Merge pull request #8229 from jumpserver/dev

v2.22.0 rc1
2022-05-12 17:02:01 +08:00 · 2022-05-12 17:02:01 +08:00 · 7f52675bd3
parent a4be0ff2f3 6409b7deee
commit 7f52675bd3
107 changed files with 2091 additions and 1280 deletions
--- a/.github/workflows/lgtm.yml
+++ b/.github/workflows/lgtm.yml
@ -1,18 +0,0 @@
 name: Send LGTM reaction
 on:
  issue_comment:
    types: [created]
  pull_request_review:
    types: [submitted]
 jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@1.0.0
      - uses: micnncim/action-lgtm-reaction@master
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          trigger: '["^.?lgtm$"]'
--- a/45
+++ b/45
@ -1,20 +1,5 @@
 # 编译代码
 FROM python:3.8-slim as stage-build
 MAINTAINER JumpServer Team <ibuler@qq.com>
 ARG VERSION
 ENV VERSION=$VERSION
 WORKDIR /opt/jumpserver
 ADD . .
 RUN cd utils && bash -ixeu build.sh
 FROM python:3.8-slim
-ARG PIP_MIRROR=https://pypi.douban.com/simple
+MAINTAINER JumpServer Team <ibuler@qq.com>
 ENV PIP_MIRROR=$PIP_MIRROR
 ARG PIP_JMS_MIRROR=https://pypi.douban.com/simple
 ENV PIP_JMS_MIRROR=$PIP_JMS_MIRROR
 WORKDIR /opt/jumpserver
 ARG BUILD_DEPENDENCIES="              \
    g++                               \
@ -62,21 +47,37 @@ RUN sed -i 's/deb.debian.org/mirrors.aliyun.com/g' /etc/apt/sources.list \
    && mv /bin/sh /bin/sh.bak  \
    && ln -s /bin/bash /bin/sh
-RUN mkdir -p /opt/jumpserver/oracle/ \
+RUN mkdir -p /opt/oracle/ \
    && wget https://download.jumpserver.org/public/instantclient-basiclite-linux.x64-21.1.0.0.0.tar \
-    && tar xf instantclient-basiclite-linux.x64-21.1.0.0.0.tar -C /opt/jumpserver/oracle/ \
+    && tar xf instantclient-basiclite-linux.x64-21.1.0.0.0.tar -C /opt/oracle/ \
-    && echo "/opt/jumpserver/oracle/instantclient_21_1" > /etc/ld.so.conf.d/oracle-instantclient.conf \
+    && echo "/opt/oracle/instantclient_21_1" > /etc/ld.so.conf.d/oracle-instantclient.conf \
    && ldconfig \
    && rm -f instantclient-basiclite-linux.x64-21.1.0.0.0.tar
-COPY --from=stage-build /opt/jumpserver/release/jumpserver /opt/jumpserver
+WORKDIR /tmp/build
 COPY ./requirements ./requirements
-RUN echo > config.yml \
+ARG PIP_MIRROR=https://mirrors.aliyun.com/pypi/simple/
-    && pip install --upgrade pip==20.2.4 setuptools==49.6.0 wheel==0.34.2 -i ${PIP_MIRROR} \
+ENV PIP_MIRROR=$PIP_MIRROR
 ARG PIP_JMS_MIRROR=https://mirrors.aliyun.com/pypi/simple/
 ENV PIP_JMS_MIRROR=$PIP_JMS_MIRROR
 # 因为以 jms 或者 jumpserver 开头的 mirror 上可能没有
 RUN pip install --upgrade pip==20.2.4 setuptools==49.6.0 wheel==0.34.2 -i ${PIP_MIRROR} \
    && pip install --no-cache-dir $(grep -E 'jms|jumpserver' requirements/requirements.txt) -i ${PIP_JMS_MIRROR} \
    && pip install --no-cache-dir -r requirements/requirements.txt -i ${PIP_MIRROR} \
    && rm -rf ~/.cache/pip
 ARG VERSION
 ENV VERSION=$VERSION
 ADD . .
 RUN cd utils \
    && bash -ixeu build.sh \
    && mv ../release/jumpserver /opt/jumpserver \
    && rm -rf /tmp/build \
    && echo > /opt/jumpserver/config.yml
 WORKDIR /opt/jumpserver
 VOLUME /opt/jumpserver/data
 VOLUME /opt/jumpserver/logs
--- a/README.md
+++ b/README.md
@ -131,4 +131,3 @@ Licensed under The GNU General Public License version 3 (GPLv3)  (the "License")
 https://www.gnu.org/licenses/gpl-3.0.html
 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
--- a/apps/applications/api/account.py
+++ b/apps/applications/api/account.py
@ -6,6 +6,7 @@ from django.db.models import F, Q
 from common.drf.filters import BaseFilterSet
 from common.drf.api import JMSBulkModelViewSet
 from common.mixins import RecordViewLogMixin
 from rbac.permissions import RBACPermission
 from assets.models import SystemUser
 from ..models import Account
@ -54,7 +55,7 @@ class SystemUserAppRelationViewSet(ApplicationAccountViewSet):
    perm_model = SystemUser
-class ApplicationAccountSecretViewSet(ApplicationAccountViewSet):
+class ApplicationAccountSecretViewSet(RecordViewLogMixin, ApplicationAccountViewSet):
    serializer_class = serializers.AppAccountSecretSerializer
    permission_classes = [RBACPermission, NeedMFAVerify]
    http_method_names = ['get', 'options']
--- a/apps/applications/migrations/0001_initial.py
+++ b/apps/applications/migrations/0001_initial.py
@ -1,6 +1,6 @@
 # Generated by Django 2.1.7 on 2019-05-20 11:04
-import common.fields.model
+import common.db.fields
 from django.db import migrations, models
 import django.db.models.deletion
 import uuid
@ -23,7 +23,7 @@ class Migration(migrations.Migration):
                ('name', models.CharField(max_length=128, verbose_name='Name')),
                ('type', models.CharField(choices=[('Browser', (('chrome', 'Chrome'),)), ('Database tools', (('mysql_workbench', 'MySQL Workbench'),)), ('Virtualization tools', (('vmware_client', 'vSphere Client'),)), ('custom', 'Custom')], default='chrome', max_length=128, verbose_name='App type')),
                ('path', models.CharField(max_length=128, verbose_name='App path')),
-                ('params', common.fields.model.EncryptJsonDictTextField(blank=True, default={}, max_length=4096, null=True, verbose_name='Parameters')),
+                ('params', common.db.fields.EncryptJsonDictTextField(blank=True, default={}, max_length=4096, null=True, verbose_name='Parameters')),
                ('created_by', models.CharField(blank=True, max_length=32, null=True, verbose_name='Created by')),
                ('date_created', models.DateTimeField(auto_now_add=True, null=True, verbose_name='Date created')),
                ('comment', models.TextField(blank=True, default='', max_length=128, verbose_name='Comment')),
--- a/apps/applications/migrations/0010_appaccount_historicalappaccount.py
+++ b/apps/applications/migrations/0010_appaccount_historicalappaccount.py
@ -1,7 +1,7 @@
 # Generated by Django 3.1.12 on 2021-08-26 09:07
 import assets.models.base
-import common.fields.model
+import common.db.fields
 from django.conf import settings
 import django.core.validators
 from django.db import migrations, models
@ -26,9 +26,9 @@ class Migration(migrations.Migration):
                ('id', models.UUIDField(db_index=True, default=uuid.uuid4)),
                ('name', models.CharField(max_length=128, verbose_name='Name')),
                ('username', models.CharField(blank=True, db_index=True, max_length=128, validators=[django.core.validators.RegexValidator('^[0-9a-zA-Z_@\\-\\.]*$', 'Special char not allowed')], verbose_name='Username')),
-                ('password', common.fields.model.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password')),
+                ('password', common.db.fields.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password')),
-                ('private_key', common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH private key')),
+                ('private_key', common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='SSH private key')),
-                ('public_key', common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH public key')),
+                ('public_key', common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='SSH public key')),
                ('comment', models.TextField(blank=True, verbose_name='Comment')),
                ('date_created', models.DateTimeField(blank=True, editable=False, verbose_name='Date created')),
                ('date_updated', models.DateTimeField(blank=True, editable=False, verbose_name='Date updated')),
@ -56,9 +56,9 @@ class Migration(migrations.Migration):
                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
                ('name', models.CharField(max_length=128, verbose_name='Name')),
                ('username', models.CharField(blank=True, db_index=True, max_length=128, validators=[django.core.validators.RegexValidator('^[0-9a-zA-Z_@\\-\\.]*$', 'Special char not allowed')], verbose_name='Username')),
-                ('password', common.fields.model.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password')),
+                ('password', common.db.fields.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password')),
-                ('private_key', common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH private key')),
+                ('private_key', common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='SSH private key')),
-                ('public_key', common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH public key')),
+                ('public_key', common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='SSH public key')),
                ('comment', models.TextField(blank=True, verbose_name='Comment')),
                ('date_created', models.DateTimeField(auto_now_add=True, verbose_name='Date created')),
                ('date_updated', models.DateTimeField(auto_now=True, verbose_name='Date updated')),
--- a/apps/assets/api/accounts.py
+++ b/apps/assets/api/accounts.py
@ -8,6 +8,7 @@ from rest_framework.generics import CreateAPIView
 from orgs.mixins.api import OrgBulkModelViewSet
 from rbac.permissions import RBACPermission
 from common.drf.filters import BaseFilterSet
 from common.mixins import RecordViewLogMixin
 from common.permissions import NeedMFAVerify
 from ..tasks.account_connectivity import test_accounts_connectivity_manual
 from ..models import AuthBook, Node
@ -79,7 +80,7 @@ class AccountViewSet(OrgBulkModelViewSet):
        return Response(data={'task': task.id})
-class AccountSecretsViewSet(AccountViewSet):
+class AccountSecretsViewSet(RecordViewLogMixin, AccountViewSet):
    """
    因为可能要导出所有账号，所以单独建立了一个 viewset
    """
--- a/apps/assets/api/system_user.py
+++ b/apps/assets/api/system_user.py
@ -4,7 +4,6 @@ from rest_framework.response import Response
 from rest_framework.decorators import action
 from common.utils import get_logger, get_object_or_none
 from common.utils.crypto import get_aes_crypto
 from common.permissions import IsValidUser
 from common.mixins.api import SuggestionMixin
 from orgs.mixins.api import OrgBulkModelViewSet
@ -102,27 +101,17 @@ class SystemUserTempAuthInfoApi(generics.CreateAPIView):
    permission_classes = (IsValidUser,)
    serializer_class = SystemUserTempAuthSerializer
    def decrypt_data_if_need(self, data):
        csrf_token = self.request.META.get('CSRF_COOKIE')
        aes = get_aes_crypto(csrf_token, 'ECB')
        password = data.get('password', '')
        try:
            data['password'] = aes.decrypt(password)
        except:
            pass
        return data
    def create(self, request, *args, **kwargs):
        serializer = super().get_serializer(data=request.data)
        serializer.is_valid(raise_exception=True)
        pk = kwargs.get('pk')
-        data = self.decrypt_data_if_need(serializer.validated_data)
+        data = serializer.validated_data
-        instance_id = data.get('instance_id')
+        asset_or_app_id = data.get('instance_id')
        with tmp_to_root_org():
            instance = get_object_or_404(SystemUser, pk=pk)
-            instance.set_temp_auth(instance_id, self.request.user.id, data)
+            instance.set_temp_auth(asset_or_app_id, self.request.user.id, data)
        return Response(serializer.data, status=201)
--- a/apps/assets/migrations/0032_auto_20190624_2108.py
+++ b/apps/assets/migrations/0032_auto_20190624_2108.py
@ -1,7 +1,7 @@
 # Generated by Django 2.1.7 on 2019-06-24 13:08
 import assets.models.utils
-import common.fields.model
+import common.db.fields
 from django.db import migrations
@ -15,61 +15,61 @@ class Migration(migrations.Migration):
        migrations.AlterField(
            model_name='adminuser',
            name='_password',
-            field=common.fields.model.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password'),
+            field=common.db.fields.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password'),
        ),
        migrations.AlterField(
            model_name='adminuser',
            name='_private_key',
-            field=common.fields.model.EncryptTextField(blank=True, null=True, validators=[assets.models.utils.private_key_validator], verbose_name='SSH private key'),
+            field=common.db.fields.EncryptTextField(blank=True, null=True, validators=[assets.models.utils.private_key_validator], verbose_name='SSH private key'),
        ),
        migrations.AlterField(
            model_name='adminuser',
            name='_public_key',
-            field=common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH public key'),
+            field=common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='SSH public key'),
        ),
        migrations.AlterField(
            model_name='authbook',
            name='_password',
-            field=common.fields.model.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password'),
+            field=common.db.fields.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password'),
        ),
        migrations.AlterField(
            model_name='authbook',
            name='_private_key',
-            field=common.fields.model.EncryptTextField(blank=True, null=True, validators=[assets.models.utils.private_key_validator], verbose_name='SSH private key'),
+            field=common.db.fields.EncryptTextField(blank=True, null=True, validators=[assets.models.utils.private_key_validator], verbose_name='SSH private key'),
        ),
        migrations.AlterField(
            model_name='authbook',
            name='_public_key',
-            field=common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH public key'),
+            field=common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='SSH public key'),
        ),
        migrations.AlterField(
            model_name='gateway',
            name='_password',
-            field=common.fields.model.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password'),
+            field=common.db.fields.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password'),
        ),
        migrations.AlterField(
            model_name='gateway',
            name='_private_key',
-            field=common.fields.model.EncryptTextField(blank=True, null=True, validators=[assets.models.utils.private_key_validator], verbose_name='SSH private key'),
+            field=common.db.fields.EncryptTextField(blank=True, null=True, validators=[assets.models.utils.private_key_validator], verbose_name='SSH private key'),
        ),
        migrations.AlterField(
            model_name='gateway',
            name='_public_key',
-            field=common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH public key'),
+            field=common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='SSH public key'),
        ),
        migrations.AlterField(
            model_name='systemuser',
            name='_password',
-            field=common.fields.model.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password'),
+            field=common.db.fields.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password'),
        ),
        migrations.AlterField(
            model_name='systemuser',
            name='_private_key',
-            field=common.fields.model.EncryptTextField(blank=True, null=True, validators=[assets.models.utils.private_key_validator], verbose_name='SSH private key'),
+            field=common.db.fields.EncryptTextField(blank=True, null=True, validators=[assets.models.utils.private_key_validator], verbose_name='SSH private key'),
        ),
        migrations.AlterField(
            model_name='systemuser',
            name='_public_key',
-            field=common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH public key'),
+            field=common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='SSH public key'),
        ),
    ]
--- a/apps/assets/migrations/0035_auto_20190711_2018.py
+++ b/apps/assets/migrations/0035_auto_20190711_2018.py
@ -1,6 +1,6 @@
 # Generated by Django 2.1.7 on 2019-07-11 12:18
-import common.fields.model
+import common.db.fields
 from django.db import migrations
@ -14,21 +14,21 @@ class Migration(migrations.Migration):
        migrations.AlterField(
            model_name='adminuser',
            name='private_key',
-            field=common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH private key'),
+            field=common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='SSH private key'),
        ),
        migrations.AlterField(
            model_name='authbook',
            name='private_key',
-            field=common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH private key'),
+            field=common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='SSH private key'),
        ),
        migrations.AlterField(
            model_name='gateway',
            name='private_key',
-            field=common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH private key'),
+            field=common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='SSH private key'),
        ),
        migrations.AlterField(
            model_name='systemuser',
            name='private_key',
-            field=common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH private key'),
+            field=common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='SSH private key'),
        ),
    ]
--- a/apps/assets/migrations/0044_platform.py
+++ b/apps/assets/migrations/0044_platform.py
@ -1,6 +1,6 @@
 # Generated by Django 2.2.7 on 2019-12-06 07:26
-import common.fields.model
+import common.db.fields
 from django.db import migrations, models
@ -36,7 +36,7 @@ class Migration(migrations.Migration):
                ('name', models.SlugField(allow_unicode=True, unique=True, verbose_name='Name')),
                ('base', models.CharField(choices=[('Linux', 'Linux'), ('Unix', 'Unix'), ('MacOS', 'MacOS'), ('BSD', 'BSD'), ('Windows', 'Windows'), ('Other', 'Other')], default='Linux', max_length=16, verbose_name='Base')),
                ('charset', models.CharField(choices=[('utf8', 'UTF-8'), ('gbk', 'GBK')], default='utf8', max_length=8, verbose_name='Charset')),
-                ('meta', common.fields.model.JsonDictTextField(blank=True, null=True, verbose_name='Meta')),
+                ('meta', common.db.fields.JsonDictTextField(blank=True, null=True, verbose_name='Meta')),
                ('internal', models.BooleanField(default=False, verbose_name='Internal')),
                ('comment', models.TextField(blank=True, null=True, verbose_name='Comment')),
            ],
--- a/apps/assets/migrations/0072_historicalauthbook.py
+++ b/apps/assets/migrations/0072_historicalauthbook.py
@ -1,6 +1,6 @@
 # Generated by Django 3.1.6 on 2021-06-05 16:10
-import common.fields.model
+import common.db.fields
 from django.conf import settings
 import django.core.validators
 from django.db import migrations, models
@ -58,9 +58,9 @@ class Migration(migrations.Migration):
                ('id', models.UUIDField(db_index=True, default=uuid.uuid4)),
                ('name', models.CharField(max_length=128, verbose_name='Name')),
                ('username', models.CharField(blank=True, db_index=True, max_length=128, validators=[django.core.validators.RegexValidator('^[0-9a-zA-Z_@\\-\\.]*$', 'Special char not allowed')], verbose_name='Username')),
-                ('password', common.fields.model.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password')),
+                ('password', common.db.fields.EncryptCharField(blank=True, max_length=256, null=True, verbose_name='Password')),
-                ('private_key', common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH private key')),
+                ('private_key', common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='SSH private key')),
-                ('public_key', common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='SSH public key')),
+                ('public_key', common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='SSH public key')),
                ('comment', models.TextField(blank=True, verbose_name='Comment')),
                ('date_created', models.DateTimeField(blank=True, editable=False, verbose_name='Date created')),
                ('date_updated', models.DateTimeField(blank=True, editable=False, verbose_name='Date updated')),
--- a/apps/assets/migrations/0090_auto_20220412_1145.py
+++ b/apps/assets/migrations/0090_auto_20220412_1145.py
@ -3,6 +3,20 @@
 from django.db import migrations, models
 def create_internal_platform(apps, schema_editor):
    model = apps.get_model("assets", "Platform")
    db_alias = schema_editor.connection.alias
    type_platforms = (
        ('AIX', 'Unix', None),
    )
    for name, base, meta in type_platforms:
        defaults = {'name': name, 'base': base, 'meta': meta, 'internal': True}
        model.objects.using(db_alias).update_or_create(
            name=name, defaults=defaults
        )
        migrations.RunPython(create_internal_platform)
