TUN-9007: modify logic to resolve region when the tunnel token has an endpoint field

## Summary

Within the work of FEDRamp it is necessary to change the HA SD lookup to use as srv `fed-v2-origintunneld`

This work assumes that the tunnel token has an optional endpoint field which will be used to modify the behaviour of the HA SD lookup.

Finally, the presence of the endpoint will override region to _fed_ and fail if any value is passed for the flag region.

Closes TUN-9007

cmd/cloudflared/tunnel/configuration.go

@@ -34,6 +34,7 @@ import (
 const (
 	secretValue       = "*****"
 	icmpFunnelTimeout = time.Second * 10
+	fedRampRegion     = "fed" // const string denoting the region used to connect to FEDRamp servers
 )
 
 var (
@@ -208,13 +209,27 @@ func prepareTunnelConfig(
 		log.Warn().Str("edgeIPVersion", edgeIPVersion.String()).Err(err).Msg("Overriding edge-ip-version")
 	}
 
+	region := c.String(flags.Region)
+	endpoint := namedTunnel.Credentials.Endpoint
+	var resolvedRegion string
+	// set resolvedRegion to either the region passed as argument
+	// or to the endpoint in the credentials.
+	// Region and endpoint are interchangeable
+	if region != "" && endpoint != "" {
+		return nil, nil, fmt.Errorf("region provided with a token that has an endpoint")
+	} else if region != "" {
+		resolvedRegion = region
+	} else if endpoint != "" {
+		resolvedRegion = endpoint
+	}
+
 	tunnelConfig := &supervisor.TunnelConfig{
 		GracePeriod:     gracePeriod,
 		ReplaceExisting: c.Bool(flags.Force),
 		OSArch:          info.OSArch(),
 		ClientID:        clientID.String(),
 		EdgeAddrs:       c.StringSlice(flags.Edge),
-		Region:          c.String(flags.Region),
+		Region:          resolvedRegion,
 		EdgeIPVersion:   edgeIPVersion,
 		EdgeBindAddr:    edgeBindAddr,
 		HAConnections:   c.Int(flags.HaConnections),

connection/connection.go

@@ -60,6 +60,7 @@ type Credentials struct {
 	AccountTag   string
 	TunnelSecret []byte
 	TunnelID     uuid.UUID
+	Endpoint     string
 }
 
 func (c *Credentials) Auth() pogs.TunnelAuth {
@@ -74,13 +75,16 @@ type TunnelToken struct {
 	AccountTag   string    `json:"a"`
 	TunnelSecret []byte    `json:"s"`
 	TunnelID     uuid.UUID `json:"t"`
+	Endpoint     string    `json:"e,omitempty"`
 }
 
 func (t TunnelToken) Credentials() Credentials {
+	// nolint: gosimple
 	return Credentials{
 		AccountTag:   t.AccountTag,
 		TunnelSecret: t.TunnelSecret,
 		TunnelID:     t.TunnelID,
+		Endpoint:     t.Endpoint,
 	}
 }
 

supervisor/supervisor.go

@@ -247,9 +247,7 @@ func (s *Supervisor) startFirstTunnel(
 	ctx context.Context,
 	connectedSignal *signal.Signal,
 ) {
-	var (
+	var err error
-		err error
-	)
 	const firstConnIndex = 0
 	isStaticEdge := len(s.config.EdgeAddrs) > 0
 	defer func() {
@@ -300,9 +298,7 @@ func (s *Supervisor) startTunnel(
 	index int,
 	connectedSignal *signal.Signal,
 ) {
-	var (
+	var err error
-		err error
-	)
 	defer func() {
 		s.tunnelErrors <- tunnelError{index: index, err: err}
 	}()