fix: 修复 private storage permission

perf: 优化命令过滤规则操作日志显示问题

.dockerignore

@@ -7,4 +7,5 @@ django.db
 celerybeat.pid
 ### Vagrant ###
 .vagrant/
-apps/xpack/.git
+apps/xpack/.git
+.history/

.gitattributes

@@ -1,2 +1,4 @@
 *.mmdb filter=lfs diff=lfs merge=lfs -text
 *.mo filter=lfs diff=lfs merge=lfs -text
+*.ipdb filter=lfs diff=lfs merge=lfs -text
+

.github/ISSUE_TEMPLATE/----.md

@@ -3,7 +3,10 @@ name: 需求建议
 about: 提出针对本项目的想法和建议
 title: "[Feature] "
 labels: 类型:需求
-assignees: ibuler
+assignees: 
+  - ibuler
+  - baijiangjie
+
 
 ---
 

.github/ISSUE_TEMPLATE/bug---.md

@@ -3,11 +3,13 @@ name: Bug 提交
 about: 提交产品缺陷帮助我们更好的改进
 title: "[Bug] "
 labels: 类型:bug
-assignees: wojiushixiaobai
+assignees: 
+   - wojiushixiaobai
+   - baijiangjie
 
 ---
 
-**JumpServer 版本(v1.5.9以下不再支持)**
+**JumpServer 版本( v2.28 之前的版本不再支持 )**
 
 
 **浏览器版本**
@@ -17,6 +19,6 @@ assignees: wojiushixiaobai
 
 
 **Bug 重现步骤(有截图更好)**
-1.  
-2. 
-3. 
+1.
+2.
+3.

.github/ISSUE_TEMPLATE/question.md

@@ -3,7 +3,9 @@ name: 问题咨询
 about: 提出针对本项目安装部署、使用及其他方面的相关问题
 title: "[Question] "
 labels: 类型:提问
-assignees: wojiushixiaobai
+assignees: 
+  - wojiushixiaobai
+  - baijiangjie
 
 ---
 

.github/release-config.yml

@@ -41,4 +41,5 @@ version-resolver:
   default: patch
 template: |
   ## 版本变化  What’s Changed
-  $CHANGES
+  $CHANGES
+

.github/workflows/jms-build-test.yml

@@ -0,0 +1,36 @@
+name: "Run Build Test"
+on:
+  push:
+    branches:
+      - pr@*
+      - repr@*
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+
+    - uses: docker/setup-qemu-action@v2
+
+    - uses: docker/setup-buildx-action@v2
+
+    - uses: docker/build-push-action@v3
+      with:
+        context: .
+        push: false
+        tags: jumpserver/core:test
+        file: Dockerfile
+        build-args: |
+          APT_MIRROR=http://deb.debian.org
+          PIP_MIRROR=https://pypi.org/simple
+          PIP_JMS_MIRROR=https://pypi.org/simple
+        cache-from: type=gha
+        cache-to: type=gha,mode=max
+
+    - uses: LouisBrunner/checks-action@v1.5.0
+      if: always()
+      with:
+        token: ${{ secrets.GITHUB_TOKEN }}
+        name: Check Build
+        conclusion: ${{ job.status }}

.github/workflows/release-drafter.yml

@@ -21,7 +21,7 @@ jobs:
           TAG=$(basename ${GITHUB_REF})
           VERSION=${TAG/v/}
           wget https://raw.githubusercontent.com/jumpserver/installer/master/quick_start.sh
-          sed -i "s@Version=.*@Version=v${VERSION}@g" quick_start.sh
+          sed -i "s@VERSION=dev@VERSION=v${VERSION}@g" quick_start.sh
           echo "::set-output name=TAG::$TAG"
           echo "::set-output name=VERSION::$VERSION"
       - name: Create Release

.github/workflows/sync-gitee.yml

@@ -20,4 +20,4 @@ jobs:
           SSH_PRIVATE_KEY: ${{ secrets.GITEE_SSH_PRIVATE_KEY }}
         with:
           source-repo: 'git@github.com:jumpserver/jumpserver.git'
-          destination-repo: 'git@gitee.com:jumpserver/jumpserver.git'
+          destination-repo: 'git@gitee.com:fit2cloud-feizhiyun/JumpServer.git'

.gitignore

@@ -16,6 +16,7 @@ dump.rdb
 .cache/
 .idea/
 .vscode/
+.fleet/
 db.sqlite3
 config.py
 config.yml
@@ -31,12 +32,15 @@ media
 celerybeat.pid
 django.db
 celerybeat-schedule.db
-data/static
 docs/_build/
 xpack
+xpack.bak
 logs/*
 ### Vagrant ###
 .vagrant/
 release/*
 releashe
 /apps/script.py
+data/*
+test.py
+.history/

.isort.cfg

@@ -0,0 +1,3 @@
+[settings]
+line_length=120
+known_first_party=common,users,assets,perms,authentication,jumpserver,notification,ops,orgs,rbac,settings,terminal,tickets

CODE_OF_CONDUCT.md

@@ -126,3 +126,4 @@ enforcement ladder](https://github.com/mozilla/diversity).
 For answers to common questions about this code of conduct, see the FAQ at
 https://www.contributor-covenant.org/faq. Translations are available at
 https://www.contributor-covenant.org/translations.
+

CONTRIBUTING.md

@@ -23,3 +23,4 @@ When reporting issues, always include:
 
 Because the issues are open to the public, when submitting files, be sure to remove any sensitive information, e.g. user name, password, IP address, and company name. You can
 replace those parts with "REDACTED" or other strings like "****".
+

Dockerfile

@@ -1,6 +1,6 @@
-# 编译代码
-FROM python:3.8-slim as stage-build
-MAINTAINER JumpServer Team <ibuler@qq.com>
+FROM python:3.9-slim as stage-build
+ARG TARGETARCH
+
 ARG VERSION
 ENV VERSION=$VERSION
 
@@ -8,80 +8,97 @@ WORKDIR /opt/jumpserver
 ADD . .
 RUN cd utils && bash -ixeu build.sh
 
-FROM python:3.8-slim
+FROM python:3.9-slim
+ARG TARGETARCH
+MAINTAINER JumpServer Team <ibuler@qq.com>
+
+ARG BUILD_DEPENDENCIES="              \
+        g++                           \
+        make                          \
+        pkg-config"
+
+ARG DEPENDENCIES="                    \
+        freetds-dev                   \
+        libpq-dev                     \
+        libffi-dev                    \
+        libjpeg-dev                   \
+        libldap2-dev                  \
+        libsasl2-dev                  \
+        libxml2-dev                   \
+        libxmlsec1-dev                \
+        libxmlsec1-openssl            \
+        libaio-dev"
+
+ARG TOOLS="                           \
+        ca-certificates               \
+        curl                          \
+        default-libmysqlclient-dev    \
+        default-mysql-client          \
+        locales                       \
+        openssh-client                \
+        procps                        \
+        sshpass                       \
+        telnet                        \
+        unzip                         \
+        vim                           \
+        git                           \
+        wget"
+
+ARG APT_MIRROR=http://mirrors.ustc.edu.cn
+
+RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=core \
+    sed -i "s@http://.*.debian.org@${APT_MIRROR}@g" /etc/apt/sources.list \
+    && rm -f /etc/apt/apt.conf.d/docker-clean \
+    && ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
+    && apt-get update \
+    && apt-get -y install --no-install-recommends ${BUILD_DEPENDENCIES} \
+    && apt-get -y install --no-install-recommends ${DEPENDENCIES} \
+    && apt-get -y install --no-install-recommends ${TOOLS} \
+    && mkdir -p /root/.ssh/ \
+    && echo "Host *\n\tStrictHostKeyChecking no\n\tUserKnownHostsFile /dev/null\n\tCiphers +aes128-cbc\n\tKexAlgorithms +diffie-hellman-group1-sha1\n\tHostKeyAlgorithms +ssh-rsa" > /root/.ssh/config \
+    && echo "set mouse-=a" > ~/.vimrc \
+    && echo "no" | dpkg-reconfigure dash \
+    && echo "zh_CN.UTF-8" | dpkg-reconfigure locales \
+    && sed -i "s@# export @export @g" ~/.bashrc \
+    && sed -i "s@# alias @alias @g" ~/.bashrc \
+    && rm -rf /var/lib/apt/lists/*
+
+ARG DOWNLOAD_URL=https://download.jumpserver.org
+
+RUN mkdir -p /opt/oracle/ \
+    && cd /opt/oracle/ \
+    && wget ${DOWNLOAD_URL}/public/instantclient-basiclite-linux.${TARGETARCH}-19.10.0.0.0.zip \
+    && unzip instantclient-basiclite-linux.${TARGETARCH}-19.10.0.0.0.zip \
+    && sh -c "echo /opt/oracle/instantclient_19_10 > /etc/ld.so.conf.d/oracle-instantclient.conf" \
+    && ldconfig \
+    && rm -f instantclient-basiclite-linux.${TARGETARCH}-19.10.0.0.0.zip
+
+WORKDIR /tmp/build
+COPY ./requirements ./requirements
+
 ARG PIP_MIRROR=https://pypi.douban.com/simple
 ENV PIP_MIRROR=$PIP_MIRROR
 ARG PIP_JMS_MIRROR=https://pypi.douban.com/simple
 ENV PIP_JMS_MIRROR=$PIP_JMS_MIRROR
 
-WORKDIR /opt/jumpserver
-
-ARG BUILD_DEPENDENCIES="              \
-    g++                               \
-    make                              \
-    pkg-config"
-
-ARG DEPENDENCIES="                    \
-    default-libmysqlclient-dev        \
-    freetds-dev                       \
-    libpq-dev                         \
-    libffi-dev                        \
-    libldap2-dev                      \
-    libsasl2-dev                      \
-    libxml2-dev                       \
-    libxmlsec1-dev                    \
-    libxmlsec1-openssl                \
-    libaio-dev                        \
-    sshpass"
-
-ARG TOOLS="                           \
-    curl                              \
-    default-mysql-client              \
-    iproute2                          \
-    iputils-ping                      \
-    locales                           \
-    procps                            \
-    redis-tools                       \
-    telnet                            \
-    vim                               \
-    wget"
-
-RUN sed -i 's/deb.debian.org/mirrors.aliyun.com/g' /etc/apt/sources.list \
-    && sed -i 's/security.debian.org/mirrors.aliyun.com/g' /etc/apt/sources.list \
-    && apt update \
-    && apt -y install ${BUILD_DEPENDENCIES} \
-    && apt -y install ${DEPENDENCIES} \
-    && apt -y install ${TOOLS} \
-    && localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8 \
-    && cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
-    && mkdir -p /root/.ssh/ \
-    && echo "Host *\n\tStrictHostKeyChecking no\n\tUserKnownHostsFile /dev/null" > /root/.ssh/config \
-    && sed -i "s@# alias l@alias l@g" ~/.bashrc \
-    && echo "set mouse-=a" > ~/.vimrc \
-    && rm -rf /var/lib/apt/lists/* \
-    && mv /bin/sh /bin/sh.bak  \
-    && ln -s /bin/bash /bin/sh
-
-RUN mkdir -p /opt/jumpserver/oracle/ \
-    && wget https://download.jumpserver.org/public/instantclient-basiclite-linux.x64-21.1.0.0.0.tar \
-    && tar xf instantclient-basiclite-linux.x64-21.1.0.0.0.tar -C /opt/jumpserver/oracle/ \
-    && echo "/opt/jumpserver/oracle/instantclient_21_1" > /etc/ld.so.conf.d/oracle-instantclient.conf \
-    && ldconfig \
-    && rm -f instantclient-basiclite-linux.x64-21.1.0.0.0.tar
+RUN --mount=type=cache,target=/root/.cache/pip \
+    set -ex \
+    && pip config set global.index-url ${PIP_MIRROR} \
+    && pip install --upgrade pip \
+    && pip install --upgrade setuptools wheel \
+    && pip install $(grep -E 'jms|jumpserver' requirements/requirements.txt) -i ${PIP_JMS_MIRROR} \
+    && pip install -r requirements/requirements.txt
 
 COPY --from=stage-build /opt/jumpserver/release/jumpserver /opt/jumpserver
+RUN echo > /opt/jumpserver/config.yml \
+    && rm -rf /tmp/build
 
-RUN echo > config.yml \
-    && pip install --upgrade pip==20.2.4 setuptools==49.6.0 wheel==0.34.2 -i ${PIP_MIRROR} \
-    && pip install --no-cache-dir $(grep -E 'jms|jumpserver' requirements/requirements.txt) -i ${PIP_JMS_MIRROR} \
-    && pip install --no-cache-dir -r requirements/requirements.txt -i ${PIP_MIRROR} \
-    && rm -rf ~/.cache/pip
-
+WORKDIR /opt/jumpserver
 VOLUME /opt/jumpserver/data
 VOLUME /opt/jumpserver/logs
 
 ENV LANG=zh_CN.UTF-8
 
-EXPOSE 8070
 EXPOSE 8080
+
 ENTRYPOINT ["./entrypoint.sh"]

Dockerfile-ee

@@ -0,0 +1,10 @@
+ARG VERSION
+FROM registry.fit2cloud.com/jumpserver/xpack:${VERSION} as build-xpack
+FROM jumpserver/core:${VERSION}
+COPY --from=build-xpack /opt/xpack /opt/jumpserver/apps/xpack
+
+WORKDIR /opt/jumpserver
+
+RUN --mount=type=cache,target=/root/.cache/pip \
+    set -ex \
+    && pip install -r requirements/requirements_xpack.txt

Dockerfile.loong64

@@ -0,0 +1,96 @@
+FROM python:3.9-slim as stage-build
+ARG TARGETARCH
+
+ARG VERSION
+ENV VERSION=$VERSION
+
+WORKDIR /opt/jumpserver
+ADD . .
+RUN cd utils && bash -ixeu build.sh
+
+FROM python:3.9-slim
+ARG TARGETARCH
+MAINTAINER JumpServer Team <ibuler@qq.com>
+
+ARG BUILD_DEPENDENCIES="              \
+        g++                           \
+        make                          \
+        pkg-config"
+
+ARG DEPENDENCIES="                    \
+        freetds-dev                   \
+        libpq-dev                     \
+        libffi-dev                    \
+        libjpeg-dev                   \
+        libldap2-dev                  \
+        libsasl2-dev                  \
+        libssl-dev                    \
+        libxml2-dev                   \
+        libxmlsec1-dev                \
+        libxmlsec1-openssl            \
+        libaio-dev"
+
+ARG TOOLS="                           \
+        ca-certificates               \
+        curl                          \
+        default-libmysqlclient-dev    \
+        default-mysql-client          \
+        locales                       \
+        openssh-client                \
+        procps                        \
+        sshpass                       \
+        telnet                        \
+        unzip                         \
+        vim                           \
+        git                           \
+        wget"
+
+RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=core \
+    set -ex \
+    && ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
+    && apt-get update \
+    && apt-get -y install --no-install-recommends ${BUILD_DEPENDENCIES} \
+    && apt-get -y install --no-install-recommends ${DEPENDENCIES} \
+    && apt-get -y install --no-install-recommends ${TOOLS} \
+    && mkdir -p /root/.ssh/ \
+    && echo "Host *\n\tStrictHostKeyChecking no\n\tUserKnownHostsFile /dev/null\n\tCiphers +aes128-cbc\n\tKexAlgorithms +diffie-hellman-group1-sha1\n\tHostKeyAlgorithms +ssh-rsa" > /root/.ssh/config \
+    && echo "set mouse-=a" > ~/.vimrc \
+    && echo "no" | dpkg-reconfigure dash \
+    && echo "zh_CN.UTF-8" | dpkg-reconfigure locales \
+    && sed -i "s@# export @export @g" ~/.bashrc \
+    && sed -i "s@# alias @alias @g" ~/.bashrc \
+    && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /tmp/build
+COPY ./requirements ./requirements
+
+ARG PIP_MIRROR=https://pypi.douban.com/simple
+ENV PIP_MIRROR=$PIP_MIRROR
+ARG PIP_JMS_MIRROR=https://pypi.douban.com/simple
+ENV PIP_JMS_MIRROR=$PIP_JMS_MIRROR
+
+RUN --mount=type=cache,target=/root/.cache/pip \
+    set -ex \
+    && pip config set global.index-url ${PIP_MIRROR} \
+    && pip install --upgrade pip \
+    && pip install --upgrade setuptools wheel \
+    && pip install https://download.jumpserver.org/pypi/simple/cryptography/cryptography-38.0.4-cp39-cp39-linux_loongarch64.whl \
+    && pip install https://download.jumpserver.org/pypi/simple/greenlet/greenlet-1.1.2-cp39-cp39-linux_loongarch64.whl \
+    && pip install https://download.jumpserver.org/pypi/simple/PyNaCl/PyNaCl-1.5.0-cp39-cp39-linux_loongarch64.whl \
+    && pip install https://download.jumpserver.org/pypi/simple/grpcio/grpcio-1.54.2-cp39-cp39-linux_loongarch64.whl \
+    && pip install $(grep -E 'jms|jumpserver' requirements/requirements.txt) -i ${PIP_JMS_MIRROR} \
+    && pip install -r requirements/requirements.txt
+
+COPY --from=stage-build /opt/jumpserver/release/jumpserver /opt/jumpserver
+RUN echo > /opt/jumpserver/config.yml \
+    && rm -rf /tmp/build
+
+WORKDIR /opt/jumpserver
+VOLUME /opt/jumpserver/data
+VOLUME /opt/jumpserver/logs
+
+ENV LANG=zh_CN.UTF-8
+
+EXPOSE 8080
+
+ENTRYPOINT ["./entrypoint.sh"]

LICENSE

@@ -671,4 +671,5 @@ into proprietary programs.  If your program is a subroutine library, you
 may consider it more useful to permit linking proprietary applications with
 the library.  If this is what you want to do, use the GNU Lesser General
 Public License instead of this License.  But first, please read
-<https://www.gnu.org/licenses/why-not-lgpl.html>.
+<https://www.gnu.org/licenses/why-not-lgpl.html>.
+

README.md

@@ -1,134 +1,132 @@
-<p align="center"><a href="https://jumpserver.org"><img src="https://download.jumpserver.org/images/jumpserver-logo.svg" alt="JumpServer" width="300" /></a></p>
-<h3 align="center">多云环境下更好用的堡垒机</h3>
+<p align="center">
+  <a href="https://jumpserver.org"><img src="https://download.jumpserver.org/images/jumpserver-logo.svg" alt="JumpServer" width="300" /></a>
+</p>
+<h3 align="center">广受欢迎的开源堡垒机</h3>
 
 <p align="center">
   <a href="https://www.gnu.org/licenses/gpl-3.0.html"><img src="https://img.shields.io/github/license/jumpserver/jumpserver" alt="License: GPLv3"></a>
-  <a href="https://shields.io/github/downloads/jumpserver/jumpserver/total"><img src="https://shields.io/github/downloads/jumpserver/jumpserver/total" alt=" release"></a>
-  <a href="https://hub.docker.com/u/jumpserver"><img src="https://img.shields.io/docker/pulls/jumpserver/jms_all.svg" alt="Codacy"></a>
+  <a href="https://hub.docker.com/u/jumpserver"><img src="https://img.shields.io/docker/pulls/jumpserver/jms_all.svg" alt="Docker pulls"></a>
+  <a href="https://github.com/jumpserver/jumpserver/releases/latest"><img src="https://img.shields.io/github/v/release/jumpserver/jumpserver" alt="Latest release"></a>
   <a href="https://github.com/jumpserver/jumpserver"><img src="https://img.shields.io/github/stars/jumpserver/jumpserver?color=%231890FF&style=flat-square" alt="Stars"></a>
 </p>
 
+
+<p align="center">
+    JumpServer <a href="https://github.com/jumpserver/jumpserver/releases/tag/v3.0.0">v3.0</a> 正式发布。
+    <br>
+    9 年时间，倾情投入，用心做好一款开源堡垒机。
+</p>
+
+|                                                  :warning: 注意 :warning:                                                   |
+|:-------------------------------------------------------------------------------------------------------------------------:|
+| 3.0 架构上和 2.0 变化较大，建议全新安装一套环境来体验。如需升级，请务必升级前进行备份，并[查阅文档](https://kb.fit2cloud.com/?p=06638d69-f109-4333-b5bf-65b17b297ed9) |
+
 --------------------------
-- [ENGLISH](https://github.com/jumpserver/jumpserver/blob/master/README_EN.md)
 
+JumpServer 是广受欢迎的开源堡垒机，是符合 4A 规范的专业运维安全审计系统。JumpServer 堡垒机帮助企业以更安全的方式管控和登录各种类型的资产，包括：
 
+- **SSH**: Linux / Unix / 网络设备 等；
+- **Windows**: Web 方式连接 / 原生 RDP 连接；
+- **数据库**: MySQL / Oracle / SQLServer / PostgreSQL 等；
+- **Kubernetes**: 支持连接到 K8s 集群中的 Pods；
+- **Web 站点**: 各类系统的 Web 管理后台；
+- **应用**: 通过 Remote App 连接各类应用。
 
-JumpServer 是全球首款开源的堡垒机，使用 GPLv3 开源协议，是符合 4A 规范的运维安全审计系统。
+## 产品特色
 
-JumpServer 使用 Python 开发，遵循 Web 2.0 规范，配备了业界领先的 Web Terminal 方案，交互界面美观、用户体验好。
+- **开源**: 零门槛，线上快速获取和安装；
+- **无插件**: 仅需浏览器，极致的 Web Terminal 使用体验；
+- **分布式**: 支持分布式部署和横向扩展，轻松支持大规模并发访问；
+- **多云支持**: 一套系统，同时管理不同云上面的资产；
+- **多租户**: 一套系统，多个子公司或部门同时使用；
+- **云端存储**: 审计录像云端存储，永不丢失；
 
-JumpServer 采纳分布式架构，支持多机房跨区域部署，支持横向扩展，无资产数量及并发限制。
+## UI 展示
 
-改变世界，从一点点开始 ...
+![UI展示](https://docs.jumpserver.org/zh/v3/img/dashboard.png)
 
-> 如需进一步了解 JumpServer 开源项目，推荐阅读 [JumpServer 的初心和使命](https://mp.weixin.qq.com/s/S6q_2rP_9MwaVwyqLQnXzA)
+## 在线体验
 
-### 特色优势
-
-- 开源: 零门槛，线上快速获取和安装；
-- 分布式: 轻松支持大规模并发访问；
-- 无插件: 仅需浏览器，极致的 Web Terminal 使用体验；
-- 多云支持: 一套系统，同时管理不同云上面的资产；
-- 云端存储: 审计录像云端存储，永不丢失；
-- 多租户: 一套系统，多个子公司和部门同时使用；
-- 多应用支持: 数据库，Windows远程应用，Kubernetes。
-
-### UI 展示
-
-![UI展示](https://www.jumpserver.org/images/screenshot/1.png)
-
-### 在线体验
-
--   环境地址：<https://demo.jumpserver.org/>
+- 环境地址：<https://demo.jumpserver.org/>
 
 | :warning: 注意                 |
-| :--------------------------- |
+|:-----------------------------|
 | 该环境仅作体验目的使用，我们会定时清理、重置数据！    |
 | 请勿修改体验环境用户的密码！               |
 | 请勿在环境中添加业务生产环境地址、用户名密码等敏感信息！ |
 
-### 快速开始
+## 快速开始
 
-- [极速安装](https://docs.jumpserver.org/zh/master/install/setup_by_fast/)
-- [完整文档](https://docs.jumpserver.org)
-- [演示视频](https://www.bilibili.com/video/BV1ZV41127GB)
-- [手动安装](https://github.com/jumpserver/installer)
+- [快速入门](https://docs.jumpserver.org/zh/v3/quick_start/)
+- [产品文档](https://docs.jumpserver.org)
+- [在线学习](https://edu.fit2cloud.com/page/2635362)
+- [知识库](https://kb.fit2cloud.com/categories/jumpserver)
 
-### 组件项目
-- [Lina](https://github.com/jumpserver/lina) JumpServer Web UI 项目
-- [Luna](https://github.com/jumpserver/luna) JumpServer Web Terminal 项目
-- [KoKo](https://github.com/jumpserver/koko) JumpServer 字符协议 Connector 项目，替代原来 Python 版本的 [Coco](https://github.com/jumpserver/coco)
-- [Lion](https://github.com/jumpserver/lion-release) JumpServer 图形协议 Connector 项目，依赖 [Apache Guacamole](https://guacamole.apache.org/)
-- [Clients](https://github.com/jumpserver/clients) JumpServer 客户端 项目
-- [Installer](https://github.com/jumpserver/installer) JumpServer 安装包 项目
+## 案例研究
 
-### 社区
+- [腾讯海外游戏：基于JumpServer构建游戏安全运营能力](https://blog.fit2cloud.com/?p=3704)
+- [万华化学：通过JumpServer管理全球化分布式IT资产，并且实现与云管平台的联动](https://blog.fit2cloud.com/?p=3504)
+- [雪花啤酒：JumpServer堡垒机使用体会](https://blog.fit2cloud.com/?p=3412)
+- [顺丰科技：JumpServer 堡垒机护航顺丰科技超大规模资产安全运维](https://blog.fit2cloud.com/?p=1147)
+- [沐瞳游戏：通过JumpServer管控多项目分布式资产](https://blog.fit2cloud.com/?p=3213)
+- [携程：JumpServer 堡垒机部署与运营实战](https://blog.fit2cloud.com/?p=851)
+- [大智慧：JumpServer 堡垒机让“大智慧”的混合 IT 运维更智慧](https://blog.fit2cloud.com/?p=882)
+- [小红书：JumpServer 堡垒机大规模资产跨版本迁移之路](https://blog.fit2cloud.com/?p=516)
+- [中手游：JumpServer堡垒机助力中手游提升多云环境下安全运维能力](https://blog.fit2cloud.com/?p=732)
+- [中通快递：JumpServer主机安全运维实践](https://blog.fit2cloud.com/?p=708)
+- [东方明珠：JumpServer高效管控异构化、分布式云端资产](https://blog.fit2cloud.com/?p=687)
+- [江苏农信：JumpServer堡垒机助力行业云安全运维](https://blog.fit2cloud.com/?p=666)
 
-如果您在使用过程中有任何疑问或对建议，欢迎提交 [GitHub Issue](https://github.com/jumpserver/jumpserver/issues/new/choose) 或加入到我们的社区当中进行进一步交流沟通。
+## 社区交流
 
-#### 微信交流群
+如果您在使用过程中有任何疑问或对建议，欢迎提交 [GitHub Issue](https://github.com/jumpserver/jumpserver/issues/new/choose)。
+
+您也可以到我们的 [社区论坛](https://bbs.fit2cloud.com/c/js/5) 及微信交流群当中进行交流沟通。
+
+**微信交流群**
 
 <img src="https://download.jumpserver.org/images/wecom-group.jpeg" alt="微信群二维码" width="200"/>
 
-### 贡献
-如果有你好的想法创意，或者帮助我们修复了 Bug, 欢迎提交 Pull Request
+### 参与贡献
 
-感谢以下贡献者，让 JumpServer 更加完善
+欢迎提交 PR 参与贡献。感谢以下贡献者，他们让 JumpServer 变的越来越好。
 
-<a href="https://github.com/jumpserver/jumpserver/graphs/contributors">
-  <img src="https://contrib.rocks/image?repo=jumpserver/jumpserver" />
-</a>
+<a href="https://github.com/jumpserver/jumpserver/graphs/contributors"><img src="https://opencollective.com/jumpserver/contributors.svg?width=890&button=false" /></a>
 
-<a href="https://github.com/jumpserver/koko/graphs/contributors">
-  <img src="https://contrib.rocks/image?repo=jumpserver/koko" />
-</a>
+## 组件项目
 
-<a href="https://github.com/jumpserver/lina/graphs/contributors">
-  <img src="https://contrib.rocks/image?repo=jumpserver/lina" />
-</a>
+| 项目                                                     | 状态                                                                                                                                                                     | 描述                                                                                      |
+|--------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------|
+| [Lina](https://github.com/jumpserver/lina)             | <a href="https://github.com/jumpserver/lina/releases"><img alt="Lina release" src="https://img.shields.io/github/release/jumpserver/lina.svg" /></a>                   | JumpServer Web UI 项目                                                                    |
+| [Luna](https://github.com/jumpserver/luna)             | <a href="https://github.com/jumpserver/luna/releases"><img alt="Luna release" src="https://img.shields.io/github/release/jumpserver/luna.svg" /></a>                   | JumpServer Web Terminal 项目                                                              |
+| [KoKo](https://github.com/jumpserver/koko)             | <a href="https://github.com/jumpserver/koko/releases"><img alt="Koko release" src="https://img.shields.io/github/release/jumpserver/koko.svg" /></a>                   | JumpServer 字符协议 Connector 项目，替代原来 Python 版本的 [Coco](https://github.com/jumpserver/coco) |
+| [Lion](https://github.com/jumpserver/lion-release)     | <a href="https://github.com/jumpserver/lion-release/releases"><img alt="Lion release" src="https://img.shields.io/github/release/jumpserver/lion-release.svg" /></a>   | JumpServer 图形协议 Connector 项目，依赖 [Apache Guacamole](https://guacamole.apache.org/)       |
+| [Magnus](https://github.com/jumpserver/magnus-release) | <a href="https://github.com/jumpserver/magnus-release/releases"><img alt="Magnus release" src="https://img.shields.io/github/release/jumpserver/magnus-release.svg" /> | JumpServer 数据库代理 Connector 项目                                                           |
+| [Clients](https://github.com/jumpserver/clients)       | <a href="https://github.com/jumpserver/clients/releases"><img alt="Clients release" src="https://img.shields.io/github/release/jumpserver/clients.svg" />              | JumpServer 客户端 项目                                                                       |
+| [Installer](https://github.com/jumpserver/installer)   | <a href="https://github.com/jumpserver/installer/releases"><img alt="Installer release" src="https://img.shields.io/github/release/jumpserver/installer.svg" />        | JumpServer 安装包 项目                                                                       |
 
-<a href="https://github.com/jumpserver/luna/graphs/contributors">
-  <img src="https://contrib.rocks/image?repo=jumpserver/luna" />
-</a>
+## 安全说明
 
+JumpServer是一款安全产品，请参考 [基本安全建议](https://docs.jumpserver.org/zh/master/install/install_security/)
+进行安装部署。如果您发现安全相关问题，请直接联系我们：
 
+- 邮箱：support@fit2cloud.com
+- 电话：400-052-0755
 
-### 致谢
-- [Apache Guacamole](https://guacamole.apache.org/) Web页面连接 RDP, SSH, VNC协议设备，JumpServer 图形化组件 Lion 依赖 
-- [OmniDB](https://omnidb.org/) Web页面连接使用数据库，JumpServer Web数据库依赖
+## 致谢开源
 
+- [Apache Guacamole](https://guacamole.apache.org/)： Web 页面连接 RDP、SSH、VNC 等协议资产，JumpServer Lion 组件使用到该项目；
+- [OmniDB](https://omnidb.org/)： Web 页面连接使用数据库，JumpServer Web 数据库组件使用到该项目。
 
-### JumpServer 企业版 
-- [申请企业版试用](https://jinshuju.net/f/kyOYpi)
+## License & Copyright
 
-### 案例研究
+Copyright (c) 2014-2023 飞致云 FIT2CLOUD, All rights reserved.
 
-- [JumpServer 堡垒机护航顺丰科技超大规模资产安全运维](https://blog.fit2cloud.com/?p=1147)；
-- [JumpServer 堡垒机让“大智慧”的混合 IT 运维更智慧](https://blog.fit2cloud.com/?p=882)；
-- [携程 JumpServer 堡垒机部署与运营实战](https://blog.fit2cloud.com/?p=851)；
-- [小红书的JumpServer堡垒机大规模资产跨版本迁移之路](https://blog.fit2cloud.com/?p=516)；
-- [JumpServer堡垒机助力中手游提升多云环境下安全运维能力](https://blog.fit2cloud.com/?p=732)；
-- [中通快递：JumpServer主机安全运维实践](https://blog.fit2cloud.com/?p=708)；
-- [东方明珠：JumpServer高效管控异构化、分布式云端资产](https://blog.fit2cloud.com/?p=687)；
-- [江苏农信：JumpServer堡垒机助力行业云安全运维](https://blog.fit2cloud.com/?p=666)。
-
-### 安全说明
-
-JumpServer是一款安全产品，请参考 [基本安全建议](https://docs.jumpserver.org/zh/master/install/install_security/) 部署安装.
-
-如果你发现安全问题，可以直接联系我们：
-
-- ibuler@fit2cloud.com 
-- support@fit2cloud.com 
-- 400-052-0755
-
-### License & Copyright
-
-Copyright (c) 2014-2022 飞致云 FIT2CLOUD, All rights reserved.
-
-Licensed under The GNU General Public License version 3 (GPLv3)  (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
+Licensed under The GNU General Public License version 3 (GPLv3)  (the "License"); you may not use this file except in
+compliance with the License. You may obtain a copy of the License at
 
 https://www.gnu.org/licenses/gpl-3.0.html
 
-Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
-
+Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "
+AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific
+language governing permissions and limitations under the License.

README_EN.md

@@ -92,4 +92,3 @@ Licensed under The GNU General Public License version 3 (GPLv3)  (the "License")
 https://www.gnu.org/licenses/gpl-3.0.htmll
 
 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
-

SECURITY.md

@@ -18,3 +18,4 @@ All security bugs should be reported to the contact as below:
 - ibuler@fit2cloud.com
 - support@fit2cloud.com
 - 400-052-0755
+

Vagrantfile

@@ -1,56 +0,0 @@
-# -*- mode: ruby -*-
-# vi: set ft=ruby :
-
-Vagrant.configure("2") do |config|
-  # The most common configuration options are documented and commented below.
-  # For a complete reference, please see the online documentation at
-  # https://docs.vagrantup.com.
-
-  # Every Vagrant development environment requires a box. You can search for
-  # boxes at https://vagrantcloud.com/search.
-  config.vm.box_check_update = false
-  config.vm.box = "centos/7"
-  config.vm.hostname = "jumpserver"
-  config.vm.network "private_network", ip: "172.17.8.101"
-  config.vm.provider "virtualbox" do |vb|
-    vb.memory = "4096"
-    vb.cpus = 2
-    vb.name = "jumpserver"
-  end
-
-  config.vm.synced_folder ".", "/vagrant", type: "rsync",
-    rsync__verbose: true,
-    rsync__exclude: ['.git*', 'node_modules*','*.log','*.box','Vagrantfile']
-
-  config.vm.provision "shell", inline: <<-SHELL
-## 设置yum的阿里云源
-sudo curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
-sudo sed -i -e '/mirrors.cloud.aliyuncs.com/d' -e '/mirrors.aliyuncs.com/d' /etc/yum.repos.d/CentOS-Base.repo
-sudo curl -o /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
-sudo yum makecache
-
-## 安装依赖包
-sudo yum install -y python36 python36-devel python36-pip \
-		 libtiff-devel libjpeg-devel libzip-devel freetype-devel \
-     lcms2-devel libwebp-devel tcl-devel tk-devel sshpass \
-     openldap-devel mariadb-devel mysql-devel libffi-devel \
-     openssh-clients telnet openldap-clients gcc
-
-## 配置pip阿里云源
-mkdir /home/vagrant/.pip
-cat << EOF | sudo tee -a /home/vagrant/.pip/pip.conf
-[global]
-timeout = 6000
-index-url = https://mirrors.aliyun.com/pypi/simple/
-
-[install]
-use-mirrors = true
-mirrors = https://mirrors.aliyun.com/pypi/simple/
-trusted-host=mirrors.aliyun.com
-EOF
-
-python3.6 -m venv /home/vagrant/venv
-source /home/vagrant/venv/bin/activate
-echo 'source /home/vagrant/venv/bin/activate' >> /home/vagrant/.bash_profile
-  SHELL
-end

apps/accounts/api/__init__.py

@@ -0,0 +1,2 @@
+from .account import *
+from .automations import *

apps/accounts/api/account/__init__.py

@@ -0,0 +1,3 @@
+from .account import *
+from .task import *
+from .template import *

apps/accounts/api/account/account.py

@@ -0,0 +1,142 @@
+from django.shortcuts import get_object_or_404
+from rest_framework.decorators import action
+from rest_framework.generics import ListAPIView, CreateAPIView
+from rest_framework.response import Response
+from rest_framework.status import HTTP_200_OK
+
+from accounts import serializers
+from accounts.filters import AccountFilterSet
+from accounts.models import Account
+from assets.models import Asset, Node
+from common.api import ExtraFilterFieldsMixin
+from common.permissions import UserConfirmation, ConfirmType, IsValidUser
+from common.views.mixins import RecordViewLogMixin
+from orgs.mixins.api import OrgBulkModelViewSet
+from rbac.permissions import RBACPermission
+
+__all__ = [
+    'AccountViewSet', 'AccountSecretsViewSet',
+    'AccountHistoriesSecretAPI', 'AssetAccountBulkCreateApi',
+]
+
+
+class AccountViewSet(OrgBulkModelViewSet):
+    model = Account
+    search_fields = ('username', 'asset__address', 'name')
+    filterset_class = AccountFilterSet
+    serializer_classes = {
+        'default': serializers.AccountSerializer,
+    }
+    rbac_perms = {
+        'partial_update': ['accounts.change_account'],
+        'su_from_accounts': 'accounts.view_account',
+        'clear_secret': 'accounts.change_account',
+    }
+    export_as_zip = True
+
+    @action(methods=['get'], detail=False, url_path='su-from-accounts')
+    def su_from_accounts(self, request, *args, **kwargs):
+        account_id = request.query_params.get('account')
+        asset_id = request.query_params.get('asset')
+
+        if account_id:
+            account = get_object_or_404(Account, pk=account_id)
+            accounts = account.get_su_from_accounts()
+        elif asset_id:
+            asset = get_object_or_404(Asset, pk=asset_id)
+            accounts = asset.accounts.all()
+        else:
+            accounts = Account.objects.none()
+        accounts = self.filter_queryset(accounts)
+        serializer = serializers.AccountSerializer(accounts, many=True)
+        return Response(data=serializer.data)
+
+    @action(
+        methods=['get'], detail=False, url_path='username-suggestions',
+        permission_classes=[IsValidUser]
+    )
+    def username_suggestions(self, request, *args, **kwargs):
+        asset_ids = request.query_params.get('assets')
+        node_keys = request.query_params.get('keys')
+        username = request.query_params.get('username')
+
+        assets = Asset.objects.all()
+        if asset_ids:
+            assets = assets.filter(id__in=asset_ids.split(','))
+        if node_keys:
+            patten = Node.get_node_all_children_key_pattern(node_keys.split(','))
+            assets = assets.filter(nodes__key__regex=patten)
+
+        accounts = Account.objects.filter(asset__in=assets)
+        if username:
+            accounts = accounts.filter(username__icontains=username)
+        usernames = list(accounts.values_list('username', flat=True).distinct()[:10])
+        usernames.sort()
+        common = [i for i in usernames if i in usernames if i.lower() in ['root', 'admin', 'administrator']]
+        others = [i for i in usernames if i not in common]
+        usernames = common + others
+        return Response(data=usernames)
+
+    @action(methods=['patch'], detail=False, url_path='clear-secret')
+    def clear_secret(self, request, *args, **kwargs):
+        account_ids = request.data.get('account_ids', [])
+        self.model.objects.filter(id__in=account_ids).update(secret=None)
+        return Response(status=HTTP_200_OK)
+
+
+class AccountSecretsViewSet(RecordViewLogMixin, AccountViewSet):
+    """
+    因为可能要导出所有账号，所以单独建立了一个 viewset
+    """
+    serializer_classes = {
+        'default': serializers.AccountSecretSerializer,
+    }
+    http_method_names = ['get', 'options']
+    permission_classes = [RBACPermission, UserConfirmation.require(ConfirmType.MFA)]
+    rbac_perms = {
+        'list': 'accounts.view_accountsecret',
+        'retrieve': 'accounts.view_accountsecret',
+    }
+
+
+class AssetAccountBulkCreateApi(CreateAPIView):
+    serializer_class = serializers.AssetAccountBulkSerializer
+    rbac_perms = {
+        'POST': 'accounts.add_account',
+    }
+
+    def create(self, request, *args, **kwargs):
+        serializer = self.get_serializer(data=request.data)
+        serializer.is_valid(raise_exception=True)
+        data = serializer.create(serializer.validated_data)
+        serializer = serializers.AssetAccountBulkSerializerResultSerializer(data, many=True)
+        return Response(data=serializer.data, status=HTTP_200_OK)
+
+
+class AccountHistoriesSecretAPI(ExtraFilterFieldsMixin, RecordViewLogMixin, ListAPIView):
+    model = Account.history.model
+    serializer_class = serializers.AccountHistorySerializer
+    http_method_names = ['get', 'options']
+    permission_classes = [RBACPermission, UserConfirmation.require(ConfirmType.MFA)]
+    rbac_perms = {
+        'GET': 'accounts.view_accountsecret',
+    }
+
+    def get_object(self):
+        return get_object_or_404(Account, pk=self.kwargs.get('pk'))
+
+    @staticmethod
+    def filter_spm_queryset(resource_ids, queryset):
+        return queryset.filter(history_id__in=resource_ids)
+
+    def get_queryset(self):
+        account = self.get_object()
+        histories = account.history.all()
+        last_history = account.history.first()
+        if not last_history:
+            return histories
+
+        if account.secret == last_history.secret \
+                and account.secret_type == last_history.secret_type:
+            histories = histories.exclude(history_id=last_history.history_id)
+        return histories

apps/accounts/api/account/task.py

@@ -0,0 +1,49 @@
+from rest_framework.generics import CreateAPIView
+from rest_framework.response import Response
+
+from accounts import serializers
+from accounts.tasks import verify_accounts_connectivity_task, push_accounts_to_assets_task
+from assets.exceptions import NotSupportedTemporarilyError
+
+__all__ = [
+    'AccountsTaskCreateAPI',
+]
+
+
+class AccountsTaskCreateAPI(CreateAPIView):
+    serializer_class = serializers.AccountTaskSerializer
+
+    def check_permissions(self, request):
+        act = request.data.get('action')
+        if act == 'push':
+            code = 'accounts.push_account'
+        else:
+            code = 'accounts.verify_account'
+        return request.user.has_perm(code)
+
+    def perform_create(self, serializer):
+        data = serializer.validated_data
+        accounts = data.get('accounts', [])
+        params = data.get('params')
+        account_ids = [str(a.id) for a in accounts]
+
+        if data['action'] == 'push':
+            task = push_accounts_to_assets_task.delay(account_ids, params)
+        else:
+            account = accounts[0]
+            asset = account.asset
+            if not asset.auto_config['ansible_enabled'] or \
+                    not asset.auto_config['ping_enabled']:
+                raise NotSupportedTemporarilyError()
+            task = verify_accounts_connectivity_task.delay(account_ids)
+
+        data = getattr(serializer, '_data', {})
+        data["task"] = task.id
+        setattr(serializer, '_data', data)
+        return task
+
+    def get_exception_handler(self):
+        def handler(e, context):
+            return Response({"error": str(e)}, status=400)
+
+        return handler

apps/accounts/api/account/template.py

@@ -0,0 +1,68 @@
+from django_filters import rest_framework as drf_filters
+from rest_framework.decorators import action
+from rest_framework.response import Response
+
+from accounts import serializers
+from accounts.models import AccountTemplate
+from assets.const import Protocol
+from common.drf.filters import BaseFilterSet
+from common.permissions import UserConfirmation, ConfirmType
+from common.views.mixins import RecordViewLogMixin
+from orgs.mixins.api import OrgBulkModelViewSet
+from rbac.permissions import RBACPermission
+
+
+class AccountTemplateFilterSet(BaseFilterSet):
+    protocols = drf_filters.CharFilter(method='filter_protocols')
+
+    class Meta:
+        model = AccountTemplate
+        fields = ('username', 'name')
+
+    @staticmethod
+    def filter_protocols(queryset, name, value):
+        secret_types = set()
+        protocols = value.split(',')
+        protocol_secret_type_map = Protocol.settings()
+        for p in protocols:
+            if p not in protocol_secret_type_map:
+                continue
+            _st = protocol_secret_type_map[p].get('secret_types', [])
+            secret_types.update(_st)
+        if not secret_types:
+            secret_types = ['password']
+        queryset = queryset.filter(secret_type__in=secret_types)
+        return queryset
+
+
+class AccountTemplateViewSet(OrgBulkModelViewSet):
+    model = AccountTemplate
+    filterset_class = AccountTemplateFilterSet
+    search_fields = ('username', 'name')
+    serializer_classes = {
+        'default': serializers.AccountTemplateSerializer,
+    }
+    rbac_perms = {
+        'su_from_account_templates': 'accounts.view_accounttemplate',
+    }
+
+    @action(methods=['get'], detail=False, url_path='su-from-account-templates')
+    def su_from_account_templates(self, request, *args, **kwargs):
+        pk = request.query_params.get('template_id')
+        template = AccountTemplate.objects.filter(pk=pk).first()
+        templates = AccountTemplate.get_su_from_account_templates(template)
+        templates = self.filter_queryset(templates)
+        serializer = self.get_serializer(templates, many=True)
+        return Response(data=serializer.data)
+
+
+class AccountTemplateSecretsViewSet(RecordViewLogMixin, AccountTemplateViewSet):
+    serializer_classes = {
+        'default': serializers.AccountTemplateSecretSerializer,
+    }
+    http_method_names = ['get', 'options']
+    permission_classes = [RBACPermission, UserConfirmation.require(ConfirmType.MFA)]
+    rbac_perms = {
+        'list': 'accounts.view_accounttemplatesecret',
+        'retrieve': 'accounts.view_accounttemplatesecret',
+    }

apps/accounts/api/automations/__init__.py

@@ -0,0 +1,5 @@
+from .backup import *
+from .base import *
+from .change_secret import *
+from .gather_accounts import *
+from .push_account import *

apps/accounts/api/automations/backup.py

@@ -3,12 +3,13 @@
 from rest_framework import status, viewsets
 from rest_framework.response import Response
 
-from orgs.mixins.api import OrgBulkModelViewSet
-from .. import serializers
-from ..tasks import execute_account_backup_plan
-from ..models import (
-    AccountBackupPlan, AccountBackupPlanExecution
+from accounts import serializers
+from accounts.models import (
+    AccountBackupAutomation, AccountBackupExecution
 )
+from accounts.tasks import execute_account_backup_task
+from common.const.choices import Trigger
+from orgs.mixins.api import OrgBulkModelViewSet
 
 __all__ = [
     'AccountBackupPlanViewSet', 'AccountBackupPlanExecutionViewSet'
@@ -16,12 +17,11 @@ __all__ = [
 
 
 class AccountBackupPlanViewSet(OrgBulkModelViewSet):
-    model = AccountBackupPlan
+    model = AccountBackupAutomation
     filter_fields = ('name',)
     search_fields = filter_fields
-    ordering_fields = ('name',)
     ordering = ('name',)
-    serializer_class = serializers.AccountBackupPlanSerializer
+    serializer_class = serializers.AccountBackupSerializer
 
 
 class AccountBackupPlanExecutionViewSet(viewsets.ModelViewSet):
@@ -31,19 +31,12 @@ class AccountBackupPlanExecutionViewSet(viewsets.ModelViewSet):
     http_method_names = ['get', 'post', 'options']
 
     def get_queryset(self):
-        queryset = AccountBackupPlanExecution.objects.all()
+        queryset = AccountBackupExecution.objects.all()
         return queryset
 
     def create(self, request, *args, **kwargs):
         serializer = self.get_serializer(data=request.data)
         serializer.is_valid(raise_exception=True)
         pid = serializer.data.get('plan')
-        task = execute_account_backup_plan.delay(
-            pid=pid, trigger=AccountBackupPlanExecution.Trigger.manual
-        )
+        task = execute_account_backup_task.delay(pid=str(pid), trigger=Trigger.manual)
         return Response({'task': task.id}, status=status.HTTP_201_CREATED)
-
-    def filter_queryset(self, queryset):
-        queryset = super().filter_queryset(queryset)
-        queryset = queryset.order_by('-date_start')
-        return queryset

