Adds ComplianceRegion to Op protocol

mitch292 · mitch292 · commit abdcefb763d4 · 2025-03-21T10:37:28.000-04:00
diff --git a/protocol/protocol.go b/protocol/protocol.go
@@ -21,7 +21,7 @@ import (
 	"github.com/cloudflare/cfssl/helpers/derhelpers"
 )
 
-//go:generate stringer -type=Tag,Op -output=protocol_string.go
+//go:generate stringer -type=Tag,Op,ComplianceRegion -output=protocol_string.go
 
 // Tag marks the type of an Item.
 type Tag byte
@@ -51,6 +51,8 @@ const (
 	TagJaegerSpan Tag = 0x15
 	// TagReqContext contains request metadata
 	TagReqContext Tag = 0x16
+	// TagComplianceRegion implies the compliance region of the operation which can impact behavior
+	TagComplianceRegion Tag = 0x17
 	// TagPadding implies an item with a meaningless payload added for padding.
 	TagPadding Tag = 0x20
 )
@@ -202,6 +204,16 @@ func (e Error) String() string {
 	}
 }
 
+// ComplianceRegion describes any guardrails that gokeyless should follow when accessing data from
+// external applications
+type ComplianceRegion byte
+
+const (
+	// ComplianceRegionFedRAMPHigh signals that this operation should only interact
+	// with the FedRAMP High QS instance
+	ComplianceRegionFedRAMPHigh ComplianceRegion = 0x01
+)
+
 const (
 	paddedLength = 1024
 	headerSize   = 8
@@ -405,30 +417,32 @@ func (p *Packet) ReadFrom(r io.Reader) (n int64, err error) {
 
 // Operation defines a single (repeatable) keyless operation.
 type Operation struct {
-	Opcode         Op
-	Payload        []byte
-	Extra          []byte
-	SKI            SKI
-	Digest         Digest
-	ClientIP       net.IP
-	ServerIP       net.IP
-	SNI            string
-	CertID         string
-	ForwardingSvc  int64
-	CustomFuncName string
-	JaegerSpan     []byte
-	ReqContext     []byte
+	Opcode           Op
+	Payload          []byte
+	Extra            []byte
+	SKI              SKI
+	Digest           Digest
+	ClientIP         net.IP
+	ServerIP         net.IP
+	SNI              string
+	CertID           string
+	ForwardingSvc    int64
+	CustomFuncName   string
+	JaegerSpan       []byte
+	ReqContext       []byte
+	ComplianceRegion ComplianceRegion
 }
 
 func (o *Operation) String() string {
-	return fmt.Sprintf("[Opcode: %v, SKI: %v, Digest: %02x, Client IP: %s, Server IP: %s, SNI: %s, Forwarding Service: %v]",
+	return fmt.Sprintf("[Opcode: %v, SKI: %v, Digest: %02x, Client IP: %s, Server IP: %s, SNI: %s, Forwarding Service: %v, ComplianceRegion %v]",
 		o.Opcode,
 		o.SKI,
 		o.Digest,
 		o.ClientIP,
 		o.ServerIP,
 		o.SNI,
 		o.ForwardingSvc,
+		o.ComplianceRegion,
 	)
 }
 
@@ -512,6 +526,8 @@ func (o *Operation) Bytes() uint16 {
 	if o.ReqContext != nil {
 		add(tlvLen(len(o.ReqContext)))
 	}
+	// compliance region
+	add(tlvLen(1))
 	if int(length)+headerSize < paddedLength {
 		// TODO: Are we sure that's the right behavior?
 
@@ -586,6 +602,8 @@ func (o *Operation) MarshalBinary() ([]byte, error) {
 		b = append(b, tlvBytes(TagReqContext, o.ReqContext)...)
 	}
 
+	b = append(b, tlvBytes(TagComplianceRegion, []byte{byte(o.ComplianceRegion)})...)
+
 	if len(b)+headerSize < paddedLength {
 		// TODO: Are we sure that's the right behavior?
 
@@ -673,6 +691,11 @@ func (o *Operation) UnmarshalBinary(body []byte) error {
 			o.JaegerSpan = data
 		case TagReqContext:
 			o.ReqContext = data
+		case TagComplianceRegion:
+			if len(data) != 1 {
+				return fmt.Errorf("invalid ComplianceRegion: %s", data)
+			}
+			o.ComplianceRegion = ComplianceRegion(data[0])
 		default:
 			// Silently ignore any unknown tags (to allow for new tags to be gradually added to the protocol).
 			continue
diff --git a/protocol/protocol.md b/protocol/protocol.md
@@ -39,6 +39,7 @@ The following tag values are possible for items:
     0x13 - CustomFuncName, (for use with opcode 0x24)
     0x14 - Supplemental payload, whose meaning is not specified and must be predetermined between the server and client,
     0x15 - Binary encoded Jaeger span (https://www.jaegertracing.io/docs/1.19/client-libraries/#value)
+    0x17 - ComplianceRegion,
 
 A requests contains a header and the following items:
 
diff --git a/protocol/protocol_string.go b/protocol/protocol_string.go
diff --git a/protocol/protocol_test.go b/protocol/protocol_test.go
@@ -23,18 +23,19 @@ func TestMarshalBinary(t *testing.T) {
 	rand.Read(payload)
 	rand.Read(reqCtx)
 	op := Operation{
-		Opcode:         OpECDSASignSHA256,
-		Payload:        payload,
-		Extra:          extra,
-		Digest:         sha256.Sum256([]byte("Digest")),
-		SKI:            sha1.Sum([]byte("SKI")),
-		ClientIP:       net.ParseIP("1.1.1.1").To4(),
-		ServerIP:       net.ParseIP("2.2.2.2").To4(),
-		SNI:            "SNI",
-		CertID:         "SNI",
-		CustomFuncName: "CustomFuncName",
-		JaegerSpan:     []byte("615f730ad5fe896f:615f730ad5fe896f:1"),
-		ReqContext:     reqCtx,
+		Opcode:           OpECDSASignSHA256,
+		Payload:          payload,
+		Extra:            extra,
+		Digest:           sha256.Sum256([]byte("Digest")),
+		SKI:              sha1.Sum([]byte("SKI")),
+		ClientIP:         net.ParseIP("1.1.1.1").To4(),
+		ServerIP:         net.ParseIP("2.2.2.2").To4(),
+		SNI:              "SNI",
+		CertID:           "SNI",
+		CustomFuncName:   "CustomFuncName",
+		JaegerSpan:       []byte("615f730ad5fe896f:615f730ad5fe896f:1"),
+		ReqContext:       reqCtx,
+		ComplianceRegion: ComplianceRegionFedRAMPHigh,
 	}
 	pkt := NewPacket(42, op)
 	b, err := pkt.MarshalBinary()
