perf: 改密替换校验可连接性方法 (#11224)

Co-authored-by: feng <1304903146@qq.com>
pull/11228/head
fit2bot 2023-08-08 17:26:29 +08:00 committed by GitHub
parent 99ce2bc946
commit 8ea3c3288b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 128 additions and 58 deletions


@ -73,20 +73,24 @@
- name: Refresh connection - name: Refresh connection
ansible.builtin.meta: reset_connection ansible.builtin.meta: reset_connection
- name: "Verify {{ account.username }} password" - name: "Verify {{ account.username }} password (paramiko)"
ansible.builtin.ping: ssh_ping:
become: no login_user: "{{ account.username }}"
vars: login_password: "{{ account.secret }}"
ansible_user: "{{ account.username }}" login_host: "{{ jms_asset.address }}"
ansible_password: "{{ account.secret }}" login_port: "{{ jms_asset.port }}"
ansible_become: no gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
become: false
when: account.secret_type == "password" when: account.secret_type == "password"
delegate_to: localhost
- name: "Verify {{ account.username }} SSH key" - name: "Verify {{ account.username }} SSH KEY (paramiko)"
ansible.builtin.ping: ssh_ping:
become: no login_host: "{{ jms_asset.address }}"
vars: login_port: "{{ jms_asset.port }}"
ansible_user: "{{ account.username }}" login_user: "{{ account.username }}"
ansible_ssh_private_key_file: "{{ account.private_key_path }}" login_private_key_path: "{{ account.private_key_path }}"
ansible_become: no gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
become: false
when: account.secret_type == "ssh_key" when: account.secret_type == "ssh_key"
delegate_to: localhost
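Review bot: `gateway_args` in both verify tasks hands the whole `jms_asset.ansible_ssh_common_args` string to `ssh_ping` as an ordinary module argument, and the argument spec added in this commit declares it without `no_log`. Judging by the pattern the module parses, that string can carry the gateway password after `sshpass -p`, so it would show up in module-invocation logging and verbose output on the host the task is delegated to. Declaring it as `gateway_args=dict(type='str', required=False, default='', no_log=True)` in the spec covers every caller. The same applies to the three identical playbook sections that follow.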


@ -73,20 +73,24 @@
- name: Refresh connection - name: Refresh connection
ansible.builtin.meta: reset_connection ansible.builtin.meta: reset_connection
- name: "Verify {{ account.username }} password" - name: "Verify {{ account.username }} password (paramiko)"
ansible.builtin.ping: ssh_ping:
become: no login_user: "{{ account.username }}"
vars: login_password: "{{ account.secret }}"
ansible_user: "{{ account.username }}" login_host: "{{ jms_asset.address }}"
ansible_password: "{{ account.secret }}" login_port: "{{ jms_asset.port }}"
ansible_become: no gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
become: false
when: account.secret_type == "password" when: account.secret_type == "password"
delegate_to: localhost
- name: "Verify {{ account.username }} SSH key" - name: "Verify {{ account.username }} SSH KEY (paramiko)"
ansible.builtin.ping: ssh_ping:
become: no login_host: "{{ jms_asset.address }}"
vars: login_port: "{{ jms_asset.port }}"
ansible_user: "{{ account.username }}" login_user: "{{ account.username }}"
ansible_ssh_private_key_file: "{{ account.private_key_path }}" login_private_key_path: "{{ account.private_key_path }}"
ansible_become: no gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
become: false
when: account.secret_type == "ssh_key" when: account.secret_type == "ssh_key"
delegate_to: localhost


@ -73,20 +73,25 @@
- name: Refresh connection - name: Refresh connection
ansible.builtin.meta: reset_connection ansible.builtin.meta: reset_connection
- name: "Verify {{ account.username }} password" - name: "Verify {{ account.username }} password (paramiko)"
ansible.builtin.ping: ssh_ping:
become: no login_user: "{{ account.username }}"
vars: login_password: "{{ account.secret }}"
ansible_user: "{{ account.username }}" login_host: "{{ jms_asset.address }}"
ansible_password: "{{ account.secret }}" login_port: "{{ jms_asset.port }}"
ansible_become: no gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
become: false
when: account.secret_type == "password" when: account.secret_type == "password"
delegate_to: localhost
- name: "Verify {{ account.username }} SSH key" - name: "Verify {{ account.username }} SSH KEY (paramiko)"
ansible.builtin.ping: ssh_ping:
become: no login_host: "{{ jms_asset.address }}"
vars: login_port: "{{ jms_asset.port }}"
ansible_user: "{{ account.username }}" login_user: "{{ account.username }}"
ansible_ssh_private_key_file: "{{ account.private_key_path }}" login_private_key_path: "{{ account.private_key_path }}"
ansible_become: no gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
become: false
when: account.secret_type == "ssh_key" when: account.secret_type == "ssh_key"
delegate_to: localhost


@ -73,20 +73,25 @@
- name: Refresh connection - name: Refresh connection
ansible.builtin.meta: reset_connection ansible.builtin.meta: reset_connection
- name: "Verify {{ account.username }} password" - name: "Verify {{ account.username }} password (paramiko)"
ansible.builtin.ping: ssh_ping:
become: no login_user: "{{ account.username }}"
vars: login_password: "{{ account.secret }}"
ansible_user: "{{ account.username }}" login_host: "{{ jms_asset.address }}"
ansible_password: "{{ account.secret }}" login_port: "{{ jms_asset.port }}"
ansible_become: no gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
become: false
when: account.secret_type == "password" when: account.secret_type == "password"
delegate_to: localhost
- name: "Verify {{ account.username }} SSH key" - name: "Verify {{ account.username }} SSH KEY (paramiko)"
ansible.builtin.ping: ssh_ping:
become: no login_host: "{{ jms_asset.address }}"
vars: login_port: "{{ jms_asset.port }}"
ansible_user: "{{ account.username }}" login_user: "{{ account.username }}"
ansible_ssh_private_key_file: "{{ account.private_key_path }}" login_private_key_path: "{{ account.private_key_path }}"
ansible_become: no gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
become: false
when: account.secret_type == "ssh_key" when: account.secret_type == "ssh_key"
delegate_to: localhost


@ -127,7 +127,9 @@ class JMSInventory:
} }
host['jms_asset']['port'] = port host['jms_asset']['port'] = port
else: else:
host.update(self.make_proxy_command(gateway)) ansible_ssh_common_args = self.make_proxy_command(gateway)
host['jms_asset'].update(ansible_ssh_common_args)
host.update(ansible_ssh_common_args)
@staticmethod @staticmethod
def get_primary_protocol(ansible_config, protocols): def get_primary_protocol(ansible_config, protocols):
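Review bot: The local `ansible_ssh_common_args` is passed to `.update()` twice, so it holds a dict rather than the argument string its name suggests; `proxy_vars = self.make_proxy_command(gateway)` would read more accurately. The copy into `host['jms_asset']` also deserves a comment, e.g. `# also exposed under jms_asset so tasks delegated to localhost can pass it as gateway_args`, since the playbooks in this commit read `jms_asset.ansible_ssh_common_args`. The enclosing method starts outside this hunk.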


@ -1,6 +1,8 @@
import re
import time import time
import paramiko import paramiko
from sshtunnel import SSHTunnelForwarder
def common_argument_spec(): def common_argument_spec():
@ -12,6 +14,7 @@ def common_argument_spec():
login_secret_type=dict(type='str', required=False, default='password'), login_secret_type=dict(type='str', required=False, default='password'),
login_private_key_path=dict(type='str', required=False, no_log=True), login_private_key_path=dict(type='str', required=False, no_log=True),
first_conn_delay_time=dict(type='float', required=False, default=0.5), first_conn_delay_time=dict(type='float', required=False, default=0.5),
gateway_args=dict(type='str', required=False, default=''),
become=dict(type='bool', default=False, required=False), become=dict(type='bool', default=False, required=False),
become_method=dict(type='str', required=False), become_method=dict(type='str', required=False),
@ -27,8 +30,10 @@ class SSHClient:
self.module = module self.module = module
self.channel = None self.channel = None
self.is_connect = False self.is_connect = False
self.gateway_server = None
self.client = paramiko.SSHClient() self.client = paramiko.SSHClient()
self.client.set_missing_host_key_policy(paramiko.AutoAddPolicy()) self.client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
self.connect_params = self.get_connect_params()
def get_connect_params(self): def get_connect_params(self):
params = { params = {
@ -90,11 +95,56 @@ class SSHClient:
err_msg = su_output err_msg = su_output
return err_msg return err_msg
def local_gateway_prepare(self):
gateway_args = self.module.params['gateway_args'] or ''
pattern = r"(?:sshpass -p ([\w@]+))?\s*ssh -o Port=(\d+)\s+-o StrictHostKeyChecking=no\s+([\w@]+)@([" \
r"\d.]+)\s+-W %h:%p -q(?: -i (.+))?'"
match = re.search(pattern, gateway_args)
if not match:
return
password, port, username, address, private_key_path = match.groups()
password = password if password else None
private_key_path = private_key_path if private_key_path else None
remote_hostname = self.module.params['login_host']
remote_port = self.module.params['login_port']
server = SSHTunnelForwarder(
(address, int(port)),
ssh_username=username,
ssh_password=password,
ssh_pkey=private_key_path,
remote_bind_address=(remote_hostname, remote_port)
)
server.start()
self.connect_params['hostname'] = '127.0.0.1'
self.connect_params['port'] = server.local_bind_port
self.gateway_server = server
def local_gateway_clean(self):
gateway_server = self.gateway_server
if not gateway_server:
return
try:
gateway_server.stop()
except Exception:
pass
def before_runner_start(self):
self.local_gateway_prepare()
def after_runner_end(self):
self.local_gateway_clean()
def connect(self): def connect(self):
try: try:
self.client.connect(**self.get_connect_params()) self.before_runner_start()
self.client.connect(**self.connect_params)
self.is_connect = True self.is_connect = True
err_msg = self.switch_user() err_msg = self.switch_user()
self.after_runner_end()
except Exception as err: except Exception as err:
err_msg = str(err) err_msg = str(err)
return err_msg return err_msg
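Review bot: In `local_gateway_prepare`, a non-empty `gateway_args` that fails the regex just returns, and `connect()` then proceeds with the unmodified `connect_params`, presumably a direct connection to `login_host` that skips the gateway. The address group `[\d.]+` and user group `[\w@]+` mean a gateway addressed by hostname, or a username containing `-` or `.`, would take that path. Raising in that case (without echoing `gateway_args`, which may hold the password) lets the existing `except` in `connect()` report it. Separately, `after_runner_end()` runs only on the success path, so a failed `client.connect` or `switch_user` leaves the started `SSHTunnelForwarder` running; moving the call into a `finally` stops it in both cases.

```python
    def local_gateway_prepare(self):
        gateway_args = self.module.params['gateway_args'] or ''
        if not gateway_args:
            return
        # … unchanged: pattern definition and re.search …
        if not match:
            # A gateway was requested but could not be parsed: fail instead of
            # falling through to a direct connection. The message deliberately
            # omits gateway_args, which may contain the gateway password.
            raise ValueError('gateway_args is not in the expected ProxyCommand form')
        # … unchanged: SSHTunnelForwarder setup and start …

    def connect(self):
        try:
            # … unchanged: before_runner_start, client.connect, switch_user …
        except Exception as err:
            err_msg = str(err)
        finally:
            # Stop the tunnel on failure as well as on success.
            self.after_runner_end()
        return err_msg
```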