fix: 组织管理员 添加 view platform perm

Co-authored-by: feng626 <1304903146@qq.com>

.dockerignore

@@ -1,4 +1,5 @@
 .git
+logs/*
 data/*
 .github
 tmp/*
@@ -6,5 +7,4 @@ django.db
 celerybeat.pid
 ### Vagrant ###
 .vagrant/
-apps/xpack/.git
-.history/
+apps/xpack/.git

.gitattributes

@@ -1,4 +1,2 @@
 *.mmdb filter=lfs diff=lfs merge=lfs -text
 *.mo filter=lfs diff=lfs merge=lfs -text
-*.ipdb filter=lfs diff=lfs merge=lfs -text
-

.github/ISSUE_TEMPLATE/----.md

@@ -3,10 +3,8 @@ name: 需求建议
 about: 提出针对本项目的想法和建议
 title: "[Feature] "
 labels: 类型:需求
-assignees: 
-  - ibuler
-  - baijiangjie
-  - wojiushixiaobai
+assignees: ibuler
+
 ---
 
 **请描述您的需求或者改进建议.**

.github/ISSUE_TEMPLATE/bug---.md

@@ -3,13 +3,11 @@ name: Bug 提交
 about: 提交产品缺陷帮助我们更好的改进
 title: "[Bug] "
 labels: 类型:bug
-assignees: 
-   - wojiushixiaobai
-   - baijiangjie
+assignees: wojiushixiaobai
 
 ---
 
-**JumpServer 版本( v2.28 之前的版本不再支持 )**
+**JumpServer 版本(v1.5.9以下不再支持)**
 
 
 **浏览器版本**
@@ -19,6 +17,6 @@ assignees:
 
 
 **Bug 重现步骤(有截图更好)**
-1.
-2.
-3.
+1.  
+2. 
+3. 

.github/ISSUE_TEMPLATE/question.md

@@ -3,9 +3,7 @@ name: 问题咨询
 about: 提出针对本项目安装部署、使用及其他方面的相关问题
 title: "[Question] "
 labels: 类型:提问
-assignees: 
-  - wojiushixiaobai
-  - baijiangjie
+assignees: wojiushixiaobai
 
 ---
 

.github/release-config.yml

@@ -41,5 +41,4 @@ version-resolver:
   default: patch
 template: |
   ## 版本变化  What’s Changed
-  $CHANGES
-
+  $CHANGES

.github/workflows/issue-comment.yml

@@ -21,44 +21,17 @@ jobs:
           actions: 'remove-labels'
           labels: '状态:待反馈'
 
-  add-label-if-is-member:
+  add-label-if-not-author:
     runs-on: ubuntu-latest
+    if: (github.event.issue.user.id != github.event.comment.user.id) && !github.event.issue.pull_request && (github.event.issue.state == 'open')
     steps:
-      - name: Checkout repository
-        uses: actions/checkout@v2
-
-      - name: Get Organization name
-        id: org_name
-        run: echo "data=$(echo '${{ github.repository }}' | cut -d '/' -f 1)" >> $GITHUB_OUTPUT
-
-      - name: Get Organization public members
-        uses: octokit/request-action@v2.x
-        id: members
-        with:
-          route: GET /orgs/${{ steps.org_name.outputs.data }}/public_members
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Process public members data
-        # 将 members 中的数据转化为 login 字段的拼接字符串
-        id: member_names
-        run: echo "data=$(echo '${{ steps.members.outputs.data }}' | jq '[.[].login] | join(",")')" >> $GITHUB_OUTPUT
-
-
-      - run: "echo members: '${{ steps.members.outputs.data }}'"
-      - run: "echo member names: '${{ steps.member_names.outputs.data }}'"
-      - run: "echo comment user: '${{ github.event.comment.user.login }}'"
-      - run: "echo contains? : '${{ contains(steps.member_names.outputs.data, github.event.comment.user.login) }}'"
-
       - name: Add require replay label
-        if: contains(steps.member_names.outputs.data, github.event.comment.user.login)
         uses: actions-cool/issues-helper@v2
         with:
           actions: 'add-labels'
           labels: '状态:待反馈'
 
       - name: Remove require handle label
-        if: contains(steps.member_names.outputs.data, github.event.comment.user.login)
         uses: actions-cool/issues-helper@v2
         with:
           actions: 'remove-labels'

.github/workflows/jms-build-test.yml

@@ -1,36 +0,0 @@
-name: "Run Build Test"
-on:
-  push:
-    branches:
-      - pr@*
-      - repr@*
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v3
-
-    - uses: docker/setup-qemu-action@v2
-
-    - uses: docker/setup-buildx-action@v2
-
-    - uses: docker/build-push-action@v3
-      with:
-        context: .
-        push: false
-        tags: jumpserver/core:test
-        file: Dockerfile
-        build-args: |
-          APT_MIRROR=http://deb.debian.org
-          PIP_MIRROR=https://pypi.org/simple
-          PIP_JMS_MIRROR=https://pypi.org/simple
-        cache-from: type=gha
-        cache-to: type=gha,mode=max
-
-    - uses: LouisBrunner/checks-action@v1.5.0
-      if: always()
-      with:
-        token: ${{ secrets.GITHUB_TOKEN }}
-        name: Check Build
-        conclusion: ${{ job.status }}

.github/workflows/lgtm.yml

@@ -0,0 +1,18 @@
+name: Send LGTM reaction
+
+on:
+  issue_comment:
+    types: [created]
+  pull_request_review:
+    types: [submitted]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@1.0.0
+      - uses: micnncim/action-lgtm-reaction@master
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          trigger: '["^.?lgtm$"]'

.github/workflows/release-drafter.yml

@@ -21,7 +21,7 @@ jobs:
           TAG=$(basename ${GITHUB_REF})
           VERSION=${TAG/v/}
           wget https://raw.githubusercontent.com/jumpserver/installer/master/quick_start.sh
-          sed -i "s@VERSION=dev@VERSION=v${VERSION}@g" quick_start.sh
+          sed -i "s@Version=.*@Version=v${VERSION}@g" quick_start.sh
           echo "::set-output name=TAG::$TAG"
           echo "::set-output name=VERSION::$VERSION"
       - name: Create Release

.github/workflows/sync-gitee.yml

@@ -20,4 +20,4 @@ jobs:
           SSH_PRIVATE_KEY: ${{ secrets.GITEE_SSH_PRIVATE_KEY }}
         with:
           source-repo: 'git@github.com:jumpserver/jumpserver.git'
-          destination-repo: 'git@gitee.com:fit2cloud-feizhiyun/JumpServer.git'
+          destination-repo: 'git@gitee.com:jumpserver/jumpserver.git'

.gitignore

@@ -16,7 +16,6 @@ dump.rdb
 .cache/
 .idea/
 .vscode/
-.fleet/
 db.sqlite3
 config.py
 config.yml
@@ -32,14 +31,12 @@ media
 celerybeat.pid
 django.db
 celerybeat-schedule.db
+data/static
 docs/_build/
 xpack
-xpack.bak
+logs/*
 ### Vagrant ###
 .vagrant/
 release/*
 releashe
 /apps/script.py
-data/*
-test.py
-.history/

.isort.cfg

@@ -1,3 +0,0 @@
-[settings]
-line_length=120
-known_first_party=common,users,assets,perms,authentication,jumpserver,notification,ops,orgs,rbac,settings,terminal,tickets

CODE_OF_CONDUCT.md

@@ -126,4 +126,3 @@ enforcement ladder](https://github.com/mozilla/diversity).
 For answers to common questions about this code of conduct, see the FAQ at
 https://www.contributor-covenant.org/faq. Translations are available at
 https://www.contributor-covenant.org/translations.
-

CONTRIBUTING.md

@@ -23,4 +23,3 @@ When reporting issues, always include:
 
 Because the issues are open to the public, when submitting files, be sure to remove any sensitive information, e.g. user name, password, IP address, and company name. You can
 replace those parts with "REDACTED" or other strings like "****".
-

Dockerfile

@@ -1,6 +1,6 @@
-FROM jumpserver/python:3.9-slim-buster as stage-build
-ARG TARGETARCH
-
+# 编译代码
+FROM python:3.8-slim as stage-build
+MAINTAINER JumpServer Team <ibuler@qq.com>
 ARG VERSION
 ENV VERSION=$VERSION
 
@@ -8,108 +8,80 @@ WORKDIR /opt/jumpserver
 ADD . .
 RUN cd utils && bash -ixeu build.sh
 
-FROM jumpserver/python:3.9-slim-buster
-ARG TARGETARCH
-MAINTAINER JumpServer Team <ibuler@qq.com>
-
-ARG BUILD_DEPENDENCIES="              \
-        g++                           \
-        make                          \
-        pkg-config"
-
-ARG DEPENDENCIES="                    \
-        freetds-dev                   \
-        libpq-dev                     \
-        libffi-dev                    \
-        libjpeg-dev                   \
-        libldap2-dev                  \
-        libsasl2-dev                  \
-        libssl-dev                    \
-        libxml2-dev                   \
-        libxmlsec1-dev                \
-        libxmlsec1-openssl            \
-        freerdp2-dev                  \
-        libaio-dev"
-
-ARG TOOLS="                           \
-        ca-certificates               \
-        curl                          \
-        default-libmysqlclient-dev    \
-        default-mysql-client          \
-        locales                       \
-        openssh-client                \
-        procps                        \
-        sshpass                       \
-        telnet                        \
-        unzip                         \
-        vim                           \
-        git                           \
-        wget"
-
-ARG APT_MIRROR=http://mirrors.ustc.edu.cn
-
-RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=core \
-    sed -i "s@http://.*.debian.org@${APT_MIRROR}@g" /etc/apt/sources.list \
-    && rm -f /etc/apt/apt.conf.d/docker-clean \
-    && ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
-    && apt-get update \
-    && apt-get -y install --no-install-recommends ${BUILD_DEPENDENCIES} \
-    && apt-get -y install --no-install-recommends ${DEPENDENCIES} \
-    && apt-get -y install --no-install-recommends ${TOOLS} \
-    && mkdir -p /root/.ssh/ \
-    && echo "Host *\n\tStrictHostKeyChecking no\n\tUserKnownHostsFile /dev/null\n\tCiphers +aes128-cbc\n\tKexAlgorithms +diffie-hellman-group1-sha1\n\tHostKeyAlgorithms +ssh-rsa" > /root/.ssh/config \
-    && echo "set mouse-=a" > ~/.vimrc \
-    && echo "no" | dpkg-reconfigure dash \
-    && echo "zh_CN.UTF-8" | dpkg-reconfigure locales \
-    && sed -i "s@# export @export @g" ~/.bashrc \
-    && sed -i "s@# alias @alias @g" ~/.bashrc \
-    && rm -rf /var/lib/apt/lists/*
-
-ARG DOWNLOAD_URL=https://download.jumpserver.org
-
-RUN set -ex \
-    && \
-    if [ "${TARGETARCH}" == "amd64" ] || [ "${TARGETARCH}" == "arm64" ]; then \
-        mkdir -p /opt/oracle; \
-        cd /opt/oracle; \
-        wget ${DOWNLOAD_URL}/public/instantclient-basiclite-linux.${TARGETARCH}-19.10.0.0.0.zip; \
-        unzip instantclient-basiclite-linux.${TARGETARCH}-19.10.0.0.0.zip; \
-        echo "/opt/oracle/instantclient_19_10" > /etc/ld.so.conf.d/oracle-instantclient.conf; \
-        ldconfig; \
-        rm -f instantclient-basiclite-linux.${TARGETARCH}-19.10.0.0.0.zip; \
-    fi
-
-WORKDIR /tmp/build
-COPY ./requirements ./requirements
-
+FROM python:3.8-slim
 ARG PIP_MIRROR=https://pypi.douban.com/simple
+ENV PIP_MIRROR=$PIP_MIRROR
 ARG PIP_JMS_MIRROR=https://pypi.douban.com/simple
-
-RUN --mount=type=cache,target=/root/.cache/pip \
-    set -ex \
-    && pip config set global.index-url ${PIP_MIRROR} \
-    && pip install --upgrade pip \
-    && pip install --upgrade setuptools wheel \
-    && \
-    if [ "${TARGETARCH}" == "loong64" ]; then \
-        pip install https://download.jumpserver.org/pypi/simple/cryptography/cryptography-38.0.4-cp39-cp39-linux_loongarch64.whl; \
-        pip install https://download.jumpserver.org/pypi/simple/greenlet/greenlet-1.1.2-cp39-cp39-linux_loongarch64.whl; \
-        pip install https://download.jumpserver.org/pypi/simple/PyNaCl/PyNaCl-1.5.0-cp39-cp39-linux_loongarch64.whl; \
-        pip install https://download.jumpserver.org/pypi/simple/grpcio/grpcio-1.54.2-cp39-cp39-linux_loongarch64.whl; \
-    fi \
-    && pip install $(grep -E 'jms|jumpserver' requirements/requirements.txt) -i ${PIP_JMS_MIRROR} \
-    && pip install -r requirements/requirements.txt
-
-COPY --from=stage-build /opt/jumpserver/release/jumpserver /opt/jumpserver
-RUN echo > /opt/jumpserver/config.yml \
-    && rm -rf /tmp/build
+ENV PIP_JMS_MIRROR=$PIP_JMS_MIRROR
 
 WORKDIR /opt/jumpserver
+
+ARG BUILD_DEPENDENCIES="              \
+    g++                               \
+    make                              \
+    pkg-config"
+
+ARG DEPENDENCIES="                    \
+    default-libmysqlclient-dev        \
+    freetds-dev                       \
+    libpq-dev                         \
+    libffi-dev                        \
+    libldap2-dev                      \
+    libsasl2-dev                      \
+    libxml2-dev                       \
+    libxmlsec1-dev                    \
+    libxmlsec1-openssl                \
+    libaio-dev                        \
+    sshpass"
+
+ARG TOOLS="                           \
+    curl                              \
+    default-mysql-client              \
+    iproute2                          \
+    iputils-ping                      \
+    locales                           \
+    procps                            \
+    redis-tools                       \
+    telnet                            \
+    vim                               \
+    wget"
+
+RUN sed -i 's/deb.debian.org/mirrors.aliyun.com/g' /etc/apt/sources.list \
+    && sed -i 's/security.debian.org/mirrors.aliyun.com/g' /etc/apt/sources.list \
+    && apt update \
+    && apt -y install ${BUILD_DEPENDENCIES} \
+    && apt -y install ${DEPENDENCIES} \
+    && apt -y install ${TOOLS} \
+    && localedef -c -f UTF-8 -i zh_CN zh_CN.UTF-8 \
+    && cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
+    && mkdir -p /root/.ssh/ \
+    && echo "Host *\n\tStrictHostKeyChecking no\n\tUserKnownHostsFile /dev/null" > /root/.ssh/config \
+    && sed -i "s@# alias l@alias l@g" ~/.bashrc \
+    && echo "set mouse-=a" > ~/.vimrc \
+    && rm -rf /var/lib/apt/lists/* \
+    && mv /bin/sh /bin/sh.bak  \
+    && ln -s /bin/bash /bin/sh
+
+RUN mkdir -p /opt/jumpserver/oracle/ \
+    && wget https://download.jumpserver.org/public/instantclient-basiclite-linux.x64-21.1.0.0.0.tar \
+    && tar xf instantclient-basiclite-linux.x64-21.1.0.0.0.tar -C /opt/jumpserver/oracle/ \
+    && echo "/opt/jumpserver/oracle/instantclient_21_1" > /etc/ld.so.conf.d/oracle-instantclient.conf \
+    && ldconfig \
+    && rm -f instantclient-basiclite-linux.x64-21.1.0.0.0.tar
+
+COPY --from=stage-build /opt/jumpserver/release/jumpserver /opt/jumpserver
+
+RUN echo > config.yml \
+    && pip install --upgrade pip==20.2.4 setuptools==49.6.0 wheel==0.34.2 -i ${PIP_MIRROR} \
+    && pip install --no-cache-dir $(grep -E 'jms|jumpserver' requirements/requirements.txt) -i ${PIP_JMS_MIRROR} \
+    && pip install --no-cache-dir -r requirements/requirements.txt -i ${PIP_MIRROR} \
+    && rm -rf ~/.cache/pip
+
 VOLUME /opt/jumpserver/data
 VOLUME /opt/jumpserver/logs
 
 ENV LANG=zh_CN.UTF-8
 
+EXPOSE 8070
 EXPOSE 8080
-
 ENTRYPOINT ["./entrypoint.sh"]

Dockerfile-ee

@@ -1,10 +0,0 @@
-ARG VERSION
-FROM registry.fit2cloud.com/jumpserver/xpack:${VERSION} as build-xpack
-FROM jumpserver/core:${VERSION}
-COPY --from=build-xpack /opt/xpack /opt/jumpserver/apps/xpack
-
-WORKDIR /opt/jumpserver
-
-RUN --mount=type=cache,target=/root/.cache/pip \
-    set -ex \
-    && pip install -r requirements/requirements_xpack.txt

GITSHA

@@ -1 +0,0 @@
-fcfd7bb469b89c09ec8ed90ef0257266bb63a557

LICENSE

@@ -671,5 +671,4 @@ into proprietary programs.  If your program is a subroutine library, you
 may consider it more useful to permit linking proprietary applications with
 the library.  If this is what you want to do, use the GNU Lesser General
 Public License instead of this License.  But first, please read
-<https://www.gnu.org/licenses/why-not-lgpl.html>.
-
+<https://www.gnu.org/licenses/why-not-lgpl.html>.

