perf: Translate

v4.10.2

.github/.github/issue-spam-config.json

@@ -1,26 +0,0 @@
-{
-  "dry_run": false,
-  "min_account_age_days": 3,
-  "max_urls_for_spam": 1,
-  "min_body_len_for_links": 40,
-  "spam_words": [
-    "call now",
-    "zadzwoń",
-    "zadzwoń teraz",
-    "kontakt",
-    "telefon",
-    "telefone",
-    "contato",
-    "suporte",
-    "infolinii",
-    "click here",
-    "buy now",
-    "subscribe",
-    "visit"
-  ],
-  "bracket_max": 6,
-  "special_char_density_threshold": 0.12,
-  "phone_regex": "\\+?\\d[\\d\\-\\s\\(\\)\\.]{6,}\\d",
-  "labels_for_spam": ["spam"],
-  "labels_for_review": ["needs-triage"]
-}

.github/workflows/build-base-image.yml

@@ -1,72 +1,74 @@
 name: Build and Push Base Image
 
 on:
-    pull_request:
+  pull_request:
-        branches:
+    branches:
-            - 'dev'
+      - 'dev'
-            - 'v*'
+      - 'v*'
-        paths:
+    paths:
-            - poetry.lock
+      - poetry.lock
-            - pyproject.toml
+      - pyproject.toml
-            - Dockerfile-base
+      - Dockerfile-base
-            - package.json
+      - package.json
-            - go.mod
+      - go.mod
-            - yarn.lock
+      - yarn.lock
-            - pom.xml
+      - pom.xml
-            - install_deps.sh
+      - install_deps.sh
-            - utils/clean_site_packages.sh
+      - utils/clean_site_packages.sh
-        types:
+    types:
-            - opened
+      - opened
-            - synchronize
+      - synchronize
-            - reopened
+      - reopened
 
 jobs:
-    build-and-push:
+  build-and-push:
-        runs-on: ubuntu-22.04
+    runs-on: ubuntu-22.04
-        steps:
+    steps:
-            - name: Checkout repository
+      - name: Checkout repository
-              uses: actions/checkout@v4
+        uses: actions/checkout@v4
-              with:
+        with:
-                  ref: ${{ github.event.pull_request.head.ref }}
+          ref: ${{ github.event.pull_request.head.ref }}
 
-            - name: Set up QEMU
+      - name: Set up QEMU
-              uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@v3
+        with:
+          image: tonistiigi/binfmt:qemu-v7.0.0-28
 
-            - name: Set up Docker Buildx
+      - name: Set up Docker Buildx
-              uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v3
 
-            - name: Login to DockerHub
+      - name: Login to DockerHub
-              uses: docker/login-action@v2
+        uses: docker/login-action@v2
-              with:
+        with:
-                  username: ${{ secrets.DOCKERHUB_USERNAME }}
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
-                  password: ${{ secrets.DOCKERHUB_TOKEN }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
 
-            - name: Extract date
+      - name: Extract date
-              id: vars
+        id: vars
-              run: echo "IMAGE_TAG=$(date +'%Y%m%d_%H%M%S')" >> $GITHUB_ENV
+        run: echo "IMAGE_TAG=$(date +'%Y%m%d_%H%M%S')" >> $GITHUB_ENV
 
-            - name: Extract repository name
+      - name: Extract repository name
-              id: repo
+        id: repo
-              run: echo "REPO=$(basename ${{ github.repository }})" >> $GITHUB_ENV
+        run: echo "REPO=$(basename ${{ github.repository }})" >> $GITHUB_ENV
 
-            - name: Build and push multi-arch image
+      - name: Build and push multi-arch image
-              uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v6
-              with:
+        with:
-                  platforms: linux/amd64,linux/arm64
+          platforms: linux/amd64,linux/arm64
-                  push: true
+          push: true
-                  file: Dockerfile-base
+          file: Dockerfile-base
-                  tags: jumpserver/core-base:${{ env.IMAGE_TAG }}
+          tags: jumpserver/core-base:${{ env.IMAGE_TAG }}
 
-            - name: Update Dockerfile
+      - name: Update Dockerfile
-              run: |
+        run: |
-                  sed -i 's|-base:.* AS stage-build|-base:${{ env.IMAGE_TAG }} AS stage-build|' Dockerfile
+          sed -i 's|-base:.* AS stage-build|-base:${{ env.IMAGE_TAG }} AS stage-build|' Dockerfile
 
-            - name: Commit changes
+      - name: Commit changes
-              run: |
+        run: |
-                  git config --global user.name 'github-actions[bot]'
+          git config --global user.name 'github-actions[bot]'
-                  git config --global user.email 'github-actions[bot]@users.noreply.github.com'
+          git config --global user.email 'github-actions[bot]@users.noreply.github.com'
-                  git add Dockerfile
+          git add Dockerfile
-                  git commit -m "perf: Update Dockerfile with new base image tag"
+          git commit -m "perf: Update Dockerfile with new base image tag"
-                  git push origin ${{ github.event.pull_request.head.ref }}
+          git push origin ${{ github.event.pull_request.head.ref }}
-              env:
+        env:
-                  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/build-python-image.yml

@@ -1,46 +0,0 @@
-name: Build and Push Python Base Image
-
-on:
-  workflow_dispatch:
-    inputs:
-      tag:
-        description: 'Tag to build'
-        required: true
-        default: '3.11-slim-bullseye-v1'
-        type: string
-
-jobs:
-  build-and-push:
-    runs-on: ubuntu-22.04
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4
-        with:
-          ref: ${{ github.event.pull_request.head.ref }}
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-        with:
-          image: tonistiigi/binfmt:qemu-v7.0.0-28
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Login to DockerHub
-        uses: docker/login-action@v2
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Extract repository name
-        id: repo
-        run: echo "REPO=$(basename ${{ github.repository }})" >> $GITHUB_ENV
-
-      - name: Build and push multi-arch image
-        uses: docker/build-push-action@v6
-        with:
-          platforms: linux/amd64,linux/arm64
-          push: true
-          file: Dockerfile-python
-          tags: jumpserver/core-base:python-${{ inputs.tag }}
-

.github/workflows/cleanup-branches.yml

@@ -1,123 +0,0 @@
-name: Cleanup PR Branches
-
-on:
-  schedule:
-    # 每天凌晨2点运行
-    - cron: '0 2 * * *'
-  workflow_dispatch:
-    # 允许手动触发
-    inputs:
-      dry_run:
-        description: 'Dry run mode (default: true)'
-        required: false
-        default: 'true'
-        type: boolean
-
-jobs:
-  cleanup-branches:
-    runs-on: ubuntu-latest
-    
-    steps:
-    - name: Checkout repository
-      uses: actions/checkout@v4
-      with:
-        fetch-depth: 0  # 获取所有分支和提交历史
-        
-    - name: Setup Git
-      run: |
-        git config --global user.name "GitHub Actions"
-        git config --global user.email "actions@github.com"
-        
-    - name: Get dry run setting
-      id: dry-run
-      run: |
-        if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
-          echo "dry_run=${{ github.event.inputs.dry_run }}" >> $GITHUB_OUTPUT
-        else
-          echo "dry_run=false" >> $GITHUB_OUTPUT
-        fi
-        
-    - name: Cleanup branches
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        DRY_RUN: ${{ steps.dry-run.outputs.dry_run }}
-      run: |
-        echo "Starting branch cleanup..."
-        echo "Dry run mode: $DRY_RUN"
-        
-        # 获取所有本地分支
-        git fetch --all --prune
-        
-        # 获取以 pr 或 repr 开头的分支
-        branches=$(git branch -r | grep -E 'origin/(pr|repr)' | sed 's/origin\///' | grep -v 'HEAD')
-        
-        echo "Found branches matching pattern:"
-        echo "$branches"
-        
-        deleted_count=0
-        skipped_count=0
-        
-        for branch in $branches; do
-          echo ""
-          echo "Processing branch: $branch"
-          
-          # 检查分支是否有未合并的PR
-          pr_info=$(gh pr list --head "$branch" --state open --json number,title,state 2>/dev/null)
-          
-          if [ $? -eq 0 ] && [ "$pr_info" != "[]" ]; then
-            echo "  ⚠️  Branch has open PR(s), skipping deletion"
-            echo "  PR info: $pr_info"
-            skipped_count=$((skipped_count + 1))
-            continue
-          fi
-          
-          # 检查分支是否有已合并的PR（可选：如果PR已合并也可以删除）
-          merged_pr_info=$(gh pr list --head "$branch" --state merged --json number,title,state 2>/dev/null)
-          
-          if [ $? -eq 0 ] && [ "$merged_pr_info" != "[]" ]; then
-            echo "  ✅ Branch has merged PR(s), safe to delete"
-            echo "  Merged PR info: $merged_pr_info"
-          else
-            echo "  ℹ️  No PRs found for this branch"
-          fi
-          
-          # 执行删除操作
-          if [ "$DRY_RUN" = "true" ]; then
-            echo "  🔍 [DRY RUN] Would delete branch: $branch"
-            deleted_count=$((deleted_count + 1))
-          else
-            echo "  🗑️  Deleting branch: $branch"
-            
-            # 删除远程分支
-            if git push origin --delete "$branch" 2>/dev/null; then
-              echo "  ✅ Successfully deleted remote branch: $branch"
-              deleted_count=$((deleted_count + 1))
-            else
-              echo "  ❌ Failed to delete remote branch: $branch"
-            fi
-          fi
-        done
-        
-        echo ""
-        echo "=== Cleanup Summary ==="
-        echo "Branches processed: $(echo "$branches" | wc -l)"
-        echo "Branches deleted: $deleted_count"
-        echo "Branches skipped: $skipped_count"
-        
-        if [ "$DRY_RUN" = "true" ]; then
-          echo ""
-          echo "🔍 This was a DRY RUN - no branches were actually deleted"
-          echo "To perform actual deletion, run this workflow manually with dry_run=false"
-        fi
-        
-    - name: Create summary
-      if: always()
-      run: |
-        echo "## Branch Cleanup Summary" >> $GITHUB_STEP_SUMMARY
-        echo "" >> $GITHUB_STEP_SUMMARY
-        echo "**Workflow:** ${{ github.workflow }}" >> $GITHUB_STEP_SUMMARY
-        echo "**Run ID:** ${{ github.run_id }}" >> $GITHUB_STEP_SUMMARY
-        echo "**Dry Run:** ${{ steps.dry-run.outputs.dry_run }}" >> $GITHUB_STEP_SUMMARY
-        echo "**Triggered by:** ${{ github.event_name }}" >> $GITHUB_STEP_SUMMARY
-        echo "" >> $GITHUB_STEP_SUMMARY
-        echo "Check the logs above for detailed information about processed branches." >> $GITHUB_STEP_SUMMARY

.github/workflows/jms-generic-action-handler.yml

@@ -1,33 +1,10 @@
-on:
+on: [push, pull_request, release]
-  push:
-  pull_request:
-    types: [opened, synchronize, closed]
-  release:
-    types: [created]
 
 name: JumpServer repos generic handler
 
 jobs:
-  handle_pull_request:
+  generic_handler:
-    if: github.event_name == 'pull_request'
+    name: Run generic handler
-    runs-on: ubuntu-latest
-    steps:
-      - uses: jumpserver/action-generic-handler@master
-        env:
-          GITHUB_TOKEN: ${{ secrets.PRIVATE_TOKEN }}
-          I18N_TOKEN: ${{ secrets.I18N_TOKEN }}
-
-  handle_push:
-    if: github.event_name == 'push'
-    runs-on: ubuntu-latest
-    steps:
-      - uses: jumpserver/action-generic-handler@master
-        env:
-          GITHUB_TOKEN: ${{ secrets.PRIVATE_TOKEN }}
-          I18N_TOKEN: ${{ secrets.I18N_TOKEN }}
-
-  handle_release:
-    if: github.event_name == 'release'
     runs-on: ubuntu-latest
     steps:
       - uses: jumpserver/action-generic-handler@master

.github/workflows/sync-gitee.yml

@@ -1,9 +1,11 @@
 name: 🔀 Sync mirror to Gitee
 
 on:
-  schedule:
+  push:
-    # 每天凌晨3点运行
+    branches:
-    - cron: '0 3 * * *'
+      - master
+      - dev
+  create:
 
 jobs:
   mirror:
@@ -12,6 +14,7 @@ jobs:
     steps:
       - name: mirror
         continue-on-error: true
+        if: github.event_name == 'push' || (github.event_name == 'create' && github.event.ref_type == 'tag')
         uses: wearerequired/git-mirror-action@v1
         env:
           SSH_PRIVATE_KEY: ${{ secrets.GITEE_SSH_PRIVATE_KEY }}

Dockerfile

@@ -1,4 +1,4 @@
-FROM jumpserver/core-base:20251128_025056 AS stage-build
+FROM jumpserver/core-base:20250509_094529 AS stage-build
 
 ARG VERSION
 
@@ -19,7 +19,7 @@ RUN set -ex \
     && python manage.py compilemessages
 
 
-FROM python:3.11-slim-trixie
+FROM python:3.11-slim-bullseye
 ENV LANG=en_US.UTF-8 \
     PATH=/opt/py3/bin:$PATH
 
@@ -33,13 +33,12 @@ ARG TOOLS="                           \
         default-libmysqlclient-dev    \
         openssh-client                \
         sshpass                       \
-        nmap                          \
         bubblewrap"
 
 ARG APT_MIRROR=http://deb.debian.org
 
 RUN set -ex \
-    && sed -i "s@http://.*.debian.org@${APT_MIRROR}@g" /etc/apt/sources.list.d/debian.sources \
+    && sed -i "s@http://.*.debian.org@${APT_MIRROR}@g" /etc/apt/sources.list \
     && ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
     && apt-get update > /dev/null \
     && apt-get -y install --no-install-recommends ${DEPENDENCIES} \

Dockerfile-base

@@ -1,5 +1,6 @@
-FROM python:3.11.14-slim-trixie
+FROM python:3.11-slim-bullseye
 ARG TARGETARCH
+COPY --from=ghcr.io/astral-sh/uv:0.6.14 /uv /uvx /usr/local/bin/
 # Install APT dependencies
 ARG DEPENDENCIES="                    \
         ca-certificates               \
@@ -21,13 +22,13 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=core \
     set -ex \
     && rm -f /etc/apt/apt.conf.d/docker-clean \
     && echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache \
-    && sed -i "s@http://.*.debian.org@${APT_MIRROR}@g" /etc/apt/sources.list.d/debian.sources \
+    && sed -i "s@http://.*.debian.org@${APT_MIRROR}@g" /etc/apt/sources.list \
     && apt-get update > /dev/null \
     && apt-get -y install --no-install-recommends ${DEPENDENCIES} \
     && echo "no" | dpkg-reconfigure dash
 
