feat: Update v2.28.10

fix: 操作日志显示用户加密后的密文，及日期格式调整

.github/workflows/jms-build-test.yml

@@ -1,35 +0,0 @@
-name: "Run Build Test"
-on:
-  push:
-    branches:
-      - pr@*
-      - repr@*
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v3
-
-    - uses: docker/setup-qemu-action@v2
-
-    - uses: docker/setup-buildx-action@v2
-
-    - uses: docker/build-push-action@v3
-      with:
-        context: .
-        push: false
-        tags: jumpserver/core:test
-        file: Dockerfile
-        build-args: |
-          APT_MIRROR=http://deb.debian.org
-          PIP_MIRROR=https://pypi.org/simple
-        cache-from: type=gha
-        cache-to: type=gha,mode=max
-
-    - uses: LouisBrunner/checks-action@v1.5.0
-      if: always()
-      with:
-        token: ${{ secrets.GITHUB_TOKEN }}
-        name: Check Build
-        conclusion: ${{ job.status }}

.github/workflows/release-drafter.yml

@@ -21,7 +21,7 @@ jobs:
           TAG=$(basename ${GITHUB_REF})
           VERSION=${TAG/v/}
           wget https://raw.githubusercontent.com/jumpserver/installer/master/quick_start.sh
-          sed -i "s@VERSION=dev@VERSION=v${VERSION}@g" quick_start.sh
+          sed -i "s@Version=.*@Version=v${VERSION}@g" quick_start.sh
           echo "::set-output name=TAG::$TAG"
           echo "::set-output name=VERSION::$VERSION"
       - name: Create Release

.gitignore

@@ -16,7 +16,6 @@ dump.rdb
 .cache/
 .idea/
 .vscode/
-.fleet/
 db.sqlite3
 config.py
 config.yml
@@ -42,4 +41,4 @@ release/*
 releashe
 /apps/script.py
 data/*
-test.py
+

.isort.cfg

@@ -1,3 +0,0 @@
-[settings]
-line_length=120
-known_first_party=common,users,assets,perms,authentication,jumpserver,notification,ops,orgs,rbac,settings,terminal,tickets

Dockerfile

@@ -1,4 +1,4 @@
-FROM python:3.9-slim as stage-build
+FROM python:3.8-slim as stage-build
 ARG TARGETARCH
 
 ARG VERSION
@@ -8,7 +8,7 @@ WORKDIR /opt/jumpserver
 ADD . .
 RUN cd utils && bash -ixeu build.sh
 
-FROM python:3.9-slim
+FROM python:3.8-slim
 ARG TARGETARCH
 MAINTAINER JumpServer Team <ibuler@qq.com>
 
@@ -18,6 +18,7 @@ ARG BUILD_DEPENDENCIES="              \
         pkg-config"
 
 ARG DEPENDENCIES="                    \
+        default-libmysqlclient-dev    \
         freetds-dev                   \
         libpq-dev                     \
         libffi-dev                    \
@@ -27,27 +28,25 @@ ARG DEPENDENCIES="                    \
         libxml2-dev                   \
         libxmlsec1-dev                \
         libxmlsec1-openssl            \
-        libaio-dev"
+        libaio-dev                    \
+        openssh-client                \
+        sshpass"
 
 ARG TOOLS="                           \
         ca-certificates               \
         curl                          \
-        default-libmysqlclient-dev    \
         default-mysql-client          \
+        iputils-ping                  \
         locales                       \
-        openssh-client                \
         procps                        \
-        sshpass                       \
+        redis-tools                   \
         telnet                        \
-        unzip                         \
         vim                           \
-        git                           \
+        unzip                         \
         wget"
 
-ARG APT_MIRROR=http://mirrors.ustc.edu.cn
-
 RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=core \
-    sed -i "s@http://.*.debian.org@${APT_MIRROR}@g" /etc/apt/sources.list \
+    sed -i 's@http://.*.debian.org@http://mirrors.ustc.edu.cn@g' /etc/apt/sources.list \
     && rm -f /etc/apt/apt.conf.d/docker-clean \
     && ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
     && apt-get update \
@@ -56,22 +55,24 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=core \
     && apt-get -y install --no-install-recommends ${TOOLS} \
     && mkdir -p /root/.ssh/ \
     && echo "Host *\n\tStrictHostKeyChecking no\n\tUserKnownHostsFile /dev/null" > /root/.ssh/config \
+    && sed -i "s@# alias l@alias l@g" ~/.bashrc \
     && echo "set mouse-=a" > ~/.vimrc \
     && echo "no" | dpkg-reconfigure dash \
     && echo "zh_CN.UTF-8" | dpkg-reconfigure locales \
-    && sed -i "s@# export @export @g" ~/.bashrc \
-    && sed -i "s@# alias @alias @g" ~/.bashrc \
     && rm -rf /var/lib/apt/lists/*
 
-ARG DOWNLOAD_URL=https://download.jumpserver.org
+ARG ORACLE_LIB_MAJOR=19
+ARG ORACLE_LIB_MINOR=10
+ENV ORACLE_FILE="instantclient-basiclite-linux.${TARGETARCH:-amd64}-${ORACLE_LIB_MAJOR}.${ORACLE_LIB_MINOR}.0.0.0dbru.zip"
 
 RUN mkdir -p /opt/oracle/ \
     && cd /opt/oracle/ \
-    && wget ${DOWNLOAD_URL}/public/instantclient-basiclite-linux.${TARGETARCH}-19.10.0.0.0.zip \
-    && unzip instantclient-basiclite-linux.${TARGETARCH}-19.10.0.0.0.zip \
-    && sh -c "echo /opt/oracle/instantclient_19_10 > /etc/ld.so.conf.d/oracle-instantclient.conf" \
+    && wget https://download.jumpserver.org/files/oracle/${ORACLE_FILE} \
+    && unzip instantclient-basiclite-linux.${TARGETARCH-amd64}-19.10.0.0.0dbru.zip \
+    && mv instantclient_${ORACLE_LIB_MAJOR}_${ORACLE_LIB_MINOR} instantclient \
+    && echo "/opt/oracle/instantclient" > /etc/ld.so.conf.d/oracle-instantclient.conf \
     && ldconfig \
-    && rm -f instantclient-basiclite-linux.${TARGETARCH}-19.10.0.0.0.zip
+    && rm -f ${ORACLE_FILE}
 
 WORKDIR /tmp/build
 COPY ./requirements ./requirements
@@ -99,6 +100,6 @@ VOLUME /opt/jumpserver/logs
 
 ENV LANG=zh_CN.UTF-8
 
+EXPOSE 8070
 EXPOSE 8080
-
 ENTRYPOINT ["./entrypoint.sh"]

Dockerfile-ee

@@ -1,10 +0,0 @@
-ARG VERSION
-FROM registry.fit2cloud.com/jumpserver/xpack:${VERSION} as build-xpack
-FROM jumpserver/core:${VERSION}
-COPY --from=build-xpack /opt/xpack /opt/jumpserver/apps/xpack
-
-WORKDIR /opt/jumpserver
-
-RUN --mount=type=cache,target=/root/.cache/pip \
-    set -ex \
-    && pip install -r requirements/requirements_xpack.txt

Dockerfile.loong64

@@ -1,4 +1,4 @@
-FROM python:3.9-slim as stage-build
+FROM python:3.8-slim as stage-build
 ARG TARGETARCH
 
 ARG VERSION
@@ -8,7 +8,7 @@ WORKDIR /opt/jumpserver
 ADD . .
 RUN cd utils && bash -ixeu build.sh
 
-FROM python:3.9-slim
+FROM python:3.8-slim
 ARG TARGETARCH
 MAINTAINER JumpServer Team <ibuler@qq.com>
 
@@ -18,31 +18,31 @@ ARG BUILD_DEPENDENCIES="              \
         pkg-config"
 
 ARG DEPENDENCIES="                    \
+        default-libmysqlclient-dev    \
         freetds-dev                   \
         libpq-dev                     \
         libffi-dev                    \
         libjpeg-dev                   \
         libldap2-dev                  \
         libsasl2-dev                  \
-        libssl-dev                    \
         libxml2-dev                   \
         libxmlsec1-dev                \
         libxmlsec1-openssl            \
-        libaio-dev"
+        libaio-dev                    \
+        openssh-client                \
+        sshpass"
 
 ARG TOOLS="                           \
         ca-certificates               \
         curl                          \
-        default-libmysqlclient-dev    \
         default-mysql-client          \
+        iputils-ping                  \
         locales                       \
-        openssh-client                \
         procps                        \
-        sshpass                       \
+        redis-tools                   \
         telnet                        \
-        unzip                         \
         vim                           \
-        git                           \
+        unzip                         \
         wget"
 
 RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=core \
@@ -54,11 +54,10 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=core \
     && apt-get -y install --no-install-recommends ${TOOLS} \
     && mkdir -p /root/.ssh/ \
     && echo "Host *\n\tStrictHostKeyChecking no\n\tUserKnownHostsFile /dev/null" > /root/.ssh/config \
+    && sed -i "s@# alias l@alias l@g" ~/.bashrc \
     && echo "set mouse-=a" > ~/.vimrc \
     && echo "no" | dpkg-reconfigure dash \
     && echo "zh_CN.UTF-8" | dpkg-reconfigure locales \
-    && sed -i "s@# export @export @g" ~/.bashrc \
-    && sed -i "s@# alias @alias @g" ~/.bashrc \
     && rm -rf /var/lib/apt/lists/*
 
 WORKDIR /tmp/build
@@ -74,8 +73,8 @@ RUN --mount=type=cache,target=/root/.cache/pip \
     && pip config set global.index-url ${PIP_MIRROR} \
     && pip install --upgrade pip \
     && pip install --upgrade setuptools wheel \
-    && pip install https://download.jumpserver.org/pypi/simple/cryptography/cryptography-38.0.4-cp39-cp39-linux_loongarch64.whl \
-    && pip install https://download.jumpserver.org/pypi/simple/greenlet/greenlet-1.1.2-cp39-cp39-linux_loongarch64.whl \
+    && pip install https://download.jumpserver.org/pypi/simple/cryptography/cryptography-36.0.1-cp38-cp38-linux_loongarch64.whl \
+    && pip install https://download.jumpserver.org/pypi/simple/greenlet/greenlet-1.1.2-cp38-cp38-linux_loongarch64.whl \
     && pip install $(grep 'PyNaCl' requirements/requirements.txt) \
     && GRPC_PYTHON_BUILD_SYSTEM_OPENSSL=true pip install grpcio \
     && pip install $(grep -E 'jms|jumpserver' requirements/requirements.txt) -i ${PIP_JMS_MIRROR} \
@@ -91,6 +90,6 @@ VOLUME /opt/jumpserver/logs
 
 ENV LANG=zh_CN.UTF-8
 
+EXPOSE 8070
 EXPOSE 8080
-
 ENTRYPOINT ["./entrypoint.sh"]

GITSHA

@@ -0,0 +1 @@
+fbc5ae1b9bef23ff816fa6fe25c57be24391052b

README.md

@@ -1,52 +1,97 @@
 <p align="center">
   <a href="https://jumpserver.org"><img src="https://download.jumpserver.org/images/jumpserver-logo.svg" alt="JumpServer" width="300" /></a>
 </p>
-<h3 align="center">广受欢迎的开源堡垒机</h3>
+<h3 align="center">多云环境下更好用的堡垒机</h3>
 
 <p align="center">
   <a href="https://www.gnu.org/licenses/gpl-3.0.html"><img src="https://img.shields.io/github/license/jumpserver/jumpserver" alt="License: GPLv3"></a>
-  <a href="https://hub.docker.com/u/jumpserver"><img src="https://img.shields.io/docker/pulls/jumpserver/jms_all.svg" alt="Docker pulls"></a>
-  <a href="https://github.com/jumpserver/jumpserver/releases/latest"><img src="https://img.shields.io/github/v/release/jumpserver/jumpserver" alt="Latest release"></a>
+  <a href="https://shields.io/github/downloads/jumpserver/jumpserver/total"><img src="https://shields.io/github/downloads/jumpserver/jumpserver/total" alt=" release"></a>
+  <a href="https://hub.docker.com/u/jumpserver"><img src="https://img.shields.io/docker/pulls/jumpserver/jms_all.svg" alt="Codacy"></a>
+  <a href="https://github.com/jumpserver/jumpserver/commits"><img alt="GitHub last commit" src="https://img.shields.io/github/last-commit/jumpserver/jumpserver.svg" /></a>
   <a href="https://github.com/jumpserver/jumpserver"><img src="https://img.shields.io/github/stars/jumpserver/jumpserver?color=%231890FF&style=flat-square" alt="Stars"></a>
 </p>
 
 --------------------------
+- [ENGLISH](https://github.com/jumpserver/jumpserver/blob/master/README_EN.md)
+
+
 
 JumpServer 是广受欢迎的开源堡垒机，是符合 4A 规范的专业运维安全审计系统。
 
-## 产品特色
+JumpServer 使用 Python 开发，配备了业界领先的 Web Terminal 方案，交互界面美观、用户体验好。
 
-- **开源**: 零门槛，线上快速获取和安装；
-- **无插件**: 仅需浏览器，极致的 Web Terminal 使用体验；
-- **分布式**: 支持分布式部署和横向扩展，轻松支持大规模并发访问；
-- **多云支持**: 一套系统，同时管理不同云上面的资产；
-- **多租户**: 一套系统，多个子公司或部门同时使用；
-- **云端存储**: 审计录像云端存储，永不丢失；
-- **多应用支持**: 全面支持各类资产，包括服务器、数据库、Windows RemoteApp、Kubernetes 等;
-- **安全可靠**: 被广泛使用、验证和信赖，连续 9 年的持续研发投入和产品更新升级。
+JumpServer 采纳分布式架构，支持多机房跨区域部署，支持横向扩展，无资产数量及并发限制。
 
-## UI 展示
+
+
+### 特色优势
+
+- 开源: 零门槛，线上快速获取和安装；
+- 分布式: 轻松支持大规模并发访问；
+- 无插件: 仅需浏览器，极致的 Web Terminal 使用体验；
+- 多租户: 一套系统，多个子公司或部门同时使用；
+- 多云支持: 一套系统，同时管理不同云上面的资产；
+- 云端存储: 审计录像云端存储，永不丢失；
+- 多应用支持: 数据库，Windows远程应用，Kubernetes。
+
+### UI 展示
 
 ![UI展示](https://www.jumpserver.org/images/screenshot/1.png)
 
-## 在线体验
+### 在线体验
 
-- 环境地址：<https://demo.jumpserver.org/>
+-   环境地址：<https://demo.jumpserver.org/>
 
 | :warning: 注意                 |
-|:-----------------------------|
+| :--------------------------- |
 | 该环境仅作体验目的使用，我们会定时清理、重置数据！    |
 | 请勿修改体验环境用户的密码！               |
 | 请勿在环境中添加业务生产环境地址、用户名密码等敏感信息！ |
 
-## 快速开始
+### 快速开始
 
 - [极速安装](https://docs.jumpserver.org/zh/master/install/setup_by_fast/)
+- [完整文档](https://docs.jumpserver.org)
+- [演示视频](https://www.bilibili.com/video/BV1ZV41127GB)
 - [手动安装](https://github.com/jumpserver/installer)
-- [产品文档](https://docs.jumpserver.org)
-- [知识库](https://kb.fit2cloud.com/categories/jumpserver)
 
-## 案例研究
+### 组件项目
+| 项目                                                                          |  状态          | 描述                                     |
+| ---------------------------------------------------------------------------  |  -------------------   | ---------------------------------------- |
+| [Lina](https://github.com/jumpserver/lina) | <a href="https://github.com/jumpserver/lina/releases"><img alt="Lina release" src="https://img.shields.io/github/release/jumpserver/lina.svg" /></a> | JumpServer Web UI 项目 |
+| [Luna](https://github.com/jumpserver/luna) | <a href="https://github.com/jumpserver/luna/releases"><img alt="Luna release" src="https://img.shields.io/github/release/jumpserver/luna.svg" /></a> | JumpServer Web Terminal 项目 |
+| [KoKo](https://github.com/jumpserver/koko) | <a href="https://github.com/jumpserver/koko/releases"><img alt="Koko release" src="https://img.shields.io/github/release/jumpserver/koko.svg" /></a> | JumpServer 字符协议 Connector 项目，替代原来 Python 版本的 [Coco](https://github.com/jumpserver/coco) |
+| [Lion](https://github.com/jumpserver/lion-release) | <a href="https://github.com/jumpserver/lion-release/releases"><img alt="Lion release" src="https://img.shields.io/github/release/jumpserver/lion-release.svg" /></a>  | JumpServer 图形协议 Connector 项目，依赖 [Apache Guacamole](https://guacamole.apache.org/) |
+| [Magnus](https://github.com/jumpserver/magnus-release) | <a href="https://github.com/jumpserver/magnus-release/releases"><img alt="Magnus release" src="https://img.shields.io/github/release/jumpserver/magnus-release.svg" /> | JumpServer 数据库代理 Connector 项目 |
+| [Clients](https://github.com/jumpserver/clients) | <a href="https://github.com/jumpserver/clients/releases"><img alt="Clients release" src="https://img.shields.io/github/release/jumpserver/clients.svg" /> | JumpServer 客户端 项目 |
+| [Installer](https://github.com/jumpserver/installer)| <a href="https://github.com/jumpserver/installer/releases"><img alt="Installer release" src="https://img.shields.io/github/release/jumpserver/installer.svg" /> | JumpServer 安装包 项目 |
+
+### 社区
+
+如果您在使用过程中有任何疑问或对建议，欢迎提交 [GitHub Issue](https://github.com/jumpserver/jumpserver/issues/new/choose) 或加入到我们的社区当中进行进一步交流沟通。
+
+#### 微信交流群
+
+<img src="https://download.jumpserver.org/images/wecom-group.jpeg" alt="微信群二维码" width="200"/>
+
+### 贡献
+如果有你好的想法创意，或者帮助我们修复了 Bug, 欢迎提交 Pull Request
+
+感谢以下贡献者，让 JumpServer 更加完善
+
+<a href="https://github.com/jumpserver/jumpserver/graphs/contributors"><img src="https://opencollective.com/jumpserver/contributors.svg?width=890&button=false" /></a>
+
+
+
+### 致谢
+- [Apache Guacamole](https://guacamole.apache.org/) Web页面连接 RDP, SSH, VNC 协议设备，JumpServer 图形化组件 Lion 依赖 
+- [OmniDB](https://omnidb.org/) Web 页面连接使用数据库，JumpServer Web 数据库依赖
+
+
+### JumpServer 企业版 
+- [申请企业版试用](https://jinshuju.net/f/kyOYpi)
+
+### 案例研究
 
 - [腾讯海外游戏：基于JumpServer构建游戏安全运营能力](https://blog.fit2cloud.com/?p=3704)
 - [万华化学：通过JumpServer管理全球化分布式IT资产，并且实现与云管平台的联动](https://blog.fit2cloud.com/?p=3504)
@@ -61,55 +106,22 @@ JumpServer 是广受欢迎的开源堡垒机，是符合 4A 规范的专业运
 - [东方明珠：JumpServer高效管控异构化、分布式云端资产](https://blog.fit2cloud.com/?p=687)
 - [江苏农信：JumpServer堡垒机助力行业云安全运维](https://blog.fit2cloud.com/?p=666)
 
-## 社区
+### 安全说明
 
-如果您在使用过程中有任何疑问或对建议，欢迎提交 [GitHub Issue](https://github.com/jumpserver/jumpserver/issues/new/choose)
-或加入到我们的社区当中进行进一步交流沟通。
+JumpServer是一款安全产品，请参考 [基本安全建议](https://docs.jumpserver.org/zh/master/install/install_security/) 部署安装.
 
