTH2_ACCESS_TOKEN_ENDPOINT, query=urlencode(query_dict)
+        if '?' in settings.AUTH_OAUTH2_ACCESS_TOKEN_ENDPOINT:
+            separator = '&'
+        else:
+            separator = '?'
+        access_token_url = '{url}{separator}{query}'.format(
+            url=settings.AUTH_OAUTH2_ACCESS_TOKEN_ENDPOINT, separator=separator, query=urlencode(query_dict)
         )
         token_method = settings.AUTH_OAUTH2_ACCESS_TOKEN_METHOD.lower()
         requests_func = getattr(requests, token_method, requests.get)
@@ -114,12 +119,16 @@ class OAuth2Backend(JMSModelBackend):
 
         headers = {
             'Accept': 'application/json',
-            'Authorization': 'token {}'.format(response_data.get('access_token', ''))
+            'Authorization': 'Bearer {}'.format(response_data.get('access_token', ''))
         }
 
         logger.debug(log_prompt.format('Get userinfo endpoint'))
-        userinfo_url = '{url}?{query}'.format(
-            url=settings.AUTH_OAUTH2_PROVIDER_USERINFO_ENDPOINT,
+        if '?' in settings.AUTH_OAUTH2_PROVIDER_USERINFO_ENDPOINT:
+            separator = '&'
+        else:
+            separator = '?'
+        userinfo_url = '{url}{separator}{query}'.format(
+            url=settings.AUTH_OAUTH2_PROVIDER_USERINFO_ENDPOINT, separator=separator,
             query=urlencode(query_dict)
         )
         userinfo_response = requests.get(userinfo_url, headers=headers)

apps/authentication/backends/oauth2/views.py

@@ -26,8 +26,13 @@ class OAuth2AuthRequestView(View):
             )
         }
 
-        redirect_url = '{url}?{query}'.format(
+        if '?' in settings.AUTH_OAUTH2_PROVIDER_AUTHORIZATION_ENDPOINT:
+            separator = '&'
+        else:
+            separator = '?'
+        redirect_url = '{url}{separator}{query}'.format(
             url=settings.AUTH_OAUTH2_PROVIDER_AUTHORIZATION_ENDPOINT,
+            separator=separator,
             query=urlencode(query_dict)
         )
         logger.debug(log_prompt.format('Redirect login url'))

apps/authentication/backends/oidc/backends.py

@@ -88,7 +88,7 @@ class OIDCAuthCodeBackend(OIDCBaseBackend):
     """
 
     @ssl_verification
-    def authenticate(self, request, nonce=None, **kwargs):
+    def authenticate(self, request, nonce=None, code_verifier=None, **kwargs):
         """ Authenticates users in case of the OpenID Connect Authorization code flow. """
         log_prompt = "Process authenticate [OIDCAuthCodeBackend]: {}"
         logger.debug(log_prompt.format('start'))
@@ -134,6 +134,8 @@ class OIDCAuthCodeBackend(OIDCBaseBackend):
                 request, path=reverse(settings.AUTH_OPENID_AUTH_LOGIN_CALLBACK_URL_NAME)
             )
         }
+        if settings.AUTH_OPENID_PKCE and code_verifier:
+            token_payload['code_verifier'] = code_verifier
         if settings.AUTH_OPENID_CLIENT_AUTH_METHOD == 'client_secret_post':
             token_payload.update({
                 'client_id': settings.AUTH_OPENID_CLIENT_ID,

apps/authentication/backends/oidc/views.py

@@ -9,7 +9,10 @@
 
 """
 
+import base64
+import hashlib
 import time
+import secrets
 
 from django.conf import settings
 from django.contrib import auth
@@ -38,6 +41,19 @@ class OIDCAuthRequestView(View):
 
     http_method_names = ['get', ]
 
+    @staticmethod
+    def gen_code_verifier(length=128):
+        # length range 43 ~ 128
+        return secrets.token_urlsafe(length-32)
+
+    @staticmethod
+    def gen_code_challenge(code_verifier, code_challenge_method):
+        if code_challenge_method == 'plain':
+            return code_verifier
+        h = hashlib.sha256(code_verifier.encode('ascii')).digest()
+        b = base64.urlsafe_b64encode(h)
+        return b.decode('ascii')[:-1]
+
     def get(self, request):
         """ Processes GET requests. """
 
@@ -56,6 +72,16 @@ class OIDCAuthRequestView(View):
             )
         })
 
+        if settings.AUTH_OPENID_PKCE:
+            code_verifier = self.gen_code_verifier()
+            code_challenge_method = settings.AUTH_OPENID_CODE_CHALLENGE_METHOD or 'S256'
+            code_challenge = self.gen_code_challenge(code_verifier, code_challenge_method)
+            authentication_request_params.update({
+                'code_challenge_method': code_challenge_method,
+                'code_challenge': code_challenge
+            })
+            request.session['oidc_auth_code_verifier'] = code_verifier
+
         # States should be used! They are recommended in order to maintain state between the
         # authentication request and the callback.
         if settings.AUTH_OPENID_USE_STATE:
@@ -138,8 +164,9 @@ class OIDCAuthCallbackView(View):
 
             # Authenticates the end-user.
             next_url = request.session.get('oidc_auth_next_url', None)
+            code_verifier = request.session.get('oidc_auth_code_verifier', None)
             logger.debug(log_prompt.format('Process authenticate'))
-            user = auth.authenticate(nonce=nonce, request=request)
+            user = auth.authenticate(nonce=nonce, request=request, code_verifier=code_verifier)
             if user and user.is_valid:
                 logger.debug(log_prompt.format('Login: {}'.format(user)))
                 auth.login(self.request, user)

apps/authentication/backends/pubkey.py

@@ -1,8 +1,9 @@
 # -*- coding: utf-8 -*-
 #
-from django.contrib.auth import get_user_model
 from django.conf import settings
+from django.contrib.auth import get_user_model
 
+from common.permissions import ServiceAccountSignaturePermission
 from .base import JMSBaseAuthBackend
 
 UserModel = get_user_model()
@@ -18,6 +19,10 @@ class PublicKeyAuthBackend(JMSBaseAuthBackend):
     def authenticate(self, request, username=None, public_key=None, **kwargs):
         if not public_key:
             return None
+
+        permission = ServiceAccountSignaturePermission()
+        if not permission.has_permission(request, None):
+            return None
         if username is None:
             username = kwargs.get(UserModel.USERNAME_FIELD)
         try:
@@ -26,7 +31,7 @@ class PublicKeyAuthBackend(JMSBaseAuthBackend):
             return None
         else:
             if user.check_public_key(public_key) and \
-                  self.user_can_authenticate(user):
+                    self.user_can_authenticate(user):
                 return user
 
     def get_user(self, user_id):

apps/authentication/middleware.py

@@ -9,7 +9,7 @@ from django.contrib.auth import logout as auth_logout
 
 from apps.authentication import mixins
 from common.utils import gen_key_pair
-from common.utils import get_request_ip
+from common.utils import get_request_ip_or_data
 from .signals import post_auth_failed
 
 
@@ -61,7 +61,19 @@ class ThirdPartyLoginMiddleware(mixins.AuthMixin):
             return response
         if not request.session.get('auth_third_party_required'):
             return response
-        ip = get_request_ip(request)
+
+        white_urls = [
+            'jsi18n/', '/static/',
+            'login/guard', 'login/wait-confirm',
+            'login-confirm-ticket/status',
+            'settings/public/open',
+            'core/auth/login', 'core/auth/logout'
+        ]
+        for url in white_urls:
+            if request.path.find(url) > -1:
+                return response
+
+        ip = get_request_ip_or_data(request)
         try:
             self.request = request
             self._check_login_acl(request.user, ip)
@@ -88,7 +100,6 @@ class ThirdPartyLoginMiddleware(mixins.AuthMixin):
                 guard_url = "%s?%s" % (guard_url, args)
             response = redirect(guard_url)
         finally:
-            request.session.pop('auth_third_party_required', '')
             return response
 
 

apps/authentication/mixins.py

@@ -18,7 +18,7 @@ from django.contrib.auth import (
 from django.core.exceptions import ImproperlyConfigured
 from django.shortcuts import reverse, redirect, get_object_or_404
 
-from common.utils import get_request_ip, get_logger, bulk_get, FlashMessageUtil
+from common.utils import get_request_ip_or_data, get_request_ip, get_logger, bulk_get, FlashMessageUtil
 from acls.models import LoginACL
 from users.models import User
 from users.utils import LoginBlockUtil, MFABlockUtils, LoginIpBlockUtil
@@ -92,13 +92,12 @@ auth.authenticate = authenticate
 
 class CommonMixin:
     request: Request
+    _ip = ''
 
     def get_request_ip(self):
-        ip = ''
-        if hasattr(self.request, 'data'):
-            ip = self.request.data.get('remote_addr', '')
-        ip = ip or get_request_ip(self.request)
-        return ip
+        if not self._ip:
+            self._ip = get_request_ip_or_data(self.request)
+        return self._ip
 
     def raise_credential_error(self, error):
         raise self.partial_credential_error(error=error)
@@ -212,7 +211,8 @@ class MFAMixin:
         self._do_check_user_mfa(code, mfa_type, user=user)
 
     def check_user_mfa_if_need(self, user):
-        if self.request.session.get('auth_mfa'):
+        if self.request.session.get('auth_mfa') and \
+                self.request.session.get('auth_mfa_username') == user.username:
             return
         if not user.mfa_enabled:
             return
@@ -220,14 +220,16 @@ class MFAMixin:
         active_mfa_names = user.active_mfa_backends_mapper.keys()
         raise errors.MFARequiredError(mfa_types=tuple(active_mfa_names))
 
-    def mark_mfa_ok(self, mfa_type):
+    def mark_mfa_ok(self, mfa_type, user):
         self.request.session['auth_mfa'] = 1
+        self.request.session['auth_mfa_username'] = user.username
         self.request.session['auth_mfa_time'] = time.time()
         self.request.session['auth_mfa_required'] = 0
         self.request.session['auth_mfa_type'] = mfa_type
+        MFABlockUtils(user.username, self.get_request_ip()).clean_failed_count()
 
     def clean_mfa_mark(self):
-        keys = ['auth_mfa', 'auth_mfa_time', 'auth_mfa_required', 'auth_mfa_type']
+        keys = ['auth_mfa', 'auth_mfa_time', 'auth_mfa_required', 'auth_mfa_type', 'auth_mfa_username']
         for k in keys:
             self.request.session.pop(k, '')
 
@@ -262,7 +264,7 @@ class MFAMixin:
             ok, msg = mfa_backend.check_code(code)
 
         if ok:
-            self.mark_mfa_ok(mfa_type)
+            self.mark_mfa_ok(mfa_type, user)
             return
 
         raise errors.MFAFailedError(
@@ -369,7 +371,7 @@ class AuthACLMixin:
     def check_user_login_confirm(self):
         ticket = self.get_ticket()
         if not ticket:
-            raise errors.LoginConfirmOtherError('', "Not found")
+            raise errors.LoginConfirmOtherError('', "Not found", '')
         elif ticket.is_state(ticket.State.approved):
             self.request.session["auth_confirm_required"] = ''
             return
@@ -512,4 +514,20 @@ class AuthMixin(CommonMixin, AuthPreCheckMixin, AuthACLMixin, MFAMixin, AuthPost
         args = self.request.META.get('QUERY_STRING', '')
         if args:
             guard_url = "%s?%s" % (guard_url, args)
-        return redirect(guard_url)
+        response = redirect(guard_url)
+        self.set_browser_default_language_if_need(response)
+        return response
+
+    def set_browser_default_language_if_need(self, response):
+        # en, ja, zh-CN,zh;q=0.9
+        browser_lang = self.request.headers.get('Accept-Language', '')
+        # 浏览器首选语言
+        if browser_lang.startswith('en'):
+            browser_lang = 'en'
+        elif browser_lang.startswith('ja'):
+            browser_lang = 'ja'
+        else:
+            browser_lang = 'zh'
+        request_lang = self.request.LANGUAGE_CODE
+        lang = request_lang or browser_lang
+        response.set_cookie(settings.LANGUAGE_COOKIE_NAME, lang)

apps/authentication/utils.py

@@ -6,7 +6,7 @@ from urllib.parse import urljoin, urlparse
 from django.conf import settings
 from django.utils.translation import ugettext_lazy as _
 
-from common.utils import validate_ip, get_ip_city, get_request_ip
+from common.utils import validate_ip, get_ip_city, get_request_ip_or_data
 from common.utils import get_logger
 from audits.models import UserLoginLog
 from audits.const import DEFAULT_CITY
@@ -19,7 +19,7 @@ def check_different_city_login_if_need(user, request):
     if not settings.SECURITY_CHECK_DIFFERENT_CITY_LOGIN:
         return
 
-    ip = get_request_ip(request) or '0.0.0.0'
+    ip = get_request_ip_or_data(request) or '0.0.0.0'
     if not (ip and validate_ip(ip)):
         city = DEFAULT_CITY
     else:

apps/authentication/views/dingtalk.py

@@ -20,13 +20,12 @@ from authentication import errors
 from authentication.mixins import AuthMixin
 from authentication.const import ConfirmType
 from common.sdk.im.dingtalk import DingTalk
-from common.utils.common import get_request_ip
+from common.utils.common import get_request_ip_or_data
 from authentication.notifications import OAuthBindMessage
 from .mixins import METAMixin
 
 logger = get_logger(__file__)
 
-
 DINGTALK_STATE_SESSION_KEY = '_dingtalk_state'
 
 
@@ -175,7 +174,7 @@ class DingTalkQRBindCallbackView(DingTalkQRMixin, View):
                 return response
             raise e
 
-        ip = get_request_ip(request)
+        ip = get_request_ip_or_data(request)
         OAuthBindMessage(user, ip, _('DingTalk'), user_id).publish_async()
         msg = _('Binding DingTalk successfully')
         response = self.get_success_response(redirect_url, msg, msg)
@@ -200,7 +199,7 @@ class DingTalkEnableStartView(UserVerifyPasswordView):
 class DingTalkQRLoginView(DingTalkQRMixin, METAMixin, View):
     permission_classes = (AllowAny,)
 
-    def get(self,  request: HttpRequest):
+    def get(self, request: HttpRequest):
         redirect_url = request.GET.get('redirect_url') or reverse('index')
         next_url = self.get_next_url_from_meta() or reverse('index')
 
@@ -258,7 +257,7 @@ class DingTalkQRLoginCallbackView(AuthMixin, DingTalkQRMixin, View):
 class DingTalkOAuthLoginView(DingTalkOAuthMixin, View):
     permission_classes = (AllowAny,)
 
-    def get(self,  request: HttpRequest):
+    def get(self, request: HttpRequest):
         redirect_url = request.GET.get('redirect_url')
 
         redirect_uri = reverse('authentication:dingtalk-oauth-login-callback', external=True)

apps/authentication/views/feishu.py

@@ -16,7 +16,7 @@ from common.utils.django import reverse, get_object_or_none
 from common.mixins.views import UserConfirmRequiredExceptionMixin, PermissionsMixin
 from common.permissions import UserConfirmation
 from common.sdk.im.feishu import FeiShu, URL
-from common.utils.common import get_request_ip
+from common.utils.common import get_request_ip_or_data
 from authentication import errors
 from authentication.const import ConfirmType
 from authentication.mixins import AuthMixin
@@ -24,7 +24,6 @@ from authentication.notifications import OAuthBindMessage
 
 logger = get_logger(__file__)
 
-
 FEISHU_STATE_SESSION_KEY = '_feishu_state'
 
 
@@ -60,7 +59,7 @@ class FeiShuQRMixin(UserConfirmRequiredExceptionMixin, PermissionsMixin, View):
             'state': state,
             'redirect_uri': redirect_uri,
         }
-        url = URL.AUTHEN + '?' + urlencode(params)
+        url = URL().authen + '?' + urlencode(params)
         return url
 
     @staticmethod
@@ -140,7 +139,7 @@ class FeiShuQRBindCallbackView(FeiShuQRMixin, View):
                 return response
             raise e
 
-        ip = get_request_ip(request)
+        ip = get_request_ip_or_data(request)
         OAuthBindMessage(user, ip, _('FeiShu'), user_id).publish_async()
         msg = _('Binding FeiShu successfully')
         response = self.get_success_response(redirect_url, msg, msg)
@@ -165,7 +164,7 @@ class FeiShuEnableStartView(UserVerifyPasswordView):
 class FeiShuQRLoginView(FeiShuQRMixin, View):
     permission_classes = (AllowAny,)
 
-    def get(self,  request: HttpRequest):
+    def get(self, request: HttpRequest):
         redirect_url = request.GET.get('redirect_url') or reverse('index')
         redirect_uri = reverse('authentication:feishu-qr-login-callback', external=True)
         redirect_uri += '?' + urlencode({

apps/authentication/views/mfa.py

@@ -32,11 +32,14 @@ class UserLoginMFAView(mixins.AuthMixin, FormView):
         return super().get(*args, **kwargs)
 
     def form_valid(self, form):
+        from users.utils import MFABlockUtils
         code = form.cleaned_data.get('code')
         mfa_type = form.cleaned_data.get('mfa_type')
 
         try:
             self._do_check_user_mfa(code, mfa_type)
+            user, ip = self.get_user_from_session(), self.get_request_ip()
+            MFABlockUtils(user.username, ip).clean_failed_count()
             return redirect_to_guard_view('mfa_ok')
         except (errors.MFAFailedError, errors.BlockMFAError) as e:
             form.add_error('code', e.msg)

apps/authentication/views/wecom.py

@@ -16,7 +16,7 @@ from common.utils.django import reverse, get_object_or_none
 from common.sdk.im.wecom import URL
 from common.sdk.im.wecom import WeCom
 from common.mixins.views import UserConfirmRequiredExceptionMixin, PermissionsMixin
-from common.utils.common import get_request_ip
+from common.utils.common import get_request_ip_or_data
 from common.permissions import UserConfirmation
 from authentication import errors
 from authentication.mixins import AuthMixin
@@ -26,7 +26,6 @@ from .mixins import METAMixin
 
 logger = get_logger(__file__)
 
