- Apr 03, 2022
-
-
Hayden B authored
This allows you to create an entry for the entire certificate chain, not just the leaf certificate. The certificate chain will be verified before adding the entry. Signed-off-by:
Hayden Blauzvern <hblauzvern@google.com>
-
- Mar 31, 2022
-
-
priyawadhwa authored
* Specify public key for each inactive shard in config Signed-off-by:
Priya Wadhwa <priya@chainguard.dev> * Updated the integration test Signed-off-by:
Priya Wadhwa <priya@chainguard.dev> * Add debugging to the sharding test Signed-off-by:
Priya Wadhwa <priya@chainguard.dev> * Add debugging Signed-off-by:
Priya Wadhwa <priya@chainguard.dev>
-
- Mar 29, 2022
-
-
Lily Sturmann authored
Signed-off-by:
Lily Sturmann <lsturman@redhat.com>
-
- Mar 26, 2022
-
-
Lily Sturmann authored
tlog_id specifies the active shard and is kept for backwards compatibility. To avoid replicating information, the shard config file is used only to specify inactive shards and must be used in conjunction with a tlog_id flag. Together, these build the logRanges type in the sharding module. Signed-off-by:
Lily Sturmann <lsturman@redhat.com>
-
- Mar 22, 2022
-
-
priyawadhwa authored
* Replace trillian_log_server.log_id_ranges flag with a config file This will make it easier to specify multiple shards, along with associated tree IDs and lengths. Each shard may eventually have its own signer/public key as well, so it'll be easier to pass those in through a config file rather than through CLI flags. Signed-off-by:
Priya Wadhwa <priya@chainguard.dev> * Add active tree ID to ranges Signed-off-by:
Priya Wadhwa <priya@chainguard.dev>
-
- Mar 21, 2022
-
-
priyawadhwa authored
* Update loginfo to return info about inactive shards This also updates `rekor-cli` to verify inactive shards if they exist. It also updates the sharding integration test to run loginfo and store state based on TreeID if available. Signed-off-by:
Priya Wadhwa <priya@chainguard.dev> * Fix typo Signed-off-by:
Priya Wadhwa <priya@chainguard.dev> * specify resp code in error Signed-off-by:
Priya Wadhwa <priya@chainguard.dev>
-
- Mar 16, 2022
-
-
priyawadhwa authored
We will need this so we can get proofs for inactive shards. This will be used by `loginfo`. Signed-off-by:
Priya Wadhwa <priya@chainguard.dev>
-
- Mar 11, 2022
-
-
priyawadhwa authored
* Return virtual index when creating and getting a log entry Use the virtual index when signing an entry on creation, and return that to the end user. There shouldn't be any observable difference here at the moment, until we actually shard the log. Signed-off-by:
Priya Wadhwa <priya@chainguard.dev> * Remove pointer to logRanges so value can't be modified Also make all fields private and only accessible via function calls Signed-off-by:
Priya Wadhwa <priya@chainguard.dev> * Fix virtual log index bug when getting indices in inactive shards Signed-off-by:
Priya Wadhwa <priya@chainguard.dev>
-
- Mar 10, 2022
-
-
priyawadhwa authored
Signed-off-by:
Priya Wadhwa <priya@chainguard.dev>
-
- Mar 09, 2022
-
-
priyawadhwa authored
Signed-off-by:
Priya Wadhwa <priya@chainguard.dev>
-
priyawadhwa authored
When printing the TreeID with rekor-cli loginfo, if the output is parsed through jq then the TreeID gets rounded down as an int because it is bigger than JSON allows Numbers to be. This is how jq works and is mentioned in the FAQ: https://github.com/stedolan/jq/wiki/FAQ#numbers Switching this to a string will preserve the actual Tree ID. Signed-off-by:
Priya Wadhwa <priya@chainguard.dev>
-
- Mar 05, 2022
-
-
Lily Sturmann authored
* Add helpers and refactor sharding package
  - Adds a function to get a TreeID from an ID string
