* Update loginfo to return info about inactive shards

This also updates `rekor-cli` to verify inactive shards if they exist. It also updates the sharding integration test to run loginfo and store state based on TreeID if available.

Signed-off-by: Priya Wadhwa <priya@chainguard.dev>

* Fix typo

Signed-off-by: Priya Wadhwa <priya@chainguard.dev>

* specify resp code in error

Signed-off-by: Priya Wadhwa <priya@chainguard.dev>

This refactors the loginfo file in preparation for also getting info for inactive shards and verifying them as well.

Signed-off-by: Priya Wadhwa <priya@chainguard.dev>

We will need this so we can get proofs for inactive shards. This will be used by `loginfo`.

Signed-off-by: Priya Wadhwa <priya@chainguard.dev>

Signed-off-by: Priya Wadhwa <priya@chainguard.dev>

When printing the TreeID with rekor-cli loginfo, if the output is parsed through jq
then the TreeID gets rounded down as an int because it is bigger than JSON allows Numbers to be.

This is how jq works and is mentioned in the FAQ: https://github.com/stedolan/jq/wiki/FAQ#numbers



Switching this to a string will preserve the actual Tree ID.

Signed-off-by: Priya Wadhwa <priya@chainguard.dev>

And also handle the roothash.

Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>

The logid field comes back as nil (which is expected), but we break trying
to dereference that for formatting.

Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>

* Add helpers and refactor sharding package

- Adds a function to get a TreeID from an ID string
- Adds testing for the above
- Consolidates validation logic for UUID, TreeID, EntryID
- Removes code that attempts to use ActiveIndex() in the sharding
  package, as this is not accessible due to import cycles
- Other small cleanup and typo fixes

Signed-off-by: Lily Sturmann <lsturman@redhat.com>

* Change logRanges to work with int64

This is the type used by the trillian TreeID and saves from having to
convert in multiple places.

Signed-off-by: Lily Sturmann <lsturman@redhat.com>

* Add TreeID to LogInfo API endpoint

WARNING: breaks loginfo cmd to current prod server

Signed-off-by: Lily Sturmann <lsturman@redhat.com>

* Update API based on logRangesFlag

Signed-off-by: Lily Sturmann <lsturman@redhat.com>

* Use API's logRanges to retrieve artifacts

Signed-off-by: Lily Sturmann <lsturman@redhat.com>

This sets the User-Agent header to match the format used in cosign of

rekor-cli/vX.Y.Z (OS) (ARCH)

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

Signed-off-by: Scott Nichols <n3wscott@chainguard.dev>

* Move range.go into sharding package to avoid import cycles

Signed-off-by: Lily Sturmann <lsturman@redhat.com>

* Change name of FullID to EntryID

Signed-off-by: Lily Sturmann <lsturman@redhat.com>

* Add unit tests for sharding package

Also add a few helper functions and update names.

Signed-off-by: Lily Sturmann <lsturman@redhat.com>

* Add logic to GET artifacts via old UUID or new EntryID

Signed-off-by: Lily Sturmann <lsturman@redhat.com>

* Add e2e test for longer EntryID

Signed-off-by: Lily Sturmann <lsturman@redhat.com>

* helpful error message for hashedrekord types

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

* Add sharding package

Signed-off-by: Lily Sturmann <lsturman@redhat.com>

* Update validators to support future FullID

A FullID is a UUID prepended by a TreeID. This will be used for log sharding

Signed-off-by: Lily Sturmann <lsturman@redhat.com>

* rekor-server: Implement /api/v1/version

This implements a version endpoint for rekor. This helps figure out the
version the server is currently running. It could later be used to
implement version compatibility with CLI utilities.

Example:
   λ rekor main» curl -s localhost:3000/api/v1/version | jq
   {
     "builddate": "'2021-12-27T13:20:32Z'",
     "commit": "12d1a47c",
     "treestate": "dirty",
     "version": "v0.4.0-15-g12d1a47-dirty"
   }

This removes some duplication of the build flags and inserts them into
/pkg/api which is then reused across the utilities.

Signed-off-by: Morten Linderud <morten@linderud.pw>

Signed-off-by: Morten Linderud <morten@linderud.pw>

* Generated files

Signed-off-by: Morten Linderud <morten@linderud.pw>

This was never actually correct - these are technically "payloadTypes", which are
not actually mediaTypes. Some implementations mistakenly sent incorrect media types, so
it appeared to work. The GCS storage layer rejected correct implementations that sent the
payloadType, because these are not valid mediaTypes.

We never used this field anyway, so let's drop it. I verified that the API correctly ignores
unknown fields, so removing this will not break clients that send it.

Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>

* Upgraded go-playground/validator module to v10

Signed-off-by: Harry Fallows <harryfallows@protonmail.com>

* Manually re-added missing go.sum entry for module providing package github.com/dvyukov/go-fuzz/go-fuzz-dep

Signed-off-by: Harry Fallows <harryfallows@protonmail.com>

I had to change a few package imports to deal with upstream refactoring.

Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>

* WIP: new hashed type

Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>

* wip add signature verification

Signed-off-by: Asra Ali <asraa@google.com>

* address bobs comments

Signed-off-by: Asra Ali <asraa@google.com>

Co-authored-by: Dan Lorenc <lorenc.d@gmail.com>

Adds the ability to search for indicies with sha1 hashes. Currently
rekor custom types can store indices with formats other than
sha256:<hash>.  Particularly the in-toto type can do this.

One particular use case of interest is indexing log entries by git
commit hash, which largely still use sha1.

Signed-off-by: Mikhail Swift <mswift@mswift.dev>

Signed-off-by: Lily Sturmann <lsturman@redhat.com>

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

Signed-off-by: Dan Luhring <dan.luhring@anchore.com>

Fixes #420.

Signed-off-by: Dan Lorenc <dlorenc@google.com>

Signed-off-by: kpcyrd <git@rxv.cc>

* Adds rekor TUF type

Co-authored-by: Santiago Torres <santiagotorres@purdue.edu>
Co-authored-by: Trishank Karthik Kuppusamy <trishank.kuppusamy@datadoghq.com>
Co-authored-by: Marina Moore <mnm678@gmail.com>
Signed-off-by: Asra Ali <asraa@google.com>

* add type documentation

Signed-off-by: Asra Ali <asraa@google.com>

* Address bob comments

Signed-off-by: Asra Ali <asraa@google.com>

* run make

Signed-off-by: Asra Ali <asraa@google.com>

* wip

Signed-off-by: Asra Ali <asraa@google.com>

* Address comments

Signed-off-by: Asra Ali <asraa@google.com>

Co-authored-by: Santiago Torres <santiagotorres@purdue.edu>
Co-authored-by: Trishank Karthik Kuppusamy <trishank.kuppusamy@datadoghq.com>
Co-authored-by: Marina Moore <mnm678@gmail.com>

Signed-off-by: Carlos Panato <ctadeu@gmail.com>

* just commit timestampnote

Signed-off-by: Asra Ali <asraa@google.com>

* add signed timestamp note

Signed-off-by: Asra Ali <asraa@google.com>

* address validating sha comment

Signed-off-by: Asra Ali <asraa@google.com>

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

* generalize signed checkpoint

Signed-off-by: Asra Ali <asraa@google.com>

* store note as text representation

Signed-off-by: Asra Ali <asraa@google.com>

* cleanup diff

Signed-off-by: Asra Ali <asraa@google.com>

* simplify

Signed-off-by: Asra Ali <asraa@google.com>

* use signer/verifier

Signed-off-by: Asra Ali <asraa@google.com>

* address dan comments

Signed-off-by: Asra Ali <asraa@google.com>

* Refactor PKI factory and add type checking

This allows for more DRY addition of new PKI types, and stricter
type checking. This also allows for simpler enumeration of
supported PKI formats which will be used in further updates to
simplify the CLI codebase.

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

* revamp CLI flags; support different versions for upload

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

* Add Alpine Package type

This adds support for the alpine package format used by Alpine Linux,
which is the concatenation of three tgz files (signature, control data,
and then the actual package files).

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

* use shaFlag for --artifact-hash

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

* change arg type to PKIFormat

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

* defer type-specific validation logic to type code (instead of in CLI); also use CliLogger throughout CLI

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

* refactor factory code

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

* review comments

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

Signed-off-by: Dan Lorenc <lorenc.d@gmail.com>

Signed-off-by: Dan Lorenc <dlorenc@google.com>

* Added Helm type

Signed-off-by: Andrew Block <andy.block@gmail.com>

* Cleaned up helm type

Signed-off-by: Andrew Block <andy.block@gmail.com>

* Correct Helm schema required fields

Signed-off-by: Andrew Block <andy.block@gmail.com>

* Regenerated Helm schema

Signed-off-by: Andrew Block <andy.block@gmail.com>

* Move GetRekorClient into util directory

Since other sigstore projects are using GetRekorClient, this moves it
into the pkg/util directory so that the number of dependencies this
brings with it can be minimized.

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

* move to pkg/client

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

This adds support for the alpine package format used by Alpine Linux,
which is the concatenation of three tgz files (signature, control data,
and then the actual package files).

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

* upload all generated timestamps

Signed-off-by: Asra Ali <asraa@google.com>

* address bazooka comments

Signed-off-by: Asra Ali <asraa@google.com>

* simplify params

Signed-off-by: Asra Ali <asraa@google.com>

* address changes

Signed-off-by: Asra Ali <asraa@google.com>

* forgot to run swagger

Signed-off-by: Asra Ali <asraa@google.com>