fix: 消息订阅redis连接未关闭

fix: Authbook 取认证信息bug
feat: rdp协议新增username表达式，匹配更多特殊字符
2025-12-25 13:32:36 +00:00 · 2022-02-10 11:43:21 +08:00 · 2022-02-10 11:41:44 +08:00 · 2021-12-30 09:59:26 +08:00 · 2021-12-24 11:35:24 +08:00 · 2021-12-17 15:53:44 +08:00
881 changed files with 73369 additions and 32692 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -7,5 +7,4 @@ django.db
 celerybeat.pid
 ### Vagrant ###
 .vagrant/
-apps/xpack/.git
-
+apps/xpack/.git
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,4 +1,2 @@
 *.mmdb filter=lfs diff=lfs merge=lfs -text
 *.mo filter=lfs diff=lfs merge=lfs -text
-*.ipdb filter=lfs diff=lfs merge=lfs -text
-
--- a/.github/PULL_REQUEST_TEMPLATE.md
+++ b/.github/PULL_REQUEST_TEMPLATE.md
@@ -1,9 +0,0 @@
-#### What this PR does / why we need it?
-
-#### Summary of your change
-
-#### Please indicate you've done the following:
-
- [ ] Made sure tests are passing and test coverage is added if needed.
- [ ] Made sure commit message follow the rule of [Conventional Commits specification](https://www.conventionalcommits.org/).
- [ ] Considered the docs impact and opened a new docs issue or PR with docs changes if needed.
--- a/.github/release-config.yml
+++ b/.github/release-config.yml
@@ -41,5 +41,4 @@ version-resolver:
  default: patch
 template: |
  ## 版本变化  What’s Changed
-  $CHANGES
-
+  $CHANGES
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -20,8 +20,6 @@ jobs:
        run: |
          TAG=$(basename ${GITHUB_REF})
          VERSION=${TAG/v/}
-          wget https://raw.githubusercontent.com/jumpserver/installer/master/quick_start.sh
-          sed -i "s@Version=.*@Version=v${VERSION}@g" quick_start.sh
          echo "::set-output name=TAG::$TAG"
          echo "::set-output name=VERSION::$VERSION"
      - name: Create Release
@@ -33,16 +31,6 @@ jobs:
          config-name: release-config.yml
          version: ${{ steps.get_version.outputs.TAG }}
          tag: ${{ steps.get_version.outputs.TAG }}
-      - name: Upload Quick Start Script
-        id: upload-release-quick-start-shell
-        uses: actions/upload-release-asset@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ steps.create_release.outputs.upload_url }} # This pulls from the CREATE RELEASE step above, referencing it's ID to get its outputs object, which include a `upload_url`. See this blog post for more info: https://jasonet.co/posts/new-features-of-github-actions/#passing-data-to-future-steps
-          asset_path: ./quick_start.sh
-          asset_name: quick_start.sh
-          asset_content_type: application/text

  build-and-release:
    needs: create-realese
@@ -55,4 +43,4 @@ jobs:
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
-          upload_url: ${{ needs.create-realese.outputs.upload_url }}
+          upload_url: ${{ needs.create-realese.outputs.upload_url }}
--- a/.github/workflows/sync-gitee.yml
+++ b/.github/workflows/sync-gitee.yml
@@ -1,23 +0,0 @@
-name: 🔀 Sync mirror to Gitee
-
-on:
-  push:
-    branches:
-      - master
-      - dev
-  create:
-
-jobs:
-  mirror:
-    runs-on: ubuntu-latest
-    if: github.repository == 'jumpserver/jumpserver'
-    steps:
-      - name: mirror
-        continue-on-error: true
-        if: github.event_name == 'push' || (github.event_name == 'create' && github.event.ref_type == 'tag')
-        uses: wearerequired/git-mirror-action@v1
-        env:
-          SSH_PRIVATE_KEY: ${{ secrets.GITEE_SSH_PRIVATE_KEY }}
-        with:
-          source-repo: 'git@github.com:jumpserver/jumpserver.git'
-          destination-repo: 'git@gitee.com:jumpserver/jumpserver.git'
--- a/.gitignore
+++ b/.gitignore
@@ -31,14 +31,12 @@ media
 celerybeat.pid
 django.db
 celerybeat-schedule.db
+data/static
 docs/_build/
 xpack
-xpack.bak
 logs/*
 ### Vagrant ###
 .vagrant/
 release/*
 releashe
 /apps/script.py
-data/*
-
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@@ -1,129 +0,0 @@
-# Contributor Covenant Code of Conduct
-
-## Our Pledge
-
-We as members, contributors, and leaders pledge to make participation in our
-community a harassment-free experience for everyone, regardless of age, body
-size, visible or invisible disability, ethnicity, sex characteristics, gender
-identity and expression, level of experience, education, socio-economic status,
-nationality, personal appearance, race, religion, or sexual identity
-and orientation.
-
-We pledge to act and interact in ways that contribute to an open, welcoming,
-diverse, inclusive, and healthy community.
-
-## Our Standards
-
-Examples of behavior that contributes to a positive environment for our
-community include:
-
-* Demonstrating empathy and kindness toward other people
-* Being respectful of differing opinions, viewpoints, and experiences
-* Giving and gracefully accepting constructive feedback
-* Accepting responsibility and apologizing to those affected by our mistakes,
-  and learning from the experience
-* Focusing on what is best not just for us as individuals, but for the
-  overall community
-
-Examples of unacceptable behavior include:
-
-* The use of sexualized language or imagery, and sexual attention or
-  advances of any kind
-* Trolling, insulting or derogatory comments, and personal or political attacks
-* Public or private harassment
-* Publishing others' private information, such as a physical or email
-  address, without their explicit permission
-* Other conduct which could reasonably be considered inappropriate in a
-  professional setting
-
-## Enforcement Responsibilities
-
-Community leaders are responsible for clarifying and enforcing our standards of
-acceptable behavior and will take appropriate and fair corrective action in
-response to any behavior that they deem inappropriate, threatening, offensive,
-or harmful.
-
-Community leaders have the right and responsibility to remove, edit, or reject
-comments, commits, code, wiki edits, issues, and other contributions that are
-not aligned to this Code of Conduct, and will communicate reasons for moderation
-decisions when appropriate.
-
-## Scope
-
-This Code of Conduct applies within all community spaces, and also applies when
-an individual is officially representing the community in public spaces.
-Examples of representing our community include using an official e-mail address,
-posting via an official social media account, or acting as an appointed
-representative at an online or offline event.
-
-## Enforcement
-
-Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported to the community leaders responsible for enforcement at
-.
-All complaints will be reviewed and investigated promptly and fairly.
-
-All community leaders are obligated to respect the privacy and security of the
-reporter of any incident.
-
-## Enforcement Guidelines
-
-Community leaders will follow these Community Impact Guidelines in determining
-the consequences for any action they deem in violation of this Code of Conduct:
-
-### 1. Correction
-
-**Community Impact**: Use of inappropriate language or other behavior deemed
-unprofessional or unwelcome in the community.
-
-**Consequence**: A private, written warning from community leaders, providing
-clarity around the nature of the violation and an explanation of why the
-behavior was inappropriate. A public apology may be requested.
-
-### 2. Warning
-
-**Community Impact**: A violation through a single incident or series
-of actions.
-
-**Consequence**: A warning with consequences for continued behavior. No
-interaction with the people involved, including unsolicited interaction with
-those enforcing the Code of Conduct, for a specified period of time. This
-includes avoiding interactions in community spaces as well as external channels
-like social media. Violating these terms may lead to a temporary or
-permanent ban.
-
-### 3. Temporary Ban
-
-**Community Impact**: A serious violation of community standards, including
-sustained inappropriate behavior.
-
-**Consequence**: A temporary ban from any sort of interaction or public
-communication with the community for a specified period of time. No public or
-private interaction with the people involved, including unsolicited interaction
-with those enforcing the Code of Conduct, is allowed during this period.
-Violating these terms may lead to a permanent ban.
-
-### 4. Permanent Ban
-
-**Community Impact**: Demonstrating a pattern of violation of community
-standards, including sustained inappropriate behavior,  harassment of an
-individual, or aggression toward or disparagement of classes of individuals.
-
-**Consequence**: A permanent ban from any sort of public interaction within
-the community.
-
-## Attribution
-
-This Code of Conduct is adapted from the [Contributor Covenant][homepage],
-version 2.0, available at
-https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
-
-Community Impact Guidelines were inspired by [Mozilla's code of conduct
-enforcement ladder](https://github.com/mozilla/diversity).
-
-[homepage]: https://www.contributor-covenant.org
-
-For answers to common questions about this code of conduct, see the FAQ at
-https://www.contributor-covenant.org/faq. Translations are available at
-https://www.contributor-covenant.org/translations.
-
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,26 +0,0 @@
-# Contributing
-
-## Create pull request
-PR are always welcome, even if they only contain small fixes like typos or a few lines of code. If there will be a significant effort, please document it as an issue and get a discussion going before starting to work on it.
-
-Please submit a PR broken down into small changes bit by bit. A PR consisting of a lot features and code changes may be hard to review. It is recommended to submit PRs in an incremental fashion.
-
-This [development guideline](https://docs.jumpserver.org/zh/master/dev/rest_api/) contains information about repository structure, how to setup development environment, how to run it, and more.
-
-Note: If you split your pull request to small changes, please make sure any of the changes goes to master will not break anything. Otherwise, it can not be merged until this feature complete.
-
-## Report issues
-It is a great way to contribute by reporting an issue. Well-written and complete bug reports are always welcome! Please open an issue and follow the template to fill in required information.
-
-Before opening any issue, please look up the existing issues to avoid submitting a duplication.
-If you find a match, you can "subscribe" to it to get notified on updates. If you have additional helpful information about the issue, please leave a comment.
-
-When reporting issues, always include:
-
-* Which version you are using.
-* Steps to reproduce the issue.
-* Snapshots or log files if needed
-
-Because the issues are open to the public, when submitting files, be sure to remove any sensitive information, e.g. user name, password, IP address, and company name. You can
-replace those parts with "REDACTED" or other strings like "****".
-
--- a/119
+++ b/119
@@ -1,6 +1,6 @@
-FROM python:3.8-slim as stage-build
-ARG TARGETARCH
-
+# 编译代码
+FROM python:3.8.6-slim as stage-build
+MAINTAINER JumpServer Team <ibuler@qq.com>
 ARG VERSION
 ENV VERSION=$VERSION

@@ -8,93 +8,48 @@ WORKDIR /opt/jumpserver
 ADD . .
 RUN cd utils && bash -ixeu build.sh

-FROM python:3.8-slim
-ARG TARGETARCH
-MAINTAINER JumpServer Team <ibuler@qq.com>
-
-ARG BUILD_DEPENDENCIES="              \
-        g++                           \
-        make                          \
-        pkg-config"
-
-ARG DEPENDENCIES="                    \
-        default-libmysqlclient-dev    \
-        freetds-dev                   \
-        libpq-dev                     \
-        libffi-dev                    \
-        libjpeg-dev                   \
-        libldap2-dev                  \
-        libsasl2-dev                  \
-        libxml2-dev                   \
-        libxmlsec1-dev                \
-        libxmlsec1-openssl            \
-        libaio-dev                    \
-        openssh-client                \
-        sshpass"
-
-ARG TOOLS="                           \
-        ca-certificates               \
-        curl                          \
-        default-mysql-client          \
-        iputils-ping                  \
-        locales                       \
-        procps                        \
-        redis-tools                   \
-        telnet                        \
-        vim                           \
-        unzip                         \
-        wget"
-
-RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=core \
-    sed -i 's@http://.*.debian.org@http://mirrors.ustc.edu.cn@g' /etc/apt/sources.list \
-    && rm -f /etc/apt/apt.conf.d/docker-clean \
-    && ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
-    && apt-get update \
-    && apt-get -y install --no-install-recommends ${BUILD_DEPENDENCIES} \
-    && apt-get -y install --no-install-recommends ${DEPENDENCIES} \
-    && apt-get -y install --no-install-recommends ${TOOLS} \
-    && mkdir -p /root/.ssh/ \
-    && echo "Host *\n\tStrictHostKeyChecking no\n\tUserKnownHostsFile /dev/null" > /root/.ssh/config \
-    && sed -i "s@# alias l@alias l@g" ~/.bashrc \
-    && echo "set mouse-=a" > ~/.vimrc \
-    && echo "no" | dpkg-reconfigure dash \
-    && echo "zh_CN.UTF-8" | dpkg-reconfigure locales \
-    && rm -rf /var/lib/apt/lists/*
-
-ARG ORACLE_LIB_MAJOR=19
-ARG ORACLE_LIB_MINOR=10
-ENV ORACLE_FILE="instantclient-basiclite-linux.${TARGETARCH:-amd64}-${ORACLE_LIB_MAJOR}.${ORACLE_LIB_MINOR}.0.0.0dbru.zip"
-
-RUN mkdir -p /opt/oracle/ \
-    && cd /opt/oracle/ \
-    && wget https://download.jumpserver.org/files/oracle/${ORACLE_FILE} \
-    && unzip instantclient-basiclite-linux.${TARGETARCH-amd64}-19.10.0.0.0dbru.zip \
-    && mv instantclient_${ORACLE_LIB_MAJOR}_${ORACLE_LIB_MINOR} instantclient \
-    && echo "/opt/oracle/instantclient" > /etc/ld.so.conf.d/oracle-instantclient.conf \
-    && ldconfig \
-    && rm -f ${ORACLE_FILE}
-
-WORKDIR /tmp/build
-COPY ./requirements ./requirements
-
+# 构建运行时环境
+FROM python:3.8.6-slim
 ARG PIP_MIRROR=https://pypi.douban.com/simple
 ENV PIP_MIRROR=$PIP_MIRROR
 ARG PIP_JMS_MIRROR=https://pypi.douban.com/simple
 ENV PIP_JMS_MIRROR=$PIP_JMS_MIRROR

-RUN --mount=type=cache,target=/root/.cache/pip \
-    set -ex \
-    && pip config set global.index-url ${PIP_MIRROR} \
-    && pip install --upgrade pip \
-    && pip install --upgrade setuptools wheel \
-    && pip install $(grep -E 'jms|jumpserver' requirements/requirements.txt) -i ${PIP_JMS_MIRROR} \
-    && pip install -r requirements/requirements.txt
+WORKDIR /opt/jumpserver
+
+COPY ./requirements/deb_requirements.txt ./requirements/deb_requirements.txt
+RUN sed -i 's/deb.debian.org/mirrors.aliyun.com/g' /etc/apt/sources.list \
+    && sed -i 's/security.debian.org/mirrors.aliyun.com/g' /etc/apt/sources.list \
+    && apt update \
+    && apt -y install telnet iproute2 redis-tools default-mysql-client vim wget curl locales procps \
+    && apt -y install $(cat requirements/deb_requirements.txt) \
+    && rm -rf /var/lib/apt/lists/* \
+    && localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8 \
+    && cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
+    && sed -i "s@# alias l@alias l@g" ~/.bashrc \
+    && echo "set mouse-=a" > ~/.vimrc
+
+COPY ./requirements/requirements.txt ./requirements/requirements.txt
+RUN pip install --upgrade pip==20.2.4 setuptools==49.6.0 wheel==0.34.2 -i ${PIP_MIRROR} \
+    && pip install --no-cache-dir $(grep -E 'jms|jumpserver' requirements/requirements.txt) -i ${PIP_JMS_MIRROR} \
+    && pip install --no-cache-dir -r requirements/requirements.txt -i ${PIP_MIRROR} \
+    && rm -rf ~/.cache/pip

 COPY --from=stage-build /opt/jumpserver/release/jumpserver /opt/jumpserver
-RUN echo > /opt/jumpserver/config.yml \
-    && rm -rf /tmp/build
+RUN mkdir -p /root/.ssh/ \
+    && echo "Host *\n\tStrictHostKeyChecking no\n\tUserKnownHostsFile /dev/null" > /root/.ssh/config \
+    && mv /bin/sh /bin/sh.bak  \
+    && ln -s /bin/bash /bin/sh
+
+RUN mkdir -p /opt/jumpserver/oracle/ \
+    && wget https://download.jumpserver.org/public/instantclient-basiclite-linux.x64-21.1.0.0.0.tar > /dev/null \
+    && tar xf instantclient-basiclite-linux.x64-21.1.0.0.0.tar -C /opt/jumpserver/oracle/ \
+    && echo "/opt/jumpserver/oracle/instantclient_21_1" > /etc/ld.so.conf.d/oracle-instantclient.conf \
+    && ldconfig \
+    && rm -f instantclient-basiclite-linux.x64-21.1.0.0.0.tar
+
+RUN echo > config.yml

-WORKDIR /opt/jumpserver
 VOLUME /opt/jumpserver/data
 VOLUME /opt/jumpserver/logs

--- a/Dockerfile.loong64
+++ b/Dockerfile.loong64
@@ -1,95 +0,0 @@
-FROM python:3.8-slim as stage-build
-ARG TARGETARCH
-
-ARG VERSION
-ENV VERSION=$VERSION
-
-WORKDIR /opt/jumpserver
-ADD . .
-RUN cd utils && bash -ixeu build.sh
-
-FROM python:3.8-slim
-ARG TARGETARCH
-MAINTAINER JumpServer Team <ibuler@qq.com>
-
-ARG BUILD_DEPENDENCIES="              \
-        g++                           \
-        make                          \
-        pkg-config"
-
-ARG DEPENDENCIES="                    \
-        default-libmysqlclient-dev    \
-        freetds-dev                   \
-        libpq-dev                     \
-        libffi-dev                    \
-        libjpeg-dev                   \
-        libldap2-dev                  \
-        libsasl2-dev                  \
-        libxml2-dev                   \
-        libxmlsec1-dev                \
-        libxmlsec1-openssl            \
-        libaio-dev                    \
-        openssh-client                \
-        sshpass"
-
-ARG TOOLS="                           \
-        ca-certificates               \
-        curl                          \
-        default-mysql-client          \
-        iputils-ping                  \
-        locales                       \
-        procps                        \
-        redis-tools                   \
-        telnet                        \
-        vim                           \
-        unzip                         \
-        wget"
-
-RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=core \
-    set -ex \
-    && ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
-    && apt-get update \
-    && apt-get -y install --no-install-recommends ${BUILD_DEPENDENCIES} \
-    && apt-get -y install --no-install-recommends ${DEPENDENCIES} \
-    && apt-get -y install --no-install-recommends ${TOOLS} \
-    && mkdir -p /root/.ssh/ \
-    && echo "Host *\n\tStrictHostKeyChecking no\n\tUserKnownHostsFile /dev/null" > /root/.ssh/config \
-    && sed -i "s@# alias l@alias l@g" ~/.bashrc \
-    && echo "set mouse-=a" > ~/.vimrc \
-    && echo "no" | dpkg-reconfigure dash \
-    && echo "zh_CN.UTF-8" | dpkg-reconfigure locales \
-    && rm -rf /var/lib/apt/lists/*
-
-WORKDIR /tmp/build
-COPY ./requirements ./requirements
-
-ARG PIP_MIRROR=https://pypi.douban.com/simple
-ENV PIP_MIRROR=$PIP_MIRROR
-ARG PIP_JMS_MIRROR=https://pypi.douban.com/simple
-ENV PIP_JMS_MIRROR=$PIP_JMS_MIRROR
-
-RUN --mount=type=cache,target=/root/.cache/pip \
-    set -ex \
-    && pip config set global.index-url ${PIP_MIRROR} \
-    && pip install --upgrade pip \
-    && pip install --upgrade setuptools wheel \
-    && pip install https://download.jumpserver.org/pypi/simple/cryptography/cryptography-36.0.1-cp38-cp38-linux_loongarch64.whl \
-    && pip install https://download.jumpserver.org/pypi/simple/greenlet/greenlet-1.1.2-cp38-cp38-linux_loongarch64.whl \
-    && pip install $(grep 'PyNaCl' requirements/requirements.txt) \
-    && GRPC_PYTHON_BUILD_SYSTEM_OPENSSL=true pip install grpcio \
-    && pip install $(grep -E 'jms|jumpserver' requirements/requirements.txt) -i ${PIP_JMS_MIRROR} \
-    && pip install -r requirements/requirements.txt
-
-COPY --from=stage-build /opt/jumpserver/release/jumpserver /opt/jumpserver
-RUN echo > /opt/jumpserver/config.yml \
-    && rm -rf /tmp/build
-
-WORKDIR /opt/jumpserver
-VOLUME /opt/jumpserver/data
-VOLUME /opt/jumpserver/logs
-
-ENV LANG=zh_CN.UTF-8
-
-EXPOSE 8070
-EXPOSE 8080
-ENTRYPOINT ["./entrypoint.sh"]
--- a/1
+++ b/1
@@ -1 +0,0 @@
-3f9a17347d8d6ac785054088f7113ab9a9c506cb
--- a/3
+++ b/3
@@ -671,5 +671,4 @@ into proprietary programs.  If your program is a subroutine library, you
 may consider it more useful to permit linking proprietary applications with
 the library.  If this is what you want to do, use the GNU Lesser General
 Public License instead of this License.  But first, please read
-<https://www.gnu.org/licenses/why-not-lgpl.html>.
-
+<https://www.gnu.org/licenses/why-not-lgpl.html>.
--- a/README.md
+++ b/README.md
@@ -1,13 +1,10 @@
-<p align="center">
-  <a href="https://jumpserver.org"><img src="https://download.jumpserver.org/images/jumpserver-logo.svg" alt="JumpServer" width="300" /></a>
-</p>
+<p align="center"><a href="https://jumpserver.org"><img src="https://download.jumpserver.org/images/jumpserver-logo.svg" alt="JumpServer" width="300" /></a></p>
 <h3 align="center">多云环境下更好用的堡垒机</h3>

 <p align="center">
  <a href="https://www.gnu.org/licenses/gpl-3.0.html"><img src="https://img.shields.io/github/license/jumpserver/jumpserver" alt="License: GPLv3"></a>
  <a href="https://shields.io/github/downloads/jumpserver/jumpserver/total"><img src="https://shields.io/github/downloads/jumpserver/jumpserver/total" alt=" release"></a>
  <a href="https://hub.docker.com/u/jumpserver"><img src="https://img.shields.io/docker/pulls/jumpserver/jms_all.svg" alt="Codacy"></a>
-  <a href="https://github.com/jumpserver/jumpserver/commits"><img alt="GitHub last commit" src="https://img.shields.io/github/last-commit/jumpserver/jumpserver.svg" /></a>
  <a href="https://github.com/jumpserver/jumpserver"><img src="https://img.shields.io/github/stars/jumpserver/jumpserver?color=%231890FF&style=flat-square" alt="Stars"></a>
 </p>

@@ -16,22 +13,24 @@



-JumpServer 是广受欢迎的开源堡垒机，是符合 4A 规范的专业运维安全审计系统。
+JumpServer 是全球首款开源的堡垒机，使用 GPLv3 开源协议，是符合 4A 规范的运维安全审计系统。

-JumpServer 使用 Python 开发，配备了业界领先的 Web Terminal 方案，交互界面美观、用户体验好。
+JumpServer 使用 Python 开发，遵循 Web 2.0 规范，配备了业界领先的 Web Terminal 方案，交互界面美观、用户体验好。

 JumpServer 采纳分布式架构，支持多机房跨区域部署，支持横向扩展，无资产数量及并发限制。

+改变世界，从一点点开始 ...

