fix: ansible 密码支持 {{ }} {% %} (#12354)

Co-authored-by: feng <1304903146@qq.com>

apps/accounts/automations/change_secret/manager.py

@@ -139,7 +139,7 @@ class ChangeSecretManager(AccountBasePlaybookManager):
                 'name': account.name,
                 'username': account.username,
                 'secret_type': secret_type,
-                'secret': new_secret,
+                'secret': account.escape_jinja2_syntax(new_secret),
                 'private_key_path': private_key_path,
                 'become': account.get_ansible_become_auth(),
             }

apps/accounts/automations/verify_account/manager.py

@@ -62,7 +62,7 @@ class VerifyAccountManager(AccountBasePlaybookManager):
                 'name': account.name,
                 'username': account.username,
                 'secret_type': account.secret_type,
-                'secret': secret,
+                'secret':  account.escape_jinja2_syntax(secret),
                 'private_key_path': private_key_path,
                 'become': account.get_ansible_become_auth(),
             }

apps/accounts/models/account.py

@@ -97,14 +97,13 @@ class Account(AbsConnectivity, LabeledMixin, BaseAccount):
         """ 排除自己和以自己为 su-from 的账号 """
         return self.asset.accounts.exclude(id=self.id).exclude(su_from=self)
 
-    @staticmethod
+    def make_account_ansible_vars(self, su_from):
-    def make_account_ansible_vars(su_from):
         var = {
             'ansible_user': su_from.username,
         }
         if not su_from.secret:
             return var
-        var['ansible_password'] = su_from.secret
+        var['ansible_password'] = self.escape_jinja2_syntax(su_from.secret)
         var['ansible_ssh_private_key_file'] = su_from.private_key_path
         return var
 
@@ -121,9 +120,22 @@ class Account(AbsConnectivity, LabeledMixin, BaseAccount):
         auth['ansible_become'] = True
         auth['ansible_become_method'] = become_method
         auth['ansible_become_user'] = self.username
-        auth['ansible_become_password'] = password
+        auth['ansible_become_password'] = self.escape_jinja2_syntax(password)
         return auth
 
+    @staticmethod
+    def escape_jinja2_syntax(value):
+        if not isinstance(value, str):
+            return value
+
+        value = value.replace('{{', '__TEMP_OPEN_BRACES__') \
+            .replace('}}', '__TEMP_CLOSE_BRACES__')
+
+        value = value.replace('__TEMP_OPEN_BRACES__', '{{ "{{" }}') \
+            .replace('__TEMP_CLOSE_BRACES__', '{{ "}}" }}')
+
+        return value.replace('{%', '{{ "{%" }}').replace('%}', '{{ "%}" }}')
+
 
 def replace_history_model_with_mixin():
     """

apps/accounts/utils.py

@@ -47,18 +47,7 @@ class SecretGenerator:
 
 def validate_password_for_ansible(password):
     """ 校验 Ansible 不支持的特殊字符 """
-    # validate password contains left double curly bracket
+    pass
-    # check password not contains `{{`
-    # Ansible 推送的时候不支持
-    if '{{' in password or '}}' in password:
-        raise serializers.ValidationError(_('Password can not contains `{{` or `}}`'))
-    if '{%' in password or '%}' in password:
-        raise serializers.ValidationError(_('Password can not contains `{%` or `%}`'))
-    # Ansible Windows 推送的时候不支持
-    # if "'" in password:
-    #     raise serializers.ValidationError(_("Password can not contains `'` "))
-    # if '"' in password:
-    #     raise serializers.ValidationError(_('Password can not contains `"` '))
 
 
 def validate_ssh_key(ssh_key, passphrase=None):

apps/ops/ansible/inventory.py

@@ -71,8 +71,9 @@ class JMSInventory:
         }
         if not account.secret:
             return var
+
         if account.secret_type == 'password':
-            var['ansible_password'] = account.secret
+            var['ansible_password'] = account.escape_jinja2_syntax(account.secret)
         elif account.secret_type == 'ssh_key':
             var['ansible_ssh_private_key_file'] = account.private_key_path
         return var
@@ -84,7 +85,7 @@ class JMSInventory:
             'custom_become': True,
             'custom_become_method': su_method,
             'custom_become_user': account.su_from.username,
-            'custom_become_password': account.su_from.secret,
+            'custom_become_password': account.escape_jinja2_syntax(account.su_from.secret),
             'custom_become_private_key_path': account.su_from.private_key_path
         }
         return var
@@ -109,7 +110,7 @@ class JMSInventory:
             host.update(self.make_account_ansible_vars(account))
             host['ansible_become'] = True
             host['ansible_become_user'] = 'root'
-            host['ansible_become_password'] = account.secret
+            host['ansible_become_password'] = account.escape_jinja2_syntax(account.secret)
         else:
             host.update(self.make_account_ansible_vars(account))
 
@@ -173,8 +174,8 @@ class JMSInventory:
             },
             'jms_account': {
                 'id': str(account.id), 'username': account.username,
-                'secret': account.secret, 'secret_type': account.secret_type,
+                'secret': account.escape_jinja2_syntax(account.secret),
-                'private_key_path': account.private_key_path
+                'secret_type': account.secret_type, 'private_key_path': account.private_key_path
             } if account else None
         }