Add allowed package sources policy

[kosciCZ]

This adds a new allowed_package_sources policy that can gate content fetched by cachi2. This rule take a lot from the allowed_external_references, but makes it specific to content fetched by cachi2, because it is not uncommon for dependencies fetched by other means to define externalReferences of type distribution. Cachi2 currently produces the mentioned external reference only for packages fetched with the generic fetcher (docs WIP) that always produces a pkg:generic purl, but it is possible it will be extended to other package managers supported by cachi2 as well.

The rule data for this policy are structured as a list of regex patterns for a given purl type. Examples in tests.

Finally, this is my first contribution to EC (and rego) so please excuse any antipatterns I might have invented, feedback very much welcomed.

Resolves ISV-5342

[kosciCZ]

@ralphbean could I get your eyes on this as general concept as well as the effective_on date?

[lcarva]

See the rule_data_errors rules above. Let's add a new one that verifies the consistency of this new rule data key. This helps us determine if the rule data provided has any problems.

[kosciCZ]

Holding out on this until the the comment about rule data format is settled.

[simonbaird]

Since the rule is specific for cachi2, should it maybe be "cachi2_allowed_sources"?

[lcarva]

I do wonder if this rule can be a bit more data driven. For example, what if we allowed the rule data to be something like this:

- type: maven
  properties:
    - name: cachi2:found_by
      value: cachi2
  reference:
    type: distribution
  allowed_references:
    - ".*apache.org.*"
    - ".*example.com.*"

Or some variation of that. WDYT?

[kosciCZ]

I'm not sure if that brings any additional value, because cachi2 will always produce just the one type of externalReference. However, this might be useful in the case of cachi2 changing its name, which will likely occur.

I think that this also has a downside of making the rules less transparent with regards to what is actually allowed, because you get two additional parameters to control that. I think we should strike a balance between extensible and readable.

[kosciCZ]

(Also I think we should settle this first before I get to some of the other comments)

[lcarva]

We also need corresponding changes in sbom_spdx.rego 😭

[kosciCZ]

Cachi2 currently does not produce an SPDX SBOM, so there's not yet anything to latch onto (as in to the externalReference of type distribution in CycloneDX). Holding out on this until the the comment about rule data format is settled.

[simonbaird]

Suggested change

	# patterns are either those defined by the rule for a give purl type, or empty by default
	# patterns are either those defined by the rule for a given purl type, or empty by default

[simonbaird]

It would be nice to add some explanation to the commit message, and also include a Jira reference, e.g.:

Ref: https://issues.redhat.com/browse/ISV-5342

(I know it's explained in the PR, but having it in the git history is preferable IMO.)

Nice PR btw!

[simonbaird]

Suggested change

	# key. By default, allowed_package_sources is empty which means no components with such
	# key. By default, allowed_package_sources is empty, which means no components with such

🤷