perf: aks encrypt

Co-authored-by: wangruidong <940853815@qq.com>
Co-authored-by: Bryan <jiangjie.bai@fit2cloud.com>

.dockerignore

@@ -8,4 +8,6 @@ celerybeat.pid
 .vagrant/
 apps/xpack/.git
 .history/
-.idea
+.idea
+.venv/
+.env

.gitattributes

@@ -1,4 +0,0 @@
-*.mmdb filter=lfs diff=lfs merge=lfs -text
-*.mo filter=lfs diff=lfs merge=lfs -text
-*.ipdb filter=lfs diff=lfs merge=lfs -text
-leak_passwords.db filter=lfs diff=lfs merge=lfs -text

.github/dependabot.yml.bak

@@ -0,0 +1,14 @@
+version: 2
+updates:
+  - package-ecosystem: "uv"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:30"
+      timezone: "Asia/Shanghai"
+    target-branch: dev
+    groups:
+      python-dependencies:
+        patterns:
+          - "*"

.github/workflows/translate-readme.yml

@@ -2,10 +2,14 @@ name: Translate README
 on:
   workflow_dispatch:
     inputs:
+      source_readme:
+        description: "Source README"
+        required: false
+        default: "./readmes/README.en.md"
       target_langs:
         description: "Target Languages"
         required: false
-        default: "zh-hans,zh-hant,ja,pt-br"
+        default: "zh-hans,zh-hant,ja,pt-br,es,ru"
       gen_dir_path:
         description: "Generate Dir Name"
         required: false
@@ -34,6 +38,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.PRIVATE_TOKEN }}
           OPENAI_API_KEY: ${{ secrets.GPT_API_TOKEN }}
           GPT_MODE: ${{ github.event.inputs.gpt_mode }}
+          SOURCE_README: ${{ github.event.inputs.source_readme }}
           TARGET_LANGUAGES: ${{ github.event.inputs.target_langs }}
           PUSH_BRANCH: ${{ github.event.inputs.push_branch }}
           GEN_DIR_PATH: ${{ github.event.inputs.gen_dir_path }}

.gitignore

@@ -46,3 +46,6 @@ test.py
 .test/
 *.mo
 apps.iml
+*.db
+*.mmdb
+*.ipdb

.prettierrc

@@ -0,0 +1,11 @@
+{
+  "tabWidth": 4,
+  "useTabs": false,
+  "semi": true,
+  "singleQuote": true,
+  "trailingComma": "es5",
+  "bracketSpacing": true,
+  "arrowParens": "avoid",
+  "printWidth": 100,
+  "endOfLine": "lf"
+}

Dockerfile

@@ -1,4 +1,4 @@
-FROM jumpserver/core-base:20250224_065619 AS stage-build
+FROM jumpserver/core-base:20250819_064003 AS stage-build
 
 ARG VERSION
 

Dockerfile-base

@@ -1,6 +1,6 @@
 FROM python:3.11-slim-bullseye
 ARG TARGETARCH
-
+COPY --from=ghcr.io/astral-sh/uv:0.6.14 /uv /uvx /usr/local/bin/
 # Install APT dependencies
 ARG DEPENDENCIES="                    \
         ca-certificates               \
@@ -43,18 +43,19 @@ WORKDIR /opt/jumpserver
 ARG PIP_MIRROR=https://pypi.org/simple
 ENV POETRY_PYPI_MIRROR_URL=${PIP_MIRROR}
 ENV ANSIBLE_COLLECTIONS_PATHS=/opt/py3/lib/python3.11/site-packages/ansible_collections
+ENV LANG=en_US.UTF-8 \
+    PATH=/opt/py3/bin:$PATH
+
+ENV UV_LINK_MODE=copy
 
 RUN --mount=type=cache,target=/root/.cache \
-    --mount=type=bind,source=poetry.lock,target=poetry.lock \
     --mount=type=bind,source=pyproject.toml,target=pyproject.toml \
-    --mount=type=bind,source=utils/clean_site_packages.sh,target=clean_site_packages.sh \
+    --mount=type=bind,source=requirements/clean_site_packages.sh,target=clean_site_packages.sh \
     --mount=type=bind,source=requirements/collections.yml,target=collections.yml \
+    --mount=type=bind,source=requirements/static_files.sh,target=utils/static_files.sh \
     set -ex \
-    && python3 -m venv /opt/py3 \
+    && uv venv \
-    && pip install poetry poetry-plugin-pypi-mirror -i ${PIP_MIRROR} \
+    && uv pip install -i${PIP_MIRROR} -r pyproject.toml \
-    && . /opt/py3/bin/activate \
+    && ln -sf $(pwd)/.venv /opt/py3 \
-    && poetry config virtualenvs.create false \
+    && bash utils/static_files.sh \
-    && poetry install --no-cache --only main \
+    && bash clean_site_packages.sh
-    && ansible-galaxy collection install -r collections.yml --force --ignore-certs \
-    && bash clean_site_packages.sh \
-    && poetry cache clear pypi --all

Dockerfile-ee

@@ -13,7 +13,9 @@ ARG TOOLS="                           \
         nmap                          \
         telnet                        \
         vim                           \
-        wget"
+        postgresql-client-13          \
+        wget                          \
+        poppler-utils"
 
 RUN set -ex \
     && apt-get update \
@@ -24,11 +26,7 @@ RUN set -ex \
 WORKDIR /opt/jumpserver
 
 ARG PIP_MIRROR=https://pypi.org/simple
-ENV POETRY_PYPI_MIRROR_URL=${PIP_MIRROR}
-COPY poetry.lock pyproject.toml ./
-RUN set -ex \
-    && . /opt/py3/bin/activate \
-    && pip install poetry poetry-plugin-pypi-mirror -i ${PIP_MIRROR} \
-    && poetry install --only xpack \
-    && poetry cache clear pypi --all
 
+RUN set -ex \
+    && uv pip install -i${PIP_MIRROR} --group xpack \
+    && playwright install chromium  --with-deps --only-shell

README.md

@@ -1,16 +1,18 @@
 <div align="center">
   <a name="readme-top"></a>
-  <a href="https://jumpserver.org/index-en.html"><img src="https://download.jumpserver.org/images/jumpserver-logo.svg" alt="JumpServer" width="300" /></a>
+  <a href="https://jumpserver.com" target="_blank"><img src="https://download.jumpserver.org/images/jumpserver-logo.svg" alt="JumpServer" width="300" /></a>
   
 ## An open-source PAM tool (Bastion Host)
 
 [![][license-shield]][license-link]
+[![][docs-shield]][docs-link]
+[![][deepwiki-shield]][deepwiki-link]
 [![][discord-shield]][discord-link]
 [![][docker-shield]][docker-link]
 [![][github-release-shield]][github-release-link]
 [![][github-stars-shield]][github-stars-link]
 
-[English](/README.md) · [中文(简体)](/readmes/README.zh-hans.md) · [中文(繁體)](/readmes/README.zh-hant.md) · [日本語](/readmes/README.ja.md) · [Português (Brasil)](/readmes/README.pt-br.md)
+[English](/README.md) · [中文(简体)](/readmes/README.zh-hans.md) · [中文(繁體)](/readmes/README.zh-hant.md) · [日本語](/readmes/README.ja.md) · [Português (Brasil)](/readmes/README.pt-br.md) · [Español](/readmes/README.es.md) · [Русский](/readmes/README.ru.md) · [한국어](/readmes/README.ko.md)
 
 </div>
 <br/>
@@ -19,7 +21,13 @@
 
 JumpServer is an open-source Privileged Access Management (PAM) tool that provides DevOps and IT teams with on-demand and secure access to SSH, RDP, Kubernetes, Database and RemoteApp endpoints through a web browser.
 
-![JumpServer Overview](https://github.com/jumpserver/jumpserver/assets/32935519/35a371cb-8590-40ed-88ec-f351f8cf9045)
+
+<picture>
+  <source media="(prefers-color-scheme: light)" srcset="https://www.jumpserver.com/images/jumpserver-arch-light.png">
+  <source media="(prefers-color-scheme: dark)" srcset="https://www.jumpserver.com/images/jumpserver-arch-dark.png">
+  <img src="https://github.com/user-attachments/assets/dd612f3d-c958-4f84-b164-f31b75454d7f" alt="Theme-based Image">
+</picture>
+
 
 ## Quickstart
 
@@ -36,18 +44,19 @@ Access JumpServer in your browser at `http://your-jumpserver-ip/`
 [![JumpServer Quickstart](https://github.com/user-attachments/assets/0f32f52b-9935-485e-8534-336c63389612)](https://www.youtube.com/watch?v=UlGYRbKrpgY "JumpServer Quickstart")
 
 ## Screenshots
-
 <table style="border-collapse: collapse; border: 1px solid black;">
   <tr>
     <td style="padding: 5px;background-color:#fff;"><img src= "https://github.com/jumpserver/jumpserver/assets/32935519/99fabe5b-0475-4a53-9116-4c370a1426c4" alt="JumpServer Console"   /></td>
-    <td style="padding: 5px;background-color:#fff;"><img src= "https://github.com/jumpserver/jumpserver/assets/32935519/a424d731-1c70-4108-a7d8-5bbf387dda9a" alt="JumpServer Audits"   /></td>
+    <td style="padding: 5px;background-color:#fff;"><img src= "https://github.com/user-attachments/assets/7c1f81af-37e8-4f07-8ac9-182895e1062e" alt="JumpServer PAM"   /></td>    
   </tr>
-
   <tr>
+    <td style="padding: 5px;background-color:#fff;"><img src= "https://github.com/jumpserver/jumpserver/assets/32935519/a424d731-1c70-4108-a7d8-5bbf387dda9a" alt="JumpServer Audits"   /></td>
     <td style="padding: 5px;background-color:#fff;"><img src= "https://github.com/jumpserver/jumpserver/assets/32935519/393d2c27-a2d0-4dea-882d-00ed509e00c9" alt="JumpServer Workbench"   /></td>
+  </tr>
+  <tr>
+    <td style="padding: 5px;background-color:#fff;"><img src= "https://github.com/user-attachments/assets/eaa41f66-8cc8-4f01-a001-0d258501f1c9" alt="JumpServer RBAC"   /></td>     
     <td style="padding: 5px;background-color:#fff;"><img src= "https://github.com/jumpserver/jumpserver/assets/32935519/3a2611cd-8902-49b8-b82b-2a6dac851f3e" alt="JumpServer Settings"   /></td>
   </tr>
-
   <tr>
     <td style="padding: 5px;background-color:#fff;"><img src= "https://github.com/jumpserver/jumpserver/assets/32935519/1e236093-31f7-4563-8eb1-e36d865f1568" alt="JumpServer SSH"   /></td>
     <td style="padding: 5px;background-color:#fff;"><img src= "https://github.com/jumpserver/jumpserver/assets/32935519/69373a82-f7ab-41e8-b763-bbad2ba52167" alt="JumpServer RDP"   /></td>
@@ -69,24 +78,20 @@ JumpServer consists of multiple key components, which collectively form the func
 | [KoKo](https://github.com/jumpserver/koko)             | <a href="https://github.com/jumpserver/koko/releases"><img alt="Koko release" src="https://img.shields.io/github/release/jumpserver/koko.svg" /></a>                   | JumpServer Character Protocol Connector                                                                 |
 | [Lion](https://github.com/jumpserver/lion)             | <a href="https://github.com/jumpserver/lion/releases"><img alt="Lion release" src="https://img.shields.io/github/release/jumpserver/lion.svg" /></a>                   | JumpServer Graphical Protocol Connector                                                                 |
 | [Chen](https://github.com/jumpserver/chen)             | <a href="https://github.com/jumpserver/chen/releases"><img alt="Chen release" src="https://img.shields.io/github/release/jumpserver/chen.svg" />                       | JumpServer Web DB                                                                                       |  
-| [Razor](https://github.com/jumpserver/razor)           | <img alt="Chen" src="https://img.shields.io/badge/release-private-red" />                                                                                              | JumpServer EE RDP Proxy Connector                                                                       |
+| [Tinker](https://github.com/jumpserver/tinker)         | <img alt="Tinker" src="https://img.shields.io/badge/release-private-red" />                                                                                            | JumpServer Remote Application Connector (Windows)                                                    |
-| [Tinker](https://github.com/jumpserver/tinker)         | <img alt="Tinker" src="https://img.shields.io/badge/release-private-red" />                                                                                            | JumpServer EE Remote Application Connector (Windows)                                                    |
 | [Panda](https://github.com/jumpserver/Panda)           | <img alt="Panda" src="https://img.shields.io/badge/release-private-red" />                                                                                             | JumpServer EE Remote Application Connector (Linux)                                                      |
+| [Razor](https://github.com/jumpserver/razor)           | <img alt="Chen" src="https://img.shields.io/badge/release-private-red" />                                                                                              | JumpServer EE RDP Proxy Connector                                                                       |
 | [Magnus](https://github.com/jumpserver/magnus)         | <img alt="Magnus" src="https://img.shields.io/badge/release-private-red" />                                                                                            | JumpServer EE Database Proxy Connector                                                                  |
 | [Nec](https://github.com/jumpserver/nec)               | <img alt="Nec" src="https://img.shields.io/badge/release-private-red" />                                                                                               | JumpServer EE VNC Proxy Connector                                                                       |
 | [Facelive](https://github.com/jumpserver/facelive)     | <img alt="Facelive" src="https://img.shields.io/badge/release-private-red" />                                                                                          | JumpServer EE Facial Recognition                                                                        |
 
+## Third-party projects 
+- [jumpserver-grafana-dashboard](https://github.com/acerrah/jumpserver-grafana-dashboard)   JumpServer with grafana dashboard
 
 ## Contributing
 
 Welcome to submit PR to contribute. Please refer to [CONTRIBUTING.md][contributing-link] for guidelines.
 
-## Security
-
-JumpServer is a mission critical product. Please refer to the Basic Security Recommendations for installation and deployment. If you encounter any security-related issues, please contact us directly:
-
-- Email: support@fit2cloud.com
-
 ## License
 
 Copyright (c) 2014-2025 FIT2CLOUD, All rights reserved.
@@ -100,6 +105,7 @@ Unless required by applicable law or agreed to in writing, software distributed
 <!-- JumpServer official link -->
 [docs-link]: https://jumpserver.com/docs
 [discord-link]: https://discord.com/invite/W6vYXmAQG2
+[deepwiki-link]: https://deepwiki.com/jumpserver/jumpserver/
 [contributing-link]: https://github.com/jumpserver/jumpserver/blob/dev/CONTRIBUTING.md
 
 <!-- JumpServer Other link-->
@@ -110,10 +116,10 @@ Unless required by applicable law or agreed to in writing, software distributed
 [github-issues-link]: https://github.com/jumpserver/jumpserver/issues
 
 <!-- Shield link-->
+[docs-shield]: https://img.shields.io/badge/documentation-148F76
 [github-release-shield]: https://img.shields.io/github/v/release/jumpserver/jumpserver
-[github-stars-shield]: https://img.shields.io/github/stars/jumpserver/jumpserver?color=%231890FF&style=flat-square
+[github-stars-shield]: https://img.shields.io/github/stars/jumpserver/jumpserver?color=%231890FF&style=flat-square   
 [docker-shield]: https://img.shields.io/docker/pulls/jumpserver/jms_all.svg
 [license-shield]: https://img.shields.io/github/license/jumpserver/jumpserver
+[deepwiki-shield]: https://img.shields.io/badge/deepwiki-devin?color=blue
 [discord-shield]: https://img.shields.io/discord/1194233267294052363?style=flat&logo=discord&logoColor=%23f5f5f5&labelColor=%235462eb&color=%235462eb
-
-<!-- Image link -->

SECURITY.md

@@ -5,8 +5,7 @@ JumpServer 是一款正在成长的安全产品， 请参考 [基本安全建议
 如果你发现安全问题，请直接联系我们，我们携手让世界更好：
 
 - ibuler@fit2cloud.com
-- support@fit2cloud.com
+- support@lxware.hk
-- 400-052-0755
 
 
 # Security Policy
@@ -16,6 +15,5 @@ JumpServer is a security product, The installation and development should follow
 All security bugs should be reported to the contact as below:
 
 - ibuler@fit2cloud.com
-- support@fit2cloud.com
+- support@lxware.hk
-- 400-052-0755
 

apps/accounts/api/account/account.py

@@ -41,11 +41,21 @@ class AccountViewSet(OrgBulkModelViewSet):
         'partial_update': ['accounts.change_account'],
         'su_from_accounts': 'accounts.view_account',
         'clear_secret': 'accounts.change_account',
-        'move_to_assets': 'accounts.create_account',
+        'move_to_assets': 'accounts.delete_account',
-        'copy_to_assets': 'accounts.create_account',
+        'copy_to_assets': 'accounts.add_account',
     }
     export_as_zip = True
 