 # Install bin tools
-ARG CHECK_VERSION=v1.0.5
+ARG CHECK_VERSION=v1.0.4
 RUN set -ex \
     && wget https://github.com/jumpserver-dev/healthcheck/releases/download/${CHECK_VERSION}/check-${CHECK_VERSION}-linux-${TARGETARCH}.tar.gz \
     && tar -xf check-${CHECK_VERSION}-linux-${TARGETARCH}.tar.gz \
@@ -40,10 +41,12 @@ RUN set -ex \
 WORKDIR /opt/jumpserver
 
 ARG PIP_MIRROR=https://pypi.org/simple
+ENV POETRY_PYPI_MIRROR_URL=${PIP_MIRROR}
 ENV ANSIBLE_COLLECTIONS_PATHS=/opt/py3/lib/python3.11/site-packages/ansible_collections
 ENV LANG=en_US.UTF-8 \
     PATH=/opt/py3/bin:$PATH
-ENV SETUPTOOLS_SCM_PRETEND_VERSION=3.4.5
+
+ENV UV_LINK_MODE=copy
 
 RUN --mount=type=cache,target=/root/.cache \
     --mount=type=bind,source=pyproject.toml,target=pyproject.toml \
@@ -51,7 +54,6 @@ RUN --mount=type=cache,target=/root/.cache \
     --mount=type=bind,source=requirements/collections.yml,target=collections.yml \
     --mount=type=bind,source=requirements/static_files.sh,target=utils/static_files.sh \
     set -ex \
-    && pip install uv -i${PIP_MIRROR} \
     && uv venv \
     && uv pip install -i${PIP_MIRROR} -r pyproject.toml \
     && ln -sf $(pwd)/.venv /opt/py3 \

Dockerfile-ee

@@ -13,9 +13,7 @@ ARG TOOLS="                           \
         nmap                          \
         telnet                        \
         vim                           \
-        postgresql-client         \
+        wget"
-        wget                          \
-        poppler-utils"
 
 RUN set -ex \
     && apt-get update \
@@ -28,5 +26,5 @@ WORKDIR /opt/jumpserver
 ARG PIP_MIRROR=https://pypi.org/simple
 
 RUN set -ex \
-    && uv pip install -i${PIP_MIRROR} --group xpack \
+    && uv pip install -i${PIP_MIRROR} --group xpack
-    && playwright install chromium  --with-deps --only-shell
+

README.md

@@ -2,7 +2,7 @@
   <a name="readme-top"></a>
   <a href="https://jumpserver.com" target="_blank"><img src="https://download.jumpserver.org/images/jumpserver-logo.svg" alt="JumpServer" width="300" /></a>
   
-## An open-source PAM platform (Bastion Host)
+## An open-source PAM tool (Bastion Host)
 
 [![][license-shield]][license-link]
 [![][docs-shield]][docs-link]
@@ -19,7 +19,7 @@
 
 ## What is JumpServer?
 
-JumpServer is an open-source Privileged Access Management (PAM) platform that provides DevOps and IT teams with on-demand and secure access to SSH, RDP, Kubernetes, Database and RemoteApp endpoints through a web browser.
+JumpServer is an open-source Privileged Access Management (PAM) tool that provides DevOps and IT teams with on-demand and secure access to SSH, RDP, Kubernetes, Database and RemoteApp endpoints through a web browser.
 
 
 <picture>
@@ -77,8 +77,7 @@ JumpServer consists of multiple key components, which collectively form the func
 | [Luna](https://github.com/jumpserver/luna)             | <a href="https://github.com/jumpserver/luna/releases"><img alt="Luna release" src="https://img.shields.io/github/release/jumpserver/luna.svg" /></a>                   | JumpServer Web Terminal                                                                                 |
 | [KoKo](https://github.com/jumpserver/koko)             | <a href="https://github.com/jumpserver/koko/releases"><img alt="Koko release" src="https://img.shields.io/github/release/jumpserver/koko.svg" /></a>                   | JumpServer Character Protocol Connector                                                                 |
 | [Lion](https://github.com/jumpserver/lion)             | <a href="https://github.com/jumpserver/lion/releases"><img alt="Lion release" src="https://img.shields.io/github/release/jumpserver/lion.svg" /></a>                   | JumpServer Graphical Protocol Connector                                                                 |
-| [Chen](https://github.com/jumpserver/chen)             | <a href="https://github.com/jumpserver/chen/releases"><img alt="Chen release" src="https://img.shields.io/github/release/jumpserver/chen.svg" />                       | JumpServer Web DB 
+| [Chen](https://github.com/jumpserver/chen)             | <a href="https://github.com/jumpserver/chen/releases"><img alt="Chen release" src="https://img.shields.io/github/release/jumpserver/chen.svg" />                       | JumpServer Web DB                                                                                       |  
-| [Client](https://github.com/jumpserver/clients)             | <a href="https://github.com/jumpserver/clients/releases"><img alt="Clients release" src="https://img.shields.io/github/release/jumpserver/clients.svg" />                       | JumpServer Client     |  
 | [Tinker](https://github.com/jumpserver/tinker)         | <img alt="Tinker" src="https://img.shields.io/badge/release-private-red" />                                                                                            | JumpServer Remote Application Connector (Windows)                                                    |
 | [Panda](https://github.com/jumpserver/Panda)           | <img alt="Panda" src="https://img.shields.io/badge/release-private-red" />                                                                                             | JumpServer EE Remote Application Connector (Linux)                                                      |
 | [Razor](https://github.com/jumpserver/razor)           | <img alt="Chen" src="https://img.shields.io/badge/release-private-red" />                                                                                              | JumpServer EE RDP Proxy Connector                                                                       |
@@ -86,8 +85,6 @@ JumpServer consists of multiple key components, which collectively form the func
 | [Nec](https://github.com/jumpserver/nec)               | <img alt="Nec" src="https://img.shields.io/badge/release-private-red" />                                                                                               | JumpServer EE VNC Proxy Connector                                                                       |
 | [Facelive](https://github.com/jumpserver/facelive)     | <img alt="Facelive" src="https://img.shields.io/badge/release-private-red" />                                                                                          | JumpServer EE Facial Recognition                                                                        |
 
-## Third-party projects 
-- [jumpserver-grafana-dashboard](https://github.com/acerrah/jumpserver-grafana-dashboard)   JumpServer with grafana dashboard
 
 ## Contributing
 

apps/accounts/api/account/account.py

@@ -1,18 +1,16 @@
 from django.db import transaction
 from django.shortcuts import get_object_or_404
 from django.utils.translation import gettext_lazy as _
-from rest_framework import serializers as drf_serializers
 from rest_framework.decorators import action
 from rest_framework.generics import ListAPIView, CreateAPIView
 from rest_framework.response import Response
-from rest_framework.status import HTTP_200_OK, HTTP_400_BAD_REQUEST
+from rest_framework.status import HTTP_200_OK
 
 from accounts import serializers
 from accounts.const import ChangeSecretRecordStatusChoice
 from accounts.filters import AccountFilterSet, NodeFilterBackend
 from accounts.mixins import AccountRecordViewLogMixin
 from accounts.models import Account, ChangeSecretRecord
-from assets.const.gpt import create_or_update_chatx_resources
 from assets.models import Asset, Node
 from authentication.permissions import UserConfirmation, ConfirmType
 from common.api.mixin import ExtraFilterFieldsMixin
@@ -20,7 +18,6 @@ from common.drf.filters import AttrRulesFilterBackend
 from common.permissions import IsValidUser
 from common.utils import lazyproperty, get_logger
 from orgs.mixins.api import OrgBulkModelViewSet
-from orgs.utils import tmp_to_root_org
 from rbac.permissions import RBACPermission
 
 logger = get_logger(__file__)
@@ -44,9 +41,8 @@ class AccountViewSet(OrgBulkModelViewSet):
         'partial_update': ['accounts.change_account'],
         'su_from_accounts': 'accounts.view_account',
         'clear_secret': 'accounts.change_account',
-        'move_to_assets': 'accounts.delete_account',
+        'move_to_assets': 'accounts.create_account',
-        'copy_to_assets': 'accounts.add_account',
+        'copy_to_assets': 'accounts.create_account',
-        'chat': 'accounts.view_account',
     }
     export_as_zip = True
 
@@ -156,13 +152,6 @@ class AccountViewSet(OrgBulkModelViewSet):
     def copy_to_assets(self, request, *args, **kwargs):
         return self._copy_or_move_to_assets(request, move=False)
 
-    @action(methods=['get'], detail=False, url_path='chat')
-    def chat(self, request, *args, **kwargs):
-        with tmp_to_root_org():
-            __, account = create_or_update_chatx_resources()
-            serializer = self.get_serializer(account)
-        return Response(serializer.data)
-
 
 class AccountSecretsViewSet(AccountRecordViewLogMixin, AccountViewSet):
     """
@@ -185,66 +174,12 @@ class AssetAccountBulkCreateApi(CreateAPIView):
         'POST': 'accounts.add_account',
     }
 
-    @staticmethod
-    def get_all_assets(base_payload: dict):
-        nodes = base_payload.pop('nodes', [])
-        asset_ids = base_payload.pop('assets', [])
-        nodes = Node.objects.filter(id__in=nodes).only('id', 'key')
-
-        node_asset_ids = Node.get_nodes_all_assets(*nodes).values_list('id', flat=True)
-        asset_ids = set(asset_ids + list(node_asset_ids))
-        return Asset.objects.filter(id__in=asset_ids)
-
     def create(self, request, *args, **kwargs):
-        if hasattr(request.data, "copy"):
+        serializer = self.get_serializer(data=request.data)
-            base_payload = request.data.copy()
+        serializer.is_valid(raise_exception=True)
-        else:
+        data = serializer.create(serializer.validated_data)
-            base_payload = dict(request.data)
+        serializer = serializers.AssetAccountBulkSerializerResultSerializer(data, many=True)
-
+        return Response(data=serializer.data, status=HTTP_200_OK)
-        templates = base_payload.pop("template", None)
-        assets = self.get_all_assets(base_payload)
-        if not assets.exists():
-            error = _("No valid assets found for account creation.")
-            return Response(
-                data={
-                    "detail": error,
-                    "code": "no_valid_assets"
-                },
-                status=HTTP_400_BAD_REQUEST
-            )
-
-        result = []
-        errors = []
-
-        def handle_one(_payload):
-            try:
-                ser = self.get_serializer(data=_payload)
-                ser.is_valid(raise_exception=True)
-                data = ser.bulk_create(ser.validated_data, assets)
-                if isinstance(data, (list, tuple)):
-                    result.extend(data)
-                else:
-                    result.append(data)
-            except drf_serializers.ValidationError as e:
-                errors.extend(list(e.detail))
-            except Exception as e:
-                errors.extend([str(e)])
-
-        if not templates:
-            handle_one(base_payload)
-        else:
-            if not isinstance(templates, (list, tuple)):
-                templates = [templates]
-            for tpl in templates:
-                payload = dict(base_payload)
-                payload["template"] = tpl
-                handle_one(payload)
-
-        if errors:
-            raise drf_serializers.ValidationError(errors)
-
-        out_ser = serializers.AssetAccountBulkSerializerResultSerializer(result, many=True)
-        return Response(data=out_ser.data, status=HTTP_200_OK)
 
 
 class AccountHistoriesSecretAPI(ExtraFilterFieldsMixin, AccountRecordViewLogMixin, ListAPIView):
@@ -255,7 +190,6 @@ class AccountHistoriesSecretAPI(ExtraFilterFieldsMixin, AccountRecordViewLogMixi
     rbac_perms = {
         'GET': 'accounts.view_accountsecret',
     }
-    queryset = Account.history.model.objects.none()
 
     @lazyproperty
     def account(self) -> Account:

apps/accounts/api/account/application.py

@@ -25,8 +25,7 @@ class IntegrationApplicationViewSet(OrgBulkModelViewSet):
     }
     rbac_perms = {
         'get_once_secret': 'accounts.change_integrationapplication',
-        'get_account_secret': 'accounts.view_integrationapplication',
+        'get_account_secret': 'accounts.view_integrationapplication'
-        'get_sdks_info': 'accounts.view_integrationapplication'
     }
 
     def read_file(self, path):
@@ -37,6 +36,7 @@ class IntegrationApplicationViewSet(OrgBulkModelViewSet):
 
     @action(
         ['GET'], detail=False, url_path='sdks',
+        permission_classes=[IsValidUser]
     )
     def get_sdks_info(self, request, *args, **kwargs):
         code_suffix_mapper = {

apps/accounts/api/account/pam_dashboard.py

@@ -20,7 +20,7 @@ __all__ = ['PamDashboardApi']
 class PamDashboardApi(APIView):
     http_method_names = ['get']
     rbac_perms = {
-        'GET': 'rbac.view_pam',
+        'GET': 'accounts.view_account',
     }
 
     @staticmethod

apps/accounts/api/account/virtual.py

@@ -12,8 +12,6 @@ class VirtualAccountViewSet(OrgBulkModelViewSet):
     filterset_fields = ('alias',)
 
     def get_queryset(self):
-        if getattr(self, "swagger_fake_view", False):
-            return VirtualAccount.objects.none()
         return VirtualAccount.get_or_init_queryset()
 
     def get_object(self, ):

apps/accounts/api/automations/base.py

@@ -41,7 +41,6 @@ class AutomationAssetsListApi(generics.ListAPIView):
 
 class AutomationRemoveAssetApi(generics.UpdateAPIView):
     model = BaseAutomation
-    queryset = BaseAutomation.objects.all()
     serializer_class = serializers.UpdateAssetSerializer
     http_method_names = ['patch']
 
@@ -60,7 +59,6 @@ class AutomationRemoveAssetApi(generics.UpdateAPIView):
 
 class AutomationAddAssetApi(generics.UpdateAPIView):
     model = BaseAutomation
-    queryset = BaseAutomation.objects.all()
     serializer_class = serializers.UpdateAssetSerializer
     http_method_names = ['patch']
 

apps/accounts/api/automations/change_secret.py

@@ -97,13 +97,12 @@ class ChangeSecretRecordViewSet(mixins.ListModelMixin, OrgGenericViewSet):
     def execute(self, request, *args, **kwargs):
         record_ids = request.data.get('record_ids')
         records = self.get_queryset().filter(id__in=record_ids)
-        if not records.exists():
+        execution_count = records.values_list('execution_id', flat=True).distinct().count()
+        if execution_count != 1:
             return Response(
-                {'detail': 'No valid records found'},
+                {'detail': 'Only one execution is allowed to execute'},
                 status=status.HTTP_400_BAD_REQUEST
             )
-
-        record_ids = [str(_id) for _id in records.values_list('id', flat=True)]
         task = execute_automation_record_task.delay(record_ids, self.tp)
         return Response({'task': task.id}, status=status.HTTP_200_OK)
 
@@ -154,10 +153,12 @@ class ChangSecretAddAssetApi(AutomationAddAssetApi):
     model = ChangeSecretAutomation
     serializer_class = serializers.ChangeSecretUpdateAssetSerializer
 