README.md

@@ -1,126 +1,134 @@
-<p align="center">
-  <a href="https://jumpserver.org"><img src="https://download.jumpserver.org/images/jumpserver-logo.svg" alt="JumpServer" width="300" /></a>
-</p>
-<h3 align="center">广受欢迎的开源堡垒机</h3>
+<p align="center"><a href="https://jumpserver.org"><img src="https://download.jumpserver.org/images/jumpserver-logo.svg" alt="JumpServer" width="300" /></a></p>
+<h3 align="center">多云环境下更好用的堡垒机</h3>
 
 <p align="center">
   <a href="https://www.gnu.org/licenses/gpl-3.0.html"><img src="https://img.shields.io/github/license/jumpserver/jumpserver" alt="License: GPLv3"></a>
-  <a href="https://hub.docker.com/u/jumpserver"><img src="https://img.shields.io/docker/pulls/jumpserver/jms_all.svg" alt="Docker pulls"></a>
-  <a href="https://github.com/jumpserver/jumpserver/releases/latest"><img src="https://img.shields.io/github/v/release/jumpserver/jumpserver" alt="Latest release"></a>
+  <a href="https://shields.io/github/downloads/jumpserver/jumpserver/total"><img src="https://shields.io/github/downloads/jumpserver/jumpserver/total" alt=" release"></a>
+  <a href="https://hub.docker.com/u/jumpserver"><img src="https://img.shields.io/docker/pulls/jumpserver/jms_all.svg" alt="Codacy"></a>
   <a href="https://github.com/jumpserver/jumpserver"><img src="https://img.shields.io/github/stars/jumpserver/jumpserver?color=%231890FF&style=flat-square" alt="Stars"></a>
 </p>
 
+--------------------------
+- [ENGLISH](https://github.com/jumpserver/jumpserver/blob/master/README_EN.md)
 
-<p align="center">
-    JumpServer <a href="https://github.com/jumpserver/jumpserver/releases/tag/v3.0.0">v3.0</a> 正式发布。
-    <br>
-    9 年时间，倾情投入，用心做好一款开源堡垒机。
-</p>
 
-JumpServer 是广受欢迎的开源堡垒机，是符合 4A 规范的专业运维安全审计系统。
 
-JumpServer 堡垒机帮助企业以更安全的方式管控和登录各种类型的资产，包括：
+JumpServer 是全球首款开源的堡垒机，使用 GPLv3 开源协议，是符合 4A 规范的运维安全审计系统。
 
-- **SSH**: Linux / Unix / 网络设备 等；
-- **Windows**: Web 方式连接 / 原生 RDP 连接；
-- **数据库**: MySQL / MariaDB / PostgreSQL / Oracle / SQLServer / ClickHouse 等；
-- **NoSQL**: Redis / MongoDB 等；
-- **GPT**: ChatGPT 等;
-- **云服务**: Kubernetes / VMware vSphere 等;
-- **Web 站点**: 各类系统的 Web 管理后台；
-- **应用**: 通过 Remote App 连接各类应用。
+JumpServer 使用 Python 开发，遵循 Web 2.0 规范，配备了业界领先的 Web Terminal 方案，交互界面美观、用户体验好。
 
-## 产品特色
+JumpServer 采纳分布式架构，支持多机房跨区域部署，支持横向扩展，无资产数量及并发限制。
 
-- **开源**: 零门槛，线上快速获取和安装；
-- **无插件**: 仅需浏览器，极致的 Web Terminal 使用体验；
-- **分布式**: 支持分布式部署和横向扩展，轻松支持大规模并发访问；
-- **多云支持**: 一套系统，同时管理不同云上面的资产；
-- **多租户**: 一套系统，多个子公司或部门同时使用；
-- **云端存储**: 审计录像云端存储，永不丢失；
+改变世界，从一点点开始 ...
 
-## UI 展示
+> 如需进一步了解 JumpServer 开源项目，推荐阅读 [JumpServer 的初心和使命](https://mp.weixin.qq.com/s/S6q_2rP_9MwaVwyqLQnXzA)
 
-![UI展示](https://docs.jumpserver.org/zh/v3/img/dashboard.png)
+### 特色优势
 
-## 在线体验
+- 开源: 零门槛，线上快速获取和安装；
+- 分布式: 轻松支持大规模并发访问；
+- 无插件: 仅需浏览器，极致的 Web Terminal 使用体验；
+- 多云支持: 一套系统，同时管理不同云上面的资产；
+- 云端存储: 审计录像云端存储，永不丢失；
+- 多租户: 一套系统，多个子公司和部门同时使用；
+- 多应用支持: 数据库，Windows远程应用，Kubernetes。
 
-- 环境地址：<https://demo.jumpserver.org/>
+### UI 展示
+
+![UI展示](https://www.jumpserver.org/images/screenshot/1.png)
+
+### 在线体验
+
+-   环境地址：<https://demo.jumpserver.org/>
 
 | :warning: 注意                 |
-|:-----------------------------|
+| :--------------------------- |
 | 该环境仅作体验目的使用，我们会定时清理、重置数据！    |
 | 请勿修改体验环境用户的密码！               |
 | 请勿在环境中添加业务生产环境地址、用户名密码等敏感信息！ |
 
-## 快速开始
+### 快速开始
 
-- [快速入门](https://docs.jumpserver.org/zh/v3/quick_start/)
-- [产品文档](https://docs.jumpserver.org)
-- [在线学习](https://edu.fit2cloud.com/page/2635362)
-- [知识库](https://kb.fit2cloud.com/categories/jumpserver)
+- [极速安装](https://docs.jumpserver.org/zh/master/install/setup_by_fast/)
+- [完整文档](https://docs.jumpserver.org)
+- [演示视频](https://www.bilibili.com/video/BV1ZV41127GB)
+- [手动安装](https://github.com/jumpserver/installer)
 
-## 案例研究
+### 组件项目
+- [Lina](https://github.com/jumpserver/lina) JumpServer Web UI 项目
+- [Luna](https://github.com/jumpserver/luna) JumpServer Web Terminal 项目
+- [KoKo](https://github.com/jumpserver/koko) JumpServer 字符协议 Connector 项目，替代原来 Python 版本的 [Coco](https://github.com/jumpserver/coco)
+- [Lion](https://github.com/jumpserver/lion-release) JumpServer 图形协议 Connector 项目，依赖 [Apache Guacamole](https://guacamole.apache.org/)
+- [Clients](https://github.com/jumpserver/clients) JumpServer 客户端 项目
+- [Installer](https://github.com/jumpserver/installer) JumpServer 安装包 项目
 
-- [腾讯海外游戏：基于JumpServer构建游戏安全运营能力](https://blog.fit2cloud.com/?p=3704)
-- [万华化学：通过JumpServer管理全球化分布式IT资产，并且实现与云管平台的联动](https://blog.fit2cloud.com/?p=3504)
-- [雪花啤酒：JumpServer堡垒机使用体会](https://blog.fit2cloud.com/?p=3412)
-- [顺丰科技：JumpServer 堡垒机护航顺丰科技超大规模资产安全运维](https://blog.fit2cloud.com/?p=1147)
-- [沐瞳游戏：通过JumpServer管控多项目分布式资产](https://blog.fit2cloud.com/?p=3213)
-- [携程：JumpServer 堡垒机部署与运营实战](https://blog.fit2cloud.com/?p=851)
-- [大智慧：JumpServer 堡垒机让“大智慧”的混合 IT 运维更智慧](https://blog.fit2cloud.com/?p=882)
-- [小红书：JumpServer 堡垒机大规模资产跨版本迁移之路](https://blog.fit2cloud.com/?p=516)
-- [中手游：JumpServer堡垒机助力中手游提升多云环境下安全运维能力](https://blog.fit2cloud.com/?p=732)
-- [中通快递：JumpServer主机安全运维实践](https://blog.fit2cloud.com/?p=708)
-- [东方明珠：JumpServer高效管控异构化、分布式云端资产](https://blog.fit2cloud.com/?p=687)
-- [江苏农信：JumpServer堡垒机助力行业云安全运维](https://blog.fit2cloud.com/?p=666)
+### 社区
 
-## 社区交流
+如果您在使用过程中有任何疑问或对建议，欢迎提交 [GitHub Issue](https://github.com/jumpserver/jumpserver/issues/new/choose) 或加入到我们的社区当中进行进一步交流沟通。
 
-如果您在使用过程中有任何疑问或对建议，欢迎提交 [GitHub Issue](https://github.com/jumpserver/jumpserver/issues/new/choose)。
+#### 微信交流群
 
-您也可以到我们的 [社区论坛](https://bbs.fit2cloud.com/c/js/5) 当中进行交流沟通。
+<img src="https://download.jumpserver.org/images/wecom-group.jpeg" alt="微信群二维码" width="200"/>
 
-### 参与贡献
+### 贡献
+如果有你好的想法创意，或者帮助我们修复了 Bug, 欢迎提交 Pull Request
 
-欢迎提交 PR 参与贡献。感谢以下贡献者，他们让 JumpServer 变的越来越好。
+感谢以下贡献者，让 JumpServer 更加完善
 
-<a href="https://github.com/jumpserver/jumpserver/graphs/contributors"><img src="https://opencollective.com/jumpserver/contributors.svg?width=890&button=false" /></a>
+<a href="https://github.com/jumpserver/jumpserver/graphs/contributors">
+  <img src="https://contrib.rocks/image?repo=jumpserver/jumpserver" />
+</a>
 
-## 组件项目
+<a href="https://github.com/jumpserver/koko/graphs/contributors">
+  <img src="https://contrib.rocks/image?repo=jumpserver/koko" />
+</a>
 
-| 项目                                                     | 状态                                                                                                                                                                     | 描述                                                                                |
-|--------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------|
-| [Lina](https://github.com/jumpserver/lina)             | <a href="https://github.com/jumpserver/lina/releases"><img alt="Lina release" src="https://img.shields.io/github/release/jumpserver/lina.svg" /></a>                   | JumpServer Web UI 项目                                                              |
-| [Luna](https://github.com/jumpserver/luna)             | <a href="https://github.com/jumpserver/luna/releases"><img alt="Luna release" src="https://img.shields.io/github/release/jumpserver/luna.svg" /></a>                   | JumpServer Web Terminal 项目                                                        |
-| [KoKo](https://github.com/jumpserver/koko)             | <a href="https://github.com/jumpserver/koko/releases"><img alt="Koko release" src="https://img.shields.io/github/release/jumpserver/koko.svg" /></a>                   | JumpServer 字符协议 Connector 项目                                                      |
-| [Lion](https://github.com/jumpserver/lion-release)     | <a href="https://github.com/jumpserver/lion-release/releases"><img alt="Lion release" src="https://img.shields.io/github/release/jumpserver/lion-release.svg" /></a>   | JumpServer 图形协议 Connector 项目，依赖 [Apache Guacamole](https://guacamole.apache.org/) |
-| [Razor](https://github.com/jumpserver/razor)           | <img alt="Chen" src="https://img.shields.io/badge/release-私有发布-red" />                                                                                                 | JumpServer RDP 代理 Connector 项目                                                    |
-| [Tinker](https://github.com/jumpserver/tinker)         | <img alt="Tinker" src="https://img.shields.io/badge/release-私有发布-red" />                                                                                               | JumpServer 远程应用 Connector 项目                                                      |
-| [Magnus](https://github.com/jumpserver/magnus-release) | <a href="https://github.com/jumpserver/magnus-release/releases"><img alt="Magnus release" src="https://img.shields.io/github/release/jumpserver/magnus-release.svg" /> | JumpServer 数据库代理 Connector 项目                                                     |
-| [Chen](https://github.com/jumpserver/chen-release)     | <a href="https://github.com/jumpserver/chen-release/releases"><img alt="Chen release" src="https://img.shields.io/github/release/jumpserver/chen-release.svg" />       | JumpServer Web DB 项目，替代原来的 OmniDB                                                 |
-| [Kael](https://github.com/jumpserver/kael)             | <a href="https://github.com/jumpserver/kael/releases"><img alt="Kael release" src="https://img.shields.io/github/release/jumpserver/kael.svg" />                       | JumpServer 连接 GPT 资产的组件项目                                                         |
-| [Wisp](https://github.com/jumpserver/wisp)             | <a href="https://github.com/jumpserver/wisp/releases"><img alt="Magnus release" src="https://img.shields.io/github/release/jumpserver/wisp.svg" />                     | JumpServer 各系统终端组件和 Core Api 通信的组件项目                                              |
-| [Clients](https://github.com/jumpserver/clients)       | <a href="https://github.com/jumpserver/clients/releases"><img alt="Clients release" src="https://img.shields.io/github/release/jumpserver/clients.svg" />              | JumpServer 客户端 项目                                                                 |
-| [Installer](https://github.com/jumpserver/installer)   | <a href="https://github.com/jumpserver/installer/releases"><img alt="Installer release" src="https://img.shields.io/github/release/jumpserver/installer.svg" />        | JumpServer 安装包 项目                                                                 |
+<a href="https://github.com/jumpserver/lina/graphs/contributors">
+  <img src="https://contrib.rocks/image?repo=jumpserver/lina" />
+</a>
 
-## 安全说明
+<a href="https://github.com/jumpserver/luna/graphs/contributors">
+  <img src="https://contrib.rocks/image?repo=jumpserver/luna" />
+</a>
 
-JumpServer是一款安全产品，请参考 [基本安全建议](https://docs.jumpserver.org/zh/master/install/install_security/)
-进行安装部署。如果您发现安全相关问题，请直接联系我们：
 
-- 邮箱：support@fit2cloud.com
-- 电话：400-052-0755
 
-## License & Copyright
+### 致谢
+- [Apache Guacamole](https://guacamole.apache.org/) Web页面连接 RDP, SSH, VNC协议设备，JumpServer 图形化组件 Lion 依赖 
+- [OmniDB](https://omnidb.org/) Web页面连接使用数据库，JumpServer Web数据库依赖
 
-Copyright (c) 2014-2023 飞致云 FIT2CLOUD, All rights reserved.
 
