feat: Support automations for website, including ping, secret change, and account verification

* perf: support global search

* perf: change serach

* perf: search model add asset permission

---------

Co-authored-by: mikebofs <mikebofs@gmail.com>
Co-authored-by: ibuler <ibuler@qq.com>

Dockerfile

@@ -1,4 +1,4 @@
-FROM jumpserver/core-base:20250509_094529 AS stage-build
+FROM jumpserver/core-base:20250827_025554 AS stage-build
 
 ARG VERSION
 
@@ -33,6 +33,7 @@ ARG TOOLS="                           \
         default-libmysqlclient-dev    \
         openssh-client                \
         sshpass                       \
+        nmap                          \
         bubblewrap"
 
 ARG APT_MIRROR=http://deb.debian.org

Dockerfile-ee

@@ -14,7 +14,8 @@ ARG TOOLS="                           \
         telnet                        \
         vim                           \
         postgresql-client-13          \
-        wget"
+        wget                          \
+        poppler-utils"
 
 RUN set -ex \
     && apt-get update \
@@ -27,5 +28,5 @@ WORKDIR /opt/jumpserver
 ARG PIP_MIRROR=https://pypi.org/simple
 
 RUN set -ex \
-    && uv pip install -i${PIP_MIRROR} --group xpack
-
+    && uv pip install -i${PIP_MIRROR} --group xpack \
+    && playwright install chromium  --with-deps --only-shell

README.md

@@ -2,7 +2,7 @@
   <a name="readme-top"></a>
   <a href="https://jumpserver.com" target="_blank"><img src="https://download.jumpserver.org/images/jumpserver-logo.svg" alt="JumpServer" width="300" /></a>
   
-## An open-source PAM tool (Bastion Host)
+## An open-source PAM platform (Bastion Host)
 
 [![][license-shield]][license-link]
 [![][docs-shield]][docs-link]
@@ -19,7 +19,7 @@
 
 ## What is JumpServer?
 
-JumpServer is an open-source Privileged Access Management (PAM) tool that provides DevOps and IT teams with on-demand and secure access to SSH, RDP, Kubernetes, Database and RemoteApp endpoints through a web browser.
+JumpServer is an open-source Privileged Access Management (PAM) platform that provides DevOps and IT teams with on-demand and secure access to SSH, RDP, Kubernetes, Database and RemoteApp endpoints through a web browser.
 
 
 <picture>

apps/accounts/api/account/account.py

@@ -41,8 +41,8 @@ class AccountViewSet(OrgBulkModelViewSet):
         'partial_update': ['accounts.change_account'],
         'su_from_accounts': 'accounts.view_account',
         'clear_secret': 'accounts.change_account',
-        'move_to_assets': 'accounts.create_account',
-        'copy_to_assets': 'accounts.create_account',
+        'move_to_assets': 'accounts.delete_account',
+        'copy_to_assets': 'accounts.add_account',
     }
     export_as_zip = True
 
@@ -190,6 +190,7 @@ class AccountHistoriesSecretAPI(ExtraFilterFieldsMixin, AccountRecordViewLogMixi
     rbac_perms = {
         'GET': 'accounts.view_accountsecret',
     }
+    queryset = Account.history.model.objects.none()
 
     @lazyproperty
     def account(self) -> Account:

apps/accounts/api/account/pam_dashboard.py

@@ -20,7 +20,7 @@ __all__ = ['PamDashboardApi']
 class PamDashboardApi(APIView):
     http_method_names = ['get']
     rbac_perms = {
-        'GET': 'accounts.view_account',
+        'GET': 'rbac.view_pam',
     }
 
     @staticmethod

apps/accounts/api/account/virtual.py

@@ -12,6 +12,8 @@ class VirtualAccountViewSet(OrgBulkModelViewSet):
     filterset_fields = ('alias',)
 
     def get_queryset(self):
+        if getattr(self, "swagger_fake_view", False):
+            return VirtualAccount.objects.none()
         return VirtualAccount.get_or_init_queryset()
 
     def get_object(self, ):

apps/accounts/api/automations/base.py

@@ -41,6 +41,7 @@ class AutomationAssetsListApi(generics.ListAPIView):
 
 class AutomationRemoveAssetApi(generics.UpdateAPIView):
     model = BaseAutomation
+    queryset = BaseAutomation.objects.all()
     serializer_class = serializers.UpdateAssetSerializer
     http_method_names = ['patch']
 
@@ -59,6 +60,7 @@ class AutomationRemoveAssetApi(generics.UpdateAPIView):
 
 class AutomationAddAssetApi(generics.UpdateAPIView):
     model = BaseAutomation
+    queryset = BaseAutomation.objects.all()
     serializer_class = serializers.UpdateAssetSerializer
     http_method_names = ['patch']
 

apps/accounts/api/automations/change_secret.py

@@ -154,12 +154,10 @@ class ChangSecretAddAssetApi(AutomationAddAssetApi):
     model = ChangeSecretAutomation
     serializer_class = serializers.ChangeSecretUpdateAssetSerializer
 
-
 class ChangSecretNodeAddRemoveApi(AutomationNodeAddRemoveApi):
     model = ChangeSecretAutomation
     serializer_class = serializers.ChangeSecretUpdateNodeSerializer
 
-
 class ChangeSecretStatusViewSet(OrgBulkModelViewSet):
     perm_model = ChangeSecretAutomation
     filterset_class = ChangeSecretStatusFilterSet

apps/accounts/api/automations/change_secret_dashboard.py

@@ -62,7 +62,8 @@ class ChangeSecretDashboardApi(APIView):
         status_counts = defaultdict(lambda: defaultdict(int))
 
         for date_finished, status in results:
-            date_str = str(date_finished.date())
+            dt_local = timezone.localtime(date_finished)
+            date_str = str(dt_local.date())
             if status == ChangeSecretRecordStatusChoice.failed:
                 status_counts[date_str]['failed'] += 1
             elif status == ChangeSecretRecordStatusChoice.success:
@@ -90,10 +91,10 @@ class ChangeSecretDashboardApi(APIView):
 
     def get_change_secret_asset_queryset(self):
         qs = self.change_secrets_queryset
-        node_ids = qs.filter(nodes__isnull=False).values_list('nodes', flat=True).distinct()
-        nodes = Node.objects.filter(id__in=node_ids)
+        node_ids = qs.values_list('nodes', flat=True).distinct()
+        nodes = Node.objects.filter(id__in=node_ids).only('id', 'key')
         node_asset_ids = Node.get_nodes_all_assets(*nodes).values_list('id', flat=True)
-        direct_asset_ids = qs.filter(assets__isnull=False).values_list('assets', flat=True).distinct()
+        direct_asset_ids = qs.values_list('assets', flat=True).distinct()
         asset_ids = set(list(direct_asset_ids) + list(node_asset_ids))
         return Asset.objects.filter(id__in=asset_ids)
 

apps/accounts/api/automations/check_account.py

@@ -45,10 +45,10 @@ class CheckAccountAutomationViewSet(OrgBulkModelViewSet):
 class CheckAccountExecutionViewSet(AutomationExecutionViewSet):
     rbac_perms = (
         ("list", "accounts.view_checkaccountexecution"),
-        ("retrieve", "accounts.view_checkaccountsexecution"),
+        ("retrieve", "accounts.view_checkaccountexecution"),
         ("create", "accounts.add_checkaccountexecution"),
         ("adhoc", "accounts.add_checkaccountexecution"),
-        ("report", "accounts.view_checkaccountsexecution"),
+        ("report", "accounts.view_checkaccountexecution"),
     )
     ordering = ("-date_created",)
     tp = AutomationTypes.check_account
@@ -150,6 +150,9 @@ class CheckAccountEngineViewSet(JMSModelViewSet):
     http_method_names = ['get', 'options']
 
     def get_queryset(self):
+        if getattr(self, "swagger_fake_view", False):
+            return CheckAccountEngine.objects.none()
+
         return CheckAccountEngine.get_default_engines()
 
     def filter_queryset(self, queryset: list):

apps/accounts/api/automations/push_account.py

@@ -63,12 +63,10 @@ class PushAccountRemoveAssetApi(AutomationRemoveAssetApi):
     model = PushAccountAutomation
     serializer_class = serializers.PushAccountUpdateAssetSerializer
 
-
 class PushAccountAddAssetApi(AutomationAddAssetApi):
     model = PushAccountAutomation
     serializer_class = serializers.PushAccountUpdateAssetSerializer
 
-
 class PushAccountNodeAddRemoveApi(AutomationNodeAddRemoveApi):
     model = PushAccountAutomation
-    serializer_class = serializers.PushAccountUpdateNodeSerializer
+    serializer_class = serializers.PushAccountUpdateNodeSerializer

apps/accounts/automations/base/manager.py

@@ -105,6 +105,10 @@ class BaseChangeSecretPushManager(AccountBasePlaybookManager):
             h['account']['mode'] = 'sysdba' if account.privileged else None
         return h
 
+    def add_extra_params(self, host, **kwargs):
+        host['ssh_params'] = {}
+        return host
+
     def host_callback(self, host, asset=None, account=None, automation=None, path_dir=None, **kwargs):
         host = super().host_callback(
             host, asset=asset, account=account, automation=automation,
@@ -113,8 +117,7 @@ class BaseChangeSecretPushManager(AccountBasePlaybookManager):
         if host.get('error'):
             return host
 
-        host['ssh_params'] = {}
-
+        host = self.add_extra_params(host, automation=automation)
         accounts = self.get_accounts(account)
         existing_ids = set(map(str, accounts.values_list('id', flat=True)))
         missing_ids = set(map(str, self.account_ids)) - existing_ids

apps/accounts/automations/change_secret/database/mongodb/main.yml

@@ -53,4 +53,6 @@
         ssl_certfile: "{{ jms_asset.secret_info.client_key | default('') }}"
         connection_options:
           - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
-      when: check_conn_after_change
+      when: check_conn_after_change
+      register: result
+      failed_when: not result.is_available

apps/accounts/automations/change_secret/database/mysql/main.yml

@@ -39,7 +39,8 @@
         name: "{{ account.username }}"
         password: "{{ account.secret }}"
         host: "%"
-        priv: "{{ account.username + '.*:USAGE' if db_name == '' else db_name + '.*:ALL' }}"
+        priv: "{{ omit if db_name == '' else db_name + '.*:ALL' }}"
+        append_privs: "{{ db_name != '' | bool }}"
       ignore_errors: true
       when: db_info is succeeded
 

apps/accounts/automations/change_secret/database/postgresql/main.yml

@@ -56,3 +56,5 @@
         ssl_key: "{{ ssl_key if check_ssl and ssl_key | length > 0 else omit }}"
         ssl_mode: "{{ jms_asset.spec_info.pg_ssl_mode }}"
       when: check_conn_after_change
+      register: result
+      failed_when: not result.is_available

apps/accounts/automations/change_secret/host/windows/manifest.yml

@@ -8,7 +8,7 @@ type:
 params:
   - name: groups
     type: str
-    label: '用户组'
+    label: "{{ 'Params groups label' | trans }}"
     default: 'Users,Remote Desktop Users'
     help_text: "{{ 'Params groups help text' | trans }}"
 
@@ -24,3 +24,7 @@ i18n:
     ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
     en: 'Please enter the group. Multiple groups are separated by commas (please enter the existing group)'
 
+  Params groups label:
+    zh: '用户组'
+    ja: 'グループ'
+    en: 'Groups'

apps/accounts/automations/change_secret/host/windows_ad/manifest.yml

@@ -9,7 +9,7 @@ type:
 params:
   - name: groups
     type: str
-    label: '用户组'
+    label: "{{ 'Params groups label' | trans }}"
     default: 'Users,Remote Desktop Users'
     help_text: "{{ 'Params groups help text' | trans }}"
 
