1 | =head1 NAME |
1 | =head1 NAME |
2 | |
2 | |
3 | AnyEvent::Porttracker - Porttracker/PortIQ API client interface. |
3 | AnyEvent::Porttracker - Porttracker API client interface. |
4 | |
4 | |
5 | =head1 SYNOPSIS |
5 | =head1 SYNOPSIS |
6 | |
6 | |
7 | use AnyEvent::Porttracker; |
7 | use AnyEvent::Porttracker; |
|
|
8 | |
|
|
9 | my $api = new AnyEvent::Porttracker |
|
|
10 | host => "10.0.0.1", |
|
|
11 | user => "admin", |
|
|
12 | pass => "31331", |
|
|
13 | tls => 1, |
|
|
14 | on_error => sub { |
|
|
15 | die $_[1]; |
|
|
16 | }, |
|
|
17 | ; |
|
|
18 | |
|
|
19 | # Example 1 |
|
|
20 | # a simple request: ping the server synchronously |
|
|
21 | |
|
|
22 | my ($timestamp, $pid) = $api->req_sync ("ping"); |
|
|
23 | |
|
|
24 | # Example 2 |
|
|
25 | # find all realms, start a discovery on all of them |
|
|
26 | # and wait until all discovery processes have finished |
|
|
27 | # but execute individual discoveries in parallel, |
|
|
28 | # asynchronously |
|
|
29 | |
|
|
30 | my $cv = AE::cv; |
|
|
31 | |
|
|
32 | $cv->begin; |
|
|
33 | # find all realms |
|
|
34 | $api->req (realm_info => ["gid", "name"], sub { |
|
|
35 | my ($api, @realms) = @_; |
|
|
36 | |
|
|
37 | # start discovery on all realms |
|
|
38 | for my $realm (@realms) { |
|
|
39 | my ($gid, $name) = @$realm; |
|
|
40 | |
|
|
41 | $cv->begin; |
|
|
42 | $api->req (realm_discover => $gid, sub { |
|
|
43 | warn "discovery for realm '$name' finished\n"; |
|
|
44 | $cv->end; |
|
|
45 | }); |
|
|
46 | } |
|
|
47 | |
|
|
48 | $cv->end; |
|
|
49 | }); |
|
|
50 | |
|
|
51 | $cv->recv; |
|
|
52 | |
|
|
53 | # Example 3 |
|
|
54 | # subscribe to realm_poll_stop events and report each occurance |
|
|
55 | |
|
|
56 | $api->req (subscribe => "realm_poll_stop", sub {}); |
|
|
57 | $api->on (realm_poll_stop_event => sub { |
|
|
58 | my ($api, $gid) = @_; |
|
|
59 | warn "this just in: poll for realm <$gid> finished.\n"; |
|
|
60 | }); |
|
|
61 | |
|
|
62 | AE::cv->recv; # wait forever |
8 | |
63 | |
9 | =head1 DESCRIPTION |
64 | =head1 DESCRIPTION |
10 | |
65 | |
11 | Porttracker (L<http://www.porttracker.com/>) is a product that (among |
66 | Porttracker (L<http://www.porttracker.com/>) is a product that (among |
12 | other things) scans switches and routers in a network and gives a coherent |
67 | other things) scans switches and routers in a network and gives a coherent |
13 | view of which end devices are connected to which switch ports on which |
68 | view of which end devices are connected to which switch ports on which |
14 | switches and routers. It also offers a JSON-based client API, for which |
69 | switches and routers. It also offers a JSON-based client API, for which |
15 | this module is an implementation. |
70 | this module is an implementation. |
16 | |
71 | |
17 | In addition to Porttracker, the PortIQ product is also supported, as it |
|
|
18 | uses the same protocol. |
|
|
19 | |
|
|
20 | If you do not have access to either a Porttracker or PortIQ box then this |
72 | If you do not have access to a Porttracker box then this module will be of |
21 | module will be of little value to you. |
73 | little value to you. |
22 | |
74 | |
23 | This module is an L<AnyEvent> user, you need to make sure that you use and |
75 | This module is an L<AnyEvent> user, you need to make sure that you use and |
24 | run a supported event loop. |
76 | run a supported event loop. |
25 | |
77 | |
26 | To quickly understand how this module works you should read how to |
78 | To quickly understand how this module works you should read how to |
… | |
… | |
42 | |
94 | |
43 | package AnyEvent::Porttracker; |
95 | package AnyEvent::Porttracker; |
44 | |
96 | |
45 | use common::sense; |
97 | use common::sense; |
46 | |
98 | |
|
|
99 | use Carp (); |
47 | use Scalar::Util (); |
100 | use Scalar::Util (); |
48 | |
101 | |
49 | use AnyEvent (); |
102 | use AnyEvent (); |
50 | use AnyEvent::Handle (); |
103 | use AnyEvent::Handle (); |
51 | |
104 | |
52 | use MIME::Base64 (); |
105 | use MIME::Base64 (); |
53 | use Digest::HMAC_MD6 (); |
|
|
54 | use JSON (); |
106 | use JSON (); |
55 | |
107 | |
56 | our $VERSION = '0.0'; |
108 | our $VERSION = 1.02; |
57 | |
109 | |
58 | sub call { |
110 | sub call { |
59 | my ($self, $type, @args) = @_; |
111 | my ($self, $type, @args) = @_; |
60 | |
112 | |
61 | $self->{$type} |
113 | $self->{$type} |
… | |
… | |
65 | : () |
117 | : () |
66 | } |
118 | } |
67 | |
119 | |
68 | =item $api = new AnyEvent::Porttracker [key => value...] |
120 | =item $api = new AnyEvent::Porttracker [key => value...] |
69 | |
121 | |
70 | Creates a new porttracker API connection object and tries to connect to |
122 | Creates a new porttracker API connection object and tries to connect |
71 | the specified host (see below). After the connection has been established, |
123 | to the specified host (see below). After the connection has been |
72 | the TLS handshake (if requested) will take place, followed by a login |
124 | established, the TLS handshake (if requested) will take place, followed |
73 | attempt using either the C<none>, C<login_cram_md6> or C<login> methods, |
125 | by a login attempt using either the C<none>, C<login_cram_sha3>, |
74 | in this order of preference (typically, C<login_cram_md6> is used, which |
126 | C<login_cram_md6> or C<login> methods, in this order of preference |
|
|
127 | (typically, C<login_cram_sha3> is used, which shields against some |
75 | shields against some man-in-the-middle attacks and avoids transferring the |
128 | man-in-the-middle attacks and avoids transferring the password). |
76 | password). |
|
|
77 | |
129 | |
78 | It is permissible to send requests immediately after creating the object - |
130 | It is permissible to send requests immediately after creating the object - |
79 | they will be queued until after successful login. |
131 | they will be queued until after successful login. |
80 | |
132 | |
81 | Possible key-value pairs are: |
133 | Possible key-value pairs are: |
… | |
… | |
93 | =item user => $string, pass => $string |
145 | =item user => $string, pass => $string |
94 | |
146 | |
95 | These are the username and password to use when authentication is required |
147 | These are the username and password to use when authentication is required |
96 | (which it is in almost all cases, so these keys are normally mandatory). |
148 | (which it is in almost all cases, so these keys are normally mandatory). |
97 | |
149 | |
98 | =item tls => ... |
150 | =item tls => $bool |
99 | |
151 | |
100 | #TODO# |
152 | Enables or disables TLS (default: disables). When enabled, then the |
|
|
153 | connection will try to handshake a TLS connection before logging in. If |
|
|
154 | unsuccessful a fatal error will be raised. |
|
|
155 | |
|
|
156 | Since most Porttracker boxes will not have a sensible/verifiable |
|
|
157 | certificate, no attempt at verifying it will be done (which means |
|
|
158 | man-in-the-middle-attacks will be trivial). If you want some form of |
|
|
159 | verification you need to provide your own C<tls_ctx> object with C<< |
|
|
160 | verify => 1, verify_peername => [1, 1, 1] >> or whatever verification mode |
|
|
161 | you wish to use. |
|
|
162 | |
|
|
163 | =item tls_ctx => $tls_ctx |
|
|
164 | |
|
|
165 | The L<AnyEvent::TLS> object to use. See C<tls>, above. |
101 | |
166 | |
102 | =item on_XYZ => $coderef |
167 | =item on_XYZ => $coderef |
103 | |
168 | |
104 | You can specify event callbacks either by subclassing and overriding the |
169 | You can specify event callbacks either by sub-classing and overriding the |
105 | respective methods or by specifying coderefs as key-value pairs when |
170 | respective methods or by specifying code-refs as key-value pairs when |
106 | constructing the object. |
171 | constructing the object. You add or remove event handlers at any time with |
|
|
172 | the C<event> method. |
107 | |
173 | |
108 | =back |
174 | =back |
109 | |
175 | |
110 | =cut |
176 | =cut |
111 | |
177 | |
… | |
… | |
113 | my $class = shift; |
179 | my $class = shift; |
114 | |
180 | |
115 | my $self = bless { |
181 | my $self = bless { |
116 | id => "a", |
182 | id => "a", |
117 | ids => [], |
183 | ids => [], |
118 | queue => [], # ininitially queue everything |
184 | queue => [], # initially queue everything |
119 | @_, |
185 | @_, |
120 | }, $class; |
186 | }, $class; |
121 | |
187 | |
122 | { |
188 | { |
123 | Scalar::Util::weaken (my $self = $self); |
189 | Scalar::Util::weaken (my $self = $self); |
124 | |
190 | |
125 | $self->{hdl} = new AnyEvent::Handle |
191 | $self->{hdl} = new AnyEvent::Handle |
126 | connect => [$self->{host}, $self->{port} || "porttracker=55"], |
192 | connect => [$self->{host}, $self->{port} || "porttracker=55"], |
127 | on_error => sub { |
193 | on_error => sub { |
128 | $self->error (); |
194 | $self->error ($_[2]); |
129 | }, |
195 | }, |
130 | on_connect => sub { |
196 | on_connect => sub { |
131 | if ($self->{tls}) { |
197 | if ($self->{tls}) { |
132 | $self->_req (start_tls => sub { |
198 | $self->_req (start_tls => sub { |
133 | $_[1] |
199 | $_[1] |
… | |
… | |
169 | } |
235 | } |
170 | |
236 | |
171 | sub error { |
237 | sub error { |
172 | my ($self, $msg) = @_; |
238 | my ($self, $msg) = @_; |
173 | |
239 | |
174 | call on_error => $msg; |
240 | call $self, on_error => $msg; |
175 | |
241 | |
176 | () |
242 | () |
177 | } |
243 | } |
178 | |
244 | |
179 | sub _req { |
245 | sub _req { |
… | |
… | |
188 | my $msg = JSON::encode_json \@_; |
254 | my $msg = JSON::encode_json \@_; |
189 | |
255 | |
190 | $self->{hdl}->push_write ($msg); |
256 | $self->{hdl}->push_write ($msg); |
191 | } |
257 | } |
192 | |
258 | |
193 | =item $api->req ($type => @args, $callback->($api, @args)) |
259 | =item $api->req ($type => @args, $callback->($api, @reply)) |
194 | |
260 | |
195 | Sends a generic request of type C<$type> to the server. When the server |
261 | Sends a generic request of type C<$type> to the server. When the server |
196 | responds, the API object and the response arguments are passed to the |
262 | responds, the API object and the response arguments (without the success |
197 | callback, which is the last argument to this method. |
263 | status) are passed to the callback, which is the last argument to this |
|
|
264 | method. |
|
|
265 | |
|
|
266 | If the request fails, then a fatal error will be raised. If you want to |
|
|
267 | handle failures gracefully, you need to use C<< ->req_failok >> instead. |
198 | |
268 | |
199 | The available requests are documented in the Porttracker API |
269 | The available requests are documented in the Porttracker API |
200 | documentation (a copy of which is included in this module as |
270 | documentation (a copy of which is included in this module as |
201 | L<AnyEvent::Porttracker::protocol>. |
271 | L<AnyEvent::Porttracker::protocol>. |
202 | |
272 | |
… | |
… | |
228 | }); |
298 | }); |
229 | |
299 | |
230 | =cut |
300 | =cut |
231 | |
301 | |
232 | sub req { |
302 | sub req { |
|
|
303 | my $cb = pop; |
|
|
304 | push @_, sub { |
|
|
305 | splice @_, 1, 1 |
|
|
306 | or $_[0]->error ($_[1]); |
|
|
307 | |
|
|
308 | &$cb |
|
|
309 | }; |
|
|
310 | |
233 | $_[0]{queue} |
311 | $_[0]{queue} |
234 | ? push @{ $_[0]{queue} }, [@_] |
312 | ? push @{ $_[0]{queue} }, [@_] |
235 | : &_req |
313 | : &_req |
236 | } |
314 | } |
237 | |
315 | |
|
|
316 | =item @res = $api->req_sync ($type => @args) |
|
|
317 | |
|
|
318 | Similar to C<< ->req >>, but waits for the results of the request and on |
|
|
319 | success, returns the values instead (without the success flag, and only |
|
|
320 | the first value in scalar context). On failure, the method will C<croak> |
|
|
321 | with the error message. |
|
|
322 | |
|
|
323 | =cut |
|
|
324 | |
|
|
325 | sub req_sync { |
|
|
326 | push @_, my $cv = AE::cv; |
|
|
327 | &req; |
|
|
328 | my ($ok, @res) = $cv->recv; |
|
|
329 | |
|
|
330 | $ok |
|
|
331 | or Carp::croak $res[0]; |
|
|
332 | |
|
|
333 | wantarray ? @res : $res[0] |
|
|
334 | } |
|
|
335 | |
|
|
336 | =item $api->req_failok ($type => @args, $callback->($api, $success, @reply)) |
|
|
337 | |
|
|
338 | Just like C<< ->req >>, with two differences: first, a failure will not |
|
|
339 | raise an error, second, the initial status reply which indicates success |
|
|
340 | or failure is not removed before calling the callback. |
|
|
341 | |
|
|
342 | =cut |
|
|
343 | |
|
|
344 | sub req_failok { |
|
|
345 | $_[0]{queue} |
|
|
346 | ? push @{ $_[0]{queue} }, [@_] |
|
|
347 | : &_req |
|
|
348 | } |
|
|
349 | |
|
|
350 | =item $api->on (XYZ => $callback) |
|
|
351 | |
|
|
352 | Overwrites any currently registered handler for C<on_XYZ> or |
|
|
353 | installs a new one. Or, when C<$callback> is undef, unregisters any |
|
|
354 | currently-registered handler. |
|
|
355 | |
|
|
356 | Example: replace/set the handler for C<on_discover_stop_event>. |
|
|
357 | |
|
|
358 | $api->on (discover_stop_event => sub { |
|
|
359 | my ($api, $gid) = @_; |
|
|
360 | ... |
|
|
361 | }); |
|
|
362 | |
|
|
363 | =cut |
|
|
364 | |
|
|
365 | sub on { |
|
|
366 | my $self = shift; |
|
|
367 | |
|
|
368 | while (@_) { |
|
|
369 | my ($event, $cb) = splice @_, 0, 2; |
|
|
370 | $event =~ s/^on_//; |
|
|
371 | |
|
|
372 | $self->{"on_$event"} = $cb; |
|
|
373 | } |
|
|
374 | } |
|
|
375 | |
238 | sub on_start_tls_notify { |
376 | sub on_start_tls_notify { |
239 | my ($self) = @_; |
377 | my ($self) = @_; |
240 | |
378 | |
241 | $self->{hdl}->starttls ("connect"); |
379 | $self->{hdl}->starttls (connect => $self->{tls_ctx}); |
242 | $self->{tls} ||= 1; |
380 | $self->{tls} ||= 1; |
243 | |
381 | |
244 | $self->_login; |
382 | $self->_login; |
245 | } |
383 | } |
246 | |
384 | |
… | |
… | |
269 | |
407 | |
270 | sub _login { |
408 | sub _login { |
271 | my ($self) = @_; |
409 | my ($self) = @_; |
272 | |
410 | |
273 | my ($auths, $nonce) = @{ delete $self->{hello} or return }; |
411 | my ($auths, $nonce) = @{ delete $self->{hello} or return }; |
|
|
412 | use Data::Dump; ddx $auths;#d# |
274 | |
413 | |
275 | if (grep $_ eq "none", @$auths) { |
414 | if (grep $_ eq "none", @$auths) { |
276 | $self->_login_success ("none"); |
415 | $self->_login_success ("none"); |
|
|
416 | } elsif (grep $_ eq "login_cram_sha3", @$auths) { |
|
|
417 | my $cc = join "", map chr 256 * rand, 0..63; |
277 | |
418 | |
|
|
419 | require Digest::SHA3; |
|
|
420 | require Digest::HMAC; |
|
|
421 | |
|
|
422 | my $hmac_sha3 = sub ($$){ # $key, $text |
|
|
423 | Digest::HMAC::hmac ($_[1], $_[0], \&Digest::SHA3::sha3_512, 72) |
|
|
424 | }; |
|
|
425 | |
|
|
426 | my $key = $hmac_sha3->($self->{pass}, $self->{user}); |
|
|
427 | my $cr = $hmac_sha3->($key, "$cc$nonce"); |
|
|
428 | my $sr = $hmac_sha3->($key, "$nonce$cc"); |
|
|
429 | |
|
|
430 | $cc = MIME::Base64::encode_base64 $cc; |
|
|
431 | $cr = MIME::Base64::encode_base64 $cr; |
|
|
432 | |
|
|
433 | $self->_req (login_cram_sha3 => $self->{user}, $cr, $cc, sub { |
|
|
434 | my ($self, $ok, $msg) = @_; |
|
|
435 | |
|
|
436 | $ok |
|
|
437 | or return call $self, on_login_failure => $msg; |
|
|
438 | |
|
|
439 | (MIME::Base64::decode_base64 $msg) eq $sr |
|
|
440 | or return call $self, on_login_failure => "sr and cr mismatch, possible man in the middle attack"; |
|
|
441 | |
|
|
442 | $self->_login_success ("login_cram_sha3"); |
|
|
443 | }); |
278 | } elsif (grep $_ eq "login_cram_md6", @$auths) { |
444 | } elsif (grep $_ eq "login_cram_md6", @$auths) { |
279 | my $cc = join "", map chr 256 * rand, 0..63; |
445 | my $cc = join "", map chr 256 * rand, 0..63; |
280 | |
446 | |
|
|
447 | require Digest::HMAC_MD6; |
|
|
448 | |
281 | my $key = Digest::HMAC_MD6::hmac_md6 $self->{pass}, $self->{user}, 64, 256; |
449 | my $key = Digest::HMAC_MD6::hmac_md6 ($self->{pass}, $self->{user}, 64, 256); |
282 | my $cr = Digest::HMAC_MD6::hmac_md6_base64 $key, "$cc$nonce", 64, 256; |
450 | my $cr = Digest::HMAC_MD6::hmac_md6 ($key, "$cc$nonce", 64, 256); |
283 | my $sr = Digest::HMAC_MD6::hmac_md6_base64 $key, "$nonce$cc", 64, 256; |
451 | my $sr = Digest::HMAC_MD6::hmac_md6 ($key, "$nonce$cc", 64, 256); |
284 | |
452 | |
285 | $cc = MIME::Base64::encode_base64 $cc; |
453 | $cc = MIME::Base64::encode_base64 $cc; |
|
|
454 | $cr = MIME::Base64::encode_base64 $cr; |
286 | |
455 | |
287 | $self->_req (login_cram_md6 => $self->{user}, $cr, $cc, sub { |
456 | $self->_req (login_cram_md6 => $self->{user}, $cr, $cc, sub { |
288 | my ($self, $ok, $msg) = @_; |
457 | my ($self, $ok, $msg) = @_; |
289 | |
458 | |
290 | $ok |
459 | $ok |
291 | or return call $self, on_login_failure => $msg; |
460 | or return call $self, on_login_failure => $msg; |
292 | |
461 | |
293 | $msg eq $sr |
462 | (MIME::Base64::decode_base64 $msg) eq $sr |
294 | or return call $self, on_login_failure => "sr and cr mismatch, possible man in the middle attack"; |
463 | or return call $self, on_login_failure => "sr and cr mismatch, possible man in the middle attack"; |
295 | |
464 | |
296 | $self->_login_success ("login_cram_md6"); |
465 | $self->_login_success ("login_cram_md6"); |
297 | }); |
466 | }); |
298 | } elsif (grep $_ eq "login", @$auths) { |
467 | } elsif (grep $_ eq "login", @$auths) { |
… | |
… | |
338 | |
507 | |
339 | $msg =~ s/\n$//; |
508 | $msg =~ s/\n$//; |
340 | $self->error ("login failed: $msg"); |
509 | $self->error ("login failed: $msg"); |
341 | } |
510 | } |
342 | |
511 | |
|
|
512 | sub on_event_notify { |
|
|
513 | my ($self, $event, @args) = @_; |
|
|
514 | |
|
|
515 | call $self, "on_${event}_event", @args; |
|
|
516 | } |
|
|
517 | |
343 | =back |
518 | =back |
344 | |
519 | |
345 | =head2 EVENTS |
520 | =head1 EVENTS/CALLBACKS |
346 | |
521 | |
347 | AnyEvent::Porttracker conenctions are fully event-driven, and naturally |
522 | AnyEvent::Porttracker connections are fully event-driven, and naturally |
348 | there are a number of events that can occur. All these events have a name |
523 | there are a number of events that can occur. All these events have a name |
349 | starting with C<on_> (example: C<on_login_failure>). |
524 | starting with C<on_> (example: C<on_login_failure>). |
350 | |
525 | |
351 | Programs can catch these events in two ways: either by providing |
526 | Programs can catch these events in two ways: either by providing |
352 | constructor arguments with the event name as key and a coderef as value: |
527 | constructor arguments with the event name as key and a code-ref as value: |
353 | |
528 | |
354 | my $api = new AnyEvent::Porttracker |
529 | my $api = new AnyEvent::Porttracker |
355 | host => ..., |
530 | host => ..., |
356 | user => ..., pass => ..., |
531 | user => ..., pass => ..., |
357 | on_error => sub { |
532 | on_error => sub { |
… | |
… | |
359 | warn $msg; |
534 | warn $msg; |
360 | exit 1; |
535 | exit 1; |
361 | }, |
536 | }, |
362 | ; |
537 | ; |
363 | |
538 | |
364 | Or by subclassing C<AnyEvent::Porttracker> and overriding methods of the |
539 | Or by sub-classing C<AnyEvent::Porttracker> and overriding methods of the |
365 | same name: |
540 | same name: |
366 | |
541 | |
367 | package MyClass; |
542 | package MyClass; |
368 | |
543 | |
369 | use base AnyEvent::Porttracker; |
544 | use base AnyEvent::Porttracker; |
… | |
… | |
417 | |
592 | |
418 | =item on_start_tls_notify $api |
593 | =item on_start_tls_notify $api |
419 | |
594 | |
420 | Called when the server wants to start TLS negotiation. This is used |
595 | Called when the server wants to start TLS negotiation. This is used |
421 | internally and - while it is possible to override it - should not be |
596 | internally and - while it is possible to override it - should not be |
422 | overriden. |
597 | overridden. |
|
|
598 | |
|
|
599 | =item on_event_notify $api, $eventname, @args |
|
|
600 | |
|
|
601 | Called when the server broadcasts an event the API object is subscribed |
|
|
602 | to. The default implementation (which should not be overridden) simply |
|
|
603 | re-issues an "on_eventname_event" event with the @args. |
423 | |
604 | |
424 | =item on_XYZ_notify $api, ... |
605 | =item on_XYZ_notify $api, ... |
425 | |
606 | |
426 | In general, any protocol notification will result in an event of the form |
607 | In general, any protocol notification will result in an event of the form |
427 | C<on_NOTIFICATION_notify>. |
608 | C<on_NOTIFICATION_notify>. |
428 | |
609 | |
|
|
610 | =item on_XYZ_event $api, ... |
|
|
611 | |
|
|
612 | Called when the server broadcasts the named (XYZ) event. |
|
|
613 | |
429 | =back |
614 | =back |
430 | |
615 | |
431 | =head1 SEE ALSO |
616 | =head1 SEE ALSO |
432 | |
617 | |
433 | L<AnyEvent>, L<http://www.porttracker.com/>, L<http://www.infoblox.com/en/products/portiq.html>. |
618 | L<AnyEvent>, L<http://www.porttracker.com/>. |
434 | |
619 | |
435 | =head1 AUTHOR |
620 | =head1 AUTHOR |
436 | |
621 | |
437 | Marc Lehmann <marc@porttracker.net> |
622 | Marc Lehmann <marc@nethype.de> |
438 | |
623 | |
439 | =cut |
624 | =cut |
440 | |
625 | |
441 | 1 |
626 | 1 |
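Review bot: In the new `req` wrapper (new-side lines 303–309) the failure branch does not stop the call: `splice @_, 1, 1 or $_[0]->error ($_[1]);` falls through to `&$cb`, so unless the `on_error` handler dies the user callback still runs with the server's error message as its first "reply" value; it should read `splice @_, 1, 1 or return $_[0]->error ($_[1]);`. `req_sync` (new-side lines 325–334) compounds this: because `$cv` goes through `req`, it receives `($api, @reply)` with the status already stripped, `$ok` is bound to the API object and the documented `croak` can never fire — route it through `req_failok` and unpack `my ($api, $ok, @res) = $cv->recv;` instead (the body of `_req` is elided on this page, so the `($api, $status, @reply)` callback order is taken from the login callbacks). `_login` still carries the leftover debug line `use Data::Dump; ddx $auths;#d#`, which dumps the server's advertised auth methods to stderr and adds an undeclared dependency; drop it. The client challenge `$cc` in both CRAM branches comes from Perl's `rand`, which is not a cryptographic generator; since `$cr` is `HMAC(key, cc.nonce)` and `$sr` is `HMAC(key, nonce.cc)`, a server able to predict `$cc` could send `nonce = cc` and reflect the client's own `$cr` back as `$sr`, so the 64 challenge bytes should be read from `/dev/urandom` or an equivalent CSPRNG.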