  - Adds testing for the above
  - Consolidates validation logic for UUID, TreeID, EntryID
  - Removes code that attempts to use ActiveIndex() in the sharding package, as this is not accessible due to import cycles
  - Other small cleanup and typo fixes
Signed-off-by:
Lily Sturmann <lsturman@redhat.com> * Change logRanges to work with int64 This is the type used by the trillian TreeID and saves from having to convert in multiple places. Signed-off-by:
Lily Sturmann <lsturman@redhat.com> * Add TreeID to LogInfo API endpoint WARNING: breaks loginfo cmd to current prod server Signed-off-by:
Lily Sturmann <lsturman@redhat.com> * Update API based on logRangesFlag Signed-off-by:
Lily Sturmann <lsturman@redhat.com> * Use API's logRanges to retrieve artifacts Signed-off-by:
Lily Sturmann <lsturman@redhat.com>
-
- Mar 02, 2022
-
-
John Speed Meyers authored
Signed-off-by:
John Speed Meyers <jsmeyers@chainguard.dev>
-
- Feb 17, 2022
-
-
John Speed Meyers authored
* Add in-toto type documentation Signed-off-by:
John Speed Meyers <jsmeyers@chainguard.dev>
-
- Feb 10, 2022
-
-
Scott Nichols authored
Signed-off-by:
Scott Nichols <n3wscott@chainguard.dev>
-
- Feb 02, 2022
-
-
Olivier Cedric Barbier authored
* Bump github.com/prometheus/client_golang from 1.12.0 to 1.12.1 (#636) Bumps [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) from 1.12.0 to 1.12.1. - [Release notes](https://github.com/prometheus/client_golang/releases) - [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md) - [Commits](https://github.com/prometheus/client_golang/compare/v1.12.0...v1.12.1) --- updated-dependencies: - dependency-name: github.com/prometheus/client_golang dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by:
dependabot[bot] <support@github.com> Co-authored-by:
dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by:
obarbier <obarbier13@gmail.com> * fixing small typo while learning how to contribute Signed-off-by:
obarbier <obarbier13@gmail.com> Co-authored-by:
dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
-
- Feb 01, 2022
-
-
asraa authored
Signed-off-by:
Asra Ali <asraa@google.com>
-
- Jan 25, 2022
-
-
Lily Sturmann authored
* Move range.go into sharding package to avoid import cycles Signed-off-by:
Lily Sturmann <lsturman@redhat.com> * Change name of FullID to EntryID Signed-off-by:
Lily Sturmann <lsturman@redhat.com> * Add unit tests for sharding package Also add a few helper functions and update names. Signed-off-by:
Lily Sturmann <lsturman@redhat.com> * Add logic to GET artifacts via old UUID or new EntryID Signed-off-by:
Lily Sturmann <lsturman@redhat.com> * Add e2e test for longer EntryID Signed-off-by:
Lily Sturmann <lsturman@redhat.com>
-
- Jan 24, 2022
-
-
Bob Callaway authored
Signed-off-by:
Bob Callaway <bob.callaway@gmail.com>
-
- Jan 18, 2022
-
-
Bob Callaway authored
* helpful error message for hashedrekord types Signed-off-by:
Bob Callaway <bob.callaway@gmail.com>
-
- Jan 10, 2022
-
-
Jason Hall authored
Signed-off-by:
Jason Hall <jasonhall@redhat.com>
-
- Jan 06, 2022
-
-
Lily Sturmann authored
* Add sharding package Signed-off-by:
Lily Sturmann <lsturman@redhat.com> * Update validators to support future FullID A FullID is a UUID prepended by a TreeID. This will be used for log sharding Signed-off-by:
Lily Sturmann <lsturman@redhat.com>
-
- Jan 03, 2022
-
-
Sylvestre Ledru authored
Otherwise, the error: ` error retrieving external entities: error received while fetching artifact: 404 Not Found ` Which isn't great for debugging Signed-off-by:
Sylvestre Ledru <sylvestre@debian.org>
-
- Dec 31, 2021
-
-
dlorenc authored
