perf: Add check_conn_after_change

2025-03-26 17:58:00 +08:00 · 2025-03-26 17:58:00 +08:00 · 99affad9b9
parent 34eea024f8
commit 99affad9b9
7 changed files with 36 additions and 8 deletions
--- a/apps/accounts/automations/change_secret/host/aix/main.yml
+++ b/apps/accounts/automations/change_secret/host/aix/main.yml
@ -52,6 +52,7 @@
        password: "{{ account.secret | password_hash('des') }}"
        update_password: always
      ignore_errors: true
+      register: change_secret_result
      when: account.secret_type == "password"

    - name: remove jumpserver ssh key
@ -68,6 +69,7 @@
        user: "{{ account.username }}"
        key: "{{ account.secret }}"
        exclusive: "{{ ssh_params.exclusive }}"
+      register: change_secret_result
      when: account.secret_type == "ssh_key"

    - name: Refresh connection
@ -86,7 +88,9 @@
        become_password: "{{ account.become.ansible_password | default('') }}"
        become_private_key_path: "{{ account.become.ansible_ssh_private_key_file | default(None) }}"
        old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
-      when: account.secret_type == "password"
+      when:
+       - account.secret_type == "password"
+       - check_conn_after_change or change_secret_result.failed
      delegate_to: localhost

    - name: "Verify {{ account.username }} SSH KEY (paramiko)"
@ -97,5 +101,7 @@
        login_private_key_path: "{{ account.private_key_path  }}"
        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
        old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
-      when: account.secret_type == "ssh_key"
+      when:
+       - account.secret_type == "ssh_key"
+       - check_conn_after_change or change_secret_result.failed
      delegate_to: localhost
--- a/apps/accounts/automations/change_secret/host/posix/main.yml
+++ b/apps/accounts/automations/change_secret/host/posix/main.yml
@ -52,6 +52,7 @@
        password: "{{ account.secret | password_hash('sha512') }}"
        update_password: always
      ignore_errors: true
+      register: change_secret_result
      when: account.secret_type == "password"

    - name: remove jumpserver ssh key
@ -68,6 +69,7 @@
        user: "{{ account.username }}"
        key: "{{ account.secret }}"
        exclusive: "{{ ssh_params.exclusive }}"
+      register: change_secret_result
      when: account.secret_type == "ssh_key"

    - name: Refresh connection
@ -86,7 +88,9 @@
        become_password: "{{ account.become.ansible_password | default('') }}"
        become_private_key_path: "{{ account.become.ansible_ssh_private_key_file | default(None) }}"
        old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
-      when: account.secret_type == "password"
+      when:
+       - account.secret_type == "password"
+       - check_conn_after_change or change_secret_result.failed
      delegate_to: localhost

    - name: "Verify {{ account.username }} SSH KEY (paramiko)"
@ -97,5 +101,7 @@
        login_private_key_path: "{{ account.private_key_path  }}"
        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
        old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
-      when: account.secret_type == "ssh_key"
+      when:
+       - account.secret_type == "ssh_key"
+       - check_conn_after_change or change_secret_result.failed
      delegate_to: localhost
--- a/apps/accounts/automations/push_account/host/aix/main.yml
+++ b/apps/accounts/automations/push_account/host/aix/main.yml
@ -52,6 +52,7 @@
        password: "{{ account.secret | password_hash('des') }}"
        update_password: always
      ignore_errors: true
+      register: change_secret_result
      when: account.secret_type == "password"

    - name: remove jumpserver ssh key
@ -68,6 +69,7 @@
        user: "{{ account.username }}"
        key: "{{ account.secret }}"
        exclusive: "{{ ssh_params.exclusive }}"
+      register: change_secret_result
      when: account.secret_type == "ssh_key"

    - name: Refresh connection
@ -86,7 +88,9 @@
        become_password: "{{ account.become.ansible_password | default('') }}"
        become_private_key_path: "{{ account.become.ansible_ssh_private_key_file | default(None) }}"
        old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
-      when: account.secret_type == "password"
+      when:
+       - account.secret_type == "password"
+       - check_conn_after_change or change_secret_result.failed
      delegate_to: localhost