+> 如需进一步了解 JumpServer 开源项目，推荐阅读 [JumpServer 的初心和使命](https://mp.weixin.qq.com/s/S6q_2rP_9MwaVwyqLQnXzA)

 ### 特色优势

 - 开源: 零门槛，线上快速获取和安装；
 - 分布式: 轻松支持大规模并发访问；
 - 无插件: 仅需浏览器，极致的 Web Terminal 使用体验；
- 多租户: 一套系统，多个子公司或部门同时使用；
 - 多云支持: 一套系统，同时管理不同云上面的资产；
 - 云端存储: 审计录像云端存储，永不丢失；
+- 多租户: 一套系统，多个子公司和部门同时使用；
 - 多应用支持: 数据库，Windows远程应用，Kubernetes。

 ### UI 展示
@@ -56,15 +55,12 @@ JumpServer 采纳分布式架构，支持多机房跨区域部署，支持横向
 - [手动安装](https://github.com/jumpserver/installer)

 ### 组件项目
-| 项目                                                                          |  状态          | 描述                                     |
-| ---------------------------------------------------------------------------  |  -------------------   | ---------------------------------------- |
-| [Lina](https://github.com/jumpserver/lina) | <a href="https://github.com/jumpserver/lina/releases"><img alt="Lina release" src="https://img.shields.io/github/release/jumpserver/lina.svg" /></a> | JumpServer Web UI 项目 |
-| [Luna](https://github.com/jumpserver/luna) | <a href="https://github.com/jumpserver/luna/releases"><img alt="Luna release" src="https://img.shields.io/github/release/jumpserver/luna.svg" /></a> | JumpServer Web Terminal 项目 |
-| [KoKo](https://github.com/jumpserver/koko) | <a href="https://github.com/jumpserver/koko/releases"><img alt="Koko release" src="https://img.shields.io/github/release/jumpserver/koko.svg" /></a> | JumpServer 字符协议 Connector 项目，替代原来 Python 版本的 [Coco](https://github.com/jumpserver/coco) |
-| [Lion](https://github.com/jumpserver/lion-release) | <a href="https://github.com/jumpserver/lion-release/releases"><img alt="Lion release" src="https://img.shields.io/github/release/jumpserver/lion-release.svg" /></a>  | JumpServer 图形协议 Connector 项目，依赖 [Apache Guacamole](https://guacamole.apache.org/) |
-| [Magnus](https://github.com/jumpserver/magnus-release) | <a href="https://github.com/jumpserver/magnus-release/releases"><img alt="Magnus release" src="https://img.shields.io/github/release/jumpserver/magnus-release.svg" /> | JumpServer 数据库代理 Connector 项目 |
-| [Clients](https://github.com/jumpserver/clients) | <a href="https://github.com/jumpserver/clients/releases"><img alt="Clients release" src="https://img.shields.io/github/release/jumpserver/clients.svg" /> | JumpServer 客户端 项目 |
-| [Installer](https://github.com/jumpserver/installer)| <a href="https://github.com/jumpserver/installer/releases"><img alt="Installer release" src="https://img.shields.io/github/release/jumpserver/installer.svg" /> | JumpServer 安装包 项目 |
+- [Lina](https://github.com/jumpserver/lina) JumpServer Web UI 项目
+- [Luna](https://github.com/jumpserver/luna) JumpServer Web Terminal 项目
+- [KoKo](https://github.com/jumpserver/koko) JumpServer 字符协议 Connector 项目，替代原来 Python 版本的 [Coco](https://github.com/jumpserver/coco)
+- [Lion](https://github.com/jumpserver/lion-release) JumpServer 图形协议 Connector 项目，依赖 [Apache Guacamole](https://guacamole.apache.org/)
+- [Clients](https://github.com/jumpserver/clients) JumpServer 客户端 项目
+- [Installer](https://github.com/jumpserver/installer) JumpServer 安装包 项目

 ### 社区

@@ -79,13 +75,27 @@ JumpServer 采纳分布式架构，支持多机房跨区域部署，支持横向

 感谢以下贡献者，让 JumpServer 更加完善

-<a href="https://github.com/jumpserver/jumpserver/graphs/contributors"><img src="https://opencollective.com/jumpserver/contributors.svg?width=890&button=false" /></a>
+<a href="https://github.com/jumpserver/jumpserver/graphs/contributors">
+  <img src="https://contrib.rocks/image?repo=jumpserver/jumpserver" />
+</a>
+
+<a href="https://github.com/jumpserver/koko/graphs/contributors">
+  <img src="https://contrib.rocks/image?repo=jumpserver/koko" />
+</a>
+
+<a href="https://github.com/jumpserver/lina/graphs/contributors">
+  <img src="https://contrib.rocks/image?repo=jumpserver/lina" />
+</a>
+
+<a href="https://github.com/jumpserver/luna/graphs/contributors">
+  <img src="https://contrib.rocks/image?repo=jumpserver/luna" />
+</a>



 ### 致谢
- [Apache Guacamole](https://guacamole.apache.org/) Web页面连接 RDP, SSH, VNC 协议设备，JumpServer 图形化组件 Lion 依赖 
- [OmniDB](https://omnidb.org/) Web 页面连接使用数据库，JumpServer Web 数据库依赖
+- [Apache Guacamole](https://guacamole.apache.org/) Web页面连接 RDP, SSH, VNC协议设备，JumpServer 图形化组件 Lion 依赖 
+- [OmniDB](https://omnidb.org/) Web页面连接使用数据库，JumpServer Web数据库依赖


 ### JumpServer 企业版 
@@ -93,18 +103,14 @@ JumpServer 采纳分布式架构，支持多机房跨区域部署，支持横向

 ### 案例研究

- [腾讯海外游戏：基于JumpServer构建游戏安全运营能力](https://blog.fit2cloud.com/?p=3704)
- [万华化学：通过JumpServer管理全球化分布式IT资产，并且实现与云管平台的联动](https://blog.fit2cloud.com/?p=3504)
- [雪花啤酒：JumpServer堡垒机使用体会](https://blog.fit2cloud.com/?p=3412)
- [顺丰科技：JumpServer 堡垒机护航顺丰科技超大规模资产安全运维](https://blog.fit2cloud.com/?p=1147)
- [沐瞳游戏：通过JumpServer管控多项目分布式资产](https://blog.fit2cloud.com/?p=3213)
- [携程：JumpServer 堡垒机部署与运营实战](https://blog.fit2cloud.com/?p=851)
- [大智慧：JumpServer 堡垒机让“大智慧”的混合 IT 运维更智慧](https://blog.fit2cloud.com/?p=882)
- [小红书：JumpServer 堡垒机大规模资产跨版本迁移之路](https://blog.fit2cloud.com/?p=516)
- [中手游：JumpServer堡垒机助力中手游提升多云环境下安全运维能力](https://blog.fit2cloud.com/?p=732)
- [中通快递：JumpServer主机安全运维实践](https://blog.fit2cloud.com/?p=708)
- [东方明珠：JumpServer高效管控异构化、分布式云端资产](https://blog.fit2cloud.com/?p=687)
- [江苏农信：JumpServer堡垒机助力行业云安全运维](https://blog.fit2cloud.com/?p=666)
+- [JumpServer 堡垒机护航顺丰科技超大规模资产安全运维](https://blog.fit2cloud.com/?p=1147)；
+- [JumpServer 堡垒机让“大智慧”的混合 IT 运维更智慧](https://blog.fit2cloud.com/?p=882)；
+- [携程 JumpServer 堡垒机部署与运营实战](https://blog.fit2cloud.com/?p=851)；
+- [小红书的JumpServer堡垒机大规模资产跨版本迁移之路](https://blog.fit2cloud.com/?p=516)；
+- [JumpServer堡垒机助力中手游提升多云环境下安全运维能力](https://blog.fit2cloud.com/?p=732)；
+- [中通快递：JumpServer主机安全运维实践](https://blog.fit2cloud.com/?p=708)；
+- [东方明珠：JumpServer高效管控异构化、分布式云端资产](https://blog.fit2cloud.com/?p=687)；
+- [江苏农信：JumpServer堡垒机助力行业云安全运维](https://blog.fit2cloud.com/?p=666)。

 ### 安全说明

@@ -118,10 +124,11 @@ JumpServer是一款安全产品，请参考 [基本安全建议](https://docs.ju

 ### License & Copyright

-Copyright (c) 2014-2022 飞致云 FIT2CLOUD, All rights reserved.
+Copyright (c) 2014-2021 飞致云 FIT2CLOUD, All rights reserved.

 Licensed under The GNU General Public License version 3 (GPLv3)  (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

 https://www.gnu.org/licenses/gpl-3.0.html

 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
+
--- a/README_EN.md
+++ b/README_EN.md
@@ -85,10 +85,11 @@ If you find a security problem, please contact us directly：
 - 400-052-0755

 ### License & Copyright
-Copyright (c) 2014-2022 FIT2CLOUD Tech, Inc., All rights reserved.
+Copyright (c) 2014-2021 FIT2CLOUD Tech, Inc., All rights reserved.

 Licensed under The GNU General Public License version 3 (GPLv3)  (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

 https://www.gnu.org/licenses/gpl-3.0.htmll

 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
+
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -7,15 +7,3 @@ JumpServer 是一款正在成长的安全产品， 请参考 [基本安全建议
 - ibuler@fit2cloud.com
 - support@fit2cloud.com
 - 400-052-0755
-
-
-# Security Policy
-JumpServer is a security product, The installation and development should follow our security tips.
-
-## Reporting a Vulnerability
-All security bugs should be reported to the contact as below:
-
- ibuler@fit2cloud.com
- support@fit2cloud.com
- 400-052-0755
-
--- a/56
+++ b/56
@@ -0,0 +1,56 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+Vagrant.configure("2") do |config|
+  # The most common configuration options are documented and commented below.
+  # For a complete reference, please see the online documentation at
+  # https://docs.vagrantup.com.
+
+  # Every Vagrant development environment requires a box. You can search for
+  # boxes at https://vagrantcloud.com/search.
+  config.vm.box_check_update = false
+  config.vm.box = "centos/7"
+  config.vm.hostname = "jumpserver"
+  config.vm.network "private_network", ip: "172.17.8.101"
+  config.vm.provider "virtualbox" do |vb|
+    vb.memory = "4096"
+    vb.cpus = 2
+    vb.name = "jumpserver"
+  end
+
+  config.vm.synced_folder ".", "/vagrant", type: "rsync",
+    rsync__verbose: true,
+    rsync__exclude: ['.git*', 'node_modules*','*.log','*.box','Vagrantfile']
+
+  config.vm.provision "shell", inline: <<-SHELL
+## 设置yum的阿里云源
+sudo curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
+sudo sed -i -e '/mirrors.cloud.aliyuncs.com/d' -e '/mirrors.aliyuncs.com/d' /etc/yum.repos.d/CentOS-Base.repo
+sudo curl -o /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
+sudo yum makecache
+
+## 安装依赖包
+sudo yum install -y python36 python36-devel python36-pip \
+		 libtiff-devel libjpeg-devel libzip-devel freetype-devel \
+     lcms2-devel libwebp-devel tcl-devel tk-devel sshpass \
+     openldap-devel mariadb-devel mysql-devel libffi-devel \
+     openssh-clients telnet openldap-clients gcc
+
+## 配置pip阿里云源
+mkdir /home/vagrant/.pip
+cat << EOF | sudo tee -a /home/vagrant/.pip/pip.conf
+[global]
+timeout = 6000
+index-url = https://mirrors.aliyun.com/pypi/simple/
+
+[install]
+use-mirrors = true
+mirrors = https://mirrors.aliyun.com/pypi/simple/
+trusted-host=mirrors.aliyun.com
+EOF
+
+python3.6 -m venv /home/vagrant/venv
+source /home/vagrant/venv/bin/activate
+echo 'source /home/vagrant/venv/bin/activate' >> /home/vagrant/.bash_profile
+  SHELL
+end
--- a/apps/acls/api/login_acl.py
+++ b/apps/acls/api/login_acl.py
@@ -1,14 +1,20 @@
+from common.permissions import IsOrgAdmin, HasQueryParamsUserAndIsCurrentOrgMember
 from common.drf.api import JMSBulkModelViewSet
 from ..models import LoginACL
 from .. import serializers
 from ..filters import LoginAclFilter

-__all__ = ['LoginACLViewSet']
+__all__ = ['LoginACLViewSet', ]


 class LoginACLViewSet(JMSBulkModelViewSet):
    queryset = LoginACL.objects.all()
    filterset_class = LoginAclFilter
    search_fields = ('name',)
+    permission_classes = (IsOrgAdmin,)
    serializer_class = serializers.LoginACLSerializer

+    def get_permissions(self):
+        if self.action in ["retrieve", "list"]:
+            self.permission_classes = (IsOrgAdmin, HasQueryParamsUserAndIsCurrentOrgMember)
+        return super().get_permissions()
--- a/apps/acls/api/login_asset_acl.py
+++ b/apps/acls/api/login_asset_acl.py
@@ -1,4 +1,5 @@
 from orgs.mixins.api import OrgBulkModelViewSet
+from common.permissions import IsOrgAdmin
 from .. import models, serializers


@@ -9,4 +10,5 @@ class LoginAssetACLViewSet(OrgBulkModelViewSet):
    model = models.LoginAssetACL
    filterset_fields = ('name', )
    search_fields = filterset_fields
+    permission_classes = (IsOrgAdmin, )
    serializer_class = serializers.LoginAssetACLSerializer
--- a/apps/acls/api/login_asset_check.py
+++ b/apps/acls/api/login_asset_check.py
@@ -1,23 +1,19 @@
 from rest_framework.response import Response
 from rest_framework.generics import CreateAPIView

+from common.permissions import IsAppUser
 from common.utils import reverse, lazyproperty
 from orgs.utils import tmp_to_org
+from tickets.api import GenericTicketStatusRetrieveCloseAPI
 from ..models import LoginAssetACL
 from .. import serializers

-__all__ = ['LoginAssetCheckAPI']
+__all__ = ['LoginAssetCheckAPI', 'LoginAssetConfirmStatusAPI']


 class LoginAssetCheckAPI(CreateAPIView):
+    permission_classes = (IsAppUser,)
    serializer_class = serializers.LoginAssetCheckSerializer
-    model = LoginAssetACL
-    rbac_perms = {
-        'POST': 'tickets.add_superticket'
-    }
-
-    def get_queryset(self):
-        return LoginAssetACL.objects.all()

    def create(self, request, *args, **kwargs):
        is_need_confirm, response_data = self.check_if_need_confirm()
@@ -47,10 +43,10 @@ class LoginAssetCheckAPI(CreateAPIView):
            asset=self.serializer.asset,
            system_user=self.serializer.system_user,
            assignees=acl.reviewers.all(),
-            org_id=self.serializer.org.id,
+            org_id=self.serializer.org.id
        )
        confirm_status_url = reverse(
-            view_name='api-tickets:super-ticket-status',
+            view_name='api-acls:login-asset-confirm-status',
            kwargs={'pk': str(ticket.id)}
        )
        ticket_detail_url = reverse(
@@ -59,13 +55,12 @@ class LoginAssetCheckAPI(CreateAPIView):
            external=True, api_to_ui=True
        )
        ticket_detail_url = '{url}?type={type}'.format(url=ticket_detail_url, type=ticket.type)
-        ticket_assignees = ticket.current_step.ticket_assignees.all()
+        ticket_assignees = ticket.current_node.first().ticket_assignees.all()
        data = {
            'check_confirm_status': {'method': 'GET', 'url': confirm_status_url},
            'close_confirm': {'method': 'DELETE', 'url': confirm_status_url},
            'ticket_detail_url': ticket_detail_url,
-            'reviewers': [str(ticket_assignee.assignee) for ticket_assignee in ticket_assignees],
-            'ticket_id': str(ticket.id)
+            'reviewers': [str(ticket_assignee.assignee) for ticket_assignee in ticket_assignees]
        }
        return data

@@ -75,3 +70,6 @@ class LoginAssetCheckAPI(CreateAPIView):
        serializer.is_valid(raise_exception=True)
        return serializer

+
+class LoginAssetConfirmStatusAPI(GenericTicketStatusRetrieveCloseAPI):
+    pass
--- a/apps/acls/apps.py
+++ b/apps/acls/apps.py
@@ -1,7 +1,5 @@
 from django.apps import AppConfig
-from django.utils.translation import ugettext_lazy as _


 class AclsConfig(AppConfig):
    name = 'acls'
-    verbose_name = _('Acls')
--- a/apps/acls/migrations/0003_auto_20211130_1037.py
+++ b/apps/acls/migrations/0003_auto_20211130_1037.py
@@ -1,21 +0,0 @@
-# Generated by Django 3.1.13 on 2021-11-30 02:37
-
-from django.db import migrations
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('acls', '0002_auto_20210926_1047'),
-    ]
-
-    operations = [
-        migrations.AlterModelOptions(
-            name='loginacl',
-            options={'ordering': ('priority', '-date_updated', 'name'), 'verbose_name': 'Login acl'},
-        ),
-        migrations.AlterModelOptions(
-            name='loginassetacl',
-            options={'ordering': ('priority', '-date_updated', 'name'), 'verbose_name': 'Login asset acl'},
-        ),
-    ]
--- a/apps/acls/models/login_acl.py
+++ b/apps/acls/models/login_acl.py
@@ -44,49 +44,85 @@ class LoginACL(BaseACL):
    def __str__(self):
        return self.name

-    def is_action(self, action):
-        return self.action == action
+    @property
+    def action_reject(self):
+        return self.action == self.ActionChoices.reject
+
+    @property
+    def action_allow(self):
+        return self.action == self.ActionChoices.allow

