perf: dockerfile 添加 freerdp2-dev 依赖 (#12387)

Co-authored-by: feng <1304903146@qq.com>

.github/ISSUE_TEMPLATE/----.md

@@ -6,7 +6,6 @@ labels: 类型:需求
 assignees: 
   - ibuler
   - baijiangjie
-  - wojiushixiaobai
 ---
 
 **请描述您的需求或者改进建议.**

.github/ISSUE_TEMPLATE/bug---.md

@@ -2,11 +2,9 @@
 name: Bug 提交
 about: 提交产品缺陷帮助我们更好的改进
 title: "[Bug] "
-labels: 类型:bug
+labels: 类型:Bug
 assignees: 
-   - wojiushixiaobai
    - baijiangjie
-
 ---
 
 **JumpServer 版本( v2.28 之前的版本不再支持 )**

.github/ISSUE_TEMPLATE/question.md

@@ -4,9 +4,7 @@ about: 提出针对本项目安装部署、使用及其他方面的相关问题
 title: "[Question] "
 labels: 类型:提问
 assignees: 
-  - wojiushixiaobai
   - baijiangjie
-
 ---
 
 **请描述您的问题.**

.github/workflows/jms-build-test.yml

@@ -19,8 +19,8 @@ jobs:
       with:
         context: .
         push: false
-        tags: jumpserver/core:test
-        file: Dockerfile
+        tags: jumpserver/core-ce:test
+        file: Dockerfile-ce
         build-args: |
           APT_MIRROR=http://deb.debian.org
           PIP_MIRROR=https://pypi.org/simple

Dockerfile-ce

@@ -1,4 +1,4 @@
-FROM python:3.11-slim-bullseye as stage-build
+FROM python:3.11-slim-bullseye as stage-1
 ARG TARGETARCH
 
 ARG VERSION
@@ -6,9 +6,10 @@ ENV VERSION=$VERSION
 
 WORKDIR /opt/jumpserver
 ADD . .
-RUN cd utils && bash -ixeu build.sh
+RUN echo > /opt/jumpserver/config.yml \
+    && cd utils && bash -ixeu build.sh
 
-FROM python:3.11-slim-bullseye
+FROM python:3.11-slim-bullseye as stage-2
 ARG TARGETARCH
 
 ARG BUILD_DEPENDENCIES="              \
@@ -36,17 +37,15 @@ ARG TOOLS="                           \
         curl                          \
         default-libmysqlclient-dev    \
         default-mysql-client          \
-        locales                       \
-        nmap                          \
-        openssh-client                \
-        sshpass                       \
-        telnet                        \
-        vim                           \
+        git                           \
+        git-lfs                       \
+        unzip                         \
+        xz-utils                      \
         wget"
 
 ARG APT_MIRROR=http://mirrors.ustc.edu.cn
-
-RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=core \
+RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=core-apt \
+    --mount=type=cache,target=/var/lib/apt,sharing=locked,id=core-apt \
     sed -i "s@http://.*.debian.org@${APT_MIRROR}@g" /etc/apt/sources.list \
     && rm -f /etc/apt/apt.conf.d/docker-clean \
     && ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
@@ -54,30 +53,72 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=core \
     && apt-get -y install --no-install-recommends ${BUILD_DEPENDENCIES} \
     && apt-get -y install --no-install-recommends ${DEPENDENCIES} \
     && apt-get -y install --no-install-recommends ${TOOLS} \
-    && mkdir -p /root/.ssh/ \
-    && echo "Host *\n\tStrictHostKeyChecking no\n\tUserKnownHostsFile /dev/null\n\tCiphers +aes128-cbc\n\tKexAlgorithms +diffie-hellman-group1-sha1\n\tHostKeyAlgorithms +ssh-rsa" > /root/.ssh/config \
-    && echo "set mouse-=a" > ~/.vimrc \
-    && echo "no" | dpkg-reconfigure dash \
-    && echo "zh_CN.UTF-8" | dpkg-reconfigure locales \
-    && sed -i "s@# export @export @g" ~/.bashrc \
-    && sed -i "s@# alias @alias @g" ~/.bashrc \
-    && rm -rf /var/lib/apt/lists/*
+    && echo "no" | dpkg-reconfigure dash
 
-COPY --from=stage-build /opt/jumpserver/release/jumpserver /opt/jumpserver
 WORKDIR /opt/jumpserver
 
 ARG PIP_MIRROR=https://pypi.tuna.tsinghua.edu.cn/simple
 RUN --mount=type=cache,target=/root/.cache \
+    --mount=type=bind,source=poetry.lock,target=/opt/jumpserver/poetry.lock \
+    --mount=type=bind,source=pyproject.toml,target=/opt/jumpserver/pyproject.toml \
     set -ex \
-    && echo > /opt/jumpserver/config.yml \
+    && python3 -m venv /opt/py3 \
     && pip install poetry -i ${PIP_MIRROR} \
     && poetry config virtualenvs.create false \
-    && poetry install --only=main
+    && . /opt/py3/bin/activate \
+    && poetry install
+
+FROM python:3.11-slim-bullseye
+ARG TARGETARCH
+ENV LANG=zh_CN.UTF-8 \
+    PATH=/opt/py3/bin:$PATH
+
+ARG DEPENDENCIES="                    \
+        libjpeg-dev                   \
+        libx11-dev                    \
+        freerdp2-dev                  \
+        libxmlsec1-openssl"
+
+ARG TOOLS="                           \
+        ca-certificates               \
+        curl                          \
+        default-libmysqlclient-dev    \
+        default-mysql-client          \
+        iputils-ping                  \
+        locales                       \
+        nmap                          \
+        openssh-client                \
+        patch                         \
+        sshpass                       \
+        telnet                        \
+        vim                           \
+        wget"
+
+ARG APT_MIRROR=http://mirrors.ustc.edu.cn
+RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=core-apt \
+    --mount=type=cache,target=/var/lib/apt,sharing=locked,id=core-apt \
+    sed -i "s@http://.*.debian.org@${APT_MIRROR}@g" /etc/apt/sources.list \
+    && rm -f /etc/apt/apt.conf.d/docker-clean \
+    && ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
+    && apt-get update \
+    && apt-get -y install --no-install-recommends ${DEPENDENCIES} \
+    && apt-get -y install --no-install-recommends ${TOOLS} \
+    && mkdir -p /root/.ssh/ \
+    && echo "Host *\n\tStrictHostKeyChecking no\n\tUserKnownHostsFile /dev/null\n\tCiphers +aes128-cbc\n\tKexAlgorithms +diffie-hellman-group1-sha1\n\tHostKeyAlgorithms +ssh-rsa" > /root/.ssh/config \
+    && echo "no" | dpkg-reconfigure dash \
+    && echo "zh_CN.UTF-8" | dpkg-reconfigure locales \
+    && sed -i "s@# export @export @g" ~/.bashrc \
+    && sed -i "s@# alias @alias @g" ~/.bashrc
+
+COPY --from=stage-2 /opt/py3 /opt/py3
+COPY --from=stage-1 /opt/jumpserver/release/jumpserver /opt/jumpserver
+
+WORKDIR /opt/jumpserver
+
+ARG VERSION
+ENV VERSION=$VERSION
 
 VOLUME /opt/jumpserver/data
-VOLUME /opt/jumpserver/logs
-
-ENV LANG=zh_CN.UTF-8
 
 EXPOSE 8080
 

Dockerfile-ee

@@ -1,9 +1,5 @@
 ARG VERSION
 FROM registry.fit2cloud.com/jumpserver/xpack:${VERSION} as build-xpack
-FROM jumpserver/core:${VERSION}
+FROM registry.fit2cloud.com/jumpserver/core-ce:${VERSION}
 
-COPY --from=build-xpack /opt/xpack /opt/jumpserver/apps/xpack
-
-RUN --mount=type=cache,target=/root/.cache \
-    set -ex \
-    && poetry install --only=xpack
+COPY --from=build-xpack /opt/xpack /opt/jumpserver/apps/xpack

README.md

@@ -12,8 +12,6 @@
 
 
 <p align="center">
-    JumpServer <a href="https://github.com/jumpserver/jumpserver/releases/tag/v3.0.0">v3.0</a> 正式发布。
-    <br>
     9 年时间，倾情投入，用心做好一款开源堡垒机。
 </p>
 
@@ -63,6 +61,7 @@ JumpServer 堡垒机帮助企业以更安全的方式管控和登录各种类型
 
 ## 案例研究
 
+- [腾讯音乐娱乐集团：基于JumpServer的安全运维审计解决方案](https://blog.fit2cloud.com/?p=a04cdf0d-6704-4d18-9b40-9180baecd0e2)
 - [腾讯海外游戏：基于JumpServer构建游戏安全运营能力](https://blog.fit2cloud.com/?p=3704)
 - [万华化学：通过JumpServer管理全球化分布式IT资产，并且实现与云管平台的联动](https://blog.fit2cloud.com/?p=3504)
 - [雪花啤酒：JumpServer堡垒机使用体会](https://blog.fit2cloud.com/?p=3412)
@@ -99,7 +98,7 @@ JumpServer 堡垒机帮助企业以更安全的方式管控和登录各种类型
 | [Magnus](https://github.com/jumpserver/magnus-release) | <a href="https://github.com/jumpserver/magnus-release/releases"><img alt="Magnus release" src="https://img.shields.io/github/release/jumpserver/magnus-release.svg" /> | JumpServer 数据库代理 Connector 项目                                                     |
 | [Chen](https://github.com/jumpserver/chen-release)     | <a href="https://github.com/jumpserver/chen-release/releases"><img alt="Chen release" src="https://img.shields.io/github/release/jumpserver/chen-release.svg" />       | JumpServer Web DB 项目，替代原来的 OmniDB                                                 |
 | [Kael](https://github.com/jumpserver/kael)             | <a href="https://github.com/jumpserver/kael/releases"><img alt="Kael release" src="https://img.shields.io/github/release/jumpserver/kael.svg" />                       | JumpServer 连接 GPT 资产的组件项目                                                         |
-| [Wisp](https://github.com/jumpserver/wisp)             | <a href="https://github.com/jumpserver/wisp/releases"><img alt="Magnus release" src="https://img.shields.io/github/release/jumpserver/wisp.svg" />                     | JumpServer 各系统终端组件和 Core Api 通信的组件项目                                              |
+| [Wisp](https://github.com/jumpserver/wisp)             | <a href="https://github.com/jumpserver/wisp/releases"><img alt="Magnus release" src="https://img.shields.io/github/release/jumpserver/wisp.svg" />                     | JumpServer 各系统终端组件和 Core API 通信的组件项目                                              |
 | [Clients](https://github.com/jumpserver/clients)       | <a href="https://github.com/jumpserver/clients/releases"><img alt="Clients release" src="https://img.shields.io/github/release/jumpserver/clients.svg" />              | JumpServer 客户端 项目                                                                 |
 | [Installer](https://github.com/jumpserver/installer)   | <a href="https://github.com/jumpserver/installer/releases"><img alt="Installer release" src="https://img.shields.io/github/release/jumpserver/installer.svg" />        | JumpServer 安装包 项目                                                                 |
 

apps/accounts/api/account/account.py

@@ -6,11 +6,12 @@ from rest_framework.status import HTTP_200_OK
 
 from accounts import serializers
 from accounts.filters import AccountFilterSet
+from accounts.mixins import AccountRecordViewLogMixin
 from accounts.models import Account
 from assets.models import Asset, Node
-from common.api import ExtraFilterFieldsMixin
-from common.permissions import UserConfirmation, ConfirmType, IsValidUser
-from common.views.mixins import RecordViewLogMixin
+from authentication.permissions import UserConfirmation, ConfirmType
+from common.api.mixin import ExtraFilterFieldsMixin
+from common.permissions import IsValidUser
 from orgs.mixins.api import OrgBulkModelViewSet
 from rbac.permissions import RBACPermission
 
@@ -57,19 +58,19 @@ class AccountViewSet(OrgBulkModelViewSet):
         permission_classes=[IsValidUser]
     )
     def username_suggestions(self, request, *args, **kwargs):
-        asset_ids = request.data.get('assets')
-        node_ids = request.data.get('nodes')
-        username = request.data.get('username')
+        asset_ids = request.data.get('assets', [])
+        node_ids = request.data.get('nodes', [])
+        username = request.data.get('username', '')
 
-        assets = Asset.objects.all()
-        if asset_ids:
-            assets = assets.filter(id__in=asset_ids)
+        accounts = Account.objects.all()
         if node_ids:
             nodes = Node.objects.filter(id__in=node_ids)
             node_asset_ids = Node.get_nodes_all_assets(*nodes).values_list('id', flat=True)
-            assets = assets.filter(id__in=set(list(asset_ids) + list(node_asset_ids)))
+            asset_ids.extend(node_asset_ids)
+
+        if asset_ids:
+            accounts = accounts.filter(asset_id__in=list(set(asset_ids)))
 
-        accounts = Account.objects.filter(asset__in=assets)
         if username:
             accounts = accounts.filter(username__icontains=username)
         usernames = list(accounts.values_list('username', flat=True).distinct()[:10])
@@ -86,7 +87,7 @@ class AccountViewSet(OrgBulkModelViewSet):
         return Response(status=HTTP_200_OK)
 
 
-class AccountSecretsViewSet(RecordViewLogMixin, AccountViewSet):
+class AccountSecretsViewSet(AccountRecordViewLogMixin, AccountViewSet):
     """
     因为可能要导出所有账号，所以单独建立了一个 viewset
     """
@@ -115,7 +116,7 @@ class AssetAccountBulkCreateApi(CreateAPIView):
         return Response(data=serializer.data, status=HTTP_200_OK)
 
 
-class AccountHistoriesSecretAPI(ExtraFilterFieldsMixin, RecordViewLogMixin, ListAPIView):
+class AccountHistoriesSecretAPI(ExtraFilterFieldsMixin, AccountRecordViewLogMixin, ListAPIView):
     model = Account.history.model
     serializer_class = serializers.AccountHistorySerializer
     http_method_names = ['get', 'options']
@@ -143,4 +144,3 @@ class AccountHistoriesSecretAPI(ExtraFilterFieldsMixin, RecordViewLogMixin, List
             return histories
         histories = histories.exclude(history_id=latest_history.history_id)
         return histories
-

apps/accounts/api/account/task.py

@@ -19,7 +19,9 @@ class AccountsTaskCreateAPI(CreateAPIView):
             code = 'accounts.push_account'
         else:
             code = 'accounts.verify_account'
-        return request.user.has_perm(code)
+        has = request.user.has_perm(code)
+        if not has:
+            self.permission_denied(request)
 
     def perform_create(self, serializer):
         data = serializer.validated_data
@@ -44,6 +46,6 @@ class AccountsTaskCreateAPI(CreateAPIView):
 
     def get_exception_handler(self):
         def handler(e, context):
-            return Response({"error": str(e)}, status=400)
+            return Response({"error": str(e)}, status=401)
 
         return handler

apps/accounts/api/account/template.py

@@ -1,13 +1,15 @@
 from django_filters import rest_framework as drf_filters
+from rest_framework import status
 from rest_framework.decorators import action
 from rest_framework.response import Response
 
 from accounts import serializers
+from accounts.mixins import AccountRecordViewLogMixin
 from accounts.models import AccountTemplate
+from accounts.tasks import template_sync_related_accounts
 from assets.const import Protocol
+from authentication.permissions import UserConfirmation, ConfirmType
 from common.drf.filters import BaseFilterSet
-from common.permissions import UserConfirmation, ConfirmType
-from common.views.mixins import RecordViewLogMixin
 from orgs.mixins.api import OrgBulkModelViewSet
 from rbac.permissions import RBACPermission
 
@@ -44,6 +46,7 @@ class AccountTemplateViewSet(OrgBulkModelViewSet):
     }
     rbac_perms = {
         'su_from_account_templates': 'accounts.view_accounttemplate',
+        'sync_related_accounts': 'accounts.change_account',
     }
 
     @action(methods=['get'], detail=False, url_path='su-from-account-templates')
@@ -54,8 +57,15 @@ class AccountTemplateViewSet(OrgBulkModelViewSet):
         serializer = self.get_serializer(templates, many=True)
         return Response(data=serializer.data)
 
+    @action(methods=['patch'], detail=True, url_path='sync-related-accounts')
+    def sync_related_accounts(self, request, *args, **kwargs):
+        instance = self.get_object()
+        user_id = str(request.user.id)
+        task = template_sync_related_accounts.delay(str(instance.id), user_id)
+        return Response({'task': task.id}, status=status.HTTP_200_OK)
 
-class AccountTemplateSecretsViewSet(RecordViewLogMixin, AccountTemplateViewSet):
+
+class AccountTemplateSecretsViewSet(AccountRecordViewLogMixin, AccountTemplateViewSet):
     serializer_classes = {
         'default': serializers.AccountTemplateSecretSerializer,
     }

apps/accounts/api/automations/change_secret.py

@@ -1,12 +1,13 @@
 # -*- coding: utf-8 -*-
 #
-
-from rest_framework import mixins
+from rest_framework import status, mixins
+from rest_framework.decorators import action
+from rest_framework.response import Response
 
 from accounts import serializers
 from accounts.const import AutomationTypes
-from accounts.models import ChangeSecretAutomation, ChangeSecretRecord, AutomationExecution
-from common.utils import get_object_or_none
+from accounts.models import ChangeSecretAutomation, ChangeSecretRecord
+from accounts.tasks import execute_automation_record_task
 from orgs.mixins.api import OrgBulkModelViewSet, OrgGenericViewSet
 from .base import (
     AutomationAssetsListApi, AutomationRemoveAssetApi, AutomationAddAssetApi,
@@ -30,21 +31,27 @@ class ChangeSecretAutomationViewSet(OrgBulkModelViewSet):
 
 class ChangeSecretRecordViewSet(mixins.ListModelMixin, OrgGenericViewSet):
     serializer_class = serializers.ChangeSecretRecordSerializer
-    filter_fields = ['asset', 'execution_id']
-    search_fields = ['asset__hostname']
+    filterset_fields = ('asset_id', 'execution_id')
+    search_fields = ('asset__address',)
+    tp = AutomationTypes.change_secret
+    rbac_perms = {
+        'execute': 'accounts.add_changesecretexecution',
+    }
 
     def get_queryset(self):
-        return ChangeSecretRecord.objects.filter(
-            execution__automation__type=AutomationTypes.change_secret
-        )
+        return ChangeSecretRecord.objects.all()
 
