feat: add policy, oci, attestation

pkg/attestation/sign.go

@@ -0,0 +1,62 @@
+package attestation
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/docker/attest/internal/util"
+	"github.com/docker/attest/pkg/tlog"
+	"github.com/secure-systems-lab/go-securesystemslib/dsse"
+)
+
+// SignDSSE signs a payload with a given signer and uploads the signature to the transparency log
+func SignDSSE(ctx context.Context, payload []byte, payloadType string, signer dsse.SignerVerifier) (*Envelope, error) {
+	t := tlog.GetTL(ctx)
+
+	env := new(Envelope)
+	env.Payload = base64Encoding.EncodeToString(payload)
+	env.PayloadType = payloadType
+	encPayload := dsse.PAE(payloadType, payload)
+
+	// statement message digest
+	hash := util.S256(encPayload)
+
+	// sign message digest
+	sig, err := signer.Sign(ctx, hash)
+	if err != nil {
+		return nil, fmt.Errorf("error signing attestation: %w", err)
+	}
+
+	// get Key ID from signer
+	keyId, err := signer.KeyID()
+	if err != nil {
+		return nil, fmt.Errorf("error getting public key ID: %w", err)
+	}
+
+	// upload to TL
+	entry, err := t.UploadLogEntry(ctx, keyId, encPayload, sig, signer)
+	if err != nil {
+		return nil, fmt.Errorf("error uploading TL entry: %w", err)
+	}
+	entryObj, err := t.UnmarshalEntry(entry)
+	if err != nil {
+		return nil, fmt.Errorf("error unmarshaling tl entry: %w", err)
+	}
+
+	// add signature w/ tl extension to dsse envelope
+	env.Signatures = append(env.Signatures, Signature{
+		KeyID: keyId,
+		Sig:   base64Encoding.EncodeToString(sig),
+		Extension: Extension{
+			Kind: DockerDsseExtKind,
+			Ext: DockerDsseExtension{
+				Tl: DockerTlExtension{
+					Kind: RekorTlExtKind,
+					Data: entryObj, // transparency log entry metadata
+				},
+			},
+		},
+	})
+
+	return env, nil
+}

pkg/attestation/sign_test.go

@@ -0,0 +1,147 @@
+package attestation_test
+
+import (
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"encoding/json"
+	"fmt"
+	"testing"
+	"time"
+
+	"github.com/docker/attest/internal/test"
+	"github.com/docker/attest/pkg/attestation"
+	"github.com/docker/attest/pkg/signerverifier"
+	intoto "github.com/in-toto/in-toto-golang/in_toto"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestSignVerifyAttestation(t *testing.T) {
+	ctx, signer := test.Setup(t)
+	stmt := &intoto.Statement{
+		StatementHeader: intoto.StatementHeader{
+			Type:          intoto.StatementInTotoV01,
+			PredicateType: intoto.PredicateSPDX,
+		},
+		Predicate: "test",
+	}
+
+	payload, err := json.Marshal(stmt)
+	assert.NoError(t, err)
+
+	env, err := attestation.SignDSSE(ctx, payload, intoto.PayloadType, signer)
+	assert.NoError(t, err)
+
+	// marshal envelope to json to test for bugs when marshaling envelope data
+	serializedEnv, err := json.Marshal(env)
+	assert.NoError(t, err)
+	deserializedEnv := new(attestation.Envelope)
+	err = json.Unmarshal(serializedEnv, deserializedEnv)
+	assert.NoError(t, err)
+
+	// signer.Public() calls AWS API when using AWS signer, use attestation.GetPublicVerificationKey() to get key from TUF repo
+	// signer.Public() used here for test purposes
+	ecPub, ok := signer.Public().(*ecdsa.PublicKey)
+	assert.True(t, ok)
+	pem, err := signerverifier.ToPEM(ecPub)
+	assert.NoError(t, err)
+	keyId, err := signerverifier.KeyID(ecPub)
+	assert.NoError(t, err)
+
+	badKeyPriv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	assert.NoError(t, err)
+	badKey := &badKeyPriv.PublicKey
+	badPEM, err := signerverifier.ToPEM(badKey)
+	assert.NoError(t, err)
+
+	testCases := []struct {
+		name          string
+		keyId         string
+		pem           []byte
+		distrust      bool
+		from          time.Time
+		to            *time.Time
+		status        string
+		expectedError string
+	}{
+		{
+			name:          "all OK",
+			keyId:         keyId,
+			pem:           pem,
+			distrust:      false,
+			from:          time.Time{},
+			to:            nil,
+			status:        "active",
+			expectedError: "",
+		},
+		{
+			name:          "key not found",
+			keyId:         "someotherkey",
+			pem:           pem,
+			distrust:      false,
+			from:          time.Time{},
+			to:            nil,
+			status:        "active",
+			expectedError: fmt.Sprintf("key not found: %s", keyId),
+		},
+		{
+			name:          "key distrusted",
+			keyId:         keyId,
+			pem:           pem,
+			distrust:      true,
+			from:          time.Time{},
+			to:            nil,
+			status:        "active",
+			expectedError: "distrusted",
+		},
+		{
+			name:          "key not yet valid",
+			keyId:         keyId,
+			pem:           pem,
+			distrust:      false,
+			from:          time.Now().Add(time.Hour),
+			to:            nil,
+			status:        "active",
+			expectedError: "not yet valid",
+		},
+		{
+			name:          "key already revoked",
+			keyId:         keyId,
+			pem:           pem,
+			distrust:      false,
+			from:          time.Time{},
+			to:            new(time.Time),
+			status:        "revoked",
+			expectedError: "already revoked",
+		},
+		{
+			name:          "bad key",
+			keyId:         keyId,
+			pem:           badPEM,
+			distrust:      false,
+			from:          time.Time{},
+			to:            nil,
+			status:        "active",
+			expectedError: "signature is not valid",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			keyMeta := attestation.KeyMetadata{
+				ID:       tc.keyId,
+				PEM:      string(tc.pem),
+				Distrust: tc.distrust,
+				From:     tc.from,
+				To:       tc.to,
+				Status:   tc.status,
+			}
+			_, err = attestation.VerifyDSSE(ctx, deserializedEnv, attestation.KeysMap{tc.keyId: keyMeta})
+			if tc.expectedError != "" {
+				assert.Contains(t, err.Error(), tc.expectedError)
+			} else {
+				assert.NoError(t, err)
+			}
+		})
+	}
+}

pkg/attestation/types.go

@@ -0,0 +1,35 @@
+package attestation
+
+import "encoding/base64"
+
+const (
+	DockerDsseExtKind = "application/vnd.docker.attestation-verification.v1+json"
+	RekorTlExtKind    = "Rekor"
+)
+
+var base64Encoding = base64.StdEncoding.Strict()
+
+// the following types are needed until https://github.com/secure-systems-lab/dsse/pull/61 is merged
+type Envelope struct {
+	PayloadType string      `json:"payloadType"`
+	Payload     string      `json:"payload"`
+	Signatures  []Signature `json:"signatures"`
+}
+type Signature struct {
+	KeyID     string    `json:"keyid"`
+	Sig       string    `json:"sig"`
+	Extension Extension `json:"extension"`
+}
+type Extension struct {
+	Kind string              `json:"kind"`
+	Ext  DockerDsseExtension `json:"ext"`
+}
+
+type DockerDsseExtension struct {
+	Tl DockerTlExtension `json:"tl"`
+}
+
+type DockerTlExtension struct {
+	Kind string `json:"kind"`
+	Data any    `json:"data"`
+}

pkg/attestation/verify.go

@@ -0,0 +1,134 @@
+package attestation
+
+import (
+	"context"
+	"crypto/ecdsa"
+	"crypto/x509"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"time"
+
+	"github.com/docker/attest/internal/util"
+	"github.com/docker/attest/pkg/signerverifier"
+	"github.com/docker/attest/pkg/tlog"
+	intoto "github.com/in-toto/in-toto-golang/in_toto"
+	ociv1 "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/secure-systems-lab/go-securesystemslib/dsse"
+)
+
+type KeyMetadata struct {
+	ID            string     `json:"id"`
+	PEM           string     `json:"key"`
+	From          time.Time  `json:"from"`
+	To            *time.Time `json:"to"`
+	Status        string     `json:"status"`
+	SigningFormat string     `json:"signing-format"`
+	Distrust      bool       `json:"distrust,omitempty"`
+}
+
+type Keys []KeyMetadata
+type KeysMap map[string]KeyMetadata
+
+func VerifyDSSE(ctx context.Context, env *Envelope, keys KeysMap) ([]byte, error) {
+	// enforce payload type
+	if !ValidPayloadType(env.PayloadType) {
+		return nil, fmt.Errorf("unsupported payload type %s", env.PayloadType)
+	}
+
+	if len(env.Signatures) == 0 {
+		return nil, fmt.Errorf("no signatures found")
+	}
+
+	payload, err := base64Encoding.DecodeString(env.Payload)
+	if err != nil {
+		return nil, fmt.Errorf("error failed to decode payload: %w", err)
+	}
+
+	encPayload := dsse.PAE(env.PayloadType, payload)
+
+	// verify signatures and transparency log entry
+	for _, sig := range env.Signatures {
+		err := verifySignature(ctx, sig, encPayload, keys)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return payload, nil
+}
+
+func verifySignature(ctx context.Context, sig Signature, payload []byte, keys KeysMap) error {
+	t := tlog.GetTL(ctx)
+
+	if sig.Extension.Kind == "" {
+		return fmt.Errorf("error missing signature extension kind")
+	}
+	if sig.Extension.Kind != DockerDsseExtKind {
+		return fmt.Errorf("error unsupported signature extension kind: %s", sig.Extension.Kind)
+	}
+
+	// verify TL entry
+	if sig.Extension.Ext.Tl.Kind != RekorTlExtKind {
+		return fmt.Errorf("error unsupported TL extension kind: %s", sig.Extension.Ext.Tl.Kind)
+	}
+	entry := sig.Extension.Ext.Tl.Data
+	entryBytes, err := json.Marshal(entry)
+	if err != nil {
+		return fmt.Errorf("failed to marshal TL entry: %w", err)
+	}
+
+	integratedTime, err := t.VerifyLogEntry(ctx, entryBytes)
+	if err != nil {
+		return fmt.Errorf("TL entry failed verification: %w", err)
+	}
+
+	keyMeta, ok := keys[sig.KeyID]
+	if !ok {
+		return fmt.Errorf("error key not found: %s", sig.KeyID)
+	}
+
+	if keyMeta.Distrust {
+		return fmt.Errorf("key %s is distrusted", keyMeta.ID)
+	}
+
+	if integratedTime.Before(keyMeta.From) {
+		return fmt.Errorf("key %s was not yet valid at TL log time %s (key valid from %s)", keyMeta.ID, integratedTime, keyMeta.From)
+	}
+
+	if keyMeta.To != nil && !integratedTime.Before(*keyMeta.To) {
+		return fmt.Errorf("key %s was already %s at TL log time %s (key %s at %s)", keyMeta.ID, keyMeta.Status, integratedTime, keyMeta.Status, *keyMeta.To)
+	}
+
+	// TODO: this is unmarshalling with MarshalPKIXPublicKey only for us to marshal it again
+	publicKey, err := signerverifier.Parse([]byte(keyMeta.PEM))
+	if err != nil {
+		return fmt.Errorf("failed to parse public key: %w", err)
+	}
+
+	// verify TL entry payload
+	encodedPub, err := x509.MarshalPKIXPublicKey(publicKey)
+	if err != nil {
+		return fmt.Errorf("error failed to marshal public key: %w", err)
+	}
+	err = t.VerifyEntryPayload(entryBytes, payload, encodedPub)
+	if err != nil {
+		return fmt.Errorf("TL entry failed payload verification: %w", err)
+	}
+	// decode signature
+	signature, err := base64.StdEncoding.Strict().DecodeString(sig.Sig)
+	if err != nil {
+		return fmt.Errorf("error failed to decode signature: %w", err)
+	}
+	// verify payload ecdsa signature
+	ok = ecdsa.VerifyASN1(publicKey, util.S256(payload), signature)
+	if !ok {
+		return fmt.Errorf("payload signature is not valid")
+	}
+
+	return nil
+}
+
+func ValidPayloadType(payloadType string) bool {
+	return payloadType == intoto.PayloadType || payloadType == ociv1.MediaTypeDescriptor
+}

pkg/attestation/verify_test.go

@@ -0,0 +1,46 @@
+package attestation_test
+
+import (
+	"encoding/base64"
+	"testing"
+
+	"github.com/docker/attest/internal/test"
+	"github.com/docker/attest/pkg/attestation"
+	intoto "github.com/in-toto/in-toto-golang/in_toto"
+	ociv1 "github.com/opencontainers/image-spec/specs-go/v1"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestValidPayloadType(t *testing.T) {
+	testCases := []struct {
+		name        string
+		payloadType string
+		expected    bool
+	}{
+		{"valid in-toto payload type", intoto.PayloadType, true},
+		{"valid oci descriptor payload type", ociv1.MediaTypeDescriptor, true},
+		{"invalid payload type", "application/vnd.test.fail", false},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			assert.Equalf(t, tc.expected, attestation.ValidPayloadType(tc.payloadType), "expected %v for payload type %s", tc.expected, tc.payloadType)
+		})
+	}
+}
+
+func TestVerifyUnsignedAttestation(t *testing.T) {
+	ctx, _ := test.Setup(t)
+
+	payload := []byte("payload")
+	env := &attestation.Envelope{
+		// no signatures
+		Signatures:  []attestation.Signature{},
+		Payload:     base64.StdEncoding.EncodeToString(payload),
+		PayloadType: intoto.PayloadType,
+	}
+
+	_, err := attestation.VerifyDSSE(ctx, env, attestation.KeysMap{})
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "no signatures")
+}

pkg/mirror/metadata_test.go

@@ -16,7 +16,7 @@ import (
 )
 
 func TestGetTufMetadataMirror(t *testing.T) {
-	server := httptest.NewServer(http.FileServer(http.Dir(filepath.Join("..", "..", "internal", "test", "testdata", "test-repo"))))
+	server := httptest.NewServer(http.FileServer(http.Dir(filepath.Join("..", "..", "test", "testdata", "tuf", "test-repo"))))
 	defer server.Close()
 
 	path := test.CreateTempDir(t, "", "tuf_temp")
@@ -34,7 +34,7 @@ func TestGetTufMetadataMirror(t *testing.T) {
 }
 
 func TestGetMetadataManifest(t *testing.T) {
-	server := httptest.NewServer(http.FileServer(http.Dir(filepath.Join("..", "..", "internal", "test", "testdata", "test-repo"))))
+	server := httptest.NewServer(http.FileServer(http.Dir(filepath.Join("..", "..", "test", "testdata", "tuf", "test-repo"))))
 	defer server.Close()
 
 	path := test.CreateTempDir(t, "", "tuf_temp")
@@ -74,7 +74,7 @@ func TestGetMetadataManifest(t *testing.T) {
 }
 
 func TestGetDelegatedMetadataMirrors(t *testing.T) {
-	server := httptest.NewServer(http.FileServer(http.Dir(filepath.Join("..", "..", "internal", "test", "testdata", "test-repo"))))
+	server := httptest.NewServer(http.FileServer(http.Dir(filepath.Join("..", "..", "test", "testdata", "tuf", "test-repo"))))
 	defer server.Close()
 
 	path := test.CreateTempDir(t, "", "tuf_temp")

pkg/mirror/targets_test.go

@@ -22,7 +22,7 @@ type Layers struct {
 }
 
 func TestGetTufTargetsMirror(t *testing.T) {
-	server := httptest.NewServer(http.FileServer(http.Dir(filepath.Join("..", "..", "internal", "test", "testdata", "test-repo"))))
+	server := httptest.NewServer(http.FileServer(http.Dir(filepath.Join("..", "..", "test", "testdata", "tuf", "test-repo"))))
 	defer server.Close()
 
 	path := test.CreateTempDir(t, "", "tuf_temp")
@@ -56,7 +56,7 @@ func TestGetTufTargetsMirror(t *testing.T) {
 }
 
 func TestTargetDelegationMetadata(t *testing.T) {
-	server := httptest.NewServer(http.FileServer(http.Dir(filepath.Join("..", "..", "internal", "test", "testdata", "test-repo"))))
+	server := httptest.NewServer(http.FileServer(http.Dir(filepath.Join("..", "..", "test", "testdata", "tuf", "test-repo"))))
 	defer server.Close()
 
 	path := test.CreateTempDir(t, "", "tuf_temp")
@@ -69,7 +69,7 @@ func TestTargetDelegationMetadata(t *testing.T) {
 }
 
 func TestGetDelegatedTargetMirrors(t *testing.T) {
-	server := httptest.NewServer(http.FileServer(http.Dir(filepath.Join("..", "..", "internal", "test", "testdata", "test-repo"))))
+	server := httptest.NewServer(http.FileServer(http.Dir(filepath.Join("..", "..", "test", "testdata", "tuf", "test-repo"))))
 	defer server.Close()
 
 	path := test.CreateTempDir(t, "", "tuf_temp")

pkg/policy/evaluator.go

@@ -0,0 +1,41 @@
+package policy
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/docker/attest/internal/oci"
+)
+
+type policyEvaluatorCtxKeyType struct{}
+
+var PolicyEvaluatorCtxKey policyEvaluatorCtxKeyType
+
+// sets PolicyEvaluator in context
+func WithPolicyEvaluator(ctx context.Context, pe PolicyEvaluator) context.Context {
+	return context.WithValue(ctx, PolicyEvaluatorCtxKey, pe)
+}
+
+// gets PolicyEvaluator from context, defaults to Rego PolicyEvaluator if not set
+func GetPolicyEvaluator(ctx context.Context) (PolicyEvaluator, error) {
+	t, ok := ctx.Value(PolicyEvaluatorCtxKey).(PolicyEvaluator)
+	if !ok {
+		return nil, fmt.Errorf("no policy evaluator client set on context (set one with policy.WithPolicyEvaluator)")
+	}
+	return t, nil
+}
+
+type PolicyEvaluator interface {
+	Evaluate(ctx context.Context, resolver oci.AttestationResolver, policy []*PolicyFile, input *PolicyInput) error
+}
+
+type MockPolicyEvaluator struct {
+	EvaluateFunc func(ctx context.Context, resolver oci.AttestationResolver, policy []*PolicyFile, input *PolicyInput) error
+}
+
+func (pe *MockPolicyEvaluator) Evaluate(ctx context.Context, resolver oci.AttestationResolver, policy []*PolicyFile, input *PolicyInput) error {
+	if pe.EvaluateFunc != nil {
+		return pe.EvaluateFunc(ctx, resolver, policy, input)
+	}
+	return nil
+}

pkg/policy/policy.go

@@ -0,0 +1,203 @@
+package policy
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path"
+	"path/filepath"
+	"strings"
+
+	"github.com/distribution/reference"
+	"github.com/docker/attest/internal/oci"
+	"github.com/docker/attest/internal/util"
+	"github.com/docker/attest/pkg/tuf"
+
+	goyaml "gopkg.in/yaml.v3"
+)
+
+const (
+	PolicyMappingFileName = "mapping.yaml"
+)
+
+var (
+	PolicyFileNames = []string{"data.yaml", "policy.rego"}
+)
+
+type PolicyMappings struct {
+	Version  string          `json:"version"`
+	Kind     string          `json:"kind"`
+	Policies []PolicyMapping `json:"policies"`
+	Mirrors  []PolicyMirror  `json:"mirrors"`
+}
+
+type PolicyMapping struct {
+	Name        string       `json:"namespace"`
+	Location    string       `json:"location"`
+	Description string       `json:"description"`
+	Origin      PolicyOrigin `json:"origin"`
+}
+
+type PolicyMirror struct {
+	Name   string     `json:"name"`
+	Mirror MirrorSpec `json:"mirror"`
+}
+
+type MirrorSpec struct {
+	Domains []string `json:"domains"`
+	Prefix  string   `json:"prefix"`
+}
+
+type PolicyOrigin struct {
+	Name   string `json:"name"`
+	Prefix string `json:"prefix"`
+	Domain string `json:"domain"`
+}
+
+type PolicyOptions struct {
+	TufClient       tuf.TUFClient
+	LocalTargetsDir string
+	LocalPolicyDir  string
+}
+
+type PolicyInput struct {
+	Digest      string `json:"digest"`
+	Purl        string `json:"purl"`
+	IsCanonical bool   `json:"isCanonical"`
+}
+
+type PolicyFile struct {
+	Path    string
+	Content []byte
+}
+
+func resolveLocalPolicy(opts *PolicyOptions, mapping *PolicyMapping) ([]*PolicyFile, error) {
+	if opts.LocalPolicyDir == "" {
+		return nil, fmt.Errorf("local policy dir not set")
+	}
+	files := make([]*PolicyFile, 0, len(PolicyFileNames))
+	for _, filename := range PolicyFileNames {
+		filePath := path.Join(opts.LocalPolicyDir, mapping.Location, filename)
+		fileContents, err := os.ReadFile(filePath)
+		if err != nil {
+			return nil, fmt.Errorf("failed to read policy file %s: %w", filename, err)
+		}
+		files = append(files, &PolicyFile{
+			Path:    filename,
+			Content: fileContents,
+		})
+	}
+	return files, nil
+}
+
+func loadLocalMappings(opts *PolicyOptions) (*PolicyMappings, error) {
+	if opts.LocalPolicyDir == "" {
+		return nil, nil
+	}
+	mappings := &PolicyMappings{}
+	path := path.Join(opts.LocalPolicyDir, PolicyMappingFileName)
+	mappingFile, err := os.ReadFile(path)
+	if err != nil {
+		return nil, fmt.Errorf("failed to read policy mapping file %s: %w", path, err)
+	}
+	err = goyaml.Unmarshal(mappingFile, mappings)
+	if err != nil {
+		return nil, fmt.Errorf("failed to unmarshal policy mapping file %s: %w", path, err)
+	}
+	return mappings, nil
+}
+
+func resolveTufPolicy(opts *PolicyOptions, mapping *PolicyMapping) ([]*PolicyFile, error) {
+	files := make([]*PolicyFile, 0, len(PolicyFileNames))
+	for _, filename := range PolicyFileNames {
+		filePath := path.Join(mapping.Location, filename)
+		_, fileContents, err := opts.TufClient.DownloadTarget(filePath, filepath.Join(opts.LocalTargetsDir, filePath))
+		if err != nil {
+			return nil, fmt.Errorf("failed to download policy file %s: %w", filename, err)
+		}
+		files = append(files, &PolicyFile{
+			Path:    filename,
+			Content: fileContents,
+		})
+	}
+	return files, nil
+}
+
+func loadTufMappings(tufClient tuf.TUFClient, localTargetsDir string) (*PolicyMappings, error) {
+	filename := PolicyMappingFileName
+	_, fileContents, err := tufClient.DownloadTarget(filename, filepath.Join(localTargetsDir, filename))
+	if err != nil {
+		return nil, fmt.Errorf("failed to download policy file %s: %w", filename, err)
+	}
+	mappings := &PolicyMappings{}
+
+	err = goyaml.Unmarshal(fileContents, mappings)
+	if err != nil {
+		return nil, fmt.Errorf("failed to unmarshal policy mapping file %s: %w", filename, err)
+	}
+	return mappings, nil
+}
+
+func findPolicyMatch(named reference.Named, mappings *PolicyMappings) (*PolicyMapping, *PolicyMirror) {
+	if mappings != nil {
+		for _, mapping := range mappings.Policies {
+			if mapping.Origin.Domain == reference.Domain(named) &&
+				strings.HasPrefix(reference.Path(named), mapping.Origin.Prefix) {
+				return &mapping, nil
+			}
+		}
+		// now search mirrors
+		for _, mirror := range mappings.Mirrors {
+			if util.StringInSlice(reference.Domain(named), mirror.Mirror.Domains) &&
+				strings.HasPrefix(reference.Path(named), mirror.Mirror.Prefix) {
+				for _, mapping := range mappings.Policies {
+					if mapping.Name == mirror.Name {
+						return &mapping, nil
+					}
+				}
+				return nil, &mirror
+			}
+		}
+	}
+	return nil, nil
+}
+
+func ResolvePolicy(ctx context.Context, resolver oci.AttestationResolver, opts *PolicyOptions) ([]*PolicyFile, error) {
+	imageName, err := resolver.ImageName(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get image name: %w", err)
+	}
+	named, err := reference.ParseNormalizedNamed(imageName)
+	if err != nil {
+		return nil, fmt.Errorf("failed to parse image name: %w", err)
+	}
+	localMappings, err := loadLocalMappings(opts)
+	if err != nil {
+		return nil, fmt.Errorf("failed to load local policy mappings: %w", err)
+	}
+	mapping, mirror := findPolicyMatch(named, localMappings)
+	if mapping != nil {
+		return resolveLocalPolicy(opts, mapping)
+	}
+	// must check tuf
+	tufMappings, err := loadTufMappings(opts.TufClient, opts.LocalTargetsDir)
+	if err != nil {
+		return nil, fmt.Errorf("failed to load tuf policy mappings: %w", err)
+	}
+
+	// it's a mirror of a tuf policy
+	if mirror != nil {
+		for _, mapping := range tufMappings.Policies {
+			if mapping.Name == mirror.Name {
+				return resolveTufPolicy(opts, &mapping)
+			}
+		}
+	}
+
+	// try to resolve a tuf policy directly
+	mapping, _ = findPolicyMatch(named, tufMappings)
+	if mapping == nil {
+		return nil, nil
+	}
+	return resolveTufPolicy(opts, mapping)
+}

pkg/policy/policy_test.go

@@ -0,0 +1,110 @@
+package policy_test
+
+import (
+	"encoding/json"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/docker/attest/internal/oci"
+	"github.com/docker/attest/internal/test"
+	"github.com/docker/attest/pkg/attestation"
+	"github.com/docker/attest/pkg/policy"
+	"github.com/docker/attest/pkg/tuf"
+	"github.com/stretchr/testify/assert"
+)
+
+func loadAttestation(t *testing.T, path string) *attestation.Envelope {
+	ex, err := os.ReadFile(path)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	var env = new(attestation.Envelope)
+	err = json.Unmarshal(ex, env)
+	if err != nil {
+		t.Fatal(err)
+	}
+	return env
+}
+
+func TestRegoEvaluator_Evaluate(t *testing.T) {
+	ctx, _ := test.Setup(t)
+
+	TestDataPath := filepath.Join("..", "..", "test", "testdata")
+	MockTufRepo := filepath.Join(TestDataPath, "local-policy")
+	ExampleAttestation := filepath.Join(TestDataPath, "example_attestation.json")
+	VSA := filepath.Join(TestDataPath, "vsa.json")
+
+	re := policy.NewRegoEvaluator(true)
+
+	defaultInput := &policy.PolicyInput{
+		Digest:      "sha256:test-digest",
+		Purl:        "test-purl",
+		IsCanonical: true,
+	}
+
+	defaultResolver := oci.MockResolver{
+		Envs: []*attestation.Envelope{loadAttestation(t, ExampleAttestation)},
+	}
+
+	vsaResolver := oci.MockResolver{
+		Envs: []*attestation.Envelope{loadAttestation(t, ExampleAttestation), loadAttestation(t, VSA)},
+	}
+
+	testCases := []struct {
+		repo          string
+		expectSuccess bool
+		input         *policy.PolicyInput
+		resolver      oci.AttestationResolver
+		policy        *policy.PolicyOptions
+	}{
+		{repo: "testdata/mock-tuf-allow", expectSuccess: true, input: defaultInput, resolver: defaultResolver},
+		{repo: "testdata/mock-tuf-deny", expectSuccess: false, input: defaultInput, resolver: defaultResolver},
+		{repo: "testdata/mock-tuf-verify-sig", expectSuccess: true, input: defaultInput, resolver: defaultResolver},
+		{repo: "testdata/mock-tuf-wrong-key", expectSuccess: false, input: defaultInput, resolver: defaultResolver},
+		{repo: MockTufRepo, expectSuccess: true, input: &policy.PolicyInput{
+			Digest:      "sha256:da8b190665956ea07890a0273e2a9c96bfe291662f08e2860e868eef69c34620",
+			Purl:        "pkg:docker/test-image@test?platform=linux%2Famd64",
+			IsCanonical: true,
+		}, resolver: vsaResolver},
+		{repo: MockTufRepo, expectSuccess: true, input: &policy.PolicyInput{
+			Digest:      "sha256:da8b190665956ea07890a0273e2a9c96bfe291662f08e2860e868eef69c34620",
+			Purl:        "pkg:docker/test-image@test?platform=linux%2Famd64",
+			IsCanonical: false,
+		}, resolver: vsaResolver},
+		// not a doi
+		{repo: MockTufRepo, expectSuccess: false, input: defaultInput, resolver: vsaResolver, policy: &policy.PolicyOptions{
+			LocalPolicyDir: "testdata/mock-tuf-deny",
+		}},
+		// digest mismatch
+		{repo: MockTufRepo, expectSuccess: false, input: &policy.PolicyInput{
+			Digest:      "sha256:test-digest-wrong",
+			Purl:        "test-purl",
+			IsCanonical: false,
+		}, resolver: vsaResolver},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.repo, func(t *testing.T) {
+			tufClient := tuf.NewMockTufClient(tc.repo, test.CreateTempDir(t, "", "tuf-dest"))
+			if tc.policy == nil {
+				tc.policy = &policy.PolicyOptions{
+					TufClient:       tufClient,
+					LocalTargetsDir: test.CreateTempDir(t, "", "tuf-targets"),
+				}
+			}
+
+			policyFiles, err := policy.ResolvePolicy(ctx, tc.resolver, tc.policy)
+			assert.NoErrorf(t, err, "failed to resolve policy")
+			err = re.Evaluate(ctx, tc.resolver, policyFiles, tc.input)
+
+			if tc.expectSuccess {
+				assert.NoErrorf(t, err, "Evaluate failed")
+			} else {
+				assert.Errorf(t, err, "Evaluate should have failed")
+			}
+		})
+	}
+
+}

pkg/policy/rego.go

@@ -0,0 +1,225 @@
+package policy
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/docker/attest/internal/oci"
+	att "github.com/docker/attest/pkg/attestation"
+	intoto "github.com/in-toto/in-toto-golang/in_toto"
+	"github.com/open-policy-agent/opa/ast"
+	"github.com/open-policy-agent/opa/rego"
+	"github.com/open-policy-agent/opa/storage"
+	"github.com/open-policy-agent/opa/storage/inmem"
+	"github.com/open-policy-agent/opa/tester"
+	"github.com/open-policy-agent/opa/topdown"
+	"github.com/open-policy-agent/opa/types"
+	opa "github.com/open-policy-agent/opa/util"
+	"sigs.k8s.io/yaml"
+)
+
+type regoEvaluator struct {
+	debug bool
+}
+
+func NewRegoEvaluator(debug bool) PolicyEvaluator {
+	return &regoEvaluator{
+		debug: debug,
+	}
+}
+
+func (re *regoEvaluator) Evaluate(ctx context.Context, resolver oci.AttestationResolver, files []*PolicyFile, input *PolicyInput) error {
+	var regoOpts []func(*rego.Rego)
+
+	// Create a new in-memory store
+	store := inmem.New()
+	params := storage.TransactionParams{}
+	params.Write = true
+	txn, err := store.NewTransaction(ctx, params)
+	if err != nil {
+		return err
+	}
+
+	for _, target := range files {
+		// load yaml as data (no rego opt for this!?)
+		if filepath.Ext(target.Path) == ".yaml" {
+			yamlData, err := loadYAML(target.Path, target.Content)
+			if err != nil {
+				return err
+			}
+			err = store.Write(ctx, txn, storage.AddOp, storage.Path{}, yamlData)
+			if err != nil {
+				return err
+			}
+		} else {
+			regoOpts = append(regoOpts, rego.Module(target.Path, string(target.Content)))
+		}
+	}
+
+	err = store.Commit(ctx, txn)
+	if err != nil {
+		store.Abort(ctx, txn)
+		return err
+	}
+
+	if re.debug {
+		regoOpts = append(regoOpts,
+			rego.EnablePrintStatements(true),
+			rego.PrintHook(topdown.NewPrintHook(os.Stderr)),
+			rego.Dump(os.Stderr),
+		)
+	}
+
+	regoOpts = append(regoOpts,
+		rego.Query("data.docker.allow"),
+		rego.StrictBuiltinErrors(true),
+		rego.Input(input),
+		rego.Store(store),
+	)
+	for _, custom := range RegoFunctions(resolver) {
+		regoOpts = append(regoOpts, custom.Func)
+	}
+
+	r := rego.New(regoOpts...)
+	rs, err := r.Eval(ctx)
+	if err != nil {
+		return fmt.Errorf("error from Eval: %w", err)
+	}
+
+	if !rs.Allowed() {
+		return fmt.Errorf("policy evaluation failed")
+	}
+
+	return nil
+}
+
+var dynamicObj = types.NewObject(nil, types.NewDynamicProperty(types.S, types.A))
+var arrayObj = types.NewArray(nil, dynamicObj)
+var verifyDecl = &ast.Builtin{
+	Name:             "attestations.verify_envelope",
+	Decl:             types.NewFunction(types.Args(dynamicObj, arrayObj), dynamicObj),
+	Nondeterministic: true,
+}
+var attestDecl = &ast.Builtin{
+	Name:             "attestations.attestation",
+	Decl:             types.NewFunction(types.Args(types.S), dynamicObj),
+	Nondeterministic: true,
+}
+
+func RegoFunctions(resolver oci.AttestationResolver) []*tester.Builtin {
+	return []*tester.Builtin{
+		{
+			Decl: verifyDecl,
+			Func: rego.Function2(
+				&rego.Function{
+					Name:             verifyDecl.Name,
+					Decl:             verifyDecl.Decl,
+					Memoize:          true,
+					Nondeterministic: verifyDecl.Nondeterministic,
+				},
+				verifyIntotoEnvelope),
+		},
+		{
+			Decl: attestDecl,
+			Func: rego.Function1(
+				&rego.Function{
+					Name:             attestDecl.Name,
+					Decl:             attestDecl.Decl,
+					Memoize:          true,
+					Nondeterministic: attestDecl.Nondeterministic,
+				},
+				fetchIntotoAttestations(resolver)),
+		},
+	}
+}
+
+func fetchIntotoAttestations(resolver oci.AttestationResolver) func(rego.BuiltinContext, *ast.Term) (*ast.Term, error) {
+	return func(rCtx rego.BuiltinContext, predicateTypeTerm *ast.Term) (*ast.Term, error) {
+		predicateTypeStr, ok := predicateTypeTerm.Value.(ast.String)
+		if !ok {
+			return nil, fmt.Errorf("predicateTypeTerm is not a string")
+		}
+		predicateType := string(predicateTypeStr)
+
+		envelopes, err := resolver.Attestations(rCtx.Context, predicateType)
+		if err != nil {
+			return nil, err
+		}
+
+		// Convert each envelope to an ast.Value.
+		values := make([]*ast.Term, len(envelopes))
+		for i, envelope := range envelopes {
+			value, err := ast.InterfaceToValue(envelope)
+			if err != nil {
+				return nil, err
+			}
+			values[i] = ast.NewTerm(value)
+		}
+
+		// Wrap the values in an ast.Array and convert it to an ast.Term.
+		array := ast.NewTerm(ast.NewArray(values...))
+
+		return array, nil
+	}
+}
+func verifyIntotoEnvelope(rCtx rego.BuiltinContext, envTerm, keysTerm *ast.Term) (*ast.Term, error) {
+	env := new(att.Envelope)
+	var keys att.Keys
+	err := ast.As(envTerm.Value, env)
+	if err != nil {
+		return nil, fmt.Errorf("failed to cast envelope: %w", err)
+	}
+	err = ast.As(keysTerm.Value, &keys)
+	if err != nil {
+		return nil, fmt.Errorf("failed to cast keys: %w", err)
+	}
+	keysmap := make(map[string]att.KeyMetadata, len(keys))
+	for _, key := range keys {
+		keysmap[key.ID] = key
+	}
+	payload, err := att.VerifyDSSE(rCtx.Context, env, keysmap)
+	if err != nil {
+		return nil, err
+	}
+
+	statement := new(intoto.Statement)
+
+	switch env.PayloadType {
+	case intoto.PayloadType:
+		err = json.Unmarshal(payload, statement)
+		if err != nil {
+			return nil, fmt.Errorf("failed to unmarshal statement: %w", err)
+		}
+		// TODO: implement other types of envelope
+	default:
+		return nil, fmt.Errorf("unsupported payload type: %s", env.PayloadType)
+	}
+
+	value, err := ast.InterfaceToValue(statement)
+	if err != nil {
+		return nil, err
+	}
+
+	return ast.NewTerm(value), nil
+}
+
+// copied from opa
+func loadYAML(path string, bs []byte) (interface{}, error) {
+	bs, err := yaml.YAMLToJSON(bs)
+	if err != nil {
+		return nil, fmt.Errorf("%v: error converting YAML to JSON: %v", path, err)
+	}
+	return loadJSON(path, bs)
+}
+
+func loadJSON(path string, bs []byte) (interface{}, error) {
+	var x interface{}
+	err := opa.UnmarshalJSON(bs, &x)
+	if err != nil {
+		return nil, fmt.Errorf("%s: %w", path, err)
+	}
+	return x, nil
+}

pkg/policy/testdata/mock-tuf-allow/doi/data.yaml

@@ -0,0 +1 @@
+config:

pkg/policy/testdata/mock-tuf-allow/doi/policy.rego

@@ -0,0 +1,5 @@
+package docker
+
+import rego.v1
+
+allow := true

pkg/policy/testdata/mock-tuf-allow/mapping.yaml

@@ -0,0 +1,10 @@
+# map repos to policies
+version: v1
+kind: policy-mapping
+policies:
+  - origin:
+      domain: docker.io
+      prefix: library/
+    name: docker-official-images
+    description: Docker Official Images
+    location: doi

pkg/policy/testdata/mock-tuf-deny/doi/data.yaml

@@ -0,0 +1 @@
+config:

pkg/policy/testdata/mock-tuf-deny/doi/policy.rego

@@ -0,0 +1,5 @@
+package docker
+
+import rego.v1
+
+allow := false

pkg/policy/testdata/mock-tuf-deny/mapping.yaml

@@ -0,0 +1,10 @@
+# map repos to policies
+version: v1
+kind: policy-mapping
+policies:
+  - origin:
+      domain: docker.io
+      prefix: library/
+    name: docker-official-images
+    description: Docker Official Images
+    location: doi

pkg/policy/testdata/mock-tuf-verify-sig/doi/data.yaml

@@ -0,0 +1 @@
+config:

pkg/policy/testdata/mock-tuf-verify-sig/doi/policy.rego

@@ -0,0 +1,15 @@
+package docker
+
+import rego.v1
+
+keys := [{
+    "id": "a0c296026645799b2a297913878e81b0aefff2a0c301e97232f717e14402f3e4",
+    "key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgH23D1i2+ZIOtVjmfB7iFvX8AhVN\n9CPJ4ie9axw+WRHozGnRy99U2dRge3zueBBg2MweF0zrToXGig2v3YOrdw==\n-----END PUBLIC KEY-----",
+    "from": "2023-12-15T14:00:00Z",
+    "to": null
+}]
+
+allow if {
+  some env in attestations.attestation("foo")
+  statement := attestations.verify_envelope(env, keys)
+}

pkg/policy/testdata/mock-tuf-verify-sig/mapping.yaml

@@ -0,0 +1,10 @@
+# map repos to policies
+version: v1
+kind: policy-mapping
+policies:
+  - origin:
+      domain: docker.io
+      prefix: library/
+    name: docker-official-images
+    description: Docker Official Images
+    location: doi

pkg/policy/testdata/mock-tuf-wrong-key/doi/data.yaml

@@ -0,0 +1 @@
+config:

pkg/policy/testdata/mock-tuf-wrong-key/doi/policy.rego

@@ -0,0 +1,19 @@
+package docker
+
+import rego.v1
+
+keys := {
+  "a0c296026645799b2a297913878e81b0aefff2a0c301e97232f717e14402f3e4": {
+    "id": "a0c296026645799b2a297913878e81b0aefff2a0c301e97232f717e14402f3e4",
+    "key": "-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEHyZpSgzvqFqNv7f3x7865OS38rAb\nQMcff55zM2UH/KR3Pr84a8QsGDNgaNGzJQJWjtMSgfV8WnNoffNK+svFNg==\n-----END PUBLIC KEY-----",
+    "from": "2023-12-15T14:00:00Z",
+    "to": null,
+  }
+}
+
+allow if {
+  some env in attestations.attestation("foo")
+  statement := attestations.verify_envelope(env, keys)
+}
+
+allow := true

pkg/policy/testdata/mock-tuf-wrong-key/mapping.yaml

@@ -0,0 +1,10 @@
+# map repos to policies
+version: v1
+kind: policy-mapping
+policies:
+  - origin:
+      domain: docker.io
+      prefix: library/
+    name: docker-official-images
+    description: Docker Official Images
+    location: doi

pkg/tuf/registry_test.go

@@ -10,7 +10,6 @@ import (
 	"testing"
 
 	"github.com/docker/attest/internal/embed"
-	"github.com/docker/attest/internal/test"
 	"github.com/docker/attest/internal/util"
 	"github.com/google/go-containerregistry/pkg/authn"
 	"github.com/google/go-containerregistry/pkg/crane"
@@ -49,8 +48,8 @@ func TestRegistryFetcher(t *testing.T) {
 	targetsRepo := regAddr.Host + "/tuf-targets"
 	targetFile := "test.txt"
 	delegatedRole := "test-role"
-	dir := test.CreateTempDir(t, "", "tuf_temp")
-	delegatedDir := test.CreateTempDir(t, dir, delegatedRole)
+	dir := CreateTempDir(t, "", "tuf_temp")
+	delegatedDir := CreateTempDir(t, dir, delegatedRole)
 	delegatedTargetFile := fmt.Sprintf("%s/%s", delegatedRole, targetFile)
 
 	cfg, err := config.New(metadataRepo, embed.DevRoot)

pkg/tuf/tuf_test.go

@@ -4,24 +4,40 @@ import (
 	"context"
 	"net/http"
 	"net/http/httptest"
+	"os"
 	"path/filepath"
 	"testing"
 
 	"github.com/docker/attest/internal/embed"
-	"github.com/docker/attest/internal/test"
 	"github.com/stretchr/testify/assert"
 )
 
 var (
-	HttpTufTestDataPath = filepath.Join("..", "..", "internal", "test", "testdata", "test-repo")
-	OciTufTestDataPath  = filepath.Join("..", "..", "internal", "test", "testdata", "test-repo-oci")
+	HttpTufTestDataPath = filepath.Join("..", "..", "test", "testdata", "tuf", "test-repo")
+	OciTufTestDataPath  = filepath.Join("..", "..", "test", "testdata", "tuf", "test-repo-oci")
 )
 
+func CreateTempDir(t *testing.T, dir, pattern string) string {
+	// Create a temporary directory for output oci layout
+	tempDir, err := os.MkdirTemp(dir, pattern)
+	if err != nil {
+		t.Fatalf("Failed to create temp directory: %v", err)
+	}
+
+	// Register a cleanup function to delete the temp directory when the test exits
+	t.Cleanup(func() {
+		if err := os.RemoveAll(tempDir); err != nil {
+			t.Errorf("Failed to remove temp directory: %v", err)
+		}
+	})
+	return tempDir
+}
+
 // NewTufClient creates a new TUF client
 func TestRootInit(t *testing.T) {
-	tufPath := test.CreateTempDir(t, "", "tuf_temp")
+	tufPath := CreateTempDir(t, "", "tuf_temp")
 
-	// Start a test HTTP server to serve data from ./testdata/test-repo/ paths
+	// Start a test HTTP server to serve data from /test/testdata/tuf/test-repo/ paths
 	server := httptest.NewServer(http.FileServer(http.Dir(HttpTufTestDataPath)))
 	defer server.Close()