From 9e94122d2b876c8b89e4632f2f6d4b2f7efcb989 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gon=C3=A7alo=20Garcia?=
Date: Mon, 15 Sep 2025 11:11:23 +0000
Subject: [PATCH] TUN-9820: Add support for FedRAMP in originRequest Access config

* TUN-9820: Add support for FedRAMP in originRequest Access config

Closes TUN-9820
---
 cmd/cloudflared/tunnel/configuration.go | 1 -
 config/configuration.go | 2 ++
 ingress/ingress.go | 2 +-
 ingress/middleware/jwtvalidator.go | 13 ++++++++++---
 4 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/cmd/cloudflared/tunnel/configuration.go b/cmd/cloudflared/tunnel/configuration.go
index 63f78426..b38f79da 100644
--- a/cmd/cloudflared/tunnel/configuration.go
+++ b/cmd/cloudflared/tunnel/configuration.go
@@ -36,7 +36,6 @@ import (
 const (
 	secretValue       = "*****"
 	icmpFunnelTimeout = time.Second * 10
-	fedRampRegion     = "fed" // const string denoting the region used to connect to FEDRamp servers
 )
 
 var (
diff --git a/config/configuration.go b/config/configuration.go
index a3b65ad3..cb0b0ade 100644
--- a/config/configuration.go
+++ b/config/configuration.go
@@ -242,6 +242,8 @@ type AccessConfig struct {
 
 	// AudTag is the AudTag to verify access JWT against.
 	AudTag []string `yaml:"audTag" json:"audTag"`
+
+	Environment string `yaml:"environment" json:"environment,omitempty"`
 }
 
 type IngressIPRule struct {
diff --git a/ingress/ingress.go b/ingress/ingress.go
index eaad7dce..a325271a 100644
--- a/ingress/ingress.go
+++ b/ingress/ingress.go
@@ -317,7 +317,7 @@ func validateIngress(ingress []config.UnvalidatedIngressRule, defaults OriginReq
 				return Ingress{}, err
 			}
 			if access.Required {
-				verifier := middleware.NewJWTValidator(access.TeamName, "", access.AudTag)
+				verifier := middleware.NewJWTValidator(access.TeamName, access.Environment, access.AudTag)
 				handlers = append(handlers, verifier)
 			}
 		}
diff --git a/ingress/middleware/jwtvalidator.go b/ingress/middleware/jwtvalidator.go
index 8ee9b789..93ca8c61 100644
--- a/ingress/middleware/jwtvalidator.go
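Review bot: The new `Environment` field in the config/configuration.go hunk is the only field in the visible part of `AccessConfig` without a doc comment, while `AudTag` directly above it has one; since the value decides which certificate endpoint the JWT validator fetches keys from (per the jwtvalidator.go hunk), the accepted values need to be stated where the field is declared. Suggested comment above the field: `// Environment selects the Cloudflare Access environment whose signing certs are fetched; set it to the value of credentials.FedEndpoint for FedRAMP teams and leave it empty for the default endpoint.` The struct starts before the hunk.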
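Review bot: `access.Environment` is handed to `NewJWTValidator` unvalidated in the ingress.go hunk, and in the jwtvalidator.go hunk every value other than `credentials.FedEndpoint` falls through to the commercial certs URL, so a misspelled environment in a FedRAMP ingress rule is accepted at load time and presumably only surfaces later as token validation failures against the wrong key set. The `return Ingress{}, err` just above shows this function already rejects bad rules, so unknown values can be refused in the same place: `if access.Environment != "" && access.Environment != credentials.FedEndpoint { return Ingress{}, fmt.Errorf("unsupported access environment %q", access.Environment) }` (importing `credentials` into ingress.go if it is not already). `validateIngress` starts and ends outside the hunk.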
+++ b/ingress/middleware/jwtvalidator.go
@@ -6,6 +6,8 @@ import (
 	"net/http"
 
 	"github.com/coreos/go-oidc/v3/oidc"
+
+	"github.com/cloudflare/cloudflared/credentials"
 )
 
 const (
@@ -13,7 +15,8 @@ const (
 )
 
 var (
-	cloudflareAccessCertsURL = "https://%s.cloudflareaccess.com"
+	cloudflareAccessCertsURL    = "https://%s.cloudflareaccess.com"
+	cloudflareAccessFedCertsURL = "https://%s.fed.cloudflareaccess.com"
 )
 
 // JWTValidator is an implementation of Verifier that validates access based JWT tokens.
@@ -22,10 +25,14 @@ type JWTValidator struct {
 	audTags []string
 }
 
-func NewJWTValidator(teamName string, certsURL string, audTags []string) *JWTValidator {
-	if certsURL == "" {
+func NewJWTValidator(teamName string, environment string, audTags []string) *JWTValidator {
+	var certsURL string
+	if environment == credentials.FedEndpoint {
+		certsURL = fmt.Sprintf(cloudflareAccessFedCertsURL, teamName)
+	} else {
 		certsURL = fmt.Sprintf(cloudflareAccessCertsURL, teamName)
 	}
+
+	certsEndpoint := fmt.Sprintf("%s/cdn-cgi/access/certs", certsURL)
 	config := &oidc.Config{
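Review bot: The new `cloudflareAccessFedCertsURL` template in the second hunk of jwtvalidator.go, like the existing template beside it, substitutes `teamName` straight into the hostname, and nothing in this hunk constrains it to a single DNS label; whether the team name is checked before it reaches this package is not visible here. If it is not, a value containing a dot or a slash changes which host the signing certs are fetched from, so the team name should be validated as one label of letters, digits and hyphens where it is accepted, or in `NewJWTValidator` before formatting. A short comment on the block would also help readers: `// Host templates for the commercial and FedRAMP Access endpoints; %s is the team name.`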