feat: Update v3.0.1

Co-authored-by: feng <1304903146@qq.com>

.dockerignore

@@ -7,4 +7,5 @@ django.db
 celerybeat.pid
 ### Vagrant ###
 .vagrant/
-apps/xpack/.git
+apps/xpack/.git
+

.gitattributes

@@ -1,3 +1,4 @@
 *.mmdb filter=lfs diff=lfs merge=lfs -text
 *.mo filter=lfs diff=lfs merge=lfs -text
 *.ipdb filter=lfs diff=lfs merge=lfs -text
+

.github/release-config.yml

@@ -41,4 +41,5 @@ version-resolver:
   default: patch
 template: |
   ## 版本变化  What’s Changed
-  $CHANGES
+  $CHANGES
+

.github/workflows/jms-build-test.yml

@@ -0,0 +1,35 @@
+name: "Run Build Test"
+on:
+  push:
+    branches:
+      - pr@*
+      - repr@*
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+
+    - uses: docker/setup-qemu-action@v2
+
+    - uses: docker/setup-buildx-action@v2
+
+    - uses: docker/build-push-action@v3
+      with:
+        context: .
+        push: false
+        tags: jumpserver/core:test
+        file: Dockerfile
+        build-args: |
+          APT_MIRROR=http://deb.debian.org
+          PIP_MIRROR=https://pypi.org/simple
+        cache-from: type=gha
+        cache-to: type=gha,mode=max
+
+    - uses: LouisBrunner/checks-action@v1.5.0
+      if: always()
+      with:
+        token: ${{ secrets.GITHUB_TOKEN }}
+        name: Check Build
+        conclusion: ${{ job.status }}

.github/workflows/release-drafter.yml

@@ -21,7 +21,7 @@ jobs:
           TAG=$(basename ${GITHUB_REF})
           VERSION=${TAG/v/}
           wget https://raw.githubusercontent.com/jumpserver/installer/master/quick_start.sh
-          sed -i "s@Version=.*@Version=v${VERSION}@g" quick_start.sh
+          sed -i "s@VERSION=dev@VERSION=v${VERSION}@g" quick_start.sh
           echo "::set-output name=TAG::$TAG"
           echo "::set-output name=VERSION::$VERSION"
       - name: Create Release

.gitignore

@@ -16,6 +16,7 @@ dump.rdb
 .cache/
 .idea/
 .vscode/
+.fleet/
 db.sqlite3
 config.py
 config.yml
@@ -41,3 +42,4 @@ release/*
 releashe
 /apps/script.py
 data/*
+test.py

.isort.cfg

@@ -0,0 +1,3 @@
+[settings]
+line_length=120
+known_first_party=common,users,assets,perms,authentication,jumpserver,notification,ops,orgs,rbac,settings,terminal,tickets

CODE_OF_CONDUCT.md

@@ -126,3 +126,4 @@ enforcement ladder](https://github.com/mozilla/diversity).
 For answers to common questions about this code of conduct, see the FAQ at
 https://www.contributor-covenant.org/faq. Translations are available at
 https://www.contributor-covenant.org/translations.
+

CONTRIBUTING.md

@@ -23,3 +23,4 @@ When reporting issues, always include:
 
 Because the issues are open to the public, when submitting files, be sure to remove any sensitive information, e.g. user name, password, IP address, and company name. You can
 replace those parts with "REDACTED" or other strings like "****".
+

Dockerfile

@@ -1,65 +1,77 @@
-FROM python:3.8-slim
+FROM python:3.9-slim as stage-build
+ARG TARGETARCH
+
+ARG VERSION
+ENV VERSION=$VERSION
+
+WORKDIR /opt/jumpserver
+ADD . .
+RUN cd utils && bash -ixeu build.sh
+
+FROM python:3.9-slim
+ARG TARGETARCH
 MAINTAINER JumpServer Team <ibuler@qq.com>
 
 ARG BUILD_DEPENDENCIES="              \
-    g++                               \
-    make                              \
-    pkg-config"
+        g++                           \
+        make                          \
+        pkg-config"
 
 ARG DEPENDENCIES="                    \
-    default-libmysqlclient-dev        \
-    freetds-dev                       \
-    libpq-dev                         \
-    libffi-dev                        \
-    libldap2-dev                      \
-    libsasl2-dev                      \
-    libxml2-dev                       \
-    libxmlsec1-dev                    \
-    libxmlsec1-openssl                \
-    libaio-dev                        \
-    openssh-client                    \
-    sshpass"
+        freetds-dev                   \
+        libpq-dev                     \
+        libffi-dev                    \
+        libjpeg-dev                   \
+        libldap2-dev                  \
+        libsasl2-dev                  \
+        libxml2-dev                   \
+        libxmlsec1-dev                \
+        libxmlsec1-openssl            \
+        libaio-dev"
 
 ARG TOOLS="                           \
-    curl                              \
-    default-mysql-client              \
-    iproute2                          \
-    iputils-ping                      \
-    locales                           \
-    procps                            \
-    redis-tools                       \
-    telnet                            \
-    vim                               \
-    unzip                             \
-    wget"
+        ca-certificates               \
+        curl                          \
+        default-libmysqlclient-dev    \
+        default-mysql-client          \
+        locales                       \
+        openssh-client                \
+        procps                        \
+        sshpass                       \
+        telnet                        \
+        unzip                         \
+        vim                           \
+        git                           \
+        wget"
 
-RUN sed -i 's@http://.*.debian.org@http://mirrors.ustc.edu.cn@g' /etc/apt/sources.list \
+ARG APT_MIRROR=http://mirrors.ustc.edu.cn
+
+RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=core \
+    sed -i "s@http://.*.debian.org@${APT_MIRROR}@g" /etc/apt/sources.list \
+    && rm -f /etc/apt/apt.conf.d/docker-clean \
+    && ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
     && apt-get update \
     && apt-get -y install --no-install-recommends ${BUILD_DEPENDENCIES} \
     && apt-get -y install --no-install-recommends ${DEPENDENCIES} \
     && apt-get -y install --no-install-recommends ${TOOLS} \
-    && localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8 \
-    && cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
     && mkdir -p /root/.ssh/ \
     && echo "Host *\n\tStrictHostKeyChecking no\n\tUserKnownHostsFile /dev/null" > /root/.ssh/config \
-    && sed -i "s@# alias l@alias l@g" ~/.bashrc \
     && echo "set mouse-=a" > ~/.vimrc \
     && echo "no" | dpkg-reconfigure dash \
+    && echo "zh_CN.UTF-8" | dpkg-reconfigure locales \
+    && sed -i "s@# export @export @g" ~/.bashrc \
+    && sed -i "s@# alias @alias @g" ~/.bashrc \
     && rm -rf /var/lib/apt/lists/*
 
-ARG TARGETARCH
-ARG ORACLE_LIB_MAJOR=19
-ARG ORACLE_LIB_MINOR=10
-ENV ORACLE_FILE="instantclient-basiclite-linux.${TARGETARCH:-amd64}-${ORACLE_LIB_MAJOR}.${ORACLE_LIB_MINOR}.0.0.0dbru.zip"
+ARG DOWNLOAD_URL=https://download.jumpserver.org
 
 RUN mkdir -p /opt/oracle/ \
     && cd /opt/oracle/ \
-    && wget https://download.jumpserver.org/files/oracle/${ORACLE_FILE} \
-    && unzip instantclient-basiclite-linux.${TARGETARCH-amd64}-19.10.0.0.0dbru.zip \
-    && mv instantclient_${ORACLE_LIB_MAJOR}_${ORACLE_LIB_MINOR} instantclient \
-    && echo "/opt/oracle/instantclient" > /etc/ld.so.conf.d/oracle-instantclient.conf \
+    && wget ${DOWNLOAD_URL}/public/instantclient-basiclite-linux.${TARGETARCH}-19.10.0.0.0.zip \
+    && unzip instantclient-basiclite-linux.${TARGETARCH}-19.10.0.0.0.zip \
+    && sh -c "echo /opt/oracle/instantclient_19_10 > /etc/ld.so.conf.d/oracle-instantclient.conf" \
     && ldconfig \
-    && rm -f ${ORACLE_FILE}
+    && rm -f instantclient-basiclite-linux.${TARGETARCH}-19.10.0.0.0.zip
 
 WORKDIR /tmp/build
 COPY ./requirements ./requirements
@@ -68,21 +80,18 @@ ARG PIP_MIRROR=https://pypi.douban.com/simple
 ENV PIP_MIRROR=$PIP_MIRROR
 ARG PIP_JMS_MIRROR=https://pypi.douban.com/simple
 ENV PIP_JMS_MIRROR=$PIP_JMS_MIRROR
-# 因为以 jms 或者 jumpserver 开头的 mirror 上可能没有
-RUN pip install --upgrade pip==20.2.4 setuptools==49.6.0 wheel==0.34.2 -i ${PIP_MIRROR} \
-    && pip install --no-cache-dir $(grep -E 'jms|jumpserver' requirements/requirements.txt) -i ${PIP_JMS_MIRROR} \
-    && pip install --no-cache-dir -r requirements/requirements.txt -i ${PIP_MIRROR} \
-    && rm -rf ~/.cache/pip
 
-ARG VERSION
-ENV VERSION=$VERSION
+RUN --mount=type=cache,target=/root/.cache/pip \
+    set -ex \
+    && pip config set global.index-url ${PIP_MIRROR} \
+    && pip install --upgrade pip \
+    && pip install --upgrade setuptools wheel \
+    && pip install $(grep -E 'jms|jumpserver' requirements/requirements.txt) -i ${PIP_JMS_MIRROR} \
+    && pip install -r requirements/requirements.txt
 
-ADD . .
-RUN cd utils \
-    && bash -ixeu build.sh \
-    && mv ../release/jumpserver /opt/jumpserver \
-    && rm -rf /tmp/build \
-    && echo > /opt/jumpserver/config.yml
+COPY --from=stage-build /opt/jumpserver/release/jumpserver /opt/jumpserver
+RUN echo > /opt/jumpserver/config.yml \
+    && rm -rf /tmp/build
 
 WORKDIR /opt/jumpserver
 VOLUME /opt/jumpserver/data
@@ -90,6 +99,6 @@ VOLUME /opt/jumpserver/logs
 
 ENV LANG=zh_CN.UTF-8
 
-EXPOSE 8070
 EXPOSE 8080
+
 ENTRYPOINT ["./entrypoint.sh"]

Dockerfile-ee

@@ -0,0 +1,10 @@
+ARG VERSION
+FROM registry.fit2cloud.com/jumpserver/xpack:${VERSION} as build-xpack
+FROM jumpserver/core:${VERSION}
+COPY --from=build-xpack /opt/xpack /opt/jumpserver/apps/xpack
+
+WORKDIR /opt/jumpserver
+
+RUN --mount=type=cache,target=/root/.cache/pip \
+    set -ex \
+    && pip install -r requirements/requirements_xpack.txt

Dockerfile.loong64

@@ -0,0 +1,96 @@
+FROM python:3.9-slim as stage-build
+ARG TARGETARCH
+
+ARG VERSION
+ENV VERSION=$VERSION
+
+WORKDIR /opt/jumpserver
+ADD . .
+RUN cd utils && bash -ixeu build.sh
+
+FROM python:3.9-slim
+ARG TARGETARCH
+MAINTAINER JumpServer Team <ibuler@qq.com>
+
+ARG BUILD_DEPENDENCIES="              \
+        g++                           \
+        make                          \
+        pkg-config"
+
+ARG DEPENDENCIES="                    \
+        freetds-dev                   \
+        libpq-dev                     \
+        libffi-dev                    \
+        libjpeg-dev                   \
+        libldap2-dev                  \
+        libsasl2-dev                  \
+        libssl-dev                    \
+        libxml2-dev                   \
+        libxmlsec1-dev                \
+        libxmlsec1-openssl            \
+        libaio-dev"
+
+ARG TOOLS="                           \
+        ca-certificates               \
+        curl                          \
+        default-libmysqlclient-dev    \
+        default-mysql-client          \
+        locales                       \
+        openssh-client                \
+        procps                        \
+        sshpass                       \
+        telnet                        \
+        unzip                         \
+        vim                           \
+        git                           \
+        wget"
+
+RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=core \
+    set -ex \
+    && ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
+    && apt-get update \
+    && apt-get -y install --no-install-recommends ${BUILD_DEPENDENCIES} \
+    && apt-get -y install --no-install-recommends ${DEPENDENCIES} \
+    && apt-get -y install --no-install-recommends ${TOOLS} \
+    && mkdir -p /root/.ssh/ \
+    && echo "Host *\n\tStrictHostKeyChecking no\n\tUserKnownHostsFile /dev/null" > /root/.ssh/config \
+    && echo "set mouse-=a" > ~/.vimrc \
+    && echo "no" | dpkg-reconfigure dash \
+    && echo "zh_CN.UTF-8" | dpkg-reconfigure locales \
+    && sed -i "s@# export @export @g" ~/.bashrc \
+    && sed -i "s@# alias @alias @g" ~/.bashrc \
+    && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /tmp/build
+COPY ./requirements ./requirements
+
+ARG PIP_MIRROR=https://pypi.douban.com/simple
+ENV PIP_MIRROR=$PIP_MIRROR
+ARG PIP_JMS_MIRROR=https://pypi.douban.com/simple
+ENV PIP_JMS_MIRROR=$PIP_JMS_MIRROR
+
+RUN --mount=type=cache,target=/root/.cache/pip \
+    set -ex \
+    && pip config set global.index-url ${PIP_MIRROR} \
+    && pip install --upgrade pip \
+    && pip install --upgrade setuptools wheel \
+    && pip install https://download.jumpserver.org/pypi/simple/cryptography/cryptography-38.0.4-cp39-cp39-linux_loongarch64.whl \
+    && pip install https://download.jumpserver.org/pypi/simple/greenlet/greenlet-1.1.2-cp39-cp39-linux_loongarch64.whl \
+    && pip install $(grep 'PyNaCl' requirements/requirements.txt) \
+    && GRPC_PYTHON_BUILD_SYSTEM_OPENSSL=true pip install grpcio \
+    && pip install $(grep -E 'jms|jumpserver' requirements/requirements.txt) -i ${PIP_JMS_MIRROR} \
+    && pip install -r requirements/requirements.txt
+
+COPY --from=stage-build /opt/jumpserver/release/jumpserver /opt/jumpserver
+RUN echo > /opt/jumpserver/config.yml \
+    && rm -rf /tmp/build
+
+WORKDIR /opt/jumpserver
+VOLUME /opt/jumpserver/data
+VOLUME /opt/jumpserver/logs
+
+ENV LANG=zh_CN.UTF-8
+
+EXPOSE 8080
+
+ENTRYPOINT ["./entrypoint.sh"]

GITSHA

@@ -0,0 +1 @@
+86dab4fc6ea6b683efbe384a0694af4edb9f6716

LICENSE

@@ -671,4 +671,5 @@ into proprietary programs.  If your program is a subroutine library, you
 may consider it more useful to permit linking proprietary applications with
 the library.  If this is what you want to do, use the GNU Lesser General
 Public License instead of this License.  But first, please read
-<https://www.gnu.org/licenses/why-not-lgpl.html>.
+<https://www.gnu.org/licenses/why-not-lgpl.html>.
+

README.md

@@ -1,99 +1,52 @@
 <p align="center">
   <a href="https://jumpserver.org"><img src="https://download.jumpserver.org/images/jumpserver-logo.svg" alt="JumpServer" width="300" /></a>
 </p>
-<h3 align="center">多云环境下更好用的堡垒机</h3>
+<h3 align="center">广受欢迎的开源堡垒机</h3>
 
