Merge pull request #22 from Conjur-Enterprise/cnjr-7307-network-inspect

CNJR-7307: Add network inspect and /etc/hosts checks

Author: tarnowsc

CHANGELOG.md

@@ -27,6 +27,8 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
   container to the inspect report. CNJR-4619
 - Resource usage check that captures the `top` command output from inside
   the container to the inspect report. CNJR-4618
+- Capture the `/etc/hosts` file from the container and the host. CNJR-7305
+- Capture the container runtime's `network inspect` output. CNJR-7307
 
 ## [0.4.2] - 2025-03-25
 

pkg/checks/container_etc_hosts.go

@@ -0,0 +1,86 @@
+// Package checks defines all of the possible Conjur Inspect checks that can
+// be run.
+package checks
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"strings"
+
+	"github.com/cyberark/conjur-inspect/pkg/check"
+	"github.com/cyberark/conjur-inspect/pkg/container"
+	"github.com/cyberark/conjur-inspect/pkg/log"
+)
+
+// ContainerEtcHosts collects the contents of /etc/hosts from inside a container
+type ContainerEtcHosts struct {
+	Provider container.ContainerProvider
+}
+
+// Describe provides a textual description of what this check gathers info on
+func (ceh *ContainerEtcHosts) Describe() string {
+	return fmt.Sprintf("%s /etc/hosts", ceh.Provider.Name())
+}
+
+// Run performs the container /etc/hosts collection
+func (ceh *ContainerEtcHosts) Run(runContext *check.RunContext) []check.Result {
+	// If there is no container ID, return
+	if strings.TrimSpace(runContext.ContainerID) == "" {
+		return []check.Result{}
+	}
+
+	// Check if the container runtime is available
+	runtimeKey := strings.ToLower(ceh.Provider.Name())
+	if !IsRuntimeAvailable(runContext, runtimeKey) {
+		if runContext.VerboseErrors {
+			return check.ErrorResult(
+				ceh,
+				fmt.Errorf("container runtime not available"),
+			)
+		}
+		return []check.Result{}
+	}
+
+	container := ceh.Provider.Container(runContext.ContainerID)
+
+	// Execute cat /etc/hosts inside the container
+	stdout, stderr, err := container.Exec("cat", "/etc/hosts")
+	if err != nil {
+		if runContext.VerboseErrors {
+			stderrBytes, _ := io.ReadAll(stderr)
+			return check.ErrorResult(
+				ceh,
+				fmt.Errorf("failed to read /etc/hosts: %w (stderr: %s)", err, string(stderrBytes)),
+			)
+		}
+		log.Warn("failed to read /etc/hosts from container: %s", err)
+		return []check.Result{}
+	}
+
+	// Read the stdout content
+	fileBytes, err := io.ReadAll(stdout)
+	if err != nil {
+		if runContext.VerboseErrors {
+			return check.ErrorResult(
+				ceh,
+				fmt.Errorf("failed to read command output: %w", err),
+			)
+		}
+		log.Warn("failed to read /etc/hosts output: %s", err)
+		return []check.Result{}
+	}
+
+	// Save the file contents to output store with runtime-specific filename
+	outputFilename := fmt.Sprintf(
+		"%s-etc-hosts.txt",
+		strings.ToLower(ceh.Provider.Name()),
+	)
+	_, err = runContext.OutputStore.Save(outputFilename, bytes.NewReader(fileBytes))
+	if err != nil {
+		log.Warn("failed to save /etc/hosts output: %s", err)
+	}
+
+	// Return empty results on success (output is saved)
+	return []check.Result{}
+}

pkg/checks/container_etc_hosts_test.go

@@ -0,0 +1,162 @@
+package checks
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+
+	"github.com/cyberark/conjur-inspect/pkg/check"
+	"github.com/cyberark/conjur-inspect/pkg/test"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestContainerEtcHostsDescribe(t *testing.T) {
+	provider := &test.ContainerProvider{}
+	ceh := &ContainerEtcHosts{Provider: provider}
+	assert.Equal(t, "Test Container Provider /etc/hosts", ceh.Describe())
+}
+
+func TestContainerEtcHostsRunSuccessful(t *testing.T) {
+	hostsContent := "127.0.0.1\tlocalhost\n::1\tlocalhost\n172.17.0.2\tconjur\n"
+
+	provider := &test.ContainerProvider{
+		ExecResponses: map[string]test.ExecResponse{
+			"cat /etc/hosts": {
+				Stdout: strings.NewReader(hostsContent),
+				Stderr: strings.NewReader(""),
+				Error:  nil,
+			},
+		},
+	}
+
+	ceh := &ContainerEtcHosts{Provider: provider}
+	runContext := test.NewRunContext("container123")
+
+	results := ceh.Run(&runContext)
+
+	// Should return empty results on success
+	assert.Empty(t, results)
+
+	// Verify the file was saved to the output store
+	items, err := runContext.OutputStore.Items()
+	require.NoError(t, err)
+	require.Len(t, items, 1)
+	info, err := items[0].Info()
+	require.NoError(t, err)
+	// Test provider name is "Test Container Provider" -> lowercase -> "test container provider"
+	assert.Equal(t, "test container provider-etc-hosts.txt", info.Name())
+}
+
+func TestContainerEtcHostsEmptyContainerID(t *testing.T) {
+	provider := &test.ContainerProvider{}
+
+	ceh := &ContainerEtcHosts{Provider: provider}
+	runContext := test.NewRunContext("")
+	results := ceh.Run(&runContext)
+
+	// Should return empty results when no container ID
+	assert.Empty(t, results)
+
+	// Verify no output was saved
+	items, err := runContext.OutputStore.Items()
+	require.NoError(t, err)
+	require.Len(t, items, 0)
+}
+
+func TestContainerEtcHostsRuntimeNotAvailable(t *testing.T) {
+	provider := &test.ContainerProvider{}
+
+	ceh := &ContainerEtcHosts{Provider: provider}
+	runContext := test.NewRunContext("container123")
+	
+	// Set runtime as not available
+	runContext.ContainerRuntimeAvailability = map[string]check.RuntimeAvailability{
+		"test container provider": {
+			Available: false,
+			Error:     fmt.Errorf("runtime not found"),
+		},
+	}
+
+	results := ceh.Run(&runContext)
+
+	// Should return empty results when runtime not available
+	assert.Empty(t, results)
+
+	// Verify no output was saved
+	items, err := runContext.OutputStore.Items()
+	require.NoError(t, err)
+	require.Len(t, items, 0)
+}
+
+func TestContainerEtcHostsRuntimeNotAvailableWithVerboseErrors(t *testing.T) {
+	provider := &test.ContainerProvider{}
+
+	ceh := &ContainerEtcHosts{Provider: provider}
+	runContext := test.NewRunContext("container123")
+	runContext.VerboseErrors = true
+	
+	// Set runtime as not available
+	runContext.ContainerRuntimeAvailability = map[string]check.RuntimeAvailability{
+		"test container provider": {
+			Available: false,
+			Error:     fmt.Errorf("runtime not found"),
+		},
+	}
+
+	results := ceh.Run(&runContext)
+
+	// Should return error result with verbose errors enabled
+	require.Len(t, results, 1)
+	assert.Equal(t, check.StatusError, results[0].Status)
+	assert.Contains(t, results[0].Message, "container runtime not available")
+}
+
+func TestContainerEtcHostsExecError(t *testing.T) {
+	provider := &test.ContainerProvider{
+		ExecResponses: map[string]test.ExecResponse{
+			"cat /etc/hosts": {
+				Stdout: strings.NewReader(""),
+				Stderr: strings.NewReader("cat: /etc/hosts: Permission denied"),
+				Error:  fmt.Errorf("exit status 1"),
+			},
+		},
+	}
+
+	ceh := &ContainerEtcHosts{Provider: provider}
+	runContext := test.NewRunContext("container123")
+
+	results := ceh.Run(&runContext)
+
+	// Should return empty results without verbose errors
+	assert.Empty(t, results)
+
+	// Verify no output was saved
+	items, err := runContext.OutputStore.Items()
+	require.NoError(t, err)
+	require.Len(t, items, 0)
+}
+
+func TestContainerEtcHostsExecErrorWithVerboseErrors(t *testing.T) {
+	provider := &test.ContainerProvider{
+		ExecResponses: map[string]test.ExecResponse{
+			"cat /etc/hosts": {
+				Stdout: strings.NewReader(""),
+				Stderr: strings.NewReader("cat: /etc/hosts: Permission denied"),
+				Error:  fmt.Errorf("exit status 1"),
+			},
+		},
+	}
+
+	ceh := &ContainerEtcHosts{Provider: provider}
+	runContext := test.NewRunContext("container123")
+	runContext.VerboseErrors = true
+
+	results := ceh.Run(&runContext)
+
+	// Should return error result with verbose errors enabled
+	require.Len(t, results, 1)
+	assert.Equal(t, check.StatusError, results[0].Status)
+	assert.Contains(t, results[0].Message, "failed to read /etc/hosts")
+	assert.Contains(t, results[0].Message, "Permission denied")
+}

