Added obfuscated google account ID to clearcut log messages (#2593)

This commit is contained in:
Bryan Morgan 2025-06-29 16:35:20 -04:00 committed by GitHub
parent dbe63e7234
commit cdb803b9a4
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
5 changed files with 215 additions and 20 deletions

View File

@ -5,7 +5,7 @@
*/
import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
import { getOauthClient } from './oauth2.js';
import { getOauthClient, getCachedGoogleAccountId } from './oauth2.js';
import { OAuth2Client } from 'google-auth-library';
import * as fs from 'fs';
import * as path from 'path';
@ -27,6 +27,9 @@ vi.mock('http');
vi.mock('open');
vi.mock('crypto');
// Mock fetch globally
global.fetch = vi.fn();
describe('oauth2', () => {
let tempHomeDir: string;
@ -52,10 +55,14 @@ describe('oauth2', () => {
const mockGenerateAuthUrl = vi.fn().mockReturnValue(mockAuthUrl);
const mockGetToken = vi.fn().mockResolvedValue({ tokens: mockTokens });
const mockSetCredentials = vi.fn();
const mockGetAccessToken = vi
.fn()
.mockResolvedValue({ token: 'mock-access-token' });
const mockOAuth2Client = {
generateAuthUrl: mockGenerateAuthUrl,
getToken: mockGetToken,
setCredentials: mockSetCredentials,
getAccessToken: mockGetAccessToken,
credentials: mockTokens,
} as unknown as OAuth2Client;
vi.mocked(OAuth2Client).mockImplementation(() => mockOAuth2Client);
@ -63,6 +70,12 @@ describe('oauth2', () => {
vi.spyOn(crypto, 'randomBytes').mockReturnValue(mockState as never);
vi.mocked(open).mockImplementation(async () => ({}) as never);
// Mock the UserInfo API response
vi.mocked(global.fetch).mockResolvedValue({
ok: true,
json: vi.fn().mockResolvedValue({ id: 'test-google-account-id-123' }),
} as unknown as Response);
let requestCallback!: http.RequestListener<
typeof http.IncomingMessage,
typeof http.ServerResponse
@ -126,5 +139,18 @@ describe('oauth2', () => {
const tokenPath = path.join(tempHomeDir, '.gemini', 'oauth_creds.json');
const tokenData = JSON.parse(fs.readFileSync(tokenPath, 'utf-8'));
expect(tokenData).toEqual(mockTokens);
// Verify Google Account ID was cached
const googleAccountIdPath = path.join(
tempHomeDir,
'.gemini',
'google_account_id',
);
expect(fs.existsSync(googleAccountIdPath)).toBe(true);
const cachedGoogleAccountId = fs.readFileSync(googleAccountIdPath, 'utf-8');
expect(cachedGoogleAccountId).toBe('test-google-account-id-123');
// Verify the getCachedGoogleAccountId function works
expect(getCachedGoogleAccountId()).toBe('test-google-account-id-123');
});
});

