fix: pubkey auth require svc sign

Co-authored-by: feng <1304903146@qq.com>

.github/ISSUE_TEMPLATE/----.md

@@ -1,35 +1,12 @@
 ---
 name: 需求建议
 about: 提出针对本项目的想法和建议
-title: "[Feature] 需求标题"
+title: "[Feature] "
 labels: 类型:需求
 assignees: 
   - ibuler
   - baijiangjie
+  - wojiushixiaobai
 ---
 
-## 注意
-_针对过于简单的需求描述不予考虑。请确保提供足够的细节和信息以支持功能的开发和实现。_
-
-## 功能名称
-[在这里输入功能的名称或标题]
-
-## 功能描述
-[在这里描述该功能的详细内容，包括其作用、目的和所需的功能]
-
-## 用户故事（可选）
-[如果适用，可以提供用户故事来更好地理解该功能的使用场景和用户期望]
-
-## 功能要求
-- [要求1：描述该功能的具体要求，如界面设计、交互逻辑等]
-- [要求2：描述该功能的另一个具体要求]
-- [以此类推，列出所有相关的功能要求]
-
-## 示例或原型（可选）
-[如果有的话，提供该功能的示例或原型图以更好地说明功能的实现方式]
-
-## 优先级
-[描述该功能的优先级，如高、中、低，或使用数字等其他标识]
-
-## 备注（可选）
-[在这里添加任何其他相关信息或备注]
+**请描述您的需求或者改进建议.**

.github/ISSUE_TEMPLATE/bug---.md

@@ -1,51 +1,24 @@
 ---
 name: Bug 提交
 about: 提交产品缺陷帮助我们更好的改进
-title: "[Bug] Bug 标题"
-labels: 类型:Bug
+title: "[Bug] "
+labels: 类型:bug
 assignees: 
+   - wojiushixiaobai
    - baijiangjie
+
 ---
 
-## 注意
-**JumpServer 版本( v2.28 之前的版本不再支持 )** <br>
-_针对过于简单的 Bug 描述不予考虑。请确保提供足够的细节和信息以支持 Bug 的复现和修复。_
-
-## 当前使用的 JumpServer 版本 (必填)
-[在这里输入当前使用的 JumpServer 的版本号]
-
-## 使用的版本类型 (必填)
-- [ ] 社区版
-- [ ] 企业版
-- [ ] 企业试用版
+**JumpServer 版本( v2.28 之前的版本不再支持 )**
 
 
-## 版本安装方式 (必填)
-- [ ] 在线安装 (一键命令)
-- [ ] 离线安装 (下载离线包)
-- [ ] All-in-One
-- [ ] 1Panel 安装
-- [ ] Kubernetes 安装
-- [ ] 源码安装
+**浏览器版本**
 
-## Bug 描述 (详细)
-[在这里描述 Bug 的详细情况，包括其影响和出现的具体情况]
 
-## 复现步骤
-1. [描述如何复现 Bug 的第一步]
-2. [描述如何复现 Bug 的第二步]
-3. [以此类推，列出所有复现 Bug 所需的步骤]
+**Bug 描述**
 
-## 期望行为
-[描述 Bug 出现时期望的系统行为或结果]
 
-## 实际行为
-[描述实际上发生了什么，以及 Bug 出现的具体情况]
-
-## 系统环境
-- 操作系统：[例如：Windows 10, macOS Big Sur]
-- 浏览器/应用版本：[如果适用，请提供相关版本信息]
-- 其他相关环境信息：[如果有其他相关环境信息，请在此处提供]
-
-## 附加信息（可选）
-[在这里添加任何其他相关信息，如截图、错误信息等]
+**Bug 重现步骤(有截图更好)**
+1.
+2.
+3.

.github/ISSUE_TEMPLATE/question.md

@@ -1,50 +1,12 @@
 ---
 name: 问题咨询
 about: 提出针对本项目安装部署、使用及其他方面的相关问题
-title: "[Question] 问题标题"
+title: "[Question] "
 labels: 类型:提问
 assignees: 
+  - wojiushixiaobai
   - baijiangjie
+
 ---
-## 注意
-**请描述您的问题.** <br>
-**JumpServer 版本( v2.28 之前的版本不再支持 )** <br>
-_针对过于简单的 Bug 描述不予考虑。请确保提供足够的细节和信息以支持 Bug 的复现和修复。_
-
-## 当前使用的 JumpServer 版本 (必填)
-[在这里输入当前使用的 JumpServer 的版本号]
-
-## 使用的版本类型 (必填)
-- [ ] 社区版
-- [ ] 企业版
-- [ ] 企业试用版
-
-
-## 版本安装方式 (必填)
-- [ ] 在线安装 (一键命令)
-- [ ] 离线安装 (下载离线包)
-- [ ] All-in-One
-- [ ] 1Panel 安装
-- [ ] Kubernetes 安装
-- [ ] 源码安装
-
-## 问题描述 (详细)
-[在这里描述你遇到的问题]
-
-## 背景信息
-- 操作系统：[例如：Windows 10, macOS Big Sur]
-- 浏览器/应用版本：[如果适用，请提供相关版本信息]
-- 其他相关环境信息：[如果有其他相关环境信息，请在此处提供]
-
-## 具体问题
-[在这里详细描述你的问题，包括任何相关细节或错误信息]
-
-## 尝试过的解决方法
-[如果你已经尝试过解决问题，请在这里列出你已经尝试过的解决方法]
-
-## 预期结果
-[描述你期望的解决方案或结果]
-
-## 我们的期望
-[描述你希望我们提供的帮助或支持]
 
+**请描述您的问题.**

.github/workflows/jms-build-test.yml

@@ -1,32 +1,26 @@
 name: "Run Build Test"
 on:
   push:
-    paths:
-      - 'Dockerfile'
-      - 'Dockerfile-*'
-      - 'pyproject.toml'
-      - 'poetry.lock'
+    branches:
+      - pr@*
+      - repr@*
 
 jobs:
   build:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v3
-    - uses: docker/setup-qemu-action@v3
-    - uses: docker/setup-buildx-action@v3
 
-    - name: Check Dockerfile
-      run: |
-        test -f Dockerfile-ce || cp -f Dockerfile Dockerfile-ce
+    - uses: docker/setup-qemu-action@v2
 
-    - name: Build CE Image
-      uses: docker/build-push-action@v5
+    - uses: docker/setup-buildx-action@v2
+
+    - uses: docker/build-push-action@v3
       with:
         context: .
         push: false
-        file: Dockerfile-ce
-        tags: jumpserver/core-ce:test
-        platforms: linux/amd64
+        tags: jumpserver/core:test
+        file: Dockerfile
         build-args: |
           APT_MIRROR=http://deb.debian.org
           PIP_MIRROR=https://pypi.org/simple
@@ -34,22 +28,9 @@ jobs:
         cache-from: type=gha
         cache-to: type=gha,mode=max
 
-    - name: Prepare EE Image
-      run: |
-        sed -i 's@^FROM registry.fit2cloud.com@# FROM registry.fit2cloud.com@g' Dockerfile-ee
-        sed -i 's@^COPY --from=build-xpack@# COPY --from=build-xpack@g' Dockerfile-ee
-
-    - name: Build EE Image
-      uses: docker/build-push-action@v5
+    - uses: LouisBrunner/checks-action@v1.5.0
+      if: always()
       with:
-        context: .
-        push: false
-        file: Dockerfile-ee
-        tags: jumpserver/core-ee:test
-        platforms: linux/amd64
-        build-args: |
-          APT_MIRROR=http://deb.debian.org
-          PIP_MIRROR=https://pypi.org/simple
-          PIP_JMS_MIRROR=https://pypi.org/simple
-        cache-from: type=gha
-        cache-to: type=gha,mode=max
+        token: ${{ secrets.GITHUB_TOKEN }}
+        name: Check Build
+        conclusion: ${{ job.status }}

.gitignore

@@ -43,4 +43,3 @@ releashe
 data/*
 test.py
 .history/
-.test/

Dockerfile

@@ -0,0 +1,85 @@
+FROM python:3.11-slim-bullseye as stage-build
+ARG TARGETARCH
+
+ARG VERSION
+ENV VERSION=$VERSION
+
+WORKDIR /opt/jumpserver
+ADD . .
+RUN cd utils && bash -ixeu build.sh
+
+FROM python:3.11-slim-bullseye
+ARG TARGETARCH
+
+ARG BUILD_DEPENDENCIES="              \
+        g++                           \
+        make                          \
+        pkg-config"
+
+ARG DEPENDENCIES="                    \
+        freetds-dev                   \
+        libpq-dev                     \
+        libffi-dev                    \
+        libjpeg-dev                   \
+        libkrb5-dev                   \
+        libldap2-dev                  \
+        libsasl2-dev                  \
+        libssl-dev                    \
+        libxml2-dev                   \
+        libxmlsec1-dev                \
+        libxmlsec1-openssl            \
+        freerdp2-dev                  \
+        libaio-dev"
+
+ARG TOOLS="                           \
+        ca-certificates               \
+        curl                          \
+        default-libmysqlclient-dev    \
+        default-mysql-client          \
+        locales                       \
+        nmap                          \
+        openssh-client                \
+        patch                         \
+        sshpass                       \
+        telnet                        \
+        vim                           \
+        wget"
+
+ARG APT_MIRROR=http://mirrors.ustc.edu.cn
+
+RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=core \
+    sed -i "s@http://.*.debian.org@${APT_MIRROR}@g" /etc/apt/sources.list \
+    && rm -f /etc/apt/apt.conf.d/docker-clean \
+    && ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
+    && apt-get update \
+    && apt-get -y install --no-install-recommends ${BUILD_DEPENDENCIES} \
+    && apt-get -y install --no-install-recommends ${DEPENDENCIES} \
+    && apt-get -y install --no-install-recommends ${TOOLS} \
+    && mkdir -p /root/.ssh/ \
+    && echo "Host *\n\tStrictHostKeyChecking no\n\tUserKnownHostsFile /dev/null\n\tCiphers +aes128-cbc\n\tKexAlgorithms +diffie-hellman-group1-sha1\n\tHostKeyAlgorithms +ssh-rsa" > /root/.ssh/config \
+    && echo "set mouse-=a" > ~/.vimrc \
+    && echo "no" | dpkg-reconfigure dash \
+    && echo "zh_CN.UTF-8" | dpkg-reconfigure locales \
+    && sed -i "s@# export @export @g" ~/.bashrc \
+    && sed -i "s@# alias @alias @g" ~/.bashrc \
+    && rm -rf /var/lib/apt/lists/*
+
+COPY --from=stage-build /opt/jumpserver/release/jumpserver /opt/jumpserver
+WORKDIR /opt/jumpserver
+
+ARG PIP_MIRROR=https://pypi.tuna.tsinghua.edu.cn/simple
+RUN --mount=type=cache,target=/root/.cache \
+    set -ex \
+    && echo > /opt/jumpserver/config.yml \
+    && pip install poetry -i ${PIP_MIRROR} \
+    && poetry config virtualenvs.create false \
+    && poetry install --only=main
+
+VOLUME /opt/jumpserver/data
+VOLUME /opt/jumpserver/logs
+
+ENV LANG=zh_CN.UTF-8
+
+EXPOSE 8080
+
+ENTRYPOINT ["./entrypoint.sh"]

Dockerfile-ce

@@ -1,136 +0,0 @@
-FROM python:3.11-slim-bullseye as stage-1
-ARG TARGETARCH
-
-ARG VERSION
-ENV VERSION=$VERSION
-
-WORKDIR /opt/jumpserver
-ADD . .
-RUN echo > /opt/jumpserver/config.yml \
-    && cd utils && bash -ixeu build.sh
-
-FROM python:3.11-slim-bullseye as stage-2
-ARG TARGETARCH
-
-ARG BUILD_DEPENDENCIES="              \
-        g++                           \
-        make                          \
-        pkg-config"
-
-ARG DEPENDENCIES="                    \
-        freetds-dev                   \
-        libffi-dev                    \
-        libjpeg-dev                   \
-        libkrb5-dev                   \
-        libldap2-dev                  \
-        libpq-dev                     \
-        libsasl2-dev                  \
-        libssl-dev                    \
-        libxml2-dev                   \
-        libxmlsec1-dev                \
-        libxmlsec1-openssl            \
-        freerdp2-dev                  \
-        libaio-dev"
-
-ARG TOOLS="                           \
-        ca-certificates               \
-        curl                          \
-        default-libmysqlclient-dev    \
-        default-mysql-client          \
-        git                           \
-        git-lfs                       \
-        unzip                         \
-        xz-utils                      \
-        wget"
-
-ARG APT_MIRROR=http://mirrors.ustc.edu.cn
-RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=core-apt \
-    --mount=type=cache,target=/var/lib/apt,sharing=locked,id=core-apt \
-    sed -i "s@http://.*.debian.org@${APT_MIRROR}@g" /etc/apt/sources.list \
-    && rm -f /etc/apt/apt.conf.d/docker-clean \
-    && ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
-    && apt-get update \
-    && apt-get -y install --no-install-recommends ${BUILD_DEPENDENCIES} \
-    && apt-get -y install --no-install-recommends ${DEPENDENCIES} \
-    && apt-get -y install --no-install-recommends ${TOOLS} \
-    && echo "no" | dpkg-reconfigure dash
-
-WORKDIR /opt/jumpserver
-
-ARG PIP_MIRROR=https://pypi.tuna.tsinghua.edu.cn/simple
-RUN --mount=type=cache,target=/root/.cache \
-    --mount=type=bind,source=poetry.lock,target=/opt/jumpserver/poetry.lock \
-    --mount=type=bind,source=pyproject.toml,target=/opt/jumpserver/pyproject.toml \
-    set -ex \
-    && python3 -m venv /opt/py3 \
-    && pip install poetry -i ${PIP_MIRROR} \
-    && poetry config virtualenvs.create false \
-    && . /opt/py3/bin/activate \
-    && poetry install
-
-FROM python:3.11-slim-bullseye
-ARG TARGETARCH
-ENV LANG=zh_CN.UTF-8 \
-    PATH=/opt/py3/bin:$PATH
-
-ARG DEPENDENCIES="                    \
-        libjpeg-dev                   \
-        libpq-dev                     \
-        libx11-dev                    \
-        freerdp2-dev                  \
-        libxmlsec1-openssl"
-
-ARG TOOLS="                           \
-        ca-certificates               \
-        curl                          \
-        default-libmysqlclient-dev    \
-        default-mysql-client          \
-        iputils-ping                  \
-        locales                       \
-        netcat-openbsd                \
-        nmap                          \
-        openssh-client                \
-        patch                         \
-        sshpass                       \
-        telnet                        \
-        vim                           \
-        wget"
-
-ARG APT_MIRROR=http://mirrors.ustc.edu.cn
-RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=core-apt \
-    --mount=type=cache,target=/var/lib/apt,sharing=locked,id=core-apt \
-    sed -i "s@http://.*.debian.org@${APT_MIRROR}@g" /etc/apt/sources.list \
-    && rm -f /etc/apt/apt.conf.d/docker-clean \
-    && ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
-    && apt-get update \
-    && apt-get -y install --no-install-recommends ${DEPENDENCIES} \
-    && apt-get -y install --no-install-recommends ${TOOLS} \
-    && mkdir -p /root/.ssh/ \
-    && echo "Host *\n\tStrictHostKeyChecking no\n\tUserKnownHostsFile /dev/null\n\tCiphers +aes128-cbc\n\tKexAlgorithms +diffie-hellman-group1-sha1\n\tHostKeyAlgorithms +ssh-rsa" > /root/.ssh/config \
-    && echo "no" | dpkg-reconfigure dash \
-    && echo "zh_CN.UTF-8" | dpkg-reconfigure locales \
-    && sed -i "s@# export @export @g" ~/.bashrc \
-    && sed -i "s@# alias @alias @g" ~/.bashrc
-
-ARG RECEPTOR_VERSION=v1.4.5
-RUN set -ex \
-    && wget -O /opt/receptor.tar.gz https://github.com/ansible/receptor/releases/download/${RECEPTOR_VERSION}/receptor_${RECEPTOR_VERSION/v/}_linux_${TARGETARCH}.tar.gz \
-    && tar -xf /opt/receptor.tar.gz -C /usr/local/bin/ \
-    && chown root:root /usr/local/bin/receptor \
-    && chmod 755 /usr/local/bin/receptor \
-    && rm -f /opt/receptor.tar.gz
-
-COPY --from=stage-2 /opt/py3 /opt/py3
-COPY --from=stage-1 /opt/jumpserver/release/jumpserver /opt/jumpserver
-COPY --from=stage-1 /opt/jumpserver/release/jumpserver/apps/libs/ansible/ansible.cfg /etc/ansible/
-
-WORKDIR /opt/jumpserver
-
-ARG VERSION
-ENV VERSION=$VERSION
-
-VOLUME /opt/jumpserver/data
-
-EXPOSE 8080
-
-ENTRYPOINT ["./entrypoint.sh"]

Dockerfile-ee

@@ -1,5 +1,9 @@
 ARG VERSION
 FROM registry.fit2cloud.com/jumpserver/xpack:${VERSION} as build-xpack
-FROM registry.fit2cloud.com/jumpserver/core-ce:${VERSION}
+FROM jumpserver/core:${VERSION}
 
-COPY --from=build-xpack /opt/xpack /opt/jumpserver/apps/xpack
+COPY --from=build-xpack /opt/xpack /opt/jumpserver/apps/xpack
+
+RUN --mount=type=cache,target=/root/.cache \
+    set -ex \
+    && poetry install --only=xpack

README.md

@@ -12,6 +12,8 @@
 
 
 <p align="center">
+    JumpServer <a href="https://github.com/jumpserver/jumpserver/releases/tag/v3.0.0">v3.0</a> 正式发布。
+    <br>
     9 年时间，倾情投入，用心做好一款开源堡垒机。
 </p>
 
@@ -61,7 +63,6 @@ JumpServer 堡垒机帮助企业以更安全的方式管控和登录各种类型
 
 ## 案例研究
 
-- [腾讯音乐娱乐集团：基于JumpServer的安全运维审计解决方案](https://blog.fit2cloud.com/?p=a04cdf0d-6704-4d18-9b40-9180baecd0e2)
 - [腾讯海外游戏：基于JumpServer构建游戏安全运营能力](https://blog.fit2cloud.com/?p=3704)
 - [万华化学：通过JumpServer管理全球化分布式IT资产，并且实现与云管平台的联动](https://blog.fit2cloud.com/?p=3504)
 - [雪花啤酒：JumpServer堡垒机使用体会](https://blog.fit2cloud.com/?p=3412)
@@ -94,12 +95,11 @@ JumpServer 堡垒机帮助企业以更安全的方式管控和登录各种类型
 | [KoKo](https://github.com/jumpserver/koko)             | <a href="https://github.com/jumpserver/koko/releases"><img alt="Koko release" src="https://img.shields.io/github/release/jumpserver/koko.svg" /></a>                   | JumpServer 字符协议 Connector 项目                                                      |
 | [Lion](https://github.com/jumpserver/lion-release)     | <a href="https://github.com/jumpserver/lion-release/releases"><img alt="Lion release" src="https://img.shields.io/github/release/jumpserver/lion-release.svg" /></a>   | JumpServer 图形协议 Connector 项目，依赖 [Apache Guacamole](https://guacamole.apache.org/) |
 | [Razor](https://github.com/jumpserver/razor)           | <img alt="Chen" src="https://img.shields.io/badge/release-私有发布-red" />                                                                                                 | JumpServer RDP 代理 Connector 项目                                                    |
-| [Tinker](https://github.com/jumpserver/tinker)         | <img alt="Tinker" src="https://img.shields.io/badge/release-私有发布-red" />                                                                                               | JumpServer 远程应用 Connector 项目 (Windows)                                                      |
-| [Panda](https://github.com/jumpserver/Panda)         | <img alt="Panda" src="https://img.shields.io/badge/release-私有发布-red" />                                                                                               | JumpServer 远程应用 Connector 项目 (Linux)                                                      |
+| [Tinker](https://github.com/jumpserver/tinker)         | <img alt="Tinker" src="https://img.shields.io/badge/release-私有发布-red" />                                                                                               | JumpServer 远程应用 Connector 项目                                                      |
 | [Magnus](https://github.com/jumpserver/magnus-release) | <a href="https://github.com/jumpserver/magnus-release/releases"><img alt="Magnus release" src="https://img.shields.io/github/release/jumpserver/magnus-release.svg" /> | JumpServer 数据库代理 Connector 项目                                                     |
 | [Chen](https://github.com/jumpserver/chen-release)     | <a href="https://github.com/jumpserver/chen-release/releases"><img alt="Chen release" src="https://img.shields.io/github/release/jumpserver/chen-release.svg" />       | JumpServer Web DB 项目，替代原来的 OmniDB                                                 |
 | [Kael](https://github.com/jumpserver/kael)             | <a href="https://github.com/jumpserver/kael/releases"><img alt="Kael release" src="https://img.shields.io/github/release/jumpserver/kael.svg" />                       | JumpServer 连接 GPT 资产的组件项目                                                         |
-| [Wisp](https://github.com/jumpserver/wisp)             | <a href="https://github.com/jumpserver/wisp/releases"><img alt="Magnus release" src="https://img.shields.io/github/release/jumpserver/wisp.svg" />                     | JumpServer 各系统终端组件和 Core API 通信的组件项目                                              |
+| [Wisp](https://github.com/jumpserver/wisp)             | <a href="https://github.com/jumpserver/wisp/releases"><img alt="Magnus release" src="https://img.shields.io/github/release/jumpserver/wisp.svg" />                     | JumpServer 各系统终端组件和 Core Api 通信的组件项目                                              |
 | [Clients](https://github.com/jumpserver/clients)       | <a href="https://github.com/jumpserver/clients/releases"><img alt="Clients release" src="https://img.shields.io/github/release/jumpserver/clients.svg" />              | JumpServer 客户端 项目                                                                 |
 | [Installer](https://github.com/jumpserver/installer)   | <a href="https://github.com/jumpserver/installer/releases"><img alt="Installer release" src="https://img.shields.io/github/release/jumpserver/installer.svg" />        | JumpServer 安装包 项目                                                                 |
 
@@ -113,7 +113,7 @@ JumpServer是一款安全产品，请参考 [基本安全建议](https://docs.ju
 
 ## License & Copyright
 
-Copyright (c) 2014-2024 飞致云 FIT2CLOUD, All rights reserved.
+Copyright (c) 2014-2023 飞致云 FIT2CLOUD, All rights reserved.
 
 Licensed under The GNU General Public License version 3 (GPLv3)  (the "License"); you may not use this file except in
 compliance with the License. You may obtain a copy of the License at

README_EN.md

@@ -85,7 +85,7 @@ If you find a security problem, please contact us directly：
 - 400-052-0755
 
 ### License & Copyright
-Copyright (c) 2014-2024 FIT2CLOUD Tech, Inc., All rights reserved.
+Copyright (c) 2014-2022 FIT2CLOUD Tech, Inc., All rights reserved.
 
 Licensed under The GNU General Public License version 3 (GPLv3)  (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
 

apps/accounts/api/account/account.py

@@ -6,12 +6,11 @@ from rest_framework.status import HTTP_200_OK
 
 from accounts import serializers
 from accounts.filters import AccountFilterSet
-from accounts.mixins import AccountRecordViewLogMixin
 from accounts.models import Account
 from assets.models import Asset, Node
-from authentication.permissions import UserConfirmation, ConfirmType
-from common.api.mixin import ExtraFilterFieldsMixin
-from common.permissions import IsValidUser
+from common.api import ExtraFilterFieldsMixin
+from common.permissions import UserConfirmation, ConfirmType, IsValidUser
+from common.views.mixins import RecordViewLogMixin
 from orgs.mixins.api import OrgBulkModelViewSet
 from rbac.permissions import RBACPermission
 
@@ -58,19 +57,19 @@ class AccountViewSet(OrgBulkModelViewSet):
         permission_classes=[IsValidUser]
     )
     def username_suggestions(self, request, *args, **kwargs):
-        asset_ids = request.data.get('assets', [])
-        node_ids = request.data.get('nodes', [])
-        username = request.data.get('username', '')
+        asset_ids = request.data.get('assets')
+        node_ids = request.data.get('nodes')
+        username = request.data.get('username')
 
-        accounts = Account.objects.all()
+        assets = Asset.objects.all()
+        if asset_ids:
+            assets = assets.filter(id__in=asset_ids)
         if node_ids:
             nodes = Node.objects.filter(id__in=node_ids)
             node_asset_ids = Node.get_nodes_all_assets(*nodes).values_list('id', flat=True)
-            asset_ids.extend(node_asset_ids)
-
-        if asset_ids:
-            accounts = accounts.filter(asset_id__in=list(set(asset_ids)))
+            assets = assets.filter(id__in=set(list(asset_ids) + list(node_asset_ids)))
 
+        accounts = Account.objects.filter(asset__in=assets)
         if username:
             accounts = accounts.filter(username__icontains=username)
         usernames = list(accounts.values_list('username', flat=True).distinct()[:10])
@@ -87,7 +86,7 @@ class AccountViewSet(OrgBulkModelViewSet):
         return Response(status=HTTP_200_OK)
 
 
-class AccountSecretsViewSet(AccountRecordViewLogMixin, AccountViewSet):
+class AccountSecretsViewSet(RecordViewLogMixin, AccountViewSet):
     """
     因为可能要导出所有账号，所以单独建立了一个 viewset
     """
@@ -116,7 +115,7 @@ class AssetAccountBulkCreateApi(CreateAPIView):
         return Response(data=serializer.data, status=HTTP_200_OK)
 
 
-class AccountHistoriesSecretAPI(ExtraFilterFieldsMixin, AccountRecordViewLogMixin, ListAPIView):
+class AccountHistoriesSecretAPI(ExtraFilterFieldsMixin, RecordViewLogMixin, ListAPIView):
     model = Account.history.model
     serializer_class = serializers.AccountHistorySerializer
     http_method_names = ['get', 'options']
@@ -144,3 +143,4 @@ class AccountHistoriesSecretAPI(ExtraFilterFieldsMixin, AccountRecordViewLogMixi
             return histories
         histories = histories.exclude(history_id=latest_history.history_id)
         return histories
+

apps/accounts/api/account/task.py

@@ -1,13 +1,9 @@
-from django.db.models import Q
 from rest_framework.generics import CreateAPIView
+from rest_framework.response import Response
 
 from accounts import serializers
-from accounts.models import Account
-from accounts.permissions import AccountTaskActionPermission
-from accounts.tasks import (
-    remove_accounts_task, verify_accounts_connectivity_task, push_accounts_to_assets_task
-)
-from authentication.permissions import UserConfirmation, ConfirmType
+from accounts.tasks import verify_accounts_connectivity_task, push_accounts_to_assets_task
+from assets.exceptions import NotSupportedTemporarilyError
 
 __all__ = [
     'AccountsTaskCreateAPI',
@@ -16,48 +12,38 @@ __all__ = [
 
 class AccountsTaskCreateAPI(CreateAPIView):
     serializer_class = serializers.AccountTaskSerializer
-    permission_classes = (AccountTaskActionPermission,)
 
-    def get_permissions(self):
-        act = self.request.data.get('action')
-        if act == 'remove':
-            self.permission_classes = [
-                AccountTaskActionPermission,
-                UserConfirmation.require(ConfirmType.PASSWORD)
-            ]
-        return super().get_permissions()
-
-    @staticmethod
-    def get_account_ids(data, action):
-        account_type = 'gather_accounts' if action == 'remove' else 'accounts'
-        accounts = data.get(account_type, [])
-        account_ids = [str(a.id) for a in accounts]
-
-        if action == 'remove':
-            return account_ids
-
-        assets = data.get('assets', [])
-        asset_ids = [str(a.id) for a in assets]
-        ids = Account.objects.filter(
-            Q(id__in=account_ids) | Q(asset_id__in=asset_ids)
-        ).distinct().values_list('id', flat=True)
-        return [str(_id) for _id in ids]
+    def check_permissions(self, request):
+        act = request.data.get('action')
+        if act == 'push':
+            code = 'accounts.push_account'
+        else:
+            code = 'accounts.verify_account'
+        return request.user.has_perm(code)
 
     def perform_create(self, serializer):
         data = serializer.validated_data
-        action = data['action']
-        ids = self.get_account_ids(data, action)
+        accounts = data.get('accounts', [])
+        params = data.get('params')
+        account_ids = [str(a.id) for a in accounts]
 
-        if action == 'push':
-            task = push_accounts_to_assets_task.delay(ids, data.get('params'))
-        elif action == 'remove':
-            task = remove_accounts_task.delay(ids)
-        elif action == 'verify':
-            task = verify_accounts_connectivity_task.delay(ids)
+        if data['action'] == 'push':
+            task = push_accounts_to_assets_task.delay(account_ids, params)
         else:
-            raise ValueError(f"Invalid action: {action}")
+            account = accounts[0]
+            asset = account.asset
+            if not asset.auto_config['ansible_enabled'] or \
+                    not asset.auto_config['ping_enabled']:
+                raise NotSupportedTemporarilyError()
+            task = verify_accounts_connectivity_task.delay(account_ids)
 
         data = getattr(serializer, '_data', {})
         data["task"] = task.id
         setattr(serializer, '_data', data)
         return task
+
+    def get_exception_handler(self):
+        def handler(e, context):
+            return Response({"error": str(e)}, status=400)
+
+        return handler

apps/accounts/api/account/template.py

@@ -1,15 +1,13 @@
 from django_filters import rest_framework as drf_filters
-from rest_framework import status
 from rest_framework.decorators import action
 from rest_framework.response import Response
 
 from accounts import serializers
-from accounts.mixins import AccountRecordViewLogMixin
 from accounts.models import AccountTemplate
-from accounts.tasks import template_sync_related_accounts
 from assets.const import Protocol
-from authentication.permissions import UserConfirmation, ConfirmType
 from common.drf.filters import BaseFilterSet
+from common.permissions import UserConfirmation, ConfirmType
+from common.views.mixins import RecordViewLogMixin
 from orgs.mixins.api import OrgBulkModelViewSet
 from rbac.permissions import RBACPermission
 
@@ -46,7 +44,6 @@ class AccountTemplateViewSet(OrgBulkModelViewSet):
     }
     rbac_perms = {
         'su_from_account_templates': 'accounts.view_accounttemplate',
-        'sync_related_accounts': 'accounts.change_account',
     }
 
     @action(methods=['get'], detail=False, url_path='su-from-account-templates')
@@ -57,15 +54,8 @@ class AccountTemplateViewSet(OrgBulkModelViewSet):
         serializer = self.get_serializer(templates, many=True)
         return Response(data=serializer.data)
 
-    @action(methods=['patch'], detail=True, url_path='sync-related-accounts')
-    def sync_related_accounts(self, request, *args, **kwargs):
-        instance = self.get_object()
-        user_id = str(request.user.id)
-        task = template_sync_related_accounts.delay(str(instance.id), user_id)
-        return Response({'task': task.id}, status=status.HTTP_200_OK)
 
-
-class AccountTemplateSecretsViewSet(AccountRecordViewLogMixin, AccountTemplateViewSet):
+class AccountTemplateSecretsViewSet(RecordViewLogMixin, AccountTemplateViewSet):
     serializer_classes = {
         'default': serializers.AccountTemplateSecretSerializer,
     }

apps/accounts/api/automations/backup.py

@@ -18,8 +18,9 @@ __all__ = [
 
 class AccountBackupPlanViewSet(OrgBulkModelViewSet):
     model = AccountBackupAutomation
-    filterset_fields = ('name',)
-    search_fields = filterset_fields
+    filter_fields = ('name',)
+    search_fields = filter_fields
+    ordering = ('name',)
     serializer_class = serializers.AccountBackupSerializer
 
 

apps/accounts/api/automations/base.py

@@ -20,8 +20,8 @@ __all__ = [
 class AutomationAssetsListApi(generics.ListAPIView):
     model = BaseAutomation
     serializer_class = serializers.AutomationAssetsSerializer
-    filterset_fields = ("name", "address")
-    search_fields = filterset_fields
+    filter_fields = ("name", "address")
+    search_fields = filter_fields
 
     def get_object(self):
         pk = self.kwargs.get('pk')

apps/accounts/api/automations/change_secret.py

@@ -1,17 +1,13 @@
 # -*- coding: utf-8 -*-
 #
-from rest_framework import status, mixins
-from rest_framework.decorators import action
-from rest_framework.response import Response
+
+from rest_framework import mixins
 
 from accounts import serializers
 from accounts.const import AutomationTypes
-from accounts.filters import ChangeSecretRecordFilterSet
-from accounts.models import ChangeSecretAutomation, ChangeSecretRecord
-from accounts.tasks import execute_automation_record_task
-from authentication.permissions import UserConfirmation, ConfirmType
+from accounts.models import ChangeSecretAutomation, ChangeSecretRecord, AutomationExecution
+from common.utils import get_object_or_none
 from orgs.mixins.api import OrgBulkModelViewSet, OrgGenericViewSet
-from rbac.permissions import RBACPermission
 from .base import (
     AutomationAssetsListApi, AutomationRemoveAssetApi, AutomationAddAssetApi,
     AutomationNodeAddRemoveApi, AutomationExecutionViewSet
@@ -27,53 +23,28 @@ __all__ = [
 
 class ChangeSecretAutomationViewSet(OrgBulkModelViewSet):
     model = ChangeSecretAutomation
-    filterset_fields = ('name', 'secret_type', 'secret_strategy')
-    search_fields = filterset_fields
+    filter_fields = ('name', 'secret_type', 'secret_strategy')
+    search_fields = filter_fields
     serializer_class = serializers.ChangeSecretAutomationSerializer
 
 
 class ChangeSecretRecordViewSet(mixins.ListModelMixin, OrgGenericViewSet):
-    filterset_class = ChangeSecretRecordFilterSet
-    search_fields = ('asset__address',)
-    tp = AutomationTypes.change_secret
-    serializer_classes = {
-        'default': serializers.ChangeSecretRecordSerializer,
-        'secret': serializers.ChangeSecretRecordViewSecretSerializer,
-    }
-    rbac_perms = {
-        'execute': 'accounts.add_changesecretexecution',
-        'secret': 'accounts.view_changesecretrecord',
-    }
-
-    def get_permissions(self):
-        if self.action == 'secret':
-            self.permission_classes = [
-                RBACPermission,
-                UserConfirmation.require(ConfirmType.MFA)
-            ]
-        return super().get_permissions()
+    serializer_class = serializers.ChangeSecretRecordSerializer
+    filter_fields = ['asset', 'execution_id']
+    search_fields = ['asset__hostname']
 
     def get_queryset(self):
-        return ChangeSecretRecord.objects.all()
+        return ChangeSecretRecord.objects.filter(
+            execution__automation__type=AutomationTypes.change_secret
+        )
 
-    @action(methods=['post'], detail=False, url_path='execute')
-    def execute(self, request, *args, **kwargs):
-        record_ids = request.data.get('record_ids')
-        records = self.get_queryset().filter(id__in=record_ids)
-        execution_count = records.values_list('execution_id', flat=True).distinct().count()
-        if execution_count != 1:
-            return Response(
-                {'detail': 'Only one execution is allowed to execute'},
-                status=status.HTTP_400_BAD_REQUEST
-            )
-        task = execute_automation_record_task.delay(record_ids, self.tp)
-        return Response({'task': task.id}, status=status.HTTP_200_OK)
-
-    @action(methods=['get'], detail=True, url_path='secret')
-    def secret(self, request, *args, **kwargs):
-        instance = self.get_object()
-        serializer = self.get_serializer(instance)
-        return Response(serializer.data)
+    def filter_queryset(self, queryset):
+        queryset = super().filter_queryset(queryset)
+        eid = self.request.query_params.get('execution_id')
+        execution = get_object_or_none(AutomationExecution, pk=eid)
+        if execution:
+            queryset = queryset.filter(execution=execution)
+        return queryset
 
 
 class ChangSecretExecutionViewSet(AutomationExecutionViewSet):

apps/accounts/api/automations/gather_accounts.py

@@ -20,8 +20,8 @@ __all__ = [
 
 class GatherAccountsAutomationViewSet(OrgBulkModelViewSet):
     model = GatherAccountsAutomation
-    filterset_fields = ('name',)
-    search_fields = filterset_fields
+    filter_fields = ('name',)
+    search_fields = filter_fields
     serializer_class = serializers.GatherAccountAutomationSerializer
 
 

apps/accounts/api/automations/push_account.py

@@ -20,8 +20,8 @@ __all__ = [
 
 class PushAccountAutomationViewSet(OrgBulkModelViewSet):
     model = PushAccountAutomation
-    filterset_fields = ('name', 'secret_type', 'secret_strategy')
-    search_fields = filterset_fields
+    filter_fields = ('name', 'secret_type', 'secret_strategy')
+    search_fields = filter_fields
     serializer_class = serializers.PushAccountAutomationSerializer
 
 
@@ -42,7 +42,6 @@ class PushAccountExecutionViewSet(AutomationExecutionViewSet):
 
 class PushAccountRecordViewSet(ChangeSecretRecordViewSet):
     serializer_class = serializers.ChangeSecretRecordSerializer
-    tp = AutomationTypes.push_account
 
     def get_queryset(self):
         return ChangeSecretRecord.objects.filter(

apps/accounts/automations/backup_account/handlers.py

@@ -3,26 +3,19 @@ import time
 from collections import defaultdict, OrderedDict
 
 from django.conf import settings
+from openpyxl import Workbook
 from rest_framework import serializers
-from xlsxwriter import Workbook
 
-from accounts.const import AccountBackupType
-from accounts.models.automations.backup_account import AccountBackupAutomation
-from accounts.notifications import AccountBackupExecutionTaskMsg, AccountBackupByObjStorageExecutionTaskMsg
+from accounts.notifications import AccountBackupExecutionTaskMsg
 from accounts.serializers import AccountSecretSerializer
 from assets.const import AllTypes
-from common.utils.file import encrypt_and_compress_zip_file, zip_files
-from common.utils.timezone import local_now_filename, local_now_display
-from terminal.models.component.storage import ReplayStorage
+from common.utils.file import encrypt_and_compress_zip_file
+from common.utils.timezone import local_now_display
 from users.models import User
 
