From 0126ba9a0bb91b6532d5f43b45e7c47546792ddf Mon Sep 17 00:00:00 2001
From: mrjoelkamp
Date: Tue, 30 Apr 2024 13:13:30 -0500
Subject: [PATCH] revert: rego evaluator result

---
 internal/test/test.go | 24 +++++------------------
 pkg/attest/verify.go | 5 +----
 pkg/attest/verify_test.go | 5 ++---
 pkg/policy/evaluator.go | 3 +--
 pkg/policy/policy_test.go | 5 ++---
 pkg/policy/rego.go | 23 +++++++++++++++--------
 6 files changed, 26 insertions(+), 39 deletions(-)

diff --git a/internal/test/test.go b/internal/test/test.go
index 220d18b..10baf71 100644
--- a/internal/test/test.go
+++ b/internal/test/test.go
@@ -18,7 +18,6 @@ import (
 "github.com/google/go-containerregistry/pkg/v1/layout"
 "github.com/google/go-containerregistry/pkg/v1/partial"
 intoto "github.com/in-toto/in-toto-golang/in_toto"
- "github.com/open-policy-agent/opa/rego"
 "github.com/secure-systems-lab/go-securesystemslib/dsse"
 )
@@ -88,33 +87,20 @@ func GetMockSigner(ctx context.Context) (dsse.SignerVerifier, error) {
 }
 type MockPolicyEvaluator struct {
- EvaluateFunc func(ctx context.Context, resolver oci.AttestationResolver, policy []*policy.PolicyFile, input *policy.PolicyInput) (*rego.ResultSet, error)
+ EvaluateFunc func(ctx context.Context, resolver oci.AttestationResolver, policy []*policy.PolicyFile, input *policy.PolicyInput) error
 }
-func (pe *MockPolicyEvaluator) Evaluate(ctx context.Context, resolver oci.AttestationResolver, policy []*policy.PolicyFile, input *policy.PolicyInput) (*rego.ResultSet, error) {
+func (pe *MockPolicyEvaluator) Evaluate(ctx context.Context, resolver oci.AttestationResolver, policy []*policy.PolicyFile, input *policy.PolicyInput) error {
 if pe.EvaluateFunc != nil {
 return pe.EvaluateFunc(ctx, resolver, policy, input)
 }
- return AllowedResult(), nil
+ return nil
 }
 func GetMockPolicy() policy.PolicyEvaluator {
 return &MockPolicyEvaluator{
- EvaluateFunc: func(ctx context.Context, resolver oci.AttestationResolver, pfs []*policy.PolicyFile, input *policy.PolicyInput) (*rego.ResultSet, error) {
- return AllowedResult(), nil
- },
- }
-}
-
-func AllowedResult() *rego.ResultSet {
- return ®o.ResultSet{
- {
- Bindings: rego.Vars{},
- Expressions: []*rego.ExpressionValue{
- {
- Value: true,
- },
- },
+ EvaluateFunc: func(ctx context.Context, resolver oci.AttestationResolver, policy []*policy.PolicyFile, input *policy.PolicyInput) error {
+ return nil
 },
 }
 }
diff --git a/pkg/attest/verify.go b/pkg/attest/verify.go
index 0a963d1..52f05c6 100644
--- a/pkg/attest/verify.go
+++ b/pkg/attest/verify.go
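Review bot: The closure assigned in `GetMockPolicy` only returns nil, which is exactly what the `Evaluate` method above already does when `EvaluateFunc` is nil, so the constructor can shrink to `return &MockPolicyEvaluator{}` and keep the default behaviour defined once. Whichever form is kept, the type deserves a one-line doc comment making the permissive default explicit, `// MockPolicyEvaluator allows every input unless EvaluateFunc is set.`, because a test that forgets to set EvaluateFunc will silently pass through the allow path. GetMockSigner's closing brace is the hunk's first line; that function starts before the hunk.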
@@ -31,13 +31,10 @@ func VerifyAttestations(ctx context.Context, resolver oci.AttestationResolver, f
 if err != nil {
 return err
 }
- rs, err := evaluator.Evaluate(ctx, resolver, files, input)
+ err = evaluator.Evaluate(ctx, resolver, files, input)
 if err != nil {
 return fmt.Errorf("policy evaluation failed: %w", err)
 }
- if !rs.Allowed() {
- return fmt.Errorf("policy evaluation failed: %s", fmt.Sprint(rs))
- }
 return nil
 }
diff --git a/pkg/attest/verify_test.go b/pkg/attest/verify_test.go
index 19e55ee..5751da0 100644
--- a/pkg/attest/verify_test.go
+++ b/pkg/attest/verify_test.go
@@ -12,7 +12,6 @@ import (
 "github.com/docker/attest/pkg/attestation"
 "github.com/docker/attest/pkg/oci"
 "github.com/docker/attest/pkg/policy"
- "github.com/open-policy-agent/opa/rego"
 "github.com/stretchr/testify/assert"
 )
@@ -44,8 +43,8 @@ func TestVerifyAttestations(t *testing.T) {
 t.Run(tc.name, func(t *testing.T) {
 mockPE := test.MockPolicyEvaluator{
- EvaluateFunc: func(ctx context.Context, resolver oci.AttestationResolver, pfs []*policy.PolicyFile, input *policy.PolicyInput) (*rego.ResultSet, error) {
- return test.AllowedResult(), tc.policyEvaluationError
+ EvaluateFunc: func(ctx context.Context, resolver oci.AttestationResolver, pfs []*policy.PolicyFile, input *policy.PolicyInput) error {
+ return tc.policyEvaluationError
 },
 }
diff --git a/pkg/policy/evaluator.go b/pkg/policy/evaluator.go
index d512e56..35a34cb 100644
--- a/pkg/policy/evaluator.go
+++ b/pkg/policy/evaluator.go
@@ -5,7 +5,6 @@ import (
 "fmt"
 "github.com/docker/attest/pkg/oci"
- "github.com/open-policy-agent/opa/rego"
 )
 type policyEvaluatorCtxKeyType struct{}
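Review bot: Wrapping with `policy evaluation failed: %w` on the new `err = evaluator.Evaluate(...)` line repeats the text of the error that pkg/policy/rego.go returns for a denied result later in this same patch, so a denial now reads `policy evaluation failed: policy evaluation failed`. Say what this layer was doing instead, `return fmt.Errorf("verifying attestations against policy: %w", err)`, and let the evaluator's message carry the reason. With the result set gone, VerifyAttestations also can no longer tell a policy denial from an evaluator fault such as a store or compile error; both fail closed, which is the right default, but callers that log or alert on them differently will need a distinguishable error from the evaluator. VerifyAttestations starts before the hunk.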
@@ -27,5 +26,5 @@ func GetPolicyEvaluator(ctx context.Context) (PolicyEvaluator, error) {
 }
 type PolicyEvaluator interface {
- Evaluate(ctx context.Context, resolver oci.AttestationResolver, policy []*PolicyFile, input *PolicyInput) (*rego.ResultSet, error)
+ Evaluate(ctx context.Context, resolver oci.AttestationResolver, policy []*PolicyFile, input *PolicyInput) error
 }
diff --git a/pkg/policy/policy_test.go b/pkg/policy/policy_test.go
index 3740d36..2665cf7 100644
--- a/pkg/policy/policy_test.go
+++ b/pkg/policy/policy_test.go
@@ -97,12 +97,11 @@ func TestRegoEvaluator_Evaluate(t *testing.T) {
 policyFiles, err := policy.ResolvePolicy(ctx, tc.resolver, tc.policy)
 assert.NoErrorf(t, err, "failed to resolve policy")
- rs, err := re.Evaluate(ctx, tc.resolver, policyFiles, tc.input)
-
+ err = re.Evaluate(ctx, tc.resolver, policyFiles, tc.input)
 if tc.expectSuccess {
 assert.NoErrorf(t, err, "Evaluate failed")
 } else {
- assert.False(t, rs.Allowed(), "Evaluate should have failed")
+ assert.Errorf(t, err, "Evaluate should have failed")
 }
 })
 }
diff --git a/pkg/policy/rego.go b/pkg/policy/rego.go
index 48ca0f3..78f3de3 100644
--- a/pkg/policy/rego.go
+++ b/pkg/policy/rego.go
@@ -29,11 +29,10 @@ type regoEvaluator struct {
 func NewRegoEvaluator(debug bool) PolicyEvaluator {
 return ®oEvaluator{
 debug: debug,
- query: "data.attestations.allow",
 }
 }
-func (re *regoEvaluator) Evaluate(ctx context.Context, resolver oci.AttestationResolver, files []*PolicyFile, input *PolicyInput) (*rego.ResultSet, error) {
+func (re *regoEvaluator) Evaluate(ctx context.Context, resolver oci.AttestationResolver, files []*PolicyFile, input *PolicyInput) error {
 var regoOpts []func(*rego.Rego)
 // Create a new in-memory store
@@ -42,7 +41,7 @@ func (re *regoEvaluator) Evaluate(ctx context.Context, resolver oci.AttestationR
 params.Write = true
 txn, err := store.NewTransaction(ctx, params)
 if err != nil {
- return nil, err
+ return err
 }
 for _, target := range files {
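Review bot: The `PolicyEvaluator` interface now carries the allow/deny verdict in the error value alone, and nothing documents that, so an implementer could reasonably return nil for "evaluated without error" regardless of the verdict and the caller in pkg/attest/verify.go would treat the input as allowed. Add a doc comment on the interface, e.g. `// Evaluate runs the resolved policy files against input and returns nil only when the policy allows it; any other outcome, including an undefined or non-boolean result, must be reported as an error.` That is the contract pkg/policy/rego.go implements in this patch via `rs.Allowed()`, and spelling it out is what keeps a future mock or second evaluator from failing open.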
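Review bot: `assert.Errorf(t, err, "Evaluate should have failed")` in the else branch accepts any error, so a case meant to exercise a policy denial now also passes if the policy fails to compile, the store write fails, or the query is undefined for an unrelated reason, whereas the removed `rs.Allowed()` check only passed on an evaluated verdict. Until the evaluator returns a denial error that can be matched with `errors.Is`, the deny cases should at least pin the message, e.g. `assert.EqualError(t, err, "policy evaluation failed")`, so an evaluation fault cannot masquerade as a denial. The enclosing t.Run closure and TestRegoEvaluator_Evaluate start before the hunk.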
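Review bot: Removing `query: "data.attestations.allow",` from `NewRegoEvaluator` while `rego.Query("data.docker.allow")` is hard-coded further down changes the evaluated query path, which is a behaviour change a commit titled as a revert of the result type does not mention; if the rename is intentional it deserves a sentence in the description, since policies written against `data.attestations.allow` will now evaluate to undefined and be denied. The `query` field of `regoEvaluator`, declared outside the hunk, appears to be left unset and unread after this change; either drop it or keep using it, `query: "data.docker.allow",` here and `rego.Query(re.query)` below, so the path lives in one place. NewRegoEvaluator is wholly inside the hunk, but Evaluate continues past it.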
@@ -50,11 +49,11 @@ func (re *regoEvaluator) Evaluate(ctx context.Context, resolver oci.AttestationR
 if filepath.Ext(target.Path) == ".yaml" {
 yamlData, err := loadYAML(target.Path, target.Content)
 if err != nil {
- return nil, err
+ return err
 }
 err = store.Write(ctx, txn, storage.AddOp, storage.Path{}, yamlData)
 if err != nil {
- return nil, err
+ return err
 }
 } else {
 regoOpts = append(regoOpts, rego.Module(target.Path, string(target.Content)))
@@ -64,7 +63,7 @@ func (re *regoEvaluator) Evaluate(ctx context.Context, resolver oci.AttestationR
 err = store.Commit(ctx, txn)
 if err != nil {
 store.Abort(ctx, txn)
- return nil, err
+ return err
 }
 if re.debug {
@@ -76,7 +75,7 @@ func (re *regoEvaluator) Evaluate(ctx context.Context, resolver oci.AttestationR
 }
 regoOpts = append(regoOpts,
- rego.Query(re.query),
+ rego.Query("data.docker.allow"),
 rego.StrictBuiltinErrors(true),
 rego.Input(input),
 rego.Store(store),
@@ -87,7 +86,15 @@ func (re *regoEvaluator) Evaluate(ctx context.Context, resolver oci.AttestationR
 r := rego.New(regoOpts...)
 rs, err := r.Eval(ctx)
- return &rs, err
+ if err != nil {
+ return fmt.Errorf("error from Eval: %w", err)
+ }
+
+ if !rs.Allowed() {
+ return fmt.Errorf("policy evaluation failed")
+ }
+
+ return nil
 }
 var dynamicObj = types.NewObject(nil, types.NewDynamicProperty(types.S, types.A))
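Review bot: The two `return err` paths after `loadYAML` and `store.Write` leave the write transaction opened by `store.NewTransaction` neither committed nor aborted; only the Commit failure path in the next hunk calls `store.Abort(ctx, txn)`. The store is created per call, so this is most likely hygiene rather than a hang, but it is cheap to be consistent: add `store.Abort(ctx, txn)` on the line before each of these `return err`, or restructure the loop so one abort runs on any early exit. Evaluate starts and ends outside this hunk.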
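Review bot: `fmt.Errorf("policy evaluation failed")` on the `!rs.Allowed()` path drops everything the old `fmt.Sprint(rs)` conveyed, so a user whose query evaluates to undefined — for instance a policy that still defines `data.attestations.allow`, the path this patch stops querying — gets no hint of why, and a fixed-text error gives callers nothing to match on. A package-level sentinel, `var ErrPolicyDenied = errors.New("policy denied")`, returned as `return fmt.Errorf("%w: query %q did not evaluate to true (results: %v)", ErrPolicyDenied, "data.docker.allow", rs)`, keeps the diagnostic and lets callers use errors.Is while still failing closed: as far as I recall `Allowed()` is true only for exactly one boolean-true expression, so undefined or non-boolean results stay denied. `error from Eval: %w` reads better as what this layer was doing, `evaluating policy query: %w`. Evaluate starts before the hunk, and `errors` needs importing if the file does not already.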