diff --git a/lib/auth/auth_with_roles.go b/lib/auth/auth_with_roles.go index f11a924d661a4..69d81ea0420de 100644 --- a/lib/auth/auth_with_roles.go +++ b/lib/auth/auth_with_roles.go @@ -4574,6 +4574,10 @@ func (a *ServerWithRoles) UpsertTrustedCluster(ctx context.Context, tc types.Tru return nil, trace.Wrap(err) } + if err := a.context.AuthorizeAdminAction(); err != nil { + return nil, trace.Wrap(err) + } + return a.authServer.UpsertTrustedCluster(ctx, tc) } @@ -4593,6 +4597,10 @@ func (a *ServerWithRoles) DeleteTrustedCluster(ctx context.Context, name string) return trace.Wrap(err) } + if err := a.context.AuthorizeAdminAction(); err != nil { + return trace.Wrap(err) + } + return a.authServer.DeleteTrustedCluster(ctx, name) } diff --git a/lib/web/resources.go b/lib/web/resources.go index f696635a6cfa7..347360eb2e73d 100644 --- a/lib/web/resources.go +++ b/lib/web/resources.go @@ -30,6 +30,7 @@ import ( "github.com/gravitational/teleport/api/client/proto" kubeproto "github.com/gravitational/teleport/api/gen/proto/go/teleport/kube/v1" + "github.com/gravitational/teleport/api/mfa" "github.com/gravitational/teleport/api/types" "github.com/gravitational/teleport/lib/auth" "github.com/gravitational/teleport/lib/client" @@ -238,7 +239,13 @@ func (h *Handler) upsertTrustedClusterHandle(w http.ResponseWriter, r *http.Requ func upsertTrustedCluster(ctx context.Context, clt resourcesAPIGetter, content, httpMethod string, params httprouter.Params) (*ui.ResourceItem, error) { get := func(ctx context.Context, name string) (types.Resource, error) { - return clt.GetTrustedCluster(ctx, name) + // Remove the MFA resp from the context before getting the trusted cluster. + // Otherwise, it will be consumed before the Upsert which actually + // requires the MFA. + // TODO(Joerger): Explicitly provide MFA response only where it is + // needed instead of removing it like this. + getCtx := mfa.ContextWithMFAResponse(ctx, nil) + return clt.GetTrustedCluster(getCtx, name) } extractedRes, err := ExtractResourceAndValidate(content)