apps/accounts/api/automations/base.py

@@ -0,0 +1,115 @@
+from django.shortcuts import get_object_or_404
+from django.utils.translation import ugettext_lazy as _
+from rest_framework import status, mixins, viewsets
+from rest_framework.response import Response
+
+from accounts.models import AutomationExecution
+from accounts.tasks import execute_account_automation_task
+from assets import serializers
+from assets.models import BaseAutomation
+from common.const.choices import Trigger
+from orgs.mixins import generics
+
+__all__ = [
+    'AutomationAssetsListApi', 'AutomationRemoveAssetApi',
+    'AutomationAddAssetApi', 'AutomationNodeAddRemoveApi',
+    'AutomationExecutionViewSet',
+]
+
+
+class AutomationAssetsListApi(generics.ListAPIView):
+    model = BaseAutomation
+    serializer_class = serializers.AutomationAssetsSerializer
+    filter_fields = ("name", "address")
+    search_fields = filter_fields
+
+    def get_object(self):
+        pk = self.kwargs.get('pk')
+        return get_object_or_404(self.model, pk=pk)
+
+    def get_queryset(self):
+        instance = self.get_object()
+        assets = instance.get_all_assets().only(
+            *self.serializer_class.Meta.only_fields
+        )
+        return assets
+
+
+class AutomationRemoveAssetApi(generics.RetrieveUpdateAPIView):
+    model = BaseAutomation
+    serializer_class = serializers.UpdateAssetSerializer
+
+    def update(self, request, *args, **kwargs):
+        instance = self.get_object()
+        serializer = self.serializer_class(data=request.data)
+
+        if not serializer.is_valid():
+            return Response({'error': serializer.errors})
+
+        assets = serializer.validated_data.get('assets')
+        if assets:
+            instance.assets.remove(*tuple(assets))
+        return Response({'msg': 'ok'})
+
+
+class AutomationAddAssetApi(generics.RetrieveUpdateAPIView):
+    model = BaseAutomation
+    serializer_class = serializers.UpdateAssetSerializer
+
+    def update(self, request, *args, **kwargs):
+        instance = self.get_object()
+        serializer = self.serializer_class(data=request.data)
+        if serializer.is_valid():
+            assets = serializer.validated_data.get('assets')
+            if assets:
+                instance.assets.add(*tuple(assets))
+            return Response({"msg": "ok"})
+        else:
+            return Response({"error": serializer.errors})
+
+
+class AutomationNodeAddRemoveApi(generics.RetrieveUpdateAPIView):
+    model = BaseAutomation
+    serializer_class = serializers.UpdateNodeSerializer
+
+    def update(self, request, *args, **kwargs):
+        action_params = ['add', 'remove']
+        action = request.query_params.get('action')
+        if action not in action_params:
+            err_info = _("The parameter 'action' must be [{}]".format(','.join(action_params)))
+            return Response({"error": err_info})
+
+        instance = self.get_object()
+        serializer = self.serializer_class(data=request.data)
+        if serializer.is_valid():
+            nodes = serializer.validated_data.get('nodes')
+            if nodes:
+                # eg: plan.nodes.add(*tuple(assets))
+                getattr(instance.nodes, action)(*tuple(nodes))
+            return Response({"msg": "ok"})
+        else:
+            return Response({"error": serializer.errors})
+
+
+class AutomationExecutionViewSet(
+    mixins.CreateModelMixin, mixins.ListModelMixin,
+    mixins.RetrieveModelMixin, viewsets.GenericViewSet
+):
+    search_fields = ('trigger',)
+    filterset_fields = ('trigger', 'automation_id')
+    serializer_class = serializers.AutomationExecutionSerializer
+
+    tp: str
+
+    def get_queryset(self):
+        queryset = AutomationExecution.objects.all()
+        return queryset
+
+    def create(self, request, *args, **kwargs):
+        serializer = self.get_serializer(data=request.data)
+        serializer.is_valid(raise_exception=True)
+        automation = serializer.validated_data.get('automation')
+        task = execute_account_automation_task.delay(
+            pid=str(automation.pk), trigger=Trigger.manual, tp=self.tp
+        )
+        return Response({'task': task.id}, status=status.HTTP_201_CREATED)

apps/accounts/api/automations/change_secret.py

@@ -0,0 +1,81 @@
+# -*- coding: utf-8 -*-
+#
+
+from rest_framework import mixins
+
+from accounts import serializers
+from accounts.const import AutomationTypes
+from accounts.models import ChangeSecretAutomation, ChangeSecretRecord, AutomationExecution
+from common.utils import get_object_or_none
+from orgs.mixins.api import OrgBulkModelViewSet, OrgGenericViewSet
+from .base import (
+    AutomationAssetsListApi, AutomationRemoveAssetApi, AutomationAddAssetApi,
+    AutomationNodeAddRemoveApi, AutomationExecutionViewSet
+)
+
+__all__ = [
+    'ChangeSecretAutomationViewSet', 'ChangeSecretRecordViewSet',
+    'ChangSecretExecutionViewSet', 'ChangSecretAssetsListApi',
+    'ChangSecretRemoveAssetApi', 'ChangSecretAddAssetApi',
+    'ChangSecretNodeAddRemoveApi'
+]
+
+
+class ChangeSecretAutomationViewSet(OrgBulkModelViewSet):
+    model = ChangeSecretAutomation
+    filter_fields = ('name', 'secret_type', 'secret_strategy')
+    search_fields = filter_fields
+    serializer_class = serializers.ChangeSecretAutomationSerializer
+
+
+class ChangeSecretRecordViewSet(mixins.ListModelMixin, OrgGenericViewSet):
+    serializer_class = serializers.ChangeSecretRecordSerializer
+    filter_fields = ['asset', 'execution_id']
+    search_fields = ['asset__hostname']
+
+    def get_queryset(self):
+        return ChangeSecretRecord.objects.filter(
+            execution__automation__type=AutomationTypes.change_secret
+        )
+
+    def filter_queryset(self, queryset):
+        queryset = super().filter_queryset(queryset)
+        eid = self.request.query_params.get('execution_id')
+        execution = get_object_or_none(AutomationExecution, pk=eid)
+        if execution:
+            queryset = queryset.filter(execution=execution)
+        return queryset
+
+
+class ChangSecretExecutionViewSet(AutomationExecutionViewSet):
+    rbac_perms = (
+        ("list", "accounts.view_changesecretexecution"),
+        ("retrieve", "accounts.view_changesecretexecution"),
+        ("create", "accounts.add_changesecretexecution"),
+    )
+
+    tp = AutomationTypes.change_secret
+
+    def get_queryset(self):
+        queryset = super().get_queryset()
+        queryset = queryset.filter(automation__type=self.tp)
+        return queryset
+
+
+class ChangSecretAssetsListApi(AutomationAssetsListApi):
+    model = ChangeSecretAutomation
+
+
+class ChangSecretRemoveAssetApi(AutomationRemoveAssetApi):
+    model = ChangeSecretAutomation
+    serializer_class = serializers.ChangeSecretUpdateAssetSerializer
+
+
+class ChangSecretAddAssetApi(AutomationAddAssetApi):
+    model = ChangeSecretAutomation
+    serializer_class = serializers.ChangeSecretUpdateAssetSerializer
+
+
+class ChangSecretNodeAddRemoveApi(AutomationNodeAddRemoveApi):
+    model = ChangeSecretAutomation
+    serializer_class = serializers.ChangeSecretUpdateNodeSerializer

apps/accounts/api/automations/gather_accounts.py

@@ -0,0 +1,59 @@
+# -*- coding: utf-8 -*-
+#
+from rest_framework import status
+from rest_framework.decorators import action
+from rest_framework.response import Response
+
+from accounts import serializers
+from accounts.const import AutomationTypes
+from accounts.filters import GatheredAccountFilterSet
+from accounts.models import GatherAccountsAutomation
+from accounts.models import GatheredAccount
+from orgs.mixins.api import OrgBulkModelViewSet
+from .base import AutomationExecutionViewSet
+
+__all__ = [
+    'GatherAccountsAutomationViewSet', 'GatherAccountsExecutionViewSet',
+    'GatheredAccountViewSet'
+]
+
+
+class GatherAccountsAutomationViewSet(OrgBulkModelViewSet):
+    model = GatherAccountsAutomation
+    filter_fields = ('name',)
+    search_fields = filter_fields
+    serializer_class = serializers.GatherAccountAutomationSerializer
+
+
+class GatherAccountsExecutionViewSet(AutomationExecutionViewSet):
+    rbac_perms = (
+        ("list", "accounts.view_gatheraccountsexecution"),
+        ("retrieve", "accounts.view_gatheraccountsexecution"),
+        ("create", "accounts.add_gatheraccountsexecution"),
+    )
+
+    tp = AutomationTypes.gather_accounts
+
+    def get_queryset(self):
+        queryset = super().get_queryset()
+        queryset = queryset.filter(automation__type=self.tp)
+        return queryset
+
+
+class GatheredAccountViewSet(OrgBulkModelViewSet):
+    model = GatheredAccount
+    search_fields = ('username',)
+    filterset_class = GatheredAccountFilterSet
+    serializer_classes = {
+        'default': serializers.GatheredAccountSerializer,
+    }
+    rbac_perms = {
+        'sync_accounts': 'assets.add_gatheredaccount',
+    }
+
+    @action(methods=['post'], detail=False, url_path='sync-accounts')
+    def sync_accounts(self, request, *args, **kwargs):
+        gathered_account_ids = request.data.get('gathered_account_ids')
+        gathered_accounts = self.model.objects.filter(id__in=gathered_account_ids)
+        self.model.sync_accounts(gathered_accounts)
+        return Response(status=status.HTTP_201_CREATED)

apps/accounts/api/automations/push_account.py

@@ -0,0 +1,68 @@
+# -*- coding: utf-8 -*-
+#
+from accounts import serializers
+from accounts.const import AutomationTypes
+from accounts.models import PushAccountAutomation, ChangeSecretRecord
+from orgs.mixins.api import OrgBulkModelViewSet
+
+from .base import (
+    AutomationAssetsListApi, AutomationRemoveAssetApi, AutomationAddAssetApi,
+    AutomationNodeAddRemoveApi, AutomationExecutionViewSet
+)
+from .change_secret import ChangeSecretRecordViewSet
+
+__all__ = [
+    'PushAccountAutomationViewSet', 'PushAccountAssetsListApi', 'PushAccountRemoveAssetApi',
+    'PushAccountAddAssetApi', 'PushAccountNodeAddRemoveApi', 'PushAccountExecutionViewSet',
+    'PushAccountRecordViewSet'
+]
+
+
+class PushAccountAutomationViewSet(OrgBulkModelViewSet):
+    model = PushAccountAutomation
+    filter_fields = ('name', 'secret_type', 'secret_strategy')
+    search_fields = filter_fields
+    serializer_class = serializers.PushAccountAutomationSerializer
+
+
+class PushAccountExecutionViewSet(AutomationExecutionViewSet):
+    rbac_perms = (
+        ("list", "accounts.view_pushaccountexecution"),
+        ("retrieve", "accounts.view_pushaccountexecution"),
+        ("create", "accounts.add_pushaccountexecution"),
+    )
+
+    tp = AutomationTypes.push_account
+
+    def get_queryset(self):
+        queryset = super().get_queryset()
+        queryset = queryset.filter(automation__type=self.tp)
+        return queryset
+
+
+class PushAccountRecordViewSet(ChangeSecretRecordViewSet):
+    serializer_class = serializers.ChangeSecretRecordSerializer
+
+    def get_queryset(self):
+        return ChangeSecretRecord.objects.filter(
+            execution__automation__type=AutomationTypes.push_account
+        )
+
+
+class PushAccountAssetsListApi(AutomationAssetsListApi):
+    model = PushAccountAutomation
+
+
+class PushAccountRemoveAssetApi(AutomationRemoveAssetApi):
+    model = PushAccountAutomation
+    serializer_class = serializers.PushAccountUpdateAssetSerializer
+
+
+class PushAccountAddAssetApi(AutomationAddAssetApi):
+    model = PushAccountAutomation
+    serializer_class = serializers.PushAccountUpdateAssetSerializer
+
+
+class PushAccountNodeAddRemoveApi(AutomationNodeAddRemoveApi):
+    model = PushAccountAutomation
+    serializer_class = serializers.PushAccountUpdateNodeSerializer

apps/accounts/apps.py

@@ -0,0 +1,11 @@
+from django.apps import AppConfig
+
+
+class AccountsConfig(AppConfig):
+    default_auto_field = 'django.db.models.BigAutoField'
+    name = 'accounts'
+
+    def ready(self):
+        from . import signal_handlers
+        from . import tasks
+        __all__ = signal_handlers

apps/accounts/automations/__init__.py

@@ -0,0 +1,2 @@
+from .endpoint import ExecutionManager
+from .methods import platform_automation_methods

apps/accounts/automations/backup_account/handlers.py

@@ -1,18 +1,16 @@
 import os
 import time
-import pandas as pd
+from openpyxl import Workbook
 from collections import defaultdict, OrderedDict
 
 from django.conf import settings
-from django.utils.translation import ugettext_lazy as _
+from django.db.models import F
 from rest_framework import serializers
 
-from assets.models import AuthBook
-from assets.serializers import AccountSecretSerializer
-from assets.notifications import AccountBackupExecutionTaskMsg
-from applications.models import Account
-from applications.const import AppType
-from applications.serializers import AppAccountSecretSerializer
+from accounts.models import Account
+from assets.const import AllTypes
+from accounts.serializers import AccountSecretSerializer
+from accounts.notifications import AccountBackupExecutionTaskMsg
 from users.models import User
 from common.utils import get_logger
 from common.utils.timezone import local_now_display
@@ -48,78 +46,61 @@ class BaseAccountHandler:
                 _fields = cls.get_header_fields(v)
                 header_fields.update(_fields)
             else:
-                header_fields[field] = v.label
+                header_fields[field] = str(v.label)
         return header_fields
 
     @classmethod
-    def create_row(cls, account, serializer_cls, header_fields=None):
-        serializer = serializer_cls(account)
-        if not header_fields:
-            header_fields = cls.get_header_fields(serializer)
-        data = cls.unpack_data(serializer.data)
+    def create_row(cls, data, header_fields):
+        data = cls.unpack_data(data)
         row_dict = {}
         for field, header_name in header_fields.items():
-            row_dict[header_name] = data[field]
+            row_dict[header_name] = str(data.get(field, field))
         return row_dict
 
+    @classmethod
+    def add_rows(cls, data, header_fields, sheet):
+        data_map = defaultdict(list)
+        for i in data:
+            row = cls.create_row(i, header_fields)
+            if sheet not in data_map:
+                data_map[sheet].append(list(row.keys()))
+            data_map[sheet].append(list(row.values()))
+        return data_map
+
 
 class AssetAccountHandler(BaseAccountHandler):
     @staticmethod
     def get_filename(plan_name):
         filename = os.path.join(
-            PATH, f'{plan_name}-{_("Asset")}-{local_now_display()}-{time.time()}.xlsx'
+            PATH, f'{plan_name}-{local_now_display()}-{time.time()}.xlsx'
         )
         return filename
 
     @classmethod
-    def create_df(cls):
-        df_dict = defaultdict(list)
-        sheet_name = AuthBook._meta.verbose_name
+    def create_data_map(cls, accounts):
+        data_map = defaultdict(list)
 
-        accounts = AuthBook.get_queryset().select_related('systemuser')
-        if not accounts.first():
-            return df_dict
+        if not accounts.exists():
+            return data_map
+
+        type_dict = {}
+        for i in AllTypes.grouped_choices_to_objs():
+            for j in i['children']:
+                type_dict[j['value']] = j['display_name']
 
         header_fields = cls.get_header_fields(AccountSecretSerializer(accounts.first()))
+        account_type_map = defaultdict(list)
         for account in accounts:
-            account.load_auth()
-            row = cls.create_row(account, AccountSecretSerializer, header_fields)
-            df_dict[sheet_name].append(row)
-        for k, v in df_dict.items():
-            df_dict[k] = pd.DataFrame(v)
+            account_type_map[account.type].append(account)
 
-        logger.info('\n\033[33m- 共收集 {} 条资产账号\033[0m'.format(accounts.count()))
-        return df_dict
+        data_map = {}
+        for tp, _accounts in account_type_map.items():
+            sheet_name = type_dict.get(tp, tp)
+            data = AccountSecretSerializer(_accounts, many=True).data
+            data_map.update(cls.add_rows(data, header_fields, sheet_name))
 
-
-class AppAccountHandler(BaseAccountHandler):
-    @staticmethod
-    def get_filename(plan_name):
-        filename = os.path.join(
-            PATH, f'{plan_name}-{_("Application")}-{local_now_display()}-{time.time()}.xlsx'
-        )
-        return filename
-
-    @classmethod
-    def create_df(cls):
-        df_dict = defaultdict(list)
-        accounts = Account.get_queryset().select_related('systemuser')
-        for account in accounts:
-            account.load_auth()
-            app_type = account.type
-            sheet_name = AppType.get_label(app_type)
-            row = cls.create_row(account, AppAccountSecretSerializer)
-            df_dict[sheet_name].append(row)
-        for k, v in df_dict.items():
-            df_dict[k] = pd.DataFrame(v)
-        logger.info('\n\033[33m- 共收集{}条应用账号\033[0m'.format(accounts.count()))
-        return df_dict
-
-
-handler_map = {
-    'asset': AssetAccountHandler,
-    'application': AppAccountHandler
-}
+        logger.info('\n\033[33m- 共备份 {} 条账号\033[0m'.format(accounts.count()))
+        return data_map
 
 
 class AccountBackupHandler:
@@ -137,29 +118,25 @@ class AccountBackupHandler:
         # Print task start date
         time_start = time.time()
         files = []
-        for account_type in self.execution.types:
-            handler = handler_map.get(account_type)
-            if not handler:
-                continue
+        accounts = self.execution.backup_accounts
+        data_map = AssetAccountHandler.create_data_map(accounts)
+        if not data_map:
+            return files
 
-            df_dict = handler.create_df()
-            if not df_dict:
-                continue
+        filename = AssetAccountHandler.get_filename(self.plan_name)
 
-            filename = handler.get_filename(self.plan_name)
-            with pd.ExcelWriter(filename) as w:
-                for sheet, df in df_dict.items():
-                    sheet = sheet.replace(' ', '-')
-                    getattr(df, 'to_excel')(w, sheet_name=sheet, index=False)
-            files.append(filename)
+        wb = Workbook(filename)
+        for sheet, data in data_map.items():
+            ws = wb.create_sheet(str(sheet))
+            for row in data:
+                ws.append(row)
+        wb.save(filename)
+        files.append(filename)
         timedelta = round((time.time() - time_start), 2)
         logger.info('步骤完成: 用时 {}s'.format(timedelta))
         return files
 
-    def send_backup_mail(self, files):
-        recipients = self.execution.plan_snapshot.get('recipients')
-        if not recipients:
-            return
+    def send_backup_mail(self, files, recipients):
         if not files:
             return
         recipients = User.objects.filter(id__in=list(recipients))
@@ -198,8 +175,16 @@ class AccountBackupHandler:
         is_success = False
         error = '-'
         try:
-            files = self.create_excel()
-            self.send_backup_mail(files)
+            recipients = self.execution.plan_snapshot.get('recipients')
+            if not recipients:
+                logger.info(
+                    '\n'
+                    '\033[32m>>> 该备份任务未分配收件人\033[0m'
+                    ''
+                )
+            else:
+                files = self.create_excel()
+                self.send_backup_mail(files, recipients)
         except Exception as e:
             self.is_frozen = True
             logger.error('任务执行被异常中断')

apps/accounts/automations/backup_account/manager.py

@@ -12,7 +12,7 @@ from .handlers import AccountBackupHandler
 logger = get_logger(__name__)
 
 
-class AccountBackupExecutionManager:
+class AccountBackupManager:
     def __init__(self, execution):
         self.execution = execution
         self.date_start = timezone.now()

apps/accounts/automations/base/base_inventory.txt

@@ -0,0 +1,14 @@
+## all connection vars
+hostname asset_name=name asset_type=type asset_primary_protocol=ssh asset_primary_port=22 asset_protocols=[]
+
+## local connection
+hostname ansible_connection=local
+
+## local connection with gateway
+hostname ansible_connection=ssh ansible_user=gateway.username ansible_port=gateway.port ansible_host=gateway.host ansible_ssh_private_key_file=gateway.key
+
+## ssh connection for windows
+hostname ansible_connection=ssh ansible_shell_type=powershell/cmd ansible_user=windows.username ansible_port=windows.port ansible_host=windows.host ansible_ssh_private_key_file=windows.key
+
+## ssh connection
+hostname ansible_user=user ansible_password=pass ansible_host=host ansible_port=port ansible_ssh_private_key_file=key ssh_args="-o StrictHostKeyChecking=no"

apps/accounts/automations/base/manager.py

@@ -0,0 +1,12 @@
+from accounts.automations.methods import platform_automation_methods
+from assets.automations.base.manager import BasePlaybookManager
+from common.utils import get_logger
+
+logger = get_logger(__name__)
+
+
+class AccountBasePlaybookManager(BasePlaybookManager):
+
+    @property
+    def platform_automation_methods(self):
+        return platform_automation_methods

apps/accounts/automations/change_secret/custom/ssh/main.yml

@@ -0,0 +1,40 @@
+- hosts: custom
+  gather_facts: no
+  vars:
+    ansible_connection: local
+
+  tasks:
+    - name: Test privileged account
+      ssh_ping:
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        login_user: "{{ jms_account.username }}"
+        login_password: "{{ jms_account.secret }}"
+        login_secret_type: "{{ jms_account.secret_type }}"
+        login_private_key_path: "{{ jms_account.private_key_path }}"
+      register: ping_info
+
+    - name: Change asset password
+      custom_command:
+        login_user: "{{ jms_account.username }}"
+        login_password: "{{ jms_account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        login_secret_type: "{{ jms_account.secret_type }}"
+        login_private_key_path: "{{ jms_account.private_key_path }}"
+        name: "{{ account.username }}"
+        password: "{{ account.secret }}"
+        commands: "{{ params.commands }}"
+        first_conn_delay_time: "{{ first_conn_delay_time | default(0.5) }}"
+      when: ping_info is succeeded
+      register: change_info
+
+    - name: Verify password
+      ssh_ping:
+        login_user: "{{ account.username }}"
+        login_password: "{{ account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+      when:
+        - ping_info is succeeded
+        - change_info is succeeded

apps/accounts/automations/change_secret/custom/ssh/manifest.yml

@@ -0,0 +1,19 @@
+id: change_secret_by_ssh
+name: "{{ 'SSH account change secret' | trans }}"
+category:
+  - device
+  - host
+type:
+  - all
+method: change_secret
+params:
+  - name: commands
+    type: list
+    label: '自定义命令'
+    default: [ '' ]
+    help_text: '自定义命令中如需包含账号的 账号、密码、SSH 连接的用户密码 字段，<br />请使用 &#123;username&#125;、&#123;password&#125;、&#123;login_password&#125;格式，执行任务时会进行替换 。<br />比如针对 Cisco 主机进行改密，一般需要配置五条命令：<br />1. enable<br />2. &#123;login_password&#125;<br />3. configure terminal<br />4. username &#123;username&#125; privilege 0 password &#123;password&#125; <br />5. end'
+
+i18n:
+  SSH account change secret:
+    zh: SSH 账号改密
+    ja: SSH アカウントのパスワード変更

apps/accounts/automations/change_secret/database/mongodb/main.yml

@@ -0,0 +1,58 @@
+- hosts: mongodb
+  gather_facts: no
+  vars:
+    ansible_python_interpreter: /usr/local/bin/python
+
+  tasks:
+    - name: Test MongoDB connection
+      mongodb_ping:
+        login_user: "{{ jms_account.username }}"
+        login_password: "{{ jms_account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        login_database: "{{ jms_asset.spec_info.db_name }}"
+        ssl: "{{ jms_asset.spec_info.use_ssl }}"
+        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
+        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
+        connection_options:
+          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
+      register: db_info
+
+    - name: Display MongoDB version
+      debug:
+        var: db_info.server_version
+      when: db_info is succeeded
+
+    - name: Change MongoDB password
+      mongodb_user:
+        login_user: "{{ jms_account.username }}"
+        login_password: "{{ jms_account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        login_database: "{{ jms_asset.spec_info.db_name }}"
+        ssl: "{{ jms_asset.spec_info.use_ssl }}"
+        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
+        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
+        connection_options:
+          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
+        db: "{{ jms_asset.spec_info.db_name }}"
+        name: "{{ account.username }}"
+        password: "{{ account.secret }}"
+      when: db_info is succeeded
+      register: change_info
+
+    - name: Verify password
+      mongodb_ping:
+        login_user: "{{ account.username }}"
+        login_password: "{{ account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        login_database: "{{ jms_asset.spec_info.db_name }}"
+        ssl: "{{ jms_asset.spec_info.use_ssl }}"
+        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
+        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
+        connection_options:
+          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
+      when:
+        - db_info is succeeded
+        - change_info is succeeded

apps/accounts/automations/change_secret/database/mongodb/manifest.yml

@@ -0,0 +1,11 @@
+id: change_secret_mongodb
+name: "{{ 'MongoDB account change secret' | trans }}"
+category: database
+type:
+  - mongodb
+method: change_secret
+
+i18n:
+  MongoDB account change secret:
+    zh: MongoDB 账号改密
+    ja: MongoDB アカウントのパスワード変更

apps/accounts/automations/change_secret/database/mysql/main.yml

@@ -0,0 +1,43 @@
+- hosts: mysql
+  gather_facts: no
+  vars:
+    ansible_python_interpreter: /usr/local/bin/python
+    db_name: "{{ jms_asset.spec_info.db_name }}"
+
+  tasks:
+    - name: Test MySQL connection
+      community.mysql.mysql_info:
+        login_user: "{{ jms_account.username }}"
+        login_password: "{{ jms_account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        filter: version
+      register: db_info
+
+    - name: MySQL version
+      debug:
+        var: db_info.version.full
+
+    - name: Change MySQL password
+      community.mysql.mysql_user:
+        login_user: "{{ jms_account.username }}"
+        login_password: "{{ jms_account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        name: "{{ account.username }}"
+        password: "{{ account.secret }}"
+        host: "%"
+        priv: "{{ account.username + '.*:USAGE' if db_name == '' else db_name + '.*:ALL' }}"
+      when: db_info is succeeded
+      register: change_info
+
+    - name: Verify password
+      community.mysql.mysql_info:
+        login_user: "{{ account.username }}"
+        login_password: "{{ account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        filter: version
+      when:
+        - db_info is succeeded
+        - change_info is succeeded

apps/accounts/automations/change_secret/database/mysql/manifest.yml

@@ -0,0 +1,12 @@
+id: change_secret_mysql
+name: "{{ 'MySQL account change secret' | trans }}"
+category: database
+type:
+  - mysql
+  - mariadb
+method: change_secret
+
+i18n:
+  MySQL account change secret:
+    zh: MySQL 账号改密
+    ja: MySQL アカウントのパスワード変更

apps/accounts/automations/change_secret/database/oracle/main.yml

@@ -0,0 +1,44 @@
+- hosts: oracle
+  gather_facts: no
+  vars:
+    ansible_python_interpreter: /usr/local/bin/python
+
+  tasks:
+    - name: Test Oracle connection
+      oracle_ping:
+        login_user: "{{ jms_account.username }}"
+        login_password: "{{ jms_account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        login_database: "{{ jms_asset.spec_info.db_name }}"
+        mode: "{{ jms_account.mode }}"
+      register: db_info
+
+    - name: Display Oracle version
+      debug:
+        var: db_info.server_version
+      when: db_info is succeeded
+
+    - name: Change Oracle password
+      oracle_user:
+        login_user: "{{ jms_account.username }}"
+        login_password: "{{ jms_account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        login_database: "{{ jms_asset.spec_info.db_name }}"
+        mode: "{{ jms_account.mode }}"
+        name: "{{ account.username }}"
+        password: "{{ account.secret }}"
+      when: db_info is succeeded
+      register: change_info
+
+    - name: Verify password
+      oracle_ping:
+        login_user: "{{ account.username }}"
+        login_password: "{{ account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        login_database: "{{ jms_asset.spec_info.db_name }}"
+      when:
+        - db_info is succeeded
+        - change_info is succeeded

apps/accounts/automations/change_secret/database/oracle/manifest.yml

@@ -0,0 +1,11 @@
+id: change_secret_oracle
+name: "{{ 'Oracle account change secret' | trans }}"
+category: database
+type:
+  - oracle
+method: change_secret
+
+i18n:
+  Oracle account change secret:
+    zh: Oracle 账号改密
+    ja: Oracle アカウントのパスワード変更

apps/accounts/automations/change_secret/database/postgresql/main.yml

@@ -0,0 +1,46 @@
+- hosts: postgre
+  gather_facts: no
+  vars:
+    ansible_python_interpreter: /usr/local/bin/python
+
+  tasks:
+    - name: Test PostgreSQL connection
+      community.postgresql.postgresql_ping:
+        login_user: "{{ jms_account.username }}"
+        login_password: "{{ jms_account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        login_db: "{{ jms_asset.spec_info.db_name }}"
+      register: result
+      failed_when: not result.is_available
+
+    - name: Display PostgreSQL version
+      debug:
+        var: result.server_version.full
+      when: result is succeeded
+
+    - name: Change PostgreSQL password
+      community.postgresql.postgresql_user:
+        login_user: "{{ jms_account.username }}"
+        login_password: "{{ jms_account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        db: "{{ jms_asset.spec_info.db_name }}"
+        name: "{{ account.username }}"
+        password: "{{ account.secret }}"
+        role_attr_flags: LOGIN
+      when: result is succeeded
+      register: change_info
+
+    - name: Verify password
+      community.postgresql.postgresql_ping:
+        login_user: "{{ account.username }}"
+        login_password: "{{ account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        db: "{{ jms_asset.spec_info.db_name }}"
+      when:
+        - result is succeeded
+        - change_info is succeeded
+      register: result
+      failed_when: not result.is_available

apps/accounts/automations/change_secret/database/postgresql/manifest.yml

@@ -0,0 +1,11 @@
+id: change_secret_postgresql
+name: "{{ 'PostgreSQL account change secret' | trans }}"
+category: database
+type:
+  - postgresql
+method: change_secret
+
+i18n:
+  PostgreSQL account change secret:
+    zh: PostgreSQL 账号改密
+    ja: PostgreSQL アカウントのパスワード変更

apps/accounts/automations/change_secret/database/sqlserver/main.yml

@@ -0,0 +1,69 @@
+- hosts: sqlserver
+  gather_facts: no
+  vars:
+    ansible_python_interpreter: /usr/local/bin/python
+
+  tasks:
+    - name: Test SQLServer connection
+      community.general.mssql_script:
+        login_user: "{{ jms_account.username }}"
+        login_password: "{{ jms_account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        name: '{{ jms_asset.spec_info.db_name }}'
+        script: |
+          SELECT @@version
+      register: db_info
+
+    - name: SQLServer version
+      set_fact:
+        info:
+          version: "{{ db_info.query_results[0][0][0][0].splitlines()[0] }}"
+    - debug:
+        var: info
+
+    - name: Check whether SQLServer User exist
+      community.general.mssql_script:
+        login_user: "{{ jms_account.username }}"
+        login_password: "{{ jms_account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        name: '{{ jms_asset.spec_info.db_name }}'
+        script: "SELECT 1 from sys.sql_logins WHERE name='{{ account.username }}';"
+      when: db_info is succeeded
+      register: user_exist
+
+    - name: Change SQLServer password
+      community.general.mssql_script:
+        login_user: "{{ jms_account.username }}"
+        login_password: "{{ jms_account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        name: '{{ jms_asset.spec_info.db_name }}'
+        script: "ALTER LOGIN {{ account.username }} WITH PASSWORD = '{{ account.secret }}'; select @@version"
+      when: user_exist.query_results[0] | length != 0
+      register: change_info
+
+    - name: Add SQLServer user
+      community.general.mssql_script:
+        login_user: "{{ jms_account.username }}"
+        login_password: "{{ jms_account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        name: '{{ jms_asset.spec_info.db_name }}'
+        script: "CREATE LOGIN {{ account.username }} WITH PASSWORD = '{{ account.secret }}'; select @@version"
+      when: user_exist.query_results[0] | length == 0
+      register: change_info
+
+    - name: Verify password
+      community.general.mssql_script:
+        login_user: "{{ account.username }}"
+        login_password: "{{ account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        name: '{{ jms_asset.spec_info.db_name }}'
+        script: |
+          SELECT @@version
+      when:
+        - db_info is succeeded
+        - change_info is succeeded

apps/accounts/automations/change_secret/database/sqlserver/manifest.yml

@@ -0,0 +1,11 @@
+id: change_secret_sqlserver
+name: "{{ 'SQLServer account change secret' | trans }}"
+category: database
+type:
+  - sqlserver
+method: change_secret
+
+i18n:
+  SQLServer account change secret:
+    zh: SQLServer 账号改密
+    ja: SQLServer アカウントのパスワード変更

apps/accounts/automations/change_secret/demo_inventory.txt

@@ -0,0 +1,2 @@
+# all base inventory in base/base_inventory.txt
+asset_name(ip)_account_username account={"username": "", "password": "xxx"} ...base_inventory_vars

