Update rekor REST API to match Trillian semantics (sigstore#250)

This patch removes the /api/v1/log/entries/{uuid}/proof endpoint. If you
have the UUID (aka the leaf Merkle hash), you likely want proof that the
content represented by that hash is included in the log. There's no need
for a separate /proof endpoint to deliver the same content.

This commit also ensures that the getLogEntryByIndex and
getLogEntryByUUID endpoints return an inclusion proof as part of their
response content. The search endpoint also now returns the inclusion
proof of all entries returned from the query.

With this patch, Rekor no longer uses the deprecated `GetLeavesByHash`
Trillian API.

Fixes sigstore#229

Signed-off-by: Bob Callaway <bob.callaway@gmail.com>

Author: bobcallaway

Dockerfile

@@ -7,7 +7,8 @@ ADD go.mod go.sum $APP_ROOT/src/
 RUN go mod download
 
 # Add source code
-ADD ./ $APP_ROOT/src/
+ADD ./cmd/ $APP_ROOT/src/cmd/
+ADD ./pkg/ $APP_ROOT/src/pkg/
 
 RUN go build ./cmd/rekor-server
 RUN CGO_ENABLED=0 go build -gcflags "all=-N -l" -o rekor-server_debug ./cmd/rekor-server

Makefile

@@ -1,6 +1,6 @@
-.PHONY: all test clean lint gosec
+.PHONY: all test clean clean-gen lint gosec
 
-all: cli server
+all: rekor-cli rekor-server
 
 GENSRC = pkg/generated/client/%.go pkg/generated/models/%.go pkg/generated/restapi/%.go
 OPENAPIDEPS = openapi.yaml $(shell find pkg/types -iname "*.json")
@@ -20,17 +20,20 @@ lint:
 gosec:
 	$(GOBIN)/gosec ./...
 
-cli: $(SRCS)
+rekor-cli: $(SRCS)
 	go build ./cmd/rekor-cli
 
-server: $(SRCS)
+rekor-server: $(SRCS)
 	go build ./cmd/rekor-server
 
 test:
 	go test ./...
 
 clean:
-	rm -rf cli server
+	rm -rf rekor-cli rekor-server
+
+clean-gen: clean
+	rm -rf $(shell find pkg/generated -iname "*.go"|grep -v pkg/generated/restapi/configure_rekor_server.go)
 
 up:
 	docker-compose -f docker-compose.yml build

cmd/rekor-cli/app/log_info.go

@@ -160,11 +160,11 @@ var logInfoCmd = &cobra.Command{
 				log.CliLogger.Infof("Consistency proof valid!")
 			} else if persistedSize == lr.TreeSize {
 				if !bytes.Equal(oldState.RootHash, lr.RootHash) {
-					return nil, errors.New("Root hash returned from server does not match previously persisted state")
+					return nil, errors.New("root hash returned from server does not match previously persisted state")
 				}
 				log.CliLogger.Infof("Persisted log state matches the current state of the log")
 			} else if persistedSize > lr.TreeSize {
-				return nil, fmt.Errorf("Current size of tree reported from server %d is less than previously persisted state %d", lr.TreeSize, persistedSize)
+				return nil, fmt.Errorf("current size of tree reported from server %d is less than previously persisted state %d", lr.TreeSize, persistedSize)
 			}
 		} else {
 			log.CliLogger.Infof("No previous log state stored, unable to prove consistency")

cmd/rekor-cli/app/log_proof.go

@@ -53,7 +53,7 @@ var logProofCmd = &cobra.Command{
 	PreRunE: func(cmd *cobra.Command, args []string) error {
 		// these are bound here so that they are not overwritten by other commands
 		if err := viper.BindPFlags(cmd.Flags()); err != nil {
-			return fmt.Errorf("Error initializing cmd line args: %s", err)
+			return fmt.Errorf("error initializing cmd line args: %s", err)
 		}
 		if viper.GetUint64("first-size") == 0 {
 			return errors.New("first-size must be > 0")

cmd/rekor-cli/app/verify.go

@@ -75,7 +75,7 @@ var verifyCmd = &cobra.Command{
 	PreRunE: func(cmd *cobra.Command, args []string) error {
 		// these are bound here so that they are not overwritten by other commands
 		if err := viper.BindPFlags(cmd.Flags()); err != nil {
-			return fmt.Errorf("Error initializing cmd line args: %s", err)
+			return fmt.Errorf("error initializing cmd line args: %s", err)
 		}
 		if err := validateArtifactPFlags(true, true); err != nil {
 			_ = cmd.Help()
@@ -89,86 +89,76 @@ var verifyCmd = &cobra.Command{
 			return nil, err
 		}
 
