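--- a/PATH_PLACEHOLDER
+++ b/PATH_PLACEHOLDER
@@ -1,31 +1,33 @@
 =head1 NAME
 
-AnyEvent::Porttracker - Porttracker/PortIQ API client interface.
+AnyEvent::Porttracker - Porttracker API client interface.
 
 =head1 SYNOPSIS
 
 use AnyEvent::Porttracker;
 
 my $api = new AnyEvent::Porttracker
 host => "10.0.0.1",
 user => "admin",
 pass => "31331",
 tls => 1,
+on_error => sub {
+die $_[1];
+},
 ;
 
 # Example 1
-# a simple request: ping the server
+# a simple request: ping the server synchronously
 
-$api->req ("ping", sub {
-my ($api, $ok, $timestamp, $pid) = @_;
-...
-});
+my ($timestamp, $pid) = $api->req_sync ("ping");
 
 # Example 2
 # find all realms, start a discovery on all of them
 # and wait until all discovery processes have finished
+# but execute individual discoveries in parallel,
+# asynchronously
 
 my $cv = AE::cv;
 
 $cv->begin;
 # find all realms
@@ -55,23 +57,22 @@
 $api->on (realm_poll_stop_event => sub {
 my ($api, $gid) = @_;
 warn "this just in: poll for realm <$gid> finished.\n";
 });
 
+AE::cv->recv; # wait forever
+
 =head1 DESCRIPTION
 
 Porttracker (L<http://www.porttracker.com/>) is a product that (among
 other things) scans switches and routers in a network and gives a coherent
 view of which end devices are connected to which switch ports on which
 switches and routers. It also offers a JSON-based client API, for which
 this module is an implementation.
 
-In addition to Porttracker, the PortIQ product is also supported, as it
-uses the same protocol.
-
-If you do not have access to either a Porttracker or PortIQ box then this
-module will be of little value to you.
+If you do not have access to a Porttracker box then this module will be of
+little value to you.
 
 This module is an L<AnyEvent> user, you need to make sure that you use and
 run a supported event loop.
 
 To quickly understand how this module works you should read how to
@@ -93,20 +94,20 @@
 
 package AnyEvent::Porttracker;
 
 use common::sense;
 
+use Carp ();
 use Scalar::Util ();
 
 use AnyEvent ();
 use AnyEvent::Handle ();
 
 use MIME::Base64 ();
-use Digest::HMAC_MD6 ();
 use JSON ();
 
-our $VERSION = '0.1';
+our $VERSION = 1.02;
 
 sub call {
 my ($self, $type, @args) = @_;
 
 $self->{$type}
@@ -116,17 +117,17 @@
 : ()
 }
 
 =item $api = new AnyEvent::Porttracker [key => value...]
 
-Creates a new porttracker API connection object and tries to connect to
-the specified host (see below). After the connection has been established,
-the TLS handshake (if requested) will take place, followed by a login
-attempt using either the C<none>, C<login_cram_md6> or C<login> methods,
-in this order of preference (typically, C<login_cram_md6> is used, which
-shields against some man-in-the-middle attacks and avoids transferring the
-password).
+Creates a new porttracker API connection object and tries to connect
+to the specified host (see below). After the connection has been
+established, the TLS handshake (if requested) will take place, followed
+by a login attempt using either the C<none>, C<login_cram_sha3>,
+C<login_cram_md6> or C<login> methods, in this order of preference
+(typically, C<login_cram_sha3> is used, which shields against some
+man-in-the-middle attacks and avoids transferring the password).
 
 It is permissible to send requests immediately after creating the object -
 they will be queued until after successful login.
 
 Possible key-value pairs are:
@@ -150,11 +151,11 @@
 
 Enables or disables TLS (default: disables). When enabled, then the
 connection will try to handshake a TLS connection before logging in. If
 unsuccessful a fatal error will be raised.
 
-Since most Porttracker/PortIQ boxes will not have a sensible/verifiable
+Since most Porttracker boxes will not have a sensible/verifiable
 certificate, no attempt at verifying it will be done (which means
 man-in-the-middle-attacks will be trivial). If you want some form of
 verification you need to provide your own C<tls_ctx> object with C<<
 verify => 1, verify_peername => [1, 1, 1] >> or whatever verification mode
 you wish to use.
@@ -310,10 +311,30 @@
 $_[0]{queue}
 ? push @{ $_[0]{queue} }, [@_]
 : &_req
 }
 
+=item @res = $api->req_sync ($type => @args)
+
+Similar to C<< ->req >>, but waits for the results of the request and on
+success, returns the values instead (without the success flag, and only
+the first value in scalar context). On failure, the method will C<croak>
+with the error message.
+
+=cut
+
+sub req_sync {
+push @_, my $cv = AE::cv;
+&req;
+my ($ok, @res) = $cv->recv;
+
+$ok
+or Carp::croak $res[0];
+
+wantarray ? @res : $res[0]
+}
+
 =item $api->req_failok ($type => @args, $callback->($api, $success, @reply))
 
 Just like C<< ->req >>, with two differences: first, a failure will not
 raise an error, second, the initial status reply which indicates success
 or failure is not removed before calling the callback.
@@ -386,30 +407,61 @@
 
 sub _login {
 my ($self) = @_;
 
 my ($auths, $nonce) = @{ delete $self->{hello} or return };
+use Data::Dump; ddx $auths;#d#
 
 if (grep $_ eq "none", @$auths) {
 $self->_login_success ("none");
+} elsif (grep $_ eq "login_cram_sha3", @$auths) {
+my $cc = join "", map chr 256 * rand, 0..63;
 
+require Digest::SHA3;
+require Digest::HMAC;
+
+my $hmac_sha3 = sub ($$){ # $key, $text
+Digest::HMAC::hmac ($_[1], $_[0], \&Digest::SHA3::sha3_512, 72)
+};
+
+my $key = $hmac_sha3->($self->{pass}, $self->{user});
+my $cr = $hmac_sha3->($key, "$cc$nonce");
+my $sr = $hmac_sha3->($key, "$nonce$cc");
+
+$cc = MIME::Base64::encode_base64 $cc;
+$cr = MIME::Base64::encode_base64 $cr;
+
+$self->_req (login_cram_sha3 => $self->{user}, $cr, $cc, sub {
+my ($self, $ok, $msg) = @_;
+
+$ok
+or return call $self, on_login_failure => $msg;
+
+(MIME::Base64::decode_base64 $msg) eq $sr
+or return call $self, on_login_failure => "sr and cr mismatch, possible man in the middle attack";
+
+$self->_login_success ("login_cram_sha3");
+});
 } elsif (grep $_ eq "login_cram_md6", @$auths) {
 my $cc = join "", map chr 256 * rand, 0..63;
 
-my $key = Digest::HMAC_MD6::hmac_md6 $self->{pass}, $self->{user}, 64, 256;
-my $cr = Digest::HMAC_MD6::hmac_md6_base64 $key, "$cc$nonce", 64, 256;
-my $sr = Digest::HMAC_MD6::hmac_md6_base64 $key, "$nonce$cc", 64, 256;
+require Digest::HMAC_MD6;
+
+my $key = Digest::HMAC_MD6::hmac_md6 ($self->{pass}, $self->{user}, 64, 256);
+my $cr = Digest::HMAC_MD6::hmac_md6 ($key, "$cc$nonce", 64, 256);
+my $sr = Digest::HMAC_MD6::hmac_md6 ($key, "$nonce$cc", 64, 256);
 
 $cc = MIME::Base64::encode_base64 $cc;
+$cr = MIME::Base64::encode_base64 $cr;
 
 $self->_req (login_cram_md6 => $self->{user}, $cr, $cc, sub {
 my ($self, $ok, $msg) = @_;
 
 $ok
 or return call $self, on_login_failure => $msg;
 
-$msg eq $sr
+(MIME::Base64::decode_base64 $msg) eq $sr
 or return call $self, on_login_failure => "sr and cr mismatch, possible man in the middle attack";
 
 $self->_login_success ("login_cram_md6");
 });
 } elsif (grep $_ eq "login", @$auths) {
@@ -561,14 +613,14 @@
 
 =back
 
 =head1 SEE ALSO
 
-L<AnyEvent>, L<http://www.porttracker.com/>, L<http://www.infoblox.com/en/products/portiq.html>.
+L<AnyEvent>, L<http://www.porttracker.com/>.
 
 =head1 AUTHOR
 
-Marc Lehmann <marc@porttracker.net>
+Marc Lehmann <marc@nethype.de>
 
 =cut
 
 1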
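Review bot: The `use Data::Dump; ddx $auths;#d#` line added to `_login` right after the hello is consumed is a leftover debug statement: it makes the module depend on Data::Dump at compile time and prints the server's advertised auth list on every login, so it should be deleted before release. The new `login_cram_sha3` branch also builds the 64-byte client challenge `$cc` from `rand`, copying the existing md6 branch; since that challenge is what makes the server's `$sr` reply a fresh proof of key knowledge, a predictable challenge could weaken the mutual-authentication property the "sr and cr mismatch" failure message promises, and a CSPRNG source (e.g. `/dev/urandom`) would be a safer fit for both branches. `require Digest::SHA3` and `require Digest::HMAC` are unconditional, so on a client without those modules the handler dies at login time rather than falling back to `login_cram_md6`; if the documented preference order is meant to degrade gracefully, `eval { require Digest::SHA3; require Digest::HMAC; 1 }` with a fall-through to the next branch on failure would keep it robust. `_login` continues past the end of the hunk into the `login` branch.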