 PATH = os.path.join(os.path.dirname(settings.BASE_DIR), 'tmp')
 
 
-class RecipientsNotFound(Exception):
-    pass
-
-
 class BaseAccountHandler:
     @classmethod
     def unpack_data(cls, serializer_data, data=None):
@@ -74,7 +67,7 @@ class AssetAccountHandler(BaseAccountHandler):
     @staticmethod
     def get_filename(plan_name):
         filename = os.path.join(
-            PATH, f'{plan_name}-{local_now_filename()}-{time.time()}.xlsx'
+            PATH, f'{plan_name}-{local_now_display()}-{time.time()}.xlsx'
         )
         return filename
 
@@ -144,14 +137,13 @@ class AccountBackupHandler:
 
         wb = Workbook(filename)
         for sheet, data in data_map.items():
-            ws = wb.add_worksheet(str(sheet))
-            for row_index, row_data in enumerate(data):
-                for col_index, col_data in enumerate(row_data):
-                    ws.write_string(row_index, col_index, col_data)
-        wb.close()
+            ws = wb.create_sheet(str(sheet))
+            for row in data:
+                ws.append(row)
+        wb.save(filename)
         files.append(filename)
         timedelta = round((time.time() - time_start), 2)
-        print('创建备份文件完成: 用时 {}s'.format(timedelta))
+        print('步骤完成: 用时 {}s'.format(timedelta))
         return files
 
     def send_backup_mail(self, files, recipients):
@@ -160,7 +152,7 @@ class AccountBackupHandler:
         recipients = User.objects.filter(id__in=list(recipients))
         print(
             '\n'
-            '\033[32m>>> 开始发送备份邮件\033[0m'
+            '\033[32m>>> 发送备份邮件\033[0m'
             ''
         )
         plan_name = self.plan_name
@@ -168,42 +160,20 @@ class AccountBackupHandler:
             if not user.secret_key:
                 attachment_list = []
             else:
-                attachment = os.path.join(PATH, f'{plan_name}-{local_now_filename()}-{time.time()}.zip')
-                encrypt_and_compress_zip_file(attachment, user.secret_key, files)
+                password = user.secret_key.encode('utf8')
+                attachment = os.path.join(PATH, f'{plan_name}-{local_now_display()}-{time.time()}.zip')
+                encrypt_and_compress_zip_file(attachment, password, files)
                 attachment_list = [attachment, ]
             AccountBackupExecutionTaskMsg(plan_name, user).publish(attachment_list)
             print('邮件已发送至{}({})'.format(user, user.email))
         for file in files:
             os.remove(file)
 
-    def send_backup_obj_storage(self, files, recipients, password):
-        if not files:
-            return
-        recipients = ReplayStorage.objects.filter(id__in=list(recipients))
-        print(
-            '\n'
-            '\033[32m>>> 开始发送备份文件到sftp服务器\033[0m'
-            ''
-        )
-        plan_name = self.plan_name
-        for rec in recipients:
-            attachment = os.path.join(PATH, f'{plan_name}-{local_now_filename()}-{time.time()}.zip')
-            if password:
-                print('\033[32m>>> 使用加密密码对文件进行加密中\033[0m')
-                encrypt_and_compress_zip_file(attachment, password, files)
-            else:
-                zip_files(attachment, files)
-            attachment_list = attachment
-            AccountBackupByObjStorageExecutionTaskMsg(plan_name, rec).publish(attachment_list)
-            print('备份文件将发送至{}({})'.format(rec.name, rec.id))
-        for file in files:
-            os.remove(file)
-
     def step_perform_task_update(self, is_success, reason):
         self.execution.reason = reason[:1024]
         self.execution.is_success = is_success
         self.execution.save()
-        print('\n已完成对任务状态的更新\n')
+        print('已完成对任务状态的更新')
 
     @staticmethod
     def step_finished(is_success):
@@ -216,11 +186,24 @@ class AccountBackupHandler:
         is_success = False
         error = '-'
         try:
-            backup_type = self.execution.snapshot.get('backup_type', AccountBackupType.email.value)
-            if backup_type == AccountBackupType.email.value:
-                self.backup_by_email()
-            elif backup_type == AccountBackupType.object_storage.value:
-                self.backup_by_obj_storage()
+            recipients_part_one = self.execution.snapshot.get('recipients_part_one', [])
+            recipients_part_two = self.execution.snapshot.get('recipients_part_two', [])
+            if not recipients_part_one and not recipients_part_two:
+                print(
+                    '\n'
+                    '\033[32m>>> 该备份任务未分配收件人\033[0m'
+                    ''
+                )
+            if recipients_part_one and recipients_part_two:
+                files = self.create_excel(section='front')
+                self.send_backup_mail(files, recipients_part_one)
+
+                files = self.create_excel(section='back')
+                self.send_backup_mail(files, recipients_part_two)
+            else:
+                recipients = recipients_part_one or recipients_part_two
+                files = self.create_excel()
+                self.send_backup_mail(files, recipients)
         except Exception as e:
             self.is_frozen = True
             print('任务执行被异常中断')
@@ -234,52 +217,6 @@ class AccountBackupHandler:
             self.step_perform_task_update(is_success, reason)
             self.step_finished(is_success)
 
-    def backup_by_obj_storage(self):
-        object_id = self.execution.snapshot.get('id')
-        zip_encrypt_password = AccountBackupAutomation.objects.get(id=object_id).zip_encrypt_password
-        obj_recipients_part_one = self.execution.snapshot.get('obj_recipients_part_one', [])
-        obj_recipients_part_two = self.execution.snapshot.get('obj_recipients_part_two', [])
-        if not obj_recipients_part_one and not obj_recipients_part_two:
-            print(
-                '\n'
-                '\033[31m>>> 该备份任务未分配sftp服务器\033[0m'
-                ''
-            )
-            raise RecipientsNotFound('Not Found Recipients')
-        if obj_recipients_part_one and obj_recipients_part_two:
-            print('\033[32m>>> 账号的密钥将被拆分成前后两部分发送\033[0m')
-            files = self.create_excel(section='front')
-            self.send_backup_obj_storage(files, obj_recipients_part_one, zip_encrypt_password)
-
-            files = self.create_excel(section='back')
-            self.send_backup_obj_storage(files, obj_recipients_part_two, zip_encrypt_password)
-        else:
-            recipients = obj_recipients_part_one or obj_recipients_part_two
-            files = self.create_excel()
-            self.send_backup_obj_storage(files, recipients, zip_encrypt_password)
-
-    def backup_by_email(self):
-        recipients_part_one = self.execution.snapshot.get('recipients_part_one', [])
-        recipients_part_two = self.execution.snapshot.get('recipients_part_two', [])
-        if not recipients_part_one and not recipients_part_two:
-            print(
-                '\n'
-                '\033[31m>>> 该备份任务未分配收件人\033[0m'
-                ''
-            )
-            raise RecipientsNotFound('Not Found Recipients')
-        if recipients_part_one and recipients_part_two:
-            print('\033[32m>>> 账号的密钥将被拆分成前后两部分发送\033[0m')
-            files = self.create_excel(section='front')
-            self.send_backup_mail(files, recipients_part_one)
-
-            files = self.create_excel(section='back')
-            self.send_backup_mail(files, recipients_part_two)
-        else:
-            recipients = recipients_part_one or recipients_part_two
-            files = self.create_excel()
-            self.send_backup_mail(files, recipients)
-
     def run(self):
         print('任务开始: {}'.format(local_now_display()))
         time_start = time.time()
@@ -292,4 +229,4 @@ class AccountBackupHandler:
         finally:
             print('\n任务结束: {}'.format(local_now_display()))
             timedelta = round((time.time() - time_start), 2)
-            print('用时: {}s'.format(timedelta))
+            print('用时: {}'.format(timedelta))

apps/accounts/automations/change_secret/custom/ssh/main.yml

@@ -18,10 +18,7 @@
         become_user: "{{ custom_become_user | default('') }}"
         become_password: "{{ custom_become_password | default('') }}"
         become_private_key_path: "{{ custom_become_private_key_path | default(None) }}"
-        old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
-        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default(None) }}"
       register: ping_info
-      delegate_to: localhost
 
     - name: Change asset password (paramiko)
       custom_command:
@@ -43,7 +40,6 @@
       ignore_errors: true
       when: ping_info is succeeded
       register: change_info
-      delegate_to: localhost
 
     - name: Verify password (paramiko)
       ssh_ping:
@@ -51,11 +47,4 @@
         login_password: "{{ account.secret }}"
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
-        become: "{{ account.become.ansible_become | default(False) }}"
-        become_method: su
-        become_user: "{{ account.become.ansible_user | default('') }}"
-        become_password: "{{ account.become.ansible_password | default('') }}"
-        become_private_key_path: "{{ account.become.ansible_ssh_private_key_file | default(None) }}"
-        old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
-        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default(None) }}"
-      delegate_to: localhost
+        become: false

apps/accounts/automations/change_secret/custom/ssh/manifest.yml

@@ -6,27 +6,15 @@ category:
 type:
   - all
 method: change_secret
-protocol: ssh
-priority: 50
 params:
   - name: commands
     type: list
-    label: "{{ 'Params commands label' | trans }}"
+    label: '自定义命令'
     default: [ '' ]
-    help_text: "{{ 'Params commands help text' | trans }}"
+    help_text: '自定义命令中如需包含账号的 账号、密码、SSH 连接的用户密码 字段，<br />请使用 &#123;username&#125;、&#123;password&#125;、&#123;login_password&#125;格式，执行任务时会进行替换 。<br />比如针对 Cisco 主机进行改密，一般需要配置五条命令：<br />1. enable<br />2. &#123;login_password&#125;<br />3. configure terminal<br />4. username &#123;username&#125; privilege 0 password &#123;password&#125; <br />5. end'
 
 i18n:
   SSH account change secret:
-    zh: '使用 SSH 命令行自定义改密'
-    ja: 'SSH コマンドライン方式でカスタムパスワード変更'
-    en: 'Custom password change by SSH command line'
-
-  Params commands help text:
-    zh: '自定义命令中如需包含账号的 账号、密码、SSH 连接的用户密码 字段，<br />请使用 &#123;username&#125;、&#123;password&#125;、&#123;login_password&#125;格式，执行任务时会进行替换 。<br />比如针对 Cisco 主机进行改密，一般需要配置五条命令：<br />1. enable<br />2. &#123;login_password&#125;<br />3. configure terminal<br />4. username &#123;username&#125; privilege 0 password &#123;password&#125; <br />5. end'
-    ja: 'カスタム コマンドに SSH 接続用のアカウント番号、パスワード、ユーザー パスワード フィールドを含める必要がある場合は、<br />&#123;ユーザー名&#125;、&#123;パスワード&#125;、&#123;login_password& を使用してください。 # 125; 形式。タスクの実行時に置き換えられます。 <br />たとえば、Cisco ホストのパスワードを変更するには、通常、次の 5 つのコマンドを設定する必要があります:<br />1.enable<br />2.&#123;login_password&#125;<br />3 .ターミナルの設定<br / >4. ユーザー名 &#123;ユーザー名&#125; 権限 0 パスワード &#123;パスワード&#125; <br />5. 終了'
-    en: 'If the custom command needs to include the account number, password, and user password field for SSH connection,<br />Please use &#123;username&#125;, &#123;password&#125;, &#123;login_password&# 125; format, which will be replaced when executing the task. <br />For example, to change the password of a Cisco host, you generally need to configure five commands:<br />1. enable<br />2. &#123;login_password&#125;<br />3. configure terminal<br / >4. username &#123;username&#125; privilege 0 password &#123;password&#125; <br />5. end'
-
-  Params commands label:
-    zh: '自定义命令'
-    ja: 'カスタムコマンド'
-    en: 'Custom command'
+    zh: 使用 SSH 命令行自定义改密
+    ja: SSH コマンドライン方式でカスタムパスワード変更
+    en: Custom password change by SSH command line

apps/accounts/automations/change_secret/database/mongodb/main.yml

@@ -1,7 +1,7 @@
 - hosts: mongodb
   gather_facts: no
   vars:
-    ansible_python_interpreter: /opt/py3/bin/python
+    ansible_python_interpreter: /usr/local/bin/python
 
   tasks:
     - name: Test MongoDB connection
@@ -11,9 +11,9 @@
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
         login_database: "{{ jms_asset.spec_info.db_name }}"
-        ssl: "{{ jms_asset.spec_info.use_ssl | default('') }}"
-        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert | default('') }}"
-        ssl_certfile: "{{ jms_asset.secret_info.client_key | default('') }}"
+        ssl: "{{ jms_asset.spec_info.use_ssl }}"
+        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
+        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
         connection_options:
           - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
       register: db_info
@@ -31,8 +31,8 @@
         login_port: "{{ jms_asset.port }}"
         login_database: "{{ jms_asset.spec_info.db_name }}"
         ssl: "{{ jms_asset.spec_info.use_ssl }}"
-        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert | default('') }}"
-        ssl_certfile: "{{ jms_asset.secret_info.client_key | default('') }}"
+        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
+        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
         connection_options:
           - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
         db: "{{ jms_asset.spec_info.db_name }}"
@@ -49,7 +49,7 @@
         login_port: "{{ jms_asset.port }}"
         login_database: "{{ jms_asset.spec_info.db_name }}"
         ssl: "{{ jms_asset.spec_info.use_ssl }}"
-        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert | default('') }}"
-        ssl_certfile: "{{ jms_asset.secret_info.client_key | default('') }}"
+        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
+        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
         connection_options:
           - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"

apps/accounts/automations/change_secret/database/mysql/main.yml

@@ -1,9 +1,8 @@
 - hosts: mysql
   gather_facts: no
   vars:
-    ansible_python_interpreter: /opt/py3/bin/python
+    ansible_python_interpreter: /usr/local/bin/python
     db_name: "{{ jms_asset.spec_info.db_name }}"
-    check_ssl: "{{ jms_asset.spec_info.use_ssl and not jms_asset.spec_info.allow_invalid_cert }}"
 
   tasks:
     - name: Test MySQL connection
@@ -12,10 +11,6 @@
         login_password: "{{ jms_account.secret }}"
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
-        check_hostname: "{{ check_ssl if check_ssl else omit }}"
-        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) if check_ssl else omit }}"
-        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) if check_ssl else omit }}"
-        client_key: "{{ jms_asset.secret_info.client_key | default(omit) if check_ssl else omit }}"
         filter: version
       register: db_info
 
@@ -29,10 +24,6 @@
         login_password: "{{ jms_account.secret }}"
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
-        check_hostname: "{{ check_ssl if check_ssl else omit }}"
-        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) if check_ssl else omit }}"
-        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) if check_ssl else omit }}"
-        client_key: "{{ jms_asset.secret_info.client_key | default(omit) if check_ssl else omit }}"
         name: "{{ account.username }}"
         password: "{{ account.secret }}"
         host: "%"
@@ -46,8 +37,4 @@
         login_password: "{{ account.secret }}"
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
-        check_hostname: "{{ check_ssl if check_ssl else omit }}"
-        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) if check_ssl else omit }}"
-        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) if check_ssl else omit }}"
-        client_key: "{{ jms_asset.secret_info.client_key | default(omit) if check_ssl else omit }}"
         filter: version

apps/accounts/automations/change_secret/database/oracle/main.yml

@@ -1,7 +1,7 @@
 - hosts: oracle
   gather_facts: no
   vars:
-    ansible_python_interpreter: /opt/py3/bin/python
+    ansible_python_interpreter: /usr/local/bin/python
 
   tasks:
     - name: Test Oracle connection
@@ -39,4 +39,3 @@
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
         login_database: "{{ jms_asset.spec_info.db_name }}"
-        mode: "{{ account.mode }}"

apps/accounts/automations/change_secret/database/postgresql/main.yml

@@ -1,7 +1,7 @@
 - hosts: postgre
   gather_facts: no
   vars:
-    ansible_python_interpreter: /opt/py3/bin/python
+    ansible_python_interpreter: /usr/local/bin/python
 
   tasks:
     - name: Test PostgreSQL connection

apps/accounts/automations/change_secret/database/sqlserver/main.yml

@@ -1,7 +1,7 @@
 - hosts: sqlserver
   gather_facts: no
   vars:
-    ansible_python_interpreter: /opt/py3/bin/python
+    ansible_python_interpreter: /usr/local/bin/python
 
   tasks:
     - name: Test SQLServer connection
@@ -40,7 +40,7 @@
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
         name: '{{ jms_asset.spec_info.db_name }}'
-        script: "ALTER LOGIN {{ account.username }} WITH PASSWORD = '{{ account.secret }}', DEFAULT_DATABASE = {{ jms_asset.spec_info.db_name }}; select @@version"
+        script: "ALTER LOGIN {{ account.username }} WITH PASSWORD = '{{ account.secret }}'; select @@version"
       ignore_errors: true
       when: user_exist.query_results[0] | length != 0
 
@@ -51,7 +51,7 @@
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
         name: '{{ jms_asset.spec_info.db_name }}'
-        script: "CREATE LOGIN {{ account.username }} WITH PASSWORD = '{{ account.secret }}', DEFAULT_DATABASE = {{ jms_asset.spec_info.db_name }}; CREATE USER {{ account.username }} FOR LOGIN {{ account.username }}; select @@version"
+        script: "CREATE LOGIN {{ account.username }} WITH PASSWORD = '{{ account.secret }}'; select @@version"
       ignore_errors: true
       when: user_exist.query_results[0] | length == 0
 

apps/accounts/automations/change_secret/host/aix/main.yml

@@ -80,12 +80,7 @@
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
         gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
-        become: "{{ account.become.ansible_become | default(False) }}"
-        become_method: su
-        become_user: "{{ account.become.ansible_user | default('') }}"
-        become_password: "{{ account.become.ansible_password | default('') }}"
-        become_private_key_path: "{{ account.become.ansible_ssh_private_key_file | default(None) }}"
-        old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
+        become: false
       when: account.secret_type == "password"
       delegate_to: localhost
 
@@ -96,6 +91,6 @@
         login_user: "{{ account.username }}"
         login_private_key_path: "{{ account.private_key_path  }}"
         gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
-        old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
+        become: false
       when: account.secret_type == "ssh_key"
       delegate_to: localhost

apps/accounts/automations/change_secret/host/posix/main.yml

@@ -80,12 +80,7 @@
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
         gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
-        become: "{{ account.become.ansible_become | default(False) }}"
-        become_method: su
-        become_user: "{{ account.become.ansible_user | default('') }}"
-        become_password: "{{ account.become.ansible_password | default('') }}"
-        become_private_key_path: "{{ account.become.ansible_ssh_private_key_file | default(None) }}"
-        old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
+        become: false
       when: account.secret_type == "password"
       delegate_to: localhost
 
@@ -96,6 +91,6 @@
         login_user: "{{ account.username }}"
         login_private_key_path: "{{ account.private_key_path  }}"
         gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
-        old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
+        become: false
       when: account.secret_type == "ssh_key"
       delegate_to: localhost

apps/accounts/automations/change_secret/host/windows_rdp_verify/main.yml

@@ -1,35 +0,0 @@
-- hosts: demo
-  gather_facts: no
-  tasks:
-    - name: Test privileged account
-      ansible.windows.win_ping:
-
-#    - name: Print variables
-#      debug:
-#        msg: "Username: {{ account.username }}, Password: {{ account.secret }}"
-
-    - name: Change password
-      ansible.windows.win_user:
-        fullname: "{{ account.username}}"
-        name: "{{ account.username }}"
-        password: "{{ account.secret }}"
-        password_never_expires: yes
-        groups: "{{ params.groups }}"
-        groups_action: add
-        update_password: always
-      ignore_errors: true
-      when: account.secret_type == "password"
-
-    - name: Refresh connection
-      ansible.builtin.meta: reset_connection
-
-    - name: Verify password (pyfreerdp)
-      rdp_ping:
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.protocols | selectattr('name', 'equalto', 'rdp') | map(attribute='port') | first }}"
-        login_user: "{{ account.username }}"
-        login_password: "{{ account.secret }}"
-        login_secret_type: "{{ account.secret_type }}"
-        login_private_key_path: "{{ account.private_key_path }}"
-      when: account.secret_type == "password"
-      delegate_to: localhost

apps/accounts/automations/change_secret/host/windows_rdp_verify/manifest.yml

@@ -1,27 +0,0 @@
-id: change_secret_windows_rdp_verify
-name: "{{ 'Windows account change secret rdp verify' | trans }}"
-version: 1
-method: change_secret
-category: host
-type:
-  - windows
-priority: 49
-params:
-  - name: groups
-    type: str
-    label: '用户组'
-    default: 'Users,Remote Desktop Users'
-    help_text: "{{ 'Params groups help text' | trans }}"
-
-
-i18n:
-  Windows account change secret rdp verify:
-    zh: '使用 Ansible 模块 win_user 执行 Windows 账号改密 RDP 协议测试最后的可连接性'
-    ja: 'Ansibleモジュールwin_userはWindowsアカウントの改密RDPプロトコルテストの最後の接続性を実行する'
-    en: 'Using the Ansible module win_user performs Windows account encryption RDP protocol testing for final connectivity'
-
-  Params groups help text:
-    zh: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
-    ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
-    en: 'Please enter the group. Multiple groups are separated by commas (please enter the existing group)'
-

apps/accounts/automations/change_secret/manager.py

@@ -1,20 +1,20 @@
 import os
 import time
+from collections import defaultdict
 from copy import deepcopy
 
 from django.conf import settings
 from django.utils import timezone
-from django.utils.translation import gettext_lazy as _
-from xlsxwriter import Workbook
+from openpyxl import Workbook
 
-from accounts.const import AutomationTypes, SecretType, SSHKeyStrategy, SecretStrategy, ChangeSecretRecordStatusChoice
+from accounts.const import AutomationTypes, SecretType, SSHKeyStrategy, SecretStrategy
 from accounts.models import ChangeSecretRecord
-from accounts.notifications import ChangeSecretExecutionTaskMsg, ChangeSecretFailedMsg
+from accounts.notifications import ChangeSecretExecutionTaskMsg
 from accounts.serializers import ChangeSecretRecordBackUpSerializer
 from assets.const import HostTypes
 from common.utils import get_logger
 from common.utils.file import encrypt_and_compress_zip_file
-from common.utils.timezone import local_now_filename
+from common.utils.timezone import local_now_display
 from users.models import User
 from ..base.manager import AccountBasePlaybookManager
 from ...utils import SecretGenerator
@@ -27,7 +27,7 @@ class ChangeSecretManager(AccountBasePlaybookManager):
 
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
-        self.record_map = self.execution.snapshot.get('record_map', {})
+        self.method_hosts_mapper = defaultdict(list)
         self.secret_type = self.execution.snapshot.get('secret_type')
         self.secret_strategy = self.execution.snapshot.get(
             'secret_strategy', SecretStrategy.custom
@@ -50,9 +50,7 @@ class ChangeSecretManager(AccountBasePlaybookManager):
         kwargs['exclusive'] = 'yes' if kwargs['strategy'] == SSHKeyStrategy.set else 'no'
 
         if kwargs['strategy'] == SSHKeyStrategy.set_jms:
-            username = account.username
-            path = f'/{username}' if username == "root" else f'/home/{username}'
-            kwargs['dest'] = f'{path}/.ssh/authorized_keys'
+            kwargs['dest'] = '/home/{}/.ssh/authorized_keys'.format(account.username)
             kwargs['regexp'] = '.*{}$'.format(secret.split()[2].strip())
         return kwargs
 
@@ -98,13 +96,17 @@ class ChangeSecretManager(AccountBasePlaybookManager):
 
         accounts = self.get_accounts(account)
         if not accounts:
-            print('没有发现待处理的账号: %s 用户ID: %s 类型: %s' % (
+            print('没有发现待改密账号: %s 用户ID: %s 类型: %s' % (
                 asset.name, self.account_ids, self.secret_type
             ))
             return []
 
-        records = []
+        method_attr = getattr(automation, self.method_type() + '_method')
+        method_hosts = self.method_hosts_mapper[method_attr]
+        method_hosts = [h for h in method_hosts if h != host['name']]
         inventory_hosts = []
+        records = []
+
         if asset.type == HostTypes.WINDOWS and self.secret_type == SecretType.SSH_KEY:
             print(f'Windows {asset} does not support ssh key push')
             return inventory_hosts
@@ -114,30 +116,13 @@ class ChangeSecretManager(AccountBasePlaybookManager):
             h = deepcopy(host)
             secret_type = account.secret_type
             h['name'] += '(' + account.username + ')'
-            if self.secret_type is None:
-                new_secret = account.secret
-            else:
-                new_secret = self.get_secret(secret_type)
-
-            if new_secret is None:
-                print(f'new_secret is None, account: {account}')
-                continue
-
-            asset_account_id = f'{asset.id}-{account.id}'
-            if asset_account_id not in self.record_map:
-                recorder = ChangeSecretRecord(
-                    asset=asset, account=account, execution=self.execution,
-                    old_secret=account.secret, new_secret=new_secret,
-                )
-                records.append(recorder)
-            else:
-                record_id = self.record_map[asset_account_id]
-                try:
-                    recorder = ChangeSecretRecord.objects.get(id=record_id)
-                except ChangeSecretRecord.DoesNotExist:
-                    print(f"Record {record_id} not found")
-                    continue
+            new_secret = self.get_secret(secret_type)
 
+            recorder = ChangeSecretRecord(
+                asset=asset, account=account, execution=self.execution,
+                old_secret=account.secret, new_secret=new_secret,
+            )
+            records.append(recorder)
             self.name_recorder_mapper[h['name']] = recorder
 
             private_key_path = None
@@ -150,13 +135,14 @@ class ChangeSecretManager(AccountBasePlaybookManager):
                 'name': account.name,
                 'username': account.username,
                 'secret_type': secret_type,
-                'secret': account.escape_jinja2_syntax(new_secret),
-                'private_key_path': private_key_path,
-                'become': account.get_ansible_become_auth(),
+                'secret': new_secret,
+                'private_key_path': private_key_path
             }
             if asset.platform.type == 'oracle':
                 h['account']['mode'] = 'sysdba' if account.privileged else None
             inventory_hosts.append(h)
+            method_hosts.append(h['name'])
+        self.method_hosts_mapper[method_attr] = method_hosts
         ChangeSecretRecord.objects.bulk_create(records)
         return inventory_hosts
 
@@ -164,46 +150,27 @@ class ChangeSecretManager(AccountBasePlaybookManager):
         recorder = self.name_recorder_mapper.get(host)
         if not recorder:
             return
-        recorder.status = ChangeSecretRecordStatusChoice.success.value
+        recorder.status = 'success'
         recorder.date_finished = timezone.now()
-
+        recorder.save()
         account = recorder.account
         if not account:
             print("Account not found, deleted ?")
             return
         account.secret = recorder.new_secret
-        account.date_updated = timezone.now()
-
-        max_retries = 3
-        retry_count = 0
-
-        while retry_count < max_retries:
-            try:
-                recorder.save()
-                account.save(update_fields=['secret', 'version', 'date_updated'])
-                break
-            except Exception as e:
-                retry_count += 1
-                if retry_count == max_retries:
-                    self.on_host_error(host, str(e), result)
-                else:
-                    print(f'retry {retry_count} times for {host} recorder save error: {e}')
-                    time.sleep(1)
+        account.save(update_fields=['secret'])
 
     def on_host_error(self, host, error, result):
         recorder = self.name_recorder_mapper.get(host)
         if not recorder:
             return
-        recorder.status = ChangeSecretRecordStatusChoice.failed.value
+        recorder.status = 'failed'
         recorder.date_finished = timezone.now()
         recorder.error = error
-        try:
-            recorder.save()
-        except Exception as e:
-            print(f"\033[31m Save {host} recorder error: {e} \033[0m\n")
+        recorder.save()
 
     def on_runner_failed(self, runner, e):
-        logger.error("Account error: ", e)
+        logger.error("Change secret error: ", e)
 
     def check_secret(self):
         if self.secret_strategy == SecretStrategy.custom \
@@ -212,69 +179,35 @@ class ChangeSecretManager(AccountBasePlaybookManager):
             return False
         return True
 
-    @staticmethod
-    def get_summary(recorders):
-        total, succeed, failed = 0, 0, 0
-        for recorder in recorders:
-            if recorder.status == ChangeSecretRecordStatusChoice.success.value:
-                succeed += 1
-            else:
-                failed += 1
-            total += 1
-
-        summary = _('Success: %s, Failed: %s, Total: %s') % (succeed, failed, total)
-        return summary
-
     def run(self, *args, **kwargs):
-        if self.secret_type and not self.check_secret():
+        if not self.check_secret():
             return
         super().run(*args, **kwargs)
-        recorders = list(self.name_recorder_mapper.values())
-        summary = self.get_summary(recorders)
-        print(summary, end='')
-
-        if self.record_map:
-            return
-
-        failed_recorders = [
-            r for r in recorders
-            if r.status == ChangeSecretRecordStatusChoice.failed.value
-        ]
+        recorders = self.name_recorder_mapper.values()
+        recorders = list(recorders)
+        self.send_recorder_mail(recorders)
 
+    def send_recorder_mail(self, recorders):
         recipients = self.execution.recipients
+        if not recorders or not recipients:
+            return
+
         recipients = User.objects.filter(id__in=list(recipients.keys()))
-        if not recipients:
-            return
 
-        if failed_recorders:
-            name = self.execution.snapshot.get('name')
-            execution_id = str(self.execution.id)
-            _ids = [r.id for r in failed_recorders]
-            asset_account_errors = ChangeSecretRecord.objects.filter(
-                id__in=_ids).values_list('asset__name', 'account__username', 'error')
-
-            for user in recipients:
-                ChangeSecretFailedMsg(name, execution_id, user, asset_account_errors).publish()
-
-        if not recorders:
-            return
-
-        self.send_recorder_mail(recipients, recorders, summary)
-
-    def send_recorder_mail(self, recipients, recorders, summary):
         name = self.execution.snapshot['name']
         path = os.path.join(os.path.dirname(settings.BASE_DIR), 'tmp')
-        filename = os.path.join(path, f'{name}-{local_now_filename()}-{time.time()}.xlsx')
+        filename = os.path.join(path, f'{name}-{local_now_display()}-{time.time()}.xlsx')
         if not self.create_file(recorders, filename):
             return
 
         for user in recipients:
             attachments = []
             if user.secret_key:
-                attachment = os.path.join(path, f'{name}-{local_now_filename()}-{time.time()}.zip')
-                encrypt_and_compress_zip_file(attachment, user.secret_key, [filename])
+                password = user.secret_key.encode('utf8')
+                attachment = os.path.join(path, f'{name}-{local_now_display()}-{time.time()}.zip')
+                encrypt_and_compress_zip_file(attachment, password, [filename])
                 attachments = [attachment]
-            ChangeSecretExecutionTaskMsg(name, user, summary).publish(attachments)
+            ChangeSecretExecutionTaskMsg(name, user).publish(attachments)
         os.remove(filename)
 
     @staticmethod
@@ -289,9 +222,8 @@ class ChangeSecretManager(AccountBasePlaybookManager):
 
         rows.insert(0, header)
         wb = Workbook(filename)
-        ws = wb.add_worksheet('Sheet1')
-        for row_index, row_data in enumerate(rows):
-            for col_index, col_data in enumerate(row_data):
-                ws.write_string(row_index, col_index, col_data)
-        wb.close()
+        ws = wb.create_sheet('Sheet1')
+        for row in rows:
+            ws.append(row)
+        wb.save(filename)
         return True

apps/accounts/automations/endpoint.py

@@ -1,9 +1,8 @@
-from .backup_account.manager import AccountBackupManager
-from .change_secret.manager import ChangeSecretManager
-from .gather_accounts.manager import GatherAccountsManager
 from .push_account.manager import PushAccountManager
-from .remove_account.manager import RemoveAccountManager
+from .change_secret.manager import ChangeSecretManager
 from .verify_account.manager import VerifyAccountManager
+from .backup_account.manager import AccountBackupManager
+from .gather_accounts.manager import GatherAccountsManager
 from .verify_gateway_account.manager import VerifyGatewayAccountManager
 from ..const import AutomationTypes
 
@@ -13,7 +12,6 @@ class ExecutionManager:
         AutomationTypes.push_account: PushAccountManager,
         AutomationTypes.change_secret: ChangeSecretManager,
         AutomationTypes.verify_account: VerifyAccountManager,
-        AutomationTypes.remove_account: RemoveAccountManager,
         AutomationTypes.gather_accounts: GatherAccountsManager,
         AutomationTypes.verify_gateway_account: VerifyGatewayAccountManager,
         # TODO 后期迁移到自动化策略中

apps/accounts/automations/gather_accounts/database/mongodb/main.yml

@@ -1,7 +1,7 @@
 - hosts: mongodb
   gather_facts: no
   vars:
-    ansible_python_interpreter: /opt/py3/bin/python
+    ansible_python_interpreter: /usr/local/bin/python
 
   tasks:
     - name: Get info
@@ -12,8 +12,8 @@
         login_port: "{{ jms_asset.port }}"
         login_database: "{{ jms_asset.spec_info.db_name }}"
         ssl: "{{ jms_asset.spec_info.use_ssl }}"
-        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert | default('') }}"
-        ssl_certfile: "{{ jms_asset.secret_info.client_key | default('') }}"
+        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
+        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
         connection_options:
           - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
         filter: users

apps/accounts/automations/gather_accounts/database/mysql/main.yml

@@ -1,8 +1,7 @@
 - hosts: mysql
   gather_facts: no
   vars:
-    ansible_python_interpreter: /opt/py3/bin/python
-    check_ssl: "{{ jms_asset.spec_info.use_ssl and not jms_asset.spec_info.allow_invalid_cert }}"
+    ansible_python_interpreter: /usr/local/bin/python
 
   tasks:
     - name: Get info
@@ -11,10 +10,6 @@
         login_password: "{{ jms_account.secret }}"
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
-        check_hostname: "{{ check_ssl if check_ssl else omit }}"
-        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) if check_ssl else omit }}"
-        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) if check_ssl else omit }}"
-        client_key: "{{ jms_asset.secret_info.client_key | default(omit) if check_ssl else omit }}"
         filter: users
       register: db_info
 

apps/accounts/automations/gather_accounts/database/oracle/main.yml

@@ -1,7 +1,7 @@
 - hosts: oralce
   gather_facts: no
   vars:
-    ansible_python_interpreter: /opt/py3/bin/python
+    ansible_python_interpreter: /usr/local/bin/python
 
   tasks:
     - name: Get info

apps/accounts/automations/gather_accounts/database/postgresql/main.yml

@@ -1,7 +1,7 @@
 - hosts: postgresql
   gather_facts: no
   vars:
-    ansible_python_interpreter: /opt/py3/bin/python
+    ansible_python_interpreter: /usr/local/bin/python
 
   tasks:
     - name: Get info

apps/accounts/automations/gather_accounts/host/windows/main.yml

@@ -1,10 +1,9 @@
 - hosts: demo
   gather_facts: no
   tasks:
-    - name: Gather windows account
+    - name: Gather posix account
       ansible.builtin.win_shell: net user
       register: result
-      ignore_errors: true
 
     - name: Define info by set_fact
       ansible.builtin.set_fact:

apps/accounts/automations/gather_accounts/manager.py

@@ -1,14 +1,9 @@
-from collections import defaultdict
-
 from accounts.const import AutomationTypes
 from accounts.models import GatheredAccount
-from assets.models import Asset
 from common.utils import get_logger
 from orgs.utils import tmp_to_org
-from users.models import User
 from .filter import GatherAccountsFilter
 from ..base.manager import AccountBasePlaybookManager
-from ...notifications import GatherAccountChangeMsg
 
 logger = get_logger(__name__)
 
@@ -17,9 +12,6 @@ class GatherAccountsManager(AccountBasePlaybookManager):
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
         self.host_asset_mapper = {}
-        self.asset_account_info = {}
-
-        self.asset_username_mapper = defaultdict(set)
         self.is_sync_account = self.execution.snapshot.get('is_sync_account')
 
     @classmethod
@@ -34,11 +26,10 @@ class GatherAccountsManager(AccountBasePlaybookManager):
     def filter_success_result(self, tp, result):
         result = GatherAccountsFilter(tp).run(self.method_id_meta_mapper, result)
         return result
-
-    def generate_data(self, asset, result):
+    @staticmethod
+    def generate_data(asset, result):
         data = []
         for username, info in result.items():
-            self.asset_username_mapper[str(asset.id)].add(username)
             d = {'asset': asset, 'username': username, 'present': True}
             if info.get('date'):
                 d['date_last_login'] = info['date']
@@ -47,93 +38,26 @@ class GatherAccountsManager(AccountBasePlaybookManager):
             data.append(d)
         return data
 
