jcarr
/
gemini-cli
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

feat(auth): Enhance non-interactive gcp auth (#4811)

This commit is contained in:
Gal Zahavi 2025-07-25 10:19:38 -07:00 committed by GitHub
parent fb0db2dfd6
commit 6321442865
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
5 changed files with 200 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
packages/cli/src/utils/sandbox.ts
View File

@ -525,6 +525,14 @@ export async function start_sandbox(
); );
} }
// copy GOOGLE_GENAI_USE_GCA
if (process.env.GOOGLE_GENAI_USE_GCA) {
args.push(
'--env',
`GOOGLE_GENAI_USE_GCA=${process.env.GOOGLE_GENAI_USE_GCA}`,
);
}
// copy GOOGLE_CLOUD_PROJECT // copy GOOGLE_CLOUD_PROJECT
if (process.env.GOOGLE_CLOUD_PROJECT) { if (process.env.GOOGLE_CLOUD_PROJECT) {
args.push( args.push(

30
packages/cli/src/validateNonInterActiveAuth.test.ts
View File

@ -14,6 +14,7 @@ import { AuthType } from '@google/gemini-cli-core';
describe('validateNonInterActiveAuth', () => { describe('validateNonInterActiveAuth', () => {
let originalEnvGeminiApiKey: string | undefined; let originalEnvGeminiApiKey: string | undefined;
let originalEnvVertexAi: string | undefined; let originalEnvVertexAi: string | undefined;
let originalEnvGcp: string | undefined;
let consoleErrorSpy: ReturnType<typeof vi.spyOn>; let consoleErrorSpy: ReturnType<typeof vi.spyOn>;
let processExitSpy: ReturnType<typeof vi.spyOn>; let processExitSpy: ReturnType<typeof vi.spyOn>;
let refreshAuthMock: jest.MockedFunction< let refreshAuthMock: jest.MockedFunction<
@ -23,8 +24,10 @@ describe('validateNonInterActiveAuth', () => {
beforeEach(() => { beforeEach(() => {
originalEnvGeminiApiKey = process.env.GEMINI_API_KEY; originalEnvGeminiApiKey = process.env.GEMINI_API_KEY;
originalEnvVertexAi = process.env.GOOGLE_GENAI_USE_VERTEXAI; originalEnvVertexAi = process.env.GOOGLE_GENAI_USE_VERTEXAI;
originalEnvGcp = process.env.GOOGLE_GENAI_USE_GCA;
delete process.env.GEMINI_API_KEY; delete process.env.GEMINI_API_KEY;
delete process.env.GOOGLE_GENAI_USE_VERTEXAI; delete process.env.GOOGLE_GENAI_USE_VERTEXAI;
delete process.env.GOOGLE_GENAI_USE_GCA;
consoleErrorSpy = vi.spyOn(console, 'error').mockImplementation(() => {}); consoleErrorSpy = vi.spyOn(console, 'error').mockImplementation(() => {});
processExitSpy = vi.spyOn(process, 'exit').mockImplementation((code) => { processExitSpy = vi.spyOn(process, 'exit').mockImplementation((code) => {
throw new Error(`process.exit(${code}) called`); throw new Error(`process.exit(${code}) called`);
@ -43,6 +46,11 @@ describe('validateNonInterActiveAuth', () => {
} else { } else {
delete process.env.GOOGLE_GENAI_USE_VERTEXAI; delete process.env.GOOGLE_GENAI_USE_VERTEXAI;
} }
if (originalEnvGcp !== undefined) {
process.env.GOOGLE_GENAI_USE_GCA = originalEnvGcp;
} else {
delete process.env.GOOGLE_GENAI_USE_GCA;
}
vi.restoreAllMocks(); vi.restoreAllMocks();
}); });
@ -62,6 +70,15 @@ describe('validateNonInterActiveAuth', () => {
expect(processExitSpy).toHaveBeenCalledWith(1); expect(processExitSpy).toHaveBeenCalledWith(1);
}); });
it('uses LOGIN_WITH_GOOGLE if GOOGLE_GENAI_USE_GCA is set', async () => {
process.env.GOOGLE_GENAI_USE_GCA = 'true';
const nonInteractiveConfig: NonInteractiveConfig = {
refreshAuth: refreshAuthMock,
};
await validateNonInteractiveAuth(undefined, nonInteractiveConfig);
expect(refreshAuthMock).toHaveBeenCalledWith(AuthType.LOGIN_WITH_GOOGLE);
});
it('uses USE_GEMINI if GEMINI_API_KEY is set', async () => { it('uses USE_GEMINI if GEMINI_API_KEY is set', async () => {
process.env.GEMINI_API_KEY = 'fake-key'; process.env.GEMINI_API_KEY = 'fake-key';
const nonInteractiveConfig: NonInteractiveConfig = { const nonInteractiveConfig: NonInteractiveConfig = {
@ -92,6 +109,19 @@ describe('validateNonInterActiveAuth', () => {
expect(refreshAuthMock).toHaveBeenCalledWith(AuthType.USE_VERTEX_AI); expect(refreshAuthMock).toHaveBeenCalledWith(AuthType.USE_VERTEX_AI);
}); });
it('uses LOGIN_WITH_GOOGLE if GOOGLE_GENAI_USE_GCA is set, even with other env vars', async () => {
process.env.GOOGLE_GENAI_USE_GCA = 'true';
process.env.GEMINI_API_KEY = 'fake-key';
process.env.GOOGLE_GENAI_USE_VERTEXAI = 'true';
process.env.GOOGLE_CLOUD_PROJECT = 'test-project';
process.env.GOOGLE_CLOUD_LOCATION = 'us-central1';
const nonInteractiveConfig: NonInteractiveConfig = {
refreshAuth: refreshAuthMock,
};
await validateNonInteractiveAuth(undefined, nonInteractiveConfig);
expect(refreshAuthMock).toHaveBeenCalledWith(AuthType.LOGIN_WITH_GOOGLE);
});
it('uses USE_VERTEX_AI if both GEMINI_API_KEY and GOOGLE_GENAI_USE_VERTEXAI are set', async () => { it('uses USE_VERTEX_AI if both GEMINI_API_KEY and GOOGLE_GENAI_USE_VERTEXAI are set', async () => {
process.env.GEMINI_API_KEY = 'fake-key'; process.env.GEMINI_API_KEY = 'fake-key';
process.env.GOOGLE_GENAI_USE_VERTEXAI = 'true'; process.env.GOOGLE_GENAI_USE_VERTEXAI = 'true';

23
packages/cli/src/validateNonInterActiveAuth.ts
View File

@ -8,21 +8,28 @@ import { AuthType, Config } from '@google/gemini-cli-core';
import { USER_SETTINGS_PATH } from './config/settings.js'; import { USER_SETTINGS_PATH } from './config/settings.js';
import { validateAuthMethod } from './config/auth.js'; import { validateAuthMethod } from './config/auth.js';
function getAuthTypeFromEnv(): AuthType | undefined {
if (process.env.GOOGLE_GENAI_USE_GCA === 'true') {
return AuthType.LOGIN_WITH_GOOGLE;
}
if (process.env.GOOGLE_GENAI_USE_VERTEXAI === 'true') {
return AuthType.USE_VERTEX_AI;
}
if (process.env.GEMINI_API_KEY) {
return AuthType.USE_GEMINI;
}
return undefined;
}
export async function validateNonInteractiveAuth( export async function validateNonInteractiveAuth(
configuredAuthType: AuthType | undefined, configuredAuthType: AuthType | undefined,
nonInteractiveConfig: Config, nonInteractiveConfig: Config,
) { ) {
const effectiveAuthType = const effectiveAuthType = configuredAuthType || getAuthTypeFromEnv();
configuredAuthType ||
(process.env.GOOGLE_GENAI_USE_VERTEXAI === 'true'
? AuthType.USE_VERTEX_AI
: process.env.GEMINI_API_KEY
? AuthType.USE_GEMINI
: undefined);
if (!effectiveAuthType) { if (!effectiveAuthType) {
console.error( console.error(
`Please set an Auth method in your ${USER_SETTINGS_PATH} or specify either the GEMINI_API_KEY or GOOGLE_GENAI_USE_VERTEXAI environment variables before running`, `Please set an Auth method in your ${USER_SETTINGS_PATH} or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA`,
); );
process.exit(1); process.exit(1);
} }

136
packages/core/src/code_assist/oauth2.test.ts
View File

@ -57,6 +57,8 @@ describe('oauth2', () => {
fs.rmSync(tempHomeDir, { recursive: true, force: true }); fs.rmSync(tempHomeDir, { recursive: true, force: true });
vi.clearAllMocks(); vi.clearAllMocks();
delete process.env.CLOUD_SHELL; delete process.env.CLOUD_SHELL;
delete process.env.GOOGLE_GENAI_USE_GCA;
delete process.env.GOOGLE_CLOUD_ACCESS_TOKEN;
}); });
it('should perform a web login', async () => { it('should perform a web login', async () => {
@ -332,4 +334,138 @@ describe('oauth2', () => {
); );
}); });
}); });
describe('with GCP environment variables', () => {
it('should use GOOGLE_CLOUD_ACCESS_TOKEN when GOOGLE_GENAI_USE_GCA is true', async () => {
process.env.GOOGLE_GENAI_USE_GCA = 'true';
process.env.GOOGLE_CLOUD_ACCESS_TOKEN = 'gcp-access-token';
const mockSetCredentials = vi.fn();
const mockGetAccessToken = vi
.fn()
.mockResolvedValue({ token: 'gcp-access-token' });
const mockOAuth2Client = {
setCredentials: mockSetCredentials,
getAccessToken: mockGetAccessToken,
on: vi.fn(),
} as unknown as OAuth2Client;
(OAuth2Client as unknown as Mock).mockImplementation(
() => mockOAuth2Client,
);
// Mock the UserInfo API response for fetchAndCacheUserInfo
(global.fetch as Mock).mockResolvedValue({
ok: true,
json: vi
.fn()
.mockResolvedValue({ email: 'test-gcp-account@gmail.com' }),
} as unknown as Response);
const writeFileSpy = vi
.spyOn(fs.promises, 'writeFile')
.mockResolvedValue(undefined);
const client = await getOauthClient(
AuthType.LOGIN_WITH_GOOGLE,
mockConfig,
);
expect(client).toBe(mockOAuth2Client);
expect(mockSetCredentials).toHaveBeenCalledWith({
access_token: 'gcp-access-token',
});
// Verify fetchAndCacheUserInfo was effectively called
expect(mockGetAccessToken).toHaveBeenCalled();
expect(global.fetch).toHaveBeenCalledWith(
'https://www.googleapis.com/oauth2/v2/userinfo',
{
headers: {
Authorization: 'Bearer gcp-access-token',
},
},
);
// Verify Google Account was cached
const googleAccountPath = path.join(
tempHomeDir,
'.gemini',
'google_accounts.json',
);
expect(writeFileSpy).toHaveBeenCalledWith(
googleAccountPath,
JSON.stringify(
{
active: 'test-gcp-account@gmail.com',
old: [],
},
null,
2,
),
'utf-8',
);
});
it('should not use GCP token if GOOGLE_CLOUD_ACCESS_TOKEN is not set', async () => {
process.env.GOOGLE_GENAI_USE_GCA = 'true';
const mockSetCredentials = vi.fn();
const mockGetAccessToken = vi
.fn()
.mockResolvedValue({ token: 'cached-access-token' });
const mockGetTokenInfo = vi.fn().mockResolvedValue({});
const mockOAuth2Client = {
setCredentials: mockSetCredentials,
getAccessToken: mockGetAccessToken,
getTokenInfo: mockGetTokenInfo,
on: vi.fn(),
} as unknown as OAuth2Client;
(OAuth2Client as unknown as Mock).mockImplementation(
() => mockOAuth2Client,
);
// Make it fall through to cached credentials path
const cachedCreds = { refresh_token: 'cached-token' };
vi.spyOn(fs.promises, 'readFile').mockResolvedValue(
JSON.stringify(cachedCreds),
);
await getOauthClient(AuthType.LOGIN_WITH_GOOGLE, mockConfig);
// It should be called with the cached credentials, not the GCP access token.
expect(mockSetCredentials).toHaveBeenCalledTimes(1);
expect(mockSetCredentials).toHaveBeenCalledWith(cachedCreds);
});
it('should not use GCP token if GOOGLE_GENAI_USE_GCA is not set', async () => {
process.env.GOOGLE_CLOUD_ACCESS_TOKEN = 'gcp-access-token';
const mockSetCredentials = vi.fn();
const mockGetAccessToken = vi
.fn()
.mockResolvedValue({ token: 'cached-access-token' });
const mockGetTokenInfo = vi.fn().mockResolvedValue({});
const mockOAuth2Client = {
setCredentials: mockSetCredentials,
getAccessToken: mockGetAccessToken,
getTokenInfo: mockGetTokenInfo,
on: vi.fn(),
} as unknown as OAuth2Client;
(OAuth2Client as unknown as Mock).mockImplementation(
() => mockOAuth2Client,
);
// Make it fall through to cached credentials path
const cachedCreds = { refresh_token: 'cached-token' };
vi.spyOn(fs.promises, 'readFile').mockResolvedValue(
JSON.stringify(cachedCreds),
);
await getOauthClient(AuthType.LOGIN_WITH_GOOGLE, mockConfig);
// It should be called with the cached credentials, not the GCP access token.
expect(mockSetCredentials).toHaveBeenCalledTimes(1);
expect(mockSetCredentials).toHaveBeenCalledWith(cachedCreds);
});
});
}); });

11
packages/core/src/code_assist/oauth2.ts
View File

@ -78,6 +78,17 @@ export async function getOauthClient(
}, },
}); });
if (
process.env.GOOGLE_GENAI_USE_GCA &&
process.env.GOOGLE_CLOUD_ACCESS_TOKEN
) {
client.setCredentials({
access_token: process.env.GOOGLE_CLOUD_ACCESS_TOKEN,
});
await fetchAndCacheUserInfo(client);
return client;
}
client.on('tokens', async (tokens: Credentials) => { client.on('tokens', async (tokens: Credentials) => {
await cacheCredentials(tokens); await cacheCredentials(tokens);
}); });