+    def get_queryset(self):
+        queryset = super().get_queryset()
+        asset_id = self.request.query_params.get('asset') or self.request.query_params.get('asset_id')
+        if not asset_id:
+            return queryset
+
+        asset = get_object_or_404(Asset, pk=asset_id)
+        queryset = asset.all_accounts.all()
+        return queryset
+
     @action(methods=['get'], detail=False, url_path='su-from-accounts')
     def su_from_accounts(self, request, *args, **kwargs):
         account_id = request.query_params.get('account')
@@ -68,18 +78,25 @@ class AccountViewSet(OrgBulkModelViewSet):
         permission_classes=[IsValidUser]
     )
     def username_suggestions(self, request, *args, **kwargs):
-        asset_ids = request.data.get('assets', [])
+        raw_asset_ids = request.data.get('assets', [])
         node_ids = request.data.get('nodes', [])
         username = request.data.get('username', '')
 
-        accounts = Account.objects.all()
+        asset_ids = set(raw_asset_ids)
+
         if node_ids:
             nodes = Node.objects.filter(id__in=node_ids)
-            node_asset_ids = Node.get_nodes_all_assets(*nodes).values_list('id', flat=True)
+            node_asset_qs = Node.get_nodes_all_assets(*nodes).values_list('id', flat=True)
-            asset_ids.extend(node_asset_ids)
+            asset_ids |= {str(u) for u in node_asset_qs}
 
         if asset_ids:
-            accounts = accounts.filter(asset_id__in=list(set(asset_ids)))
+            through = Asset.directory_services.through
+            ds_qs = through.objects.filter(asset_id__in=asset_ids) \
+                .values_list('directoryservice_id', flat=True)
+            asset_ids |= {str(u) for u in ds_qs}
+            accounts = Account.objects.filter(asset_id__in=list(asset_ids))
+        else:
+            accounts = Account.objects.all()
 
         if username:
             accounts = accounts.filter(username__icontains=username)
@@ -117,7 +134,7 @@ class AccountViewSet(OrgBulkModelViewSet):
                     self.model.objects.create(**account_data)
                     success_count += 1
             except Exception as e:
-                logger.debug(f'{ "Move" if move else "Copy" } to assets error: {e}')
+                logger.debug(f'{"Move" if move else "Copy"} to assets error: {e}')
                 creation_results[asset] = {'error': _('Account already exists'), 'state': 'error'}
 
         results = [{'asset': str(asset), **res} for asset, res in creation_results.items()]

apps/accounts/api/account/application.py

@@ -62,8 +62,7 @@ class IntegrationApplicationViewSet(OrgBulkModelViewSet):
     )
     def get_once_secret(self, request, *args, **kwargs):
         instance = self.get_object()
-        secret = instance.get_secret()
+        return Response(data={'id': instance.id, 'secret': instance.secret})
-        return Response(data={'id': instance.id, 'secret': secret})
 
     @action(['GET'], detail=False, url_path='account-secret',
             permission_classes=[RBACPermission])

apps/accounts/api/account/pam_dashboard.py

@@ -20,7 +20,7 @@ __all__ = ['PamDashboardApi']
 class PamDashboardApi(APIView):
     http_method_names = ['get']
     rbac_perms = {
-        'GET': 'accounts.view_account',
+        'GET': 'rbac.view_pam',
     }
 
     @staticmethod

apps/accounts/api/account/template.py

@@ -43,6 +43,7 @@ class AccountTemplateViewSet(OrgBulkModelViewSet):
     search_fields = ('username', 'name')
     serializer_classes = {
         'default': serializers.AccountTemplateSerializer,
+        'retrieve': serializers.AccountDetailTemplateSerializer,
     }
     rbac_perms = {
         'su_from_account_templates': 'accounts.view_accounttemplate',

apps/accounts/api/automations/base.py

@@ -17,7 +17,7 @@ from orgs.mixins import generics
 __all__ = [
     'AutomationAssetsListApi', 'AutomationRemoveAssetApi',
     'AutomationAddAssetApi', 'AutomationNodeAddRemoveApi',
-    'AutomationExecutionViewSet', 'RecordListMixin'
+    'AutomationExecutionViewSet'
 ]
 
 
@@ -39,9 +39,10 @@ class AutomationAssetsListApi(generics.ListAPIView):
         return assets
 
 
-class AutomationRemoveAssetApi(generics.RetrieveUpdateAPIView):
+class AutomationRemoveAssetApi(generics.UpdateAPIView):
     model = BaseAutomation
     serializer_class = serializers.UpdateAssetSerializer
+    http_method_names = ['patch']
 
     def update(self, request, *args, **kwargs):
         instance = self.get_object()
@@ -56,9 +57,10 @@ class AutomationRemoveAssetApi(generics.RetrieveUpdateAPIView):
         return Response({'msg': 'ok'})
 
 
-class AutomationAddAssetApi(generics.RetrieveUpdateAPIView):
+class AutomationAddAssetApi(generics.UpdateAPIView):
     model = BaseAutomation
     serializer_class = serializers.UpdateAssetSerializer
+    http_method_names = ['patch']
 
     def update(self, request, *args, **kwargs):
         instance = self.get_object()
@@ -72,9 +74,10 @@ class AutomationAddAssetApi(generics.RetrieveUpdateAPIView):
             return Response({"error": serializer.errors})
 
 
-class AutomationNodeAddRemoveApi(generics.RetrieveUpdateAPIView):
+class AutomationNodeAddRemoveApi(generics.UpdateAPIView):
     model = BaseAutomation
     serializer_class = serializers.UpdateNodeSerializer
+    http_method_names = ['patch']
 
     def update(self, request, *args, **kwargs):
         action_params = ['add', 'remove']
@@ -124,12 +127,3 @@ class AutomationExecutionViewSet(
         execution = self.get_object()
         report = execution.manager.gen_report()
         return HttpResponse(report)
-
-
-class RecordListMixin:
-    def list(self, request, *args, **kwargs):
-        try:
-            response = super().list(request, *args, **kwargs)
-        except Exception as e:
-            response = Response({'detail': str(e)}, status=status.HTTP_400_BAD_REQUEST)
-        return response

apps/accounts/api/automations/change_secret.py

@@ -6,24 +6,27 @@ from rest_framework.decorators import action
 from rest_framework.response import Response
 
 from accounts import serializers
-from accounts.const import AutomationTypes, ChangeSecretRecordStatusChoice
+from accounts.const import (
-from accounts.filters import ChangeSecretRecordFilterSet
+    AutomationTypes, ChangeSecretRecordStatusChoice
-from accounts.models import ChangeSecretAutomation, ChangeSecretRecord
+)
+from accounts.filters import ChangeSecretRecordFilterSet, ChangeSecretStatusFilterSet
+from accounts.models import ChangeSecretAutomation, ChangeSecretRecord, Account
 from accounts.tasks import execute_automation_record_task
+from accounts.utils import account_secret_task_status
 from authentication.permissions import UserConfirmation, ConfirmType
 from common.permissions import IsValidLicense
 from orgs.mixins.api import OrgBulkModelViewSet, OrgGenericViewSet
 from rbac.permissions import RBACPermission
 from .base import (
     AutomationAssetsListApi, AutomationRemoveAssetApi, AutomationAddAssetApi,
-    AutomationNodeAddRemoveApi, AutomationExecutionViewSet, RecordListMixin
+    AutomationNodeAddRemoveApi, AutomationExecutionViewSet
 )
 
 __all__ = [
     'ChangeSecretAutomationViewSet', 'ChangeSecretRecordViewSet',
     'ChangSecretExecutionViewSet', 'ChangSecretAssetsListApi',
     'ChangSecretRemoveAssetApi', 'ChangSecretAddAssetApi',
-    'ChangSecretNodeAddRemoveApi'
+    'ChangSecretNodeAddRemoveApi', 'ChangeSecretStatusViewSet'
 ]
 
 
@@ -35,7 +38,7 @@ class ChangeSecretAutomationViewSet(OrgBulkModelViewSet):
     serializer_class = serializers.ChangeSecretAutomationSerializer
 
 
-class ChangeSecretRecordViewSet(RecordListMixin, mixins.ListModelMixin, OrgGenericViewSet):
+class ChangeSecretRecordViewSet(mixins.ListModelMixin, OrgGenericViewSet):
     filterset_class = ChangeSecretRecordFilterSet
     permission_classes = [RBACPermission, IsValidLicense]
     search_fields = ('asset__address', 'account__username')
@@ -94,12 +97,13 @@ class ChangeSecretRecordViewSet(RecordListMixin, mixins.ListModelMixin, OrgGener
     def execute(self, request, *args, **kwargs):
         record_ids = request.data.get('record_ids')
         records = self.get_queryset().filter(id__in=record_ids)
-        execution_count = records.values_list('execution_id', flat=True).distinct().count()
+        if not records.exists():
-        if execution_count != 1:
             return Response(
-                {'detail': 'Only one execution is allowed to execute'},
+                {'detail': 'No valid records found'},
                 status=status.HTTP_400_BAD_REQUEST
             )
+
+        record_ids = [str(_id) for _id in records.values_list('id', flat=True)]
         task = execute_automation_record_task.delay(record_ids, self.tp)
         return Response({'task': task.id}, status=status.HTTP_200_OK)
 
@@ -154,3 +158,25 @@ class ChangSecretAddAssetApi(AutomationAddAssetApi):
 class ChangSecretNodeAddRemoveApi(AutomationNodeAddRemoveApi):
     model = ChangeSecretAutomation
     serializer_class = serializers.ChangeSecretUpdateNodeSerializer
+
+
+class ChangeSecretStatusViewSet(OrgBulkModelViewSet):
+    perm_model = ChangeSecretAutomation
+    filterset_class = ChangeSecretStatusFilterSet
+    serializer_class = serializers.ChangeSecretAccountSerializer
+    search_fields = ('username',)
+
+    permission_classes = [RBACPermission, IsValidLicense]
+    http_method_names = ["get", "delete", "options"]
+
+    def get_queryset(self):
+        account_ids = list(account_secret_task_status.account_ids)
+        return Account.objects.filter(id__in=account_ids).select_related('asset')
+
+    def bulk_destroy(self, request, *args, **kwargs):
+        account_ids = request.data.get('account_ids')
+        if isinstance(account_ids, str):
+            account_ids = [account_ids]
+        for _id in account_ids:
+            account_secret_task_status.clear(_id)
+        return Response(status=status.HTTP_200_OK)

apps/accounts/api/automations/change_secret_dashboard.py

@@ -90,10 +90,10 @@ class ChangeSecretDashboardApi(APIView):
 
     def get_change_secret_asset_queryset(self):
         qs = self.change_secrets_queryset
-        node_ids = qs.filter(nodes__isnull=False).values_list('nodes', flat=True).distinct()
+        node_ids = qs.values_list('nodes', flat=True).distinct()
-        nodes = Node.objects.filter(id__in=node_ids)
+        nodes = Node.objects.filter(id__in=node_ids).only('id', 'key')
         node_asset_ids = Node.get_nodes_all_assets(*nodes).values_list('id', flat=True)
-        direct_asset_ids = qs.filter(assets__isnull=False).values_list('assets', flat=True).distinct()
+        direct_asset_ids = qs.values_list('assets', flat=True).distinct()
         asset_ids = set(list(direct_asset_ids) + list(node_asset_ids))
         return Asset.objects.filter(id__in=asset_ids)
 

apps/accounts/api/automations/check_account.py

@@ -45,10 +45,10 @@ class CheckAccountAutomationViewSet(OrgBulkModelViewSet):
 class CheckAccountExecutionViewSet(AutomationExecutionViewSet):
     rbac_perms = (
         ("list", "accounts.view_checkaccountexecution"),
-        ("retrieve", "accounts.view_checkaccountsexecution"),
+        ("retrieve", "accounts.view_checkaccountexecution"),
         ("create", "accounts.add_checkaccountexecution"),
         ("adhoc", "accounts.add_checkaccountexecution"),
-        ("report", "accounts.view_checkaccountsexecution"),
+        ("report", "accounts.view_checkaccountexecution"),
     )
     ordering = ("-date_created",)
     tp = AutomationTypes.check_account
@@ -147,6 +147,7 @@ class CheckAccountEngineViewSet(JMSModelViewSet):
     serializer_class = serializers.CheckAccountEngineSerializer
     permission_classes = [RBACPermission, IsValidLicense]
     perm_model = CheckAccountEngine
+    http_method_names = ['get', 'options']
 
     def get_queryset(self):
         return CheckAccountEngine.get_default_engines()

apps/accounts/api/automations/push_account.py

@@ -9,7 +9,7 @@ from accounts.models import PushAccountAutomation, PushSecretRecord
 from orgs.mixins.api import OrgBulkModelViewSet, OrgGenericViewSet
 from .base import (
     AutomationAssetsListApi, AutomationRemoveAssetApi, AutomationAddAssetApi,
-    AutomationNodeAddRemoveApi, AutomationExecutionViewSet, RecordListMixin
+    AutomationNodeAddRemoveApi, AutomationExecutionViewSet
 )
 
 __all__ = [
@@ -42,7 +42,7 @@ class PushAccountExecutionViewSet(AutomationExecutionViewSet):
         return queryset
 
 
-class PushAccountRecordViewSet(RecordListMixin, mixins.ListModelMixin, OrgGenericViewSet):
+class PushAccountRecordViewSet(mixins.ListModelMixin, OrgGenericViewSet):
     filterset_class = PushAccountRecordFilterSet
     search_fields = ('asset__address', 'account__username')
     ordering_fields = ('date_finished',)

apps/accounts/automations/base/manager.py

@@ -5,12 +5,13 @@ from django.utils import timezone
 from django.utils.translation import gettext_lazy as _
 
 from accounts.automations.methods import platform_automation_methods
-from accounts.const import SSHKeyStrategy, SecretStrategy, SecretType, ChangeSecretRecordStatusChoice
+from accounts.const import SSHKeyStrategy, SecretStrategy, SecretType, ChangeSecretRecordStatusChoice, \
+    ChangeSecretAccountStatus
 from accounts.models import BaseAccountQuerySet
-from accounts.utils import SecretGenerator
+from accounts.utils import SecretGenerator, account_secret_task_status
 from assets.automations.base.manager import BasePlaybookManager
 from assets.const import HostTypes
-from common.db.utils import safe_db_connection
+from common.db.utils import safe_atomic_db_connection
 from common.utils import get_logger
 
 logger = get_logger(__name__)
@@ -36,7 +37,7 @@ class BaseChangeSecretPushManager(AccountBasePlaybookManager):
         )
         self.account_ids = self.execution.snapshot['accounts']
         self.record_map = self.execution.snapshot.get('record_map', {})  # 这个是某个失败的记录重试
-        self.name_recorder_mapper = {}  # 做个映射，方便后面处理
+        self.name_record_mapper = {}  # 做个映射，方便后面处理
 
     def gen_account_inventory(self, account, asset, h, path_dir):
         raise NotImplementedError
@@ -69,7 +70,7 @@ class BaseChangeSecretPushManager(AccountBasePlaybookManager):
             return
 
         asset = privilege_account.asset
-        accounts = asset.accounts.all()
+        accounts = asset.all_accounts.all()
         accounts = accounts.filter(id__in=self.account_ids, secret_reset=True)
 
         if self.secret_type:
@@ -94,6 +95,7 @@ class BaseChangeSecretPushManager(AccountBasePlaybookManager):
         h['account'] = {
             'name': account.name,
             'username': account.username,
+            'full_username': account.full_username,
             'secret_type': secret_type,
             'secret': account.escape_jinja2_syntax(new_secret),
             'private_key_path': private_key_path,
@@ -111,10 +113,15 @@ class BaseChangeSecretPushManager(AccountBasePlaybookManager):
         if host.get('error'):
             return host
 
-        host['check_conn_after_change'] = self.execution.snapshot.get('check_conn_after_change', True)
         host['ssh_params'] = {}
 
         accounts = self.get_accounts(account)
+        existing_ids = set(map(str, accounts.values_list('id', flat=True)))
+        missing_ids = set(map(str, self.account_ids)) - existing_ids
+
+        for account_id in missing_ids:
+            self.clear_account_queue_status(account_id)
+
         error_msg = _("No pending accounts found")
         if not accounts:
             print(f'{asset}: {error_msg}')
@@ -131,31 +138,50 @@ class BaseChangeSecretPushManager(AccountBasePlaybookManager):
         for account in accounts:
             h = deepcopy(host)
             h['name'] += '(' + account.username + ')'  # To distinguish different accounts
+
+            account_status = account_secret_task_status.get_status(account.id)
+            if account_status == ChangeSecretAccountStatus.PROCESSING:
+                h['error'] = f'Account is already being processed, skipping: {account}'
+                inventory_hosts.append(h)
+                continue
+
             try:
-                h = self.gen_account_inventory(account, asset, h, path_dir)
+                h, record = self.gen_account_inventory(account, asset, h, path_dir)
+                h['check_conn_after_change'] = record.execution.snapshot.get('check_conn_after_change', True)
+                account_secret_task_status.set_status(
+                    account.id,
+                    ChangeSecretAccountStatus.PROCESSING,
+                    metadata={'execution_id': self.execution.id}
+                )
             except Exception as e:
                 h['error'] = str(e)
+                self.clear_account_queue_status(account.id)
+
             inventory_hosts.append(h)
 
         return inventory_hosts
 
     @staticmethod
-    def save_record(recorder):
+    def save_record(record):
-        recorder.save(update_fields=['error', 'status', 'date_finished'])
+        record.save(update_fields=['error', 'status', 'date_finished'])
+
+    @staticmethod
+    def clear_account_queue_status(account_id):
+        account_secret_task_status.clear(account_id)
 
     def on_host_success(self, host, result):
-        recorder = self.name_recorder_mapper.get(host)
+        record = self.name_record_mapper.get(host)
-        if not recorder:
+        if not record:
             return
-        recorder.status = ChangeSecretRecordStatusChoice.success.value
+        record.status = ChangeSecretRecordStatusChoice.success.value
-        recorder.date_finished = timezone.now()
+        record.date_finished = timezone.now()
 