pkg/checks/container_network_inspect.go

@@ -0,0 +1,78 @@
+// Package checks defines all of the possible Conjur Inspect checks that can
+// be run.
+package checks
+
+import (
+	"fmt"
+	"io"
+	"strings"
+
+	"github.com/cyberark/conjur-inspect/pkg/check"
+	"github.com/cyberark/conjur-inspect/pkg/container"
+	"github.com/cyberark/conjur-inspect/pkg/log"
+)
+
+// ContainerNetworkInspect collects the network inspection data from the
+// container runtime and saves it to the output store.
+type ContainerNetworkInspect struct {
+	Provider container.ContainerProvider
+}
+
+// Describe provides a textual description of what this check gathers info on
+func (cni *ContainerNetworkInspect) Describe() string {
+	return fmt.Sprintf("%s network inspect", cni.Provider.Name())
+}
+
+// Run performs the network inspection check
+func (cni *ContainerNetworkInspect) Run(runContext *check.RunContext) []check.Result {
+	// Check if the container runtime is available
+	runtimeKey := strings.ToLower(cni.Provider.Name())
+	if !IsRuntimeAvailable(runContext, runtimeKey) {
+		if runContext.VerboseErrors {
+			return check.ErrorResult(
+				cni,
+				fmt.Errorf("container runtime not available"),
+			)
+		}
+		return []check.Result{}
+	}
+
+	networkInspectOutput, err := cni.Provider.NetworkInspect()
+	if err != nil {
+		if runContext.VerboseErrors {
+			return check.ErrorResult(
+				cni,
+				fmt.Errorf("failed to inspect networks: %w", err),
+			)
+		}
+		return []check.Result{}
+	}
+
+	// Read the output to save it
+	outputBytes, err := io.ReadAll(networkInspectOutput)
+	if err != nil {
+		if runContext.VerboseErrors {
+			return check.ErrorResult(
+				cni,
+				fmt.Errorf("failed to read network inspect output: %w", err),
+			)
+		}
+		return []check.Result{}
+	}
+
+	// Save raw network inspect output
+	outputFileName := fmt.Sprintf(
+		"%s-network-inspect.json",
+		strings.ToLower(cni.Provider.Name()),
+	)
+	_, err = runContext.OutputStore.Save(outputFileName, strings.NewReader(string(outputBytes)))
+	if err != nil {
+		log.Warn(
+			"Failed to save %s network inspect output: %s",
+			cni.Provider.Name(),
+			err,
+		)
+	}
+
+	return []check.Result{}
+}