-    def filter_queryset(self, queryset):
-        queryset = super().filter_queryset(queryset)
-        eid = self.request.query_params.get('execution_id')
-        execution = get_object_or_none(AutomationExecution, pk=eid)
-        if execution:
-            queryset = queryset.filter(execution=execution)
-        return queryset
+    @action(methods=['post'], detail=False, url_path='execute')
+    def execute(self, request, *args, **kwargs):
+        record_id = request.data.get('record_id')
+        record = self.get_queryset().filter(pk=record_id)
+        if not record:
+            return Response(
+                {'detail': 'record not found'},
+                status=status.HTTP_404_NOT_FOUND
+            )
+        task = execute_automation_record_task.delay(record_id, self.tp)
+        return Response({'task': task.id}, status=status.HTTP_200_OK)
 
 
 class ChangSecretExecutionViewSet(AutomationExecutionViewSet):

apps/accounts/api/automations/push_account.py

@@ -42,6 +42,7 @@ class PushAccountExecutionViewSet(AutomationExecutionViewSet):
 
 class PushAccountRecordViewSet(ChangeSecretRecordViewSet):
     serializer_class = serializers.ChangeSecretRecordSerializer
+    tp = AutomationTypes.push_account
 
     def get_queryset(self):
         return ChangeSecretRecord.objects.filter(

apps/accounts/automations/backup_account/handlers.py

@@ -6,16 +6,23 @@ from django.conf import settings
 from openpyxl import Workbook
 from rest_framework import serializers
 
-from accounts.notifications import AccountBackupExecutionTaskMsg
+from accounts.const.automation import AccountBackupType
+from accounts.notifications import AccountBackupExecutionTaskMsg, AccountBackupByObjStorageExecutionTaskMsg
 from accounts.serializers import AccountSecretSerializer
+from accounts.models.automations.backup_account import AccountBackupAutomation
 from assets.const import AllTypes
-from common.utils.file import encrypt_and_compress_zip_file
-from common.utils.timezone import local_now_display
+from common.utils.file import encrypt_and_compress_zip_file, zip_files
+from common.utils.timezone import local_now_filename, local_now_display
+from terminal.models.component.storage import ReplayStorage
 from users.models import User
 
 PATH = os.path.join(os.path.dirname(settings.BASE_DIR), 'tmp')
 
 
+class RecipientsNotFound(Exception):
+    pass
+
+
 class BaseAccountHandler:
     @classmethod
     def unpack_data(cls, serializer_data, data=None):
@@ -67,7 +74,7 @@ class AssetAccountHandler(BaseAccountHandler):
     @staticmethod
     def get_filename(plan_name):
         filename = os.path.join(
-            PATH, f'{plan_name}-{local_now_display()}-{time.time()}.xlsx'
+            PATH, f'{plan_name}-{local_now_filename()}-{time.time()}.xlsx'
         )
         return filename
 
@@ -143,7 +150,7 @@ class AccountBackupHandler:
         wb.save(filename)
         files.append(filename)
         timedelta = round((time.time() - time_start), 2)
-        print('步骤完成: 用时 {}s'.format(timedelta))
+        print('创建备份文件完成: 用时 {}s'.format(timedelta))
         return files
 
     def send_backup_mail(self, files, recipients):
@@ -152,7 +159,7 @@ class AccountBackupHandler:
         recipients = User.objects.filter(id__in=list(recipients))
         print(
             '\n'
-            '\033[32m>>> 发送备份邮件\033[0m'
+            '\033[32m>>> 开始发送备份邮件\033[0m'
             ''
         )
         plan_name = self.plan_name
@@ -161,7 +168,7 @@ class AccountBackupHandler:
                 attachment_list = []
             else:
                 password = user.secret_key.encode('utf8')
-                attachment = os.path.join(PATH, f'{plan_name}-{local_now_display()}-{time.time()}.zip')
+                attachment = os.path.join(PATH, f'{plan_name}-{local_now_filename()}-{time.time()}.zip')
                 encrypt_and_compress_zip_file(attachment, password, files)
                 attachment_list = [attachment, ]
             AccountBackupExecutionTaskMsg(plan_name, user).publish(attachment_list)
@@ -169,11 +176,35 @@ class AccountBackupHandler:
         for file in files:
             os.remove(file)
 
+    def send_backup_obj_storage(self, files, recipients, password):
+        if not files:
+            return
+        recipients = ReplayStorage.objects.filter(id__in=list(recipients))
+        print(
+            '\n'
+            '\033[32m>>> 开始发送备份文件到sftp服务器\033[0m'
+            ''
+        )
+        plan_name = self.plan_name
+        for rec in recipients:
+            attachment = os.path.join(PATH, f'{plan_name}-{local_now_filename()}-{time.time()}.zip')
+            if password:
+                print('\033[32m>>> 使用加密密码对文件进行加密中\033[0m')
+                password = password.encode('utf8')
+                encrypt_and_compress_zip_file(attachment, password, files)
+            else:
+                zip_files(attachment, files)
+            attachment_list = attachment
+            AccountBackupByObjStorageExecutionTaskMsg(plan_name, rec).publish(attachment_list)
+            print('备份文件将发送至{}({})'.format(rec.name, rec.id))
+        for file in files:
+            os.remove(file)
+
     def step_perform_task_update(self, is_success, reason):
         self.execution.reason = reason[:1024]
         self.execution.is_success = is_success
         self.execution.save()
-        print('已完成对任务状态的更新')
+        print('\n已完成对任务状态的更新\n')
 
     @staticmethod
     def step_finished(is_success):
@@ -186,24 +217,11 @@ class AccountBackupHandler:
         is_success = False
         error = '-'
         try:
-            recipients_part_one = self.execution.snapshot.get('recipients_part_one', [])
-            recipients_part_two = self.execution.snapshot.get('recipients_part_two', [])
-            if not recipients_part_one and not recipients_part_two:
-                print(
-                    '\n'
-                    '\033[32m>>> 该备份任务未分配收件人\033[0m'
-                    ''
-                )
-            if recipients_part_one and recipients_part_two:
-                files = self.create_excel(section='front')
-                self.send_backup_mail(files, recipients_part_one)
-
-                files = self.create_excel(section='back')
-                self.send_backup_mail(files, recipients_part_two)
-            else:
-                recipients = recipients_part_one or recipients_part_two
-                files = self.create_excel()
-                self.send_backup_mail(files, recipients)
+            backup_type = self.execution.snapshot.get('backup_type', AccountBackupType.email.value)
+            if backup_type == AccountBackupType.email.value:
+                self.backup_by_email()
+            elif backup_type == AccountBackupType.object_storage.value:
+                self.backup_by_obj_storage()
         except Exception as e:
             self.is_frozen = True
             print('任务执行被异常中断')
@@ -217,6 +235,52 @@ class AccountBackupHandler:
             self.step_perform_task_update(is_success, reason)
             self.step_finished(is_success)
 
+    def backup_by_obj_storage(self):
+        object_id = self.execution.snapshot.get('id')
+        zip_encrypt_password = AccountBackupAutomation.objects.get(id=object_id).zip_encrypt_password
+        obj_recipients_part_one = self.execution.snapshot.get('obj_recipients_part_one', [])
+        obj_recipients_part_two = self.execution.snapshot.get('obj_recipients_part_two', [])
+        if not obj_recipients_part_one and not obj_recipients_part_two:
+            print(
+                '\n'
+                '\033[31m>>> 该备份任务未分配sftp服务器\033[0m'
+                ''
+            )
+            raise RecipientsNotFound('Not Found Recipients')
+        if obj_recipients_part_one and obj_recipients_part_two:
+            print('\033[32m>>> 账号的密钥将被拆分成前后两部分发送\033[0m')
+            files = self.create_excel(section='front')
+            self.send_backup_obj_storage(files, obj_recipients_part_one, zip_encrypt_password)
+
+            files = self.create_excel(section='back')
+            self.send_backup_obj_storage(files, obj_recipients_part_two, zip_encrypt_password)
+        else:
+            recipients = obj_recipients_part_one or obj_recipients_part_two
+            files = self.create_excel()
+            self.send_backup_obj_storage(files, recipients, zip_encrypt_password)
+
+    def backup_by_email(self):
+        recipients_part_one = self.execution.snapshot.get('recipients_part_one', [])
+        recipients_part_two = self.execution.snapshot.get('recipients_part_two', [])
+        if not recipients_part_one and not recipients_part_two:
+            print(
+                '\n'
+                '\033[31m>>> 该备份任务未分配收件人\033[0m'
+                ''
+            )
+            raise RecipientsNotFound('Not Found Recipients')
+        if recipients_part_one and recipients_part_two:
+            print('\033[32m>>> 账号的密钥将被拆分成前后两部分发送\033[0m')
+            files = self.create_excel(section='front')
+            self.send_backup_mail(files, recipients_part_one)
+
+            files = self.create_excel(section='back')
+            self.send_backup_mail(files, recipients_part_two)
+        else:
+            recipients = recipients_part_one or recipients_part_two
+            files = self.create_excel()
+            self.send_backup_mail(files, recipients)
+
     def run(self):
         print('任务开始: {}'.format(local_now_display()))
         time_start = time.time()
@@ -229,4 +293,4 @@ class AccountBackupHandler:
         finally:
             print('\n任务结束: {}'.format(local_now_display()))
             timedelta = round((time.time() - time_start), 2)
-            print('用时: {}'.format(timedelta))
+            print('用时: {}s'.format(timedelta))

apps/accounts/automations/change_secret/custom/ssh/main.yml

@@ -1,6 +1,7 @@
 - hosts: custom
   gather_facts: no
   vars:
+    asset_port: "{{ jms_asset.protocols | selectattr('name', 'equalto', 'ssh') | map(attribute='port') | first }}"
     ansible_connection: local
     ansible_become: false
 
@@ -8,7 +9,7 @@
     - name: Test privileged account (paramiko)
       ssh_ping:
         login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
+        login_port: "{{ asset_port }}"
         login_user: "{{ jms_account.username }}"
         login_password: "{{ jms_account.secret }}"
         login_secret_type: "{{ jms_account.secret_type }}"
@@ -19,13 +20,14 @@
         become_password: "{{ custom_become_password | default('') }}"
         become_private_key_path: "{{ custom_become_private_key_path | default(None) }}"
       register: ping_info
+      delegate_to: localhost
 
     - name: Change asset password (paramiko)
       custom_command:
         login_user: "{{ jms_account.username }}"
         login_password: "{{ jms_account.secret }}"
         login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
+        login_port: "{{ asset_port }}"
         login_secret_type: "{{ jms_account.secret_type }}"
         login_private_key_path: "{{ jms_account.private_key_path }}"
         become: "{{ custom_become | default(False) }}"
@@ -40,11 +42,17 @@
       ignore_errors: true
       when: ping_info is succeeded
       register: change_info
+      delegate_to: localhost
 
     - name: Verify password (paramiko)
       ssh_ping:
         login_user: "{{ account.username }}"
         login_password: "{{ account.secret }}"
         login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
-        become: false
+        login_port: "{{ asset_port }}"
+        become: "{{ account.become.ansible_become | default(False) }}"
+        become_method: su
+        become_user: "{{ account.become.ansible_user | default('') }}"
+        become_password: "{{ account.become.ansible_password | default('') }}"
+        become_private_key_path: "{{ account.become.ansible_ssh_private_key_file | default(None) }}"
+      delegate_to: localhost

apps/accounts/automations/change_secret/database/mongodb/main.yml

@@ -1,7 +1,7 @@
 - hosts: mongodb
   gather_facts: no
   vars:
-    ansible_python_interpreter: /usr/local/bin/python
+    ansible_python_interpreter: /opt/py3/bin/python
 
   tasks:
     - name: Test MongoDB connection
@@ -11,9 +11,9 @@
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
         login_database: "{{ jms_asset.spec_info.db_name }}"
-        ssl: "{{ jms_asset.spec_info.use_ssl }}"
-        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
-        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
+        ssl: "{{ jms_asset.spec_info.use_ssl | default('') }}"
+        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert | default('') }}"
+        ssl_certfile: "{{ jms_asset.secret_info.client_key | default('') }}"
         connection_options:
           - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
       register: db_info
@@ -31,8 +31,8 @@
         login_port: "{{ jms_asset.port }}"
         login_database: "{{ jms_asset.spec_info.db_name }}"
         ssl: "{{ jms_asset.spec_info.use_ssl }}"
-        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
-        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
+        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert | default('') }}"
+        ssl_certfile: "{{ jms_asset.secret_info.client_key | default('') }}"
         connection_options:
           - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
         db: "{{ jms_asset.spec_info.db_name }}"
@@ -49,7 +49,7 @@
         login_port: "{{ jms_asset.port }}"
         login_database: "{{ jms_asset.spec_info.db_name }}"
         ssl: "{{ jms_asset.spec_info.use_ssl }}"
-        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
-        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
+        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert | default('') }}"
+        ssl_certfile: "{{ jms_asset.secret_info.client_key | default('') }}"
         connection_options:
           - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"

apps/accounts/automations/change_secret/database/mysql/main.yml

@@ -1,8 +1,9 @@
 - hosts: mysql
   gather_facts: no
   vars:
-    ansible_python_interpreter: /usr/local/bin/python
+    ansible_python_interpreter: /opt/py3/bin/python
     db_name: "{{ jms_asset.spec_info.db_name }}"
+    check_ssl: "{{ jms_asset.spec_info.use_ssl and not jms_asset.spec_info.allow_invalid_cert }}"
 
   tasks:
     - name: Test MySQL connection
@@ -11,6 +12,10 @@
         login_password: "{{ jms_account.secret }}"
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
+        check_hostname: "{{ check_ssl if check_ssl else omit }}"
+        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) if check_ssl else omit }}"
+        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) if check_ssl else omit }}"
+        client_key: "{{ jms_asset.secret_info.client_key | default(omit) if check_ssl else omit }}"
         filter: version
       register: db_info
 
@@ -24,6 +29,10 @@
         login_password: "{{ jms_account.secret }}"
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
+        check_hostname: "{{ check_ssl if check_ssl else omit }}"
+        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) if check_ssl else omit }}"
+        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) if check_ssl else omit }}"
+        client_key: "{{ jms_asset.secret_info.client_key | default(omit) if check_ssl else omit }}"
         name: "{{ account.username }}"
         password: "{{ account.secret }}"
         host: "%"
@@ -37,4 +46,8 @@
         login_password: "{{ account.secret }}"
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
+        check_hostname: "{{ check_ssl if check_ssl else omit }}"
+        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) if check_ssl else omit }}"
+        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) if check_ssl else omit }}"
+        client_key: "{{ jms_asset.secret_info.client_key | default(omit) if check_ssl else omit }}"
         filter: version

apps/accounts/automations/change_secret/database/oracle/main.yml

@@ -1,7 +1,7 @@
 - hosts: oracle
   gather_facts: no
   vars:
-    ansible_python_interpreter: /usr/local/bin/python
+    ansible_python_interpreter: /opt/py3/bin/python
 
   tasks:
     - name: Test Oracle connection

apps/accounts/automations/change_secret/database/postgresql/main.yml

@@ -1,7 +1,7 @@
 - hosts: postgre
   gather_facts: no
   vars:
-    ansible_python_interpreter: /usr/local/bin/python
+    ansible_python_interpreter: /opt/py3/bin/python
 
   tasks:
     - name: Test PostgreSQL connection

apps/accounts/automations/change_secret/database/sqlserver/main.yml

@@ -1,7 +1,7 @@
 - hosts: sqlserver
   gather_facts: no
   vars:
-    ansible_python_interpreter: /usr/local/bin/python
+    ansible_python_interpreter: /opt/py3/bin/python
 
   tasks:
     - name: Test SQLServer connection
@@ -40,7 +40,7 @@
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
         name: '{{ jms_asset.spec_info.db_name }}'
-        script: "ALTER LOGIN {{ account.username }} WITH PASSWORD = '{{ account.secret }}'; select @@version"
+        script: "ALTER LOGIN {{ account.username }} WITH PASSWORD = '{{ account.secret }}', DEFAULT_DATABASE = {{ jms_asset.spec_info.db_name }}; select @@version"
       ignore_errors: true
       when: user_exist.query_results[0] | length != 0
 
@@ -51,7 +51,7 @@
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
         name: '{{ jms_asset.spec_info.db_name }}'
-        script: "CREATE LOGIN {{ account.username }} WITH PASSWORD = '{{ account.secret }}'; select @@version"
+        script: "CREATE LOGIN {{ account.username }} WITH PASSWORD = '{{ account.secret }}', DEFAULT_DATABASE = {{ jms_asset.spec_info.db_name }}; CREATE USER {{ account.username }} FOR LOGIN {{ account.username }}; select @@version"
       ignore_errors: true
       when: user_exist.query_results[0] | length == 0
 

apps/accounts/automations/change_secret/host/aix/main.yml

@@ -80,7 +80,11 @@
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
         gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
-        become: false
+        become: "{{ account.become.ansible_become | default(False) }}"
+        become_method: su
+        become_user: "{{ account.become.ansible_user | default('') }}"
+        become_password: "{{ account.become.ansible_password | default('') }}"
+        become_private_key_path: "{{ account.become.ansible_ssh_private_key_file | default(None) }}"
       when: account.secret_type == "password"
       delegate_to: localhost
 
@@ -91,6 +95,5 @@
         login_user: "{{ account.username }}"
         login_private_key_path: "{{ account.private_key_path  }}"
         gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
-        become: false
       when: account.secret_type == "ssh_key"
       delegate_to: localhost

apps/accounts/automations/change_secret/host/posix/main.yml

@@ -80,7 +80,11 @@
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
         gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
-        become: false
+        become: "{{ account.become.ansible_become | default(False) }}"
+        become_method: su
+        become_user: "{{ account.become.ansible_user | default('') }}"
+        become_password: "{{ account.become.ansible_password | default('') }}"
+        become_private_key_path: "{{ account.become.ansible_ssh_private_key_file | default(None) }}"
       when: account.secret_type == "password"
       delegate_to: localhost
 
