Merge pull request #3033 from jumpserver/dev

Dev

apps/authentication/backends/ldap.py

@@ -8,6 +8,7 @@ from django_auth_ldap.backend import _LDAPUser, LDAPBackend
 from django_auth_ldap.config import _LDAPConfig, LDAPSearch, LDAPSearchUnion
 
 from users.utils import construct_user_email
+from common.const import LDAP_AD_ACCOUNT_DISABLE
 
 logger = _LDAPConfig.get_logger()
 
@@ -17,6 +18,15 @@ class LDAPAuthorizationBackend(LDAPBackend):
     Override this class to override _LDAPUser to LDAPUser
     """
 
+    @staticmethod
+    def user_can_authenticate(user):
+        """
+        Reject users with is_active=False. Custom user models that don't have
+        that attribute are allowed.
+        """
+        is_valid = getattr(user, 'is_valid', None)
+        return is_valid or is_valid is None
+
     def authenticate(self, request=None, username=None, password=None, **kwargs):
         logger.info('Authentication LDAP backend')
         if not username:
@@ -25,34 +35,29 @@ class LDAPAuthorizationBackend(LDAPBackend):
         ldap_user = LDAPUser(self, username=username.strip(), request=request)
         user = self.authenticate_ldap_user(ldap_user, password)
         logger.info('Authenticate user: {}'.format(user))
-        return user
+        return user if self.user_can_authenticate(user) else None
 
     def get_user(self, user_id):
         user = None
-
         try:
             user = self.get_user_model().objects.get(pk=user_id)
             LDAPUser(self, user=user)  # This sets user.ldap_user
         except ObjectDoesNotExist:
             pass
-
         return user
 
     def get_group_permissions(self, user, obj=None):
         if not hasattr(user, 'ldap_user') and self.settings.AUTHORIZE_ALL_USERS:
             LDAPUser(self, user=user)  # This sets user.ldap_user
-
         if hasattr(user, 'ldap_user'):
             permissions = user.ldap_user.get_group_permissions()
         else:
             permissions = set()
-
         return permissions
 
     def populate_user(self, username):
         ldap_user = LDAPUser(self, username=username)
         user = ldap_user.populate_user()
-
         return user
 
 
@@ -91,13 +96,19 @@ class LDAPUser(_LDAPUser):
         for field, attr in self.settings.USER_ATTR_MAP.items():
             try:
                 value = self.attrs[attr][0]
+                if attr.lower() == 'useraccountcontrol' \
+                        and field == 'is_active' and value:
+                    value = int(value) & LDAP_AD_ACCOUNT_DISABLE \
+                            != LDAP_AD_ACCOUNT_DISABLE
             except LookupError:
                 logger.warning("{} does not have a value for the attribute {}".format(self.dn, attr))
             else:
                 if not hasattr(self._user, field):
                     continue
                 if isinstance(getattr(self._user, field), bool):
-                    value = value.lower() in ['true', '1']
+                    if isinstance(value, str):
+                        value = value.lower()
+                    value = value in ['true', '1', True]
                 setattr(self._user, field, value)
 
         email = getattr(self._user, 'email', '')

apps/authentication/backends/openid/backends.py

@@ -26,8 +26,8 @@ class BaseOpenIDAuthorizationBackend(object):
         Reject users with is_active=False. Custom user models that don't have
         that attribute are allowed.
         """
-        is_active = getattr(user, 'is_active', None)
-        return is_active or is_active is None
+        is_valid = getattr(user, 'is_valid', None)
+        return is_valid or is_valid is None
 
     def get_user(self, user_id):
         try:

apps/authentication/signals_handlers.py

+from rest_framework.request import Request
 from django.http.request import QueryDict
 from django.conf import settings
 from django.dispatch import receiver
@@ -52,14 +53,15 @@ def on_ldap_create_user(sender, user, ldap_user, **kwargs):
 
 
 def generate_data(username, request):
-    if not request.user.is_anonymous and request.user.is_app:
+    user_agent = request.META.get('HTTP_USER_AGENT', '')
+
+    if isinstance(request, Request):
         login_ip = request.data.get('remote_addr', None)
         login_type = request.data.get('login_type', '')
-        user_agent = request.data.get('HTTP_USER_AGENT', '')
     else:
         login_ip = get_request_ip(request)
-        user_agent = request.META.get('HTTP_USER_AGENT', '')
         login_type = 'W'
+
     data = {
         'username': username,
         'ip': login_ip,

apps/common/const.py

@@ -8,3 +8,7 @@ update_success_msg = _("%(name)s was updated successfully")
 FILE_END_GUARD = ">>> Content End <<<"
 celery_task_pre_key = "CELERY_"
 KEY_CACHE_RESOURCES_ID = "RESOURCES_ID_{}"
+
+# AD User AccountDisable
+# https://blog.csdn.net/bytxl/article/details/17763975
+LDAP_AD_ACCOUNT_DISABLE = 2

apps/common/permissions.py

@@ -137,6 +137,16 @@ class PermissionsMixin(UserPassesTestMixin):
         return True
 
 
+class UserCanUpdatePassword:
+    def has_permission(self, request, view):
+        return request.user.can_update_password()
+
+
+class UserCanUpdateSSHKey:
+    def has_permission(self, request, view):
+        return request.user.can_update_ssh_key()
+
+
 class NeedMFAVerify(permissions.BasePermission):
     def has_permission(self, request, view):
         mfa_verify_time = request.session.get('MFA_VERIFY_TIME', 0)

apps/common/renders/csv.py

@@ -58,8 +58,8 @@ class JMSCSVRender(BaseRenderer):
         template = request.query_params.get('template', 'export')
         view = renderer_context['view']
 
-        if isinstance(data, dict) and data.get("count"):
-            data = data["results"]
+        if isinstance(data, dict):
+            data = data.get("results", [])
 
         if template == 'import':
             data = [data[0]] if data else data

apps/locale/zh/LC_MESSAGES/django.po

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: Jumpserver 0.3.3\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2019-07-18 13:18+0800\n"
+"POT-Creation-Date: 2019-07-25 16:16+0800\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: ibuler <ibuler@qq.com>\n"
 "Language-Team: Jumpserver team<ibuler@qq.com>\n"
@@ -88,8 +88,8 @@ msgstr "运行参数"
 #: audits/templates/audits/ftp_log_list.html:71
 #: perms/forms/asset_permission.py:69 perms/models/asset_permission.py:78
 #: perms/templates/perms/asset_permission_create_update.html:45
-#: perms/templates/perms/asset_permission_list.html:48
-#: perms/templates/perms/asset_permission_list.html:117
+#: perms/templates/perms/asset_permission_list.html:52
+#: perms/templates/perms/asset_permission_list.html:121
 #: terminal/backends/command/models.py:13 terminal/models.py:155
 #: terminal/templates/terminal/command_list.html:30
 #: terminal/templates/terminal/command_list.html:66
@@ -118,9 +118,9 @@ msgstr "资产"
 #: perms/forms/asset_permission.py:75 perms/models/asset_permission.py:80
 #: perms/models/asset_permission.py:114
 #: perms/templates/perms/asset_permission_detail.html:140
-#: perms/templates/perms/asset_permission_list.html:50
-#: perms/templates/perms/asset_permission_list.html:71
-#: perms/templates/perms/asset_permission_list.html:123 templates/_nav.html:25
+#: perms/templates/perms/asset_permission_list.html:54
+#: perms/templates/perms/asset_permission_list.html:75
+#: perms/templates/perms/asset_permission_list.html:127 templates/_nav.html:25
 #: terminal/backends/command/models.py:14 terminal/models.py:156
 #: terminal/templates/terminal/command_list.html:31
 #: terminal/templates/terminal/command_list.html:67
@@ -152,8 +152,8 @@ msgstr "系统用户"
 #: ops/templates/ops/task_detail.html:60 ops/templates/ops/task_list.html:27
 #: orgs/models.py:11 perms/models/base.py:35
 #: perms/templates/perms/asset_permission_detail.html:62
-#: perms/templates/perms/asset_permission_list.html:45
-#: perms/templates/perms/asset_permission_list.html:64
+#: perms/templates/perms/asset_permission_list.html:49
+#: perms/templates/perms/asset_permission_list.html:68
 #: perms/templates/perms/asset_permission_user.html:54
 #: perms/templates/perms/remote_app_permission_detail.html:62
 #: perms/templates/perms/remote_app_permission_list.html:14
@@ -167,13 +167,13 @@ msgstr "系统用户"
 #: settings/templates/settings/terminal_setting.html:105 terminal/models.py:22
 #: terminal/models.py:258 terminal/templates/terminal/terminal_detail.html:43
 #: terminal/templates/terminal/terminal_list.html:29 users/models/group.py:14
-#: users/models/user.py:324 users/templates/users/_select_user_modal.html:13
+#: users/models/user.py:327 users/templates/users/_select_user_modal.html:13
 #: users/templates/users/user_detail.html:63
 #: users/templates/users/user_group_detail.html:55
 #: users/templates/users/user_group_list.html:35
 #: users/templates/users/user_list.html:35
 #: users/templates/users/user_profile.html:51
-#: users/templates/users/user_pubkey_update.html:53
+#: users/templates/users/user_pubkey_update.html:57
 #: xpack/plugins/change_auth_plan/forms.py:98
 #: xpack/plugins/change_auth_plan/models.py:61
 #: xpack/plugins/change_auth_plan/templates/change_auth_plan/plan_detail.html:61
@@ -218,7 +218,7 @@ msgstr "参数"
 #: perms/models/asset_permission.py:117 perms/models/base.py:41
 #: perms/templates/perms/asset_permission_detail.html:98
 #: perms/templates/perms/remote_app_permission_detail.html:90
-#: users/models/user.py:365 users/serializers/v1.py:120
+#: users/models/user.py:368 users/serializers/v1.py:120
 #: users/templates/users/user_detail.html:111
 #: xpack/plugins/change_auth_plan/models.py:106
 #: xpack/plugins/change_auth_plan/templates/change_auth_plan/plan_detail.html:113
@@ -279,10 +279,10 @@ msgstr "创建日期"
 #: perms/templates/perms/remote_app_permission_detail.html:94
 #: settings/models.py:34 terminal/models.py:32
 #: terminal/templates/terminal/terminal_detail.html:63 users/models/group.py:15
-#: users/models/user.py:357 users/templates/users/user_detail.html:127
+#: users/models/user.py:360 users/templates/users/user_detail.html:129
 #: users/templates/users/user_group_detail.html:67
 #: users/templates/users/user_group_list.html:37
-#: users/templates/users/user_profile.html:134
+#: users/templates/users/user_profile.html:138
 #: xpack/plugins/change_auth_plan/models.py:102
 #: xpack/plugins/change_auth_plan/templates/change_auth_plan/plan_detail.html:117
 #: xpack/plugins/change_auth_plan/templates/change_auth_plan/plan_list.html:19
@@ -330,12 +330,12 @@ msgstr "远程应用"
 #: terminal/templates/terminal/terminal_update.html:45
 #: users/templates/users/_user.html:50
 #: users/templates/users/user_bulk_update.html:23
-#: users/templates/users/user_detail.html:176
-#: users/templates/users/user_password_update.html:71
-#: users/templates/users/user_profile.html:204
-#: users/templates/users/user_profile_update.html:63
-#: users/templates/users/user_pubkey_update.html:70
-#: users/templates/users/user_pubkey_update.html:76
+#: users/templates/users/user_detail.html:178
+#: users/templates/users/user_password_update.html:75
+#: users/templates/users/user_profile.html:209
+#: users/templates/users/user_profile_update.html:67
+#: users/templates/users/user_pubkey_update.html:74
+#: users/templates/users/user_pubkey_update.html:80
 #: xpack/plugins/change_auth_plan/templates/change_auth_plan/plan_create_update.html:71
 #: xpack/plugins/cloud/templates/cloud/account_create_update.html:33
 #: xpack/plugins/cloud/templates/cloud/sync_instance_task_create.html:35
@@ -373,9 +373,9 @@ msgstr "重置"
 #: users/templates/users/forgot_password.html:42
 #: users/templates/users/user_bulk_update.html:24
 #: users/templates/users/user_list.html:57
-#: users/templates/users/user_password_update.html:72
-#: users/templates/users/user_profile_update.html:64
-#: users/templates/users/user_pubkey_update.html:77
+#: users/templates/users/user_password_update.html:76
+#: users/templates/users/user_profile_update.html:68
+#: users/templates/users/user_pubkey_update.html:81
 #: xpack/plugins/change_auth_plan/templates/change_auth_plan/plan_create_update.html:72
 #: xpack/plugins/interface/templates/interface/interface.html:74
 #: xpack/plugins/vault/templates/vault/vault_create.html:46
@@ -393,7 +393,7 @@ msgstr "提交"
 #: assets/templates/assets/system_user_detail.html:18
 #: ops/templates/ops/adhoc_history.html:130
 #: ops/templates/ops/task_adhoc.html:116
-#: ops/templates/ops/task_history.html:136
+#: ops/templates/ops/task_history.html:137
 #: perms/templates/perms/asset_permission_asset.html:18
 #: perms/templates/perms/asset_permission_detail.html:18
 #: perms/templates/perms/asset_permission_user.html:18
@@ -410,13 +410,13 @@ msgstr "详情"
 
