feat: Update v3.4.1

fix: 修复远程应用会话无法监控的问题
fix: 修复迁移文件时触发信号记录操作日志导致迁移失败的问题
2025-12-16 09:02:49 +00:00 · 2023-06-21 12:58:19 +08:00 · 2023-06-21 12:05:19 +08:00 · 2023-06-21 11:02:14 +08:00 · 2023-06-20 16:33:43 +08:00 · 2023-06-19 18:23:23 +08:00
906 changed files with 10378 additions and 45917 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -1,4 +1,5 @@
 .git
 logs/*
 data/*
 .github
 tmp/*
--- a/.github/ISSUE_TEMPLATE/----.md
+++ b/.github/ISSUE_TEMPLATE/----.md
@@ -1,35 +1,13 @@
 ---
 name: 需求建议
 about: 提出针对本项目的想法和建议
-title: "[Feature] 需求标题"
+title: "[Feature] "
 labels: 类型:需求
 assignees: 
  - ibuler
  - baijiangjie
 ---
-## 注意
+**请描述您的需求或者改进建议.**
 _针对过于简单的需求描述不予考虑。请确保提供足够的细节和信息以支持功能的开发和实现。_
 ## 功能名称
 [在这里输入功能的名称或标题]
 ## 功能描述
 [在这里描述该功能的详细内容，包括其作用、目的和所需的功能]
 ## 用户故事（可选）
 [如果适用，可以提供用户故事来更好地理解该功能的使用场景和用户期望]
 ## 功能要求
 - [要求1：描述该功能的具体要求，如界面设计、交互逻辑等]
 - [要求2：描述该功能的另一个具体要求]
 - [以此类推，列出所有相关的功能要求]
 ## 示例或原型（可选）
 [如果有的话，提供该功能的示例或原型图以更好地说明功能的实现方式]
 ## 优先级
 [描述该功能的优先级，如高、中、低，或使用数字等其他标识]
 ## 备注（可选）
 [在这里添加任何其他相关信息或备注]
--- a/.github/ISSUE_TEMPLATE/bug---.md
+++ b/.github/ISSUE_TEMPLATE/bug---.md
@@ -1,51 +1,24 @@
 ---
 name: Bug 提交
 about: 提交产品缺陷帮助我们更好的改进
-title: "[Bug] Bug 标题"
+title: "[Bug] "
-labels: 类型:Bug
+labels: 类型:bug
 assignees: 
   - wojiushixiaobai
   - baijiangjie
 ---
-## 注意
+**JumpServer 版本( v2.28 之前的版本不再支持 )**
 **JumpServer 版本( v2.28 之前的版本不再支持 )** <br>
 _针对过于简单的 Bug 描述不予考虑。请确保提供足够的细节和信息以支持 Bug 的复现和修复。_
 ## 当前使用的 JumpServer 版本 (必填)
 [在这里输入当前使用的 JumpServer 的版本号]
 ## 使用的版本类型 (必填)
 - [ ] 社区版
 - [ ] 企业版
 - [ ] 企业试用版
-## 版本安装方式 (必填)
+**浏览器版本**
 - [ ] 在线安装 (一键命令)
 - [ ] 离线安装 (下载离线包)
 - [ ] All-in-One
 - [ ] 1Panel 安装
 - [ ] Kubernetes 安装
 - [ ] 源码安装
 ## Bug 描述 (详细)
 [在这里描述 Bug 的详细情况，包括其影响和出现的具体情况]
-## 复现步骤
+**Bug 描述**
 1. [描述如何复现 Bug 的第一步]
 2. [描述如何复现 Bug 的第二步]
 3. [以此类推，列出所有复现 Bug 所需的步骤]
 ## 期望行为
 [描述 Bug 出现时期望的系统行为或结果]
-## 实际行为
+**Bug 重现步骤(有截图更好)**
-[描述实际上发生了什么，以及 Bug 出现的具体情况]
+1.
-
+2.
-## 系统环境
+3.
 - 操作系统：[例如：Windows 10, macOS Big Sur]
 - 浏览器/应用版本：[如果适用，请提供相关版本信息]
 - 其他相关环境信息：[如果有其他相关环境信息，请在此处提供]
 ## 附加信息（可选）
 [在这里添加任何其他相关信息，如截图、错误信息等]
--- a/.github/ISSUE_TEMPLATE/question.md
+++ b/.github/ISSUE_TEMPLATE/question.md
@@ -1,50 +1,12 @@
 ---
 name: 问题咨询
 about: 提出针对本项目安装部署、使用及其他方面的相关问题
-title: "[Question] 问题标题"
+title: "[Question] "
 labels: 类型:提问
 assignees: 
  - wojiushixiaobai
  - baijiangjie
 ---
 ## 注意
 **请描述您的问题.** <br>
 **JumpServer 版本( v2.28 之前的版本不再支持 )** <br>
 _针对过于简单的 Bug 描述不予考虑。请确保提供足够的细节和信息以支持 Bug 的复现和修复。_
 ## 当前使用的 JumpServer 版本 (必填)
 [在这里输入当前使用的 JumpServer 的版本号]
 ## 使用的版本类型 (必填)
 - [ ] 社区版
 - [ ] 企业版
 - [ ] 企业试用版
 ## 版本安装方式 (必填)
 - [ ] 在线安装 (一键命令)
 - [ ] 离线安装 (下载离线包)
 - [ ] All-in-One
 - [ ] 1Panel 安装
 - [ ] Kubernetes 安装
 - [ ] 源码安装
 ## 问题描述 (详细)
 [在这里描述你遇到的问题]
 ## 背景信息
 - 操作系统：[例如：Windows 10, macOS Big Sur]
 - 浏览器/应用版本：[如果适用，请提供相关版本信息]
 - 其他相关环境信息：[如果有其他相关环境信息，请在此处提供]
 ## 具体问题
 [在这里详细描述你的问题，包括任何相关细节或错误信息]
 ## 尝试过的解决方法
 [如果你已经尝试过解决问题，请在这里列出你已经尝试过的解决方法]
 ## 预期结果
 [描述你期望的解决方案或结果]
 ## 我们的期望
 [描述你希望我们提供的帮助或支持]
 **请描述您的问题.**
--- a/.github/workflows/issue-comment.yml
+++ b/.github/workflows/issue-comment.yml
@@ -21,44 +21,17 @@ jobs:
          actions: 'remove-labels'
          labels: '状态:待反馈'
-  add-label-if-is-member:
+  add-label-if-not-author:
    runs-on: ubuntu-latest
    if: (github.event.issue.user.id != github.event.comment.user.id) && !github.event.issue.pull_request && (github.event.issue.state == 'open')
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2
      - name: Get Organization name
        id: org_name
        run: echo "data=$(echo '${{ github.repository }}' | cut -d '/' -f 1)" >> $GITHUB_OUTPUT
      - name: Get Organization public members
        uses: octokit/request-action@v2.x
        id: members
        with:
          route: GET /orgs/${{ steps.org_name.outputs.data }}/public_members
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Process public members data
        # 将 members 中的数据转化为 login 字段的拼接字符串
        id: member_names
        run: echo "data=$(echo '${{ steps.members.outputs.data }}' | jq '[.[].login] | join(",")')" >> $GITHUB_OUTPUT
      - run: "echo members: '${{ steps.members.outputs.data }}'"
      - run: "echo member names: '${{ steps.member_names.outputs.data }}'"
      - run: "echo comment user: '${{ github.event.comment.user.login }}'"
      - run: "echo contains? : '${{ contains(steps.member_names.outputs.data, github.event.comment.user.login) }}'"
      - name: Add require replay label
        if: contains(steps.member_names.outputs.data, github.event.comment.user.login)
        uses: actions-cool/issues-helper@v2
        with:
          actions: 'add-labels'
          labels: '状态:待反馈'
      - name: Remove require handle label
        if: contains(steps.member_names.outputs.data, github.event.comment.user.login)
        uses: actions-cool/issues-helper@v2
        with:
          actions: 'remove-labels'
--- a/.github/workflows/jms-build-test.yml
+++ b/.github/workflows/jms-build-test.yml
@@ -1,32 +1,26 @@
 name: "Run Build Test"
 on:
  push:
-    paths:
+    branches:
-      - 'Dockerfile'
+      - pr@*
-      - 'Dockerfile-*'
+      - repr@*
      - 'pyproject.toml'
      - 'poetry.lock'
 jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v3
    - uses: docker/setup-qemu-action@v3
    - uses: docker/setup-buildx-action@v3
-    - name: Check Dockerfile
+    - uses: docker/setup-qemu-action@v2
      run: |
        test -f Dockerfile-ce || cp -f Dockerfile Dockerfile-ce
-    - name: Build CE Image
+    - uses: docker/setup-buildx-action@v2
-      uses: docker/build-push-action@v5
+
    - uses: docker/build-push-action@v3
      with:
        context: .
        push: false
-        file: Dockerfile-ce
+        tags: jumpserver/core:test
-        tags: jumpserver/core-ce:test
+        file: Dockerfile
        platforms: linux/amd64
        build-args: |
          APT_MIRROR=http://deb.debian.org
          PIP_MIRROR=https://pypi.org/simple
@@ -34,22 +28,9 @@ jobs:
        cache-from: type=gha
        cache-to: type=gha,mode=max
-    - name: Prepare EE Image
+    - uses: LouisBrunner/checks-action@v1.5.0
-      run: |
+      if: always()
        sed -i 's@^FROM registry.fit2cloud.com@# FROM registry.fit2cloud.com@g' Dockerfile-ee
        sed -i 's@^COPY --from=build-xpack@# COPY --from=build-xpack@g' Dockerfile-ee
    - name: Build EE Image
      uses: docker/build-push-action@v5
      with:
-        context: .
+        token: ${{ secrets.GITHUB_TOKEN }}
-        push: false
+        name: Check Build
-        file: Dockerfile-ee
+        conclusion: ${{ job.status }}
        tags: jumpserver/core-ee:test
        platforms: linux/amd64
        build-args: |
          APT_MIRROR=http://deb.debian.org
          PIP_MIRROR=https://pypi.org/simple
          PIP_JMS_MIRROR=https://pypi.org/simple
        cache-from: type=gha
        cache-to: type=gha,mode=max
--- a/.gitignore
+++ b/.gitignore
@@ -35,6 +35,7 @@ celerybeat-schedule.db
 docs/_build/
 xpack
 xpack.bak
 logs/*
 ### Vagrant ###
 .vagrant/
 release/*
@@ -43,4 +44,3 @@ releashe
 data/*
 test.py
 .history/
 .test/
--- a/105
+++ b/105
@@ -0,0 +1,105 @@
 FROM python:3.9-slim-bullseye as stage-build
 ARG TARGETARCH
 ARG VERSION
 ENV VERSION=$VERSION
 WORKDIR /opt/jumpserver
 ADD . .
 RUN cd utils && bash -ixeu build.sh
 FROM python:3.9-slim-bullseye
 ARG TARGETARCH
 MAINTAINER JumpServer Team <ibuler@qq.com>
 ARG BUILD_DEPENDENCIES="              \
        g++                           \
        make                          \
        pkg-config"
 ARG DEPENDENCIES="                    \
        freetds-dev                   \
        libpq-dev                     \
        libffi-dev                    \
        libjpeg-dev                   \
        libldap2-dev                  \
        libsasl2-dev                  \
        libxml2-dev                   \
        libxmlsec1-dev                \
        libxmlsec1-openssl            \
        freerdp2-dev                  \
        libaio-dev"
 ARG TOOLS="                           \
        ca-certificates               \
        curl                          \
        default-libmysqlclient-dev    \
        default-mysql-client          \
        locales                       \
        openssh-client                \
        procps                        \
        sshpass                       \
        telnet                        \
        unzip                         \
        vim                           \
        git                           \
        wget"
 ARG APT_MIRROR=http://mirrors.ustc.edu.cn
 RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=core \
    sed -i "s@http://.*.debian.org@${APT_MIRROR}@g" /etc/apt/sources.list \
    && rm -f /etc/apt/apt.conf.d/docker-clean \
    && ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
    && apt-get update \
    && apt-get -y install --no-install-recommends ${BUILD_DEPENDENCIES} \
    && apt-get -y install --no-install-recommends ${DEPENDENCIES} \
    && apt-get -y install --no-install-recommends ${TOOLS} \
    && mkdir -p /root/.ssh/ \
    && echo "Host *\n\tStrictHostKeyChecking no\n\tUserKnownHostsFile /dev/null\n\tCiphers +aes128-cbc\n\tKexAlgorithms +diffie-hellman-group1-sha1\n\tHostKeyAlgorithms +ssh-rsa" > /root/.ssh/config \
    && echo "set mouse-=a" > ~/.vimrc \
    && echo "no" | dpkg-reconfigure dash \
    && echo "zh_CN.UTF-8" | dpkg-reconfigure locales \
    && sed -i "s@# export @export @g" ~/.bashrc \
    && sed -i "s@# alias @alias @g" ~/.bashrc \
    && rm -rf /var/lib/apt/lists/*
 ARG DOWNLOAD_URL=https://download.jumpserver.org
 RUN mkdir -p /opt/oracle/ \
    && cd /opt/oracle/ \
    && wget ${DOWNLOAD_URL}/public/instantclient-basiclite-linux.${TARGETARCH}-19.10.0.0.0.zip \
    && unzip instantclient-basiclite-linux.${TARGETARCH}-19.10.0.0.0.zip \
    && sh -c "echo /opt/oracle/instantclient_19_10 > /etc/ld.so.conf.d/oracle-instantclient.conf" \
    && ldconfig \
    && rm -f instantclient-basiclite-linux.${TARGETARCH}-19.10.0.0.0.zip
 WORKDIR /tmp/build
 COPY ./requirements ./requirements
 ARG PIP_MIRROR=https://pypi.douban.com/simple
 ENV PIP_MIRROR=$PIP_MIRROR
 ARG PIP_JMS_MIRROR=https://pypi.douban.com/simple
 ENV PIP_JMS_MIRROR=$PIP_JMS_MIRROR
 RUN --mount=type=cache,target=/root/.cache/pip \
    set -ex \
    && pip config set global.index-url ${PIP_MIRROR} \
    && pip install --upgrade pip \
    && pip install --upgrade setuptools wheel \
    && pip install $(grep -E 'jms|jumpserver' requirements/requirements.txt) -i ${PIP_JMS_MIRROR} \
    && pip install -r requirements/requirements.txt
 COPY --from=stage-build /opt/jumpserver/release/jumpserver /opt/jumpserver
 RUN echo > /opt/jumpserver/config.yml \
    && rm -rf /tmp/build
 WORKDIR /opt/jumpserver
 VOLUME /opt/jumpserver/data
 VOLUME /opt/jumpserver/logs
 ENV LANG=zh_CN.UTF-8
 EXPOSE 8080
 ENTRYPOINT ["./entrypoint.sh"]
--- a/136
+++ b/136
@@ -1,136 +0,0 @@
 FROM python:3.11-slim-bullseye as stage-1
 ARG TARGETARCH
 ARG VERSION
 ENV VERSION=$VERSION
 WORKDIR /opt/jumpserver
 ADD . .
 RUN echo > /opt/jumpserver/config.yml \
    && cd utils && bash -ixeu build.sh
 FROM python:3.11-slim-bullseye as stage-2
 ARG TARGETARCH
 ARG BUILD_DEPENDENCIES="              \
        g++                           \
        make                          \
        pkg-config"
 ARG DEPENDENCIES="                    \
        freetds-dev                   \
        libffi-dev                    \
        libjpeg-dev                   \
        libkrb5-dev                   \
        libldap2-dev                  \
        libpq-dev                     \
        libsasl2-dev                  \
        libssl-dev                    \
        libxml2-dev                   \
        libxmlsec1-dev                \
        libxmlsec1-openssl            \
        freerdp2-dev                  \
        libaio-dev"
 ARG TOOLS="                           \
        ca-certificates               \
        curl                          \
        default-libmysqlclient-dev    \
        default-mysql-client          \
        git                           \
        git-lfs                       \
        unzip                         \
        xz-utils                      \
        wget"
 ARG APT_MIRROR=http://mirrors.ustc.edu.cn
 RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=core-apt \
    --mount=type=cache,target=/var/lib/apt,sharing=locked,id=core-apt \
    sed -i "s@http://.*.debian.org@${APT_MIRROR}@g" /etc/apt/sources.list \
    && rm -f /etc/apt/apt.conf.d/docker-clean \
    && ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
    && apt-get update \
    && apt-get -y install --no-install-recommends ${BUILD_DEPENDENCIES} \
    && apt-get -y install --no-install-recommends ${DEPENDENCIES} \
    && apt-get -y install --no-install-recommends ${TOOLS} \
    && echo "no" | dpkg-reconfigure dash
 WORKDIR /opt/jumpserver
 ARG PIP_MIRROR=https://pypi.tuna.tsinghua.edu.cn/simple
 RUN --mount=type=cache,target=/root/.cache \
    --mount=type=bind,source=poetry.lock,target=/opt/jumpserver/poetry.lock \
    --mount=type=bind,source=pyproject.toml,target=/opt/jumpserver/pyproject.toml \
    set -ex \
    && python3 -m venv /opt/py3 \
    && pip install poetry -i ${PIP_MIRROR} \
    && poetry config virtualenvs.create false \
    && . /opt/py3/bin/activate \
    && poetry install
 FROM python:3.11-slim-bullseye
 ARG TARGETARCH
 ENV LANG=zh_CN.UTF-8 \
    PATH=/opt/py3/bin:$PATH
 ARG DEPENDENCIES="                    \
        libjpeg-dev                   \
        libpq-dev                     \
        libx11-dev                    \
        freerdp2-dev                  \
        libxmlsec1-openssl"
 ARG TOOLS="                           \
        ca-certificates               \
        curl                          \
        default-libmysqlclient-dev    \
        default-mysql-client          \
        iputils-ping                  \
        locales                       \
        netcat-openbsd                \
        nmap                          \
        openssh-client                \
        patch                         \
        sshpass                       \
        telnet                        \
        vim                           \
        wget"
 ARG APT_MIRROR=http://mirrors.ustc.edu.cn
 RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=core-apt \
    --mount=type=cache,target=/var/lib/apt,sharing=locked,id=core-apt \
    sed -i "s@http://.*.debian.org@${APT_MIRROR}@g" /etc/apt/sources.list \
    && rm -f /etc/apt/apt.conf.d/docker-clean \
    && ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
    && apt-get update \
    && apt-get -y install --no-install-recommends ${DEPENDENCIES} \
    && apt-get -y install --no-install-recommends ${TOOLS} \
    && mkdir -p /root/.ssh/ \
    && echo "Host *\n\tStrictHostKeyChecking no\n\tUserKnownHostsFile /dev/null\n\tCiphers +aes128-cbc\n\tKexAlgorithms +diffie-hellman-group1-sha1\n\tHostKeyAlgorithms +ssh-rsa" > /root/.ssh/config \
    && echo "no" | dpkg-reconfigure dash \
    && echo "zh_CN.UTF-8" | dpkg-reconfigure locales \
    && sed -i "s@# export @export @g" ~/.bashrc \
    && sed -i "s@# alias @alias @g" ~/.bashrc
 ARG RECEPTOR_VERSION=v1.4.5
 RUN set -ex \
    && wget -O /opt/receptor.tar.gz https://github.com/ansible/receptor/releases/download/${RECEPTOR_VERSION}/receptor_${RECEPTOR_VERSION/v/}_linux_${TARGETARCH}.tar.gz \
    && tar -xf /opt/receptor.tar.gz -C /usr/local/bin/ \
    && chown root:root /usr/local/bin/receptor \
    && chmod 755 /usr/local/bin/receptor \
    && rm -f /opt/receptor.tar.gz
 COPY --from=stage-2 /opt/py3 /opt/py3
 COPY --from=stage-1 /opt/jumpserver/release/jumpserver /opt/jumpserver
 COPY --from=stage-1 /opt/jumpserver/release/jumpserver/apps/libs/ansible/ansible.cfg /etc/ansible/
 WORKDIR /opt/jumpserver
 ARG VERSION
 ENV VERSION=$VERSION
 VOLUME /opt/jumpserver/data
 EXPOSE 8080
 ENTRYPOINT ["./entrypoint.sh"]
--- a/9
+++ b/9
@@ -1,5 +1,10 @@
 ARG VERSION
 FROM registry.fit2cloud.com/jumpserver/xpack:${VERSION} as build-xpack
-FROM registry.fit2cloud.com/jumpserver/core-ce:${VERSION}
+FROM jumpserver/core:${VERSION}
 COPY --from=build-xpack /opt/xpack /opt/jumpserver/apps/xpack
 WORKDIR /opt/jumpserver
 RUN --mount=type=cache,target=/root/.cache/pip \
    set -ex \
    && pip install -r requirements/requirements_xpack.txt
--- a/Dockerfile.loong64
+++ b/Dockerfile.loong64
@@ -0,0 +1,97 @@
 FROM python:3.9-slim-buster as stage-build
 ARG TARGETARCH
 ARG VERSION
 ENV VERSION=$VERSION
 WORKDIR /opt/jumpserver
 ADD . .
