fix: pubkey auth require svc sign

Revert "perf: 锁定 Cython==0.29.35 增加 pip 选项 --use-deprecated=legacy-resolver"

.dockerignore

@@ -1,5 +1,4 @@
 .git
-logs/*
 data/*
 .github
 tmp/*

.github/ISSUE_TEMPLATE/----.md

@@ -6,8 +6,7 @@ labels: 类型:需求
 assignees: 
   - ibuler
   - baijiangjie
-
-
+  - wojiushixiaobai
 ---
 
 **请描述您的需求或者改进建议.**

.github/workflows/issue-comment.yml

@@ -21,17 +21,44 @@ jobs:
           actions: 'remove-labels'
           labels: '状态:待反馈'
 
-  add-label-if-not-author:
+  add-label-if-is-member:
     runs-on: ubuntu-latest
-    if: (github.event.issue.user.id != github.event.comment.user.id) && !github.event.issue.pull_request && (github.event.issue.state == 'open')
     steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+
+      - name: Get Organization name
+        id: org_name
+        run: echo "data=$(echo '${{ github.repository }}' | cut -d '/' -f 1)" >> $GITHUB_OUTPUT
+
+      - name: Get Organization public members
+        uses: octokit/request-action@v2.x
+        id: members
+        with:
+          route: GET /orgs/${{ steps.org_name.outputs.data }}/public_members
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Process public members data
+        # 将 members 中的数据转化为 login 字段的拼接字符串
+        id: member_names
+        run: echo "data=$(echo '${{ steps.members.outputs.data }}' | jq '[.[].login] | join(",")')" >> $GITHUB_OUTPUT
+
+
+      - run: "echo members: '${{ steps.members.outputs.data }}'"
+      - run: "echo member names: '${{ steps.member_names.outputs.data }}'"
+      - run: "echo comment user: '${{ github.event.comment.user.login }}'"
+      - run: "echo contains? : '${{ contains(steps.member_names.outputs.data, github.event.comment.user.login) }}'"
+
       - name: Add require replay label
+        if: contains(steps.member_names.outputs.data, github.event.comment.user.login)
         uses: actions-cool/issues-helper@v2
         with:
           actions: 'add-labels'
           labels: '状态:待反馈'
 
       - name: Remove require handle label
+        if: contains(steps.member_names.outputs.data, github.event.comment.user.login)
         uses: actions-cool/issues-helper@v2
         with:
           actions: 'remove-labels'

.gitignore

@@ -35,7 +35,6 @@ celerybeat-schedule.db
 docs/_build/
 xpack
 xpack.bak
-logs/*
 ### Vagrant ###
 .vagrant/
 release/*

Dockerfile

@@ -1,4 +1,4 @@
-FROM python:3.9-slim as stage-build
+FROM jumpserver/python:3.9-slim-buster as stage-build
 ARG TARGETARCH
 
 ARG VERSION
@@ -8,7 +8,7 @@ WORKDIR /opt/jumpserver
 ADD . .
 RUN cd utils && bash -ixeu build.sh
 
-FROM python:3.9-slim
+FROM jumpserver/python:3.9-slim-buster
 ARG TARGETARCH
 MAINTAINER JumpServer Team <ibuler@qq.com>
 
@@ -22,11 +22,14 @@ ARG DEPENDENCIES="                    \
         libpq-dev                     \
         libffi-dev                    \
         libjpeg-dev                   \
+        libkrb5-dev                   \
         libldap2-dev                  \
         libsasl2-dev                  \
+        libssl-dev                    \
         libxml2-dev                   \
         libxmlsec1-dev                \
         libxmlsec1-openssl            \
+        freerdp2-dev                  \
         libaio-dev"
 
 ARG TOOLS="                           \
@@ -65,27 +68,35 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=core \
 
 ARG DOWNLOAD_URL=https://download.jumpserver.org
 
-RUN mkdir -p /opt/oracle/ \
-    && cd /opt/oracle/ \
-    && wget ${DOWNLOAD_URL}/public/instantclient-basiclite-linux.${TARGETARCH}-19.10.0.0.0.zip \
-    && unzip instantclient-basiclite-linux.${TARGETARCH}-19.10.0.0.0.zip \
-    && sh -c "echo /opt/oracle/instantclient_19_10 > /etc/ld.so.conf.d/oracle-instantclient.conf" \
-    && ldconfig \
-    && rm -f instantclient-basiclite-linux.${TARGETARCH}-19.10.0.0.0.zip
+RUN set -ex \
+    && \
+    if [ "${TARGETARCH}" == "amd64" ] || [ "${TARGETARCH}" == "arm64" ]; then \
+        mkdir -p /opt/oracle; \
+        cd /opt/oracle; \
+        wget ${DOWNLOAD_URL}/public/instantclient-basiclite-linux.${TARGETARCH}-19.10.0.0.0.zip; \
+        unzip instantclient-basiclite-linux.${TARGETARCH}-19.10.0.0.0.zip; \
+        echo "/opt/oracle/instantclient_19_10" > /etc/ld.so.conf.d/oracle-instantclient.conf; \
+        ldconfig; \
+        rm -f instantclient-basiclite-linux.${TARGETARCH}-19.10.0.0.0.zip; \
+    fi
 
 WORKDIR /tmp/build
 COPY ./requirements ./requirements
 
 ARG PIP_MIRROR=https://pypi.douban.com/simple
-ENV PIP_MIRROR=$PIP_MIRROR
 ARG PIP_JMS_MIRROR=https://pypi.douban.com/simple
-ENV PIP_JMS_MIRROR=$PIP_JMS_MIRROR
 
 RUN --mount=type=cache,target=/root/.cache/pip \
     set -ex \
     && pip config set global.index-url ${PIP_MIRROR} \
     && pip install --upgrade pip \
     && pip install --upgrade setuptools wheel \
+    && \
+    if [ "${TARGETARCH}" == "loong64" ]; then \
+        pip install https://download.jumpserver.org/pypi/simple/cryptography/cryptography-38.0.4-cp39-cp39-linux_loongarch64.whl; \
+        pip install https://download.jumpserver.org/pypi/simple/greenlet/greenlet-1.1.2-cp39-cp39-linux_loongarch64.whl; \
+        pip install https://download.jumpserver.org/pypi/simple/PyNaCl/PyNaCl-1.5.0-cp39-cp39-linux_loongarch64.whl; \
+    fi \
     && pip install $(grep -E 'jms|jumpserver' requirements/requirements.txt) -i ${PIP_JMS_MIRROR} \
     && pip install -r requirements/requirements.txt
 

Dockerfile-ee

@@ -1,10 +1,21 @@
 ARG VERSION
 FROM registry.fit2cloud.com/jumpserver/xpack:${VERSION} as build-xpack
 FROM jumpserver/core:${VERSION}
+ARG TARGETARCH
+
 COPY --from=build-xpack /opt/xpack /opt/jumpserver/apps/xpack
 
 WORKDIR /opt/jumpserver
+ARG ORACLE_VERSION=1.4.0b1
 
 RUN --mount=type=cache,target=/root/.cache/pip \
     set -ex \
+    && \
+    if [ "${TARGETARCH}" == "amd64" ] || [ "${TARGETARCH}" == "arm64" ] || [ "${TARGETARCH}" == "loong64" ]; then \
+        pip install https://download.jumpserver.org/pypi/simple/oracledb/oracledb-${ORACLE_VERSION}-cp39-cp39-linux_$(uname -m).whl; \
+    fi \
+    && \
+    if [ "${TARGETARCH}" == "loong64" ]; then \
+        pip install https://download.jumpserver.org/pypi/simple/grpcio/grpcio-1.54.2-cp39-cp39-linux_loongarch64.whl; \
+    fi \
     && pip install -r requirements/requirements_xpack.txt

Dockerfile.loong64

@@ -1,96 +0,0 @@
-FROM python:3.9-slim as stage-build
-ARG TARGETARCH
-
-ARG VERSION
-ENV VERSION=$VERSION
-
-WORKDIR /opt/jumpserver
-ADD . .
-RUN cd utils && bash -ixeu build.sh
-
-FROM python:3.9-slim
-ARG TARGETARCH
-MAINTAINER JumpServer Team <ibuler@qq.com>
-
-ARG BUILD_DEPENDENCIES="              \
-        g++                           \
-        make                          \
-        pkg-config"
-
-ARG DEPENDENCIES="                    \
-        freetds-dev                   \
-        libpq-dev                     \
-        libffi-dev                    \
-        libjpeg-dev                   \
-        libldap2-dev                  \
-        libsasl2-dev                  \
-        libssl-dev                    \
-        libxml2-dev                   \
-        libxmlsec1-dev                \
-        libxmlsec1-openssl            \
-        libaio-dev"
-
-ARG TOOLS="                           \
-        ca-certificates               \
-        curl                          \
-        default-libmysqlclient-dev    \
-        default-mysql-client          \
-        locales                       \
-        openssh-client                \
-        procps                        \
-        sshpass                       \
-        telnet                        \
-        unzip                         \
-        vim                           \
-        git                           \
-        wget"
-
-RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=core \
-    set -ex \
-    && ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
-    && apt-get update \
-    && apt-get -y install --no-install-recommends ${BUILD_DEPENDENCIES} \
-    && apt-get -y install --no-install-recommends ${DEPENDENCIES} \
-    && apt-get -y install --no-install-recommends ${TOOLS} \
-    && mkdir -p /root/.ssh/ \
-    && echo "Host *\n\tStrictHostKeyChecking no\n\tUserKnownHostsFile /dev/null\n\tCiphers +aes128-cbc\n\tKexAlgorithms +diffie-hellman-group1-sha1\n\tHostKeyAlgorithms +ssh-rsa" > /root/.ssh/config \
-    && echo "set mouse-=a" > ~/.vimrc \
-    && echo "no" | dpkg-reconfigure dash \
-    && echo "zh_CN.UTF-8" | dpkg-reconfigure locales \
-    && sed -i "s@# export @export @g" ~/.bashrc \
-    && sed -i "s@# alias @alias @g" ~/.bashrc \
-    && rm -rf /var/lib/apt/lists/*
-
-WORKDIR /tmp/build
-COPY ./requirements ./requirements
-
-ARG PIP_MIRROR=https://pypi.douban.com/simple
-ENV PIP_MIRROR=$PIP_MIRROR
-ARG PIP_JMS_MIRROR=https://pypi.douban.com/simple
-ENV PIP_JMS_MIRROR=$PIP_JMS_MIRROR
-
-RUN --mount=type=cache,target=/root/.cache/pip \
-    set -ex \
-    && pip config set global.index-url ${PIP_MIRROR} \
-    && pip install --upgrade pip \
-    && pip install --upgrade setuptools wheel \
-    && pip install https://download.jumpserver.org/pypi/simple/cryptography/cryptography-38.0.4-cp39-cp39-linux_loongarch64.whl \
-    && pip install https://download.jumpserver.org/pypi/simple/greenlet/greenlet-1.1.2-cp39-cp39-linux_loongarch64.whl \
-    && pip install https://download.jumpserver.org/pypi/simple/PyNaCl/PyNaCl-1.5.0-cp39-cp39-linux_loongarch64.whl \
-    && pip install https://download.jumpserver.org/pypi/simple/grpcio/grpcio-1.54.0-cp39-cp39-linux_loongarch64.whl \
-    && pip install $(grep -E 'jms|jumpserver' requirements/requirements.txt) -i ${PIP_JMS_MIRROR} \
-    && pip install -r requirements/requirements.txt
-
-COPY --from=stage-build /opt/jumpserver/release/jumpserver /opt/jumpserver
-RUN echo > /opt/jumpserver/config.yml \
-    && rm -rf /tmp/build
-
-WORKDIR /opt/jumpserver
-VOLUME /opt/jumpserver/data
-VOLUME /opt/jumpserver/logs
-
-ENV LANG=zh_CN.UTF-8
-
-EXPOSE 8080
-
-ENTRYPOINT ["./entrypoint.sh"]

README.md

@@ -17,14 +17,19 @@
     9 年时间，倾情投入，用心做好一款开源堡垒机。
 </p>
 
-|                                                  :warning: 注意 :warning:                                                   |
-|:-------------------------------------------------------------------------------------------------------------------------:|
-| 3.0 架构上和 2.0 变化较大，建议全新安装一套环境来体验。如需升级，请务必升级前进行备份，并[查阅文档](https://kb.fit2cloud.com/?p=06638d69-f109-4333-b5bf-65b17b297ed9) |
-
---------------------------
-
 JumpServer 是广受欢迎的开源堡垒机，是符合 4A 规范的专业运维安全审计系统。
 
+JumpServer 堡垒机帮助企业以更安全的方式管控和登录各种类型的资产，包括：
+
+- **SSH**: Linux / Unix / 网络设备 等；
+- **Windows**: Web 方式连接 / 原生 RDP 连接；
+- **数据库**: MySQL / MariaDB / PostgreSQL / Oracle / SQLServer / ClickHouse 等；
+- **NoSQL**: Redis / MongoDB 等；
+- **GPT**: ChatGPT 等;
+- **云服务**: Kubernetes / VMware vSphere 等;
+- **Web 站点**: 各类系统的 Web 管理后台；
+- **应用**: 通过 Remote App 连接各类应用。
+
 ## 产品特色
 
 - **开源**: 零门槛，线上快速获取和安装；
@@ -33,8 +38,6 @@ JumpServer 是广受欢迎的开源堡垒机，是符合 4A 规范的专业运
 - **多云支持**: 一套系统，同时管理不同云上面的资产；
 - **多租户**: 一套系统，多个子公司或部门同时使用；
 - **云端存储**: 审计录像云端存储，永不丢失；
-- **多应用支持**: 全面支持各类资产，包括服务器、数据库、Windows RemoteApp、Kubernetes 等;
-- **安全可靠**: 被广泛使用、验证和信赖，连续 9 年的持续研发投入和产品更新升级。
 
 ## UI 展示
 
@@ -72,14 +75,11 @@ JumpServer 是广受欢迎的开源堡垒机，是符合 4A 规范的专业运
 - [东方明珠：JumpServer高效管控异构化、分布式云端资产](https://blog.fit2cloud.com/?p=687)
 - [江苏农信：JumpServer堡垒机助力行业云安全运维](https://blog.fit2cloud.com/?p=666)
 
-## 社区
+## 社区交流
 
-如果您在使用过程中有任何疑问或对建议，欢迎提交 [GitHub Issue](https://github.com/jumpserver/jumpserver/issues/new/choose)
-或加入到我们的社区当中进行进一步交流沟通。
+如果您在使用过程中有任何疑问或对建议，欢迎提交 [GitHub Issue](https://github.com/jumpserver/jumpserver/issues/new/choose)。
 
-### 微信交流群
-
-<img src="https://download.jumpserver.org/images/wecom-group.jpeg" alt="微信群二维码" width="200"/>
+您也可以到我们的 [社区论坛](https://bbs.fit2cloud.com/c/js/5) 当中进行交流沟通。
 