View File

@ -41,6 +41,7 @@ const SIGN_IN_FAILURE_URL =
const GEMINI_DIR = '.gemini';
const CREDENTIAL_FILENAME = 'oauth_creds.json';
const GOOGLE_ACCOUNT_ID_FILENAME = 'google_account_id';
/**
* An Authentication URL for updating the credentials of a Oauth2Client
@ -60,6 +61,21 @@ export async function getOauthClient(): Promise<OAuth2Client> {
if (await loadCachedCredentials(client)) {
// Found valid cached credentials.
// Check if we need to retrieve Google Account ID
if (!getCachedGoogleAccountId()) {
try {
const googleAccountId = await getGoogleAccountId(client);
if (googleAccountId) {
await cacheGoogleAccountId(googleAccountId);
}
} catch (error) {
console.error(
'Failed to retrieve Google Account ID for existing credentials:',
error,
);
// Continue with existing auth flow
}
}
return client;
}
@ -116,6 +132,20 @@ async function authWithWeb(client: OAuth2Client): Promise<OauthWebLogin> {
client.setCredentials(tokens);
await cacheCredentials(client.credentials);
// Retrieve and cache Google Account ID during authentication
try {
const googleAccountId = await getGoogleAccountId(client);
if (googleAccountId) {
await cacheGoogleAccountId(googleAccountId);
}
} catch (error) {
console.error(
'Failed to retrieve Google Account ID during authentication:',
error,
);
// Don't fail the auth flow if Google Account ID retrieval fails
}
res.writeHead(HTTP_REDIRECT, { Location: SIGN_IN_SUCCESS_URL });
res.end();
resolve();
@ -193,10 +223,76 @@ function getCachedCredentialPath(): string {
return path.join(os.homedir(), GEMINI_DIR, CREDENTIAL_FILENAME);
}
function getGoogleAccountIdCachePath(): string {
return path.join(os.homedir(), GEMINI_DIR, GOOGLE_ACCOUNT_ID_FILENAME);
}
async function cacheGoogleAccountId(googleAccountId: string): Promise<void> {
const filePath = getGoogleAccountIdCachePath();
await fs.mkdir(path.dirname(filePath), { recursive: true });
await fs.writeFile(filePath, googleAccountId, 'utf-8');
}
export function getCachedGoogleAccountId(): string | null {
try {
const filePath = getGoogleAccountIdCachePath();
// eslint-disable-next-line @typescript-eslint/no-require-imports, no-restricted-syntax
const fs_sync = require('fs');
if (fs_sync.existsSync(filePath)) {
return fs_sync.readFileSync(filePath, 'utf-8').trim() || null;
}
return null;
} catch (_error) {
return null;
}
}
export async function clearCachedCredentialFile() {
try {
await fs.rm(getCachedCredentialPath());
await fs.rm(getCachedCredentialPath(), { force: true });
// Clear the Google Account ID cache when credentials are cleared
await fs.rm(getGoogleAccountIdCachePath(), { force: true });
} catch (_) {
/* empty */
}
}
/**
* Retrieves the authenticated user's Google Account ID from Google's UserInfo API.
* @param client - The authenticated OAuth2Client
* @returns The user's Google Account ID or null if not available
*/
export async function getGoogleAccountId(
client: OAuth2Client,
): Promise<string | null> {
try {
const { token } = await client.getAccessToken();
if (!token) {
return null;
}
const response = await fetch(
'https://www.googleapis.com/oauth2/v2/userinfo',
{
headers: {
Authorization: `Bearer ${token}`,
},
},
);
if (!response.ok) {
console.error(
'Failed to fetch user info:',
response.status,
response.statusText,
);
return null;
}
const userInfo = await response.json();
return userInfo.id || null;
} catch (error) {
console.error('Error retrieving Google Account ID:', error);
return null;
}
}

View File

@ -17,7 +17,8 @@ import {
} from '../types.js';
import { EventMetadataKey } from './event-metadata-key.js';
import { Config } from '../../config/config.js';
import { getPersistentUserId } from '../../utils/user_id.js';
import { getInstallationId } from '../../utils/user_id.js';
import { getObfuscatedGoogleAccountId } from '../../utils/user_id.js';
const start_session_event_name = 'start_session';
const new_prompt_event_name = 'new_prompt';
@ -69,7 +70,8 @@ export class ClearcutLogger {
console_type: 'GEMINI_CLI',
application: 102,
event_name: name,
client_install_id: getPersistentUserId(),
obfuscated_google_account_id: getObfuscatedGoogleAccountId(),
client_install_id: getInstallationId(),
event_metadata: [data] as object[],
};
}