@@ -25,3 +25,8 @@ i18n:
     ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
     en: 'Please enter the group. Multiple groups are separated by commas (please enter the existing group)'
 
+  Params groups label:
+    zh: '用户组'
+    ja: 'グループ'
+    en: 'Groups'
+

apps/accounts/automations/change_secret/host/windows_rdp_verify/manifest.yml

@@ -9,7 +9,7 @@ priority: 49
 params:
   - name: groups
     type: str
-    label: '用户组'
+    label: "{{ 'Params groups label' | trans }}"
     default: 'Users,Remote Desktop Users'
     help_text: "{{ 'Params groups help text' | trans }}"
 
@@ -25,3 +25,8 @@ i18n:
     ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
     en: 'Please enter the group. Multiple groups are separated by commas (please enter the existing group)'
 
+  Params groups label:
+    zh: '用户组'
+    ja: 'グループ'
+    en: 'Groups'
+

apps/accounts/automations/change_secret/manager.py

@@ -5,6 +5,9 @@ from django.conf import settings
 from django.utils.translation import gettext_lazy as _
 from xlsxwriter import Workbook
 
+from assets.automations.methods import platform_automation_methods as asset_methods
+from assets.const import AutomationTypes as AssetAutomationTypes
+from accounts.automations.methods import platform_automation_methods as account_methods
 from accounts.const import (
     AutomationTypes, SecretStrategy, ChangeSecretRecordStatusChoice
 )
@@ -22,6 +25,22 @@ logger = get_logger(__name__)
 class ChangeSecretManager(BaseChangeSecretPushManager):
     ansible_account_prefer = ''
 
+    def get_method_id_meta_mapper(self):
+        return {
+            method["id"]: method for method in self.platform_automation_methods
+        }
+
+    @property
+    def platform_automation_methods(self):
+        return asset_methods + account_methods
+
+    def add_extra_params(self, host, **kwargs):
+        host = super().add_extra_params(host, **kwargs)
+        automation = kwargs.get('automation')
+        for extra_type in [AssetAutomationTypes.ping, AutomationTypes.verify_account]:
+            host[f"{extra_type}_params"] = self.get_params(automation, extra_type)
+        return host
+
     @classmethod
     def method_type(cls):
         return AutomationTypes.change_secret

apps/accounts/automations/change_secret/web/website/main.yml

@@ -0,0 +1,36 @@
+- hosts: website
+  gather_facts: no
+  vars:
+    ansible_python_interpreter: "{{ local_python_interpreter }}"
+
+  tasks:
+    - name: Test privileged account
+      website_ping:
+        login_host: "{{ jms_asset.address }}"
+        login_user: "{{ jms_account.username }}"
+        login_password: "{{ jms_account.secret }}"
+        steps: "{{ ping_params.steps }}"
+        load_state: "{{ ping_params.load_state }}"
+
+    - name: "Change {{ account.username }} password"
+      website_user:
+        login_host: "{{ jms_asset.address }}"
+        login_user: "{{ jms_account.username }}"
+        login_password: "{{ jms_account.secret }}"
+        steps: "{{ params.steps }}"
+        load_state: "{{ params.load_state }}"
+        name: "{{ account.username }}"
+        password: "{{ account.secret }}"
+      ignore_errors: true
+      register: change_secret_result
+
+    - name: "Verify {{ account.username }} password"
+      website_ping:
+        login_host: "{{ jms_asset.address }}"
+        login_user: "{{ account.username }}"
+        login_password: "{{ account.secret }}"
+        steps: "{{ verify_account_params.steps }}"
+        load_state: "{{ verify_account_params.load_state }}"
+      when:
+       - check_conn_after_change or change_secret_result.failed | default(false)
+      delegate_to: localhost

apps/accounts/automations/change_secret/web/website/manifest.yml

@@ -0,0 +1,51 @@
+id: change_account_website
+name: "{{ 'Website account change secret' | trans }}"
+category: web
+type:
+  - website
+method: change_secret
+priority: 50
+params:
+  - name: load_state
+    type: choice
+    label: "{{ 'Load state' | trans }}"
+    choices:
+      - [ networkidle, "{{ 'Network idle' | trans }}" ]
+      - [ domcontentloaded, "{{ 'Dom content loaded' | trans }}" ]
+      - [ load, "{{ 'Load completed' | trans }}" ]
+    default: 'load'
+  - name: steps
+    type: list
+    default: [ ]
+    label: "{{ 'Steps' | trans }}"
+    help_text: "{{ 'Params step help text' | trans }}"
+
+i18n:
+  Website account change secret:
+    zh: 使用 Playwright 模拟浏览器变更账号密码
+    ja: Playwright を使用してブラウザをシミュレートし、アカウントのパスワードを変更します
+    en: Use Playwright to simulate a browser for account password change.
+  Load state:
+    zh: 加载状态检测
+    en: Load state detection
+    ja: ロード状態の検出
+  Steps:
+    zh: 步骤
+    en: Steps
+    ja: 手順
+  Network idle:
+    zh: 网络空闲
+    en: Network idle
+    ja: ネットワークが空いた状態
+  Dom content loaded:
+    zh: 文档内容加载完成
+    en: Dom content loaded
+    ja: ドキュメントの内容がロードされた状態
+  Load completed:
+    zh: 全部加载完成
+    en: All load completed
+    ja: すべてのロードが完了した状態
+  Params step help text:
+    zh: 根据配置决定任务执行步骤
+    ja: 設定に基づいてタスクの実行ステップを決定する
+    en: Determine task execution steps based on configuration

apps/accounts/automations/check_account/manager.py

@@ -240,6 +240,11 @@ class CheckAccountManager(BaseManager):
 
                 print("Check: {} => {}".format(account, msg))
                 if not error:
+                    AccountRisk.objects.filter(
+                        asset=account.asset,
+                        username=account.username,
+                        risk=handler.risk
+                    ).delete()
                     continue
                 self.add_risk(handler.risk, account)
             self.commit_risks(_assets)

apps/accounts/automations/push_account/database/mongodb/main.yml

@@ -54,3 +54,5 @@
         connection_options:
           - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
       when: check_conn_after_change
+      register: result
+      failed_when: not result.is_available

apps/accounts/automations/push_account/database/mysql/main.yml

@@ -39,7 +39,8 @@
         name: "{{ account.username }}"
         password: "{{ account.secret }}"
         host: "%"
-        priv: "{{ account.username + '.*:USAGE' if db_name == '' else db_name + '.*:ALL' }}"
+        priv: "{{ omit if db_name == '' else db_name + '.*:ALL' }}"
+        append_privs: "{{ db_name != '' | bool }}"
       ignore_errors: true
       when: db_info is succeeded
 

apps/accounts/automations/push_account/host/windows/manifest.yml

@@ -8,7 +8,7 @@ type:
 params:
   - name: groups
     type: str
-    label: '用户组'
+    label: "{{ 'Params groups label' | trans }}"
     default: 'Users,Remote Desktop Users'
     help_text: "{{ 'Params groups help text' | trans }}"
 
@@ -22,3 +22,8 @@ i18n:
     zh: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
     ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
     en: 'Please enter the group. Multiple groups are separated by commas (please enter the existing group)'
+
+  Params groups label:
+    zh: '用户组'
+    ja: 'グループ'
+    en: 'Groups'

apps/accounts/automations/push_account/host/windows_ad/manifest.yml

@@ -9,7 +9,7 @@ type:
 params:
   - name: groups
     type: str
-    label: '用户组'
+    label: "{{ 'Params groups label' | trans }}"
     default: 'Users,Remote Desktop Users'
     help_text: "{{ 'Params groups help text' | trans }}"
 
@@ -23,3 +23,8 @@ i18n:
     zh: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
     ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
     en: 'Please enter the group. Multiple groups are separated by commas (please enter the existing group)'
+
+  Params groups label:
+    zh: '用户组'
+    ja: 'グループ'
+    en: 'Groups'

apps/accounts/automations/push_account/host/windows_rdp_verify/manifest.yml

@@ -9,7 +9,7 @@ priority: 49
 params:
   - name: groups
     type: str
-    label: '用户组'
+    label: "{{ 'Params groups label' | trans }}"
     default: 'Users,Remote Desktop Users'
     help_text: "{{ 'Params groups help text' | trans }}"
 
@@ -23,3 +23,8 @@ i18n:
     zh: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
     ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
     en: 'Please enter the group. Multiple groups are separated by commas (please enter the existing group)'
+
+  Params groups label:
+    zh: '用户组'
+    ja: 'グループ'
+    en: 'Groups'

apps/accounts/automations/verify_account/database/mongodb/main.yml

@@ -16,3 +16,5 @@
         ssl_certfile: "{{ jms_asset.secret_info.client_key | default('') }}"
         connection_options:
           - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert }}"
+      register: result
+      failed_when: not result.is_available

apps/accounts/automations/verify_account/web/website/main.yml

@@ -0,0 +1,13 @@
+- hosts: website
+  gather_facts: no
+  vars:
+    ansible_python_interpreter: "{{ local_python_interpreter }}"
+
+  tasks:
+    - name: Verify account
+      website_ping:
+        login_host: "{{ jms_asset.address }}"
+        login_user: "{{ account.username }}"
+        login_password: "{{ account.secret }}"
+        steps: "{{ params.steps }}"
+        load_state: "{{ params.load_state }}"

apps/accounts/automations/verify_account/web/website/manifest.yml

@@ -0,0 +1,50 @@
+id: verify_account_website
+name: "{{ 'Website account verify' | trans }}"
+category: web
+type:
+  - website
+method: verify_account
+priority: 50
+params:
+  - name: load_state
+    type: choice
+    label: "{{ 'Load state' | trans }}"
+    choices:
+      - [ networkidle, "{{ 'Network idle' | trans }}" ]
+      - [ domcontentloaded, "{{ 'Dom content loaded' | trans }}" ]
+      - [ load, "{{ 'Load completed' | trans }}" ]
+    default: 'load'
+  - name: steps
+    type: list
+    label: "{{ 'Steps' | trans }}"
+    help_text: "{{ 'Params step help text' | trans }}"
+    default: []
+i18n:
+  Website account verify:
+    zh: 使用 Playwright 模拟浏览器验证账号
+    ja: Playwright を使用してブラウザをシミュレートし、アカウントの検証を行います
+    en: Use Playwright to simulate a browser for account verification.
+  Load state:
+    zh: 加载状态检测
+    en: Load state detection
+    ja: ロード状態の検出
+  Steps:
+    zh: 步骤
+    en: Steps
+    ja: 手順
+  Network idle:
+    zh: 网络空闲
+    en: Network idle
+    ja: ネットワークが空いた状態
+  Dom content loaded:
+    zh: 文档内容加载完成
+    en: Dom content loaded
+    ja: ドキュメントの内容がロードされた状態
+  Load completed:
+    zh: 全部加载完成
+    en: All load completed
+    ja: すべてのロードが完了した状態
+  Params step help text:
+    zh: 配置步骤，根据配置决定任务执行步骤
+    ja: パラメータを設定し、設定に基づいてタスクの実行手順を決定します
+    en: Configure steps, and determine the task execution steps based on the configuration.

apps/accounts/backends/azure/service.py

@@ -1,8 +1,5 @@
 # -*- coding: utf-8 -*-
 #
-from azure.core.exceptions import ResourceNotFoundError, ClientAuthenticationError
-from azure.identity import ClientSecretCredential
-from azure.keyvault.secrets import SecretClient
 
 from common.utils import get_logger
 
@@ -14,6 +11,9 @@ __all__ = ['AZUREVaultClient']
 class AZUREVaultClient(object):
 
     def __init__(self, vault_url, tenant_id, client_id, client_secret):
+        from azure.identity import ClientSecretCredential
+        from azure.keyvault.secrets import SecretClient
+        
         authentication_endpoint = 'https://login.microsoftonline.com/' \
             if ('azure.net' in vault_url) else 'https://login.chinacloudapi.cn/'
 