 <p align="center">
   <a href="https://www.gnu.org/licenses/gpl-3.0.html"><img src="https://img.shields.io/github/license/jumpserver/jumpserver" alt="License: GPLv3"></a>
-  <a href="https://shields.io/github/downloads/jumpserver/jumpserver/total"><img src="https://shields.io/github/downloads/jumpserver/jumpserver/total" alt=" release"></a>
-  <a href="https://hub.docker.com/u/jumpserver"><img src="https://img.shields.io/docker/pulls/jumpserver/jms_all.svg" alt="Codacy"></a>
-  <a href="https://github.com/jumpserver/jumpserver/commits"><img alt="GitHub last commit" src="https://img.shields.io/github/last-commit/jumpserver/jumpserver.svg" /></a>
+  <a href="https://hub.docker.com/u/jumpserver"><img src="https://img.shields.io/docker/pulls/jumpserver/jms_all.svg" alt="Docker pulls"></a>
+  <a href="https://github.com/jumpserver/jumpserver/releases/latest"><img src="https://img.shields.io/github/v/release/jumpserver/jumpserver" alt="Latest release"></a>
   <a href="https://github.com/jumpserver/jumpserver"><img src="https://img.shields.io/github/stars/jumpserver/jumpserver?color=%231890FF&style=flat-square" alt="Stars"></a>
 </p>
 
 --------------------------
-- [ENGLISH](https://github.com/jumpserver/jumpserver/blob/master/README_EN.md)
-
-
 
 JumpServer 是广受欢迎的开源堡垒机，是符合 4A 规范的专业运维安全审计系统。
 
-JumpServer 使用 Python 开发，配备了业界领先的 Web Terminal 方案，交互界面美观、用户体验好。
+## 产品特色
 
-JumpServer 采纳分布式架构，支持多机房跨区域部署，支持横向扩展，无资产数量及并发限制。
+- **开源**: 零门槛，线上快速获取和安装；
+- **无插件**: 仅需浏览器，极致的 Web Terminal 使用体验；
+- **分布式**: 支持分布式部署和横向扩展，轻松支持大规模并发访问；
+- **多云支持**: 一套系统，同时管理不同云上面的资产；
+- **多租户**: 一套系统，多个子公司或部门同时使用；
+- **云端存储**: 审计录像云端存储，永不丢失；
+- **多应用支持**: 全面支持各类资产，包括服务器、数据库、Windows RemoteApp、Kubernetes 等;
+- **安全可靠**: 被广泛使用、验证和信赖，连续 9 年的持续研发投入和产品更新升级。
 
-改变世界，从一点点开始 ...
-
-> 如需进一步了解 JumpServer 开源项目，推荐阅读 [JumpServer 的初心和使命](https://mp.weixin.qq.com/s/S6q_2rP_9MwaVwyqLQnXzA)
-
-### 特色优势
-
-- 开源: 零门槛，线上快速获取和安装；
-- 分布式: 轻松支持大规模并发访问；
-- 无插件: 仅需浏览器，极致的 Web Terminal 使用体验；
-- 多租户: 一套系统，多个子公司或部门同时使用；
-- 多云支持: 一套系统，同时管理不同云上面的资产；
-- 云端存储: 审计录像云端存储，永不丢失；
-- 多应用支持: 数据库，Windows远程应用，Kubernetes。
-
-### UI 展示
+## UI 展示
 
 ![UI展示](https://www.jumpserver.org/images/screenshot/1.png)
 
-### 在线体验
+## 在线体验
 
--   环境地址：<https://demo.jumpserver.org/>
+- 环境地址：<https://demo.jumpserver.org/>
 
 | :warning: 注意                 |
-| :--------------------------- |
+|:-----------------------------|
 | 该环境仅作体验目的使用，我们会定时清理、重置数据！    |
 | 请勿修改体验环境用户的密码！               |
 | 请勿在环境中添加业务生产环境地址、用户名密码等敏感信息！ |
 
-### 快速开始
+## 快速开始
 
 - [极速安装](https://docs.jumpserver.org/zh/master/install/setup_by_fast/)
-- [完整文档](https://docs.jumpserver.org)
-- [演示视频](https://www.bilibili.com/video/BV1ZV41127GB)
 - [手动安装](https://github.com/jumpserver/installer)
+- [产品文档](https://docs.jumpserver.org)
+- [知识库](https://kb.fit2cloud.com/categories/jumpserver)
 
-### 组件项目
-| 项目                                                                          |  状态          | 描述                                     |
-| ---------------------------------------------------------------------------  |  -------------------   | ---------------------------------------- |
-| [Lina](https://github.com/jumpserver/lina) | <a href="https://github.com/jumpserver/lina/releases"><img alt="Lina release" src="https://img.shields.io/github/release/jumpserver/lina.svg" /></a> | JumpServer Web UI 项目 |
-| [Luna](https://github.com/jumpserver/luna) | <a href="https://github.com/jumpserver/luna/releases"><img alt="Luna release" src="https://img.shields.io/github/release/jumpserver/luna.svg" /></a> | JumpServer Web Terminal 项目 |
-| [KoKo](https://github.com/jumpserver/koko) | <a href="https://github.com/jumpserver/koko/releases"><img alt="Koko release" src="https://img.shields.io/github/release/jumpserver/koko.svg" /></a> | JumpServer 字符协议 Connector 项目，替代原来 Python 版本的 [Coco](https://github.com/jumpserver/coco) |
-| [Lion](https://github.com/jumpserver/lion-release) | <a href="https://github.com/jumpserver/lion-release/releases"><img alt="Lion release" src="https://img.shields.io/github/release/jumpserver/lion-release.svg" /></a>  | JumpServer 图形协议 Connector 项目，依赖 [Apache Guacamole](https://guacamole.apache.org/) |
-| [Magnus](https://github.com/jumpserver/magnus-release) | <a href="https://github.com/jumpserver/magnus-release/releases"><img alt="Magnus release" src="https://img.shields.io/github/release/jumpserver/magnus-release.svg" /> | JumpServer 数据库代理 Connector 项目 |
-| [Clients](https://github.com/jumpserver/clients) | <a href="https://github.com/jumpserver/clients/releases"><img alt="Clients release" src="https://img.shields.io/github/release/jumpserver/clients.svg" /> | JumpServer 客户端 项目 |
-| [Installer](https://github.com/jumpserver/installer)| <a href="https://github.com/jumpserver/installer/releases"><img alt="Installer release" src="https://img.shields.io/github/release/jumpserver/installer.svg" /> | JumpServer 安装包 项目 |
-
-### 社区
-
-如果您在使用过程中有任何疑问或对建议，欢迎提交 [GitHub Issue](https://github.com/jumpserver/jumpserver/issues/new/choose) 或加入到我们的社区当中进行进一步交流沟通。
-
-#### 微信交流群
-
-<img src="https://download.jumpserver.org/images/wecom-group.jpeg" alt="微信群二维码" width="200"/>
-
-### 贡献
-如果有你好的想法创意，或者帮助我们修复了 Bug, 欢迎提交 Pull Request
-
-感谢以下贡献者，让 JumpServer 更加完善
-
-<a href="https://github.com/jumpserver/jumpserver/graphs/contributors"><img src="https://opencollective.com/jumpserver/contributors.svg?width=890&button=false" /></a>
-
-
-
-### 致谢
-- [Apache Guacamole](https://guacamole.apache.org/) Web页面连接 RDP, SSH, VNC 协议设备，JumpServer 图形化组件 Lion 依赖 
-- [OmniDB](https://omnidb.org/) Web 页面连接使用数据库，JumpServer Web 数据库依赖
-
-
-### JumpServer 企业版 
-- [申请企业版试用](https://jinshuju.net/f/kyOYpi)
-
-### 案例研究
+## 案例研究
 
 - [腾讯海外游戏：基于JumpServer构建游戏安全运营能力](https://blog.fit2cloud.com/?p=3704)
 - [万华化学：通过JumpServer管理全球化分布式IT资产，并且实现与云管平台的联动](https://blog.fit2cloud.com/?p=3504)
@@ -102,28 +55,61 @@ JumpServer 采纳分布式架构，支持多机房跨区域部署，支持横向
 - [沐瞳游戏：通过JumpServer管控多项目分布式资产](https://blog.fit2cloud.com/?p=3213)
 - [携程：JumpServer 堡垒机部署与运营实战](https://blog.fit2cloud.com/?p=851)
 - [大智慧：JumpServer 堡垒机让“大智慧”的混合 IT 运维更智慧](https://blog.fit2cloud.com/?p=882)
-- [小红书：的JumpServer堡垒机大规模资产跨版本迁移之路](https://blog.fit2cloud.com/?p=516)
+- [小红书：JumpServer 堡垒机大规模资产跨版本迁移之路](https://blog.fit2cloud.com/?p=516)
 - [中手游：JumpServer堡垒机助力中手游提升多云环境下安全运维能力](https://blog.fit2cloud.com/?p=732)
 - [中通快递：JumpServer主机安全运维实践](https://blog.fit2cloud.com/?p=708)
 - [东方明珠：JumpServer高效管控异构化、分布式云端资产](https://blog.fit2cloud.com/?p=687)
 - [江苏农信：JumpServer堡垒机助力行业云安全运维](https://blog.fit2cloud.com/?p=666)
 
-### 安全说明
+## 社区
 
-JumpServer是一款安全产品，请参考 [基本安全建议](https://docs.jumpserver.org/zh/master/install/install_security/) 部署安装.
+如果您在使用过程中有任何疑问或对建议，欢迎提交 [GitHub Issue](https://github.com/jumpserver/jumpserver/issues/new/choose)
+或加入到我们的社区当中进行进一步交流沟通。
 
-如果你发现安全问题，可以直接联系我们：
+### 微信交流群
 
-- ibuler@fit2cloud.com 
-- support@fit2cloud.com 
-- 400-052-0755
+<img src="https://download.jumpserver.org/images/wecom-group.jpeg" alt="微信群二维码" width="200"/>
 
-### License & Copyright
+### 参与贡献
 
-Copyright (c) 2014-2022 飞致云 FIT2CLOUD, All rights reserved.
+欢迎提交 PR 参与贡献。感谢以下贡献者，他们让 JumpServer 变的越来越好。
 
-Licensed under The GNU General Public License version 3 (GPLv3)  (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
+<a href="https://github.com/jumpserver/jumpserver/graphs/contributors"><img src="https://opencollective.com/jumpserver/contributors.svg?width=890&button=false" /></a>
+
+## 组件项目
+
+| 项目                                                     | 状态                                                                                                                                                                     | 描述                                                                                      |
+|--------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------|
+| [Lina](https://github.com/jumpserver/lina)             | <a href="https://github.com/jumpserver/lina/releases"><img alt="Lina release" src="https://img.shields.io/github/release/jumpserver/lina.svg" /></a>                   | JumpServer Web UI 项目                                                                    |
+| [Luna](https://github.com/jumpserver/luna)             | <a href="https://github.com/jumpserver/luna/releases"><img alt="Luna release" src="https://img.shields.io/github/release/jumpserver/luna.svg" /></a>                   | JumpServer Web Terminal 项目                                                              |
+| [KoKo](https://github.com/jumpserver/koko)             | <a href="https://github.com/jumpserver/koko/releases"><img alt="Koko release" src="https://img.shields.io/github/release/jumpserver/koko.svg" /></a>                   | JumpServer 字符协议 Connector 项目，替代原来 Python 版本的 [Coco](https://github.com/jumpserver/coco) |
+| [Lion](https://github.com/jumpserver/lion-release)     | <a href="https://github.com/jumpserver/lion-release/releases"><img alt="Lion release" src="https://img.shields.io/github/release/jumpserver/lion-release.svg" /></a>   | JumpServer 图形协议 Connector 项目，依赖 [Apache Guacamole](https://guacamole.apache.org/)       |
+| [Magnus](https://github.com/jumpserver/magnus-release) | <a href="https://github.com/jumpserver/magnus-release/releases"><img alt="Magnus release" src="https://img.shields.io/github/release/jumpserver/magnus-release.svg" /> | JumpServer 数据库代理 Connector 项目                                                           |
+| [Clients](https://github.com/jumpserver/clients)       | <a href="https://github.com/jumpserver/clients/releases"><img alt="Clients release" src="https://img.shields.io/github/release/jumpserver/clients.svg" />              | JumpServer 客户端 项目                                                                       |
+| [Installer](https://github.com/jumpserver/installer)   | <a href="https://github.com/jumpserver/installer/releases"><img alt="Installer release" src="https://img.shields.io/github/release/jumpserver/installer.svg" />        | JumpServer 安装包 项目                                                                       |
+
+## 安全说明
+
+JumpServer是一款安全产品，请参考 [基本安全建议](https://docs.jumpserver.org/zh/master/install/install_security/)
+进行安装部署。如果您发现安全相关问题，请直接联系我们：
+
+- 邮箱：support@fit2cloud.com
+- 电话：400-052-0755
+
+## 致谢
+
+- [Apache Guacamole](https://guacamole.apache.org/)： Web 页面连接 RDP、SSH、VNC 等协议资产，JumpServer Lion 组件使用到该项目；
+- [OmniDB](https://omnidb.org/)： Web 页面连接使用数据库，JumpServer Web 数据库组件使用到该项目。
+
+## License & Copyright
+
+Copyright (c) 2014-2023 飞致云 FIT2CLOUD, All rights reserved.
+
+Licensed under The GNU General Public License version 3 (GPLv3)  (the "License"); you may not use this file except in
+compliance with the License. You may obtain a copy of the License at
 
 https://www.gnu.org/licenses/gpl-3.0.html
 
-Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
+Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "
+AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific
+language governing permissions and limitations under the License.