apps/accounts/automations/change_secret/host/aix/main.yml

@@ -0,0 +1,55 @@
+- hosts: demo
+  gather_facts: no
+  tasks:
+    - name: Test privileged account
+      ansible.builtin.ping:
+
+    - name: Change password
+      ansible.builtin.user:
+        name: "{{ account.username }}"
+        password: "{{ account.secret | password_hash('des') }}"
+        update_password: always
+      ignore_errors: true
+      when: account.secret_type == "password"
+
+    - name: create user If it already exists, no operation will be performed
+      ansible.builtin.user:
+        name: "{{ account.username }}"
+      when: account.secret_type == "ssh_key"
+
+    - name: remove jumpserver ssh key
+      ansible.builtin.lineinfile:
+        dest: "{{ ssh_params.dest }}"
+        regexp: "{{ ssh_params.regexp }}"
+        state: absent
+      when:
+      - account.secret_type == "ssh_key"
+      - ssh_params.strategy == "set_jms"
+
+    - name: Change SSH key
+      ansible.builtin.authorized_key:
+        user: "{{ account.username }}"
+        key: "{{ account.secret }}"
+        exclusive: "{{ ssh_params.exclusive }}"
+      when: account.secret_type == "ssh_key"
+
+    - name: Refresh connection
+      ansible.builtin.meta: reset_connection
+
+    - name: Verify password
+      ansible.builtin.ping:
+      become: no
+      vars:
+        ansible_user: "{{ account.username }}"
+        ansible_password: "{{ account.secret }}"
+        ansible_become: no
+      when: account.secret_type == "password"
+
+    - name: Verify SSH key
+      ansible.builtin.ping:
+      become: no
+      vars:
+        ansible_user: "{{ account.username }}"
+        ansible_ssh_private_key_file: "{{ account.private_key_path }}"
+        ansible_become: no
+      when: account.secret_type == "ssh_key"

apps/accounts/automations/change_secret/host/aix/manifest.yml

@@ -0,0 +1,11 @@
+id: change_secret_aix
+name: "{{ 'AIX account change secret' | trans }}"
+category: host
+type:
+  - AIX
+method: change_secret
+
+i18n:
+  AIX account change secret:
+    zh: AIX 账号改密
+    ja: AIX アカウントのパスワード変更

apps/accounts/automations/change_secret/host/posix/main.yml

@@ -0,0 +1,55 @@
+- hosts: demo
+  gather_facts: no
+  tasks:
+    - name: Test privileged account
+      ansible.builtin.ping:
+
+    - name: Change password
+      ansible.builtin.user:
+        name: "{{ account.username }}"
+        password: "{{ account.secret | password_hash('sha512') }}"
+        update_password: always
+      ignore_errors: true
+      when: account.secret_type == "password"
+
+    - name: create user If it already exists, no operation will be performed
+      ansible.builtin.user:
+        name: "{{ account.username }}"
+      when: account.secret_type == "ssh_key"
+
+    - name: remove jumpserver ssh key
+      ansible.builtin.lineinfile:
+        dest: "{{ ssh_params.dest }}"
+        regexp: "{{ ssh_params.regexp }}"
+        state: absent
+      when:
+        - account.secret_type == "ssh_key"
+        - ssh_params.strategy == "set_jms"
+
+    - name: Change SSH key
+      ansible.builtin.authorized_key:
+        user: "{{ account.username }}"
+        key: "{{ account.secret }}"
+        exclusive: "{{ ssh_params.exclusive }}"
+      when: account.secret_type == "ssh_key"
+
+    - name: Refresh connection
+      ansible.builtin.meta: reset_connection
+
+    - name: Verify password
+      ansible.builtin.ping:
+      become: no
+      vars:
+        ansible_user: "{{ account.username }}"
+        ansible_password: "{{ account.secret }}"
+        ansible_become: no
+      when: account.secret_type == "password"
+
+    - name: Verify SSH key
+      ansible.builtin.ping:
+      become: no
+      vars:
+        ansible_user: "{{ account.username }}"
+        ansible_ssh_private_key_file: "{{ account.private_key_path }}"
+        ansible_become: no
+      when: account.secret_type == "ssh_key"

apps/accounts/automations/change_secret/host/posix/manifest.yml

@@ -0,0 +1,12 @@
+id: change_secret_posix
+name: "{{ 'Posix account change secret' | trans }}"
+category: host
+type:
+  - unix
+  - linux
+method: change_secret
+
+i18n:
+  Posix account change secret:
+    zh: Posix 账号改密
+    ja: Posix アカウントのパスワード変更

apps/accounts/automations/change_secret/host/windows/main.yml

@@ -0,0 +1,35 @@
+- hosts: demo
+  gather_facts: no
+  tasks:
+    - name: Test privileged account
+      ansible.windows.win_ping:
+
+#    - name: Print variables
+#      debug:
+#        msg: "Username: {{ account.username }}, Password: {{ account.secret }}"
+
+
+    - name: Get groups of a Windows user
+      ansible.windows.win_user:
+        name: "{{ jms_account.username }}"
+      register: user_info
+
+    - name: Change password
+      ansible.windows.win_user:
+        name: "{{ account.username }}"
+        password: "{{ account.secret }}"
+        groups: "{{ user_info.groups[0].name }}"
+        groups_action: add
+        update_password: always
+      ignore_errors: true
+      when: account.secret_type == "password"
+
+    - name: Refresh connection
+      ansible.builtin.meta: reset_connection
+
+    - name: Verify password
+      ansible.windows.win_ping:
+      vars:
+        ansible_user: "{{ account.username }}"
+        ansible_password: "{{ account.secret }}"
+      when: account.secret_type == "password"

apps/accounts/automations/change_secret/host/windows/manifest.yml

@@ -0,0 +1,12 @@
+id: change_secret_local_windows
+name: "{{ 'Windows account change secret' | trans }}"
+version: 1
+method: change_secret
+category: host
+type:
+  - windows
+
+i18n:
+  Windows account change secret:
+    zh: Windows 账号改密
+    ja: Windows アカウントのパスワード変更

apps/accounts/automations/change_secret/manager.py

@@ -0,0 +1,229 @@
+import os
+import time
+from collections import defaultdict
+from copy import deepcopy
+
+from django.conf import settings
+from django.utils import timezone
+from openpyxl import Workbook
+
+from accounts.const import AutomationTypes, SecretType, SSHKeyStrategy, SecretStrategy
+from accounts.models import ChangeSecretRecord
+from accounts.notifications import ChangeSecretExecutionTaskMsg
+from accounts.serializers import ChangeSecretRecordBackUpSerializer
+from assets.const import HostTypes
+from common.utils import get_logger
+from common.utils.file import encrypt_and_compress_zip_file
+from common.utils.timezone import local_now_display
+from users.models import User
+from ..base.manager import AccountBasePlaybookManager
+from ...utils import SecretGenerator
+
+logger = get_logger(__name__)
+
+
+class ChangeSecretManager(AccountBasePlaybookManager):
+    ansible_account_prefer = ''
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.method_hosts_mapper = defaultdict(list)
+        self.secret_type = self.execution.snapshot.get('secret_type')
+        self.secret_strategy = self.execution.snapshot.get(
+            'secret_strategy', SecretStrategy.custom
+        )
+        self.ssh_key_change_strategy = self.execution.snapshot.get(
+            'ssh_key_change_strategy', SSHKeyStrategy.add
+        )
+        self.account_ids = self.execution.snapshot['accounts']
+        self.name_recorder_mapper = {}  # 做个映射，方便后面处理
+
+    @classmethod
+    def method_type(cls):
+        return AutomationTypes.change_secret
+
+    def get_ssh_params(self, account, secret, secret_type):
+        kwargs = {}
+        if secret_type != SecretType.SSH_KEY:
+            return kwargs
+        kwargs['strategy'] = self.ssh_key_change_strategy
+        kwargs['exclusive'] = 'yes' if kwargs['strategy'] == SSHKeyStrategy.set else 'no'
+
+        if kwargs['strategy'] == SSHKeyStrategy.set_jms:
+            kwargs['dest'] = '/home/{}/.ssh/authorized_keys'.format(account.username)
+            kwargs['regexp'] = '.*{}$'.format(secret.split()[2].strip())
+        return kwargs
+
+    def secret_generator(self, secret_type):
+        return SecretGenerator(
+            self.secret_strategy, secret_type,
+            self.execution.snapshot.get('password_rules')
+        )
+
+    def get_secret(self, secret_type):
+        if self.secret_strategy == SecretStrategy.custom:
+            return self.execution.snapshot['secret']
+        else:
+            return self.secret_generator(secret_type).get_secret()
+
+    def get_accounts(self, privilege_account):
+        if not privilege_account:
+            print(f'not privilege account')
+            return []
+
+        asset = privilege_account.asset
+        accounts = asset.accounts.all()
+        accounts = accounts.filter(id__in=self.account_ids)
+        if self.secret_type:
+            accounts = accounts.filter(secret_type=self.secret_type)
+
+        if settings.CHANGE_AUTH_PLAN_SECURE_MODE_ENABLED:
+            accounts = accounts.filter(privileged=False).exclude(
+                username__in=['root', 'administrator', privilege_account.username]
+            )
+        return accounts
+
+    def host_callback(
+            self, host, asset=None, account=None,
+            automation=None, path_dir=None, **kwargs
+    ):
+        host = super().host_callback(
+            host, asset=asset, account=account, automation=automation,
+            path_dir=path_dir, **kwargs
+        )
+        if host.get('error'):
+            return host
+
+        accounts = self.get_accounts(account)
+        if not accounts:
+            print('没有发现待改密账号: %s 用户ID: %s 类型: %s' % (
+                asset.name, self.account_ids, self.secret_type
+            ))
+            return []
+
+        method_attr = getattr(automation, self.method_type() + '_method')
+        method_hosts = self.method_hosts_mapper[method_attr]
+        method_hosts = [h for h in method_hosts if h != host['name']]
+        inventory_hosts = []
+        records = []
+
+        if asset.type == HostTypes.WINDOWS and self.secret_type == SecretType.SSH_KEY:
+            print(f'Windows {asset} does not support ssh key push')
+            return inventory_hosts
+
+        host['ssh_params'] = {}
+        for account in accounts:
+            h = deepcopy(host)
+            secret_type = account.secret_type
+            h['name'] += '(' + account.username + ')'
+            new_secret = self.get_secret(secret_type)
+
+            recorder = ChangeSecretRecord(
+                asset=asset, account=account, execution=self.execution,
+                old_secret=account.secret, new_secret=new_secret,
+            )
+            records.append(recorder)
+            self.name_recorder_mapper[h['name']] = recorder
+
+            private_key_path = None
+            if secret_type == SecretType.SSH_KEY:
+                private_key_path = self.generate_private_key_path(new_secret, path_dir)
+                new_secret = self.generate_public_key(new_secret)
+
+            h['ssh_params'].update(self.get_ssh_params(account, new_secret, secret_type))
+            h['account'] = {
+                'name': account.name,
+                'username': account.username,
+                'secret_type': secret_type,
+                'secret': new_secret,
+                'private_key_path': private_key_path
+            }
+            if asset.platform.type == 'oracle':
+                h['account']['mode'] = 'sysdba' if account.privileged else None
+            inventory_hosts.append(h)
+            method_hosts.append(h['name'])
+        self.method_hosts_mapper[method_attr] = method_hosts
+        ChangeSecretRecord.objects.bulk_create(records)
+        return inventory_hosts
+
+    def on_host_success(self, host, result):
+        recorder = self.name_recorder_mapper.get(host)
+        if not recorder:
+            return
+        recorder.status = 'success'
+        recorder.date_finished = timezone.now()
+        recorder.save()
+        account = recorder.account
+        if not account:
+            print("Account not found, deleted ?")
+            return
+        account.secret = recorder.new_secret
+        account.save(update_fields=['secret'])
+
+    def on_host_error(self, host, error, result):
+        recorder = self.name_recorder_mapper.get(host)
+        if not recorder:
+            return
+        recorder.status = 'failed'
+        recorder.date_finished = timezone.now()
+        recorder.error = error
+        recorder.save()
+
+    def on_runner_failed(self, runner, e):
+        logger.error("Change secret error: ", e)
+
+    def check_secret(self):
+        if self.secret_strategy == SecretStrategy.custom \
+                and not self.execution.snapshot['secret']:
+            print('Custom secret is empty')
+            return False
+        return True
+
+    def run(self, *args, **kwargs):
+        if not self.check_secret():
+            return
+        super().run(*args, **kwargs)
+        recorders = self.name_recorder_mapper.values()
+        recorders = list(recorders)
+        self.send_recorder_mail(recorders)
+
+    def send_recorder_mail(self, recorders):
+        recipients = self.execution.recipients
+        if not recorders or not recipients:
+            return
+
+        recipients = User.objects.filter(id__in=list(recipients.keys()))
+
+        name = self.execution.snapshot['name']
+        path = os.path.join(os.path.dirname(settings.BASE_DIR), 'tmp')
+        filename = os.path.join(path, f'{name}-{local_now_display()}-{time.time()}.xlsx')
+        if not self.create_file(recorders, filename):
+            return
+
+        for user in recipients:
+            attachments = []
+            if user.secret_key:
+                password = user.secret_key.encode('utf8')
+                attachment = os.path.join(path, f'{name}-{local_now_display()}-{time.time()}.zip')
+                encrypt_and_compress_zip_file(attachment, password, [filename])
+                attachments = [attachment]
+            ChangeSecretExecutionTaskMsg(name, user).publish(attachments)
+        os.remove(filename)
+
+    @staticmethod
+    def create_file(recorders, filename):
+        serializer_cls = ChangeSecretRecordBackUpSerializer
+        serializer = serializer_cls(recorders, many=True)
+
+        header = [str(v.label) for v in serializer.child.fields.values()]
+        rows = [[str(i) for i in row.values()] for row in serializer.data]
+        if not rows:
+            return False
+
+        rows.insert(0, header)
+        wb = Workbook(filename)
+        ws = wb.create_sheet('Sheet1')
+        for row in rows:
+            ws.append(row)
+        wb.save(filename)
+        return True

apps/accounts/automations/endpoint.py

@@ -0,0 +1,26 @@
+from .push_account.manager import PushAccountManager
+from .change_secret.manager import ChangeSecretManager
+from .verify_account.manager import VerifyAccountManager
+from .backup_account.manager import AccountBackupManager
+from .gather_accounts.manager import GatherAccountsManager
+from .verify_gateway_account.manager import VerifyGatewayAccountManager
+from ..const import AutomationTypes
+
+
+class ExecutionManager:
+    manager_type_mapper = {
+        AutomationTypes.push_account: PushAccountManager,
+        AutomationTypes.change_secret: ChangeSecretManager,
+        AutomationTypes.verify_account: VerifyAccountManager,
+        AutomationTypes.gather_accounts: GatherAccountsManager,
+        AutomationTypes.verify_gateway_account: VerifyGatewayAccountManager,
+        # TODO 后期迁移到自动化策略中
+        'backup_account': AccountBackupManager,
+    }
+
+    def __init__(self, execution):
+        self.execution = execution
+        self._runner = self.manager_type_mapper[execution.manager_type](execution)
+
+    def run(self, *args, **kwargs):
+        return self._runner.run(*args, **kwargs)

apps/accounts/automations/gather_accounts/database/mongodb/main.yml

@@ -0,0 +1,27 @@
+- hosts: mongodb
+  gather_facts: no
+  vars:
+    ansible_python_interpreter: /usr/local/bin/python
+
+  tasks:
+    - name: Get info
+      community.mongodb.mongodb_info:
+        login_user: "{{ jms_account.username }}"
+        login_password: "{{ jms_account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        login_database: "{{ jms_asset.spec_info.db_name }}"
+        ssl: "{{ jms_asset.spec_info.use_ssl }}"
+        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
+        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
+        connection_options:
+          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
+        filter: users
+      register: db_info
+
+    - name: Define info by set_fact
+      set_fact:
+        info: "{{ db_info.users }}"
+
+    - debug:
+        var: info

apps/accounts/automations/gather_accounts/database/mongodb/manifest.yml

@@ -0,0 +1,11 @@
+id: gather_accounts_mongodb
+name: "{{ 'MongoDB account gather' | trans }}"
+category: database
+type:
+  - mongodb
+method: gather_accounts
+
+i18n:
+  MongoDB account gather:
+    zh: MongoDB 账号收集
+    ja: MongoDB アカウントの収集

apps/accounts/automations/gather_accounts/database/mysql/main.yml

@@ -0,0 +1,21 @@
+- hosts: mysql
+  gather_facts: no
+  vars:
+    ansible_python_interpreter: /usr/local/bin/python
+
+  tasks:
+    - name: Get info
+      community.mysql.mysql_info:
+        login_user: "{{ jms_account.username }}"
+        login_password: "{{ jms_account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        filter: users
+      register: db_info
+
+    - name: Define info by set_fact
+      set_fact:
+        info: "{{ db_info.users }}"
+
+    - debug:
+        var: info

apps/accounts/automations/gather_accounts/database/mysql/manifest.yml

@@ -0,0 +1,12 @@
+id: gather_accounts_mysql
+name: "{{ 'MySQL account gather' | trans }}"
+category: database
+type:
+  - mysql
+  - mariadb
+method: gather_accounts
+
+i18n:
+  MySQL account gather:
+    zh: MySQL 账号收集
+    ja: MySQL アカウントの収集