    - name: "Verify {{ account.username }} SSH KEY (paramiko)"
@ -97,6 +101,8 @@
        login_private_key_path: "{{ account.private_key_path  }}"
        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
        old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
-      when: account.secret_type == "ssh_key"
+      when:
+       - account.secret_type == "ssh_key"
+       - check_conn_after_change or change_secret_result.failed
      delegate_to: localhost

--- a/apps/accounts/automations/push_account/host/posix/main.yml
+++ b/apps/accounts/automations/push_account/host/posix/main.yml
@ -52,6 +52,7 @@
        password: "{{ account.secret | password_hash('sha512') }}"
        update_password: always
      ignore_errors: true
+      register: change_secret_result
      when: account.secret_type == "password"

    - name: remove jumpserver ssh key
@ -68,6 +69,7 @@
        user: "{{ account.username }}"
        key: "{{ account.secret }}"
        exclusive: "{{ ssh_params.exclusive }}"
+      register: change_secret_result
      when: account.secret_type == "ssh_key"

    - name: Refresh connection
@ -86,7 +88,9 @@
        become_password: "{{ account.become.ansible_password | default('') }}"
        become_private_key_path: "{{ account.become.ansible_ssh_private_key_file | default(None) }}"
        old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
-      when: account.secret_type == "password"
+      when:
+       - account.secret_type == "password"
+       - check_conn_after_change or change_secret_result.failed
      delegate_to: localhost

    - name: "Verify {{ account.username }} SSH KEY (paramiko)"
@ -97,6 +101,8 @@
        login_private_key_path: "{{ account.private_key_path  }}"
        gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
        old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
-      when: account.secret_type == "ssh_key"
+      when:
+       - account.secret_type == "ssh_key"
+       - check_conn_after_change or change_secret_result.failed
      delegate_to: localhost

--- a/apps/assets/automations/base/manager.py
+++ b/apps/assets/automations/base/manager.py
@ -187,6 +187,7 @@ class BasePlaybookManager:
            host['error'] = _('{} disabled'.format(self.__class__.method_type()))
            return host

+        host['check_conn_after_change'] = settings.CHECK_CONN_AFTER_CHANGE
        host = self.convert_cert_to_file(host, kwargs.get('path_dir'))
        host['params'] = self.get_params(automation, method_type)
        return host
--- a/apps/jumpserver/conf.py
+++ b/apps/jumpserver/conf.py
@ -488,6 +488,7 @@ class Config(dict):
        'TERMINAL_OMNIDB_ENABLED': True,

        # 安全配置
+        'CHECK_CONN_AFTER_CHANGE': True,
        'SECURITY_MFA_AUTH': 0,  # 0 不开启 1 全局开启 2 管理员开启
        'SECURITY_MFA_AUTH_ENABLED_FOR_THIRD_PARTY': True,
        'SECURITY_COMMAND_EXECUTION': False,
--- a/apps/jumpserver/settings/custom.py
+++ b/apps/jumpserver/settings/custom.py
@ -32,6 +32,8 @@ TERMINAL_REPLAY_STORAGE = CONFIG.TERMINAL_REPLAY_STORAGE
 FTP_FILE_MAX_STORE = CONFIG.FTP_FILE_MAX_STORE

 # Security settings
+CHECK_CONN_AFTER_CHANGE = CONFIG.CHECK_CONN_AFTER_CHANGE
+
 SECURITY_MFA_AUTH = CONFIG.SECURITY_MFA_AUTH
 SECURITY_MFA_AUTH_ENABLED_FOR_THIRD_PARTY = CONFIG.SECURITY_MFA_AUTH_ENABLED_FOR_THIRD_PARTY
 SECURITY_MAX_IDLE_TIME = CONFIG.SECURITY_MAX_IDLE_TIME  # Unit: minute