TUN-9820: Add support for FedRAMP in originRequest Access config

* TUN-9820: Add support for FedRAMP in originRequest Access config Closes TUN-9820
2025-09-15 11:11:23 +00:00 · 2025-09-15 11:11:23 +00:00 · 9e94122d2b
parent 173396be90
commit 9e94122d2b
4 changed files with 13 additions and 5 deletions
--- a/cmd/cloudflared/tunnel/configuration.go
+++ b/cmd/cloudflared/tunnel/configuration.go
@ -36,7 +36,6 @@ import (
 const (
 	secretValue       = "*****"
 	icmpFunnelTimeout = time.Second * 10
-	fedRampRegion     = "fed" // const string denoting the region used to connect to FEDRamp servers
 )

 var (
--- a/config/configuration.go
+++ b/config/configuration.go
@ -242,6 +242,8 @@ type AccessConfig struct {

 	// AudTag is the AudTag to verify access JWT against.
 	AudTag []string `yaml:"audTag" json:"audTag"`
+
+	Environment string `yaml:"environment" json:"environment,omitempty"`
 }

 type IngressIPRule struct {
--- a/ingress/ingress.go
+++ b/ingress/ingress.go
@ -317,7 +317,7 @@ func validateIngress(ingress []config.UnvalidatedIngressRule, defaults OriginReq
 				return Ingress{}, err
 			}
 			if access.Required {
-				verifier := middleware.NewJWTValidator(access.TeamName, "", access.AudTag)
+				verifier := middleware.NewJWTValidator(access.TeamName, access.Environment, access.AudTag)
 				handlers = append(handlers, verifier)
 			}
 		}
--- a/ingress/middleware/jwtvalidator.go
+++ b/ingress/middleware/jwtvalidator.go
@ -6,6 +6,8 @@ import (
 	"net/http"

 	"github.com/coreos/go-oidc/v3/oidc"
+
+	"github.com/cloudflare/cloudflared/credentials"
 )

 const (
@ -13,7 +15,8 @@ const (
 )

 var (
-	cloudflareAccessCertsURL = "https://%s.cloudflareaccess.com"
+	cloudflareAccessCertsURL    = "https://%s.cloudflareaccess.com"
+	cloudflareAccessFedCertsURL = "https://%s.fed.cloudflareaccess.com"
 )

 // JWTValidator is an implementation of Verifier that validates access based JWT tokens.
@ -22,10 +25,14 @@ type JWTValidator struct {
 	audTags []string
 }

-func NewJWTValidator(teamName string, certsURL string, audTags []string) *JWTValidator {
-	if certsURL == "" {
+func NewJWTValidator(teamName string, environment string, audTags []string) *JWTValidator {
+	var certsURL string
+	if environment == credentials.FedEndpoint {
+		certsURL = fmt.Sprintf(cloudflareAccessFedCertsURL, teamName)
+	} else {
 		certsURL = fmt.Sprintf(cloudflareAccessCertsURL, teamName)
 	}
+
 	certsEndpoint := fmt.Sprintf("%s/cdn-cgi/access/certs", certsURL)

 	config := &oidc.Config{