CNJR-7307: Add network inspect check

Author: micahlee

CHANGELOG.md

@@ -28,6 +28,7 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 - Resource usage check that captures the `top` command output from inside
   the container to the inspect report. CNJR-4618
 - Capture the `/etc/hosts` file from the container and the host. CNJR-7305
+- Capture the container runtime's `network inspect` output. CNJR-7307
 
 ## [0.4.2] - 2025-03-25
 

pkg/checks/container_network_inspect.go

@@ -0,0 +1,78 @@
+// Package checks defines all of the possible Conjur Inspect checks that can
+// be run.
+package checks
+
+import (
+	"fmt"
+	"io"
+	"strings"
+
+	"github.com/cyberark/conjur-inspect/pkg/check"
+	"github.com/cyberark/conjur-inspect/pkg/container"
+	"github.com/cyberark/conjur-inspect/pkg/log"
+)
+
+// ContainerNetworkInspect collects the network inspection data from the
+// container runtime and saves it to the output store.
+type ContainerNetworkInspect struct {
+	Provider container.ContainerProvider
+}
+
+// Describe provides a textual description of what this check gathers info on
+func (cni *ContainerNetworkInspect) Describe() string {
+	return fmt.Sprintf("%s network inspect", cni.Provider.Name())
+}
+
+// Run performs the network inspection check
+func (cni *ContainerNetworkInspect) Run(runContext *check.RunContext) []check.Result {
+	// Check if the container runtime is available
+	runtimeKey := strings.ToLower(cni.Provider.Name())
+	if !IsRuntimeAvailable(runContext, runtimeKey) {
+		if runContext.VerboseErrors {
+			return check.ErrorResult(
+				cni,
+				fmt.Errorf("container runtime not available"),
+			)
+		}
+		return []check.Result{}
+	}
+
+	networkInspectOutput, err := cni.Provider.NetworkInspect()
+	if err != nil {
+		if runContext.VerboseErrors {
+			return check.ErrorResult(
+				cni,
+				fmt.Errorf("failed to inspect networks: %w", err),
+			)
+		}
+		return []check.Result{}
+	}
+
+	// Read the output to save it
+	outputBytes, err := io.ReadAll(networkInspectOutput)
+	if err != nil {
+		if runContext.VerboseErrors {
+			return check.ErrorResult(
+				cni,
+				fmt.Errorf("failed to read network inspect output: %w", err),
+			)
+		}
+		return []check.Result{}
+	}
+
+	// Save raw network inspect output
+	outputFileName := fmt.Sprintf(
+		"%s-network-inspect.json",
+		strings.ToLower(cni.Provider.Name()),
+	)
+	_, err = runContext.OutputStore.Save(outputFileName, strings.NewReader(string(outputBytes)))
+	if err != nil {
+		log.Warn(
+			"Failed to save %s network inspect output: %s",
+			cni.Provider.Name(),
+			err,
+		)
+	}
+
+	return []check.Result{}
+}