 ### 参与贡献
 
@@ -90,12 +90,17 @@ JumpServer 是广受欢迎的开源堡垒机，是符合 4A 规范的专业运
 ## 组件项目
 
 | 项目                                                     | 状态                                                                                                                                                                     | 描述                                                                                |
-|--------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------|
+|--------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------|
 | [Lina](https://github.com/jumpserver/lina)             | <a href="https://github.com/jumpserver/lina/releases"><img alt="Lina release" src="https://img.shields.io/github/release/jumpserver/lina.svg" /></a>                   | JumpServer Web UI 项目                                                              |
 | [Luna](https://github.com/jumpserver/luna)             | <a href="https://github.com/jumpserver/luna/releases"><img alt="Luna release" src="https://img.shields.io/github/release/jumpserver/luna.svg" /></a>                   | JumpServer Web Terminal 项目                                                        |
-| [KoKo](https://github.com/jumpserver/koko)             | <a href="https://github.com/jumpserver/koko/releases"><img alt="Koko release" src="https://img.shields.io/github/release/jumpserver/koko.svg" /></a>                   | JumpServer 字符协议 Connector 项目，替代原来 Python 版本的 [Coco](https://github.com/jumpserver/coco) |
+| [KoKo](https://github.com/jumpserver/koko)             | <a href="https://github.com/jumpserver/koko/releases"><img alt="Koko release" src="https://img.shields.io/github/release/jumpserver/koko.svg" /></a>                   | JumpServer 字符协议 Connector 项目                                                      |
 | [Lion](https://github.com/jumpserver/lion-release)     | <a href="https://github.com/jumpserver/lion-release/releases"><img alt="Lion release" src="https://img.shields.io/github/release/jumpserver/lion-release.svg" /></a>   | JumpServer 图形协议 Connector 项目，依赖 [Apache Guacamole](https://guacamole.apache.org/) |
+| [Razor](https://github.com/jumpserver/razor)           | <img alt="Chen" src="https://img.shields.io/badge/release-私有发布-red" />                                                                                                 | JumpServer RDP 代理 Connector 项目                                                    |
+| [Tinker](https://github.com/jumpserver/tinker)         | <img alt="Tinker" src="https://img.shields.io/badge/release-私有发布-red" />                                                                                               | JumpServer 远程应用 Connector 项目                                                      |
 | [Magnus](https://github.com/jumpserver/magnus-release) | <a href="https://github.com/jumpserver/magnus-release/releases"><img alt="Magnus release" src="https://img.shields.io/github/release/jumpserver/magnus-release.svg" /> | JumpServer 数据库代理 Connector 项目                                                     |
+| [Chen](https://github.com/jumpserver/chen-release)     | <a href="https://github.com/jumpserver/chen-release/releases"><img alt="Chen release" src="https://img.shields.io/github/release/jumpserver/chen-release.svg" />       | JumpServer Web DB 项目，替代原来的 OmniDB                                                 |
+| [Kael](https://github.com/jumpserver/kael)             | <a href="https://github.com/jumpserver/kael/releases"><img alt="Kael release" src="https://img.shields.io/github/release/jumpserver/kael.svg" />                       | JumpServer 连接 GPT 资产的组件项目                                                         |
+| [Wisp](https://github.com/jumpserver/wisp)             | <a href="https://github.com/jumpserver/wisp/releases"><img alt="Magnus release" src="https://img.shields.io/github/release/jumpserver/wisp.svg" />                     | JumpServer 各系统终端组件和 Core Api 通信的组件项目                                              |
 | [Clients](https://github.com/jumpserver/clients)       | <a href="https://github.com/jumpserver/clients/releases"><img alt="Clients release" src="https://img.shields.io/github/release/jumpserver/clients.svg" />              | JumpServer 客户端 项目                                                                 |
 | [Installer](https://github.com/jumpserver/installer)   | <a href="https://github.com/jumpserver/installer/releases"><img alt="Installer release" src="https://img.shields.io/github/release/jumpserver/installer.svg" />        | JumpServer 安装包 项目                                                                 |
 
@@ -107,11 +112,6 @@ JumpServer是一款安全产品，请参考 [基本安全建议](https://docs.ju
 - 邮箱：support@fit2cloud.com
 - 电话：400-052-0755
 
-## 致谢
-
-- [Apache Guacamole](https://guacamole.apache.org/)： Web 页面连接 RDP、SSH、VNC 等协议资产，JumpServer Lion 组件使用到该项目；
-- [OmniDB](https://omnidb.org/)： Web 页面连接使用数据库，JumpServer Web 数据库组件使用到该项目。
-
 ## License & Copyright
 
 Copyright (c) 2014-2023 飞致云 FIT2CLOUD, All rights reserved.

apps/accounts/api/account/account.py

@@ -22,7 +22,7 @@ __all__ = [
 
 class AccountViewSet(OrgBulkModelViewSet):
     model = Account
-    search_fields = ('username', 'asset__address', 'name')
+    search_fields = ('username', 'name', 'asset__name', 'asset__address')
     filterset_class = AccountFilterSet
     serializer_classes = {
         'default': serializers.AccountSerializer,
@@ -32,6 +32,7 @@ class AccountViewSet(OrgBulkModelViewSet):
         'su_from_accounts': 'accounts.view_account',
         'clear_secret': 'accounts.change_account',
     }
+    export_as_zip = True
 
     @action(methods=['get'], detail=False, url_path='su-from-accounts')
     def su_from_accounts(self, request, *args, **kwargs):

apps/accounts/api/account/template.py

@@ -1,13 +1,15 @@
 from django_filters import rest_framework as drf_filters
+from rest_framework.decorators import action
+from rest_framework.response import Response
 
-from assets.const import Protocol
 from accounts import serializers
 from accounts.models import AccountTemplate
-from orgs.mixins.api import OrgBulkModelViewSet
-from rbac.permissions import RBACPermission
+from assets.const import Protocol
+from common.drf.filters import BaseFilterSet
 from common.permissions import UserConfirmation, ConfirmType
 from common.views.mixins import RecordViewLogMixin
-from common.drf.filters import BaseFilterSet
+from orgs.mixins.api import OrgBulkModelViewSet
+from rbac.permissions import RBACPermission
 
 
 class AccountTemplateFilterSet(BaseFilterSet):
@@ -27,6 +29,8 @@ class AccountTemplateFilterSet(BaseFilterSet):
                 continue
             _st = protocol_secret_type_map[p].get('secret_types', [])
             secret_types.update(_st)
+        if not secret_types:
+            secret_types = ['password']
         queryset = queryset.filter(secret_type__in=secret_types)
         return queryset
 
@@ -36,8 +40,19 @@ class AccountTemplateViewSet(OrgBulkModelViewSet):
     filterset_class = AccountTemplateFilterSet
     search_fields = ('username', 'name')
     serializer_classes = {
-        'default': serializers.AccountTemplateSerializer
+        'default': serializers.AccountTemplateSerializer,
     }
+    rbac_perms = {
+        'su_from_account_templates': 'accounts.view_accounttemplate',
+    }
+
+    @action(methods=['get'], detail=False, url_path='su-from-account-templates')
+    def su_from_account_templates(self, request, *args, **kwargs):
+        pk = request.query_params.get('template_id')
+        templates = AccountTemplate.get_su_from_account_templates(pk)
+        templates = self.filter_queryset(templates)
+        serializer = self.get_serializer(templates, many=True)
+        return Response(data=serializer.data)
 
 
 class AccountTemplateSecretsViewSet(RecordViewLogMixin, AccountTemplateViewSet):

apps/accounts/automations/change_secret/custom/ssh/main.yml

@@ -26,6 +26,7 @@
         password: "{{ account.secret }}"
         commands: "{{ params.commands }}"
         first_conn_delay_time: "{{ first_conn_delay_time | default(0.5) }}"
+      ignore_errors: true
       when: ping_info is succeeded
       register: change_info
 
@@ -35,6 +36,3 @@
         login_password: "{{ account.secret }}"
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
-      when:
-        - ping_info is succeeded
-        - change_info is succeeded

apps/accounts/automations/change_secret/custom/ssh/manifest.yml

@@ -15,5 +15,6 @@ params:
 
 i18n:
   SSH account change secret:
-    zh: SSH 账号改密
-    ja: SSH アカウントのパスワード変更
+    zh: 使用 SSH 命令行自定义改密
+    ja: SSH コマンドライン方式でカスタムパスワード変更
+    en: Custom password change by SSH command line

apps/accounts/automations/change_secret/database/mongodb/main.yml

@@ -38,8 +38,8 @@
         db: "{{ jms_asset.spec_info.db_name }}"
         name: "{{ account.username }}"
         password: "{{ account.secret }}"
+      ignore_errors: true
       when: db_info is succeeded
-      register: change_info
 
     - name: Verify password
       mongodb_ping:
@@ -53,6 +53,3 @@
         ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
         connection_options:
           - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
-      when:
-        - db_info is succeeded
-        - change_info is succeeded

apps/accounts/automations/change_secret/database/mongodb/manifest.yml

@@ -7,5 +7,6 @@ method: change_secret
 
 i18n:
   MongoDB account change secret:
-    zh: MongoDB 账号改密
-    ja: MongoDB アカウントのパスワード変更
+    zh: 使用 Ansible 模块 mongodb 执行 MongoDB 账号改密
+    ja: Ansible mongodb モジュールを使用して MongoDB アカウントのパスワード変更
+    en: Using Ansible module mongodb to change MongoDB account secret

apps/accounts/automations/change_secret/database/mysql/main.yml

@@ -28,8 +28,8 @@
         password: "{{ account.secret }}"
         host: "%"
         priv: "{{ account.username + '.*:USAGE' if db_name == '' else db_name + '.*:ALL' }}"
+      ignore_errors: true
       when: db_info is succeeded
-      register: change_info
 
     - name: Verify password
       community.mysql.mysql_info:
@@ -38,6 +38,3 @@
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
         filter: version
-      when:
-        - db_info is succeeded
-        - change_info is succeeded

apps/accounts/automations/change_secret/database/mysql/manifest.yml

@@ -8,5 +8,6 @@ method: change_secret
 
 i18n:
   MySQL account change secret:
-    zh: MySQL 账号改密
-    ja: MySQL アカウントのパスワード変更
+    zh: 使用 Ansible 模块 mysql 执行 MySQL 账号改密
+    ja: Ansible mysql モジュールを使用して MySQL アカウントのパスワード変更
+    en: Using Ansible module mysql to change MySQL account secret

apps/accounts/automations/change_secret/database/oracle/main.yml

@@ -29,8 +29,8 @@
         mode: "{{ jms_account.mode }}"
         name: "{{ account.username }}"
         password: "{{ account.secret }}"
+      ignore_errors: true
       when: db_info is succeeded
-      register: change_info
 
     - name: Verify password
       oracle_ping:
@@ -39,6 +39,3 @@
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
         login_database: "{{ jms_asset.spec_info.db_name }}"
-      when:
-        - db_info is succeeded
-        - change_info is succeeded

apps/accounts/automations/change_secret/database/postgresql/main.yml

@@ -29,8 +29,8 @@
         name: "{{ account.username }}"
         password: "{{ account.secret }}"
         role_attr_flags: LOGIN
+      ignore_errors: true
       when: result is succeeded
-      register: change_info
 
     - name: Verify password
       community.postgresql.postgresql_ping:
@@ -39,8 +39,3 @@
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
         db: "{{ jms_asset.spec_info.db_name }}"
-      when:
-        - result is succeeded
-        - change_info is succeeded
-      register: result
-      failed_when: not result.is_available

apps/accounts/automations/change_secret/database/sqlserver/main.yml

@@ -41,8 +41,8 @@
         login_port: "{{ jms_asset.port }}"
         name: '{{ jms_asset.spec_info.db_name }}'
         script: "ALTER LOGIN {{ account.username }} WITH PASSWORD = '{{ account.secret }}'; select @@version"
+      ignore_errors: true
       when: user_exist.query_results[0] | length != 0
-      register: change_info
 
     - name: Add SQLServer user
       community.general.mssql_script:
@@ -52,8 +52,8 @@
         login_port: "{{ jms_asset.port }}"
         name: '{{ jms_asset.spec_info.db_name }}'
         script: "CREATE LOGIN {{ account.username }} WITH PASSWORD = '{{ account.secret }}'; select @@version"
+      ignore_errors: true
       when: user_exist.query_results[0] | length == 0
-      register: change_info
 
     - name: Verify password
       community.general.mssql_script:
@@ -64,6 +64,3 @@
         name: '{{ jms_asset.spec_info.db_name }}'
         script: |
           SELECT @@version
-      when:
-        - db_info is succeeded
-        - change_info is succeeded

apps/accounts/automations/change_secret/host/aix/main.yml

@@ -1,21 +1,48 @@
 - hosts: demo
   gather_facts: no
   tasks:
-    - name: Test privileged account
+    - name: "Test privileged {{ jms_account.username }} account"
       ansible.builtin.ping:
 
-    - name: Change password
+    - name: "Check if {{ account.username }} user exists"
+      getent:
+        database: passwd
+        key: "{{ account.username }}"
+      register: user_info
+      ignore_errors: yes  # 忽略错误，如果用户不存在时不会导致playbook失败
+
+    - name: "Add {{ account.username }} user"
+      ansible.builtin.user:
+        name: "{{ account.username }}"
+        shell: "{{ params.shell }}"
+        home: "{{ params.home | default('/home/' + account.username, true) }}"
+        groups: "{{ params.groups }}"
+        expires: -1
+        state: present
+      when: user_info.failed
+
+    - name: "Add {{ account.username }} group"
+      ansible.builtin.group:
+        name: "{{ account.username }}"
+        state: present
+      when: user_info.failed
+
+    - name: "Add {{ account.username }} user to group"
+      ansible.builtin.user:
+        name: "{{ account.username }}"
+        groups: "{{ params.groups }}"
+      when:
+        - user_info.failed
+        - params.groups
+
+    - name: "Change {{ account.username }} password"
       ansible.builtin.user:
         name: "{{ account.username }}"
         password: "{{ account.secret | password_hash('des') }}"
         update_password: always
+      ignore_errors: true
       when: account.secret_type == "password"
 
-    - name: create user If it already exists, no operation will be performed
-      ansible.builtin.user:
-        name: "{{ account.username }}"
-      when: account.secret_type == "ssh_key"
-
     - name: remove jumpserver ssh key
       ansible.builtin.lineinfile:
         dest: "{{ ssh_params.dest }}"
@@ -25,17 +52,28 @@
         - account.secret_type == "ssh_key"
         - ssh_params.strategy == "set_jms"
 
-    - name: Change SSH key
+    - name: "Change {{ account.username }} SSH key"
       ansible.builtin.authorized_key:
         user: "{{ account.username }}"
         key: "{{ account.secret }}"
         exclusive: "{{ ssh_params.exclusive }}"
       when: account.secret_type == "ssh_key"
 