 #: applications/templates/applications/remote_app_detail.html:21
 #: applications/templates/applications/remote_app_list.html:56
-#: assets/templates/assets/_asset_user_list.html:70
+#: assets/templates/assets/_asset_user_list.html:69
 #: assets/templates/assets/admin_user_detail.html:24
 #: assets/templates/assets/admin_user_list.html:26
 #: assets/templates/assets/admin_user_list.html:111
 #: assets/templates/assets/asset_detail.html:27
 #: assets/templates/assets/asset_list.html:78
-#: assets/templates/assets/asset_list.html:169
+#: assets/templates/assets/asset_list.html:168
 #: assets/templates/assets/cmd_filter_detail.html:29
 #: assets/templates/assets/cmd_filter_list.html:58
 #: assets/templates/assets/cmd_filter_rule_list.html:86
@@ -429,7 +429,7 @@ msgstr "详情"
 #: assets/templates/assets/system_user_list.html:33
 #: assets/templates/assets/system_user_list.html:85 audits/models.py:33
 #: perms/templates/perms/asset_permission_detail.html:30
-#: perms/templates/perms/asset_permission_list.html:173
+#: perms/templates/perms/asset_permission_list.html:177
 #: perms/templates/perms/remote_app_permission_detail.html:30
 #: perms/templates/perms/remote_app_permission_list.html:59
 #: terminal/templates/terminal/terminal_detail.html:16
@@ -441,9 +441,9 @@ msgstr "详情"
 #: users/templates/users/user_list.html:20
 #: users/templates/users/user_list.html:102
 #: users/templates/users/user_list.html:105
-#: users/templates/users/user_profile.html:177
-#: users/templates/users/user_profile.html:187
-#: users/templates/users/user_profile.html:196
+#: users/templates/users/user_profile.html:181
+#: users/templates/users/user_profile.html:191
+#: users/templates/users/user_profile.html:201
 #: xpack/plugins/change_auth_plan/templates/change_auth_plan/plan_detail.html:29
 #: xpack/plugins/change_auth_plan/templates/change_auth_plan/plan_list.html:55
 #: xpack/plugins/cloud/templates/cloud/account_detail.html:23
@@ -458,7 +458,7 @@ msgstr "更新"
 #: assets/templates/assets/admin_user_detail.html:28
 #: assets/templates/assets/admin_user_list.html:112
 #: assets/templates/assets/asset_detail.html:31
-#: assets/templates/assets/asset_list.html:170
+#: assets/templates/assets/asset_list.html:169
 #: assets/templates/assets/cmd_filter_detail.html:33
 #: assets/templates/assets/cmd_filter_list.html:59
 #: assets/templates/assets/cmd_filter_rule_list.html:87
@@ -471,7 +471,7 @@ msgstr "更新"
 #: assets/templates/assets/system_user_list.html:86 audits/models.py:34
 #: ops/templates/ops/task_list.html:64
 #: perms/templates/perms/asset_permission_detail.html:34
-#: perms/templates/perms/asset_permission_list.html:174
+#: perms/templates/perms/asset_permission_list.html:178
 #: perms/templates/perms/remote_app_permission_detail.html:34
 #: perms/templates/perms/remote_app_permission_list.html:60
 #: settings/templates/settings/terminal_setting.html:93
@@ -529,8 +529,8 @@ msgstr "创建远程应用"
 #: ops/templates/ops/task_history.html:65 ops/templates/ops/task_list.html:34
 #: perms/forms/asset_permission.py:21
 #: perms/templates/perms/asset_permission_create_update.html:50
-#: perms/templates/perms/asset_permission_list.html:52
-#: perms/templates/perms/asset_permission_list.html:126
+#: perms/templates/perms/asset_permission_list.html:56
+#: perms/templates/perms/asset_permission_list.html:130
 #: perms/templates/perms/remote_app_permission_list.html:19
 #: settings/templates/settings/terminal_setting.html:85
 #: settings/templates/settings/terminal_setting.html:107
@@ -657,9 +657,9 @@ msgstr "网域"
 #: assets/templates/assets/asset_create.html:42
 #: perms/forms/asset_permission.py:72 perms/forms/asset_permission.py:79
 #: perms/models/asset_permission.py:112
-#: perms/templates/perms/asset_permission_list.html:49
-#: perms/templates/perms/asset_permission_list.html:70
-#: perms/templates/perms/asset_permission_list.html:120
+#: perms/templates/perms/asset_permission_list.html:53
+#: perms/templates/perms/asset_permission_list.html:74
+#: perms/templates/perms/asset_permission_list.html:124
 #: xpack/plugins/change_auth_plan/forms.py:116
 #: xpack/plugins/change_auth_plan/templates/change_auth_plan/plan_execution_list.html:55
 #: xpack/plugins/change_auth_plan/templates/change_auth_plan/plan_list.html:15
@@ -719,11 +719,11 @@ msgstr "SSH网关，支持代理SSH,RDP和VNC"
 #: audits/templates/audits/login_log_list.html:51 authentication/forms.py:11
 #: authentication/templates/authentication/login.html:64
 #: authentication/templates/authentication/new_login.html:90
-#: ops/models/adhoc.py:164 perms/templates/perms/asset_permission_list.html:66
+#: ops/models/adhoc.py:164 perms/templates/perms/asset_permission_list.html:70
 #: perms/templates/perms/asset_permission_user.html:55
 #: perms/templates/perms/remote_app_permission_user.html:54
 #: settings/templates/settings/_ldap_list_users_modal.html:37 users/forms.py:14
-#: users/models/user.py:322 users/templates/users/_select_user_modal.html:14
+#: users/models/user.py:325 users/templates/users/_select_user_modal.html:14
 #: users/templates/users/user_detail.html:67
 #: users/templates/users/user_list.html:36
 #: users/templates/users/user_profile.html:47
@@ -751,9 +751,9 @@ msgstr "密码或密钥密码"
 #: settings/forms.py:110 users/forms.py:16 users/forms.py:28
 #: users/templates/users/reset_password.html:53
 #: users/templates/users/user_password_authentication.html:18
-#: users/templates/users/user_password_update.html:43
-#: users/templates/users/user_profile_update.html:40
-#: users/templates/users/user_pubkey_update.html:40
+#: users/templates/users/user_password_update.html:44
+#: users/templates/users/user_profile_update.html:41
+#: users/templates/users/user_pubkey_update.html:41
 #: users/templates/users/user_update.html:20
 #: xpack/plugins/change_auth_plan/models.py:93
 #: xpack/plugins/change_auth_plan/models.py:264
@@ -762,7 +762,7 @@ msgstr "密码"
 
 #: assets/forms/user.py:29 assets/serializers/asset_user.py:70
 #: assets/templates/assets/_asset_user_auth_update_modal.html:27
-#: users/models/user.py:351
+#: users/models/user.py:354
 msgid "Private key"
 msgstr "ssh私钥"
 
@@ -826,7 +826,7 @@ msgstr "IP"
 #: assets/templates/assets/asset_list.html:96
 #: assets/templates/assets/user_asset_list.html:48
 #: perms/templates/perms/asset_permission_asset.html:57
-#: perms/templates/perms/asset_permission_list.html:69 settings/forms.py:139
+#: perms/templates/perms/asset_permission_list.html:73 settings/forms.py:139
 #: users/templates/users/_granted_assets.html:24
 #: xpack/plugins/change_auth_plan/templates/change_auth_plan/plan_asset_list.html:50
 msgid "Hostname"
@@ -968,7 +968,7 @@ msgstr "带宽"
 msgid "Contact"
 msgstr "联系人"
 
-#: assets/models/cluster.py:22 users/models/user.py:343
+#: assets/models/cluster.py:22 users/models/user.py:346
 #: users/templates/users/user_detail.html:76
 msgid "Phone"
 msgstr "手机"
@@ -994,7 +994,7 @@ msgid "Default"
 msgstr "默认"
 
 #: assets/models/cluster.py:36 assets/models/label.py:14
-#: users/models/user.py:451
+#: users/models/user.py:454
 msgid "System"
 msgstr "系统"
 
@@ -1104,8 +1104,8 @@ msgstr "默认资产组"
 #: perms/forms/asset_permission.py:63 perms/forms/remote_app_permission.py:31
 #: perms/models/base.py:36
 #: perms/templates/perms/asset_permission_create_update.html:41
-#: perms/templates/perms/asset_permission_list.html:46
-#: perms/templates/perms/asset_permission_list.html:111
+#: perms/templates/perms/asset_permission_list.html:50
+#: perms/templates/perms/asset_permission_list.html:115
 #: perms/templates/perms/remote_app_permission_create_update.html:43
 #: perms/templates/perms/remote_app_permission_list.html:15
 #: templates/index.html:87 terminal/backends/command/models.py:12
@@ -1113,9 +1113,9 @@ msgstr "默认资产组"
 #: terminal/templates/terminal/command_list.html:65
 #: terminal/templates/terminal/session_list.html:27
 #: terminal/templates/terminal/session_list.html:71 users/forms.py:316
-#: users/models/user.py:121 users/models/user.py:439
+#: users/models/user.py:124 users/models/user.py:442
 #: users/serializers/v1.py:109 users/templates/users/user_group_detail.html:78
-#: users/templates/users/user_group_list.html:36 users/views/user.py:251
+#: users/templates/users/user_group_list.html:36 users/views/user.py:243
 #: xpack/plugins/orgs/forms.py:26
 #: xpack/plugins/orgs/templates/orgs/org_detail.html:113
 #: xpack/plugins/orgs/templates/orgs/org_list.html:14
@@ -1153,9 +1153,9 @@ msgstr "手动登录"
 #: assets/templates/assets/system_user_detail.html:22
 #: assets/views/admin_user.py:30 assets/views/admin_user.py:49
 #: assets/views/admin_user.py:67 assets/views/admin_user.py:84
-#: assets/views/admin_user.py:109 assets/views/asset.py:40
-#: assets/views/asset.py:57 assets/views/asset.py:106 assets/views/asset.py:133
-#: assets/views/asset.py:173 assets/views/asset.py:203
+#: assets/views/admin_user.py:109 assets/views/asset.py:38
+#: assets/views/asset.py:55 assets/views/asset.py:104 assets/views/asset.py:131
+#: assets/views/asset.py:171 assets/views/asset.py:203
 #: assets/views/cmd_filter.py:31 assets/views/cmd_filter.py:48
 #: assets/views/cmd_filter.py:66 assets/views/cmd_filter.py:84
 #: assets/views/cmd_filter.py:104 assets/views/cmd_filter.py:138
@@ -1220,11 +1220,11 @@ msgid "Backend"
 msgstr "后端"
 
 #: assets/serializers/asset_user.py:66 users/forms.py:263
-#: users/models/user.py:354 users/templates/users/first_login.html:42
-#: users/templates/users/user_password_update.html:46
-#: users/templates/users/user_profile.html:68
-#: users/templates/users/user_profile_update.html:43
-#: users/templates/users/user_pubkey_update.html:43
+#: users/models/user.py:357 users/templates/users/first_login.html:42
+#: users/templates/users/user_password_update.html:49
+#: users/templates/users/user_profile.html:69
+#: users/templates/users/user_profile_update.html:46
+#: users/templates/users/user_pubkey_update.html:46
 msgid "Public key"
 msgstr "ssh公钥"
 
@@ -1237,7 +1237,7 @@ msgstr "暂不支持OPENSSH格式的密钥，使用 ssh-keygen -t rsa -m pem生
 msgid "private key invalid"
 msgstr "密钥不合法"
 
-#: assets/serializers/node.py:32
+#: assets/serializers/node.py:33
 msgid "The same level node name cannot be the same"
 msgstr "同级别节点名字不能重复"
 
@@ -1375,7 +1375,7 @@ msgstr "启用MFA"
 msgid "Import assets"
 msgstr "导入资产"
 
-#: assets/templates/assets/_asset_list_modal.html:7 assets/views/asset.py:41
+#: assets/templates/assets/_asset_list_modal.html:7 assets/views/asset.py:39
 #: templates/_nav.html:22 xpack/plugins/change_auth_plan/views.py:116
 msgid "Asset list"
 msgstr "资产列表"
@@ -1395,8 +1395,8 @@ msgstr "请输入密码"
 
 #: assets/templates/assets/_asset_user_auth_update_modal.html:68
 #: assets/templates/assets/asset_detail.html:307
-#: users/templates/users/user_detail.html:307
-#: users/templates/users/user_detail.html:334
+#: users/templates/users/user_detail.html:311
+#: users/templates/users/user_detail.html:338
 #: xpack/plugins/interface/views.py:35
 msgid "Update successfully!"
 msgstr "更新成功"
@@ -1435,11 +1435,11 @@ msgstr "日期"
 msgid "Test datetime: "
 msgstr "测试日期: "
 
-#: assets/templates/assets/_asset_user_list.html:69
+#: assets/templates/assets/_asset_user_list.html:68
 msgid "View"
 msgstr "查看"
 
-#: assets/templates/assets/_asset_user_list.html:71
+#: assets/templates/assets/_asset_user_list.html:70
 #: assets/templates/assets/admin_user_assets.html:61
 #: assets/templates/assets/asset_asset_user_list.html:57
 #: assets/templates/assets/asset_detail.html:178
@@ -1448,7 +1448,7 @@ msgstr "查看"
 msgid "Test"
 msgstr "测试"
 
-#: assets/templates/assets/_asset_user_list.html:72
+#: assets/templates/assets/_asset_user_list.html:71
 #: assets/templates/assets/system_user_assets.html:72
 #: assets/templates/assets/system_user_detail.html:142
 msgid "Push"
@@ -1478,19 +1478,19 @@ msgstr "重命名节点"
 msgid "Delete node"
 msgstr "删除节点"
 
-#: assets/templates/assets/_node_tree.html:154
+#: assets/templates/assets/_node_tree.html:160
 msgid "Create node failed"
 msgstr "创建节点失败"
 
-#: assets/templates/assets/_node_tree.html:166
+#: assets/templates/assets/_node_tree.html:172
 msgid "Have child node, cancel"
 msgstr "存在子节点，不能删除"
 
-#: assets/templates/assets/_node_tree.html:168
+#: assets/templates/assets/_node_tree.html:174
 msgid "Have assets, cancel"
 msgstr "存在资产，不能删除"
 
-#: assets/templates/assets/_node_tree.html:242
+#: assets/templates/assets/_node_tree.html:248
 msgid "Rename success"
 msgstr "重命名成功"
 
@@ -1577,7 +1577,7 @@ msgstr "选择节点"
 
 #: assets/templates/assets/admin_user_detail.html:100
 #: assets/templates/assets/asset_detail.html:207
-#: assets/templates/assets/asset_list.html:387
+#: assets/templates/assets/asset_list.html:386
 #: assets/templates/assets/cmd_filter_detail.html:106
 #: assets/templates/assets/system_user_assets.html:100
 #: assets/templates/assets/system_user_detail.html:182
@@ -1585,10 +1585,10 @@ msgstr "选择节点"
 #: authentication/templates/authentication/_mfa_confirm_modal.html:20
 #: settings/templates/settings/terminal_setting.html:168
 #: templates/_modal.html:23 terminal/templates/terminal/session_detail.html:108
-#: users/templates/users/user_detail.html:388
-#: users/templates/users/user_detail.html:414
-#: users/templates/users/user_detail.html:437
-#: users/templates/users/user_detail.html:482
+#: users/templates/users/user_detail.html:392
+#: users/templates/users/user_detail.html:418
+#: users/templates/users/user_detail.html:441
+#: users/templates/users/user_detail.html:486
 #: users/templates/users/user_group_create_update.html:32
 #: users/templates/users/user_group_list.html:119
 #: users/templates/users/user_list.html:255
@@ -1640,8 +1640,8 @@ msgstr "创建管理用户"
 
 #: assets/templates/assets/admin_user_list.html:162
 #: assets/templates/assets/admin_user_list.html:193
-#: assets/templates/assets/asset_list.html:268
-#: assets/templates/assets/asset_list.html:305
+#: assets/templates/assets/asset_list.html:267
+#: assets/templates/assets/asset_list.html:304
 #: assets/templates/assets/system_user_list.html:192
 #: assets/templates/assets/system_user_list.html:223
 #: users/templates/users/user_group_list.html:163
@@ -1653,7 +1653,7 @@ msgid "Please select file"
 msgstr "选择文件"
 
 #: assets/templates/assets/asset_asset_user_list.html:16
-#: assets/templates/assets/asset_detail.html:23 assets/views/asset.py:58
+#: assets/templates/assets/asset_detail.html:23 assets/views/asset.py:56
 msgid "Asset user list"
 msgstr "资产用户列表"
 
@@ -1664,8 +1664,8 @@ msgstr "资产用户"
 #: assets/templates/assets/asset_asset_user_list.html:47
 #: assets/templates/assets/asset_detail.html:144
 #: terminal/templates/terminal/session_detail.html:81
-#: users/templates/users/user_detail.html:138
-#: users/templates/users/user_profile.html:146
+#: users/templates/users/user_detail.html:140
+#: users/templates/users/user_profile.html:150
 #: xpack/plugins/change_auth_plan/templates/change_auth_plan/plan_detail.html:128
 #: xpack/plugins/license/templates/license/license_detail.html:102
 msgid "Quick modify"
@@ -1691,7 +1691,7 @@ msgstr "硬盘"
 
 #: assets/templates/assets/asset_detail.html:128
 #: users/templates/users/user_detail.html:115
-#: users/templates/users/user_profile.html:104
+#: users/templates/users/user_profile.html:106
 msgid "Date joined"
 msgstr "创建日期"
 
@@ -1703,7 +1703,7 @@ msgstr "创建日期"
 #: perms/templates/perms/remote_app_permission_detail.html:112
 #: terminal/templates/terminal/terminal_list.html:34
 #: users/templates/users/_select_user_modal.html:18
-#: users/templates/users/user_detail.html:144
+#: users/templates/users/user_detail.html:146
 #: users/templates/users/user_profile.html:63
 msgid "Active"
 msgstr "激活中"
@@ -1725,7 +1725,7 @@ msgstr ""
 "左侧是资产树，右击可以新建、删除、更改树节点，授权资产也是以节点方式组织的，"
 "右侧是属于该节点下的资产"
 
-#: assets/templates/assets/asset_list.html:61 assets/views/asset.py:107
+#: assets/templates/assets/asset_list.html:61 assets/views/asset.py:105
 msgid "Create asset"
 msgstr "创建资产"
 
@@ -1757,51 +1757,51 @@ msgstr "禁用所选"
 msgid "Active selected"
 msgstr "激活所选"
 
-#: assets/templates/assets/asset_list.html:191
+#: assets/templates/assets/asset_list.html:190
 msgid "Add assets to node"
 msgstr "添加资产到节点"
 
-#: assets/templates/assets/asset_list.html:192
+#: assets/templates/assets/asset_list.html:191
 msgid "Move assets to node"
 msgstr "移动资产到节点"
 
-#: assets/templates/assets/asset_list.html:194
+#: assets/templates/assets/asset_list.html:193
 msgid "Refresh node hardware info"
 msgstr "更新节点资产硬件信息"
 
-#: assets/templates/assets/asset_list.html:195
+#: assets/templates/assets/asset_list.html:194
 msgid "Test node connective"
 msgstr "测试节点资产可连接性"
 
-#: assets/templates/assets/asset_list.html:197
+#: assets/templates/assets/asset_list.html:196
 msgid "Display only current node assets"
 msgstr "仅显示当前节点资产"
 
-#: assets/templates/assets/asset_list.html:198
+#: assets/templates/assets/asset_list.html:197
 msgid "Displays all child node assets"
 msgstr "显示所有子节点资产"
 
-#: assets/templates/assets/asset_list.html:381
+#: assets/templates/assets/asset_list.html:380
 #: assets/templates/assets/system_user_list.html:133
-#: users/templates/users/user_detail.html:382
-#: users/templates/users/user_detail.html:408
-#: users/templates/users/user_detail.html:476
+#: users/templates/users/user_detail.html:386
+#: users/templates/users/user_detail.html:412
+#: users/templates/users/user_detail.html:480
 #: users/templates/users/user_group_list.html:113
 #: users/templates/users/user_list.html:249
 #: xpack/plugins/interface/templates/interface/interface.html:97
 msgid "Are you sure?"
 msgstr "你确认吗?"
 
-#: assets/templates/assets/asset_list.html:382
+#: assets/templates/assets/asset_list.html:381
 msgid "This will delete the selected assets !!!"
 msgstr "删除选择资产"
 
-#: assets/templates/assets/asset_list.html:385
+#: assets/templates/assets/asset_list.html:384
 #: assets/templates/assets/system_user_list.html:137
 #: settings/templates/settings/terminal_setting.html:166
-#: users/templates/users/user_detail.html:386
-#: users/templates/users/user_detail.html:412
-#: users/templates/users/user_detail.html:480
+#: users/templates/users/user_detail.html:390
+#: users/templates/users/user_detail.html:416
+#: users/templates/users/user_detail.html:484
 #: users/templates/users/user_group_create_update.html:31
 #: users/templates/users/user_group_list.html:117
 #: users/templates/users/user_list.html:253
@@ -1810,16 +1810,16 @@ msgstr "删除选择资产"
 msgid "Cancel"
 msgstr "取消"
 
-#: assets/templates/assets/asset_list.html:398
+#: assets/templates/assets/asset_list.html:397
 msgid "Asset Deleted."
 msgstr "已被删除"
 
-#: assets/templates/assets/asset_list.html:399
-#: assets/templates/assets/asset_list.html:403
+#: assets/templates/assets/asset_list.html:398
+#: assets/templates/assets/asset_list.html:402
 msgid "Asset Delete"
 msgstr "删除"
 
-#: assets/templates/assets/asset_list.html:402
+#: assets/templates/assets/asset_list.html:401
 msgid "Asset Deleting failed."
 msgstr "删除失败"
 
@@ -2024,19 +2024,19 @@ msgstr "管理用户列表"
 msgid "Admin user detail"
 msgstr "管理用户详情"
 
-#: assets/views/asset.py:70 templates/_nav_user.html:4
+#: assets/views/asset.py:68 templates/_nav_user.html:4
 msgid "My assets"
 msgstr "我的资产"
 
-#: assets/views/asset.py:134
+#: assets/views/asset.py:132
 msgid "Update asset"
 msgstr "更新资产"
 
-#: assets/views/asset.py:146
+#: assets/views/asset.py:144
 msgid "Bulk update asset success"
 msgstr "批量更新资产成功"
 
-#: assets/views/asset.py:174
+#: assets/views/asset.py:172
 msgid "Bulk update asset"
 msgstr "批量更新资产"
 
@@ -2131,7 +2131,7 @@ msgstr "文件名"
 #: audits/templates/audits/ftp_log_list.html:76
 #: ops/templates/ops/command_execution_list.html:65
 #: ops/templates/ops/task_list.html:31
-#: users/templates/users/user_detail.html:458
+#: users/templates/users/user_detail.html:462
 #: xpack/plugins/change_auth_plan/templates/change_auth_plan/plan_execution_subtask_list.html:14
 #: xpack/plugins/cloud/api.py:62
 msgid "Success"
@@ -2206,7 +2206,7 @@ msgstr "Agent"
 
 #: audits/models.py:99 audits/templates/audits/login_log_list.html:56
 #: authentication/templates/authentication/_mfa_confirm_modal.html:14
-#: users/forms.py:175 users/models/user.py:346
+#: users/forms.py:175 users/models/user.py:349
 #: users/templates/users/first_login.html:45
 msgid "MFA"
 msgstr "MFA"
@@ -2493,7 +2493,7 @@ msgstr ""
 
 #: authentication/templates/authentication/login_otp.html:46
 #: users/templates/users/user_detail.html:91
-#: users/templates/users/user_profile.html:85
+#: users/templates/users/user_profile.html:87
 msgid "MFA certification"
 msgstr "MFA认证"
 
@@ -2516,7 +2516,7 @@ msgid "Six figures"
 msgstr "6位数字"
 
 #: authentication/templates/authentication/login_otp.html:67
-#: users/templates/users/first_login.html:105
+#: users/templates/users/first_login.html:108
 #: users/templates/users/user_otp_authentication.html:26
 #: users/templates/users/user_otp_enable_bind.html:29
 #: users/templates/users/user_otp_enable_install_app.html:26
@@ -2536,8 +2536,8 @@ msgstr "欢迎回来，请输入用户名和密码登录"
 msgid "Please enable cookies and try again."
 msgstr "设置你的浏览器支持cookie"
 
-#: authentication/views/login.py:172 users/views/user.py:399
-#: users/views/user.py:424
+#: authentication/views/login.py:172 users/views/user.py:386
+#: users/views/user.py:411
 msgid "MFA code invalid, or ntp sync server time"
 msgstr "MFA验证码不正确，或者服务器端时间不对"
 
@@ -2988,23 +2988,23 @@ msgstr "命令执行"
 msgid "Organization"
 msgstr "组织"
 
-#: perms/api/mixin.py:142
+#: perms/api/mixin.py:148
 msgid "ungrouped"
 msgstr "未分组"
 
-#: perms/api/mixin.py:147
+#: perms/api/mixin.py:153
 msgid "empty"
 msgstr "空"
 
 #: perms/forms/asset_permission.py:66 perms/forms/remote_app_permission.py:34
 #: perms/models/asset_permission.py:113 perms/models/base.py:37
-#: perms/templates/perms/asset_permission_list.html:47
-#: perms/templates/perms/asset_permission_list.html:67
-#: perms/templates/perms/asset_permission_list.html:114
+#: perms/templates/perms/asset_permission_list.html:51
+#: perms/templates/perms/asset_permission_list.html:71
+#: perms/templates/perms/asset_permission_list.html:118
 #: perms/templates/perms/remote_app_permission_list.html:16
 #: templates/_nav.html:14 users/forms.py:286 users/models/group.py:26
-#: users/models/user.py:330 users/templates/users/_select_user_modal.html:16
-#: users/templates/users/user_detail.html:213
+#: users/models/user.py:333 users/templates/users/_select_user_modal.html:16
+#: users/templates/users/user_detail.html:217
 #: users/templates/users/user_list.html:38
 #: xpack/plugins/orgs/templates/orgs/org_list.html:15
 msgid "User group"
@@ -3052,8 +3052,8 @@ msgstr "资产授权"
 #: perms/models/asset_permission.py:116 perms/models/base.py:40
 #: perms/templates/perms/asset_permission_detail.html:90
 #: perms/templates/perms/remote_app_permission_detail.html:82
-#: users/models/user.py:362 users/templates/users/user_detail.html:107
-#: users/templates/users/user_profile.html:116
+#: users/models/user.py:365 users/templates/users/user_detail.html:107
+#: users/templates/users/user_profile.html:120
 msgid "Date expired"
 msgstr "失效日期"
 
@@ -3104,7 +3104,7 @@ msgid "Add node to this permission"
 msgstr "添加节点"
 
 #: perms/templates/perms/asset_permission_asset.html:112
-#: users/templates/users/user_detail.html:230
+#: users/templates/users/user_detail.html:234
 #: xpack/plugins/change_auth_plan/templates/change_auth_plan/plan_asset_list.html:121
 msgid "Join"
 msgstr "加入"
@@ -3147,8 +3147,12 @@ msgstr "选择系统用户"
 msgid "Create permission"
 msgstr "创建授权规则"
 
-#: perms/templates/perms/asset_permission_list.html:51
-#: perms/templates/perms/asset_permission_list.html:65
+#: perms/templates/perms/asset_permission_list.html:42
+msgid "Refresh permission cache"
+msgstr "刷新授权缓存"
+
+#: perms/templates/perms/asset_permission_list.html:55
+#: perms/templates/perms/asset_permission_list.html:69
 #: perms/templates/perms/remote_app_permission_list.html:18
 #: users/templates/users/user_list.html:40 xpack/plugins/cloud/models.py:53
 #: xpack/plugins/cloud/templates/cloud/account_detail.html:58
@@ -3156,6 +3160,10 @@ msgstr "创建授权规则"
 msgid "Validity"
 msgstr "有效"
 
+#: perms/templates/perms/asset_permission_list.html:244
+msgid "Refresh success"
+msgstr "刷新成功"
+
 #: perms/templates/perms/asset_permission_user.html:35
 #: perms/templates/perms/remote_app_permission_user.html:34
 msgid "User list of "
@@ -3198,9 +3206,9 @@ msgstr "添加用户"
 msgid "Add user group to this permission"
 msgstr "添加用户组"
 
-#: perms/views/asset_permission.py:33 perms/views/asset_permission.py:64
-#: perms/views/asset_permission.py:81 perms/views/asset_permission.py:98
-#: perms/views/asset_permission.py:135 perms/views/asset_permission.py:169
+#: perms/views/asset_permission.py:34 perms/views/asset_permission.py:65
+#: perms/views/asset_permission.py:82 perms/views/asset_permission.py:99
+#: perms/views/asset_permission.py:136 perms/views/asset_permission.py:173
 #: perms/views/remote_app_permission.py:33
 #: perms/views/remote_app_permission.py:49
 #: perms/views/remote_app_permission.py:66
@@ -3211,27 +3219,27 @@ msgstr "添加用户组"
 msgid "Perms"
 msgstr "权限管理"
 
