inspec-podman-resources 7.1.2

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 683c07b27de847a7f6aaed11eb700a1f92922cd19d25fec3d96eb123927ea95a
+  data.tar.gz: 076cb1a2d18110451bfe1de149592f124074e1f672c25d74a227e80e21b03518
+SHA512:
+  metadata.gz: 357d4ede45d728759c695a494233931efbb3089628447f45e735c38cc25cb98197485137f286fa7f1df1cd81c2ad2db8834a6a33da5727f72a65b8217e806e79
+  data.tar.gz: 39bf309cb79cf7fbc1d15c8708c31dedba208bd94fcda5cdc62c86c2962a8208b2b1f3ef70709a7cc31c4daa285fede654161de4a6286751f16c58131022c64a

data/Gemfile

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+source "https://rubygems.org"
+gem "inspec", git: "https://github.com/inspec/inspec", branch: "inspec-7"
+gem "inspec-bin", git: "https://github.com/inspec/inspec", branch: "inspec-7"
+
+gemspec
+
+group :test do
+  gem "byebug"
+  gem "chefstyle"
+  gem "minitest"
+  gem "m"
+  gem "mocha"
+  gem "rake"
+  gem "simplecov"
+  gem "simplecov_json_formatter"
+end

data/README.md

@@ -0,0 +1,17 @@
+# inspec-podman-resources
+
+Podman InSpec Resources in a Gem
+
+This repository contains the InSpec Podman resources, formerly contained in InSpec Core. In InSpec 7+, these resources are available in a gem, `inspec-podman-resources`.
+
+## Usage
+
+To use this resource pack, add this dependency to your inspec.yml :
+
+```yaml
+depends:
+ - name: inspec-podman-resources
+    gem: inspec-podman-resources
+```
+
+

data/inspec-podman-resources.gemspec

@@ -0,0 +1,44 @@
+# As plugins are usually packaged and distributed as a RubyGem,
+# we have to provide a .gemspec file, which controls the gembuild
+# and publish process.  This is a fairly generic gemspec.
+
+# It is traditional in a gemspec to dynamically load the current version
+# from a file in the source tree.  The next three lines make that happen.
+lib = File.expand_path("lib", __dir__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require "inspec-podman-resources/version"
+
+Gem::Specification.new do |spec|
+  # Importantly, all InSpec plugins must be prefixed with `inspec-` (most
+  # plugins) or `train-` (plugins which add new connectivity features).
+  spec.name          = "inspec-podman-resources"
+
+  # It is polite to namespace your plugin under InspecPlugins::YourPluginInCamelCase
+  spec.version       = InspecPlugins::PodmanResources::VERSION
+  spec.authors       = ["InSpec Core Maintainers"]
+  spec.email         = ["inspec@progress.com"]
+  spec.summary       = "podman InSpec Resources in a Gem"
+  spec.description   = "Contains InSpec 7.0+ resources fo interacting with Podman Resources."
+  spec.homepage      = "https://github.com/inspec/inspec-podman-resources"
+  spec.license       = "Apache-2.0"
+
+  # Though complicated-looking, this is pretty standard for a gemspec.
+  # It just filters what will actually be packaged in the gem (leaving
+  # out tests, etc)
+  spec.files = %w{
+    README.md inspec-podman-resources.gemspec Gemfile inspec.yml
+  } + Dir.glob(
+    "lib/**/*", File::FNM_DOTMATCH
+  ).reject { |f| File.directory?(f) }
+  spec.require_paths = ["lib"]
+
+  spec.required_ruby_version = ">= 3.1.0"
+
+  # If you rely on any other gems, list them here with any constraints.
+  # This is how `inspec plugin install` is able to manage your dependencies.
+  # For example, perhaps you are writing a thing that talks to AWS, and you
+  # want to ensure you have `aws-sdk` in a certain version.
+
+  # This plugin uses InSpec 7 Resource Pack Plugins
+  spec.add_dependency "inspec-core", ">= 7.0"
+end

data/inspec.yml

@@ -0,0 +1,10 @@
+name: inspec-podman-resources
+title: Resource pack gem for PodmanResources
+maintainer: InSpec Core Maintainers
+copyright: Progress Software Corporation
+copyright_email: inspec@progress.com
+license: ApacheV2
+summary: podman InSpec Resources in a Gem
+version: 7.1.2
+supports:
+  platform: os