+    - name: "Set {{ account.username }} sudo setting"
+      ansible.builtin.lineinfile:
+        dest: /etc/sudoers
+        state: present
+        regexp: "^{{ account.username }} ALL="
+        line: "{{ account.username + ' ALL=(ALL) NOPASSWD: ' + params.sudo }}"
+        validate: visudo -cf %s
+      when:
+        - user_info.failed
+        - params.sudo
+
     - name: Refresh connection
       ansible.builtin.meta: reset_connection
 
-    - name: Verify password
+    - name: "Verify {{ account.username }} password"
       ansible.builtin.ping:
       become: no
       vars:
@@ -44,7 +82,7 @@
         ansible_become: no
       when: account.secret_type == "password"
 
-    - name: Verify SSH key
+    - name: "Verify {{ account.username }} SSH key"
       ansible.builtin.ping:
       become: no
       vars:

apps/accounts/automations/change_secret/host/aix/manifest.yml

@@ -4,8 +4,58 @@ category: host
 type:
   - AIX
 method: change_secret
+params:
+  - name: sudo
+    type: str
+    label: 'Sudo'
+    default: '/bin/whoami'
+    help_text: '使用逗号分隔多个命令，如: /bin/whoami,/sbin/ifconfig'
+
+  - name: shell
+    type: str
+    label: 'Shell'
+    default: '/bin/bash'
+
+  - name: home
+    type: str
+    label: "{{ 'Params home label' | trans }}"
+    default: ''
+    help_text: "{{ 'Params home help text' | trans }}"
+
+  - name: groups
+    type: str
+    label: "{{ 'Params groups label' | trans }}"
+    default: ''
+    help_text: "{{ 'Params groups help text' | trans }}"
 
 i18n:
   AIX account change secret:
-    zh: AIX 账号改密
-    ja: AIX アカウントのパスワード変更
+    zh: '使用 Ansible 模块 user 执行账号改密 (DES)'
+    ja: 'Ansible user モジュールを使用してアカウントのパスワード変更 (DES)'
+    en: 'Using Ansible module user to change account secret (DES)'
+
+  Params sudo help text:
+    zh: '使用逗号分隔多个命令，如: /bin/whoami,/sbin/ifconfig'
+    ja: 'コンマで区切って複数のコマンドを入力してください。例: /bin/whoami,/sbin/ifconfig'
+    en: 'Use commas to separate multiple commands, such as: /bin/whoami,/sbin/ifconfig'
+
+  Params home help text:
+    zh: '默认家目录 /home/{账号用户名}'
+    ja: 'デフォルトのホームディレクトリ /home/{アカウントユーザ名}'
+    en: 'Default home directory /home/{account username}'
+
+  Params groups help text:
+    zh: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
+    ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
+    en: 'Please enter the group. Multiple groups are separated by commas (please enter the existing group)'
+
+  Params home label:
+    zh: '家目录'
+    ja: 'ホームディレクトリ'
+    en: 'Home'
+
+  Params groups label:
+    zh: '用户组'
+    ja: 'グループ'
+    en: 'Groups'
+

apps/accounts/automations/change_secret/host/posix/main.yml

@@ -1,21 +1,48 @@
 - hosts: demo
   gather_facts: no
   tasks:
-    - name: Test privileged account
+    - name: "Test privileged {{ jms_account.username }} account"
       ansible.builtin.ping:
 
-    - name: Change password
+    - name: "Check if {{ account.username }} user exists"
+      getent:
+        database: passwd
+        key: "{{ account.username }}"
+      register: user_info
+      ignore_errors: yes  # 忽略错误，如果用户不存在时不会导致playbook失败
+
+    - name: "Add {{ account.username }} user"
+      ansible.builtin.user:
+        name: "{{ account.username }}"
+        shell: "{{ params.shell }}"
+        home: "{{ params.home | default('/home/' + account.username, true) }}"
+        groups: "{{ params.groups }}"
+        expires: -1
+        state: present
+      when: user_info.failed
+
+    - name: "Add {{ account.username }} group"
+      ansible.builtin.group:
+        name: "{{ account.username }}"
+        state: present
+      when: user_info.failed
+
+    - name: "Add {{ account.username }} user to group"
+      ansible.builtin.user:
+        name: "{{ account.username }}"
+        groups: "{{ params.groups }}"
+      when:
+        - user_info.failed
+        - params.groups
+
+    - name: "Change {{ account.username }} password"
       ansible.builtin.user:
         name: "{{ account.username }}"
         password: "{{ account.secret | password_hash('sha512') }}"
         update_password: always
+      ignore_errors: true
       when: account.secret_type == "password"
 
-    - name: create user If it already exists, no operation will be performed
-      ansible.builtin.user:
-        name: "{{ account.username }}"
-      when: account.secret_type == "ssh_key"
-
     - name: remove jumpserver ssh key
       ansible.builtin.lineinfile:
         dest: "{{ ssh_params.dest }}"
@@ -25,17 +52,28 @@
         - account.secret_type == "ssh_key"
         - ssh_params.strategy == "set_jms"
 
-    - name: Change SSH key
+    - name: "Change {{ account.username }} SSH key"
       ansible.builtin.authorized_key:
         user: "{{ account.username }}"
         key: "{{ account.secret }}"
         exclusive: "{{ ssh_params.exclusive }}"
       when: account.secret_type == "ssh_key"
 
+    - name: "Set {{ account.username }} sudo setting"
+      ansible.builtin.lineinfile:
+        dest: /etc/sudoers
+        state: present
+        regexp: "^{{ account.username }} ALL="
+        line: "{{ account.username + ' ALL=(ALL) NOPASSWD: ' + params.sudo }}"
+        validate: visudo -cf %s
+      when:
+        - user_info.failed
+        - params.sudo
+
     - name: Refresh connection
       ansible.builtin.meta: reset_connection
 
-    - name: Verify password
+    - name: "Verify {{ account.username }} password"
       ansible.builtin.ping:
       become: no
       vars:
@@ -44,7 +82,7 @@
         ansible_become: no
       when: account.secret_type == "password"
 
-    - name: Verify SSH key
+    - name: "Verify {{ account.username }} SSH key"
       ansible.builtin.ping:
       become: no
       vars:

apps/accounts/automations/change_secret/host/posix/manifest.yml

@@ -5,8 +5,59 @@ type:
   - unix
   - linux
 method: change_secret
+params:
+  - name: sudo
+    type: str
+    label: 'Sudo'
+    default: '/bin/whoami'
+    help_text: '使用逗号分隔多个命令，如: /bin/whoami,/sbin/ifconfig'
+
+  - name: shell
+    type: str
+    label: 'Shell'
+    default: '/bin/bash'
+    help_text: ''
+
+  - name: home
+    type: str
+    label: "{{ 'Params home label' | trans }}"
+    default: ''
+    help_text: "{{ 'Params home help text' | trans }}"
+
+  - name: groups
+    type: str
+    label: "{{ 'Params groups label' | trans }}"
+    default: ''
+    help_text: "{{ 'Params groups help text' | trans }}"
 
 i18n:
   Posix account change secret:
-    zh: Posix 账号改密
-    ja: Posix アカウントのパスワード変更
+    zh: '使用 Ansible 模块 user 执行账号改密 (SHA512)'
+    ja: 'Ansible user モジュールを使用して アカウントのパスワード変更 (SHA512)'
+    en: 'Using Ansible module user to change account secret (SHA512)'
+
+  Params sudo help text:
+    zh: '使用逗号分隔多个命令，如: /bin/whoami,/sbin/ifconfig'
+    ja: 'コンマで区切って複数のコマンドを入力してください。例: /bin/whoami,/sbin/ifconfig'
+    en: 'Use commas to separate multiple commands, such as: /bin/whoami,/sbin/ifconfig'
+
+  Params home help text:
+    zh: '默认家目录 /home/{账号用户名}'
+    ja: 'デフォルトのホームディレクトリ /home/{アカウントユーザ名}'
+    en: 'Default home directory /home/{account username}'
+
+  Params groups help text:
+    zh: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
+    ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
+    en: 'Please enter the group. Multiple groups are separated by commas (please enter the existing group)'
+
+  Params home label:
+    zh: '家目录'
+    ja: 'ホームディレクトリ'
+    en: 'Home'
+
+  Params groups label:
+    zh: '用户组'
+    ja: 'グループ'
+    en: 'Groups'
+

apps/accounts/automations/change_secret/host/windows/main.yml

@@ -8,19 +8,16 @@
 #      debug:
 #        msg: "Username: {{ account.username }}, Password: {{ account.secret }}"
 
-
-    - name: Get groups of a Windows user
-      ansible.windows.win_user:
-        name: "{{ jms_account.username }}"
-      register: user_info
-
     - name: Change password
       ansible.windows.win_user:
+        fullname: "{{ account.username}}"
         name: "{{ account.username }}"
         password: "{{ account.secret }}"
-        groups: "{{ user_info.groups[0].name }}"
+        password_never_expires: yes
+        groups: "{{ params.groups }}"
         groups_action: add
         update_password: always
+      ignore_errors: true
       when: account.secret_type == "password"
 
     - name: Refresh connection

apps/accounts/automations/change_secret/host/windows/manifest.yml

@@ -5,8 +5,22 @@ method: change_secret
 category: host
 type:
   - windows
+params:
+  - name: groups
+    type: str
+    label: '用户组'
+    default: 'Users,Remote Desktop Users'
+    help_text: "{{ 'Params groups help text' | trans }}"
+
 
 i18n:
   Windows account change secret:
-    zh: Windows 账号改密
-    ja: Windows アカウントのパスワード変更
+    zh: '使用 Ansible 模块 win_user 执行 Windows 账号改密'
+    ja: 'Ansible win_user モジュールを使用して Windows アカウントのパスワード変更'
+    en: 'Using Ansible module win_user to change Windows account secret'
+
+  Params groups help text:
+    zh: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
+    ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
+    en: 'Please enter the group. Multiple groups are separated by commas (please enter the existing group)'
+

apps/accounts/automations/change_secret/manager.py

@@ -72,14 +72,14 @@ class ChangeSecretManager(AccountBasePlaybookManager):
             return []
 
         asset = privilege_account.asset
-        accounts = asset.accounts.exclude(username=privilege_account.username)
+        accounts = asset.accounts.all()
         accounts = accounts.filter(id__in=self.account_ids)
         if self.secret_type:
             accounts = accounts.filter(secret_type=self.secret_type)
 
         if settings.CHANGE_AUTH_PLAN_SECURE_MODE_ENABLED:
             accounts = accounts.filter(privileged=False).exclude(
-                username__in=['root', 'administrator']
+                username__in=['root', 'administrator', privilege_account.username]
             )
         return accounts
 

apps/accounts/automations/gather_accounts/filter.py

@@ -1,3 +1,5 @@
+import re
+
 from django.utils import timezone
 
 __all__ = ['GatherAccountsFilter']
@@ -13,8 +15,8 @@ class GatherAccountsFilter:
     def mysql_filter(info):
         result = {}
         for _, user_dict in info.items():
-            for username, data in user_dict.items():
-                if data.get('account_locked') == 'N':
+            for username, _ in user_dict.items():
+                if len(username.split('.')) == 1:
                     result[username] = {}
         return result
 
@@ -27,18 +29,25 @@ class GatherAccountsFilter:
 
     @staticmethod
     def posix_filter(info):
+        username_pattern = re.compile(r'^(\S+)')
+        ip_pattern = re.compile(r'(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})')
+        login_time_pattern = re.compile(r'\w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}')
         result = {}
         for line in info:
-            data = line.split('@')
-            if len(data) == 1:
-                result[line] = {}
+            usernames = username_pattern.findall(line)
+            username = ''.join(usernames)
+            if username:
+                result[username] = {}
+            else:
                 continue
-
-            if len(data) != 3:
-                continue
-            username, address, dt = data
-            date = timezone.datetime.strptime(f'{dt} +0800', '%b %d %H:%M:%S %Y %z')
-            result[username] = {'address': address, 'date': date}
+            ip_addrs = ip_pattern.findall(line)
+            ip_addr = ''.join(ip_addrs)
+            if ip_addr:
+                result[username].update({'address': ip_addr})
+            login_times = login_time_pattern.findall(line)
+            if login_times:
+                date = timezone.datetime.strptime(f'{login_times[0]} +0800', '%b %d %H:%M:%S %Y %z')
+                result[username].update({'date': date})
         return result
 
     @staticmethod

apps/accounts/automations/gather_accounts/host/posix/main.yml

@@ -5,7 +5,7 @@
       ansible.builtin.shell:
         cmd: >
           users=$(getent passwd | grep -v nologin | grep -v shutdown | awk -F":" '{ print $1 }');for i in $users;
-          do k=$(last -w -F $i -1 | head -1 | grep -v ^$ | awk '{ print $1"@"$3"@"$5,$6,$7,$8 }')
+          do k=$(last -w -F $i -1 | head -1 | grep -v ^$ | awk '{ print $0 }')
             if [ -n "$k" ]; then
               echo $k
             else

apps/accounts/automations/gather_accounts/host/posix/manifest.yml

@@ -8,5 +8,6 @@ method: gather_accounts
 
 i18n:
   Posix account gather:
-    zh: Posix 账号收集
-    ja: Posix アカウントの収集
+    zh: 使用命令 getent passwd 收集 Posix 资产账号
+    ja: コマンド getent を使用してアセットアカウントを収集する
+    en: Using command getent to gather accounts

apps/accounts/automations/gather_accounts/host/windows/manifest.yml

@@ -8,5 +8,6 @@ type:
 
 i18n:
   Windows account gather:
-    zh: Windows 账号收集
-    ja: Windows アカウントの収集
+    zh: 使用命令 net user 收集 Windows 账号
+    ja: コマンド net user を使用して Windows アカウントを収集する
+    en: Using command net user to gather accounts

apps/accounts/automations/push_account/database/mongodb/main.yml

@@ -38,8 +38,8 @@
         db: "{{ jms_asset.spec_info.db_name }}"
         name: "{{ account.username }}"
         password: "{{ account.secret }}"
+      ignore_errors: true
       when: db_info is succeeded
-      register: change_info
 
     - name: Verify password
       mongodb_ping:
@@ -53,6 +53,3 @@
         ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
         connection_options:
           - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
-      when:
-        - db_info is succeeded
-        - change_info is succeeded

apps/accounts/automations/push_account/database/mongodb/manifest.yml

@@ -7,5 +7,6 @@ method: push_account
 
 i18n:
   MongoDB account push:
-    zh: MongoDB 账号推送
-    ja: MongoDB アカウントのプッシュ
+    zh: 使用 Ansible 模块 mongodb 执行 MongoDB 账号推送
+    ja: Ansible mongodb モジュールを使用してアカウントをプッシュする
+    en: Using Ansible module mongodb to push account

apps/accounts/automations/push_account/database/mysql/main.yml

@@ -28,8 +28,8 @@
         password: "{{ account.secret }}"
         host: "%"
         priv: "{{ account.username + '.*:USAGE' if db_name == '' else db_name + '.*:ALL' }}"
+      ignore_errors: true
       when: db_info is succeeded
-      register: change_info
 