-        account = recorder.account
+        account = record.account
         if not account:
             print("Account not found, deleted ?")
             return
 
-        account.secret = getattr(recorder, 'new_secret', account.secret)
+        account.secret = getattr(record, 'new_secret', account.secret)
         account.date_updated = timezone.now()
         account.date_change_secret = timezone.now()
         account.change_secret_status = ChangeSecretRecordStatusChoice.success
@@ -169,18 +195,19 @@ class BaseChangeSecretPushManager(AccountBasePlaybookManager):
         )
         super().on_host_success(host, result)
 
-        with safe_db_connection():
+        with safe_atomic_db_connection():
             account.save(update_fields=['secret', 'date_updated', 'date_change_secret', 'change_secret_status'])
-            self.save_record(recorder)
+            self.save_record(record)
+            self.clear_account_queue_status(account.id)
 
     def on_host_error(self, host, error, result):
-        recorder = self.name_recorder_mapper.get(host)
+        record = self.name_record_mapper.get(host)
-        if not recorder:
+        if not record:
             return
-        recorder.status = ChangeSecretRecordStatusChoice.failed.value
+        record.status = ChangeSecretRecordStatusChoice.failed.value
-        recorder.date_finished = timezone.now()
+        record.date_finished = timezone.now()
-        recorder.error = error
+        record.error = error
-        account = recorder.account
+        account = record.account
         if not account:
             print("Account not found, deleted ?")
             return
@@ -191,12 +218,13 @@ class BaseChangeSecretPushManager(AccountBasePlaybookManager):
         self.summary['fail_accounts'] += 1
         self.result['fail_accounts'].append(
             {
-                "asset": str(recorder.asset),
+                "asset": str(record.asset),
-                "username": recorder.account.username,
+                "username": record.account.username,
             }
         )
         super().on_host_error(host, error, result)
 
-        with safe_db_connection():
+        with safe_atomic_db_connection():
             account.save(update_fields=['change_secret_status', 'date_change_secret', 'date_updated'])
-            self.save_record(recorder)
+            self.save_record(record)
+            self.clear_account_queue_status(account.id)

apps/accounts/automations/change_secret/database/mongodb/main.yml

@@ -53,4 +53,6 @@
         ssl_certfile: "{{ jms_asset.secret_info.client_key | default('') }}"
         connection_options:
           - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
-      when: check_conn_after_change
+      when: check_conn_after_change
+      register: result
+      failed_when: not result.is_available

apps/accounts/automations/change_secret/database/mysql/main.yml

@@ -39,7 +39,8 @@
         name: "{{ account.username }}"
         password: "{{ account.secret }}"
         host: "%"
-        priv: "{{ account.username + '.*:USAGE' if db_name == '' else db_name + '.*:ALL' }}"
+        priv: "{{ omit if db_name == '' else db_name + '.*:ALL' }}"
+        append_privs: "{{ db_name != '' | bool }}"
       ignore_errors: true
       when: db_info is succeeded
 

apps/accounts/automations/change_secret/database/postgresql/main.yml

@@ -56,3 +56,5 @@
         ssl_key: "{{ ssl_key if check_ssl and ssl_key | length > 0 else omit }}"
         ssl_mode: "{{ jms_asset.spec_info.pg_ssl_mode }}"
       when: check_conn_after_change
+      register: result
+      failed_when: not result.is_available

apps/accounts/automations/change_secret/host/aix/main.yml

@@ -41,6 +41,7 @@
         password: "{{ account.secret | password_hash('des') }}"
         update_password: always
       ignore_errors: true
+      register: change_secret_result
       when: account.secret_type == "password"
 
     - name: "Get home directory for {{ account.username }}"
@@ -83,6 +84,7 @@
         user: "{{ account.username }}"
         key: "{{ account.secret }}"
         exclusive: "{{ ssh_params.exclusive }}"
+      register: change_secret_result
       when: account.secret_type == "ssh_key"
 
     - name: Refresh connection
@@ -101,7 +103,9 @@
         become_password: "{{ account.become.ansible_password | default('') }}"
         become_private_key_path: "{{ account.become.ansible_ssh_private_key_file | default(None) }}"
         old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
-      when: account.secret_type == "password" and check_conn_after_change
+      when:
+       - account.secret_type == "password"
+       - check_conn_after_change or change_secret_result.failed | default(false)
       delegate_to: localhost
 
     - name: "Verify {{ account.username }} SSH KEY (paramiko)"
@@ -112,5 +116,7 @@
         login_private_key_path: "{{ account.private_key_path  }}"
         gateway_args: "{{ jms_asset.ansible_ssh_common_args | default(None) }}"
         old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
-      when: account.secret_type == "ssh_key" and check_conn_after_change
+      when:
+       - account.secret_type == "ssh_key"
+       - check_conn_after_change or change_secret_result.failed | default(false)
       delegate_to: localhost

apps/accounts/automations/change_secret/host/posix/main.yml

@@ -41,6 +41,7 @@
         password: "{{ account.secret | password_hash('sha512') }}"
         update_password: always
       ignore_errors: true
+      register: change_secret_result
       when: account.secret_type == "password"
 
     - name: "Get home directory for {{ account.username }}"
@@ -83,6 +84,7 @@
         user: "{{ account.username }}"
         key: "{{ account.secret }}"
         exclusive: "{{ ssh_params.exclusive }}"
+      register: change_secret_result
       when: account.secret_type == "ssh_key"
 
     - name: Refresh connection
@@ -101,7 +103,9 @@
         become_password: "{{ account.become.ansible_password | default('') }}"
         become_private_key_path: "{{ account.become.ansible_ssh_private_key_file | default(None) }}"
         old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
-      when: account.secret_type == "password" and check_conn_after_change
+      when:
+       - account.secret_type == "password"
+       - check_conn_after_change or change_secret_result.failed | default(false)
       delegate_to: localhost
 
     - name: "Verify {{ account.username }} SSH KEY (paramiko)"
@@ -112,5 +116,7 @@
         login_private_key_path: "{{ account.private_key_path  }}"
         gateway_args: "{{ jms_asset.ansible_ssh_common_args | default(None) }}"
         old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
-      when: account.secret_type == "ssh_key" and check_conn_after_change
+      when:
+       - account.secret_type == "ssh_key"
+       - check_conn_after_change or change_secret_result.failed | default(false)
       delegate_to: localhost

apps/accounts/automations/change_secret/host/windows/manifest.yml

@@ -8,7 +8,7 @@ type:
 params:
   - name: groups
     type: str
-    label: '用户组'
+    label: "{{ 'Params groups label' | trans }}"
     default: 'Users,Remote Desktop Users'
     help_text: "{{ 'Params groups help text' | trans }}"
 
@@ -24,3 +24,7 @@ i18n:
     ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
     en: 'Please enter the group. Multiple groups are separated by commas (please enter the existing group)'
 
+  Params groups label:
+    zh: '用户组'
+    ja: 'グループ'
+    en: 'Groups'

apps/accounts/automations/change_secret/host/windows_ad/main.yml

@@ -0,0 +1,27 @@
+- hosts: demo
+  gather_facts: no
+  tasks:
+    - name: Test privileged account
+      ansible.windows.win_ping:
+
+    - name: Change password
+      community.windows.win_domain_user:
+        name: "{{ account.username }}"
+        password: "{{ account.secret }}"
+        update_password: always
+        password_never_expires: yes
+        state: present
+        groups: "{{ params.groups }}"
+        groups_action: add
+      ignore_errors: true
+      when: account.secret_type == "password"
+
+    - name: Refresh connection
+      ansible.builtin.meta: reset_connection
+
+    - name: Verify password
+      ansible.windows.win_ping:
+      vars:
+        ansible_user: "{{ account.full_username }}"
+        ansible_password: "{{ account.secret }}"
+      when: account.secret_type == "password" and check_conn_after_change

apps/accounts/automations/change_secret/host/windows_ad/manifest.yml

@@ -0,0 +1,32 @@
+id: change_secret_ad_windows
+name: "{{ 'Windows account change secret' | trans }}"
+version: 1
+method: change_secret
+category:
+  - ds
+type:
+  - windows_ad
+params:
+  - name: groups
+    type: str
+    label: "{{ 'Params groups label' | trans }}"
+    default: 'Users,Remote Desktop Users'
+    help_text: "{{ 'Params groups help text' | trans }}"
+
+
+i18n:
+  Windows account change secret:
+    zh: '使用 Ansible 模块 win_domain_user 执行 Windows 账号改密'
+    ja: 'Ansible win_domain_user モジュールを使用して Windows アカウントのパスワード変更'
+    en: 'Using Ansible module win_domain_user to change Windows account secret'
+
+  Params groups help text:
+    zh: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
+    ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
+    en: 'Please enter the group. Multiple groups are separated by commas (please enter the existing group)'
+
+  Params groups label:
+    zh: '用户组'
+    ja: 'グループ'
+    en: 'Groups'
+

apps/accounts/automations/change_secret/host/windows_rdp_verify/manifest.yml

@@ -9,19 +9,24 @@ priority: 49
 params:
   - name: groups
     type: str
-    label: '用户组'
+    label: "{{ 'Params groups label' | trans }}"
     default: 'Users,Remote Desktop Users'
     help_text: "{{ 'Params groups help text' | trans }}"
 
 
 i18n:
   Windows account change secret rdp verify:
-    zh: '使用 Ansible 模块 win_user 执行 Windows 账号改密 RDP 协议测试最后的可连接性'
+    zh: '使用 Ansible 模块 win_user 执行 Windows 账号改密（最后使用 Python 模块 pyfreerdp 验证账号的可连接性）'
-    ja: 'Ansibleモジュールwin_userはWindowsアカウントの改密RDPプロトコルテストの最後の接続性を実行する'
+    ja: 'Ansible モジュール win_user を使用して Windows アカウントのパスワードを変更します (最後に Python モジュール pyfreerdp を使用してアカウントの接続を確認します)'
-    en: 'Using the Ansible module win_user performs Windows account encryption RDP protocol testing for final connectivity'
+    en: 'Use the Ansible module win_user to change the Windows account password (finally use the Python module pyfreerdp to verify the account connectivity)'
 
   Params groups help text:
     zh: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
     ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
     en: 'Please enter the group. Multiple groups are separated by commas (please enter the existing group)'
 
+  Params groups label:
+    zh: '用户组'
+    ja: 'グループ'
+    en: 'Groups'
+

apps/accounts/automations/change_secret/manager.py

@@ -30,28 +30,28 @@ class ChangeSecretManager(BaseChangeSecretPushManager):
         record = self.get_or_create_record(asset, account, h['name'])
         new_secret, private_key_path = self.handle_ssh_secret(account.secret_type, record.new_secret, path_dir)
         h = self.gen_inventory(h, account, new_secret, private_key_path, asset)
-        return h
+        return h, record
 
     def get_or_create_record(self, asset, account, name):
         asset_account_id = f'{asset.id}-{account.id}'
 
         if asset_account_id in self.record_map:
             record_id = self.record_map[asset_account_id]
-            recorder = ChangeSecretRecord.objects.filter(id=record_id).first()
+            record = ChangeSecretRecord.objects.filter(id=record_id).first()
         else:
             new_secret = self.get_secret(account)
-            recorder = self.create_record(asset, account, new_secret)
+            record = self.create_record(asset, account, new_secret)
 
-        self.name_recorder_mapper[name] = recorder
+        self.name_record_mapper[name] = record
-        return recorder
+        return record
 
     def create_record(self, asset, account, new_secret):
-        recorder = ChangeSecretRecord(
+        record = ChangeSecretRecord(
             asset=asset, account=account, execution=self.execution,
             old_secret=account.secret, new_secret=new_secret,
             comment=f'{account.username}@{asset.address}'
         )
-        return recorder
+        return record
 
     def check_secret(self):
         if self.secret_strategy == SecretStrategy.custom \
@@ -61,10 +61,10 @@ class ChangeSecretManager(BaseChangeSecretPushManager):
         return True
 
     @staticmethod
-    def get_summary(recorders):
+    def get_summary(records):
         total, succeed, failed = 0, 0, 0
-        for recorder in recorders:
+        for record in records:
-            if recorder.status == ChangeSecretRecordStatusChoice.success.value:
+            if record.status == ChangeSecretRecordStatusChoice.success.value:
                 succeed += 1
             else:
                 failed += 1
@@ -73,8 +73,8 @@ class ChangeSecretManager(BaseChangeSecretPushManager):
         return summary
 
     def print_summary(self):
-        recorders = list(self.name_recorder_mapper.values())
+        records = list(self.name_record_mapper.values())
-        summary = self.get_summary(recorders)
+        summary = self.get_summary(records)
         print('\n\n' + '-' * 80)
         plan_execution_end = _('Plan execution end')
         print('{} {}\n'.format(plan_execution_end, local_now_filename()))
@@ -86,7 +86,7 @@ class ChangeSecretManager(BaseChangeSecretPushManager):
         if self.secret_type and not self.check_secret():
             return
 
-        recorders = list(self.name_recorder_mapper.values())
+        records = list(self.name_record_mapper.values())
         if self.record_map:
             return
 
@@ -98,17 +98,17 @@ class ChangeSecretManager(BaseChangeSecretPushManager):
         for user in recipients:
             ChangeSecretReportMsg(user, context).publish()
 
-        if not recorders:
+        if not records:
             return
 
-        summary = self.get_summary(recorders)
+        summary = self.get_summary(records)
-        self.send_recorder_mail(recipients, recorders, summary)
+        self.send_record_mail(recipients, records, summary)
 
-    def send_recorder_mail(self, recipients, recorders, summary):
+    def send_record_mail(self, recipients, records, summary):
         name = self.execution.snapshot['name']
         path = os.path.join(os.path.dirname(settings.BASE_DIR), 'tmp')
         filename = os.path.join(path, f'{name}-{local_now_filename()}-{time.time()}.xlsx')
-        if not self.create_file(recorders, filename):
+        if not self.create_file(records, filename):
             return
 
         for user in recipients:
@@ -121,9 +121,9 @@ class ChangeSecretManager(BaseChangeSecretPushManager):
         os.remove(filename)
 
     @staticmethod
-    def create_file(recorders, filename):
+    def create_file(records, filename):
         serializer_cls = ChangeSecretRecordBackUpSerializer
-        serializer = serializer_cls(recorders, many=True)
+        serializer = serializer_cls(records, many=True)
 
         header = [str(v.label) for v in serializer.child.fields.values()]
         rows = [[str(i) for i in row.values()] for row in serializer.data]

apps/accounts/automations/check_account/leak_passwords.db

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:a2805a0264fc07ae597704841ab060edef8bf74654f525bc778cb9195d8cad0e
-size 2547712

apps/accounts/automations/check_account/manager.py

@@ -12,13 +12,16 @@ from accounts.models import Account, AccountRisk, RiskChoice
 from assets.automations.base.manager import BaseManager
 from common.const import ConfirmOrIgnore
 from common.decorators import bulk_create_decorator, bulk_update_decorator
+from settings.models import LeakPasswords
 
 
+# 已设置手动 finish
 @bulk_create_decorator(AccountRisk)
 def create_risk(data):
     return AccountRisk(**data)
 
 
+# 已设置手动 finish
 @bulk_update_decorator(AccountRisk, update_fields=["details", "status"])
 def update_risk(risk):
     return risk
@@ -157,10 +160,8 @@ class CheckLeakHandler(BaseCheckHandler):
         if not account.secret:
             return False
 
-        sql = 'SELECT 1 FROM passwords WHERE password = ? LIMIT 1'
+        is_exist = LeakPasswords.objects.using('sqlite').filter(password=account.secret).exists()
-        self.cursor.execute(sql, (account.secret,))
+        return is_exist
-        leak = self.cursor.fetchone() is not None
-        return leak
 
     def clean(self):
         self.cursor.close()
@@ -218,6 +219,9 @@ class CheckAccountManager(BaseManager):
                     "details": [{"datetime": now, 'type': 'init'}],
                 })
 