data/lib/inspec-podman-resources/plugin.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+# Plugin Definition file
+# The purpose of this file is to declare to InSpec what plugin_types (capabilities)
+# are included in this plugin, and provide activator that will load them as needed.
+
+# It is important that this file load successfully and *quickly*.
+# Your plugin's functionality may never be used on this InSpec run; so we keep things
+# fast and light by only loading heavy things when they are needed.
+
+# Presumably this is light
+require "inspec-podman-resources/version"
+
+# The InspecPlugins namespace is where all plugins should declare themselves.
+# The "Inspec" capitalization is used throughout the InSpec source code; yes, it's
+# strange.
+module InspecPlugins
+  # Pick a reasonable namespace here for your plugin. A reasonable choice
+  # would be the CamelCase version of your plugin gem name.
+  # inspec-test-resources => TestResources
+  module PodmanResources
+    # This simple class handles the plugin definition, so calling it simply Plugin is OK.
+    #   Inspec.plugin returns various Classes, intended to be superclasses for various
+    # plugin components. Here, the one-arg form gives you the Plugin Definition superclass,
+    # which mainly gives you access to the activator / plugin_type DSL.
+    #   The number '2' says you are asking for version 2 of the plugin API. If there are
+    # future versions, InSpec promises plugin API v2 will work for at least two more InSpec
+    # major versions.
+    class Plugin < ::Inspec.plugin(2)
+      # Internal machine name of the plugin. InSpec will use this in errors, etc.
+      plugin_name :"inspec-podman-resources"
+
+      # Define a new Resource Pack.
+      resource_pack :"inspec-podman-resources" do
+        # This file will load the resources implicitly via the superclass
+        require "inspec-podman-resources/resource_pack"
+
+        # Having loaded our functionality, return a class that represents the plugin.
+        # Reserved for future use.
+        InspecPlugins::PodmanResources::ResourcePack
+      end
+    end
+  end
+end

data/lib/inspec-podman-resources/resource_pack.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+require "inspec/resource"
+
+module InspecPlugins::PodmanResources
+  # This class will provide the actual CLI implementation.
+  # Its superclass is provided by another call to Inspec.plugin,
+  # this time with two args.  The first arg specifies we are requesting
+  # version 2 of the Plugins API.  The second says we are making a Resource
+  # Pack plugin component, so please make available any DSL needed
+  # for that.
+  class ResourcePack < Inspec.plugin(2, :resource_pack)
+    # TBD
+    # load_timing :early  <-- isn't that implicit in the rewuire statements
+    # train relationship declarations?  <-- that should be in the gemspec
+  end
+end