 class Migration(migrations.Migration):
    dependencies = [
@ -15,4 +29,5 @@ class Migration(migrations.Migration):
            name='number',
            field=models.CharField(blank=True, max_length=128, null=True, verbose_name='Asset number'),
        ),
        migrations.RunPython(create_internal_platform)
    ]
--- a/apps/assets/models/asset.py
+++ b/apps/assets/models/asset.py
@ -11,7 +11,7 @@ from django.db import models
 from django.utils.translation import ugettext_lazy as _
 from rest_framework.exceptions import ValidationError
-from common.fields.model import JsonDictTextField
+from common.db.fields import JsonDictTextField
 from common.utils import lazyproperty
 from orgs.mixins.models import OrgModelMixin, OrgManager
@ -301,7 +301,7 @@ class Asset(AbsConnectivity, AbsHardwareInfo, ProtocolsMixin, NodesRelationMixin
            'private_key': auth_user.private_key_file
        }
-        if not with_become:
+        if not with_become or self.is_windows():
            return info
        if become_user:
--- a/apps/assets/models/base.py
+++ b/apps/assets/models/base.py
@ -19,7 +19,7 @@ from common.utils import (
 )
 from common.utils.encode import ssh_pubkey_gen
 from common.validators import alphanumeric
-from common import fields
+from common.db import fields
 from orgs.mixins.models import OrgModelMixin
--- a/apps/assets/serializers/base.py
+++ b/apps/assets/serializers/base.py
@ -6,12 +6,13 @@ from django.utils.translation import ugettext_lazy as _
 from rest_framework import serializers
 from common.utils import ssh_pubkey_gen, ssh_private_key_gen, validate_ssh_private_key
 from common.drf.fields import EncryptedField
 from assets.models import Type
 class AuthSerializer(serializers.ModelSerializer):
-    password = serializers.CharField(required=False, allow_blank=True, allow_null=True, max_length=1024)
+    password = EncryptedField(required=False, allow_blank=True, allow_null=True, max_length=1024)
-    private_key = serializers.CharField(required=False, allow_blank=True, allow_null=True, max_length=4096)
+    private_key = EncryptedField(required=False, allow_blank=True, allow_null=True, max_length=4096)
    def gen_keys(self, private_key=None, password=None):
        if private_key is None:
@ -31,6 +32,8 @@ class AuthSerializer(serializers.ModelSerializer):
 class AuthSerializerMixin(serializers.ModelSerializer):
    password = EncryptedField(required=False, allow_blank=True, allow_null=True, max_length=1024)
    private_key = EncryptedField(required=False, allow_blank=True, allow_null=True, max_length=4096)
    passphrase = serializers.CharField(
        allow_blank=True, allow_null=True, required=False, max_length=512,
        write_only=True, label=_('Key password')
--- a/apps/assets/tasks/push_system_user.py
+++ b/apps/assets/tasks/push_system_user.py
@ -32,9 +32,9 @@ def _dump_args(args: dict):
    return ' '.join([f'{k}={v}' for k, v in args.items() if v is not Empty])
-def get_push_unixlike_system_user_tasks(system_user, username=None):
+def get_push_unixlike_system_user_tasks(system_user, username=None, **kwargs):
    comment = system_user.name
-
+    algorithm = kwargs.get('algorithm')
    if username is None:
        username = system_user.username
@ -104,7 +104,7 @@ def get_push_unixlike_system_user_tasks(system_user, username=None):
                'module': 'user',
                'args': 'name={} shell={} state=present password={}'.format(
                    username, system_user.shell,
-                    encrypt_password(password, salt="K3mIlKK"),
+                    encrypt_password(password, salt="K3mIlKK", algorithm=algorithm),
                ),
            }
        })
@ -138,7 +138,7 @@ def get_push_unixlike_system_user_tasks(system_user, username=None):
    return tasks
-def get_push_windows_system_user_tasks(system_user: SystemUser, username=None):
+def get_push_windows_system_user_tasks(system_user: SystemUser, username=None, **kwargs):
    if username is None:
        username = system_user.username
    password = system_user.password
@ -176,7 +176,7 @@ def get_push_windows_system_user_tasks(system_user: SystemUser, username=None):
    return tasks
-def get_push_system_user_tasks(system_user, platform="unixlike", username=None):
+def get_push_system_user_tasks(system_user, platform="unixlike", username=None, algorithm=None):
    """
    获取推送系统用户的 ansible 命令，跟资产无关
    :param system_user:
@ -190,16 +190,16 @@ def get_push_system_user_tasks(system_user, platform="unixlike", username=None):
    }
    get_tasks = get_task_map.get(platform, get_push_unixlike_system_user_tasks)
    if not system_user.username_same_with_user:
-        return get_tasks(system_user)
+        return get_tasks(system_user, algorithm=algorithm)
    tasks = []
    # 仅推送这个username
    if username is not None:
-        tasks.extend(get_tasks(system_user, username))
+        tasks.extend(get_tasks(system_user, username, algorithm=algorithm))
        return tasks
    users = system_user.users.all().values_list('username', flat=True)
    print(_("System user is dynamic: {}").format(list(users)))
    for _username in users:
-        tasks.extend(get_tasks(system_user, _username))
+        tasks.extend(get_tasks(system_user, _username, algorithm=algorithm))
    return tasks
@ -244,7 +244,11 @@ def push_system_user_util(system_user, assets, task_name, username=None):
        for u in usernames:
            for a in _assets:
                system_user.load_asset_special_auth(a, u)
-                tasks = get_push_system_user_tasks(system_user, platform, username=u)
+                algorithm = 'des' if a.platform.name == 'AIX' else 'sha512'
                tasks = get_push_system_user_tasks(
                    system_user, platform, username=u,
                    algorithm=algorithm
                )
                run_task(tasks, [a])
--- a/apps/audits/const.py
+++ b/apps/audits/const.py
@ -3,3 +3,23 @@
 from django.utils.translation import ugettext_lazy as _
 DEFAULT_CITY = _("Unknown")
 MODELS_NEED_RECORD = (
    # users
    'User', 'UserGroup',
    # acls
    'LoginACL', 'LoginAssetACL', 'LoginConfirmSetting',
    # assets
    'Asset', 'Node', 'AdminUser', 'SystemUser', 'Domain', 'Gateway', 'CommandFilterRule',
    'CommandFilter', 'Platform', 'AuthBook',
    # applications
    'Application',
    # orgs
    'Organization',
    # settings
    'Setting',
    # perms
    'AssetPermission', 'ApplicationPermission',
    # xpack
    'License', 'Account', 'SyncInstanceTask', 'ChangeAuthPlan', 'GatherUserTask',
 )
--- a/apps/audits/migrations/0014_auto_20220505_1902.py
+++ b/apps/audits/migrations/0014_auto_20220505_1902.py
@ -0,0 +1,18 @@
 # Generated by Django 3.1.14 on 2022-05-05 11:02
 from django.db import migrations, models
 class Migration(migrations.Migration):
    dependencies = [
        ('audits', '0013_auto_20211130_1037'),
    ]
    operations = [
        migrations.AlterField(
            model_name='operatelog',
            name='action',
            field=models.CharField(choices=[('create', 'Create'), ('view', 'View'), ('update', 'Update'), ('delete', 'Delete')], max_length=16, verbose_name='Action'),
        ),
    ]
--- a/apps/audits/models.py
+++ b/apps/audits/models.py
@ -49,10 +49,12 @@ class FTPLog(OrgModelMixin):
 class OperateLog(OrgModelMixin):
    ACTION_CREATE = 'create'
    ACTION_VIEW = 'view'
    ACTION_UPDATE = 'update'
    ACTION_DELETE = 'delete'
    ACTION_CHOICES = (
        (ACTION_CREATE, _("Create")),
        (ACTION_VIEW, _("View")),
        (ACTION_UPDATE, _("Update")),
        (ACTION_DELETE, _("Delete"))
    )
--- a/apps/audits/signal_handlers.py
+++ b/apps/audits/signal_handlers.py
@ -21,7 +21,7 @@ from jumpserver.utils import current_request
 from users.models import User
 from users.signals import post_user_change_password
 from terminal.models import Session, Command
-from .utils import write_login_log
+from .utils import write_login_log, create_operate_log
 from . import models, serializers
 from .models import OperateLog
 from orgs.utils import current_org
@ -36,26 +36,6 @@ logger = get_logger(__name__)
 sys_logger = get_syslogger(__name__)
 json_render = JSONRenderer()
 MODELS_NEED_RECORD = (
    # users
    'User', 'UserGroup',
    # acls
    'LoginACL', 'LoginAssetACL', 'LoginConfirmSetting',
    # assets
    'Asset', 'Node', 'AdminUser', 'SystemUser', 'Domain', 'Gateway', 'CommandFilterRule',
    'CommandFilter', 'Platform', 'AuthBook',
    # applications
    'Application',
    # orgs
    'Organization',
    # settings
    'Setting',
    # perms
    'AssetPermission', 'ApplicationPermission',
    # xpack
    'License', 'Account', 'SyncInstanceTask', 'ChangeAuthPlan', 'GatherUserTask',
 )
 class AuthBackendLabelMapping(LazyObject):
    @staticmethod
@ -80,28 +60,6 @@ class AuthBackendLabelMapping(LazyObject):
 AUTH_BACKEND_LABEL_MAPPING = AuthBackendLabelMapping()
 def create_operate_log(action, sender, resource):
    user = current_request.user if current_request else None
    if not user or not user.is_authenticated:
        return
    model_name = sender._meta.object_name
    if model_name not in MODELS_NEED_RECORD:
        return
    with translation.override('en'):
        resource_type = sender._meta.verbose_name
    remote_addr = get_request_ip(current_request)
    data = {
        "user": str(user), 'action': action, 'resource_type': resource_type,
        'resource': str(resource), 'remote_addr': remote_addr,
    }
    with transaction.atomic():
        try:
            models.OperateLog.objects.create(**data)
        except Exception as e:
            logger.error("Create operate log error: {}".format(e))
 M2M_NEED_RECORD = {
    User.groups.through._meta.object_name: (
        _('User and Group'),
--- a/apps/audits/utils.py
+++ b/apps/audits/utils.py
@ -1,9 +1,17 @@
 import csv
 import codecs
 from django.http import HttpResponse
-from .const import DEFAULT_CITY
+from django.http import HttpResponse
-from common.utils import validate_ip, get_ip_city
+from django.db import transaction
 from django.utils import translation
 from audits.models import OperateLog
 from common.utils import validate_ip, get_ip_city, get_request_ip, get_logger
 from jumpserver.utils import current_request
 from .const import DEFAULT_CITY, MODELS_NEED_RECORD
 logger = get_logger(__name__)
 def get_excel_response(filename):
@ -36,3 +44,25 @@ def write_login_log(*args, **kwargs):
        city = get_ip_city(ip) or DEFAULT_CITY
    kwargs.update({'ip': ip, 'city': city})
    UserLoginLog.objects.create(**kwargs)
 def create_operate_log(action, sender, resource):
    user = current_request.user if current_request else None
    if not user or not user.is_authenticated:
        return
    model_name = sender._meta.object_name
    if model_name not in MODELS_NEED_RECORD:
        return
    with translation.override('en'):
        resource_type = sender._meta.verbose_name
    remote_addr = get_request_ip(current_request)
    data = {
        "user": str(user), 'action': action, 'resource_type': resource_type,
        'resource': str(resource), 'remote_addr': remote_addr,
    }
    with transaction.atomic():
        try:
            OperateLog.objects.create(**data)
        except Exception as e:
            logger.error("Create operate log error: {}".format(e))
--- a/apps/authentication/api/connection_token.py
+++ b/apps/authentication/api/connection_token.py
@ -7,7 +7,6 @@ import os
 import base64
 import ctypes
 from django.conf import settings
 from django.core.cache import cache
 from django.shortcuts import get_object_or_404
 from django.http import HttpResponse
@ -33,11 +32,11 @@ from perms.utils.asset.permission import get_asset_actions
 from common.const.http import PATCH
 from terminal.models import EndpointRule
 from ..serializers import (
-    ConnectionTokenSerializer, ConnectionTokenSecretSerializer,
+    ConnectionTokenSerializer, ConnectionTokenSecretSerializer, SuperConnectionTokenSerializer
 )
 logger = get_logger(__name__)
-__all__ = ['UserConnectionTokenViewSet', 'TokenCacheMixin']
+__all__ = ['UserConnectionTokenViewSet', 'UserSuperConnectionTokenViewSet', 'TokenCacheMixin']
 class ClientProtocolMixin:
@ -70,8 +69,7 @@ class ClientProtocolMixin:
        system_user = serializer.validated_data['system_user']
        user = serializer.validated_data.get('user')
-        if not user or not self.request.user.is_superuser:
+        user = user if user else self.request.user
            user = self.request.user
        return asset, application, system_user, user
    @staticmethod
@ -105,7 +103,7 @@ class ClientProtocolMixin:
            'bookmarktype:i': '3',
            'use redirection server name:i': '0',
            'smart sizing:i': '1',
-            #'drivestoredirect:s': '*',
+            # 'drivestoredirect:s': '*',
            # 'domain:s': ''
            # 'alternate shell:s:': '||MySQLWorkbench',
            # 'remoteapplicationname:s': 'Firefox',
@ -206,21 +204,6 @@ class ClientProtocolMixin:
        rst = rst.decode('ascii')
        return rst
    @action(methods=['POST', 'GET'], detail=False, url_path='rdp/file')
    def get_rdp_file(self, request, *args, **kwargs):
        if self.request.method == 'GET':
            data = self.request.query_params
        else:
            data = self.request.data
        serializer = self.get_serializer(data=data)
        serializer.is_valid(raise_exception=True)
        name, data = self.get_rdp_file_content(serializer)
        response = HttpResponse(data, content_type='application/octet-stream')
        filename = "{}-{}-jumpserver.rdp".format(self.request.user.username, name)
        filename = urllib.parse.quote(filename)
        response['Content-Disposition'] = 'attachment; filename*=UTF-8\'\'%s' % filename
        return response
    def get_valid_serializer(self):
        if self.request.method == 'GET':
            data = self.request.query_params
@ -252,6 +235,21 @@ class ClientProtocolMixin:
        }
        return data
    @action(methods=['POST', 'GET'], detail=False, url_path='rdp/file')
    def get_rdp_file(self, request, *args, **kwargs):
        if self.request.method == 'GET':
            data = self.request.query_params
        else:
            data = self.request.data
        serializer = self.get_serializer(data=data)
        serializer.is_valid(raise_exception=True)
        name, data = self.get_rdp_file_content(serializer)
        response = HttpResponse(data, content_type='application/octet-stream')
        filename = "{}-{}-jumpserver.rdp".format(self.request.user.username, name)
        filename = urllib.parse.quote(filename)
        response['Content-Disposition'] = 'attachment; filename*=UTF-8\'\'%s' % filename
        return response
    @action(methods=['POST', 'GET'], detail=False, url_path='client-url')
    def get_client_protocol_url(self, request, *args, **kwargs):
        serializer = self.get_valid_serializer()
@ -370,7 +368,7 @@ class TokenCacheMixin:
        key = self.get_token_cache_key(token)
        return cache.ttl(key)
-    def set_token_to_cache(self, token, value, ttl=5*60):
+    def set_token_to_cache(self, token, value, ttl=5 * 60):
        key = self.get_token_cache_key(token)
        cache.set(key, value, timeout=ttl)
@ -379,7 +377,7 @@ class TokenCacheMixin:
        value = cache.get(key, None)
        return value
-    def renewal_token(self, token, ttl=5*60):
+    def renewal_token(self, token, ttl=5 * 60):
        value = self.get_token_from_cache(token)
        if value:
            pre_ttl = self.get_token_ttl(token)
@ -397,22 +395,10 @@ class TokenCacheMixin:
        return data
-class UserConnectionTokenViewSet(
+class BaseUserConnectionTokenViewSet(
    RootOrgViewMixin, SerializerMixin, ClientProtocolMixin,
-    SecretDetailMixin, TokenCacheMixin, GenericViewSet
+    TokenCacheMixin, GenericViewSet
 ):
    serializer_classes = {
        'default': ConnectionTokenSerializer,
        'get_secret_detail': ConnectionTokenSecretSerializer,
    }
    rbac_perms = {
        'GET': 'authentication.view_connectiontoken',
        'create': 'authentication.add_connectiontoken',
        'renewal': 'authentication.add_superconnectiontoken',
        'get_secret_detail': 'authentication.view_connectiontokensecret',
        'get_rdp_file': 'authentication.add_connectiontoken',
        'get_client_protocol_url': 'authentication.add_connectiontoken',
    }
    @staticmethod
    def check_resource_permission(user, asset, application, system_user):
@ -429,22 +415,7 @@ class UserConnectionTokenViewSet(
            raise PermissionDenied(error)
        return True
-    @action(methods=[PATCH], detail=False)
+    def create_token(self, user, asset, application, system_user, ttl=5 * 60):
    def renewal(self, request, *args, **kwargs):
        """ 续期 Token """
        perm_required = 'authentication.add_superconnectiontoken'
        if not request.user.has_perm(perm_required):
            raise PermissionDenied('No permissions for authentication.add_superconnectiontoken')
        token = request.data.get('token', '')
        data = self.renewal_token(token)
        status_code = 200 if data.get('ok') else 404
        return Response(data=data, status=status_code)
    def create_token(self, user, asset, application, system_user, ttl=5*60):
        # 再次强调一下权限
        perm_required = 'authentication.add_superconnectiontoken'
        if user != self.request.user and not self.request.user.has_perm(perm_required):
            raise PermissionDenied('Only can create user token')
        self.check_resource_permission(user, asset, application, system_user)
        token = random_string(36)
        secret = random_string(16)
@ -489,6 +460,20 @@ class UserConnectionTokenViewSet(
        }
        return Response(data, status=201)
 class UserConnectionTokenViewSet(BaseUserConnectionTokenViewSet, SecretDetailMixin):
    serializer_classes = {
        'default': ConnectionTokenSerializer,
        'get_secret_detail': ConnectionTokenSecretSerializer,
    }
    rbac_perms = {
        'GET': 'authentication.view_connectiontoken',
        'create': 'authentication.add_connectiontoken',
        'get_secret_detail': 'authentication.view_connectiontokensecret',
        'get_rdp_file': 'authentication.add_connectiontoken',
        'get_client_protocol_url': 'authentication.add_connectiontoken',
    }
    def valid_token(self, token):
        from users.models import User
        from assets.models import SystemUser, Asset
@ -526,3 +511,23 @@ class UserConnectionTokenViewSet(
        if not value:
            return Response('', status=404)
        return Response(value)
 class UserSuperConnectionTokenViewSet(
    BaseUserConnectionTokenViewSet, TokenCacheMixin, GenericViewSet
 ):
    serializer_classes = {
        'default': SuperConnectionTokenSerializer,
    }
    rbac_perms = {
        'create': 'authentication.add_superconnectiontoken',
        'renewal': 'authentication.add_superconnectiontoken'
    }
    @action(methods=[PATCH], detail=False)
    def renewal(self, request, *args, **kwargs):
        """ 续期 Token """
        token = request.data.get('token', '')
        data = self.renewal_token(token)
        status_code = 200 if data.get('ok') else 404
        return Response(data=data, status=status_code)
--- a/apps/authentication/api/token.py
+++ b/apps/authentication/api/token.py
@ -27,8 +27,10 @@ class TokenCreateApi(AuthMixin, CreateAPIView):
    def create(self, request, *args, **kwargs):
        self.create_session_if_need()
        # 如果认证没有过，检查账号密码
        serializer = self.get_serializer(data=request.data)
        serializer.is_valid(raise_exception=True)
        try:
-            user = self.check_user_auth_if_need()
+            user = self.get_user_or_auth(serializer.validated_data)
            self.check_user_mfa_if_need(user)
            self.check_user_login_confirm_if_need(user)
            self.send_auth_signal(success=True, user=user)
--- a/apps/authentication/backends/oidc/backends.py
+++ b/apps/authentication/backends/oidc/backends.py
@ -103,21 +103,44 @@ class OIDCAuthCodeBackend(OIDCBaseBackend):
        # Prepares the token payload that will be used to request an authentication token to the
        # token endpoint of the OIDC provider.
        logger.debug(log_prompt.format('Prepares token payload'))
        """ 
        The reason for need not client_id and client_secret in token_payload.
        OIDC protocol indicate client's token_endpoint_auth_method only accept one type in
            - client_secret_basic
            - client_secret_post
            - client_secret_jwt
            - private_key_jwt
            - none
        If the client offer more than one auth method type to OIDC, OIDC will auth client failed.
        OIDC default use client_secret_basic, 
        this type only need in headers add Authorization=Basic xxx.
        More info see: https://github.com/jumpserver/jumpserver/issues/8165
        More info see: https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
        """
        token_payload = {
            'client_id': settings.AUTH_OPENID_CLIENT_ID,
            'client_secret': settings.AUTH_OPENID_CLIENT_SECRET,
            'grant_type': 'authorization_code',
            'code': code,
            'redirect_uri': build_absolute_uri(
                request, path=reverse(settings.AUTH_OPENID_AUTH_LOGIN_CALLBACK_URL_NAME)
            )
        }
-
+        if settings.AUTH_OPENID_CLIENT_AUTH_METHOD == 'client_secret_post':
            token_payload.update({
                'client_id': settings.AUTH_OPENID_CLIENT_ID,
                'client_secret': settings.AUTH_OPENID_CLIENT_SECRET,
            })
            headers = None
        else:
            # Prepares the token headers that will be used to request an authentication token to the
            # token endpoint of the OIDC provider.
            logger.debug(log_prompt.format('Prepares token headers'))
-        basic_token = "{}:{}".format(settings.AUTH_OPENID_CLIENT_ID, settings.AUTH_OPENID_CLIENT_SECRET)
+            basic_token = "{}:{}".format(
-        headers = {"Authorization": "Basic {}".format(base64.b64encode(basic_token.encode()).decode())}
+                settings.AUTH_OPENID_CLIENT_ID, settings.AUTH_OPENID_CLIENT_SECRET
            )
            headers = {
                "Authorization": "Basic {}".format(base64.b64encode(basic_token.encode()).decode())
            }
        # Calls the token endpoint.
        logger.debug(log_prompt.format('Call the token endpoint'))
--- a/apps/authentication/backends/saml2/views.py
+++ b/apps/authentication/backends/saml2/views.py
@ -74,16 +74,28 @@ class PrepareRequestMixin:
        return idp_settings
    @staticmethod
-    def get_attribute_consuming_service():
+    def get_request_attributes():
-        attr_mapping = settings.SAML2_RENAME_ATTRIBUTES
+        attr_mapping = settings.SAML2_RENAME_ATTRIBUTES or {}
-        if attr_mapping and isinstance(attr_mapping, dict):
+        attr_map_reverse = {v: k for k, v in attr_mapping.items()}
-            attr_list = [
+        need_attrs = (
-                {
+            ('username', 'username', True),
-                    "name": sp_key,
+            ('email', 'email', True),
-                    "friendlyName": idp_key, "isRequired": True
+            ('name', 'name', False),
-                }
+            ('phone', 'phone', False),
-                for idp_key, sp_key in attr_mapping.items()
+            ('comment', 'comment', False),
-            ]
+        )
        attr_list = []
        for name, friend_name, is_required in need_attrs:
            rename_name = attr_map_reverse.get(friend_name)
            name = rename_name if rename_name else name
            attr_list.append({
                "name": name, "isRequired": is_required,
                "friendlyName": friend_name,
            })
        return attr_list
    def get_attribute_consuming_service(self):
        attr_list = self.get_request_attributes()
        request_attribute_template = {
            "attributeConsumingService": {
                "isDefault": False,
@ -93,8 +105,6 @@ class PrepareRequestMixin:
            }
        }
        return request_attribute_template
        else:
            return {}
    @staticmethod
    def get_advanced_settings():
@ -167,11 +177,14 @@ class PrepareRequestMixin:
    def get_attributes(self, saml_instance):
        user_attrs = {}
        attr_mapping = settings.SAML2_RENAME_ATTRIBUTES
        attrs = saml_instance.get_attributes()
        valid_attrs = ['username', 'name', 'email', 'comment', 'phone']
        for attr, value in attrs.items():
            attr = attr.rsplit('/', 1)[-1]
            if attr_mapping and attr_mapping.get(attr):
                attr = attr_mapping.get(attr)
            if attr not in valid_attrs:
                continue
            user_attrs[attr] = self.value_to_str(value)
--- a/apps/authentication/forms.py
+++ b/apps/authentication/forms.py
@ -1,15 +1,25 @@
 # -*- coding: utf-8 -*-
 #
 from django import forms
 from django.conf import settings
 from django.utils.translation import ugettext_lazy as _
 from captcha.fields import CaptchaField, CaptchaTextInput
 from common.utils import get_logger, decrypt_password
 logger = get_logger(__name__)
 class EncryptedField(forms.CharField):
    def to_python(self, value):
        value = super().to_python(value)
        return decrypt_password(value)
 class UserLoginForm(forms.Form):
    days_auto_login = int(settings.SESSION_COOKIE_AGE / 3600 / 24)
-    disable_days_auto_login = settings.SESSION_EXPIRE_AT_BROWSER_CLOSE_FORCE or days_auto_login < 1
+    disable_days_auto_login = settings.SESSION_EXPIRE_AT_BROWSER_CLOSE_FORCE \
                              or days_auto_login < 1
    username = forms.CharField(
        label=_('Username'), max_length=100,
@ -18,7 +28,7 @@ class UserLoginForm(forms.Form):
            'autofocus': 'autofocus'
        })
    )
-    password = forms.CharField(
+    password = EncryptedField(
        label=_('Password'), widget=forms.PasswordInput,
        max_length=1024, strip=False
    )
--- a/apps/authentication/middleware.py
+++ b/apps/authentication/middleware.py
@ -1,8 +1,12 @@
 import base64
 from django.shortcuts import redirect, reverse
 from django.utils.deprecation import MiddlewareMixin
 from django.http import HttpResponse
 from django.conf import settings
 from common.utils import gen_key_pair
 class MFAMiddleware:
    """
@ -48,3 +52,28 @@ class SessionCookieMiddleware(MiddlewareMixin):
            return response
        response.set_cookie(key, value)
        return response
 class EncryptedMiddleware:
    def __init__(self, get_response):
        self.get_response = get_response
    @staticmethod
    def check_key_pair(request, response):
        pub_key_name = settings.SESSION_RSA_PUBLIC_KEY_NAME
        public_key = request.session.get(pub_key_name)
        cookie_key = request.COOKIES.get(pub_key_name)
        if public_key and public_key == cookie_key:
            return
        pri_key_name = settings.SESSION_RSA_PRIVATE_KEY_NAME
        private_key, public_key = gen_key_pair()
        public_key_decode = base64.b64encode(public_key.encode()).decode()
        request.session[pub_key_name] = public_key_decode
        request.session[pri_key_name] = private_key
        response.set_cookie(pub_key_name, public_key_decode)
    def __call__(self, request):
        response = self.get_response(request)
        self.check_key_pair(request, response)
        return response
--- a/apps/authentication/mixins.py
+++ b/apps/authentication/mixins.py
@ -23,9 +23,7 @@ from acls.models import LoginACL
 from users.models import User
 from users.utils import LoginBlockUtil, MFABlockUtils, LoginIpBlockUtil
 from . import errors
 from .utils import rsa_decrypt, gen_key_pair
 from .signals import post_auth_success, post_auth_failed
 from .const import RSA_PRIVATE_KEY, RSA_PUBLIC_KEY
 logger = get_logger(__name__)
@ -58,6 +56,7 @@ def authenticate(request=None, **credentials):
    for backend, backend_path in _get_backends(return_tuples=True):
        # 检查用户名是否允许认证 (预先检查，不浪费认证时间)
        logger.info('Try using auth backend: {}'.format(str(backend)))
        if not backend.username_allow_authenticate(username):
            continue
@ -91,46 +90,8 @@ def authenticate(request=None, **credentials):
 auth.authenticate = authenticate
-class PasswordEncryptionViewMixin:
+class CommonMixin:
-    request = None
+    request: Request
    def get_decrypted_password(self, password=None, username=None):
        request = self.request
        if hasattr(request, 'data'):
            data = request.data
        else:
            data = request.POST
        username = username or data.get('username')
        password = password or data.get('password')
        password = self.decrypt_passwd(password)
        if not password:
            self.raise_password_decrypt_failed(username=username)
        return password
    def raise_password_decrypt_failed(self, username):
        ip = self.get_request_ip()
        raise errors.CredentialError(
            error=errors.reason_password_decrypt_failed,
            username=username, ip=ip, request=self.request
        )
    def decrypt_passwd(self, raw_passwd):
        # 获取解密密钥，对密码进行解密
        rsa_private_key = self.request.session.get(RSA_PRIVATE_KEY)
        if rsa_private_key is None:
            return raw_passwd
        try:
            return rsa_decrypt(raw_passwd, rsa_private_key)
        except Exception as e:
            logger.error(e, exc_info=True)
            logger.error(
                f'Decrypt password failed: password[{raw_passwd}] '
                f'rsa_private_key[{rsa_private_key}]'
            )
            return None
    def get_request_ip(self):
        ip = ''
@ -139,26 +100,6 @@ class PasswordEncryptionViewMixin:
        ip = ip or get_request_ip(self.request)
        return ip
    def get_context_data(self, **kwargs):
        # 生成加解密密钥对，public_key传递给前端，private_key存入session中供解密使用
        rsa_public_key = self.request.session.get(RSA_PUBLIC_KEY)
        rsa_private_key = self.request.session.get(RSA_PRIVATE_KEY)
        if not all([rsa_private_key, rsa_public_key]):
            rsa_private_key, rsa_public_key = gen_key_pair()
            rsa_public_key = rsa_public_key.replace('\n', '\\n')
            self.request.session[RSA_PRIVATE_KEY] = rsa_private_key
            self.request.session[RSA_PUBLIC_KEY] = rsa_public_key
        kwargs.update({
            'rsa_public_key': rsa_public_key,
        })
        return super().get_context_data(**kwargs)
 class CommonMixin(PasswordEncryptionViewMixin):
    request: Request
    get_request_ip: Callable
    def raise_credential_error(self, error):
        raise self.partial_credential_error(error=error)
@ -193,20 +134,13 @@ class CommonMixin(PasswordEncryptionViewMixin):
        user.backend = self.request.session.get("auth_backend")
        return user
-    def get_auth_data(self, decrypt_passwd=False):
+    def get_auth_data(self, data):
        request = self.request
        if hasattr(request, 'data'):
            data = request.data
        else:
            data = request.POST
        items = ['username', 'password', 'challenge', 'public_key', 'auto_login']
        username, password, challenge, public_key, auto_login = bulk_get(data, items, default='')
        ip = self.get_request_ip()
        self._set_partial_credential_error(username=username, ip=ip, request=request)
        if decrypt_passwd:
            password = self.get_decrypted_password()
        password = password + challenge.strip()
        return username, password, public_key, ip, auto_login
@ -482,10 +416,10 @@ class AuthMixin(CommonMixin, AuthPreCheckMixin, AuthACLMixin, MFAMixin, AuthPost
        need = cache.get(self.key_prefix_captcha.format(ip))
        return need
-    def check_user_auth(self, decrypt_passwd=False):
+    def check_user_auth(self, valid_data=None):
        # pre check
        self.check_is_block()
-        username, password, public_key, ip, auto_login = self.get_auth_data(decrypt_passwd)
+        username, password, public_key, ip, auto_login = self.get_auth_data(valid_data)
        self._check_only_allow_exists_user_auth(username)
        # check auth
@ -537,11 +471,12 @@ class AuthMixin(CommonMixin, AuthPreCheckMixin, AuthACLMixin, MFAMixin, AuthPost
        self.mark_password_ok(user, False)
        return user
-    def check_user_auth_if_need(self, decrypt_passwd=False):
+    def get_user_or_auth(self, valid_data):
        request = self.request
-        if not request.session.get('auth_password'):
+        if request.session.get('auth_password'):
            return self.check_user_auth(decrypt_passwd=decrypt_passwd)
            return self.get_user_from_session()
        else:
            return self.check_user_auth(valid_data)
    def clear_auth_mark(self):
        keys = ['auth_password', 'user_id', 'auth_confirm', 'auth_ticket_id']
--- a/apps/authentication/serializers/connect_token.py
+++ b/apps/authentication/serializers/connect_token.py
@ -13,24 +13,16 @@ __all__ = [
    'ConnectionTokenUserSerializer', 'ConnectionTokenFilterRuleSerializer',
    'ConnectionTokenAssetSerializer', 'ConnectionTokenSystemUserSerializer',
    'ConnectionTokenDomainSerializer', 'ConnectionTokenRemoteAppSerializer',
-    'ConnectionTokenGatewaySerializer', 'ConnectionTokenSecretSerializer'
+    'ConnectionTokenGatewaySerializer', 'ConnectionTokenSecretSerializer',
    'SuperConnectionTokenSerializer'
 ]
 class ConnectionTokenSerializer(serializers.Serializer):
    user = serializers.CharField(max_length=128, required=False, allow_blank=True)
    system_user = serializers.CharField(max_length=128, required=True)
    asset = serializers.CharField(max_length=128, required=False)
    application = serializers.CharField(max_length=128, required=False)
    @staticmethod
    def validate_user(user_id):
        from users.models import User
        user = User.objects.filter(id=user_id).first()
        if user is None:
            raise serializers.ValidationError('user id not exist')
        return user
    @staticmethod
    def validate_system_user(system_user_id):
        from assets.models import SystemUser
@ -65,6 +57,18 @@ class ConnectionTokenSerializer(serializers.Serializer):
        return super().validate(attrs)
 class SuperConnectionTokenSerializer(ConnectionTokenSerializer):
    user = serializers.CharField(max_length=128, required=False, allow_blank=True)
    @staticmethod
    def validate_user(user_id):
        from users.models import User
        user = User.objects.filter(id=user_id).first()
        if user is None:
            raise serializers.ValidationError('user id not exist')
        return user
 class ConnectionTokenUserSerializer(serializers.ModelSerializer):
    class Meta:
        model = User
@ -114,7 +118,6 @@ class ConnectionTokenDomainSerializer(serializers.ModelSerializer):
 class ConnectionTokenFilterRuleSerializer(serializers.ModelSerializer):
    class Meta:
        model = CommandFilterRule
        fields = [
--- a/apps/authentication/serializers/password_mfa.py
+++ b/apps/authentication/serializers/password_mfa.py
@ -2,6 +2,8 @@
 #
 from rest_framework import serializers
 from common.drf.fields import EncryptedField
 __all__ = [
    'OtpVerifySerializer', 'MFAChallengeSerializer', 'MFASelectTypeSerializer',
@ -10,7 +12,7 @@ __all__ = [
 class PasswordVerifySerializer(serializers.Serializer):
-    password = serializers.CharField()
+    password = EncryptedField()
 class MFASelectTypeSerializer(serializers.Serializer):
--- a/apps/authentication/templates/authentication/login.html
+++ b/apps/authentication/templates/authentication/login.html
@ -161,6 +161,7 @@
                <span style="font-size: 21px;font-weight:400;color: #151515;letter-spacing: 0;">{{ JMS_TITLE }}</span>
            </div>
            <div class="contact-form col-md-10 col-md-offset-1">
                <form id="login-form" action="" method="post" role="form" novalidate="novalidate">
                    {% csrf_token %}
                    <div style="line-height: 17px;margin-bottom: 20px;color: #999999;">
@ -240,21 +241,13 @@
 </body>
 {% include '_foot_js.html' %}
 <script type="text/javascript" src="/static/js/plugins/jsencrypt/jsencrypt.min.js"></script>
 <script type="text/javascript" src="/static/js/plugins/cryptojs/crypto-js.min.js"></script>
 <script type="text/javascript" src="/static/js/plugins/buffer/buffer.min.js"></script>
 <script>
    function encryptLoginPassword(password, rsaPublicKey) {
        if (!password) {
            return ''
        }
        var jsencrypt = new JSEncrypt(); //加密对象
        jsencrypt.setPublicKey(rsaPublicKey); // 设置密钥
        return jsencrypt.encrypt(password); //加密
    }
    function doLogin() {
        //公钥加密
        var rsaPublicKey = "{{ rsa_public_key }}"
        var password = $('#password').val(); //明文密码
-        var passwordEncrypted = encryptLoginPassword(password, rsaPublicKey)
+        var passwordEncrypted = encryptPassword(password)
        $('#password-hidden').val(passwordEncrypted); //返回给密码输入input
        $('#login-form').submit(); //post提交
    }
--- a/apps/authentication/urls/api_urls.py
+++ b/apps/authentication/urls/api_urls.py
@ -11,6 +11,7 @@ router.register('access-keys', api.AccessKeyViewSet, 'access-key')
 router.register('sso', api.SSOViewSet, 'sso')
 router.register('temp-tokens', api.TempTokenViewSet, 'temp-token')
 router.register('connection-token', api.UserConnectionTokenViewSet, 'connection-token')
 router.register('super-connection-token', api.UserSuperConnectionTokenViewSet, 'super-connection-token')
 urlpatterns = [
--- a/apps/authentication/utils.py
+++ b/apps/authentication/utils.py
@ -1,62 +1,22 @@
 # -*- coding: utf-8 -*-
 #
 import base64
 from Cryptodome.PublicKey import RSA
 from Cryptodome.Cipher import PKCS1_v1_5
 from Cryptodome import Random
 from django.conf import settings
-from .notifications import DifferentCityLoginMessage
+
 from audits.models import UserLoginLog
 from audits.const import DEFAULT_CITY
 from common.utils import validate_ip, get_ip_city, get_request_ip
 from common.utils import get_logger
 from audits.models import UserLoginLog
 from audits.const import DEFAULT_CITY
 from .notifications import DifferentCityLoginMessage
 logger = get_logger(__file__)
 def gen_key_pair():
    """ 生成加密key
    用于登录页面提交用户名/密码时，对密码进行加密（前端）/解密（后端）
    """
    random_generator = Random.new().read
    rsa = RSA.generate(1024, random_generator)
    rsa_private_key = rsa.exportKey().decode()
    rsa_public_key = rsa.publickey().exportKey().decode()
    return rsa_private_key, rsa_public_key
 def rsa_encrypt(message, rsa_public_key):
    """ 加密登录密码 """
    key = RSA.importKey(rsa_public_key)
    cipher = PKCS1_v1_5.new(key)
    cipher_text = base64.b64encode(cipher.encrypt(message.encode())).decode()
    return cipher_text
 def rsa_decrypt(cipher_text, rsa_private_key=None):
    """ 解密登录密码 """
    if rsa_private_key is None:
        # rsa_private_key 为 None，可以能是API请求认证，不需要解密
        return cipher_text
    key = RSA.importKey(rsa_private_key)
    cipher = PKCS1_v1_5.new(key)
    cipher_decoded = base64.b64decode(cipher_text.encode())
    # Todo: 弄明白为何要以下这么写，https://xbuba.com/questions/57035263
    if len(cipher_decoded) == 127:
        hex_fixed = '00' + cipher_decoded.hex()
        cipher_decoded = base64.b16decode(hex_fixed.upper())
    message = cipher.decrypt(cipher_decoded, b'error').decode()
    return message
 def check_different_city_login_if_need(user, request):
    if not settings.SECURITY_CHECK_DIFFERENT_CITY_LOGIN:
        return
    ip = get_request_ip(request) or '0.0.0.0'
    if not (ip and validate_ip(ip)):
        city = DEFAULT_CITY
    else:
--- a/apps/authentication/views/dingtalk.py
+++ b/apps/authentication/views/dingtalk.py
@ -21,6 +21,7 @@ from authentication.mixins import AuthMixin
 from common.sdk.im.dingtalk import DingTalk
 from common.utils.common import get_request_ip
 from authentication.notifications import OAuthBindMessage
 from .mixins import METAMixin
 logger = get_logger(__file__)
@ -200,14 +201,17 @@ class DingTalkEnableStartView(UserVerifyPasswordView):
        return success_url
-class DingTalkQRLoginView(DingTalkQRMixin, View):
+class DingTalkQRLoginView(DingTalkQRMixin, METAMixin, View):
    permission_classes = (AllowAny,)
    def get(self,  request: HttpRequest):
        redirect_url = request.GET.get('redirect_url')
        redirect_uri = reverse('authentication:dingtalk-qr-login-callback', external=True)
-        redirect_uri += '?' + urlencode({'redirect_url': redirect_url})
+        redirect_uri += '?' + urlencode({
            'redirect_url': redirect_url,
            'next': self.get_next_url_from_meta()
        })
        url = self.get_qr_url(redirect_uri)
        return HttpResponseRedirect(url)
--- a/apps/authentication/views/login.py