-#: perms/views/asset_permission.py:34
+#: perms/views/asset_permission.py:35
 msgid "Asset permission list"
 msgstr "资产授权列表"
 
-#: perms/views/asset_permission.py:65
+#: perms/views/asset_permission.py:66
 msgid "Create asset permission"
 msgstr "创建权限规则"
 
-#: perms/views/asset_permission.py:82
+#: perms/views/asset_permission.py:83
 msgid "Update asset permission"
 msgstr "更新资产授权"
 
-#: perms/views/asset_permission.py:99
+#: perms/views/asset_permission.py:100
 msgid "Asset permission detail"
 msgstr "资产授权详情"
 
-#: perms/views/asset_permission.py:136
+#: perms/views/asset_permission.py:137
 msgid "Asset permission user list"
 msgstr "资产授权用户列表"
 
-#: perms/views/asset_permission.py:170
+#: perms/views/asset_permission.py:174
 msgid "Asset permission asset list"
 msgstr "资产授权资产列表"
 
@@ -3598,7 +3606,7 @@ msgid "Please submit the LDAP configuration before import"
 msgstr "请先提交LDAP配置再进行导入"
 
 #: settings/templates/settings/_ldap_list_users_modal.html:39
-#: users/models/user.py:326 users/templates/users/user_detail.html:71
+#: users/models/user.py:329 users/templates/users/user_detail.html:71
 #: users/templates/users/user_profile.html:59
 msgid "Email"
 msgstr "邮件"
@@ -3792,11 +3800,11 @@ msgstr "删除失败"
 msgid "Are you sure about deleting it?"
 msgstr "您确定删除吗?"
 
-#: settings/utils.py:84
+#: settings/utils.py:90
 msgid "Search no entry matched in ou {}"
 msgstr "在ou:{}中没有匹配条目"
 
-#: settings/utils.py:112
+#: settings/utils.py:120
 msgid "The user source is not LDAP"
 msgstr "用户来源不是LDAP"
 
@@ -3837,8 +3845,8 @@ msgstr "商业支持"
 #: users/templates/users/user_password_update.html:40
 #: users/templates/users/user_profile.html:17
 #: users/templates/users/user_profile_update.html:37
-#: users/templates/users/user_profile_update.html:57
-#: users/templates/users/user_pubkey_update.html:37 users/views/user.py:232
+#: users/templates/users/user_profile_update.html:61
+#: users/templates/users/user_pubkey_update.html:37 users/views/user.py:224
 msgid "Profile"
 msgstr "个人信息"
 
@@ -3928,13 +3936,13 @@ msgstr ""
 
 #: templates/_nav.html:10 users/views/group.py:28 users/views/group.py:45
 #: users/views/group.py:63 users/views/group.py:81 users/views/group.py:98
-#: users/views/login.py:154 users/views/user.py:68 users/views/user.py:85
-#: users/views/user.py:129 users/views/user.py:196 users/views/user.py:218
-#: users/views/user.py:270 users/views/user.py:311
+#: users/views/login.py:154 users/views/user.py:60 users/views/user.py:77
+#: users/views/user.py:121 users/views/user.py:188 users/views/user.py:210
+#: users/views/user.py:263 users/views/user.py:298
 msgid "Users"
 msgstr "用户管理"
 
-#: templates/_nav.html:13 users/views/user.py:69
+#: templates/_nav.html:13 users/views/user.py:61
 msgid "User list"
 msgstr "用户列表"
 
@@ -4253,7 +4261,7 @@ msgstr "参数"
 msgid "Export command"
 msgstr "导出命令"
 
-#: terminal/templates/terminal/command_list.html:189
+#: terminal/templates/terminal/command_list.html:191
 msgid "Goto"
 msgstr "转到"
 
@@ -4381,7 +4389,7 @@ msgstr "你没有权限"
 msgid "Could not reset self otp, use profile reset instead"
 msgstr "不能再该页面重置MFA, 请去个人信息页面重置"
 
-#: users/forms.py:33 users/models/user.py:334
+#: users/forms.py:33 users/models/user.py:337
 #: users/templates/users/_select_user_modal.html:15
 #: users/templates/users/user_detail.html:87
 #: users/templates/users/user_list.html:37
@@ -4390,6 +4398,7 @@ msgid "Role"
 msgstr "角色"
 
 #: users/forms.py:36 users/forms.py:233
+#: users/templates/users/user_update.html:30
 msgid "ssh public key"
 msgstr "ssh公钥"
 
@@ -4401,7 +4410,7 @@ msgstr ""
 msgid "Paste user id_rsa.pub here."
 msgstr "复制用户公钥到这里"
 
-#: users/forms.py:52 users/templates/users/user_detail.html:221
+#: users/forms.py:52 users/templates/users/user_detail.html:225
 msgid "Join user groups"
 msgstr "添加到用户组"
 
@@ -4413,7 +4422,7 @@ msgstr "不能和原来的密钥相同"
 msgid "Not a valid ssh public key"
 msgstr "ssh密钥不合法"
 
-#: users/forms.py:104 users/views/login.py:114 users/views/user.py:293
+#: users/forms.py:104 users/views/login.py:114 users/views/user.py:280
 msgid "* Your password does not meet the requirements"
 msgstr "* 您的密码不符合要求"
 
@@ -4435,16 +4444,16 @@ msgstr "密码策略"
 
 #: users/forms.py:160
 msgid ""
-"Tip: when enabled, you will enter the MFA binding process the next time you "
-"log in. you can also directly bind in \"personal information -> quick "
+"When enabled, you will enter the MFA binding process the next time you log "
+"in. you can also directly bind in \"personal information -> quick "
 "modification -> change MFA Settings\"!"
 msgstr ""
-"提示：启用之后您将会在下次登录时进入MFA绑定流程；您也可以在（个人信息->快速修"
-"改->更改MFA设置）中直接绑定!"
+"启用之后您将会在下次登录时进入MFA绑定流程；您也可以在（个人信息->快速修改->更"
+"改MFA设置）中直接绑定！"
 
 #: users/forms.py:170
 msgid "* Enable MFA authentication to make the account more secure."
-msgstr "* 启用MFA认证，使账号更加安全."
+msgstr "* 启用MFA认证，使账号更加安全。"
 
 #: users/forms.py:180
 msgid ""
@@ -4456,8 +4465,8 @@ msgstr ""
 "设置复杂密码，启用MFA认证）"
 
 #: users/forms.py:187 users/templates/users/first_login.html:48
-#: users/templates/users/first_login.html:107
-#: users/templates/users/first_login.html:130
+#: users/templates/users/first_login.html:110
+#: users/templates/users/first_login.html:139
 msgid "Finish"
 msgstr "完成"
 
@@ -4495,56 +4504,56 @@ msgid "Select users"
 msgstr "选择用户"
 
 #: users/models/user.py:50 users/templates/users/user_update.html:22
-#: users/views/login.py:46 users/views/login.py:107 users/views/user.py:283
+#: users/views/login.py:46 users/views/login.py:107
 msgid "User auth from {}, go there change password"
 msgstr "用户认证源来自 {}, 请去相应系统修改密码"
 
-#: users/models/user.py:120 users/models/user.py:447
+#: users/models/user.py:123 users/models/user.py:450
 msgid "Administrator"
 msgstr "管理员"
 
-#: users/models/user.py:122
+#: users/models/user.py:125
 msgid "Application"
 msgstr "应用程序"
 
-#: users/models/user.py:123
+#: users/models/user.py:126
 msgid "Auditor"
 msgstr "审计员"
 
-#: users/models/user.py:281 users/templates/users/user_profile.html:92
-#: users/templates/users/user_profile.html:159
-#: users/templates/users/user_profile.html:162
+#: users/models/user.py:284 users/templates/users/user_profile.html:94
+#: users/templates/users/user_profile.html:163
+#: users/templates/users/user_profile.html:166
 msgid "Disable"
 msgstr "禁用"
 
-#: users/models/user.py:282 users/templates/users/user_profile.html:90
-#: users/templates/users/user_profile.html:166
+#: users/models/user.py:285 users/templates/users/user_profile.html:92
+#: users/templates/users/user_profile.html:170
 msgid "Enable"
 msgstr "启用"
 
-#: users/models/user.py:283 users/templates/users/user_profile.html:88
+#: users/models/user.py:286 users/templates/users/user_profile.html:90
 msgid "Force enable"
 msgstr "强制启用"
 
-#: users/models/user.py:337
+#: users/models/user.py:340
 msgid "Avatar"
 msgstr "头像"
 
-#: users/models/user.py:340 users/templates/users/user_detail.html:82
+#: users/models/user.py:343 users/templates/users/user_detail.html:82
 msgid "Wechat"
 msgstr "微信"
 
-#: users/models/user.py:369 users/templates/users/user_detail.html:103
+#: users/models/user.py:372 users/templates/users/user_detail.html:103
 #: users/templates/users/user_list.html:39
-#: users/templates/users/user_profile.html:100
+#: users/templates/users/user_profile.html:102
 msgid "Source"
 msgstr "用户来源"
 
-#: users/models/user.py:373
+#: users/models/user.py:376
 msgid "Date password last updated"
 msgstr "最后更新密码日期"
 
-#: users/models/user.py:450
+#: users/models/user.py:453
 msgid "Administrator is the super user of system"
 msgstr "Administrator是初始的超级管理员"
 
@@ -4597,7 +4606,7 @@ msgid "Security token validation"
 msgstr "安全令牌验证"
 
 #: users/templates/users/_base_otp.html:44 users/templates/users/_user.html:13
-#: users/templates/users/user_profile_update.html:51
+#: users/templates/users/user_profile_update.html:55
 #: xpack/plugins/cloud/models.py:120
 #: xpack/plugins/cloud/templates/cloud/sync_instance_task_detail.html:57
 #: xpack/plugins/cloud/templates/cloud/sync_instance_task_list.html:13
@@ -4634,7 +4643,7 @@ msgid "Import users"
 msgstr "导入用户"
 
 #: users/templates/users/_user_update_modal.html:4
-#: users/templates/users/user_update.html:4 users/views/user.py:130
+#: users/templates/users/user_update.html:4 users/views/user.py:122
 msgid "Update user"
 msgstr "更新用户"
 
@@ -4655,7 +4664,12 @@ msgstr "我同意条款和条件"
 msgid "Please choose the terms and conditions."
 msgstr "请选择同意条款和条件"
 
-#: users/templates/users/first_login.html:101
+#: users/templates/users/first_login.html:77
+#: users/templates/users/user_update.html:32
+msgid "User auth from {}, ssh key login is not supported"
+msgstr "用户认证源来自 {}, 不支持使用 SSH Key 登录"
+
+#: users/templates/users/first_login.html:104
 msgid "Previous"
 msgstr "上一步"
 
@@ -4707,20 +4721,20 @@ msgid "Always young, always with tears in my eyes. Stay foolish Stay hungry"
 msgstr "永远年轻，永远热泪盈眶 stay foolish stay hungry"
 
 #: users/templates/users/reset_password.html:46
-#: users/templates/users/user_detail.html:373 users/utils.py:88
+#: users/templates/users/user_detail.html:377 users/utils.py:88
 msgid "Reset password"
 msgstr "重置密码"
 
 #: users/templates/users/reset_password.html:59
 #: users/templates/users/user_create.html:13
-#: users/templates/users/user_password_update.html:61
+#: users/templates/users/user_password_update.html:65
 #: users/templates/users/user_update.html:13
 msgid "Your password must satisfy"
 msgstr "您的密码必须满足："
 
 #: users/templates/users/reset_password.html:60
 #: users/templates/users/user_create.html:14
-#: users/templates/users/user_password_update.html:62
+#: users/templates/users/user_password_update.html:66
 #: users/templates/users/user_update.html:14
 msgid "Password strength"
 msgstr "密码强度："
@@ -4731,53 +4745,53 @@ msgstr "再次输入密码"
 
 #: users/templates/users/reset_password.html:105
 #: users/templates/users/user_create.html:33
-#: users/templates/users/user_password_update.html:99
-#: users/templates/users/user_update.html:46
+#: users/templates/users/user_password_update.html:103
+#: users/templates/users/user_update.html:55
 msgid "Very weak"
 msgstr "很弱"
 
 #: users/templates/users/reset_password.html:106
 #: users/templates/users/user_create.html:34
-#: users/templates/users/user_password_update.html:100
-#: users/templates/users/user_update.html:47
+#: users/templates/users/user_password_update.html:104
+#: users/templates/users/user_update.html:56
 msgid "Weak"
 msgstr "弱"
 
 #: users/templates/users/reset_password.html:107
 #: users/templates/users/user_create.html:35
-#: users/templates/users/user_password_update.html:101
-#: users/templates/users/user_update.html:48
+#: users/templates/users/user_password_update.html:105
+#: users/templates/users/user_update.html:57
 msgid "Normal"
 msgstr "正常"
 
 #: users/templates/users/reset_password.html:108
 #: users/templates/users/user_create.html:36
-#: users/templates/users/user_password_update.html:102
-#: users/templates/users/user_update.html:49
+#: users/templates/users/user_password_update.html:106
+#: users/templates/users/user_update.html:58
 msgid "Medium"
 msgstr "一般"
 
 #: users/templates/users/reset_password.html:109
 #: users/templates/users/user_create.html:37
-#: users/templates/users/user_password_update.html:103
-#: users/templates/users/user_update.html:50
+#: users/templates/users/user_password_update.html:107
+#: users/templates/users/user_update.html:59
 msgid "Strong"
 msgstr "强"
 
 #: users/templates/users/reset_password.html:110
 #: users/templates/users/user_create.html:38
-#: users/templates/users/user_password_update.html:104
-#: users/templates/users/user_update.html:51
+#: users/templates/users/user_password_update.html:108
+#: users/templates/users/user_update.html:60
 msgid "Very strong"
 msgstr "很强"
 
 #: users/templates/users/user_create.html:4
-#: users/templates/users/user_list.html:28 users/views/user.py:86
+#: users/templates/users/user_list.html:28 users/views/user.py:78
 msgid "Create user"
 msgstr "创建用户"
 
 #: users/templates/users/user_detail.html:19
-#: users/templates/users/user_granted_asset.html:18 users/views/user.py:197
+#: users/templates/users/user_granted_asset.html:18 users/views/user.py:189
 msgid "User detail"
 msgstr "用户详情"
 
@@ -4793,85 +4807,85 @@ msgid "Force enabled"
 msgstr "强制启用"
 
 #: users/templates/users/user_detail.html:119
-#: users/templates/users/user_profile.html:108
+#: users/templates/users/user_profile.html:110
 msgid "Last login"
 msgstr "最后登录"
 
-#: users/templates/users/user_detail.html:123
-#: users/templates/users/user_profile.html:112
+#: users/templates/users/user_detail.html:124
+#: users/templates/users/user_profile.html:115
 msgid "Last password updated"
 msgstr "最后更新密码"
 
-#: users/templates/users/user_detail.html:158
+#: users/templates/users/user_detail.html:160
 msgid "Force enabled MFA"
 msgstr "强制启用MFA"
 
-#: users/templates/users/user_detail.html:173
+#: users/templates/users/user_detail.html:175
 msgid "Reset MFA"
 msgstr "重置MFA"
 
-#: users/templates/users/user_detail.html:182
+#: users/templates/users/user_detail.html:184
 msgid "Send reset password mail"
 msgstr "发送重置密码邮件"
 
-#: users/templates/users/user_detail.html:185
-#: users/templates/users/user_detail.html:194
+#: users/templates/users/user_detail.html:187
+#: users/templates/users/user_detail.html:197
 msgid "Send"
 msgstr "发送"
 
-#: users/templates/users/user_detail.html:191
+#: users/templates/users/user_detail.html:194
 msgid "Send reset ssh key mail"
 msgstr "发送重置密钥邮件"
 
-#: users/templates/users/user_detail.html:199
-#: users/templates/users/user_detail.html:461
+#: users/templates/users/user_detail.html:203
+#: users/templates/users/user_detail.html:465
 msgid "Unblock user"
 msgstr "解除登录限制"
 
-#: users/templates/users/user_detail.html:202
+#: users/templates/users/user_detail.html:206
 msgid "Unblock"
 msgstr "解除"
 
-#: users/templates/users/user_detail.html:316
+#: users/templates/users/user_detail.html:320
 msgid "Goto profile page enable MFA"
 msgstr "请去个人信息页面启用自己的MFA"
 
-#: users/templates/users/user_detail.html:372
+#: users/templates/users/user_detail.html:376
 msgid "An e-mail has been sent to the user`s mailbox."
 msgstr "已发送邮件到用户邮箱"
 
-#: users/templates/users/user_detail.html:383
+#: users/templates/users/user_detail.html:387
 msgid "This will reset the user password and send a reset mail"
 msgstr "将失效用户当前密码，并发送重设密码邮件到用户邮箱"
 
-#: users/templates/users/user_detail.html:398
+#: users/templates/users/user_detail.html:402
 msgid ""
 "The reset-ssh-public-key E-mail has been sent successfully. Please inform "
 "the user to update his new ssh public key."
 msgstr "重设密钥邮件将会发送到用户邮箱"
 
-#: users/templates/users/user_detail.html:399
+#: users/templates/users/user_detail.html:403
 msgid "Reset SSH public key"
 msgstr "重置SSH密钥"
 
-#: users/templates/users/user_detail.html:409
+#: users/templates/users/user_detail.html:413
 msgid "This will reset the user public key and send a reset mail"
 msgstr "将会失效用户当前密钥，并发送重置邮件到用户邮箱"
 
-#: users/templates/users/user_detail.html:427
+#: users/templates/users/user_detail.html:431
 msgid "Successfully updated the SSH public key."
 msgstr "更新ssh密钥成功"
 
-#: users/templates/users/user_detail.html:428
 #: users/templates/users/user_detail.html:432
+#: users/templates/users/user_detail.html:436
 msgid "User SSH public key update"
 msgstr "ssh密钥"
 
-#: users/templates/users/user_detail.html:477
+#: users/templates/users/user_detail.html:481
 msgid "After unlocking the user, the user can log in normally."
 msgstr "解除用户登录限制后，此用户即可正常登录"
 
-#: users/templates/users/user_detail.html:491
+#: users/templates/users/user_detail.html:495
 msgid "Reset user MFA success"
 msgstr "重置用户MFA成功"
 
@@ -4973,51 +4987,51 @@ msgid ""
 "installed, go to the next step directly)."
 msgstr "安装完成后点击下一步进入绑定页面（如已安装，直接进入下一步"
 
-#: users/templates/users/user_profile.html:95
+#: users/templates/users/user_profile.html:97
 msgid "Administrator Settings force MFA login"
 msgstr "管理员设置强制使用MFA登录"
 
-#: users/templates/users/user_profile.html:120
+#: users/templates/users/user_profile.html:124
 msgid "User groups"
 msgstr "用户组"
 
-#: users/templates/users/user_profile.html:152
+#: users/templates/users/user_profile.html:156
 msgid "Set MFA"
 msgstr "设置MFA"
 
-#: users/templates/users/user_profile.html:174
+#: users/templates/users/user_profile.html:178
 msgid "Update password"
 msgstr "更改密码"
 
-#: users/templates/users/user_profile.html:184
+#: users/templates/users/user_profile.html:188
 msgid "Update MFA"
 msgstr "更改MFA"
 
-#: users/templates/users/user_profile.html:193
+#: users/templates/users/user_profile.html:198
 msgid "Update SSH public key"
 msgstr "更改SSH密钥"
 
-#: users/templates/users/user_profile.html:201
+#: users/templates/users/user_profile.html:206
 msgid "Reset public key and download"
 msgstr "重置并下载SSH密钥"
 
-#: users/templates/users/user_pubkey_update.html:51
+#: users/templates/users/user_pubkey_update.html:55
 msgid "Old public key"
 msgstr "原来ssh密钥"
 
-#: users/templates/users/user_pubkey_update.html:59
+#: users/templates/users/user_pubkey_update.html:63
 msgid "Fingerprint"
 msgstr "指纹"
 
-#: users/templates/users/user_pubkey_update.html:65
+#: users/templates/users/user_pubkey_update.html:69
 msgid "Update public key"
 msgstr "更新密钥"
 
-#: users/templates/users/user_pubkey_update.html:68
+#: users/templates/users/user_pubkey_update.html:72
 msgid "Or reset by server"
 msgstr "或者重置并下载密钥"
 
-#: users/templates/users/user_pubkey_update.html:94
+#: users/templates/users/user_pubkey_update.html:98
 msgid ""
 "The new public key has been set successfully, Please download the "
 "corresponding private key."
@@ -5256,47 +5270,47 @@ msgstr "密码不一致"
 msgid "First login"
 msgstr "首次登录"
 
-#: users/views/user.py:148
+#: users/views/user.py:140
 msgid "Bulk update user success"
 msgstr "批量更新用户成功"
 