-
 WECOM_STATE_SESSION_KEY = '_wecom_state'
 
 
@@ -174,7 +173,7 @@ class WeComQRBindCallbackView(WeComQRMixin, View):
                 return response
             raise e
 
-        ip = get_request_ip(request)
+        ip = get_request_ip_or_data(request)
         OAuthBindMessage(user, ip, _('WeCom'), wecom_userid).publish_async()
         msg = _('Binding WeCom successfully')
         response = self.get_success_response(redirect_url, msg, msg)
@@ -196,7 +195,7 @@ class WeComEnableStartView(UserVerifyPasswordView):
 class WeComQRLoginView(WeComQRMixin, METAMixin, View):
     permission_classes = (AllowAny,)
 
-    def get(self,  request: HttpRequest):
+    def get(self, request: HttpRequest):
         redirect_url = request.GET.get('redirect_url') or reverse('index')
         next_url = self.get_next_url_from_meta() or reverse('index')
         redirect_uri = reverse('authentication:wecom-qr-login-callback', external=True)
@@ -253,7 +252,7 @@ class WeComQRLoginCallbackView(AuthMixin, WeComQRMixin, View):
 class WeComOAuthLoginView(WeComOAuthMixin, View):
     permission_classes = (AllowAny,)
 
-    def get(self,  request: HttpRequest):
+    def get(self, request: HttpRequest):
         redirect_url = request.GET.get('redirect_url')
 
         redirect_uri = reverse('authentication:wecom-oauth-login-callback', external=True)

apps/common/local.py

@@ -1,7 +1,7 @@
 from werkzeug.local import Local
 
 thread_local = Local()
-encrypted_field_set = set()
+encrypted_field_set = {'password'}
 
 
 def _find(attr):

apps/common/management/commands/services/services/flower.py

@@ -9,6 +9,10 @@ class FlowerService(BaseService):
     def __init__(self, **kwargs):
         super().__init__(**kwargs)
 
+    @property
+    def db_file(self):
+        return os.path.join(BASE_DIR, 'data', 'flower')
+
     @property
     def cmd(self):
         print("\n- Start Flower as Task Monitor")
@@ -20,11 +24,11 @@ class FlowerService(BaseService):
             '-A', 'ops',
             'flower',
             '-logging=info',
+            '-db={}'.format(self.db_file),
             '--url_prefix=/core/flower',
             '--auto_refresh=False',
             '--max_tasks=1000',
             '--persistent=True',
-            '-db=/opt/jumpserver/data/flower.db',
             '--state_save_interval=600000'
         ]
         return cmd

apps/common/permissions.py

@@ -81,3 +81,38 @@ class UserConfirmation(permissions.BasePermission):
         min_level = ConfirmType.values.index(confirm_type) + 1
         name = 'UserConfirmationLevel{}TTL{}'.format(min_level, ttl)
         return type(name, (cls,), {'min_level': min_level, 'ttl': ttl, 'confirm_type': confirm_type})
+
+
+class ServiceAccountSignaturePermission(permissions.BasePermission):
+    def has_permission(self, request, view):
+        from authentication.models import AccessKey
+        from common.utils.crypto import get_aes_crypto
+        signature = request.META.get('HTTP_X_JMS_SVC', '')
+        if not signature or not signature.startswith('Sign'):
+            return False
+        data = signature[4:].strip()
+        if not data or ':' not in data:
+            return False
+        ak_id, time_sign = data.split(':', 1)
+        if not ak_id or not time_sign:
+            return False
+        ak = AccessKey.objects.filter(id=ak_id).first()
+        if not ak or not ak.is_active:
+            return False
+        if not ak.user or not ak.user.is_active or not ak.user.is_service_account:
+            return False
+        aes = get_aes_crypto(str(ak.secret).replace('-', ''), mode='ECB')
+        try:
+            timestamp = aes.decrypt(time_sign)
+            if not timestamp or not timestamp.isdigit():
+                return False
+            timestamp = int(timestamp)
+            interval = abs(int(time.time()) - timestamp)
+            if interval > 30:
+                return False
+            return True
+        except Exception:
+            return False
+
+    def has_object_permission(self, request, view, obj):
+        return False

apps/common/sdk/im/feishu/__init__.py

@@ -3,6 +3,7 @@ import json
 from django.utils.translation import ugettext_lazy as _
 from rest_framework.exceptions import APIException
 
+from django.conf import settings
 from common.utils.common import get_logger
 from common.sdk.im.utils import digest
 from common.sdk.im.mixin import RequestMixin, BaseRequest
@@ -11,14 +12,30 @@ logger = get_logger(__name__)
 
 
 class URL:
-    AUTHEN = 'https://open.feishu.cn/open-apis/authen/v1/index'
-
-    GET_TOKEN = 'https://open.feishu.cn/open-apis/auth/v3/tenant_access_token/internal/'
-
     # https://open.feishu.cn/document/ukTMukTMukTM/uEDO4UjLxgDO14SM4gTN
-    GET_USER_INFO_BY_CODE = 'https://open.feishu.cn/open-apis/authen/v1/access_token'
+    @property
+    def host(self):
+        if settings.FEISHU_VERSION == 'feishu':
+            h = 'https://open.feishu.cn'
+        else:
+            h = 'https://open.larksuite.com'
+        return h
 
-    SEND_MESSAGE = 'https://open.feishu.cn/open-apis/im/v1/messages'
+    @property
+    def authen(self):
+        return f'{self.host}/open-apis/authen/v1/index'
+
+    @property
+    def get_token(self):
+        return f'{self.host}/open-apis/auth/v3/tenant_access_token/internal/'
+
+    @property
+    def get_user_info_by_code(self):
+        return f'{self.host}/open-apis/authen/v1/access_token'
+
+    @property
+    def send_message(self):
+        return f'{self.host}/open-apis/im/v1/messages'
 
 
 class ErrorCode:
@@ -51,7 +68,7 @@ class FeishuRequests(BaseRequest):
 
     def request_access_token(self):
         data = {'app_id': self._app_id, 'app_secret': self._app_secret}
-        response = self.raw_request('post', url=URL.GET_TOKEN, data=data)
+        response = self.raw_request('post', url=URL().get_token, data=data)
         self.check_errcode_is_0(response)
 
         access_token = response['tenant_access_token']
@@ -86,7 +103,7 @@ class FeiShu(RequestMixin):
             'code': code
         }
 
-        data = self._requests.post(URL.GET_USER_INFO_BY_CODE, json=body, check_errcode_is_0=False)
+        data = self._requests.post(URL().get_user_info_by_code, json=body, check_errcode_is_0=False)
 
         self._requests.check_errcode_is_0(data)
         return data['data']['user_id']
@@ -107,7 +124,7 @@ class FeiShu(RequestMixin):
 
             try:
                 logger.info(f'Feishu send text: user_ids={user_ids} msg={msg}')
-                self._requests.post(URL.SEND_MESSAGE, params=params, json=body)
+                self._requests.post(URL().send_message, params=params, json=body)
             except APIException as e:
                 # 只处理可预知的错误
                 logger.exception(e)

apps/common/utils/common.py

@@ -76,6 +76,7 @@ def setattr_bulk(seq, key, value):
     def set_attr(obj):
         setattr(obj, key, value)
         return obj
+
     return map(set_attr, seq)
 
 
@@ -97,12 +98,12 @@ def capacity_convert(size, expect='auto', rate=1000):
     rate_mapping = (
         ('K', rate),
         ('KB', rate),
-        ('M', rate**2),
-        ('MB', rate**2),
-        ('G', rate**3),
-        ('GB', rate**3),
-        ('T', rate**4),
-        ('TB', rate**4),
+        ('M', rate ** 2),
+        ('MB', rate ** 2),
+        ('G', rate ** 3),
+        ('GB', rate ** 3),
+        ('T', rate ** 4),
+        ('TB', rate ** 4),
     )
 
     rate_mapping = OrderedDict(rate_mapping)
@@ -117,7 +118,7 @@ def capacity_convert(size, expect='auto', rate=1000):
 
     if expect == 'auto':
         for unit, rate_ in rate_mapping.items():
-            if rate > std_size/rate_ >= 1 or unit == "T":
+            if rate > std_size / rate_ >= 1 or unit == "T":
                 expect = unit
                 break
 
@@ -153,18 +154,23 @@ def is_uuid(seq):
 
 def get_request_ip(request):
     x_forwarded_for = request.META.get('HTTP_X_FORWARDED_FOR', '').split(',')
-
     if x_forwarded_for and x_forwarded_for[0]:
         login_ip = x_forwarded_for[0]
-    else:
-        login_ip = request.META.get('REMOTE_ADDR', '')
+        return login_ip
+
+    login_ip = request.META.get('REMOTE_ADDR', '')
     return login_ip
 
 
 def get_request_ip_or_data(request):
+    from common.permissions import ServiceAccountSignaturePermission
+
     ip = ''
-    if hasattr(request, 'data'):
-        ip = request.data.get('remote_addr', '')
+
+    if hasattr(request, 'data') and request.data.get('remote_addr', ''):
+        permission = ServiceAccountSignaturePermission()
+        if permission.has_permission(request, None):
+            ip = request.data.get('remote_addr', '')
     ip = ip or get_request_ip(request)
     return ip
 
@@ -195,6 +201,7 @@ def with_cache(func):
         res = func(*args, **kwargs)
         cache[key] = res
         return res
+
     return wrapper
 
 
@@ -216,6 +223,7 @@ def timeit(func):
         msg = "End call {}, using: {:.1f}ms".format(name, using)
         logger.debug(msg)
         return result
+
     return wrapper
 
 
@@ -310,7 +318,7 @@ class Time:
     def print(self):
         last, *timestamps = self._timestamps
         for timestamp, msg in zip(timestamps, self._msgs):
-            logger.debug(f'TIME_IT: {msg} {timestamp-last}')
+            logger.debug(f'TIME_IT: {msg} {timestamp - last}')
             last = timestamp
 
 
@@ -366,7 +374,7 @@ def pretty_string(data: str, max_length=128, ellipsis_str='...'):
 
 
 def group_by_count(it, count):
-    return [it[i:i+count] for i in range(0, len(it), count)]
+    return [it[i:i + count] for i in range(0, len(it), count)]
 
 
 def test_ip_connectivity(host, port, timeout=0.5):

apps/common/utils/encode.py

@@ -1,24 +1,23 @@
 # -*- coding: utf-8 -*-
 #
-import re
-import json
-from six import string_types
 import base64
-import os
-import time
 import hashlib
+import json
+import os
+import re
+import time
 from io import StringIO
-from itertools import chain
 
 import paramiko
 import sshpubkeys
+from cryptography.hazmat.primitives import serialization
+from django.conf import settings
+from django.core.serializers.json import DjangoJSONEncoder
 from itsdangerous import (
     TimedJSONWebSignatureSerializer, JSONWebSignatureSerializer,
     BadSignature, SignatureExpired
 )
-from django.conf import settings
-from django.core.serializers.json import DjangoJSONEncoder
-from django.db.models.fields.files import FileField
+from six import string_types
 
 from .http import http_date
 
@@ -69,22 +68,25 @@ class Signer(metaclass=Singleton):
             return None
 
 
+_supported_paramiko_ssh_key_types = (
+    paramiko.RSAKey,
+    paramiko.DSSKey,
+    paramiko.Ed25519Key,
+    paramiko.ECDSAKey,
+)
+
+
 def ssh_key_string_to_obj(text, password=None):
     key = None
-    try:
-        key = paramiko.RSAKey.from_private_key(StringIO(text), password=password)
-    except paramiko.SSHException:
-        pass
-    else:
-        return key
-
-    try:
-        key = paramiko.DSSKey.from_private_key(StringIO(text), password=password)
-    except paramiko.SSHException:
-        pass
-    else:
-        return key
-
+    for ssh_key_type in _supported_paramiko_ssh_key_types:
+        if not issubclass(ssh_key_type, paramiko.PKey):
+            continue
+        try:
+            key = ssh_key_type.from_private_key(StringIO(text), password=password)
+        except paramiko.SSHException:
+            pass
+        else:
+            return key
     return key
 
 
@@ -98,7 +100,7 @@ def ssh_private_key_gen(private_key, password=None):
 
 def ssh_pubkey_gen(private_key=None, username='jumpserver', hostname='localhost', password=None):
     private_key = ssh_private_key_gen(private_key, password=password)
-    if not isinstance(private_key, (paramiko.RSAKey, paramiko.DSSKey)):
+    if not isinstance(private_key, _supported_paramiko_ssh_key_types):
         raise IOError('Invalid private key')
 
     public_key = "%(key_type)s %(key_content)s %(username)s@%(hostname)s" % {
@@ -137,17 +139,65 @@ def ssh_key_gen(length=2048, type='rsa', password=None, username='jumpserver', h
 
 
 def validate_ssh_private_key(text, password=None):
-    if isinstance(text, bytes):
-        try:
-            text = text.decode("utf-8")
-        except UnicodeDecodeError:
-            return False
+    key = parse_ssh_private_key_str(text, password=password)
+    return bool(key)
 
-    key = ssh_key_string_to_obj(text, password=password)
-    if key is None:
-        return False
-    else:
-        return True
+
+def parse_ssh_private_key_str(text: bytes, password=None) -> str:
+    private_key = _parse_ssh_private_key(text, password=password)
+    if private_key is None:
+        return ""
+    private_key_bytes = private_key.private_bytes(serialization.Encoding.PEM,
+                                                  serialization.PrivateFormat.OpenSSH,
+                                                  serialization.NoEncryption())
+    return private_key_bytes.decode('utf-8')
+
+
+def parse_ssh_public_key_str(text: bytes = "", password=None) -> str:
+    private_key = _parse_ssh_private_key(text, password=password)
+    if private_key is None:
+        return ""
+    public_key_bytes = private_key.public_key().public_bytes(
+        serialization.Encoding.OpenSSH,
+        serialization.PublicFormat.OpenSSH)
+    return public_key_bytes.decode('utf-8')
+
+
+def _parse_ssh_private_key(text, password=None):
+    """
+    text: bytes
+    password: str
+    return:private key types:
+                ec.EllipticCurvePrivateKey,
+                rsa.RSAPrivateKey,
+                dsa.DSAPrivateKey,
+                ed25519.Ed25519PrivateKey,
+    """
+    if not bool(password):
+        password = None
+    if isinstance(text, str):
+        try:
+            text = text.encode("utf-8")
+        except UnicodeDecodeError:
+            return None
+    if password is not None:
+        if isinstance(password, str):
+            try:
+                password = password.encode("utf-8")
+            except UnicodeDecodeError:
+                return None
+
+    try:
+        if is_openssh_format_key(text):
+            return serialization.load_ssh_private_key(text, password=password)
+        return serialization.load_pem_private_key(text, password=password)
+    except (ValueError, TypeError):
+        pass
+    return None
+
+
+def is_openssh_format_key(text: bytes):
+    return text.startswith(b"-----BEGIN OPENSSH PRIVATE KEY-----")
 
 
 def validate_ssh_public_key(text):
@@ -226,4 +276,4 @@ def ensure_last_char_is_ascii(data):
 def data_to_json(data, sort_keys=True, indent=2, cls=None):
     if cls is None:
         cls = DjangoJSONEncoder
-    return json.dumps(data, sort_keys=sort_keys, indent=indent, cls=cls)
+    return json.dumps(data, ensure_ascii=False, sort_keys=sort_keys, indent=indent, cls=cls)

apps/common/utils/random.py

@@ -1,10 +1,9 @@
 # -*- coding: utf-8 -*-
 #
-import struct
 import random
 import socket
 import string
-
+import struct
 
 string_punctuation = '!#$%&()*+,-.:;<=>?@[]^_~'
 
@@ -18,25 +17,36 @@ def random_ip():
     return socket.inet_ntoa(struct.pack('>I', random.randint(1, 0xffffffff)))
 
 
-def random_string(length, lower=True, upper=True, digit=True, special_char=False):
-    chars = string.ascii_letters
-    if digit:
-        chars += string.digits
+def random_string(length: int, lower=True, upper=True, digit=True, special_char=False):
+    random.seed()
+    args_names = ['lower', 'upper', 'digit', 'special_char']
+    args_values = [lower, upper, digit, special_char]
+    args_string = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string_punctuation]
+    args_string_map = dict(zip(args_names, args_string))
+    kwargs = dict(zip(args_names, args_values))
+    kwargs_keys = list(kwargs.keys())
+    kwargs_values = list(kwargs.values())
+    args_true_count = len([i for i in kwargs_values if i])
+    assert any(kwargs_values), f'Parameters {kwargs_keys} must have at least one `True`'
+    assert length >= args_true_count, f'Expected length >= {args_true_count}, bug got {length}'
+
+    can_startswith_special_char = args_true_count == 1 and special_char
+
+    chars = ''.join([args_string_map[k] for k, v in kwargs.items() if v])
 
     while True:
         password = list(random.choice(chars) for i in range(length))
-        if upper and not any(c.upper() for c in password):
-            continue
-        if lower and not any(c.lower() for c in password):
-            continue
-        if digit and not any(c.isdigit() for c in password):
-            continue
-        break
-
-    if special_char:
-        spc = random.choice(string_punctuation)
-        i = random.choice(range(1, len(password)))
-        password[i] = spc
+        for k, v in kwargs.items():
+            if v and not (set(password) & set(args_string_map[k])):
+                # 没有包含指定的字符, retry
+                break
+        else:
+            if not can_startswith_special_char and password[0] in args_string_map['special_char']:
+                # 首位不能为特殊字符, retry
+                continue
+            else:
+                # 满足要求终止 while 循环
+                break
 
     password = ''.join(password)
     return password

apps/common/utils/verify_code.py

@@ -1,14 +1,13 @@
-from django.core.cache import cache
-from django.conf import settings
-from django.core.mail import send_mail
 from celery import shared_task
+from django.conf import settings
+from django.core.cache import cache
+from django.core.mail import send_mail
 