-    def collect_asset_account_info(self, asset, result):
+    def update_or_create_accounts(self, asset, result):
         data = self.generate_data(asset, result)
-        self.asset_account_info[asset] = data
-
-    @staticmethod
-    def get_nested_info(data, *keys):
-        for key in keys:
-            data = data.get(key, {})
-            if not data:
-                break
-        return data
+        with tmp_to_org(asset.org_id):
+            gathered_accounts = []
+            GatheredAccount.objects.filter(asset=asset, present=True).update(present=False)
+            for d in data:
+                username = d['username']
+                gathered_account, __ = GatheredAccount.objects.update_or_create(
+                    defaults=d, asset=asset, username=username,
+                )
+                gathered_accounts.append(gathered_account)
+            if not self.is_sync_account:
+                return
+            GatheredAccount.sync_accounts(gathered_accounts)
 
     def on_host_success(self, host, result):
-        info = self.get_nested_info(result, 'debug', 'res', 'info')
+        info = result.get('debug', {}).get('res', {}).get('info', {})
         asset = self.host_asset_mapper.get(host)
         if asset and info:
             result = self.filter_success_result(asset.type, info)
-            self.collect_asset_account_info(asset, result)
+            self.update_or_create_accounts(asset, result)
         else:
-            print(f'\033[31m Not found {host} info \033[0m\n')
-
-    def update_or_create_accounts(self):
-        for asset, data in self.asset_account_info.items():
-            with tmp_to_org(asset.org_id):
-                gathered_accounts = []
-                GatheredAccount.objects.filter(asset=asset, present=True).update(present=False)
-                for d in data:
-                    username = d['username']
-                    gathered_account, __ = GatheredAccount.objects.update_or_create(
-                        defaults=d, asset=asset, username=username,
-                    )
-                    gathered_accounts.append(gathered_account)
-                if not self.is_sync_account:
-                    continue
-                GatheredAccount.sync_accounts(gathered_accounts)
-
-    def run(self, *args, **kwargs):
-        super().run(*args, **kwargs)
-        users, change_info = self.generate_send_users_and_change_info()
-        self.update_or_create_accounts()
-        self.send_email_if_need(users, change_info)
-
-    def generate_send_users_and_change_info(self):
-        recipients = self.execution.recipients
-        if not self.asset_username_mapper or not recipients:
-            return None, None
-
-        users = User.objects.filter(id__in=recipients)
-        if not users:
-            return users, None
-
-        asset_ids = self.asset_username_mapper.keys()
-        assets = Asset.objects.filter(id__in=asset_ids)
-        gather_accounts = GatheredAccount.objects.filter(asset_id__in=asset_ids, present=True)
-        asset_id_map = {str(asset.id): asset for asset in assets}
-        asset_id_username = list(assets.values_list('id', 'accounts__username'))
-        asset_id_username.extend(list(gather_accounts.values_list('asset_id', 'username')))
-
-        system_asset_username_mapper = defaultdict(set)
-        for asset_id, username in asset_id_username:
-            system_asset_username_mapper[str(asset_id)].add(username)
-
-        change_info = {}
-        for asset_id, usernames in self.asset_username_mapper.items():
-            system_usernames = system_asset_username_mapper.get(asset_id)
-
-            if not system_usernames:
-                continue
-
-            add_usernames = usernames - system_usernames
-            remove_usernames = system_usernames - usernames
-            k = f'{asset_id_map[asset_id]}[{asset_id}]'
-
-            if not add_usernames and not remove_usernames:
-                continue
-
-            change_info[k] = {
-                'add_usernames': ', '.join(add_usernames),
-                'remove_usernames': ', '.join(remove_usernames),
-            }
-
-        return users, change_info
-
-    @staticmethod
-    def send_email_if_need(users, change_info):
-        if not users or not change_info:
-            return
-
-        for user in users:
-            GatherAccountChangeMsg(user, change_info).publish_async()
+            logger.error("Not found info".format(host))

apps/accounts/automations/push_account/database/mongodb/main.yml

@@ -1,7 +1,7 @@
 - hosts: mongodb
   gather_facts: no
   vars:
-    ansible_python_interpreter: /opt/py3/bin/python
+    ansible_python_interpreter: /usr/local/bin/python
 
   tasks:
     - name: Test MongoDB connection
@@ -12,8 +12,8 @@
         login_port: "{{ jms_asset.port }}"
         login_database: "{{ jms_asset.spec_info.db_name }}"
         ssl: "{{ jms_asset.spec_info.use_ssl }}"
-        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert | default('') }}"
-        ssl_certfile: "{{ jms_asset.secret_info.client_key | default('') }}"
+        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
+        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
         connection_options:
           - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
       register: db_info
@@ -31,8 +31,8 @@
         login_port: "{{ jms_asset.port }}"
         login_database: "{{ jms_asset.spec_info.db_name }}"
         ssl: "{{ jms_asset.spec_info.use_ssl }}"
-        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert | default('') }}"
-        ssl_certfile: "{{ jms_asset.secret_info.client_key | default('') }}"
+        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
+        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
         connection_options:
           - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
         db: "{{ jms_asset.spec_info.db_name }}"
@@ -49,7 +49,7 @@
         login_port: "{{ jms_asset.port }}"
         login_database: "{{ jms_asset.spec_info.db_name }}"
         ssl: "{{ jms_asset.spec_info.use_ssl }}"
-        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert | default('') }}"
-        ssl_certfile: "{{ jms_asset.secret_info.client_key | default('') }}"
+        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
+        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
         connection_options:
           - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"

apps/accounts/automations/push_account/database/mysql/main.yml

@@ -1,9 +1,8 @@
 - hosts: mysql
   gather_facts: no
   vars:
-    ansible_python_interpreter: /opt/py3/bin/python
+    ansible_python_interpreter: /usr/local/bin/python
     db_name: "{{ jms_asset.spec_info.db_name }}"
-    check_ssl: "{{ jms_asset.spec_info.use_ssl and not jms_asset.spec_info.allow_invalid_cert }}"
 
   tasks:
     - name: Test MySQL connection
@@ -12,10 +11,6 @@
         login_password: "{{ jms_account.secret }}"
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
-        check_hostname: "{{ check_ssl if check_ssl else omit }}"
-        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) if check_ssl else omit }}"
-        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) if check_ssl else omit }}"
-        client_key: "{{ jms_asset.secret_info.client_key | default(omit) if check_ssl else omit }}"
         filter: version
       register: db_info
 
@@ -29,10 +24,6 @@
         login_password: "{{ jms_account.secret }}"
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
-        check_hostname: "{{ check_ssl if check_ssl else omit }}"
-        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) if check_ssl else omit }}"
-        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) if check_ssl else omit }}"
-        client_key: "{{ jms_asset.secret_info.client_key | default(omit) if check_ssl else omit }}"
         name: "{{ account.username }}"
         password: "{{ account.secret }}"
         host: "%"
@@ -46,8 +37,4 @@
         login_password: "{{ account.secret }}"
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
-        check_hostname: "{{ check_ssl if check_ssl else omit }}"
-        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) if check_ssl else omit }}"
-        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) if check_ssl else omit }}"
-        client_key: "{{ jms_asset.secret_info.client_key | default(omit) if check_ssl else omit }}"
         filter: version

apps/accounts/automations/push_account/database/oracle/main.yml

@@ -1,7 +1,7 @@
 - hosts: oracle
   gather_facts: no
   vars:
-    ansible_python_interpreter: /opt/py3/bin/python
+    ansible_python_interpreter: /usr/local/bin/python
 
   tasks:
     - name: Test Oracle connection
@@ -39,4 +39,3 @@
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
         login_database: "{{ jms_asset.spec_info.db_name }}"
-        mode: "{{ account.mode }}"

apps/accounts/automations/push_account/database/postgresql/main.yml

@@ -1,7 +1,7 @@
 - hosts: postgre
   gather_facts: no
   vars:
-    ansible_python_interpreter: /opt/py3/bin/python
+    ansible_python_interpreter: /usr/local/bin/python
 
   tasks:
     - name: Test PostgreSQL connection
@@ -31,7 +31,6 @@
         role_attr_flags: LOGIN
       ignore_errors: true
       when: result is succeeded
-      register: change_info
 
     - name: Verify password
       community.postgresql.postgresql_ping:
@@ -43,5 +42,3 @@
       when:
         - result is succeeded
         - change_info is succeeded
-      register: result
-      failed_when: not result.is_available

apps/accounts/automations/push_account/database/sqlserver/main.yml

@@ -1,7 +1,7 @@
 - hosts: sqlserver
   gather_facts: no
   vars:
-    ansible_python_interpreter: /opt/py3/bin/python
+    ansible_python_interpreter: /usr/local/bin/python
 
   tasks:
     - name: Test SQLServer connection
@@ -40,7 +40,7 @@
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
         name: '{{ jms_asset.spec_info.db_name }}'
-        script: "ALTER LOGIN {{ account.username }} WITH PASSWORD = '{{ account.secret }}', DEFAULT_DATABASE = {{ jms_asset.spec_info.db_name }}; select @@version"
+        script: "ALTER LOGIN {{ account.username }} WITH PASSWORD = '{{ account.secret }}'; select @@version"
       ignore_errors: true
       when: user_exist.query_results[0] | length != 0
       register: change_info
@@ -52,7 +52,7 @@
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
         name: '{{ jms_asset.spec_info.db_name }}'
-        script: "CREATE LOGIN [{{ account.username }}] WITH PASSWORD = '{{ account.secret }}'; CREATE USER [{{ account.username }}] FOR LOGIN [{{ account.username }}]; select @@version"
+        script: "CREATE LOGIN {{ account.username }} WITH PASSWORD = '{{ account.secret }}'; select @@version"
       ignore_errors: true
       when: user_exist.query_results[0] | length == 0
       register: change_info

apps/accounts/automations/push_account/host/aix/main.yml

@@ -80,12 +80,7 @@
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
         gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
-        become: "{{ account.become.ansible_become | default(False) }}"
-        become_method: su
-        become_user: "{{ account.become.ansible_user | default('') }}"
-        become_password: "{{ account.become.ansible_password | default('') }}"
-        become_private_key_path: "{{ account.become.ansible_ssh_private_key_file | default(None) }}"
-        old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
+        become: false
       when: account.secret_type == "password"
       delegate_to: localhost
 
@@ -96,7 +91,7 @@
         login_user: "{{ account.username }}"
         login_private_key_path: "{{ account.private_key_path  }}"
         gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
-        old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
+        become: false
       when: account.secret_type == "ssh_key"
       delegate_to: localhost
 

apps/accounts/automations/push_account/host/aix/manifest.yml

@@ -9,7 +9,7 @@ params:
     type: str
     label: 'Sudo'
     default: '/bin/whoami'
-    help_text: "{{ 'Params sudo help text' | trans }}"
+    help_text: '使用逗号分隔多个命令，如: /bin/whoami,/sbin/ifconfig'
 
   - name: shell
     type: str
@@ -18,44 +18,19 @@ params:
 
   - name: home
     type: str
-    label: "{{ 'Params home label' | trans }}"
+    label: '家目录'
     default: ''
-    help_text: "{{ 'Params home help text' | trans }}"
+    help_text: '默认家目录 /home/系统用户名: /home/username'
 
   - name: groups
     type: str
-    label: "{{ 'Params groups label' | trans }}"
+    label: '用户组'
     default: ''
-    help_text: "{{ 'Params groups help text' | trans }}"
+    help_text: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
 
 i18n:
   Aix account push:
-    zh: '使用 Ansible 模块 user 执行 Aix 账号推送 (DES)'
-    ja: 'Ansible user モジュールを使用して Aix アカウントをプッシュする (DES)'
-    en: 'Using Ansible module user to push account (DES)'
-
-  Params sudo help text:
-    zh: '使用逗号分隔多个命令，如: /bin/whoami,/sbin/ifconfig'
-    ja: 'コンマで区切って複数のコマンドを入力してください。例: /bin/whoami,/sbin/ifconfig'
-    en: 'Use commas to separate multiple commands, such as: /bin/whoami,/sbin/ifconfig'
-
-  Params home help text:
-    zh: '默认家目录 /home/{账号用户名}'
-    ja: 'デフォルトのホームディレクトリ /home/{アカウントユーザ名}'
-    en: 'Default home directory /home/{account username}'
-
-  Params groups help text:
-    zh: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
-    ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
-    en: 'Please enter the group. Multiple groups are separated by commas (please enter the existing group)'
-
-  Params home label:
-    zh: '家目录'
-    ja: 'ホームディレクトリ'
-    en: 'Home'
-
-  Params groups label:
-    zh: '用户组'
-    ja: 'グループ'
-    en: 'Groups'
+    zh: 使用 Ansible 模块 user 执行 Aix 账号推送 (DES)
+    ja: Ansible user モジュールを使用して Aix アカウントをプッシュする (DES)
+    en: Using Ansible module user to push account (DES)
 

apps/accounts/automations/push_account/host/posix/main.yml

@@ -80,12 +80,7 @@
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
         gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
-        become: "{{ account.become.ansible_become | default(False) }}"
-        become_method: su
-        become_user: "{{ account.become.ansible_user | default('') }}"
-        become_password: "{{ account.become.ansible_password | default('') }}"
-        become_private_key_path: "{{ account.become.ansible_ssh_private_key_file | default(None) }}"
-        old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
+        become: false
       when: account.secret_type == "password"
       delegate_to: localhost
 
@@ -96,7 +91,7 @@
         login_user: "{{ account.username }}"
         login_private_key_path: "{{ account.private_key_path  }}"
         gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
-        old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
+        become: false
       when: account.secret_type == "ssh_key"
       delegate_to: localhost
 

apps/accounts/automations/push_account/host/posix/manifest.yml

@@ -10,7 +10,7 @@ params:
     type: str
     label: 'Sudo'
     default: '/bin/whoami'
-    help_text: "{{ 'Params sudo help text' | trans }}"
+    help_text: '使用逗号分隔多个命令，如: /bin/whoami,/sbin/ifconfig'
 
   - name: shell
     type: str
@@ -20,43 +20,18 @@ params:
 
   - name: home
     type: str
-    label: "{{ 'Params home label' | trans }}"
+    label: '家目录'
     default: ''
-    help_text: "{{ 'Params home help text' | trans }}"
+    help_text: '默认家目录 /home/系统用户名: /home/username'
 
   - name: groups
     type: str
-    label: "{{ 'Params groups label' | trans }}"
+    label: '用户组'
     default: ''
-    help_text: "{{ 'Params groups help text' | trans }}"
+    help_text: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
 
 i18n:
   Posix account push:
-    zh: '使用 Ansible 模块 user 执行账号推送 (sha512)'
-    ja: 'Ansible user モジュールを使用してアカウントをプッシュする (sha512)'
-    en: 'Using Ansible module user to push account (sha512)'
-
-  Params sudo help text:
-    zh: '使用逗号分隔多个命令，如: /bin/whoami,/sbin/ifconfig'
-    ja: 'コンマで区切って複数のコマンドを入力してください。例: /bin/whoami,/sbin/ifconfig'
-    en: 'Use commas to separate multiple commands, such as: /bin/whoami,/sbin/ifconfig'
-
-  Params home help text:
-    zh: '默认家目录 /home/{账号用户名}'
-    ja: 'デフォルトのホームディレクトリ /home/{アカウントユーザ名}'
-    en: 'Default home directory /home/{account username}'
-
-  Params groups help text:
-    zh: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
-    ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
-    en: 'Please enter the group. Multiple groups are separated by commas (please enter the existing group)'
-
-  Params home label:
-    zh: '家目录'
-    ja: 'ホームディレクトリ'
-    en: 'Home'
-
-  Params groups label:
-    zh: '用户组'
-    ja: 'グループ'
-    en: 'Groups'
+    zh: 使用 Ansible 模块 user 执行账号推送 (sha512)
+    ja: Ansible user モジュールを使用してアカウントをプッシュする (sha512)
+    en: Using Ansible module user to push account (sha512)

apps/accounts/automations/push_account/host/windows/manifest.yml

@@ -10,15 +10,10 @@ params:
     type: str
     label: '用户组'
     default: 'Users,Remote Desktop Users'
-    help_text: "{{ 'Params groups help text' | trans }}"
+    help_text: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
 
 i18n:
   Windows account push:
-    zh: '使用 Ansible 模块 win_user 执行 Windows 账号推送'
-    ja: 'Ansible win_user モジュールを使用して Windows アカウントをプッシュする'
-    en: 'Using Ansible module win_user to push account'
-
-  Params groups help text:
-    zh: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
-    ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
-    en: 'Please enter the group. Multiple groups are separated by commas (please enter the existing group)'
+    zh: 使用 Ansible 模块 win_user 执行 Windows 账号推送
+    ja: Ansible win_user モジュールを使用して Windows アカウントをプッシュする
+    en: Using Ansible module win_user to push account

apps/accounts/automations/push_account/host/windows_rdp_verify/main.yml

@@ -1,35 +0,0 @@
-- hosts: demo
-  gather_facts: no
-  tasks:
-    - name: Test privileged account
-      ansible.windows.win_ping:
-
-#    - name: Print variables
-#      debug:
-#        msg: "Username: {{ account.username }}, Password: {{ account.secret }}"
-
-    - name: Push user password
-      ansible.windows.win_user:
-        fullname: "{{ account.username}}"
-        name: "{{ account.username }}"
-        password: "{{ account.secret }}"
-        password_never_expires: yes
-        groups: "{{ params.groups }}"
-        groups_action: add
-        update_password: always
-      ignore_errors: true
-      when: account.secret_type == "password"
-
-    - name: Refresh connection
-      ansible.builtin.meta: reset_connection
-
-    - name: Verify password (pyfreerdp)
-      rdp_ping:
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.protocols | selectattr('name', 'equalto', 'rdp') | map(attribute='port') | first }}"
-        login_user: "{{ account.username }}"
-        login_password: "{{ account.secret }}"
-        login_secret_type: "{{ account.secret_type }}"
-        login_private_key_path: "{{ account.private_key_path }}"
-      when: account.secret_type == "password"
-      delegate_to: localhost

apps/accounts/automations/push_account/host/windows_rdp_verify/manifest.yml

@@ -1,25 +0,0 @@
-id: push_account_windows_rdp_verify
-name: "{{ 'Windows account push rdp verify' | trans }}"
-version: 1
-method: push_account
-category: host
-type:
-  - windows
-priority: 49
-params:
-  - name: groups
-    type: str
-    label: '用户组'
-    default: 'Users,Remote Desktop Users'
-    help_text: "{{ 'Params groups help text' | trans }}"
-
-i18n:
-  Windows account push rdp verify:
-    zh: '使用 Ansible 模块 win_user 执行 Windows 账号推送（最后使用 Python 模块 pyfreerdp 验证账号的可连接性）'
-    ja: 'Ansible モジュール win_user を使用して Windows アカウントのプッシュを実行します (最後に Python モジュール pyfreerdp を使用してアカウントの接続性を確認します)'
-    en: 'Use the Ansible module win_user to perform Windows account push (finally use the Python module pyfreerdp to verify the connectability of the account)'
-
-  Params groups help text:
-    zh: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
-    ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
-    en: 'Please enter the group. Multiple groups are separated by commas (please enter the existing group)'

apps/accounts/automations/push_account/manager.py

@@ -1,4 +1,7 @@
-from accounts.const import AutomationTypes
+from copy import deepcopy
+
+from accounts.const import AutomationTypes, SecretType, Connectivity
+from assets.const import HostTypes
 from common.utils import get_logger
 from ..base.manager import AccountBasePlaybookManager
 from ..change_secret.manager import ChangeSecretManager
@@ -7,11 +10,83 @@ logger = get_logger(__name__)
 
 
 class PushAccountManager(ChangeSecretManager, AccountBasePlaybookManager):
+    ansible_account_prefer = ''
 
     @classmethod
     def method_type(cls):
         return AutomationTypes.push_account
 