-		params := entries.NewGetLogEntryProofParams()
-		params.EntryUUID = viper.GetString("uuid")
-		if params.EntryUUID == "" {
-			// without the UUID, we need to search for it
-			searchParams := entries.NewSearchLogQueryParams()
-			searchLogQuery := models.SearchLogQuery{}
+		searchParams := entries.NewSearchLogQueryParams()
+		searchLogQuery := models.SearchLogQuery{}
 
-			logIndex := viper.GetString("log-index")
-			if logIndex != "" {
-				logIndexInt, err := strconv.ParseInt(logIndex, 10, 0)
+		uuid := viper.GetString("uuid")
+		logIndex := viper.GetString("log-index")
+
+		if uuid != "" {
+			searchLogQuery.EntryUUIDs = append(searchLogQuery.EntryUUIDs, uuid)
+		} else if logIndex != "" {
+			logIndexInt, err := strconv.ParseInt(logIndex, 10, 0)
+			if err != nil {
+				return nil, fmt.Errorf("error parsing --log-index: %w", err)
+			}
+			searchLogQuery.LogIndexes = []*int64{&logIndexInt}
+		} else {
+			var entry models.ProposedEntry
+			switch viper.GetString("type") {
+			case "rekord":
+				entry, err = CreateRekordFromPFlags()
 				if err != nil {
-					return nil, fmt.Errorf("error parsing --log-index: %w", err)
+					return nil, err
 				}
-				searchLogQuery.LogIndexes = []*int64{&logIndexInt}
-			} else {
-				var entry models.ProposedEntry
-				switch viper.GetString("type") {
-				case "rekord":
-					entry, err = CreateRekordFromPFlags()
-					if err != nil {
-						return nil, err
-					}
-				case "rpm":
-					entry, err = CreateRpmFromPFlags()
-					if err != nil {
-						return nil, err
-					}
-				default:
-					return nil, errors.New("invalid type specified")
+			case "rpm":
+				entry, err = CreateRpmFromPFlags()
+				if err != nil {
+					return nil, err
 				}
-
-				entries := []models.ProposedEntry{entry}
-				searchLogQuery.SetEntries(entries)
-			}
-			searchParams.SetEntry(&searchLogQuery)
-
-			resp, err := rekorClient.Entries.SearchLogQuery(searchParams)
-			if err != nil {
-				return nil, err
+			default:
+				return nil, errors.New("invalid type specified")
 			}
 
-			if len(resp.Payload) == 0 {
-				return nil, fmt.Errorf("entry in log cannot be located")
-			} else if len(resp.Payload) > 1 {
-				return nil, fmt.Errorf("multiple entries returned; this should not happen")
-			}
-			logEntry := resp.Payload[0]
-			if len(logEntry) != 1 {
-				return nil, errors.New("UUID value can not be extracted")
-			}
-			for k := range logEntry {
-				params.EntryUUID = k
-			}
+			entries := []models.ProposedEntry{entry}
+			searchLogQuery.SetEntries(entries)
 		}
+		searchParams.SetEntry(&searchLogQuery)
 
-		resp, err := rekorClient.Entries.GetLogEntryProof(params)
+		resp, err := rekorClient.Entries.SearchLogQuery(searchParams)
 		if err != nil {
 			return nil, err
 		}
 
