Search inactive trees for GET by UUID requests

[lkatalin]

UPDATED:
This fix is useful for client v0.5 when there is more than one shard. When a GET by UUID request is made with a UUID (as opposed to the EntryID that has the prepended TreeID), this change will first check the active tree, then iterate through inactive trees to see if the UUID can be found in any of them.

Fixes the "expected bug" mentioned in #711

Add temporary fix to check old prod treeID for entry if UUID is not
found in active tree. This can be removed once client v0.5 is phased
out.

Related to #711 (the "expected bug") - this fix is only needed if we plan to shard the production server before the client v0.5 is phased out.

[priyawadhwa]

Instead of hardcoding the tree ID, could we go through all inactive shards in ranges and see if the UUID exists in them?

[lkatalin]

Great idea! Done in updated version.

[priyawadhwa]

Instead of doing this logic here, I think it would make more sense in this conditional where we don't have a tree ID:

https://github.com/sigstore/rekor/blob/main/pkg/api/entries.go#L283-L290

so basically, if we don't have a tree id:

1. Check the active tree ID
2. If that fails, start going through each inactive shard & check those.
3. If none of those work, return an error

[lkatalin]

Some notes on the new version:

• I made a new function called GetTrees() in api.go that can be used in entries.go to avoid doing a bunch of imports in that file.
• I made a new function GetLogServerAndClients() for setting up the logClient and logAdminClient since this is used in both GetTrees() and NewAPI()
• Pulled out logic to check a tree for a UUID into its own function AttemptRetrieveUUID() since this is now called multiple times in GetLogEntryByUUIDHandler()
• Did some refactoring of GetLogEntryByUUIDHandler() because it had a lot of if/else statements. I think the switch makes it more readable but maybe it can be improved further.

I don't like returning the error from AttemptRetrieveUUID() as a bool, but could not quickly find a way to check a middleware.Responder to see if it is an error type - any ideas here?

[codecov-commenter]

Codecov Report

Merging #750 (ff9f2fd) into main (34d242e) will increase coverage by 0.08%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##             main     #750      +/-   ##
==========================================
+ Coverage   49.02%   49.11%   +0.08%     
==========================================
  Files          61       61              
  Lines        5566     5566              
==========================================
+ Hits         2729     2734       +5     
+ Misses       2542     2538       -4     
+ Partials      295      294       -1     

Impacted Files	Coverage Δ
pkg/types/alpine/v0.0.1/entry.go	63.17% <0.00%> (+1.93%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 34d242e...ff9f2fd. Read the comment docs.

[lkatalin]

I would love to not return the bool here (it's just a marker for whether this is an error state) - is there some way to check a middleware.Responder to see if it's an error type? Or should we implement something? I wanted to throw this up quickly so didn't go down this path of investigation. Could also return a separate error but it would be great if even that is not necessary.

[priyawadhwa]

nit: I would just call this RetrieveUUID, it's implied that we're attempting to do so

[lkatalin]

That's fair :)

[priyawadhwa]

The switch statement within the switch statement is a little hard to read. How about a structure like this:

tidString, err := sharding.GetTreeIDFromIDString(params.EntryUUID)
if err == nil {
   // Get the UUID from the specified TreeID
}
// This should get the active tree ID and the inactive IDs
trees, err := GetTrees()
if err != nil {
  return handleRekorAPIError(params, http.StatusBadRequest, err, "")
}
for _, t := range trees {
  logEntry, err := RetrieveUUID(params, uuid, t)
  if err != nil {
    continue
  }
  return entries.NewGetLogEntryByUUIDOK().WithPayload(logEntry)
}
// If we've reached this point, none of the shards have worked out, so return an error
return handleRekorAPIError(params, http.StatusBadRequest, fmt.Errorf("unable to find UUID"), "")

[lkatalin]

I changed it to be more like this, let me know what you think about the readability.

[priyawadhwa]

Won't GetTrees include the active Tree ID?

[priyawadhwa]

I think we should be getting this list of trees from the config and the tlog_id flag, rather than from the server. Right now, this will return all trees, but it doesn't make sense to check them if the user hasn't specified them in the config.

[lkatalin]

Thanks for the good comments @priyawadhwa , will incorporate these and get a new one up.

[lkatalin]

@priyawadhwa It's ready!

[priyawadhwa]

Thanks for the speedy changes @lkatalin ! Just a couple more comments and we should be good to go :)

[priyawadhwa]

We probably shouldn't hide this error, might be useful to return it for the user if it's non-nil

[lkatalin]

This makes sense now when returning (models.LogEntry, error) from RetrieveUUID

[priyawadhwa]

Best practice would be not to hardcode this string in case someone changes the wording on the error later on. You could either:

1. Create an error type to check for (example here which uses errors.Is)
2. Change the GetUUIDFromIDString function to return "", nil in the case that there is no treeID. That way the error is nil, but we know if the treeID is empty that we have to go through all the shards

[lkatalin]

Yes, these options make more sense.

[priyawadhwa]

We should check this error in case someone passes in a malformed UUID?

[lkatalin]

I just moved this line of code from where it was earlier, but checking it seems like a good thing to do.

[priyawadhwa]

thanks ! :)

[priyawadhwa]

I think it would still make more sense to return (models.LogEntry,, error) here and create the response in GetLogEntryByIndexHandler

[lkatalin]

Looks like creating a models.LogEntry will require turning a trillian.GetEntryAndProofResponse into a models.LogEntryAnon, is that right? Is there a straightforward way to do that? I'm looking at logEntryFromLeaf as an example but not really seeing how the fields match up.

[lkatalin]

Make a LogEntryAnon and unmarshal into it?

[priyawadhwa]

I think logEntryFromLeaf returns models.LogEntry, so after line 443 you could just return logEntry, nil?

[lkatalin]

Nice! You're so right. Thanks!

[priyawadhwa]

Couple small comments!

[priyawadhwa]

I don't think we need this ErrUnexpected since we don't check for it anywhere

[lkatalin]

Okay cool, I took it out!

[priyawadhwa]

as mentioned above we can just return err here

[priyawadhwa]

LGTM! 🎉

[lkatalin]