data/lib/inspec-podman-resources/resources/podman.rb

@@ -0,0 +1,351 @@
+require "inspec/resources/command"
+require "inspec/utils/filter"
+require "hashie/mash"
+
+class Podman < Inspec.resource(1)
+  # Resource requires an internal name.
+  name "podman"
+
+  # Restrict to only run on the below platforms (if none were given,
+  # all OS's and cloud API's supported)
+  supports platform: "unix"
+
+  desc "A resource to retrieve information about podman"
+
+  example <<~EXAMPLE
+    describe podman.containers do
+      its('images') { should include "docker.io/library/ubuntu:latest" }
+    end
+
+    describe podman.images do
+      its('names') { should_not include "docker.io/library/ubuntu:latest" }
+    end
+
+    describe podman.pods do
+      its("ids") { should include "95cadbb84df71e6374fceb3fd89ee3b8f2c7e1a831062cd9cea7d0e3e4b1dbcc" }
+    end
+
+    describe podman.info.host do
+      its("os") { should eq "linux"}
+    end
+
+    describe podman.version do
+      its("Client.Version") { should eq "4.1.0"}
+    end
+
+    podman.containers.ids.each do |id|
+      # call podman inspect for a specific container id
+      describe podman.object(id) do
+        its("State.OciVersion") { should eq "1.0.2-dev" }
+        its("State.Running") { should eq true}
+      end
+    end
+  EXAMPLE
+
+  def containers
+    PodmanContainerFilter.new(parse_containers)
+  end
+
+  def images
+    PodmanImageFilter.new(parse_images)
+  end
+
+  def networks
+    PodmanNetworkFilter.new(parse_networks)
+  end
+
+  def pods
+    PodmanPodFilter.new(parse_pods)
+  end
+
+  def volumes
+    PodmanVolumeFilter.new(parse_volumes)
+  end
+
+  def version
+    return @version if defined?(@version)
+
+    sub_cmd = "version --format json"
+    output = run_command(sub_cmd)
+    @version = Hashie::Mash.new(JSON.parse(output))
+  rescue JSON::ParserError => _e
+    Hashie::Mash.new({})
+  end
+
+  def info
+    return @info if defined?(@info)
+
+    sub_cmd = "info --format json"
+    output = run_command(sub_cmd)
+    @info = Hashie::Mash.new(JSON.parse(output))
+  rescue JSON::ParserError => _e
+    Hashie::Mash.new({})
+  end
+
+  # returns information about podman objects
+  def object(id)
+    return @inspect if defined?(@inspect)
+
+    output = run_command("inspect #{id} --format json")
+    data = JSON.parse(output)
+    data = data[0] if data.is_a?(Array)
+    @inspect = Hashie::Mash.new(data)
+  rescue JSON::ParserError => _e
+    Hashie::Mash.new({})
+  end
+
+  def to_s
+    "Podman"
+  end
+
+  private
+
+  # Calls the run_command method to get all podman containers and parse the command output.
+  # Returns the parsed command output.
+  def parse_containers
+    labels = %w{ID Image ImageID Command CreatedAt RunningFor Status Pod Ports Size Names Networks Labels Mounts}
+    parse_json_command(labels, "ps -a --no-trunc --size")
+  end
+
+  # Calls the run_command method to get all podman images and parse the command output.
+  # Returns the parsed command output.
+  def parse_images
+    labels = %w{ID Repository Tag Size Digest CreatedAt CreatedSince History}
+    parse_json_command(labels, "images -a --no-trunc")
+  end
+
+  # Calls the run_command method to get all podman network list and parse the command output.
+  # Returns the parsed command output.
+  def parse_networks
+    labels = %w{ID Name Driver Labels Options IPAMOptions Created Internal IPv6Enabled DNSEnabled NetworkInterface Subnets}
+    parse_json_command(labels, "network ls --no-trunc")
+  end
+
+  # Calls the run_command method to get all podman pod list and parse the command output.
+  # Returns the parsed command output.
+  def parse_pods
+    sub_cmd = "pod ps --no-trunc --format json"
+    output = run_command(sub_cmd)
+    parse(output)
+  end
+
+  # Calls the run_command method to get all podman volume list and parse the command output.
+  # Returns the parsed command output.
+  def parse_volumes
+    sub_cmd = "volume ls --format json"
+    output = run_command(sub_cmd)
+    parse(output)
+  end
+
+  # Runs the given podman command on the host machine on which podman is installed
+  # Returns the command output or raises the command execution error.
+  def run_command(subcommand)
+    result = inspec.command("podman #{subcommand}")
+    if result.stderr.empty?
+      result.stdout
+    else
+      raise "Error while running command \'podman #{subcommand}\' : #{result.stderr}"
+    end
+  end
+
+  def parse_json_command(labels, subcommand)
+    # build command
+    format = labels.map { |label| "\"#{label}\": {{json .#{label}}}" }
+    raw = inspec.command("podman #{subcommand} --format '{#{format.join(", ")}}'").stdout
+    output = []
+
+    raw.each_line do |entry|
+      # convert all keys to lower_case to work well with ruby and filter table
+      row = JSON.parse(entry).map do |key, value|
+        [key.downcase, value]
+      end.to_h
+
+      # ensure all keys are there
+      row = ensure_keys(row, labels)
+      output.push(row)
+    end
+
+    output
+  rescue JSON::ParserError => _e
+    warn "Could not parse `podman #{subcommand}` output"
+    []
+  end
+
+  def ensure_keys(entry, labels)
+    labels.each do |key|
+      entry[key.downcase] = nil unless entry.key?(key.downcase)
+    end
+    entry
+  end
+
+  # Method to parse JDON content.
+  # Returns: Parsed data.
+  def parse(content)
+    require "json" unless defined?(JSON)
+    output = JSON.parse(content)
+    parsed_output = []
+    output.each do |entry|
+      entry = entry.map do |k, v|
