perf: add dbeaver-patch version

fix: login log get ipv6 error
fix: Fix the uncaught exception when face capture fails
2025-12-15 08:32:48 +00:00 · 2024-12-03 17:27:44 +08:00 · 2024-11-29 14:58:56 +08:00 · 2024-11-25 10:08:59 +08:00 · 2024-11-21 22:25:46 +08:00 · 2024-11-21 21:31:10 +08:00
1086 changed files with 52970 additions and 39109 deletions
--- a/.dockerignore
+++ b/.dockerignore
@@ -8,3 +8,4 @@ celerybeat.pid
 .vagrant/
 apps/xpack/.git
 .history/
+.idea
--- a/.github/workflows/build-base-image.yml
+++ b/.github/workflows/build-base-image.yml
@@ -0,0 +1,72 @@
+name: Build and Push Base Image
+
+on:
+  pull_request:
+    branches:
+      - 'dev'
+      - 'v*'
+    paths:
+      - poetry.lock
+      - pyproject.toml
+      - Dockerfile-base
+      - package.json
+      - go.mod
+      - yarn.lock
+      - pom.xml
+      - install_deps.sh
+      - utils/clean_site_packages.sh
+    types:
+      - opened
+      - synchronize
+      - reopened
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.ref }}
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to DockerHub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Extract date
+        id: vars
+        run: echo "IMAGE_TAG=$(date +'%Y%m%d_%H%M%S')" >> $GITHUB_ENV
+
+      - name: Extract repository name
+        id: repo
+        run: echo "REPO=$(basename ${{ github.repository }})" >> $GITHUB_ENV
+
+      - name: Build and push multi-arch image
+        uses: docker/build-push-action@v6
+        with:
+          platforms: linux/amd64,linux/arm64
+          push: true
+          file: Dockerfile-base
+          tags: jumpserver/core-base:${{ env.IMAGE_TAG }}
+
+      - name: Update Dockerfile
+        run: |
+          sed -i 's|-base:.* AS stage-build|-base:${{ env.IMAGE_TAG }} AS stage-build|' Dockerfile
+
+      - name: Commit changes
+        run: |
+          git config --global user.name 'github-actions[bot]'
+          git config --global user.email 'github-actions[bot]@users.noreply.github.com'
+          git add Dockerfile
+          git commit -m "perf: Update Dockerfile with new base image tag"
+          git push origin ${{ github.event.pull_request.head.ref }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/check-compilemessages.yml
+++ b/.github/workflows/check-compilemessages.yml
@@ -0,0 +1,31 @@
+name: Check I18n files CompileMessages
+
+on:
+  pull_request:
+    branches:
+      - 'dev'
+    paths:
+      - 'apps/i18n/core/**/*.po'
+    types:
+      - opened
+      - synchronize
+      - reopened
+jobs:
+  compile-messages-check:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build and check compilemessages
+        uses: docker/build-push-action@v6
+        with:
+          platforms: linux/amd64
+          push: false
+          file: Dockerfile
+          target: stage-build
+          tags: jumpserver/core:stage-build
--- a/.github/workflows/discord-release.yml
+++ b/.github/workflows/discord-release.yml
@@ -0,0 +1,24 @@
+name: Publish Release to Discord
+
+on:
+  release:
+    types: [published]
+
+jobs:
+  send_discord_notification:
+    runs-on: ubuntu-latest
+    if: startsWith(github.event.release.tag_name, 'v4.')
+    steps:
+      - name: Send release notification to Discord
+        env:
+          WEBHOOK_URL: ${{ secrets.DISCORD_CHANGELOG_WEBHOOK }}
+        run: |
+          # 获取标签名称和 release body
+          TAG_NAME="${{ github.event.release.tag_name }}"
+          RELEASE_BODY="${{ github.event.release.body }}"
+
+          # 使用 jq 构建 JSON 数据，以确保安全传递
+          JSON_PAYLOAD=$(jq -n --arg tag "# JumpServer $TAG_NAME Released! 🚀" --arg body "$RELEASE_BODY" '{content: "\($tag)\n\($body)"}')
+
+          # 使用 curl 发送 JSON 数据
+          curl -X POST -H "Content-Type: application/json" -d "$JSON_PAYLOAD" "$WEBHOOK_URL"
--- a/.github/workflows/jms-build-test.yml
+++ b/.github/workflows/jms-build-test.yml
@@ -1,55 +0,0 @@
-name: "Run Build Test"
-on:
-  push:
-    paths:
-      - 'Dockerfile'
-      - 'Dockerfile-*'
-      - 'pyproject.toml'
-      - 'poetry.lock'
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v3
-    - uses: docker/setup-qemu-action@v3
-    - uses: docker/setup-buildx-action@v3
-
-    - name: Check Dockerfile
-      run: |
-        test -f Dockerfile-ce || cp -f Dockerfile Dockerfile-ce
-
-    - name: Build CE Image
-      uses: docker/build-push-action@v5
-      with:
-        context: .
-        push: false
-        file: Dockerfile-ce
-        tags: jumpserver/core-ce:test
-        platforms: linux/amd64
-        build-args: |
-          APT_MIRROR=http://deb.debian.org
-          PIP_MIRROR=https://pypi.org/simple
-          PIP_JMS_MIRROR=https://pypi.org/simple
-        cache-from: type=gha
-        cache-to: type=gha,mode=max
-
-    - name: Prepare EE Image
-      run: |
-        sed -i 's@^FROM registry.fit2cloud.com@# FROM registry.fit2cloud.com@g' Dockerfile-ee
-        sed -i 's@^COPY --from=build-xpack@# COPY --from=build-xpack@g' Dockerfile-ee
-
-    - name: Build EE Image
-      uses: docker/build-push-action@v5
-      with:
-        context: .
-        push: false
-        file: Dockerfile-ee
-        tags: jumpserver/core-ee:test
-        platforms: linux/amd64
-        build-args: |
-          APT_MIRROR=http://deb.debian.org
-          PIP_MIRROR=https://pypi.org/simple
-          PIP_JMS_MIRROR=https://pypi.org/simple
-        cache-from: type=gha
-        cache-to: type=gha,mode=max
--- a/.github/workflows/jms-build-test.yml.disabled
+++ b/.github/workflows/jms-build-test.yml.disabled
@@ -0,0 +1,63 @@
+name: "Run Build Test"
+on:
+  push:
+    paths:
+      - 'Dockerfile'
+      - 'Dockerfile*'
+      - 'Dockerfile-*'
+      - 'pyproject.toml'
+      - 'poetry.lock'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        component: [core]
+        version: [v4]
+    steps:
+    - uses: actions/checkout@v4
+    - uses: docker/setup-buildx-action@v3
+
+    - name: Login to GitHub Container Registry
+      uses: docker/login-action@v3
+      with:
+        registry: ghcr.io
+        username: ${{ github.repository_owner }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+    
+    - name: Prepare Build
+      run: |
+        sed -i 's@^FROM registry.fit2cloud.com/jumpserver@FROM ghcr.io/jumpserver@g' Dockerfile-ee
+
+    - name: Build CE Image
+      uses: docker/build-push-action@v5
+      with:
+        context: .
+        push: true
+        file: Dockerfile
+        tags: ghcr.io/jumpserver/${{ matrix.component }}:${{ matrix.version }}-ce
+        platforms: linux/amd64
+        build-args: |
+          VERSION=${{ matrix.version }}
+          APT_MIRROR=http://deb.debian.org
+          PIP_MIRROR=https://pypi.org/simple
+        outputs: type=image,oci-mediatypes=true,compression=zstd,compression-level=3,force-compression=true
+        cache-from: type=gha
+        cache-to: type=gha,mode=max
+
+    - name: Build EE Image
+      uses: docker/build-push-action@v5
+      with:
+        context: .
+        push: false
+        file: Dockerfile-ee
+        tags: ghcr.io/jumpserver/${{ matrix.component }}:${{ matrix.version }}
+        platforms: linux/amd64
+        build-args: |
+          VERSION=${{ matrix.version }}
+          APT_MIRROR=http://deb.debian.org
+          PIP_MIRROR=https://pypi.org/simple
+        outputs: type=image,oci-mediatypes=true,compression=zstd,compression-level=3,force-compression=true
+        cache-from: type=gha
+        cache-to: type=gha,mode=max
--- a/.github/workflows/llm-code-review.yml
+++ b/.github/workflows/llm-code-review.yml
@@ -0,0 +1,28 @@
+name: LLM Code Review
+
+permissions:
+  contents: read
+  pull-requests: write
+
+on:
+  pull_request:
+    types: [opened, reopened, synchronize]
+
+jobs:
+  llm-code-review:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: fit2cloud/LLM-CodeReview-Action@main
+        env:
+          GITHUB_TOKEN: ${{ secrets.FIT2CLOUDRD_LLM_CODE_REVIEW_TOKEN }}
+          OPENAI_API_KEY: ${{ secrets.ALIYUN_LLM_API_KEY }}
+          LANGUAGE: English
+          OPENAI_API_ENDPOINT: https://dashscope.aliyuncs.com/compatible-mode/v1
+          MODEL: qwen2-1.5b-instruct
+          PROMPT: "Please check the following code differences for any irregularities, potential issues, or optimization suggestions, and provide your answers in English."
+          top_p: 1
+          temperature: 1
+          # max_tokens: 10000
+          MAX_PATCH_LENGTH: 10000 
+          IGNORE_PATTERNS: "/node_modules,*.md,/dist,/.github"
+          FILE_PATTERNS: "*.java,*.go,*.py,*.vue,*.ts,*.js,*.css,*.scss,*.html"
--- a/.gitignore
+++ b/.gitignore
@@ -44,3 +44,4 @@ data/*
 test.py
 .history/
 .test/
+*.mo
--- a/.isort.cfg
+++ b/.isort.cfg
@@ -1,3 +1,4 @@
 [settings]
 line_length=120
 known_first_party=common,users,assets,perms,authentication,jumpserver,notification,ops,orgs,rbac,settings,terminal,tickets
+
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,5 +1,10 @@
 # Contributing

+As a contributor, you should agree that:
+
+- The producer can adjust the open-source agreement to be more strict or relaxed as deemed necessary.
+- Your contributed code may be used for commercial purposes, including but not limited to its cloud business operations.
+
 ## Create pull request
 PR are always welcome, even if they only contain small fixes like typos or a few lines of code. If there will be a significant effort, please document it as an issue and get a discussion going before starting to work on it.

--- a/68
+++ b/68
@@ -0,0 +1,68 @@
+FROM jumpserver/core-base:20241105_025649 AS stage-build
+
+ARG VERSION
+
+WORKDIR /opt/jumpserver
+
+ADD . .
+
+RUN echo > /opt/jumpserver/config.yml \
+    && \
+    if [ -n "${VERSION}" ]; then \
+        sed -i "s@VERSION = .*@VERSION = '${VERSION}'@g" apps/jumpserver/const.py; \
+    fi
+
+RUN set -ex \
+    && export SECRET_KEY=$(head -c100 < /dev/urandom | base64 | tr -dc A-Za-z0-9 | head -c 48) \
+    && . /opt/py3/bin/activate \
+    && cd apps \
+    && python manage.py compilemessages
+
+
+FROM python:3.11-slim-bullseye
+ENV LANG=en_US.UTF-8 \
+    PATH=/opt/py3/bin:$PATH
+
+ARG DEPENDENCIES="                    \
+        libldap2-dev                  \
+        libx11-dev"
+
+ARG TOOLS="                           \
+        cron                          \
+        ca-certificates               \
+        default-libmysqlclient-dev    \
+        openssh-client                \
+        sshpass                       \
+        bubblewrap"
+
+ARG APT_MIRROR=http://deb.debian.org
+
+RUN set -ex \
+    && sed -i "s@http://.*.debian.org@${APT_MIRROR}@g" /etc/apt/sources.list \
+    && ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
+    && apt-get update > /dev/null \
+    && apt-get -y install --no-install-recommends ${DEPENDENCIES} \
+    && apt-get -y install --no-install-recommends ${TOOLS} \
+    && mkdir -p /root/.ssh/ \
+    && echo "Host *\n\tStrictHostKeyChecking no\n\tUserKnownHostsFile /dev/null\n\tCiphers +aes128-cbc\n\tKexAlgorithms +diffie-hellman-group1-sha1\n\tHostKeyAlgorithms +ssh-rsa" > /root/.ssh/config \
+    && echo "no" | dpkg-reconfigure dash \
+    && apt-get clean all \
+    && rm -rf /var/lib/apt/lists/* \
+    && echo "0 3 * * * root find /tmp -type f -mtime +1 -size +1M -exec rm -f {} \; && date > /tmp/clean.log" > /etc/cron.d/cleanup_tmp \
+    && chmod 0644 /etc/cron.d/cleanup_tmp
+
+COPY --from=stage-build /opt /opt
+COPY --from=stage-build /usr/local/bin /usr/local/bin
+COPY --from=stage-build /opt/jumpserver/apps/libs/ansible/ansible.cfg /etc/ansible/
+
+WORKDIR /opt/jumpserver
+
+VOLUME /opt/jumpserver/data
+
+ENTRYPOINT ["./entrypoint.sh"]
+
+EXPOSE 8080
+
+STOPSIGNAL SIGQUIT
+
+CMD ["start", "all"]
--- a/60
+++ b/60
@@ -0,0 +1,60 @@
+FROM python:3.11-slim-bullseye
+ARG TARGETARCH
+
+# Install APT dependencies
+ARG DEPENDENCIES="                    \
+        ca-certificates               \
+        wget                          \
+        g++                           \
+        make                          \
+        pkg-config                    \
+        default-libmysqlclient-dev    \
+        freetds-dev                   \
+        gettext                       \
+        libkrb5-dev                   \
+        libldap2-dev                  \
+        libsasl2-dev"
+
+ARG APT_MIRROR=http://deb.debian.org
+
+RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=core \
+    --mount=type=cache,target=/var/lib/apt,sharing=locked,id=core \
+    set -ex \
+    && rm -f /etc/apt/apt.conf.d/docker-clean \
+    && echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache \
+    && sed -i "s@http://.*.debian.org@${APT_MIRROR}@g" /etc/apt/sources.list \
+    && apt-get update > /dev/null \
+    && apt-get -y install --no-install-recommends ${DEPENDENCIES} \
+    && echo "no" | dpkg-reconfigure dash
+
+# Install bin tools
+ARG CHECK_VERSION=v1.0.4
+RUN set -ex \
+    && wget https://github.com/jumpserver-dev/healthcheck/releases/download/${CHECK_VERSION}/check-${CHECK_VERSION}-linux-${TARGETARCH}.tar.gz \
+    && tar -xf check-${CHECK_VERSION}-linux-${TARGETARCH}.tar.gz \
+    && mv check /usr/local/bin/ \
+    && chown root:root /usr/local/bin/check \
+    && chmod 755 /usr/local/bin/check \
+    && rm -f check-${CHECK_VERSION}-linux-${TARGETARCH}.tar.gz
+
+# Install Python dependencies
+WORKDIR /opt/jumpserver
+
+ARG PIP_MIRROR=https://pypi.org/simple
+ENV POETRY_PYPI_MIRROR_URL=${PIP_MIRROR}
+ENV ANSIBLE_COLLECTIONS_PATHS=/opt/py3/lib/python3.11/site-packages/ansible_collections
+
+RUN --mount=type=cache,target=/root/.cache \
+    --mount=type=bind,source=poetry.lock,target=poetry.lock \
+    --mount=type=bind,source=pyproject.toml,target=pyproject.toml \
+    --mount=type=bind,source=utils/clean_site_packages.sh,target=clean_site_packages.sh \
+    --mount=type=bind,source=requirements/collections.yml,target=collections.yml \
+    set -ex \
+    && python3 -m venv /opt/py3 \
+    && pip install poetry poetry-plugin-pypi-mirror -i ${PIP_MIRROR} \
+    && . /opt/py3/bin/activate \
+    && poetry config virtualenvs.create false \
+    && poetry install --no-cache --only main \
+    && ansible-galaxy collection install -r collections.yml --force --ignore-certs \
+    && bash clean_site_packages.sh \
+    && poetry cache clear pypi --all
--- a/137
+++ b/137
@@ -1,137 +0,0 @@
-FROM python:3.11-slim-bullseye as stage-1
-ARG TARGETARCH
-
-ARG VERSION
-ENV VERSION=$VERSION
-
-WORKDIR /opt/jumpserver
-ADD . .
-RUN echo > /opt/jumpserver/config.yml \
-    && cd utils && bash -ixeu build.sh
-
-FROM python:3.11-slim-bullseye as stage-2
-ARG TARGETARCH
-
-ARG BUILD_DEPENDENCIES="              \
-        g++                           \
-        make                          \
-        pkg-config"
-
-ARG DEPENDENCIES="                    \
-        freetds-dev                   \
-        libffi-dev                    \
-        libjpeg-dev                   \
-        libkrb5-dev                   \
-        libldap2-dev                  \
-        libpq-dev                     \
-        libsasl2-dev                  \
-        libssl-dev                    \
-        libxml2-dev                   \
-        libxmlsec1-dev                \
-        libxmlsec1-openssl            \
-        freerdp2-dev                  \
-        libaio-dev"
-
-ARG TOOLS="                           \
-        ca-certificates               \
-        curl                          \
-        default-libmysqlclient-dev    \
-        default-mysql-client          \
-        git                           \
-        git-lfs                       \
-        unzip                         \
-        xz-utils                      \
-        wget"
-
-ARG APT_MIRROR=http://mirrors.ustc.edu.cn
-RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=core-apt \
-    --mount=type=cache,target=/var/lib/apt,sharing=locked,id=core-apt \
-    sed -i "s@http://.*.debian.org@${APT_MIRROR}@g" /etc/apt/sources.list \
-    && rm -f /etc/apt/apt.conf.d/docker-clean \
-    && ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
-    && apt-get update \
-    && apt-get -y install --no-install-recommends ${BUILD_DEPENDENCIES} \
-    && apt-get -y install --no-install-recommends ${DEPENDENCIES} \
-    && apt-get -y install --no-install-recommends ${TOOLS} \
-    && echo "no" | dpkg-reconfigure dash
-
-WORKDIR /opt/jumpserver
-
-ARG PIP_MIRROR=https://pypi.tuna.tsinghua.edu.cn/simple
-RUN --mount=type=cache,target=/root/.cache \
-    --mount=type=bind,source=poetry.lock,target=/opt/jumpserver/poetry.lock \
-    --mount=type=bind,source=pyproject.toml,target=/opt/jumpserver/pyproject.toml \
-    set -ex \
-    && python3 -m venv /opt/py3 \
-    && pip install poetry -i ${PIP_MIRROR} \
-    && poetry config virtualenvs.create false \
-    && . /opt/py3/bin/activate \
-    && poetry install
-
-FROM python:3.11-slim-bullseye
-ARG TARGETARCH
-ENV LANG=zh_CN.UTF-8 \
-    PATH=/opt/py3/bin:$PATH
-
-ARG DEPENDENCIES="                    \
-        libjpeg-dev                   \
-        libpq-dev                     \
-        libx11-dev                    \
-        freerdp2-dev                  \
-        libxmlsec1-openssl"
-
-ARG TOOLS="                           \
-        ca-certificates               \
-        curl                          \
-        default-libmysqlclient-dev    \
-        default-mysql-client          \
-        iputils-ping                  \
-        locales                       \
-        netcat-openbsd                \
-        nmap                          \
-        openssh-client                \
-        patch                         \
-        sshpass                       \
-        telnet                        \
-        vim                           \
-        bubblewrap                    \
-        wget"
-
-ARG APT_MIRROR=http://mirrors.ustc.edu.cn
-RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=core-apt \
-    --mount=type=cache,target=/var/lib/apt,sharing=locked,id=core-apt \
-    sed -i "s@http://.*.debian.org@${APT_MIRROR}@g" /etc/apt/sources.list \
-    && rm -f /etc/apt/apt.conf.d/docker-clean \
-    && ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
-    && apt-get update \
-    && apt-get -y install --no-install-recommends ${DEPENDENCIES} \
-    && apt-get -y install --no-install-recommends ${TOOLS} \
-    && mkdir -p /root/.ssh/ \
-    && echo "Host *\n\tStrictHostKeyChecking no\n\tUserKnownHostsFile /dev/null\n\tCiphers +aes128-cbc\n\tKexAlgorithms +diffie-hellman-group1-sha1\n\tHostKeyAlgorithms +ssh-rsa" > /root/.ssh/config \
-    && echo "no" | dpkg-reconfigure dash \
-    && echo "zh_CN.UTF-8" | dpkg-reconfigure locales \
-    && sed -i "s@# export @export @g" ~/.bashrc \
-    && sed -i "s@# alias @alias @g" ~/.bashrc
-
-ARG RECEPTOR_VERSION=v1.4.5
-RUN set -ex \
-    && wget -O /opt/receptor.tar.gz https://github.com/ansible/receptor/releases/download/${RECEPTOR_VERSION}/receptor_${RECEPTOR_VERSION/v/}_linux_${TARGETARCH}.tar.gz \
-    && tar -xf /opt/receptor.tar.gz -C /usr/local/bin/ \
-    && chown root:root /usr/local/bin/receptor \
-    && chmod 755 /usr/local/bin/receptor \
-    && rm -f /opt/receptor.tar.gz
-
-COPY --from=stage-2 /opt/py3 /opt/py3
-COPY --from=stage-1 /opt/jumpserver/release/jumpserver /opt/jumpserver
-COPY --from=stage-1 /opt/jumpserver/release/jumpserver/apps/libs/ansible/ansible.cfg /etc/ansible/
-
-WORKDIR /opt/jumpserver
-
-ARG VERSION
-ENV VERSION=$VERSION
-
-VOLUME /opt/jumpserver/data
-
-EXPOSE 8080
-
-ENTRYPOINT ["./entrypoint.sh"]
--- a/37
+++ b/37
@@ -1,5 +1,34 @@
-ARG VERSION
-FROM registry.fit2cloud.com/jumpserver/xpack:${VERSION} as build-xpack
-FROM registry.fit2cloud.com/jumpserver/core-ce:${VERSION}
+ARG VERSION=dev
+
+FROM registry.fit2cloud.com/jumpserver/xpack:${VERSION} AS build-xpack
+FROM jumpserver/core:${VERSION}-ce
+
+COPY --from=build-xpack /opt/xpack /opt/jumpserver/apps/xpack
+
+ARG TOOLS="                           \
+        g++                           \
+        curl                          \
+        iputils-ping                  \
+        netcat-openbsd                \
+        nmap                          \
+        telnet                        \
+        vim                           \
+        wget"
+
+RUN set -ex \
+    && apt-get update \
+    && apt-get -y install --no-install-recommends ${TOOLS} \
+    && apt-get clean all \
+    && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /opt/jumpserver
+
+ARG PIP_MIRROR=https://pypi.org/simple
+ENV POETRY_PYPI_MIRROR_URL=${PIP_MIRROR}
+COPY poetry.lock pyproject.toml ./
+RUN set -ex \
+    && . /opt/py3/bin/activate \
+    && pip install poetry poetry-plugin-pypi-mirror -i ${PIP_MIRROR} \
+    && poetry install --only xpack \
+    && poetry cache clear pypi --all

-COPY --from=build-xpack /opt/xpack /opt/jumpserver/apps/xpack
--- a/README.md
+++ b/README.md
@@ -1,125 +1,115 @@
-<p align="center">
-  <a href="https://jumpserver.org"><img src="https://download.jumpserver.org/images/jumpserver-logo.svg" alt="JumpServer" width="300" /></a>
-</p>
-<h3 align="center">广受欢迎的开源堡垒机</h3>
+<div align="center">
+  <a name="readme-top"></a>
+  <a href="https://jumpserver.org/index-en.html"><img src="https://download.jumpserver.org/images/jumpserver-logo.svg" alt="JumpServer" width="300" /></a>
+  
+## An open-source PAM tool (Bastion Host)

-<p align="center">
-  <a href="https://www.gnu.org/licenses/gpl-3.0.html"><img src="https://img.shields.io/github/license/jumpserver/jumpserver" alt="License: GPLv3"></a>
-  <a href="https://hub.docker.com/u/jumpserver"><img src="https://img.shields.io/docker/pulls/jumpserver/jms_all.svg" alt="Docker pulls"></a>
-  <a href="https://github.com/jumpserver/jumpserver/releases/latest"><img src="https://img.shields.io/github/v/release/jumpserver/jumpserver" alt="Latest release"></a>
-  <a href="https://github.com/jumpserver/jumpserver"><img src="https://img.shields.io/github/stars/jumpserver/jumpserver?color=%231890FF&style=flat-square" alt="Stars"></a>
-</p>
+[![][license-shield]][license-link]
+[![][discord-shield]][discord-link]
+[![][docker-shield]][docker-link]
+[![][github-release-shield]][github-release-link]
+[![][github-stars-shield]][github-stars-link]

+**English** · [简体中文](./README.zh-CN.md)
+</div>
+<br/>

-<p align="center">
-    9 年时间，倾情投入，用心做好一款开源堡垒机。
-</p>
+## What is JumpServer?

------------------------------
-JumpServer 是广受欢迎的开源堡垒机，是符合 4A 规范的专业运维安全审计系统。
+JumpServer is an open-source Privileged Access Management (PAM) tool that provides DevOps and IT teams with on-demand and secure access to SSH, RDP, Kubernetes, Database and RemoteApp endpoints through a web browser.

