Merge pull request #18 from Conjur-Enterprise/cnjr-11978-container-command-history

CNJR-11978: Add container command history to report

Author: micahlee

.devops/gitleaks.yaml

@@ -2,4 +2,5 @@ config:
   exclusions:
     # These tests include mock secrets to test the command history sanitizing
     - "pkg/checks/command_history_test.go"
+    - "pkg/checks/container_command_history_test.go"
     - "pkg/checks/sanitize/sanitizer_test.go"

CHANGELOG.md

@@ -17,6 +17,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
   report. CNJR-11977
 - Command history check that records the recent command history from the host
   machine to the inspect report. CNJR-11976
+- Container command history check that records the recent command history from
+  inside a container to the inspect report. CNJR-11978
 
 ## [0.4.2] - 2025-03-25
 

pkg/checks/container_command_history.go

@@ -0,0 +1,83 @@
+// Package checks defines all of the possible Conjur Inspect checks that can
+// be run.
+package checks
+
+import (
+	"fmt"
+	"io"
+	"strings"
+
+	"github.com/cyberark/conjur-inspect/pkg/check"
+	"github.com/cyberark/conjur-inspect/pkg/checks/sanitize"
+	"github.com/cyberark/conjur-inspect/pkg/container"
+	"github.com/cyberark/conjur-inspect/pkg/log"
+)
+
+// ContainerCommandHistory collects recent command history from inside a container
+type ContainerCommandHistory struct {
+	Provider container.ContainerProvider
+}
+
+// Describe provides a textual description of what this check gathers info on
+func (cch *ContainerCommandHistory) Describe() string {
+	return fmt.Sprintf("%s command history", cch.Provider.Name())
+}
+
+// Run performs the container command history collection
+func (cch *ContainerCommandHistory) Run(runContext *check.RunContext) []check.Result {
+	// If there is no container ID, return
+	if strings.TrimSpace(runContext.ContainerID) == "" {
+		return []check.Result{}
+	}
+
+	containerInstance := cch.Provider.Container(runContext.ContainerID)
+
+	// Execute tail command to get last 100 lines of bash history
+	// Use a shell command that won't fail if the file doesn't exist
+	stdout, stderr, err := containerInstance.Exec(
+		"sh", "-c", "tail -n 100 /root/.bash_history 2>/dev/null || true",
+	)
+	if err != nil {
+		return check.ErrorResult(
+			cch,
+			fmt.Errorf("failed to retrieve command history from container: %w", err),
+		)
+	}
+
+	// Read stdout from the command execution
+	historyBytes, err := io.ReadAll(stdout)
+	if err != nil {
+		return check.ErrorResult(
+			cch,
+			fmt.Errorf("failed to read command history output: %w", err),
+		)
+	}
+
+	// Read any stderr for logging
+	stderrBytes, _ := io.ReadAll(stderr)
+	if len(stderrBytes) > 0 {
+		log.Warn("stderr while reading container command history: %s", string(stderrBytes))
+	}
+
+	historyContent := string(historyBytes)
+
+	// Sanitize the history to redact sensitive values
+	redactor := sanitize.NewRedactor()
+	sanitizedContent := redactor.RedactLines(historyContent)
+
+	// Save history to output store
+	outputFileName := fmt.Sprintf(
+		"%s-command-history.txt",
+		strings.ToLower(cch.Provider.Name()),
+	)
+	_, err = runContext.OutputStore.Save(
+		outputFileName,
+		strings.NewReader(sanitizedContent),
+	)
+	if err != nil {
+		log.Warn("failed to save container command history output: %s", err)
+	}
+
+	// Return empty results on success (output is saved)
+	return []check.Result{}
+}

pkg/checks/container_command_history_test.go

@@ -0,0 +1,221 @@
+package checks
+
+import (
+	"fmt"
+	"io"
+	"strings"
+	"testing"
+
+	"github.com/cyberark/conjur-inspect/pkg/test"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestContainerCommandHistoryDescribe(t *testing.T) {
+	provider := &test.ContainerProvider{}
+	cch := &ContainerCommandHistory{Provider: provider}
+	assert.Equal(t, "Test Container Provider command history", cch.Describe())
+}
+
+func TestContainerCommandHistoryRunSuccessful(t *testing.T) {
+	// Create a mock container provider with bash history
+	bashHistory := strings.Join([]string{
+		"ls -la",
+		"cd /tmp",
+		"echo 'hello world'",
+	}, "\n")
+
+	provider := &test.ContainerProvider{
+		ExecResponses: map[string]test.ExecResponse{
+			"sh -c tail -n 100 /root/.bash_history 2>/dev/null || true": {
+				Stdout: strings.NewReader(bashHistory),
+				Stderr: strings.NewReader(""),
+				Error:  nil,
+			},
+		},
+	}
+
+	cch := &ContainerCommandHistory{Provider: provider}
+	runContext := test.NewRunContext("container123")
+	results := cch.Run(&runContext)
+
+	// Should return empty results on success
+	assert.Empty(t, results)
+
+	// Verify the file was saved to the output store
+	items, err := runContext.OutputStore.Items()
+	require.NoError(t, err)
+	require.Len(t, items, 1)
+	info, err := items[0].Info()
+	require.NoError(t, err)
+	// Provider name is "Test Container Provider" and gets ToLower() -> "test container provider"
+	assert.Equal(t, "test container provider-command-history.txt", info.Name())
+}
+
+func TestContainerCommandHistorySanitization(t *testing.T) {
+	// Create history with sensitive data that should be redacted
+	bashHistory := strings.Join([]string{
+		"mysql -u root -pMyPassword123",
+		"api_key=sk_live_abc123xyz",
+		"token=secret_token_value",
+		"echo 'normal command'",
+	}, "\n")
+
+	provider := &test.ContainerProvider{
+		ExecResponses: map[string]test.ExecResponse{
+			"sh -c tail -n 100 /root/.bash_history 2>/dev/null || true": {
+				Stdout: strings.NewReader(bashHistory),
+				Stderr: strings.NewReader(""),
+				Error:  nil,
+			},
+		},
+	}
+
+	cch := &ContainerCommandHistory{Provider: provider}
+	runContext := test.NewRunContext("container123")
+	results := cch.Run(&runContext)
+
+	assert.Empty(t, results)
+
+	// Verify sanitization occurred
+	items, err := runContext.OutputStore.Items()
+	require.NoError(t, err)
+	require.Len(t, items, 1)
+
+	outputStoreItemReader, cleanup, err := items[0].Open()
+	defer cleanup()
+	require.NoError(t, err)
+
+	savedContent, err := io.ReadAll(outputStoreItemReader)
+	require.NoError(t, err)
+
+	// Verify sensitive data was redacted
+	assert.NotContains(t, string(savedContent), "sk_live_abc123xyz")
+	assert.NotContains(t, string(savedContent), "secret_token_value")
+	// Normal command should still be present
+	assert.Contains(t, string(savedContent), "echo 'normal command'")
+	// The api_key and token patterns should have been redacted with [REDACTED]
+	assert.Contains(t, string(savedContent), "[REDACTED]")
+}
+
+func TestContainerCommandHistoryEmptyContainerID(t *testing.T) {
+	provider := &test.ContainerProvider{}
+	cch := &ContainerCommandHistory{Provider: provider}
+	runContext := test.NewRunContext("")
+	results := cch.Run(&runContext)
+
+	// Should return empty results when container ID is empty
+	assert.Empty(t, results)
+
+	// Verify nothing was saved
+	items, err := runContext.OutputStore.Items()
+	require.NoError(t, err)
+	assert.Len(t, items, 0)
+}
+
+func TestContainerCommandHistoryExecError(t *testing.T) {
+	provider := &test.ContainerProvider{
+		ExecResponses: map[string]test.ExecResponse{
+			"sh -c tail -n 100 /root/.bash_history 2>/dev/null || true": {
+				Stdout: nil,
+				Stderr: nil,
+				Error:  fmt.Errorf("file not found"),
+			},
+		},
+	}
+
+	cch := &ContainerCommandHistory{Provider: provider}
+	runContext := test.NewRunContext("container123")
+	results := cch.Run(&runContext)
+
+	// Should return error result
+	require.Len(t, results, 1)
+	assert.Equal(t, "Test Container Provider command history", results[0].Title)
+	assert.Contains(t, results[0].Message, "failed to retrieve command history from container")
+}
+
+func TestContainerCommandHistoryNoExecResponse(t *testing.T) {
+	// Provider with empty ExecResponses - should error on unknown command
+	provider := &test.ContainerProvider{
+		ExecResponses: map[string]test.ExecResponse{},
+	}
+
+	cch := &ContainerCommandHistory{Provider: provider}
+	runContext := test.NewRunContext("container123")
+	results := cch.Run(&runContext)
+
+	// Should return error result
+	require.Len(t, results, 1)
+	assert.Equal(t, "Test Container Provider command history", results[0].Title)
+	assert.Contains(t, results[0].Message, "failed to retrieve command history from container")
+}
+
+func TestContainerCommandHistoryEmptyHistory(t *testing.T) {
+	// Test with empty history file
+	provider := &test.ContainerProvider{
+		ExecResponses: map[string]test.ExecResponse{
+			"sh -c tail -n 100 /root/.bash_history 2>/dev/null || true": {
+				Stdout: strings.NewReader(""),
+				Stderr: strings.NewReader(""),
+				Error:  nil,
+			},
+		},
+	}
+
+	cch := &ContainerCommandHistory{Provider: provider}
+	runContext := test.NewRunContext("container123")
+	results := cch.Run(&runContext)
+
+	// Should return empty results (empty history is valid)
+	assert.Empty(t, results)
+
+	// Verify empty file was saved
+	items, err := runContext.OutputStore.Items()
+	require.NoError(t, err)
+	require.Len(t, items, 1)
+}
+
+func TestContainerCommandHistoryStderr(t *testing.T) {
+	// Test that stderr is logged but doesn't cause failure
+	bashHistory := strings.Join([]string{
+		"ls -la",
+		"pwd",
+	}, "\n")
+
+	provider := &test.ContainerProvider{
+		ExecResponses: map[string]test.ExecResponse{
+			"sh -c tail -n 100 /root/.bash_history 2>/dev/null || true": {
+				Stdout: strings.NewReader(bashHistory),
+				Stderr: strings.NewReader("some warning message"),
+				Error:  nil,
+			},
+		},
+	}
+
+	cch := &ContainerCommandHistory{Provider: provider}
+	runContext := test.NewRunContext("container123")
+	results := cch.Run(&runContext)
+
+	// Should still succeed despite stderr
+	assert.Empty(t, results)
+
+	// Verify the file was saved
+	items, err := runContext.OutputStore.Items()
+	require.NoError(t, err)
+	require.Len(t, items, 1)
+}
+
+func TestContainerCommandHistoryWhitespaceContainerID(t *testing.T) {
+	provider := &test.ContainerProvider{}
+	cch := &ContainerCommandHistory{Provider: provider}
+	runContext := test.NewRunContext("   ")
+	results := cch.Run(&runContext)
+
+	// Should return empty results when container ID is only whitespace
+	assert.Empty(t, results)
+
+	// Verify nothing was saved
+	items, err := runContext.OutputStore.Items()
+	require.NoError(t, err)
+	assert.Len(t, items, 0)
+}

pkg/cmd/default_report.go

@@ -108,6 +108,14 @@ func defaultReportSections() []report.Section {
 					Provider: &container.PodmanProvider{},
 				},
 
+				// Container command history
+				&checks.ContainerCommandHistory{
+					Provider: &container.DockerProvider{},
+				},
+				&checks.ContainerCommandHistory{
+					Provider: &container.PodmanProvider{},
+				},
+
 				// Container config
 				&checks.ConjurConfig{
 					Provider: &container.DockerProvider{},