-Licensed under The GNU General Public License version 3 (GPLv3)  (the "License"); you may not use this file except in
-compliance with the License. You may obtain a copy of the License at
+### JumpServer 企业版 
+- [申请企业版试用](https://jinshuju.net/f/kyOYpi)
+
+### 案例研究
+
+- [JumpServer 堡垒机护航顺丰科技超大规模资产安全运维](https://blog.fit2cloud.com/?p=1147)；
+- [JumpServer 堡垒机让“大智慧”的混合 IT 运维更智慧](https://blog.fit2cloud.com/?p=882)；
+- [携程 JumpServer 堡垒机部署与运营实战](https://blog.fit2cloud.com/?p=851)；
+- [小红书的JumpServer堡垒机大规模资产跨版本迁移之路](https://blog.fit2cloud.com/?p=516)；
+- [JumpServer堡垒机助力中手游提升多云环境下安全运维能力](https://blog.fit2cloud.com/?p=732)；
+- [中通快递：JumpServer主机安全运维实践](https://blog.fit2cloud.com/?p=708)；
+- [东方明珠：JumpServer高效管控异构化、分布式云端资产](https://blog.fit2cloud.com/?p=687)；
+- [江苏农信：JumpServer堡垒机助力行业云安全运维](https://blog.fit2cloud.com/?p=666)。
+
+### 安全说明
+
+JumpServer是一款安全产品，请参考 [基本安全建议](https://docs.jumpserver.org/zh/master/install/install_security/) 部署安装.
+
+如果你发现安全问题，可以直接联系我们：
+
+- ibuler@fit2cloud.com 
+- support@fit2cloud.com 
+- 400-052-0755
+
+### License & Copyright
+
+Copyright (c) 2014-2022 飞致云 FIT2CLOUD, All rights reserved.
+
+Licensed under The GNU General Public License version 3 (GPLv3)  (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
 
 https://www.gnu.org/licenses/gpl-3.0.html
 
-Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "
-AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific
-language governing permissions and limitations under the License.
+Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
+

README_EN.md

@@ -92,3 +92,4 @@ Licensed under The GNU General Public License version 3 (GPLv3)  (the "License")
 https://www.gnu.org/licenses/gpl-3.0.htmll
 
 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
+

SECURITY.md

@@ -18,4 +18,3 @@ All security bugs should be reported to the contact as below:
 - ibuler@fit2cloud.com
 - support@fit2cloud.com
 - 400-052-0755
-

Vagrantfile

@@ -0,0 +1,56 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+Vagrant.configure("2") do |config|
+  # The most common configuration options are documented and commented below.
+  # For a complete reference, please see the online documentation at
+  # https://docs.vagrantup.com.
+
+  # Every Vagrant development environment requires a box. You can search for
+  # boxes at https://vagrantcloud.com/search.
+  config.vm.box_check_update = false
+  config.vm.box = "centos/7"
+  config.vm.hostname = "jumpserver"
+  config.vm.network "private_network", ip: "172.17.8.101"
+  config.vm.provider "virtualbox" do |vb|
+    vb.memory = "4096"
+    vb.cpus = 2
+    vb.name = "jumpserver"
+  end
+
+  config.vm.synced_folder ".", "/vagrant", type: "rsync",
+    rsync__verbose: true,
+    rsync__exclude: ['.git*', 'node_modules*','*.log','*.box','Vagrantfile']
+
+  config.vm.provision "shell", inline: <<-SHELL
+## 设置yum的阿里云源
+sudo curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
+sudo sed -i -e '/mirrors.cloud.aliyuncs.com/d' -e '/mirrors.aliyuncs.com/d' /etc/yum.repos.d/CentOS-Base.repo
+sudo curl -o /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo
+sudo yum makecache
+
+## 安装依赖包
+sudo yum install -y python36 python36-devel python36-pip \
+		 libtiff-devel libjpeg-devel libzip-devel freetype-devel \
+     lcms2-devel libwebp-devel tcl-devel tk-devel sshpass \
+     openldap-devel mariadb-devel mysql-devel libffi-devel \
+     openssh-clients telnet openldap-clients gcc
+
+## 配置pip阿里云源
+mkdir /home/vagrant/.pip
+cat << EOF | sudo tee -a /home/vagrant/.pip/pip.conf
+[global]
+timeout = 6000
+index-url = https://mirrors.aliyun.com/pypi/simple/
+
+[install]
+use-mirrors = true
+mirrors = https://mirrors.aliyun.com/pypi/simple/
+trusted-host=mirrors.aliyun.com
+EOF
+
+python3.6 -m venv /home/vagrant/venv
+source /home/vagrant/venv/bin/activate
+echo 'source /home/vagrant/venv/bin/activate' >> /home/vagrant/.bash_profile
+  SHELL
+end

apps/accounts/api/__init__.py

@@ -1,2 +0,0 @@
-from .account import *
-from .automations import *

apps/accounts/api/account/__init__.py

@@ -1,3 +0,0 @@
-from .account import *
-from .task import *
-from .template import *

apps/accounts/api/account/account.py

@@ -1,142 +0,0 @@
-from django.shortcuts import get_object_or_404
-from rest_framework.decorators import action
-from rest_framework.generics import ListAPIView, CreateAPIView
-from rest_framework.response import Response
-from rest_framework.status import HTTP_200_OK
-
-from accounts import serializers
-from accounts.filters import AccountFilterSet
-from accounts.models import Account
-from assets.models import Asset, Node
-from common.api import ExtraFilterFieldsMixin
-from common.permissions import UserConfirmation, ConfirmType, IsValidUser
-from common.views.mixins import RecordViewLogMixin
-from orgs.mixins.api import OrgBulkModelViewSet
-from rbac.permissions import RBACPermission
-
-__all__ = [
-    'AccountViewSet', 'AccountSecretsViewSet',
-    'AccountHistoriesSecretAPI', 'AssetAccountBulkCreateApi',
-]
-
-
-class AccountViewSet(OrgBulkModelViewSet):
-    model = Account
-    search_fields = ('username', 'name', 'asset__name', 'asset__address')
-    filterset_class = AccountFilterSet
-    serializer_classes = {
-        'default': serializers.AccountSerializer,
-    }
-    rbac_perms = {
-        'partial_update': ['accounts.change_account'],
-        'su_from_accounts': 'accounts.view_account',
-        'clear_secret': 'accounts.change_account',
-    }
-    export_as_zip = True
-
-    @action(methods=['get'], detail=False, url_path='su-from-accounts')
-    def su_from_accounts(self, request, *args, **kwargs):
-        account_id = request.query_params.get('account')
-        asset_id = request.query_params.get('asset')
-
-        if account_id:
-            account = get_object_or_404(Account, pk=account_id)
-            accounts = account.get_su_from_accounts()
-        elif asset_id:
-            asset = get_object_or_404(Asset, pk=asset_id)
-            accounts = asset.accounts.all()
-        else:
-            accounts = Account.objects.none()
-        accounts = self.filter_queryset(accounts)
-        serializer = serializers.AccountSerializer(accounts, many=True)
-        return Response(data=serializer.data)
-
-    @action(
-        methods=['get'], detail=False, url_path='username-suggestions',
-        permission_classes=[IsValidUser]
-    )
-    def username_suggestions(self, request, *args, **kwargs):
-        asset_ids = request.query_params.get('assets')
-        node_keys = request.query_params.get('keys')
-        username = request.query_params.get('username')
-
-        assets = Asset.objects.all()
-        if asset_ids:
-            assets = assets.filter(id__in=asset_ids.split(','))
-        if node_keys:
-            patten = Node.get_node_all_children_key_pattern(node_keys.split(','))
-            assets = assets.filter(nodes__key__regex=patten)
-
-        accounts = Account.objects.filter(asset__in=assets)
-        if username:
-            accounts = accounts.filter(username__icontains=username)
-        usernames = list(accounts.values_list('username', flat=True).distinct()[:10])
-        usernames.sort()
-        common = [i for i in usernames if i in usernames if i.lower() in ['root', 'admin', 'administrator']]
-        others = [i for i in usernames if i not in common]
-        usernames = common + others
-        return Response(data=usernames)
-
-    @action(methods=['patch'], detail=False, url_path='clear-secret')
-    def clear_secret(self, request, *args, **kwargs):
-        account_ids = request.data.get('account_ids', [])
-        self.model.objects.filter(id__in=account_ids).update(secret=None)
-        return Response(status=HTTP_200_OK)
-
-
-class AccountSecretsViewSet(RecordViewLogMixin, AccountViewSet):
-    """
-    因为可能要导出所有账号，所以单独建立了一个 viewset
-    """
-    serializer_classes = {
-        'default': serializers.AccountSecretSerializer,
-    }
-    http_method_names = ['get', 'options']
-    permission_classes = [RBACPermission, UserConfirmation.require(ConfirmType.MFA)]
-    rbac_perms = {
-        'list': 'accounts.view_accountsecret',
-        'retrieve': 'accounts.view_accountsecret',
-    }
-
-
-class AssetAccountBulkCreateApi(CreateAPIView):
-    serializer_class = serializers.AssetAccountBulkSerializer
-    rbac_perms = {
-        'POST': 'accounts.add_account',
-    }
-
-    def create(self, request, *args, **kwargs):
-        serializer = self.get_serializer(data=request.data)
-        serializer.is_valid(raise_exception=True)
-        data = serializer.create(serializer.validated_data)
-        serializer = serializers.AssetAccountBulkSerializerResultSerializer(data, many=True)
-        return Response(data=serializer.data, status=HTTP_200_OK)
-
-
-class AccountHistoriesSecretAPI(ExtraFilterFieldsMixin, RecordViewLogMixin, ListAPIView):
-    model = Account.history.model
-    serializer_class = serializers.AccountHistorySerializer
-    http_method_names = ['get', 'options']
-    permission_classes = [RBACPermission, UserConfirmation.require(ConfirmType.MFA)]
-    rbac_perms = {
-        'GET': 'accounts.view_accountsecret',
-    }
-
-    def get_object(self):
-        return get_object_or_404(Account, pk=self.kwargs.get('pk'))
-
-    @staticmethod
-    def filter_spm_queryset(resource_ids, queryset):
-        return queryset.filter(history_id__in=resource_ids)
-
-    def get_queryset(self):
-        account = self.get_object()
-        histories = account.history.all()
-        last_history = account.history.first()
-        if not last_history:
-            return histories
-
-        if account.secret == last_history.secret \
-                and account.secret_type == last_history.secret_type:
-            histories = histories.exclude(history_id=last_history.history_id)
-        return histories

apps/accounts/api/account/task.py

@@ -1,49 +0,0 @@
-from rest_framework.generics import CreateAPIView
-from rest_framework.response import Response
-
-from accounts import serializers
-from accounts.tasks import verify_accounts_connectivity_task, push_accounts_to_assets_task
-from assets.exceptions import NotSupportedTemporarilyError
-
-__all__ = [
-    'AccountsTaskCreateAPI',
-]
-
-
-class AccountsTaskCreateAPI(CreateAPIView):
-    serializer_class = serializers.AccountTaskSerializer
-
-    def check_permissions(self, request):
-        act = request.data.get('action')
-        if act == 'push':
-            code = 'accounts.push_account'
-        else:
-            code = 'accounts.verify_account'
-        return request.user.has_perm(code)
-
-    def perform_create(self, serializer):
-        data = serializer.validated_data
-        accounts = data.get('accounts', [])
-        params = data.get('params')
-        account_ids = [str(a.id) for a in accounts]
-
-        if data['action'] == 'push':
-            task = push_accounts_to_assets_task.delay(account_ids, params)
-        else:
-            account = accounts[0]
-            asset = account.asset
-            if not asset.auto_config['ansible_enabled'] or \
-                    not asset.auto_config['ping_enabled']:
-                raise NotSupportedTemporarilyError()
-            task = verify_accounts_connectivity_task.delay(account_ids)
-
-        data = getattr(serializer, '_data', {})
-        data["task"] = task.id
-        setattr(serializer, '_data', data)
-        return task
-
-    def get_exception_handler(self):
-        def handler(e, context):
-            return Response({"error": str(e)}, status=400)
-
-        return handler

apps/accounts/api/account/template.py

@@ -1,67 +0,0 @@
-from django_filters import rest_framework as drf_filters
-from rest_framework.decorators import action
-from rest_framework.response import Response
-
-from accounts import serializers
-from accounts.models import AccountTemplate
-from assets.const import Protocol
-from common.drf.filters import BaseFilterSet
-from common.permissions import UserConfirmation, ConfirmType
-from common.views.mixins import RecordViewLogMixin
-from orgs.mixins.api import OrgBulkModelViewSet
-from rbac.permissions import RBACPermission
-
-
-class AccountTemplateFilterSet(BaseFilterSet):
-    protocols = drf_filters.CharFilter(method='filter_protocols')
-
-    class Meta:
-        model = AccountTemplate
-        fields = ('username', 'name')
-
-    @staticmethod
-    def filter_protocols(queryset, name, value):
-        secret_types = set()
-        protocols = value.split(',')
-        protocol_secret_type_map = Protocol.settings()
-        for p in protocols:
-            if p not in protocol_secret_type_map:
-                continue
-            _st = protocol_secret_type_map[p].get('secret_types', [])
-            secret_types.update(_st)
-        if not secret_types:
-            secret_types = ['password']
-        queryset = queryset.filter(secret_type__in=secret_types)
-        return queryset
-
-
-class AccountTemplateViewSet(OrgBulkModelViewSet):
-    model = AccountTemplate
-    filterset_class = AccountTemplateFilterSet
-    search_fields = ('username', 'name')
-    serializer_classes = {
-        'default': serializers.AccountTemplateSerializer,
-    }
-    rbac_perms = {
-        'su_from_account_templates': 'accounts.view_accounttemplate',
-    }
-
-    @action(methods=['get'], detail=False, url_path='su-from-account-templates')
-    def su_from_account_templates(self, request, *args, **kwargs):
-        pk = request.query_params.get('template_id')
-        templates = AccountTemplate.get_su_from_account_templates(pk)
-        templates = self.filter_queryset(templates)
-        serializer = self.get_serializer(templates, many=True)
-        return Response(data=serializer.data)
-
-
-class AccountTemplateSecretsViewSet(RecordViewLogMixin, AccountTemplateViewSet):
-    serializer_classes = {
-        'default': serializers.AccountTemplateSecretSerializer,
-    }
-    http_method_names = ['get', 'options']
-    permission_classes = [RBACPermission, UserConfirmation.require(ConfirmType.MFA)]
-    rbac_perms = {
-        'list': 'accounts.view_accounttemplatesecret',
-        'retrieve': 'accounts.view_accounttemplatesecret',
-    }

apps/accounts/api/automations/__init__.py

@@ -1,5 +0,0 @@
-from .backup import *
-from .base import *
-from .change_secret import *
-from .gather_accounts import *
-from .push_account import *

apps/accounts/api/automations/base.py

@@ -1,115 +0,0 @@
-from django.shortcuts import get_object_or_404
-from django.utils.translation import ugettext_lazy as _
-from rest_framework import status, mixins, viewsets
-from rest_framework.response import Response
-
-from accounts.models import AutomationExecution
-from accounts.tasks import execute_account_automation_task
-from assets import serializers
-from assets.models import BaseAutomation
-from common.const.choices import Trigger
-from orgs.mixins import generics
-
-__all__ = [
-    'AutomationAssetsListApi', 'AutomationRemoveAssetApi',
-    'AutomationAddAssetApi', 'AutomationNodeAddRemoveApi',
-    'AutomationExecutionViewSet',
-]
-
-
-class AutomationAssetsListApi(generics.ListAPIView):
-    model = BaseAutomation
-    serializer_class = serializers.AutomationAssetsSerializer
-    filter_fields = ("name", "address")
-    search_fields = filter_fields
-
-    def get_object(self):
-        pk = self.kwargs.get('pk')
-        return get_object_or_404(self.model, pk=pk)
-
-    def get_queryset(self):
-        instance = self.get_object()
-        assets = instance.get_all_assets().only(
-            *self.serializer_class.Meta.only_fields
-        )
-        return assets
-
-
-class AutomationRemoveAssetApi(generics.RetrieveUpdateAPIView):
-    model = BaseAutomation
-    serializer_class = serializers.UpdateAssetSerializer
-
-    def update(self, request, *args, **kwargs):
-        instance = self.get_object()
-        serializer = self.serializer_class(data=request.data)
-
-        if not serializer.is_valid():
-            return Response({'error': serializer.errors})
-
-        assets = serializer.validated_data.get('assets')
-        if assets:
-            instance.assets.remove(*tuple(assets))
-        return Response({'msg': 'ok'})
-
-
-class AutomationAddAssetApi(generics.RetrieveUpdateAPIView):
-    model = BaseAutomation
-    serializer_class = serializers.UpdateAssetSerializer
-
-    def update(self, request, *args, **kwargs):
-        instance = self.get_object()
-        serializer = self.serializer_class(data=request.data)
-        if serializer.is_valid():
-            assets = serializer.validated_data.get('assets')
-            if assets:
-                instance.assets.add(*tuple(assets))
-            return Response({"msg": "ok"})
-        else:
-            return Response({"error": serializer.errors})
-
-
-class AutomationNodeAddRemoveApi(generics.RetrieveUpdateAPIView):
-    model = BaseAutomation
-    serializer_class = serializers.UpdateNodeSerializer
-
-    def update(self, request, *args, **kwargs):
-        action_params = ['add', 'remove']
-        action = request.query_params.get('action')
-        if action not in action_params:
-            err_info = _("The parameter 'action' must be [{}]".format(','.join(action_params)))
-            return Response({"error": err_info})
-
-        instance = self.get_object()
-        serializer = self.serializer_class(data=request.data)
-        if serializer.is_valid():
-            nodes = serializer.validated_data.get('nodes')
-            if nodes:
-                # eg: plan.nodes.add(*tuple(assets))
-                getattr(instance.nodes, action)(*tuple(nodes))
-            return Response({"msg": "ok"})
-        else:
-            return Response({"error": serializer.errors})
-
-
-class AutomationExecutionViewSet(
-    mixins.CreateModelMixin, mixins.ListModelMixin,
-    mixins.RetrieveModelMixin, viewsets.GenericViewSet
-):
-    search_fields = ('trigger',)
-    filterset_fields = ('trigger', 'automation_id')
-    serializer_class = serializers.AutomationExecutionSerializer
-
-    tp: str
-
-    def get_queryset(self):
-        queryset = AutomationExecution.objects.all()
-        return queryset
-
-    def create(self, request, *args, **kwargs):
-        serializer = self.get_serializer(data=request.data)
-        serializer.is_valid(raise_exception=True)
-        automation = serializer.validated_data.get('automation')
-        task = execute_account_automation_task.delay(
-            pid=str(automation.pk), trigger=Trigger.manual, tp=self.tp
-        )
-        return Response({'task': task.id}, status=status.HTTP_201_CREATED)

apps/accounts/api/automations/change_secret.py

@@ -1,81 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-
-from rest_framework import mixins
-
-from accounts import serializers
-from accounts.const import AutomationTypes
-from accounts.models import ChangeSecretAutomation, ChangeSecretRecord, AutomationExecution
-from common.utils import get_object_or_none
-from orgs.mixins.api import OrgBulkModelViewSet, OrgGenericViewSet
-from .base import (
-    AutomationAssetsListApi, AutomationRemoveAssetApi, AutomationAddAssetApi,
-    AutomationNodeAddRemoveApi, AutomationExecutionViewSet
-)
-
-__all__ = [
-    'ChangeSecretAutomationViewSet', 'ChangeSecretRecordViewSet',
-    'ChangSecretExecutionViewSet', 'ChangSecretAssetsListApi',
-    'ChangSecretRemoveAssetApi', 'ChangSecretAddAssetApi',
-    'ChangSecretNodeAddRemoveApi'
-]
-
-
-class ChangeSecretAutomationViewSet(OrgBulkModelViewSet):
-    model = ChangeSecretAutomation
-    filter_fields = ('name', 'secret_type', 'secret_strategy')
-    search_fields = filter_fields
-    serializer_class = serializers.ChangeSecretAutomationSerializer
-
-
-class ChangeSecretRecordViewSet(mixins.ListModelMixin, OrgGenericViewSet):
-    serializer_class = serializers.ChangeSecretRecordSerializer
-    filter_fields = ['asset', 'execution_id']
-    search_fields = ['asset__hostname']
-
-    def get_queryset(self):
-        return ChangeSecretRecord.objects.filter(
-            execution__automation__type=AutomationTypes.change_secret
-        )
-
-    def filter_queryset(self, queryset):
-        queryset = super().filter_queryset(queryset)
-        eid = self.request.query_params.get('execution_id')
-        execution = get_object_or_none(AutomationExecution, pk=eid)
-        if execution:
-            queryset = queryset.filter(execution=execution)
-        return queryset
-
-
-class ChangSecretExecutionViewSet(AutomationExecutionViewSet):
-    rbac_perms = (
-        ("list", "accounts.view_changesecretexecution"),
-        ("retrieve", "accounts.view_changesecretexecution"),
-        ("create", "accounts.add_changesecretexecution"),
-    )
-
-    tp = AutomationTypes.change_secret
-
-    def get_queryset(self):
-        queryset = super().get_queryset()
-        queryset = queryset.filter(automation__type=self.tp)
-        return queryset
-
-
-class ChangSecretAssetsListApi(AutomationAssetsListApi):
-    model = ChangeSecretAutomation
-
-
-class ChangSecretRemoveAssetApi(AutomationRemoveAssetApi):
-    model = ChangeSecretAutomation
-    serializer_class = serializers.ChangeSecretUpdateAssetSerializer
-
-
-class ChangSecretAddAssetApi(AutomationAddAssetApi):
-    model = ChangeSecretAutomation
-    serializer_class = serializers.ChangeSecretUpdateAssetSerializer
-
-
-class ChangSecretNodeAddRemoveApi(AutomationNodeAddRemoveApi):
-    model = ChangeSecretAutomation
-    serializer_class = serializers.ChangeSecretUpdateNodeSerializer

apps/accounts/api/automations/gather_accounts.py

@@ -1,59 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-from rest_framework import status
-from rest_framework.decorators import action
-from rest_framework.response import Response
-
-from accounts import serializers
-from accounts.const import AutomationTypes
-from accounts.filters import GatheredAccountFilterSet
-from accounts.models import GatherAccountsAutomation
-from accounts.models import GatheredAccount
-from orgs.mixins.api import OrgBulkModelViewSet
-from .base import AutomationExecutionViewSet
-
-__all__ = [
-    'GatherAccountsAutomationViewSet', 'GatherAccountsExecutionViewSet',
-    'GatheredAccountViewSet'
-]
-
-
-class GatherAccountsAutomationViewSet(OrgBulkModelViewSet):
-    model = GatherAccountsAutomation
-    filter_fields = ('name',)
-    search_fields = filter_fields
-    serializer_class = serializers.GatherAccountAutomationSerializer
-
-
-class GatherAccountsExecutionViewSet(AutomationExecutionViewSet):
-    rbac_perms = (
-        ("list", "accounts.view_gatheraccountsexecution"),
-        ("retrieve", "accounts.view_gatheraccountsexecution"),
-        ("create", "accounts.add_gatheraccountsexecution"),
-    )
-
-    tp = AutomationTypes.gather_accounts
-
-    def get_queryset(self):
-        queryset = super().get_queryset()
-        queryset = queryset.filter(automation__type=self.tp)
-        return queryset
-
-
-class GatheredAccountViewSet(OrgBulkModelViewSet):
-    model = GatheredAccount
-    search_fields = ('username',)
-    filterset_class = GatheredAccountFilterSet
-    serializer_classes = {
-        'default': serializers.GatheredAccountSerializer,
-    }
-    rbac_perms = {
-        'sync_accounts': 'assets.add_gatheredaccount',
-    }
-
-    @action(methods=['post'], detail=False, url_path='sync-accounts')
-    def sync_accounts(self, request, *args, **kwargs):
-        gathered_account_ids = request.data.get('gathered_account_ids')
-        gathered_accounts = self.model.objects.filter(id__in=gathered_account_ids)
-        self.model.sync_accounts(gathered_accounts)
-        return Response(status=status.HTTP_201_CREATED)

apps/accounts/api/automations/push_account.py

@@ -1,68 +0,0 @@
-# -*- coding: utf-8 -*-
-#
-from accounts import serializers
-from accounts.const import AutomationTypes
-from accounts.models import PushAccountAutomation, ChangeSecretRecord
-from orgs.mixins.api import OrgBulkModelViewSet
-
-from .base import (
-    AutomationAssetsListApi, AutomationRemoveAssetApi, AutomationAddAssetApi,
-    AutomationNodeAddRemoveApi, AutomationExecutionViewSet
-)
-from .change_secret import ChangeSecretRecordViewSet
-
-__all__ = [
-    'PushAccountAutomationViewSet', 'PushAccountAssetsListApi', 'PushAccountRemoveAssetApi',
-    'PushAccountAddAssetApi', 'PushAccountNodeAddRemoveApi', 'PushAccountExecutionViewSet',
-    'PushAccountRecordViewSet'
-]
-
-
-class PushAccountAutomationViewSet(OrgBulkModelViewSet):
-    model = PushAccountAutomation
-    filter_fields = ('name', 'secret_type', 'secret_strategy')
-    search_fields = filter_fields
-    serializer_class = serializers.PushAccountAutomationSerializer
-
-
-class PushAccountExecutionViewSet(AutomationExecutionViewSet):
-    rbac_perms = (
-        ("list", "accounts.view_pushaccountexecution"),
-        ("retrieve", "accounts.view_pushaccountexecution"),
-        ("create", "accounts.add_pushaccountexecution"),
-    )
-
-    tp = AutomationTypes.push_account
-
-    def get_queryset(self):
-        queryset = super().get_queryset()
-        queryset = queryset.filter(automation__type=self.tp)
-        return queryset
-
-
-class PushAccountRecordViewSet(ChangeSecretRecordViewSet):
-    serializer_class = serializers.ChangeSecretRecordSerializer
-
-    def get_queryset(self):
-        return ChangeSecretRecord.objects.filter(
-            execution__automation__type=AutomationTypes.push_account
-        )
-
-
-class PushAccountAssetsListApi(AutomationAssetsListApi):
-    model = PushAccountAutomation
-
-
-class PushAccountRemoveAssetApi(AutomationRemoveAssetApi):
-    model = PushAccountAutomation
-    serializer_class = serializers.PushAccountUpdateAssetSerializer
-
-
-class PushAccountAddAssetApi(AutomationAddAssetApi):
-    model = PushAccountAutomation
-    serializer_class = serializers.PushAccountUpdateAssetSerializer
-
-
-class PushAccountNodeAddRemoveApi(AutomationNodeAddRemoveApi):
-    model = PushAccountAutomation
-    serializer_class = serializers.PushAccountUpdateNodeSerializer

apps/accounts/apps.py

@@ -1,11 +0,0 @@
-from django.apps import AppConfig
-
-
-class AccountsConfig(AppConfig):
-    default_auto_field = 'django.db.models.BigAutoField'
-    name = 'accounts'
-
-    def ready(self):
-        from . import signal_handlers
-        from . import tasks
-        __all__ = signal_handlers

apps/accounts/automations/__init__.py

@@ -1,2 +0,0 @@
-from .endpoint import ExecutionManager
-from .methods import platform_automation_methods

apps/accounts/automations/base/base_inventory.txt

@@ -1,14 +0,0 @@
-## all connection vars
-hostname asset_name=name asset_type=type asset_primary_protocol=ssh asset_primary_port=22 asset_protocols=[]
-
-## local connection
-hostname ansible_connection=local
-
-## local connection with gateway
-hostname ansible_connection=ssh ansible_user=gateway.username ansible_port=gateway.port ansible_host=gateway.host ansible_ssh_private_key_file=gateway.key
-
-## ssh connection for windows
-hostname ansible_connection=ssh ansible_shell_type=powershell/cmd ansible_user=windows.username ansible_port=windows.port ansible_host=windows.host ansible_ssh_private_key_file=windows.key
-
-## ssh connection
-hostname ansible_user=user ansible_password=pass ansible_host=host ansible_port=port ansible_ssh_private_key_file=key ssh_args="-o StrictHostKeyChecking=no"

apps/accounts/automations/base/manager.py

@@ -1,12 +0,0 @@
-from accounts.automations.methods import platform_automation_methods
-from assets.automations.base.manager import BasePlaybookManager
-from common.utils import get_logger
-
-logger = get_logger(__name__)
-
-
-class AccountBasePlaybookManager(BasePlaybookManager):
-
-    @property
-    def platform_automation_methods(self):
-        return platform_automation_methods

apps/accounts/automations/change_secret/custom/ssh/main.yml

@@ -1,38 +0,0 @@
-- hosts: custom
-  gather_facts: no
-  vars:
-    ansible_connection: local
-
-  tasks:
-    - name: Test privileged account
-      ssh_ping:
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        login_user: "{{ jms_account.username }}"
-        login_password: "{{ jms_account.secret }}"
-        login_secret_type: "{{ jms_account.secret_type }}"
-        login_private_key_path: "{{ jms_account.private_key_path }}"
-      register: ping_info
-
-    - name: Change asset password
-      custom_command:
-        login_user: "{{ jms_account.username }}"
-        login_password: "{{ jms_account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        login_secret_type: "{{ jms_account.secret_type }}"
-        login_private_key_path: "{{ jms_account.private_key_path }}"
-        name: "{{ account.username }}"
-        password: "{{ account.secret }}"
-        commands: "{{ params.commands }}"
-        first_conn_delay_time: "{{ first_conn_delay_time | default(0.5) }}"
-      ignore_errors: true
-      when: ping_info is succeeded
-      register: change_info
-
-    - name: Verify password
-      ssh_ping:
-        login_user: "{{ account.username }}"
-        login_password: "{{ account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"

apps/accounts/automations/change_secret/custom/ssh/manifest.yml

@@ -1,20 +0,0 @@
-id: change_secret_by_ssh
-name: "{{ 'SSH account change secret' | trans }}"
-category:
-  - device
-  - host
-type:
-  - all
-method: change_secret
-params:
-  - name: commands
-    type: list
-    label: '自定义命令'
-    default: [ '' ]
-    help_text: '自定义命令中如需包含账号的 账号、密码、SSH 连接的用户密码 字段，<br />请使用 &#123;username&#125;、&#123;password&#125;、&#123;login_password&#125;格式，执行任务时会进行替换 。<br />比如针对 Cisco 主机进行改密，一般需要配置五条命令：<br />1. enable<br />2. &#123;login_password&#125;<br />3. configure terminal<br />4. username &#123;username&#125; privilege 0 password &#123;password&#125; <br />5. end'
-
-i18n:
-  SSH account change secret:
-    zh: 使用 SSH 命令行自定义改密
-    ja: SSH コマンドライン方式でカスタムパスワード変更
-    en: Custom password change by SSH command line

apps/accounts/automations/change_secret/database/mongodb/main.yml

@@ -1,55 +0,0 @@
-- hosts: mongodb
-  gather_facts: no
-  vars:
-    ansible_python_interpreter: /usr/local/bin/python
-
-  tasks:
-    - name: Test MongoDB connection
-      mongodb_ping:
-        login_user: "{{ jms_account.username }}"
-        login_password: "{{ jms_account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        login_database: "{{ jms_asset.spec_info.db_name }}"
-        ssl: "{{ jms_asset.spec_info.use_ssl }}"
-        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
-        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
-        connection_options:
-          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
-      register: db_info
-
-    - name: Display MongoDB version
-      debug:
-        var: db_info.server_version
-      when: db_info is succeeded
-
-    - name: Change MongoDB password
-      mongodb_user:
-        login_user: "{{ jms_account.username }}"
-        login_password: "{{ jms_account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        login_database: "{{ jms_asset.spec_info.db_name }}"
-        ssl: "{{ jms_asset.spec_info.use_ssl }}"
-        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
-        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
-        connection_options:
-          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
-        db: "{{ jms_asset.spec_info.db_name }}"
-        name: "{{ account.username }}"
-        password: "{{ account.secret }}"
-      ignore_errors: true
-      when: db_info is succeeded
-
-    - name: Verify password
-      mongodb_ping:
-        login_user: "{{ account.username }}"
-        login_password: "{{ account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        login_database: "{{ jms_asset.spec_info.db_name }}"
-        ssl: "{{ jms_asset.spec_info.use_ssl }}"
-        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
-        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
-        connection_options:
-          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"

apps/accounts/automations/change_secret/database/mongodb/manifest.yml

@@ -1,12 +0,0 @@
-id: change_secret_mongodb
-name: "{{ 'MongoDB account change secret' | trans }}"
-category: database
-type:
-  - mongodb
-method: change_secret
-
-i18n:
-  MongoDB account change secret:
-    zh: 使用 Ansible 模块 mongodb 执行 MongoDB 账号改密
-    ja: Ansible mongodb モジュールを使用して MongoDB アカウントのパスワード変更
-    en: Using Ansible module mongodb to change MongoDB account secret

apps/accounts/automations/change_secret/database/mysql/main.yml

@@ -1,40 +0,0 @@
-- hosts: mysql
-  gather_facts: no
-  vars:
-    ansible_python_interpreter: /usr/local/bin/python
-    db_name: "{{ jms_asset.spec_info.db_name }}"
-
-  tasks:
-    - name: Test MySQL connection
-      community.mysql.mysql_info:
-        login_user: "{{ jms_account.username }}"
-        login_password: "{{ jms_account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        filter: version
-      register: db_info
-
-    - name: MySQL version
-      debug:
-        var: db_info.version.full
-
-    - name: Change MySQL password
-      community.mysql.mysql_user:
-        login_user: "{{ jms_account.username }}"
-        login_password: "{{ jms_account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        name: "{{ account.username }}"
-        password: "{{ account.secret }}"
-        host: "%"
-        priv: "{{ account.username + '.*:USAGE' if db_name == '' else db_name + '.*:ALL' }}"
-      ignore_errors: true
-      when: db_info is succeeded
-
-    - name: Verify password
-      community.mysql.mysql_info:
-        login_user: "{{ account.username }}"
-        login_password: "{{ account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        filter: version

apps/accounts/automations/change_secret/database/mysql/manifest.yml

@@ -1,13 +0,0 @@
-id: change_secret_mysql
-name: "{{ 'MySQL account change secret' | trans }}"
-category: database
-type:
-  - mysql
-  - mariadb
-method: change_secret
-
-i18n:
-  MySQL account change secret:
-    zh: 使用 Ansible 模块 mysql 执行 MySQL 账号改密
-    ja: Ansible mysql モジュールを使用して MySQL アカウントのパスワード変更
-    en: Using Ansible module mysql to change MySQL account secret