-from common.sdk.sms.exceptions import CodeError, CodeExpired, CodeSendTooFrequently
-from common.sdk.sms.endpoint import SMS
 from common.exceptions import JMSException
-from common.utils.random import random_string
+from common.sdk.sms.endpoint import SMS
+from common.sdk.sms.exceptions import CodeError, CodeExpired, CodeSendTooFrequently
 from common.utils import get_logger
-
+from common.utils.random import random_string
 
 logger = get_logger(__file__)
 
@@ -27,6 +26,7 @@ class SendAndVerifyCodeUtil(object):
         self.timeout = timeout
         self.backend = backend
         self.key = key or self.KEY_TMPL.format(target)
+        self.verify_key = self.key + '_verify'
         self.other_args = kwargs
 
     def gen_and_send_async(self):
@@ -47,6 +47,11 @@ class SendAndVerifyCodeUtil(object):
             raise
 
     def verify(self, code):
+        times = cache.get(self.verify_key, 0)
+        if times >= 3:
+            self.__clear()
+            raise CodeExpired
+        cache.set(self.verify_key, times + 1, timeout=self.timeout)
         right = cache.get(self.key)
         if not right:
             raise CodeExpired
@@ -59,6 +64,7 @@ class SendAndVerifyCodeUtil(object):
 
     def __clear(self):
         cache.delete(self.key)
+        cache.delete(self.verify_key)
 
     def __ttl(self):
         return cache.ttl(self.key)

apps/jumpserver/conf.py

@@ -202,6 +202,7 @@ class Config(dict):
         'REDIS_SSL_KEY': None,
         'REDIS_SSL_CERT': None,
         'REDIS_SSL_CA': None,
+        'REDIS_SSL_REQUIRED': 'none',
         # Redis Sentinel
         'REDIS_SENTINEL_HOSTS': '',
         'REDIS_SENTINEL_PASSWORD': '',
@@ -269,6 +270,8 @@ class Config(dict):
         'AUTH_OPENID_USER_ATTR_MAP': {
             'name': 'name', 'username': 'preferred_username', 'email': 'email'
         },
+        'AUTH_OPENID_PKCE': False,
+        'AUTH_OPENID_CODE_CHALLENGE_METHOD': 'S256',
 
         # OpenID 新配置参数 (version >= 1.5.9)
         'AUTH_OPENID_PROVIDER_ENDPOINT': 'https://oidc.example.com/',
@@ -373,6 +376,7 @@ class Config(dict):
         'AUTH_FEISHU': False,
         'FEISHU_APP_ID': '',
         'FEISHU_APP_SECRET': '',
+        'FEISHU_VERSION': 'feishu',
 
         'LOGIN_REDIRECT_TO_BACKEND': '',  # 'OPENID / CAS / SAML2
         'LOGIN_REDIRECT_MSG_ENABLED': True,

apps/jumpserver/settings/auth.py

@@ -78,6 +78,8 @@ AUTH_OPENID_SHARE_SESSION = CONFIG.AUTH_OPENID_SHARE_SESSION
 AUTH_OPENID_IGNORE_SSL_VERIFICATION = CONFIG.AUTH_OPENID_IGNORE_SSL_VERIFICATION
 AUTH_OPENID_ALWAYS_UPDATE_USER = CONFIG.AUTH_OPENID_ALWAYS_UPDATE_USER
 AUTH_OPENID_USER_ATTR_MAP = CONFIG.AUTH_OPENID_USER_ATTR_MAP
+AUTH_OPENID_PKCE = CONFIG.AUTH_OPENID_PKCE
+AUTH_OPENID_CODE_CHALLENGE_METHOD = CONFIG.AUTH_OPENID_CODE_CHALLENGE_METHOD
 AUTH_OPENID_AUTH_LOGIN_URL_NAME = 'authentication:openid:login'
 AUTH_OPENID_AUTH_LOGIN_CALLBACK_URL_NAME = 'authentication:openid:login-callback'
 AUTH_OPENID_AUTH_LOGOUT_URL_NAME = 'authentication:openid:logout'
@@ -135,6 +137,7 @@ DINGTALK_APPSECRET = CONFIG.DINGTALK_APPSECRET
 AUTH_FEISHU = CONFIG.AUTH_FEISHU
 FEISHU_APP_ID = CONFIG.FEISHU_APP_ID
 FEISHU_APP_SECRET = CONFIG.FEISHU_APP_SECRET
+FEISHU_VERSION = CONFIG.FEISHU_VERSION
 
 # Saml2 auth
 AUTH_SAML2 = CONFIG.AUTH_SAML2

apps/jumpserver/settings/base.py

@@ -1,6 +1,9 @@
 import os
 import platform
 
+from redis.sentinel import SentinelManagedSSLConnection
+
+
 if platform.system() == 'Darwin' and platform.machine() == 'arm64':
     import pymysql
 
@@ -195,7 +198,7 @@ DATABASES = {
     }
 }
 
-DB_CA_PATH = os.path.join(PROJECT_DIR, 'data', 'certs', 'db_ca.pem')
+DB_CA_PATH = os.path.join(CERTS_DIR, 'db_ca.pem')
 DB_USE_SSL = False
 if CONFIG.DB_ENGINE.lower() == 'mysql':
     DB_OPTIONS['init_command'] = "SET sql_mode='STRICT_TRANS_TABLES'"
@@ -317,10 +320,19 @@ if REDIS_SENTINEL_SERVICE_NAME and REDIS_SENTINELS:
         'CLIENT_CLASS': 'django_redis.client.SentinelClient',
         'SENTINELS': REDIS_SENTINELS, 'PASSWORD': CONFIG.REDIS_PASSWORD,
         'SENTINEL_KWARGS': {
+            'ssl': REDIS_USE_SSL,
+            'ssl_cert_reqs': REDIS_SSL_REQUIRED,
+            "ssl_keyfile": REDIS_SSL_KEY,
+            "ssl_certfile": REDIS_SSL_CERT,
+            "ssl_ca_certs": REDIS_SSL_CA,
             'password': REDIS_SENTINEL_PASSWORD,
             'socket_timeout': REDIS_SENTINEL_SOCKET_TIMEOUT
         }
     })
+    if REDIS_USE_SSL:
+        REDIS_OPTIONS['CONNECTION_POOL_KWARGS'].update({
+            'connection_class': SentinelManagedSSLConnection
+        })
     DJANGO_REDIS_CONNECTION_FACTORY = 'django_redis.pool.SentinelConnectionFactory'
 else:
     REDIS_LOCATION_NO_DB = '%(protocol)s://:%(password)s@%(host)s:%(port)s/{}' % {

apps/jumpserver/settings/libs.py

@@ -1,11 +1,11 @@
 # -*- coding: utf-8 -*-
 #
 import os
-import ssl
+from urllib.parse import urlencode
 
 from .base import (
     REDIS_SSL_CA, REDIS_SSL_CERT, REDIS_SSL_KEY, REDIS_SSL_REQUIRED, REDIS_USE_SSL,
-    REDIS_SENTINEL_SERVICE_NAME, REDIS_SENTINELS, REDIS_SENTINEL_PASSWORD,
+    REDIS_PROTOCOL, REDIS_SENTINEL_SERVICE_NAME, REDIS_SENTINELS, REDIS_SENTINEL_PASSWORD,
     REDIS_SENTINEL_SOCKET_TIMEOUT
 )
 from ..const import CONFIG, PROJECT_DIR
@@ -81,41 +81,54 @@ BOOTSTRAP3 = {
 }
 
 # Django channels support websocket
-if not REDIS_USE_SSL:
-    redis_ssl = None
-else:
-    redis_ssl = ssl.SSLContext()
-    redis_ssl.check_hostname = bool(CONFIG.REDIS_SSL_REQUIRED)
-    if REDIS_SSL_CA:
-        redis_ssl.load_verify_locations(REDIS_SSL_CA)
-    if REDIS_SSL_CERT and REDIS_SSL_KEY:
-        redis_ssl.load_cert_chain(REDIS_SSL_CERT, REDIS_SSL_KEY)
-
-REDIS_HOST = {
+REDIS_LAYERS_HOST = {
     'db': CONFIG.REDIS_DB_WS,
     'password': CONFIG.REDIS_PASSWORD or None,
-    'ssl': redis_ssl,
 }
 
+REDIS_LAYERS_SSL_PARAMS = {}
+if REDIS_USE_SSL:
+    REDIS_LAYERS_SSL_PARAMS.update({
+        'ssl': REDIS_USE_SSL,
+        'ssl_cert_reqs': REDIS_SSL_REQUIRED,
+        "ssl_keyfile": REDIS_SSL_KEY,
+        "ssl_certfile": REDIS_SSL_CERT,
+        "ssl_ca_certs": REDIS_SSL_CA
+    })
+    REDIS_LAYERS_HOST.update(REDIS_LAYERS_SSL_PARAMS)
+
 if REDIS_SENTINEL_SERVICE_NAME and REDIS_SENTINELS:
-    REDIS_HOST['sentinels'] = REDIS_SENTINELS
-    REDIS_HOST['master_name'] = REDIS_SENTINEL_SERVICE_NAME
-    REDIS_HOST['sentinel_kwargs'] = {
+    REDIS_LAYERS_HOST['sentinels'] = REDIS_SENTINELS
+    REDIS_LAYERS_HOST['master_name'] = REDIS_SENTINEL_SERVICE_NAME
+    REDIS_LAYERS_HOST['sentinel_kwargs'] = {
         'password': REDIS_SENTINEL_PASSWORD,
-        'socket_timeout': REDIS_SENTINEL_SOCKET_TIMEOUT
+        'socket_timeout': REDIS_SENTINEL_SOCKET_TIMEOUT,
+        'ssl': REDIS_USE_SSL,
+        'ssl_cert_reqs': REDIS_SSL_REQUIRED,
+        "ssl_keyfile": REDIS_SSL_KEY,
+        "ssl_certfile": REDIS_SSL_CERT,
+        "ssl_ca_certs": REDIS_SSL_CA
     }
 else:
-    REDIS_HOST['address'] = (CONFIG.REDIS_HOST, CONFIG.REDIS_PORT)
+    # More info see: https://github.com/django/channels_redis/issues/334
+    # REDIS_LAYERS_HOST['address'] = (CONFIG.REDIS_HOST, CONFIG.REDIS_PORT)
+    REDIS_LAYERS_ADDRESS = '{protocol}://:{password}@{host}:{port}/{db}'.format(
+        protocol=REDIS_PROTOCOL, password=CONFIG.REDIS_PASSWORD,
+        host=CONFIG.REDIS_HOST, port=CONFIG.REDIS_PORT, db=CONFIG.REDIS_DB_WS
+    )
+    REDIS_LAYERS_SSL_PARAMS.pop('ssl', None)
+    REDIS_LAYERS_HOST['address'] = '{}?{}'.format(REDIS_LAYERS_ADDRESS, urlencode(REDIS_LAYERS_SSL_PARAMS))
 
 
 CHANNEL_LAYERS = {
     'default': {
         'BACKEND': 'common.cache.RedisChannelLayer',
         'CONFIG': {
-            "hosts": [REDIS_HOST],
+            "hosts": [REDIS_LAYERS_HOST],
         },
     },
 }
+
 ASGI_APPLICATION = 'jumpserver.routing.application'
 
 # Dump all celery log to here
@@ -132,13 +145,18 @@ if REDIS_SENTINEL_SERVICE_NAME and REDIS_SENTINELS:
         'master_name': REDIS_SENTINEL_SERVICE_NAME,
         'sentinel_kwargs': {
             'password': REDIS_SENTINEL_PASSWORD,
-            'socket_timeout': REDIS_SENTINEL_SOCKET_TIMEOUT
+            'socket_timeout': REDIS_SENTINEL_SOCKET_TIMEOUT,
+            'ssl': REDIS_USE_SSL,
+            'ssl_cert_reqs': REDIS_SSL_REQUIRED,
+            "ssl_keyfile": REDIS_SSL_KEY,
+            "ssl_certfile": REDIS_SSL_CERT,
+            "ssl_ca_certs": REDIS_SSL_CA
         }
     }
     CELERY_BROKER_TRANSPORT_OPTIONS = CELERY_RESULT_BACKEND_TRANSPORT_OPTIONS = SENTINEL_OPTIONS
 else:
     CELERY_BROKER_URL = CELERY_BROKER_URL_FORMAT % {
-        'protocol': 'rediss' if REDIS_USE_SSL else 'redis',
+        'protocol': REDIS_PROTOCOL,
         'password': CONFIG.REDIS_PASSWORD,
         'host': CONFIG.REDIS_HOST,
         'port': CONFIG.REDIS_PORT,

apps/locale/ja/LC_MESSAGES/django.mo

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:7db985efdf818137dafe489f339955f4d71a245ffd6becc8f6efac539a625682
-size 133463
+oid sha256:0cc37a87259f2cd3794ad628ee40497bd97beaee7219be3d9773e1e544c3e352
+size 134193

apps/locale/ja/LC_MESSAGES/django.po

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-11-17 17:34+0800\n"
+"POT-Creation-Date: 2023-05-08 18:10+0800\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -24,13 +24,13 @@ msgstr "Acls"
 
 #: acls/models/base.py:25 acls/serializers/login_asset_acl.py:47
 #: applications/models/application.py:219 assets/models/asset.py:138
-#: assets/models/base.py:175 assets/models/cluster.py:18
+#: assets/models/base.py:177 assets/models/cluster.py:18
 #: assets/models/cmd_filter.py:27 assets/models/domain.py:23
 #: assets/models/group.py:20 assets/models/label.py:18 ops/mixin.py:24
 #: orgs/models.py:70 perms/models/base.py:83 rbac/models/role.py:29
 #: settings/models.py:33 settings/serializers/sms.py:6
 #: terminal/models/endpoint.py:14 terminal/models/endpoint.py:87
-#: terminal/models/storage.py:27 terminal/models/task.py:16
+#: terminal/models/storage.py:26 terminal/models/task.py:16
 #: terminal/models/terminal.py:101 users/forms/profile.py:33
 #: users/models/group.py:15 users/models/user.py:673
 #: xpack/plugins/cloud/models.py:27
@@ -55,14 +55,14 @@ msgstr "アクティブ"
 
 #: acls/models/base.py:32 applications/models/application.py:232
 #: assets/models/asset.py:143 assets/models/asset.py:231
-#: assets/models/backup.py:54 assets/models/base.py:180
+#: assets/models/backup.py:54 assets/models/base.py:182
 #: assets/models/cluster.py:29 assets/models/cmd_filter.py:52
 #: assets/models/cmd_filter.py:100 assets/models/domain.py:24
 #: assets/models/domain.py:65 assets/models/group.py:23
 #: assets/models/label.py:23 ops/models/adhoc.py:38 orgs/models.py:73
 #: perms/models/base.py:93 rbac/models/role.py:37 settings/models.py:38
 #: terminal/models/endpoint.py:22 terminal/models/endpoint.py:97
-#: terminal/models/storage.py:30 terminal/models/terminal.py:115
+#: terminal/models/storage.py:29 terminal/models/terminal.py:115
 #: tickets/models/comment.py:32 tickets/models/ticket/general.py:288
 #: users/models/group.py:16 users/models/user.py:712
 #: xpack/plugins/change_auth_plan/models/base.py:44
@@ -131,7 +131,7 @@ msgstr "システムユーザー"
 #: assets/models/asset.py:386 assets/models/authbook.py:19
 #: assets/models/backup.py:31 assets/models/cmd_filter.py:42
 #: assets/models/gathered_user.py:14 assets/serializers/label.py:30
-#: assets/serializers/system_user.py:268 audits/models.py:40
+#: assets/serializers/system_user.py:264 audits/models.py:40
 #: authentication/models.py:66 authentication/models.py:90
 #: perms/models/asset_permission.py:23 terminal/backends/command/models.py:21
 #: terminal/backends/command/serializers.py:14 terminal/models/session.py:47
@@ -155,7 +155,7 @@ msgid "Format for comma-delimited string, with * indicating a match all. "
 msgstr "コンマ区切り文字列の形式。* はすべて一致することを示します。"
 
