From 2c3d5949dd47a7b3658e0436b002c7e89f61bc38 Mon Sep 17 00:00:00 2001
From: Tim Ross
Date: Wed, 13 Sep 2023 17:07:55 -0400
Subject: [PATCH] Prevent trusted clusters in Cloud
---
 lib/auth/auth_with_roles.go | 5 +++++
 lib/auth/trustedcluster_test.go | 17 +++++++++++++++++
 2 files changed, 22 insertions(+)
diff --git a/lib/auth/auth_with_roles.go b/lib/auth/auth_with_roles.go
index ee97f0bd30c65..4873c6ecf309a 100644
--- a/lib/auth/auth_with_roles.go
+++ b/lib/auth/auth_with_roles.go
@@ -4410,6 +4410,11 @@ func (a *ServerWithRoles) UpsertTrustedCluster(ctx context.Context, tc types.Tru
 }
 func (a *ServerWithRoles) ValidateTrustedCluster(ctx context.Context, validateRequest *ValidateTrustedClusterRequest) (*ValidateTrustedClusterResponse, error) {
+ // Don't allow leaf clusters if running in Cloud.
+ if modules.GetModules().Features().Cloud {
+ return nil, trace.NotImplemented("cloud clusters do not support trusted cluster resources")
+ }
+
 // the token provides it's own authorization and authentication
 return a.authServer.validateTrustedCluster(ctx, validateRequest)
 }
diff --git a/lib/auth/trustedcluster_test.go b/lib/auth/trustedcluster_test.go
index d87f9be1628ad..92dbaecc702d9 100644
--- a/lib/auth/trustedcluster_test.go
+++ b/lib/auth/trustedcluster_test.go
@@ -22,6 +22,7 @@ import (
 "time"
 "github.com/google/go-cmp/cmp"
+ "github.com/gravitational/trace"
 "github.com/stretchr/testify/require"
 "github.com/gravitational/teleport"
@@ -30,6 +31,7 @@ import (
 "github.com/gravitational/teleport/lib/auth/keystore"
 authority "github.com/gravitational/teleport/lib/auth/testauthority"
 "github.com/gravitational/teleport/lib/backend/memory"
+ "github.com/gravitational/teleport/lib/modules"
 "github.com/gravitational/teleport/lib/services"
 "github.com/gravitational/teleport/lib/services/suite"
 )
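Review bot: The Cloud gate in ValidateTrustedCluster covers only the root-side validation path that a joining cluster hits; UpsertTrustedCluster, whose body ends just above the hunk, and any other trusted-cluster mutation paths on ServerWithRoles are not visible here, so this diff alone does not show that a Cloud tenant is also refused when it tries to create the resource itself. If those paths are not gated the same way, the commit title overstates what is enforced and a matching check (or a pointer to where the other side is enforced) belongs next to this one. The added comment also reads as if this endpoint were the leaf: the request appears to carry a token and CAs for this server to validate, so `// Cloud clusters cannot act as the root of a trusted-cluster relationship; reject validation requests before any token is checked.` describes the gate more precisely. Returning before token validation is reasonable since the Cloud flag is deployment-wide configuration rather than per-request data, so nothing about the token is revealed by the early exit.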
@@ -391,6 +393,21 @@ func TestValidateTrustedCluster(t *testing.T) {
 []types.CertAuthType{resp.CAs[0].GetType(), resp.CAs[1].GetType(), resp.CAs[2].GetType()},
 )
 })
+
+ t.Run("trusted clusters prevented on cloud", func(t *testing.T) {
+ modules.SetTestModules(t, &modules.TestModules{
+ TestFeatures: modules.Features{Cloud: true},
+ })
+
+ req := &ValidateTrustedClusterRequest{
+ Token: "invalidtoken",
+ CAs: []types.CertAuthority{},
+ }
+
+ server := ServerWithRoles{authServer: a}
+ _, err := server.ValidateTrustedCluster(ctx, req)
+ require.True(t, trace.IsNotImplemented(err), "ValidateTrustedCluster returned an unexpected error, got = %v (%T), want trace.NotImplementedError", err, err)
+ })
 }
 func newTestAuthServer(ctx context.Context, t *testing.T, name ...string) *Server {
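Review bot: The subtest pins only the error class, and because the fixture token is `"invalidtoken"` the same request would also fail without the Cloud gate, just with a different error; adding `require.ErrorContains(t, err, "do not support trusted cluster resources")` next to the IsNotImplemented check ties the failure to the gate introduced in auth_with_roles.go rather than to token validation. `modules.SetTestModules(t, ...)` replaces package-global state, so this subtest must not run in parallel with siblings that assume the non-Cloud default, and it is worth confirming the helper restores the previous modules through t.Cleanup. TestValidateTrustedCluster begins outside the hunk, so `ctx` and `a` come from setup that is not visible here.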