+
 class ChangSecretNodeAddRemoveApi(AutomationNodeAddRemoveApi):
     model = ChangeSecretAutomation
     serializer_class = serializers.ChangeSecretUpdateNodeSerializer
 
+
 class ChangeSecretStatusViewSet(OrgBulkModelViewSet):
     perm_model = ChangeSecretAutomation
     filterset_class = ChangeSecretStatusFilterSet

apps/accounts/api/automations/change_secret_dashboard.py

@@ -62,8 +62,7 @@ class ChangeSecretDashboardApi(APIView):
         status_counts = defaultdict(lambda: defaultdict(int))
 
         for date_finished, status in results:
-            dt_local = timezone.localtime(date_finished)
+            date_str = str(date_finished.date())
-            date_str = str(dt_local.date())
             if status == ChangeSecretRecordStatusChoice.failed:
                 status_counts[date_str]['failed'] += 1
             elif status == ChangeSecretRecordStatusChoice.success:
@@ -91,10 +90,10 @@ class ChangeSecretDashboardApi(APIView):
 
     def get_change_secret_asset_queryset(self):
         qs = self.change_secrets_queryset
-        node_ids = qs.values_list('nodes', flat=True).distinct()
+        node_ids = qs.filter(nodes__isnull=False).values_list('nodes', flat=True).distinct()
-        nodes = Node.objects.filter(id__in=node_ids).only('id', 'key')
+        nodes = Node.objects.filter(id__in=node_ids)
         node_asset_ids = Node.get_nodes_all_assets(*nodes).values_list('id', flat=True)
-        direct_asset_ids = qs.values_list('assets', flat=True).distinct()
+        direct_asset_ids = qs.filter(assets__isnull=False).values_list('assets', flat=True).distinct()
         asset_ids = set(list(direct_asset_ids) + list(node_asset_ids))
         return Asset.objects.filter(id__in=asset_ids)
 

apps/accounts/api/automations/check_account.py

@@ -45,10 +45,10 @@ class CheckAccountAutomationViewSet(OrgBulkModelViewSet):
 class CheckAccountExecutionViewSet(AutomationExecutionViewSet):
     rbac_perms = (
         ("list", "accounts.view_checkaccountexecution"),
-        ("retrieve", "accounts.view_checkaccountexecution"),
+        ("retrieve", "accounts.view_checkaccountsexecution"),
         ("create", "accounts.add_checkaccountexecution"),
         ("adhoc", "accounts.add_checkaccountexecution"),
-        ("report", "accounts.view_checkaccountexecution"),
+        ("report", "accounts.view_checkaccountsexecution"),
     )
     ordering = ("-date_created",)
     tp = AutomationTypes.check_account
@@ -150,9 +150,6 @@ class CheckAccountEngineViewSet(JMSModelViewSet):
     http_method_names = ['get', 'options']
 
     def get_queryset(self):
-        if getattr(self, "swagger_fake_view", False):
-            return CheckAccountEngine.objects.none()
-
         return CheckAccountEngine.get_default_engines()
 
     def filter_queryset(self, queryset: list):

apps/accounts/api/automations/push_account.py

@@ -63,10 +63,12 @@ class PushAccountRemoveAssetApi(AutomationRemoveAssetApi):
     model = PushAccountAutomation
     serializer_class = serializers.PushAccountUpdateAssetSerializer
 
+
 class PushAccountAddAssetApi(AutomationAddAssetApi):
     model = PushAccountAutomation
     serializer_class = serializers.PushAccountUpdateAssetSerializer
 
+
 class PushAccountNodeAddRemoveApi(AutomationNodeAddRemoveApi):
     model = PushAccountAutomation
-    serializer_class = serializers.PushAccountUpdateNodeSerializer
+    serializer_class = serializers.PushAccountUpdateNodeSerializer

apps/accounts/automations/backup_account/handlers.py

@@ -235,8 +235,8 @@ class AccountBackupHandler:
         except Exception as e:
             error = str(e)
             print(f'\033[31m>>> {error}\033[0m')
-            self.manager.status = Status.error
+            self.execution.status = Status.error
-            self.manager.summary['error'] = error
+            self.execution.summary['error'] = error
 
     def backup_by_obj_storage(self):
         object_id = self.execution.snapshot.get('id')

apps/accounts/automations/base/manager.py

@@ -113,16 +113,6 @@ class BaseChangeSecretPushManager(AccountBasePlaybookManager):
         if host.get('error'):
             return host
 
-        inventory_hosts = []
-        if asset.type == HostTypes.WINDOWS:
-            if self.secret_type == SecretType.SSH_KEY:
-                host['error'] = _("Windows does not support SSH key authentication")
-                return host
-            new_secret = self.get_secret(account)
-            if '>' in new_secret or '^' in new_secret:
-                host['error'] = _("Windows password cannot contain special characters like > ^")
-                return host
-
         host['ssh_params'] = {}
 
         accounts = self.get_accounts(account)
@@ -140,6 +130,11 @@ class BaseChangeSecretPushManager(AccountBasePlaybookManager):
         if asset.type == HostTypes.WINDOWS:
             accounts = accounts.filter(secret_type=SecretType.PASSWORD)
 
+        inventory_hosts = []
+        if asset.type == HostTypes.WINDOWS and self.secret_type == SecretType.SSH_KEY:
+            print(f'Windows {asset} does not support ssh key push')
+            return inventory_hosts
+
         for account in accounts:
             h = deepcopy(host)
             h['name'] += '(' + account.username + ')'  # To distinguish different accounts

apps/accounts/automations/change_secret/database/mongodb/main.yml

@@ -53,6 +53,4 @@
         ssl_certfile: "{{ jms_asset.secret_info.client_key | default('') }}"
         connection_options:
           - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
-      when: check_conn_after_change
+      when: check_conn_after_change
-      register: result
-      failed_when: not result.is_available

apps/accounts/automations/change_secret/database/mysql/main.yml

@@ -39,8 +39,7 @@
         name: "{{ account.username }}"
         password: "{{ account.secret }}"
         host: "%"
-        priv: "{{ omit if db_name == '' else db_name + '.*:ALL' }}"
+        priv: "{{ account.username + '.*:USAGE' if db_name == '' else db_name + '.*:ALL' }}"
-        append_privs: "{{ db_name != '' | bool }}"
       ignore_errors: true
       when: db_info is succeeded
 

apps/accounts/automations/change_secret/database/postgresql/main.yml

@@ -56,5 +56,3 @@
         ssl_key: "{{ ssl_key if check_ssl and ssl_key | length > 0 else omit }}"
         ssl_mode: "{{ jms_asset.spec_info.pg_ssl_mode }}"
       when: check_conn_after_change
-      register: result
-      failed_when: not result.is_available

apps/accounts/automations/change_secret/database/sqlserver/main.yml

@@ -5,14 +5,12 @@
 
   tasks:
     - name: Test SQLServer connection
-      mssql_script:
+      community.general.mssql_script:
         login_user: "{{ jms_account.username }}"
         login_password: "{{ jms_account.secret }}"
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
         name: '{{ jms_asset.spec_info.db_name }}'
-        encryption: "{{ jms_asset.encryption | default(None) }}"
-        tds_version: "{{ jms_asset.tds_version | default(None) }}"
         script: |
           SELECT @@version
       register: db_info
@@ -25,53 +23,45 @@
         var: info
 
     - name: Check whether SQLServer User exist
-      mssql_script:
+      community.general.mssql_script:
         login_user: "{{ jms_account.username }}"
         login_password: "{{ jms_account.secret }}"
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
         name: '{{ jms_asset.spec_info.db_name }}'
-        encryption: "{{ jms_asset.encryption | default(None) }}"
-        tds_version: "{{ jms_asset.tds_version | default(None) }}"
         script: "SELECT 1 from sys.sql_logins WHERE name='{{ account.username }}';"
       when: db_info is succeeded
       register: user_exist
 
     - name: Change SQLServer password
-      mssql_script:
+      community.general.mssql_script:
         login_user: "{{ jms_account.username }}"
         login_password: "{{ jms_account.secret }}"
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
         name: '{{ jms_asset.spec_info.db_name }}'
-        encryption: "{{ jms_asset.encryption | default(None) }}"
-        tds_version: "{{ jms_asset.tds_version | default(None) }}"
         script: "ALTER LOGIN {{ account.username }} WITH PASSWORD = '{{ account.secret }}', DEFAULT_DATABASE = {{ jms_asset.spec_info.db_name }}; select @@version"
       ignore_errors: true
       when: user_exist.query_results[0] | length != 0
 
     - name: Add SQLServer user
-      mssql_script:
+      community.general.mssql_script:
         login_user: "{{ jms_account.username }}"
         login_password: "{{ jms_account.secret }}"
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
         name: '{{ jms_asset.spec_info.db_name }}'
-        encryption: "{{ jms_asset.encryption | default(None) }}"
-        tds_version: "{{ jms_asset.tds_version | default(None) }}"
         script: "CREATE LOGIN {{ account.username }} WITH PASSWORD = '{{ account.secret }}', DEFAULT_DATABASE = {{ jms_asset.spec_info.db_name }}; CREATE USER {{ account.username }} FOR LOGIN {{ account.username }}; select @@version"
       ignore_errors: true
       when: user_exist.query_results[0] | length == 0
 
     - name: Verify password
-      mssql_script:
+      community.general.mssql_script:
         login_user: "{{ account.username }}"
         login_password: "{{ account.secret }}"
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
         name: '{{ jms_asset.spec_info.db_name }}'
-        encryption: "{{ jms_asset.encryption | default(None) }}"
-        tds_version: "{{ jms_asset.tds_version | default(None) }}"
         script: |
           SELECT @@version
       when: check_conn_after_change

apps/accounts/automations/change_secret/host/aix/main.yml

@@ -18,7 +18,6 @@
         uid: "{{ params.uid | int if params.uid | length > 0 else omit }}"
         shell: "{{ params.shell if params.shell | length > 0 else omit }}"
         home: "{{ params.home if params.home | length > 0 else '/home/' + account.username }}"
-        group: "{{ params.group if params.group | length > 0 else omit }}"
         groups: "{{ params.groups if params.groups | length > 0 else omit }}"
         append: "{{ true if params.groups | length > 0 else false }}"
         expires: -1

apps/accounts/automations/change_secret/host/aix/manifest.yml

@@ -28,12 +28,6 @@ params:
     default: ''
     help_text: "{{ 'Params home help text' | trans }}"
 
-  - name: group
-    type: str
-    label: "{{ 'Params group label' | trans }}"
-    default: ''
-    help_text: "{{ 'Params group help text' | trans }}"
-
   - name: groups
     type: str
     label: "{{ 'Params groups label' | trans }}"
@@ -67,11 +61,6 @@ i18n:
     ja: 'デフォルトのホームディレクトリ /home/{アカウントユーザ名}'
     en: 'Default home directory /home/{account username}'
 
-  Params group help text:
-    zh: '请输入用户组（名字或数字），只能输入一个（需填写已存在的用户组）'
-    ja: 'ユーザー グループ (名前または番号) を入力してください。入力できるのは 1 つだけです (既存のユーザー グループを入力する必要があります)'
-    en: 'Please enter a user group (name or number), only one can be entered (must fill in an existing user group)'
-
   Params groups help text:
     zh: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
     ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
@@ -97,11 +86,6 @@ i18n:
     ja: 'グループ'
     en: 'Groups'
 
-  Params group label:
-    zh: '主组'
-    ja: '主组'
-    en: 'Main group'
-
   Params uid label:
     zh: '用户ID'
     ja: 'ユーザーID'

apps/accounts/automations/change_secret/host/posix/main.yml

@@ -18,7 +18,6 @@
         uid: "{{ params.uid | int if params.uid | length > 0 else omit }}"
         shell: "{{ params.shell if params.shell | length > 0 else omit }}"
         home: "{{ params.home if params.home | length > 0 else '/home/' + account.username }}"
-        group: "{{ params.group if params.group | length > 0 else omit }}"
         groups: "{{ params.groups if params.groups | length > 0 else omit }}"
         append: "{{ true if params.groups | length > 0 else false }}"
         expires: -1

apps/accounts/automations/change_secret/host/posix/manifest.yml

@@ -30,12 +30,6 @@ params:
     default: ''
     help_text: "{{ 'Params home help text' | trans }}"
 
-  - name: group
-    type: str
-    label: "{{ 'Params group label' | trans }}"
-    default: ''
-    help_text: "{{ 'Params group help text' | trans }}"
-
   - name: groups
     type: str
     label: "{{ 'Params groups label' | trans }}"
@@ -69,11 +63,6 @@ i18n:
     ja: 'デフォルトのホームディレクトリ /home/{アカウントユーザ名}'
     en: 'Default home directory /home/{account username}'
 
-  Params group help text:
-    zh: '请输入用户组（名字或数字），只能输入一个（需填写已存在的用户组）'
-    ja: 'ユーザー グループ (名前または番号) を入力してください。入力できるのは 1 つだけです (既存のユーザー グループを入力する必要があります)'
-    en: 'Please enter a user group (name or number), only one can be entered (must fill in an existing user group)'
-
   Params groups help text:
     zh: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
     ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
@@ -99,11 +88,6 @@ i18n:
     ja: 'グループ'
     en: 'Groups'
 
-  Params group label:
-    zh: '主组'
-    ja: '主组'
-    en: 'Main group'
-
   Params uid label:
     zh: '用户ID'
     ja: 'ユーザーID'

apps/accounts/automations/change_secret/host/windows/manifest.yml

@@ -8,7 +8,7 @@ type:
 params:
   - name: groups
     type: str
-    label: "{{ 'Params groups label' | trans }}"
+    label: '用户组'
     default: 'Users,Remote Desktop Users'
     help_text: "{{ 'Params groups help text' | trans }}"
 
@@ -24,7 +24,3 @@ i18n:
     ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
     en: 'Please enter the group. Multiple groups are separated by commas (please enter the existing group)'
 
-  Params groups label:
-    zh: '用户组'
-    ja: 'グループ'
-    en: 'Groups'

apps/accounts/automations/change_secret/host/windows_ad/manifest.yml

@@ -9,7 +9,7 @@ type:
 params:
   - name: groups
     type: str
-    label: "{{ 'Params groups label' | trans }}"
+    label: '用户组'
     default: 'Users,Remote Desktop Users'
     help_text: "{{ 'Params groups help text' | trans }}"
 
@@ -25,8 +25,3 @@ i18n:
     ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
     en: 'Please enter the group. Multiple groups are separated by commas (please enter the existing group)'
 