 RUN cd utils && bash -ixeu build.sh
 FROM python:3.9-slim-buster
 ARG TARGETARCH
 MAINTAINER JumpServer Team <ibuler@qq.com>
 ARG BUILD_DEPENDENCIES="              \
        g++                           \
        make                          \
        pkg-config"
 ARG DEPENDENCIES="                    \
        freetds-dev                   \
        libpq-dev                     \
        libffi-dev                    \
        libjpeg-dev                   \
        libldap2-dev                  \
        libsasl2-dev                  \
        libssl-dev                    \
        libxml2-dev                   \
        libxmlsec1-dev                \
        libxmlsec1-openssl            \
        freerdp2-dev                  \
        libaio-dev"
 ARG TOOLS="                           \
        ca-certificates               \
        curl                          \
        default-libmysqlclient-dev    \
        default-mysql-client          \
        locales                       \
        openssh-client                \
        procps                        \
        sshpass                       \
        telnet                        \
        unzip                         \
        vim                           \
        git                           \
        wget"
 RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=core \
    set -ex \
    && ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
    && apt-get update \
    && apt-get -y install --no-install-recommends ${BUILD_DEPENDENCIES} \
    && apt-get -y install --no-install-recommends ${DEPENDENCIES} \
    && apt-get -y install --no-install-recommends ${TOOLS} \
    && mkdir -p /root/.ssh/ \
    && echo "Host *\n\tStrictHostKeyChecking no\n\tUserKnownHostsFile /dev/null\n\tCiphers +aes128-cbc\n\tKexAlgorithms +diffie-hellman-group1-sha1\n\tHostKeyAlgorithms +ssh-rsa" > /root/.ssh/config \
    && echo "set mouse-=a" > ~/.vimrc \
    && echo "no" | dpkg-reconfigure dash \
    && echo "zh_CN.UTF-8" | dpkg-reconfigure locales \
    && sed -i "s@# export @export @g" ~/.bashrc \
    && sed -i "s@# alias @alias @g" ~/.bashrc \
    && rm -rf /var/lib/apt/lists/*
 WORKDIR /tmp/build
 COPY ./requirements ./requirements
 ARG PIP_MIRROR=https://pypi.douban.com/simple
 ENV PIP_MIRROR=$PIP_MIRROR
 ARG PIP_JMS_MIRROR=https://pypi.douban.com/simple
 ENV PIP_JMS_MIRROR=$PIP_JMS_MIRROR
 RUN --mount=type=cache,target=/root/.cache/pip \
    set -ex \
    && pip config set global.index-url ${PIP_MIRROR} \
    && pip install --upgrade pip \
    && pip install --upgrade setuptools wheel \
    && pip install https://download.jumpserver.org/pypi/simple/cryptography/cryptography-38.0.4-cp39-cp39-linux_loongarch64.whl \
    && pip install https://download.jumpserver.org/pypi/simple/greenlet/greenlet-1.1.2-cp39-cp39-linux_loongarch64.whl \
    && pip install https://download.jumpserver.org/pypi/simple/PyNaCl/PyNaCl-1.5.0-cp39-cp39-linux_loongarch64.whl \
    && pip install https://download.jumpserver.org/pypi/simple/grpcio/grpcio-1.54.2-cp39-cp39-linux_loongarch64.whl \
    && pip install $(grep -E 'jms|jumpserver' requirements/requirements.txt) -i ${PIP_JMS_MIRROR} \
    && pip install -r requirements/requirements.txt
 COPY --from=stage-build /opt/jumpserver/release/jumpserver /opt/jumpserver
 RUN echo > /opt/jumpserver/config.yml \
    && rm -rf /tmp/build
 WORKDIR /opt/jumpserver
 VOLUME /opt/jumpserver/data
 VOLUME /opt/jumpserver/logs
 ENV LANG=zh_CN.UTF-8
 EXPOSE 8080
 ENTRYPOINT ["./entrypoint.sh"]
--- a/1
+++ b/1
@@ -0,0 +1 @@
 13d895b22e95b5ec6e5a32b5d9461ec9f8b6b939
--- a/README.md
+++ b/README.md
@@ -12,20 +12,23 @@
 <p align="center">
    JumpServer <a href="https://github.com/jumpserver/jumpserver/releases/tag/v3.0.0">v3.0</a> 正式发布。
    <br>
    9 年时间，倾情投入，用心做好一款开源堡垒机。
 </p>
------------------------------
+|                                                  :warning: 注意 :warning:                                                   |
-JumpServer 是广受欢迎的开源堡垒机，是符合 4A 规范的专业运维安全审计系统。
+|:-------------------------------------------------------------------------------------------------------------------------:|
 | 3.0 架构上和 2.0 变化较大，建议全新安装一套环境来体验。如需升级，请务必升级前进行备份，并[查阅文档](https://kb.fit2cloud.com/?p=06638d69-f109-4333-b5bf-65b17b297ed9) |
-JumpServer 堡垒机帮助企业以更安全的方式管控和登录各种类型的资产，包括：
+--------------------------
 JumpServer 是广受欢迎的开源堡垒机，是符合 4A 规范的专业运维安全审计系统。JumpServer 堡垒机帮助企业以更安全的方式管控和登录各种类型的资产，包括：
 - **SSH**: Linux / Unix / 网络设备 等；
 - **Windows**: Web 方式连接 / 原生 RDP 连接；
- **数据库**: MySQL / MariaDB / PostgreSQL / Oracle / SQLServer / ClickHouse 等；
+- **数据库**: MySQL / Oracle / SQLServer / PostgreSQL 等；
- **NoSQL**: Redis / MongoDB 等；
+- **Kubernetes**: 支持连接到 K8s 集群中的 Pods；
 - **GPT**: ChatGPT 等;
 - **云服务**: Kubernetes / VMware vSphere 等;
 - **Web 站点**: 各类系统的 Web 管理后台；
 - **应用**: 通过 Remote App 连接各类应用。
@@ -61,7 +64,6 @@ JumpServer 堡垒机帮助企业以更安全的方式管控和登录各种类型
 ## 案例研究
 - [腾讯音乐娱乐集团：基于JumpServer的安全运维审计解决方案](https://blog.fit2cloud.com/?p=a04cdf0d-6704-4d18-9b40-9180baecd0e2)
 - [腾讯海外游戏：基于JumpServer构建游戏安全运营能力](https://blog.fit2cloud.com/?p=3704)
 - [万华化学：通过JumpServer管理全球化分布式IT资产，并且实现与云管平台的联动](https://blog.fit2cloud.com/?p=3504)
 - [雪花啤酒：JumpServer堡垒机使用体会](https://blog.fit2cloud.com/?p=3412)
@@ -79,29 +81,29 @@ JumpServer 堡垒机帮助企业以更安全的方式管控和登录各种类型
 如果您在使用过程中有任何疑问或对建议，欢迎提交 [GitHub Issue](https://github.com/jumpserver/jumpserver/issues/new/choose)。
-您也可以到我们的 [社区论坛](https://bbs.fit2cloud.com/c/js/5) 当中进行交流沟通。
+您也可以到我们的 [社区论坛](https://bbs.fit2cloud.com/c/js/5) 及微信交流群当中进行交流沟通。
 **微信交流群**
 <img src="https://download.jumpserver.org/images/wecom-group.jpeg" alt="微信群二维码" width="200"/>
 ### 参与贡献
-欢迎提交 PR 参与贡献。 参考 [CONTRIBUTING.md](https://github.com/jumpserver/jumpserver/blob/dev/CONTRIBUTING.md)
+欢迎提交 PR 参与贡献。感谢以下贡献者，他们让 JumpServer 变的越来越好。
 <a href="https://github.com/jumpserver/jumpserver/graphs/contributors"><img src="https://opencollective.com/jumpserver/contributors.svg?width=890&button=false" /></a>
 ## 组件项目
-| 项目                                                     | 状态                                                                                                                                                                     | 描述                                                                                |
+| 项目                                                     | 状态                                                                                                                                                                     | 描述                                                                                      |
-|--------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------|
+|--------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------|
-| [Lina](https://github.com/jumpserver/lina)             | <a href="https://github.com/jumpserver/lina/releases"><img alt="Lina release" src="https://img.shields.io/github/release/jumpserver/lina.svg" /></a>                   | JumpServer Web UI 项目                                                              |
+| [Lina](https://github.com/jumpserver/lina)             | <a href="https://github.com/jumpserver/lina/releases"><img alt="Lina release" src="https://img.shields.io/github/release/jumpserver/lina.svg" /></a>                   | JumpServer Web UI 项目                                                                    |
-| [Luna](https://github.com/jumpserver/luna)             | <a href="https://github.com/jumpserver/luna/releases"><img alt="Luna release" src="https://img.shields.io/github/release/jumpserver/luna.svg" /></a>                   | JumpServer Web Terminal 项目                                                        |
+| [Luna](https://github.com/jumpserver/luna)             | <a href="https://github.com/jumpserver/luna/releases"><img alt="Luna release" src="https://img.shields.io/github/release/jumpserver/luna.svg" /></a>                   | JumpServer Web Terminal 项目                                                              |
-| [KoKo](https://github.com/jumpserver/koko)             | <a href="https://github.com/jumpserver/koko/releases"><img alt="Koko release" src="https://img.shields.io/github/release/jumpserver/koko.svg" /></a>                   | JumpServer 字符协议 Connector 项目                                                      |
+| [KoKo](https://github.com/jumpserver/koko)             | <a href="https://github.com/jumpserver/koko/releases"><img alt="Koko release" src="https://img.shields.io/github/release/jumpserver/koko.svg" /></a>                   | JumpServer 字符协议 Connector 项目，替代原来 Python 版本的 [Coco](https://github.com/jumpserver/coco) |
-| [Lion](https://github.com/jumpserver/lion-release)     | <a href="https://github.com/jumpserver/lion-release/releases"><img alt="Lion release" src="https://img.shields.io/github/release/jumpserver/lion-release.svg" /></a>   | JumpServer 图形协议 Connector 项目，依赖 [Apache Guacamole](https://guacamole.apache.org/) |
+| [Lion](https://github.com/jumpserver/lion-release)     | <a href="https://github.com/jumpserver/lion-release/releases"><img alt="Lion release" src="https://img.shields.io/github/release/jumpserver/lion-release.svg" /></a>   | JumpServer 图形协议 Connector 项目，依赖 [Apache Guacamole](https://guacamole.apache.org/)       |
-| [Razor](https://github.com/jumpserver/razor)           | <img alt="Chen" src="https://img.shields.io/badge/release-私有发布-red" />                                                                                                 | JumpServer RDP 代理 Connector 项目                                                    |
+| [Magnus](https://github.com/jumpserver/magnus-release) | <a href="https://github.com/jumpserver/magnus-release/releases"><img alt="Magnus release" src="https://img.shields.io/github/release/jumpserver/magnus-release.svg" /> | JumpServer 数据库代理 Connector 项目                                                           |
-| [Tinker](https://github.com/jumpserver/tinker)         | <img alt="Tinker" src="https://img.shields.io/badge/release-私有发布-red" />                                                                                               | JumpServer 远程应用 Connector 项目 (Windows)                                                      |
+| [Clients](https://github.com/jumpserver/clients)       | <a href="https://github.com/jumpserver/clients/releases"><img alt="Clients release" src="https://img.shields.io/github/release/jumpserver/clients.svg" />              | JumpServer 客户端 项目                                                                       |
-| [Panda](https://github.com/jumpserver/Panda)         | <img alt="Panda" src="https://img.shields.io/badge/release-私有发布-red" />                                                                                               | JumpServer 远程应用 Connector 项目 (Linux)                                                      |
+| [Installer](https://github.com/jumpserver/installer)   | <a href="https://github.com/jumpserver/installer/releases"><img alt="Installer release" src="https://img.shields.io/github/release/jumpserver/installer.svg" />        | JumpServer 安装包 项目                                                                       |
 | [Magnus](https://github.com/jumpserver/magnus-release) | <a href="https://github.com/jumpserver/magnus-release/releases"><img alt="Magnus release" src="https://img.shields.io/github/release/jumpserver/magnus-release.svg" /> | JumpServer 数据库代理 Connector 项目                                                     |
 | [Chen](https://github.com/jumpserver/chen-release)     | <a href="https://github.com/jumpserver/chen-release/releases"><img alt="Chen release" src="https://img.shields.io/github/release/jumpserver/chen-release.svg" />       | JumpServer Web DB 项目，替代原来的 OmniDB                                                 |
 | [Kael](https://github.com/jumpserver/kael)             | <a href="https://github.com/jumpserver/kael/releases"><img alt="Kael release" src="https://img.shields.io/github/release/jumpserver/kael.svg" />                       | JumpServer 连接 GPT 资产的组件项目                                                         |
 | [Wisp](https://github.com/jumpserver/wisp)             | <a href="https://github.com/jumpserver/wisp/releases"><img alt="Magnus release" src="https://img.shields.io/github/release/jumpserver/wisp.svg" />                     | JumpServer 各系统终端组件和 Core API 通信的组件项目                                              |
 | [Clients](https://github.com/jumpserver/clients)       | <a href="https://github.com/jumpserver/clients/releases"><img alt="Clients release" src="https://img.shields.io/github/release/jumpserver/clients.svg" />              | JumpServer 客户端 项目                                                                 |
 | [Installer](https://github.com/jumpserver/installer)   | <a href="https://github.com/jumpserver/installer/releases"><img alt="Installer release" src="https://img.shields.io/github/release/jumpserver/installer.svg" />        | JumpServer 安装包 项目                                                                 |
 ## 安全说明
@@ -111,9 +113,14 @@ JumpServer是一款安全产品，请参考 [基本安全建议](https://docs.ju
 - 邮箱：support@fit2cloud.com
 - 电话：400-052-0755
 ## 致谢开源
 - [Apache Guacamole](https://guacamole.apache.org/)： Web 页面连接 RDP、SSH、VNC 等协议资产，JumpServer Lion 组件使用到该项目；
 - [OmniDB](https://omnidb.org/)： Web 页面连接使用数据库，JumpServer Web 数据库组件使用到该项目。
 ## License & Copyright
-Copyright (c) 2014-2024 飞致云 FIT2CLOUD, All rights reserved.
+Copyright (c) 2014-2023 飞致云 FIT2CLOUD, All rights reserved.
 Licensed under The GNU General Public License version 3 (GPLv3)  (the "License"); you may not use this file except in
 compliance with the License. You may obtain a copy of the License at
--- a/README_EN.md
+++ b/README_EN.md
@@ -85,7 +85,7 @@ If you find a security problem, please contact us directly：
 - 400-052-0755
 ### License & Copyright
-Copyright (c) 2014-2024 FIT2CLOUD Tech, Inc., All rights reserved.
+Copyright (c) 2014-2022 FIT2CLOUD Tech, Inc., All rights reserved.
 Licensed under The GNU General Public License version 3 (GPLv3)  (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
--- a/apps/accounts/api/account/init.py
+++ b/apps/accounts/api/account/init.py
@@ -1,4 +1,3 @@
 from .account import *
 from .task import *
 from .template import *
 from .virtual import *
--- a/apps/accounts/api/account/account.py
+++ b/apps/accounts/api/account/account.py
@@ -6,12 +6,11 @@ from rest_framework.status import HTTP_200_OK
 from accounts import serializers
 from accounts.filters import AccountFilterSet
 from accounts.mixins import AccountRecordViewLogMixin
 from accounts.models import Account
 from assets.models import Asset, Node
-from authentication.permissions import UserConfirmation, ConfirmType
+from common.api import ExtraFilterFieldsMixin
-from common.api.mixin import ExtraFilterFieldsMixin
+from common.permissions import UserConfirmation, ConfirmType, IsValidUser
-from common.permissions import IsValidUser
+from common.views.mixins import RecordViewLogMixin
 from orgs.mixins.api import OrgBulkModelViewSet
 from rbac.permissions import RBACPermission
@@ -23,11 +22,10 @@ __all__ = [
 class AccountViewSet(OrgBulkModelViewSet):
    model = Account
-    search_fields = ('username', 'name', 'asset__name', 'asset__address', 'comment')
+    search_fields = ('username', 'name', 'asset__name', 'asset__address')
    filterset_class = AccountFilterSet
    serializer_classes = {
        'default': serializers.AccountSerializer,
        'retrieve': serializers.AccountDetailSerializer,
    }
    rbac_perms = {
        'partial_update': ['accounts.change_account'],
@@ -54,23 +52,22 @@ class AccountViewSet(OrgBulkModelViewSet):
        return Response(data=serializer.data)
    @action(
-        methods=['post'], detail=False, url_path='username-suggestions',
+        methods=['get'], detail=False, url_path='username-suggestions',
        permission_classes=[IsValidUser]
    )
    def username_suggestions(self, request, *args, **kwargs):
-        asset_ids = request.data.get('assets', [])
+        asset_ids = request.query_params.get('assets')
-        node_ids = request.data.get('nodes', [])
+        node_keys = request.query_params.get('keys')
-        username = request.data.get('username', '')
+        username = request.query_params.get('username')
        accounts = Account.objects.all()
        if node_ids:
            nodes = Node.objects.filter(id__in=node_ids)
            node_asset_ids = Node.get_nodes_all_assets(*nodes).values_list('id', flat=True)
            asset_ids.extend(node_asset_ids)
        assets = Asset.objects.all()
        if asset_ids:
-            accounts = accounts.filter(asset_id__in=list(set(asset_ids)))
+            assets = assets.filter(id__in=asset_ids.split(','))
        if node_keys:
            patten = Node.get_node_all_children_key_pattern(node_keys.split(','))
            assets = assets.filter(nodes__key__regex=patten)
        accounts = Account.objects.filter(asset__in=assets)
        if username:
            accounts = accounts.filter(username__icontains=username)
        usernames = list(accounts.values_list('username', flat=True).distinct()[:10])
@@ -87,7 +84,7 @@ class AccountViewSet(OrgBulkModelViewSet):
        return Response(status=HTTP_200_OK)
-class AccountSecretsViewSet(AccountRecordViewLogMixin, AccountViewSet):
+class AccountSecretsViewSet(RecordViewLogMixin, AccountViewSet):
    """
    因为可能要导出所有账号，所以单独建立了一个 viewset
    """
@@ -116,7 +113,7 @@ class AssetAccountBulkCreateApi(CreateAPIView):
        return Response(data=serializer.data, status=HTTP_200_OK)
-class AccountHistoriesSecretAPI(ExtraFilterFieldsMixin, AccountRecordViewLogMixin, ListAPIView):
+class AccountHistoriesSecretAPI(ExtraFilterFieldsMixin, RecordViewLogMixin, ListAPIView):
    model = Account.history.model
    serializer_class = serializers.AccountHistorySerializer
    http_method_names = ['get', 'options']
@@ -135,12 +132,11 @@ class AccountHistoriesSecretAPI(ExtraFilterFieldsMixin, AccountRecordViewLogMixi
    def get_queryset(self):
        account = self.get_object()
        histories = account.history.all()
-        latest_history = account.history.first()
+        last_history = account.history.first()
-        if not latest_history:
+        if not last_history:
            return histories
-        if account.secret != latest_history.secret:
+
-            return histories
+        if account.secret == last_history.secret \
-        if account.secret_type != latest_history.secret_type:
+                and account.secret_type == last_history.secret_type:
-            return histories
+            histories = histories.exclude(history_id=last_history.history_id)
        histories = histories.exclude(history_id=latest_history.history_id)
        return histories
--- a/apps/accounts/api/account/task.py
+++ b/apps/accounts/api/account/task.py
@@ -1,13 +1,9 @@
 from django.db.models import Q
 from rest_framework.generics import CreateAPIView
 from rest_framework.response import Response
 from accounts import serializers
-from accounts.models import Account
+from accounts.tasks import verify_accounts_connectivity_task, push_accounts_to_assets_task
-from accounts.permissions import AccountTaskActionPermission
+from assets.exceptions import NotSupportedTemporarilyError
 from accounts.tasks import (
    remove_accounts_task, verify_accounts_connectivity_task, push_accounts_to_assets_task
 )
 from authentication.permissions import UserConfirmation, ConfirmType
 __all__ = [
    'AccountsTaskCreateAPI',
@@ -16,48 +12,38 @@ __all__ = [
 class AccountsTaskCreateAPI(CreateAPIView):
    serializer_class = serializers.AccountTaskSerializer
    permission_classes = (AccountTaskActionPermission,)
-    def get_permissions(self):
+    def check_permissions(self, request):
-        act = self.request.data.get('action')
+        act = request.data.get('action')
-        if act == 'remove':
+        if act == 'push':
-            self.permission_classes = [
+            code = 'accounts.push_account'
-                AccountTaskActionPermission,
+        else:
-                UserConfirmation.require(ConfirmType.PASSWORD)
+            code = 'accounts.verify_account'
-            ]
+        return request.user.has_perm(code)
        return super().get_permissions()
    @staticmethod
    def get_account_ids(data, action):
        account_type = 'gather_accounts' if action == 'remove' else 'accounts'
        accounts = data.get(account_type, [])
        account_ids = [str(a.id) for a in accounts]
        if action == 'remove':
            return account_ids
        assets = data.get('assets', [])
        asset_ids = [str(a.id) for a in assets]
        ids = Account.objects.filter(
            Q(id__in=account_ids) | Q(asset_id__in=asset_ids)
        ).distinct().values_list('id', flat=True)
        return [str(_id) for _id in ids]
    def perform_create(self, serializer):
        data = serializer.validated_data
-        action = data['action']
+        accounts = data.get('accounts', [])
-        ids = self.get_account_ids(data, action)
+        params = data.get('params')
        account_ids = [str(a.id) for a in accounts]
-        if action == 'push':
+        if data['action'] == 'push':
-            task = push_accounts_to_assets_task.delay(ids, data.get('params'))
+            task = push_accounts_to_assets_task.delay(account_ids, params)
        elif action == 'remove':
            task = remove_accounts_task.delay(ids)
        elif action == 'verify':
            task = verify_accounts_connectivity_task.delay(ids)
        else:
-            raise ValueError(f"Invalid action: {action}")
+            account = accounts[0]
            asset = account.asset
            if not asset.auto_config['ansible_enabled'] or \
                    not asset.auto_config['ping_enabled']:
                raise NotSupportedTemporarilyError()
            task = verify_accounts_connectivity_task.delay(account_ids)
        data = getattr(serializer, '_data', {})
        data["task"] = task.id
        setattr(serializer, '_data', data)
        return task
    def get_exception_handler(self):
        def handler(e, context):
            return Response({"error": str(e)}, status=400)
        return handler
--- a/apps/accounts/api/account/template.py
+++ b/apps/accounts/api/account/template.py
@@ -1,15 +1,13 @@
 from django_filters import rest_framework as drf_filters
 from rest_framework import status
 from rest_framework.decorators import action
 from rest_framework.response import Response
 from accounts import serializers
