inspec-core 5.18.14 → 5.21.29

data/lib/inspec/resources/podman.rb

@@ -0,0 +1,353 @@
+require "inspec/resources/command"
+require "inspec/utils/filter"
+require "hashie/mash"
+
+module Inspec::Resources
+  class Podman < Inspec.resource(1)
+    # Resource requires an internal name.
+    name "podman"
+
+    # Restrict to only run on the below platforms (if none were given,
+    # all OS's and cloud API's supported)
+    supports platform: "unix"
+
+    desc "A resource to retrieve information about podman"
+
+    example <<~EXAMPLE
+      describe podman.containers do
+        its('images') { should include "docker.io/library/ubuntu:latest" }
+      end
+
+      describe podman.images do
+        its('names') { should_not include "docker.io/library/ubuntu:latest" }
+      end
+
+      describe podman.pods do
+        its("ids") { should include "95cadbb84df71e6374fceb3fd89ee3b8f2c7e1a831062cd9cea7d0e3e4b1dbcc" }
+      end
+
+      describe podman.info.host do
+        its("os") { should eq "linux"}
+      end
+
+      describe podman.version do
+        its("Client.Version") { should eq "4.1.0"}
+      end
+
+      podman.containers.ids.each do |id|
+        # call podman inspect for a specific container id
+        describe podman.object(id) do
+          its("State.OciVersion") { should eq "1.0.2-dev" }
+          its("State.Running") { should eq true}
+        end
+      end
+    EXAMPLE
+
+    def containers
+      PodmanContainerFilter.new(parse_containers)
+    end
+
+    def images
+      PodmanImageFilter.new(parse_images)
+    end
+
+    def networks
+      PodmanNetworkFilter.new(parse_networks)
+    end
+
+    def pods
+      PodmanPodFilter.new(parse_pods)
+    end
+
+    def volumes
+      PodmanVolumeFilter.new(parse_volumes)
+    end
+
+    def version
+      return @version if defined?(@version)
+
+      sub_cmd = "version --format json"
+      output = run_command(sub_cmd)
+      @version = Hashie::Mash.new(JSON.parse(output))
+    rescue JSON::ParserError => _e
+      Hashie::Mash.new({})
+    end
+
+    def info
+      return @info if defined?(@info)
+
+      sub_cmd = "info --format json"
+      output = run_command(sub_cmd)
+      @info = Hashie::Mash.new(JSON.parse(output))
+    rescue JSON::ParserError => _e
+      Hashie::Mash.new({})
+    end
+
+    # returns information about podman objects
+    def object(id)
+      return @inspect if defined?(@inspect)
+
+      output = run_command("inspect #{id} --format json")
+      data = JSON.parse(output)
+      data = data[0] if data.is_a?(Array)
+      @inspect = Hashie::Mash.new(data)
+    rescue JSON::ParserError => _e
+      Hashie::Mash.new({})
+    end
+
+    def to_s
+      "Podman"
+    end
+
+    private
+
+    # Calls the run_command method to get all podman containers and parse the command output.
+    # Returns the parsed command output.
+    def parse_containers
+      labels = %w{ID Image ImageID Command CreatedAt RunningFor Status Pod Ports Size Names Networks Labels Mounts}
+      parse_json_command(labels, "ps -a --no-trunc --size")
+    end
+
+    # Calls the run_command method to get all podman images and parse the command output.
+    # Returns the parsed command output.
+    def parse_images
+      labels = %w{ID Repository Tag Size Digest CreatedAt CreatedSince History}
+      parse_json_command(labels, "images -a --no-trunc")
+    end
+
+    # Calls the run_command method to get all podman network list and parse the command output.
+    # Returns the parsed command output.
+    def parse_networks
+      labels = %w{ID Name Driver Labels Options IPAMOptions Created Internal IPv6Enabled DNSEnabled NetworkInterface Subnets}
+      parse_json_command(labels, "network ls --no-trunc")
+    end
+
+    # Calls the run_command method to get all podman pod list and parse the command output.