View File

@ -0,0 +1,48 @@
/**
* @license
* Copyright 2025 Google LLC
* SPDX-License-Identifier: Apache-2.0
*/
import { describe, it, expect } from 'vitest';
import { getInstallationId, getObfuscatedGoogleAccountId } from './user_id.js';
describe('user_id', () => {
describe('getInstallationId', () => {
it('should return a valid UUID format string', () => {
const installationId = getInstallationId();
expect(installationId).toBeDefined();
expect(typeof installationId).toBe('string');
expect(installationId.length).toBeGreaterThan(0);
// Should return the same ID on subsequent calls (consistent)
const secondCall = getInstallationId();
expect(secondCall).toBe(installationId);
});
});
describe('getObfuscatedGoogleAccountId', () => {
it('should return a non-empty string', () => {
const result = getObfuscatedGoogleAccountId();
expect(result).toBeDefined();
expect(typeof result).toBe('string');
expect(result.length).toBeGreaterThan(0);
// Should be consistent on subsequent calls
const secondCall = getObfuscatedGoogleAccountId();
expect(secondCall).toBe(result);
});
it('should return the same as installation ID when no Google Account ID is cached', () => {
// In a clean test environment, there should be no cached Google Account ID
// so getObfuscatedGoogleAccountId should fall back to installation ID
const googleAccountIdResult = getObfuscatedGoogleAccountId();
const installationIdResult = getInstallationId();
// They should be the same when no Google Account ID is cached
expect(googleAccountIdResult).toBe(installationIdResult);
});
});
});

View File

@ -12,7 +12,7 @@ import { GEMINI_DIR } from './paths.js';
const homeDir = os.homedir() ?? '';
const geminiDir = path.join(homeDir, GEMINI_DIR);
const userIdFile = path.join(geminiDir, 'user_id');
const installationIdFile = path.join(geminiDir, 'installation_id');
function ensureGeminiDirExists() {
if (!fs.existsSync(geminiDir)) {
@ -20,39 +20,62 @@ function ensureGeminiDirExists() {
}
}
function readUserIdFromFile(): string | null {
if (fs.existsSync(userIdFile)) {
const userId = fs.readFileSync(userIdFile, 'utf-8').trim();
return userId || null;
function readInstallationIdFromFile(): string | null {
if (fs.existsSync(installationIdFile)) {
const installationid = fs.readFileSync(installationIdFile, 'utf-8').trim();
return installationid || null;
}
return null;
}
function writeUserIdToFile(userId: string) {
fs.writeFileSync(userIdFile, userId, 'utf-8');
function writeInstallationIdToFile(installationId: string) {
fs.writeFileSync(installationIdFile, installationId, 'utf-8');
}
/**
* Retrieves the persistent user ID from a file, creating it if it doesn't exist.
* This ID is used for unique user tracking.
* Retrieves the installation ID from a file, creating it if it doesn't exist.
* This ID is used for unique user installation tracking.
* @returns A UUID string for the user.
*/
export function getPersistentUserId(): string {
export function getInstallationId(): string {
try {
ensureGeminiDirExists();
let userId = readUserIdFromFile();
let installationId = readInstallationIdFromFile();
if (!userId) {
userId = randomUUID();
writeUserIdToFile(userId);
if (!installationId) {
installationId = randomUUID();
writeInstallationIdToFile(installationId);
}
return userId;
return installationId;
} catch (error) {
console.error(
'Error accessing persistent user ID file, generating ephemeral ID:',
'Error accessing installation ID file, generating ephemeral ID:',
error,
);
return '123456789';
}
}
/**
* Retrieves the obfuscated Google Account ID for the currently authenticated user.
* When OAuth is available, returns the user's cached Google Account ID. Otherwise, returns the installation ID.
* @returns A string ID for the user (Google Account ID if available, otherwise installation ID).
*/
export function getObfuscatedGoogleAccountId(): string {
// Try to get cached Google Account ID first
try {
// Dynamically import to avoid circular dependencies
// eslint-disable-next-line @typescript-eslint/no-require-imports, no-restricted-syntax
const { getCachedGoogleAccountId } = require('../code_assist/oauth2.js');
const googleAccountId = getCachedGoogleAccountId();
if (googleAccountId) {
return googleAccountId;
}
} catch (_error) {
// If there's any error accessing Google Account ID, fall back to installation ID
}
// Fall back to installation ID when no Google Account ID is cached or on error
return getInstallationId();
}