Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package rekor for openSUSE:Factory checked in at 2022-09-27 20:14:31 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/rekor (Old) and /work/SRC/openSUSE:Factory/.rekor.new.2275 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "rekor" Tue Sep 27 20:14:31 2022 rev:10 rq:1006397 version:0.12.1 Changes: -------- --- /work/SRC/openSUSE:Factory/rekor/rekor.changes 2022-09-15 23:01:18.453574043 +0200 +++ /work/SRC/openSUSE:Factory/.rekor.new.2275/rekor.changes 2022-09-27 20:14:44.285933151 +0200 @@ -1,0 +2,11 @@ +Tue Sep 27 12:22:57 UTC 2022 - Marcus Meissner <meiss...@suse.com> + +- updated to rekor 0.12.1 (jsc#SLE-23476): + - ** Rekor ** v0.12.1 comes with a breaking change to rekor-cli v0.12.1. Users of rekor-cli MUST upgrade to the latest version + The addition of the intotov2 created a breaking change for the rekor-cli + - What's Changed + - fix: fix harness tests with intoto v0.0.2 by @asraa in #1052 + - feat: add file based signer and password by @asraa in #1049 + - Adds new rekor metrics for latency and QPS. by @var-sdk in #1059 + +------------------------------------------------------------------- Old: ---- rekor-0.12.0.tar.gz New: ---- rekor-0.12.1.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ rekor.spec ++++++ --- /var/tmp/diff_new_pack.Onf6lT/_old 2022-09-27 20:14:44.993934693 +0200 +++ /var/tmp/diff_new_pack.Onf6lT/_new 2022-09-27 20:14:45.001934710 +0200 
@@ -19,9 +19,9 @@ %define apps cli server Name: rekor -Version: 0.12.0 +Version: 0.12.1 Release: 0 -%define revision e7dc6c558491c108ed109557fad5404a5bef2197 +%define revision 584bc16fc8eba7c7663f540dea12730a71f830c1 Summary: Supply Chain Transparency Log License: Apache-2.0 URL: https://github.com/sigstore/rekor ++++++ rekor-0.12.0.tar.gz -> rekor-0.12.1.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rekor-0.12.0/.github/workflows/codeql-analysis.yml new/rekor-0.12.1/.github/workflows/codeql-analysis.yml --- old/rekor-0.12.0/.github/workflows/codeql-analysis.yml 2022-09-13 17:00:10.000000000 +0200 +++ new/rekor-0.12.1/.github/workflows/codeql-analysis.yml 2022-09-21 13:38:41.000000000 +0200 @@ -43,12 +43,12 @@ # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@b398f525a5587552e573b247ac661067fafa920b # v2.1.22 + uses: github/codeql-action/init@904260d7d935dff982205cbdb42025ce30b7a34f # v2.1.24 with: languages: ${{ matrix.language }} - name: Autobuild - uses: github/codeql-action/autobuild@b398f525a5587552e573b247ac661067fafa920b # v2.1.22 + uses: github/codeql-action/autobuild@904260d7d935dff982205cbdb42025ce30b7a34f # v2.1.24 - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@b398f525a5587552e573b247ac661067fafa920b # v2.1.22 + uses: github/codeql-action/analyze@904260d7d935dff982205cbdb42025ce30b7a34f # v2.1.24 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rekor-0.12.0/.github/workflows/depsreview.yml new/rekor-0.12.1/.github/workflows/depsreview.yml --- old/rekor-0.12.0/.github/workflows/depsreview.yml 2022-09-13 17:00:10.000000000 +0200 +++ new/rekor-0.12.1/.github/workflows/depsreview.yml 2022-09-21 13:38:41.000000000 +0200 
@@ -25,4 +25,4 @@ - name: 'Checkout Repository' uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v3 - name: 'Dependency Review' - uses: actions/dependency-review-action@23d1ffffb6fa5401173051ec21eba8c35242733f # v2 + uses: actions/dependency-review-action@2b96ea7f03d82de498e97b42e6bee3f7cb0dafaa # v2 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rekor-0.12.0/.github/workflows/main.yml new/rekor-0.12.1/.github/workflows/main.yml --- old/rekor-0.12.0/.github/workflows/main.yml 2022-09-13 17:00:10.000000000 +0200 +++ new/rekor-0.12.1/.github/workflows/main.yml 2022-09-21 13:38:41.000000000 +0200 @@ -43,7 +43,7 @@ - name: Test run: go test -v -coverprofile=coverage.txt -covermode=atomic ./... - name: Upload Coverage Report - uses: codecov/codecov-action@81cd2dc8148241f03f5839d295e000b8f761e378 # v3.1.0 + uses: codecov/codecov-action@d9f34f8cd5cb3b3eb79b3e4b5dae3a16df499a70 # v3.1.0 - name: Ensure no files were modified as a result of the build run: git update-index --refresh && git diff-index --quiet HEAD -- || git diff --exit-code diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rekor-0.12.0/.github/workflows/scorecard_action.yml new/rekor-0.12.1/.github/workflows/scorecard_action.yml --- old/rekor-0.12.0/.github/workflows/scorecard_action.yml 2022-09-13 17:00:10.000000000 +0200 +++ new/rekor-0.12.1/.github/workflows/scorecard_action.yml 2022-09-21 13:38:41.000000000 +0200 
@@ -52,6 +52,6 @@ # Upload the results to GitHub's code scanning dashboard. - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@b398f525a5587552e573b247ac661067fafa920b # v2.1.22 + uses: github/codeql-action/upload-sarif@904260d7d935dff982205cbdb42025ce30b7a34f # v2.1.24 with: sarif_file: results.sarif diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rekor-0.12.0/Dockerfile new/rekor-0.12.1/Dockerfile --- old/rekor-0.12.0/Dockerfile 2022-09-13 17:00:10.000000000 +0200 +++ new/rekor-0.12.1/Dockerfile 2022-09-21 13:38:41.000000000 +0200 @@ -13,7 +13,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -FROM golang:1.19.1@sha256:4c8f4b8402a868dc6fb3902c97032b971d0179fbe007be408b455697e98d194a AS builder +FROM golang:1.19.1@sha256:2d17ffd12a2cdb25d4a633ad25f8dc29608ed84f31b3b983427d825280427095 AS builder ENV APP_ROOT=/opt/app-root ENV GOPATH=$APP_ROOT @@ -30,7 +30,7 @@ RUN CGO_ENABLED=0 go build -gcflags "all=-N -l" -ldflags "${SERVER_LDFLAGS}" -o rekor-server_debug ./cmd/rekor-server # Multi-Stage production build -FROM golang:1.19.1@sha256:4c8f4b8402a868dc6fb3902c97032b971d0179fbe007be408b455697e98d194a as deploy +FROM golang:1.19.1@sha256:2d17ffd12a2cdb25d4a633ad25f8dc29608ed84f31b3b983427d825280427095 as deploy # Retrieve the binary from the previous stage COPY --from=builder /opt/app-root/src/rekor-server /usr/local/bin/rekor-server diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rekor-0.12.0/cmd/rekor-server/app/root.go new/rekor-0.12.1/cmd/rekor-server/app/root.go --- old/rekor-0.12.0/cmd/rekor-server/app/root.go 2022-09-13 17:00:10.000000000 +0200 +++ new/rekor-0.12.1/cmd/rekor-server/app/root.go 2022-09-21 13:38:41.000000000 +0200 
@@ -73,7 +73,11 @@ } rootCmd.PersistentFlags().String("rekor_server.hostname", hostname, "public hostname of instance") rootCmd.PersistentFlags().String("rekor_server.address", "127.0.0.1", "Address to bind to") - rootCmd.PersistentFlags().String("rekor_server.signer", "memory", "Rekor signer to use. Current valid options include: [gcpkms, memory]") + + rootCmd.PersistentFlags().String("rekor_server.signer", "memory", + `Rekor signer to use. Valid options are: [gcpkms, memory, filename containing PEM encoded private key]. + Memory and file-based signers should only be used for testing.`) + rootCmd.PersistentFlags().String("rekor_server.signer-passwd", "", "Password to decrypt signer private key") rootCmd.PersistentFlags().Uint16("port", 3000, "Port to bind to") diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rekor-0.12.0/go.mod new/rekor-0.12.1/go.mod --- old/rekor-0.12.0/go.mod 2022-09-13 17:00:10.000000000 +0200 +++ new/rekor-0.12.1/go.mod 2022-09-21 13:38:41.000000000 +0200 @@ -16,7 +16,7 @@ github.com/go-openapi/strfmt v0.21.3 github.com/go-openapi/swag v0.22.3 github.com/go-openapi/validate v0.22.0 - github.com/go-playground/validator/v10 v10.11.0 + github.com/go-playground/validator/v10 v10.11.1 github.com/google/go-cmp v0.5.9 github.com/google/rpmpack v0.0.0-20210518075352-dc539ef4f2ea github.com/google/trillian v1.5.0 @@ -56,6 +56,8 @@ require golang.org/x/exp v0.0.0-20220823124025-807a23277127 +require filippo.io/edwards25519 v1.0.0-rc.1 // indirect + require ( cloud.google.com/go v0.103.0 // indirect cloud.google.com/go/compute v1.7.0 // indirect 
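Review bot: `rekor_server.signer-passwd` takes the private-key password as a command-line flag, so the secret lands in process listings, shell history and anything that logs argv; the help text should steer operators toward a config file or environment variable instead. Suggest `rootCmd.PersistentFlags().String("rekor_server.signer-passwd", "", "Password to decrypt the signer private key (file-based signer only); prefer setting it via config file or environment rather than on the command line")`. Whether viper binds this flag to an environment variable is not visible in this hunk, so confirm that before promising it in the text. The raw-string help for `rekor_server.signer` also carries the source indentation of its second line into the `--help` output; joining the two sentences with `\n` in a regular string, or trimming, avoids that.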
@@ -116,12 +118,13 @@ github.com/x448/float16 v0.8.4 // indirect go.mongodb.org/mongo-driver v1.10.0 // indirect go.opencensus.io v0.23.0 // indirect + go.step.sm/crypto v0.19.0 go.uber.org/atomic v1.9.0 // indirect go.uber.org/multierr v1.8.0 // indirect golang.org/x/oauth2 v0.0.0-20220822191816-0ebed06d0094 // indirect golang.org/x/sys v0.0.0-20220907062415-87db552b00fd // indirect golang.org/x/term v0.0.0-20220526004731-065cf7ba2467 // indirect - golang.org/x/text v0.3.7 // indirect + golang.org/x/text v0.3.8-0.20211004125949-5bd84dd9b33b // indirect golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f // indirect google.golang.org/api v0.95.0 // indirect google.golang.org/appengine v1.6.7 // indirect diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rekor-0.12.0/go.sum new/rekor-0.12.1/go.sum --- old/rekor-0.12.0/go.sum 2022-09-13 17:00:10.000000000 +0200 +++ new/rekor-0.12.1/go.sum 2022-09-21 13:38:41.000000000 +0200 @@ -80,6 +80,8 @@ contrib.go.opencensus.io/exporter/stackdriver v0.13.10/go.mod h1:I5htMbyta491eUxufwwZPQdcKvvgzMB4O9ni41YnIM8= contrib.go.opencensus.io/integrations/ocsql v0.1.7/go.mod h1:8DsSdjz3F+APR+0z0WkU1aRorQCFfRxvqjUUPMbF3fE= dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU= +filippo.io/edwards25519 v1.0.0-rc.1 h1:m0VOOB23frXZvAOK44usCgLWvtsxIoMCTBGJZlpmGfU= +filippo.io/edwards25519 v1.0.0-rc.1/go.mod h1:N1IkdkCkiLB6tki+MYJoSx2JTY9NUlxZE7eHn5EwJns= github.com/Azure/azure-amqp-common-go/v3 v3.2.1/go.mod h1:O6X1iYHP7s2x7NjUKsXVhkwWrQhxrd+d8/3rRadj4CI= github.com/Azure/azure-amqp-common-go/v3 v3.2.2/go.mod h1:O6X1iYHP7s2x7NjUKsXVhkwWrQhxrd+d8/3rRadj4CI= github.com/Azure/azure-pipeline-go v0.2.3 h1:7U9HBg1JFK3jHl5qmo4CTZKFTVgMwdFHMVtCdfBE21U= 
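Review bot: `go.step.sm/crypto v0.19.0` is added inside the block of `// indirect` requirements but without the marker, which is the layout `go get` leaves behind; `go mod tidy` would move it up to the direct requirements where it belongs now that pkg/signer/file.go imports `go.step.sm/crypto/pemutil`. `golang.org/x/text` moves from the tagged `v0.3.7` to the pseudo-version `v0.3.8-0.20211004125949-5bd84dd9b33b`, presumably pulled in transitively; a pseudo-version dated before the v0.3.8 tag carries none of that release's fixes, so pin the tagged release once the dependency chain allows it.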
@@ -336,8 +338,8 @@ github.com/go-playground/universal-translator v0.18.0/go.mod h1:UvRDBj+xPUEGrFYl+lu/H90nyDXpg0fqeB/AQUGNTVA= github.com/go-playground/validator/v10 v10.2.0/go.mod h1:uOYAAleCW8F/7oMFd6aG0GOhaH6EGOAJShg8Id5JGkI= github.com/go-playground/validator/v10 v10.4.1/go.mod h1:nlOn6nFhuKACm19sB/8EGNn9GlaMV7XkbRSipzJ0Ii4= -github.com/go-playground/validator/v10 v10.11.0 h1:0W+xRM511GY47Yy3bZUbJVitCNg2BOGlCyvTqsp/xIw= -github.com/go-playground/validator/v10 v10.11.0/go.mod h1:i+3WkQ1FvaUjjxh1kSvIA4dMGDBiPU55YFDl0WbKdWU= +github.com/go-playground/validator/v10 v10.11.1 h1:prmOlTVv+YjZjmRmNSF3VmspqJIxJWXmqUsHwfTRRkQ= +github.com/go-playground/validator/v10 v10.11.1/go.mod h1:i+3WkQ1FvaUjjxh1kSvIA4dMGDBiPU55YFDl0WbKdWU= github.com/go-sql-driver/mysql v1.6.0 h1:BCTh4TKNUYmOmMUcQ3IipzF5prigylS7XXjEkfCHuOE= github.com/go-sql-driver/mysql v1.6.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= @@ -715,6 +717,7 @@ github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q= github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE= github.com/sirupsen/logrus v1.6.0/go.mod h1:7uNnSEd1DgxDLC74fIahvMZmmYsHGZGEOFrfsX/uA88= +github.com/smallstep/assert v0.0.0-20200723003110-82e2b9b3b262 h1:unQFBIznI+VYD1/1fApl1A+9VcBk+9dcqGfnePY87LY= github.com/soheilhy/cmux v0.1.4/go.mod h1:IM3LyeVVIOuxMH7sFAkER9+bJ4dT7Ms6E4xg4kGIyLM= github.com/spaolacci/murmur3 v0.0.0-20180118202830-f09979ecbc72/go.mod h1:JwIasOWyU6f++ZhiEuf87xNszmSA2myDM2Kzu9HwQUA= github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ= 
@@ -822,6 +825,8 @@ go.opentelemetry.io/otel v0.20.0 h1:eaP0Fqu7SXHwvjiqDq83zImeehOHX8doTvU9AwXON8g= go.opentelemetry.io/otel/trace v0.20.0 h1:1DL6EXUdcg95gukhuRRvLDO/4X5THh/5dIV52lqtnbw= go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI= +go.step.sm/crypto v0.19.0 h1:WxjUDeTDpuPZ1IR3v6c4jc6WdlQlS5IYYQBhfnG5uW0= +go.step.sm/crypto v0.19.0/go.mod h1:qZ+pNU1nV+THwP7TPTNCRMRr9xrRURhETTAK7U5psfw= go.uber.org/atomic v1.4.0/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE= go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc= go.uber.org/atomic v1.9.0 h1:ECmE8Bn/WFTYwEW/bpKD3M8VtR/zQVbavAoalC1PYyE= @@ -1107,8 +1112,9 @@ golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/text v0.3.8-0.20211004125949-5bd84dd9b33b h1:NXqSWXSRUSCaFuvitrWtU169I3876zRTalMRbfd6LL0= +golang.org/x/text v0.3.8-0.20211004125949-5bd84dd9b33b/go.mod h1:EFNZuWvGYxIRUEX+K8UmCFwYmZjqcrnq15ZuVldZkZ0= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rekor-0.12.0/pkg/api/api.go new/rekor-0.12.1/pkg/api/api.go --- old/rekor-0.12.0/pkg/api/api.go 2022-09-13 17:00:10.000000000 +0200 +++ new/rekor-0.12.1/pkg/api/api.go 2022-09-21 13:38:41.000000000 +0200 
@@ -90,7 +90,8 @@ log.Logger.Infof("Starting Rekor server with active tree %v", tid) ranges.SetActive(tid) - rekorSigner, err := signer.New(ctx, viper.GetString("rekor_server.signer")) + rekorSigner, err := signer.New(ctx, viper.GetString("rekor_server.signer"), + viper.GetString("rekor_server.signer-passwd")) if err != nil { return nil, fmt.Errorf("getting new signer: %w", err) } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rekor-0.12.0/pkg/api/metrics.go new/rekor-0.12.1/pkg/api/metrics.go --- old/rekor-0.12.0/pkg/api/metrics.go 2022-09-13 17:00:10.000000000 +0200 +++ new/rekor-0.12.1/pkg/api/metrics.go 2022-09-21 13:38:41.000000000 +0200 @@ -16,6 +16,8 @@ package api import ( + "time" + "github.com/prometheus/client_golang/prometheus" "github.com/prometheus/client_golang/prometheus/promauto" ) @@ -35,4 +37,18 @@ Name: "rekor_api_latency_summary", Help: "Api Latency on calls", }, []string{"path", "code"}) + + MetricRequestLatency = promauto.NewHistogramVec(prometheus.HistogramOpts{ + Name: "rekor_latency_by_api", + Help: "Api Latency (in ns) by path and method", + Buckets: prometheus.ExponentialBucketsRange( + float64(time.Millisecond), + float64(4*time.Second), + 10), + }, []string{"path", "method"}) + + MetricRequestCount = promauto.NewCounterVec(prometheus.CounterOpts{ + Name: "rekor_qps_by_api", + Help: "Api QPS by path, method, and response code", + }, []string{"path", "method", "code"}) ) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rekor-0.12.0/pkg/generated/restapi/configure_rekor_server.go new/rekor-0.12.1/pkg/generated/restapi/configure_rekor_server.go --- old/rekor-0.12.0/pkg/generated/restapi/configure_rekor_server.go 2022-09-13 17:00:10.000000000 +0200 +++ new/rekor-0.12.1/pkg/generated/restapi/configure_rekor_server.go 2022-09-21 13:38:41.000000000 +0200 @@ -18,6 +18,7 @@ package restapi import ( + "context" "crypto/tls" "net/http" "strconv" 
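Review bot: The new metric names in metrics.go do not follow Prometheus naming conventions: `rekor_qps_by_api` is a plain counter, so it carries neither the `_total` suffix nor an actual rate (QPS is what `rate()` over it yields), and `rekor_latency_by_api` observes raw nanoseconds with the unit mentioned only in the Help string. Consider `Name: "rekor_api_requests_total"` and `Name: "rekor_api_latency_nanoseconds"` (or observe `time.Since(start).Seconds()` and name it `_seconds`, the base unit promtool expects) before these names are scraped and baked into dashboards. The `method`/`path` labels are bounded because the values come from the fixed list registered in configure_rekor_server.go rather than from the request URL, which keeps cardinality under control.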
@@ -47,6 +48,18 @@ //go:generate swagger generate server --target ../../generated --name RekorServer --spec ../../../openapi.yaml --principal interface{} --exclude-main +type contextKey string + +var ( + ctxKeyAPIToRecord = contextKey("apiToRecord") +) + +// Context payload for recording metrics. +type apiToRecord struct { + method *string // Method to record in metrics, if any. + path *string // Path to record in metrics, if any. +} + func configureFlags(api *operations.RekorServerAPI) { // api.CommandLineOptionsGroups = []swag.CommandLineOptionsGroup{ ... } } @@ -104,6 +117,16 @@ api.AddMiddlewareFor("GET", "/api/v1/log/publicKey", cacheForever) api.AddMiddlewareFor("GET", "/api/v1/log/timestamp/certchain", cacheForever) + // add metrics for explicitly handled endpoints + recordMetricsForAPI(api, "POST", "/api/v1/index/retrieve") + recordMetricsForAPI(api, "GET", "/api/v1/log") + recordMetricsForAPI(api, "GET", "/api/v1/publicKey") + recordMetricsForAPI(api, "GET", "/api/v1/log/proof") + recordMetricsForAPI(api, "GET", "/api/v1/log/entries") + recordMetricsForAPI(api, "POST", "/api/v1/log/entries") + recordMetricsForAPI(api, "GET", "/api/v1/log/entries/{entryUUID}") + recordMetricsForAPI(api, "GET", "/api/v1/log/entries/retrieve") + return setupGlobalMiddleware(api.Serve(setupMiddlewares)) } 
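Review bot: `recordMetricsForAPI(api, "GET", "/api/v1/publicKey")` does not match the route registered a few lines above as `/api/v1/log/publicKey`; if `AddMiddlewareFor` silently ignores an unknown method/path pair (not visible here), the public-key endpoint is never instrumented and the only signal is the per-request warning logged in wrapMetrics. Change it to `recordMetricsForAPI(api, "GET", "/api/v1/log/publicKey")`. `/api/v1/log/timestamp/certchain`, also registered above with `cacheForever`, is missing from the list as well, which matters now that even the pre-existing `rekor_api_latency` metrics are only emitted for listed endpoints. The comment on `apiToRecord` could also explain its lifecycle, e.g. `// apiToRecord is allocated per request by wrapMetrics and filled in by the route middleware installed by recordMetricsForAPI; nil fields mean the route is not instrumented.`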
@@ -159,18 +182,59 @@ })) } +// Populates the the apiToRecord for this method/path so metrics are emitted. +func recordMetricsForAPI(api *operations.RekorServerAPI, method string, path string) { + metricsHandler := func(handler http.Handler) http.Handler { + return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + ctx := r.Context() + if apiInfo, ok := ctx.Value(ctxKeyAPIToRecord).(*apiToRecord); ok { + apiInfo.method = &method + apiInfo.path = &path + } else { + log.ContextLogger(ctx).Warn("Could not attach api info - endpoint may not be monitored.") + } + handler.ServeHTTP(w, r) + }) + } + + api.AddMiddlewareFor(method, path, metricsHandler) +} + func wrapMetrics(handler http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + ctx := r.Context() + apiInfo := apiToRecord{} + ctx = context.WithValue(ctx, ctxKeyAPIToRecord, &apiInfo) + r = r.WithContext(ctx) + start := time.Now() ww := middleware.NewWrapResponseWriter(w, r.ProtoMajor) defer func() { - labels := map[string]string{ - "path": r.URL.Path, - "code": strconv.Itoa(ww.Status()), + // Only record metrics for APIs that need instrumentation. + if apiInfo.path != nil && apiInfo.method != nil { + code := strconv.Itoa(ww.Status()) + labels := map[string]string{ + "path": *apiInfo.path, + "code": code, + } + // This logs latency broken down by URL path and response code + // TODO(var-sdk): delete these metrics once the new metrics are safely rolled out. 
+ pkgapi.MetricLatency.With(labels).Observe(float64(time.Since(start))) + pkgapi.MetricLatencySummary.With(labels).Observe(float64(time.Since(start))) + + pkgapi.MetricRequestLatency.With( + map[string]string{ + "path": *apiInfo.path, + "method": *apiInfo.method, + }).Observe(float64(time.Since(start))) + + pkgapi.MetricRequestCount.With( + map[string]string{ + "path": *apiInfo.path, + "method": *apiInfo.method, + "code": code, + }).Inc() } - // This logs latency broken down by URL path and response code - pkgapi.MetricLatency.With(labels).Observe(float64(time.Since(start))) - pkgapi.MetricLatencySummary.With(labels).Observe(float64(time.Since(start))) }() handler.ServeHTTP(ww, r) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rekor-0.12.0/pkg/signer/file.go new/rekor-0.12.1/pkg/signer/file.go --- old/rekor-0.12.0/pkg/signer/file.go 1970-01-01 01:00:00.000000000 +0100 +++ new/rekor-0.12.1/pkg/signer/file.go 2022-09-21 13:38:41.000000000 +0200 
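Review bot: `time.Since(start)` is evaluated four times inside the deferred function of wrapMetrics, so the four observations for one request disagree slightly and the cost of each `Observe` call leaks into the next value; compute it once with `elapsed := float64(time.Since(start))` and pass `elapsed` to every `Observe`. The legacy `MetricLatency`/`MetricLatencySummary` observations moved inside the `apiInfo.path != nil && apiInfo.method != nil` guard, so endpoints not registered via recordMetricsForAPI silently drop out of the old metrics too; that is a behaviour change existing dashboards may not expect and deserves a sentence in the TODO comment, e.g. `// NOTE: since the per-route middleware was added, these legacy metrics are only emitted for routes registered with recordMetricsForAPI.` The body of wrapMetrics continues past the end of this hunk.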
@@ -0,0 +1,43 @@
+/*
+Copyright The Rekor Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package signer
+
+import (
+ "crypto"
+ "fmt"
+
+ "github.com/sigstore/sigstore/pkg/signature"
+ "go.step.sm/crypto/pemutil"
+)
+
+// returns an file based signer and verify, used for spinning up local instances
+type File struct {
+ signature.SignerVerifier
+}
+
+func NewFile(keyPath, keyPass string) (*File, error) {
+ opaqueKey, err := pemutil.Read(keyPath, pemutil.WithPassword([]byte(keyPass)))
+ if err != nil {
+ return nil, fmt.Errorf("file: provide a valid signer, %s is not valid: %w", keyPath, err)
+ }
+
+ signer, err := signature.LoadSignerVerifier(opaqueKey, crypto.SHA256)
+ if err != nil {
+ return nil, fmt.Errorf(`file: loaded private key from %s can't be used to sign: %w`, keyPath, err)
+ }
+ return &File{signer}, nil
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rekor-0.12.0/pkg/signer/file_test.go new/rekor-0.12.1/pkg/signer/file_test.go
--- old/rekor-0.12.0/pkg/signer/file_test.go 1970-01-01 01:00:00.000000000 +0100
+++ new/rekor-0.12.1/pkg/signer/file_test.go 2022-09-21 13:38:41.000000000 +0200
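Review bot: The comment above `type File` does not describe the type and should start with its name, and `NewFile` has no doc comment at all; suggest `// File is a SignerVerifier backed by a PEM-encoded private key on disk, intended for local or test instances.` and `// NewFile loads the PEM-encoded private key at keyPath, decrypting it with keyPass when the file is encrypted, and returns a signer/verifier that hashes with SHA-256.` An empty keyPass is passed through as `WithPassword([]byte(""))`; whether pemutil then returns an error or falls back to an interactive prompt that would block a headless server on an encrypted key is not visible here and is worth checking so that startup fails fast with a clear error. The key-file path is embedded in both error strings, which is useful operationally, and the password never is, which is correct.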
@@ -0,0 +1,72 @@ +/* +Copyright The Rekor Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package signer + +import ( + "os" + "path/filepath" + "testing" +) + +const testEcdsaKey = ` +-----BEGIN EC PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: AES-256-CBC,1ee56fe067d83265fe430391edfa6586 + +W5NqqRe5rOVe4OvxehYKm6wscR1JFoyRyd8M+Rutp8Q2lxPuKFhR4FZ61b0yy6pr +LGJGQWOTIZxrNZ8g4JeS9I3huDWGloZRI2fbTg69HK4EiQQWUc1wS1TWAVoaf4fr +LclBWxp2UzqHDaNJ0/2DoGFZhaeMU84VA1O41lO+p5Cx4bms0yWeEHwOrf2AmnNY +l5Zm9zoPpXxaDEPSTs5c1loRmmxPHKgb68oZPxEnsCg= +-----END EC PRIVATE KEY-----` + +func TestFile(t *testing.T) { + testKeyPass := `password123` + td := t.TempDir() + keyFile := filepath.Join(td, "ecdsa-key.pem") + if err := os.WriteFile(keyFile, []byte(testEcdsaKey), 0644); err != nil { + t.Fatal(err) + } + + tests := []struct { + name string + keyPath string + keyPass string + wantErr bool + }{ + { + name: "valid ecdsa", + keyPath: keyFile, + keyPass: testKeyPass, + wantErr: false, + }, + { + name: "invalid pass", + keyPath: keyFile, + keyPass: "123", + wantErr: true, + }, + } + for _, tc := range tests { + t.Run(tc.name, func(t *testing.T) { + tc := tc + _, err := NewFile(tc.keyPath, tc.keyPass) + if tc.wantErr != (err != nil) { + t.Errorf("NewFile() expected %t, got err %s", tc.wantErr, err) + } + }) + } +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rekor-0.12.0/pkg/signer/memory_test.go new/rekor-0.12.1/pkg/signer/memory_test.go --- 
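Review bot: `tc := tc` on the first line inside the `t.Run` closure in TestFile is too late to matter, because the closure has already captured the loop variable, so it is either dead (there is no `t.Parallel()`) or misplaced; move it to the top of the `for` body or delete it. `t.Errorf("NewFile() expected %t, got err %s", tc.wantErr, err)` formats a nil error with `%s`, which prints `%!s(<nil>)`; use `%v`. Writing the encrypted test key with `0644` is harmless inside `t.TempDir()`, but `0600` would mirror how a real signer key should be stored.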
old/rekor-0.12.0/pkg/signer/memory_test.go 2022-09-13 17:00:10.000000000 +0200 +++ new/rekor-0.12.1/pkg/signer/memory_test.go 2022-09-21 13:38:41.000000000 +0200 @@ -24,7 +24,7 @@ func TestMemory(t *testing.T) { ctx := context.Background() - m, err := New(ctx, "memory") + m, err := New(ctx, "memory", "") if err != nil { t.Fatalf("new memory: %v", err) } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rekor-0.12.0/pkg/signer/signer.go new/rekor-0.12.1/pkg/signer/signer.go --- old/rekor-0.12.0/pkg/signer/signer.go 2022-09-13 17:00:10.000000000 +0200 +++ new/rekor-0.12.1/pkg/signer/signer.go 2022-09-21 13:38:41.000000000 +0200 @@ -18,20 +18,19 @@ import ( "context" - "fmt" "strings" "github.com/sigstore/sigstore/pkg/signature" "github.com/sigstore/sigstore/pkg/signature/kms/gcp" ) -func New(ctx context.Context, signer string) (signature.Signer, error) { +func New(ctx context.Context, signer string, pass string) (signature.Signer, error) { switch { case strings.HasPrefix(signer, gcp.ReferenceScheme): return gcp.LoadSignerVerifier(ctx, signer) case signer == MemoryScheme: return NewMemory() default: - return nil, fmt.Errorf("please provide a valid signer, %v is not valid", signer) + return NewFile(signer, pass) } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/rekor-0.12.0/tests/e2e_test.go new/rekor-0.12.1/tests/e2e_test.go --- old/rekor-0.12.0/tests/e2e_test.go 2022-09-13 17:00:10.000000000 +0200 +++ new/rekor-0.12.1/tests/e2e_test.go 2022-09-21 13:38:41.000000000 +0200 @@ -19,6 +19,7 @@ package e2e import ( + "bufio" "bytes" "context" "crypto" @@ -37,6 +38,7 @@ "os/exec" "path/filepath" "reflect" + "regexp" "strconv" "strings" "testing" 
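Review bot: `New` in signer.go now treats every value that is neither a gcpkms reference nor `memory` as a key-file path, and the previous explicit "please provide a valid signer" error is gone, so a typo in `rekor_server.signer` surfaces only as a file-open error; that is acceptable but should be stated on the function, which has no doc comment. Suggest `// New returns the signer selected by signer: a gcpkms reference, the in-memory scheme, or otherwise the path to a PEM-encoded private key that is decrypted with pass.` The CLI help text added in root.go calls the file-based signer test-only; if that is the intent, a startup log line naming which signer was chosen would make an accidental file-signer deployment visible to operators.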
@@ -1347,3 +1349,75 @@ t.Fatalf("expected 404 status code but got %d", resp.StatusCode) } } + +func getRekorMetricCount(metricLine string, t *testing.T) (int, error) { + re, err := regexp.Compile(fmt.Sprintf("^%s.*([0-9]+)$", regexp.QuoteMeta(metricLine))) + if err != nil { + return 0, err + } + + resp, err := http.Get("http://localhost:2112/metrics") + if err != nil { + return 0, err + } + defer resp.Body.Close() + + scanner := bufio.NewScanner(resp.Body) + for scanner.Scan() { + match := re.FindStringSubmatch(scanner.Text()) + if len(match) != 2 { + continue + } + + result, err := strconv.Atoi(match[1]) + if err != nil { + return 0, nil + } + t.Log("Matched metric line: " + scanner.Text()) + return result, nil + } + return 0, nil +} + +// Smoke test to ensure we're publishing and recording metrics when an API is +// called. +// TODO: use a more robust test approach here e.g. prometheus client-based? +// TODO: cover all endpoints to make sure none are dropped. +func TestMetricsCounts(t *testing.T) { + latencyMetric := "rekor_latency_by_api_count{method=\"GET\",path=\"/api/v1/log\"}" + qpsMetric := "rekor_qps_by_api{code=\"200\",method=\"GET\",path=\"/api/v1/log\"}" + + latencyCount, err := getRekorMetricCount(latencyMetric, t) + if err != nil { + t.Fatal(err) + } + + qpsCount, err := getRekorMetricCount(qpsMetric, t) + if err != nil { + t.Fatal(err) + } + + resp, err := http.Get("http://localhost:3000/api/v1/log") + if err != nil { + t.Fatal(err) + } + resp.Body.Close() + + latencyCount2, err := getRekorMetricCount(latencyMetric, t) + if err != nil { + t.Fatal(err) + } + + qpsCount2, err := getRekorMetricCount(qpsMetric, t) + if err != nil { + t.Fatal(err) + } + + if latencyCount2-latencyCount != 1 { + t.Error("rekor_latency_by_api_count did not increment") + } + + if qpsCount2-qpsCount != 1 { + t.Error("rekor_qps_by_api did not increment") + } +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' 
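Review bot: The pattern built in `getRekorMetricCount`, `^%s.*([0-9]+)$`, has a greedy `.*` ahead of the capture group, so the group matches only the final digit of the sample value (for a line ending in ` 12` it returns 2); the increment-by-one assertions in TestMetricsCounts pass only while the counters stay single-digit or do not cross a power of ten. Anchor the value instead: `re, err := regexp.Compile(fmt.Sprintf("^%s\\s+([0-9]+)$", regexp.QuoteMeta(metricLine)))`. In the same helper the `strconv.Atoi` failure path returns `0, nil`, hiding a parse error behind a zero count; make it `return 0, err`. client_golang's text exposition may print large or non-integral samples in `%g` style (e.g. `1e+06`), so parsing with `strconv.ParseFloat` would be more robust than `Atoi`, though that is not exercised by this test.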
old/rekor-0.12.0/tests/harness_test.go new/rekor-0.12.1/tests/harness_test.go --- old/rekor-0.12.0/tests/harness_test.go 2022-09-13 17:00:10.000000000 +0200 +++ new/rekor-0.12.1/tests/harness_test.go 2022-09-21 13:38:41.000000000 +0200 @@ -246,7 +246,12 @@ // Make sure we can get and verify all entries // For attestations, make sure we can see the attestation +// Older versions of the CLI may not be able to parse the retrieved entry. func TestHarnessGetAllEntriesLogIndex(t *testing.T) { + if rekorCLIIncompatible() { + t.Skipf("Skipping getting entries by UUID, old rekor-cli version %s is incompatible with server version %s", os.Getenv("CLI_VERSION"), os.Getenv("SERVER_VERSION")) + } + treeSize := activeTreeSize(t) if treeSize == 0 { t.Fatal("There are 0 entries in the log, there should be at least 2") @@ -331,11 +336,15 @@ // Check if we have a new server version and an old CLI version // since the new server returns an EntryID but the old CLI version expects a UUID +// Also, new rekor server allows upload of intoto v0.0.2, and old rekor cli versions +// don't understand how to parse these entries. +// TODO: use semver comparisons. func rekorCLIIncompatible() bool { if sv := os.Getenv("SERVER_VERSION"); sv != "v0.10.0" && sv != "v0.11.0" { if cv := os.Getenv("CLI_VERSION"); cv == "v0.10.0" || cv == "v0.11.0" { return true } } + return false } ++++++ vendor.tar.xz ++++++ ++++ 892377 lines of diff (skipped)
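Review bot: The skip message added to `TestHarnessGetAllEntriesLogIndex` says "Skipping getting entries by UUID" although the test name and the surrounding comment describe fetching entries by log index; change it to `t.Skipf("Skipping getting entries by log index, old rekor-cli version %s is incompatible with server version %s", os.Getenv("CLI_VERSION"), os.Getenv("SERVER_VERSION"))`. `rekorCLIIncompatible` still hard-codes `v0.10.0`/`v0.11.0` as the only incompatible pairs, which the TODO acknowledges; until a semver comparison lands, the comment should say that any version pair not listed is assumed compatible, so a genuinely incompatible newer pair will fail the harness rather than skip it.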