Fix searching by hash

Signed-off-by: Priya Wadhwa <priya@chainguard.dev>

.gitignore

@@ -19,3 +19,4 @@ trillianServerImagerefs
 trillianSignerImagerefs
 cosign.*
 signature
+rekor.pub

pkg/api/entries.go

@@ -350,7 +350,6 @@ func GetLogEntryByUUIDHandler(params entries.GetLogEntryByUUIDParams) middleware
 func SearchLogQueryHandler(params entries.SearchLogQueryParams) middleware.Responder {
 	httpReqCtx := params.HTTPRequest.Context()
 	resultPayload := []models.LogEntry{}
-	tc := NewTrillianClient(httpReqCtx)
 
 	totalQueries := len(params.Entry.EntryUUIDs) + len(params.Entry.Entries()) + len(params.Entry.LogIndexes)
 	if totalQueries > maxSearchQueries {
@@ -415,24 +414,31 @@ func SearchLogQueryHandler(params entries.SearchLogQueryParams) middleware.Respo
 			searchHashes = append(searchHashes, hash)
 		}
 
-		searchByHashResults := make([][]*trillian.GetEntryAndProofResponse, len(searchHashes))
+		searchByHashResults := make([]map[int64]*trillian.GetEntryAndProofResponse, len(searchHashes))
 		g, _ = errgroup.WithContext(httpReqCtx)
 		for i, hash := range searchHashes {
 			i, hash := i, hash // https://golang.org/doc/faq#closures_and_goroutines
 			g.Go(func() error {
-				var results []*trillian.GetEntryAndProofResponse
+				var results map[int64]*trillian.GetEntryAndProofResponse
 				for _, shard := range api.logRanges.AllShards() {
 					tcs := NewTrillianClientFromTreeID(httpReqCtx, shard)
 					resp := tcs.getLeafAndProofByHash(hash)
 					if resp.status != codes.OK {
 						continue
 					}
+					if resp.err != nil {
+						continue
+					}
 					leafResult := resp.getLeafAndProofResult
 					if leafResult != nil && leafResult.Leaf != nil {
-						results = append(results, resp.getLeafAndProofResult)
+						if results == nil {
+							results = map[int64]*trillian.GetEntryAndProofResponse{}
+						}
+						results[shard] = resp.getLeafAndProofResult
 					}
 				}
 				if results == nil {
+					code = http.StatusNotFound
 					return fmt.Errorf("no responses found")
 				}
 				searchByHashResults[i] = results
@@ -444,17 +450,13 @@ func SearchLogQueryHandler(params entries.SearchLogQueryParams) middleware.Respo
 			return handleRekorAPIError(params, code, err, err.Error())
 		}
 
-		var flattenedHashResults []*trillian.GetEntryAndProofResponse
-		for _, s := range searchByHashResults {
-			flattenedHashResults = append(flattenedHashResults, s...)
-		}
-
-		for _, leafResp := range flattenedHashResults {
-			if leafResp == nil {
-				continue
-			}
-			for _, shard := range api.logRanges.AllShards() {
-				logEntry, err := logEntryFromLeaf(httpReqCtx, api.signer, tc, leafResp.Leaf, leafResp.SignedLogRoot, leafResp.Proof, shard, api.logRanges)
+		for _, hashMap := range searchByHashResults {
+			for shard, leafResp := range hashMap {
+				if leafResp == nil {
+					continue
+				}
+				tcs := NewTrillianClientFromTreeID(httpReqCtx, shard)
+				logEntry, err := logEntryFromLeaf(httpReqCtx, api.signer, tcs, leafResp.Leaf, leafResp.SignedLogRoot, leafResp.Proof, shard, api.logRanges)
 				if err != nil {
 					continue
 				}

tests/sharding-e2e-test.sh

@@ -24,8 +24,8 @@ set -ex
 echo "Installing createtree..."
 go install github.com/google/trillian/cmd/createtree@latest
 
-echo "Installing cosign..."
-go install github.com/sigstore/cosign/cmd/cosign@latest
+# echo "Installing cosign..."
+# go install github.com/sigstore/cosign/cmd/cosign@latest
 
 echo "starting services"
 docker-compose up -d
@@ -134,7 +134,7 @@ echo "the new shard ID is $SHARD_TREE_ID"
 $REKOR_CLI loginfo --rekor_server http://localhost:3000
 
 # Get the public key for the active tree for later
-ENCODED_PUBLIC_KEY=$(curl http://localhost:3000/api/v1/log/publicKey | base64 -w 0)
+ENCODED_PUBLIC_KEY=$(curl http://localhost:3000/api/v1/log/publicKey | base64)
 
 # Spin down the rekor server
 echo "stopping the rekor server..."
@@ -227,12 +227,12 @@ $REKOR_CLI logproof --last-size 2 --tree-id $INITIAL_TREE_ID --rekor_server http
 $REKOR_CLI logproof --last-size 1 --rekor_server http://localhost:3000
 
 echo "Getting public key for inactive shard..."
-GOT_PUB_KEY=$(curl "http://localhost:3000/api/v1/log/publicKey?treeID=$INITIAL_TREE_ID" | base64 -w 0)
+GOT_PUB_KEY=$(curl "http://localhost:3000/api/v1/log/publicKey?treeID=$INITIAL_TREE_ID" | base64)
 echo "Got encoded public key $GOT_PUB_KEY, making sure this matches the public key we got earlier..."
 stringsMatch $ENCODED_PUBLIC_KEY $GOT_PUB_KEY
 
 echo "Getting the public key for the active tree..."
-NEW_PUB_KEY=$(curl "http://localhost:3000/api/v1/log/publicKey" | base64 -w 0)
+NEW_PUB_KEY=$(curl "http://localhost:3000/api/v1/log/publicKey" | base64)
 echo "Making sure the public key for the active shard is different from the inactive shard..."
 if [[ "$ENCODED_PUBLIC_KEY" == "$NEW_PUB_KEY" ]]; then
     echo
@@ -255,7 +255,8 @@ NUM_ELEMENTS=$(curl -f http://localhost:3000/api/v1/log/entries/retrieve -H "Con
 stringsMatch $NUM_ELEMENTS "1"
 
 # Make sure we can verify the blob we entered into the now-inactive shard
-COSIGN_EXPERIMENTAL=1 cosign verify-blob README.md --key cosign.pub --rekor-url http://localhost:3000  --signature ./signature
+echo $NEW_PUB_KEY > rekor.pub
+COSIGN_EXPERIMENTAL=1 SIGSTORE_REKOR_PUBLIC_KEY=./rekor.pub cosign verify-blob README.md --key cosign.pub --rekor-url http://localhost:3000  --signature ./signature
 
 # -f makes sure we exit on failure
 NUM_ELEMENTS=$(curl -f http://localhost:3000/api/v1/log/entries/retrieve -H "Content-Type: application/json" -H "Accept: application/json" -d "{ \"entryUUIDs\": [\"$ENTRY_ID_1\", \"$ENTRY_ID_2\"]}" | jq '. | length')