CNJR-7305: Add /etc/hosts file from host machine and container

Author: micahlee

CHANGELOG.md

@@ -27,6 +27,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
   container to the inspect report. CNJR-4619
 - Resource usage check that captures the `top` command output from inside
   the container to the inspect report. CNJR-4618
+- Capture the `/etc/hosts` file from the container and the host. CNJR-7305
 
 ## [0.4.2] - 2025-03-25
 

pkg/checks/container_etc_hosts.go

@@ -0,0 +1,86 @@
+// Package checks defines all of the possible Conjur Inspect checks that can
+// be run.
+package checks
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"strings"
+
+	"github.com/cyberark/conjur-inspect/pkg/check"
+	"github.com/cyberark/conjur-inspect/pkg/container"
+	"github.com/cyberark/conjur-inspect/pkg/log"
+)
+
+// ContainerEtcHosts collects the contents of /etc/hosts from inside a container
+type ContainerEtcHosts struct {
+	Provider container.ContainerProvider
+}
+
+// Describe provides a textual description of what this check gathers info on
+func (ceh *ContainerEtcHosts) Describe() string {
+	return fmt.Sprintf("%s /etc/hosts", ceh.Provider.Name())
+}
+
+// Run performs the container /etc/hosts collection
+func (ceh *ContainerEtcHosts) Run(runContext *check.RunContext) []check.Result {
+	// If there is no container ID, return
+	if strings.TrimSpace(runContext.ContainerID) == "" {
+		return []check.Result{}
+	}
+
+	// Check if the container runtime is available
+	runtimeKey := strings.ToLower(ceh.Provider.Name())
+	if !IsRuntimeAvailable(runContext, runtimeKey) {
+		if runContext.VerboseErrors {
+			return check.ErrorResult(
+				ceh,
+				fmt.Errorf("container runtime not available"),
+			)
+		}
+		return []check.Result{}
+	}
+
+	container := ceh.Provider.Container(runContext.ContainerID)
+
+	// Execute cat /etc/hosts inside the container
+	stdout, stderr, err := container.Exec("cat", "/etc/hosts")
+	if err != nil {
+		if runContext.VerboseErrors {
+			stderrBytes, _ := io.ReadAll(stderr)
+			return check.ErrorResult(
+				ceh,
+				fmt.Errorf("failed to read /etc/hosts: %w (stderr: %s)", err, string(stderrBytes)),
+			)
+		}
+		log.Warn("failed to read /etc/hosts from container: %s", err)
+		return []check.Result{}
+	}
+
+	// Read the stdout content
+	fileBytes, err := io.ReadAll(stdout)
+	if err != nil {
+		if runContext.VerboseErrors {
+			return check.ErrorResult(
+				ceh,
+				fmt.Errorf("failed to read command output: %w", err),
+			)
+		}
+		log.Warn("failed to read /etc/hosts output: %s", err)
+		return []check.Result{}
+	}
+
+	// Save the file contents to output store with runtime-specific filename
+	outputFilename := fmt.Sprintf(
+		"%s-etc-hosts.txt",
+		strings.ToLower(ceh.Provider.Name()),
+	)
+	_, err = runContext.OutputStore.Save(outputFilename, bytes.NewReader(fileBytes))
+	if err != nil {
+		log.Warn("failed to save /etc/hosts output: %s", err)
+	}
+
+	// Return empty results on success (output is saved)
+	return []check.Result{}
+}