 from accounts.mixins import AccountRecordViewLogMixin
 from accounts.models import AccountTemplate
 from accounts.tasks import template_sync_related_accounts
 from assets.const import Protocol
 from authentication.permissions import UserConfirmation, ConfirmType
 from common.drf.filters import BaseFilterSet
 from common.permissions import UserConfirmation, ConfirmType
 from common.views.mixins import RecordViewLogMixin
 from orgs.mixins.api import OrgBulkModelViewSet
 from rbac.permissions import RBACPermission
@@ -46,26 +44,19 @@ class AccountTemplateViewSet(OrgBulkModelViewSet):
    }
    rbac_perms = {
        'su_from_account_templates': 'accounts.view_accounttemplate',
        'sync_related_accounts': 'accounts.change_account',
    }
    @action(methods=['get'], detail=False, url_path='su-from-account-templates')
    def su_from_account_templates(self, request, *args, **kwargs):
        pk = request.query_params.get('template_id')
-        templates = AccountTemplate.get_su_from_account_templates(pk)
+        template = AccountTemplate.objects.filter(pk=pk).first()
        templates = AccountTemplate.get_su_from_account_templates(template)
        templates = self.filter_queryset(templates)
        serializer = self.get_serializer(templates, many=True)
        return Response(data=serializer.data)
    @action(methods=['patch'], detail=True, url_path='sync-related-accounts')
    def sync_related_accounts(self, request, *args, **kwargs):
        instance = self.get_object()
        user_id = str(request.user.id)
        task = template_sync_related_accounts.delay(str(instance.id), user_id)
        return Response({'task': task.id}, status=status.HTTP_200_OK)
-
+class AccountTemplateSecretsViewSet(RecordViewLogMixin, AccountTemplateViewSet):
 class AccountTemplateSecretsViewSet(AccountRecordViewLogMixin, AccountTemplateViewSet):
    serializer_classes = {
        'default': serializers.AccountTemplateSecretSerializer,
    }
--- a/apps/accounts/api/account/virtual.py
+++ b/apps/accounts/api/account/virtual.py
@@ -1,20 +0,0 @@
 from django.shortcuts import get_object_or_404
 from accounts.models import VirtualAccount
 from accounts.serializers import VirtualAccountSerializer
 from common.utils import is_uuid
 from orgs.mixins.api import OrgBulkModelViewSet
 class VirtualAccountViewSet(OrgBulkModelViewSet):
    serializer_class = VirtualAccountSerializer
    search_fields = ('alias',)
    filterset_fields = ('alias',)
    def get_queryset(self):
        return VirtualAccount.get_or_init_queryset()
    def get_object(self, ):
        pk = self.kwargs.get('pk')
        kwargs = {'pk': pk} if is_uuid(pk) else {'alias': pk}
        return get_object_or_404(VirtualAccount, **kwargs)
--- a/apps/accounts/api/automations/backup.py
+++ b/apps/accounts/api/automations/backup.py
@@ -18,15 +18,16 @@ __all__ = [
 class AccountBackupPlanViewSet(OrgBulkModelViewSet):
    model = AccountBackupAutomation
-    filterset_fields = ('name',)
+    filter_fields = ('name',)
-    search_fields = filterset_fields
+    search_fields = filter_fields
    ordering = ('name',)
    serializer_class = serializers.AccountBackupSerializer
 class AccountBackupPlanExecutionViewSet(viewsets.ModelViewSet):
    serializer_class = serializers.AccountBackupPlanExecutionSerializer
-    search_fields = ('trigger', 'plan__name')
+    search_fields = ('trigger',)
-    filterset_fields = ('trigger', 'plan_id', 'plan__name')
+    filterset_fields = ('trigger', 'plan_id')
    http_method_names = ['get', 'post', 'options']
    def get_queryset(self):
--- a/apps/accounts/api/automations/base.py
+++ b/apps/accounts/api/automations/base.py
@@ -1,5 +1,5 @@
 from django.shortcuts import get_object_or_404
-from django.utils.translation import gettext_lazy as _
+from django.utils.translation import ugettext_lazy as _
 from rest_framework import status, mixins, viewsets
 from rest_framework.response import Response
@@ -20,8 +20,8 @@ __all__ = [
 class AutomationAssetsListApi(generics.ListAPIView):
    model = BaseAutomation
    serializer_class = serializers.AutomationAssetsSerializer
-    filterset_fields = ("name", "address")
+    filter_fields = ("name", "address")
-    search_fields = filterset_fields
+    search_fields = filter_fields
    def get_object(self):
        pk = self.kwargs.get('pk')
@@ -95,8 +95,8 @@ class AutomationExecutionViewSet(
    mixins.CreateModelMixin, mixins.ListModelMixin,
    mixins.RetrieveModelMixin, viewsets.GenericViewSet
 ):
-    search_fields = ('trigger', 'automation__name')
+    search_fields = ('trigger',)
-    filterset_fields = ('trigger', 'automation_id', 'automation__name')
+    filterset_fields = ('trigger', 'automation_id')
    serializer_class = serializers.AutomationExecutionSerializer
    tp: str
--- a/apps/accounts/api/automations/change_secret.py
+++ b/apps/accounts/api/automations/change_secret.py
@@ -1,17 +1,13 @@
 # -*- coding: utf-8 -*-
 #
-from rest_framework import status, mixins
+
-from rest_framework.decorators import action
+from rest_framework import mixins
 from rest_framework.response import Response
 from accounts import serializers
 from accounts.const import AutomationTypes
-from accounts.filters import ChangeSecretRecordFilterSet
+from accounts.models import ChangeSecretAutomation, ChangeSecretRecord, AutomationExecution
-from accounts.models import ChangeSecretAutomation, ChangeSecretRecord
+from common.utils import get_object_or_none
 from accounts.tasks import execute_automation_record_task
 from authentication.permissions import UserConfirmation, ConfirmType
 from orgs.mixins.api import OrgBulkModelViewSet, OrgGenericViewSet
 from rbac.permissions import RBACPermission
 from .base import (
    AutomationAssetsListApi, AutomationRemoveAssetApi, AutomationAddAssetApi,
    AutomationNodeAddRemoveApi, AutomationExecutionViewSet
@@ -27,53 +23,28 @@ __all__ = [
 class ChangeSecretAutomationViewSet(OrgBulkModelViewSet):
    model = ChangeSecretAutomation
-    filterset_fields = ('name', 'secret_type', 'secret_strategy')
+    filter_fields = ('name', 'secret_type', 'secret_strategy')
-    search_fields = filterset_fields
+    search_fields = filter_fields
    serializer_class = serializers.ChangeSecretAutomationSerializer
 class ChangeSecretRecordViewSet(mixins.ListModelMixin, OrgGenericViewSet):
-    filterset_class = ChangeSecretRecordFilterSet
+    serializer_class = serializers.ChangeSecretRecordSerializer
-    search_fields = ('asset__address',)
+    filter_fields = ['asset', 'execution_id']
-    tp = AutomationTypes.change_secret
+    search_fields = ['asset__hostname']
    serializer_classes = {
        'default': serializers.ChangeSecretRecordSerializer,
        'secret': serializers.ChangeSecretRecordViewSecretSerializer,
    }
    rbac_perms = {
        'execute': 'accounts.add_changesecretexecution',
        'secret': 'accounts.view_changesecretrecord',
    }
    def get_permissions(self):
        if self.action == 'secret':
            self.permission_classes = [
                RBACPermission,
                UserConfirmation.require(ConfirmType.MFA)
            ]
        return super().get_permissions()
    def get_queryset(self):
-        return ChangeSecretRecord.objects.all()
+        return ChangeSecretRecord.objects.filter(
            execution__automation__type=AutomationTypes.change_secret
        )
-    @action(methods=['post'], detail=False, url_path='execute')
+    def filter_queryset(self, queryset):
-    def execute(self, request, *args, **kwargs):
+        queryset = super().filter_queryset(queryset)
-        record_ids = request.data.get('record_ids')
+        eid = self.request.query_params.get('execution_id')
-        records = self.get_queryset().filter(id__in=record_ids)
+        execution = get_object_or_none(AutomationExecution, pk=eid)
-        execution_count = records.values_list('execution_id', flat=True).distinct().count()
+        if execution:
-        if execution_count != 1:
+            queryset = queryset.filter(execution=execution)
-            return Response(
+        return queryset
                {'detail': 'Only one execution is allowed to execute'},
                status=status.HTTP_400_BAD_REQUEST
            )
        task = execute_automation_record_task.delay(record_ids, self.tp)
        return Response({'task': task.id}, status=status.HTTP_200_OK)
    @action(methods=['get'], detail=True, url_path='secret')
    def secret(self, request, *args, **kwargs):
        instance = self.get_object()
        serializer = self.get_serializer(instance)
        return Response(serializer.data)
 class ChangSecretExecutionViewSet(AutomationExecutionViewSet):
--- a/apps/accounts/api/automations/gather_accounts.py
+++ b/apps/accounts/api/automations/gather_accounts.py
@@ -20,8 +20,8 @@ __all__ = [
 class GatherAccountsAutomationViewSet(OrgBulkModelViewSet):
    model = GatherAccountsAutomation
-    filterset_fields = ('name',)
+    filter_fields = ('name',)
-    search_fields = filterset_fields
+    search_fields = filter_fields
    serializer_class = serializers.GatherAccountAutomationSerializer
--- a/apps/accounts/api/automations/push_account.py
+++ b/apps/accounts/api/automations/push_account.py
@@ -20,8 +20,8 @@ __all__ = [
 class PushAccountAutomationViewSet(OrgBulkModelViewSet):
    model = PushAccountAutomation
-    filterset_fields = ('name', 'secret_type', 'secret_strategy')
+    filter_fields = ('name', 'secret_type', 'secret_strategy')
-    search_fields = filterset_fields
+    search_fields = filter_fields
    serializer_class = serializers.PushAccountAutomationSerializer
@@ -42,7 +42,6 @@ class PushAccountExecutionViewSet(AutomationExecutionViewSet):
 class PushAccountRecordViewSet(ChangeSecretRecordViewSet):
    serializer_class = serializers.ChangeSecretRecordSerializer
    tp = AutomationTypes.push_account
    def get_queryset(self):
        return ChangeSecretRecord.objects.filter(
--- a/apps/accounts/apps.py
+++ b/apps/accounts/apps.py
@@ -6,5 +6,6 @@ class AccountsConfig(AppConfig):
    name = 'accounts'
    def ready(self):
-        from . import signal_handlers  # noqa
+        from . import signal_handlers
-        from . import tasks  # noqa
+        from . import tasks
        __all__ = signal_handlers
--- a/apps/accounts/automations/backup_account/handlers.py
+++ b/apps/accounts/automations/backup_account/handlers.py
@@ -1,28 +1,26 @@
 import os
 import time
 from openpyxl import Workbook
 from collections import defaultdict, OrderedDict
 from django.conf import settings
 from django.db.models import F
 from rest_framework import serializers
 from xlsxwriter import Workbook
-from accounts.const import AccountBackupType
+from accounts.models import Account
 from accounts.models.automations.backup_account import AccountBackupAutomation
 from accounts.notifications import AccountBackupExecutionTaskMsg, AccountBackupByObjStorageExecutionTaskMsg
 from accounts.serializers import AccountSecretSerializer
 from assets.const import AllTypes
-from common.utils.file import encrypt_and_compress_zip_file, zip_files
+from accounts.serializers import AccountSecretSerializer
-from common.utils.timezone import local_now_filename, local_now_display
+from accounts.notifications import AccountBackupExecutionTaskMsg
 from terminal.models.component.storage import ReplayStorage
 from users.models import User
 from common.utils import get_logger
 from common.utils.timezone import local_now_display
 from common.utils.file import encrypt_and_compress_zip_file
 logger = get_logger(__file__)
 PATH = os.path.join(os.path.dirname(settings.BASE_DIR), 'tmp')
 class RecipientsNotFound(Exception):
    pass
 class BaseAccountHandler:
    @classmethod
    def unpack_data(cls, serializer_data, data=None):
@@ -74,26 +72,12 @@ class AssetAccountHandler(BaseAccountHandler):
    @staticmethod
    def get_filename(plan_name):
        filename = os.path.join(
-            PATH, f'{plan_name}-{local_now_filename()}-{time.time()}.xlsx'
+            PATH, f'{plan_name}-{local_now_display()}-{time.time()}.xlsx'
        )
        return filename
    @staticmethod
    def handler_secret(data, section):
        for account_data in data:
            secret = account_data.get('secret')
            if not secret:
                continue
            length = len(secret)
            index = length // 2
            if section == "front":
                secret = secret[:index] + '*' * (length - index)
            elif section == "back":
                secret = '*' * (length - index) + secret[index:]
            account_data['secret'] = secret
    @classmethod
-    def create_data_map(cls, accounts, section):
+    def create_data_map(cls, accounts):
        data_map = defaultdict(list)
        if not accounts.exists():
@@ -113,10 +97,9 @@ class AssetAccountHandler(BaseAccountHandler):
        for tp, _accounts in account_type_map.items():
            sheet_name = type_dict.get(tp, tp)
            data = AccountSecretSerializer(_accounts, many=True).data
            cls.handler_secret(data, section)
            data_map.update(cls.add_rows(data, header_fields, sheet_name))
-        print('\n\033[33m- 共备份 {} 条账号\033[0m'.format(accounts.count()))
+        logger.info('\n\033[33m- 共备份 {} 条账号\033[0m'.format(accounts.count()))
        return data_map
@@ -126,8 +109,8 @@ class AccountBackupHandler:
        self.plan_name = self.execution.plan.name
        self.is_frozen = False  # 任务状态冻结标志
-    def create_excel(self, section='complete'):
+    def create_excel(self):
-        print(
+        logger.info(
            '\n'
            '\033[32m>>> 正在生成资产或应用相关备份信息文件\033[0m'
            ''
@@ -136,7 +119,7 @@ class AccountBackupHandler:
        time_start = time.time()
        files = []
        accounts = self.execution.backup_accounts
-        data_map = AssetAccountHandler.create_data_map(accounts, section)
+        data_map = AssetAccountHandler.create_data_map(accounts)
        if not data_map:
            return files
@@ -144,23 +127,22 @@ class AccountBackupHandler:
        wb = Workbook(filename)
        for sheet, data in data_map.items():
-            ws = wb.add_worksheet(str(sheet))
+            ws = wb.create_sheet(str(sheet))
-            for row_index, row_data in enumerate(data):
+            for row in data:
-                for col_index, col_data in enumerate(row_data):
+                ws.append(row)
-                    ws.write_string(row_index, col_index, col_data)
+        wb.save(filename)
        wb.close()
        files.append(filename)
        timedelta = round((time.time() - time_start), 2)
-        print('创建备份文件完成: 用时 {}s'.format(timedelta))
+        logger.info('步骤完成: 用时 {}s'.format(timedelta))
        return files
    def send_backup_mail(self, files, recipients):
        if not files:
            return
        recipients = User.objects.filter(id__in=list(recipients))
-        print(
+        logger.info(
            '\n'
-            '\033[32m>>> 开始发送备份邮件\033[0m'
+            '\033[32m>>> 发送备份邮件\033[0m'
            ''
        )
        plan_name = self.plan_name
@@ -168,34 +150,12 @@ class AccountBackupHandler:
            if not user.secret_key:
                attachment_list = []
            else:
-                attachment = os.path.join(PATH, f'{plan_name}-{local_now_filename()}-{time.time()}.zip')
+                password = user.secret_key.encode('utf8')
-                encrypt_and_compress_zip_file(attachment, user.secret_key, files)
+                attachment = os.path.join(PATH, f'{plan_name}-{local_now_display()}-{time.time()}.zip')
                encrypt_and_compress_zip_file(attachment, password, files)
                attachment_list = [attachment, ]
            AccountBackupExecutionTaskMsg(plan_name, user).publish(attachment_list)
-            print('邮件已发送至{}({})'.format(user, user.email))
+            logger.info('邮件已发送至{}({})'.format(user, user.email))
        for file in files:
            os.remove(file)
    def send_backup_obj_storage(self, files, recipients, password):
        if not files:
            return
        recipients = ReplayStorage.objects.filter(id__in=list(recipients))
        print(
            '\n'
            '\033[32m>>> 开始发送备份文件到sftp服务器\033[0m'
            ''
        )
        plan_name = self.plan_name
        for rec in recipients:
            attachment = os.path.join(PATH, f'{plan_name}-{local_now_filename()}-{time.time()}.zip')
            if password:
                print('\033[32m>>> 使用加密密码对文件进行加密中\033[0m')
                encrypt_and_compress_zip_file(attachment, password, files)
            else:
                zip_files(attachment, files)
            attachment_list = attachment
            AccountBackupByObjStorageExecutionTaskMsg(plan_name, rec).publish(attachment_list)
            print('备份文件将发送至{}({})'.format(rec.name, rec.id))
        for file in files:
            os.remove(file)
@@ -203,29 +163,33 @@ class AccountBackupHandler:
        self.execution.reason = reason[:1024]
        self.execution.is_success = is_success
        self.execution.save()
-        print('\n已完成对任务状态的更新\n')
+        logger.info('已完成对任务状态的更新')
-    @staticmethod
+    def step_finished(self, is_success):
    def step_finished(is_success):
        if is_success:
-            print('任务执行成功')
+            logger.info('任务执行成功')
        else:
-            print('任务执行失败')
+            logger.error('任务执行失败')
    def _run(self):
        is_success = False
        error = '-'
        try:
-            backup_type = self.execution.snapshot.get('backup_type', AccountBackupType.email.value)
+            recipients = self.execution.plan_snapshot.get('recipients')
-            if backup_type == AccountBackupType.email.value:
+            if not recipients:
-                self.backup_by_email()
+                logger.info(
-            elif backup_type == AccountBackupType.object_storage.value:
+                    '\n'
-                self.backup_by_obj_storage()
+                    '\033[32m>>> 该备份任务未分配收件人\033[0m'
                    ''
                )
            else:
                files = self.create_excel()
                self.send_backup_mail(files, recipients)
        except Exception as e:
            self.is_frozen = True
-            print('任务执行被异常中断')
+            logger.error('任务执行被异常中断')
-            print('下面打印发生异常的 Traceback 信息 : ')
+            logger.info('下面打印发生异常的 Traceback 信息 : ')
-            print(e)
+            logger.error(e, exc_info=True)
            error = str(e)
        else:
            is_success = True
@@ -234,62 +198,16 @@ class AccountBackupHandler:
            self.step_perform_task_update(is_success, reason)
            self.step_finished(is_success)
    def backup_by_obj_storage(self):
        object_id = self.execution.snapshot.get('id')
        zip_encrypt_password = AccountBackupAutomation.objects.get(id=object_id).zip_encrypt_password
        obj_recipients_part_one = self.execution.snapshot.get('obj_recipients_part_one', [])
        obj_recipients_part_two = self.execution.snapshot.get('obj_recipients_part_two', [])
        if not obj_recipients_part_one and not obj_recipients_part_two:
            print(
                '\n'
                '\033[31m>>> 该备份任务未分配sftp服务器\033[0m'
                ''
            )
            raise RecipientsNotFound('Not Found Recipients')
        if obj_recipients_part_one and obj_recipients_part_two:
            print('\033[32m>>> 账号的密钥将被拆分成前后两部分发送\033[0m')
            files = self.create_excel(section='front')
            self.send_backup_obj_storage(files, obj_recipients_part_one, zip_encrypt_password)
            files = self.create_excel(section='back')
            self.send_backup_obj_storage(files, obj_recipients_part_two, zip_encrypt_password)
        else:
            recipients = obj_recipients_part_one or obj_recipients_part_two
            files = self.create_excel()
            self.send_backup_obj_storage(files, recipients, zip_encrypt_password)
    def backup_by_email(self):
        recipients_part_one = self.execution.snapshot.get('recipients_part_one', [])
        recipients_part_two = self.execution.snapshot.get('recipients_part_two', [])
        if not recipients_part_one and not recipients_part_two:
            print(
                '\n'
                '\033[31m>>> 该备份任务未分配收件人\033[0m'
                ''
            )
            raise RecipientsNotFound('Not Found Recipients')
        if recipients_part_one and recipients_part_two:
            print('\033[32m>>> 账号的密钥将被拆分成前后两部分发送\033[0m')
            files = self.create_excel(section='front')
            self.send_backup_mail(files, recipients_part_one)
            files = self.create_excel(section='back')
            self.send_backup_mail(files, recipients_part_two)
        else:
            recipients = recipients_part_one or recipients_part_two
            files = self.create_excel()
            self.send_backup_mail(files, recipients)
    def run(self):
-        print('任务开始: {}'.format(local_now_display()))
+        logger.info('任务开始: {}'.format(local_now_display()))
        time_start = time.time()
        try:
            self._run()
        except Exception as e:
-            print('任务运行出现异常')
+            logger.error('任务运行出现异常')
-            print('下面显示异常 Traceback 信息: ')
+            logger.error('下面显示异常 Traceback 信息: ')
-            print(e)
+            logger.error(e, exc_info=True)
        finally:
-            print('\n任务结束: {}'.format(local_now_display()))
+            logger.info('\n任务结束: {}'.format(local_now_display()))
            timedelta = round((time.time() - time_start), 2)
-            print('用时: {}s'.format(timedelta))
+            logger.info('用时: {}'.format(timedelta))
--- a/apps/accounts/automations/backup_account/manager.py
+++ b/apps/accounts/automations/backup_account/manager.py
@@ -4,9 +4,13 @@ import time
 from django.utils import timezone
 from common.utils import get_logger
 from common.utils.timezone import local_now_display
 from .handlers import AccountBackupHandler
 logger = get_logger(__name__)
 class AccountBackupManager:
    def __init__(self, execution):
@@ -19,7 +23,7 @@ class AccountBackupManager:
    def do_run(self):
        execution = self.execution
-        print('\n\033[33m# 账号备份计划正在执行\033[0m')
+        logger.info('\n\033[33m# 账号备份计划正在执行\033[0m')
        handler = AccountBackupHandler(execution)
        handler.run()
@@ -31,10 +35,10 @@ class AccountBackupManager:
        self.time_end = time.time()
        self.date_end = timezone.now()
-        print('\n\n' + '-' * 80)
+        logger.info('\n\n' + '-' * 80)