+    def host_callback(self, host, asset=None, account=None, automation=None, path_dir=None, **kwargs):
+        host = super(ChangeSecretManager, self).host_callback(
+            host, asset=asset, account=account, automation=automation,
+            path_dir=path_dir, **kwargs
+        )
+        if host.get('error'):
+            return host
+
+        accounts = self.get_accounts(account)
+        inventory_hosts = []
+        if asset.type == HostTypes.WINDOWS and self.secret_type == SecretType.SSH_KEY:
+            msg = f'Windows {asset} does not support ssh key push'
+            print(msg)
+            return inventory_hosts
+
+        host['ssh_params'] = {}
+        for account in accounts:
+            h = deepcopy(host)
+            secret_type = account.secret_type
+            h['name'] += '(' + account.username + ')'
+            if self.secret_type is None:
+                new_secret = account.secret
+            else:
+                new_secret = self.get_secret(secret_type)
+
+            self.name_recorder_mapper[h['name']] = {
+                'account': account, 'new_secret': new_secret,
+            }
+
+            private_key_path = None
+            if secret_type == SecretType.SSH_KEY:
+                private_key_path = self.generate_private_key_path(new_secret, path_dir)
+                new_secret = self.generate_public_key(new_secret)
+
+            h['ssh_params'].update(self.get_ssh_params(account, new_secret, secret_type))
+            h['account'] = {
+                'name': account.name,
+                'username': account.username,
+                'secret_type': secret_type,
+                'secret': new_secret,
+                'private_key_path': private_key_path
+            }
+            if asset.platform.type == 'oracle':
+                h['account']['mode'] = 'sysdba' if account.privileged else None
+            inventory_hosts.append(h)
+        return inventory_hosts
+
+    def on_host_success(self, host, result):
+        account_info = self.name_recorder_mapper.get(host)
+        if not account_info:
+            return
+
+        account = account_info['account']
+        new_secret = account_info['new_secret']
+        if not account:
+            return
+        account.secret = new_secret
+        account.save(update_fields=['secret'])
+        account.set_connectivity(Connectivity.OK)
+
+    def on_host_error(self, host, error, result):
+        pass
+
+    def on_runner_failed(self, runner, e):
+        logger.error("Pust account error: ", e)
+
+    def run(self, *args, **kwargs):
+        if self.secret_type and not self.check_secret():
+            return
+        super(ChangeSecretManager, self).run(*args, **kwargs)
+
     # @classmethod
     # def trigger_by_asset_create(cls, asset):
     #     automations = PushAccountAutomation.objects.filter(

apps/accounts/automations/remove_account/database/mongodb/main.yml

@@ -1,21 +0,0 @@
-- hosts: mongodb
-  gather_facts: no
-  vars:
-    ansible_python_interpreter: /opt/py3/bin/python
-
-  tasks:
-    - name: "Remove account"
-      mongodb_user:
-        login_user: "{{ jms_account.username }}"
-        login_password: "{{ jms_account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        login_database: "{{ jms_asset.spec_info.db_name }}"
-        ssl: "{{ jms_asset.spec_info.use_ssl }}"
-        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert | default('') }}"
-        ssl_certfile: "{{ jms_asset.secret_info.client_key | default('') }}"
-        connection_options:
-          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
-        db: "{{ jms_asset.spec_info.db_name }}"
-        name: "{{ account.username }}"
-        state: absent

apps/accounts/automations/remove_account/database/mongodb/manifest.yml

@@ -1,12 +0,0 @@
-id: remove_account_mongodb
-name: "{{ 'MongoDB account remove' | trans }}"
-category: database
-type:
-  - mongodb
-method: remove_account
-
-i18n:
-  MongoDB account remove:
-    zh: 使用 Ansible 模块 mongodb 删除账号
-    ja: Ansible モジュール mongodb を使用してアカウントを削除する
-    en: Delete account using Ansible module mongodb

apps/accounts/automations/remove_account/database/mysql/main.yml

@@ -1,18 +0,0 @@
-- hosts: mysql
-  gather_facts: no
-  vars:
-    ansible_python_interpreter: /opt/py3/bin/python
-
-  tasks:
-    - name: "Remove account"
-      community.mysql.mysql_user:
-        login_user: "{{ jms_account.username }}"
-        login_password: "{{ jms_account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        check_hostname: "{{ check_ssl if check_ssl else omit }}"
-        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) if check_ssl else omit }}"
-        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) if check_ssl else omit }}"
-        client_key: "{{ jms_asset.secret_info.client_key | default(omit) if check_ssl else omit }}"
-        name: "{{ account.username }}"
-        state: absent

apps/accounts/automations/remove_account/database/mysql/manifest.yml

@@ -1,14 +0,0 @@
-id: remove_account_mysql
-name: "{{ 'MySQL account remove' | trans }}"
-category: database
-type:
-  - mysql
-  - mariadb
-method: remove_account
-
-i18n:
-  MySQL account remove:
-    zh: 使用 Ansible 模块 mysql_user 删除账号
-    ja: Ansible モジュール mysql_user を使用してアカウントを削除します
-    en: Use the Ansible module mysql_user to delete the account
-

apps/accounts/automations/remove_account/database/oracle/main.yml

@@ -1,16 +0,0 @@
-- hosts: oracle
-  gather_facts: no
-  vars:
-    ansible_python_interpreter: /opt/py3/bin/python
-
-  tasks:
-    - name: "Remove account"
-      oracle_user:
-        login_user: "{{ jms_account.username }}"
-        login_password: "{{ jms_account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        login_database: "{{ jms_asset.spec_info.db_name }}"
-        mode: "{{ jms_account.mode }}"
-        name: "{{ account.username }}"
-        state: absent

apps/accounts/automations/remove_account/database/oracle/manifest.yml

@@ -1,12 +0,0 @@
-id: remove_account_oracle
-name: "{{ 'Oracle account remove' | trans }}"
-category: database
-type:
-  - oracle
-method: remove_account
-
-i18n:
-  Oracle account remove:
-    zh: 使用 Python 模块 oracledb 删除账号
-    ja: Python モジュール oracledb を使用してアカウントを検証する
-    en: Using Python module oracledb to verify account

apps/accounts/automations/remove_account/database/postgresql/main.yml

@@ -1,15 +0,0 @@
-- hosts: postgresql
-  gather_facts: no
-  vars:
-    ansible_python_interpreter: /opt/py3/bin/python
-
-  tasks:
-    - name: "Remove account"
-      community.postgresql.postgresql_user:
-        login_user: "{{ jms_account.username }}"
-        login_password: "{{ jms_account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        db: "{{ jms_asset.spec_info.db_name }}"
-        name: "{{ account.username }}"
-        state: absent

apps/accounts/automations/remove_account/database/postgresql/manifest.yml

@@ -1,12 +0,0 @@
-id: remove_account_postgresql
-name: "{{ 'PostgreSQL account remove' | trans }}"
-category: database
-type:
-  - postgresql
-method: remove_account
-
-i18n:
-  PostgreSQL account remove:
-    zh: 使用 Ansible 模块 postgresql_user 删除账号
-    ja: Ansible モジュール postgresql_user を使用してアカウントを削除します
-    en: Use the Ansible module postgresql_user to delete the account

apps/accounts/automations/remove_account/database/sqlserver/main.yml

@@ -1,14 +0,0 @@
-- hosts: sqlserver
-  gather_facts: no
-  vars:
-    ansible_python_interpreter: /opt/py3/bin/python
-
-  tasks:
-    - name: "Remove account"
-      community.general.mssql_script:
-        login_user: "{{ jms_account.username }}"
-        login_password: "{{ jms_account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        name: "{{ jms_asset.spec_info.db_name }}"
-        script: "DROP USER {{ account.username }}"

apps/accounts/automations/remove_account/database/sqlserver/manifest.yml

@@ -1,12 +0,0 @@
-id: remove_account_sqlserver
-name: "{{ 'SQLServer account remove' | trans }}"
-category: database
-type:
-  - sqlserver
-method: remove_account
-
-i18n:
-  SQLServer account remove:
-    zh: 使用 Ansible 模块 mssql 删除账号
-    ja: Ansible モジュール mssql を使用してアカウントを削除する
-    en: Use Ansible module mssql to delete account

apps/accounts/automations/remove_account/host/posix/main.yml

@@ -1,26 +0,0 @@
-- hosts: demo
-  gather_facts: no
-  tasks:
-    - name: "Get user home directory path"
-      ansible.builtin.shell:
-        cmd: "getent passwd {{ account.username }} | cut -d: -f6"
-      register: user_home_dir
-      ignore_errors: yes
-
-    - name: "Check if user home directory exists"
-      ansible.builtin.stat:
-        path: "{{ user_home_dir.stdout }}"
-      register: home_dir
-      when: user_home_dir.stdout != ""
-
-    - name: "Rename user home directory if it exists"
-      ansible.builtin.command:
-        cmd: "mv {{ user_home_dir.stdout }} {{ user_home_dir.stdout }}.bak"
-      when: home_dir.stat | default(false) and user_home_dir.stdout != ""
-
-    - name: "Remove account"
-      ansible.builtin.user:
-        name: "{{ account.username }}"
-        state: absent
-        remove: "{{ home_dir.stat.exists }}"
-      when: home_dir.stat | default(false)

apps/accounts/automations/remove_account/host/posix/manifest.yml

@@ -1,13 +0,0 @@
-id: remove_account_posix
-name: "{{ 'Posix account remove' | trans }}"
-category: host
-type:
-  - linux
-  - unix
-method: remove_account
-
-i18n:
-  Posix account remove:
-    zh: 使用 Ansible 模块 user 删除账号
-    ja: Ansible モジュール ユーザーを使用してアカウントを削除します
-    en: Use the Ansible module user to delete the account

apps/accounts/automations/remove_account/host/windows/main.yml

@@ -1,9 +0,0 @@
-- hosts: windows
-  gather_facts: no
-  tasks:
-    - name: "Remove account"
-      ansible.windows.win_user:
-        name: "{{ account.username }}"
-        state: absent
-        purge: yes
-        force: yes

apps/accounts/automations/remove_account/host/windows/manifest.yml

@@ -1,13 +0,0 @@
-id: remove_account_windows
-name: "{{ 'Windows account remove' | trans }}"
-version: 1
-method: remove_account
-category: host
-type:
-  - windows
-
-i18n:
-  Windows account remove:
-    zh: 使用 Ansible 模块 win_user 删除账号
-    ja: Ansible モジュール win_user を使用してアカウントを削除する
-    en: Use the Ansible module win_user to delete an account

apps/accounts/automations/remove_account/manager.py

@@ -1,70 +0,0 @@
-import os
-from copy import deepcopy
-
-from django.db.models import QuerySet
-
-from accounts.const import AutomationTypes
-from accounts.models import Account
-from common.utils import get_logger
-from ..base.manager import AccountBasePlaybookManager
-
-logger = get_logger(__name__)
-
-
-class RemoveAccountManager(AccountBasePlaybookManager):
-
-    def __init__(self, *args, **kwargs):
-        super().__init__(*args, **kwargs)
-        self.host_account_mapper = {}
-
-    def prepare_runtime_dir(self):
-        path = super().prepare_runtime_dir()
-        ansible_config_path = os.path.join(path, 'ansible.cfg')
-
-        with open(ansible_config_path, 'w') as f:
-            f.write('[ssh_connection]\n')
-            f.write('ssh_args = -o ControlMaster=no -o ControlPersist=no\n')
-        return path
-
-    @classmethod
-    def method_type(cls):
-        return AutomationTypes.remove_account
-
-    def get_gather_accounts(self, privilege_account, gather_accounts: QuerySet):
-        gather_account_ids = self.execution.snapshot['gather_accounts']
-        gather_accounts = gather_accounts.filter(id__in=gather_account_ids)
-        gather_accounts = gather_accounts.exclude(
-            username__in=[privilege_account.username, 'root', 'Administrator']
-        )
-        return gather_accounts
-
-    def host_callback(self, host, asset=None, account=None, automation=None, path_dir=None, **kwargs):
-        if host.get('error'):
-            return host
-
-        gather_accounts = asset.gatheredaccount_set.all()
-        gather_accounts = self.get_gather_accounts(account, gather_accounts)
-
-        inventory_hosts = []
-
-        for gather_account in gather_accounts:
-            h = deepcopy(host)
-            h['name'] += '(' + gather_account.username + ')'
-            self.host_account_mapper[h['name']] = (asset, gather_account)
-            h['account'] = {'username': gather_account.username}
-            inventory_hosts.append(h)
-        return inventory_hosts
-
-    def on_host_success(self, host, result):
-        tuple_asset_gather_account = self.host_account_mapper.get(host)
-        if not tuple_asset_gather_account:
-            return
-        asset, gather_account = tuple_asset_gather_account
-        try:
-            Account.objects.filter(
-                asset_id=asset.id,
-                username=gather_account.username
-            ).delete()
-            gather_account.delete()
-        except Exception as e:
-            print(f'\033[31m Delete account {gather_account.username} failed: {e} \033[0m\n')

apps/accounts/automations/verify_account/custom/rdp/main.yml

@@ -3,7 +3,6 @@
   vars:
     ansible_shell_type: sh
     ansible_connection: local
-    ansible_python_interpreter: /opt/py3/bin/python
 
   tasks:
     - name: Verify account (pyfreerdp)

apps/accounts/automations/verify_account/custom/rdp/manifest.yml

@@ -5,11 +5,9 @@ category:
 type:
   - windows
 method: verify_account
-protocol: rdp
-priority: 1
 
 i18n:
   Windows rdp account verify:
-    zh: '使用 Python 模块 pyfreerdp 验证账号'
-    ja: 'Python モジュール pyfreerdp を使用してアカウントを検証する'
-    en: 'Using Python module pyfreerdp to verify account'
+    zh: 使用 Python 模块 pyfreerdp 验证账号
+    ja: Python モジュール pyfreerdp を使用してアカウントを検証する
+    en: Using Python module pyfreerdp to verify account

apps/accounts/automations/verify_account/custom/ssh/main.yml

@@ -2,7 +2,6 @@
   gather_facts: no
   vars:
     ansible_connection: local
-    ansible_shell_type: sh
     ansible_become: false
 
   tasks:
@@ -14,10 +13,8 @@
         login_password: "{{ account.secret }}"
         login_secret_type: "{{ account.secret_type }}"
         login_private_key_path: "{{ account.private_key_path }}"
-        become: "{{ account.become.ansible_become | default(False) }}"
-        become_method: "{{ account.become.ansible_become_method | default('su') }}"
-        become_user: "{{ account.become.ansible_user | default('') }}"
-        become_password: "{{ account.become.ansible_password | default('') }}"
-        become_private_key_path: "{{ account.become.ansible_ssh_private_key_file | default(None) }}"
-        old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
-        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default(None) }}"
+        become: "{{ custom_become | default(False) }}"
+        become_method: "{{ custom_become_method | default('su') }}"
+        become_user: "{{ custom_become_user | default('') }}"
+        become_password: "{{ custom_become_password | default('') }}"
+        become_private_key_path: "{{ custom_become_private_key_path | default(None) }}"

apps/accounts/automations/verify_account/custom/ssh/manifest.yml

@@ -6,11 +6,9 @@ category:
 type:
   - all
 method: verify_account
-protocol: ssh
-priority: 50
 
 i18n:
   SSH account verify:
-    zh: '使用 Python 模块 paramiko 验证账号'
-    ja: 'Python モジュール paramiko を使用してアカウントを検証する'
-    en: 'Using Python module paramiko to verify account'
+    zh: 使用 Python 模块 paramiko 验证账号
+    ja: Python モジュール paramiko を使用してアカウントを検証する
+    en: Using Python module paramiko to verify account

apps/accounts/automations/verify_account/database/mongodb/main.yml

@@ -1,7 +1,7 @@
-- hosts: mongodb
+- hosts: mongdb
   gather_facts: no
   vars:
-    ansible_python_interpreter: /opt/py3/bin/python
+    ansible_python_interpreter: /usr/local/bin/python
 
   tasks:
     - name: Verify account
@@ -12,7 +12,7 @@
         login_port: "{{ jms_asset.port }}"
         login_database: "{{ jms_asset.spec_info.db_name }}"
         ssl: "{{ jms_asset.spec_info.use_ssl }}"
-        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert | default('') }}"
-        ssl_certfile: "{{ jms_asset.secret_info.client_key | default('') }}"
+        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
+        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
         connection_options:
-          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert }}"
+          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"

apps/accounts/automations/verify_account/database/mysql/main.yml

@@ -1,8 +1,7 @@
 - hosts: mysql
   gather_facts: no
   vars:
-    ansible_python_interpreter: /opt/py3/bin/python
-    check_ssl: "{{ jms_asset.spec_info.use_ssl and not jms_asset.spec_info.allow_invalid_cert }}"
+    ansible_python_interpreter: /usr/local/bin/python
 
   tasks:
     - name: Verify account
@@ -11,8 +10,4 @@
         login_password: "{{ account.secret }}"
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
-        check_hostname: "{{ check_ssl if check_ssl else omit }}"
-        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) if check_ssl else omit }}"
-        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) if check_ssl else omit }}"
-        client_key: "{{ jms_asset.secret_info.client_key | default(omit) if check_ssl else omit }}"
         filter: version

apps/accounts/automations/verify_account/database/oracle/main.yml

@@ -1,7 +1,7 @@
 - hosts: oracle
   gather_facts: no
   vars:
-    ansible_python_interpreter: /opt/py3/bin/python
+    ansible_python_interpreter: /usr/local/bin/python
 
   tasks:
     - name: Verify account

apps/accounts/automations/verify_account/database/postgresql/main.yml

@@ -1,7 +1,8 @@
 - hosts: postgresql
   gather_facts: no
   vars:
-    ansible_python_interpreter: /opt/py3/bin/python
+    ansible_python_interpreter: /usr/local/bin/python
+
 
   tasks:
     - name: Verify account

apps/accounts/automations/verify_account/database/sqlserver/main.yml

@@ -1,7 +1,7 @@
 - hosts: sqlserver
   gather_facts: no
   vars:
-    ansible_python_interpreter: /opt/py3/bin/python
+    ansible_python_interpreter: /usr/local/bin/python
 
   tasks:
     - name: Verify account

apps/accounts/automations/verify_account/host/posix/main.yml

@@ -1,23 +1,11 @@
 - hosts: demo
   gather_facts: no
   tasks:
-    - name: Verify account connectivity(Do not switch)
+    - name: Verify account connectivity
+      become: no
       ansible.builtin.ping:
       vars:
         ansible_become: no
         ansible_user: "{{ account.username }}"
         ansible_password: "{{ account.secret }}"
         ansible_ssh_private_key_file: "{{ account.private_key_path }}"
-      when: not account.become.ansible_become
-
-    - name: Verify account connectivity(Switch)
-      ansible.builtin.ping:
-      vars:
-        ansible_become: yes
-        ansible_user: "{{ account.become.ansible_user }}"
-        ansible_password: "{{ account.become.ansible_password }}"
-        ansible_ssh_private_key_file: "{{ account.become.ansible_ssh_private_key_file }}"
-        ansible_become_method: "{{ account.become.ansible_become_method }}"
-        ansible_become_user: "{{ account.become.ansible_become_user }}"
-        ansible_become_password: "{{ account.become.ansible_become_password }}"
-      when: account.become.ansible_become

apps/accounts/automations/verify_account/manager.py

@@ -42,6 +42,7 @@ class VerifyAccountManager(AccountBasePlaybookManager):
         if host.get('error'):
             return host
 
