Merge pull request #8645 from jumpserver/dev

v2.24.0
fix: 修复密码可能解密失败报错
2025-12-16 00:52:41 +00:00 · 2022-07-21 15:40:57 +08:00 · 2022-07-21 15:37:32 +08:00 · 2022-07-21 15:37:06 +08:00 · 2022-07-21 13:51:15 +08:00 · 2022-07-20 19:07:18 +08:00
286 changed files with 7692 additions and 6018 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -31,12 +31,13 @@ media
 celerybeat.pid
 django.db
 celerybeat-schedule.db
-data/static
 docs/_build/
 xpack
+xpack.bak
 logs/*
 ### Vagrant ###
 .vagrant/
 release/*
 releashe
 /apps/script.py
+data/*
--- a/18
+++ b/18
@@ -29,11 +29,12 @@ ARG TOOLS="                           \
    redis-tools                       \
    telnet                            \
    vim                               \
+    unzip                               \
    wget"

 RUN sed -i 's/deb.debian.org/mirrors.aliyun.com/g' /etc/apt/sources.list \
    && sed -i 's/security.debian.org/mirrors.aliyun.com/g' /etc/apt/sources.list \
-    && apt update \
+    && apt update && sleep 1 && apt update \
    && apt -y install ${BUILD_DEPENDENCIES} \
    && apt -y install ${DEPENDENCIES} \
    && apt -y install ${TOOLS} \
@@ -47,12 +48,19 @@ RUN sed -i 's/deb.debian.org/mirrors.aliyun.com/g' /etc/apt/sources.list \
    && mv /bin/sh /bin/sh.bak  \
    && ln -s /bin/bash /bin/sh

+ARG TARGETARCH
+ARG ORACLE_LIB_MAJOR=19
+ARG ORACLE_LIB_MINOR=10
+ENV ORACLE_FILE="instantclient-basiclite-linux.${TARGETARCH:-amd64}-${ORACLE_LIB_MAJOR}.${ORACLE_LIB_MINOR}.0.0.0dbru.zip"
+
 RUN mkdir -p /opt/oracle/ \
-    && wget https://download.jumpserver.org/public/instantclient-basiclite-linux.x64-21.1.0.0.0.tar \
-    && tar xf instantclient-basiclite-linux.x64-21.1.0.0.0.tar -C /opt/oracle/ \
-    && echo "/opt/oracle/instantclient_21_1" > /etc/ld.so.conf.d/oracle-instantclient.conf \
+    && cd /opt/oracle/ \
+    && wget https://download.jumpserver.org/files/oracle/${ORACLE_FILE} \
+    && unzip instantclient-basiclite-linux.${TARGETARCH-amd64}-19.10.0.0.0dbru.zip \
+    && mv instantclient_${ORACLE_LIB_MAJOR}_${ORACLE_LIB_MINOR} instantclient \
+    && echo "/opt/oracle/instantclient" > /etc/ld.so.conf.d/oracle-instantclient.conf \
    && ldconfig \
-    && rm -f instantclient-basiclite-linux.x64-21.1.0.0.0.tar
+    && rm -f ${ORACLE_FILE}

 WORKDIR /tmp/build
 COPY ./requirements ./requirements
--- a/README.md
+++ b/README.md
@@ -1,10 +1,13 @@
-<p align="center"><a href="https://jumpserver.org"><img src="https://download.jumpserver.org/images/jumpserver-logo.svg" alt="JumpServer" width="300" /></a></p>
+<p align="center">
+  <a href="https://jumpserver.org"><img src="https://download.jumpserver.org/images/jumpserver-logo.svg" alt="JumpServer" width="300" /></a>
+</p>
 <h3 align="center">多云环境下更好用的堡垒机</h3>

 <p align="center">
  <a href="https://www.gnu.org/licenses/gpl-3.0.html"><img src="https://img.shields.io/github/license/jumpserver/jumpserver" alt="License: GPLv3"></a>
  <a href="https://shields.io/github/downloads/jumpserver/jumpserver/total"><img src="https://shields.io/github/downloads/jumpserver/jumpserver/total" alt=" release"></a>
  <a href="https://hub.docker.com/u/jumpserver"><img src="https://img.shields.io/docker/pulls/jumpserver/jms_all.svg" alt="Codacy"></a>
+  <a href="https://github.com/jumpserver/jumpserver/commits"><img alt="GitHub last commit" src="https://img.shields.io/github/last-commit/jumpserver/jumpserver.svg" /></a>
  <a href="https://github.com/jumpserver/jumpserver"><img src="https://img.shields.io/github/stars/jumpserver/jumpserver?color=%231890FF&style=flat-square" alt="Stars"></a>
 </p>

@@ -15,7 +18,7 @@

 JumpServer 是全球首款开源的堡垒机，使用 GPLv3 开源协议，是符合 4A 规范的运维安全审计系统。

-JumpServer 使用 Python 开发，遵循 Web 2.0 规范，配备了业界领先的 Web Terminal 方案，交互界面美观、用户体验好。
+JumpServer 使用 Python 开发，配备了业界领先的 Web Terminal 方案，交互界面美观、用户体验好。

 JumpServer 采纳分布式架构，支持多机房跨区域部署，支持横向扩展，无资产数量及并发限制。

@@ -28,9 +31,9 @@ JumpServer 采纳分布式架构，支持多机房跨区域部署，支持横向
 - 开源: 零门槛，线上快速获取和安装；
 - 分布式: 轻松支持大规模并发访问；
 - 无插件: 仅需浏览器，极致的 Web Terminal 使用体验；
+- 多租户: 一套系统，多个子公司或部门同时使用；
 - 多云支持: 一套系统，同时管理不同云上面的资产；
 - 云端存储: 审计录像云端存储，永不丢失；
- 多租户: 一套系统，多个子公司和部门同时使用；
 - 多应用支持: 数据库，Windows远程应用，Kubernetes。

 ### UI 展示
@@ -55,12 +58,15 @@ JumpServer 采纳分布式架构，支持多机房跨区域部署，支持横向
 - [手动安装](https://github.com/jumpserver/installer)

 ### 组件项目
- [Lina](https://github.com/jumpserver/lina) JumpServer Web UI 项目
- [Luna](https://github.com/jumpserver/luna) JumpServer Web Terminal 项目
- [KoKo](https://github.com/jumpserver/koko) JumpServer 字符协议 Connector 项目，替代原来 Python 版本的 [Coco](https://github.com/jumpserver/coco)
- [Lion](https://github.com/jumpserver/lion-release) JumpServer 图形协议 Connector 项目，依赖 [Apache Guacamole](https://guacamole.apache.org/)
- [Clients](https://github.com/jumpserver/clients) JumpServer 客户端 项目
- [Installer](https://github.com/jumpserver/installer) JumpServer 安装包 项目
+| 项目                                                                          |  状态          | 描述                                     |
+| ---------------------------------------------------------------------------  |  -------------------   | ---------------------------------------- |
+| [Lina](https://github.com/jumpserver/lina) | <a href="https://github.com/jumpserver/lina/releases"><img alt="Lina release" src="https://img.shields.io/github/release/jumpserver/lina.svg" /></a> | JumpServer Web UI 项目 |
+| [Luna](https://github.com/jumpserver/luna) | <a href="https://github.com/jumpserver/luna/releases"><img alt="Luna release" src="https://img.shields.io/github/release/jumpserver/luna.svg" /></a> | JumpServer Web Terminal 项目 |
+| [KoKo](https://github.com/jumpserver/koko) | <a href="https://github.com/jumpserver/koko/releases"><img alt="Koko release" src="https://img.shields.io/github/release/jumpserver/koko.svg" /></a> | JumpServer 字符协议 Connector 项目，替代原来 Python 版本的 [Coco](https://github.com/jumpserver/coco) |
+| [Lion](https://github.com/jumpserver/lion-release) | <a href="https://github.com/jumpserver/lion-release/releases"><img alt="Lion release" src="https://img.shields.io/github/release/jumpserver/lion-release.svg" /></a>  | JumpServer 图形协议 Connector 项目，依赖 [Apache Guacamole](https://guacamole.apache.org/) |
+| [Magnus](https://github.com/jumpserver/magnus-release) | <a href="https://github.com/jumpserver/magnus-release/releases"><img alt="Magnus release" src="https://img.shields.io/github/release/jumpserver/magnus-release.svg" /> | JumpServer 数据库代理 Connector 项目 |
+| [Clients](https://github.com/jumpserver/clients) | <a href="https://github.com/jumpserver/clients/releases"><img alt="Clients release" src="https://img.shields.io/github/release/jumpserver/clients.svg" /> | JumpServer 客户端 项目 |
+| [Installer](https://github.com/jumpserver/installer)| <a href="https://github.com/jumpserver/installer/releases"><img alt="Installer release" src="https://img.shields.io/github/release/jumpserver/installer.svg" /> | JumpServer 安装包 项目 |

 ### 社区

@@ -75,27 +81,13 @@ JumpServer 采纳分布式架构，支持多机房跨区域部署，支持横向

 感谢以下贡献者，让 JumpServer 更加完善

-<a href="https://github.com/jumpserver/jumpserver/graphs/contributors">
-  <img src="https://contrib.rocks/image?repo=jumpserver/jumpserver" />
-</a>
-
-<a href="https://github.com/jumpserver/koko/graphs/contributors">
-  <img src="https://contrib.rocks/image?repo=jumpserver/koko" />
-</a>
-
-<a href="https://github.com/jumpserver/lina/graphs/contributors">
-  <img src="https://contrib.rocks/image?repo=jumpserver/lina" />
-</a>
-
-<a href="https://github.com/jumpserver/luna/graphs/contributors">
-  <img src="https://contrib.rocks/image?repo=jumpserver/luna" />
-</a>
+<a href="https://github.com/jumpserver/jumpserver/graphs/contributors"><img src="https://opencollective.com/jumpserver/contributors.svg?width=890&button=false" /></a>



 ### 致谢
- [Apache Guacamole](https://guacamole.apache.org/) Web页面连接 RDP, SSH, VNC协议设备，JumpServer 图形化组件 Lion 依赖 
- [OmniDB](https://omnidb.org/) Web页面连接使用数据库，JumpServer Web数据库依赖
+- [Apache Guacamole](https://guacamole.apache.org/) Web页面连接 RDP, SSH, VNC 协议设备，JumpServer 图形化组件 Lion 依赖 
+- [OmniDB](https://omnidb.org/) Web 页面连接使用数据库，JumpServer Web 数据库依赖


 ### JumpServer 企业版 
@@ -103,14 +95,14 @@ JumpServer 采纳分布式架构，支持多机房跨区域部署，支持横向

 ### 案例研究

- [JumpServer 堡垒机护航顺丰科技超大规模资产安全运维](https://blog.fit2cloud.com/?p=1147)；
- [JumpServer 堡垒机让“大智慧”的混合 IT 运维更智慧](https://blog.fit2cloud.com/?p=882)；
- [携程 JumpServer 堡垒机部署与运营实战](https://blog.fit2cloud.com/?p=851)；
- [小红书的JumpServer堡垒机大规模资产跨版本迁移之路](https://blog.fit2cloud.com/?p=516)；
- [JumpServer堡垒机助力中手游提升多云环境下安全运维能力](https://blog.fit2cloud.com/?p=732)；
- [中通快递：JumpServer主机安全运维实践](https://blog.fit2cloud.com/?p=708)；
- [东方明珠：JumpServer高效管控异构化、分布式云端资产](https://blog.fit2cloud.com/?p=687)；
- [江苏农信：JumpServer堡垒机助力行业云安全运维](https://blog.fit2cloud.com/?p=666)。
+- [JumpServer 堡垒机护航顺丰科技超大规模资产安全运维](https://blog.fit2cloud.com/?p=1147)
+- [JumpServer 堡垒机让“大智慧”的混合 IT 运维更智慧](https://blog.fit2cloud.com/?p=882)
+- [携程 JumpServer 堡垒机部署与运营实战](https://blog.fit2cloud.com/?p=851)
+- [小红书的JumpServer堡垒机大规模资产跨版本迁移之路](https://blog.fit2cloud.com/?p=516)
+- [JumpServer堡垒机助力中手游提升多云环境下安全运维能力](https://blog.fit2cloud.com/?p=732)
+- [中通快递：JumpServer主机安全运维实践](https://blog.fit2cloud.com/?p=708)
+- [东方明珠：JumpServer高效管控异构化、分布式云端资产](https://blog.fit2cloud.com/?p=687)
+- [江苏农信：JumpServer堡垒机助力行业云安全运维](https://blog.fit2cloud.com/?p=666)

 ### 安全说明

--- a/apps/acls/api/login_asset_check.py
+++ b/apps/acls/api/login_asset_check.py
@@ -47,7 +47,7 @@ class LoginAssetCheckAPI(CreateAPIView):
            asset=self.serializer.asset,
            system_user=self.serializer.system_user,
            assignees=acl.reviewers.all(),
-            org_id=self.serializer.org.id
+            org_id=self.serializer.org.id,
        )
        confirm_status_url = reverse(
            view_name='api-tickets:super-ticket-status',
@@ -59,7 +59,7 @@ class LoginAssetCheckAPI(CreateAPIView):
            external=True, api_to_ui=True
        )
        ticket_detail_url = '{url}?type={type}'.format(url=ticket_detail_url, type=ticket.type)
-        ticket_assignees = ticket.current_node.first().ticket_assignees.all()
+        ticket_assignees = ticket.current_step.ticket_assignees.all()
        data = {
            'check_confirm_status': {'method': 'GET', 'url': confirm_status_url},
            'close_confirm': {'method': 'DELETE', 'url': confirm_status_url},
--- a/apps/acls/models/login_acl.py
+++ b/apps/acls/models/login_acl.py
@@ -97,34 +97,25 @@ class LoginACL(BaseACL):

        return allow, reject_type

-    @staticmethod
-    def construct_confirm_ticket_meta(request=None):
+    def create_confirm_ticket(self, request):
+        from tickets import const
+        from tickets.models import ApplyLoginTicket
+        from orgs.models import Organization
+        title = _('Login confirm') + ' {}'.format(self.user)
        login_ip = get_request_ip(request) if request else ''
        login_ip = login_ip or '0.0.0.0'
        login_city = get_ip_city(login_ip)
        login_datetime = local_now_display()
-        ticket_meta = {
-            'apply_login_ip': login_ip,
-            'apply_login_city': login_city,
-            'apply_login_datetime': login_datetime,
-        }
-        return ticket_meta
-
-    def create_confirm_ticket(self, request=None):
-        from tickets import const
-        from tickets.models import Ticket
-        from orgs.models import Organization
-        ticket_title = _('Login confirm') + ' {}'.format(self.user)
-        ticket_meta = self.construct_confirm_ticket_meta(request)
        data = {
-            'title': ticket_title,
-            'type': const.TicketType.login_confirm.value,
-            'meta': ticket_meta,
+            'title': title,
+            'type': const.TicketType.login_confirm,
+            'applicant': self.user,
+            'apply_login_city': login_city,
+            'apply_login_ip': login_ip,
+            'apply_login_datetime': login_datetime,
            'org_id': Organization.ROOT_ID,
        }
-        ticket = Ticket.objects.create(**data)
-        applicant = self.user
+        ticket = ApplyLoginTicket.objects.create(**data)
        assignees = self.reviewers.all()
-        ticket.create_process_map_and_node(assignees, applicant)
-        ticket.open(applicant)
+        ticket.open_by_system(assignees)
        return ticket
--- a/apps/acls/models/login_asset_acl.py
+++ b/apps/acls/models/login_asset_acl.py
@@ -85,19 +85,18 @@ class LoginAssetACL(BaseACL, OrgModelMixin):
    @classmethod
    def create_login_asset_confirm_ticket(cls, user, asset, system_user, assignees, org_id):
        from tickets.const import TicketType
-        from tickets.models import Ticket
+        from tickets.models import ApplyLoginAssetTicket
+        title = _('Login asset confirm') + ' ({})'.format(user)
        data = {
-            'title': _('Login asset confirm') + ' ({})'.format(user),
+            'title': title,
            'type': TicketType.login_asset_confirm,
-            'meta': {
-                'apply_login_user': str(user),
-                'apply_login_asset': str(asset),
-                'apply_login_system_user': str(system_user),
-            },
+            'applicant': user,
+            'apply_login_user': user,
+            'apply_login_asset': asset,
+            'apply_login_system_user': system_user,
            'org_id': org_id,
        }
-        ticket = Ticket.objects.create(**data)
-        ticket.create_process_map_and_node(assignees, user)
-        ticket.open(applicant=user)
+        ticket = ApplyLoginAssetTicket.objects.create(**data)
+        ticket.open_by_system(assignees)
        return ticket

--- a/apps/applications/api/account.py
+++ b/apps/applications/api/account.py
@@ -2,15 +2,16 @@
 #

 from django_filters import rest_framework as filters
-from django.db.models import F, Q
+from django.db.models import Q

 from common.drf.filters import BaseFilterSet
 from common.drf.api import JMSBulkModelViewSet
 from common.mixins import RecordViewLogMixin
+from common.permissions import UserConfirmation
+from authentication.const import ConfirmType
 from rbac.permissions import RBACPermission
 from assets.models import SystemUser
 from ..models import Account
-from ..hands import NeedMFAVerify
 from .. import serializers


@@ -57,7 +58,7 @@ class SystemUserAppRelationViewSet(ApplicationAccountViewSet):

 class ApplicationAccountSecretViewSet(RecordViewLogMixin, ApplicationAccountViewSet):
    serializer_class = serializers.AppAccountSecretSerializer
-    permission_classes = [RBACPermission, NeedMFAVerify]
+    permission_classes = [RBACPermission, UserConfirmation.require(ConfirmType.MFA)]
    http_method_names = ['get', 'options']
    rbac_perms = {
        'retrieve': 'applications.view_applicationaccountsecret',
--- a/apps/applications/api/application.py
+++ b/apps/applications/api/application.py
@@ -1,6 +1,5 @@
 # coding: utf-8
 #
-from django.shortcuts import get_object_or_404
 from orgs.mixins.api import OrgBulkModelViewSet
 from rest_framework.decorators import action
 from rest_framework.response import Response
--- a/apps/applications/const.py
+++ b/apps/applications/const.py
@@ -83,3 +83,9 @@ class AppType(models.TextChoices):
        if AppCategory.is_xpack(category):
            return True
        return tp in ['oracle', 'postgresql', 'sqlserver']
+
+
+class OracleVersion(models.TextChoices):
+    version_11g = '11g', '11g'
+    version_12c = '12c', '12c'
+    version_other = 'other', _('Other')
--- a/apps/applications/hands.py
+++ b/apps/applications/hands.py
@@ -11,5 +11,4 @@
 """


-from common.permissions import NeedMFAVerify
 from users.models import User, UserGroup
--- a/apps/applications/migrations/0021_auto_20220629_1826.py
+++ b/apps/applications/migrations/0021_auto_20220629_1826.py
@@ -0,0 +1,22 @@
+# Generated by Django 3.1.14 on 2022-06-29 10:26
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('applications', '0020_auto_20220316_2028'),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name='historicalaccount',
+            options={'get_latest_by': ('history_date', 'history_id'), 'ordering': ('-history_date', '-history_id'), 'verbose_name': 'historical Application account', 'verbose_name_plural': 'historical Application accounts'},
+        ),
+        migrations.AlterField(
+            model_name='historicalaccount',
+            name='history_date',
+            field=models.DateTimeField(db_index=True),
+        ),
+    ]
--- a/apps/applications/migrations/0022_auto_20220714_1046.py
+++ b/apps/applications/migrations/0022_auto_20220714_1046.py
@@ -0,0 +1,23 @@
+# Generated by Django 3.2.12 on 2022-07-14 02:46
+
+from django.db import migrations
+
+
+def migrate_db_oracle_version_to_attrs(apps, schema_editor):
+    db_alias = schema_editor.connection.alias
+    model = apps.get_model("applications", "Application")
+    oracles = list(model.objects.using(db_alias).filter(type='oracle'))
+    for o in oracles:
+        o.attrs['version'] = '12c'
+    model.objects.using(db_alias).bulk_update(oracles, ['attrs'])
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('applications', '0021_auto_20220629_1826'),
+    ]
+
+    operations = [
+        migrations.RunPython(migrate_db_oracle_version_to_attrs)
+    ]
--- a/apps/applications/migrations/0023_auto_20220715_1556.py
+++ b/apps/applications/migrations/0023_auto_20220715_1556.py
@@ -0,0 +1,48 @@
+# Generated by Django 3.1.14 on 2022-07-15 07:56
+import time
+from collections import defaultdict
+
+from django.db import migrations
+
+
+def migrate_account_dirty_data(apps, schema_editor):
+    db_alias = schema_editor.connection.alias
+    account_model = apps.get_model('applications', 'Account')
+
+    count = 0
+    bulk_size = 1000
+
+    while True:
+        accounts = account_model.objects.using(db_alias) \
+                       .filter(org_id='')[count:count + bulk_size]
+
+        if not accounts:
+            break
+
+        accounts = list(accounts)
+        start = time.time()
+        for i in accounts:
+            if i.app:
+                org_id = i.app.org_id
+            elif i.systemuser:
+                org_id = i.systemuser.org_id
+            else:
+                org_id = ''
+            if org_id:
+                i.org_id = org_id
+
+        account_model.objects.bulk_update(accounts, ['org_id', ])
+        print("Update account org is empty: {}-{} using: {:.2f}s".format(
+            count, count + len(accounts), time.time() - start
+        ))
+        count += len(accounts)
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ('applications', '0022_auto_20220714_1046'),
+    ]
+
+    operations = [
+        migrations.RunPython(migrate_account_dirty_data),
+    ]
--- a/apps/applications/models/application.py
+++ b/apps/applications/models/application.py
@@ -10,6 +10,7 @@ from common.mixins import CommonModelMixin
 from common.tree import TreeNode
 from common.utils import is_uuid
 from assets.models import Asset, SystemUser
+from ..const import OracleVersion

 from ..utils import KubernetesTree
 from .. import const
@@ -214,6 +215,8 @@ class ApplicationTreeNodeMixin:


 class Application(CommonModelMixin, OrgModelMixin, ApplicationTreeNodeMixin):
+    APP_TYPE = const.AppType
+
    name = models.CharField(max_length=128, verbose_name=_('Name'))
    category = models.CharField(
        max_length=16, choices=const.AppCategory.choices, verbose_name=_('Category')
@@ -255,6 +258,9 @@ class Application(CommonModelMixin, OrgModelMixin, ApplicationTreeNodeMixin):
    def category_db(self):
        return self.category == const.AppCategory.db.value

+    def is_type(self, tp):
+        return self.type == tp
+
    def get_rdp_remote_app_setting(self):
        from applications.serializers.attrs import get_serializer_class_by_application_type
        if not self.category_remote_app:
@@ -298,6 +304,15 @@ class Application(CommonModelMixin, OrgModelMixin, ApplicationTreeNodeMixin):
            target_ip = self.attrs.get('host')
        return target_ip

+    def get_target_protocol_for_oracle(self):
+        """ Oracle 类型需要单独处理，因为要携带版本号 """
+        if not self.is_type(self.APP_TYPE.oracle):
+            return
+        version = self.attrs.get('version', OracleVersion.version_12c)
+        if version == OracleVersion.version_other:
+            return
+        return 'oracle_%s' % version
+

 class ApplicationUser(SystemUser):
    class Meta:
--- a/apps/applications/serializers/attrs/application_category/remote_app.py
+++ b/apps/applications/serializers/attrs/application_category/remote_app.py
@@ -31,7 +31,7 @@ class ExistAssetPrimaryKeyRelatedField(serializers.PrimaryKeyRelatedField):


 class RemoteAppSerializer(serializers.Serializer):
-    asset_info = serializers.SerializerMethodField()
+    asset_info = serializers.SerializerMethodField(label=_('Asset Info'))
    asset = ExistAssetPrimaryKeyRelatedField(
        queryset=Asset.objects, required=True, label=_("Asset"), allow_null=True
    )
--- a/apps/applications/serializers/attrs/application_type/chrome.py
+++ b/apps/applications/serializers/attrs/application_type/chrome.py
@@ -1,6 +1,7 @@
 from django.utils.translation import ugettext_lazy as _
 from rest_framework import serializers

+from common.drf.fields import EncryptedField
 from ..application_category import RemoteAppSerializer

 __all__ = ['ChromeSerializer', 'ChromeSecretSerializer']
@@ -13,19 +14,21 @@ class ChromeSerializer(RemoteAppSerializer):
        max_length=128, label=_('Application path'), default=CHROME_PATH, allow_null=True,
    )
    chrome_target = serializers.CharField(
-        max_length=128, allow_blank=True, required=False, label=_('Target URL'), allow_null=True,
+        max_length=128, allow_blank=True, required=False,
+        label=_('Target URL'), allow_null=True,
    )
    chrome_username = serializers.CharField(
-        max_length=128, allow_blank=True, required=False, label=_('Chrome username'), allow_null=True,
+        max_length=128, allow_blank=True, required=False,
+        label=_('Chrome username'), allow_null=True,
    )
-    chrome_password = serializers.CharField(
-        max_length=128, allow_blank=True, required=False, write_only=True, label=_('Chrome password'),
-        allow_null=True
+    chrome_password = EncryptedField(
+        max_length=128, allow_blank=True, required=False,
+        label=_('Chrome password'), allow_null=True
    )


 class ChromeSecretSerializer(ChromeSerializer):
-    chrome_password = serializers.CharField(
-        max_length=128, allow_blank=True, required=False, read_only=True, label=_('Chrome password'),
-        allow_null=True
+    chrome_password = EncryptedField(
+        max_length=128, allow_blank=True, required=False,
+        label=_('Chrome password'), allow_null=True, write_only=False
    )
--- a/apps/applications/serializers/attrs/application_type/custom.py
+++ b/apps/applications/serializers/attrs/application_type/custom.py
@@ -1,6 +1,7 @@
 from django.utils.translation import ugettext_lazy as _
 from rest_framework import serializers

+from common.drf.fields import EncryptedField
 from ..application_category import RemoteAppSerializer

 __all__ = ['CustomSerializer', 'CustomSecretSerializer']
@@ -19,14 +20,14 @@ class CustomSerializer(RemoteAppSerializer):
        max_length=128, allow_blank=True, required=False, label=_('Custom Username'),
        allow_null=True,
    )
-    custom_password = serializers.CharField(
-        max_length=128, allow_blank=True, required=False, write_only=True, label=_('Custom password'),
-        allow_null=True,
+    custom_password = EncryptedField(
+        max_length=128, allow_blank=True, required=False,
+        label=_('Custom password'), allow_null=True,
    )


 class CustomSecretSerializer(RemoteAppSerializer):
-    custom_password = serializers.CharField(
-        max_length=128, allow_blank=True, required=False, read_only=True, label=_('Custom password'),
-        allow_null=True,
+    custom_password = EncryptedField(
+        max_length=128, allow_blank=True, required=False, write_only=False,
+        label=_('Custom password'), allow_null=True,
    )
--- a/apps/applications/serializers/attrs/application_type/mysql_workbench.py
+++ b/apps/applications/serializers/attrs/application_type/mysql_workbench.py
@@ -1,6 +1,7 @@
 from django.utils.translation import ugettext_lazy as _
 from rest_framework import serializers

+from common.drf.fields import EncryptedField
 from ..application_category import RemoteAppSerializer

 __all__ = ['MySQLWorkbenchSerializer', 'MySQLWorkbenchSecretSerializer']
@@ -29,14 +30,14 @@ class MySQLWorkbenchSerializer(RemoteAppSerializer):
        max_length=128, allow_blank=True, required=False, label=_('Mysql workbench username'),
        allow_null=True,
    )
-    mysql_workbench_password = serializers.CharField(
-        max_length=128, allow_blank=True, required=False, write_only=True, label=_('Mysql workbench password'),
-        allow_null=True,
+    mysql_workbench_password = EncryptedField(
+        max_length=128, allow_blank=True, required=False,
+        label=_('Mysql workbench password'), allow_null=True,
    )


 class MySQLWorkbenchSecretSerializer(RemoteAppSerializer):
-    mysql_workbench_password = serializers.CharField(
-        max_length=128, allow_blank=True, required=False, read_only=True, label=_('Mysql workbench password'),
-        allow_null=True,
+    mysql_workbench_password = EncryptedField(
+        max_length=128, allow_blank=True, required=False, write_only=False,
+        label=_('Mysql workbench password'), allow_null=True,
    )
--- a/apps/applications/serializers/attrs/application_type/oracle.py
+++ b/apps/applications/serializers/attrs/application_type/oracle.py
@@ -2,9 +2,15 @@ from rest_framework import serializers
 from django.utils.translation import ugettext_lazy as _

 from ..application_category import DBSerializer
+from applications.const import OracleVersion

 __all__ = ['OracleSerializer']


 class OracleSerializer(DBSerializer):
+    version = serializers.ChoiceField(
+        choices=OracleVersion.choices, default=OracleVersion.version_12c,
+        allow_null=True, label=_('Version'),
+        help_text=_('Magnus currently supports only 11g and 12c connections')
+    )
    port = serializers.IntegerField(default=1521, label=_('Port'), allow_null=True)
--- a/apps/applications/serializers/attrs/application_type/vmware_client.py
+++ b/apps/applications/serializers/attrs/application_type/vmware_client.py
@@ -1,6 +1,7 @@
 from django.utils.translation import ugettext_lazy as _
 from rest_framework import serializers

+from common.drf.fields import EncryptedField
 from ..application_category import RemoteAppSerializer

 __all__ = ['VMwareClientSerializer', 'VMwareClientSecretSerializer']
@@ -25,14 +26,14 @@ class VMwareClientSerializer(RemoteAppSerializer):
        max_length=128, allow_blank=True, required=False, label=_('Vmware username'),
        allow_null=True
    )
-    vmware_password = serializers.CharField(
-        max_length=128, allow_blank=True, required=False, write_only=True, label=_('Vmware password'),
-        allow_null=True
+    vmware_password = EncryptedField(
+        max_length=128, allow_blank=True, required=False,
+        label=_('Vmware password'), allow_null=True
    )


 class VMwareClientSecretSerializer(RemoteAppSerializer):
-    vmware_password = serializers.CharField(
-        max_length=128, allow_blank=True, required=False, read_only=True, label=_('Vmware password'),
-        allow_null=True
+    vmware_password = EncryptedField(
+        max_length=128, allow_blank=True, required=False, write_only=False,
+        label=_('Vmware password'), allow_null=True
    )
--- a/apps/assets/api/init.py
+++ b/apps/assets/api/init.py
@@ -11,3 +11,4 @@ from .cmd_filter import *
 from .gathered_user import *
 from .favorite_asset import *
 from .account_backup import *
+from .account_history import *
--- a/apps/assets/api/account_history.py
+++ b/apps/assets/api/account_history.py
@@ -0,0 +1,50 @@
+from django.db.models import F
+
+from assets.api.accounts import (
+    AccountFilterSet, AccountViewSet, AccountSecretsViewSet
+)
+from common.mixins import RecordViewLogMixin
+from .. import serializers
+from ..models import AuthBook
+
+__all__ = ['AccountHistoryViewSet', 'AccountHistorySecretsViewSet']
+
+
+class AccountHistoryFilterSet(AccountFilterSet):
+    class Meta:
+        model = AuthBook.history.model
+        fields = AccountFilterSet.Meta.fields
+
+
+class AccountHistoryViewSet(AccountViewSet):
+    model = AuthBook.history.model
+    filterset_class = AccountHistoryFilterSet
+    serializer_classes = {
+        'default': serializers.AccountHistorySerializer,
+    }
+    rbac_perms = {
+        'list': 'assets.view_assethistoryaccount',
+        'retrieve': 'assets.view_assethistoryaccount',
+    }
+
+    http_method_names = ['get', 'options']
+
+    def get_queryset(self):
+        queryset = self.model.objects.all() \
+            .annotate(ip=F('asset__ip')) \
+            .annotate(hostname=F('asset__hostname')) \
+            .annotate(platform=F('asset__platform__name')) \
+            .annotate(protocols=F('asset__protocols'))
+        return queryset
+
+
+class AccountHistorySecretsViewSet(RecordViewLogMixin, AccountHistoryViewSet):
+    serializer_classes = {
+        'default': serializers.AccountHistorySecretSerializer
+    }
+    http_method_names = ['get']
+    permission_classes = AccountSecretsViewSet.permission_classes
+    rbac_perms = {
+        'list': 'assets.view_assethistoryaccountsecret',
+        'retrieve': 'assets.view_assethistoryaccountsecret',
+    }
--- a/apps/assets/api/accounts.py
+++ b/apps/assets/api/accounts.py
@@ -1,4 +1,4 @@
-from django.db.models import F, Q
+from django.db.models import Q
 from django.shortcuts import get_object_or_404
 from django_filters import rest_framework as filters
 from rest_framework.decorators import action
@@ -9,12 +9,13 @@ from orgs.mixins.api import OrgBulkModelViewSet
 from rbac.permissions import RBACPermission
 from common.drf.filters import BaseFilterSet
 from common.mixins import RecordViewLogMixin
-from common.permissions import NeedMFAVerify
+from common.permissions import UserConfirmation
+from authentication.const import ConfirmType
 from ..tasks.account_connectivity import test_accounts_connectivity_manual
 from ..models import AuthBook, Node
 from .. import serializers

-__all__ = ['AccountViewSet', 'AccountSecretsViewSet', 'AccountTaskCreateAPI']
+__all__ = ['AccountFilterSet', 'AccountViewSet', 'AccountSecretsViewSet', 'AccountTaskCreateAPI']


 class AccountFilterSet(BaseFilterSet):
@@ -88,7 +89,7 @@ class AccountSecretsViewSet(RecordViewLogMixin, AccountViewSet):
        'default': serializers.AccountSecretSerializer
    }
    http_method_names = ['get']
-    permission_classes = [RBACPermission, NeedMFAVerify]
+    permission_classes = [RBACPermission, UserConfirmation.require(ConfirmType.MFA)]
    rbac_perms = {
        'list': 'assets.view_assetaccountsecret',
        'retrieve': 'assets.view_assetaccountsecret',
--- a/apps/assets/api/cmd_filter.py
+++ b/apps/assets/api/cmd_filter.py
@@ -69,7 +69,7 @@ class CommandConfirmAPI(CreateAPIView):
            external=True, api_to_ui=True
        )
        ticket_detail_url = '{url}?type={type}'.format(url=ticket_detail_url, type=ticket.type)
-        ticket_assignees = ticket.current_node.first().ticket_assignees.all()
+        ticket_assignees = ticket.current_step.ticket_assignees.all()
        return {
            'check_confirm_status': {'method': 'GET', 'url': confirm_status_url},
            'close_confirm': {'method': 'DELETE', 'url': confirm_status_url},
--- a/apps/assets/api/node.py
+++ b/apps/assets/api/node.py
@@ -43,7 +43,7 @@ __all__ = [
 class NodeViewSet(SuggestionMixin, OrgBulkModelViewSet):
    model = Node
    filterset_fields = ('value', 'key', 'id')
-    search_fields = ('value',)
+    search_fields = ('full_value',)
    serializer_class = serializers.NodeSerializer
    rbac_perms = {
        'match': 'assets.match_node',
--- a/apps/assets/migrations/0090_auto_20220412_1145.py
+++ b/apps/assets/migrations/0090_auto_20220412_1145.py
@@ -14,7 +14,6 @@ def create_internal_platform(apps, schema_editor):
        model.objects.using(db_alias).update_or_create(
            name=name, defaults=defaults
        )
-        migrations.RunPython(create_internal_platform)


 class Migration(migrations.Migration):
--- a/apps/assets/migrations/0091_auto_20220629_1826.py
+++ b/apps/assets/migrations/0091_auto_20220629_1826.py
@@ -0,0 +1,26 @@
+# Generated by Django 3.1.14 on 2022-06-29 10:26
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0090_auto_20220412_1145'),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name='authbook',
+            options={'permissions': [('test_authbook', 'Can test asset account connectivity'), ('view_assetaccountsecret', 'Can view asset account secret'), ('change_assetaccountsecret', 'Can change asset account secret'), ('view_assethistoryaccount', 'Can view asset history account'), ('view_assethistoryaccountsecret', 'Can view asset history account secret')], 'verbose_name': 'AuthBook'},
+        ),
+        migrations.AlterModelOptions(
+            name='historicalauthbook',
+            options={'get_latest_by': ('history_date', 'history_id'), 'ordering': ('-history_date', '-history_id'), 'verbose_name': 'historical AuthBook', 'verbose_name_plural': 'historical AuthBooks'},
+        ),
+        migrations.AlterField(
+            model_name='historicalauthbook',
+            name='history_date',
+            field=models.DateTimeField(db_index=True),
+        ),
+    ]
--- a/apps/assets/models/authbook.py
+++ b/apps/assets/models/authbook.py
@@ -29,7 +29,9 @@ class AuthBook(BaseUser, AbsConnectivity):
        permissions = [
            ('test_authbook', _('Can test asset account connectivity')),
            ('view_assetaccountsecret', _('Can view asset account secret')),
-            ('change_assetaccountsecret', _('Can change asset account secret'))
+            ('change_assetaccountsecret', _('Can change asset account secret')),
+            ('view_assethistoryaccount', _('Can view asset history account')),
+            ('view_assethistoryaccountsecret', _('Can view asset history account secret')),
        ]

    def __init__(self, *args, **kwargs):
--- a/apps/assets/models/cmd_filter.py
+++ b/apps/assets/models/cmd_filter.py
@@ -125,6 +125,9 @@ class CommandFilterRule(OrgModelMixin):
                regex.append(cmd)
                continue

+            if not cmd:
+                continue
+
            # 如果是单个字符
            if cmd[-1].isalpha():
                regex.append(r'\b{0}\b'.format(cmd))
@@ -165,26 +168,23 @@ class CommandFilterRule(OrgModelMixin):

    def create_command_confirm_ticket(self, run_command, session, cmd_filter_rule, org_id):
        from tickets.const import TicketType
-        from tickets.models import Ticket
+        from tickets.models import ApplyCommandTicket
        data = {
            'title': _('Command confirm') + ' ({})'.format(session.user),
            'type': TicketType.command_confirm,
-            'meta': {
-                'apply_run_user': session.user,
-                'apply_run_asset': session.asset,
-                'apply_run_system_user': session.system_user,
-                'apply_run_command': run_command,
-                'apply_from_session_id': str(session.id),
-                'apply_from_cmd_filter_rule_id': str(cmd_filter_rule.id),
-                'apply_from_cmd_filter_id': str(cmd_filter_rule.filter.id)
-            },
+            'applicant': session.user_obj,
+            'apply_run_user_id': session.user_id,
+            'apply_run_asset': str(session.asset),
+            'apply_run_system_user_id': session.system_user_id,
+            'apply_run_command': run_command[:4090],
+            'apply_from_session_id': str(session.id),
+            'apply_from_cmd_filter_rule_id': str(cmd_filter_rule.id),
+            'apply_from_cmd_filter_id': str(cmd_filter_rule.filter.id),
            'org_id': org_id,
        }
-        ticket = Ticket.objects.create(**data)
-        applicant = session.user_obj
+        ticket = ApplyCommandTicket.objects.create(**data)
        assignees = self.reviewers.all()
-        ticket.create_process_map_and_node(assignees, applicant)
-        ticket.open(applicant)
+        ticket.open_by_system(assignees)
        return ticket

    @classmethod
--- a/apps/assets/models/domain.py
+++ b/apps/assets/models/domain.py
@@ -9,7 +9,7 @@ import paramiko
 from django.db import models
 from django.utils.translation import ugettext_lazy as _

-from common.utils import get_logger
+from common.utils import get_logger, lazyproperty
 from orgs.mixins.models import OrgModelMixin
 from .base import BaseUser

@@ -36,7 +36,7 @@ class Domain(OrgModelMixin):
    def has_gateway(self):
        return self.gateway_set.filter(is_active=True).exists()

-    @property
+    @lazyproperty
    def gateways(self):
        return self.gateway_set.filter(is_active=True)

@@ -44,8 +44,9 @@ class Domain(OrgModelMixin):
        gateways = [gw for gw in self.gateways if gw.is_connective]
        if gateways:
            return random.choice(gateways)
-        else:
-            logger.warn(f'Gateway all bad. domain={self}, gateway_num={len(self.gateways)}.')
+
+        logger.warn(f'Gateway all bad. domain={self}, gateway_num={len(self.gateways)}.')
+        if self.gateways:
            return random.choice(self.gateways)


--- a/apps/assets/models/user.py
+++ b/apps/assets/models/user.py
@@ -133,6 +133,15 @@ class AuthMixin:
            self.password = password

    def load_app_more_auth(self, app_id=None, username=None, user_id=None):
+        # 清除认证信息
+        self._clean_auth_info_if_manual_login_mode()
+
+        # 先加载临时认证信息
+        if self.login_mode == self.LOGIN_MANUAL:
+            self._load_tmp_auth_if_has(app_id, user_id)
+            return
+
+        # Remote app
        from applications.models import Application
        app = get_object_or_none(Application, pk=app_id)
        if app and app.category_remote_app:
@@ -141,11 +150,6 @@ class AuthMixin:
            return

        # Other app
-        self._clean_auth_info_if_manual_login_mode()
-        # 加载临时认证信息
-        if self.login_mode == self.LOGIN_MANUAL:
-            self._load_tmp_auth_if_has(app_id, user_id)
-            return
        # 更新用户名
        from users.models import User
        user = get_object_or_none(User, pk=user_id) if user_id else None
--- a/apps/assets/serializers/init.py
+++ b/apps/assets/serializers/init.py
@@ -11,4 +11,5 @@ from .cmd_filter import *
 from .gathered_user import *
 from .favorite_asset import *
 from .account import *
+from .account_history import *
 from .backup import *
--- a/apps/assets/serializers/account.py
+++ b/apps/assets/serializers/account.py
@@ -5,7 +5,6 @@ from assets.models import AuthBook
 from orgs.mixins.serializers import BulkOrgResourceModelSerializer

 from .base import AuthSerializerMixin
-from .utils import validate_password_contains_left_double_curly_bracket
 from common.utils.encode import ssh_pubkey_gen
 from common.drf.serializers import SecretReadableMixin

@@ -32,10 +31,6 @@ class AccountSerializer(AuthSerializerMixin, BulkOrgResourceModelSerializer):
        fields = fields_small + fields_fk
        extra_kwargs = {
            'username': {'required': True},
-            'password': {
-                'write_only': True,
-                "validators": [validate_password_contains_left_double_curly_bracket]
-            },
            'private_key': {'write_only': True},
            'public_key': {'write_only': True},
            'systemuser_display': {'label': _('System user display')}
@@ -58,7 +53,15 @@ class AccountSerializer(AuthSerializerMixin, BulkOrgResourceModelSerializer):
        return attrs

    def get_protocols(self, v):
-        return v.protocols.replace(' ', ', ')
+        """ protocols 是 queryset 中返回的，Post 创建成功后返回序列化时没有这个字段 """
+        if hasattr(v, 'protocols'):
+            protocols = v.protocols
+        elif hasattr(v, 'asset') and v.asset:
+            protocols = v.asset.protocols
+        else:
+            protocols = ''
+        protocols = protocols.replace(' ', ', ')
+        return protocols

    @classmethod
    def setup_eager_loading(cls, queryset):
--- a/apps/assets/serializers/account_history.py
+++ b/apps/assets/serializers/account_history.py
@@ -0,0 +1,38 @@
+from rest_framework import serializers
+from django.utils.translation import ugettext_lazy as _
+
+from assets.models import AuthBook
+from common.drf.serializers import SecretReadableMixin
+from .account import AccountSerializer, AccountSecretSerializer
+
+
+class AccountHistorySerializer(AccountSerializer):
+    systemuser_display = serializers.SerializerMethodField(label=_('System user display'))
+
+    class Meta:
+        model = AuthBook.history.model
+        fields = AccountSerializer.Meta.fields_mini + \
+                 AccountSerializer.Meta.fields_write_only + \
+                 AccountSerializer.Meta.fields_fk + \
+                 ['history_id', 'date_created', 'date_updated']
+        read_only_fields = fields
+        ref_name = 'AccountHistorySerializer'
+
+    @staticmethod
+    def get_systemuser_display(instance):
+        if not instance.systemuser:
+            return ''
+        return str(instance.systemuser)
+
+    def get_field_names(self, declared_fields, info):
+        fields = super().get_field_names(declared_fields, info)
+        fields = list(set(fields) - {'org_name'})
+        return fields
+
+    def to_representation(self, instance):
+        return super(AccountSerializer, self).to_representation(instance)
+
+
+class AccountHistorySecretSerializer(SecretReadableMixin, AccountHistorySerializer):
+    class Meta(AccountHistorySerializer.Meta):
+        extra_kwargs = AccountSecretSerializer.Meta.extra_kwargs
--- a/apps/assets/serializers/base.py
+++ b/apps/assets/serializers/base.py
@@ -8,11 +8,12 @@ from rest_framework import serializers
 from common.utils import ssh_pubkey_gen, ssh_private_key_gen, validate_ssh_private_key
 from common.drf.fields import EncryptedField
 from assets.models import Type
+from .utils import validate_password_for_ansible


 class AuthSerializer(serializers.ModelSerializer):
    password = EncryptedField(required=False, allow_blank=True, allow_null=True, max_length=1024, label=_('Password'))
-    private_key = EncryptedField(required=False, allow_blank=True, allow_null=True, max_length=4096, label=_('Private key'))
+    private_key = EncryptedField(required=False, allow_blank=True, allow_null=True, max_length=16384, label=_('Private key'))

    def gen_keys(self, private_key=None, password=None):
        if private_key is None:
@@ -33,10 +34,11 @@ class AuthSerializer(serializers.ModelSerializer):

 class AuthSerializerMixin(serializers.ModelSerializer):
    password = EncryptedField(
-        label=_('Password'), required=False, allow_blank=True, allow_null=True, max_length=1024
+        label=_('Password'), required=False, allow_blank=True, allow_null=True, max_length=1024,
+        validators=[validate_password_for_ansible]
    )
    private_key = EncryptedField(
-        label=_('SSH private key'), required=False, allow_blank=True, allow_null=True, max_length=4096
+        label=_('SSH private key'), required=False, allow_blank=True, allow_null=True, max_length=16384
    )
    passphrase = serializers.CharField(
        allow_blank=True, allow_null=True, required=False, max_length=512,
--- a/apps/assets/serializers/system_user.py
+++ b/apps/assets/serializers/system_user.py
@@ -9,7 +9,7 @@ from common.drf.serializers import SecretReadableMixin
 from common.validators import alphanumeric_re, alphanumeric_cn_re, alphanumeric_win_re
 from orgs.mixins.serializers import BulkOrgResourceModelSerializer
 from ..models import SystemUser, Asset
-from .utils import validate_password_contains_left_double_curly_bracket
+from .utils import validate_password_for_ansible
 from .base import AuthSerializerMixin

 __all__ = [
@@ -25,6 +25,11 @@ class SystemUserSerializer(AuthSerializerMixin, BulkOrgResourceModelSerializer):
    """
    系统用户
    """
+    password = EncryptedField(
+        label=_('Password'), required=False, allow_blank=True, allow_null=True, max_length=1024,
+        trim_whitespace=False, validators=[validate_password_for_ansible],
+        write_only=True
+    )
    auto_generate_key = serializers.BooleanField(initial=True, required=False, write_only=True)
    type_display = serializers.ReadOnlyField(source='get_type_display', label=_('Type display'))
    ssh_key_fingerprint = serializers.ReadOnlyField(label=_('SSH key fingerprint'))
@@ -51,15 +56,9 @@ class SystemUserSerializer(AuthSerializerMixin, BulkOrgResourceModelSerializer):
        fields_m2m = ['cmd_filters', 'assets_amount', 'applications_amount', 'nodes']
        fields = fields_small + fields_m2m
        extra_kwargs = {
-            'password': {
-                "write_only": True,
-                'trim_whitespace': False,
-                "validators": [validate_password_contains_left_double_curly_bracket]
-            },
            'cmd_filters': {"required": False, 'label': _('Command filter')},
            'public_key': {"write_only": True},
            'private_key': {"write_only": True},
-            'token': {"write_only": True},
            'nodes_amount': {'label': _('Nodes amount')},
            'assets_amount': {'label': _('Assets amount')},
            'login_mode_display': {'label': _('Login mode display')},
--- a/apps/assets/serializers/utils.py
+++ b/apps/assets/serializers/utils.py
@@ -2,8 +2,16 @@ from django.utils.translation import ugettext_lazy as _
 from rest_framework import serializers


-def validate_password_contains_left_double_curly_bracket(password):
+def validate_password_for_ansible(password):
+    """ 校验 Ansible 不支持的特殊字符 """
    # validate password contains left double curly bracket
    # check password not contains `{{`
+    # Ansible 推送的时候不支持
    if '{{' in password:
        raise serializers.ValidationError(_('Password can not contains `{{` '))
+    # Ansible Windows 推送的时候不支持
+    if "'" in password:
+        raise serializers.ValidationError(_("Password can not contains `'` "))
+    if '"' in password:
+        raise serializers.ValidationError(_('Password can not contains `"` '))
+
--- a/apps/assets/task_handlers/backup/handlers.py
+++ b/apps/assets/task_handlers/backup/handlers.py
@@ -1,6 +1,6 @@
 import os
 import time
-import pandas as pd
+from openpyxl import Workbook
 from collections import defaultdict, OrderedDict

 from django.conf import settings
@@ -48,7 +48,7 @@ class BaseAccountHandler:
                _fields = cls.get_header_fields(v)
                header_fields.update(_fields)
            else:
-                header_fields[field] = v.label
+                header_fields[field] = str(v.label)
        return header_fields

    @classmethod
@@ -59,7 +59,7 @@ class BaseAccountHandler:
        data = cls.unpack_data(serializer.data)
        row_dict = {}
        for field, header_name in header_fields.items():
-            row_dict[header_name] = data[field]
+            row_dict[header_name] = str(data[field])
        return row_dict


@@ -72,24 +72,24 @@ class AssetAccountHandler(BaseAccountHandler):
        return filename

    @classmethod
-    def create_df(cls):
-        df_dict = defaultdict(list)
+    def create_data_map(cls):
+        data_map = defaultdict(list)
        sheet_name = AuthBook._meta.verbose_name

        accounts = AuthBook.get_queryset().select_related('systemuser')
        if not accounts.first():
-            return df_dict
+            return data_map

        header_fields = cls.get_header_fields(AccountSecretSerializer(accounts.first()))
        for account in accounts:
            account.load_auth()
            row = cls.create_row(account, AccountSecretSerializer, header_fields)
-            df_dict[sheet_name].append(row)
-        for k, v in df_dict.items():
-            df_dict[k] = pd.DataFrame(v)
+            if sheet_name not in data_map:
+                data_map[sheet_name].append(list(row.keys()))
+            data_map[sheet_name].append(list(row.values()))

        logger.info('\n\033[33m- 共收集 {} 条资产账号\033[0m'.format(accounts.count()))
-        return df_dict
+        return data_map


 class AppAccountHandler(BaseAccountHandler):
@@ -101,19 +101,19 @@ class AppAccountHandler(BaseAccountHandler):
        return filename

    @classmethod
-    def create_df(cls):
-        df_dict = defaultdict(list)
+    def create_data_map(cls):
+        data_map = defaultdict(list)
        accounts = Account.get_queryset().select_related('systemuser')
        for account in accounts:
            account.load_auth()
            app_type = account.type
            sheet_name = AppType.get_label(app_type)
            row = cls.create_row(account, AppAccountSecretSerializer)
-            df_dict[sheet_name].append(row)
-        for k, v in df_dict.items():
-            df_dict[k] = pd.DataFrame(v)
+            if sheet_name not in data_map:
+                data_map[sheet_name].append(list(row.keys()))
+            data_map[sheet_name].append(list(row.values()))
        logger.info('\n\033[33m- 共收集{}条应用账号\033[0m'.format(accounts.count()))
-        return df_dict
+        return data_map


 handler_map = {
@@ -142,15 +142,18 @@ class AccountBackupHandler:
            if not handler:
                continue

-            df_dict = handler.create_df()
-            if not df_dict:
+            data_map = handler.create_data_map()
+            if not data_map:
                continue

            filename = handler.get_filename(self.plan_name)
-            with pd.ExcelWriter(filename) as w:
-                for sheet, df in df_dict.items():
-                    sheet = sheet.replace(' ', '-')
-                    getattr(df, 'to_excel')(w, sheet_name=sheet, index=False)
+
+            wb = Workbook(filename)
+            for sheet, data in data_map.items():
+                ws = wb.create_sheet(str(sheet))
+                for row in data:
+                    ws.append(row)
+            wb.save(filename)
            files.append(filename)
        timedelta = round((time.time() - time_start), 2)
        logger.info('步骤完成: 用时 {}s'.format(timedelta))
--- a/apps/assets/tasks/push_system_user.py
+++ b/apps/assets/tasks/push_system_user.py
@@ -33,16 +33,17 @@ def _dump_args(args: dict):


 def get_push_unixlike_system_user_tasks(system_user, username=None, **kwargs):
-    comment = system_user.name
    algorithm = kwargs.get('algorithm')
    if username is None:
        username = system_user.username

+    comment = system_user.name
    if system_user.username_same_with_user:
        from users.models import User
        user = User.objects.filter(username=username).only('name', 'username').first()
        if user:
            comment = f'{system_user.name}[{str(user)}]'
+    comment = comment.replace(' ', '')

    password = system_user.password
    public_key = system_user.public_key
@@ -273,7 +274,7 @@ def push_system_user_a_asset_manual(system_user, asset, username=None):
    # if username is None:
    #     username = system_user.username
    task_name = gettext_noop("Push system users to asset: ") + "{}({}) => {}".format(
-        system_user.name, username, asset
+        system_user.name, username or system_user.username, asset
    )
    return push_system_user_util(system_user, [asset], task_name=task_name, username=username)

--- a/apps/assets/urls/api_urls.py
+++ b/apps/assets/urls/api_urls.py
@@ -13,6 +13,8 @@ router = BulkRouter()
 router.register(r'assets', api.AssetViewSet, 'asset')
 router.register(r'accounts', api.AccountViewSet, 'account')
 router.register(r'account-secrets', api.AccountSecretsViewSet, 'account-secret')
+router.register(r'accounts-history', api.AccountHistoryViewSet, 'account-history')
+router.register(r'account-history-secrets', api.AccountHistorySecretsViewSet, 'account-history-secret')
 router.register(r'platforms', api.AssetPlatformViewSet, 'platform')
 router.register(r'system-users', api.SystemUserViewSet, 'system-user')
 router.register(r'admin-users', api.AdminUserViewSet, 'admin-user')
--- a/apps/audits/signal_handlers.py
+++ b/apps/audits/signal_handlers.py
@@ -1,5 +1,7 @@
 # -*- coding: utf-8 -*-
 #
+import time
+
 from django.db.models.signals import (
    post_save, m2m_changed, pre_delete
 )
@@ -49,6 +51,7 @@ class AuthBackendLabelMapping(LazyObject):
        backend_label_mapping[settings.AUTH_BACKEND_SSO] = _('SSO')
        backend_label_mapping[settings.AUTH_BACKEND_AUTH_TOKEN] = _('Auth Token')
        backend_label_mapping[settings.AUTH_BACKEND_WECOM] = _('WeCom')
+        backend_label_mapping[settings.AUTH_BACKEND_FEISHU] = _('FeiShu')
        backend_label_mapping[settings.AUTH_BACKEND_DINGTALK] = _('DingTalk')
        backend_label_mapping[settings.AUTH_BACKEND_TEMP_TOKEN] = _('Temporary token')
        return backend_label_mapping
@@ -274,6 +277,7 @@ def on_user_auth_success(sender, user, request, login_type=None, **kwargs):
    logger.debug('User login success: {}'.format(user.username))
    check_different_city_login_if_need(user, request)
    data = generate_data(user.username, request, login_type=login_type)
+    request.session['login_time'] = data['datetime'].strftime("%Y-%m-%d %H:%M:%S")
    data.update({'mfa': int(user.mfa_enabled), 'status': True})
    write_login_log(**data)

--- a/apps/audits/tasks.py
+++ b/apps/audits/tasks.py
@@ -29,7 +29,7 @@ def clean_ftp_log_period():
    now = timezone.now()
    days = get_log_keep_day('FTP_LOG_KEEP_DAYS')
    expired_day = now - datetime.timedelta(days=days)
-    FTPLog.objects.filter(datetime__lt=expired_day).delete()
+    FTPLog.objects.filter(date_start__lt=expired_day).delete()


@register_as_period_task(interval=3600*24)
--- a/apps/authentication/api/init.py
+++ b/apps/authentication/api/init.py
@@ -5,6 +5,7 @@ from .connection_token import *
 from .token import *
 from .mfa import *
 from .access_key import *
+from .confirm import *
 from .login_confirm import *
 from .sso import *
 from .wecom import *
--- a/apps/authentication/api/confirm.py
+++ b/apps/authentication/api/confirm.py
@@ -0,0 +1,64 @@
+# -*- coding: utf-8 -*-
+#
+import time
+
+from django.utils.translation import ugettext_lazy as _
+from rest_framework.generics import RetrieveAPIView, CreateAPIView
+from rest_framework.response import Response
+from rest_framework import status
+
+from common.permissions import IsValidUser, UserConfirmation
+from ..const import ConfirmType
+from ..serializers import ConfirmSerializer
+
+
+class ConfirmBindORUNBindOAuth(RetrieveAPIView):
+    permission_classes = (UserConfirmation.require(ConfirmType.ReLogin),)
+
+    def retrieve(self, request, *args, **kwargs):
+        return Response('ok')
+
+
+class ConfirmApi(RetrieveAPIView, CreateAPIView):
+    permission_classes = (IsValidUser,)
+    serializer_class = ConfirmSerializer
+
+    def get_confirm_backend(self, confirm_type):
+        backend_classes = ConfirmType.get_can_confirm_backend_classes(confirm_type)
+        if not backend_classes:
+            return
+        for backend_cls in backend_classes:
+            backend = backend_cls(self.request.user, self.request)
+            if not backend.check():
+                continue
+            return backend
+
+    def retrieve(self, request, *args, **kwargs):
+        confirm_type = request.query_params.get('confirm_type')
+        backend = self.get_confirm_backend(confirm_type)
+        if backend is None:
+            msg = _('This action require verify your MFA')
+            return Response(data={'error': msg}, status=status.HTTP_404_NOT_FOUND)
+
+        data = {
+            'confirm_type': backend.name,
+            'content': backend.content,
+        }
+        return Response(data=data)
+
+    def create(self, request, *args, **kwargs):
+        serializer = self.get_serializer(data=request.data)
+        serializer.is_valid(raise_exception=True)
+        validated_data = serializer.validated_data
+
+        confirm_type = validated_data.get('confirm_type')
+        mfa_type = validated_data.get('mfa_type')
+        secret_key = validated_data.get('secret_key')
+
+        backend = self.get_confirm_backend(confirm_type)
+        ok, msg = backend.authenticate(secret_key, mfa_type)
+        if ok:
+            request.session['CONFIRM_LEVEL'] = ConfirmType.values.index(confirm_type) + 1
+            request.session['CONFIRM_TIME'] = int(time.time())
+            return Response('ok')
+        return Response({'error': msg}, status=400)
--- a/apps/authentication/api/connection_token.py
+++ b/apps/authentication/api/connection_token.py
@@ -1,57 +1,65 @@
-# -*- coding: utf-8 -*-
-#
-import urllib.parse
-import json
-from typing import Callable
+import abc
 import os
+import json
 import base64
-import ctypes
-
-from django.core.cache import cache
-from django.shortcuts import get_object_or_404
+import urllib.parse
 from django.http import HttpResponse
-from django.utils import timezone
-from django.utils.translation import ugettext as _
-from rest_framework.response import Response
-from rest_framework.request import Request
-from rest_framework.viewsets import GenericViewSet
-from rest_framework.decorators import action
+from django.shortcuts import get_object_or_404
 from rest_framework.exceptions import PermissionDenied
-from rest_framework import serializers
+from rest_framework.decorators import action
+from rest_framework.response import Response
+from rest_framework import status
+from rest_framework.request import Request

-from applications.models import Application
-from authentication.signals import post_auth_failed
-from common.utils import get_logger, random_string
-from common.mixins.api import SerializerMixin
-from common.utils.common import get_file_by_arch
-from orgs.mixins.api import RootOrgViewMixin
+from common.drf.api import JMSModelViewSet
 from common.http import is_true
+from orgs.mixins.api import RootOrgViewMixin
 from perms.models.base import Action
-from perms.utils.application.permission import get_application_actions
-from perms.utils.asset.permission import get_asset_actions
-from common.const.http import PATCH
 from terminal.models import EndpointRule
 from ..serializers import (
-    ConnectionTokenSerializer, ConnectionTokenSecretSerializer, SuperConnectionTokenSerializer
+    ConnectionTokenSerializer, ConnectionTokenSecretSerializer,
+    SuperConnectionTokenSerializer, ConnectionTokenDisplaySerializer,
 )
-
-logger = get_logger(__name__)
-__all__ = ['UserConnectionTokenViewSet', 'UserSuperConnectionTokenViewSet', 'TokenCacheMixin']
+from ..models import ConnectionToken


-class ClientProtocolMixin:
-    """
-    下载客户端支持的连接文件，里面包含了 token，和 其他连接信息
+__all__ = ['ConnectionTokenViewSet', 'SuperConnectionTokenViewSet']

-    - [x] RDP
-    - [ ] KoKo

-    本质上，这里还是暴露出 token 来，进行使用
-    """
+class ConnectionTokenMixin:
    request: Request
-    get_serializer: Callable
-    create_token: Callable
-    get_serializer_context: Callable
+
+    @staticmethod
+    def check_token_valid(token: ConnectionToken):
+        is_valid, error = token.check_valid()
+        if not is_valid:
+            raise PermissionDenied(error)
+
+    @abc.abstractmethod
+    def get_request_resource_user(self, serializer):
+        raise NotImplementedError
+
+    def get_request_resources(self, serializer):
+        user = self.get_request_resource_user(serializer)
+        asset = serializer.validated_data.get('asset')
+        application = serializer.validated_data.get('application')
+        system_user = serializer.validated_data.get('system_user')
+        return user, asset, application, system_user
+
+    @staticmethod
+    def check_user_has_resource_permission(user, asset, application, system_user):
+        from perms.utils.asset import has_asset_system_permission
+        from perms.utils.application import has_application_system_permission
+
+        if asset and not has_asset_system_permission(user, asset, system_user):
+            error = f'User not has this asset and system user permission: ' \
+                    f'user={user.id} system_user={system_user.id} asset={asset.id}'
+            raise PermissionDenied(error)
+
+        if application and not has_application_system_permission(user, application, system_user):
+            error = f'User not has this application and system user permission: ' \
+                    f'user={user.id} system_user={system_user.id} application={application.id}'
+            raise PermissionDenied(error)

    def get_smart_endpoint(self, protocol, asset=None, application=None):
        if asset:
@@ -63,21 +71,32 @@ class ClientProtocolMixin:
        endpoint = EndpointRule.match_endpoint(target_ip, protocol, self.request)
        return endpoint

-    def get_request_resource(self, serializer):
-        asset = serializer.validated_data.get('asset')
-        application = serializer.validated_data.get('application')
-        system_user = serializer.validated_data['system_user']
-
-        user = serializer.validated_data.get('user')
-        user = user if user else self.request.user
-        return asset, application, system_user, user
-
    @staticmethod
    def parse_env_bool(env_key, env_default, true_value, false_value):
        return true_value if is_true(os.getenv(env_key, env_default)) else false_value

-    def get_rdp_file_content(self, serializer):
-        options = {
+    def get_client_protocol_data(self, token: ConnectionToken):
+        from assets.models import SystemUser
+        protocol = token.system_user.protocol
+        username = token.user.username
+        rdp_config = ssh_token = ''
+        if protocol == SystemUser.Protocol.rdp:
+            filename, rdp_config = self.get_rdp_file_info(token)
+        elif protocol == SystemUser.Protocol.ssh:
+            filename, ssh_token = self.get_ssh_token(token)
+        else:
+            raise ValueError('Protocol not support: {}'.format(protocol))
+
+        return {
+            "filename": filename,
+            "protocol": protocol,
+            "username": username,
+            "token": ssh_token,
+            "config": rdp_config
+        }
+
+    def get_rdp_file_info(self, token: ConnectionToken):
+        rdp_options = {
            'full address:s': '',
            'username:s': '',
            # 'screen mode id:i': '1',
@@ -110,412 +129,177 @@ class ClientProtocolMixin:
            # 'remoteapplicationcmdline:s': '',
        }

-        asset, application, system_user, user = self.get_request_resource(serializer)
+        # 设置磁盘挂载
+        drives_redirect = is_true(self.request.query_params.get('drives_redirect'))
+        if drives_redirect:
+            actions = Action.choices_to_value(token.actions)
+            if actions & Action.UPDOWNLOAD == Action.UPDOWNLOAD:
+                rdp_options['drivestoredirect:s'] = '*'
+
+        # 设置全屏
+        full_screen = is_true(self.request.query_params.get('full_screen'))
+        rdp_options['screen mode id:i'] = '2' if full_screen else '1'
+
+        # 设置 RDP Server 地址
+        endpoint = self.get_smart_endpoint(
+            protocol='rdp', asset=token.asset, application=token.application
+        )
+        rdp_options['full address:s'] = f'{endpoint.host}:{endpoint.rdp_port}'
+
+        # 设置用户名
+        rdp_options['username:s'] = '{}|{}'.format(token.user.username, str(token.id))
+        if token.system_user.ad_domain:
+            rdp_options['domain:s'] = token.system_user.ad_domain
+
+        # 设置宽高
        height = self.request.query_params.get('height')
        width = self.request.query_params.get('width')
-        full_screen = is_true(self.request.query_params.get('full_screen'))
-        drives_redirect = is_true(self.request.query_params.get('drives_redirect'))
-        token, secret = self.create_token(user, asset, application, system_user)
-
-        # 设置磁盘挂载
-        if drives_redirect:
-            actions = 0
-            if asset:
-                actions = get_asset_actions(user, asset, system_user)
-            elif application:
-                actions = get_application_actions(user, application, system_user)
-
-            if actions & Action.UPDOWNLOAD == Action.UPDOWNLOAD:
-                options['drivestoredirect:s'] = '*'
-
-        # 全屏
-        options['screen mode id:i'] = '2' if full_screen else '1'
-
-        # RDP Server 地址
-        endpoint = self.get_smart_endpoint(
-            protocol='rdp', asset=asset, application=application
-        )
-        options['full address:s'] = f'{endpoint.host}:{endpoint.rdp_port}'
-        # 用户名
-        options['username:s'] = '{}|{}'.format(user.username, token)
-        if system_user.ad_domain:
-            options['domain:s'] = system_user.ad_domain
-        # 宽高
        if width and height:
-            options['desktopwidth:i'] = width
-            options['desktopheight:i'] = height
-            options['winposstr:s:'] = f'0,1,0,0,{width},{height}'
+            rdp_options['desktopwidth:i'] = width
+            rdp_options['desktopheight:i'] = height
+            rdp_options['winposstr:s:'] = f'0,1,0,0,{width},{height}'

-        options['session bpp:i'] = os.getenv('JUMPSERVER_COLOR_DEPTH', '32')
-        options['audiomode:i'] = self.parse_env_bool('JUMPSERVER_DISABLE_AUDIO', 'false', '2', '0')
+        # 设置其他选项
+        rdp_options['session bpp:i'] = os.getenv('JUMPSERVER_COLOR_DEPTH', '32')
+        rdp_options['audiomode:i'] = self.parse_env_bool('JUMPSERVER_DISABLE_AUDIO', 'false', '2', '0')

-        if asset:
-            name = asset.hostname
-        elif application:
-            name = application.name
-            application.get_rdp_remote_app_setting()
-
-            app = f'||jmservisor'
-            options['remoteapplicationmode:i'] = '1'
-            options['alternate shell:s'] = app
-            options['remoteapplicationprogram:s'] = app
-            options['remoteapplicationname:s'] = name
-            options['remoteapplicationcmdline:s'] = '- ' + self.get_encrypt_cmdline(application)
+        if token.asset:
+            name = token.asset.hostname
+        elif token.application and token.application.category_remote_app:
+            app = '||jmservisor'
+            name = token.application.name
+            rdp_options['remoteapplicationmode:i'] = '1'
+            rdp_options['alternate shell:s'] = app
+            rdp_options['remoteapplicationprogram:s'] = app
+            rdp_options['remoteapplicationname:s'] = name
        else:
            name = '*'

+        filename = "{}-{}-jumpserver".format(token.user.username, name)
+        filename = urllib.parse.quote(filename)
+
        content = ''
-        for k, v in options.items():
+        for k, v in rdp_options.items():
            content += f'{k}:{v}\n'
-        return name, content

-    def get_ssh_token(self, serializer):
-        asset, application, system_user, user = self.get_request_resource(serializer)
-        token, secret = self.create_token(user, asset, application, system_user)
-        if asset:
-            name = asset.hostname
-        elif application:
-            name = application.name
+        return filename, content
+
+    def get_ssh_token(self, token: ConnectionToken):
+        if token.asset:
+            name = token.asset.hostname
+        elif token.application:
+            name = token.application.name
        else:
            name = '*'
+        filename = f'{token.user.username}-{name}-jumpserver'

        endpoint = self.get_smart_endpoint(
-            protocol='ssh', asset=asset, application=application
+            protocol='ssh', asset=token.asset, application=token.application
        )
-        content = {
+        data = {
            'ip': endpoint.host,
            'port': str(endpoint.ssh_port),
-            'username': f'JMS-{token}',
-            'password': secret
+            'username': 'JMS-{}'.format(str(token.id)),
+            'password': token.secret
        }
-        token = json.dumps(content)
-        return name, token
-
-    def get_encrypt_cmdline(self, app: Application):
-        parameters = app.get_rdp_remote_app_setting()['parameters']
-        parameters = parameters.encode('ascii')
-
-        lib_path = get_file_by_arch('xpack/libs', 'librailencrypt.so')
-        lib = ctypes.CDLL(lib_path)
-        lib.encrypt.argtypes = [ctypes.c_char_p, ctypes.c_int]
-        lib.encrypt.restype = ctypes.c_char_p
-
-        rst = lib.encrypt(parameters, len(parameters))
-        rst = rst.decode('ascii')
-        return rst
-
-    def get_valid_serializer(self):
-        if self.request.method == 'GET':
-            data = self.request.query_params
-        else:
-            data = self.request.data
-        serializer = self.get_serializer(data=data)
-        serializer.is_valid(raise_exception=True)
-        return serializer
-
-    def get_client_protocol_data(self, serializer):
-        asset, application, system_user, user = self.get_request_resource(serializer)
-        protocol = system_user.protocol
-        username = user.username
-        config, token = '', ''
-        if protocol == 'rdp':
-            name, config = self.get_rdp_file_content(serializer)
-        elif protocol == 'ssh':
-            name, token = self.get_ssh_token(serializer)
-        else:
-            raise ValueError('Protocol not support: {}'.format(protocol))
-
-        filename = "{}-{}-jumpserver".format(username, name)
-        data = {
-            "filename": filename,
-            "protocol": system_user.protocol,
-            "username": username,
-            "token": token,
-            "config": config
-        }
-        return data
-
-    @action(methods=['POST', 'GET'], detail=False, url_path='rdp/file')
-    def get_rdp_file(self, request, *args, **kwargs):
-        if self.request.method == 'GET':
-            data = self.request.query_params
-        else:
-            data = self.request.data
-        serializer = self.get_serializer(data=data)
-        serializer.is_valid(raise_exception=True)
-        name, data = self.get_rdp_file_content(serializer)
-        response = HttpResponse(data, content_type='application/octet-stream')
-        filename = "{}-{}-jumpserver.rdp".format(self.request.user.username, name)
-        filename = urllib.parse.quote(filename)
-        response['Content-Disposition'] = 'attachment; filename*=UTF-8\'\'%s' % filename
-        return response
-
-    @action(methods=['POST', 'GET'], detail=False, url_path='client-url')
-    def get_client_protocol_url(self, request, *args, **kwargs):
-        serializer = self.get_valid_serializer()
-        try:
-            protocol_data = self.get_client_protocol_data(serializer)
-        except ValueError as e:
-            return Response({'error': str(e)}, status=401)
-
-        protocol_data = json.dumps(protocol_data).encode()
-        protocol_data = base64.b64encode(protocol_data).decode()
-        data = {
-            'url': 'jms://{}'.format(protocol_data),
-        }
-        return Response(data=data)
+        token = json.dumps(data)
+        return filename, token


-class SecretDetailMixin:
-    valid_token: Callable
-    request: Request
-    get_serializer: Callable
-
-    @staticmethod
-    def _get_application_secret_detail(application):
-        gateway = None
-        remote_app = None
-        asset = None
-
-        if application.category_remote_app:
-            remote_app = application.get_rdp_remote_app_setting()
-            asset = application.get_remote_app_asset()
-            domain = asset.domain
-        else:
-            domain = application.domain
-
-        if domain and domain.has_gateway():
-            gateway = domain.random_gateway()
-
-        return {
-            'asset': asset,
-            'application': application,
-            'gateway': gateway,
-            'domain': domain,
-            'remote_app': remote_app,
-        }
-
-    @staticmethod
-    def _get_asset_secret_detail(asset):
-        gateway = None
-        if asset and asset.domain and asset.domain.has_gateway():
-            gateway = asset.domain.random_gateway()
-
-        return {
-            'asset': asset,
-            'application': None,
-            'domain': asset.domain,
-            'gateway': gateway,
-            'remote_app': None,
-        }
-
-    @action(methods=['POST'], detail=False, url_path='secret-info/detail')
-    def get_secret_detail(self, request, *args, **kwargs):
-        perm_required = 'authentication.view_connectiontokensecret'
-
-        # 非常重要的 api，再逻辑层再判断一下，双重保险
-        if not request.user.has_perm(perm_required):
-            raise PermissionDenied('Not allow to view secret')
-
-        token = request.data.get('token', '')
-        try:
-            value, user, system_user, asset, app, expired_at, actions = self.valid_token(token)
-        except serializers.ValidationError as e:
-            post_auth_failed.send(
-                sender=self.__class__, username='', request=self.request,
-                reason=_('Invalid token')
-            )
-            raise e
-
-        data = dict(
-            id=token, secret=value.get('secret', ''),
-            user=user, system_user=system_user,
-            expired_at=expired_at, actions=actions
-        )
-        cmd_filter_kwargs = {
-            'system_user_id': system_user.id,
-            'user_id': user.id,
-        }
-        if asset:
-            asset_detail = self._get_asset_secret_detail(asset)
-            system_user.load_asset_more_auth(asset.id, user.username, user.id)
-            data['type'] = 'asset'
-            data.update(asset_detail)
-            cmd_filter_kwargs['asset_id'] = asset.id
-        else:
-            app_detail = self._get_application_secret_detail(app)
-            system_user.load_app_more_auth(app.id, user.username, user.id)
-            data['type'] = 'application'
-            data.update(app_detail)
-            cmd_filter_kwargs['application_id'] = app.id
-
-        from assets.models import CommandFilterRule
-        cmd_filter_rules = CommandFilterRule.get_queryset(**cmd_filter_kwargs)
-        data['cmd_filter_rules'] = cmd_filter_rules
-
-        serializer = self.get_serializer(data)
-        return Response(data=serializer.data, status=200)
-
-
-class TokenCacheMixin:
-    """ endpoint smart view 用到此类来解析token中的资产、应用 """
-    CACHE_KEY_PREFIX = 'CONNECTION_TOKEN_{}'
-
-    def get_token_cache_key(self, token):
-        return self.CACHE_KEY_PREFIX.format(token)
-
-    def get_token_ttl(self, token):
-        key = self.get_token_cache_key(token)
-        return cache.ttl(key)
-
-    def set_token_to_cache(self, token, value, ttl=5 * 60):
-        key = self.get_token_cache_key(token)
-        cache.set(key, value, timeout=ttl)
-
-    def get_token_from_cache(self, token):
-        key = self.get_token_cache_key(token)
-        value = cache.get(key, None)
-        return value
-
-    def renewal_token(self, token, ttl=5 * 60):
-        value = self.get_token_from_cache(token)
-        if value:
-            pre_ttl = self.get_token_ttl(token)
-            self.set_token_to_cache(token, value, ttl)
-            post_ttl = self.get_token_ttl(token)
-            ok = True
-            msg = f'{pre_ttl}s is renewed to {post_ttl}s.'
-        else:
-            ok = False
-            msg = 'Token is not found.'
-        data = {
-            'ok': ok,
-            'msg': msg
-        }
-        return data
-
-
-class BaseUserConnectionTokenViewSet(
-    RootOrgViewMixin, SerializerMixin, ClientProtocolMixin,
-    TokenCacheMixin, GenericViewSet
-):
-
-    @staticmethod
-    def check_resource_permission(user, asset, application, system_user):
-        from perms.utils.asset import has_asset_system_permission
-        from perms.utils.application import has_application_system_permission
-
-        if asset and not has_asset_system_permission(user, asset, system_user):
-            error = f'User not has this asset and system user permission: ' \
-                    f'user={user.id} system_user={system_user.id} asset={asset.id}'
-            raise PermissionDenied(error)
-        if application and not has_application_system_permission(user, application, system_user):
-            error = f'User not has this application and system user permission: ' \
-                    f'user={user.id} system_user={system_user.id} application={application.id}'
-            raise PermissionDenied(error)
-        return True
-
-    def create_token(self, user, asset, application, system_user, ttl=5 * 60):
-        self.check_resource_permission(user, asset, application, system_user)
-        token = random_string(36)
-        secret = random_string(16)
-        value = {
-            'id': token,
-            'secret': secret,
-            'user': str(user.id),
-            'username': user.username,
-            'system_user': str(system_user.id),
-            'system_user_name': system_user.name,
-            'created_by': str(self.request.user),
-            'date_created': str(timezone.now())
-        }
-
-        if asset:
-            value.update({
-                'type': 'asset',
-                'asset': str(asset.id),
-                'hostname': asset.hostname,
-            })
-        elif application:
-            value.update({
-                'type': 'application',
-                'application': application.id,
-                'application_name': str(application)
-            })
-
-        self.set_token_to_cache(token, value, ttl)
-        return token, secret
-
-    def create(self, request, *args, **kwargs):
-        serializer = self.get_serializer(data=request.data)
-        serializer.is_valid(raise_exception=True)
-
-        asset, application, system_user, user = self.get_request_resource(serializer)
-        token, secret = self.create_token(user, asset, application, system_user)
-        tp = 'app' if application else 'asset'
-        data = {
-            "id": token, 'secret': secret,
-            'type': tp, 'protocol': system_user.protocol,
-            'expire_time': self.get_token_ttl(token),
-        }
-        return Response(data, status=201)
-
-
-class UserConnectionTokenViewSet(BaseUserConnectionTokenViewSet, SecretDetailMixin):
+class ConnectionTokenViewSet(ConnectionTokenMixin, RootOrgViewMixin, JMSModelViewSet):
+    filterset_fields = (
+        'type', 'user_display', 'system_user_display',
+        'application_display', 'asset_display'
+    )
+    search_fields = filterset_fields
    serializer_classes = {
        'default': ConnectionTokenSerializer,
+        'list': ConnectionTokenDisplaySerializer,
+        'retrieve': ConnectionTokenDisplaySerializer,
        'get_secret_detail': ConnectionTokenSecretSerializer,
    }
    rbac_perms = {
-        'GET': 'authentication.view_connectiontoken',
+        'retrieve': 'authentication.view_connectiontoken',
        'create': 'authentication.add_connectiontoken',
+        'expire': 'authentication.add_connectiontoken',
        'get_secret_detail': 'authentication.view_connectiontokensecret',
        'get_rdp_file': 'authentication.add_connectiontoken',
        'get_client_protocol_url': 'authentication.add_connectiontoken',
    }

-    def valid_token(self, token):
-        from users.models import User
-        from assets.models import SystemUser, Asset
-        from applications.models import Application
-        from perms.utils.asset.permission import validate_permission as asset_validate_permission
-        from perms.utils.application.permission import validate_permission as app_validate_permission
+    def get_queryset(self):
+        return ConnectionToken.objects.filter(user=self.request.user)

-        value = self.get_token_from_cache(token)
-        if not value:
-            raise serializers.ValidationError('Token not found')
+    def get_request_resource_user(self, serializer):
+        return self.request.user

-        user = get_object_or_404(User, id=value.get('user'))
-        if not user.is_valid:
-            raise serializers.ValidationError("User not valid, disabled or expired")
-
-        system_user = get_object_or_404(SystemUser, id=value.get('system_user'))
-        asset = None
-        app = None
-        if value.get('type') == 'asset':
-            asset = get_object_or_404(Asset, id=value.get('asset'))
-            if not asset.is_active:
-                raise serializers.ValidationError("Asset disabled")
-            has_perm, actions, expired_at = asset_validate_permission(user, asset, system_user)
+    def get_object(self):
+        if self.request.user.is_service_account:
+            # TODO: 组件获取 token 详情，将来放在 Super-connection-token API 中
+            obj = get_object_or_404(ConnectionToken, pk=self.kwargs.get('pk'))
        else:
-            app = get_object_or_404(Application, id=value.get('application'))
-            has_perm, actions, expired_at = app_validate_permission(user, app, system_user)
+            obj = super(ConnectionTokenViewSet, self).get_object()
+        return obj

-        if not has_perm:
-            raise serializers.ValidationError('Permission expired or invalid')
-        return value, user, system_user, asset, app, expired_at, actions
+    def create_connection_token(self):
+        data = self.request.query_params if self.request.method == 'GET' else self.request.data
+        serializer = self.get_serializer(data=data)
+        serializer.is_valid(raise_exception=True)
+        self.perform_create(serializer)
+        token: ConnectionToken = serializer.instance
+        return token

-    def get(self, request):
-        token = request.query_params.get('token')
-        value = self.get_token_from_cache(token)
-        if not value:
-            return Response('', status=404)
-        return Response(value)
+    def perform_create(self, serializer):
+        user, asset, application, system_user = self.get_request_resources(serializer)
+        self.check_user_has_resource_permission(user, asset, application, system_user)
+        return super(ConnectionTokenViewSet, self).perform_create(serializer)
+
+    @action(methods=['POST'], detail=False, url_path='secret-info/detail')
+    def get_secret_detail(self, request, *args, **kwargs):
+        # 非常重要的 api，在逻辑层再判断一下，双重保险
+        perm_required = 'authentication.view_connectiontokensecret'
+        if not request.user.has_perm(perm_required):
+            raise PermissionDenied('Not allow to view secret')
+        token_id = request.data.get('token') or ''
+        token = get_object_or_404(ConnectionToken, pk=token_id)
+        self.check_token_valid(token)
+        token.load_system_user_auth()
+        serializer = self.get_serializer(instance=token)
+        return Response(serializer.data, status=status.HTTP_200_OK)
+
+    @action(methods=['POST', 'GET'], detail=False, url_path='rdp/file')
+    def get_rdp_file(self, request, *args, **kwargs):
+        token = self.create_connection_token()
+        self.check_token_valid(token)
+        filename, content = self.get_rdp_file_info(token)
+        filename = '{}.rdp'.format(filename)
+        response = HttpResponse(content, content_type='application/octet-stream')
+        response['Content-Disposition'] = 'attachment; filename*=UTF-8\'\'%s' % filename
+        return response
+
+    @action(methods=['POST', 'GET'], detail=False, url_path='client-url')
+    def get_client_protocol_url(self, request, *args, **kwargs):
+        token = self.create_connection_token()
+        self.check_token_valid(token)
+        try:
+            protocol_data = self.get_client_protocol_data(token)
+        except ValueError as e:
+            return Response(data={'error': str(e)}, status=status.HTTP_400_BAD_REQUEST)
+        protocol_data = json.dumps(protocol_data).encode()
+        protocol_data = base64.b64encode(protocol_data).decode()
+        data = {
+            'url': 'jms://{}'.format(protocol_data)
+        }
+        return Response(data=data)
+
+    @action(methods=['PATCH'], detail=True)
+    def expire(self, request, *args, **kwargs):
+        instance = self.get_object()
+        instance.expire()
+        return Response(status=status.HTTP_204_NO_CONTENT)


-class UserSuperConnectionTokenViewSet(
-    BaseUserConnectionTokenViewSet, TokenCacheMixin, GenericViewSet
-):
+class SuperConnectionTokenViewSet(ConnectionTokenViewSet):
    serializer_classes = {
        'default': SuperConnectionTokenSerializer,
    }
@@ -524,10 +308,22 @@ class UserSuperConnectionTokenViewSet(
        'renewal': 'authentication.add_superconnectiontoken'
    }

-    @action(methods=[PATCH], detail=False)
+    def get_request_resource_user(self, serializer):
+        return serializer.validated_data.get('user')
+
+    @action(methods=['PATCH'], detail=False)
    def renewal(self, request, *args, **kwargs):
-        """ 续期 Token """
-        token = request.data.get('token', '')
-        data = self.renewal_token(token)
-        status_code = 200 if data.get('ok') else 404
-        return Response(data=data, status=status_code)
+        from common.utils.timezone import as_current_tz
+
+        token_id = request.data.get('token') or ''
+        token = get_object_or_404(ConnectionToken, pk=token_id)
+        date_expired = as_current_tz(token.date_expired)
+        if token.is_expired:
+            raise PermissionDenied('Token is expired at: {}'.format(date_expired))
+        token.renewal()
+        data = {
+            'ok': True,
+            'msg': f'Token is renewed, date expired: {date_expired}'
+        }
+        return Response(data=data, status=status.HTTP_200_OK)
+
--- a/apps/authentication/api/dingtalk.py
+++ b/apps/authentication/api/dingtalk.py
@@ -2,10 +2,11 @@ from rest_framework.views import APIView
 from rest_framework.request import Request
 from rest_framework.response import Response

-from users.permissions import IsAuthPasswdTimeValid
 from users.models import User
 from common.utils import get_logger
+from common.permissions import UserConfirmation
 from common.mixins.api import RoleUserMixin, RoleAdminMixin
+from authentication.const import ConfirmType
 from authentication import errors

 logger = get_logger(__file__)
@@ -26,9 +27,8 @@ class DingTalkQRUnBindBase(APIView):


 class DingTalkQRUnBindForUserApi(RoleUserMixin, DingTalkQRUnBindBase):
-    permission_classes = (IsAuthPasswdTimeValid,)
+    permission_classes = (UserConfirmation.require(ConfirmType.ReLogin),)


 class DingTalkQRUnBindForAdminApi(RoleAdminMixin, DingTalkQRUnBindBase):
    user_id_url_kwarg = 'user_id'
-    
--- a/apps/authentication/api/feishu.py
+++ b/apps/authentication/api/feishu.py
@@ -2,10 +2,11 @@ from rest_framework.views import APIView
 from rest_framework.request import Request
 from rest_framework.response import Response

-from users.permissions import IsAuthPasswdTimeValid
 from users.models import User
 from common.utils import get_logger
+from common.permissions import UserConfirmation
 from common.mixins.api import RoleUserMixin, RoleAdminMixin
+from authentication.const import ConfirmType
 from authentication import errors

 logger = get_logger(__file__)
@@ -26,7 +27,7 @@ class FeiShuQRUnBindBase(APIView):


 class FeiShuQRUnBindForUserApi(RoleUserMixin, FeiShuQRUnBindBase):
-    permission_classes = (IsAuthPasswdTimeValid,)
+    permission_classes = (UserConfirmation.require(ConfirmType.ReLogin),)


 class FeiShuQRUnBindForAdminApi(RoleAdminMixin, FeiShuQRUnBindBase):
--- a/apps/authentication/api/login_confirm.py
+++ b/apps/authentication/api/login_confirm.py
@@ -25,5 +25,5 @@ class TicketStatusApi(mixins.AuthMixin, APIView):
        ticket = self.get_ticket()
        if ticket:
            request.session.pop('auth_ticket_id', '')
-            ticket.close(processor=self.get_user_from_session())
+            ticket.close()
        return Response('', status=200)
--- a/apps/authentication/api/mfa.py
+++ b/apps/authentication/api/mfa.py
@@ -10,22 +10,17 @@ from rest_framework.generics import CreateAPIView
 from rest_framework.serializers import ValidationError
 from rest_framework.response import Response

-from common.permissions import IsValidUser, NeedMFAVerify
 from common.utils import get_logger
 from common.exceptions import UnexpectError
 from users.models.user import User
-from ..serializers import OtpVerifySerializer
 from .. import serializers
 from .. import errors
-from ..mfa.otp import MFAOtp
 from ..mixins import AuthMixin

-
 logger = get_logger(__name__)

 __all__ = [
-    'MFAChallengeVerifyApi', 'UserOtpVerifyApi',
-    'MFASendCodeApi'
+    'MFAChallengeVerifyApi', 'MFASendCodeApi'
 ]


@@ -88,30 +83,3 @@ class MFAChallengeVerifyApi(AuthMixin, CreateAPIView):
            raise ValidationError(data)
        except errors.NeedMoreInfoError as e:
            return Response(e.as_data(), status=200)
-
-
-class UserOtpVerifyApi(CreateAPIView):
-    permission_classes = (IsValidUser,)
-    serializer_class = OtpVerifySerializer
-
-    def get(self, request, *args, **kwargs):
-        return Response({'code': 'valid', 'msg': 'verified'})
-
-    def create(self, request, *args, **kwargs):
-        serializer = self.get_serializer(data=request.data)
-        serializer.is_valid(raise_exception=True)
-        code = serializer.validated_data["code"]
-        otp = MFAOtp(request.user)
-
-        ok, error = otp.check_code(code)
-        if ok:
-            request.session["MFA_VERIFY_TIME"] = int(time.time())
-            return Response({"ok": "1"})
-        else:
-            return Response({"error": _("Code is invalid, {}").format(error)}, status=400)
-
-    def get_permissions(self):
-        if self.request.method.lower() == 'get' \
-                and settings.SECURITY_VIEW_AUTH_NEED_MFA:
-            self.permission_classes = [NeedMFAVerify]
-        return super().get_permissions()
--- a/apps/authentication/api/wecom.py
+++ b/apps/authentication/api/wecom.py
@@ -2,10 +2,11 @@ from rest_framework.views import APIView
 from rest_framework.request import Request
 from rest_framework.response import Response

-from users.permissions import IsAuthPasswdTimeValid
 from users.models import User
 from common.utils import get_logger
+from common.permissions import UserConfirmation
 from common.mixins.api import RoleUserMixin, RoleAdminMixin
+from authentication.const import ConfirmType
 from authentication import errors

 logger = get_logger(__file__)
@@ -26,9 +27,8 @@ class WeComQRUnBindBase(APIView):


 class WeComQRUnBindForUserApi(RoleUserMixin, WeComQRUnBindBase):
-    permission_classes = (IsAuthPasswdTimeValid,)
+    permission_classes = (UserConfirmation.require(ConfirmType.ReLogin),)


 class WeComQRUnBindForAdminApi(RoleAdminMixin, WeComQRUnBindBase):
    user_id_url_kwarg = 'user_id'
-    
--- a/apps/authentication/backends/drf.py
+++ b/apps/authentication/backends/drf.py
@@ -198,6 +198,6 @@ class SignatureAuthentication(signature.SignatureAuthentication):
                return None, None
            user, secret = key.user, str(key.secret)
            return user, secret
-        except AccessKey.DoesNotExist:
+        except (AccessKey.DoesNotExist, exceptions.ValidationError):
            return None, None

--- a/apps/authentication/backends/ldap.py
+++ b/apps/authentication/backends/ldap.py
@@ -157,6 +157,8 @@ class LDAPUser(_LDAPUser):

    def _populate_user_from_attributes(self):
        for field, attr in self.settings.USER_ATTR_MAP.items():
+            if field in ['groups']:
+                continue
            try:
                value = self.attrs[attr][0]
                value = value.strip()
--- a/apps/authentication/backends/oidc/backends.py
+++ b/apps/authentication/backends/oidc/backends.py
@@ -18,6 +18,7 @@ from django.urls import reverse
 from django.conf import settings

 from common.utils import get_logger
+from users.utils import construct_user_email

 from ..base import JMSBaseAuthBackend
 from .utils import validate_and_return_id_token, build_absolute_uri
@@ -39,17 +40,22 @@ class UserMixin:
        logger.debug(log_prompt.format('start'))

        sub = claims['sub']
-        name = claims.get('name', sub)
-        username = claims.get('preferred_username', sub)
-        email = claims.get('email', "{}@{}".format(username, 'jumpserver.openid'))
-        logger.debug(
-            log_prompt.format(
-                "sub: {}|name: {}|username: {}|email: {}".format(sub, name, username, email)
-            )
-        )
+
+        # Construct user attrs value
+        user_attrs = {}
+        for field, attr in settings.AUTH_OPENID_USER_ATTR_MAP.items():
+            user_attrs[field] = claims.get(attr, sub)
+        email = user_attrs.get('email', '')
+        email = construct_user_email(user_attrs.get('username'), email)
+        user_attrs.update({'email': email})
+
+        logger.debug(log_prompt.format(user_attrs))
+
+        username = user_attrs.get('username')
+        name = user_attrs.get('name')

        user, created = get_user_model().objects.get_or_create(
-            username=username, defaults={"name": name, "email": email}
+            username=username, defaults=user_attrs
        )
        logger.debug(log_prompt.format("user: {}|created: {}".format(user, created)))
        logger.debug(log_prompt.format("Send signal => openid create or update user"))
--- a/apps/authentication/confirm/init.py
+++ b/apps/authentication/confirm/init.py
@@ -0,0 +1,5 @@
+from .mfa import ConfirmMFA
+from .password import ConfirmPassword
+from .relogin import ConfirmReLogin
+
+CONFIRM_BACKENDS = [ConfirmReLogin, ConfirmPassword, ConfirmMFA]
--- a/apps/authentication/confirm/base.py
+++ b/apps/authentication/confirm/base.py
@@ -0,0 +1,30 @@
+import abc
+
+
+class BaseConfirm(abc.ABC):
+
+    def __init__(self, user, request):
+        self.user = user
+        self.request = request
+
+    @property
+    @abc.abstractmethod
+    def name(self) -> str:
+        return ''
+
+    @property
+    @abc.abstractmethod
+    def display_name(self) -> str:
+        return ''
+
+    @abc.abstractmethod
+    def check(self) -> bool:
+        return False
+
+    @property
+    def content(self):
+        return ''
+
+    @abc.abstractmethod
+    def authenticate(self, secret_key, mfa_type) -> tuple:
+        return False, 'Error msg'
--- a/apps/authentication/confirm/mfa.py
+++ b/apps/authentication/confirm/mfa.py
@@ -0,0 +1,26 @@
+from users.models import User
+
+from .base import BaseConfirm
+
+
+class ConfirmMFA(BaseConfirm):
+    name = 'mfa'
+    display_name = 'MFA'
+
+    def check(self):
+        return self.user.active_mfa_backends and self.user.mfa_enabled
+
+    @property
+    def content(self):
+        backends = User.get_user_mfa_backends(self.user)
+        return [{
+            'name': backend.name,
+            'disabled': not bool(backend.is_active()),
+            'display_name': backend.display_name,
+            'placeholder': backend.placeholder,
+        } for backend in backends]
+
+    def authenticate(self, secret_key, mfa_type):
+        mfa_backend = self.user.get_mfa_backend_by_type(mfa_type)
+        ok, msg = mfa_backend.check_code(secret_key)
+        return ok, msg
--- a/apps/authentication/confirm/password.py
+++ b/apps/authentication/confirm/password.py
@@ -0,0 +1,17 @@
+from django.utils.translation import ugettext_lazy as _
+
+from authentication.mixins import authenticate
+from .base import BaseConfirm
+
+
+class ConfirmPassword(BaseConfirm):
+    name = 'password'
+    display_name = _('Password')
+
+    def check(self):
+        return self.user.is_password_authenticate()
+
+    def authenticate(self, secret_key, mfa_type):
+        ok = authenticate(self.request, username=self.user.username, password=secret_key)
+        msg = '' if ok else _('Authentication failed password incorrect')
+        return ok, msg
--- a/apps/authentication/confirm/relogin.py
+++ b/apps/authentication/confirm/relogin.py
@@ -0,0 +1,30 @@
+from datetime import datetime
+
+from django.utils import timezone
+from django.utils.translation import ugettext_lazy as _
+
+from .base import BaseConfirm
+
+SPECIFIED_TIME = 5
+
+RELOGIN_ERROR = _('Login time has exceeded {} minutes, please login again').format(SPECIFIED_TIME)
+
+
+class ConfirmReLogin(BaseConfirm):
+    name = 'relogin'
+    display_name = 'Re-Login'
+
+    def check(self):
+        return not self.user.is_password_authenticate()
+
+    def authenticate(self, secret_key, mfa_type):
+        now = timezone.now().strftime("%Y-%m-%d %H:%M:%S")
+        now = datetime.strptime(now, '%Y-%m-%d %H:%M:%S')
+        login_time = self.request.session.get('login_time')
+        msg = RELOGIN_ERROR
+        if not login_time:
+            return False, msg
+        login_time = datetime.strptime(login_time, '%Y-%m-%d %H:%M:%S')
+        if (now - login_time).seconds >= SPECIFIED_TIME * 60:
+            return False, msg
+        return True, ''
--- a/apps/authentication/const.py
+++ b/apps/authentication/const.py
@@ -1,2 +1,37 @@
+from django.db.models import TextChoices
+
+from authentication.confirm import CONFIRM_BACKENDS
+from .confirm import ConfirmMFA, ConfirmPassword, ConfirmReLogin
+from .mfa import MFAOtp, MFASms, MFARadius
+
 RSA_PRIVATE_KEY = 'rsa_private_key'
 RSA_PUBLIC_KEY = 'rsa_public_key'
+
+CONFIRM_BACKEND_MAP = {backend.name: backend for backend in CONFIRM_BACKENDS}
+
+
+class ConfirmType(TextChoices):
+    ReLogin = ConfirmReLogin.name, ConfirmReLogin.display_name
+    PASSWORD = ConfirmPassword.name, ConfirmPassword.display_name
+    MFA = ConfirmMFA.name, ConfirmMFA.display_name
+
+    @classmethod
+    def get_can_confirm_types(cls, confirm_type):
+        start = cls.values.index(confirm_type)
+        types = cls.values[start:]
+        types.reverse()
+        return types
+
+    @classmethod
+    def get_can_confirm_backend_classes(cls, confirm_type):
+        types = cls.get_can_confirm_types(confirm_type)
+        backend_classes = [
+            CONFIRM_BACKEND_MAP[tp] for tp in types if tp in CONFIRM_BACKEND_MAP
+        ]
+        return backend_classes
+
+
+class MFAType(TextChoices):
+    OTP = MFAOtp.name, MFAOtp.display_name
+    SMS = MFASms.name, MFASms.display_name
+    Radius = MFARadius.name, MFARadius.display_name
--- a/apps/authentication/errors.py
+++ b/apps/authentication/errors.py
@@ -1,367 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-from django.utils.translation import ugettext_lazy as _
-from django.urls import reverse
-from django.conf import settings
-from rest_framework import status
-
-from common.exceptions import JMSException
-from .signals import post_auth_failed
-from users.utils import LoginBlockUtil, MFABlockUtils, LoginIpBlockUtil
-
-reason_password_failed = 'password_failed'
-reason_password_decrypt_failed = 'password_decrypt_failed'
-reason_mfa_failed = 'mfa_failed'
-reason_mfa_unset = 'mfa_unset'
-reason_user_not_exist = 'user_not_exist'
-reason_password_expired = 'password_expired'
-reason_user_invalid = 'user_invalid'
-reason_user_inactive = 'user_inactive'
-reason_user_expired = 'user_expired'
-reason_backend_not_match = 'backend_not_match'
-reason_acl_not_allow = 'acl_not_allow'
-only_local_users_are_allowed = 'only_local_users_are_allowed'
-
-reason_choices = {
-    reason_password_failed: _('Username/password check failed'),
-    reason_password_decrypt_failed: _('Password decrypt failed'),
-    reason_mfa_failed: _('MFA failed'),
-    reason_mfa_unset: _('MFA unset'),
-    reason_user_not_exist: _("Username does not exist"),
-    reason_password_expired: _("Password expired"),
-    reason_user_invalid: _('Disabled or expired'),
-    reason_user_inactive: _("This account is inactive."),
-    reason_user_expired: _("This account is expired"),
-    reason_backend_not_match: _("Auth backend not match"),
-    reason_acl_not_allow: _("ACL is not allowed"),
-    only_local_users_are_allowed: _("Only local users are allowed")
-}
-old_reason_choices = {
-    '0': '-',
-    '1': reason_choices[reason_password_failed],
-    '2': reason_choices[reason_mfa_failed],
-    '3': reason_choices[reason_user_not_exist],
-    '4': reason_choices[reason_password_expired],
-}
-
-session_empty_msg = _("No session found, check your cookie")
-invalid_login_msg = _(
-    "The username or password you entered is incorrect, "
-    "please enter it again. "
-    "You can also try {times_try} times "
-    "(The account will be temporarily locked for {block_time} minutes)"
-)
-block_user_login_msg = _(
-    "The account has been locked "
-    "(please contact admin to unlock it or try again after {} minutes)"
-)
-block_ip_login_msg = _(
-    "The ip has been locked "
-    "(please contact admin to unlock it or try again after {} minutes)"
-)
-block_mfa_msg = _(
-    "The account has been locked "
-    "(please contact admin to unlock it or try again after {} minutes)"
-)
-mfa_error_msg = _(
-    "{error}, "
-    "You can also try {times_try} times "
-    "(The account will be temporarily locked for {block_time} minutes)"
-)
-mfa_required_msg = _("MFA required")
-mfa_unset_msg = _("MFA not set, please set it first")
-login_confirm_required_msg = _("Login confirm required")
-login_confirm_wait_msg = _("Wait login confirm ticket for accept")
-login_confirm_error_msg = _("Login confirm ticket was {}")
-
-
-class AuthFailedNeedLogMixin:
-    username = ''
-    request = None
-    error = ''
-
-    def __init__(self, *args, **kwargs):
-        super().__init__(*args, **kwargs)
-        post_auth_failed.send(
-            sender=self.__class__, username=self.username,
-            request=self.request, reason=self.error
-        )
-
-
-class AuthFailedNeedBlockMixin:
-    username = ''
-    ip = ''
-
-    def __init__(self, *args, **kwargs):
-        super().__init__(*args, **kwargs)
-        LoginBlockUtil(self.username, self.ip).incr_failed_count()
-
-
-class AuthFailedError(Exception):
-    username = ''
-    msg = ''
-    error = ''
-    request = None
-    ip = ''
-
-    def __init__(self, **kwargs):
-        for k, v in kwargs.items():
-            setattr(self, k, v)
-
-    def as_data(self):
-        return {
-            'error': self.error,
-            'msg': self.msg,
-        }
-
-    def __str__(self):
-        return str(self.msg)
-
-
-class BlockGlobalIpLoginError(AuthFailedError):
-    error = 'block_global_ip_login'
-
-    def __init__(self, username, ip, **kwargs):
-        self.msg = block_ip_login_msg.format(settings.SECURITY_LOGIN_IP_LIMIT_TIME)
-        LoginIpBlockUtil(ip).set_block_if_need()
-        super().__init__(username=username, ip=ip, **kwargs)
-
-
-class CredentialError(
-    AuthFailedNeedLogMixin, AuthFailedNeedBlockMixin, BlockGlobalIpLoginError, AuthFailedError
-):
-    def __init__(self, error, username, ip, request):
-        super().__init__(error=error, username=username, ip=ip, request=request)
-        util = LoginBlockUtil(username, ip)
-        times_remainder = util.get_remainder_times()
-        block_time = settings.SECURITY_LOGIN_LIMIT_TIME
-
-        if times_remainder < 1:
-            self.msg = block_user_login_msg.format(settings.SECURITY_LOGIN_LIMIT_TIME)
-            return
-
-        default_msg = invalid_login_msg.format(
-            times_try=times_remainder, block_time=block_time
-        )
-        if error == reason_password_failed:
-            self.msg = default_msg
-        else:
-            self.msg = reason_choices.get(error, default_msg)
-
-
-class MFAFailedError(AuthFailedNeedLogMixin, AuthFailedError):
-    error = reason_mfa_failed
-    msg: str
-
-    def __init__(self, username, request, ip, mfa_type, error):
-        super().__init__(username=username, request=request)
-
-        util = MFABlockUtils(username, ip)
-        times_remainder = util.incr_failed_count()
-        block_time = settings.SECURITY_LOGIN_LIMIT_TIME
-
-        if times_remainder:
-            self.msg = mfa_error_msg.format(
-                error=error, times_try=times_remainder, block_time=block_time
-            )
-        else:
-            self.msg = block_mfa_msg.format(settings.SECURITY_LOGIN_LIMIT_TIME)
-
-
-class BlockMFAError(AuthFailedNeedLogMixin, AuthFailedError):
-    error = 'block_mfa'
-
-    def __init__(self, username, request, ip):
-        self.msg = block_mfa_msg.format(settings.SECURITY_LOGIN_LIMIT_TIME)
-        super().__init__(username=username, request=request, ip=ip)
-
-
-class MFAUnsetError(Exception):
-    error = reason_mfa_unset
-    msg = mfa_unset_msg
-
-    def __init__(self, user, request, url):
-        self.url = url
-
-
-class BlockLoginError(AuthFailedNeedBlockMixin, AuthFailedError):
-    error = 'block_login'
-
-    def __init__(self, username, ip):
-        self.msg = block_user_login_msg.format(settings.SECURITY_LOGIN_LIMIT_TIME)
-        super().__init__(username=username, ip=ip)
-
-
-class SessionEmptyError(AuthFailedError):
-    msg = session_empty_msg
-    error = 'session_empty'
-
-
-class NeedMoreInfoError(Exception):
-    error = ''
-    msg = ''
-
-    def __init__(self, error='', msg=''):
-        if error:
-            self.error = error
-        if msg:
-            self.msg = msg
-
-    def as_data(self):
-        return {
-            'error': self.error,
-            'msg': self.msg,
-        }
-
-
-class MFARequiredError(NeedMoreInfoError):
-    msg = mfa_required_msg
-    error = 'mfa_required'
-
-    def __init__(self, error='', msg='', mfa_types=()):
-        super().__init__(error=error, msg=msg)
-        self.choices = mfa_types
-
-    def as_data(self):
-        return {
-            'error': self.error,
-            'msg': self.msg,
-            'data': {
-                'choices': self.choices,
-                'url': reverse('api-auth:mfa-challenge')
-            }
-        }
-
-
-class ACLError(AuthFailedNeedLogMixin, AuthFailedError):
-    msg = reason_acl_not_allow
-    error = 'acl_error'
-
-    def __init__(self, msg, **kwargs):
-        self.msg = msg
-        super().__init__(**kwargs)
-
-    def as_data(self):
-        return {
-            "error": reason_acl_not_allow,
-            "msg": self.msg
-        }
-
-
-class LoginIPNotAllowed(ACLError):
-    def __init__(self, username, request, **kwargs):
-        self.username = username
-        self.request = request
-        super().__init__(_("IP is not allowed"), **kwargs)
-
-
-class TimePeriodNotAllowed(ACLError):
-    def __init__(self, username, request, **kwargs):
-        self.username = username
-        self.request = request
-        super().__init__(_("Time Period is not allowed"), **kwargs)
-
-
-class LoginConfirmBaseError(NeedMoreInfoError):
-    def __init__(self, ticket_id, **kwargs):
-        self.ticket_id = ticket_id
-        super().__init__(**kwargs)
-
-    def as_data(self):
-        return {
-            "error": self.error,
-            "msg": self.msg,
-            "data": {
-                "ticket_id": self.ticket_id
-            }
-        }
-
-
-class LoginConfirmWaitError(LoginConfirmBaseError):
-    msg = login_confirm_wait_msg
-    error = 'login_confirm_wait'
-
-
-class LoginConfirmOtherError(LoginConfirmBaseError):
-    error = 'login_confirm_error'
-
-    def __init__(self, ticket_id, status):
-        msg = login_confirm_error_msg.format(status)
-        super().__init__(ticket_id=ticket_id, msg=msg)
-
-
-class SSOAuthClosed(JMSException):
-    default_code = 'sso_auth_closed'
-    default_detail = _('SSO auth closed')
-
-
-class PasswordTooSimple(JMSException):
-    default_code = 'passwd_too_simple'
-    default_detail = _('Your password is too simple, please change it for security')
-
-    def __init__(self, url, *args, **kwargs):
-        super().__init__(*args, **kwargs)
-        self.url = url
-
-
-class PasswordNeedUpdate(JMSException):
-    default_code = 'passwd_need_update'
-    default_detail = _('You should to change your password before login')
-
-    def __init__(self, url, *args, **kwargs):
-        super().__init__(*args, **kwargs)
-        self.url = url
-
-
-class PasswordRequireResetError(JMSException):
-    default_code = 'passwd_has_expired'
-    default_detail = _('Your password has expired, please reset before logging in')
-
-    def __init__(self, url, *args, **kwargs):
-        super().__init__(*args, **kwargs)
-        self.url = url
-
-
-class WeComCodeInvalid(JMSException):
-    default_code = 'wecom_code_invalid'
-    default_detail = 'Code invalid, can not get user info'
-
-
-class WeComBindAlready(JMSException):
-    default_code = 'wecom_bind_already'
-    default_detail = 'WeCom already binded'
-
-
-class WeComNotBound(JMSException):
-    default_code = 'wecom_not_bound'
-    default_detail = 'WeCom is not bound'
-
-
-class DingTalkNotBound(JMSException):
-    default_code = 'dingtalk_not_bound'
-    default_detail = 'DingTalk is not bound'
-
-
-class FeiShuNotBound(JMSException):
-    default_code = 'feishu_not_bound'
-    default_detail = 'FeiShu is not bound'
-
-
-class PasswordInvalid(JMSException):
-    default_code = 'passwd_invalid'
-    default_detail = _('Your password is invalid')
-
-
-class MFACodeRequiredError(AuthFailedError):
-    error = 'mfa_code_required'
-    msg = _("Please enter MFA code")
-
-
-class SMSCodeRequiredError(AuthFailedError):
-    error = 'sms_code_required'
-    msg = _("Please enter SMS code")
-
-
-class UserPhoneNotSet(AuthFailedError):
-    error = 'phone_not_set'
-    msg = _('Phone not set')
--- a/apps/authentication/errors/init.py
+++ b/apps/authentication/errors/init.py
@@ -0,0 +1,4 @@
+from .const import *
+from .mfa import *
+from .failed import *
+from .redirect import *
--- a/apps/authentication/errors/const.py
+++ b/apps/authentication/errors/const.py
@@ -0,0 +1,67 @@
+from django.utils.translation import gettext_lazy as _
+
+
+reason_password_failed = 'password_failed'
+reason_password_decrypt_failed = 'password_decrypt_failed'
+reason_mfa_failed = 'mfa_failed'
+reason_mfa_unset = 'mfa_unset'
+reason_user_not_exist = 'user_not_exist'
+reason_password_expired = 'password_expired'
+reason_user_invalid = 'user_invalid'
+reason_user_inactive = 'user_inactive'
+reason_user_expired = 'user_expired'
+reason_backend_not_match = 'backend_not_match'
+reason_acl_not_allow = 'acl_not_allow'
+only_local_users_are_allowed = 'only_local_users_are_allowed'
+
+reason_choices = {
+    reason_password_failed: _('Username/password check failed'),
+    reason_password_decrypt_failed: _('Password decrypt failed'),
+    reason_mfa_failed: _('MFA failed'),
+    reason_mfa_unset: _('MFA unset'),
+    reason_user_not_exist: _("Username does not exist"),
+    reason_password_expired: _("Password expired"),
+    reason_user_invalid: _('Disabled or expired'),
+    reason_user_inactive: _("This account is inactive."),
+    reason_user_expired: _("This account is expired"),
+    reason_backend_not_match: _("Auth backend not match"),
+    reason_acl_not_allow: _("ACL is not allowed"),
+    only_local_users_are_allowed: _("Only local users are allowed")
+}
+old_reason_choices = {
+    '0': '-',
+    '1': reason_choices[reason_password_failed],
+    '2': reason_choices[reason_mfa_failed],
+    '3': reason_choices[reason_user_not_exist],
+    '4': reason_choices[reason_password_expired],
+}
+
+session_empty_msg = _("No session found, check your cookie")
+invalid_login_msg = _(
+    "The username or password you entered is incorrect, "
+    "please enter it again. "
+    "You can also try {times_try} times "
+    "(The account will be temporarily locked for {block_time} minutes)"
+)
+block_user_login_msg = _(
+    "The account has been locked "
+    "(please contact admin to unlock it or try again after {} minutes)"
+)
+block_ip_login_msg = _(
+    "The ip has been locked "
+    "(please contact admin to unlock it or try again after {} minutes)"
+)
+block_mfa_msg = _(
+    "The account has been locked "
+    "(please contact admin to unlock it or try again after {} minutes)"
+)
+mfa_error_msg = _(
+    "{error}, "
+    "You can also try {times_try} times "
+    "(The account will be temporarily locked for {block_time} minutes)"
+)
+mfa_required_msg = _("MFA required")
+mfa_unset_msg = _("MFA not set, please set it first")
+login_confirm_required_msg = _("Login confirm required")
+login_confirm_wait_msg = _("Wait login confirm ticket for accept")
+login_confirm_error_msg = _("Login confirm ticket was {}")
--- a/apps/authentication/errors/failed.py
+++ b/apps/authentication/errors/failed.py
@@ -0,0 +1,167 @@
+# -*- coding: utf-8 -*-
+#
+from django.utils.translation import ugettext_lazy as _
+from django.conf import settings
+
+from users.utils import LoginBlockUtil, MFABlockUtils, LoginIpBlockUtil
+from ..signals import post_auth_failed
+from . import const
+
+
+class AuthFailedNeedLogMixin:
+    username = ''
+    request = None
+    error = ''
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        post_auth_failed.send(
+            sender=self.__class__, username=self.username,
+            request=self.request, reason=self.error
+        )
+
+
+class AuthFailedNeedBlockMixin:
+    username = ''
+    ip = ''
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        LoginBlockUtil(self.username, self.ip).incr_failed_count()
+
+
+class AuthFailedError(Exception):
+    username = ''
+    msg = ''
+    error = ''
+    request = None
+    ip = ''
+
+    def __init__(self, **kwargs):
+        for k, v in kwargs.items():
+            setattr(self, k, v)
+
+    def as_data(self):
+        return {
+            'error': self.error,
+            'msg': self.msg,
+        }
+
+    def __str__(self):
+        return str(self.msg)
+
+
+class BlockGlobalIpLoginError(AuthFailedError):
+    error = 'block_global_ip_login'
+
+    def __init__(self, username, ip, **kwargs):
+        self.msg = const.block_ip_login_msg.format(settings.SECURITY_LOGIN_IP_LIMIT_TIME)
+        LoginIpBlockUtil(ip).set_block_if_need()
+        super().__init__(username=username, ip=ip, **kwargs)
+
+
+class CredentialError(
+    AuthFailedNeedLogMixin, AuthFailedNeedBlockMixin,
+    BlockGlobalIpLoginError, AuthFailedError
+):
+    def __init__(self, error, username, ip, request):
+        super().__init__(error=error, username=username, ip=ip, request=request)
+        util = LoginBlockUtil(username, ip)
+        times_remainder = util.get_remainder_times()
+        block_time = settings.SECURITY_LOGIN_LIMIT_TIME
+
+        if times_remainder < 1:
+            self.msg = const.block_user_login_msg.format(settings.SECURITY_LOGIN_LIMIT_TIME)
+            return
+
+        default_msg = const.invalid_login_msg.format(
+            times_try=times_remainder, block_time=block_time
+        )
+        if error == const.reason_password_failed:
+            self.msg = default_msg
+        else:
+            self.msg = const.reason_choices.get(error, default_msg)
+
+
+class MFAFailedError(AuthFailedNeedLogMixin, AuthFailedError):
+    error = const.reason_mfa_failed
+    msg: str
+
+    def __init__(self, username, request, ip, mfa_type, error):
+        super().__init__(username=username, request=request)
+
+        util = MFABlockUtils(username, ip)
+        times_remainder = util.incr_failed_count()
+        block_time = settings.SECURITY_LOGIN_LIMIT_TIME
+
+        if times_remainder:
+            self.msg = const.mfa_error_msg.format(
+                error=error, times_try=times_remainder, block_time=block_time
+            )
+        else:
+            self.msg = const.block_mfa_msg.format(settings.SECURITY_LOGIN_LIMIT_TIME)
+
+
+class BlockMFAError(AuthFailedNeedLogMixin, AuthFailedError):
+    error = 'block_mfa'
+
+    def __init__(self, username, request, ip):
+        self.msg = const.block_mfa_msg.format(settings.SECURITY_LOGIN_LIMIT_TIME)
+        super().__init__(username=username, request=request, ip=ip)
+
+
+class BlockLoginError(AuthFailedNeedBlockMixin, AuthFailedError):
+    error = 'block_login'
+
+    def __init__(self, username, ip):
+        self.msg = const.block_user_login_msg.format(settings.SECURITY_LOGIN_LIMIT_TIME)
+        super().__init__(username=username, ip=ip)
+
+
+class SessionEmptyError(AuthFailedError):
+    msg = const.session_empty_msg
+    error = 'session_empty'
+
+
+class ACLError(AuthFailedNeedLogMixin, AuthFailedError):
+    msg = const.reason_acl_not_allow
+    error = 'acl_error'
+
+    def __init__(self, msg, **kwargs):
+        self.msg = msg
+        super().__init__(**kwargs)
+
+    def as_data(self):
+        return {
+            "error": const.reason_acl_not_allow,
+            "msg": self.msg
+        }
+
+
+class LoginIPNotAllowed(ACLError):
+    def __init__(self, username, request, **kwargs):
+        self.username = username
+        self.request = request
+        super().__init__(_("IP is not allowed"), **kwargs)
+
+
+class TimePeriodNotAllowed(ACLError):
+    def __init__(self, username, request, **kwargs):
+        self.username = username
+        self.request = request
+        super().__init__(_("Time Period is not allowed"), **kwargs)
+
+
+class MFACodeRequiredError(AuthFailedError):
+    error = 'mfa_code_required'
+    msg = _("Please enter MFA code")
+
+
+class SMSCodeRequiredError(AuthFailedError):
+    error = 'sms_code_required'
+    msg = _("Please enter SMS code")
+
+
+class UserPhoneNotSet(AuthFailedError):
+    error = 'phone_not_set'
+    msg = _('Phone not set')
--- a/apps/authentication/errors/mfa.py
+++ b/apps/authentication/errors/mfa.py
@@ -0,0 +1,38 @@
+from django.utils.translation import ugettext_lazy as _
+
+from common.exceptions import JMSException
+
+
+class SSOAuthClosed(JMSException):
+    default_code = 'sso_auth_closed'
+    default_detail = _('SSO auth closed')
+
+
+class WeComCodeInvalid(JMSException):
+    default_code = 'wecom_code_invalid'
+    default_detail = 'Code invalid, can not get user info'
+
+
+class WeComBindAlready(JMSException):
+    default_code = 'wecom_not_bound'
+    default_detail = _('WeCom is already bound')
+
+
+class WeComNotBound(JMSException):
+    default_code = 'wecom_not_bound'
+    default_detail = _('WeCom is not bound')
+
+
+class DingTalkNotBound(JMSException):
+    default_code = 'dingtalk_not_bound'
+    default_detail = _('DingTalk is not bound')
+
+
+class FeiShuNotBound(JMSException):
+    default_code = 'feishu_not_bound'
+    default_detail = _('FeiShu is not bound')
+
+
+class PasswordInvalid(JMSException):
+    default_code = 'passwd_invalid'
+    default_detail = _('Your password is invalid')
--- a/apps/authentication/errors/redirect.py
+++ b/apps/authentication/errors/redirect.py
@@ -0,0 +1,106 @@
+from django.utils.translation import ugettext_lazy as _
+from django.urls import reverse
+
+from common.exceptions import JMSException
+from . import const
+
+
+class NeedMoreInfoError(Exception):
+    error = ''
+    msg = ''
+
+    def __init__(self, error='', msg=''):
+        if error:
+            self.error = error
+        if msg:
+            self.msg = msg
+
+    def as_data(self):
+        return {
+            'error': self.error,
+            'msg': self.msg,
+        }
+
+
+class NeedRedirectError(JMSException):
+    def __init__(self, url, *args, **kwargs):
+        self.url = url
+
+
+class MFARequiredError(NeedMoreInfoError):
+    msg = const.mfa_required_msg
+    error = 'mfa_required'
+
+    def __init__(self, error='', msg='', mfa_types=()):
+        super().__init__(error=error, msg=msg)
+        self.choices = mfa_types
+
+    def as_data(self):
+        return {
+            'error': self.error,
+            'msg': self.msg,
+            'data': {
+                'choices': self.choices,
+                'url': reverse('api-auth:mfa-challenge')
+            }
+        }
+
+
+class LoginConfirmBaseError(NeedMoreInfoError):
+    def __init__(self, ticket_id, **kwargs):
+        self.ticket_id = ticket_id
+        super().__init__(**kwargs)
+
+    def as_data(self):
+        return {
+            "error": self.error,
+            "msg": self.msg,
+            "data": {
+                "ticket_id": self.ticket_id
+            }
+        }
+
+
+class LoginConfirmWaitError(LoginConfirmBaseError):
+    msg = const.login_confirm_wait_msg
+    error = 'login_confirm_wait'
+
+
+class LoginConfirmOtherError(LoginConfirmBaseError):
+    error = 'login_confirm_error'
+
+    def __init__(self, ticket_id, status):
+        msg = const.login_confirm_error_msg.format(status)
+        super().__init__(ticket_id=ticket_id, msg=msg)
+
+
+class PasswordTooSimple(NeedRedirectError):
+    default_code = 'passwd_too_simple'
+    default_detail = _('Your password is too simple, please change it for security')
+
+    def __init__(self, url, *args, **kwargs):
+        super().__init__(url, *args, **kwargs)
+
+
+class PasswordNeedUpdate(NeedRedirectError):
+    default_code = 'passwd_need_update'
+    default_detail = _('You should to change your password before login')
+
+    def __init__(self, url, *args, **kwargs):
+        super().__init__(url, *args, **kwargs)
+
+
+class PasswordRequireResetError(NeedRedirectError):
+    default_code = 'passwd_has_expired'
+    default_detail = _('Your password has expired, please reset before logging in')
+
+    def __init__(self, url, *args, **kwargs):
+        super().__init__(url, *args, **kwargs)
+
+
+class MFAUnsetError(NeedRedirectError):
+    error = const.reason_mfa_unset
+    msg = const.mfa_unset_msg
+
+    def __init__(self, url, *args, **kwargs):
+        super().__init__(url, *args, **kwargs)
--- a/apps/authentication/middleware.py
+++ b/apps/authentication/middleware.py
@@ -46,6 +46,8 @@ class SessionCookieMiddleware(MiddlewareMixin):

    @staticmethod
    def set_cookie_public_key(request, response):
+        if request.path.startswith('/api'):
+            return
        pub_key_name = settings.SESSION_RSA_PUBLIC_KEY_NAME
        public_key = request.session.get(pub_key_name)
        cookie_key = request.COOKIES.get(pub_key_name)
--- a/apps/authentication/migrations/0011_auto_20220705_1940.py
+++ b/apps/authentication/migrations/0011_auto_20220705_1940.py
@@ -0,0 +1,89 @@
+# Generated by Django 3.2.12 on 2022-07-05 11:40
+
+import authentication.models
+from django.conf import settings
+from django.db import migrations, models
+import django.db.models.deletion
+import uuid
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('applications', '0021_auto_20220629_1826'),
+        ('assets', '0091_auto_20220629_1826'),
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+        ('authentication', '0010_temptoken'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='connectiontoken',
+            name='application',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='connection_tokens', to='applications.application', verbose_name='Application'),
+        ),
+        migrations.AddField(
+            model_name='connectiontoken',
+            name='application_display',
+            field=models.CharField(default='', max_length=128, verbose_name='Application display'),
+        ),
+        migrations.AddField(
+            model_name='connectiontoken',
+            name='asset',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='connection_tokens', to='assets.asset', verbose_name='Asset'),
+        ),
+        migrations.AddField(
+            model_name='connectiontoken',
+            name='asset_display',
+            field=models.CharField(default='', max_length=128, verbose_name='Asset display'),
+        ),
+        migrations.AddField(
+            model_name='connectiontoken',
+            name='date_expired',
+            field=models.DateTimeField(default=authentication.models.date_expired_default, verbose_name='Date expired'),
+        ),
+        migrations.AddField(
+            model_name='connectiontoken',
+            name='org_id',
+            field=models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization'),
+        ),
+        migrations.AddField(
+            model_name='connectiontoken',
+            name='secret',
+            field=models.CharField(default='', max_length=64, verbose_name='Secret'),
+        ),
+        migrations.AddField(
+            model_name='connectiontoken',
+            name='system_user',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='connection_tokens', to='assets.systemuser', verbose_name='System user'),
+        ),
+        migrations.AddField(
+            model_name='connectiontoken',
+            name='system_user_display',
+            field=models.CharField(default='', max_length=128, verbose_name='System user display'),
+        ),
+        migrations.AddField(
+            model_name='connectiontoken',
+            name='type',
+            field=models.CharField(choices=[('asset', 'Asset'), ('application', 'Application')], default='asset', max_length=16, verbose_name='Type'),
+        ),
+        migrations.AddField(
+            model_name='connectiontoken',
+            name='user',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='connection_tokens', to=settings.AUTH_USER_MODEL, verbose_name='User'),
+        ),
+        migrations.AddField(
+            model_name='connectiontoken',
+            name='user_display',
+            field=models.CharField(default='', max_length=128, verbose_name='User display'),
+        ),
+        migrations.AlterField(
+            model_name='connectiontoken',
+            name='id',
+            field=models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False),
+        ),
+        migrations.AlterModelOptions(
+            name='connectiontoken',
+            options={'ordering': ('-date_expired',), 'permissions': [('view_connectiontokensecret', 'Can view connection token secret')], 'verbose_name': 'Connection token'},
+        ),
+    ]
--- a/apps/authentication/mixins.py
+++ b/apps/authentication/mixins.py
@@ -193,8 +193,8 @@ class MFAMixin:
    def _check_if_no_active_mfa(self, user):
        active_mfa_mapper = user.active_mfa_backends_mapper
        if not active_mfa_mapper:
-            url = reverse('authentication:user-otp-enable-start')
-            raise errors.MFAUnsetError(user, self.request, url)
+            set_url = reverse('authentication:user-otp-enable-start')
+            raise errors.MFAUnsetError(set_url, user, self.request)

    def _check_login_page_mfa_if_need(self, user):
        if not settings.SECURITY_MFA_IN_LOGIN_PAGE:
@@ -337,18 +337,18 @@ class AuthACLMixin:
            raise errors.TimePeriodNotAllowed(username=user.username, request=self.request)

    def get_ticket(self):
-        from tickets.models import Ticket
+        from tickets.models import ApplyLoginTicket
        ticket_id = self.request.session.get("auth_ticket_id")
        logger.debug('Login confirm ticket id: {}'.format(ticket_id))
        if not ticket_id:
            ticket = None
        else:
-            ticket = Ticket.all().filter(id=ticket_id).first()
+            ticket = ApplyLoginTicket.all().filter(id=ticket_id).first()
        return ticket

    def get_ticket_or_create(self, confirm_setting):
        ticket = self.get_ticket()
-        if not ticket or ticket.status_closed:
+        if not ticket or ticket.is_status(ticket.Status.closed):
            ticket = confirm_setting.create_confirm_ticket(self.request)
            self.request.session['auth_ticket_id'] = str(ticket.id)
        return ticket
@@ -357,16 +357,17 @@ class AuthACLMixin:
        ticket = self.get_ticket()
        if not ticket:
            raise errors.LoginConfirmOtherError('', "Not found")
-        if ticket.status_open:
+
+        if ticket.is_status(ticket.Status.open):
            raise errors.LoginConfirmWaitError(ticket.id)
-        elif ticket.state_approve:
+        elif ticket.is_state(ticket.State.approved):
            self.request.session["auth_confirm"] = "1"
            return
-        elif ticket.state_reject:
+        elif ticket.is_state(ticket.State.rejected):
            raise errors.LoginConfirmOtherError(
                ticket.id, ticket.get_state_display()
            )
-        elif ticket.state_close:
+        elif ticket.is_state(ticket.State.closed):
            raise errors.LoginConfirmOtherError(
                ticket.id, ticket.get_state_display()
            )
@@ -442,13 +443,15 @@ class AuthMixin(CommonMixin, AuthPreCheckMixin, AuthACLMixin, MFAMixin, AuthPost
        LoginIpBlockUtil(ip).clean_block_if_need()
        return user

-    def mark_password_ok(self, user, auto_login=False):
+    def mark_password_ok(self, user, auto_login=False, auth_backend=None):
        request = self.request
        request.session['auth_password'] = 1
        request.session['auth_password_expired_at'] = time.time() + settings.AUTH_EXPIRED_SECONDS
        request.session['user_id'] = str(user.id)
        request.session['auto_login'] = auto_login
-        request.session['auth_backend'] = getattr(user, 'backend', settings.AUTH_BACKEND_MODEL)
+        if not auth_backend:
+            auth_backend = getattr(user, 'backend', settings.AUTH_BACKEND_MODEL)
+        request.session['auth_backend'] = auth_backend

    def check_oauth2_auth(self, user: User, auth_backend):
        ip = self.get_request_ip()
@@ -468,7 +471,7 @@ class AuthMixin(CommonMixin, AuthPreCheckMixin, AuthACLMixin, MFAMixin, AuthPost
        LoginIpBlockUtil(ip).clean_block_if_need()
        MFABlockUtils(user.username, ip).clean_failed_count()

-        self.mark_password_ok(user, False)
+        self.mark_password_ok(user, False, auth_backend)
        return user

    def get_user_or_auth(self, valid_data):
--- a/apps/authentication/models.py
+++ b/apps/authentication/models.py
@@ -1,11 +1,14 @@
 import uuid
-
+from datetime import datetime, timedelta
 from django.utils import timezone
 from django.utils.translation import ugettext_lazy as _
 from django.conf import settings
 from rest_framework.authtoken.models import Token
+from orgs.mixins.models import OrgModelMixin

 from common.db import models
+from common.utils import lazyproperty
+from common.utils.timezone import as_current_tz


 class AccessKey(models.Model):
@@ -54,16 +57,204 @@ class SSOToken(models.JMSBaseModel):
        verbose_name = _('SSO token')


-class ConnectionToken(models.JMSBaseModel):
-    # Todo: 未来可能放到这里，不记录到 redis 了，虽然方便，但是不易于审计
-    # Todo: add connection token 可能要授权给 普通用户, 或者放开就行
+def date_expired_default():
+    return timezone.now() + timedelta(seconds=settings.CONNECTION_TOKEN_EXPIRATION)
+
+
+class ConnectionToken(OrgModelMixin, models.JMSModel):
+    class Type(models.TextChoices):
+        asset = 'asset', _('Asset')
+        application = 'application', _('Application')
+
+    type = models.CharField(
+        max_length=16, default=Type.asset, choices=Type.choices, verbose_name=_("Type")
+    )
+    secret = models.CharField(max_length=64, default='', verbose_name=_("Secret"))
+    date_expired = models.DateTimeField(
+        default=date_expired_default, verbose_name=_("Date expired")
+    )
+
+    user = models.ForeignKey(
+        'users.User', on_delete=models.SET_NULL, verbose_name=_('User'),
+        related_name='connection_tokens', null=True, blank=True
+    )
+    user_display = models.CharField(max_length=128, default='', verbose_name=_("User display"))
+    system_user = models.ForeignKey(
+        'assets.SystemUser', on_delete=models.SET_NULL, verbose_name=_('System user'),
+        related_name='connection_tokens', null=True, blank=True
+    )
+    system_user_display = models.CharField(
+        max_length=128, default='', verbose_name=_("System user display")
+    )
+    asset = models.ForeignKey(
+        'assets.Asset', on_delete=models.SET_NULL, verbose_name=_('Asset'),
+        related_name='connection_tokens', null=True, blank=True
+    )
+    asset_display = models.CharField(max_length=128, default='', verbose_name=_("Asset display"))
+    application = models.ForeignKey(
+        'applications.Application', on_delete=models.SET_NULL, verbose_name=_('Application'),
+        related_name='connection_tokens', null=True, blank=True
+    )
+    application_display = models.CharField(
+        max_length=128, default='', verbose_name=_("Application display")
+    )

    class Meta:
+        ordering = ('-date_expired',)
        verbose_name = _('Connection token')
        permissions = [
            ('view_connectiontokensecret', _('Can view connection token secret'))
        ]

+    @classmethod
+    def get_default_date_expired(cls):
+        return date_expired_default()
+
+    @property
+    def is_expired(self):
+        return self.date_expired < timezone.now()
+
+    @property
+    def expire_time(self):
+        interval = self.date_expired - timezone.now()
+        seconds = interval.total_seconds()
+        if seconds < 0:
+            seconds = 0
+        return int(seconds)
+
+    def expire(self):
+        self.date_expired = timezone.now()
+        self.save()
+
+    @property
+    def is_valid(self):
+        return not self.is_expired
+
+    def is_type(self, tp):
+        return self.type == tp
+
+    def renewal(self):
+        """ 续期 Token，将来支持用户自定义创建 token 后，续期策略要修改 """
+        self.date_expired = self.get_default_date_expired()
+        self.save()
+
+    actions = expired_at = None  # actions 和 expired_at 在 check_valid() 中赋值
+
+    def check_valid(self):
+        from perms.utils.asset.permission import validate_permission as asset_validate_permission
+        from perms.utils.application.permission import validate_permission as app_validate_permission
+
+        if self.is_expired:
+            is_valid = False
+            error = _('Connection token expired at: {}').format(as_current_tz(self.date_expired))
+            return is_valid, error
+
+        if not self.user:
+            is_valid = False
+            error = _('User not exists')
+            return is_valid, error
+        if not self.user.is_valid:
+            is_valid = False
+            error = _('User invalid, disabled or expired')
+            return is_valid, error
+
+        if not self.system_user:
+            is_valid = False
+            error = _('System user not exists')
+            return is_valid, error
+
+        if self.is_type(self.Type.asset):
+            if not self.asset:
+                is_valid = False
+                error = _('Asset not exists')
+                return is_valid, error
+            if not self.asset.is_active:
+                is_valid = False
+                error = _('Asset inactive')
+                return is_valid, error
+            has_perm, actions, expired_at = asset_validate_permission(
+                self.user, self.asset, self.system_user
+            )
+            if not has_perm:
+                is_valid = False
+                error = _('User has no permission to access asset or permission expired')
+                return is_valid, error
+            self.actions = actions
+            self.expired_at = expired_at
+
+        elif self.is_type(self.Type.application):
+            if not self.application:
+                is_valid = False
+                error = _('Application not exists')
+                return is_valid, error
+            has_perm, actions, expired_at = app_validate_permission(
+                self.user, self.application, self.system_user
+            )
+            if not has_perm:
+                is_valid = False
+                error = _('User has no permission to access application or permission expired')
+                return is_valid, error
+            self.actions = actions
+            self.expired_at = expired_at
+
+        return True, ''
+
+    @lazyproperty
+    def domain(self):
+        if self.asset:
+            return self.asset.domain
+        if not self.application:
+            return
+        if self.application.category_remote_app:
+            asset = self.application.get_remote_app_asset()
+            domain = asset.domain if asset else None
+        else:
+            domain = self.application.domain
+        return domain
+
+    @lazyproperty
+    def gateway(self):
+        from assets.models import Domain
+        if not self.domain:
+            return
+        self.domain: Domain
+        return self.domain.random_gateway()
+
+    @lazyproperty
+    def remote_app(self):
+        if not self.application:
+            return {}
+        if not self.application.category_remote_app:
+            return {}
+        return self.application.get_rdp_remote_app_setting()
+
+    @lazyproperty
+    def asset_or_remote_app_asset(self):
+        if self.asset:
+            return self.asset
+        if self.application and self.application.category_remote_app:
+            return self.application.get_remote_app_asset()
+
+    @lazyproperty
+    def cmd_filter_rules(self):
+        from assets.models import CommandFilterRule
+        kwargs = {
+            'user_id': self.user.id,
+            'system_user_id': self.system_user.id,
+        }
+        if self.asset:
+            kwargs['asset_id'] = self.asset.id
+        elif self.application:
+            kwargs['application_id'] = self.application_id
+        rules = CommandFilterRule.get_queryset(**kwargs)
+        return rules
+
+    def load_system_user_auth(self):
+        if self.asset:
+            self.system_user.load_asset_more_auth(self.asset.id, self.user.username, self.user.id)
+        elif self.application:
+            self.system_user.load_app_more_auth(self.application.id, self.user.username, self.user.id)
+

 class TempToken(models.JMSModel):
    username = models.CharField(max_length=128, verbose_name=_("Username"))
--- a/apps/authentication/serializers/init.py
+++ b/apps/authentication/serializers/init.py
@@ -1,3 +1,4 @@
 from .token import *
-from .connect_token import *
+from .connection_token import *
 from .password_mfa import *
+from .confirm import *
--- a/apps/authentication/serializers/confirm.py
+++ b/apps/authentication/serializers/confirm.py
@@ -0,0 +1,10 @@
+from rest_framework import serializers
+
+from common.drf.fields import EncryptedField
+from ..const import ConfirmType, MFAType
+
+
+class ConfirmSerializer(serializers.Serializer):
+    confirm_type = serializers.ChoiceField(required=True, allow_blank=True, choices=ConfirmType.choices)
+    mfa_type = serializers.ChoiceField(required=False, allow_blank=True, choices=MFAType.choices)
+    secret_key = EncryptedField(allow_blank=True)
--- a/apps/authentication/serializers/connect_token.py
+++ b/apps/authentication/serializers/connect_token.py
@@ -1,143 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-from rest_framework import serializers
-
-from users.models import User
-from assets.models import Asset, SystemUser, Gateway, Domain, CommandFilterRule
-from applications.models import Application
-from assets.serializers import ProtocolsField
-from perms.serializers.base import ActionsField
-
-__all__ = [
-    'ConnectionTokenSerializer', 'ConnectionTokenApplicationSerializer',
-    'ConnectionTokenUserSerializer', 'ConnectionTokenFilterRuleSerializer',
-    'ConnectionTokenAssetSerializer', 'ConnectionTokenSystemUserSerializer',
-    'ConnectionTokenDomainSerializer', 'ConnectionTokenRemoteAppSerializer',
-    'ConnectionTokenGatewaySerializer', 'ConnectionTokenSecretSerializer',
-    'SuperConnectionTokenSerializer'
-]
-
-
-class ConnectionTokenSerializer(serializers.Serializer):
-    system_user = serializers.CharField(max_length=128, required=True)
-    asset = serializers.CharField(max_length=128, required=False)
-    application = serializers.CharField(max_length=128, required=False)
-
-    @staticmethod
-    def validate_system_user(system_user_id):
-        from assets.models import SystemUser
-        system_user = SystemUser.objects.filter(id=system_user_id).first()
-        if system_user is None:
-            raise serializers.ValidationError('system_user id not exist')
-        return system_user
-
-    @staticmethod
-    def validate_asset(asset_id):
-        from assets.models import Asset
-        asset = Asset.objects.filter(id=asset_id).first()
-        if asset is None:
-            raise serializers.ValidationError('asset id not exist')
-        return asset
-
-    @staticmethod
-    def validate_application(app_id):
-        from applications.models import Application
-        app = Application.objects.filter(id=app_id).first()
-        if app is None:
-            raise serializers.ValidationError('app id not exist')
-        return app
-
-    def validate(self, attrs):
-        asset = attrs.get('asset')
-        application = attrs.get('application')
-        if not asset and not application:
-            raise serializers.ValidationError('asset or application required')
-        if asset and application:
-            raise serializers.ValidationError('asset and application should only one')
-        return super().validate(attrs)
-
-
-class SuperConnectionTokenSerializer(ConnectionTokenSerializer):
-    user = serializers.CharField(max_length=128, required=False, allow_blank=True)
-
-    @staticmethod
-    def validate_user(user_id):
-        from users.models import User
-        user = User.objects.filter(id=user_id).first()
-        if user is None:
-            raise serializers.ValidationError('user id not exist')
-        return user
-
-
-class ConnectionTokenUserSerializer(serializers.ModelSerializer):
-    class Meta:
-        model = User
-        fields = ['id', 'name', 'username', 'email']
-
-
-class ConnectionTokenAssetSerializer(serializers.ModelSerializer):
-    protocols = ProtocolsField(label='Protocols', read_only=True)
-
-    class Meta:
-        model = Asset
-        fields = ['id', 'hostname', 'ip', 'protocols', 'org_id']
-
-
-class ConnectionTokenSystemUserSerializer(serializers.ModelSerializer):
-    class Meta:
-        model = SystemUser
-        fields = ['id', 'name', 'username', 'password', 'private_key', 'protocol', 'ad_domain', 'org_id']
-
-
-class ConnectionTokenGatewaySerializer(serializers.ModelSerializer):
-    class Meta:
-        model = Gateway
-        fields = ['id', 'ip', 'port', 'username', 'password', 'private_key']
-
-
-class ConnectionTokenRemoteAppSerializer(serializers.Serializer):
-    program = serializers.CharField()
-    working_directory = serializers.CharField()
-    parameters = serializers.CharField()
-
-
-class ConnectionTokenApplicationSerializer(serializers.ModelSerializer):
-    attrs = serializers.JSONField(read_only=True)
-
-    class Meta:
-        model = Application
-        fields = ['id', 'name', 'category', 'type', 'attrs', 'org_id']
-
-
-class ConnectionTokenDomainSerializer(serializers.ModelSerializer):
-    gateways = ConnectionTokenGatewaySerializer(many=True, read_only=True)
-
-    class Meta:
-        model = Domain
-        fields = ['id', 'name', 'gateways']
-
-
-class ConnectionTokenFilterRuleSerializer(serializers.ModelSerializer):
-    class Meta:
-        model = CommandFilterRule
-        fields = [
-            'id', 'type', 'content', 'ignore_case', 'pattern',
-            'priority', 'action',
-            'date_created',
-        ]
-
-
-class ConnectionTokenSecretSerializer(serializers.Serializer):
-    id = serializers.CharField(read_only=True)
-    secret = serializers.CharField(read_only=True)
-    type = serializers.ChoiceField(choices=[('application', 'Application'), ('asset', 'Asset')])
-    user = ConnectionTokenUserSerializer(read_only=True)
-    asset = ConnectionTokenAssetSerializer(read_only=True)
-    remote_app = ConnectionTokenRemoteAppSerializer(read_only=True)
-    application = ConnectionTokenApplicationSerializer(read_only=True)
-    system_user = ConnectionTokenSystemUserSerializer(read_only=True)
-    cmd_filter_rules = ConnectionTokenFilterRuleSerializer(many=True)
-    domain = ConnectionTokenDomainSerializer(read_only=True)
-    gateway = ConnectionTokenGatewaySerializer(read_only=True)
-    actions = ActionsField()
-    expired_at = serializers.IntegerField()
--- a/apps/authentication/serializers/connection_token.py
+++ b/apps/authentication/serializers/connection_token.py
@@ -0,0 +1,194 @@
+from rest_framework import serializers
+
+from django.utils.translation import ugettext_lazy as _
+from orgs.mixins.serializers import OrgResourceModelSerializerMixin
+from authentication.models import ConnectionToken
+from common.utils import pretty_string
+from common.utils.random import random_string
+from assets.models import Asset, SystemUser, Gateway, Domain, CommandFilterRule
+from users.models import User
+from applications.models import Application
+from assets.serializers import ProtocolsField
+from perms.serializers.base import ActionsField
+
+
+__all__ = [
+    'ConnectionTokenSerializer', 'ConnectionTokenSecretSerializer',
+    'SuperConnectionTokenSerializer', 'ConnectionTokenDisplaySerializer'
+]
+
+
+class ConnectionTokenSerializer(OrgResourceModelSerializerMixin):
+    type_display = serializers.ReadOnlyField(source='get_type_display', label=_("Type display"))
+    is_valid = serializers.BooleanField(read_only=True, label=_('Validity'))
+    expire_time = serializers.IntegerField(read_only=True, label=_('Expired time'))
+
+    class Meta:
+        model = ConnectionToken
+        fields_mini = ['id', 'type']
+        fields_small = fields_mini + [
+            'secret', 'date_expired', 'date_created', 'date_updated',
+            'created_by', 'updated_by', 'org_id', 'org_name',
+        ]
+        fields_fk = [
+            'user', 'system_user', 'asset', 'application',
+        ]
+        read_only_fields = [
+            # 普通 Token 不支持指定 user
+            'user', 'is_valid', 'expire_time',
+            'type_display', 'user_display', 'system_user_display',
+            'asset_display', 'application_display',
+        ]
+        fields = fields_small + fields_fk + read_only_fields
+
+    def validate(self, attrs):
+        fields_attrs = self.construct_internal_fields_attrs(attrs)
+        attrs.update(fields_attrs)
+        return attrs
+
+    @property
+    def request_user(self):
+        request = self.context.get('request')
+        if request:
+            return request.user
+
+    def get_user(self, attrs):
+        return self.request_user
+
+    def construct_internal_fields_attrs(self, attrs):
+        user = self.get_user(attrs)
+        system_user = attrs.get('system_user') or ''
+        asset = attrs.get('asset') or ''
+        application = attrs.get('application') or ''
+        secret = attrs.get('secret') or random_string(16)
+        date_expired = attrs.get('date_expired') or ConnectionToken.get_default_date_expired()
+
+        if isinstance(asset, Asset):
+            tp = ConnectionToken.Type.asset
+            org_id = asset.org_id
+        elif isinstance(application, Application):
+            tp = ConnectionToken.Type.application
+            org_id = application.org_id
+        else:
+            raise serializers.ValidationError(_('Asset or application required'))
+
+        return {
+            'type': tp,
+            'user': user,
+            'secret': secret,
+            'date_expired': date_expired,
+            'user_display': pretty_string(str(user), max_length=128),
+            'system_user_display': pretty_string(str(system_user), max_length=128),
+            'asset_display': pretty_string(str(asset), max_length=128),
+            'application_display': pretty_string(str(application), max_length=128),
+            'org_id': org_id,
+        }
+
+
+class ConnectionTokenDisplaySerializer(ConnectionTokenSerializer):
+    class Meta(ConnectionTokenSerializer.Meta):
+        extra_kwargs = {
+            'secret': {'write_only': True},
+        }
+
+
+#
+# SuperConnectionTokenSerializer
+#
+
+
+class SuperConnectionTokenSerializer(ConnectionTokenSerializer):
+
+    class Meta(ConnectionTokenSerializer.Meta):
+        read_only_fields = [
+            'validity', 'user_display', 'system_user_display',
+            'asset_display', 'application_display',
+        ]
+
+    def get_user(self, attrs):
+        return attrs.get('user') or self.request_user
+
+
+#
+# Connection Token Secret
+#
+
+
+class ConnectionTokenUserSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = User
+        fields = ['id', 'name', 'username', 'email']
+
+
+class ConnectionTokenAssetSerializer(serializers.ModelSerializer):
+    protocols = ProtocolsField(label='Protocols', read_only=True)
+
+    class Meta:
+        model = Asset
+        fields = ['id', 'hostname', 'ip', 'protocols', 'org_id']
+
+
+class ConnectionTokenSystemUserSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = SystemUser
+        fields = [
+            'id', 'name', 'username', 'password', 'private_key',
+            'protocol', 'ad_domain', 'org_id'
+        ]
+
+
+class ConnectionTokenGatewaySerializer(serializers.ModelSerializer):
+    class Meta:
+        model = Gateway
+        fields = ['id', 'ip', 'port', 'username', 'password', 'private_key']
+
+
+class ConnectionTokenRemoteAppSerializer(serializers.Serializer):
+    program = serializers.CharField(allow_null=True, allow_blank=True)
+    working_directory = serializers.CharField(allow_null=True, allow_blank=True)
+    parameters = serializers.CharField(allow_null=True, allow_blank=True)
+
+
+class ConnectionTokenApplicationSerializer(serializers.ModelSerializer):
+    attrs = serializers.JSONField(read_only=True)
+
+    class Meta:
+        model = Application
+        fields = ['id', 'name', 'category', 'type', 'attrs', 'org_id']
+
+
+class ConnectionTokenDomainSerializer(serializers.ModelSerializer):
+    gateways = ConnectionTokenGatewaySerializer(many=True, read_only=True)
+
+    class Meta:
+        model = Domain
+        fields = ['id', 'name', 'gateways']
+
+
+class ConnectionTokenCmdFilterRuleSerializer(serializers.ModelSerializer):
+    class Meta:
+        model = CommandFilterRule
+        fields = [
+            'id', 'type', 'content', 'ignore_case', 'pattern',
+            'priority', 'action', 'date_created',
+        ]
+
+
+class ConnectionTokenSecretSerializer(OrgResourceModelSerializerMixin):
+    user = ConnectionTokenUserSerializer(read_only=True)
+    asset = ConnectionTokenAssetSerializer(read_only=True, source='asset_or_remote_app_asset')
+    application = ConnectionTokenApplicationSerializer(read_only=True)
+    remote_app = ConnectionTokenRemoteAppSerializer(read_only=True)
+    system_user = ConnectionTokenSystemUserSerializer(read_only=True)
+    gateway = ConnectionTokenGatewaySerializer(read_only=True)
+    domain = ConnectionTokenDomainSerializer(read_only=True)
+    cmd_filter_rules = ConnectionTokenCmdFilterRuleSerializer(many=True)
+    actions = ActionsField()
+    expired_at = serializers.IntegerField()
+
+    class Meta:
+        model = ConnectionToken
+        fields = [
+            'id', 'secret', 'type', 'user', 'asset', 'application', 'system_user',
+            'remote_app', 'cmd_filter_rules', 'domain', 'gateway', 'actions', 'expired_at',
+        ]
--- a/apps/authentication/serializers/password_mfa.py
+++ b/apps/authentication/serializers/password_mfa.py
@@ -4,9 +4,8 @@ from rest_framework import serializers

 from common.drf.fields import EncryptedField

-
 __all__ = [
-    'OtpVerifySerializer', 'MFAChallengeSerializer', 'MFASelectTypeSerializer',
+    'MFAChallengeSerializer', 'MFASelectTypeSerializer',
    'PasswordVerifySerializer',
 ]

