
Scan Agent vs. API Key

Open JonTheNiceGuy opened this issue 2 years ago • 3 comments

Request for help using phpIPAM / Misc question

Hi,

I've written a scanning agent using Python and NMAP that currently only communicates over HTTPS (it doesn't use SQL). The way I've achieved this is to also create an App API token that has admin access. I use that API token to ask for the details of the scan agents (to get the ID), the tags (to get the "online" and "offline" states), and then ask for all the subnets, which I iterate through to get the ones which reference the scan agent ID and that have "pingSubnet" set to 1. I then run the NMAP scan on those subnets and make POST or PATCH requests against the address objects per subnet.

So, my question is: should I (or can I) be using the scanning token to access the API? If so, what do I use as the Client name (referenced as "my_api" in the documentation)? I've had a bit of a check through the code, but I am at a bit of a loss to work out where I should be checking.

Ideally, I'd see the scanning token being used as an API key which can ONLY:

  • Read scan agents, tags, subnets and addresses
  • Write addresses (entire row), scan agent (lastSeen value only) and subnets (lastScan value only)

(And yes, my intention is to release this code soon - I'm just trying to tidy up some edge cases!)

JonTheNiceGuy avatar Jun 06 '23 06:06 JonTheNiceGuy
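As an added example (not code from this thread, from phpIPAM, or from phpipam-python-scanagent), here is the selection and update logic the post describes, run against constructed sample records so it works offline: find the agent ID from the scan agent code, keep only subnets whose scanAgent matches and whose pingSubnet is 1, then turn nmap's alive-host list into POST/PATCH calls on the address objects. The field names (scanAgent, pingSubnet, tag, subnetId), the addresses/ and subnets/ controller paths, the /api/<app_id>/ URL shape and the tag names Online/Offline are assumptions, not taken from the page.

```python
"""Plan the phpIPAM API calls a scan agent needs, entirely offline.

Added example, not code from phpIPAM or phpipam-python-scanagent. Assumed (not
from the thread): REST layout https://<host>/api/<app_id>/<controller>/, subnet
fields id/subnet/mask/scanAgent/pingSubnet, address fields id/ip/tag/subnetId,
scan agent fields id/code, tag fields id/type. All sample records are constructed.
"""
import ipaddress

# Constructed sample records shaped like phpIPAM API responses (assumed shape).
SCAN_AGENTS = [
    {"id": "1", "name": "localhost", "code": "localhost"},
    {"id": "2", "name": "dmz-scanner", "code": "agent-code-from-phpipam-ui"},
]
TAGS = [{"id": "1", "type": "Offline"}, {"id": "2", "type": "Online"}]
SUBNETS = [
    {"id": "7", "subnet": "10.10.0.0", "mask": "24", "scanAgent": "2", "pingSubnet": "1"},
    {"id": "8", "subnet": "10.20.0.0", "mask": "24", "scanAgent": "2", "pingSubnet": "0"},
    {"id": "9", "subnet": "10.30.0.0", "mask": "24", "scanAgent": "1", "pingSubnet": "1"},
]
ADDRESSES = {  # subnet id -> address rows already recorded in phpIPAM
    "7": [
        {"id": "100", "ip": "10.10.0.5", "tag": "2"},
        {"id": "101", "ip": "10.10.0.9", "tag": "2"},
        {"id": "102", "ip": "10.10.0.20", "tag": "1"},
    ],
}
# Constructed nmap result: hosts that answered, keyed by subnet id. Note the
# stray 192.168.1.1, which must never be written into subnet 7.
NMAP_ALIVE = {"7": ["10.10.0.5", "10.10.0.20", "10.10.0.33", "192.168.1.1"]}


def api_url(base, app_id, path):
    """Build an API URL; app_id is the token's Client name (the 'my_api' of the docs)."""
    return f"{base.rstrip('/')}/api/{app_id}/{path}"


def find_agent_id(agents, code):
    """Return the id of the scan agent whose code matches, or None."""
    for agent in agents:
        if agent.get("code") == code:
            return str(agent["id"])
    return None


def tag_id(tags, name):
    """Look up a tag id by its display name (case-insensitive)."""
    for tag in tags:
        if tag.get("type", "").lower() == name.lower():
            return str(tag["id"])
    raise KeyError(f"tag {name!r} not defined in phpIPAM")


def subnets_for_agent(subnets, agent_id):
    """Subnets assigned to this agent with ping scanning enabled (API returns strings)."""
    return [
        s for s in subnets
        if str(s.get("scanAgent")) == str(agent_id) and str(s.get("pingSubnet")) == "1"
    ]


def plan_address_updates(subnet, existing, alive_ips, online_tag, offline_tag):
    """Return (method, path, payload) tuples that bring address rows in line with the scan.

    Only three write shapes are ever produced: POST a new address, PATCH an
    existing address to the online tag, PATCH an online address to offline.
    """
    network = ipaddress.ip_network(f"{subnet['subnet']}/{subnet['mask']}", strict=False)
    by_ip = {row["ip"]: row for row in existing}
    # Drop anything nmap reported that is outside the subnet we were asked to scan.
    alive = {ip for ip in alive_ips if ipaddress.ip_address(ip) in network}
    plan = []
    for ip in sorted(alive, key=ipaddress.ip_address):
        row = by_ip.get(ip)
        if row is None:
            plan.append(("POST", "addresses/", {"subnetId": subnet["id"], "ip": ip, "tag": online_tag}))
        elif str(row.get("tag")) != str(online_tag):
            plan.append(("PATCH", f"addresses/{row['id']}/", {"tag": online_tag}))
    for ip, row in by_ip.items():
        # Only flip rows we previously marked online; leave Reserved/DHCP-style tags alone.
        if ip not in alive and str(row.get("tag")) == str(online_tag):
            plan.append(("PATCH", f"addresses/{row['id']}/", {"tag": offline_tag}))
    return plan


def build_plan(agent_code, agents=SCAN_AGENTS, tags=TAGS, subnets=SUBNETS,
               addresses=ADDRESSES, alive=NMAP_ALIVE):
    """Full dry run for one agent: which subnets it owns and every write it would issue."""
    agent_id = find_agent_id(agents, agent_code)
    if agent_id is None:
        raise ValueError("scan agent code not found; check the code recorded in phpIPAM")
    online, offline = tag_id(tags, "Online"), tag_id(tags, "Offline")
    plan = []
    for subnet in subnets_for_agent(subnets, agent_id):
        plan += plan_address_updates(subnet, addresses.get(subnet["id"], []),
                                     alive.get(subnet["id"], []), online, offline)
    return plan


if __name__ == "__main__":
    for method, path, body in build_plan("agent-code-from-phpipam-ui"):
        print(method, api_url("https://ipam.example.net", "my_api", path), body)
```

The plan returned by build_plan is the complete write surface the agent needs (POST and PATCH on addresses only, plus the lastSeen/lastScan updates the post mentions if you add them), which is exactly the scope the post wishes a scan-agent-bound token could be restricted to; the App API token that actually performs these calls is admin-level, so reviewing the dry-run output before issuing real requests is the only guard in this design. Filtering nmap's output against the subnet's network before any write prevents a mis-targeted scan from creating addresses in the wrong subnet.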

I'm also wondering this, as I too have written a scan agent.

@JonTheNiceGuy did you end up finding a solution for this? Although my scan agent is designed as server/client, the issue I'm facing is that full API access is too broad. Having the scan agent code as a limited-scope API key would suffice.

jon-nfc avatar Feb 24 '24 12:02 jon-nfc

Hi @jon-nfc No, I didn't. I did, however, finish my scanner: https://github.com/JonTheNiceGuy/phpipam-python-scanagent

In my install docs, I've followed a similar path to yours; create an API key and give it a name (record both), create the scan agent, record the scan agent code and then my code uses those three items to work out whether it should be scanning that subnet or not, and then uses the write access to update the API accordingly.

JonTheNiceGuy avatar Feb 26 '24 07:02 JonTheNiceGuy

@JonTheNiceGuy Thanks for taking the time to reply. I did take a look at your scanner before I started mine and considered extending yours as a contribution. However, I decided against it, as extending it with the features I required and keeping it secure over the public internet would have been a longer road. In the end I went with Ansible and, thanks to its modularity, have been able to get most of the features required in a very short timeframe.

jon-nfc avatar Feb 27 '24 05:02 jon-nfc