-JumpServer 堡垒机帮助企业以更安全的方式管控和登录各种类型的资产，包括：
+![JumpServer Overview](https://github.com/jumpserver/jumpserver/assets/32935519/35a371cb-8590-40ed-88ec-f351f8cf9045)

- **SSH**: Linux / Unix / 网络设备 等；
- **Windows**: Web 方式连接 / 原生 RDP 连接；
- **数据库**: MySQL / MariaDB / PostgreSQL / Oracle / SQLServer / ClickHouse 等；
- **NoSQL**: Redis / MongoDB 等；
- **GPT**: ChatGPT 等;
- **云服务**: Kubernetes / VMware vSphere 等;
- **Web 站点**: 各类系统的 Web 管理后台；
- **应用**: 通过 Remote App 连接各类应用。
+## Quickstart

-## 产品特色
+Prepare a clean Linux Server ( 64 bit, >= 4c8g )

- **开源**: 零门槛，线上快速获取和安装；
- **无插件**: 仅需浏览器，极致的 Web Terminal 使用体验；
- **分布式**: 支持分布式部署和横向扩展，轻松支持大规模并发访问；
- **多云支持**: 一套系统，同时管理不同云上面的资产；
- **多租户**: 一套系统，多个子公司或部门同时使用；
- **云端存储**: 审计录像云端存储，永不丢失；
+```sh
+curl -sSL https://github.com/jumpserver/jumpserver/releases/latest/download/quick_start.sh | bash
+```

-## UI 展示
+Access JumpServer in your browser at `http://your-jumpserver-ip/`
+- Username: `admin`
+- Password: `ChangeMe`

-![UI展示](https://docs.jumpserver.org/zh/v3/img/dashboard.png)
+[![JumpServer Quickstart](https://github.com/user-attachments/assets/0f32f52b-9935-485e-8534-336c63389612)](https://www.youtube.com/watch?v=UlGYRbKrpgY "JumpServer Quickstart")

-## 在线体验
+## Screenshots

- 环境地址：<https://demo.jumpserver.org/>
+<table style="border-collapse: collapse; border: 1px solid black;">
+  <tr>
+    <td style="padding: 5px;background-color:#fff;"><img src= "https://github.com/jumpserver/jumpserver/assets/32935519/99fabe5b-0475-4a53-9116-4c370a1426c4" alt="JumpServer Console"   /></td>
+    <td style="padding: 5px;background-color:#fff;"><img src= "https://github.com/jumpserver/jumpserver/assets/32935519/a424d731-1c70-4108-a7d8-5bbf387dda9a" alt="JumpServer Audits"   /></td>
+  </tr>

-| :warning: 注意                 |
-|:-----------------------------|
-| 该环境仅作体验目的使用，我们会定时清理、重置数据！    |
-| 请勿修改体验环境用户的密码！               |
-| 请勿在环境中添加业务生产环境地址、用户名密码等敏感信息！ |
+  <tr>
+    <td style="padding: 5px;background-color:#fff;"><img src= "https://github.com/jumpserver/jumpserver/assets/32935519/393d2c27-a2d0-4dea-882d-00ed509e00c9" alt="JumpServer Workbench"   /></td>
+    <td style="padding: 5px;background-color:#fff;"><img src= "https://github.com/jumpserver/jumpserver/assets/32935519/3a2611cd-8902-49b8-b82b-2a6dac851f3e" alt="JumpServer Settings"   /></td>
+  </tr>

-## 快速开始
+  <tr>
+    <td style="padding: 5px;background-color:#fff;"><img src= "https://github.com/jumpserver/jumpserver/assets/32935519/1e236093-31f7-4563-8eb1-e36d865f1568" alt="JumpServer SSH"   /></td>
+    <td style="padding: 5px;background-color:#fff;"><img src= "https://github.com/jumpserver/jumpserver/assets/32935519/69373a82-f7ab-41e8-b763-bbad2ba52167" alt="JumpServer RDP"   /></td>
+  </tr>
+  <tr>
+    <td style="padding: 5px;background-color:#fff;"><img src= "https://github.com/jumpserver/jumpserver/assets/32935519/5bed98c6-cbe8-4073-9597-d53c69dc3957" alt="JumpServer K8s"   /></td>
+    <td style="padding: 5px;background-color:#fff;"><img src= "https://github.com/jumpserver/jumpserver/assets/32935519/b80ad654-548f-42bc-ba3d-c1cfdf1b46d6" alt="JumpServer DB"   /></td>
+  </tr>
+</table>

- [快速入门](https://docs.jumpserver.org/zh/v3/quick_start/)
- [产品文档](https://docs.jumpserver.org)
- [在线学习](https://edu.fit2cloud.com/page/2635362)
- [知识库](https://kb.fit2cloud.com/categories/jumpserver)
+## Components

-## 案例研究
+JumpServer consists of multiple key components, which collectively form the functional framework of JumpServer, providing users with comprehensive capabilities for operations management and security control.

- [腾讯音乐娱乐集团：基于JumpServer的安全运维审计解决方案](https://blog.fit2cloud.com/?p=a04cdf0d-6704-4d18-9b40-9180baecd0e2)
- [腾讯海外游戏：基于JumpServer构建游戏安全运营能力](https://blog.fit2cloud.com/?p=3704)
- [万华化学：通过JumpServer管理全球化分布式IT资产，并且实现与云管平台的联动](https://blog.fit2cloud.com/?p=3504)
- [雪花啤酒：JumpServer堡垒机使用体会](https://blog.fit2cloud.com/?p=3412)
- [顺丰科技：JumpServer 堡垒机护航顺丰科技超大规模资产安全运维](https://blog.fit2cloud.com/?p=1147)
- [沐瞳游戏：通过JumpServer管控多项目分布式资产](https://blog.fit2cloud.com/?p=3213)
- [携程：JumpServer 堡垒机部署与运营实战](https://blog.fit2cloud.com/?p=851)
- [大智慧：JumpServer 堡垒机让“大智慧”的混合 IT 运维更智慧](https://blog.fit2cloud.com/?p=882)
- [小红书：JumpServer 堡垒机大规模资产跨版本迁移之路](https://blog.fit2cloud.com/?p=516)
- [中手游：JumpServer堡垒机助力中手游提升多云环境下安全运维能力](https://blog.fit2cloud.com/?p=732)
- [中通快递：JumpServer主机安全运维实践](https://blog.fit2cloud.com/?p=708)
- [东方明珠：JumpServer高效管控异构化、分布式云端资产](https://blog.fit2cloud.com/?p=687)
- [江苏农信：JumpServer堡垒机助力行业云安全运维](https://blog.fit2cloud.com/?p=666)
+| Project                                                | Status                                                                                                                                                                 | Description                                                                                             |
+|--------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------|
+| [Lina](https://github.com/jumpserver/lina)             | <a href="https://github.com/jumpserver/lina/releases"><img alt="Lina release" src="https://img.shields.io/github/release/jumpserver/lina.svg" /></a>                   | JumpServer Web UI                                                                                       |
+| [Luna](https://github.com/jumpserver/luna)             | <a href="https://github.com/jumpserver/luna/releases"><img alt="Luna release" src="https://img.shields.io/github/release/jumpserver/luna.svg" /></a>                   | JumpServer Web Terminal                                                                                 |
+| [KoKo](https://github.com/jumpserver/koko)             | <a href="https://github.com/jumpserver/koko/releases"><img alt="Koko release" src="https://img.shields.io/github/release/jumpserver/koko.svg" /></a>                   | JumpServer Character Protocol Connector                                                                 |
+| [Lion](https://github.com/jumpserver/lion)             | <a href="https://github.com/jumpserver/lion/releases"><img alt="Lion release" src="https://img.shields.io/github/release/jumpserver/lion.svg" /></a>                   | JumpServer Graphical Protocol Connector                                                                 |
+| [Chen](https://github.com/jumpserver/chen)             | <a href="https://github.com/jumpserver/chen/releases"><img alt="Chen release" src="https://img.shields.io/github/release/jumpserver/chen.svg" />                       | JumpServer Web DB                                                                                       |  
+| [Razor](https://github.com/jumpserver/razor)           | <img alt="Chen" src="https://img.shields.io/badge/release-private-red" />                                                                                              | JumpServer EE RDP Proxy Connector                                                                          |
+| [Tinker](https://github.com/jumpserver/tinker)         | <img alt="Tinker" src="https://img.shields.io/badge/release-private-red" />                                                                                            | JumpServer EE Remote Application Connector (Windows)                                                       |
+| [Panda](https://github.com/jumpserver/Panda)           | <img alt="Panda" src="https://img.shields.io/badge/release-private-red" />                                                                                             | JumpServer EE Remote Application Connector (Linux)                                                         |
+| [Magnus](https://github.com/jumpserver/magnus)         | <img alt="Magnus" src="https://img.shields.io/badge/release-private-red" />                                                                                            | JumpServer EE Database Proxy Connector                                                                     |

-## 社区交流
+## Contributing

-如果您在使用过程中有任何疑问或对建议，欢迎提交 [GitHub Issue](https://github.com/jumpserver/jumpserver/issues/new/choose)。
+Welcome to submit PR to contribute. Please refer to [CONTRIBUTING.md][contributing-link] for guidelines.

-您也可以到我们的 [社区论坛](https://bbs.fit2cloud.com/c/js/5) 当中进行交流沟通。
+## Security

-### 参与贡献
+JumpServer is a mission critical product. Please refer to the Basic Security Recommendations for installation and deployment. If you encounter any security-related issues, please contact us directly:

-欢迎提交 PR 参与贡献。 参考 [CONTRIBUTING.md](https://github.com/jumpserver/jumpserver/blob/dev/CONTRIBUTING.md)
+- Email: support@fit2cloud.com

-## 组件项目
-
-| 项目                                                     | 状态                                                                                                                                                                     | 描述                                                                                |
-|--------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------|
-| [Lina](https://github.com/jumpserver/lina)             | <a href="https://github.com/jumpserver/lina/releases"><img alt="Lina release" src="https://img.shields.io/github/release/jumpserver/lina.svg" /></a>                   | JumpServer Web UI 项目                                                              |
-| [Luna](https://github.com/jumpserver/luna)             | <a href="https://github.com/jumpserver/luna/releases"><img alt="Luna release" src="https://img.shields.io/github/release/jumpserver/luna.svg" /></a>                   | JumpServer Web Terminal 项目                                                        |
-| [KoKo](https://github.com/jumpserver/koko)             | <a href="https://github.com/jumpserver/koko/releases"><img alt="Koko release" src="https://img.shields.io/github/release/jumpserver/koko.svg" /></a>                   | JumpServer 字符协议 Connector 项目                                                      |
-| [Lion](https://github.com/jumpserver/lion-release)     | <a href="https://github.com/jumpserver/lion-release/releases"><img alt="Lion release" src="https://img.shields.io/github/release/jumpserver/lion-release.svg" /></a>   | JumpServer 图形协议 Connector 项目，依赖 [Apache Guacamole](https://guacamole.apache.org/) |
-| [Razor](https://github.com/jumpserver/razor)           | <img alt="Chen" src="https://img.shields.io/badge/release-私有发布-red" />                                                                                                 | JumpServer RDP 代理 Connector 项目                                                    |
-| [Tinker](https://github.com/jumpserver/tinker)         | <img alt="Tinker" src="https://img.shields.io/badge/release-私有发布-red" />                                                                                               | JumpServer 远程应用 Connector 项目 (Windows)                                                      |
-| [Panda](https://github.com/jumpserver/Panda)         | <img alt="Panda" src="https://img.shields.io/badge/release-私有发布-red" />                                                                                               | JumpServer 远程应用 Connector 项目 (Linux)                                                      |
-| [Magnus](https://github.com/jumpserver/magnus-release) | <a href="https://github.com/jumpserver/magnus-release/releases"><img alt="Magnus release" src="https://img.shields.io/github/release/jumpserver/magnus-release.svg" /> | JumpServer 数据库代理 Connector 项目                                                     |
-| [Chen](https://github.com/jumpserver/chen-release)     | <a href="https://github.com/jumpserver/chen-release/releases"><img alt="Chen release" src="https://img.shields.io/github/release/jumpserver/chen-release.svg" />       | JumpServer Web DB 项目，替代原来的 OmniDB                                                 |
-| [Kael](https://github.com/jumpserver/kael)             | <a href="https://github.com/jumpserver/kael/releases"><img alt="Kael release" src="https://img.shields.io/github/release/jumpserver/kael.svg" />                       | JumpServer 连接 GPT 资产的组件项目                                                         |
-| [Wisp](https://github.com/jumpserver/wisp)             | <a href="https://github.com/jumpserver/wisp/releases"><img alt="Magnus release" src="https://img.shields.io/github/release/jumpserver/wisp.svg" />                     | JumpServer 各系统终端组件和 Core API 通信的组件项目                                              |
-| [Clients](https://github.com/jumpserver/clients)       | <a href="https://github.com/jumpserver/clients/releases"><img alt="Clients release" src="https://img.shields.io/github/release/jumpserver/clients.svg" />              | JumpServer 客户端 项目                                                                 |
-| [Installer](https://github.com/jumpserver/installer)   | <a href="https://github.com/jumpserver/installer/releases"><img alt="Installer release" src="https://img.shields.io/github/release/jumpserver/installer.svg" />        | JumpServer 安装包 项目                                                                 |
-
-## 安全说明
-
-JumpServer是一款安全产品，请参考 [基本安全建议](https://docs.jumpserver.org/zh/master/install/install_security/)
-进行安装部署。如果您发现安全相关问题，请直接联系我们：
-
- 邮箱：support@fit2cloud.com
- 电话：400-052-0755
-
-## License & Copyright
+## License

 Copyright (c) 2014-2024 飞致云 FIT2CLOUD, All rights reserved.

-Licensed under The GNU General Public License version 3 (GPLv3)  (the "License"); you may not use this file except in
-compliance with the License. You may obtain a copy of the License at
+Licensed under The GNU General Public License version 3 (GPLv3) (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

 https://www.gnu.org/licenses/gpl-3.0.html

-Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "
-AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific
-language governing permissions and limitations under the License.
+Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an " AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
+
+<!-- JumpServer official link -->
+[docs-link]: https://jumpserver.com/docs
+[discord-link]: https://discord.com/invite/W6vYXmAQG2
+[contributing-link]: https://github.com/jumpserver/jumpserver/blob/dev/CONTRIBUTING.md
+
+<!-- JumpServer Other link-->
+[license-link]: https://www.gnu.org/licenses/gpl-3.0.html
+[docker-link]: https://hub.docker.com/u/jumpserver
+[github-release-link]: https://github.com/jumpserver/jumpserver/releases/latest
+[github-stars-link]: https://github.com/jumpserver/jumpserver
+[github-issues-link]: https://github.com/jumpserver/jumpserver/issues
+
+<!-- Shield link-->
+[github-release-shield]: https://img.shields.io/github/v/release/jumpserver/jumpserver
+[github-stars-shield]: https://img.shields.io/github/stars/jumpserver/jumpserver?color=%231890FF&style=flat-square
+[docker-shield]: https://img.shields.io/docker/pulls/jumpserver/jms_all.svg
+[license-shield]: https://img.shields.io/github/license/jumpserver/jumpserver
+[discord-shield]: https://img.shields.io/discord/1194233267294052363?style=flat&logo=discord&logoColor=%23f5f5f5&labelColor=%235462eb&color=%235462eb
+
+<!-- Image link -->
--- a/README.zh-CN.md
+++ b/README.zh-CN.md
@@ -0,0 +1,121 @@
+<p align="center">
+  <a href="https://jumpserver.org"><img src="https://download.jumpserver.org/images/jumpserver-logo.svg" alt="JumpServer" width="300" /></a>
+</p>
+<h3 align="center">广受欢迎的开源堡垒机</h3>
+
+<p align="center">
+  <a href="https://www.gnu.org/licenses/gpl-3.0.html"><img src="https://img.shields.io/github/license/jumpserver/jumpserver" alt="License: GPLv3"></a>
+  <a href="https://hub.docker.com/u/jumpserver"><img src="https://img.shields.io/docker/pulls/jumpserver/jms_all.svg" alt="Docker pulls"></a>
+  <a href="https://github.com/jumpserver/jumpserver/releases/latest"><img src="https://img.shields.io/github/v/release/jumpserver/jumpserver" alt="Latest release"></a>
+  <a href="https://github.com/jumpserver/jumpserver"><img src="https://img.shields.io/github/stars/jumpserver/jumpserver?color=%231890FF&style=flat-square" alt="Stars"></a>
+</p>
+
+
+<p align="center">
+    10 年时间，倾情投入，用心做好一款开源堡垒机。
+</p>
+
+------------------------------
+## JumpServer 是什么？
+
+JumpServer 是广受欢迎的开源堡垒机，是符合 4A 规范的专业运维安全审计系统。JumpServer 堡垒机帮助企业以更安全的方式管控和登录各种类型的资产，包括：
+
+- **SSH**: Linux / Unix / 网络设备 等；
+- **Windows**: Web 方式连接 / 原生 RDP 连接；
+- **数据库**: MySQL / MariaDB / PostgreSQL / Oracle / SQLServer / ClickHouse 等；
+- **NoSQL**: Redis / MongoDB 等；
+- **GPT**: ChatGPT 等;
+- **云服务**: Kubernetes / VMware vSphere 等;
+- **Web 站点**: 各类系统的 Web 管理后台；
+- **应用**: 通过 Remote App 连接各类应用。
+
+## 产品特色
+
+- **开源**: 零门槛，线上快速获取和安装；
+- **无插件**: 仅需浏览器，极致的 Web Terminal 使用体验；
+- **分布式**: 支持分布式部署和横向扩展，轻松支持大规模并发访问；
+- **多云支持**: 一套系统，同时管理不同云上面的资产；
+- **多租户**: 一套系统，多个子公司或部门同时使用；
+- **云端存储**: 审计录像云端存储，永不丢失；
+
+## 快速开始
+
+- [快速入门](https://docs.jumpserver.org/zh/v3/quick_start/)
+- [产品文档](https://docs.jumpserver.org)
+- [在线学习](https://edu.fit2cloud.com/page/2635362)
+- [知识库](https://kb.fit2cloud.com/categories/jumpserver)
+
+## UI 展示
+
+![UI展示](https://docs.jumpserver.org/zh/v3/img/dashboard.png)
+
+## 在线体验
+
+- 环境地址：<https://demo.jumpserver.org/>
+
+| :warning: 注意                 |
+|:-----------------------------|
+| 该环境仅作体验目的使用，我们会定时清理、重置数据！    |
+| 请勿修改体验环境用户的密码！               |
+| 请勿在环境中添加业务生产环境地址、用户名密码等敏感信息！ |
+
+## 案例研究
+
+- [腾讯音乐娱乐集团：基于JumpServer的安全运维审计解决方案](https://blog.fit2cloud.com/?p=a04cdf0d-6704-4d18-9b40-9180baecd0e2)
+- [腾讯海外游戏：基于JumpServer构建游戏安全运营能力](https://blog.fit2cloud.com/?p=3704)
+- [万华化学：通过JumpServer管理全球化分布式IT资产，并且实现与云管平台的联动](https://blog.fit2cloud.com/?p=3504)
+- [雪花啤酒：JumpServer堡垒机使用体会](https://blog.fit2cloud.com/?p=3412)
+- [顺丰科技：JumpServer 堡垒机护航顺丰科技超大规模资产安全运维](https://blog.fit2cloud.com/?p=1147)
+- [沐瞳游戏：通过JumpServer管控多项目分布式资产](https://blog.fit2cloud.com/?p=3213)
+- [携程：JumpServer 堡垒机部署与运营实战](https://blog.fit2cloud.com/?p=851)
+- [大智慧：JumpServer 堡垒机让“大智慧”的混合 IT 运维更智慧](https://blog.fit2cloud.com/?p=882)
+- [小红书：JumpServer 堡垒机大规模资产跨版本迁移之路](https://blog.fit2cloud.com/?p=516)
+- [中手游：JumpServer堡垒机助力中手游提升多云环境下安全运维能力](https://blog.fit2cloud.com/?p=732)
+- [中通快递：JumpServer主机安全运维实践](https://blog.fit2cloud.com/?p=708)
+- [东方明珠：JumpServer高效管控异构化、分布式云端资产](https://blog.fit2cloud.com/?p=687)
+- [江苏农信：JumpServer堡垒机助力行业云安全运维](https://blog.fit2cloud.com/?p=666)
+
+## 社区交流
+
+如果您在使用过程中有任何疑问或对建议，欢迎提交 [GitHub Issue](https://github.com/jumpserver/jumpserver/issues/new/choose)。
+
+您也可以到我们的 [社区论坛](https://bbs.fit2cloud.com/c/js/5) 当中进行交流沟通。
+
+## 参与贡献
+
+欢迎提交 PR 参与贡献。 参考 [CONTRIBUTING.md](https://github.com/jumpserver/jumpserver/blob/dev/CONTRIBUTING.md)
+
+## 组件项目
+
+
+| Project                                                | Status                                                                                                                                                                 | Description                                                                                             |
+|--------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------|
+| [Lina](https://github.com/jumpserver/lina)             | <a href="https://github.com/jumpserver/lina/releases"><img alt="Lina release" src="https://img.shields.io/github/release/jumpserver/lina.svg" /></a>                   | JumpServer Web UI                                                                                       |
+| [Luna](https://github.com/jumpserver/luna)             | <a href="https://github.com/jumpserver/luna/releases"><img alt="Luna release" src="https://img.shields.io/github/release/jumpserver/luna.svg" /></a>                   | JumpServer Web Terminal                                                                                 |
+| [KoKo](https://github.com/jumpserver/koko)             | <a href="https://github.com/jumpserver/koko/releases"><img alt="Koko release" src="https://img.shields.io/github/release/jumpserver/koko.svg" /></a>                   | JumpServer Character Protocol Connector                                                                 |
+| [Lion](https://github.com/jumpserver/lion)             | <a href="https://github.com/jumpserver/lion/releases"><img alt="Lion release" src="https://img.shields.io/github/release/jumpserver/lion.svg" /></a>                   | JumpServer Graphical Protocol Connector                                                                 |
+| [Chen](https://github.com/jumpserver/chen)             | <a href="https://github.com/jumpserver/chen/releases"><img alt="Chen release" src="https://img.shields.io/github/release/jumpserver/chen.svg" />                       | JumpServer Web DB                                                                                       |  
+| [Razor](https://github.com/jumpserver/razor)           | <img alt="Chen" src="https://img.shields.io/badge/release-private-red" />                                                                                              | JumpServer EE RDP Proxy Connector                                                                          |
+| [Tinker](https://github.com/jumpserver/tinker)         | <img alt="Tinker" src="https://img.shields.io/badge/release-private-red" />                                                                                            | JumpServer EE Remote Application Connector (Windows)                                                       |
+| [Panda](https://github.com/jumpserver/Panda)           | <img alt="Panda" src="https://img.shields.io/badge/release-private-red" />                                                                                             | JumpServer EE Remote Application Connector (Linux)                                                         |
+| [Magnus](https://github.com/jumpserver/magnus)         | <img alt="Magnus" src="https://img.shields.io/badge/release-private-red" />                                                                                            | JumpServer EE Database Proxy Connector                                                                     |
+## 安全说明
+
+JumpServer是一款安全产品，请参考 [基本安全建议](https://docs.jumpserver.org/zh/master/install/install_security/)
+进行安装部署。如果您发现安全相关问题，请直接联系我们：
+
+- 邮箱：support@fit2cloud.com
+- 电话：400-052-0755
+
+## License & Copyright
+
+Copyright (c) 2014-2024 飞致云 FIT2CLOUD, All rights reserved.
+
+Licensed under The GNU General Public License version 3 (GPLv3)  (the "License"); you may not use this file except in
+compliance with the License. You may obtain a copy of the License at
+
+https://www.gnu.org/licenses/gpl-3.0.html
+
+Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "
+AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific
+language governing permissions and limitations under the License.
--- a/README_EN.md
+++ b/README_EN.md
@@ -1,94 +0,0 @@
-<p align="center"><a href="https://jumpserver.org"><img src="https://download.jumpserver.org/images/jumpserver-logo.svg" alt="JumpServer" width="300" /></a></p>
-<h3 align="center">Open Source Bastion Host</h3>
-
-<p align="center">
-  <a href="https://www.gnu.org/licenses/gpl-3.0.html"><img src="https://img.shields.io/github/license/jumpserver/jumpserver" alt="License: GPLv3"></a>
-  <a href="https://shields.io/github/downloads/jumpserver/jumpserver/total"><img src="https://shields.io/github/downloads/jumpserver/jumpserver/total" alt=" release"></a>
-  <a href="https://hub.docker.com/u/jumpserver"><img src="https://img.shields.io/docker/pulls/jumpserver/jms_all.svg" alt="Codacy"></a>
-  <a href="https://github.com/jumpserver/jumpserver"><img src="https://img.shields.io/github/stars/jumpserver/jumpserver?color=%231890FF&style=flat-square" alt="Stars"></a>
-</p>
-
-JumpServer is the world's first open-source Bastion Host and is licensed under the GPLv3. It is a 4A-compliant professional operation and maintenance security audit system.
-
-JumpServer uses Python / Django for development, follows Web 2.0 specifications, and is equipped with an industry-leading Web Terminal solution that provides a beautiful user interface and great user experience
-
-JumpServer adopts a distributed architecture to support multi-branch deployment across multiple cross-regional areas. The central node provides APIs, and login nodes are deployed in each branch. It can be scaled horizontally without concurrency restrictions.
-
-Change the world by taking every little step
-
----
-### Advantages
-
- Open Source: huge transparency and free to access with quick installation process.
- Distributed: support large-scale concurrent access with ease.
- No Plugin required: all you need is a browser, the ultimate Web Terminal experience.
- Multi-Cloud supported: a unified system to manage assets on different clouds at the same time
- Cloud storage: audit records are stored in the cloud. Data lost no more!
- Multi-Tenant system: multiple subsidiary companies or departments access the same system simultaneously.
- Many applications supported: link to databases, windows remote applications, and Kubernetes cluster, etc.
-
-
-### JumpServer Component Projects
- [Lina](https://github.com/jumpserver/lina) JumpServer Web UI
- [Luna](https://github.com/jumpserver/luna) JumpServer Web Terminal
- [KoKo](https://github.com/jumpserver/koko) JumpServer Character protocaol Connector, replace original Python Version [Coco](https://github.com/jumpserver/coco)
- [Lion](https://github.com/jumpserver/lion-release) JumpServer Graphics protocol Connector，rely on [Apache Guacamole](https://guacamole.apache.org/)
-
-### Contribution
-If you have any good ideas or helping us to fix bugs, please submit a Pull Request and accept our thanks :)
-
-Thanks to the following contributors for making JumpServer better everyday!
-
-<a href="https://github.com/jumpserver/jumpserver/graphs/contributors">
-  <img src="https://contrib.rocks/image?repo=jumpserver/jumpserver" />
-</a>
-
-<a href="https://github.com/jumpserver/koko/graphs/contributors">
-  <img src="https://contrib.rocks/image?repo=jumpserver/koko" />
-</a>
-
-<a href="https://github.com/jumpserver/lina/graphs/contributors">
-  <img src="https://contrib.rocks/image?repo=jumpserver/lina" />
-</a>
-
-<a href="https://github.com/jumpserver/luna/graphs/contributors">
-  <img src="https://contrib.rocks/image?repo=jumpserver/luna" />
-</a>
-
-### Thanks to
- [Apache Guacamole](https://guacamole.apache.org/) Web page connection RDP, SSH, VNC protocol equipment. JumpServer graphical connection dependent.
- [OmniDB](https://omnidb.org/) Web page connection to databases. JumpServer Web database dependent.
-
-
-### JumpServer Enterprise Version 
- [Apply for it](https://jinshuju.net/f/kyOYpi)
-
-### Case Study
-
- [JumpServer 堡垒机护航顺丰科技超大规模资产安全运维](https://blog.fit2cloud.com/?p=1147)；
- [JumpServer 堡垒机让“大智慧”的混合 IT 运维更智慧](https://blog.fit2cloud.com/?p=882)；
- [携程 JumpServer 堡垒机部署与运营实战](https://blog.fit2cloud.com/?p=851)；
- [小红书的JumpServer堡垒机大规模资产跨版本迁移之路](https://blog.fit2cloud.com/?p=516)；
- [JumpServer堡垒机助力中手游提升多云环境下安全运维能力](https://blog.fit2cloud.com/?p=732)；
- [中通快递：JumpServer主机安全运维实践](https://blog.fit2cloud.com/?p=708)；
- [东方明珠：JumpServer高效管控异构化、分布式云端资产](https://blog.fit2cloud.com/?p=687)；
- [江苏农信：JumpServer堡垒机助力行业云安全运维](https://blog.fit2cloud.com/?p=666)。
-
-### For safety instructions
-
-JumpServer is a security product. Please refer to [Basic Security Recommendations](https://docs.jumpserver.org/zh/master/install/install_security/) for deployment and installation.
-
-If you find a security problem, please contact us directly：
-
- ibuler@fit2cloud.com 
- support@fit2cloud.com 
- 400-052-0755
-
-### License & Copyright
-Copyright (c) 2014-2024 FIT2CLOUD Tech, Inc., All rights reserved.
-
-Licensed under The GNU General Public License version 3 (GPLv3)  (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
-
-https://www.gnu.org/licenses/gpl-3.0.htmll
-
-Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
--- a/apps/accounts/apps.py
+++ b/apps/accounts/apps.py
@@ -4,6 +4,7 @@ from django.apps import AppConfig
 class AccountsConfig(AppConfig):
    default_auto_field = 'django.db.models.BigAutoField'
    name = 'accounts'
+    verbose_name = 'App Accounts'

    def ready(self):
        from . import signal_handlers  # noqa
--- a/apps/accounts/automations/backup_account/handlers.py
+++ b/apps/accounts/automations/backup_account/handlers.py
@@ -3,6 +3,7 @@ import time
 from collections import defaultdict, OrderedDict

 from django.conf import settings
+from django.utils.translation import gettext_lazy as _
 from rest_framework import serializers
 from xlsxwriter import Workbook

@@ -17,7 +18,7 @@ from terminal.models.component.storage import ReplayStorage
 from users.models import User

 PATH = os.path.join(os.path.dirname(settings.BASE_DIR), 'tmp')
-
+split_help_text = _('The account key will be split into two parts and sent')

 class RecipientsNotFound(Exception):
    pass
@@ -115,8 +116,8 @@ class AssetAccountHandler(BaseAccountHandler):
            data = AccountSecretSerializer(_accounts, many=True).data
            cls.handler_secret(data, section)
            data_map.update(cls.add_rows(data, header_fields, sheet_name))
-
-        print('\n\033[33m- 共备份 {} 条账号\033[0m'.format(accounts.count()))
+        number_of_backup_accounts = _('Number of backup accounts')
+        print('\n\033[33m- {}: {}\033[0m'.format(number_of_backup_accounts, accounts.count()))
        return data_map


@@ -127,9 +128,10 @@ class AccountBackupHandler:
        self.is_frozen = False  # 任务状态冻结标志

    def create_excel(self, section='complete'):
+        hint = _('Generating asset or application related backup information files')
        print(
            '\n'
-            '\033[32m>>> 正在生成资产或应用相关备份信息文件\033[0m'
+            f'\033[32m>>> {hint}\033[0m'
            ''
        )
        # Print task start date
@@ -151,7 +153,9 @@ class AccountBackupHandler:
        wb.close()
        files.append(filename)
        timedelta = round((time.time() - time_start), 2)
-        print('创建备份文件完成: 用时 {}s'.format(timedelta))
+        time_cost = _('Time cost')
+        file_created = _('Backup file creation completed')
+        print('{}: {} {}s'.format(file_created, time_cost, timedelta))
        return files

    def send_backup_mail(self, files, recipients):
@@ -160,7 +164,7 @@ class AccountBackupHandler:
        recipients = User.objects.filter(id__in=list(recipients))
        print(
            '\n'
-            '\033[32m>>> 开始发送备份邮件\033[0m'
+            f'\033[32m>>> {_("Start sending backup emails")}\033[0m'
            ''
        )
        plan_name = self.plan_name
@@ -172,7 +176,8 @@ class AccountBackupHandler:
                encrypt_and_compress_zip_file(attachment, user.secret_key, files)
                attachment_list = [attachment, ]
            AccountBackupExecutionTaskMsg(plan_name, user).publish(attachment_list)
-            print('邮件已发送至{}({})'.format(user, user.email))
+            email_sent_to = _('Email sent to')
+            print('{} {}({})'.format(email_sent_to, user, user.email))
        for file in files:
            os.remove(file)

@@ -182,20 +187,22 @@ class AccountBackupHandler:
        recipients = ReplayStorage.objects.filter(id__in=list(recipients))
        print(
            '\n'
-            '\033[32m>>> 开始发送备份文件到sftp服务器\033[0m'
+            '\033[32m>>> 📃 ---> sftp \033[0m'
            ''
        )
        plan_name = self.plan_name
+        encrypt_file = _('Encrypting files using encryption password')
        for rec in recipients:
            attachment = os.path.join(PATH, f'{plan_name}-{local_now_filename()}-{time.time()}.zip')
            if password:
-                print('\033[32m>>> 使用加密密码对文件进行加密中\033[0m')
+                print(f'\033[32m>>> {encrypt_file}\033[0m')
                encrypt_and_compress_zip_file(attachment, password, files)
            else:
                zip_files(attachment, files)
            attachment_list = attachment
            AccountBackupByObjStorageExecutionTaskMsg(plan_name, rec).publish(attachment_list)
-            print('备份文件将发送至{}({})'.format(rec.name, rec.id))
+            file_sent_to = _('The backup file will be sent to')
+            print('{}: {}({})'.format(file_sent_to, rec.name, rec.id))
        for file in files:
            os.remove(file)

@@ -203,14 +210,15 @@ class AccountBackupHandler:
        self.execution.reason = reason[:1024]
        self.execution.is_success = is_success
        self.execution.save()
-        print('\n已完成对任务状态的更新\n')
+        finish = _('Finish')
+        print(f'\n{finish}\n')

    @staticmethod
    def step_finished(is_success):
        if is_success:
-            print('任务执行成功')
+            print(_('Success'))
        else:
-            print('任务执行失败')
+            print(_('Failed'))

    def _run(self):
        is_success = False
@@ -223,8 +231,6 @@ class AccountBackupHandler:
                self.backup_by_obj_storage()
        except Exception as e:
            self.is_frozen = True
-            print('任务执行被异常中断')
-            print('下面打印发生异常的 Traceback 信息 : ')
            print(e)
            error = str(e)
        else:
@@ -239,15 +245,16 @@ class AccountBackupHandler:
        zip_encrypt_password = AccountBackupAutomation.objects.get(id=object_id).zip_encrypt_password
        obj_recipients_part_one = self.execution.snapshot.get('obj_recipients_part_one', [])
        obj_recipients_part_two = self.execution.snapshot.get('obj_recipients_part_two', [])
+        no_assigned_sftp_server = _('The backup task has no assigned sftp server')
        if not obj_recipients_part_one and not obj_recipients_part_two:
            print(
                '\n'
-                '\033[31m>>> 该备份任务未分配sftp服务器\033[0m'
+                f'\033[31m>>> {no_assigned_sftp_server}\033[0m'
                ''
            )
            raise RecipientsNotFound('Not Found Recipients')
        if obj_recipients_part_one and obj_recipients_part_two:
-            print('\033[32m>>> 账号的密钥将被拆分成前后两部分发送\033[0m')
+            print(f'\033[32m>>> {split_help_text}\033[0m')
            files = self.create_excel(section='front')
            self.send_backup_obj_storage(files, obj_recipients_part_one, zip_encrypt_password)

@@ -259,17 +266,19 @@ class AccountBackupHandler:
            self.send_backup_obj_storage(files, recipients, zip_encrypt_password)

    def backup_by_email(self):
+
+        warn_text = _('The backup task has no assigned recipient')
        recipients_part_one = self.execution.snapshot.get('recipients_part_one', [])
        recipients_part_two = self.execution.snapshot.get('recipients_part_two', [])
        if not recipients_part_one and not recipients_part_two:
            print(
                '\n'
-                '\033[31m>>> 该备份任务未分配收件人\033[0m'
+                f'\033[31m>>> {warn_text}\033[0m'
                ''
            )
            raise RecipientsNotFound('Not Found Recipients')
        if recipients_part_one and recipients_part_two:
-            print('\033[32m>>> 账号的密钥将被拆分成前后两部分发送\033[0m')
+            print(f'\033[32m>>> {split_help_text}\033[0m')
            files = self.create_excel(section='front')
            self.send_backup_mail(files, recipients_part_one)

@@ -281,15 +290,18 @@ class AccountBackupHandler:
            self.send_backup_mail(files, recipients)

    def run(self):
-        print('任务开始: {}'.format(local_now_display()))
+        plan_start = _('Plan start')
+        plan_end = _('Plan end')
+        time_cost = _('Time cost')
+        error = _('An exception occurred during task execution')
+        print('{}: {}'.format(plan_start, local_now_display()))
        time_start = time.time()
        try:
            self._run()
        except Exception as e:
-            print('任务运行出现异常')
-            print('下面显示异常 Traceback 信息: ')
+            print(error)
            print(e)
        finally:
-            print('\n任务结束: {}'.format(local_now_display()))
+            print('\n{}: {}'.format(plan_end, local_now_display()))
            timedelta = round((time.time() - time_start), 2)
-            print('用时: {}s'.format(timedelta))
+            print('{}: {}s'.format(time_cost, timedelta))
--- a/apps/accounts/automations/backup_account/manager.py
+++ b/apps/accounts/automations/backup_account/manager.py
@@ -3,6 +3,7 @@
 import time

 from django.utils import timezone
+from django.utils.translation import gettext_lazy as _

 from common.utils.timezone import local_now_display
 from .handlers import AccountBackupHandler
@@ -19,7 +20,8 @@ class AccountBackupManager:

    def do_run(self):
        execution = self.execution
-        print('\n\033[33m# 账号备份计划正在执行\033[0m')
+        account_backup_execution_being_executed = _('The account backup plan is being executed')
+        print(f'\n\033[33m# {account_backup_execution_being_executed}\033[0m')
        handler = AccountBackupHandler(execution)
        handler.run()

@@ -32,9 +34,11 @@ class AccountBackupManager:
        self.date_end = timezone.now()

        print('\n\n' + '-' * 80)
-        print('计划执行结束 {}\n'.format(local_now_display()))
+        plan_execution_end = _('Plan execution end')
+        print('{} {}\n'.format(plan_execution_end, local_now_display()))
        self.timedelta = self.time_end - self.time_start
-        print('用时: {}s'.format(self.timedelta))
+        time_cost = _('Time cost')
+        print('{}: {}s'.format(time_cost, self.timedelta))
        self.execution.timedelta = self.timedelta
        self.execution.save()

--- a/apps/accounts/automations/change_secret/database/mysql/main.yml
+++ b/apps/accounts/automations/change_secret/database/mysql/main.yml
@@ -4,6 +4,9 @@
    ansible_python_interpreter: /opt/py3/bin/python
    db_name: "{{ jms_asset.spec_info.db_name }}"
    check_ssl: "{{ jms_asset.spec_info.use_ssl and not jms_asset.spec_info.allow_invalid_cert }}"
+    ca_cert: "{{ jms_asset.secret_info.ca_cert | default('') }}"
+    ssl_cert: "{{ jms_asset.secret_info.client_cert | default('') }}"
+    ssl_key: "{{ jms_asset.secret_info.client_key | default('') }}"

  tasks:
    - name: Test MySQL connection
@@ -13,9 +16,9 @@
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        check_hostname: "{{ check_ssl if check_ssl else omit }}"
-        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) if check_ssl else omit }}"
-        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) if check_ssl else omit }}"
-        client_key: "{{ jms_asset.secret_info.client_key | default(omit) if check_ssl else omit }}"
+        ca_cert: "{{ ca_cert if check_ssl and ca_cert | length > 0 else omit }}"
+        client_cert: "{{ ssl_cert if check_ssl and ssl_cert | length > 0 else omit }}"
+        client_key: "{{ ssl_key if check_ssl and ssl_key | length > 0 else omit }}"
        filter: version
      register: db_info

@@ -30,9 +33,9 @@
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        check_hostname: "{{ check_ssl if check_ssl else omit }}"
-        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) if check_ssl else omit }}"
-        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) if check_ssl else omit }}"
-        client_key: "{{ jms_asset.secret_info.client_key | default(omit) if check_ssl else omit }}"
+        ca_cert: "{{ ca_cert if check_ssl and ca_cert | length > 0 else omit }}"
+        client_cert: "{{ ssl_cert if check_ssl and ssl_cert | length > 0 else omit }}"
+        client_key: "{{ ssl_key if check_ssl and ssl_key | length > 0 else omit }}"
        name: "{{ account.username }}"
        password: "{{ account.secret }}"
        host: "%"
@@ -47,7 +50,7 @@
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        check_hostname: "{{ check_ssl if check_ssl else omit }}"
-        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) if check_ssl else omit }}"
-        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) if check_ssl else omit }}"
-        client_key: "{{ jms_asset.secret_info.client_key | default(omit) if check_ssl else omit }}"
+        ca_cert: "{{ ca_cert if check_ssl and ca_cert | length > 0 else omit }}"
+        client_cert: "{{ ssl_cert if check_ssl and ssl_cert | length > 0 else omit }}"
+        client_key: "{{ ssl_key if check_ssl and ssl_key | length > 0 else omit }}"
        filter: version
--- a/apps/accounts/automations/change_secret/database/postgresql/main.yml
+++ b/apps/accounts/automations/change_secret/database/postgresql/main.yml
@@ -2,6 +2,10 @@
  gather_facts: no
  vars:
    ansible_python_interpreter: /opt/py3/bin/python
+    check_ssl: "{{ jms_asset.spec_info.use_ssl }}"
+    ca_cert: "{{ jms_asset.secret_info.ca_cert | default('') }}"
+    ssl_cert: "{{ jms_asset.secret_info.client_cert | default('') }}"
+    ssl_key: "{{ jms_asset.secret_info.client_key | default('') }}"

  tasks:
    - name: Test PostgreSQL connection
@@ -11,6 +15,10 @@
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        login_db: "{{ jms_asset.spec_info.db_name }}"
+        ca_cert: "{{ ca_cert if check_ssl and ca_cert | length > 0 else omit }}"
+        ssl_cert: "{{ ssl_cert if check_ssl and ssl_cert | length > 0 else omit }}"
+        ssl_key: "{{ ssl_key if check_ssl and ssl_key | length > 0 else omit }}"
+        ssl_mode: "{{ jms_asset.spec_info.pg_ssl_mode }}"
      register: result
      failed_when: not result.is_available

@@ -28,6 +36,10 @@
        db: "{{ jms_asset.spec_info.db_name }}"
        name: "{{ account.username }}"
        password: "{{ account.secret }}"
+        ca_cert: "{{ ca_cert if check_ssl and ca_cert | length > 0 else omit }}"
+        ssl_cert: "{{ ssl_cert if check_ssl and ssl_cert | length > 0 else omit }}"
+        ssl_key: "{{ ssl_key if check_ssl and ssl_key | length > 0 else omit }}"
+        ssl_mode: "{{ jms_asset.spec_info.pg_ssl_mode }}"
        role_attr_flags: LOGIN
      ignore_errors: true
      when: result is succeeded
@@ -39,3 +51,7 @@
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        db: "{{ jms_asset.spec_info.db_name }}"
+        ca_cert: "{{ ca_cert if check_ssl and ca_cert | length > 0 else omit }}"
+        ssl_cert: "{{ ssl_cert if check_ssl and ssl_cert | length > 0 else omit }}"
+        ssl_key: "{{ ssl_key if check_ssl and ssl_key | length > 0 else omit }}"
+        ssl_mode: "{{ jms_asset.spec_info.pg_ssl_mode }}"
--- a/apps/accounts/automations/change_secret/host/aix/main.yml
+++ b/apps/accounts/automations/change_secret/host/aix/main.yml
@@ -14,51 +14,15 @@
    - name: "Add {{ account.username }} user"
      ansible.builtin.user:
        name: "{{ account.username }}"
-        shell: "{{ params.shell }}"
-        home: "{{ params.home | default('/home/' + account.username, true) }}"
-        groups: "{{ params.groups }}"
+        uid: "{{ params.uid | int if params.uid | length > 0 else omit }}"
+        shell: "{{ params.shell if params.shell | length > 0 else omit }}"
+        home: "{{ params.home if params.home | length > 0 else '/home/' + account.username }}"
+        groups: "{{ params.groups if params.groups | length > 0 else omit }}"
+        append: yes
        expires: -1
        state: present
      when: user_info.failed

-    - name: "Add {{ account.username }} group"
-      ansible.builtin.group:
-        name: "{{ account.username }}"
-        state: present
-      when: user_info.failed
-
-    - name: "Add {{ account.username }} user to group"
-      ansible.builtin.user:
-        name: "{{ account.username }}"
-        groups: "{{ params.groups }}"
-      when:
-        - user_info.failed
-        - params.groups
-
-    - name: "Change {{ account.username }} password"
-      ansible.builtin.user:
-        name: "{{ account.username }}"
-        password: "{{ account.secret | password_hash('des') }}"
-        update_password: always
-      ignore_errors: true
-      when: account.secret_type == "password"
-
-    - name: remove jumpserver ssh key
-      ansible.builtin.lineinfile:
-        dest: "{{ ssh_params.dest }}"
-        regexp: "{{ ssh_params.regexp }}"
-        state: absent
-      when:
-        - account.secret_type == "ssh_key"
-        - ssh_params.strategy == "set_jms"
-
-    - name: "Change {{ account.username }} SSH key"
-      ansible.builtin.authorized_key:
-        user: "{{ account.username }}"
-        key: "{{ account.secret }}"
-        exclusive: "{{ ssh_params.exclusive }}"
-      when: account.secret_type == "ssh_key"
-
    - name: "Set {{ account.username }} sudo setting"
      ansible.builtin.lineinfile:
        dest: /etc/sudoers
@@ -67,9 +31,59 @@
        line: "{{ account.username + ' ALL=(ALL) NOPASSWD: ' + params.sudo }}"
        validate: visudo -cf %s
      when:
-        - user_info.failed
+        - user_info.failed or params.modify_sudo
        - params.sudo

+    - name: "Change {{ account.username }} password"
+      ansible.builtin.user:
+        name: "{{ account.username }}"
+        password: "{{ account.secret | password_hash('des') }}"
+        update_password: always
+      ignore_errors: true
+      when: account.secret_type == "password"
+
+    - name: "Get home directory for {{ account.username }}"
+      ansible.builtin.shell: "getent passwd {{ account.username }} | cut -d: -f6"
+      register: home_dir
+      when: account.secret_type == "ssh_key"
+      ignore_errors: yes
+
+    - name: "Check if home directory exists for {{ account.username }}"
+      ansible.builtin.stat:
+        path: "{{ home_dir.stdout.strip() }}"
+      register: home_dir_stat
+      when: account.secret_type == "ssh_key"
+      ignore_errors: yes
+
+    - name: "Ensure {{ account.username }} home directory exists"
+      ansible.builtin.file:
+        path: "{{ home_dir.stdout.strip() }}"
+        state: directory
+        owner: "{{ account.username }}"
+        group: "{{ account.username }}"
+        mode: '0750'
+      when:
+        - account.secret_type == "ssh_key"
+        - home_dir_stat.stat.exists == false
+      ignore_errors: yes
+
+    - name: Remove jumpserver ssh key
+      ansible.builtin.lineinfile:
+        dest: "{{ home_dir.stdout.strip() }}/.ssh/authorized_keys"
+        regexp: "{{ ssh_params.regexp }}"
+        state: absent
+      when:
+        - account.secret_type == "ssh_key"
+        - ssh_params.strategy == "set_jms"
+      ignore_errors: yes
+
+    - name: "Change {{ account.username }} SSH key"
+      ansible.builtin.authorized_key:
+        user: "{{ account.username }}"
+        key: "{{ account.secret }}"
+        exclusive: "{{ ssh_params.exclusive }}"
+      when: account.secret_type == "ssh_key"
+
    - name: Refresh connection
      ansible.builtin.meta: reset_connection

@@ -79,7 +93,7 @@
        login_password: "{{ account.secret }}"
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
-        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
+        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default(None) }}"
        become: "{{ account.become.ansible_become | default(False) }}"
        become_method: su
        become_user: "{{ account.become.ansible_user | default('') }}"
@@ -95,7 +109,7 @@
        login_port: "{{ jms_asset.port }}"
        login_user: "{{ account.username }}"
        login_private_key_path: "{{ account.private_key_path  }}"
-        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
+        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default(None) }}"
        old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
      when: account.secret_type == "ssh_key"
      delegate_to: localhost
--- a/apps/accounts/automations/change_secret/host/aix/manifest.yml
+++ b/apps/accounts/automations/change_secret/host/aix/manifest.yml
@@ -5,6 +5,12 @@ type:
  - AIX
 method: change_secret
 params:
+  - name: modify_sudo
+    type: bool
+    label: "{{ 'Modify sudo label' | trans }}"
+    default: False
+    help_text: "{{ 'Modify params sudo help text' | trans }}"
+
  - name: sudo
    type: str
    label: 'Sudo'
@@ -28,12 +34,23 @@ params:
    default: ''
    help_text: "{{ 'Params groups help text' | trans }}"

+  - name: uid
+    type: str
+    label: "{{ 'Params uid label' | trans }}"
+    default: ''
+    help_text: "{{ 'Params uid help text' | trans }}"
+
 i18n:
  AIX account change secret:
    zh: '使用 Ansible 模块 user 执行账号改密 (DES)'
    ja: 'Ansible user モジュールを使用してアカウントのパスワード変更 (DES)'
    en: 'Using Ansible module user to change account secret (DES)'

+  Modify params sudo help text:
+    zh: '如果用户存在，可以修改sudo权限'
+    ja: 'ユーザーが存在する場合、sudo権限を変更できます'
+    en: 'If the user exists, sudo permissions can be modified'
+
  Params sudo help text:
    zh: '使用逗号分隔多个命令，如: /bin/whoami,/sbin/ifconfig'
    ja: 'コンマで区切って複数のコマンドを入力してください。例: /bin/whoami,/sbin/ifconfig'
@@ -49,6 +66,16 @@ i18n:
    ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
    en: 'Please enter the group. Multiple groups are separated by commas (please enter the existing group)'

+  Params uid help text:
+    zh: '请输入用户ID'
+    ja: 'ユーザーIDを入力してください'
+    en: 'Please enter the user ID'
+
+  Modify sudo label:
+    zh: '修改 sudo 权限'
+    ja: 'sudo 権限を変更'
+    en: 'Modify sudo'
+
  Params home label:
    zh: '家目录'
    ja: 'ホームディレクトリ'
@@ -59,3 +86,7 @@ i18n:
    ja: 'グループ'
    en: 'Groups'

+  Params uid label:
+    zh: '用户ID'
+    ja: 'ユーザーID'
+    en: 'User ID'
--- a/apps/accounts/automations/change_secret/host/posix/main.yml
+++ b/apps/accounts/automations/change_secret/host/posix/main.yml
@@ -14,51 +14,15 @@
    - name: "Add {{ account.username }} user"
      ansible.builtin.user:
        name: "{{ account.username }}"
-        shell: "{{ params.shell }}"
-        home: "{{ params.home | default('/home/' + account.username, true) }}"
-        groups: "{{ params.groups }}"
+        uid: "{{ params.uid | int if params.uid | length > 0 else omit }}"
+        shell: "{{ params.shell if params.shell | length > 0 else omit }}"
+        home: "{{ params.home if params.home | length > 0 else '/home/' + account.username }}"
+        groups: "{{ params.groups if params.groups | length > 0 else omit }}"
+        append: yes
        expires: -1
        state: present
      when: user_info.failed

-    - name: "Add {{ account.username }} group"
-      ansible.builtin.group:
-        name: "{{ account.username }}"
-        state: present
-      when: user_info.failed
-
-    - name: "Add {{ account.username }} user to group"
-      ansible.builtin.user:
-        name: "{{ account.username }}"
-        groups: "{{ params.groups }}"
-      when:
-        - user_info.failed
-        - params.groups
-
-    - name: "Change {{ account.username }} password"
-      ansible.builtin.user:
-        name: "{{ account.username }}"
-        password: "{{ account.secret | password_hash('sha512') }}"
-        update_password: always
-      ignore_errors: true
-      when: account.secret_type == "password"
-
-    - name: remove jumpserver ssh key
-      ansible.builtin.lineinfile:
-        dest: "{{ ssh_params.dest }}"
-        regexp: "{{ ssh_params.regexp }}"
-        state: absent
-      when:
-        - account.secret_type == "ssh_key"
-        - ssh_params.strategy == "set_jms"
-
-    - name: "Change {{ account.username }} SSH key"
-      ansible.builtin.authorized_key:
-        user: "{{ account.username }}"
-        key: "{{ account.secret }}"
-        exclusive: "{{ ssh_params.exclusive }}"
-      when: account.secret_type == "ssh_key"
-
    - name: "Set {{ account.username }} sudo setting"
      ansible.builtin.lineinfile:
        dest: /etc/sudoers
@@ -67,9 +31,59 @@
        line: "{{ account.username + ' ALL=(ALL) NOPASSWD: ' + params.sudo }}"
        validate: visudo -cf %s
      when:
-        - user_info.failed
+        - user_info.failed or params.modify_sudo
        - params.sudo

+    - name: "Change {{ account.username }} password"
+      ansible.builtin.user:
+        name: "{{ account.username }}"
+        password: "{{ account.secret | password_hash('sha512') }}"
+        update_password: always
+      ignore_errors: true
+      when: account.secret_type == "password"
+
+    - name: "Get home directory for {{ account.username }}"
+      ansible.builtin.shell: "getent passwd {{ account.username }} | cut -d: -f6"
+      register: home_dir
+      when: account.secret_type == "ssh_key"
+      ignore_errors: yes
+
+    - name: "Check if home directory exists for {{ account.username }}"
+      ansible.builtin.stat:
+        path: "{{ home_dir.stdout.strip() }}"
+      register: home_dir_stat
+      when: account.secret_type == "ssh_key"
+      ignore_errors: yes
+
+    - name: "Ensure {{ account.username }} home directory exists"
+      ansible.builtin.file:
+        path: "{{ home_dir.stdout.strip() }}"
+        state: directory
+        owner: "{{ account.username }}"
+        group: "{{ account.username }}"
+        mode: '0750'
+      when:
+        - account.secret_type == "ssh_key"
+        - home_dir_stat.stat.exists == false
+      ignore_errors: yes
+
+    - name: Remove jumpserver ssh key
+      ansible.builtin.lineinfile:
+        dest: "{{ home_dir.stdout.strip() }}/.ssh/authorized_keys"
+        regexp: "{{ ssh_params.regexp }}"
+        state: absent
+      when:
+        - account.secret_type == "ssh_key"
+        - ssh_params.strategy == "set_jms"
+      ignore_errors: yes
+
+    - name: "Change {{ account.username }} SSH key"
+      ansible.builtin.authorized_key:
+        user: "{{ account.username }}"
+        key: "{{ account.secret }}"
+        exclusive: "{{ ssh_params.exclusive }}"
+      when: account.secret_type == "ssh_key"
+
    - name: Refresh connection
      ansible.builtin.meta: reset_connection

@@ -79,7 +93,7 @@
        login_password: "{{ account.secret }}"
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
-        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
+        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default(None) }}"
        become: "{{ account.become.ansible_become | default(False) }}"
        become_method: su
        become_user: "{{ account.become.ansible_user | default('') }}"
@@ -95,7 +109,7 @@
        login_port: "{{ jms_asset.port }}"
        login_user: "{{ account.username }}"
        login_private_key_path: "{{ account.private_key_path  }}"
-        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
+        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default(None) }}"
        old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
      when: account.secret_type == "ssh_key"
      delegate_to: localhost
--- a/apps/accounts/automations/change_secret/host/posix/manifest.yml
+++ b/apps/accounts/automations/change_secret/host/posix/manifest.yml
@@ -6,6 +6,12 @@ type:
  - linux
 method: change_secret
 params:
+  - name: modify_sudo
+    type: bool
+    label: "{{ 'Modify sudo label' | trans }}"
+    default: False
+    help_text: "{{ 'Modify params sudo help text' | trans }}"
+
  - name: sudo
    type: str
    label: 'Sudo'
@@ -30,12 +36,23 @@ params:
    default: ''
    help_text: "{{ 'Params groups help text' | trans }}"