-		o := &verifyCmdOutput{
-			RootHash:  *resp.Payload.RootHash,
-			EntryUUID: params.EntryUUID,
-			Index:     *resp.Payload.LogIndex,
-			Size:      *resp.Payload.TreeSize,
-			Hashes:    resp.Payload.Hashes,
+		if len(resp.Payload) == 0 {
+			return nil, fmt.Errorf("entry in log cannot be located")
+		} else if len(resp.Payload) > 1 {
+			return nil, fmt.Errorf("multiple entries returned; this should not happen")
+		}
+		logEntry := resp.Payload[0]
+
+		var o *verifyCmdOutput
+		for k, v := range logEntry {
+			o = &verifyCmdOutput{
+				RootHash:  *v.InclusionProof.RootHash,
+				EntryUUID: k,
+				Index:     *v.LogIndex,
+				Size:      *v.InclusionProof.TreeSize,
+				Hashes:    v.InclusionProof.Hashes,
+			}
 		}
 
 		hashes := [][]byte{}
-		for _, h := range resp.Payload.Hashes {
+		for _, h := range o.Hashes {
 			hb, _ := hex.DecodeString(h)
 			hashes = append(hashes, hb)
 		}
 
-		rootHash, _ := hex.DecodeString(*resp.Payload.RootHash)
-		leafHash, _ := hex.DecodeString(params.EntryUUID)
+		rootHash, _ := hex.DecodeString(o.RootHash)
+		leafHash, _ := hex.DecodeString(o.EntryUUID)
 
 		v := logverifier.New(rfc6962.DefaultHasher)
-		if err := v.VerifyInclusionProof(*resp.Payload.LogIndex, *resp.Payload.TreeSize,
-			hashes, rootHash, leafHash); err != nil {
+		if err := v.VerifyInclusionProof(o.Index, o.Size, hashes, rootHash, leafHash); err != nil {
 			return nil, err
 		}
 		return o, err

openapi.yaml

@@ -41,6 +41,7 @@ paths:
           $ref: '#/responses/BadContent'
         default:
           $ref: '#/responses/InternalServerError'
+
   /api/v1/log:
     get:
       summary: Get information about the current state of the transparency log
@@ -140,7 +141,7 @@ paths:
         default:
           $ref: '#/responses/InternalServerError'
     get:
-      summary: Retrieves an entry from the transparency log (if it exists) by index
+      summary: Retrieves an entry and inclusion proof from the transparency log (if it exists) by index
       operationId: getLogEntryByIndex
       tags:
         - entries
@@ -153,7 +154,7 @@ paths:
           description: specifies the index of the entry in the transparency log to be retrieved
       responses:
         200:
-          description: the entry in the transparency log requested
+          description: the entry in the transparency log requested along with an inclusion proof
           schema:
             $ref: '#/definitions/LogEntry'
         404:
@@ -163,32 +164,9 @@ paths:
 
   /api/v1/log/entries/{entryUUID}:
     get:
-      summary: Retrieves an entry from the transparency log (if it exists) by UUID
+      summary: Get log entry and information required to generate an inclusion proof for the entry in the transparency log
+      description: Returns the entry, root hash, tree size, and a list of hashes that can be used to calculate proof of an entry being included in the transparency log
       operationId: getLogEntryByUUID
-      tags:
-        - entries
-      parameters:
-        - in: path
-          name: entryUUID
-          type: string
-          required: true
-          pattern: '^[0-9a-fA-F]{64}$'
-          description: the UUID of the entry to be retrieved from the log. The UUID is also the merkle tree hash of the entry.
-      responses:
-        200:
-          description: the entry in the transparency log requested
-          schema:
-            $ref: '#/definitions/LogEntry'
-        404:
-          $ref: '#/responses/NotFound'
-        default:
-          $ref: '#/responses/InternalServerError'
-
-  /api/v1/log/entries/{entryUUID}/proof:
-    get:
-      summary: Get information required to generate an inclusion proof for a specified entry in the transparency log
-      description: Returns root hash, tree size, and a list of hashes that can be used to calculate proof of an entry being included in the transparency log
-      operationId: getLogEntryProof
       tags:
         - entries
       parameters:
@@ -202,7 +180,7 @@ paths:
         200:
           description: Information needed for a client to compute the inclusion proof
           schema:
-            $ref: '#/definitions/InclusionProof'
+            $ref: '#/definitions/LogEntry'
         404:
           $ref: '#/responses/NotFound'
         default:
@@ -289,7 +267,10 @@ definitions:
           additionalProperties: true
         integratedTime:
           type: integer
+        inclusionProof:
+          $ref: '#/definitions/InclusionProof'
       required:
+        - "logIndex"
         - "body"
 
   SearchIndex: