mirror of
https://github.com/cloudflare/cloudflared.git
synced 2025-07-27 07:59:58 +00:00
1cedefa1c2
This commit adds support for FedRAMP environments. Cloudflared will now dynamically configure the management hostname and API URL, switching to FedRAMP-specific values like `management.fed.argotunnel.com` and `https://api.fed.cloudflare.com/client/v4` when a FedRAMP endpoint is detected. Key to this is an enhanced `ParseToken` function, which now includes an `IsFed()` method to determine if a management token's issuer is `fed-tunnelstore`. This allows cloudflared to correctly identify and operate within a FedRAMP context, ensuring proper connectivity. Closes TUN-9583
90 lines
2.1 KiB
Go
90 lines
2.1 KiB
Go
package credentials
|
|
|
|
import (
|
|
"github.com/pkg/errors"
|
|
"github.com/rs/zerolog"
|
|
|
|
"github.com/cloudflare/cloudflared/cfapi"
|
|
)
|
|
|
|
const (
|
|
logFieldOriginCertPath = "originCertPath"
|
|
FedEndpoint = "fed"
|
|
FedRampBaseApiURL = "https://api.fed.cloudflare.com/client/v4"
|
|
FedRampHostname = "management.fed.argotunnel.com"
|
|
)
|
|
|
|
type User struct {
|
|
cert *OriginCert
|
|
certPath string
|
|
}
|
|
|
|
func (c User) AccountID() string {
|
|
return c.cert.AccountID
|
|
}
|
|
|
|
func (c User) ZoneID() string {
|
|
return c.cert.ZoneID
|
|
}
|
|
|
|
func (c User) APIToken() string {
|
|
return c.cert.APIToken
|
|
}
|
|
|
|
func (c User) CertPath() string {
|
|
return c.certPath
|
|
}
|
|
|
|
func (c User) IsFEDEndpoint() bool {
|
|
return c.cert.Endpoint == FedEndpoint
|
|
}
|
|
|
|
// Client uses the user credentials to create a Cloudflare API client
|
|
func (c *User) Client(apiURL string, userAgent string, log *zerolog.Logger) (cfapi.Client, error) {
|
|
if apiURL == "" {
|
|
return nil, errors.New("An api-url was not provided for the Cloudflare API client")
|
|
}
|
|
client, err := cfapi.NewRESTClient(
|
|
apiURL,
|
|
c.cert.AccountID,
|
|
c.cert.ZoneID,
|
|
c.cert.APIToken,
|
|
userAgent,
|
|
log,
|
|
)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return client, nil
|
|
}
|
|
|
|
// Read will load and read the origin cert.pem to load the user credentials
|
|
func Read(originCertPath string, log *zerolog.Logger) (*User, error) {
|
|
originCertLog := log.With().
|
|
Str(logFieldOriginCertPath, originCertPath).
|
|
Logger()
|
|
|
|
originCertPath, err := FindOriginCert(originCertPath, &originCertLog)
|
|
if err != nil {
|
|
return nil, errors.Wrap(err, "Error locating origin cert")
|
|
}
|
|
blocks, err := readOriginCert(originCertPath)
|
|
if err != nil {
|
|
return nil, errors.Wrapf(err, "Can't read origin cert from %s", originCertPath)
|
|
}
|
|
|
|
cert, err := decodeOriginCert(blocks)
|
|
if err != nil {
|
|
return nil, errors.Wrap(err, "Error decoding origin cert")
|
|
}
|
|
|
|
if cert.AccountID == "" {
|
|
return nil, errors.Errorf(`Origin certificate needs to be refreshed before creating new tunnels.\nDelete %s and run "cloudflared login" to obtain a new cert.`, originCertPath)
|
|
}
|
|
|
|
return &User{
|
|
cert: cert,
|
|
certPath: originCertPath,
|
|
}, nil
|
|
}
|