refactor(policy): move to public package with cross-platform support

Move policy code from internal/configuration to registry/remote/policy
as a public package so SDK users can create and manage policies. Add
platform-specific default path handling so GetDefaultPolicyPath only
falls back to /etc/containers/policy.json on Linux. Use interfaces for
signature verification instead of direct implementation.

Signed-off-by: Terry Howe <thowe@nvidia.com>

Author: TerryHowe

…mote/internal/configuration/evaluator.go registry/remote/policy/evaluator.goregistry/remote/internal/configuration/evaluator.go renamed to registry/remote/policy/evaluator.go registry/remote/internal/configuration/evaluator.go renamed to registry/remote/policy/evaluator.go

@@ -13,11 +13,13 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package configuration
+package policy
 
 import (
 	"context"
 	"fmt"
+
+	"github.com/oras-project/oras-go/v3/errdef"
 )
 
 // ImageReference represents a reference to an image
@@ -30,13 +32,48 @@ type ImageReference struct {
 	Reference string
 }
 
+// SignedByVerifier verifies GPG/simple signing signatures.
+// Implementations should verify that the image is signed with a valid key
+// as specified in the PRSignedBy requirement.
+type SignedByVerifier interface {
+	Verify(ctx context.Context, req *PRSignedBy, image ImageReference) (bool, error)
+}
+
+// SigstoreVerifier verifies sigstore signatures.
+// Implementations should verify that the image is signed with valid sigstore
+// signatures as specified in the PRSigstoreSigned requirement.
+type SigstoreVerifier interface {
+	Verify(ctx context.Context, req *PRSigstoreSigned, image ImageReference) (bool, error)
+}
+
 // Evaluator evaluates policy requirements against image references
 type Evaluator struct {
-	policy *Policy
+	policy           *Policy
+	signedByVerifier SignedByVerifier
+	sigstoreVerifier SigstoreVerifier
+}
+
+// EvaluatorOption configures an Evaluator
+type EvaluatorOption func(*Evaluator)
+
+// WithSignedByVerifier sets the verifier for PRSignedBy requirements.
+// If not set, evaluating PRSignedBy requirements will return ErrUnsupported.
+func WithSignedByVerifier(v SignedByVerifier) EvaluatorOption {
+	return func(e *Evaluator) {
+		e.signedByVerifier = v
+	}
+}
+
+// WithSigstoreVerifier sets the verifier for PRSigstoreSigned requirements.
+// If not set, evaluating PRSigstoreSigned requirements will return ErrUnsupported.
+func WithSigstoreVerifier(v SigstoreVerifier) EvaluatorOption {
+	return func(e *Evaluator) {
+		e.sigstoreVerifier = v
+	}
 }
 
 // NewEvaluator creates a new policy evaluator
-func NewEvaluator(policy *Policy) (*Evaluator, error) {
+func NewEvaluator(policy *Policy, opts ...EvaluatorOption) (*Evaluator, error) {
 	if policy == nil {
 		return nil, fmt.Errorf("policy cannot be nil")
 	}
@@ -45,9 +82,15 @@ func NewEvaluator(policy *Policy) (*Evaluator, error) {
 		return nil, fmt.Errorf("invalid policy: %w", err)
 	}
 
-	return &Evaluator{
+	e := &Evaluator{
 		policy: policy,
-	}, nil
+	}
+
+	for _, opt := range opts {
+		opt(e)
+	}
+
+	return e, nil
 }
 
 // IsImageAllowed determines if an image is allowed by the policy
@@ -100,19 +143,19 @@ func (e *Evaluator) evaluateReject(ctx context.Context, req *Reject, image Image
 }
 
 // evaluateSignedBy evaluates a signedBy requirement
-// Note: This is a placeholder implementation. Full signature verification
-// would require integration with GPG/signing libraries.
 func (e *Evaluator) evaluateSignedBy(ctx context.Context, req *PRSignedBy, image ImageReference) (bool, error) {
-	// TODO: Implement actual signature verification https://github.com/oras-project/oras-go/issues/1029
-	return false, fmt.Errorf("signedBy verification not yet implemented")
+	if e.signedByVerifier == nil {
+		return false, fmt.Errorf("signedBy verification requires a SignedByVerifier: %w", errdef.ErrUnsupported)
+	}
+	return e.signedByVerifier.Verify(ctx, req, image)
 }
 
