Relative paths for remote policies #2650

@jiparis

Description

When working with policies, it's a common practice to keep .rego scripts in their own files instead of embedding them:

apiVersion: workflowcontract.chainloop.dev/v1
kind: Policy
metadata:
  name: my-policy
spec:
  policies:
    - kind: SBOM_SPDX_JSON
      path: script1.rego
    - kind: ATTESTATION
      path: script2.rego

However, when working with remote HTTP policies, the path field is not interpreted as a relative path. This feature only works with local policies. So policy writers need to prepend the URL to the rego script paths:

    - kind: SBOM_SPDX_JSON
      path: https://server/path/script1.rego
    - kind: ATTESTATION
      path: https://server/path/script2.rego

The proposal is to deprecate the path field in favor of a generic ref like the one used in contracts or policy groups. This ref will support relative URLs out of the box (if the main URL has a folder-like structure).

spec:
  policies:
    - kind: SBOM_SPDX_JSON
      ref: script1.rego # relative to the policy yaml file
    - kind: ATTESTATION
      ref: file://testdata/script2.rego

Note that AutoMatch configuration is also affected by this issue.
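
Added example (not part of the issue and not Chainloop's code): a sketch of how a loader could resolve `ref` against the URL the policy YAML was fetched from, which also shows why the base needs a folder-like structure. `resolveRef` is a hypothetical helper, the policy URL is assumed to be absolute, and the rule that a relative ref must stay on the policy's host and under its directory is an assumption of this example, not something the proposal specifies.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// resolveRef (hypothetical helper) resolves a script ref from a policy
// document against the absolute URL the policy itself was loaded from.
func resolveRef(policyURL, ref string) (string, error) {
	base, err := url.Parse(policyURL)
	if err != nil {
		return "", fmt.Errorf("invalid policy URL: %w", err)
	}
	r, err := url.Parse(ref)
	if err != nil {
		return "", fmt.Errorf("invalid ref: %w", err)
	}
	// Absolute refs (https://..., file://...) are used as written.
	if r.IsAbs() {
		return r.String(), nil
	}
	resolved := base.ResolveReference(r)
	// Assumption of this example: a relative ref may not leave the policy's
	// host or climb out of the directory that holds the policy file.
	dir := base.Path[:strings.LastIndex(base.Path, "/")+1]
	if resolved.Host != base.Host || !strings.HasPrefix(resolved.Path, dir) {
		return "", fmt.Errorf("ref %q resolves outside %s%s", ref, base.Host, dir)
	}
	return resolved.String(), nil
}

func main() {
	// Constructed inputs, reusing the placeholder host from the issue.
	cases := [][2]string{
		{"https://server/path/policy.yaml", "script1.rego"},
		{"https://server/path", "script1.rego"}, // no folder-like structure
		{"https://server/path/policy.yaml", "file://testdata/script2.rego"},
		{"https://server/path/policy.yaml", "../other/script1.rego"},
		{"https://server/path/policy.yaml", "//elsewhere/script1.rego"},
	}
	for _, c := range cases {
		out, err := resolveRef(c[0], c[1])
		fmt.Printf("%-34s + %-30s => %q err=%v\n", c[0], c[1], out, err)
	}
}
```

With the base `https://server/path` (no trailing slash), the last segment is treated as a file name, so the script resolves to `https://server/script1.rego` rather than into `/path/`.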