apps/accounts/automations/gather_accounts/database/oracle/main.yml

@@ -0,0 +1,23 @@
+- hosts: oralce
+  gather_facts: no
+  vars:
+    ansible_python_interpreter: /usr/local/bin/python
+
+  tasks:
+    - name: Get info
+      oracle_info:
+        login_user: "{{ jms_account.username }}"
+        login_password: "{{ jms_account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        login_database: "{{ jms_asset.spec_info.db_name }}"
+        mode: "{{ jms_account.mode }}"
+        filter: users
+      register: db_info
+
+    - name: Define info by set_fact
+      set_fact:
+        info: "{{ db_info.users }}"
+
+    - debug:
+        var: info

apps/accounts/automations/gather_accounts/database/oracle/manifest.yml

@@ -0,0 +1,11 @@
+id: gather_accounts_oracle
+name: "{{ 'Oracle account gather' | trans }}"
+category: database
+type:
+  - oracle
+method: gather_accounts
+
+i18n:
+  Oracle account gather:
+    zh: Oracle 账号收集
+    ja: Oracle アカウントの収集

apps/accounts/automations/gather_accounts/database/postgresql/main.yml

@@ -0,0 +1,22 @@
+- hosts: postgresql
+  gather_facts: no
+  vars:
+    ansible_python_interpreter: /usr/local/bin/python
+
+  tasks:
+    - name: Get info
+      community.postgresql.postgresql_info:
+        login_user: "{{ jms_account.username }}"
+        login_password: "{{ jms_account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        login_db: "{{ jms_asset.spec_info.db_name }}"
+        filter: "roles"
+      register: db_info
+
+    - name: Define info by set_fact
+      set_fact:
+        info: "{{ db_info.roles }}"
+
+    - debug:
+        var: info

apps/accounts/automations/gather_accounts/database/postgresql/manifest.yml

@@ -0,0 +1,11 @@
+id: gather_accounts_postgresql
+name: "{{ 'PostgreSQL account gather' | trans }}"
+category: database
+type:
+  - postgresql
+method: gather_accounts
+
+i18n:
+  PostgreSQL account gather:
+    zh: PostgreSQL 账号收集
+    ja: PostgreSQL アカウントの収集

apps/accounts/automations/gather_accounts/filter.py

@@ -0,0 +1,74 @@
+import re
+
+from django.utils import timezone
+
+__all__ = ['GatherAccountsFilter']
+
+
+# TODO 后期会挪到playbook中
+class GatherAccountsFilter:
+
+    def __init__(self, tp):
+        self.tp = tp
+
+    @staticmethod
+    def mysql_filter(info):
+        result = {}
+        for _, user_dict in info.items():
+            for username, _ in user_dict.items():
+                if len(username.split('.')) == 1:
+                    result[username] = {}
+        return result
+
+    @staticmethod
+    def postgresql_filter(info):
+        result = {}
+        for username in info:
+            result[username] = {}
+        return result
+
+    @staticmethod
+    def posix_filter(info):
+        username_pattern = re.compile(r'^(\S+)')
+        ip_pattern = re.compile(r'(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})')
+        login_time_pattern = re.compile(r'\w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}')
+        result = {}
+        for line in info:
+            usernames = username_pattern.findall(line)
+            username = ''.join(usernames)
+            if username:
+                result[username] = {}
+            else:
+                continue
+            ip_addrs = ip_pattern.findall(line)
+            ip_addr = ''.join(ip_addrs)
+            if ip_addr:
+                result[username].update({'address': ip_addr})
+            login_times = login_time_pattern.findall(line)
+            if login_times:
+                date = timezone.datetime.strptime(f'{login_times[0]} +0800', '%b %d %H:%M:%S %Y %z')
+                result[username].update({'date': date})
+        return result
+
+    @staticmethod
+    def windows_filter(info):
+        info = info[4:-2]
+        result = {}
+        for i in info:
+            for username in i.split():
+                result[username] = {}
+        return result
+
+    def run(self, method_id_meta_mapper, info):
+        run_method_name = None
+        for k, v in method_id_meta_mapper.items():
+            if self.tp not in v['type']:
+                continue
+            run_method_name = k.replace(f'{v["method"]}_', '')
+
+        if not run_method_name:
+            return info
+
+        if hasattr(self, f'{run_method_name}_filter'):
+            return getattr(self, f'{run_method_name}_filter')(info)
+        return info

apps/accounts/automations/gather_accounts/host/posix/main.yml

@@ -0,0 +1,21 @@
+- hosts: demo
+  gather_facts: no
+  tasks:
+    - name: Gather posix account
+      ansible.builtin.shell:
+        cmd: >
+          users=$(getent passwd | grep -v nologin | grep -v shutdown | awk -F":" '{ print $1 }');for i in $users;
+          do k=$(last -w -F $i -1 | head -1 | grep -v ^$ | awk '{ print $0 }')
+            if [ -n "$k" ]; then
+              echo $k
+            else
+              echo $i
+            fi;done
+      register: result
+
+    - name: Define info by set_fact
+      ansible.builtin.set_fact:
+        info: "{{ result.stdout_lines }}"
+
+    - debug:
+        var: info

apps/accounts/automations/gather_accounts/host/posix/manifest.yml

@@ -0,0 +1,12 @@
+id: gather_accounts_posix
+name: "{{ 'Posix account gather' | trans }}"
+category: host
+type:
+  - linux
+  - unix
+method: gather_accounts
+
+i18n:
+  Posix account gather:
+    zh: Posix 账号收集
+    ja: Posix アカウントの収集

apps/accounts/automations/gather_accounts/host/windows/main.yml

@@ -0,0 +1,13 @@
+- hosts: demo
+  gather_facts: no
+  tasks:
+    - name: Gather posix account
+      ansible.builtin.win_shell: net user
+      register: result
+
+    - name: Define info by set_fact
+      ansible.builtin.set_fact:
+        info: "{{ result.stdout_lines }}"
+
+    - debug:
+        var: info

apps/accounts/automations/gather_accounts/host/windows/manifest.yml

@@ -0,0 +1,12 @@
+id: gather_accounts_windows
+name: "{{ 'Windows account gather' | trans }}"
+version: 1
+method: gather_accounts
+category: host
+type:
+  - windows
+
+i18n:
+  Windows account gather:
+    zh: Windows 账号收集
+    ja: Windows アカウントの収集

apps/accounts/automations/gather_accounts/manager.py

@@ -0,0 +1,63 @@
+from accounts.const import AutomationTypes
+from accounts.models import GatheredAccount
+from common.utils import get_logger
+from orgs.utils import tmp_to_org
+from .filter import GatherAccountsFilter
+from ..base.manager import AccountBasePlaybookManager
+
+logger = get_logger(__name__)
+
+
+class GatherAccountsManager(AccountBasePlaybookManager):
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.host_asset_mapper = {}
+        self.is_sync_account = self.execution.snapshot.get('is_sync_account')
+
+    @classmethod
+    def method_type(cls):
+        return AutomationTypes.gather_accounts
+
+    def host_callback(self, host, asset=None, **kwargs):
+        super().host_callback(host, asset=asset, **kwargs)
+        self.host_asset_mapper[host['name']] = asset
+        return host
+
+    def filter_success_result(self, tp, result):
+        result = GatherAccountsFilter(tp).run(self.method_id_meta_mapper, result)
+        return result
+    @staticmethod
+    def generate_data(asset, result):
+        data = []
+        for username, info in result.items():
+            d = {'asset': asset, 'username': username, 'present': True}
+            if info.get('date'):
+                d['date_last_login'] = info['date']
+            if info.get('address'):
+                d['address_last_login'] = info['address'][:32]
+            data.append(d)
+        return data
+
+    def update_or_create_accounts(self, asset, result):
+        data = self.generate_data(asset, result)
+        with tmp_to_org(asset.org_id):
+            gathered_accounts = []
+            GatheredAccount.objects.filter(asset=asset, present=True).update(present=False)
+            for d in data:
+                username = d['username']
+                gathered_account, __ = GatheredAccount.objects.update_or_create(
+                    defaults=d, asset=asset, username=username,
+                )
+                gathered_accounts.append(gathered_account)
+            if not self.is_sync_account:
+                return
+            GatheredAccount.sync_accounts(gathered_accounts)
+
+    def on_host_success(self, host, result):
+        info = result.get('debug', {}).get('res', {}).get('info', {})
+        asset = self.host_asset_mapper.get(host)
+        if asset and info:
+            result = self.filter_success_result(asset.type, info)
+            self.update_or_create_accounts(asset, result)
+        else:
+            logger.error("Not found info".format(host))

apps/accounts/automations/methods.py

@@ -0,0 +1,6 @@
+import os
+
+from assets.automations.methods import get_platform_automation_methods
+
+BASE_DIR = os.path.dirname(os.path.abspath(__file__))
+platform_automation_methods = get_platform_automation_methods(BASE_DIR)

apps/accounts/automations/push_account/database/mongodb/main.yml

@@ -0,0 +1,58 @@
+- hosts: mongodb
+  gather_facts: no
+  vars:
+    ansible_python_interpreter: /usr/local/bin/python
+
+  tasks:
+    - name: Test MongoDB connection
+      mongodb_ping:
+        login_user: "{{ jms_account.username }}"
+        login_password: "{{ jms_account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        login_database: "{{ jms_asset.spec_info.db_name }}"
+        ssl: "{{ jms_asset.spec_info.use_ssl }}"
+        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
+        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
+        connection_options:
+          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
+      register: db_info
+
+    - name: Display MongoDB version
+      debug:
+        var: db_info.server_version
+      when: db_info is succeeded
+
+    - name: Change MongoDB password
+      mongodb_user:
+        login_user: "{{ jms_account.username }}"
+        login_password: "{{ jms_account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        login_database: "{{ jms_asset.spec_info.db_name }}"
+        ssl: "{{ jms_asset.spec_info.use_ssl }}"
+        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
+        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
+        connection_options:
+          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
+        db: "{{ jms_asset.spec_info.db_name }}"
+        name: "{{ account.username }}"
+        password: "{{ account.secret }}"
+      when: db_info is succeeded
+      register: change_info
+
+    - name: Verify password
+      mongodb_ping:
+        login_user: "{{ account.username }}"
+        login_password: "{{ account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        login_database: "{{ jms_asset.spec_info.db_name }}"
+        ssl: "{{ jms_asset.spec_info.use_ssl }}"
+        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
+        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
+        connection_options:
+          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
+      when:
+        - db_info is succeeded
+        - change_info is succeeded

apps/accounts/automations/push_account/database/mongodb/manifest.yml

@@ -0,0 +1,11 @@
+id: push_account_mongodb
+name: "{{ 'MongoDB account push' | trans }}"
+category: database
+type:
+  - mongodb
+method: push_account
+
+i18n:
+  MongoDB account push:
+    zh: MongoDB 账号推送
+    ja: MongoDB アカウントのプッシュ

apps/accounts/automations/push_account/database/mysql/main.yml

@@ -0,0 +1,43 @@
+- hosts: mysql
+  gather_facts: no
+  vars:
+    ansible_python_interpreter: /usr/local/bin/python
+    db_name: "{{ jms_asset.spec_info.db_name }}"
+
+  tasks:
+    - name: Test MySQL connection
+      community.mysql.mysql_info:
+        login_user: "{{ jms_account.username }}"
+        login_password: "{{ jms_account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        filter: version
+      register: db_info
+
+    - name: MySQL version
+      debug:
+        var: db_info.version.full
+
+    - name: Change MySQL password
+      community.mysql.mysql_user:
+        login_user: "{{ jms_account.username }}"
+        login_password: "{{ jms_account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        name: "{{ account.username }}"
+        password: "{{ account.secret }}"
+        host: "%"
+        priv: "{{ account.username + '.*:USAGE' if db_name == '' else db_name + '.*:ALL' }}"
+      when: db_info is succeeded
+      register: change_info
+
+    - name: Verify password
+      community.mysql.mysql_info:
+        login_user: "{{ account.username }}"
+        login_password: "{{ account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        filter: version
+      when:
+        - db_info is succeeded
+        - change_info is succeeded

apps/accounts/automations/push_account/database/mysql/manifest.yml

@@ -0,0 +1,12 @@
+id: push_account_mysql
+name: "{{ 'MySQL account push' | trans }}"
+category: database
+type:
+  - mysql
+  - mariadb
+method: push_account
+
+i18n:
+  MySQL account push:
+    zh: MySQL 账号推送
+    ja: MySQL アカウントのプッシュ

apps/accounts/automations/push_account/database/oracle/main.yml

@@ -0,0 +1,44 @@
+- hosts: oracle
+  gather_facts: no
+  vars:
+    ansible_python_interpreter: /usr/local/bin/python
+
+  tasks:
+    - name: Test Oracle connection
+      oracle_ping:
+        login_user: "{{ jms_account.username }}"
+        login_password: "{{ jms_account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        login_database: "{{ jms_asset.spec_info.db_name }}"
+        mode: "{{ jms_account.mode }}"
+      register: db_info
+
+    - name: Display Oracle version
+      debug:
+        var: db_info.server_version
+      when: db_info is succeeded
+
+    - name: Change Oracle password
+      oracle_user:
+        login_user: "{{ jms_account.username }}"
+        login_password: "{{ jms_account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        login_database: "{{ jms_asset.spec_info.db_name }}"
+        mode: "{{ jms_account.mode }}"
+        name: "{{ account.username }}"
+        password: "{{ account.secret }}"
+      when: db_info is succeeded
+      register: change_info
+
+    - name: Verify password
+      oracle_ping:
+        login_user: "{{ account.username }}"
+        login_password: "{{ account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        login_database: "{{ jms_asset.spec_info.db_name }}"
+      when:
+        - db_info is succeeded
+        - change_info is succeeded

apps/accounts/automations/push_account/database/oracle/manifest.yml

@@ -0,0 +1,11 @@
+id: push_account_oracle
+name: "{{ 'Oracle account push' | trans }}"
+category: database
+type:
+  - oracle
+method: push_account
+
+i18n:
+  Oracle account push:
+    zh: Oracle 账号推送
+    ja: Oracle アカウントのプッシュ

apps/accounts/automations/push_account/database/postgresql/main.yml

@@ -0,0 +1,46 @@
+- hosts: postgre
+  gather_facts: no
+  vars:
+    ansible_python_interpreter: /usr/local/bin/python
+
+  tasks:
+    - name: Test PostgreSQL connection
+      community.postgresql.postgresql_ping:
+        login_user: "{{ jms_account.username }}"
+        login_password: "{{ jms_account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        login_db: "{{ jms_asset.spec_info.db_name }}"
+      register: result
+      failed_when: not result.is_available
+
+    - name: Display PostgreSQL version
+      debug:
+        var: result.server_version.full
+      when: result is succeeded
+
+    - name: Change PostgreSQL password
+      community.postgresql.postgresql_user:
+        login_user: "{{ jms_account.username }}"
+        login_password: "{{ jms_account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        db: "{{ jms_asset.spec_info.db_name }}"
+        name: "{{ account.username }}"
+        password: "{{ account.secret }}"
+        role_attr_flags: LOGIN
+      when: result is succeeded
+      register: change_info
+
+    - name: Verify password
+      community.postgresql.postgresql_ping:
+        login_user: "{{ account.username }}"
+        login_password: "{{ account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        db: "{{ jms_asset.spec_info.db_name }}"
+      when:
+        - result is succeeded
+        - change_info is succeeded
+      register: result
+      failed_when: not result.is_available

apps/accounts/automations/push_account/database/postgresql/manifest.yml

@@ -0,0 +1,11 @@
+id: push_account_postgresql
+name: "{{ 'PostgreSQL account push' | trans }}"
+category: database
+type:
+  - postgresql
+method: push_account
+
+i18n:
+  PostgreSQL account push:
+    zh: PostgreSQL 账号推送
+    ja: PostgreSQL アカウントのプッシュ

