From 6496322beeda202abaac0335064e079985899084 Mon Sep 17 00:00:00 2001
From: Luis Neto
Date: Tue, 25 Feb 2025 19:03:41 +0000
Subject: [PATCH] TUN-9007: modify logic to resolve region when the tunnel token has an endpoint field

## Summary

Within the work of FEDRamp it is necessary to change the HA SD lookup to use as srv `fed-v2-origintunneld`

This work assumes that the tunnel token has an optional endpoint field which will be used to modify the behaviour of the HA SD lookup.

Finally, the presence of the endpoint will override region to _fed_ and fail if any value is passed for the flag region.

Closes TUN-9007
---
 cmd/cloudflared/tunnel/configuration.go | 17 ++++++++++++++++-
 connection/connection.go | 4 ++++
 supervisor/supervisor.go | 8 ++------
 3 files changed, 22 insertions(+), 7 deletions(-)

diff --git a/cmd/cloudflared/tunnel/configuration.go b/cmd/cloudflared/tunnel/configuration.go
index ac8e2db8..fc21c7ec 100644
--- a/cmd/cloudflared/tunnel/configuration.go
+++ b/cmd/cloudflared/tunnel/configuration.go
@@ -34,6 +34,7 @@ import (
 const (
 	secretValue = "*****"
 	icmpFunnelTimeout = time.Second * 10
+	fedRampRegion = "fed" // const string denoting the region used to connect to FEDRamp servers
 )
 
 var (
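Review bot: `fedRampRegion` is declared in this hunk but nothing in the patch references it; the resolution block in the hunk at `@@ -208,13 +209,27 @@` assigns the token's raw `Endpoint` string to `Region` instead, which does not match the description's statement that an endpoint forces the region to `fed`. Because `Endpoint` is decoded from the tunnel token, passing it through unchanged lets whatever string the token carries become the region fed into the edge SRV lookup, so either map it to the constant, `resolvedRegion = fedRampRegion` in the `endpoint != ""` branch, or reject any endpoint value other than `fedRampRegion`. If the constant is intentionally reserved for a later change, staticcheck will still report it as unused until then.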
@@ -208,13 +209,27 @@ func prepareTunnelConfig(
 		log.Warn().Str("edgeIPVersion", edgeIPVersion.String()).Err(err).Msg("Overriding edge-ip-version")
 	}
 
+	region := c.String(flags.Region)
+	endpoint := namedTunnel.Credentials.Endpoint
+	var resolvedRegion string
+	// set resolvedRegion to either the region passed as argument
+	// or to the endpoint in the credentials.
+	// Region and endpoint are interchangeable
+	if region != "" && endpoint != "" {
+		return nil, nil, fmt.Errorf("region provided with a token that has an endpoint")
+	} else if region != "" {
+		resolvedRegion = region
+	} else if endpoint != "" {
+		resolvedRegion = endpoint
+	}
+
 	tunnelConfig := &supervisor.TunnelConfig{
 		GracePeriod: gracePeriod,
 		ReplaceExisting: c.Bool(flags.Force),
 		OSArch: info.OSArch(),
 		ClientID: clientID.String(),
 		EdgeAddrs: c.StringSlice(flags.Edge),
-		Region: c.String(flags.Region),
+		Region: resolvedRegion,
 		EdgeIPVersion: edgeIPVersion,
 		EdgeBindAddr: edgeBindAddr,
 		HAConnections: c.Int(flags.HaConnections),
diff --git a/connection/connection.go b/connection/connection.go
index b7376e38..f141d255 100644
--- a/connection/connection.go
+++ b/connection/connection.go
@@ -60,6 +60,7 @@ type Credentials struct {
 	AccountTag string
 	TunnelSecret []byte
 	TunnelID uuid.UUID
+	Endpoint string
 }
 
 func (c *Credentials) Auth() pogs.TunnelAuth {
@@ -74,13 +75,16 @@ type TunnelToken struct {
 	AccountTag string `json:"a"`
 	TunnelSecret []byte `json:"s"`
 	TunnelID uuid.UUID `json:"t"`
+	Endpoint string `json:"e,omitempty"`
 }
 
 func (t TunnelToken) Credentials() Credentials {
+	// nolint: gosimple
 	return Credentials{
 		AccountTag: t.AccountTag,
 		TunnelSecret: t.TunnelSecret,
 		TunnelID: t.TunnelID,
+		Endpoint: t.Endpoint,
 	}
 }
 
diff --git a/supervisor/supervisor.go b/supervisor/supervisor.go
index 920fbeab..df8bbd46 100644
--- a/supervisor/supervisor.go
+++ b/supervisor/supervisor.go
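Review bot: The `else if` chain that follows a terminating `return` in the new region-resolution block reads more clearly as a guard followed by a plain fallback, and the comment `Region and endpoint are interchangeable` contradicts the line right below it, which rejects the two together. The `fmt.Errorf` call carries no format verbs, so `errors.New` would be the idiomatic choice if `errors` is already imported in this file. `prepareTunnelConfig` begins before this hunk, so its return arity is assumed from the `return nil, nil, ...` line rather than verified.
```go
	region := c.String(flags.Region)
	endpoint := namedTunnel.Credentials.Endpoint
	// A region flag and a token endpoint are mutually exclusive; the
	// endpoint is only used when no region flag was given.
	if region != "" && endpoint != "" {
		return nil, nil, fmt.Errorf("region provided with a token that has an endpoint")
	}
	resolvedRegion := region
	if resolvedRegion == "" {
		resolvedRegion = endpoint
	}
	// … unchanged: tunnelConfig literal …
```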
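Review bot: The new `Endpoint` field on `Credentials` has no doc comment, and since its value becomes the `Region` used for edge discovery (see the configuration.go hunk) a reader of this struct cannot infer that from the name alone. Suggest placing `// Endpoint, when carried by the tunnel token, selects the edge region to connect to; it is mutually exclusive with the region flag.` above the field. The same comment fits the `Endpoint` field added to `TunnelToken` in the following hunk.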
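Review bot: The bare `// nolint: gosimple` added above the `return` in `Credentials()` does not say which finding is suppressed or why the explicit field copy is preferred (presumably the "use a type conversion" simplification, now that both structs carry the same four fields), so the directive is likely to be copied without thought. golangci-lint's documented form is `//nolint:gosimple // <reason>` with no space after `//`; the spaced variant may be ignored or flagged by nolintlint depending on the configured version. Suggest `//nolint:gosimple // keep the explicit field mapping so a new token field is never copied into Credentials by accident`, adjusted to the actual reason.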
@@ -247,9 +247,7 @@ func (s *Supervisor) startFirstTunnel(
 	ctx context.Context,
 	connectedSignal *signal.Signal,
 ) {
-	var (
-		err error
-	)
+	var err error
 	const firstConnIndex = 0
 	isStaticEdge := len(s.config.EdgeAddrs) > 0
 	defer func() {
@@ -300,9 +298,7 @@ func (s *Supervisor) startTunnel(
 	index int,
 	connectedSignal *signal.Signal,
 ) {
-	var (
-		err error
-	)
+	var err error
 	defer func() {
 		s.tunnelErrors <- tunnelError{index: index, err: err}
 	}()