Drop signature verification in rekor server.

This is changing as part of the general trillian signature changes.
The trust model is still client -> database, our server trusts our
database so we can pass signed messages on directly to users without
double verification.

Signed-off-by: Dan Lorenc <dlorenc@google.com>

This patch removes the /api/v1/log/entries/{uuid}/proof endpoint. If you
have the UUID (aka the leaf Merkle hash), you likely want proof that the
content represented by that hash is included in the log. There's no need
for a separate /proof endpoint to deliver the same content.

This commit also ensures that the getLogEntryByIndex and
getLogEntryByUUID endpoints return an inclusion proof as part of their
response content. The search endpoint also now returns the inclusion
proof of all entries returned from the query.

With this patch, Rekor no longer uses the deprecated `GetLeavesByHash`
Trillian API.

Fixes #229

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

Bump google.golang.org/grpc from 1.36.1 to 1.37.0

Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.36.1 to 1.37.0.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](https://github.com/grpc/grpc-go/compare/v1.36.1...v1.37.0

)

Signed-off-by: dependabot[bot] <support@github.com>

rekor-cli: Pretty print for get cmd

Signed-off-by: Dan Lorenc <dlorenc@google.com>

rekor-cli: logproof -last-size default fix

I will perform a 'lazy consensus' and self-merge this is not
approved by 07/05/2021

The idea is to point to one file in community where we can
add to the security handling process without updating all repos.

Signed-off-by: Luke Hinds <lhinds@redhat.com>

Bumps [golangci/golangci-lint-action](https://github.com/golangci/golangci-lint-action) from v2.5.1 to v2.5.2.
- [Release notes](https://github.com/golangci/golangci-lint-action/releases)
- [Commits](https://github.com/golangci/golangci-lint-action/compare/v2.5.1...5c56cd6c9dc07901af25baab6f2b0d9f3b7c3018

)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

Signed-off-by: Ahmet Alp Balkan <ahmetb@google.com>

* fail build if diff exists

Right now the build tries to detect mismatches between what is in the change versus any changes actually occurred from a clean rebuild (e.g. missed checking in any updates to generated code). However if those are present, the build logs print that out but do not cause the build to fail.

Also bumps GOVERSION to match what is used in Dockerfile so we don't have go.mod or go.sum as a reason for above.

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

Bumps golang from 1.16.2 to 1.16.3.

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [github.com/go-openapi/swag](https://github.com/go-openapi/swag) from 0.19.14 to 0.19.15.
- [Release notes](https://github.com/go-openapi/swag/releases)
- [Commits](https://github.com/go-openapi/swag/compare/v0.19.14...v0.19.15

)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Signed-off-by: Bob Callaway <bcallawa@redhat.com>

-last-size is defaulting to 1, but fixing it to 0 so we can properly error out
if it's unspecified.

Signed-off-by: Ahmet Alp Balkan <ahmetb@google.com>

Otherwise prints []byte contents which are not quite usable.

Signed-off-by: Ahmet Alp Balkan <ahmetb@google.com>

Bump github.com/go-openapi/strfmt from 0.20.0 to 0.20.1

Bumps [github.com/go-openapi/strfmt](https://github.com/go-openapi/strfmt) from 0.20.0 to 0.20.1.
- [Release notes](https://github.com/go-openapi/strfmt/releases)
- [Commits](https://github.com/go-openapi/strfmt/compare/v0.20.0...v0.20.1

)

Signed-off-by: dependabot[bot] <support@github.com>

Stop exposing the redis server port on the host.

This was triggering some internal security scans we have, everything still works
with it only exposed locally.

Signed-off-by: Dan Lorenc <dlorenc@google.com>

The error was turning signature bytes into a string directly. We could
base64 encode it, but that's not terribly useful either.

Signed-off-by: Dan Lorenc <dlorenc@google.com>

Fix a few more paths I was missing in the first folder move.

Signed-off-by: Dan Lorenc <dlorenc@google.com>

Rename the directories for rekor-cli and rekor-server.

This makes the binaries "go installable" by their canonical names.

Signed-off-by: Dan Lorenc <dlorenc@google.com>

Drop the replace that was pinning grpc.

This isn't needed and prevents "go install" from working.

Signed-off-by: Dan Lorenc <dlorenc@google.com>

Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.36.0 to 1.36.1.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](https://github.com/grpc/grpc-go/compare/v1.36.0...v1.36.1

)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Adds a Location response header when a 409 Conflict error is returned
from the server when a duplicate entry is sent for insertion into the
log. Also changes message printed by CLI to improve usability.

Fixes #222

Signed-off-by: Bob Callaway <bcallawa@redhat.com>

Bumps [github.com/go-openapi/runtime](https://github.com/go-openapi/runtime) from 0.19.26 to 0.19.27.
- [Release notes](https://github.com/go-openapi/runtime/releases)
- [Commits](https://github.com/go-openapi/runtime/compare/v0.19.26...v0.19.27

)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Pin the trillian deps in docker-compose.

Signed-off-by: Dan Lorenc <dlorenc@google.com>

* Remove gzip processing flow completely from rekor

Issue #208 reported different handling of gzipped content via fetch vs
direct upload to rekor server. The code should be consistent, regardless
of whether content was compressed or not - by always attempting to
verify the signature against the (unmodified) byte stream.

This patch removes the gzip decoding completely from rekor and verifies
the bytes supplied or referenced.

Also fixes issue in E2E tests where sending SIGKILL to watch process
caused message to be printed to stderr, which fails the test when
running on MacOS.

Fixes #208

Signed-off-by: Bob Callaway <bcallawa@redhat.com>

Bumps [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) from 1.9.0 to 1.10.0.
- [Release notes](https://github.com/prometheus/client_golang/releases)
- [Changelog](https://github.com/prometheus/client_golang/blob/master/CHANGELOG.md)
- [Commits](https://github.com/prometheus/client_golang/compare/v1.9.0...v1.10.0

)

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Signed-off-by: axelsimon <github@axelsimon.net>

Store the whole cert.

Add a second job that watches rekor for new STH entries and publishes

them to GCS.

We don't always have a new one, and under load there might be "batches" of entries
all integrated into the same STH. This means there is no guaranteed frequency of updates
or even a guarantee that every index will exist.

The values (and timestamps) should be monotonically increasing though.

Signed-off-by: Dan Lorenc <dlorenc@google.com>