README_EN.md

@@ -92,4 +92,3 @@ Licensed under The GNU General Public License version 3 (GPLv3)  (the "License")
 https://www.gnu.org/licenses/gpl-3.0.htmll
 
 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
-

SECURITY.md

@@ -18,3 +18,4 @@ All security bugs should be reported to the contact as below:
 - ibuler@fit2cloud.com
 - support@fit2cloud.com
 - 400-052-0755
+

Vagrantfile

@@ -1,56 +0,0 @@
-# -*- mode: ruby -*-
-# vi: set ft=ruby :
-
-Vagrant.configure("2") do |config|
-  # The most common configuration options are documented and commented below.
-  # For a complete reference, please see the online documentation at
-  # https://docs.vagrantup.com.
-
-  # Every Vagrant development environment requires a box. You can search for
-  # boxes at https://vagrantcloud.com/search.
-  config.vm.box_check_update = false
-  config.vm.box = "centos/7"
-  config.vm.hostname = "jumpserver"
-  config.vm.network "private_network", ip: "172.17.8.101"
-  config.vm.provider "virtualbox" do |vb|
-    vb.memory = "4096"
-    vb.cpus = 2
-    vb.name = "jumpserver"
-  end
-
-  config.vm.synced_folder ".", "/vagrant", type: "rsync",
-    rsync__verbose: true,
-    rsync__exclude: ['.git*', 'node_modules*','*.log','*.box','Vagrantfile']
-
-  config.vm.provision "shell", inline: <<-SHELL
-## 设置yum的阿里云源
-sudo curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
-sudo sed -i -e '/mirrors.cloud.aliyuncs.com/d' -e '/mirrors.aliyuncs.com/d' /etc/yum.repos.d/CentOS-Base.repo
-sudo curl -o /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
-sudo yum makecache
-
-## 安装依赖包
-sudo yum install -y python36 python36-devel python36-pip \
-		 libtiff-devel libjpeg-devel libzip-devel freetype-devel \
-     lcms2-devel libwebp-devel tcl-devel tk-devel sshpass \
-     openldap-devel mariadb-devel mysql-devel libffi-devel \
-     openssh-clients telnet openldap-clients gcc
-
-## 配置pip阿里云源
-mkdir /home/vagrant/.pip
-cat << EOF | sudo tee -a /home/vagrant/.pip/pip.conf
-[global]
-timeout = 6000
-index-url = https://mirrors.aliyun.com/pypi/simple/
-
-[install]
-use-mirrors = true
-mirrors = https://mirrors.aliyun.com/pypi/simple/
-trusted-host=mirrors.aliyun.com
-EOF
-
-python3.6 -m venv /home/vagrant/venv
-source /home/vagrant/venv/bin/activate
-echo 'source /home/vagrant/venv/bin/activate' >> /home/vagrant/.bash_profile
-  SHELL
-end

apps/accounts/api/__init__.py

@@ -0,0 +1,2 @@
+from .account import *
+from .automations import *

apps/accounts/api/account/__init__.py

@@ -0,0 +1,3 @@
+from .account import *
+from .task import *
+from .template import *

apps/accounts/api/account/account.py

@@ -0,0 +1,112 @@
+from django.shortcuts import get_object_or_404
+from rest_framework.decorators import action
+from rest_framework.generics import ListAPIView
+from rest_framework.response import Response
+
+from accounts import serializers
+from accounts.filters import AccountFilterSet
+from accounts.models import Account
+from assets.models import Asset, Node
+from common.permissions import UserConfirmation, ConfirmType
+from common.views.mixins import RecordViewLogMixin
+from orgs.mixins.api import OrgBulkModelViewSet
+from rbac.permissions import RBACPermission
+
+__all__ = [
+    'AccountViewSet', 'AccountSecretsViewSet',
+    'AccountHistoriesSecretAPI'
+]
+
+
+class AccountViewSet(OrgBulkModelViewSet):
+    model = Account
+    search_fields = ('username', 'asset__address', 'name')
+    filterset_class = AccountFilterSet
+    serializer_classes = {
+        'default': serializers.AccountSerializer,
+    }
+    rbac_perms = {
+        'partial_update': ['accounts.change_account'],
+        'su_from_accounts': 'accounts.view_account',
+        'username_suggestions': 'accounts.view_account',
+    }
+
+    @action(methods=['get'], detail=False, url_path='su-from-accounts')
+    def su_from_accounts(self, request, *args, **kwargs):
+        account_id = request.query_params.get('account')
+        asset_id = request.query_params.get('asset')
+
+        if account_id:
+            account = get_object_or_404(Account, pk=account_id)
+            accounts = account.get_su_from_accounts()
+        elif asset_id:
+            asset = get_object_or_404(Asset, pk=asset_id)
+            accounts = asset.accounts.all()
+        else:
+            accounts = []
+        accounts = self.filter_queryset(accounts)
+        serializer = serializers.AccountSerializer(accounts, many=True)
+        return Response(data=serializer.data)
+
+    @action(methods=['get'], detail=False, url_path='username-suggestions')
+    def username_suggestions(self, request, *args, **kwargs):
+        asset_ids = request.query_params.get('assets')
+        node_keys = request.query_params.get('keys')
+        username = request.query_params.get('username')
+
+        assets = Asset.objects.all()
+        if asset_ids:
+            assets = assets.filter(id__in=asset_ids.split(','))
+        if node_keys:
+            patten = Node.get_node_all_children_key_pattern(node_keys.split(','))
+            assets = assets.filter(nodes__key__regex=patten)
+
+        accounts = Account.objects.filter(asset__in=assets)
+        if username:
+            accounts = accounts.filter(username__icontains=username)
+        usernames = list(accounts.values_list('username', flat=True).distinct()[:10])
+        usernames.sort()
+        common = [i for i in usernames if i in usernames if i.lower() in ['root', 'admin', 'administrator']]
+        others = [i for i in usernames if i not in common]
+        usernames = common + others
+        return Response(data=usernames)
+
+
+class AccountSecretsViewSet(RecordViewLogMixin, AccountViewSet):
+    """
+    因为可能要导出所有账号，所以单独建立了一个 viewset
+    """
+    serializer_classes = {
+        'default': serializers.AccountSecretSerializer,
+    }
+    http_method_names = ['get', 'options']
+    permission_classes = [RBACPermission, UserConfirmation.require(ConfirmType.MFA)]
+    rbac_perms = {
+        'list': 'accounts.view_accountsecret',
+        'retrieve': 'accounts.view_accountsecret',
+    }
+
+
+class AccountHistoriesSecretAPI(RecordViewLogMixin, ListAPIView):
+    model = Account.history.model
+    serializer_class = serializers.AccountHistorySerializer
+    http_method_names = ['get', 'options']
+    permission_classes = [RBACPermission, UserConfirmation.require(ConfirmType.MFA)]
+    rbac_perms = {
+        'GET': 'accounts.view_accountsecret',
+    }
+
+    def get_object(self):
+        return get_object_or_404(Account, pk=self.kwargs.get('pk'))
+
+    def get_queryset(self):
+        account = self.get_object()
+        histories = account.history.all()
+        last_history = account.history.first()
+        if not last_history:
+            return histories
+
+        if account.secret == last_history.secret \
+                and account.secret_type == last_history.secret_type:
+            histories = histories.exclude(history_id=last_history.history_id)
+        return histories

apps/accounts/api/account/task.py

@@ -0,0 +1,48 @@
+from rest_framework.generics import CreateAPIView
+from rest_framework.response import Response
+
+from accounts import serializers
+from accounts.tasks import verify_accounts_connectivity_task, push_accounts_to_assets_task
+from assets.exceptions import NotSupportedTemporarilyError
+
+__all__ = [
+    'AccountsTaskCreateAPI',
+]
+
+
+class AccountsTaskCreateAPI(CreateAPIView):
+    serializer_class = serializers.AccountTaskSerializer
+
+    def check_permissions(self, request):
+        act = request.data.get('action')
+        if act == 'push':
+            code = 'accounts.push_account'
+        else:
+            code = 'accounts.verify_account'
+        return request.user.has_perm(code)
+
+    def perform_create(self, serializer):
+        data = serializer.validated_data
+        accounts = data.get('accounts', [])
+        account_ids = [str(a.id) for a in accounts]
+
+        if data['action'] == 'push':
+            task = push_accounts_to_assets_task.delay(account_ids)
+        else:
+            account = accounts[0]
+            asset = account.asset
+            if not asset.auto_info['ansible_enabled'] or \
+                not asset.auto_info['ping_enabled']:
+                raise NotSupportedTemporarilyError()
+            task = verify_accounts_connectivity_task.delay(account_ids)
+
+        data = getattr(serializer, '_data', {})
+        data["task"] = task.id
+        setattr(serializer, '_data', data)
+        return task
+
+    def get_exception_handler(self):
+        def handler(e, context):
+            return Response({"error": str(e)}, status=400)
+
+        return handler

apps/accounts/api/account/template.py

@@ -0,0 +1,28 @@
+from rbac.permissions import RBACPermission
+from common.permissions import UserConfirmation, ConfirmType
+
+from common.views.mixins import RecordViewLogMixin
+from orgs.mixins.api import OrgBulkModelViewSet
+from accounts import serializers
+from accounts.models import AccountTemplate
+
+
+class AccountTemplateViewSet(OrgBulkModelViewSet):
+    model = AccountTemplate
+    filterset_fields = ("username", 'name')
+    search_fields = ('username', 'name')
+    serializer_classes = {
+        'default': serializers.AccountTemplateSerializer
+    }
+
+
+class AccountTemplateSecretsViewSet(RecordViewLogMixin, AccountTemplateViewSet):
+    serializer_classes = {
+        'default': serializers.AccountTemplateSecretSerializer,
+    }
+    http_method_names = ['get', 'options']
+    permission_classes = [RBACPermission, UserConfirmation.require(ConfirmType.MFA)]
+    rbac_perms = {
+        'list': 'accounts.view_accounttemplatesecret',
+        'retrieve': 'accounts.view_accounttemplatesecret',
+    }

apps/accounts/api/automations/__init__.py

@@ -0,0 +1,5 @@
+from .backup import *
+from .base import *
+from .change_secret import *
+from .gather_accounts import *
+from .push_account import *

apps/accounts/api/automations/backup.py

@@ -3,12 +3,13 @@
 from rest_framework import status, viewsets
 from rest_framework.response import Response
 
-from orgs.mixins.api import OrgBulkModelViewSet
-from .. import serializers
-from ..tasks import execute_account_backup_plan
-from ..models import (
-    AccountBackupPlan, AccountBackupPlanExecution
+from accounts import serializers
+from accounts.models import (
+    AccountBackupAutomation, AccountBackupExecution
 )
+from accounts.tasks import execute_account_backup_task
+from common.const.choices import Trigger
+from orgs.mixins.api import OrgBulkModelViewSet
 
 __all__ = [
     'AccountBackupPlanViewSet', 'AccountBackupPlanExecutionViewSet'
@@ -16,12 +17,11 @@ __all__ = [
 
 
 class AccountBackupPlanViewSet(OrgBulkModelViewSet):
-    model = AccountBackupPlan
+    model = AccountBackupAutomation
     filter_fields = ('name',)
     search_fields = filter_fields
-    ordering_fields = ('name',)
     ordering = ('name',)
-    serializer_class = serializers.AccountBackupPlanSerializer
+    serializer_class = serializers.AccountBackupSerializer
 
 
 class AccountBackupPlanExecutionViewSet(viewsets.ModelViewSet):
@@ -31,19 +31,12 @@ class AccountBackupPlanExecutionViewSet(viewsets.ModelViewSet):
     http_method_names = ['get', 'post', 'options']
 
     def get_queryset(self):
-        queryset = AccountBackupPlanExecution.objects.all()
+        queryset = AccountBackupExecution.objects.all()
         return queryset
 
     def create(self, request, *args, **kwargs):
         serializer = self.get_serializer(data=request.data)
         serializer.is_valid(raise_exception=True)
         pid = serializer.data.get('plan')
-        task = execute_account_backup_plan.delay(
-            pid=pid, trigger=AccountBackupPlanExecution.Trigger.manual
-        )
+        task = execute_account_backup_task.delay(pid=str(pid), trigger=Trigger.manual)
         return Response({'task': task.id}, status=status.HTTP_201_CREATED)
-
-    def filter_queryset(self, queryset):
-        queryset = super().filter_queryset(queryset)
-        queryset = queryset.order_by('-date_start')
-        return queryset

apps/accounts/api/automations/base.py

@@ -0,0 +1,115 @@
+from django.shortcuts import get_object_or_404
+from django.utils.translation import ugettext_lazy as _
+from rest_framework import status, mixins, viewsets
+from rest_framework.response import Response
+
+from accounts.models import AutomationExecution
+from accounts.tasks import execute_account_automation_task
+from assets import serializers
+from assets.models import BaseAutomation
+from common.const.choices import Trigger
+from orgs.mixins import generics
+
+__all__ = [
+    'AutomationAssetsListApi', 'AutomationRemoveAssetApi',
+    'AutomationAddAssetApi', 'AutomationNodeAddRemoveApi',
+    'AutomationExecutionViewSet',
+]
+
+
+class AutomationAssetsListApi(generics.ListAPIView):
+    model = BaseAutomation
+    serializer_class = serializers.AutomationAssetsSerializer
+    filter_fields = ("name", "address")
+    search_fields = filter_fields
+
+    def get_object(self):
+        pk = self.kwargs.get('pk')
+        return get_object_or_404(self.model, pk=pk)
+
+    def get_queryset(self):
+        instance = self.get_object()
+        assets = instance.get_all_assets().only(
+            *self.serializer_class.Meta.only_fields
+        )
+        return assets
+
+
+class AutomationRemoveAssetApi(generics.RetrieveUpdateAPIView):
+    model = BaseAutomation
+    serializer_class = serializers.UpdateAssetSerializer
+
+    def update(self, request, *args, **kwargs):
+        instance = self.get_object()
+        serializer = self.serializer_class(data=request.data)
+
+        if not serializer.is_valid():
+            return Response({'error': serializer.errors})
+
+        assets = serializer.validated_data.get('assets')
+        if assets:
+            instance.assets.remove(*tuple(assets))
+        return Response({'msg': 'ok'})
+
+
+class AutomationAddAssetApi(generics.RetrieveUpdateAPIView):
+    model = BaseAutomation
+    serializer_class = serializers.UpdateAssetSerializer
+
+    def update(self, request, *args, **kwargs):
+        instance = self.get_object()
+        serializer = self.serializer_class(data=request.data)
+        if serializer.is_valid():
+            assets = serializer.validated_data.get('assets')
+            if assets:
+                instance.assets.add(*tuple(assets))
+            return Response({"msg": "ok"})
+        else:
+            return Response({"error": serializer.errors})
+
+
+class AutomationNodeAddRemoveApi(generics.RetrieveUpdateAPIView):
+    model = BaseAutomation
+    serializer_class = serializers.UpdateNodeSerializer
+
+    def update(self, request, *args, **kwargs):
+        action_params = ['add', 'remove']
+        action = request.query_params.get('action')
+        if action not in action_params:
+            err_info = _("The parameter 'action' must be [{}]".format(','.join(action_params)))
+            return Response({"error": err_info})
+
+        instance = self.get_object()
+        serializer = self.serializer_class(data=request.data)
+        if serializer.is_valid():
+            nodes = serializer.validated_data.get('nodes')
+            if nodes:
+                # eg: plan.nodes.add(*tuple(assets))
+                getattr(instance.nodes, action)(*tuple(nodes))
+            return Response({"msg": "ok"})
+        else:
+            return Response({"error": serializer.errors})
+
+
+class AutomationExecutionViewSet(
+    mixins.CreateModelMixin, mixins.ListModelMixin,
+    mixins.RetrieveModelMixin, viewsets.GenericViewSet
+):
+    search_fields = ('trigger',)
+    filterset_fields = ('trigger', 'automation_id')
+    serializer_class = serializers.AutomationExecutionSerializer
+
+    tp: str
+
+    def get_queryset(self):
+        queryset = AutomationExecution.objects.all()
+        return queryset
+
+    def create(self, request, *args, **kwargs):
+        serializer = self.get_serializer(data=request.data)
+        serializer.is_valid(raise_exception=True)
+        automation = serializer.validated_data.get('automation')
+        task = execute_account_automation_task.delay(
+            pid=str(automation.pk), trigger=Trigger.manual, tp=self.tp
+        )
+        return Response({'task': task.id}, status=status.HTTP_201_CREATED)