    @classmethod
    def filter_acl(cls, user):
        return user.login_acls.all().valid().distinct()

    @staticmethod
-    def match(user, ip):
-        acls = LoginACL.filter_acl(user)
-        if not acls:
-            return
+    def allow_user_confirm_if_need(user, ip):
+        acl = LoginACL.filter_acl(user).filter(
+            action=LoginACL.ActionChoices.confirm
+        ).first()
+        acl = acl if acl and acl.reviewers.exists() else None
+        if not acl:
+            return False, acl
+        ip_group = acl.rules.get('ip_group')
+        time_periods = acl.rules.get('time_period')
+        is_contain_ip = contains_ip(ip, ip_group)
+        is_contain_time_period = contains_time_period(time_periods)
+        return is_contain_ip and is_contain_time_period, acl

-        for acl in acls:
-            if acl.is_action(LoginACL.ActionChoices.confirm) and not acl.reviewers.exists():
-                continue
-            ip_group = acl.rules.get('ip_group')
-            time_periods = acl.rules.get('time_period')
-            is_contain_ip = contains_ip(ip, ip_group)
-            is_contain_time_period = contains_time_period(time_periods)
-            if is_contain_ip and is_contain_time_period:
-                # 满足条件，则返回
-                return acl
+    @staticmethod
+    def allow_user_to_login(user, ip):
+        acl = LoginACL.filter_acl(user).exclude(
+            action=LoginACL.ActionChoices.confirm
+        ).first()
+        if not acl:
+            return True, ''
+        ip_group = acl.rules.get('ip_group')
+        time_periods = acl.rules.get('time_period')
+        is_contain_ip = contains_ip(ip, ip_group)
+        is_contain_time_period = contains_time_period(time_periods)

-    def create_confirm_ticket(self, request):
-        from tickets import const
-        from tickets.models import ApplyLoginTicket
-        from orgs.models import Organization
-        title = _('Login confirm') + ' {}'.format(self.user)
+        reject_type = ''
+        if is_contain_ip and is_contain_time_period:
+            # 满足条件
+            allow = acl.action_allow
+            if not allow:
+                reject_type = 'ip' if is_contain_ip else 'time'
+        else:
+            # 不满足条件
+            # 如果acl本身允许，那就拒绝；如果本身拒绝，那就允许
+            allow = not acl.action_allow
+            if not allow:
+                reject_type = 'ip' if not is_contain_ip else 'time'
+
+        return allow, reject_type
+
+    @staticmethod
+    def construct_confirm_ticket_meta(request=None):
        login_ip = get_request_ip(request) if request else ''
        login_ip = login_ip or '0.0.0.0'
        login_city = get_ip_city(login_ip)
        login_datetime = local_now_display()
-        data = {
-            'title': title,
-            'type': const.TicketType.login_confirm,
-            'applicant': self.user,
-            'apply_login_city': login_city,
+        ticket_meta = {
            'apply_login_ip': login_ip,
+            'apply_login_city': login_city,
            'apply_login_datetime': login_datetime,
+        }
+        return ticket_meta
+
+    def create_confirm_ticket(self, request=None):
+        from tickets import const
+        from tickets.models import Ticket
+        from orgs.models import Organization
+        ticket_title = _('Login confirm') + ' {}'.format(self.user)
+        ticket_meta = self.construct_confirm_ticket_meta(request)
+        data = {
+            'title': ticket_title,
+            'type': const.TicketType.login_confirm.value,
+            'meta': ticket_meta,
            'org_id': Organization.ROOT_ID,
        }
-        ticket = ApplyLoginTicket.objects.create(**data)
-        assignees = self.reviewers.all()
-        ticket.open_by_system(assignees)
+        ticket = Ticket.objects.create(**data)
+        ticket.create_process_map_and_node(self.reviewers.all())
+        ticket.open(self.user)
        return ticket
--- a/apps/acls/models/login_asset_acl.py
+++ b/apps/acls/models/login_asset_acl.py
@@ -85,18 +85,19 @@ class LoginAssetACL(BaseACL, OrgModelMixin):
    @classmethod
    def create_login_asset_confirm_ticket(cls, user, asset, system_user, assignees, org_id):
        from tickets.const import TicketType
-        from tickets.models import ApplyLoginAssetTicket
-        title = _('Login asset confirm') + ' ({})'.format(user)
+        from tickets.models import Ticket
        data = {
-            'title': title,
+            'title': _('Login asset confirm') + ' ({})'.format(user),
            'type': TicketType.login_asset_confirm,
-            'applicant': user,
-            'apply_login_user': user,
-            'apply_login_asset': asset,
-            'apply_login_system_user': system_user,
+            'meta': {
+                'apply_login_user': str(user),
+                'apply_login_asset': str(asset),
+                'apply_login_system_user': str(system_user),
+            },
            'org_id': org_id,
        }
-        ticket = ApplyLoginAssetTicket.objects.create(**data)
-        ticket.open_by_system(assignees)
+        ticket = Ticket.objects.create(**data)
+        ticket.create_process_map_and_node(assignees)
+        ticket.open(applicant=user)
        return ticket

--- a/apps/acls/serializers/login_acl.py
+++ b/apps/acls/serializers/login_acl.py
@@ -1,4 +1,4 @@
-from django.utils.translation import ugettext_lazy as _
+from django.utils.translation import ugettext as _
 from rest_framework import serializers
 from common.drf.serializers import BulkModelSerializer
 from common.drf.serializers import MethodSerializer
--- a/apps/acls/urls/api_urls.py
+++ b/apps/acls/urls/api_urls.py
@@ -12,6 +12,7 @@ router.register(r'login-asset-acls', api.LoginAssetACLViewSet, 'login-asset-acl'

 urlpatterns = [
    path('login-asset/check/', api.LoginAssetCheckAPI.as_view(), name='login-asset-check'),
+    path('login-asset-confirm/<uuid:pk>/status/', api.LoginAssetConfirmStatusAPI.as_view(), name='login-asset-confirm-status')
 ]

 urlpatterns += router.urls
--- a/apps/applications/api/init.py
+++ b/apps/applications/api/init.py
@@ -1,3 +1,4 @@
 from .application import *
 from .account import *
+from .mixin import *
 from .remote_app import *
--- a/apps/applications/api/account.py
+++ b/apps/applications/api/account.py
@@ -2,16 +2,12 @@
 #

 from django_filters import rest_framework as filters
-from django.db.models import Q
+from django.db.models import F, Q

 from common.drf.filters import BaseFilterSet
 from common.drf.api import JMSBulkModelViewSet
-from common.mixins import RecordViewLogMixin
-from common.permissions import UserConfirmation
-from authentication.const import ConfirmType
-from rbac.permissions import RBACPermission
-from assets.models import SystemUser
 from ..models import Account
+from ..hands import IsOrgAdminOrAppUser, IsOrgAdmin, NeedMFAVerify
 from .. import serializers


@@ -35,8 +31,7 @@ class AccountFilterSet(BaseFilterSet):
        username = self.get_query_param('username')
        if not username:
            return qs
-        q = Q(username=username) | Q(systemuser__username=username)
-        qs = qs.filter(q).distinct()
+        qs = qs.filter(Q(username=username) | Q(systemuser__username=username)).distinct()
        return qs


@@ -46,21 +41,18 @@ class ApplicationAccountViewSet(JMSBulkModelViewSet):
    filterset_class = AccountFilterSet
    filterset_fields = ['username', 'app_display', 'type', 'category', 'app']
    serializer_class = serializers.AppAccountSerializer
+    permission_classes = (IsOrgAdmin,)

    def get_queryset(self):
-        queryset = Account.get_queryset()
+        queryset = Account.objects.all() \
+            .annotate(type=F('app__type')) \
+            .annotate(app_display=F('app__name')) \
+            .annotate(systemuser_display=F('systemuser__name')) \
+            .annotate(category=F('app__category'))
        return queryset


-class SystemUserAppRelationViewSet(ApplicationAccountViewSet):
-    perm_model = SystemUser
-
-
-class ApplicationAccountSecretViewSet(RecordViewLogMixin, ApplicationAccountViewSet):
+class ApplicationAccountSecretViewSet(ApplicationAccountViewSet):
    serializer_class = serializers.AppAccountSecretSerializer
-    permission_classes = [RBACPermission, UserConfirmation.require(ConfirmType.MFA)]
+    permission_classes = [IsOrgAdminOrAppUser, NeedMFAVerify]
    http_method_names = ['get', 'options']
-    rbac_perms = {
-        'retrieve': 'applications.view_applicationaccountsecret',
-        'list': 'applications.view_applicationaccountsecret',
-    }
--- a/apps/applications/api/application.py
+++ b/apps/applications/api/application.py
@@ -1,12 +1,13 @@
 # coding: utf-8
 #
+
 from orgs.mixins.api import OrgBulkModelViewSet
 from rest_framework.decorators import action
 from rest_framework.response import Response

-
 from common.tree import TreeNodeSerializer
 from common.mixins.api import SuggestionMixin
+from ..hands import IsOrgAdminOrAppUser
 from .. import serializers
 from ..models import Application

@@ -17,19 +18,16 @@ class ApplicationViewSet(SuggestionMixin, OrgBulkModelViewSet):
    model = Application
    filterset_fields = {
        'name': ['exact'],
-        'category': ['exact', 'in'],
+        'category': ['exact'],
        'type': ['exact', 'in'],
    }
    search_fields = ('name', 'type', 'category')
+    permission_classes = (IsOrgAdminOrAppUser,)
    serializer_classes = {
        'default': serializers.AppSerializer,
        'get_tree': TreeNodeSerializer,
        'suggestion': serializers.MiniAppSerializer
    }
-    rbac_perms = {
-        'get_tree': 'applications.view_application',
-        'match': 'applications.match_application'
-    }

    @action(methods=['GET'], detail=False, url_path='tree')
    def get_tree(self, request, *args, **kwargs):
--- a/apps/applications/api/mixin.py
+++ b/apps/applications/api/mixin.py
@@ -0,0 +1,55 @@
+from django.utils.translation import ugettext as _
+
+from common.tree import TreeNode
+from orgs.models import Organization
+from ..models import Application
+
+__all__ = ['SerializeApplicationToTreeNodeMixin']
+
+
+class SerializeApplicationToTreeNodeMixin:
+    @staticmethod
+    def filter_organizations(applications):
+        organization_ids = set(applications.values_list('org_id', flat=True))
+        organizations = [Organization.get_instance(org_id) for org_id in organization_ids]
+        organizations.sort(key=lambda x: x.name)
+        return organizations
+
+    @staticmethod
+    def create_root_node():
+        name = _('My applications')
+        node = TreeNode(**{
+            'id': 'applications',
+            'name': name,
+            'title': name,
+            'pId': '',
+            'open': True,
+            'isParent': True,
+            'meta': {
+                'type': 'root'
+            }
+        })
+        return node
+
+    def serialize_applications_with_org(self, applications):
+        if not applications:
+            return []
+        root_node = self.create_root_node()
+        tree_nodes = [root_node]
+        organizations = self.filter_organizations(applications)
+
+        for i, org in enumerate(organizations):
+            # 组织节点
+            org_node = org.as_tree_node(pid=root_node.id)
+            tree_nodes.append(org_node)
+            org_applications = applications.filter(org_id=org.id)
+            count = org_applications.count()
+            org_node.name += '({})'.format(count)
+
+            # 各应用节点
+            apps_nodes = Application.create_tree_nodes(
+                queryset=org_applications, root_node=org_node,
+                show_empty=False
+            )
+            tree_nodes += apps_nodes
+        return tree_nodes
--- a/apps/applications/api/remote_app.py
+++ b/apps/applications/api/remote_app.py
@@ -2,8 +2,10 @@
 #

 from orgs.mixins import generics
+from ..hands import IsAppUser
 from .. import models
 from ..serializers import RemoteAppConnectionInfoSerializer
+from ..permissions import IsRemoteApp


 __all__ = [
@@ -13,4 +15,5 @@ __all__ = [

 class RemoteAppConnectionInfoApi(generics.RetrieveAPIView):
    model = models.Application
+    permission_classes = (IsAppUser, IsRemoteApp)
    serializer_class = RemoteAppConnectionInfoSerializer
--- a/apps/applications/apps.py
+++ b/apps/applications/apps.py
@@ -1,13 +1,7 @@
 from __future__ import unicode_literals

-from django.utils.translation import ugettext_lazy as _
 from django.apps import AppConfig


 class ApplicationsConfig(AppConfig):
    name = 'applications'
-    verbose_name = _('Applications')
-
-    def ready(self):
-        from . import signal_handlers
-        super().ready()
--- a/apps/applications/const.py
+++ b/apps/applications/const.py
@@ -1,10 +1,10 @@
 #  coding: utf-8
 #
-from django.db import models
+from django.db.models import TextChoices
 from django.utils.translation import ugettext_lazy as _


-class AppCategory(models.TextChoices):
+class AppCategory(TextChoices):
    db = 'db', _('Database')
    remote_app = 'remote_app', _('Remote app')
    cloud = 'cloud', 'Cloud'
@@ -13,21 +13,14 @@ class AppCategory(models.TextChoices):
    def get_label(cls, category):
        return dict(cls.choices).get(category, '')

-    @classmethod
-    def is_xpack(cls, category):
-        return category in ['remote_app']

-
-class AppType(models.TextChoices):
+class AppType(TextChoices):
    # db category
    mysql = 'mysql', 'MySQL'
-    mariadb = 'mariadb', 'MariaDB'
    oracle = 'oracle', 'Oracle'
    pgsql = 'postgresql', 'PostgreSQL'
+    mariadb = 'mariadb', 'MariaDB'
    sqlserver = 'sqlserver', 'SQLServer'
-    redis = 'redis', 'Redis'
-    mongodb = 'mongodb', 'MongoDB'
-    clickhouse = 'clickhouse', 'ClickHouse'

    # remote-app category
    chrome = 'chrome', 'Chrome'
@@ -41,14 +34,8 @@ class AppType(models.TextChoices):
    @classmethod
    def category_types_mapper(cls):
        return {
-            AppCategory.db: [
-                cls.mysql, cls.mariadb, cls.oracle, cls.pgsql,
-                cls.sqlserver, cls.redis, cls.mongodb, cls.clickhouse
-            ],
-            AppCategory.remote_app: [
-                cls.chrome, cls.mysql_workbench,
-                cls.vmware_client, cls.custom
-            ],
+            AppCategory.db: [cls.mysql, cls.oracle, cls.pgsql, cls.mariadb, cls.sqlserver],
+            AppCategory.remote_app: [cls.chrome, cls.mysql_workbench, cls.vmware_client, cls.custom],
            AppCategory.cloud: [cls.k8s]
        }

@@ -76,11 +63,6 @@ class AppType(models.TextChoices):
    def cloud_types(cls):
        return [tp.value for tp in cls.category_types_mapper()[AppCategory.cloud]]

-    @classmethod
-    def is_xpack(cls, tp):
-        tp_category_mapper = cls.type_category_mapper()
-        category = tp_category_mapper[tp]

-        if AppCategory.is_xpack(category):
-            return True
-        return tp in ['oracle', 'postgresql', 'sqlserver', 'clickhouse']
+
+
--- a/apps/applications/hands.py
+++ b/apps/applications/hands.py
@@ -11,4 +11,5 @@
 """


+from common.permissions import IsAppUser, IsOrgAdmin, IsValidUser, IsOrgAdminOrAppUser, NeedMFAVerify
 from users.models import User, UserGroup
--- a/apps/applications/migrations/0001_initial.py
+++ b/apps/applications/migrations/0001_initial.py
@@ -1,6 +1,6 @@
 # Generated by Django 2.1.7 on 2019-05-20 11:04

-import common.db.fields
+import common.fields.model
 from django.db import migrations, models
 import django.db.models.deletion
 import uuid
@@ -23,7 +23,7 @@ class Migration(migrations.Migration):
                ('name', models.CharField(max_length=128, verbose_name='Name')),
                ('type', models.CharField(choices=[('Browser', (('chrome', 'Chrome'),)), ('Database tools', (('mysql_workbench', 'MySQL Workbench'),)), ('Virtualization tools', (('vmware_client', 'vSphere Client'),)), ('custom', 'Custom')], default='chrome', max_length=128, verbose_name='App type')),
                ('path', models.CharField(max_length=128, verbose_name='App path')),
-                ('params', common.db.fields.EncryptJsonDictTextField(blank=True, default={}, max_length=4096, null=True, verbose_name='Parameters')),
+                ('params', common.fields.model.EncryptJsonDictTextField(blank=True, default={}, max_length=4096, null=True, verbose_name='Parameters')),
                ('created_by', models.CharField(blank=True, max_length=32, null=True, verbose_name='Created by')),
                ('date_created', models.DateTimeField(auto_now_add=True, null=True, verbose_name='Date created')),
                ('comment', models.TextField(blank=True, default='', max_length=128, verbose_name='Comment')),
--- a/apps/applications/migrations/0010_appaccount_historicalappaccount.py
+++ b/apps/applications/migrations/0010_appaccount_historicalappaccount.py
@@ -1,7 +1,7 @@
 # Generated by Django 3.1.12 on 2021-08-26 09:07

 import assets.models.base
-import common.db.fields
+import common.fields.model
 from django.conf import settings
 import django.core.validators
 from django.db import migrations, models
@@ -26,9 +26,9 @@ class Migration(migrations.Migration):
                ('id', models.UUIDField(db_index=True, default=uuid.uuid4)),
                ('name', models.CharField(max_length=128, verbose_name='Name')),
                ('username', models.CharField(blank=True, db_index=True, max_length=128, validators=[django.core.validators.RegexValidator('^[0-9a-zA-Z_@\\-\\.]*$', 'Special char not allowed')], verbose_name='Username')),
-                ('password', common.db.fields.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password')),
-                ('private_key', common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='SSH private key')),
-                ('public_key', common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='SSH public key')),
+                ('password', common.fields.model.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password')),
+                ('private_key', common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH private key')),
+                ('public_key', common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH public key')),
                ('comment', models.TextField(blank=True, verbose_name='Comment')),
                ('date_created', models.DateTimeField(blank=True, editable=False, verbose_name='Date created')),
                ('date_updated', models.DateTimeField(blank=True, editable=False, verbose_name='Date updated')),
@@ -56,9 +56,9 @@ class Migration(migrations.Migration):
                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
                ('name', models.CharField(max_length=128, verbose_name='Name')),
                ('username', models.CharField(blank=True, db_index=True, max_length=128, validators=[django.core.validators.RegexValidator('^[0-9a-zA-Z_@\\-\\.]*$', 'Special char not allowed')], verbose_name='Username')),
-                ('password', common.db.fields.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password')),
-                ('private_key', common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='SSH private key')),
-                ('public_key', common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='SSH public key')),
+                ('password', common.fields.model.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password')),
+                ('private_key', common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH private key')),
+                ('public_key', common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH public key')),
                ('comment', models.TextField(blank=True, verbose_name='Comment')),
                ('date_created', models.DateTimeField(auto_now_add=True, verbose_name='Date created')),
                ('date_updated', models.DateTimeField(auto_now=True, verbose_name='Date updated')),
--- a/apps/applications/migrations/0015_auto_20220112_2035.py
+++ b/apps/applications/migrations/0015_auto_20220112_2035.py
@@ -1,18 +0,0 @@
-# Generated by Django 3.1.13 on 2022-01-12 12:35
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('applications', '0014_auto_20211105_1605'),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name='application',
-            name='type',
-            field=models.CharField(choices=[('mysql', 'MySQL'), ('redis', 'Redis'), ('oracle', 'Oracle'), ('postgresql', 'PostgreSQL'), ('mariadb', 'MariaDB'), ('sqlserver', 'SQLServer'), ('chrome', 'Chrome'), ('mysql_workbench', 'MySQL Workbench'), ('vmware_client', 'vSphere Client'), ('custom', 'Custom'), ('k8s', 'Kubernetes')], max_length=16, verbose_name='Type'),
-        ),
-    ]
--- a/apps/applications/migrations/0016_auto_20220118_1455.py
+++ b/apps/applications/migrations/0016_auto_20220118_1455.py
@@ -1,24 +0,0 @@
-# Generated by Django 3.1.13 on 2022-01-18 06:55
-
-from django.db import migrations, models
-import django.db.models.deletion
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('applications', '0015_auto_20220112_2035'),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name='account',
-            name='app',
-            field=models.ForeignKey(null=True, on_delete=django.db.models.deletion.CASCADE, to='applications.application', verbose_name='Application'),
-        ),
-        migrations.AlterField(
-            model_name='historicalaccount',
-            name='app',
-            field=models.ForeignKey(blank=True, db_constraint=False, null=True, on_delete=django.db.models.deletion.DO_NOTHING, related_name='+', to='applications.application', verbose_name='Application'),
-        ),
-    ]
--- a/apps/applications/migrations/0017_auto_20220217_2135.py
+++ b/apps/applications/migrations/0017_auto_20220217_2135.py
@@ -1,25 +0,0 @@
-# Generated by Django 3.1.13 on 2022-02-17 13:35
-
-from django.db import migrations
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('applications', '0016_auto_20220118_1455'),
-    ]
-
-    operations = [
-        migrations.AlterModelOptions(
-            name='account',
-            options={'permissions': [('view_applicationaccountsecret', 'Can view application account secret'), ('change_appplicationaccountsecret', 'Can change application account secret')], 'verbose_name': 'Application account'},
-        ),
-        migrations.AlterModelOptions(
-            name='applicationuser',
-            options={'verbose_name': 'Application user'},
-        ),
-        migrations.AlterModelOptions(
-            name='historicalaccount',
-            options={'get_latest_by': 'history_date', 'ordering': ('-history_date', '-history_id'), 'verbose_name': 'historical Application account'},
-        ),
-    ]
--- a/apps/applications/migrations/0018_auto_20220223_1539.py
+++ b/apps/applications/migrations/0018_auto_20220223_1539.py
@@ -1,18 +0,0 @@
-# Generated by Django 3.1.13 on 2022-02-23 07:39
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('applications', '0017_auto_20220217_2135'),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name='application',
-            name='type',
-            field=models.CharField(choices=[('mysql', 'MySQL'), ('oracle', 'Oracle'), ('postgresql', 'PostgreSQL'), ('mariadb', 'MariaDB'), ('sqlserver', 'SQLServer'), ('redis', 'Redis'), ('mongodb', 'MongoDB'), ('chrome', 'Chrome'), ('mysql_workbench', 'MySQL Workbench'), ('vmware_client', 'vSphere Client'), ('custom', 'Custom'), ('k8s', 'Kubernetes')], max_length=16, verbose_name='Type'),
-        ),
-    ]
--- a/apps/applications/migrations/0019_auto_20220310_1853.py
+++ b/apps/applications/migrations/0019_auto_20220310_1853.py
@@ -1,17 +0,0 @@
-# Generated by Django 3.1.14 on 2022-03-10 10:53
-
-from django.db import migrations
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('applications', '0018_auto_20220223_1539'),
-    ]
-
-    operations = [
-        migrations.AlterModelOptions(
-            name='application',
-            options={'ordering': ('name',), 'permissions': [('match_application', 'Can match application')], 'verbose_name': 'Application'},
-        ),
-    ]
--- a/apps/applications/migrations/0020_auto_20220316_2028.py
+++ b/apps/applications/migrations/0020_auto_20220316_2028.py
@@ -1,18 +0,0 @@
-# Generated by Django 3.1.14 on 2022-03-16 12:28
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('applications', '0019_auto_20220310_1853'),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name='application',
-            name='type',
-            field=models.CharField(choices=[('mysql', 'MySQL'), ('mariadb', 'MariaDB'), ('oracle', 'Oracle'), ('postgresql', 'PostgreSQL'), ('sqlserver', 'SQLServer'), ('redis', 'Redis'), ('mongodb', 'MongoDB'), ('chrome', 'Chrome'), ('mysql_workbench', 'MySQL Workbench'), ('vmware_client', 'vSphere Client'), ('custom', 'Custom'), ('k8s', 'Kubernetes')], max_length=16, verbose_name='Type'),
-        ),
-    ]
--- a/apps/applications/migrations/0021_auto_20220629_1826.py
+++ b/apps/applications/migrations/0021_auto_20220629_1826.py
@@ -1,22 +0,0 @@
-# Generated by Django 3.1.14 on 2022-06-29 10:26
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('applications', '0020_auto_20220316_2028'),
-    ]
-
-    operations = [
-        migrations.AlterModelOptions(
-            name='historicalaccount',
-            options={'get_latest_by': ('history_date', 'history_id'), 'ordering': ('-history_date', '-history_id'), 'verbose_name': 'historical Application account', 'verbose_name_plural': 'historical Application accounts'},
-        ),
-        migrations.AlterField(
-            model_name='historicalaccount',
-            name='history_date',
-            field=models.DateTimeField(db_index=True),
-        ),
-    ]
--- a/apps/applications/migrations/0022_auto_20220714_1046.py
+++ b/apps/applications/migrations/0022_auto_20220714_1046.py
@@ -1,23 +0,0 @@
-# Generated by Django 3.2.12 on 2022-07-14 02:46
-
-from django.db import migrations
-
-
-def migrate_db_oracle_version_to_attrs(apps, schema_editor):
-    db_alias = schema_editor.connection.alias
-    model = apps.get_model("applications", "Application")
-    oracles = list(model.objects.using(db_alias).filter(type='oracle'))
-    for o in oracles:
-        o.attrs['version'] = '12c'
-    model.objects.using(db_alias).bulk_update(oracles, ['attrs'])
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('applications', '0021_auto_20220629_1826'),
-    ]
-
-    operations = [
-        migrations.RunPython(migrate_db_oracle_version_to_attrs)
-    ]
--- a/apps/applications/migrations/0023_auto_20220715_1556.py
+++ b/apps/applications/migrations/0023_auto_20220715_1556.py
@@ -1,48 +0,0 @@
-# Generated by Django 3.1.14 on 2022-07-15 07:56
-import time
-from collections import defaultdict
-
-from django.db import migrations
-
-
-def migrate_account_dirty_data(apps, schema_editor):
-    db_alias = schema_editor.connection.alias
-    account_model = apps.get_model('applications', 'Account')
-
-    count = 0
-    bulk_size = 1000
-
-    while True:
-        accounts = account_model.objects.using(db_alias) \
-                       .filter(org_id='')[count:count + bulk_size]
-
-        if not accounts:
-            break
-
-        accounts = list(accounts)
-        start = time.time()
-        for i in accounts:
-            if i.app:
-                org_id = i.app.org_id
-            elif i.systemuser:
-                org_id = i.systemuser.org_id
-            else:
-                org_id = ''
-            if org_id:
-                i.org_id = org_id
-
-        account_model.objects.bulk_update(accounts, ['org_id', ])
-        print("Update account org is empty: {}-{} using: {:.2f}s".format(
-            count, count + len(accounts), time.time() - start
-        ))
-        count += len(accounts)
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ('applications', '0022_auto_20220714_1046'),
-    ]
-
-    operations = [
-        migrations.RunPython(migrate_account_dirty_data),
-    ]
--- a/apps/applications/migrations/0024_alter_application_type.py
+++ b/apps/applications/migrations/0024_alter_application_type.py
@@ -1,18 +0,0 @@
-# Generated by Django 3.2.14 on 2022-11-04 07:06
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('applications', '0023_auto_20220715_1556'),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name='application',
-            name='type',
-            field=models.CharField(choices=[('mysql', 'MySQL'), ('mariadb', 'MariaDB'), ('oracle', 'Oracle'), ('postgresql', 'PostgreSQL'), ('sqlserver', 'SQLServer'), ('redis', 'Redis'), ('mongodb', 'MongoDB'), ('clickhouse', 'ClickHouse'), ('chrome', 'Chrome'), ('mysql_workbench', 'MySQL Workbench'), ('vmware_client', 'vSphere Client'), ('custom', 'Custom'), ('k8s', 'Kubernetes')], max_length=16, verbose_name='Type'),
-        ),
-    ]
--- a/apps/applications/models/account.py
+++ b/apps/applications/models/account.py
@@ -1,6 +1,5 @@
 from django.db import models
 from simple_history.models import HistoricalRecords
-from django.db.models import F
 from django.utils.translation import ugettext_lazy as _

 from common.utils import lazyproperty
@@ -8,24 +7,16 @@ from assets.models.base import BaseUser


 class Account(BaseUser):
-    app = models.ForeignKey(
-        'applications.Application', on_delete=models.CASCADE, null=True, verbose_name=_('Application')
-    )
-    systemuser = models.ForeignKey(
-        'assets.SystemUser', on_delete=models.CASCADE, null=True, verbose_name=_("System user")
-    )
+    app = models.ForeignKey('applications.Application', on_delete=models.CASCADE, null=True, verbose_name=_('Database'))
+    systemuser = models.ForeignKey('assets.SystemUser', on_delete=models.CASCADE, null=True, verbose_name=_("System user"))
    version = models.IntegerField(default=1, verbose_name=_('Version'))
    history = HistoricalRecords()

    auth_attrs = ['username', 'password', 'private_key', 'public_key']

    class Meta:
-        verbose_name = _('Application account')
+        verbose_name = _('Account')
        unique_together = [('username', 'app', 'systemuser')]
-        permissions = [
-            ('view_applicationaccountsecret', _('Can view application account secret')),
-            ('change_appplicationaccountsecret', _('Can change application account secret')),
-        ]

    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
@@ -69,10 +60,6 @@ class Account(BaseUser):
    def type(self):
        return self.app.type

-    @lazyproperty
-    def attrs(self):
-        return self.app.attrs
-
    @lazyproperty
    def app_display(self):
        return self.systemuser.name
@@ -97,14 +84,5 @@ class Account(BaseUser):
            app = '*'
        return '{}@{}'.format(username, app)

-    @classmethod
-    def get_queryset(cls):
-        queryset = cls.objects.all() \
-            .annotate(type=F('app__type')) \
-            .annotate(app_display=F('app__name')) \
-            .annotate(systemuser_display=F('systemuser__name')) \
-            .annotate(category=F('app__category'))
-        return queryset
-
    def __str__(self):
        return self.smart_name
--- a/apps/applications/models/application.py
+++ b/apps/applications/models/application.py
@@ -1,16 +1,12 @@
 from collections import defaultdict
-from urllib.parse import urlencode, parse_qsl

 from django.db import models
 from django.utils.translation import ugettext_lazy as _
-from django.conf import settings

 from orgs.mixins.models import OrgModelMixin
 from common.mixins import CommonModelMixin
 from common.tree import TreeNode
-from common.utils import is_uuid
 from assets.models import Asset, SystemUser
-
 from .. import const


@@ -19,14 +15,6 @@ class ApplicationTreeNodeMixin:
    name: str
    type: str
    category: str
-    attrs: dict
-
-    @staticmethod
-    def create_tree_id(pid, type, v):
-        i = dict(parse_qsl(pid))
-        i[type] = v
-        tree_id = urlencode(i)
-        return tree_id

    @classmethod
    def create_choice_node(cls, c, id_, pid, tp, opened=False, counts=None,
@@ -77,15 +65,13 @@ class ApplicationTreeNodeMixin:
        return node

    @classmethod
-    def create_category_tree_nodes(cls, pid, counts=None, show_empty=True, show_count=True):
+    def create_category_tree_nodes(cls, root_node, counts=None, show_empty=True, show_count=True):
        nodes = []
        categories = const.AppType.category_types_mapper().keys()
        for category in categories:
-            if not settings.XPACK_ENABLED and const.AppCategory.is_xpack(category):
-                continue
-            i = cls.create_tree_id(pid, 'category', category.value)
+            i = root_node.id + '_' + category.value
            node = cls.create_choice_node(
-                category, i, pid=pid, tp='category',
+                category, i, pid=root_node.id, tp='category',
                counts=counts, opened=False, show_empty=show_empty,
                show_count=show_count
            )
@@ -95,23 +81,17 @@ class ApplicationTreeNodeMixin:
        return nodes

    @classmethod
-    def create_types_tree_nodes(cls, pid, counts, show_empty=True, show_count=True):
+    def create_types_tree_nodes(cls, root_node, counts, show_empty=True, show_count=True):
        nodes = []
-        temp_pid = pid
        type_category_mapper = const.AppType.type_category_mapper()
-        types = const.AppType.type_category_mapper().keys()
-
-        for tp in types:
-            if not settings.XPACK_ENABLED and const.AppType.is_xpack(tp):
-                continue
+        for tp in const.AppType.type_category_mapper().keys():
            category = type_category_mapper.get(tp)
-            pid = cls.create_tree_id(pid, 'category', category.value)
-            i = cls.create_tree_id(pid, 'type', tp.value)
+            pid = root_node.id + '_' + category.value
+            i = root_node.id + '_' + tp.value
            node = cls.create_choice_node(
                tp, i, pid, tp='type', counts=counts, opened=False,
                show_empty=show_empty, show_count=show_count
            )
-            pid = temp_pid
            if not node:
                continue
            nodes.append(node)
@@ -128,26 +108,9 @@ class ApplicationTreeNodeMixin:
            counts[category] += 1
        return counts

-    @classmethod
-    def create_category_type_tree_nodes(cls, queryset, pid, show_empty=True, show_count=True):
-        counts = cls.get_tree_node_counts(queryset)
-        tree_nodes = []
-
-        # 类别的节点
-        tree_nodes += cls.create_category_tree_nodes(
-            pid, counts, show_empty=show_empty,
-            show_count=show_count
-        )
-
-        # 类型的节点
-        tree_nodes += cls.create_types_tree_nodes(
-            pid, counts, show_empty=show_empty,
-            show_count=show_count
-        )
-        return tree_nodes
-
    @classmethod
    def create_tree_nodes(cls, queryset, root_node=None, show_empty=True, show_count=True):
+        counts = cls.get_tree_node_counts(queryset)
        tree_nodes = []

        # 根节点有可能是组织名称
@@ -155,44 +118,31 @@ class ApplicationTreeNodeMixin:
            root_node = cls.create_root_tree_node(queryset, show_count=show_count)
            tree_nodes.append(root_node)

-        tree_nodes += cls.create_category_type_tree_nodes(
-            queryset, root_node.id, show_empty=show_empty, show_count=show_count
+        # 类别的节点
+        tree_nodes += cls.create_category_tree_nodes(
+            root_node, counts, show_empty=show_empty,
+            show_count=show_count
+        )
+
+        # 类型的节点
+        tree_nodes += cls.create_types_tree_nodes(
+            root_node, counts, show_empty=show_empty,
+            show_count=show_count
        )

        # 应用的节点
        for app in queryset:
-            if not settings.XPACK_ENABLED and const.AppType.is_xpack(app.type):
-                continue
-            node = app.as_tree_node(root_node.id)
-            tree_nodes.append(node)
+            pid = root_node.id + '_' + app.type
+            tree_nodes.append(app.as_tree_node(pid))
        return tree_nodes

-    def create_app_tree_pid(self, root_id):
-        pid = self.create_tree_id(root_id, 'category', self.category)
-        pid = self.create_tree_id(pid, 'type', self.type)
-        return pid
-
-    def as_tree_node(self, pid, k8s_as_tree=False):
-        from ..utils import KubernetesTree
-        if self.type == const.AppType.k8s and k8s_as_tree:
-            node = KubernetesTree(pid).as_tree_node(self)
-        else:
-            node = self._as_tree_node(pid)
-        return node
-
-    def _attrs_to_tree(self):
-        if self.category == const.AppCategory.db:
-            return self.attrs
-        return {}
-
-    def _as_tree_node(self, pid):
+    def as_tree_node(self, pid):
        icon_skin_category_mapper = {
            'remote_app': 'chrome',
            'db': 'database',
            'cloud': 'cloud'
        }
        icon_skin = icon_skin_category_mapper.get(self.category, 'file')
-        pid = self.create_app_tree_pid(pid)
        node = TreeNode(**{
            'id': str(self.id),
            'name': self.name,
@@ -206,7 +156,6 @@ class ApplicationTreeNodeMixin:
                'data': {
                    'category': self.category,
                    'type': self.type,
-                    'attrs': self._attrs_to_tree()
                }
            }
        })
@@ -214,8 +163,6 @@ class ApplicationTreeNodeMixin:


 class Application(CommonModelMixin, OrgModelMixin, ApplicationTreeNodeMixin):
-    APP_TYPE = const.AppType
-
    name = models.CharField(max_length=128, verbose_name=_('Name'))
    category = models.CharField(
        max_length=16, choices=const.AppCategory.choices, verbose_name=_('Category')
@@ -236,9 +183,6 @@ class Application(CommonModelMixin, OrgModelMixin, ApplicationTreeNodeMixin):
        verbose_name = _('Application')
        unique_together = [('org_id', 'name')]
        ordering = ('name',)
-        permissions = [
-            ('match_application', _('Can match application')),
-        ]

    def __str__(self):
        category_display = self.get_category_display()
@@ -249,17 +193,6 @@ class Application(CommonModelMixin, OrgModelMixin, ApplicationTreeNodeMixin):
    def category_remote_app(self):
        return self.category == const.AppCategory.remote_app.value

-    @property
-    def category_cloud(self):
-        return self.category == const.AppCategory.cloud.value
-
-    @property
-    def category_db(self):
-        return self.category == const.AppCategory.db.value
-
-    def is_type(self, tp):
-        return self.type == tp
-
    def get_rdp_remote_app_setting(self):
        from applications.serializers.attrs import get_serializer_class_by_application_type
        if not self.category_remote_app:
@@ -285,26 +218,14 @@ class Application(CommonModelMixin, OrgModelMixin, ApplicationTreeNodeMixin):
            'parameters': parameters
        }

-    def get_remote_app_asset(self, raise_exception=True):
+    def get_remote_app_asset(self):
        asset_id = self.attrs.get('asset')
-        if is_uuid(asset_id):
-            return Asset.objects.filter(id=asset_id).first()
-        if raise_exception:
+        if not asset_id:
            raise ValueError("Remote App not has asset attr")
-
-    def get_target_ip(self):
-        target_ip = ''
-        if self.category_remote_app:
-            asset = self.get_remote_app_asset()
-            target_ip = asset.ip if asset else target_ip
-        elif self.category_cloud:
-            target_ip = self.attrs.get('cluster')
-        elif self.category_db:
-            target_ip = self.attrs.get('host')
-        return target_ip
+        asset = Asset.objects.filter(id=asset_id).first()
+        return asset


 class ApplicationUser(SystemUser):
    class Meta:
        proxy = True
-        verbose_name = _('Application user')
--- a/apps/applications/serializers/application.py
+++ b/apps/applications/serializers/application.py
@@ -1,54 +1,41 @@
 # coding: utf-8
 #
+
 from rest_framework import serializers
 from django.utils.translation import ugettext_lazy as _

 from orgs.mixins.serializers import BulkOrgResourceModelSerializer
 from assets.serializers.base import AuthSerializerMixin
-from common.drf.serializers import MethodSerializer, SecretReadableMixin
+from common.drf.serializers import MethodSerializer
 from .attrs import (
    category_serializer_classes_mapping,
-    type_serializer_classes_mapping,
-    type_secret_serializer_classes_mapping
+    type_serializer_classes_mapping
 )
 from .. import models
 from .. import const

 __all__ = [
    'AppSerializer', 'MiniAppSerializer', 'AppSerializerMixin',
-    'AppAccountSerializer', 'AppAccountSecretSerializer', 'AppAccountBackUpSerializer'
+    'AppAccountSerializer', 'AppAccountSecretSerializer'
 ]


 class AppSerializerMixin(serializers.Serializer):
    attrs = MethodSerializer()

-    @property
-    def app(self):
-        if isinstance(self.instance, models.Application):
-            instance = self.instance
-        else:
-            instance = None
-        return instance
-
    def get_attrs_serializer(self):
-        instance = self.app
-        tp = getattr(self, 'tp', None)
        default_serializer = serializers.Serializer(read_only=True)
-        if not tp:
-            if instance:
-                tp = instance.type
-                category = instance.category
-            else:
-                tp = self.context['request'].query_params.get('type')
-                category = self.context['request'].query_params.get('category')
-        if tp:
-            if isinstance(self, AppAccountBackUpSerializer):
-                serializer_class = type_secret_serializer_classes_mapping.get(tp)
-            else:
-                serializer_class = type_serializer_classes_mapping.get(tp)
-        elif category:
-            serializer_class = category_serializer_classes_mapping.get(category)
+        if isinstance(self.instance, models.Application):
+            _type = self.instance.type
+            _category = self.instance.category
+        else:
+            _type = self.context['request'].query_params.get('type')
+            _category = self.context['request'].query_params.get('category')
+
+        if _type:
+            serializer_class = type_serializer_classes_mapping.get(_type)
+        elif _category:
+            serializer_class = category_serializer_classes_mapping.get(_category)
        else:
            serializer_class = default_serializer

@@ -97,13 +84,11 @@ class MiniAppSerializer(serializers.ModelSerializer):
        fields = AppSerializer.Meta.fields_mini