@@ -91,6 +95,5 @@
         login_user: "{{ account.username }}"
         login_private_key_path: "{{ account.private_key_path  }}"
         gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
-        become: false
       when: account.secret_type == "ssh_key"
       delegate_to: localhost

apps/accounts/automations/change_secret/host/windows_rdp_verify/main.yml

@@ -0,0 +1,35 @@
+- hosts: demo
+  gather_facts: no
+  tasks:
+    - name: Test privileged account
+      ansible.windows.win_ping:
+
+#    - name: Print variables
+#      debug:
+#        msg: "Username: {{ account.username }}, Password: {{ account.secret }}"
+
+    - name: Change password
+      ansible.windows.win_user:
+        fullname: "{{ account.username}}"
+        name: "{{ account.username }}"
+        password: "{{ account.secret }}"
+        password_never_expires: yes
+        groups: "{{ params.groups }}"
+        groups_action: add
+        update_password: always
+      ignore_errors: true
+      when: account.secret_type == "password"
+
+    - name: Refresh connection
+      ansible.builtin.meta: reset_connection
+
+    - name: Verify password (pyfreerdp)
+      rdp_ping:
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.protocols | selectattr('name', 'equalto', 'rdp') | map(attribute='port') | first }}"
+        login_user: "{{ account.username }}"
+        login_password: "{{ account.secret }}"
+        login_secret_type: "{{ account.secret_type }}"
+        login_private_key_path: "{{ account.private_key_path }}"
+      when: account.secret_type == "password"
+      delegate_to: localhost

apps/accounts/automations/change_secret/host/windows_rdp_verify/manifest.yml

@@ -0,0 +1,26 @@
+id: change_secret_windows_rdp_verify
+name: "{{ 'Windows account change secret rdp verify' | trans }}"
+version: 1
+method: change_secret
+category: host
+type:
+  - windows
+params:
+  - name: groups
+    type: str
+    label: '用户组'
+    default: 'Users,Remote Desktop Users'
+    help_text: "{{ 'Params groups help text' | trans }}"
+
+
+i18n:
+  Windows account change secret rdp verify:
+    zh: '使用 Ansible 模块 win_user 执行 Windows 账号改密 RDP 协议测试最后的可连接性'
+    ja: 'Ansibleモジュールwin_userはWindowsアカウントの改密RDPプロトコルテストの最後の接続性を実行する'
+    en: 'Using the Ansible module win_user performs Windows account encryption RDP protocol testing for final connectivity'
+
+  Params groups help text:
+    zh: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
+    ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
+    en: 'Please enter the group. Multiple groups are separated by commas (please enter the existing group)'
+

apps/accounts/automations/change_secret/manager.py

@@ -1,6 +1,5 @@
 import os
 import time
-from collections import defaultdict
 from copy import deepcopy
 
 from django.conf import settings
@@ -14,7 +13,7 @@ from accounts.serializers import ChangeSecretRecordBackUpSerializer
 from assets.const import HostTypes
 from common.utils import get_logger
 from common.utils.file import encrypt_and_compress_zip_file
-from common.utils.timezone import local_now_display
+from common.utils.timezone import local_now_filename
 from users.models import User
 from ..base.manager import AccountBasePlaybookManager
 from ...utils import SecretGenerator
@@ -27,7 +26,7 @@ class ChangeSecretManager(AccountBasePlaybookManager):
 
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
-        self.method_hosts_mapper = defaultdict(list)
+        self.record_id = self.execution.snapshot.get('record_id')
         self.secret_type = self.execution.snapshot.get('secret_type')
         self.secret_strategy = self.execution.snapshot.get(
             'secret_strategy', SecretStrategy.custom
@@ -50,7 +49,9 @@ class ChangeSecretManager(AccountBasePlaybookManager):
         kwargs['exclusive'] = 'yes' if kwargs['strategy'] == SSHKeyStrategy.set else 'no'
 
         if kwargs['strategy'] == SSHKeyStrategy.set_jms:
-            kwargs['dest'] = '/home/{}/.ssh/authorized_keys'.format(account.username)
+            username = account.username
+            path = f'/{username}' if username == "root" else f'/home/{username}'
+            kwargs['dest'] = f'{path}/.ssh/authorized_keys'
             kwargs['regexp'] = '.*{}$'.format(secret.split()[2].strip())
         return kwargs
 
@@ -96,17 +97,13 @@ class ChangeSecretManager(AccountBasePlaybookManager):
 
         accounts = self.get_accounts(account)
         if not accounts:
-            print('没有发现待改密账号: %s 用户ID: %s 类型: %s' % (
+            print('没有发现待处理的账号: %s 用户ID: %s 类型: %s' % (
                 asset.name, self.account_ids, self.secret_type
             ))
             return []
 
-        method_attr = getattr(automation, self.method_type() + '_method')
-        method_hosts = self.method_hosts_mapper[method_attr]
-        method_hosts = [h for h in method_hosts if h != host['name']]
-        inventory_hosts = []
         records = []
-
+        inventory_hosts = []
         if asset.type == HostTypes.WINDOWS and self.secret_type == SecretType.SSH_KEY:
             print(f'Windows {asset} does not support ssh key push')
             return inventory_hosts
@@ -116,13 +113,20 @@ class ChangeSecretManager(AccountBasePlaybookManager):
             h = deepcopy(host)
             secret_type = account.secret_type
             h['name'] += '(' + account.username + ')'
-            new_secret = self.get_secret(secret_type)
+            if self.secret_type is None:
+                new_secret = account.secret
+            else:
+                new_secret = self.get_secret(secret_type)
+
+            if self.record_id is None:
+                recorder = ChangeSecretRecord(
+                    asset=asset, account=account, execution=self.execution,
+                    old_secret=account.secret, new_secret=new_secret,
+                )
+                records.append(recorder)
+            else:
+                recorder = ChangeSecretRecord.objects.get(id=self.record_id)
 
-            recorder = ChangeSecretRecord(
-                asset=asset, account=account, execution=self.execution,
-                old_secret=account.secret, new_secret=new_secret,
-            )
-            records.append(recorder)
             self.name_recorder_mapper[h['name']] = recorder
 
             private_key_path = None
@@ -136,13 +140,12 @@ class ChangeSecretManager(AccountBasePlaybookManager):
                 'username': account.username,
                 'secret_type': secret_type,
                 'secret': new_secret,
-                'private_key_path': private_key_path
+                'private_key_path': private_key_path,
+                'become': account.get_ansible_become_auth(),
             }
             if asset.platform.type == 'oracle':
                 h['account']['mode'] = 'sysdba' if account.privileged else None
             inventory_hosts.append(h)
-            method_hosts.append(h['name'])
-        self.method_hosts_mapper[method_attr] = method_hosts
         ChangeSecretRecord.objects.bulk_create(records)
         return inventory_hosts
 
@@ -170,7 +173,7 @@ class ChangeSecretManager(AccountBasePlaybookManager):
         recorder.save()
 
     def on_runner_failed(self, runner, e):
-        logger.error("Change secret error: ", e)
+        logger.error("Account error: ", e)
 
     def check_secret(self):
         if self.secret_strategy == SecretStrategy.custom \
@@ -180,9 +183,11 @@ class ChangeSecretManager(AccountBasePlaybookManager):
         return True
 
     def run(self, *args, **kwargs):
-        if not self.check_secret():
+        if self.secret_type and not self.check_secret():
             return
         super().run(*args, **kwargs)
+        if self.record_id:
+            return
         recorders = self.name_recorder_mapper.values()
         recorders = list(recorders)
         self.send_recorder_mail(recorders)
@@ -196,7 +201,7 @@ class ChangeSecretManager(AccountBasePlaybookManager):
 
         name = self.execution.snapshot['name']
         path = os.path.join(os.path.dirname(settings.BASE_DIR), 'tmp')
-        filename = os.path.join(path, f'{name}-{local_now_display()}-{time.time()}.xlsx')
+        filename = os.path.join(path, f'{name}-{local_now_filename()}-{time.time()}.xlsx')
         if not self.create_file(recorders, filename):
             return
 
@@ -204,7 +209,7 @@ class ChangeSecretManager(AccountBasePlaybookManager):
             attachments = []
             if user.secret_key:
                 password = user.secret_key.encode('utf8')
-                attachment = os.path.join(path, f'{name}-{local_now_display()}-{time.time()}.zip')
+                attachment = os.path.join(path, f'{name}-{local_now_filename()}-{time.time()}.zip')
                 encrypt_and_compress_zip_file(attachment, password, [filename])
                 attachments = [attachment]
             ChangeSecretExecutionTaskMsg(name, user).publish(attachments)

apps/accounts/automations/gather_accounts/database/mongodb/main.yml

@@ -1,7 +1,7 @@
 - hosts: mongodb
   gather_facts: no
   vars:
-    ansible_python_interpreter: /usr/local/bin/python
+    ansible_python_interpreter: /opt/py3/bin/python
 
   tasks:
     - name: Get info
@@ -12,8 +12,8 @@
         login_port: "{{ jms_asset.port }}"
         login_database: "{{ jms_asset.spec_info.db_name }}"
         ssl: "{{ jms_asset.spec_info.use_ssl }}"
-        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
-        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
+        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert | default('') }}"
+        ssl_certfile: "{{ jms_asset.secret_info.client_key | default('') }}"
         connection_options:
           - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
         filter: users

apps/accounts/automations/gather_accounts/database/mysql/main.yml

@@ -1,7 +1,8 @@
 - hosts: mysql
   gather_facts: no
   vars:
-    ansible_python_interpreter: /usr/local/bin/python
+    ansible_python_interpreter: /opt/py3/bin/python
+    check_ssl: "{{ jms_asset.spec_info.use_ssl and not jms_asset.spec_info.allow_invalid_cert }}"
 
   tasks:
     - name: Get info
@@ -10,6 +11,10 @@
         login_password: "{{ jms_account.secret }}"
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
+        check_hostname: "{{ check_ssl if check_ssl else omit }}"
+        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) if check_ssl else omit }}"
+        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) if check_ssl else omit }}"
+        client_key: "{{ jms_asset.secret_info.client_key | default(omit) if check_ssl else omit }}"
         filter: users
       register: db_info
 

apps/accounts/automations/gather_accounts/database/oracle/main.yml

@@ -1,7 +1,7 @@
 - hosts: oralce
   gather_facts: no
   vars:
-    ansible_python_interpreter: /usr/local/bin/python
+    ansible_python_interpreter: /opt/py3/bin/python
 
   tasks:
     - name: Get info

apps/accounts/automations/gather_accounts/database/postgresql/main.yml

@@ -1,7 +1,7 @@
 - hosts: postgresql
   gather_facts: no
   vars:
-    ansible_python_interpreter: /usr/local/bin/python
+    ansible_python_interpreter: /opt/py3/bin/python
 
   tasks:
     - name: Get info

apps/accounts/automations/gather_accounts/manager.py

@@ -1,9 +1,14 @@
+from collections import defaultdict
+
 from accounts.const import AutomationTypes
 from accounts.models import GatheredAccount
+from assets.models import Asset
 from common.utils import get_logger
 from orgs.utils import tmp_to_org
+from users.models import User
 from .filter import GatherAccountsFilter
 from ..base.manager import AccountBasePlaybookManager
+from ...notifications import GatherAccountChangeMsg
 
 logger = get_logger(__name__)
 
@@ -12,6 +17,9 @@ class GatherAccountsManager(AccountBasePlaybookManager):
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
         self.host_asset_mapper = {}
+        self.asset_account_info = {}
+
+        self.asset_username_mapper = defaultdict(set)
         self.is_sync_account = self.execution.snapshot.get('is_sync_account')
 
     @classmethod
@@ -26,10 +34,11 @@ class GatherAccountsManager(AccountBasePlaybookManager):
     def filter_success_result(self, tp, result):
         result = GatherAccountsFilter(tp).run(self.method_id_meta_mapper, result)
         return result
-    @staticmethod
-    def generate_data(asset, result):
+
+    def generate_data(self, asset, result):
         data = []
         for username, info in result.items():
+            self.asset_username_mapper[str(asset.id)].add(username)
             d = {'asset': asset, 'username': username, 'present': True}
             if info.get('date'):
                 d['date_last_login'] = info['date']
@@ -38,26 +47,85 @@ class GatherAccountsManager(AccountBasePlaybookManager):
             data.append(d)
         return data
 
-    def update_or_create_accounts(self, asset, result):
+    def collect_asset_account_info(self, asset, result):
         data = self.generate_data(asset, result)
-        with tmp_to_org(asset.org_id):
-            gathered_accounts = []
-            GatheredAccount.objects.filter(asset=asset, present=True).update(present=False)
-            for d in data:
-                username = d['username']
-                gathered_account, __ = GatheredAccount.objects.update_or_create(
-                    defaults=d, asset=asset, username=username,
-                )
-                gathered_accounts.append(gathered_account)
-            if not self.is_sync_account:
-                return
-            GatheredAccount.sync_accounts(gathered_accounts)
+        self.asset_account_info[asset] = data
 
     def on_host_success(self, host, result):
         info = result.get('debug', {}).get('res', {}).get('info', {})
         asset = self.host_asset_mapper.get(host)
         if asset and info:
             result = self.filter_success_result(asset.type, info)
-            self.update_or_create_accounts(asset, result)
+            self.collect_asset_account_info(asset, result)
         else:
-            logger.error("Not found info".format(host))
+            logger.error(f'Not found {host} info')
+
+    def update_or_create_accounts(self):
+        for asset, data in self.asset_account_info.items():
+            with tmp_to_org(asset.org_id):
+                gathered_accounts = []
+                GatheredAccount.objects.filter(asset=asset, present=True).update(present=False)
+                for d in data:
+                    username = d['username']
+                    gathered_account, __ = GatheredAccount.objects.update_or_create(
+                        defaults=d, asset=asset, username=username,
+                    )
+                    gathered_accounts.append(gathered_account)
+                if not self.is_sync_account:
+                    return
+                GatheredAccount.sync_accounts(gathered_accounts)
+
+    def run(self, *args, **kwargs):
+        super().run(*args, **kwargs)
+        users, change_info = self.generate_send_users_and_change_info()
+        self.update_or_create_accounts()
+        self.send_email_if_need(users, change_info)
+
+    def generate_send_users_and_change_info(self):
+        recipients = self.execution.recipients
+        if not self.asset_username_mapper or not recipients:
+            return None, None
+
+        users = User.objects.filter(id__in=recipients)
+        if not users:
+            return users, None
+
+        asset_ids = self.asset_username_mapper.keys()
+        assets = Asset.objects.filter(id__in=asset_ids)
+        gather_accounts = GatheredAccount.objects.filter(asset_id__in=asset_ids, present=True)
+        asset_id_map = {str(asset.id): asset for asset in assets}
+        asset_id_username = list(assets.values_list('id', 'accounts__username'))
+        asset_id_username.extend(list(gather_accounts.values_list('asset_id', 'username')))
+
+        system_asset_username_mapper = defaultdict(set)
+        for asset_id, username in asset_id_username:
+            system_asset_username_mapper[str(asset_id)].add(username)
+
+        change_info = {}
+        for asset_id, usernames in self.asset_username_mapper.items():
+            system_usernames = system_asset_username_mapper.get(asset_id)
+
+            if not system_usernames:
+                continue
+
+            add_usernames = usernames - system_usernames
+            remove_usernames = system_usernames - usernames
+            k = f'{asset_id_map[asset_id]}[{asset_id}]'
+
+            if not add_usernames and not remove_usernames:
+                continue
+
+            change_info[k] = {
+                'add_usernames': ', '.join(add_usernames),
+                'remove_usernames': ', '.join(remove_usernames),
+            }
+
+        return users, change_info
+
+    @staticmethod
+    def send_email_if_need(users, change_info):
+        if not users or not change_info:
+            return
+
+        for user in users:
+            GatherAccountChangeMsg(user, change_info).publish_async()

apps/accounts/automations/push_account/database/mongodb/main.yml

@@ -1,7 +1,7 @@
 - hosts: mongodb
   gather_facts: no
   vars:
-    ansible_python_interpreter: /usr/local/bin/python
+    ansible_python_interpreter: /opt/py3/bin/python
 
   tasks:
     - name: Test MongoDB connection
@@ -12,8 +12,8 @@
         login_port: "{{ jms_asset.port }}"
         login_database: "{{ jms_asset.spec_info.db_name }}"
         ssl: "{{ jms_asset.spec_info.use_ssl }}"
-        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
-        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
+        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert | default('') }}"
+        ssl_certfile: "{{ jms_asset.secret_info.client_key | default('') }}"
         connection_options:
           - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
       register: db_info
@@ -31,8 +31,8 @@
         login_port: "{{ jms_asset.port }}"
         login_database: "{{ jms_asset.spec_info.db_name }}"
         ssl: "{{ jms_asset.spec_info.use_ssl }}"
-        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
-        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
+        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert | default('') }}"
+        ssl_certfile: "{{ jms_asset.secret_info.client_key | default('') }}"
         connection_options:
           - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
         db: "{{ jms_asset.spec_info.db_name }}"
@@ -49,7 +49,7 @@
         login_port: "{{ jms_asset.port }}"
         login_database: "{{ jms_asset.spec_info.db_name }}"
         ssl: "{{ jms_asset.spec_info.use_ssl }}"
-        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
-        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
+        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert | default('') }}"
+        ssl_certfile: "{{ jms_asset.secret_info.client_key | default('') }}"
         connection_options:
           - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"

apps/accounts/automations/push_account/database/mysql/main.yml

@@ -1,8 +1,9 @@
 - hosts: mysql
   gather_facts: no
   vars:
-    ansible_python_interpreter: /usr/local/bin/python
+    ansible_python_interpreter: /opt/py3/bin/python
     db_name: "{{ jms_asset.spec_info.db_name }}"
+    check_ssl: "{{ jms_asset.spec_info.use_ssl and not jms_asset.spec_info.allow_invalid_cert }}"
 
   tasks:
     - name: Test MySQL connection
@@ -11,6 +12,10 @@
         login_password: "{{ jms_account.secret }}"
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
+        check_hostname: "{{ check_ssl if check_ssl else omit }}"
+        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) if check_ssl else omit }}"
+        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) if check_ssl else omit }}"
+        client_key: "{{ jms_asset.secret_info.client_key | default(omit) if check_ssl else omit }}"
         filter: version
       register: db_info
 