+    # Returns the parsed command output.
+    def parse_pods
+      sub_cmd = "pod ps --no-trunc --format json"
+      output = run_command(sub_cmd)
+      parse(output)
+    end
+
+    # Calls the run_command method to get all podman volume list and parse the command output.
+    # Returns the parsed command output.
+    def parse_volumes
+      sub_cmd = "volume ls --format json"
+      output = run_command(sub_cmd)
+      parse(output)
+    end
+
+    # Runs the given podman command on the host machine on which podman is installed
+    # Returns the command output or raises the command execution error.
+    def run_command(subcommand)
+      result = inspec.command("podman #{subcommand}")
+      if result.stderr.empty?
+        result.stdout
+      else
+        raise "Error while running command \'podman #{subcommand}\' : #{result.stderr}"
+      end
+    end
+
+    def parse_json_command(labels, subcommand)
+      # build command
+      format = labels.map { |label| "\"#{label}\": {{json .#{label}}}" }
+      raw = inspec.command("podman #{subcommand} --format '{#{format.join(", ")}}'").stdout
+      output = []
+
+      raw.each_line do |entry|
+        # convert all keys to lower_case to work well with ruby and filter table
+        row = JSON.parse(entry).map do |key, value|
+          [key.downcase, value]
+        end.to_h
+
+        # ensure all keys are there
+        row = ensure_keys(row, labels)
+        output.push(row)
+      end
+
+      output
+    rescue JSON::ParserError => _e
+      warn "Could not parse `podman #{subcommand}` output"
+      []
+    end
+
+    def ensure_keys(entry, labels)
+      labels.each do |key|
+        entry[key.downcase] = nil unless entry.key?(key.downcase)
+      end
+      entry
+    end
+
+    # Method to parse JDON content.
+    # Returns: Parsed data.
+    def parse(content)
+      require "json" unless defined?(JSON)
+      output = JSON.parse(content)
+      parsed_output = []
+      output.each do |entry|
+        entry = entry.map do |k, v|
+          [k.downcase, v]
+        end.to_h
+        parsed_output << entry
+      end
+      parsed_output
+    rescue => e
+      raise Inspec::Exceptions::ResourceFailed, "Unable to parse command JSON output: #{e.message}"
+    end
+  end
+
+  # class for podman.containers plural resource
+  class PodmanContainerFilter
+    filter = FilterTable.create
+    filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
+    filter.register_column(:commands,   field: "command")
+      .register_column(:ids,            field: "id")
+      .register_column(:created_at,     field: "createdat")
+      .register_column(:images,         field: "image")
+      .register_column(:names,          field: "names")
+      .register_column(:status,         field: "status")
+      .register_column(:image_ids,      field: "image_id")
+      .register_column(:labels,         field: "labels", style: :simple)
+      .register_column(:mounts,         field: "mounts")
+      .register_column(:networks,       field: "networks")
+      .register_column(:pods,           field: "pod")
+      .register_column(:ports,          field: "ports")
+      .register_column(:sizes,          field: "size")
+      .register_column(:running_for,    field: "running_for")
+      .register_custom_matcher(:running?) do |x|
+        x.where { status.downcase.start_with?("up") }
+      end
+    filter.install_filter_methods_on_resource(self, :containers)
+
+    attr_reader :containers
+    def initialize(containers)
+      @containers = containers
+    end
+
+    def to_s
+      "Podman Containers"
+    end
+
+    def resource_id
+      "Podman Containers"
+    end
+  end
+
+  # class for podman.images plural resource
+  class PodmanImageFilter
+    filter = FilterTable.create
+    filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
+    filter.register_column(:ids,       field: "id")
+      .register_column(:repositories,  field: "repository")
+      .register_column(:tags,          field: "tag")
+      .register_column(:sizes,         field: "size")
+      .register_column(:digests,       field: "digest")
+      .register_column(:created_at,    field: "createdat")
+      .register_column(:created_since, field: "createdsince")
+      .register_column(:history,       field: "history")
+    filter.install_filter_methods_on_resource(self, :images)
+
+    attr_reader :images
+    def initialize(images)
+      @images = images
+    end
+
+    def to_s
+      "Podman Images"
+    end