+++ b/apps/authentication/views/login.py
@ -96,7 +96,7 @@ class UserLoginView(mixins.AuthMixin, FormView):
        self.request.session.delete_test_cookie()
        try:
-            self.check_user_auth(decrypt_passwd=True)
+            self.check_user_auth(form.cleaned_data)
        except errors.AuthFailedError as e:
            form.add_error(None, e.msg)
            self.set_login_failed_mark()
@ -219,7 +219,7 @@ class UserLoginGuardView(mixins.AuthMixin, RedirectView):
    def get_redirect_url(self, *args, **kwargs):
        try:
-            user = self.check_user_auth_if_need()
+            user = self.get_user_from_session()
            self.check_user_mfa_if_need(user)
            self.check_user_login_confirm_if_need(user)
        except (errors.CredentialError, errors.SessionEmptyError) as e:
--- a/apps/authentication/views/mixins.py
+++ b/apps/authentication/views/mixins.py
@ -0,0 +1,12 @@
 # -*- coding: utf-8 -*-
 #
 class METAMixin:
    def get_next_url_from_meta(self):
        request_meta = self.request.META or {}
        next_url = None
        referer = request_meta.get('HTTP_REFERER', '')
        next_url_item = referer.rsplit('next=', 1)
        if len(next_url_item) > 1:
            next_url = next_url_item[-1]
        return next_url
--- a/apps/authentication/views/wecom.py
+++ b/apps/authentication/views/wecom.py
@ -21,6 +21,7 @@ from common.utils.common import get_request_ip
 from authentication import errors
 from authentication.mixins import AuthMixin
 from authentication.notifications import OAuthBindMessage
 from .mixins import METAMixin
 logger = get_logger(__file__)
@ -196,14 +197,17 @@ class WeComEnableStartView(UserVerifyPasswordView):
        return success_url
-class WeComQRLoginView(WeComQRMixin, View):
+class WeComQRLoginView(WeComQRMixin, METAMixin, View):
    permission_classes = (AllowAny,)
    def get(self,  request: HttpRequest):
        redirect_url = request.GET.get('redirect_url')
        redirect_uri = reverse('authentication:wecom-qr-login-callback', external=True)
-        redirect_uri += '?' + urlencode({'redirect_url': redirect_url})
+        redirect_uri += '?' + urlencode({
            'redirect_url': redirect_url,
            'next': self.get_next_url_from_meta()
        })
        url = self.get_qr_url(redirect_uri)
        return HttpResponseRedirect(url)
--- a/apps/common/fields/model.py
+++ b/apps/common/fields/model.py
@ -5,7 +5,7 @@ from django.db import models
 from django.utils.translation import ugettext_lazy as _
 from django.utils.encoding import force_text
 from django.core.validators import MinValueValidator, MaxValueValidator
-from ..utils import signer, crypto
+from common.utils import signer, crypto
 __all__ = [
--- a/apps/common/drf/fields.py
+++ b/apps/common/drf/fields.py
@ -3,9 +3,10 @@
 from rest_framework import serializers
 from common.utils import decrypt_password
 __all__ = [
-    'ReadableHiddenField',
+    'ReadableHiddenField', 'EncryptedField'
 ]
@ -23,3 +24,9 @@ class ReadableHiddenField(serializers.HiddenField):
        if hasattr(value, 'id'):
            return getattr(value, 'id')
        return value
 class EncryptedField(serializers.CharField):
    def to_internal_value(self, value):
        value = super().to_internal_value(value)
        return decrypt_password(value)
--- a/apps/common/fields/init.py
+++ b/apps/common/fields/init.py
@ -1,4 +0,0 @@
 # -*- coding: utf-8 -*-
 #
 from .model import *
--- a/apps/common/mixins/views.py
+++ b/apps/common/mixins/views.py
@ -1,5 +1,6 @@
 # -*- coding: utf-8 -*-
 #
 from django.utils.translation import ugettext_lazy as _
 from django.contrib.auth.mixins import UserPassesTestMixin
 from rest_framework import permissions
 from rest_framework.decorators import action
@ -7,8 +8,10 @@ from rest_framework.request import Request
 from rest_framework.response import Response
 from common.permissions import IsValidUser
 from audits.utils import create_operate_log
 from audits.models import OperateLog
-__all__ = ["PermissionsMixin"]
+__all__ = ["PermissionsMixin", "RecordViewLogMixin"]
 class PermissionsMixin(UserPassesTestMixin):
@ -24,3 +27,35 @@ class PermissionsMixin(UserPassesTestMixin):
            if not permission_class().has_permission(self.request, self):
                return False
        return True
 class RecordViewLogMixin:
    ACTION = OperateLog.ACTION_VIEW
    @staticmethod
    def get_resource_display(request):
        query_params = dict(request.query_params)
        if query_params.get('format'):
            query_params.pop('format')
        spm_filter = query_params.pop('spm') if query_params.get('spm') else None
        if not query_params and not spm_filter:
            display_message = _('Export all')
        elif spm_filter:
            display_message = _('Export only selected items')
        else:
            query = ','.join(
                ['%s=%s' % (key, value) for key, value in query_params.items()]
            )
            display_message = _('Export filtered: %s') % query
        return display_message
    def list(self, request, *args, **kwargs):
        response = super().list(request, *args, **kwargs)
        resource = self.get_resource_display(request)
        create_operate_log(self.ACTION, self.model, resource)
        return response
    def retrieve(self, request, *args, **kwargs):
        response = super().retrieve(request, *args, **kwargs)
        create_operate_log(self.ACTION, self.model, self.get_object())
        return response
--- a/apps/common/utils/crypto.py
+++ b/apps/common/utils/crypto.py
@ -1,7 +1,10 @@
 import base64
-from Cryptodome.Cipher import AES
+import logging
 from Cryptodome.Cipher import AES, PKCS1_v1_5
 from Cryptodome.Util.Padding import pad
 from Cryptodome.Random import get_random_bytes
 from Cryptodome.PublicKey import RSA
 from Cryptodome import Random
 from gmssl.sm4 import CryptSM4, SM4_ENCRYPT, SM4_DECRYPT
 from django.conf import settings
@ -193,4 +196,66 @@ class Crypto:
                continue
 def gen_key_pair(length=1024):
    """ 生成加密key
    用于登录页面提交用户名/密码时，对密码进行加密（前端）/解密（后端）
    """
    random_generator = Random.new().read
    rsa = RSA.generate(length, random_generator)
    rsa_private_key = rsa.exportKey().decode()
    rsa_public_key = rsa.publickey().exportKey().decode()
    return rsa_private_key, rsa_public_key
 def rsa_encrypt(message, rsa_public_key):
    """ 加密登录密码 """
    key = RSA.importKey(rsa_public_key)
    cipher = PKCS1_v1_5.new(key)
    cipher_text = base64.b64encode(cipher.encrypt(message.encode())).decode()
    return cipher_text
 def rsa_decrypt(cipher_text, rsa_private_key=None):
    """ 解密登录密码 """
    if rsa_private_key is None:
        # rsa_private_key 为 None，可以能是API请求认证，不需要解密
        return cipher_text
    key = RSA.importKey(rsa_private_key)
    cipher = PKCS1_v1_5.new(key)
    cipher_decoded = base64.b64decode(cipher_text.encode())
    # Todo: 弄明白为何要以下这么写，https://xbuba.com/questions/57035263
    if len(cipher_decoded) == 127:
        hex_fixed = '00' + cipher_decoded.hex()
        cipher_decoded = base64.b16decode(hex_fixed.upper())
    message = cipher.decrypt(cipher_decoded, b'error').decode()
    return message
 def rsa_decrypt_by_session_pkey(value):
    from jumpserver.utils import current_request
    private_key_name = settings.SESSION_RSA_PRIVATE_KEY_NAME
    private_key = current_request.session.get(private_key_name)
    if not private_key or not value:
        return value
    try:
        value = rsa_decrypt(value, private_key)
    except Exception as e:
        logging.error('Decrypt field error: {}'.format(e))
    return value
 def decrypt_password(value):
    cipher = value.split(':')
    if len(cipher) != 2:
        return value
    key_cipher, password_cipher = cipher
    aes_key = rsa_decrypt_by_session_pkey(key_cipher)
    aes = get_aes_crypto(aes_key, 'ECB')
    password = aes.decrypt(password_cipher)
    return password
 crypto = Crypto()
--- a/apps/common/utils/encode.py
+++ b/apps/common/utils/encode.py
@ -186,10 +186,27 @@ def make_signature(access_key_secret, date=None):
    return content_md5(data)
-def encrypt_password(password, salt=None):
+def encrypt_password(password, salt=None, algorithm='sha512'):
-    from passlib.hash import sha512_crypt
+    from passlib.hash import sha512_crypt, des_crypt
-    if password:
+
    def sha512():
        return sha512_crypt.using(rounds=5000).hash(password, salt=salt)
    def des():
        return des_crypt.hash(password, salt=salt[:2])
    support_algorithm = {
        'sha512': sha512, 'des': des
    }
    if isinstance(algorithm, str):
        algorithm = algorithm.lower()
    if algorithm not in support_algorithm.keys():
        algorithm = 'sha512'
    if password and support_algorithm[algorithm]:
        return support_algorithm[algorithm]()
    return None
--- a/apps/common/utils/timezone.py
+++ b/apps/common/utils/timezone.py
@ -32,6 +32,10 @@ def local_now_display(fmt='%Y-%m-%d %H:%M:%S'):
    return local_now().strftime(fmt)
 def local_now_date_display(fmt='%Y-%m-%d'):
    return local_now().strftime(fmt)
 _rest_dt_field = DateTimeField()
 dt_parser = _rest_dt_field.to_internal_value
 dt_formatter = _rest_dt_field.to_representation
--- a/apps/jumpserver/conf.py
+++ b/apps/jumpserver/conf.py
@ -187,6 +187,8 @@ class Config(dict):
        'BASE_SITE_URL': None,
        'AUTH_OPENID_CLIENT_ID': 'client-id',
        'AUTH_OPENID_CLIENT_SECRET': 'client-secret',
        # https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
        'AUTH_OPENID_CLIENT_AUTH_METHOD': 'client_secret_basic',
        'AUTH_OPENID_SHARE_SESSION': True,
        'AUTH_OPENID_IGNORE_SSL_VERIFICATION': True,
--- a/apps/jumpserver/settings/auth.py
+++ b/apps/jumpserver/settings/auth.py
@ -55,6 +55,7 @@ AUTH_OPENID = CONFIG.AUTH_OPENID
 BASE_SITE_URL = CONFIG.BASE_SITE_URL
 AUTH_OPENID_CLIENT_ID = CONFIG.AUTH_OPENID_CLIENT_ID
 AUTH_OPENID_CLIENT_SECRET = CONFIG.AUTH_OPENID_CLIENT_SECRET
 AUTH_OPENID_CLIENT_AUTH_METHOD = CONFIG.AUTH_OPENID_CLIENT_AUTH_METHOD
 AUTH_OPENID_PROVIDER_ENDPOINT = CONFIG.AUTH_OPENID_PROVIDER_ENDPOINT
 AUTH_OPENID_PROVIDER_AUTHORIZATION_ENDPOINT = CONFIG.AUTH_OPENID_PROVIDER_AUTHORIZATION_ENDPOINT
 AUTH_OPENID_PROVIDER_TOKEN_ENDPOINT = CONFIG.AUTH_OPENID_PROVIDER_TOKEN_ENDPOINT
--- a/apps/jumpserver/settings/base.py
+++ b/apps/jumpserver/settings/base.py
@ -95,6 +95,7 @@ MIDDLEWARE = [
    'authentication.backends.cas.middleware.CASMiddleware',
    'authentication.middleware.MFAMiddleware',
    'authentication.middleware.SessionCookieMiddleware',
    'authentication.middleware.EncryptedMiddleware',
    'simple_history.middleware.HistoryRequestMiddleware',
 ]
--- a/apps/jumpserver/settings/custom.py
+++ b/apps/jumpserver/settings/custom.py
@ -169,3 +169,6 @@ ANNOUNCEMENT = CONFIG.ANNOUNCEMENT
 # help
 HELP_DOCUMENT_URL = CONFIG.HELP_DOCUMENT_URL
 HELP_SUPPORT_URL = CONFIG.HELP_SUPPORT_URL
 SESSION_RSA_PRIVATE_KEY_NAME = 'jms_private_key'
 SESSION_RSA_PUBLIC_KEY_NAME = 'jms_public_key'
--- a/apps/jumpserver/urls.py
+++ b/apps/jumpserver/urls.py
@ -31,6 +31,7 @@ api_v1 = [
 app_view_patterns = [
    path('auth/', include('authentication.urls.view_urls'), name='auth'),
    path('ops/', include('ops.urls.view_urls'), name='ops'),
    path('tickets/', include('tickets.urls.view_urls'), name='tickets'),
    path('common/', include('common.urls.view_urls'), name='common'),
    re_path(r'flower/(?P<path>.*)', views.celery_flower_view, name='flower-view'),
    path('download/', views.ResourceDownload.as_view(), name='download'),
--- a/apps/locale/ja/LC_MESSAGES/django.mo
+++ b/apps/locale/ja/LC_MESSAGES/django.mo
@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:f2c88ade4bfae213bdcdafad656af73f764e3b1b3f2b0c59aa39626e967730ca
+oid sha256:90a70c14fd3b546cb1ef6a96da4cd7a2acde947128bbb773527ed1845510511c
-size 125911
+size 127420
--- a/apps/locale/ja/LC_MESSAGES/django.po
+++ b/apps/locale/ja/LC_MESSAGES/django.po
--- a/apps/locale/zh/LC_MESSAGES/django.mo
+++ b/apps/locale/zh/LC_MESSAGES/django.mo
@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:c75e0a1f2a047dac1374916c630bc0e8ef5ad5eea7518ffc21e93f747fc1235e
+oid sha256:f181a41eb4dd8a30a576f7903e5c9f519da2042e5e095ac27146d7b4002ba3df
-size 104165
+size 105303
--- a/apps/locale/zh/LC_MESSAGES/django.po
+++ b/apps/locale/zh/LC_MESSAGES/django.po
--- a/apps/ops/migrations/0010_auto_20191217_1758.py
+++ b/apps/ops/migrations/0010_auto_20191217_1758.py
@ -1,6 +1,6 @@
 # Generated by Django 2.2.7 on 2019-12-17 09:58
-import common.fields.model
+import common.db.fields
 from django.db import migrations
@ -18,17 +18,17 @@ class Migration(migrations.Migration):
        migrations.AlterField(
            model_name='adhoc',
            name='_become',
-            field=common.fields.model.EncryptJsonDictCharField(blank=True, null=True, default='', max_length=1024, verbose_name='Become'),
+            field=common.db.fields.EncryptJsonDictCharField(blank=True, null=True, default='', max_length=1024, verbose_name='Become'),
        ),
        migrations.AlterField(
            model_name='adhoc',
            name='_options',
-            field=common.fields.model.JsonDictCharField(default='', max_length=1024, verbose_name='Options'),
+            field=common.db.fields.JsonDictCharField(default='', max_length=1024, verbose_name='Options'),
        ),
        migrations.AlterField(
            model_name='adhoc',
            name='_tasks',
-            field=common.fields.model.JsonListTextField(verbose_name='Tasks'),
+            field=common.db.fields.JsonListTextField(verbose_name='Tasks'),
        ),
        migrations.RenameField(
            model_name='adhoc',
@ -48,12 +48,12 @@ class Migration(migrations.Migration):
        migrations.AlterField(
            model_name='adhocrunhistory',
            name='_result',
-            field=common.fields.model.JsonDictTextField(blank=True, null=True, verbose_name='Adhoc raw result'),
+            field=common.db.fields.JsonDictTextField(blank=True, null=True, verbose_name='Adhoc raw result'),
        ),
        migrations.AlterField(
            model_name='adhocrunhistory',
            name='_summary',
-            field=common.fields.model.JsonDictTextField(blank=True, null=True, verbose_name='Adhoc result summary'),
+            field=common.db.fields.JsonDictTextField(blank=True, null=True, verbose_name='Adhoc result summary'),
        ),
        migrations.RenameField(
            model_name='adhocrunhistory',
--- a/apps/ops/migrations/0011_auto_20200106_1534.py
+++ b/apps/ops/migrations/0011_auto_20200106_1534.py
@ -1,6 +1,6 @@
 # Generated by Django 2.2.7 on 2020-01-06 07:34
-import common.fields.model
+import common.db.fields
 from django.db import migrations
@ -14,6 +14,6 @@ class Migration(migrations.Migration):
        migrations.AlterField(
            model_name='adhoc',
            name='become',
-            field=common.fields.model.EncryptJsonDictCharField(blank=True, default='', max_length=1024, null=True, verbose_name='Become'),
+            field=common.db.fields.EncryptJsonDictCharField(blank=True, default='', max_length=1024, null=True, verbose_name='Become'),
        ),
    ]
--- a/apps/ops/models/adhoc.py
+++ b/apps/ops/models/adhoc.py
@ -9,11 +9,11 @@ from celery import current_task
 from django.db import models
 from django.conf import settings
 from django.utils import timezone
-from django.utils.translation import ugettext_lazy as _, gettext
+from django.utils.translation import ugettext_lazy as _
 from common.utils import get_logger, lazyproperty
 from common.utils.translate import translate_value
-from common.fields.model import (
+from common.db.fields import (
    JsonListTextField, JsonDictCharField, EncryptJsonDictCharField,
    JsonDictTextField,
 )
--- a/apps/rbac/api/role.py
+++ b/apps/rbac/api/role.py
@ -8,6 +8,7 @@ from ..filters import RoleFilter
 from ..serializers import RoleSerializer, RoleUserSerializer
 from ..models import Role, SystemRole, OrgRole
 from .permission import PermissionViewSet
 from common.mixins.api import PaginatedResponseMixin
 __all__ = [
    'RoleViewSet', 'SystemRoleViewSet', 'OrgRoleViewSet',
@ -15,7 +16,7 @@ __all__ = [
 ]
-class RoleViewSet(JMSModelViewSet):
+class RoleViewSet(PaginatedResponseMixin, JMSModelViewSet):
    queryset = Role.objects.all()
    serializer_classes = {
        'default': RoleSerializer,
@ -54,7 +55,7 @@ class RoleViewSet(JMSModelViewSet):
    def users(self, *args, **kwargs):
        role = self.get_object()
        queryset = role.users
-        return self.get_paginated_response_with_query_set(queryset)
+        return self.get_paginated_response_from_queryset(queryset)
 class SystemRoleViewSet(RoleViewSet):
--- a/apps/rbac/const.py
+++ b/apps/rbac/const.py
@ -91,7 +91,7 @@ exclude_permissions = (
 only_system_permissions = (
-    ('assets', 'platform', '*', '*'),
+    ('assets', 'platform', 'add,change,delete', 'platform'),
    ('users', 'user', 'delete', 'user'),
    ('rbac', 'role', 'delete,add,change', 'role'),
    ('rbac', 'systemrole', '*', '*'),
--- a/apps/rbac/models/rolebinding.py
+++ b/apps/rbac/models/rolebinding.py
@ -1,6 +1,7 @@
 from django.utils.translation import gettext_lazy as _
 from django.db import models
 from django.db.models import Q
 from django.conf import settings
 from django.core.exceptions import ValidationError
 from rest_framework.serializers import ValidationError
@ -111,10 +112,13 @@ class RoleBinding(JMSModel):
        system_bindings = [b for b in bindings if b.scope == Role.Scope.system.value]
        # 工作台仅限于自己加入的组织
        if perm == 'rbac.view_workbench':
-            all_orgs = user.orgs.all()
+            all_orgs = user.orgs.all().distinct()
        else:
            all_orgs = Organization.objects.all()
        if not settings.XPACK_ENABLED:
            all_orgs = all_orgs.filter(id=Organization.DEFAULT_ID)
        # 有系统级别的绑定，就代表在所有组织有这个权限
        if system_bindings:
            orgs = all_orgs
--- a/apps/settings/api/public.py
+++ b/apps/settings/api/public.py
@ -1,5 +1,5 @@
 from rest_framework import generics
-from rest_framework.permissions import AllowAny
+from rest_framework.permissions import AllowAny, IsAuthenticated
 from django.conf import settings
 from jumpserver.utils import has_valid_xpack_license, get_xpack_license_info
@ -9,10 +9,10 @@ from ..utils import get_interface_setting
 logger = get_logger(__name__)
-__all__ = ['PublicSettingApi']
+__all__ = ['PublicSettingApi', 'OpenPublicSettingApi']
-class PublicSettingApi(generics.RetrieveAPIView):
+class OpenPublicSettingApi(generics.RetrieveAPIView):
    permission_classes = (AllowAny,)
    serializer_class = serializers.PublicSettingSerializer
@ -28,17 +28,22 @@ class PublicSettingApi(generics.RetrieveAPIView):
        return interface['login_title']
    def get_object(self):
-        instance = {
+        return {
-            "data": {
+            "XPACK_ENABLED": settings.XPACK_ENABLED,
-                # Security
+            "LOGIN_TITLE": self.get_login_title(),
-                "WINDOWS_SKIP_ALL_MANUAL_PASSWORD": settings.WINDOWS_SKIP_ALL_MANUAL_PASSWORD,
+            "LOGO_URLS": self.get_logo_urls(),
-                "OLD_PASSWORD_HISTORY_LIMIT_COUNT": settings.OLD_PASSWORD_HISTORY_LIMIT_COUNT,
+        }
-                "SECURITY_MAX_IDLE_TIME": settings.SECURITY_MAX_IDLE_TIME,
+
-                "SECURITY_VIEW_AUTH_NEED_MFA": settings.SECURITY_VIEW_AUTH_NEED_MFA,
+
-                "SECURITY_MFA_VERIFY_TTL": settings.SECURITY_MFA_VERIFY_TTL,
+class PublicSettingApi(OpenPublicSettingApi):
-                "SECURITY_COMMAND_EXECUTION": settings.SECURITY_COMMAND_EXECUTION,
+    permission_classes = (IsAuthenticated,)
-                "SECURITY_PASSWORD_EXPIRATION_TIME": settings.SECURITY_PASSWORD_EXPIRATION_TIME,
+    serializer_class = serializers.PrivateSettingSerializer
-                "SECURITY_LUNA_REMEMBER_AUTH": settings.SECURITY_LUNA_REMEMBER_AUTH,
+
    def get_object(self):
        values = super().get_object()
        values.update({
            "XPACK_LICENSE_IS_VALID": has_valid_xpack_license(),