pkg/checks/container_etc_hosts_test.go

@@ -0,0 +1,162 @@
+package checks
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+
+	"github.com/cyberark/conjur-inspect/pkg/check"
+	"github.com/cyberark/conjur-inspect/pkg/test"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestContainerEtcHostsDescribe(t *testing.T) {
+	provider := &test.ContainerProvider{}
+	ceh := &ContainerEtcHosts{Provider: provider}
+	assert.Equal(t, "Test Container Provider /etc/hosts", ceh.Describe())
+}
+
+func TestContainerEtcHostsRunSuccessful(t *testing.T) {
+	hostsContent := "127.0.0.1\tlocalhost\n::1\tlocalhost\n172.17.0.2\tconjur\n"
+
+	provider := &test.ContainerProvider{
+		ExecResponses: map[string]test.ExecResponse{
+			"cat /etc/hosts": {
+				Stdout: strings.NewReader(hostsContent),
+				Stderr: strings.NewReader(""),
+				Error:  nil,
+			},
+		},
+	}
+
+	ceh := &ContainerEtcHosts{Provider: provider}
+	runContext := test.NewRunContext("container123")
+
+	results := ceh.Run(&runContext)
+
+	// Should return empty results on success
+	assert.Empty(t, results)
+
+	// Verify the file was saved to the output store
+	items, err := runContext.OutputStore.Items()
+	require.NoError(t, err)
+	require.Len(t, items, 1)
+	info, err := items[0].Info()
+	require.NoError(t, err)
+	// Test provider name is "Test Container Provider" -> lowercase -> "test container provider"
+	assert.Equal(t, "test container provider-etc-hosts.txt", info.Name())
+}
+
+func TestContainerEtcHostsEmptyContainerID(t *testing.T) {
+	provider := &test.ContainerProvider{}
+
+	ceh := &ContainerEtcHosts{Provider: provider}
+	runContext := test.NewRunContext("")
+	results := ceh.Run(&runContext)
+
+	// Should return empty results when no container ID
+	assert.Empty(t, results)
+
+	// Verify no output was saved
+	items, err := runContext.OutputStore.Items()
+	require.NoError(t, err)
+	require.Len(t, items, 0)
+}
+
+func TestContainerEtcHostsRuntimeNotAvailable(t *testing.T) {
+	provider := &test.ContainerProvider{}
+
+	ceh := &ContainerEtcHosts{Provider: provider}
+	runContext := test.NewRunContext("container123")
+	
+	// Set runtime as not available
+	runContext.ContainerRuntimeAvailability = map[string]check.RuntimeAvailability{
+		"test container provider": {
+			Available: false,
+			Error:     fmt.Errorf("runtime not found"),
+		},
+	}
+
+	results := ceh.Run(&runContext)
+
+	// Should return empty results when runtime not available
+	assert.Empty(t, results)
+
+	// Verify no output was saved
+	items, err := runContext.OutputStore.Items()
+	require.NoError(t, err)
+	require.Len(t, items, 0)
+}
+
+func TestContainerEtcHostsRuntimeNotAvailableWithVerboseErrors(t *testing.T) {
+	provider := &test.ContainerProvider{}
+
+	ceh := &ContainerEtcHosts{Provider: provider}
+	runContext := test.NewRunContext("container123")
+	runContext.VerboseErrors = true
+	
+	// Set runtime as not available
+	runContext.ContainerRuntimeAvailability = map[string]check.RuntimeAvailability{
+		"test container provider": {
+			Available: false,
+			Error:     fmt.Errorf("runtime not found"),
+		},
+	}
+
+	results := ceh.Run(&runContext)
+
+	// Should return error result with verbose errors enabled
+	require.Len(t, results, 1)
+	assert.Equal(t, check.StatusError, results[0].Status)
+	assert.Contains(t, results[0].Message, "container runtime not available")
+}
+
+func TestContainerEtcHostsExecError(t *testing.T) {
+	provider := &test.ContainerProvider{
+		ExecResponses: map[string]test.ExecResponse{
+			"cat /etc/hosts": {
+				Stdout: strings.NewReader(""),
+				Stderr: strings.NewReader("cat: /etc/hosts: Permission denied"),
+				Error:  fmt.Errorf("exit status 1"),
+			},
+		},
+	}
+
+	ceh := &ContainerEtcHosts{Provider: provider}
+	runContext := test.NewRunContext("container123")
+
+	results := ceh.Run(&runContext)
+
+	// Should return empty results without verbose errors
+	assert.Empty(t, results)
+
+	// Verify no output was saved
+	items, err := runContext.OutputStore.Items()
+	require.NoError(t, err)
+	require.Len(t, items, 0)
+}
+
+func TestContainerEtcHostsExecErrorWithVerboseErrors(t *testing.T) {
+	provider := &test.ContainerProvider{
+		ExecResponses: map[string]test.ExecResponse{
+			"cat /etc/hosts": {
+				Stdout: strings.NewReader(""),
+				Stderr: strings.NewReader("cat: /etc/hosts: Permission denied"),
+				Error:  fmt.Errorf("exit status 1"),
+			},
+		},
+	}
+
+	ceh := &ContainerEtcHosts{Provider: provider}
+	runContext := test.NewRunContext("container123")
+	runContext.VerboseErrors = true
+
+	results := ceh.Run(&runContext)
+
+	// Should return error result with verbose errors enabled
+	require.Len(t, results, 1)
+	assert.Equal(t, check.StatusError, results[0].Status)
+	assert.Contains(t, results[0].Message, "failed to read /etc/hosts")
+	assert.Contains(t, results[0].Message, "Permission denied")
+}