+
+    def resource_id
+      "Podman Images"
+    end
+  end
+
+  class PodmanNetworkFilter
+    filter = FilterTable.create
+    filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
+      .register_column(:ids,                  field: "id")
+      .register_column(:names,                field: "name")
+      .register_column(:drivers,              field: "driver")
+      .register_column(:network_interfaces,   field: "networkinterface")
+      .register_column(:created,              field: "created")
+      .register_column(:subnets,              field: "subnets")
+      .register_column(:ipv6_enabled,         field: "ipv6enabled")
+      .register_column(:internal,             field: "internal")
+      .register_column(:dns_enabled,          field: "dnsenabled")
+      .register_column(:ipam_options,         field: "ipamoptions")
+      .register_column(:options,              field: "options")
+      .register_column(:labels,               field: "labels")
+    filter.install_filter_methods_on_resource(self, :networks)
+
+    attr_reader :networks
+    def initialize(networks)
+      @networks = networks
+    end
+
+    def to_s
+      "Podman Networks"
+    end
+
+    def resource_id
+      "Podman Networks"
+    end
+  end
+
+  class PodmanPodFilter
+    filter = FilterTable.create
+    filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
+      .register_column(:ids,                  field: "id")
+      .register_column(:cgroups,              field: "cgroup")
+      .register_column(:containers,           field: "containers")
+      .register_column(:created,              field: "created")
+      .register_column(:infraids,             field: "infraid")
+      .register_column(:names,                field: "name")
+      .register_column(:namespaces,           field: "namespace")
+      .register_column(:networks,             field: "networks")
+      .register_column(:status,               field: "status")
+      .register_column(:labels,               field: "labels")
+    filter.install_filter_methods_on_resource(self, :pods)
+
+    attr_reader :pods
+    def initialize(pods)
+      @pods = pods
+    end
+
+    def to_s
+      "Podman Pods"
+    end
+
+    def resource_id
+      "Podman Pods"
+    end
+  end
+
+  class PodmanVolumeFilter
+    filter = FilterTable.create
+    filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
+      .register_column(:names,              field: "name")
+      .register_column(:drivers,            field: "driver")
+      .register_column(:mountpoints,        field: "mountpoint")
+      .register_column(:createdat,          field: "createdat")
+      .register_column(:labels,             field: "labels")
+      .register_column(:scopes,             field: "scope")
+      .register_column(:options,            field: "options")
+      .register_column(:mountcount,         field: "mountcount")
+      .register_column(:needscopyup,        field: "needscopyup")
+      .register_column(:needschown,         field: "needschown")
+    filter.install_filter_methods_on_resource(self, :volumes)
+
+    attr_reader :volumes
+    def initialize(volumes)
+      @volumes = volumes
+    end
+
+    def to_s
+      "Podman Volumes"
+    end
+
+    def resource_id
+      "Podman Volumes"
+    end
+  end
+end

data/lib/inspec/resources/podman_container.rb

@@ -0,0 +1,84 @@
+require "inspec/resources/podman"
+require_relative "docker_object"
+
+# Change module if required
+module Inspec::Resources
+  class PodmanContainer < Inspec.resource(1)
+    include Inspec::Resources::DockerObject
+    name "podman_container"
+    supports platform: "unix"
+
+    desc "Inspec core resource to retrieve information about podman container"
+
+    example <<~EXAMPLE
+        describe podman_container("sweet_mendeleev") do
+          it { should exist }
+          it { should be_running }
+          its("id") { should eq "591270d8d80d26671fd6ed622f367fbe19004d16e3b519c292313feb5f22e7f7" }
+          its("image") { should eq "docker.io/library/nginx:latest" }
+          its("labels") { should include "maintainer"=>"NGINX Docker Maintainers <docker-maint@nginx.com>" }
+          its("ports") { should eq nil }
+        end
+
+        describe podman_container(id: "591270d8d80d2667") do
+          it { should exist }
+          it { should be_running }
+        end
+    EXAMPLE
+
+    def initialize(opts = {})
+      skip_resource "The `podman_container` resource is not yet available on your OS." unless inspec.os.unix?