apps/accounts/api/automations/change_secret.py

@@ -0,0 +1,81 @@
+# -*- coding: utf-8 -*-
+#
+
+from rest_framework import mixins
+
+from accounts import serializers
+from accounts.const import AutomationTypes
+from accounts.models import ChangeSecretAutomation, ChangeSecretRecord, AutomationExecution
+from common.utils import get_object_or_none
+from orgs.mixins.api import OrgBulkModelViewSet, OrgGenericViewSet
+from .base import (
+    AutomationAssetsListApi, AutomationRemoveAssetApi, AutomationAddAssetApi,
+    AutomationNodeAddRemoveApi, AutomationExecutionViewSet
+)
+
+__all__ = [
+    'ChangeSecretAutomationViewSet', 'ChangeSecretRecordViewSet',
+    'ChangSecretExecutionViewSet', 'ChangSecretAssetsListApi',
+    'ChangSecretRemoveAssetApi', 'ChangSecretAddAssetApi',
+    'ChangSecretNodeAddRemoveApi'
+]
+
+
+class ChangeSecretAutomationViewSet(OrgBulkModelViewSet):
+    model = ChangeSecretAutomation
+    filter_fields = ('name', 'secret_type', 'secret_strategy')
+    search_fields = filter_fields
+    serializer_class = serializers.ChangeSecretAutomationSerializer
+
+
+class ChangeSecretRecordViewSet(mixins.ListModelMixin, OrgGenericViewSet):
+    serializer_class = serializers.ChangeSecretRecordSerializer
+    filter_fields = ['asset', 'execution_id']
+    search_fields = ['asset__hostname']
+
+    def get_queryset(self):
+        return ChangeSecretRecord.objects.filter(
+            execution__automation__type=AutomationTypes.change_secret
+        )
+
+    def filter_queryset(self, queryset):
+        queryset = super().filter_queryset(queryset)
+        eid = self.request.query_params.get('execution_id')
+        execution = get_object_or_none(AutomationExecution, pk=eid)
+        if execution:
+            queryset = queryset.filter(execution=execution)
+        return queryset
+
+
+class ChangSecretExecutionViewSet(AutomationExecutionViewSet):
+    rbac_perms = (
+        ("list", "accounts.view_changesecretexecution"),
+        ("retrieve", "accounts.view_changesecretexecution"),
+        ("create", "accounts.add_changesecretexecution"),
+    )
+
+    tp = AutomationTypes.change_secret
+
+    def get_queryset(self):
+        queryset = super().get_queryset()
+        queryset = queryset.filter(automation__type=self.tp)
+        return queryset
+
+
+class ChangSecretAssetsListApi(AutomationAssetsListApi):
+    model = ChangeSecretAutomation
+
+
+class ChangSecretRemoveAssetApi(AutomationRemoveAssetApi):
+    model = ChangeSecretAutomation
+    serializer_class = serializers.ChangeSecretUpdateAssetSerializer
+
+
+class ChangSecretAddAssetApi(AutomationAddAssetApi):
+    model = ChangeSecretAutomation
+    serializer_class = serializers.ChangeSecretUpdateAssetSerializer
+
+
+class ChangSecretNodeAddRemoveApi(AutomationNodeAddRemoveApi):
+    model = ChangeSecretAutomation
+    serializer_class = serializers.ChangeSecretUpdateNodeSerializer

apps/accounts/api/automations/gather_accounts.py

@@ -0,0 +1,71 @@
+# -*- coding: utf-8 -*-
+#
+from django.utils.translation import ugettext_lazy as _
+from rest_framework import status
+from rest_framework.decorators import action
+from rest_framework.response import Response
+
+from accounts import serializers
+from accounts.const import AutomationTypes
+from accounts.const import Source
+from accounts.filters import GatheredAccountFilterSet
+from accounts.models import GatherAccountsAutomation
+from accounts.models import GatheredAccount
+from orgs.mixins.api import OrgBulkModelViewSet
+from .base import AutomationExecutionViewSet
+
+__all__ = [
+    'GatherAccountsAutomationViewSet', 'GatherAccountsExecutionViewSet',
+    'GatheredAccountViewSet'
+]
+
+
+class GatherAccountsAutomationViewSet(OrgBulkModelViewSet):
+    model = GatherAccountsAutomation
+    filter_fields = ('name',)
+    search_fields = filter_fields
+    serializer_class = serializers.GatherAccountAutomationSerializer
+
+
+class GatherAccountsExecutionViewSet(AutomationExecutionViewSet):
+    rbac_perms = (
+        ("list", "accounts.view_gatheraccountsexecution"),
+        ("retrieve", "accounts.view_gatheraccountsexecution"),
+        ("create", "accounts.add_gatheraccountsexecution"),
+    )
+
+    tp = AutomationTypes.gather_accounts
+
+    def get_queryset(self):
+        queryset = super().get_queryset()
+        queryset = queryset.filter(automation__type=self.tp)
+        return queryset
+
+
+class GatheredAccountViewSet(OrgBulkModelViewSet):
+    model = GatheredAccount
+    search_fields = ('username',)
+    filterset_class = GatheredAccountFilterSet
+    serializer_classes = {
+        'default': serializers.GatheredAccountSerializer,
+    }
+    rbac_perms = {
+        'sync_account': 'assets.add_gatheredaccount',
+    }
+
+    @action(methods=['post'], detail=True, url_path='sync')
+    def sync_account(self, request, *args, **kwargs):
+        gathered_account = super().get_object()
+        asset = gathered_account.asset
+        username = gathered_account.username
+        accounts = asset.accounts.filter(username=username)
+
+        if accounts.exists():
+            accounts.update(source=Source.COLLECTED)
+        else:
+            asset.accounts.model.objects.create(
+                asset=asset, username=username,
+                name=f'{username}-{_("Collected")}',
+                source=Source.COLLECTED
+            )
+        return Response(status=status.HTTP_201_CREATED)

apps/accounts/api/automations/push_account.py

@@ -0,0 +1,68 @@
+# -*- coding: utf-8 -*-
+#
+from accounts import serializers
+from accounts.const import AutomationTypes
+from accounts.models import PushAccountAutomation, ChangeSecretRecord
+from orgs.mixins.api import OrgBulkModelViewSet
+
+from .base import (
+    AutomationAssetsListApi, AutomationRemoveAssetApi, AutomationAddAssetApi,
+    AutomationNodeAddRemoveApi, AutomationExecutionViewSet
+)
+from .change_secret import ChangeSecretRecordViewSet
+
+__all__ = [
+    'PushAccountAutomationViewSet', 'PushAccountAssetsListApi', 'PushAccountRemoveAssetApi',
+    'PushAccountAddAssetApi', 'PushAccountNodeAddRemoveApi', 'PushAccountExecutionViewSet',
+    'PushAccountRecordViewSet'
+]
+
+
+class PushAccountAutomationViewSet(OrgBulkModelViewSet):
+    model = PushAccountAutomation
+    filter_fields = ('name', 'secret_type', 'secret_strategy')
+    search_fields = filter_fields
+    serializer_class = serializers.PushAccountAutomationSerializer
+
+
+class PushAccountExecutionViewSet(AutomationExecutionViewSet):
+    rbac_perms = (
+        ("list", "accounts.view_pushaccountexecution"),
+        ("retrieve", "accounts.view_pushaccountexecution"),
+        ("create", "accounts.add_pushaccountexecution"),
+    )
+
+    tp = AutomationTypes.push_account
+
+    def get_queryset(self):
+        queryset = super().get_queryset()
+        queryset = queryset.filter(automation__type=self.tp)
+        return queryset
+
+
+class PushAccountRecordViewSet(ChangeSecretRecordViewSet):
+    serializer_class = serializers.ChangeSecretRecordSerializer
+
+    def get_queryset(self):
+        return ChangeSecretRecord.objects.filter(
+            execution__automation__type=AutomationTypes.push_account
+        )
+
+
+class PushAccountAssetsListApi(AutomationAssetsListApi):
+    model = PushAccountAutomation
+
+
+class PushAccountRemoveAssetApi(AutomationRemoveAssetApi):
+    model = PushAccountAutomation
+    serializer_class = serializers.PushAccountUpdateAssetSerializer
+
+
+class PushAccountAddAssetApi(AutomationAddAssetApi):
+    model = PushAccountAutomation
+    serializer_class = serializers.PushAccountUpdateAssetSerializer
+
+
+class PushAccountNodeAddRemoveApi(AutomationNodeAddRemoveApi):
+    model = PushAccountAutomation
+    serializer_class = serializers.PushAccountUpdateNodeSerializer

apps/accounts/apps.py

@@ -0,0 +1,11 @@
+from django.apps import AppConfig
+
+
+class AccountsConfig(AppConfig):
+    default_auto_field = 'django.db.models.BigAutoField'
+    name = 'accounts'
+
+    def ready(self):
+        from . import signal_handlers
+        from . import tasks
+        __all__ = signal_handlers

apps/accounts/automations/__init__.py

@@ -0,0 +1,2 @@
+from .endpoint import ExecutionManager
+from .methods import platform_automation_methods

apps/accounts/automations/backup_account/handlers.py

@@ -5,15 +5,12 @@ from collections import defaultdict, OrderedDict
 
 from django.conf import settings
 from django.db.models import F
-from django.utils.translation import ugettext_lazy as _
 from rest_framework import serializers
 
-from assets.models import AuthBook, SystemUser, Asset
-from assets.serializers import AccountBackUpSerializer
-from assets.notifications import AccountBackupExecutionTaskMsg
-from applications.models import Account, Application
-from applications.const import AppType
-from applications.serializers import AppAccountBackUpSerializer
+from accounts.models import Account
+from assets.const import AllTypes
+from accounts.serializers import AccountSecretSerializer
+from accounts.notifications import AccountBackupExecutionTaskMsg
 from users.models import User
 from common.utils import get_logger
 from common.utils.timezone import local_now_display
@@ -39,7 +36,7 @@ class BaseAccountHandler:
     @classmethod
     def get_header_fields(cls, serializer: serializers.Serializer):
         try:
-            backup_fields = getattr(serializer, 'Meta').fields
+            backup_fields = getattr(serializer, 'Meta').fields_backup
         except AttributeError:
             backup_fields = serializer.fields.keys()
         header_fields = {}
@@ -52,23 +49,6 @@ class BaseAccountHandler:
                 header_fields[field] = str(v.label)
         return header_fields
 
-    @staticmethod
-    def load_auth(tp, value, system_user):
-        if value:
-            return value
-        if system_user:
-            return getattr(system_user, tp, '')
-        return ''
-
-    @classmethod
-    def replace_auth(cls, account, system_user_dict):
-        system_user = system_user_dict.get(account.systemuser_id)
-        account.username = cls.load_auth('username', account.username, system_user)
-        account.password = cls.load_auth('password', account.password, system_user)
-        account.private_key = cls.load_auth('private_key', account.private_key, system_user)
-        account.public_key = cls.load_auth('public_key', account.public_key, system_user)
-        return account
-
     @classmethod
     def create_row(cls, data, header_fields):
         data = cls.unpack_data(data)
@@ -92,84 +72,37 @@ class AssetAccountHandler(BaseAccountHandler):
     @staticmethod
     def get_filename(plan_name):
         filename = os.path.join(
-            PATH, f'{plan_name}-{_("Asset")}-{local_now_display()}-{time.time()}.xlsx'
+            PATH, f'{plan_name}-{local_now_display()}-{time.time()}.xlsx'
         )
         return filename
 
     @classmethod
-    def replace_account_info(cls, account, asset_dict, system_user_dict):
-        asset = asset_dict.get(account.asset_id)
-        account.ip = asset.ip if asset else ''
-        account.hostname = asset.hostname if asset else ''
-        account = cls.replace_auth(account, system_user_dict)
-        return account
+    def create_data_map(cls, accounts):
+        data_map = defaultdict(list)
 
-    @classmethod
-    def create_data_map(cls, system_user_dict):
-        sheet_name = AuthBook._meta.verbose_name
-        assets = Asset.objects.only('id', 'hostname', 'ip')
-        asset_dict = {asset.id: asset for asset in assets}
-        accounts = AuthBook.objects.all()
         if not accounts.exists():
-            return
+            return data_map
 
-        header_fields = cls.get_header_fields(AccountBackUpSerializer(accounts.first()))
-        for account in accounts:
-            cls.replace_account_info(account, asset_dict, system_user_dict)
-        data = AccountBackUpSerializer(accounts, many=True).data
-        data_map = cls.add_rows(data, header_fields, sheet_name)
-        logger.info('\n\033[33m- 共收集 {} 条资产账号\033[0m'.format(accounts.count()))
-        return data_map
-
-
-class AppAccountHandler(BaseAccountHandler):
-    @staticmethod
-    def get_filename(plan_name):
-        filename = os.path.join(
-            PATH, f'{plan_name}-{_("Application")}-{local_now_display()}-{time.time()}.xlsx'
-        )
-        return filename
-
-    @classmethod
-    def replace_account_info(cls, account, app_dict, system_user_dict):
-        app = app_dict.get(account.app_id)
-        account.type = app.type if app else ''
-        account.app_display = app.name if app else ''
-        account.category = app.category if app else ''
-        account = cls.replace_auth(account, system_user_dict)
-        return account
-
-    @classmethod
-    def create_data_map(cls, system_user_dict):
-        apps = Application.objects.only('id', 'type', 'name', 'category')
-        app_dict = {app.id: app for app in apps}
-        qs = Account.objects.all().annotate(app_type=F('app__type'))
-        if not qs.exists():
-            return
+        type_dict = {}
+        for i in AllTypes.grouped_choices_to_objs():
+            for j in i['children']:
+                type_dict[j['value']] = j['display_name']
 
+        header_fields = cls.get_header_fields(AccountSecretSerializer(accounts.first()))
         account_type_map = defaultdict(list)
-        for i in qs:
-            account_type_map[i.app_type].append(i)
+        for account in accounts:
+            account_type_map[account.type].append(account)
+
         data_map = {}
-        for app_type, accounts in account_type_map.items():
-            sheet_name = AppType.get_label(app_type)
-            header_fields = cls.get_header_fields(AppAccountBackUpSerializer(tp=app_type))
-            if not accounts:
-                continue
-            for account in accounts:
-                cls.replace_account_info(account, app_dict, system_user_dict)
-            data = AppAccountBackUpSerializer(accounts, many=True, tp=app_type).data
+        for tp, _accounts in account_type_map.items():
+            sheet_name = type_dict.get(tp, tp)
+            data = AccountSecretSerializer(_accounts, many=True).data
             data_map.update(cls.add_rows(data, header_fields, sheet_name))
-        logger.info('\n\033[33m- 共收集{}条应用账号\033[0m'.format(qs.count()))
+
+        logger.info('\n\033[33m- 共备份 {} 条账号\033[0m'.format(accounts.count()))
         return data_map
 
 
-handler_map = {
-    'asset': AssetAccountHandler,
-    'application': AppAccountHandler
-}
-
-
 class AccountBackupHandler:
     def __init__(self, execution):
         self.execution = execution
@@ -185,28 +118,20 @@ class AccountBackupHandler:
         # Print task start date
         time_start = time.time()
         files = []
-        system_user_qs = SystemUser.objects.only(
-            'id', 'username', 'password', 'private_key', 'public_key'
-        )
-        system_user_dict = {i.id: i for i in system_user_qs}
-        for account_type in self.execution.types:
-            handler = handler_map.get(account_type)
-            if not handler:
-                continue
+        accounts = self.execution.backup_accounts
+        data_map = AssetAccountHandler.create_data_map(accounts)
+        if not data_map:
+            return files
 
-            data_map = handler.create_data_map(system_user_dict)
-            if not data_map:
-                continue
+        filename = AssetAccountHandler.get_filename(self.plan_name)
 
-            filename = handler.get_filename(self.plan_name)
-
-            wb = Workbook(filename)
-            for sheet, data in data_map.items():
-                ws = wb.create_sheet(str(sheet))
-                for row in data:
-                    ws.append(row)
-            wb.save(filename)
-            files.append(filename)
+        wb = Workbook(filename)
+        for sheet, data in data_map.items():
+            ws = wb.create_sheet(str(sheet))
+            for row in data:
+                ws.append(row)
+        wb.save(filename)
+        files.append(filename)
         timedelta = round((time.time() - time_start), 2)
         logger.info('步骤完成: 用时 {}s'.format(timedelta))
         return files

apps/accounts/automations/backup_account/manager.py

@@ -12,7 +12,7 @@ from .handlers import AccountBackupHandler
 logger = get_logger(__name__)
 