            "XPACK_LICENSE_INFO": get_xpack_license_info(),
            "PASSWORD_RULE": {
                'SECURITY_PASSWORD_MIN_LENGTH': settings.SECURITY_PASSWORD_MIN_LENGTH,
                'SECURITY_ADMIN_USER_PASSWORD_MIN_LENGTH': settings.SECURITY_ADMIN_USER_PASSWORD_MIN_LENGTH,
@ -47,29 +52,16 @@ class PublicSettingApi(generics.RetrieveAPIView):
                'SECURITY_PASSWORD_NUMBER': settings.SECURITY_PASSWORD_NUMBER,
                'SECURITY_PASSWORD_SPECIAL_CHAR': settings.SECURITY_PASSWORD_SPECIAL_CHAR,
            },
-                'SECURITY_WATERMARK_ENABLED': settings.SECURITY_WATERMARK_ENABLED,
+        })
-                'SECURITY_SESSION_SHARE': settings.SECURITY_SESSION_SHARE,
+
-                # XPACK
+        serializer = self.serializer_class()
-                "XPACK_ENABLED": settings.XPACK_ENABLED,
+        field_names = list(serializer.fields.keys())
-                "XPACK_LICENSE_IS_VALID": has_valid_xpack_license(),
+        for name in field_names:
-                "XPACK_LICENSE_INFO": get_xpack_license_info(),
+            if name in values:
-                # Performance
+                continue
-                "LOGIN_TITLE": self.get_login_title(),
+            # 提前把异常爆出来
-                "LOGO_URLS": self.get_logo_urls(),
+            values[name] = getattr(settings, name)
-                "HELP_DOCUMENT_URL": settings.HELP_DOCUMENT_URL,
+        return values
-                "HELP_SUPPORT_URL": settings.HELP_SUPPORT_URL,
+
-                # Auth
+
-                "AUTH_WECOM": settings.AUTH_WECOM,
+
                "AUTH_DINGTALK": settings.AUTH_DINGTALK,
                "AUTH_FEISHU": settings.AUTH_FEISHU,
                # Terminal
                "XRDP_ENABLED": settings.XRDP_ENABLED,
                "TERMINAL_MAGNUS_ENABLED": settings.TERMINAL_MAGNUS_ENABLED,
                "TERMINAL_KOKO_SSH_ENABLED": settings.TERMINAL_KOKO_SSH_ENABLED,
                # Announcement
                "ANNOUNCEMENT_ENABLED": settings.ANNOUNCEMENT_ENABLED,
                "ANNOUNCEMENT": settings.ANNOUNCEMENT,
                "AUTH_TEMP_TOKEN": settings.AUTH_TEMP_TOKEN,
            }
        }
        return instance
--- a/apps/settings/serializers/auth/ldap.py
+++ b/apps/settings/serializers/auth/ldap.py
@ -1,6 +1,8 @@
 from django.utils.translation import ugettext_lazy as _
 from rest_framework import serializers
 from common.drf.fields import EncryptedField
 __all__ = [
    'LDAPTestConfigSerializer', 'LDAPUserSerializer', 'LDAPTestLoginSerializer',
    'LDAPSettingSerializer',
@ -20,7 +22,7 @@ class LDAPTestConfigSerializer(serializers.Serializer):
 class LDAPTestLoginSerializer(serializers.Serializer):
    username = serializers.CharField(max_length=1024, required=True)
-    password = serializers.CharField(max_length=2014, required=True)
+    password = EncryptedField(max_length=2014, required=True)
 class LDAPUserSerializer(serializers.Serializer):
@ -28,6 +30,7 @@ class LDAPUserSerializer(serializers.Serializer):
    username = serializers.CharField()
    name = serializers.CharField()
    email = serializers.CharField()
    groups = serializers.ListField(child=serializers.CharField(), default=[])
    existing = serializers.BooleanField(read_only=True)
--- a/apps/settings/serializers/auth/oidc.py
+++ b/apps/settings/serializers/auth/oidc.py
@ -17,6 +17,14 @@ class CommonSettingSerializer(serializers.Serializer):
    AUTH_OPENID_CLIENT_SECRET = serializers.CharField(
        required=False, max_length=1024,  write_only=True, label=_('Client Secret')
    )
    AUTH_OPENID_CLIENT_AUTH_METHOD = serializers.ChoiceField(
        default='client_secret_basic',
        choices=(
            ('client_secret_basic', 'Client Secret Basic'),
            ('client_secret_post', 'Client Secret Post')
        ),
        label=_('Client authentication method')
    )
    AUTH_OPENID_SHARE_SESSION = serializers.BooleanField(required=False, label=_('Share session'))
    AUTH_OPENID_IGNORE_SSL_VERIFICATION = serializers.BooleanField(
        required=False, label=_('Ignore ssl verification')
--- a/apps/settings/serializers/public.py
+++ b/apps/settings/serializers/public.py
@ -3,8 +3,41 @@
 from rest_framework import serializers
-__all__ = ['PublicSettingSerializer']
+__all__ = ['PublicSettingSerializer', 'PrivateSettingSerializer']
 class PublicSettingSerializer(serializers.Serializer):
-    data = serializers.DictField(read_only=True)
+    XPACK_ENABLED = serializers.BooleanField()
    LOGIN_TITLE = serializers.CharField()
    LOGO_URLS = serializers.DictField()
 class PrivateSettingSerializer(PublicSettingSerializer):
    WINDOWS_SKIP_ALL_MANUAL_PASSWORD = serializers.BooleanField()
    OLD_PASSWORD_HISTORY_LIMIT_COUNT = serializers.IntegerField()
    SECURITY_MAX_IDLE_TIME = serializers.IntegerField()
    SECURITY_VIEW_AUTH_NEED_MFA = serializers.BooleanField()
    SECURITY_MFA_VERIFY_TTL = serializers.IntegerField()
    SECURITY_COMMAND_EXECUTION = serializers.BooleanField()
    SECURITY_PASSWORD_EXPIRATION_TIME = serializers.IntegerField()
    SECURITY_LUNA_REMEMBER_AUTH = serializers.BooleanField()
    SECURITY_WATERMARK_ENABLED = serializers.BooleanField()
    SESSION_EXPIRE_AT_BROWSER_CLOSE = serializers.BooleanField()
    PASSWORD_RULE = serializers.DictField()
    SECURITY_SESSION_SHARE = serializers.BooleanField()
    XPACK_LICENSE_IS_VALID = serializers.BooleanField()
    XPACK_LICENSE_INFO = serializers.DictField()
    HELP_DOCUMENT_URL = serializers.CharField()
    HELP_SUPPORT_URL = serializers.CharField()
    AUTH_WECOM = serializers.BooleanField()
    AUTH_DINGTALK = serializers.BooleanField()
    AUTH_FEISHU = serializers.BooleanField()
    AUTH_TEMP_TOKEN = serializers.BooleanField()
    XRDP_ENABLED = serializers.BooleanField()
    TERMINAL_MAGNUS_ENABLED = serializers.BooleanField()
    TERMINAL_KOKO_SSH_ENABLED = serializers.BooleanField()
    ANNOUNCEMENT_ENABLED = serializers.BooleanField()
    ANNOUNCEMENT = serializers.CharField()
--- a/apps/settings/serializers/terminal.py
+++ b/apps/settings/serializers/terminal.py
@ -35,4 +35,4 @@ class TerminalSettingSerializer(serializers.Serializer):
    )
    TERMINAL_MAGNUS_ENABLED = serializers.BooleanField(label=_("Enable database proxy"))
    XRDP_ENABLED = serializers.BooleanField(label=_("Enable XRDP"))
-    TERMINAL_KOKO_SSH_ENABLED = serializers.BooleanField(label=_("Enable KoKo SSH"))
+    TERMINAL_KOKO_SSH_ENABLED = serializers.BooleanField(label=_("Enable SSH Client"))
--- a/apps/settings/urls/api_urls.py
+++ b/apps/settings/urls/api_urls.py
@ -22,4 +22,5 @@ urlpatterns = [
    path('setting/', api.SettingsApi.as_view(), name='settings-setting'),
    path('public/', api.PublicSettingApi.as_view(), name='public-setting'),
    path('public/open/', api.OpenPublicSettingApi.as_view(), name='open-public-setting'),
 ]
--- a/apps/settings/utils/ldap.py
+++ b/apps/settings/utils/ldap.py
@ -1,6 +1,7 @@
 # coding: utf-8
 #
 import os
 import json
 from ldap3 import Server, Connection, SIMPLE
 from ldap3.core.exceptions import (
@ -21,12 +22,14 @@ from django.conf import settings
 from django.core.cache import cache
 from django.utils.translation import ugettext_lazy as _
 from copy import deepcopy
 from collections import defaultdict
 from orgs.utils import tmp_to_org
 from common.const import LDAP_AD_ACCOUNT_DISABLE
 from common.utils import timeit, get_logger
 from common.db.utils import close_old_connections
 from users.utils import construct_user_email
-from users.models import User
+from users.models import User, UserGroup
 from authentication.backends.ldap import LDAPAuthorizationBackend, LDAPUser
 logger = get_logger(__file__)
@ -185,6 +188,12 @@ class LDAPServerUtil(object):
            if attr == 'is_active' and mapping.lower() == 'useraccountcontrol' \
                    and value:
                value = int(value) & LDAP_AD_ACCOUNT_DISABLE != LDAP_AD_ACCOUNT_DISABLE
            if attr == 'groups' and mapping.lower() == 'memberof':
                # AD: {'groups': 'memberOf'}
                if isinstance(value, str) and value:
                    value = [value]
                if not isinstance(value, list):
                    value = []
            user[attr] = value.strip() if isinstance(value, str) else value
        return user
@ -244,10 +253,13 @@ class LDAPCacheUtil(object):
                if user['username'] in self.search_users
            ]
        elif self.search_value:
-            filter_users = [
+            filter_users = []
-                user for user in users
+            for u in users:
-                if self.search_value.lower() in ','.join(user.values()).lower()
+                search_value = self.search_value.lower()
-            ]
+                user_all_attr_value = [v for v in u.values() if isinstance(v, str)]
                if search_value not in ','.join(user_all_attr_value).lower():
                    continue
                filter_users.append(u)
        else:
            filter_users = users
        return filter_users
@ -345,6 +357,7 @@ class LDAPSyncUtil(object):
 class LDAPImportUtil(object):
    user_group_name_prefix = 'AD '
    def __init__(self):
        pass
@ -365,23 +378,58 @@ class LDAPImportUtil(object):
        )
        return obj, created
    def get_user_group_names(self, groups) -> list:
        if not isinstance(groups, list):
            logger.error('Groups type not list')
            return []
        group_names = []
        for group in groups:
            if not group:
                continue
            if not isinstance(group, str):
                continue
            # get group name for AD, Such as: CN=Users,CN=Builtin,DC=jms,DC=com
            group_name = group.split(',')[0].split('=')[-1]
            group_name = f'{self.user_group_name_prefix}{group_name}'.strip()
            group_names.append(group_name)
        return group_names
    def perform_import(self, users, org=None):
        logger.info('Start perform import ldap users, count: {}'.format(len(users)))
        errors = []
        objs = []
        group_users_mapper = defaultdict(set)
        for user in users:
            groups = user.pop('groups', [])
            try:
                obj, created = self.update_or_create(user)
                objs.append(obj)
            except Exception as e:
                errors.append({user['username']: str(e)})
                logger.error(e)
                continue
            try:
                group_names = self.get_user_group_names(groups)
                for group_name in group_names:
                    group_users_mapper[group_name].add(obj)
            except Exception as e:
                errors.append({user['username']: str(e)})
                logger.error(e)
                continue
        if not org:
            return
        if org.is_root():
            return
        # add user to org
        for obj in objs:
            org.add_member(obj)
        # add user to group
        with tmp_to_org(org):
            for group_name, users in group_users_mapper.items():
                group, created = UserGroup.objects.get_or_create(
                    name=group_name, defaults={'name': group_name}
                )
                group.users.add(*users)
        logger.info('End perform import ldap users')
        return errors
--- a/apps/static/js/jumpserver.js
+++ b/apps/static/js/jumpserver.js
@ -1501,3 +1501,90 @@ function getStatusIcon(status, mapping, title) {
    }
    return icon;
 }
 function fillKey(key) {
    let keySize = 128
    // 如果超过 key 16 位, 最大取 32 位，需要更改填充
    if (key.length > 16) {
        key = key.slice(0, 32)
        keySize = keySize * 2
    }
    const filledKeyLength = keySize / 8
    if (key.length >= filledKeyLength) {
        return key.slice(0, filledKeyLength)
    }
    const filledKey = Buffer.alloc(keySize / 8)
    const keys = Buffer.from(key)
    for (let i = 0; i < keys.length; i++) {
        filledKey[i] = keys[i]
    }
    return filledKey
 }
 function aesEncrypt(text, originKey) {
    const key = CryptoJS.enc.Utf8.parse(fillKey(originKey));
    return CryptoJS.AES.encrypt(text, key, {
        mode: CryptoJS.mode.ECB,
        padding: CryptoJS.pad.ZeroPadding
    }).toString();
 }
 function rsaEncrypt(text, pubKey) {
    if (!text) {
        return text
    }
    const jsEncrypt = new JSEncrypt();
    jsEncrypt.setPublicKey(pubKey);
    return jsEncrypt.encrypt(text);
 }
 function rsaDecrypt(cipher, pkey) {
    const jsEncrypt = new JSEncrypt();
    jsEncrypt.setPrivateKey(pkey);
    return jsEncrypt.decrypt(cipher)
 }
 window.rsaEncrypt = rsaEncrypt
 window.rsaDecrypt = rsaDecrypt
 function encryptPassword(password) {
    if (!password) {
        return ''
    }
    const aesKey = (Math.random() + 1).toString(36).substring(2)
    // public key 是 base64 存储的
    const rsaPublicKeyText = getCookie('jms_public_key')
        .replaceAll('"', '')
    const rsaPublicKey = atob(rsaPublicKeyText)
    const keyCipher = rsaEncrypt(aesKey, rsaPublicKey)
    const passwordCipher = aesEncrypt(password, aesKey)
    return `${keyCipher}:${passwordCipher}`
 }
 function randomString(length) {
    const characters ='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
    let result = '';
    const charactersLength = characters.length;
    for ( let i = 0; i < length; i++ ) {
        result += characters.charAt(Math.floor(Math.random() * charactersLength));
    }
    return result;
 }
 function testEncrypt() {
    const radio = []
    const len2 = []
    for (let i=1;i<4096;i++) {
        const password = randomString(i)
        const cipher = encryptPassword(password)
        len2.push([password.length, cipher.length])
        radio.push(cipher.length/password.length)
    }
    return radio
 }
 window.encryptPassword = encryptPassword
--- a/apps/static/js/plugins/buffer/buffer.min.js
+++ b/apps/static/js/plugins/buffer/buffer.min.js
--- a/apps/static/js/plugins/cryptojs/crypto-js.min.js
+++ b/apps/static/js/plugins/cryptojs/crypto-js.min.js
--- a/apps/static/js/plugins/datatables/pdfmake.min.js.map
+++ b/apps/static/js/plugins/datatables/pdfmake.min.js.map
--- a/apps/static/js/plugins/xterm/addons/attach/attach.js.map
+++ b/apps/static/js/plugins/xterm/addons/attach/attach.js.map
--- a/apps/static/js/plugins/xterm/addons/fit/fit.js.map
+++ b/apps/static/js/plugins/xterm/addons/fit/fit.js.map
@ -1 +0,0 @@
 {"version":3,"file":"fit.js","sources":["../../../src/addons/fit/fit.ts","../../../node_modules/browser-pack/_prelude.js"],"sourcesContent":["/**\n * Copyright (c) 2014 The xterm.js authors. All rights reserved.\n * @license MIT\n *\n * Fit terminal columns and rows to the dimensions of its DOM element.\n *\n * ## Approach\n *\n *    Rows: Truncate the division of the terminal parent element height by the\n *          terminal row height.\n * Columns: Truncate the division of the terminal parent element width by the\n *          terminal character width (apply display: inline at the terminal\n *          row and truncate its width with the current number of columns).\n */\n\nimport { Terminal } from 'xterm';\n\nexport interface IGeometry {\n  rows: number;\n  cols: number;\n}\n\nexport function proposeGeometry(term: Terminal): IGeometry {\n  if (!term.element.parentElement) {\n    return null;\n  }\n  const parentElementStyle = window.getComputedStyle(term.element.parentElement);\n  const parentElementHeight = parseInt(parentElementStyle.getPropertyValue('height'));\n  const parentElementWidth = Math.max(0, parseInt(parentElementStyle.getPropertyValue('width')));\n  const elementStyle = window.getComputedStyle(term.element);\n  const elementPadding = {\n    top: parseInt(elementStyle.getPropertyValue('padding-top')),\n    bottom: parseInt(elementStyle.getPropertyValue('padding-bottom')),\n    right: parseInt(elementStyle.getPropertyValue('padding-right')),\n    left: parseInt(elementStyle.getPropertyValue('padding-left'))\n  };\n  const elementPaddingVer = elementPadding.top + elementPadding.bottom;\n  const elementPaddingHor = elementPadding.right + elementPadding.left;\n  const availableHeight = parentElementHeight - elementPaddingVer;\n  const availableWidth = parentElementWidth - elementPaddingHor - (<any>term)._core.viewport.scrollBarWidth;\n  const geometry = {\n    cols: Math.floor(availableWidth / (<any>term)._core.renderer.dimensions.actualCellWidth),\n    rows: Math.floor(availableHeight / (<any>term)._core.renderer.dimensions.actualCellHeight)\n  };\n  return geometry;\n}\n\nexport function fit(term: Terminal): void {\n  const geometry = proposeGeometry(term);\n  if (geometry) {\n    // Force a full render\n    if (term.rows !== geometry.rows || term.cols !== geometry.cols) {\n      (<any>term)._core.renderer.clear();\n      term.resize(geometry.cols, geometry.rows);\n    }\n  }\n}\n\nexport function apply(terminalConstructor: typeof Terminal): void {\n  (<any>terminalConstructor.prototype).proposeGeometry = function (): IGeometry {\n    return proposeGeometry(this);\n  };\n\n  (<any>terminalConstructor.prototype).fit = function (): void {\n    fit(this);\n  };\n}\n",null],"names":[],"mappings":"ACAA;;;ADsBA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAvBA;AAyBA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AATA;AAWA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AARA;"}
--- a/apps/static/js/plugins/xterm/addons/fullscreen/fullscreen.js.map
+++ b/apps/static/js/plugins/xterm/addons/fullscreen/fullscreen.js.map
@ -1 +0,0 @@
 {"version":3,"file":"fullscreen.js","sources":["../../../src/addons/fullscreen/fullscreen.ts","../../../node_modules/browser-pack/_prelude.js"],"sourcesContent":["/**\n * Copyright (c) 2014 The xterm.js authors. All rights reserved.\n * @license MIT\n */\n\nimport { Terminal } from 'xterm';\n\n/**\n * Toggle the given terminal's fullscreen mode.\n * @param term The terminal to toggle full screen mode\n * @param fullscreen Toggle fullscreen on (true) or off (false)\n */\nexport function toggleFullScreen(term: Terminal, fullscreen: boolean): void {\n  let fn: string;\n\n  if (typeof fullscreen === 'undefined') {\n    fn = (term.element.classList.contains('fullscreen')) ? 'remove' : 'add';\n  } else if (!fullscreen) {\n    fn = 'remove';\n  } else {\n    fn = 'add';\n  }\n\n  term.element.classList[fn]('fullscreen');\n}\n\nexport function apply(terminalConstructor: typeof Terminal): void {\n  (<any>terminalConstructor.prototype).toggleFullScreen = function (fullscreen: boolean): void {\n    toggleFullScreen(this, fullscreen);\n  };\n}\n",null],"names":[],"mappings":"ACAA;;;ADYA;AACA;AAEA;AACA;AACA;AAAA;AACA;AACA;AAAA;AACA;AACA;AAEA;AACA;AAZA;AAcA;AACA;AACA;AACA;AACA;AAJA;"}
--- a/apps/static/js/plugins/xterm/addons/search/search.js.map
+++ b/apps/static/js/plugins/xterm/addons/search/search.js.map
--- a/apps/static/js/plugins/xterm/addons/terminado/terminado.js.map
+++ b/apps/static/js/plugins/xterm/addons/terminado/terminado.js.map
@ -1 +0,0 @@