@@ -23,6 +23,8 @@ class AZUREVaultClient(object):
         self.client = SecretClient(vault_url=vault_url, credential=credentials)
 
     def is_active(self):
+        from azure.core.exceptions import ResourceNotFoundError, ClientAuthenticationError
+
         try:
             self.client.set_secret('jumpserver', '666')
         except (ResourceNotFoundError, ClientAuthenticationError) as e:
@@ -32,6 +34,8 @@ class AZUREVaultClient(object):
             return True, ''
 
     def get(self, name, version=None):
+        from azure.core.exceptions import ResourceNotFoundError, ClientAuthenticationError
+
         try:
             secret = self.client.get_secret(name, version)
             return secret.value

apps/accounts/migrations/0001_initial.py

@@ -46,11 +46,16 @@ class Migration(migrations.Migration):
             ],
             options={
                 'verbose_name': 'Account',
-                'permissions': [('view_accountsecret', 'Can view asset account secret'),
-                                ('view_historyaccount', 'Can view asset history account'),
-                                ('view_historyaccountsecret', 'Can view asset history account secret'),
-                                ('verify_account', 'Can verify account'), ('push_account', 'Can push account'),
-                                ('remove_account', 'Can remove account')],
+                'permissions': [
+                    ('view_accountsecret', 'Can view asset account secret'),
+                    ('view_historyaccount', 'Can view asset history account'),
+                    ('view_historyaccountsecret', 'Can view asset history account secret'),
+                    ('verify_account', 'Can verify account'),
+                    ('push_account', 'Can push account'),
+                    ('remove_account', 'Can remove account'),
+                    ('view_accountsession', 'Can view session'),
+                    ('view_accountactivity', 'Can view activity')
+                ],
             },
         ),
         migrations.CreateModel(

apps/accounts/models/account.py

@@ -116,6 +116,8 @@ class Account(AbsConnectivity, LabeledMixin, BaseAccount, JSONFilterMixin):
             ('verify_account', _('Can verify account')),
             ('push_account', _('Can push account')),
             ('remove_account', _('Can remove account')),
+            ('view_accountsession', _('Can view session')),
+            ('view_accountactivity', _('Can view activity')),
         ]
 
     def __str__(self):
@@ -130,7 +132,7 @@ class Account(AbsConnectivity, LabeledMixin, BaseAccount, JSONFilterMixin):
         return self.asset.platform
 
     @lazyproperty
-    def alias(self):
+    def alias(self) -> str:
         """
         别称，因为有虚拟账号，@INPUT @MANUAL @USER, 否则为 id
         """
@@ -138,13 +140,13 @@ class Account(AbsConnectivity, LabeledMixin, BaseAccount, JSONFilterMixin):
             return self.username
         return str(self.id)
 
-    def is_virtual(self):
+    def is_virtual(self) -> bool:
         """
         不要用 username 去判断，因为可能是构造的 account 对象，设置了同名账号的用户名,
         """
         return self.alias.startswith('@')
 
-    def is_ds_account(self):
+    def is_ds_account(self) -> bool:
         if self.is_virtual():
             return ''
         if not self.asset.is_directory_service:
@@ -158,7 +160,7 @@ class Account(AbsConnectivity, LabeledMixin, BaseAccount, JSONFilterMixin):
         return self.asset.ds
 
     @lazyproperty
-    def ds_domain(self):
+    def ds_domain(self) -> str:
         """这个不能去掉，perm_account 会动态设置这个值，以更改 full_username"""
         if self.is_virtual():
             return ''
@@ -170,17 +172,17 @@ class Account(AbsConnectivity, LabeledMixin, BaseAccount, JSONFilterMixin):
         return '@' in self.username or '\\' in self.username
 
     @property
-    def full_username(self):
+    def full_username(self) -> str:
         if not self.username_has_domain() and self.ds_domain:
             return '{}@{}'.format(self.username, self.ds_domain)
         return self.username
 
     @lazyproperty
-    def has_secret(self):
+    def has_secret(self) -> bool:
         return bool(self.secret)
 
     @lazyproperty
-    def versions(self):
+    def versions(self) -> int:
         return self.history.count()
 
     def get_su_from_accounts(self):

apps/accounts/models/application.py

@@ -33,7 +33,7 @@ class IntegrationApplication(JMSOrgBaseModel):
         return qs.filter(*query)
 
     @property
-    def accounts_amount(self):
+    def accounts_amount(self) -> int:
         return self.get_accounts().count()
 
     @property

apps/accounts/models/automations/check_account.py

@@ -68,8 +68,10 @@ class AccountRisk(JMSOrgBaseModel):
         related_name='risks', null=True
     )
     risk = models.CharField(max_length=128, verbose_name=_('Risk'), choices=RiskChoice.choices)
-    status = models.CharField(max_length=32, choices=ConfirmOrIgnore.choices, default=ConfirmOrIgnore.pending,
-                              blank=True, verbose_name=_('Status'))
+    status = models.CharField(
+        max_length=32, choices=ConfirmOrIgnore.choices, default=ConfirmOrIgnore.pending,
+        blank=True, verbose_name=_('Status')
+    )
     details = models.JSONField(default=list, verbose_name=_('Detail'))
 
     class Meta:

apps/accounts/models/base.py

@@ -75,11 +75,11 @@ class BaseAccount(VaultModelMixin, JMSOrgBaseModel):
         return bool(self.secret)
 
     @property
-    def has_username(self):
+    def has_username(self) -> bool:
         return bool(self.username)
 
     @property
-    def spec_info(self):
+    def spec_info(self) -> dict:
         data = {}
         if self.secret_type != SecretType.SSH_KEY:
             return data
@@ -87,13 +87,13 @@ class BaseAccount(VaultModelMixin, JMSOrgBaseModel):
         return data
 
     @property
-    def password(self):
+    def password(self) -> str:
         if self.secret_type == SecretType.PASSWORD:
             return self.secret
         return None
 
     @property
-    def private_key(self):
+    def private_key(self) -> str:
         if self.secret_type == SecretType.SSH_KEY:
             return self.secret
         return None
@@ -110,7 +110,7 @@ class BaseAccount(VaultModelMixin, JMSOrgBaseModel):
         return None
 
     @property
-    def ssh_key_fingerprint(self):
+    def ssh_key_fingerprint(self) -> str:
         if self.public_key:
             public_key = self.public_key
         elif self.private_key:

apps/accounts/models/mixins/vault.py

@@ -56,7 +56,7 @@ class VaultModelMixin(models.Model):
     __secret = None
 
     @property
-    def secret(self):
+    def secret(self) -> str:
         if self.__secret:
             return self.__secret
         from accounts.backends import vault_client

apps/accounts/models/virtual.py

@@ -18,11 +18,11 @@ class VirtualAccount(JMSOrgBaseModel):
         verbose_name = _('Virtual account')
 
     @property
-    def name(self):
+    def name(self) -> str:
         return self.get_alias_display()
 
     @property
-    def username(self):
+    def username(self) -> str:
         usernames_map = {
             AliasAccount.INPUT: _("Manual input"),
             AliasAccount.USER: _("Same with user"),
@@ -32,7 +32,7 @@ class VirtualAccount(JMSOrgBaseModel):
         return usernames_map.get(self.alias, '')
 
     @property
-    def comment(self):
+    def comment(self) -> str:
         comments_map = {
             AliasAccount.INPUT: _('Non-asset account, Input username/password on connect'),
             AliasAccount.USER: _('The account username name same with user on connect'),

apps/accounts/serializers/account/account.py

@@ -456,6 +456,8 @@ class AssetAccountBulkSerializer(
 
 
 class AccountSecretSerializer(SecretReadableMixin, AccountSerializer):
+    spec_info = serializers.DictField(label=_('Spec info'), read_only=True)
+
     class Meta(AccountSerializer.Meta):
         fields = AccountSerializer.Meta.fields + ['spec_info']
         extra_kwargs = {
@@ -470,6 +472,7 @@ class AccountSecretSerializer(SecretReadableMixin, AccountSerializer):
 
 class AccountHistorySerializer(serializers.ModelSerializer):
     secret_type = LabeledChoiceField(choices=SecretType.choices, label=_('Secret type'))
+    secret = serializers.CharField(label=_('Secret'), read_only=True)
     id = serializers.IntegerField(label=_('ID'), source='history_id', read_only=True)
 
     class Meta:

apps/accounts/serializers/account/base.py

@@ -70,6 +70,8 @@ class AuthValidateMixin(serializers.Serializer):
 class BaseAccountSerializer(
     AuthValidateMixin, ResourceLabelsMixin, BulkOrgResourceModelSerializer
 ):
+    spec_info = serializers.DictField(label=_('Spec info'), read_only=True)
+
     class Meta:
         model = BaseAccount
         fields_mini = ["id", "name", "username"]

apps/accounts/serializers/automations/change_secret.py

@@ -130,7 +130,7 @@ class ChangeSecretRecordSerializer(serializers.ModelSerializer):
         read_only_fields = fields
 
     @staticmethod
-    def get_is_success(obj):
+    def get_is_success(obj) -> bool:
         return obj.status == ChangeSecretRecordStatusChoice.success
 
 
@@ -157,7 +157,7 @@ class ChangeSecretRecordBackUpSerializer(serializers.ModelSerializer):
         read_only_fields = fields
 
     @staticmethod
-    def get_asset(instance):
+    def get_asset(instance) -> str:
         return str(instance.asset)
 
     @staticmethod
@@ -165,7 +165,7 @@ class ChangeSecretRecordBackUpSerializer(serializers.ModelSerializer):
         return str(instance.account)
 
     @staticmethod
-    def get_is_success(obj):
+    def get_is_success(obj) -> str:
         if obj.status == ChangeSecretRecordStatusChoice.success.value:
             return _("Success")
         return _("Failed")
@@ -196,9 +196,9 @@ class ChangeSecretAccountSerializer(serializers.ModelSerializer):
         read_only_fields = fields
 
     @staticmethod
-    def get_meta(obj):
+    def get_meta(obj) -> dict:
         return account_secret_task_status.get(str(obj.id))
 
     @staticmethod
-    def get_ttl(obj):
+    def get_ttl(obj) -> int:
         return account_secret_task_status.get_ttl(str(obj.id))

apps/accounts/serializers/automations/check_account.py

@@ -69,7 +69,7 @@ class AssetRiskSerializer(serializers.Serializer):
     risk_summary = serializers.SerializerMethodField()
 
     @staticmethod
-    def get_risk_summary(obj):
+    def get_risk_summary(obj) -> dict:
         summary = {}
         for risk in RiskChoice.choices:
             summary[f"{risk[0]}_count"] = obj.get(f"{risk[0]}_count", 0)

apps/acls/models/base.py

@@ -5,7 +5,7 @@ from django.utils.translation import gettext_lazy as _
 from common.db.fields import JSONManyToManyField
 from common.db.models import JMSBaseModel
 from common.utils import contains_ip
-from common.utils.time_period import contains_time_period
+from common.utils.timezone import contains_time_period
 from orgs.mixins.models import OrgModelMixin, OrgManager
 from ..const import ActionChoices
 

apps/acls/models/command_acl.py

@@ -34,16 +34,16 @@ class CommandGroup(JMSOrgBaseModel):
 
     @lazyproperty
     def pattern(self):
+        content = self.content.replace('\r\n', '\n')
         if self.type == 'command':
-            s = self.construct_command_regex(self.content)
+            s = self.construct_command_regex(content)
         else:
-            s = r'{0}'.format(self.content)
+            s = r'{0}'.format(r'{}'.format('|'.join(content.split('\n'))))
         return s
 