pkg/checks/container_network_inspect_test.go

@@ -0,0 +1,169 @@
+// Package checks defines all of the possible Conjur Inspect checks that can
+// be run.
+package checks
+
+import (
+	"errors"
+	"io"
+	"strings"
+	"testing"
+
+	"github.com/cyberark/conjur-inspect/pkg/check"
+	"github.com/cyberark/conjur-inspect/pkg/test"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestContainerNetworkInspectRun(t *testing.T) {
+	rawOutput := `[{"Name":"bridge","Id":"abc123"}]`
+
+	testCheck := &ContainerNetworkInspect{
+		Provider: &test.ContainerProvider{
+			NetworkInspectResult: strings.NewReader(rawOutput),
+		},
+	}
+
+	testOutputStore := test.NewOutputStore()
+
+	results := testCheck.Run(
+		&check.RunContext{
+			OutputStore: testOutputStore,
+			ContainerRuntimeAvailability: map[string]check.RuntimeAvailability{
+				"test container provider": {Available: true},
+			},
+		},
+	)
+
+	assert.Empty(t, results)
+
+	outputStoreItems, err := testOutputStore.Items()
+	assert.NoError(t, err)
+
+	assert.Equal(t, 1, len(outputStoreItems))
+
+	itemInfo, err := outputStoreItems[0].Info()
+	assert.NoError(t, err)
+	assert.Equal(t, "test container provider-network-inspect.json", itemInfo.Name())
+
+	reader, cleanup, err := outputStoreItems[0].Open()
+	assert.NoError(t, err)
+	defer cleanup()
+
+	output, err := io.ReadAll(reader)
+	assert.NoError(t, err)
+
+	assert.Equal(t, rawOutput, string(output))
+}
+
+func TestContainerNetworkInspectRunEmpty(t *testing.T) {
+	rawOutput := `[]`
+
+	testCheck := &ContainerNetworkInspect{
+		Provider: &test.ContainerProvider{
+			NetworkInspectResult: strings.NewReader(rawOutput),
+		},
+	}
+
+	testOutputStore := test.NewOutputStore()
+
+	results := testCheck.Run(
+		&check.RunContext{
+			OutputStore: testOutputStore,
+			ContainerRuntimeAvailability: map[string]check.RuntimeAvailability{
+				"test container provider": {Available: true},
+			},
+		},
+	)
+
+	assert.Empty(t, results)
+
+	outputStoreItems, err := testOutputStore.Items()
+	assert.NoError(t, err)
+
+	assert.Equal(t, 1, len(outputStoreItems))
+
+	_, err = outputStoreItems[0].Info()
+	assert.NoError(t, err)
+
+	reader, cleanup, err := outputStoreItems[0].Open()
+	assert.NoError(t, err)
+	defer cleanup()
+
+	output, err := io.ReadAll(reader)
+	assert.NoError(t, err)
+
+	assert.Equal(t, rawOutput, string(output))
+}
+
+func TestContainerNetworkInspectRunError(t *testing.T) {
+	testCheck := &ContainerNetworkInspect{
+		Provider: &test.ContainerProvider{
+			NetworkInspectError: errors.New("network inspect failed"),
+		},
+	}
+
+	results := testCheck.Run(
+		&check.RunContext{
+			ContainerRuntimeAvailability: map[string]check.RuntimeAvailability{
+				"test container provider": {Available: true},
+			},
+		},
+	)
+
+	assert.Empty(t, results)
+}
+
+func TestContainerNetworkInspectRunErrorVerboseErrors(t *testing.T) {
+	testCheck := &ContainerNetworkInspect{
+		Provider: &test.ContainerProvider{
+			NetworkInspectError: errors.New("network inspect failed"),
+		},
+	}
+
+	results := testCheck.Run(
+		&check.RunContext{
+			VerboseErrors: true,
+			ContainerRuntimeAvailability: map[string]check.RuntimeAvailability{
+				"test container provider": {Available: true},
+			},
+		},
+	)
+
+	assert.Len(t, results, 1)
+	assert.Equal(t, check.StatusError, results[0].Status)
+	assert.Contains(t, results[0].Message, "network inspect failed")
+}
+
+func TestContainerNetworkInspectRuntimeNotAvailable(t *testing.T) {
+	testCheck := &ContainerNetworkInspect{
+		Provider: &test.ContainerProvider{},
+	}
+
+	results := testCheck.Run(
+		&check.RunContext{
+			ContainerRuntimeAvailability: map[string]check.RuntimeAvailability{
+				"test container provider": {Available: false},
+			},
+		},
+	)
+
+	assert.Empty(t, results)
+}
+
+func TestContainerNetworkInspectRuntimeNotAvailableVerboseErrors(t *testing.T) {
+	testCheck := &ContainerNetworkInspect{
+		Provider: &test.ContainerProvider{},
+	}
+
+	results := testCheck.Run(
+		&check.RunContext{
+			VerboseErrors: true,
+			ContainerRuntimeAvailability: map[string]check.RuntimeAvailability{
+				"test container provider": {Available: false},
+			},
+		},
+	)
+
+	assert.Len(t, results, 1)
+	assert.Equal(t, check.StatusError, results[0].Status)
+	assert.Contains(t, results[0].Message, "runtime not available")
+}

pkg/checks/etcd_perf_test.go

@@ -27,6 +27,7 @@ type mockExecResult struct {
 
 func (m *mockContainerProvider) Name() string                                   { return "MockProvider" }
 func (m *mockContainerProvider) Info() (container.ContainerProviderInfo, error) { return nil, nil }
+func (m *mockContainerProvider) NetworkInspect() (io.Reader, error)            { return nil, nil }
 func (m *mockContainerProvider) Container(id string) container.Container {
 	return &mockContainer{
 		execMap:     m.execMap,