-class AppAccountSerializer(AppSerializerMixin, AuthSerializerMixin, BulkOrgResourceModelSerializer):
+class AppAccountSerializer(AuthSerializerMixin, BulkOrgResourceModelSerializer):
    category = serializers.ChoiceField(label=_('Category'), choices=const.AppCategory.choices, read_only=True)
    category_display = serializers.SerializerMethodField(label=_('Category display'))
    type = serializers.ChoiceField(label=_('Type'), choices=const.AppType.choices, read_only=True)
    type_display = serializers.SerializerMethodField(label=_('Type display'))
-    date_created = serializers.DateTimeField(label=_('Date created'), format="%Y/%m/%d %H:%M:%S", read_only=True)
-    date_updated = serializers.DateTimeField(label=_('Date updated'), format="%Y/%m/%d %H:%M:%S", read_only=True)

    category_mapper = dict(const.AppCategory.choices)
    type_mapper = dict(const.AppType.choices)
@@ -111,32 +96,22 @@ class AppAccountSerializer(AppSerializerMixin, AuthSerializerMixin, BulkOrgResou
    class Meta:
        model = models.Account
        fields_mini = ['id', 'username', 'version']
-        fields_write_only = ['password', 'private_key', 'public_key', 'passphrase']
-        fields_other = ['date_created', 'date_updated']
+        fields_write_only = ['password', 'private_key']
        fields_fk = ['systemuser', 'systemuser_display', 'app', 'app_display']
-        fields = fields_mini + fields_fk + fields_write_only + fields_other + [
-            'type', 'type_display', 'category', 'category_display', 'attrs'
+        fields = fields_mini + fields_fk + fields_write_only + [
+            'type', 'type_display', 'category', 'category_display',
        ]
        extra_kwargs = {
            'username': {'default': '', 'required': False},
            'password': {'write_only': True},
            'app_display': {'label': _('Application display')},
-            'systemuser_display': {'label': _('System User')},
-            'account': {'label': _('account')}
+            'systemuser_display': {'label': _('System User')}
        }
        use_model_bulk_create = True
        model_bulk_create_kwargs = {
            'ignore_conflicts': True
        }

-    @property
-    def app(self):
-        if isinstance(self.instance, models.Account):
-            instance = self.instance.app
-        else:
-            instance = None
-        return instance
-
    def get_category_display(self, obj):
        return self.category_mapper.get(obj.category)

@@ -154,7 +129,7 @@ class AppAccountSerializer(AppSerializerMixin, AuthSerializerMixin, BulkOrgResou
        return super().to_representation(instance)


-class AppAccountSecretSerializer(SecretReadableMixin, AppAccountSerializer):
+class AppAccountSecretSerializer(AppAccountSerializer):
    class Meta(AppAccountSerializer.Meta):
        extra_kwargs = {
            'password': {'write_only': False},
@@ -163,22 +138,3 @@ class AppAccountSecretSerializer(SecretReadableMixin, AppAccountSerializer):
            'app_display': {'label': _('Application display')},
            'systemuser_display': {'label': _('System User')}
        }
-
-
-class AppAccountBackUpSerializer(AppAccountSecretSerializer):
-    class Meta(AppAccountSecretSerializer.Meta):
-        fields = [
-            'id', 'app_display', 'attrs', 'username', 'password', 'private_key',
-            'public_key', 'date_created', 'date_updated', 'version'
-        ]
-
-    def __init__(self, *args, **kwargs):
-        self.tp = kwargs.pop('tp', None)
-        super().__init__(*args, **kwargs)
-
-    @classmethod
-    def setup_eager_loading(cls, queryset):
-        return queryset
-
-    def to_representation(self, instance):
-        return super(AppAccountSerializer, self).to_representation(instance)
--- a/apps/applications/serializers/attrs/application_category/cloud.py
+++ b/apps/applications/serializers/attrs/application_category/cloud.py
@@ -1,6 +1,7 @@
 from rest_framework import serializers
 from django.utils.translation import ugettext_lazy as _

+
 __all__ = ['CloudSerializer']


--- a/apps/applications/serializers/attrs/application_category/db.py
+++ b/apps/applications/serializers/attrs/application_category/db.py
@@ -13,14 +13,3 @@ class DBSerializer(serializers.Serializer):
    database = serializers.CharField(
        max_length=128, required=True, allow_null=True, label=_('Database')
    )
-    use_ssl = serializers.BooleanField(default=False, label=_('Use SSL'))
-    ca_cert = serializers.CharField(
-        required=False, allow_null=True, label=_('CA certificate')
-    )
-    client_cert = serializers.CharField(
-        required=False, allow_null=True, label=_('Client certificate file')
-    )
-    cert_key = serializers.CharField(
-        required=False, allow_null=True, label=_('Certificate key file')
-    )
-    allow_invalid_cert = serializers.BooleanField(default=False, label=_('Allow invalid cert'))
--- a/apps/applications/serializers/attrs/application_category/remote_app.py
+++ b/apps/applications/serializers/attrs/application_category/remote_app.py
@@ -10,6 +10,7 @@ from assets.models import Asset

 logger = get_logger(__file__)

+
 __all__ = ['RemoteAppSerializer']


@@ -31,7 +32,7 @@ class ExistAssetPrimaryKeyRelatedField(serializers.PrimaryKeyRelatedField):


 class RemoteAppSerializer(serializers.Serializer):
-    asset_info = serializers.SerializerMethodField(label=_('Asset Info'))
+    asset_info = serializers.SerializerMethodField()
    asset = ExistAssetPrimaryKeyRelatedField(
        queryset=Asset.objects, required=True, label=_("Asset"), allow_null=True
    )
--- a/apps/applications/serializers/attrs/application_type/init.py
+++ b/apps/applications/serializers/attrs/application_type/init.py
@@ -4,9 +4,6 @@ from .mariadb import *
 from .oracle import *
 from .pgsql import *
 from .sqlserver import *
-from .redis import *
-from .mongodb import *
-from .clickhouse import *

 from .chrome import *
 from .mysql_workbench import *
--- a/apps/applications/serializers/attrs/application_type/chrome.py
+++ b/apps/applications/serializers/attrs/application_type/chrome.py
@@ -1,10 +1,10 @@
 from django.utils.translation import ugettext_lazy as _
 from rest_framework import serializers

-from common.drf.fields import EncryptedField
 from ..application_category import RemoteAppSerializer

-__all__ = ['ChromeSerializer', 'ChromeSecretSerializer']
+
+__all__ = ['ChromeSerializer']


 class ChromeSerializer(RemoteAppSerializer):
@@ -14,21 +14,13 @@ class ChromeSerializer(RemoteAppSerializer):
        max_length=128, label=_('Application path'), default=CHROME_PATH, allow_null=True,
    )
    chrome_target = serializers.CharField(
-        max_length=128, allow_blank=True, required=False,
-        label=_('Target URL'), allow_null=True,
+        max_length=128, allow_blank=True, required=False, label=_('Target URL'), allow_null=True,
    )
    chrome_username = serializers.CharField(
-        max_length=128, allow_blank=True, required=False,
-        label=_('Chrome username'), allow_null=True,
+        max_length=128, allow_blank=True, required=False, label=_('Username'), allow_null=True,
    )
-    chrome_password = EncryptedField(
-        max_length=128, allow_blank=True, required=False,
-        label=_('Chrome password'), allow_null=True, encrypted_key='chrome_password'
+    chrome_password = serializers.CharField(
+        max_length=128, allow_blank=True, required=False, write_only=True, label=_('Password'),
+        allow_null=True
    )

-
-class ChromeSecretSerializer(ChromeSerializer):
-    chrome_password = EncryptedField(
-        max_length=128, allow_blank=True, required=False,
-        label=_('Chrome password'), allow_null=True, write_only=False
-    )
--- a/apps/applications/serializers/attrs/application_type/clickhouse.py
+++ b/apps/applications/serializers/attrs/application_type/clickhouse.py
@@ -1,16 +0,0 @@
-from rest_framework import serializers
-from django.utils.translation import ugettext_lazy as _
-
-from ..application_category import DBSerializer
-
-__all__ = ['ClickHouseSerializer']
-
-
-class ClickHouseSerializer(DBSerializer):
-    port = serializers.IntegerField(
-        default=9000, label=_('Port'), allow_null=True,
-        help_text=_(
-            'Typically, the port is 9000，'
-            'the HTTP interface and the native interface use different ports'
-        ),
-    )
--- a/apps/applications/serializers/attrs/application_type/custom.py
+++ b/apps/applications/serializers/attrs/application_type/custom.py
@@ -1,10 +1,11 @@
+
 from django.utils.translation import ugettext_lazy as _
 from rest_framework import serializers

-from common.drf.fields import EncryptedField
 from ..application_category import RemoteAppSerializer

-__all__ = ['CustomSerializer', 'CustomSecretSerializer']
+
+__all__ = ['CustomSerializer']


 class CustomSerializer(RemoteAppSerializer):
@@ -17,17 +18,10 @@ class CustomSerializer(RemoteAppSerializer):
        allow_null=True,
    )
    custom_username = serializers.CharField(
-        max_length=128, allow_blank=True, required=False, label=_('Custom Username'),
+        max_length=128, allow_blank=True, required=False, label=_('Username'),
        allow_null=True,
    )
-    custom_password = EncryptedField(
-        max_length=128, allow_blank=True, required=False,
-        label=_('Custom password'), allow_null=True,
-    )
-
-
-class CustomSecretSerializer(RemoteAppSerializer):
-    custom_password = EncryptedField(
-        max_length=128, allow_blank=True, required=False, write_only=False,
-        label=_('Custom password'), allow_null=True,
+    custom_password = serializers.CharField(
+        max_length=128, allow_blank=True, required=False, write_only=True, label=_('Password'),
+        allow_null=True,
    )
--- a/apps/applications/serializers/attrs/application_type/k8s.py
+++ b/apps/applications/serializers/attrs/application_type/k8s.py
@@ -1,5 +1,6 @@
 from ..application_category import CloudSerializer

+
 __all__ = ['K8SSerializer']


--- a/apps/applications/serializers/attrs/application_type/mariadb.py
+++ b/apps/applications/serializers/attrs/application_type/mariadb.py
@@ -1,5 +1,6 @@
 from .mysql import MySQLSerializer

+
 __all__ = ['MariaDBSerializer']


--- a/apps/applications/serializers/attrs/application_type/mongodb.py
+++ b/apps/applications/serializers/attrs/application_type/mongodb.py
@@ -1,11 +0,0 @@
-from rest_framework import serializers
-from django.utils.translation import ugettext_lazy as _
-
-from ..application_category import DBSerializer
-
-__all__ = ['MongoDBSerializer']
-
-
-class MongoDBSerializer(DBSerializer):
-    port = serializers.IntegerField(default=27017, label=_('Port'), allow_null=True)
-
--- a/apps/applications/serializers/attrs/application_type/mysql.py
+++ b/apps/applications/serializers/attrs/application_type/mysql.py
@@ -3,9 +3,13 @@ from django.utils.translation import ugettext_lazy as _

 from ..application_category import DBSerializer

+
 __all__ = ['MySQLSerializer']


 class MySQLSerializer(DBSerializer):
    port = serializers.IntegerField(default=3306, label=_('Port'), allow_null=True)

+
+
+
--- a/apps/applications/serializers/attrs/application_type/mysql_workbench.py
+++ b/apps/applications/serializers/attrs/application_type/mysql_workbench.py
@@ -1,10 +1,10 @@
 from django.utils.translation import ugettext_lazy as _
 from rest_framework import serializers

-from common.drf.fields import EncryptedField
 from ..application_category import RemoteAppSerializer

-__all__ = ['MySQLWorkbenchSerializer', 'MySQLWorkbenchSecretSerializer']
+
+__all__ = ['MySQLWorkbenchSerializer']


 class MySQLWorkbenchSerializer(RemoteAppSerializer):
@@ -27,17 +27,10 @@ class MySQLWorkbenchSerializer(RemoteAppSerializer):
        allow_null=True,
    )
    mysql_workbench_username = serializers.CharField(
-        max_length=128, allow_blank=True, required=False, label=_('Mysql workbench username'),
+        max_length=128, allow_blank=True, required=False, label=_('Username'),
        allow_null=True,
    )
-    mysql_workbench_password = EncryptedField(
-        max_length=128, allow_blank=True, required=False,
-        label=_('Mysql workbench password'), allow_null=True,
-    )
-
-
-class MySQLWorkbenchSecretSerializer(RemoteAppSerializer):
-    mysql_workbench_password = EncryptedField(
-        max_length=128, allow_blank=True, required=False, write_only=False,
-        label=_('Mysql workbench password'), allow_null=True,
+    mysql_workbench_password = serializers.CharField(
+        max_length=128, allow_blank=True, required=False, write_only=True, label=_('Password'),
+        allow_null=True,
    )
--- a/apps/applications/serializers/attrs/application_type/oracle.py
+++ b/apps/applications/serializers/attrs/application_type/oracle.py
@@ -3,8 +3,10 @@ from django.utils.translation import ugettext_lazy as _

 from ..application_category import DBSerializer

+
 __all__ = ['OracleSerializer']


 class OracleSerializer(DBSerializer):
    port = serializers.IntegerField(default=1521, label=_('Port'), allow_null=True)
+
--- a/apps/applications/serializers/attrs/application_type/pgsql.py
+++ b/apps/applications/serializers/attrs/application_type/pgsql.py
@@ -3,8 +3,10 @@ from django.utils.translation import ugettext_lazy as _

 from ..application_category import DBSerializer

+
 __all__ = ['PostgreSerializer']


 class PostgreSerializer(DBSerializer):
    port = serializers.IntegerField(default=5432, label=_('Port'), allow_null=True)
+
--- a/apps/applications/serializers/attrs/application_type/redis.py
+++ b/apps/applications/serializers/attrs/application_type/redis.py
@@ -1,11 +0,0 @@
-from rest_framework import serializers
-from django.utils.translation import ugettext_lazy as _
-
-from ..application_category import DBSerializer
-
-__all__ = ['RedisSerializer']
-
-
-class RedisSerializer(DBSerializer):
-    port = serializers.IntegerField(default=6379, label=_('Port'), allow_null=True)
-
--- a/apps/applications/serializers/attrs/application_type/sqlserver.py
+++ b/apps/applications/serializers/attrs/application_type/sqlserver.py
@@ -3,6 +3,7 @@ from django.utils.translation import ugettext_lazy as _

 from ..application_category import DBSerializer

+
 __all__ = ['SQLServerSerializer']


--- a/apps/applications/serializers/attrs/application_type/vmware_client.py
+++ b/apps/applications/serializers/attrs/application_type/vmware_client.py
@@ -1,10 +1,10 @@
 from django.utils.translation import ugettext_lazy as _
 from rest_framework import serializers

-from common.drf.fields import EncryptedField
 from ..application_category import RemoteAppSerializer

-__all__ = ['VMwareClientSerializer', 'VMwareClientSecretSerializer']
+
+__all__ = ['VMwareClientSerializer']


 class VMwareClientSerializer(RemoteAppSerializer):
@@ -23,17 +23,10 @@ class VMwareClientSerializer(RemoteAppSerializer):
        allow_null=True
    )
    vmware_username = serializers.CharField(
-        max_length=128, allow_blank=True, required=False, label=_('Vmware username'),
+        max_length=128, allow_blank=True, required=False, label=_('Username'),
        allow_null=True
    )
-    vmware_password = EncryptedField(
-        max_length=128, allow_blank=True, required=False,
-        label=_('Vmware password'), allow_null=True
-    )
-
-
-class VMwareClientSecretSerializer(RemoteAppSerializer):
-    vmware_password = EncryptedField(
-        max_length=128, allow_blank=True, required=False, write_only=False,
-        label=_('Vmware password'), allow_null=True
+    vmware_password = serializers.CharField(
+        max_length=128, allow_blank=True, required=False, write_only=True, label=_('Password'),
+        allow_null=True
    )
--- a/apps/applications/serializers/attrs/attrs.py
+++ b/apps/applications/serializers/attrs/attrs.py
@@ -1,15 +1,15 @@
-import copy
-
+from rest_framework import serializers
 from applications import const
 from . import application_category, application_type

+
 __all__ = [
    'category_serializer_classes_mapping',
    'type_serializer_classes_mapping',
    'get_serializer_class_by_application_type',
-    'type_secret_serializer_classes_mapping'
 ]

+
 # define `attrs` field `category serializers mapping`
 # ---------------------------------------------------

@@ -29,35 +29,15 @@ type_serializer_classes_mapping = {
    const.AppType.oracle.value: application_type.OracleSerializer,
    const.AppType.pgsql.value: application_type.PostgreSerializer,
    const.AppType.sqlserver.value: application_type.SQLServerSerializer,
-    const.AppType.redis.value: application_type.RedisSerializer,
-    const.AppType.mongodb.value: application_type.MongoDBSerializer,
-    const.AppType.clickhouse.value: application_type.ClickHouseSerializer,
-    # cloud
-    const.AppType.k8s.value: application_type.K8SSerializer
-}
-
-remote_app_serializer_classes_mapping = {
    # remote-app
    const.AppType.chrome.value: application_type.ChromeSerializer,
    const.AppType.mysql_workbench.value: application_type.MySQLWorkbenchSerializer,
    const.AppType.vmware_client.value: application_type.VMwareClientSerializer,
-    const.AppType.custom.value: application_type.CustomSerializer
+    const.AppType.custom.value: application_type.CustomSerializer,
+    # cloud
+    const.AppType.k8s.value: application_type.K8SSerializer
 }

-type_serializer_classes_mapping.update(remote_app_serializer_classes_mapping)
-
-remote_app_secret_serializer_classes_mapping = {
-    # remote-app
-    const.AppType.chrome.value: application_type.ChromeSecretSerializer,
-    const.AppType.mysql_workbench.value: application_type.MySQLWorkbenchSecretSerializer,
-    const.AppType.vmware_client.value: application_type.VMwareClientSecretSerializer,
-    const.AppType.custom.value: application_type.CustomSecretSerializer
-}
-
-type_secret_serializer_classes_mapping = copy.deepcopy(type_serializer_classes_mapping)
-
-type_secret_serializer_classes_mapping.update(remote_app_secret_serializer_classes_mapping)
-

 def get_serializer_class_by_application_type(_application_type):
    return type_serializer_classes_mapping.get(_application_type)
--- a/apps/applications/urls/api_urls.py
+++ b/apps/applications/urls/api_urls.py
@@ -11,7 +11,6 @@ app_name = 'applications'
 router = BulkRouter()
 router.register(r'applications', api.ApplicationViewSet, 'application')
 router.register(r'accounts', api.ApplicationAccountViewSet, 'application-account')
-router.register(r'system-users-apps-relations', api.SystemUserAppRelationViewSet, 'system-users-apps-relation')
 router.register(r'account-secrets', api.ApplicationAccountSecretViewSet, 'application-account-secret')


--- a/apps/applications/utils/init.py
+++ b/apps/applications/utils/init.py
@@ -1,4 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-
-from .kubernetes_util import *
--- a/apps/applications/utils/kubernetes_util.py
+++ b/apps/applications/utils/kubernetes_util.py
@@ -1,165 +0,0 @@
-# -*- coding: utf-8 -*-
-from urllib.parse import urlencode
-
-from kubernetes import client
-from kubernetes.client import api_client
-from kubernetes.client.api import core_v1_api
-from rest_framework.generics import get_object_or_404
-
-from assets.models import SystemUser
-from common.tree import TreeNode
-from common.utils import get_logger
-from .. import const
-
-logger = get_logger(__file__)
-
-
-class KubernetesClient:
-    def __init__(self, url, token):
-        self.url = url
-        self.token = token
-
-    @property
-    def api(self):
-        configuration = client.Configuration()
-        configuration.host = self.url
-        configuration.verify_ssl = False
-        configuration.api_key = {"authorization": "Bearer " + self.token}
-        c = api_client.ApiClient(configuration=configuration)
-        api = core_v1_api.CoreV1Api(c)
-        return api
-
-    def get_namespaces(self):
-        namespaces = []
-        resp = self.api.list_namespace()
-        for ns in resp.items:
-            namespaces.append(ns.metadata.name)
-        return namespaces
-
-    def get_pods(self, namespace):
-        pods = []
-        resp = self.api.list_namespaced_pod(namespace)
-        for pd in resp.items:
-            pods.append(pd.metadata.name)
-        return pods
-
-    def get_containers(self, namespace, pod_name):
-        containers = []
-        resp = self.api.read_namespaced_pod(pod_name, namespace)
-        for container in resp.spec.containers:
-            containers.append(container.name)
-        return containers
-
-    @classmethod
-    def run(cls, asset, secret, tp='namespace'):
-        k8s_url = f'{asset.address}'
-        k8s = cls(k8s_url, secret)
-        func_name = f'get_{tp}s'
-        if hasattr(k8s, func_name):
-            return getattr(k8s, func_name)()
-        return []
-
-    @classmethod
-    def get_kubernetes_data(cls, app_id, system_user_id, tp, *args):
-        from ..models import Application
-        app = get_object_or_404(Application, id=app_id)
-        system_user = get_object_or_404(SystemUser, id=system_user_id)
-        k8s = cls(app.attrs['cluster'], system_user.token)
-        func_name = f'get_{tp}s'
-        if hasattr(k8s, func_name):
-            return getattr(k8s, func_name)(*args)
-        return []
-
-
-class KubernetesTree:
-    def __init__(self, tree_id):
-        self.tree_id = tree_id
-
-    def as_tree_node(self, app):
-        pid = app.create_app_tree_pid(self.tree_id)
-        app_id = str(app.id)
-        parent_info = {'app_id': app_id}
-        node = self.create_tree_node(
-            app_id, pid, app.name, 'k8s', parent_info
-        )
-        return node
-
-    def as_system_user_tree_node(self, system_user, parent_info):
-        from ..models import ApplicationTreeNodeMixin
-        system_user_id = str(system_user.id)
-        username = system_user.username
-        username = username if username else '*'
-        name = f'{system_user.name}({username})'
-        pid = urlencode({'app_id': self.tree_id})
-        i = ApplicationTreeNodeMixin.create_tree_id(pid, 'system_user_id', system_user_id)
-        parent_info.update({'system_user_id': system_user_id})
-        node = self.create_tree_node(
-            i, pid, name, 'system_user', parent_info, icon='user-tie'
-        )
-        return node
-
-    def as_namespace_pod_tree_node(self, name, meta, type, is_container=False):
-        from ..models import ApplicationTreeNodeMixin
-        i = ApplicationTreeNodeMixin.create_tree_id(self.tree_id, type, name)
-        meta.update({type: name})
-        node = self.create_tree_node(
-            i, self.tree_id, name, type, meta, icon='cloud', is_container=is_container
-        )
-        return node
-
-    @staticmethod
-    def create_tree_node(id_, pid, name, identity, parent_info, icon='', is_container=False):
-        node = TreeNode(**{
-            'id': id_,
-            'name': name,
-            'title': name,
-            'pId': pid,
-            'isParent': not is_container,
-            'open': False,
-            'iconSkin': icon,
-            'parentInfo': urlencode(parent_info),
-            'meta': {
-                'type': 'application',
-                'data': {
-                    'category': const.AppCategory.cloud,
-                    'type': const.AppType.k8s,
-                    'identity': identity
-                }
-            }
-        })
-        return node
-
-    def async_tree_node(self, parent_info):
-        pod_name = parent_info.get('pod')
-        app_id = parent_info.get('app_id')
-        namespace = parent_info.get('namespace')
-        system_user_id = parent_info.get('system_user_id')
-
-        tree_nodes = []
-        if pod_name:
-            tp = 'container'
-            containers = KubernetesClient.get_kubernetes_data(
-                app_id, system_user_id, tp, namespace, pod_name
-            )
-            for container in containers:
-                container_node = self.as_namespace_pod_tree_node(
-                    container, parent_info, tp, is_container=True
-                )
-                tree_nodes.append(container_node)
-        elif namespace:
-            tp = 'pod'
-            pods = KubernetesClient.get_kubernetes_data(app_id, system_user_id, tp, namespace)
-            for pod in pods:
-                pod_node = self.as_namespace_pod_tree_node(
-                    pod, parent_info, tp
-                )
-                tree_nodes.append(pod_node)
-        elif system_user_id:
-            tp = 'namespace'
-            namespaces = KubernetesClient.get_kubernetes_data(app_id, system_user_id, tp)
-            for namespace in namespaces:
-                namespace_node = self.as_namespace_pod_tree_node(
-                    namespace, parent_info, tp
-                )
-                tree_nodes.append(namespace_node)
-        return tree_nodes
--- a/apps/assets/api/init.py
+++ b/apps/assets/api/init.py
@@ -10,5 +10,3 @@ from .domain import *
 from .cmd_filter import *
 from .gathered_user import *
 from .favorite_asset import *
-from .account_backup import *
-from .account_history import *
--- a/apps/assets/api/account_backup.py
+++ b/apps/assets/api/account_backup.py
@@ -1,49 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-from rest_framework import status, viewsets
-from rest_framework.response import Response
-
-from orgs.mixins.api import OrgBulkModelViewSet
-from .. import serializers
-from ..tasks import execute_account_backup_plan
-from ..models import (
-    AccountBackupPlan, AccountBackupPlanExecution
-)
-
-__all__ = [
-    'AccountBackupPlanViewSet', 'AccountBackupPlanExecutionViewSet'
-]
-
-
-class AccountBackupPlanViewSet(OrgBulkModelViewSet):
-    model = AccountBackupPlan
-    filter_fields = ('name',)
-    search_fields = filter_fields
-    ordering_fields = ('name',)
-    ordering = ('name',)
-    serializer_class = serializers.AccountBackupPlanSerializer
-
-
-class AccountBackupPlanExecutionViewSet(viewsets.ModelViewSet):
-    serializer_class = serializers.AccountBackupPlanExecutionSerializer
-    search_fields = ('trigger',)
-    filterset_fields = ('trigger', 'plan_id')
-    http_method_names = ['get', 'post', 'options']
-
-    def get_queryset(self):
-        queryset = AccountBackupPlanExecution.objects.all()
-        return queryset
-
-    def create(self, request, *args, **kwargs):
-        serializer = self.get_serializer(data=request.data)
-        serializer.is_valid(raise_exception=True)
-        pid = serializer.data.get('plan')
-        task = execute_account_backup_plan.delay(
-            pid=pid, trigger=AccountBackupPlanExecution.Trigger.manual
-        )
-        return Response({'task': task.id}, status=status.HTTP_201_CREATED)
-
-    def filter_queryset(self, queryset):
-        queryset = super().filter_queryset(queryset)
-        queryset = queryset.order_by('-date_start')
-        return queryset
--- a/apps/assets/api/account_history.py
+++ b/apps/assets/api/account_history.py
@@ -1,50 +0,0 @@
-from django.db.models import F
-
-from assets.api.accounts import (
-    AccountFilterSet, AccountViewSet, AccountSecretsViewSet
-)
-from common.mixins import RecordViewLogMixin
-from .. import serializers
-from ..models import AuthBook
-
-__all__ = ['AccountHistoryViewSet', 'AccountHistorySecretsViewSet']
-
-
-class AccountHistoryFilterSet(AccountFilterSet):
-    class Meta:
-        model = AuthBook.history.model
-        fields = AccountFilterSet.Meta.fields
-
-
-class AccountHistoryViewSet(AccountViewSet):
-    model = AuthBook.history.model
-    filterset_class = AccountHistoryFilterSet
-    serializer_classes = {
-        'default': serializers.AccountHistorySerializer,
-    }
-    rbac_perms = {
-        'list': 'assets.view_assethistoryaccount',
-        'retrieve': 'assets.view_assethistoryaccount',
-    }
-
-    http_method_names = ['get', 'options']
-
-    def get_queryset(self):
-        queryset = self.model.objects.all() \
-            .annotate(ip=F('asset__ip')) \
-            .annotate(hostname=F('asset__hostname')) \
-            .annotate(platform=F('asset__platform__name')) \
-            .annotate(protocols=F('asset__protocols'))
-        return queryset
-
-
-class AccountHistorySecretsViewSet(RecordViewLogMixin, AccountHistoryViewSet):
-    serializer_classes = {
-        'default': serializers.AccountHistorySecretSerializer
-    }
-    http_method_names = ['get']
-    permission_classes = AccountSecretsViewSet.permission_classes
-    rbac_perms = {
-        'list': 'assets.view_assethistoryaccountsecret',
-        'retrieve': 'assets.view_assethistoryaccountsecret',
-    }
--- a/apps/assets/api/accounts.py
+++ b/apps/assets/api/accounts.py
@@ -1,21 +1,18 @@
-from django.db.models import Q
-from django.shortcuts import get_object_or_404
-from django_filters import rest_framework as filters
+from django.db.models import F, Q
 from rest_framework.decorators import action
+from django_filters import rest_framework as filters
 from rest_framework.response import Response
+from django.shortcuts import get_object_or_404
 from rest_framework.generics import CreateAPIView

 from orgs.mixins.api import OrgBulkModelViewSet
-from rbac.permissions import RBACPermission
+from common.permissions import IsOrgAdmin, IsOrgAdminOrAppUser, NeedMFAVerify
 from common.drf.filters import BaseFilterSet
-from common.mixins import RecordViewLogMixin
-from common.permissions import UserConfirmation
-from authentication.const import ConfirmType
 from ..tasks.account_connectivity import test_accounts_connectivity_manual
 from ..models import AuthBook, Node
 from .. import serializers

-__all__ = ['AccountFilterSet', 'AccountViewSet', 'AccountSecretsViewSet', 'AccountTaskCreateAPI']
+__all__ = ['AccountViewSet', 'AccountSecretsViewSet', 'AccountTaskCreateAPI']


 class AccountFilterSet(BaseFilterSet):
@@ -29,7 +26,6 @@ class AccountFilterSet(BaseFilterSet):
        qs = super().qs
        qs = self.filter_username(qs)
        qs = self.filter_node(qs)
-        qs = qs.distinct()
        return qs

    def filter_username(self, qs):
@@ -65,13 +61,12 @@ class AccountViewSet(OrgBulkModelViewSet):
        'default': serializers.AccountSerializer,
        'verify_account': serializers.AssetTaskSerializer
    }
-    rbac_perms = {
-        'verify_account': 'assets.test_authbook',
-        'partial_update': 'assets.change_assetaccountsecret',
-    }
+    permission_classes = (IsOrgAdmin,)

    def get_queryset(self):
-        queryset = AuthBook.get_queryset()
+        queryset = super().get_queryset() \
+            .annotate(ip=F('asset__ip')) \
+            .annotate(hostname=F('asset__hostname'))
        return queryset

    @action(methods=['post'], detail=True, url_path='verify')
@@ -81,30 +76,24 @@ class AccountViewSet(OrgBulkModelViewSet):
        return Response(data={'task': task.id})


-class AccountSecretsViewSet(RecordViewLogMixin, AccountViewSet):
+class AccountSecretsViewSet(AccountViewSet):
    """
    因为可能要导出所有账号，所以单独建立了一个 viewset
    """
    serializer_classes = {
        'default': serializers.AccountSecretSerializer
    }
+    permission_classes = (IsOrgAdmin, NeedMFAVerify)
    http_method_names = ['get']
-    permission_classes = [RBACPermission, UserConfirmation.require(ConfirmType.MFA)]
-    rbac_perms = {
-        'list': 'assets.view_assetaccountsecret',
-        'retrieve': 'assets.view_assetaccountsecret',
-    }


 class AccountTaskCreateAPI(CreateAPIView):
+    permission_classes = (IsOrgAdminOrAppUser,)
    serializer_class = serializers.AccountTaskSerializer
    filterset_fields = AccountViewSet.filterset_fields
    search_fields = AccountViewSet.search_fields
    filterset_class = AccountViewSet.filterset_class

-    def check_permissions(self, request):
-        return request.user.has_perm('assets.test_assetconnectivity')
-
    def get_accounts(self):
        queryset = AuthBook.objects.all()
        queryset = self.filter_queryset(queryset)
@@ -121,4 +110,5 @@ class AccountTaskCreateAPI(CreateAPIView):
    def get_exception_handler(self):
        def handler(e, context):
            return Response({"error": str(e)}, status=400)
+
        return handler
--- a/apps/assets/api/admin_user.py
+++ b/apps/assets/api/admin_user.py
@@ -2,9 +2,9 @@ from django.db.models import Count

 from orgs.mixins.api import OrgBulkModelViewSet
 from common.utils import get_logger
+from ..hands import IsOrgAdmin
 from ..models import SystemUser
 from .. import serializers
-from rbac.permissions import RBACPermission


 logger = get_logger(__file__)
@@ -20,7 +20,7 @@ class AdminUserViewSet(OrgBulkModelViewSet):
    filterset_fields = ("name", "username")
    search_fields = filterset_fields
    serializer_class = serializers.AdminUserSerializer
-    permission_classes = (RBACPermission,)
+    permission_classes = (IsOrgAdmin,)
    ordering_fields = ('name',)
    ordering = ('name', )

--- a/apps/assets/api/asset.py
+++ b/apps/assets/api/asset.py
@@ -1,12 +1,14 @@
 # -*- coding: utf-8 -*-
 #
+from assets.api import FilterAssetByNodeMixin
 from rest_framework.viewsets import ModelViewSet
 from rest_framework.generics import RetrieveAPIView, ListAPIView
 from django.shortcuts import get_object_or_404
 from django.db.models import Q

 from common.utils import get_logger, get_object_or_none
-from common.mixins.api import SuggestionMixin, RenderToJsonMixin
+from common.permissions import IsOrgAdmin, IsOrgAdminOrAppUser, IsSuperUser
+from common.mixins.api import SuggestionMixin
 from users.models import User, UserGroup
 from users.serializers import UserSerializer, UserGroupSerializer
 from users.filters import UserFilter
@@ -15,8 +17,7 @@ from perms.serializers import AssetPermissionSerializer
 from perms.filters import AssetPermissionFilter
 from orgs.mixins.api import OrgBulkModelViewSet
 from orgs.mixins import generics
-from assets.api import FilterAssetByNodeMixin
-from ..models import Asset, Node, Platform, Gateway
+from ..models import Asset, Node, Platform
 from .. import serializers
 from ..tasks import (
    update_assets_hardware_info_manual, test_assets_connectivity_manual,
@@ -54,9 +55,7 @@ class AssetViewSet(SuggestionMixin, FilterAssetByNodeMixin, OrgBulkModelViewSet)
        'default': serializers.AssetSerializer,
        'suggestion': serializers.MiniAssetSerializer
    }
-    rbac_perms = {
-        'match': 'assets.match_asset'
-    }
+    permission_classes = (IsOrgAdminOrAppUser,)
    extra_filter_backends = [FilterAssetByNodeFilterBackend, LabelFilterBackend, IpInFilterBackend]

    def set_assets_node(self, assets):
@@ -77,10 +76,8 @@ class AssetViewSet(SuggestionMixin, FilterAssetByNodeMixin, OrgBulkModelViewSet)

 class AssetPlatformRetrieveApi(RetrieveAPIView):
    queryset = Platform.objects.all()
+    permission_classes = (IsOrgAdminOrAppUser,)
    serializer_class = serializers.PlatformSerializer
-    rbac_perms = {
-        'retrieve': 'assets.view_gateway'
-    }

    def get_object(self):
        asset_pk = self.kwargs.get('pk')
@@ -88,12 +85,18 @@ class AssetPlatformRetrieveApi(RetrieveAPIView):
        return asset.platform


-class AssetPlatformViewSet(ModelViewSet, RenderToJsonMixin):
+class AssetPlatformViewSet(ModelViewSet):
    queryset = Platform.objects.all()
+    permission_classes = (IsSuperUser,)
    serializer_class = serializers.PlatformSerializer
    filterset_fields = ['name', 'base']
    search_fields = ['name']

+    def get_permissions(self):
+        if self.request.method.lower() in ['get', 'options']:
+            self.permission_classes = (IsOrgAdmin,)
+        return super().get_permissions()
+
    def check_object_permissions(self, request, obj):
        if request.method.lower() in ['delete', 'put', 'patch'] and obj.internal:
            self.permission_denied(
@@ -128,6 +131,7 @@ class AssetsTaskMixin:
 class AssetTaskCreateApi(AssetsTaskMixin, generics.CreateAPIView):
    model = Asset
    serializer_class = serializers.AssetTaskSerializer
+    permission_classes = (IsOrgAdmin,)

    def create(self, request, *args, **kwargs):
        pk = self.kwargs.get('pk')
@@ -135,26 +139,11 @@ class AssetTaskCreateApi(AssetsTaskMixin, generics.CreateAPIView):
        request.data['assets'] = [pk]
        return super().create(request, *args, **kwargs)

-    def check_permissions(self, request):
-        action = request.data.get('action')
-        action_perm_require = {
-            'refresh': 'assets.refresh_assethardwareinfo',
-            'push_system_user': 'assets.push_assetsystemuser',
-            'test': 'assets.test_assetconnectivity',
-            'test_system_user': 'assets.test_assetconnectivity'
-        }
-        perm_required = action_perm_require.get(action)
-        has = self.request.user.has_perm(perm_required)
-
-        if not has:
-            self.permission_denied(request)
-
    def perform_asset_task(self, serializer):
        data = serializer.validated_data
        action = data['action']
        if action not in ['push_system_user', 'test_system_user']:
            return
-
        asset = data['asset']
        system_users = data.get('system_users')
        if not system_users:
@@ -177,37 +166,24 @@ class AssetTaskCreateApi(AssetsTaskMixin, generics.CreateAPIView):
 class AssetsTaskCreateApi(AssetsTaskMixin, generics.CreateAPIView):
    model = Asset
    serializer_class = serializers.AssetsTaskSerializer
-
-    def check_permissions(self, request):
-        action = request.data.get('action')
-        action_perm_require = {
-            'refresh': 'assets.refresh_assethardwareinfo',
-        }
-        perm_required = action_perm_require.get(action)
-        has = self.request.user.has_perm(perm_required)
-        if not has:
-            self.permission_denied(request)
+    permission_classes = (IsOrgAdmin,)


 class AssetGatewayListApi(generics.ListAPIView):
+    permission_classes = (IsOrgAdminOrAppUser,)
    serializer_class = serializers.GatewayWithAuthSerializer
-    rbac_perms = {
-        'list': 'assets.view_gateway'
-    }

    def get_queryset(self):
        asset_id = self.kwargs.get('pk')
        asset = get_object_or_404(Asset, pk=asset_id)
        if not asset.domain:
-            return Gateway.objects.none()
+            return []
        queryset = asset.domain.gateways.filter(protocol='ssh')
        return queryset


 class BaseAssetPermUserOrUserGroupListApi(ListAPIView):
-    rbac_perms = {
-        'GET': 'perms.view_assetpermission'
-    }
+    permission_classes = (IsOrgAdmin,)

    def get_object(self):
        asset_id = self.kwargs.get('pk')
@@ -225,9 +201,6 @@ class AssetPermUserListApi(BaseAssetPermUserOrUserGroupListApi):
    filterset_class = UserFilter
    search_fields = ('username', 'email', 'name', 'id', 'source', 'role')
    serializer_class = UserSerializer
-    rbac_perms = {
-        'GET': 'perms.view_assetpermission'
-    }

    def get_queryset(self):
        perms = self.get_asset_related_perms()
@@ -247,13 +220,11 @@ class AssetPermUserGroupListApi(BaseAssetPermUserOrUserGroupListApi):


 class BaseAssetPermUserOrUserGroupPermissionsListApiMixin(generics.ListAPIView):
+    permission_classes = (IsOrgAdmin,)
    model = AssetPermission
    serializer_class = AssetPermissionSerializer
    filterset_class = AssetPermissionFilter
    search_fields = ('name',)
-    rbac_perms = {
-        'list': 'perms.view_assetpermission'
-    }

    def get_object(self):
        asset_id = self.kwargs.get('pk')
--- a/apps/assets/api/cmd_filter.py
+++ b/apps/assets/api/cmd_filter.py
@@ -8,11 +8,14 @@ from django.shortcuts import get_object_or_404
 from common.utils import reverse
 from common.utils import lazyproperty
 from orgs.mixins.api import OrgBulkModelViewSet
+from tickets.api import GenericTicketStatusRetrieveCloseAPI
+from ..hands import IsOrgAdmin, IsAppUser
 from ..models import CommandFilter, CommandFilterRule
 from .. import serializers

 __all__ = [
    'CommandFilterViewSet', 'CommandFilterRuleViewSet', 'CommandConfirmAPI',
+    'CommandConfirmStatusAPI'
 ]


@@ -20,6 +23,7 @@ class CommandFilterViewSet(OrgBulkModelViewSet):
    model = CommandFilter
    filterset_fields = ("name",)
    search_fields = filterset_fields
+    permission_classes = (IsOrgAdmin,)
    serializer_class = serializers.CommandFilterSerializer


@@ -27,6 +31,7 @@ class CommandFilterRuleViewSet(OrgBulkModelViewSet):
    model = CommandFilterRule
    filterset_fields = ('content',)
    search_fields = filterset_fields
+    permission_classes = (IsOrgAdmin,)
    serializer_class = serializers.CommandFilterRuleSerializer

    def get_queryset(self):
@@ -38,10 +43,8 @@ class CommandFilterRuleViewSet(OrgBulkModelViewSet):


 class CommandConfirmAPI(CreateAPIView):
+    permission_classes = (IsAppUser,)
    serializer_class = serializers.CommandConfirmSerializer
-    rbac_perms = {
-        'POST': 'tickets.add_superticket'
-    }

    def create(self, request, *args, **kwargs):
        ticket = self.create_command_confirm_ticket()
@@ -53,14 +56,14 @@ class CommandConfirmAPI(CreateAPIView):
            run_command=self.serializer.data.get('run_command'),
            session=self.serializer.session,
            cmd_filter_rule=self.serializer.cmd_filter_rule,
-            org_id=self.serializer.org.id,
+            org_id=self.serializer.org.id
        )
        return ticket

    @staticmethod
    def get_response_data(ticket):
        confirm_status_url = reverse(
-            view_name='api-tickets:super-ticket-status',
+            view_name='api-assets:command-confirm-status',
            kwargs={'pk': str(ticket.id)}
        )
        ticket_detail_url = reverse(
@@ -69,7 +72,7 @@ class CommandConfirmAPI(CreateAPIView):
            external=True, api_to_ui=True
        )
        ticket_detail_url = '{url}?type={type}'.format(url=ticket_detail_url, type=ticket.type)
-        ticket_assignees = ticket.current_step.ticket_assignees.all()
+        ticket_assignees = ticket.current_node.first().ticket_assignees.all()
        return {
            'check_confirm_status': {'method': 'GET', 'url': confirm_status_url},
            'close_confirm': {'method': 'DELETE', 'url': confirm_status_url},
@@ -83,3 +86,6 @@ class CommandConfirmAPI(CreateAPIView):
        serializer.is_valid(raise_exception=True)
        return serializer

+
+class CommandConfirmStatusAPI(GenericTicketStatusRetrieveCloseAPI):
+    pass
--- a/apps/assets/api/domain.py
+++ b/apps/assets/api/domain.py
@@ -6,6 +6,7 @@ from rest_framework.views import APIView, Response
 from rest_framework.serializers import ValidationError

 from common.utils import get_logger
+from common.permissions import IsOrgAdmin, IsOrgAdminOrAppUser
 from orgs.mixins.api import OrgBulkModelViewSet
 from ..models import Domain, Gateway
 from .. import serializers
@@ -19,6 +20,7 @@ class DomainViewSet(OrgBulkModelViewSet):
    model = Domain
    filterset_fields = ("name", )
    search_fields = filterset_fields
+    permission_classes = (IsOrgAdminOrAppUser,)
    serializer_class = serializers.DomainSerializer
    ordering_fields = ('name',)
    ordering = ('name', )
@@ -33,15 +35,13 @@ class GatewayViewSet(OrgBulkModelViewSet):
    model = Gateway
    filterset_fields = ("domain__name", "name", "username", "ip", "domain")
    search_fields = ("domain__name", "name", "username", "ip")
+    permission_classes = (IsOrgAdminOrAppUser,)
    serializer_class = serializers.GatewaySerializer


 class GatewayTestConnectionApi(SingleObjectMixin, APIView):
-    queryset = Gateway.objects.all()
+    permission_classes = (IsOrgAdmin,)
    object = None
-    rbac_perms = {
-        'POST': 'assets.test_gateway'
-    }

    def post(self, request, *args, **kwargs):
        self.object = self.get_object(Gateway.objects.all())
--- a/apps/assets/api/gathered_user.py
+++ b/apps/assets/api/gathered_user.py
@@ -3,6 +3,7 @@

 from orgs.mixins.api import OrgModelViewSet
 from assets.models import GatheredUser
+from common.permissions import IsOrgAdmin

 from ..serializers import GatheredUserSerializer
 from ..filters import AssetRelatedByNodeFilterBackend
@@ -14,6 +15,7 @@ __all__ = ['GatheredUserViewSet']
 class GatheredUserViewSet(OrgModelViewSet):
    model = GatheredUser
    serializer_class = GatheredUserSerializer
+    permission_classes = [IsOrgAdmin]
    extra_filter_backends = [AssetRelatedByNodeFilterBackend]

    filterset_fields = ['asset', 'username', 'present', 'asset__ip', 'asset__hostname', 'asset_id']
--- a/apps/assets/api/label.py
+++ b/apps/assets/api/label.py
@@ -17,6 +17,7 @@ from django.db.models import Count

 from common.utils import get_logger
 from orgs.mixins.api import OrgBulkModelViewSet
+from ..hands import IsOrgAdmin
 from ..models import Label
 from .. import serializers

@@ -29,6 +30,7 @@ class LabelViewSet(OrgBulkModelViewSet):
    model = Label
    filterset_fields = ("name", "value")
    search_fields = filterset_fields
+    permission_classes = (IsOrgAdmin,)
    serializer_class = serializers.LabelSerializer

    def list(self, request, *args, **kwargs):
--- a/apps/assets/api/mixin.py
+++ b/apps/assets/api/mixin.py
@@ -24,7 +24,7 @@ class SerializeToTreeNodeMixin:
                'title': _name(node),
                'pId': node.parent_key,
                'isParent': True,
-                'open': True,
+                'open': node.is_org_root(),
                'meta': {
                    'data': {
                        "id": node.id,
--- a/apps/assets/api/node.py
+++ b/apps/assets/api/node.py
@@ -17,9 +17,10 @@ from common.mixins.api import SuggestionMixin
 from assets.models import Asset
 from common.utils import get_logger, get_object_or_none
 from common.tree import TreeNodeSerializer
-from orgs.mixins.api import OrgBulkModelViewSet
+from orgs.mixins.api import OrgModelViewSet
 from orgs.mixins import generics
 from orgs.utils import current_org
+from ..hands import IsOrgAdmin
 from ..models import Node
 from ..tasks import (
    update_node_assets_hardware_info_manual,
@@ -30,6 +31,7 @@ from .. import serializers
 from .mixin import SerializeToTreeNodeMixin
 from assets.locks import NodeAddChildrenLock

+
 logger = get_logger(__file__)
 __all__ = [
    'NodeViewSet', 'NodeChildrenApi', 'NodeAssetsApi',
@@ -40,15 +42,18 @@ __all__ = [
 ]


-class NodeViewSet(SuggestionMixin, OrgBulkModelViewSet):
+class NodeViewSet(SuggestionMixin, OrgModelViewSet):
    model = Node
    filterset_fields = ('value', 'key', 'id')
-    search_fields = ('full_value',)
+    search_fields = ('value', )
+    permission_classes = (IsOrgAdmin,)
    serializer_class = serializers.NodeSerializer
-    rbac_perms = {
-        'match': 'assets.match_node',
-        'check_assets_amount_task': 'assets.change_node'
-    }
+
+    # 仅支持根节点指直接创建，子节点下的节点需要通过children接口创建
+    def perform_create(self, serializer):
+        child_key = Node.org_root().get_next_child_key()
+        serializer.validated_data["key"] = child_key
+        serializer.save()

    @action(methods=[POST], detail=False, url_path='check_assets_amount_task')
    def check_assets_amount_task(self, request):
@@ -86,6 +91,7 @@ class NodeListAsTreeApi(generics.ListAPIView):
    ]
    """
    model = Node
+    permission_classes = (IsOrgAdmin,)
    serializer_class = TreeNodeSerializer

    @staticmethod
@@ -100,9 +106,8 @@ class NodeListAsTreeApi(generics.ListAPIView):


 class NodeChildrenApi(generics.ListCreateAPIView):
+    permission_classes = (IsOrgAdmin,)
    serializer_class = serializers.NodeSerializer
-    search_fields = ('value',)
-
    instance = None
    is_initial = False

@@ -181,15 +186,8 @@ class NodeChildrenAsTreeApi(SerializeToTreeNodeMixin, NodeChildrenApi):
    """
    model = Node

-    def filter_queryset(self, queryset):
-        if not self.request.GET.get('search'):
-            return queryset
-        queryset = super().filter_queryset(queryset)
-        queryset = self.model.get_ancestor_queryset(queryset)
-        return queryset
-
    def list(self, request, *args, **kwargs):
-        nodes = self.filter_queryset(self.get_queryset()).order_by('value')
+        nodes = self.get_queryset().order_by('value')
        nodes = self.serialize_nodes(nodes, with_asset_amount=True)
        assets = self.get_assets()
        data = [*nodes, *assets]
@@ -207,6 +205,7 @@ class NodeChildrenAsTreeApi(SerializeToTreeNodeMixin, NodeChildrenApi):


 class NodeAssetsApi(generics.ListAPIView):
+    permission_classes = (IsOrgAdmin,)
    serializer_class = serializers.AssetSerializer

    def get_queryset(self):
@@ -221,6 +220,7 @@ class NodeAssetsApi(generics.ListAPIView):

 class NodeAddChildrenApi(generics.UpdateAPIView):
    model = Node
+    permission_classes = (IsOrgAdmin,)
    serializer_class = serializers.NodeAddChildrenSerializer
    instance = None

@@ -237,6 +237,7 @@ class NodeAddChildrenApi(generics.UpdateAPIView):
 class NodeAddAssetsApi(generics.UpdateAPIView):
    model = Node
    serializer_class = serializers.NodeAssetsSerializer
+    permission_classes = (IsOrgAdmin,)
    instance = None

    def perform_update(self, serializer):
@@ -248,6 +249,7 @@ class NodeAddAssetsApi(generics.UpdateAPIView):
 class NodeRemoveAssetsApi(generics.UpdateAPIView):
    model = Node
    serializer_class = serializers.NodeAssetsSerializer
+    permission_classes = (IsOrgAdmin,)
    instance = None

    def perform_update(self, serializer):
@@ -266,6 +268,7 @@ class NodeRemoveAssetsApi(generics.UpdateAPIView):
 class MoveAssetsToNodeApi(generics.UpdateAPIView):
    model = Node
    serializer_class = serializers.NodeAssetsSerializer
+    permission_classes = (IsOrgAdmin,)
    instance = None

    def perform_update(self, serializer):
@@ -306,21 +309,9 @@ class MoveAssetsToNodeApi(generics.UpdateAPIView):


 class NodeTaskCreateApi(generics.CreateAPIView):
-    perm_model = Asset
    model = Node
    serializer_class = serializers.NodeTaskSerializer
-
-    def check_permissions(self, request):
-        action = request.data.get('action')
-        action_perm_require = {
-            'refresh': 'assets.refresh_assethardwareinfo',
-            'test': 'assets.test_assetconnectivity'
-        }
-        perm_required = action_perm_require.get(action)
-        has = self.request.user.has_perm(perm_required)
-
-        if not has:
-            self.permission_denied(request)
+    permission_classes = (IsOrgAdmin,)

    def get_object(self):
        node_id = self.kwargs.get('pk')
@@ -353,3 +344,4 @@ class NodeTaskCreateApi(generics.CreateAPIView):
        else:
            task = test_node_assets_connectivity_manual.delay(node)
        self.set_serializer_data(serializer, task)
+
--- a/apps/assets/api/system_user.py
+++ b/apps/assets/api/system_user.py
@@ -1,15 +1,18 @@
 # ~*~ coding: utf-8 ~*~
 from django.shortcuts import get_object_or_404
 from rest_framework.response import Response
-from rest_framework.decorators import action
+from django.db.models import Q

 from common.utils import get_logger, get_object_or_none
-from common.permissions import IsValidUser
-from common.mixins.api import SuggestionMixin
+from common.permissions import IsOrgAdmin, IsOrgAdminOrAppUser, IsValidUser
 from orgs.mixins.api import OrgBulkModelViewSet
 from orgs.mixins import generics
+from common.mixins.api import SuggestionMixin
 from orgs.utils import tmp_to_root_org
-from ..models import SystemUser, CommandFilterRule
+from rest_framework.decorators import action
+from users.models import User, UserGroup
+from applications.models import Application
+from ..models import SystemUser, Asset, CommandFilter, CommandFilterRule
 from .. import serializers
 from ..serializers import SystemUserWithAuthInfoSerializer, SystemUserTempAuthSerializer
 from ..tasks import (
@@ -44,11 +47,7 @@ class SystemUserViewSet(SuggestionMixin, OrgBulkModelViewSet):
    }
    ordering_fields = ('name', 'protocol', 'login_mode')
    ordering = ('name', )
-    rbac_perms = {
-        'su_from': 'assets.view_systemuser',
-        'su_to': 'assets.view_systemuser',
-        'match': 'assets.match_systemuser'
-    }
+    permission_classes = (IsOrgAdminOrAppUser,)

    @action(methods=['get'], detail=False, url_path='su-from')
    def su_from(self, request, *args, **kwargs):
@@ -82,13 +81,8 @@ class SystemUserAuthInfoApi(generics.RetrieveUpdateDestroyAPIView):
    Get system user auth info
    """
    model = SystemUser
+    permission_classes = (IsOrgAdminOrAppUser,)
    serializer_class = SystemUserWithAuthInfoSerializer
-    rbac_perms = {
-        'retrieve': 'assets.view_systemusersecret',
-        'list': 'assets.view_systemusersecret',
-        'change': 'assets.change_systemuser',
-        'destroy': 'assets.change_systemuser',
-    }

    def destroy(self, request, *args, **kwargs):
        instance = self.get_object()
@@ -104,14 +98,14 @@ class SystemUserTempAuthInfoApi(generics.CreateAPIView):
    def create(self, request, *args, **kwargs):
        serializer = super().get_serializer(data=request.data)
        serializer.is_valid(raise_exception=True)
-
        pk = kwargs.get('pk')
+        user = self.request.user
        data = serializer.validated_data
-        asset_or_app_id = data.get('instance_id')
+        instance_id = data.get('instance_id')

        with tmp_to_root_org():
            instance = get_object_or_404(SystemUser, pk=pk)
-            instance.set_temp_auth(asset_or_app_id, self.request.user.id, data)
+            instance.set_temp_auth(instance_id, user.id, data)
        return Response(serializer.data, status=201)


@@ -120,6 +114,7 @@ class SystemUserAssetAuthInfoApi(generics.RetrieveAPIView):
    Get system user with asset auth info
    """
    model = SystemUser
+    permission_classes = (IsOrgAdminOrAppUser,)
    serializer_class = SystemUserWithAuthInfoSerializer

    def get_object(self):
@@ -136,10 +131,8 @@ class SystemUserAppAuthInfoApi(generics.RetrieveAPIView):
    Get system user with asset auth info
    """
    model = SystemUser
+    permission_classes = (IsOrgAdminOrAppUser,)
    serializer_class = SystemUserWithAuthInfoSerializer
-    rbac_perms = {
-        'retrieve': 'assets.view_systemusersecret',
-    }

    def get_object(self):
        instance = super().get_object()
@@ -151,6 +144,7 @@ class SystemUserAppAuthInfoApi(generics.RetrieveAPIView):


 class SystemUserTaskApi(generics.CreateAPIView):
+    permission_classes = (IsOrgAdmin,)
    serializer_class = serializers.SystemUserTaskSerializer

    def do_push(self, system_user, asset_ids=None):
@@ -172,18 +166,6 @@ class SystemUserTaskApi(generics.CreateAPIView):
        pk = self.kwargs.get('pk')
        return get_object_or_404(SystemUser, pk=pk)

-    def check_permissions(self, request):
-        action = request.data.get('action')
-        action_perm_require = {
-            'push': 'assets.push_assetsystemuser',
-            'test': 'assets.test_assetconnectivity'
-        }
-        perm_required = action_perm_require.get(action)
-        has = self.request.user.has_perm(perm_required)
-
-        if not has:
-            self.permission_denied(request)
-
    def perform_create(self, serializer):
        action = serializer.validated_data["action"]
        asset = serializer.validated_data.get('asset')
@@ -207,42 +189,56 @@ class SystemUserTaskApi(generics.CreateAPIView):


 class SystemUserCommandFilterRuleListApi(generics.ListAPIView):
-    rbac_perms = {
-        'list': 'assets.view_commandfilterule',
-    }
+    permission_classes = (IsOrgAdminOrAppUser,)

    def get_serializer_class(self):
        from ..serializers import CommandFilterRuleSerializer
        return CommandFilterRuleSerializer

    def get_queryset(self):
+        user_groups = []
        user_id = self.request.query_params.get('user_id')
+        user = get_object_or_none(User, pk=user_id)
+        if user:
+            user_groups.extend(list(user.groups.all()))
        user_group_id = self.request.query_params.get('user_group_id')
+        user_group = get_object_or_none(UserGroup, pk=user_group_id)
+        if user_group:
+            user_groups.append(user_group)
        system_user_id = self.kwargs.get('pk', None)
        system_user = get_object_or_none(SystemUser, pk=system_user_id)
        if not system_user:
            system_user_id = self.request.query_params.get('system_user_id')
+            system_user = get_object_or_none(SystemUser, pk=system_user_id)
        asset_id = self.request.query_params.get('asset_id')
-        node_id = self.request.query_params.get('node_id')
+        asset = get_object_or_none(Asset, pk=asset_id)
        application_id = self.request.query_params.get('application_id')
-        rules = CommandFilterRule.get_queryset(
-            user_id=user_id,
-            user_group_id=user_group_id,
-            system_user_id=system_user_id,
-            asset_id=asset_id,
-            node_id=node_id,
-            application_id=application_id
-        )
+        application = get_object_or_none(Application, pk=application_id)
+        q = Q()
+        if user:
+            q |= Q(users=user)
+        if user_groups:
+            q |= Q(user_groups__in=set(user_groups))
+        if system_user:
+            q |= Q(system_users=system_user)
+        if asset:
+            q |= Q(assets=asset)
+        if application:
+            q |= Q(applications=application)
+        if q:
+            cmd_filters = CommandFilter.objects.filter(q).filter(is_active=True)
+            rule_ids = cmd_filters.values_list('rules', flat=True)
+            rules = CommandFilterRule.objects.filter(id__in=rule_ids)
+        else:
+            rules = CommandFilterRule.objects.none()
        return rules


 class SystemUserAssetsListView(generics.ListAPIView):
+    permission_classes = (IsOrgAdmin,)
    serializer_class = serializers.AssetSimpleSerializer
    filterset_fields = ("hostname", "ip")
    search_fields = filterset_fields
-    rbac_perms = {
-        'list': 'assets.view_asset'
-    }

    def get_object(self):
        pk = self.kwargs.get('pk')
--- a/apps/assets/api/system_user_relation.py
+++ b/apps/assets/api/system_user_relation.py
@@ -5,6 +5,7 @@ from django.db.models import F, Value, Model
 from django.db.models.signals import m2m_changed
 from django.db.models.functions import Concat

+from common.permissions import IsOrgAdmin
 from common.utils import get_logger
 from orgs.mixins.api import OrgBulkModelViewSet
 from orgs.utils import current_org
@@ -64,13 +65,13 @@ class RelationMixin:


 class BaseRelationViewSet(RelationMixin, OrgBulkModelViewSet):
-    perm_model = models.SystemUser
+    pass


 class SystemUserAssetRelationViewSet(BaseRelationViewSet):
-    perm_model = models.AuthBook
    serializer_class = serializers.SystemUserAssetRelationSerializer
    model = models.SystemUser.assets.through
+    permission_classes = (IsOrgAdmin,)
    filterset_fields = [
        'id', 'asset', 'systemuser',
    ]
@@ -96,6 +97,7 @@ class SystemUserAssetRelationViewSet(BaseRelationViewSet):
 class SystemUserNodeRelationViewSet(BaseRelationViewSet):
    serializer_class = serializers.SystemUserNodeRelationSerializer
    model = models.SystemUser.nodes.through
+    permission_classes = (IsOrgAdmin,)
    filterset_fields = [
        'id', 'node', 'systemuser',
    ]
@@ -116,6 +118,7 @@ class SystemUserNodeRelationViewSet(BaseRelationViewSet):
 class SystemUserUserRelationViewSet(BaseRelationViewSet):
    serializer_class = serializers.SystemUserUserRelationSerializer
    model = models.SystemUser.users.through
+    permission_classes = (IsOrgAdmin,)
    filterset_fields = [
        'id', 'user', 'systemuser',
    ]
@@ -137,3 +140,4 @@ class SystemUserUserRelationViewSet(BaseRelationViewSet):
            )
        )
        return queryset
+
--- a/apps/assets/apps.py
+++ b/apps/assets/apps.py
@@ -1,16 +1,11 @@
 from __future__ import unicode_literals
-from django.utils.translation import ugettext_lazy as _

 from django.apps import AppConfig


 class AssetsConfig(AppConfig):
    name = 'assets'
-    verbose_name = _('App assets')
-
-    def __init__(self, *args, **kwargs):
-        super().__init__(*args, **kwargs)

    def ready(self):
        super().ready()
-        from . import signal_handlers
+        from . import signals_handler
--- a/apps/assets/hands.py
+++ b/apps/assets/hands.py
@@ -11,4 +11,5 @@
 """


