Signed-off-by: Asra Ali <asraa@google.com>

This adds an "Attestation" method to the entry interface. Entries can
return an attestation that they would like to store.

The attestations are currently stored in GCS, but it supports any blob store.
The feature is turned off with a flag, and we can set a max size as well.

Signed-off-by: Dan Lorenc <dlorenc@google.com>

* Add Log ID to LogEntry field

Since the signed entry timestamp (SET) will be able to prove insertion into the log, adding the log ID (aka public key SHA256 hash) makes it easier to know which log the entry came from. 

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

* GetLogByIndexHandler returns 404 for missing index

GRPC return codes have changed after switching the Trillian GRPC calls
due to recent changes; therefore we need to adapt for InvalidArgument
which should be returned as a 404 Not Found error to callers.

Fixes #296

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

* Add sha256 prefix to index keys for artifact hashes

This change adds the `sha256:` prefix to index values that are created to simplify searching the transparency log for artifacts. In case we shift to using a different hashing algorithm in the future, this will provide a way to specify it.

Fixes #289

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

* Add signature to LogEntry for offline verification

Also add an integration test for this.

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Address code review comments:
- Canonicalize payload before signing it
- Change name of signature to signedEntryTimestamp
- move signedEntryTimestamp and inclusionProof into separate Verification field in LogEntry

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Create helper func for extracting log entry

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Add info around verifying signedEntryTimestamp as comments in openapi.yaml

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* Generalize verification instructions

Signed-off-by: Priya Wadhwa <priyawadhwa@google.com>

* update boilerplate header and apply go fmt

Signed-off-by: Carlos Panato <ctadeu@gmail.com>

* lints: fix golangci-lint issues

Signed-off-by: Carlos Panato <ctadeu@gmail.com>

* updated based on feedback

Signed-off-by: Carlos Panato <ctadeu@gmail.com>

This is changing as part of the general trillian signature changes.
The trust model is still client -> database, our server trusts our
database so we can pass signed messages on directly to users without
double verification.

Signed-off-by: Dan Lorenc <dlorenc@google.com>

This patch removes the /api/v1/log/entries/{uuid}/proof endpoint. If you
have the UUID (aka the leaf Merkle hash), you likely want proof that the
content represented by that hash is included in the log. There's no need
for a separate /proof endpoint to deliver the same content.

This commit also ensures that the getLogEntryByIndex and
getLogEntryByUUID endpoints return an inclusion proof as part of their
response content. The search endpoint also now returns the inclusion
proof of all entries returned from the query.

With this patch, Rekor no longer uses the deprecated `GetLeavesByHash`
Trillian API.

Fixes #229

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

Adds a Location response header when a 409 Conflict error is returned
from the server when a duplicate entry is sent for insertion into the
log. Also changes message printed by CLI to improve usability.

Fixes #222

Signed-off-by: Bob Callaway <bcallawa@redhat.com>

This will allow us to use types.NewEntry() to unmarshal returned
values in clients.

Signed-off-by: Dan Lorenc <dlorenc@google.com>

Since the API key can be specified as an environment variable and could
be thought of as an authentication credential, it should not be included
in the path to the created entry in the log.

Previously we simply appended the new entry's UUID to the full URL,
which was incorrect if an API key was specified as a query parameter.

Fixes #182

Signed-off-by: Bob Callaway <bcallawa@redhat.com>

All instances of projectrekor are now renamed to SigStore

This includes:

* Import paths
* Tests
* Readme's

Signed-off-by: Luke Hinds <lhinds@redhat.com>

* Bump github.com/google/trillian from 1.3.10 to 1.3.13

Bumps [github.com/google/trillian](https://github.com/google/trillian) from 1.3.10 to 1.3.13.
- [Release notes](https://github.com/google/trillian/releases)
- [Changelog](https://github.com/google/trillian/blob/master/CHANGELOG.md)
- [Commits](https://github.com/google/trillian/compare/v1.3.10...v1.3.13

)

Signed-off-by: dependabot[bot] <support@github.com>

* update to new package structure

Signed-off-by: Bob Callaway <bcallawa@redhat.com>

* register hasher

Signed-off-by: Bob Callaway <bcallawa@redhat.com>

* revert to original naming

Signed-off-by: Bob Callaway <bcallawa@redhat.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Bob Callaway <bcallawa@redhat.com>
Co-authored-by: Bob Callaway <bobcallaway@users.noreply.github.com>

This works! We can use it to track # of new entries over time.

Signed-off-by: Bob Callaway <bcallawa@redhat.com>

Co-authored-by: Dan Lorenc <dlorenc@google.com>

The search API allows callers to look for multiple entries in the same request; this change parallelizes the lookups to help speed up processing.

Signed-off-by: Bob Callaway <bcallawa@redhat.com>

QueuedLeafResponse holds the actual insertion response code, so check that instead of just the base GRPC status code.

also fixes middleware ordering issue

Signed-off-by: Bob Callaway <bcallawa@redhat.com>

This allows us to skip sticking it onto each request context and retrieving it.

Signed-off-by: Dan Lorenc <dlorenc@google.com>

After #77, we have one global GRPC channel for the entire process. This
change causes each GRPC call to be made on the incoming HTTP request's
context such that if an HTTP client cancels prematurely, we will handle
the GRPC cleanup appropriately.

Signed-off-by: Bob Callaway <bcallawa@redhat.com>

- adds trillian API object to context
- improves request error logging pre and post validation
- use consistent request context throughout all GRPC calls
- improve validation of incoming UUID values
- disable swagger UI endpoint
- only print cacheable headers if response code is HTTP 2XX
- use GetLeavesByRange instead of deprecated GetLeavesByIndex API

Signed-off-by: Bob Callaway <bcallawa@redhat.com>