+
+      # if a string is provided, we expect it is the name
+      if opts.is_a?(String)
+        @opts = { name: opts }
+      else
+        @opts = opts
+      end
+    end
+
+    def running?
+      status.downcase.start_with?("up") if object_info.entries.length == 1
+    end
+
+    def status
+      object_info.status[0] if object_info.entries.length == 1
+    end
+
+    def labels
+      object_info.labels
+    end
+
+    def ports
+      object_info.ports[0] if object_info.entries.length == 1
+    end
+
+    def command
+      return unless object_info.entries.length == 1
+
+      object_info.commands[0]
+    end
+
+    def image
+      object_info.images[0] if object_info.entries.length == 1
+    end
+
+    def resource_id
+      object_info.ids[0] || @opts[:id] || @opts[:name] || ""
+    end
+
+    def to_s
+      name = @opts[:name] || @opts[:id]
+      "Podman Container #{name}"
+    end
+
+    private
+
+    def object_info
+      return @info if defined?(@info)
+
+      opts = @opts
+      @info = inspec.podman.containers.where { names == opts[:name] || (!id.nil? && !opts[:id].nil? && (id == opts[:id] || id.start_with?(opts[:id]))) }
+    end
+  end
+end

data/lib/inspec/resources/podman_image.rb

@@ -0,0 +1,108 @@
+require "inspec/resources/command"
+require_relative "docker_object"
+require "inspec/utils/podman"
+
+module Inspec::Resources
+  class PodmanImage < Inspec.resource(1)
+    include Inspec::Resources::DockerObject
+    include Inspec::Utils::Podman
+
+    name "podman_image"
+    supports platform: "unix"
+
+    desc "InSpec core resource to retrieve information about podman image"
+
+    example <<~EXAMPLE
+      describe podman_image("docker.io/library/busybox") do
+        it { should exist }
+        its("repo_tags") { should include "docker.io/library/busybox:latest" }
+        its("size") { should eq 1636053 }
+        its("resource_id") { should eq "docker.io/library/busybox:latest" }
+      end
+
+      describe podman_image("docker.io/library/busybox:latest") do
+        it { should exist }
+      end
+
+      describe podman_image(repo: "docker.io/library/busybox", tag: "latest") do
+        it { should exist }
+      end
+
+      describe podman_image(id: "3c19bafed223") do
+        it { should exist }
+      end
+    EXAMPLE
+
+    attr_reader :opts, :image_info
+
+    def initialize(opts)
+      skip_resource "The `podman_image` resource is not yet available on your OS." unless inspec.os.unix?
+      opts = { image: opts } if opts.is_a?(String)
+      @opts = sanitize_options(opts)
+      raise Inspec::Exceptions::ResourceFailed, "Podman is not running. Please make sure it is installed and running." unless podman_running?
+
+      @image_info = get_image_info
+    end
+
+    LABELS = {
+      "id" => "ID",
+      "repo_tags" => "RepoTags",
+      "size" => "Size",
+      "digest" => "Digest",
+      "created_at" => "Created",
+      "version" => "Version",
+      "names_history" => "NamesHistory",
+      "repo_digests" => "RepoDigests",
+      "architecture" => "Architecture",
+      "os" => "Os",
+      "virtual_size" => "VirtualSize",
+    }.freeze
+
+    ## This creates all the required properties methods dynamically.