+  - name: uid
+    type: str
+    label: "{{ 'Params uid label' | trans }}"
+    default: ''
+    help_text: "{{ 'Params uid help text' | trans }}"
+
 i18n:
  Posix account change secret:
    zh: '使用 Ansible 模块 user 执行账号改密 (SHA512)'
    ja: 'Ansible user モジュールを使用して アカウントのパスワード変更 (SHA512)'
    en: 'Using Ansible module user to change account secret (SHA512)'

+  Modify params sudo help text:
+    zh: '如果用户存在，可以修改sudo权限'
+    ja: 'ユーザーが存在する場合、sudo権限を変更できます'
+    en: 'If the user exists, sudo permissions can be modified'
+
  Params sudo help text:
    zh: '使用逗号分隔多个命令，如: /bin/whoami,/sbin/ifconfig'
    ja: 'コンマで区切って複数のコマンドを入力してください。例: /bin/whoami,/sbin/ifconfig'
@@ -51,6 +68,16 @@ i18n:
    ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
    en: 'Please enter the group. Multiple groups are separated by commas (please enter the existing group)'

+  Params uid help text:
+    zh: '请输入用户ID'
+    ja: 'ユーザーIDを入力してください'
+    en: 'Please enter the user ID'
+
+  Modify sudo label:
+    zh: '修改 sudo 权限'
+    ja: 'sudo 権限を変更'
+    en: 'Modify sudo'
+
  Params home label:
    zh: '家目录'
    ja: 'ホームディレクトリ'
@@ -61,3 +88,7 @@ i18n:
    ja: 'グループ'
    en: 'Groups'

+  Params uid label:
+    zh: '用户ID'
+    ja: 'ユーザーID'
+    en: 'User ID'
--- a/apps/accounts/automations/change_secret/host/windows_rdp_verify/main.yml
+++ b/apps/accounts/automations/change_secret/host/windows_rdp_verify/main.yml
@@ -25,11 +25,11 @@

    - name: Verify password (pyfreerdp)
      rdp_ping:
-        login_host: "{{ jms_asset.address }}"
+        login_host: "{{ jms_asset.origin_address }}"
        login_port: "{{ jms_asset.protocols | selectattr('name', 'equalto', 'rdp') | map(attribute='port') | first }}"
        login_user: "{{ account.username }}"
        login_password: "{{ account.secret }}"
        login_secret_type: "{{ account.secret_type }}"
-        login_private_key_path: "{{ account.private_key_path }}"
+        gateway_args: "{{ jms_gateway | default({}) }}"
      when: account.secret_type == "password"
      delegate_to: localhost
--- a/apps/accounts/automations/change_secret/manager.py
+++ b/apps/accounts/automations/change_secret/manager.py
@@ -8,7 +8,7 @@ from django.utils.translation import gettext_lazy as _
 from xlsxwriter import Workbook

 from accounts.const import AutomationTypes, SecretType, SSHKeyStrategy, SecretStrategy, ChangeSecretRecordStatusChoice
-from accounts.models import ChangeSecretRecord
+from accounts.models import ChangeSecretRecord, BaseAccountQuerySet
 from accounts.notifications import ChangeSecretExecutionTaskMsg, ChangeSecretFailedMsg
 from accounts.serializers import ChangeSecretRecordBackUpSerializer
 from assets.const import HostTypes
@@ -50,9 +50,6 @@ class ChangeSecretManager(AccountBasePlaybookManager):
        kwargs['exclusive'] = 'yes' if kwargs['strategy'] == SSHKeyStrategy.set else 'no'

        if kwargs['strategy'] == SSHKeyStrategy.set_jms:
-            username = account.username
-            path = f'/{username}' if username == "root" else f'/home/{username}'
-            kwargs['dest'] = f'{path}/.ssh/authorized_keys'
            kwargs['regexp'] = '.*{}$'.format(secret.split()[2].strip())
        return kwargs

@@ -68,10 +65,10 @@ class ChangeSecretManager(AccountBasePlaybookManager):
        else:
            return self.secret_generator(secret_type).get_secret()

-    def get_accounts(self, privilege_account):
+    def get_accounts(self, privilege_account) -> BaseAccountQuerySet | None:
        if not privilege_account:
-            print(f'not privilege account')
-            return []
+            print('Not privilege account')
+            return

        asset = privilege_account.asset
        accounts = asset.accounts.all()
@@ -97,10 +94,9 @@ class ChangeSecretManager(AccountBasePlaybookManager):
            return host

        accounts = self.get_accounts(account)
+        error_msg = _("No pending accounts found")
        if not accounts:
-            print('没有发现待处理的账号: %s 用户ID: %s 类型: %s' % (
-                asset.name, self.account_ids, self.secret_type
-            ))
+            print(f'{asset}: {error_msg}')
            return []

        records = []
@@ -109,6 +105,9 @@ class ChangeSecretManager(AccountBasePlaybookManager):
            print(f'Windows {asset} does not support ssh key push')
            return inventory_hosts

+        if asset.type == HostTypes.WINDOWS:
+            accounts = accounts.filter(secret_type=SecretType.PASSWORD)
+
        host['ssh_params'] = {}
        for account in accounts:
            h = deepcopy(host)
@@ -128,6 +127,7 @@ class ChangeSecretManager(AccountBasePlaybookManager):
                recorder = ChangeSecretRecord(
                    asset=asset, account=account, execution=self.execution,
                    old_secret=account.secret, new_secret=new_secret,
+                    comment=f'{account.username}@{asset.address}'
                )
                records.append(recorder)
            else:
@@ -227,6 +227,9 @@ class ChangeSecretManager(AccountBasePlaybookManager):

    def run(self, *args, **kwargs):
        if self.secret_type and not self.check_secret():
+            self.execution.status = 'success'
+            self.execution.date_finished = timezone.now()
+            self.execution.save()
            return
        super().run(*args, **kwargs)
        recorders = list(self.name_recorder_mapper.values())
--- a/apps/accounts/automations/gather_accounts/database/mysql/main.yml
+++ b/apps/accounts/automations/gather_accounts/database/mysql/main.yml
@@ -3,6 +3,9 @@
  vars:
    ansible_python_interpreter: /opt/py3/bin/python
    check_ssl: "{{ jms_asset.spec_info.use_ssl and not jms_asset.spec_info.allow_invalid_cert }}"
+    ca_cert: "{{ jms_asset.secret_info.ca_cert | default('') }}"
+    ssl_cert: "{{ jms_asset.secret_info.client_cert | default('') }}"
+    ssl_key: "{{ jms_asset.secret_info.client_key | default('') }}"

  tasks:
    - name: Get info
@@ -12,9 +15,9 @@
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        check_hostname: "{{ check_ssl if check_ssl else omit }}"
-        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) if check_ssl else omit }}"
-        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) if check_ssl else omit }}"
-        client_key: "{{ jms_asset.secret_info.client_key | default(omit) if check_ssl else omit }}"
+        ca_cert: "{{ ca_cert if check_ssl and ca_cert | length > 0 else omit }}"
+        client_cert: "{{ ssl_cert if check_ssl and ssl_cert | length > 0 else omit }}"
+        client_key: "{{ ssl_key if check_ssl and ssl_key | length > 0 else omit }}"
        filter: users
      register: db_info

--- a/apps/accounts/automations/gather_accounts/database/postgresql/main.yml
+++ b/apps/accounts/automations/gather_accounts/database/postgresql/main.yml
@@ -2,6 +2,10 @@
  gather_facts: no
  vars:
    ansible_python_interpreter: /opt/py3/bin/python
+    check_ssl: "{{ jms_asset.spec_info.use_ssl }}"
+    ca_cert: "{{ jms_asset.secret_info.ca_cert | default('') }}"
+    ssl_cert: "{{ jms_asset.secret_info.client_cert | default('') }}"
+    ssl_key: "{{ jms_asset.secret_info.client_key | default('') }}"

  tasks:
    - name: Get info
@@ -11,6 +15,10 @@
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        login_db: "{{ jms_asset.spec_info.db_name }}"
+        ca_cert: "{{ ca_cert if check_ssl and ca_cert | length > 0 else omit }}"
+        ssl_cert: "{{ ssl_cert if check_ssl and ssl_cert | length > 0 else omit }}"
+        ssl_key: "{{ ssl_key if check_ssl and ssl_key | length > 0 else omit }}"
+        ssl_mode: "{{ jms_asset.spec_info.pg_ssl_mode }}"
        filter: "roles"
      register: db_info

--- a/apps/accounts/automations/gather_accounts/filter.py
+++ b/apps/accounts/automations/gather_accounts/filter.py
@@ -31,7 +31,7 @@ class GatherAccountsFilter:
    def posix_filter(info):
        username_pattern = re.compile(r'^(\S+)')
        ip_pattern = re.compile(r'(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})')
-        login_time_pattern = re.compile(r'\w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}')
+        login_time_pattern = re.compile(r'\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}')
        result = {}
        for line in info:
            usernames = username_pattern.findall(line)
@@ -46,7 +46,8 @@ class GatherAccountsFilter:
                result[username].update({'address': ip_addr})
            login_times = login_time_pattern.findall(line)
            if login_times:
-                date = timezone.datetime.strptime(f'{login_times[0]} +0800', '%b %d %H:%M:%S %Y %z')
+                datetime_str = login_times[0].split(' ', 1)[1] + " +0800"
+                date = timezone.datetime.strptime(datetime_str, '%b %d %H:%M:%S %Y %z')
                result[username].update({'date': date})
        return result

--- a/apps/accounts/automations/gather_accounts/manager.py
+++ b/apps/accounts/automations/gather_accounts/manager.py
@@ -95,12 +95,14 @@ class GatherAccountsManager(AccountBasePlaybookManager):
            return None, None

        users = User.objects.filter(id__in=recipients)
-        if not users:
+        if not users.exists():
            return users, None

        asset_ids = self.asset_username_mapper.keys()
-        assets = Asset.objects.filter(id__in=asset_ids)
+
+        assets = Asset.objects.filter(id__in=asset_ids).prefetch_related('accounts')
        gather_accounts = GatheredAccount.objects.filter(asset_id__in=asset_ids, present=True)
+
        asset_id_map = {str(asset.id): asset for asset in assets}
        asset_id_username = list(assets.values_list('id', 'accounts__username'))
        asset_id_username.extend(list(gather_accounts.values_list('asset_id', 'username')))
@@ -109,26 +111,24 @@ class GatherAccountsManager(AccountBasePlaybookManager):
        for asset_id, username in asset_id_username:
            system_asset_username_mapper[str(asset_id)].add(username)

-        change_info = {}
+        change_info = defaultdict(dict)
        for asset_id, usernames in self.asset_username_mapper.items():
            system_usernames = system_asset_username_mapper.get(asset_id)
-
            if not system_usernames:
                continue

            add_usernames = usernames - system_usernames
            remove_usernames = system_usernames - usernames
-            k = f'{asset_id_map[asset_id]}[{asset_id}]'

            if not add_usernames and not remove_usernames:
                continue

-            change_info[k] = {
-                'add_usernames': ', '.join(add_usernames),
-                'remove_usernames': ', '.join(remove_usernames),
+            change_info[str(asset_id_map[asset_id])] = {
+                'add_usernames': add_usernames,
+                'remove_usernames': remove_usernames
            }

-        return users, change_info
+        return users, dict(change_info)

    @staticmethod
    def send_email_if_need(users, change_info):
--- a/apps/accounts/automations/push_account/database/mysql/main.yml
+++ b/apps/accounts/automations/push_account/database/mysql/main.yml
@@ -4,6 +4,9 @@
    ansible_python_interpreter: /opt/py3/bin/python
    db_name: "{{ jms_asset.spec_info.db_name }}"
    check_ssl: "{{ jms_asset.spec_info.use_ssl and not jms_asset.spec_info.allow_invalid_cert }}"
+    ca_cert: "{{ jms_asset.secret_info.ca_cert | default('') }}"
+    ssl_cert: "{{ jms_asset.secret_info.client_cert | default('') }}"
+    ssl_key: "{{ jms_asset.secret_info.client_key | default('') }}"

  tasks:
    - name: Test MySQL connection
@@ -13,9 +16,9 @@
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        check_hostname: "{{ check_ssl if check_ssl else omit }}"
-        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) if check_ssl else omit }}"
-        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) if check_ssl else omit }}"
-        client_key: "{{ jms_asset.secret_info.client_key | default(omit) if check_ssl else omit }}"
+        ca_cert: "{{ ca_cert if check_ssl and ca_cert | length > 0 else omit }}"
+        client_cert: "{{ ssl_cert if check_ssl and ssl_cert | length > 0 else omit }}"
+        client_key: "{{ ssl_key if check_ssl and ssl_key | length > 0 else omit }}"
        filter: version
      register: db_info

@@ -30,9 +33,9 @@
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        check_hostname: "{{ check_ssl if check_ssl else omit }}"
-        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) if check_ssl else omit }}"
-        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) if check_ssl else omit }}"
-        client_key: "{{ jms_asset.secret_info.client_key | default(omit) if check_ssl else omit }}"
+        ca_cert: "{{ ca_cert if check_ssl and ca_cert | length > 0 else omit }}"
+        client_cert: "{{ ssl_cert if check_ssl and ssl_cert | length > 0 else omit }}"
+        client_key: "{{ ssl_key if check_ssl and ssl_key | length > 0 else omit }}"
        name: "{{ account.username }}"
        password: "{{ account.secret }}"
        host: "%"
@@ -47,7 +50,7 @@
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        check_hostname: "{{ check_ssl if check_ssl else omit }}"
-        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) if check_ssl else omit }}"
-        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) if check_ssl else omit }}"
-        client_key: "{{ jms_asset.secret_info.client_key | default(omit) if check_ssl else omit }}"
+        ca_cert: "{{ ca_cert if check_ssl and ca_cert | length > 0 else omit }}"
+        client_cert: "{{ ssl_cert if check_ssl and ssl_cert | length > 0 else omit }}"
+        client_key: "{{ ssl_key if check_ssl and ssl_key | length > 0 else omit }}"
        filter: version
--- a/apps/accounts/automations/push_account/database/postgresql/main.yml
+++ b/apps/accounts/automations/push_account/database/postgresql/main.yml
@@ -2,6 +2,10 @@
  gather_facts: no
  vars:
    ansible_python_interpreter: /opt/py3/bin/python
+    check_ssl: "{{ jms_asset.spec_info.use_ssl }}"
+    ca_cert: "{{ jms_asset.secret_info.ca_cert | default('') }}"
+    ssl_cert: "{{ jms_asset.secret_info.client_cert | default('') }}"
+    ssl_key: "{{ jms_asset.secret_info.client_key | default('') }}"

  tasks:
    - name: Test PostgreSQL connection
@@ -11,6 +15,10 @@
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        login_db: "{{ jms_asset.spec_info.db_name }}"
+        ca_cert: "{{ ca_cert if check_ssl and ca_cert | length > 0 else omit }}"
+        ssl_cert: "{{ ssl_cert if check_ssl and ssl_cert | length > 0 else omit }}"
+        ssl_key: "{{ ssl_key if check_ssl and ssl_key | length > 0 else omit }}"
+        ssl_mode: "{{ jms_asset.spec_info.pg_ssl_mode }}"
      register: result
      failed_when: not result.is_available

@@ -28,6 +36,10 @@
        db: "{{ jms_asset.spec_info.db_name }}"
        name: "{{ account.username }}"
        password: "{{ account.secret }}"
+        ca_cert: "{{ ca_cert if check_ssl and ca_cert | length > 0 else omit }}"
+        ssl_cert: "{{ ssl_cert if check_ssl and ssl_cert | length > 0 else omit }}"
+        ssl_key: "{{ ssl_key if check_ssl and ssl_key | length > 0 else omit }}"
+        ssl_mode: "{{ jms_asset.spec_info.pg_ssl_mode }}"
        role_attr_flags: LOGIN
      ignore_errors: true
      when: result is succeeded
@@ -40,6 +52,10 @@
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        db: "{{ jms_asset.spec_info.db_name }}"
+        ca_cert: "{{ ca_cert if check_ssl and ca_cert | length > 0 else omit }}"
+        ssl_cert: "{{ ssl_cert if check_ssl and ssl_cert | length > 0 else omit }}"
+        ssl_key: "{{ ssl_key if check_ssl and ssl_key | length > 0 else omit }}"
+        ssl_mode: "{{ jms_asset.spec_info.pg_ssl_mode }}"
      when:
        - result is succeeded
        - change_info is succeeded
--- a/apps/accounts/automations/push_account/host/aix/main.yml
+++ b/apps/accounts/automations/push_account/host/aix/main.yml
@@ -14,51 +14,15 @@
    - name: "Add {{ account.username }} user"
      ansible.builtin.user:
        name: "{{ account.username }}"
-        shell: "{{ params.shell }}"
-        home: "{{ params.home | default('/home/' + account.username, true) }}"
-        groups: "{{ params.groups }}"
+        uid: "{{ params.uid | int if params.uid | length > 0 else omit }}"
+        shell: "{{ params.shell if params.shell | length > 0 else omit }}"
+        home: "{{ params.home if params.home | length > 0 else '/home/' + account.username }}"
+        groups: "{{ params.groups if params.groups | length > 0 else omit }}"
+        append: yes
        expires: -1
        state: present
      when: user_info.failed

-    - name: "Add {{ account.username }} group"
-      ansible.builtin.group:
-        name: "{{ account.username }}"
-        state: present
-      when: user_info.failed
-
-    - name: "Add {{ account.username }} user to group"
-      ansible.builtin.user:
-        name: "{{ account.username }}"
-        groups: "{{ params.groups }}"
-      when:
-        - user_info.failed
-        - params.groups
-
-    - name: "Change {{ account.username }} password"
-      ansible.builtin.user:
-        name: "{{ account.username }}"
-        password: "{{ account.secret | password_hash('des') }}"
-        update_password: always
-      ignore_errors: true
-      when: account.secret_type == "password"
-
-    - name: remove jumpserver ssh key
-      ansible.builtin.lineinfile:
-        dest: "{{ ssh_params.dest }}"
-        regexp: "{{ ssh_params.regexp }}"
-        state: absent
-      when:
-        - account.secret_type == "ssh_key"
-        - ssh_params.strategy == "set_jms"
-
-    - name: "Change {{ account.username }} SSH key"
-      ansible.builtin.authorized_key:
-        user: "{{ account.username }}"
-        key: "{{ account.secret }}"
-        exclusive: "{{ ssh_params.exclusive }}"
-      when: account.secret_type == "ssh_key"
-
    - name: "Set {{ account.username }} sudo setting"
      ansible.builtin.lineinfile:
        dest: /etc/sudoers
@@ -67,9 +31,59 @@
        line: "{{ account.username + ' ALL=(ALL) NOPASSWD: ' + params.sudo }}"
        validate: visudo -cf %s
      when:
-        - user_info.failed
+        - user_info.failed or params.modify_sudo
        - params.sudo

+    - name: "Change {{ account.username }} password"
+      ansible.builtin.user:
+        name: "{{ account.username }}"
+        password: "{{ account.secret | password_hash('des') }}"
+        update_password: always
+      ignore_errors: true
+      when: account.secret_type == "password"
+
+    - name: "Get home directory for {{ account.username }}"
+      ansible.builtin.shell: "getent passwd {{ account.username }} | cut -d: -f6"
+      register: home_dir
+      when: account.secret_type == "ssh_key"
+      ignore_errors: yes
+
+    - name: "Check if home directory exists for {{ account.username }}"
+      ansible.builtin.stat:
+        path: "{{ home_dir.stdout.strip() }}"
+      register: home_dir_stat
+      when: account.secret_type == "ssh_key"
+      ignore_errors: yes
+
+    - name: "Ensure {{ account.username }} home directory exists"
+      ansible.builtin.file:
+        path: "{{ home_dir.stdout.strip() }}"
+        state: directory
+        owner: "{{ account.username }}"
+        group: "{{ account.username }}"
+        mode: '0750'
+      when:
+        - account.secret_type == "ssh_key"
+        - home_dir_stat.stat.exists == false
+      ignore_errors: yes
+
+    - name: Remove jumpserver ssh key
+      ansible.builtin.lineinfile:
+        dest: "{{ home_dir.stdout.strip() }}/.ssh/authorized_keys"
+        regexp: "{{ ssh_params.regexp }}"
+        state: absent
+      when:
+        - account.secret_type == "ssh_key"
+        - ssh_params.strategy == "set_jms"
+      ignore_errors: yes
+
+    - name: "Change {{ account.username }} SSH key"
+      ansible.builtin.authorized_key:
+        user: "{{ account.username }}"
+        key: "{{ account.secret }}"
+        exclusive: "{{ ssh_params.exclusive }}"
+      when: account.secret_type == "ssh_key"
+
    - name: Refresh connection
      ansible.builtin.meta: reset_connection

@@ -79,7 +93,7 @@
        login_password: "{{ account.secret }}"
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
-        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
+        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default(None) }}"
        become: "{{ account.become.ansible_become | default(False) }}"
        become_method: su
        become_user: "{{ account.become.ansible_user | default('') }}"
@@ -95,7 +109,7 @@
        login_port: "{{ jms_asset.port }}"
        login_user: "{{ account.username }}"
        login_private_key_path: "{{ account.private_key_path  }}"
-        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
+        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default(None) }}"
        old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
      when: account.secret_type == "ssh_key"
      delegate_to: localhost
--- a/apps/accounts/automations/push_account/host/aix/manifest.yml
+++ b/apps/accounts/automations/push_account/host/aix/manifest.yml
@@ -5,6 +5,12 @@ type:
  - AIX
 method: push_account
 params:
+  - name: modify_sudo
+    type: bool
+    label: "{{ 'Modify sudo label' | trans }}"
+    default: False
+    help_text: "{{ 'Modify params sudo help text' | trans }}"
+
  - name: sudo
    type: str
    label: 'Sudo'
@@ -28,12 +34,23 @@ params:
    default: ''
    help_text: "{{ 'Params groups help text' | trans }}"

+  - name: uid
+    type: str
+    label: "{{ 'Params uid label' | trans }}"
+    default: ''
+    help_text: "{{ 'Params uid help text' | trans }}"
+
 i18n:
  Aix account push:
    zh: '使用 Ansible 模块 user 执行 Aix 账号推送 (DES)'
    ja: 'Ansible user モジュールを使用して Aix アカウントをプッシュする (DES)'
    en: 'Using Ansible module user to push account (DES)'

+  Modify params sudo help text:
+    zh: '如果用户存在，可以修改sudo权限'
+    ja: 'ユーザーが存在する場合、sudo権限を変更できます'
+    en: 'If the user exists, sudo permissions can be modified'
+
  Params sudo help text:
    zh: '使用逗号分隔多个命令，如: /bin/whoami,/sbin/ifconfig'
    ja: 'コンマで区切って複数のコマンドを入力してください。例: /bin/whoami,/sbin/ifconfig'
@@ -49,6 +66,16 @@ i18n:
    ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
    en: 'Please enter the group. Multiple groups are separated by commas (please enter the existing group)'

+  Params uid help text:
+    zh: '请输入用户ID'
+    ja: 'ユーザーIDを入力してください'
+    en: 'Please enter the user ID'
+
+  Modify sudo label:
+    zh: '修改 sudo 权限'
+    ja: 'sudo 権限を変更'
+    en: 'Modify sudo'
+
  Params home label:
    zh: '家目录'
    ja: 'ホームディレクトリ'
@@ -59,3 +86,7 @@ i18n:
    ja: 'グループ'
    en: 'Groups'

+  Params uid label:
+    zh: '用户ID'
+    ja: 'ユーザーID'
+    en: 'User ID'
--- a/apps/accounts/automations/push_account/host/posix/main.yml
+++ b/apps/accounts/automations/push_account/host/posix/main.yml
@@ -14,51 +14,15 @@
    - name: "Add {{ account.username }} user"
      ansible.builtin.user:
        name: "{{ account.username }}"
-        shell: "{{ params.shell }}"
-        home: "{{ params.home | default('/home/' + account.username, true) }}"
-        groups: "{{ params.groups }}"
+        uid: "{{ params.uid | int if params.uid | length > 0 else omit }}"
+        shell: "{{ params.shell if params.shell | length > 0 else omit }}"
+        home: "{{ params.home if params.home | length > 0 else '/home/' + account.username }}"
+        groups: "{{ params.groups if params.groups | length > 0 else omit }}"
+        append: yes
        expires: -1
        state: present
      when: user_info.failed

-    - name: "Add {{ account.username }} group"
-      ansible.builtin.group:
-        name: "{{ account.username }}"
-        state: present
-      when: user_info.failed
-
-    - name: "Add {{ account.username }} user to group"
-      ansible.builtin.user:
-        name: "{{ account.username }}"
-        groups: "{{ params.groups }}"
-      when:
-        - user_info.failed
-        - params.groups
-
-    - name: "Change {{ account.username }} password"
-      ansible.builtin.user:
-        name: "{{ account.username }}"
-        password: "{{ account.secret | password_hash('sha512') }}"
-        update_password: always
-      ignore_errors: true
-      when: account.secret_type == "password"
-
-    - name: remove jumpserver ssh key
-      ansible.builtin.lineinfile:
-        dest: "{{ ssh_params.dest }}"
-        regexp: "{{ ssh_params.regexp }}"
-        state: absent
-      when:
-        - account.secret_type == "ssh_key"
-        - ssh_params.strategy == "set_jms"
-
-    - name: "Change {{ account.username }} SSH key"
-      ansible.builtin.authorized_key:
-        user: "{{ account.username }}"
-        key: "{{ account.secret }}"
-        exclusive: "{{ ssh_params.exclusive }}"
-      when: account.secret_type == "ssh_key"
-
    - name: "Set {{ account.username }} sudo setting"
      ansible.builtin.lineinfile:
        dest: /etc/sudoers
@@ -67,9 +31,59 @@
        line: "{{ account.username + ' ALL=(ALL) NOPASSWD: ' + params.sudo }}"
        validate: visudo -cf %s
      when:
-        - user_info.failed
+        - user_info.failed or params.modify_sudo
        - params.sudo

+    - name: "Change {{ account.username }} password"
+      ansible.builtin.user:
+        name: "{{ account.username }}"
+        password: "{{ account.secret | password_hash('sha512') }}"
+        update_password: always
+      ignore_errors: true
+      when: account.secret_type == "password"
+
+    - name: "Get home directory for {{ account.username }}"
+      ansible.builtin.shell: "getent passwd {{ account.username }} | cut -d: -f6"
+      register: home_dir
+      when: account.secret_type == "ssh_key"
+      ignore_errors: yes
+
+    - name: "Check if home directory exists for {{ account.username }}"
+      ansible.builtin.stat:
+        path: "{{ home_dir.stdout.strip() }}"
+      register: home_dir_stat
+      when: account.secret_type == "ssh_key"
+      ignore_errors: yes
+
+    - name: "Ensure {{ account.username }} home directory exists"
+      ansible.builtin.file:
+        path: "{{ home_dir.stdout.strip() }}"
+        state: directory
+        owner: "{{ account.username }}"
+        group: "{{ account.username }}"
+        mode: '0750'
+      when:
+        - account.secret_type == "ssh_key"
+        - home_dir_stat.stat.exists == false
+      ignore_errors: yes
+
+    - name: Remove jumpserver ssh key
+      ansible.builtin.lineinfile:
+        dest: "{{ home_dir.stdout.strip() }}/.ssh/authorized_keys"
+        regexp: "{{ ssh_params.regexp }}"
+        state: absent
+      when:
+        - account.secret_type == "ssh_key"
+        - ssh_params.strategy == "set_jms"
+      ignore_errors: yes
+
+    - name: "Change {{ account.username }} SSH key"
+      ansible.builtin.authorized_key:
+        user: "{{ account.username }}"
+        key: "{{ account.secret }}"
+        exclusive: "{{ ssh_params.exclusive }}"
+      when: account.secret_type == "ssh_key"
+
    - name: Refresh connection
      ansible.builtin.meta: reset_connection