+        [k.downcase, v]
+      end.to_h
+      parsed_output << entry
+    end
+    parsed_output
+  rescue => e
+    raise Inspec::Exceptions::ResourceFailed, "Unable to parse command JSON output: #{e.message}"
+  end
+end
+
+# class for podman.containers plural resource
+class PodmanContainerFilter
+  filter = FilterTable.create
+  filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
+  filter.register_column(:commands,   field: "command")
+    .register_column(:ids,            field: "id")
+    .register_column(:created_at,     field: "createdat")
+    .register_column(:images,         field: "image")
+    .register_column(:names,          field: "names")
+    .register_column(:status,         field: "status")
+    .register_column(:image_ids,      field: "image_id")
+    .register_column(:labels,         field: "labels", style: :simple)
+    .register_column(:mounts,         field: "mounts")
+    .register_column(:networks,       field: "networks")
+    .register_column(:pods,           field: "pod")
+    .register_column(:ports,          field: "ports")
+    .register_column(:sizes,          field: "size")
+    .register_column(:running_for,    field: "running_for")
+    .register_custom_matcher(:running?) do |x|
+      x.where { status.downcase.start_with?("up") }
+    end
+  filter.install_filter_methods_on_resource(self, :containers)
+
+  attr_reader :containers
+  def initialize(containers)
+    @containers = containers
+  end
+
+  def to_s
+    "Podman Containers"
+  end
+
+  def resource_id
+    "Podman Containers"
+  end
+end
+
+# class for podman.images plural resource
+class PodmanImageFilter
+  filter = FilterTable.create
+  filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
+  filter.register_column(:ids,       field: "id")
+    .register_column(:repositories,  field: "repository")
+    .register_column(:tags,          field: "tag")
+    .register_column(:sizes,         field: "size")
+    .register_column(:digests,       field: "digest")
+    .register_column(:created_at,    field: "createdat")
+    .register_column(:created_since, field: "createdsince")
+    .register_column(:history,       field: "history")
+  filter.install_filter_methods_on_resource(self, :images)
+
+  attr_reader :images
+  def initialize(images)
+    @images = images
+  end
+
+  def to_s
+    "Podman Images"
+  end
+
+  def resource_id
+    "Podman Images"
+  end
+end
+
+class PodmanNetworkFilter
+  filter = FilterTable.create
+  filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
+    .register_column(:ids,                  field: "id")
+    .register_column(:names,                field: "name")
+    .register_column(:drivers,              field: "driver")
+    .register_column(:network_interfaces,   field: "networkinterface")
+    .register_column(:created,              field: "created")
+    .register_column(:subnets,              field: "subnets")
+    .register_column(:ipv6_enabled,         field: "ipv6enabled")
+    .register_column(:internal,             field: "internal")
+    .register_column(:dns_enabled,          field: "dnsenabled")
+    .register_column(:ipam_options,         field: "ipamoptions")
+    .register_column(:options,              field: "options")
+    .register_column(:labels,               field: "labels")
+  filter.install_filter_methods_on_resource(self, :networks)
+
+  attr_reader :networks
+  def initialize(networks)
+    @networks = networks
+  end
+
+  def to_s
+    "Podman Networks"
+  end
+
+  def resource_id
+    "Podman Networks"
+  end
+end
+
+class PodmanPodFilter
+  filter = FilterTable.create
+  filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
+    .register_column(:ids,                  field: "id")
+    .register_column(:cgroups,              field: "cgroup")
+    .register_column(:containers,           field: "containers")
+    .register_column(:created,              field: "created")
+    .register_column(:infraids,             field: "infraid")
+    .register_column(:names,                field: "name")
+    .register_column(:namespaces,           field: "namespace")
+    .register_column(:networks,             field: "networks")
+    .register_column(:status,               field: "status")
+    .register_column(:labels,               field: "labels")
+  filter.install_filter_methods_on_resource(self, :pods)
+
+  attr_reader :pods
+  def initialize(pods)
+    @pods = pods
+  end
+
+  def to_s
+    "Podman Pods"
+  end
+
+  def resource_id
+    "Podman Pods"
+  end
+end
+
+class PodmanVolumeFilter
+  filter = FilterTable.create
+  filter.register_custom_matcher(:exists?) { |x| !x.entries.empty? }
+    .register_column(:names,              field: "name")
+    .register_column(:drivers,            field: "driver")
+    .register_column(:mountpoints,        field: "mountpoint")
+    .register_column(:createdat,          field: "createdat")
+    .register_column(:labels,             field: "labels")
+    .register_column(:scopes,             field: "scope")
+    .register_column(:options,            field: "options")
+    .register_column(:mountcount,         field: "mountcount")
+    .register_column(:needscopyup,        field: "needscopyup")
+    .register_column(:needschown,         field: "needschown")
+  filter.install_filter_methods_on_resource(self, :volumes)
+
+  attr_reader :volumes
+  def initialize(volumes)
+    @volumes = volumes
+  end
+
+  def to_s
+    "Podman Volumes"
+  end
+
+  def resource_id
+    "Podman Volumes"
+  end
+end