@@ -24,6 +29,10 @@
         login_password: "{{ jms_account.secret }}"
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
+        check_hostname: "{{ check_ssl if check_ssl else omit }}"
+        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) if check_ssl else omit }}"
+        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) if check_ssl else omit }}"
+        client_key: "{{ jms_asset.secret_info.client_key | default(omit) if check_ssl else omit }}"
         name: "{{ account.username }}"
         password: "{{ account.secret }}"
         host: "%"
@@ -37,4 +46,8 @@
         login_password: "{{ account.secret }}"
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
+        check_hostname: "{{ check_ssl if check_ssl else omit }}"
+        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) if check_ssl else omit }}"
+        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) if check_ssl else omit }}"
+        client_key: "{{ jms_asset.secret_info.client_key | default(omit) if check_ssl else omit }}"
         filter: version

apps/accounts/automations/push_account/database/oracle/main.yml

@@ -1,7 +1,7 @@
 - hosts: oracle
   gather_facts: no
   vars:
-    ansible_python_interpreter: /usr/local/bin/python
+    ansible_python_interpreter: /opt/py3/bin/python
 
   tasks:
     - name: Test Oracle connection

apps/accounts/automations/push_account/database/postgresql/main.yml

@@ -1,7 +1,7 @@
 - hosts: postgre
   gather_facts: no
   vars:
-    ansible_python_interpreter: /usr/local/bin/python
+    ansible_python_interpreter: /opt/py3/bin/python
 
   tasks:
     - name: Test PostgreSQL connection
@@ -31,6 +31,7 @@
         role_attr_flags: LOGIN
       ignore_errors: true
       when: result is succeeded
+      register: change_info
 
     - name: Verify password
       community.postgresql.postgresql_ping:
@@ -42,3 +43,5 @@
       when:
         - result is succeeded
         - change_info is succeeded
+      register: result
+      failed_when: not result.is_available

apps/accounts/automations/push_account/database/sqlserver/main.yml

@@ -1,7 +1,7 @@
 - hosts: sqlserver
   gather_facts: no
   vars:
-    ansible_python_interpreter: /usr/local/bin/python
+    ansible_python_interpreter: /opt/py3/bin/python
 
   tasks:
     - name: Test SQLServer connection
@@ -40,7 +40,7 @@
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
         name: '{{ jms_asset.spec_info.db_name }}'
-        script: "ALTER LOGIN {{ account.username }} WITH PASSWORD = '{{ account.secret }}'; select @@version"
+        script: "ALTER LOGIN {{ account.username }} WITH PASSWORD = '{{ account.secret }}', DEFAULT_DATABASE = {{ jms_asset.spec_info.db_name }}; select @@version"
       ignore_errors: true
       when: user_exist.query_results[0] | length != 0
       register: change_info
@@ -52,7 +52,7 @@
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
         name: '{{ jms_asset.spec_info.db_name }}'
-        script: "CREATE LOGIN {{ account.username }} WITH PASSWORD = '{{ account.secret }}'; select @@version"
+        script: "CREATE LOGIN [{{ account.username }}] WITH PASSWORD = '{{ account.secret }}'; CREATE USER [{{ account.username }}] FOR LOGIN [{{ account.username }}]; select @@version"
       ignore_errors: true
       when: user_exist.query_results[0] | length == 0
       register: change_info

apps/accounts/automations/push_account/host/aix/main.yml

@@ -80,7 +80,11 @@
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
         gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
-        become: false
+        become: "{{ account.become.ansible_become | default(False) }}"
+        become_method: su
+        become_user: "{{ account.become.ansible_user | default('') }}"
+        become_password: "{{ account.become.ansible_password | default('') }}"
+        become_private_key_path: "{{ account.become.ansible_ssh_private_key_file | default(None) }}"
       when: account.secret_type == "password"
       delegate_to: localhost
 
@@ -91,7 +95,6 @@
         login_user: "{{ account.username }}"
         login_private_key_path: "{{ account.private_key_path  }}"
         gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
-        become: false
       when: account.secret_type == "ssh_key"
       delegate_to: localhost
 

apps/accounts/automations/push_account/host/posix/main.yml

@@ -80,7 +80,11 @@
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
         gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
-        become: false
+        become: "{{ account.become.ansible_become | default(False) }}"
+        become_method: su
+        become_user: "{{ account.become.ansible_user | default('') }}"
+        become_password: "{{ account.become.ansible_password | default('') }}"
+        become_private_key_path: "{{ account.become.ansible_ssh_private_key_file | default(None) }}"
       when: account.secret_type == "password"
       delegate_to: localhost
 
@@ -91,7 +95,6 @@
         login_user: "{{ account.username }}"
         login_private_key_path: "{{ account.private_key_path  }}"
         gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
-        become: false
       when: account.secret_type == "ssh_key"
       delegate_to: localhost
 

apps/accounts/automations/push_account/host/windows_rdp_verify/main.yml

@@ -0,0 +1,35 @@
+- hosts: demo
+  gather_facts: no
+  tasks:
+    - name: Test privileged account
+      ansible.windows.win_ping:
+
+#    - name: Print variables
+#      debug:
+#        msg: "Username: {{ account.username }}, Password: {{ account.secret }}"
+
+    - name: Push user password
+      ansible.windows.win_user:
+        fullname: "{{ account.username}}"
+        name: "{{ account.username }}"
+        password: "{{ account.secret }}"
+        password_never_expires: yes
+        groups: "{{ params.groups }}"
+        groups_action: add
+        update_password: always
+      ignore_errors: true
+      when: account.secret_type == "password"
+
+    - name: Refresh connection
+      ansible.builtin.meta: reset_connection
+
+    - name: Verify password (pyfreerdp)
+      rdp_ping:
+        login_host: "{{ jms_asset.address }}"
+        login_port: "{{ jms_asset.protocols | selectattr('name', 'equalto', 'rdp') | map(attribute='port') | first }}"
+        login_user: "{{ account.username }}"
+        login_password: "{{ account.secret }}"
+        login_secret_type: "{{ account.secret_type }}"
+        login_private_key_path: "{{ account.private_key_path }}"
+      when: account.secret_type == "password"
+      delegate_to: localhost

apps/accounts/automations/push_account/host/windows_rdp_verify/manifest.yml

@@ -0,0 +1,19 @@
+id: push_account_windows_rdp_verify
+name: "{{ 'Windows account push rdp verify' | trans }}"
+version: 1
+method: push_account
+category: host
+type:
+  - windows
+params:
+  - name: groups
+    type: str
+    label: '用户组'
+    default: 'Users,Remote Desktop Users'
+    help_text: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
+
+i18n:
+  Windows account push rdp verify:
+    zh: 使用 Ansible 模块 win_user 执行 Windows 账号推送 RDP 协议测试最后的可连接性
+    ja: Ansibleモジュールwin_userがWindowsアカウントプッシュRDPプロトコルテストを実行する最後の接続性
+    en: Using the Ansible module win_user performs Windows account push RDP protocol testing for final connectivity

apps/accounts/automations/push_account/manager.py

@@ -1,7 +1,4 @@
-from copy import deepcopy
-
-from accounts.const import AutomationTypes, SecretType, Connectivity
-from assets.const import HostTypes
+from accounts.const import AutomationTypes
 from common.utils import get_logger
 from ..base.manager import AccountBasePlaybookManager
 from ..change_secret.manager import ChangeSecretManager
@@ -10,83 +7,11 @@ logger = get_logger(__name__)
 
 
 class PushAccountManager(ChangeSecretManager, AccountBasePlaybookManager):
-    ansible_account_prefer = ''
 
     @classmethod
     def method_type(cls):
         return AutomationTypes.push_account
 
-    def host_callback(self, host, asset=None, account=None, automation=None, path_dir=None, **kwargs):
-        host = super(ChangeSecretManager, self).host_callback(
-            host, asset=asset, account=account, automation=automation,
-            path_dir=path_dir, **kwargs
-        )
-        if host.get('error'):
-            return host
-
-        accounts = self.get_accounts(account)
-        inventory_hosts = []
-        if asset.type == HostTypes.WINDOWS and self.secret_type == SecretType.SSH_KEY:
-            msg = f'Windows {asset} does not support ssh key push'
-            print(msg)
-            return inventory_hosts
-
-        host['ssh_params'] = {}
-        for account in accounts:
-            h = deepcopy(host)
-            secret_type = account.secret_type
-            h['name'] += '(' + account.username + ')'
-            if self.secret_type is None:
-                new_secret = account.secret
-            else:
-                new_secret = self.get_secret(secret_type)
-
-            self.name_recorder_mapper[h['name']] = {
-                'account': account, 'new_secret': new_secret,
-            }
-
-            private_key_path = None
-            if secret_type == SecretType.SSH_KEY:
-                private_key_path = self.generate_private_key_path(new_secret, path_dir)
-                new_secret = self.generate_public_key(new_secret)
-
-            h['ssh_params'].update(self.get_ssh_params(account, new_secret, secret_type))
-            h['account'] = {
-                'name': account.name,
-                'username': account.username,
-                'secret_type': secret_type,
-                'secret': new_secret,
-                'private_key_path': private_key_path
-            }
-            if asset.platform.type == 'oracle':
-                h['account']['mode'] = 'sysdba' if account.privileged else None
-            inventory_hosts.append(h)
-        return inventory_hosts
-
-    def on_host_success(self, host, result):
-        account_info = self.name_recorder_mapper.get(host)
-        if not account_info:
-            return
-
-        account = account_info['account']
-        new_secret = account_info['new_secret']
-        if not account:
-            return
-        account.secret = new_secret
-        account.save(update_fields=['secret'])
-        account.set_connectivity(Connectivity.OK)
-
-    def on_host_error(self, host, error, result):
-        pass
-
-    def on_runner_failed(self, runner, e):
-        logger.error("Pust account error: ", e)
-
-    def run(self, *args, **kwargs):
-        if self.secret_type and not self.check_secret():
-            return
-        super(ChangeSecretManager, self).run(*args, **kwargs)
-
     # @classmethod
     # def trigger_by_asset_create(cls, asset):
     #     automations = PushAccountAutomation.objects.filter(

apps/accounts/automations/verify_account/custom/rdp/main.yml

@@ -8,7 +8,7 @@
     - name: Verify account (pyfreerdp)
       rdp_ping:
         login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
+        login_port: "{{ jms_asset.protocols | selectattr('name', 'equalto', 'rdp') | map(attribute='port') | first }}"
         login_user: "{{ account.username }}"
         login_password: "{{ account.secret }}"
         login_secret_type: "{{ account.secret_type }}"

apps/accounts/automations/verify_account/custom/ssh/main.yml

@@ -2,19 +2,20 @@
   gather_facts: no
   vars:
     ansible_connection: local
+    ansible_shell_type: sh
     ansible_become: false
 
   tasks:
     - name: Verify account (paramiko)
       ssh_ping:
         login_host: "{{ jms_asset.address }}"
-        login_port: "{{ jms_asset.port }}"
+        login_port: "{{ jms_asset.protocols | selectattr('name', 'equalto', 'ssh') | map(attribute='port') | first }}"
         login_user: "{{ account.username }}"
         login_password: "{{ account.secret }}"
         login_secret_type: "{{ account.secret_type }}"
         login_private_key_path: "{{ account.private_key_path }}"
-        become: "{{ custom_become | default(False) }}"
-        become_method: "{{ custom_become_method | default('su') }}"
-        become_user: "{{ custom_become_user | default('') }}"
-        become_password: "{{ custom_become_password | default('') }}"
-        become_private_key_path: "{{ custom_become_private_key_path | default(None) }}"
+        become: "{{ account.become.ansible_become | default(False) }}"
+        become_method: "{{ account.become.ansible_become_method | default('su') }}"
+        become_user: "{{ account.become.ansible_user | default('') }}"
+        become_password: "{{ account.become.ansible_password | default('') }}"
+        become_private_key_path: "{{ account.become.ansible_ssh_private_key_file | default(None) }}"

apps/accounts/automations/verify_account/database/mongodb/main.yml

@@ -1,7 +1,7 @@
 - hosts: mongdb
   gather_facts: no
   vars:
-    ansible_python_interpreter: /usr/local/bin/python
+    ansible_python_interpreter: /opt/py3/bin/python
 
   tasks:
     - name: Verify account
@@ -12,7 +12,7 @@
         login_port: "{{ jms_asset.port }}"
         login_database: "{{ jms_asset.spec_info.db_name }}"
         ssl: "{{ jms_asset.spec_info.use_ssl }}"
-        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert }}"
-        ssl_certfile: "{{ jms_asset.secret_info.client_key }}"
+        ssl_ca_certs: "{{ jms_asset.secret_info.ca_cert | default('') }}"
+        ssl_certfile: "{{ jms_asset.secret_info.client_key | default('') }}"
         connection_options:
-          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
+          - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert }}"

apps/accounts/automations/verify_account/database/mysql/main.yml

@@ -1,7 +1,8 @@
 - hosts: mysql
   gather_facts: no
   vars:
-    ansible_python_interpreter: /usr/local/bin/python
+    ansible_python_interpreter: /opt/py3/bin/python
+    check_ssl: "{{ jms_asset.spec_info.use_ssl and not jms_asset.spec_info.allow_invalid_cert }}"
 
   tasks:
     - name: Verify account
@@ -10,4 +11,8 @@
         login_password: "{{ account.secret }}"
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
+        check_hostname: "{{ check_ssl if check_ssl else omit }}"
+        ca_cert: "{{ jms_asset.secret_info.ca_cert | default(omit) if check_ssl else omit }}"
+        client_cert: "{{ jms_asset.secret_info.client_cert | default(omit) if check_ssl else omit }}"
+        client_key: "{{ jms_asset.secret_info.client_key | default(omit) if check_ssl else omit }}"
         filter: version

apps/accounts/automations/verify_account/database/oracle/main.yml

@@ -1,7 +1,7 @@
 - hosts: oracle
   gather_facts: no
   vars:
-    ansible_python_interpreter: /usr/local/bin/python
+    ansible_python_interpreter: /opt/py3/bin/python
 
   tasks:
     - name: Verify account

apps/accounts/automations/verify_account/database/postgresql/main.yml

@@ -1,8 +1,7 @@
 - hosts: postgresql
   gather_facts: no
   vars:
-    ansible_python_interpreter: /usr/local/bin/python
-
+    ansible_python_interpreter: /opt/py3/bin/python
 
   tasks:
     - name: Verify account

apps/accounts/automations/verify_account/database/sqlserver/main.yml

@@ -1,7 +1,7 @@
 - hosts: sqlserver
   gather_facts: no
   vars:
-    ansible_python_interpreter: /usr/local/bin/python
+    ansible_python_interpreter: /opt/py3/bin/python
 
   tasks:
     - name: Verify account

apps/accounts/automations/verify_account/host/posix/main.yml

@@ -1,11 +1,23 @@
 - hosts: demo
   gather_facts: no
   tasks:
-    - name: Verify account connectivity
-      become: no
+    - name: Verify account connectivity(Do not switch)
       ansible.builtin.ping:
       vars:
         ansible_become: no
         ansible_user: "{{ account.username }}"
         ansible_password: "{{ account.secret }}"
         ansible_ssh_private_key_file: "{{ account.private_key_path }}"
+      when: not account.become.ansible_become
+
+    - name: Verify account connectivity(Switch)
+      ansible.builtin.ping:
+      vars:
+        ansible_become: yes
+        ansible_user: "{{ account.become.ansible_user }}"
+        ansible_password: "{{ account.become.ansible_password }}"
+        ansible_ssh_private_key_file: "{{ account.become.ansible_ssh_private_key_file }}"
+        ansible_become_method: "{{ account.become.ansible_become_method }}"
+        ansible_become_user: "{{ account.become.ansible_become_user }}"
+        ansible_become_password: "{{ account.become.ansible_become_password }}"
+      when: account.become.ansible_become

apps/accounts/automations/verify_account/manager.py

@@ -42,7 +42,6 @@ class VerifyAccountManager(AccountBasePlaybookManager):
         if host.get('error'):
             return host
 
-        # host['ssh_args'] = '-o ControlMaster=no -o ControlPersist=no'
         accounts = asset.accounts.all()
         accounts = self.get_accounts(account, accounts)
         inventory_hosts = []
@@ -64,7 +63,8 @@ class VerifyAccountManager(AccountBasePlaybookManager):
                 'username': account.username,
                 'secret_type': account.secret_type,
                 'secret': secret,
-                'private_key_path': private_key_path
+                'private_key_path': private_key_path,
+                'become': account.get_ansible_become_auth(),
             }
             if account.platform.type == 'oracle':
                 h['account']['mode'] = 'sysdba' if account.privileged else None

apps/accounts/const/automation.py

@@ -4,17 +4,19 @@ from django.utils.translation import gettext_lazy as _
 from assets.const import Connectivity
 from common.db.fields import TreeChoices
 
-string_punctuation = '!#$%&()*+,-.:;<=>?@[]^_~'
 DEFAULT_PASSWORD_LENGTH = 30
 DEFAULT_PASSWORD_RULES = {
     'length': DEFAULT_PASSWORD_LENGTH,
-    'symbol_set': string_punctuation
+    'uppercase': True,
+    'lowercase': True,
+    'digit': True,
+    'symbol': True,
 }
 
 __all__ = [
     'AutomationTypes', 'SecretStrategy', 'SSHKeyStrategy', 'Connectivity',
     'DEFAULT_PASSWORD_LENGTH', 'DEFAULT_PASSWORD_RULES', 'TriggerChoice',
-    'PushAccountActionChoice',
+    'PushAccountActionChoice', 'AccountBackupType'
 ]
 