     @classmethod
     def construct_command_regex(cls, content):
         regex = []
-        content = content.replace('\r\n', '\n')
         for _cmd in content.split('\n'):
             cmd = re.sub(r'\s+', ' ', _cmd)
             cmd = re.escape(cmd)

apps/acls/serializers/connect_method.py

@@ -1,4 +1,4 @@
-from orgs.mixins.serializers import BulkOrgResourceModelSerializer
+from common.serializers.mixin import CommonBulkModelSerializer
 from .base import BaseUserAssetAccountACLSerializer as BaseSerializer
 from ..const import ActionChoices
 from ..models import ConnectMethodACL
@@ -6,16 +6,15 @@ from ..models import ConnectMethodACL
 __all__ = ["ConnectMethodACLSerializer"]
 
 
-class ConnectMethodACLSerializer(BaseSerializer, BulkOrgResourceModelSerializer):
+class ConnectMethodACLSerializer(BaseSerializer, CommonBulkModelSerializer):
     class Meta(BaseSerializer.Meta):
         model = ConnectMethodACL
         fields = [
             i for i in BaseSerializer.Meta.fields + ['connect_methods']
-            if i not in ['assets', 'accounts']
+            if i not in ['assets', 'accounts', 'org_id']
         ]
         action_choices_exclude = BaseSerializer.Meta.action_choices_exclude + [
             ActionChoices.review,
-            ActionChoices.accept,
             ActionChoices.notice,
             ActionChoices.face_verify,
             ActionChoices.face_online,

apps/acls/serializers/login_acl.py

@@ -1,7 +1,7 @@
 from django.utils.translation import gettext as _
 
+from common.serializers import CommonBulkModelSerializer
 from common.serializers import MethodSerializer
-from orgs.mixins.serializers import BulkOrgResourceModelSerializer
 from .base import BaseUserACLSerializer
 from .rules import RuleSerializer
 from ..const import ActionChoices
@@ -12,12 +12,12 @@ __all__ = ["LoginACLSerializer"]
 common_help_text = _("With * indicating a match all. ")
 
 
-class LoginACLSerializer(BaseUserACLSerializer, BulkOrgResourceModelSerializer):
+class LoginACLSerializer(BaseUserACLSerializer, CommonBulkModelSerializer):
     rules = MethodSerializer(label=_('Rule'))
 
     class Meta(BaseUserACLSerializer.Meta):
         model = LoginACL
-        fields = BaseUserACLSerializer.Meta.fields + ['rules', ]
+        fields = list((set(BaseUserACLSerializer.Meta.fields) | {'rules'}) - {'org_id'})
         action_choices_exclude = [
             ActionChoices.warning,
             ActionChoices.notify_and_warn,

apps/assets/api/category.py

@@ -16,6 +16,7 @@ class CategoryViewSet(ListModelMixin, JMSGenericViewSet):
         'types': TypeSerializer,
     }
     permission_classes = (IsValidUser,)
+    default_limit = None
 
     def get_queryset(self):
         return AllTypes.categories()

apps/assets/api/favorite_asset.py

@@ -14,6 +14,7 @@ class FavoriteAssetViewSet(BulkModelViewSet):
     serializer_class = FavoriteAssetSerializer
     permission_classes = (IsValidUser,)
     filterset_fields = ['asset']
+    default_limit = None
 
     def dispatch(self, request, *args, **kwargs):
         with tmp_to_root_org():

apps/assets/api/platform.py

@@ -7,15 +7,18 @@ from rest_framework.decorators import action
 from rest_framework.response import Response
 
 from assets.const import AllTypes
-from assets.models import Platform, Node, Asset, PlatformProtocol
+from assets.models import Platform, Node, Asset, PlatformProtocol, PlatformAutomation
 from assets.serializers import PlatformSerializer, PlatformProtocolSerializer, PlatformListSerializer
 from common.api import JMSModelViewSet
 from common.permissions import IsValidUser
 from common.serializers import GroupedChoiceSerializer
+from rbac.models import RoleBinding
 
 __all__ = ['AssetPlatformViewSet', 'PlatformAutomationMethodsApi', 'PlatformProtocolViewSet']
 
 
+
+
 class PlatformFilter(filters.FilterSet):
     name__startswith = filters.CharFilter(field_name='name', lookup_expr='istartswith')
 
@@ -40,6 +43,7 @@ class AssetPlatformViewSet(JMSModelViewSet):
         'ops_methods': 'assets.view_platform',
         'filter_nodes_assets': 'assets.view_platform',
     }
+    default_limit = None
 
     def get_queryset(self):
         # 因为没有走分页逻辑，所以需要这里 prefetch
@@ -63,6 +67,13 @@ class AssetPlatformViewSet(JMSModelViewSet):
             return super().get_object()
         return self.get_queryset().get(name=pk)
 
+
+    def check_permissions(self, request):
+        if self.action == 'list' and RoleBinding.is_org_admin(request.user):
+            return True
+        else:
+            return super().check_permissions(request)
+
     def check_object_permissions(self, request, obj):
         if request.method.lower() in ['delete', 'put', 'patch'] and obj.internal:
             self.permission_denied(
@@ -102,6 +113,7 @@ class PlatformProtocolViewSet(JMSModelViewSet):
 
 class PlatformAutomationMethodsApi(generics.ListAPIView):
     permission_classes = (IsValidUser,)
+    queryset = PlatformAutomation.objects.none()
 
     @staticmethod
     def automation_methods():

apps/assets/api/protocol.py

@@ -1,8 +1,8 @@
 from rest_framework.generics import ListAPIView
 
 from assets import serializers
-from assets.const import Protocol
 from common.permissions import IsValidUser
+from assets.models import Protocol
 
 __all__ = ['ProtocolListApi']
 
@@ -13,3 +13,13 @@ class ProtocolListApi(ListAPIView):
 
     def get_queryset(self):
         return list(Protocol.protocols())
+
+    def filter_queryset(self, queryset):
+        search = self.request.query_params.get("search", "").lower().strip()
+        if not search:
+            return queryset
+        queryset = [
+            p for p in queryset
+            if search in p['label'].lower() or search in p['value'].lower()
+        ]
+        return queryset

apps/assets/api/tree.py

@@ -161,6 +161,7 @@ class CategoryTreeApi(SerializeToTreeNodeMixin, generics.ListAPIView):
         'GET': 'assets.view_asset',
         'list': 'assets.view_asset',
     }
+    queryset = Node.objects.none()
 
     def get_assets(self):
         key = self.request.query_params.get('key')

apps/assets/automations/base/manager.py

@@ -201,14 +201,17 @@ class PlaybookPrepareMixin:
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
         # example: {'gather_fact_windows': {'id': 'gather_fact_windows', 'name': '', 'method': 'gather_fact', ...} }
-        self.method_id_meta_mapper = {
+        self.method_id_meta_mapper = self.get_method_id_meta_mapper()
+        # 根据执行方式就行分组, 不同资产的改密、推送等操作可能会使用不同的执行方式
+        # 然后根据执行方式分组, 再根据 bulk_size 分组, 生成不同的 playbook
+        self.playbooks = []
+
+    def get_method_id_meta_mapper(self):
+        return {
             method["id"]: method
             for method in self.platform_automation_methods
             if method["method"] == self.__class__.method_type()
         }
-        # 根据执行方式就行分组, 不同资产的改密、推送等操作可能会使用不同的执行方式
-        # 然后根据执行方式分组, 再根据 bulk_size 分组, 生成不同的 playbook
-        self.playbooks = []
 
     @classmethod
     def method_type(cls):

apps/assets/automations/gather_facts/format_asset_info.py

@@ -11,15 +11,20 @@ class FormatAssetInfo:
     @staticmethod
     def get_cpu_model_count(cpus):
         try:
-            models = [cpus[i + 1] + " " + cpus[i + 2] for i in range(0, len(cpus), 3)]
+            if len(cpus) % 3 == 0:
+                step = 3
+                models = [cpus[i + 2] for i in range(0, len(cpus), step)]
+            elif len(cpus) % 2 == 0:
+                step = 2
+                models = [cpus[i + 1] for i in range(0, len(cpus), step)]
+            else:
+                raise ValueError("CPU list format not recognized")
 
             model_counts = Counter(models)
-
             result = ', '.join([f"{model} x{count}" for model, count in model_counts.items()])
         except Exception as e:
             print(f"Error processing CPU model list: {e}")
             result = ''
-
         return result
 
     @staticmethod

apps/assets/automations/ping/custom/rdp/main.yml

@@ -4,6 +4,7 @@
     ansible_shell_type: sh
     ansible_connection: local
     ansible_python_interpreter: "{{ local_python_interpreter }}"
+    ansible_timeout: 30
 
   tasks:
     - name: Test asset connection (pyfreerdp)

apps/assets/automations/ping/custom/ssh/main.yml

@@ -4,7 +4,7 @@
     ansible_connection: local
     ansible_shell_type: sh
     ansible_become: false
-
+    ansible_timeout: 30
   tasks:
     - name: Test asset connection (paramiko)
       ssh_ping:

apps/assets/automations/ping/custom/telnet/main.yml

@@ -3,7 +3,7 @@
   vars:
     ansible_connection: local
     ansible_shell_type: sh
-
+    ansible_timeout: 30
   tasks:
     - name: Test asset connection (telnet)
       telnet_ping:

apps/assets/automations/ping/database/mongodb/main.yml

@@ -2,6 +2,7 @@
   gather_facts: no
   vars:
     ansible_python_interpreter: "{{ local_python_interpreter }}"
+    ansible_timeout: 30
 
   tasks:
     - name: Test MongoDB connection
@@ -16,3 +17,5 @@
         ssl_certfile: "{{ jms_asset.secret_info.client_key | default('') }}"
         connection_options:
           - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
+      register: result
+      failed_when: not result.is_available

apps/assets/automations/ping/database/mysql/main.yml

@@ -6,6 +6,7 @@
     ca_cert: "{{ jms_asset.secret_info.ca_cert | default('') }}"
     ssl_cert: "{{ jms_asset.secret_info.client_cert | default('') }}"
     ssl_key: "{{ jms_asset.secret_info.client_key | default('') }}"
+    ansible_timeout: 30
 
   tasks:
     - name: Test MySQL connection

apps/assets/automations/ping/database/oracle/main.yml

@@ -2,6 +2,7 @@
   gather_facts: no
   vars:
     ansible_python_interpreter: "{{ local_python_interpreter }}"
+    ansible_timeout: 30
 
   tasks:
     - name: Test Oracle connection

apps/assets/automations/ping/database/postgresql/main.yml

@@ -6,7 +6,7 @@
     ca_cert: "{{ jms_asset.secret_info.ca_cert | default('') }}"
     ssl_cert: "{{ jms_asset.secret_info.client_cert | default('') }}"
     ssl_key: "{{ jms_asset.secret_info.client_key | default('') }}"
-
+    ansible_timeout: 30
   tasks:
     - name: Test PostgreSQL connection
       community.postgresql.postgresql_ping:

apps/assets/automations/ping/database/sqlserver/main.yml

@@ -2,6 +2,7 @@
   gather_facts: no
   vars:
     ansible_python_interpreter: "{{ local_python_interpreter }}"
+    ansible_timeout: 30
 
   tasks:
     - name: Test SQLServer connection

apps/assets/automations/ping/web/website/main.yml

@@ -0,0 +1,13 @@
+- hosts: website
+  gather_facts: no
+  vars:
+    ansible_python_interpreter: "{{ local_python_interpreter }}"
+
+  tasks:
+    - name: Test Website connection
+      website_ping:
+        login_host: "{{ jms_asset.address }}"
+        login_user: "{{ jms_account.username }}"
+        login_password: "{{ jms_account.secret }}"
+        steps: "{{ params.steps }}"
+        load_state: "{{ params.load_state }}"