apps/accounts/automations/push_account/database/sqlserver/main.yml

@@ -0,0 +1,69 @@
+- hosts: sqlserver
+  gather_facts: no
+  vars:
+    ansible_python_interpreter: /usr/local/bin/python
+
+  tasks:
+    - name: Test SQLServer connection
+      community.general.mssql_script:
+        login_user: "{{ jms_account.username }}"
+        login_password: "{{ jms_account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        name: '{{ jms_asset.spec_info.db_name }}'
+        script: |
+          SELECT @@version
+      register: db_info
+
+    - name: SQLServer version
+      set_fact:
+        info:
+          version: "{{ db_info.query_results[0][0][0][0].splitlines()[0] }}"
+    - debug:
+        var: info
+
+    - name: Check whether SQLServer User exist
+      community.general.mssql_script:
+        login_user: "{{ jms_account.username }}"
+        login_password: "{{ jms_account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        name: '{{ jms_asset.spec_info.db_name }}'
+        script: "SELECT 1 from sys.sql_logins WHERE name='{{ account.username }}';"
+      when: db_info is succeeded
+      register: user_exist
+
+    - name: Change SQLServer password
+      community.general.mssql_script:
+        login_user: "{{ jms_account.username }}"
+        login_password: "{{ jms_account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        name: '{{ jms_asset.spec_info.db_name }}'
+        script: "ALTER LOGIN {{ account.username }} WITH PASSWORD = '{{ account.secret }}'; select @@version"
+      when: user_exist.query_results[0] | length != 0
+      register: change_info
+
+    - name: Add SQLServer user
+      community.general.mssql_script:
+        login_user: "{{ jms_account.username }}"
+        login_password: "{{ jms_account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        name: '{{ jms_asset.spec_info.db_name }}'
+        script: "CREATE LOGIN {{ account.username }} WITH PASSWORD = '{{ account.secret }}'; select @@version"
+      when: user_exist.query_results[0] | length == 0
+      register: change_info
+
+    - name: Verify password
+      community.general.mssql_script:
+        login_user: "{{ account.username }}"
+        login_password: "{{ account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        name: '{{ jms_asset.spec_info.db_name }}'
+        script: |
+          SELECT @@version
+      when:
+        - db_info is succeeded
+        - change_info is succeeded

apps/accounts/automations/push_account/database/sqlserver/manifest.yml

@@ -0,0 +1,11 @@
+id: push_account_sqlserver
+name: "{{ 'SQLServer account push' | trans }}"
+category: database
+type:
+  - sqlserver
+method: push_account
+
+i18n:
+  SQLServer account push:
+    zh: SQLServer 账号推送
+    ja: SQLServer アカウントのプッシュ

apps/accounts/automations/push_account/host/aix/main.yml

@@ -0,0 +1,94 @@
+- hosts: demo
+  gather_facts: no
+  tasks:
+    - name: Test privileged account
+      ansible.builtin.ping:
+
+    - name: Push user
+      ansible.builtin.user:
+        name: "{{ account.username }}"
+        shell: "{{ params.shell }}"
+        home: "{{ '/home/' + account.username }}"
+        groups: "{{ params.groups }}"
+        expires: -1
+        state: present
+
+    - name: "Add {{ account.username }} group"
+      ansible.builtin.group:
+        name: "{{ account.username }}"
+        state: present
+
+    - name: Check home dir exists
+      ansible.builtin.stat:
+        path: "{{ '/home/' + account.username }}"
+      register: home_existed
+
+    - name: Set home dir permission
+      ansible.builtin.file:
+        path: "{{ '/home/' + account.username }}"
+        owner: "{{ account.username }}"
+        group: "{{ account.username }}"
+        mode: "0700"
+      when:
+        - home_existed.stat.exists == true
+
+    - name: Add user groups
+      ansible.builtin.user:
+        name: "{{ account.username }}"
+        groups: "{{ params.groups }}"
+      when: params.groups
+
+    - name: Push user password
+      ansible.builtin.user:
+        name: "{{ account.username }}"
+        password: "{{ account.secret | password_hash('sha512') }}"
+        update_password: always
+      ignore_errors: true
+      when: account.secret_type == "password"
+
+    - name: remove jumpserver ssh key
+      ansible.builtin.lineinfile:
+        dest: "{{ ssh_params.dest }}"
+        regexp: "{{ ssh_params.regexp }}"
+        state: absent
+      when:
+        - account.secret_type == "ssh_key"
+        - ssh_params.strategy == "set_jms"
+
+    - name: Push SSH key
+      ansible.builtin.authorized_key:
+        user: "{{ account.username }}"
+        key: "{{ account.secret }}"
+        exclusive: "{{ ssh_params.exclusive }}"
+      when: account.secret_type == "ssh_key"
+
+    - name: Set sudo setting
+      ansible.builtin.lineinfile:
+        dest: /etc/sudoers
+        state: present
+        regexp: "^{{ account.username }} ALL="
+        line: "{{ account.username + ' ALL=(ALL) NOPASSWD: ' + params.sudo }}"
+        validate: visudo -cf %s
+      when:
+        - params.sudo
+
+    - name: Refresh connection
+      ansible.builtin.meta: reset_connection
+
+    - name: Verify password
+      ansible.builtin.ping:
+      become: no
+      vars:
+        ansible_user: "{{ account.username }}"
+        ansible_password: "{{ account.secret }}"
+        ansible_become: no
+      when: account.secret_type == "password"
+
+    - name: Verify SSH key
+      ansible.builtin.ping:
+      become: no
+      vars:
+        ansible_user: "{{ account.username }}"
+        ansible_ssh_private_key_file: "{{ account.private_key_path }}"
+        ansible_become: no
+      when: account.secret_type == "ssh_key"

apps/accounts/automations/push_account/host/aix/manifest.yml

@@ -0,0 +1,29 @@
+id: push_account_aix
+name: "{{ 'Aix account push' | trans }}"
+category: host
+type:
+  - AIX
+method: push_account
+params:
+  - name: sudo
+    type: str
+    label: 'Sudo'
+    default: '/bin/whoami'
+    help_text: '使用逗号分隔多个命令，如: /bin/whoami,/sbin/ifconfig'
+
+  - name: shell
+    type: str
+    label: 'Shell'
+    default: '/bin/bash'
+
+  - name: groups
+    type: str
+    label: '用户组'
+    default: ''
+    help_text: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
+
+i18n:
+  Aix account push:
+    zh: Aix 账号推送
+    ja: Aix アカウントのプッシュ
+

apps/accounts/automations/push_account/host/posix/main.yml

@@ -0,0 +1,94 @@
+- hosts: demo
+  gather_facts: no
+  tasks:
+    - name: Test privileged account
+      ansible.builtin.ping:
+
+    - name: Push user
+      ansible.builtin.user:
+        name: "{{ account.username }}"
+        shell: "{{ params.shell }}"
+        home: "{{ '/home/' + account.username }}"
+        groups: "{{ params.groups }}"
+        expires: -1
+        state: present
+
+    - name: "Add {{ account.username }} group"
+      ansible.builtin.group:
+        name: "{{ account.username }}"
+        state: present
+
+    - name: Check home dir exists
+      ansible.builtin.stat:
+        path: "{{ '/home/' + account.username }}"
+      register: home_existed
+
+    - name: Set home dir permission
+      ansible.builtin.file:
+        path: "{{ '/home/' + account.username }}"
+        owner: "{{ account.username }}"
+        group: "{{ account.username }}"
+        mode: "0700"
+      when:
+        - home_existed.stat.exists == true
+
+    - name: Add user groups
+      ansible.builtin.user:
+        name: "{{ account.username }}"
+        groups: "{{ params.groups }}"
+      when: params.groups
+
+    - name: Push user password
+      ansible.builtin.user:
+        name: "{{ account.username }}"
+        password: "{{ account.secret | password_hash('sha512') }}"
+        update_password: always
+      ignore_errors: true
+      when: account.secret_type == "password"
+
+    - name: remove jumpserver ssh key
+      ansible.builtin.lineinfile:
+        dest: "{{ ssh_params.dest }}"
+        regexp: "{{ ssh_params.regexp }}"
+        state: absent
+      when:
+        - account.secret_type == "ssh_key"
+        - ssh_params.strategy == "set_jms"
+
+    - name: Push SSH key
+      ansible.builtin.authorized_key:
+        user: "{{ account.username }}"
+        key: "{{ account.secret }}"
+        exclusive: "{{ ssh_params.exclusive }}"
+      when: account.secret_type == "ssh_key"
+
+    - name: Set sudo setting
+      ansible.builtin.lineinfile:
+        dest: /etc/sudoers
+        state: present
+        regexp: "^{{ account.username }} ALL="
+        line: "{{ account.username + ' ALL=(ALL) NOPASSWD: ' + params.sudo }}"
+        validate: visudo -cf %s
+      when:
+        - params.sudo
+
+    - name: Refresh connection
+      ansible.builtin.meta: reset_connection
+
+    - name: Verify password
+      ansible.builtin.ping:
+      become: no
+      vars:
+        ansible_user: "{{ account.username }}"
+        ansible_password: "{{ account.secret }}"
+        ansible_become: no
+      when: account.secret_type == "password"
+
+    - name: Verify SSH key
+      ansible.builtin.ping:
+      become: no
+      vars:
+        ansible_user: "{{ account.username }}"
+        ansible_ssh_private_key_file: "{{ account.private_key_path }}"
+        ansible_become: no
+      when: account.secret_type == "ssh_key"

apps/accounts/automations/push_account/host/posix/manifest.yml

@@ -0,0 +1,30 @@
+id: push_account_posix
+name: "{{ 'Posix account push' | trans }}"
+category: host
+type:
+  - unix
+  - linux
+method: push_account
+params:
+  - name: sudo
+    type: str
+    label: 'Sudo'
+    default: '/bin/whoami'
+    help_text: '使用逗号分隔多个命令，如: /bin/whoami,/sbin/ifconfig'
+
+  - name: shell
+    type: str
+    label: 'Shell'
+    default: '/bin/bash'
+    help_text: ''
+
+  - name: groups
+    type: str
+    label: '用户组'
+    default: ''
+    help_text: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
+
+i18n:
+  Posix account push:
+    zh: Posix 账号推送
+    ja: Posix アカウントのプッシュ

apps/accounts/automations/push_account/host/windows/main.yml

@@ -0,0 +1,31 @@
+- hosts: demo
+  gather_facts: no
+  tasks:
+    - name: Test privileged account
+      ansible.windows.win_ping:
+
+#    - name: Print variables
+#      debug:
+#        msg: "Username: {{ account.username }}, Password: {{ account.secret }}"
+
+    - name: Push user password
+      ansible.windows.win_user:
+        fullname: "{{ account.username}}"
+        name: "{{ account.username }}"
+        password: "{{ account.secret }}"
+        password_never_expires: yes
+        groups: "{{ params.groups }}"
+        groups_action: add
+        update_password: always
+      ignore_errors: true
+      when: account.secret_type == "password"
+
+    - name: Refresh connection
+      ansible.builtin.meta: reset_connection
+
+    - name: Verify password
+      ansible.windows.win_ping:
+      vars:
+        ansible_user: "{{ account.username }}"
+        ansible_password: "{{ account.secret }}"
+      when: account.secret_type == "password"

apps/accounts/automations/push_account/host/windows/manifest.yml

@@ -0,0 +1,18 @@
+id: push_account_local_windows
+name: "{{ 'Windows account push' | trans }}"
+version: 1
+method: push_account
+category: host
+type:
+  - windows
+params:
+  - name: groups
+    type: str
+    label: '用户组'
+    default: 'Users,Remote Desktop Users'
+    help_text: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
+
+i18n:
+  Windows account push:
+    zh: Windows 账号推送
+    ja: Windows アカウントのプッシュ

apps/accounts/automations/push_account/manager.py

@@ -0,0 +1,149 @@
+from copy import deepcopy
+
+from accounts.const import AutomationTypes, SecretType, Connectivity
+from assets.const import HostTypes
+from common.utils import get_logger
+from ..base.manager import AccountBasePlaybookManager
+from ..change_secret.manager import ChangeSecretManager
+
+logger = get_logger(__name__)
+
+
+class PushAccountManager(ChangeSecretManager, AccountBasePlaybookManager):
+    ansible_account_prefer = ''
+
+    @classmethod
+    def method_type(cls):
+        return AutomationTypes.push_account
+
+    def host_callback(self, host, asset=None, account=None, automation=None, path_dir=None, **kwargs):
+        host = super(ChangeSecretManager, self).host_callback(
+            host, asset=asset, account=account, automation=automation,
+            path_dir=path_dir, **kwargs
+        )
+        if host.get('error'):
+            return host
+
+        accounts = self.get_accounts(account)
+        inventory_hosts = []
+        if asset.type == HostTypes.WINDOWS and self.secret_type == SecretType.SSH_KEY:
+            msg = f'Windows {asset} does not support ssh key push'
+            print(msg)
+            return inventory_hosts
+
+        host['ssh_params'] = {}
+        for account in accounts:
+            h = deepcopy(host)
+            secret_type = account.secret_type
+            h['name'] += '(' + account.username + ')'
+            if self.secret_type is None:
+                new_secret = account.secret
+            else:
+                new_secret = self.get_secret(secret_type)
+
+            self.name_recorder_mapper[h['name']] = {
+                'account': account, 'new_secret': new_secret,
+            }
+
+            private_key_path = None
+            if secret_type == SecretType.SSH_KEY:
+                private_key_path = self.generate_private_key_path(new_secret, path_dir)
+                new_secret = self.generate_public_key(new_secret)
+
+            h['ssh_params'].update(self.get_ssh_params(account, new_secret, secret_type))
+            h['account'] = {
+                'name': account.name,
+                'username': account.username,
+                'secret_type': secret_type,
+                'secret': new_secret,
+                'private_key_path': private_key_path
+            }
+            if asset.platform.type == 'oracle':
+                h['account']['mode'] = 'sysdba' if account.privileged else None
+            inventory_hosts.append(h)
+        return inventory_hosts
+
+    def on_host_success(self, host, result):
+        account_info = self.name_recorder_mapper.get(host)
+        if not account_info:
+            return
+
+        account = account_info['account']
+        new_secret = account_info['new_secret']
+        if not account:
+            return
+        account.secret = new_secret
+        account.save(update_fields=['secret'])
+        account.set_connectivity(Connectivity.OK)
+
+    def on_host_error(self, host, error, result):
+        pass
+
+    def on_runner_failed(self, runner, e):
+        logger.error("Pust account error: ", e)
+
+    def run(self, *args, **kwargs):
+        if self.secret_type and not self.check_secret():
+            return
+        super(ChangeSecretManager, self).run(*args, **kwargs)
+
+    # @classmethod
+    # def trigger_by_asset_create(cls, asset):
+    #     automations = PushAccountAutomation.objects.filter(
+    #         triggers__contains=TriggerChoice.on_asset_create
+    #     )
+    #     account_automation_map = {auto.username: auto for auto in automations}
+    #
+    #     util = AssetPermissionUtil()
+    #     permissions = util.get_permissions_for_assets([asset], with_node=True)
+    #     account_permission_map = defaultdict(list)
+    #     for permission in permissions:
+    #         for account in permission.accounts:
+    #             account_permission_map[account].append(permission)
+    #
+    #     username_automation_map = {}
+    #     for username, automation in account_automation_map.items():
+    #         if username != '@USER':
+    #             username_automation_map[username] = automation
+    #             continue
+    #
+    #         asset_permissions = account_permission_map.get(username)
+    #         if not asset_permissions:
+    #             continue
+    #         asset_permissions = util.get_permissions([p.id for p in asset_permissions])
+    #         usernames = asset_permissions.values_list('users__username', flat=True).distinct()
+    #         for _username in usernames:
+    #             username_automation_map[_username] = automation
+    #
+    #     asset_usernames_exists = asset.accounts.values_list('username', flat=True)
+    #     accounts_to_create = []
+    #     accounts_to_push = []
+    #     for username, automation in username_automation_map.items():
+    #         if username in asset_usernames_exists:
+    #             continue
+    #
+    #         if automation.secret_strategy != SecretStrategy.custom:
+    #             secret_generator = SecretGenerator(
+    #                 automation.secret_strategy, automation.secret_type,
+    #                 automation.password_rules
+    #             )
+    #             secret = secret_generator.get_secret()
+    #         else:
+    #             secret = automation.secret
+    #
+    #         account = Account(
+    #             username=username, secret=secret,
+    #             asset=asset, secret_type=automation.secret_type,
+    #             comment='Create by account creation {}'.format(automation.name),
+    #         )
+    #         accounts_to_create.append(account)
+    #         if automation.action == 'create_and_push':
+    #             accounts_to_push.append(account)
+    #         else:
+    #             accounts_to_create.append(account)
+    #
+    #         logger.debug(f'Create account {account} for asset {asset}')
+
+    # @classmethod
+    # def trigger_by_permission_accounts_change(cls):
+    #     pass

apps/accounts/automations/verify_account/custom/main.yml

@@ -0,0 +1,14 @@
+- hosts: custom
+  gather_facts: no
+  vars:
+    ansible_connection: local
+
+  tasks:
+    - name: Verify account
+      ssh_ping:
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        login_user: "{{ account.username }}"
+        login_password: "{{ account.secret }}"
+        login_secret_type: "{{ account.secret_type }}"
+        login_private_key_path: "{{ account.private_key_path }}"