+        create_risk.finish()
+        update_risk.finish()
+
     def pre_run(self):
         super().pre_run()
         self.assets = self.execution.get_all_assets()
@@ -236,6 +240,11 @@ class CheckAccountManager(BaseManager):
 
                 print("Check: {} => {}".format(account, msg))
                 if not error:
+                    AccountRisk.objects.filter(
+                        asset=account.asset,
+                        username=account.username,
+                        risk=handler.risk
+                    ).delete()
                     continue
                 self.add_risk(handler.risk, account)
             self.commit_risks(_assets)
@@ -265,7 +274,7 @@ class CheckAccountManager(BaseManager):
             handler.clean()
 
     def get_report_subject(self):
-        return "Check account report of %s" % self.execution.id
+        return _("Check account report of {}").format(self.execution.id)
 
     def get_report_template(self):
         return "accounts/check_account_report.html"

apps/accounts/automations/gather_account/filter.py

@@ -13,6 +13,7 @@ def parse_date(date_str, default=None):
     formats = [
         '%Y/%m/%d %H:%M:%S',
         '%Y-%m-%dT%H:%M:%S',
+        '%Y-%m-%d %H:%M:%S',
         '%d-%m-%Y %H:%M:%S',
         '%Y/%m/%d',
         '%d-%m-%Y',
@@ -26,7 +27,6 @@ def parse_date(date_str, default=None):
     return default
 
 
-# TODO 后期会挪到 playbook 中
 class GatherAccountsFilter:
     def __init__(self, tp):
         self.tp = tp
@@ -208,14 +208,35 @@ class GatherAccountsFilter:
                     key, value = parts
                     user_info[key.strip()] = value.strip()
             detail = {'groups': user_info.get('Global Group memberships', ''), }
-            user = {
+
-                'username': user_info.get('User name', ''),
+            username = user_info.get('User name')
-                'date_password_change': parse_date(user_info.get('Password last set', '')),
+            if not username:
-                'date_password_expired': parse_date(user_info.get('Password expires', '')),
+                continue
-                'date_last_login': parse_date(user_info.get('Last logon', '')),
+
+            result[username] = {
+                'username': username,
+                'date_password_change': parse_date(user_info.get('Password last set')),
+                'date_password_expired': parse_date(user_info.get('Password expires')),
+                'date_last_login': parse_date(user_info.get('Last logon')),
+                'groups': detail,
+            }
+        return result
+
+    @staticmethod
+    def windows_ad_filter(info):
+        result = {}
+        for user_info in info['user_details']:
+            detail = {'groups': user_info.get('GlobalGroupMemberships', ''), }
+            username = user_info.get('SamAccountName')
+            if not username:
+                continue
+            result[username] = {
+                'username': username,
+                'date_password_change': parse_date(user_info.get('PasswordLastSet')),
+                'date_password_expired': parse_date(user_info.get('PasswordExpires')),
+                'date_last_login': parse_date(user_info.get('LastLogonDate')),
                 'groups': detail,
             }
-            result[user['username']] = user
         return result
 
     @staticmethod

apps/accounts/automations/gather_account/host/windows/main.yml

@@ -4,6 +4,7 @@
     - name: Run net user command to get all users
       win_shell: net user
       register: user_list_output
+      failed_when: false
 
     - name: Parse all users from net user command
       set_fact:

apps/accounts/automations/gather_account/host/windows/manifest.yml

@@ -2,10 +2,13 @@ id: gather_accounts_windows
 name: "{{ 'Windows account gather' | trans }}"
 version: 1
 method: gather_accounts
-category: host
+category:
+  - host
+
 type:
   - windows
 
+
 i18n:
   Windows account gather:
     zh: 使用命令 net user 收集 Windows 账号

apps/accounts/automations/gather_account/host/windows_ad/main.yml

@@ -0,0 +1,74 @@
+- hosts: demo
+  gather_facts: no
+  tasks:
+    - name: Import ActiveDirectory module
+      win_shell: Import-Module ActiveDirectory
+      args:
+        warn: false
+
+    - name: Get the SamAccountName list of all AD users
+      win_shell: |
+        Import-Module ActiveDirectory
+        Get-ADUser -Filter * | Select-Object -ExpandProperty SamAccountName
+      register: ad_user_list
+
+    - name: Set the all_users variable
+      set_fact:
+        all_users: "{{ ad_user_list.stdout_lines }}"
+
+    - name: Get detailed information for each user
+      win_shell: |
+        Import-Module ActiveDirectory
+    
+        $user = Get-ADUser -Identity {{ item }} -Properties Name, SamAccountName, Enabled, LastLogonDate, PasswordLastSet, msDS-UserPasswordExpiryTimeComputed, MemberOf
+    
+        $globalGroups = @()
+        if ($user.MemberOf) {
+          $globalGroups = $user.MemberOf | ForEach-Object {
+            try {
+              $group = Get-ADGroup $_ -ErrorAction Stop
+              if ($group.GroupScope -eq 'Global') { $group.Name }
+            } catch {
+            }
+          }
+        }
+    
+        $passwordExpiry = $null
+        $expiryRaw = $user.'msDS-UserPasswordExpiryTimeComputed'
+        if ($expiryRaw) {
+          try {
+            $passwordExpiry = [datetime]::FromFileTime($expiryRaw)
+          } catch {
+            $passwordExpiry = $null
+          }
+        }
+    
+        $output = [PSCustomObject]@{
+          Name                    = $user.Name
+          SamAccountName          = $user.SamAccountName
+          Enabled                 = $user.Enabled
+          LastLogonDate           = if ($user.LastLogonDate) { $user.LastLogonDate.ToString("yyyy-MM-dd HH:mm:ss") } else { $null }
+          PasswordLastSet         = if ($user.PasswordLastSet) { $user.PasswordLastSet.ToString("yyyy-MM-dd HH:mm:ss") } else { $null }
+          PasswordExpires         = if ($passwordExpiry) { $passwordExpiry.ToString("yyyy-MM-dd HH:mm:ss") } else { $null }
+          GlobalGroupMemberships  = $globalGroups
+        }
+    
+        $output | ConvertTo-Json -Depth 3
+      loop: "{{ all_users }}"
+      register: ad_user_details
+      ignore_errors: yes
+
+
+    - set_fact:
+        info:
+          user_details: >-
+            {{
+              ad_user_details.results
+              | selectattr('rc', 'equalto', 0)
+              | map(attribute='stdout')
+              | select('truthy')
+              | map('from_json')
+            }}
+
+    - debug:
+        var: info

apps/accounts/automations/gather_account/host/windows_ad/manifest.yml

@@ -0,0 +1,15 @@
+id: gather_accounts_windows_ad
+name: "{{ 'Windows account gather' | trans }}"
+version: 1
+method: gather_accounts
+category:
+  - ds
+
+type:
+  - windows_ad
+
+i18n:
+  Windows account gather:
+    zh: 使用命令 Get-ADUser 收集 Windows 账号
+    ja: コマンド Get-ADUser を使用して Windows アカウントを収集する
+    en: Using command Get-ADUser to gather accounts

apps/accounts/automations/gather_account/manager.py

@@ -1,6 +1,6 @@
+import time
 from collections import defaultdict
 
-import time
 from django.utils import timezone
 
 from accounts.const import AutomationTypes
@@ -30,6 +30,16 @@ common_risk_items = [
 diff_items = risk_items + common_risk_items
 
 
+@bulk_create_decorator(AccountRisk)
+def _create_risk(data):
+    return AccountRisk(**data)
+
+
+@bulk_update_decorator(AccountRisk, update_fields=["details"])
+def _update_risk(account):
+    return account
+
+
 def format_datetime(value):
     if isinstance(value, timezone.datetime):
         return value.strftime("%Y-%m-%d %H:%M:%S")
@@ -141,25 +151,17 @@ class AnalyseAccountRisk:
             found = assets_risks.get(key)
 
             if not found:
-                self._create_risk(dict(**d, details=[detail]))
+                _create_risk(dict(**d, details=[detail]))
                 continue
 
             found.details.append(detail)
-            self._update_risk(found)
+            _update_risk(found)
-
-    @bulk_create_decorator(AccountRisk)
-    def _create_risk(self, data):
-        return AccountRisk(**data)
-
-    @bulk_update_decorator(AccountRisk, update_fields=["details"])
-    def _update_risk(self, account):
-        return account
 
     def lost_accounts(self, asset, lost_users):
         if not self.check_risk:
             return
         for user in lost_users:
-            self._create_risk(
+            _create_risk(
                 dict(
                     asset_id=str(asset.id),
                     username=user,
@@ -176,7 +178,7 @@ class AnalyseAccountRisk:
             self._analyse_item_changed(ga, d)
         if not sys_found:
             basic = {"asset": asset, "username": d["username"], 'gathered_account': ga}
-            self._create_risk(
+            _create_risk(
                 dict(
                     **basic,
                     risk=RiskChoice.new_found,
@@ -222,6 +224,7 @@ class GatherAccountsManager(AccountBasePlaybookManager):
     def _collect_asset_account_info(self, asset, info):
         result = self._filter_success_result(asset.type, info)
         accounts = []
+
         for username, info in result.items():
             self.asset_usernames_mapper[str(asset.id)].add(username)
 
@@ -373,6 +376,7 @@ class GatherAccountsManager(AccountBasePlaybookManager):
 
         for asset, accounts_data in self.asset_account_info.items():
             ori_users = self.ori_asset_usernames[str(asset.id)]
+            need_analyser_gather_account = []
             with tmp_to_org(asset.org_id):
                 for d in accounts_data:
                     username = d["username"]
@@ -385,10 +389,12 @@ class GatherAccountsManager(AccountBasePlaybookManager):
                         ga = ori_account
                         self.update_gathered_account(ori_account, d)
                     ori_found = username in ori_users
-                    risk_analyser.analyse_risk(asset, ga, d, ori_found)
+                    need_analyser_gather_account.append((asset, ga, d, ori_found))
-
+                # 这里顺序不能调整，risk 外键关联了 gathered_account 主键 id，所以在创建 risk 需要保证 gathered_account 已经创建完成
                 self.create_gathered_account.finish()
                 self.update_gathered_account.finish()
+                for analysis_data in need_analyser_gather_account:
+                    risk_analyser.analyse_risk(*analysis_data)
                 self.update_gather_accounts_status(asset)
                 if not self.is_sync_account:
                     continue
@@ -400,6 +406,9 @@ class GatherAccountsManager(AccountBasePlaybookManager):
                     present=True
                 )
         # 因为有 bulk create, bulk update, 所以这里需要 sleep 一下，等待数据同步
+        _update_risk.finish()
+        _create_risk.finish()
+
         time.sleep(0.5)
 
     def get_report_template(self):

apps/accounts/automations/push_account/custom/ssh/main.yml

@@ -20,10 +20,11 @@
         become_private_key_path: "{{ jms_custom_become_private_key_path | default(None) }}"
         old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
         gateway_args: "{{ jms_asset.ansible_ssh_common_args | default(None) }}"
+        recv_timeout: "{{ params.recv_timeout | default(30) }}"
       register: ping_info
       delegate_to: localhost
 
-    - name: Change asset password (paramiko)
+    - name: Push asset password (paramiko)
       custom_command:
         login_user: "{{ jms_account.username }}"
         login_password: "{{ jms_account.secret }}"
@@ -39,7 +40,10 @@
         name: "{{ account.username }}"
         password: "{{ account.secret }}"
         commands: "{{ params.commands }}"
-        first_conn_delay_time: "{{ first_conn_delay_time | default(0.5) }}"
+        answers: "{{ params.answers }}"
+        recv_timeout: "{{ params.recv_timeout | default(30) }}"
+        delay_time: "{{ params.delay_time | default(2) }}"
+        prompt: "{{ params.prompt | default('.*') }}"
       ignore_errors: true
       when: ping_info is succeeded and check_conn_after_change
       register: change_info
@@ -58,5 +62,6 @@
         become_private_key_path: "{{ account.become.ansible_ssh_private_key_file | default(None) }}"
         old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
         gateway_args: "{{ jms_asset.ansible_ssh_common_args | default(None) }}"
+        recv_timeout: "{{ params.recv_timeout | default(30) }}"
       delegate_to: localhost
       when: check_conn_after_change

apps/accounts/automations/push_account/custom/ssh/manifest.yml

@@ -10,10 +10,30 @@ protocol: ssh
 priority: 50
 params:
   - name: commands
-    type: list
+    type: text
     label: "{{ 'Params commands label' | trans }}"
-    default: [ '' ]
+    default: ''
     help_text: "{{ 'Params commands help text' | trans }}"
+  - name: recv_timeout
+    type: int
+    label: "{{ 'Params recv_timeout label' | trans }}"
+    default: 30
+    help_text: "{{ 'Params recv_timeout help text' | trans }}"
+  - name: delay_time
+    type: int
+    label: "{{ 'Params delay_time label' | trans }}"
+    default: 2
+    help_text: "{{ 'Params delay_time help text' | trans }}"
+  - name: prompt
+    type: str
+    label: "{{ 'Params prompt label' | trans }}"
+    default: '.*'
+    help_text: "{{ 'Params prompt help text' | trans }}"
+  - name: answers
+    type: text
+    label: "{{ 'Params answer label' | trans }}"
+    default: '.*'
+    help_text: "{{ 'Params answer help text' | trans }}"
 
 i18n:
   SSH account push:
@@ -22,11 +42,91 @@ i18n:
     en: 'Custom push using SSH command line'
 
   Params commands help text:
-    zh: '自定义命令中如需包含账号的 账号、密码、SSH 连接的用户密码 字段，<br />请使用 &#123;username&#125;、&#123;password&#125;、&#123;login_password&#125;格式，执行任务时会进行替换 。<br />比如针对 Cisco 主机进行改密，一般需要配置五条命令：<br />1. enable<br />2. &#123;login_password&#125;<br />3. configure terminal<br />4. username &#123;username&#125; privilege 0 password &#123;password&#125; <br />5. end'
+    zh: |
-    ja: 'カスタム コマンドに SSH 接続用のアカウント番号、パスワード、ユーザー パスワード フィールドを含める必要がある場合は、<br />&#123;ユーザー名&#125;、&#123;パスワード&#125;、&#123;login_password& を使用してください。 # 125; 形式。タスクの実行時に置き換えられます。 <br />たとえば、Cisco ホストのパスワードを変更するには、通常、次の 5 つのコマンドを設定する必要があります:<br />1.enable<br />2.&#123;login_password&#125;<br />3 .ターミナルの設定<br / >4. ユーザー名 &#123;ユーザー名&#125; 権限 0 パスワード &#123;パスワード&#125; <br />5. 終了'
+      请将命令中的指定位置改成特殊符号 <br />
-    en: 'If the custom command needs to include the account number, password, and user password field for SSH connection,<br />Please use &#123;username&#125;, &#123;password&#125;, &#123;login_password&# 125; format, which will be replaced when executing the task. <br />For example, to change the password of a Cisco host, you generally need to configure five commands:<br />1. enable<br />2. &#123;login_password&#125;<br />3. configure terminal<br / >4. username &#123;username&#125; privilege 0 password &#123;password&#125; <br />5. end'
+      1. 推送账号 -> {username} <br />
+      2. 推送密码 -> {password} <br />
+      3. 登录用户密码 -> {login_password} <br />
+      <strong>多条命令使用换行分割，</strong>执行任务时系统会根据特殊符号替换真实数据。<br />
+      比如针对 Cisco 主机进行推送，一般需要配置五条命令：<br />
+      enable <br />
+      {login_password} <br />
+      configure terminal <br />
+      username {username} privilege 0 password {password} <br />
+      end <br />
+    ja: |
+      コマンド内の指定された位置を特殊記号に変更してください。<br />
+      新しいパスワード（アカウント押す） -> {username} <br />
+      新しいパスワード（パスワード押す） -> {password} <br />
+      ログインユーザーパスワード -> {login_password} <br />
+      <strong>複数のコマンドは改行で区切り、</strong>タスクを実行するときにシステムは特殊記号を使用して実際のデータを置き換えます。<br />
+      例えば、Cisco機器のパスワードを変更する場合、一般的には5つのコマンドを設定する必要があります：<br />
+      enable <br />
+      {login_password} <br />
+      configure terminal <br />
+      username {username} privilege 0 password {password} <br />
+      end <br />
+    en: |
+      Please change the specified positions in the command to special symbols. <br /> 
+      Change password account -> {username} <br /> 
+      Change password -> {password} <br /> 
+      Login user password -> {login_password} <br /> 
+      <strong>Multiple commands are separated by new lines,</strong> and when executing tasks, <br /> 
+      the system will replace the special symbols with real data. <br /> 
+      For example, to push the password for a Cisco device, you generally need to configure five commands: <br />
+      enable <br />
+      {login_password} <br />
+      configure terminal <br />
+      username {username} privilege 0 password {password} <br />
+      end <br />
 