apps/assets/automations/ping/web/website/manifest.yml

@@ -0,0 +1,50 @@
+id: website_ping
+name: "{{ 'Website ping' | trans }}"
+method: ping
+category:
+  - web
+type:
+  - website
+params:
+  - name: load_state
+    type: choice
+    label: "{{ 'Load state' | trans }}"
+    choices:
+      - [ networkidle, "{{ 'Network idle' | trans }}" ]
+      - [ domcontentloaded, "{{ 'Dom content loaded' | trans }}" ]
+      - [ load, "{{ 'Load completed' | trans }}" ]
+    default: 'load'
+  - name: steps
+    type: list
+    default: []
+    label: "{{ 'Steps' | trans }}"
+    help_text: "{{ 'Params step help text' | trans }}"
+i18n:
+  Website ping:
+    zh: 使用 Playwright 模拟浏览器测试可连接性
+    en: Use Playwright to simulate a browser for connectivity testing
+    ja: Playwright を使用してブラウザをシミュレートし、接続性テストを実行する
+  Load state:
+    zh: 加载状态检测
+    en: Load state detection
+    ja: ロード状態の検出
+  Steps:
+    zh: 步骤
+    en: Steps
+    ja: 手順
+  Network idle:
+    zh: 网络空闲
+    en: Network idle
+    ja: ネットワークが空いた状態
+  Dom content loaded:
+    zh: 文档内容加载完成
+    en: Dom content loaded
+    ja: ドキュメントの内容がロードされた状態
+  Load completed:
+    zh: 全部加载完成
+    en: All load completed
+    ja: すべてのロードが完了した状態
+  Params step help text:
+    zh: 配置步骤，根据配置决定任务执行步骤
+    ja: パラメータを設定し、設定に基づいてタスクの実行手順を決定します
+    en: Configure steps, and determine the task execution steps based on the configuration.

apps/assets/const/automation.py

@@ -14,6 +14,10 @@ class Connectivity(TextChoices):
     NTLM_ERR = 'ntlm_err', _('NTLM credentials rejected error')
     CREATE_TEMPORARY_ERR = 'create_temp_err', _('Create temporary error')
 
+    @classmethod
+    def as_dict(cls):
+        return {choice.value: choice.label for choice in cls}
+
 
 class AutomationTypes(TextChoices):
     ping = 'ping', _('Ping')

apps/assets/const/category.py

@@ -20,3 +20,7 @@ class Category(ChoicesMixin, models.TextChoices):
         _category = getattr(cls, category.upper(), None)
         choices = [(_category.value, _category.label)] if _category else cls.choices
         return choices
+
+    @classmethod
+    def as_dict(cls):
+        return {choice.value: choice.label for choice in cls}

apps/assets/const/protocol.py

@@ -349,7 +349,7 @@ class Protocol(ChoicesMixin, models.TextChoices):
         for protocol, config in cls.settings().items():
             if not xpack_enabled and config.get('xpack', False):
                 continue
-            protocols.append(protocol)
+            protocols.append({'label': protocol.label, 'value': protocol.value})
 
         from assets.models.platform import PlatformProtocol
         custom_protocols = (

apps/assets/const/web.py

@@ -20,13 +20,17 @@ class WebTypes(BaseType):
     def _get_automation_constrains(cls) -> dict:
         constrains = {
             '*': {
-                'ansible_enabled': False,
-                'ping_enabled': False,
+                'ansible_enabled': True,
+                'ansible_config': {
+                    'ansible_connection': 'local',
+                },
+                'ping_enabled': True,
                 'gather_facts_enabled': False,
-                'verify_account_enabled': False,
-                'change_secret_enabled': False,
+                'verify_account_enabled': True,
+                'change_secret_enabled': True,
                 'push_account_enabled': False,
                 'gather_accounts_enabled': False,
+                'remove_account_enabled': False,
             }
         }
         return constrains

apps/assets/models/asset/common.py

@@ -112,7 +112,7 @@ class Protocol(models.Model):
         return protocols[0] if len(protocols) > 0 else {}
 
     @property
-    def setting(self):
+    def setting(self) -> dict:
         if self._setting is not None:
             return self._setting
         return self.asset_platform_protocol.get('setting', {})
@@ -122,7 +122,7 @@ class Protocol(models.Model):
         self._setting = value
 
     @property
-    def public(self):
+    def public(self) -> bool:
         return self.asset_platform_protocol.get('public', True)
 
 
@@ -210,7 +210,7 @@ class Asset(NodesRelationMixin, LabeledMixin, AbsConnectivity, JSONFilterMixin,
         return self.category == const.Category.DS and hasattr(self, 'ds')
 
     @lazyproperty
-    def spec_info(self):
+    def spec_info(self) -> dict:
         instance = getattr(self, self.category, None)
         if not instance:
             return {}
@@ -240,7 +240,7 @@ class Asset(NodesRelationMixin, LabeledMixin, AbsConnectivity, JSONFilterMixin,
         return info
 
     @lazyproperty
-    def auto_config(self):
+    def auto_config(self) -> dict:
         platform = self.platform
         auto_config = {
             'su_enabled': platform.su_enabled,
@@ -343,11 +343,11 @@ class Asset(NodesRelationMixin, LabeledMixin, AbsConnectivity, JSONFilterMixin,
         return names
 
     @lazyproperty
-    def type(self):
+    def type(self) -> str:
         return self.platform.type
 
     @lazyproperty
-    def category(self):
+    def category(self) -> str:
         return self.platform.category
 
     def is_category(self, category):

apps/assets/models/automations/base.py

@@ -53,7 +53,7 @@ class BaseAutomation(PeriodTaskModelMixin, JMSOrgBaseModel):
                 return name
 
     def get_all_assets(self):
-        nodes = self.nodes.all()
+        nodes = self.nodes.only("id", "key")
         node_asset_ids = Node.get_nodes_all_assets(*nodes).values_list("id", flat=True)
         direct_asset_ids = self.assets.all().values_list("id", flat=True)
         asset_ids = set(list(direct_asset_ids) + list(node_asset_ids))

apps/assets/models/node.py

@@ -573,7 +573,7 @@ class Node(JMSOrgBaseModel, SomeNodesMixin, FamilyMixin, NodeAssetsMixin):
         return not self.__gt__(other)
 
     @property
-    def name(self):
+    def name(self) -> str:
         return self.value
 
     def computed_full_value(self):

apps/assets/models/platform.py

@@ -25,7 +25,7 @@ class PlatformProtocol(models.Model):
         return '{}/{}'.format(self.name, self.port)
 
     @property
-    def secret_types(self):
+    def secret_types(self) -> list:
         return Protocol.settings().get(self.name, {}).get('secret_types', ['password'])
 
     @lazyproperty

apps/assets/serializers/asset/common.py

@@ -147,6 +147,7 @@ class AssetSerializer(BulkOrgResourceModelSerializer, ResourceLabelsMixin, Writa
     protocols = AssetProtocolsSerializer(many=True, required=False, label=_('Protocols'), default=())
     accounts = AssetAccountSerializer(many=True, required=False, allow_null=True, write_only=True, label=_('Accounts'))
     nodes_display = NodeDisplaySerializer(read_only=False, required=False, label=_("Node path"))
+    auto_config = serializers.DictField(read_only=True, label=_('Auto info'))
     platform = ObjectRelatedField(queryset=Platform.objects, required=True, label=_('Platform'),
                                   attrs=('id', 'name', 'type'))
     accounts_amount = serializers.IntegerField(read_only=True, label=_('Accounts amount'))
@@ -425,6 +426,18 @@ class DetailMixin(serializers.Serializer):
     gathered_info = MethodSerializer(label=_('Gathered info'), read_only=True)
     auto_config = serializers.DictField(read_only=True, label=_('Auto info'))
 
+    @staticmethod
+    def get_auto_config(obj) -> dict:
+        return obj.auto_config
+
+    @staticmethod
+    def get_gathered_info(obj) -> dict:
+        return obj.gathered_info
+
+    @staticmethod
+    def get_spec_info(obj) -> dict:
+        return obj.spec_info
+
     def get_instance(self):
         request = self.context.get('request')
         if not self.instance and UUID_PATTERN.findall(request.path):

apps/assets/serializers/asset/custom.py

@@ -1,10 +1,11 @@
 from django.db.models import QuerySet
-from django.utils.translation import gettext_lazy as _
+from django.utils.translation import gettext_lazy as _, get_language
 
 from assets.models import Custom, Platform, Asset
 from common.const import UUID_PATTERN
 from common.serializers import create_serializer_class
 from common.serializers.common import DictSerializer, MethodSerializer
+from terminal.models import Applet
 from .common import AssetSerializer
 
 __all__ = ['CustomSerializer']
@@ -47,8 +48,38 @@ class CustomSerializer(AssetSerializer):
 
         if not platform:
             return default_field
+
         custom_fields = platform.custom_fields
+
         if not custom_fields:
             return default_field
         name = platform.name.title() + 'CustomSerializer'
+
+        applet = Applet.objects.filter(
+            name=platform.created_by.replace('Applet:', '')
+        ).first()
+
+        if not applet:
+            return create_serializer_class(name, custom_fields)()
+
+        i18n = applet.manifest.get('i18n', {})
+
+        lang = get_language()
+        lang_short = lang[:2]
+
+        def translate_text(key):
+            return (
+                    i18n.get(key, {}).get(lang)
+                    or i18n.get(key, {}).get(lang_short)
+                    or key
+            )
+
+        for field in custom_fields:
+            label = field.get('label')
+            help_text = field.get('help_text')
+            if label:
+                field['label'] = translate_text(label)
+            if help_text:
+                field['help_text'] = translate_text(help_text)
+
         return create_serializer_class(name, custom_fields)()

apps/assets/serializers/automations/base.py

@@ -19,11 +19,13 @@ __all__ = [
 class BaseAutomationSerializer(PeriodTaskSerializerMixin, BulkOrgResourceModelSerializer):
     assets = ObjectRelatedField(many=True, required=False, queryset=Asset.objects, label=_('Assets'))
     nodes = ObjectRelatedField(many=True, required=False, queryset=Node.objects, label=_('Nodes'))
+    executed_amount = serializers.IntegerField(read_only=True, label=_('Executed amount'))
 
     class Meta:
         read_only_fields = [
             'date_created', 'date_updated', 'created_by',
-            'periodic_display', 'executed_amount', 'type', 'last_execution_date'
+            'periodic_display', 'executed_amount', 'type', 
+            'last_execution_date',
         ]
         mini_fields = [
             'id', 'name', 'type', 'is_periodic', 'interval',

apps/audits/api.py

@@ -172,10 +172,7 @@ class UserLoginLogViewSet(UserLoginCommonMixin, OrgReadonlyModelViewSet):
 
     def get_queryset(self):
         queryset = super().get_queryset()
-        if current_org.is_root() or not settings.XPACK_ENABLED:
-            return queryset
-        users = self.get_org_member_usernames()
-        queryset = queryset.filter(username__in=users)
+        queryset = queryset.model.filter_queryset_by_org(queryset)
         return queryset
 