data/lib/inspec-podman-resources/resources/podman_container.rb

@@ -0,0 +1,82 @@
+require "inspec-podman-resources/resources/podman"
+require "inspec-podman-resources/resources/podman_object"
+
+class PodmanContainer < Inspec.resource(1)
+  include PodmanObject
+
+  name "podman_container"
+  supports platform: "unix"
+
+  desc "Inspec core resource to retrieve information about podman container"
+
+  example <<~EXAMPLE
+      describe podman_container("sweet_mendeleev") do
+        it { should exist }
+        it { should be_running }
+        its("id") { should eq "591270d8d80d26671fd6ed622f367fbe19004d16e3b519c292313feb5f22e7f7" }
+        its("image") { should eq "docker.io/library/nginx:latest" }
+        its("labels") { should include "maintainer"=>"NGINX Docker Maintainers <docker-maint@nginx.com>" }
+        its("ports") { should eq nil }
+      end
+
+      describe podman_container(id: "591270d8d80d2667") do
+        it { should exist }
+        it { should be_running }
+      end
+  EXAMPLE
+
+  def initialize(opts = {})
+    skip_resource "The `podman_container` resource is not yet available on your OS." unless inspec.os.unix?
+
+    # if a string is provided, we expect it is the name
+    if opts.is_a?(String)
+      @opts = { name: opts }
+    else
+      @opts = opts
+    end
+  end
+
+  def running?
+    status.downcase.start_with?("up") if object_info.entries.length == 1
+  end
+
+  def status
+    object_info.status[0] if object_info.entries.length == 1
+  end
+
+  def labels
+    object_info.labels
+  end
+
+  def ports
+    object_info.ports[0] if object_info.entries.length == 1
+  end
+
+  def command
+    return unless object_info.entries.length == 1
+
+    object_info.commands[0]
+  end
+
+  def image
+    object_info.images[0] if object_info.entries.length == 1
+  end
+
+  def resource_id
+    object_info.ids[0] || @opts[:id] || @opts[:name] || ""
+  end
+
+  def to_s
+    name = @opts[:name] || @opts[:id]
+    "Podman Container #{name}"
+  end
+
+  private
+
+  def object_info
+    return @info if defined?(@info)
+
+    opts = @opts
+    @info = inspec.podman.containers.where { names == opts[:name] || (!id.nil? && !opts[:id].nil? && (id == opts[:id] || id.start_with?(opts[:id]))) }
+  end
+end

data/lib/inspec-podman-resources/resources/podman_image.rb

@@ -0,0 +1,105 @@
+require "inspec/resources/command"
+require "inspec-podman-resources/resources/podman_object"
+require "inspec-podman-resources/resources/utils/podman"
+
+class PodmanImage < Inspec.resource(1)
+  include PodmanObject
+  include Utils::Podman
+  name "podman_image"
+  supports platform: "unix"
+
+  desc "InSpec core resource to retrieve information about podman image"
+
+  example <<~EXAMPLE
+    describe podman_image("docker.io/library/busybox") do
+      it { should exist }
+      its("repo_tags") { should include "docker.io/library/busybox:latest" }
+      its("size") { should eq 1636053 }
+      its("resource_id") { should eq "docker.io/library/busybox:latest" }
+    end
+
+    describe podman_image("docker.io/library/busybox:latest") do
+      it { should exist }
+    end
+
+    describe podman_image(repo: "docker.io/library/busybox", tag: "latest") do
+      it { should exist }
+    end
+
+    describe podman_image(id: "3c19bafed223") do
+      it { should exist }
+    end
+  EXAMPLE
+
+  attr_reader :opts, :image_info
+
+  def initialize(opts)
+    skip_resource "The `podman_image` resource is not yet available on your OS." unless inspec.os.unix?
+    opts = { image: opts } if opts.is_a?(String)
+    @opts = sanitize_options(opts)
+    raise Inspec::Exceptions::ResourceFailed, "Podman is not running. Please make sure it is installed and running." unless podman_running?
+
+    @image_info = get_image_info
+  end
+
+  LABELS = {
+    "id" => "ID",
+    "repo_tags" => "RepoTags",
+    "size" => "Size",
+    "digest" => "Digest",
+    "created_at" => "Created",
+    "version" => "Version",
+    "names_history" => "NamesHistory",
+    "repo_digests" => "RepoDigests",
+    "architecture" => "Architecture",
+    "os" => "Os",
+    "virtual_size" => "VirtualSize",
+  }.freeze
+
+  ## This creates all the required properties methods dynamically.
+  LABELS.each do |k, v|
+    define_method(k) do
+      image_info[k.to_s]
+    end
+  end
+
+  def exist?
+    ! image_info.empty?
+  end
+
+  def resource_id
+    opts[:id] || opts[:image] || ""
+  end
+
+  def to_s
+    "podman_image #{resource_id}"
+  end
+
+  private
+
+  def sanitize_options(opts)
+    opts.merge!(parse_components_from_image(opts[:image]))
+
+    # assume a "latest" tag if we don't have one
+    opts[:tag] ||= "latest"
+
+    # Assemble/reassemble the image from the repo and tag
+    opts[:image] = "#{opts[:repo]}:#{opts[:tag]}" unless opts[:repo].nil?
+
+    opts
+  end
+
+  def get_image_info
+    current_image = opts[:id] || opts[:image] || opts[:repo] + ":" + opts[:tag]
+    json_key_label = generate_go_template(LABELS)
+    podman_inspect_cmd = inspec.command("podman image inspect #{current_image} --format '{#{json_key_label}}'")
+
+    if podman_inspect_cmd.exit_status == 0
+      parse_command_output(podman_inspect_cmd.stdout)
+    elsif podman_inspect_cmd.stderr =~ /failed to find image/
+      {}
+    else
+      raise Inspec::Exceptions::ResourceFailed, "Unable to retrieve podman image information for #{current_image}.\nError message: #{podman_inspect_cmd.stderr}"
+    end
+  end
+end