+        # host['ssh_args'] = '-o ControlMaster=no -o ControlPersist=no'
         accounts = asset.accounts.all()
         accounts = self.get_accounts(account, accounts)
         inventory_hosts = []
@@ -51,9 +52,6 @@ class VerifyAccountManager(AccountBasePlaybookManager):
             h['name'] += '(' + account.username + ')'
             self.host_account_mapper[h['name']] = account
             secret = account.secret
-            if secret is None:
-                print(f'account {account.name} secret is None')
-                continue
 
             private_key_path = None
             if account.secret_type == SecretType.SSH_KEY:
@@ -65,9 +63,8 @@ class VerifyAccountManager(AccountBasePlaybookManager):
                 'name': account.name,
                 'username': account.username,
                 'secret_type': account.secret_type,
-                'secret': account.escape_jinja2_syntax(secret),
-                'private_key_path': private_key_path,
-                'become': account.get_ansible_become_auth(),
+                'secret': secret,
+                'private_key_path': private_key_path
             }
             if account.platform.type == 'oracle':
                 h['account']['mode'] = 'sysdba' if account.privileged else None
@@ -76,14 +73,8 @@ class VerifyAccountManager(AccountBasePlaybookManager):
 
     def on_host_success(self, host, result):
         account = self.host_account_mapper.get(host)
-        try:
-            account.set_connectivity(Connectivity.OK)
-        except Exception as e:
-            print(f'\033[31m Update account {account.name} connectivity failed: {e} \033[0m\n')
+        account.set_connectivity(Connectivity.OK)
 
     def on_host_error(self, host, error, result):
         account = self.host_account_mapper.get(host)
-        try:
-            account.set_connectivity(Connectivity.ERR)
-        except Exception as e:
-            print(f'\033[31m Update account {account.name} connectivity failed: {e} \033[0m\n')
+        account.set_connectivity(Connectivity.ERR)

apps/accounts/const/account.py

@@ -15,7 +15,6 @@ class AliasAccount(TextChoices):
     INPUT = '@INPUT', _('Manual input')
     USER = '@USER', _('Dynamic user')
     ANON = '@ANON', _('Anonymous account')
-    SPEC = '@SPEC', _('Specified account')
 
     @classmethod
     def virtual_choices(cls):

apps/accounts/const/automation.py

@@ -4,19 +4,17 @@ from django.utils.translation import gettext_lazy as _
 from assets.const import Connectivity
 from common.db.fields import TreeChoices
 
+string_punctuation = '!#$%&()*+,-.:;<=>?@[]^_~'
 DEFAULT_PASSWORD_LENGTH = 30
 DEFAULT_PASSWORD_RULES = {
     'length': DEFAULT_PASSWORD_LENGTH,
-    'uppercase': True,
-    'lowercase': True,
-    'digit': True,
-    'symbol': True,
+    'symbol_set': string_punctuation
 }
 
 __all__ = [
     'AutomationTypes', 'SecretStrategy', 'SSHKeyStrategy', 'Connectivity',
     'DEFAULT_PASSWORD_LENGTH', 'DEFAULT_PASSWORD_RULES', 'TriggerChoice',
-    'PushAccountActionChoice', 'AccountBackupType', 'ChangeSecretRecordStatusChoice',
+    'PushAccountActionChoice',
 ]
 
 
@@ -24,7 +22,6 @@ class AutomationTypes(models.TextChoices):
     push_account = 'push_account', _('Push account')
     change_secret = 'change_secret', _('Change secret')
     verify_account = 'verify_account', _('Verify account')
-    remove_account = 'remove_account', _('Remove account')
     gather_accounts = 'gather_accounts', _('Gather accounts')
     verify_gateway_account = 'verify_gateway_account', _('Verify gateway account')
 
@@ -44,8 +41,8 @@ class AutomationTypes(models.TextChoices):
 
 
 class SecretStrategy(models.TextChoices):
-    custom = 'specific', _('Specific secret')
-    random = 'random', _('Random generate')
+    custom = 'specific', _('Specific password')
+    random = 'random', _('Random')
 
 
 class SSHKeyStrategy(models.TextChoices):
@@ -96,16 +93,3 @@ class TriggerChoice(models.TextChoices, TreeChoices):
 class PushAccountActionChoice(models.TextChoices):
     create_and_push = 'create_and_push', _('Create and push')
     only_create = 'only_create', _('Only create')
-
-
-class AccountBackupType(models.TextChoices):
-    """Backup type"""
-    email = 'email', _('Email')
-    # 目前只支持sftp方式
-    object_storage = 'object_storage', _('SFTP')
-
-
-class ChangeSecretRecordStatusChoice(models.TextChoices):
-    failed = 'failed', _('Failed')
-    success = 'success', _('Success')
-    pending = 'pending', _('Pending')

apps/accounts/filters.py

@@ -5,7 +5,7 @@ from django_filters import rest_framework as drf_filters
 
 from assets.models import Node
 from common.drf.filters import BaseFilterSet
-from .models import Account, GatheredAccount, ChangeSecretRecord
+from .models import Account, GatheredAccount
 
 
 class AccountFilterSet(BaseFilterSet):
@@ -51,8 +51,6 @@ class AccountFilterSet(BaseFilterSet):
 
 class GatheredAccountFilterSet(BaseFilterSet):
     node_id = drf_filters.CharFilter(method='filter_nodes')
-    asset_id = drf_filters.CharFilter(field_name='asset_id', lookup_expr='exact')
-    asset_name = drf_filters.CharFilter(field_name='asset__name', lookup_expr='icontains')
 
     @staticmethod
     def filter_nodes(queryset, name, value):
@@ -60,14 +58,4 @@ class GatheredAccountFilterSet(BaseFilterSet):
 
     class Meta:
         model = GatheredAccount
-        fields = ['id', 'username']
-
-
-class ChangeSecretRecordFilterSet(BaseFilterSet):
-    asset_name = drf_filters.CharFilter(field_name='asset__name', lookup_expr='icontains')
-    account_username = drf_filters.CharFilter(field_name='account__username', lookup_expr='icontains')
-    execution_id = drf_filters.CharFilter(field_name='execution_id', lookup_expr='exact')
-
-    class Meta:
-        model = ChangeSecretRecord
-        fields = ['id', 'status', 'asset_id', 'execution']
+        fields = ['id', 'asset_id', 'username']

apps/accounts/migrations/0003_automation.py

@@ -38,7 +38,7 @@ class Migration(migrations.Migration):
                 'verbose_name': 'Automation execution',
                 'verbose_name_plural': 'Automation executions',
                 'permissions': [('view_changesecretexecution', 'Can view change secret execution'),
-                                ('add_changesecretexecution', 'Can add change secret execution'),
+                                ('add_changesecretexection', 'Can add change secret execution'),
                                 ('view_gatheraccountsexecution', 'Can view gather accounts execution'),
                                 ('add_gatheraccountsexecution', 'Can add gather accounts execution')],
                 'proxy': True,
@@ -116,7 +116,7 @@ class Migration(migrations.Migration):
                 ('new_secret', common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='New secret')),
                 ('date_started', models.DateTimeField(blank=True, null=True, verbose_name='Date started')),
                 ('date_finished', models.DateTimeField(blank=True, null=True, verbose_name='Date finished')),
-                ('status', models.CharField(default='pending', max_length=16, verbose_name='Status')),
+                ('status', models.CharField(default='pending', max_length=16)),
                 ('error', models.TextField(blank=True, null=True, verbose_name='Error')),
                 ('account',
                  models.ForeignKey(null=True, on_delete=django.db.models.deletion.CASCADE, to='accounts.account')),
@@ -184,7 +184,7 @@ class Migration(migrations.Migration):
         migrations.AlterModelOptions(
             name='automationexecution',
             options={'permissions': [('view_changesecretexecution', 'Can view change secret execution'),
-                                     ('add_changesecretexecution', 'Can add change secret execution'),
+                                     ('add_changesecretexection', 'Can add change secret execution'),
                                      ('view_gatheraccountsexecution', 'Can view gather accounts execution'),
                                      ('add_gatheraccountsexecution', 'Can add gather accounts execution'),
                                      ('view_pushaccountexecution', 'Can view push account execution'),

apps/accounts/migrations/0004_auto_20230106_1507.py

@@ -13,11 +13,11 @@ class Migration(migrations.Migration):
         migrations.AlterField(
             model_name='changesecretautomation',
             name='secret_strategy',
-            field=models.CharField(choices=[('specific', 'Specific secret'), ('random', 'Random generate')], default='specific', max_length=16, verbose_name='Secret strategy'),
+            field=models.CharField(choices=[('specific', 'Specific password'), ('random', 'Random')], default='specific', max_length=16, verbose_name='Secret strategy'),
         ),
         migrations.AlterField(
             model_name='pushaccountautomation',
             name='secret_strategy',
-            field=models.CharField(choices=[('specific', 'Specific secret'), ('random', 'Random generate')], default='specific', max_length=16, verbose_name='Secret strategy'),
+            field=models.CharField(choices=[('specific', 'Specific password'), ('random', 'Random')], default='specific', max_length=16, verbose_name='Secret strategy'),
         ),
     ]

apps/accounts/migrations/0007_alter_account_options.py

@@ -4,6 +4,7 @@ from django.db import migrations
 
 
 class Migration(migrations.Migration):
+
     dependencies = [
         ('accounts', '0006_gatheredaccount'),
     ]
@@ -11,13 +12,6 @@ class Migration(migrations.Migration):
     operations = [
         migrations.AlterModelOptions(
             name='account',
-            options={'permissions': [
-                ('view_accountsecret', 'Can view asset account secret'),
-                ('view_historyaccount', 'Can view asset history account'),
-                ('view_historyaccountsecret', 'Can view asset history account secret'),
-                ('verify_account', 'Can verify account'),
-                ('push_account', 'Can push account'),
-                ('remove_account', 'Can remove account'),
-            ], 'verbose_name': 'Account'},
+            options={'permissions': [('view_accountsecret', 'Can view asset account secret'), ('view_historyaccount', 'Can view asset history account'), ('view_historyaccountsecret', 'Can view asset history account secret'), ('verify_account', 'Can verify account'), ('push_account', 'Can push account')], 'verbose_name': 'Account'},
         ),
     ]

apps/accounts/migrations/0014_virtualaccount.py

@@ -1,8 +1,7 @@
 # Generated by Django 4.1.10 on 2023-08-01 09:12
 
-import uuid
-
 from django.db import migrations, models
+import uuid
 
 
 class Migration(migrations.Migration):
@@ -21,7 +20,7 @@ class Migration(migrations.Migration):
                 ('date_updated', models.DateTimeField(auto_now=True, verbose_name='Date updated')),
                 ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
                 ('org_id', models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization')),
-                ('alias', models.CharField(choices=[('@INPUT', 'Manual input'), ('@USER', 'Dynamic user'), ('@ANON', 'Anonymous account'), ('@SPEC', 'Specified account')], max_length=128, verbose_name='Alias')),
+                ('alias', models.CharField(choices=[('@INPUT', 'Manual input'), ('@USER', 'Dynamic user'), ('@ANON', 'Anonymous account')], max_length=128, verbose_name='Alias')),
                 ('secret_from_login', models.BooleanField(default=None, null=True, verbose_name='Secret from login')),
             ],
             options={

apps/accounts/migrations/0015_auto_20230825_1120.py

@@ -1,34 +0,0 @@
-# Generated by Django 4.1.10 on 2023-08-25 03:19
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('assets', '0122_auto_20230803_1553'),
-        ('accounts', '0014_virtualaccount'),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name='accounttemplate',
-            name='auto_push',
-            field=models.BooleanField(default=False, verbose_name='Auto push'),
-        ),
-        migrations.AddField(
-            model_name='accounttemplate',
-            name='platforms',
-            field=models.ManyToManyField(related_name='account_templates', to='assets.platform', verbose_name='Platforms', blank=True),
-        ),
-        migrations.AddField(
-            model_name='accounttemplate',
-            name='push_params',
-            field=models.JSONField(default=dict, verbose_name='Push params'),
-        ),
-        migrations.AddField(
-            model_name='accounttemplate',
-            name='secret_strategy',
-            field=models.CharField(choices=[('specific', 'Specific secret'), ('random', 'Random generate')], default='specific', max_length=16, verbose_name='Secret strategy'),
-        ),
-    ]

apps/accounts/migrations/0016_accounttemplate_password_rules.py

@@ -1,18 +0,0 @@
-# Generated by Django 4.1.10 on 2023-09-18 08:09
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('accounts', '0015_auto_20230825_1120'),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name='accounttemplate',
-            name='password_rules',
-            field=models.JSONField(default=dict, verbose_name='Password rules'),
-        ),
-    ]

apps/accounts/migrations/0017_alter_automationexecution_options.py

@@ -1,25 +0,0 @@
-# Generated by Django 4.1.10 on 2023-10-24 05:59
-
-from django.db import migrations
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ('accounts', '0016_accounttemplate_password_rules'),
-    ]
-
-    operations = [
-        migrations.AlterModelOptions(
-            name='automationexecution',
-            options={
-                'permissions': [
-                    ('view_changesecretexecution', 'Can view change secret execution'),
-                    ('add_changesecretexecution', 'Can add change secret execution'),
-                    ('view_gatheraccountsexecution', 'Can view gather accounts execution'),
-                    ('add_gatheraccountsexecution', 'Can add gather accounts execution'),
-                    ('view_pushaccountexecution', 'Can view push account execution'),
-                    ('add_pushaccountexecution', 'Can add push account execution')
-                ],
-                'verbose_name': 'Automation execution', 'verbose_name_plural': 'Automation executions'},
-        ),
-    ]

apps/accounts/migrations/0018_accountbackupautomation_backup_type_and_more.py

@@ -1,45 +0,0 @@
-# Generated by Django 4.1.10 on 2023-11-03 07:10
-
-import common.db.fields
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('terminal', '0067_alter_replaystorage_type'),
-        ('accounts', '0017_alter_automationexecution_options'),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name='accountbackupautomation',
-            name='backup_type',
-            field=models.CharField(choices=[('email', 'Email'), ('object_storage', 'Object Storage')], default='email', max_length=128),
-        ),
-        migrations.AddField(
-            model_name='accountbackupautomation',
-            name='is_password_divided_by_email',
-            field=models.BooleanField(default=True),
-        ),
-        migrations.AddField(
-            model_name='accountbackupautomation',
-            name='is_password_divided_by_obj_storage',
-            field=models.BooleanField(default=True),
-        ),
-        migrations.AddField(
-            model_name='accountbackupautomation',
-            name='obj_recipients_part_one',
-            field=models.ManyToManyField(blank=True, related_name='obj_recipient_part_one_plans', to='terminal.replaystorage', verbose_name='Object Storage Recipient part one'),
-        ),
-        migrations.AddField(
-            model_name='accountbackupautomation',
-            name='obj_recipients_part_two',
-            field=models.ManyToManyField(blank=True, related_name='obj_recipient_part_two_plans', to='terminal.replaystorage', verbose_name='Object Storage Recipient part two'),
-        ),
-        migrations.AddField(
-            model_name='accountbackupautomation',
-            name='zip_encrypt_password',
-            field=common.db.fields.EncryptCharField(blank=True, max_length=4096, null=True, verbose_name='Zip Encrypt Password'),
-        ),
-    ]

apps/accounts/migrations/0019_gatheraccountsautomation_recipients.py

@@ -1,20 +0,0 @@
-# Generated by Django 4.1.10 on 2023-10-31 06:12
-
-from django.conf import settings
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
-        ('accounts', '0018_accountbackupautomation_backup_type_and_more'),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name='gatheraccountsautomation',
-            name='recipients',
-            field=models.ManyToManyField(blank=True, to=settings.AUTH_USER_MODEL, verbose_name='Recipient'),
-        ),
-    ]

apps/accounts/migrations/0020_alter_accountbackupautomation_backup_type_and_more.py

@@ -1,28 +0,0 @@
-# Generated by Django 4.1.10 on 2023-11-16 02:13
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('accounts', '0019_gatheraccountsautomation_recipients'),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name='accountbackupautomation',
-            name='backup_type',
-            field=models.CharField(choices=[('email', 'Email'), ('object_storage', 'SFTP')], default='email', max_length=128, verbose_name='Backup Type'),
-        ),
-        migrations.AlterField(
-            model_name='accountbackupautomation',
-            name='is_password_divided_by_email',
-            field=models.BooleanField(default=True, verbose_name='Is Password Divided'),
-        ),
-        migrations.AlterField(
-            model_name='accountbackupautomation',
-            name='is_password_divided_by_obj_storage',
-            field=models.BooleanField(default=True, verbose_name='Is Password Divided'),
-        ),
-    ]

apps/accounts/mixins.py

@@ -1,75 +0,0 @@
-from rest_framework.response import Response
-from rest_framework import status
-from django.utils import translation
-from django.utils.translation import gettext_noop
-
-from audits.const import ActionChoices
-from common.views.mixins import RecordViewLogMixin
-from common.utils import i18n_fmt
-
-
-class AccountRecordViewLogMixin(RecordViewLogMixin):
-    get_object: callable
-    get_queryset: callable
-
-    @staticmethod
-    def _filter_params(params):
-        new_params = {}
-        need_pop_params = ('format', 'order')
-        for key, value in params.items():
-            if key in need_pop_params:
-                continue
-            if isinstance(value, list):
-                value = list(filter(None, value))
-            if value:
-                new_params[key] = value
-        return new_params
-
-    def get_resource_display(self, request):
-        query_params = dict(request.query_params)
-        params = self._filter_params(query_params)
-
-        spm_filter = params.pop("spm", None)
-
-        if not params and not spm_filter:
-            display_message = gettext_noop("Export all")
-        elif spm_filter:
-            display_message = gettext_noop("Export only selected items")
-        else:
-            query = ",".join(
-                ["%s=%s" % (key, value) for key, value in params.items()]
-            )
-            display_message = i18n_fmt(gettext_noop("Export filtered: %s"), query)
-        return display_message
-
-    @property
-    def detail_msg(self):
-        return i18n_fmt(
-            gettext_noop('User %s view/export secret'), self.request.user
-        )
-
-    def list(self, request, *args, **kwargs):
-        list_func = getattr(super(), 'list')
-        if not callable(list_func):
-            return Response(status=status.HTTP_405_METHOD_NOT_ALLOWED)
-        response = list_func(request, *args, **kwargs)
-        with translation.override('en'):
-            resource_display = self.get_resource_display(request)
-            ids = [q.id for q in self.get_queryset()]
-            self.record_logs(
-                ids, ActionChoices.view, self.detail_msg, resource_display=resource_display
-            )
-        return response
-
-    def retrieve(self, request, *args, **kwargs):
-        retrieve_func = getattr(super(), 'retrieve')
-        if not callable(retrieve_func):
-            return Response(status=status.HTTP_405_METHOD_NOT_ALLOWED)
-        response = retrieve_func(request, *args, **kwargs)
-        with translation.override('en'):
-            resource = self.get_object()
-            self.record_logs(
-                [resource.id], ActionChoices.view, self.detail_msg, resource=resource
-            )
-        return response
-

apps/accounts/models/__init__.py

@@ -1,5 +1,5 @@
-from .account import *  # noqa
-from .base import *  # noqa
-from .automations import *  # noqa
-from .template import *  # noqa
-from .virtual import *  # noqa
+from .account import *
+from .automations import *
+from .base import *
+from .template import *
+from .virtual import *

apps/accounts/models/account.py

@@ -4,7 +4,6 @@ from simple_history.models import HistoricalRecords
 
 from assets.models.base import AbsConnectivity
 from common.utils import lazyproperty
-from labels.mixins import LabeledMixin
 from .base import BaseAccount
 from .mixins import VaultModelMixin
 from ..const import Source
@@ -43,7 +42,7 @@ class AccountHistoricalRecords(HistoricalRecords):
         return super().create_history_model(model, inherited)
 
