Signed-off-by: Lily Sturmann <lsturman@redhat.com>

* Update loginfo to return info about inactive shards

This also updates `rekor-cli` to verify inactive shards if they exist. It also updates the sharding integration test to run loginfo and store state based on TreeID if available.

Signed-off-by: Priya Wadhwa <priya@chainguard.dev>

* Fix typo

Signed-off-by: Priya Wadhwa <priya@chainguard.dev>

* specify resp code in error

Signed-off-by: Priya Wadhwa <priya@chainguard.dev>

Signed-off-by: Priya Wadhwa <priya@chainguard.dev>

Signed-off-by: Priya Wadhwa <priya@chainguard.dev>

* Add helpers and refactor sharding package

- Adds a function to get a TreeID from an ID string
- Adds testing for the above
- Consolidates validation logic for UUID, TreeID, EntryID
- Removes code that attempts to use ActiveIndex() in the sharding
  package, as this is not accessible due to import cycles
- Other small cleanup and typo fixes

Signed-off-by: Lily Sturmann <lsturman@redhat.com>

* Change logRanges to work with int64

This is the type used by the trillian TreeID and saves from having to
convert in multiple places.

Signed-off-by: Lily Sturmann <lsturman@redhat.com>

* Add TreeID to LogInfo API endpoint

WARNING: breaks loginfo cmd to current prod server

Signed-off-by: Lily Sturmann <lsturman@redhat.com>

* Update API based on logRangesFlag

Signed-off-by: Lily Sturmann <lsturman@redhat.com>

* Use API's logRanges to retrieve artifacts

Signed-off-by: Lily Sturmann <lsturman@redhat.com>

I had to change a few package imports to deal with upstream refactoring.

Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>

This is in preparation for supporting multiple logIDs (for sharding).

Signed-off-by: Dan Lorenc <dlorenc@google.com>

Signed-off-by: Dan Lorenc <dlorenc@google.com>

* Add signature to LogEntry for offline verification

Also add an integration test for this.

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Address code review comments:
- Canonicalize payload before signing it
- Change name of signature to signedEntryTimestamp
- move signedEntryTimestamp and inclusionProof into separate Verification field in LogEntry

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Create helper func for extracting log entry

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Add info around verifying signedEntryTimestamp as comments in openapi.yaml

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Generalize verification instructions

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Update trillian dependency to master

This removes calls to the trillian verifier and replaces them with calls to a new rekor verify package!
The `verify` package currently only verifies the signed log root.

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Fix lint

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Add verifier back in and update trillian images

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Make verify private

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Address code review comments

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Roll back to trillian v1.3.13

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Pin trillian to latest commit

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Add signing package for signing within rekor

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Remove public key from trillian and add in TODO for getting public key from Signer

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Create signer flag and store signer in api struct

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Remove public key from tlog in API, replace with a new pubkey tag

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Make sure we can get the public key locally

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Fix build error

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Reuse cosign implementation of signing interface

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* fix lint

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Add in-memory signer, store unmarshaled public key in api

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Temporarily skip the log_info test, since we are now getting the public key from rekor and not trillian

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Replace cosign import with sigstore

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Add unit test for memory signer

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Remove unnecessary code

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* skip test

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Sign the signature for the signed log root ourselves

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Include memory as a signer option for signer flag, make memory default

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* update boilerplate header and apply go fmt

Signed-off-by: Carlos Panato <ctadeu@gmail.com>

* lints: fix golangci-lint issues

Signed-off-by: Carlos Panato <ctadeu@gmail.com>

* updated based on feedback

Signed-off-by: Carlos Panato <ctadeu@gmail.com>

This patch removes the /api/v1/log/entries/{uuid}/proof endpoint. If you
have the UUID (aka the leaf Merkle hash), you likely want proof that the
content represented by that hash is included in the log. There's no need
for a separate /proof endpoint to deliver the same content.

This commit also ensures that the getLogEntryByIndex and
getLogEntryByUUID endpoints return an inclusion proof as part of their
response content. The search endpoint also now returns the inclusion
proof of all entries returned from the query.

With this patch, Rekor no longer uses the deprecated `GetLeavesByHash`
Trillian API.

Fixes #229

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

* Bump github.com/google/trillian from 1.3.10 to 1.3.13

Bumps [github.com/google/trillian](https://github.com/google/trillian) from 1.3.10 to 1.3.13.
- [Release notes](https://github.com/google/trillian/releases)
- [Changelog](https://github.com/google/trillian/blob/master/CHANGELOG.md)
- [Commits](https://github.com/google/trillian/compare/v1.3.10...v1.3.13

)

Signed-off-by: dependabot[bot] <support@github.com>

* update to new package structure

Signed-off-by: Bob Callaway <bcallawa@redhat.com>

* register hasher

Signed-off-by: Bob Callaway <bcallawa@redhat.com>

* revert to original naming

Signed-off-by: Bob Callaway <bcallawa@redhat.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Bob Callaway <bcallawa@redhat.com>
Co-authored-by: Bob Callaway <bobcallaway@users.noreply.github.com>

After #77, we have one global GRPC channel for the entire process. This
change causes each GRPC call to be made on the incoming HTTP request's
context such that if an HTTP client cancels prematurely, we will handle
the GRPC cleanup appropriately.

Signed-off-by: Bob Callaway <bcallawa@redhat.com>

- adds trillian API object to context
- improves request error logging pre and post validation
- use consistent request context throughout all GRPC calls
- improve validation of incoming UUID values
- disable swagger UI endpoint
- only print cacheable headers if response code is HTTP 2XX
- use GetLeavesByRange instead of deprecated GetLeavesByIndex API

Signed-off-by: Bob Callaway <bcallawa@redhat.com>

Some changes:
- import names (app -> api, logging -> log)
- Commands package (cmd -> app)