data/lib/inspec-podman-resources/resources/podman_network.rb

@@ -0,0 +1,80 @@
+require "inspec/resources/command"
+require "inspec-podman-resources/resources/utils/podman"
+
+class PodmanNetwork < Inspec.resource(1)
+  include Utils::Podman
+
+  name "podman_network"
+
+  supports platform: "unix"
+
+  desc "InSpec core resource to retrive information about the given Podman network"
+
+  example <<~EXAMPLE
+    describe podman_network("podman") do
+      it { should exist }
+    end
+    describe podman_network("3a7c94d937d5f3a0f1a9b1610589945aedfbe56207fd5d32fc8154aa1a8b007f") do
+      its("driver") { should eq bridge }
+    end
+  EXAMPLE
+
+  LABELS = {
+    id: "ID",
+    name: "Name",
+    driver: "Driver",
+    labels: "Labels",
+    options: "Options",
+    ipam_options: "IPAMOptions",
+    internal: "Internal",
+    created: "Created",
+    ipv6_enabled: "IPv6Enabled",
+    dns_enabled: "DNSEnabled",
+    network_interface: "NetworkInterface",
+    subnets: "Subnets",
+  }.freeze
+
+  attr_reader :param, :network_info
+  def initialize(param)
+    skip_resource "The `podman_network` resource is not yet available on your OS." unless inspec.os.unix?
+
+    @param = param
+    raise Inspec::Exceptions::ResourceFailed, "Podman is not running. Please make sure it is installed and running." unless podman_running?
+
+    @network_info = get_network_info
+  end
+
+  ## This creates all the required properties methods dynamically.
+  LABELS.each do |k, v|
+    define_method(k) do
+      network_info[k.to_s]
+    end
+  end
+
+  def exist?
+    !network_info.empty?
+  end
+
+  def resource_id
+    id || param || ""
+  end
+
+  def to_s
+    "podman_network #{resource_id}"
+  end
+
+  private
+
+  def get_network_info
+    go_template_format = generate_go_template(LABELS)
+    result = inspec.command("podman network inspect #{param} --format '{#{go_template_format}}'")
+
+    if result.exit_status == 0
+      parse_command_output(result.stdout)
+    elsif result.stderr =~ /network not found/
+      {}
+    else
+      raise Inspec::Exceptions::ResourceFailed, "Unable to retrieve podman network information for #{param}.\nError message: #{result.stderr}"
+    end
+  end
+end

data/lib/inspec-podman-resources/resources/podman_object.rb

@@ -0,0 +1,49 @@
+
+module PodmanObject
+  def exist?
+    object_info.exists?
+  end
+
+  def id
+    object_info.ids[0] if object_info.entries.size == 1
+  end
+
+  private
+
+  def parse_components_from_image(image_string)
+    # if the user did not supply an image string, they likely supplied individual
+    # option parameters, such as repo and tag. Return empty data back to the caller.
+    return {} if image_string.nil?
+
+    first_colon = image_string.index(":") || -1
+    first_slash = image_string.index("/") || -1
+
+    if image_string.count(":") == 2
+      # If there are two colons in the image string, it contains a repo-with-port and a tag.
+      # example: localhost:5000/chef/inspec:1.46.3
+      partitioned_string = image_string.rpartition(":")
+      repo = partitioned_string.first
+      tag = partitioned_string.last
+      image_name = repo.split("/")[1..-1].join
+    elsif image_string.count(":") == 1 && first_colon < first_slash
+      # If there's one colon in the image string, and it comes before a forward-slash,
+      # it contains a repo-with-port but no tag.
+      # example: localhost:5000/ubuntu
+      repo = image_string
+      tag = nil
+      image_name = repo.split("/")[1..-1].join
+    else
+      # If there's one colon in the image string and it doesn't preceed a slash, or if
+      # there is no colon at all, then it separates the repo from the tag, if there is a tag.
+      # example: chef/inspec:1.46.3
+      # example: chef/inspec
+      # example: ubuntu:14.04
+      repo, tag = image_string.split(":")
+      image_name = repo
+    end
+
+    # return the repo, image_name and tag parsed from the string, which can be merged into
+    # the rest of the user-supplied options
+    { repo: repo, image_name: image_name, tag: tag }
+  end
+end