 
-class AccountBackupExecutionManager:
+class AccountBackupManager:
     def __init__(self, execution):
         self.execution = execution
         self.date_start = timezone.now()

apps/accounts/automations/base/base_inventory.txt

@@ -0,0 +1,14 @@
+## all connection vars
+hostname asset_name=name asset_type=type asset_primary_protocol=ssh asset_primary_port=22 asset_protocols=[]
+
+## local connection
+hostname ansible_connection=local
+
+## local connection with gateway
+hostname ansible_connection=ssh ansible_user=gateway.username ansible_port=gateway.port ansible_host=gateway.host ansible_ssh_private_key_file=gateway.key
+
+## ssh connection for windows
+hostname ansible_connection=ssh ansible_shell_type=powershell/cmd ansible_user=windows.username ansible_port=windows.port ansible_host=windows.host ansible_ssh_private_key_file=windows.key
+
+## ssh connection
+hostname ansible_user=user ansible_password=pass ansible_host=host ansible_port=port ansible_ssh_private_key_file=key ssh_args="-o StrictHostKeyChecking=no"

apps/accounts/automations/base/manager.py

@@ -0,0 +1,12 @@
+from accounts.automations.methods import platform_automation_methods
+from assets.automations.base.manager import BasePlaybookManager
+from common.utils import get_logger
+
+logger = get_logger(__name__)
+
+
+class AccountBasePlaybookManager(BasePlaybookManager):
+
+    @property
+    def platform_automation_methods(self):
+        return platform_automation_methods

apps/accounts/automations/change_secret/database/mongodb/main.yml

@@ -0,0 +1,58 @@
+- hosts: mongodb
+  gather_facts: no
+  vars:
+    ansible_python_interpreter: /usr/local/bin/python
+
+  tasks:
+    - name: Test MongoDB connection
+      mongodb_ping:
+        login_user: "{{ jms_account.username }}"
+        login_password: "{{ jms_account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        login_database: "{{ jms_asset.spec_info.db_name }}"
+        ssl: "{{ jms_asset.spec_info.use_ssl }}"
+        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
+        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
+        connection_options:
+          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
+      register: db_info
+
+    - name: Display MongoDB version
+      debug:
+        var: db_info.server_version
+      when: db_info is succeeded
+
+    - name: Change MongoDB password
+      mongodb_user:
+        login_user: "{{ jms_account.username }}"
+        login_password: "{{ jms_account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        login_database: "{{ jms_asset.spec_info.db_name }}"
+        ssl: "{{ jms_asset.spec_info.use_ssl }}"
+        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
+        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
+        connection_options:
+          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
+        db: "{{ jms_asset.spec_info.db_name }}"
+        name: "{{ account.username }}"
+        password: "{{ account.secret }}"
+      when: db_info is succeeded
+      register: change_info
+
+    - name: Verify password
+      mongodb_ping:
+        login_user: "{{ account.username }}"
+        login_password: "{{ account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        login_database: "{{ jms_asset.spec_info.db_name }}"
+        ssl: "{{ jms_asset.spec_info.use_ssl }}"
+        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
+        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
+        connection_options:
+          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
+      when:
+        - db_info is succeeded
+        - change_info is succeeded

apps/accounts/automations/change_secret/database/mongodb/manifest.yml

@@ -0,0 +1,6 @@
+id: change_secret_mongodb
+name: Change secret for MongoDB
+category: database
+type:
+  - mongodb
+method: change_secret

apps/accounts/automations/change_secret/database/mysql/main.yml

@@ -0,0 +1,43 @@
+- hosts: mysql
+  gather_facts: no
+  vars:
+    ansible_python_interpreter: /usr/local/bin/python
+    db_name: "{{ jms_asset.spec_info.db_name }}"
+
+  tasks:
+    - name: Test MySQL connection
+      community.mysql.mysql_info:
+        login_user: "{{ jms_account.username }}"
+        login_password: "{{ jms_account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        filter: version
+      register: db_info
+
+    - name: MySQL version
+      debug:
+        var: db_info.version.full
+
+    - name: Change MySQL password
+      community.mysql.mysql_user:
+        login_user: "{{ jms_account.username }}"
+        login_password: "{{ jms_account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        name: "{{ account.username }}"
+        password: "{{ account.secret }}"
+        host: "%"
+        priv: "{{ account.username + '.*:USAGE' if db_name == '' else db_name + '.*:ALL' }}"
+      when: db_info is succeeded
+      register: change_info
+
+    - name: Verify password
+      community.mysql.mysql_info:
+        login_user: "{{ account.username }}"
+        login_password: "{{ account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        filter: version
+      when:
+        - db_info is succeeded
+        - change_info is succeeded

apps/accounts/automations/change_secret/database/mysql/manifest.yml

@@ -0,0 +1,7 @@
+id: change_secret_mysql
+name: Change secret for MySQL
+category: database
+type:
+  - mysql
+  - mariadb
+method: change_secret

apps/accounts/automations/change_secret/database/oracle/main.yml

@@ -0,0 +1,44 @@
+- hosts: oracle
+  gather_facts: no
+  vars:
+    ansible_python_interpreter: /usr/local/bin/python
+
+  tasks:
+    - name: Test Oracle connection
+      oracle_ping:
+        login_user: "{{ jms_account.username }}"
+        login_password: "{{ jms_account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        login_database: "{{ jms_asset.spec_info.db_name }}"
+        mode: "{{ jms_account.mode }}"
+      register: db_info
+
+    - name: Display Oracle version
+      debug:
+        var: db_info.server_version
+      when: db_info is succeeded
+
+    - name: Change Oracle password
+      oracle_user:
+        login_user: "{{ jms_account.username }}"
+        login_password: "{{ jms_account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        login_database: "{{ jms_asset.spec_info.db_name }}"
+        mode: "{{ jms_account.mode }}"
+        name: "{{ account.username }}"
+        password: "{{ account.secret }}"
+      when: db_info is succeeded
+      register: change_info
+
+    - name: Verify password
+      oracle_ping:
+        login_user: "{{ account.username }}"
+        login_password: "{{ account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        login_database: "{{ jms_asset.spec_info.db_name }}"
+      when:
+        - db_info is succeeded
+        - change_info is succeeded

apps/accounts/automations/change_secret/database/oracle/manifest.yml

@@ -0,0 +1,6 @@
+id: change_secret_oracle
+name: Change secret for Oracle
+category: database
+type:
+  - oracle
+method: change_secret

apps/accounts/automations/change_secret/database/postgresql/main.yml

@@ -0,0 +1,46 @@
+- hosts: postgre
+  gather_facts: no
+  vars:
+    ansible_python_interpreter: /usr/local/bin/python
+
+  tasks:
+    - name: Test PostgreSQL connection
+      community.postgresql.postgresql_ping:
+        login_user: "{{ jms_account.username }}"
+        login_password: "{{ jms_account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        login_db: "{{ jms_asset.spec_info.db_name }}"
+      register: result
+      failed_when: not result.is_available
+
+    - name: Display PostgreSQL version
+      debug:
+        var: result.server_version.full
+      when: result is succeeded
+
+    - name: Change PostgreSQL password
+      community.postgresql.postgresql_user:
+        login_user: "{{ jms_account.username }}"
+        login_password: "{{ jms_account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        db: "{{ jms_asset.spec_info.db_name }}"
+        name: "{{ account.username }}"
+        password: "{{ account.secret }}"
+        role_attr_flags: LOGIN
+      when: result is succeeded
+      register: change_info
+
+    - name: Verify password
+      community.postgresql.postgresql_ping:
+        login_user: "{{ account.username }}"
+        login_password: "{{ account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        db: "{{ jms_asset.spec_info.db_name }}"
+      when:
+        - result is succeeded
+        - change_info is succeeded
+      register: result
+      failed_when: not result.is_available

apps/accounts/automations/change_secret/database/postgresql/manifest.yml

@@ -0,0 +1,6 @@
+id: change_secret_postgresql
+name: Change secret for PostgreSQL
+category: database
+type:
+  - postgresql
+method: change_secret

apps/accounts/automations/change_secret/database/sqlserver/main.yml

@@ -0,0 +1,69 @@
+- hosts: sqlserver
+  gather_facts: no
+  vars:
+    ansible_python_interpreter: /usr/local/bin/python
+
+  tasks:
+    - name: Test SQLServer connection
+      community.general.mssql_script:
+        login_user: "{{ jms_account.username }}"
+        login_password: "{{ jms_account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        name: '{{ jms_asset.spec_info.db_name }}'
+        script: |
+          SELECT @@version
+      register: db_info
+
+    - name: SQLServer version
+      set_fact:
+        info:
+          version: "{{ db_info.query_results[0][0][0][0].splitlines()[0] }}"
+    - debug:
+        var: info
+
+    - name: Check whether SQLServer User exist
+      community.general.mssql_script:
+        login_user: "{{ jms_account.username }}"
+        login_password: "{{ jms_account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        name: '{{ jms_asset.spec_info.db_name }}'
+        script: "SELECT 1 from sys.sql_logins WHERE name='{{ account.username }}';"
+      when: db_info is succeeded
+      register: user_exist
+
+    - name: Change SQLServer password
+      community.general.mssql_script:
+        login_user: "{{ jms_account.username }}"
+        login_password: "{{ jms_account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        name: '{{ jms_asset.spec_info.db_name }}'
+        script: "ALTER LOGIN {{ account.username }} WITH PASSWORD = '{{ account.secret }}'; select @@version"
+      when: user_exist.query_results[0] | length != 0
+      register: change_info
+
+    - name: Add SQLServer user
+      community.general.mssql_script:
+        login_user: "{{ jms_account.username }}"
+        login_password: "{{ jms_account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        name: '{{ jms_asset.spec_info.db_name }}'
+        script: "CREATE LOGIN {{ account.username }} WITH PASSWORD = '{{ account.secret }}'; select @@version"
+      when: user_exist.query_results[0] | length == 0
+      register: change_info
+
+    - name: Verify password
+      community.general.mssql_script:
+        login_user: "{{ account.username }}"
+        login_password: "{{ account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        name: '{{ jms_asset.spec_info.db_name }}'
+        script: |
+          SELECT @@version
+      when:
+        - db_info is succeeded
+        - change_info is succeeded

apps/accounts/automations/change_secret/database/sqlserver/manifest.yml

@@ -0,0 +1,6 @@
+id: change_secret_sqlserver
+name: Change secret for SQLServer
+category: database
+type:
+  - sqlserver
+method: change_secret

apps/accounts/automations/change_secret/demo_inventory.txt

@@ -0,0 +1,2 @@
+# all base inventory in base/base_inventory.txt
+asset_name(ip)_account_username account={"username": "", "password": "xxx"} ...base_inventory_vars

apps/accounts/automations/change_secret/host/aix/main.yml

@@ -0,0 +1,54 @@
+- hosts: demo
+  gather_facts: no
+  tasks:
+    - name: Test privileged account
+      ansible.builtin.ping:
+
+    - name: Change password
+      ansible.builtin.user:
+        name: "{{ account.username }}"
+        password: "{{ account.secret | password_hash('des') }}"
+        update_password: always
+      when: secret_type == "password"
+
+    - name: create user If it already exists, no operation will be performed
+      ansible.builtin.user:
+        name: "{{ account.username }}"
+      when: secret_type == "ssh_key"
+
+    - name: remove jumpserver ssh key
+      ansible.builtin.lineinfile:
+        dest: "{{ kwargs.dest }}"
+        regexp: "{{ kwargs.regexp }}"
+        state: absent
+      when:
+      - secret_type == "ssh_key"
+      - kwargs.strategy == "set_jms"
+
+    - name: Change SSH key
+      ansible.builtin.authorized_key:
+        user: "{{ account.username }}"
+        key: "{{ account.secret }}"
+        exclusive: "{{ kwargs.exclusive }}"
+      when: secret_type == "ssh_key"
+
+    - name: Refresh connection
+      ansible.builtin.meta: reset_connection
+
+    - name: Verify password
+      ansible.builtin.ping:
+      become: no
+      vars:
+        ansible_user: "{{ account.username }}"
+        ansible_password: "{{ account.secret }}"
+        ansible_become: no
+      when: secret_type == "password"
+
+    - name: Verify SSH key
+      ansible.builtin.ping:
+      become: no
+      vars:
+        ansible_user: "{{ account.username }}"
+        ansible_ssh_private_key_file: "{{ account.private_key_path }}"
+        ansible_become: no
+      when: secret_type == "ssh_key"

apps/accounts/automations/change_secret/host/aix/manifest.yml

@@ -0,0 +1,6 @@
+id: change_secret_aix
+name: Change secret for aix
+category: host
+type:
+  - AIX
+method: change_secret

apps/accounts/automations/change_secret/host/posix/main.yml

@@ -0,0 +1,54 @@
+- hosts: demo
+  gather_facts: no
+  tasks:
+    - name: Test privileged account
+      ansible.builtin.ping:
+
+    - name: Change password
+      ansible.builtin.user:
+        name: "{{ account.username }}"
+        password: "{{ account.secret | password_hash('sha512') }}"
+        update_password: always
+      when: secret_type == "password"
+
+    - name: create user If it already exists, no operation will be performed
+      ansible.builtin.user:
+        name: "{{ account.username }}"
+      when: secret_type == "ssh_key"
+
+    - name: remove jumpserver ssh key
+      ansible.builtin.lineinfile:
+        dest: "{{ kwargs.dest }}"
+        regexp: "{{ kwargs.regexp }}"
+        state: absent
+      when:
+        - secret_type == "ssh_key"
+        - kwargs.strategy == "set_jms"
+
+    - name: Change SSH key
+      ansible.builtin.authorized_key:
+        user: "{{ account.username }}"
+        key: "{{ account.secret }}"
+        exclusive: "{{ kwargs.exclusive }}"
+      when: secret_type == "ssh_key"
+
+    - name: Refresh connection
+      ansible.builtin.meta: reset_connection
+
+    - name: Verify password
+      ansible.builtin.ping:
+      become: no
+      vars:
+        ansible_user: "{{ account.username }}"
+        ansible_password: "{{ account.secret }}"
+        ansible_become: no
+      when: secret_type == "password"
+
+    - name: Verify SSH key
+      ansible.builtin.ping:
+      become: no
+      vars:
+        ansible_user: "{{ account.username }}"
+        ansible_ssh_private_key_file: "{{ account.private_key_path }}"
+        ansible_become: no
+      when: secret_type == "ssh_key"

apps/accounts/automations/change_secret/host/posix/manifest.yml

@@ -0,0 +1,7 @@
+id: change_secret_posix
+name: Change secret for posix
+category: host
+type:
+  - unix
+  - linux
+method: change_secret

apps/accounts/automations/change_secret/host/windows/main.yml

@@ -0,0 +1,34 @@
+- hosts: demo
+  gather_facts: no
+  tasks:
+    - name: Test privileged account
+      ansible.windows.win_ping:
+
+#    - name: Print variables
+#      debug:
+#        msg: "Username: {{ account.username }}, Password: {{ account.secret }}"
+
+
+    - name: Get groups of a Windows user
+      ansible.windows.win_user:
+        name: "{{ jms_account.username }}"
+      register: user_info
+
+    - name: Change password
+      ansible.windows.win_user:
+        name: "{{ account.username }}"
+        password: "{{ account.secret }}"
+        groups: "{{ user_info.groups[0].name }}"
+        groups_action: add
+        update_password: always
+      when: account.secret_type == "password"
+
+    - name: Refresh connection
+      ansible.builtin.meta: reset_connection
+
+    - name: Verify password
+      ansible.windows.win_ping:
+      vars:
+        ansible_user: "{{ account.username }}"
+        ansible_password: "{{ account.secret }}"
+      when: account.secret_type == "password"

apps/accounts/automations/change_secret/host/windows/manifest.yml

@@ -0,0 +1,7 @@
+id: change_secret_local_windows
+name: Change secret local account for Windows
+version: 1
+method: change_secret
+category: host
+type:
+  - windows