-  Params groups label:
-    zh: '用户组'
-    ja: 'グループ'
-    en: 'Groups'
-

apps/accounts/automations/change_secret/host/windows_rdp_verify/manifest.yml

@@ -9,24 +9,19 @@ priority: 49
 params:
   - name: groups
     type: str
-    label: "{{ 'Params groups label' | trans }}"
+    label: '用户组'
     default: 'Users,Remote Desktop Users'
     help_text: "{{ 'Params groups help text' | trans }}"
 
 
 i18n:
   Windows account change secret rdp verify:
-    zh: '使用 Ansible 模块 win_user 执行 Windows 账号改密（最后使用 Python 模块 pyfreerdp 验证账号的可连接性）'
+    zh: '使用 Ansible 模块 win_user 执行 Windows 账号改密 RDP 协议测试最后的可连接性'
-    ja: 'Ansible モジュール win_user を使用して Windows アカウントのパスワードを変更します (最後に Python モジュール pyfreerdp を使用してアカウントの接続を確認します)'
+    ja: 'Ansibleモジュールwin_userはWindowsアカウントの改密RDPプロトコルテストの最後の接続性を実行する'
-    en: 'Use the Ansible module win_user to change the Windows account password (finally use the Python module pyfreerdp to verify the account connectivity)'
+    en: 'Using the Ansible module win_user performs Windows account encryption RDP protocol testing for final connectivity'
 
   Params groups help text:
     zh: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
     ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
     en: 'Please enter the group. Multiple groups are separated by commas (please enter the existing group)'
 
-  Params groups label:
-    zh: '用户组'
-    ja: 'グループ'
-    en: 'Groups'
-

apps/accounts/automations/change_secret/manager.py

@@ -9,7 +9,7 @@ from accounts.const import (
     AutomationTypes, SecretStrategy, ChangeSecretRecordStatusChoice
 )
 from accounts.models import ChangeSecretRecord
-from accounts.notifications import ChangeSecretExecutionTaskMsg
+from accounts.notifications import ChangeSecretExecutionTaskMsg, ChangeSecretReportMsg
 from accounts.serializers import ChangeSecretRecordBackUpSerializer
 from common.utils import get_logger
 from common.utils.file import encrypt_and_compress_zip_file
@@ -94,6 +94,10 @@ class ChangeSecretManager(BaseChangeSecretPushManager):
         if not recipients:
             return
 
+        context = self.get_report_context()
+        for user in recipients:
+            ChangeSecretReportMsg(user, context).publish()
+
         if not records:
             return
 

apps/accounts/automations/check_account/manager.py

@@ -15,13 +15,11 @@ from common.decorators import bulk_create_decorator, bulk_update_decorator
 from settings.models import LeakPasswords
 
 
-# 已设置手动 finish
 @bulk_create_decorator(AccountRisk)
 def create_risk(data):
     return AccountRisk(**data)
 
 
-# 已设置手动 finish
 @bulk_update_decorator(AccountRisk, update_fields=["details", "status"])
 def update_risk(risk):
     return risk
@@ -219,9 +217,6 @@ class CheckAccountManager(BaseManager):
                     "details": [{"datetime": now, 'type': 'init'}],
                 })
 
-        create_risk.finish()
-        update_risk.finish()
-
     def pre_run(self):
         super().pre_run()
         self.assets = self.execution.get_all_assets()
@@ -240,11 +235,6 @@ class CheckAccountManager(BaseManager):
 
                 print("Check: {} => {}".format(account, msg))
                 if not error:
-                    AccountRisk.objects.filter(
-                        asset=account.asset,
-                        username=account.username,
-                        risk=handler.risk
-                    ).delete()
                     continue
                 self.add_risk(handler.risk, account)
             self.commit_risks(_assets)

apps/accounts/automations/gather_account/database/sqlserver/main.yml

@@ -5,14 +5,12 @@
 
   tasks:
     - name: Test SQLServer connection
-      mssql_script:
+      community.general.mssql_script:
         login_user: "{{ jms_account.username }}"
         login_password: "{{ jms_account.secret }}"
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
         name: '{{ jms_asset.spec_info.db_name }}'
-        encryption: "{{ jms_asset.encryption | default(None) }}"
-        tds_version: "{{ jms_asset.tds_version | default(None) }}"
         script: |
           SELECT 
               l.name,

apps/accounts/automations/gather_account/manager.py

@@ -30,16 +30,6 @@ common_risk_items = [
 diff_items = risk_items + common_risk_items
 
 
-@bulk_create_decorator(AccountRisk)
-def _create_risk(data):
-    return AccountRisk(**data)
-
-
-@bulk_update_decorator(AccountRisk, update_fields=["details"])
-def _update_risk(account):
-    return account
-
-
 def format_datetime(value):
     if isinstance(value, timezone.datetime):
         return value.strftime("%Y-%m-%d %H:%M:%S")
@@ -151,17 +141,25 @@ class AnalyseAccountRisk:
             found = assets_risks.get(key)
 
             if not found:
-                _create_risk(dict(**d, details=[detail]))
+                self._create_risk(dict(**d, details=[detail]))
                 continue
 
             found.details.append(detail)
-            _update_risk(found)
+            self._update_risk(found)
+
+    @bulk_create_decorator(AccountRisk)
+    def _create_risk(self, data):
+        return AccountRisk(**data)
+
+    @bulk_update_decorator(AccountRisk, update_fields=["details"])
+    def _update_risk(self, account):
+        return account
 
     def lost_accounts(self, asset, lost_users):
         if not self.check_risk:
             return
         for user in lost_users:
-            _create_risk(
+            self._create_risk(
                 dict(
                     asset_id=str(asset.id),
                     username=user,
@@ -178,7 +176,7 @@ class AnalyseAccountRisk:
             self._analyse_item_changed(ga, d)
         if not sys_found:
             basic = {"asset": asset, "username": d["username"], 'gathered_account': ga}
-            _create_risk(
+            self._create_risk(
                 dict(
                     **basic,
                     risk=RiskChoice.new_found,
@@ -390,7 +388,6 @@ class GatherAccountsManager(AccountBasePlaybookManager):
                         self.update_gathered_account(ori_account, d)
                     ori_found = username in ori_users
                     need_analyser_gather_account.append((asset, ga, d, ori_found))
-                # 这里顺序不能调整，risk 外键关联了 gathered_account 主键 id，所以在创建 risk 需要保证 gathered_account 已经创建完成
                 self.create_gathered_account.finish()
                 self.update_gathered_account.finish()
                 for analysis_data in need_analyser_gather_account:
@@ -406,9 +403,6 @@ class GatherAccountsManager(AccountBasePlaybookManager):
                     present=True
                 )
         # 因为有 bulk create, bulk update, 所以这里需要 sleep 一下，等待数据同步
-        _update_risk.finish()
-        _create_risk.finish()
-
         time.sleep(0.5)
 
     def get_report_template(self):

apps/accounts/automations/push_account/database/mongodb/main.yml

@@ -54,5 +54,3 @@
         connection_options:
           - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
       when: check_conn_after_change
-      register: result
-      failed_when: not result.is_available

apps/accounts/automations/push_account/database/mysql/main.yml

@@ -39,8 +39,7 @@
         name: "{{ account.username }}"
         password: "{{ account.secret }}"
         host: "%"
-        priv: "{{ omit if db_name == '' else db_name + '.*:ALL' }}"
+        priv: "{{ account.username + '.*:USAGE' if db_name == '' else db_name + '.*:ALL' }}"
-        append_privs: "{{ db_name != '' | bool }}"
       ignore_errors: true
       when: db_info is succeeded
 

apps/accounts/automations/push_account/database/sqlserver/main.yml

@@ -5,14 +5,12 @@
 
   tasks:
     - name: Test SQLServer connection
-      mssql_script:
+      community.general.mssql_script:
         login_user: "{{ jms_account.username }}"
         login_password: "{{ jms_account.secret }}"
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
         name: '{{ jms_asset.spec_info.db_name }}'
-        encryption: "{{ jms_asset.encryption | default(None) }}"
-        tds_version: "{{ jms_asset.tds_version | default(None) }}"
         script: |
           SELECT @@version
       register: db_info
@@ -25,55 +23,47 @@
         var: info
 
     - name: Check whether SQLServer User exist
-      mssql_script:
+      community.general.mssql_script:
         login_user: "{{ jms_account.username }}"
         login_password: "{{ jms_account.secret }}"
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
         name: '{{ jms_asset.spec_info.db_name }}'
-        encryption: "{{ jms_asset.encryption | default(None) }}"
-        tds_version: "{{ jms_asset.tds_version | default(None) }}"
         script: "SELECT 1 from sys.sql_logins WHERE name='{{ account.username }}';"
       when: db_info is succeeded
       register: user_exist
 
     - name: Change SQLServer password
-      mssql_script:
+      community.general.mssql_script:
         login_user: "{{ jms_account.username }}"
         login_password: "{{ jms_account.secret }}"
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
         name: '{{ jms_asset.spec_info.db_name }}'
-        encryption: "{{ jms_asset.encryption | default(None) }}"
-        tds_version: "{{ jms_asset.tds_version | default(None) }}"
         script: "ALTER LOGIN {{ account.username }} WITH PASSWORD = '{{ account.secret }}', DEFAULT_DATABASE = {{ jms_asset.spec_info.db_name }}; select @@version"
       ignore_errors: true
       when: user_exist.query_results[0] | length != 0
       register: change_info
 
     - name: Add SQLServer user
-      mssql_script:
+      community.general.mssql_script:
         login_user: "{{ jms_account.username }}"
         login_password: "{{ jms_account.secret }}"
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
         name: '{{ jms_asset.spec_info.db_name }}'
-        encryption: "{{ jms_asset.encryption | default(None) }}"
-        tds_version: "{{ jms_asset.tds_version | default(None) }}"
         script: "CREATE LOGIN [{{ account.username }}] WITH PASSWORD = '{{ account.secret }}'; CREATE USER [{{ account.username }}] FOR LOGIN [{{ account.username }}]; select @@version"
       ignore_errors: true
       when: user_exist.query_results[0] | length == 0
       register: change_info
 
     - name: Verify password
-      mssql_script:
+      community.general.mssql_script:
         login_user: "{{ account.username }}"
         login_password: "{{ account.secret }}"
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
         name: '{{ jms_asset.spec_info.db_name }}'
-        encryption: "{{ jms_asset.encryption | default(None) }}"
-        tds_version: "{{ jms_asset.tds_version | default(None) }}"
         script: |
           SELECT @@version
       when: check_conn_after_change

apps/accounts/automations/push_account/host/aix/main.yml

@@ -18,7 +18,6 @@
         uid: "{{ params.uid | int if params.uid | length > 0 else omit }}"
         shell: "{{ params.shell if params.shell | length > 0 else omit }}"
         home: "{{ params.home if params.home | length > 0 else '/home/' + account.username }}"
-        group: "{{ params.group if params.group | length > 0 else omit }}"
         groups: "{{ params.groups if params.groups | length > 0 else omit }}"
         append: "{{ true if params.groups | length > 0 else false }}"
         expires: -1

apps/accounts/automations/push_account/host/aix/manifest.yml

@@ -28,12 +28,6 @@ params:
     default: ''
     help_text: "{{ 'Params home help text' | trans }}"
 
-  - name: group
-    type: str
-    label: "{{ 'Params group label' | trans }}"
-    default: ''
-    help_text: "{{ 'Params group help text' | trans }}"
-
   - name: groups
     type: str
     label: "{{ 'Params groups label' | trans }}"
@@ -67,11 +61,6 @@ i18n:
     ja: 'デフォルトのホームディレクトリ /home/{アカウントユーザ名}'
     en: 'Default home directory /home/{account username}'
 
-  Params group help text:
-    zh: '请输入用户组（名字或数字），只能输入一个（需填写已存在的用户组）'
-    ja: 'ユーザー グループ (名前または番号) を入力してください。入力できるのは 1 つだけです (既存のユーザー グループを入力する必要があります)'
-    en: 'Please enter a user group (name or number), only one can be entered (must fill in an existing user group)'
-
   Params groups help text:
     zh: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
     ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
@@ -97,11 +86,6 @@ i18n:
     ja: 'グループ'
     en: 'Groups'
 
-  Params group label:
-    zh: '主组'
-    ja: '主组'
-    en: 'Main group'
-
   Params uid label:
     zh: '用户ID'
     ja: 'ユーザーID'

apps/accounts/automations/push_account/host/posix/main.yml

@@ -18,7 +18,6 @@
         uid: "{{ params.uid | int if params.uid | length > 0 else omit }}"
         shell: "{{ params.shell if params.shell | length > 0 else omit }}"
         home: "{{ params.home if params.home | length > 0 else '/home/' + account.username }}"
-        group: "{{ params.group if params.group | length > 0 else omit }}"
         groups: "{{ params.groups if params.groups | length > 0 else omit }}"
         append: "{{ true if params.groups | length > 0 else false }}"
         expires: -1

apps/accounts/automations/push_account/host/posix/manifest.yml

@@ -30,12 +30,6 @@ params:
     default: ''
     help_text: "{{ 'Params home help text' | trans }}"
 
-  - name: group
-    type: str
-    label: "{{ 'Params group label' | trans }}"
-    default: ''
-    help_text: "{{ 'Params group help text' | trans }}"
-
   - name: groups
     type: str
     label: "{{ 'Params groups label' | trans }}"
@@ -69,11 +63,6 @@ i18n:
     ja: 'デフォルトのホームディレクトリ /home/{アカウントユーザ名}'
     en: 'Default home directory /home/{account username}'
 
-  Params group help text:
-    zh: '请输入用户组（名字或数字），只能输入一个（需填写已存在的用户组）'
-    ja: 'ユーザー グループ (名前または番号) を入力してください。入力できるのは 1 つだけです (既存のユーザー グループを入力する必要があります)'
-    en: 'Please enter a user group (name or number), only one can be entered (must fill in an existing user group)'
-
   Params groups help text:
     zh: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
     ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
@@ -95,14 +84,9 @@ i18n:
     en: 'Home'
 
   Params groups label:
-    zh: '附加组'
+    zh: '用户组'
-    ja: '追加グループ'
+    ja: 'グループ'
-    en: 'Additional Group'
+    en: 'Groups'
-
-  Params group label:
-    zh: '主组'
-    ja: '主组'
-    en: 'Main group'
 
   Params uid label:
     zh: '用户ID'

apps/accounts/automations/push_account/host/windows/manifest.yml

@@ -8,7 +8,7 @@ type:
 params:
   - name: groups
     type: str
-    label: "{{ 'Params groups label' | trans }}"
+    label: '用户组'
     default: 'Users,Remote Desktop Users'
     help_text: "{{ 'Params groups help text' | trans }}"
 
@@ -22,8 +22,3 @@ i18n:
     zh: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
     ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
     en: 'Please enter the group. Multiple groups are separated by commas (please enter the existing group)'
-
-  Params groups label:
-    zh: '用户组'
-    ja: 'グループ'
-    en: 'Groups'

apps/accounts/automations/push_account/host/windows_ad/manifest.yml

@@ -9,7 +9,7 @@ type:
 params:
   - name: groups
     type: str
-    label: "{{ 'Params groups label' | trans }}"
+    label: '用户组'
     default: 'Users,Remote Desktop Users'
     help_text: "{{ 'Params groups help text' | trans }}"
 
