Merge pull request #16316 from jumpserver/dev

v4.10.13-lts

.github/workflows/jms-generic-action-handler.yml

@@ -1,33 +1,10 @@
-on:
+on: [push, pull_request, release]
-  push:
-  pull_request:
-    types: [opened, synchronize, closed]
-  release:
-    types: [created]
 
 name: JumpServer repos generic handler
 
 jobs:
-  handle_pull_request:
+  generic_handler:
-    if: github.event_name == 'pull_request'
+    name: Run generic handler
-    runs-on: ubuntu-latest
-    steps:
-      - uses: jumpserver/action-generic-handler@master
-        env:
-          GITHUB_TOKEN: ${{ secrets.PRIVATE_TOKEN }}
-          I18N_TOKEN: ${{ secrets.I18N_TOKEN }}
-
-  handle_push:
-    if: github.event_name == 'push'
-    runs-on: ubuntu-latest
-    steps:
-      - uses: jumpserver/action-generic-handler@master
-        env:
-          GITHUB_TOKEN: ${{ secrets.PRIVATE_TOKEN }}
-          I18N_TOKEN: ${{ secrets.I18N_TOKEN }}
-
-  handle_release:
-    if: github.event_name == 'release'
     runs-on: ubuntu-latest
     steps:
       - uses: jumpserver/action-generic-handler@master

apps/assets/const/protocol.py

@@ -268,14 +268,6 @@ class Protocol(ChoicesMixin, models.TextChoices):
                 'port_from_addr': True,
                 'required': True,
                 'secret_types': ['token'],
-                'setting': {
-                    'namespace': {
-                        'type': 'str',
-                        'required': False,
-                        'default': '',
-                        'label': _('Namespace')
-                    }
-                }
             },
             cls.http: {
                 'port': 80,

apps/authentication/forms.py

@@ -50,7 +50,7 @@ class UserLoginForm(forms.Form):
 
 class UserCheckOtpCodeForm(forms.Form):
     code = forms.CharField(label=_('MFA Code'), max_length=128, required=False)
-    mfa_type = forms.CharField(label=_('MFA type'), max_length=128, required=False)
+    mfa_type = forms.CharField(label=_('MFA type'), max_length=128)
 
 
 class CustomCaptchaTextInput(CaptchaTextInput):

apps/authentication/mfa/base.py

@@ -72,9 +72,10 @@ class BaseMFA(abc.ABC):
     def is_active(self):
         return False
 
-    @classmethod
+    @staticmethod
-    def global_enabled(cls):
+    @abc.abstractmethod
-        return cls.name in settings.SECURITY_MFA_ENABLED_BACKENDS
+    def global_enabled():
+        return False
 
     @abc.abstractmethod
     def get_enable_url(self) -> str:

apps/authentication/mfa/custom.py

@@ -39,9 +39,9 @@ class MFACustom(BaseMFA):
     def is_active(self):
         return True
 
-    @classmethod
+    @staticmethod
-    def global_enabled(cls):
+    def global_enabled():
-        return super().global_enabled() and settings.MFA_CUSTOM and callable(mfa_custom_method)
+        return settings.MFA_CUSTOM and callable(mfa_custom_method)
 
     def get_enable_url(self) -> str:
         return ''

apps/authentication/mfa/email.py

@@ -50,9 +50,9 @@ class MFAEmail(BaseMFA):
         )
         sender_util.gen_and_send_async()
 
-    @classmethod
+    @staticmethod
-    def global_enabled(cls):
+    def global_enabled():
-        return super().global_enabled and settings.SECURITY_MFA_BY_EMAIL
+        return settings.SECURITY_MFA_BY_EMAIL
 
     def disable(self):
         return '/ui/#/profile/index'

apps/authentication/mfa/face.py

@@ -29,10 +29,9 @@ class MFAFace(BaseMFA, AuthFaceMixin):
             return True
         return bool(self.user.face_vector)
 
-    @classmethod
+    @staticmethod
-    def global_enabled(cls):
+    def global_enabled():
         return (
-                super().global_enabled() and
                 settings.XPACK_LICENSE_IS_VALID and
                 settings.XPACK_LICENSE_EDITION_ULTIMATE and
                 settings.FACE_RECOGNITION_ENABLED

apps/authentication/mfa/otp.py

@@ -25,6 +25,10 @@ class MFAOtp(BaseMFA):
             return True
         return self.user.otp_secret_key
 