-        print('计划执行结束 {}\n'.format(local_now_display()))
+        logger.info('计划执行结束 {}\n'.format(local_now_display()))
        self.timedelta = self.time_end - self.time_start
-        print('用时: {}s'.format(self.timedelta))
+        logger.info('用时: {}s'.format(self.timedelta))
        self.execution.timedelta = self.timedelta
        self.execution.save()
--- a/apps/accounts/automations/change_secret/custom/ssh/main.yml
+++ b/apps/accounts/automations/change_secret/custom/ssh/main.yml
@@ -2,10 +2,9 @@
  gather_facts: no
  vars:
    ansible_connection: local
    ansible_become: false
  tasks:
-    - name: Test privileged account (paramiko)
+    - name: Test privileged account
      ssh_ping:
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
@@ -13,17 +12,9 @@
        login_password: "{{ jms_account.secret }}"
        login_secret_type: "{{ jms_account.secret_type }}"
        login_private_key_path: "{{ jms_account.private_key_path }}"
        become: "{{ custom_become | default(False) }}"
        become_method: "{{ custom_become_method | default('su') }}"
        become_user: "{{ custom_become_user | default('') }}"
        become_password: "{{ custom_become_password | default('') }}"
        become_private_key_path: "{{ custom_become_private_key_path | default(None) }}"
        old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default(None) }}"
      register: ping_info
      delegate_to: localhost
-    - name: Change asset password (paramiko)
+    - name: Change asset password
      custom_command:
        login_user: "{{ jms_account.username }}"
        login_password: "{{ jms_account.secret }}"
@@ -31,11 +22,6 @@
        login_port: "{{ jms_asset.port }}"
        login_secret_type: "{{ jms_account.secret_type }}"
        login_private_key_path: "{{ jms_account.private_key_path }}"
        become: "{{ custom_become | default(False) }}"
        become_method: "{{ custom_become_method | default('su') }}"
        become_user: "{{ custom_become_user | default('') }}"
        become_password: "{{ custom_become_password | default('') }}"
        become_private_key_path: "{{ custom_become_private_key_path | default(None) }}"
        name: "{{ account.username }}"
        password: "{{ account.secret }}"
        commands: "{{ params.commands }}"
@@ -43,19 +29,10 @@
      ignore_errors: true
      when: ping_info is succeeded
      register: change_info
      delegate_to: localhost
-    - name: Verify password (paramiko)
+    - name: Verify password
      ssh_ping:
        login_user: "{{ account.username }}"
        login_password: "{{ account.secret }}"
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        become: "{{ account.become.ansible_become | default(False) }}"
        become_method: su
        become_user: "{{ account.become.ansible_user | default('') }}"
        become_password: "{{ account.become.ansible_password | default('') }}"
        become_private_key_path: "{{ account.become.ansible_ssh_private_key_file | default(None) }}"
        old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default(None) }}"
      delegate_to: localhost
--- a/apps/accounts/automations/change_secret/custom/ssh/manifest.yml
+++ b/apps/accounts/automations/change_secret/custom/ssh/manifest.yml
@@ -6,27 +6,15 @@ category:
 type:
  - all
 method: change_secret
 protocol: ssh
 priority: 50
 params:
  - name: commands
    type: list
-    label: "{{ 'Params commands label' | trans }}"
+    label: '自定义命令'
    default: [ '' ]
-    help_text: "{{ 'Params commands help text' | trans }}"
+    help_text: '自定义命令中如需包含账号的 账号、密码、SSH 连接的用户密码 字段，<br />请使用 &#123;username&#125;、&#123;password&#125;、&#123;login_password&#125;格式，执行任务时会进行替换 。<br />比如针对 Cisco 主机进行改密，一般需要配置五条命令：<br />1. enable<br />2. &#123;login_password&#125;<br />3. configure terminal<br />4. username &#123;username&#125; privilege 0 password &#123;password&#125; <br />5. end'
 i18n:
  SSH account change secret:
-    zh: '使用 SSH 命令行自定义改密'
+    zh: 使用 SSH 命令行自定义改密
-    ja: 'SSH コマンドライン方式でカスタムパスワード変更'
+    ja: SSH コマンドライン方式でカスタムパスワード変更
-    en: 'Custom password change by SSH command line'
+    en: Custom password change by SSH command line
  Params commands help text:
    zh: '自定义命令中如需包含账号的 账号、密码、SSH 连接的用户密码 字段，<br />请使用 &#123;username&#125;、&#123;password&#125;、&#123;login_password&#125;格式，执行任务时会进行替换 。<br />比如针对 Cisco 主机进行改密，一般需要配置五条命令：<br />1. enable<br />2. &#123;login_password&#125;<br />3. configure terminal<br />4. username &#123;username&#125; privilege 0 password &#123;password&#125; <br />5. end'
    ja: 'カスタム コマンドに SSH 接続用のアカウント番号、パスワード、ユーザー パスワード フィールドを含める必要がある場合は、<br />&#123;ユーザー名&#125;、&#123;パスワード&#125;、&#123;login_password& を使用してください。 # 125; 形式。タスクの実行時に置き換えられます。 <br />たとえば、Cisco ホストのパスワードを変更するには、通常、次の 5 つのコマンドを設定する必要があります:<br />1.enable<br />2.&#123;login_password&#125;<br />3 .ターミナルの設定<br / >4. ユーザー名 &#123;ユーザー名&#125; 権限 0 パスワード &#123;パスワード&#125; <br />5. 終了'
    en: 'If the custom command needs to include the account number, password, and user password field for SSH connection,<br />Please use &#123;username&#125;, &#123;password&#125;, &#123;login_password&# 125; format, which will be replaced when executing the task. <br />For example, to change the password of a Cisco host, you generally need to configure five commands:<br />1. enable<br />2. &#123;login_password&#125;<br />3. configure terminal<br / >4. username &#123;username&#125; privilege 0 password &#123;password&#125; <br />5. end'
  Params commands label:
    zh: '自定义命令'
    ja: 'カスタムコマンド'
    en: 'Custom command'
--- a/apps/accounts/automations/change_secret/database/mongodb/main.yml
+++ b/apps/accounts/automations/change_secret/database/mongodb/main.yml
@@ -1,7 +1,7 @@
 - hosts: mongodb
  gather_facts: no
  vars:
-    ansible_python_interpreter: /opt/py3/bin/python
+    ansible_python_interpreter: /usr/local/bin/python
  tasks:
    - name: Test MongoDB connection
@@ -11,9 +11,9 @@
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        login_database: "{{ jms_asset.spec_info.db_name }}"
-        ssl: "{{ jms_asset.spec_info.use_ssl | default('') }}"
+        ssl: "{{ jms_asset.spec_info.use_ssl }}"
-        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert | default('') }}"
+        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
-        ssl_certfile: "{{ jms_asset.secret_info.client_key | default('') }}"
+        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
        connection_options:
          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
      register: db_info
@@ -31,8 +31,8 @@
        login_port: "{{ jms_asset.port }}"
        login_database: "{{ jms_asset.spec_info.db_name }}"
        ssl: "{{ jms_asset.spec_info.use_ssl }}"
-        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert | default('') }}"
+        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
-        ssl_certfile: "{{ jms_asset.secret_info.client_key | default('') }}"
+        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
        connection_options:
          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
        db: "{{ jms_asset.spec_info.db_name }}"
@@ -49,7 +49,7 @@
        login_port: "{{ jms_asset.port }}"
        login_database: "{{ jms_asset.spec_info.db_name }}"
        ssl: "{{ jms_asset.spec_info.use_ssl }}"
-        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert | default('') }}"
+        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
-        ssl_certfile: "{{ jms_asset.secret_info.client_key | default('') }}"
+        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
        connection_options:
          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
--- a/apps/accounts/automations/change_secret/database/mysql/main.yml
+++ b/apps/accounts/automations/change_secret/database/mysql/main.yml
@@ -1,9 +1,8 @@
 - hosts: mysql
  gather_facts: no
  vars:
-    ansible_python_interpreter: /opt/py3/bin/python
+    ansible_python_interpreter: /usr/local/bin/python
    db_name: "{{ jms_asset.spec_info.db_name }}"
    check_ssl: "{{ jms_asset.spec_info.use_ssl and not jms_asset.spec_info.allow_invalid_cert }}"
  tasks:
    - name: Test MySQL connection
@@ -12,10 +11,6 @@
        login_password: "{{ jms_account.secret }}"
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        check_hostname: "{{ check_ssl if check_ssl else omit }}"
        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) if check_ssl else omit }}"
        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) if check_ssl else omit }}"
        client_key: "{{ jms_asset.secret_info.client_key | default(omit) if check_ssl else omit }}"
        filter: version
      register: db_info
@@ -29,10 +24,6 @@
        login_password: "{{ jms_account.secret }}"
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        check_hostname: "{{ check_ssl if check_ssl else omit }}"
        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) if check_ssl else omit }}"
        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) if check_ssl else omit }}"
        client_key: "{{ jms_asset.secret_info.client_key | default(omit) if check_ssl else omit }}"
        name: "{{ account.username }}"
        password: "{{ account.secret }}"
        host: "%"
@@ -46,8 +37,4 @@
        login_password: "{{ account.secret }}"
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        check_hostname: "{{ check_ssl if check_ssl else omit }}"
        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) if check_ssl else omit }}"
        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) if check_ssl else omit }}"
        client_key: "{{ jms_asset.secret_info.client_key | default(omit) if check_ssl else omit }}"
        filter: version
--- a/apps/accounts/automations/change_secret/database/oracle/main.yml
+++ b/apps/accounts/automations/change_secret/database/oracle/main.yml
@@ -1,7 +1,7 @@
 - hosts: oracle
  gather_facts: no
  vars:
-    ansible_python_interpreter: /opt/py3/bin/python
+    ansible_python_interpreter: /usr/local/bin/python
  tasks:
    - name: Test Oracle connection
@@ -39,4 +39,3 @@
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        login_database: "{{ jms_asset.spec_info.db_name }}"
        mode: "{{ account.mode }}"
--- a/apps/accounts/automations/change_secret/database/postgresql/main.yml
+++ b/apps/accounts/automations/change_secret/database/postgresql/main.yml
@@ -1,7 +1,7 @@
 - hosts: postgre
  gather_facts: no
  vars:
-    ansible_python_interpreter: /opt/py3/bin/python
+    ansible_python_interpreter: /usr/local/bin/python
  tasks:
    - name: Test PostgreSQL connection
--- a/apps/accounts/automations/change_secret/database/sqlserver/main.yml
+++ b/apps/accounts/automations/change_secret/database/sqlserver/main.yml
@@ -1,7 +1,7 @@
 - hosts: sqlserver
  gather_facts: no
  vars:
-    ansible_python_interpreter: /opt/py3/bin/python
+    ansible_python_interpreter: /usr/local/bin/python
  tasks:
    - name: Test SQLServer connection
@@ -40,7 +40,7 @@
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        name: '{{ jms_asset.spec_info.db_name }}'
-        script: "ALTER LOGIN {{ account.username }} WITH PASSWORD = '{{ account.secret }}', DEFAULT_DATABASE = {{ jms_asset.spec_info.db_name }}; select @@version"
+        script: "ALTER LOGIN {{ account.username }} WITH PASSWORD = '{{ account.secret }}'; select @@version"
      ignore_errors: true
      when: user_exist.query_results[0] | length != 0
@@ -51,7 +51,7 @@
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        name: '{{ jms_asset.spec_info.db_name }}'
-        script: "CREATE LOGIN {{ account.username }} WITH PASSWORD = '{{ account.secret }}', DEFAULT_DATABASE = {{ jms_asset.spec_info.db_name }}; CREATE USER {{ account.username }} FOR LOGIN {{ account.username }}; select @@version"
+        script: "CREATE LOGIN {{ account.username }} WITH PASSWORD = '{{ account.secret }}'; select @@version"
      ignore_errors: true
      when: user_exist.query_results[0] | length == 0
--- a/apps/accounts/automations/change_secret/host/aix/main.yml
+++ b/apps/accounts/automations/change_secret/host/aix/main.yml
@@ -1,41 +1,10 @@
 - hosts: demo
  gather_facts: no
  tasks:
-    - name: "Test privileged {{ jms_account.username }} account"
+    - name: Test privileged account
      ansible.builtin.ping:
-    - name: "Check if {{ account.username }} user exists"
+    - name: Change password
      getent:
        database: passwd
        key: "{{ account.username }}"
      register: user_info
      ignore_errors: yes  # 忽略错误，如果用户不存在时不会导致playbook失败
    - name: "Add {{ account.username }} user"
      ansible.builtin.user:
        name: "{{ account.username }}"
        shell: "{{ params.shell }}"
        home: "{{ params.home | default('/home/' + account.username, true) }}"
        groups: "{{ params.groups }}"
        expires: -1
        state: present
      when: user_info.failed
    - name: "Add {{ account.username }} group"
      ansible.builtin.group:
        name: "{{ account.username }}"
        state: present
      when: user_info.failed
    - name: "Add {{ account.username }} user to group"
      ansible.builtin.user:
        name: "{{ account.username }}"
        groups: "{{ params.groups }}"
      when:
        - user_info.failed
        - params.groups
    - name: "Change {{ account.username }} password"
      ansible.builtin.user:
        name: "{{ account.username }}"
        password: "{{ account.secret | password_hash('des') }}"
@@ -43,59 +12,44 @@
      ignore_errors: true
      when: account.secret_type == "password"
    - name: create user If it already exists, no operation will be performed
      ansible.builtin.user:
        name: "{{ account.username }}"
      when: account.secret_type == "ssh_key"
    - name: remove jumpserver ssh key
      ansible.builtin.lineinfile:
        dest: "{{ ssh_params.dest }}"
        regexp: "{{ ssh_params.regexp }}"
        state: absent
      when:
-        - account.secret_type == "ssh_key"
+      - account.secret_type == "ssh_key"
-        - ssh_params.strategy == "set_jms"
+      - ssh_params.strategy == "set_jms"
-    - name: "Change {{ account.username }} SSH key"
+    - name: Change SSH key
      ansible.builtin.authorized_key:
        user: "{{ account.username }}"
        key: "{{ account.secret }}"
        exclusive: "{{ ssh_params.exclusive }}"
      when: account.secret_type == "ssh_key"
    - name: "Set {{ account.username }} sudo setting"
      ansible.builtin.lineinfile:
        dest: /etc/sudoers
        state: present
        regexp: "^{{ account.username }} ALL="
        line: "{{ account.username + ' ALL=(ALL) NOPASSWD: ' + params.sudo }}"
        validate: visudo -cf %s
      when:
        - user_info.failed
        - params.sudo
    - name: Refresh connection
      ansible.builtin.meta: reset_connection
-    - name: "Verify {{ account.username }} password (paramiko)"
+    - name: Verify password
-      ssh_ping:
+      ansible.builtin.ping:
-        login_user: "{{ account.username }}"
+      become: no
-        login_password: "{{ account.secret }}"
+      vars:
-        login_host: "{{ jms_asset.address }}"
+        ansible_user: "{{ account.username }}"
-        login_port: "{{ jms_asset.port }}"
+        ansible_password: "{{ account.secret }}"
-        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
+        ansible_become: no
        become: "{{ account.become.ansible_become | default(False) }}"
        become_method: su
        become_user: "{{ account.become.ansible_user | default('') }}"
        become_password: "{{ account.become.ansible_password | default('') }}"
        become_private_key_path: "{{ account.become.ansible_ssh_private_key_file | default(None) }}"
        old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
      when: account.secret_type == "password"
      delegate_to: localhost
-    - name: "Verify {{ account.username }} SSH KEY (paramiko)"
+    - name: Verify SSH key
-      ssh_ping:
+      ansible.builtin.ping:
-        login_host: "{{ jms_asset.address }}"
+      become: no
-        login_port: "{{ jms_asset.port }}"
+      vars:
-        login_user: "{{ account.username }}"
+        ansible_user: "{{ account.username }}"
-        login_private_key_path: "{{ account.private_key_path  }}"
+        ansible_ssh_private_key_file: "{{ account.private_key_path }}"
-        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
+        ansible_become: no
        old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
      when: account.secret_type == "ssh_key"
      delegate_to: localhost
--- a/apps/accounts/automations/change_secret/host/aix/manifest.yml
+++ b/apps/accounts/automations/change_secret/host/aix/manifest.yml
@@ -4,58 +4,9 @@ category: host
 type:
  - AIX
 method: change_secret
 params:
  - name: sudo
    type: str
    label: 'Sudo'
    default: '/bin/whoami'
    help_text: "{{ 'Params sudo help text' | trans }}"
  - name: shell
    type: str
    label: 'Shell'
    default: '/bin/bash'
  - name: home
    type: str
    label: "{{ 'Params home label' | trans }}"
    default: ''
    help_text: "{{ 'Params home help text' | trans }}"
  - name: groups
    type: str
    label: "{{ 'Params groups label' | trans }}"
    default: ''
    help_text: "{{ 'Params groups help text' | trans }}"
 i18n:
  AIX account change secret:
-    zh: '使用 Ansible 模块 user 执行账号改密 (DES)'
+    zh: 使用 Ansible 模块 user 执行账号改密 (DES)
-    ja: 'Ansible user モジュールを使用してアカウントのパスワード変更 (DES)'
+    ja: Ansible user モジュールを使用してアカウントのパスワード変更 (DES)
-    en: 'Using Ansible module user to change account secret (DES)'
+    en: Using Ansible module user to change account secret (DES)
  Params sudo help text:
    zh: '使用逗号分隔多个命令，如: /bin/whoami,/sbin/ifconfig'
    ja: 'コンマで区切って複数のコマンドを入力してください。例: /bin/whoami,/sbin/ifconfig'
    en: 'Use commas to separate multiple commands, such as: /bin/whoami,/sbin/ifconfig'
  Params home help text:
    zh: '默认家目录 /home/{账号用户名}'
    ja: 'デフォルトのホームディレクトリ /home/{アカウントユーザ名}'
    en: 'Default home directory /home/{account username}'
  Params groups help text:
    zh: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
    ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
    en: 'Please enter the group. Multiple groups are separated by commas (please enter the existing group)'
  Params home label:
    zh: '家目录'
    ja: 'ホームディレクトリ'
    en: 'Home'
  Params groups label:
    zh: '用户组'
    ja: 'グループ'
    en: 'Groups'
--- a/apps/accounts/automations/change_secret/host/posix/main.yml
+++ b/apps/accounts/automations/change_secret/host/posix/main.yml
@@ -1,41 +1,10 @@
 - hosts: demo
  gather_facts: no
  tasks:
-    - name: "Test privileged {{ jms_account.username }} account"
+    - name: Test privileged account
      ansible.builtin.ping:
-    - name: "Check if {{ account.username }} user exists"
+    - name: Change password
      getent:
        database: passwd
        key: "{{ account.username }}"
      register: user_info
      ignore_errors: yes  # 忽略错误，如果用户不存在时不会导致playbook失败
    - name: "Add {{ account.username }} user"
      ansible.builtin.user:
        name: "{{ account.username }}"
        shell: "{{ params.shell }}"
        home: "{{ params.home | default('/home/' + account.username, true) }}"
        groups: "{{ params.groups }}"
        expires: -1
        state: present
      when: user_info.failed
    - name: "Add {{ account.username }} group"
      ansible.builtin.group:
        name: "{{ account.username }}"
        state: present
      when: user_info.failed
    - name: "Add {{ account.username }} user to group"
      ansible.builtin.user:
        name: "{{ account.username }}"
        groups: "{{ params.groups }}"
      when:
        - user_info.failed
        - params.groups
    - name: "Change {{ account.username }} password"
      ansible.builtin.user:
        name: "{{ account.username }}"
        password: "{{ account.secret | password_hash('sha512') }}"
@@ -43,6 +12,11 @@
      ignore_errors: true
      when: account.secret_type == "password"
    - name: create user If it already exists, no operation will be performed
      ansible.builtin.user:
        name: "{{ account.username }}"
      when: account.secret_type == "ssh_key"
    - name: remove jumpserver ssh key
      ansible.builtin.lineinfile:
        dest: "{{ ssh_params.dest }}"
@@ -52,50 +26,30 @@
        - account.secret_type == "ssh_key"
        - ssh_params.strategy == "set_jms"
-    - name: "Change {{ account.username }} SSH key"
+    - name: Change SSH key
      ansible.builtin.authorized_key:
        user: "{{ account.username }}"
        key: "{{ account.secret }}"
        exclusive: "{{ ssh_params.exclusive }}"
      when: account.secret_type == "ssh_key"
    - name: "Set {{ account.username }} sudo setting"
      ansible.builtin.lineinfile:
        dest: /etc/sudoers
        state: present
        regexp: "^{{ account.username }} ALL="
        line: "{{ account.username + ' ALL=(ALL) NOPASSWD: ' + params.sudo }}"
        validate: visudo -cf %s
      when:
        - user_info.failed
        - params.sudo
    - name: Refresh connection
      ansible.builtin.meta: reset_connection
-    - name: "Verify {{ account.username }} password (paramiko)"
+    - name: Verify password
-      ssh_ping:
+      ansible.builtin.ping:
-        login_user: "{{ account.username }}"
+      become: no
-        login_password: "{{ account.secret }}"
+      vars:
-        login_host: "{{ jms_asset.address }}"
+        ansible_user: "{{ account.username }}"
-        login_port: "{{ jms_asset.port }}"
+        ansible_password: "{{ account.secret }}"
-        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
+        ansible_become: no
        become: "{{ account.become.ansible_become | default(False) }}"
        become_method: su
        become_user: "{{ account.become.ansible_user | default('') }}"
        become_password: "{{ account.become.ansible_password | default('') }}"
        become_private_key_path: "{{ account.become.ansible_ssh_private_key_file | default(None) }}"
        old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
      when: account.secret_type == "password"
      delegate_to: localhost
-    - name: "Verify {{ account.username }} SSH KEY (paramiko)"
+    - name: Verify SSH key
-      ssh_ping:
+      ansible.builtin.ping:
-        login_host: "{{ jms_asset.address }}"
+      become: no
-        login_port: "{{ jms_asset.port }}"
+      vars:
-        login_user: "{{ account.username }}"
+        ansible_user: "{{ account.username }}"