@@ -23,8 +23,3 @@ i18n:
     zh: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
     ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
     en: 'Please enter the group. Multiple groups are separated by commas (please enter the existing group)'
-
-  Params groups label:
-    zh: '用户组'
-    ja: 'グループ'
-    en: 'Groups'

apps/accounts/automations/push_account/host/windows_rdp_verify/manifest.yml

@@ -9,7 +9,7 @@ priority: 49
 params:
   - name: groups
     type: str
-    label: "{{ 'Params groups label' | trans }}"
+    label: '用户组'
     default: 'Users,Remote Desktop Users'
     help_text: "{{ 'Params groups help text' | trans }}"
 
@@ -23,8 +23,3 @@ i18n:
     zh: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
     ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
     en: 'Please enter the group. Multiple groups are separated by commas (please enter the existing group)'
-
-  Params groups label:
-    zh: '用户组'
-    ja: 'グループ'
-    en: 'Groups'

apps/accounts/automations/remove_account/database/sqlserver/main.yml

@@ -5,13 +5,11 @@
 
   tasks:
     - name: "Remove account"
-      mssql_script:
+      community.general.mssql_script:
         login_user: "{{ jms_account.username }}"
         login_password: "{{ jms_account.secret }}"
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
         name: "{{ jms_asset.spec_info.db_name }}"
-        encryption: "{{ jms_asset.encryption | default(None) }}"
-        tds_version: "{{ jms_asset.tds_version | default(None) }}"
         script: "DROP LOGIN {{ account.username }}; select @@version"
 

apps/accounts/automations/verify_account/custom/rdp/main.yml

@@ -3,7 +3,7 @@
   vars:
     ansible_shell_type: sh
     ansible_connection: local
-    ansible_python_interpreter: "{{ local_python_interpreter }}"
+    ansible_python_interpreter: /opt/py3/bin/python
 
   tasks:
     - name: Verify account (pyfreerdp)

apps/accounts/automations/verify_account/database/mongodb/main.yml

@@ -16,5 +16,3 @@
         ssl_certfile: "{{ jms_asset.secret_info.client_key | default('') }}"
         connection_options:
           - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert }}"
-      register: result
-      failed_when: not result.is_available

apps/accounts/automations/verify_account/database/sqlserver/main.yml

@@ -5,13 +5,11 @@
 
   tasks:
     - name: Verify account
-      mssql_script:
+      community.general.mssql_script:
         login_user: "{{ account.username }}"
         login_password: "{{ account.secret }}"
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
         name: '{{ jms_asset.spec_info.db_name }}'
-        encryption: "{{ jms_asset.encryption | default(None) }}"
-        tds_version: "{{ jms_asset.tds_version | default(None) }}"
         script: |
           SELECT @@version

apps/accounts/backends/azure/service.py

@@ -1,5 +1,8 @@
 # -*- coding: utf-8 -*-
 #
+from azure.core.exceptions import ResourceNotFoundError, ClientAuthenticationError
+from azure.identity import ClientSecretCredential
+from azure.keyvault.secrets import SecretClient
 
 from common.utils import get_logger
 
@@ -11,9 +14,6 @@ __all__ = ['AZUREVaultClient']
 class AZUREVaultClient(object):
 
     def __init__(self, vault_url, tenant_id, client_id, client_secret):
-        from azure.identity import ClientSecretCredential
-        from azure.keyvault.secrets import SecretClient
-        
         authentication_endpoint = 'https://login.microsoftonline.com/' \
             if ('azure.net' in vault_url) else 'https://login.chinacloudapi.cn/'
 
@@ -23,8 +23,6 @@ class AZUREVaultClient(object):
         self.client = SecretClient(vault_url=vault_url, credential=credentials)
 
     def is_active(self):
-        from azure.core.exceptions import ResourceNotFoundError, ClientAuthenticationError
-
         try:
             self.client.set_secret('jumpserver', '666')
         except (ResourceNotFoundError, ClientAuthenticationError) as e:
@@ -34,8 +32,6 @@ class AZUREVaultClient(object):
             return True, ''
 
     def get(self, name, version=None):
-        from azure.core.exceptions import ResourceNotFoundError, ClientAuthenticationError
-
         try:
             secret = self.client.get_secret(name, version)
             return secret.value

apps/accounts/migrations/0001_initial.py

@@ -46,16 +46,11 @@ class Migration(migrations.Migration):
             ],
             options={
                 'verbose_name': 'Account',
-                'permissions': [
+                'permissions': [('view_accountsecret', 'Can view asset account secret'),
-                    ('view_accountsecret', 'Can view asset account secret'),
+                                ('view_historyaccount', 'Can view asset history account'),
-                    ('view_historyaccount', 'Can view asset history account'),
+                                ('view_historyaccountsecret', 'Can view asset history account secret'),
-                    ('view_historyaccountsecret', 'Can view asset history account secret'),
+                                ('verify_account', 'Can verify account'), ('push_account', 'Can push account'),
-                    ('verify_account', 'Can verify account'),
+                                ('remove_account', 'Can remove account')],
-                    ('push_account', 'Can push account'),
-                    ('remove_account', 'Can remove account'),
-                    ('view_accountsession', 'Can view session'),
-                    ('view_accountactivity', 'Can view activity')
-                ],
             },
         ),
         migrations.CreateModel(

apps/accounts/migrations/0005_accountrisk_backupaccountautomation_and_more.py

@@ -335,7 +335,6 @@ class Migration(migrations.Migration):
             ],
             options={
                 "abstract": False,
-                "verbose_name": "Check engine",
             },
         ),
         migrations.CreateModel(

apps/accounts/models/account.py

@@ -116,8 +116,6 @@ class Account(AbsConnectivity, LabeledMixin, BaseAccount, JSONFilterMixin):
             ('verify_account', _('Can verify account')),
             ('push_account', _('Can push account')),
             ('remove_account', _('Can remove account')),
-            ('view_accountsession', _('Can view session')),
-            ('view_accountactivity', _('Can view activity')),
         ]
 
     def __str__(self):
@@ -132,7 +130,7 @@ class Account(AbsConnectivity, LabeledMixin, BaseAccount, JSONFilterMixin):
         return self.asset.platform
 
     @lazyproperty
-    def alias(self) -> str:
+    def alias(self):
         """
         别称，因为有虚拟账号，@INPUT @MANUAL @USER, 否则为 id
         """
@@ -140,13 +138,13 @@ class Account(AbsConnectivity, LabeledMixin, BaseAccount, JSONFilterMixin):
             return self.username
         return str(self.id)
 
-    def is_virtual(self) -> bool:
+    def is_virtual(self):
         """
         不要用 username 去判断，因为可能是构造的 account 对象，设置了同名账号的用户名,
         """
         return self.alias.startswith('@')
 
-    def is_ds_account(self) -> bool:
+    def is_ds_account(self):
         if self.is_virtual():
             return ''
         if not self.asset.is_directory_service:
@@ -160,7 +158,7 @@ class Account(AbsConnectivity, LabeledMixin, BaseAccount, JSONFilterMixin):
         return self.asset.ds
 
     @lazyproperty
-    def ds_domain(self) -> str:
+    def ds_domain(self):
         """这个不能去掉，perm_account 会动态设置这个值，以更改 full_username"""
         if self.is_virtual():
             return ''
@@ -172,17 +170,17 @@ class Account(AbsConnectivity, LabeledMixin, BaseAccount, JSONFilterMixin):
         return '@' in self.username or '\\' in self.username
 
     @property
-    def full_username(self) -> str:
+    def full_username(self):
         if not self.username_has_domain() and self.ds_domain:
             return '{}@{}'.format(self.username, self.ds_domain)
         return self.username
 
     @lazyproperty
-    def has_secret(self) -> bool:
+    def has_secret(self):
         return bool(self.secret)
 
     @lazyproperty
-    def versions(self) -> int:
+    def versions(self):
         return self.history.count()
 
     def get_su_from_accounts(self):

apps/accounts/models/application.py

@@ -33,7 +33,7 @@ class IntegrationApplication(JMSOrgBaseModel):
         return qs.filter(*query)
 
     @property
-    def accounts_amount(self) -> int:
+    def accounts_amount(self):
         return self.get_accounts().count()
 
     @property

apps/accounts/models/automations/check_account.py

@@ -68,10 +68,8 @@ class AccountRisk(JMSOrgBaseModel):
         related_name='risks', null=True
     )
     risk = models.CharField(max_length=128, verbose_name=_('Risk'), choices=RiskChoice.choices)
-    status = models.CharField(
+    status = models.CharField(max_length=32, choices=ConfirmOrIgnore.choices, default=ConfirmOrIgnore.pending,
-        max_length=32, choices=ConfirmOrIgnore.choices, default=ConfirmOrIgnore.pending,
+                              blank=True, verbose_name=_('Status'))
-        blank=True, verbose_name=_('Status')
-    )
     details = models.JSONField(default=list, verbose_name=_('Detail'))
 
     class Meta:
@@ -121,9 +119,6 @@ class CheckAccountEngine(JMSBaseModel):
     def __str__(self):
         return self.name
 
-    class Meta:
-        verbose_name = _('Check engine')
-
     @staticmethod
     def get_default_engines():
         data = [

apps/accounts/models/base.py

@@ -75,11 +75,11 @@ class BaseAccount(VaultModelMixin, JMSOrgBaseModel):
         return bool(self.secret)
 
     @property
-    def has_username(self) -> bool:
+    def has_username(self):
         return bool(self.username)
 
     @property
-    def spec_info(self) -> dict:
+    def spec_info(self):
         data = {}
         if self.secret_type != SecretType.SSH_KEY:
             return data
@@ -87,13 +87,13 @@ class BaseAccount(VaultModelMixin, JMSOrgBaseModel):
         return data
 
     @property
-    def password(self) -> str:
+    def password(self):
         if self.secret_type == SecretType.PASSWORD:
             return self.secret
         return None
 
     @property
-    def private_key(self) -> str:
+    def private_key(self):
         if self.secret_type == SecretType.SSH_KEY:
             return self.secret
         return None
@@ -110,7 +110,7 @@ class BaseAccount(VaultModelMixin, JMSOrgBaseModel):
         return None
 
     @property
-    def ssh_key_fingerprint(self) -> str:
+    def ssh_key_fingerprint(self):
         if self.public_key:
             public_key = self.public_key
         elif self.private_key:

apps/accounts/models/mixins/vault.py

@@ -56,7 +56,7 @@ class VaultModelMixin(models.Model):
     __secret = None
 
     @property
-    def secret(self) -> str:
+    def secret(self):
         if self.__secret:
             return self.__secret
         from accounts.backends import vault_client

apps/accounts/models/virtual.py

@@ -18,11 +18,11 @@ class VirtualAccount(JMSOrgBaseModel):
         verbose_name = _('Virtual account')
 
     @property
-    def name(self) -> str:
+    def name(self):
         return self.get_alias_display()
 
     @property
-    def username(self) -> str:
+    def username(self):
         usernames_map = {
             AliasAccount.INPUT: _("Manual input"),
             AliasAccount.USER: _("Same with user"),
@@ -32,7 +32,7 @@ class VirtualAccount(JMSOrgBaseModel):
         return usernames_map.get(self.alias, '')
 
     @property
-    def comment(self) -> str:
+    def comment(self):
         comments_map = {
             AliasAccount.INPUT: _('Non-asset account, Input username/password on connect'),
             AliasAccount.USER: _('The account username name same with user on connect'),

apps/accounts/serializers/account/account.py

@@ -14,7 +14,7 @@ from accounts.models import Account, AccountTemplate, GatheredAccount
 from accounts.tasks import push_accounts_to_assets_task
 from assets.const import Category, AllTypes
 from assets.models import Asset
-from common.serializers import SecretReadableMixin, CommonBulkModelSerializer
+from common.serializers import SecretReadableMixin
 from common.serializers.fields import ObjectRelatedField, LabeledChoiceField
 from common.utils import get_logger
 from .base import BaseAccountSerializer, AuthValidateMixin
@@ -253,8 +253,6 @@ class AccountSerializer(AccountCreateUpdateSerializerMixin, BaseAccountSerialize
             'source_id': {'required': False, 'allow_null': True},
         }
         fields_unimport_template = ['params']
-        # 手动判断唯一性校验
-        validators = []
 
     @classmethod
     def setup_eager_loading(cls, queryset):
@@ -265,21 +263,6 @@ class AccountSerializer(AccountCreateUpdateSerializerMixin, BaseAccountSerialize
         )
         return queryset
 
-    def validate(self, attrs):
-        instance = getattr(self, "instance", None)
-        if instance:
-            return super().validate(attrs)
-
-        field_errors = {}
-        for _fields in Account._meta.unique_together:
-            lookup = {field: attrs.get(field) for field in _fields}
-            if Account.objects.filter(**lookup).exists():
-                verbose_names = ', '.join([str(Account._meta.get_field(f).verbose_name) for f in _fields])
-                msg_template = _('Account already exists. Field(s): {fields} must be unique.')
-                field_errors[_fields[0]] = msg_template.format(fields=verbose_names)
-                raise serializers.ValidationError(field_errors)
-        return attrs
-
 
 class AccountDetailSerializer(AccountSerializer):
     has_secret = serializers.BooleanField(label=_("Has secret"), read_only=True)
@@ -292,26 +275,26 @@ class AccountDetailSerializer(AccountSerializer):
 
 class AssetAccountBulkSerializerResultSerializer(serializers.Serializer):
     asset = serializers.CharField(read_only=True, label=_('Asset'))
-    account = serializers.CharField(read_only=True, label=_('Account'))
     state = serializers.CharField(read_only=True, label=_('State'))
     error = serializers.CharField(read_only=True, label=_('Error'))
     changed = serializers.BooleanField(read_only=True, label=_('Changed'))
 
 
 class AssetAccountBulkSerializer(
-    AccountCreateUpdateSerializerMixin, AuthValidateMixin, CommonBulkModelSerializer
+    AccountCreateUpdateSerializerMixin, AuthValidateMixin, serializers.ModelSerializer
 ):
     su_from_username = serializers.CharField(
         max_length=128, required=False, write_only=True, allow_null=True, label=_("Su from"),
         allow_blank=True,
     )
+    assets = serializers.PrimaryKeyRelatedField(queryset=Asset.objects, many=True, label=_('Assets'))
 
     class Meta:
         model = Account
         fields = [
-            'name', 'username', 'secret', 'secret_type', 'secret_reset',
+            'name', 'username', 'secret', 'secret_type', 'passphrase',
-            'passphrase', 'privileged', 'is_active', 'comment', 'template',
+            'privileged', 'is_active', 'comment', 'template',
-            'on_invalid', 'push_now', 'params',
+            'on_invalid', 'push_now', 'params', 'assets',
             'su_from_username', 'source', 'source_id',
         ]
         extra_kwargs = {
@@ -393,7 +376,8 @@ class AssetAccountBulkSerializer(
             handler = self._handle_err_create
         return handler
 