-### 微信交流群
+如果你发现安全问题，可以直接联系我们：
 
-<img src="https://download.jumpserver.org/images/wecom-group.jpeg" alt="微信群二维码" width="200"/>
+- ibuler@fit2cloud.com 
+- support@fit2cloud.com 
+- 400-052-0755
 
-### 参与贡献
+### License & Copyright
 
-欢迎提交 PR 参与贡献。感谢以下贡献者，他们让 JumpServer 变的越来越好。
+Copyright (c) 2014-2022 飞致云 FIT2CLOUD, All rights reserved.
 
-<a href="https://github.com/jumpserver/jumpserver/graphs/contributors"><img src="https://opencollective.com/jumpserver/contributors.svg?width=890&button=false" /></a>
-
-## 组件项目
-
-| 项目                                                     | 状态                                                                                                                                                                     | 描述                                                                                      |
-|--------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------|
-| [Lina](https://github.com/jumpserver/lina)             | <a href="https://github.com/jumpserver/lina/releases"><img alt="Lina release" src="https://img.shields.io/github/release/jumpserver/lina.svg" /></a>                   | JumpServer Web UI 项目                                                                    |
-| [Luna](https://github.com/jumpserver/luna)             | <a href="https://github.com/jumpserver/luna/releases"><img alt="Luna release" src="https://img.shields.io/github/release/jumpserver/luna.svg" /></a>                   | JumpServer Web Terminal 项目                                                              |
-| [KoKo](https://github.com/jumpserver/koko)             | <a href="https://github.com/jumpserver/koko/releases"><img alt="Koko release" src="https://img.shields.io/github/release/jumpserver/koko.svg" /></a>                   | JumpServer 字符协议 Connector 项目，替代原来 Python 版本的 [Coco](https://github.com/jumpserver/coco) |
-| [Lion](https://github.com/jumpserver/lion-release)     | <a href="https://github.com/jumpserver/lion-release/releases"><img alt="Lion release" src="https://img.shields.io/github/release/jumpserver/lion-release.svg" /></a>   | JumpServer 图形协议 Connector 项目，依赖 [Apache Guacamole](https://guacamole.apache.org/)       |
-| [Magnus](https://github.com/jumpserver/magnus-release) | <a href="https://github.com/jumpserver/magnus-release/releases"><img alt="Magnus release" src="https://img.shields.io/github/release/jumpserver/magnus-release.svg" /> | JumpServer 数据库代理 Connector 项目                                                           |
-| [Clients](https://github.com/jumpserver/clients)       | <a href="https://github.com/jumpserver/clients/releases"><img alt="Clients release" src="https://img.shields.io/github/release/jumpserver/clients.svg" />              | JumpServer 客户端 项目                                                                       |
-| [Installer](https://github.com/jumpserver/installer)   | <a href="https://github.com/jumpserver/installer/releases"><img alt="Installer release" src="https://img.shields.io/github/release/jumpserver/installer.svg" />        | JumpServer 安装包 项目                                                                       |
-
-## 安全说明
-
-JumpServer是一款安全产品，请参考 [基本安全建议](https://docs.jumpserver.org/zh/master/install/install_security/)
-进行安装部署。如果您发现安全相关问题，请直接联系我们：
-
-- 邮箱：support@fit2cloud.com
-- 电话：400-052-0755
-
-## 致谢
-
-- [Apache Guacamole](https://guacamole.apache.org/)： Web 页面连接 RDP、SSH、VNC 等协议资产，JumpServer Lion 组件使用到该项目；
-- [OmniDB](https://omnidb.org/)： Web 页面连接使用数据库，JumpServer Web 数据库组件使用到该项目。
-
-## License & Copyright
-
-Copyright (c) 2014-2023 飞致云 FIT2CLOUD, All rights reserved.
-
-Licensed under The GNU General Public License version 3 (GPLv3)  (the "License"); you may not use this file except in
-compliance with the License. You may obtain a copy of the License at
+Licensed under The GNU General Public License version 3 (GPLv3)  (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
 
 https://www.gnu.org/licenses/gpl-3.0.html
 
-Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "
-AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific
-language governing permissions and limitations under the License.
+Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

apps/accounts/api/__init__.py

@@ -1,2 +0,0 @@
-from .account import *
-from .automations import *

apps/accounts/api/account/__init__.py

@@ -1,3 +0,0 @@
-from .account import *
-from .task import *
-from .template import *

apps/accounts/api/account/account.py

@@ -1,112 +0,0 @@
-from django.shortcuts import get_object_or_404
-from rest_framework.decorators import action
-from rest_framework.generics import ListAPIView
-from rest_framework.response import Response
-
-from accounts import serializers
-from accounts.filters import AccountFilterSet
-from accounts.models import Account
-from assets.models import Asset, Node
-from common.permissions import UserConfirmation, ConfirmType
-from common.views.mixins import RecordViewLogMixin
-from orgs.mixins.api import OrgBulkModelViewSet
-from rbac.permissions import RBACPermission
-
-__all__ = [
-    'AccountViewSet', 'AccountSecretsViewSet',
-    'AccountHistoriesSecretAPI'
-]
-
-
-class AccountViewSet(OrgBulkModelViewSet):
-    model = Account
-    search_fields = ('username', 'asset__address', 'name')
-    filterset_class = AccountFilterSet
-    serializer_classes = {
-        'default': serializers.AccountSerializer,
-    }
-    rbac_perms = {
-        'partial_update': ['accounts.change_account'],
-        'su_from_accounts': 'accounts.view_account',
-        'username_suggestions': 'accounts.view_account',
-    }
-
-    @action(methods=['get'], detail=False, url_path='su-from-accounts')
-    def su_from_accounts(self, request, *args, **kwargs):
-        account_id = request.query_params.get('account')
-        asset_id = request.query_params.get('asset')
-
-        if account_id:
-            account = get_object_or_404(Account, pk=account_id)
-            accounts = account.get_su_from_accounts()
-        elif asset_id:
-            asset = get_object_or_404(Asset, pk=asset_id)
-            accounts = asset.accounts.all()
-        else:
-            accounts = Account.objects.none()
-        accounts = self.filter_queryset(accounts)
-        serializer = serializers.AccountSerializer(accounts, many=True)
-        return Response(data=serializer.data)
-
-    @action(methods=['get'], detail=False, url_path='username-suggestions')
-    def username_suggestions(self, request, *args, **kwargs):
-        asset_ids = request.query_params.get('assets')
-        node_keys = request.query_params.get('keys')
-        username = request.query_params.get('username')
-
-        assets = Asset.objects.all()
-        if asset_ids:
-            assets = assets.filter(id__in=asset_ids.split(','))
-        if node_keys:
-            patten = Node.get_node_all_children_key_pattern(node_keys.split(','))
-            assets = assets.filter(nodes__key__regex=patten)
-
-        accounts = Account.objects.filter(asset__in=assets)
-        if username:
-            accounts = accounts.filter(username__icontains=username)
-        usernames = list(accounts.values_list('username', flat=True).distinct()[:10])
-        usernames.sort()
-        common = [i for i in usernames if i in usernames if i.lower() in ['root', 'admin', 'administrator']]
-        others = [i for i in usernames if i not in common]
-        usernames = common + others
-        return Response(data=usernames)
-
-
-class AccountSecretsViewSet(RecordViewLogMixin, AccountViewSet):
-    """
-    因为可能要导出所有账号，所以单独建立了一个 viewset
-    """
-    serializer_classes = {
-        'default': serializers.AccountSecretSerializer,
-    }
-    http_method_names = ['get', 'options']
-    permission_classes = [RBACPermission, UserConfirmation.require(ConfirmType.MFA)]
-    rbac_perms = {
-        'list': 'accounts.view_accountsecret',
-        'retrieve': 'accounts.view_accountsecret',
-    }
-
-
-class AccountHistoriesSecretAPI(RecordViewLogMixin, ListAPIView):
-    model = Account.history.model
-    serializer_class = serializers.AccountHistorySerializer
-    http_method_names = ['get', 'options']
-    permission_classes = [RBACPermission, UserConfirmation.require(ConfirmType.MFA)]
-    rbac_perms = {
-        'GET': 'accounts.view_accountsecret',
-    }
-
-    def get_object(self):
-        return get_object_or_404(Account, pk=self.kwargs.get('pk'))
-
-    def get_queryset(self):
-        account = self.get_object()
-        histories = account.history.all()
-        last_history = account.history.first()
-        if not last_history:
-            return histories
-
-        if account.secret == last_history.secret \
-                and account.secret_type == last_history.secret_type:
-            histories = histories.exclude(history_id=last_history.history_id)
-        return histories

apps/accounts/api/account/task.py

@@ -1,48 +0,0 @@
-from rest_framework.generics import CreateAPIView
-from rest_framework.response import Response
-
-from accounts import serializers
-from accounts.tasks import verify_accounts_connectivity_task, push_accounts_to_assets_task
-from assets.exceptions import NotSupportedTemporarilyError
-
-__all__ = [
-    'AccountsTaskCreateAPI',
-]
-
-
-class AccountsTaskCreateAPI(CreateAPIView):
-    serializer_class = serializers.AccountTaskSerializer
-
-    def check_permissions(self, request):
-        act = request.data.get('action')
-        if act == 'push':
-            code = 'accounts.push_account'
-        else:
-            code = 'accounts.verify_account'
-        return request.user.has_perm(code)
-
-    def perform_create(self, serializer):
-        data = serializer.validated_data
-        accounts = data.get('accounts', [])
-        account_ids = [str(a.id) for a in accounts]
-
-        if data['action'] == 'push':
-            task = push_accounts_to_assets_task.delay(account_ids)
-        else:
-            account = accounts[0]
-            asset = account.asset
-            if not asset.auto_info['ansible_enabled'] or \
-                not asset.auto_info['ping_enabled']:
-                raise NotSupportedTemporarilyError()
-            task = verify_accounts_connectivity_task.delay(account_ids)
-
-        data = getattr(serializer, '_data', {})
-        data["task"] = task.id
-        setattr(serializer, '_data', data)
-        return task
-
-    def get_exception_handler(self):
-        def handler(e, context):
-            return Response({"error": str(e)}, status=400)
-
-        return handler

apps/accounts/api/account/template.py

@@ -1,28 +0,0 @@
-from rbac.permissions import RBACPermission
-from common.permissions import UserConfirmation, ConfirmType
-
-from common.views.mixins import RecordViewLogMixin
-from orgs.mixins.api import OrgBulkModelViewSet
-from accounts import serializers
-from accounts.models import AccountTemplate
-
-
-class AccountTemplateViewSet(OrgBulkModelViewSet):
-    model = AccountTemplate
-    filterset_fields = ("username", 'name')
-    search_fields = ('username', 'name')
-    serializer_classes = {
-        'default': serializers.AccountTemplateSerializer
-    }
-
-
-class AccountTemplateSecretsViewSet(RecordViewLogMixin, AccountTemplateViewSet):
-    serializer_classes = {
-        'default': serializers.AccountTemplateSecretSerializer,
-    }
-    http_method_names = ['get', 'options']
-    permission_classes = [RBACPermission, UserConfirmation.require(ConfirmType.MFA)]
-    rbac_perms = {
-        'list': 'accounts.view_accounttemplatesecret',
-        'retrieve': 'accounts.view_accounttemplatesecret',
-    }

apps/accounts/api/automations/__init__.py

@@ -1,5 +0,0 @@
-from .backup import *
-from .base import *
-from .change_secret import *
-from .gather_accounts import *
-from .push_account import *

apps/accounts/api/automations/base.py

@@ -1,115 +0,0 @@
-from django.shortcuts import get_object_or_404
-from django.utils.translation import ugettext_lazy as _
-from rest_framework import status, mixins, viewsets
-from rest_framework.response import Response
-
-from accounts.models import AutomationExecution
-from accounts.tasks import execute_account_automation_task
-from assets import serializers
-from assets.models import BaseAutomation
-from common.const.choices import Trigger
-from orgs.mixins import generics
-
-__all__ = [
-    'AutomationAssetsListApi', 'AutomationRemoveAssetApi',
-    'AutomationAddAssetApi', 'AutomationNodeAddRemoveApi',
-    'AutomationExecutionViewSet',
-]
-
-
-class AutomationAssetsListApi(generics.ListAPIView):
-    model = BaseAutomation
-    serializer_class = serializers.AutomationAssetsSerializer
-    filter_fields = ("name", "address")
-    search_fields = filter_fields
-
-    def get_object(self):
-        pk = self.kwargs.get('pk')
-        return get_object_or_404(self.model, pk=pk)
-
-    def get_queryset(self):
-        instance = self.get_object()
-        assets = instance.get_all_assets().only(
-            *self.serializer_class.Meta.only_fields
-        )
-        return assets
-
-
-class AutomationRemoveAssetApi(generics.RetrieveUpdateAPIView):
-    model = BaseAutomation
-    serializer_class = serializers.UpdateAssetSerializer
-
-    def update(self, request, *args, **kwargs):
-        instance = self.get_object()
-        serializer = self.serializer_class(data=request.data)
-
-        if not serializer.is_valid():
-            return Response({'error': serializer.errors})
-
-        assets = serializer.validated_data.get('assets')
-        if assets:
-            instance.assets.remove(*tuple(assets))
-        return Response({'msg': 'ok'})
-
-
-class AutomationAddAssetApi(generics.RetrieveUpdateAPIView):
-    model = BaseAutomation
-    serializer_class = serializers.UpdateAssetSerializer
-
-    def update(self, request, *args, **kwargs):
-        instance = self.get_object()
-        serializer = self.serializer_class(data=request.data)
-        if serializer.is_valid():
-            assets = serializer.validated_data.get('assets')
-            if assets:
-                instance.assets.add(*tuple(assets))
-            return Response({"msg": "ok"})
-        else:
-            return Response({"error": serializer.errors})
-
-
-class AutomationNodeAddRemoveApi(generics.RetrieveUpdateAPIView):
-    model = BaseAutomation
-    serializer_class = serializers.UpdateNodeSerializer
-
-    def update(self, request, *args, **kwargs):
-        action_params = ['add', 'remove']
-        action = request.query_params.get('action')
-        if action not in action_params:
-            err_info = _("The parameter 'action' must be [{}]".format(','.join(action_params)))
-            return Response({"error": err_info})
-
-        instance = self.get_object()
-        serializer = self.serializer_class(data=request.data)
-        if serializer.is_valid():
-            nodes = serializer.validated_data.get('nodes')
-            if nodes:
-                # eg: plan.nodes.add(*tuple(assets))
-                getattr(instance.nodes, action)(*tuple(nodes))
-            return Response({"msg": "ok"})
-        else:
-            return Response({"error": serializer.errors})
-
-
-class AutomationExecutionViewSet(
-    mixins.CreateModelMixin, mixins.ListModelMixin,
-    mixins.RetrieveModelMixin, viewsets.GenericViewSet
-):
-    search_fields = ('trigger',)
-    filterset_fields = ('trigger', 'automation_id')
-    serializer_class = serializers.AutomationExecutionSerializer
-
-    tp: str
-
-    def get_queryset(self):
-        queryset = AutomationExecution.objects.all()
-        return queryset
-
-    def create(self, request, *args, **kwargs):
-        serializer = self.get_serializer(data=request.data)
-        serializer.is_valid(raise_exception=True)
-        automation = serializer.validated_data.get('automation')
-        task = execute_account_automation_task.delay(
-            pid=str(automation.pk), trigger=Trigger.manual, tp=self.tp
-        )
-        return Response({'task': task.id}, status=status.HTTP_201_CREATED)