 #: acls/serializers/login_acl.py:15 acls/serializers/login_asset_acl.py:17
-#: acls/serializers/login_asset_acl.py:51 assets/models/base.py:176
+#: acls/serializers/login_asset_acl.py:51 assets/models/base.py:178
 #: assets/models/gathered_user.py:15 audits/models.py:139
 #: authentication/forms.py:25 authentication/forms.py:27
 #: authentication/models.py:260
@@ -186,7 +186,7 @@ msgstr ""
 #: authentication/templates/authentication/_msg_oauth_bind.html:12
 #: authentication/templates/authentication/_msg_rest_password_success.html:8
 #: authentication/templates/authentication/_msg_rest_public_key_success.html:8
-#: settings/serializers/terminal.py:10 terminal/serializers/endpoint.py:54
+#: settings/serializers/terminal.py:10 terminal/serializers/endpoint.py:58
 msgid "IP"
 msgstr "IP"
 
@@ -269,7 +269,7 @@ msgid "Application"
 msgstr "アプリケーション"
 
 #: applications/models/account.py:15 assets/models/authbook.py:20
-#: assets/models/cmd_filter.py:46 assets/models/user.py:343 audits/models.py:41
+#: assets/models/cmd_filter.py:46 assets/models/user.py:354 audits/models.py:41
 #: authentication/models.py:83 perms/models/application_permission.py:33
 #: perms/models/asset_permission.py:25 terminal/backends/command/models.py:22
 #: terminal/backends/command/serializers.py:36 terminal/models/session.py:49
@@ -280,7 +280,7 @@ msgid "System user"
 msgstr "システムユーザー"
 
 #: applications/models/account.py:17 assets/models/authbook.py:21
-#: settings/serializers/auth/cas.py:20
+#: settings/serializers/auth/cas.py:20 settings/serializers/auth/feishu.py:20
 msgid "Version"
 msgstr "バージョン"
 
@@ -310,7 +310,7 @@ msgstr "カテゴリ"
 #: assets/models/cmd_filter.py:86 assets/models/user.py:251
 #: authentication/models.py:70 perms/models/application_permission.py:24
 #: perms/serializers/application/user_permission.py:34
-#: terminal/models/storage.py:59 terminal/models/storage.py:145
+#: terminal/models/storage.py:58 terminal/models/storage.py:147
 #: tickets/models/comment.py:26 tickets/models/flow.py:57
 #: tickets/models/ticket/apply_application.py:18
 #: tickets/models/ticket/general.py:273
@@ -353,7 +353,7 @@ msgid "Type display"
 msgstr "タイプ表示"
 
 #: applications/serializers/application.py:105 assets/models/asset.py:230
-#: assets/models/base.py:181 assets/models/cluster.py:26
+#: assets/models/base.py:183 assets/models/cluster.py:26
 #: assets/models/cmd_filter.py:53 assets/models/domain.py:26
 #: assets/models/gathered_user.py:19 assets/models/group.py:22
 #: assets/models/label.py:25 assets/serializers/account.py:18
@@ -367,7 +367,7 @@ msgstr "タイプ表示"
 msgid "Date created"
 msgstr "作成された日付"
 
-#: applications/serializers/application.py:106 assets/models/base.py:182
+#: applications/serializers/application.py:106 assets/models/base.py:184
 #: assets/models/cmd_filter.py:54 assets/models/gathered_user.py:20
 #: assets/serializers/account.py:21 assets/serializers/cmd_filter.py:29
 #: assets/serializers/cmd_filter.py:49 common/db/models.py:117
@@ -445,7 +445,7 @@ msgid "Application path"
 msgstr "アプリケーションパス"
 
 #: applications/serializers/attrs/application_category/remote_app.py:44
-#: assets/serializers/system_user.py:167
+#: assets/serializers/system_user.py:164
 #: tickets/serializers/ticket/apply_application.py:38
 #: tickets/serializers/ticket/common.py:59
 #: xpack/plugins/change_auth_plan/serializers/asset.py:67
@@ -634,7 +634,7 @@ msgid "Is active"
 msgstr "アクティブです。"
 
 #: assets/models/asset.py:222 assets/models/cluster.py:19
-#: assets/models/user.py:240 assets/models/user.py:395
+#: assets/models/user.py:240 assets/models/user.py:406
 msgid "Admin user"
 msgstr "管理ユーザー"
 
@@ -650,7 +650,7 @@ msgstr "資産番号"
 msgid "Labels"
 msgstr "ラベル"
 
-#: assets/models/asset.py:229 assets/models/base.py:183
+#: assets/models/asset.py:229 assets/models/base.py:185
 #: assets/models/cluster.py:28 assets/models/cmd_filter.py:56
 #: assets/models/cmd_filter.py:103 assets/models/group.py:21
 #: common/db/models.py:114 common/mixins/models.py:49 orgs/models.py:71
@@ -786,32 +786,32 @@ msgstr "成功は"
 msgid "Account backup execution"
 msgstr "アカウントバックアップの実行"
 
-#: assets/models/base.py:30 assets/tasks/const.py:51 audits/const.py:5
+#: assets/models/base.py:29 assets/tasks/const.py:51 audits/const.py:5
 #: common/utils/ip/geoip/utils.py:31 common/utils/ip/geoip/utils.py:37
 #: common/utils/ip/utils.py:84
 msgid "Unknown"
 msgstr "不明"
 
-#: assets/models/base.py:31
+#: assets/models/base.py:30
 msgid "Ok"
 msgstr "OK"
 
-#: assets/models/base.py:32 audits/models.py:136
+#: assets/models/base.py:31 audits/models.py:136
 #: xpack/plugins/change_auth_plan/serializers/app.py:88
 #: xpack/plugins/change_auth_plan/serializers/asset.py:199
 #: xpack/plugins/cloud/const.py:41
 msgid "Failed"
 msgstr "失敗しました"
 
-#: assets/models/base.py:38 assets/serializers/domain.py:47
+#: assets/models/base.py:37 assets/serializers/domain.py:47
 msgid "Connectivity"
 msgstr "接続性"
 
-#: assets/models/base.py:40 authentication/models.py:263
+#: assets/models/base.py:39 authentication/models.py:263
 msgid "Date verified"
 msgstr "確認済みの日付"
 
-#: assets/models/base.py:177 assets/serializers/base.py:15
+#: assets/models/base.py:179 assets/serializers/base.py:14
 #: assets/serializers/base.py:37 assets/serializers/system_user.py:29
 #: audits/signal_handlers.py:58 authentication/confirm/password.py:9
 #: authentication/forms.py:32
@@ -829,14 +829,14 @@ msgstr "確認済みの日付"
 msgid "Password"
 msgstr "パスワード"
 
-#: assets/models/base.py:178 assets/serializers/base.py:41
+#: assets/models/base.py:180 assets/serializers/base.py:41
 #: xpack/plugins/change_auth_plan/models/asset.py:53
 #: xpack/plugins/change_auth_plan/models/asset.py:130
 #: xpack/plugins/change_auth_plan/models/asset.py:206
 msgid "SSH private key"
 msgstr "SSH秘密鍵"
 
-#: assets/models/base.py:179 xpack/plugins/change_auth_plan/models/asset.py:56
+#: assets/models/base.py:181 xpack/plugins/change_auth_plan/models/asset.py:56
 #: xpack/plugins/change_auth_plan/models/asset.py:126
 #: xpack/plugins/change_auth_plan/models/asset.py:202
 msgid "SSH public key"
@@ -889,7 +889,7 @@ msgstr "デフォルトクラスター"
 msgid "User group"
 msgstr "ユーザーグループ"
 
-#: assets/models/cmd_filter.py:64 assets/serializers/system_user.py:59
+#: assets/models/cmd_filter.py:64 assets/serializers/system_user.py:56
 msgid "Command filter"
 msgstr "コマンドフィルター"
 
@@ -954,7 +954,7 @@ msgstr "テストゲートウェイ"
 msgid "Unable to connect to port {port} on {ip}"
 msgstr "{ip} でポート {port} に接続できません"
 
-#: assets/models/domain.py:134 authentication/middleware.py:75
+#: assets/models/domain.py:134 authentication/middleware.py:87
 #: xpack/plugins/cloud/providers/fc.py:48
 msgid "Authentication failed"
 msgstr "認証に失敗しました"
@@ -1015,7 +1015,7 @@ msgstr "フルバリュー"
 msgid "Parent key"
 msgstr "親キー"
 
-#: assets/models/node.py:566 assets/serializers/system_user.py:267
+#: assets/models/node.py:566 assets/serializers/system_user.py:263
 #: xpack/plugins/cloud/models.py:95 xpack/plugins/cloud/serializers/task.py:75
 msgid "Node"
 msgstr "ノード"
@@ -1095,7 +1095,7 @@ msgstr "ユーザースイッチ"
 msgid "Switch from"
 msgstr "から切り替え"
 
-#: assets/models/user.py:345
+#: assets/models/user.py:356
 msgid "Can match system user"
 msgstr "システムユーザーに一致できます"
 
@@ -1192,7 +1192,7 @@ msgstr "ssh秘密鍵"
 msgid "Key password"
 msgstr "キーパスワード"
 
-#: assets/serializers/base.py:58
+#: assets/serializers/base.py:58 assets/serializers/utils.py:24
 msgid "private key invalid or passphrase error"
 msgstr "秘密鍵が無効またはpassphraseエラー"
 
@@ -1205,7 +1205,7 @@ msgid "Pattern"
 msgstr "パターン"
 
 #: assets/serializers/domain.py:14 assets/serializers/label.py:12
-#: assets/serializers/system_user.py:63
+#: assets/serializers/system_user.py:60
 #: perms/serializers/asset/permission.py:49
 msgid "Assets amount"
 msgstr "資産額"
@@ -1234,86 +1234,81 @@ msgstr "同じレベルのノード名を同じにすることはできません
 msgid "SSH key fingerprint"
 msgstr "SSHキー指紋"
 
-#: assets/serializers/system_user.py:40
-#: perms/serializers/application/permission.py:46
-msgid "Apps amount"
-msgstr "アプリの量"
-
-#: assets/serializers/system_user.py:62
+#: assets/serializers/system_user.py:59
 #: perms/serializers/asset/permission.py:50
 msgid "Nodes amount"
 msgstr "ノード量"
 
-#: assets/serializers/system_user.py:64 assets/serializers/system_user.py:269
+#: assets/serializers/system_user.py:61 assets/serializers/system_user.py:265
 msgid "Login mode display"
 msgstr "ログインモード表示"
 
-#: assets/serializers/system_user.py:66
+#: assets/serializers/system_user.py:63
 msgid "Ad domain"
 msgstr "広告ドメイン"
 
-#: assets/serializers/system_user.py:67
+#: assets/serializers/system_user.py:64
 msgid "Is asset protocol"
 msgstr "資産プロトコルです"
 
-#: assets/serializers/system_user.py:68
+#: assets/serializers/system_user.py:65
 msgid "Only ssh and automatic login system users are supported"
 msgstr "sshと自動ログインシステムのユーザーのみがサポートされています"
 
-#: assets/serializers/system_user.py:108
+#: assets/serializers/system_user.py:105
 msgid "Username same with user with protocol {} only allow 1"
 msgstr "プロトコル {} のユーザーと同じユーザー名は1のみ許可します"
 
-#: assets/serializers/system_user.py:121 common/validators.py:14
+#: assets/serializers/system_user.py:118 common/validators.py:14
 msgid "Special char not allowed"
 msgstr "特別なcharは許可されていません"
 
-#: assets/serializers/system_user.py:131
+#: assets/serializers/system_user.py:128
 msgid "* Automatic login mode must fill in the username."
 msgstr "* 自動ログインモードはユーザー名を入力する必要があります。"
 
-#: assets/serializers/system_user.py:146
+#: assets/serializers/system_user.py:143
 msgid "Path should starts with /"
 msgstr "パスは/で始まる必要があります"
 
-#: assets/serializers/system_user.py:158
+#: assets/serializers/system_user.py:155
 msgid "Password or private key required"
 msgstr "パスワードまたは秘密鍵が必要"
 
-#: assets/serializers/system_user.py:172
+#: assets/serializers/system_user.py:169
 msgid "Only ssh protocol system users are allowed"
 msgstr "Sshプロトコルシステムユーザーのみが許可されています"
 
-#: assets/serializers/system_user.py:176
+#: assets/serializers/system_user.py:173
 msgid "The protocol must be consistent with the current user: {}"
 msgstr "プロトコルは現在のユーザーと一致している必要があります: {}"
 
-#: assets/serializers/system_user.py:180
+#: assets/serializers/system_user.py:177
 msgid "Only system users with automatic login are allowed"
 msgstr "自動ログインを持つシステムユーザーのみが許可されます"
 
-#: assets/serializers/system_user.py:288
+#: assets/serializers/system_user.py:284
 msgid "System user name"
 msgstr "システムユーザー名"
 
-#: assets/serializers/system_user.py:289 orgs/mixins/serializers.py:26
+#: assets/serializers/system_user.py:285 orgs/mixins/serializers.py:26
 #: rbac/serializers/rolebinding.py:23
 msgid "Org name"
 msgstr "組織名"
 
-#: assets/serializers/system_user.py:298
+#: assets/serializers/system_user.py:294
 msgid "Asset hostname"
 msgstr "資産ホスト名"
 
-#: assets/serializers/utils.py:11
+#: assets/serializers/utils.py:13
 msgid "Password can not contains `{{` "
 msgstr "パスワードには '{{' を含まない"
 
-#: assets/serializers/utils.py:14
+#: assets/serializers/utils.py:16
 msgid "Password can not contains `'` "
 msgstr "パスワードには `'` を含まない"
 
-#: assets/serializers/utils.py:16
+#: assets/serializers/utils.py:18
 msgid "Password can not contains `\"` "
 msgstr "パスワードには `\"` を含まない"
 
@@ -1429,6 +1424,10 @@ msgid "For security, do not push user {}"
 msgstr "セキュリティのために、ユーザー {} をプッシュしないでください"
 
 #: assets/tasks/utils.py:55
+msgid "Asset protocol not support system user protocol, skipped: {}"
+msgstr "アセット プロトコルはシステム ユーザー プロトコルをサポートしていません。次をスキップします: {}"
+
+#: assets/tasks/utils.py:59
 msgid "No assets matched, stop task"
 msgstr "一致する資産がない、タスクを停止"
 
@@ -1664,7 +1663,8 @@ msgstr "企業微信"
 
 #: audits/signal_handlers.py:62 authentication/views/feishu.py:144
 #: authentication/views/login.py:85 notifications/backends/__init__.py:14
-#: settings/serializers/auth/feishu.py:10 users/models/user.py:736
+#: settings/serializers/auth/feishu.py:10
+#: settings/serializers/auth/feishu.py:13 users/models/user.py:736
 msgid "FeiShu"
 msgstr "本を飛ばす"
 
@@ -1722,7 +1722,7 @@ msgid "Authentication"
 msgstr "認証"
 
 #: authentication/backends/custom.py:58
-#: authentication/backends/oauth2/backends.py:158 authentication/models.py:158
+#: authentication/backends/oauth2/backends.py:167 authentication/models.py:158
 msgid "User invalid, disabled or expired"
 msgstr "ユーザーが無効、無効、または期限切れです"
 
@@ -1937,15 +1937,15 @@ msgstr "本を飛ばすは拘束されていません"
 msgid "Your password is invalid"
 msgstr "パスワードが無効です"
 
-#: authentication/errors/redirect.py:85 authentication/mixins.py:306
+#: authentication/errors/redirect.py:85 authentication/mixins.py:307
 msgid "Your password is too simple, please change it for security"
 msgstr "パスワードがシンプルすぎるので、セキュリティのために変更してください"
 
-#: authentication/errors/redirect.py:93 authentication/mixins.py:313
+#: authentication/errors/redirect.py:93 authentication/mixins.py:314
 msgid "You should to change your password before login"
 msgstr "ログインする前にパスワードを変更する必要があります"
 
-#: authentication/errors/redirect.py:101 authentication/mixins.py:320
+#: authentication/errors/redirect.py:101 authentication/mixins.py:321
 msgid "Your password has expired, please reset before logging in"
 msgstr ""
 "パスワードの有効期限が切れました。ログインする前にリセットしてください。"
@@ -2044,15 +2044,15 @@ msgstr "電話番号を設定して有効にする"
 msgid "Clear phone number to disable"
 msgstr "無効にする電話番号をクリアする"
 
-#: authentication/middleware.py:76 settings/utils/ldap.py:652
+#: authentication/middleware.py:88 settings/utils/ldap.py:652
 msgid "Authentication failed (before login check failed): {}"
 msgstr "認証に失敗しました (ログインチェックが失敗する前): {}"
 
-#: authentication/mixins.py:256
+#: authentication/mixins.py:257
 msgid "The MFA type ({}) is not enabled"
 msgstr "MFAタイプ ({}) が有効になっていない"
 
-#: authentication/mixins.py:296
+#: authentication/mixins.py:297
 msgid "Please change your password"
 msgstr "パスワードを変更してください"
 
@@ -2263,7 +2263,7 @@ msgstr "コードエラー"
 #: authentication/templates/authentication/_msg_reset_password_code.html:9
 #: authentication/templates/authentication/_msg_rest_password_success.html:2
 #: authentication/templates/authentication/_msg_rest_public_key_success.html:2
-#: jumpserver/conf.py:413 ops/tasks.py:145 ops/tasks.py:148
+#: jumpserver/conf.py:417 ops/tasks.py:145 ops/tasks.py:148
 #: perms/templates/perms/_msg_item_permissions_expire.html:3
 #: perms/templates/perms/_msg_permed_items_expire.html:3
 #: tickets/templates/tickets/approve_check_password.html:33
@@ -2747,11 +2747,11 @@ msgstr "特殊文字を含むべきではない"
 msgid "The mobile phone number format is incorrect"
 msgstr "携帯電話番号の形式が正しくありません"
 
