chore(policies): support file:// to reference filesystem policies (#1267)

Signed-off-by: Jose I. Paris <[email protected]>

Author: jiparis

docs/docs/reference/policies.mdx

@@ -45,7 +45,7 @@ materials:
     type: CONTAINER_IMAGE
 policies:
   materials: # policies applied to materials
-    - ref: cyclonedx-licenses.yaml # (1)
+    - ref: file://cyclonedx-licenses.yaml # (1)
   attestation: # policies applied to the whole attestation
     - ref: https://github.com/chainloop/chainloop-dev/blob/main/docs/examples/policies/chainloop-commit.yaml # (2)
 ```
@@ -56,7 +56,7 @@ Here we can see that:
   ```yaml
   policies:
     materials:
-      - ref: cyclonedx-licenses.yaml
+      - ref: file://cyclonedx-licenses.yaml
         selector: # (3)
           name: sbom
   ```
@@ -68,11 +68,11 @@ Finally, note that material policies are evaluated during `chainloop attestation
 
 ### Embedding or referencing policies
 There are two ways to attach a policy to a contract:
-* **By referencing it**, as it can be seen in the examples above. `ref` property admits a local (filesystem) or remote reference (HTTPS). For example:
+* **By referencing it**, as it can be seen in the examples above. `ref` property admits a local `file://`` (filesystem) or remote reference `https://`. For example:
   ```yaml
   policies:
     materials: 
-      - ref: cyclonedx-licenses.yaml # local reference
+      - ref: file://cyclonedx-licenses.yaml # local reference
   ```
   and
   ```yaml

pkg/policies/loader.go

@@ -18,6 +18,7 @@ package policies
 import (
 	"context"
 	"fmt"
+	"os"
 	"path/filepath"
 	"strings"
 	"sync"
@@ -45,13 +46,28 @@ func (e *EmbeddedLoader) Load(_ context.Context, attachment *v1.PolicyAttachment
 type BlobLoader struct{}
 
 func (l *BlobLoader) Load(_ context.Context, attachment *v1.PolicyAttachment) (*v1.Policy, error) {
+	var (
+		rawData []byte
+		err     error
+	)
+
 	reference := attachment.GetRef()
 
-	// look for the referenced policy spec (note: loading by `name` is not supported yet)
-	// this method understands env, http and https schemes, and defaults to file system.
-	rawData, err := blob.LoadFileOrURL(reference)
-	if err != nil {
-		return nil, fmt.Errorf("loading policy spec: %w", err)
+	// Support file:// references
+	parts := strings.SplitAfterN(reference, "://", 2)
+	if len(parts) == 2 && parts[0] == "file://" {
+		rawData, err = os.ReadFile(filepath.Clean(parts[1]))
+		if err != nil {
+			return nil, fmt.Errorf("loading policy spec: %w", err)
+		}
+	}
+
+	// this method understands env, http and https schemes, and defaults to file system (without scheme).
+	if rawData == nil {
+		rawData, err = blob.LoadFileOrURL(reference)
+		if err != nil {
+			return nil, fmt.Errorf("loading policy spec: %w", err)
+		}
 	}
 
 	jsonContent, err := materials.LoadJSONBytes(rawData, filepath.Ext(reference))

pkg/policies/policies_test.go

@@ -492,6 +492,17 @@ func (s *testSuite) TestLoadPolicySpec() {
 			expectedDesc:     "This policy checks that the SPDX SBOM was created with syft",
 			expectedCategory: "SBOM",
 		},
+		{
+			name: "by file ref",
+			attachment: &v12.PolicyAttachment{
+				Policy: &v12.PolicyAttachment_Ref{
+					Ref: "file://testdata/sbom_syft.yaml",
+				},
+			},
+			expectedName:     "made-with-syft",
+			expectedDesc:     "This policy checks that the SPDX SBOM was created with syft",
+			expectedCategory: "SBOM",
+		},
 		{
 			name: "embedded invalid",
 			attachment: &v12.PolicyAttachment{
@@ -557,6 +568,11 @@ func (s *testSuite) TestLoader() {
 			ref:      "local-policy.yaml",
 			expected: &BlobLoader{},
 		},
+		{
+			name:     "file ref",
+			ref:      "file://local-policy.yaml",
+			expected: &BlobLoader{},
+		},
 		{
 			name:     "http ref",
 			ref:      "https://myhost/policy.yaml",