pkg/cmd/default_report.go

@@ -74,6 +74,27 @@ func defaultReportSections() []report.Section {
 				&checks.Host{},
 				&checks.CommandHistory{},
 				&checks.HostEtcHosts{},
+
+				// Check container runtime availability before runtime checks to
+				// cache the results.
+				&checks.ContainerAvailability{},
+
+				// Runtime
+				&checks.ContainerRuntime{
+					Provider: &container.DockerProvider{},
+				},
+				&checks.ContainerRuntime{
+					Provider: &container.PodmanProvider{},
+				},
+
+				// Network
+				&checks.ContainerNetworkInspect{
+					Provider: &container.DockerProvider{},
+				},
+				&checks.ContainerNetworkInspect{
+					Provider: &container.PodmanProvider{},
+				},
+
 			},
 		},
 		{
@@ -85,17 +106,6 @@ func defaultReportSections() []report.Section {
 		{
 			Title: "Container",
 			Checks: []check.Check{
-				// Check container runtime availability first to cache the results
-				&checks.ContainerAvailability{},
-
-				// Runtime
-				&checks.ContainerRuntime{
-					Provider: &container.DockerProvider{},
-				},
-				&checks.ContainerRuntime{
-					Provider: &container.PodmanProvider{},
-				},
-
 				// Container inspect
 				&checks.ContainerInspect{
 					Provider: &container.DockerProvider{},

pkg/container/container_provider.go

@@ -15,6 +15,7 @@ type ContainerProvider interface {
 	Name() string
 	Info() (ContainerProviderInfo, error)
 	Container(containerID string) Container
+	NetworkInspect() (io.Reader, error)
 }
 
 // Container is an interface for a container instance

pkg/container/docker_provider.go

@@ -13,6 +13,7 @@ import (
 
 // Function variable for dependency injection
 var executeDockerInfoFunc = executeDockerInfo
+var executeDockerNetworkInspectFunc = executeDockerNetworkInspect
 
 // DockerProvider is a concrete implementation of the
 // ContainerProvider interface for Docker
@@ -69,6 +70,11 @@ func (*DockerProvider) Container(containerID string) Container {
 	return &DockerContainer{ContainerID: containerID}
 }
 
+// NetworkInspect returns the JSON output of all Docker networks
+func (*DockerProvider) NetworkInspect() (io.Reader, error) {
+	return executeDockerNetworkInspectFunc()
+}
+
 func executeDockerInfo() (stdout, stderr io.Reader, err error) {
 	return shell.NewCommandWrapper(
 		"docker",
@@ -78,3 +84,49 @@ func executeDockerInfo() (stdout, stderr io.Reader, err error) {
 		"{{json .}}",
 	).Run()
 }
+
+func executeDockerNetworkInspect() (io.Reader, error) {
+	// First, get the list of network IDs
+	stdout, stderr, err := shell.NewCommandWrapper(
+		"docker",
+		"network",
+		"ls",
+		"-q",
+	).Run()
+
+	if err != nil {
+		return nil, fmt.Errorf(
+			"failed to list Docker networks: %w (%s)",
+			err,
+			strings.TrimSpace(shell.ReadOrDefault(stderr, "N/A")),
+		)
+	}
+
+	// Read the network IDs
+	networkIDsBytes, err := io.ReadAll(stdout)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read Docker network IDs: %w", err)
+	}
+
+	networkIDs := strings.TrimSpace(string(networkIDsBytes))
+
+	// If there are no networks, return empty JSON array
+	if networkIDs == "" {
+		return strings.NewReader("[]"), nil
+	}
+
+	// Split network IDs and inspect them all at once
+	ids := strings.Fields(networkIDs)
+	args := append([]string{"network", "inspect"}, ids...)
+
+	stdout, stderr, err = shell.NewCommandWrapper("docker", args...).Run()
+	if err != nil {
+		return nil, fmt.Errorf(
+			"failed to inspect Docker networks: %w (%s)",
+			err,
+			strings.TrimSpace(shell.ReadOrDefault(stderr, "N/A")),
+		)
+	}
+
+	return stdout, nil
+}