 
@@ -297,12 +294,7 @@ class PasswordChangeLogViewSet(OrgReadonlyModelViewSet):
 
     def get_queryset(self):
         queryset = super().get_queryset()
-        if not current_org.is_root():
-            users = current_org.get_members()
-            queryset = queryset.filter(
-                user__in=[str(user) for user in users]
-            )
-        return queryset
+        return self.model.filter_queryset_by_org(queryset)
 
 
 class UserSessionViewSet(CommonApiMixin, viewsets.ModelViewSet):

apps/audits/models.py

@@ -1,6 +1,6 @@
 import os
 import uuid
-from datetime import timedelta
+from datetime import timedelta, datetime
 from importlib import import_module
 
 from django.conf import settings
@@ -40,7 +40,7 @@ __all__ = [
 
 class JobLog(JobExecution):
     @property
-    def creator_name(self):
+    def creator_name(self) -> str:
         return self.creator.name
 
     class Meta:
@@ -189,6 +189,15 @@ class PasswordChangeLog(models.Model):
     class Meta:
         verbose_name = _("Password change log")
 
+    @staticmethod
+    def filter_queryset_by_org(queryset):
+        if not current_org.is_root():
+            users = current_org.get_members()
+            queryset = queryset.filter(
+                user__in=[str(user) for user in users]
+            )
+        return queryset
+
 
 class UserLoginLog(models.Model):
     id = models.UUIDField(default=uuid.uuid4, primary_key=True)
@@ -223,7 +232,7 @@ class UserLoginLog(models.Model):
         return '%s(%s)' % (self.username, self.city)
 
     @property
-    def backend_display(self):
+    def backend_display(self) -> str:
         return gettext(self.backend)
 
     @classmethod
@@ -249,7 +258,7 @@ class UserLoginLog(models.Model):
         return login_logs
 
     @property
-    def reason_display(self):
+    def reason_display(self) -> str:
         from authentication.errors import reason_choices, old_reason_choices
 
         reason = reason_choices.get(self.reason)
@@ -258,6 +267,15 @@ class UserLoginLog(models.Model):
         reason = old_reason_choices.get(self.reason, self.reason)
         return reason
 
+    @staticmethod
+    def filter_queryset_by_org(queryset):
+        from audits.utils import construct_userlogin_usernames
+        if current_org.is_root() or not settings.XPACK_ENABLED:
+            return queryset
+        user_queryset = current_org.get_members()
+        users = construct_userlogin_usernames(user_queryset)
+        return queryset.filter(username__in=users)
+
     class Meta:
         ordering = ["-datetime", "username"]
         verbose_name = _("User login log")
@@ -282,15 +300,15 @@ class UserSession(models.Model):
         return '%s(%s)' % (self.user, self.ip)
 
     @property
-    def backend_display(self):
+    def backend_display(self) -> str:
         return gettext(self.backend)
 
     @property
-    def is_active(self):
+    def is_active(self) -> bool:
         return user_session_manager.check_active(self.key)
 
     @property
-    def date_expired(self):
+    def date_expired(self) -> datetime:
         session_store_cls = import_module(settings.SESSION_ENGINE).SessionStore
         session_store = session_store_cls(session_key=self.key)
         cache_key = session_store.cache_key

apps/audits/serializers.py

@@ -119,11 +119,11 @@ class OperateLogSerializer(BulkOrgResourceModelSerializer):
         fields = fields_small
 
     @staticmethod
-    def get_resource_type(instance):
+    def get_resource_type(instance) -> str:
         return _(instance.resource_type)
 
     @staticmethod
-    def get_resource(instance):
+    def get_resource(instance) -> str:
         return i18n_trans(instance.resource)
 
 
@@ -147,11 +147,11 @@ class ActivityUnionLogSerializer(serializers.Serializer):
     r_type = serializers.CharField(read_only=True)
 
     @staticmethod
-    def get_timestamp(obj):
+    def get_timestamp(obj) -> str:
         return as_current_tz(obj['datetime']).strftime('%Y-%m-%d %H:%M:%S')
 
     @staticmethod
-    def get_content(obj):
+    def get_content(obj) -> str:
         if not obj['r_detail']:
             action = obj['r_action'].replace('_', ' ').capitalize()
             ctn = _('%s %s this resource') % (obj['r_user'], _(action).lower())
@@ -160,7 +160,7 @@ class ActivityUnionLogSerializer(serializers.Serializer):
         return ctn
 
     @staticmethod
-    def get_detail_url(obj):
+    def get_detail_url(obj) -> str:
         detail_url = ''
         detail_id, obj_type = obj['r_detail_id'], obj['r_type']
         if not detail_id:
@@ -210,7 +210,7 @@ class UserSessionSerializer(serializers.ModelSerializer):
             "backend_display": {"label": _("Auth backend display")},
         }
 
-    def get_is_current_user_session(self, obj):
+    def get_is_current_user_session(self, obj) -> bool:
         request = self.context.get('request')
         if not request:
             return False

apps/audits/tasks.py

@@ -2,18 +2,19 @@
 #
 import datetime
 import os
-import subprocess
 
 from celery import shared_task
 from django.conf import settings
 from django.core.files.storage import default_storage
 from django.db import transaction
 from django.utils import timezone
+from django.utils._os import safe_join
 from django.utils.translation import gettext_lazy as _
 
 from common.const.crontab import CRONTAB_AT_AM_TWO
 from common.storage.ftp_file import FTPFileStorageHandler
 from common.utils import get_log_keep_day, get_logger
+from common.utils.safe import safe_run_cmd
 from ops.celery.decorator import register_as_period_task
 from ops.models import CeleryTaskExecution
 from orgs.utils import tmp_to_root_org
@@ -57,14 +58,12 @@ def clean_ftp_log_period():
     now = timezone.now()
     days = get_log_keep_day('FTP_LOG_KEEP_DAYS')
     expired_day = now - datetime.timedelta(days=days)
-    file_store_dir = os.path.join(default_storage.base_location, FTPLog.upload_to)
+    file_store_dir = safe_join(default_storage.base_location, FTPLog.upload_to)
     FTPLog.objects.filter(date_start__lt=expired_day).delete()
-    command = "find %s -mtime +%s -type f -exec rm -f {} \\;" % (
-        file_store_dir, days
-    )
-    subprocess.call(command, shell=True)
-    command = "find %s -type d -empty -delete;" % file_store_dir
-    subprocess.call(command, shell=True)
+    command = "find %s -mtime +%s -type f -exec rm -f {} \\;"
+    safe_run_cmd(command, (file_store_dir, days))
+    command = "find %s -type d -empty -delete;"
+    safe_run_cmd(command, (file_store_dir,))
     logger.info("Clean FTP file done")
 
 
@@ -76,12 +75,11 @@ def clean_celery_tasks_period():
     tasks.delete()
     tasks = CeleryTaskExecution.objects.filter(date_start__isnull=True)
     tasks.delete()
-    command = "find %s -mtime +%s -name '*.log' -type f -exec rm -f {} \\;" % (
-        settings.CELERY_LOG_DIR, expire_days
-    )
-    subprocess.call(command, shell=True)
-    command = "echo > {}".format(os.path.join(settings.LOG_DIR, 'celery.log'))
-    subprocess.call(command, shell=True)
+    command = "find %s -mtime +%s -name '*.log' -type f -exec rm -f {} \\;"
+    safe_run_cmd(command, (settings.CELERY_LOG_DIR, expire_days))
+    celery_log_path = safe_join(settings.LOG_DIR, 'celery.log')
+    command = "echo > %s"
+    safe_run_cmd(command, (celery_log_path,))
 
 
 def batch_delete(queryset, batch_size=3000):
@@ -119,15 +117,15 @@ def clean_expired_session_period():
     expired_sessions = Session.objects.filter(date_start__lt=expire_date)
     timestamp = expire_date.timestamp()
     expired_commands = Command.objects.filter(timestamp__lt=timestamp)
-    replay_dir = os.path.join(default_storage.base_location, 'replay')
+    replay_dir = safe_join(default_storage.base_location, 'replay')
 
     batch_delete(expired_sessions)
     logger.info("Clean session item done")
     batch_delete(expired_commands)
     logger.info("Clean session command done")
     remove_files_by_days(replay_dir, days)
-    command = "find %s -type d -empty -delete;" % replay_dir
-    subprocess.call(command, shell=True)
+    command = "find %s -type d -empty -delete;"
+    safe_run_cmd(command, (replay_dir,))
     logger.info("Clean session replay done")
 
 

apps/authentication/api/connection_token.py

@@ -618,6 +618,8 @@ class SuperConnectionTokenViewSet(ConnectionTokenViewSet):
 
         token_id = request.data.get('id') or ''
         token = ConnectionToken.get_typed_connection_token(token_id)
+        if not token:
+            raise PermissionDenied('Token {} is not valid'.format(token))
         token.is_valid()
         serializer = self.get_serializer(instance=token)
 

apps/authentication/backends/base.py

@@ -1,9 +1,9 @@
-from django.contrib.auth.backends import ModelBackend
 from django.contrib.auth import get_user_model
+from django.contrib.auth.backends import ModelBackend
+from django.views import View
 
-from users.models import User
 from common.utils import get_logger
-
+from users.models import User
 
 UserModel = get_user_model()
 logger = get_logger(__file__)
@@ -61,4 +61,13 @@ class JMSBaseAuthBackend:
 
 
 class JMSModelBackend(JMSBaseAuthBackend, ModelBackend):
-    pass
+     def user_can_authenticate(self, user):
+        return True
+
+
+class BaseAuthCallbackClientView(View):
+    http_method_names = ['get']
+
+    def get(self, request):
+        from authentication.views.utils import redirect_to_guard_view
+        return redirect_to_guard_view(query_string='next=client')

apps/authentication/backends/cas/backends.py

@@ -1,14 +1,51 @@
 # -*- coding: utf-8 -*-
 #
-from django_cas_ng.backends import CASBackend as _CASBackend
-from django.conf import settings
 
+import threading
+
+from django.conf import settings
+from django.contrib.auth import get_user_model
+from django_cas_ng.backends import CASBackend as _CASBackend
+
+from common.utils import get_logger
 from ..base import JMSBaseAuthBackend
 
-__all__ = ['CASBackend']
+__all__ = ['CASBackend', 'CASUserDoesNotExist']
+logger = get_logger(__name__)
+
+
+class CASUserDoesNotExist(Exception):
+    """Exception raised when a CAS user does not exist."""
+    pass
 
 
 class CASBackend(JMSBaseAuthBackend, _CASBackend):
     @staticmethod
     def is_enabled():
         return settings.AUTH_CAS
+
+    def authenticate(self, request, ticket, service):
+        UserModel = get_user_model()
+        manager = UserModel._default_manager
+        original_get_by_natural_key = manager.get_by_natural_key
+        thread_local = threading.local()
+        thread_local.thread_id = threading.get_ident()
+        logger.debug(f"CASBackend.authenticate: thread_id={thread_local.thread_id}")
+
+        def get_by_natural_key(self, username):
+            logger.debug(f"CASBackend.get_by_natural_key: thread_id={threading.get_ident()}, username={username}")
+            if threading.get_ident() != thread_local.thread_id:
+                return original_get_by_natural_key(username)
+
+            try:
+                user = original_get_by_natural_key(username)
+            except UserModel.DoesNotExist:
+                raise CASUserDoesNotExist(username)
+            return user
+
+        try:
+            manager.get_by_natural_key = get_by_natural_key.__get__(manager, type(manager))
+            user = super().authenticate(request, ticket=ticket, service=service)
+        finally:
+            manager.get_by_natural_key = original_get_by_natural_key
+        return user

apps/authentication/backends/cas/views.py

@@ -1,23 +1,33 @@
 from django.core.exceptions import PermissionDenied
 from django.http import HttpResponseRedirect
-from django.views.generic import View
+from django.utils.translation import gettext_lazy as _
 from django_cas_ng.views import LoginView
 
-__all__ = ['LoginView']
+from authentication.backends.base import BaseAuthCallbackClientView
+from common.utils import FlashMessageUtil
+from .backends import CASUserDoesNotExist
 