 {"version":3,"file":"terminado.js","sources":["../../../src/addons/terminado/terminado.ts","../../../node_modules/browser-pack/_prelude.js"],"sourcesContent":["/**\n * Copyright (c) 2016 The xterm.js authors. All rights reserved.\n * @license MIT\n *\n * This module provides methods for attaching a terminal to a terminado\n * WebSocket stream.\n */\n\nimport { Terminal } from 'xterm';\nimport { ITerminadoAddonTerminal } from './Interfaces';\n\n/**\n * Attaches the given terminal to the given socket.\n *\n * @param term The terminal to be attached to the given socket.\n * @param socket The socket to attach the current terminal.\n * @param bidirectional Whether the terminal should send data to the socket as well.\n * @param buffered Whether the rendering of incoming data should happen instantly or at a maximum\n * frequency of 1 rendering per 10ms.\n */\nexport function terminadoAttach(term: Terminal, socket: WebSocket, bidirectional: boolean, buffered: boolean): void {\n  const addonTerminal = <ITerminadoAddonTerminal>term;\n  bidirectional = (typeof bidirectional === 'undefined') ? true : bidirectional;\n  addonTerminal.__socket = socket;\n\n  addonTerminal.__flushBuffer = () => {\n    addonTerminal.write(addonTerminal.__attachSocketBuffer);\n    addonTerminal.__attachSocketBuffer = null;\n  };\n\n  addonTerminal.__pushToBuffer = (data: string) => {\n    if (addonTerminal.__attachSocketBuffer) {\n      addonTerminal.__attachSocketBuffer += data;\n    } else {\n      addonTerminal.__attachSocketBuffer = data;\n      setTimeout(addonTerminal.__flushBuffer, 10);\n    }\n  };\n\n  addonTerminal.__getMessage = (ev: MessageEvent) => {\n    const data = JSON.parse(ev.data);\n    if (data[0] === 'stdout') {\n      if (buffered) {\n        addonTerminal.__pushToBuffer(data[1]);\n      } else {\n        addonTerminal.write(data[1]);\n      }\n    }\n  };\n\n  addonTerminal.__sendData = (data: string) => {\n    socket.send(JSON.stringify(['stdin', data]));\n  };\n\n  addonTerminal.__setSize = (size: {rows: number, cols: number}) => {\n    socket.send(JSON.stringify(['set_size', size.rows, size.cols]));\n  };\n\n  socket.addEventListener('message', addonTerminal.__getMessage);\n\n  if (bidirectional) {\n    addonTerminal.on('data', addonTerminal.__sendData);\n  }\n  addonTerminal.on('resize', addonTerminal.__setSize);\n\n  socket.addEventListener('close', () => terminadoDetach(addonTerminal, socket));\n  socket.addEventListener('error', () => terminadoDetach(addonTerminal, socket));\n}\n\n/**\n * Detaches the given terminal from the given socket\n *\n * @param term The terminal to be detached from the given socket.\n * @param socket The socket from which to detach the current terminal.\n */\nexport function terminadoDetach(term: Terminal, socket: WebSocket): void {\n  const addonTerminal = <ITerminadoAddonTerminal>term;\n  addonTerminal.off('data', addonTerminal.__sendData);\n\n  socket = (typeof socket === 'undefined') ? addonTerminal.__socket : socket;\n\n  if (socket) {\n    socket.removeEventListener('message', addonTerminal.__getMessage);\n  }\n\n  delete addonTerminal.__socket;\n}\n\nexport function apply(terminalConstructor: typeof Terminal): void {\n  /**\n   * Attaches the current terminal to the given socket\n   *\n   * @param socket - The socket to attach the current terminal.\n   * @param bidirectional - Whether the terminal should send data to the socket as well.\n   * @param buffered - Whether the rendering of incoming data should happen instantly or at a\n   * maximum frequency of 1 rendering per 10ms.\n   */\n  (<any>terminalConstructor.prototype).terminadoAttach = function (socket: WebSocket, bidirectional: boolean, buffered: boolean): void {\n    return terminadoAttach(this, socket, bidirectional, buffered);\n  };\n\n  /**\n   * Detaches the current terminal from the given socket.\n   *\n   * @param socket The socket from which to detach the current terminal.\n   */\n  (<any>terminalConstructor.prototype).terminadoDetach = function (socket: WebSocket): void {\n    return terminadoDetach(this, socket);\n  };\n}\n",null],"names":[],"mappings":"ACAA;;;ADoBA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AAAA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AAAA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AAEA;AACA;AACA;AAEA;AAEA;AACA;AACA;AACA;AAEA;AACA;AACA;AA/CA;AAuDA;AACA;AACA;AAEA;AAEA;AACA;AACA;AAEA;AACA;AAXA;AAaA;AASA;AACA;AACA;AAOA;AACA;AACA;AACA;AArBA;"}
--- a/apps/static/js/plugins/xterm/addons/webLinks/webLinks.js.map
+++ b/apps/static/js/plugins/xterm/addons/webLinks/webLinks.js.map
@ -1 +0,0 @@
 {"version":3,"file":"webLinks.js","sources":["../../../src/addons/webLinks/webLinks.ts","../../../node_modules/browser-pack/_prelude.js"],"sourcesContent":["/**\n * Copyright (c) 2017 The xterm.js authors. All rights reserved.\n * @license MIT\n */\n\nimport { Terminal, ILinkMatcherOptions } from 'xterm';\n\nconst protocolClause = '(https?:\\\\/\\\\/)';\nconst domainCharacterSet = '[\\\\da-z\\\\.-]+';\nconst negatedDomainCharacterSet = '[^\\\\da-z\\\\.-]+';\nconst domainBodyClause = '(' + domainCharacterSet + ')';\nconst tldClause = '([a-z\\\\.]{2,6})';\nconst ipClause = '((\\\\d{1,3}\\\\.){3}\\\\d{1,3})';\nconst localHostClause = '(localhost)';\nconst portClause = '(:\\\\d{1,5})';\nconst hostClause = '((' + domainBodyClause + '\\\\.' + tldClause + ')|' + ipClause + '|' + localHostClause + ')' + portClause + '?';\nconst pathClause = '(\\\\/[\\\\/\\\\w\\\\.\\\\-%~]*)*';\nconst queryStringHashFragmentCharacterSet = '[0-9\\\\w\\\\[\\\\]\\\\(\\\\)\\\\/\\\\?\\\\!#@$%&\\'*+,:;~\\\\=\\\\.\\\\-]*';\nconst queryStringClause = '(\\\\?' + queryStringHashFragmentCharacterSet + ')?';\nconst hashFragmentClause = '(#' + queryStringHashFragmentCharacterSet + ')?';\nconst negatedPathCharacterSet = '[^\\\\/\\\\w\\\\.\\\\-%]+';\nconst bodyClause = hostClause + pathClause + queryStringClause + hashFragmentClause;\nconst start = '(?:^|' + negatedDomainCharacterSet + ')(';\nconst end = ')($|' + negatedPathCharacterSet + ')';\nconst strictUrlRegex = new RegExp(start + protocolClause + bodyClause + end);\n\nfunction handleLink(event: MouseEvent, uri: string): void {\n  window.open(uri, '_blank');\n}\n\n/**\n * Initialize the web links addon, registering the link matcher.\n * @param term The terminal to use web links within.\n * @param handler A custom handler to use.\n * @param options Custom options to use, matchIndex will always be ignored.\n */\nexport function webLinksInit(term: Terminal, handler: (event: MouseEvent, uri: string) => void = handleLink, options: ILinkMatcherOptions = {}): void {\n  options.matchIndex = 1;\n  term.registerLinkMatcher(strictUrlRegex, handler, options);\n}\n\nexport function apply(terminalConstructor: typeof Terminal): void {\n  (<any>terminalConstructor.prototype).webLinksInit = function (handler?: (event: MouseEvent, uri: string) => void, options?: ILinkMatcherOptions): void {\n    webLinksInit(this, handler, options);\n  };\n}\n",null],"names":[],"mappings":"ACAA;;;ADOA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AAQA;AAAA;AAAA;AACA;AACA;AACA;AAHA;AAKA;AACA;AACA;AACA;AACA;AAJA;"}
--- a/apps/static/js/plugins/xterm/addons/winptyCompat/winptyCompat.js.map
+++ b/apps/static/js/plugins/xterm/addons/winptyCompat/winptyCompat.js.map
@ -1 +0,0 @@
 {"version":3,"file":"winptyCompat.js","sources":["../../../src/addons/winptyCompat/winptyCompat.ts","../../../node_modules/browser-pack/_prelude.js"],"sourcesContent":["/**\n * Copyright (c) 2017 The xterm.js authors. All rights reserved.\n * @license MIT\n */\n\nimport { Terminal } from 'xterm';\nimport { IWinptyCompatAddonTerminal } from './Interfaces';\n\nexport function winptyCompatInit(terminal: Terminal): void {\n  const addonTerminal = <IWinptyCompatAddonTerminal>terminal;\n\n  // Don't do anything when the platform is not Windows\n  const isWindows = ['Windows', 'Win16', 'Win32', 'WinCE'].indexOf(navigator.platform) >= 0;\n  if (!isWindows) {\n    return;\n  }\n\n  // Winpty does not support wraparound mode which means that lines will never\n  // be marked as wrapped. This causes issues for things like copying a line\n  // retaining the wrapped new line characters or if consumers are listening\n  // in on the data stream.\n  //\n  // The workaround for this is to listen to every incoming line feed and mark\n  // the line as wrapped if the last character in the previous line is not a\n  // space. This is certainly not without its problems, but generally on\n  // Windows when text reaches the end of the terminal it's likely going to be\n  // wrapped.\n  addonTerminal.on('linefeed', () => {\n    const line = addonTerminal._core.buffer.lines.get(addonTerminal._core.buffer.ybase + addonTerminal._core.buffer.y - 1);\n    const lastChar = line[addonTerminal.cols - 1];\n\n    if (lastChar[3] !== 32 /* ' ' */) {\n      const nextLine = addonTerminal._core.buffer.lines.get(addonTerminal._core.buffer.ybase + addonTerminal._core.buffer.y);\n      (<any>nextLine).isWrapped = true;\n    }\n  });\n}\n\nexport function apply(terminalConstructor: typeof Terminal): void {\n  (<any>terminalConstructor.prototype).winptyCompatInit = function (): void {\n    winptyCompatInit(this);\n  };\n}\n",null],"names":[],"mappings":"ACAA;;;ADQA;AACA;AAGA;AACA;AACA;AACA;AAYA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AA5BA;AA8BA;AACA;AACA;AACA;AACA;AAJA;"}
--- a/apps/static/js/plugins/xterm/addons/zmodem/zmodem.js.map
+++ b/apps/static/js/plugins/xterm/addons/zmodem/zmodem.js.map
@ -1 +0,0 @@
 {"version":3,"file":"zmodem.js","sources":["../../../src/addons/zmodem/zmodem.ts","../../../node_modules/browser-pack/_prelude.js"],"sourcesContent":["/**\n * Copyright (c) 2017 The xterm.js authors. All rights reserved.\n * @license MIT\n */\n\nimport { Terminal } from 'xterm';\n\n/**\n *\n * Allow xterm.js to handle ZMODEM uploads and downloads.\n *\n * This addon is a wrapper around zmodem.js. It adds the following to the\n *  Terminal class:\n *\n * - function `zmodemAttach(<WebSocket>, <Object>)` - creates a Zmodem.Sentry\n *      on the passed WebSocket object. The Object passed is optional and\n *      can contain:\n *          - noTerminalWriteOutsideSession: Suppress writes from the Sentry\n *            object to the Terminal while there is no active Session. This\n *            is necessary for compatibility with, for example, the\n *            `attach.js` addon.\n *\n * - event `zmodemDetect` - fired on Zmodem.Sentry’s `on_detect` callback.\n *      Passes the zmodem.js Detection object.\n *\n * - event `zmodemRetract` - fired on Zmodem.Sentry’s `on_retract` callback.\n *\n * You’ll need to provide logic to handle uploads and downloads.\n * See zmodem.js’s documentation for more details.\n *\n * **IMPORTANT:** After you confirm() a zmodem.js Detection, if you have\n *  used the `attach` or `terminado` addons, you’ll need to suspend their\n *  operation for the duration of the ZMODEM session. (The demo does this\n *  via `detach()` and a re-`attach()`.)\n */\n\nlet zmodem;\n\nexport interface IZmodemOptions {\n  noTerminalWriteOutsideSession?: boolean;\n}\n\nfunction zmodemAttach(ws: WebSocket, opts: IZmodemOptions = {}): void {\n  const term = this;\n  const senderFunc = (octets: ArrayLike<number>) => ws.send(new Uint8Array(octets));\n\n  let zsentry;\n\n  function shouldWrite(): boolean {\n    return !!zsentry.get_confirmed_session() || !opts.noTerminalWriteOutsideSession;\n  }\n\n  zsentry = new zmodem.Sentry({\n    to_terminal: (octets: ArrayLike<number>) => {\n      if (shouldWrite()) {\n        term.write(\n          String.fromCharCode.apply(String, octets)\n        );\n      }\n    },\n    sender: senderFunc,\n    on_retract: () => (<any>term).emit('zmodemRetract'),\n    on_detect: (detection: any) => (<any>term).emit('zmodemDetect', detection)\n  });\n\n  function handleWSMessage(evt: MessageEvent): void {\n\n    // In testing with xterm.js’s demo the first message was\n    // always text even if the rest were binary. While that\n    // may be specific to xterm.js’s demo, ultimately we\n    // should reject anything that isn’t binary.\n    if (typeof evt.data === 'string') {\n      if (shouldWrite()) {\n        term.write(evt.data);\n      }\n    }\n    else {\n      zsentry.consume(evt.data);\n    }\n  }\n\n  ws.binaryType = 'arraybuffer';\n  ws.addEventListener('message', handleWSMessage);\n}\n\nexport function apply(terminalConstructor: typeof Terminal): void {\n  zmodem = (typeof window === 'object') ? (<any>window).Zmodem : {Browser: null};  // Nullify browser for tests\n\n  (<any>terminalConstructor.prototype).zmodemAttach = zmodemAttach;\n  (<any>terminalConstructor.prototype).zmodemBrowser = zmodem.Browser;\n}\n",null],"names":[],"mappings":"ACAA;;;ADoCA;AAMA;AAAA;AACA;AACA;AAEA;AAEA;AACA;AACA;AAEA;AACA;AACA;AACA;AAGA;AACA;AACA;AACA;AACA;AACA;AAEA;AAMA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AAEA;AACA;AAEA;AACA;AACA;AALA;"}
--- a/apps/static/js/plugins/xterm/xterm.js.map
+++ b/apps/static/js/plugins/xterm/xterm.js.map
--- a/apps/templates/_base_double_screen.html
+++ b/apps/templates/_base_double_screen.html
@ -0,0 +1,41 @@
 {% load static %}
 {% load i18n %}
 <!DOCTYPE html>
 <html>
 <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <link rel="shortcut icon" href="{{ FAVICON_URL }}" type="image/x-icon">
    <title>{% block html_title %}{% endblock %}</title>
    {% include '_head_css_js.html' %}
    <link href="{% static "css/jumpserver.css" %}" rel="stylesheet">
    <script src="{% static "js/jumpserver.js" %}"></script>
    <style>
        .outerBox {
            margin: 0 auto;
            padding: 100px 20px 20px 20px;
        }
    </style>
    {% block custom_head_css_js %} {% endblock %}
 </head>
 <body class="gray-bg">
    <div class="outerBox animated fadeInDown">
        <div class="row">
            <div class="col-md-12">
                    {% block content %} {% endblock %}
            </div>
        </div>
        <hr/>
        <div class="row">
            <div class="col-md-12">
                 {% include '_copyright.html' %}
            </div>
        </div>
    </div>
 </body>
 {% include '_foot_js.html' %}
 {% block custom_foot_js %} {% endblock %}
 </html>
--- a/apps/templates/resource_download.html
+++ b/apps/templates/resource_download.html
@ -15,45 +15,33 @@ p {
 </style>
 <div style="margin: 0 200px">
    <div class="group">
-        <h2>JumpServer {% trans 'Client' %}</h2>
+        <h2>JumpServer {% trans 'Client' %} v1.1.5</h2>
        <p>
            {% trans 'JumpServer Client, currently used to launch the client, now only support launch RDP SSH client, The Telnet client will next' %}
 {#            //JumpServer 客户端，支持 RDP 的本地拉起，后续会支持拉起 ssh。#}
        </p>
        <ul>
-            <li> <a href="/download/JumpServer-Client-Installer.msi">Windows {% trans 'Client' %}</a></li>
+            <li> <a href="/download/JumpServer-Client-Installer-x86_64.msi">jumpserver-client-windows-x86_64.msi</a></li>
-            <li> <a href="/download/JumpServer-Client-Installer.dmg">macOS {% trans 'Client' %}</a></li>
+            <li> <a href="/download/JumpServer-Client-Installer-arm64.msi">jumpserver-client-windows-arm64.msi</a></li>
            <li> <a href="/download/JumpServer-Client-Installer.dmg">jumpserver-client-darwin.dmg</a></li>
        </ul>
    </div>
    <div class="group">
-        <h2>{% trans 'Microsoft' %} RDP {% trans 'Official' %}{% trans 'Client' %}</h2>
+        <h2>{% trans 'Microsoft' %} RDP {% trans 'Official' %}{% trans 'Client' %} v10.6.7</h2>
        <p>
            {% trans 'macOS needs to download the client to connect RDP asset, which comes with Windows' %}
        </p>
        <ul>
-            <li><a href="/download/Microsoft_Remote_Desktop_10.6.7_installer.pkg">Microsoft_Remote_Desktop_10.6.7_installer.pkg</a></li>
+            <li><a href="/download/Microsoft_Remote_Desktop_10.6.7_installer.pkg">microsoft-remote-desktop-installer.pkg</a></li>
        </ul>
    </div>
    <div class="group">
        <h2>SSH {% trans 'Client' %}</h2>
        <p>
            {% trans 'Windows needs to download the client to connect SSH assets, and the MacOS system uses its own terminal' %}
        </p>
        <ul>
            <li><a href="/download/putty/w64/putty.exe">64-bit x86:  Putty.exe</a></li>
            <li><a href="/download/putty/wa64/putty.exe">64-bit Arm: Putty.exe</a></li>
            <li><a href="/download/putty/w32/putty.exe">32-bit x86:  Putty.exe</a></li>
        </ul>
    </div>
    {% if XPACK_ENABLED  %}
        <div class="group">
-            <h2>{% trans 'Windows Remote application publisher tools' %}</h2>
+            <h2>{% trans 'Windows Remote application publisher tools' %} v2.0</h2>
            <p>{% trans 'Jmservisor is the program used to pull up remote applications in Windows Remote Application publisher' %}</p>
            <ul>
-                <li><a href="/download/Jmservisor.msi">Jmservisor</a></li>
+                <li><a href="/download/Jmservisor.msi">jmservisor.msi</a></li>
            </ul>
        </div>
    {% endif %}
--- a/apps/terminal/backends/command/es.py
+++ b/apps/terminal/backends/command/es.py
@ -1,11 +1,12 @@
 # -*- coding: utf-8 -*-
 #
 import pytz
 import inspect
 from datetime import datetime
 from functools import reduce, partial
 from itertools import groupby
 import pytz
 from uuid import UUID
 import inspect
 from django.utils.translation import gettext_lazy as _
 from django.db.models import QuerySet as DJQuerySet
@ -15,6 +16,7 @@ from elasticsearch.exceptions import RequestError, NotFoundError
 from common.utils.common import lazyproperty
 from common.utils import get_logger
 from common.utils.timezone import local_now_date_display, utc_now
 from common.exceptions import JMSException
 from .models import AbstractSessionCommand
@ -28,12 +30,13 @@ class InvalidElasticsearch(JMSException):
 class CommandStore(object):
    def __init__(self, config):
        hosts = config.get("HOSTS")
        kwargs = config.get("OTHER", {})
        self.index = config.get("INDEX") or 'jumpserver'
        self.doc_type = config.get("DOC_TYPE") or '_doc'
        self.index_prefix = config.get('INDEX') or 'jumpserver'
        self.is_index_by_date = bool(config.get('INDEX_BY_DATE'))
        self.exact_fields = {}
        self.match_fields = {}
        hosts = config.get("HOSTS")
        kwargs = config.get("OTHER", {})
        ignore_verify_certs = kwargs.pop('IGNORE_VERIFY_CERTS', False)
        if ignore_verify_certs:
@ -50,6 +53,17 @@ class CommandStore(object):
        else:
            self.match_fields.update(may_exact_fields)
        self.init_index(config)
    def init_index(self, config):
        if self.is_index_by_date:
            date = local_now_date_display()
            self.index = '%s-%s' % (self.index_prefix, date)
            self.query_index = '%s-alias' % self.index_prefix
        else:
            self.index = config.get("INDEX") or 'jumpserver'
            self.query_index = config.get("INDEX") or 'jumpserver'
    def is_new_index_type(self):
        if not self.ping(timeout=3):
            return False
@ -101,10 +115,17 @@ class CommandStore(object):
        else:
            mappings = {'mappings': {'properties': properties}}
        if self.is_index_by_date:
            mappings['aliases'] = {
                self.query_index: {}
            }
        try:
            self.es.indices.create(self.index, body=mappings)
            return
        except RequestError as e:
            if e.error == 'resource_already_exists_exception':
                logger.warning(e)
            else:
                logger.exception(e)
    @staticmethod
@ -141,7 +162,7 @@ class CommandStore(object):
        body = self.get_query_body(**query)
        data = self.es.search(
-            index=self.index, doc_type=self.doc_type, body=body, from_=from_, size=size,
+            index=self.query_index, doc_type=self.doc_type, body=body, from_=from_, size=size,
            sort=sort
        )
        source_data = []
@ -154,7 +175,7 @@ class CommandStore(object):
    def count(self, **query):
        body = self.get_query_body(**query)
-        data = self.es.count(index=self.index, doc_type=self.doc_type, body=body)
+        data = self.es.count(index=self.query_index, doc_type=self.doc_type, body=body)
        return data["count"]
    def __getattr__(self, item):
--- a/apps/terminal/migrations/0016_commandstorage_replaystorage.py
+++ b/apps/terminal/migrations/0016_commandstorage_replaystorage.py
@ -1,6 +1,6 @@
 # Generated by Django 2.2.5 on 2019-11-22 10:07
-import common.fields.model
+import common.db.fields
 from django.db import migrations, models
 import uuid
@ -21,7 +21,7 @@ class Migration(migrations.Migration):
                ('date_updated', models.DateTimeField(auto_now=True, verbose_name='Date updated')),
                ('name', models.CharField(max_length=32, unique=True, verbose_name='Name')),
                ('type', models.CharField(choices=[('null', 'Null'), ('server', 'Server'), ('es', 'Elasticsearch')], default='server', max_length=16, verbose_name='Type')),
-                ('meta', common.fields.model.EncryptJsonDictTextField(default={})),