apps/accounts/api/automations/change_secret.py

@@ -1,81 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-
-from rest_framework import mixins
-
-from accounts import serializers
-from accounts.const import AutomationTypes
-from accounts.models import ChangeSecretAutomation, ChangeSecretRecord, AutomationExecution
-from common.utils import get_object_or_none
-from orgs.mixins.api import OrgBulkModelViewSet, OrgGenericViewSet
-from .base import (
-    AutomationAssetsListApi, AutomationRemoveAssetApi, AutomationAddAssetApi,
-    AutomationNodeAddRemoveApi, AutomationExecutionViewSet
-)
-
-__all__ = [
-    'ChangeSecretAutomationViewSet', 'ChangeSecretRecordViewSet',
-    'ChangSecretExecutionViewSet', 'ChangSecretAssetsListApi',
-    'ChangSecretRemoveAssetApi', 'ChangSecretAddAssetApi',
-    'ChangSecretNodeAddRemoveApi'
-]
-
-
-class ChangeSecretAutomationViewSet(OrgBulkModelViewSet):
-    model = ChangeSecretAutomation
-    filter_fields = ('name', 'secret_type', 'secret_strategy')
-    search_fields = filter_fields
-    serializer_class = serializers.ChangeSecretAutomationSerializer
-
-
-class ChangeSecretRecordViewSet(mixins.ListModelMixin, OrgGenericViewSet):
-    serializer_class = serializers.ChangeSecretRecordSerializer
-    filter_fields = ['asset', 'execution_id']
-    search_fields = ['asset__hostname']
-
-    def get_queryset(self):
-        return ChangeSecretRecord.objects.filter(
-            execution__automation__type=AutomationTypes.change_secret
-        )
-
-    def filter_queryset(self, queryset):
-        queryset = super().filter_queryset(queryset)
-        eid = self.request.query_params.get('execution_id')
-        execution = get_object_or_none(AutomationExecution, pk=eid)
-        if execution:
-            queryset = queryset.filter(execution=execution)
-        return queryset
-
-
-class ChangSecretExecutionViewSet(AutomationExecutionViewSet):
-    rbac_perms = (
-        ("list", "accounts.view_changesecretexecution"),
-        ("retrieve", "accounts.view_changesecretexecution"),
-        ("create", "accounts.add_changesecretexecution"),
-    )
-
-    tp = AutomationTypes.change_secret
-
-    def get_queryset(self):
-        queryset = super().get_queryset()
-        queryset = queryset.filter(automation__type=self.tp)
-        return queryset
-
-
-class ChangSecretAssetsListApi(AutomationAssetsListApi):
-    model = ChangeSecretAutomation
-
-
-class ChangSecretRemoveAssetApi(AutomationRemoveAssetApi):
-    model = ChangeSecretAutomation
-    serializer_class = serializers.ChangeSecretUpdateAssetSerializer
-
-
-class ChangSecretAddAssetApi(AutomationAddAssetApi):
-    model = ChangeSecretAutomation
-    serializer_class = serializers.ChangeSecretUpdateAssetSerializer
-
-
-class ChangSecretNodeAddRemoveApi(AutomationNodeAddRemoveApi):
-    model = ChangeSecretAutomation
-    serializer_class = serializers.ChangeSecretUpdateNodeSerializer

apps/accounts/api/automations/gather_accounts.py

@@ -1,71 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-from django.utils.translation import ugettext_lazy as _
-from rest_framework import status
-from rest_framework.decorators import action
-from rest_framework.response import Response
-
-from accounts import serializers
-from accounts.const import AutomationTypes
-from accounts.const import Source
-from accounts.filters import GatheredAccountFilterSet
-from accounts.models import GatherAccountsAutomation
-from accounts.models import GatheredAccount
-from orgs.mixins.api import OrgBulkModelViewSet
-from .base import AutomationExecutionViewSet
-
-__all__ = [
-    'GatherAccountsAutomationViewSet', 'GatherAccountsExecutionViewSet',
-    'GatheredAccountViewSet'
-]
-
-
-class GatherAccountsAutomationViewSet(OrgBulkModelViewSet):
-    model = GatherAccountsAutomation
-    filter_fields = ('name',)
-    search_fields = filter_fields
-    serializer_class = serializers.GatherAccountAutomationSerializer
-
-
-class GatherAccountsExecutionViewSet(AutomationExecutionViewSet):
-    rbac_perms = (
-        ("list", "accounts.view_gatheraccountsexecution"),
-        ("retrieve", "accounts.view_gatheraccountsexecution"),
-        ("create", "accounts.add_gatheraccountsexecution"),
-    )
-
-    tp = AutomationTypes.gather_accounts
-
-    def get_queryset(self):
-        queryset = super().get_queryset()
-        queryset = queryset.filter(automation__type=self.tp)
-        return queryset
-
-
-class GatheredAccountViewSet(OrgBulkModelViewSet):
-    model = GatheredAccount
-    search_fields = ('username',)
-    filterset_class = GatheredAccountFilterSet
-    serializer_classes = {
-        'default': serializers.GatheredAccountSerializer,
-    }
-    rbac_perms = {
-        'sync_account': 'assets.add_gatheredaccount',
-    }
-
-    @action(methods=['post'], detail=True, url_path='sync')
-    def sync_account(self, request, *args, **kwargs):
-        gathered_account = super().get_object()
-        asset = gathered_account.asset
-        username = gathered_account.username
-        accounts = asset.accounts.filter(username=username)
-
-        if accounts.exists():
-            accounts.update(source=Source.COLLECTED)
-        else:
-            asset.accounts.model.objects.create(
-                asset=asset, username=username,
-                name=f'{username}-{_("Collected")}',
-                source=Source.COLLECTED
-            )
-        return Response(status=status.HTTP_201_CREATED)

apps/accounts/api/automations/push_account.py

@@ -1,68 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-from accounts import serializers
-from accounts.const import AutomationTypes
-from accounts.models import PushAccountAutomation, ChangeSecretRecord
-from orgs.mixins.api import OrgBulkModelViewSet
-
-from .base import (
-    AutomationAssetsListApi, AutomationRemoveAssetApi, AutomationAddAssetApi,
-    AutomationNodeAddRemoveApi, AutomationExecutionViewSet
-)
-from .change_secret import ChangeSecretRecordViewSet
-
-__all__ = [
-    'PushAccountAutomationViewSet', 'PushAccountAssetsListApi', 'PushAccountRemoveAssetApi',
-    'PushAccountAddAssetApi', 'PushAccountNodeAddRemoveApi', 'PushAccountExecutionViewSet',
-    'PushAccountRecordViewSet'
-]
-
-
-class PushAccountAutomationViewSet(OrgBulkModelViewSet):
-    model = PushAccountAutomation
-    filter_fields = ('name', 'secret_type', 'secret_strategy')
-    search_fields = filter_fields
-    serializer_class = serializers.PushAccountAutomationSerializer
-
-
-class PushAccountExecutionViewSet(AutomationExecutionViewSet):
-    rbac_perms = (
-        ("list", "accounts.view_pushaccountexecution"),
-        ("retrieve", "accounts.view_pushaccountexecution"),
-        ("create", "accounts.add_pushaccountexecution"),
-    )
-
-    tp = AutomationTypes.push_account
-
-    def get_queryset(self):
-        queryset = super().get_queryset()
-        queryset = queryset.filter(automation__type=self.tp)
-        return queryset
-
-
-class PushAccountRecordViewSet(ChangeSecretRecordViewSet):
-    serializer_class = serializers.ChangeSecretRecordSerializer
-
-    def get_queryset(self):
-        return ChangeSecretRecord.objects.filter(
-            execution__automation__type=AutomationTypes.push_account
-        )
-
-
-class PushAccountAssetsListApi(AutomationAssetsListApi):
-    model = PushAccountAutomation
-
-
-class PushAccountRemoveAssetApi(AutomationRemoveAssetApi):
-    model = PushAccountAutomation
-    serializer_class = serializers.PushAccountUpdateAssetSerializer
-
-
-class PushAccountAddAssetApi(AutomationAddAssetApi):
-    model = PushAccountAutomation
-    serializer_class = serializers.PushAccountUpdateAssetSerializer
-
-
-class PushAccountNodeAddRemoveApi(AutomationNodeAddRemoveApi):
-    model = PushAccountAutomation
-    serializer_class = serializers.PushAccountUpdateNodeSerializer

apps/accounts/apps.py

@@ -1,11 +0,0 @@
-from django.apps import AppConfig
-
-
-class AccountsConfig(AppConfig):
-    default_auto_field = 'django.db.models.BigAutoField'
-    name = 'accounts'
-
-    def ready(self):
-        from . import signal_handlers
-        from . import tasks
-        __all__ = signal_handlers

apps/accounts/automations/__init__.py

@@ -1,2 +0,0 @@
-from .endpoint import ExecutionManager
-from .methods import platform_automation_methods

apps/accounts/automations/base/base_inventory.txt

@@ -1,14 +0,0 @@
-## all connection vars
-hostname asset_name=name asset_type=type asset_primary_protocol=ssh asset_primary_port=22 asset_protocols=[]
-
-## local connection
-hostname ansible_connection=local
-
-## local connection with gateway
-hostname ansible_connection=ssh ansible_user=gateway.username ansible_port=gateway.port ansible_host=gateway.host ansible_ssh_private_key_file=gateway.key
-
-## ssh connection for windows
-hostname ansible_connection=ssh ansible_shell_type=powershell/cmd ansible_user=windows.username ansible_port=windows.port ansible_host=windows.host ansible_ssh_private_key_file=windows.key
-
-## ssh connection
-hostname ansible_user=user ansible_password=pass ansible_host=host ansible_port=port ansible_ssh_private_key_file=key ssh_args="-o StrictHostKeyChecking=no"

apps/accounts/automations/base/manager.py

@@ -1,12 +0,0 @@
-from accounts.automations.methods import platform_automation_methods
-from assets.automations.base.manager import BasePlaybookManager
-from common.utils import get_logger
-
-logger = get_logger(__name__)
-
-
-class AccountBasePlaybookManager(BasePlaybookManager):
-
-    @property
-    def platform_automation_methods(self):
-        return platform_automation_methods

apps/accounts/automations/change_secret/database/mongodb/main.yml

@@ -1,58 +0,0 @@
-- hosts: mongodb
-  gather_facts: no
-  vars:
-    ansible_python_interpreter: /usr/local/bin/python
-
-  tasks:
-    - name: Test MongoDB connection
-      mongodb_ping:
-        login_user: "{{ jms_account.username }}"
-        login_password: "{{ jms_account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        login_database: "{{ jms_asset.spec_info.db_name }}"
-        ssl: "{{ jms_asset.spec_info.use_ssl }}"
-        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
-        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
-        connection_options:
-          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
-      register: db_info
-
-    - name: Display MongoDB version
-      debug:
-        var: db_info.server_version
-      when: db_info is succeeded
-
-    - name: Change MongoDB password
-      mongodb_user:
-        login_user: "{{ jms_account.username }}"
-        login_password: "{{ jms_account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        login_database: "{{ jms_asset.spec_info.db_name }}"
-        ssl: "{{ jms_asset.spec_info.use_ssl }}"
-        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
-        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
-        connection_options:
-          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
-        db: "{{ jms_asset.spec_info.db_name }}"
-        name: "{{ account.username }}"
-        password: "{{ account.secret }}"
-      when: db_info is succeeded
-      register: change_info
-
-    - name: Verify password
-      mongodb_ping:
-        login_user: "{{ account.username }}"
-        login_password: "{{ account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        login_database: "{{ jms_asset.spec_info.db_name }}"
-        ssl: "{{ jms_asset.spec_info.use_ssl }}"
-        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
-        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
-        connection_options:
-          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
-      when:
-        - db_info is succeeded
-        - change_info is succeeded

apps/accounts/automations/change_secret/database/mongodb/manifest.yml

@@ -1,6 +0,0 @@
-id: change_secret_mongodb
-name: Change secret for MongoDB
-category: database
-type:
-  - mongodb
-method: change_secret

apps/accounts/automations/change_secret/database/mysql/main.yml

@@ -1,43 +0,0 @@
-- hosts: mysql
-  gather_facts: no
-  vars:
-    ansible_python_interpreter: /usr/local/bin/python
-    db_name: "{{ jms_asset.spec_info.db_name }}"
-
-  tasks:
-    - name: Test MySQL connection
-      community.mysql.mysql_info:
-        login_user: "{{ jms_account.username }}"
-        login_password: "{{ jms_account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        filter: version
-      register: db_info
-
-    - name: MySQL version
-      debug:
-        var: db_info.version.full
-
-    - name: Change MySQL password
-      community.mysql.mysql_user:
-        login_user: "{{ jms_account.username }}"
-        login_password: "{{ jms_account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        name: "{{ account.username }}"
-        password: "{{ account.secret }}"
-        host: "%"
-        priv: "{{ account.username + '.*:USAGE' if db_name == '' else db_name + '.*:ALL' }}"
-      when: db_info is succeeded
-      register: change_info
-
-    - name: Verify password
-      community.mysql.mysql_info:
-        login_user: "{{ account.username }}"
-        login_password: "{{ account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        filter: version
-      when:
-        - db_info is succeeded
-        - change_info is succeeded

apps/accounts/automations/change_secret/database/mysql/manifest.yml

@@ -1,7 +0,0 @@
-id: change_secret_mysql
-name: Change secret for MySQL
-category: database
-type:
-  - mysql
-  - mariadb
-method: change_secret

apps/accounts/automations/change_secret/database/oracle/main.yml

@@ -1,44 +0,0 @@
-- hosts: oracle
-  gather_facts: no
-  vars:
-    ansible_python_interpreter: /usr/local/bin/python
-
-  tasks:
-    - name: Test Oracle connection
-      oracle_ping:
-        login_user: "{{ jms_account.username }}"
-        login_password: "{{ jms_account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        login_database: "{{ jms_asset.spec_info.db_name }}"
-        mode: "{{ jms_account.mode }}"
-      register: db_info
-
-    - name: Display Oracle version
-      debug:
-        var: db_info.server_version
-      when: db_info is succeeded
-
-    - name: Change Oracle password
-      oracle_user:
-        login_user: "{{ jms_account.username }}"
-        login_password: "{{ jms_account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        login_database: "{{ jms_asset.spec_info.db_name }}"
-        mode: "{{ jms_account.mode }}"
-        name: "{{ account.username }}"
-        password: "{{ account.secret }}"
-      when: db_info is succeeded
-      register: change_info
-
-    - name: Verify password
-      oracle_ping:
-        login_user: "{{ account.username }}"
-        login_password: "{{ account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        login_database: "{{ jms_asset.spec_info.db_name }}"
-      when:
-        - db_info is succeeded
-        - change_info is succeeded

apps/accounts/automations/change_secret/database/oracle/manifest.yml

@@ -1,6 +0,0 @@
-id: change_secret_oracle
-name: Change secret for Oracle
-category: database
-type:
-  - oracle
-method: change_secret

apps/accounts/automations/change_secret/database/postgresql/main.yml

@@ -1,46 +0,0 @@
-- hosts: postgre
-  gather_facts: no
-  vars:
-    ansible_python_interpreter: /usr/local/bin/python
-
-  tasks:
-    - name: Test PostgreSQL connection
-      community.postgresql.postgresql_ping:
-        login_user: "{{ jms_account.username }}"
-        login_password: "{{ jms_account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        login_db: "{{ jms_asset.spec_info.db_name }}"
-      register: result
-      failed_when: not result.is_available
-
-    - name: Display PostgreSQL version
-      debug:
-        var: result.server_version.full
-      when: result is succeeded
-
-    - name: Change PostgreSQL password
-      community.postgresql.postgresql_user:
-        login_user: "{{ jms_account.username }}"
-        login_password: "{{ jms_account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        db: "{{ jms_asset.spec_info.db_name }}"
-        name: "{{ account.username }}"
-        password: "{{ account.secret }}"
-        role_attr_flags: LOGIN
-      when: result is succeeded
-      register: change_info
-
-    - name: Verify password
-      community.postgresql.postgresql_ping:
-        login_user: "{{ account.username }}"
-        login_password: "{{ account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        db: "{{ jms_asset.spec_info.db_name }}"
-      when:
-        - result is succeeded
-        - change_info is succeeded
-      register: result
-      failed_when: not result.is_available

apps/accounts/automations/change_secret/database/postgresql/manifest.yml

@@ -1,6 +0,0 @@
-id: change_secret_postgresql
-name: Change secret for PostgreSQL
-category: database
-type:
-  - postgresql
-method: change_secret