-        login_private_key_path: "{{ account.private_key_path  }}"
+        ansible_ssh_private_key_file: "{{ account.private_key_path }}"
-        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
+        ansible_become: no
        old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
      when: account.secret_type == "ssh_key"
      delegate_to: localhost
--- a/apps/accounts/automations/change_secret/host/posix/manifest.yml
+++ b/apps/accounts/automations/change_secret/host/posix/manifest.yml
@@ -5,59 +5,9 @@ type:
  - unix
  - linux
 method: change_secret
 params:
  - name: sudo
    type: str
    label: 'Sudo'
    default: '/bin/whoami'
    help_text: "{{ 'Params sudo help text' | trans }}"
  - name: shell
    type: str
    label: 'Shell'
    default: '/bin/bash'
    help_text: ''
  - name: home
    type: str
    label: "{{ 'Params home label' | trans }}"
    default: ''
    help_text: "{{ 'Params home help text' | trans }}"
  - name: groups
    type: str
    label: "{{ 'Params groups label' | trans }}"
    default: ''
    help_text: "{{ 'Params groups help text' | trans }}"
 i18n:
  Posix account change secret:
-    zh: '使用 Ansible 模块 user 执行账号改密 (SHA512)'
+    zh: 使用 Ansible 模块 user 执行账号改密 (SHA512)
-    ja: 'Ansible user モジュールを使用して アカウントのパスワード変更 (SHA512)'
+    ja: Ansible user モジュールを使用して アカウントのパスワード変更 (SHA512)
-    en: 'Using Ansible module user to change account secret (SHA512)'
+    en: Using Ansible module user to change account secret (SHA512)
  Params sudo help text:
    zh: '使用逗号分隔多个命令，如: /bin/whoami,/sbin/ifconfig'
    ja: 'コンマで区切って複数のコマンドを入力してください。例: /bin/whoami,/sbin/ifconfig'
    en: 'Use commas to separate multiple commands, such as: /bin/whoami,/sbin/ifconfig'
  Params home help text:
    zh: '默认家目录 /home/{账号用户名}'
    ja: 'デフォルトのホームディレクトリ /home/{アカウントユーザ名}'
    en: 'Default home directory /home/{account username}'
  Params groups help text:
    zh: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
    ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
    en: 'Please enter the group. Multiple groups are separated by commas (please enter the existing group)'
  Params home label:
    zh: '家目录'
    ja: 'ホームディレクトリ'
    en: 'Home'
  Params groups label:
    zh: '用户组'
    ja: 'グループ'
    en: 'Groups'
--- a/apps/accounts/automations/change_secret/host/windows/main.yml
+++ b/apps/accounts/automations/change_secret/host/windows/main.yml
@@ -8,13 +8,17 @@
 #      debug:
 #        msg: "Username: {{ account.username }}, Password: {{ account.secret }}"
    - name: Get groups of a Windows user
      ansible.windows.win_user:
        name: "{{ jms_account.username }}"
      register: user_info
    - name: Change password
      ansible.windows.win_user:
        fullname: "{{ account.username}}"
        name: "{{ account.username }}"
        password: "{{ account.secret }}"
-        password_never_expires: yes
+        groups: "{{ user_info.groups[0].name }}"
        groups: "{{ params.groups }}"
        groups_action: add
        update_password: always
      ignore_errors: true
--- a/apps/accounts/automations/change_secret/host/windows/manifest.yml
+++ b/apps/accounts/automations/change_secret/host/windows/manifest.yml
@@ -5,22 +5,9 @@ method: change_secret
 category: host
 type:
  - windows
 params:
  - name: groups
    type: str
    label: '用户组'
    default: 'Users,Remote Desktop Users'
    help_text: "{{ 'Params groups help text' | trans }}"
 i18n:
  Windows account change secret:
-    zh: '使用 Ansible 模块 win_user 执行 Windows 账号改密'
+    zh: 使用 Ansible 模块 win_user 执行 Windows 账号改密
-    ja: 'Ansible win_user モジュールを使用して Windows アカウントのパスワード変更'
+    ja: Ansible win_user モジュールを使用して Windows アカウントのパスワード変更
-    en: 'Using Ansible module win_user to change Windows account secret'
+    en: Using Ansible module win_user to change Windows account secret
  Params groups help text:
    zh: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
    ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
    en: 'Please enter the group. Multiple groups are separated by commas (please enter the existing group)'
--- a/apps/accounts/automations/change_secret/host/windows_rdp_verify/main.yml
+++ b/apps/accounts/automations/change_secret/host/windows_rdp_verify/main.yml
@@ -1,35 +0,0 @@
 - hosts: demo
  gather_facts: no
  tasks:
    - name: Test privileged account
      ansible.windows.win_ping:
 #    - name: Print variables
 #      debug:
 #        msg: "Username: {{ account.username }}, Password: {{ account.secret }}"
    - name: Change password
      ansible.windows.win_user:
        fullname: "{{ account.username}}"
        name: "{{ account.username }}"
        password: "{{ account.secret }}"
        password_never_expires: yes
        groups: "{{ params.groups }}"
        groups_action: add
        update_password: always
      ignore_errors: true
      when: account.secret_type == "password"
    - name: Refresh connection
      ansible.builtin.meta: reset_connection
    - name: Verify password (pyfreerdp)
      rdp_ping:
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.protocols | selectattr('name', 'equalto', 'rdp') | map(attribute='port') | first }}"
        login_user: "{{ account.username }}"
        login_password: "{{ account.secret }}"
        login_secret_type: "{{ account.secret_type }}"
        login_private_key_path: "{{ account.private_key_path }}"
      when: account.secret_type == "password"
      delegate_to: localhost
--- a/apps/accounts/automations/change_secret/host/windows_rdp_verify/manifest.yml
+++ b/apps/accounts/automations/change_secret/host/windows_rdp_verify/manifest.yml
@@ -1,27 +0,0 @@
 id: change_secret_windows_rdp_verify
 name: "{{ 'Windows account change secret rdp verify' | trans }}"
 version: 1
 method: change_secret
 category: host
 type:
  - windows
 priority: 49
 params:
  - name: groups
    type: str
    label: '用户组'
    default: 'Users,Remote Desktop Users'
    help_text: "{{ 'Params groups help text' | trans }}"
 i18n:
  Windows account change secret rdp verify:
    zh: '使用 Ansible 模块 win_user 执行 Windows 账号改密 RDP 协议测试最后的可连接性'
    ja: 'Ansibleモジュールwin_userはWindowsアカウントの改密RDPプロトコルテストの最後の接続性を実行する'
    en: 'Using the Ansible module win_user performs Windows account encryption RDP protocol testing for final connectivity'
  Params groups help text:
    zh: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
    ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
    en: 'Please enter the group. Multiple groups are separated by commas (please enter the existing group)'
--- a/apps/accounts/automations/change_secret/manager.py
+++ b/apps/accounts/automations/change_secret/manager.py
@@ -1,20 +1,20 @@
 import os
 import time
 from collections import defaultdict
 from copy import deepcopy
 from django.conf import settings
 from django.utils import timezone
-from django.utils.translation import gettext_lazy as _
+from openpyxl import Workbook
 from xlsxwriter import Workbook
-from accounts.const import AutomationTypes, SecretType, SSHKeyStrategy, SecretStrategy, ChangeSecretRecordStatusChoice
+from accounts.const import AutomationTypes, SecretType, SSHKeyStrategy, SecretStrategy
 from accounts.models import ChangeSecretRecord
-from accounts.notifications import ChangeSecretExecutionTaskMsg, ChangeSecretFailedMsg
+from accounts.notifications import ChangeSecretExecutionTaskMsg
 from accounts.serializers import ChangeSecretRecordBackUpSerializer
 from assets.const import HostTypes
 from common.utils import get_logger
 from common.utils.file import encrypt_and_compress_zip_file
-from common.utils.timezone import local_now_filename
+from common.utils.timezone import local_now_display
 from users.models import User
 from ..base.manager import AccountBasePlaybookManager
 from ...utils import SecretGenerator
@@ -27,7 +27,7 @@ class ChangeSecretManager(AccountBasePlaybookManager):
    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
-        self.record_map = self.execution.snapshot.get('record_map', {})
+        self.method_hosts_mapper = defaultdict(list)
        self.secret_type = self.execution.snapshot.get('secret_type')
        self.secret_strategy = self.execution.snapshot.get(
            'secret_strategy', SecretStrategy.custom
@@ -50,9 +50,7 @@ class ChangeSecretManager(AccountBasePlaybookManager):
        kwargs['exclusive'] = 'yes' if kwargs['strategy'] == SSHKeyStrategy.set else 'no'
        if kwargs['strategy'] == SSHKeyStrategy.set_jms:
-            username = account.username
+            kwargs['dest'] = '/home/{}/.ssh/authorized_keys'.format(account.username)
            path = f'/{username}' if username == "root" else f'/home/{username}'
            kwargs['dest'] = f'{path}/.ssh/authorized_keys'
            kwargs['regexp'] = '.*{}$'.format(secret.split()[2].strip())
        return kwargs
@@ -98,13 +96,17 @@ class ChangeSecretManager(AccountBasePlaybookManager):
        accounts = self.get_accounts(account)
        if not accounts:
-            print('没有发现待处理的账号: %s 用户ID: %s 类型: %s' % (
+            print('没有发现待改密账号: %s 用户ID: %s 类型: %s' % (
                asset.name, self.account_ids, self.secret_type
            ))
            return []
-        records = []
+        method_attr = getattr(automation, self.method_type() + '_method')
        method_hosts = self.method_hosts_mapper[method_attr]
        method_hosts = [h for h in method_hosts if h != host['name']]
        inventory_hosts = []
        records = []
        if asset.type == HostTypes.WINDOWS and self.secret_type == SecretType.SSH_KEY:
            print(f'Windows {asset} does not support ssh key push')
            return inventory_hosts
@@ -114,30 +116,13 @@ class ChangeSecretManager(AccountBasePlaybookManager):
            h = deepcopy(host)
            secret_type = account.secret_type
            h['name'] += '(' + account.username + ')'
-            if self.secret_type is None:
+            new_secret = self.get_secret(secret_type)
                new_secret = account.secret
            else:
                new_secret = self.get_secret(secret_type)
            if new_secret is None:
                print(f'new_secret is None, account: {account}')
                continue
            asset_account_id = f'{asset.id}-{account.id}'
            if asset_account_id not in self.record_map:
                recorder = ChangeSecretRecord(
                    asset=asset, account=account, execution=self.execution,
                    old_secret=account.secret, new_secret=new_secret,
                )
                records.append(recorder)
            else:
                record_id = self.record_map[asset_account_id]
                try:
                    recorder = ChangeSecretRecord.objects.get(id=record_id)
                except ChangeSecretRecord.DoesNotExist:
                    print(f"Record {record_id} not found")
                    continue
            recorder = ChangeSecretRecord(
                asset=asset, account=account, execution=self.execution,
                old_secret=account.secret, new_secret=new_secret,
            )
            records.append(recorder)
            self.name_recorder_mapper[h['name']] = recorder
            private_key_path = None
@@ -150,13 +135,14 @@ class ChangeSecretManager(AccountBasePlaybookManager):
                'name': account.name,
                'username': account.username,
                'secret_type': secret_type,
-                'secret': account.escape_jinja2_syntax(new_secret),
+                'secret': new_secret,
-                'private_key_path': private_key_path,
+                'private_key_path': private_key_path
                'become': account.get_ansible_become_auth(),
            }
            if asset.platform.type == 'oracle':
                h['account']['mode'] = 'sysdba' if account.privileged else None
            inventory_hosts.append(h)
            method_hosts.append(h['name'])
        self.method_hosts_mapper[method_attr] = method_hosts
        ChangeSecretRecord.objects.bulk_create(records)
        return inventory_hosts
@@ -164,46 +150,27 @@ class ChangeSecretManager(AccountBasePlaybookManager):
        recorder = self.name_recorder_mapper.get(host)
        if not recorder:
            return
-        recorder.status = ChangeSecretRecordStatusChoice.success.value
+        recorder.status = 'success'
        recorder.date_finished = timezone.now()
-
+        recorder.save()
        account = recorder.account
        if not account:
            print("Account not found, deleted ?")
            return
        account.secret = recorder.new_secret
-        account.date_updated = timezone.now()
+        account.save(update_fields=['secret'])
        max_retries = 3
        retry_count = 0
        while retry_count < max_retries:
            try:
                recorder.save()
                account.save(update_fields=['secret', 'version', 'date_updated'])
                break
            except Exception as e:
                retry_count += 1
                if retry_count == max_retries:
                    self.on_host_error(host, str(e), result)
                else:
                    print(f'retry {retry_count} times for {host} recorder save error: {e}')
                    time.sleep(1)
    def on_host_error(self, host, error, result):
        recorder = self.name_recorder_mapper.get(host)
        if not recorder:
            return
-        recorder.status = ChangeSecretRecordStatusChoice.failed.value
+        recorder.status = 'failed'
        recorder.date_finished = timezone.now()
        recorder.error = error
-        try:
+        recorder.save()
            recorder.save()
        except Exception as e:
            print(f"\033[31m Save {host} recorder error: {e} \033[0m\n")
    def on_runner_failed(self, runner, e):
-        logger.error("Account error: ", e)
+        logger.error("Change secret error: ", e)
    def check_secret(self):
        if self.secret_strategy == SecretStrategy.custom \
@@ -212,69 +179,35 @@ class ChangeSecretManager(AccountBasePlaybookManager):
            return False
        return True
    @staticmethod
    def get_summary(recorders):
        total, succeed, failed = 0, 0, 0
        for recorder in recorders:
            if recorder.status == ChangeSecretRecordStatusChoice.success.value:
                succeed += 1
            else:
                failed += 1
            total += 1
        summary = _('Success: %s, Failed: %s, Total: %s') % (succeed, failed, total)
        return summary
    def run(self, *args, **kwargs):
-        if self.secret_type and not self.check_secret():
+        if not self.check_secret():
            return
        super().run(*args, **kwargs)
-        recorders = list(self.name_recorder_mapper.values())
+        recorders = self.name_recorder_mapper.values()
-        summary = self.get_summary(recorders)
+        recorders = list(recorders)
-        print(summary, end='')
+        self.send_recorder_mail(recorders)
        if self.record_map:
            return
        failed_recorders = [
            r for r in recorders
            if r.status == ChangeSecretRecordStatusChoice.failed.value
        ]
    def send_recorder_mail(self, recorders):
        recipients = self.execution.recipients
        if not recorders or not recipients:
            return
        recipients = User.objects.filter(id__in=list(recipients.keys()))
        if not recipients:
            return
        if failed_recorders:
            name = self.execution.snapshot.get('name')
            execution_id = str(self.execution.id)
            _ids = [r.id for r in failed_recorders]
            asset_account_errors = ChangeSecretRecord.objects.filter(
                id__in=_ids).values_list('asset__name', 'account__username', 'error')
            for user in recipients:
                ChangeSecretFailedMsg(name, execution_id, user, asset_account_errors).publish()
        if not recorders:
            return
        self.send_recorder_mail(recipients, recorders, summary)
    def send_recorder_mail(self, recipients, recorders, summary):
        name = self.execution.snapshot['name']
        path = os.path.join(os.path.dirname(settings.BASE_DIR), 'tmp')
-        filename = os.path.join(path, f'{name}-{local_now_filename()}-{time.time()}.xlsx')
+        filename = os.path.join(path, f'{name}-{local_now_display()}-{time.time()}.xlsx')
        if not self.create_file(recorders, filename):
            return
        for user in recipients:
            attachments = []
            if user.secret_key:
-                attachment = os.path.join(path, f'{name}-{local_now_filename()}-{time.time()}.zip')
+                password = user.secret_key.encode('utf8')
-                encrypt_and_compress_zip_file(attachment, user.secret_key, [filename])
+                attachment = os.path.join(path, f'{name}-{local_now_display()}-{time.time()}.zip')
                encrypt_and_compress_zip_file(attachment, password, [filename])
                attachments = [attachment]
-            ChangeSecretExecutionTaskMsg(name, user, summary).publish(attachments)
+            ChangeSecretExecutionTaskMsg(name, user).publish(attachments)
        os.remove(filename)
    @staticmethod
@@ -289,9 +222,8 @@ class ChangeSecretManager(AccountBasePlaybookManager):
        rows.insert(0, header)
        wb = Workbook(filename)
-        ws = wb.add_worksheet('Sheet1')
+        ws = wb.create_sheet('Sheet1')
-        for row_index, row_data in enumerate(rows):
+        for row in rows:
-            for col_index, col_data in enumerate(row_data):
+            ws.append(row)
-                ws.write_string(row_index, col_index, col_data)
+        wb.save(filename)
        wb.close()
        return True
--- a/apps/accounts/automations/endpoint.py
+++ b/apps/accounts/automations/endpoint.py
@@ -1,9 +1,8 @@
 from .backup_account.manager import AccountBackupManager
 from .change_secret.manager import ChangeSecretManager
 from .gather_accounts.manager import GatherAccountsManager
 from .push_account.manager import PushAccountManager
-from .remove_account.manager import RemoveAccountManager
+from .change_secret.manager import ChangeSecretManager
 from .verify_account.manager import VerifyAccountManager
 from .backup_account.manager import AccountBackupManager
 from .gather_accounts.manager import GatherAccountsManager
 from .verify_gateway_account.manager import VerifyGatewayAccountManager
 from ..const import AutomationTypes
@@ -13,7 +12,6 @@ class ExecutionManager:
        AutomationTypes.push_account: PushAccountManager,
        AutomationTypes.change_secret: ChangeSecretManager,
        AutomationTypes.verify_account: VerifyAccountManager,
        AutomationTypes.remove_account: RemoveAccountManager,
        AutomationTypes.gather_accounts: GatherAccountsManager,
        AutomationTypes.verify_gateway_account: VerifyGatewayAccountManager,
        # TODO 后期迁移到自动化策略中
--- a/apps/accounts/automations/gather_accounts/database/mongodb/main.yml
+++ b/apps/accounts/automations/gather_accounts/database/mongodb/main.yml
@@ -1,7 +1,7 @@
 - hosts: mongodb
  gather_facts: no
  vars:
-    ansible_python_interpreter: /opt/py3/bin/python
+    ansible_python_interpreter: /usr/local/bin/python
  tasks:
    - name: Get info
@@ -12,8 +12,8 @@
        login_port: "{{ jms_asset.port }}"
        login_database: "{{ jms_asset.spec_info.db_name }}"
        ssl: "{{ jms_asset.spec_info.use_ssl }}"
-        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert | default('') }}"
+        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
-        ssl_certfile: "{{ jms_asset.secret_info.client_key | default('') }}"
+        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
        connection_options:
          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
        filter: users
--- a/apps/accounts/automations/gather_accounts/database/mysql/main.yml
+++ b/apps/accounts/automations/gather_accounts/database/mysql/main.yml
@@ -1,8 +1,7 @@
 - hosts: mysql
  gather_facts: no
  vars:
-    ansible_python_interpreter: /opt/py3/bin/python
+    ansible_python_interpreter: /usr/local/bin/python
    check_ssl: "{{ jms_asset.spec_info.use_ssl and not jms_asset.spec_info.allow_invalid_cert }}"
  tasks:
    - name: Get info
@@ -11,10 +10,6 @@
        login_password: "{{ jms_account.secret }}"
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        check_hostname: "{{ check_ssl if check_ssl else omit }}"
        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) if check_ssl else omit }}"
        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) if check_ssl else omit }}"
        client_key: "{{ jms_asset.secret_info.client_key | default(omit) if check_ssl else omit }}"
        filter: users
      register: db_info
--- a/apps/accounts/automations/gather_accounts/database/oracle/main.yml
+++ b/apps/accounts/automations/gather_accounts/database/oracle/main.yml
@@ -1,7 +1,7 @@
 - hosts: oralce
  gather_facts: no
  vars:
-    ansible_python_interpreter: /opt/py3/bin/python
+    ansible_python_interpreter: /usr/local/bin/python
  tasks:
    - name: Get info
--- a/apps/accounts/automations/gather_accounts/database/postgresql/main.yml
+++ b/apps/accounts/automations/gather_accounts/database/postgresql/main.yml
@@ -1,7 +1,7 @@
 - hosts: postgresql
  gather_facts: no
  vars:
-    ansible_python_interpreter: /opt/py3/bin/python
+    ansible_python_interpreter: /usr/local/bin/python
  tasks:
    - name: Get info
--- a/apps/accounts/automations/gather_accounts/host/windows/main.yml
+++ b/apps/accounts/automations/gather_accounts/host/windows/main.yml
@@ -1,10 +1,9 @@
 - hosts: demo
  gather_facts: no
  tasks:
-    - name: Gather windows account
+    - name: Gather posix account
      ansible.builtin.win_shell: net user
      register: result
      ignore_errors: true
    - name: Define info by set_fact
      ansible.builtin.set_fact:
--- a/apps/accounts/automations/gather_accounts/manager.py
+++ b/apps/accounts/automations/gather_accounts/manager.py
@@ -1,14 +1,9 @@
 from collections import defaultdict
 from accounts.const import AutomationTypes
 from accounts.models import GatheredAccount
 from assets.models import Asset
 from common.utils import get_logger
 from orgs.utils import tmp_to_org
 from users.models import User
 from .filter import GatherAccountsFilter
 from ..base.manager import AccountBasePlaybookManager
 from ...notifications import GatherAccountChangeMsg
 logger = get_logger(__name__)
@@ -17,9 +12,6 @@ class GatherAccountsManager(AccountBasePlaybookManager):