-    def perform_bulk_create(self, vd, assets):
+    def perform_bulk_create(self, vd):
+        assets = vd.pop('assets')
         on_invalid = vd.pop('on_invalid', 'skip')
         secret_type = vd.get('secret_type', 'password')
 
@@ -401,7 +385,8 @@ class AssetAccountBulkSerializer(
             vd['name'] = vd.get('username')
 
         create_handler = self.get_create_handler(on_invalid)
-        secret_type_supports = Asset.get_secret_type_assets(assets, secret_type)
+        asset_ids = [asset.id for asset in assets]
+        secret_type_supports = Asset.get_secret_type_assets(asset_ids, secret_type)
 
         _results = {}
         for asset in assets:
@@ -409,7 +394,6 @@ class AssetAccountBulkSerializer(
                 _results[asset] = {
                     'error': _('Asset does not support this secret type: %s') % secret_type,
                     'state': 'error',
-                    'account': vd['name'],
                 }
                 continue
 
@@ -419,13 +403,13 @@ class AssetAccountBulkSerializer(
                 self.clean_auth_fields(vd)
                 instance, changed, state = self.perform_create(vd, create_handler)
                 _results[asset] = {
-                    'changed': changed, 'instance': instance.id, 'state': state, 'account': vd['name']
+                    'changed': changed, 'instance': instance.id, 'state': state
                 }
             except serializers.ValidationError as e:
-                _results[asset] = {'error': e.detail[0], 'state': 'error', 'account': vd['name']}
+                _results[asset] = {'error': e.detail[0], 'state': 'error'}
             except Exception as e:
                 logger.exception(e)
-                _results[asset] = {'error': str(e), 'state': 'error', 'account': vd['name']}
+                _results[asset] = {'error': str(e), 'state': 'error'}
 
         results = [{'asset': asset, **result} for asset, result in _results.items()]
         state_score = {'created': 3, 'updated': 2, 'skipped': 1, 'error': 0}
@@ -442,8 +426,7 @@ class AssetAccountBulkSerializer(
             errors.append({
                 'error': _('Account has exist'),
                 'state': 'error',
-                'asset': str(result['asset']),
+                'asset': str(result['asset'])
-                'account': result.get('account'),
             })
         if errors:
             raise serializers.ValidationError(errors)
@@ -462,16 +445,10 @@ class AssetAccountBulkSerializer(
         account_ids = [str(_id) for _id in accounts.values_list('id', flat=True)]
         push_accounts_to_assets_task.delay(account_ids, params)
 
-    def bulk_create(self, validated_data, assets):
+    def create(self, validated_data):
-        if not assets:
-            raise serializers.ValidationError(
-                {'assets': _('At least one asset or node must be specified')},
-                {'nodes': _('At least one asset or node must be specified')}
-            )
-
         params = validated_data.pop('params', None)
         push_now = validated_data.pop('push_now', False)
-        results = self.perform_bulk_create(validated_data, assets)
+        results = self.perform_bulk_create(validated_data)
         self.push_accounts_if_need(results, push_now, params)
         for res in results:
             res['asset'] = str(res['asset'])
@@ -479,8 +456,6 @@ class AssetAccountBulkSerializer(
 
 
 class AccountSecretSerializer(SecretReadableMixin, AccountSerializer):
-    spec_info = serializers.DictField(label=_('Spec info'), read_only=True)
-
     class Meta(AccountSerializer.Meta):
         fields = AccountSerializer.Meta.fields + ['spec_info']
         extra_kwargs = {
@@ -495,7 +470,6 @@ class AccountSecretSerializer(SecretReadableMixin, AccountSerializer):
 
 class AccountHistorySerializer(serializers.ModelSerializer):
     secret_type = LabeledChoiceField(choices=SecretType.choices, label=_('Secret type'))
-    secret = serializers.CharField(label=_('Secret'), read_only=True)
     id = serializers.IntegerField(label=_('ID'), source='history_id', read_only=True)
 
     class Meta:

apps/accounts/serializers/account/base.py

@@ -70,8 +70,6 @@ class AuthValidateMixin(serializers.Serializer):
 class BaseAccountSerializer(
     AuthValidateMixin, ResourceLabelsMixin, BulkOrgResourceModelSerializer
 ):
-    spec_info = serializers.DictField(label=_('Spec info'), read_only=True)
-
     class Meta:
         model = BaseAccount
         fields_mini = ["id", "name", "username"]

apps/accounts/serializers/automations/backup.py

@@ -1,9 +1,8 @@
 # -*- coding: utf-8 -*-
 #
-from django.conf import settings
 from django.utils.translation import gettext_lazy as _
 
-from accounts.const import AutomationTypes, AccountBackupType
+from accounts.const import AutomationTypes
 from accounts.models import BackupAccountAutomation
 from common.serializers.fields import EncryptedField
 from common.utils import get_logger
@@ -42,17 +41,6 @@ class BackupAccountSerializer(BaseAutomationSerializer):
             'types': {'label': _('Asset type')}
         }
 
-    def __init__(self, *args, **kwargs):
-        super().__init__(*args, **kwargs)
-        self.set_backup_type_choices()
-
-    def set_backup_type_choices(self):
-        field_backup_type = self.fields.get("backup_type")
-        if not field_backup_type:
-            return
-        if not settings.XPACK_LICENSE_IS_VALID:
-            field_backup_type._choices.pop(AccountBackupType.object_storage, None)
-
     @property
     def model_type(self):
         return AutomationTypes.backup_account

apps/accounts/serializers/automations/change_secret.py

@@ -130,7 +130,7 @@ class ChangeSecretRecordSerializer(serializers.ModelSerializer):
         read_only_fields = fields
 
     @staticmethod
-    def get_is_success(obj) -> bool:
+    def get_is_success(obj):
         return obj.status == ChangeSecretRecordStatusChoice.success
 
 
@@ -157,7 +157,7 @@ class ChangeSecretRecordBackUpSerializer(serializers.ModelSerializer):
         read_only_fields = fields
 
     @staticmethod
-    def get_asset(instance) -> str:
+    def get_asset(instance):
         return str(instance.asset)
 
     @staticmethod
@@ -165,7 +165,7 @@ class ChangeSecretRecordBackUpSerializer(serializers.ModelSerializer):
         return str(instance.account)
 
     @staticmethod
-    def get_is_success(obj) -> str:
+    def get_is_success(obj):
         if obj.status == ChangeSecretRecordStatusChoice.success.value:
             return _("Success")
         return _("Failed")
@@ -196,9 +196,9 @@ class ChangeSecretAccountSerializer(serializers.ModelSerializer):
         read_only_fields = fields
 
     @staticmethod
-    def get_meta(obj) -> dict:
+    def get_meta(obj):
         return account_secret_task_status.get(str(obj.id))
 
     @staticmethod
-    def get_ttl(obj) -> int:
+    def get_ttl(obj):
         return account_secret_task_status.get_ttl(str(obj.id))

apps/accounts/serializers/automations/check_account.py

@@ -69,7 +69,7 @@ class AssetRiskSerializer(serializers.Serializer):
     risk_summary = serializers.SerializerMethodField()
 
     @staticmethod
-    def get_risk_summary(obj) -> dict:
+    def get_risk_summary(obj):
         summary = {}
         for risk in RiskChoice.choices:
             summary[f"{risk[0]}_count"] = obj.get(f"{risk[0]}_count", 0)

apps/accounts/serializers/automations/gather_account.py

@@ -28,7 +28,7 @@ class DiscoverAccountAutomationSerializer(BaseAutomationSerializer):
                   + read_only_fields)
         extra_kwargs = {
             'check_risk': {
-                'help_text': _('Whether to check the risk of the discovered accounts.'),
+                'help_text': _('Whether to check the risk of the gathered accounts.'),
             },
             **BaseAutomationSerializer.Meta.extra_kwargs
         }

apps/accounts/tasks/automation.py

@@ -1,5 +1,4 @@
 import datetime
-from collections import defaultdict
 
 from celery import shared_task
 from django.db.models import Q
@@ -73,43 +72,24 @@ def execute_automation_record_task(record_ids, tp):
     task_name = gettext_noop('Execute automation record')
 
     with tmp_to_root_org():
-        records = ChangeSecretRecord.objects.filter(id__in=record_ids).order_by('-date_updated')
+        records = ChangeSecretRecord.objects.filter(id__in=record_ids)
 
     if not records:
-        logger.error(f'No automation record found: {record_ids}')
+        logger.error('No automation record found: {}'.format(record_ids))
         return
 
-    seen_accounts = set()
+    record = records[0]
-    unique_records = []
+    record_map = {f'{record.asset_id}-{record.account_id}': str(record.id) for record in records}
-    for rec in records:
+    task_snapshot = {
-        acct = str(rec.account_id)
+        'params': {},
-        if acct not in seen_accounts:
+        'record_map': record_map,
-            seen_accounts.add(acct)
+        'secret': record.new_secret,
-            unique_records.append(rec)
+        'secret_type': record.execution.snapshot.get('secret_type'),
-
+        'assets': [str(instance.asset_id) for instance in records],
-    exec_groups = defaultdict(list)
+        'accounts': [str(instance.account_id) for instance in records],
-    for rec in unique_records:
+    }
-        exec_groups[rec.execution_id].append(rec)
+    with tmp_to_org(record.execution.org_id):
-
+        quickstart_automation_by_snapshot(task_name, tp, task_snapshot)
-    for __, group in exec_groups.items():
-        latest_rec = group[0]
-        snapshot = getattr(latest_rec.execution, 'snapshot', {}) or {}
-
-        record_map = {f"{r.asset_id}-{r.account_id}": str(r.id) for r in group}
-        assets = [str(r.asset_id) for r in group]
-        accounts = [str(r.account_id) for r in group]
-
-        task_snapshot = {
-            'params': {},
-            'record_map': record_map,
-            'secret': latest_rec.new_secret,
-            'secret_type': snapshot.get('secret_type'),
-            'assets': assets,
-            'accounts': accounts,
-        }
-
-        with tmp_to_org(latest_rec.execution.org_id):
-            quickstart_automation_by_snapshot(task_name, tp, task_snapshot)
 
 
 @shared_task(

apps/accounts/templates/accounts/change_secret_failed_info.html

@@ -0,0 +1,36 @@
+{% load i18n %}
+
+<h3>{% trans 'Task name' %}: {{ name }}</h3>
+<h3>{% trans 'Task execution id' %}: {{ execution_id }}</h3>
+<p>{% trans 'Respectful' %} {{ recipient }}</p>
+<p>{% trans 'Hello! The following is the failure of changing the password of your assets or pushing the account. Please check and handle it in time.' %}</p>
+<table style="width: 100%; border-collapse: collapse; max-width: 100%; text-align: left; margin-top: 20px;">
+    <caption></caption>
+    <thead>
+    <tr style="background-color: #f2f2f2;">
+        <th style="border: 1px solid #ddd; padding: 10px;">{% trans 'Asset' %}</th>
+        <th style="border: 1px solid #ddd; padding: 10px;">{% trans 'Account' %}</th>
+        <th style="border: 1px solid #ddd; padding: 10px;">{% trans 'Error' %}</th>
+    </tr>
+    </thead>
+    <tbody>
+    {% for asset_name, account_username, error in asset_account_errors %}
+        <tr>
+            <td style="border: 1px solid #ddd; padding: 10px;">{{ asset_name }}</td>
+            <td style="border: 1px solid #ddd; padding: 10px;">{{ account_username }}</td>
+            <td style="border: 1px solid #ddd; padding: 10px;">
+                <div style="
+                max-width: 90%;
+                white-space: nowrap;
+                overflow: hidden;
+                text-overflow: ellipsis;
+                display: block;"
+                     title="{{ error }}"
+                >
+                    {{ error }}
+                </div>
+            </td>
+        </tr>
+    {% endfor %}
+    </tbody>
+</table>

apps/acls/api/__init__.py

@@ -3,4 +3,3 @@ from .connect_method import *
 from .login_acl import *
 from .login_asset_acl import *
 from .login_asset_check import *
-from .data_masking import *

apps/acls/api/data_masking.py

@@ -1,20 +0,0 @@
-from orgs.mixins.api import OrgBulkModelViewSet
-
-from .common import ACLUserFilterMixin
-from ..models import DataMaskingRule
-from .. import serializers
-
-__all__ = ['DataMaskingRuleViewSet']
-
-
-class DataMaskingRuleFilter(ACLUserFilterMixin):
-    class Meta:
-        model = DataMaskingRule
-        fields = ('name',)
-
-
-class DataMaskingRuleViewSet(OrgBulkModelViewSet):
-    model = DataMaskingRule
-    filterset_class = DataMaskingRuleFilter
-    search_fields = ('name',)
-    serializer_class = serializers.DataMaskingRuleSerializer

apps/acls/api/login_asset_acl.py

@@ -8,7 +8,7 @@ __all__ = ['LoginAssetACLViewSet']
 class LoginAssetACLFilter(ACLUserAssetFilterMixin):
     class Meta:
         model = models.LoginAssetACL
-        fields = ['name', 'action']
+        fields = ['name', ]
 
 
 class LoginAssetACLViewSet(OrgBulkModelViewSet):

apps/acls/migrations/0003_datamaskingrule.py

@@ -1,45 +0,0 @@
-# Generated by Django 4.1.13 on 2025-10-07 16:16
-
-import common.db.fields
-from django.conf import settings
-import django.core.validators
-from django.db import migrations, models
-import uuid
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
-        ('acls', '0002_auto_20210926_1047'),
-    ]
-
-    operations = [
-        migrations.CreateModel(
-            name='DataMaskingRule',
-            fields=[
-                ('created_by', models.CharField(blank=True, max_length=128, null=True, verbose_name='Created by')),
-                ('updated_by', models.CharField(blank=True, max_length=128, null=True, verbose_name='Updated by')),
-                ('date_created', models.DateTimeField(auto_now_add=True, null=True, verbose_name='Date created')),
-                ('date_updated', models.DateTimeField(auto_now=True, verbose_name='Date updated')),
-                ('comment', models.TextField(blank=True, default='', verbose_name='Comment')),
-                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
-                ('org_id', models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization')),
-                ('priority', models.IntegerField(default=50, help_text='1-100, the lower the value will be match first', validators=[django.core.validators.MinValueValidator(1), django.core.validators.MaxValueValidator(100)], verbose_name='Priority')),
-                ('action', models.CharField(default='reject', max_length=64, verbose_name='Action')),
-                ('is_active', models.BooleanField(default=True, verbose_name='Active')),
-                ('users', common.db.fields.JSONManyToManyField(default=dict, to='users.User', verbose_name='Users')),
-                ('assets', common.db.fields.JSONManyToManyField(default=dict, to='assets.Asset', verbose_name='Assets')),
-                ('accounts', models.JSONField(default=list, verbose_name='Accounts')),
-                ('name', models.CharField(max_length=128, verbose_name='Name')),
-                ('fields_pattern', models.CharField(default='password', max_length=128, verbose_name='Fields pattern')),
-                ('masking_method', models.CharField(choices=[('fixed_char', 'Fixed Character Replacement'), ('hide_middle', 'Hide Middle Characters'), ('keep_prefix', 'Keep Prefix Only'), ('keep_suffix', 'Keep Suffix Only')], default='fixed_char', max_length=32, verbose_name='Masking Method')),
-                ('mask_pattern', models.CharField(blank=True, default='######', max_length=128, null=True, verbose_name='Mask Pattern')),
-                ('reviewers', models.ManyToManyField(blank=True, to=settings.AUTH_USER_MODEL, verbose_name='Reviewers')),
-            ],
-            options={
-                'verbose_name': 'Data Masking Rule',
-                'unique_together': {('org_id', 'name')},
-            },
-        ),
-    ]

apps/acls/models/__init__.py

@@ -2,4 +2,3 @@ from .command_acl import *
 from .connect_method import *
 from .login_acl import *
 from .login_asset_acl import *
-from .data_masking import *

apps/acls/models/base.py

@@ -5,7 +5,7 @@ from django.utils.translation import gettext_lazy as _
 from common.db.fields import JSONManyToManyField
 from common.db.models import JMSBaseModel
 from common.utils import contains_ip
-from common.utils.timezone import contains_time_period
+from common.utils.time_period import contains_time_period
 from orgs.mixins.models import OrgModelMixin, OrgManager
 from ..const import ActionChoices
 

apps/acls/models/command_acl.py

@@ -34,16 +34,16 @@ class CommandGroup(JMSOrgBaseModel):
 