 
@@ -41,8 +43,8 @@ class AutomationTypes(models.TextChoices):
 
 
 class SecretStrategy(models.TextChoices):
-    custom = 'specific', _('Specific password')
-    random = 'random', _('Random')
+    custom = 'specific', _('Specific secret')
+    random = 'random', _('Random generate')
 
 
 class SSHKeyStrategy(models.TextChoices):
@@ -93,3 +95,10 @@ class TriggerChoice(models.TextChoices, TreeChoices):
 class PushAccountActionChoice(models.TextChoices):
     create_and_push = 'create_and_push', _('Create and push')
     only_create = 'only_create', _('Only create')
+
+
+class AccountBackupType(models.TextChoices):
+    """Backup type"""
+    email = 'email', _('Email')
+    # 目前只支持sftp方式
+    object_storage = 'object_storage', _('SFTP')

apps/accounts/migrations/0003_automation.py

@@ -38,7 +38,7 @@ class Migration(migrations.Migration):
                 'verbose_name': 'Automation execution',
                 'verbose_name_plural': 'Automation executions',
                 'permissions': [('view_changesecretexecution', 'Can view change secret execution'),
-                                ('add_changesecretexection', 'Can add change secret execution'),
+                                ('add_changesecretexecution', 'Can add change secret execution'),
                                 ('view_gatheraccountsexecution', 'Can view gather accounts execution'),
                                 ('add_gatheraccountsexecution', 'Can add gather accounts execution')],
                 'proxy': True,
@@ -113,10 +113,10 @@ class Migration(migrations.Migration):
                 ('comment', models.TextField(blank=True, default='', verbose_name='Comment')),
                 ('id', models.UUIDField(default=uuid.uuid4, primary_key=True, serialize=False)),
                 ('old_secret', common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='Old secret')),
-                ('new_secret', common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='Secret')),
+                ('new_secret', common.db.fields.EncryptTextField(blank=True, null=True, verbose_name='New secret')),
                 ('date_started', models.DateTimeField(blank=True, null=True, verbose_name='Date started')),
                 ('date_finished', models.DateTimeField(blank=True, null=True, verbose_name='Date finished')),
-                ('status', models.CharField(default='pending', max_length=16)),
+                ('status', models.CharField(default='pending', max_length=16, verbose_name='Status')),
                 ('error', models.TextField(blank=True, null=True, verbose_name='Error')),
                 ('account',
                  models.ForeignKey(null=True, on_delete=django.db.models.deletion.CASCADE, to='accounts.account')),
@@ -184,7 +184,7 @@ class Migration(migrations.Migration):
         migrations.AlterModelOptions(
             name='automationexecution',
             options={'permissions': [('view_changesecretexecution', 'Can view change secret execution'),
-                                     ('add_changesecretexection', 'Can add change secret execution'),
+                                     ('add_changesecretexecution', 'Can add change secret execution'),
                                      ('view_gatheraccountsexecution', 'Can view gather accounts execution'),
                                      ('add_gatheraccountsexecution', 'Can add gather accounts execution'),
                                      ('view_pushaccountexecution', 'Can view push account execution'),

apps/accounts/migrations/0004_auto_20230106_1507.py

@@ -13,11 +13,11 @@ class Migration(migrations.Migration):
         migrations.AlterField(
             model_name='changesecretautomation',
             name='secret_strategy',
-            field=models.CharField(choices=[('specific', 'Specific password'), ('random', 'Random')], default='specific', max_length=16, verbose_name='Secret strategy'),
+            field=models.CharField(choices=[('specific', 'Specific secret'), ('random', 'Random generate')], default='specific', max_length=16, verbose_name='Secret strategy'),
         ),
         migrations.AlterField(
             model_name='pushaccountautomation',
             name='secret_strategy',
-            field=models.CharField(choices=[('specific', 'Specific password'), ('random', 'Random')], default='specific', max_length=16, verbose_name='Secret strategy'),
+            field=models.CharField(choices=[('specific', 'Specific secret'), ('random', 'Random generate')], default='specific', max_length=16, verbose_name='Secret strategy'),
         ),
     ]

apps/accounts/migrations/0015_auto_20230825_1120.py

@@ -0,0 +1,34 @@
+# Generated by Django 4.1.10 on 2023-08-25 03:19
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0122_auto_20230803_1553'),
+        ('accounts', '0014_virtualaccount'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='accounttemplate',
+            name='auto_push',
+            field=models.BooleanField(default=False, verbose_name='Auto push'),
+        ),
+        migrations.AddField(
+            model_name='accounttemplate',
+            name='platforms',
+            field=models.ManyToManyField(related_name='account_templates', to='assets.platform', verbose_name='Platforms', blank=True),
+        ),
+        migrations.AddField(
+            model_name='accounttemplate',
+            name='push_params',
+            field=models.JSONField(default=dict, verbose_name='Push params'),
+        ),
+        migrations.AddField(
+            model_name='accounttemplate',
+            name='secret_strategy',
+            field=models.CharField(choices=[('specific', 'Specific secret'), ('random', 'Random generate')], default='specific', max_length=16, verbose_name='Secret strategy'),
+        ),
+    ]

apps/accounts/migrations/0016_accounttemplate_password_rules.py

@@ -0,0 +1,18 @@
+# Generated by Django 4.1.10 on 2023-09-18 08:09
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('accounts', '0015_auto_20230825_1120'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='accounttemplate',
+            name='password_rules',
+            field=models.JSONField(default=dict, verbose_name='Password rules'),
+        ),
+    ]

apps/accounts/migrations/0017_alter_automationexecution_options.py

@@ -0,0 +1,25 @@
+# Generated by Django 4.1.10 on 2023-10-24 05:59
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ('accounts', '0016_accounttemplate_password_rules'),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name='automationexecution',
+            options={
+                'permissions': [
+                    ('view_changesecretexecution', 'Can view change secret execution'),
+                    ('add_changesecretexecution', 'Can add change secret execution'),
+                    ('view_gatheraccountsexecution', 'Can view gather accounts execution'),
+                    ('add_gatheraccountsexecution', 'Can add gather accounts execution'),
+                    ('view_pushaccountexecution', 'Can view push account execution'),
+                    ('add_pushaccountexecution', 'Can add push account execution')
+                ],
+                'verbose_name': 'Automation execution', 'verbose_name_plural': 'Automation executions'},
+        ),
+    ]

apps/accounts/migrations/0018_accountbackupautomation_backup_type_and_more.py

@@ -0,0 +1,45 @@
+# Generated by Django 4.1.10 on 2023-11-03 07:10
+
+import common.db.fields
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('terminal', '0067_alter_replaystorage_type'),
+        ('accounts', '0017_alter_automationexecution_options'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='accountbackupautomation',
+            name='backup_type',
+            field=models.CharField(choices=[('email', 'Email'), ('object_storage', 'Object Storage')], default='email', max_length=128),
+        ),
+        migrations.AddField(
+            model_name='accountbackupautomation',
+            name='is_password_divided_by_email',
+            field=models.BooleanField(default=True),
+        ),
+        migrations.AddField(
+            model_name='accountbackupautomation',
+            name='is_password_divided_by_obj_storage',
+            field=models.BooleanField(default=True),
+        ),
+        migrations.AddField(
+            model_name='accountbackupautomation',
+            name='obj_recipients_part_one',
+            field=models.ManyToManyField(blank=True, related_name='obj_recipient_part_one_plans', to='terminal.replaystorage', verbose_name='Object Storage Recipient part one'),
+        ),
+        migrations.AddField(
+            model_name='accountbackupautomation',
+            name='obj_recipients_part_two',
+            field=models.ManyToManyField(blank=True, related_name='obj_recipient_part_two_plans', to='terminal.replaystorage', verbose_name='Object Storage Recipient part two'),
+        ),
+        migrations.AddField(
+            model_name='accountbackupautomation',
+            name='zip_encrypt_password',
+            field=common.db.fields.EncryptCharField(blank=True, max_length=4096, null=True, verbose_name='Zip Encrypt Password'),
+        ),
+    ]

apps/accounts/migrations/0019_gatheraccountsautomation_recipients.py

@@ -0,0 +1,20 @@
+# Generated by Django 4.1.10 on 2023-10-31 06:12
+
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+        ('accounts', '0018_accountbackupautomation_backup_type_and_more'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='gatheraccountsautomation',
+            name='recipients',
+            field=models.ManyToManyField(blank=True, to=settings.AUTH_USER_MODEL, verbose_name='Recipient'),
+        ),
+    ]

apps/accounts/migrations/0020_alter_accountbackupautomation_backup_type_and_more.py

@@ -0,0 +1,28 @@
+# Generated by Django 4.1.10 on 2023-11-16 02:13
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('accounts', '0019_gatheraccountsautomation_recipients'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='accountbackupautomation',
+            name='backup_type',
+            field=models.CharField(choices=[('email', 'Email'), ('object_storage', 'SFTP')], default='email', max_length=128, verbose_name='Backup Type'),
+        ),
+        migrations.AlterField(
+            model_name='accountbackupautomation',
+            name='is_password_divided_by_email',
+            field=models.BooleanField(default=True, verbose_name='Is Password Divided'),
+        ),
+        migrations.AlterField(
+            model_name='accountbackupautomation',
+            name='is_password_divided_by_obj_storage',
+            field=models.BooleanField(default=True, verbose_name='Is Password Divided'),
+        ),
+    ]

apps/accounts/mixins.py

@@ -0,0 +1,75 @@
+from rest_framework.response import Response
+from rest_framework import status
+from django.utils import translation
+from django.utils.translation import gettext_noop
+
+from audits.const import ActionChoices
+from common.views.mixins import RecordViewLogMixin
+from common.utils import i18n_fmt
+
+
+class AccountRecordViewLogMixin(RecordViewLogMixin):
+    get_object: callable
+    get_queryset: callable
+
+    @staticmethod
+    def _filter_params(params):
+        new_params = {}
+        need_pop_params = ('format', 'order')
+        for key, value in params.items():
+            if key in need_pop_params:
+                continue
+            if isinstance(value, list):
+                value = list(filter(None, value))
+            if value:
+                new_params[key] = value
+        return new_params
+
+    def get_resource_display(self, request):
+        query_params = dict(request.query_params)
+        params = self._filter_params(query_params)
+
+        spm_filter = params.pop("spm", None)
+
+        if not params and not spm_filter:
+            display_message = gettext_noop("Export all")
+        elif spm_filter:
+            display_message = gettext_noop("Export only selected items")
+        else:
+            query = ",".join(
+                ["%s=%s" % (key, value) for key, value in params.items()]
+            )
+            display_message = i18n_fmt(gettext_noop("Export filtered: %s"), query)
+        return display_message
+
+    @property
+    def detail_msg(self):
+        return i18n_fmt(
+            gettext_noop('User %s view/export secret'), self.request.user
+        )
+
+    def list(self, request, *args, **kwargs):
+        list_func = getattr(super(), 'list')
+        if not callable(list_func):
+            return Response(status=status.HTTP_405_METHOD_NOT_ALLOWED)
+        response = list_func(request, *args, **kwargs)
+        with translation.override('en'):
+            resource_display = self.get_resource_display(request)
+            ids = [q.id for q in self.get_queryset()]
+            self.record_logs(
+                ids, ActionChoices.view, self.detail_msg, resource_display=resource_display
+            )
+        return response
+
+    def retrieve(self, request, *args, **kwargs):
+        retrieve_func = getattr(super(), 'retrieve')
+        if not callable(retrieve_func):
+            return Response(status=status.HTTP_405_METHOD_NOT_ALLOWED)
+        response = retrieve_func(request, *args, **kwargs)
+        with translation.override('en'):
+            resource = self.get_object()
+            self.record_logs(
+                [resource.id], ActionChoices.view, self.detail_msg, resource=resource
+            )
+        return response
+

apps/accounts/models/__init__.py

@@ -1,5 +1,5 @@
-from .account import *
-from .automations import *
-from .base import *
-from .template import *
-from .virtual import *
+from .account import *  # noqa
+from .base import *  # noqa
+from .automations import *  # noqa
+from .template import *  # noqa
+from .virtual import *  # noqa

apps/accounts/models/account.py

@@ -95,6 +95,33 @@ class Account(AbsConnectivity, BaseAccount):
         """ 排除自己和以自己为 su-from 的账号 """
         return self.asset.accounts.exclude(id=self.id).exclude(su_from=self)
 
+    @staticmethod
+    def make_account_ansible_vars(su_from):
+        var = {
+            'ansible_user': su_from.username,
+        }
+        if not su_from.secret:
+            return var
+        var['ansible_password'] = su_from.secret
+        var['ansible_ssh_private_key_file'] = su_from.private_key_path
+        return var
+
+    def get_ansible_become_auth(self):
+        su_from = self.su_from
+        platform = self.platform
+        auth = {'ansible_become': False}
+        if not (platform.su_enabled and su_from):
+            return auth
+
+        auth.update(self.make_account_ansible_vars(su_from))
+        become_method = platform.su_method if platform.su_method else 'sudo'
+        password = su_from.secret if become_method == 'sudo' else self.secret
+        auth['ansible_become'] = True
+        auth['ansible_become_method'] = become_method
+        auth['ansible_become_user'] = self.username
+        auth['ansible_become_password'] = password
+        return auth
+
 
 def replace_history_model_with_mixin():
     """

apps/accounts/models/automations/backup_account.py

@@ -8,10 +8,11 @@ from django.db import models
 from django.db.models import F
 from django.utils.translation import gettext_lazy as _
 
+from accounts.const.automation import AccountBackupType
 from common.const.choices import Trigger
+from common.db import fields
 from common.db.encoder import ModelJSONFieldEncoder
-from common.utils import get_logger
-from common.utils import lazyproperty
+from common.utils import get_logger, lazyproperty
 from ops.mixin import PeriodTaskModelMixin
 from orgs.mixins.models import OrgModelMixin, JMSOrgBaseModel
 
@@ -22,6 +23,10 @@ logger = get_logger(__file__)
 
 class AccountBackupAutomation(PeriodTaskModelMixin, JMSOrgBaseModel):
     types = models.JSONField(default=list)
+    backup_type = models.CharField(max_length=128, choices=AccountBackupType.choices,
+                                   default=AccountBackupType.email.value, verbose_name=_('Backup Type'))
+    is_password_divided_by_email = models.BooleanField(default=True, verbose_name=_('Is Password Divided'))
+    is_password_divided_by_obj_storage = models.BooleanField(default=True, verbose_name=_('Is Password Divided'))
     recipients_part_one = models.ManyToManyField(
         'users.User', related_name='recipient_part_one_plans', blank=True,
         verbose_name=_("Recipient part one")
@@ -30,6 +35,16 @@ class AccountBackupAutomation(PeriodTaskModelMixin, JMSOrgBaseModel):
         'users.User', related_name='recipient_part_two_plans', blank=True,
         verbose_name=_("Recipient part two")
     )
+    obj_recipients_part_one = models.ManyToManyField(
+        'terminal.ReplayStorage', related_name='obj_recipient_part_one_plans', blank=True,
+        verbose_name=_("Object Storage Recipient part one")
+    )
+    obj_recipients_part_two = models.ManyToManyField(
+        'terminal.ReplayStorage', related_name='obj_recipient_part_two_plans', blank=True,
+        verbose_name=_("Object Storage Recipient part two")
+    )
+    zip_encrypt_password = fields.EncryptCharField(max_length=4096, blank=True, null=True,
+                                                   verbose_name=_('Zip Encrypt Password'))
 
     def __str__(self):
         return f'{self.name}({self.org_id})'
@@ -49,6 +64,7 @@ class AccountBackupAutomation(PeriodTaskModelMixin, JMSOrgBaseModel):
 
     def to_attr_json(self):
         return {
+            'id': self.id,
             'name': self.name,
             'is_periodic': self.is_periodic,
             'interval': self.interval,
@@ -56,6 +72,10 @@ class AccountBackupAutomation(PeriodTaskModelMixin, JMSOrgBaseModel):
             'org_id': self.org_id,
             'created_by': self.created_by,
             'types': self.types,
+            'backup_type': self.backup_type,
+            'is_password_divided_by_email': self.is_password_divided_by_email,
+            'is_password_divided_by_obj_storage': self.is_password_divided_by_obj_storage,
+            'zip_encrypt_password': self.zip_encrypt_password,
             'recipients_part_one': {
                 str(user.id): (str(user), bool(user.secret_key))
                 for user in self.recipients_part_one.all()
@@ -63,7 +83,15 @@ class AccountBackupAutomation(PeriodTaskModelMixin, JMSOrgBaseModel):
             'recipients_part_two': {
                 str(user.id): (str(user), bool(user.secret_key))
                 for user in self.recipients_part_two.all()
-            }
+            },
+            'obj_recipients_part_one': {
+                str(obj_storage.id): (str(obj_storage.name), str(obj_storage.type))
+                for obj_storage in self.obj_recipients_part_one.all()
+            },
+            'obj_recipients_part_two': {
+                str(obj_storage.id): (str(obj_storage.name), str(obj_storage.type))
+                for obj_storage in self.obj_recipients_part_two.all()
+            },
         }
 
     @property

apps/accounts/models/automations/base.py

@@ -1,12 +1,15 @@
+from django.db import models
 from django.utils.translation import gettext_lazy as _
 
+from accounts.const import SSHKeyStrategy
+from accounts.models import Account, SecretWithRandomMixin
 from accounts.tasks import execute_account_automation_task
 from assets.models.automations import (
     BaseAutomation as AssetBaseAutomation,
     AutomationExecution as AssetAutomationExecution
 )
 
-__all__ = ['AccountBaseAutomation', 'AutomationExecution']
+__all__ = ['AccountBaseAutomation', 'AutomationExecution', 'ChangeSecretMixin']
 
 
 class AccountBaseAutomation(AssetBaseAutomation):
@@ -30,7 +33,7 @@ class AutomationExecution(AssetAutomationExecution):
         verbose_name_plural = _("Automation executions")
         permissions = [
             ('view_changesecretexecution', _('Can view change secret execution')),
-            ('add_changesecretexection', _('Can add change secret execution')),
+            ('add_changesecretexecution', _('Can add change secret execution')),
 
             ('view_gatheraccountsexecution', _('Can view gather accounts execution')),
             ('add_gatheraccountsexecution', _('Can add gather accounts execution')),
@@ -43,3 +46,40 @@ class AutomationExecution(AssetAutomationExecution):
         from accounts.automations.endpoint import ExecutionManager
         manager = ExecutionManager(execution=self)
         return manager.run()
+
+
+class ChangeSecretMixin(SecretWithRandomMixin):
+    ssh_key_change_strategy = models.CharField(
+        choices=SSHKeyStrategy.choices, max_length=16,
+        default=SSHKeyStrategy.add, verbose_name=_('SSH key change strategy')
+    )
+    get_all_assets: callable  # get all assets
+
+    class Meta:
+        abstract = True
+
+    def create_nonlocal_accounts(self, usernames, asset):
+        pass
+
+    def get_account_ids(self):
+        usernames = self.accounts
+        accounts = Account.objects.none()
+        for asset in self.get_all_assets():
+            self.create_nonlocal_accounts(usernames, asset)
+            accounts = accounts | asset.accounts.all()
+        account_ids = accounts.filter(
+            username__in=usernames, secret_type=self.secret_type
+        ).values_list('id', flat=True)
+        return [str(_id) for _id in account_ids]
+
+    def to_attr_json(self):
+        attr_json = super().to_attr_json()
+        attr_json.update({
+            'secret': self.secret,
+            'secret_type': self.secret_type,
+            'accounts': self.get_account_ids(),
+            'password_rules': self.password_rules,
+            'secret_strategy': self.secret_strategy,
+            'ssh_key_change_strategy': self.ssh_key_change_strategy,
+        })
+        return attr_json

apps/accounts/models/automations/change_secret.py

@@ -2,62 +2,13 @@ from django.db import models
 from django.utils.translation import gettext_lazy as _
 
 from accounts.const import (
-    AutomationTypes, SecretType, SecretStrategy, SSHKeyStrategy
+    AutomationTypes
 )
-from accounts.models import Account
 from common.db import fields
 from common.db.models import JMSBaseModel
-from .base import AccountBaseAutomation
+from .base import AccountBaseAutomation, ChangeSecretMixin
 