+    @staticmethod
+    def global_enabled():
+        return True
+
     def get_enable_url(self) -> str:
         return reverse('authentication:user-otp-enable-start')
 

apps/authentication/mfa/passkey.py

@@ -23,9 +23,9 @@ class MFAPasskey(BaseMFA):
             return False
         return self.user.passkey_set.count()
 
-    @classmethod
+    @staticmethod
-    def global_enabled(cls):
+    def global_enabled():
-        return super().global_enabled() and settings.AUTH_PASSKEY
+        return settings.AUTH_PASSKEY
 
     def get_enable_url(self) -> str:
         return '/ui/#/profile/passkeys'

apps/authentication/mfa/radius.py

@@ -27,9 +27,9 @@ class MFARadius(BaseMFA):
     def is_active(self):
         return True
 
-    @classmethod
+    @staticmethod
-    def global_enabled(cls):
+    def global_enabled():
-        return super().global_enabled() and settings.OTP_IN_RADIUS
+        return settings.OTP_IN_RADIUS
 
     def get_enable_url(self) -> str:
         return ''

apps/authentication/mfa/sms.py

@@ -46,9 +46,9 @@ class MFASms(BaseMFA):
     def send_challenge(self):
         self.sms.gen_and_send_async()
 
-    @classmethod
+    @staticmethod
-    def global_enabled(cls):
+    def global_enabled():
-        return super().global_enabled() and settings.SMS_ENABLED
+        return settings.SMS_ENABLED
 
     def get_enable_url(self) -> str:
         return '/ui/#/profile/index'

apps/authentication/templates/authentication/login.html

@@ -376,7 +376,7 @@
                     </div>
                     {% if form.challenge %}
                         {% bootstrap_field form.challenge show_label=False %}
-                    {% elif form.mfa_type and mfa_backends %}
+                    {% elif form.mfa_type %}
                         <div class="form-group" style="display: flex">
                             {% include '_mfa_login_field.html' %}
                         </div>

apps/common/plugins/es.py

@@ -2,7 +2,6 @@
 #
 import datetime
 import inspect
-
 import sys
 
 if sys.version_info.major == 3 and sys.version_info.minor >= 10:
@@ -335,10 +334,6 @@ class ES(object):
     def is_keyword(props: dict, field: str) -> bool:
         return props.get(field, {}).get("type", "keyword") == "keyword"
 
-    @staticmethod
-    def is_long(props: dict, field: str) -> bool:
-        return props.get(field, {}).get("type") == "long"
-
     def get_query_body(self, **kwargs):
         new_kwargs = {}
         for k, v in kwargs.items():
@@ -366,10 +361,10 @@ class ES(object):
         if index_in_field in kwargs:
             index['values'] = kwargs[index_in_field]
 
-        mapping = self.es.indices.get_mapping(index=self.index)
+        mapping = self.es.indices.get_mapping(index=self.query_index)
         props = (
             mapping
-            .get(self.index, {})
+            .get(self.query_index, {})
             .get('mappings', {})
             .get('properties', {})
         )
@@ -380,9 +375,6 @@ class ES(object):
             if k in ("org_id", "session") and self.is_keyword(props, k):
                 exact[k] = v
 
-            elif self.is_long(props, k):
-                exact[k] = v
-
             elif k in common_keyword_able:
                 exact[f"{k}.keyword"] = v
 

apps/common/utils/ip/utils.py

@@ -101,7 +101,7 @@ def get_ip_city(ip):
 
     info = get_ip_city_by_ipip(ip)
     if info:
-        city = info.get('city') or _("Unknown")
+        city = info.get('city', _("Unknown"))
         country = info.get('country')
 
         # 国内城市 并且 语言是中文就使用国内

apps/jumpserver/conf.py

@@ -569,7 +569,7 @@ class Config(dict):
         'SAFE_MODE': False,
         'SECURITY_MFA_AUTH': 0,  # 0 不开启 1 全局开启 2 管理员开启
         'SECURITY_MFA_AUTH_ENABLED_FOR_THIRD_PARTY': True,
-        'SECURITY_MFA_ENABLED_BACKENDS': [],
+        'SECURITY_MFA_BY_EMAIL': False,
         'SECURITY_COMMAND_EXECUTION': False,
         'SECURITY_COMMAND_BLACKLIST': [
             'reboot', 'shutdown', 'poweroff', 'halt', 'dd', 'half', 'top'

apps/settings/api/i18n.py

@@ -43,7 +43,6 @@ class ComponentI18nApi(RetrieveAPIView):
         if not lang:
             return Response(data)
 