@@ -79,7 +93,7 @@
        login_password: "{{ account.secret }}"
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
-        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
+        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default(None) }}"
        become: "{{ account.become.ansible_become | default(False) }}"
        become_method: su
        become_user: "{{ account.become.ansible_user | default('') }}"
@@ -95,7 +109,7 @@
        login_port: "{{ jms_asset.port }}"
        login_user: "{{ account.username }}"
        login_private_key_path: "{{ account.private_key_path  }}"
-        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
+        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default(None) }}"
        old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
      when: account.secret_type == "ssh_key"
      delegate_to: localhost
--- a/apps/accounts/automations/push_account/host/posix/manifest.yml
+++ b/apps/accounts/automations/push_account/host/posix/manifest.yml
@@ -6,6 +6,12 @@ type:
  - linux
 method: push_account
 params:
+  - name: modify_sudo
+    type: bool
+    label: "{{ 'Modify sudo label' | trans }}"
+    default: False
+    help_text: "{{ 'Modify params sudo help text' | trans }}"
+
  - name: sudo
    type: str
    label: 'Sudo'
@@ -30,12 +36,23 @@ params:
    default: ''
    help_text: "{{ 'Params groups help text' | trans }}"

+  - name: uid
+    type: str
+    label: "{{ 'Params uid label' | trans }}"
+    default: ''
+    help_text: "{{ 'Params uid help text' | trans }}"
+
 i18n:
  Posix account push:
    zh: '使用 Ansible 模块 user 执行账号推送 (sha512)'
    ja: 'Ansible user モジュールを使用してアカウントをプッシュする (sha512)'
    en: 'Using Ansible module user to push account (sha512)'

+  Modify params sudo help text:
+    zh: '如果用户存在，可以修改sudo权限'
+    ja: 'ユーザーが存在する場合、sudo権限を変更できます'
+    en: 'If the user exists, sudo permissions can be modified'
+
  Params sudo help text:
    zh: '使用逗号分隔多个命令，如: /bin/whoami,/sbin/ifconfig'
    ja: 'コンマで区切って複数のコマンドを入力してください。例: /bin/whoami,/sbin/ifconfig'
@@ -51,6 +68,16 @@ i18n:
    ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
    en: 'Please enter the group. Multiple groups are separated by commas (please enter the existing group)'

+  Params uid help text:
+    zh: '请输入用户ID'
+    ja: 'ユーザーIDを入力してください'
+    en: 'Please enter the user ID'
+
+  Modify sudo label:
+    zh: '修改 sudo 权限'
+    ja: 'sudo 権限を変更'
+    en: 'Modify sudo'
+
  Params home label:
    zh: '家目录'
    ja: 'ホームディレクトリ'
@@ -59,4 +86,9 @@ i18n:
  Params groups label:
    zh: '用户组'
    ja: 'グループ'
-    en: 'Groups'
+    en: 'Groups'
+
+  Params uid label:
+    zh: '用户ID'
+    ja: 'ユーザーID'
+    en: 'User ID'
--- a/apps/accounts/automations/push_account/host/windows_rdp_verify/main.yml
+++ b/apps/accounts/automations/push_account/host/windows_rdp_verify/main.yml
@@ -25,11 +25,11 @@

    - name: Verify password (pyfreerdp)
      rdp_ping:
-        login_host: "{{ jms_asset.address }}"
+        login_host: "{{ jms_asset.origin_address }}"
        login_port: "{{ jms_asset.protocols | selectattr('name', 'equalto', 'rdp') | map(attribute='port') | first }}"
        login_user: "{{ account.username }}"
        login_password: "{{ account.secret }}"
        login_secret_type: "{{ account.secret_type }}"
-        login_private_key_path: "{{ account.private_key_path }}"
+        gateway_args: "{{ jms_gateway | default({}) }}"
      when: account.secret_type == "password"
      delegate_to: localhost
--- a/apps/accounts/automations/remove_account/database/mysql/main.yml
+++ b/apps/accounts/automations/remove_account/database/mysql/main.yml
@@ -2,6 +2,10 @@
  gather_facts: no
  vars:
    ansible_python_interpreter: /opt/py3/bin/python
+    check_ssl: "{{ jms_asset.spec_info.use_ssl and not jms_asset.spec_info.allow_invalid_cert }}"
+    ca_cert: "{{ jms_asset.secret_info.ca_cert | default('') }}"
+    ssl_cert: "{{ jms_asset.secret_info.client_cert | default('') }}"
+    ssl_key: "{{ jms_asset.secret_info.client_key | default('') }}"

  tasks:
    - name: "Remove account"
@@ -11,8 +15,8 @@
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        check_hostname: "{{ check_ssl if check_ssl else omit }}"
-        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) if check_ssl else omit }}"
-        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) if check_ssl else omit }}"
-        client_key: "{{ jms_asset.secret_info.client_key | default(omit) if check_ssl else omit }}"
+        ca_cert: "{{ ca_cert if check_ssl and ca_cert | length > 0 else omit }}"
+        client_cert: "{{ ssl_cert if check_ssl and ssl_cert | length > 0 else omit }}"
+        client_key: "{{ ssl_key if check_ssl and ssl_key | length > 0 else omit }}"
        name: "{{ account.username }}"
        state: absent
--- a/apps/accounts/automations/remove_account/database/postgresql/main.yml
+++ b/apps/accounts/automations/remove_account/database/postgresql/main.yml
@@ -2,6 +2,10 @@
  gather_facts: no
  vars:
    ansible_python_interpreter: /opt/py3/bin/python
+    check_ssl: "{{ jms_asset.spec_info.use_ssl }}"
+    ca_cert: "{{ jms_asset.secret_info.ca_cert | default('') }}"
+    ssl_cert: "{{ jms_asset.secret_info.client_cert | default('') }}"
+    ssl_key: "{{ jms_asset.secret_info.client_key | default('') }}"

  tasks:
    - name: "Remove account"
@@ -12,4 +16,8 @@
        login_port: "{{ jms_asset.port }}"
        db: "{{ jms_asset.spec_info.db_name }}"
        name: "{{ account.username }}"
+        ca_cert: "{{ ca_cert if check_ssl and ca_cert | length > 0 else omit }}"
+        ssl_cert: "{{ ssl_cert if check_ssl and ssl_cert | length > 0 else omit }}"
+        ssl_key: "{{ ssl_key if check_ssl and ssl_key | length > 0 else omit }}"
+        ssl_mode: "{{ jms_asset.spec_info.pg_ssl_mode }}"
        state: absent
--- a/apps/accounts/automations/remove_account/host/posix/main.yml
+++ b/apps/accounts/automations/remove_account/host/posix/main.yml
@@ -12,11 +12,13 @@
        path: "{{ user_home_dir.stdout }}"
      register: home_dir
      when: user_home_dir.stdout != ""
+      ignore_errors: yes

    - name: "Rename user home directory if it exists"
      ansible.builtin.command:
        cmd: "mv {{ user_home_dir.stdout }} {{ user_home_dir.stdout }}.bak"
      when: home_dir.stat | default(false) and user_home_dir.stdout != ""
+      ignore_errors: yes

    - name: "Remove account"
      ansible.builtin.user:
--- a/apps/accounts/automations/verify_account/custom/rdp/main.yml
+++ b/apps/accounts/automations/verify_account/custom/rdp/main.yml
@@ -13,4 +13,3 @@
        login_user: "{{ account.username }}"
        login_password: "{{ account.secret }}"
        login_secret_type: "{{ account.secret_type }}"
-        login_private_key_path: "{{ account.private_key_path }}"
--- a/apps/accounts/automations/verify_account/database/mysql/main.yml
+++ b/apps/accounts/automations/verify_account/database/mysql/main.yml
@@ -3,6 +3,9 @@
  vars:
    ansible_python_interpreter: /opt/py3/bin/python
    check_ssl: "{{ jms_asset.spec_info.use_ssl and not jms_asset.spec_info.allow_invalid_cert }}"
+    ca_cert: "{{ jms_asset.secret_info.ca_cert | default('') }}"
+    ssl_cert: "{{ jms_asset.secret_info.client_cert | default('') }}"
+    ssl_key: "{{ jms_asset.secret_info.client_key | default('') }}"

  tasks:
    - name: Verify account
@@ -12,7 +15,7 @@
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        check_hostname: "{{ check_ssl if check_ssl else omit }}"
-        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) if check_ssl else omit }}"
-        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) if check_ssl else omit }}"
-        client_key: "{{ jms_asset.secret_info.client_key | default(omit) if check_ssl else omit }}"
+        ca_cert: "{{ ca_cert if check_ssl and ca_cert | length > 0 else omit }}"
+        client_cert: "{{ ssl_cert if check_ssl and ssl_cert | length > 0 else omit }}"
+        client_key: "{{ ssl_key if check_ssl and ssl_key | length > 0 else omit }}"
        filter: version
--- a/apps/accounts/automations/verify_account/database/postgresql/main.yml
+++ b/apps/accounts/automations/verify_account/database/postgresql/main.yml
@@ -2,6 +2,10 @@
  gather_facts: no
  vars:
    ansible_python_interpreter: /opt/py3/bin/python
+    check_ssl: "{{ jms_asset.spec_info.use_ssl }}"
+    ca_cert: "{{ jms_asset.secret_info.ca_cert | default('') }}"
+    ssl_cert: "{{ jms_asset.secret_info.client_cert | default('') }}"
+    ssl_key: "{{ jms_asset.secret_info.client_key | default('') }}"

  tasks:
    - name: Verify account
@@ -11,5 +15,9 @@
        login_host: "{{ jms_asset.address }}"
        login_port: "{{ jms_asset.port }}"
        db: "{{ jms_asset.spec_info.db_name }}"
+        ca_cert: "{{ ca_cert if check_ssl and ca_cert | length > 0 else omit }}"
+        ssl_cert: "{{ ssl_cert if check_ssl and ssl_cert | length > 0 else omit }}"
+        ssl_key: "{{ ssl_key if check_ssl and ssl_key | length > 0 else omit }}"
+        ssl_mode: "{{ jms_asset.spec_info.pg_ssl_mode }}"
      register: result
      failed_when: not result.is_available
--- a/apps/accounts/automations/verify_gateway_account/manager.py
+++ b/apps/accounts/automations/verify_gateway_account/manager.py
@@ -1,3 +1,5 @@
+from django.utils.translation import gettext_lazy as _
+
 from accounts.const import AutomationTypes
 from assets.automations.ping_gateway.manager import PingGatewayManager
 from common.utils import get_logger
@@ -13,7 +15,7 @@ class VerifyGatewayAccountManager(PingGatewayManager):

    @staticmethod
    def before_runner_start():
-        logger.info(">>> 开始执行测试网关账号可连接性任务")
+        logger.info(_(">>> Start executing the task to test gateway account connectivity"))

    def get_accounts(self, gateway):
        account_ids = self.execution.snapshot['accounts']
--- a/apps/accounts/backends/init.py
+++ b/apps/accounts/backends/init.py
@@ -1,19 +1,21 @@
 from importlib import import_module

-from django.utils.functional import LazyObject
+from django.utils.functional import LazyObject, empty

 from common.utils import get_logger
 from ..const import VaultTypeChoices

-__all__ = ['vault_client', 'get_vault_client']
-
+__all__ = ['vault_client', 'get_vault_client', 'refresh_vault_client']

 logger = get_logger(__file__)


 def get_vault_client(raise_exception=False, **kwargs):
-    enabled = kwargs.get('VAULT_ENABLED')
-    tp = 'hcp' if enabled else 'local'
+    tp = kwargs.get('VAULT_BACKEND') if kwargs.get('VAULT_ENABLED') else VaultTypeChoices.local
+
+    # TODO: Temporary processing, subsequent deletion
+    tp = VaultTypeChoices.local if tp == VaultTypeChoices.azure else tp
+
    try:
        module_path = f'apps.accounts.backends.{tp}.main'
        client = import_module(module_path).Vault(**kwargs)
@@ -39,3 +41,7 @@ class VaultClient(LazyObject):

 """ 为了安全, 页面修改配置, 重启服务后才会重新初始化 vault_client """
 vault_client = VaultClient()
+
+
+def refresh_vault_client():
+    vault_client._wrapped = empty
--- a/apps/accounts/backends/azure/init.py
+++ b/apps/accounts/backends/azure/init.py
@@ -0,0 +1 @@
+from .main import *
--- a/apps/accounts/backends/azure/entries.py
+++ b/apps/accounts/backends/azure/entries.py
@@ -0,0 +1,70 @@
+import sys
+from abc import ABC
+
+from common.db.utils import Encryptor
+from common.utils import lazyproperty
+
+current_module = sys.modules[__name__]
+
+__all__ = ['build_entry']
+
+
+class BaseEntry(ABC):
+
+    def __init__(self, instance):
+        self.instance = instance
+
+    @lazyproperty
+    def full_path(self):
+        return self.path_spec
+
+    @property
+    def path_spec(self):
+        raise NotImplementedError
+
+    def to_internal_data(self):
+        secret = getattr(self.instance, '_secret', None)
+        if secret is not None:
+            secret = Encryptor(secret).encrypt()
+        return secret
+
+    @staticmethod
+    def to_external_data(secret):
+        if secret is not None:
+            secret = Encryptor(secret).decrypt()
+        return secret
+
+
+class AccountEntry(BaseEntry):
+
+    @property
+    def path_spec(self):
+        # 长度 0-127
+        account_id = str(self.instance.id)[:18]
+        path = f'assets-{self.instance.asset_id}-accounts-{account_id}'
+        return path
+
+
+class AccountTemplateEntry(BaseEntry):
+
+    @property
+    def path_spec(self):
+        path = f'account-templates-{self.instance.id}'
+        return path
+
+
+class HistoricalAccountEntry(BaseEntry):
+
+    @property
+    def path_spec(self):
+        path = f'accounts-{self.instance.instance.id}-histories-{self.instance.history_id}'
+        return path
+
+
+def build_entry(instance) -> BaseEntry:
+    class_name = instance.__class__.__name__
+    entry_class_name = f'{class_name}Entry'
+    entry_class = getattr(current_module, entry_class_name, None)
+    if not entry_class:
+        raise Exception(f'Entry class {entry_class_name} is not found')
+    return entry_class(instance)
--- a/apps/accounts/backends/azure/main.py
+++ b/apps/accounts/backends/azure/main.py
@@ -0,0 +1,57 @@
+from common.db.utils import get_logger
+from .entries import build_entry
+from .service import AZUREVaultClient
+from ..base import BaseVault
+
+from ...const import VaultTypeChoices
+
+logger = get_logger(__name__)
+
+__all__ = ['Vault']
+
+
+class Vault(BaseVault):
+    type = VaultTypeChoices.azure
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.client = AZUREVaultClient(
+            vault_url=kwargs.get('VAULT_AZURE_HOST'),
+            tenant_id=kwargs.get('VAULT_AZURE_TENANT_ID'),
+            client_id=kwargs.get('VAULT_AZURE_CLIENT_ID'),
+            client_secret=kwargs.get('VAULT_AZURE_CLIENT_SECRET')
+        )
+
+    def is_active(self):
+        return self.client.is_active()
+
+    def _get(self, instance):
+        entry = build_entry(instance)
+        secret = self.client.get(name=entry.full_path)
+        secret = entry.to_external_data(secret)
+        return secret
+
+    def _create(self, instance):
+        entry = build_entry(instance)
+        secret = entry.to_internal_data()
+        self.client.create(name=entry.full_path, secret=secret)
+
+    def _update(self, instance):
+        entry = build_entry(instance)
+        secret = entry.to_internal_data()
+        self.client.update(name=entry.full_path, secret=secret)
+
+    def _delete(self, instance):
+        entry = build_entry(instance)
+        self.client.delete(name=entry.full_path)
+
+    def _clean_db_secret(self, instance):
+        instance.is_sync_metadata = False
+        instance.mark_secret_save_to_vault()
+
+    def _save_metadata(self, instance, metadata):
+        try:
+            entry = build_entry(instance)
+            self.client.update_metadata(name=entry.full_path, metadata=metadata)
+        except Exception as e:
+            logger.error(f'save metadata error: {e}')
--- a/apps/accounts/backends/azure/service.py
+++ b/apps/accounts/backends/azure/service.py
@@ -0,0 +1,59 @@
+# -*- coding: utf-8 -*-
+#
+from azure.core.exceptions import ResourceNotFoundError, ClientAuthenticationError
+from azure.identity import ClientSecretCredential
+from azure.keyvault.secrets import SecretClient
+
+from common.utils import get_logger
+
+logger = get_logger(__name__)
+
+__all__ = ['AZUREVaultClient']
+
+
+class AZUREVaultClient(object):
+
+    def __init__(self, vault_url, tenant_id, client_id, client_secret):
+        authentication_endpoint = 'https://login.microsoftonline.com/' \
+            if ('azure.net' in vault_url) else 'https://login.chinacloudapi.cn/'
+
+        credentials = ClientSecretCredential(
+            client_id=client_id, client_secret=client_secret, tenant_id=tenant_id, authority=authentication_endpoint
+        )
+        self.client = SecretClient(vault_url=vault_url, credential=credentials)
+
+    def is_active(self):
+        try:
+            self.client.set_secret('jumpserver', '666')
+        except (ResourceNotFoundError, ClientAuthenticationError) as e:
+            logger.error(str(e))
+            return False, f'Vault is not reachable: {e}'
+        else:
+            return True, ''
+
+    def get(self, name, version=None):
+        try:
+            secret = self.client.get_secret(name, version)
+            return secret.value
+        except (ResourceNotFoundError, ClientAuthenticationError) as e:
+            logger.error(f'get: {name} {str(e)}')
+            return ''
+
+    def create(self, name, secret):
+        if not secret:
+            secret = ''
+        self.client.set_secret(name, secret)
+
+    def update(self, name, secret):
+        if not secret:
+            secret = ''
+        self.client.set_secret(name, secret)
+
+    def delete(self, name):
+        self.client.begin_delete_secret(name)
+
+    def update_metadata(self, name, metadata: dict):
+        try:
+            self.client.update_secret_properties(name, tags=metadata)
+        except (ResourceNotFoundError, ClientAuthenticationError) as e:
+            logger.error(f'update_metadata: {name} {str(e)}')
--- a/apps/accounts/backends/base.py
+++ b/apps/accounts/backends/base.py
@@ -10,6 +10,11 @@ class BaseVault(ABC):
    def __init__(self, *args, **kwargs):
        self.enabled = kwargs.get('VAULT_ENABLED')

+    @property
+    @abstractmethod
+    def type(self):
+        raise NotImplementedError
+
    def get(self, instance):
        """ 返回 secret 值 """
        return self._get(instance)
@@ -20,9 +25,6 @@ class BaseVault(ABC):
            self._clean_db_secret(instance)
            self.save_metadata(instance)

-        if instance.is_sync_metadata:
-            self.save_metadata(instance)
-
    def update(self, instance):
        if not instance.secret_has_save_to_vault:
            self._update(instance)
--- a/apps/accounts/backends/hcp/main.py
+++ b/apps/accounts/backends/hcp/main.py
@@ -3,12 +3,16 @@ from .entries import build_entry
 from .service import VaultKVClient
 from ..base import BaseVault

-__all__ = ['Vault']
+from ...const import VaultTypeChoices

 logger = get_logger(__name__)

+__all__ = ['Vault']
+

 class Vault(BaseVault):
+    type = VaultTypeChoices.hcp
+
    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.client = VaultKVClient(
--- a/apps/accounts/backends/local/main.py
+++ b/apps/accounts/backends/local/main.py
@@ -1,5 +1,6 @@
 from common.utils import get_logger
 from ..base import BaseVault
+from ...const import VaultTypeChoices

 logger = get_logger(__name__)

@@ -7,6 +8,7 @@ __all__ = ['Vault']


 class Vault(BaseVault):
+    type = VaultTypeChoices.local

    def is_active(self):
        return True, ''
--- a/apps/accounts/const/automation.py
+++ b/apps/accounts/const/automation.py
@@ -49,9 +49,9 @@ class SecretStrategy(models.TextChoices):


 class SSHKeyStrategy(models.TextChoices):
-    add = 'add', _('Append SSH KEY')
-    set = 'set', _('Empty and append SSH KEY')
    set_jms = 'set_jms', _('Replace (Replace only keys pushed by JumpServer) ')
+    set = 'set', _('Empty and append SSH KEY')
+    add = 'add', _('Append SSH KEY')


 class TriggerChoice(models.TextChoices, TreeChoices):
--- a/apps/accounts/const/vault.py
+++ b/apps/accounts/const/vault.py
@@ -7,3 +7,4 @@ __all__ = ['VaultTypeChoices']
 class VaultTypeChoices(models.TextChoices):
    local = 'local', _('Database')
    hcp = 'hcp', _('HCP Vault')
+    azure = 'azure', _('Azure Key Vault')
--- a/apps/accounts/migrations/0001_initial.py
+++ b/apps/accounts/migrations/0001_initial.py
@@ -1,10 +1,8 @@
-# Generated by Django 3.2.14 on 2022-12-28 07:29
+# Generated by Django 4.1.13 on 2024-05-09 03:16

 import uuid

-import django.db.models.deletion
 import simple_history.models
-from django.conf import settings
 from django.db import migrations, models

 import common.db.encoder
@@ -15,8 +13,6 @@ class Migration(migrations.Migration):
    initial = True

    dependencies = [
-        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
-        ('assets', '0098_auto_20220430_2126'),
    ]