apps/accounts/automations/change_secret/manager.py

@@ -0,0 +1,219 @@
+import os
+import time
+from collections import defaultdict
+from copy import deepcopy
+
+from django.conf import settings
+from django.utils import timezone
+from openpyxl import Workbook
+
+from accounts.const import AutomationTypes, SecretType, SSHKeyStrategy, SecretStrategy
+from accounts.models import ChangeSecretRecord
+from accounts.notifications import ChangeSecretExecutionTaskMsg
+from accounts.serializers import ChangeSecretRecordBackUpSerializer
+from assets.const import HostTypes
+from common.utils import get_logger, lazyproperty
+from common.utils.file import encrypt_and_compress_zip_file
+from common.utils.timezone import local_now_display
+from users.models import User
+from ..base.manager import AccountBasePlaybookManager
+from ...utils import SecretGenerator
+
+logger = get_logger(__name__)
+
+
+class ChangeSecretManager(AccountBasePlaybookManager):
+    ansible_account_prefer = ''
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.method_hosts_mapper = defaultdict(list)
+        self.secret_type = self.execution.snapshot['secret_type']
+        self.secret_strategy = self.execution.snapshot.get(
+            'secret_strategy', SecretStrategy.custom
+        )
+        self.ssh_key_change_strategy = self.execution.snapshot.get(
+            'ssh_key_change_strategy', SSHKeyStrategy.add
+        )
+        self.snapshot_account_usernames = self.execution.snapshot['accounts']
+        self.name_recorder_mapper = {}  # 做个映射，方便后面处理
+
+    @classmethod
+    def method_type(cls):
+        return AutomationTypes.change_secret
+
+    def get_kwargs(self, account, secret):
+        kwargs = {}
+        if self.secret_type != SecretType.SSH_KEY:
+            return kwargs
+        kwargs['strategy'] = self.ssh_key_change_strategy
+        kwargs['exclusive'] = 'yes' if kwargs['strategy'] == SSHKeyStrategy.set else 'no'
+
+        if kwargs['strategy'] == SSHKeyStrategy.set_jms:
+            kwargs['dest'] = '/home/{}/.ssh/authorized_keys'.format(account.username)
+            kwargs['regexp'] = '.*{}$'.format(secret.split()[2].strip())
+        return kwargs
+
+    @lazyproperty
+    def secret_generator(self):
+        return SecretGenerator(
+            self.secret_strategy, self.secret_type,
+            self.execution.snapshot.get('password_rules')
+        )
+
+    def get_secret(self):
+        if self.secret_strategy == SecretStrategy.custom:
+            return self.execution.snapshot['secret']
+        else:
+            return self.secret_generator.get_secret()
+
+    def host_callback(
+            self, host, asset=None, account=None,
+            automation=None, path_dir=None, **kwargs
+    ):
+        host = super().host_callback(
+            host, asset=asset, account=account, automation=automation,
+            path_dir=path_dir, **kwargs
+        )
+        if host.get('error'):
+            return host
+
+        accounts = asset.accounts.all()
+        if account:
+            accounts = accounts.exclude(username=account.username)
+
+        if '*' not in self.snapshot_account_usernames:
+            accounts = accounts.filter(username__in=self.snapshot_account_usernames)
+
+        accounts = accounts.filter(secret_type=self.secret_type)
+        if not accounts:
+            print('没有发现待改密账号: %s 用户名: %s 类型: %s' % (
+                asset.name, self.snapshot_account_usernames, self.secret_type
+            ))
+            return []
+
+        method_attr = getattr(automation, self.method_type() + '_method')
+        method_hosts = self.method_hosts_mapper[method_attr]
+        method_hosts = [h for h in method_hosts if h != host['name']]
+        inventory_hosts = []
+        records = []
+        host['secret_type'] = self.secret_type
+
+        if asset.type == HostTypes.WINDOWS and self.secret_type == SecretType.SSH_KEY:
+            print(f'Windows {asset} does not support ssh key push \n')
+            return inventory_hosts
+
+        for account in accounts:
+            h = deepcopy(host)
+            h['name'] += '(' + account.username + ')'
+            new_secret = self.get_secret()
+
+            recorder = ChangeSecretRecord(
+                asset=asset, account=account, execution=self.execution,
+                old_secret=account.secret, new_secret=new_secret,
+            )
+            records.append(recorder)
+            self.name_recorder_mapper[h['name']] = recorder
+
+            private_key_path = None
+            if self.secret_type == SecretType.SSH_KEY:
+                private_key_path = self.generate_private_key_path(new_secret, path_dir)
+                new_secret = self.generate_public_key(new_secret)
+
+            h['kwargs'] = self.get_kwargs(account, new_secret)
+            h['account'] = {
+                'name': account.name,
+                'username': account.username,
+                'secret_type': account.secret_type,
+                'secret': new_secret,
+                'private_key_path': private_key_path
+            }
+            if asset.platform.type == 'oracle':
+                h['account']['mode'] = 'sysdba' if account.privileged else None
+            inventory_hosts.append(h)
+            method_hosts.append(h['name'])
+        self.method_hosts_mapper[method_attr] = method_hosts
+        ChangeSecretRecord.objects.bulk_create(records)
+        return inventory_hosts
+
+    def on_host_success(self, host, result):
+        recorder = self.name_recorder_mapper.get(host)
+        if not recorder:
+            return
+        recorder.status = 'success'
+        recorder.date_finished = timezone.now()
+        recorder.save()
+        account = recorder.account
+        if not account:
+            print("Account not found, deleted ?")
+            return
+        account.secret = recorder.new_secret
+        account.save(update_fields=['secret'])
+
+    def on_host_error(self, host, error, result):
+        recorder = self.name_recorder_mapper.get(host)
+        if not recorder:
+            return
+        recorder.status = 'failed'
+        recorder.date_finished = timezone.now()
+        recorder.error = error
+        recorder.save()
+
+    def on_runner_failed(self, runner, e):
+        logger.error("Change secret error: ", e)
+
+    def check_secret(self):
+        if self.secret_strategy == SecretStrategy.custom \
+                and not self.execution.snapshot['secret']:
+            print('Custom secret is empty')
+            return False
+        return True
+
+    def run(self, *args, **kwargs):
+        if not self.check_secret():
+            return
+        super().run(*args, **kwargs)
+        recorders = self.name_recorder_mapper.values()
+        recorders = list(recorders)
+        self.send_recorder_mail(recorders)
+
+    def send_recorder_mail(self, recorders):
+        recipients = self.execution.recipients
+        if not recorders or not recipients:
+            return
+
+        recipients = User.objects.filter(id__in=list(recipients.keys()))
+
+        name = self.execution.snapshot['name']
+        path = os.path.join(os.path.dirname(settings.BASE_DIR), 'tmp')
+        filename = os.path.join(path, f'{name}-{local_now_display()}-{time.time()}.xlsx')
+        if not self.create_file(recorders, filename):
+            return
+
+        for user in recipients:
+            attachments = []
+            if user.secret_key:
+                password = user.secret_key.encode('utf8')
+                attachment = os.path.join(path, f'{name}-{local_now_display()}-{time.time()}.zip')
+                encrypt_and_compress_zip_file(attachment, password, [filename])
+                attachments = [attachment]
+            ChangeSecretExecutionTaskMsg(name, user).publish(attachments)
+        os.remove(filename)
+
+    @staticmethod
+    def create_file(recorders, filename):
+        serializer_cls = ChangeSecretRecordBackUpSerializer
+        serializer = serializer_cls(recorders, many=True)
+
+        header = [str(v.label) for v in serializer.child.fields.values()]
+        rows = [[str(i) for i in row.values()] for row in serializer.data]
+        if not rows:
+            return False
+
+        rows.insert(0, header)
+        wb = Workbook(filename)
+        ws = wb.create_sheet('Sheet1')
+        for row in rows:
+            ws.append(row)
+        wb.save(filename)
+        return True

apps/accounts/automations/endpoint.py

@@ -0,0 +1,26 @@
+from .push_account.manager import PushAccountManager
+from .change_secret.manager import ChangeSecretManager
+from .verify_account.manager import VerifyAccountManager
+from .backup_account.manager import AccountBackupManager
+from .gather_accounts.manager import GatherAccountsManager
+from .verify_gateway_account.manager import VerifyGatewayAccountManager
+from ..const import AutomationTypes
+
+
+class ExecutionManager:
+    manager_type_mapper = {
+        AutomationTypes.push_account: PushAccountManager,
+        AutomationTypes.change_secret: ChangeSecretManager,
+        AutomationTypes.verify_account: VerifyAccountManager,
+        AutomationTypes.gather_accounts: GatherAccountsManager,
+        AutomationTypes.verify_gateway_account: VerifyGatewayAccountManager,
+        # TODO 后期迁移到自动化策略中
+        'backup_account': AccountBackupManager,
+    }
+
+    def __init__(self, execution):
+        self.execution = execution
+        self._runner = self.manager_type_mapper[execution.manager_type](execution)
+
+    def run(self, *args, **kwargs):
+        return self._runner.run(*args, **kwargs)

apps/accounts/automations/gather_accounts/database/mongodb/main.yml

@@ -0,0 +1,27 @@
+- hosts: mongodb
+  gather_facts: no
+  vars:
+    ansible_python_interpreter: /usr/local/bin/python
+
+  tasks:
+    - name: Get info
+      community.mongodb.mongodb_info:
+        login_user: "{{ jms_account.username }}"
+        login_password: "{{ jms_account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        login_database: "{{ jms_asset.spec_info.db_name }}"
+        ssl: "{{ jms_asset.spec_info.use_ssl }}"
+        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
+        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
+        connection_options:
+          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
+        filter: users
+      register: db_info
+
+    - name: Define info by set_fact
+      set_fact:
+        info: "{{ db_info.users }}"
+
+    - debug:
+        var: info

apps/accounts/automations/gather_accounts/database/mongodb/manifest.yml

@@ -0,0 +1,6 @@
+id: gather_accounts_mongodb
+name: Gather account from MongoDB
+category: database
+type:
+  - mongodb
+method: gather_accounts

apps/accounts/automations/gather_accounts/database/mysql/main.yml

@@ -0,0 +1,21 @@
+- hosts: mysql
+  gather_facts: no
+  vars:
+    ansible_python_interpreter: /usr/local/bin/python
+
+  tasks:
+    - name: Get info
+      community.mysql.mysql_info:
+        login_user: "{{ jms_account.username }}"
+        login_password: "{{ jms_account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        filter: users
+      register: db_info
+
+    - name: Define info by set_fact
+      set_fact:
+        info: "{{ db_info.users }}"
+
+    - debug:
+        var: info

apps/accounts/automations/gather_accounts/database/mysql/manifest.yml

@@ -0,0 +1,7 @@
+id: gather_accounts_mysql
+name: Gather account from MySQL
+category: database
+type:
+  - mysql
+  - mariadb
+method: gather_accounts

apps/accounts/automations/gather_accounts/database/oracle/main.yml

@@ -0,0 +1,23 @@
+- hosts: oralce
+  gather_facts: no
+  vars:
+    ansible_python_interpreter: /usr/local/bin/python
+
+  tasks:
+    - name: Get info
+      oracle_info:
+        login_user: "{{ jms_account.username }}"
+        login_password: "{{ jms_account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        login_database: "{{ jms_asset.spec_info.db_name }}"
+        mode: "{{ jms_account.mode }}"
+        filter: users
+      register: db_info
+
+    - name: Define info by set_fact
+      set_fact:
+        info: "{{ db_info.users }}"
+
+    - debug:
+        var: info

apps/accounts/automations/gather_accounts/database/oracle/manifest.yml

@@ -0,0 +1,6 @@
+id: gather_accounts_oracle
+name: Gather account from Oracle
+category: database
+type:
+  - oracle
+method: gather_accounts

apps/accounts/automations/gather_accounts/database/postgresql/main.yml

@@ -0,0 +1,22 @@
+- hosts: postgresql
+  gather_facts: no
+  vars:
+    ansible_python_interpreter: /usr/local/bin/python
+
+  tasks:
+    - name: Get info
+      community.postgresql.postgresql_info:
+        login_user: "{{ jms_account.username }}"
+        login_password: "{{ jms_account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        login_db: "{{ jms_asset.spec_info.db_name }}"
+        filter: "roles"
+      register: db_info
+
+    - name: Define info by set_fact
+      set_fact:
+        info: "{{ db_info.roles }}"
+
+    - debug:
+        var: info

apps/accounts/automations/gather_accounts/database/postgresql/manifest.yml

@@ -0,0 +1,6 @@
+id: gather_accounts_postgresql
+name: Gather account for PostgreSQL
+category: database
+type:
+  - postgresql
+method: gather_accounts

apps/accounts/automations/gather_accounts/filter.py

@@ -0,0 +1,63 @@
+from django.utils import timezone
+
+__all__ = ['GatherAccountsFilter']
+
+
+# TODO 后期会挪到playbook中
+class GatherAccountsFilter:
+
+    def __init__(self, tp):
+        self.tp = tp
+
+    @staticmethod
+    def mysql_filter(info):
+        result = {}
+        for _, user_dict in info.items():
+            for username, data in user_dict.items():
+                if data.get('account_locked') == 'N':
+                    result[username] = {}
+        return result
+
+    @staticmethod
+    def postgresql_filter(info):
+        result = {}
+        for username in info:
+            result[username] = {}
+        return result
+
+    @staticmethod
+    def posix_filter(info):
+        result = {}
+        for line in info:
+            data = line.split('@')
+            if len(data) == 1:
+                result[line] = {}
+                continue
+
+            if len(data) != 3:
+                continue
+            username, address, dt = data
+            date = timezone.datetime.strptime(f'{dt} +0800', '%b %d %H:%M:%S %Y %z')
+            result[username] = {'address': address, 'date': date}
+        return result
+
+    @staticmethod
+    def windows_filter(info):
+        info = info[4:-2]
+        result = {}
+        for i in info:
+            for username in i.split():
+                result[username] = {}
+        return result
+
+    def run(self, method_id_meta_mapper, info):
+        run_method_name = None
+        for k, v in method_id_meta_mapper.items():
+            if self.tp not in v['type']:
+                continue
+            run_method_name = k.replace(f'{v["method"]}_', '')
+
+        if not run_method_name:
+            return info
+
+        return getattr(self, f'{run_method_name}_filter')(info)

apps/accounts/automations/gather_accounts/host/posix/main.yml

@@ -0,0 +1,21 @@
+- hosts: demo
+  gather_facts: no
+  tasks:
+    - name: Gather posix account
+      ansible.builtin.shell:
+        cmd: >
+          users=$(getent passwd | grep -v nologin | grep -v shutdown | awk -F":" '{ print $1 }');for i in $users;
+          do k=$(last -w -F $i -1 | head -1 | grep -v ^$ | awk '{ print $1"@"$3"@"$5,$6,$7,$8 }')
+            if [ -n "$k" ]; then
+              echo $k
+            else
+              echo $i
+            fi;done
+      register: result
+
+    - name: Define info by set_fact
+      ansible.builtin.set_fact:
+        info: "{{ result.stdout_lines }}"
+
+    - debug:
+        var: info

apps/accounts/automations/gather_accounts/host/posix/manifest.yml

@@ -0,0 +1,7 @@
+id: gather_accounts_posix
+name: Gather posix account
+category: host
+type:
+  - linux
+  - unix
+method: gather_accounts

apps/accounts/automations/gather_accounts/host/windows/main.yml

@@ -0,0 +1,13 @@
+- hosts: demo
+  gather_facts: no
+  tasks:
+    - name: Gather posix account
+      ansible.builtin.win_shell: net user
+      register: result
+
+    - name: Define info by set_fact
+      ansible.builtin.set_fact:
+        info: "{{ result.stdout_lines }}"
+
+    - debug:
+        var: info