+from common.permissions import IsAppUser, IsOrgAdmin, IsValidUser, IsOrgAdminOrAppUser
 from users.models import User, UserGroup
--- a/apps/assets/migrations/0022_auto_20181012_1717.py
+++ b/apps/assets/migrations/0022_auto_20181012_1717.py
@@ -21,8 +21,8 @@ class Migration(migrations.Migration):
                ('name', models.CharField(max_length=64, verbose_name='Name')),
                ('is_active', models.BooleanField(default=True, verbose_name='Is active')),
                ('comment', models.TextField(blank=True, default='', verbose_name='Comment')),
-                ('date_created', models.DateTimeField(auto_now_add=True, verbose_name='Date created')),
-                ('date_updated', models.DateTimeField(auto_now=True, verbose_name='Date updated')),
+                ('date_created', models.DateTimeField(auto_now_add=True)),
+                ('date_updated', models.DateTimeField(auto_now=True)),
                ('created_by', models.CharField(blank=True, default='', max_length=128, verbose_name='Created by')),
            ],
            options={
--- a/apps/assets/migrations/0032_auto_20190624_2108.py
+++ b/apps/assets/migrations/0032_auto_20190624_2108.py
@@ -1,7 +1,7 @@
 # Generated by Django 2.1.7 on 2019-06-24 13:08

 import assets.models.utils
-import common.db.fields
+import common.fields.model
 from django.db import migrations


@@ -15,61 +15,61 @@ class Migration(migrations.Migration):
        migrations.AlterField(
            model_name='adminuser',
            name='_password',
-            field=common.db.fields.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password'),
+            field=common.fields.model.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password'),
        ),
        migrations.AlterField(
            model_name='adminuser',
            name='_private_key',
-            field=common.db.fields.EncryptTextField(blank=True, null=True, validators=[assets.models.utils.private_key_validator], verbose_name='SSH private key'),
+            field=common.fields.model.EncryptTextField(blank=True, null=True, validators=[assets.models.utils.private_key_validator], verbose_name='SSH private key'),
        ),
        migrations.AlterField(
            model_name='adminuser',
            name='_public_key',
-            field=common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='SSH public key'),
+            field=common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH public key'),
        ),
        migrations.AlterField(
            model_name='authbook',
            name='_password',
-            field=common.db.fields.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password'),
+            field=common.fields.model.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password'),
        ),
        migrations.AlterField(
            model_name='authbook',
            name='_private_key',
-            field=common.db.fields.EncryptTextField(blank=True, null=True, validators=[assets.models.utils.private_key_validator], verbose_name='SSH private key'),
+            field=common.fields.model.EncryptTextField(blank=True, null=True, validators=[assets.models.utils.private_key_validator], verbose_name='SSH private key'),
        ),
        migrations.AlterField(
            model_name='authbook',
            name='_public_key',
-            field=common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='SSH public key'),
+            field=common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH public key'),
        ),
        migrations.AlterField(
            model_name='gateway',
            name='_password',
-            field=common.db.fields.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password'),
+            field=common.fields.model.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password'),
        ),
        migrations.AlterField(
            model_name='gateway',
            name='_private_key',
-            field=common.db.fields.EncryptTextField(blank=True, null=True, validators=[assets.models.utils.private_key_validator], verbose_name='SSH private key'),
+            field=common.fields.model.EncryptTextField(blank=True, null=True, validators=[assets.models.utils.private_key_validator], verbose_name='SSH private key'),
        ),
        migrations.AlterField(
            model_name='gateway',
            name='_public_key',
-            field=common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='SSH public key'),
+            field=common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH public key'),
        ),
        migrations.AlterField(
            model_name='systemuser',
            name='_password',
-            field=common.db.fields.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password'),
+            field=common.fields.model.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password'),
        ),
        migrations.AlterField(
            model_name='systemuser',
            name='_private_key',
-            field=common.db.fields.EncryptTextField(blank=True, null=True, validators=[assets.models.utils.private_key_validator], verbose_name='SSH private key'),
+            field=common.fields.model.EncryptTextField(blank=True, null=True, validators=[assets.models.utils.private_key_validator], verbose_name='SSH private key'),
        ),
        migrations.AlterField(
            model_name='systemuser',
            name='_public_key',
-            field=common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='SSH public key'),
+            field=common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH public key'),
        ),
    ]
--- a/apps/assets/migrations/0035_auto_20190711_2018.py
+++ b/apps/assets/migrations/0035_auto_20190711_2018.py
@@ -1,6 +1,6 @@
 # Generated by Django 2.1.7 on 2019-07-11 12:18

-import common.db.fields
+import common.fields.model
 from django.db import migrations


@@ -14,21 +14,21 @@ class Migration(migrations.Migration):
        migrations.AlterField(
            model_name='adminuser',
            name='private_key',
-            field=common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='SSH private key'),
+            field=common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH private key'),
        ),
        migrations.AlterField(
            model_name='authbook',
            name='private_key',
-            field=common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='SSH private key'),
+            field=common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH private key'),
        ),
        migrations.AlterField(
            model_name='gateway',
            name='private_key',
-            field=common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='SSH private key'),
+            field=common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH private key'),
        ),
        migrations.AlterField(
            model_name='systemuser',
            name='private_key',
-            field=common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='SSH private key'),
+            field=common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH private key'),
        ),
    ]
--- a/apps/assets/migrations/0044_platform.py
+++ b/apps/assets/migrations/0044_platform.py
@@ -1,6 +1,6 @@
 # Generated by Django 2.2.7 on 2019-12-06 07:26

-import common.db.fields
+import common.fields.model
 from django.db import migrations, models


@@ -36,7 +36,7 @@ class Migration(migrations.Migration):
                ('name', models.SlugField(allow_unicode=True, unique=True, verbose_name='Name')),
                ('base', models.CharField(choices=[('Linux', 'Linux'), ('Unix', 'Unix'), ('MacOS', 'MacOS'), ('BSD', 'BSD'), ('Windows', 'Windows'), ('Other', 'Other')], default='Linux', max_length=16, verbose_name='Base')),
                ('charset', models.CharField(choices=[('utf8', 'UTF-8'), ('gbk', 'GBK')], default='utf8', max_length=8, verbose_name='Charset')),
-                ('meta', common.db.fields.JsonDictTextField(blank=True, null=True, verbose_name='Meta')),
+                ('meta', common.fields.model.JsonDictTextField(blank=True, null=True, verbose_name='Meta')),
                ('internal', models.BooleanField(default=False, verbose_name='Internal')),
                ('comment', models.TextField(blank=True, null=True, verbose_name='Comment')),
            ],
--- a/apps/assets/migrations/0072_historicalauthbook.py
+++ b/apps/assets/migrations/0072_historicalauthbook.py
@@ -1,6 +1,6 @@
 # Generated by Django 3.1.6 on 2021-06-05 16:10

-import common.db.fields
+import common.fields.model
 from django.conf import settings
 import django.core.validators
 from django.db import migrations, models
@@ -58,9 +58,9 @@ class Migration(migrations.Migration):
                ('id', models.UUIDField(db_index=True, default=uuid.uuid4)),
                ('name', models.CharField(max_length=128, verbose_name='Name')),
                ('username', models.CharField(blank=True, db_index=True, max_length=128, validators=[django.core.validators.RegexValidator('^[0-9a-zA-Z_@\\-\\.]*$', 'Special char not allowed')], verbose_name='Username')),
-                ('password', common.db.fields.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password')),
-                ('private_key', common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='SSH private key')),
-                ('public_key', common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='SSH public key')),
+                ('password', common.fields.model.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password')),
+                ('private_key', common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH private key')),
+                ('public_key', common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH public key')),
                ('comment', models.TextField(blank=True, verbose_name='Comment')),
                ('date_created', models.DateTimeField(blank=True, editable=False, verbose_name='Date created')),
                ('date_updated', models.DateTimeField(blank=True, editable=False, verbose_name='Date updated')),
--- a/apps/assets/migrations/0084_auto_20220112_1959.py
+++ b/apps/assets/migrations/0084_auto_20220112_1959.py
@@ -1,62 +0,0 @@
-# Generated by Django 3.1.13 on 2022-01-12 11:59
-
-import common.db.encoder
-from django.conf import settings
-from django.db import migrations, models
-import django.db.models.deletion
-import uuid
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
-        ('assets', '0083_auto_20211215_1436'),
-    ]
-
-    operations = [
-        migrations.CreateModel(
-            name='AccountBackupPlan',
-            fields=[
-                ('org_id', models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization')),
-                ('name', models.CharField(max_length=128, verbose_name='Name')),
-                ('is_periodic', models.BooleanField(default=False, verbose_name='Periodic perform')),
-                ('interval', models.IntegerField(blank=True, default=24, null=True, verbose_name='Cycle perform')),
-                ('crontab', models.CharField(blank=True, max_length=128, null=True, verbose_name='Regularly perform')),
-                ('created_by', models.CharField(blank=True, max_length=32, null=True, verbose_name='Created by')),
-                ('date_created', models.DateTimeField(auto_now_add=True, null=True, verbose_name='Date created')),
-                ('date_updated', models.DateTimeField(auto_now=True, verbose_name='Date updated')),
-                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
-                ('types', models.IntegerField(choices=[(255, 'All'), (1, 'Asset'), (2, 'Application')], default=255, verbose_name='Type')),
-                ('comment', models.TextField(blank=True, verbose_name='Comment')),
-                ('recipients', models.ManyToManyField(blank=True, related_name='recipient_escape_route_plans', to=settings.AUTH_USER_MODEL, verbose_name='Recipient')),
-            ],
-            options={
-                'verbose_name': 'Account backup plan',
-                'ordering': ['name'],
-                'unique_together': {('name', 'org_id')},
-            },
-        ),
-        migrations.AlterField(
-            model_name='systemuser',
-            name='protocol',
-            field=models.CharField(choices=[('ssh', 'SSH'), ('rdp', 'RDP'), ('telnet', 'Telnet'), ('vnc', 'VNC'), ('mysql', 'MySQL'), ('redis', 'Redis'), ('oracle', 'Oracle'), ('mariadb', 'MariaDB'), ('postgresql', 'PostgreSQL'), ('sqlserver', 'SQLServer'), ('k8s', 'K8S')], default='ssh', max_length=16, verbose_name='Protocol'),
-        ),
-        migrations.CreateModel(
-            name='AccountBackupPlanExecution',
-            fields=[
-                ('org_id', models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization')),
-                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
-                ('date_start', models.DateTimeField(auto_now_add=True, verbose_name='Date start')),
-                ('timedelta', models.FloatField(default=0.0, null=True, verbose_name='Time')),
-                ('plan_snapshot', models.JSONField(blank=True, default=dict, encoder=common.db.encoder.ModelJSONFieldEncoder, null=True, verbose_name='Account backup snapshot')),
-                ('trigger', models.CharField(choices=[('manual', 'Manual trigger'), ('timing', 'Timing trigger')], default='manual', max_length=128, verbose_name='Trigger mode')),
-                ('reason', models.CharField(blank=True, max_length=1024, null=True, verbose_name='Reason')),
-                ('is_success', models.BooleanField(default=False, verbose_name='Is success')),
-                ('plan', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='execution', to='assets.accountbackupplan', verbose_name='Account backup plan')),
-            ],
-            options={
-                'verbose_name': 'Account backup execution',
-            },
-        ),
-    ]
--- a/apps/assets/migrations/0085_commandfilterrule_ignore_case.py
+++ b/apps/assets/migrations/0085_commandfilterrule_ignore_case.py
@@ -1,18 +0,0 @@
-# Generated by Django 3.1.13 on 2022-02-08 02:57
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('assets', '0084_auto_20220112_1959'),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name='commandfilterrule',
-            name='ignore_case',
-            field=models.BooleanField(default=True, verbose_name='Ignore case'),
-        ),
-    ]
--- a/apps/assets/migrations/0086_auto_20220217_2135.py
+++ b/apps/assets/migrations/0086_auto_20220217_2135.py
@@ -1,25 +0,0 @@
-# Generated by Django 3.1.13 on 2022-02-17 13:35
-
-from django.db import migrations
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('assets', '0085_commandfilterrule_ignore_case'),
-    ]
-
-    operations = [
-        migrations.AlterModelOptions(
-            name='asset',
-            options={'ordering': ['hostname'], 'permissions': [('test_assetconnectivity', 'Can test asset connectivity'), ('push_assetsystemuser', 'Can push system user to asset')], 'verbose_name': 'Asset'},
-        ),
-        migrations.AlterModelOptions(
-            name='authbook',
-            options={'permissions': [('view_assetaccountsecret', 'Can view asset account secret'), ('change_assetaccountsecret', 'Can change asset account secret')], 'verbose_name': 'AuthBook'},
-        ),
-        migrations.AlterModelOptions(
-            name='label',
-            options={'verbose_name': 'Label'},
-        ),
-    ]
--- a/apps/assets/migrations/0087_auto_20220223_1539.py
+++ b/apps/assets/migrations/0087_auto_20220223_1539.py
@@ -1,18 +0,0 @@
-# Generated by Django 3.1.13 on 2022-02-23 07:39
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('assets', '0086_auto_20220217_2135'),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name='systemuser',
-            name='protocol',
-            field=models.CharField(choices=[('ssh', 'SSH'), ('rdp', 'RDP'), ('telnet', 'Telnet'), ('vnc', 'VNC'), ('mysql', 'MySQL'), ('oracle', 'Oracle'), ('mariadb', 'MariaDB'), ('postgresql', 'PostgreSQL'), ('sqlserver', 'SQLServer'), ('redis', 'Redis'), ('mongodb', 'MongoDB'), ('k8s', 'K8S')], default='ssh', max_length=16, verbose_name='Protocol'),
-        ),
-    ]
--- a/apps/assets/migrations/0088_auto_20220303_1612.py
+++ b/apps/assets/migrations/0088_auto_20220303_1612.py
@@ -1,25 +0,0 @@
-# Generated by Django 3.1.14 on 2022-03-03 08:12
-
-from django.db import migrations
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('assets', '0087_auto_20220223_1539'),
-    ]
-
-    operations = [
-        migrations.AlterModelOptions(
-            name='asset',
-            options={'ordering': ['hostname'], 'permissions': [('refresh_assethardwareinfo', 'Can refresh asset hardware info'), ('test_assetconnectivity', 'Can test asset connectivity'), ('push_assetsystemuser', 'Can push system user to asset'), ('match_asset', 'Can match asset')], 'verbose_name': 'Asset'},
-        ),
-        migrations.AlterModelOptions(
-            name='node',
-            options={'ordering': ['parent_key', 'value'], 'permissions': [('match_node', 'Can match node')], 'verbose_name': 'Node'},
-        ),
-        migrations.AlterModelOptions(
-            name='systemuser',
-            options={'ordering': ['name'], 'permissions': [('match_systemuser', 'Can match system user')], 'verbose_name': 'System user'},
-        ),
-    ]
--- a/apps/assets/migrations/0089_auto_20220310_0616.py
+++ b/apps/assets/migrations/0089_auto_20220310_0616.py
@@ -1,29 +0,0 @@
-# Generated by Django 3.1.14 on 2022-03-09 22:16
-
-from django.db import migrations
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('assets', '0088_auto_20220303_1612'),
-    ]
-
-    operations = [
-        migrations.AlterModelOptions(
-            name='authbook',
-            options={'permissions': [('test_authbook', 'Can test asset account connectivity'), ('view_assetaccountsecret', 'Can view asset account secret'), ('change_assetaccountsecret', 'Can change asset account secret')], 'verbose_name': 'AuthBook'},
-        ),
-        migrations.AlterModelOptions(
-            name='systemuser',
-            options={'ordering': ['name'], 'permissions': [('match_systemuser', 'Can match system user')], 'verbose_name': 'System user'},
-        ),
-        migrations.AlterModelOptions(
-            name='asset',
-            options={'ordering': ['hostname'], 'permissions': [('refresh_assethardwareinfo', 'Can refresh asset hardware info'), ('test_assetconnectivity', 'Can test asset connectivity'), ('push_assetsystemuser', 'Can push system user to asset'), ('match_asset', 'Can match asset'), ('add_assettonode', 'Add asset to node'), ('move_assettonode', 'Move asset to node')], 'verbose_name': 'Asset'},
-        ),
-        migrations.AlterModelOptions(
-            name='gateway',
-            options={'permissions': [('test_gateway', 'Test gateway')], 'verbose_name': 'Gateway'},
-        ),
-    ]
--- a/apps/assets/migrations/0090_auto_20220412_1145.py
+++ b/apps/assets/migrations/0090_auto_20220412_1145.py
@@ -1,32 +0,0 @@
-# Generated by Django 3.1.14 on 2022-04-12 03:45
-
-from django.db import migrations, models
-
-
-def create_internal_platform(apps, schema_editor):
-    model = apps.get_model("assets", "Platform")
-    db_alias = schema_editor.connection.alias
-    type_platforms = (
-        ('AIX', 'Unix', None),
-    )
-    for name, base, meta in type_platforms:
-        defaults = {'name': name, 'base': base, 'meta': meta, 'internal': True}
-        model.objects.using(db_alias).update_or_create(
-            name=name, defaults=defaults
-        )
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('assets', '0089_auto_20220310_0616'),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name='asset',
-            name='number',
-            field=models.CharField(blank=True, max_length=128, null=True, verbose_name='Asset number'),
-        ),
-        migrations.RunPython(create_internal_platform)
-    ]
--- a/apps/assets/migrations/0091_auto_20220629_1826.py
+++ b/apps/assets/migrations/0091_auto_20220629_1826.py
@@ -1,26 +0,0 @@
-# Generated by Django 3.1.14 on 2022-06-29 10:26
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('assets', '0090_auto_20220412_1145'),
-    ]
-
-    operations = [
-        migrations.AlterModelOptions(
-            name='authbook',
-            options={'permissions': [('test_authbook', 'Can test asset account connectivity'), ('view_assetaccountsecret', 'Can view asset account secret'), ('change_assetaccountsecret', 'Can change asset account secret'), ('view_assethistoryaccount', 'Can view asset history account'), ('view_assethistoryaccountsecret', 'Can view asset history account secret')], 'verbose_name': 'AuthBook'},
-        ),
-        migrations.AlterModelOptions(
-            name='historicalauthbook',
-            options={'get_latest_by': ('history_date', 'history_id'), 'ordering': ('-history_date', '-history_id'), 'verbose_name': 'historical AuthBook', 'verbose_name_plural': 'historical AuthBooks'},
-        ),
-        migrations.AlterField(
-            model_name='historicalauthbook',
-            name='history_date',
-            field=models.DateTimeField(db_index=True),
-        ),
-    ]
--- a/apps/assets/migrations/0092_commandfilter_nodes.py
+++ b/apps/assets/migrations/0092_commandfilter_nodes.py
@@ -1,18 +0,0 @@
-# Generated by Django 3.2.15 on 2022-10-09 09:55
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('assets', '0091_auto_20220629_1826'),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name='commandfilter',
-            name='nodes',
-            field=models.ManyToManyField(blank=True, related_name='cmd_filters', to='assets.Node', verbose_name='Nodes'),
-        ),
-    ]
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
xinwen	e86f84aaee	fix: 消息订阅redis连接未关闭	2022-02-10 11:43:21 +08:00
xinwen	8b158d39b6	fix: Authbook 取认证信息bug	2022-02-10 11:41:44 +08:00
halo	5adbbeb868	feat: rdp协议新增username表达式，匹配更多特殊字符	2021-12-30 09:59:26 +08:00
Eric	c8b049349c	perf: 修改 Jmservisor 的下载地址名称	2021-12-24 11:35:24 +08:00
Michael Bai	2ff92c5141	fix: 下载页面添加Jmservisor拉起脚本	2021-12-17 15:53:44 +08:00
Michael Bai	3260f0eba8	fix: 修改SAML2.0 Logo	2021-12-17 15:25:00 +08:00