From 7625488f8484053497f36b9f32a420aec01d1a92 Mon Sep 17 00:00:00 2001
From: hectorj2f
Date: Sat, 23 Apr 2022 20:44:15 +0300
Subject: [PATCH] chore: change cue policy for the cip

Signed-off-by: hectorj2f
---
 pkg/policy/eval.go                                 |  6 +--
 ...s-two-signatures-and-two-attestations.yaml | 51 +++++--------------
 2 files changed, 15 insertions(+), 42 deletions(-)

diff --git a/pkg/policy/eval.go b/pkg/policy/eval.go
index 32b8db82682..48eab9fbb9c 100644
--- a/pkg/policy/eval.go
+++ b/pkg/policy/eval.go
@@ -56,15 +56,15 @@ func evaluateCue(ctx context.Context, attestation []byte, evaluator string) erro
 	cueCtx := cuecontext.New()
 	cueEvaluator := cueCtx.CompileString(evaluator)
 	if cueEvaluator.Err() != nil {
-		return fmt.Errorf("failed to compile the cue policy with error: %v", cueEvaluator.Err())
+		return fmt.Errorf("failed to compile the cue policy with error: %w", cueEvaluator.Err())
 	}
 	cueAtt := cueCtx.CompileBytes(attestation)
 	if cueAtt.Err() != nil {
-		return fmt.Errorf("failed to compile the attestation data with error: %v", cueAtt.Err())
+		return fmt.Errorf("failed to compile the attestation data with error: %w", cueAtt.Err())
 	}
 	result := cueEvaluator.Unify(cueAtt)
 	if err := result.Validate(); err != nil {
-		return fmt.Errorf("failed to evaluate the policy with error: %v", err)
+		return fmt.Errorf("failed to evaluate the policy with error: %w", err)
 	}
 	return nil
 }
diff --git a/test/testdata/cosigned/e2e/cip-requires-two-signatures-and-two-attestations.yaml b/test/testdata/cosigned/e2e/cip-requires-two-signatures-and-two-attestations.yaml
index 80b44ece51a..97175aa53bd 100644
--- a/test/testdata/cosigned/e2e/cip-requires-two-signatures-and-two-attestations.yaml
+++ b/test/testdata/cosigned/e2e/cip-requires-two-signatures-and-two-attestations.yaml
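Review bot: `result.Validate()` on the unified value is called with no options, and as far as I can tell from the CUE API that form does not treat incomplete (non-concrete) values as errors — so a constraint such as `struct.MinFields(2)` on a field the attestation data never supplies unifies to an unresolved value and passes, meaning the policy rejects data that is present and wrong but not data that is missing; consider `if err := result.Validate(cue.Concrete(true)); err != nil {` (needs the `cuelang.org/go/cue` import), or at least a unit test that feeds an empty attestation and asserts an error so the intended behaviour is pinned. The `ctx` parameter in the signature is not touched by any line of the body, so a long-running compile or unify cannot be cancelled; if that is deliberate, a comment such as `// ctx is unused: cue compilation and unification are not cancellable` would save the next reader a search. The `%w` change is right; `cueEvaluator.Err()` and `cueAtt.Err()` are each called twice, and the idiomatic form is `if err := cueEvaluator.Err(); err != nil {` with `err` reused in the wrap. evaluateCue's signature sits on the line before the hunk.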
@@ -95,48 +95,21 @@ spec:
   policy:
     type: cue
     data: |
-      if len(authorityMatches."keyless-att".attestations) < 2 {
-        keylessAttestationsErr: "error"
-        keylessAttestationsErr: "Did not get both keyless attestations"
-      }
-      if len(authorityMatches."key-att".attestations) < 1 {
-        keyAttestationsErr: 1
-        keyAttestationsErr: "Did not get key attestation"
-      }
-      if len(authorityMatches."keyless-signature".signatures) < 1 {
-        keylessSignatureErr: 1
-        keylessSignatureErr: "Did not get keyless signature"
-      }
-      if len(authorityMatches."key-signature".signatures) < 1 {
-        keySignatureErr: 1
-        keySignatureErr: "Did not get key signature"
-      }
+      package sigstore
+      import "struct"
+      import "list"
+      authorityMatches: {
         key-att: {
-          attestations: {
-            "vuln-key": [
-              {subject: "PLACEHOLDER", issuer: "PLACEHOLDER"},
-            ]
-          }
-        }
+          attestations: struct.MaxFields(1) & struct.MinFields(1)
+        },
+        key-signature: {
+          signatures: list.MaxItems(1) & list.MinItems(1)
+        },
         keyless-att: {
-          attestations: {
-            "vuln-keyless": [
-              {subject: "PLACEHOLDER", issuer: "PLACEHOLDER"},
-            ],
-            "custom-keyless": [
-              {subject: "PLACEHOLDER", issuer: "PLACEHOLDER"},
-            ],
-          }
-        }
+          attestations: struct.MinFields(2) & struct.MaxFields(2)
+        },
         keyless-signature: {
-          signatures: [
-            {subject: "PLACEHOLDER", issuer: "PLACEHOLDER"},
-          ]
-        }
-        key-signature: {
-          signatures: [
-            {subject: "PLACEHOLDER", issuer: "PLACEHOLDER"},
-          ]
+          signatures: list.MaxItems(1) & list.MinItems(1)
         }
       }