apps/accounts/automations/gather_accounts/host/windows/manifest.yml

@@ -0,0 +1,7 @@
+id: gather_accounts_windows
+name: Gather account windows
+version: 1
+method: gather_accounts
+category: host
+type:
+  - windows

apps/accounts/automations/gather_accounts/manager.py

@@ -0,0 +1,50 @@
+from accounts.const import AutomationTypes
+from accounts.models import GatheredAccount
+from common.utils import get_logger
+from orgs.utils import tmp_to_org
+from .filter import GatherAccountsFilter
+from ..base.manager import AccountBasePlaybookManager
+
+logger = get_logger(__name__)
+
+
+class GatherAccountsManager(AccountBasePlaybookManager):
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.host_asset_mapper = {}
+
+    @classmethod
+    def method_type(cls):
+        return AutomationTypes.gather_accounts
+
+    def host_callback(self, host, asset=None, **kwargs):
+        super().host_callback(host, asset=asset, **kwargs)
+        self.host_asset_mapper[host['name']] = asset
+        return host
+
+    def filter_success_result(self, host, result):
+        result = GatherAccountsFilter(host).run(self.method_id_meta_mapper, result)
+        return result
+
+    @staticmethod
+    def update_or_create_gathered_accounts(asset, result):
+        with tmp_to_org(asset.org_id):
+            GatheredAccount.objects.filter(asset=asset, present=True).update(present=False)
+            for username, data in result.items():
+                d = {'asset': asset, 'username': username, 'present': True}
+                if data.get('date'):
+                    d['date_last_login'] = data['date']
+                if data.get('address'):
+                    d['address_last_login'] = data['address'][:32]
+                GatheredAccount.objects.update_or_create(
+                    defaults=d, asset=asset, username=username,
+                )
+
+    def on_host_success(self, host, result):
+        info = result.get('debug', {}).get('res', {}).get('info', {})
+        asset = self.host_asset_mapper.get(host)
+        if asset and info:
+            result = self.filter_success_result(asset.type, info)
+            self.update_or_create_gathered_accounts(asset, result)
+        else:
+            logger.error("Not found info".format(host))

apps/accounts/automations/methods.py

@@ -0,0 +1,30 @@
+import os
+import copy
+
+from accounts.const import AutomationTypes
+from assets.automations.methods import get_platform_automation_methods
+
+
+def copy_change_secret_to_push_account(methods):
+    push_account = AutomationTypes.push_account
+    change_secret = AutomationTypes.change_secret
+    copy_methods = copy.deepcopy(methods)
+    for method in copy_methods:
+        if not method['id'].startswith(change_secret):
+            continue
+        copy_method = copy.deepcopy(method)
+        copy_method['method'] = push_account.value
+        copy_method['id'] = copy_method['id'].replace(
+            change_secret, push_account
+        )
+        copy_method['name'] = copy_method['name'].replace(
+            'Change secret', 'Push account'
+        )
+        methods.append(copy_method)
+    return methods
+
+
+BASE_DIR = os.path.dirname(os.path.abspath(__file__))
+automation_methods = get_platform_automation_methods(BASE_DIR)
+
+platform_automation_methods = copy_change_secret_to_push_account(automation_methods)

apps/accounts/automations/push_account/manager.py

@@ -0,0 +1,178 @@
+from copy import deepcopy
+
+from django.db.models import QuerySet
+
+from accounts.const import AutomationTypes, SecretType
+from accounts.models import Account
+from assets.const import HostTypes
+from common.utils import get_logger
+from ..base.manager import AccountBasePlaybookManager
+from ..change_secret.manager import ChangeSecretManager
+
+logger = get_logger(__name__)
+
+
+class PushAccountManager(ChangeSecretManager, AccountBasePlaybookManager):
+    ansible_account_prefer = ''
+
+    @classmethod
+    def method_type(cls):
+        return AutomationTypes.push_account
+
+    def create_nonlocal_accounts(self, accounts, snapshot_account_usernames, asset):
+        secret_type = self.secret_type
+        usernames = accounts.filter(secret_type=secret_type).values_list(
+            'username', flat=True
+        )
+        create_usernames = set(snapshot_account_usernames) - set(usernames)
+        create_account_objs = [
+            Account(
+                name=f'{username}-{secret_type}', username=username,
+                secret_type=secret_type, asset=asset,
+            )
+            for username in create_usernames
+        ]
+        Account.objects.bulk_create(create_account_objs)
+
+    def get_accounts(self, privilege_account, accounts: QuerySet):
+        if not privilege_account:
+            print(f'not privilege account')
+            return []
+        snapshot_account_usernames = self.execution.snapshot['accounts']
+        if '*' in snapshot_account_usernames:
+            return accounts.exclude(username=privilege_account.username)
+
+        asset = privilege_account.asset
+        self.create_nonlocal_accounts(accounts, snapshot_account_usernames, asset)
+        accounts = asset.accounts.exclude(username=privilege_account.username).filter(
+            username__in=snapshot_account_usernames, secret_type=self.secret_type
+        )
+        return accounts
+
+    def host_callback(self, host, asset=None, account=None, automation=None, path_dir=None, **kwargs):
+        host = super(ChangeSecretManager, self).host_callback(
+            host, asset=asset, account=account, automation=automation,
+            path_dir=path_dir, **kwargs
+        )
+        if host.get('error'):
+            return host
+
+        accounts = asset.accounts.all()
+        accounts = self.get_accounts(account, accounts)
+        inventory_hosts = []
+        host['secret_type'] = self.secret_type
+        if asset.type == HostTypes.WINDOWS and self.secret_type == SecretType.SSH_KEY:
+            msg = f'Windows {asset} does not support ssh key push \n'
+            print(msg)
+            return inventory_hosts
+
+        for account in accounts:
+            h = deepcopy(host)
+            h['name'] += '(' + account.username + ')'
+            new_secret = self.get_secret()
+
+            self.name_recorder_mapper[h['name']] = {
+                'account': account, 'new_secret': new_secret,
+            }
+
+            private_key_path = None
+            if self.secret_type == SecretType.SSH_KEY:
+                private_key_path = self.generate_private_key_path(new_secret, path_dir)
+                new_secret = self.generate_public_key(new_secret)
+
+            h['kwargs'] = self.get_kwargs(account, new_secret)
+            h['account'] = {
+                'name': account.name,
+                'username': account.username,
+                'secret_type': account.secret_type,
+                'secret': new_secret,
+                'private_key_path': private_key_path
+            }
+            if asset.platform.type == 'oracle':
+                h['account']['mode'] = 'sysdba' if account.privileged else None
+            inventory_hosts.append(h)
+        return inventory_hosts
+
+    def on_host_success(self, host, result):
+        account_info = self.name_recorder_mapper.get(host)
+        if not account_info:
+            return
+
+        account = account_info['account']
+        new_secret = account_info['new_secret']
+        if not account:
+            return
+        account.secret = new_secret
+        account.save(update_fields=['secret'])
+
+    def on_host_error(self, host, error, result):
+        pass
+
+    def on_runner_failed(self, runner, e):
+        logger.error("Pust account error: ", e)
+
+    def run(self, *args, **kwargs):
+        if not self.check_secret():
+            return
+        super().run(*args, **kwargs)
+
+    # @classmethod
+    # def trigger_by_asset_create(cls, asset):
+    #     automations = PushAccountAutomation.objects.filter(
+    #         triggers__contains=TriggerChoice.on_asset_create
+    #     )
+    #     account_automation_map = {auto.username: auto for auto in automations}
+    #
+    #     util = AssetPermissionUtil()
+    #     permissions = util.get_permissions_for_assets([asset], with_node=True)
+    #     account_permission_map = defaultdict(list)
+    #     for permission in permissions:
+    #         for account in permission.accounts:
+    #             account_permission_map[account].append(permission)
+    #
+    #     username_automation_map = {}
+    #     for username, automation in account_automation_map.items():
+    #         if username != '@USER':
+    #             username_automation_map[username] = automation
+    #             continue
+    #
+    #         asset_permissions = account_permission_map.get(username)
+    #         if not asset_permissions:
+    #             continue
+    #         asset_permissions = util.get_permissions([p.id for p in asset_permissions])
+    #         usernames = asset_permissions.values_list('users__username', flat=True).distinct()
+    #         for _username in usernames:
+    #             username_automation_map[_username] = automation
+    #
+    #     asset_usernames_exists = asset.accounts.values_list('username', flat=True)
+    #     accounts_to_create = []
+    #     accounts_to_push = []
+    #     for username, automation in username_automation_map.items():
+    #         if username in asset_usernames_exists:
+    #             continue
+    #
+    #         if automation.secret_strategy != SecretStrategy.custom:
+    #             secret_generator = SecretGenerator(
+    #                 automation.secret_strategy, automation.secret_type,
+    #                 automation.password_rules
+    #             )
+    #             secret = secret_generator.get_secret()
+    #         else:
+    #             secret = automation.secret
+    #
+    #         account = Account(
+    #             username=username, secret=secret,
+    #             asset=asset, secret_type=automation.secret_type,
+    #             comment='Create by account creation {}'.format(automation.name),
+    #         )
+    #         accounts_to_create.append(account)
+    #         if automation.action == 'create_and_push':
+    #             accounts_to_push.append(account)
+    #         else:
+    #             accounts_to_create.append(account)
+    #
+    #         logger.debug(f'Create account {account} for asset {asset}')
+
+    # @classmethod
+    # def trigger_by_permission_accounts_change(cls):
+    #     pass

apps/accounts/automations/verify_account/database/mongodb/main.yml

@@ -0,0 +1,18 @@
+- hosts: mongdb
+  gather_facts: no
+  vars:
+    ansible_python_interpreter: /usr/local/bin/python
+
+  tasks:
+    - name: Verify account
+      mongodb_ping:
+        login_user: "{{ account.username }}"
+        login_password: "{{ account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        login_database: "{{ jms_asset.spec_info.db_name }}"
+        ssl: "{{ jms_asset.spec_info.use_ssl }}"
+        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
+        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
+        connection_options:
+          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"

apps/accounts/automations/verify_account/database/mongodb/manifest.yml

@@ -0,0 +1,6 @@
+id: verify_account_mongodb
+name: Verify account from MongoDB
+category: database
+type:
+  - mongodb
+method: verify_account

apps/accounts/automations/verify_account/database/mysql/main.yml

@@ -0,0 +1,13 @@
+- hosts: mysql
+  gather_facts: no
+  vars:
+    ansible_python_interpreter: /usr/local/bin/python
+
+  tasks:
+    - name: Verify account
+      community.mysql.mysql_info:
+        login_user: "{{ account.username }}"
+        login_password: "{{ account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        filter: version

apps/accounts/automations/verify_account/database/mysql/manifest.yml

@@ -0,0 +1,7 @@
+id: verify_account_mysql
+name: Verify account from MySQL
+category: database
+type:
+  - mysql
+  - mariadb
+method: verify_account

apps/accounts/automations/verify_account/database/oracle/main.yml

@@ -0,0 +1,14 @@
+- hosts: oracle
+  gather_facts: no
+  vars:
+    ansible_python_interpreter: /usr/local/bin/python
+
+  tasks:
+    - name: Verify account
+      oracle_ping:
+        login_user: "{{ account.username }}"
+        login_password: "{{ account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        login_database: "{{ jms_asset.spec_info.db_name }}"
+        mode: "{{ account.mode }}"

apps/accounts/automations/verify_account/database/oracle/manifest.yml

@@ -0,0 +1,6 @@
+id: verify_account_oracle
+name: Verify account from Oracle
+category: database
+type:
+  - oracle
+method: verify_account

apps/accounts/automations/verify_account/database/postgresql/main.yml

@@ -0,0 +1,16 @@
+- hosts: postgresql
+  gather_facts: no
+  vars:
+    ansible_python_interpreter: /usr/local/bin/python
+
+
+  tasks:
+    - name: Verify account
+      community.postgresql.postgresql_ping:
+        login_user: "{{ account.username }}"
+        login_password: "{{ account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        db: "{{ jms_asset.spec_info.db_name }}"
+      register: result
+      failed_when: not result.is_available

apps/accounts/automations/verify_account/database/postgresql/manifest.yml

@@ -0,0 +1,6 @@
+id: verify_account_postgresql
+name: Verify account for PostgreSQL
+category: database
+type:
+  - postgresql
+method: verify_account

apps/accounts/automations/verify_account/database/sqlserver/main.yml

@@ -0,0 +1,15 @@
+- hosts: sqlserver
+  gather_facts: no
+  vars:
+    ansible_python_interpreter: /usr/local/bin/python
+
+  tasks:
+    - name: Verify account
+      community.general.mssql_script:
+        login_user: "{{ account.username }}"
+        login_password: "{{ account.secret }}"
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        name: '{{ jms_asset.spec_info.db_name }}'
+        script: |
+          SELECT @@version

apps/accounts/automations/verify_account/database/sqlserver/manifest.yml

@@ -0,0 +1,6 @@
+id: verify_account_sqlserver
+name: Verify account from SQLServer
+category: database
+type:
+  - sqlserver
+method: verify_account

apps/accounts/automations/verify_account/host/posix/main.yml

@@ -0,0 +1,11 @@
+- hosts: demo
+  gather_facts: no
+  tasks:
+    - name: Verify account connectivity
+      become: no
+      ansible.builtin.ping:
+      vars:
+        ansible_become: no
+        ansible_user: "{{ account.username }}"
+        ansible_password: "{{ account.secret }}"
+        ansible_ssh_private_key_file: "{{ account.private_key_path }}"

apps/accounts/automations/verify_account/host/posix/manifest.yml

@@ -0,0 +1,7 @@
+id: verify_account_posix
+name: Verify posix account
+category: host
+type:
+  - linux
+  - unix
+method: verify_account

apps/accounts/automations/verify_account/host/windows/main.yml

@@ -0,0 +1,8 @@
+- hosts: windows
+  gather_facts: no
+  tasks:
+    - name: Verify account
+      ansible.windows.win_ping:
+      vars:
+        ansible_user: "{{ account.username }}"
+        ansible_password: "{{ account.secret }}"

apps/accounts/automations/verify_account/host/windows/manifest.yml

@@ -0,0 +1,7 @@
+id: verify_account_windows
+name: Verify account windows
+version: 1
+method: verify_account
+category: host
+type:
+  - windows