@@ -29,7 +28,3 @@ class MFAChallengeSerializer(serializers.Serializer):

    def update(self, instance, validated_data):
        pass
-
-
-class OtpVerifySerializer(serializers.Serializer):
-    code = serializers.CharField(max_length=6, min_length=6)
--- a/apps/authentication/templates/authentication/login.html
+++ b/apps/authentication/templates/authentication/login.html
@@ -5,16 +5,16 @@
 <html>
 <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
-    <link rel="shortcut icon" href="{{ FAVICON_URL }}" type="image/x-icon">
+    <link rel="shortcut icon" href="{{ INTERFACE.favicon }}" type="image/x-icon">
    <title>
-        {{ JMS_TITLE }}
+        {{ INTERFACE.login_title }}
    </title>
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    {% include '_head_css_js.html' %}
    <!-- Stylesheets -->
    <link href="{% static 'css/login-style.css' %}" rel="stylesheet">
    <link href="{% static 'css/jumpserver.css' %}" rel="stylesheet">
-    <script src="{% static "js/jumpserver.js" %}"></script>
+    <script src="{% static "js/jumpserver.js" %}?_=9"></script>

    <style>
        .login-content {
@@ -32,12 +32,24 @@
            font-weight: normal;
        }

-        .hr-line-dashed {
-            border-top: 1px dashed #e7eaec;
-            color: #ffffff;
-            background-color: #ffffff;
-            height: 1px;
-            margin: 20px 0;
+        .form-group {
+            margin-bottom: 30px;
+            margin-top: 20px;
+        }
+
+        .extra-fields-1 .form-group {
+            margin-bottom: 30px;
+            margin-top: 15px;
+        }
+
+        .extra-fields-2 .form-group {
+            margin-bottom: 20px;
+            margin-top: 10px;
+        }
+
+        .extra-fields-3 .form-group {
+            margin-bottom: 10px;
+            margin-top: 10px;
        }

        .login-content {
@@ -78,34 +90,25 @@
            margin-bottom: 0;
        }

-        .captch-field .has-error .help-block {
+        .captcha-field .has-error .help-block {
            margin-top: -8px !important;
        }

-        .no-captcha-challenge .form-group {
-            margin-bottom: 20px;
-        }
-
        .jms-title {
-            padding: 40px 10px 10px;
-        }
-
-        .no-captcha-challenge .jms-title {
            padding: 60px 10px 10px;
        }

-        .no-captcha-challenge .welcome-message {
-            padding-top: 10px;
+        .more-login-items {
+            margin-top: 10px;
        }

        .more-login-item {
            border-right: 1px dashed #dedede;
-            padding-left: 5px;
-            padding-right: 5px;
+            padding: 2px 5px;
        }

        .more-login-item:last-child {
-            border: none;
+            border-right: none;
        }

        .select-con {
@@ -117,6 +120,7 @@
        }

        .login-page-language {
+            font-size: 12px!important;
            margin-right: -11px !important;
            padding-top: 12px !important;
            padding-left: 0 !important;
@@ -125,15 +129,61 @@
            font-weight: 350 !important;
            min-height: auto !important;
        }
+
+        .right-image {
+            height: 100%;
+            width: 100%
+        }
+
+        .jms-title {
+            font-size: 21px;
+            font-weight:400;
+            color: #151515;
+            letter-spacing: 0;
+        }
+        .more-methods-title {
+            position: relative;
+            margin-top: 20px;
+        }
+        .more-methods-title:before, .more-methods-title:after {
+            position: absolute;
+            top: 50%;
+            transform: translateY(-50%);
+            content: '';
+            border: 1px dashed #e7eaec;
+            width: 35%;
+        }
+        .more-methods-title:before {
+            left: 0;
+        }
+        .more-methods-title:after {
+            right: 0;
+        }
+        .more-methods-title.ja:before, .more-methods-title.ja:after{
+            width: 26%;
+        }
+        .captcha-field .form-group {
+            margin-bottom: 5px;
+        }
+        .auto-login.form-group .checkbox {
+            margin: 5px 0;
+        }
+
+        .more-login {
+            margin-top: 20px;
+        }
+
+        .has-error .more-login {
+            margin-top: 0;
+        }
    </style>
 </head>

 <body>
-
-<div class="login-content">
+<div class="login-content extra-fields-{{ extra_fields_count }}">
    <div class="right-image-box">
-        <a href="{% if not XPACK_ENABLED %}https://github.com/jumpserver/jumpserver{% endif %}">
-            <img src="{{ LOGIN_IMAGE_URL }}" style="height: 100%; width: 100%"/>
+        <a href="{% if not XPACK_ENABLED %}https://github.com/jumpserver/jumpserver.git{% endif %}">
+            <img src="{{ INTERFACE.login_image }}" class="right-image" alt="screen-image"/>
        </a>
    </div>
    <div class="left-form-box {% if not form.challenge and not form.captcha %} no-captcha-challenge {% endif %}">
@@ -142,26 +192,23 @@
                <li class="dropdown">
                    <a class="dropdown-toggle login-page-language" data-toggle="dropdown" href="#" target="_blank">
                        <i class="fa fa-globe fa-lg" style="margin-right: 2px"></i>
-                        {% if request.COOKIES.django_language == 'en' %}
-                            <span>English<b class="caret"></b></span>
-                        {% elif request.COOKIES.django_language == 'ja' %}
-                            <span>日本語<b class="caret"></b></span>
-                        {% else %}
-                            <span>中文(简体)<b class="caret"></b></span>
-                        {% endif %}
+                        <span>{{ current_lang.title }}<b class="caret"></b></span>
                    </a>
                    <ul class="dropdown-menu profile-dropdown dropdown-menu-right">
-                        <li> <a id="switch_cn" href="{% url 'i18n-switch' lang='zh-hans' %}"> <span>中文(简体)</span> </a> </li>
-                        <li> <a id="switch_en" href="{% url 'i18n-switch' lang='en' %}"> <span>English</span> </a> </li>
-                        <li> <a id="switch_ja" href="{% url 'i18n-switch' lang='ja' %}"> <span>日本語</span> </a> </li>
+                        {% for lang in langs %}
+                        <li>
+                            <a href="{% url 'i18n-switch' lang=lang.code %}">
+                                <span>{{ lang.title }}</span>
+                            </a>
+                        </li>
+                        {% endfor %}
                    </ul>
                </li>
            </ul>
            <div class="jms-title">
-                <span style="font-size: 21px;font-weight:400;color: #151515;letter-spacing: 0;">{{ JMS_TITLE }}</span>
+                <span style="">{{ INTERFACE.login_title }}</span>
            </div>
            <div class="contact-form col-md-10 col-md-offset-1">
-
                <form id="login-form" action="" method="post" role="form" novalidate="novalidate">
                    {% csrf_token %}
                    <div style="line-height: 17px;margin-bottom: 20px;color: #999999;">
@@ -177,7 +224,6 @@
                    </div>

                    {% bootstrap_field form.username show_label=False %}
-
                    <div class="form-group {% if form.password.errors %} has-error {% endif %}">
                        <input type="password" class="form-control" id="password" placeholder="{% trans 'Password' %}" required>
                        <input id="password-hidden" type="text" style="display:none" name="{{ form.password.html_name }}">
@@ -194,18 +240,18 @@
                        {% include '_mfa_login_field.html' %}
                        </div>
                    {% elif form.captcha %}
-                        <div class="captch-field">
+                        <div class="captcha-field">
                            {% bootstrap_field form.captcha show_label=False %}
                        </div>
                    {% endif %}
-                    <div class="form-group" style="padding-top: 5px; margin-bottom: 10px">
+                    <div class="form-group auto-login" style="margin-bottom: 10px">
                        <div class="row">
                            <div class="col-md-6" style="text-align: left">
                                {% if form.auto_login %}
                                    {% bootstrap_field form.auto_login form_group_class='' %}
                                {% endif %}
                            </div>
-                            <div class="col-md-6">
+                            <div class="col-md-6" style="line-height: 25px">
                                <a id="forgot_password" href="{{ forgot_password_url }}" style="float: right">
                                    <small>{% trans 'Forgot password' %}?</small>
                                </a>
@@ -213,18 +259,21 @@
                        </div>
                    </div>

-                    <div class="form-group" style="">
-                        <button type="submit" class="btn btn-transparent" onclick="doLogin();return false;">{% trans 'Login' %}</button>
+                    <div class="form-group">
+                        <button type="submit" class="btn btn-transparent" onclick="doLogin();return false;">
+                            {% trans 'Login' %}
+                        </button>
                    </div>

-                    <div>
+                    <div class="more-login">
                        {% if auth_methods %}
-                            <div class="hr-line-dashed"></div>
-                            <div style="display: inline-block; float: left">
-                            <b class="text-muted text-left" >{% trans "More login options" %}</b>
+                            <div class="more-methods-title {{ current_lang.code }}">
+                                    {% trans "More login options" %}
+                            </div>
+                            <div class="more-login-items">
                            {% for method in auth_methods %}
                                <a href="{{ method.url }}" class="more-login-item">
-                                    <i class="fa"><img src="{{ method.logo }}" height="13" width="13"></i> {{ method.name }}
+                                    <i class="fa"><img src="{{ method.logo }}" height="15" width="15"></i> {{ method.name }}
                                </a>
                            {% endfor %}
                            </div>
@@ -251,9 +300,6 @@
        $('#password-hidden').val(passwordEncrypted); //返回给密码输入input
        $('#login-form').submit(); //post提交
    }
-
-    $(document).ready(function () {
-    })
 </script>
 </html>

--- a/apps/authentication/templates/authentication/login_wait_confirm.html
+++ b/apps/authentication/templates/authentication/login_wait_confirm.html
@@ -6,11 +6,11 @@
 <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
-    <link rel="shortcut icon" href="{{ FAVICON_URL }}" type="image/x-icon">
+    <link rel="shortcut icon" href="{{ INTERFACE.favicon }}" type="image/x-icon">
    <title>{{ title }}</title>
    {% include '_head_css_js.html' %}
    <link href="{% static "css/jumpserver.css" %}" rel="stylesheet">
-    <script src="{% static "js/jumpserver.js" %}"></script>
+    <script src="{% static "js/jumpserver.js" %}?_=9"></script>

 </head>

@@ -20,9 +20,9 @@
        <div class="col-md-12">
            <div class="ibox-content">
                <div>
-                    <img src="{{ LOGO_URL }}" style="margin: auto" width="82" height="82">
+                    <img src="{{ INTERFACE.logo_logout }}" style="margin: auto" width="82" height="82">
                    <h2 style="display: inline">
-                        {{ JMS_TITLE }}
+                        {{ INTERFACE.login_title }}
                    </h2>
                </div>
                <p></p>
--- a/apps/authentication/urls/api_urls.py
+++ b/apps/authentication/urls/api_urls.py
@@ -10,8 +10,8 @@ router = DefaultRouter()
 router.register('access-keys', api.AccessKeyViewSet, 'access-key')
 router.register('sso', api.SSOViewSet, 'sso')
 router.register('temp-tokens', api.TempTokenViewSet, 'temp-token')
-router.register('connection-token', api.UserConnectionTokenViewSet, 'connection-token')
-router.register('super-connection-token', api.UserSuperConnectionTokenViewSet, 'super-connection-token')
+router.register('connection-token', api.ConnectionTokenViewSet, 'connection-token')
+router.register('super-connection-token', api.SuperConnectionTokenViewSet, 'super-connection-token')


 urlpatterns = [
@@ -26,12 +26,13 @@ urlpatterns = [
    path('feishu/event/subscription/callback/', api.FeiShuEventSubscriptionCallback.as_view(), name='feishu-event-subscription-callback'),

    path('auth/', api.TokenCreateApi.as_view(), name='user-auth'),
+    path('confirm/', api.ConfirmApi.as_view(), name='user-confirm'),
+    path('confirm-oauth/', api.ConfirmBindORUNBindOAuth.as_view(), name='confirm-oauth'),
    path('tokens/', api.TokenCreateApi.as_view(), name='auth-token'),
    path('mfa/verify/', api.MFAChallengeVerifyApi.as_view(), name='mfa-verify'),
    path('mfa/challenge/', api.MFAChallengeVerifyApi.as_view(), name='mfa-challenge'),
    path('mfa/select/', api.MFASendCodeApi.as_view(), name='mfa-select'),
    path('mfa/send-code/', api.MFASendCodeApi.as_view(), name='mfa-send-codej'),
-    path('otp/verify/', api.UserOtpVerifyApi.as_view(), name='user-otp-verify'),
    path('password/verify/', api.UserPasswordVerifyApi.as_view(), name='user-password-verify'),
    path('login-confirm-ticket/status/', api.TicketStatusApi.as_view(), name='login-confirm-ticket-status'),
 ]
--- a/apps/authentication/views/dingtalk.py
+++ b/apps/authentication/views/dingtalk.py
@@ -8,16 +8,17 @@ from django.db.utils import IntegrityError
 from rest_framework.permissions import IsAuthenticated, AllowAny
 from rest_framework.exceptions import APIException

-from users.views import UserVerifyPasswordView
-from users.utils import is_auth_password_time_valid
 from users.models import User
+from users.views import UserVerifyPasswordView
 from common.utils import get_logger, FlashMessageUtil
 from common.utils.random import random_string
 from common.utils.django import reverse, get_object_or_none
 from common.sdk.im.dingtalk import URL
-from common.mixins.views import PermissionsMixin
+from common.mixins.views import UserConfirmRequiredExceptionMixin, PermissionsMixin
+from common.permissions import UserConfirmation
 from authentication import errors
 from authentication.mixins import AuthMixin
+from authentication.const import ConfirmType
 from common.sdk.im.dingtalk import DingTalk
 from common.utils.common import get_request_ip
 from authentication.notifications import OAuthBindMessage
@@ -29,7 +30,7 @@ logger = get_logger(__file__)
 DINGTALK_STATE_SESSION_KEY = '_dingtalk_state'


-class DingTalkBaseMixin(PermissionsMixin, View):
+class DingTalkBaseMixin(UserConfirmRequiredExceptionMixin, PermissionsMixin, View):
    def dispatch(self, request, *args, **kwargs):
        try:
            return super().dispatch(request, *args, **kwargs)
@@ -118,17 +119,12 @@ class DingTalkOAuthMixin(DingTalkBaseMixin, View):


 class DingTalkQRBindView(DingTalkQRMixin, View):
-    permission_classes = (IsAuthenticated,)
+    permission_classes = (IsAuthenticated, UserConfirmation.require(ConfirmType.ReLogin))

    def get(self, request: HttpRequest):
        user = request.user
        redirect_url = request.GET.get('redirect_url')

-        if not is_auth_password_time_valid(request.session):
-            msg = _('Please verify your password first')
-            response = self.get_failed_response(redirect_url, msg, msg)
-            return response
-
        redirect_uri = reverse('authentication:dingtalk-qr-bind-callback', kwargs={'user_id': user.id}, external=True)
        redirect_uri += '?' + urlencode({'redirect_url': redirect_url})

--- a/apps/authentication/views/feishu.py
+++ b/apps/authentication/views/feishu.py
@@ -8,16 +8,17 @@ from django.db.utils import IntegrityError
 from rest_framework.permissions import IsAuthenticated, AllowAny
 from rest_framework.exceptions import APIException

-from users.utils import is_auth_password_time_valid
-from users.views import UserVerifyPasswordView
 from users.models import User
+from users.views import UserVerifyPasswordView
 from common.utils import get_logger, FlashMessageUtil
 from common.utils.random import random_string
 from common.utils.django import reverse, get_object_or_none
-from common.mixins.views import PermissionsMixin
+from common.mixins.views import UserConfirmRequiredExceptionMixin, PermissionsMixin
+from common.permissions import UserConfirmation
 from common.sdk.im.feishu import FeiShu, URL
 from common.utils.common import get_request_ip
 from authentication import errors
+from authentication.const import ConfirmType
 from authentication.mixins import AuthMixin
 from authentication.notifications import OAuthBindMessage

@@ -27,7 +28,7 @@ logger = get_logger(__file__)
 FEISHU_STATE_SESSION_KEY = '_feishu_state'


-class FeiShuQRMixin(PermissionsMixin, View):
+class FeiShuQRMixin(UserConfirmRequiredExceptionMixin, PermissionsMixin, View):
    def dispatch(self, request, *args, **kwargs):
        try:
            return super().dispatch(request, *args, **kwargs)
@@ -89,17 +90,12 @@ class FeiShuQRMixin(PermissionsMixin, View):


 class FeiShuQRBindView(FeiShuQRMixin, View):
-    permission_classes = (IsAuthenticated,)
+    permission_classes = (IsAuthenticated, UserConfirmation.require(ConfirmType.ReLogin))

    def get(self, request: HttpRequest):
        user = request.user
        redirect_url = request.GET.get('redirect_url')

-        if not is_auth_password_time_valid(request.session):
-            msg = _('Please verify your password first')
-            response = self.get_failed_response(redirect_url, msg, msg)
-            return response
-
        redirect_uri = reverse('authentication:feishu-qr-bind-callback', external=True)
        redirect_uri += '?' + urlencode({'redirect_url': redirect_url})

--- a/apps/authentication/views/login.py
+++ b/apps/authentication/views/login.py
@@ -4,14 +4,14 @@
 from __future__ import unicode_literals
 import os
 import datetime
+from typing import Callable

 from django.templatetags.static import static
 from django.contrib.auth import login as auth_login, logout as auth_logout
-from django.http import HttpResponse
+from django.http import HttpResponse, HttpRequest
 from django.shortcuts import reverse, redirect
 from django.utils.decorators import method_decorator
-from django.db import transaction
-from django.utils.translation import ugettext as _
+from django.utils.translation import ugettext as _, get_language
 from django.views.decorators.cache import never_cache
 from django.views.decorators.csrf import csrf_protect
 from django.views.decorators.debug import sensitive_post_parameters
@@ -35,10 +35,115 @@ __all__ = [
 ]


+class UserLoginContextMixin:
+    get_user_mfa_context: Callable
+    request: HttpRequest
+
+    @staticmethod
+    def get_support_auth_methods():
+        auth_methods = [
+            {
+                'name': 'OpenID',
+                'enabled': settings.AUTH_OPENID,
+                'url': reverse('authentication:openid:login'),
+                'logo': static('img/login_oidc_logo.png'),
+                'auto_redirect': True  # 是否支持自动重定向
+            },
+            {
+                'name': 'CAS',
+                'enabled': settings.AUTH_CAS,
+                'url': reverse('authentication:cas:cas-login'),
+                'logo': static('img/login_cas_logo.png'),
+                'auto_redirect': True
+            },
+            {
+                'name': 'SAML2',
+                'enabled': settings.AUTH_SAML2,
+                'url': reverse('authentication:saml2:saml2-login'),
+                'logo': static('img/login_saml2_logo.png'),
+                'auto_redirect': True
+            },
+            {
+                'name': _('WeCom'),
+                'enabled': settings.AUTH_WECOM,
+                'url': reverse('authentication:wecom-qr-login'),
+                'logo': static('img/login_wecom_logo.png'),
+            },
+            {
+                'name': _('DingTalk'),
+                'enabled': settings.AUTH_DINGTALK,
+                'url': reverse('authentication:dingtalk-qr-login'),
+                'logo': static('img/login_dingtalk_logo.png')
+            },
+            {
+                'name': _('FeiShu'),
+                'enabled': settings.AUTH_FEISHU,
+                'url': reverse('authentication:feishu-qr-login'),
+                'logo': static('img/login_feishu_logo.png')
+            }
+        ]
+        return [method for method in auth_methods if method['enabled']]
+
+    @staticmethod
+    def get_support_langs():
+        langs = [
+            {
+                'title': '中文(简体)',
+                'code': 'zh-hans'
+            },
+            {
+                'title': 'English',
+                'code': 'en'
+            },
+            {
+                'title': '日本語',
+                'code': 'ja'
+            }
+        ]
+        return langs
+
+    def get_current_lang(self):
+        langs = self.get_support_langs()
+        matched_lang = filter(lambda x: x['code'] == get_language(), langs)
+        return next(matched_lang, langs[0])
+
+    @staticmethod
+    def get_forgot_password_url():
+        forgot_password_url = reverse('authentication:forgot-password')
+        forgot_password_url = settings.FORGOT_PASSWORD_URL or forgot_password_url
+        return forgot_password_url
+
+    def get_extra_fields_count(self, context):
+        count = 0
+        if self.get_support_auth_methods():
+            count += 1
+        form = context.get('form')
+        if not form:
+            return count
+        if set(form.fields.keys()) & {'captcha', 'challenge', 'mfa_type'}:
+            count += 1
+        if form.errors or form.non_field_errors():
+            count += 1
+        return count
+
+    def get_context_data(self, **kwargs):
+        context = super().get_context_data(**kwargs)
+        context.update({
+            'demo_mode': os.environ.get("DEMO_MODE"),
+            'auth_methods': self.get_support_auth_methods(),
+            'langs': self.get_support_langs(),
+            'current_lang': self.get_current_lang(),
+            'forgot_password_url': self.get_forgot_password_url(),
+            'extra_fields_count': self.get_extra_fields_count(context),
+            **self.get_user_mfa_context(self.request.user)
+        })
+        return context
+
+
@method_decorator(sensitive_post_parameters(), name='dispatch')
@method_decorator(csrf_protect, name='dispatch')
@method_decorator(never_cache, name='dispatch')
-class UserLoginView(mixins.AuthMixin, FormView):
+class UserLoginView(mixins.AuthMixin, UserLoginContextMixin, FormView):
    redirect_field_name = 'next'
    template_name = 'authentication/login.html'

@@ -106,12 +211,7 @@ class UserLoginView(mixins.AuthMixin, FormView):
            context = self.get_context_data(form=new_form)
            self.request.session.set_test_cookie()
            return self.render_to_response(context)
-        except (
-                errors.MFAUnsetError,
-                errors.PasswordTooSimple,
-                errors.PasswordRequireResetError,
-                errors.PasswordNeedUpdate
-        ) as e:
+        except errors.NeedRedirectError as e:
            return redirect(e.url)
        except (
                errors.MFAFailedError,
@@ -136,67 +236,6 @@ class UserLoginView(mixins.AuthMixin, FormView):
        self.request.session[RSA_PRIVATE_KEY] = None
        self.request.session[RSA_PUBLIC_KEY] = None

-    @staticmethod
-    def get_support_auth_methods():
-        auth_methods = [
-            {
-                'name': 'OpenID',
-                'enabled': settings.AUTH_OPENID,
-                'url': reverse('authentication:openid:login'),
-                'logo': static('img/login_oidc_logo.png'),
-                'auto_redirect': True  # 是否支持自动重定向
-            },
-            {
-                'name': 'CAS',
-                'enabled': settings.AUTH_CAS,
-                'url': reverse('authentication:cas:cas-login'),
-                'logo': static('img/login_cas_logo.png'),
-                'auto_redirect': True
-            },
-            {
-                'name': 'SAML2',
-                'enabled': settings.AUTH_SAML2,
-                'url': reverse('authentication:saml2:saml2-login'),
-                'logo': static('img/login_saml2_logo.png'),
-                'auto_redirect': True
-            },
-            {
-                'name': _('WeCom'),
-                'enabled': settings.AUTH_WECOM,
-                'url': reverse('authentication:wecom-qr-login'),
-                'logo': static('img/login_wecom_logo.png'),
-            },
-            {
-                'name': _('DingTalk'),
-                'enabled': settings.AUTH_DINGTALK,
-                'url': reverse('authentication:dingtalk-qr-login'),
-                'logo': static('img/login_dingtalk_logo.png')
-            },
-            {
-                'name': _('FeiShu'),
-                'enabled': settings.AUTH_FEISHU,
-                'url': reverse('authentication:feishu-qr-login'),
-                'logo': static('img/login_feishu_logo.png')
-            }
-        ]
-        return [method for method in auth_methods if method['enabled']]
-
-    @staticmethod
-    def get_forgot_password_url():
-        forgot_password_url = reverse('authentication:forgot-password')
-        forgot_password_url = settings.FORGOT_PASSWORD_URL or forgot_password_url
-        return forgot_password_url
-
-    def get_context_data(self, **kwargs):
-        context = {
-            'demo_mode': os.environ.get("DEMO_MODE"),
-            'auth_methods': self.get_support_auth_methods(),
-            'forgot_password_url': self.get_forgot_password_url(),
-            **self.get_user_mfa_context(self.request.user)
-        }
-        kwargs.update(context)
-        return super().get_context_data(**kwargs)
-

 class UserLoginGuardView(mixins.AuthMixin, RedirectView):
    redirect_field_name = 'next'
@@ -258,8 +297,7 @@ class UserLoginWaitConfirmView(TemplateView):
        if ticket:
            timestamp_created = datetime.datetime.timestamp(ticket.date_created)
            ticket_detail_url = TICKET_DETAIL_URL.format(id=ticket_id, type=ticket.type)
-            assignees = ticket.current_node.first().ticket_assignees.all()
-            assignees_display = ', '.join([str(i.assignee) for i in assignees])
+            assignees_display = ', '.join([str(assignee) for assignee in ticket.current_assignees])
            msg = _("""Wait for <b>{}</b> confirm, You also can copy link to her/him <br/>
                  Don't close this page""").format(assignees_display)
        else:
--- a/apps/authentication/views/wecom.py
+++ b/apps/authentication/views/wecom.py
@@ -8,18 +8,19 @@ from django.db.utils import IntegrityError
 from rest_framework.permissions import IsAuthenticated, AllowAny
 from rest_framework.exceptions import APIException

-from users.views import UserVerifyPasswordView
-from users.utils import is_auth_password_time_valid
 from users.models import User
+from users.views import UserVerifyPasswordView
 from common.utils import get_logger, FlashMessageUtil
 from common.utils.random import random_string
 from common.utils.django import reverse, get_object_or_none
 from common.sdk.im.wecom import URL
 from common.sdk.im.wecom import WeCom
-from common.mixins.views import PermissionsMixin
+from common.mixins.views import UserConfirmRequiredExceptionMixin, PermissionsMixin
 from common.utils.common import get_request_ip
+from common.permissions import UserConfirmation
 from authentication import errors
 from authentication.mixins import AuthMixin
+from authentication.const import ConfirmType
 from authentication.notifications import OAuthBindMessage
 from .mixins import METAMixin

@@ -29,7 +30,7 @@ logger = get_logger(__file__)
 WECOM_STATE_SESSION_KEY = '_wecom_state'


-class WeComBaseMixin(PermissionsMixin, View):
+class WeComBaseMixin(UserConfirmRequiredExceptionMixin, PermissionsMixin, View):
    def dispatch(self, request, *args, **kwargs):
        try:
            return super().dispatch(request, *args, **kwargs)
@@ -118,17 +119,12 @@ class WeComOAuthMixin(WeComBaseMixin, View):


 class WeComQRBindView(WeComQRMixin, View):
-    permission_classes = (IsAuthenticated,)
+    permission_classes = (IsAuthenticated, UserConfirmation.require(ConfirmType.ReLogin))

    def get(self, request: HttpRequest):
        user = request.user
        redirect_url = request.GET.get('redirect_url')

-        if not is_auth_password_time_valid(request.session):
-            msg = _('Please verify your password first')
-            response = self.get_failed_response(redirect_url, msg, msg)
-            return response
-
        redirect_uri = reverse('authentication:wecom-qr-bind-callback', kwargs={'user_id': user.id}, external=True)
        redirect_uri += '?' + urlencode({'redirect_url': redirect_url})

@@ -304,5 +300,4 @@ class WeComOAuthLoginCallbackView(AuthMixin, WeComOAuthMixin, View):
            msg = e.msg
            response = self.get_failed_response(login_url, title=msg, msg=msg)
            return response
-
        return self.redirect_to_guard_view()
--- a/apps/common/db/encoder.py
+++ b/apps/common/db/encoder.py
@@ -1,20 +1,32 @@
 import json
-from datetime import datetime
 import uuid
+import logging
+from datetime import datetime

 from django.utils.translation import ugettext_lazy as _
+from django.utils import timezone as dj_timezone
+from django.db import models
 from django.conf import settings

+lazy_type = type(_('ugettext_lazy'))
+

 class ModelJSONFieldEncoder(json.JSONEncoder):
    """ 解决一些类型的字段不能序列化的问题 """

    def default(self, obj):
-        if isinstance(obj, datetime):
+        str_cls = (models.Model, lazy_type, models.ImageField, uuid.UUID)
+        if isinstance(obj, str_cls):
+            return str(obj)
+        elif isinstance(obj, datetime):
+            obj = dj_timezone.localtime(obj)
            return obj.strftime(settings.DATETIME_DISPLAY_FORMAT)
-        if isinstance(obj, uuid.UUID):
-            return str(obj)
-        if isinstance(obj, type(_("ugettext_lazy"))):
-            return str(obj)
+        elif isinstance(obj, (list, tuple)) and len(obj) > 0 \
+                and isinstance(obj[0], models.Model):
+            return [str(i) for i in obj]
        else:
-            return super().default(obj)
+            try:
+                return super().default(obj)
+            except TypeError:
+                logging.error('Type error: ', type(obj))
+                return str(obj)
--- a/apps/common/db/models.py
+++ b/apps/common/db/models.py
@@ -13,6 +13,7 @@ import uuid
 from functools import reduce, partial
 import inspect

+from django.db import transaction
 from django.db.models import *
 from django.db.models import QuerySet
 from django.db.models.functions import Concat
@@ -211,3 +212,29 @@ class UnionQuerySet(QuerySet):

        qs = cls(assets1, assets2)
        return qs
+
+
+class MultiTableChildQueryset(QuerySet):
+
+    def bulk_create(self, objs, batch_size=None):
+        assert batch_size is None or batch_size > 0
+        if not objs:
+            return objs
+
+        self._for_write = True
+        objs = list(objs)
+        parent_model = self.model._meta.pk.related_model
+
+        parent_objs = []
+        for obj in objs:
+            parent_values = {}
+            for field in [f for f in parent_model._meta.fields if hasattr(obj, f.name)]:
+                parent_values[field.name] = getattr(obj, field.name)
+            parent_objs.append(parent_model(**parent_values))
+            setattr(obj, self.model._meta.pk.attname, obj.id)
+        parent_model.objects.bulk_create(parent_objs, batch_size=batch_size)
+
+        with transaction.atomic(using=self.db, savepoint=False):
+            self._batched_insert(objs, self.model._meta.local_fields, batch_size)
+
+        return objs
--- a/apps/common/drf/parsers/base.py
+++ b/apps/common/drf/parsers/base.py
@@ -99,10 +99,16 @@ class BaseFileParser(BaseParser):
        new_row_data = {}
        serializer_fields = self.serializer_fields
        for k, v in row_data.items():
-            if type(v) in [list, dict, int] or (isinstance(v, str) and k.strip() and v.strip()):
-                # 解决类似disk_info为字符串的'{}'的问题
+            if type(v) in [list, dict, int, bool] or (isinstance(v, str) and k.strip() and v.strip()):
+                # 处理类似disk_info为字符串的'{}'的问题
                if not isinstance(v, str) and isinstance(serializer_fields[k], serializers.CharField):
                    v = str(v)
+                # 处理 BooleanField 的问题, 导出是 'True', 'False'
+                if isinstance(v, str) and v.strip().lower() == 'true':
+                    v = True
+                elif isinstance(v, str) and v.strip().lower() == 'false':
+                    v = False
+
                new_row_data[k] = v
        return new_row_data

--- a/apps/common/drf/renders/base.py
+++ b/apps/common/drf/renders/base.py
@@ -73,7 +73,10 @@ class BaseFileRenderer(BaseRenderer):
            row = []
            for field in render_fields:
                value = item.get(field.field_name)
-                value = str(value) if value else ''
+                if value is None:
+                    value = ''
+                else:
+                    value = str(value)
                row.append(value)
            yield row

--- a/apps/common/exceptions.py
+++ b/apps/common/exceptions.py
@@ -41,10 +41,13 @@ class ReferencedByOthers(JMSException):
    default_detail = _('Is referenced by other objects and cannot be deleted')


-class MFAVerifyRequired(JMSException):
-    status_code = status.HTTP_400_BAD_REQUEST
-    default_code = 'mfa_verify_required'
-    default_detail = _('This action require verify your MFA')
+class UserConfirmRequired(JMSException):
+    def __init__(self, code=None):
+        detail = {
+            'code': code,
+            'detail': _('This action require confirm current user')
+        }
+        super().__init__(detail=detail, code=code)


 class UnexpectError(JMSException):
--- a/apps/common/mixins/views.py
+++ b/apps/common/mixins/views.py
@@ -2,16 +2,26 @@
 #
 from django.utils.translation import ugettext_lazy as _
 from django.contrib.auth.mixins import UserPassesTestMixin
+from django.http.response import JsonResponse
 from rest_framework import permissions
-from rest_framework.decorators import action
 from rest_framework.request import Request
-from rest_framework.response import Response

-from common.permissions import IsValidUser
+from common.exceptions import UserConfirmRequired
 from audits.utils import create_operate_log
 from audits.models import OperateLog

-__all__ = ["PermissionsMixin", "RecordViewLogMixin"]
+__all__ = ["PermissionsMixin", "RecordViewLogMixin", "UserConfirmRequiredExceptionMixin"]
+
+
+class UserConfirmRequiredExceptionMixin:
+    """
+    异常处理
+    """
+    def dispatch(self, request, *args, **kwargs):
+        try:
+            return super().dispatch(request, *args, **kwargs)
+        except UserConfirmRequired as e:
+            return JsonResponse(e.detail, status=e.status_code)


 class PermissionsMixin(UserPassesTestMixin):
--- a/apps/common/permissions.py
+++ b/apps/common/permissions.py
@@ -1,9 +1,15 @@
 # -*- coding: utf-8 -*-
 #
 import time
-from rest_framework import permissions
+
 from django.conf import settings
-from common.exceptions import MFAVerifyRequired
+from rest_framework import permissions
+
+from authentication.const import ConfirmType
+from common.exceptions import UserConfirmRequired
+from orgs.utils import tmp_to_root_org
+from authentication.models import ConnectionToken
+from common.utils import get_object_or_none


 class IsValidUser(permissions.IsAuthenticated, permissions.BasePermission):
@@ -14,6 +20,22 @@ class IsValidUser(permissions.IsAuthenticated, permissions.BasePermission):
               and request.user.is_valid


+class IsValidUserOrConnectionToken(IsValidUser):
+
+    def has_permission(self, request, view):
+        return super(IsValidUserOrConnectionToken, self).has_permission(request, view) \
+               or self.is_valid_connection_token(request)
+
+    @staticmethod
+    def is_valid_connection_token(request):
+        token_id = request.query_params.get('token')
+        if not token_id:
+            return False
+        with tmp_to_root_org():
+            token = get_object_or_none(ConnectionToken, id=token_id)
+        return token and token.is_valid
+
+
 class OnlySuperUser(IsValidUser):
    def has_permission(self, request, view):
        return super().has_permission(request, view) \
@@ -29,18 +51,26 @@ class WithBootstrapToken(permissions.BasePermission):
        return settings.BOOTSTRAP_TOKEN == request_bootstrap_token


-class NeedMFAVerify(permissions.BasePermission):
+class UserConfirmation(permissions.BasePermission):
+    ttl = 60 * 5
+    min_level = 1
+    confirm_type = ConfirmType.ReLogin
+
    def has_permission(self, request, view):
        if not settings.SECURITY_VIEW_AUTH_NEED_MFA:
            return True

-        mfa_verify_time = request.session.get('MFA_VERIFY_TIME', 0)
-        if time.time() - mfa_verify_time < settings.SECURITY_MFA_VERIFY_TTL:
-            return True
-        raise MFAVerifyRequired()
+        confirm_level = request.session.get('CONFIRM_LEVEL')
+        confirm_time = request.session.get('CONFIRM_TIME')

+        if not confirm_level or not confirm_time or \
+                confirm_level < self.min_level or \
+                confirm_time < time.time() - self.ttl:
+            raise UserConfirmRequired(code=self.confirm_type)
+        return True

-class IsObjectOwner(IsValidUser):
-    def has_object_permission(self, request, view, obj):
-        return (super().has_object_permission(request, view, obj) and
-                request.user == getattr(obj, 'user', None))
+    @classmethod
+    def require(cls, confirm_type=ConfirmType.ReLogin, ttl=300):
+        min_level = ConfirmType.values.index(confirm_type) + 1
+        name = 'UserConfirmationLevel{}TTL{}'.format(min_level, ttl)
+        return type(name, (cls,), {'min_level': min_level, 'ttl': ttl, 'confirm_type': confirm_type})
--- a/apps/common/signal_handlers.py
+++ b/apps/common/signal_handlers.py
@@ -14,7 +14,6 @@ from .local import thread_local

 pattern = re.compile(r'FROM `(\w+)`')
 logger = logging.getLogger("jumpserver.common")
-DEBUG_DB = os.environ.get('DEBUG_DB', '0') == '1'


 class Counter:
@@ -66,7 +65,7 @@ def on_request_finished_release_local(sender, **kwargs):
    thread_local.__release_local__()


-if settings.DEBUG and DEBUG_DB:
+if settings.DEBUG_DEV:
    request_finished.connect(on_request_finished_logging_db_query)
 else:
    request_finished.connect(on_request_finished_release_local)
--- a/apps/common/utils/common.py
+++ b/apps/common/utils/common.py
@@ -361,3 +361,7 @@ def pretty_string(data: str, max_length=128, ellipsis_str='...'):
    end = data[-half:]
    data = f'{start}{ellipsis_str}{end}'
    return data
+
+
+def group_by_count(it, count):
+    return [it[i:i+count] for i in range(0, len(it), count)]
--- a/apps/common/utils/connection.py
+++ b/apps/common/utils/connection.py
@@ -1,11 +1,9 @@
 import json
 import threading
+import redis

-from redis import Redis
-from django.conf import settings
+from django.core.cache import cache

-from jumpserver.const import CONFIG
-from common.http import is_true
 from common.db.utils import safe_db_connection
 from common.utils import get_logger

@@ -13,18 +11,9 @@ logger = get_logger(__name__)


 def get_redis_client(db=0):
-    params = {
-        'host': CONFIG.REDIS_HOST,
-        'port': CONFIG.REDIS_PORT,
-        'password': CONFIG.REDIS_PASSWORD,
-        'db': db,
-        "ssl": is_true(CONFIG.REDIS_USE_SSL),
-        'ssl_cert_reqs': getattr(settings, 'REDIS_SSL_REQUIRED'),
-        'ssl_keyfile': getattr(settings, 'REDIS_SSL_KEYFILE'),
-        'ssl_certfile': getattr(settings, 'REDIS_SSL_CERTFILE'),
-        'ssl_ca_certs': getattr(settings, 'REDIS_SSL_CA_CERTS'),
-    }
-    return Redis(**params)
+    client = cache.client.get_client()
+    assert isinstance(client, redis.Redis)
+    return client


 class Subscription:
--- a/apps/common/utils/crypto.py
+++ b/apps/common/utils/crypto.py
@@ -259,8 +259,8 @@ def decrypt_password(value):
    aes = get_aes_crypto(aes_key, 'ECB')
    try:
        password = aes.decrypt(password_cipher)
-    except UnicodeDecodeError as e:
-        logging.error("Decript password error: {}, {}".format(password_cipher, e))
+    except Exception as e:
+        logging.error("Decrypt password error: {}, {}".format(password_cipher, e))
        return value
    return password

--- a/apps/common/utils/django.py
+++ b/apps/common/utils/django.py
@@ -8,12 +8,14 @@ from django.utils import timezone
 from django.db import models
 from django.db.models.signals import post_save, pre_save

-
 UUID_PATTERN = re.compile(r'[0-9a-zA-Z\-]{36}')


-def reverse(view_name, urlconf=None, args=None, kwargs=None,
-            current_app=None, external=False, api_to_ui=False):
+def reverse(
+        view_name, urlconf=None, args=None, kwargs=None,
+        current_app=None, external=False, api_to_ui=False,
+        is_console=False, is_audit=False, is_workbench=False
+):
    url = dj_reverse(view_name, urlconf=urlconf, args=args,
                     kwargs=kwargs, current_app=current_app)

@@ -21,7 +23,15 @@ def reverse(view_name, urlconf=None, args=None, kwargs=None,
        site_url = settings.SITE_URL
        url = site_url.strip('/') + url
    if api_to_ui:
-        url = url.replace('api/v1', 'ui/#').rstrip('/')
+        replace_str = 'ui/#'
+        if is_console:
+            replace_str += '/console'
+        elif is_audit:
+            replace_str += '/audit'
+        elif is_workbench:
+            replace_str += '/workbench'
+
+        url = url.replace('api/v1', replace_str).rstrip('/')
    return url


@@ -38,7 +48,7 @@ def date_expired_default():
        years = int(settings.DEFAULT_EXPIRED_YEARS)
    except TypeError:
        years = 70
-    return timezone.now() + timezone.timedelta(days=365*years)
+    return timezone.now() + timezone.timedelta(days=365 * years)


 def union_queryset(*args, base_queryset=None):
--- a/apps/common/utils/file.py
+++ b/apps/common/utils/file.py
@@ -1,6 +1,8 @@
 import os
 import csv
+
 import pyzipper
+import requests


 def create_csv_file(filename, headers, rows, ):
@@ -18,3 +20,11 @@ def encrypt_and_compress_zip_file(filename, secret_password, encrypted_filenames
        for encrypted_filename in encrypted_filenames:
            with open(encrypted_filename, 'rb') as f:
                zf.writestr(os.path.basename(encrypted_filename), f.read())
+
+
+def download_file(src, path):
+    with requests.get(src, stream=True) as r:
+        r.raise_for_status()
+        with open(path, 'wb') as f:
+            for chunk in r.iter_content(chunk_size=8192):
+                f.write(chunk)
--- a/apps/common/utils/ip/geoip/utils.py
+++ b/apps/common/utils/ip/geoip/utils.py
@@ -13,10 +13,6 @@ reader = None


 def get_ip_city_by_geoip(ip):
-    if not ip or '.' not in ip or not isinstance(ip, str):
-        return _("Invalid ip")
-    if ':' in ip:
-        return 'IPv6'
    global reader
    if reader is None:
        path = os.path.join(os.path.dirname(__file__), 'GeoLite2-City.mmdb')
@@ -32,7 +28,7 @@ def get_ip_city_by_geoip(ip):
    try:
        response = reader.city(ip)
    except GeoIP2Error:
-        return {}
+        return _("Unknown")

    city_names = response.city.names or {}
    lang = settings.LANGUAGE_CODE[:2]
--- a/apps/common/utils/ip/ipip/utils.py
+++ b/apps/common/utils/ip/ipip/utils.py
@@ -1,7 +1,6 @@
 # -*- coding: utf-8 -*-
 #
 import os
-from django.utils.translation import ugettext as _

 import ipdb

@@ -11,13 +10,13 @@ ipip_db = None

 def get_ip_city_by_ipip(ip):
    global ipip_db
-    if not ip or not isinstance(ip, str):
-        return _("Invalid ip")
-    if ':' in ip:
-        return 'IPv6'
    if ipip_db is None:
        ipip_db_path = os.path.join(os.path.dirname(__file__), 'ipipfree.ipdb')
        ipip_db = ipdb.City(ipip_db_path)
-
-    info = ipip_db.find_info(ip, 'CN')
+    try:
+        info = ipip_db.find_info(ip, 'CN')
+    except ValueError:
+        return None
+    if not info:
+        raise None
    return {'city': info.city_name, 'country': info.country_name}
--- a/apps/common/utils/ip/utils.py
+++ b/apps/common/utils/ip/utils.py
@@ -74,13 +74,18 @@ def contains_ip(ip, ip_group):


 def get_ip_city(ip):
-    info = get_ip_city_by_ipip(ip)
-    city = info.get('city', _("Unknown"))
-    country = info.get('country')
+    if not ip or not isinstance(ip, str):
+        return _("Invalid ip")
+    if ':' in ip:
+        return 'IPv6'

-    # 国内城市 并且 语言是中文就使用国内
-    is_zh = settings.LANGUAGE_CODE.startswith('zh')
-    if country == '中国' and is_zh:
-        return city
-    else:
-        return get_ip_city_by_geoip(ip)
+    info = get_ip_city_by_ipip(ip)
+    if info:
+        city = info.get('city', _("Unknown"))
+        country = info.get('country')
+
+        # 国内城市 并且 语言是中文就使用国内
+        is_zh = settings.LANGUAGE_CODE.startswith('zh')
+        if country == '中国' and is_zh:
+            return city
+    return get_ip_city_by_geoip(ip)
--- a/apps/jumpserver/conf.py
+++ b/apps/jumpserver/conf.py
@@ -128,6 +128,7 @@ class Config(dict):
        'SECRET_KEY': '',
        'BOOTSTRAP_TOKEN': '',
        'DEBUG': False,
+        'DEBUG_DEV': False,
        'LOG_LEVEL': 'DEBUG',
        'LOG_DIR': os.path.join(PROJECT_DIR, 'logs'),
        'DB_ENGINE': 'mysql',
@@ -139,6 +140,7 @@ class Config(dict):
        'REDIS_HOST': '127.0.0.1',
        'REDIS_PORT': 6379,
        'REDIS_PASSWORD': '',
+        'REDIS_USE_SSL': False,
        # Default value
        'REDIS_DB_CELERY': 3,
        'REDIS_DB_CACHE': 4,
@@ -158,9 +160,10 @@ class Config(dict):
        'SESSION_COOKIE_DOMAIN': None,
        'CSRF_COOKIE_DOMAIN': None,
        'SESSION_COOKIE_NAME_PREFIX': None,
-        'SESSION_COOKIE_AGE': 3600 * 24,
+        'SESSION_COOKIE_AGE': 3600,
        'SESSION_EXPIRE_AT_BROWSER_CLOSE': False,
        'LOGIN_URL': reverse_lazy('authentication:login'),
+        'CONNECTION_TOKEN_EXPIRATION': 5 * 60,

        # Custom Config
        # Auth LDAP settings
@@ -191,6 +194,9 @@ class Config(dict):
        'AUTH_OPENID_CLIENT_AUTH_METHOD': 'client_secret_basic',
        'AUTH_OPENID_SHARE_SESSION': True,
        'AUTH_OPENID_IGNORE_SSL_VERIFICATION': True,
+        'AUTH_OPENID_USER_ATTR_MAP': {
+            'name': 'name', 'username': 'preferred_username', 'email': 'email'
+        },

        # OpenID 新配置参数 (version >= 1.5.9)
        'AUTH_OPENID_PROVIDER_ENDPOINT': 'https://oidc.example.com/',
@@ -320,8 +326,8 @@ class Config(dict):
        # 保留(Luna还在用)
        'TERMINAL_MAGNUS_ENABLED': True,
        'TERMINAL_KOKO_SSH_ENABLED': True,
-        # 保留(Luna还在用)
-        'XRDP_ENABLED': True,
+        'TERMINAL_RAZOR_ENABLED': True,
+        'TERMINAL_OMNIDB_ENABLED': True,

        # 安全配置
        'SECURITY_MFA_AUTH': 0,  # 0 不开启 1 全局开启 2 管理员开启
@@ -377,6 +383,7 @@ class Config(dict):
        'SESSION_COOKIE_SECURE': False,
        'CSRF_COOKIE_SECURE': False,
        'REFERER_CHECK_ENABLED': False,
+        'SESSION_ENGINE': 'cache',
        'SESSION_SAVE_EVERY_REQUEST': True,
        'SESSION_EXPIRE_AT_BROWSER_CLOSE_FORCE': False,
        'SERVER_REPLAY_STORAGE': {},
@@ -407,7 +414,6 @@ class Config(dict):

        'FORGOT_PASSWORD_URL': '',
        'HEALTH_CHECK_TOKEN': '',
-
    }

    @staticmethod
--- a/apps/jumpserver/context_processor.py
+++ b/apps/jumpserver/context_processor.py
@@ -4,34 +4,32 @@ from django.templatetags.static import static
 from django.conf import settings
 from django.utils.translation import ugettext_lazy as _

+default_interface = dict((
+    ('logo_logout', static('img/logo.png')),
+    ('logo_index', static('img/logo_text.png')),
+    ('login_image', static('img/login_image.jpg')),
+    ('favicon', static('img/facio.ico')),
+    ('login_title', _('JumpServer Open Source Bastion Host')),
+    ('theme', 'classic_green'),
+    ('theme_info', {}),
+))
+
 default_context = {
    'DEFAULT_PK': '00000000-0000-0000-0000-000000000000',
-    'LOGO_URL': static('img/logo.png'),
-    'LOGO_TEXT_URL': static('img/logo_text.png'),
-    'LOGIN_IMAGE_URL': static('img/login_image.jpg'),
-    'FAVICON_URL': static('img/facio.ico'),
-    'LOGIN_CAS_LOGO_URL': static('img/login_cas_logo.png'),
-    'LOGIN_WECOM_LOGO_URL': static('img/login_wecom_logo.png'),
-    'LOGIN_DINGTALK_LOGO_URL': static('img/login_dingtalk_logo.png'),
-    'LOGIN_FEISHU_LOGO_URL': static('img/login_feishu_logo.png'),
-    'JMS_TITLE': _('JumpServer Open Source Bastion Host'),
-}
-
-default_interface = {
-    'login_title': default_context['JMS_TITLE'],
-    'logo_logout': default_context['LOGO_URL'],
-    'logo_index': default_context['LOGO_TEXT_URL'],
-    'login_image': default_context['LOGIN_IMAGE_URL'],
-    'favicon': default_context['FAVICON_URL'],
+    'LOGIN_CAS_logo_logout': static('img/login_cas_logo.png'),
+    'LOGIN_WECOM_logo_logout': static('img/login_wecom_logo.png'),
+    'LOGIN_DINGTALK_logo_logout': static('img/login_dingtalk_logo.png'),
+    'LOGIN_FEISHU_logo_logout': static('img/login_feishu_logo.png'),
+    'COPYRIGHT': 'FIT2CLOUD 飞致云' + ' © 2014-2022',
+    'INTERFACE': default_interface,
 }


 def jumpserver_processor(request):
    # Setting default pk
-    context = default_context
+    context = {**default_context}
    context.update({
        'VERSION': settings.VERSION,
-        'COPYRIGHT': 'FIT2CLOUD 飞致云' + ' © 2014-2022',
        'SECURITY_COMMAND_EXECUTION': settings.SECURITY_COMMAND_EXECUTION,
        'SECURITY_MFA_VERIFY_TTL': settings.SECURITY_MFA_VERIFY_TTL,
        'FORCE_SCRIPT_NAME': settings.FORCE_SCRIPT_NAME,
--- a/apps/jumpserver/rewriting/init.py
+++ b/apps/jumpserver/rewriting/init.py
@@ -0,0 +1,2 @@
+from . import db
+
--- a/Show More
+++ b/Show More