-        lang = lang.lower()
         if lang not in dict(Language.get_code_mapper()).keys():
             lang = 'en'
 

apps/settings/migrations/0003_refresh_pg_collation_version.py

@@ -1,23 +0,0 @@
-# Generated by Django 4.1.13 on 2025-11-27 02:54
-
-from django.db import migrations, connections
-
-
-def refresh_pg_collation(apps, schema_editor):
-    for alias, conn in connections.databases.items():
-        if connections[alias].vendor == "postgresql":
-            dbname = connections[alias].settings_dict["NAME"]
-            connections[alias].cursor().execute(
-                f'ALTER DATABASE "{dbname}" REFRESH COLLATION VERSION;'
-            )
-            print(f"Refreshed postgresql collation version for database: {dbname} successfully.")
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ('settings', '0002_leakpasswords'),
-    ]
-
-    operations = [
-        migrations.RunPython(refresh_pg_collation, migrations.RunPython.noop),
-    ]

apps/settings/serializers/security.py

@@ -1,7 +1,3 @@
-import importlib
-import os
-
-from django.conf import settings
 from django.utils.translation import gettext_lazy as _
 from rest_framework import serializers
 
@@ -121,35 +117,6 @@ class SecurityLoginLimitSerializer(serializers.Serializer):
     )
 
 
-class DynamicMFAChoiceField(serializers.MultipleChoiceField):
-    def __init__(self, **kwargs):
-        _choices = self._get_dynamic_choices()
-        super().__init__(choices=_choices, **kwargs)
-
-    @staticmethod
-    def _get_dynamic_choices():
-        choices = []
-        mfa_dir = os.path.join(settings.APPS_DIR, 'authentication', 'mfa')
-        for filename in os.listdir(mfa_dir):
-            if not filename.endswith('.py') or filename.startswith('__init__'):
-                continue
-
-            module_name = f'authentication.mfa.{filename[:-3]}'
-            try:
-                module = importlib.import_module(module_name)
-            except ImportError:
-                continue
-
-            for attr_name in dir(module):
-                item = getattr(module, attr_name)
-                if not isinstance(item, type) or not attr_name.startswith('MFA'):
-                    continue
-                if 'BaseMFA' != item.__base__.__name__:
-                    continue
-                choices.append((item.name, item.display_name))
-        return choices
-
-
 class SecurityAuthSerializer(serializers.Serializer):
     SECURITY_MFA_AUTH = serializers.ChoiceField(
         choices=(
@@ -163,10 +130,10 @@ class SecurityAuthSerializer(serializers.Serializer):
         required=False, default=True,
         label=_('Third-party login MFA'),
     )
-    SECURITY_MFA_ENABLED_BACKENDS = DynamicMFAChoiceField(
+    SECURITY_MFA_BY_EMAIL = serializers.BooleanField(
-        default=[], allow_empty=True,
+        required=False, default=False,
-        label=_('MFA Backends'),
+        label=_('MFA via Email'),
-        help_text=_('MFA methods supported for user login')
+        help_text=_('Email as a method for multi-factor authentication')
     )
     OTP_ISSUER_NAME = serializers.CharField(
         required=False, max_length=16, label=_('OTP issuer name'),