This should be the actual last one :) Signed-off-by:
Dan Lorenc <lorenc.d@gmail.com>
-
- Dec 29, 2021
-
-
dlorenc authored
Right now the type itself is defined in the cli package, which means we can't use it without an import cycle. Signed-off-by:
Dan Lorenc <lorenc.d@gmail.com>
-
- Dec 28, 2021
-
-
dlorenc authored
This should be the last one! Signed-off-by:
Dan Lorenc <lorenc.d@gmail.com>
-
dlorenc authored
Without this we can't properly re-run IndexKeys() on the log data because old minisign keys were stripped to no longer contain the KeyID or Algorithm field. Signed-off-by:
Dan Lorenc <lorenc.d@gmail.com>
-
dlorenc authored
Signed-off-by:
Dan Lorenc <lorenc.d@gmail.com>
-
dlorenc authored
This is required to make IndexKeys() work on stored types. Signed-off-by:
Dan Lorenc <lorenc.d@gmail.com>
-
dlorenc authored
Also fix some possible missing index issues from the last round of refactors. Signed-off-by:
Dan Lorenc <lorenc.d@gmail.com>
-
Morten Linderud authored
Signed-off-by:
Morten Linderud <morten@linderud.pw>
-
- Dec 27, 2021
-
-
Morten Linderud authored
* rekor-server: Implement /api/v1/version
This implements a version endpoint for rekor. This helps figure out the version the server is currently running. It could later be used to implement version compatibility with CLI utilities.
Example:
    λ rekor main» curl -s localhost:3000/api/v1/version | jq
    {
      "builddate": "'2021-12-27T13:20:32Z'",
      "commit": "12d1a47c",
      "treestate": "dirty",
      "version": "v0.4.0-15-g12d1a47-dirty"
    }
This removes some duplication of the build flags and inserts them into /pkg/api which is then reused across the utilities. Signed-off-by:
Morten Linderud <morten@linderud.pw> Signed-off-by:
Morten Linderud <morten@linderud.pw> * Generated files Signed-off-by:
Morten Linderud <morten@linderud.pw>
-
dlorenc authored
This was never actually correct - these are technically "payloadTypes", which are not actually mediaTypes. Some implementations mistakenly sent incorrect media types, so it appeared to work. The GCS storage layer rejected correct implementations that sent the payloadType, because these are not valid mediaTypes. We never used this field anyway, so let's drop it. I verified that the API correctly ignores unknown fields, so removing this will not break clients that send it. Signed-off-by:
Dan Lorenc <lorenc.d@gmail.com>
-
- Dec 22, 2021
-
-
dlorenc authored
We were previously stripping off the keyid/algorithm identifiers in minisign public keys. These should be included in here to properly canonicalize/reconstruct the keys for verification. Signed-off-by:
Dan Lorenc <lorenc.d@gmail.com>
-
dlorenc authored
A lot of these only support one key type, so we don't need to go through the map. Signed-off-by:
Dan Lorenc <lorenc.d@gmail.com>
-
- Dec 21, 2021
-
-
dlorenc authored
Signed-off-by:
Dan Lorenc <lorenc.d@gmail.com>
-
- Dec 20, 2021
-
-
dlorenc authored
This is part of a larger series to reduce intermediate state on each rekord type. Signed-off-by:
Dan Lorenc <lorenc.d@gmail.com>
-
dlorenc authored
This was duplicated across the unit tests for all of our types, moved it up to the top-level package. Signed-off-by:
Dan Lorenc <lorenc.d@gmail.com>
-
dlorenc authored
We were catching these inside the IndexKeys function calls and logging, this change moves that up to the caller. This is much more standard and simplifies the implementations. Signed-off-by:
Dan Lorenc <lorenc.d@gmail.com>
-
dlorenc authored
This got copy-pasta-ed a bit as we added a lot of new types. I refactored this out so we have the logic only once. Signed-off-by:
Dan Lorenc <lorenc.d@gmail.com>
-