-#: jumpserver/conf.py:412
+#: jumpserver/conf.py:416
 msgid "Create account successfully"
 msgstr "アカウントを正常に作成"
 
-#: jumpserver/conf.py:414
+#: jumpserver/conf.py:418
 msgid "Your account has been created successfully"
 msgstr "アカウントが正常に作成されました"
 
@@ -3198,6 +3198,10 @@ msgstr "ユーザーグループの量"
 msgid "System users amount"
 msgstr "システムユーザー数"
 
+#: perms/serializers/application/permission.py:46
+msgid "Apps amount"
+msgstr "アプリの量"
+
 #: perms/serializers/application/permission.py:79
 msgid ""
 "The application list contains applications that are different from the "
@@ -3603,7 +3607,7 @@ msgstr "CAS"
 msgid "Enable CAS Auth"
 msgstr "CAS 認証の有効化"
 
-#: settings/serializers/auth/cas.py:13 settings/serializers/auth/oidc.py:49
+#: settings/serializers/auth/cas.py:13 settings/serializers/auth/oidc.py:54
 msgid "Server url"
 msgstr "サービス側アドレス"
 
@@ -3636,7 +3640,7 @@ msgstr "そうでない場合はユーザーを作成"
 msgid "Enable DingTalk Auth"
 msgstr "ピン認証の有効化"
 
-#: settings/serializers/auth/feishu.py:14
+#: settings/serializers/auth/feishu.py:16
 msgid "Enable FeiShu Auth"
 msgstr "飛本認証の有効化"
 
@@ -3723,11 +3727,11 @@ msgstr "クライアントID"
 msgid "Client Secret"
 msgstr "クライアント秘密"
 
-#: settings/serializers/auth/oauth2.py:40 settings/serializers/auth/oidc.py:63
+#: settings/serializers/auth/oauth2.py:40 settings/serializers/auth/oidc.py:68
 msgid "Provider auth endpoint"
 msgstr "認証エンドポイントアドレス"
 
-#: settings/serializers/auth/oauth2.py:43 settings/serializers/auth/oidc.py:66
+#: settings/serializers/auth/oauth2.py:43 settings/serializers/auth/oidc.py:71
 msgid "Provider token endpoint"
 msgstr "プロバイダートークンエンドポイント"
 
@@ -3735,15 +3739,15 @@ msgstr "プロバイダートークンエンドポイント"
 msgid "Client authentication method"
 msgstr "クライアント認証方式"
 
-#: settings/serializers/auth/oauth2.py:50 settings/serializers/auth/oidc.py:72
+#: settings/serializers/auth/oauth2.py:50 settings/serializers/auth/oidc.py:77
 msgid "Provider userinfo endpoint"
 msgstr "プロバイダーuserinfoエンドポイント"
 
-#: settings/serializers/auth/oauth2.py:53 settings/serializers/auth/oidc.py:75
+#: settings/serializers/auth/oauth2.py:53 settings/serializers/auth/oidc.py:80
 msgid "Provider end session endpoint"
 msgstr "プロバイダーのセッション終了エンドポイント"
 
-#: settings/serializers/auth/oauth2.py:60 settings/serializers/auth/oidc.py:93
+#: settings/serializers/auth/oauth2.py:60 settings/serializers/auth/oidc.py:98
 #: settings/serializers/auth/saml2.py:35
 msgid "Always update user"
 msgstr "常にユーザーを更新"
@@ -3772,51 +3776,59 @@ msgstr ""
 "ユーザー属性マッピングは、OpenIDのユーザー属性をjumpserverユーザーにマッピン"
 "グする方法、username, name,emailはjumpserverのユーザーが必要とする属性です"
 
-#: settings/serializers/auth/oidc.py:46
+#: settings/serializers/auth/oidc.py:41
+msgid "Enable PKCE"
+msgstr "启启PKCE"
+
+#: settings/serializers/auth/oidc.py:43
+msgid "Code challenge method"
+msgstr "Code暗号化方式です"
+
+#: settings/serializers/auth/oidc.py:51
 msgid "Use Keycloak"
 msgstr "Keycloakを使用する"
 
-#: settings/serializers/auth/oidc.py:52
+#: settings/serializers/auth/oidc.py:57
 msgid "Realm name"
 msgstr "レルム名"
 
-#: settings/serializers/auth/oidc.py:58
+#: settings/serializers/auth/oidc.py:63
 msgid "Enable OPENID Auth"
 msgstr "OIDC認証の有効化"
 
-#: settings/serializers/auth/oidc.py:60
+#: settings/serializers/auth/oidc.py:65
 msgid "Provider endpoint"
 msgstr "プロバイダーエンドポイント"
 
-#: settings/serializers/auth/oidc.py:69
+#: settings/serializers/auth/oidc.py:74
 msgid "Provider jwks endpoint"
 msgstr "プロバイダーjwksエンドポイント"
 
-#: settings/serializers/auth/oidc.py:78
+#: settings/serializers/auth/oidc.py:83
 msgid "Provider sign alg"
 msgstr "プロビダーサインalg"
 
-#: settings/serializers/auth/oidc.py:81
+#: settings/serializers/auth/oidc.py:86
 msgid "Provider sign key"
 msgstr "プロバイダ署名キー"
 
-#: settings/serializers/auth/oidc.py:83
+#: settings/serializers/auth/oidc.py:88
 msgid "Scopes"
 msgstr "スコープ"
 
-#: settings/serializers/auth/oidc.py:85
+#: settings/serializers/auth/oidc.py:90
 msgid "Id token max age"
 msgstr "IDトークンの最大年齢"
 
-#: settings/serializers/auth/oidc.py:88
+#: settings/serializers/auth/oidc.py:93
 msgid "Id token include claims"
 msgstr "IDトークンにはクレームが含まれます"
 
-#: settings/serializers/auth/oidc.py:90
+#: settings/serializers/auth/oidc.py:95
 msgid "Use state"
 msgstr "使用状態"
 
-#: settings/serializers/auth/oidc.py:91
+#: settings/serializers/auth/oidc.py:96
 msgid "Use nonce"
 msgstr "Nonceを使用"
 
@@ -4731,8 +4743,8 @@ msgstr "期限切れです。"
 #, python-format
 msgid ""
 "\n"
-"                Your password has expired, please click <a href="
-"\"%(user_password_update_url)s\"> this link </a> update password.\n"
+"                Your password has expired, please click <a "
+"href=\"%(user_password_update_url)s\"> this link </a> update password.\n"
 "            "
 msgstr ""
 "\n"
@@ -4753,34 +4765,34 @@ msgid ""
 "            "
 msgstr ""
 "\n"
-"                クリックしてください <a href=\"%(user_password_update_url)s"
-"\"> リンク </a> パスワードの更新\n"
+"                クリックしてください <a "
+"href=\"%(user_password_update_url)s\"> リンク </a> パスワードの更新\n"
 "        "
 
 #: templates/_message.html:43
 #, python-format
 msgid ""
 "\n"
-"        Your information was incomplete. Please click <a href="
-"\"%(first_login_url)s\"> this link </a>to complete your information.\n"
+"        Your information was incomplete. Please click <a "
+"href=\"%(first_login_url)s\"> this link </a>to complete your information.\n"
 "        "
 msgstr ""
 "\n"
-"                あなたの情報が不完全なので、クリックしてください。 <a href="
-"\"%(first_login_url)s\"> リンク </a> 補完\n"
+"                あなたの情報が不完全なので、クリックしてください。 <a "
+"href=\"%(first_login_url)s\"> リンク </a> 補完\n"
 "                "
 
 #: templates/_message.html:56
 #, python-format
 msgid ""
 "\n"
-"        Your ssh public key not set or expired. Please click <a href="
-"\"%(user_pubkey_update)s\"> this link </a>to update\n"
+"        Your ssh public key not set or expired. Please click <a "
+"href=\"%(user_pubkey_update)s\"> this link </a>to update\n"
 "        "
 msgstr ""
 "\n"
-"                SSHキーが設定されていないか無効になっている場合は、 <a href="
-"\"%(user_pubkey_update)s\"> リンク </a> 更新\n"
+"                SSHキーが設定されていないか無効になっている場合は、 <a "
+"href=\"%(user_pubkey_update)s\"> リンク </a> 更新\n"
 "        "
 
 #: templates/_mfa_login_field.html:28
@@ -5000,7 +5012,7 @@ msgid "RDP Port"
 msgstr "RDP ポート"
 
 #: terminal/models/endpoint.py:27 terminal/models/endpoint.py:95
-#: terminal/serializers/endpoint.py:57 terminal/serializers/storage.py:38
+#: terminal/serializers/endpoint.py:61 terminal/serializers/storage.py:38
 #: terminal/serializers/storage.py:50 terminal/serializers/storage.py:80
 #: terminal/serializers/storage.py:90 terminal/serializers/storage.py:98
 msgid "Endpoint"
@@ -5038,23 +5050,23 @@ msgstr "リプレイ"
 msgid "Date end"
 msgstr "終了日"
 
-#: terminal/models/session.py:261
+#: terminal/models/session.py:265
 msgid "Session record"
 msgstr "セッション記録"
 
-#: terminal/models/session.py:263
+#: terminal/models/session.py:267
 msgid "Can monitor session"
 msgstr "セッションを監視できます"
 
-#: terminal/models/session.py:264
+#: terminal/models/session.py:268
 msgid "Can share session"
 msgstr "セッションを共有できます"
 
-#: terminal/models/session.py:265
+#: terminal/models/session.py:269
 msgid "Can terminate session"
 msgstr "セッションを終了できます"
 
-#: terminal/models/session.py:266
+#: terminal/models/session.py:270
 msgid "Can validate session action perm"
 msgstr "セッションアクションのパーマを検証できます"
 
@@ -5139,15 +5151,15 @@ msgstr "スレッド"
 msgid "Boot Time"
 msgstr "ブート時間"
 
-#: terminal/models/storage.py:29
+#: terminal/models/storage.py:28
 msgid "Default storage"
 msgstr "デフォルトのストレージ"
 
-#: terminal/models/storage.py:139 terminal/models/terminal.py:109
+#: terminal/models/storage.py:141 terminal/models/terminal.py:109
 msgid "Command storage"
 msgstr "コマンドストレージ"
 
-#: terminal/models/storage.py:199 terminal/models/terminal.py:110
+#: terminal/models/storage.py:201 terminal/models/terminal.py:110
 msgid "Replay storage"
 msgstr "再生ストレージ"
 
@@ -5191,15 +5203,15 @@ msgstr "レベル"
 msgid "Batch danger command alert"
 msgstr "一括危険コマンド警告"
 
-#: terminal/serializers/endpoint.py:14
+#: terminal/serializers/endpoint.py:15
 msgid "Magnus listen db port"
 msgstr "Magnus がリッスンするデータベース ポート"
 
-#: terminal/serializers/endpoint.py:17
+#: terminal/serializers/endpoint.py:18
 msgid "Magnus Listen port range"
 msgstr "Magnus がリッスンするポート範囲"
 
-#: terminal/serializers/endpoint.py:19
+#: terminal/serializers/endpoint.py:20
 msgid ""
 "The range of ports that Magnus listens on is modified in the configuration "
 "file"
@@ -5207,10 +5219,15 @@ msgstr "Magnus がリッスンするポート範囲を構成ファイルで変
 
 #: terminal/serializers/endpoint.py:51
 msgid ""
-"If asset IP addresses under different endpoints conflict, use asset labels"
+"Format for comma-delimited string, with * indicating a match all. Such as: "
+"192.168.10.1, 192.168.1.0/24, 10.1.1.1-10.1.1.20, 2001:db8:2de::e13, 2001:"
+"db8:1a:1110::/64<br>If asset IP addresses under different endpoints "
+"conflict, use asset labels"
 msgstr ""
-"異なるエンドポイントの下に競合するアセットIPがある場合は、アセットタグを使用"
-"して実装します"
+"コンマ区切り文字列の形式。* はすべて一致することを示します。例: "
+"192.168.10.1、192.168.1.0/24、10.1.1.1-10.1.1.20、2001:db8:2de::e13、2001:"
+"db8:1a:1110:::/64<br>異なるエンドポイントの下に競合するアセットIPがある場合"
+"は、アセットタグを使用して実装します"
 
 #: terminal/serializers/session.py:15 terminal/serializers/session.py:42
 msgid "Terminal display"
@@ -5334,7 +5351,7 @@ msgstr "見つかりません"
 msgid "view"
 msgstr "表示"
 
-#: terminal/utils/db_port_mapper.py:65
+#: terminal/utils/db_port_mapper.py:78
 msgid ""
 "No available port is matched. The number of databases may have exceeded the "
 "number of ports open to the database agent service, Contact the "
@@ -5344,7 +5361,7 @@ msgstr ""
 "サービスによって開かれたポートの数を超えた可能性があります。さらにポートを開"
 "くには、管理者に連絡してください。"
 
-#: terminal/utils/db_port_mapper.py:91
+#: terminal/utils/db_port_mapper.py:104
 msgid ""
 "No ports can be used, check and modify the limit on the number of ports that "
 "Magnus listens on in the configuration file."
@@ -5352,7 +5369,7 @@ msgstr ""
 "使用できるポートがありません。設定ファイルで Magnus がリッスンするポート数の"
 "制限を確認して変更してください. "
 
-#: terminal/utils/db_port_mapper.py:93
+#: terminal/utils/db_port_mapper.py:106
 msgid "All available port count: {}, Already use port count: {}"
 msgstr "使用可能なすべてのポート数: {}、すでに使用しているポート数: {}"
 
@@ -5444,19 +5461,19 @@ msgstr ""
 "チケットのタイトル: {} チケット申請者: {} チケットプロセッサ: {} チケットID: "
 "{}"
 
-#: tickets/handlers/base.py:84
+#: tickets/handlers/base.py:86
 msgid "Change field"
 msgstr "フィールドを変更"
 
-#: tickets/handlers/base.py:84
+#: tickets/handlers/base.py:86
 msgid "Before change"
 msgstr "変更前"
 
-#: tickets/handlers/base.py:84
+#: tickets/handlers/base.py:86
 msgid "After change"
 msgstr "変更後"
 
-#: tickets/handlers/base.py:96
+#: tickets/handlers/base.py:98
 msgid "{} {} the ticket"
 msgstr "{} {} チケット"
 
@@ -7071,3 +7088,9 @@ msgstr "究極のエディション"
 #: xpack/plugins/license/models.py:77
 msgid "Community edition"
 msgstr "コミュニティ版"
+
+#~ msgid ""
+#~ "If asset IP addresses under different endpoints conflict, use asset labels"
+#~ msgstr ""
+#~ "異なるエンドポイントの下に競合するアセットIPがある場合は、アセットタグを使"
+#~ "用して実装します"

apps/locale/zh/LC_MESSAGES/django.mo

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:b143c62843946c3e18b623d05065f12e9d3c578efe5cd0d2016056d2b8448ae8
-size 109495
+oid sha256:62e47d2577f103b524a1ae75e3357cdeb5f90d89f89c58a8c8fa8f63d67749f8
+size 110097

apps/locale/zh/LC_MESSAGES/django.po

@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: JumpServer 0.3.3\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-11-17 17:34+0800\n"
+"POT-Creation-Date: 2023-05-08 18:10+0800\n"
 "PO-Revision-Date: 2021-05-20 10:54+0800\n"
 "Last-Translator: ibuler <ibuler@qq.com>\n"
 "Language-Team: JumpServer team<ibuler@qq.com>\n"
@@ -23,13 +23,13 @@ msgstr "访问控制"
 
 #: acls/models/base.py:25 acls/serializers/login_asset_acl.py:47
 #: applications/models/application.py:219 assets/models/asset.py:138
-#: assets/models/base.py:175 assets/models/cluster.py:18
+#: assets/models/base.py:177 assets/models/cluster.py:18
 #: assets/models/cmd_filter.py:27 assets/models/domain.py:23
 #: assets/models/group.py:20 assets/models/label.py:18 ops/mixin.py:24
 #: orgs/models.py:70 perms/models/base.py:83 rbac/models/role.py:29
 #: settings/models.py:33 settings/serializers/sms.py:6
 #: terminal/models/endpoint.py:14 terminal/models/endpoint.py:87
-#: terminal/models/storage.py:27 terminal/models/task.py:16
+#: terminal/models/storage.py:26 terminal/models/task.py:16
 #: terminal/models/terminal.py:101 users/forms/profile.py:33
 #: users/models/group.py:15 users/models/user.py:673
 #: xpack/plugins/cloud/models.py:27
@@ -54,14 +54,14 @@ msgstr "激活中"
 