 // evaluateSigstoreSigned evaluates a sigstoreSigned requirement
-// Note: This is a placeholder implementation. Full signature verification
-// would require integration with sigstore libraries.
 func (e *Evaluator) evaluateSigstoreSigned(ctx context.Context, req *PRSigstoreSigned, image ImageReference) (bool, error) {
-	// TODO: Implement actual sigstore verification https://github.com/oras-project/oras-go/issues/1029
-	return false, fmt.Errorf("sigstoreSigned verification not yet implemented")
+	if e.sigstoreVerifier == nil {
+		return false, fmt.Errorf("sigstoreSigned verification requires a SigstoreVerifier: %w", errdef.ErrUnsupported)
+	}
+	return e.sigstoreVerifier.Verify(ctx, req, image)
 }
 
 // ShouldAcceptImage is a convenience function that returns true if the image is allowed

registry/remote/policy/evaluator_test.go

@@ -0,0 +1,256 @@
+/*
+Copyright The ORAS Authors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package policy
+
+import (
+	"context"
+	"errors"
+	"testing"
+
+	"github.com/oras-project/oras-go/v3/errdef"
+)
+
+// mockSignedByVerifier is a mock implementation of SignedByVerifier for testing
+type mockSignedByVerifier struct {
+	result bool
+	err    error
+}
+
+func (m *mockSignedByVerifier) Verify(ctx context.Context, req *PRSignedBy, image ImageReference) (bool, error) {
+	return m.result, m.err
+}
+
+// mockSigstoreVerifier is a mock implementation of SigstoreVerifier for testing
+type mockSigstoreVerifier struct {
+	result bool
+	err    error
+}
+
+func (m *mockSigstoreVerifier) Verify(ctx context.Context, req *PRSigstoreSigned, image ImageReference) (bool, error) {
+	return m.result, m.err
+}
+
+func TestEvaluator_WithSignedByVerifier(t *testing.T) {
+	policy := &Policy{
+		Default: PolicyRequirements{
+			&PRSignedBy{
+				KeyType: "GPGKeys",
+				KeyPath: "/path/to/key.gpg",
+			},
+		},
+	}
+
+	image := ImageReference{
+		Transport: TransportNameDocker,
+		Scope:     "docker.io/library/nginx",
+		Reference: "docker.io/library/nginx:latest",
+	}
+
+	tests := []struct {
+		name       string
+		verifier   *mockSignedByVerifier
+		wantResult bool
+		wantErr    bool
+	}{
+		{
+			name:       "verifier returns true",
+			verifier:   &mockSignedByVerifier{result: true, err: nil},
+			wantResult: true,
+			wantErr:    false,
+		},
+		{
+			name:       "verifier returns false",
+			verifier:   &mockSignedByVerifier{result: false, err: nil},
+			wantResult: false,
+			wantErr:    false,
+		},
+		{
+			name:       "verifier returns error",
+			verifier:   &mockSignedByVerifier{result: false, err: errors.New("verification failed")},
+			wantResult: false,
+			wantErr:    true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			evaluator, err := NewEvaluator(policy, WithSignedByVerifier(tt.verifier))
+			if err != nil {
+				t.Fatalf("NewEvaluator() error = %v", err)
+			}
+
+			result, err := evaluator.IsImageAllowed(context.Background(), image)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("IsImageAllowed() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if result != tt.wantResult {
+				t.Errorf("IsImageAllowed() = %v, want %v", result, tt.wantResult)
+			}
+		})
+	}
+}
+
+func TestEvaluator_WithSigstoreVerifier(t *testing.T) {
+	policy := &Policy{
+		Default: PolicyRequirements{
+			&PRSigstoreSigned{
+				KeyPath: "/path/to/key.pub",
+			},
+		},
+	}
+
+	image := ImageReference{
+		Transport: TransportNameDocker,
