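# -----------------------------------------------------------------------------
# cve-gate-base.rego
# Sprint: SPRINT_20260118_027_Policy_cve_release_gates
# Task: TASK-027-08 - OPA/Rego Policy Examples
# Description: Base policy for DSSE signature and Rekor anchor verification
# -----------------------------------------------------------------------------
#
# Scope: this policy checks the *structure* of a DSSE attestation and whether a
# signature is *bound to a trusted key id*. It does not - and with plain OPA
# builtins cannot - verify the signature bytes against the key, nor recompute
# the Rekor inclusion proof against the log checkpoint. Those cryptographic
# checks belong to the verifier that builds `input` before evaluation; this
# policy only decides what to do with an attestation that already passed them.

package stellaops.gates.base

import future.keywords.contains
import future.keywords.if
import future.keywords.in

# Default deny - require explicit allow.
default valid_attestation := false

# The helper predicates get explicit defaults so they are always defined
# (true/false) instead of undefined. Without these, `attestation_info` below
# is undefined in exactly the failing cases it is meant to help debug, because
# an object literal with an undefined value is itself undefined.
default valid_dsse_envelope := false

default valid_signature := false

default valid_rekor_anchor := false

default config_require_rekor := false

# Attestation is valid when the DSSE envelope is well-formed, carries a
# signature bound to a trusted key, and is anchored in Rekor.
valid_attestation if {
	valid_dsse_envelope
	valid_signature
	valid_rekor_anchor
}

# Allow without a Rekor anchor only when the configuration does not require one.
valid_attestation if {
	valid_dsse_envelope
	valid_signature
	not config_require_rekor
}

# DSSE envelope structure validation.
# `payloadType` and `payload` must be non-empty strings. A bare reference such
# as `input.attestation.dsse_envelope.payload` is "true" in a rule body
# whenever the field exists, even when its value is "", so the previous form
# accepted an empty payload.
valid_dsse_envelope if {
	is_string(input.attestation.dsse_envelope.payloadType)
	input.attestation.dsse_envelope.payloadType != ""
	is_string(input.attestation.dsse_envelope.payload)
	input.attestation.dsse_envelope.payload != ""
	count(input.attestation.dsse_envelope.signatures) > 0
}

# Signature validation - at least one signature whose keyid is in the trusted
# list and whose `sig` field is non-empty. The signature value is NOT
# cryptographically verified here (see the module header).
valid_signature if {
	some sig in input.attestation.dsse_envelope.signatures
	sig.keyid in trusted_keys
	sig.sig != ""
}

# Rekor anchor validation - structural presence of the log entry fields only.
# The inclusion proof is not recomputed against the log's checkpoint here.
valid_rekor_anchor if {
	input.attestation.rekor_entry.log_index >= 0
	input.attestation.rekor_entry.integrated_time > 0
	input.attestation.rekor_entry.inclusion_proof.root_hash != ""
}

# Configuration helpers.
config_require_rekor if {
	input.config.require_rekor == true
}

# Trusted key identifiers: the input's list when it is an array, else empty,
# which makes `valid_signature` fail closed. Restricting to arrays keeps the
# `in` membership test in `valid_signature` from matching values of an object
# and keeps `count(trusted_keys)` defined.
# NOTE(review): the trust anchors are read from the same `input.attestation`
# object that is being verified, so whoever assembles the input also decides
# which key ids are trusted. For enforcement (as opposed to this example) the
# list should be supplied from the policy bundle (`data`) by the verifier,
# not carried inside the attestation input.
trusted_keys := input.attestation.trusted_keys if {
	is_array(input.attestation.trusted_keys)
} else := []

# Denial messages - one entry per failed check so callers can report them all.
# `contains` is used explicitly: with `future.keywords.if` in scope,
# `deny[msg] if { ... }` is parsed as a single-value (object) rule keyed by
# msg rather than the intended set.
deny contains msg if {
	not input.attestation.dsse_envelope
	msg := "Missing DSSE envelope in attestation"
}

deny contains msg if {
	input.attestation.dsse_envelope
	not valid_dsse_envelope
	msg := "Invalid DSSE envelope structure"
}

deny contains msg if {
	valid_dsse_envelope
	not valid_signature
	msg := "No valid signature from trusted key"
}

deny contains msg if {
	config_require_rekor
	not input.attestation.rekor_entry
	msg := "Rekor anchor required but not present"
}

deny contains msg if {
	config_require_rekor
	input.attestation.rekor_entry
	not valid_rekor_anchor
	msg := "Invalid Rekor inclusion proof"
}

# Number of signatures in the envelope; 0 when the envelope or the
# `signatures` field is missing or not countable.
default signature_count := 0

signature_count := count(input.attestation.dsse_envelope.signatures)

# Metadata for debugging. Every value has a default, so the object is defined
# for any input, including a malformed or empty one.
attestation_info := {
	"has_dsse": valid_dsse_envelope,
	"has_valid_sig": valid_signature,
	"has_rekor": valid_rekor_anchor,
	"signature_count": signature_count,
	"trusted_key_count": count(trusted_keys),
}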