-from authentication.views.utils import redirect_to_guard_view
+__all__ = ['LoginView']
 
 
 class CASLoginView(LoginView):
     def get(self, request):
         try:
-            return super().get(request)
+            resp = super().get(request)
+            return resp
         except PermissionDenied:
             return HttpResponseRedirect('/')
+        except CASUserDoesNotExist as e:
+            message_data = {
+                'title': _('User does not exist: {}').format(e),
+                'error': _(
+                    'CAS login was successful, but no corresponding local user was found in the system, and automatic '
+                    'user creation is disabled in the CAS authentication configuration. Login failed.'),
+                'interval': 10,
+                'redirect_url': '/',
+            }
+            return FlashMessageUtil.gen_and_redirect_to(message_data)
 
 
-class CASCallbackClientView(View):
-    http_method_names = ['get', ]
-
-    def get(self, request):
-        return redirect_to_guard_view(query_string='next=client')
+class CASCallbackClientView(BaseAuthCallbackClientView):
+    pass

apps/authentication/backends/oauth2/views.py

@@ -5,10 +5,10 @@ from django.urls import reverse
 from django.utils.http import urlencode
 from django.views import View
 
+from authentication.backends.base import BaseAuthCallbackClientView
 from authentication.mixins import authenticate
 from authentication.utils import build_absolute_uri
 from authentication.views.mixins import FlashMessageMixin
-from authentication.views.utils import redirect_to_guard_view
 from common.utils import get_logger
 
 logger = get_logger(__file__)
@@ -67,11 +67,8 @@ class OAuth2AuthCallbackView(View, FlashMessageMixin):
         return HttpResponseRedirect(redirect_url)
 
 
-class OAuth2AuthCallbackClientView(View):
-    http_method_names = ['get', ]
-
-    def get(self, request):
-        return redirect_to_guard_view(query_string='next=client')
+class OAuth2AuthCallbackClientView(BaseAuthCallbackClientView):
+    pass
 
 
 class OAuth2EndSessionView(View):

apps/authentication/backends/oidc/views.py

@@ -29,7 +29,7 @@ from authentication.utils import build_absolute_uri_for_oidc
 from authentication.views.mixins import FlashMessageMixin
 from common.utils import safe_next_url
 from .utils import get_logger
-from ...views.utils import redirect_to_guard_view
+from ..base import BaseAuthCallbackClientView
 
 logger = get_logger(__file__)
 
@@ -210,11 +210,8 @@ class OIDCAuthCallbackView(View, FlashMessageMixin):
         return HttpResponseRedirect(settings.AUTH_OPENID_AUTHENTICATION_FAILURE_REDIRECT_URI)
 
 
-class OIDCAuthCallbackClientView(View):
-    http_method_names = ['get', ]
-
-    def get(self, request):
-        return redirect_to_guard_view(query_string='next=client')
+class OIDCAuthCallbackClientView(BaseAuthCallbackClientView):
+    pass
 
 
 class OIDCEndSessionView(View):

apps/authentication/backends/passkey/api.py

@@ -71,7 +71,8 @@ class PasskeyViewSet(AuthMixin, FlashMessageMixin, JMSModelViewSet):
             return self.redirect_to_error(_('Auth failed'))
 
         confirm_mfa = request.session.get('passkey_confirm_mfa')
-        if confirm_mfa:
+        # 如果开启了安全模式，Passkey 不能作为 MFA
+        if confirm_mfa and not settings.SAFE_MODE:
             request.session['CONFIRM_LEVEL'] = ConfirmType.values.index('mfa') + 1
             request.session['CONFIRM_TIME'] = int(time.time())
             request.session['CONFIRM_TYPE'] = ConfirmType.MFA
@@ -80,7 +81,9 @@ class PasskeyViewSet(AuthMixin, FlashMessageMixin, JMSModelViewSet):
 
         try:
             self.check_oauth2_auth(user, settings.AUTH_BACKEND_PASSKEY)
-            self.mark_mfa_ok('passkey', user)
+            # 如果开启了安全模式，passkey 不能作为 MFA
+            if not settings.SAFE_MODE:
+                self.mark_mfa_ok('passkey', user)
             return self.redirect_to_guard_view()
         except Exception as e:
             msg = getattr(e, 'msg', '') or str(e)

apps/authentication/backends/saml2/views.py

@@ -19,7 +19,7 @@ from onelogin.saml2.idp_metadata_parser import (
 from authentication.views.mixins import FlashMessageMixin
 from common.utils import get_logger
 from .settings import JmsSaml2Settings
-from ...views.utils import redirect_to_guard_view
+from ..base import BaseAuthCallbackClientView
 
 logger = get_logger(__file__)
 
@@ -300,11 +300,8 @@ class Saml2AuthCallbackView(View, PrepareRequestMixin, FlashMessageMixin):
         return super().dispatch(*args, **kwargs)
 
 
-class Saml2AuthCallbackClientView(View):
-    http_method_names = ['get', ]
-
-    def get(self, request):
-        return redirect_to_guard_view(query_string='next=client')
+class Saml2AuthCallbackClientView(BaseAuthCallbackClientView):
+    pass
 
 
 class Saml2AuthMetadataView(View, PrepareRequestMixin):

apps/authentication/backends/token.py

@@ -14,7 +14,9 @@ class TempTokenAuthBackend(JMSBaseAuthBackend):
         return settings.AUTH_TEMP_TOKEN
 
     def authenticate(self, request, username='', password=''):
-        token = self.model.objects.filter(username=username, secret=password).first()
+        tokens = self.model.objects.filter(username=username).order_by('-date_created')[:500]
+        token = next((t for t in tokens if t.secret == password), None)
+
         if not token:
             return None
         if not token.is_valid:

apps/authentication/mfa/base.py

@@ -1,5 +1,6 @@
 import abc
 
+from django.conf import settings
 from django.core.cache import cache
 from django.utils.translation import gettext_lazy as _
 
@@ -23,17 +24,21 @@ class BaseMFA(abc.ABC):
 
         cache_key = f'{self.name}_{self.user.username}'
         cache_code = cache.get(cache_key)
-        if cache_code == code:
+
+        is_match = cache_code == code
+
+        if settings.SAFE_MODE and is_match:
             return False, _(
                 "The two-factor code you entered has either already been used or has expired. "
                 "Please request a new one."
             )
 
         ok, msg = self._check_code(code)
+
         if not ok:
             return False, msg
 
-        cache.set(cache_key, code, 60 * 5)
+        cache.set(cache_key, code, 60)
         return True, msg
 
     def is_authenticated(self):

apps/authentication/mfa/passkey.py

@@ -19,6 +19,8 @@ class MFAPasskey(BaseMFA):
     def is_active(self):
         if not self.is_authenticated():
             return True
+        if settings.SAFE_MODE:
+            return False
         return self.user.passkey_set.count()
 
     @staticmethod

apps/authentication/migrations/0007_connectiontoken_remote_addr.py

@@ -0,0 +1,20 @@
+# Generated by Django 4.1.13 on 2025-08-04 06:20
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentication", "0006_connectiontoken_type"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="connectiontoken",
+            name="remote_addr",
+            field=models.CharField(
+                blank=True, max_length=128, null=True, verbose_name="Remote addr"
+            ),
+        ),
+    ]

apps/authentication/migrations/0008_alter_accesskey_secret_alter_temptoken_secret.py

@@ -0,0 +1,50 @@
+# Generated by Django 4.1.13 on 2025-08-14 06:39
+
+import authentication.models.access_key
+import common.db.fields
+from django.db import migrations
+
+old_access_key_secrets_mapper = {}
+
+def fetch_access_key_secrets(apps, schema_editor):
+    AccessKey = apps.get_model("authentication", "AccessKey")
+
+    for id, secret in AccessKey.objects.all().values_list('id', 'secret'):
+        old_access_key_secrets_mapper[str(id)] = secret
+
+
+def save_access_key_secrets(apps, schema_editor):
+    AccessKey = apps.get_model("authentication", "AccessKey")
+    aks = AccessKey.objects.filter(id__in=list(old_access_key_secrets_mapper.keys()))
+    for ak in aks:
+        old_value = old_access_key_secrets_mapper.get(str(ak.id))
+        if not old_value:
+            continue
+        ak.secret = old_value
+        ak.save(update_fields=["secret"])
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("authentication", "0007_connectiontoken_remote_addr"),
+    ]
+
+    operations = [
+        migrations.RunPython(fetch_access_key_secrets),
+        migrations.AlterField(
+            model_name="accesskey",
+            name="secret",
+            field=common.db.fields.EncryptTextField(
+                default=authentication.models.access_key.default_secret,
+                verbose_name="AccessKeySecret",
+            ),
+        ),
+        migrations.AlterField(
+            model_name="temptoken",
+            name="secret",
+            field=common.db.fields.EncryptTextField(
+                verbose_name="Secret"
+            ),
+        ),
+        migrations.RunPython(save_access_key_secrets),
+    ]

apps/authentication/models/access_key.py

@@ -4,6 +4,7 @@ from django.conf import settings
 from django.db import models
 from django.utils.translation import gettext_lazy as _
 
+from common.db.fields import EncryptTextField
 import common.db.models
 
 from common.db.utils import default_ip_group
@@ -16,7 +17,7 @@ def default_secret():
 
 class AccessKey(models.Model):
     id = models.UUIDField(verbose_name='AccessKeyID', primary_key=True, default=uuid.uuid4, editable=False)
-    secret = models.CharField(verbose_name='AccessKeySecret', default=default_secret, max_length=36)
+    secret = EncryptTextField(verbose_name='AccessKeySecret', default=default_secret)
     ip_group = models.JSONField(default=default_ip_group, verbose_name=_('IP group'))
     user = models.ForeignKey(settings.AUTH_USER_MODEL, verbose_name='User',
                              on_delete=common.db.models.CASCADE_SIGNAL_SKIP, related_name='access_keys')

apps/authentication/models/connection_token.py

@@ -4,6 +4,7 @@ from datetime import timedelta
 
 from django.conf import settings
 from django.core.cache import cache
+from django.core.exceptions import ValidationError
 from django.db import models
 from django.shortcuts import get_object_or_404
 from django.utils import timezone
@@ -57,6 +58,9 @@ class ConnectionToken(JMSOrgBaseModel):
     )
     face_monitor_token = models.CharField(max_length=128, null=True, blank=True, verbose_name=_("Face monitor token"))
     is_active = models.BooleanField(default=True, verbose_name=_("Active"))
+    remote_addr = models.CharField(
+        max_length=128, verbose_name=_("Remote addr"), blank=True, null=True
+    )
 
     type = models.CharField(
         max_length=16, choices=ConnectionTokenType.choices,
@@ -73,7 +77,10 @@ class ConnectionToken(JMSOrgBaseModel):
 
     @classmethod
     def get_typed_connection_token(cls, token_id):
-        token = get_object_or_404(cls, id=token_id)
+        try:
+            token = get_object_or_404(cls, id=token_id)
+        except ValidationError:
+            return None
 
         if token.type == ConnectionTokenType.ADMIN.value:
             token = AdminConnectionToken.objects.get(id=token_id)
@@ -82,11 +89,11 @@ class ConnectionToken(JMSOrgBaseModel):
         return token
 
     @property
-    def is_expired(self):
+    def is_expired(self) -> bool:
         return self.date_expired < timezone.now()
 
     @property
-    def expire_time(self):
+    def expire_time(self) -> int:
         interval = self.date_expired - timezone.now()
         seconds = interval.total_seconds()
         if seconds < 0:
@@ -158,7 +165,7 @@ class ConnectionToken(JMSOrgBaseModel):
     def expire_at(self):
         return self.permed_account.date_expired.timestamp()
 