-__all__ = ['ChangeSecretAutomation', 'ChangeSecretRecord', 'ChangeSecretMixin']
-
-
-class ChangeSecretMixin(models.Model):
-    secret_type = models.CharField(
-        choices=SecretType.choices, max_length=16,
-        default=SecretType.PASSWORD, verbose_name=_('Secret type')
-    )
-    secret = fields.EncryptTextField(blank=True, null=True, verbose_name=_('Secret'))
-    secret_strategy = models.CharField(
-        choices=SecretStrategy.choices, max_length=16,
-        default=SecretStrategy.custom, verbose_name=_('Secret strategy')
-    )
-    password_rules = models.JSONField(default=dict, verbose_name=_('Password rules'))
-    ssh_key_change_strategy = models.CharField(
-        choices=SSHKeyStrategy.choices, max_length=16,
-        default=SSHKeyStrategy.add, verbose_name=_('SSH key change strategy')
-    )
-
-    get_all_assets: callable  # get all assets
-
-    class Meta:
-        abstract = True
-
-    def create_nonlocal_accounts(self, usernames, asset):
-        pass
-
-    def get_account_ids(self):
-        usernames = self.accounts
-        accounts = Account.objects.none()
-        for asset in self.get_all_assets():
-            self.create_nonlocal_accounts(usernames, asset)
-            accounts = accounts | asset.accounts.all()
-        account_ids = accounts.filter(
-            username__in=usernames, secret_type=self.secret_type
-        ).values_list('id', flat=True)
-        return [str(_id) for _id in account_ids]
-
-    def to_attr_json(self):
-        attr_json = super().to_attr_json()
-        attr_json.update({
-            'secret': self.secret,
-            'secret_type': self.secret_type,
-            'accounts': self.get_account_ids(),
-            'password_rules': self.password_rules,
-            'secret_strategy': self.secret_strategy,
-            'ssh_key_change_strategy': self.ssh_key_change_strategy,
-        })
-        return attr_json
+__all__ = ['ChangeSecretAutomation', 'ChangeSecretRecord', ]
 
 
 class ChangeSecretAutomation(ChangeSecretMixin, AccountBaseAutomation):
@@ -89,7 +40,7 @@ class ChangeSecretRecord(JMSBaseModel):
     new_secret = fields.EncryptTextField(blank=True, null=True, verbose_name=_('New secret'))
     date_started = models.DateTimeField(blank=True, null=True, verbose_name=_('Date started'))
     date_finished = models.DateTimeField(blank=True, null=True, verbose_name=_('Date finished'))
-    status = models.CharField(max_length=16, default='pending')
+    status = models.CharField(max_length=16, default='pending', verbose_name=_('Status'))
     error = models.TextField(blank=True, null=True, verbose_name=_('Error'))
 
     class Meta:
@@ -98,9 +49,3 @@ class ChangeSecretRecord(JMSBaseModel):
 
     def __str__(self):
         return self.account.__str__()
-
-    @property
-    def timedelta(self):
-        if self.date_started and self.date_finished:
-            return self.date_finished - self.date_started
-        return None

apps/accounts/models/automations/gather_account.py

@@ -55,11 +55,15 @@ class GatherAccountsAutomation(AccountBaseAutomation):
     is_sync_account = models.BooleanField(
         default=False, blank=True, verbose_name=_("Is sync account")
     )
+    recipients = models.ManyToManyField('users.User', verbose_name=_("Recipient"), blank=True)
 
     def to_attr_json(self):
         attr_json = super().to_attr_json()
         attr_json.update({
             'is_sync_account': self.is_sync_account,
+            'recipients': [
+                str(recipient.id) for recipient in self.recipients.all()
+            ]
         })
         return attr_json
 

apps/accounts/models/automations/push_account.py

@@ -1,9 +1,9 @@
+from django.conf import settings
 from django.db import models
 from django.utils.translation import gettext_lazy as _
 
 from accounts.const import AutomationTypes
 from accounts.models import Account
-from jumpserver.utils import has_valid_xpack_license
 from .base import AccountBaseAutomation
 from .change_secret import ChangeSecretMixin
 
@@ -17,9 +17,9 @@ class PushAccountAutomation(ChangeSecretMixin, AccountBaseAutomation):
 
     def create_nonlocal_accounts(self, usernames, asset):
         secret_type = self.secret_type
-        account_usernames = asset.accounts.filter(secret_type=self.secret_type).values_list(
-            'username', flat=True
-        )
+        account_usernames = asset.accounts \
+            .filter(secret_type=self.secret_type) \
+            .values_list('username', flat=True)
         create_usernames = set(usernames) - set(account_usernames)
         create_account_objs = [
             Account(
@@ -30,9 +30,6 @@ class PushAccountAutomation(ChangeSecretMixin, AccountBaseAutomation):
         ]
         Account.objects.bulk_create(create_account_objs)
 
-    def set_period_schedule(self):
-        pass
-
     @property
     def dynamic_username(self):
         return self.username == '@USER'
@@ -44,7 +41,7 @@ class PushAccountAutomation(ChangeSecretMixin, AccountBaseAutomation):
 
     def save(self, *args, **kwargs):
         self.type = AutomationTypes.push_account
-        if not has_valid_xpack_license():
+        if not settings.XPACK_LICENSE_IS_VALID:
             self.is_periodic = False
         super().save(*args, **kwargs)
 

apps/accounts/models/base.py

@@ -8,12 +8,14 @@ from django.conf import settings
 from django.db import models
 from django.utils.translation import gettext_lazy as _
 
-from accounts.const import SecretType
+from accounts.const import SecretType, SecretStrategy
+from accounts.models.mixins import VaultModelMixin, VaultManagerMixin, VaultQuerySetMixin
+from accounts.utils import SecretGenerator
+from common.db import fields
 from common.utils import (
     ssh_key_string_to_obj, ssh_key_gen, get_logger,
     random_string, lazyproperty, parse_ssh_public_key_str, is_openssh_format_key
 )
-from accounts.models.mixins import VaultModelMixin, VaultManagerMixin, VaultQuerySetMixin
 from orgs.mixins.models import JMSOrgBaseModel, OrgManager
 
 logger = get_logger(__file__)
@@ -29,6 +31,35 @@ class BaseAccountManager(VaultManagerMixin, OrgManager):
         return self.get_queryset().active()
 
 
+class SecretWithRandomMixin(models.Model):
+    secret_type = models.CharField(
+        choices=SecretType.choices, max_length=16,
+        default=SecretType.PASSWORD, verbose_name=_('Secret type')
+    )
+    secret = fields.EncryptTextField(blank=True, null=True, verbose_name=_('Secret'))
+    secret_strategy = models.CharField(
+        choices=SecretStrategy.choices, max_length=16,
+        default=SecretStrategy.custom, verbose_name=_('Secret strategy')
+    )
+    password_rules = models.JSONField(default=dict, verbose_name=_('Password rules'))
+
+    class Meta:
+        abstract = True
+
+    @lazyproperty
+    def secret_generator(self):
+        return SecretGenerator(
+            self.secret_strategy, self.secret_type,
+            self.password_rules,
+        )
+
+    def get_secret(self):
+        if self.secret_strategy == 'random':
+            return self.secret_generator.get_secret()
+        else:
+            return self.secret
+
+
 class BaseAccount(VaultModelMixin, JMSOrgBaseModel):
     name = models.CharField(max_length=128, verbose_name=_("Name"))
     username = models.CharField(max_length=128, blank=True, verbose_name=_('Username'), db_index=True)

apps/accounts/models/mixins/vault.py

@@ -37,8 +37,9 @@ class VaultManagerMixin(models.Manager):
             post_save.send(obj.__class__, instance=obj, created=True)
         return objs
 
-    def bulk_update(self, objs, batch_size=None, ignore_conflicts=False):
-        objs = super().bulk_update(objs, batch_size=batch_size, ignore_conflicts=ignore_conflicts)
+    def bulk_update(self, objs, fields, batch_size=None):
+        fields = ["_secret" if field == "secret" else field for field in fields]
+        super().bulk_update(objs, fields, batch_size=batch_size)
         for obj in objs:
             post_save.send(obj.__class__, instance=obj, created=False)
         return objs

apps/accounts/models/template.py

@@ -4,16 +4,22 @@ from django.utils import timezone
 from django.utils.translation import gettext_lazy as _
 
 from .account import Account
-from .base import BaseAccount
+from .base import BaseAccount, SecretWithRandomMixin
 
 __all__ = ['AccountTemplate', ]
 
 
-class AccountTemplate(BaseAccount):
+class AccountTemplate(BaseAccount, SecretWithRandomMixin):
     su_from = models.ForeignKey(
         'self', related_name='su_to', null=True,
         on_delete=models.SET_NULL, verbose_name=_("Su from")
     )
+    auto_push = models.BooleanField(default=False, verbose_name=_('Auto push'))
+    platforms = models.ManyToManyField(
+        'assets.Platform', related_name='account_templates',
+        verbose_name=_('Platforms'), blank=True,
+    )
+    push_params = models.JSONField(default=dict, verbose_name=_('Push params'))
 
     class Meta:
         verbose_name = _('Account template')
@@ -25,15 +31,15 @@ class AccountTemplate(BaseAccount):
             ('change_accounttemplatesecret', _('Can change asset account template secret')),
         ]
 
+    def __str__(self):
+        return f'{self.name}({self.username})'
+
     @classmethod
     def get_su_from_account_templates(cls, pk=None):
         if pk is None:
             return cls.objects.all()
         return cls.objects.exclude(Q(id=pk) | Q(su_from_id=pk))
 
-    def __str__(self):
-        return f'{self.name}({self.username})'
-
     def get_su_from_account(self, asset):
         su_from = self.su_from
         if su_from and asset.platform.su_enabled:
@@ -43,8 +49,7 @@ class AccountTemplate(BaseAccount):
             ).first()
             return account
 
-    @staticmethod
-    def bulk_update_accounts(accounts, data):
+    def bulk_update_accounts(self, accounts):
         history_model = Account.history.model
         account_ids = accounts.values_list('id', flat=True)
         history_accounts = history_model.objects.filter(id__in=account_ids)
@@ -57,8 +62,7 @@ class AccountTemplate(BaseAccount):
         for account in accounts:
             account_id = str(account.id)
             account.version = account_id_count_map.get(account_id) + 1
-            for k, v in data.items():
-                setattr(account, k, v)
+            account.secret = self.get_secret()
         Account.objects.bulk_update(accounts, ['version', 'secret'])
 
     @staticmethod
@@ -80,7 +84,5 @@ class AccountTemplate(BaseAccount):
 
     def bulk_sync_account_secret(self, accounts, user_id):
         """ 批量同步账号密码 """
-        if not accounts:
-            return
-        self.bulk_update_accounts(accounts, {'secret': self.secret})
+        self.bulk_update_accounts(accounts)
         self.bulk_create_history_accounts(accounts, user_id)

apps/accounts/notifications.py

@@ -1,7 +1,10 @@
+from django.template.loader import render_to_string
 from django.utils.translation import gettext_lazy as _
 
-from common.tasks import send_mail_attachment_async
+from common.tasks import send_mail_attachment, upload_backup_to_obj_storage
+from notifications.notifications import UserMessage
 from users.models import User
+from terminal.models.component.storage import ReplayStorage
 
 
 class AccountBackupExecutionTaskMsg(object):
@@ -24,11 +27,30 @@ class AccountBackupExecutionTaskMsg(object):
                      "to set the encryption password").format(name)
 
     def publish(self, attachment_list=None):
-        send_mail_attachment_async(
+        send_mail_attachment(
             self.subject, self.message, [self.user.email], attachment_list
         )
 
 
+class AccountBackupByObjStorageExecutionTaskMsg(object):
+    subject = _('Notification of account backup route task results')
+
+    def __init__(self, name: str, obj_storage: ReplayStorage):
+        self.name = name
+        self.obj_storage = obj_storage
+
+    @property
+    def message(self):
+        name = self.name
+        return _('{} - The account backup passage task has been completed.'
+                 ' See the attachment for details').format(name)
+
+    def publish(self, attachment_list=None):
+        upload_backup_to_obj_storage(
+            self.obj_storage, attachment_list
+        )
+
+
 class ChangeSecretExecutionTaskMsg(object):
     subject = _('Notification of implementation result of encryption change plan')
 
@@ -48,6 +70,28 @@ class ChangeSecretExecutionTaskMsg(object):
                      "file encryption password to set the encryption password").format(name)
 
     def publish(self, attachments=None):
-        send_mail_attachment_async(
+        send_mail_attachment(
             self.subject, self.message, [self.user.email], attachments
         )
+
+
+class GatherAccountChangeMsg(UserMessage):
+    subject = _('Gather account change information')
+
+    def __init__(self, user, change_info: dict):
+        self.change_info = change_info
+        super().__init__(user)
+
+    def get_html_msg(self) -> dict:
+        context = {'change_info': self.change_info}
+        message = render_to_string('accounts/asset_account_change_info.html', context)
+
+        return {
+            'subject': str(self.subject),
+            'message': message
+        }
+
+    @classmethod
+    def gen_test_msg(cls):
+        user = User.objects.first()
+        return cls(user, {})

apps/accounts/serializers/account/account.py

@@ -2,6 +2,7 @@ import uuid
 from copy import deepcopy
 
 from django.db import IntegrityError
+from django.db import transaction
 from django.db.models import Q
 from django.utils.translation import gettext_lazy as _
 from rest_framework import serializers
@@ -73,6 +74,23 @@ class AccountCreateUpdateSerializerMixin(serializers.Serializer):
             name = name + '_' + uuid.uuid4().hex[:4]
         initial_data['name'] = name
 
+    @staticmethod
+    def get_template_attr_for_account(template):
+        # Set initial data from template
+        field_names = [
+            'name', 'username', 'secret',
+            'secret_type', 'privileged', 'is_active'
+        ]
+
+        attrs = {}
+        for name in field_names:
+            value = getattr(template, name, None)
+            if value is None:
+                continue
+            attrs[name] = value
+        attrs['secret'] = template.get_secret()
+        return attrs
+
     def from_template_if_need(self, initial_data):
         if isinstance(initial_data, str):
             return
@@ -89,20 +107,7 @@ class AccountCreateUpdateSerializerMixin(serializers.Serializer):
             raise serializers.ValidationError({'template': 'Template not found'})
 
         self._template = template
-        # Set initial data from template
-        ignore_fields = ['id', 'date_created', 'date_updated', 'su_from', 'org_id']
-        field_names = [
-            field.name for field in template._meta.fields
-            if field.name not in ignore_fields
-        ]
-        field_names = [name if name != '_secret' else 'secret' for name in field_names]
-
-        attrs = {}
-        for name in field_names:
-            value = getattr(template, name, None)
-            if value is None:
-                continue
-            attrs[name] = value
+        attrs = self.get_template_attr_for_account(template)
         initial_data.update(attrs)
         initial_data.update({
             'source': Source.TEMPLATE,
@@ -114,10 +119,13 @@ class AccountCreateUpdateSerializerMixin(serializers.Serializer):
         asset = get_object_or_404(Asset, pk=asset_id)
         initial_data['su_from'] = template.get_su_from_account(asset)
 
-    @staticmethod
-    def push_account_if_need(instance, push_now, params, stat):
+    def push_account_if_need(self, instance, push_now, params, stat):
         if not push_now or stat not in ['created', 'updated']:
             return
+        transaction.on_commit(lambda: self.start_push(instance, params))
+
+    @staticmethod
+    def start_push(instance, params):
         push_accounts_to_assets_task.delay([str(instance.id)], params)
 
     def get_validators(self):

apps/accounts/serializers/account/backup.py

@@ -5,7 +5,7 @@ from rest_framework import serializers
 
 from accounts.models import AccountBackupAutomation, AccountBackupExecution
 from common.const.choices import Trigger
-from common.serializers.fields import LabeledChoiceField
+from common.serializers.fields import LabeledChoiceField, EncryptedField
 from common.utils import get_logger
 from ops.mixin import PeriodTaskSerializerMixin
 from orgs.mixins.serializers import BulkOrgResourceModelSerializer
@@ -16,6 +16,11 @@ __all__ = ['AccountBackupSerializer', 'AccountBackupPlanExecutionSerializer']
 
 
 class AccountBackupSerializer(PeriodTaskSerializerMixin, BulkOrgResourceModelSerializer):
+    zip_encrypt_password = EncryptedField(
+        label=_('Zip Encrypt Password'), required=False, max_length=40960, allow_blank=True,
+        allow_null=True, write_only=True,
+    )
+
     class Meta:
         model = AccountBackupAutomation
         read_only_fields = [
@@ -24,7 +29,9 @@ class AccountBackupSerializer(PeriodTaskSerializerMixin, BulkOrgResourceModelSer
         ]
         fields = read_only_fields + [
             'id', 'name', 'is_periodic', 'interval', 'crontab',
-            'comment', 'types', 'recipients_part_one', 'recipients_part_two'
+            'comment', 'types', 'recipients_part_one', 'recipients_part_two', 'backup_type',
+            'is_password_divided_by_email', 'is_password_divided_by_obj_storage', 'obj_recipients_part_one',
+            'obj_recipients_part_two', 'zip_encrypt_password'
         ]
         extra_kwargs = {
             'name': {'required': True},

apps/accounts/serializers/account/template.py

@@ -1,16 +1,24 @@
 from django.utils.translation import gettext_lazy as _
 from rest_framework import serializers
 
-from accounts.models import AccountTemplate, Account
+from accounts.const import SecretStrategy, SecretType
+from accounts.models import AccountTemplate
+from accounts.utils import SecretGenerator
 from common.serializers import SecretReadableMixin
 from common.serializers.fields import ObjectRelatedField
 from .base import BaseAccountSerializer
 
 
-class AccountTemplateSerializer(BaseAccountSerializer):
-    is_sync_account = serializers.BooleanField(default=False, write_only=True)
-    _is_sync_account = False
+class PasswordRulesSerializer(serializers.Serializer):
+    length = serializers.IntegerField(min_value=8, max_value=30, default=16, label=_('Password length'))
+    lowercase = serializers.BooleanField(default=True, label=_('Lowercase'))
+    uppercase = serializers.BooleanField(default=True, label=_('Uppercase'))
+    digit = serializers.BooleanField(default=True, label=_('Digit'))
+    symbol = serializers.BooleanField(default=True, label=_('Special symbol'))
 