apps/templates/resource_download.html

@@ -22,13 +22,13 @@ p {
             {% trans 'JumpServerClient, currently used to launch the client' %}
         </p>
         <ul>
-            <li> <a href="/download/public/JumpServerClient_{{ CLIENT_VERSION }}_x64_en-US.msi">JumpServerClient_{{ CLIENT_VERSION }}_x64_en-US.msi</a></li>
+            <li> <a href="/download/public/JumpServerClient_{{ CLIENT_VERSION }}_x64_en-US.msi">JumpServerClient-x64_en-US.msi</a></li>
-            <li> <a href="/download/public/JumpServerClient_{{ CLIENT_VERSION }}_x64-setup.exe">JumpServerClient_{{ CLIENT_VERSION }}_x64-setup.exe</a></li>
+            <li> <a href="/download/public/JumpServerClient_{{ CLIENT_VERSION }}_x64-setup.exe">JumpServerClient-x64-setup.exe</a></li>
-            <li> <a href="/download/public/JumpServerClient_{{ CLIENT_VERSION }}_aarch64.dmg">JumpServerClient_{{ CLIENT_VERSION }}_aarch64.dmg</a></li>
+            <li> <a href="/download/public/JumpServerClient_{{ CLIENT_VERSION }}_aarch64.dmg">JumpServerClient-aarch64.dmg</a></li>
-            <li> <a href="/download/public/JumpServerClient_{{ CLIENT_VERSION }}_x64.dmg">JumpServerClient_{{ CLIENT_VERSION }}_x64.dmg</a></li>
+            <li> <a href="/download/public/JumpServerClient_{{ CLIENT_VERSION }}_x64.dmg">JumpServerClient-x64.dmg</a></li>
-            <li> <a href="/download/public/JumpServerClient_{{ CLIENT_VERSION }}_amd64.AppImage">JumpServerClient_{{ CLIENT_VERSION }}_amd64.AppImage</a></li>
+            <li> <a href="/download/public/JumpServerClient_{{ CLIENT_VERSION }}_amd64.AppImage">JumpServerClient-amd64.AppImage</a></li>
-            <li> <a href="/download/public/JumpServerClient_{{ CLIENT_VERSION }}_amd64.deb">JumpServerClient_{{ CLIENT_VERSION }}_amd64.deb</a></li>
+            <li> <a href="/download/public/JumpServerClient_{{ CLIENT_VERSION }}_amd64.deb">JumpServerClient-amd64.deb</a></li>
-            <li> <a href="/download/public/JumpServerClient-{{ CLIENT_VERSION }}-1.x86_64.rpm">JumpServerClient-{{ CLIENT_VERSION }}-1.x86_64.rpm</a></li>
+            <li> <a href="/download/public/JumpServerClient-{{ CLIENT_VERSION }}-1.x86_64.rpm">JumpServerClient-1.x86_64.rpm</a></li>
         </ul>
     </div>
 

apps/terminal/backends/command/es.py

@@ -1,11 +1,12 @@
 # -*- coding: utf-8 -*-
 #
-from datetime import datetime
-
 import pytz
 
-from common.plugins.es import ES
+from datetime import datetime
+
 from common.utils import get_logger
+from common.plugins.es import ES
+
 
 logger = get_logger(__file__)
 
@@ -26,8 +27,8 @@ class CommandStore(ES):
                 "type": "long"
             }
         }
-        exact_fields = {'risk_level'}
+        exact_fields = {}
-        fuzzy_fields = {'input', 'user', 'asset', 'account'}
+        fuzzy_fields = {'input', 'risk_level', 'user', 'asset', 'account'}
         match_fields = {'input'}
         keyword_fields = {'session', 'org_id'}
 

apps/terminal/serializers/session.py

@@ -160,8 +160,7 @@ class SessionSerializer(BulkOrgResourceModelSerializer):
         )
 
         validated_data['user'] = str(user)
-        # web 资产 url 太长，超出限制
+        validated_data['asset'] = str(asset)
-        validated_data['asset'] = str(asset)[:128]
         return super().create(validated_data)
 
     def update(self, instance, validated_data):

apps/users/utils.py

@@ -6,7 +6,6 @@ import os
 import re
 import time
 from contextlib import contextmanager
-from urllib.parse import unquote
 
 import pyotp
 from django.conf import settings
@@ -61,8 +60,6 @@ def redirect_user_first_login_or_index(request, redirect_field_name):
     # 防止 next 地址为 None
     if not url or url.lower() in ['none']:
         url = reverse('index')
-    # 处理下载地址编码问题 '%2Fui%2F'
-    url = unquote(url)
     return url
 
 

apps/users/views/profile/otp.py

@@ -37,25 +37,12 @@ logger = get_logger(__name__)
 class UserOtpEnableStartView(AuthMixin, TemplateView):
     template_name = 'users/user_otp_check_password.html'
 
-    @staticmethod
-    def get_redirect_url():
-        message_data = {
-            'title': _('Redirecting'),
-            'message': _('No MFA services are available. Please contact the administrator'),
-            'redirect_url': reverse('authentication:login'),
-            'auto_redirect': True,
-        }
-        return FlashMessageUtil.gen_message_url(message_data)
-
     def get(self, request, *args, **kwargs):
         try:
             self.get_user_from_session()
         except SessionEmptyError:
             url = reverse('authentication:login') + '?_=otp_enable_start'
             return redirect(url)
-
-        if not MFAOtp.global_enabled():
-            return redirect(self.get_redirect_url())
         return super().get(request, *args, **kwargs)