   Params commands label:
     zh: '自定义命令'
     ja: 'カスタムコマンド'
     en: 'Custom command'
+
+  Params recv_timeout label:
+    zh: '超时时间'
+    ja: 'タイムアウト'
+    en: 'Timeout'
+
+  Params recv_timeout help text:
+    zh: '等待命令结果返回的超时时间（秒）'
+    ja: 'コマンドの結果を待つタイムアウト時間（秒）'
+    en: 'The timeout for waiting for the command result to return (Seconds)'
+
+  Params delay_time label:
+    zh: '延迟发送时间'
+    ja: '遅延送信時間'
+    en: 'Delayed send time'
+
+  Params delay_time help text:
+    zh: '每条命令延迟发送的时间间隔（秒）'
+    ja: '各コマンド送信の遅延間隔（秒）'
+    en: 'Time interval for each command delay in sending (Seconds)'
+
+  Params prompt label:
+    zh: '提示符'
+    ja: 'ヒント'
+    en: 'Prompt'
+
+  Params prompt help text:
+    zh: '终端连接后显示的提示符信息（正则表达式）'
+    ja: 'ターミナル接続後に表示されるプロンプト情報（正規表現）'
+    en: 'Prompt information displayed after terminal connection (Regular expression)'
+
+  Params answer label:
+    zh: '命令结果'
+    ja: 'コマンド結果'
+    en: 'Command result'
+
+  Params answer help text:
+    zh: |
+      根据结果匹配度决定是否执行下一条命令，输入框的内容和上方 “自定义命令” 内容按行一一对应（正则表达式）
+    ja: |
+      結果の一致度に基づいて次のコマンドを実行するかどうかを決定します。
+      入力欄の内容は、上の「カスタムコマンド」の内容と行ごとに対応しています（せいきひょうげん）
+    en: |
+      Decide whether to execute the next command based on the result match. 
+      The input content corresponds line by line with the content 
+      of the `Custom command` above. (Regular expression)

apps/accounts/automations/push_account/database/mongodb/main.yml

@@ -54,3 +54,5 @@
         connection_options:
           - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert}}"
       when: check_conn_after_change
+      register: result
+      failed_when: not result.is_available

apps/accounts/automations/push_account/database/mysql/main.yml

@@ -39,7 +39,8 @@
         name: "{{ account.username }}"
         password: "{{ account.secret }}"
         host: "%"
-        priv: "{{ account.username + '.*:USAGE' if db_name == '' else db_name + '.*:ALL' }}"
+        priv: "{{ omit if db_name == '' else db_name + '.*:ALL' }}"
+        append_privs: "{{ db_name != '' | bool }}"
       ignore_errors: true
       when: db_info is succeeded
 

apps/accounts/automations/push_account/host/aix/main.yml

@@ -41,6 +41,7 @@
         password: "{{ account.secret | password_hash('des') }}"
         update_password: always
       ignore_errors: true
+      register: change_secret_result
       when: account.secret_type == "password"
 
     - name: "Get home directory for {{ account.username }}"
@@ -83,6 +84,7 @@
         user: "{{ account.username }}"
         key: "{{ account.secret }}"
         exclusive: "{{ ssh_params.exclusive }}"
+      register: change_secret_result
       when: account.secret_type == "ssh_key"
 
     - name: Refresh connection
@@ -101,7 +103,9 @@
         become_password: "{{ account.become.ansible_password | default('') }}"
         become_private_key_path: "{{ account.become.ansible_ssh_private_key_file | default(None) }}"
         old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
-      when: account.secret_type == "password" and check_conn_after_change
+      when:
+       - account.secret_type == "password"
+       - check_conn_after_change or change_secret_result.failed | default(false)
       delegate_to: localhost
 
     - name: "Verify {{ account.username }} SSH KEY (paramiko)"
@@ -112,6 +116,8 @@
         login_private_key_path: "{{ account.private_key_path  }}"
         gateway_args: "{{ jms_asset.ansible_ssh_common_args | default(None) }}"
         old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
-      when: account.secret_type == "ssh_key" and check_conn_after_change
+      when:
+       - account.secret_type == "ssh_key"
+       - check_conn_after_change or change_secret_result.failed | default(false)
       delegate_to: localhost
 

apps/accounts/automations/push_account/host/posix/main.yml

@@ -41,6 +41,7 @@
         password: "{{ account.secret | password_hash('sha512') }}"
         update_password: always
       ignore_errors: true
+      register: change_secret_result
       when: account.secret_type == "password"
 
     - name: "Get home directory for {{ account.username }}"
@@ -83,6 +84,7 @@
         user: "{{ account.username }}"
         key: "{{ account.secret }}"
         exclusive: "{{ ssh_params.exclusive }}"
+      register: change_secret_result
       when: account.secret_type == "ssh_key"
 
     - name: Refresh connection
@@ -101,7 +103,9 @@
         become_password: "{{ account.become.ansible_password | default('') }}"
         become_private_key_path: "{{ account.become.ansible_ssh_private_key_file | default(None) }}"
         old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
-      when: account.secret_type == "password" and check_conn_after_change
+      when:
+       - account.secret_type == "password"
+       - check_conn_after_change or change_secret_result.failed | default(false)
       delegate_to: localhost
 
     - name: "Verify {{ account.username }} SSH KEY (paramiko)"
@@ -112,6 +116,8 @@
         login_private_key_path: "{{ account.private_key_path  }}"
         gateway_args: "{{ jms_asset.ansible_ssh_common_args | default(None) }}"
         old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
-      when: account.secret_type == "ssh_key" and check_conn_after_change
+      when:
+       - account.secret_type == "ssh_key"
+       - check_conn_after_change or change_secret_result.failed | default(false)
       delegate_to: localhost
 

apps/accounts/automations/push_account/host/windows/manifest.yml

@@ -8,7 +8,7 @@ type:
 params:
   - name: groups
     type: str
-    label: '用户组'
+    label: "{{ 'Params groups label' | trans }}"
     default: 'Users,Remote Desktop Users'
     help_text: "{{ 'Params groups help text' | trans }}"
 
@@ -22,3 +22,8 @@ i18n:
     zh: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
     ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
     en: 'Please enter the group. Multiple groups are separated by commas (please enter the existing group)'
+
+  Params groups label:
+    zh: '用户组'
+    ja: 'グループ'
+    en: 'Groups'

apps/accounts/automations/push_account/host/windows_ad/main.yml

@@ -0,0 +1,27 @@
+- hosts: demo
+  gather_facts: no
+  tasks:
+    - name: Test privileged account
+      ansible.windows.win_ping:
+
+    - name: Push user password
+      community.windows.win_domain_user:
+        name: "{{ account.username }}"
+        password: "{{ account.secret }}"
+        update_password: always
+        password_never_expires: yes
+        state: present
+        groups: "{{ params.groups }}"
+        groups_action: add
+      ignore_errors: true
+      when: account.secret_type == "password"
+
+    - name: Refresh connection
+      ansible.builtin.meta: reset_connection
+
+    - name: Verify password
+      ansible.windows.win_ping:
+      vars:
+        ansible_user: "{{ account.full_username }}"
+        ansible_password: "{{ account.secret }}"
+      when: account.secret_type == "password" and check_conn_after_change

apps/accounts/automations/push_account/host/windows_ad/manifest.yml

@@ -0,0 +1,30 @@
+id: push_account_ad_windows
+name: "{{ 'Windows account push' | trans }}"
+version: 1
+method: push_account
+category:
+  - ds
+type:
+  - windows_ad
+params:
+  - name: groups
+    type: str
+    label: "{{ 'Params groups label' | trans }}"
+    default: 'Users,Remote Desktop Users'
+    help_text: "{{ 'Params groups help text' | trans }}"
+
+i18n:
+  Windows account push:
+    zh: '使用 Ansible 模块 win_domain_user 执行 Windows 账号推送'
+    ja: 'Ansible win_domain_user モジュールを使用して Windows アカウントをプッシュする'
+    en: 'Using Ansible module win_domain_user to push account'
+
+  Params groups help text:
+    zh: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
+    ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
+    en: 'Please enter the group. Multiple groups are separated by commas (please enter the existing group)'
+
+  Params groups label:
+    zh: '用户组'
+    ja: 'グループ'
+    en: 'Groups'

apps/accounts/automations/push_account/host/windows_rdp_verify/manifest.yml

@@ -9,7 +9,7 @@ priority: 49
 params:
   - name: groups
     type: str
-    label: '用户组'
+    label: "{{ 'Params groups label' | trans }}"
     default: 'Users,Remote Desktop Users'
     help_text: "{{ 'Params groups help text' | trans }}"
 
@@ -23,3 +23,8 @@ i18n:
     zh: '请输入用户组，多个用户组使用逗号分隔（需填写已存在的用户组）'
     ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
     en: 'Please enter the group. Multiple groups are separated by commas (please enter the existing group)'
+
+  Params groups label:
+    zh: '用户组'
+    ja: 'グループ'
+    en: 'Groups'

apps/accounts/automations/push_account/manager.py

@@ -12,7 +12,7 @@ logger = get_logger(__name__)
 class PushAccountManager(BaseChangeSecretPushManager):
 
     @staticmethod
-    def require_update_version(account, recorder):
+    def require_update_version(account, record):
         account.skip_history_when_saving = True
         return False
 
@@ -31,29 +31,29 @@ class PushAccountManager(BaseChangeSecretPushManager):
         secret_type = account.secret_type
         if not secret:
             raise ValueError(_('Secret cannot be empty'))
-        self.get_or_create_record(asset, account, h['name'])
+        record = self.get_or_create_record(asset, account, h['name'])
         new_secret, private_key_path = self.handle_ssh_secret(secret_type, secret, path_dir)
         h = self.gen_inventory(h, account, new_secret, private_key_path, asset)
-        return h
+        return h, record
 
     def get_or_create_record(self, asset, account, name):
         asset_account_id = f'{asset.id}-{account.id}'
 
         if asset_account_id in self.record_map:
             record_id = self.record_map[asset_account_id]
-            recorder = PushSecretRecord.objects.filter(id=record_id).first()
+            record = PushSecretRecord.objects.filter(id=record_id).first()
         else:
-            recorder = self.create_record(asset, account)
+            record = self.create_record(asset, account)
 
-        self.name_recorder_mapper[name] = recorder
+        self.name_record_mapper[name] = record
-        return recorder
+        return record
 
     def create_record(self, asset, account):
-        recorder = PushSecretRecord(
+        record = PushSecretRecord(
             asset=asset, account=account, execution=self.execution,
             comment=f'{account.username}@{asset.address}'
         )
-        return recorder
+        return record
 
     def print_summary(self):
         print('\n\n' + '-' * 80)

apps/accounts/automations/remove_account/database/sqlserver/main.yml

@@ -11,4 +11,5 @@
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
         name: "{{ jms_asset.spec_info.db_name }}"
-        script: "DROP USER {{ account.username }}"
+        script: "DROP LOGIN {{ account.username }}; select @@version"
+

apps/accounts/automations/remove_account/host/windows_ad/main.yml

@@ -0,0 +1,9 @@
+- hosts: windows
+  gather_facts: no
+  tasks:
+    - name: "Remove account"
+      ansible.windows.win_domain_user:
+        name: "{{ account.username }}"
+        state: absent
+
+

apps/accounts/automations/remove_account/host/windows_ad/manifest.yml

@@ -0,0 +1,14 @@
+id: remove_account_ad_windows
+name: "{{ 'Windows account remove' | trans }}"
+version: 1
+method: remove_account
+category:
+  - ds
+type:
+  - windows_ad
+
+i18n:
+  Windows account remove:
+    zh: 使用 Ansible 模块 win_domain_user 删除账号
+    ja: Ansible モジュール win_domain_user を使用してアカウントを削除する
+    en: Use the Ansible module win_domain_user to delete an account

apps/accounts/automations/verify_account/custom/rdp/main.yml

@@ -3,13 +3,13 @@
   vars:
     ansible_shell_type: sh
     ansible_connection: local
-    ansible_python_interpreter: /opt/py3/bin/python
+    ansible_python_interpreter: "{{ local_python_interpreter }}"
 
   tasks:
     - name: Verify account (pyfreerdp)
       rdp_ping:
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
-        login_user: "{{ account.username }}"
+        login_user: "{{ account.full_username }}"
         login_password: "{{ account.secret }}"
         login_secret_type: "{{ account.secret_type }}"

apps/accounts/automations/verify_account/custom/rdp/manifest.yml

@@ -2,8 +2,10 @@ id: verify_account_by_rdp
 name: "{{ 'Windows rdp account verify' | trans }}"
 category:
   - host
+  - ds
 type:
   - windows
+  - windows_ad
 method: verify_account
 protocol: rdp
 priority: 1

apps/accounts/automations/verify_account/database/mongodb/main.yml

@@ -16,3 +16,5 @@
         ssl_certfile: "{{ jms_asset.secret_info.client_key | default('') }}"
         connection_options:
           - tlsAllowInvalidHostnames: "{{ jms_asset.spec_info.allow_invalid_cert }}"
+      register: result
+      failed_when: not result.is_available

apps/accounts/automations/verify_account/host/posix/main.yml

@@ -8,6 +8,7 @@
         ansible_user: "{{ account.username }}"
         ansible_password: "{{ account.secret }}"
         ansible_ssh_private_key_file: "{{ account.private_key_path }}"
+        ansible_timeout: 30
       when: not account.become.ansible_become
 
     - name: Verify account connectivity(Switch)
@@ -20,4 +21,5 @@
         ansible_become_method: "{{ account.become.ansible_become_method }}"
         ansible_become_user: "{{ account.become.ansible_become_user }}"
         ansible_become_password: "{{ account.become.ansible_become_password }}"
+        ansible_timeout: 30
       when: account.become.ansible_become

apps/accounts/automations/verify_account/host/windows/main.yml

@@ -7,5 +7,6 @@
     - name: Verify account
       ansible.windows.win_ping:
       vars:
-        ansible_user: "{{ account.username }}"
+        ansible_user: "{{ account.full_username }}"
         ansible_password: "{{ account.secret }}"
+        ansible_timeout: 30

apps/accounts/automations/verify_account/host/windows/manifest.yml

@@ -2,9 +2,12 @@ id: verify_account_windows
 name: "{{ 'Windows account verify' | trans }}"
 version: 1
 method: verify_account
-category: host
+category:
+  - host
+  - ds
 type:
   - windows
+  - windows_ad
 
 i18n:
   Windows account verify:

apps/accounts/automations/verify_account/manager.py

@@ -42,7 +42,7 @@ class VerifyAccountManager(AccountBasePlaybookManager):
         if host.get('error'):
             return host
 
-        accounts = asset.accounts.all()
+        accounts = asset.all_accounts.all()
         accounts = self.get_accounts(account, accounts)
         inventory_hosts = []
 
@@ -64,6 +64,7 @@ class VerifyAccountManager(AccountBasePlaybookManager):
             h['account'] = {
                 'name': account.name,
                 'username': account.username,
+                'full_username': account.full_username,
                 'secret_type': account.secret_type,
                 'secret': account.escape_jinja2_syntax(secret),
                 'private_key_path': private_key_path,
@@ -84,6 +85,7 @@ class VerifyAccountManager(AccountBasePlaybookManager):
     def on_host_error(self, host, error, result):
         account = self.host_account_mapper.get(host)
         try:
-            account.set_connectivity(Connectivity.ERR)
+            error_tp = account.get_err_connectivity(error)
+            account.set_connectivity(error_tp)
         except Exception as e:
             print(f'\033[31m Update account {account.name} connectivity failed: {e} \033[0m\n')

apps/accounts/const/automation.py

@@ -17,7 +17,7 @@ __all__ = [
     'AutomationTypes', 'SecretStrategy', 'SSHKeyStrategy', 'Connectivity',
     'DEFAULT_PASSWORD_LENGTH', 'DEFAULT_PASSWORD_RULES', 'TriggerChoice',
     'PushAccountActionChoice', 'AccountBackupType', 'ChangeSecretRecordStatusChoice',
-    'GatherAccountDetailField'
+    'GatherAccountDetailField', 'ChangeSecretAccountStatus'
 ]
 
 
@@ -117,6 +117,12 @@ class ChangeSecretRecordStatusChoice(models.TextChoices):
     pending = 'pending', _('Pending')
 
 
+class ChangeSecretAccountStatus(models.TextChoices):
+    QUEUED = 'queued', _('Queued')
+    READY = 'ready', _('Ready')
+    PROCESSING = 'processing', _('Processing')
+
+
 class GatherAccountDetailField(models.TextChoices):
     can_login = 'can_login', _('Can login')
     superuser = 'superuser', _('Superuser')

apps/accounts/filters.py

@@ -5,7 +5,6 @@ import uuid
 import django_filters
 from django.db.models import Q
 from django.utils import timezone
-from django.utils.translation import gettext_lazy as _
 from django_filters import rest_framework as drf_filters
 from rest_framework import filters
 from rest_framework.compat import coreapi
@@ -13,10 +12,26 @@ from rest_framework.compat import coreapi
 from assets.models import Node
 from assets.utils import get_node_from_request
 from common.drf.filters import BaseFilterSet
+from common.utils import get_logger
 from common.utils.timezone import local_zero_hour, local_now
 from .const.automation import ChangeSecretRecordStatusChoice
 from .models import Account, GatheredAccount, ChangeSecretRecord, PushSecretRecord, IntegrationApplication, \
     AutomationExecution
+from .utils import account_secret_task_status
+
+logger = get_logger(__file__)
+
+
+class UUIDFilterMixin:
+    @staticmethod
+    def filter_uuid(queryset, name, value):
+        try:
+            uuid.UUID(value)
+        except ValueError:
+            logger.warning(f"Invalid UUID: {value}")
+            return queryset.none()
+
+        return queryset.filter(**{name: value})
 
 
 class NodeFilterBackend(filters.BaseFilterBackend):
@@ -43,14 +58,15 @@ class NodeFilterBackend(filters.BaseFilterBackend):
         return queryset
 
