TUN-9820: Add support for FedRAMP in originRequest Access config

* TUN-9820: Add support for FedRAMP in originRequest Access config

Closes TUN-9820
Gonçalo Garcia 2025-09-15 11:11:23 +00:00
parent 173396be90
commit 9e94122d2b
4 changed files with 13 additions and 5 deletions


@ -36,7 +36,6 @@ import (
const ( const (
secretValue = "*****" secretValue = "*****"
icmpFunnelTimeout = time.Second * 10 icmpFunnelTimeout = time.Second * 10
fedRampRegion = "fed" // const string denoting the region used to connect to FEDRamp servers
) )
var ( var (


@ -242,6 +242,8 @@ type AccessConfig struct {
// AudTag is the AudTag to verify access JWT against. // AudTag is the AudTag to verify access JWT against.
AudTag []string `yaml:"audTag" json:"audTag"` AudTag []string `yaml:"audTag" json:"audTag"`
Environment string `yaml:"environment" json:"environment,omitempty"`
} }
type IngressIPRule struct { type IngressIPRule struct {
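Review bot: The new `Environment` field on AccessConfig has no doc comment, while the neighbouring `AudTag` field does, and nothing on the struct says which values it accepts or what an unrecognised value does. I would add `// Environment selects the Access certs endpoint used to verify JWTs: set it to the FedRAMP environment value to validate against the fed endpoint, or leave it empty for the commercial one.` Judging from the NewJWTValidator change in the same commit, any other value is not rejected and falls through to the commercial endpoint, so the comment (or a config validator) should state that explicitly. The AccessConfig definition starts outside the hunk.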


@ -317,7 +317,7 @@ func validateIngress(ingress []config.UnvalidatedIngressRule, defaults OriginReq
return Ingress{}, err return Ingress{}, err
} }
if access.Required { if access.Required {
verifier := middleware.NewJWTValidator(access.TeamName, "", access.AudTag) verifier := middleware.NewJWTValidator(access.TeamName, access.Environment, access.AudTag)
handlers = append(handlers, verifier) handlers = append(handlers, verifier)
} }
} }
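Review bot: `access.Environment` is forwarded to NewJWTValidator on the changed line without being validated, even though validateIngress is where bad ingress configuration is meant to be rejected. Because the validator in this commit only matches the exact FedRAMP constant and otherwise uses the commercial endpoint, a misspelled or differently-cased `environment` silently builds a verifier for the wrong Access environment and the operator only finds out when every token fails. I would reject unexpected values before building the verifier, e.g. `if e := access.Environment; e != "" && e != credentials.FedEndpoint { return Ingress{}, fmt.Errorf("unsupported access environment %q", e) }` — the constant compared against should be whatever the middleware accepts, and this hunk does not show whether this file already imports `credentials` or `fmt`. validateIngress begins and ends outside the hunk.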


@ -6,6 +6,8 @@ import (
"net/http" "net/http"
"github.com/coreos/go-oidc/v3/oidc" "github.com/coreos/go-oidc/v3/oidc"
"github.com/cloudflare/cloudflared/credentials"
) )
const ( const (
@ -13,7 +15,8 @@ const (
) )
var ( var (
cloudflareAccessCertsURL = "https://%s.cloudflareaccess.com" cloudflareAccessCertsURL = "https://%s.cloudflareaccess.com"
cloudflareAccessFedCertsURL = "https://%s.fed.cloudflareaccess.com"
) )
// JWTValidator is an implementation of Verifier that validates access based JWT tokens. // JWTValidator is an implementation of Verifier that validates access based JWT tokens.
@ -22,10 +25,14 @@ type JWTValidator struct {
audTags []string audTags []string
} }
func NewJWTValidator(teamName string, certsURL string, audTags []string) *JWTValidator { func NewJWTValidator(teamName string, environment string, audTags []string) *JWTValidator {
if certsURL == "" { var certsURL string
if environment == credentials.FedEndpoint {
certsURL = fmt.Sprintf(cloudflareAccessFedCertsURL, teamName)
} else {
certsURL = fmt.Sprintf(cloudflareAccessCertsURL, teamName) certsURL = fmt.Sprintf(cloudflareAccessCertsURL, teamName)
} }
certsEndpoint := fmt.Sprintf("%s/cdn-cgi/access/certs", certsURL) certsEndpoint := fmt.Sprintf("%s/cdn-cgi/access/certs", certsURL)
config := &oidc.Config{ config := &oidc.Config{