apps/accounts/automations/change_secret/database/oracle/main.yml

@@ -1,41 +0,0 @@
-- hosts: oracle
-  gather_facts: no
-  vars:
-    ansible_python_interpreter: /usr/local/bin/python
-
-  tasks:
-    - name: Test Oracle connection
-      oracle_ping:
-        login_user: "{{ jms_account.username }}"
-        login_password: "{{ jms_account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        login_database: "{{ jms_asset.spec_info.db_name }}"
-        mode: "{{ jms_account.mode }}"
-      register: db_info
-
-    - name: Display Oracle version
-      debug:
-        var: db_info.server_version
-      when: db_info is succeeded
-
-    - name: Change Oracle password
-      oracle_user:
-        login_user: "{{ jms_account.username }}"
-        login_password: "{{ jms_account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        login_database: "{{ jms_asset.spec_info.db_name }}"
-        mode: "{{ jms_account.mode }}"
-        name: "{{ account.username }}"
-        password: "{{ account.secret }}"
-      ignore_errors: true
-      when: db_info is succeeded
-
-    - name: Verify password
-      oracle_ping:
-        login_user: "{{ account.username }}"
-        login_password: "{{ account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        login_database: "{{ jms_asset.spec_info.db_name }}"

apps/accounts/automations/change_secret/database/oracle/manifest.yml

@@ -1,11 +0,0 @@
-id: change_secret_oracle
-name: "{{ 'Oracle account change secret' | trans }}"
-category: database
-type:
-  - oracle
-method: change_secret
-
-i18n:
-  Oracle account change secret:
-    zh: Oracle 账号改密
-    ja: Oracle アカウントのパスワード変更

apps/accounts/automations/change_secret/database/postgresql/main.yml

@@ -1,41 +0,0 @@
-- hosts: postgre
-  gather_facts: no
-  vars:
-    ansible_python_interpreter: /usr/local/bin/python
-
-  tasks:
-    - name: Test PostgreSQL connection
-      community.postgresql.postgresql_ping:
-        login_user: "{{ jms_account.username }}"
-        login_password: "{{ jms_account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        login_db: "{{ jms_asset.spec_info.db_name }}"
-      register: result
-      failed_when: not result.is_available
-
-    - name: Display PostgreSQL version
-      debug:
-        var: result.server_version.full
-      when: result is succeeded
-
-    - name: Change PostgreSQL password
-      community.postgresql.postgresql_user:
-        login_user: "{{ jms_account.username }}"
-        login_password: "{{ jms_account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        db: "{{ jms_asset.spec_info.db_name }}"
-        name: "{{ account.username }}"
-        password: "{{ account.secret }}"
-        role_attr_flags: LOGIN
-      ignore_errors: true
-      when: result is succeeded
-
-    - name: Verify password
-      community.postgresql.postgresql_ping:
-        login_user: "{{ account.username }}"
-        login_password: "{{ account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        db: "{{ jms_asset.spec_info.db_name }}"

apps/accounts/automations/change_secret/database/postgresql/manifest.yml

@@ -1,11 +0,0 @@
-id: change_secret_postgresql
-name: "{{ 'PostgreSQL account change secret' | trans }}"
-category: database
-type:
-  - postgresql
-method: change_secret
-
-i18n:
-  PostgreSQL account change secret:
-    zh: PostgreSQL 账号改密
-    ja: PostgreSQL アカウントのパスワード変更

apps/accounts/automations/change_secret/database/sqlserver/main.yml

@@ -1,66 +0,0 @@
-- hosts: sqlserver
-  gather_facts: no
-  vars:
-    ansible_python_interpreter: /usr/local/bin/python
-
-  tasks:
-    - name: Test SQLServer connection
-      community.general.mssql_script:
-        login_user: "{{ jms_account.username }}"
-        login_password: "{{ jms_account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        name: '{{ jms_asset.spec_info.db_name }}'
-        script: |
-          SELECT @@version
-      register: db_info
-
-    - name: SQLServer version
-      set_fact:
-        info:
-          version: "{{ db_info.query_results[0][0][0][0].splitlines()[0] }}"
-    - debug:
-        var: info
-
-    - name: Check whether SQLServer User exist
-      community.general.mssql_script:
-        login_user: "{{ jms_account.username }}"
-        login_password: "{{ jms_account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        name: '{{ jms_asset.spec_info.db_name }}'
-        script: "SELECT 1 from sys.sql_logins WHERE name='{{ account.username }}';"
-      when: db_info is succeeded
-      register: user_exist
-
-    - name: Change SQLServer password
-      community.general.mssql_script:
-        login_user: "{{ jms_account.username }}"
-        login_password: "{{ jms_account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        name: '{{ jms_asset.spec_info.db_name }}'
-        script: "ALTER LOGIN {{ account.username }} WITH PASSWORD = '{{ account.secret }}'; select @@version"
-      ignore_errors: true
-      when: user_exist.query_results[0] | length != 0
-
-    - name: Add SQLServer user
-      community.general.mssql_script:
-        login_user: "{{ jms_account.username }}"
-        login_password: "{{ jms_account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        name: '{{ jms_asset.spec_info.db_name }}'
-        script: "CREATE LOGIN {{ account.username }} WITH PASSWORD = '{{ account.secret }}'; select @@version"
-      ignore_errors: true
-      when: user_exist.query_results[0] | length == 0
-
-    - name: Verify password
-      community.general.mssql_script:
-        login_user: "{{ account.username }}"
-        login_password: "{{ account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        name: '{{ jms_asset.spec_info.db_name }}'
-        script: |
-          SELECT @@version

apps/accounts/automations/change_secret/database/sqlserver/manifest.yml

@@ -1,11 +0,0 @@
-id: change_secret_sqlserver
-name: "{{ 'SQLServer account change secret' | trans }}"
-category: database
-type:
-  - sqlserver
-method: change_secret
-
-i18n:
-  SQLServer account change secret:
-    zh: SQLServer 账号改密
-    ja: SQLServer アカウントのパスワード変更

apps/accounts/automations/change_secret/demo_inventory.txt

@@ -1,2 +0,0 @@
-# all base inventory in base/base_inventory.txt
-asset_name(ip)_account_username account={"username": "", "password": "xxx"} ...base_inventory_vars

apps/accounts/automations/change_secret/host/aix/main.yml

@@ -1,75 +0,0 @@
-- hosts: demo
-  gather_facts: no
-  tasks:
-    - name: Test privileged account
-      ansible.builtin.ping:
-
-    - name: Check user
-      ansible.builtin.user:
-        name: "{{ account.username }}"
-        shell: "{{ params.shell }}"
-        home: "{{ params.home | default('/home/' + account.username, true) }}"
-        groups: "{{ params.groups }}"
-        expires: -1
-        state: present
-
-    - name: "Add {{ account.username }} group"
-      ansible.builtin.group:
-        name: "{{ account.username }}"
-        state: present
-
-    - name: Add user groups
-      ansible.builtin.user:
-        name: "{{ account.username }}"
-        groups: "{{ params.groups }}"
-      when: params.groups
-
-    - name: Change password
-      ansible.builtin.user:
-        name: "{{ account.username }}"
-        password: "{{ account.secret | password_hash('des') }}"
-        update_password: always
-      ignore_errors: true
-      when: account.secret_type == "password"
-
-    - name: create user If it already exists, no operation will be performed
-      ansible.builtin.user:
-        name: "{{ account.username }}"
-      when: account.secret_type == "ssh_key"
-
-    - name: remove jumpserver ssh key
-      ansible.builtin.lineinfile:
-        dest: "{{ ssh_params.dest }}"
-        regexp: "{{ ssh_params.regexp }}"
-        state: absent
-      when:
-        - account.secret_type == "ssh_key"
-        - ssh_params.strategy == "set_jms"
-
-    - name: Change SSH key
-      ansible.builtin.authorized_key:
-        user: "{{ account.username }}"
-        key: "{{ account.secret }}"
-        exclusive: "{{ ssh_params.exclusive }}"
-      when: account.secret_type == "ssh_key"
-
-    - name: Refresh connection
-      ansible.builtin.meta: reset_connection
-
-    - name: Verify password
-      ansible.builtin.ping:
-      become: no
-      vars:
-        ansible_user: "{{ account.username }}"
-        ansible_password: "{{ account.secret }}"
-        ansible_become: no
-      when: account.secret_type == "password"
-
-    - name: Verify SSH key
-      ansible.builtin.ping:
-      become: no
-      vars:
-        ansible_user: "{{ account.username }}"
-        ansible_ssh_private_key_file: "{{ account.private_key_path }}"
-        ansible_become: no
-      when: account.secret_type == "ssh_key"

apps/accounts/automations/change_secret/host/aix/manifest.yml

@@ -1,55 +0,0 @@
-id: change_secret_aix
-name: "{{ 'AIX account change secret' | trans }}"
-category: host
-type:
-  - AIX
-method: change_secret
-params:
-  - name: shell
-    type: str
-    label: 'Shell'
-    default: '/bin/bash'
-
-  - name: home
-    type: str
-    label: "{{ 'Params home label' | trans }}"
-    default: ''
-    help_text: "{{ 'Params home help text' | trans }}"
-
-  - name: groups
-    type: str
-    label: "{{ 'Params groups label' | trans }}"
-    default: ''
-    help_text: "{{ 'Params groups help text' | trans }}"
-
-i18n:
-  AIX account change secret:
-    zh: '使用 Ansible 模块 user 执行账号改密 (DES)'
-    ja: 'Ansible user モジュールを使用してアカウントのパスワード変更 (DES)'
-    en: 'Using Ansible module user to change account secret (DES)'
-
-  Params sudo help text:
-    zh: '使用逗号分隔多个命令，如: /bin/whoami,/sbin/ifconfig'
-    ja: 'コンマで区切って複数のコマンドを入力してください。例: /bin/whoami,/sbin/ifconfig'
-    en: 'Use commas to separate multiple commands, such as: /bin/whoami,/sbin/ifconfig'
-
-  Params home help text:
-    zh: '默认家目录 /home/{账号用户名}'
-    ja: 'デフォルトのホームディレクトリ /home/{アカウントユーザ名}'
-    en: 'Default home directory /home/{account username}'
-
-  Params groups help text:
-    zh: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
-    ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
-    en: 'Please enter the group. Multiple groups are separated by commas (please enter the existing group)'
-
-  Params home label:
-    zh: '家目录'
-    ja: 'ホームディレクトリ'
-    en: 'Home'
-
-  Params groups label:
-    zh: '用户组'
-    ja: 'グループ'
-    en: 'Groups'
-

apps/accounts/automations/change_secret/host/posix/main.yml

@@ -1,75 +0,0 @@
-- hosts: demo
-  gather_facts: no
-  tasks:
-    - name: Test privileged account
-      ansible.builtin.ping:
-
-    - name: Check user
-      ansible.builtin.user:
-        name: "{{ account.username }}"
-        shell: "{{ params.shell }}"
-        home: "{{ params.home | default('/home/' + account.username, true) }}"
-        groups: "{{ params.groups }}"
-        expires: -1
-        state: present
-
-    - name: "Add {{ account.username }} group"
-      ansible.builtin.group:
-        name: "{{ account.username }}"
-        state: present
-
-    - name: Add user groups
-      ansible.builtin.user:
-        name: "{{ account.username }}"
-        groups: "{{ params.groups }}"
-      when: params.groups
-
-    - name: Change password
-      ansible.builtin.user:
-        name: "{{ account.username }}"
-        password: "{{ account.secret | password_hash('sha512') }}"
-        update_password: always
-      ignore_errors: true
-      when: account.secret_type == "password"
-
-    - name: create user If it already exists, no operation will be performed
-      ansible.builtin.user:
-        name: "{{ account.username }}"
-      when: account.secret_type == "ssh_key"
-
-    - name: remove jumpserver ssh key
-      ansible.builtin.lineinfile:
-        dest: "{{ ssh_params.dest }}"
-        regexp: "{{ ssh_params.regexp }}"
-        state: absent
-      when:
-        - account.secret_type == "ssh_key"
-        - ssh_params.strategy == "set_jms"
-
-    - name: Change SSH key
-      ansible.builtin.authorized_key:
-        user: "{{ account.username }}"
-        key: "{{ account.secret }}"
-        exclusive: "{{ ssh_params.exclusive }}"
-      when: account.secret_type == "ssh_key"
-
-    - name: Refresh connection
-      ansible.builtin.meta: reset_connection
-
-    - name: Verify password
-      ansible.builtin.ping:
-      become: no
-      vars:
-        ansible_user: "{{ account.username }}"
-        ansible_password: "{{ account.secret }}"
-        ansible_become: no
-      when: account.secret_type == "password"
-
-    - name: Verify SSH key
-      ansible.builtin.ping:
-      become: no
-      vars:
-        ansible_user: "{{ account.username }}"
-        ansible_ssh_private_key_file: "{{ account.private_key_path }}"
-        ansible_become: no
-      when: account.secret_type == "ssh_key"

apps/accounts/automations/change_secret/host/posix/manifest.yml

@@ -1,57 +0,0 @@
-id: change_secret_posix
-name: "{{ 'Posix account change secret' | trans }}"
-category: host
-type:
-  - unix
-  - linux
-method: change_secret
-params:
-  - name: shell
-    type: str
-    label: 'Shell'
-    default: '/bin/bash'
-    help_text: ''
-
-  - name: home
-    type: str
-    label: "{{ 'Params home label' | trans }}"
-    default: ''
-    help_text: "{{ 'Params home help text' | trans }}"
-
-  - name: groups
-    type: str
-    label: "{{ 'Params groups label' | trans }}"
-    default: ''
-    help_text: "{{ 'Params groups help text' | trans }}"
-
-i18n:
-  Posix account change secret:
-    zh: '使用 Ansible 模块 user 执行账号改密 (SHA512)'
-    ja: 'Ansible user モジュールを使用して アカウントのパスワード変更 (SHA512)'
-    en: 'Using Ansible module user to change account secret (SHA512)'
-
-  Params sudo help text:
-    zh: '使用逗号分隔多个命令，如: /bin/whoami,/sbin/ifconfig'
-    ja: 'コンマで区切って複数のコマンドを入力してください。例: /bin/whoami,/sbin/ifconfig'
-    en: 'Use commas to separate multiple commands, such as: /bin/whoami,/sbin/ifconfig'
-
-  Params home help text:
-    zh: '默认家目录 /home/{账号用户名}'
-    ja: 'デフォルトのホームディレクトリ /home/{アカウントユーザ名}'
-    en: 'Default home directory /home/{account username}'
-
-  Params groups help text:
-    zh: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
-    ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
-    en: 'Please enter the group. Multiple groups are separated by commas (please enter the existing group)'
-
-  Params home label:
-    zh: '家目录'
-    ja: 'ホームディレクトリ'
-    en: 'Home'
-
-  Params groups label:
-    zh: '用户组'
-    ja: 'グループ'
-    en: 'Groups'
-

apps/accounts/automations/change_secret/host/windows/main.yml

@@ -1,31 +0,0 @@
-- hosts: demo
-  gather_facts: no
-  tasks:
-    - name: Test privileged account
-      ansible.windows.win_ping:
-
-#    - name: Print variables
-#      debug:
-#        msg: "Username: {{ account.username }}, Password: {{ account.secret }}"
-
-    - name: Change password
-      ansible.windows.win_user:
-        fullname: "{{ account.username}}"
-        name: "{{ account.username }}"
-        password: "{{ account.secret }}"
-        password_never_expires: yes
-        groups: "{{ params.groups }}"
-        groups_action: add
-        update_password: always
-      ignore_errors: true
-      when: account.secret_type == "password"
-
-    - name: Refresh connection
-      ansible.builtin.meta: reset_connection
-
-    - name: Verify password
-      ansible.windows.win_ping:
-      vars:
-        ansible_user: "{{ account.username }}"
-        ansible_password: "{{ account.secret }}"
-      when: account.secret_type == "password"

apps/accounts/automations/change_secret/host/windows/manifest.yml

@@ -1,26 +0,0 @@
-id: change_secret_local_windows
-name: "{{ 'Windows account change secret' | trans }}"
-version: 1
-method: change_secret
-category: host
-type:
-  - windows
-params:
-  - name: groups
-    type: str
-    label: '用户组'
-    default: 'Users,Remote Desktop Users'
-    help_text: "{{ 'Params groups help text' | trans }}"
-
-
-i18n:
-  Windows account change secret:
-    zh: '使用 Ansible 模块 win_user 执行 Windows 账号改密'
-    ja: 'Ansible win_user モジュールを使用して Windows アカウントのパスワード変更'
-    en: 'Using Ansible module win_user to change Windows account secret'
-
-  Params groups help text:
-    zh: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
-    ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
-    en: 'Please enter the group. Multiple groups are separated by commas (please enter the existing group)'
-

apps/accounts/automations/change_secret/manager.py

@@ -1,229 +0,0 @@
-import os
-import time
-from collections import defaultdict
-from copy import deepcopy
-
-from django.conf import settings
-from django.utils import timezone
-from openpyxl import Workbook
-
-from accounts.const import AutomationTypes, SecretType, SSHKeyStrategy, SecretStrategy
-from accounts.models import ChangeSecretRecord
-from accounts.notifications import ChangeSecretExecutionTaskMsg
-from accounts.serializers import ChangeSecretRecordBackUpSerializer
-from assets.const import HostTypes
-from common.utils import get_logger
-from common.utils.file import encrypt_and_compress_zip_file
-from common.utils.timezone import local_now_display
-from users.models import User
-from ..base.manager import AccountBasePlaybookManager
-from ...utils import SecretGenerator
-
-logger = get_logger(__name__)
-
-
-class ChangeSecretManager(AccountBasePlaybookManager):
-    ansible_account_prefer = ''
-
-    def __init__(self, *args, **kwargs):
-        super().__init__(*args, **kwargs)
-        self.method_hosts_mapper = defaultdict(list)
-        self.secret_type = self.execution.snapshot.get('secret_type')
-        self.secret_strategy = self.execution.snapshot.get(
-            'secret_strategy', SecretStrategy.custom
-        )
-        self.ssh_key_change_strategy = self.execution.snapshot.get(
-            'ssh_key_change_strategy', SSHKeyStrategy.add
-        )
-        self.account_ids = self.execution.snapshot['accounts']
-        self.name_recorder_mapper = {}  # 做个映射，方便后面处理
-
-    @classmethod
-    def method_type(cls):
-        return AutomationTypes.change_secret
-
-    def get_ssh_params(self, account, secret, secret_type):
-        kwargs = {}
-        if secret_type != SecretType.SSH_KEY:
-            return kwargs
-        kwargs['strategy'] = self.ssh_key_change_strategy
-        kwargs['exclusive'] = 'yes' if kwargs['strategy'] == SSHKeyStrategy.set else 'no'
-
-        if kwargs['strategy'] == SSHKeyStrategy.set_jms:
-            kwargs['dest'] = '/home/{}/.ssh/authorized_keys'.format(account.username)
-            kwargs['regexp'] = '.*{}$'.format(secret.split()[2].strip())
-        return kwargs
-
-    def secret_generator(self, secret_type):
-        return SecretGenerator(
-            self.secret_strategy, secret_type,
-            self.execution.snapshot.get('password_rules')
-        )
-
-    def get_secret(self, secret_type):
-        if self.secret_strategy == SecretStrategy.custom:
-            return self.execution.snapshot['secret']
-        else:
-            return self.secret_generator(secret_type).get_secret()
-
-    def get_accounts(self, privilege_account):
-        if not privilege_account:
-            print(f'not privilege account')
-            return []
-
-        asset = privilege_account.asset
-        accounts = asset.accounts.all()
-        accounts = accounts.filter(id__in=self.account_ids)
-        if self.secret_type:
-            accounts = accounts.filter(secret_type=self.secret_type)
-
-        if settings.CHANGE_AUTH_PLAN_SECURE_MODE_ENABLED:
-            accounts = accounts.filter(privileged=False).exclude(
-                username__in=['root', 'administrator', privilege_account.username]
-            )
-        return accounts
-
-    def host_callback(
-            self, host, asset=None, account=None,
-            automation=None, path_dir=None, **kwargs
-    ):
-        host = super().host_callback(
-            host, asset=asset, account=account, automation=automation,
-            path_dir=path_dir, **kwargs
-        )
-        if host.get('error'):
-            return host
-
-        accounts = self.get_accounts(account)
-        if not accounts:
-            print('没有发现待改密账号: %s 用户ID: %s 类型: %s' % (
-                asset.name, self.account_ids, self.secret_type
-            ))
-            return []
-
-        method_attr = getattr(automation, self.method_type() + '_method')
-        method_hosts = self.method_hosts_mapper[method_attr]
-        method_hosts = [h for h in method_hosts if h != host['name']]
-        inventory_hosts = []
-        records = []
-
-        if asset.type == HostTypes.WINDOWS and self.secret_type == SecretType.SSH_KEY:
-            print(f'Windows {asset} does not support ssh key push')
-            return inventory_hosts
-
-        host['ssh_params'] = {}
-        for account in accounts:
-            h = deepcopy(host)
-            secret_type = account.secret_type
-            h['name'] += '(' + account.username + ')'
-            new_secret = self.get_secret(secret_type)
-
-            recorder = ChangeSecretRecord(
-                asset=asset, account=account, execution=self.execution,
-                old_secret=account.secret, new_secret=new_secret,
-            )
-            records.append(recorder)
-            self.name_recorder_mapper[h['name']] = recorder
-
-            private_key_path = None
-            if secret_type == SecretType.SSH_KEY:
-                private_key_path = self.generate_private_key_path(new_secret, path_dir)
-                new_secret = self.generate_public_key(new_secret)
-
-            h['ssh_params'].update(self.get_ssh_params(account, new_secret, secret_type))
-            h['account'] = {
-                'name': account.name,
-                'username': account.username,
-                'secret_type': secret_type,
-                'secret': new_secret,
-                'private_key_path': private_key_path
-            }
-            if asset.platform.type == 'oracle':
-                h['account']['mode'] = 'sysdba' if account.privileged else None
-            inventory_hosts.append(h)
-            method_hosts.append(h['name'])
-        self.method_hosts_mapper[method_attr] = method_hosts
-        ChangeSecretRecord.objects.bulk_create(records)
-        return inventory_hosts
-
-    def on_host_success(self, host, result):
-        recorder = self.name_recorder_mapper.get(host)
-        if not recorder:
-            return
-        recorder.status = 'success'
-        recorder.date_finished = timezone.now()
-        recorder.save()
-        account = recorder.account
-        if not account:
-            print("Account not found, deleted ?")
-            return
-        account.secret = recorder.new_secret
-        account.save(update_fields=['secret'])
-
-    def on_host_error(self, host, error, result):
-        recorder = self.name_recorder_mapper.get(host)
-        if not recorder:
-            return
-        recorder.status = 'failed'
-        recorder.date_finished = timezone.now()
-        recorder.error = error
-        recorder.save()
-
-    def on_runner_failed(self, runner, e):
-        logger.error("Change secret error: ", e)
-
-    def check_secret(self):
-        if self.secret_strategy == SecretStrategy.custom \
-                and not self.execution.snapshot['secret']:
-            print('Custom secret is empty')
-            return False
-        return True
-
-    def run(self, *args, **kwargs):
-        if not self.check_secret():
-            return
-        super().run(*args, **kwargs)
-        recorders = self.name_recorder_mapper.values()
-        recorders = list(recorders)
-        self.send_recorder_mail(recorders)
-
-    def send_recorder_mail(self, recorders):
-        recipients = self.execution.recipients
-        if not recorders or not recipients:
-            return
-
-        recipients = User.objects.filter(id__in=list(recipients.keys()))
-
-        name = self.execution.snapshot['name']
-        path = os.path.join(os.path.dirname(settings.BASE_DIR), 'tmp')
-        filename = os.path.join(path, f'{name}-{local_now_display()}-{time.time()}.xlsx')
-        if not self.create_file(recorders, filename):
-            return
-
-        for user in recipients:
-            attachments = []
-            if user.secret_key:
-                password = user.secret_key.encode('utf8')
-                attachment = os.path.join(path, f'{name}-{local_now_display()}-{time.time()}.zip')
-                encrypt_and_compress_zip_file(attachment, password, [filename])
-                attachments = [attachment]
-            ChangeSecretExecutionTaskMsg(name, user).publish(attachments)
-        os.remove(filename)
-
-    @staticmethod
-    def create_file(recorders, filename):
-        serializer_cls = ChangeSecretRecordBackUpSerializer
-        serializer = serializer_cls(recorders, many=True)
-
-        header = [str(v.label) for v in serializer.child.fields.values()]
-        rows = [[str(i) for i in row.values()] for row in serializer.data]
-        if not rows:
-            return False
-
-        rows.insert(0, header)
-        wb = Workbook(filename)
-        ws = wb.create_sheet('Sheet1')
-        for row in rows:
-            ws.append(row)
-        wb.save(filename)
-        return True

apps/accounts/automations/endpoint.py

@@ -1,26 +0,0 @@
-from .push_account.manager import PushAccountManager
-from .change_secret.manager import ChangeSecretManager
-from .verify_account.manager import VerifyAccountManager
-from .backup_account.manager import AccountBackupManager
-from .gather_accounts.manager import GatherAccountsManager
-from .verify_gateway_account.manager import VerifyGatewayAccountManager
-from ..const import AutomationTypes
-
-
-class ExecutionManager:
-    manager_type_mapper = {
-        AutomationTypes.push_account: PushAccountManager,
-        AutomationTypes.change_secret: ChangeSecretManager,
-        AutomationTypes.verify_account: VerifyAccountManager,
-        AutomationTypes.gather_accounts: GatherAccountsManager,
-        AutomationTypes.verify_gateway_account: VerifyGatewayAccountManager,
-        # TODO 后期迁移到自动化策略中
-        'backup_account': AccountBackupManager,
-    }
-
-    def __init__(self, execution):
-        self.execution = execution
-        self._runner = self.manager_type_mapper[execution.manager_type](execution)
-
-    def run(self, *args, **kwargs):
-        return self._runner.run(*args, **kwargs)

apps/accounts/automations/gather_accounts/database/mongodb/main.yml

@@ -1,27 +0,0 @@
-- hosts: mongodb
-  gather_facts: no
-  vars:
-    ansible_python_interpreter: /usr/local/bin/python
-
-  tasks:
-    - name: Get info
-      community.mongodb.mongodb_info:
-        login_user: "{{ jms_account.username }}"
-        login_password: "{{ jms_account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        login_database: "{{ jms_asset.spec_info.db_name }}"
-        ssl: "{{ jms_asset.spec_info.use_ssl }}"
-        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
-        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
-        connection_options:
-          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
-        filter: users
-      register: db_info
-
-    - name: Define info by set_fact
-      set_fact:
-        info: "{{ db_info.users }}"
-
-    - debug:
-        var: info

apps/accounts/automations/gather_accounts/database/mongodb/manifest.yml

@@ -1,11 +0,0 @@
-id: gather_accounts_mongodb
-name: "{{ 'MongoDB account gather' | trans }}"
-category: database
-type:
-  - mongodb
-method: gather_accounts
-
-i18n:
-  MongoDB account gather:
-    zh: MongoDB 账号收集
-    ja: MongoDB アカウントの収集

apps/accounts/automations/gather_accounts/database/mysql/main.yml

@@ -1,21 +0,0 @@
-- hosts: mysql
-  gather_facts: no
-  vars:
-    ansible_python_interpreter: /usr/local/bin/python
-
-  tasks:
-    - name: Get info
-      community.mysql.mysql_info:
-        login_user: "{{ jms_account.username }}"
-        login_password: "{{ jms_account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        filter: users
-      register: db_info
-
-    - name: Define info by set_fact
-      set_fact:
-        info: "{{ db_info.users }}"
-
-    - debug:
-        var: info

apps/accounts/automations/gather_accounts/database/mysql/manifest.yml

@@ -1,12 +0,0 @@
-id: gather_accounts_mysql
-name: "{{ 'MySQL account gather' | trans }}"
-category: database
-type:
-  - mysql
-  - mariadb
-method: gather_accounts
-
-i18n:
-  MySQL account gather:
-    zh: MySQL 账号收集
-    ja: MySQL アカウントの収集

apps/accounts/automations/gather_accounts/database/oracle/main.yml

@@ -1,23 +0,0 @@
-- hosts: oralce
-  gather_facts: no
-  vars:
-    ansible_python_interpreter: /usr/local/bin/python
-
-  tasks:
-    - name: Get info
-      oracle_info:
-        login_user: "{{ jms_account.username }}"
-        login_password: "{{ jms_account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        login_database: "{{ jms_asset.spec_info.db_name }}"
-        mode: "{{ jms_account.mode }}"
-        filter: users
-      register: db_info
-
-    - name: Define info by set_fact
-      set_fact:
-        info: "{{ db_info.users }}"
-
-    - debug:
-        var: info

apps/accounts/automations/gather_accounts/database/oracle/manifest.yml

@@ -1,11 +0,0 @@
-id: gather_accounts_oracle
-name: "{{ 'Oracle account gather' | trans }}"
-category: database
-type:
-  - oracle
-method: gather_accounts
-
-i18n:
-  Oracle account gather:
-    zh: Oracle 账号收集
-    ja: Oracle アカウントの収集

apps/accounts/automations/gather_accounts/database/postgresql/main.yml

@@ -1,22 +0,0 @@
-- hosts: postgresql
-  gather_facts: no
-  vars:
-    ansible_python_interpreter: /usr/local/bin/python
-
-  tasks:
-    - name: Get info
-      community.postgresql.postgresql_info:
-        login_user: "{{ jms_account.username }}"
-        login_password: "{{ jms_account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        login_db: "{{ jms_asset.spec_info.db_name }}"
-        filter: "roles"
-      register: db_info
-
-    - name: Define info by set_fact
-      set_fact:
-        info: "{{ db_info.roles }}"
-
-    - debug:
-        var: info

apps/accounts/automations/gather_accounts/database/postgresql/manifest.yml

@@ -1,11 +0,0 @@
-id: gather_accounts_postgresql
-name: "{{ 'PostgreSQL account gather' | trans }}"
-category: database
-type:
-  - postgresql
-method: gather_accounts
-
-i18n:
-  PostgreSQL account gather:
-    zh: PostgreSQL 账号收集
-    ja: PostgreSQL アカウントの収集

apps/accounts/automations/gather_accounts/filter.py

@@ -1,74 +0,0 @@
-import re
-
-from django.utils import timezone
-
-__all__ = ['GatherAccountsFilter']
-
-
-# TODO 后期会挪到playbook中
-class GatherAccountsFilter:
-
-    def __init__(self, tp):
-        self.tp = tp
-
-    @staticmethod
-    def mysql_filter(info):
-        result = {}
-        for _, user_dict in info.items():
-            for username, _ in user_dict.items():
-                if len(username.split('.')) == 1:
-                    result[username] = {}
-        return result
-
-    @staticmethod
-    def postgresql_filter(info):
-        result = {}
-        for username in info:
-            result[username] = {}
-        return result
-
-    @staticmethod
-    def posix_filter(info):
-        username_pattern = re.compile(r'^(\S+)')
-        ip_pattern = re.compile(r'(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})')
-        login_time_pattern = re.compile(r'\w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}')
-        result = {}
-        for line in info:
-            usernames = username_pattern.findall(line)
-            username = ''.join(usernames)
-            if username:
-                result[username] = {}
-            else:
-                continue
-            ip_addrs = ip_pattern.findall(line)
-            ip_addr = ''.join(ip_addrs)
-            if ip_addr:
-                result[username].update({'address': ip_addr})
-            login_times = login_time_pattern.findall(line)
-            if login_times:
-                date = timezone.datetime.strptime(f'{login_times[0]} +0800', '%b %d %H:%M:%S %Y %z')
-                result[username].update({'date': date})
-        return result
-
-    @staticmethod
-    def windows_filter(info):
-        info = info[4:-2]
-        result = {}
-        for i in info:
-            for username in i.split():
-                result[username] = {}
-        return result
-
-    def run(self, method_id_meta_mapper, info):
-        run_method_name = None
-        for k, v in method_id_meta_mapper.items():
-            if self.tp not in v['type']:
-                continue
-            run_method_name = k.replace(f'{v["method"]}_', '')
-
-        if not run_method_name:
-            return info
-
-        if hasattr(self, f'{run_method_name}_filter'):
-            return getattr(self, f'{run_method_name}_filter')(info)
-        return info

apps/accounts/automations/gather_accounts/host/posix/main.yml

@@ -1,21 +0,0 @@
-- hosts: demo
-  gather_facts: no
-  tasks:
-    - name: Gather posix account
-      ansible.builtin.shell:
-        cmd: >
-          users=$(getent passwd | grep -v nologin | grep -v shutdown | awk -F":" '{ print $1 }');for i in $users;
-          do k=$(last -w -F $i -1 | head -1 | grep -v ^$ | awk '{ print $0 }')
-            if [ -n "$k" ]; then
-              echo $k
-            else
-              echo $i
-            fi;done
-      register: result
-
-    - name: Define info by set_fact
-      ansible.builtin.set_fact:
-        info: "{{ result.stdout_lines }}"
-
-    - debug:
-        var: info

