
Conversation

@jiparis jiparis commented Aug 29, 2024

This PR is a follow-up of #1267 to make policy providers the default when no protocol is specified.
This simplifies the operation in organizations with built-in policies provided by an external provider.

Note. This PR maintains backwards compatibility for existing contracts. For example, for attestation add:

DBG loading policy spec "test/another-sbom-policy.yaml" using *policies.ChainloopLoader
DBG falling back to FileLoader for test/another-sbom-policy.yaml
DBG loading policy spec "file://test/another-sbom-policy.yaml" using *policies.FileLoader
INF evaluating policy 'another-sbom-policy' against material 'material-1724952896483353000'
DBG added to state key=material-1724952896483353000
INF material kind detected kind=SBOM_SPDX_JSON
INF material added to attestation

It also improves some error messages during contract validation:

  • when no providers are configured:
      ERR validation error: failed to get policy 'mypolicy': policy providers not configured. Make sure your policy is referenced with file:// or https:// protocol
  • when the requested provider is not found:
      ERR validation error: failed to get policy 'mypolicy': failed to resolve provider: test. Available providers: [chainloop]

Signed-off-by: Jose I. Paris <jiparis@chainloop.dev>
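The dispatch the description lays out (bare ref goes to the default provider, `scheme://name` selects a provider by name, `file://` and `https://` stay explicit, and a bare ref the provider does not know falls back to the file loader for older contracts) is shown below as an added example in Go. It is not code from this PR or from the chainloop project: the names `Resolver`, `FileLoader`, `MemProvider`, `Loader` and `ErrPolicyNotFound` are assumptions, `MemProvider` stands in for a real provider with constructed in-memory data, and the error strings are copied from the messages quoted above. Two points a reviewer would want in such a resolver are made explicit here: an explicit `file://` ref never touches a provider (so it works with no providers configured), and the file loader confines every path under a root so a `../` in a ref cannot read arbitrary files.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"sort"
	"strings"
)

// ErrPolicyNotFound is returned by any loader that cannot find the requested policy.
var ErrPolicyNotFound = errors.New("policy not found")

// Policy is an assumed, minimal stand-in for a loaded spec; Source records which loader produced it.
type Policy struct{ Name, Source, Spec string }

// Loader turns a scheme-less name or path (or, for HTTPS, the full URL) into a Policy.
type Loader interface {
	Load(ref string) (*Policy, error)
}

// FileLoader reads policies from disk, confined under Root so "../" in a ref cannot escape it.
type FileLoader struct{ Root string }

func (l FileLoader) Load(path string) (*Policy, error) {
	full := filepath.Join(l.Root, filepath.Clean("/"+path))
	body, err := os.ReadFile(full)
	if errors.Is(err, os.ErrNotExist) {
		err = ErrPolicyNotFound
	}
	if err != nil {
		return nil, fmt.Errorf("reading %s: %w", full, err)
	}
	return &Policy{Name: strings.TrimSuffix(filepath.Base(path), filepath.Ext(path)), Source: "file", Spec: string(body)}, nil
}

// MemProvider stands in for a remote policy provider such as "chainloop" (constructed data, no network).
type MemProvider struct {
	Name     string
	Policies map[string]string // policy name -> spec
}

func (p MemProvider) Load(name string) (*Policy, error) {
	spec, ok := p.Policies[name]
	if !ok {
		return nil, fmt.Errorf("provider %s: %w", p.Name, ErrPolicyNotFound)
	}
	return &Policy{Name: name, Source: "provider:" + p.Name, Spec: spec}, nil
}

// Resolver dispatches on the ref's scheme: file:// and http(s):// are explicit, any other scheme names a provider, a bare ref uses Default.
type Resolver struct {
	File      FileLoader
	HTTPS     Loader // nil disables remote fetching
	Providers map[string]Loader
	Default   string
}

func (r Resolver) Resolve(ref string) (*Policy, error) {
	scheme, rest, hasScheme := strings.Cut(ref, "://")
	switch {
	case hasScheme && scheme == "file":
		return r.File.Load(rest)
	case hasScheme && (scheme == "http" || scheme == "https"):
		if r.HTTPS == nil {
			return nil, fmt.Errorf("failed to get policy '%s': no HTTPS loader configured", ref)
		}
		return r.HTTPS.Load(ref)
	}
	if len(r.Providers) == 0 {
		return nil, fmt.Errorf("failed to get policy '%s': policy providers not configured. Make sure your policy is referenced with file:// or https:// protocol", ref)
	}
	name, providerName := ref, r.Default
	if hasScheme {
		name, providerName = rest, scheme
	}
	provider, ok := r.Providers[providerName]
	if !ok {
		names := make([]string, 0, len(r.Providers))
		for n := range r.Providers {
			names = append(names, n)
		}
		sort.Strings(names)
		return nil, fmt.Errorf("failed to get policy '%s': failed to resolve provider: %s. Available providers: %v", ref, providerName, names)
	}
	pol, err := provider.Load(name)
	if err == nil {
		return pol, nil
	}
	// Backwards compatibility (the PR log's "falling back to FileLoader"): a bare ref unknown to the default provider may be a relative path from an older contract.
	if !hasScheme && errors.Is(err, ErrPolicyNotFound) {
		if fp, ferr := r.File.Load(name); ferr == nil {
			return fp, nil
		}
	}
	return nil, fmt.Errorf("failed to get policy '%s': %w", ref, err)
}
```

Note the ordering the fallback implies: a bare ref is offered to the default provider first and only reaches the local file loader if the provider reports not-found, so a contract that relies on a relative path will silently start resolving remotely the day a provider publishes a policy of the same name. That is the ambiguity behind the review comment below about users pointing at remote policies by mistake; the explicit `file://` form avoids it.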
@jiparis jiparis requested review from javirln and migmartri August 29, 2024 12:55
@migmartri migmartri left a comment

Thanks @jiparis, are there any improvements we should do in the contract validation now?

For example, if no providers are configured, say that file:// or https:// needs to be used?

I want to make sure people don't point to remote policies by mistake if we can prevent it.


@jiparis jiparis commented Aug 29, 2024

> Thanks @jiparis, are there any improvements we should do in the contract validation now?
>
> For example, if no providers are configured, say that file:// or https:// needs to be used?
>
> I want to make sure people don't point to remote policies by mistake if we can prevent it.

Currently, any attempt to create a contract with a policy from external providers will raise an error if providers are not configured or the policy is not found. For example, when trying to create this contract, with no providers:

schemaVersion: v1
materials: []
policies:
  materials:
    - ref: cyclonedx-freshness
      with:
        limit: "1"
> chainloop --insecure wf contract create --name test --contract test/my-contract.yaml
WRN API contacted in insecure mode
ERR validation error: failed to get policy 'cyclonedx-freshness': policy not found
exit status 1

We could try to improve the error message.

@migmartri migmartri commented

> > Thanks @jiparis, are there any improvements we should do in the contract validation now?
> > For example, if no providers are configured, say that file:// or https:// needs to be used?
> > I want to make sure people don't point to remote policies by mistake if we can prevent it.
>
> Currently, any attempt to create a contract with a policy from external providers will raise an error if providers are not configured or the policy is not found. For example, when trying to create this contract, with no providers:
>
> schemaVersion: v1
> materials: []
> policies:
>   materials:
>     - ref: cyclonedx-freshness
>       with:
>         limit: "1"
> > chainloop --insecure wf contract create --name test --contract test/my-contract.yaml
> WRN API contacted in insecure mode
> ERR validation error: failed to get policy 'cyclonedx-freshness': policy not found
> exit status 1
>
> We could try to improve the error message.

I think so, let's say that 99% of users will not have enabled the provider setup. In that case I'd make sure to tell them to use file:// or https://, what do you think?

@jiparis jiparis requested a review from migmartri August 29, 2024 17:58

@migmartri migmartri left a comment

LGTM!

ref := attachment.GetRef()
filePath, err := ensureScheme(ref, fileScheme)
if err != nil {
return nil, err
please wrap the errors.

var err error
// support both
if httpRef, err = ensureScheme(ref, httpScheme, httpsScheme); err != nil {
return nil, err
ditto about wrap

func (l *HTTPSLoader) Load(_ context.Context, attachment *v1.PolicyAttachment) (*v1.Policy, error) {
ref := attachment.GetRef()

var httpRef string
these two variables could be replaced if you run the following stanza in two lines

Original:
    if httpRef, err = ensureScheme(ref, httpScheme, httpsScheme); err != nil {

Suggested:
    httpRef, err := ensureScheme(ref, httpScheme, httpsScheme)
    if err != nil {

@migmartri migmartri merged commit 2007230 into chainloop-dev:main Aug 30, 2024