-    def is_valid(self):
+    def is_valid(self) -> bool:
         if not self.is_active:
             error = _('Connection token inactive')
             raise PermissionDenied(error)

apps/authentication/models/temp_token.py

@@ -3,11 +3,12 @@ from django.utils import timezone
 from django.utils.translation import gettext_lazy as _
 
 from common.db.models import JMSBaseModel
+from common.db.fields import EncryptTextField
 
 
 class TempToken(JMSBaseModel):
     username = models.CharField(max_length=128, verbose_name=_("Username"))
-    secret = models.CharField(max_length=64, verbose_name=_("Secret"))
+    secret = EncryptTextField(verbose_name=_("Secret"))
     verified = models.BooleanField(default=False, verbose_name=_("Verified"))
     date_verified = models.DateTimeField(null=True, verbose_name=_("Date verified"))
     date_expired = models.DateTimeField(verbose_name=_("Date expired"))

apps/authentication/permissions.py

@@ -20,9 +20,10 @@ class UserConfirmation(permissions.BasePermission):
         if not settings.SECURITY_VIEW_AUTH_NEED_MFA:
             return True
 
-        confirm_level = request.session.get('CONFIRM_LEVEL')
-        confirm_type = request.session.get('CONFIRM_TYPE')
-        confirm_time = request.session.get('CONFIRM_TIME')
+        session = getattr(request, 'session', {})
+        confirm_level = session.get('CONFIRM_LEVEL')
+        confirm_type = session.get('CONFIRM_TYPE')
+        confirm_time = session.get('CONFIRM_TIME')
 
         ttl = self.get_ttl(confirm_type)
         now = int(time.time())

apps/authentication/serializers/connect_token_secret.py

@@ -60,7 +60,7 @@ class _ConnectionTokenAccountSerializer(serializers.ModelSerializer):
         ]
 
     @staticmethod
-    def get_su_from(account):
+    def get_su_from(account) -> dict:
         if not hasattr(account, 'asset'):
             return {}
         su_enabled = account.asset.platform.su_enabled
@@ -104,6 +104,8 @@ class _ConnectionTokenCommandFilterACLSerializer(serializers.ModelSerializer):
 class _ConnectionTokenPlatformSerializer(PlatformSerializer):
     class Meta(PlatformSerializer.Meta):
         model = Platform
+        fields = [field for field in PlatformSerializer.Meta.fields
+                   if field not in PlatformSerializer.Meta.fields_m2m]
 
     def get_field_names(self, declared_fields, info):
         names = super().get_field_names(declared_fields, info)

apps/authentication/serializers/connection_token.py

@@ -1,10 +1,12 @@
 from django.utils.translation import gettext_lazy as _
 from rest_framework import serializers
 
+from common.utils import get_request_ip
 from common.serializers import CommonModelSerializer
 from common.serializers.fields import EncryptedField
 from perms.serializers.permission import ActionChoicesField
 from ..models import ConnectionToken, AdminConnectionToken
+from orgs.mixins.serializers import OrgResourceModelSerializerMixin
 
 __all__ = [
     'ConnectionTokenSerializer', 'SuperConnectionTokenSerializer',
@@ -12,7 +14,7 @@ __all__ = [
 ]
 
 
-class ConnectionTokenSerializer(CommonModelSerializer):
+class ConnectionTokenSerializer(OrgResourceModelSerializerMixin):
     expire_time = serializers.IntegerField(read_only=True, label=_('Expired time'))
     input_secret = EncryptedField(
         label=_("Input secret"), max_length=40960, required=False, allow_blank=True
@@ -29,6 +31,7 @@ class ConnectionTokenSerializer(CommonModelSerializer):
             'is_active', 'is_reusable', 'from_ticket', 'from_ticket_info',
             'date_expired', 'date_created', 'date_updated', 'created_by',
             'updated_by', 'org_id', 'org_name', 'face_monitor_token',
+            'remote_addr',
         ]
         read_only_fields = [
             # 普通 Token 不支持指定 user
@@ -52,7 +55,13 @@ class ConnectionTokenSerializer(CommonModelSerializer):
     def get_user(self, attrs):
         return self.get_request_user()
 
-    def get_from_ticket_info(self, instance):
+    def create(self, validated_data):
+        request = self.context.get('request')
+        if request:
+            validated_data['remote_addr'] = get_request_ip(request)
+        return super().create(validated_data)
+
+    def get_from_ticket_info(self, instance) -> dict:
         if not instance.from_ticket:
             return {}
         user = self.get_request_user()

apps/authentication/serializers/token.py

@@ -46,7 +46,7 @@ class BearerTokenSerializer(serializers.Serializer):
     user = UserProfileSerializer(read_only=True)
 
     @staticmethod
-    def get_keyword(obj):
+    def get_keyword(obj) -> str:
         return 'Bearer'
 
     @staticmethod

apps/authentication/templates/authentication/login.html

@@ -18,7 +18,7 @@
 
     <style>
         .login-content {
-        {#box-shadow: 0 5px 5px -3px rgb(0 0 0 / 15%), 0 8px 10px 1px rgb(0 0 0 / 14%), 0 3px 14px 2px rgb(0 0 0 / 12%);#}
+            {% comment %} box-shadow: 0 5px 5px -3px rgb(0 0 0 / 15%), 0 8px 10px 1px rgb(0 0 0 / 14%), 0 3px 14px 2px rgb(0 0 0 / 12%); {% endcomment %}
         }
 
         .login-footer {
@@ -69,23 +69,27 @@
         }
 
         .login-content {
-            position: absolute;
-            left: 50%;
-            top: 50%;
-            transform: translate(-50%, -50%);
             height: 500px;
             width: 1000px;
+            margin-top: auto;
+            margin-bottom: auto;
         }
 
 
         body {
-            position: relative;
+            box-sizing: border-box;
+            min-height: 100%;
+            display: flex;
+            align-items: center;
+            justify-content: center;
+            flex-direction: column;
             width: 100vw;
             height: 100vh;
             background-color: #f3f3f3;
             {#height: calc(100vh - (100vh - 470px) / 3);#}
         }
 
+
         .captcha {
             float: right;
         }
@@ -138,7 +142,7 @@
         }
 
         .jms-title {
-            {#padding: 22px 10px 10px;#}
+        {#padding: 22px 10px 10px;#}
         }
 
         .more-login-items {
@@ -318,7 +322,7 @@
     </div>
     <div class="left-form-box {% if not form.challenge and not form.captcha %} no-captcha-challenge {% endif %}">
         <div class="mobile-logo" style="padding-bottom: 45px; box-sizing: border-box">
-	        <div class="jms-title">
+            <div class="jms-title">
                 <img style="width: 60px; height: 60px" src="{{ INTERFACE.logo_logout }}" alt="Logo"/>
                 <span style="padding-left: 10px">{{ INTERFACE.login_title }}</span>
             </div>
@@ -330,17 +334,18 @@
                 </h2>
                 <ul class=" nav navbar-top-links navbar-right">
                     <li class="dropdown">
-                        <a class="dropdown-toggle login-page-language" data-bs-toggle="dropdown" href="#" target="_blank">
+                        <a class="dropdown-toggle login-page-language" data-bs-toggle="dropdown" href="#"
+                           target="_blank">
                             <i class="fa fa-globe fa-lg" style="margin-right: 2px"></i>
                             <span>{{ current_lang.title }}<b class="caret"></b></span>
                         </a>
                         <ul class="dropdown-menu profile-dropdown dropdown-menu-right">
                             {% for lang in langs %}
                                 <li>
-                                <a href="{% url 'i18n-switch' lang=lang.code %}">
-                                    <span>{{ lang.title }}</span>
-                                </a>
-                            </li>
+                                    <a href="{% url 'i18n-switch' lang=lang.code %}">
+                                        <span>{{ lang.title }}</span>
+                                    </a>
+                                </li>
                             {% endfor %}
                         </ul>
                     </li>
@@ -350,11 +355,11 @@
                 <form id="login-form" action="" method="post" role="form" novalidate="novalidate">
                     {% csrf_token %}
                     <div style="line-height: 17px;margin-bottom: 20px;color: #999999;">
-                    {% if form.non_field_errors %}
-                        <p class="help-block red-fonts">
-                            {{ form.non_field_errors.as_text }}
-                        </p>
-                    {% endif %}
+                        {% if form.non_field_errors %}
+                            <p class="help-block red-fonts">
+                                {{ form.non_field_errors.as_text }}
+                            </p>
+                        {% endif %}
                     </div>
 
                     {% bootstrap_field form.username show_label=False %}
@@ -365,15 +370,15 @@
                                name="{{ form.password.html_name }}">
                         {% if form.password.errors %}
                             <p class="help-block" style="text-align: left">
-                            {{ form.password.errors.as_text }}
-                        </p>
+                                {{ form.password.errors.as_text }}
+                            </p>
                         {% endif %}
                     </div>
                     {% if form.challenge %}
                         {% bootstrap_field form.challenge show_label=False %}
                     {% elif form.mfa_type %}
                         <div class="form-group" style="display: flex">
-                        {% include '_mfa_login_field.html' %}
+                            {% include '_mfa_login_field.html' %}
                         </div>
                     {% elif form.captcha %}
                         <div class="captcha-field">
@@ -403,25 +408,25 @@
                     </div>
 
                     {% if demo_mode %}
-                    <div>
-                        <p class="red-fonts" style='text-align: center;'>
-                            {% trans 'Username' %}: demo {% trans 'Password' %}: jumpserver
-                        </p>
-                    </div>
+                        <div>
+                            <p class="red-fonts" style='text-align: center;'>
+                                {% trans 'Username' %}: demo {% trans 'Password' %}: jumpserver
+                            </p>
+                        </div>
                     {% endif %}
 
                     <div class="more-login">
                         {% if auth_methods %}
                             <div class="more-methods-title {{ current_lang.code }}">
-                                    {% trans "More login options" %}
+                                {% trans "More login options" %}
                             </div>
                             <div class="more-login-items">
-                            {% for method in auth_methods %}
-                                <a href="{{ method.url }}" class="more-login-item">
-                                    <i class="fa"><img src="{{ method.logo }}" height="15" width="15"/> </i>
-                                    {{ method.name }}
-                                </a>
-                            {% endfor %}
+                                {% for method in auth_methods %}
+                                    <a href="{{ method.url }}" class="more-login-item">
+                                        <i class="fa"><img src="{{ method.logo }}" height="15" width="15"/> </i>
+                                        {{ method.name }}
+                                    </a>
+                                {% endfor %}
                             </div>
                         {% else %}
                             <div class="text-center" style="display: inline-block;">
@@ -447,14 +452,16 @@
         $('#password-hidden').val(passwordEncrypted); //返回给密码输入input
         $('#login-form').submit(); //post提交
     }
+
     function checkHealth() {
-        let url =  "{% url 'health' %}";
+        let url = "{% url 'health' %}";
         requestApi({
             url: url,
             method: "GET",
             flash_message: false,
         })
     }
+
     setInterval(checkHealth, 30 * 1000);
 </script>
 </html>

apps/authentication/templates/authentication/login_wait_confirm.html

@@ -15,6 +15,33 @@
         .btn-sm i {
             margin-right: 6px;
         }
+
+        .passwordBox2 {
+            max-width: 560px;
+            margin-bottom: auto;
+            padding: 100px 20px 20px 20px;
+            width: 100%;
+        }
+
+        .ibox-content {
+            padding: 30px;
+        }
+
+        .ibox-context-margin {
+            margin: 20px 0 0 0;
+        }
+
+        body {
+            box-sizing: border-box;
+            min-height: 100%;
+            display: flex;
+            align-items: center;
+            flex-direction: column;
+        }
+
+        .wrapper {
+            margin: auto;
+        }
     </style>
 
 </head>