     - name: Verify password
       community.mysql.mysql_info:
@@ -38,6 +38,3 @@
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
         filter: version
-      when:
-        - db_info is succeeded
-        - change_info is succeeded

apps/accounts/automations/push_account/database/mysql/manifest.yml

@@ -8,5 +8,6 @@ method: push_account
 
 i18n:
   MySQL account push:
-    zh: MySQL 账号推送
-    ja: MySQL アカウントのプッシュ
+    zh: 使用 Ansible 模块 mysql 执行 MySQL 账号推送
+    ja: Ansible mysql モジュールを使用してアカウントをプッシュする
+    en: Using Ansible module mysql to push account

apps/accounts/automations/push_account/database/oracle/main.yml

@@ -29,8 +29,8 @@
         mode: "{{ jms_account.mode }}"
         name: "{{ account.username }}"
         password: "{{ account.secret }}"
+      ignore_errors: true
       when: db_info is succeeded
-      register: change_info
 
     - name: Verify password
       oracle_ping:
@@ -39,6 +39,3 @@
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
         login_database: "{{ jms_asset.spec_info.db_name }}"
-      when:
-        - db_info is succeeded
-        - change_info is succeeded

apps/accounts/automations/push_account/database/oracle/manifest.yml

@@ -7,5 +7,6 @@ method: push_account
 
 i18n:
   Oracle account push:
-    zh: Oracle 账号推送
-    ja: Oracle アカウントのプッシュ
+    zh: 使用 Python 模块 oracledb 执行 Oracle 账号推送
+    ja: Python oracledb モジュールを使用してアカウントをプッシュする
+    en: Using Python module oracledb to push account

apps/accounts/automations/push_account/database/postgresql/main.yml

@@ -29,8 +29,8 @@
         name: "{{ account.username }}"
         password: "{{ account.secret }}"
         role_attr_flags: LOGIN
+      ignore_errors: true
       when: result is succeeded
-      register: change_info
 
     - name: Verify password
       community.postgresql.postgresql_ping:
@@ -42,5 +42,3 @@
       when:
         - result is succeeded
         - change_info is succeeded
-      register: result
-      failed_when: not result.is_available

apps/accounts/automations/push_account/database/postgresql/manifest.yml

@@ -7,5 +7,6 @@ method: push_account
 
 i18n:
   PostgreSQL account push:
-    zh: PostgreSQL 账号推送
-    ja: PostgreSQL アカウントのプッシュ
+    zh: 使用 Ansible 模块 postgresql 执行 PostgreSQL 账号推送
+    ja: Ansible postgresql モジュールを使用してアカウントをプッシュする
+    en: Using Ansible module postgresql to push account

apps/accounts/automations/push_account/database/sqlserver/main.yml

@@ -41,6 +41,7 @@
         login_port: "{{ jms_asset.port }}"
         name: '{{ jms_asset.spec_info.db_name }}'
         script: "ALTER LOGIN {{ account.username }} WITH PASSWORD = '{{ account.secret }}'; select @@version"
+      ignore_errors: true
       when: user_exist.query_results[0] | length != 0
       register: change_info
 
@@ -52,6 +53,7 @@
         login_port: "{{ jms_asset.port }}"
         name: '{{ jms_asset.spec_info.db_name }}'
         script: "CREATE LOGIN {{ account.username }} WITH PASSWORD = '{{ account.secret }}'; select @@version"
+      ignore_errors: true
       when: user_exist.query_results[0] | length == 0
       register: change_info
 
@@ -64,6 +66,3 @@
         name: '{{ jms_asset.spec_info.db_name }}'
         script: |
           SELECT @@version
-      when:
-        - db_info is succeeded
-        - change_info is succeeded

apps/accounts/automations/push_account/database/sqlserver/manifest.yml

@@ -7,5 +7,6 @@ method: push_account
 
 i18n:
   SQLServer account push:
-    zh: SQLServer 账号推送
-    ja: SQLServer アカウントのプッシュ
+    zh: 使用 Ansible 模块 mssql 执行 SQLServer 账号推送
+    ja: Ansible mssql モジュールを使用してアカウントをプッシュする
+    en: Using Ansible module mssql to push account

apps/accounts/automations/push_account/host/aix/main.yml

@@ -8,7 +8,7 @@
       ansible.builtin.user:
         name: "{{ account.username }}"
         shell: "{{ params.shell }}"
-        home: "{{ '/home/' + account.username }}"
+        home: "{{ params.home | default('/home/' + account.username, true) }}"
         groups: "{{ params.groups }}"
         expires: -1
         state: present
@@ -18,20 +18,6 @@
         name: "{{ account.username }}"
         state: present
 
-    - name: Check home dir exists
-      ansible.builtin.stat:
-        path: "{{ '/home/' + account.username }}"
-      register: home_existed
-
-    - name: Set home dir permission
-      ansible.builtin.file:
-        path: "{{ '/home/' + account.username }}"
-        owner: "{{ account.username }}"
-        group: "{{ account.username }}"
-        mode: "0700"
-      when:
-        - home_existed.stat.exists == true
-
     - name: Add user groups
       ansible.builtin.user:
         name: "{{ account.username }}"
@@ -43,6 +29,7 @@
         name: "{{ account.username }}"
         password: "{{ account.secret | password_hash('sha512') }}"
         update_password: always
+      ignore_errors: true
       when: account.secret_type == "password"
 
     - name: remove jumpserver ssh key

apps/accounts/automations/push_account/host/aix/manifest.yml

@@ -16,6 +16,12 @@ params:
     label: 'Shell'
     default: '/bin/bash'
 
+  - name: home
+    type: str
+    label: '家目录'
+    default: ''
+    help_text: '默认家目录 /home/系统用户名: /home/username'
+
   - name: groups
     type: str
     label: '用户组'
@@ -24,6 +30,7 @@ params:
 
 i18n:
   Aix account push:
-    zh: Aix 账号推送
-    ja: Aix アカウントのプッシュ
+    zh: 使用 Ansible 模块 user 执行 Aix 账号推送 (DES)
+    ja: Ansible user モジュールを使用して Aix アカウントをプッシュする (DES)
+    en: Using Ansible module user to push account (DES)
 

apps/accounts/automations/push_account/host/posix/main.yml

@@ -8,7 +8,7 @@
       ansible.builtin.user:
         name: "{{ account.username }}"
         shell: "{{ params.shell }}"
-        home: "{{ '/home/' + account.username }}"
+        home: "{{ params.home | default('/home/' + account.username, true) }}"
         groups: "{{ params.groups }}"
         expires: -1
         state: present
@@ -18,20 +18,6 @@
         name: "{{ account.username }}"
         state: present
 
-    - name: Check home dir exists
-      ansible.builtin.stat:
-        path: "{{ '/home/' + account.username }}"
-      register: home_existed
-
-    - name: Set home dir permission
-      ansible.builtin.file:
-        path: "{{ '/home/' + account.username }}"
-        owner: "{{ account.username }}"
-        group: "{{ account.username }}"
-        mode: "0700"
-      when:
-        - home_existed.stat.exists == true
-
     - name: Add user groups
       ansible.builtin.user:
         name: "{{ account.username }}"
@@ -43,6 +29,7 @@
         name: "{{ account.username }}"
         password: "{{ account.secret | password_hash('sha512') }}"
         update_password: always
+      ignore_errors: true
       when: account.secret_type == "password"
 
     - name: remove jumpserver ssh key

apps/accounts/automations/push_account/host/posix/manifest.yml

@@ -18,6 +18,12 @@ params:
     default: '/bin/bash'
     help_text: ''
 
+  - name: home
+    type: str
+    label: '家目录'
+    default: ''
+    help_text: '默认家目录 /home/系统用户名: /home/username'
+
   - name: groups
     type: str
     label: '用户组'
@@ -26,5 +32,6 @@ params:
 
 i18n:
   Posix account push:
-    zh: Posix 账号推送
-    ja: Posix アカウントのプッシュ
+    zh: 使用 Ansible 模块 user 执行账号推送 (sha512)
+    ja: Ansible user モジュールを使用してアカウントをプッシュする (sha512)
+    en: Using Ansible module user to push account (sha512)

apps/accounts/automations/push_account/host/windows/main.yml

@@ -17,6 +17,7 @@
         groups: "{{ params.groups }}"
         groups_action: add
         update_password: always
+      ignore_errors: true
       when: account.secret_type == "password"
 
     - name: Refresh connection

apps/accounts/automations/push_account/host/windows/manifest.yml

@@ -14,5 +14,6 @@ params:
 
 i18n:
   Windows account push:
-    zh: Windows 账号推送
-    ja: Windows アカウントのプッシュ
+    zh: 使用 Ansible 模块 win_user 执行 Windows 账号推送
+    ja: Ansible win_user モジュールを使用して Windows アカウントをプッシュする
+    en: Using Ansible module win_user to push account

apps/accounts/automations/verify_account/custom/manifest.yml

@@ -1,13 +0,0 @@
-id: verify_account_by_ssh
-name: "{{ 'SSH account verify' | trans }}"
-category:
-  - device
-  - host
-type:
-  - all
-method: verify_account
-
-i18n:
-  SSH account verify:
-    zh: SSH 账号验证
-    ja: SSH アカウントの検証

apps/accounts/automations/verify_account/custom/rdp/main.yml

@@ -0,0 +1,15 @@
+- hosts: custom
+  gather_facts: no
+  vars:
+    ansible_shell_type: sh
+    ansible_connection: local
+
+  tasks:
+    - name: Verify account (pyfreerdp)
+      rdp_ping:
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.port }}"
+        login_user: "{{ account.username }}"
+        login_password: "{{ account.secret }}"
+        login_secret_type: "{{ account.secret_type }}"
+        login_private_key_path: "{{ account.private_key_path }}"

apps/accounts/automations/verify_account/custom/rdp/manifest.yml

@@ -0,0 +1,13 @@
+id: verify_account_by_rdp
+name: "{{ 'Windows rdp account verify' | trans }}"
+category:
+  - host
+type:
+  - windows
+method: verify_account
+
+i18n:
+  Windows rdp account verify:
+    zh: 使用 Python 模块 pyfreerdp 验证账号
+    ja: Python モジュール pyfreerdp を使用してアカウントを検証する
+    en: Using Python module pyfreerdp to verify account

apps/accounts/automations/verify_account/custom/ssh/main.yml

@@ -4,11 +4,11 @@
     ansible_connection: local
 
   tasks:
-    - name: Verify account
+    - name: Verify account (paramiko)
       ssh_ping:
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
         login_user: "{{ account.username }}"
         login_password: "{{ account.secret }}"
-        login_secret_type: "{{ jms_account.secret_type }}"
-        login_private_key_path: "{{ jms_account.private_key_path }}"
+        login_secret_type: "{{ account.secret_type }}"
+        login_private_key_path: "{{ account.private_key_path }}"

apps/accounts/automations/verify_account/custom/ssh/manifest.yml

@@ -0,0 +1,14 @@
+id: verify_account_by_ssh
+name: "{{ 'SSH account verify' | trans }}"
+category:
+  - device
+  - host
+type:
+  - all
+method: verify_account
+
+i18n:
+  SSH account verify:
+    zh: 使用 Python 模块 paramiko 验证账号
+    ja: Python モジュール paramiko を使用してアカウントを検証する
+    en: Using Python module paramiko to verify account

apps/accounts/automations/verify_account/database/mongodb/manifest.yml

@@ -7,5 +7,6 @@ method: verify_account
 
 i18n:
   MongoDB account verify:
-    zh: MongoDB 账号验证
-    ja: MongoDB アカウントの検証
+    zh: 使用 Ansible 模块 mongodb 验证账号
+    ja: Ansible mongodb モジュールを使用してアカウントを検証する
+    en: Using Ansible module mongodb to verify account

apps/accounts/automations/verify_account/database/mysql/manifest.yml

@@ -8,5 +8,7 @@ method: verify_account
 
 i18n:
   MySQL account verify:
-    zh: MySQL 账号验证
-    ja: MySQL アカウントの検証
+    zh: 使用 Ansible 模块 mysql 验证账号
+    ja: Ansible mysql モジュールを使用してアカウントを検証する
+    en: Using Ansible module mysql to verify account
+

apps/accounts/automations/verify_account/database/oracle/manifest.yml

@@ -7,5 +7,6 @@ method: verify_account
 
 i18n:
   Oracle account verify:
-    zh: Oracle 账号验证
-    ja: Oracle アカウントの検証
+    zh: 使用 Python 模块 oracledb 验证账号
+    ja: Python モジュール oracledb を使用してアカウントを検証する
+    en: Using Python module oracledb to verify account

apps/accounts/automations/verify_account/database/postgresql/manifest.yml

@@ -7,5 +7,6 @@ method: verify_account
 
 i18n:
   PostgreSQL account verify:
-    zh: PostgreSQL 账号验证
-    ja: PostgreSQL アカウントの検証
+    zh: 使用 Ansible 模块 postgresql 验证账号
+    ja: Ansible postgresql モジュールを使用してアカウントを検証する
+    en: Using Ansible module postgresql to verify account

apps/accounts/automations/verify_account/database/sqlserver/manifest.yml

@@ -7,5 +7,6 @@ method: verify_account
 
 i18n:
   SQLServer account verify:
-    zh: SQLServer 账号验证
-    ja: SQLServer アカウントの検証
+    zh: 使用 Ansible 模块 mssql 验证账号
+    ja: Ansible mssql モジュールを使用してアカウントを検証する
+    en: Using Ansible module mssql to verify account

apps/accounts/automations/verify_account/host/posix/manifest.yml

@@ -8,5 +8,6 @@ method: verify_account
 
 i18n:
   Posix account verify:
-    zh: Posix 账号验证
-    ja: Posix アカウントの検証
+    zh: 使用 Ansible 模块 ping 验证账号
+    ja: Ansible ping モジュールを使用してアカウントを検証する
+    en: Using Ansible module ping to verify account

apps/accounts/automations/verify_account/host/windows/manifest.yml

@@ -8,5 +8,6 @@ type:
 
 i18n:
   Windows account verify:
-        zh: Windows 账号验证
-        ja: Windows アカウントの検証
+    zh: 使用 Ansible 模块 win_ping 验证账号
+    ja: Ansible win_ping モジュールを使用してアカウントを検証する
+    en: Using Ansible module win_ping to verify account

apps/accounts/const/account.py

@@ -7,12 +7,14 @@ class SecretType(TextChoices):
     SSH_KEY = 'ssh_key', _('SSH key')
     ACCESS_KEY = 'access_key', _('Access key')
     TOKEN = 'token', _('Token')
+    API_KEY = 'api_key', _("API key")
 
 
 class AliasAccount(TextChoices):
     ALL = '@ALL', _('All')
     INPUT = '@INPUT', _('Manual input')
     USER = '@USER', _('Dynamic user')
+    ANON = '@ANON', _('Anonymous account')
 
 
 class Source(TextChoices):

apps/accounts/const/automation.py

@@ -48,7 +48,7 @@ class SecretStrategy(models.TextChoices):
 class SSHKeyStrategy(models.TextChoices):
     add = 'add', _('Append SSH KEY')
     set = 'set', _('Empty and append SSH KEY')
-    set_jms = 'set_jms', _('Replace (The key generated by JumpServer) ')
+    set_jms = 'set_jms', _('Replace (Replace only keys pushed by JumpServer) ')
 
 
 class TriggerChoice(models.TextChoices, TreeChoices):

apps/accounts/filters.py

@@ -5,7 +5,6 @@ from django_filters import rest_framework as drf_filters
 
 from assets.models import Node
 from common.drf.filters import BaseFilterSet
-
 from .models import Account, GatheredAccount
 
 
@@ -46,7 +45,7 @@ class AccountFilterSet(BaseFilterSet):
 
     class Meta:
         model = Account
-        fields = ['id', 'asset_id']
+        fields = ['id', 'asset_id', 'source_id', 'secret_type']
 
 
 class GatheredAccountFilterSet(BaseFilterSet):

apps/accounts/migrations/0001_initial.py

@@ -1,12 +1,14 @@
 # Generated by Django 3.2.14 on 2022-12-28 07:29
 
+import uuid
+
+import django.db.models.deletion
+import simple_history.models
+from django.conf import settings
+from django.db import migrations, models
+
 import common.db.encoder
 import common.db.fields
-from django.conf import settings
-from django.db import migrations, models
-import django.db.models.deletion
-import simple_history.models
-import uuid
 
 
 class Migration(migrations.Migration):
@@ -29,13 +31,16 @@ class Migration(migrations.Migration):
                 ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
                 ('org_id',
                  models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization')),
-                ('connectivity', models.CharField(choices=[('-', 'Unknown'), ('ok', 'Ok'), ('err', 'Error')], default='-', max_length=16, verbose_name='Connectivity')),
+                ('connectivity',
+                 models.CharField(choices=[('-', 'Unknown'), ('ok', 'Ok'), ('err', 'Error')], default='-',
+                                  max_length=16, verbose_name='Connectivity')),
                 ('date_verified', models.DateTimeField(null=True, verbose_name='Date verified')),
                 ('name', models.CharField(max_length=128, verbose_name='Name')),
                 ('username', models.CharField(blank=True, db_index=True, max_length=128, verbose_name='Username')),
                 ('secret_type', models.CharField(
                     choices=[('password', 'Password'), ('ssh_key', 'SSH key'), ('access_key', 'Access key'),
-                             ('token', 'Token')], default='password', max_length=16, verbose_name='Secret type')),
+                             ('token', 'Token'), ('api_key', 'API key')], default='password', max_length=16,
+                    verbose_name='Secret type')),
                 ('secret', common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='Secret')),
                 ('privileged', models.BooleanField(default=False, verbose_name='Privileged')),
                 ('is_active', models.BooleanField(default=True, verbose_name='Is active')),
@@ -61,7 +66,8 @@ class Migration(migrations.Migration):
                 ('id', models.UUIDField(db_index=True, default=uuid.uuid4)),
                 ('secret_type', models.CharField(
                     choices=[('password', 'Password'), ('ssh_key', 'SSH key'), ('access_key', 'Access key'),
-                             ('token', 'Token')], default='password', max_length=16, verbose_name='Secret type')),
+                             ('token', 'Token'), ('api_key', 'API key')], default='password', max_length=16,
+                    verbose_name='Secret type')),
                 ('secret', common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='Secret')),
                 ('version', models.IntegerField(default=0, verbose_name='Version')),
                 ('history_id', models.AutoField(primary_key=True, serialize=False)),
@@ -96,7 +102,8 @@ class Migration(migrations.Migration):
                 ('username', models.CharField(blank=True, db_index=True, max_length=128, verbose_name='Username')),
                 ('secret_type', models.CharField(
                     choices=[('password', 'Password'), ('ssh_key', 'SSH key'), ('access_key', 'Access key'),
-                             ('token', 'Token')], default='password', max_length=16, verbose_name='Secret type')),
+                             ('token', 'Token'), ('api_key', 'API key')], default='password', max_length=16,
+                    verbose_name='Secret type')),
                 ('secret', common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='Secret')),
                 ('privileged', models.BooleanField(default=False, verbose_name='Privileged')),
                 ('is_active', models.BooleanField(default=True, verbose_name='Is active')),

apps/accounts/migrations/0003_automation.py

@@ -1,11 +1,13 @@
 # Generated by Django 3.2.16 on 2022-12-30 08:08
 
+import uuid
+
+import django.db.models.deletion
+from django.conf import settings
+from django.db import migrations, models
+
 import common.db.encoder
 import common.db.fields
-from django.conf import settings
-from django.db import migrations, models
-import django.db.models.deletion
-import uuid
 
 
 class Migration(migrations.Migration):
@@ -53,7 +55,8 @@ class Migration(migrations.Migration):
                                       primary_key=True, serialize=False, to='assets.baseautomation')),
                 ('secret_type', models.CharField(
                     choices=[('password', 'Password'), ('ssh_key', 'SSH key'), ('access_key', 'Access key'),
-                             ('token', 'Token')], default='password', max_length=16, verbose_name='Secret type')),
+                             ('token', 'Token'), ('api_key', 'API key')], default='password', max_length=16,
+                    verbose_name='Secret type')),
                 ('secret_strategy', models.CharField(choices=[('specific', 'Specific password'),
                                                               ('random_one', 'All assets use the same random password'),
                                                               ('random_all',
@@ -156,7 +159,8 @@ class Migration(migrations.Migration):
                                       primary_key=True, serialize=False, to='assets.baseautomation')),
                 ('secret_type', models.CharField(
                     choices=[('password', 'Password'), ('ssh_key', 'SSH key'), ('access_key', 'Access key'),
-                             ('token', 'Token')], default='password', max_length=16, verbose_name='Secret type')),
+                             ('token', 'Token'), ('api_key', 'API key')], default='password', max_length=16,
+                    verbose_name='Secret type')),
                 ('secret_strategy', models.CharField(choices=[('specific', 'Specific password'),
                                                               ('random_one', 'All assets use the same random password'),
                                                               ('random_all',

apps/accounts/migrations/0011_auto_20230506_1443.py

@@ -0,0 +1,29 @@
+# Generated by Django 3.2.17 on 2023-05-06 06:43
+
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('accounts', '0010_gatheraccountsautomation_is_sync_account'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='accounttemplate',
+            name='su_from',
+            field=models.ForeignKey(null=True, on_delete=django.db.models.deletion.SET_NULL, related_name='su_to', to='accounts.accounttemplate', verbose_name='Su from'),
+        ),
+        migrations.AlterField(
+            model_name='changesecretautomation',
+            name='ssh_key_change_strategy',
+            field=models.CharField(choices=[('add', 'Append SSH KEY'), ('set', 'Empty and append SSH KEY'), ('set_jms', 'Replace (Replace only keys pushed by JumpServer) ')], default='add', max_length=16, verbose_name='SSH key change strategy'),
+        ),
+        migrations.AlterField(
+            model_name='pushaccountautomation',
+            name='ssh_key_change_strategy',
+            field=models.CharField(choices=[('add', 'Append SSH KEY'), ('set', 'Empty and append SSH KEY'), ('set_jms', 'Replace (Replace only keys pushed by JumpServer) ')], default='add', max_length=16, verbose_name='SSH key change strategy'),
+        ),
+    ]

apps/accounts/models/__init__.py

@@ -1,3 +1,3 @@
-from .base import *
 from .account import *
 from .automations import *
+from .base import *

apps/accounts/models/account.py

@@ -1,4 +1,6 @@
 from django.db import models
+from django.db.models import Count, Q
+from django.utils import timezone
 from django.utils.translation import gettext_lazy as _
 from simple_history.models import HistoricalRecords
 
@@ -86,26 +88,44 @@ class Account(AbsConnectivity, BaseAccount):
     def has_secret(self):
         return bool(self.secret)
 
+    @classmethod
+    def get_special_account(cls, name):
+        if name == AliasAccount.INPUT.value:
+            return cls.get_manual_account()
+        elif name == AliasAccount.ANON.value:
+            return cls.get_anonymous_account()
+        else:
+            return cls(name=name, username=name, secret=None)
+
     @classmethod
     def get_manual_account(cls):
         """ @INPUT 手动登录的账号(any) """
         return cls(name=AliasAccount.INPUT.label, username=AliasAccount.INPUT.value, secret=None)
 
-    @lazyproperty
-    def versions(self):
-        return self.history.count()
+    @classmethod
+    def get_anonymous_account(cls):
+        return cls(name=AliasAccount.ANON.label, username=AliasAccount.ANON.value, secret=None)
 
     @classmethod
     def get_user_account(cls):
         """ @USER 动态用户的账号(self) """
         return cls(name=AliasAccount.USER.label, username=AliasAccount.USER.value, secret=None)
 
+    @lazyproperty
+    def versions(self):
+        return self.history.count()
+
     def get_su_from_accounts(self):
         """ 排除自己和以自己为 su-from 的账号 """
         return self.asset.accounts.exclude(id=self.id).exclude(su_from=self)
 
 
 class AccountTemplate(BaseAccount):
+    su_from = models.ForeignKey(
+        'self', related_name='su_to', null=True,
+        on_delete=models.SET_NULL, verbose_name=_("Su from")
+    )
+
     class Meta:
         verbose_name = _('Account template')
         unique_together = (
@@ -116,5 +136,65 @@ class AccountTemplate(BaseAccount):
             ('change_accounttemplatesecret', _('Can change asset account template secret')),
         ]
 
+    @classmethod
+    def get_su_from_account_templates(cls, pk=None):
+        if pk is None:
+            return cls.objects.all()
+        return cls.objects.exclude(Q(id=pk) | Q(su_from_id=pk))
+
+    def __str__(self):
+        return f'{self.name}({self.username})'
+
+    def get_su_from_account(self, asset):
+        su_from = self.su_from
+        if su_from and asset.platform.su_enabled:
+            account = asset.accounts.filter(
+                username=su_from.username,
+                secret_type=su_from.secret_type
+            ).first()
+            return account
+
     def __str__(self):
         return self.username
+
+    @staticmethod
+    def bulk_update_accounts(accounts, data):
+        history_model = Account.history.model
+        account_ids = accounts.values_list('id', flat=True)
+        history_accounts = history_model.objects.filter(id__in=account_ids)
+        account_id_count_map = {
+            str(i['id']): i['count']
+            for i in history_accounts.values('id').order_by('id')
+            .annotate(count=Count(1)).values('id', 'count')
+        }
+
+        for account in accounts:
+            account_id = str(account.id)
+            account.version = account_id_count_map.get(account_id) + 1
+            for k, v in data.items():
+                setattr(account, k, v)
+        Account.objects.bulk_update(accounts, ['version', 'secret'])
+
+    @staticmethod
+    def bulk_create_history_accounts(accounts, user_id):
+        history_model = Account.history.model
+        history_account_objs = []
+        for account in accounts:
+            history_account_objs.append(
+                history_model(
+                    id=account.id,
+                    version=account.version,
+                    secret=account.secret,
+                    secret_type=account.secret_type,
+                    history_user_id=user_id,
+                    history_date=timezone.now()
+                )
+            )
+        history_model.objects.bulk_create(history_account_objs)
+
+    def bulk_sync_account_secret(self, accounts, user_id):
+        """ 批量同步账号密码 """
+        if not accounts:
+            return
+        self.bulk_update_accounts(accounts, {'secret': self.secret})
+        self.bulk_create_history_accounts(accounts, user_id)

apps/accounts/models/automations/change_secret.py

@@ -28,7 +28,6 @@ class ChangeSecretMixin(models.Model):
         default=SSHKeyStrategy.add, verbose_name=_('SSH key change strategy')
     )
 
-    accounts: list[str]  # account usernames
     get_all_assets: callable  # get all assets
 
     class Meta:

apps/accounts/serializers/account/account.py

@@ -1,9 +1,11 @@
 import uuid
+from copy import deepcopy
 
 from django.db import IntegrityError
 from django.db.models import Q
 from django.utils.translation import ugettext_lazy as _
 from rest_framework import serializers
+from rest_framework.generics import get_object_or_404
 from rest_framework.validators import UniqueTogetherValidator
 
 from accounts.const import SecretType, Source, AccountInvalidPolicy
@@ -21,8 +23,8 @@ logger = get_logger(__name__)
 
 class AccountCreateUpdateSerializerMixin(serializers.Serializer):
     template = serializers.PrimaryKeyRelatedField(
-        queryset=AccountTemplate.objects,
-        required=False, label=_("Template"), write_only=True
+        queryset=AccountTemplate.objects, required=False,
+        label=_("Template"), write_only=True, allow_null=True
     )
     push_now = serializers.BooleanField(
         default=False, label=_("Push now"), write_only=True
@@ -32,9 +34,10 @@ class AccountCreateUpdateSerializerMixin(serializers.Serializer):
     )
     on_invalid = LabeledChoiceField(
         choices=AccountInvalidPolicy.choices, default=AccountInvalidPolicy.ERROR,
-        write_only=True, label=_('Exist policy')
+        write_only=True, allow_null=True, label=_('Exist policy'),
     )
     _template = None
+    clean_auth_fields: callable
 
     class Meta:
         fields = ['template', 'push_now', 'params', 'on_invalid']
@@ -58,10 +61,6 @@ class AccountCreateUpdateSerializerMixin(serializers.Serializer):
             self.from_template_if_need(data)
             self.set_uniq_name_if_need(data, asset)
 
-    def to_internal_value(self, data):
-        self.from_template_if_need(data)
-        return super().to_internal_value(data)
-
     def set_uniq_name_if_need(self, initial_data, asset):
         name = initial_data.get('name')
         if name is not None:
@@ -91,7 +90,7 @@ class AccountCreateUpdateSerializerMixin(serializers.Serializer):
 
         self._template = template
         # Set initial data from template
-        ignore_fields = ['id', 'date_created', 'date_updated', 'org_id']
+        ignore_fields = ['id', 'date_created', 'date_updated', 'su_from', 'org_id']
         field_names = [
             field.name for field in template._meta.fields
             if field.name not in ignore_fields
@@ -103,6 +102,15 @@ class AccountCreateUpdateSerializerMixin(serializers.Serializer):
                 continue
             attrs[name] = value
         initial_data.update(attrs)
+        initial_data.update({
+            'source': Source.TEMPLATE,
+            'source_id': str(template.id)
+        })
+        asset_id = initial_data.get('asset')
+        if isinstance(asset_id, list) or not asset_id:
+            return
+        asset = get_object_or_404(Asset, pk=asset_id)
+        initial_data['su_from'] = template.get_su_from_account(asset)
 
     @staticmethod
     def push_account_if_need(instance, push_now, params, stat):
@@ -147,17 +155,10 @@ class AccountCreateUpdateSerializerMixin(serializers.Serializer):
         else:
             raise serializers.ValidationError('Account already exists')
 
-    def generate_source_data(self, validated_data):
-        template = self._template
-        if template is None:
-            return
-        validated_data['source'] = Source.TEMPLATE
-        validated_data['source_id'] = str(template.id)
-
     def create(self, validated_data):
         push_now = validated_data.pop('push_now', None)
         params = validated_data.pop('params', None)
-        self.generate_source_data(validated_data)
+        self.clean_auth_fields(validated_data)
         instance, stat = self.do_create(validated_data)
         self.push_account_if_need(instance, push_now, params, stat)
         return instance
@@ -197,8 +198,11 @@ class AccountAssetSerializer(serializers.ModelSerializer):
 
 class AccountSerializer(AccountCreateUpdateSerializerMixin, BaseAccountSerializer):
     asset = AccountAssetSerializer(label=_('Asset'))
-    source = LabeledChoiceField(choices=Source.choices, label=_("Source"), read_only=True)
     has_secret = serializers.BooleanField(label=_("Has secret"), read_only=True)
+    source = LabeledChoiceField(
+        choices=Source.choices, label=_("Source"), required=False,
+        allow_null=True, default=Source.LOCAL
+    )
     su_from = ObjectRelatedField(
         required=False, queryset=Account.objects, allow_null=True, allow_empty=True,
         label=_('Su from'), attrs=('id', 'name', 'username')
@@ -211,11 +215,12 @@ class AccountSerializer(AccountCreateUpdateSerializerMixin, BaseAccountSerialize
             'source', 'source_id', 'connectivity',
         ] + AccountCreateUpdateSerializerMixin.Meta.fields
         read_only_fields = BaseAccountSerializer.Meta.read_only_fields + [
-            'source', 'source_id', 'connectivity'
+            'connectivity'
         ]
         extra_kwargs = {
             **BaseAccountSerializer.Meta.extra_kwargs,
             'name': {'required': False},
+            'source_id': {'required': False, 'allow_null': True},
         }
 
     @classmethod
@@ -238,18 +243,25 @@ class AssetAccountBulkSerializerResultSerializer(serializers.Serializer):
 class AssetAccountBulkSerializer(
     AccountCreateUpdateSerializerMixin, AuthValidateMixin, serializers.ModelSerializer
 ):
+    su_from_username = serializers.CharField(
+        max_length=128, required=False, write_only=True, allow_null=True, label=_("Su from"),
+        allow_blank=True,
+    )
     assets = serializers.PrimaryKeyRelatedField(queryset=Asset.objects, many=True, label=_('Assets'))
 
     class Meta:
         model = Account
         fields = [
-            'name', 'username', 'secret', 'secret_type',
+            'name', 'username', 'secret', 'secret_type', 'passphrase',
             'privileged', 'is_active', 'comment', 'template',
-            'on_invalid', 'push_now', 'assets',
+            'on_invalid', 'push_now', 'assets', 'su_from_username',
+            'source', 'source_id',
         ]
         extra_kwargs = {
             'name': {'required': False},
             'secret_type': {'required': False},
+            'source': {'required': False, 'allow_null': True},
+            'source_id': {'required': False, 'allow_null': True},
         }
 
     def set_initial_value(self):
@@ -293,8 +305,21 @@ class AssetAccountBulkSerializer(
             raise serializers.ValidationError(_('Account already exists'))
         return instance, True, 'created'
 
+    def generate_su_from_data(self, validated_data):
+        template = self._template
+        asset = validated_data['asset']
+        su_from = validated_data.get('su_from')
+        su_from_username = validated_data.pop('su_from_username', None)
+        if template:
+            su_from = template.get_su_from_account(asset)
+        elif su_from_username:
+            su_from = asset.accounts.filter(username=su_from_username).first()
+        validated_data['su_from'] = su_from
+
     def perform_create(self, vd, handler):
         lookup = self.get_filter_lookup(vd)
+        vd = deepcopy(vd)
+        self.generate_su_from_data(vd)
         try:
             instance, changed, state = handler(vd, lookup)
         except IntegrityError:
@@ -335,6 +360,7 @@ class AssetAccountBulkSerializer(
             vd = vd.copy()
             vd['asset'] = asset
             try:
+                self.clean_auth_fields(vd)
                 instance, changed, state = self.perform_create(vd, create_handler)
                 _results[asset] = {
                     'changed': changed, 'instance': instance.id, 'state': state
@@ -375,7 +401,6 @@ class AssetAccountBulkSerializer(
 
     def create(self, validated_data):
         push_now = validated_data.pop('push_now', False)
-        self.generate_source_data(validated_data)
         results = self.perform_bulk_create(validated_data)
         self.push_accounts_if_need(results, push_now)
         for res in results:

apps/accounts/serializers/account/backup.py

@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 #
-from django.utils.translation import ugettext as _
+from django.utils.translation import ugettext_lazy as _
 from rest_framework import serializers
 
 from accounts.models import AccountBackupAutomation, AccountBackupExecution

apps/accounts/serializers/account/base.py

@@ -78,4 +78,8 @@ class BaseAccountSerializer(AuthValidateMixin, BulkOrgResourceModelSerializer):
         ]
         extra_kwargs = {
             'spec_info': {'label': _('Spec info')},
+            'username': {'help_text': _(
+                "Tip: If no username is required for authentication, fill in `null`, "
+                "If AD account, like `username@domain`"
+            )},
         }

apps/accounts/serializers/account/template.py

@@ -1,86 +1,51 @@
-from django.db.transaction import atomic
-from django.db.utils import IntegrityError
+from django.utils.translation import ugettext_lazy as _
+from rest_framework import serializers
 
 from accounts.models import AccountTemplate, Account
-from assets.models import Asset
 from common.serializers import SecretReadableMixin
+from common.serializers.fields import ObjectRelatedField
 from .base import BaseAccountSerializer
 
 
 class AccountTemplateSerializer(BaseAccountSerializer):
+    is_sync_account = serializers.BooleanField(default=False, write_only=True)
+    _is_sync_account = False
+
+    su_from = ObjectRelatedField(
+        required=False, queryset=AccountTemplate.objects, allow_null=True,
+        allow_empty=True, label=_('Su from'), attrs=('id', 'name', 'username')
+    )
+
     class Meta(BaseAccountSerializer.Meta):
         model = AccountTemplate
+        fields = BaseAccountSerializer.Meta.fields + ['is_sync_account', 'su_from']
 
-    @staticmethod
-    def account_save(data, account):
-        for field, value in data.items():
-            setattr(account, field, value)
-        try:
-            account.save(update_fields=list(data.keys()))
-        except IntegrityError:
-            pass
-
-    # TODO 数据库访问的太多了 后期优化
-    @atomic()
-    def bulk_update_accounts(self, instance, diff):
-        accounts = Account.objects.filter(source_id=instance.id)
-        if not accounts:
+    def sync_accounts_secret(self, instance, diff):
+        if not self._is_sync_account or 'secret' not in diff:
             return
+        query_data = {
+            'source_id': instance.id,
+            'username': instance.username,
+            'secret_type': instance.secret_type
+        }
+        accounts = Account.objects.filter(**query_data)
+        instance.bulk_sync_account_secret(accounts, self.context['request'].user.id)
 
-        diff.pop('secret', None)
-        name = diff.pop('name', None)
-        username = diff.pop('username', None)
-        secret_type = diff.pop('secret_type', None)
-        update_accounts = []
-        for account in accounts:
-            for field, value in diff.items():
-                setattr(account, field, value)
-                update_accounts.append(account)
-
-        if update_accounts:
-            Account.objects.bulk_update(update_accounts, diff.keys())
-
-        if name:
-            for account in accounts:
-                data = {'name': name}
-                self.account_save(data, account)
-
-        if secret_type and username:
-            asset_ids_supports = self.get_asset_ids_supports(accounts, secret_type)
-            for account in accounts:
-                asset_id = account.asset_id
-                if asset_id not in asset_ids_supports:
-                    data = {'username': username}
-                    self.account_save(data, account)
-                    continue
-                data = {'username': username, 'secret_type': secret_type, 'secret': instance.secret}
-                self.account_save(data, account)
-        elif secret_type:
-            asset_ids_supports = self.get_asset_ids_supports(accounts, secret_type)
-            for account in accounts:
-                asset_id = account.asset_id
-                if asset_id not in asset_ids_supports:
-                    continue
-                data = {'secret_type': secret_type, 'secret': instance.secret}
-                self.account_save(data, account)
-        elif username:
-            for account in accounts:
-                data = {'username': username}
-                self.account_save(data, account)
-
-    @staticmethod
-    def get_asset_ids_supports(accounts, secret_type):
-        asset_ids = accounts.values_list('asset_id', flat=True)
-        secret_type_supports = Asset.get_secret_type_assets(asset_ids, secret_type)
-        return [asset.id for asset in secret_type_supports]
+    def validate(self, attrs):
+        self._is_sync_account = attrs.pop('is_sync_account', None)
+        attrs = super().validate(attrs)
+        return attrs
 
     def update(self, instance, validated_data):
-        # diff = {
-        #     k: v for k, v in validated_data.items()
-        #     if getattr(instance, k) != v
-        # }
+        diff = {
+            k: v for k, v in validated_data.items()
+            if getattr(instance, k, None) != v
+        }
         instance = super().update(instance, validated_data)
-        # self.bulk_update_accounts(instance, diff)
+        if {'username', 'secret_type'} & set(diff.keys()):
+            Account.objects.filter(source_id=instance.id).update(source_id=None)
+        else:
+            self.sync_accounts_secret(instance, diff)
         return instance
 
 

apps/accounts/serializers/automations/base.py

@@ -1,4 +1,4 @@
-from django.utils.translation import ugettext as _
+from django.utils.translation import ugettext_lazy as _
 from rest_framework import serializers
 
 from accounts.models import AutomationExecution
@@ -63,15 +63,17 @@ class AutomationExecutionSerializer(serializers.ModelSerializer):
 
     @staticmethod
     def get_snapshot(obj):
-        tp = obj.snapshot['type']
+        tp = obj.snapshot.get('type', '')
+        type_display = tp if not hasattr(AutomationTypes, tp) \
+            else getattr(AutomationTypes, tp).label
         snapshot = {
             'type': tp,
-            'name': obj.snapshot['name'],
-            'comment': obj.snapshot['comment'],
-            'accounts': obj.snapshot['accounts'],
-            'node_amount': len(obj.snapshot['nodes']),
-            'asset_amount': len(obj.snapshot['assets']),
-            'type_display': getattr(AutomationTypes, tp).label,
+            'name': obj.snapshot.get('name'),
+            'comment': obj.snapshot.get('comment'),
+            'accounts': obj.snapshot.get('accounts'),
+            'node_amount': len(obj.snapshot.get('nodes', [])),
+            'asset_amount': len(obj.snapshot.get('assets', [])),
+            'type_display': type_display,
         }
         return snapshot
 

apps/accounts/serializers/automations/change_secret.py

@@ -50,7 +50,7 @@ class ChangeSecretAutomationSerializer(AuthValidateMixin, BaseAutomationSerializ
         read_only_fields = BaseAutomationSerializer.Meta.read_only_fields
         fields = BaseAutomationSerializer.Meta.fields + read_only_fields + [
             'secret_type', 'secret_strategy', 'secret', 'password_rules',
-            'ssh_key_change_strategy', 'passphrase', 'recipients',
+            'ssh_key_change_strategy', 'passphrase', 'recipients', 'params'
         ]
         extra_kwargs = {**BaseAutomationSerializer.Meta.extra_kwargs, **{
             'accounts': {'required': True},

apps/accounts/serializers/automations/push_account.py

@@ -10,7 +10,7 @@ class PushAccountAutomationSerializer(ChangeSecretAutomationSerializer):
 
     class Meta(ChangeSecretAutomationSerializer.Meta):
         model = PushAccountAutomation
-        fields = ['params'] + [
+        fields = [
             n for n in ChangeSecretAutomationSerializer.Meta.fields
             if n not in ['recipients']
         ]

apps/accounts/urls.py

@@ -39,7 +39,7 @@ urlpatterns = [
 
     path('push-account/<uuid:pk>/asset/remove/', api.PushAccountRemoveAssetApi.as_view(),
          name='push-account-remove-asset'),
-    path('push-accountt/<uuid:pk>/asset/add/', api.PushAccountAddAssetApi.as_view(), name='push-account-add-asset'),
+    path('push-account/<uuid:pk>/asset/add/', api.PushAccountAddAssetApi.as_view(), name='push-account-add-asset'),
     path('push-account/<uuid:pk>/nodes/', api.PushAccountNodeAddRemoveApi.as_view(),
          name='push-account-add-or-remove-node'),
     path('push-account/<uuid:pk>/assets/', api.PushAccountAssetsListApi.as_view(), name='push-account-assets'),

apps/accounts/utils.py

@@ -4,7 +4,7 @@ from rest_framework import serializers
 from accounts.const import (
     SecretType, DEFAULT_PASSWORD_RULES
 )
-from common.utils import gen_key_pair, random_string
+from common.utils import ssh_key_gen, random_string
 from common.utils import validate_ssh_private_key, parse_ssh_private_key_str
 
 
@@ -16,7 +16,7 @@ class SecretGenerator:
 
     @staticmethod
     def generate_ssh_key():
-        private_key, public_key = gen_key_pair()
+        private_key, public_key = ssh_key_gen()
         return private_key
 
     def generate_password(self):

apps/acls/api/__init__.py

@@ -1,4 +1,5 @@
 from .command_acl import *
+from .connect_method import *
 from .login_acl import *
 from .login_asset_acl import *
 from .login_asset_check import *

apps/acls/api/command_acl.py

@@ -1,6 +1,8 @@
 from rest_framework.decorators import action
 from rest_framework.response import Response
+
 from orgs.mixins.api import OrgBulkModelViewSet
+from .common import ACLUserAssetFilterMixin
 from .. import models, serializers
 
 __all__ = ['CommandFilterACLViewSet', 'CommandGroupViewSet']
@@ -13,10 +15,16 @@ class CommandGroupViewSet(OrgBulkModelViewSet):
     serializer_class = serializers.CommandGroupSerializer
 
 
+class CommandACLFilter(ACLUserAssetFilterMixin):
+    class Meta:
+        model = models.CommandFilterACL
+        fields = ['name', ]
+
+
 class CommandFilterACLViewSet(OrgBulkModelViewSet):
     model = models.CommandFilterACL
-    filterset_fields = ('name',)
-    search_fields = filterset_fields
+    filterset_class = CommandACLFilter
+    search_fields = ['name']
     serializer_class = serializers.CommandFilterACLSerializer
     rbac_perms = {
         'command_review': 'tickets.add_superticket'

apps/acls/api/common.py

@@ -0,0 +1,45 @@
+from django.db.models import Q
+from django_filters import rest_framework as drf_filters
+
+from common.drf.filters import BaseFilterSet
+from common.utils import is_uuid
+
+
+class ACLUserFilterMixin(BaseFilterSet):
+    users = drf_filters.CharFilter(method='filter_user')
+
+    @staticmethod
+    def filter_user(queryset, name, value):
+        from users.models import User
+        if not value:
+            return queryset
+        if is_uuid(value):
+            user = User.objects.filter(id=value).first()
+        else:
+            q = Q(name=value) | Q(username=value)
+            user = User.objects.filter(q).first()
+        if not user:
+            return queryset.none()
+        q = queryset.model.users.get_filter_q(user)
+        return queryset.filter(q).distinct()
+
+
+class ACLUserAssetFilterMixin(ACLUserFilterMixin):
+    assets = drf_filters.CharFilter(method='filter_asset')
+
+    @staticmethod
+    def filter_asset(queryset, name, value):
+        from assets.models import Asset
+        if not value:
+            return queryset
+
+        if is_uuid(value):
+            asset = Asset.objects.filter(id=value).first()
+        else:
+            q = Q(name=value) | Q(address=value)
+            asset = Asset.objects.filter(q).first()
+        if not asset:
+            return queryset.none()
+
+        q = queryset.model.assets.get_filter_q(asset)
+        return queryset.filter(q).distinct()

apps/acls/api/connect_method.py

@@ -0,0 +1,29 @@
+from django_filters import rest_framework as drf_filters
+
+from common.api import JMSBulkModelViewSet
+from orgs.utils import tmp_to_root_org
+from .common import ACLUserFilterMixin
+from .. import serializers
+from ..models import ConnectMethodACL
+
+__all__ = ['ConnectMethodACLViewSet']
+
+
+class ConnectMethodFilter(ACLUserFilterMixin):
+    methods = drf_filters.CharFilter(field_name="methods__contains", lookup_expr='exact')
+
+    class Meta:
+        model = ConnectMethodACL
+        fields = ['name', ]
+
+
+class ConnectMethodACLViewSet(JMSBulkModelViewSet):
+    queryset = ConnectMethodACL.objects.all()
+    filterset_class = ConnectMethodFilter
+    search_fields = ('name',)
+    serializer_class = serializers.ConnectMethodACLSerializer
+
+    def filter_queryset(self, queryset):
+        with tmp_to_root_org():
+            return super().filter_queryset(queryset)
+

apps/acls/api/login_acl.py

@@ -1,14 +1,26 @@
 from common.api import JMSBulkModelViewSet
-from ..models import LoginACL
+
+from orgs.utils import tmp_to_root_org
+from .common import ACLUserFilterMixin
 from .. import serializers
-from ..filters import LoginAclFilter
+from ..models import LoginACL
 
 __all__ = ['LoginACLViewSet']
 
 
+class LoginACLFilter(ACLUserFilterMixin):
+    class Meta:
+        model = LoginACL
+        fields = ('name', 'action')
+
+
 class LoginACLViewSet(JMSBulkModelViewSet):
     queryset = LoginACL.objects.all()
-    filterset_class = LoginAclFilter
+    filterset_class = LoginACLFilter
     search_fields = ('name',)
     serializer_class = serializers.LoginACLSerializer
 
+    def filter_queryset(self, queryset):
+        with tmp_to_root_org():
+            return super().filter_queryset(queryset)
+

apps/acls/api/login_asset_acl.py

@@ -1,12 +1,18 @@
 from orgs.mixins.api import OrgBulkModelViewSet
+from .common import ACLUserAssetFilterMixin
 from .. import models, serializers
 
-
 __all__ = ['LoginAssetACLViewSet']
 
 
+class LoginAssetACLFilter(ACLUserAssetFilterMixin):
+    class Meta:
+        model = models.LoginAssetACL
+        fields = ['name', ]
+
+
 class LoginAssetACLViewSet(OrgBulkModelViewSet):
     model = models.LoginAssetACL
-    filterset_fields = ('name', )
-    search_fields = filterset_fields
+    filterset_class = LoginAssetACLFilter
+    search_fields = ['name']
     serializer_class = serializers.LoginAssetACLSerializer

apps/acls/api/login_asset_check.py

@@ -30,14 +30,21 @@ class LoginAssetCheckAPI(CreateAPIView):
         return serializer
 
     def check_review(self):
+        user = self.serializer.user
+        asset = self.serializer.asset
+
+        # 用户满足的 acls
+        queryset = LoginAssetACL.objects.all()
+        q = LoginAssetACL.users.get_filter_q(LoginAssetACL, 'users', user)
+        queryset = queryset.filter(q)
+        q = LoginAssetACL.assets.get_filter_q(LoginAssetACL, 'assets', asset)
+        queryset = queryset.filter(q)
+        account_username = self.serializer.validated_data.get('account_username')
+        queryset = queryset.filter(accounts__contains=account_username)
+
         with tmp_to_org(self.serializer.asset.org):
-            kwargs = {
-                'user': self.serializer.user,
-                'asset': self.serializer.asset,
-                'account_username': self.serializer.validated_data.get('account_username'),
-                'action': LoginAssetACL.ActionChoices.review
-            }
-            acl = LoginAssetACL.filter_queryset(**kwargs).valid().first()
+            acl = queryset.valid().first()
+
         if acl:
             need_review = True
             response_data = self._get_response_data_of_need_review(acl)

apps/acls/const.py

@@ -0,0 +1,9 @@
+from django.db import models
+from django.utils.translation import gettext_lazy as _
+
+
+class ActionChoices(models.TextChoices):
+    reject = 'reject', _('Reject')
+    accept = 'accept', _('Accept')
+    review = 'review', _('Review')
+    warning = 'warning', _('Warning')

apps/acls/filters.py

@@ -1,15 +0,0 @@
-from django_filters import rest_framework as filters
-from common.drf.filters import BaseFilterSet
-
-from acls.models import LoginACL
-
-
-class LoginAclFilter(BaseFilterSet):
-    user = filters.UUIDFilter(field_name='user_id')
-    user_display = filters.CharFilter(field_name='user__name')
-
-    class Meta:
-        model = LoginACL
-        fields = (
-            'name', 'user', 'user_display', 'action'
-        )

apps/acls/migrations/0001_initial.py

@@ -1,14 +1,14 @@
 # Generated by Django 3.1 on 2021-03-11 09:53
 
-from django.conf import settings
-import django.core.validators
-from django.db import migrations, models
-import django.db.models.deletion
 import uuid
 
+import django.core.validators
+import django.db.models.deletion
+from django.conf import settings
+from django.db import migrations, models
+
 
 class Migration(migrations.Migration):
-
     initial = True
 
     dependencies = [
@@ -24,37 +24,51 @@ class Migration(migrations.Migration):
                 ('date_created', models.DateTimeField(auto_now_add=True, null=True, verbose_name='Date created')),
                 ('date_updated', models.DateTimeField(auto_now=True, verbose_name='Date updated')),
                 ('name', models.CharField(max_length=128, verbose_name='Name')),
-                ('priority', models.IntegerField(default=50, help_text='1-100, the lower the value will be match first', validators=[django.core.validators.MinValueValidator(1), django.core.validators.MaxValueValidator(100)], verbose_name='Priority')),
+                ('priority', models.IntegerField(default=50, help_text='1-100, the lower the value will be match first',
+                                                 validators=[django.core.validators.MinValueValidator(1),
+                                                             django.core.validators.MaxValueValidator(100)],
+                                                 verbose_name='Priority')),
                 ('is_active', models.BooleanField(default=True, verbose_name='Active')),
                 ('comment', models.TextField(blank=True, default='', verbose_name='Comment')),
                 ('ip_group', models.JSONField(default=list, verbose_name='Login IP')),
-                ('action', models.CharField(choices=[('reject', 'Reject'), ('allow', 'Allow')], default='reject', max_length=64, verbose_name='Action')),
-                ('user', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='login_acls', to=settings.AUTH_USER_MODEL, verbose_name='User')),
+                ('action',
+                 models.CharField(choices=[('reject', 'Reject'), ('allow', 'Allow')], default='reject', max_length=64,
+                                  verbose_name='Action')),
+                ('user', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, related_name='login_acls',
+                                           to=settings.AUTH_USER_MODEL, verbose_name='User')),
             ],
             options={
-                'ordering': ('priority', '-date_updated', 'name'),
+                'ordering': ('priority', '-is_active', 'name'),
             },
         ),
         migrations.CreateModel(
             name='LoginAssetACL',
             fields=[
-                ('org_id', models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization')),
+                ('org_id',
+                 models.CharField(blank=True, db_index=True, default='', max_length=36, verbose_name='Organization')),
                 ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
                 ('created_by', models.CharField(blank=True, max_length=32, null=True, verbose_name='Created by')),
                 ('date_created', models.DateTimeField(auto_now_add=True, null=True, verbose_name='Date created')),
                 ('date_updated', models.DateTimeField(auto_now=True, verbose_name='Date updated')),
                 ('name', models.CharField(max_length=128, verbose_name='Name')),
-                ('priority', models.IntegerField(default=50, help_text='1-100, the lower the value will be match first', validators=[django.core.validators.MinValueValidator(1), django.core.validators.MaxValueValidator(100)], verbose_name='Priority')),
+                ('priority', models.IntegerField(default=50, help_text='1-100, the lower the value will be match first',
+                                                 validators=[django.core.validators.MinValueValidator(1),
+                                                             django.core.validators.MaxValueValidator(100)],
+                                                 verbose_name='Priority')),
                 ('is_active', models.BooleanField(default=True, verbose_name='Active')),
                 ('comment', models.TextField(blank=True, default='', verbose_name='Comment')),
                 ('users', models.JSONField(verbose_name='User')),
                 ('system_users', models.JSONField(verbose_name='System User')),
                 ('assets', models.JSONField(verbose_name='Asset')),
-                ('action', models.CharField(choices=[('login_confirm', 'Login confirm')], default='login_confirm', max_length=64, verbose_name='Action')),
-                ('reviewers', models.ManyToManyField(blank=True, related_name='review_login_asset_acls', to=settings.AUTH_USER_MODEL, verbose_name='Reviewers')),
+                ('action',
+                 models.CharField(choices=[('login_confirm', 'Login confirm')], default='login_confirm', max_length=64,
+                                  verbose_name='Action')),
+                ('reviewers',
+                 models.ManyToManyField(blank=True, related_name='review_login_asset_acls', to=settings.AUTH_USER_MODEL,
+                                        verbose_name='Reviewers')),
             ],
             options={
-                'ordering': ('priority', '-date_updated', 'name'),
+                'ordering': ('priority', '-is_active', 'name'),
                 'unique_together': {('name', 'org_id')},
             },
         ),

apps/acls/migrations/0002_auto_20210926_1047.py

@@ -2,7 +2,6 @@
 import django
 from django.conf import settings
 from django.db import migrations, models, transaction
-from acls.models import LoginACL
 
 LOGIN_CONFIRM_ZH = '登录复核'
 LOGIN_CONFIRM_EN = 'Login confirm'
@@ -90,10 +89,10 @@ class Migration(migrations.Migration):
         ),
         migrations.AlterModelOptions(
             name='loginacl',
-            options={'ordering': ('priority', '-date_updated', 'name'), 'verbose_name': 'Login acl'},
+            options={'ordering': ('priority', '-is_active', 'name'), 'verbose_name': 'Login acl'},
         ),
         migrations.AlterModelOptions(
             name='loginassetacl',
-            options={'ordering': ('priority', '-date_updated', 'name'), 'verbose_name': 'Login asset acl'},
+            options={'ordering': ('priority', '-is_active', 'name'), 'verbose_name': 'Login asset acl'},
         ),
     ]

apps/acls/migrations/0003_auto_20211130_1037.py

@@ -4,7 +4,6 @@ from django.db import migrations
 
 
 class Migration(migrations.Migration):
-
     dependencies = [
         ('acls', '0002_auto_20210926_1047'),
     ]
@@ -12,10 +11,10 @@ class Migration(migrations.Migration):
     operations = [
         migrations.AlterModelOptions(
             name='loginacl',
-            options={'ordering': ('priority', '-date_updated', 'name'), 'verbose_name': 'Login acl'},
+            options={'ordering': ('priority', '-is_active', 'name'), 'verbose_name': 'Login acl'},
         ),
         migrations.AlterModelOptions(
             name='loginassetacl',
-            options={'ordering': ('priority', '-date_updated', 'name'), 'verbose_name': 'Login asset acl'},
+            options={'ordering': ('priority', '-is_active', 'name'), 'verbose_name': 'Login asset acl'},
         ),
     ]

apps/acls/migrations/0006_commandfilteracl_commandgroup.py

@@ -63,7 +63,7 @@ class Migration(migrations.Migration):
             ],
             options={
                 'verbose_name': 'Command acl',
-                'ordering': ('priority', '-date_updated', 'name'),
+                'ordering': ('priority', '-is_active', 'name'),
                 'unique_together': {('name', 'org_id')},
             },
         ),

apps/acls/migrations/0008_commandgroup_comment.py

@@ -20,14 +20,14 @@ class Migration(migrations.Migration):
         ),
         migrations.AlterModelOptions(
             name='commandfilteracl',
-            options={'ordering': ('priority', 'date_updated', 'name'), 'verbose_name': 'Command acl'},
+            options={'ordering': ('priority', '-is_active', 'name'), 'verbose_name': 'Command acl'},
         ),
         migrations.AlterModelOptions(
             name='loginacl',
-            options={'ordering': ('priority', 'date_updated', 'name'), 'verbose_name': 'Login acl'},
+            options={'ordering': ('priority', '-is_active', 'name'), 'verbose_name': 'Login acl'},
         ),
         migrations.AlterModelOptions(
             name='loginassetacl',
-            options={'ordering': ('priority', 'date_updated', 'name'), 'verbose_name': 'Login asset acl'},
+            options={'ordering': ('priority', '-is_active', 'name'), 'verbose_name': 'Login asset acl'},
         ),
     ]

apps/acls/migrations/0011_auto_20230425_1704.py

@@ -0,0 +1,44 @@
+# Generated by Django 3.2.17 on 2023-04-25 09:04
+
+from django.db import migrations, models
+
+import common.db.fields
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ('acls', '0010_alter_commandfilteracl_command_groups'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='commandfilteracl',
+            name='new_accounts',
+            field=models.JSONField(default=list, verbose_name='Accounts'),
+        ),
+        migrations.AddField(
+            model_name='commandfilteracl',
+            name='new_assets',
+            field=common.db.fields.JSONManyToManyField(default=dict, to='assets.Asset', verbose_name='Assets'),
+        ),
+        migrations.AddField(
+            model_name='commandfilteracl',
+            name='new_users',
+            field=common.db.fields.JSONManyToManyField(default=dict, to='users.User', verbose_name='Users'),
+        ),
+        migrations.AddField(
+            model_name='loginassetacl',
+            name='new_accounts',
+            field=models.JSONField(default=list, verbose_name='Accounts')
+        ),
+        migrations.AddField(
+            model_name='loginassetacl',
+            name='new_assets',
+            field=common.db.fields.JSONManyToManyField(default=dict, to='assets.Asset', verbose_name='Assets'),
+        ),
+        migrations.AddField(
+            model_name='loginassetacl',
+            name='new_users',
+            field=common.db.fields.JSONManyToManyField(default=dict, to='users.User', verbose_name='Users'),
+        ),
+    ]

apps/acls/migrations/0012_auto_20230426_1111.py

@@ -0,0 +1,41 @@
+# Generated by Django 3.2.17 on 2023-04-26 03:11
+
+from django.db import migrations
+
+
+def migrate_base_acl_users_assets_accounts(apps, *args):
+    cmd_acl_model = apps.get_model('acls', 'CommandFilterACL')
+    login_asset_acl_model = apps.get_model('acls', 'LoginAssetACL')
+
+    for model in [cmd_acl_model, login_asset_acl_model]:
+        for obj in model.objects.all():
+            user_names = (obj.users or {}).get('username_group', [])
+            obj.new_users = {
+                "type": "attrs",
+                "attrs": [{"name": "username", "value": user_names, "match": "in"}]
+            }
+
+            asset_names = (obj.assets or {}).get('name_group', [])
+            asset_attrs = []
+            if asset_names:
+                asset_attrs.append({"name": "name", "value": asset_names, "match": "in"})
+            asset_address = (obj.assets or {}).get('address_group', [])
+            if asset_address:
+                asset_attrs.append({"name": "address", "value": asset_address, "match": "ip_in"})
+            obj.new_assets = {"type": "attrs", "attrs": asset_attrs}
+
+            account_usernames = (obj.accounts or {}).get('username_group', [])
+            if '*' in account_usernames:
+                account_usernames = ['@ALL']
+            obj.new_accounts = account_usernames
+            obj.save()
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ('acls', '0011_auto_20230425_1704'),
+    ]
+
+    operations = [
+        migrations.RunPython(migrate_base_acl_users_assets_accounts)
+    ]

apps/acls/migrations/0013_auto_20230426_1759.py

@@ -0,0 +1,66 @@
+# Generated by Django 3.2.17 on 2023-04-26 09:59
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ('acls', '0012_auto_20230426_1111'),
+    ]
+
+    operations = [
+        migrations.RemoveField(
+            model_name='commandfilteracl',
+            name='accounts',
+        ),
+        migrations.RemoveField(
+            model_name='commandfilteracl',
+            name='assets',
+        ),
+        migrations.RemoveField(
+            model_name='commandfilteracl',
+            name='users',
+        ),
+        migrations.RemoveField(
+            model_name='loginassetacl',
+            name='accounts',
+        ),
+        migrations.RemoveField(
+            model_name='loginassetacl',
+            name='assets',
+        ),
+        migrations.RemoveField(
+            model_name='loginassetacl',
+            name='users',
+        ),
+        migrations.RenameField(
+            model_name='commandfilteracl',
+            old_name='new_accounts',
+            new_name='accounts',
+        ),
+        migrations.RenameField(
+            model_name='commandfilteracl',
+            old_name='new_assets',
+            new_name='assets',
+        ),
+        migrations.RenameField(
+            model_name='commandfilteracl',
+            old_name='new_users',
+            new_name='users',
+        ),
+        migrations.RenameField(
+            model_name='loginassetacl',
+            old_name='new_accounts',
+            new_name='accounts',
+        ),
+        migrations.RenameField(
+            model_name='loginassetacl',
+            old_name='new_assets',
+            new_name='assets',
+        ),
+        migrations.RenameField(
+            model_name='loginassetacl',
+            old_name='new_users',
+            new_name='users',
+        ),
+    ]

apps/acls/migrations/0014_loginassetacl_rules.py

@@ -0,0 +1,18 @@
+# Generated by Django 3.2.17 on 2023-05-26 09:00
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('acls', '0013_auto_20230426_1759'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='loginassetacl',
+            name='rules',
+            field=models.JSONField(default=dict, verbose_name='Rule'),
+        ),
+    ]

apps/acls/migrations/0015_connectmethodacl.py

@@ -0,0 +1,46 @@
+# Generated by Django 3.2.17 on 2023-06-06 06:23
+
+import uuid
+
+import django.core.validators
+from django.conf import settings
+from django.db import migrations, models
+
+import common.db.fields
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+        ('acls', '0014_loginassetacl_rules'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='ConnectMethodACL',
+            fields=[
+                ('created_by', models.CharField(blank=True, max_length=128, null=True, verbose_name='Created by')),
+                ('updated_by', models.CharField(blank=True, max_length=128, null=True, verbose_name='Updated by')),
+                ('date_created', models.DateTimeField(auto_now_add=True, null=True, verbose_name='Date created')),
+                ('date_updated', models.DateTimeField(auto_now=True, verbose_name='Date updated')),
+                ('comment', models.TextField(blank=True, default='', verbose_name='Comment')),
+                ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
+                ('name', models.CharField(max_length=128, unique=True, verbose_name='Name')),
+                ('priority', models.IntegerField(default=50, help_text='1-100, the lower the value will be match first',
+                                                 validators=[django.core.validators.MinValueValidator(1),
+                                                             django.core.validators.MaxValueValidator(100)],
+                                                 verbose_name='Priority')),
+                ('action', models.CharField(default='reject', max_length=64, verbose_name='Action')),
+                ('is_active', models.BooleanField(default=True, verbose_name='Active')),
+                ('users', common.db.fields.JSONManyToManyField(default=dict, to='users.User', verbose_name='Users')),
+                ('connect_methods', models.JSONField(default=list, verbose_name='Connect methods')),
+                (
+                    'reviewers',
+                    models.ManyToManyField(blank=True, to=settings.AUTH_USER_MODEL, verbose_name='Reviewers')),
+            ],
+            options={
+                'ordering': ('priority', '-is_active', 'name'),
+                'abstract': False,
+            },
+        ),
+    ]

apps/acls/migrations/0016_auto_20230606_1857.py

@@ -0,0 +1,47 @@
+# Generated by Django 3.2.17 on 2023-06-06 10:57
+
+from django.db import migrations, models
+
+import common.db.fields
+
+
+def migrate_users_login_acls(apps, schema_editor):
+    login_acl_model = apps.get_model('acls', 'LoginACL')
+
+    name_used = []
+    login_acls = []
+    for login_acl in login_acl_model.objects.all().select_related('user'):
+        name = '{}_{}'.format(login_acl.name, login_acl.user.username)
+        if name.lower() in name_used:
+            name += '_{}'.format(str(login_acl.user_id)[:4])
+        name_used.append(name.lower())
+        login_acl.name = name
+        login_acl.users = {
+            "type": "ids", "ids": [str(login_acl.user_id)]
+        }
+        login_acls.append(login_acl)
+    login_acl_model.objects.bulk_update(login_acls, ['name', 'users'])
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ('acls', '0015_connectmethodacl'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='loginacl',
+            name='users',
+            field=common.db.fields.JSONManyToManyField(default=dict, to='users.User', verbose_name='Users'),
+        ),
+        migrations.RunPython(migrate_users_login_acls),
+        migrations.RemoveField(
+            model_name='loginacl',
+            name='user',
+        ),
+        migrations.AlterField(
+            model_name='loginacl',
+            name='name',
+            field=models.CharField(max_length=128, unique=True, verbose_name='Name'),
+        ),
+    ]

apps/acls/migrations/0017_alter_connectmethodacl_options.py

@@ -0,0 +1,16 @@
+# Generated by Django 3.2.19 on 2023-06-13 07:49
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ('acls', '0016_auto_20230606_1857'),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name='connectmethodacl',
+            options={'ordering': ('priority', '-is_active', 'name'), 'verbose_name': 'Connect method acl'},
+        ),
+    ]

apps/acls/models/__init__.py

@@ -1,3 +1,4 @@
+from .command_acl import *
+from .connect_method import *
 from .login_acl import *
 from .login_asset_acl import *
-from .command_acl import *

apps/acls/models/base.py

@@ -1,25 +1,20 @@
 from django.core.validators import MinValueValidator, MaxValueValidator
 from django.db import models
-from django.db.models import Q
 from django.utils.translation import gettext_lazy as _
 
+from common.db.fields import JSONManyToManyField
 from common.db.models import JMSBaseModel
 from common.utils import contains_ip
+from common.utils.time_period import contains_time_period
 from orgs.mixins.models import OrgModelMixin, OrgManager
+from ..const import ActionChoices
 
 __all__ = [
-    'ACLManager',
-    'BaseACL',
-    'BaseACLQuerySet',
-    'UserAssetAccountBaseACL',
-    'UserAssetAccountACLQuerySet'
+    'BaseACL', 'UserBaseACL', 'UserAssetAccountBaseACL',
 ]
 
-
-class ActionChoices(models.TextChoices):
-    reject = 'reject', _('Reject')
-    accept = 'accept', _('Accept')
-    review = 'review', _('Review')
+from orgs.utils import tmp_to_root_org
+from orgs.utils import tmp_to_org
 
 
 class BaseACLQuerySet(models.QuerySet):
@@ -36,43 +31,8 @@ class BaseACLQuerySet(models.QuerySet):
         return self.inactive()
 
 
-class UserAssetAccountACLQuerySet(BaseACLQuerySet):
-    def filter_user(self, username):
-        q = Q(users__username_group__contains=username) | \
-            Q(users__username_group__contains='*')
-        return self.filter(q)
-
-    def filter_asset(self, name=None, address=None):
-        queryset = self.filter()
-        if name:
-            q = Q(assets__name_group__contains=name) | \
-                Q(assets__name_group__contains='*')
-            queryset = queryset.filter(q)
-        if address:
-            ids = [
-                q.id for q in queryset
-                if contains_ip(address, q.assets.get('address_group', []))
-            ]
-            queryset = queryset.filter(id__in=ids)
-        return queryset
-
-    def filter_account(self, username):
-        q = Q(accounts__username_group__contains=username) | \
-            Q(accounts__username_group__contains='*')
-        return self.filter(q)
-
-
-class ACLManager(models.Manager):
-    def valid(self):
-        return self.get_queryset().valid()
-
-
-class OrgACLManager(OrgManager, ACLManager):
-    pass
-
-
 class BaseACL(JMSBaseModel):
-    name = models.CharField(max_length=128, verbose_name=_('Name'))
+    name = models.CharField(max_length=128, verbose_name=_('Name'), unique=True)
     priority = models.IntegerField(
         default=50, verbose_name=_("Priority"),
         help_text=_("1-100, the lower the value will be match first"),
@@ -83,46 +43,85 @@ class BaseACL(JMSBaseModel):
     is_active = models.BooleanField(default=True, verbose_name=_("Active"))
 
     ActionChoices = ActionChoices
-    objects = ACLManager.from_queryset(BaseACLQuerySet)()
+    objects = BaseACLQuerySet.as_manager()
 
     class Meta:
-        ordering = ('priority', 'date_updated', 'name')
+        ordering = ('priority', '-is_active', 'name')
         abstract = True
 
     def is_action(self, action):
         return self.action == action
 
+    @classmethod
+    def get_user_acls(cls, user):
+        return cls.objects.none()
 
-class UserAssetAccountBaseACL(BaseACL, OrgModelMixin):
-    # username_group
-    users = models.JSONField(verbose_name=_('User'))
-    # name_group, address_group
-    assets = models.JSONField(verbose_name=_('Asset'))
-    # username_group
-    accounts = models.JSONField(verbose_name=_('Account'))
+    @classmethod
+    def get_match_rule_acls(cls, user, ip, acl_qs=None):
+        if acl_qs is None:
+            acl_qs = cls.get_user_acls(user)
+        if not acl_qs:
+            return
 
-    objects = OrgACLManager.from_queryset(UserAssetAccountACLQuerySet)()
+        for acl in acl_qs:
+            if acl.is_action(ActionChoices.review) and not acl.reviewers.exists():
+                continue
+            ip_group = acl.rules.get('ip_group')
+            time_periods = acl.rules.get('time_period')
+            is_contain_ip = contains_ip(ip, ip_group) if ip_group else True
+            is_contain_time_period = contains_time_period(time_periods) if time_periods else True
+
+            if is_contain_ip and is_contain_time_period:
+                # 满足条件，则返回
+                return acl
+        return None
+
+
+class UserBaseACL(BaseACL):
+    users = JSONManyToManyField('users.User', default=dict, verbose_name=_('Users'))
 
     class Meta(BaseACL.Meta):
-        unique_together = ('name', 'org_id')
+        abstract = True
+
+    @classmethod
+    def get_user_acls(cls, user):
+        queryset = cls.objects.all()
+        with tmp_to_root_org():
+            q = cls.users.get_filter_q(user)
+        queryset = queryset.filter(q)
+        return queryset.filter(is_active=True).distinct()
+
+
+class UserAssetAccountBaseACL(OrgModelMixin, UserBaseACL):
+    name = models.CharField(max_length=128, verbose_name=_('Name'))
+    assets = JSONManyToManyField('assets.Asset', default=dict, verbose_name=_('Assets'))
+    accounts = models.JSONField(default=list, verbose_name=_("Accounts"))
+    objects = OrgManager.from_queryset(BaseACLQuerySet)()
+
+    class Meta(UserBaseACL.Meta):
+        unique_together = [('name', 'org_id')]
         abstract = True
 
     @classmethod
     def filter_queryset(cls, user=None, asset=None, account=None, account_username=None, **kwargs):
         queryset = cls.objects.all()
-        org_id = None
+
         if user:
-            queryset = queryset.filter_user(user.username)
-        if account:
-            org_id = account.org_id
-            queryset = queryset.filter_account(account.username)
-        if account_username:
-            queryset = queryset.filter_account(username=account_username)
+            q = cls.users.get_filter_q(user)
+            queryset = queryset.filter(q)
+
         if asset:
             org_id = asset.org_id
-            queryset = queryset.filter_asset(asset.name, asset.address)
-        if org_id:
-            kwargs['org_id'] = org_id
+            with tmp_to_org(org_id):
+                q = cls.assets.get_filter_q(asset)
+            queryset = queryset.filter(q)
+        if account and not account_username:
+            account_username = account.username
+        if account_username:
+            q = models.Q(accounts__contains=account_username) | \
+                models.Q(accounts__contains='*') | \
+                models.Q(accounts__contains='@ALL')
+            queryset = queryset.filter(q)
         if kwargs:
             queryset = queryset.filter(**kwargs)
-        return queryset
+        return queryset.valid().distinct()

apps/acls/models/connect_method.py

@@ -0,0 +1,14 @@
+from django.db import models
+from django.utils.translation import gettext_lazy as _
+
+from .base import UserBaseACL
+
+__all__ = ['ConnectMethodACL']
+
+
+class ConnectMethodACL(UserBaseACL):
+    connect_methods = models.JSONField(default=list, verbose_name=_('Connect methods'))
+
+    class Meta(UserBaseACL.Meta):
+        verbose_name = _('Connect method acl')
+        abstract = False