feat: support arbitrary rego input parameters (#196)

* feat: support arbitrary rego input parameters

test/testdata/local-policy-param/.gitignore

@@ -0,0 +1 @@
+config.yaml

test/testdata/local-policy-param/mapping.yaml

@@ -0,0 +1,15 @@
+version: v1
+kind: policy-mapping
+policies:
+  - id: test-images
+    description: Local test images
+    files:
+      - path: policy.rego
+      - path: config.yaml #auto generated
+    attestations:
+      style: attached
+rules:
+  - pattern: "^docker[.]io/library/test-image$"
+    policy-id: test-images
+  - pattern: "^mirror[.]org/library/(.*)$"
+    rewrite: docker.io/library/$1

test/testdata/local-policy-param/policy.rego

@@ -0,0 +1,61 @@
+package attest
+
+import rego.v1
+
+import data.keys
+import input.parameters
+
+provs(pred) := p if {
+	res := attest.fetch(pred)
+	not res.error
+	p := res.value
+}
+
+atts := union({
+	provs("https://slsa.dev/provenance/v0.2"),
+	provs("https://spdx.dev/Document"),
+})
+
+opts := {"keys": keys, "skip_tl": true}
+
+statements contains s if {
+	parameters.foo == "bar"
+	some att in atts
+	res := attest.verify(att, opts)
+	not res.error
+	s := res.value
+}
+
+subjects contains subject if {
+	some statement in statements
+	some subject in statement.subject
+}
+
+unsafe_statement_from_attestation(att) := statement if {
+	payload := att.payload
+	statement := json.unmarshal(base64.decode(payload))
+}
+
+violations contains violation if {
+	some att in atts
+	statement := unsafe_statement_from_attestation(att)
+	res := attest.verify(att, opts)
+	err := res.error
+	violation := {
+		"type": "unsigned_statement",
+		"description": sprintf("Statement is not correctly signed: %v", [err]),
+		"attestation": statement,
+		"details": {"error": err},
+	}
+}
+
+result := {
+	"success": count(statements) > 0,
+	"violations": violations,
+	"summary": {
+		"subjects": subjects,
+		"slsa_level": "SLSA_BUILD_LEVEL_3",
+		"verifier": "docker-official-images",
+		"policy_uri": "https://docker.com/official/policy/v0.1",
+	},
+}