+
+class AccountTemplateSerializer(BaseAccountSerializer):
+    password_rules = PasswordRulesSerializer(required=False, label=_('Password rules'))
     su_from = ObjectRelatedField(
         required=False, queryset=AccountTemplate.objects, allow_null=True,
         allow_empty=True, label=_('Su from'), attrs=('id', 'name', 'username')
@@ -18,36 +26,38 @@ class AccountTemplateSerializer(BaseAccountSerializer):
 
     class Meta(BaseAccountSerializer.Meta):
         model = AccountTemplate
-        fields = BaseAccountSerializer.Meta.fields + ['is_sync_account', 'su_from']
-
-    def sync_accounts_secret(self, instance, diff):
-        if not self._is_sync_account or 'secret' not in diff:
-            return
-        query_data = {
-            'source_id': instance.id,
-            'username': instance.username,
-            'secret_type': instance.secret_type
+        fields = BaseAccountSerializer.Meta.fields + [
+            'secret_strategy', 'password_rules',
+            'auto_push', 'push_params', 'platforms',
+            'su_from'
+        ]
+        extra_kwargs = {
+            'secret_strategy': {'help_text': _('Secret generation strategy for account creation')},
+            'auto_push': {'help_text': _('Whether to automatically push the account to the asset')},
+            'platforms': {
+                'help_text': _(
+                    'Associated platform, you can configure push parameters. '
+                    'If not associated, default parameters will be used'
+                ),
+                'required': False
+            },
         }
-        accounts = Account.objects.filter(**query_data)
-        instance.bulk_sync_account_secret(accounts, self.context['request'].user.id)
+
+    @staticmethod
+    def generate_secret(attrs):
+        secret_type = attrs.get('secret_type', SecretType.PASSWORD)
+        secret_strategy = attrs.get('secret_strategy', SecretStrategy.custom)
+        password_rules = attrs.get('password_rules')
+        if secret_strategy != SecretStrategy.random:
+            return
+        generator = SecretGenerator(secret_strategy, secret_type, password_rules)
+        attrs['secret'] = generator.get_secret()
 
     def validate(self, attrs):
-        self._is_sync_account = attrs.pop('is_sync_account', None)
         attrs = super().validate(attrs)
+        self.generate_secret(attrs)
         return attrs
 
-    def update(self, instance, validated_data):
-        diff = {
-            k: v for k, v in validated_data.items()
-            if getattr(instance, k, None) != v
-        }
-        instance = super().update(instance, validated_data)
-        if {'username', 'secret_type'} & set(diff.keys()):
-            Account.objects.filter(source_id=instance.id).update(source_id=None)
-        else:
-            self.sync_accounts_secret(instance, diff)
-        return instance
-
 
 class AccountTemplateSecretSerializer(SecretReadableMixin, AccountTemplateSerializer):
     class Meta(AccountTemplateSerializer.Meta):

apps/accounts/serializers/account/virtual.py

@@ -19,8 +19,12 @@ class VirtualAccountSerializer(serializers.ModelSerializer):
             'comment': {'label': _('Comment')},
             'name': {'label': _('Name')},
             'username': {'label': _('Username')},
-            'secret_from_login': {'help_text': _('Current only support login from AD/LDAP. Secret priority: '
-                                                 'Same account in asset secret > Login secret > Manual input')
-                                  },
+            'secret_from_login': {
+                'help_text': _(
+                    'Current only support login from AD/LDAP. Secret priority: '
+                    'Same account in asset secret > Login secret > Manual input. <br/ >'
+                    'For security, please set config CACHE_LOGIN_PASSWORD_ENABLED to true'
+                )
+            },
             'alias': {'required': False},
         }

apps/accounts/serializers/automations/change_secret.py

@@ -4,14 +4,13 @@ from django.utils.translation import gettext_lazy as _
 from rest_framework import serializers
 
 from accounts.const import (
-    AutomationTypes, DEFAULT_PASSWORD_RULES,
-    SecretType, SecretStrategy, SSHKeyStrategy
+    AutomationTypes, SecretType, SecretStrategy, SSHKeyStrategy
 )
 from accounts.models import (
     Account, ChangeSecretAutomation,
     ChangeSecretRecord, AutomationExecution
 )
-from accounts.serializers import AuthValidateMixin
+from accounts.serializers import AuthValidateMixin, PasswordRulesSerializer
 from assets.models import Asset
 from common.serializers.fields import LabeledChoiceField, ObjectRelatedField
 from common.utils import get_logger
@@ -42,7 +41,7 @@ class ChangeSecretAutomationSerializer(AuthValidateMixin, BaseAutomationSerializ
     ssh_key_change_strategy = LabeledChoiceField(
         choices=SSHKeyStrategy.choices, required=False, label=_('SSH Key strategy')
     )
-    password_rules = serializers.DictField(default=DEFAULT_PASSWORD_RULES)
+    password_rules = PasswordRulesSerializer(required=False, label=_('Password rules'))
     secret_type = LabeledChoiceField(choices=get_secret_types(), required=True, label=_('Secret type'))
 
     class Meta:
@@ -72,7 +71,6 @@ class ChangeSecretAutomationSerializer(AuthValidateMixin, BaseAutomationSerializ
             return password_rules
 
         length = password_rules.get('length')
-        symbol_set = password_rules.get('symbol_set', '')
 
         try:
             length = int(length)
@@ -85,10 +83,6 @@ class ChangeSecretAutomationSerializer(AuthValidateMixin, BaseAutomationSerializ
             msg = _('* Password length range 6-30 bits')
             raise serializers.ValidationError(msg)
 
-        if not isinstance(symbol_set, str):
-            symbol_set = str(symbol_set)
-
-        password_rules = {'length': length, 'symbol_set': ''.join(symbol_set)}
         return password_rules
 
     def validate(self, attrs):
@@ -118,8 +112,8 @@ class ChangeSecretRecordSerializer(serializers.ModelSerializer):
     class Meta:
         model = ChangeSecretRecord
         fields = [
-            'id', 'asset', 'account', 'date_started', 'date_finished',
-            'timedelta', 'is_success', 'error', 'execution',
+            'id', 'asset', 'account', 'date_finished',
+            'status', 'is_success', 'error', 'execution',
         ]
         read_only_fields = fields
 

apps/accounts/serializers/automations/gather_accounts.py

@@ -18,7 +18,7 @@ class GatherAccountAutomationSerializer(BaseAutomationSerializer):
         model = GatherAccountsAutomation
         read_only_fields = BaseAutomationSerializer.Meta.read_only_fields
         fields = BaseAutomationSerializer.Meta.fields \
-                 + ['is_sync_account'] + read_only_fields
+                 + ['is_sync_account', 'recipients'] + read_only_fields
 
         extra_kwargs = BaseAutomationSerializer.Meta.extra_kwargs
 

apps/accounts/signal_handlers.py

@@ -1,9 +1,17 @@
-from django.db.models.signals import pre_save, post_save, post_delete
+from collections import defaultdict
+
+from django.db.models.signals import post_delete
+from django.db.models.signals import pre_save, post_save
 from django.dispatch import receiver
+from django.utils.translation import gettext_noop
 
 from accounts.backends import vault_client
-from common.utils import get_logger
+from audits.const import ActivityChoices
+from audits.signal_handlers import create_activities
+from common.decorators import merge_delay_run
+from common.utils import get_logger, i18n_fmt
 from .models import Account, AccountTemplate
+from .tasks.push_account import push_accounts_to_assets_task
 
 logger = get_logger(__name__)
 
@@ -16,6 +24,53 @@ def on_account_pre_save(sender, instance, **kwargs):
         instance.version = instance.history.count()
 
 
+@merge_delay_run(ttl=5)
+def push_accounts_if_need(accounts=()):
+    from .models import AccountTemplate
+
+    template_accounts = defaultdict(list)
+    for ac in accounts:
+        # 再强调一次吧
+        if ac.source != 'template':
+            continue
+        template_accounts[ac.source_id].append(ac)
+
+    for source_id, accounts in template_accounts.items():
+        template = AccountTemplate.objects.filter(id=source_id).first()
+        if not template or not template.auto_push:
+            continue
+        logger.debug("Push accounts to source: %s", source_id)
+        account_ids = [str(ac.id) for ac in accounts]
+        task = push_accounts_to_assets_task.delay(account_ids, params=template.push_params)
+        detail = i18n_fmt(
+            gettext_noop('Push related accounts to assets: %s, by system'),
+            len(account_ids)
+        )
+        create_activities([str(template.id)], detail, task.id, ActivityChoices.task, template.org_id)
+        logger.debug("Push accounts to source: %s, task: %s", source_id, task)
+
+
+def create_accounts_activities(account, action='create'):
+    if action == 'create':
+        detail = i18n_fmt(gettext_noop('Add account: %s'), str(account))
+    else:
+        detail = i18n_fmt(gettext_noop('Delete account: %s'), str(account))
+    create_activities([account.asset_id], detail, None, ActivityChoices.operate_log, account.org_id)
+
+
+@receiver(post_save, sender=Account)
+def on_account_create_by_template(sender, instance, created=False, **kwargs):
+    if not created or instance.source != 'template':
+        return
+    push_accounts_if_need(accounts=(instance,))
+    create_accounts_activities(instance, action='create')
+
+
+@receiver(post_delete, sender=Account)
+def on_account_delete(sender, instance, **kwargs):
+    create_accounts_activities(instance, action='delete')
+
+
 class VaultSignalHandler(object):
     """ 处理 Vault 相关的信号 """
 

apps/accounts/tasks/__init__.py

@@ -1,5 +1,6 @@
-from .backup_account import *
 from .automation import *
-from .push_account import *
-from .verify_account import *
+from .backup_account import *
 from .gather_accounts import *
+from .push_account import *
+from .template import *
+from .verify_account import *

apps/accounts/tasks/automation.py

@@ -1,7 +1,8 @@
 from celery import shared_task
-from django.utils.translation import gettext_lazy as _
+from django.utils.translation import gettext_lazy as _, gettext_noop
 
 from accounts.const import AutomationTypes
+from accounts.tasks.common import quickstart_automation_by_snapshot
 from common.utils import get_logger, get_object_or_none
 from orgs.utils import tmp_to_org, tmp_to_root_org
 
@@ -33,3 +34,39 @@ def execute_account_automation_task(pid, trigger, tp):
         return
     with tmp_to_org(instance.org):
         instance.execute(trigger)
+
+
+def record_task_activity_callback(self, record_id, *args, **kwargs):
+    from accounts.models import ChangeSecretRecord
+    with tmp_to_root_org():
+        record = get_object_or_none(ChangeSecretRecord, id=record_id)
+    if not record:
+        return
+    resource_ids = [record.id]
+    org_id = record.execution.org_id
+    return resource_ids, org_id
+
+
+@shared_task(
+    queue='ansible', verbose_name=_('Execute automation record'),
+    activity_callback=record_task_activity_callback
+)
+def execute_automation_record_task(record_id, tp):
+    from accounts.models import ChangeSecretRecord
+    with tmp_to_root_org():
+        instance = get_object_or_none(ChangeSecretRecord, pk=record_id)
+    if not instance:
+        logger.error("No automation record found: {}".format(record_id))
+        return
+
+    task_name = gettext_noop('Execute automation record')
+    task_snapshot = {
+        'secret': instance.new_secret,
+        'secret_type': instance.execution.snapshot.get('secret_type'),
+        'accounts': [str(instance.account_id)],
+        'assets': [str(instance.asset_id)],
+        'params': {},
+        'record_id': record_id,
+    }
+    with tmp_to_org(instance.execution.org_id):
+        quickstart_automation_by_snapshot(task_name, tp, task_snapshot)

apps/accounts/tasks/template.py

@@ -0,0 +1,60 @@
+from datetime import datetime
+
+from celery import shared_task
+from django.shortcuts import get_object_or_404
+from django.utils.translation import gettext_lazy as _
+
+from orgs.utils import tmp_to_root_org, tmp_to_org
+
+
+@shared_task(
+    verbose_name=_('Template sync info to related accounts'),
+    activity_callback=lambda self, template_id, *args, **kwargs: (template_id, None)
+)
+def template_sync_related_accounts(template_id, user_id=None):
+    from accounts.models import Account, AccountTemplate
+    with tmp_to_root_org():
+        template = get_object_or_404(AccountTemplate, id=template_id)
+    org_id = template.org_id
+
+    with tmp_to_org(org_id):
+        accounts = Account.objects.filter(source_id=template_id)
+    if not accounts:
+        print('\033[35m>>> 没有需要同步的账号, 结束任务')
+        print('\033[0m')
+        return
+
+    failed, succeeded = 0, 0
+    succeeded_account_ids = []
+    name = template.name
+    username = template.username
+    secret_type = template.secret_type
+    print(f'\033[32m>>> 开始同步模版名称、用户名、密钥类型到相关联的账号 ({datetime.now().strftime("%Y-%m-%d %H:%M:%S")})')
+    with tmp_to_org(org_id):
+        for account in accounts:
+            account.name = name
+            account.username = username
+            account.secret_type = secret_type
+            try:
+                account.save(update_fields=['name', 'username', 'secret_type'])
+                succeeded += 1
+                succeeded_account_ids.append(account.id)
+            except Exception as e:
+                account.source_id = None
+                account.save(update_fields=['source_id'])
+                print(f'\033[31m- 同步失败: [{account}] 原因: [{e}]')
+                failed += 1
+        accounts = Account.objects.filter(id__in=succeeded_account_ids)
+        if accounts:
+            print(f'\033[33m>>> 批量更新账号密文 ({datetime.now().strftime("%Y-%m-%d %H:%M:%S")})')
+            template.bulk_sync_account_secret(accounts, user_id)
+
+    total = succeeded + failed
+    print(
+        f'\033[33m>>> 同步完成:, '
+        f'共计: {total}, '
+        f'成功: {succeeded}, '
+        f'失败: {failed}, '
+        f'({datetime.now().strftime("%Y-%m-%d %H:%M:%S")}) '
+    )
+    print('\033[0m')

apps/accounts/templates/accounts/asset_account_change_info.html

@@ -0,0 +1,20 @@
+{% load i18n %}
+
+
+<table style="width: 100%; border-collapse: collapse; max-width: 100%; text-align: left; margin-top: 20px;">
+    <caption></caption>
+    <tr style="background-color: #f2f2f2;">
+        <th style="border: 1px solid #ddd; padding: 10px; font-weight: bold;">{% trans 'Asset' %}</th>
+        <th style="border: 1px solid #ddd; padding: 10px;">{% trans 'Added account' %}</th>
+        <th style="border: 1px solid #ddd; padding: 10px;">{% trans 'Deleted account' %}</th>
+    </tr>
+    {% for name, change in change_info.items %}
+        <tr style="{% cycle 'background-color: #ebf5ff;' 'background-color: #fff;' %}">
+            <td style="border: 1px solid #ddd; padding: 10px;">{{ name }}</td>
+            <td style="border: 1px solid #ddd; padding: 10px;">{{ change.add_usernames }}</td>
+            <td style="border: 1px solid #ddd; padding: 10px;">{{ change.remove_usernames }}</td>
+        </tr>
+    {% endfor %}
+</table>
+
+

apps/accounts/utils.py

@@ -1,3 +1,5 @@
+import copy
+
 from django.utils.translation import gettext_lazy as _
 from rest_framework import serializers
 
@@ -14,13 +16,23 @@ class SecretGenerator:
 
     @staticmethod
     def generate_ssh_key():
-        private_key, public_key = ssh_key_gen()
+        private_key, __ = ssh_key_gen()
         return private_key
 
     def generate_password(self):
-        length = int(self.password_rules.get('length', 0))
-        length = length if length else DEFAULT_PASSWORD_RULES['length']
-        return random_string(length, special_char=True)
+        password_rules = self.password_rules
+        if not password_rules or not isinstance(password_rules, dict):
+            password_rules = {}
+        rules = copy.deepcopy(DEFAULT_PASSWORD_RULES)
+        rules.update(password_rules)
+        rules = {
+            'length': rules['length'],
+            'lower': rules['lowercase'],
+            'upper': rules['uppercase'],
+            'digit': rules['digit'],
+            'special_char': rules['symbol']
+        }
+        return random_string(**rules)
 
     def get_secret(self):
         if self.secret_type == SecretType.SSH_KEY:
@@ -37,13 +49,15 @@ def validate_password_for_ansible(password):
     # validate password contains left double curly bracket
     # check password not contains `{{`
     # Ansible 推送的时候不支持
-    if '{{' in password:
-        raise serializers.ValidationError(_('Password can not contains `{{` '))
+    if '{{' in password or '}}' in password:
+        raise serializers.ValidationError(_('Password can not contains `{{` or `}}`'))
+    if '{%' in password or '%}' in password:
+        raise serializers.ValidationError(_('Password can not contains `{%` or `%}`'))
     # Ansible Windows 推送的时候不支持
-    if "'" in password:
-        raise serializers.ValidationError(_("Password can not contains `'` "))
-    if '"' in password:
-        raise serializers.ValidationError(_('Password can not contains `"` '))
+    # if "'" in password:
+    #     raise serializers.ValidationError(_("Password can not contains `'` "))
+    # if '"' in password:
+    #     raise serializers.ValidationError(_('Password can not contains `"` '))
 
 
 def validate_ssh_key(ssh_key, passphrase=None):

apps/acls/api/command_acl.py

@@ -10,7 +10,7 @@ __all__ = ['CommandFilterACLViewSet', 'CommandGroupViewSet']
 
 class CommandGroupViewSet(OrgBulkModelViewSet):
     model = models.CommandGroup
-    filterset_fields = ('name',)
+    filterset_fields = ('name', 'command_filters')
     search_fields = filterset_fields
     serializer_class = serializers.CommandGroupSerializer
 

apps/acls/const.py

@@ -7,3 +7,4 @@ class ActionChoices(models.TextChoices):
     accept = 'accept', _('Accept')
     review = 'review', _('Review')
     warning = 'warning', _('Warning')
+    notice = 'notice', _('Notifications')

apps/acls/migrations/0018_alter_commandfilteracl_command_groups.py

@@ -0,0 +1,18 @@
+# Generated by Django 4.1.10 on 2023-10-18 10:44
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('acls', '0017_alter_connectmethodacl_options'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='commandfilteracl',
+            name='command_groups',
+            field=models.ManyToManyField(related_name='command_filters', to='acls.commandgroup', verbose_name='Command group'),
+        ),
+    ]

apps/acls/models/base.py

@@ -103,25 +103,27 @@ class UserAssetAccountBaseACL(OrgModelMixin, UserBaseACL):
         abstract = True
 
