TUN-9007: modify logic to resolve region when the tunnel token has an endpoint field

lmpn · lmpn · commit 6496322beeda · 2025-02-25T19:03:41.000Z
## Summary

Within the work of FEDRamp it is necessary to change the HA SD lookup to use as srv `fed-v2-origintunneld`

This work assumes that the tunnel token has an optional endpoint field which will be used to modify the behaviour of the HA SD lookup.

Finally, the presence of the endpoint will override region to _fed_ and fail if any value is passed for the flag region.

Closes TUN-9007
diff --git a/cmd/cloudflared/tunnel/configuration.go b/cmd/cloudflared/tunnel/configuration.go
@@ -34,6 +34,7 @@ import (
 const (
 	secretValue       = "*****"
 	icmpFunnelTimeout = time.Second * 10
+	fedRampRegion     = "fed" // const string denoting the region used to connect to FEDRamp servers
 )
 
 var (
@@ -208,13 +209,27 @@ func prepareTunnelConfig(
 		log.Warn().Str("edgeIPVersion", edgeIPVersion.String()).Err(err).Msg("Overriding edge-ip-version")
 	}
 
+	region := c.String(flags.Region)
+	endpoint := namedTunnel.Credentials.Endpoint
+	var resolvedRegion string
+	// set resolvedRegion to either the region passed as argument
+	// or to the endpoint in the credentials.
+	// Region and endpoint are interchangeable
+	if region != "" && endpoint != "" {
+		return nil, nil, fmt.Errorf("region provided with a token that has an endpoint")
+	} else if region != "" {
+		resolvedRegion = region
+	} else if endpoint != "" {
+		resolvedRegion = endpoint
+	}
+
 	tunnelConfig := &supervisor.TunnelConfig{
 		GracePeriod:     gracePeriod,
 		ReplaceExisting: c.Bool(flags.Force),
 		OSArch:          info.OSArch(),
 		ClientID:        clientID.String(),
 		EdgeAddrs:       c.StringSlice(flags.Edge),
-		Region:          c.String(flags.Region),
+		Region:          resolvedRegion,
 		EdgeIPVersion:   edgeIPVersion,
 		EdgeBindAddr:    edgeBindAddr,
 		HAConnections:   c.Int(flags.HaConnections),
diff --git a/connection/connection.go b/connection/connection.go
@@ -60,6 +60,7 @@ type Credentials struct {
 	AccountTag   string
 	TunnelSecret []byte
 	TunnelID     uuid.UUID
+	Endpoint     string
 }
 
 func (c *Credentials) Auth() pogs.TunnelAuth {
@@ -74,13 +75,16 @@ type TunnelToken struct {
 	AccountTag   string    `json:"a"`
 	TunnelSecret []byte    `json:"s"`
 	TunnelID     uuid.UUID `json:"t"`
+	Endpoint     string    `json:"e,omitempty"`
 }
 
 func (t TunnelToken) Credentials() Credentials {
+	// nolint: gosimple
 	return Credentials{
 		AccountTag:   t.AccountTag,
 		TunnelSecret: t.TunnelSecret,
 		TunnelID:     t.TunnelID,
+		Endpoint:     t.Endpoint,
 	}
 }
 
diff --git a/supervisor/supervisor.go b/supervisor/supervisor.go
@@ -247,9 +247,7 @@ func (s *Supervisor) startFirstTunnel(
 	ctx context.Context,
 	connectedSignal *signal.Signal,
 ) {
-	var (
-		err error
-	)
+	var err error
 	const firstConnIndex = 0
 	isStaticEdge := len(s.config.EdgeAddrs) > 0
 	defer func() {
@@ -300,9 +298,7 @@ func (s *Supervisor) startTunnel(
 	index int,
 	connectedSignal *signal.Signal,
 ) {
-	var (
-		err error
-	)
+	var err error
 	defer func() {
 		s.tunnelErrors <- tunnelError{index: index, err: err}
 	}()

Original file line number	Diff line number	Diff line change
`@@ -60,6 +60,7 @@ type Credentials struct {`
`60`	`60`	`AccountTag string`
`61`	`61`	`TunnelSecret []byte`
`62`	`62`	`TunnelID uuid.UUID`
	`63`	`+ Endpoint string`
`63`	`64`	`}`
`64`	`65`
`65`	`66`	`func (c *Credentials) Auth() pogs.TunnelAuth {`
`@@ -74,13 +75,16 @@ type TunnelToken struct {`
`74`	`75`	AccountTag string `json:"a"`
`75`	`76`	TunnelSecret []byte `json:"s"`
`76`	`77`	TunnelID uuid.UUID `json:"t"`
	`78`	+ Endpoint string `json:"e,omitempty"`
`77`	`79`	`}`
`78`	`80`
`79`	`81`	`func (t TunnelToken) Credentials() Credentials {`
	`82`	`+ // nolint: gosimple`
`80`	`83`	`return Credentials{`
`81`	`84`	`AccountTag: t.AccountTag,`
`82`	`85`	`TunnelSecret: t.TunnelSecret,`
`83`	`86`	`TunnelID: t.TunnelID,`
	`87`	`+ Endpoint: t.Endpoint,`
`84`	`88`	`}`
`85`	`89`	`}`
`86`	`90`