+    LABELS.each do |k, v|
+      define_method(k) do
+        image_info[k.to_s]
+      end
+    end
+
+    def exist?
+      ! image_info.empty?
+    end
+
+    def resource_id
+      opts[:id] || opts[:image] || ""
+    end
+
+    def to_s
+      "podman_image #{resource_id}"
+    end
+
+    private
+
+    def sanitize_options(opts)
+      opts.merge!(parse_components_from_image(opts[:image]))
+
+      # assume a "latest" tag if we don't have one
+      opts[:tag] ||= "latest"
+
+      # Assemble/reassemble the image from the repo and tag
+      opts[:image] = "#{opts[:repo]}:#{opts[:tag]}" unless opts[:repo].nil?
+
+      opts
+    end
+
+    def get_image_info
+      current_image = opts[:id] || opts[:image] || opts[:repo] + ":" + opts[:tag]
+      json_key_label = generate_go_template(LABELS)
+      podman_inspect_cmd = inspec.command("podman image inspect #{current_image} --format '{#{json_key_label}}'")
+
+      if podman_inspect_cmd.exit_status == 0
+        parse_command_output(podman_inspect_cmd.stdout)
+      elsif podman_inspect_cmd.stderr =~ /failed to find image/
+        {}
+      else
+        raise Inspec::Exceptions::ResourceFailed, "Unable to retrieve podman image information for #{current_image}.\nError message: #{podman_inspect_cmd.stderr}"
+      end
+    end
+  end
+end

data/lib/inspec/resources/podman_network.rb

@@ -0,0 +1,81 @@
+require "inspec/resources/command"
+require "inspec/utils/podman"
+module Inspec::Resources
+  class PodmanNetwork < Inspec.resource(1)
+    include Inspec::Utils::Podman
+
+    name "podman_network"
+
+    supports platform: "unix"
+
+    desc "InSpec core resource to retrive information about the given Podman network"
+
+    example <<~EXAMPLE
+      describe podman_network("podman") do
+        it { should exist }
+      end
+      describe podman_network("3a7c94d937d5f3a0f1a9b1610589945aedfbe56207fd5d32fc8154aa1a8b007f") do
+        its("driver") { should eq bridge }
+      end
+    EXAMPLE
+
+    LABELS = {
+      id: "ID",
+      name: "Name",
+      driver: "Driver",
+      labels: "Labels",
+      options: "Options",
+      ipam_options: "IPAMOptions",
+      internal: "Internal",
+      created: "Created",
+      ipv6_enabled: "IPv6Enabled",
+      dns_enabled: "DNSEnabled",
+      network_interface: "NetworkInterface",
+      subnets: "Subnets",
+    }.freeze
+
+    attr_reader :param, :network_info
+    def initialize(param)
+      skip_resource "The `podman_network` resource is not yet available on your OS." unless inspec.os.unix?
+
+      @param = param
+      raise Inspec::Exceptions::ResourceFailed, "Podman is not running. Please make sure it is installed and running." unless podman_running?
+
+      @network_info = get_network_info
+    end
+
+    ## This creates all the required properties methods dynamically.
+    LABELS.each do |k, v|
+      define_method(k) do
+        network_info[k.to_s]
+      end
+    end
+
+    def exist?
+      !network_info.empty?
+    end
+
+    def resource_id
+      id || param || ""
+    end
+
+    def to_s
+      "podman_network #{resource_id}"
+    end
+
+    private
+
+    def get_network_info
+      go_template_format = generate_go_template(LABELS)
+      result = inspec.command("podman network inspect #{param} --format '{#{go_template_format}}'")
+
+      if result.exit_status == 0
+        parse_command_output(result.stdout)
+      elsif result.stderr =~ /network not found/
+        {}
+      else
+        raise Inspec::Exceptions::ResourceFailed, "Unable to retrieve podman network information for #{param}.\nError message: #{result.stderr}"
+      end
+    end
+  end
+end