apps/accounts/automations/verify_account/manager.py

@@ -0,0 +1,81 @@
+import os
+from copy import deepcopy
+
+from django.db.models import QuerySet
+
+from accounts.const import AutomationTypes, Connectivity, SecretType
+from common.utils import get_logger
+from ..base.manager import AccountBasePlaybookManager
+
+logger = get_logger(__name__)
+
+
+class VerifyAccountManager(AccountBasePlaybookManager):
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.host_account_mapper = {}
+
+    def prepare_runtime_dir(self):
+        path = super().prepare_runtime_dir()
+        ansible_config_path = os.path.join(path, 'ansible.cfg')
+
+        with open(ansible_config_path, 'w') as f:
+            f.write('[ssh_connection]\n')
+            f.write('ssh_args = -o ControlMaster=no -o ControlPersist=no\n')
+        return path
+
+    def host_callback(self, host, asset=None, account=None, automation=None, path_dir=None, **kwargs):
+        host = super().host_callback(
+            host, asset=asset, account=account,
+            automation=automation, path_dir=path_dir, **kwargs
+        )
+        if host.get('error'):
+            return host
+
+        # host['ssh_args'] = '-o ControlMaster=no -o ControlPersist=no'
+        accounts = asset.accounts.all()
+        accounts = self.get_accounts(account, accounts)
+        inventory_hosts = []
+
+        for account in accounts:
+            h = deepcopy(host)
+            h['name'] += '(' + account.username + ')'
+            self.host_account_mapper[h['name']] = account
+            secret = account.secret
+
+            private_key_path = None
+            if account.secret_type == SecretType.SSH_KEY:
+                private_key_path = self.generate_private_key_path(secret, path_dir)
+                secret = self.generate_public_key(secret)
+
+            h['secret_type'] = account.secret_type
+            h['account'] = {
+                'name': account.name,
+                'username': account.username,
+                'secret_type': account.secret_type,
+                'secret': secret,
+                'private_key_path': private_key_path
+            }
+            if account.platform.type == 'oracle':
+                h['account']['mode'] = 'sysdba' if account.privileged else None
+            inventory_hosts.append(h)
+        return inventory_hosts
+
+    @classmethod
+    def method_type(cls):
+        return AutomationTypes.verify_account
+
+    def get_accounts(self, privilege_account, accounts: QuerySet):
+        snapshot_account_usernames = self.execution.snapshot['accounts']
+        if '*' not in snapshot_account_usernames:
+            accounts = accounts.filter(username__in=snapshot_account_usernames)
+        return accounts
+
+    def on_host_success(self, host, result):
+        account = self.host_account_mapper.get(host)
+        account.set_connectivity(Connectivity.OK)
+
+    def on_host_error(self, host, error, result):
+        account = self.host_account_mapper.get(host)
+        account.set_connectivity(Connectivity.ERR)

apps/accounts/automations/verify_gateway_account/manager.py

@@ -0,0 +1,21 @@
+from common.utils import get_logger
+from accounts.const import AutomationTypes
+from assets.automations.ping_gateway.manager import PingGatewayManager
+
+logger = get_logger(__name__)
+
+
+class VerifyGatewayAccountManager(PingGatewayManager):
+
+    @classmethod
+    def method_type(cls):
+        return AutomationTypes.verify_gateway_account
+
+    @staticmethod
+    def before_runner_start():
+        logger.info(">>> 开始执行测试网关账号可连接性任务")
+
+    def get_accounts(self, gateway):
+        usernames = self.execution.snapshot['accounts']
+        accounts = gateway.accounts.filter(username__in=usernames)
+        return accounts

apps/accounts/const/__init__.py

@@ -0,0 +1,2 @@
+from .account import *
+from .automation import *

apps/accounts/const/account.py

@@ -0,0 +1,20 @@
+from django.db.models import TextChoices
+from django.utils.translation import ugettext_lazy as _
+
+
+class SecretType(TextChoices):
+    PASSWORD = 'password', _('Password')
+    SSH_KEY = 'ssh_key', _('SSH key')
+    ACCESS_KEY = 'access_key', _('Access key')
+    TOKEN = 'token', _('Token')
+
+
+class AliasAccount(TextChoices):
+    ALL = '@ALL', _('All')
+    INPUT = '@INPUT', _('Manual input')
+    USER = '@USER', _('Dynamic user')
+
+
+class Source(TextChoices):
+    LOCAL = 'local', _('Local')
+    COLLECTED = 'collected', _('Collected')

apps/accounts/const/automation.py

@@ -0,0 +1,95 @@
+from django.db import models
+from django.utils.translation import ugettext_lazy as _
+
+from assets.const import Connectivity
+from common.db.fields import TreeChoices
+
+string_punctuation = '!#$%&()*+,-.:;<=>?@[]^_~'
+DEFAULT_PASSWORD_LENGTH = 30
+DEFAULT_PASSWORD_RULES = {
+    'length': DEFAULT_PASSWORD_LENGTH,
+    'symbol_set': string_punctuation
+}
+
+__all__ = [
+    'AutomationTypes', 'SecretStrategy', 'SSHKeyStrategy', 'Connectivity',
+    'DEFAULT_PASSWORD_LENGTH', 'DEFAULT_PASSWORD_RULES', 'TriggerChoice',
+    'PushAccountActionChoice',
+]
+
+
+class AutomationTypes(models.TextChoices):
+    push_account = 'push_account', _('Push account')
+    change_secret = 'change_secret', _('Change secret')
+    verify_account = 'verify_account', _('Verify account')
+    gather_accounts = 'gather_accounts', _('Gather accounts')
+    verify_gateway_account = 'verify_gateway_account', _('Verify gateway account')
+
+    @classmethod
+    def get_type_model(cls, tp):
+        from accounts.models import (
+            PushAccountAutomation, ChangeSecretAutomation,
+            VerifyAccountAutomation, GatherAccountsAutomation,
+        )
+        type_model_dict = {
+            cls.push_account: PushAccountAutomation,
+            cls.change_secret: ChangeSecretAutomation,
+            cls.verify_account: VerifyAccountAutomation,
+            cls.gather_accounts: GatherAccountsAutomation,
+        }
+        return type_model_dict.get(tp)
+
+
+class SecretStrategy(models.TextChoices):
+    custom = 'specific', _('Specific password')
+    random = 'random', _('Random')
+
+
+class SSHKeyStrategy(models.TextChoices):
+    add = 'add', _('Append SSH KEY')
+    set = 'set', _('Empty and append SSH KEY')
+    set_jms = 'set_jms', _('Replace (The key generated by JumpServer) ')
+
+
+class TriggerChoice(models.TextChoices, TreeChoices):
+    # 当资产创建时，直接创建账号，如果是动态账号，需要从授权中查询该资产被授权过的用户，已用户用户名为账号，创建
+    on_asset_create = 'on_asset_create', _('On asset create')
+    # 授权变化包含，用户加入授权，用户组加入授权，资产加入授权，节点加入授权，账号变化
+    # 当添加用户到授权时，查询所有同名账号 automation, 把本授权上的用户 (用户组), 创建到本授权的资产(节点)上
+    on_perm_add_user = 'on_perm_add_user', _('On perm add user')
+    # 当添加用户组到授权时，查询所有同名账号 automation, 把本授权上的用户 (用户组), 创建到本授权的资产(节点)上
+    on_perm_add_user_group = 'on_perm_add_user_group', _('On perm add user group')
+    # 当添加资产到授权时，查询授权的所有账号 automation, 创建到本授权的资产上
+    on_perm_add_asset = 'on_perm_add_asset', _('On perm add asset')
+    # 当添加节点到授权时，查询授权的所有账号 automation, 创建到本授权的节点的资产上
+    on_perm_add_node = 'on_perm_add_node', _('On perm add node')
+    # 当授权的账号变化时，查询授权的所有账号 automation, 创建到本授权的资产(节点)上
+    on_perm_add_account = 'on_perm_add_account', _('On perm add account')
+    # 当资产添加到节点时，查询节点的授权规则，查询授权的所有账号 automation, 创建到本授权的资产(节点)上
+    on_asset_join_node = 'on_asset_join_node', _('On asset join node')
+    # 当用户加入到用户组时，查询用户组的授权规则，查询授权的所有账号 automation, 创建到本授权的资产(节点)上
+    on_user_join_group = 'on_user_join_group', _('On user join group')
+
+    @classmethod
+    def branches(cls):
+        # 和用户和用户组相关的都是动态账号
+        #
+        return [
+            cls.on_asset_create,
+            (_("On perm change"), [
+                cls.on_perm_add_user,
+                cls.on_perm_add_user_group,
+                cls.on_perm_add_asset,
+                cls.on_perm_add_node,
+                cls.on_perm_add_account,
+            ]),
+            (_("Inherit from group or node"), [
+                cls.on_asset_join_node,
+                cls.on_user_join_group,
+            ])
+        ]
+
+
+class PushAccountActionChoice(models.TextChoices):
+    create_and_push = 'create_and_push', _('Create and push')
+    only_create = 'only_create', _('Only create')

apps/accounts/filters.py

@@ -0,0 +1,61 @@
+# -*- coding: utf-8 -*-
+#
+from django.db.models import Q
+from django_filters import rest_framework as drf_filters
+
+from assets.models import Node
+from common.drf.filters import BaseFilterSet
+
+from .models import Account, GatheredAccount
+
+
+class AccountFilterSet(BaseFilterSet):
+    ip = drf_filters.CharFilter(field_name='address', lookup_expr='exact')
+    hostname = drf_filters.CharFilter(field_name='name', lookup_expr='exact')
+    username = drf_filters.CharFilter(field_name="username", lookup_expr='exact')
+    address = drf_filters.CharFilter(field_name="asset__address", lookup_expr='exact')
+    asset = drf_filters.CharFilter(field_name="asset_id", lookup_expr='exact')
+    assets = drf_filters.CharFilter(field_name='asset_id', lookup_expr='exact')
+    nodes = drf_filters.CharFilter(method='filter_nodes')
+    node_id = drf_filters.CharFilter(method='filter_nodes')
+    has_secret = drf_filters.BooleanFilter(method='filter_has_secret')
+    platform = drf_filters.CharFilter(field_name='asset__platform_id', lookup_expr='exact')
+    category = drf_filters.CharFilter(field_name='asset__platform__category', lookup_expr='exact')
+    type = drf_filters.CharFilter(field_name='asset__platform__type', lookup_expr='exact')
+
+    @staticmethod
+    def filter_has_secret(queryset, name, has_secret):
+        q = Q(secret__isnull=True) | Q(secret='')
+        if has_secret:
+            return queryset.exclude(q)
+        else:
+            return queryset.filter(q)
+
+    @staticmethod
+    def filter_nodes(queryset, name, value):
+        nodes = Node.objects.filter(id=value)
+        if not nodes:
+            return queryset
+
+        node_qs = Node.objects.none()
+        for node in nodes:
+            node_qs |= node.get_all_children(with_self=True)
+        node_ids = list(node_qs.values_list('id', flat=True))
+        queryset = queryset.filter(asset__nodes__in=node_ids)
+        return queryset
+
+    class Meta:
+        model = Account
+        fields = ['id', 'asset_id']
+
+
+class GatheredAccountFilterSet(BaseFilterSet):
+    node_id = drf_filters.CharFilter(method='filter_nodes')
+
+    @staticmethod
+    def filter_nodes(queryset, name, value):
+        return AccountFilterSet.filter_nodes(queryset, name, value)
+
+    class Meta:
+        model = GatheredAccount
+        fields = ['id', 'asset_id', 'username']

apps/accounts/migrations/0001_initial.py

@@ -0,0 +1,111 @@
+# Generated by Django 3.2.14 on 2022-12-28 07:29
+
+import common.db.encoder
+import common.db.fields
+from django.conf import settings
+from django.db import migrations, models
+import django.db.models.deletion
+import simple_history.models
+import uuid
+
+
+class Migration(migrations.Migration):
+    initial = True
+
+    dependencies = [
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+        ('assets', '0098_auto_20220430_2126'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='Account',
+            fields=[
+                ('created_by', models.CharField(blank=True, max_length=128, null=True, verbose_name='Created by')),
+                ('updated_by', models.CharField(blank=True, max_length=128, null=True, verbose_name='Updated by')),
+                ('date_created', models.DateTimeField(auto_now_add=True, null=True, verbose_name='Date created')),
+                ('date_updated', models.DateTimeField(auto_now=True, verbose_name='Date updated')),
+                ('comment', models.TextField(blank=True, default='', verbose_name='Comment')),
+                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
+                ('org_id',
+                 models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization')),
+                ('connectivity', models.CharField(choices=[('-', 'Unknown'), ('ok', 'Ok'), ('err', 'Error')], default='-', max_length=16, verbose_name='Connectivity')),
+                ('date_verified', models.DateTimeField(null=True, verbose_name='Date verified')),
+                ('name', models.CharField(max_length=128, verbose_name='Name')),
+                ('username', models.CharField(blank=True, db_index=True, max_length=128, verbose_name='Username')),
+                ('secret_type', models.CharField(
+                    choices=[('password', 'Password'), ('ssh_key', 'SSH key'), ('access_key', 'Access key'),
+                             ('token', 'Token')], default='password', max_length=16, verbose_name='Secret type')),
+                ('secret', common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='Secret')),
+                ('privileged', models.BooleanField(default=False, verbose_name='Privileged')),
+                ('is_active', models.BooleanField(default=True, verbose_name='Is active')),
+                ('version', models.IntegerField(default=0, verbose_name='Version')),
+                ('source', models.CharField(default='local', max_length=30, verbose_name='Source')),
+                ('asset', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='accounts',
+                                            to='assets.asset', verbose_name='Asset')),
+                ('su_from',
+                 models.ForeignKey(null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='su_to',
+                                   to='accounts.account', verbose_name='Su from')),
+            ],
+            options={
+                'verbose_name': 'Account',
+                'permissions': [('view_accountsecret', 'Can view asset account secret'),
+                                ('view_historyaccount', 'Can view asset history account'),
+                                ('view_historyaccountsecret', 'Can view asset history account secret')],
+                'unique_together': {('username', 'asset', 'secret_type'), ('name', 'asset')},
+            },
+        ),
+        migrations.CreateModel(
+            name='HistoricalAccount',
+            fields=[
+                ('id', models.UUIDField(db_index=True, default=uuid.uuid4)),
+                ('secret_type', models.CharField(
+                    choices=[('password', 'Password'), ('ssh_key', 'SSH key'), ('access_key', 'Access key'),
+                             ('token', 'Token')], default='password', max_length=16, verbose_name='Secret type')),
+                ('secret', common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='Secret')),
+                ('version', models.IntegerField(default=0, verbose_name='Version')),
+                ('history_id', models.AutoField(primary_key=True, serialize=False)),
+                ('history_date', models.DateTimeField(db_index=True)),
+                ('history_change_reason', models.CharField(max_length=100, null=True)),
+                ('history_type',
+                 models.CharField(choices=[('+', 'Created'), ('~', 'Changed'), ('-', 'Deleted')], max_length=1)),
+                ('history_user',
+                 models.ForeignKey(null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='+',
+                                   to=settings.AUTH_USER_MODEL)),
+            ],
+            options={
+                'verbose_name': 'historical Account',
+                'verbose_name_plural': 'historical Accounts',
+                'ordering': ('-history_date', '-history_id'),
+                'get_latest_by': ('history_date', 'history_id'),
+            },
+            bases=(simple_history.models.HistoricalChanges, models.Model),
+        ),
+        migrations.CreateModel(
+            name='AccountTemplate',
+            fields=[
+                ('created_by', models.CharField(blank=True, max_length=128, null=True, verbose_name='Created by')),
+                ('updated_by', models.CharField(blank=True, max_length=128, null=True, verbose_name='Updated by')),
+                ('date_created', models.DateTimeField(auto_now_add=True, null=True, verbose_name='Date created')),
+                ('date_updated', models.DateTimeField(auto_now=True, verbose_name='Date updated')),
+                ('comment', models.TextField(blank=True, default='', verbose_name='Comment')),
+                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
+                ('org_id',
+                 models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization')),
+                ('name', models.CharField(max_length=128, verbose_name='Name')),
+                ('username', models.CharField(blank=True, db_index=True, max_length=128, verbose_name='Username')),
+                ('secret_type', models.CharField(
+                    choices=[('password', 'Password'), ('ssh_key', 'SSH key'), ('access_key', 'Access key'),
+                             ('token', 'Token')], default='password', max_length=16, verbose_name='Secret type')),
+                ('secret', common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='Secret')),
+                ('privileged', models.BooleanField(default=False, verbose_name='Privileged')),
+                ('is_active', models.BooleanField(default=True, verbose_name='Is active')),
+            ],
+            options={
+                'verbose_name': 'Account template',
+                'permissions': [('view_accounttemplatesecret', 'Can view asset account template secret'),
+                                ('change_accounttemplatesecret', 'Can change asset account template secret')],
+                'unique_together': {('name', 'org_id')},
+            },
+        ),
+    ]