 
-class AccountFilterSet(BaseFilterSet):
+class AccountFilterSet(UUIDFilterMixin, BaseFilterSet):
     ip = drf_filters.CharFilter(field_name="address", lookup_expr="exact")
+    name = drf_filters.CharFilter(field_name="name", lookup_expr="exact")
     hostname = drf_filters.CharFilter(field_name="name", lookup_expr="exact")
     username = drf_filters.CharFilter(field_name="username", lookup_expr="exact")
     address = drf_filters.CharFilter(field_name="asset__address", lookup_expr="exact")
-    asset_id = drf_filters.CharFilter(field_name="asset", lookup_expr="exact")
+    asset_name = drf_filters.CharFilter(field_name="asset__name", lookup_expr="exact")
-    asset = drf_filters.CharFilter(field_name="asset", lookup_expr="exact")
+    asset_id = drf_filters.CharFilter(field_name="asset", method="filter_uuid")
-    assets = drf_filters.CharFilter(field_name="asset_id", lookup_expr="exact")
+    assets = drf_filters.CharFilter(field_name="asset_id", method="filter_uuid")
     has_secret = drf_filters.BooleanFilter(method="filter_has_secret")
     platform = drf_filters.CharFilter(
         field_name="asset__platform_id", lookup_expr="exact"
@@ -135,8 +151,9 @@ class AccountFilterSet(BaseFilterSet):
             kwargs.update({"date_change_secret__gt": date})
 
         if name == "latest_secret_change_failed":
-            queryset = queryset.filter(date_change_secret__gt=date).exclude(
+            queryset = (
-                change_secret_status=ChangeSecretRecordStatusChoice.success
+                queryset.filter(date_change_secret__gt=date)
+                .exclude(change_secret_status=ChangeSecretRecordStatusChoice.success)
             )
 
         if kwargs:
@@ -146,8 +163,8 @@ class AccountFilterSet(BaseFilterSet):
     class Meta:
         model = Account
         fields = [
-            "id", "asset", "source_id", "secret_type", "category",
+            "id", "source_id", "secret_type", "category", "type",
-            "type", "privileged", "secret_reset", "connectivity", 'is_active'
+            "privileged", "secret_reset", "connectivity", "is_active"
         ]
 
 
@@ -185,16 +202,6 @@ class SecretRecordMixin(drf_filters.FilterSet):
         return queryset.filter(date_finished__gte=dt)
 
 
-class UUIDExecutionFilterMixin:
-    @staticmethod
-    def filter_execution(queryset, name, value):
-        try:
-            uuid.UUID(value)
-        except ValueError:
-            raise ValueError(_('Enter a valid UUID.'))
-        return queryset.filter(**{name: value})
-
-
 class DaysExecutionFilterMixin:
     days = drf_filters.NumberFilter(method="filter_days")
     field: str
@@ -209,10 +216,10 @@ class DaysExecutionFilterMixin:
 
 
 class ChangeSecretRecordFilterSet(
-    SecretRecordMixin, UUIDExecutionFilterMixin,
+    SecretRecordMixin, UUIDFilterMixin,
     DaysExecutionFilterMixin, BaseFilterSet
 ):
-    execution_id = django_filters.CharFilter(method="filter_execution")
+    execution_id = django_filters.CharFilter(method="filter_uuid")
     days = drf_filters.NumberFilter(method="filter_days")
 
     field = 'date_finished'
@@ -227,12 +234,34 @@ class AutomationExecutionFilterSet(DaysExecutionFilterMixin, BaseFilterSet):
 
     class Meta:
         model = AutomationExecution
-        fields = ["days", 'trigger', 'automation_id', 'automation__name']
+        fields = ["days", 'trigger', 'automation__name']
 
 
-class PushAccountRecordFilterSet(SecretRecordMixin, UUIDExecutionFilterMixin, BaseFilterSet):
+class PushAccountRecordFilterSet(SecretRecordMixin, UUIDFilterMixin, BaseFilterSet):
-    execution_id = django_filters.CharFilter(method="filter_execution")
+    execution_id = django_filters.CharFilter(method="filter_uuid")
 
     class Meta:
         model = PushSecretRecord
         fields = ["id", "status", "asset_id", "execution_id"]
+
+
+class ChangeSecretStatusFilterSet(BaseFilterSet):
+    asset_name = drf_filters.CharFilter(
+        field_name="asset__name", lookup_expr="icontains"
+    )
+    status = drf_filters.CharFilter(method='filter_dynamic')
+    execution_id = drf_filters.CharFilter(method='filter_dynamic')
+
+    class Meta:
+        model = Account
+        fields = ["username"]
+
+    @staticmethod
+    def filter_dynamic(queryset, name, value):
+        _ids = list(queryset.values_list('id', flat=True))
+        data_map = {
+            _id: account_secret_task_status.get(str(_id)).get(name)
+            for _id in _ids
+        }
+        matched = [_id for _id, v in data_map.items() if v == value]
+        return queryset.filter(id__in=matched)

apps/accounts/migrations/0001_initial.py

@@ -46,11 +46,16 @@ class Migration(migrations.Migration):
             ],
             options={
                 'verbose_name': 'Account',
-                'permissions': [('view_accountsecret', 'Can view asset account secret'),
+                'permissions': [
-                                ('view_historyaccount', 'Can view asset history account'),
+                    ('view_accountsecret', 'Can view asset account secret'),
-                                ('view_historyaccountsecret', 'Can view asset history account secret'),
+                    ('view_historyaccount', 'Can view asset history account'),
-                                ('verify_account', 'Can verify account'), ('push_account', 'Can push account'),
+                    ('view_historyaccountsecret', 'Can view asset history account secret'),
-                                ('remove_account', 'Can remove account')],
+                    ('verify_account', 'Can verify account'),
+                    ('push_account', 'Can push account'),
+                    ('remove_account', 'Can remove account'),
+                    ('view_accountsession', 'Can view session'),
+                    ('view_accountactivity', 'Can view activity')
+                ],
             },
         ),
         migrations.CreateModel(

apps/accounts/migrations/0005_accountrisk_backupaccountautomation_and_more.py

@@ -335,6 +335,7 @@ class Migration(migrations.Migration):
             ],
             options={
                 "abstract": False,
+                "verbose_name": "Check engine",
             },
         ),
         migrations.CreateModel(
@@ -629,10 +630,15 @@ class Migration(migrations.Migration):
             name="connectivity",
             field=models.CharField(
                 choices=[
-                    ("-", "Unknown"),
+                    ('-', 'Unknown'),
-                    ("na", "N/A"),
+                    ('na', 'N/A'),
-                    ("ok", "OK"),
+                    ('ok', 'OK'),
-                    ("err", "Error"),
+                    ('err', 'Error'),
+                    ('auth_err', 'Authentication error'),
+                    ('password_err', 'Invalid password error'),
+                    ('openssh_key_err', 'OpenSSH key error'),
+                    ('ntlm_err', 'NTLM credentials rejected error'),
+                    ('create_temp_err', 'Create temporary error')
                 ],
                 default="-",
                 max_length=16,

apps/accounts/migrations/0007_alter_account_connectivity.py

@@ -0,0 +1,29 @@
+# Generated by Django 4.1.13 on 2025-05-06 10:23
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ('accounts', '0006_alter_accountrisk_username_and_more'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='account',
+            name='connectivity',
+            field=models.CharField(choices=[
+                ('-', 'Unknown'),
+                ('na', 'N/A'),
+                ('ok', 'OK'),
+                ('err', 'Error'),
+                ('rdp_err', 'RDP error'),
+                ('auth_err', 'Authentication error'),
+                ('password_err', 'Invalid password error'),
+                ('openssh_key_err', 'OpenSSH key error'),
+                ('ntlm_err', 'NTLM credentials rejected error'),
+                ('create_temp_err', 'Create temporary error')
+            ],
+                default='-', max_length=16, verbose_name='Connectivity'),
+        ),
+    ]

apps/accounts/mixins.py

@@ -1,65 +1,15 @@
 from rest_framework.response import Response
 from rest_framework import status
+from django.db.models import Model
 from django.utils import translation
-from django.utils.translation import gettext_noop
 
 from audits.const import ActionChoices
-from common.views.mixins import RecordViewLogMixin
+from audits.handler import create_or_update_operate_log
-from common.utils import i18n_fmt
 
 
-class AccountRecordViewLogMixin(RecordViewLogMixin):
+class AccountRecordViewLogMixin(object):
     get_object: callable
-    get_queryset: callable
+    model: Model
-
-    @staticmethod
-    def _filter_params(params):
-        new_params = {}
-        need_pop_params = ('format', 'order')
-        for key, value in params.items():
-            if key in need_pop_params:
-                continue
-            if isinstance(value, list):
-                value = list(filter(None, value))
-            if value:
-                new_params[key] = value
-        return new_params
-
-    def get_resource_display(self, request):
-        query_params = dict(request.query_params)
-        params = self._filter_params(query_params)
-
-        spm_filter = params.pop("spm", None)
-
-        if not params and not spm_filter:
-            display_message = gettext_noop("Export all")
-        elif spm_filter:
-            display_message = gettext_noop("Export only selected items")
-        else:
-            query = ",".join(
-                ["%s=%s" % (key, value) for key, value in params.items()]
-            )
-            display_message = i18n_fmt(gettext_noop("Export filtered: %s"), query)
-        return display_message
-
-    @property
-    def detail_msg(self):
-        return i18n_fmt(
-            gettext_noop('User %s view/export secret'), self.request.user
-        )
-
-    def list(self, request, *args, **kwargs):
-        list_func = getattr(super(), 'list')
-        if not callable(list_func):
-            return Response(status=status.HTTP_405_METHOD_NOT_ALLOWED)
-        response = list_func(request, *args, **kwargs)
-        with translation.override('en'):
-            resource_display = self.get_resource_display(request)
-            ids = [q.id for q in self.get_queryset()]
-            self.record_logs(
-                ids, ActionChoices.view, self.detail_msg, resource_display=resource_display
-            )
-        return response
 
     def retrieve(self, request, *args, **kwargs):
         retrieve_func = getattr(super(), 'retrieve')
@@ -67,9 +17,9 @@ class AccountRecordViewLogMixin(RecordViewLogMixin):
             return Response(status=status.HTTP_405_METHOD_NOT_ALLOWED)
         response = retrieve_func(request, *args, **kwargs)
         with translation.override('en'):
-            resource = self.get_object()
+            create_or_update_operate_log(
-            self.record_logs(
+                ActionChoices.view, self.model._meta.verbose_name,
-                [resource.id], ActionChoices.view, self.detail_msg, resource=resource
+                force=True, resource=self.get_object(),
             )
         return response
 

apps/accounts/models/account.py

@@ -116,6 +116,8 @@ class Account(AbsConnectivity, LabeledMixin, BaseAccount, JSONFilterMixin):
             ('verify_account', _('Can verify account')),
             ('push_account', _('Can push account')),
             ('remove_account', _('Can remove account')),
+            ('view_accountsession', _('Can view session')),
+            ('view_accountactivity', _('Can view activity')),
         ]
 
     def __str__(self):
@@ -131,9 +133,49 @@ class Account(AbsConnectivity, LabeledMixin, BaseAccount, JSONFilterMixin):
 
     @lazyproperty
     def alias(self):
+        """
+        别称，因为有虚拟账号，@INPUT @MANUAL @USER, 否则为 id
+        """
         if self.username.startswith('@'):
             return self.username
-        return self.name
+        return str(self.id)
+
+    def is_virtual(self):
+        """
+        不要用 username 去判断，因为可能是构造的 account 对象，设置了同名账号的用户名,
+        """
+        return self.alias.startswith('@')
+
+    def is_ds_account(self):
+        if self.is_virtual():
+            return ''
+        if not self.asset.is_directory_service:
+            return False
+        return True
+
+    @lazyproperty
+    def ds(self):
+        if not self.is_ds_account():
+            return None
+        return self.asset.ds
+
+    @lazyproperty
+    def ds_domain(self):
+        """这个不能去掉，perm_account 会动态设置这个值，以更改 full_username"""
+        if self.is_virtual():
+            return ''
+        if self.ds and self.ds.domain_name:
+            return self.ds.domain_name
+        return ''
+
+    def username_has_domain(self):
+        return '@' in self.username or '\\' in self.username
+
+    @property
+    def full_username(self):
+        if not self.username_has_domain() and self.ds_domain:
+            return '{}@{}'.format(self.username, self.ds_domain)
+        return self.username
 
     @lazyproperty
     def has_secret(self):

apps/accounts/models/automations/check_account.py

@@ -68,8 +68,10 @@ class AccountRisk(JMSOrgBaseModel):
         related_name='risks', null=True
     )
     risk = models.CharField(max_length=128, verbose_name=_('Risk'), choices=RiskChoice.choices)
-    status = models.CharField(max_length=32, choices=ConfirmOrIgnore.choices, default=ConfirmOrIgnore.pending,
+    status = models.CharField(
-                              blank=True, verbose_name=_('Status'))
+        max_length=32, choices=ConfirmOrIgnore.choices, default=ConfirmOrIgnore.pending,
+        blank=True, verbose_name=_('Status')
+    )
     details = models.JSONField(default=list, verbose_name=_('Detail'))
 
     class Meta:
@@ -119,6 +121,9 @@ class CheckAccountEngine(JMSBaseModel):
     def __str__(self):
         return self.name
 
+    class Meta:
+        verbose_name = _('Check engine')
+
     @staticmethod
     def get_default_engines():
         data = [
@@ -128,7 +133,7 @@ class CheckAccountEngine(JMSBaseModel):
                 "name": _("Check the discovered accounts"),
                 "comment": _(
                     "Perform checks and analyses based on automatically discovered account results, "
-                    "including user groups, public keys, sudoers, and other information"
+                    "including user groups, public keys, sudoers, and other information."
                 )
             },
             {
@@ -144,13 +149,13 @@ class CheckAccountEngine(JMSBaseModel):
                 "id": "00000000-0000-0000-0000-000000000003",
                 "slug": "check_account_repeat",
                 "name": _("Check if the account and password are repeated"),
-                "comment": _("Check if the account is the same as other accounts")
+                "comment": _("Check if the account is the same as other accounts.")
             },
             {
                 "id": "00000000-0000-0000-0000-000000000004",
                 "slug": "check_account_leak",
                 "name": _("Check whether the account password is a common password"),
-                "comment": _("Check whether the account password is a commonly leaked password")
+                "comment": _("Check whether the account password is a commonly leaked password.")
             },
         ]
         return data

apps/accounts/models/virtual.py

@@ -92,8 +92,9 @@ class VirtualAccount(JMSOrgBaseModel):
         from .account import Account
         username = user.username
 
+        alias = AliasAccount.USER.value
         with tmp_to_org(asset.org):
-            same_account = cls.objects.filter(alias='@USER').first()
+            same_account = cls.objects.filter(alias=alias).first()
 
         secret = ''
         if same_account and same_account.secret_from_login:
@@ -101,4 +102,6 @@ class VirtualAccount(JMSOrgBaseModel):
 
         if not secret and not from_permed:
             secret = input_secret
-        return Account(name=AliasAccount.USER.label, username=username, secret=secret)
+        account = Account(name=AliasAccount.USER.label, username=username, secret=secret)
+        account.alias = alias
+        return account

apps/accounts/notifications.py

@@ -6,6 +6,7 @@ from common.tasks import send_mail_attachment_async, upload_backup_to_obj_storag
 from notifications.notifications import UserMessage
 from terminal.models.component.storage import ReplayStorage
 from users.models import User
+from users.utils import activate_user_language
 
 
 class AccountBackupExecutionTaskMsg:
@@ -28,9 +29,10 @@ class AccountBackupExecutionTaskMsg:
                      ).format(name)
 
     def publish(self, attachment_list=None):
-        send_mail_attachment_async(
+        with activate_user_language(self.user):
-            self.subject, self.message, [self.user.email], attachment_list
+            send_mail_attachment_async(
-        )
+                self.subject, self.message, [self.user.email], attachment_list
+            )
 
 
 class AccountBackupByObjStorageExecutionTaskMsg:
@@ -74,9 +76,10 @@ class ChangeSecretExecutionTaskMsg:
         return self.summary + '\n' + default_message
 
     def publish(self, attachments=None):
-        send_mail_attachment_async(
+        with activate_user_language(self.user):
-            self.subject, self.message, [self.user.email], attachments
+            send_mail_attachment_async(
-        )
+                self.subject, self.message, [self.user.email], attachments
+            )
 
 
 class GatherAccountChangeMsg(UserMessage):

apps/accounts/risk_handlers.py

@@ -23,7 +23,7 @@ TYPE_CHOICES = [
     ("delete_both", _("Delete remote")),
     ("add_account", _("Add account")),
     ("change_password_add", _("Change password and Add")),
-    ("change_password", _("Change password")),
+    ("change_password", _("Change secret")),
 ]
 