+		Scope:     "docker.io/library/nginx",
+		Reference: "docker.io/library/nginx:latest",
+	}
+
+	tests := []struct {
+		name       string
+		verifier   *mockSigstoreVerifier
+		wantResult bool
+		wantErr    bool
+	}{
+		{
+			name:       "verifier returns true",
+			verifier:   &mockSigstoreVerifier{result: true, err: nil},
+			wantResult: true,
+			wantErr:    false,
+		},
+		{
+			name:       "verifier returns false",
+			verifier:   &mockSigstoreVerifier{result: false, err: nil},
+			wantResult: false,
+			wantErr:    false,
+		},
+		{
+			name:       "verifier returns error",
+			verifier:   &mockSigstoreVerifier{result: false, err: errors.New("verification failed")},
+			wantResult: false,
+			wantErr:    true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			evaluator, err := NewEvaluator(policy, WithSigstoreVerifier(tt.verifier))
+			if err != nil {
+				t.Fatalf("NewEvaluator() error = %v", err)
+			}
+
+			result, err := evaluator.IsImageAllowed(context.Background(), image)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("IsImageAllowed() error = %v, wantErr %v", err, tt.wantErr)
+				return
+			}
+			if result != tt.wantResult {
+				t.Errorf("IsImageAllowed() = %v, want %v", result, tt.wantResult)
+			}
+		})
+	}
+}
+
+func TestEvaluator_NoVerifier_ReturnsUnsupported(t *testing.T) {
+	tests := []struct {
+		name   string
+		policy *Policy
+	}{
+		{
+			name: "signedBy without verifier",
+			policy: &Policy{
+				Default: PolicyRequirements{
+					&PRSignedBy{
+						KeyType: "GPGKeys",
+						KeyPath: "/path/to/key.gpg",
+					},
+				},
+			},
+		},
+		{
+			name: "sigstoreSigned without verifier",
+			policy: &Policy{
+				Default: PolicyRequirements{
+					&PRSigstoreSigned{
+						KeyPath: "/path/to/key.pub",
+					},
+				},
+			},
+		},
+	}
+
+	image := ImageReference{
+		Transport: TransportNameDocker,
+		Scope:     "docker.io/library/nginx",
+		Reference: "docker.io/library/nginx:latest",
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			evaluator, err := NewEvaluator(tt.policy)
+			if err != nil {
+				t.Fatalf("NewEvaluator() error = %v", err)
+			}
+
+			_, err = evaluator.IsImageAllowed(context.Background(), image)
+			if err == nil {
+				t.Error("IsImageAllowed() should return error when no verifier is set")
+			}
+			if !errors.Is(err, errdef.ErrUnsupported) {
+				t.Errorf("IsImageAllowed() error should wrap ErrUnsupported, got: %v", err)
+			}
+		})
+	}
+}
+
+func TestEvaluator_WithBothVerifiers(t *testing.T) {
+	policy := &Policy{
+		Default: PolicyRequirements{
+			&PRSignedBy{
+				KeyType: "GPGKeys",
+				KeyPath: "/path/to/key.gpg",
+			},
+			&PRSigstoreSigned{
+				KeyPath: "/path/to/key.pub",
+			},
+		},
+	}
+
+	image := ImageReference{
+		Transport: TransportNameDocker,
+		Scope:     "docker.io/library/nginx",
+		Reference: "docker.io/library/nginx:latest",
+	}
+
+	signedByVerifier := &mockSignedByVerifier{result: true, err: nil}
+	sigstoreVerifier := &mockSigstoreVerifier{result: true, err: nil}
+
+	evaluator, err := NewEvaluator(policy,
+		WithSignedByVerifier(signedByVerifier),
+		WithSigstoreVerifier(sigstoreVerifier),
+	)
+	if err != nil {
+		t.Fatalf("NewEvaluator() error = %v", err)
+	}
+
+	result, err := evaluator.IsImageAllowed(context.Background(), image)
+	if err != nil {
+		t.Errorf("IsImageAllowed() error = %v", err)
+	}
+	if !result {
+		t.Error("IsImageAllowed() should return true when all verifiers pass")
+	}
+}