 #: acls/models/base.py:32 applications/models/application.py:232
 #: assets/models/asset.py:143 assets/models/asset.py:231
-#: assets/models/backup.py:54 assets/models/base.py:180
+#: assets/models/backup.py:54 assets/models/base.py:182
 #: assets/models/cluster.py:29 assets/models/cmd_filter.py:52
 #: assets/models/cmd_filter.py:100 assets/models/domain.py:24
 #: assets/models/domain.py:65 assets/models/group.py:23
 #: assets/models/label.py:23 ops/models/adhoc.py:38 orgs/models.py:73
 #: perms/models/base.py:93 rbac/models/role.py:37 settings/models.py:38
 #: terminal/models/endpoint.py:22 terminal/models/endpoint.py:97
-#: terminal/models/storage.py:30 terminal/models/terminal.py:115
+#: terminal/models/storage.py:29 terminal/models/terminal.py:115
 #: tickets/models/comment.py:32 tickets/models/ticket/general.py:288
 #: users/models/group.py:16 users/models/user.py:712
 #: xpack/plugins/change_auth_plan/models/base.py:44
@@ -130,7 +130,7 @@ msgstr "系统用户"
 #: assets/models/asset.py:386 assets/models/authbook.py:19
 #: assets/models/backup.py:31 assets/models/cmd_filter.py:42
 #: assets/models/gathered_user.py:14 assets/serializers/label.py:30
-#: assets/serializers/system_user.py:268 audits/models.py:40
+#: assets/serializers/system_user.py:264 audits/models.py:40
 #: authentication/models.py:66 authentication/models.py:90
 #: perms/models/asset_permission.py:23 terminal/backends/command/models.py:21
 #: terminal/backends/command/serializers.py:14 terminal/models/session.py:47
@@ -154,7 +154,7 @@ msgid "Format for comma-delimited string, with * indicating a match all. "
 msgstr "格式为逗号分隔的字符串, * 表示匹配所有. "
 
 #: acls/serializers/login_acl.py:15 acls/serializers/login_asset_acl.py:17
-#: acls/serializers/login_asset_acl.py:51 assets/models/base.py:176
+#: acls/serializers/login_asset_acl.py:51 assets/models/base.py:178
 #: assets/models/gathered_user.py:15 audits/models.py:139
 #: authentication/forms.py:25 authentication/forms.py:27
 #: authentication/models.py:260
@@ -184,7 +184,7 @@ msgstr ""
 #: authentication/templates/authentication/_msg_oauth_bind.html:12
 #: authentication/templates/authentication/_msg_rest_password_success.html:8
 #: authentication/templates/authentication/_msg_rest_public_key_success.html:8
-#: settings/serializers/terminal.py:10 terminal/serializers/endpoint.py:54
+#: settings/serializers/terminal.py:10 terminal/serializers/endpoint.py:58
 msgid "IP"
 msgstr "IP"
 
@@ -264,7 +264,7 @@ msgid "Application"
 msgstr "应用程序"
 
 #: applications/models/account.py:15 assets/models/authbook.py:20
-#: assets/models/cmd_filter.py:46 assets/models/user.py:343 audits/models.py:41
+#: assets/models/cmd_filter.py:46 assets/models/user.py:354 audits/models.py:41
 #: authentication/models.py:83 perms/models/application_permission.py:33
 #: perms/models/asset_permission.py:25 terminal/backends/command/models.py:22
 #: terminal/backends/command/serializers.py:36 terminal/models/session.py:49
@@ -275,7 +275,7 @@ msgid "System user"
 msgstr "系统用户"
 
 #: applications/models/account.py:17 assets/models/authbook.py:21
-#: settings/serializers/auth/cas.py:20
+#: settings/serializers/auth/cas.py:20 settings/serializers/auth/feishu.py:20
 msgid "Version"
 msgstr "版本"
 
@@ -305,7 +305,7 @@ msgstr "类别"
 #: assets/models/cmd_filter.py:86 assets/models/user.py:251
 #: authentication/models.py:70 perms/models/application_permission.py:24
 #: perms/serializers/application/user_permission.py:34
-#: terminal/models/storage.py:59 terminal/models/storage.py:145
+#: terminal/models/storage.py:58 terminal/models/storage.py:147
 #: tickets/models/comment.py:26 tickets/models/flow.py:57
 #: tickets/models/ticket/apply_application.py:18
 #: tickets/models/ticket/general.py:273
@@ -348,7 +348,7 @@ msgid "Type display"
 msgstr "类型名称"
 
 #: applications/serializers/application.py:105 assets/models/asset.py:230
-#: assets/models/base.py:181 assets/models/cluster.py:26
+#: assets/models/base.py:183 assets/models/cluster.py:26
 #: assets/models/cmd_filter.py:53 assets/models/domain.py:26
 #: assets/models/gathered_user.py:19 assets/models/group.py:22
 #: assets/models/label.py:25 assets/serializers/account.py:18
@@ -362,7 +362,7 @@ msgstr "类型名称"
 msgid "Date created"
 msgstr "创建日期"
 
-#: applications/serializers/application.py:106 assets/models/base.py:182
+#: applications/serializers/application.py:106 assets/models/base.py:184
 #: assets/models/cmd_filter.py:54 assets/models/gathered_user.py:20
 #: assets/serializers/account.py:21 assets/serializers/cmd_filter.py:29
 #: assets/serializers/cmd_filter.py:49 common/db/models.py:117
@@ -440,7 +440,7 @@ msgid "Application path"
 msgstr "应用路径"
 
 #: applications/serializers/attrs/application_category/remote_app.py:44
-#: assets/serializers/system_user.py:167
+#: assets/serializers/system_user.py:164
 #: tickets/serializers/ticket/apply_application.py:38
 #: tickets/serializers/ticket/common.py:59
 #: xpack/plugins/change_auth_plan/serializers/asset.py:67
@@ -627,7 +627,7 @@ msgid "Is active"
 msgstr "激活"
 
 #: assets/models/asset.py:222 assets/models/cluster.py:19
-#: assets/models/user.py:240 assets/models/user.py:395
+#: assets/models/user.py:240 assets/models/user.py:406
 msgid "Admin user"
 msgstr "特权用户"
 
@@ -643,7 +643,7 @@ msgstr "资产编号"
 msgid "Labels"
 msgstr "标签管理"
 
-#: assets/models/asset.py:229 assets/models/base.py:183
+#: assets/models/asset.py:229 assets/models/base.py:185
 #: assets/models/cluster.py:28 assets/models/cmd_filter.py:56
 #: assets/models/cmd_filter.py:103 assets/models/group.py:21
 #: common/db/models.py:114 common/mixins/models.py:49 orgs/models.py:71
@@ -779,32 +779,32 @@ msgstr "是否成功"
 msgid "Account backup execution"
 msgstr "账号备份执行"
 
-#: assets/models/base.py:30 assets/tasks/const.py:51 audits/const.py:5
+#: assets/models/base.py:29 assets/tasks/const.py:51 audits/const.py:5
 #: common/utils/ip/geoip/utils.py:31 common/utils/ip/geoip/utils.py:37
 #: common/utils/ip/utils.py:84
 msgid "Unknown"
 msgstr "未知"
 
-#: assets/models/base.py:31
+#: assets/models/base.py:30
 msgid "Ok"
 msgstr "成功"
 
-#: assets/models/base.py:32 audits/models.py:136
+#: assets/models/base.py:31 audits/models.py:136
 #: xpack/plugins/change_auth_plan/serializers/app.py:88
 #: xpack/plugins/change_auth_plan/serializers/asset.py:199
 #: xpack/plugins/cloud/const.py:41
 msgid "Failed"
 msgstr "失败"
 
-#: assets/models/base.py:38 assets/serializers/domain.py:47
+#: assets/models/base.py:37 assets/serializers/domain.py:47
 msgid "Connectivity"
 msgstr "可连接性"
 
-#: assets/models/base.py:40 authentication/models.py:263
+#: assets/models/base.py:39 authentication/models.py:263
 msgid "Date verified"
 msgstr "校验日期"
 
-#: assets/models/base.py:177 assets/serializers/base.py:15
+#: assets/models/base.py:179 assets/serializers/base.py:14
 #: assets/serializers/base.py:37 assets/serializers/system_user.py:29
 #: audits/signal_handlers.py:58 authentication/confirm/password.py:9
 #: authentication/forms.py:32
@@ -822,14 +822,14 @@ msgstr "校验日期"
 msgid "Password"
 msgstr "密码"
 
-#: assets/models/base.py:178 assets/serializers/base.py:41
+#: assets/models/base.py:180 assets/serializers/base.py:41
 #: xpack/plugins/change_auth_plan/models/asset.py:53
 #: xpack/plugins/change_auth_plan/models/asset.py:130
 #: xpack/plugins/change_auth_plan/models/asset.py:206
 msgid "SSH private key"
 msgstr "SSH密钥"
 
-#: assets/models/base.py:179 xpack/plugins/change_auth_plan/models/asset.py:56
+#: assets/models/base.py:181 xpack/plugins/change_auth_plan/models/asset.py:56
 #: xpack/plugins/change_auth_plan/models/asset.py:126
 #: xpack/plugins/change_auth_plan/models/asset.py:202
 msgid "SSH public key"
@@ -882,7 +882,7 @@ msgstr "默认Cluster"
 msgid "User group"
 msgstr "用户组"
 
-#: assets/models/cmd_filter.py:64 assets/serializers/system_user.py:59
+#: assets/models/cmd_filter.py:64 assets/serializers/system_user.py:56
 msgid "Command filter"
 msgstr "命令过滤器"
 
@@ -947,7 +947,7 @@ msgstr "测试网关"
 msgid "Unable to connect to port {port} on {ip}"
 msgstr "无法连接到 {ip} 上的端口 {port}"
 
-#: assets/models/domain.py:134 authentication/middleware.py:75
+#: assets/models/domain.py:134 authentication/middleware.py:87
 #: xpack/plugins/cloud/providers/fc.py:48
 msgid "Authentication failed"
 msgstr "认证失败"
@@ -1008,7 +1008,7 @@ msgstr "全称"
 msgid "Parent key"
 msgstr "ssh私钥"
 
-#: assets/models/node.py:566 assets/serializers/system_user.py:267
+#: assets/models/node.py:566 assets/serializers/system_user.py:263
 #: xpack/plugins/cloud/models.py:95 xpack/plugins/cloud/serializers/task.py:75
 msgid "Node"
 msgstr "节点"
@@ -1088,7 +1088,7 @@ msgstr "用户切换"
 msgid "Switch from"
 msgstr "切换自"
 
-#: assets/models/user.py:345
+#: assets/models/user.py:356
 msgid "Can match system user"
 msgstr "可以匹配系统用户"
 
@@ -1182,7 +1182,7 @@ msgstr "ssh私钥"
 msgid "Key password"
 msgstr "密钥密码"
 
-#: assets/serializers/base.py:58
+#: assets/serializers/base.py:58 assets/serializers/utils.py:24
 msgid "private key invalid or passphrase error"
 msgstr "密钥不合法或密钥密码错误"
 
@@ -1195,7 +1195,7 @@ msgid "Pattern"
 msgstr "模式"
 
 #: assets/serializers/domain.py:14 assets/serializers/label.py:12
-#: assets/serializers/system_user.py:63
+#: assets/serializers/system_user.py:60
 #: perms/serializers/asset/permission.py:49
 msgid "Assets amount"
 msgstr "资产数量"
@@ -1224,86 +1224,81 @@ msgstr "同级别节点名字不能重复"
 msgid "SSH key fingerprint"
 msgstr "密钥指纹"
 
-#: assets/serializers/system_user.py:40
-#: perms/serializers/application/permission.py:46
-msgid "Apps amount"
-msgstr "应用数量"
-
-#: assets/serializers/system_user.py:62
+#: assets/serializers/system_user.py:59
 #: perms/serializers/asset/permission.py:50
 msgid "Nodes amount"
 msgstr "节点数量"
 
-#: assets/serializers/system_user.py:64 assets/serializers/system_user.py:269
+#: assets/serializers/system_user.py:61 assets/serializers/system_user.py:265
 msgid "Login mode display"
 msgstr "认证方式名称"
 
-#: assets/serializers/system_user.py:66
+#: assets/serializers/system_user.py:63
 msgid "Ad domain"
 msgstr "Ad 网域"
 
-#: assets/serializers/system_user.py:67
+#: assets/serializers/system_user.py:64
 msgid "Is asset protocol"
 msgstr "资产协议"
 
-#: assets/serializers/system_user.py:68
+#: assets/serializers/system_user.py:65
 msgid "Only ssh and automatic login system users are supported"
 msgstr "仅支持ssh协议和自动登录的系统用户"
 
-#: assets/serializers/system_user.py:108
+#: assets/serializers/system_user.py:105
 msgid "Username same with user with protocol {} only allow 1"
 msgstr "用户名和用户相同的一种协议只允许存在一个"
 
-#: assets/serializers/system_user.py:121 common/validators.py:14
+#: assets/serializers/system_user.py:118 common/validators.py:14
 msgid "Special char not allowed"
 msgstr "不能包含特殊字符"
 
-#: assets/serializers/system_user.py:131
+#: assets/serializers/system_user.py:128
 msgid "* Automatic login mode must fill in the username."
 msgstr "自动登录模式，必须填写用户名"
 
-#: assets/serializers/system_user.py:146
+#: assets/serializers/system_user.py:143
 msgid "Path should starts with /"
 msgstr "路径应该以 / 开头"
 
-#: assets/serializers/system_user.py:158
+#: assets/serializers/system_user.py:155
 msgid "Password or private key required"
 msgstr "密码或密钥密码需要一个"
 
-#: assets/serializers/system_user.py:172
+#: assets/serializers/system_user.py:169
 msgid "Only ssh protocol system users are allowed"
 msgstr "仅允许ssh协议的系统用户"
 
-#: assets/serializers/system_user.py:176
+#: assets/serializers/system_user.py:173
 msgid "The protocol must be consistent with the current user: {}"
 msgstr "协议必须和当前用户保持一致: {}"
 
-#: assets/serializers/system_user.py:180
+#: assets/serializers/system_user.py:177
 msgid "Only system users with automatic login are allowed"
 msgstr "仅允许自动登录的系统用户"
 
-#: assets/serializers/system_user.py:288
+#: assets/serializers/system_user.py:284
 msgid "System user name"
 msgstr "系统用户名称"
 
-#: assets/serializers/system_user.py:289 orgs/mixins/serializers.py:26
+#: assets/serializers/system_user.py:285 orgs/mixins/serializers.py:26
 #: rbac/serializers/rolebinding.py:23
 msgid "Org name"
 msgstr "组织名称"
 
-#: assets/serializers/system_user.py:298
+#: assets/serializers/system_user.py:294
 msgid "Asset hostname"
 msgstr "资产主机名"
 
-#: assets/serializers/utils.py:11
+#: assets/serializers/utils.py:13
 msgid "Password can not contains `{{` "
 msgstr "密码不能包含 `{{` 字符"
 
-#: assets/serializers/utils.py:14
+#: assets/serializers/utils.py:16
 msgid "Password can not contains `'` "
 msgstr "密码不能包含 `'` 字符"
 
-#: assets/serializers/utils.py:16
+#: assets/serializers/utils.py:18
 msgid "Password can not contains `\"` "
 msgstr "密码不能包含 `\"` 字符"
 
@@ -1415,6 +1410,10 @@ msgid "For security, do not push user {}"
 msgstr "为了安全，禁止推送用户 {}"
 
 #: assets/tasks/utils.py:55
+msgid "Asset protocol not support system user protocol, skipped: {}"
+msgstr "资产协议不支持系统用户协议，跳过: {}"
+
+#: assets/tasks/utils.py:59
 msgid "No assets matched, stop task"
 msgstr "没有匹配到资产，结束任务"
 
@@ -1650,7 +1649,8 @@ msgstr "企业微信"
 
 #: audits/signal_handlers.py:62 authentication/views/feishu.py:144
 #: authentication/views/login.py:85 notifications/backends/__init__.py:14
-#: settings/serializers/auth/feishu.py:10 users/models/user.py:736
+#: settings/serializers/auth/feishu.py:10
+#: settings/serializers/auth/feishu.py:13 users/models/user.py:736
 msgid "FeiShu"
 msgstr "飞书"
 
@@ -1706,7 +1706,7 @@ msgid "Authentication"
 msgstr "认证"
 
 #: authentication/backends/custom.py:58
-#: authentication/backends/oauth2/backends.py:158 authentication/models.py:158
+#: authentication/backends/oauth2/backends.py:167 authentication/models.py:158
 msgid "User invalid, disabled or expired"
 msgstr "用户无效，已禁用或已过期"
 
@@ -1913,15 +1913,15 @@ msgstr "没有绑定飞书"
 msgid "Your password is invalid"
 msgstr "您的密码无效"
 
-#: authentication/errors/redirect.py:85 authentication/mixins.py:306
+#: authentication/errors/redirect.py:85 authentication/mixins.py:307
 msgid "Your password is too simple, please change it for security"
 msgstr "你的密码过于简单，为了安全，请修改"
 
-#: authentication/errors/redirect.py:93 authentication/mixins.py:313
+#: authentication/errors/redirect.py:93 authentication/mixins.py:314
 msgid "You should to change your password before login"
 msgstr "登录完成前，请先修改密码"
 
-#: authentication/errors/redirect.py:101 authentication/mixins.py:320
+#: authentication/errors/redirect.py:101 authentication/mixins.py:321
 msgid "Your password has expired, please reset before logging in"
 msgstr "您的密码已过期，先修改再登录"
 
@@ -2018,15 +2018,15 @@ msgstr "设置手机号码启用"
 msgid "Clear phone number to disable"
 msgstr "清空手机号码禁用"
 
-#: authentication/middleware.py:76 settings/utils/ldap.py:652
+#: authentication/middleware.py:88 settings/utils/ldap.py:652
 msgid "Authentication failed (before login check failed): {}"
 msgstr "认证失败（登录前检查失败）: {}"
 
-#: authentication/mixins.py:256
+#: authentication/mixins.py:257
 msgid "The MFA type ({}) is not enabled"
 msgstr "该 MFA ({}) 方式没有启用"
 
-#: authentication/mixins.py:296
+#: authentication/mixins.py:297
 msgid "Please change your password"
 msgstr "请修改密码"
 