-#: users/views/user.py:176
+#: users/views/user.py:168
 msgid "Bulk update user"
 msgstr "批量更新用户"
 
-#: users/views/user.py:219
+#: users/views/user.py:211
 msgid "User granted assets"
 msgstr "用户授权资产"
 
-#: users/views/user.py:252
+#: users/views/user.py:244
 msgid "Profile setting"
 msgstr "个人信息设置"
 
-#: users/views/user.py:271
+#: users/views/user.py:264
 msgid "Password update"
 msgstr "密码更新"
 
-#: users/views/user.py:312
+#: users/views/user.py:299
 msgid "Public key update"
 msgstr "密钥更新"
 
-#: users/views/user.py:354
+#: users/views/user.py:341
 msgid "Password invalid"
 msgstr "用户名或密码无效"
 
-#: users/views/user.py:454
+#: users/views/user.py:441
 msgid "MFA enable success"
 msgstr "MFA 绑定成功"
 
-#: users/views/user.py:455
+#: users/views/user.py:442
 msgid "MFA enable success, return login page"
 msgstr "MFA 绑定成功，返回到登录页面"
 
-#: users/views/user.py:457
+#: users/views/user.py:444
 msgid "MFA disable success"
 msgstr "MFA 解绑成功"
 
-#: users/views/user.py:458
+#: users/views/user.py:445
 msgid "MFA disable success, return login page"
 msgstr "MFA 解绑成功，返回登录页面"
 

apps/perms/api/user_permission.py

@@ -9,13 +9,15 @@ from rest_framework.generics import (
 )
 from rest_framework.pagination import LimitOffsetPagination
 
-from common.permissions import IsValidUser, IsOrgAdminOrAppUser
+from common.permissions import IsValidUser, IsOrgAdminOrAppUser, IsOrgAdmin
 from common.tree import TreeNodeSerializer
 from common.utils import get_logger
 from ..utils import (
     AssetPermissionUtil, ParserNode,
 )
-from .mixin import UserPermissionCacheMixin, GrantAssetsMixin, NodesWithUngroupMixin
+from .mixin import (
+    UserPermissionCacheMixin, GrantAssetsMixin, NodesWithUngroupMixin
+)
 from .. import const
 from ..hands import User, Asset, Node, SystemUser, NodeSerializer
 from .. import serializers
@@ -29,6 +31,7 @@ __all__ = [
     'UserGrantedNodesWithAssetsApi', 'UserGrantedNodeAssetsApi',
     'ValidateUserAssetPermissionApi', 'UserGrantedNodesAsTreeApi',
     'UserGrantedNodesWithAssetsAsTreeApi', 'GetUserAssetPermissionActionsApi',
+    'RefreshAssetPermissionCacheApi'
 ]
 
 
@@ -365,3 +368,12 @@ class GetUserAssetPermissionActionsApi(UserPermissionCacheMixin, RetrieveAPIView
                 actions = asset["system_users"].get(system_id, 0)
                 break
         return {"actions": actions}
+
+
+class RefreshAssetPermissionCacheApi(RetrieveAPIView):
+    permission_classes = (IsOrgAdmin,)
+
+    def retrieve(self, request, *args, **kwargs):
+        # expire all cache
+        AssetPermissionUtil.expire_all_cache()
+        return Response({'msg': True}, status=200)

apps/perms/templates/perms/asset_permission_list.html

@@ -33,10 +33,14 @@
                </div>
            </div>
           <div class="mail-box-header">
-              <div class="uc pull-left m-r-5">
-                   <a class="btn btn-sm btn-primary btn-create-permission">
-                       {% trans "Create permission" %}
-                   </a>
+              <div class="btn-group uc pull-left m-r-5">
+                 <button class="btn btn-sm btn-primary btn-create-permission">
+                     {% trans "Create permission" %}
+                 </button>
+                 <button data-toggle="dropdown" class="btn btn-primary btn-sm dropdown-toggle"><span class="caret"></span></button>
+                 <ul class="dropdown-menu">
+                     <li><a class="refresh-asset-permission-cache" href="#">{% trans 'Refresh permission cache' %}</a></li>
+                 </ul>
               </div>
               <table class="table table-striped table-bordered table-hover" id="permission_list_table" style="width: 100%">
                   <thead>
@@ -232,6 +236,14 @@ $(document).ready(function(){
             .replace('{{ DEFAULT_PK }}', uid);
     objectDelete($this, name, the_url);
 })
+.on('click', '.refresh-asset-permission-cache', function () {
+    var the_url = "{% url 'api-perms:refresh-asset-permission-cache' %}";
+    requestApi({
+        url: the_url,
+        method: 'GET',
+        success_message: "{% trans 'Refresh success' %}"
+    });
+})
 .on('click', '.btn-create-permission', function () {
     var url = "{% url 'perms:asset-permission-create' %}";
     var nodes = zTree.getSelectedNodes();

apps/perms/urls/api_urls.py

@@ -57,6 +57,9 @@ asset_permission_urlpatterns = [
     # 验证用户是否有某个资产和系统用户的权限
     path('asset-permissions/user/validate/', api.ValidateUserAssetPermissionApi.as_view(), name='validate-user-asset-permission'),
     path('asset-permissions/user/actions/', api.GetUserAssetPermissionActionsApi.as_view(), name='get-user-asset-permission-actions'),
+
+    # 刷新缓存
+    path('asset-permissions/user/cache/refresh/', api.RefreshAssetPermissionCacheApi.as_view(), name='refresh-asset-permission-cache'),
 ]
 
 

apps/perms/utils/asset_permission.py

@@ -414,15 +414,12 @@ class AssetPermissionCacheMixin:
         cache.delete_pattern(key)
         self.expire_cache_meta()
 
-    @classmethod
-    def expire_all_cache_meta(cls):
-        key = cls.CACHE_META_KEY_PREFIX + '*'
-        cache.delete_pattern(key)
-
     @classmethod
     def expire_all_cache(cls):
         key = cls.CACHE_KEY_PREFIX + '*'
         cache.delete_pattern(key)
+        meta_key = cls.CACHE_META_KEY_PREFIX + '*'
+        cache.delete_pattern(meta_key)
 
 
 class AssetPermissionUtil(AssetPermissionCacheMixin):

apps/settings/utils.py

@@ -7,6 +7,7 @@ from django.utils.translation import ugettext_lazy as _
 from users.models import User
 from users.utils import construct_user_email
 from common.utils import get_logger
+from common.const import LDAP_AD_ACCOUNT_DISABLE
 
 from .models import settings
 
@@ -70,7 +71,12 @@ class LDAPUtil:
         for attr, mapping in self.attr_map.items():
             if not hasattr(entry, mapping):
                 continue
-            user_item[attr] = getattr(entry, mapping).value or ''
+            value = getattr(entry, mapping).value or ''
+            if mapping.lower() == 'useraccountcontrol' and attr == 'is_active'\
+                    and value:
+                value = int(value) & LDAP_AD_ACCOUNT_DISABLE \
+                        != LDAP_AD_ACCOUNT_DISABLE
+            user_item[attr] = value
         return user_item
 
     def search_user_items(self):
@@ -102,7 +108,9 @@ class LDAPUtil:
             if not hasattr(user, field):
                 continue
             if isinstance(getattr(user, field), bool):
-                value = value.lower() in ['true', 1]
+                if isinstance(value, str):
+                    value = value.lower()
+                value = value in ['true', 1, True]
             setattr(user, field, value)
         user.save()
 

apps/users/forms.py

@@ -157,7 +157,7 @@ UserProfileForm.verbose_name = _("Profile")
 class UserMFAForm(forms.ModelForm):
 
     mfa_description = _(
-        'Tip: when enabled, '
+        'When enabled, '
         'you will enter the MFA binding process the next time you log in. '
         'you can also directly bind in '
         '"personal information -> quick modification -> change MFA Settings"!')

apps/users/models/user.py

@@ -54,6 +54,9 @@ class AuthMixin:
     def can_update_password(self):
         return self.is_local
 
+    def can_update_ssh_key(self):
+        return self.is_local
+
     def check_otp(self, code):
         from ..utils import check_otp_code
         return check_otp_code(self.otp_secret_key, code)

apps/users/templates/users/first_login.html

@@ -73,14 +73,17 @@
                                   <p id="noTerms" class="red-fonts" style="visibility: hidden; font-size: 10px; margin-top: 10px;">* {% trans 'Please choose the terms and conditions.' %}</p>
                               {% endif %}
 
-                              {% bootstrap_form wizard.form %}
+                              {% if wizard.steps.current == '1' and not request.user.can_update_ssh_key %}
+                                  <b id="ssh_key_help_text">{% trans 'User auth from {}, ssh key login is not supported' %}</b>
+                              {% else %}
+                                  {% bootstrap_form wizard.form %}
+                              {% endif %}
 
                               {% if form.mfa_description %}
                                   <b>{{ form.mfa_description }}</b>
                               {% endif %}
 
-                              {% if form.pubkey_description %}
-                                  <span>或者：</span>
+                              {% if form.pubkey_description and request.user.can_update_ssh_key %}
                                   <a type="button" id="btn-reset-pubkey">{{ form.pubkey_description }}</a>
                               {% endif %}
 
@@ -121,26 +124,33 @@
 
 {% block custom_foot_js %}
 <script>
-    $(document).on('click', ".fl_goto", function(){
-        var $form = $('#fl_form');
-        $('<input />', {'name': 'wizard_goto_step', 'value': $(this).data('goto'), 'type': 'hidden'}).appendTo($form);
-        $form.submit();
-        return false;
-    }).on('click', '#fl_submit', function(){
-        var isFinish = $('#fl_submit').html() === "{% trans 'Finish' %}";
-        var noChecked = !$('#acceptTerms').prop('checked');
-        if ( isFinish && noChecked){
-            $('#noTerms').css('visibility', 'visible');
-        }
-        else{
-            $('#fl_form').submit();
-            return false;
-        }
-    }).on('click', '#btn-reset-pubkey', function () {
-        var the_url = '{% url "users:user-pubkey-generate" %}';
-        window.open(the_url, "_blank");
+$(document).ready(function(){
+    var origin_ssh_key_text = $("#ssh_key_help_text").text();
+    var new_ssh_key_text = origin_ssh_key_text.replace('{}', "{{ request.user.source_display }}");
+    $("#ssh_key_help_text").html(new_ssh_key_text)
+})
+.on('click', ".fl_goto", function(){
+    var $form = $('#fl_form');
+    $('<input />', {'name': 'wizard_goto_step', 'value': $(this).data('goto'), 'type': 'hidden'}).appendTo($form);
+    $form.submit();
+    return false;
+})
+.on('click', '#fl_submit', function(){
+    var isFinish = $('#fl_submit').html() === "{% trans 'Finish' %}";
+    var noChecked = !$('#acceptTerms').prop('checked');
+    if ( isFinish && noChecked){
+        $('#noTerms').css('visibility', 'visible');
+    }
+    else{
         $('#fl_form').submit();
-    })
+        return false;
+    }
+})
+.on('click', '#btn-reset-pubkey', function () {
+    var the_url = '{% url "users:user-pubkey-generate" %}';
+    window.open(the_url, "_blank");
+    $('#fl_form').submit();
+})
 