    operations = [
@@ -32,60 +28,81 @@ class Migration(migrations.Migration):
                ('org_id',
                 models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization')),
                ('connectivity',
-                 models.CharField(choices=[('-', 'Unknown'), ('ok', 'Ok'), ('err', 'Error')], default='-',
+                 models.CharField(choices=[('-', 'Unknown'), ('ok', 'OK'), ('err', 'Error')], default='-',
                                  max_length=16, verbose_name='Connectivity')),
                ('date_verified', models.DateTimeField(null=True, verbose_name='Date verified')),
+                ('_secret', common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='Secret')),
                ('name', models.CharField(max_length=128, verbose_name='Name')),
                ('username', models.CharField(blank=True, db_index=True, max_length=128, verbose_name='Username')),
                ('secret_type', models.CharField(
                    choices=[('password', 'Password'), ('ssh_key', 'SSH key'), ('access_key', 'Access key'),
                             ('token', 'Token'), ('api_key', 'API key')], default='password', max_length=16,
                    verbose_name='Secret type')),
-                ('secret', common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='Secret')),
                ('privileged', models.BooleanField(default=False, verbose_name='Privileged')),
                ('is_active', models.BooleanField(default=True, verbose_name='Is active')),
                ('version', models.IntegerField(default=0, verbose_name='Version')),
                ('source', models.CharField(default='local', max_length=30, verbose_name='Source')),
-                ('asset', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='accounts',
-                                            to='assets.asset', verbose_name='Asset')),
-                ('su_from',
-                 models.ForeignKey(null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='su_to',
-                                   to='accounts.account', verbose_name='Su from')),
+                ('source_id', models.CharField(blank=True, max_length=128, null=True, verbose_name='Source ID')),
            ],
            options={
                'verbose_name': 'Account',
                'permissions': [('view_accountsecret', 'Can view asset account secret'),
                                ('view_historyaccount', 'Can view asset history account'),
-                                ('view_historyaccountsecret', 'Can view asset history account secret')],
-                'unique_together': {('username', 'asset', 'secret_type'), ('name', 'asset')},
+                                ('view_historyaccountsecret', 'Can view asset history account secret'),
+                                ('verify_account', 'Can verify account'), ('push_account', 'Can push account'),
+                                ('remove_account', 'Can remove account')],
            },
        ),
        migrations.CreateModel(
-            name='HistoricalAccount',
+            name='AccountBackupAutomation',
            fields=[
-                ('id', models.UUIDField(db_index=True, default=uuid.uuid4)),
-                ('secret_type', models.CharField(
-                    choices=[('password', 'Password'), ('ssh_key', 'SSH key'), ('access_key', 'Access key'),
-                             ('token', 'Token'), ('api_key', 'API key')], default='password', max_length=16,
-                    verbose_name='Secret type')),
-                ('secret', common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='Secret')),
-                ('version', models.IntegerField(default=0, verbose_name='Version')),
-                ('history_id', models.AutoField(primary_key=True, serialize=False)),
-                ('history_date', models.DateTimeField(db_index=True)),
-                ('history_change_reason', models.CharField(max_length=100, null=True)),
-                ('history_type',
-                 models.CharField(choices=[('+', 'Created'), ('~', 'Changed'), ('-', 'Deleted')], max_length=1)),
-                ('history_user',
-                 models.ForeignKey(null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='+',
-                                   to=settings.AUTH_USER_MODEL)),
+                ('created_by', models.CharField(blank=True, max_length=128, null=True, verbose_name='Created by')),
+                ('updated_by', models.CharField(blank=True, max_length=128, null=True, verbose_name='Updated by')),
+                ('date_created', models.DateTimeField(auto_now_add=True, null=True, verbose_name='Date created')),
+                ('date_updated', models.DateTimeField(auto_now=True, verbose_name='Date updated')),
+                ('comment', models.TextField(blank=True, default='', verbose_name='Comment')),
+                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
+                ('org_id',
+                 models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization')),
+                ('name', models.CharField(max_length=128, verbose_name='Name')),
+                ('is_periodic', models.BooleanField(default=False, verbose_name='Periodic run')),
+                ('interval', models.IntegerField(blank=True, default=24, null=True, verbose_name='Interval')),
+                ('crontab', models.CharField(blank=True, max_length=128, null=True, verbose_name='Crontab')),
+                ('types', models.JSONField(default=list)),
+                ('backup_type',
+                 models.CharField(choices=[('email', 'Email'), ('object_storage', 'SFTP')], default='email',
+                                  max_length=128, verbose_name='Backup type')),
+                ('is_password_divided_by_email', models.BooleanField(default=True, verbose_name='Password divided')),
+                ('is_password_divided_by_obj_storage',
+                 models.BooleanField(default=True, verbose_name='Password divided')),
+                ('zip_encrypt_password', common.db.fields.EncryptCharField(blank=True, max_length=4096, null=True,
+                                                                           verbose_name='Zip encrypt password')),
            ],
            options={
-                'verbose_name': 'historical Account',
-                'verbose_name_plural': 'historical Accounts',
-                'ordering': ('-history_date', '-history_id'),
-                'get_latest_by': ('history_date', 'history_id'),
+                'verbose_name': 'Account backup plan',
+                'ordering': ['name'],
+            },
+        ),
+        migrations.CreateModel(
+            name='AccountBackupExecution',
+            fields=[
+                ('org_id',
+                 models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization')),
+                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
+                ('date_start', models.DateTimeField(auto_now_add=True, verbose_name='Date start')),
+                ('timedelta', models.FloatField(default=0.0, null=True, verbose_name='Time')),
+                ('snapshot',
+                 models.JSONField(blank=True, default=dict, encoder=common.db.encoder.ModelJSONFieldEncoder, null=True,
+                                  verbose_name='Account backup snapshot')),
+                ('trigger', models.CharField(choices=[('manual', 'Manual trigger'), ('timing', 'Timing trigger')],
+                                             default='manual', max_length=128, verbose_name='Trigger mode')),
+                ('reason', models.CharField(blank=True, max_length=1024, null=True, verbose_name='Reason')),
+                ('is_success', models.BooleanField(default=False, verbose_name='Is success')),
+            ],
+            options={
+                'verbose_name': 'Account backup execution',
+                'ordering': ('-date_start',),
            },
-            bases=(simple_history.models.HistoricalChanges, models.Model),
        ),
        migrations.CreateModel(
            name='AccountTemplate',
@@ -98,21 +115,108 @@ class Migration(migrations.Migration):
                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
                ('org_id',
                 models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization')),
+                ('_secret', common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='Secret')),
+                ('secret_strategy',
+                 models.CharField(choices=[('specific', 'Specific secret'), ('random', 'Random generate')],
+                                  default='specific', max_length=16, verbose_name='Secret strategy')),
+                ('password_rules', models.JSONField(default=dict, verbose_name='Password rules')),
                ('name', models.CharField(max_length=128, verbose_name='Name')),
                ('username', models.CharField(blank=True, db_index=True, max_length=128, verbose_name='Username')),
                ('secret_type', models.CharField(
                    choices=[('password', 'Password'), ('ssh_key', 'SSH key'), ('access_key', 'Access key'),
                             ('token', 'Token'), ('api_key', 'API key')], default='password', max_length=16,
                    verbose_name='Secret type')),
-                ('secret', common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='Secret')),
                ('privileged', models.BooleanField(default=False, verbose_name='Privileged')),
                ('is_active', models.BooleanField(default=True, verbose_name='Is active')),
+                ('auto_push', models.BooleanField(default=False, verbose_name='Auto push')),
+                ('push_params', models.JSONField(default=dict, verbose_name='Push params')),
            ],
            options={
                'verbose_name': 'Account template',
-                'permissions': [('view_accounttemplatesecret', 'Can view asset account template secret'),
-                                ('change_accounttemplatesecret', 'Can change asset account template secret')],
-                'unique_together': {('name', 'org_id')},
+                'permissions': [('view_accounttemplatesecret', 'Can view asset account template secret')],
            },
        ),
+        migrations.CreateModel(
+            name='ChangeSecretRecord',
+            fields=[
+                ('created_by', models.CharField(blank=True, max_length=128, null=True, verbose_name='Created by')),
+                ('updated_by', models.CharField(blank=True, max_length=128, null=True, verbose_name='Updated by')),
+                ('date_created', models.DateTimeField(auto_now_add=True, null=True, verbose_name='Date created')),
+                ('date_updated', models.DateTimeField(auto_now=True, verbose_name='Date updated')),
+                ('comment', models.TextField(blank=True, default='', verbose_name='Comment')),
+                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
+                ('old_secret', common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='Old secret')),
+                ('new_secret', common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='New secret')),
+                ('date_started', models.DateTimeField(blank=True, null=True, verbose_name='Date started')),
+                ('date_finished', models.DateTimeField(blank=True, null=True, verbose_name='Date finished')),
+                ('status', models.CharField(default='pending', max_length=16, verbose_name='Status')),
+                ('error', models.TextField(blank=True, null=True, verbose_name='Error')),
+            ],
+            options={
+                'verbose_name': 'Change secret record',
+                'ordering': ('-date_created',),
+            },
+        ),
+        migrations.CreateModel(
+            name='GatheredAccount',
+            fields=[
+                ('created_by', models.CharField(blank=True, max_length=128, null=True, verbose_name='Created by')),
+                ('updated_by', models.CharField(blank=True, max_length=128, null=True, verbose_name='Updated by')),
+                ('date_created', models.DateTimeField(auto_now_add=True, null=True, verbose_name='Date created')),
+                ('date_updated', models.DateTimeField(auto_now=True, verbose_name='Date updated')),
+                ('comment', models.TextField(blank=True, default='', verbose_name='Comment')),
+                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
+                ('org_id',
+                 models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization')),
+                ('present', models.BooleanField(default=True, verbose_name='Present')),
+                ('date_last_login', models.DateTimeField(null=True, verbose_name='Date login')),
+                ('username', models.CharField(blank=True, db_index=True, max_length=32, verbose_name='Username')),
+                ('address_last_login', models.CharField(default='', max_length=39, verbose_name='Address login')),
+            ],
+            options={
+                'verbose_name': 'Gather asset accounts',
+                'ordering': ['asset'],
+            },
+        ),
+        migrations.CreateModel(
+            name='HistoricalAccount',
+            fields=[
+                ('id', models.UUIDField(db_index=True, default=uuid.uuid4)),
+                ('_secret', common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='Secret')),
+                ('secret_type', models.CharField(
+                    choices=[('password', 'Password'), ('ssh_key', 'SSH key'), ('access_key', 'Access key'),
+                             ('token', 'Token'), ('api_key', 'API key')], default='password', max_length=16,
+                    verbose_name='Secret type')),
+                ('version', models.IntegerField(default=0, verbose_name='Version')),
+                ('history_id', models.AutoField(primary_key=True, serialize=False)),
+                ('history_date', models.DateTimeField(db_index=True)),
+                ('history_change_reason', models.CharField(max_length=100, null=True)),
+                ('history_type',
+                 models.CharField(choices=[('+', 'Created'), ('~', 'Changed'), ('-', 'Deleted')], max_length=1)),
+            ],
+            options={
+                'verbose_name': 'historical Account',
+                'verbose_name_plural': 'historical Accounts',
+                'ordering': ('-history_date', '-history_id'),
+                'get_latest_by': ('history_date', 'history_id'),
+            },
+            bases=(simple_history.models.HistoricalChanges, models.Model),
+        ),
+        migrations.CreateModel(
+            name='VirtualAccount',
+            fields=[
+                ('created_by', models.CharField(blank=True, max_length=128, null=True, verbose_name='Created by')),
+                ('updated_by', models.CharField(blank=True, max_length=128, null=True, verbose_name='Updated by')),
+                ('date_created', models.DateTimeField(auto_now_add=True, null=True, verbose_name='Date created')),
+                ('date_updated', models.DateTimeField(auto_now=True, verbose_name='Date updated')),
+                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
+                ('org_id',
+                 models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization')),
+                ('alias', models.CharField(
+                    choices=[('@INPUT', 'Manual input'), ('@USER', 'Dynamic user'), ('@ANON', 'Anonymous account'),
+                             ('@SPEC', 'Specified account')], max_length=128, verbose_name='Alias')),
+                ('secret_from_login', models.BooleanField(default=None, null=True, verbose_name='Secret from login')),
+            ],
+            options={'verbose_name': 'Virtual account'},
+        ),
    ]
--- a/apps/accounts/migrations/0002_auto_20220616_0021.py
+++ b/apps/accounts/migrations/0002_auto_20220616_0021.py
@@ -1,44 +1,103 @@
-# Generated by Django 3.2.14 on 2022-12-28 10:39
+# Generated by Django 4.1.13 on 2024-05-09 03:16

-import common.db.encoder
-import common.db.fields
-from django.conf import settings
-from django.db import migrations, models
 import django.db.models.deletion
-import uuid
+from django.db import migrations, models
+
+import common.db.fields


 class Migration(migrations.Migration):
+
+    initial = True
+
    dependencies = [
-        ('assets', '0106_auto_20221228_1838'),
-        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+        ('assets', '0001_initial'),
        ('accounts', '0001_initial'),
    ]

    operations = [
        migrations.CreateModel(
-            name='AccountBackupAutomation',
+            name='AccountBaseAutomation',
            fields=[
-                ('created_by', models.CharField(blank=True, max_length=128, null=True, verbose_name='Created by')),
-                ('updated_by', models.CharField(blank=True, max_length=128, null=True, verbose_name='Updated by')),
-                ('date_created', models.DateTimeField(auto_now_add=True, null=True, verbose_name='Date created')),
-                ('date_updated', models.DateTimeField(auto_now=True, verbose_name='Date updated')),
-                ('comment', models.TextField(blank=True, default='', verbose_name='Comment')),
-                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
-                ('org_id',
-                 models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization')),
-                ('name', models.CharField(max_length=128, verbose_name='Name')),
-                ('is_periodic', models.BooleanField(default=False, verbose_name='Periodic perform')),
-                ('interval', models.IntegerField(blank=True, default=24, null=True, verbose_name='Cycle perform')),
-                ('crontab', models.CharField(blank=True, max_length=128, null=True, verbose_name='Regularly perform')),
-                ('types', models.JSONField(default=list)),
-                ('recipients', models.ManyToManyField(blank=True, related_name='recipient_escape_route_plans',
-                                                      to=settings.AUTH_USER_MODEL, verbose_name='Recipient')),
            ],
            options={
-                'verbose_name': 'Account backup plan',
-                'ordering': ['name'],
-                'unique_together': {('name', 'org_id')},
+                'verbose_name': 'Account automation task',
+                'proxy': True,
+                'indexes': [],
+                'constraints': [],
            },
-        )
+            bases=('assets.baseautomation',),
+        ),
+        migrations.CreateModel(
+            name='AutomationExecution',
+            fields=[
+            ],
+            options={
+                'verbose_name': 'Automation execution',
+                'verbose_name_plural': 'Automation executions',
+                'permissions': [('view_changesecretexecution', 'Can view change secret execution'), ('add_changesecretexecution', 'Can add change secret execution'), ('view_gatheraccountsexecution', 'Can view gather accounts execution'), ('add_gatheraccountsexecution', 'Can add gather accounts execution'), ('view_pushaccountexecution', 'Can view push account execution'), ('add_pushaccountexecution', 'Can add push account execution')],
+                'proxy': True,
+                'indexes': [],
+                'constraints': [],
+            },
+            bases=('assets.automationexecution',),
+        ),
+        migrations.CreateModel(
+            name='ChangeSecretAutomation',
+            fields=[
+                ('baseautomation_ptr', models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True, primary_key=True, serialize=False, to='assets.baseautomation')),
+                ('secret_type', models.CharField(choices=[('password', 'Password'), ('ssh_key', 'SSH key'), ('access_key', 'Access key'), ('token', 'Token'), ('api_key', 'API key')], default='password', max_length=16, verbose_name='Secret type')),
+                ('secret', common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='Secret')),
+                ('secret_strategy', models.CharField(choices=[('specific', 'Specific secret'), ('random', 'Random generate')], default='specific', max_length=16, verbose_name='Secret strategy')),
+                ('password_rules', models.JSONField(default=dict, verbose_name='Password rules')),
+                ('ssh_key_change_strategy', models.CharField(choices=[('set_jms', 'Replace (Replace only keys pushed by JumpServer) '), ('set', 'Empty and append SSH KEY'), ('add', 'Append SSH KEY')], default='set_jms', max_length=16, verbose_name='SSH key change strategy')),
+            ],
+            options={
+                'verbose_name': 'Change secret automation',
+            },
+            bases=('accounts.accountbaseautomation', models.Model),
+        ),
+        migrations.CreateModel(
+            name='GatherAccountsAutomation',
+            fields=[
+                ('baseautomation_ptr', models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True, primary_key=True, serialize=False, to='assets.baseautomation')),
+                ('is_sync_account', models.BooleanField(blank=True, default=False, verbose_name='Is sync account')),
+            ],
+            options={
+                'verbose_name': 'Gather account automation',
+            },
+            bases=('accounts.accountbaseautomation',),
+        ),
+        migrations.CreateModel(
+            name='PushAccountAutomation',
+            fields=[
+                ('baseautomation_ptr', models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True, primary_key=True, serialize=False, to='assets.baseautomation')),
+                ('secret_type', models.CharField(choices=[('password', 'Password'), ('ssh_key', 'SSH key'), ('access_key', 'Access key'), ('token', 'Token'), ('api_key', 'API key')], default='password', max_length=16, verbose_name='Secret type')),
+                ('secret', common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='Secret')),
+                ('secret_strategy', models.CharField(choices=[('specific', 'Specific secret'), ('random', 'Random generate')], default='specific', max_length=16, verbose_name='Secret strategy')),
+                ('password_rules', models.JSONField(default=dict, verbose_name='Password rules')),
+                ('ssh_key_change_strategy', models.CharField(choices=[('set_jms', 'Replace (Replace only keys pushed by JumpServer) '), ('set', 'Empty and append SSH KEY'), ('add', 'Append SSH KEY')], default='set_jms', max_length=16, verbose_name='SSH key change strategy')),
+                ('triggers', models.JSONField(default=list, max_length=16, verbose_name='Triggers')),
+                ('username', models.CharField(max_length=128, verbose_name='Username')),
+                ('action', models.CharField(max_length=16, verbose_name='Action')),
+            ],
+            options={
+                'verbose_name': 'Push asset account',
+            },
+            bases=('accounts.accountbaseautomation', models.Model),
+        ),
+        migrations.CreateModel(
+            name='VerifyAccountAutomation',
+            fields=[
+                ('baseautomation_ptr', models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True, primary_key=True, serialize=False, to='assets.baseautomation')),
+            ],
+            options={
+                'verbose_name': 'Verify asset account',
+            },
+            bases=('accounts.accountbaseautomation',),
+        ),
+        migrations.AlterUniqueTogether(
+            name='virtualaccount',
+            unique_together={('alias', 'org_id')},
+        ),
    ]
--- a/apps/accounts/migrations/0003_automation.py
+++ b/apps/accounts/migrations/0003_automation.py
@@ -1,198 +1,116 @@
-# Generated by Django 3.2.16 on 2022-12-30 08:08
+# Generated by Django 4.1.13 on 2024-05-09 03:16

-import uuid
-
-import django.db.models.deletion
 from django.conf import settings
 from django.db import migrations, models
-
-import common.db.encoder
-import common.db.fields
+import django.db.models.deletion


 class Migration(migrations.Migration):
+
+    initial = True
+
    dependencies = [
-        ('assets', '0107_automation'),
-        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+        ('assets', '0001_initial'),
+        ('terminal', '0001_initial'),
        ('accounts', '0002_auto_20220616_0021'),
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
    ]

    operations = [
-        migrations.CreateModel(
-            name='AccountBaseAutomation',
-            fields=[
-            ],
-            options={
-                'verbose_name': 'Account automation task',
-                'proxy': True,
-                'indexes': [],
-                'constraints': [],
-            },
-            bases=('assets.baseautomation',),
+        migrations.AddField(
+            model_name='historicalaccount',
+            name='history_user',
+            field=models.ForeignKey(null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='+', to=settings.AUTH_USER_MODEL),
        ),
-        migrations.CreateModel(
-            name='AutomationExecution',
-            fields=[
-            ],
-            options={
-                'verbose_name': 'Automation execution',
-                'verbose_name_plural': 'Automation executions',
-                'permissions': [('view_changesecretexecution', 'Can view change secret execution'),
-                                ('add_changesecretexecution', 'Can add change secret execution'),
-                                ('view_gatheraccountsexecution', 'Can view gather accounts execution'),
-                                ('add_gatheraccountsexecution', 'Can add gather accounts execution')],
-                'proxy': True,
-                'indexes': [],
-                'constraints': [],
-            },
-            bases=('assets.automationexecution',),
+        migrations.AddField(
+            model_name='gatheredaccount',
+            name='asset',
+            field=models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='assets.asset', verbose_name='Asset'),
        ),
-        migrations.CreateModel(
-            name='PushAccountAutomation',
-            fields=[
-                ('baseautomation_ptr',
-                 models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True,
-                                      primary_key=True, serialize=False, to='assets.baseautomation')),
-                ('secret_type', models.CharField(
-                    choices=[('password', 'Password'), ('ssh_key', 'SSH key'), ('access_key', 'Access key'),
-                             ('token', 'Token'), ('api_key', 'API key')], default='password', max_length=16,
-                    verbose_name='Secret type')),
-                ('secret_strategy', models.CharField(choices=[('specific', 'Specific password'),
-                                                              ('random_one', 'All assets use the same random password'),
-                                                              ('random_all',
-                                                               'All assets use different random password')],
-                                                     default='specific', max_length=16,
-                                                     verbose_name='Secret strategy')),
-                ('secret', common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='Secret')),
-                ('password_rules', models.JSONField(default=dict, verbose_name='Password rules')),
-                ('ssh_key_change_strategy', models.CharField(
-                    choices=[('add', 'Append SSH KEY'), ('set', 'Empty and append SSH KEY'),
-                             ('set_jms', 'Replace (The key generated by JumpServer) ')], default='add', max_length=16,
-                    verbose_name='SSH key change strategy')),
-                ('triggers', models.JSONField(default=list, max_length=16, verbose_name='Triggers')),
-                ('username', models.CharField(max_length=128, verbose_name='Username')),
-                ('action', models.CharField(max_length=16, verbose_name='Action')),
-            ],
-            options={
-                'verbose_name': 'Push asset account',
-            },
-            bases=('accounts.accountbaseautomation', models.Model),
+        migrations.AddField(
+            model_name='changesecretrecord',
+            name='account',
+            field=models.ForeignKey(null=True, on_delete=django.db.models.deletion.CASCADE, to='accounts.account'),
        ),
-
-        migrations.CreateModel(
-            name='GatherAccountsAutomation',
-            fields=[
-                ('baseautomation_ptr',
-                 models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True,
-                                      primary_key=True, serialize=False, to='assets.baseautomation')),
-            ],
-            options={
-                'verbose_name': 'Gather asset accounts',
-            },
-            bases=('accounts.accountbaseautomation',),
+        migrations.AddField(
+            model_name='changesecretrecord',
+            name='asset',
+            field=models.ForeignKey(null=True, on_delete=django.db.models.deletion.CASCADE, to='assets.asset'),
        ),
-        migrations.CreateModel(
-            name='VerifyAccountAutomation',
-            fields=[
-                ('baseautomation_ptr',
-                 models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True,
-                                      primary_key=True, serialize=False, to='assets.baseautomation')),
-            ],
-            options={
-                'verbose_name': 'Verify asset account',
-            },
-            bases=('accounts.accountbaseautomation',),
+        migrations.AddField(
+            model_name='changesecretrecord',
+            name='execution',
+            field=models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='accounts.automationexecution'),
        ),
-        migrations.CreateModel(
-            name='ChangeSecretRecord',
-            fields=[
-                ('created_by', models.CharField(blank=True, max_length=128, null=True, verbose_name='Created by')),
-                ('updated_by', models.CharField(blank=True, max_length=128, null=True, verbose_name='Updated by')),
-                ('date_created', models.DateTimeField(auto_now_add=True, null=True, verbose_name='Date created')),
-                ('date_updated', models.DateTimeField(auto_now=True, verbose_name='Date updated')),
-                ('comment', models.TextField(blank=True, default='', verbose_name='Comment')),
-                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
-                ('old_secret', common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='Old secret')),
-                ('new_secret', common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='New secret')),
-                ('date_started', models.DateTimeField(blank=True, null=True, verbose_name='Date started')),
-                ('date_finished', models.DateTimeField(blank=True, null=True, verbose_name='Date finished')),
-                ('status', models.CharField(default='pending', max_length=16, verbose_name='Status')),
-                ('error', models.TextField(blank=True, null=True, verbose_name='Error')),
-                ('account',
-                 models.ForeignKey(null=True, on_delete=django.db.models.deletion.CASCADE, to='accounts.account')),
-                ('asset', models.ForeignKey(null=True, on_delete=django.db.models.deletion.CASCADE, to='assets.asset')),
-                ('execution',
-                 models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='accounts.automationexecution')),
-            ],
-            options={
-                'verbose_name': 'Change secret record',
-            },
+        migrations.AddField(
+            model_name='accounttemplate',
+            name='platforms',
+            field=models.ManyToManyField(blank=True, related_name='account_templates', to='assets.platform', verbose_name='Platforms'),
        ),
-        migrations.CreateModel(
-            name='AccountBackupExecution',
-            fields=[
-                ('org_id',
-                 models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization')),
-                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
-                ('date_start', models.DateTimeField(auto_now_add=True, verbose_name='Date start')),
-                ('timedelta', models.FloatField(default=0.0, null=True, verbose_name='Time')),
-                ('plan_snapshot',
-                 models.JSONField(blank=True, default=dict, encoder=common.db.encoder.ModelJSONFieldEncoder, null=True,
-                                  verbose_name='Account backup snapshot')),
-                ('trigger', models.CharField(choices=[('manual', 'Manual trigger'), ('timing', 'Timing trigger')],
-                                             default='manual', max_length=128, verbose_name='Trigger mode')),
-                ('reason', models.CharField(blank=True, max_length=1024, null=True, verbose_name='Reason')),
-                ('is_success', models.BooleanField(default=False, verbose_name='Is success')),
-                ('plan', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='execution',
-                                           to='accounts.accountbackupautomation', verbose_name='Account backup plan')),
-            ],
-            options={
-                'verbose_name': 'Account backup execution',
-                'ordering': ('-date_start',),
-            },
+        migrations.AddField(
+            model_name='accounttemplate',
+            name='su_from',
+            field=models.ForeignKey(null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='su_to', to='accounts.accounttemplate', verbose_name='Su from'),
        ),
-        migrations.CreateModel(
-            name='ChangeSecretAutomation',
-            fields=[
-                ('baseautomation_ptr',
-                 models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True,
-                                      primary_key=True, serialize=False, to='assets.baseautomation')),
-                ('secret_type', models.CharField(
-                    choices=[('password', 'Password'), ('ssh_key', 'SSH key'), ('access_key', 'Access key'),
-                             ('token', 'Token'), ('api_key', 'API key')], default='password', max_length=16,
-                    verbose_name='Secret type')),
-                ('secret_strategy', models.CharField(choices=[('specific', 'Specific password'),
-                                                              ('random_one', 'All assets use the same random password'),
-                                                              ('random_all',
-                                                               'All assets use different random password')],
-                                                     default='specific', max_length=16,
-                                                     verbose_name='Secret strategy')),
-                ('secret', common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='Secret')),
-                ('password_rules', models.JSONField(default=dict, verbose_name='Password rules')),
-                ('ssh_key_change_strategy', models.CharField(
-                    choices=[('add', 'Append SSH KEY'), ('set', 'Empty and append SSH KEY'),
-                             ('set_jms', 'Replace (The key generated by JumpServer) ')], default='add', max_length=16,
-                    verbose_name='SSH key change strategy')),
-                ('recipients',
-                 models.ManyToManyField(blank=True, to=settings.AUTH_USER_MODEL, verbose_name='Recipient')),
-            ],
-            options={
-                'verbose_name': 'Change secret automation',
-            },
-            bases=('accounts.accountbaseautomation', models.Model),
+        migrations.AddField(
+            model_name='accountbackupexecution',
+            name='plan',
+            field=models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='execution', to='accounts.accountbackupautomation', verbose_name='Account backup plan'),
        ),
-        migrations.AlterModelOptions(
-            name='automationexecution',
-            options={'permissions': [('view_changesecretexecution', 'Can view change secret execution'),
-                                     ('add_changesecretexecution', 'Can add change secret execution'),
-                                     ('view_gatheraccountsexecution', 'Can view gather accounts execution'),
-                                     ('add_gatheraccountsexecution', 'Can add gather accounts execution'),
-                                     ('view_pushaccountexecution', 'Can view push account execution'),
-                                     ('add_pushaccountexecution', 'Can add push account execution')],
-                     'verbose_name': 'Automation execution', 'verbose_name_plural': 'Automation executions'},
+        migrations.AddField(
+            model_name='accountbackupautomation',
+            name='obj_recipients_part_one',
+            field=models.ManyToManyField(blank=True, related_name='obj_recipient_part_one_plans', to='terminal.replaystorage', verbose_name='Object storage recipient part one'),
        ),
-        migrations.AlterModelOptions(
-            name='changesecretrecord',
-            options={'ordering': ('-date_started',), 'verbose_name': 'Change secret record'},
+        migrations.AddField(
+            model_name='accountbackupautomation',
+            name='obj_recipients_part_two',
+            field=models.ManyToManyField(blank=True, related_name='obj_recipient_part_two_plans', to='terminal.replaystorage', verbose_name='Object storage recipient part two'),
+        ),
+        migrations.AddField(
+            model_name='accountbackupautomation',
+            name='recipients_part_one',
+            field=models.ManyToManyField(blank=True, related_name='recipient_part_one_plans', to=settings.AUTH_USER_MODEL, verbose_name='Recipient part one'),
+        ),
+        migrations.AddField(
+            model_name='accountbackupautomation',
+            name='recipients_part_two',
+            field=models.ManyToManyField(blank=True, related_name='recipient_part_two_plans', to=settings.AUTH_USER_MODEL, verbose_name='Recipient part two'),
+        ),
+        migrations.AddField(
+            model_name='account',
+            name='asset',
+            field=models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='accounts', to='assets.asset', verbose_name='Asset'),
+        ),
+        migrations.AddField(
+            model_name='account',
+            name='su_from',
+            field=models.ForeignKey(null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='su_to', to='accounts.account', verbose_name='Su from'),
+        ),
+        migrations.AlterUniqueTogether(
+            name='gatheredaccount',
+            unique_together={('username', 'asset')},
+        ),
+        migrations.AddField(
+            model_name='gatheraccountsautomation',
+            name='recipients',
+            field=models.ManyToManyField(blank=True, to=settings.AUTH_USER_MODEL, verbose_name='Recipient'),
+        ),
+        migrations.AddField(
+            model_name='changesecretautomation',
+            name='recipients',
+            field=models.ManyToManyField(blank=True, to=settings.AUTH_USER_MODEL, verbose_name='Recipient'),
+        ),
+        migrations.AlterUniqueTogether(
+            name='accounttemplate',
+            unique_together={('name', 'org_id')},
+        ),
+        migrations.AlterUniqueTogether(
+            name='accountbackupautomation',
+            unique_together={('name', 'org_id')},
+        ),
+        migrations.AlterUniqueTogether(
+            name='account',
+            unique_together={('name', 'asset'), ('username', 'asset', 'secret_type')},
        ),
    ]
--- a/apps/accounts/migrations/0004_alter_changesecretrecord_account_and_more.py
+++ b/apps/accounts/migrations/0004_alter_changesecretrecord_account_and_more.py
@@ -0,0 +1,30 @@
+# Generated by Django 4.1.13 on 2024-08-26 09:05
+
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0005_myasset'),
+        ('accounts', '0003_automation'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='changesecretrecord',
+            name='account',
+            field=models.ForeignKey(null=True, on_delete=django.db.models.deletion.SET_NULL, to='accounts.account'),
+        ),
+        migrations.AlterField(
+            model_name='changesecretrecord',
+            name='asset',
+            field=models.ForeignKey(null=True, on_delete=django.db.models.deletion.SET_NULL, to='assets.asset'),
+        ),
+        migrations.AlterField(
+            model_name='changesecretrecord',
+            name='execution',
+            field=models.ForeignKey(null=True, on_delete=django.db.models.deletion.SET_NULL, to='accounts.automationexecution'),
+        ),
+    ]
--- a/apps/accounts/migrations/0004_auto_20230106_1507.py
+++ b/apps/accounts/migrations/0004_auto_20230106_1507.py
@@ -1,23 +0,0 @@
-# Generated by Django 3.2.16 on 2023-01-06 07:07
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('accounts', '0003_automation'),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name='changesecretautomation',
-            name='secret_strategy',
-            field=models.CharField(choices=[('specific', 'Specific secret'), ('random', 'Random generate')], default='specific', max_length=16, verbose_name='Secret strategy'),
-        ),
-        migrations.AlterField(
-            model_name='pushaccountautomation',
-            name='secret_strategy',
-            field=models.CharField(choices=[('specific', 'Specific secret'), ('random', 'Random generate')], default='specific', max_length=16, verbose_name='Secret strategy'),
-        ),
-    ]
--- a/apps/accounts/migrations/0005_alter_changesecretrecord_options.py
+++ b/apps/accounts/migrations/0005_alter_changesecretrecord_options.py
@@ -1,17 +0,0 @@
-# Generated by Django 3.2.16 on 2023-01-10 06:45
-
-from django.db import migrations
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('accounts', '0004_auto_20230106_1507'),
-    ]
-
-    operations = [
-        migrations.AlterModelOptions(
-            name='changesecretrecord',
-            options={'ordering': ('-date_created',), 'verbose_name': 'Change secret record'},
-        ),
-    ]
--- a/apps/accounts/migrations/0006_gatheredaccount.py
+++ b/apps/accounts/migrations/0006_gatheredaccount.py
@@ -1,38 +0,0 @@
-# Generated by Django 3.2.16 on 2023-02-07 04:41
-
-from django.db import migrations, models
-import django.db.models.deletion
-import uuid
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('assets', '0108_alter_platform_charset'),
-        ('accounts', '0005_alter_changesecretrecord_options'),
-    ]
-
-    operations = [
-        migrations.CreateModel(
-            name='GatheredAccount',
-            fields=[
-                ('created_by', models.CharField(blank=True, max_length=128, null=True, verbose_name='Created by')),
-                ('updated_by', models.CharField(blank=True, max_length=128, null=True, verbose_name='Updated by')),
-                ('date_created', models.DateTimeField(auto_now_add=True, null=True, verbose_name='Date created')),
-                ('date_updated', models.DateTimeField(auto_now=True, verbose_name='Date updated')),
-                ('comment', models.TextField(blank=True, default='', verbose_name='Comment')),
-                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
-                ('org_id', models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization')),
-                ('present', models.BooleanField(default=True, verbose_name='Present')),
-                ('date_last_login', models.DateTimeField(null=True, verbose_name='Date last login')),
-                ('username', models.CharField(blank=True, db_index=True, max_length=32, verbose_name='Username')),
-                ('address_last_login', models.CharField(default='', max_length=39, verbose_name='Address last login')),
-                ('asset', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='assets.asset', verbose_name='Asset')),
-            ],
-            options={
-                'verbose_name': 'Gather account',
-                'ordering': ['asset'],
-                'unique_together': {('username', 'asset')},
-            },
-        ),
-    ]
--- a/apps/accounts/migrations/0007_alter_account_options.py
+++ b/apps/accounts/migrations/0007_alter_account_options.py
@@ -1,23 +0,0 @@
-# Generated by Django 3.2.16 on 2023-02-16 11:07
-
-from django.db import migrations
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ('accounts', '0006_gatheredaccount'),
-    ]
-
-    operations = [
-        migrations.AlterModelOptions(
-            name='account',
-            options={'permissions': [
-                ('view_accountsecret', 'Can view asset account secret'),
-                ('view_historyaccount', 'Can view asset history account'),
-                ('view_historyaccountsecret', 'Can view asset history account secret'),
-                ('verify_account', 'Can verify account'),
-                ('push_account', 'Can push account'),
-                ('remove_account', 'Can remove account'),
-            ], 'verbose_name': 'Account'},
-        ),
-    ]
--- a/apps/accounts/migrations/0008_alter_gatheredaccount_options.py
+++ b/apps/accounts/migrations/0008_alter_gatheredaccount_options.py
@@ -1,17 +0,0 @@
-# Generated by Django 3.2.16 on 2023-02-23 09:59
-
-from django.db import migrations
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('accounts', '0007_alter_account_options'),
-    ]
-
-    operations = [
-        migrations.AlterModelOptions(
-            name='gatheredaccount',
-            options={'ordering': ['asset'], 'verbose_name': 'Gather account automation'},
-        ),
-    ]
--- a/apps/accounts/migrations/0009_account_usernames_to_ids.py
+++ b/apps/accounts/migrations/0009_account_usernames_to_ids.py
@@ -1,69 +0,0 @@
-# Generated by Django 3.2.16 on 2023-03-07 07:36
-
-from django.db import migrations
-from django.db.models import Q
-
-
-def get_nodes_all_assets(apps, *nodes):
-    node_model = apps.get_model('assets', 'Node')
-    asset_model = apps.get_model('assets', 'Asset')
-    node_ids = set()
-    descendant_node_query = Q()
-    for n in nodes:
-        node_ids.add(n.id)
-        descendant_node_query |= Q(key__istartswith=f'{n.key}:')
-    if descendant_node_query:
-        _ids = node_model.objects.order_by().filter(descendant_node_query).values_list('id', flat=True)
-        node_ids.update(_ids)
-    return asset_model.objects.order_by().filter(nodes__id__in=node_ids).distinct()
-
-
-def get_all_assets(apps, snapshot):
-    node_model = apps.get_model('assets', 'Node')
-    asset_model = apps.get_model('assets', 'Asset')
-    asset_ids = snapshot.get('assets', [])
-    node_ids = snapshot.get('nodes', [])
-
-    nodes = node_model.objects.filter(id__in=node_ids)
-    node_asset_ids = get_nodes_all_assets(apps, *nodes).values_list('id', flat=True)
-    asset_ids = set(list(asset_ids) + list(node_asset_ids))
-    return asset_model.objects.filter(id__in=asset_ids)
-
-
-def migrate_account_usernames_to_ids(apps, schema_editor):
-    db_alias = schema_editor.connection.alias
-    execution_model = apps.get_model('accounts', 'AutomationExecution')
-    account_model = apps.get_model('accounts', 'Account')
-    executions = execution_model.objects.using(db_alias).all()
-    executions_update = []
-    for execution in executions:
-        snapshot = execution.snapshot
-        accounts = account_model.objects.none()
-        account_usernames = snapshot.get('accounts', [])
-        for asset in get_all_assets(apps, snapshot):
-            accounts = accounts | asset.accounts.all()
-        secret_type = snapshot.get('secret_type')
-        if secret_type:
-            ids = accounts.filter(
-                username__in=account_usernames,
-                secret_type=secret_type
-            ).values_list('id', flat=True)
-        else:
-            ids = accounts.filter(
-                username__in=account_usernames
-            ).values_list('id', flat=True)
-        snapshot['accounts'] = [str(_id) for _id in ids]
-        execution.snapshot = snapshot
-        executions_update.append(execution)
-
-    execution_model.objects.bulk_update(executions_update, ['snapshot'])
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ('accounts', '0008_alter_gatheredaccount_options'),
-    ]
-
-    operations = [
-        migrations.RunPython(migrate_account_usernames_to_ids),
-    ]
--- a/apps/accounts/migrations/0010_gatheraccountsautomation_is_sync_account.py
+++ b/apps/accounts/migrations/0010_gatheraccountsautomation_is_sync_account.py
@@ -1,22 +0,0 @@
-# Generated by Django 3.2.16 on 2023-03-23 08:39
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ('accounts', '0009_account_usernames_to_ids'),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name='gatheraccountsautomation',
-            name='is_sync_account',
-            field=models.BooleanField(blank=True, default=False, verbose_name='Is sync account'),
-        ),
-        migrations.AddField(
-            model_name='account',
-            name='source_id',
-            field=models.CharField(max_length=128, null=True, blank=True, verbose_name='Source ID'),
-        ),
-    ]
--- a/apps/accounts/migrations/0011_auto_20230506_1443.py
+++ b/apps/accounts/migrations/0011_auto_20230506_1443.py
@@ -1,29 +0,0 @@
-# Generated by Django 3.2.17 on 2023-05-06 06:43
-
-from django.db import migrations, models
-import django.db.models.deletion
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('accounts', '0010_gatheraccountsautomation_is_sync_account'),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name='accounttemplate',
-            name='su_from',
-            field=models.ForeignKey(null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='su_to', to='accounts.accounttemplate', verbose_name='Su from'),
-        ),
-        migrations.AlterField(
-            model_name='changesecretautomation',
-            name='ssh_key_change_strategy',
-            field=models.CharField(choices=[('add', 'Append SSH KEY'), ('set', 'Empty and append SSH KEY'), ('set_jms', 'Replace (Replace only keys pushed by JumpServer) ')], default='add', max_length=16, verbose_name='SSH key change strategy'),
-        ),
-        migrations.AlterField(
-            model_name='pushaccountautomation',
-            name='ssh_key_change_strategy',
-            field=models.CharField(choices=[('add', 'Append SSH KEY'), ('set', 'Empty and append SSH KEY'), ('set_jms', 'Replace (Replace only keys pushed by JumpServer) ')], default='add', max_length=16, verbose_name='SSH key change strategy'),
-        ),
-    ]
--- a/apps/accounts/migrations/0012_auto_20230621_1456.py
+++ b/apps/accounts/migrations/0012_auto_20230621_1456.py
@@ -1,28 +0,0 @@
-# Generated by Django 3.2.19 on 2023-06-21 06:56
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('accounts', '0011_auto_20230506_1443'),
-    ]
-
-    operations = [
-        migrations.RenameField(
-            model_name='account',
-            old_name='secret',
-            new_name='_secret',
-        ),
-        migrations.RenameField(
-            model_name='accounttemplate',
-            old_name='secret',
-            new_name='_secret',
-        ),
-        migrations.RenameField(
-            model_name='historicalaccount',
-            old_name='secret',
-            new_name='_secret',
-        ),
-    ]
--- a/apps/accounts/migrations/0013_account_backup_recipients.py
+++ b/apps/accounts/migrations/0013_account_backup_recipients.py
@@ -1,77 +0,0 @@
-# Generated by Django 4.1.10 on 2023-08-03 08:28
-from django.conf import settings
-from django.db import migrations, models
-
-import common.db.encoder
-
-
-def migrate_recipients(apps, schema_editor):
-    account_backup_model = apps.get_model('accounts', 'AccountBackupAutomation')
-    execution_model = apps.get_model('accounts', 'AccountBackupExecution')
-    for account_backup in account_backup_model.objects.all():
-        recipients = list(account_backup.recipients.all())
-        if not recipients:
-            continue
-        account_backup.recipients_part_one.set(recipients)
-
-    objs = []
-    for execution in execution_model.objects.all():
-        snapshot = execution.snapshot
-        recipients = snapshot.pop('recipients', {})
-        snapshot.update({'recipients_part_one': recipients, 'recipients_part_two': {}})
-        objs.append(execution)
-    execution_model.objects.bulk_update(objs, ['snapshot'])
-
-
-def migrate_snapshot(apps, schema_editor):
-    model = apps.get_model('accounts', 'AccountBackupExecution')
-    objs = []
-    for execution in model.objects.all():
-        execution.snapshot = execution.plan_snapshot
-        objs.append(execution)
-    model.objects.bulk_update(objs, ['snapshot'])
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
-        ('accounts', '0012_auto_20230621_1456'),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name='accountbackupautomation',
-            name='recipients_part_one',
-            field=models.ManyToManyField(
-                blank=True, related_name='recipient_part_one_plans',
-                to=settings.AUTH_USER_MODEL, verbose_name='Recipient part one'
-            ),
-        ),
-        migrations.AddField(
-            model_name='accountbackupautomation',
-            name='recipients_part_two',
-            field=models.ManyToManyField(
-                blank=True, related_name='recipient_part_two_plans',
-                to=settings.AUTH_USER_MODEL, verbose_name='Recipient part two'
-            ),
-        ),
-        migrations.AddField(
-            model_name='accountbackupexecution',
-            name='snapshot',
-            field=models.JSONField(
-                default=dict, encoder=common.db.encoder.ModelJSONFieldEncoder,
-                null=True, blank=True, verbose_name='Account backup snapshot'
-            ),
-        ),
-        migrations.RunPython(migrate_snapshot),
-        migrations.RunPython(migrate_recipients),
-        migrations.RemoveField(
-            model_name='accountbackupexecution',
-            name='plan_snapshot',
-        ),
-        migrations.RemoveField(
-            model_name='accountbackupautomation',
-            name='recipients',
-        ),
-
-    ]
--- a/apps/accounts/migrations/0014_virtualaccount.py
+++ b/apps/accounts/migrations/0014_virtualaccount.py
@@ -1,31 +0,0 @@
-# Generated by Django 4.1.10 on 2023-08-01 09:12
-
-import uuid
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('accounts', '0013_account_backup_recipients'),
-    ]
-
-    operations = [
-        migrations.CreateModel(
-            name='VirtualAccount',
-            fields=[
-                ('created_by', models.CharField(blank=True, max_length=128, null=True, verbose_name='Created by')),
-                ('updated_by', models.CharField(blank=True, max_length=128, null=True, verbose_name='Updated by')),
-                ('date_created', models.DateTimeField(auto_now_add=True, null=True, verbose_name='Date created')),
-                ('date_updated', models.DateTimeField(auto_now=True, verbose_name='Date updated')),
-                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
-                ('org_id', models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization')),
-                ('alias', models.CharField(choices=[('@INPUT', 'Manual input'), ('@USER', 'Dynamic user'), ('@ANON', 'Anonymous account'), ('@SPEC', 'Specified account')], max_length=128, verbose_name='Alias')),
-                ('secret_from_login', models.BooleanField(default=None, null=True, verbose_name='Secret from login')),
-            ],
-            options={
-                'unique_together': {('alias', 'org_id')},
-            },
-        ),
-    ]
--- a/apps/accounts/migrations/0015_auto_20230825_1120.py
+++ b/apps/accounts/migrations/0015_auto_20230825_1120.py
@@ -1,34 +0,0 @@
-# Generated by Django 4.1.10 on 2023-08-25 03:19
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('assets', '0122_auto_20230803_1553'),
-        ('accounts', '0014_virtualaccount'),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name='accounttemplate',
-            name='auto_push',
-            field=models.BooleanField(default=False, verbose_name='Auto push'),
-        ),
-        migrations.AddField(
-            model_name='accounttemplate',
-            name='platforms',
-            field=models.ManyToManyField(related_name='account_templates', to='assets.platform', verbose_name='Platforms', blank=True),
-        ),
-        migrations.AddField(
-            model_name='accounttemplate',
-            name='push_params',
-            field=models.JSONField(default=dict, verbose_name='Push params'),
-        ),
-        migrations.AddField(
-            model_name='accounttemplate',
-            name='secret_strategy',
-            field=models.CharField(choices=[('specific', 'Specific secret'), ('random', 'Random generate')], default='specific', max_length=16, verbose_name='Secret strategy'),
-        ),
-    ]
--- a/apps/accounts/migrations/0016_accounttemplate_password_rules.py
+++ b/apps/accounts/migrations/0016_accounttemplate_password_rules.py
@@ -1,18 +0,0 @@
-# Generated by Django 4.1.10 on 2023-09-18 08:09
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('accounts', '0015_auto_20230825_1120'),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name='accounttemplate',
-            name='password_rules',
-            field=models.JSONField(default=dict, verbose_name='Password rules'),
-        ),
-    ]
--- a/apps/accounts/migrations/0017_alter_automationexecution_options.py
+++ b/apps/accounts/migrations/0017_alter_automationexecution_options.py
@@ -1,25 +0,0 @@
-# Generated by Django 4.1.10 on 2023-10-24 05:59
-
-from django.db import migrations
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ('accounts', '0016_accounttemplate_password_rules'),
-    ]
-
-    operations = [
-        migrations.AlterModelOptions(
-            name='automationexecution',
-            options={
-                'permissions': [
-                    ('view_changesecretexecution', 'Can view change secret execution'),
-                    ('add_changesecretexecution', 'Can add change secret execution'),
-                    ('view_gatheraccountsexecution', 'Can view gather accounts execution'),
-                    ('add_gatheraccountsexecution', 'Can add gather accounts execution'),
-                    ('view_pushaccountexecution', 'Can view push account execution'),
-                    ('add_pushaccountexecution', 'Can add push account execution')
-                ],
-                'verbose_name': 'Automation execution', 'verbose_name_plural': 'Automation executions'},
-        ),
-    ]
--- a/apps/accounts/migrations/0018_accountbackupautomation_backup_type_and_more.py
+++ b/apps/accounts/migrations/0018_accountbackupautomation_backup_type_and_more.py
@@ -1,45 +0,0 @@
-# Generated by Django 4.1.10 on 2023-11-03 07:10
-
-import common.db.fields
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('terminal', '0067_alter_replaystorage_type'),
-        ('accounts', '0017_alter_automationexecution_options'),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name='accountbackupautomation',
-            name='backup_type',
-            field=models.CharField(choices=[('email', 'Email'), ('object_storage', 'Object Storage')], default='email', max_length=128),
-        ),
-        migrations.AddField(
-            model_name='accountbackupautomation',
-            name='is_password_divided_by_email',
-            field=models.BooleanField(default=True),
-        ),
-        migrations.AddField(
-            model_name='accountbackupautomation',
-            name='is_password_divided_by_obj_storage',
-            field=models.BooleanField(default=True),
-        ),
-        migrations.AddField(
-            model_name='accountbackupautomation',
-            name='obj_recipients_part_one',
-            field=models.ManyToManyField(blank=True, related_name='obj_recipient_part_one_plans', to='terminal.replaystorage', verbose_name='Object Storage Recipient part one'),
-        ),
-        migrations.AddField(
-            model_name='accountbackupautomation',
-            name='obj_recipients_part_two',
-            field=models.ManyToManyField(blank=True, related_name='obj_recipient_part_two_plans', to='terminal.replaystorage', verbose_name='Object Storage Recipient part two'),
-        ),
-        migrations.AddField(
-            model_name='accountbackupautomation',
-            name='zip_encrypt_password',
-            field=common.db.fields.EncryptCharField(blank=True, max_length=4096, null=True, verbose_name='Zip Encrypt Password'),
-        ),
-    ]
--- a/apps/accounts/migrations/0019_gatheraccountsautomation_recipients.py
+++ b/apps/accounts/migrations/0019_gatheraccountsautomation_recipients.py
@@ -1,20 +0,0 @@
-# Generated by Django 4.1.10 on 2023-10-31 06:12
-
-from django.conf import settings
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
-        ('accounts', '0018_accountbackupautomation_backup_type_and_more'),
-    ]
-
-    operations = [
-        migrations.AddField(
-            model_name='gatheraccountsautomation',
-            name='recipients',
-            field=models.ManyToManyField(blank=True, to=settings.AUTH_USER_MODEL, verbose_name='Recipient'),
-        ),
-    ]
--- a/apps/accounts/migrations/0020_alter_accountbackupautomation_backup_type_and_more.py
+++ b/apps/accounts/migrations/0020_alter_accountbackupautomation_backup_type_and_more.py
@@ -1,28 +0,0 @@
-# Generated by Django 4.1.10 on 2023-11-16 02:13
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('accounts', '0019_gatheraccountsautomation_recipients'),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name='accountbackupautomation',
-            name='backup_type',
-            field=models.CharField(choices=[('email', 'Email'), ('object_storage', 'SFTP')], default='email', max_length=128, verbose_name='Backup Type'),
-        ),
-        migrations.AlterField(
-            model_name='accountbackupautomation',
-            name='is_password_divided_by_email',
-            field=models.BooleanField(default=True, verbose_name='Is Password Divided'),
-        ),
-        migrations.AlterField(
-            model_name='accountbackupautomation',
-            name='is_password_divided_by_obj_storage',
-            field=models.BooleanField(default=True, verbose_name='Is Password Divided'),
-        ),
-    ]
--- a/apps/accounts/models/account.py
+++ b/apps/accounts/models/account.py
@@ -53,7 +53,8 @@ class Account(AbsConnectivity, LabeledMixin, BaseAccount):
        on_delete=models.SET_NULL, verbose_name=_("Su from")
    )
    version = models.IntegerField(default=0, verbose_name=_('Version'))
-    history = AccountHistoricalRecords(included_fields=['id', '_secret', 'secret_type', 'version'])
+    history = AccountHistoricalRecords(included_fields=['id', '_secret', 'secret_type', 'version'],
+                                       verbose_name=_("historical Account"))
    source = models.CharField(max_length=30, default=Source.LOCAL, verbose_name=_('Source'))
    source_id = models.CharField(max_length=128, null=True, blank=True, verbose_name=_('Source ID'))

@@ -119,7 +120,8 @@ class Account(AbsConnectivity, LabeledMixin, BaseAccount):
            return auth

        auth.update(self.make_account_ansible_vars(su_from))
-        become_method = platform.su_method if platform.su_method else 'sudo'
+
+        become_method = platform.ansible_become_method
        password = su_from.secret if become_method == 'sudo' else self.secret
        auth['ansible_become'] = True
        auth['ansible_become_method'] = become_method
--- a/apps/accounts/models/automations/backup_account.py
+++ b/apps/accounts/models/automations/backup_account.py
@@ -24,9 +24,9 @@ logger = get_logger(__file__)
 class AccountBackupAutomation(PeriodTaskModelMixin, JMSOrgBaseModel):
    types = models.JSONField(default=list)
    backup_type = models.CharField(max_length=128, choices=AccountBackupType.choices,
-                                   default=AccountBackupType.email.value, verbose_name=_('Backup Type'))
-    is_password_divided_by_email = models.BooleanField(default=True, verbose_name=_('Is Password Divided'))
-    is_password_divided_by_obj_storage = models.BooleanField(default=True, verbose_name=_('Is Password Divided'))
+                                   default=AccountBackupType.email.value, verbose_name=_('Backup type'))
+    is_password_divided_by_email = models.BooleanField(default=True, verbose_name=_('Password divided'))
+    is_password_divided_by_obj_storage = models.BooleanField(default=True, verbose_name=_('Password divided'))
    recipients_part_one = models.ManyToManyField(
        'users.User', related_name='recipient_part_one_plans', blank=True,
        verbose_name=_("Recipient part one")
@@ -37,14 +37,15 @@ class AccountBackupAutomation(PeriodTaskModelMixin, JMSOrgBaseModel):
    )
    obj_recipients_part_one = models.ManyToManyField(
        'terminal.ReplayStorage', related_name='obj_recipient_part_one_plans', blank=True,
-        verbose_name=_("Object Storage Recipient part one")
+        verbose_name=_("Object storage recipient part one")
    )
    obj_recipients_part_two = models.ManyToManyField(
        'terminal.ReplayStorage', related_name='obj_recipient_part_two_plans', blank=True,
-        verbose_name=_("Object Storage Recipient part two")
+        verbose_name=_("Object storage recipient part two")
+    )
+    zip_encrypt_password = fields.EncryptCharField(
+        max_length=4096, blank=True, null=True, verbose_name=_('Zip encrypt password')
    )
-    zip_encrypt_password = fields.EncryptCharField(max_length=4096, blank=True, null=True,
-                                                   verbose_name=_('Zip Encrypt Password'))

    def __str__(self):
        return f'{self.name}({self.org_id})'
--- a/apps/accounts/models/automations/base.py
+++ b/apps/accounts/models/automations/base.py
@@ -51,7 +51,7 @@ class AutomationExecution(AssetAutomationExecution):
 class ChangeSecretMixin(SecretWithRandomMixin):
    ssh_key_change_strategy = models.CharField(
        choices=SSHKeyStrategy.choices, max_length=16,
-        default=SSHKeyStrategy.add, verbose_name=_('SSH key change strategy')
+        default=SSHKeyStrategy.set_jms, verbose_name=_('SSH key change strategy')
    )
    get_all_assets: callable  # get all assets

--- a/apps/accounts/models/automations/change_secret.py
+++ b/apps/accounts/models/automations/change_secret.py
@@ -33,16 +33,15 @@ class ChangeSecretAutomation(ChangeSecretMixin, AccountBaseAutomation):


 class ChangeSecretRecord(JMSBaseModel):
-    execution = models.ForeignKey('accounts.AutomationExecution', on_delete=models.CASCADE)
-    asset = models.ForeignKey('assets.Asset', on_delete=models.CASCADE, null=True)
-    account = models.ForeignKey('accounts.Account', on_delete=models.CASCADE, null=True)
+    execution = models.ForeignKey('accounts.AutomationExecution', on_delete=models.SET_NULL, null=True)
+    asset = models.ForeignKey('assets.Asset', on_delete=models.SET_NULL, null=True)
+    account = models.ForeignKey('accounts.Account', on_delete=models.SET_NULL, null=True)
    old_secret = fields.EncryptTextField(blank=True, null=True, verbose_name=_('Old secret'))
    new_secret = fields.EncryptTextField(blank=True, null=True, verbose_name=_('New secret'))
    date_started = models.DateTimeField(blank=True, null=True, verbose_name=_('Date started'))
    date_finished = models.DateTimeField(blank=True, null=True, verbose_name=_('Date finished'))
    status = models.CharField(
-        max_length=16, verbose_name=_('Status'),
-        default=ChangeSecretRecordStatusChoice.pending.value
+        max_length=16, verbose_name=_('Status'), default=ChangeSecretRecordStatusChoice.pending.value
    )
    error = models.TextField(blank=True, null=True, verbose_name=_('Error'))

@@ -51,4 +50,4 @@ class ChangeSecretRecord(JMSBaseModel):
        verbose_name = _("Change secret record")

    def __str__(self):
-        return self.account.__str__()
+        return f'{self.account.username}@{self.asset}'
--- a/apps/accounts/models/automations/gather_account.py
+++ b/apps/accounts/models/automations/gather_account.py
@@ -12,10 +12,10 @@ __all__ = ['GatherAccountsAutomation', 'GatheredAccount']

 class GatheredAccount(JMSOrgBaseModel):
    present = models.BooleanField(default=True, verbose_name=_("Present"))
-    date_last_login = models.DateTimeField(null=True, verbose_name=_("Date last login"))
+    date_last_login = models.DateTimeField(null=True, verbose_name=_("Date login"))
    asset = models.ForeignKey('assets.Asset', on_delete=models.CASCADE, verbose_name=_("Asset"))
    username = models.CharField(max_length=32, blank=True, db_index=True, verbose_name=_('Username'))
-    address_last_login = models.CharField(max_length=39, default='', verbose_name=_("Address last login"))
+    address_last_login = models.CharField(max_length=39, default='', verbose_name=_("Address login"))

    @property
    def address(self):
@@ -41,7 +41,7 @@ class GatheredAccount(JMSOrgBaseModel):
        Account.objects.bulk_create(account_objs)

    class Meta:
-        verbose_name = _('Gather account automation')
+        verbose_name = _("Gather asset accounts")
        unique_together = [
            ('username', 'asset'),
        ]
@@ -72,4 +72,4 @@ class GatherAccountsAutomation(AccountBaseAutomation):
        super().save(*args, **kwargs)

    class Meta:
-        verbose_name = _("Gather asset accounts")
+        verbose_name = _('Gather account automation')
--- a/apps/accounts/models/automations/push_account.py
+++ b/apps/accounts/models/automations/push_account.py
@@ -2,7 +2,7 @@ from django.conf import settings
 from django.db import models
 from django.utils.translation import gettext_lazy as _

-from accounts.const import AutomationTypes
+from accounts.const import AutomationTypes, SecretType
 from accounts.models import Account
 from .base import AccountBaseAutomation
 from .change_secret import ChangeSecretMixin
@@ -23,7 +23,8 @@ class PushAccountAutomation(ChangeSecretMixin, AccountBaseAutomation):
        create_usernames = set(usernames) - set(account_usernames)
        create_account_objs = [
            Account(
-                name=f'{username}-{secret_type}', username=username,
+                name=f"{username}-{secret_type}" if secret_type != SecretType.PASSWORD else username,
+                username=username,
                secret_type=secret_type, asset=asset,
            )
            for username in create_usernames
--- a/apps/accounts/models/template.py
+++ b/apps/accounts/models/template.py
@@ -29,7 +29,6 @@ class AccountTemplate(LabeledMixin, BaseAccount, SecretWithRandomMixin):
        )
        permissions = [
            ('view_accounttemplatesecret', _('Can view asset account template secret')),
-            ('change_accounttemplatesecret', _('Can change asset account template secret')),
        ]

    def __str__(self):
--- a/apps/accounts/models/virtual.py
+++ b/apps/accounts/models/virtual.py
@@ -15,6 +15,7 @@ class VirtualAccount(JMSOrgBaseModel):

    class Meta:
        unique_together = [('alias', 'org_id')]
+        verbose_name = _('Virtual account')

    @property
    def name(self):
--- a/apps/accounts/serializers/account/account.py
+++ b/apps/accounts/serializers/account/account.py
@@ -31,7 +31,9 @@ class AccountCreateUpdateSerializerMixin(serializers.Serializer):
        default=False, label=_("Push now"), write_only=True
    )
    params = serializers.JSONField(
-        decoder=None, encoder=None, required=False, style={'base_template': 'textarea.html'}
+        decoder=None, encoder=None, required=False,
+        style={'base_template': 'textarea.html'},
+        label=_('Params'),
    )
    on_invalid = LabeledChoiceField(
        choices=AccountInvalidPolicy.choices, default=AccountInvalidPolicy.ERROR,
@@ -79,18 +81,28 @@ class AccountCreateUpdateSerializerMixin(serializers.Serializer):

    @staticmethod
    def get_template_attr_for_account(template):
-        # Set initial data from template
        field_names = [
-            'name', 'username', 'secret',
-            'secret_type', 'privileged', 'is_active'
+            'name', 'username',
+            'secret_type', 'secret',
+            'privileged', 'is_active'
        ]

+        field_map = {
+            'push_params': 'params',
+            'auto_push': 'push_now'
+        }
+
+        field_names.extend(field_map.keys())
+
        attrs = {}
        for name in field_names:
            value = getattr(template, name, None)
            if value is None:
                continue
-            attrs[name] = value
+
+            attr_name = field_map.get(name, name)
+            attrs[attr_name] = value
+
        attrs['secret'] = template.get_secret()
        return attrs

@@ -166,14 +178,15 @@ class AccountCreateUpdateSerializerMixin(serializers.Serializer):
            instance.save()
            return instance, 'updated'
        else:
-            raise serializers.ValidationError('Account already exists')
+            raise serializers.ValidationError(_('Account already exists'))

    def create(self, validated_data):
        push_now = validated_data.pop('push_now', None)
        params = validated_data.pop('params', None)
        self.clean_auth_fields(validated_data)
        instance, stat = self.do_create(validated_data)
-        self.push_account_if_need(instance, push_now, params, stat)
+        if instance.source == Source.LOCAL:
+            self.push_account_if_need(instance, push_now, params, stat)
        return instance

    def update(self, instance, validated_data):
@@ -225,7 +238,7 @@ class AccountSerializer(AccountCreateUpdateSerializerMixin, BaseAccountSerialize
        fields = BaseAccountSerializer.Meta.fields + [
            'su_from', 'asset', 'version',
            'source', 'source_id', 'connectivity',
-        ] + list(set(AccountCreateUpdateSerializerMixin.Meta.fields) - {'params'})
+        ] + AccountCreateUpdateSerializerMixin.Meta.fields
        read_only_fields = BaseAccountSerializer.Meta.read_only_fields + [
            'connectivity'
        ]
@@ -234,6 +247,7 @@ class AccountSerializer(AccountCreateUpdateSerializerMixin, BaseAccountSerialize
            'name': {'required': False},
            'source_id': {'required': False, 'allow_null': True},
        }
+        fields_unimport_template = ['params']

    @classmethod
    def setup_eager_loading(cls, queryset):
@@ -275,8 +289,8 @@ class AssetAccountBulkSerializer(
        fields = [
            'name', 'username', 'secret', 'secret_type', 'passphrase',
            'privileged', 'is_active', 'comment', 'template',
-            'on_invalid', 'push_now', 'assets', 'su_from_username',
-            'source', 'source_id',
+            'on_invalid', 'push_now', 'params', 'assets',
+            'su_from_username', 'source', 'source_id',
        ]
        extra_kwargs = {
            'name': {'required': False},
@@ -414,16 +428,23 @@ class AssetAccountBulkSerializer(
        return results

    @staticmethod
-    def push_accounts_if_need(results, push_now):
+    def push_accounts_if_need(results, push_now, params):
        if not push_now:
            return
-        accounts = [str(v['instance']) for v in results if v.get('instance')]
-        push_accounts_to_assets_task.delay(accounts)
+
+        account_ids = [v['instance'] for v in results if v.get('instance')]
+        accounts = Account.objects.filter(id__in=account_ids, source=Source.LOCAL)
+        if not accounts.exists():
+            return
+
+        account_ids = [str(_id) for _id in accounts.values_list('id', flat=True)]
+        push_accounts_to_assets_task.delay(account_ids, params)

    def create(self, validated_data):
+        params = validated_data.pop('params', None)
        push_now = validated_data.pop('push_now', False)
        results = self.perform_bulk_create(validated_data)
-        self.push_accounts_if_need(results, push_now)
+        self.push_accounts_if_need(results, push_now, params)
        for res in results:
            res['asset'] = str(res['asset'])
        return results
--- a/apps/accounts/serializers/account/backup.py
+++ b/apps/accounts/serializers/account/backup.py
@@ -35,8 +35,7 @@ class AccountBackupSerializer(PeriodTaskSerializerMixin, BulkOrgResourceModelSer
        ]
        extra_kwargs = {
            'name': {'required': True},
-            'periodic_display': {'label': _('Periodic perform')},
-            'executed_amount': {'label': _('Executed amount')},
+            'executed_amount': {'label': _('Executions')},
            'recipients': {
                'label': _('Recipient'),
                'help_text': _('Currently only mail sending is supported')
--- a/apps/accounts/serializers/account/base.py
+++ b/apps/accounts/serializers/account/base.py
@@ -9,26 +9,34 @@ from common.serializers import ResourceLabelsMixin
 from common.serializers.fields import EncryptedField, LabeledChoiceField
 from orgs.mixins.serializers import BulkOrgResourceModelSerializer

-__all__ = ['AuthValidateMixin', 'BaseAccountSerializer']
+__all__ = ["AuthValidateMixin", "BaseAccountSerializer"]


 class AuthValidateMixin(serializers.Serializer):
    secret_type = LabeledChoiceField(
-        choices=SecretType.choices, label=_('Secret type'), default='password'
+        choices=SecretType.choices, label=_("Secret type"), default="password"
    )
    secret = EncryptedField(
-        label=_('Secret'), required=False, max_length=40960, allow_blank=True,
-        allow_null=True, write_only=True,
+        label=_("Secret"),
+        required=False,
+        max_length=40960,
+        allow_blank=True,
+        allow_null=True,
+        write_only=True,
    )
    passphrase = serializers.CharField(
-        allow_blank=True, allow_null=True, required=False, max_length=512,
-        write_only=True, label=_('Key password')
+        allow_blank=True,
+        allow_null=True,
+        required=False,
+        max_length=512,
+        write_only=True,
+        label=_("Passphrase"),
    )

    @staticmethod
    def handle_secret(secret, secret_type, passphrase=None):
        if not secret:
-            return ''
+            return ""
        if secret_type == SecretType.PASSWORD:
            validate_password_for_ansible(secret)
            return secret
@@ -40,17 +48,15 @@ class AuthValidateMixin(serializers.Serializer):
            return secret

    def clean_auth_fields(self, validated_data):
-        secret_type = validated_data.get('secret_type')
-        passphrase = validated_data.get('passphrase')
-        secret = validated_data.pop('secret', None)
-        validated_data['secret'] = self.handle_secret(
-            secret, secret_type, passphrase
-        )
-        for field in ('secret',):
+        secret_type = validated_data.get("secret_type")
+        passphrase = validated_data.get("passphrase")
+        secret = validated_data.pop("secret", None)
+        validated_data["secret"] = self.handle_secret(secret, secret_type, passphrase)
+        for field in ("secret",):
            value = validated_data.get(field)
            if not value:
                validated_data.pop(field, None)
-        validated_data.pop('passphrase', None)
+        validated_data.pop("passphrase", None)

    def create(self, validated_data):
        self.clean_auth_fields(validated_data)
@@ -61,22 +67,34 @@ class AuthValidateMixin(serializers.Serializer):
        return super().update(instance, validated_data)


-class BaseAccountSerializer(AuthValidateMixin, ResourceLabelsMixin, BulkOrgResourceModelSerializer):
+class BaseAccountSerializer(
+    AuthValidateMixin, ResourceLabelsMixin, BulkOrgResourceModelSerializer
+):
    class Meta:
        model = BaseAccount
-        fields_mini = ['id', 'name', 'username']
+        fields_mini = ["id", "name", "username"]
        fields_small = fields_mini + [
-            'secret_type', 'secret', 'passphrase',
-            'privileged', 'is_active',
+            "secret_type",
+            "secret",
+            "passphrase",
+            "privileged",
+            "is_active",
+            "spec_info",
        ]
-        fields_other = ['created_by', 'date_created', 'date_updated', 'comment']
-        fields = fields_small + fields_other + ['labels']
+        fields_other = ["created_by", "date_created", "date_updated", "comment"]
+        fields = fields_small + fields_other + ["labels"]
        read_only_fields = [
-            'date_verified', 'created_by', 'date_created',
+            "spec_info",
+            "date_verified",
+            "created_by",
+            "date_created",
        ]
        extra_kwargs = {
-            'username': {'help_text': _(
-                "Tip: If no username is required for authentication, fill in `null`, "
-                "If AD account, like `username@domain`"
-            )},
+            "spec_info": {"label": _("Spec info")},
+            "username": {
+                "help_text": _(
+                    "* If no username is required for authentication, enter null.  "
+                    "For AD accounts, use the format username@domain."
+                )
+            },
        }
--- a/apps/accounts/serializers/account/template.py
+++ b/apps/accounts/serializers/account/template.py
@@ -10,7 +10,7 @@ from .base import BaseAccountSerializer


 class PasswordRulesSerializer(serializers.Serializer):
-    length = serializers.IntegerField(min_value=8, max_value=30, default=16, label=_('Password length'))
+    length = serializers.IntegerField(min_value=8, max_value=36, default=16, label=_('Password length'))
    lowercase = serializers.BooleanField(default=True, label=_('Lowercase'))
    uppercase = serializers.BooleanField(default=True, label=_('Uppercase'))
    digit = serializers.BooleanField(default=True, label=_('Digit'))
@@ -19,6 +19,16 @@ class PasswordRulesSerializer(serializers.Serializer):
        default='', allow_blank=True, max_length=16, label=_('Exclude symbol')
    )

+    @staticmethod
+    def get_render_help_text():
+        return _("""length is the length of the password, and the range is 8 to 30.
+lowercase indicates whether the password contains lowercase letters, 
+uppercase indicates whether it contains uppercase letters,
+digit indicates whether it contains numbers, and symbol indicates whether it contains special symbols.
+exclude_symbols is used to exclude specific symbols. You can fill in the symbol characters to be excluded (up to 16). 
+If you do not need to exclude symbols, you can leave it blank.
+default: {"length": 16, "lowercase": true, "uppercase": true, "digit": true, "symbol": true, "exclude_symbols": ""}""")
+

 class AccountTemplateSerializer(BaseAccountSerializer):
    password_rules = PasswordRulesSerializer(required=False, label=_('Password rules'))
@@ -46,6 +56,7 @@ class AccountTemplateSerializer(BaseAccountSerializer):
                'required': False
            },
        }
+        fields_unimport_template = ['push_params']

    @staticmethod
    def generate_secret(attrs):
--- a/apps/accounts/serializers/automations/base.py
+++ b/apps/accounts/serializers/automations/base.py
@@ -25,7 +25,8 @@ class BaseAutomationSerializer(PeriodTaskSerializerMixin, BulkOrgResourceModelSe

    class Meta:
        read_only_fields = [
-            'date_created', 'date_updated', 'created_by', 'periodic_display', 'executed_amount'
+            'date_created', 'date_updated', 'created_by',
+            'periodic_display', 'executed_amount'
        ]
        fields = read_only_fields + [
            'id', 'name', 'is_periodic', 'interval', 'crontab', 'comment',
@@ -34,8 +35,7 @@ class BaseAutomationSerializer(PeriodTaskSerializerMixin, BulkOrgResourceModelSe
        extra_kwargs = {
            'name': {'required': True},
            'type': {'read_only': True},
-            'periodic_display': {'label': _('Periodic perform')},
-            'executed_amount': {'label': _('Executed amount')},
+            'executed_amount': {'label': _('Executions')},
        }

    def validate_name(self, name):
--- a/apps/accounts/serializers/automations/change_secret.py
+++ b/apps/accounts/serializers/automations/change_secret.py
@@ -54,12 +54,35 @@ class ChangeSecretAutomationSerializer(AuthValidateMixin, BaseAutomationSerializ
            'ssh_key_change_strategy', 'passphrase', 'recipients', 'params'
        ]
        extra_kwargs = {**BaseAutomationSerializer.Meta.extra_kwargs, **{
-            'accounts': {'required': True},
+            'accounts': {'required': True, 'help_text': _('Please enter your account username')},
            'recipients': {'label': _('Recipient'), 'help_text': _(
                "Currently only mail sending is supported"
            )},
+            'params': {'help_text': _(
+                "Secret parameter settings, currently only effective for assets of the host type."
+            )},
        }}

+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.set_ssh_key_change_strategy_choices()
+
+    def set_ssh_key_change_strategy_choices(self):
+        ssh_key_change_strategy = self.fields.get("ssh_key_change_strategy")
+        if not ssh_key_change_strategy:
+            return
+        ssh_key_change_strategy._choices.pop(SSHKeyStrategy.add, None)
+
+    def to_representation(self, instance):
+        data = super().to_representation(instance)
+        ssh_strategy_value = data.get('ssh_key_change_strategy', {}).get('value')
+        if ssh_strategy_value == SSHKeyStrategy.add:
+            data['ssh_key_change_strategy'] = {
+                'label': SSHKeyStrategy.set_jms.label,
+                'value': SSHKeyStrategy.set_jms.value
+            }
+        return data
+
    @property
    def model_type(self):
        return AutomationTypes.change_secret
@@ -72,19 +95,6 @@ class ChangeSecretAutomationSerializer(AuthValidateMixin, BaseAutomationSerializ
        if self.initial_data.get('secret_strategy') == SecretStrategy.custom:
            return password_rules

-        length = password_rules.get('length')
-
-        try:
-            length = int(length)
-        except Exception as e:
-            logger.error(e)
-            msg = _("* Please enter the correct password length")
-            raise serializers.ValidationError(msg)
-
-        if length < 6 or length > 30:
-            msg = _('* Password length range 6-30 bits')
-            raise serializers.ValidationError(msg)
-
        return password_rules

    def validate(self, attrs):
--- a/apps/accounts/serializers/automations/push_account.py
+++ b/apps/accounts/serializers/automations/push_account.py
@@ -7,7 +7,6 @@ from .change_secret import (


 class PushAccountAutomationSerializer(ChangeSecretAutomationSerializer):
-
    class Meta(ChangeSecretAutomationSerializer.Meta):
        model = PushAccountAutomation
        fields = [
--- a/apps/accounts/signal_handlers.py
+++ b/apps/accounts/signal_handlers.py
@@ -3,13 +3,17 @@ from collections import defaultdict
 from django.db.models.signals import post_delete
 from django.db.models.signals import pre_save, post_save
 from django.dispatch import receiver
+from django.utils.functional import LazyObject
 from django.utils.translation import gettext_noop

-from accounts.backends import vault_client
+from accounts.backends import vault_client, refresh_vault_client
+from accounts.const import Source
 from audits.const import ActivityChoices
 from audits.signal_handlers import create_activities
 from common.decorators import merge_delay_run
+from common.signals import django_ready
 from common.utils import get_logger, i18n_fmt
+from common.utils.connection import RedisPubSub
 from .models import Account, AccountTemplate
 from .tasks.push_account import push_accounts_to_assets_task

@@ -32,7 +36,7 @@ def push_accounts_if_need(accounts=()):
    template_accounts = defaultdict(list)
    for ac in accounts:
        # 再强调一次吧
-        if ac.source != 'template':
+        if ac.source != Source.TEMPLATE:
            continue
        template_accounts[ac.source_id].append(ac)

@@ -61,7 +65,7 @@ def create_accounts_activities(account, action='create'):

@receiver(post_save, sender=Account)
 def on_account_create_by_template(sender, instance, created=False, **kwargs):
-    if not created or instance.source != 'template':
+    if not created or instance.source != Source.TEMPLATE:
        return
    push_accounts_if_need.delay(accounts=(instance,))
    create_accounts_activities(instance, action='create')
@@ -90,3 +94,18 @@ class VaultSignalHandler(object):
 for model in (Account, AccountTemplate, Account.history.model):
    post_save.connect(VaultSignalHandler.save_to_vault, sender=model)
    post_delete.connect(VaultSignalHandler.delete_to_vault, sender=model)
+
+
+class VaultPubSub(LazyObject):
+    def _setup(self):
+        self._wrapped = RedisPubSub('refresh_vault')
+
+
+vault_pub_sub = VaultPubSub()
+
+
+@receiver(django_ready)
+def subscribe_vault_change(sender, **kwargs):
+    logger.debug("Start subscribe vault change")
+
+    vault_pub_sub.subscribe(lambda name: refresh_vault_client())
--- a/apps/accounts/tasks/automation.py
+++ b/apps/accounts/tasks/automation.py
@@ -1,9 +1,15 @@
+import datetime
+
 from celery import shared_task
+from django.db.models import Q
+from django.utils import timezone
 from django.utils.translation import gettext_lazy as _, gettext_noop

 from accounts.const import AutomationTypes
 from accounts.tasks.common import quickstart_automation_by_snapshot
-from common.utils import get_logger, get_object_or_none
+from common.const.crontab import CRONTAB_AT_AM_THREE
+from common.utils import get_logger, get_object_or_none, get_log_keep_day
+from ops.celery.decorator import register_as_period_task
 from orgs.utils import tmp_to_org, tmp_to_root_org

 logger = get_logger(__file__)
@@ -22,8 +28,14 @@ def task_activity_callback(self, pid, trigger, tp, *args, **kwargs):


@shared_task(
-    queue='ansible', verbose_name=_('Account execute automation'),
-    activity_callback=task_activity_callback
+    queue='ansible',
+    verbose_name=_('Account execute automation'),
+    activity_callback=task_activity_callback,
+    description=_(
+        """Unified execution entry for account automation tasks: when the system performs tasks 
+        such as account push, password change, account verification, account collection, 
+        and gateway account verification, all tasks are executed through this unified entry"""
+    )
 )
 def execute_account_automation_task(pid, trigger, tp):
    model = AutomationTypes.get_type_model(tp)
@@ -48,8 +60,12 @@ def record_task_activity_callback(self, record_ids, *args, **kwargs):


@shared_task(
-    queue='ansible', verbose_name=_('Execute automation record'),
-    activity_callback=record_task_activity_callback
+    queue='ansible',
+    verbose_name=_('Execute automation record'),
+    activity_callback=record_task_activity_callback,
+    description=_(
+        """When manually executing password change records, this task is used"""
+    )
 )
 def execute_automation_record_task(record_ids, tp):
    from accounts.models import ChangeSecretRecord
@@ -74,3 +90,33 @@ def execute_automation_record_task(record_ids, tp):
    }
    with tmp_to_org(record.execution.org_id):
        quickstart_automation_by_snapshot(task_name, tp, task_snapshot)
+
+
+@shared_task(
+    verbose_name=_('Clean change secret and push record period'),
+    description=_(
+        """The system will periodically clean up unnecessary password change and push records, 
+        including their associated change tasks, execution logs, assets, and accounts. When any 
+        of these associated items are deleted, the corresponding password change and push records 
+        become invalid. Therefore, to maintain a clean and efficient database, the system will 
+        clean up expired records at 2 a.m daily, based on the interval specified by 
+        PERM_EXPIRED_CHECK_PERIODIC in the config.txt configuration file. This periodic cleanup 
+        mechanism helps free up storage space and enhances the security and overall performance 
+        of data management"""
+    )
+)
+@register_as_period_task(crontab=CRONTAB_AT_AM_THREE)
+def clean_change_secret_and_push_record_period():
+    from accounts.models import ChangeSecretRecord
+    print('Start clean change secret and push record period')
+    with tmp_to_root_org():
+        now = timezone.now()
+        days = get_log_keep_day('ACCOUNT_CHANGE_SECRET_RECORD_KEEP_DAYS')
+        expired_day = now - datetime.timedelta(days=days)
+        records = ChangeSecretRecord.objects.filter(
+            date_updated__lt=expired_day
+        ).filter(
+            Q(execution__isnull=True) | Q(asset__isnull=True) | Q(account__isnull=True)
+        )
+
+        records.delete()
--- a/apps/accounts/tasks/backup_account.py
+++ b/apps/accounts/tasks/backup_account.py
@@ -22,7 +22,13 @@ def task_activity_callback(self, pid, trigger, *args, **kwargs):
    return resource_ids, org_id


-@shared_task(verbose_name=_('Execute account backup plan'), activity_callback=task_activity_callback)
+@shared_task(
+    verbose_name=_('Execute account backup plan'),
+    activity_callback=task_activity_callback,
+    description=_(
+        "When performing scheduled or manual account backups, this task is used"
+    )
+)
 def execute_account_backup_task(pid, trigger, **kwargs):
    from accounts.models import AccountBackupAutomation
    with tmp_to_root_org():
--- a/apps/accounts/tasks/gather_accounts.py
+++ b/apps/accounts/tasks/gather_accounts.py
@@ -26,8 +26,10 @@ def gather_asset_accounts_util(nodes, task_name):


@shared_task(
-    queue="ansible", verbose_name=_('Gather asset accounts'),
-    activity_callback=lambda self, node_ids, task_name=None, *args, **kwargs: (node_ids, None)
+    queue="ansible",
+    verbose_name=_('Gather asset accounts'),
+    activity_callback=lambda self, node_ids, task_name=None, *args, **kwargs: (node_ids, None),
+    description=_("Unused")
 )
 def gather_asset_accounts_task(node_ids, task_name=None):
    if task_name is None:
--- a/apps/accounts/tasks/push_account.py
+++ b/apps/accounts/tasks/push_account.py
@@ -12,8 +12,12 @@ __all__ = [


@shared_task(
-    queue="ansible", verbose_name=_('Push accounts to assets'),
-    activity_callback=lambda self, account_ids, *args, **kwargs: (account_ids, None)
+    queue="ansible",
+    verbose_name=_('Push accounts to assets'),
+    activity_callback=lambda self, account_ids, *args, **kwargs: (account_ids, None),
+    description=_(
+        "When creating or modifying an account requires account push, this task is executed"
+    )
 )
 def push_accounts_to_assets_task(account_ids, params=None):
    from accounts.models import PushAccountAutomation
--- a/apps/accounts/tasks/remove_account.py
+++ b/apps/accounts/tasks/remove_account.py
@@ -21,8 +21,13 @@ __all__ = ['remove_accounts_task']


@shared_task(
-    queue="ansible", verbose_name=_('Remove account'),
-    activity_callback=lambda self, gather_account_ids, *args, **kwargs: (gather_account_ids, None)
+    queue="ansible",
+    verbose_name=_('Remove account'),
+    activity_callback=lambda self, gather_account_ids, *args, **kwargs: (gather_account_ids, None),
+    description=_(
+        """When clicking "Sync deletion" in 'Console - Gather Account - Gathered accounts' this 
+        task will be executed"""
+    )
 )
 def remove_accounts_task(gather_account_ids):
    from accounts.models import GatheredAccount
@@ -41,7 +46,15 @@ def remove_accounts_task(gather_account_ids):
    quickstart_automation_by_snapshot(task_name, tp, task_snapshot)


-@shared_task(verbose_name=_('Clean historical accounts'))
+@shared_task(
+    verbose_name=_('Clean historical accounts'),
+    description=_(
+        """Each time an asset account is updated, a historical account is generated, so it is 
+        necessary to clean up the asset account history. The system will clean up excess account 
+        records at 2 a.m. daily based on the configuration in the "System settings - Features - 
+        Account storage - Record limit"""
+    )
+)
@register_as_period_task(crontab=CRONTAB_AT_AM_TWO)
@tmp_to_root_org()
 def clean_historical_accounts():
--- a/apps/accounts/tasks/template.py
+++ b/apps/accounts/tasks/template.py
@@ -9,7 +9,11 @@ from orgs.utils import tmp_to_root_org, tmp_to_org

@shared_task(
    verbose_name=_('Template sync info to related accounts'),
-    activity_callback=lambda self, template_id, *args, **kwargs: (template_id, None)
+    activity_callback=lambda self, template_id, *args, **kwargs: (template_id, None),
+    description=_(
+        """When clicking 'Sync new secret to accounts' in 'Console - Account - Templates - 
+        Accounts' this task will be executed"""
+    )
 )
 def template_sync_related_accounts(template_id, user_id=None):
    from accounts.models import Account, AccountTemplate
--- a/apps/accounts/tasks/vault.py
+++ b/apps/accounts/tasks/vault.py
@@ -5,6 +5,7 @@ from celery import shared_task
 from django.utils.translation import gettext_lazy as _

 from accounts.backends import vault_client
+from accounts.const import VaultTypeChoices
 from accounts.models import Account, AccountTemplate
 from common.utils import get_logger
 from orgs.utils import tmp_to_root_org
@@ -28,12 +29,20 @@ def sync_instance(instance):
        return "succeeded", msg


-@shared_task(verbose_name=_('Sync secret to vault'))
+@shared_task(
+    verbose_name=_('Sync secret to vault'),
+    description=_(
+        "When clicking 'Sync' in 'System Settings - Features - Account Storage' this task will be executed"
+    )
+)
 def sync_secret_to_vault():
    if not vault_client.enabled:
        # 这里不能判断 settings.VAULT_ENABLED, 必须判断当前 vault_client 的类型
        print('\033[35m>>> 当前 Vault 功能未开启, 不需要同步')
        return
+    if VaultTypeChoices.local == vault_client.type:
+        print('\033[31m>>> 当前第三方 Vault 客户端初始化失败，数据存储在本地数据库')
+        return

    failed, skipped, succeeded = 0, 0, 0
    to_sync_models = [Account, AccountTemplate, Account.history.model]
--- a/Show More
+++ b/Show More