data/lib/inspec-podman-resources/resources/podman_pod.rb

@@ -0,0 +1,98 @@
+require "inspec/resources/command"
+require "inspec-podman-resources/resources/utils/podman"
+
+class PodmanPod < Inspec.resource(1)
+  include Utils::Podman
+
+  name "podman_pod"
+  supports platform: "unix"
+
+  desc "InSpec core resource to retrieve information about podman pod"
+
+  example <<~EXAMPLE
+    describe podman_pod("nginx-frontend") do
+      it { should exist }
+      its("id") { should eq "fcfe4d471cfface0d1b39bce23af7d31ab8736cd68c0360ade0b4afe364f79d4" }
+      its("name") { should eq "nginx-frontend" }
+      its("created_at") { should eq "2022-07-14T15:47:47.978078124+05:30" }
+      its("create_command") { should include "new:nginx-frontend" }
+      its("state") { should eq "Running" }
+      its("hostname") { should eq "" }
+      its("create_cgroup") { should eq true }
+      its("cgroup_parent") { should eq "user.slice" }
+      its("cgroup_path") { should eq "user.slice/user-libpod_pod_fcfe4d471cfface0d1b39bce23af7d31ab8736cd68c0360ade0b4afe364f79d4.slice" }
+      its("create_infra") { should eq true }
+      its("infra_container_id") { should eq "727538044b32a165934729dc2d47d9d5e981b6496aebfad7de470f7e76ea4251" }
+      its("infra_config") { should include "DNSOption" }
+      its("shared_namespaces") { should include "ipc" }
+      its("num_containers") { should eq 2 }
+      its("containers") { should_not be nil }
+    end
+
+    describe podman_pod("non-existing-pod") do
+      it { should_not exist }
+    end
+  EXAMPLE
+
+  attr_reader :pod_info, :pod_id
+
+  def initialize(pod_id)
+    skip_resource "The `podman_pod` resource is not yet available on your OS." unless inspec.os.unix?
+    raise Inspec::Exceptions::ResourceFailed, "Podman is not running. Please make sure it is installed and running." unless podman_running?
+
+    @pod_id = pod_id
+    @pod_info = get_pod_info
+  end
+
+  LABELS = {
+    "id" => "ID",
+    "name" => "Name",
+    "created_at" => "Created",
+    "create_command" => "CreateCommand",
+    "state" => "State",
+    "hostname" => "Hostname",
+    "create_cgroup" => "CreateCgroup",
+    "cgroup_parent" => "CgroupParent",
+    "cgroup_path" => "CgroupPath",
+    "create_infra" => "CreateInfra",
+    "infra_container_id" => "InfraContainerID",
+    "infra_config" => "InfraConfig",
+    "shared_namespaces" => "SharedNamespaces",
+    "num_containers" => "NumContainers",
+    "containers" => "Containers",
+  }.freeze
+
+  # This creates all the required properties methods dynamically.
+  LABELS.each do |k, _|
+    define_method(k) do
+      pod_info[k.to_s]
+    end
+  end
+
+  def exist?
+    !pod_info.empty?
+  end
+
+  def resource_id
+    pod_id
+  end
+
+  def to_s
+    "Podman Pod #{resource_id}"
+  end
+
+  private
+
+  def get_pod_info
+    json_key_label = generate_go_template(LABELS)
+    inspect_pod_cmd = inspec.command("podman pod inspect #{pod_id} --format '{#{json_key_label}}'")
+
+    if inspect_pod_cmd.exit_status == 0
+      parse_command_output(inspect_pod_cmd.stdout)
+    elsif inspect_pod_cmd.stderr =~ /no pod with name or ID/
+      {}
+    else
+      raise Inspec::Exceptions::ResourceFailed, "Unable to retrieve podman pod information for #{pod_id}.\nError message: #{inspect_pod_cmd.stderr}"
+    end
+  end
+end