 </script>
 {% endblock %}

apps/users/templates/users/user_detail.html

@@ -119,10 +119,12 @@
                                             <td>{% trans 'Last login' %}:</td>
                                             <td><b>{{ user_object.last_login|date:"Y-m-j H:i:s" }}</b></td>
                                         </tr>
+                                        {% if user_object.can_update_password %}
                                         <tr>
                                             <td>{% trans 'Last password updated' %}:</td>
                                             <td><b>{{ user_object.date_password_last_updated|date:"Y-m-j H:i:s" }}</b></td>
                                         </tr>
+                                        {% endif %}
                                         <tr>
                                             <td>{% trans 'Comment' %}:</td>
                                             <td><b>{{ user_object.comment }}</b></td>
@@ -187,6 +189,7 @@
                                             </td>
                                         </tr>
                                         {% endif %}
+                                        {% if user_object.can_update_ssh_key %}
                                         <tr>
                                             <td>{% trans 'Send reset ssh key mail' %}:</td>
                                             <td>
@@ -195,6 +198,7 @@
                                                 </span>
                                             </td>
                                         </tr>
+                                        {% endif %}
                                         <tr style="{% if not unblock %}display:none{% endif %}">
                                             <td>{% trans 'Unblock user' %}</td>
                                             <td>

apps/users/templates/users/user_password_update.html

@@ -39,12 +39,16 @@
                             <li>
                                 <a href="{% url 'users:user-profile-update' %}" class="text-center">{% trans 'Profile' %} </a>
                             </li>
+                            {% if request.user.can_update_password %}
                             <li class="active">
                                 <a href="{% url 'users:user-password-update' %}" class="text-center">{% trans 'Password' %} </a>
                             </li>
+                            {% endif %}
+                            {% if request.user.can_update_ssh_key %}
                             <li>
                                 <a href="{% url 'users:user-pubkey-update' %}" class="text-center">{% trans 'Public key' %} </a>
                             </li>
+                            {% endif %}
                         </ul>
                     </div>
                     <div class="tab-content" style="background-color: #ffffff">

apps/users/templates/users/user_profile.html

@@ -64,6 +64,7 @@
                                                 <td>{{ user.is_active|yesno:"Yes,No,Unkown" }}</td>
                                             </tr>
 
+                                            {% if user.can_update_ssh_key %}
                                             <tr>
                                                 <td class="text-navy">{% trans 'Public key' %}</td>
                                                 <td>
@@ -81,6 +82,7 @@
                                                     </table>
                                                 </td>
                                             </tr>
+                                            {% endif %}
                                             <tr>
                                                 <td class="text-navy">{% trans 'MFA certification' %}</td>
                                                 <td>
@@ -108,10 +110,12 @@
                                                 <td class="text-navy">{% trans 'Last login' %}</td>
                                                 <td>{{ user.last_login|date:"Y-m-d H:i:s" }}</td>
                                             </tr>
+                                            {% if user.can_update_password %}
                                             <tr>
                                                 <td class="text-navy">{% trans 'Last password updated' %}</td>
                                                 <td>{{ user.date_password_last_updated|date:"Y-m-d H:i:s" }}</td>
                                             </tr>
+                                            {% endif %}
                                             <tr>
                                                 <td class="text-navy">{% trans 'Date expired' %}</td>
                                                 <td>{{ user.date_expired|date:"Y-m-d H:i:s" }}</td>
@@ -189,6 +193,7 @@
                                         </td>
                                     </tr>
                                     {% endif %}
+                                    {% if request.user.can_update_ssh_key %}
                                     <tr>
                                         <td>{% trans 'Update SSH public key' %}:</td>
                                         <td>
@@ -205,6 +210,7 @@
                                             </span>
                                         </td>
                                     </tr>
+                                    {% endif %}
                                     </tbody>
                                 </table>
                             </div>

apps/users/templates/users/user_profile_update.html

@@ -36,12 +36,16 @@
                             <li class="active">
                                 <a href="{% url 'users:user-profile-update' %}" class="text-center">{% trans 'Profile' %} </a>
                             </li>
+                            {% if request.user.can_update_password %}
                             <li>
                                 <a href="{% url 'users:user-password-update' %}" class="text-center">{% trans 'Password' %} </a>
                             </li>
+                            {% endif %}
+                            {% if request.user.can_update_ssh_key %}
                             <li>
                                 <a href="{% url 'users:user-pubkey-update' %}" class="text-center">{% trans 'Public key' %} </a>
                             </li>
+                            {% endif %}
                         </ul>
                     </div>
                     <div class="tab-content" style="background-color: #ffffff">

apps/users/templates/users/user_pubkey_update.html

@@ -36,12 +36,16 @@
                             <li>
                                 <a href="{% url 'users:user-profile-update' %}" class="text-center">{% trans 'Profile' %} </a>
                             </li>
+                            {% if request.user.can_update_password %}
                             <li>
                                 <a href="{% url 'users:user-password-update' %}" class="text-center">{% trans 'Password' %} </a>
                             </li>
+                            {% endif %}
+                            {% if request.user.can_update_ssh_key %}
                             <li class="active">
                                 <a href="{% url 'users:user-pubkey-update' %}" class="text-center">{% trans 'Public key' %} </a>
                             </li>
+                            {% endif %}
                         </ul>
                     </div>
                     <div class="tab-content" style="background-color: #ffffff">

apps/users/templates/users/user_update.html

@@ -23,7 +23,16 @@
         </div>
     </div>
     {% endif %}
+    {% if object.can_update_ssh_key %}
     {% bootstrap_field form.public_key layout="horizontal" %}
+    {% else %}
+        <div class="form-group">
+            <label class="col-sm-2 control-label">{% trans 'ssh public key' %}</label>
+            <div class="col-sm-8 controls" style="margin-top: 8px;" id="ssh_key_help_text">
+                {% trans 'User auth from {}, ssh key login is not supported' %}
+            </div>
+        </div>
+    {% endif %}
 {% endblock %}
 
 {% block custom_foot_js %}
@@ -77,9 +86,13 @@ function passwordCheck() {
 $(document).ready(function(){
     passwordCheck();
 
-    var origin_text = $("#password_help_text").text();
-    var new_text = origin_text.replace('{}', "{{ object.source_display }}");
-    $("#password_help_text").html(new_text);
+    var origin_password_text = $("#password_help_text").text();
+    var new_password_text = origin_password_text.replace('{}', "{{ object.source_display }}");
+    $("#password_help_text").html(new_password_text);
+
+    var origin_ssh_key_text = $("#ssh_key_help_text").text();
+    var new_ssh_key_text = origin_ssh_key_text.replace('{}', "{{ object.source_display }}");
+    $("#ssh_key_help_text").html(new_ssh_key_text)
 
 })
 .on("submit", "form", function (evt) {

apps/users/utils.py

@@ -198,7 +198,7 @@ def check_user_valid(**kwargs):
     if password and authenticate(username=username, password=password):
         return user, ''
 
-    if public_key and user.public_key:
+    if public_key and user.public_key and user.is_local:
         public_key_saved = user.public_key.split()
         if len(public_key_saved) == 1:
             if public_key == public_key_saved[0]:

apps/users/views/user.py

@@ -2,40 +2,32 @@
 
 from __future__ import unicode_literals
 
-import json
-import uuid
-import csv
-import codecs
-import chardet
-from io import StringIO
 
 from django.contrib import messages
-from django.contrib.auth import authenticate, login as auth_login
+from django.contrib.auth import authenticate
 from django.contrib.messages.views import SuccessMessageMixin
 from django.core.cache import cache
 from django.conf import settings
-from django.http import HttpResponse, JsonResponse
+from django.http import HttpResponse
 from django.shortcuts import redirect
 from django.urls import reverse_lazy, reverse
-from django.utils import timezone
 from django.utils.translation import ugettext as _
-from django.utils.decorators import method_decorator
 from django.views import View
 from django.views.generic.base import TemplateView
-from django.db import transaction
 from django.views.generic.edit import (
     CreateView, UpdateView, FormView
 )
 from django.views.generic.detail import DetailView
-from django.views.decorators.csrf import csrf_exempt
 from django.contrib.auth import logout as auth_logout
 
 from common.const import (
     create_success_msg, update_success_msg, KEY_CACHE_RESOURCES_ID
 )
-from common.mixins import JSONResponseMixin
-from common.utils import get_logger, get_object_or_none, is_uuid, ssh_key_gen
-from common.permissions import PermissionsMixin, IsOrgAdmin, IsValidUser
+from common.utils import get_logger, ssh_key_gen
+from common.permissions import (
+    PermissionsMixin, IsOrgAdmin, IsValidUser,
+    UserCanUpdatePassword, UserCanUpdateSSHKey,
+)
 from orgs.utils import current_org
 from .. import forms
 from ..models import User, UserGroup
@@ -260,6 +252,7 @@ class UserPasswordUpdateView(PermissionsMixin, UpdateView):
     model = User
     form_class = forms.UserPasswordForm
     success_url = reverse_lazy('users:user-profile')
+    permission_classes = [IsValidUser, UserCanUpdatePassword]
 
     def get_object(self, queryset=None):
         return self.request.user
@@ -279,12 +272,6 @@ class UserPasswordUpdateView(PermissionsMixin, UpdateView):
         return super().get_success_url()
 
     def form_valid(self, form):
-        if not self.request.user.can_update_password():
-            error = _("User auth from {}, go there change password").format(
-                self.request.source_display
-            )
-            form.add_error("password", error)
-            return self.form_invalid(form)
         password = form.cleaned_data.get('new_password')
         is_ok = check_password_rules(password)
         if not is_ok:
@@ -300,7 +287,7 @@ class UserPublicKeyUpdateView(PermissionsMixin, UpdateView):
     template_name = 'users/user_pubkey_update.html'
     model = User
     form_class = forms.UserPublicKeyForm
-    permission_classes = [IsValidUser]
+    permission_classes = [IsValidUser, UserCanUpdateSSHKey]
     success_url = reverse_lazy('users:user-profile')
 
     def get_object(self, queryset=None):