 

apps/accounts/serializers/account/account.py

@@ -233,6 +233,7 @@ class AccountSerializer(AccountCreateUpdateSerializerMixin, BaseAccountSerialize
         required=False, queryset=Account.objects, allow_null=True, allow_empty=True,
         label=_('Su from'), attrs=('id', 'name', 'username')
     )
+    ds = ObjectRelatedField(read_only=True, label=_('Directory service'), attrs=('id', 'name', 'domain_name'))
 
     class Meta(BaseAccountSerializer.Meta):
         model = Account
@@ -241,10 +242,11 @@ class AccountSerializer(AccountCreateUpdateSerializerMixin, BaseAccountSerialize
             'date_change_secret', 'change_secret_status'
         ]
         fields = BaseAccountSerializer.Meta.fields + [
-            'su_from', 'asset', 'version',
+            'su_from', 'asset', 'version', 'ds',
             'source', 'source_id', 'secret_reset',
         ] + AccountCreateUpdateSerializerMixin.Meta.fields + automation_fields
         read_only_fields = BaseAccountSerializer.Meta.read_only_fields + automation_fields
+        fields = [f for f in fields if f not in ['spec_info']]
         extra_kwargs = {
             **BaseAccountSerializer.Meta.extra_kwargs,
             'name': {'required': False},
@@ -258,7 +260,7 @@ class AccountSerializer(AccountCreateUpdateSerializerMixin, BaseAccountSerialize
         queryset = queryset.prefetch_related(
             'asset', 'asset__platform',
             'asset__platform__automation'
-        ).prefetch_related('labels', 'labels__label')
+        )
         return queryset
 
 
@@ -267,7 +269,7 @@ class AccountDetailSerializer(AccountSerializer):
 
     class Meta(AccountSerializer.Meta):
         model = Account
-        fields = AccountSerializer.Meta.fields + ['has_secret']
+        fields = AccountSerializer.Meta.fields + ['has_secret', 'spec_info']
         read_only_fields = AccountSerializer.Meta.read_only_fields + ['has_secret']
 
 

apps/accounts/serializers/account/base.py

@@ -75,7 +75,7 @@ class BaseAccountSerializer(
         fields_mini = ["id", "name", "username"]
         fields_small = fields_mini + [
             "secret_type", "secret", "passphrase",
-            "privileged", "is_active", "spec_info",
+            "privileged", "is_active",
         ]
         fields_other = ["created_by", "date_created", "date_updated", "comment"]
         fields = fields_small + fields_other + ["labels"]

apps/accounts/serializers/account/service.py

@@ -1,9 +1,11 @@
+from django.templatetags.static import static
 from django.utils.translation import gettext_lazy as _
 from rest_framework import serializers
 
 from accounts.models import IntegrationApplication
 from acls.serializers.rules import ip_group_child_validator, ip_group_help_text
 from common.serializers.fields import JSONManyToManyField
+from common.utils import random_string
 from orgs.mixins.serializers import BulkOrgResourceModelSerializer
 
 
@@ -27,13 +29,18 @@ class IntegrationApplicationSerializer(BulkOrgResourceModelSerializer):
             'name': {'label': _('Name')},
             'accounts_amount': {'label': _('Accounts amount')},
             'is_active': {'default': True},
+            'logo': {'required': False},
         }
 
-    def __init__(self, *args, **kwargs):
+    def to_representation(self, instance):
-        super().__init__(*args, **kwargs)
+        data = super().to_representation(instance)
-        request_method = self.context.get('request').method
+        if not data.get('logo'):
-        if request_method == 'PUT':
+            data['logo'] = static('img/logo.png')
-            self.fields['logo'].required = False
+        return data
+
+    def validate(self, attrs):
+        attrs['secret'] = random_string(36)
+        return attrs
 
 
 class IntegrationAccountSecretSerializer(serializers.Serializer):

apps/accounts/serializers/account/template.py

@@ -57,11 +57,15 @@ class AccountTemplateSerializer(BaseAccountSerializer):
         fields_unimport_template = ['push_params']
 
 
-class AccountTemplateSecretSerializer(SecretReadableMixin, AccountTemplateSerializer):
+class AccountDetailTemplateSerializer(AccountTemplateSerializer):
     class Meta(AccountTemplateSerializer.Meta):
         fields = AccountTemplateSerializer.Meta.fields + ['spec_info']
+
+
+class AccountTemplateSecretSerializer(SecretReadableMixin, AccountDetailTemplateSerializer):
+    class Meta(AccountDetailTemplateSerializer.Meta):
+        fields = AccountDetailTemplateSerializer.Meta.fields
         extra_kwargs = {
-            **AccountTemplateSerializer.Meta.extra_kwargs,
+            **AccountDetailTemplateSerializer.Meta.extra_kwargs,
             'secret': {'write_only': False},
-            'spec_info': {'label': _('Spec info')},
         }

apps/accounts/serializers/automations/backup.py

@@ -1,8 +1,9 @@
 # -*- coding: utf-8 -*-
 #
+from django.conf import settings
 from django.utils.translation import gettext_lazy as _
 
-from accounts.const import AutomationTypes
+from accounts.const import AutomationTypes, AccountBackupType
 from accounts.models import BackupAccountAutomation
 from common.serializers.fields import EncryptedField
 from common.utils import get_logger
@@ -41,6 +42,17 @@ class BackupAccountSerializer(BaseAutomationSerializer):
             'types': {'label': _('Asset type')}
         }
 
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.set_backup_type_choices()
+
+    def set_backup_type_choices(self):
+        field_backup_type = self.fields.get("backup_type")
+        if not field_backup_type:
+            return
+        if not settings.XPACK_LICENSE_IS_VALID:
+            field_backup_type._choices.pop(AccountBackupType.object_storage, None)
+
     @property
     def model_type(self):
         return AutomationTypes.backup_account

apps/accounts/serializers/automations/change_secret.py

@@ -16,6 +16,7 @@ from assets.models import Asset
 from common.serializers.fields import LabeledChoiceField, ObjectRelatedField
 from common.utils import get_logger
 from .base import BaseAutomationSerializer
+from ...utils import account_secret_task_status
 
 logger = get_logger(__file__)
 
@@ -26,6 +27,7 @@ __all__ = [
     'ChangeSecretRecordBackUpSerializer',
     'ChangeSecretUpdateAssetSerializer',
     'ChangeSecretUpdateNodeSerializer',
+    'ChangeSecretAccountSerializer'
 ]
 
 
@@ -179,3 +181,24 @@ class ChangeSecretUpdateNodeSerializer(serializers.ModelSerializer):
     class Meta:
         model = ChangeSecretAutomation
         fields = ['id', 'nodes']
+
+
+class ChangeSecretAccountSerializer(serializers.ModelSerializer):
+    asset = ObjectRelatedField(
+        queryset=Asset.objects.all(), required=False, label=_("Asset")
+    )
+    ttl = serializers.SerializerMethodField(label=_('TTL'))
+    meta = serializers.SerializerMethodField(label=_('Meta'))
+
+    class Meta:
+        model = Account
+        fields = ['id', 'username', 'asset', 'meta', 'ttl']
+        read_only_fields = fields
+
+    @staticmethod
+    def get_meta(obj):
+        return account_secret_task_status.get(str(obj.id))
+
+    @staticmethod
+    def get_ttl(obj):
+        return account_secret_task_status.get_ttl(str(obj.id))

apps/accounts/serializers/automations/gather_account.py

@@ -28,7 +28,7 @@ class DiscoverAccountAutomationSerializer(BaseAutomationSerializer):
                   + read_only_fields)
         extra_kwargs = {
             'check_risk': {
-                'help_text': _('Whether to check the risk of the gathered accounts.'),
+                'help_text': _('Whether to check the risk of the discovered accounts.'),
             },
             **BaseAutomationSerializer.Meta.extra_kwargs
         }

apps/accounts/tasks/automation.py

@@ -1,4 +1,5 @@
 import datetime
+from collections import defaultdict
 
 from celery import shared_task
 from django.db.models import Q
@@ -72,24 +73,43 @@ def execute_automation_record_task(record_ids, tp):
     task_name = gettext_noop('Execute automation record')
 
     with tmp_to_root_org():
-        records = ChangeSecretRecord.objects.filter(id__in=record_ids)
+        records = ChangeSecretRecord.objects.filter(id__in=record_ids).order_by('-date_updated')
 
     if not records:
-        logger.error('No automation record found: {}'.format(record_ids))
+        logger.error(f'No automation record found: {record_ids}')
         return
 
-    record = records[0]
+    seen_accounts = set()
-    record_map = {f'{record.asset_id}-{record.account_id}': str(record.id) for record in records}
+    unique_records = []
-    task_snapshot = {
+    for rec in records:
-        'params': {},
+        acct = str(rec.account_id)
-        'record_map': record_map,
+        if acct not in seen_accounts:
-        'secret': record.new_secret,
+            seen_accounts.add(acct)
-        'secret_type': record.execution.snapshot.get('secret_type'),
+            unique_records.append(rec)
-        'assets': [str(instance.asset_id) for instance in records],
+
-        'accounts': [str(instance.account_id) for instance in records],
+    exec_groups = defaultdict(list)
-    }
+    for rec in unique_records:
-    with tmp_to_org(record.execution.org_id):
+        exec_groups[rec.execution_id].append(rec)
-        quickstart_automation_by_snapshot(task_name, tp, task_snapshot)
+
+    for __, group in exec_groups.items():
+        latest_rec = group[0]
+        snapshot = getattr(latest_rec.execution, 'snapshot', {}) or {}
+
+        record_map = {f"{r.asset_id}-{r.account_id}": str(r.id) for r in group}
+        assets = [str(r.asset_id) for r in group]
+        accounts = [str(r.account_id) for r in group]
+
+        task_snapshot = {
+            'params': {},
+            'record_map': record_map,
+            'secret': latest_rec.new_secret,
+            'secret_type': snapshot.get('secret_type'),
+            'assets': assets,
+            'accounts': accounts,
+        }
+
+        with tmp_to_org(latest_rec.execution.org_id):
+            quickstart_automation_by_snapshot(task_name, tp, task_snapshot)
 
 
 @shared_task(
@@ -107,16 +127,18 @@ def execute_automation_record_task(record_ids, tp):
 )
 @register_as_period_task(crontab=CRONTAB_AT_AM_THREE)
 def clean_change_secret_and_push_record_period():
-    from accounts.models import ChangeSecretRecord
+    from accounts.models import ChangeSecretRecord, PushSecretRecord
     print('Start clean change secret and push record period')
     with tmp_to_root_org():
         now = timezone.now()
         days = get_log_keep_day('ACCOUNT_CHANGE_SECRET_RECORD_KEEP_DAYS')
-        expired_day = now - datetime.timedelta(days=days)
+        expired_time = now - datetime.timedelta(days=days)
-        records = ChangeSecretRecord.objects.filter(
-            date_updated__lt=expired_day
-        ).filter(
-            Q(execution__isnull=True) | Q(asset__isnull=True) | Q(account__isnull=True)
-        )
 
-        records.delete()
+        null_related_q = Q(execution__isnull=True) | Q(asset__isnull=True) | Q(account__isnull=True)
+        expired_q = Q(date_updated__lt=expired_time)
+
+        ChangeSecretRecord.objects.filter(null_related_q).delete()
+        ChangeSecretRecord.objects.filter(expired_q).delete()
+
+        PushSecretRecord.objects.filter(null_related_q).delete()
+        PushSecretRecord.objects.filter(expired_q).delete()

apps/accounts/tasks/push_account.py

@@ -1,37 +1,107 @@
+from collections import defaultdict
+
 from celery import shared_task
 from django.utils.translation import gettext_noop, gettext_lazy as _
 
-from accounts.const import AutomationTypes
+from accounts.const import AutomationTypes, ChangeSecretAccountStatus
 from accounts.tasks.common import quickstart_automation_by_snapshot
+from accounts.utils import account_secret_task_status
 from common.utils import get_logger
+from orgs.utils import tmp_to_org
 
 logger = get_logger(__file__)
 __all__ = [
-    'push_accounts_to_assets_task',
+    'push_accounts_to_assets_task', 'change_secret_accounts_to_assets_task'
 ]
 
 
+def _process_accounts(account_ids, automation_model, default_name, automation_type, snapshot=None):
+    from accounts.models import Account
+    accounts = Account.objects.filter(id__in=account_ids)
+    if not accounts:
+        logger.warning(
+            "No accounts found for automation task %s with ids %s",
+            automation_type, account_ids
+        )
+        return
+
+    task_name = automation_model.generate_unique_name(gettext_noop(default_name))
+    snapshot = snapshot or {}
+    snapshot.update({
+        'accounts': [str(a.id) for a in accounts],
+        'assets': [str(a.asset_id) for a in accounts],
+    })
+
+    quickstart_automation_by_snapshot(task_name, automation_type, snapshot)
+
+
 @shared_task(
     queue="ansible",
     verbose_name=_('Push accounts to assets'),
     activity_callback=lambda self, account_ids, *args, **kwargs: (account_ids, None),
     description=_(
-        "When creating or modifying an account requires account push, this task is executed"
+        "Whenever an account is created or modified and needs pushing to assets, run this task"
     )
 )
 def push_accounts_to_assets_task(account_ids, params=None):
     from accounts.models import PushAccountAutomation
-    from accounts.models import Account
+    snapshot = {
-
-    accounts = Account.objects.filter(id__in=account_ids)
-    task_name = gettext_noop("Push accounts to assets")
-    task_name = PushAccountAutomation.generate_unique_name(task_name)
-
-    task_snapshot = {
-        'accounts': [str(account.id) for account in accounts],
-        'assets': [str(account.asset_id) for account in accounts],
         'params': params or {},
     }
+    _process_accounts(
+        account_ids,
+        PushAccountAutomation,
+        _("Push accounts to assets"),
+        AutomationTypes.push_account,
+        snapshot=snapshot
+    )
 
-    tp = AutomationTypes.push_account
+
-    quickstart_automation_by_snapshot(task_name, tp, task_snapshot)
+@shared_task(
+    queue="ansible",
+    verbose_name=_('Change secret accounts to assets'),
+    activity_callback=lambda self, account_ids, *args, **kwargs: (account_ids, None),
+    description=_(
+        "When a secret on an account changes and needs pushing to assets, run this task"
+    )
+)
+def change_secret_accounts_to_assets_task(account_ids, params=None, snapshot=None, trigger='manual'):
+    from accounts.models import ChangeSecretAutomation, Account
+
+    manager = account_secret_task_status
+
+    if trigger == 'delay':
+        for _id in manager.account_ids:
+            status = manager.get_status(_id)
+            # Check if the account is in QUEUED status
+            if status == ChangeSecretAccountStatus.QUEUED:
+                account_ids.append(_id)
+                manager.set_status(_id, ChangeSecretAccountStatus.READY)
+
+    if not account_ids:
+        return
+
+    accounts = Account.objects.filter(id__in=account_ids)
+    if not accounts:
+        logger.warning(
+            "No accounts found for change secret automation task with ids %s",
+            account_ids
+        )
+        return
+
+    grouped_ids = defaultdict(lambda: defaultdict(list))
+    for account in accounts:
+        grouped_ids[account.org_id][account.secret_type].append(str(account.id))
+
+    snapshot = snapshot or {}
+    for org_id, secret_map in grouped_ids.items():
+        with tmp_to_org(org_id):
+            for secret_type, ids in secret_map.items():
+                snapshot['secret_type'] = secret_type
+                _process_accounts(
+                    ids,
+                    ChangeSecretAutomation,
+                    _("Change secret accounts to assets"),
+                    AutomationTypes.change_secret,
+                    snapshot=snapshot
+                )

apps/accounts/templates/accounts/gather_account_report.html

@@ -129,7 +129,7 @@
         </tbody>
       </table>
       {% else %}
-      <p class="no-data">{% trans 'No new accounts found' %}</p>
+      <p class="no-data">{% trans 'No lost accounts found' %}</p>
       {% endif %}
     </div>
   </section>

apps/accounts/urls.py

@@ -17,6 +17,7 @@ router.register(r'account-template-secrets', api.AccountTemplateSecretsViewSet,
 router.register(r'account-backup-plans', api.BackupAccountViewSet, 'account-backup')
 router.register(r'account-backup-plan-executions', api.BackupAccountExecutionViewSet, 'account-backup-execution')
 router.register(r'change-secret-automations', api.ChangeSecretAutomationViewSet, 'change-secret-automation')
+router.register(r'change-secret-status', api.ChangeSecretStatusViewSet, 'change-secret-status')
 router.register(r'change-secret-executions', api.ChangSecretExecutionViewSet, 'change-secret-execution')
 router.register(r'change-secret-records', api.ChangeSecretRecordViewSet, 'change-secret-record')
 router.register(r'gather-account-automations', api.DiscoverAccountsAutomationViewSet, 'gather-account-automation')

apps/accounts/utils.py

@@ -1,10 +1,11 @@
 import copy
 
+from django.conf import settings
+from django.core.cache import cache
 from django.utils.translation import gettext_lazy as _
 from rest_framework import serializers
 
 from accounts.const import SecretType, DEFAULT_PASSWORD_RULES
-
 from common.utils import ssh_key_gen, random_string
 from common.utils import validate_ssh_private_key, parse_ssh_private_key_str
 
