perf: 自动化脱敏 aix (#9652)

Co-authored-by: feng <1304903146@qq.com>

apps/accounts/automations/change_secret/host/aix/main.yml

@@ -0,0 +1,54 @@
+- hosts: demo
+  gather_facts: no
+  tasks:
+    - name: Test privileged account
+      ansible.builtin.ping:
+
+    - name: Change password
+      ansible.builtin.user:
+        name: "{{ account.username }}"
+        password: "{{ account.secret | password_hash('des') }}"
+        update_password: always
+      when: secret_type == "password"
+
+    - name: create user If it already exists, no operation will be performed
+      ansible.builtin.user:
+        name: "{{ account.username }}"
+      when: secret_type == "ssh_key"
+
+    - name: remove jumpserver ssh key
+      ansible.builtin.lineinfile:
+        dest: "{{ kwargs.dest }}"
+        regexp: "{{ kwargs.regexp }}"
+        state: absent
+      when:
+      - secret_type == "ssh_key"
+      - kwargs.strategy == "set_jms"
+
+    - name: Change SSH key
+      ansible.builtin.authorized_key:
+        user: "{{ account.username }}"
+        key: "{{ account.secret }}"
+        exclusive: "{{ kwargs.exclusive }}"
+      when: secret_type == "ssh_key"
+
+    - name: Refresh connection
+      ansible.builtin.meta: reset_connection
+
+    - name: Verify password
+      ansible.builtin.ping:
+      become: no
+      vars:
+        ansible_user: "{{ account.username }}"
+        ansible_password: "{{ account.secret }}"
+        ansible_become: no
+      when: secret_type == "password"
+
+    - name: Verify SSH key
+      ansible.builtin.ping:
+      become: no
+      vars:
+        ansible_user: "{{ account.username }}"
+        ansible_ssh_private_key_file: "{{ account.private_key_path }}"
+        ansible_become: no
+      when: secret_type == "ssh_key"

apps/accounts/automations/change_secret/host/aix/manifest.yml

@@ -0,0 +1,6 @@
+id: change_secret_aix
+name: Change secret for aix
+category: host
+type:
+  - AIX
+method: change_secret

apps/assets/automations/base/manager.py

@@ -1,3 +1,4 @@
+import json
 import os
 import shutil
 from collections import defaultdict
@@ -196,6 +197,30 @@ class BasePlaybookManager:
     def before_runner_start(self, runner):
         pass
 
+    @staticmethod
+    def delete_sensitive_data(path):
+        if settings.DEBUG_DEV:
+            return
+
+        with open(path, 'r') as f:
+            d = json.load(f)
+        def delete_keys(d, keys_to_delete):
+            """
+            递归函数：删除嵌套字典中的指定键
+            """
+            if not isinstance(d, dict):
+                return d
+            keys = list(d.keys())
+            for key in keys:
+                if key in keys_to_delete:
+                    del d[key]
+                else:
+                    delete_keys(d[key], keys_to_delete)
+            return d
+        d = delete_keys(d, ['secret', 'ansible_password'])
+        with open(path, 'w') as f:
+            json.dump(d, f)
+
     def run(self, *args, **kwargs):
         runners = self.get_runners()
         if len(runners) > 1:
@@ -213,6 +238,7 @@ class BasePlaybookManager:
             self.before_runner_start(runner)
             try:
                 cb = runner.run(**kwargs)
+                self.delete_sensitive_data(runner.inventory)
                 self.on_runner_success(runner, cb)
             except Exception as e:
                 self.on_runner_failed(runner, e)

apps/assets/const/host.py

@@ -81,7 +81,13 @@ class HostTypes(BaseType):
                 {'name': 'Unix'},
                 {'name': 'macOS'},
                 {'name': 'BSD'},
-                {'name': 'AIX'},
+                {
+                    'name': 'AIX',
+                    'automation': {
+                        'push_account_method': 'push_account_aix',
+                        'change_secret_method': 'change_secret_aix',
+                    }
+                },
             ],
             cls.WINDOWS: [
                 {'name': 'Windows'},

apps/ops/signal_handlers.py

@@ -51,7 +51,8 @@ def check_registered_tasks(*args, **kwargs):
             continue
         for attr in attrs:
             if not hasattr(task, attr):
-                print('>>> Task {} has no attribute {}'.format(name, attr))
+                # print('>>> Task {} has no attribute {}'.format(name, attr))
+                pass
 
 
 @signals.before_task_publish.connect