apps/accounts/automations/change_secret/database/sqlserver/main.yml

@@ -1,69 +0,0 @@
-- hosts: sqlserver
-  gather_facts: no
-  vars:
-    ansible_python_interpreter: /usr/local/bin/python
-
-  tasks:
-    - name: Test SQLServer connection
-      community.general.mssql_script:
-        login_user: "{{ jms_account.username }}"
-        login_password: "{{ jms_account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        name: '{{ jms_asset.spec_info.db_name }}'
-        script: |
-          SELECT @@version
-      register: db_info
-
-    - name: SQLServer version
-      set_fact:
-        info:
-          version: "{{ db_info.query_results[0][0][0][0].splitlines()[0] }}"
-    - debug:
-        var: info
-
-    - name: Check whether SQLServer User exist
-      community.general.mssql_script:
-        login_user: "{{ jms_account.username }}"
-        login_password: "{{ jms_account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        name: '{{ jms_asset.spec_info.db_name }}'
-        script: "SELECT 1 from sys.sql_logins WHERE name='{{ account.username }}';"
-      when: db_info is succeeded
-      register: user_exist
-
-    - name: Change SQLServer password
-      community.general.mssql_script:
-        login_user: "{{ jms_account.username }}"
-        login_password: "{{ jms_account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        name: '{{ jms_asset.spec_info.db_name }}'
-        script: "ALTER LOGIN {{ account.username }} WITH PASSWORD = '{{ account.secret }}'; select @@version"
-      when: user_exist.query_results[0] | length != 0
-      register: change_info
-
-    - name: Add SQLServer user
-      community.general.mssql_script:
-        login_user: "{{ jms_account.username }}"
-        login_password: "{{ jms_account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        name: '{{ jms_asset.spec_info.db_name }}'
-        script: "CREATE LOGIN {{ account.username }} WITH PASSWORD = '{{ account.secret }}'; select @@version"
-      when: user_exist.query_results[0] | length == 0
-      register: change_info
-
-    - name: Verify password
-      community.general.mssql_script:
-        login_user: "{{ account.username }}"
-        login_password: "{{ account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        name: '{{ jms_asset.spec_info.db_name }}'
-        script: |
-          SELECT @@version
-      when:
-        - db_info is succeeded
-        - change_info is succeeded

apps/accounts/automations/change_secret/database/sqlserver/manifest.yml

@@ -1,6 +0,0 @@
-id: change_secret_sqlserver
-name: Change secret for SQLServer
-category: database
-type:
-  - sqlserver
-method: change_secret

apps/accounts/automations/change_secret/demo_inventory.txt

@@ -1,2 +0,0 @@
-# all base inventory in base/base_inventory.txt
-asset_name(ip)_account_username account={"username": "", "password": "xxx"} ...base_inventory_vars

apps/accounts/automations/change_secret/host/aix/main.yml

@@ -1,54 +0,0 @@
-- hosts: demo
-  gather_facts: no
-  tasks:
-    - name: Test privileged account
-      ansible.builtin.ping:
-
-    - name: Change password
-      ansible.builtin.user:
-        name: "{{ account.username }}"
-        password: "{{ account.secret | password_hash('des') }}"
-        update_password: always
-      when: secret_type == "password"
-
-    - name: create user If it already exists, no operation will be performed
-      ansible.builtin.user:
-        name: "{{ account.username }}"
-      when: secret_type == "ssh_key"
-
-    - name: remove jumpserver ssh key
-      ansible.builtin.lineinfile:
-        dest: "{{ kwargs.dest }}"
-        regexp: "{{ kwargs.regexp }}"
-        state: absent
-      when:
-      - secret_type == "ssh_key"
-      - kwargs.strategy == "set_jms"
-
-    - name: Change SSH key
-      ansible.builtin.authorized_key:
-        user: "{{ account.username }}"
-        key: "{{ account.secret }}"
-        exclusive: "{{ kwargs.exclusive }}"
-      when: secret_type == "ssh_key"
-
-    - name: Refresh connection
-      ansible.builtin.meta: reset_connection
-
-    - name: Verify password
-      ansible.builtin.ping:
-      become: no
-      vars:
-        ansible_user: "{{ account.username }}"
-        ansible_password: "{{ account.secret }}"
-        ansible_become: no
-      when: secret_type == "password"
-
-    - name: Verify SSH key
-      ansible.builtin.ping:
-      become: no
-      vars:
-        ansible_user: "{{ account.username }}"
-        ansible_ssh_private_key_file: "{{ account.private_key_path }}"
-        ansible_become: no
-      when: secret_type == "ssh_key"

apps/accounts/automations/change_secret/host/aix/manifest.yml

@@ -1,6 +0,0 @@
-id: change_secret_aix
-name: Change secret for aix
-category: host
-type:
-  - AIX
-method: change_secret

apps/accounts/automations/change_secret/host/posix/main.yml

@@ -1,54 +0,0 @@
-- hosts: demo
-  gather_facts: no
-  tasks:
-    - name: Test privileged account
-      ansible.builtin.ping:
-
-    - name: Change password
-      ansible.builtin.user:
-        name: "{{ account.username }}"
-        password: "{{ account.secret | password_hash('sha512') }}"
-        update_password: always
-      when: secret_type == "password"
-
-    - name: create user If it already exists, no operation will be performed
-      ansible.builtin.user:
-        name: "{{ account.username }}"
-      when: secret_type == "ssh_key"
-
-    - name: remove jumpserver ssh key
-      ansible.builtin.lineinfile:
-        dest: "{{ kwargs.dest }}"
-        regexp: "{{ kwargs.regexp }}"
-        state: absent
-      when:
-        - secret_type == "ssh_key"
-        - kwargs.strategy == "set_jms"
-
-    - name: Change SSH key
-      ansible.builtin.authorized_key:
-        user: "{{ account.username }}"
-        key: "{{ account.secret }}"
-        exclusive: "{{ kwargs.exclusive }}"
-      when: secret_type == "ssh_key"
-
-    - name: Refresh connection
-      ansible.builtin.meta: reset_connection
-
-    - name: Verify password
-      ansible.builtin.ping:
-      become: no
-      vars:
-        ansible_user: "{{ account.username }}"
-        ansible_password: "{{ account.secret }}"
-        ansible_become: no
-      when: secret_type == "password"
-
-    - name: Verify SSH key
-      ansible.builtin.ping:
-      become: no
-      vars:
-        ansible_user: "{{ account.username }}"
-        ansible_ssh_private_key_file: "{{ account.private_key_path }}"
-        ansible_become: no
-      when: secret_type == "ssh_key"

apps/accounts/automations/change_secret/host/posix/manifest.yml

@@ -1,7 +0,0 @@
-id: change_secret_posix
-name: Change secret for posix
-category: host
-type:
-  - unix
-  - linux
-method: change_secret

apps/accounts/automations/change_secret/host/windows/main.yml

@@ -1,34 +0,0 @@
-- hosts: demo
-  gather_facts: no
-  tasks:
-    - name: Test privileged account
-      ansible.windows.win_ping:
-
-#    - name: Print variables
-#      debug:
-#        msg: "Username: {{ account.username }}, Password: {{ account.secret }}"
-
-
-    - name: Get groups of a Windows user
-      ansible.windows.win_user:
-        name: "{{ jms_account.username }}"
-      register: user_info
-
-    - name: Change password
-      ansible.windows.win_user:
-        name: "{{ account.username }}"
-        password: "{{ account.secret }}"
-        groups: "{{ user_info.groups[0].name }}"
-        groups_action: add
-        update_password: always
-      when: account.secret_type == "password"
-
-    - name: Refresh connection
-      ansible.builtin.meta: reset_connection
-
-    - name: Verify password
-      ansible.windows.win_ping:
-      vars:
-        ansible_user: "{{ account.username }}"
-        ansible_password: "{{ account.secret }}"
-      when: account.secret_type == "password"

apps/accounts/automations/change_secret/host/windows/manifest.yml

@@ -1,7 +0,0 @@
-id: change_secret_local_windows
-name: Change secret local account for Windows
-version: 1
-method: change_secret
-category: host
-type:
-  - windows

apps/accounts/automations/change_secret/manager.py

@@ -1,219 +0,0 @@
-import os
-import time
-from collections import defaultdict
-from copy import deepcopy
-
-from django.conf import settings
-from django.utils import timezone
-from openpyxl import Workbook
-
-from accounts.const import AutomationTypes, SecretType, SSHKeyStrategy, SecretStrategy
-from accounts.models import ChangeSecretRecord
-from accounts.notifications import ChangeSecretExecutionTaskMsg
-from accounts.serializers import ChangeSecretRecordBackUpSerializer
-from assets.const import HostTypes
-from common.utils import get_logger, lazyproperty
-from common.utils.file import encrypt_and_compress_zip_file
-from common.utils.timezone import local_now_display
-from users.models import User
-from ..base.manager import AccountBasePlaybookManager
-from ...utils import SecretGenerator
-
-logger = get_logger(__name__)
-
-
-class ChangeSecretManager(AccountBasePlaybookManager):
-    ansible_account_prefer = ''
-
-    def __init__(self, *args, **kwargs):
-        super().__init__(*args, **kwargs)
-        self.method_hosts_mapper = defaultdict(list)
-        self.secret_type = self.execution.snapshot['secret_type']
-        self.secret_strategy = self.execution.snapshot.get(
-            'secret_strategy', SecretStrategy.custom
-        )
-        self.ssh_key_change_strategy = self.execution.snapshot.get(
-            'ssh_key_change_strategy', SSHKeyStrategy.add
-        )
-        self.snapshot_account_usernames = self.execution.snapshot['accounts']
-        self.name_recorder_mapper = {}  # 做个映射，方便后面处理
-
-    @classmethod
-    def method_type(cls):
-        return AutomationTypes.change_secret
-
-    def get_kwargs(self, account, secret):
-        kwargs = {}
-        if self.secret_type != SecretType.SSH_KEY:
-            return kwargs
-        kwargs['strategy'] = self.ssh_key_change_strategy
-        kwargs['exclusive'] = 'yes' if kwargs['strategy'] == SSHKeyStrategy.set else 'no'
-
-        if kwargs['strategy'] == SSHKeyStrategy.set_jms:
-            kwargs['dest'] = '/home/{}/.ssh/authorized_keys'.format(account.username)
-            kwargs['regexp'] = '.*{}$'.format(secret.split()[2].strip())
-        return kwargs
-
-    @lazyproperty
-    def secret_generator(self):
-        return SecretGenerator(
-            self.secret_strategy, self.secret_type,
-            self.execution.snapshot.get('password_rules')
-        )
-
-    def get_secret(self):
-        if self.secret_strategy == SecretStrategy.custom:
-            return self.execution.snapshot['secret']
-        else:
-            return self.secret_generator.get_secret()
-
-    def host_callback(
-            self, host, asset=None, account=None,
-            automation=None, path_dir=None, **kwargs
-    ):
-        host = super().host_callback(
-            host, asset=asset, account=account, automation=automation,
-            path_dir=path_dir, **kwargs
-        )
-        if host.get('error'):
-            return host
-
-        accounts = asset.accounts.all()
-        if account:
-            accounts = accounts.exclude(username=account.username)
-
-        if '*' not in self.snapshot_account_usernames:
-            accounts = accounts.filter(username__in=self.snapshot_account_usernames)
-
-        accounts = accounts.filter(secret_type=self.secret_type)
-        if not accounts:
-            print('没有发现待改密账号: %s 用户名: %s 类型: %s' % (
-                asset.name, self.snapshot_account_usernames, self.secret_type
-            ))
-            return []
-
-        method_attr = getattr(automation, self.method_type() + '_method')
-        method_hosts = self.method_hosts_mapper[method_attr]
-        method_hosts = [h for h in method_hosts if h != host['name']]
-        inventory_hosts = []
-        records = []
-        host['secret_type'] = self.secret_type
-
-        if asset.type == HostTypes.WINDOWS and self.secret_type == SecretType.SSH_KEY:
-            print(f'Windows {asset} does not support ssh key push \n')
-            return inventory_hosts
-
-        for account in accounts:
-            h = deepcopy(host)
-            h['name'] += '(' + account.username + ')'
-            new_secret = self.get_secret()
-
-            recorder = ChangeSecretRecord(
-                asset=asset, account=account, execution=self.execution,
-                old_secret=account.secret, new_secret=new_secret,
-            )
-            records.append(recorder)
-            self.name_recorder_mapper[h['name']] = recorder
-
-            private_key_path = None
-            if self.secret_type == SecretType.SSH_KEY:
-                private_key_path = self.generate_private_key_path(new_secret, path_dir)
-                new_secret = self.generate_public_key(new_secret)
-
-            h['kwargs'] = self.get_kwargs(account, new_secret)
-            h['account'] = {
-                'name': account.name,
-                'username': account.username,
-                'secret_type': account.secret_type,
-                'secret': new_secret,
-                'private_key_path': private_key_path
-            }
-            if asset.platform.type == 'oracle':
-                h['account']['mode'] = 'sysdba' if account.privileged else None
-            inventory_hosts.append(h)
-            method_hosts.append(h['name'])
-        self.method_hosts_mapper[method_attr] = method_hosts
-        ChangeSecretRecord.objects.bulk_create(records)
-        return inventory_hosts
-
-    def on_host_success(self, host, result):
-        recorder = self.name_recorder_mapper.get(host)
-        if not recorder:
-            return
-        recorder.status = 'success'
-        recorder.date_finished = timezone.now()
-        recorder.save()
-        account = recorder.account
-        if not account:
-            print("Account not found, deleted ?")
-            return
-        account.secret = recorder.new_secret
-        account.save(update_fields=['secret'])
-
-    def on_host_error(self, host, error, result):
-        recorder = self.name_recorder_mapper.get(host)
-        if not recorder:
-            return
-        recorder.status = 'failed'
-        recorder.date_finished = timezone.now()
-        recorder.error = error
-        recorder.save()
-
-    def on_runner_failed(self, runner, e):
-        logger.error("Change secret error: ", e)
-
-    def check_secret(self):
-        if self.secret_strategy == SecretStrategy.custom \
-                and not self.execution.snapshot['secret']:
-            print('Custom secret is empty')
-            return False
-        return True
-
-    def run(self, *args, **kwargs):
-        if not self.check_secret():
-            return
-        super().run(*args, **kwargs)
-        recorders = self.name_recorder_mapper.values()
-        recorders = list(recorders)
-        self.send_recorder_mail(recorders)
-
-    def send_recorder_mail(self, recorders):
-        recipients = self.execution.recipients
-        if not recorders or not recipients:
-            return
-
-        recipients = User.objects.filter(id__in=list(recipients.keys()))
-
-        name = self.execution.snapshot['name']
-        path = os.path.join(os.path.dirname(settings.BASE_DIR), 'tmp')
-        filename = os.path.join(path, f'{name}-{local_now_display()}-{time.time()}.xlsx')
-        if not self.create_file(recorders, filename):
-            return
-
-        for user in recipients:
-            attachments = []
-            if user.secret_key:
-                password = user.secret_key.encode('utf8')
-                attachment = os.path.join(path, f'{name}-{local_now_display()}-{time.time()}.zip')
-                encrypt_and_compress_zip_file(attachment, password, [filename])
-                attachments = [attachment]
-            ChangeSecretExecutionTaskMsg(name, user).publish(attachments)
-        os.remove(filename)
-
-    @staticmethod
-    def create_file(recorders, filename):
-        serializer_cls = ChangeSecretRecordBackUpSerializer
-        serializer = serializer_cls(recorders, many=True)
-
-        header = [str(v.label) for v in serializer.child.fields.values()]
-        rows = [[str(i) for i in row.values()] for row in serializer.data]
-        if not rows:
-            return False
-
-        rows.insert(0, header)
-        wb = Workbook(filename)
-        ws = wb.create_sheet('Sheet1')
-        for row in rows:
-            ws.append(row)
-        wb.save(filename)
-        return True

apps/accounts/automations/endpoint.py

@@ -1,26 +0,0 @@
-from .push_account.manager import PushAccountManager
-from .change_secret.manager import ChangeSecretManager
-from .verify_account.manager import VerifyAccountManager
-from .backup_account.manager import AccountBackupManager
-from .gather_accounts.manager import GatherAccountsManager
-from .verify_gateway_account.manager import VerifyGatewayAccountManager
-from ..const import AutomationTypes
-
-
-class ExecutionManager:
-    manager_type_mapper = {
-        AutomationTypes.push_account: PushAccountManager,
-        AutomationTypes.change_secret: ChangeSecretManager,
-        AutomationTypes.verify_account: VerifyAccountManager,
-        AutomationTypes.gather_accounts: GatherAccountsManager,
-        AutomationTypes.verify_gateway_account: VerifyGatewayAccountManager,
-        # TODO 后期迁移到自动化策略中
-        'backup_account': AccountBackupManager,
-    }
-
-    def __init__(self, execution):
-        self.execution = execution
-        self._runner = self.manager_type_mapper[execution.manager_type](execution)
-
-    def run(self, *args, **kwargs):
-        return self._runner.run(*args, **kwargs)

apps/accounts/automations/gather_accounts/database/mongodb/main.yml

@@ -1,27 +0,0 @@
-- hosts: mongodb
-  gather_facts: no
-  vars:
-    ansible_python_interpreter: /usr/local/bin/python
-
-  tasks:
-    - name: Get info
-      community.mongodb.mongodb_info:
-        login_user: "{{ jms_account.username }}"
-        login_password: "{{ jms_account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        login_database: "{{ jms_asset.spec_info.db_name }}"
-        ssl: "{{ jms_asset.spec_info.use_ssl }}"
-        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
-        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
-        connection_options:
-          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
-        filter: users
-      register: db_info
-
-    - name: Define info by set_fact
-      set_fact:
-        info: "{{ db_info.users }}"
-
-    - debug:
-        var: info

apps/accounts/automations/gather_accounts/database/mongodb/manifest.yml

@@ -1,6 +0,0 @@
-id: gather_accounts_mongodb
-name: Gather account from MongoDB
-category: database
-type:
-  - mongodb
-method: gather_accounts

apps/accounts/automations/gather_accounts/database/mysql/main.yml

@@ -1,21 +0,0 @@
-- hosts: mysql
-  gather_facts: no
-  vars:
-    ansible_python_interpreter: /usr/local/bin/python
-
-  tasks:
-    - name: Get info
-      community.mysql.mysql_info:
-        login_user: "{{ jms_account.username }}"
-        login_password: "{{ jms_account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        filter: users
-      register: db_info
-
-    - name: Define info by set_fact
-      set_fact:
-        info: "{{ db_info.users }}"
-
-    - debug:
-        var: info

apps/accounts/automations/gather_accounts/database/mysql/manifest.yml

@@ -1,7 +0,0 @@
-id: gather_accounts_mysql
-name: Gather account from MySQL
-category: database
-type:
-  - mysql
-  - mariadb
-method: gather_accounts

apps/accounts/automations/gather_accounts/database/oracle/main.yml

@@ -1,23 +0,0 @@
-- hosts: oralce
-  gather_facts: no
-  vars:
-    ansible_python_interpreter: /usr/local/bin/python
-
-  tasks:
-    - name: Get info
-      oracle_info:
-        login_user: "{{ jms_account.username }}"
-        login_password: "{{ jms_account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        login_database: "{{ jms_asset.spec_info.db_name }}"
-        mode: "{{ jms_account.mode }}"
-        filter: users
-      register: db_info
-
-    - name: Define info by set_fact
-      set_fact:
-        info: "{{ db_info.users }}"
-
-    - debug:
-        var: info

apps/accounts/automations/gather_accounts/database/oracle/manifest.yml

@@ -1,6 +0,0 @@
-id: gather_accounts_oracle
-name: Gather account from Oracle
-category: database
-type:
-  - oracle
-method: gather_accounts

apps/accounts/automations/gather_accounts/database/postgresql/main.yml

@@ -1,22 +0,0 @@
-- hosts: postgresql
-  gather_facts: no
-  vars:
-    ansible_python_interpreter: /usr/local/bin/python
-
-  tasks:
-    - name: Get info
-      community.postgresql.postgresql_info:
-        login_user: "{{ jms_account.username }}"
-        login_password: "{{ jms_account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        login_db: "{{ jms_asset.spec_info.db_name }}"
-        filter: "roles"
-      register: db_info
-
-    - name: Define info by set_fact
-      set_fact:
-        info: "{{ db_info.roles }}"
-
-    - debug:
-        var: info

apps/accounts/automations/gather_accounts/database/postgresql/manifest.yml

@@ -1,6 +0,0 @@
-id: gather_accounts_postgresql
-name: Gather account for PostgreSQL
-category: database
-type:
-  - postgresql
-method: gather_accounts

apps/accounts/automations/gather_accounts/filter.py

@@ -1,63 +0,0 @@
-from django.utils import timezone
-
-__all__ = ['GatherAccountsFilter']
-
-
-# TODO 后期会挪到playbook中
-class GatherAccountsFilter:
-
-    def __init__(self, tp):
-        self.tp = tp
-
-    @staticmethod
-    def mysql_filter(info):
-        result = {}
-        for _, user_dict in info.items():
-            for username, data in user_dict.items():
-                if data.get('account_locked') == 'N':
-                    result[username] = {}
-        return result
-
-    @staticmethod
-    def postgresql_filter(info):
-        result = {}
-        for username in info:
-            result[username] = {}
-        return result
-
-    @staticmethod
-    def posix_filter(info):
-        result = {}
-        for line in info:
-            data = line.split('@')
-            if len(data) == 1:
-                result[line] = {}
-                continue
-
-            if len(data) != 3:
-                continue
-            username, address, dt = data
-            date = timezone.datetime.strptime(f'{dt} +0800', '%b %d %H:%M:%S %Y %z')
-            result[username] = {'address': address, 'date': date}
-        return result
-
-    @staticmethod
-    def windows_filter(info):
-        info = info[4:-2]
-        result = {}
-        for i in info:
-            for username in i.split():
-                result[username] = {}
-        return result
-
-    def run(self, method_id_meta_mapper, info):
-        run_method_name = None
-        for k, v in method_id_meta_mapper.items():
-            if self.tp not in v['type']:
-                continue
-            run_method_name = k.replace(f'{v["method"]}_', '')
-
-        if not run_method_name:
-            return info
-
-        return getattr(self, f'{run_method_name}_filter')(info)

apps/accounts/automations/gather_accounts/host/posix/main.yml

@@ -1,21 +0,0 @@
-- hosts: demo
-  gather_facts: no
-  tasks:
-    - name: Gather posix account
-      ansible.builtin.shell:
-        cmd: >
-          users=$(getent passwd | grep -v nologin | grep -v shutdown | awk -F":" '{ print $1 }');for i in $users;
-          do k=$(last -w -F $i -1 | head -1 | grep -v ^$ | awk '{ print $1"@"$3"@"$5,$6,$7,$8 }')
-            if [ -n "$k" ]; then
-              echo $k
-            else
-              echo $i
-            fi;done
-      register: result
-
-    - name: Define info by set_fact
-      ansible.builtin.set_fact:
-        info: "{{ result.stdout_lines }}"
-
-    - debug:
-        var: info

apps/accounts/automations/gather_accounts/host/posix/manifest.yml

@@ -1,7 +0,0 @@
-id: gather_accounts_posix
-name: Gather posix account
-category: host
-type:
-  - linux
-  - unix
-method: gather_accounts

apps/accounts/automations/gather_accounts/host/windows/main.yml

@@ -1,13 +0,0 @@
-- hosts: demo
-  gather_facts: no
-  tasks:
-    - name: Gather posix account
-      ansible.builtin.win_shell: net user
-      register: result
-
-    - name: Define info by set_fact
-      ansible.builtin.set_fact:
-        info: "{{ result.stdout_lines }}"
-
-    - debug:
-        var: info

apps/accounts/automations/gather_accounts/host/windows/manifest.yml

@@ -1,7 +0,0 @@
-id: gather_accounts_windows
-name: Gather account windows
-version: 1
-method: gather_accounts
-category: host
-type:
-  - windows

apps/accounts/automations/gather_accounts/manager.py

@@ -1,50 +0,0 @@
-from accounts.const import AutomationTypes
-from accounts.models import GatheredAccount
-from common.utils import get_logger
-from orgs.utils import tmp_to_org
-from .filter import GatherAccountsFilter
-from ..base.manager import AccountBasePlaybookManager
-
-logger = get_logger(__name__)
-
-
-class GatherAccountsManager(AccountBasePlaybookManager):
-    def __init__(self, *args, **kwargs):
-        super().__init__(*args, **kwargs)
-        self.host_asset_mapper = {}
-
-    @classmethod
-    def method_type(cls):
-        return AutomationTypes.gather_accounts
-
-    def host_callback(self, host, asset=None, **kwargs):
-        super().host_callback(host, asset=asset, **kwargs)
-        self.host_asset_mapper[host['name']] = asset
-        return host
-
-    def filter_success_result(self, host, result):
-        result = GatherAccountsFilter(host).run(self.method_id_meta_mapper, result)
-        return result
-
-    @staticmethod
-    def update_or_create_gathered_accounts(asset, result):
-        with tmp_to_org(asset.org_id):
-            GatheredAccount.objects.filter(asset=asset, present=True).update(present=False)
-            for username, data in result.items():
-                d = {'asset': asset, 'username': username, 'present': True}
-                if data.get('date'):
-                    d['date_last_login'] = data['date']
-                if data.get('address'):
-                    d['address_last_login'] = data['address'][:32]
-                GatheredAccount.objects.update_or_create(
-                    defaults=d, asset=asset, username=username,
-                )
-
-    def on_host_success(self, host, result):
-        info = result.get('debug', {}).get('res', {}).get('info', {})
-        asset = self.host_asset_mapper.get(host)
-        if asset and info:
-            result = self.filter_success_result(asset.type, info)
-            self.update_or_create_gathered_accounts(asset, result)
-        else:
-            logger.error("Not found info".format(host))

apps/accounts/automations/methods.py

@@ -1,30 +0,0 @@
-import os
-import copy
-
-from accounts.const import AutomationTypes
-from assets.automations.methods import get_platform_automation_methods
-
-
-def copy_change_secret_to_push_account(methods):
-    push_account = AutomationTypes.push_account
-    change_secret = AutomationTypes.change_secret
-    copy_methods = copy.deepcopy(methods)
-    for method in copy_methods:
-        if not method['id'].startswith(change_secret):
-            continue
-        copy_method = copy.deepcopy(method)
-        copy_method['method'] = push_account.value
-        copy_method['id'] = copy_method['id'].replace(
-            change_secret, push_account
-        )
-        copy_method['name'] = copy_method['name'].replace(
-            'Change secret', 'Push account'
-        )
-        methods.append(copy_method)
-    return methods
-
-
-BASE_DIR = os.path.dirname(os.path.abspath(__file__))
-automation_methods = get_platform_automation_methods(BASE_DIR)
-
-platform_automation_methods = copy_change_secret_to_push_account(automation_methods)

apps/accounts/automations/push_account/manager.py

@@ -1,178 +0,0 @@
-from copy import deepcopy
-
-from django.db.models import QuerySet
-
-from accounts.const import AutomationTypes, SecretType
-from accounts.models import Account
-from assets.const import HostTypes
-from common.utils import get_logger
-from ..base.manager import AccountBasePlaybookManager
-from ..change_secret.manager import ChangeSecretManager
-
-logger = get_logger(__name__)
-
-
-class PushAccountManager(ChangeSecretManager, AccountBasePlaybookManager):
-    ansible_account_prefer = ''
-
-    @classmethod
-    def method_type(cls):
-        return AutomationTypes.push_account
-
-    def create_nonlocal_accounts(self, accounts, snapshot_account_usernames, asset):
-        secret_type = self.secret_type
-        usernames = accounts.filter(secret_type=secret_type).values_list(
-            'username', flat=True
-        )
-        create_usernames = set(snapshot_account_usernames) - set(usernames)
-        create_account_objs = [
-            Account(
-                name=f'{username}-{secret_type}', username=username,
-                secret_type=secret_type, asset=asset,
-            )
-            for username in create_usernames
-        ]
-        Account.objects.bulk_create(create_account_objs)
-
-    def get_accounts(self, privilege_account, accounts: QuerySet):
-        if not privilege_account:
-            print(f'not privilege account')
-            return []
-        snapshot_account_usernames = self.execution.snapshot['accounts']
-        if '*' in snapshot_account_usernames:
-            return accounts.exclude(username=privilege_account.username)
-
-        asset = privilege_account.asset
-        self.create_nonlocal_accounts(accounts, snapshot_account_usernames, asset)
-        accounts = asset.accounts.exclude(username=privilege_account.username).filter(
-            username__in=snapshot_account_usernames, secret_type=self.secret_type
-        )
-        return accounts
-
-    def host_callback(self, host, asset=None, account=None, automation=None, path_dir=None, **kwargs):
-        host = super(ChangeSecretManager, self).host_callback(
-            host, asset=asset, account=account, automation=automation,
-            path_dir=path_dir, **kwargs
-        )
-        if host.get('error'):
-            return host
-
-        accounts = asset.accounts.all()
-        accounts = self.get_accounts(account, accounts)
-        inventory_hosts = []
-        host['secret_type'] = self.secret_type
-        if asset.type == HostTypes.WINDOWS and self.secret_type == SecretType.SSH_KEY:
-            msg = f'Windows {asset} does not support ssh key push \n'
-            print(msg)
-            return inventory_hosts
-
-        for account in accounts:
-            h = deepcopy(host)
-            h['name'] += '(' + account.username + ')'
-            new_secret = self.get_secret()
-
-            self.name_recorder_mapper[h['name']] = {
-                'account': account, 'new_secret': new_secret,
-            }
-
-            private_key_path = None
-            if self.secret_type == SecretType.SSH_KEY:
-                private_key_path = self.generate_private_key_path(new_secret, path_dir)
-                new_secret = self.generate_public_key(new_secret)
-
-            h['kwargs'] = self.get_kwargs(account, new_secret)
-            h['account'] = {
-                'name': account.name,
-                'username': account.username,
-                'secret_type': account.secret_type,
-                'secret': new_secret,
-                'private_key_path': private_key_path
-            }
-            if asset.platform.type == 'oracle':
-                h['account']['mode'] = 'sysdba' if account.privileged else None
-            inventory_hosts.append(h)
-        return inventory_hosts
-
-    def on_host_success(self, host, result):
-        account_info = self.name_recorder_mapper.get(host)
-        if not account_info:
-            return
-
-        account = account_info['account']
-        new_secret = account_info['new_secret']
-        if not account:
-            return
-        account.secret = new_secret
-        account.save(update_fields=['secret'])
-
-    def on_host_error(self, host, error, result):
-        pass
-
-    def on_runner_failed(self, runner, e):
-        logger.error("Pust account error: ", e)
-
-    def run(self, *args, **kwargs):
-        if not self.check_secret():
-            return
-        super().run(*args, **kwargs)
-
-    # @classmethod
-    # def trigger_by_asset_create(cls, asset):
-    #     automations = PushAccountAutomation.objects.filter(
-    #         triggers__contains=TriggerChoice.on_asset_create
-    #     )
-    #     account_automation_map = {auto.username: auto for auto in automations}
-    #
-    #     util = AssetPermissionUtil()
-    #     permissions = util.get_permissions_for_assets([asset], with_node=True)
-    #     account_permission_map = defaultdict(list)
-    #     for permission in permissions:
-    #         for account in permission.accounts:
-    #             account_permission_map[account].append(permission)
-    #
-    #     username_automation_map = {}
-    #     for username, automation in account_automation_map.items():
-    #         if username != '@USER':
-    #             username_automation_map[username] = automation
-    #             continue
-    #
-    #         asset_permissions = account_permission_map.get(username)
-    #         if not asset_permissions:
-    #             continue
-    #         asset_permissions = util.get_permissions([p.id for p in asset_permissions])
-    #         usernames = asset_permissions.values_list('users__username', flat=True).distinct()
-    #         for _username in usernames:
-    #             username_automation_map[_username] = automation
-    #
-    #     asset_usernames_exists = asset.accounts.values_list('username', flat=True)
-    #     accounts_to_create = []
-    #     accounts_to_push = []
-    #     for username, automation in username_automation_map.items():
-    #         if username in asset_usernames_exists:
-    #             continue
-    #
-    #         if automation.secret_strategy != SecretStrategy.custom:
-    #             secret_generator = SecretGenerator(
-    #                 automation.secret_strategy, automation.secret_type,
-    #                 automation.password_rules
-    #             )
-    #             secret = secret_generator.get_secret()
-    #         else:
-    #             secret = automation.secret
-    #
-    #         account = Account(
-    #             username=username, secret=secret,
-    #             asset=asset, secret_type=automation.secret_type,
-    #             comment='Create by account creation {}'.format(automation.name),
-    #         )
-    #         accounts_to_create.append(account)
-    #         if automation.action == 'create_and_push':
-    #             accounts_to_push.append(account)
-    #         else:
-    #             accounts_to_create.append(account)
-    #
-    #         logger.debug(f'Create account {account} for asset {asset}')
-
-    # @classmethod
-    # def trigger_by_permission_accounts_change(cls):
-    #     pass

apps/accounts/automations/verify_account/database/mongodb/main.yml

@@ -1,18 +0,0 @@
-- hosts: mongdb
-  gather_facts: no
-  vars:
-    ansible_python_interpreter: /usr/local/bin/python
-
-  tasks:
-    - name: Verify account
-      mongodb_ping:
-        login_user: "{{ account.username }}"
-        login_password: "{{ account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        login_database: "{{ jms_asset.spec_info.db_name }}"
-        ssl: "{{ jms_asset.spec_info.use_ssl }}"
-        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
-        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
-        connection_options:
-          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"

apps/accounts/automations/verify_account/database/mongodb/manifest.yml

@@ -1,6 +0,0 @@
-id: verify_account_mongodb
-name: Verify account from MongoDB
-category: database
-type:
-  - mongodb
-method: verify_account

apps/accounts/automations/verify_account/database/mysql/main.yml

@@ -1,13 +0,0 @@
-- hosts: mysql
-  gather_facts: no
-  vars:
-    ansible_python_interpreter: /usr/local/bin/python
-
-  tasks:
-    - name: Verify account
-      community.mysql.mysql_info:
-        login_user: "{{ account.username }}"
-        login_password: "{{ account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        filter: version

apps/accounts/automations/verify_account/database/mysql/manifest.yml

@@ -1,7 +0,0 @@
-id: verify_account_mysql
-name: Verify account from MySQL
-category: database
-type:
-  - mysql
-  - mariadb
-method: verify_account

apps/accounts/automations/verify_account/database/oracle/main.yml

@@ -1,14 +0,0 @@
-- hosts: oracle
-  gather_facts: no
-  vars:
-    ansible_python_interpreter: /usr/local/bin/python
-
-  tasks:
-    - name: Verify account
-      oracle_ping:
-        login_user: "{{ account.username }}"
-        login_password: "{{ account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        login_database: "{{ jms_asset.spec_info.db_name }}"
-        mode: "{{ account.mode }}"

apps/accounts/automations/verify_account/database/oracle/manifest.yml

@@ -1,6 +0,0 @@
-id: verify_account_oracle
-name: Verify account from Oracle
-category: database
-type:
-  - oracle
-method: verify_account

apps/accounts/automations/verify_account/database/postgresql/main.yml

@@ -1,16 +0,0 @@
-- hosts: postgresql
-  gather_facts: no
-  vars:
-    ansible_python_interpreter: /usr/local/bin/python
-
-
-  tasks:
-    - name: Verify account
-      community.postgresql.postgresql_ping:
-        login_user: "{{ account.username }}"
-        login_password: "{{ account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        db: "{{ jms_asset.spec_info.db_name }}"
-      register: result
-      failed_when: not result.is_available

apps/accounts/automations/verify_account/database/postgresql/manifest.yml

@@ -1,6 +0,0 @@
-id: verify_account_postgresql
-name: Verify account for PostgreSQL
-category: database
-type:
-  - postgresql
-method: verify_account

apps/accounts/automations/verify_account/database/sqlserver/main.yml

@@ -1,15 +0,0 @@
-- hosts: sqlserver
-  gather_facts: no
-  vars:
-    ansible_python_interpreter: /usr/local/bin/python
-
-  tasks:
-    - name: Verify account
-      community.general.mssql_script:
-        login_user: "{{ account.username }}"
-        login_password: "{{ account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        name: '{{ jms_asset.spec_info.db_name }}'
-        script: |
-          SELECT @@version

apps/accounts/automations/verify_account/database/sqlserver/manifest.yml

@@ -1,6 +0,0 @@
-id: verify_account_sqlserver
-name: Verify account from SQLServer
-category: database
-type:
-  - sqlserver
-method: verify_account

apps/accounts/automations/verify_account/host/posix/main.yml

@@ -1,11 +0,0 @@
-- hosts: demo
-  gather_facts: no
-  tasks:
-    - name: Verify account connectivity
-      become: no
-      ansible.builtin.ping:
-      vars:
-        ansible_become: no
-        ansible_user: "{{ account.username }}"
-        ansible_password: "{{ account.secret }}"
-        ansible_ssh_private_key_file: "{{ account.private_key_path }}"

apps/accounts/automations/verify_account/host/posix/manifest.yml

@@ -1,7 +0,0 @@
-id: verify_account_posix
-name: Verify posix account
-category: host
-type:
-  - linux
-  - unix
-method: verify_account

apps/accounts/automations/verify_account/host/windows/main.yml

@@ -1,8 +0,0 @@
-- hosts: windows
-  gather_facts: no
-  tasks:
-    - name: Verify account
-      ansible.windows.win_ping:
-      vars:
-        ansible_user: "{{ account.username }}"
-        ansible_password: "{{ account.secret }}"

apps/accounts/automations/verify_account/host/windows/manifest.yml

@@ -1,7 +0,0 @@
-id: verify_account_windows
-name: Verify account windows
-version: 1
-method: verify_account
-category: host
-type:
-  - windows

apps/accounts/automations/verify_account/manager.py

@@ -1,81 +0,0 @@
-import os
-from copy import deepcopy
-
-from django.db.models import QuerySet
-
-from accounts.const import AutomationTypes, Connectivity, SecretType
-from common.utils import get_logger
-from ..base.manager import AccountBasePlaybookManager
-
-logger = get_logger(__name__)
-
-
-class VerifyAccountManager(AccountBasePlaybookManager):
-
-    def __init__(self, *args, **kwargs):
-        super().__init__(*args, **kwargs)
-        self.host_account_mapper = {}
-
-    def prepare_runtime_dir(self):
-        path = super().prepare_runtime_dir()
-        ansible_config_path = os.path.join(path, 'ansible.cfg')
-
-        with open(ansible_config_path, 'w') as f:
-            f.write('[ssh_connection]\n')
-            f.write('ssh_args = -o ControlMaster=no -o ControlPersist=no\n')
-        return path
-
-    def host_callback(self, host, asset=None, account=None, automation=None, path_dir=None, **kwargs):
-        host = super().host_callback(
-            host, asset=asset, account=account,
-            automation=automation, path_dir=path_dir, **kwargs
-        )
-        if host.get('error'):
-            return host
-
-        # host['ssh_args'] = '-o ControlMaster=no -o ControlPersist=no'
-        accounts = asset.accounts.all()
-        accounts = self.get_accounts(account, accounts)
-        inventory_hosts = []
-
-        for account in accounts:
-            h = deepcopy(host)
-            h['name'] += '(' + account.username + ')'
-            self.host_account_mapper[h['name']] = account
-            secret = account.secret
-
-            private_key_path = None
-            if account.secret_type == SecretType.SSH_KEY:
-                private_key_path = self.generate_private_key_path(secret, path_dir)
-                secret = self.generate_public_key(secret)
-
-            h['secret_type'] = account.secret_type
-            h['account'] = {
-                'name': account.name,
-                'username': account.username,
-                'secret_type': account.secret_type,
-                'secret': secret,
-                'private_key_path': private_key_path
-            }
-            if account.platform.type == 'oracle':
-                h['account']['mode'] = 'sysdba' if account.privileged else None
-            inventory_hosts.append(h)
-        return inventory_hosts
-
-    @classmethod
-    def method_type(cls):
-        return AutomationTypes.verify_account
-
-    def get_accounts(self, privilege_account, accounts: QuerySet):
-        snapshot_account_usernames = self.execution.snapshot['accounts']
-        if '*' not in snapshot_account_usernames:
-            accounts = accounts.filter(username__in=snapshot_account_usernames)
-        return accounts
-
-    def on_host_success(self, host, result):
-        account = self.host_account_mapper.get(host)
-        account.set_connectivity(Connectivity.OK)
-
-    def on_host_error(self, host, error, result):
-        account = self.host_account_mapper.get(host)
-        account.set_connectivity(Connectivity.ERR)

apps/accounts/automations/verify_gateway_account/manager.py

@@ -1,21 +0,0 @@
-from common.utils import get_logger
-from accounts.const import AutomationTypes
-from assets.automations.ping_gateway.manager import PingGatewayManager
-
-logger = get_logger(__name__)
-
-
-class VerifyGatewayAccountManager(PingGatewayManager):
-
-    @classmethod
-    def method_type(cls):
-        return AutomationTypes.verify_gateway_account
-
-    @staticmethod
-    def before_runner_start():
-        logger.info(">>> 开始执行测试网关账号可连接性任务")
-
-    def get_accounts(self, gateway):
-        usernames = self.execution.snapshot['accounts']
-        accounts = gateway.accounts.filter(username__in=usernames)
-        return accounts

apps/accounts/const/__init__.py

@@ -1,2 +0,0 @@
-from .account import *
-from .automation import *

apps/accounts/const/account.py

@@ -1,20 +0,0 @@
-from django.db.models import TextChoices
-from django.utils.translation import ugettext_lazy as _
-
-
-class SecretType(TextChoices):
-    PASSWORD = 'password', _('Password')
-    SSH_KEY = 'ssh_key', _('SSH key')
-    ACCESS_KEY = 'access_key', _('Access key')
-    TOKEN = 'token', _('Token')
-
-
-class AliasAccount(TextChoices):
-    ALL = '@ALL', _('All')
-    INPUT = '@INPUT', _('Manual input')
-    USER = '@USER', _('Dynamic user')
-
-
-class Source(TextChoices):
-    LOCAL = 'local', _('Local')
-    COLLECTED = 'collected', _('Collected')

apps/accounts/const/automation.py

@@ -1,95 +0,0 @@
-from django.db import models
-from django.utils.translation import ugettext_lazy as _
-
-from assets.const import Connectivity
-from common.db.fields import TreeChoices
-
-string_punctuation = '!#$%&()*+,-.:;<=>?@[]^_~'
-DEFAULT_PASSWORD_LENGTH = 30
-DEFAULT_PASSWORD_RULES = {
-    'length': DEFAULT_PASSWORD_LENGTH,
-    'symbol_set': string_punctuation
-}
-
-__all__ = [
-    'AutomationTypes', 'SecretStrategy', 'SSHKeyStrategy', 'Connectivity',
-    'DEFAULT_PASSWORD_LENGTH', 'DEFAULT_PASSWORD_RULES', 'TriggerChoice',
-    'PushAccountActionChoice',
-]
-
-
-class AutomationTypes(models.TextChoices):
-    push_account = 'push_account', _('Push account')
-    change_secret = 'change_secret', _('Change secret')
-    verify_account = 'verify_account', _('Verify account')
-    gather_accounts = 'gather_accounts', _('Gather accounts')
-    verify_gateway_account = 'verify_gateway_account', _('Verify gateway account')
-
-    @classmethod
-    def get_type_model(cls, tp):
-        from accounts.models import (
-            PushAccountAutomation, ChangeSecretAutomation,
-            VerifyAccountAutomation, GatherAccountsAutomation,
-        )
-        type_model_dict = {
-            cls.push_account: PushAccountAutomation,
-            cls.change_secret: ChangeSecretAutomation,
-            cls.verify_account: VerifyAccountAutomation,
-            cls.gather_accounts: GatherAccountsAutomation,
-        }
-        return type_model_dict.get(tp)
-
-
-class SecretStrategy(models.TextChoices):
-    custom = 'specific', _('Specific password')
-    random = 'random', _('Random')
-
-
-class SSHKeyStrategy(models.TextChoices):
-    add = 'add', _('Append SSH KEY')
-    set = 'set', _('Empty and append SSH KEY')
-    set_jms = 'set_jms', _('Replace (The key generated by JumpServer) ')
-
-
-class TriggerChoice(models.TextChoices, TreeChoices):
-    # 当资产创建时，直接创建账号，如果是动态账号，需要从授权中查询该资产被授权过的用户，已用户用户名为账号，创建
-    on_asset_create = 'on_asset_create', _('On asset create')
-    # 授权变化包含，用户加入授权，用户组加入授权，资产加入授权，节点加入授权，账号变化
-    # 当添加用户到授权时，查询所有同名账号 automation, 把本授权上的用户 (用户组), 创建到本授权的资产(节点)上
-    on_perm_add_user = 'on_perm_add_user', _('On perm add user')
-    # 当添加用户组到授权时，查询所有同名账号 automation, 把本授权上的用户 (用户组), 创建到本授权的资产(节点)上
-    on_perm_add_user_group = 'on_perm_add_user_group', _('On perm add user group')
-    # 当添加资产到授权时，查询授权的所有账号 automation, 创建到本授权的资产上
-    on_perm_add_asset = 'on_perm_add_asset', _('On perm add asset')
-    # 当添加节点到授权时，查询授权的所有账号 automation, 创建到本授权的节点的资产上
-    on_perm_add_node = 'on_perm_add_node', _('On perm add node')
-    # 当授权的账号变化时，查询授权的所有账号 automation, 创建到本授权的资产(节点)上
-    on_perm_add_account = 'on_perm_add_account', _('On perm add account')
-    # 当资产添加到节点时，查询节点的授权规则，查询授权的所有账号 automation, 创建到本授权的资产(节点)上
-    on_asset_join_node = 'on_asset_join_node', _('On asset join node')
-    # 当用户加入到用户组时，查询用户组的授权规则，查询授权的所有账号 automation, 创建到本授权的资产(节点)上
-    on_user_join_group = 'on_user_join_group', _('On user join group')
-
-    @classmethod
-    def branches(cls):
-        # 和用户和用户组相关的都是动态账号
-        #
-        return [
-            cls.on_asset_create,
-            (_("On perm change"), [
-                cls.on_perm_add_user,
-                cls.on_perm_add_user_group,
-                cls.on_perm_add_asset,
-                cls.on_perm_add_node,
-                cls.on_perm_add_account,
-            ]),
-            (_("Inherit from group or node"), [
-                cls.on_asset_join_node,
-                cls.on_user_join_group,
-            ])
-        ]
-
-
-class PushAccountActionChoice(models.TextChoices):
-    create_and_push = 'create_and_push', _('Create and push')
-    only_create = 'only_create', _('Only create')

apps/accounts/filters.py

@@ -1,61 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-from django.db.models import Q
-from django_filters import rest_framework as drf_filters
-
-from assets.models import Node
-from common.drf.filters import BaseFilterSet
-
-from .models import Account, GatheredAccount
-
-
-class AccountFilterSet(BaseFilterSet):
-    ip = drf_filters.CharFilter(field_name='address', lookup_expr='exact')
-    hostname = drf_filters.CharFilter(field_name='name', lookup_expr='exact')
-    username = drf_filters.CharFilter(field_name="username", lookup_expr='exact')
-    address = drf_filters.CharFilter(field_name="asset__address", lookup_expr='exact')
-    asset = drf_filters.CharFilter(field_name="asset_id", lookup_expr='exact')
-    assets = drf_filters.CharFilter(field_name='asset_id', lookup_expr='exact')
-    nodes = drf_filters.CharFilter(method='filter_nodes')
-    node_id = drf_filters.CharFilter(method='filter_nodes')
-    has_secret = drf_filters.BooleanFilter(method='filter_has_secret')
-    platform = drf_filters.CharFilter(field_name='asset__platform_id', lookup_expr='exact')
-    category = drf_filters.CharFilter(field_name='asset__platform__category', lookup_expr='exact')
-    type = drf_filters.CharFilter(field_name='asset__platform__type', lookup_expr='exact')
-
-    @staticmethod
-    def filter_has_secret(queryset, name, has_secret):
-        q = Q(secret__isnull=True) | Q(secret='')
-        if has_secret:
-            return queryset.exclude(q)
-        else:
-            return queryset.filter(q)
-
-    @staticmethod
-    def filter_nodes(queryset, name, value):
-        nodes = Node.objects.filter(id=value)
-        if not nodes:
-            return queryset
-
-        node_qs = Node.objects.none()
-        for node in nodes:
-            node_qs |= node.get_all_children(with_self=True)
-        node_ids = list(node_qs.values_list('id', flat=True))
-        queryset = queryset.filter(asset__nodes__in=node_ids)
-        return queryset
-
-    class Meta:
-        model = Account
-        fields = ['id', 'asset_id']
-
-
-class GatheredAccountFilterSet(BaseFilterSet):
-    node_id = drf_filters.CharFilter(method='filter_nodes')
-
-    @staticmethod
-    def filter_nodes(queryset, name, value):
-        return AccountFilterSet.filter_nodes(queryset, name, value)
-
-    class Meta:
-        model = GatheredAccount
-        fields = ['id', 'asset_id', 'username']

apps/accounts/migrations/0001_initial.py

@@ -1,111 +0,0 @@
-# Generated by Django 3.2.14 on 2022-12-28 07:29
-
-import common.db.encoder
-import common.db.fields
-from django.conf import settings
-from django.db import migrations, models
-import django.db.models.deletion
-import simple_history.models
-import uuid
-
-
-class Migration(migrations.Migration):
-    initial = True
-
-    dependencies = [
-        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
-        ('assets', '0098_auto_20220430_2126'),
-    ]
-
-    operations = [
-        migrations.CreateModel(
-            name='Account',
-            fields=[
-                ('created_by', models.CharField(blank=True, max_length=128, null=True, verbose_name='Created by')),
-                ('updated_by', models.CharField(blank=True, max_length=128, null=True, verbose_name='Updated by')),
-                ('date_created', models.DateTimeField(auto_now_add=True, null=True, verbose_name='Date created')),
-                ('date_updated', models.DateTimeField(auto_now=True, verbose_name='Date updated')),
-                ('comment', models.TextField(blank=True, default='', verbose_name='Comment')),
-                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
-                ('org_id',
-                 models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization')),
-                ('connectivity', models.CharField(choices=[('-', 'Unknown'), ('ok', 'Ok'), ('err', 'Error')], default='-', max_length=16, verbose_name='Connectivity')),
-                ('date_verified', models.DateTimeField(null=True, verbose_name='Date verified')),
-                ('name', models.CharField(max_length=128, verbose_name='Name')),
-                ('username', models.CharField(blank=True, db_index=True, max_length=128, verbose_name='Username')),
-                ('secret_type', models.CharField(
-                    choices=[('password', 'Password'), ('ssh_key', 'SSH key'), ('access_key', 'Access key'),
-                             ('token', 'Token')], default='password', max_length=16, verbose_name='Secret type')),
-                ('secret', common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='Secret')),
-                ('privileged', models.BooleanField(default=False, verbose_name='Privileged')),
-                ('is_active', models.BooleanField(default=True, verbose_name='Is active')),
-                ('version', models.IntegerField(default=0, verbose_name='Version')),
-                ('source', models.CharField(default='local', max_length=30, verbose_name='Source')),
-                ('asset', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='accounts',
-                                            to='assets.asset', verbose_name='Asset')),
-                ('su_from',
-                 models.ForeignKey(null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='su_to',
-                                   to='accounts.account', verbose_name='Su from')),
-            ],
-            options={
-                'verbose_name': 'Account',
-                'permissions': [('view_accountsecret', 'Can view asset account secret'),
-                                ('view_historyaccount', 'Can view asset history account'),
-                                ('view_historyaccountsecret', 'Can view asset history account secret')],
-                'unique_together': {('username', 'asset', 'secret_type'), ('name', 'asset')},
-            },
-        ),
-        migrations.CreateModel(
-            name='HistoricalAccount',
-            fields=[
-                ('id', models.UUIDField(db_index=True, default=uuid.uuid4)),
-                ('secret_type', models.CharField(
-                    choices=[('password', 'Password'), ('ssh_key', 'SSH key'), ('access_key', 'Access key'),
-                             ('token', 'Token')], default='password', max_length=16, verbose_name='Secret type')),
-                ('secret', common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='Secret')),
-                ('version', models.IntegerField(default=0, verbose_name='Version')),
-                ('history_id', models.AutoField(primary_key=True, serialize=False)),
-                ('history_date', models.DateTimeField(db_index=True)),
-                ('history_change_reason', models.CharField(max_length=100, null=True)),
-                ('history_type',
-                 models.CharField(choices=[('+', 'Created'), ('~', 'Changed'), ('-', 'Deleted')], max_length=1)),
-                ('history_user',
-                 models.ForeignKey(null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='+',
-                                   to=settings.AUTH_USER_MODEL)),
-            ],
-            options={
-                'verbose_name': 'historical Account',
-                'verbose_name_plural': 'historical Accounts',
-                'ordering': ('-history_date', '-history_id'),
-                'get_latest_by': ('history_date', 'history_id'),
-            },
-            bases=(simple_history.models.HistoricalChanges, models.Model),
-        ),
-        migrations.CreateModel(
-            name='AccountTemplate',
-            fields=[
-                ('created_by', models.CharField(blank=True, max_length=128, null=True, verbose_name='Created by')),
-                ('updated_by', models.CharField(blank=True, max_length=128, null=True, verbose_name='Updated by')),
-                ('date_created', models.DateTimeField(auto_now_add=True, null=True, verbose_name='Date created')),
-                ('date_updated', models.DateTimeField(auto_now=True, verbose_name='Date updated')),
-                ('comment', models.TextField(blank=True, default='', verbose_name='Comment')),
-                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
-                ('org_id',
-                 models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization')),
-                ('name', models.CharField(max_length=128, verbose_name='Name')),
-                ('username', models.CharField(blank=True, db_index=True, max_length=128, verbose_name='Username')),
-                ('secret_type', models.CharField(
-                    choices=[('password', 'Password'), ('ssh_key', 'SSH key'), ('access_key', 'Access key'),
-                             ('token', 'Token')], default='password', max_length=16, verbose_name='Secret type')),
-                ('secret', common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='Secret')),
-                ('privileged', models.BooleanField(default=False, verbose_name='Privileged')),
-                ('is_active', models.BooleanField(default=True, verbose_name='Is active')),
-            ],
-            options={
-                'verbose_name': 'Account template',
-                'permissions': [('view_accounttemplatesecret', 'Can view asset account template secret'),
-                                ('change_accounttemplatesecret', 'Can change asset account template secret')],
-                'unique_together': {('name', 'org_id')},
-            },
-        ),
-    ]

apps/accounts/migrations/0002_auto_20220616_0021.py

@@ -1,44 +0,0 @@
-# Generated by Django 3.2.14 on 2022-12-28 10:39
-
-import common.db.encoder
-import common.db.fields
-from django.conf import settings
-from django.db import migrations, models
-import django.db.models.deletion
-import uuid
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ('assets', '0106_auto_20221228_1838'),
-        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
-        ('accounts', '0001_initial'),
-    ]
-
-    operations = [
-        migrations.CreateModel(
-            name='AccountBackupAutomation',
-            fields=[
-                ('created_by', models.CharField(blank=True, max_length=128, null=True, verbose_name='Created by')),
-                ('updated_by', models.CharField(blank=True, max_length=128, null=True, verbose_name='Updated by')),
-                ('date_created', models.DateTimeField(auto_now_add=True, null=True, verbose_name='Date created')),
-                ('date_updated', models.DateTimeField(auto_now=True, verbose_name='Date updated')),
-                ('comment', models.TextField(blank=True, default='', verbose_name='Comment')),
-                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
-                ('org_id',
-                 models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization')),
-                ('name', models.CharField(max_length=128, verbose_name='Name')),
-                ('is_periodic', models.BooleanField(default=False, verbose_name='Periodic perform')),
-                ('interval', models.IntegerField(blank=True, default=24, null=True, verbose_name='Cycle perform')),
-                ('crontab', models.CharField(blank=True, max_length=128, null=True, verbose_name='Regularly perform')),
-                ('types', models.JSONField(default=list)),
-                ('recipients', models.ManyToManyField(blank=True, related_name='recipient_escape_route_plans',
-                                                      to=settings.AUTH_USER_MODEL, verbose_name='Recipient')),
-            ],
-            options={
-                'verbose_name': 'Account backup plan',
-                'ordering': ['name'],
-                'unique_together': {('name', 'org_id')},
-            },
-        )
-    ]

apps/accounts/migrations/0003_automation.py

@@ -1,194 +0,0 @@
-# Generated by Django 3.2.16 on 2022-12-30 08:08
-
-import common.db.encoder
-import common.db.fields
-from django.conf import settings
-from django.db import migrations, models
-import django.db.models.deletion
-import uuid
-
-
-class Migration(migrations.Migration):
-    dependencies = [
-        ('assets', '0107_automation'),
-        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
-        ('accounts', '0002_auto_20220616_0021'),
-    ]
-
-    operations = [
-        migrations.CreateModel(
-            name='AccountBaseAutomation',
-            fields=[
-            ],
-            options={
-                'verbose_name': 'Account automation task',
-                'proxy': True,
-                'indexes': [],
-                'constraints': [],
-            },
-            bases=('assets.baseautomation',),
-        ),
-        migrations.CreateModel(
-            name='AutomationExecution',
-            fields=[
-            ],
-            options={
-                'verbose_name': 'Automation execution',
-                'verbose_name_plural': 'Automation executions',
-                'permissions': [('view_changesecretexecution', 'Can view change secret execution'),
-                                ('add_changesecretexection', 'Can add change secret execution'),
-                                ('view_gatheraccountsexecution', 'Can view gather accounts execution'),
-                                ('add_gatheraccountsexecution', 'Can add gather accounts execution')],
-                'proxy': True,
-                'indexes': [],
-                'constraints': [],
-            },
-            bases=('assets.automationexecution',),
-        ),
-        migrations.CreateModel(
-            name='PushAccountAutomation',
-            fields=[
-                ('baseautomation_ptr',
-                 models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True,
-                                      primary_key=True, serialize=False, to='assets.baseautomation')),
-                ('secret_type', models.CharField(
-                    choices=[('password', 'Password'), ('ssh_key', 'SSH key'), ('access_key', 'Access key'),
-                             ('token', 'Token')], default='password', max_length=16, verbose_name='Secret type')),
-                ('secret_strategy', models.CharField(choices=[('specific', 'Specific password'),
-                                                              ('random_one', 'All assets use the same random password'),
-                                                              ('random_all',
-                                                               'All assets use different random password')],
-                                                     default='specific', max_length=16,
-                                                     verbose_name='Secret strategy')),
-                ('secret', common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='Secret')),
-                ('password_rules', models.JSONField(default=dict, verbose_name='Password rules')),
-                ('ssh_key_change_strategy', models.CharField(
-                    choices=[('add', 'Append SSH KEY'), ('set', 'Empty and append SSH KEY'),
-                             ('set_jms', 'Replace (The key generated by JumpServer) ')], default='add', max_length=16,
-                    verbose_name='SSH key change strategy')),
-                ('triggers', models.JSONField(default=list, max_length=16, verbose_name='Triggers')),
-                ('username', models.CharField(max_length=128, verbose_name='Username')),
-                ('action', models.CharField(max_length=16, verbose_name='Action')),
-            ],
-            options={
-                'verbose_name': 'Push asset account',
-            },
-            bases=('accounts.accountbaseautomation', models.Model),
-        ),
-
-        migrations.CreateModel(
-            name='GatherAccountsAutomation',
-            fields=[
-                ('baseautomation_ptr',
-                 models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True,
-                                      primary_key=True, serialize=False, to='assets.baseautomation')),
-            ],
-            options={
-                'verbose_name': 'Gather asset accounts',
-            },
-            bases=('accounts.accountbaseautomation',),
-        ),
-        migrations.CreateModel(
-            name='VerifyAccountAutomation',
-            fields=[
-                ('baseautomation_ptr',
-                 models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True,
-                                      primary_key=True, serialize=False, to='assets.baseautomation')),
-            ],
-            options={
-                'verbose_name': 'Verify asset account',
-            },
-            bases=('accounts.accountbaseautomation',),
-        ),
-        migrations.CreateModel(
-            name='ChangeSecretRecord',
-            fields=[
-                ('created_by', models.CharField(blank=True, max_length=128, null=True, verbose_name='Created by')),
-                ('updated_by', models.CharField(blank=True, max_length=128, null=True, verbose_name='Updated by')),
-                ('date_created', models.DateTimeField(auto_now_add=True, null=True, verbose_name='Date created')),
-                ('date_updated', models.DateTimeField(auto_now=True, verbose_name='Date updated')),
-                ('comment', models.TextField(blank=True, default='', verbose_name='Comment')),
-                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
-                ('old_secret', common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='Old secret')),
-                ('new_secret', common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='Secret')),
-                ('date_started', models.DateTimeField(blank=True, null=True, verbose_name='Date started')),
-                ('date_finished', models.DateTimeField(blank=True, null=True, verbose_name='Date finished')),
-                ('status', models.CharField(default='pending', max_length=16)),
-                ('error', models.TextField(blank=True, null=True, verbose_name='Error')),
-                ('account',
-                 models.ForeignKey(null=True, on_delete=django.db.models.deletion.CASCADE, to='accounts.account')),
-                ('asset', models.ForeignKey(null=True, on_delete=django.db.models.deletion.CASCADE, to='assets.asset')),
-                ('execution',
-                 models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='accounts.automationexecution')),
-            ],
-            options={
-                'verbose_name': 'Change secret record',
-            },
-        ),
-        migrations.CreateModel(
-            name='AccountBackupExecution',
-            fields=[
-                ('org_id',
-                 models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization')),
-                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
-                ('date_start', models.DateTimeField(auto_now_add=True, verbose_name='Date start')),
-                ('timedelta', models.FloatField(default=0.0, null=True, verbose_name='Time')),
-                ('plan_snapshot',
-                 models.JSONField(blank=True, default=dict, encoder=common.db.encoder.ModelJSONFieldEncoder, null=True,
-                                  verbose_name='Account backup snapshot')),
-                ('trigger', models.CharField(choices=[('manual', 'Manual trigger'), ('timing', 'Timing trigger')],
-                                             default='manual', max_length=128, verbose_name='Trigger mode')),
-                ('reason', models.CharField(blank=True, max_length=1024, null=True, verbose_name='Reason')),
-                ('is_success', models.BooleanField(default=False, verbose_name='Is success')),
-                ('plan', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='execution',
-                                           to='accounts.accountbackupautomation', verbose_name='Account backup plan')),
-            ],
-            options={
-                'verbose_name': 'Account backup execution',
-                'ordering': ('-date_start',),
-            },
-        ),
-        migrations.CreateModel(
-            name='ChangeSecretAutomation',
-            fields=[
-                ('baseautomation_ptr',
-                 models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True,
-                                      primary_key=True, serialize=False, to='assets.baseautomation')),
-                ('secret_type', models.CharField(
-                    choices=[('password', 'Password'), ('ssh_key', 'SSH key'), ('access_key', 'Access key'),
-                             ('token', 'Token')], default='password', max_length=16, verbose_name='Secret type')),
-                ('secret_strategy', models.CharField(choices=[('specific', 'Specific password'),
-                                                              ('random_one', 'All assets use the same random password'),
-                                                              ('random_all',
-                                                               'All assets use different random password')],
-                                                     default='specific', max_length=16,
-                                                     verbose_name='Secret strategy')),
-                ('secret', common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='Secret')),
-                ('password_rules', models.JSONField(default=dict, verbose_name='Password rules')),
-                ('ssh_key_change_strategy', models.CharField(
-                    choices=[('add', 'Append SSH KEY'), ('set', 'Empty and append SSH KEY'),
-                             ('set_jms', 'Replace (The key generated by JumpServer) ')], default='add', max_length=16,
-                    verbose_name='SSH key change strategy')),
-                ('recipients',
-                 models.ManyToManyField(blank=True, to=settings.AUTH_USER_MODEL, verbose_name='Recipient')),
-            ],
-            options={
-                'verbose_name': 'Change secret automation',
-            },
-            bases=('accounts.accountbaseautomation', models.Model),
-        ),
-        migrations.AlterModelOptions(
-            name='automationexecution',
-            options={'permissions': [('view_changesecretexecution', 'Can view change secret execution'),
-                                     ('add_changesecretexection', 'Can add change secret execution'),
-                                     ('view_gatheraccountsexecution', 'Can view gather accounts execution'),
-                                     ('add_gatheraccountsexecution', 'Can add gather accounts execution'),
-                                     ('view_pushaccountexecution', 'Can view push account execution'),
-                                     ('add_pushaccountexecution', 'Can add push account execution')],
-                     'verbose_name': 'Automation execution', 'verbose_name_plural': 'Automation executions'},
-        ),
-        migrations.AlterModelOptions(
-            name='changesecretrecord',
-            options={'ordering': ('-date_started',), 'verbose_name': 'Change secret record'},
-        ),
-    ]

apps/accounts/migrations/0004_auto_20230106_1507.py

@@ -1,23 +0,0 @@
-# Generated by Django 3.2.16 on 2023-01-06 07:07
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('accounts', '0003_automation'),
-    ]
-
-    operations = [
-        migrations.AlterField(
-            model_name='changesecretautomation',
-            name='secret_strategy',
-            field=models.CharField(choices=[('specific', 'Specific password'), ('random', 'Random')], default='specific', max_length=16, verbose_name='Secret strategy'),
-        ),
-        migrations.AlterField(
-            model_name='pushaccountautomation',
-            name='secret_strategy',
-            field=models.CharField(choices=[('specific', 'Specific password'), ('random', 'Random')], default='specific', max_length=16, verbose_name='Secret strategy'),
-        ),
-    ]

apps/accounts/migrations/0005_alter_changesecretrecord_options.py

@@ -1,17 +0,0 @@
-# Generated by Django 3.2.16 on 2023-01-10 06:45
-
-from django.db import migrations
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('accounts', '0004_auto_20230106_1507'),
-    ]
-
-    operations = [
-        migrations.AlterModelOptions(
-            name='changesecretrecord',
-            options={'ordering': ('-date_created',), 'verbose_name': 'Change secret record'},
-        ),
-    ]

apps/accounts/migrations/0006_gatheredaccount.py

@@ -1,38 +0,0 @@
-# Generated by Django 3.2.16 on 2023-02-07 04:41
-
-from django.db import migrations, models
-import django.db.models.deletion
-import uuid
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('assets', '0108_alter_platform_charset'),
-        ('accounts', '0005_alter_changesecretrecord_options'),
-    ]
-
-    operations = [
-        migrations.CreateModel(
-            name='GatheredAccount',
-            fields=[
-                ('created_by', models.CharField(blank=True, max_length=128, null=True, verbose_name='Created by')),
-                ('updated_by', models.CharField(blank=True, max_length=128, null=True, verbose_name='Updated by')),
-                ('date_created', models.DateTimeField(auto_now_add=True, null=True, verbose_name='Date created')),
-                ('date_updated', models.DateTimeField(auto_now=True, verbose_name='Date updated')),
-                ('comment', models.TextField(blank=True, default='', verbose_name='Comment')),
-                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
-                ('org_id', models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization')),
-                ('present', models.BooleanField(default=True, verbose_name='Present')),
-                ('date_last_login', models.DateTimeField(null=True, verbose_name='Date last login')),
-                ('username', models.CharField(blank=True, db_index=True, max_length=32, verbose_name='Username')),
-                ('address_last_login', models.CharField(default='', max_length=39, verbose_name='Address last login')),
-                ('asset', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='assets.asset', verbose_name='Asset')),
-            ],
-            options={
-                'verbose_name': 'Gather account',
-                'ordering': ['asset'],
-                'unique_together': {('username', 'asset')},
-            },
-        ),
-    ]

apps/accounts/migrations/0007_alter_account_options.py

@@ -1,17 +0,0 @@
-# Generated by Django 3.2.16 on 2023-02-16 11:07
-
-from django.db import migrations
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('accounts', '0006_gatheredaccount'),
-    ]
-
-    operations = [
-        migrations.AlterModelOptions(
-            name='account',
-            options={'permissions': [('view_accountsecret', 'Can view asset account secret'), ('view_historyaccount', 'Can view asset history account'), ('view_historyaccountsecret', 'Can view asset history account secret'), ('verify_account', 'Can verify account'), ('push_account', 'Can push account')], 'verbose_name': 'Account'},
-        ),
-    ]

apps/accounts/migrations/0008_alter_gatheredaccount_options.py

@@ -1,17 +0,0 @@
-# Generated by Django 3.2.16 on 2023-02-23 09:59
-
-from django.db import migrations
-
-
-class Migration(migrations.Migration):
-
-    dependencies = [
-        ('accounts', '0007_alter_account_options'),
-    ]
-
-    operations = [
-        migrations.AlterModelOptions(
-            name='gatheredaccount',
-            options={'ordering': ['asset'], 'verbose_name': 'Gather account automation'},
-        ),
-    ]

apps/accounts/models/__init__.py

@@ -1,3 +0,0 @@
-from .base import *
-from .account import *
-from .automations import *

apps/accounts/models/account.py

@@ -1,119 +0,0 @@
-from django.db import models
-from django.utils.translation import gettext_lazy as _
-from simple_history.models import HistoricalRecords
-
-from assets.models.base import AbsConnectivity
-from common.utils import lazyproperty
-from .base import BaseAccount
-from ..const import AliasAccount, Source
-
-__all__ = ['Account', 'AccountTemplate']
-
-
-class AccountHistoricalRecords(HistoricalRecords):
-    def __init__(self, *args, **kwargs):
-        self.included_fields = kwargs.pop('included_fields', None)
-        super().__init__(*args, **kwargs)
-
-    def post_save(self, instance, created, using=None, **kwargs):
-        if not self.included_fields:
-            return super().post_save(instance, created, using=using, **kwargs)
-
-        check_fields = set(self.included_fields) - {'version'}
-        history_attrs = instance.history.all().values(*check_fields).first()
-        if history_attrs is None:
-            return super().post_save(instance, created, using=using, **kwargs)
-
-        attrs = {field: getattr(instance, field) for field in check_fields}
-        history_attrs = set(history_attrs.items())
-        attrs = set(attrs.items())
-        diff = attrs - history_attrs
-        if not diff:
-            return
-        super().post_save(instance, created, using=using, **kwargs)
-
-    def create_history_model(self, model, inherited):
-        if self.included_fields and not self.excluded_fields:
-            self.excluded_fields = [
-                field.name for field in model._meta.fields
-                if field.name not in self.included_fields
-            ]
-        return super().create_history_model(model, inherited)
-
-
-class Account(AbsConnectivity, BaseAccount):
-    asset = models.ForeignKey(
-        'assets.Asset', related_name='accounts',
-        on_delete=models.CASCADE, verbose_name=_('Asset')
-    )
-    su_from = models.ForeignKey(
-        'accounts.Account', related_name='su_to', null=True,
-        on_delete=models.SET_NULL, verbose_name=_("Su from")
-    )
-    version = models.IntegerField(default=0, verbose_name=_('Version'))
-    history = AccountHistoricalRecords(included_fields=['id', 'secret', 'secret_type', 'version'])
-    source = models.CharField(max_length=30, default=Source.LOCAL, verbose_name=_('Source'))
-
-    class Meta:
-        verbose_name = _('Account')
-        unique_together = [
-            ('username', 'asset', 'secret_type'),
-            ('name', 'asset'),
-        ]
-        permissions = [
-            ('view_accountsecret', _('Can view asset account secret')),
-            ('view_historyaccount', _('Can view asset history account')),
-            ('view_historyaccountsecret', _('Can view asset history account secret')),
-            ('verify_account', _('Can verify account')),
-            ('push_account', _('Can push account')),
-        ]
-
-    def __str__(self):
-        return '{}'.format(self.username)
-
-    @lazyproperty
-    def platform(self):
-        return self.asset.platform
-
-    @lazyproperty
-    def alias(self):
-        if self.username.startswith('@'):
-            return self.username
-        return self.name
-
-    @lazyproperty
-    def has_secret(self):
-        return bool(self.secret)
-
-    @classmethod
-    def get_manual_account(cls):
-        """ @INPUT 手动登录的账号(any) """
-        return cls(name=AliasAccount.INPUT.label, username=AliasAccount.INPUT.value, secret=None)
-
-    @lazyproperty
-    def versions(self):
-        return self.history.count()
-
-    @classmethod
-    def get_user_account(cls):
-        """ @USER 动态用户的账号(self) """
-        return cls(name=AliasAccount.USER.label, username=AliasAccount.USER.value, secret=None)
-
-    def get_su_from_accounts(self):
-        """ 排除自己和以自己为 su-from 的账号 """
-        return self.asset.accounts.exclude(id=self.id).exclude(su_from=self)
-
-
-class AccountTemplate(BaseAccount):
-    class Meta:
-        verbose_name = _('Account template')
-        unique_together = (
-            ('name', 'org_id'),
-        )
-        permissions = [
-            ('view_accounttemplatesecret', _('Can view asset account template secret')),
-            ('change_accounttemplatesecret', _('Can change asset account template secret')),
-        ]
-
-    def __str__(self):
-        return self.username

apps/accounts/models/automations/__init__.py

@@ -1,6 +0,0 @@
-from .base import *
-from .backup_account import *
-from .change_secret import *
-from .gather_account import *
-from .push_account import *
-from .verify_account import *

apps/accounts/models/automations/base.py

@@ -1,45 +0,0 @@
-from django.utils.translation import gettext_lazy as _
-
-from accounts.tasks import execute_account_automation_task
-from assets.models.automations import (
-    BaseAutomation as AssetBaseAutomation,
-    AutomationExecution as AssetAutomationExecution
-)
-
-__all__ = ['AccountBaseAutomation', 'AutomationExecution']
-
-
-class AccountBaseAutomation(AssetBaseAutomation):
-    class Meta:
-        proxy = True
-        verbose_name = _("Account automation task")
-
-    @property
-    def execute_task(self):
-        return execute_account_automation_task
-
-    @property
-    def execution_model(self):
-        return AutomationExecution
-
-
-class AutomationExecution(AssetAutomationExecution):
-    class Meta:
-        proxy = True
-        verbose_name = _("Automation execution")
-        verbose_name_plural = _("Automation executions")
-        permissions = [
-            ('view_changesecretexecution', _('Can view change secret execution')),
-            ('add_changesecretexection', _('Can add change secret execution')),
-
-            ('view_gatheraccountsexecution', _('Can view gather accounts execution')),
-            ('add_gatheraccountsexecution', _('Can add gather accounts execution')),
-
-            ('view_pushaccountexecution', _('Can view push account execution')),
-            ('add_pushaccountexecution', _('Can add push account execution')),
-        ]
-
-    def start(self):
-        from accounts.automations.endpoint import ExecutionManager
-        manager = ExecutionManager(execution=self)
-        return manager.run()

apps/accounts/models/automations/change_secret.py

@@ -1,89 +0,0 @@
-from django.db import models
-from django.utils.translation import ugettext_lazy as _
-
-from common.db import fields
-from common.db.models import JMSBaseModel
-from accounts.const import (
-    AutomationTypes, SecretType, SecretStrategy, SSHKeyStrategy
-)
-from .base import AccountBaseAutomation
-
-__all__ = ['ChangeSecretAutomation', 'ChangeSecretRecord', 'ChangeSecretMixin']
-
-
-class ChangeSecretMixin(models.Model):
-    secret_type = models.CharField(
-        choices=SecretType.choices, max_length=16,
-        default=SecretType.PASSWORD, verbose_name=_('Secret type')
-    )
-    secret = fields.EncryptTextField(blank=True, null=True, verbose_name=_('Secret'))
-    secret_strategy = models.CharField(
-        choices=SecretStrategy.choices, max_length=16,
-        default=SecretStrategy.custom, verbose_name=_('Secret strategy')
-    )
-    password_rules = models.JSONField(default=dict, verbose_name=_('Password rules'))
-    ssh_key_change_strategy = models.CharField(
-        choices=SSHKeyStrategy.choices, max_length=16,
-        default=SSHKeyStrategy.add, verbose_name=_('SSH key change strategy')
-    )
-
-    class Meta:
-        abstract = True
-
-    def to_attr_json(self):
-        attr_json = super().to_attr_json()
-        attr_json.update({
-            'secret': self.secret,
-            'secret_type': self.secret_type,
-            'secret_strategy': self.secret_strategy,
-            'password_rules': self.password_rules,
-            'ssh_key_change_strategy': self.ssh_key_change_strategy,
-
-        })
-        return attr_json
-
-
-class ChangeSecretAutomation(ChangeSecretMixin, AccountBaseAutomation):
-    recipients = models.ManyToManyField('users.User', verbose_name=_("Recipient"), blank=True)
-
-    def save(self, *args, **kwargs):
-        self.type = AutomationTypes.change_secret
-        super().save(*args, **kwargs)
-
-    class Meta:
-        verbose_name = _("Change secret automation")
-
-    def to_attr_json(self):
-        attr_json = super().to_attr_json()
-        attr_json.update({
-            'recipients': {
-                str(recipient.id): (str(recipient), bool(recipient.secret_key))
-                for recipient in self.recipients.all()
-            }
-        })
-        return attr_json
-
-
-class ChangeSecretRecord(JMSBaseModel):
-    execution = models.ForeignKey('accounts.AutomationExecution', on_delete=models.CASCADE)
-    asset = models.ForeignKey('assets.Asset', on_delete=models.CASCADE, null=True)
-    account = models.ForeignKey('accounts.Account', on_delete=models.CASCADE, null=True)
-    old_secret = fields.EncryptTextField(blank=True, null=True, verbose_name=_('Old secret'))
-    new_secret = fields.EncryptTextField(blank=True, null=True, verbose_name=_('Secret'))
-    date_started = models.DateTimeField(blank=True, null=True, verbose_name=_('Date started'))
-    date_finished = models.DateTimeField(blank=True, null=True, verbose_name=_('Date finished'))
-    status = models.CharField(max_length=16, default='pending')
-    error = models.TextField(blank=True, null=True, verbose_name=_('Error'))
-
-    class Meta:
-        ordering = ('-date_created',)
-        verbose_name = _("Change secret record")
-
-    def __str__(self):
-        return self.account.__str__()
-
-    @property
-    def timedelta(self):
-        if self.date_started and self.date_finished:
-            return self.date_finished - self.date_started
-        return None

apps/accounts/models/automations/gather_account.py

@@ -1,39 +0,0 @@
-from django.db import models
-from django.utils.translation import ugettext_lazy as _
-
-from accounts.const import AutomationTypes
-from orgs.mixins.models import JMSOrgBaseModel
-from .base import AccountBaseAutomation
-
-__all__ = ['GatherAccountsAutomation', 'GatheredAccount']
-
-
-class GatheredAccount(JMSOrgBaseModel):
-    present = models.BooleanField(default=True, verbose_name=_("Present"))
-    date_last_login = models.DateTimeField(null=True, verbose_name=_("Date last login"))
-    asset = models.ForeignKey('assets.Asset', on_delete=models.CASCADE, verbose_name=_("Asset"))
-    username = models.CharField(max_length=32, blank=True, db_index=True, verbose_name=_('Username'))
-    address_last_login = models.CharField(max_length=39, default='', verbose_name=_("Address last login"))
-
-    @property
-    def address(self):
-        return self.asset.address
-
-    class Meta:
-        verbose_name = _('Gather account automation')
-        unique_together = [
-            ('username', 'asset'),
-        ]
-        ordering = ['asset']
-
-    def __str__(self):
-        return '{}: {}'.format(self.asset, self.username)
-
-
-class GatherAccountsAutomation(AccountBaseAutomation):
-    def save(self, *args, **kwargs):
-        self.type = AutomationTypes.gather_accounts
-        super().save(*args, **kwargs)
-
-    class Meta:
-        verbose_name = _("Gather asset accounts")

apps/accounts/models/automations/push_account.py

@@ -1,43 +0,0 @@
-from django.db import models
-from django.utils.translation import ugettext_lazy as _
-
-from accounts.const import AutomationTypes
-from jumpserver.utils import has_valid_xpack_license
-from .base import AccountBaseAutomation
-from .change_secret import ChangeSecretMixin
-
-__all__ = ['PushAccountAutomation']
-
-
-class PushAccountAutomation(ChangeSecretMixin, AccountBaseAutomation):
-    triggers = models.JSONField(max_length=16, default=list, verbose_name=_('Triggers'))
-    username = models.CharField(max_length=128, verbose_name=_('Username'))
-    action = models.CharField(max_length=16, verbose_name=_('Action'))
-
-    def set_period_schedule(self):
-        pass
-
-    @property
-    def dynamic_username(self):
-        return self.username == '@USER'
-
-    @dynamic_username.setter
-    def dynamic_username(self, value):
-        if value:
-            self.username = '@USER'
-
-    def save(self, *args, **kwargs):
-        self.type = AutomationTypes.push_account
-        if not has_valid_xpack_license():
-            self.is_periodic = False
-        super().save(*args, **kwargs)
-
-    def to_attr_json(self):
-        attr_json = super().to_attr_json()
-        attr_json.update({
-            'username': self.username
-        })
-        return attr_json
-
-    class Meta:
-        verbose_name = _("Push asset account")

apps/accounts/models/automations/verify_account.py

@@ -1,15 +0,0 @@
-from django.utils.translation import ugettext_lazy as _
-
-from accounts.const import AutomationTypes
-from .base import AccountBaseAutomation
-
-__all__ = ['VerifyAccountAutomation']
-
-
-class VerifyAccountAutomation(AccountBaseAutomation):
-    def save(self, *args, **kwargs):
-        self.type = AutomationTypes.verify_account
-        super().save(*args, **kwargs)
-
-    class Meta:
-        verbose_name = _("Verify asset account")

apps/accounts/models/base.py

@@ -1,157 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-import os
-from hashlib import md5
-
-import sshpubkeys
-from django.conf import settings
-from django.db import models
-from django.utils.translation import ugettext_lazy as _
-
-from accounts.const import SecretType
-from common.db import fields
-from common.utils import (
-    ssh_key_string_to_obj, ssh_key_gen, get_logger,
-    random_string, lazyproperty, parse_ssh_public_key_str
-)
-from orgs.mixins.models import JMSOrgBaseModel, OrgManager
-
-logger = get_logger(__file__)
-
-
-class BaseAccountQuerySet(models.QuerySet):
-    def active(self):
-        return self.filter(is_active=True)
-
-
-class BaseAccountManager(OrgManager):
-    def active(self):
-        return self.get_queryset().active()
-
-
-class BaseAccount(JMSOrgBaseModel):
-    name = models.CharField(max_length=128, verbose_name=_("Name"))
-    username = models.CharField(max_length=128, blank=True, verbose_name=_('Username'), db_index=True)
-    secret_type = models.CharField(
-        max_length=16, choices=SecretType.choices, default=SecretType.PASSWORD, verbose_name=_('Secret type')
-    )
-    secret = fields.EncryptTextField(blank=True, null=True, verbose_name=_('Secret'))
-    privileged = models.BooleanField(verbose_name=_("Privileged"), default=False)
-    is_active = models.BooleanField(default=True, verbose_name=_("Is active"))
-
-    objects = BaseAccountManager.from_queryset(BaseAccountQuerySet)()
-
-    @property
-    def has_secret(self):
-        return bool(self.secret)
-
-    @property
-    def has_username(self):
-        return bool(self.username)
-
-    @property
-    def spec_info(self):
-        data = {}
-        if self.secret_type != SecretType.SSH_KEY:
-            return data
-        data['ssh_key_fingerprint'] = self.ssh_key_fingerprint
-        return data
-
-    @property
-    def password(self):
-        if self.secret_type == SecretType.PASSWORD:
-            return self.secret
-        return None
-
-    @property
-    def private_key(self):
-        if self.secret_type == SecretType.SSH_KEY:
-            return self.secret
-        return None
-
-    @private_key.setter
-    def private_key(self, value):
-        self.secret = value
-        self.secret_type = SecretType.SSH_KEY
-
-    @lazyproperty
-    def public_key(self):
-        if self.secret_type == SecretType.SSH_KEY and self.private_key:
-            return parse_ssh_public_key_str(self.private_key)
-        return None
-
-    @property
-    def ssh_key_fingerprint(self):
-        if self.public_key:
-            public_key = self.public_key
-        elif self.private_key:
-            try:
-                public_key = parse_ssh_public_key_str(self.private_key)
-            except IOError as e:
-                return str(e)
-        else:
-            return ''
-
-        if not public_key:
-            return ''
-
-        public_key_obj = sshpubkeys.SSHKey(public_key)
-        fingerprint = public_key_obj.hash_md5()
-        return fingerprint
-
-    @property
-    def private_key_obj(self):
-        if self.private_key:
-            key_obj = ssh_key_string_to_obj(self.private_key)
-            return key_obj
-        else:
-            return None
-
-    @property
-    def private_key_path(self):
-        if self.secret_type != SecretType.SSH_KEY \
-                or not self.secret \
-                or not self.private_key:
-            return None
-        project_dir = settings.PROJECT_DIR
-        tmp_dir = os.path.join(project_dir, 'tmp')
-        key_name = '.' + md5(self.private_key.encode('utf-8')).hexdigest()
-        key_path = os.path.join(tmp_dir, key_name)
-        if not os.path.exists(key_path):
-            self.private_key_obj.write_private_key_file(key_path)
-            os.chmod(key_path, 0o400)
-        return key_path
-
-    def get_private_key(self):
-        if not self.private_key:
-            return None
-        return self.private_key
-
-    @property
-    def public_key_obj(self):
-        if self.public_key:
-            try:
-                return sshpubkeys.SSHKey(self.public_key)
-            except TabError:
-                pass
-        return None
-
-    @staticmethod
-    def gen_password(length=36):
-        return random_string(length, special_char=True)
-
-    @staticmethod
-    def gen_key(username):
-        private_key, public_key = ssh_key_gen(username=username)
-        return private_key, public_key
-
-    def _to_secret_json(self):
-        """Push system user use it"""
-        return {
-            'name': self.name,
-            'username': self.username,
-            'public_key': self.public_key,
-        }
-
-    class Meta:
-        abstract = True

apps/accounts/notifications.py

@@ -1,53 +0,0 @@
-from django.utils.translation import ugettext_lazy as _
-
-from common.tasks import send_mail_attachment_async
-from users.models import User
-
-
-class AccountBackupExecutionTaskMsg(object):
-    subject = _('Notification of account backup route task results')
-
-    def __init__(self, name: str, user: User):
-        self.name = name
-        self.user = user
-
-    @property
-    def message(self):
-        name = self.name
-        if self.user.secret_key:
-            return _('{} - The account backup passage task has been completed.'
-                     ' See the attachment for details').format(name)
-        else:
-            return _("{} - The account backup passage task has been completed: "
-                     "the encryption password has not been set - "
-                     "please go to personal information -> file encryption password "
-                     "to set the encryption password").format(name)
-
-    def publish(self, attachment_list=None):
-        send_mail_attachment_async(
-            self.subject, self.message, [self.user.email], attachment_list
-        )
-
-
-class ChangeSecretExecutionTaskMsg(object):
-    subject = _('Notification of implementation result of encryption change plan')
-
-    def __init__(self, name: str, user: User):
-        self.name = name
-        self.user = user
-
-    @property
-    def message(self):
-        name = self.name
-        if self.user.secret_key:
-            return _('{} - The encryption change task has been completed. '
-                     'See the attachment for details').format(name)
-        else:
-            return _("{} - The encryption change task has been completed: the encryption "
-                     "password has not been set - please go to personal information -> "
-                     "file encryption password to set the encryption password").format(name)
-
-    def publish(self, attachments=None):
-        send_mail_attachment_async(
-            self.subject, self.message, [self.user.email], attachments
-        )