@@ -2233,7 +2233,7 @@ msgstr "代码错误"
 #: authentication/templates/authentication/_msg_reset_password_code.html:9
 #: authentication/templates/authentication/_msg_rest_password_success.html:2
 #: authentication/templates/authentication/_msg_rest_public_key_success.html:2
-#: jumpserver/conf.py:413 ops/tasks.py:145 ops/tasks.py:148
+#: jumpserver/conf.py:417 ops/tasks.py:145 ops/tasks.py:148
 #: perms/templates/perms/_msg_item_permissions_expire.html:3
 #: perms/templates/perms/_msg_permed_items_expire.html:3
 #: tickets/templates/tickets/approve_check_password.html:33
@@ -2708,11 +2708,11 @@ msgstr "不能包含特殊字符"
 msgid "The mobile phone number format is incorrect"
 msgstr "手机号格式不正确"
 
-#: jumpserver/conf.py:412
+#: jumpserver/conf.py:416
 msgid "Create account successfully"
 msgstr "创建账号成功"
 
-#: jumpserver/conf.py:414
+#: jumpserver/conf.py:418
 msgid "Your account has been created successfully"
 msgstr "你的账号已创建成功"
 
@@ -3153,6 +3153,10 @@ msgstr "用户组数量"
 msgid "System users amount"
 msgstr "系统用户数量"
 
+#: perms/serializers/application/permission.py:46
+msgid "Apps amount"
+msgstr "应用数量"
+
 #: perms/serializers/application/permission.py:79
 msgid ""
 "The application list contains applications that are different from the "
@@ -3555,7 +3559,7 @@ msgstr "CAS"
 msgid "Enable CAS Auth"
 msgstr "启用 CAS 认证"
 
-#: settings/serializers/auth/cas.py:13 settings/serializers/auth/oidc.py:49
+#: settings/serializers/auth/cas.py:13 settings/serializers/auth/oidc.py:54
 msgid "Server url"
 msgstr "服务端地址"
 
@@ -3588,7 +3592,7 @@ msgstr "创建用户(如果不存在)"
 msgid "Enable DingTalk Auth"
 msgstr "启用钉钉认证"
 
-#: settings/serializers/auth/feishu.py:14
+#: settings/serializers/auth/feishu.py:16
 msgid "Enable FeiShu Auth"
 msgstr "启用飞书认证"
 
@@ -3675,11 +3679,11 @@ msgstr "客户端 ID"
 msgid "Client Secret"
 msgstr "客户端密钥"
 
-#: settings/serializers/auth/oauth2.py:40 settings/serializers/auth/oidc.py:63
+#: settings/serializers/auth/oauth2.py:40 settings/serializers/auth/oidc.py:68
 msgid "Provider auth endpoint"
 msgstr "授权端点地址"
 
-#: settings/serializers/auth/oauth2.py:43 settings/serializers/auth/oidc.py:66
+#: settings/serializers/auth/oauth2.py:43 settings/serializers/auth/oidc.py:71
 msgid "Provider token endpoint"
 msgstr "token 端点地址"
 
@@ -3687,15 +3691,15 @@ msgstr "token 端点地址"
 msgid "Client authentication method"
 msgstr "客户端认证方式"
 
-#: settings/serializers/auth/oauth2.py:50 settings/serializers/auth/oidc.py:72
+#: settings/serializers/auth/oauth2.py:50 settings/serializers/auth/oidc.py:77
 msgid "Provider userinfo endpoint"
 msgstr "用户信息端点地址"
 
-#: settings/serializers/auth/oauth2.py:53 settings/serializers/auth/oidc.py:75
+#: settings/serializers/auth/oauth2.py:53 settings/serializers/auth/oidc.py:80
 msgid "Provider end session endpoint"
 msgstr "注销会话端点地址"
 
-#: settings/serializers/auth/oauth2.py:60 settings/serializers/auth/oidc.py:93
+#: settings/serializers/auth/oauth2.py:60 settings/serializers/auth/oidc.py:98
 #: settings/serializers/auth/saml2.py:35
 msgid "Always update user"
 msgstr "总是更新用户信息"
@@ -3724,51 +3728,59 @@ msgstr ""
 "用户属性映射代表怎样将OpenID中用户属性映射到jumpserver用户上，username, name,"
 "email 是jumpserver的用户需要属性"
 
-#: settings/serializers/auth/oidc.py:46
+#: settings/serializers/auth/oidc.py:41
+msgid "Enable PKCE"
+msgstr "启用 PKCE"
+
+#: settings/serializers/auth/oidc.py:43
+msgid "Code challenge method"
+msgstr "Code加密方式"
+
+#: settings/serializers/auth/oidc.py:51
 msgid "Use Keycloak"
 msgstr "使用 Keycloak"
 
-#: settings/serializers/auth/oidc.py:52
+#: settings/serializers/auth/oidc.py:57
 msgid "Realm name"
 msgstr "域"
 
-#: settings/serializers/auth/oidc.py:58
+#: settings/serializers/auth/oidc.py:63
 msgid "Enable OPENID Auth"
 msgstr "启用 OIDC 认证"
 
-#: settings/serializers/auth/oidc.py:60
+#: settings/serializers/auth/oidc.py:65
 msgid "Provider endpoint"
 msgstr "端点地址"
 
-#: settings/serializers/auth/oidc.py:69
+#: settings/serializers/auth/oidc.py:74
 msgid "Provider jwks endpoint"
 msgstr "jwks 端点地址"
 
-#: settings/serializers/auth/oidc.py:78
+#: settings/serializers/auth/oidc.py:83
 msgid "Provider sign alg"
 msgstr "签名算法"
 
-#: settings/serializers/auth/oidc.py:81
+#: settings/serializers/auth/oidc.py:86
 msgid "Provider sign key"
 msgstr "签名 Key"
 
-#: settings/serializers/auth/oidc.py:83
+#: settings/serializers/auth/oidc.py:88
 msgid "Scopes"
 msgstr "连接范围"
 
-#: settings/serializers/auth/oidc.py:85
+#: settings/serializers/auth/oidc.py:90
 msgid "Id token max age"
 msgstr "令牌有效时间"
 
-#: settings/serializers/auth/oidc.py:88
+#: settings/serializers/auth/oidc.py:93
 msgid "Id token include claims"
 msgstr "声明"
 
-#: settings/serializers/auth/oidc.py:90
+#: settings/serializers/auth/oidc.py:95
 msgid "Use state"
 msgstr "使用状态"
 
-#: settings/serializers/auth/oidc.py:91
+#: settings/serializers/auth/oidc.py:96
 msgid "Use nonce"
 msgstr "临时使用"
 
@@ -4652,13 +4664,13 @@ msgstr "过期。"
 #, python-format
 msgid ""
 "\n"
-"                Your password has expired, please click <a href="
-"\"%(user_password_update_url)s\"> this link </a> update password.\n"
+"                Your password has expired, please click <a "
+"href=\"%(user_password_update_url)s\"> this link </a> update password.\n"
 "            "
 msgstr ""
 "\n"
-"                您的密码已经过期，请点击 <a href="
-"\"%(user_password_update_url)s\"> 链接 </a> 更新密码\n"
+"                您的密码已经过期，请点击 <a "
+"href=\"%(user_password_update_url)s\"> 链接 </a> 更新密码\n"
 "        "
 
 #: templates/_message.html:30
@@ -4682,8 +4694,8 @@ msgstr ""
 #, python-format
 msgid ""
 "\n"
-"        Your information was incomplete. Please click <a href="
-"\"%(first_login_url)s\"> this link </a>to complete your information.\n"
+"        Your information was incomplete. Please click <a "
+"href=\"%(first_login_url)s\"> this link </a>to complete your information.\n"
 "        "
 msgstr ""
 "\n"
@@ -4695,13 +4707,13 @@ msgstr ""
 #, python-format
 msgid ""
 "\n"
-"        Your ssh public key not set or expired. Please click <a href="
-"\"%(user_pubkey_update)s\"> this link </a>to update\n"
+"        Your ssh public key not set or expired. Please click <a "
+"href=\"%(user_pubkey_update)s\"> this link </a>to update\n"
 "        "
 msgstr ""
 "\n"
-"                您的SSH密钥没有设置或已失效，请点击 <a href="
-"\"%(user_pubkey_update)s\"> 链接 </a> 更新\n"
+"                您的SSH密钥没有设置或已失效，请点击 <a "
+"href=\"%(user_pubkey_update)s\"> 链接 </a> 更新\n"
 "        "
 
 #: templates/_mfa_login_field.html:28
@@ -4914,7 +4926,7 @@ msgid "RDP Port"
 msgstr "RDP 端口"
 
 #: terminal/models/endpoint.py:27 terminal/models/endpoint.py:95
-#: terminal/serializers/endpoint.py:57 terminal/serializers/storage.py:38
+#: terminal/serializers/endpoint.py:61 terminal/serializers/storage.py:38
 #: terminal/serializers/storage.py:50 terminal/serializers/storage.py:80
 #: terminal/serializers/storage.py:90 terminal/serializers/storage.py:98
 msgid "Endpoint"
@@ -4952,23 +4964,23 @@ msgstr "回放"
 msgid "Date end"
 msgstr "结束日期"
 
-#: terminal/models/session.py:261
+#: terminal/models/session.py:265
 msgid "Session record"
 msgstr "会话记录"
 
-#: terminal/models/session.py:263
+#: terminal/models/session.py:267
 msgid "Can monitor session"
 msgstr "可以监控会话"
 
-#: terminal/models/session.py:264
+#: terminal/models/session.py:268
 msgid "Can share session"
 msgstr "可以分享会话"
 
-#: terminal/models/session.py:265
+#: terminal/models/session.py:269
 msgid "Can terminate session"
 msgstr "可以终断会话"
 
-#: terminal/models/session.py:266
+#: terminal/models/session.py:270
 msgid "Can validate session action perm"
 msgstr "可以验证会话动作权限"
 
@@ -5053,15 +5065,15 @@ msgstr "线程数"
 msgid "Boot Time"
 msgstr "运行时间"
 
-#: terminal/models/storage.py:29
+#: terminal/models/storage.py:28
 msgid "Default storage"
 msgstr "默认存储"
 
-#: terminal/models/storage.py:139 terminal/models/terminal.py:109
+#: terminal/models/storage.py:141 terminal/models/terminal.py:109
 msgid "Command storage"
 msgstr "命令存储"
 
-#: terminal/models/storage.py:199 terminal/models/terminal.py:110
+#: terminal/models/storage.py:201 terminal/models/terminal.py:110
 msgid "Replay storage"
 msgstr "录像存储"
 
@@ -5105,15 +5117,15 @@ msgstr "级别"
 msgid "Batch danger command alert"
 msgstr "批量危险命令告警"
 
-#: terminal/serializers/endpoint.py:14
+#: terminal/serializers/endpoint.py:15
 msgid "Magnus listen db port"
 msgstr "Magnus 监听的数据库端口"
 
-#: terminal/serializers/endpoint.py:17
+#: terminal/serializers/endpoint.py:18
 msgid "Magnus Listen port range"
 msgstr "Magnus 监听的端口范围"
 
-#: terminal/serializers/endpoint.py:19
+#: terminal/serializers/endpoint.py:20
 msgid ""
 "The range of ports that Magnus listens on is modified in the configuration "
 "file"
@@ -5121,8 +5133,14 @@ msgstr "请在配置文件中修改 Magnus 监听的端口范围"
 
 #: terminal/serializers/endpoint.py:51
 msgid ""
-"If asset IP addresses under different endpoints conflict, use asset labels"
-msgstr "如果不同端点下的资产 IP 有冲突，使用资产标签实现"
+"Format for comma-delimited string, with * indicating a match all. Such as: "
+"192.168.10.1, 192.168.1.0/24, 10.1.1.1-10.1.1.20, 2001:db8:2de::e13, 2001:"
+"db8:1a:1110::/64<br>If asset IP addresses under different endpoints "
+"conflict, use asset labels"
+msgstr ""
+"格式为逗号分隔的字符串, * 表示匹配所有。例如: 192.168.10.1, 192.168.1.0/24, "
+"10.1.1.1-10.1.1.20, 2001:db8:2de::e13, 2001:db8:1a:1110::/64<br>如果不同端点"
+"下的资产 IP 有冲突，使用资产标签实现"
 
 #: terminal/serializers/session.py:15 terminal/serializers/session.py:42
 msgid "Terminal display"
@@ -5246,7 +5264,7 @@ msgstr "没有发现"
 msgid "view"
 msgstr "查看"
 
-#: terminal/utils/db_port_mapper.py:65
+#: terminal/utils/db_port_mapper.py:78
 msgid ""
 "No available port is matched. The number of databases may have exceeded the "
 "number of ports open to the database agent service, Contact the "
@@ -5255,13 +5273,13 @@ msgstr ""
 "未匹配到可用端口，数据库的数量可能已经超过数据库代理服务开放的端口数量，请联"
 "系管理员开放更多端口。"
 
-#: terminal/utils/db_port_mapper.py:91
+#: terminal/utils/db_port_mapper.py:104
 msgid ""
 "No ports can be used, check and modify the limit on the number of ports that "
 "Magnus listens on in the configuration file."
 msgstr "没有端口可以使用，检查并修改配置文件中 Magnus 监听的端口数量限制。"
 
-#: terminal/utils/db_port_mapper.py:93
+#: terminal/utils/db_port_mapper.py:106
 msgid "All available port count: {}, Already use port count: {}"
 msgstr "所有可用端口数量：{}，已使用端口数量：{}"
 
@@ -5351,19 +5369,19 @@ msgid ""
 msgstr ""
 "通过工单创建, 工单标题: {}, 工单申请人: {}, 工单处理人: {}, 工单 ID: {}"
 
-#: tickets/handlers/base.py:84
+#: tickets/handlers/base.py:86
 msgid "Change field"
 msgstr "变更字段"
 
-#: tickets/handlers/base.py:84
+#: tickets/handlers/base.py:86
 msgid "Before change"
 msgstr "变更前"
 
-#: tickets/handlers/base.py:84
+#: tickets/handlers/base.py:86
 msgid "After change"
 msgstr "变更后"
 
-#: tickets/handlers/base.py:96
+#: tickets/handlers/base.py:98
 msgid "{} {} the ticket"
 msgstr "{} {} 工单"
 
@@ -6961,3 +6979,7 @@ msgstr "旗舰版"
 #: xpack/plugins/license/models.py:77
 msgid "Community edition"
 msgstr "社区版"
+
+#~ msgid ""
+#~ "If asset IP addresses under different endpoints conflict, use asset labels"
+#~ msgstr "如果不同端点下的资产 IP 有冲突，使用资产标签实现"

apps/ops/api/adhoc.py

@@ -24,7 +24,7 @@ __all__ = [
 
 class TaskViewSet(OrgBulkModelViewSet):
     model = Task
-    filterset_fields = ("name",)
+    filterset_fields = ("name", "adhoc__execution__celery_task_id")
     search_fields = filterset_fields
     serializer_class = TaskSerializer
 
@@ -54,6 +54,7 @@ class TaskRun(generics.RetrieveAPIView):
 
 class AdHocViewSet(viewsets.ModelViewSet):
     queryset = AdHoc.objects.all()
+    filterset_fields = ('execution__celery_task_id', )
     serializer_class = AdHocSerializer
 
     def get_serializer_class(self):

apps/ops/api/celery.py

@@ -82,7 +82,7 @@ class CeleryResultApi(generics.RetrieveAPIView):
 
     def get_object(self):
         pk = self.kwargs.get('pk')
-        return AsyncResult(pk)
+        return AsyncResult(str(pk))
 
 
 class CeleryPeriodTaskViewSet(CommonApiMixin, viewsets.ModelViewSet):

apps/ops/celery/beat/schedulers.py

@@ -0,0 +1,80 @@
+import logging
+from celery.utils.log import get_logger
+from django.db import close_old_connections
+from django.core.exceptions import ObjectDoesNotExist
+from django.db.utils import DatabaseError, InterfaceError
+
+from django_celery_beat.schedulers import DatabaseScheduler as DJDatabaseScheduler
+
+logger = get_logger(__name__)
+debug, info, warning = logger.debug, logger.info, logger.warning
+
+
+__all__ = ['DatabaseScheduler']
+
+
+class DatabaseScheduler(DJDatabaseScheduler):
+
+    def sync(self):
+        if logger.isEnabledFor(logging.DEBUG):
+            debug('Writing entries...')
+        _tried = set()
+        _failed = set()
+        try:
+            close_old_connections()
+
+            while self._dirty:
+                name = self._dirty.pop()
+                try:
+                    # 源码
+                    # self.schedule[name].save()
+                    # _tried.add(name)
+
+                    """
+                    ::Debug Description (2023.07.10)::
+                    
+                    如果调用 self.schedule 可能会导致 self.save() 方法之前重新获取数据库中的数据, 而不是临时设置的 last_run_at 数据
+                    
+                    如果这里调用 self.schedule
+                    那么可能会导致调用 save 的 self.schedule[name] 的 last_run_at 是从数据库中获取回来的老数据
+                    而不是任务执行后临时设置的 last_run_at (在 __next__() 方法中设置的)
+                    当 `max_interval` 间隔之后, 下一个任务检测周期还是会再次执行任务
+                    
+                    ::Demo::
+                    任务信息:
+                        beat config: max_interval = 60s
+                        
+                        任务名称: cap
+                        任务执行周期: 每 3 分钟执行一次
+                        任务最后执行时间: 18:00
+                        
+                    任务第一次执行: 18:03 (执行时设置 last_run_at = 18:03, 此时在内存中)
+                    
+                    任务执行完成后, 
+                    检测到需要 sync, sync 中调用了 self.schedule,
+                    self.schedule 中发现 schedule_changed() 为 True, 需要调用 all_as_schedule()
+                    此时，sync 中调用的 self.schedule[name] 的 last_run_at 是 18:00
+                    这时候在 self.sync() 进行 self.save()
+                    
+                    
+                    beat: Waking up 60s ...
+                    
+                    任务第二次执行: 18:04 (因为获取回来的 last_run_at 是 18:00, entry.is_due() == True)
+                    
+                    ::解决方法::
+                    所以这里为了避免从数据库中获取，直接使用 _schedule #
+                    """
+                    self._schedule[name].save()
+                    _tried.add(name)
+                except (KeyError, TypeError, ObjectDoesNotExist):
+                    _failed.add(name)
+        except DatabaseError as exc:
+            logger.exception('Database error while sync: %r', exc)
+        except InterfaceError:
+            warning(
+                'DatabaseScheduler: InterfaceError in sync(), '
+                'waiting to retry in next call...'
+            )
+        finally:
+            # retry later, only for the failed ones
+            self._dirty |= _failed

apps/ops/inventory.py

@@ -2,9 +2,9 @@
 #
 
 from django.conf import settings
-from .ansible.inventory import BaseInventory
 
 from common.utils import get_logger
+from .ansible.inventory import BaseInventory
 