@@ -61,3 +62,80 @@ def validate_ssh_key(ssh_key, passphrase=None):
     if not valid:
         raise serializers.ValidationError(_("private key invalid or passphrase error"))
     return parse_ssh_private_key_str(ssh_key, passphrase)
+
+
+class AccountSecretTaskStatus:
+
+    def __init__(
+            self,
+            prefix='queue:change_secret:',
+            debounce_key='debounce:change_secret:task',
+            debounce_timeout=10,
+            queue_status_timeout=60,
+            default_timeout=3600,
+            delayed_task_countdown=20,
+    ):
+        self.prefix = prefix
+        self.debounce_key = debounce_key
+        self.debounce_timeout = debounce_timeout
+        self.queue_status_timeout = queue_status_timeout
+        self.default_timeout = default_timeout
+        self.delayed_task_countdown = delayed_task_countdown
+        self.enabled = getattr(settings, 'CHANGE_SECRET_AFTER_SESSION_END', False)
+
+    def _key(self, identifier):
+        return f"{self.prefix}{identifier}"
+
+    @property
+    def account_ids(self):
+        for key in cache.iter_keys(f"{self.prefix}*"):
+            yield key.split(':')[-1]
+
+    def is_debounced(self):
+        return cache.add(self.debounce_key, True, self.debounce_timeout)
+
+    def get_queue_key(self, identifier):
+        return self._key(identifier)
+
+    def set_status(
+            self,
+            identifier,
+            status,
+            timeout=None,
+            metadata=None,
+            use_add=False
+    ):
+        if not self.enabled:
+            return
+
+        key = self._key(identifier)
+        data = {"status": status}
+        if metadata:
+            data.update(metadata)
+
+        if use_add:
+            return cache.add(key, data, timeout or self.queue_status_timeout)
+
+        cache.set(key, data, timeout or self.default_timeout)
+
+    def get(self, identifier):
+        return cache.get(self._key(identifier), {})
+
+    def get_status(self, identifier):
+        if not self.enabled:
+            return
+
+        record = cache.get(self._key(identifier), {})
+        return record.get("status")
+
+    def get_ttl(self, identifier):
+        return cache.ttl(self._key(identifier))
+
+    def clear(self, identifier):
+        if not self.enabled:
+            return
+
+        cache.delete(self._key(identifier))
+
+
+account_secret_task_status = AccountSecretTaskStatus()

apps/acls/const.py

@@ -8,6 +8,7 @@ class ActionChoices(models.TextChoices):
     review = 'review', _('Review')
     warning = 'warning', _('Warn')
     notice = 'notice', _('Notify')
-    notify_and_warn = 'notify_and_warn', _('Notify and warn')
+    notify_and_warn = 'notify_and_warn', _('Prompt and warn')
-    face_verify = 'face_verify', _('Face Verify')
+    face_verify = 'face_verify', _('Face verify')
-    face_online = 'face_online', _('Face Online')
+    face_online = 'face_online', _('Face online')
+    change_secret = 'change_secret', _('Secret rotation')

apps/acls/models/base.py

@@ -5,7 +5,7 @@ from django.utils.translation import gettext_lazy as _
 from common.db.fields import JSONManyToManyField
 from common.db.models import JMSBaseModel
 from common.utils import contains_ip
-from common.utils.time_period import contains_time_period
+from common.utils.timezone import contains_time_period
 from orgs.mixins.models import OrgModelMixin, OrgManager
 from ..const import ActionChoices
 

apps/acls/models/command_acl.py

@@ -34,16 +34,16 @@ class CommandGroup(JMSOrgBaseModel):
 
     @lazyproperty
     def pattern(self):
+        content = self.content.replace('\r\n', '\n')
         if self.type == 'command':
-            s = self.construct_command_regex(self.content)
+            s = self.construct_command_regex(content)
         else:
-            s = r'{0}'.format(self.content)
+            s = r'{0}'.format(r'{}'.format('|'.join(content.split('\n'))))
         return s
 
     @classmethod
     def construct_command_regex(cls, content):
         regex = []
-        content = content.replace('\r\n', '\n')
         for _cmd in content.split('\n'):
             cmd = re.sub(r'\s+', ' ', _cmd)
             cmd = re.escape(cmd)

apps/acls/serializers/base.py

@@ -79,6 +79,8 @@ class ActionAclSerializer(serializers.Serializer):
             field_action._choices.pop(ActionChoices.face_online, None)
         for choice in self.Meta.action_choices_exclude:
             field_action._choices.pop(choice, None)
+        if not settings.XPACK_LICENSE_IS_VALID or not settings.CHANGE_SECRET_AFTER_SESSION_END:
+            field_action._choices.pop(ActionChoices.change_secret, None)
 
 
 class BaseACLSerializer(ActionAclSerializer, serializers.Serializer):

apps/acls/serializers/command_acl.py

@@ -32,9 +32,12 @@ class CommandFilterACLSerializer(BaseSerializer, BulkOrgResourceModelSerializer)
     class Meta(BaseSerializer.Meta):
         model = CommandFilterACL
         fields = BaseSerializer.Meta.fields + ['command_groups']
-        action_choices_exclude = [ActionChoices.notice,
+        action_choices_exclude = [
-                                  ActionChoices.face_verify,
+            ActionChoices.notice,
-                                  ActionChoices.face_online]
+            ActionChoices.face_verify,
+            ActionChoices.face_online,
+            ActionChoices.change_secret
+        ]
 
 
 class CommandReviewSerializer(serializers.Serializer):

apps/acls/serializers/connect_method.py

@@ -14,5 +14,10 @@ class ConnectMethodACLSerializer(BaseSerializer, BulkOrgResourceModelSerializer)
             if i not in ['assets', 'accounts']
         ]
         action_choices_exclude = BaseSerializer.Meta.action_choices_exclude + [
-            ActionChoices.review, ActionChoices.accept, ActionChoices.notice
+            ActionChoices.review,
+            ActionChoices.accept,
+            ActionChoices.notice,
+            ActionChoices.face_verify,
+            ActionChoices.face_online,
+            ActionChoices.change_secret
         ]

apps/acls/serializers/login_acl.py

@@ -18,7 +18,13 @@ class LoginACLSerializer(BaseUserACLSerializer, BulkOrgResourceModelSerializer):
     class Meta(BaseUserACLSerializer.Meta):
         model = LoginACL
         fields = BaseUserACLSerializer.Meta.fields + ['rules', ]
-        action_choices_exclude = [ActionChoices.face_online, ActionChoices.face_verify]
+        action_choices_exclude = [
+            ActionChoices.warning,
+            ActionChoices.notify_and_warn,
+            ActionChoices.face_online,
+            ActionChoices.face_verify,
+            ActionChoices.change_secret
+        ]
 
     def get_rules_serializer(self):
         return RuleSerializer()

apps/acls/serializers/rules/rules.py

@@ -1,5 +1,7 @@
 # coding: utf-8
 #
+from urllib.parse import urlparse
+
 from django.utils.translation import gettext_lazy as _
 from rest_framework import serializers
 
@@ -8,7 +10,7 @@ from common.utils.ip import is_ip_address, is_ip_network, is_ip_segment
 
 logger = get_logger(__file__)
 
-__all__ = ['RuleSerializer', 'ip_group_child_validator', 'ip_group_help_text']
+__all__ = ['RuleSerializer', 'ip_group_child_validator', 'ip_group_help_text', 'address_validator']
 
 
 def ip_group_child_validator(ip_group_child):
@@ -21,6 +23,19 @@ def ip_group_child_validator(ip_group_child):
         raise serializers.ValidationError(error)
 
 
+def address_validator(value):
+    parsed = urlparse(value)
+    is_basic_url = parsed.scheme in ('http', 'https') and parsed.netloc
+    is_valid = value == '*' \
+               or is_ip_address(value) \
+               or is_ip_network(value) \
+               or is_ip_segment(value) \
+               or is_basic_url
+    if not is_valid:
+        error = _('address invalid: `{}`').format(value)
+        raise serializers.ValidationError(error)
+
+
 ip_group_help_text = _(
     'With * indicating a match all. '
     'Such as: '

apps/assets/api/__init__.py

@@ -1,10 +1,10 @@
 from .asset import *
 from .category import *
-from .domain import *
 from .favorite_asset import *
 from .mixin import *
+from .my_asset import *
 from .node import *
 from .platform import *
 from .protocol import *
 from .tree import *
-from .my_asset import *
+from .zone import *

apps/assets/api/asset/__init__.py

@@ -3,6 +3,7 @@ from .cloud import *
 from .custom import *
 from .database import *
 from .device import *
+from .ds import *
 from .gpt import *
 from .host import *
 from .permission import *

apps/assets/api/asset/asset.py

@@ -11,6 +11,7 @@ from rest_framework.decorators import action
 from rest_framework.response import Response
 from rest_framework.status import HTTP_200_OK
 
+from accounts.serializers import AccountSerializer
 from accounts.tasks import push_accounts_to_assets_task, verify_accounts_connectivity_task
 from assets import serializers
 from assets.exceptions import NotSupportedTemporarilyError
@@ -36,12 +37,12 @@ class AssetFilterSet(BaseFilterSet):
     platform = drf_filters.CharFilter(method='filter_platform')
     is_gateway = drf_filters.BooleanFilter(method='filter_is_gateway')
     exclude_platform = drf_filters.CharFilter(field_name="platform__name", lookup_expr='exact', exclude=True)
-    domain = drf_filters.CharFilter(method='filter_domain')
+    zone = drf_filters.CharFilter(method='filter_zone')
     type = drf_filters.CharFilter(field_name="platform__type", lookup_expr="exact")
     category = drf_filters.CharFilter(field_name="platform__category", lookup_expr="exact")
     protocols = drf_filters.CharFilter(method='filter_protocols')
-    domain_enabled = drf_filters.BooleanFilter(
+    gateway_enabled = drf_filters.BooleanFilter(
-        field_name="platform__domain_enabled", lookup_expr="exact"
+        field_name="platform__gateway_enabled", lookup_expr="exact"
     )
     ping_enabled = drf_filters.BooleanFilter(
         field_name="platform__automation__ping_enabled", lookup_expr="exact"
@@ -84,11 +85,11 @@ class AssetFilterSet(BaseFilterSet):
         return queryset
 
     @staticmethod
-    def filter_domain(queryset, name, value):
+    def filter_zone(queryset, name, value):
         if is_uuid(value):
-            return queryset.filter(domain_id=value)
+            return queryset.filter(zone_id=value)
         else:
-            return queryset.filter(domain__name__contains=value)
+            return queryset.filter(zone__name__contains=value)
 
     @staticmethod
     def filter_protocols(queryset, name, value):
@@ -96,10 +97,10 @@ class AssetFilterSet(BaseFilterSet):
         return queryset.filter(protocols__name__in=value).distinct()
 
 
-class AssetViewSet(SuggestionMixin, OrgBulkModelViewSet):
+class BaseAssetViewSet(OrgBulkModelViewSet):
-    """
-    API endpoint that allows Asset to be viewed or edited.
     """
+      API endpoint that allows Asset to be viewed or edited.
+      """
     model = Asset
     filterset_class = AssetFilterSet
     search_fields = ("name", "address", "comment")
@@ -109,18 +110,19 @@ class AssetViewSet(SuggestionMixin, OrgBulkModelViewSet):
         ("platform", serializers.PlatformSerializer),
         ("suggestion", serializers.MiniAssetSerializer),
         ("gateways", serializers.GatewaySerializer),
+        ("accounts", AccountSerializer),
     )
     rbac_perms = (
         ("match", "assets.match_asset"),
         ("platform", "assets.view_platform"),
         ("gateways", "assets.view_gateway"),
+        ("accounts", "assets.view_account"),
         ("spec_info", "assets.view_asset"),
         ("gathered_info", "assets.view_asset"),
         ("sync_platform_protocols", "assets.change_asset"),
     )
     extra_filter_backends = [
-        IpInFilterBackend,
+        IpInFilterBackend, NodeFilterBackend, AttrRulesFilterBackend
-        NodeFilterBackend, AttrRulesFilterBackend
     ]
 
     def perform_destroy(self, instance):
@@ -141,6 +143,25 @@ class AssetViewSet(SuggestionMixin, OrgBulkModelViewSet):
             return retrieve_cls
         return cls
 
+    def paginate_queryset(self, queryset):
+        page = super().paginate_queryset(queryset)
+        if page:
+            page = Asset.compute_all_accounts_amount(page)
+        return page
+
+    def create(self, request, *args, **kwargs):
+        if request.path.find('/api/v1/assets/assets/') > -1:
+            error = _('Cannot create asset directly, you should create a host or other')
+            return Response({'error': error}, status=400)
+
+        if not settings.XPACK_LICENSE_IS_VALID and self.model.objects.order_by().count() >= 5000:
+            error = _('The number of assets exceeds the limit of 5000')
+            return Response({'error': error}, status=400)
+
+        return super().create(request, *args, **kwargs)
+
+
+class AssetViewSet(SuggestionMixin, BaseAssetViewSet):
     @action(methods=["GET"], detail=True, url_path="platform")
     def platform(self, *args, **kwargs):
         asset = super().get_object()
@@ -150,10 +171,10 @@ class AssetViewSet(SuggestionMixin, OrgBulkModelViewSet):
     @action(methods=["GET"], detail=True, url_path="gateways")
     def gateways(self, *args, **kwargs):
         asset = self.get_object()
-        if not asset.domain:
+        if not asset.zone:
             gateways = Gateway.objects.none()
         else:
-            gateways = asset.domain.gateways
+            gateways = asset.zone.gateways
         return self.get_paginated_response_from_queryset(gateways)
 
     @action(methods=['post'], detail=False, url_path='sync-platform-protocols')
@@ -189,17 +210,6 @@ class AssetViewSet(SuggestionMixin, OrgBulkModelViewSet):
         Protocol.objects.bulk_create(objs)
         return Response(status=status.HTTP_200_OK)
 
-    def create(self, request, *args, **kwargs):
-        if request.path.find('/api/v1/assets/assets/') > -1:
-            error = _('Cannot create asset directly, you should create a host or other')
-            return Response({'error': error}, status=400)
-
-        if not settings.XPACK_LICENSE_IS_VALID and self.model.objects.order_by().count() >= 5000:
-            error = _('The number of assets exceeds the limit of 5000')
-            return Response({'error': error}, status=400)
-
-        return super().create(request, *args, **kwargs)
-
     def filter_bulk_update_data(self):
         bulk_data = []
         skip_assets = []

apps/assets/api/asset/cloud.py

@@ -1,12 +1,12 @@
 from assets.models import Cloud, Asset
 from assets.serializers import CloudSerializer
 
-from .asset import AssetViewSet
+from .asset import BaseAssetViewSet
 
 __all__ = ['CloudViewSet']
 
 
-class CloudViewSet(AssetViewSet):
+class CloudViewSet(BaseAssetViewSet):
     model = Cloud
     perm_model = Asset
 

apps/assets/api/asset/custom.py

@@ -1,12 +1,12 @@
 from assets.models import Custom, Asset
 from assets.serializers import CustomSerializer
 
-from .asset import AssetViewSet
+from .asset import BaseAssetViewSet
 
 __all__ = ['CustomViewSet']
 
 
-class CustomViewSet(AssetViewSet):
+class CustomViewSet(BaseAssetViewSet):
     model = Custom
     perm_model = Asset
 

apps/assets/api/asset/database.py

@@ -1,12 +1,12 @@
 from assets.models import Database, Asset
 from assets.serializers import DatabaseSerializer
 
-from .asset import AssetViewSet
+from .asset import BaseAssetViewSet
 
 __all__ = ['DatabaseViewSet']
 
 
-class DatabaseViewSet(AssetViewSet):
+class DatabaseViewSet(BaseAssetViewSet):
     model = Database
     perm_model = Asset
 

apps/assets/api/asset/device.py

@@ -1,11 +1,11 @@
-from assets.serializers import DeviceSerializer
 from assets.models import Device, Asset
-from .asset import AssetViewSet
+from assets.serializers import DeviceSerializer
+from .asset import BaseAssetViewSet
 
 __all__ = ['DeviceViewSet']
 
 
-class DeviceViewSet(AssetViewSet):
+class DeviceViewSet(BaseAssetViewSet):
     model = Device
     perm_model = Asset
 

apps/assets/api/asset/ds.py

@@ -0,0 +1,16 @@
+from assets.models import DirectoryService, Asset
+from assets.serializers import DSSerializer
+
+from .asset import BaseAssetViewSet
+
+__all__ = ['DSViewSet']
+
+
+class DSViewSet(BaseAssetViewSet):
+    model = DirectoryService
+    perm_model = Asset
+
+    def get_serializer_classes(self):
+        serializer_classes = super().get_serializer_classes()
+        serializer_classes['default'] = DSSerializer
+        return serializer_classes