* Update trillian dependency to master

This removes calls to the trillian verifier and replaces them with calls to a new rekor verify package!
The `verify` package currently only verifies the signed log root.

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Fix lint

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Add verifier back in and update trillian images

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Make verify private

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Address code review comments

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Roll back to trillian v1.3.13

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Pin trillian to latest commit

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Add signing package for signing within rekor

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Remove public key from trillian and add in TODO for getting public key from Signer

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Create signer flag and store signer in api struct

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Remove public key from tlog in API, replace with a new pubkey tag

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Make sure we can get the public key locally

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Fix build error

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Reuse cosign implementation of signing interface

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* fix lint

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Add in-memory signer, store unmarshaled public key in api

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Temporarily skip the log_info test, since we are now getting the public key from rekor and not trillian

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Replace cosign import with sigstore

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Add unit test for memory signer

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Remove unnecessary code

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* skip test

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Sign the signature for the signed log root ourselves

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Include memory as a signer option for signer flag, make memory default

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* update boilerplate header and apply go fmt

Signed-off-by: Carlos Panato <ctadeu@gmail.com>

* lints: fix golangci-lint issues

Signed-off-by: Carlos Panato <ctadeu@gmail.com>

* updated based on feedback

Signed-off-by: Carlos Panato <ctadeu@gmail.com>

This was triggering some internal security scans we have, everything still works
with it only exposed locally.

Signed-off-by: Dan Lorenc <dlorenc@google.com>

Signed-off-by: Dan Lorenc <dlorenc@google.com>

Update version of docker-compose.yml

start_period in healthcheck and target in build are properties that are not supported for docker-compose versions <3.4. This change fixes this issue.

Signed-off-by: Efe Barlas <ebarlas@purdue.edu>

In our CI environment there is an artifical delay in between starting
the Rekor services via docker-compose and when the E2E tests are
actually executed due to Go modules being downloaded. In a local
development environment, the download may not be required so the tests
can start before the docker-compose services are actually running.

This introduces a healthcheck for services (where possible), and blocks
the start of the e2e tests until the services are reporting as healthy.
It also forces the use of an empty homedir and rekor config file to
ensure no collision between the tests and the developer's environment.

Fixes #183

Signed-off-by: Bob Callaway <bcallawa@redhat.com>

This just exposes the default go metrics for now. We can use middleware to expose
more custom metrics for our API.

This is only toggled on for the server right now.

Signed-off-by: Bob Callaway <bcallawa@redhat.com>

Signed-off-by: Bob Callaway <bcallawa@redhat.com>

Co-authored-by: Dan Lorenc <dlorenc@google.com>

Signed-off-by: Bob Callaway <bcallawa@redhat.com>

This allows us to skip sticking it onto each request context and retrieving it.

Signed-off-by: Dan Lorenc <dlorenc@google.com>

Some changes:
- import names (app -> api, logging -> log)
- Commands package (cmd -> app)