TUN-9820: Add support for FedRAMP in originRequest Access config

GoncaloGarcia · GoncaloGarcia · commit 9e94122d2b87 · 2025-09-15T11:11:23.000Z
* TUN-9820: Add support for FedRAMP in originRequest Access config

Closes TUN-9820
diff --git a/cmd/cloudflared/tunnel/configuration.go b/cmd/cloudflared/tunnel/configuration.go
@@ -36,7 +36,6 @@ import (
 const (
 	secretValue       = "*****"
 	icmpFunnelTimeout = time.Second * 10
-	fedRampRegion     = "fed" // const string denoting the region used to connect to FEDRamp servers
 )
 
 var (
diff --git a/config/configuration.go b/config/configuration.go
@@ -242,6 +242,8 @@ type AccessConfig struct {
 
 	// AudTag is the AudTag to verify access JWT against.
 	AudTag []string `yaml:"audTag" json:"audTag"`
+
+	Environment string `yaml:"environment" json:"environment,omitempty"`
 }
 
 type IngressIPRule struct {
diff --git a/ingress/ingress.go b/ingress/ingress.go
@@ -317,7 +317,7 @@ func validateIngress(ingress []config.UnvalidatedIngressRule, defaults OriginReq
 				return Ingress{}, err
 			}
 			if access.Required {
-				verifier := middleware.NewJWTValidator(access.TeamName, "", access.AudTag)
+				verifier := middleware.NewJWTValidator(access.TeamName, access.Environment, access.AudTag)
 				handlers = append(handlers, verifier)
 			}
 		}
diff --git a/ingress/middleware/jwtvalidator.go b/ingress/middleware/jwtvalidator.go
@@ -6,14 +6,17 @@ import (
 	"net/http"
 
 	"github.com/coreos/go-oidc/v3/oidc"
+
+	"github.com/cloudflare/cloudflared/credentials"
 )
 
 const (
 	headerKeyAccessJWTAssertion = "Cf-Access-Jwt-Assertion"
 )
 
 var (
-	cloudflareAccessCertsURL = "https://%s.cloudflareaccess.com"
+	cloudflareAccessCertsURL    = "https://%s.cloudflareaccess.com"
+	cloudflareAccessFedCertsURL = "https://%s.fed.cloudflareaccess.com"
 )
 
 // JWTValidator is an implementation of Verifier that validates access based JWT tokens.
@@ -22,10 +25,14 @@ type JWTValidator struct {
 	audTags []string
 }
 
-func NewJWTValidator(teamName string, certsURL string, audTags []string) *JWTValidator {
-	if certsURL == "" {
+func NewJWTValidator(teamName string, environment string, audTags []string) *JWTValidator {
+	var certsURL string
+	if environment == credentials.FedEndpoint {
+		certsURL = fmt.Sprintf(cloudflareAccessFedCertsURL, teamName)
+	} else {
 		certsURL = fmt.Sprintf(cloudflareAccessCertsURL, teamName)
 	}
+
 	certsEndpoint := fmt.Sprintf("%s/cdn-cgi/access/certs", certsURL)
 
 	config := &oidc.Config{

Original file line number	Diff line number	Diff line change
`@@ -36,7 +36,6 @@ import (`
`36`	`36`	`const (`
`37`	`37`	`secretValue = "*****"`
`38`	`38`	`icmpFunnelTimeout = time.Second * 10`
`39`		`- fedRampRegion = "fed" // const string denoting the region used to connect to FEDRamp servers`
`40`	`39`	`)`
`41`	`40`
`42`	`41`	`var (`
Original file line number	Diff line number	Diff line change
`@@ -242,6 +242,8 @@ type AccessConfig struct {`
`242`	`242`
`243`	`243`	`// AudTag is the AudTag to verify access JWT against.`
`244`	`244`	AudTag []string `yaml:"audTag" json:"audTag"`
	`245`	`+`
	`246`	+ Environment string `yaml:"environment" json:"environment,omitempty"`
`245`	`247`	`}`
`246`	`248`
`247`	`249`	`type IngressIPRule struct {`
Original file line number	Diff line number	Diff line change
`@@ -317,7 +317,7 @@ func validateIngress(ingress []config.UnvalidatedIngressRule, defaults OriginReq`
`317`	`317`	`return Ingress{}, err`
`318`	`318`	`}`
`319`	`319`	`if access.Required {`
`320`		`- verifier := middleware.NewJWTValidator(access.TeamName, "", access.AudTag)`
	`320`	`+ verifier := middleware.NewJWTValidator(access.TeamName, access.Environment, access.AudTag)`
`321`	`321`	`handlers = append(handlers, verifier)`
`322`	`322`	`}`
`323`	`323`	`}`
Original file line number	Diff line number	Diff line change
`@@ -6,14 +6,17 @@ import (`
`6`	`6`	`"net/http"`
`7`	`7`
`8`	`8`	`"github.com/coreos/go-oidc/v3/oidc"`
	`9`	`+`
	`10`	`+ "github.com/cloudflare/cloudflared/credentials"`
`9`	`11`	`)`
`10`	`12`
`11`	`13`	`const (`
`12`	`14`	`headerKeyAccessJWTAssertion = "Cf-Access-Jwt-Assertion"`
`13`	`15`	`)`
`14`	`16`
`15`	`17`	`var (`
`16`		`- cloudflareAccessCertsURL = "https://%s.cloudflareaccess.com"`
	`18`	`+ cloudflareAccessCertsURL = "https://%s.cloudflareaccess.com"`
	`19`	`+ cloudflareAccessFedCertsURL = "https://%s.fed.cloudflareaccess.com"`
`17`	`20`	`)`
`18`	`21`
`19`	`22`	`// JWTValidator is an implementation of Verifier that validates access based JWT tokens.`
`@@ -22,10 +25,14 @@ type JWTValidator struct {`
`22`	`25`	`audTags []string`
`23`	`26`	`}`
`24`	`27`
`25`		`-func NewJWTValidator(teamName string, certsURL string, audTags []string) *JWTValidator {`
`26`		`- if certsURL == "" {`
	`28`	`+func NewJWTValidator(teamName string, environment string, audTags []string) *JWTValidator {`
	`29`	`+ var certsURL string`
	`30`	`+ if environment == credentials.FedEndpoint {`
	`31`	`+ certsURL = fmt.Sprintf(cloudflareAccessFedCertsURL, teamName)`
	`32`	`+ } else {`
`27`	`33`	`certsURL = fmt.Sprintf(cloudflareAccessCertsURL, teamName)`
`28`	`34`	`}`
	`35`	`+`
`29`	`36`	`certsEndpoint := fmt.Sprintf("%s/cdn-cgi/access/certs", certsURL)`
`30`	`37`
`31`	`38`	`config := &oidc.Config{`