TUN-9583: set proper url and hostname for cloudflared tail command

This commit adds support for FedRAMP environments. Cloudflared will now dynamically configure the management hostname and API URL, switching to FedRAMP-specific values like `management.fed.argotunnel.com` and `https://api.fed.cloudflare.com/client/v4` when a FedRAMP endpoint is detected. Key to this is an enhanced `ParseToken` function, which now includes an `IsFed()` method to determine if a management token's issuer is `fed-tunnelstore`. This allows cloudflared to correctly identify and operate within a FedRAMP context, ensuring proper connectivity. Closes TUN-9583
2025-07-27 15:39:58 +00:00 · 2025-07-23 20:09:50 +01:00
parent ddf4e6d854
commit 1cedefa1c2
7 changed files with 60 additions and 19 deletions
--- a/management/token.go
+++ b/management/token.go
@@ -7,9 +7,12 @@ import (
 	"github.com/go-jose/go-jose/v4/jwt"
 )

+const tunnelstoreFEDIssuer = "fed-tunnelstore"
+
 type managementTokenClaims struct {
 	Tunnel tunnel `json:"tun"`
 	Actor  actor  `json:"actor"`
+	jwt.Claims
 }

 // VerifyTunnel compares the tun claim isn't empty
@@ -37,7 +40,7 @@ func (t *actor) verify() bool {
 	return t.ID != ""
 }

-func parseToken(token string) (*managementTokenClaims, error) {
+func ParseToken(token string) (*managementTokenClaims, error) {
 	jwt, err := jwt.ParseSigned(token, []jose.SignatureAlgorithm{jose.ES256})
 	if err != nil {
 		return nil, fmt.Errorf("malformed jwt: %v", err)
@@ -54,3 +57,7 @@ func parseToken(token string) (*managementTokenClaims, error) {
 	}
 	return &claims, nil
 }
+
+func (m *managementTokenClaims) IsFed() bool {
+	return m.Issuer == tunnelstoreFEDIssuer
+}