    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.host_asset_mapper = {}
        self.asset_account_info = {}
        self.asset_username_mapper = defaultdict(set)
        self.is_sync_account = self.execution.snapshot.get('is_sync_account')
    @classmethod
@@ -34,11 +26,10 @@ class GatherAccountsManager(AccountBasePlaybookManager):
    def filter_success_result(self, tp, result):
        result = GatherAccountsFilter(tp).run(self.method_id_meta_mapper, result)
        return result
-
+    @staticmethod
-    def generate_data(self, asset, result):
+    def generate_data(asset, result):
        data = []
        for username, info in result.items():
            self.asset_username_mapper[str(asset.id)].add(username)
            d = {'asset': asset, 'username': username, 'present': True}
            if info.get('date'):
                d['date_last_login'] = info['date']
@@ -47,93 +38,26 @@ class GatherAccountsManager(AccountBasePlaybookManager):
            data.append(d)
        return data
-    def collect_asset_account_info(self, asset, result):
+    def update_or_create_accounts(self, asset, result):
        data = self.generate_data(asset, result)
-        self.asset_account_info[asset] = data
+        with tmp_to_org(asset.org_id):
-
+            gathered_accounts = []
-    @staticmethod
+            GatheredAccount.objects.filter(asset=asset, present=True).update(present=False)
-    def get_nested_info(data, *keys):
+            for d in data:
-        for key in keys:
+                username = d['username']
-            data = data.get(key, {})
+                gathered_account, __ = GatheredAccount.objects.update_or_create(
-            if not data:
+                    defaults=d, asset=asset, username=username,
-                break
+                )
-        return data
+                gathered_accounts.append(gathered_account)
            if not self.is_sync_account:
                return
            GatheredAccount.sync_accounts(gathered_accounts)
    def on_host_success(self, host, result):
-        info = self.get_nested_info(result, 'debug', 'res', 'info')
+        info = result.get('debug', {}).get('res', {}).get('info', {})
        asset = self.host_asset_mapper.get(host)
        if asset and info:
            result = self.filter_success_result(asset.type, info)
-            self.collect_asset_account_info(asset, result)
+            self.update_or_create_accounts(asset, result)
        else:
-            print(f'\033[31m Not found {host} info \033[0m\n')
+            logger.error("Not found info".format(host))
    def update_or_create_accounts(self):
        for asset, data in self.asset_account_info.items():
            with tmp_to_org(asset.org_id):
                gathered_accounts = []
                GatheredAccount.objects.filter(asset=asset, present=True).update(present=False)
                for d in data:
                    username = d['username']
                    gathered_account, __ = GatheredAccount.objects.update_or_create(
                        defaults=d, asset=asset, username=username,
                    )
                    gathered_accounts.append(gathered_account)
                if not self.is_sync_account:
                    continue
                GatheredAccount.sync_accounts(gathered_accounts)
    def run(self, *args, **kwargs):
        super().run(*args, **kwargs)
        users, change_info = self.generate_send_users_and_change_info()
        self.update_or_create_accounts()
        self.send_email_if_need(users, change_info)
    def generate_send_users_and_change_info(self):
        recipients = self.execution.recipients
        if not self.asset_username_mapper or not recipients:
            return None, None
        users = User.objects.filter(id__in=recipients)
        if not users:
            return users, None
        asset_ids = self.asset_username_mapper.keys()
        assets = Asset.objects.filter(id__in=asset_ids)
        gather_accounts = GatheredAccount.objects.filter(asset_id__in=asset_ids, present=True)
        asset_id_map = {str(asset.id): asset for asset in assets}
        asset_id_username = list(assets.values_list('id', 'accounts__username'))
        asset_id_username.extend(list(gather_accounts.values_list('asset_id', 'username')))
        system_asset_username_mapper = defaultdict(set)
        for asset_id, username in asset_id_username:
            system_asset_username_mapper[str(asset_id)].add(username)
        change_info = {}
        for asset_id, usernames in self.asset_username_mapper.items():
            system_usernames = system_asset_username_mapper.get(asset_id)
            if not system_usernames:
                continue
            add_usernames = usernames - system_usernames
            remove_usernames = system_usernames - usernames
            k = f'{asset_id_map[asset_id]}[{asset_id}]'
            if not add_usernames and not remove_usernames:
                continue
            change_info[k] = {
                'add_usernames': ', '.join(add_usernames),
                'remove_usernames': ', '.join(remove_usernames),
            }
        return users, change_info
    @staticmethod
    def send_email_if_need(users, change_info):
        if not users or not change_info:
            return
        for user in users:
            GatherAccountChangeMsg(user, change_info).publish_async()
--- a/apps/accounts/automations/push_account/database/mongodb/main.yml
+++ b/apps/accounts/automations/push_account/database/mongodb/main.yml
@@ -1,7 +1,7 @@
 - hosts: mongodb
  gather_facts: no
  vars:
-    ansible_python_interpreter: /opt/py3/bin/python
+    ansible_python_interpreter: /usr/local/bin/python
  tasks:
    - name: Test MongoDB connection
@@ -12,8 +12,8 @@
        login_port: "{{ jms_asset.port }}"
        login_database: "{{ jms_asset.spec_info.db_name }}"
        ssl: "{{ jms_asset.spec_info.use_ssl }}"
-        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert | default('') }}"
+        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
-        ssl_certfile: "{{ jms_asset.secret_info.client_key | default('') }}"
+        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
        connection_options:
          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
      register: db_info
@@ -31,8 +31,8 @@
        login_port: "{{ jms_asset.port }}"
        login_database: "{{ jms_asset.spec_info.db_name }}"
        ssl: "{{ jms_asset.spec_info.use_ssl }}"
-        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert | default('') }}"
+        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
-        ssl_certfile: "{{ jms_asset.secret_info.client_key | default('') }}"
+        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
        connection_options:
          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
        db: "{{ jms_asset.spec_info.db_name }}"
@@ -49,7 +49,7 @@
        login_port: "{{ jms_asset.port }}"
        login_database: "{{ jms_asset.spec_info.db_name }}"
        ssl: "{{ jms_asset.spec_info.use_ssl }}"
-        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert | default('') }}"
+        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
-        ssl_certfile: "{{ jms_asset.secret_info.client_key | default('') }}"
+        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
        connection_options:
          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
--- a/apps/accounts/automations/push_account/database/mysql/main.yml
+++ b/apps/accounts/automations/push_account/database/mysql/main.yml
@@ -1,9 +1,8 @@
 - hosts: mysql
  gather_facts: no
  vars:
-    ansible_python_interpreter: /opt/py3/bin/python
+    ansible_python_interpreter: /usr/local/bin/python
    db_name: "{{ jms_asset.spec_info.db_name }}"
    check_ssl: "{{ jms_asset.spec_info.use_ssl and not jms_asset.spec_info.allow_invalid_cert }}"
  tasks:
    - name: Test MySQL connection
@@ -12,10 +11,6 @@
        login_password: "{{ jms_account.secret }}"
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        check_hostname: "{{ check_ssl if check_ssl else omit }}"
        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) if check_ssl else omit }}"
        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) if check_ssl else omit }}"
        client_key: "{{ jms_asset.secret_info.client_key | default(omit) if check_ssl else omit }}"
        filter: version
      register: db_info
@@ -29,10 +24,6 @@
        login_password: "{{ jms_account.secret }}"
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        check_hostname: "{{ check_ssl if check_ssl else omit }}"
        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) if check_ssl else omit }}"
        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) if check_ssl else omit }}"
        client_key: "{{ jms_asset.secret_info.client_key | default(omit) if check_ssl else omit }}"
        name: "{{ account.username }}"
        password: "{{ account.secret }}"
        host: "%"
@@ -46,8 +37,4 @@
        login_password: "{{ account.secret }}"
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        check_hostname: "{{ check_ssl if check_ssl else omit }}"
        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) if check_ssl else omit }}"
        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) if check_ssl else omit }}"
        client_key: "{{ jms_asset.secret_info.client_key | default(omit) if check_ssl else omit }}"
        filter: version
--- a/apps/accounts/automations/push_account/database/oracle/main.yml
+++ b/apps/accounts/automations/push_account/database/oracle/main.yml
@@ -1,7 +1,7 @@
 - hosts: oracle
  gather_facts: no
  vars:
-    ansible_python_interpreter: /opt/py3/bin/python
+    ansible_python_interpreter: /usr/local/bin/python
  tasks:
    - name: Test Oracle connection
@@ -39,4 +39,3 @@
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        login_database: "{{ jms_asset.spec_info.db_name }}"
        mode: "{{ account.mode }}"
--- a/apps/accounts/automations/push_account/database/postgresql/main.yml
+++ b/apps/accounts/automations/push_account/database/postgresql/main.yml
@@ -1,7 +1,7 @@
 - hosts: postgre
  gather_facts: no
  vars:
-    ansible_python_interpreter: /opt/py3/bin/python
+    ansible_python_interpreter: /usr/local/bin/python
  tasks:
    - name: Test PostgreSQL connection
@@ -31,7 +31,6 @@
        role_attr_flags: LOGIN
      ignore_errors: true
      when: result is succeeded
      register: change_info
    - name: Verify password
      community.postgresql.postgresql_ping:
@@ -43,5 +42,3 @@
      when:
        - result is succeeded
        - change_info is succeeded
      register: result
      failed_when: not result.is_available
--- a/apps/accounts/automations/push_account/database/sqlserver/main.yml
+++ b/apps/accounts/automations/push_account/database/sqlserver/main.yml
@@ -1,7 +1,7 @@
 - hosts: sqlserver
  gather_facts: no
  vars:
-    ansible_python_interpreter: /opt/py3/bin/python
+    ansible_python_interpreter: /usr/local/bin/python
  tasks:
    - name: Test SQLServer connection
@@ -40,7 +40,7 @@
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        name: '{{ jms_asset.spec_info.db_name }}'
-        script: "ALTER LOGIN {{ account.username }} WITH PASSWORD = '{{ account.secret }}', DEFAULT_DATABASE = {{ jms_asset.spec_info.db_name }}; select @@version"
+        script: "ALTER LOGIN {{ account.username }} WITH PASSWORD = '{{ account.secret }}'; select @@version"
      ignore_errors: true
      when: user_exist.query_results[0] | length != 0
      register: change_info
@@ -52,7 +52,7 @@
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        name: '{{ jms_asset.spec_info.db_name }}'
-        script: "CREATE LOGIN [{{ account.username }}] WITH PASSWORD = '{{ account.secret }}'; CREATE USER [{{ account.username }}] FOR LOGIN [{{ account.username }}]; select @@version"
+        script: "CREATE LOGIN {{ account.username }} WITH PASSWORD = '{{ account.secret }}'; select @@version"
      ignore_errors: true
      when: user_exist.query_results[0] | length == 0
      register: change_info
--- a/apps/accounts/automations/push_account/host/aix/main.yml
+++ b/apps/accounts/automations/push_account/host/aix/main.yml
@@ -1,17 +1,10 @@
 - hosts: demo
  gather_facts: no
  tasks:
-    - name: "Test privileged {{ jms_account.username }} account"
+    - name: Test privileged account
      ansible.builtin.ping:
-    - name: "Check if {{ account.username }} user exists"
+    - name: Push user
      getent:
        database: passwd
        key: "{{ account.username }}"
      register: user_info
      ignore_errors: yes  # 忽略错误，如果用户不存在时不会导致playbook失败
    - name: "Add {{ account.username }} user"
      ansible.builtin.user:
        name: "{{ account.username }}"
        shell: "{{ params.shell }}"
@@ -19,26 +12,22 @@
        groups: "{{ params.groups }}"
        expires: -1
        state: present
      when: user_info.failed
    - name: "Add {{ account.username }} group"
      ansible.builtin.group:
        name: "{{ account.username }}"
        state: present
      when: user_info.failed
-    - name: "Add {{ account.username }} user to group"
+    - name: Add user groups
      ansible.builtin.user:
        name: "{{ account.username }}"
        groups: "{{ params.groups }}"
-      when:
+      when: params.groups
        - user_info.failed
        - params.groups
-    - name: "Change {{ account.username }} password"
+    - name: Push user password
      ansible.builtin.user:
        name: "{{ account.username }}"
-        password: "{{ account.secret | password_hash('des') }}"
+        password: "{{ account.secret | password_hash('sha512') }}"
        update_password: always
      ignore_errors: true
      when: account.secret_type == "password"
@@ -52,14 +41,14 @@
        - account.secret_type == "ssh_key"
        - ssh_params.strategy == "set_jms"
-    - name: "Change {{ account.username }} SSH key"
+    - name: Push SSH key
      ansible.builtin.authorized_key:
        user: "{{ account.username }}"
        key: "{{ account.secret }}"
        exclusive: "{{ ssh_params.exclusive }}"
      when: account.secret_type == "ssh_key"
-    - name: "Set {{ account.username }} sudo setting"
+    - name: Set sudo setting
      ansible.builtin.lineinfile:
        dest: /etc/sudoers
        state: present
@@ -67,36 +56,25 @@
        line: "{{ account.username + ' ALL=(ALL) NOPASSWD: ' + params.sudo }}"
        validate: visudo -cf %s
      when:
        - user_info.failed
        - params.sudo
    - name: Refresh connection
      ansible.builtin.meta: reset_connection
-    - name: "Verify {{ account.username }} password (paramiko)"
+    - name: Verify password
-      ssh_ping:
+      ansible.builtin.ping:
-        login_user: "{{ account.username }}"
+      become: no
-        login_password: "{{ account.secret }}"
+      vars:
-        login_host: "{{ jms_asset.address }}"
+        ansible_user: "{{ account.username }}"
-        login_port: "{{ jms_asset.port }}"
+        ansible_password: "{{ account.secret }}"
-        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
+        ansible_become: no
        become: "{{ account.become.ansible_become | default(False) }}"
        become_method: su
        become_user: "{{ account.become.ansible_user | default('') }}"
        become_password: "{{ account.become.ansible_password | default('') }}"
        become_private_key_path: "{{ account.become.ansible_ssh_private_key_file | default(None) }}"
        old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
      when: account.secret_type == "password"
      delegate_to: localhost
-    - name: "Verify {{ account.username }} SSH KEY (paramiko)"
+    - name: Verify SSH key
-      ssh_ping:
+      ansible.builtin.ping:
-        login_host: "{{ jms_asset.address }}"
+      become: no
-        login_port: "{{ jms_asset.port }}"
+      vars:
-        login_user: "{{ account.username }}"
+        ansible_user: "{{ account.username }}"
-        login_private_key_path: "{{ account.private_key_path  }}"
+        ansible_ssh_private_key_file: "{{ account.private_key_path }}"
-        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
+        ansible_become: no
        old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
      when: account.secret_type == "ssh_key"
      delegate_to: localhost
--- a/apps/accounts/automations/push_account/host/aix/manifest.yml
+++ b/apps/accounts/automations/push_account/host/aix/manifest.yml
@@ -9,7 +9,7 @@ params:
    type: str
    label: 'Sudo'
    default: '/bin/whoami'
-    help_text: "{{ 'Params sudo help text' | trans }}"
+    help_text: '使用逗号分隔多个命令，如: /bin/whoami,/sbin/ifconfig'
  - name: shell
    type: str
@@ -18,44 +18,19 @@ params:
  - name: home
    type: str
-    label: "{{ 'Params home label' | trans }}"
+    label: '家目录'
    default: ''
-    help_text: "{{ 'Params home help text' | trans }}"
+    help_text: '默认家目录 /home/系统用户名: /home/username'
  - name: groups
    type: str
-    label: "{{ 'Params groups label' | trans }}"
+    label: '用户组'
    default: ''
-    help_text: "{{ 'Params groups help text' | trans }}"
+    help_text: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
 i18n:
  Aix account push:
-    zh: '使用 Ansible 模块 user 执行 Aix 账号推送 (DES)'
+    zh: 使用 Ansible 模块 user 执行 Aix 账号推送 (DES)
-    ja: 'Ansible user モジュールを使用して Aix アカウントをプッシュする (DES)'
+    ja: Ansible user モジュールを使用して Aix アカウントをプッシュする (DES)
-    en: 'Using Ansible module user to push account (DES)'
+    en: Using Ansible module user to push account (DES)
  Params sudo help text:
    zh: '使用逗号分隔多个命令，如: /bin/whoami,/sbin/ifconfig'
    ja: 'コンマで区切って複数のコマンドを入力してください。例: /bin/whoami,/sbin/ifconfig'
    en: 'Use commas to separate multiple commands, such as: /bin/whoami,/sbin/ifconfig'
  Params home help text:
    zh: '默认家目录 /home/{账号用户名}'
    ja: 'デフォルトのホームディレクトリ /home/{アカウントユーザ名}'
    en: 'Default home directory /home/{account username}'
  Params groups help text:
    zh: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
    ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
    en: 'Please enter the group. Multiple groups are separated by commas (please enter the existing group)'
  Params home label:
    zh: '家目录'
    ja: 'ホームディレクトリ'
    en: 'Home'
  Params groups label:
    zh: '用户组'
    ja: 'グループ'
    en: 'Groups'
--- a/apps/accounts/automations/push_account/host/posix/main.yml
+++ b/apps/accounts/automations/push_account/host/posix/main.yml
@@ -1,17 +1,10 @@
 - hosts: demo
  gather_facts: no
  tasks:
-    - name: "Test privileged {{ jms_account.username }} account"
+    - name: Test privileged account
      ansible.builtin.ping:
-    - name: "Check if {{ account.username }} user exists"
+    - name: Push user
      getent:
        database: passwd
        key: "{{ account.username }}"
      register: user_info
      ignore_errors: yes  # 忽略错误，如果用户不存在时不会导致playbook失败
    - name: "Add {{ account.username }} user"
      ansible.builtin.user:
        name: "{{ account.username }}"
        shell: "{{ params.shell }}"
@@ -19,23 +12,19 @@
        groups: "{{ params.groups }}"
        expires: -1
        state: present
      when: user_info.failed
    - name: "Add {{ account.username }} group"
      ansible.builtin.group:
        name: "{{ account.username }}"
        state: present
      when: user_info.failed
-    - name: "Add {{ account.username }} user to group"
+    - name: Add user groups
      ansible.builtin.user:
        name: "{{ account.username }}"
        groups: "{{ params.groups }}"
-      when:
+      when: params.groups
        - user_info.failed
        - params.groups
-    - name: "Change {{ account.username }} password"
+    - name: Push user password
      ansible.builtin.user:
        name: "{{ account.username }}"
        password: "{{ account.secret | password_hash('sha512') }}"
@@ -52,14 +41,14 @@
        - account.secret_type == "ssh_key"
        - ssh_params.strategy == "set_jms"
-    - name: "Change {{ account.username }} SSH key"
+    - name: Push SSH key
      ansible.builtin.authorized_key:
        user: "{{ account.username }}"
        key: "{{ account.secret }}"
        exclusive: "{{ ssh_params.exclusive }}"
      when: account.secret_type == "ssh_key"
-    - name: "Set {{ account.username }} sudo setting"
+    - name: Set sudo setting
      ansible.builtin.lineinfile:
        dest: /etc/sudoers
        state: present
@@ -67,36 +56,25 @@
        line: "{{ account.username + ' ALL=(ALL) NOPASSWD: ' + params.sudo }}"
        validate: visudo -cf %s
      when:
        - user_info.failed
        - params.sudo
    - name: Refresh connection
      ansible.builtin.meta: reset_connection
-    - name: "Verify {{ account.username }} password (paramiko)"
+    - name: Verify password
-      ssh_ping:
+      ansible.builtin.ping:
-        login_user: "{{ account.username }}"
+      become: no
-        login_password: "{{ account.secret }}"
+      vars:
-        login_host: "{{ jms_asset.address }}"
+        ansible_user: "{{ account.username }}"
-        login_port: "{{ jms_asset.port }}"
+        ansible_password: "{{ account.secret }}"
-        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
+        ansible_become: no
        become: "{{ account.become.ansible_become | default(False) }}"
        become_method: su
        become_user: "{{ account.become.ansible_user | default('') }}"
        become_password: "{{ account.become.ansible_password | default('') }}"
        become_private_key_path: "{{ account.become.ansible_ssh_private_key_file | default(None) }}"
        old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
      when: account.secret_type == "password"
      delegate_to: localhost
-    - name: "Verify {{ account.username }} SSH KEY (paramiko)"
+    - name: Verify SSH key
-      ssh_ping:
+      ansible.builtin.ping:
-        login_host: "{{ jms_asset.address }}"
+      become: no
-        login_port: "{{ jms_asset.port }}"
+      vars:
-        login_user: "{{ account.username }}"
+        ansible_user: "{{ account.username }}"
-        login_private_key_path: "{{ account.private_key_path  }}"
+        ansible_ssh_private_key_file: "{{ account.private_key_path }}"
-        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
+        ansible_become: no
        old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
      when: account.secret_type == "ssh_key"
      delegate_to: localhost
--- a/apps/accounts/automations/push_account/host/posix/manifest.yml
+++ b/apps/accounts/automations/push_account/host/posix/manifest.yml
@@ -10,7 +10,7 @@ params:
    type: str
    label: 'Sudo'
    default: '/bin/whoami'
-    help_text: "{{ 'Params sudo help text' | trans }}"
+    help_text: '使用逗号分隔多个命令，如: /bin/whoami,/sbin/ifconfig'
  - name: shell
    type: str
@@ -20,43 +20,18 @@ params:
  - name: home
    type: str
-    label: "{{ 'Params home label' | trans }}"
+    label: '家目录'
    default: ''
-    help_text: "{{ 'Params home help text' | trans }}"
+    help_text: '默认家目录 /home/系统用户名: /home/username'
  - name: groups
    type: str
-    label: "{{ 'Params groups label' | trans }}"
+    label: '用户组'
    default: ''
-    help_text: "{{ 'Params groups help text' | trans }}"
+    help_text: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
 i18n:
  Posix account push:
-    zh: '使用 Ansible 模块 user 执行账号推送 (sha512)'
+    zh: 使用 Ansible 模块 user 执行账号推送 (sha512)
-    ja: 'Ansible user モジュールを使用してアカウントをプッシュする (sha512)'
+    ja: Ansible user モジュールを使用してアカウントをプッシュする (sha512)
-    en: 'Using Ansible module user to push account (sha512)'
+    en: Using Ansible module user to push account (sha512)
  Params sudo help text:
    zh: '使用逗号分隔多个命令，如: /bin/whoami,/sbin/ifconfig'
    ja: 'コンマで区切って複数のコマンドを入力してください。例: /bin/whoami,/sbin/ifconfig'
    en: 'Use commas to separate multiple commands, such as: /bin/whoami,/sbin/ifconfig'
  Params home help text:
    zh: '默认家目录 /home/{账号用户名}'
    ja: 'デフォルトのホームディレクトリ /home/{アカウントユーザ名}'
    en: 'Default home directory /home/{account username}'
  Params groups help text:
    zh: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
    ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
    en: 'Please enter the group. Multiple groups are separated by commas (please enter the existing group)'
  Params home label:
    zh: '家目录'
    ja: 'ホームディレクトリ'
    en: 'Home'
  Params groups label:
    zh: '用户组'
    ja: 'グループ'
    en: 'Groups'
--- a/apps/accounts/automations/push_account/host/windows/manifest.yml
+++ b/apps/accounts/automations/push_account/host/windows/manifest.yml
@@ -10,15 +10,10 @@ params:
    type: str
    label: '用户组'
    default: 'Users,Remote Desktop Users'
-    help_text: "{{ 'Params groups help text' | trans }}"
+    help_text: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
 i18n:
  Windows account push:
-    zh: '使用 Ansible 模块 win_user 执行 Windows 账号推送'
+    zh: 使用 Ansible 模块 win_user 执行 Windows 账号推送
-    ja: 'Ansible win_user モジュールを使用して Windows アカウントをプッシュする'
+    ja: Ansible win_user モジュールを使用して Windows アカウントをプッシュする
-    en: 'Using Ansible module win_user to push account'
+    en: Using Ansible module win_user to push account
  Params groups help text:
    zh: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
    ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
    en: 'Please enter the group. Multiple groups are separated by commas (please enter the existing group)'
--- a/apps/accounts/automations/push_account/host/windows_rdp_verify/main.yml
+++ b/apps/accounts/automations/push_account/host/windows_rdp_verify/main.yml
@@ -1,35 +0,0 @@
 - hosts: demo
  gather_facts: no
  tasks:
    - name: Test privileged account
      ansible.windows.win_ping:
 #    - name: Print variables
 #      debug:
 #        msg: "Username: {{ account.username }}, Password: {{ account.secret }}"
    - name: Push user password
      ansible.windows.win_user:
        fullname: "{{ account.username}}"
        name: "{{ account.username }}"
        password: "{{ account.secret }}"
        password_never_expires: yes
        groups: "{{ params.groups }}"
        groups_action: add
        update_password: always
      ignore_errors: true
      when: account.secret_type == "password"
    - name: Refresh connection
      ansible.builtin.meta: reset_connection
    - name: Verify password (pyfreerdp)
      rdp_ping:
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.protocols | selectattr('name', 'equalto', 'rdp') | map(attribute='port') | first }}"
        login_user: "{{ account.username }}"
        login_password: "{{ account.secret }}"
        login_secret_type: "{{ account.secret_type }}"
        login_private_key_path: "{{ account.private_key_path }}"
      when: account.secret_type == "password"
      delegate_to: localhost
--- a/apps/accounts/automations/push_account/host/windows_rdp_verify/manifest.yml
+++ b/apps/accounts/automations/push_account/host/windows_rdp_verify/manifest.yml
@@ -1,25 +0,0 @@
 id: push_account_windows_rdp_verify
 name: "{{ 'Windows account push rdp verify' | trans }}"
 version: 1
 method: push_account
 category: host
 type:
  - windows
 priority: 49
 params:
  - name: groups
    type: str
    label: '用户组'
    default: 'Users,Remote Desktop Users'
    help_text: "{{ 'Params groups help text' | trans }}"
 i18n:
  Windows account push rdp verify:
    zh: '使用 Ansible 模块 win_user 执行 Windows 账号推送（最后使用 Python 模块 pyfreerdp 验证账号的可连接性）'
    ja: 'Ansible モジュール win_user を使用して Windows アカウントのプッシュを実行します (最後に Python モジュール pyfreerdp を使用してアカウントの接続性を確認します)'
    en: 'Use the Ansible module win_user to perform Windows account push (finally use the Python module pyfreerdp to verify the connectability of the account)'
  Params groups help text:
    zh: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
    ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
    en: 'Please enter the group. Multiple groups are separated by commas (please enter the existing group)'
--- a/apps/accounts/automations/push_account/manager.py
+++ b/apps/accounts/automations/push_account/manager.py
@@ -1,4 +1,7 @@
-from accounts.const import AutomationTypes
+from copy import deepcopy
 from accounts.const import AutomationTypes, SecretType, Connectivity
 from assets.const import HostTypes
 from common.utils import get_logger
 from ..base.manager import AccountBasePlaybookManager
 from ..change_secret.manager import ChangeSecretManager
@@ -7,11 +10,83 @@ logger = get_logger(__name__)
 class PushAccountManager(ChangeSecretManager, AccountBasePlaybookManager):
    ansible_account_prefer = ''
    @classmethod
    def method_type(cls):
        return AutomationTypes.push_account
    def host_callback(self, host, asset=None, account=None, automation=None, path_dir=None, **kwargs):
        host = super(ChangeSecretManager, self).host_callback(
            host, asset=asset, account=account, automation=automation,
            path_dir=path_dir, **kwargs
        )
        if host.get('error'):
            return host
        accounts = self.get_accounts(account)
        inventory_hosts = []
        if asset.type == HostTypes.WINDOWS and self.secret_type == SecretType.SSH_KEY:
            msg = f'Windows {asset} does not support ssh key push'
            print(msg)
            return inventory_hosts
        host['ssh_params'] = {}
        for account in accounts:
            h = deepcopy(host)
            secret_type = account.secret_type
            h['name'] += '(' + account.username + ')'
            if self.secret_type is None:
                new_secret = account.secret
            else:
                new_secret = self.get_secret(secret_type)
            self.name_recorder_mapper[h['name']] = {
                'account': account, 'new_secret': new_secret,
            }
            private_key_path = None
            if secret_type == SecretType.SSH_KEY:
                private_key_path = self.generate_private_key_path(new_secret, path_dir)
                new_secret = self.generate_public_key(new_secret)
            h['ssh_params'].update(self.get_ssh_params(account, new_secret, secret_type))
            h['account'] = {
                'name': account.name,
                'username': account.username,
                'secret_type': secret_type,
                'secret': new_secret,
                'private_key_path': private_key_path
            }
            if asset.platform.type == 'oracle':
                h['account']['mode'] = 'sysdba' if account.privileged else None
            inventory_hosts.append(h)
        return inventory_hosts
    def on_host_success(self, host, result):
        account_info = self.name_recorder_mapper.get(host)
        if not account_info:
            return
        account = account_info['account']
        new_secret = account_info['new_secret']
        if not account:
            return
        account.secret = new_secret
        account.save(update_fields=['secret'])
        account.set_connectivity(Connectivity.OK)
    def on_host_error(self, host, error, result):
        pass
    def on_runner_failed(self, runner, e):
        logger.error("Pust account error: ", e)
    def run(self, *args, **kwargs):
        if self.secret_type and not self.check_secret():
            return
        super(ChangeSecretManager, self).run(*args, **kwargs)
    # @classmethod
    # def trigger_by_asset_create(cls, asset):
    #     automations = PushAccountAutomation.objects.filter(
--- a/apps/accounts/automations/remove_account/database/mongodb/main.yml
+++ b/apps/accounts/automations/remove_account/database/mongodb/main.yml
@@ -1,21 +0,0 @@
 - hosts: mongodb
  gather_facts: no
  vars:
    ansible_python_interpreter: /opt/py3/bin/python
  tasks:
    - name: "Remove account"
      mongodb_user:
        login_user: "{{ jms_account.username }}"
        login_password: "{{ jms_account.secret }}"
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        login_database: "{{ jms_asset.spec_info.db_name }}"
        ssl: "{{ jms_asset.spec_info.use_ssl }}"
        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert | default('') }}"
        ssl_certfile: "{{ jms_asset.secret_info.client_key | default('') }}"
        connection_options:
          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
        db: "{{ jms_asset.spec_info.db_name }}"
        name: "{{ account.username }}"
        state: absent
--- a/apps/accounts/automations/remove_account/database/mongodb/manifest.yml
+++ b/apps/accounts/automations/remove_account/database/mongodb/manifest.yml
@@ -1,12 +0,0 @@
 id: remove_account_mongodb
 name: "{{ 'MongoDB account remove' | trans }}"
 category: database
 type:
  - mongodb
 method: remove_account
 i18n:
  MongoDB account remove:
    zh: 使用 Ansible 模块 mongodb 删除账号
    ja: Ansible モジュール mongodb を使用してアカウントを削除する
    en: Delete account using Ansible module mongodb
--- a/apps/accounts/automations/remove_account/database/mysql/main.yml
+++ b/apps/accounts/automations/remove_account/database/mysql/main.yml
@@ -1,18 +0,0 @@
 - hosts: mysql
  gather_facts: no
  vars:
    ansible_python_interpreter: /opt/py3/bin/python
  tasks:
    - name: "Remove account"
      community.mysql.mysql_user:
        login_user: "{{ jms_account.username }}"
        login_password: "{{ jms_account.secret }}"
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        check_hostname: "{{ check_ssl if check_ssl else omit }}"
        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) if check_ssl else omit }}"
        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) if check_ssl else omit }}"
        client_key: "{{ jms_asset.secret_info.client_key | default(omit) if check_ssl else omit }}"
        name: "{{ account.username }}"
        state: absent
--- a/apps/accounts/automations/remove_account/database/mysql/manifest.yml
+++ b/apps/accounts/automations/remove_account/database/mysql/manifest.yml
@@ -1,14 +0,0 @@
 id: remove_account_mysql
 name: "{{ 'MySQL account remove' | trans }}"
 category: database
 type:
  - mysql
  - mariadb
 method: remove_account
 i18n:
  MySQL account remove:
    zh: 使用 Ansible 模块 mysql_user 删除账号
    ja: Ansible モジュール mysql_user を使用してアカウントを削除します
    en: Use the Ansible module mysql_user to delete the account
--- a/apps/accounts/automations/remove_account/database/oracle/main.yml
+++ b/apps/accounts/automations/remove_account/database/oracle/main.yml
@@ -1,16 +0,0 @@
 - hosts: oracle
  gather_facts: no
  vars:
    ansible_python_interpreter: /opt/py3/bin/python
  tasks:
    - name: "Remove account"
      oracle_user:
        login_user: "{{ jms_account.username }}"
        login_password: "{{ jms_account.secret }}"
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        login_database: "{{ jms_asset.spec_info.db_name }}"
        mode: "{{ jms_account.mode }}"
        name: "{{ account.username }}"
        state: absent
--- a/apps/accounts/automations/remove_account/database/oracle/manifest.yml
+++ b/apps/accounts/automations/remove_account/database/oracle/manifest.yml
@@ -1,12 +0,0 @@
 id: remove_account_oracle
 name: "{{ 'Oracle account remove' | trans }}"
 category: database
 type:
  - oracle
 method: remove_account
 i18n:
  Oracle account remove:
    zh: 使用 Python 模块 oracledb 删除账号
    ja: Python モジュール oracledb を使用してアカウントを検証する
    en: Using Python module oracledb to verify account
--- a/apps/accounts/automations/remove_account/database/postgresql/main.yml
+++ b/apps/accounts/automations/remove_account/database/postgresql/main.yml
@@ -1,15 +0,0 @@
 - hosts: postgresql
  gather_facts: no
  vars:
    ansible_python_interpreter: /opt/py3/bin/python
  tasks:
    - name: "Remove account"
      community.postgresql.postgresql_user:
        login_user: "{{ jms_account.username }}"
        login_password: "{{ jms_account.secret }}"
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        db: "{{ jms_asset.spec_info.db_name }}"
        name: "{{ account.username }}"
        state: absent
--- a/apps/accounts/automations/remove_account/database/postgresql/manifest.yml
+++ b/apps/accounts/automations/remove_account/database/postgresql/manifest.yml
@@ -1,12 +0,0 @@
 id: remove_account_postgresql
 name: "{{ 'PostgreSQL account remove' | trans }}"
 category: database
 type:
  - postgresql
 method: remove_account
 i18n:
  PostgreSQL account remove:
    zh: 使用 Ansible 模块 postgresql_user 删除账号
    ja: Ansible モジュール postgresql_user を使用してアカウントを削除します
    en: Use the Ansible module postgresql_user to delete the account
--- a/apps/accounts/automations/remove_account/database/sqlserver/main.yml
+++ b/apps/accounts/automations/remove_account/database/sqlserver/main.yml
@@ -1,14 +0,0 @@
 - hosts: sqlserver
  gather_facts: no
  vars:
    ansible_python_interpreter: /opt/py3/bin/python
  tasks:
    - name: "Remove account"
      community.general.mssql_script:
        login_user: "{{ jms_account.username }}"
        login_password: "{{ jms_account.secret }}"
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        name: "{{ jms_asset.spec_info.db_name }}"
        script: "DROP USER {{ account.username }}"
--- a/apps/accounts/automations/remove_account/database/sqlserver/manifest.yml
+++ b/apps/accounts/automations/remove_account/database/sqlserver/manifest.yml
@@ -1,12 +0,0 @@
 id: remove_account_sqlserver
 name: "{{ 'SQLServer account remove' | trans }}"
 category: database
 type:
  - sqlserver
 method: remove_account
 i18n:
  SQLServer account remove:
    zh: 使用 Ansible 模块 mssql 删除账号
    ja: Ansible モジュール mssql を使用してアカウントを削除する
    en: Use Ansible module mssql to delete account
--- a/apps/accounts/automations/remove_account/host/posix/main.yml
+++ b/apps/accounts/automations/remove_account/host/posix/main.yml
@@ -1,26 +0,0 @@
 - hosts: demo
  gather_facts: no
  tasks:
    - name: "Get user home directory path"
      ansible.builtin.shell:
        cmd: "getent passwd {{ account.username }} | cut -d: -f6"
      register: user_home_dir
      ignore_errors: yes
    - name: "Check if user home directory exists"
      ansible.builtin.stat:
        path: "{{ user_home_dir.stdout }}"
      register: home_dir
      when: user_home_dir.stdout != ""
    - name: "Rename user home directory if it exists"
      ansible.builtin.command:
        cmd: "mv {{ user_home_dir.stdout }} {{ user_home_dir.stdout }}.bak"
      when: home_dir.stat | default(false) and user_home_dir.stdout != ""
    - name: "Remove account"
      ansible.builtin.user:
        name: "{{ account.username }}"
        state: absent
        remove: "{{ home_dir.stat.exists }}"
      when: home_dir.stat | default(false)
--- a/apps/accounts/automations/remove_account/host/posix/manifest.yml
+++ b/apps/accounts/automations/remove_account/host/posix/manifest.yml
@@ -1,13 +0,0 @@
 id: remove_account_posix
 name: "{{ 'Posix account remove' | trans }}"
 category: host
 type:
  - linux
  - unix
 method: remove_account
 i18n:
  Posix account remove:
    zh: 使用 Ansible 模块 user 删除账号
    ja: Ansible モジュール ユーザーを使用してアカウントを削除します
    en: Use the Ansible module user to delete the account
--- a/apps/accounts/automations/remove_account/host/windows/main.yml
+++ b/apps/accounts/automations/remove_account/host/windows/main.yml
@@ -1,9 +0,0 @@
 - hosts: windows
  gather_facts: no
  tasks:
    - name: "Remove account"
      ansible.windows.win_user:
        name: "{{ account.username }}"
        state: absent
        purge: yes
        force: yes
--- a/apps/accounts/automations/remove_account/host/windows/manifest.yml
+++ b/apps/accounts/automations/remove_account/host/windows/manifest.yml
@@ -1,13 +0,0 @@
 id: remove_account_windows
 name: "{{ 'Windows account remove' | trans }}"
 version: 1
 method: remove_account
 category: host
 type:
  - windows
 i18n:
  Windows account remove:
    zh: 使用 Ansible 模块 win_user 删除账号
    ja: Ansible モジュール win_user を使用してアカウントを削除する
    en: Use the Ansible module win_user to delete an account
--- a/apps/accounts/automations/remove_account/manager.py
+++ b/apps/accounts/automations/remove_account/manager.py
@@ -1,70 +0,0 @@
 import os
 from copy import deepcopy
 from django.db.models import QuerySet
 from accounts.const import AutomationTypes
 from accounts.models import Account
 from common.utils import get_logger
 from ..base.manager import AccountBasePlaybookManager
 logger = get_logger(__name__)
 class RemoveAccountManager(AccountBasePlaybookManager):
    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.host_account_mapper = {}
    def prepare_runtime_dir(self):
        path = super().prepare_runtime_dir()
        ansible_config_path = os.path.join(path, 'ansible.cfg')
        with open(ansible_config_path, 'w') as f:
            f.write('[ssh_connection]\n')
            f.write('ssh_args = -o ControlMaster=no -o ControlPersist=no\n')
        return path
    @classmethod
    def method_type(cls):
        return AutomationTypes.remove_account
    def get_gather_accounts(self, privilege_account, gather_accounts: QuerySet):
        gather_account_ids = self.execution.snapshot['gather_accounts']
        gather_accounts = gather_accounts.filter(id__in=gather_account_ids)
        gather_accounts = gather_accounts.exclude(
            username__in=[privilege_account.username, 'root', 'Administrator']
        )
        return gather_accounts
    def host_callback(self, host, asset=None, account=None, automation=None, path_dir=None, **kwargs):
        if host.get('error'):
            return host
        gather_accounts = asset.gatheredaccount_set.all()
        gather_accounts = self.get_gather_accounts(account, gather_accounts)
        inventory_hosts = []
        for gather_account in gather_accounts:
            h = deepcopy(host)
            h['name'] += '(' + gather_account.username + ')'
            self.host_account_mapper[h['name']] = (asset, gather_account)
            h['account'] = {'username': gather_account.username}
            inventory_hosts.append(h)
        return inventory_hosts
    def on_host_success(self, host, result):
        tuple_asset_gather_account = self.host_account_mapper.get(host)
        if not tuple_asset_gather_account:
            return
        asset, gather_account = tuple_asset_gather_account
        try:
            Account.objects.filter(
                asset_id=asset.id,
                username=gather_account.username
            ).delete()
            gather_account.delete()
        except Exception as e:
            print(f'\033[31m Delete account {gather_account.username} failed: {e} \033[0m\n')
--- a/apps/accounts/automations/verify_account/custom/rdp/main.yml
+++ b/apps/accounts/automations/verify_account/custom/rdp/main.yml
@@ -3,7 +3,6 @@
  vars:
    ansible_shell_type: sh
    ansible_connection: local
    ansible_python_interpreter: /opt/py3/bin/python
  tasks:
    - name: Verify account (pyfreerdp)
--- a/apps/accounts/automations/verify_account/custom/rdp/manifest.yml
+++ b/apps/accounts/automations/verify_account/custom/rdp/manifest.yml
@@ -5,11 +5,9 @@ category:
 type:
  - windows
 method: verify_account
 protocol: rdp
 priority: 1
 i18n:
  Windows rdp account verify:
-    zh: '使用 Python 模块 pyfreerdp 验证账号'
+    zh: 使用 Python 模块 pyfreerdp 验证账号
-    ja: 'Python モジュール pyfreerdp を使用してアカウントを検証する'
+    ja: Python モジュール pyfreerdp を使用してアカウントを検証する
-    en: 'Using Python module pyfreerdp to verify account'
+    en: Using Python module pyfreerdp to verify account
--- a/apps/accounts/automations/verify_account/custom/ssh/main.yml
+++ b/apps/accounts/automations/verify_account/custom/ssh/main.yml
@@ -2,8 +2,6 @@
  gather_facts: no
  vars:
    ansible_connection: local
    ansible_shell_type: sh
    ansible_become: false
  tasks:
    - name: Verify account (paramiko)
@@ -14,10 +12,3 @@
        login_password: "{{ account.secret }}"
        login_secret_type: "{{ account.secret_type }}"
        login_private_key_path: "{{ account.private_key_path }}"
        become: "{{ account.become.ansible_become | default(False) }}"
        become_method: "{{ account.become.ansible_become_method | default('su') }}"
        become_user: "{{ account.become.ansible_user | default('') }}"
        become_password: "{{ account.become.ansible_password | default('') }}"
        become_private_key_path: "{{ account.become.ansible_ssh_private_key_file | default(None) }}"
        old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default(None) }}"
--- a/apps/accounts/automations/verify_account/custom/ssh/manifest.yml
+++ b/apps/accounts/automations/verify_account/custom/ssh/manifest.yml
@@ -6,11 +6,9 @@ category:
 type:
  - all
 method: verify_account
 protocol: ssh
 priority: 50
 i18n:
  SSH account verify:
-    zh: '使用 Python 模块 paramiko 验证账号'
+    zh: 使用 Python 模块 paramiko 验证账号
-    ja: 'Python モジュール paramiko を使用してアカウントを検証する'
+    ja: Python モジュール paramiko を使用してアカウントを検証する
-    en: 'Using Python module paramiko to verify account'
+    en: Using Python module paramiko to verify account
--- a/apps/accounts/automations/verify_account/database/mongodb/main.yml
+++ b/apps/accounts/automations/verify_account/database/mongodb/main.yml
@@ -1,7 +1,7 @@
- hosts: mongodb
+- hosts: mongdb
  gather_facts: no
  vars:
-    ansible_python_interpreter: /opt/py3/bin/python
+    ansible_python_interpreter: /usr/local/bin/python
  tasks:
    - name: Verify account
@@ -12,7 +12,7 @@
        login_port: "{{ jms_asset.port }}"
        login_database: "{{ jms_asset.spec_info.db_name }}"
        ssl: "{{ jms_asset.spec_info.use_ssl }}"
-        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert | default('') }}"
+        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
-        ssl_certfile: "{{ jms_asset.secret_info.client_key | default('') }}"
+        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
        connection_options:
-          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert }}"
+          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
--- a/apps/accounts/automations/verify_account/database/mysql/main.yml
+++ b/apps/accounts/automations/verify_account/database/mysql/main.yml
@@ -1,8 +1,7 @@
 - hosts: mysql
  gather_facts: no
  vars:
-    ansible_python_interpreter: /opt/py3/bin/python
+    ansible_python_interpreter: /usr/local/bin/python
    check_ssl: "{{ jms_asset.spec_info.use_ssl and not jms_asset.spec_info.allow_invalid_cert }}"
  tasks:
    - name: Verify account
@@ -11,8 +10,4 @@
        login_password: "{{ account.secret }}"
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        check_hostname: "{{ check_ssl if check_ssl else omit }}"
        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) if check_ssl else omit }}"
        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) if check_ssl else omit }}"
        client_key: "{{ jms_asset.secret_info.client_key | default(omit) if check_ssl else omit }}"
        filter: version
--- a/apps/accounts/automations/verify_account/database/oracle/main.yml
+++ b/apps/accounts/automations/verify_account/database/oracle/main.yml
@@ -1,7 +1,7 @@
 - hosts: oracle
  gather_facts: no
  vars:
-    ansible_python_interpreter: /opt/py3/bin/python
+    ansible_python_interpreter: /usr/local/bin/python
  tasks:
    - name: Verify account
--- a/apps/accounts/automations/verify_account/database/postgresql/main.yml
+++ b/apps/accounts/automations/verify_account/database/postgresql/main.yml
@@ -1,7 +1,8 @@
 - hosts: postgresql
  gather_facts: no
  vars:
-    ansible_python_interpreter: /opt/py3/bin/python
+    ansible_python_interpreter: /usr/local/bin/python
  tasks:
    - name: Verify account
--- a/apps/accounts/automations/verify_account/database/sqlserver/main.yml
+++ b/apps/accounts/automations/verify_account/database/sqlserver/main.yml
@@ -1,7 +1,7 @@
 - hosts: sqlserver
  gather_facts: no
  vars:
-    ansible_python_interpreter: /opt/py3/bin/python
+    ansible_python_interpreter: /usr/local/bin/python
  tasks:
    - name: Verify account
--- a/apps/accounts/automations/verify_account/host/posix/main.yml
+++ b/apps/accounts/automations/verify_account/host/posix/main.yml
@@ -1,23 +1,11 @@
 - hosts: demo
  gather_facts: no
  tasks:
-    - name: Verify account connectivity(Do not switch)
+    - name: Verify account connectivity
      become: no
      ansible.builtin.ping:
      vars:
        ansible_become: no
        ansible_user: "{{ account.username }}"
        ansible_password: "{{ account.secret }}"
        ansible_ssh_private_key_file: "{{ account.private_key_path }}"
      when: not account.become.ansible_become
    - name: Verify account connectivity(Switch)
      ansible.builtin.ping:
      vars:
        ansible_become: yes
        ansible_user: "{{ account.become.ansible_user }}"
        ansible_password: "{{ account.become.ansible_password }}"
        ansible_ssh_private_key_file: "{{ account.become.ansible_ssh_private_key_file }}"
        ansible_become_method: "{{ account.become.ansible_become_method }}"
        ansible_become_user: "{{ account.become.ansible_become_user }}"
        ansible_become_password: "{{ account.become.ansible_become_password }}"
      when: account.become.ansible_become
--- a/apps/accounts/automations/verify_account/manager.py
+++ b/apps/accounts/automations/verify_account/manager.py
@@ -42,6 +42,7 @@ class VerifyAccountManager(AccountBasePlaybookManager):
        if host.get('error'):
            return host
        # host['ssh_args'] = '-o ControlMaster=no -o ControlPersist=no'
        accounts = asset.accounts.all()
        accounts = self.get_accounts(account, accounts)
        inventory_hosts = []
@@ -51,9 +52,6 @@ class VerifyAccountManager(AccountBasePlaybookManager):
            h['name'] += '(' + account.username + ')'
            self.host_account_mapper[h['name']] = account
            secret = account.secret
            if secret is None:
                print(f'account {account.name} secret is None')
                continue
            private_key_path = None
            if account.secret_type == SecretType.SSH_KEY:
@@ -65,9 +63,8 @@ class VerifyAccountManager(AccountBasePlaybookManager):
                'name': account.name,
                'username': account.username,
                'secret_type': account.secret_type,
-                'secret': account.escape_jinja2_syntax(secret),
+                'secret': secret,
-                'private_key_path': private_key_path,
+                'private_key_path': private_key_path
                'become': account.get_ansible_become_auth(),
            }
            if account.platform.type == 'oracle':
                h['account']['mode'] = 'sysdba' if account.privileged else None
@@ -76,14 +73,8 @@ class VerifyAccountManager(AccountBasePlaybookManager):
    def on_host_success(self, host, result):
        account = self.host_account_mapper.get(host)
-        try:
+        account.set_connectivity(Connectivity.OK)
            account.set_connectivity(Connectivity.OK)
        except Exception as e:
            print(f'\033[31m Update account {account.name} connectivity failed: {e} \033[0m\n')
    def on_host_error(self, host, error, result):
        account = self.host_account_mapper.get(host)
-        try:
+        account.set_connectivity(Connectivity.ERR)
            account.set_connectivity(Connectivity.ERR)
        except Exception as e:
            print(f'\033[31m Update account {account.name} connectivity failed: {e} \033[0m\n')
--- a/apps/accounts/backends/init.py
+++ b/apps/accounts/backends/init.py
@@ -1,41 +0,0 @@
 from importlib import import_module
 from django.utils.functional import LazyObject
 from common.utils import get_logger
 from ..const import VaultTypeChoices
 __all__ = ['vault_client', 'get_vault_client']
 logger = get_logger(__file__)
 def get_vault_client(raise_exception=False, **kwargs):
    enabled = kwargs.get('VAULT_ENABLED')
    tp = 'hcp' if enabled else 'local'
    try:
        module_path = f'apps.accounts.backends.{tp}.main'
        client = import_module(module_path).Vault(**kwargs)
    except Exception as e:
        logger.error(f'Init vault client failed: {e}')
        if raise_exception:
            raise
        tp = VaultTypeChoices.local
        module_path = f'apps.accounts.backends.{tp}.main'
        client = import_module(module_path).Vault(**kwargs)
    return client
 class VaultClient(LazyObject):
    def _setup(self):
        from jumpserver import settings as js_settings
        from django.conf import settings
        vault_config_names = [k for k in js_settings.__dict__.keys() if k.startswith('VAULT_')]
        vault_configs = {name: getattr(settings, name, None) for name in vault_config_names}
        self._wrapped = get_vault_client(**vault_configs)
 """ 为了安全, 页面修改配置, 重启服务后才会重新初始化 vault_client """
 vault_client = VaultClient()
--- a/apps/accounts/backends/base.py
+++ b/apps/accounts/backends/base.py
@@ -1,74 +0,0 @@
 from abc import ABC, abstractmethod
 from django.forms.models import model_to_dict
 __all__ = ['BaseVault']
 class BaseVault(ABC):
    def __init__(self, *args, **kwargs):
        self.enabled = kwargs.get('VAULT_ENABLED')
    def get(self, instance):
        """ 返回 secret 值 """
        return self._get(instance)
    def create(self, instance):
        if not instance.secret_has_save_to_vault:
            self._create(instance)
            self._clean_db_secret(instance)
            self.save_metadata(instance)
        if instance.is_sync_metadata:
            self.save_metadata(instance)
    def update(self, instance):
        if not instance.secret_has_save_to_vault:
            self._update(instance)
            self._clean_db_secret(instance)
            self.save_metadata(instance)
        if instance.is_sync_metadata:
            self.save_metadata(instance)
    def delete(self, instance):
        self._delete(instance)
    def save_metadata(self, instance):
        metadata = model_to_dict(instance, fields=[
            'name', 'username', 'secret_type',
            'connectivity', 'su_from', 'privileged'
        ])
        metadata = {k: str(v)[:500] for k, v in metadata.items() if v}
        return self._save_metadata(instance, metadata)
    # -------- abstractmethod -------- #
    @abstractmethod
    def _get(self, instance):
        raise NotImplementedError
    @abstractmethod
    def _create(self, instance):
        raise NotImplementedError
    @abstractmethod
    def _update(self, instance):
        raise NotImplementedError
    @abstractmethod
    def _delete(self, instance):
        raise NotImplementedError
    @abstractmethod
    def _clean_db_secret(self, instance):
        raise NotImplementedError
    @abstractmethod
    def _save_metadata(self, instance, metadata):
        raise NotImplementedError
    @abstractmethod
    def is_active(self, *args, **kwargs) -> (bool, str):
        raise NotImplementedError
--- a/apps/accounts/backends/hcp/init.py
+++ b/apps/accounts/backends/hcp/init.py
@@ -1 +0,0 @@
 from .main import *
--- a/apps/accounts/backends/hcp/entries.py
+++ b/apps/accounts/backends/hcp/entries.py
@@ -1,84 +0,0 @@
 import sys
 from abc import ABC
 from common.db.utils import Encryptor
 from common.utils import lazyproperty
 current_module = sys.modules[__name__]
 __all__ = ['build_entry']
 class BaseEntry(ABC):
    def __init__(self, instance):
        self.instance = instance
    @lazyproperty
    def full_path(self):
        path_base = self.path_base
        path_spec = self.path_spec
        path = f'{path_base}/{path_spec}'
        return path
    @property
    def path_base(self):
        path = f'orgs/{self.instance.org_id}'
        return path
    @property
    def path_spec(self):
        raise NotImplementedError
    def to_internal_data(self):
        secret = getattr(self.instance, '_secret', None)
        if secret is not None:
            secret = Encryptor(secret).encrypt()
        data = {'secret': secret}
        return data
    @staticmethod
    def to_external_data(data):
        secret = data.pop('secret', None)
        if secret is not None:
            secret = Encryptor(secret).decrypt()
        return secret
 class AccountEntry(BaseEntry):
    @property
    def path_spec(self):
        path = f'assets/{self.instance.asset_id}/accounts/{self.instance.id}'
        return path
 class AccountTemplateEntry(BaseEntry):
    @property
    def path_spec(self):
        path = f'account-templates/{self.instance.id}'
        return path
 class HistoricalAccountEntry(BaseEntry):
    @property
    def path_base(self):
        account = self.instance.instance
        path = f'accounts/{account.id}/'
        return path
    @property
    def path_spec(self):
        path = f'histories/{self.instance.history_id}'
        return path
 def build_entry(instance) -> BaseEntry:
    class_name = instance.__class__.__name__
    entry_class_name = f'{class_name}Entry'
    entry_class = getattr(current_module, entry_class_name, None)
    if not entry_class:
        raise Exception(f'Entry class {entry_class_name} is not found')
    return entry_class(instance)
--- a/apps/accounts/backends/hcp/main.py
+++ b/apps/accounts/backends/hcp/main.py
@@ -1,53 +0,0 @@
 from common.db.utils import get_logger
 from .entries import build_entry
 from .service import VaultKVClient
 from ..base import BaseVault
 __all__ = ['Vault']
 logger = get_logger(__name__)
 class Vault(BaseVault):
    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.client = VaultKVClient(
            url=kwargs.get('VAULT_HCP_HOST'),
            token=kwargs.get('VAULT_HCP_TOKEN'),
            mount_point=kwargs.get('VAULT_HCP_MOUNT_POINT')
        )
    def is_active(self):
        return self.client.is_active()
    def _get(self, instance):
        entry = build_entry(instance)
        # TODO: get data 是不是层数太多了
        data = self.client.get(path=entry.full_path).get('data', {})
        data = entry.to_external_data(data)
        return data
    def _create(self, instance):
        entry = build_entry(instance)
        data = entry.to_internal_data()
        self.client.create(path=entry.full_path, data=data)
    def _update(self, instance):
        entry = build_entry(instance)
        data = entry.to_internal_data()
        self.client.patch(path=entry.full_path, data=data)
    def _delete(self, instance):
        entry = build_entry(instance)
        self.client.delete(path=entry.full_path)
    def _clean_db_secret(self, instance):
        instance.is_sync_metadata = False
        instance.mark_secret_save_to_vault()
    def _save_metadata(self, instance, metadata):
        try:
            entry = build_entry(instance)
            self.client.update_metadata(path=entry.full_path, metadata=metadata)
        except Exception as e:
            logger.error(f'save metadata error: {e}')
--- a/apps/accounts/backends/hcp/service.py
+++ b/apps/accounts/backends/hcp/service.py
@@ -1,102 +0,0 @@
 # -*- coding: utf-8 -*-
 #
 import hvac
 from hvac import exceptions
 from requests.exceptions import ConnectionError
 from common.utils import get_logger
 logger = get_logger(__name__)
 __all__ = ['VaultKVClient']
 class VaultKVClient(object):
    max_versions = 20
    def __init__(self, url, token, mount_point):
        assert isinstance(self.max_versions, int) and self.max_versions >= 3, (
            'max_versions must to be an integer that is greater than or equal to 3'
        )
        self.client = hvac.Client(url=url, token=token)
        self.mount_point = mount_point
        self.enable_secrets_engine_if_need()
    def is_active(self):
        try:
            if not self.client.sys.is_initialized():
                return False, 'Vault is not initialized'
            if self.client.sys.is_sealed():
                return False, 'Vault is sealed'
            if not self.client.is_authenticated():
                return False, 'Vault is not authenticated'
        except ConnectionError as e:
            logger.error(str(e))
            return False, f'Vault is not reachable: {e}'
        else:
            return True, ''
    def enable_secrets_engine_if_need(self):
        secrets_engines = self.client.sys.list_mounted_secrets_engines()
        mount_points = secrets_engines.keys()
        if f'{self.mount_point}/' in mount_points:
            return
        self.client.sys.enable_secrets_engine(
            backend_type='kv',
            path=self.mount_point,
            options={'version': 2}  # TODO: version 是否从配置中读取?
        )
        self.client.secrets.kv.v2.configure(
            max_versions=self.max_versions,
            mount_point=self.mount_point
        )
    def get(self, path, version=None):
        try:
            response = self.client.secrets.kv.v2.read_secret_version(
                path=path,
                version=version,
                mount_point=self.mount_point
            )
        except exceptions.InvalidPath as e:
            return {}
        data = response.get('data', {})
        return data
    def create(self, path, data: dict):
        self._update_or_create(path=path, data=data)
    def update(self, path, data: dict):
        """ 未更新的数据会被删除 """
        self._update_or_create(path=path, data=data)
    def patch(self, path, data: dict):
        """ 未更新的数据不会被删除 """
        self.client.secrets.kv.v2.patch(
            path=path,
            secret=data,
            mount_point=self.mount_point
        )
    def delete(self, path):
        self.client.secrets.kv.v2.delete_metadata_and_all_versions(
            path=path,
            mount_point=self.mount_point,
        )
    def _update_or_create(self, path, data: dict):
        self.client.secrets.kv.v2.create_or_update_secret(
            path=path,
            secret=data,
            mount_point=self.mount_point
        )
    def update_metadata(self, path, metadata: dict):
        try:
            self.client.secrets.kv.v2.update_metadata(
                path=path,
                mount_point=self.mount_point,
                custom_metadata=metadata
            )
        except exceptions.InvalidPath as e:
            logger.error('Update metadata error: {}'.format(e))
--- a/apps/accounts/backends/local/init.py
+++ b/apps/accounts/backends/local/init.py
@@ -1 +0,0 @@
 from .main import *
--- a/apps/accounts/backends/local/main.py
+++ b/apps/accounts/backends/local/main.py
@@ -1,36 +0,0 @@
 from common.utils import get_logger
 from ..base import BaseVault
 logger = get_logger(__name__)
 __all__ = ['Vault']
 class Vault(BaseVault):
    def is_active(self):
        return True, ''
    def _get(self, instance):
        secret = getattr(instance, '_secret', None)
        return secret
    def _create(self, instance):
        """ Ignore """
        pass
    def _update(self, instance):
        """ Ignore """
        pass
    def _delete(self, instance):
        """ Ignore """
        pass
    def _save_metadata(self, instance, metadata):
        """ Ignore """
        pass
    def _clean_db_secret(self, instance):
        """ Ignore *重要* 不能删除本地 secret """
        pass
--- a/apps/accounts/const/init.py
+++ b/apps/accounts/const/init.py
@@ -1,3 +1,2 @@
 from .account import *
 from .automation import *
 from .vault import *
--- a/apps/accounts/const/account.py
+++ b/apps/accounts/const/account.py
@@ -1,5 +1,5 @@
 from django.db.models import TextChoices
-from django.utils.translation import gettext_lazy as _
+from django.utils.translation import ugettext_lazy as _
 class SecretType(TextChoices):
@@ -7,19 +7,12 @@ class SecretType(TextChoices):
    SSH_KEY = 'ssh_key', _('SSH key')
    ACCESS_KEY = 'access_key', _('Access key')
    TOKEN = 'token', _('Token')
    API_KEY = 'api_key', _("API key")
 class AliasAccount(TextChoices):
    ALL = '@ALL', _('All')
    INPUT = '@INPUT', _('Manual input')
    USER = '@USER', _('Dynamic user')
    ANON = '@ANON', _('Anonymous account')
    SPEC = '@SPEC', _('Specified account')
    @classmethod
    def virtual_choices(cls):
        return [(k, v) for k, v in cls.choices if k not in (cls.ALL,)]
 class Source(TextChoices):
--- a/apps/accounts/const/automation.py
+++ b/apps/accounts/const/automation.py
@@ -1,22 +1,20 @@
 from django.db import models
-from django.utils.translation import gettext_lazy as _
+from django.utils.translation import ugettext_lazy as _
 from assets.const import Connectivity
 from common.db.fields import TreeChoices
 string_punctuation = '!#$%&()*+,-.:;<=>?@[]^_~'
 DEFAULT_PASSWORD_LENGTH = 30
 DEFAULT_PASSWORD_RULES = {
    'length': DEFAULT_PASSWORD_LENGTH,
-    'uppercase': True,
+    'symbol_set': string_punctuation
    'lowercase': True,
    'digit': True,
    'symbol': True,
 }
 __all__ = [
    'AutomationTypes', 'SecretStrategy', 'SSHKeyStrategy', 'Connectivity',
    'DEFAULT_PASSWORD_LENGTH', 'DEFAULT_PASSWORD_RULES', 'TriggerChoice',
-    'PushAccountActionChoice', 'AccountBackupType', 'ChangeSecretRecordStatusChoice',
+    'PushAccountActionChoice',
 ]
@@ -24,7 +22,6 @@ class AutomationTypes(models.TextChoices):
    push_account = 'push_account', _('Push account')
    change_secret = 'change_secret', _('Change secret')
    verify_account = 'verify_account', _('Verify account')
    remove_account = 'remove_account', _('Remove account')
    gather_accounts = 'gather_accounts', _('Gather accounts')
    verify_gateway_account = 'verify_gateway_account', _('Verify gateway account')
@@ -44,8 +41,8 @@ class AutomationTypes(models.TextChoices):
 class SecretStrategy(models.TextChoices):
-    custom = 'specific', _('Specific secret')
+    custom = 'specific', _('Specific password')
-    random = 'random', _('Random generate')
+    random = 'random', _('Random')
 class SSHKeyStrategy(models.TextChoices):
@@ -96,16 +93,3 @@ class TriggerChoice(models.TextChoices, TreeChoices):
 class PushAccountActionChoice(models.TextChoices):
    create_and_push = 'create_and_push', _('Create and push')
    only_create = 'only_create', _('Only create')
 class AccountBackupType(models.TextChoices):
    """Backup type"""
    email = 'email', _('Email')
    # 目前只支持sftp方式
    object_storage = 'object_storage', _('SFTP')
 class ChangeSecretRecordStatusChoice(models.TextChoices):
    failed = 'failed', _('Failed')
    success = 'success', _('Success')
    pending = 'pending', _('Pending')
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
fit2bot	9ec4f2c4d6	feat: Update v3.4.1	2023-06-21 12:58:19 +08:00
Eric	13d895b22e	fix: 修复远程应用会话无法监控的问题	2023-06-21 12:05:19 +08:00
Bai	d5c51a4f0e	fix: 修复迁移文件时触发信号记录操作日志导致迁移失败的问题	2023-06-21 11:02:14 +08:00
Eric	7c965706d4	perf: 修复 terminal 显示问题	2023-06-20 16:33:43 +08:00
feng	f59499f77e	fix: 修改 push_account_params 数据迁移逻辑，不在导入公共方法生成数据	2023-06-19 18:23:23 +08:00
ibuler	98536cbc24	fix: 修改原来 platform 为 device 时，导致的 asset 类型不对	2023-06-19 17:54:17 +08:00
老广	7c29e60a82	Merge pull request #10757 from jumpserver/pr@v3.4@fix_custom_asset_detail_error perf: 修复自定义资产详情没有 auto_config 的问题	2023-06-16 18:48:41 +08:00
ibuler	9e68d7d1a0	perf: 修复自定义资产详情没有 auto_config 的问题	2023-06-16 10:45:00 +00:00
ibuler	77b7134404	perf: 优化自定义 platform field	2023-06-16 17:02:46 +08:00
老广	fb7a839c16	Merge pull request #10755 from jumpserver/pr@v3.4@fix_permed_asset_duplicate fix: 修复授权资产根据协议搜索重复的问题	2023-06-16 16:53:21 +08:00
ibuler	e80855068e	fix: 修复授权资产根据协议搜索重复的问题	2023-06-16 08:44:53 +00:00
ibuler	5832246e5f	perf: 修改 login acls 迁移冲突问题 perf: 修改 login acls 迁移，避免冲突	2023-06-16 13:58:51 +08:00
ibuler	dbef45e23b	perf: 修复 acl 迁移后无法使用	2023-06-15 18:46:33 +08:00
feng	dedc42d775	feat: 添加自动化任务rdp ping	2023-06-15 18:46:04 +08:00
老广	f64073f48f	Merge pull request #10739 from jumpserver/pr@v3.4@pr@dev@change_base_image perf: 修改基础镜像版本	2023-06-15 17:36:33 +08:00
ibuler	70754ad748	perf: 修改基础镜像版本	2023-06-15 17:33:04 +08:00
fit2bot	3158980057	perf: 修改翻译 (#10734 ) Co-authored-by: feng <1304903146@qq.com>	2023-06-15 15:41:25 +08:00