data/lib/inspec-podman-resources/resources/podman_volume.rb

@@ -0,0 +1,85 @@
+require "inspec/resources/command"
+require "inspec-podman-resources/resources/utils/podman"
+
+class PodmanVolume < Inspec.resource(1)
+  include Utils::Podman
+
+  name "podman_volume"
+  supports platform: "unix"
+
+  desc "InSpec core resource to retrieve information about podman volume"
+
+  example <<~EXAMPLE
+    describe podman_volume("my_volume") do
+      it { should exist }
+      its("name") { should eq "my_volume" }
+      its("driver") { should eq "local" }
+      its("mountpoint") { should eq "/var/home/core/.local/share/containers/storage/volumes/my_volume/_data" }
+      its("created_at") { should eq "2022-07-14T13:21:19.965421792+05:30" }
+      its("labels") { should eq({}) }
+      its("scope") { should eq "local" }
+      its("options") { should eq({}) }
+      its("mount_count") { should eq 0 }
+      its("needs_copy_up") { should eq true }
+      its("needs_chown") { should eq true }
+    end
+  EXAMPLE
+
+  attr_reader :volume_info, :volume_name
+
+  def initialize(volume_name)
+    skip_resource "The `podman_volume` resource is not yet available on your OS." unless inspec.os.unix?
+    raise Inspec::Exceptions::ResourceFailed, "Podman is not running. Please make sure it is installed and running." unless podman_running?
+
+    @volume_name = volume_name
+    @volume_info = get_volume_info
+  end
+
+  LABELS = {
+    "name" => "Name",
+    "driver" => "Driver",
+    "mountpoint" => "Mountpoint",
+    "created_at" => "CreatedAt",
+    "labels" => "Labels",
+    "scope" => "Scope",
+    "options" => "Options",
+    "mount_count" => "MountCount",
+    "needs_copy_up" => "NeedsCopyUp",
+    "needs_chown" => "NeedsChown",
+  }.freeze
+
+  # This creates all the required properties methods dynamically.
+  LABELS.each do |k, _|
+    define_method(k) do
+      volume_info[k.to_s]
+    end
+  end
+
+  def exist?
+    !volume_info.empty?
+  end
+
+  def resource_id
+    volume_name
+  end
+
+  def to_s
+    "podman_volume #{resource_id}"
+  end
+
+  private
+
+  def get_volume_info
+    json_key_label = generate_go_template(LABELS)
+
+    inspect_volume_cmd = inspec.command("podman volume inspect #{volume_name} --format '{#{json_key_label}}'")
+
+    if inspect_volume_cmd.exit_status == 0
+      parse_command_output(inspect_volume_cmd.stdout)
+    elsif inspect_volume_cmd.stderr =~ /inspecting object: no such/
+      {}
+    else
+      raise Inspec::Exceptions::ResourceFailed, "Unable to retrieve podman volume information for #{volume_name}.\nError message: #{inspect_volume_cmd.stderr}"
+    end
+  end
+end

data/lib/inspec-podman-resources/resources/utils/podman.rb

@@ -0,0 +1,24 @@
+
+
+require "inspec/resources/command"
+
+module Utils
+  module Podman
+    def podman_running?
+      inspec.command("podman version").exit_status == 0
+    end
+
+    # Generates the template in this format using labels hash: "\"id\": {{json .ID}}, \"name\": {{json .Name}}",
+    def generate_go_template(labels)
+      (labels.map { |k, v| "\"#{k}\": {{json .#{v}}}" }).join(", ")
+    end
+
+    def parse_command_output(output)
+      require "json" unless defined?(JSON)
+      JSON.parse(output)
+    rescue JSON::ParserError => _e
+      warn "Could not parse the command output"
+      {}
+    end
+  end
+end

data/lib/inspec-podman-resources/version.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+# This file simply makes it easier for CI engines to update
+# the version stamp, and provide a clean way for the gemspec
+# to learn the current version.
+module InspecPlugins
+  module PodmanResources
+    VERSION = "7.1.2"
+  end
+end

data/lib/inspec-podman-resources.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+# This file is known as the "entry point."
+# This is the file InSpec will try to load if it
+# thinks your plugin is installed.
+
+# The *only* thing this file should do is setup the
+# load path, then load the plugin definition file.
+
+# Next two lines simply add the path of the gem to the load path.
+# This is not needed when being loaded as a gem; but when doing
+# plugin development, you may need it.  Either way, it's harmless.
+libdir = File.dirname(__FILE__)
+$LOAD_PATH.unshift(libdir) unless $LOAD_PATH.include?(libdir)
+
+require "inspec-podman-resources/plugin"

metadata

@@ -0,0 +1,73 @@
+--- !ruby/object:Gem::Specification
+name: inspec-podman-resources
+version: !ruby/object:Gem::Version
+  version: 7.1.2
+platform: ruby
+authors:
+- InSpec Core Maintainers
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2025-10-10 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: inspec-core
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '7.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '7.0'
+description: Contains InSpec 7.0+ resources fo interacting with Podman Resources.
+email:
+- inspec@progress.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- Gemfile
+- README.md
+- inspec-podman-resources.gemspec
+- inspec.yml
+- lib/inspec-podman-resources.rb
+- lib/inspec-podman-resources/plugin.rb
+- lib/inspec-podman-resources/resource_pack.rb
+- lib/inspec-podman-resources/resources/podman.rb
+- lib/inspec-podman-resources/resources/podman_container.rb
+- lib/inspec-podman-resources/resources/podman_image.rb
+- lib/inspec-podman-resources/resources/podman_network.rb
+- lib/inspec-podman-resources/resources/podman_object.rb
+- lib/inspec-podman-resources/resources/podman_pod.rb
+- lib/inspec-podman-resources/resources/podman_volume.rb
+- lib/inspec-podman-resources/resources/utils/podman.rb
+- lib/inspec-podman-resources/version.rb
+homepage: https://github.com/inspec/inspec-podman-resources
+licenses:
+- Apache-2.0
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 3.1.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.3.27
+signing_key: 
+specification_version: 4
+summary: podman InSpec Resources in a Gem
+test_files: []