fix: ansible 密码支持 {{ }} {% %} (#12354)

Co-authored-by: feng <1304903146@qq.com>
2025-11-03 23:47:27 +00:00 · 2023-12-18 17:31:35 +08:00
parent 006faac326
commit 1f2db65dba
5 changed files with 25 additions and 23 deletions
--- a/apps/accounts/automations/change_secret/manager.py
+++ b/apps/accounts/automations/change_secret/manager.py
@@ -139,7 +139,7 @@ class ChangeSecretManager(AccountBasePlaybookManager):
                'name': account.name,
                'username': account.username,
                'secret_type': secret_type,
-                'secret': new_secret,
+                'secret': account.escape_jinja2_syntax(new_secret),
                'private_key_path': private_key_path,
                'become': account.get_ansible_become_auth(),
            }
--- a/apps/accounts/automations/verify_account/manager.py
+++ b/apps/accounts/automations/verify_account/manager.py
@@ -62,7 +62,7 @@ class VerifyAccountManager(AccountBasePlaybookManager):
                'name': account.name,
                'username': account.username,
                'secret_type': account.secret_type,
-                'secret': secret,
+                'secret':  account.escape_jinja2_syntax(secret),
                'private_key_path': private_key_path,
                'become': account.get_ansible_become_auth(),
            }
--- a/apps/accounts/models/account.py
+++ b/apps/accounts/models/account.py
@@ -97,14 +97,13 @@ class Account(AbsConnectivity, LabeledMixin, BaseAccount):
        """ 排除自己和以自己为 su-from 的账号 """
        return self.asset.accounts.exclude(id=self.id).exclude(su_from=self)

-    @staticmethod
-    def make_account_ansible_vars(su_from):
+    def make_account_ansible_vars(self, su_from):
        var = {
            'ansible_user': su_from.username,
        }
        if not su_from.secret:
            return var
-        var['ansible_password'] = su_from.secret
+        var['ansible_password'] = self.escape_jinja2_syntax(su_from.secret)
        var['ansible_ssh_private_key_file'] = su_from.private_key_path
        return var

@@ -121,9 +120,22 @@ class Account(AbsConnectivity, LabeledMixin, BaseAccount):
        auth['ansible_become'] = True
        auth['ansible_become_method'] = become_method
        auth['ansible_become_user'] = self.username
-        auth['ansible_become_password'] = password
+        auth['ansible_become_password'] = self.escape_jinja2_syntax(password)
        return auth

+    @staticmethod
+    def escape_jinja2_syntax(value):
+        if not isinstance(value, str):
+            return value
+
+        value = value.replace('{{', '__TEMP_OPEN_BRACES__') \
+            .replace('}}', '__TEMP_CLOSE_BRACES__')
+
+        value = value.replace('__TEMP_OPEN_BRACES__', '{{ "{{" }}') \
+            .replace('__TEMP_CLOSE_BRACES__', '{{ "}}" }}')
+
+        return value.replace('{%', '{{ "{%" }}').replace('%}', '{{ "%}" }}')
+

 def replace_history_model_with_mixin():
    """
--- a/apps/accounts/utils.py
+++ b/apps/accounts/utils.py
@@ -47,18 +47,7 @@ class SecretGenerator:

 def validate_password_for_ansible(password):
    """ 校验 Ansible 不支持的特殊字符 """
-    # validate password contains left double curly bracket
-    # check password not contains `{{`
-    # Ansible 推送的时候不支持
-    if '{{' in password or '}}' in password:
-        raise serializers.ValidationError(_('Password can not contains `{{` or `}}`'))
-    if '{%' in password or '%}' in password:
-        raise serializers.ValidationError(_('Password can not contains `{%` or `%}`'))
-    # Ansible Windows 推送的时候不支持
-    # if "'" in password:
-    #     raise serializers.ValidationError(_("Password can not contains `'` "))
-    # if '"' in password:
-    #     raise serializers.ValidationError(_('Password can not contains `"` '))
+    pass


 def validate_ssh_key(ssh_key, passphrase=None):
--- a/apps/ops/ansible/inventory.py
+++ b/apps/ops/ansible/inventory.py
@@ -71,8 +71,9 @@ class JMSInventory:
        }
        if not account.secret:
            return var
+
        if account.secret_type == 'password':
-            var['ansible_password'] = account.secret
+            var['ansible_password'] = account.escape_jinja2_syntax(account.secret)
        elif account.secret_type == 'ssh_key':
            var['ansible_ssh_private_key_file'] = account.private_key_path
        return var
@@ -84,7 +85,7 @@ class JMSInventory:
            'custom_become': True,
            'custom_become_method': su_method,
            'custom_become_user': account.su_from.username,
-            'custom_become_password': account.su_from.secret,
+            'custom_become_password': account.escape_jinja2_syntax(account.su_from.secret),
            'custom_become_private_key_path': account.su_from.private_key_path
        }
        return var
@@ -109,7 +110,7 @@ class JMSInventory:
            host.update(self.make_account_ansible_vars(account))
            host['ansible_become'] = True
            host['ansible_become_user'] = 'root'
-            host['ansible_become_password'] = account.secret
+            host['ansible_become_password'] = account.escape_jinja2_syntax(account.secret)
        else:
            host.update(self.make_account_ansible_vars(account))

@@ -173,8 +174,8 @@ class JMSInventory:
            },
            'jms_account': {
                'id': str(account.id), 'username': account.username,
-                'secret': account.secret, 'secret_type': account.secret_type,
-                'private_key_path': account.private_key_path
+                'secret': account.escape_jinja2_syntax(account.secret),
+                'secret_type': account.secret_type, 'private_key_path': account.private_key_path
            } if account else None
        }