pkg/checks/host_etc_hosts.go

@@ -0,0 +1,43 @@
+// Package checks defines all of the possible Conjur Inspect checks that can
+// be run.
+package checks
+
+import (
+	"bytes"
+	"os"
+
+	"github.com/cyberark/conjur-inspect/pkg/check"
+	"github.com/cyberark/conjur-inspect/pkg/log"
+)
+
+// HostEtcHosts collects the contents of /etc/hosts from the host machine
+type HostEtcHosts struct{}
+
+// Describe provides a textual description of what this check gathers info on
+func (*HostEtcHosts) Describe() string {
+	return "Host /etc/hosts"
+}
+
+// Run performs the host /etc/hosts collection
+func (h *HostEtcHosts) Run(runContext *check.RunContext) []check.Result {
+	fileBytes, err := os.ReadFile("/etc/hosts")
+	if err != nil {
+		if runContext.VerboseErrors {
+			return check.ErrorResult(h, err)
+		}
+		log.Warn("failed to read /etc/hosts: %s", err)
+		return []check.Result{}
+	}
+
+	// Save the file contents to output store
+	_, err = runContext.OutputStore.Save(
+		"host-etc-hosts.txt",
+		bytes.NewReader(fileBytes),
+	)
+	if err != nil {
+		log.Warn("failed to save /etc/hosts output: %s", err)
+	}
+
+	// Return empty results on success (output is saved)
+	return []check.Result{}
+}

pkg/checks/host_etc_hosts_test.go

@@ -0,0 +1,49 @@
+package checks
+
+import (
+	"testing"
+
+	"github.com/cyberark/conjur-inspect/pkg/test"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestHostEtcHostsDescribe(t *testing.T) {
+	h := &HostEtcHosts{}
+	assert.Equal(t, "Host /etc/hosts", h.Describe())
+}
+
+func TestHostEtcHostsRunSuccessful(t *testing.T) {
+	// This test reads the actual /etc/hosts file on the system
+	h := &HostEtcHosts{}
+	runContext := test.NewRunContext("")
+	results := h.Run(&runContext)
+
+	// Should return empty results on success
+	assert.Empty(t, results)
+
+	// Verify the file was saved to the output store
+	items, err := runContext.OutputStore.Items()
+	require.NoError(t, err)
+	require.Len(t, items, 1)
+	info, err := items[0].Info()
+	require.NoError(t, err)
+	assert.Equal(t, "host-etc-hosts.txt", info.Name())
+}
+
+func TestHostEtcHostsRunWithVerboseErrors(t *testing.T) {
+	// This test verifies that we return empty results even with verbose errors
+	// when the file is readable (which /etc/hosts typically is)
+	h := &HostEtcHosts{}
+	runContext := test.NewRunContext("")
+	runContext.VerboseErrors = true
+	results := h.Run(&runContext)
+
+	// Should still return empty results when file is readable
+	assert.Empty(t, results)
+
+	// Verify the file was saved to the output store
+	items, err := runContext.OutputStore.Items()
+	require.NoError(t, err)
+	require.Len(t, items, 1)
+}

pkg/cmd/default_report.go

@@ -73,6 +73,7 @@ func defaultReportSections() []report.Section {
 			Checks: []check.Check{
 				&checks.Host{},
 				&checks.CommandHistory{},
+				&checks.HostEtcHosts{},
 			},
 		},
 		{
@@ -158,6 +159,14 @@ func defaultReportSections() []report.Section {
 				&checks.RunItServices{
 					Provider: &container.PodmanProvider{},
 				},
+
+				// Container /etc/hosts
+				&checks.ContainerEtcHosts{
+					Provider: &container.DockerProvider{},
+				},
+				&checks.ContainerEtcHosts{
+					Provider: &container.PodmanProvider{},
+				},
 			},
 		},
 		{