     @lazyproperty
     def pattern(self):
-        content = self.content.replace('\r\n', '\n')
         if self.type == 'command':
-            s = self.construct_command_regex(content)
+            s = self.construct_command_regex(self.content)
         else:
-            s = r'{0}'.format(r'{}'.format('|'.join(content.split('\n'))))
+            s = r'{0}'.format(self.content)
         return s
 
     @classmethod
     def construct_command_regex(cls, content):
         regex = []
+        content = content.replace('\r\n', '\n')
         for _cmd in content.split('\n'):
             cmd = re.sub(r'\s+', ' ', _cmd)
             cmd = re.escape(cmd)

apps/acls/models/data_masking.py

@@ -1,42 +0,0 @@
-from django.db import models
-
-from acls.models import UserAssetAccountBaseACL
-from common.utils import get_logger
-from django.utils.translation import gettext_lazy as _
-
-logger = get_logger(__file__)
-
-__all__ = ['MaskingMethod', 'DataMaskingRule']
-
-
-class MaskingMethod(models.TextChoices):
-    fixed_char = "fixed_char", _("Fixed Character Replacement")  # 固定字符替换
-    hide_middle = "hide_middle", _("Hide Middle Characters")  # 隐藏中间几位
-    keep_prefix = "keep_prefix", _("Keep Prefix Only")  # 只保留前缀
-    keep_suffix = "keep_suffix", _("Keep Suffix Only")  # 只保留后缀
-
-
-class DataMaskingRule(UserAssetAccountBaseACL):
-    name = models.CharField(max_length=128, verbose_name=_("Name"))
-    fields_pattern = models.CharField(max_length=128, default='password', verbose_name=_("Fields pattern"))
-
-    masking_method = models.CharField(
-        max_length=32,
-        choices=MaskingMethod.choices,
-        default=MaskingMethod.fixed_char,
-        verbose_name=_("Masking Method"),
-    )
-    mask_pattern = models.CharField(
-        max_length=128,
-        verbose_name=_("Mask Pattern"),
-        default="######",
-        blank=True,
-        null=True,
-    )
-
-    def __str__(self):
-        return self.name
-
-    class Meta:
-        unique_together = [('org_id', 'name')]
-        verbose_name = _("Data Masking Rule")

apps/acls/notifications.py

@@ -1,52 +1,30 @@
-from django.utils import timezone
+from django.template.loader import render_to_string
 from django.utils.translation import gettext_lazy as _
 
 from accounts.models import Account
-from acls.models import LoginACL, LoginAssetACL
 from assets.models import Asset
 from audits.models import UserLoginLog
-from common.views.template import custom_render_to_string
 from notifications.notifications import UserMessage
 from users.models import User
 
 
 class UserLoginReminderMsg(UserMessage):
     subject = _('User login reminder')
-    template_name = 'acls/user_login_reminder.html'
-    contexts = [
-        {"name": "city", "label": _('Login city'), "default": "Shanghai"},
-        {"name": "username", "label": _('User'), "default": "john"},
-        {"name": "ip", "label": "IP", "default": "192.168.1.1"},
-        {"name": "recipient_name", "label": _("Recipient name"), "default": "John"},
-        {"name": "recipient_username", "label": _("Recipient username"), "default": "john"},
-        {"name": "user_agent", "label": _('User agent'), "default": "Mozilla/5.0"},
-        {"name": "acl_name", "label": _('ACL name'), "default": "login acl"},
-        {"name": "login_from", "label": _('Login from'), "default": "web"},
-        {"name": "time", "label": _('Login time'), "default": "2025-01-01 12:00:00"},
-    ]
 
-    def __init__(self, user, user_log: UserLoginLog, acl: LoginACL):
+    def __init__(self, user, user_log: UserLoginLog):
         self.user_log = user_log
-        self.acl_name = str(acl)
-        self.login_from = user_log.get_type_display()
-        now = timezone.localtime(user_log.datetime)
-        self.time = now.strftime('%Y-%m-%d %H:%M:%S')
         super().__init__(user)
 
     def get_html_msg(self) -> dict:
         user_log = self.user_log
         context = {
             'ip': user_log.ip,
-            'time': self.time,
             'city': user_log.city,
-            'acl_name': self.acl_name,
-            'login_from': self.login_from,
             'username': user_log.username,
-            'recipient_name': self.user.name,
+            'recipient': self.user,
-            'recipient_username': self.user.username,
             'user_agent': user_log.user_agent,
         }
-        message = custom_render_to_string(self.template_name, context)
+        message = render_to_string('acls/user_login_reminder.html', context)
 
         return {
             'subject': str(self.subject),
@@ -62,55 +40,24 @@ class UserLoginReminderMsg(UserMessage):
 
 class AssetLoginReminderMsg(UserMessage):
     subject = _('User login alert for asset')
-    template_name = 'acls/asset_login_reminder.html'
-    contexts = [
-        {"name": "city", "label": _('Login city'), "default": "Shanghai"},
-        {"name": "username", "label": _('User'), "default": "john"},
-        {"name": "name", "label": _('Name'), "default": "John"},
-        {"name": "asset", "label": _('Asset'), "default": "dev server"},
-        {"name": "recipient_name", "label": _('Recipient name'), "default": "John"},
-        {"name": "recipient_username", "label": _('Recipient username'), "default": "john"},
-        {"name": "account", "label": _('Account Input username'), "default": "root"},
-        {"name": "account_name", "label": _('Account name'), "default": "root"},
-        {"name": "acl_name", "label": _('ACL name'), "default": "login acl"},
-        {"name": "ip", "label": "IP", "default": "192.168.1.1"},
-        {"name": "login_from", "label": _('Login from'), "default": "web"},
-        {"name": "time", "label": _('Login time'), "default": "2025-01-01 12:00:00"}
-    ]
 
-    def __init__(
+    def __init__(self, user, asset: Asset, login_user: User, account: Account, input_username):
-            self, user, asset: Asset, login_user: User,
-            account: Account, acl: LoginAssetACL,
-            ip, input_username, login_from
-    ):
-        self.ip = ip
         self.asset = asset
         self.login_user = login_user
         self.account = account
-        self.acl_name = str(acl)
-        self.login_from = login_from
-        self.login_user = login_user
         self.input_username = input_username
-
-        now = timezone.localtime(timezone.now())
-        self.time = now.strftime('%Y-%m-%d %H:%M:%S')
         super().__init__(user)
 
     def get_html_msg(self) -> dict:
         context = {
-            'ip': self.ip,
+            'recipient': self.user,
-            'time': self.time,
-            'login_from': self.login_from,
-            'recipient_name': self.user.name,
-            'recipient_username': self.user.username,
             'username': self.login_user.username,
             'name': self.login_user.name,
             'asset': str(self.asset),
             'account': self.input_username,
             'account_name': self.account.name,
-            'acl_name': self.acl_name,
         }
-        message = custom_render_to_string(self.template_name, context)
+        message = render_to_string('acls/asset_login_reminder.html', context)
 
         return {
             'subject': str(self.subject),

apps/acls/serializers/__init__.py

@@ -3,4 +3,3 @@ from .connect_method import *
 from .login_acl import *
 from .login_asset_acl import *
 from .login_asset_check import *
-from .data_masking import *

apps/acls/serializers/base.py

@@ -90,7 +90,7 @@ class BaseACLSerializer(ActionAclSerializer, serializers.Serializer):
         fields_small = fields_mini + [
             "is_active", "priority", "action",
             "date_created", "date_updated",
-            "comment", "created_by"
+            "comment", "created_by", "org_id",
         ]
         fields_m2m = ["reviewers", ]
         fields = fields_small + fields_m2m
@@ -100,20 +100,6 @@ class BaseACLSerializer(ActionAclSerializer, serializers.Serializer):
             'reviewers': {'label': _('Recipients')},
         }
 
-class BaseUserACLSerializer(BaseACLSerializer):
-    users = JSONManyToManyField(label=_('User'))
-
-    class Meta(BaseACLSerializer.Meta):
-        fields = BaseACLSerializer.Meta.fields + ['users']
-
-
-class BaseUserAssetAccountACLSerializer(BaseUserACLSerializer):
-    assets = JSONManyToManyField(label=_('Asset'))
-    accounts = serializers.ListField(label=_('Account'))
-
-    class Meta(BaseUserACLSerializer.Meta):
-        fields = BaseUserACLSerializer.Meta.fields + ['assets', 'accounts', 'org_id']
-
     def validate_reviewers(self, reviewers):
         action = self.initial_data.get('action')
         if not action and self.instance:
@@ -132,4 +118,19 @@ class BaseUserAssetAccountACLSerializer(BaseUserACLSerializer):
                 "None of the reviewers belong to Organization `{}`".format(org.name)
             )
             raise serializers.ValidationError(error)
-        return valid_reviewers
+        return valid_reviewers
+
+
+class BaseUserACLSerializer(BaseACLSerializer):
+    users = JSONManyToManyField(label=_('User'))
+
+    class Meta(BaseACLSerializer.Meta):
+        fields = BaseACLSerializer.Meta.fields + ['users']
+
+
+class BaseUserAssetAccountACLSerializer(BaseUserACLSerializer):
+    assets = JSONManyToManyField(label=_('Asset'))
+    accounts = serializers.ListField(label=_('Account'))
+
+    class Meta(BaseUserACLSerializer.Meta):
+        fields = BaseUserACLSerializer.Meta.fields + ['assets', 'accounts']

apps/acls/serializers/connect_method.py

@@ -1,4 +1,4 @@
-from common.serializers.mixin import CommonBulkModelSerializer
+from orgs.mixins.serializers import BulkOrgResourceModelSerializer
 from .base import BaseUserAssetAccountACLSerializer as BaseSerializer
 from ..const import ActionChoices
 from ..models import ConnectMethodACL
@@ -6,15 +6,16 @@ from ..models import ConnectMethodACL
 __all__ = ["ConnectMethodACLSerializer"]
 
 
-class ConnectMethodACLSerializer(BaseSerializer, CommonBulkModelSerializer):
+class ConnectMethodACLSerializer(BaseSerializer, BulkOrgResourceModelSerializer):
     class Meta(BaseSerializer.Meta):
         model = ConnectMethodACL
         fields = [
             i for i in BaseSerializer.Meta.fields + ['connect_methods']
-            if i not in ['assets', 'accounts', 'org_id']
+            if i not in ['assets', 'accounts']
         ]
         action_choices_exclude = BaseSerializer.Meta.action_choices_exclude + [
             ActionChoices.review,
+            ActionChoices.accept,
             ActionChoices.notice,
             ActionChoices.face_verify,
             ActionChoices.face_online,

apps/acls/serializers/data_masking.py

@@ -1,19 +0,0 @@
-from django.utils.translation import gettext_lazy as _
-
-from acls.models import MaskingMethod, DataMaskingRule
-from common.serializers.fields import LabeledChoiceField
-from common.serializers.mixin import CommonBulkModelSerializer
-from orgs.mixins.serializers import BulkOrgResourceModelSerializer
-from .base import BaseUserAssetAccountACLSerializer as BaseSerializer
-
-__all__ = ['DataMaskingRuleSerializer']
-
-
-class DataMaskingRuleSerializer(BaseSerializer, BulkOrgResourceModelSerializer):
-    masking_method = LabeledChoiceField(
-        choices=MaskingMethod.choices, default=MaskingMethod.fixed_char, label=_('Masking Method')
-    )
-
-    class Meta(BaseSerializer.Meta):
-        model = DataMaskingRule
-        fields = BaseSerializer.Meta.fields + ['fields_pattern', 'masking_method', 'mask_pattern']

apps/acls/serializers/login_acl.py

@@ -1,7 +1,7 @@
 from django.utils.translation import gettext as _
 
-from common.serializers import CommonBulkModelSerializer
 from common.serializers import MethodSerializer
+from orgs.mixins.serializers import BulkOrgResourceModelSerializer
 from .base import BaseUserACLSerializer
 from .rules import RuleSerializer
 from ..const import ActionChoices
@@ -12,12 +12,12 @@ __all__ = ["LoginACLSerializer"]
 common_help_text = _("With * indicating a match all. ")
 
 
-class LoginACLSerializer(BaseUserACLSerializer, CommonBulkModelSerializer):
+class LoginACLSerializer(BaseUserACLSerializer, BulkOrgResourceModelSerializer):
     rules = MethodSerializer(label=_('Rule'))
 
     class Meta(BaseUserACLSerializer.Meta):
         model = LoginACL
-        fields = list((set(BaseUserACLSerializer.Meta.fields) | {'rules'}))
+        fields = BaseUserACLSerializer.Meta.fields + ['rules', ]
         action_choices_exclude = [
             ActionChoices.warning,
             ActionChoices.notify_and_warn,

apps/acls/serializers/rules/rules.py

@@ -1,7 +1,5 @@
 # coding: utf-8
 #
-from urllib.parse import urlparse
-
 from django.utils.translation import gettext_lazy as _
 from rest_framework import serializers
 
@@ -10,7 +8,7 @@ from common.utils.ip import is_ip_address, is_ip_network, is_ip_segment
 
 logger = get_logger(__file__)
 
-__all__ = ['RuleSerializer', 'ip_group_child_validator', 'ip_group_help_text', 'address_validator']
+__all__ = ['RuleSerializer', 'ip_group_child_validator', 'ip_group_help_text']
 
 
 def ip_group_child_validator(ip_group_child):
@@ -23,19 +21,6 @@ def ip_group_child_validator(ip_group_child):
         raise serializers.ValidationError(error)
 