apps/accounts/automations/gather_accounts/host/posix/manifest.yml

@@ -1,13 +0,0 @@
-id: gather_accounts_posix
-name: "{{ 'Posix account gather' | trans }}"
-category: host
-type:
-  - linux
-  - unix
-method: gather_accounts
-
-i18n:
-  Posix account gather:
-    zh: 使用命令 getent passwd 收集 Posix 资产账号
-    ja: コマンド getent を使用してアセットアカウントを収集する
-    en: Using command getent to gather accounts

apps/accounts/automations/gather_accounts/host/windows/main.yml

@@ -1,13 +0,0 @@
-- hosts: demo
-  gather_facts: no
-  tasks:
-    - name: Gather posix account
-      ansible.builtin.win_shell: net user
-      register: result
-
-    - name: Define info by set_fact
-      ansible.builtin.set_fact:
-        info: "{{ result.stdout_lines }}"
-
-    - debug:
-        var: info

apps/accounts/automations/gather_accounts/host/windows/manifest.yml

@@ -1,13 +0,0 @@
-id: gather_accounts_windows
-name: "{{ 'Windows account gather' | trans }}"
-version: 1
-method: gather_accounts
-category: host
-type:
-  - windows
-
-i18n:
-  Windows account gather:
-    zh: 使用命令 net user 收集 Windows 账号
-    ja: コマンド net user を使用して Windows アカウントを収集する
-    en: Using command net user to gather accounts

apps/accounts/automations/gather_accounts/manager.py

@@ -1,63 +0,0 @@
-from accounts.const import AutomationTypes
-from accounts.models import GatheredAccount
-from common.utils import get_logger
-from orgs.utils import tmp_to_org
-from .filter import GatherAccountsFilter
-from ..base.manager import AccountBasePlaybookManager
-
-logger = get_logger(__name__)
-
-
-class GatherAccountsManager(AccountBasePlaybookManager):
-    def __init__(self, *args, **kwargs):
-        super().__init__(*args, **kwargs)
-        self.host_asset_mapper = {}
-        self.is_sync_account = self.execution.snapshot.get('is_sync_account')
-
-    @classmethod
-    def method_type(cls):
-        return AutomationTypes.gather_accounts
-
-    def host_callback(self, host, asset=None, **kwargs):
-        super().host_callback(host, asset=asset, **kwargs)
-        self.host_asset_mapper[host['name']] = asset
-        return host
-
-    def filter_success_result(self, tp, result):
-        result = GatherAccountsFilter(tp).run(self.method_id_meta_mapper, result)
-        return result
-    @staticmethod
-    def generate_data(asset, result):
-        data = []
-        for username, info in result.items():
-            d = {'asset': asset, 'username': username, 'present': True}
-            if info.get('date'):
-                d['date_last_login'] = info['date']
-            if info.get('address'):
-                d['address_last_login'] = info['address'][:32]
-            data.append(d)
-        return data
-
-    def update_or_create_accounts(self, asset, result):
-        data = self.generate_data(asset, result)
-        with tmp_to_org(asset.org_id):
-            gathered_accounts = []
-            GatheredAccount.objects.filter(asset=asset, present=True).update(present=False)
-            for d in data:
-                username = d['username']
-                gathered_account, __ = GatheredAccount.objects.update_or_create(
-                    defaults=d, asset=asset, username=username,
-                )
-                gathered_accounts.append(gathered_account)
-            if not self.is_sync_account:
-                return
-            GatheredAccount.sync_accounts(gathered_accounts)
-
-    def on_host_success(self, host, result):
-        info = result.get('debug', {}).get('res', {}).get('info', {})
-        asset = self.host_asset_mapper.get(host)
-        if asset and info:
-            result = self.filter_success_result(asset.type, info)
-            self.update_or_create_accounts(asset, result)
-        else:
-            logger.error("Not found info".format(host))

apps/accounts/automations/methods.py

@@ -1,6 +0,0 @@
-import os
-
-from assets.automations.methods import get_platform_automation_methods
-
-BASE_DIR = os.path.dirname(os.path.abspath(__file__))
-platform_automation_methods = get_platform_automation_methods(BASE_DIR)

apps/accounts/automations/push_account/database/mongodb/main.yml

@@ -1,55 +0,0 @@
-- hosts: mongodb
-  gather_facts: no
-  vars:
-    ansible_python_interpreter: /usr/local/bin/python
-
-  tasks:
-    - name: Test MongoDB connection
-      mongodb_ping:
-        login_user: "{{ jms_account.username }}"
-        login_password: "{{ jms_account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        login_database: "{{ jms_asset.spec_info.db_name }}"
-        ssl: "{{ jms_asset.spec_info.use_ssl }}"
-        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
-        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
-        connection_options:
-          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
-      register: db_info
-
-    - name: Display MongoDB version
-      debug:
-        var: db_info.server_version
-      when: db_info is succeeded
-
-    - name: Change MongoDB password
-      mongodb_user:
-        login_user: "{{ jms_account.username }}"
-        login_password: "{{ jms_account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        login_database: "{{ jms_asset.spec_info.db_name }}"
-        ssl: "{{ jms_asset.spec_info.use_ssl }}"
-        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
-        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
-        connection_options:
-          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
-        db: "{{ jms_asset.spec_info.db_name }}"
-        name: "{{ account.username }}"
-        password: "{{ account.secret }}"
-      ignore_errors: true
-      when: db_info is succeeded
-
-    - name: Verify password
-      mongodb_ping:
-        login_user: "{{ account.username }}"
-        login_password: "{{ account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        login_database: "{{ jms_asset.spec_info.db_name }}"
-        ssl: "{{ jms_asset.spec_info.use_ssl }}"
-        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
-        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
-        connection_options:
-          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"

apps/accounts/automations/push_account/database/mongodb/manifest.yml

@@ -1,12 +0,0 @@
-id: push_account_mongodb
-name: "{{ 'MongoDB account push' | trans }}"
-category: database
-type:
-  - mongodb
-method: push_account
-
-i18n:
-  MongoDB account push:
-    zh: 使用 Ansible 模块 mongodb 执行 MongoDB 账号推送
-    ja: Ansible mongodb モジュールを使用してアカウントをプッシュする
-    en: Using Ansible module mongodb to push account

apps/accounts/automations/push_account/database/mysql/main.yml

@@ -1,40 +0,0 @@
-- hosts: mysql
-  gather_facts: no
-  vars:
-    ansible_python_interpreter: /usr/local/bin/python
-    db_name: "{{ jms_asset.spec_info.db_name }}"
-
-  tasks:
-    - name: Test MySQL connection
-      community.mysql.mysql_info:
-        login_user: "{{ jms_account.username }}"
-        login_password: "{{ jms_account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        filter: version
-      register: db_info
-
-    - name: MySQL version
-      debug:
-        var: db_info.version.full
-
-    - name: Change MySQL password
-      community.mysql.mysql_user:
-        login_user: "{{ jms_account.username }}"
-        login_password: "{{ jms_account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        name: "{{ account.username }}"
-        password: "{{ account.secret }}"
-        host: "%"
-        priv: "{{ account.username + '.*:USAGE' if db_name == '' else db_name + '.*:ALL' }}"
-      ignore_errors: true
-      when: db_info is succeeded
-
-    - name: Verify password
-      community.mysql.mysql_info:
-        login_user: "{{ account.username }}"
-        login_password: "{{ account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        filter: version

apps/accounts/automations/push_account/database/mysql/manifest.yml

@@ -1,13 +0,0 @@
-id: push_account_mysql
-name: "{{ 'MySQL account push' | trans }}"
-category: database
-type:
-  - mysql
-  - mariadb
-method: push_account
-
-i18n:
-  MySQL account push:
-    zh: 使用 Ansible 模块 mysql 执行 MySQL 账号推送
-    ja: Ansible mysql モジュールを使用してアカウントをプッシュする
-    en: Using Ansible module mysql to push account

apps/accounts/automations/push_account/database/oracle/main.yml

@@ -1,41 +0,0 @@
-- hosts: oracle
-  gather_facts: no
-  vars:
-    ansible_python_interpreter: /usr/local/bin/python
-
-  tasks:
-    - name: Test Oracle connection
-      oracle_ping:
-        login_user: "{{ jms_account.username }}"
-        login_password: "{{ jms_account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        login_database: "{{ jms_asset.spec_info.db_name }}"
-        mode: "{{ jms_account.mode }}"
-      register: db_info
-
-    - name: Display Oracle version
-      debug:
-        var: db_info.server_version
-      when: db_info is succeeded
-
-    - name: Change Oracle password
-      oracle_user:
-        login_user: "{{ jms_account.username }}"
-        login_password: "{{ jms_account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        login_database: "{{ jms_asset.spec_info.db_name }}"
-        mode: "{{ jms_account.mode }}"
-        name: "{{ account.username }}"
-        password: "{{ account.secret }}"
-      ignore_errors: true
-      when: db_info is succeeded
-
-    - name: Verify password
-      oracle_ping:
-        login_user: "{{ account.username }}"
-        login_password: "{{ account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        login_database: "{{ jms_asset.spec_info.db_name }}"

apps/accounts/automations/push_account/database/oracle/manifest.yml

@@ -1,12 +0,0 @@
-id: push_account_oracle
-name: "{{ 'Oracle account push' | trans }}"
-category: database
-type:
-  - oracle
-method: push_account
-
-i18n:
-  Oracle account push:
-    zh: 使用 Python 模块 oracledb 执行 Oracle 账号推送
-    ja: Python oracledb モジュールを使用してアカウントをプッシュする
-    en: Using Python module oracledb to push account

apps/accounts/automations/push_account/database/postgresql/main.yml

@@ -1,44 +0,0 @@
-- hosts: postgre
-  gather_facts: no
-  vars:
-    ansible_python_interpreter: /usr/local/bin/python
-
-  tasks:
-    - name: Test PostgreSQL connection
-      community.postgresql.postgresql_ping:
-        login_user: "{{ jms_account.username }}"
-        login_password: "{{ jms_account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        login_db: "{{ jms_asset.spec_info.db_name }}"
-      register: result
-      failed_when: not result.is_available
-
-    - name: Display PostgreSQL version
-      debug:
-        var: result.server_version.full
-      when: result is succeeded
-
-    - name: Change PostgreSQL password
-      community.postgresql.postgresql_user:
-        login_user: "{{ jms_account.username }}"
-        login_password: "{{ jms_account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        db: "{{ jms_asset.spec_info.db_name }}"
-        name: "{{ account.username }}"
-        password: "{{ account.secret }}"
-        role_attr_flags: LOGIN
-      ignore_errors: true
-      when: result is succeeded
-
-    - name: Verify password
-      community.postgresql.postgresql_ping:
-        login_user: "{{ account.username }}"
-        login_password: "{{ account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        db: "{{ jms_asset.spec_info.db_name }}"
-      when:
-        - result is succeeded
-        - change_info is succeeded

apps/accounts/automations/push_account/database/postgresql/manifest.yml

@@ -1,12 +0,0 @@
-id: push_account_postgresql
-name: "{{ 'PostgreSQL account push' | trans }}"
-category: database
-type:
-  - postgresql
-method: push_account
-
-i18n:
-  PostgreSQL account push:
-    zh: 使用 Ansible 模块 postgresql 执行 PostgreSQL 账号推送
-    ja: Ansible postgresql モジュールを使用してアカウントをプッシュする
-    en: Using Ansible module postgresql to push account

apps/accounts/automations/push_account/database/sqlserver/main.yml

@@ -1,68 +0,0 @@
-- hosts: sqlserver
-  gather_facts: no
-  vars:
-    ansible_python_interpreter: /usr/local/bin/python
-
-  tasks:
-    - name: Test SQLServer connection
-      community.general.mssql_script:
-        login_user: "{{ jms_account.username }}"
-        login_password: "{{ jms_account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        name: '{{ jms_asset.spec_info.db_name }}'
-        script: |
-          SELECT @@version
-      register: db_info
-
-    - name: SQLServer version
-      set_fact:
-        info:
-          version: "{{ db_info.query_results[0][0][0][0].splitlines()[0] }}"
-    - debug:
-        var: info
-
-    - name: Check whether SQLServer User exist
-      community.general.mssql_script:
-        login_user: "{{ jms_account.username }}"
-        login_password: "{{ jms_account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        name: '{{ jms_asset.spec_info.db_name }}'
-        script: "SELECT 1 from sys.sql_logins WHERE name='{{ account.username }}';"
-      when: db_info is succeeded
-      register: user_exist
-
-    - name: Change SQLServer password
-      community.general.mssql_script:
-        login_user: "{{ jms_account.username }}"
-        login_password: "{{ jms_account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        name: '{{ jms_asset.spec_info.db_name }}'
-        script: "ALTER LOGIN {{ account.username }} WITH PASSWORD = '{{ account.secret }}'; select @@version"
-      ignore_errors: true
-      when: user_exist.query_results[0] | length != 0
-      register: change_info
-
-    - name: Add SQLServer user
-      community.general.mssql_script:
-        login_user: "{{ jms_account.username }}"
-        login_password: "{{ jms_account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        name: '{{ jms_asset.spec_info.db_name }}'
-        script: "CREATE LOGIN {{ account.username }} WITH PASSWORD = '{{ account.secret }}'; select @@version"
-      ignore_errors: true
-      when: user_exist.query_results[0] | length == 0
-      register: change_info
-
-    - name: Verify password
-      community.general.mssql_script:
-        login_user: "{{ account.username }}"
-        login_password: "{{ account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        name: '{{ jms_asset.spec_info.db_name }}'
-        script: |
-          SELECT @@version

apps/accounts/automations/push_account/database/sqlserver/manifest.yml

@@ -1,12 +0,0 @@
-id: push_account_sqlserver
-name: "{{ 'SQLServer account push' | trans }}"
-category: database
-type:
-  - sqlserver
-method: push_account
-
-i18n:
-  SQLServer account push:
-    zh: 使用 Ansible 模块 mssql 执行 SQLServer 账号推送
-    ja: Ansible mssql モジュールを使用してアカウントをプッシュする
-    en: Using Ansible module mssql to push account

apps/accounts/automations/push_account/host/aix/main.yml

@@ -1,80 +0,0 @@
-- hosts: demo
-  gather_facts: no
-  tasks:
-    - name: Test privileged account
-      ansible.builtin.ping:
-
-    - name: Push user
-      ansible.builtin.user:
-        name: "{{ account.username }}"
-        shell: "{{ params.shell }}"
-        home: "{{ params.home | default('/home/' + account.username, true) }}"
-        groups: "{{ params.groups }}"
-        expires: -1
-        state: present
-
-    - name: "Add {{ account.username }} group"
-      ansible.builtin.group:
-        name: "{{ account.username }}"
-        state: present
-
-    - name: Add user groups
-      ansible.builtin.user:
-        name: "{{ account.username }}"
-        groups: "{{ params.groups }}"
-      when: params.groups
-
-    - name: Push user password
-      ansible.builtin.user:
-        name: "{{ account.username }}"
-        password: "{{ account.secret | password_hash('sha512') }}"
-        update_password: always
-      ignore_errors: true
-      when: account.secret_type == "password"
-
-    - name: remove jumpserver ssh key
-      ansible.builtin.lineinfile:
-        dest: "{{ ssh_params.dest }}"
-        regexp: "{{ ssh_params.regexp }}"
-        state: absent
-      when:
-        - account.secret_type == "ssh_key"
-        - ssh_params.strategy == "set_jms"
-
-    - name: Push SSH key
-      ansible.builtin.authorized_key:
-        user: "{{ account.username }}"
-        key: "{{ account.secret }}"
-        exclusive: "{{ ssh_params.exclusive }}"
-      when: account.secret_type == "ssh_key"
-
-    - name: Set sudo setting
-      ansible.builtin.lineinfile:
-        dest: /etc/sudoers
-        state: present
-        regexp: "^{{ account.username }} ALL="
-        line: "{{ account.username + ' ALL=(ALL) NOPASSWD: ' + params.sudo }}"
-        validate: visudo -cf %s
-      when:
-        - params.sudo
-
-    - name: Refresh connection
-      ansible.builtin.meta: reset_connection
-
-    - name: Verify password
-      ansible.builtin.ping:
-      become: no
-      vars:
-        ansible_user: "{{ account.username }}"
-        ansible_password: "{{ account.secret }}"
-        ansible_become: no
-      when: account.secret_type == "password"
-
-    - name: Verify SSH key
-      ansible.builtin.ping:
-      become: no
-      vars:
-        ansible_user: "{{ account.username }}"
-        ansible_ssh_private_key_file: "{{ account.private_key_path }}"
-        ansible_become: no
-      when: account.secret_type == "ssh_key"

apps/accounts/automations/push_account/host/aix/manifest.yml

@@ -1,36 +0,0 @@
-id: push_account_aix
-name: "{{ 'Aix account push' | trans }}"
-category: host
-type:
-  - AIX
-method: push_account
-params:
-  - name: sudo
-    type: str
-    label: 'Sudo'
-    default: '/bin/whoami'
-    help_text: '使用逗号分隔多个命令，如: /bin/whoami,/sbin/ifconfig'
-
-  - name: shell
-    type: str
-    label: 'Shell'
-    default: '/bin/bash'
-
-  - name: home
-    type: str
-    label: '家目录'
-    default: ''
-    help_text: '默认家目录 /home/系统用户名: /home/username'
-
-  - name: groups
-    type: str
-    label: '用户组'
-    default: ''
-    help_text: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
-
-i18n:
-  Aix account push:
-    zh: 使用 Ansible 模块 user 执行 Aix 账号推送 (DES)
-    ja: Ansible user モジュールを使用して Aix アカウントをプッシュする (DES)
-    en: Using Ansible module user to push account (DES)
-

apps/accounts/automations/push_account/host/posix/main.yml

@@ -1,80 +0,0 @@
-- hosts: demo
-  gather_facts: no
-  tasks:
-    - name: Test privileged account
-      ansible.builtin.ping:
-
-    - name: Push user
-      ansible.builtin.user:
-        name: "{{ account.username }}"
-        shell: "{{ params.shell }}"
-        home: "{{ params.home | default('/home/' + account.username, true) }}"
-        groups: "{{ params.groups }}"
-        expires: -1
-        state: present
-
-    - name: "Add {{ account.username }} group"
-      ansible.builtin.group:
-        name: "{{ account.username }}"
-        state: present
-
-    - name: Add user groups
-      ansible.builtin.user:
-        name: "{{ account.username }}"
-        groups: "{{ params.groups }}"
-      when: params.groups
-
-    - name: Push user password
-      ansible.builtin.user:
-        name: "{{ account.username }}"
-        password: "{{ account.secret | password_hash('sha512') }}"
-        update_password: always
-      ignore_errors: true
-      when: account.secret_type == "password"
-
-    - name: remove jumpserver ssh key
-      ansible.builtin.lineinfile:
-        dest: "{{ ssh_params.dest }}"
-        regexp: "{{ ssh_params.regexp }}"
-        state: absent
-      when:
-        - account.secret_type == "ssh_key"
-        - ssh_params.strategy == "set_jms"
-
-    - name: Push SSH key
-      ansible.builtin.authorized_key:
-        user: "{{ account.username }}"
-        key: "{{ account.secret }}"
-        exclusive: "{{ ssh_params.exclusive }}"
-      when: account.secret_type == "ssh_key"
-
-    - name: Set sudo setting
-      ansible.builtin.lineinfile:
-        dest: /etc/sudoers
-        state: present
-        regexp: "^{{ account.username }} ALL="
-        line: "{{ account.username + ' ALL=(ALL) NOPASSWD: ' + params.sudo }}"
-        validate: visudo -cf %s
-      when:
-        - params.sudo
-
-    - name: Refresh connection
-      ansible.builtin.meta: reset_connection
-
-    - name: Verify password
-      ansible.builtin.ping:
-      become: no
-      vars:
-        ansible_user: "{{ account.username }}"
-        ansible_password: "{{ account.secret }}"
-        ansible_become: no
-      when: account.secret_type == "password"
-
-    - name: Verify SSH key
-      ansible.builtin.ping:
-      become: no
-      vars:
-        ansible_user: "{{ account.username }}"
-        ansible_ssh_private_key_file: "{{ account.private_key_path }}"
-        ansible_become: no
-      when: account.secret_type == "ssh_key"

apps/accounts/automations/push_account/host/posix/manifest.yml

@@ -1,37 +0,0 @@
-id: push_account_posix
-name: "{{ 'Posix account push' | trans }}"
-category: host
-type:
-  - unix
-  - linux
-method: push_account
-params:
-  - name: sudo
-    type: str
-    label: 'Sudo'
-    default: '/bin/whoami'
-    help_text: '使用逗号分隔多个命令，如: /bin/whoami,/sbin/ifconfig'
-
-  - name: shell
-    type: str
-    label: 'Shell'
-    default: '/bin/bash'
-    help_text: ''
-
-  - name: home
-    type: str
-    label: '家目录'
-    default: ''
-    help_text: '默认家目录 /home/系统用户名: /home/username'
-
-  - name: groups
-    type: str
-    label: '用户组'
-    default: ''
-    help_text: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
-
-i18n:
-  Posix account push:
-    zh: 使用 Ansible 模块 user 执行账号推送 (sha512)
-    ja: Ansible user モジュールを使用してアカウントをプッシュする (sha512)
-    en: Using Ansible module user to push account (sha512)

apps/accounts/automations/push_account/host/windows/main.yml

@@ -1,31 +0,0 @@
-- hosts: demo
-  gather_facts: no
-  tasks:
-    - name: Test privileged account
-      ansible.windows.win_ping:
-
-#    - name: Print variables
-#      debug:
-#        msg: "Username: {{ account.username }}, Password: {{ account.secret }}"
-
-    - name: Push user password
-      ansible.windows.win_user:
-        fullname: "{{ account.username}}"
-        name: "{{ account.username }}"
-        password: "{{ account.secret }}"
-        password_never_expires: yes
-        groups: "{{ params.groups }}"
-        groups_action: add
-        update_password: always
-      ignore_errors: true
-      when: account.secret_type == "password"
-
-    - name: Refresh connection
-      ansible.builtin.meta: reset_connection
-
-    - name: Verify password
-      ansible.windows.win_ping:
-      vars:
-        ansible_user: "{{ account.username }}"
-        ansible_password: "{{ account.secret }}"
-      when: account.secret_type == "password"

apps/accounts/automations/push_account/host/windows/manifest.yml

@@ -1,19 +0,0 @@
-id: push_account_local_windows
-name: "{{ 'Windows account push' | trans }}"
-version: 1
-method: push_account
-category: host
-type:
-  - windows
-params:
-  - name: groups
-    type: str
-    label: '用户组'
-    default: 'Users,Remote Desktop Users'
-    help_text: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
-
-i18n:
-  Windows account push:
-    zh: 使用 Ansible 模块 win_user 执行 Windows 账号推送
-    ja: Ansible win_user モジュールを使用して Windows アカウントをプッシュする
-    en: Using Ansible module win_user to push account

apps/accounts/automations/push_account/manager.py

@@ -1,149 +0,0 @@
-from copy import deepcopy
-
-from accounts.const import AutomationTypes, SecretType, Connectivity
-from assets.const import HostTypes
-from common.utils import get_logger
-from ..base.manager import AccountBasePlaybookManager
-from ..change_secret.manager import ChangeSecretManager
-
-logger = get_logger(__name__)
-
-
-class PushAccountManager(ChangeSecretManager, AccountBasePlaybookManager):
-    ansible_account_prefer = ''
-
-    @classmethod
-    def method_type(cls):
-        return AutomationTypes.push_account
-
-    def host_callback(self, host, asset=None, account=None, automation=None, path_dir=None, **kwargs):
-        host = super(ChangeSecretManager, self).host_callback(
-            host, asset=asset, account=account, automation=automation,
-            path_dir=path_dir, **kwargs
-        )
-        if host.get('error'):
-            return host
-
-        accounts = self.get_accounts(account)
-        inventory_hosts = []
-        if asset.type == HostTypes.WINDOWS and self.secret_type == SecretType.SSH_KEY:
-            msg = f'Windows {asset} does not support ssh key push'
-            print(msg)
-            return inventory_hosts
-
-        host['ssh_params'] = {}
-        for account in accounts:
-            h = deepcopy(host)
-            secret_type = account.secret_type
-            h['name'] += '(' + account.username + ')'
-            if self.secret_type is None:
-                new_secret = account.secret
-            else:
-                new_secret = self.get_secret(secret_type)
-
-            self.name_recorder_mapper[h['name']] = {
-                'account': account, 'new_secret': new_secret,
-            }
-
-            private_key_path = None
-            if secret_type == SecretType.SSH_KEY:
-                private_key_path = self.generate_private_key_path(new_secret, path_dir)
-                new_secret = self.generate_public_key(new_secret)
-
-            h['ssh_params'].update(self.get_ssh_params(account, new_secret, secret_type))
-            h['account'] = {
-                'name': account.name,
-                'username': account.username,
-                'secret_type': secret_type,
-                'secret': new_secret,
-                'private_key_path': private_key_path
-            }
-            if asset.platform.type == 'oracle':
-                h['account']['mode'] = 'sysdba' if account.privileged else None
-            inventory_hosts.append(h)
-        return inventory_hosts
-
-    def on_host_success(self, host, result):
-        account_info = self.name_recorder_mapper.get(host)
-        if not account_info:
-            return
-
-        account = account_info['account']
-        new_secret = account_info['new_secret']
-        if not account:
-            return
-        account.secret = new_secret
-        account.save(update_fields=['secret'])
-        account.set_connectivity(Connectivity.OK)
-
-    def on_host_error(self, host, error, result):
-        pass
-
-    def on_runner_failed(self, runner, e):
-        logger.error("Pust account error: ", e)
-
-    def run(self, *args, **kwargs):
-        if self.secret_type and not self.check_secret():
-            return
-        super(ChangeSecretManager, self).run(*args, **kwargs)
-
-    # @classmethod
-    # def trigger_by_asset_create(cls, asset):
-    #     automations = PushAccountAutomation.objects.filter(
-    #         triggers__contains=TriggerChoice.on_asset_create
-    #     )
-    #     account_automation_map = {auto.username: auto for auto in automations}
-    #
-    #     util = AssetPermissionUtil()
-    #     permissions = util.get_permissions_for_assets([asset], with_node=True)
-    #     account_permission_map = defaultdict(list)
-    #     for permission in permissions:
-    #         for account in permission.accounts:
-    #             account_permission_map[account].append(permission)
-    #
-    #     username_automation_map = {}
-    #     for username, automation in account_automation_map.items():
-    #         if username != '@USER':
-    #             username_automation_map[username] = automation
-    #             continue
-    #
-    #         asset_permissions = account_permission_map.get(username)
-    #         if not asset_permissions:
-    #             continue
-    #         asset_permissions = util.get_permissions([p.id for p in asset_permissions])
-    #         usernames = asset_permissions.values_list('users__username', flat=True).distinct()
-    #         for _username in usernames:
-    #             username_automation_map[_username] = automation
-    #
-    #     asset_usernames_exists = asset.accounts.values_list('username', flat=True)
-    #     accounts_to_create = []
-    #     accounts_to_push = []
-    #     for username, automation in username_automation_map.items():
-    #         if username in asset_usernames_exists:
-    #             continue
-    #
-    #         if automation.secret_strategy != SecretStrategy.custom:
-    #             secret_generator = SecretGenerator(
-    #                 automation.secret_strategy, automation.secret_type,
-    #                 automation.password_rules
-    #             )
-    #             secret = secret_generator.get_secret()
-    #         else:
-    #             secret = automation.secret
-    #
-    #         account = Account(
-    #             username=username, secret=secret,
-    #             asset=asset, secret_type=automation.secret_type,
-    #             comment='Create by account creation {}'.format(automation.name),
-    #         )
-    #         accounts_to_create.append(account)
-    #         if automation.action == 'create_and_push':
-    #             accounts_to_push.append(account)
-    #         else:
-    #             accounts_to_create.append(account)
-    #
-    #         logger.debug(f'Create account {account} for asset {asset}')
-
-    # @classmethod
-    # def trigger_by_permission_accounts_change(cls):
-    #     pass

apps/accounts/automations/verify_account/custom/rdp/main.yml

@@ -1,15 +0,0 @@
-- hosts: custom
-  gather_facts: no
-  vars:
-    ansible_shell_type: sh
-    ansible_connection: local
-
-  tasks:
-    - name: Verify account (pyfreerdp)
-      rdp_ping:
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        login_user: "{{ account.username }}"
-        login_password: "{{ account.secret }}"
-        login_secret_type: "{{ account.secret_type }}"
-        login_private_key_path: "{{ account.private_key_path }}"

apps/accounts/automations/verify_account/custom/rdp/manifest.yml

@@ -1,13 +0,0 @@
-id: verify_account_by_rdp
-name: "{{ 'Windows rdp account verify' | trans }}"
-category:
-  - host
-type:
-  - windows
-method: verify_account
-
-i18n:
-  Windows rdp account verify:
-    zh: 使用 Python 模块 pyfreerdp 验证账号
-    ja: Python モジュール pyfreerdp を使用してアカウントを検証する
-    en: Using Python module pyfreerdp to verify account

apps/accounts/automations/verify_account/custom/ssh/main.yml

@@ -1,14 +0,0 @@
-- hosts: custom
-  gather_facts: no
-  vars:
-    ansible_connection: local
-
-  tasks:
-    - name: Verify account (paramiko)
-      ssh_ping:
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        login_user: "{{ account.username }}"
-        login_password: "{{ account.secret }}"
-        login_secret_type: "{{ account.secret_type }}"
-        login_private_key_path: "{{ account.private_key_path }}"

apps/accounts/automations/verify_account/custom/ssh/manifest.yml

@@ -1,14 +0,0 @@
-id: verify_account_by_ssh
-name: "{{ 'SSH account verify' | trans }}"
-category:
-  - device
-  - host
-type:
-  - all
-method: verify_account
-
-i18n:
-  SSH account verify:
-    zh: 使用 Python 模块 paramiko 验证账号
-    ja: Python モジュール paramiko を使用してアカウントを検証する
-    en: Using Python module paramiko to verify account

apps/accounts/automations/verify_account/database/mongodb/main.yml

@@ -1,18 +0,0 @@
-- hosts: mongdb
-  gather_facts: no
-  vars:
-    ansible_python_interpreter: /usr/local/bin/python
-
-  tasks:
-    - name: Verify account
-      mongodb_ping:
-        login_user: "{{ account.username }}"
-        login_password: "{{ account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        login_database: "{{ jms_asset.spec_info.db_name }}"
-        ssl: "{{ jms_asset.spec_info.use_ssl }}"
-        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
-        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
-        connection_options:
-          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"

apps/accounts/automations/verify_account/database/mongodb/manifest.yml

@@ -1,12 +0,0 @@
-id: verify_account_mongodb
-name: "{{ 'MongoDB account verify' | trans }}"
-category: database
-type:
-  - mongodb
-method: verify_account
-
-i18n:
-  MongoDB account verify:
-    zh: 使用 Ansible 模块 mongodb 验证账号
-    ja: Ansible mongodb モジュールを使用してアカウントを検証する
-    en: Using Ansible module mongodb to verify account

apps/accounts/automations/verify_account/database/mysql/main.yml

@@ -1,13 +0,0 @@
-- hosts: mysql
-  gather_facts: no
-  vars:
-    ansible_python_interpreter: /usr/local/bin/python
-
-  tasks:
-    - name: Verify account
-      community.mysql.mysql_info:
-        login_user: "{{ account.username }}"
-        login_password: "{{ account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        filter: version

apps/accounts/automations/verify_account/database/mysql/manifest.yml

@@ -1,14 +0,0 @@
-id: verify_account_mysql
-name: "{{ 'MySQL account verify' | trans }}"
-category: database
-type:
-  - mysql
-  - mariadb
-method: verify_account
-
-i18n:
-  MySQL account verify:
-    zh: 使用 Ansible 模块 mysql 验证账号
-    ja: Ansible mysql モジュールを使用してアカウントを検証する
-    en: Using Ansible module mysql to verify account
-

apps/accounts/automations/verify_account/database/oracle/main.yml

@@ -1,14 +0,0 @@
-- hosts: oracle
-  gather_facts: no
-  vars:
-    ansible_python_interpreter: /usr/local/bin/python
-
-  tasks:
-    - name: Verify account
-      oracle_ping:
-        login_user: "{{ account.username }}"
-        login_password: "{{ account.secret }}"
-        login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        login_database: "{{ jms_asset.spec_info.db_name }}"
-        mode: "{{ account.mode }}"

apps/accounts/automations/verify_account/database/oracle/manifest.yml

@@ -1,12 +0,0 @@
-id: verify_account_oracle
-name: "{{ 'Oracle account verify' | trans }}"
-category: database
-type:
-  - oracle
-method: verify_account
-
-i18n:
-  Oracle account verify:
-    zh: 使用 Python 模块 oracledb 验证账号
-    ja: Python モジュール oracledb を使用してアカウントを検証する
-    en: Using Python module oracledb to verify account