clone/gemini-cli
1
0
Fork 0
mirror of https://github.com/google-gemini/gemini-cli.git synced 2026-02-01 22:48:03 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add enforcedAuthType setting (#6564)

Browse Source
This commit is contained in:
christine betts
2025-09-03 15:33:37 -07:00
committed by GitHub
parent 5cc23f0cd8
commit 987f08a619
10 changed files with 194 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
docs/cli/configuration.md
View File

@@ -240,6 +240,10 @@ Settings are organized into categories. All settings should be placed within the
- **Description:** The currently selected authentication type.
- **Default:** `undefined`
- **`security.auth.enforcedType`** (string):
- **Description:** The required auth type (useful for enterprises).
- **Default:** `undefined`
- **`security.auth.useExternal`** (boolean):
- **Description:** Whether to use an external authentication flow.
- **Default:** `undefined`

14
docs/cli/enterprise.md
View File

@@ -317,6 +317,20 @@ For auditing and monitoring purposes, you can configure Gemini CLI to send telem
**Note:** Ensure that `logPrompts` is set to `false` in an enterprise setting to avoid collecting potentially sensitive information from user prompts.
## Authentication
You can enforce a specific authentication method for all users by setting the `enforcedAuthType` in the system-level `settings.json` file. This prevents users from choosing a different authentication method. See the [Authentication docs](./authentication.md) for more details.
**Example:** Enforce the use of Google login for all users.
```json
{
"enforcedAuthType": "oauth-personal"
}
```
If a user has a different authentication method configured, they will be prompted to switch to the enforced method. In non-interactive mode, the CLI will exit with an error if the configured authentication method does not match the enforced one.
## Putting It All Together: Example System `settings.json`
Here is an example of a system `settings.json` file that combines several of the patterns discussed above to create a secure, controlled environment for Gemini CLI.

1
packages/cli/src/config/settings.ts
View File

@@ -85,6 +85,7 @@ const MIGRATION_MAP: Record<string, string> = {
excludeMCPServers: 'mcp.excluded',
folderTrust: 'security.folderTrust.enabled',
selectedAuthType: 'security.auth.selectedType',
enforcedAuthType: 'security.auth.enforcedType',
useExternalAuth: 'security.auth.useExternal',
autoConfigureMaxOldSpaceSize: 'advanced.autoConfigureMemory',
dnsResolutionOrder: 'advanced.dnsResolutionOrder',

10
packages/cli/src/config/settingsSchema.ts
View File

@@ -737,6 +737,16 @@ export const SETTINGS_SCHEMA = {
description: 'The currently selected authentication type.',
showInDialog: false,
},
enforcedType: {
type: 'string',
label: 'Enforced Auth Type',
category: 'Advanced',
requiresRestart: true,
default: undefined as AuthType | undefined,
description:
'The required auth type. If this does not match the selected auth type, the user will be prompted to re-authenticate.',
showInDialog: false,
},
useExternal: {
type: 'boolean',
label: 'Use External Auth',

1
packages/cli/src/gemini.tsx
View File

@@ -425,6 +425,7 @@ export async function main() {
settings.merged.security?.auth?.selectedType,
settings.merged.security?.auth?.useExternal,
config,
settings,
);
if (config.getDebugMode()) {

11
packages/cli/src/ui/App.tsx
View File

@@ -333,6 +333,16 @@ const App = ({ config, settings, startupWarnings = [], version }: AppProps) => {
useEffect(() => {
if (
settings.merged.security?.auth?.enforcedType &&
settings.merged.security?.auth.selectedType &&
settings.merged.security?.auth.enforcedType !==
settings.merged.security?.auth.selectedType
) {
setAuthError(
`Authentication is enforced to be ${settings.merged.security?.auth.enforcedType}, but you are currently using ${settings.merged.security?.auth.selectedType}.`,
);
openAuthDialog();
} else if (
settings.merged.security?.auth?.selectedType &&
!settings.merged.security?.auth?.useExternal
) {
@@ -346,6 +356,7 @@ const App = ({ config, settings, startupWarnings = [], version }: AppProps) => {
}
}, [
settings.merged.security?.auth?.selectedType,
settings.merged.security?.auth?.enforcedType,
settings.merged.security?.auth?.useExternal,
openAuthDialog,
setAuthError,