 
-def address_validator(value):
-    parsed = urlparse(value)
-    is_basic_url = parsed.scheme in ('http', 'https') and parsed.netloc
-    is_valid = value == '*' \
-               or is_ip_address(value) \
-               or is_ip_network(value) \
-               or is_ip_segment(value) \
-               or is_basic_url
-    if not is_valid:
-        error = _('address invalid: `{}`').format(value)
-        raise serializers.ValidationError(error)
-
-
 ip_group_help_text = _(
     'With * indicating a match all. '
     'Such as: '

apps/acls/templates/acls/asset_login_reminder.html

@@ -1,17 +1,13 @@
 {% load i18n %}
 
-<h3>{% trans 'Dear' %}: {{ recipient_name }}[{{ recipient_username }}]</h3>
+<h3>{% trans 'Dear' %}: {{ recipient.name }}[{{ recipient.username }}]</h3>
 <hr>
 <p>{% trans 'We would like to inform you that a user has recently logged into the following asset:' %}<p>
 <p><strong>{% trans 'Asset details' %}:</strong></p>
 <ul>
     <li><strong>{% trans 'User' %}:</strong> [{{ name }}({{ username }})]</li>
-    <li><strong>IP:</strong> [{{ ip }}]</li>
     <li><strong>{% trans 'Assets' %}:</strong> [{{ asset }}]</li>
     <li><strong>{% trans 'Account' %}:</strong> [{{ account_name }}({{ account }})]</li>
-    <li><strong>{% trans 'Login asset acl' %}:</strong> [{{ acl_name }}]</li>
-    <li><strong>{% trans 'Login from' %}:</strong> [{{ login_from }}]</li>
-    <li><strong>{% trans 'Time' %}:</strong> [{{ time }}]</li>
 </ul>
 <hr>
 

apps/acls/templates/acls/user_login_reminder.html

@@ -1,6 +1,6 @@
 {% load i18n %}
 
-<h3>{% trans 'Dear' %}: {{ recipient_name }}[{{ recipient_username }}]</h3>
+<h3>{% trans 'Dear' %}: {{ recipient.name }}[{{ recipient.username }}]</h3>
 <hr>
 <p>{% trans 'We would like to inform you that a user has recently logged:' %}<p>
 <p><strong>{% trans 'User details' %}:</strong></p>
@@ -8,10 +8,7 @@
     <li><strong>{% trans 'User' %}:</strong> [{{ username }}]</li>
     <li><strong>IP:</strong> [{{ ip }}]</li>
     <li><strong>{% trans 'Login city' %}:</strong> [{{ city }}]</li>
-    <li><strong>{% trans 'Login from' %}:</strong> [{{ login_from }}]</li>
     <li><strong>{% trans 'User agent' %}:</strong> [{{ user_agent }}]</li>
-    <li><strong>{% trans 'Login acl' %}:</strong> [{{ acl_name }}]</li>
-    <li><strong>{% trans 'Time' %}:</strong> [{{ time }}]</li>
 </ul>
 <hr>
 

apps/acls/urls/api_urls.py

@@ -11,7 +11,6 @@ router.register(r'login-asset-acls', api.LoginAssetACLViewSet, 'login-asset-acl'
 router.register(r'command-filter-acls', api.CommandFilterACLViewSet, 'command-filter-acl')
 router.register(r'command-groups', api.CommandGroupViewSet, 'command-group')
 router.register(r'connect-method-acls', api.ConnectMethodACLViewSet, 'connect-method-acl')
-router.register(r'data-masking-rules', api.DataMaskingRuleViewSet, 'data-masking-rule')
 
 urlpatterns = [
     path('login-asset/check/', api.LoginAssetCheckAPI.as_view(), name='login-asset-check'),

apps/assets/api/asset/asset.py

@@ -1,7 +1,8 @@
 # -*- coding: utf-8 -*-
 #
+from collections import defaultdict
+
 from django.conf import settings
-from django.db import transaction
 from django.shortcuts import get_object_or_404
 from django.utils.translation import gettext as _
 from django_filters import rest_framework as drf_filters
@@ -112,7 +113,7 @@ class BaseAssetViewSet(OrgBulkModelViewSet):
         ("accounts", AccountSerializer),
     )
     rbac_perms = (
-        ("match", "assets.view_asset"),
+        ("match", "assets.match_asset"),
         ("platform", "assets.view_platform"),
         ("gateways", "assets.view_gateway"),
         ("accounts", "assets.view_account"),
@@ -180,18 +181,33 @@ class AssetViewSet(SuggestionMixin, BaseAssetViewSet):
     def sync_platform_protocols(self, request, *args, **kwargs):
         platform_id = request.data.get('platform_id')
         platform = get_object_or_404(Platform, pk=platform_id)
-        asset_ids = list(platform.assets.values_list('id', flat=True))
+        assets = platform.assets.all()
-        platform_protocols = list(platform.protocols.values('name', 'port'))
 
-        with transaction.atomic():
+        platform_protocols = {
-            if asset_ids:
+            p['name']: p['port']
-                Protocol.objects.filter(asset_id__in=asset_ids).delete()
+            for p in platform.protocols.values('name', 'port')
-            if asset_ids and platform_protocols:
+        }
-                objs = []
+        asset_protocols_map = defaultdict(set)
-                for aid in asset_ids:
+        protocols = assets.prefetch_related('protocols').values_list(
-                    for p in platform_protocols:
+            'id', 'protocols__name'
-                        objs.append(Protocol(name=p['name'], port=p['port'], asset_id=aid))
+        )
-                Protocol.objects.bulk_create(objs)
+        for asset_id, protocol in protocols:
+            asset_id = str(asset_id)
+            asset_protocols_map[asset_id].add(protocol)
+        objs = []
+        for asset_id, protocols in asset_protocols_map.items():
+            protocol_names = set(platform_protocols) - protocols
+            if not protocol_names:
+                continue
+            for name in protocol_names:
+                objs.append(
+                    Protocol(
+                        name=name,
+                        port=platform_protocols[name],
+                        asset_id=asset_id,
+                    )
+                )
+        Protocol.objects.bulk_create(objs)
         return Response(status=status.HTTP_200_OK)
 
     def filter_bulk_update_data(self):

apps/assets/api/favorite_asset.py

@@ -14,7 +14,6 @@ class FavoriteAssetViewSet(BulkModelViewSet):
     serializer_class = FavoriteAssetSerializer
     permission_classes = (IsValidUser,)
     filterset_fields = ['asset']
-    page_no_limit = True
 
     def dispatch(self, request, *args, **kwargs):
         with tmp_to_root_org():

apps/assets/api/node.py

@@ -43,7 +43,7 @@ class NodeViewSet(SuggestionMixin, OrgBulkModelViewSet):
     search_fields = ('full_value',)
     serializer_class = serializers.NodeSerializer
     rbac_perms = {
-        'match': 'assets.view_node',
+        'match': 'assets.match_node',
         'check_assets_amount_task': 'assets.change_node'
     }
 

apps/assets/api/platform.py

@@ -7,18 +7,15 @@ from rest_framework.decorators import action
 from rest_framework.response import Response
 
 from assets.const import AllTypes
-from assets.models import Platform, Node, Asset, PlatformProtocol, PlatformAutomation
+from assets.models import Platform, Node, Asset, PlatformProtocol
 from assets.serializers import PlatformSerializer, PlatformProtocolSerializer, PlatformListSerializer
 from common.api import JMSModelViewSet
 from common.permissions import IsValidUser
 from common.serializers import GroupedChoiceSerializer
-from rbac.models import RoleBinding
 
 __all__ = ['AssetPlatformViewSet', 'PlatformAutomationMethodsApi', 'PlatformProtocolViewSet']
 
 
-
-
 class PlatformFilter(filters.FilterSet):
     name__startswith = filters.CharFilter(field_name='name', lookup_expr='istartswith')
 
@@ -43,7 +40,6 @@ class AssetPlatformViewSet(JMSModelViewSet):
         'ops_methods': 'assets.view_platform',
         'filter_nodes_assets': 'assets.view_platform',
     }
-    page_no_limit = True
 
     def get_queryset(self):
         # 因为没有走分页逻辑，所以需要这里 prefetch
@@ -67,13 +63,6 @@ class AssetPlatformViewSet(JMSModelViewSet):
             return super().get_object()
         return self.get_queryset().get(name=pk)
 
-
-    def check_permissions(self, request):
-        if self.action == 'list' and RoleBinding.is_org_admin(request.user):
-            return True
-        else:
-            return super().check_permissions(request)
-
     def check_object_permissions(self, request, obj):
         if request.method.lower() in ['delete', 'put', 'patch'] and obj.internal:
             self.permission_denied(
@@ -112,10 +101,7 @@ class PlatformProtocolViewSet(JMSModelViewSet):
 
 
 class PlatformAutomationMethodsApi(generics.ListAPIView):
-    queryset = PlatformAutomation.objects.none()
+    permission_classes = (IsValidUser,)
-    rbac_perms = {
-        'list': 'assets.view_platform'
-    }
 
     @staticmethod
     def automation_methods():

apps/assets/api/protocol.py

@@ -13,13 +13,3 @@ class ProtocolListApi(ListAPIView):
 
     def get_queryset(self):
         return list(Protocol.protocols())
-
-    def filter_queryset(self, queryset):
-        search = self.request.query_params.get("search", "").lower().strip()
-        if not search:
-            return queryset
-        queryset = [
-            p for p in queryset
-            if search in p['label'].lower() or search in p['value'].lower()
-        ]
-        return queryset

apps/assets/api/tree.py

@@ -161,7 +161,6 @@ class CategoryTreeApi(SerializeToTreeNodeMixin, generics.ListAPIView):
         'GET': 'assets.view_asset',
         'list': 'assets.view_asset',
     }
-    queryset = Node.objects.none()
 
     def get_assets(self):
         key = self.request.query_params.get('key')

apps/assets/automations/base/manager.py

@@ -123,7 +123,9 @@ class BaseManager:
         self.execution.summary = self.summary
         self.execution.result = self.result
         self.execution.status = self.status
-        self.execution.save()
+
+        with safe_atomic_db_connection():
+            self.execution.save()
 
     def print_summary(self):
         content = "\nSummery: \n"
@@ -155,7 +157,7 @@ class BaseManager:
                 report = self.gen_report()
                 report = transform(report, cssutils_logging_level="CRITICAL")
                 subject = self.get_report_subject()
-                emails = [user.email]
+                emails = [r.email for r in recipients if r.email]
                 send_mail_async(subject, report, emails, html_message=report)
 
     def gen_report(self):
@@ -165,10 +167,9 @@ class BaseManager:
         return data
 
     def post_run(self):
-        with safe_atomic_db_connection():
+        self.update_execution()
-            self.update_execution()
+        self.print_summary()
-            self.print_summary()
+        self.send_report_if_need()
-            self.send_report_if_need()
 
     def run(self, *args, **kwargs):
         self.pre_run()
@@ -547,8 +548,7 @@ class BasePlaybookManager(PlaybookPrepareMixin, BaseManager):
             try:
                 kwargs.update({"clean_workspace": False})
                 cb = runner.run(**kwargs)
-                with safe_atomic_db_connection():
+                self.on_runner_success(runner, cb)
-                    self.on_runner_success(runner, cb)
             except Exception as e:
                 self.on_runner_failed(runner, e, **info)
             finally:

apps/assets/automations/gather_facts/format_asset_info.py

@@ -11,20 +11,15 @@ class FormatAssetInfo:
     @staticmethod
     def get_cpu_model_count(cpus):
         try:
-            if len(cpus) % 3 == 0:
+            models = [cpus[i + 1] + " " + cpus[i + 2] for i in range(0, len(cpus), 3)]
-                step = 3
-                models = [cpus[i + 2] for i in range(0, len(cpus), step)]
-            elif len(cpus) % 2 == 0:
-                step = 2
-                models = [cpus[i + 1] for i in range(0, len(cpus), step)]
-            else:
-                raise ValueError("CPU list format not recognized")
 
             model_counts = Counter(models)
+
             result = ', '.join([f"{model} x{count}" for model, count in model_counts.items()])
         except Exception as e:
             print(f"Error processing CPU model list: {e}")
             result = ''
+
         return result
 
     @staticmethod

apps/assets/automations/ping/custom/rdp/main.yml

@@ -3,8 +3,7 @@
   vars:
     ansible_shell_type: sh
     ansible_connection: local
-    ansible_python_interpreter: "{{ local_python_interpreter }}"
+    ansible_python_interpreter: /opt/py3/bin/python
-    ansible_timeout: 30
 
   tasks:
     - name: Test asset connection (pyfreerdp)

apps/assets/automations/ping/custom/ssh/main.yml

@@ -4,7 +4,7 @@
     ansible_connection: local
     ansible_shell_type: sh
     ansible_become: false
-    ansible_timeout: 30
+
   tasks:
     - name: Test asset connection (paramiko)
       ssh_ping:

apps/assets/automations/ping/custom/telnet/main.yml

@@ -3,7 +3,7 @@
   vars:
     ansible_connection: local
     ansible_shell_type: sh
-    ansible_timeout: 30
+
   tasks:
     - name: Test asset connection (telnet)
       telnet_ping:

apps/assets/automations/ping/database/mongodb/main.yml

@@ -2,7 +2,6 @@
   gather_facts: no
   vars:
     ansible_python_interpreter: "{{ local_python_interpreter }}"
-    ansible_timeout: 30
 
   tasks:
     - name: Test MongoDB connection
@@ -17,5 +16,3 @@
         ssl_certfile: "{{ jms_asset.secret_info.client_key | default('') }}"
         connection_options:
           - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
-      register: result
-      failed_when: not result.is_available

apps/assets/automations/ping/database/mysql/main.yml

@@ -6,7 +6,6 @@
     ca_cert: "{{ jms_asset.secret_info.ca_cert | default('') }}"
     ssl_cert: "{{ jms_asset.secret_info.client_cert | default('') }}"
     ssl_key: "{{ jms_asset.secret_info.client_key | default('') }}"
-    ansible_timeout: 30
 
   tasks:
     - name: Test MySQL connection

apps/assets/automations/ping/database/oracle/main.yml

@@ -2,7 +2,6 @@
   gather_facts: no
   vars:
     ansible_python_interpreter: "{{ local_python_interpreter }}"
-    ansible_timeout: 30
 
   tasks:
     - name: Test Oracle connection

apps/assets/automations/ping/database/postgresql/main.yml

@@ -6,7 +6,7 @@
     ca_cert: "{{ jms_asset.secret_info.ca_cert | default('') }}"
     ssl_cert: "{{ jms_asset.secret_info.client_cert | default('') }}"
     ssl_key: "{{ jms_asset.secret_info.client_key | default('') }}"
-    ansible_timeout: 30
+
   tasks:
     - name: Test PostgreSQL connection
       community.postgresql.postgresql_ping: