Block cloud explicitely from trusted networks (#59333)

* Block cloud explicitely from trusted networks

* Lint

homeassistant/auth/providers/trusted_networks.py

@@ -194,6 +194,12 @@ class TrustedNetworksAuthProvider(AuthProvider):
         if any(ip_addr in trusted_proxy for trusted_proxy in self.trusted_proxies):
             raise InvalidAuthError("Can't allow access from a proxy server")
 
+        if "cloud" in self.hass.config.components:
+            from hass_nabucasa import remote  # pylint: disable=import-outside-toplevel
+
+            if remote.is_cloud_request.get():
+                raise InvalidAuthError("Can't allow access from Home Assistant Cloud")
+
     @callback
     def async_validate_refresh_token(
         self, refresh_token: RefreshToken, remote_ip: str | None = None

tests/auth/providers/test_trusted_networks.py

@@ -2,6 +2,7 @@
 from ipaddress import ip_address, ip_network
 from unittest.mock import Mock, patch
 
+from hass_nabucasa import remote
 import pytest
 import voluptuous as vol
 
@@ -169,6 +170,27 @@ async def test_validate_access_proxy(hass, provider):
         provider.async_validate_access(ip_address("fd00::1"))
 
 
+async def test_validate_access_cloud(hass, provider):
+    """Test validate access from trusted networks are blocked from cloud."""
+    await async_setup_component(
+        hass,
+        "http",
+        {
+            "http": {
+                CONF_TRUSTED_PROXIES: ["192.168.128.0/31", "fd00::1"],
+                CONF_USE_X_FORWARDED_FOR: True,
+            }
+        },
+    )
+    hass.config.components.add("cloud")
+
+    provider.async_validate_access(ip_address("192.168.128.2"))
+
+    remote.is_cloud_request.set(True)
+    with pytest.raises(tn_auth.InvalidAuthError):
+        provider.async_validate_access(ip_address("192.168.128.2"))
+
+
 async def test_validate_refresh_token(provider):
     """Verify re-validation of refresh token."""
     with patch.object(provider, "async_validate_access") as mock: