add rego integration to source policies

[tonistiigi]

This is an early version of rego format support for defining source policies. Not ready for merge but suitable for early testing and feedback.

Currently many untested parts and unimplemented fields/builtins. I also discovered a bug with git/http metadata resolve in BuildKit that needs to be fixed for support of some fields.

For input schema see policy/types.go atm until we expose it better.

For app.Dockerfile, matching app.Dockerfile.rego is loaded. Only local files supported atm. This would be extended with manual control via flags and helper commands for testing.

Set export BUILDX_POLICY_DEBUG=1 and use plain progress mode to see the internal input data and policy decisions. This is a temporary debug until there is better progressbar integration.

Some examples in https://gist.github.com/tonistiigi/a8a1fdf39796ba484a31af18afb04bfc . BuildKit v0.26 is needed.

@crazy-max @dvdksn @cpuguy83 @colinhemmings

[dvdksn]

Encountered this:

FROM alpine

package docker

default allow := false

allow if input.local

allow if {
  input.image.hasProvenance
}

decision := {
    "allow": allow 
}

ERROR: failed to build: failed to solve: alpine: failed to resolve source metadata for docker.io/library/alpine:latest: could not resolve image due to policy: too many policy requests

[tonistiigi]

@dvdksn should be fixed as part of moby/buildkit#6383 https://gist.github.com/tonistiigi/a8a1fdf39796ba484a31af18afb04bfc#file-9-provenance-dockerfile . Although it looks like there is another issue where if the image is not an OCI index, then you get a different error when parsing instead of a policy deny error. Signature keys have not been implemented yet in this PR.

[dvdksn]

Perm would always be 600 I guess - and not sure what UID/GID would show?