Handle errors from Go in Rego. Support for skipping TL (#47)

* Make TL logging/verification optional

* Return errors from go-lang fns

* Update pkg/policy/rego.go

Co-authored-by: Jonny Stoten <jonny@jonnystoten.com>

* Update pkg/attestation/sign.go

Co-authored-by: Joel Kamp <joel.kamp@docker.com>

* Move public key marshelling until later

* Simplify logSignature and pass down opts

---------

Co-authored-by: Jonny Stoten <jonny@jonnystoten.com>
Co-authored-by: Joel Kamp <joel.kamp@docker.com>

test/testdata/local-policy-fail/doi/policy.rego

@@ -12,14 +12,24 @@ keys := [{
 	"signing-format": "dssev1",
 }]
 
+provs(pred) := p if {
+	res := attest.fetch(pred)
+	not res.error
+	p := res.value
+}
+
 atts := union({
-	attestations.attestation("https://slsa.dev/provenance/v0.2"),
-	attestations.attestation("https://spdx.dev/Document"),
+	provs("https://slsa.dev/provenance/v0.2"),
+	provs("https://spdx.dev/Document"),
 })
 
+opts := {"keys": keys}
+
 statements contains s if {
 	some att in atts
-	s := attestations.verify_envelope(att, keys)
+	res := attest.verify(att, opts)
+	not res.error
+	s := res.value
 }
 
 subjects contains subject if {

test/testdata/local-policy-no-tl/doi/policy.rego

@@ -0,0 +1,49 @@
+package attest
+
+import rego.v1
+
+keys := [{
+	"id": "6b241993defaba26558c64f94a94303ce860e7ad9163d801495c91cf57197c75",
+	"key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZmicqYSY38DprGr42jU0V3ND0ROj\nzSRH1+yjsxhh0bi52Hh/DuOhrSq2KJ5a09lW3ybnDjljowbkof0Y1i9Oow==\n-----END PUBLIC KEY-----",
+	"from": "2023-12-15T14:00:00Z",
+	"to": null,
+	# this key is still active
+	"status": "active",
+	"signing-format": "dssev1",
+}]
+
+provs(pred) := p if {
+	res := attest.fetch(pred)
+	not res.error
+	p := res.value
+}
+
+atts := union({
+	provs("https://slsa.dev/provenance/v0.2"),
+	provs("https://spdx.dev/Document"),
+})
+
+opts := {"keys": keys, "skip_tl": true}
+
+statements contains s if {
+	some att in atts
+	res := attest.verify(att, opts)
+	not res.error
+	s := res.value
+}
+
+subjects contains subject if {
+	some statement in statements
+	some subject in statement.subject
+}
+
+result := {
+	"success": true,
+	"violations": set(),
+	"summary": {
+		"subjects": subjects,
+		"slsa_levels": ["SLSA_BUILD_LEVEL_3"],
+		"verifier": "docker-official-images",
+		"policy_uri": "https://docker.com/official/policy/v0.1",
+	},
+}

test/testdata/local-policy-no-tl/mapping.yaml

@@ -0,0 +1,11 @@
+# map repos to policies
+version: v1
+kind: policy-mapping
+policies:
+  - origin:
+      domain: docker.io
+      prefix: library/
+    id: test-images
+    description: Local test images
+    files:
+      - path: doi/policy.rego

test/testdata/local-policy-pass/doi/policy.rego

@@ -12,14 +12,24 @@ keys := [{
 	"signing-format": "dssev1",
 }]
 
+provs(pred) := p if {
+	res := attest.fetch(pred)
+	not res.error
+	p := res.value
+}
+
 atts := union({
-	attestations.attestation("https://slsa.dev/provenance/v0.2"),
-	attestations.attestation("https://spdx.dev/Document"),
+	provs("https://slsa.dev/provenance/v0.2"),
+	provs("https://spdx.dev/Document"),
 })
 
+opts := {"keys": keys}
+
 statements contains s if {
 	some att in atts
-	s := attestations.verify_envelope(att, keys)
+	res := attest.verify(att, opts)
+	not res.error
+	s := res.value
 }
 
 subjects contains subject if {