 __all__ = [
     'JMSInventory', 'JMSCustomInventory',
@@ -110,7 +110,10 @@ class JMSInventory(JMSBaseInventory):
 
         if self.system_user:
             self.system_user.load_asset_special_auth(asset=asset, username=self.run_as)
-            return self.system_user._to_secret_json()
+            info = self.system_user._to_secret_json()
+            if self.run_as:
+                info['username'] = self.run_as
+            return info
         else:
             return {}
 

apps/ops/serializers/adhoc.py

@@ -17,7 +17,7 @@ class AdHocExecutionSerializer(serializers.ModelSerializer):
         fields_mini = ['id']
         fields_small = fields_mini + [
             'hosts_amount', 'timedelta', 'result', 'summary', 'short_id',
-            'is_finished', 'is_success',
+            'is_finished', 'is_success', 'celery_task_id',
             'date_start', 'date_finished',
         ]
         fields_fk = ['task', 'task_display', 'adhoc', 'adhoc_short_id',]

apps/rbac/builtin.py

@@ -149,7 +149,7 @@ class BuiltinRole:
                 'User': cls.system_user.get_role(),
                 'Auditor': cls.system_auditor.get_role()
             }
-        return cls.system_role_mapper[name]
+        return cls.system_role_mapper.get(name, cls.system_role_mapper['User'])
 
     @classmethod
     def get_org_role_by_old_name(cls, name):
@@ -159,7 +159,7 @@ class BuiltinRole:
                 'User': cls.org_user.get_role(),
                 'Auditor': cls.org_auditor.get_role(),
             }
-        return cls.org_role_mapper[name]
+        return cls.org_role_mapper.get(name, cls.org_role_mapper['User'])
 
     @classmethod
     def sync_to_db(cls, show_msg=False):

apps/settings/serializers/auth/feishu.py

@@ -9,7 +9,13 @@ __all__ = ['FeiShuSettingSerializer']
 class FeiShuSettingSerializer(serializers.Serializer):
     PREFIX_TITLE = '%s-%s' % (_('Authentication'), _('FeiShu'))
 
+    VERSION_CHOICES = (
+        ('feishu', _('FeiShu')),
+        ('lark', 'Lark')
+    )
+    AUTH_FEISHU = serializers.BooleanField(default=False, label=_('Enable FeiShu Auth'))
     FEISHU_APP_ID = serializers.CharField(max_length=256, required=True, label='App ID')
     FEISHU_APP_SECRET = EncryptedField(max_length=256, required=False, label='App Secret')
-    AUTH_FEISHU = serializers.BooleanField(default=False, label=_('Enable FeiShu Auth'))
-
+    FEISHU_VERSION = serializers.ChoiceField(
+        choices=VERSION_CHOICES, default='feishu', label=_('Version')
+    )

apps/settings/serializers/auth/oidc.py

@@ -38,6 +38,11 @@ class CommonSettingSerializer(serializers.Serializer):
         help_text=_('User attr map present how to map OpenID user attr to '
                     'jumpserver, username,name,email is jumpserver attr')
     )
+    AUTH_OPENID_PKCE = serializers.BooleanField(required=False, label=_('Enable PKCE'))
+    AUTH_OPENID_CODE_CHALLENGE_METHOD = serializers.ChoiceField(
+        default='S256', label=_('Code challenge method'),
+        choices=(('S256', 'HS256'), ('plain', 'Plain'))
+    )
 
 
 class KeycloakSettingSerializer(CommonSettingSerializer):

apps/terminal/models/endpoint.py

@@ -79,7 +79,7 @@ class Endpoint(JMSModel):
             return None
         endpoints = cls.objects.filter(name__in=values).order_by('-date_updated')
         for endpoint in endpoints:
-            if endpoint.is_valid_for(protocol):
+            if endpoint.is_valid_for(instance, protocol):
                 return endpoint
 
 

apps/terminal/models/session.py

@@ -118,9 +118,13 @@ class Session(OrgModelMixin):
     def find_ok_relative_path_in_storage(self, storage):
         session_paths = self.get_all_possible_relative_path()
         for rel_path in session_paths:
-            if storage.exists(rel_path):
-                return rel_path
-
+            # storage 为多个外部存储时, 可能会因部分不可用，
+            # 抛出异常, 影响录像的获取
+            try:
+                if storage.exists(rel_path):
+                    return rel_path
+            except:
+                pass
     @property
     def asset_obj(self):
         return Asset.objects.get(id=self.asset_id)

apps/terminal/models/storage.py

@@ -19,7 +19,6 @@ from .terminal import Terminal
 from .command import Command
 from .. import const
 
-
 logger = get_logger(__file__)
 
 
@@ -37,10 +36,10 @@ class CommonStorageModelMixin(models.Model):
 
     def set_to_default(self):
         self.is_default = True
-        self.save()
-        self.__class__.objects.select_for_update()\
-            .filter(is_default=True)\
-            .exclude(id=self.id)\
+        self.save(update_fields=['is_default'])
+        self.__class__.objects.select_for_update() \
+            .filter(is_default=True) \
+            .exclude(id=self.id) \
             .update(is_default=False)
 
     @classmethod
@@ -128,7 +127,10 @@ class CommandStorage(CommonStorageModelMixin, CommonModelMixin):
 
     def save(self, force_insert=False, force_update=False, using=None,
              update_fields=None):
-        super().save()
+        super().save(
+            force_insert=force_insert, force_update=force_update,
+            using=using, update_fields=update_fields
+        )
 
         if self.type in TYPE_ENGINE_MAPPING:
             engine_mod = import_module(TYPE_ENGINE_MAPPING[self.type])

apps/terminal/serializers/endpoint.py

@@ -1,6 +1,7 @@
 from rest_framework import serializers
 from django.utils.translation import ugettext_lazy as _
 from common.drf.serializers import BulkModelSerializer
+from common.utils import lazyproperty
 from acls.serializers.rules import ip_group_child_validator, ip_group_help_text
 from ..utils import db_port_manager
 from ..models import Endpoint, EndpointRule
@@ -46,9 +47,12 @@ class EndpointSerializer(BulkModelSerializer):
 
 
 class EndpointRuleSerializer(BulkModelSerializer):
-    _ip_group_help_text = '{} <br> {}'.format(
-        ip_group_help_text,
-        _('If asset IP addresses under different endpoints conflict, use asset labels')
+    _ip_group_help_text = _(
+        'Format for comma-delimited string, with * indicating a match all. '
+        'Such as: '
+        '192.168.10.1, 192.168.1.0/24, 10.1.1.1-10.1.1.20, 2001:db8:2de::e13, 2001:db8:1a:1110::/64'
+        '<br>'
+        'If asset IP addresses under different endpoints conflict, use asset labels'
     )
     ip_group = serializers.ListField(
         default=['*'], label=_('IP'), help_text=_ip_group_help_text,

apps/terminal/serializers/terminal.py

@@ -4,7 +4,7 @@ from django.utils.translation import ugettext_lazy as _
 from common.drf.serializers import BulkModelSerializer, AdaptedBulkListSerializer
 from common.utils import is_uuid
 from users.serializers import ServiceAccountSerializer
-from common.utils import get_request_ip, pretty_string
+from common.utils import get_request_ip_or_data, pretty_string
 from .. import const
 
 from ..models import (
@@ -129,7 +129,7 @@ class TerminalRegistrationSerializer(serializers.ModelSerializer):
         request = self.context.get('request')
         instance.is_accepted = True
         if request:
-            instance.remote_addr = get_request_ip(request)
+            instance.remote_addr = get_request_ip_or_data(request)
         sa = self.service_account.create(validated_data)
         sa.system_roles.add_role_system_component()
         instance.user = sa

apps/terminal/signal_handlers.py

@@ -16,10 +16,10 @@ logger = get_logger(__file__)
 
 
 @receiver(django_ready)
-def init_db_port_mapper(sender, **kwargs):
+def check_db_port_mapper(sender, **kwargs):
     logger.info('Init db port mapper')
     try:
-        db_port_manager.init()
+        db_port_manager.check()
     except (ProgrammingError,) as e:
         pass
 

apps/terminal/utils/db_port_mapper.py

@@ -35,9 +35,22 @@ class DBPortManager(object):
     def magnus_listen_port_range(self):
         return settings.MAGNUS_PORTS
 
-    def init(self):
+    @staticmethod
+    def fetch_dbs():
         with tmp_to_root_org():
-            db_ids = Application.objects.filter(category=AppCategory.db).values_list('id', flat=True)
+            dbs = Application.objects.filter(category=AppCategory.db)
+            return dbs
+
+    def check(self):
+        dbs = self.fetch_dbs()
+        for db in dbs:
+            port = self.get_port_by_db(db, raise_exception=False)
+            if not port:
+                self.add(db)
+
+    def init(self):
+        dbs = self.fetch_dbs()
+        db_ids = dbs.values_list('id', flat=True)
         db_ids = [str(i) for i in db_ids]
         mapper = dict(zip(self.all_available_ports, list(db_ids)))
         self.set_mapper(mapper)

apps/tickets/handlers/base.py

@@ -1,12 +1,13 @@
-from django.utils.translation import ugettext as _
+import html2text
 from django.template.loader import render_to_string
+from django.utils.translation import ugettext as _
 
 from common.utils import get_logger
+from tickets.const import TicketState, TicketType
 from tickets.utils import (
     send_ticket_processed_mail_to_applicant,
     send_ticket_applied_mail_to_assignees
 )
-from tickets.const import TicketState, TicketType
 
 logger = get_logger(__name__)
 
@@ -96,11 +97,20 @@ class BaseHandler:
         approve_info = _('{} {} the ticket').format(user_display, state_display)
         context = self._diff_prev_approve_context(state)
         context.update({'approve_info': approve_info})
+        body = self.safe_html_script(
+            render_to_string('tickets/ticket_approve_diff.html', context)
+        )
         data = {
-            'body': render_to_string('tickets/ticket_approve_diff.html', context),
+            'body': body,
             'user': user,
             'user_display': str(user),
             'type': 'state',
             'state': state
         }
         return self.ticket.comments.create(**data)
+
+    @staticmethod
+    def safe_html_script(unsafe_html):
+        unsafe_html = unsafe_html.replace('\n', '')
+        html_str = html2text.html2text(unsafe_html)
+        return html_str

apps/tickets/serializers/ticket/common.py

@@ -1,5 +1,5 @@
-from django.db.transaction import atomic
 from django.db.models import Model
+from django.db.transaction import atomic
 from django.utils.translation import ugettext as _
 from rest_framework import serializers
 
@@ -69,8 +69,6 @@ class BaseApplyAssetApplicationSerializer(serializers.Serializer):
             error = _('The expiration date should be greater than the start date')
             raise serializers.ValidationError({'apply_date_expired': error})
 
-        attrs['apply_date_start'] = apply_date_start
-        attrs['apply_date_expired'] = apply_date_expired
         return attrs
 
     @atomic

apps/tickets/templates/tickets/ticket_approve_diff.html

@@ -18,7 +18,6 @@
                 {% endfor %}
             </tr>
         {% endfor %}
-
     </table>
 </div>
 {% endif %}

apps/users/models/user.py

@@ -1,30 +1,27 @@
 #!/usr/bin/env python
 # -*- coding: utf-8 -*-
 #
-import uuid
 import base64
-import string
-import random
 import datetime
+import uuid
 from typing import Callable
 
-from django.db import models
 from django.conf import settings
-from django.utils import timezone
-from django.core.cache import cache
-from django.contrib.auth.models import AbstractUser
 from django.contrib.auth.hashers import check_password
-from django.utils.translation import ugettext_lazy as _
+from django.contrib.auth.models import AbstractUser
+from django.core.cache import cache
+from django.db import models
 from django.shortcuts import reverse
+from django.utils import timezone
 from django.utils.module_loading import import_string
+from django.utils.translation import ugettext_lazy as _
 
-from orgs.utils import current_org
-from orgs.models import Organization
-from rbac.const import Scope
 from common.db import fields, models as jms_models
 from common.utils import (
     date_expired_default, get_logger, lazyproperty, random_string, bulk_create_with_signal
 )
+from orgs.utils import current_org
+from rbac.const import Scope
 from ..signals import post_user_change_password, post_user_leave_org, pre_user_leave_org
 
 __all__ = ['User', 'UserPasswordHistory']
@@ -37,6 +34,7 @@ class AuthMixin:
     history_passwords: models.Manager
     need_update_password: bool
     public_key: str
+    username: str
     is_local: bool
     set_password: Callable
     save: Callable
@@ -57,8 +55,9 @@ class AuthMixin:
 
     def set_password(self, raw_password):
         if self.can_update_password():
-            self.date_password_last_updated = timezone.now()
-            post_user_change_password.send(self.__class__, user=self)
+            if self.username:
+                self.date_password_last_updated = timezone.now()
+                post_user_change_password.send(self.__class__, user=self)
             super().set_password(raw_password)
 
     def set_public_key(self, public_key):
@@ -518,8 +517,7 @@ class TokenMixin:
         return self.access_keys.first()
 
     def generate_reset_token(self):
-        letter = string.ascii_letters + string.digits
-        token = ''.join([random.choice(letter) for _ in range(50)])
+        token = random_string(50)
         self.set_cache(token)
         return token
 

apps/users/tasks.py

@@ -4,6 +4,7 @@
 from celery import shared_task
 from django.conf import settings
 from django.utils import timezone
+from django.db import transaction
 
 from users.notifications import PasswordExpirationReminderMsg
 from ops.celery.utils import (

requirements/requirements.txt

@@ -63,7 +63,7 @@ jsonfield2==4.0.0.post0
 geoip2==4.5.0
 ipip-ipdb==1.6.1
 # Django environment
-Django==3.2.16
+Django==3.2.15
 django-bootstrap3==14.2.0
 django-filter==2.4.0
 django-formtools==2.2
@@ -128,14 +128,14 @@ kubernetes==21.7.0
 # DB requirements
 mysqlclient==2.1.0
 PyMySQL==1.0.2
-oracledb==1.0.1
+oracledb==1.2.2
 psycopg2-binary==2.9.1
-pymssql==2.1.5
+# pymssql==2.2.7
 django-mysql==3.9.0
 django-redis==5.2.0
 python-redis-lock==3.7.0
 pyOpenSSL==22.0.0
-redis==4.3.3
+redis@https://github.com/jumpserver-dev/redis-py/archive/refs/tags/v4.3.3.zip
 pymongo==4.2.0
 # Debug
 ipython==8.4.0

utils/start_celery_beat.py

@@ -26,7 +26,7 @@ connection_params = {
 
 if settings.REDIS_USE_SSL:
     connection_params['ssl'] = settings.REDIS_USE_SSL
-    connection_params['ssl_cert_reqs'] =  settings.REDIS_SSL_REQUIRED
+    connection_params['ssl_cert_reqs'] = settings.REDIS_SSL_REQUIRED
     connection_params['ssl_keyfile'] = settings.REDIS_SSL_KEY
     connection_params['ssl_certfile'] = settings.REDIS_SSL_CERT
     connection_params['ssl_ca_certs'] = settings.REDIS_SSL_CA
@@ -39,6 +39,11 @@ if REDIS_SENTINEL_SERVICE_NAME and REDIS_SENTINELS:
     connection_params['sentinels'] = REDIS_SENTINELS
     sentinel_client = Sentinel(
         **connection_params, sentinel_kwargs={
+            'ssl': settings.REDIS_USE_SSL,
+            'ssl_cert_reqs': settings.REDIS_SSL_REQUIRED,
+            'ssl_keyfile': settings.REDIS_SSL_KEY,
+            'ssl_certfile': settings.REDIS_SSL_CERT,
+            'ssl_ca_certs': settings.REDIS_SSL_CA,
             'password': REDIS_SENTINEL_PASSWORD,
             'socket_timeout': REDIS_SENTINEL_SOCKET_TIMEOUT
         }
@@ -49,7 +54,7 @@ else:
     connection_params['port'] = settings.REDIS_PORT
     redis_client = Redis(**connection_params)
 
-scheduler = "django_celery_beat.schedulers:DatabaseScheduler"
+scheduler = "ops.celery.beat.schedulers:DatabaseScheduler"
 processes = []
 cmd = [
     'celery',