43
packages/cli/src/ui/components/AuthDialog.test.tsx
View File

@@ -427,4 +427,47 @@ describe('AuthDialog', () => {
expect(onSelect).toHaveBeenCalledWith(undefined, SettingScope.User);
unmount();
});
describe('enforcedAuthType', () => {
it('should display the enforced auth type message if enforcedAuthType is set', () => {
const settings: LoadedSettings = new LoadedSettings(
{
settings: {
security: {
auth: {
enforcedType: AuthType.USE_VERTEX_AI,
},
},
},
path: '',
},
{
settings: {
security: {
auth: {
selectedType: AuthType.USE_VERTEX_AI,
},
},
},
path: '',
},
{
settings: {},
path: '',
},
{
settings: {},
path: '',
},
true,
new Set(),
);
const { lastFrame } = renderWithProviders(
<AuthDialog onSelect={() => {}} settings={settings} />,
);
expect(lastFrame()).toContain('1. Vertex AI');
});
});
});

13
packages/cli/src/ui/components/AuthDialog.tsx
View File

@@ -62,7 +62,7 @@ export function AuthDialog({
}
return null;
});
const items = [
let items = [
{
label: 'Login with Google',
value: AuthType.LOGIN_WITH_GOOGLE,
@@ -82,7 +82,13 @@ export function AuthDialog({
{ label: 'Vertex AI', value: AuthType.USE_VERTEX_AI },
];
const initialAuthIndex = items.findIndex((item) => {
if (settings.merged.security?.auth?.enforcedType) {
items = items.filter(
(item) => item.value === settings.merged.security?.auth?.enforcedType,
);
}
let initialAuthIndex = items.findIndex((item) => {
if (settings.merged.security?.auth?.selectedType) {
return item.value === settings.merged.security.auth.selectedType;
}
@@ -100,6 +106,9 @@ export function AuthDialog({
return item.value === AuthType.LOGIN_WITH_GOOGLE;
});
if (settings.merged.security?.auth?.enforcedType) {
initialAuthIndex = 0;
}
const handleAuthSelect = (authMethod: AuthType) => {
const error = validateAuthMethod(authMethod);

99
packages/cli/src/validateNonInterActiveAuth.test.ts
View File

@@ -5,10 +5,10 @@
*/
import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
import type { NonInteractiveConfig } from './validateNonInterActiveAuth.js';
import { validateNonInteractiveAuth } from './validateNonInterActiveAuth.js';
import { AuthType } from '@google/gemini-cli-core';
import * as auth from './config/auth.js';
import { type LoadedSettings } from './config/settings.js';
describe('validateNonInterActiveAuth', () => {
let originalEnvGeminiApiKey: string | undefined;
@@ -16,9 +16,8 @@ describe('validateNonInterActiveAuth', () => {
let originalEnvGcp: string | undefined;
let consoleErrorSpy: ReturnType<typeof vi.spyOn>;
let processExitSpy: ReturnType<typeof vi.spyOn>;
let refreshAuthMock: jest.MockedFunction<
(authType: AuthType) => Promise<unknown>
>;
let refreshAuthMock: vi.Mock;
let mockSettings: LoadedSettings;
beforeEach(() => {
originalEnvGeminiApiKey = process.env['GEMINI_API_KEY'];
@@ -32,6 +31,25 @@ describe('validateNonInterActiveAuth', () => {
throw new Error(`process.exit(${code}) called`);
});
refreshAuthMock = vi.fn().mockResolvedValue('refreshed');
mockSettings = {
system: { path: '', settings: {} },
systemDefaults: { path: '', settings: {} },
user: { path: '', settings: {} },
workspace: { path: '', settings: {} },
errors: [],
setValue: vi.fn(),
merged: {
security: {
auth: {
enforcedType: undefined,
},
},
},
isTrusted: true,
migratedInMemorScopes: new Set(),
forScope: vi.fn(),
computeMergedSettings: vi.fn(),
} as unknown as LoadedSettings;
});
afterEach(() => {
@@ -54,7 +72,7 @@ describe('validateNonInterActiveAuth', () => {
});
it('exits if no auth type is configured or env vars set', async () => {
const nonInteractiveConfig: NonInteractiveConfig = {
const nonInteractiveConfig = {
refreshAuth: refreshAuthMock,
};
try {
@@ -62,6 +80,7 @@ describe('validateNonInterActiveAuth', () => {
undefined,
undefined,
nonInteractiveConfig,
mockSettings,
);
expect.fail('Should have exited');
} catch (e) {
@@ -75,26 +94,28 @@ describe('validateNonInterActiveAuth', () => {
it('uses LOGIN_WITH_GOOGLE if GOOGLE_GENAI_USE_GCA is set', async () => {
process.env['GOOGLE_GENAI_USE_GCA'] = 'true';
const nonInteractiveConfig: NonInteractiveConfig = {
const nonInteractiveConfig = {
refreshAuth: refreshAuthMock,
};
await validateNonInteractiveAuth(
undefined,
undefined,
nonInteractiveConfig,
mockSettings,
);
expect(refreshAuthMock).toHaveBeenCalledWith(AuthType.LOGIN_WITH_GOOGLE);
});
it('uses USE_GEMINI if GEMINI_API_KEY is set', async () => {
process.env['GEMINI_API_KEY'] = 'fake-key';
const nonInteractiveConfig: NonInteractiveConfig = {
const nonInteractiveConfig = {
refreshAuth: refreshAuthMock,
};
await validateNonInteractiveAuth(
undefined,
undefined,
nonInteractiveConfig,
mockSettings,
);
expect(refreshAuthMock).toHaveBeenCalledWith(AuthType.USE_GEMINI);
});
@@ -103,13 +124,14 @@ describe('validateNonInterActiveAuth', () => {
process.env['GOOGLE_GENAI_USE_VERTEXAI'] = 'true';
process.env['GOOGLE_CLOUD_PROJECT'] = 'test-project';
process.env['GOOGLE_CLOUD_LOCATION'] = 'us-central1';
const nonInteractiveConfig: NonInteractiveConfig = {
const nonInteractiveConfig = {
refreshAuth: refreshAuthMock,
};
await validateNonInteractiveAuth(
undefined,
undefined,
nonInteractiveConfig,
mockSettings,
);
expect(refreshAuthMock).toHaveBeenCalledWith(AuthType.USE_VERTEX_AI);
});
@@ -117,13 +139,14 @@ describe('validateNonInterActiveAuth', () => {
it('uses USE_VERTEX_AI if GOOGLE_GENAI_USE_VERTEXAI is true and GOOGLE_API_KEY is set', async () => {
process.env['GOOGLE_GENAI_USE_VERTEXAI'] = 'true';
process.env['GOOGLE_API_KEY'] = 'vertex-api-key';
const nonInteractiveConfig: NonInteractiveConfig = {
const nonInteractiveConfig = {
refreshAuth: refreshAuthMock,
};
await validateNonInteractiveAuth(
undefined,
undefined,
nonInteractiveConfig,
mockSettings,
);
expect(refreshAuthMock).toHaveBeenCalledWith(AuthType.USE_VERTEX_AI);
});
@@ -134,13 +157,14 @@ describe('validateNonInterActiveAuth', () => {
process.env['GOOGLE_GENAI_USE_VERTEXAI'] = 'true';
process.env['GOOGLE_CLOUD_PROJECT'] = 'test-project';
process.env['GOOGLE_CLOUD_LOCATION'] = 'us-central1';
const nonInteractiveConfig: NonInteractiveConfig = {
const nonInteractiveConfig = {
refreshAuth: refreshAuthMock,
};
await validateNonInteractiveAuth(
undefined,
undefined,
nonInteractiveConfig,
mockSettings,
);
expect(refreshAuthMock).toHaveBeenCalledWith(AuthType.LOGIN_WITH_GOOGLE);
});
@@ -150,13 +174,14 @@ describe('validateNonInterActiveAuth', () => {
process.env['GOOGLE_GENAI_USE_VERTEXAI'] = 'true';
process.env['GOOGLE_CLOUD_PROJECT'] = 'test-project';
process.env['GOOGLE_CLOUD_LOCATION'] = 'us-central1';
const nonInteractiveConfig: NonInteractiveConfig = {
const nonInteractiveConfig = {
refreshAuth: refreshAuthMock,
};
await validateNonInteractiveAuth(
undefined,
undefined,
nonInteractiveConfig,
mockSettings,
);
expect(refreshAuthMock).toHaveBeenCalledWith(AuthType.USE_VERTEX_AI);
});
@@ -166,13 +191,14 @@ describe('validateNonInterActiveAuth', () => {
process.env['GEMINI_API_KEY'] = 'fake-key';
process.env['GOOGLE_CLOUD_PROJECT'] = 'test-project';
process.env['GOOGLE_CLOUD_LOCATION'] = 'us-central1';
const nonInteractiveConfig: NonInteractiveConfig = {
const nonInteractiveConfig = {
refreshAuth: refreshAuthMock,
};
await validateNonInteractiveAuth(
undefined,
undefined,
nonInteractiveConfig,
mockSettings,
);
expect(refreshAuthMock).toHaveBeenCalledWith(AuthType.USE_GEMINI);
});
@@ -180,13 +206,14 @@ describe('validateNonInterActiveAuth', () => {
it('uses configuredAuthType if provided', async () => {
// Set required env var for USE_GEMINI
process.env['GEMINI_API_KEY'] = 'fake-key';
const nonInteractiveConfig: NonInteractiveConfig = {
const nonInteractiveConfig = {
refreshAuth: refreshAuthMock,
};
await validateNonInteractiveAuth(
AuthType.USE_GEMINI,
undefined,
nonInteractiveConfig,
mockSettings,
);
expect(refreshAuthMock).toHaveBeenCalledWith(AuthType.USE_GEMINI);
});
@@ -194,7 +221,7 @@ describe('validateNonInterActiveAuth', () => {
it('exits if validateAuthMethod returns error', async () => {
// Mock validateAuthMethod to return error
vi.spyOn(auth, 'validateAuthMethod').mockReturnValue('Auth error!');
const nonInteractiveConfig: NonInteractiveConfig = {
const nonInteractiveConfig = {
refreshAuth: refreshAuthMock,
};
try {
@@ -202,6 +229,7 @@ describe('validateNonInterActiveAuth', () => {
AuthType.USE_GEMINI,
undefined,
nonInteractiveConfig,
mockSettings,
);
expect.fail('Should have exited');
} catch (e) {
@@ -216,7 +244,7 @@ describe('validateNonInterActiveAuth', () => {
const validateAuthMethodSpy = vi
.spyOn(auth, 'validateAuthMethod')
.mockReturnValue('Auth error!');
const nonInteractiveConfig: NonInteractiveConfig = {
const nonInteractiveConfig = {
refreshAuth: refreshAuthMock,
};
@@ -226,6 +254,7 @@ describe('validateNonInterActiveAuth', () => {
'invalid-auth-type' as AuthType,
true, // useExternalAuth = true
nonInteractiveConfig,
mockSettings,
);
expect(validateAuthMethodSpy).not.toHaveBeenCalled();
@@ -234,4 +263,44 @@ describe('validateNonInterActiveAuth', () => {
// We still expect refreshAuth to be called with the (invalid) type
expect(refreshAuthMock).toHaveBeenCalledWith('invalid-auth-type');
});
it('uses enforcedAuthType if provided', async () => {
mockSettings.merged.security.auth.enforcedType = AuthType.USE_GEMINI;
mockSettings.merged.security.auth.selectedType = AuthType.USE_GEMINI;
// Set required env var for USE_GEMINI to ensure enforcedAuthType takes precedence
process.env['GEMINI_API_KEY'] = 'fake-key';
const nonInteractiveConfig = {
refreshAuth: refreshAuthMock,
};
await validateNonInteractiveAuth(
AuthType.USE_GEMINI,
undefined,
nonInteractiveConfig,
mockSettings,
);
expect(refreshAuthMock).toHaveBeenCalledWith(AuthType.USE_GEMINI);
});
it('exits if currentAuthType does not match enforcedAuthType', async () => {
mockSettings.merged.security.auth.enforcedType = AuthType.LOGIN_WITH_GOOGLE;
process.env['GOOGLE_GENAI_USE_VERTEXAI'] = 'true';
const nonInteractiveConfig = {
refreshAuth: refreshAuthMock,
};
try {
await validateNonInteractiveAuth(
AuthType.USE_GEMINI,
undefined,
nonInteractiveConfig,
mockSettings,
);
expect.fail('Should have exited');
} catch (e) {
expect((e as Error).message).toContain('process.exit(1) called');
}
expect(consoleErrorSpy).toHaveBeenCalledWith(
'The configured auth type is oauth-personal, but the current auth type is vertex-ai. Please re-authenticate with the correct type.',
);
expect(processExitSpy).toHaveBeenCalledWith(1);
});
});

16
packages/cli/src/validateNonInterActiveAuth.ts
View File

@@ -8,6 +8,7 @@ import type { Config } from '@google/gemini-cli-core';
import { AuthType } from '@google/gemini-cli-core';
import { USER_SETTINGS_PATH } from './config/settings.js';
import { validateAuthMethod } from './config/auth.js';
import { type LoadedSettings } from './config/settings.js';
function getAuthTypeFromEnv(): AuthType | undefined {
if (process.env['GOOGLE_GENAI_USE_GCA'] === 'true') {
@@ -26,8 +27,21 @@ export async function validateNonInteractiveAuth(
configuredAuthType: AuthType | undefined,
useExternalAuth: boolean | undefined,
nonInteractiveConfig: Config,
settings: LoadedSettings,
) {
const effectiveAuthType = configuredAuthType || getAuthTypeFromEnv();
const enforcedType = settings.merged.security?.auth?.enforcedType;
if (enforcedType) {
const currentAuthType = getAuthTypeFromEnv();
if (currentAuthType !== enforcedType) {
console.error(
`The configured auth type is ${enforcedType}, but the current auth type is ${currentAuthType}. Please re-authenticate with the correct type.`,
);
process.exit(1);
}
}
const effectiveAuthType =
enforcedType || getAuthTypeFromEnv() || configuredAuthType;
if (!effectiveAuthType) {
console.error(