 
-class Account(AbsConnectivity, LabeledMixin, BaseAccount):
+class Account(AbsConnectivity, BaseAccount):
     asset = models.ForeignKey(
         'assets.Asset', related_name='accounts',
         on_delete=models.CASCADE, verbose_name=_('Asset')
@@ -69,15 +68,10 @@ class Account(AbsConnectivity, LabeledMixin, BaseAccount):
             ('view_historyaccountsecret', _('Can view asset history account secret')),
             ('verify_account', _('Can verify account')),
             ('push_account', _('Can push account')),
-            ('remove_account', _('Can remove account')),
         ]
 
     def __str__(self):
-        if self.asset_id:
-            host = self.asset.name
-        else:
-            host = 'Dynamic'
-        return '{}({})'.format(self.name, host)
+        return '{}'.format(self.username)
 
     @lazyproperty
     def platform(self):
@@ -101,48 +95,6 @@ class Account(AbsConnectivity, LabeledMixin, BaseAccount):
         """ 排除自己和以自己为 su-from 的账号 """
         return self.asset.accounts.exclude(id=self.id).exclude(su_from=self)
 
-    def make_account_ansible_vars(self, su_from):
-        var = {
-            'ansible_user': su_from.username,
-        }
-        if not su_from.secret:
-            return var
-        var['ansible_password'] = self.escape_jinja2_syntax(su_from.secret)
-        var['ansible_ssh_private_key_file'] = su_from.private_key_path
-        return var
-
-    def get_ansible_become_auth(self):
-        su_from = self.su_from
-        platform = self.platform
-        auth = {'ansible_become': False}
-        if not (platform.su_enabled and su_from):
-            return auth
-
-        auth.update(self.make_account_ansible_vars(su_from))
-        become_method = platform.su_method if platform.su_method else 'sudo'
-        password = su_from.secret if become_method == 'sudo' else self.secret
-        auth['ansible_become'] = True
-        auth['ansible_become_method'] = become_method
-        auth['ansible_become_user'] = self.username
-        auth['ansible_become_password'] = self.escape_jinja2_syntax(password)
-        return auth
-
-    @staticmethod
-    def escape_jinja2_syntax(value):
-        if not isinstance(value, str):
-            return value
-
-        def escape(v):
-            v = v.replace('{{', '__TEMP_OPEN_BRACES__') \
-                .replace('}}', '__TEMP_CLOSE_BRACES__')
-
-            v = v.replace('__TEMP_OPEN_BRACES__', '{{ "{{" }}') \
-                .replace('__TEMP_CLOSE_BRACES__', '{{ "}}" }}')
-
-            return v.replace('{%', '{{ "{%" }}').replace('%}', '{{ "%}" }}')
-
-        return escape(value)
-
 
 def replace_history_model_with_mixin():
     """

apps/accounts/models/automations/backup_account.py

@@ -8,11 +8,10 @@ from django.db import models
 from django.db.models import F
 from django.utils.translation import gettext_lazy as _
 
-from accounts.const import AccountBackupType
 from common.const.choices import Trigger
-from common.db import fields
 from common.db.encoder import ModelJSONFieldEncoder
-from common.utils import get_logger, lazyproperty
+from common.utils import get_logger
+from common.utils import lazyproperty
 from ops.mixin import PeriodTaskModelMixin
 from orgs.mixins.models import OrgModelMixin, JMSOrgBaseModel
 
@@ -23,10 +22,6 @@ logger = get_logger(__file__)
 
 class AccountBackupAutomation(PeriodTaskModelMixin, JMSOrgBaseModel):
     types = models.JSONField(default=list)
-    backup_type = models.CharField(max_length=128, choices=AccountBackupType.choices,
-                                   default=AccountBackupType.email.value, verbose_name=_('Backup Type'))
-    is_password_divided_by_email = models.BooleanField(default=True, verbose_name=_('Is Password Divided'))
-    is_password_divided_by_obj_storage = models.BooleanField(default=True, verbose_name=_('Is Password Divided'))
     recipients_part_one = models.ManyToManyField(
         'users.User', related_name='recipient_part_one_plans', blank=True,
         verbose_name=_("Recipient part one")
@@ -35,16 +30,6 @@ class AccountBackupAutomation(PeriodTaskModelMixin, JMSOrgBaseModel):
         'users.User', related_name='recipient_part_two_plans', blank=True,
         verbose_name=_("Recipient part two")
     )
-    obj_recipients_part_one = models.ManyToManyField(
-        'terminal.ReplayStorage', related_name='obj_recipient_part_one_plans', blank=True,
-        verbose_name=_("Object Storage Recipient part one")
-    )
-    obj_recipients_part_two = models.ManyToManyField(
-        'terminal.ReplayStorage', related_name='obj_recipient_part_two_plans', blank=True,
-        verbose_name=_("Object Storage Recipient part two")
-    )
-    zip_encrypt_password = fields.EncryptCharField(max_length=4096, blank=True, null=True,
-                                                   verbose_name=_('Zip Encrypt Password'))
 
     def __str__(self):
         return f'{self.name}({self.org_id})'
@@ -64,7 +49,6 @@ class AccountBackupAutomation(PeriodTaskModelMixin, JMSOrgBaseModel):
 
     def to_attr_json(self):
         return {
-            'id': self.id,
             'name': self.name,
             'is_periodic': self.is_periodic,
             'interval': self.interval,
@@ -72,10 +56,6 @@ class AccountBackupAutomation(PeriodTaskModelMixin, JMSOrgBaseModel):
             'org_id': self.org_id,
             'created_by': self.created_by,
             'types': self.types,
-            'backup_type': self.backup_type,
-            'is_password_divided_by_email': self.is_password_divided_by_email,
-            'is_password_divided_by_obj_storage': self.is_password_divided_by_obj_storage,
-            'zip_encrypt_password': self.zip_encrypt_password,
             'recipients_part_one': {
                 str(user.id): (str(user), bool(user.secret_key))
                 for user in self.recipients_part_one.all()
@@ -83,15 +63,7 @@ class AccountBackupAutomation(PeriodTaskModelMixin, JMSOrgBaseModel):
             'recipients_part_two': {
                 str(user.id): (str(user), bool(user.secret_key))
                 for user in self.recipients_part_two.all()
-            },
-            'obj_recipients_part_one': {
-                str(obj_storage.id): (str(obj_storage.name), str(obj_storage.type))
-                for obj_storage in self.obj_recipients_part_one.all()
-            },
-            'obj_recipients_part_two': {
-                str(obj_storage.id): (str(obj_storage.name), str(obj_storage.type))
-                for obj_storage in self.obj_recipients_part_two.all()
-            },
+            }
         }
 
     @property

apps/accounts/models/automations/base.py

@@ -1,15 +1,12 @@
-from django.db import models
 from django.utils.translation import gettext_lazy as _
 
-from accounts.const import SSHKeyStrategy
-from accounts.models import Account, SecretWithRandomMixin
 from accounts.tasks import execute_account_automation_task
 from assets.models.automations import (
     BaseAutomation as AssetBaseAutomation,
     AutomationExecution as AssetAutomationExecution
 )
 
-__all__ = ['AccountBaseAutomation', 'AutomationExecution', 'ChangeSecretMixin']
+__all__ = ['AccountBaseAutomation', 'AutomationExecution']
 
 
 class AccountBaseAutomation(AssetBaseAutomation):
@@ -33,7 +30,7 @@ class AutomationExecution(AssetAutomationExecution):
         verbose_name_plural = _("Automation executions")
         permissions = [
             ('view_changesecretexecution', _('Can view change secret execution')),
-            ('add_changesecretexecution', _('Can add change secret execution')),
+            ('add_changesecretexection', _('Can add change secret execution')),
 
             ('view_gatheraccountsexecution', _('Can view gather accounts execution')),
             ('add_gatheraccountsexecution', _('Can add gather accounts execution')),
@@ -46,40 +43,3 @@ class AutomationExecution(AssetAutomationExecution):
         from accounts.automations.endpoint import ExecutionManager
         manager = ExecutionManager(execution=self)
         return manager.run()
-
-
-class ChangeSecretMixin(SecretWithRandomMixin):
-    ssh_key_change_strategy = models.CharField(
-        choices=SSHKeyStrategy.choices, max_length=16,
-        default=SSHKeyStrategy.add, verbose_name=_('SSH key change strategy')
-    )
-    get_all_assets: callable  # get all assets
-
-    class Meta:
-        abstract = True
-
-    def create_nonlocal_accounts(self, usernames, asset):
-        pass
-
-    def get_account_ids(self):
-        usernames = self.accounts
-        accounts = Account.objects.none()
-        for asset in self.get_all_assets():
-            self.create_nonlocal_accounts(usernames, asset)
-            accounts = accounts | asset.accounts.all()
-        account_ids = accounts.filter(
-            username__in=usernames, secret_type=self.secret_type
-        ).values_list('id', flat=True)
-        return [str(_id) for _id in account_ids]
-
-    def to_attr_json(self):
-        attr_json = super().to_attr_json()
-        attr_json.update({
-            'secret': self.secret,
-            'secret_type': self.secret_type,
-            'accounts': self.get_account_ids(),
-            'password_rules': self.password_rules,
-            'secret_strategy': self.secret_strategy,
-            'ssh_key_change_strategy': self.ssh_key_change_strategy,
-        })
-        return attr_json

apps/accounts/models/automations/change_secret.py

@@ -2,13 +2,62 @@ from django.db import models
 from django.utils.translation import gettext_lazy as _
 
 from accounts.const import (
-    AutomationTypes, ChangeSecretRecordStatusChoice
+    AutomationTypes, SecretType, SecretStrategy, SSHKeyStrategy
 )
+from accounts.models import Account
 from common.db import fields
 from common.db.models import JMSBaseModel
-from .base import AccountBaseAutomation, ChangeSecretMixin
+from .base import AccountBaseAutomation
 
-__all__ = ['ChangeSecretAutomation', 'ChangeSecretRecord', ]
+__all__ = ['ChangeSecretAutomation', 'ChangeSecretRecord', 'ChangeSecretMixin']
+
+
+class ChangeSecretMixin(models.Model):
+    secret_type = models.CharField(
+        choices=SecretType.choices, max_length=16,
+        default=SecretType.PASSWORD, verbose_name=_('Secret type')
+    )
+    secret = fields.EncryptTextField(blank=True, null=True, verbose_name=_('Secret'))
+    secret_strategy = models.CharField(
+        choices=SecretStrategy.choices, max_length=16,
+        default=SecretStrategy.custom, verbose_name=_('Secret strategy')
+    )
+    password_rules = models.JSONField(default=dict, verbose_name=_('Password rules'))
+    ssh_key_change_strategy = models.CharField(
+        choices=SSHKeyStrategy.choices, max_length=16,
+        default=SSHKeyStrategy.add, verbose_name=_('SSH key change strategy')
+    )
+
+    get_all_assets: callable  # get all assets
+
+    class Meta:
+        abstract = True
+
+    def create_nonlocal_accounts(self, usernames, asset):
+        pass
+
+    def get_account_ids(self):
+        usernames = self.accounts
+        accounts = Account.objects.none()
+        for asset in self.get_all_assets():
+            self.create_nonlocal_accounts(usernames, asset)
+            accounts = accounts | asset.accounts.all()
+        account_ids = accounts.filter(
+            username__in=usernames, secret_type=self.secret_type
+        ).values_list('id', flat=True)
+        return [str(_id) for _id in account_ids]
+
+    def to_attr_json(self):
+        attr_json = super().to_attr_json()
+        attr_json.update({
+            'secret': self.secret,
+            'secret_type': self.secret_type,
+            'accounts': self.get_account_ids(),
+            'password_rules': self.password_rules,
+            'secret_strategy': self.secret_strategy,
+            'ssh_key_change_strategy': self.ssh_key_change_strategy,
+        })
+        return attr_json
 
 
 class ChangeSecretAutomation(ChangeSecretMixin, AccountBaseAutomation):
@@ -40,10 +89,7 @@ class ChangeSecretRecord(JMSBaseModel):
     new_secret = fields.EncryptTextField(blank=True, null=True, verbose_name=_('New secret'))
     date_started = models.DateTimeField(blank=True, null=True, verbose_name=_('Date started'))
     date_finished = models.DateTimeField(blank=True, null=True, verbose_name=_('Date finished'))
-    status = models.CharField(
-        max_length=16, verbose_name=_('Status'),
-        default=ChangeSecretRecordStatusChoice.pending.value
-    )
+    status = models.CharField(max_length=16, default='pending')
     error = models.TextField(blank=True, null=True, verbose_name=_('Error'))
 
     class Meta:
@@ -52,3 +98,9 @@ class ChangeSecretRecord(JMSBaseModel):
 
     def __str__(self):
         return self.account.__str__()
+
+    @property
+    def timedelta(self):
+        if self.date_started and self.date_finished:
+            return self.date_finished - self.date_started
+        return None

apps/accounts/models/automations/gather_account.py

@@ -55,15 +55,11 @@ class GatherAccountsAutomation(AccountBaseAutomation):
     is_sync_account = models.BooleanField(
         default=False, blank=True, verbose_name=_("Is sync account")
     )
-    recipients = models.ManyToManyField('users.User', verbose_name=_("Recipient"), blank=True)
 
     def to_attr_json(self):
         attr_json = super().to_attr_json()
         attr_json.update({
             'is_sync_account': self.is_sync_account,
-            'recipients': [
-                str(recipient.id) for recipient in self.recipients.all()
-            ]
         })
         return attr_json
 

apps/accounts/models/automations/push_account.py

@@ -1,9 +1,9 @@
-from django.conf import settings
 from django.db import models
 from django.utils.translation import gettext_lazy as _
 
 from accounts.const import AutomationTypes
 from accounts.models import Account
+from jumpserver.utils import has_valid_xpack_license
 from .base import AccountBaseAutomation
 from .change_secret import ChangeSecretMixin
 
@@ -17,9 +17,9 @@ class PushAccountAutomation(ChangeSecretMixin, AccountBaseAutomation):
 
     def create_nonlocal_accounts(self, usernames, asset):
         secret_type = self.secret_type
-        account_usernames = asset.accounts \
-            .filter(secret_type=self.secret_type) \
-            .values_list('username', flat=True)
+        account_usernames = asset.accounts.filter(secret_type=self.secret_type).values_list(
+            'username', flat=True
+        )
         create_usernames = set(usernames) - set(account_usernames)
         create_account_objs = [
             Account(
@@ -30,6 +30,9 @@ class PushAccountAutomation(ChangeSecretMixin, AccountBaseAutomation):
         ]
         Account.objects.bulk_create(create_account_objs)
 
+    def set_period_schedule(self):
+        pass
+
     @property
     def dynamic_username(self):
         return self.username == '@USER'
@@ -41,7 +44,7 @@ class PushAccountAutomation(ChangeSecretMixin, AccountBaseAutomation):
 
     def save(self, *args, **kwargs):
         self.type = AutomationTypes.push_account
-        if not settings.XPACK_LICENSE_IS_VALID:
+        if not has_valid_xpack_license():
             self.is_periodic = False
         super().save(*args, **kwargs)
 

apps/accounts/models/base.py

@@ -8,14 +8,12 @@ from django.conf import settings
 from django.db import models
 from django.utils.translation import gettext_lazy as _
 
-from accounts.const import SecretType, SecretStrategy
-from accounts.models.mixins import VaultModelMixin, VaultManagerMixin, VaultQuerySetMixin
-from accounts.utils import SecretGenerator
-from common.db import fields
+from accounts.const import SecretType
 from common.utils import (
     ssh_key_string_to_obj, ssh_key_gen, get_logger,
     random_string, lazyproperty, parse_ssh_public_key_str, is_openssh_format_key
 )
+from accounts.models.mixins import VaultModelMixin, VaultManagerMixin, VaultQuerySetMixin
 from orgs.mixins.models import JMSOrgBaseModel, OrgManager
 
 logger = get_logger(__file__)
@@ -31,35 +29,6 @@ class BaseAccountManager(VaultManagerMixin, OrgManager):
         return self.get_queryset().active()
 
 
-class SecretWithRandomMixin(models.Model):
-    secret_type = models.CharField(
-        choices=SecretType.choices, max_length=16,
-        default=SecretType.PASSWORD, verbose_name=_('Secret type')
-    )
-    secret = fields.EncryptTextField(blank=True, null=True, verbose_name=_('Secret'))
-    secret_strategy = models.CharField(
-        choices=SecretStrategy.choices, max_length=16,
-        default=SecretStrategy.custom, verbose_name=_('Secret strategy')
-    )
-    password_rules = models.JSONField(default=dict, verbose_name=_('Password rules'))
-
-    class Meta:
-        abstract = True
-
-    @lazyproperty
-    def secret_generator(self):
-        return SecretGenerator(
-            self.secret_strategy, self.secret_type,
-            self.password_rules,
-        )
-
-    def get_secret(self):
-        if self.secret_strategy == 'random':
-            return self.secret_generator.get_secret()
-        else:
-            return self.secret
-
-
 class BaseAccount(VaultModelMixin, JMSOrgBaseModel):
     name = models.CharField(max_length=128, verbose_name=_("Name"))
     username = models.CharField(max_length=128, blank=True, verbose_name=_('Username'), db_index=True)
@@ -137,13 +106,16 @@ class BaseAccount(VaultModelMixin, JMSOrgBaseModel):
         else:
             return None
 
-    def get_private_key_path(self, path):
+    @property
+    def private_key_path(self):
         if self.secret_type != SecretType.SSH_KEY \
                 or not self.secret \
                 or not self.private_key:
             return None
+        project_dir = settings.PROJECT_DIR
+        tmp_dir = os.path.join(project_dir, 'tmp')
         key_name = '.' + md5(self.private_key.encode('utf-8')).hexdigest()
-        key_path = os.path.join(path, key_name)
+        key_path = os.path.join(tmp_dir, key_name)
         if not os.path.exists(key_path):
             # https://github.com/ansible/ansible-runner/issues/544
             # ssh requires OpenSSH format keys to have a full ending newline.
@@ -155,12 +127,6 @@ class BaseAccount(VaultModelMixin, JMSOrgBaseModel):
             os.chmod(key_path, 0o400)
         return key_path
 
-    @property
-    def private_key_path(self):
-        project_dir = settings.PROJECT_DIR
-        tmp_dir = os.path.join(project_dir, 'tmp')
-        return self.get_private_key_path(tmp_dir)
-
     def get_private_key(self):
         if not self.private_key:
             return None

apps/accounts/models/mixins/vault.py

@@ -37,9 +37,8 @@ class VaultManagerMixin(models.Manager):
             post_save.send(obj.__class__, instance=obj, created=True)
         return objs
 
-    def bulk_update(self, objs, fields, batch_size=None):
-        fields = ["_secret" if field == "secret" else field for field in fields]
-        super().bulk_update(objs, fields, batch_size=batch_size)
+    def bulk_update(self, objs, batch_size=None, ignore_conflicts=False):
+        objs = super().bulk_update(objs, batch_size=batch_size, ignore_conflicts=ignore_conflicts)
         for obj in objs:
             post_save.send(obj.__class__, instance=obj, created=False)
         return objs