* Bump github.com/prometheus/client_golang from 1.12.0 to 1.12.1 (#636)

Bumps [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) from 1.12.0 to 1.12.1.
- [Release notes](https://github.com/prometheus/client_golang/releases)
- [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prometheus/client_golang/compare/v1.12.0...v1.12.1

)

---
updated-dependencies:
- dependency-name: github.com/prometheus/client_golang
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: obarbier <obarbier13@gmail.com>

* fixing small typo while learning how to contribute

Signed-off-by: obarbier <obarbier13@gmail.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Signed-off-by: Asra Ali <asraa@google.com>

* Move range.go into sharding package to avoid import cycles

Signed-off-by: Lily Sturmann <lsturman@redhat.com>

* Change name of FullID to EntryID

Signed-off-by: Lily Sturmann <lsturman@redhat.com>

* Add unit tests for sharding package

Also add a few helper functions and update names.

Signed-off-by: Lily Sturmann <lsturman@redhat.com>

* Add logic to GET artifacts via old UUID or new EntryID

Signed-off-by: Lily Sturmann <lsturman@redhat.com>

* Add e2e test for longer EntryID

Signed-off-by: Lily Sturmann <lsturman@redhat.com>

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

* helpful error message for hashedrekord types

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

Signed-off-by: Jason Hall <jasonhall@redhat.com>

* Add sharding package

Signed-off-by: Lily Sturmann <lsturman@redhat.com>

* Update validators to support future FullID

A FullID is a UUID prepended by a TreeID. This will be used for log sharding

Signed-off-by: Lily Sturmann <lsturman@redhat.com>

Otherwise, the error:
`
error retrieving external entities: error received while fetching artifact: 404 Not Found
`
Which isn't great for debugging

Signed-off-by: Sylvestre Ledru <sylvestre@debian.org>

This should be the actual last one :)

Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>

Right now the type itself is defined in the cli package, which means we can't
use it without an import cycle.

Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>

This should be the last one!

Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>

Without this we can't properly re-run IndexKeys() on the log data because old minisign
keys were stripped to no longer contain the KeyID or Algorithm field.

Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>

Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>

This is required to make IndexKeys() work on stored types.

Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>

Also fix some possible missing index issues from the last round of refactors.

Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>

Signed-off-by: Morten Linderud <morten@linderud.pw>

* rekor-server: Implement /api/v1/version

This implements a version endpoint for rekor. This helps figure out the
version the server is currently running. It could later be used to
implement version compatibility with CLI utilities.

Example:
   λ rekor main» curl -s localhost:3000/api/v1/version | jq
   {
     "builddate": "'2021-12-27T13:20:32Z'",
     "commit": "12d1a47c",
     "treestate": "dirty",
     "version": "v0.4.0-15-g12d1a47-dirty"
   }

This removes some duplication of the build flags and inserts them into
/pkg/api which is then reused across the utilities.

Signed-off-by: Morten Linderud <morten@linderud.pw>

Signed-off-by: Morten Linderud <morten@linderud.pw>

* Generated files

Signed-off-by: Morten Linderud <morten@linderud.pw>

This was never actually correct - these are technically "payloadTypes", which are
not actually mediaTypes. Some implementations mistakenly sent incorrect media types, so
it appeared to work. The GCS storage layer rejected correct implementations that sent the
payloadType, because these are not valid mediaTypes.

We never used this field anyway, so let's drop it. I verified that the API correctly ignores
unknown fields, so removing this will not break clients that send it.

Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>

We were previously stripping off the keyid/algorithm identifiers in minisign public keys.
These should be included in here to properly canonicalize/reconstruct the keys for verification.

Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>

A lot of these only support one key type, so we don't need to go through
the map.

Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>

Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>

This is part of a larger series to reduce intermediate state on each rekord type.

Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>

This was duplicated across the unit tests for all of our types, moved it
up to the top-level package.

Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>

We were catching these inside the IndexKeys function calls and logging, this
change moves that up to the caller. This is much more standard and simplifies the
implementations.

Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>

This got copy-pasta-ed a bit as we added a lot of new types. I refactored
this out so we have the logic only once.

Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>

This didn't appear to actually be useful on any of our types - we also
check the actual fields that need to be hydrated directly.

Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>

This was set to fail on December 18th, which happens to be yesterday!

Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>

* rename ecosystem to origin

Signed-off-by: Asra Ali <asraa@google.com>

* update comments

Signed-off-by: Asra Ali <asraa@google.com>

* Bump google.golang.org/grpc from 1.42.0 to 1.43.0

Bumps [google.golang.org/grpc](https://github.com/grpc/grpc-go) from 1.42.0 to 1.43.0.
- [Release notes](https://github.com/grpc/grpc-go/releases)
- [Commits](https://github.com/grpc/grpc-go/compare/v1.42.0...v1.43.0

)

---
updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

* replace grpc.WithInsecure() with insecure.NewCredentials()

Signed-off-by: Carlos Panato <ctadeu@gmail.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Carlos Panato <ctadeu@gmail.com>

* Delete INSTALLATION.md

Signed-off-by: Edoardo Tenani <edoardo.tenani@pm.me>

* Delete release-verify.md

Signed-off-by: Edoardo Tenani <edoardo.tenani@pm.me>

* Update README.md

Signed-off-by: Edoardo Tenani <edoardo.tenani@pm.me>

* Update README.md

Signed-off-by: Edoardo Tenani <edoardo.tenani@pm.me>

* Apply suggestions from code review

Co-authored-by: Bob Callaway <bobcallaway@users.noreply.github.com>
Signed-off-by: Edoardo Tenani <edoardo.tenani@pm.me>

Co-authored-by: Bob Callaway <bobcallaway@users.noreply.github.com>

This included some manual changes because of the interface changes.

Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>

Signed-off-by: Asra Ali <asraa@google.com>

* ensure that the test HTTP handlers are called

Signed-off-by: Jake Sanders <jsand@google.com>

* parallelize HTTP server dependent tests

Signed-off-by: Jake Sanders <jsand@google.com>

Signed-off-by: Jake Sanders <jsand@google.com>

* Upgraded go-playground/validator module to v10

Signed-off-by: Harry Fallows <harryfallows@protonmail.com>

* Manually re-added missing go.sum entry for module providing package github.com/dvyukov/go-fuzz/go-fuzz-dep

Signed-off-by: Harry Fallows <harryfallows@protonmail.com>

Signed-off-by: Asra Ali <asraa@google.com>

I had to change a few package imports to deal with upstream refactoring.

Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>

Signed-off-by: Asra Ali <asraa@google.com>

* WIP: new hashed type

Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>

* wip add signature verification

Signed-off-by: Asra Ali <asraa@google.com>

* address bobs comments

Signed-off-by: Asra Ali <asraa@google.com>

Co-authored-by: Dan Lorenc <lorenc.d@gmail.com>

Adds the ability to search for indicies with sha1 hashes. Currently
rekor custom types can store indices with formats other than
sha256:<hash>.  Particularly the in-toto type can do this.

One particular use case of interest is indexing log entries by git
commit hash, which largely still use sha1.

Signed-off-by: Mikhail Swift <mswift@mswift.dev>