     @classmethod
-    def filter_queryset(cls, user=None, asset=None, account=None, account_username=None, **kwargs):
+    def _get_filter_queryset(cls, user=None, asset=None, account=None, account_username=None, **kwargs):
         queryset = cls.objects.all()
-
-        if user:
-            q = cls.users.get_filter_q(user)
-            queryset = queryset.filter(q)
+        q = models.Q()
 
         if asset:
-            org_id = asset.org_id
-            with tmp_to_org(org_id):
-                q = cls.assets.get_filter_q(asset)
-            queryset = queryset.filter(q)
+            q &= cls.assets.get_filter_q(asset)
+        if user:
+            q &= cls.users.get_filter_q(user)
         if account and not account_username:
             account_username = account.username
         if account_username:
-            q = models.Q(accounts__contains=account_username) | \
-                models.Q(accounts__contains='*') | \
-                models.Q(accounts__contains='@ALL')
-            queryset = queryset.filter(q)
+            q &= models.Q(accounts__contains=account_username) | \
+                 models.Q(accounts__contains='*') | \
+                 models.Q(accounts__contains='@ALL')
         if kwargs:
-            queryset = queryset.filter(**kwargs)
+            q &= models.Q(**kwargs)
+        queryset = queryset.filter(q)
         return queryset.valid().distinct()
+
+    @classmethod
+    def filter_queryset(cls, asset=None, **kwargs):
+        org_id = asset.org_id if asset else ''
+        with tmp_to_org(org_id):
+            return cls._get_filter_queryset(asset=asset, **kwargs)

apps/acls/models/command_acl.py

@@ -93,7 +93,10 @@ class CommandGroup(JMSOrgBaseModel):
 
 
 class CommandFilterACL(UserAssetAccountBaseACL):
-    command_groups = models.ManyToManyField(CommandGroup, verbose_name=_('Command group'))
+    command_groups = models.ManyToManyField(
+        CommandGroup, verbose_name=_('Command group'),
+        related_name='command_filters'
+    )
 
     class Meta(UserAssetAccountBaseACL.Meta):
         abstract = False

apps/acls/notifications.py

@@ -0,0 +1,68 @@
+from django.template.loader import render_to_string
+from django.utils.translation import gettext_lazy as _
+
+from assets.models import Asset
+from audits.models import UserLoginLog
+from notifications.notifications import UserMessage
+from users.models import User
+
+
+class UserLoginReminderMsg(UserMessage):
+    subject = _('User login reminder')
+
+    def __init__(self, user, user_log: UserLoginLog):
+        self.user_log = user_log
+        super().__init__(user)
+
+    def get_html_msg(self) -> dict:
+        user_log = self.user_log
+
+        context = {
+            'ip': user_log.ip,
+            'city': user_log.city,
+            'username': user_log.username,
+            'recipient': self.user.username,
+            'user_agent': user_log.user_agent,
+        }
+        message = render_to_string('acls/user_login_reminder.html', context)
+
+        return {
+            'subject': str(self.subject),
+            'message': message
+        }
+
+    @classmethod
+    def gen_test_msg(cls):
+        user = User.objects.first()
+        user_log = UserLoginLog.objects.first()
+        return cls(user, user_log)
+
+
+class AssetLoginReminderMsg(UserMessage):
+    subject = _('Asset login reminder')
+
+    def __init__(self, user, asset: Asset, login_user: User, account_username):
+        self.asset = asset
+        self.login_user = login_user
+        self.account_username = account_username
+        super().__init__(user)
+
+    def get_html_msg(self) -> dict:
+        context = {
+            'recipient': self.user.username,
+            'username': self.login_user.username,
+            'asset': str(self.asset),
+            'account': self.account_username,
+        }
+        message = render_to_string('acls/asset_login_reminder.html', context)
+
+        return {
+            'subject': str(self.subject),
+            'message': message
+        }
+
+    @classmethod
+    def gen_test_msg(cls):
+        user = User.objects.first()
+        asset = Asset.objects.first()
+        return cls(user, asset, user)

apps/acls/serializers/base.py

@@ -1,9 +1,9 @@
+from django.conf import settings
 from django.utils.translation import gettext_lazy as _
 from rest_framework import serializers
 
 from acls.models.base import BaseACL
 from common.serializers.fields import JSONManyToManyField, LabeledChoiceField
-from jumpserver.utils import has_valid_xpack_license
 from orgs.models import Organization
 from ..const import ActionChoices
 
@@ -68,7 +68,7 @@ class ActionAclSerializer(serializers.Serializer):
         field_action = self.fields.get("action")
         if not field_action:
             return
-        if not has_valid_xpack_license():
+        if not settings.XPACK_LICENSE_IS_VALID:
             field_action._choices.pop(ActionChoices.review, None)
         for choice in self.Meta.action_choices_exclude:
             field_action._choices.pop(choice, None)

apps/acls/serializers/command_acl.py

@@ -8,6 +8,7 @@ from orgs.mixins.serializers import BulkOrgResourceModelSerializer
 from orgs.utils import tmp_to_root_org
 from terminal.models import Session
 from .base import BaseUserAssetAccountACLSerializer as BaseSerializer
+from ..const import ActionChoices
 
 __all__ = ["CommandFilterACLSerializer", "CommandGroupSerializer", "CommandReviewSerializer"]
 
@@ -31,8 +32,7 @@ class CommandFilterACLSerializer(BaseSerializer, BulkOrgResourceModelSerializer)
     class Meta(BaseSerializer.Meta):
         model = CommandFilterACL
         fields = BaseSerializer.Meta.fields + ['command_groups']
-        # 默认都支持所有的 actions
-        action_choices_exclude = []
+        action_choices_exclude = [ActionChoices.notice]
 
 
 class CommandReviewSerializer(serializers.Serializer):

apps/acls/serializers/connect_method.py

@@ -1,7 +1,7 @@
 from orgs.mixins.serializers import BulkOrgResourceModelSerializer
 from .base import BaseUserAssetAccountACLSerializer as BaseSerializer
-from ..models import ConnectMethodACL
 from ..const import ActionChoices
+from ..models import ConnectMethodACL
 
 __all__ = ["ConnectMethodACLSerializer"]
 
@@ -14,5 +14,5 @@ class ConnectMethodACLSerializer(BaseSerializer, BulkOrgResourceModelSerializer)
             if i not in ['assets', 'accounts']
         ]
         action_choices_exclude = BaseSerializer.Meta.action_choices_exclude + [
-            ActionChoices.review, ActionChoices.accept
+            ActionChoices.review, ActionChoices.accept, ActionChoices.notice
         ]

apps/acls/templates/acls/asset_login_reminder.html

@@ -0,0 +1,13 @@
+{% load i18n %}
+
+<h3>{% trans 'Respectful' %}{{ recipient }}，</h3>
+<hr>
+<p><strong>{% trans 'Username' %}:</strong> [{{ username }}]</p>
+<p><strong>{% trans 'Assets' %}:</strong> [{{ asset }}]</p>
+<p><strong>{% trans 'Account' %}:</strong> [{{ account }}]</p>
+<hr>
+
+<p>{% trans 'The user has just logged in to the asset. Please ensure that this is an authorized operation. If you suspect that this is an unauthorized access, please take appropriate measures immediately.' %}</p>
+
+<p>{% trans 'Thank you' %}！</p>
+

apps/acls/templates/acls/user_login_reminder.html

@@ -0,0 +1,14 @@
+{% load i18n %}
+
+<h3>{% trans 'Respectful' %}{{ recipient }}，</h3>
+<hr>
+<p><strong>{% trans 'Username' %}:</strong> [{{ username }}]</p>
+<p><strong>IP:</strong> [{{ ip }}]</p>
+<p><strong>{% trans 'Login city' %}:</strong> [{{ city }}]</p>
+<p><strong>{% trans 'User agent' %}:</strong> [{{ user_agent }}]</p>
+<hr>
+
+<p>{% trans 'The user has just successfully logged into the system. Please ensure that this is an authorized operation. If you suspect that this is an unauthorized access, please take appropriate measures immediately.' %}</p>
+
+<p>{% trans 'Thank you' %}！</p>
+

apps/assets/api/__init__.py

@@ -6,4 +6,5 @@ from .label import *
 from .mixin import *
 from .node import *
 from .platform import *
+from .protocol import *
 from .tree import *

apps/assets/api/asset/asset.py

@@ -1,9 +1,12 @@
 # -*- coding: utf-8 -*-
 #
+from collections import defaultdict
+
 import django_filters
 from django.db.models import Q
 from django.shortcuts import get_object_or_404
 from django.utils.translation import gettext as _
+from rest_framework import status
 from rest_framework.decorators import action
 from rest_framework.response import Response
 from rest_framework.status import HTTP_200_OK
@@ -12,7 +15,7 @@ from accounts.tasks import push_accounts_to_assets_task, verify_accounts_connect
 from assets import serializers
 from assets.exceptions import NotSupportedTemporarilyError
 from assets.filters import IpInFilterBackend, LabelFilterBackend, NodeFilterBackend
-from assets.models import Asset, Gateway, Platform
+from assets.models import Asset, Gateway, Platform, Protocol
 from assets.tasks import test_assets_connectivity_manual, update_assets_hardware_info_manual
 from common.api import SuggestionMixin
 from common.drf.filters import BaseFilterSet, AttrRulesFilterBackend
@@ -115,6 +118,7 @@ class AssetViewSet(SuggestionMixin, NodeFilterMixin, OrgBulkModelViewSet):
         ("gateways", "assets.view_gateway"),
         ("spec_info", "assets.view_asset"),
         ("gathered_info", "assets.view_asset"),
+        ("sync_platform_protocols", "assets.change_asset"),
     )
     extra_filter_backends = [
         LabelFilterBackend, IpInFilterBackend,
@@ -152,6 +156,39 @@ class AssetViewSet(SuggestionMixin, NodeFilterMixin, OrgBulkModelViewSet):
             gateways = asset.domain.gateways
         return self.get_paginated_response_from_queryset(gateways)
 
+    @action(methods=['post'], detail=False, url_path='sync-platform-protocols')
+    def sync_platform_protocols(self, request, *args, **kwargs):
+        platform_id = request.data.get('platform_id')
+        platform = get_object_or_404(Platform, pk=platform_id)
+        assets = platform.assets.all()
+
+        platform_protocols = {
+            p['name']: p['port']
+            for p in platform.protocols.values('name', 'port')
+        }
+        asset_protocols_map = defaultdict(set)
+        protocols = assets.prefetch_related('protocols').values_list(
+            'id', 'protocols__name'
+        )
+        for asset_id, protocol in protocols:
+            asset_id = str(asset_id)
+            asset_protocols_map[asset_id].add(protocol)
+        objs = []
+        for asset_id, protocols in asset_protocols_map.items():
+            protocol_names = set(platform_protocols) - protocols
+            if not protocol_names:
+                continue
+            for name in protocol_names:
+                objs.append(
+                    Protocol(
+                        name=name,
+                        port=platform_protocols[name],
+                        asset_id=asset_id,
+                    )
+                )
+        Protocol.objects.bulk_create(objs)
+        return Response(status=status.HTTP_200_OK)
+
     def create(self, request, *args, **kwargs):
         if request.path.find('/api/v1/assets/assets/') > -1:
             error = _('Cannot create asset directly, you should create a host or other')

apps/assets/api/category.py

@@ -13,7 +13,7 @@ __all__ = ['CategoryViewSet']
 class CategoryViewSet(ListModelMixin, JMSGenericViewSet):
     serializer_classes = {
         'default': CategorySerializer,
-        'types': TypeSerializer
+        'types': TypeSerializer,
     }
     permission_classes = (IsValidUser,)
 

apps/assets/api/mixin.py

@@ -42,7 +42,7 @@ class SerializeToTreeNodeMixin:
                 'name': _name(node),
                 'title': _name(node),
                 'pId': node.parent_key,
-                'isParent': node.assets_amount > 0,
+                'isParent': True,
                 'open': _open(node),
                 'meta': {
                     'data': {
@@ -63,6 +63,8 @@ class SerializeToTreeNodeMixin:
         return AllTypes.get_types_values(exclude_custom=True)
 
     def get_icon(self, asset):
+        if asset.category == 'device':
+            return 'switch'
         if asset.type in self.support_types:
             return asset.type
         else:

apps/assets/api/platform.py

@@ -49,13 +49,19 @@ class AssetPlatformViewSet(JMSModelViewSet):
     @action(methods=['post'], detail=False, url_path='filter-nodes-assets')
     def filter_nodes_assets(self, request, *args, **kwargs):
         node_ids = request.data.get('node_ids', [])
-        asset_ids = request.data.get('asset_ids', [])
-        nodes = Node.objects.filter(id__in=node_ids)
-        node_asset_ids = Node.get_nodes_all_assets(*nodes).values_list('id', flat=True)
-        direct_asset_ids = Asset.objects.filter(id__in=asset_ids).values_list('id', flat=True)
-        platform_ids = Asset.objects.filter(
-            id__in=set(list(direct_asset_ids) + list(node_asset_ids))
-        ).values_list('platform_id', flat=True)
+        asset_ids = set(request.data.get('asset_ids', []))
+        platform_ids = set(request.data.get('platform_ids', []))
+
+        if node_ids:
+            nodes = Node.objects.filter(id__in=node_ids)
+            node_asset_ids = Node.get_nodes_all_assets(*nodes).values_list('id', flat=True)
+            asset_ids |= set(node_asset_ids)
+
+        if asset_ids:
+            _platform_ids = Asset.objects \
+                .filter(id__in=set(asset_ids)) \
+                .values_list('platform_id', flat=True)
+            platform_ids |= set(_platform_ids)
         platforms = Platform.objects.filter(id__in=platform_ids)
         serializer = self.get_serializer(platforms, many=True)
         return Response(serializer.data)

apps/assets/api/protocol.py

@@ -0,0 +1,15 @@
+from rest_framework.generics import ListAPIView
+
+from assets import serializers
+from assets.const import Protocol
+from common.permissions import IsValidUser
+
+__all__ = ['ProtocolListApi']
+
+
+class ProtocolListApi(ListAPIView):
+    serializer_class = serializers.ProtocolSerializer
+    permission_classes = (IsValidUser,)
+
+    def get_queryset(self):
+        return list(Protocol.protocols())

apps/assets/api/tree.py

@@ -1,14 +1,14 @@
 # ~*~ coding: utf-8 ~*~
 
 from django.db.models import Q
+from django.utils.translation import gettext_lazy as _
 from rest_framework.generics import get_object_or_404
 from rest_framework.response import Response
-from django.utils.translation import gettext_lazy as _
 
 from assets.locks import NodeAddChildrenLock
+from common.exceptions import JMSException
 from common.tree import TreeNodeSerializer
 from common.utils import get_logger
-from common.exceptions import JMSException
 from orgs.mixins import generics
 from orgs.utils import current_org
 from .mixin import SerializeToTreeNodeMixin
@@ -35,8 +35,8 @@ class NodeChildrenApi(generics.ListCreateAPIView):
     is_initial = False
 
     def initial(self, request, *args, **kwargs):
+        super().initial(request, *args, **kwargs)
         self.instance = self.get_object()
-        return super().initial(request, *args, **kwargs)
 
     def perform_create(self, serializer):
         with NodeAddChildrenLock(self.instance):

apps/assets/automations/base/manager.py

@@ -1,8 +1,7 @@
+import hashlib
 import json
 import os
 import shutil
-from collections import defaultdict
-from hashlib import md5
 from socket import gethostname
 
 import yaml
@@ -37,8 +36,6 @@ class BasePlaybookManager:
         }
         # 根据执行方式就行分组, 不同资产的改密、推送等操作可能会使用不同的执行方式
         # 然后根据执行方式分组, 再根据 bulk_size 分组, 生成不同的 playbook
-        # 避免一个 playbook 中包含太多的主机
-        self.method_hosts_mapper = defaultdict(list)
         self.playbooks = []
         self.gateway_servers = dict()
         params = self.execution.snapshot.get('params')
@@ -146,7 +143,7 @@ class BasePlaybookManager:
 
     @staticmethod
     def generate_private_key_path(secret, path_dir):
-        key_name = '.' + md5(secret.encode('utf-8')).hexdigest()
+        key_name = '.' + hashlib.md5(secret.encode('utf-8')).hexdigest()
         key_path = os.path.join(path_dir, key_name)
 
         if not os.path.exists(key_path):
@@ -175,7 +172,7 @@ class BasePlaybookManager:
         method = self.method_id_meta_mapper.get(method_id)
         if not method:
             logger.error("Method not found: {}".format(method_id))
-            return method
+            return
         method_playbook_dir_path = method['dir']
         sub_playbook_path = os.path.join(sub_playbook_dir, 'project', 'main.yml')
         shutil.copytree(method_playbook_dir_path, os.path.dirname(sub_playbook_path))
@@ -196,6 +193,11 @@ class BasePlaybookManager:
             print(msg)
         runners = []
         for platform, assets in assets_group_by_platform.items():
+            if not assets:
+                continue
+            if not platform.automation or not platform.automation.ansible_enabled:
+                print(_("  - Platform {} ansible disabled").format(platform.name))
+                continue
             assets_bulked = [assets[i:i + self.bulk_size] for i in range(0, len(assets), self.bulk_size)]
 
             for i, _assets in enumerate(assets_bulked, start=1):
@@ -204,6 +206,8 @@ class BasePlaybookManager:
                 inventory_path = os.path.join(self.runtime_dir, sub_dir, 'hosts.json')
                 self.generate_inventory(_assets, inventory_path)
                 playbook_path = self.generate_playbook(_assets, platform, playbook_dir)
+                if not playbook_path:
+                    continue
 
                 runer = PlaybookRunner(
                     inventory_path,
@@ -309,6 +313,7 @@ class BasePlaybookManager:
         shutil.rmtree(self.runtime_dir)
 
     def run(self, *args, **kwargs):
+        print(">>> 任务准备阶段\n")
         runners = self.get_runners()
         if len(runners) > 1:
             print("### 分次执行任务, 总共 {}\n".format(len(runners)))