+                ('meta', common.db.fields.EncryptJsonDictTextField(default={})),
                ('comment', models.TextField(blank=True, default='', max_length=128, verbose_name='Comment')),
            ],
            options={
@ -37,7 +37,7 @@ class Migration(migrations.Migration):
                ('date_updated', models.DateTimeField(auto_now=True, verbose_name='Date updated')),
                ('name', models.CharField(max_length=32, unique=True, verbose_name='Name')),
                ('type', models.CharField(choices=[('null', 'Null'), ('server', 'Server'), ('s3', 'S3'), ('ceph', 'Ceph'), ('swift', 'Swift'), ('oss', 'OSS'), ('azure', 'Azure')], default='server', max_length=16, verbose_name='Type')),
-                ('meta', common.fields.model.EncryptJsonDictTextField(default={})),
+                ('meta', common.db.fields.EncryptJsonDictTextField(default={})),
                ('comment', models.TextField(blank=True, default='', max_length=128, verbose_name='Comment')),
            ],
            options={
--- a/apps/terminal/migrations/0048_endpoint_endpointrule.py
+++ b/apps/terminal/migrations/0048_endpoint_endpointrule.py
@ -1,7 +1,6 @@
 # Generated by Django 3.1.14 on 2022-04-12 07:39
-import copy
+import common.db.fields
 import common.fields.model
 import django.core.validators
 from django.db import migrations, models
 import django.db.models.deletion
@ -83,13 +82,13 @@ class Migration(migrations.Migration):
                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
                ('name', models.CharField(max_length=128, unique=True, verbose_name='Name')),
                ('host', models.CharField(max_length=256, verbose_name='Host', blank=True)),
-                ('https_port', common.fields.model.PortField(default=443, validators=[django.core.validators.MinValueValidator(0), django.core.validators.MaxValueValidator(65535)], verbose_name='HTTPS Port')),
+                ('https_port', common.db.fields.PortField(default=443, validators=[django.core.validators.MinValueValidator(0), django.core.validators.MaxValueValidator(65535)], verbose_name='HTTPS Port')),
-                ('http_port', common.fields.model.PortField(default=80, validators=[django.core.validators.MinValueValidator(0), django.core.validators.MaxValueValidator(65535)], verbose_name='HTTP Port')),
+                ('http_port', common.db.fields.PortField(default=80, validators=[django.core.validators.MinValueValidator(0), django.core.validators.MaxValueValidator(65535)], verbose_name='HTTP Port')),
-                ('ssh_port', common.fields.model.PortField(default=2222, validators=[django.core.validators.MinValueValidator(0), django.core.validators.MaxValueValidator(65535)], verbose_name='SSH Port')),
+                ('ssh_port', common.db.fields.PortField(default=2222, validators=[django.core.validators.MinValueValidator(0), django.core.validators.MaxValueValidator(65535)], verbose_name='SSH Port')),
-                ('rdp_port', common.fields.model.PortField(default=3389, validators=[django.core.validators.MinValueValidator(0), django.core.validators.MaxValueValidator(65535)], verbose_name='RDP Port')),
+                ('rdp_port', common.db.fields.PortField(default=3389, validators=[django.core.validators.MinValueValidator(0), django.core.validators.MaxValueValidator(65535)], verbose_name='RDP Port')),
-                ('mysql_port', common.fields.model.PortField(default=33060, validators=[django.core.validators.MinValueValidator(0), django.core.validators.MaxValueValidator(65535)], verbose_name='MySQL Port')),
+                ('mysql_port', common.db.fields.PortField(default=33060, validators=[django.core.validators.MinValueValidator(0), django.core.validators.MaxValueValidator(65535)], verbose_name='MySQL Port')),
-                ('mariadb_port', common.fields.model.PortField(default=33061, validators=[django.core.validators.MinValueValidator(0), django.core.validators.MaxValueValidator(65535)], verbose_name='MariaDB Port')),
+                ('mariadb_port', common.db.fields.PortField(default=33061, validators=[django.core.validators.MinValueValidator(0), django.core.validators.MaxValueValidator(65535)], verbose_name='MariaDB Port')),
-                ('postgresql_port', common.fields.model.PortField(default=54320, validators=[django.core.validators.MinValueValidator(0), django.core.validators.MaxValueValidator(65535)], verbose_name='PostgreSQL Port')),
+                ('postgresql_port', common.db.fields.PortField(default=54320, validators=[django.core.validators.MinValueValidator(0), django.core.validators.MaxValueValidator(65535)], verbose_name='PostgreSQL Port')),
                ('comment', models.TextField(blank=True, default='', verbose_name='Comment')),
            ],
            options={
--- a/apps/terminal/migrations/0049_endpoint_redis_port.py
+++ b/apps/terminal/migrations/0049_endpoint_redis_port.py
@ -0,0 +1,20 @@
 # Generated by Django 3.1.14 on 2022-05-12 06:35
 import common.db.fields
 import django.core.validators
 from django.db import migrations
 class Migration(migrations.Migration):
    dependencies = [
        ('terminal', '0048_endpoint_endpointrule'),
    ]
    operations = [
        migrations.AddField(
            model_name='endpoint',
            name='redis_port',
            field=common.db.fields.PortField(default=63790, validators=[django.core.validators.MinValueValidator(0), django.core.validators.MaxValueValidator(65535)], verbose_name='Redis Port'),
        ),
    ]
--- a/apps/terminal/models/endpoint.py
+++ b/apps/terminal/models/endpoint.py
@ -2,7 +2,7 @@ from django.db import models
 from django.utils.translation import ugettext_lazy as _
 from django.core.validators import MinValueValidator, MaxValueValidator
 from common.db.models import JMSModel
-from common.fields.model import PortField
+from common.db.fields import PortField
 from common.utils.ip import contains_ip
@ -17,6 +17,7 @@ class Endpoint(JMSModel):
    mysql_port = PortField(default=33060, verbose_name=_('MySQL Port'))
    mariadb_port = PortField(default=33061, verbose_name=_('MariaDB Port'))
    postgresql_port = PortField(default=54320, verbose_name=_('PostgreSQL Port'))
    redis_port = PortField(default=63790, verbose_name=_('Redis Port'))
    comment = models.TextField(default='', blank=True, verbose_name=_('Comment'))
    default_id = '00000000-0000-0000-0000-000000000001'
--- a/apps/terminal/models/storage.py
+++ b/apps/terminal/models/storage.py
@ -1,6 +1,7 @@
 from __future__ import unicode_literals
 import os
 from importlib import import_module
 import jms_storage
@ -9,7 +10,8 @@ from django.utils.translation import ugettext_lazy as _
 from django.conf import settings
 from common.mixins import CommonModelMixin
 from common.utils import get_logger
-from common.fields.model import EncryptJsonDictTextField
+from common.db.fields import EncryptJsonDictTextField
 from common.utils.timezone import local_now_date_display
 from terminal.backends import TYPE_ENGINE_MAPPING
 from .terminal import Terminal
 from .command import Command
@ -63,6 +65,10 @@ class CommandStorage(CommonStorageModelMixin, CommonModelMixin):
    def type_server(self):
        return self.type == const.CommandStorageTypeChoices.server.value
    @property
    def type_es(self):
        return self.type == const.CommandStorageTypeChoices.es.value
    @property
    def type_null_or_server(self):
        return self.type_null or self.type_server
@ -73,6 +79,18 @@ class CommandStorage(CommonStorageModelMixin, CommonModelMixin):
        config.update({'TYPE': self.type})
        return config
    @property
    def valid_config(self):
        config = self.config
        if self.type_es and config.get('INDEX_BY_DATE'):
            engine_mod = import_module(TYPE_ENGINE_MAPPING[self.type])
            store = engine_mod.CommandStore(config)
            store._ensure_index_exists()
            index_prefix = config.get('INDEX') or 'jumpserver'
            date = local_now_date_display()
            config['INDEX'] = '%s-%s' % (index_prefix, date)
        return config
    def is_valid(self):
        if self.type_null_or_server:
            return True
@ -89,17 +107,21 @@ class CommandStorage(CommonStorageModelMixin, CommonModelMixin):
        return Terminal.objects.filter(command_storage=self.name, is_deleted=False).exists()
    def get_command_queryset(self):
-        if self.type_server:
+        if self.type_null:
            qs = Command.objects.all()
        else:
            if self.type not in TYPE_ENGINE_MAPPING:
                logger.error(f'Command storage `{self.type}` not support')
            return Command.objects.none()
        if self.type_server:
            return Command.objects.all()
        if self.type in TYPE_ENGINE_MAPPING:
            engine_mod = import_module(TYPE_ENGINE_MAPPING[self.type])
            qs = engine_mod.QuerySet(self.config)
            qs.model = Command
            return qs
        logger.error(f'Command storage `{self.type}` not support')
        return Command.objects.none()
    def save(self, force_insert=False, force_update=False, using=None,
             update_fields=None):
        super().save()
--- a/apps/terminal/models/terminal.py
+++ b/apps/terminal/models/terminal.py
@ -68,7 +68,7 @@ class StorageMixin:
    def get_command_storage_config(self):
        s = self.get_command_storage()
        if s:
-            config = s.config
+            config = s.valid_config
        else:
            config = settings.DEFAULT_TERMINAL_COMMAND_STORAGE
        return config
--- a/apps/terminal/serializers/endpoint.py
+++ b/apps/terminal/serializers/endpoint.py
@ -16,7 +16,7 @@ class EndpointSerializer(BulkModelSerializer):
            'host',
            'https_port', 'http_port', 'ssh_port',
            'rdp_port', 'mysql_port', 'mariadb_port',
-            'postgresql_port',
+            'postgresql_port', 'redis_port',
        ]
        fields = fields_mini + fields_small + [
            'comment', 'date_created', 'date_updated', 'created_by'
@ -29,6 +29,7 @@ class EndpointSerializer(BulkModelSerializer):
            'mysql_port': {'default': 33060},
            'mariadb_port': {'default': 33061},
            'postgresql_port': {'default': 54320},
            'redis_port': {'default': 63790},
        }
--- a/apps/terminal/serializers/storage.py
+++ b/apps/terminal/serializers/storage.py
@ -155,6 +155,10 @@ class CommandStorageTypeESSerializer(serializers.Serializer):
        child=serializers.CharField(validators=[command_storage_es_host_format_validator]),
        label=_('Hosts'), help_text=_(hosts_help_text), allow_null=True
    )
    INDEX_BY_DATE = serializers.BooleanField(
        default=False, label=_('Index by date'),
        help_text=_('Whether to create an index by date')
    )
    INDEX = serializers.CharField(
        max_length=1024, default='jumpserver', label=_('Index'), allow_null=True
    )
--- a/apps/tickets/migrations/0001_initial.py
+++ b/apps/tickets/migrations/0001_initial.py
@ -1,6 +1,6 @@
 # Generated by Django 2.2.5 on 2019-11-15 06:57
-import common.fields.model
+import common.db.fields
 from django.conf import settings
 from django.db import migrations, models
 import django.db.models.deletion
@ -26,7 +26,7 @@ class Migration(migrations.Migration):
                ('user_display', models.CharField(max_length=128, verbose_name='User display name')),
                ('title', models.CharField(max_length=256, verbose_name='Title')),
                ('body', models.TextField(verbose_name='Body')),
-                ('meta', common.fields.model.JsonDictTextField(default='{}', verbose_name='Meta')),
+                ('meta', common.db.fields.JsonDictTextField(default='{}', verbose_name='Meta')),
                ('assignee_display', models.CharField(blank=True, max_length=128, null=True, verbose_name='Assignee display name')),
                ('assignees_display', models.CharField(blank=True, max_length=128, verbose_name='Assignees display name')),
                ('type', models.CharField(choices=[('general', 'General'), ('login_confirm', 'Login confirm')], default='general', max_length=16, verbose_name='Type')),
--- a/apps/tickets/notifications.py
+++ b/apps/tickets/notifications.py
@ -1,13 +1,15 @@
 from urllib.parse import urljoin
 from django.conf import settings
 from django.core.cache import cache
 from django.shortcuts import reverse
 from django.template.loader import render_to_string
 from django.utils.translation import ugettext_lazy as _
 from . import const
 from notifications.notifications import UserMessage
-from common.utils import get_logger
+from common.utils import get_logger, random_string
 from .models import Ticket
 from . import const
 logger = get_logger(__file__)
@ -57,6 +59,13 @@ class TicketAppliedToAssignee(BaseTicketMessage):
    def __init__(self, user, ticket):
        self.ticket = ticket
        super().__init__(user)
        self._token = None
    @property
    def token(self):
        if self._token is None:
            self._token = random_string(32)
        return self._token
    @property
    def content_title(self):
@ -71,6 +80,29 @@ class TicketAppliedToAssignee(BaseTicketMessage):
        )
        return title
    def get_ticket_approval_url(self):
        url = reverse('tickets:direct-approve', kwargs={'token': self.token})
        return urljoin(settings.SITE_URL, url)
    def get_html_msg(self) -> dict:
        body = self.ticket.body.replace('\n', '<br/>')
        context = dict(
            title=self.content_title,
            ticket_detail_url=self.ticket_detail_url,
            body=body,
        )
        ticket_approval_url = self.get_ticket_approval_url()
        context.update({'ticket_approval_url': ticket_approval_url})
        message = render_to_string('tickets/_msg_ticket.html', context)
        cache.set(self.token, {
            'body': body, 'ticket_id': self.ticket.id
        }, 3600)
        return {
            'subject': self.subject,
            'message': message
        }
    @classmethod
    def gen_test_msg(cls):
        from .models import Ticket
--- a/apps/tickets/templates/tickets/_msg_ticket.html
+++ b/apps/tickets/templates/tickets/_msg_ticket.html
@ -9,7 +9,13 @@
    <br>
    <div>
        <a href="{{ ticket_detail_url }}" target="_blank">
-            {% trans 'Click here to review' %}
+            {% trans 'View details' %}
        </a>
        <br>
        {% if ticket_approval_url %}
            <a href="{{ ticket_approval_url }}" target="_blank">
                {% trans 'Direct approval' %}
            </a>
        {% endif %}
    </div>
 </div>
--- a/apps/tickets/templates/tickets/approve_check_password.html
+++ b/apps/tickets/templates/tickets/approve_check_password.html
@ -0,0 +1,56 @@
 {% extends '_base_double_screen.html' %}
 {% load bootstrap3 %}
 {% load static %}
 {% load i18n %}
 {% block content %}
 <div class="col-lg-12">
    <div class="col-lg-6">
        <div class="ibox-content">
            <h2 class="font-bold" style="display: inline">{% trans 'Ticket information' %}</h2>
            <h1></h1>
            <div style="word-break: break-all">{{ ticket_info | safe }}</div>
        </div>
    </div>
    <div class="col-lg-6">
        <div class="ibox-content">
            <img src="{{ LOGO_URL }}" style="margin: auto" width="50" height="50">
            <h2 class="font-bold" style="display: inline">{% trans 'Ticket approval' %}</h2>
            <h1></h1>
            <div class="ibox-content">
                <p>
                    {% trans 'Hello' %} {{ user.name }},
                </p>
                <p style="text-indent: 3em">
                    {{ prompt_msg }}
                </p>
                <br>
                <form id="approve-form" action="" method="post" role="form" novalidate="novalidate">
                    {% csrf_token %}
                    <div class="form-group" style="">
                        {% if user.is_authenticated %}
                        <button class="btn btn-primary block full-width m-b" name="action" value="approve"
                        type="submit">
                            {% trans 'Ticket direct approval' %}
                        </button>
                        <button class="btn btn-primary block full-width m-b" name="action" value="reject"
                        type="submit">
                            {% trans 'Ticket direct reject' %}
                        </button>
                        {% else %}
                        <a id='login_button' class="btn btn-primary block full-width m-b"
                           href="{{ login_url }}">
                            {% trans 'Go Login' %}
                        </a>
                        {% endif %}
                    </div>
                </form>
            </div>
        </div>
    </div>
 </div>
 <style>
 </style>
 {% endblock %}
--- a/apps/tickets/urls/view_urls.py
+++ b/apps/tickets/urls/view_urls.py
@ -0,0 +1,12 @@
 # coding:utf-8
 #
 from django.urls import path
 from .. import views
 app_name = 'tickets'
 urlpatterns = [
    path('direct-approve/<str:token>/', views.TicketDirectApproveView.as_view(), name='direct-approve'),
 ]
--- a/apps/tickets/views/init.py
+++ b/apps/tickets/views/init.py
@ -0,0 +1 @@
 from .approve import *
--- a/apps/tickets/views/approve.py
+++ b/apps/tickets/views/approve.py
@ -0,0 +1,98 @@
 # -*- coding: utf-8 -*-
 #
 from __future__ import unicode_literals
 from django.views.generic.base import TemplateView
 from django.shortcuts import redirect, reverse
 from django.core.cache import cache
 from django.utils.translation import ugettext as _
 from tickets.models import Ticket
 from tickets.errors import AlreadyClosed
 from common.utils import get_logger, FlashMessageUtil
 logger = get_logger(__name__)
 __all__ = ['TicketDirectApproveView']
 class TicketDirectApproveView(TemplateView):
    template_name = 'tickets/approve_check_password.html'
    redirect_field_name = 'next'
    @property
    def message_data(self):
        return {
            'title': _('Ticket approval'),
            'error': _("This ticket does not exist, "
                       "the process has ended, or this link has expired"),
            'redirect_url': self.login_url,
            'auto_redirect': False
        }
    @property
    def login_url(self):
        return reverse('authentication:login') + '?admin=1'
    def redirect_message_response(self, **kwargs):
        message_data = self.message_data
        for key, value in kwargs.items():
            if isinstance(value, str):
                message_data[key] = value
        if message_data.get('message'):
            message_data.pop('error')
        redirect_url = FlashMessageUtil.gen_message_url(message_data)
        return redirect(redirect_url)
    @staticmethod
    def clear(token):
        cache.delete(token)
    def get_context_data(self, **kwargs):
        # 放入工单信息
        token = kwargs.get('token')
        ticket_info = cache.get(token, {}).get('body', '')
        if self.request.user.is_authenticated:
            prompt_msg = _('Click the button below to approve or reject')
        else:
            prompt_msg = _('After successful authentication, this ticket can be approved directly')
        kwargs.update({
            'ticket_info': ticket_info, 'prompt_msg': prompt_msg,
            'login_url': '%s&next=%s' % (
                self.login_url,
                reverse('tickets:direct-approve', kwargs={'token': token})
            ),
        })
        return super().get_context_data(**kwargs)
    def get(self, request, *args, **kwargs):
        token = kwargs.get('token')
        ticket_info = cache.get(token)
        if not ticket_info:
            return self.redirect_message_response(redirect_url=self.login_url)
        return super().get(request, *args, **kwargs)
    def post(self, request, **kwargs):
        user = request.user
        token = kwargs.get('token')
        action = request.POST.get('action')
        if action not in ['approve', 'reject']:
            msg = _('Illegal approval action')
            return self.redirect_message_response(error=str(msg))
        ticket_info = cache.get(token)
        if not ticket_info:
            return self.redirect_message_response(redirect_url=self.login_url)
        try:
            ticket_id = ticket_info.get('ticket_id')
            ticket = Ticket.all().get(id=ticket_id)
            if not ticket.has_current_assignee(user):
                raise Exception(_("This user is not authorized to approve this ticket"))
            getattr(ticket, action)(user)
        except AlreadyClosed as e:
            self.clear(token)
            return self.redirect_message_response(error=str(e), redirect_url=self.login_url)
        except Exception as e:
            return self.redirect_message_response(error=str(e), redirect_url=self.login_url)
        self.clear(token)
        return self.redirect_message_response(message=_("Success"), redirect_url=self.login_url)
--- a/apps/users/forms/profile.py
+++ b/apps/users/forms/profile.py
@ -5,6 +5,7 @@ from django.utils.translation import gettext_lazy as _
 from captcha.fields import CaptchaField
 from common.utils import validate_ssh_public_key
 from authentication.forms import EncryptedField
 from ..models import User
@ -17,7 +18,7 @@ __all__ = [
 class UserCheckPasswordForm(forms.Form):
-    password = forms.CharField(
+    password = EncryptedField(
        label=_('Password'), widget=forms.PasswordInput,
        max_length=1024, strip=False
    )
@ -77,12 +78,12 @@ UserFirstLoginFinishForm.verbose_name = _("Finish")
 class UserTokenResetPasswordForm(forms.Form):
-    new_password = forms.CharField(
+    new_password = EncryptedField(
        min_length=5, max_length=128,
        widget=forms.PasswordInput,
        label=_("New password")
    )
-    confirm_password = forms.CharField(
+    confirm_password = EncryptedField(
        min_length=5, max_length=128,
        widget=forms.PasswordInput,
        label=_("Confirm password")
@ -103,7 +104,7 @@ class UserForgotPasswordForm(forms.Form):
 class UserPasswordForm(UserTokenResetPasswordForm):
-    old_password = forms.CharField(
+    old_password = EncryptedField(
        max_length=128, widget=forms.PasswordInput,
        label=_("Old password")
    )
--- a/apps/users/migrations/0021_auto_20190625_1104.py
+++ b/apps/users/migrations/0021_auto_20190625_1104.py
@ -1,6 +1,6 @@
 # Generated by Django 2.1.7 on 2019-06-25 03:04
-import common.fields.model
+import common.db.fields
 from django.db import migrations, models
@ -14,17 +14,17 @@ class Migration(migrations.Migration):
        migrations.AlterField(
            model_name='user',
            name='_otp_secret_key',
-            field=common.fields.model.EncryptCharField(blank=True, max_length=128, null=True),
+            field=common.db.fields.EncryptCharField(blank=True, max_length=128, null=True),
        ),
        migrations.AlterField(
            model_name='user',
            name='_private_key',
-            field=common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='Private key'),
+            field=common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='Private key'),
        ),
        migrations.AlterField(
            model_name='user',
            name='_public_key',
-            field=common.fields.model.EncryptTextField(blank=True, null=True, verbose_name='Public key'),
+            field=common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='Public key'),
        ),
        migrations.AlterField(
            model_name='user',
--- a/Show More
+++ b/Show More
`@ -131,4 +131,3 @@ Licensed under The GNU General Public License version 3 (GPLv3) (the "License")`
	`https://www.gnu.org/licenses/gpl-3.0.html`	`https://www.gnu.org/licenses/gpl-3.0.html`

	`Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.`	`Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.`
		`@ -1 +0,0 @@`
			{"version":3,"file":"fit.js","sources":["../../../src/addons/fit/fit.ts","../../../node_modules/browser-pack/_prelude.js"],"sourcesContent":["/*\n Copyright (c) 2014 The xterm.js authors. All rights reserved.\n * @license MIT\n \n Fit terminal columns and rows to the dimensions of its DOM element.\n \n ## Approach\n \n Rows: Truncate the division of the terminal parent element height by the\n * terminal row height.\n * Columns: Truncate the division of the terminal parent element width by the\n * terminal character width (apply display: inline at the terminal\n * row and truncate its width with the current number of columns).\n */\n\nimport { Terminal } from 'xterm';\n\nexport interface IGeometry {\n rows: number;\n cols: number;\n}\n\nexport function proposeGeometry(term: Terminal): IGeometry {\n if (!term.element.parentElement) {\n return null;\n }\n const parentElementStyle = window.getComputedStyle(term.element.parentElement);\n const parentElementHeight = parseInt(parentElementStyle.getPropertyValue('height'));\n const parentElementWidth = Math.max(0, parseInt(parentElementStyle.getPropertyValue('width')));\n const elementStyle = window.getComputedStyle(term.element);\n const elementPadding = {\n top: parseInt(elementStyle.getPropertyValue('padding-top')),\n bottom: parseInt(elementStyle.getPropertyValue('padding-bottom')),\n right: parseInt(elementStyle.getPropertyValue('padding-right')),\n left: parseInt(elementStyle.getPropertyValue('padding-left'))\n };\n const elementPaddingVer = elementPadding.top + elementPadding.bottom;\n const elementPaddingHor = elementPadding.right + elementPadding.left;\n const availableHeight = parentElementHeight - elementPaddingVer;\n const availableWidth = parentElementWidth - elementPaddingHor - (<any>term)._core.viewport.scrollBarWidth;\n const geometry = {\n cols: Math.floor(availableWidth / (<any>term)._core.renderer.dimensions.actualCellWidth),\n rows: Math.floor(availableHeight / (<any>term)._core.renderer.dimensions.actualCellHeight)\n };\n return geometry;\n}\n\nexport function fit(term: Terminal): void {\n const geometry = proposeGeometry(term);\n if (geometry) {\n // Force a full render\n if (term.rows !== geometry.rows \|\| term.cols !== geometry.cols) {\n (<any>term)._core.renderer.clear();\n term.resize(geometry.cols, geometry.rows);\n }\n }\n}\n\nexport function apply(terminalConstructor: typeof Terminal): void {\n (<any>terminalConstructor.prototype).proposeGeometry = function (): IGeometry {\n return proposeGeometry(this);\n };\n\n (<any>terminalConstructor.prototype).fit = function (): void {\n fit(this);\n };\n}\n",null],"names":[],"mappings":"ACAA;;;ADsBA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAvBA;AAyBA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AATA;AAWA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AARA;"}
		`@ -1 +0,0 @@`
			{"version":3,"file":"fullscreen.js","sources":["../../../src/addons/fullscreen/fullscreen.ts","../../../node_modules/browser-pack/_prelude.js"],"sourcesContent":["/*\n Copyright (c) 2014 The xterm.js authors. All rights reserved.\n * @license MIT\n /\n\nimport { Terminal } from 'xterm';\n\n/\n Toggle the given terminal's fullscreen mode.\n * @param term The terminal to toggle full screen mode\n * @param fullscreen Toggle fullscreen on (true) or off (false)\n */\nexport function toggleFullScreen(term: Terminal, fullscreen: boolean): void {\n let fn: string;\n\n if (typeof fullscreen === 'undefined') {\n fn = (term.element.classList.contains('fullscreen')) ? 'remove' : 'add';\n } else if (!fullscreen) {\n fn = 'remove';\n } else {\n fn = 'add';\n }\n\n term.element.classList[fn]('fullscreen');\n}\n\nexport function apply(terminalConstructor: typeof Terminal): void {\n (<any>terminalConstructor.prototype).toggleFullScreen = function (fullscreen: boolean): void {\n toggleFullScreen(this, fullscreen);\n };\n}\n",null],"names":[],"mappings":"ACAA;;;ADYA;AACA;AAEA;AACA;AACA;AAAA;AACA;AACA;AAAA;AACA;AACA;AAEA;AACA;AAZA;AAcA;AACA;AACA;AACA;AACA;AAJA;"}
		`@ -1 +0,0 @@`
			{"version":3,"file":"terminado.js","sources":["../../../src/addons/terminado/terminado.ts","../../../node_modules/browser-pack/_prelude.js"],"sourcesContent":["/*\n Copyright (c) 2016 The xterm.js authors. All rights reserved.\n * @license MIT\n \n This module provides methods for attaching a terminal to a terminado\n * WebSocket stream.\n /\n\nimport { Terminal } from 'xterm';\nimport { ITerminadoAddonTerminal } from './Interfaces';\n\n/\n Attaches the given terminal to the given socket.\n \n @param term The terminal to be attached to the given socket.\n * @param socket The socket to attach the current terminal.\n * @param bidirectional Whether the terminal should send data to the socket as well.\n * @param buffered Whether the rendering of incoming data should happen instantly or at a maximum\n * frequency of 1 rendering per 10ms.\n /\nexport function terminadoAttach(term: Terminal, socket: WebSocket, bidirectional: boolean, buffered: boolean): void {\n const addonTerminal = <ITerminadoAddonTerminal>term;\n bidirectional = (typeof bidirectional === 'undefined') ? true : bidirectional;\n addonTerminal.__socket = socket;\n\n addonTerminal.__flushBuffer = () => {\n addonTerminal.write(addonTerminal.__attachSocketBuffer);\n addonTerminal.__attachSocketBuffer = null;\n };\n\n addonTerminal.__pushToBuffer = (data: string) => {\n if (addonTerminal.__attachSocketBuffer) {\n addonTerminal.__attachSocketBuffer += data;\n } else {\n addonTerminal.__attachSocketBuffer = data;\n setTimeout(addonTerminal.__flushBuffer, 10);\n }\n };\n\n addonTerminal.__getMessage = (ev: MessageEvent) => {\n const data = JSON.parse(ev.data);\n if (data[0] === 'stdout') {\n if (buffered) {\n addonTerminal.__pushToBuffer(data[1]);\n } else {\n addonTerminal.write(data[1]);\n }\n }\n };\n\n addonTerminal.__sendData = (data: string) => {\n socket.send(JSON.stringify(['stdin', data]));\n };\n\n addonTerminal.__setSize = (size: {rows: number, cols: number}) => {\n socket.send(JSON.stringify(['set_size', size.rows, size.cols]));\n };\n\n socket.addEventListener('message', addonTerminal.__getMessage);\n\n if (bidirectional) {\n addonTerminal.on('data', addonTerminal.__sendData);\n }\n addonTerminal.on('resize', addonTerminal.__setSize);\n\n socket.addEventListener('close', () => terminadoDetach(addonTerminal, socket));\n socket.addEventListener('error', () => terminadoDetach(addonTerminal, socket));\n}\n\n/\n Detaches the given terminal from the given socket\n \n @param term The terminal to be detached from the given socket.\n * @param socket The socket from which to detach the current terminal.\n /\nexport function terminadoDetach(term: Terminal, socket: WebSocket): void {\n const addonTerminal = <ITerminadoAddonTerminal>term;\n addonTerminal.off('data', addonTerminal.__sendData);\n\n socket = (typeof socket === 'undefined') ? addonTerminal.__socket : socket;\n\n if (socket) {\n socket.removeEventListener('message', addonTerminal.__getMessage);\n }\n\n delete addonTerminal.__socket;\n}\n\nexport function apply(terminalConstructor: typeof Terminal): void {\n /\n Attaches the current terminal to the given socket\n \n @param socket - The socket to attach the current terminal.\n * @param bidirectional - Whether the terminal should send data to the socket as well.\n * @param buffered - Whether the rendering of incoming data should happen instantly or at a\n * maximum frequency of 1 rendering per 10ms.\n /\n (<any>terminalConstructor.prototype).terminadoAttach = function (socket: WebSocket, bidirectional: boolean, buffered: boolean): void {\n return terminadoAttach(this, socket, bidirectional, buffered);\n };\n\n /\n Detaches the current terminal from the given socket.\n \n @param socket The socket from which to detach the current terminal.\n */\n (<any>terminalConstructor.prototype).terminadoDetach = function (socket: WebSocket): void {\n return terminadoDetach(this, socket);\n };\n}\n",null],"names":[],"mappings":"ACAA;;;ADoBA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AAAA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AAAA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AAEA;AACA;AACA;AAEA;AAEA;AACA;AACA;AACA;AAEA;AACA;AACA;AA/CA;AAuDA;AACA;AACA;AAEA;AAEA;AACA;AACA;AAEA;AACA;AAXA;AAaA;AASA;AACA;AACA;AAOA;AACA;AACA;AACA;AArBA;"}
		`@ -1 +0,0 @@`
			{"version":3,"file":"webLinks.js","sources":["../../../src/addons/webLinks/webLinks.ts","../../../node_modules/browser-pack/_prelude.js"],"sourcesContent":["/*\n Copyright (c) 2017 The xterm.js authors. All rights reserved.\n * @license MIT\n /\n\nimport { Terminal, ILinkMatcherOptions } from 'xterm';\n\nconst protocolClause = '(https?:\\\\/\\\\/)';\nconst domainCharacterSet = '[\\\\da-z\\\\.-]+';\nconst negatedDomainCharacterSet = '[^\\\\da-z\\\\.-]+';\nconst domainBodyClause = '(' + domainCharacterSet + ')';\nconst tldClause = '([a-z\\\\.]{2,6})';\nconst ipClause = '((\\\\d{1,3}\\\\.){3}\\\\d{1,3})';\nconst localHostClause = '(localhost)';\nconst portClause = '(:\\\\d{1,5})';\nconst hostClause = '((' + domainBodyClause + '\\\\.' + tldClause + ')\|' + ipClause + '\|' + localHostClause + ')' + portClause + '?';\nconst pathClause = '(\\\\/[\\\\/\\\\w\\\\.\\\\-%~])';\nconst queryStringHashFragmentCharacterSet = '[0-9\\\\w\\\\[\\\\]\\\\(\\\\)\\\\/\\\\?\\\\!#@$%&\\'+,:;~\\\\=\\\\.\\\\-]';\nconst queryStringClause = '(\\\\?' + queryStringHashFragmentCharacterSet + ')?';\nconst hashFragmentClause = '(#' + queryStringHashFragmentCharacterSet + ')?';\nconst negatedPathCharacterSet = '[^\\\\/\\\\w\\\\.\\\\-%]+';\nconst bodyClause = hostClause + pathClause + queryStringClause + hashFragmentClause;\nconst start = '(?:^\|' + negatedDomainCharacterSet + ')(';\nconst end = ')($\|' + negatedPathCharacterSet + ')';\nconst strictUrlRegex = new RegExp(start + protocolClause + bodyClause + end);\n\nfunction handleLink(event: MouseEvent, uri: string): void {\n window.open(uri, '_blank');\n}\n\n/\n Initialize the web links addon, registering the link matcher.\n * @param term The terminal to use web links within.\n * @param handler A custom handler to use.\n * @param options Custom options to use, matchIndex will always be ignored.\n */\nexport function webLinksInit(term: Terminal, handler: (event: MouseEvent, uri: string) => void = handleLink, options: ILinkMatcherOptions = {}): void {\n options.matchIndex = 1;\n term.registerLinkMatcher(strictUrlRegex, handler, options);\n}\n\nexport function apply(terminalConstructor: typeof Terminal): void {\n (<any>terminalConstructor.prototype).webLinksInit = function (handler?: (event: MouseEvent, uri: string) => void, options?: ILinkMatcherOptions): void {\n webLinksInit(this, handler, options);\n };\n}\n",null],"names":[],"mappings":"ACAA;;;ADOA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AAQA;AAAA;AAAA;AACA;AACA;AACA;AAHA;AAKA;AACA;AACA;AACA;AACA;AAJA;"}
		`@ -1 +0,0 @@`
			{"version":3,"file":"winptyCompat.js","sources":["../../../src/addons/winptyCompat/winptyCompat.ts","../../../node_modules/browser-pack/_prelude.js"],"sourcesContent":["/*\n Copyright (c) 2017 The xterm.js authors. All rights reserved.\n * @license MIT\n /\n\nimport { Terminal } from 'xterm';\nimport { IWinptyCompatAddonTerminal } from './Interfaces';\n\nexport function winptyCompatInit(terminal: Terminal): void {\n const addonTerminal = <IWinptyCompatAddonTerminal>terminal;\n\n // Don't do anything when the platform is not Windows\n const isWindows = ['Windows', 'Win16', 'Win32', 'WinCE'].indexOf(navigator.platform) >= 0;\n if (!isWindows) {\n return;\n }\n\n // Winpty does not support wraparound mode which means that lines will never\n // be marked as wrapped. This causes issues for things like copying a line\n // retaining the wrapped new line characters or if consumers are listening\n // in on the data stream.\n //\n // The workaround for this is to listen to every incoming line feed and mark\n // the line as wrapped if the last character in the previous line is not a\n // space. This is certainly not without its problems, but generally on\n // Windows when text reaches the end of the terminal it's likely going to be\n // wrapped.\n addonTerminal.on('linefeed', () => {\n const line = addonTerminal._core.buffer.lines.get(addonTerminal._core.buffer.ybase + addonTerminal._core.buffer.y - 1);\n const lastChar = line[addonTerminal.cols - 1];\n\n if (lastChar[3] !== 32 / ' ' */) {\n const nextLine = addonTerminal._core.buffer.lines.get(addonTerminal._core.buffer.ybase + addonTerminal._core.buffer.y);\n (<any>nextLine).isWrapped = true;\n }\n });\n}\n\nexport function apply(terminalConstructor: typeof Terminal): void {\n (<any>terminalConstructor.prototype).winptyCompatInit = function (): void {\n winptyCompatInit(this);\n };\n}\n",null],"names":[],"mappings":"ACAA;;;ADQA;AACA;AAGA;AACA;AACA;AACA;AAYA;AACA;AACA;AAEA;AACA;AACA;AACA;AACA;AACA;AA5BA;AA8BA;AACA;AACA;AACA;AACA;AAJA;"}
		`@ -1 +0,0 @@`
			{"version":3,"file":"zmodem.js","sources":["../../../src/addons/zmodem/zmodem.ts","../../../node_modules/browser-pack/_prelude.js"],"sourcesContent":["/*\n Copyright (c) 2017 The xterm.js authors. All rights reserved.\n * @license MIT\n /\n\nimport { Terminal } from 'xterm';\n\n/\n \n * Allow xterm.js to handle ZMODEM uploads and downloads.\n \n This addon is a wrapper around zmodem.js. It adds the following to the\n * Terminal class:\n \n - function `zmodemAttach(<WebSocket>, <Object>)` - creates a Zmodem.Sentry\n * on the passed WebSocket object. The Object passed is optional and\n * can contain:\n * - noTerminalWriteOutsideSession: Suppress writes from the Sentry\n * object to the Terminal while there is no active Session. This\n * is necessary for compatibility with, for example, the\n * `attach.js` addon.\n \n - event `zmodemDetect` - fired on Zmodem.Sentry’s `on_detect` callback.\n * Passes the zmodem.js Detection object.\n \n - event `zmodemRetract` - fired on Zmodem.Sentry’s `on_retract` callback.\n \n You’ll need to provide logic to handle uploads and downloads.\n * See zmodem.js’s documentation for more details.\n \n IMPORTANT: After you confirm() a zmodem.js Detection, if you have\n * used the `attach` or `terminado` addons, you’ll need to suspend their\n * operation for the duration of the ZMODEM session. (The demo does this\n * via `detach()` and a re-`attach()`.)\n */\n\nlet zmodem;\n\nexport interface IZmodemOptions {\n noTerminalWriteOutsideSession?: boolean;\n}\n\nfunction zmodemAttach(ws: WebSocket, opts: IZmodemOptions = {}): void {\n const term = this;\n const senderFunc = (octets: ArrayLike<number>) => ws.send(new Uint8Array(octets));\n\n let zsentry;\n\n function shouldWrite(): boolean {\n return !!zsentry.get_confirmed_session() \|\| !opts.noTerminalWriteOutsideSession;\n }\n\n zsentry = new zmodem.Sentry({\n to_terminal: (octets: ArrayLike<number>) => {\n if (shouldWrite()) {\n term.write(\n String.fromCharCode.apply(String, octets)\n );\n }\n },\n sender: senderFunc,\n on_retract: () => (<any>term).emit('zmodemRetract'),\n on_detect: (detection: any) => (<any>term).emit('zmodemDetect', detection)\n });\n\n function handleWSMessage(evt: MessageEvent): void {\n\n // In testing with xterm.js’s demo the first message was\n // always text even if the rest were binary. While that\n // may be specific to xterm.js’s demo, ultimately we\n // should reject anything that isn’t binary.\n if (typeof evt.data === 'string') {\n if (shouldWrite()) {\n term.write(evt.data);\n }\n }\n else {\n zsentry.consume(evt.data);\n }\n }\n\n ws.binaryType = 'arraybuffer';\n ws.addEventListener('message', handleWSMessage);\n}\n\nexport function apply(terminalConstructor: typeof Terminal): void {\n zmodem = (typeof window === 'object') ? (<any>window).Zmodem : {Browser: null}; // Nullify browser for tests\n\n (<any>terminalConstructor.prototype).zmodemAttach = zmodemAttach;\n (<any>terminalConstructor.prototype).zmodemBrowser = zmodem.Browser;\n}\n",null],"names":[],"mappings":"ACAA;;;ADoCA;AAMA;AAAA;AACA;AACA;AAEA;AAEA;AACA;AACA;AAEA;AACA;AACA;AACA;AAGA;AACA;AACA;AACA;AACA;AACA;AAEA;AAMA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AAEA;AACA;AACA;AAEA;AACA;AAEA;AACA;AACA;AALA;"}