MediaMetz/gemini-cli
1
0
Fork 0
mirror of https://github.com/google-gemini/gemini-cli.git synced 2026-05-16 23:02:51 -07:00
Code Issues Packages Projects Releases Wiki Activity

Add fallback to encrypted file storage when keychain is not available

Browse Source
This commit is contained in:
Christine Betts
2026-02-24 15:11:58 -05:00
parent 6510347d5b
commit 3bbd1da6a1
5 changed files with 258 additions and 91 deletions
Download Patch File Download Diff File Expand all files Collapse all files
packages/cli/src/config/extensions/extensionSettings.test.ts
+37 -83
View File
@@ -21,7 +21,7 @@ import { ExtensionStorage } from './storage.js';
import prompts from 'prompts';
import * as fsPromises from 'node:fs/promises';
import * as fs from 'node:fs';
import { KeychainTokenStorage } from '@google/gemini-cli-core';
import { HybridSecretStorage } from '@google/gemini-cli-core';
import { EXTENSION_SETTINGS_FILENAME } from './variables.js';
vi.mock('prompts');
@@ -38,7 +38,7 @@ vi.mock('@google/gemini-cli-core', async (importOriginal) => {
await importOriginal<typeof import('@google/gemini-cli-core')>();
return {
...actual,
KeychainTokenStorage: vi.fn(),
HybridSecretStorage: vi.fn(),
};
});
@@ -51,33 +51,29 @@ describe('extensionSettings', () => {
beforeEach(() => {
vi.clearAllMocks();
mockKeychainData = {};
vi.mocked(KeychainTokenStorage).mockImplementation(
(serviceName: string) => {
if (!mockKeychainData[serviceName]) {
mockKeychainData[serviceName] = {};
}
const keychainData = mockKeychainData[serviceName];
return {
getSecret: vi
.fn()
.mockImplementation(
async (key: string) => keychainData[key] || null,
),
setSecret: vi
.fn()
.mockImplementation(async (key: string, value: string) => {
keychainData[key] = value;
}),
deleteSecret: vi.fn().mockImplementation(async (key: string) => {
delete keychainData[key];
vi.mocked(HybridSecretStorage).mockImplementation((serviceName: string) => {
if (!mockKeychainData[serviceName]) {
mockKeychainData[serviceName] = {};
}
const keychainData = mockKeychainData[serviceName];
return {
getSecret: vi
.fn()
.mockImplementation(async (key: string) => keychainData[key] || null),
setSecret: vi
.fn()
.mockImplementation(async (key: string, value: string) => {
keychainData[key] = value;
}),
listSecrets: vi
.fn()
.mockImplementation(async () => Object.keys(keychainData)),
isAvailable: vi.fn().mockResolvedValue(true),
} as unknown as KeychainTokenStorage;
},
);
deleteSecret: vi.fn().mockImplementation(async (key: string) => {
delete keychainData[key];
}),
listSecrets: vi
.fn()
.mockImplementation(async () => Object.keys(keychainData)),
isAvailable: vi.fn().mockResolvedValue(true),
} as unknown as HybridSecretStorage;
});
tempHomeDir = os.tmpdir() + path.sep + `gemini-cli-test-home-${Date.now()}`;
tempWorkspaceDir = path.join(
os.tmpdir(),
@@ -215,7 +211,7 @@ describe('extensionSettings', () => {
VAR1: 'previous-VAR1',
SENSITIVE_VAR: 'secret',
};
const userKeychain = new KeychainTokenStorage(
const userKeychain = new HybridSecretStorage(
`Gemini CLI Extensions test-ext 12345`,
);
await userKeychain.setSecret('SENSITIVE_VAR', 'secret');
@@ -255,7 +251,7 @@ describe('extensionSettings', () => {
settings: [],
};
const previousSettings = { SENSITIVE_VAR: 'secret' };
const userKeychain = new KeychainTokenStorage(
const userKeychain = new HybridSecretStorage(
`Gemini CLI Extensions test-ext 12345`,
);
await userKeychain.setSecret('SENSITIVE_VAR', 'secret');
@@ -421,53 +417,11 @@ describe('extensionSettings', () => {
undefined,
);
const userKeychain = new KeychainTokenStorage(
const userKeychain = new HybridSecretStorage(
`Gemini CLI Extensions test-ext 12345`,
);
expect(await userKeychain.getSecret('SENSITIVE_VAR')).toBeNull();
});
it('should not attempt to clear secrets if keychain is unavailable', async () => {
// Arrange
const mockIsAvailable = vi.fn().mockResolvedValue(false);
const mockListSecrets = vi.fn();
vi.mocked(KeychainTokenStorage).mockImplementation(
() =>
({
isAvailable: mockIsAvailable,
listSecrets: mockListSecrets,
deleteSecret: vi.fn(),
getSecret: vi.fn(),
setSecret: vi.fn(),
}) as unknown as KeychainTokenStorage,
);
const config: ExtensionConfig = {
name: 'test-ext',
version: '1.0.0',
settings: [], // Empty settings triggers clearSettings
};
const previousConfig: ExtensionConfig = {
name: 'test-ext',
version: '1.0.0',
settings: [{ name: 's1', description: 'd1', envVar: 'VAR1' }],
};
// Act
await maybePromptForSettings(
config,
'12345',
mockRequestSetting,
previousConfig,
undefined,
);
// Assert
expect(mockIsAvailable).toHaveBeenCalled();
expect(mockListSecrets).not.toHaveBeenCalled();
});
});
describe('promptForSetting', () => {
@@ -549,7 +503,7 @@ describe('extensionSettings', () => {
it('should return combined contents from user .env and keychain for USER scope', async () => {
const userEnvPath = path.join(extensionDir, EXTENSION_SETTINGS_FILENAME);
await fsPromises.writeFile(userEnvPath, 'VAR1=user-value1');
const userKeychain = new KeychainTokenStorage(
const userKeychain = new HybridSecretStorage(
`Gemini CLI Extensions test-ext 12345`,
);
await userKeychain.setSecret('SENSITIVE_VAR', 'user-secret');
@@ -573,7 +527,7 @@ describe('extensionSettings', () => {
EXTENSION_SETTINGS_FILENAME,
);
await fsPromises.writeFile(workspaceEnvPath, 'VAR1=workspace-value1');
const workspaceKeychain = new KeychainTokenStorage(
const workspaceKeychain = new HybridSecretStorage(
`Gemini CLI Extensions test-ext 12345 ${tempWorkspaceDir}`,
);
await workspaceKeychain.setSecret('SENSITIVE_VAR', 'workspace-secret');
@@ -597,7 +551,7 @@ describe('extensionSettings', () => {
EXTENSION_SETTINGS_FILENAME,
);
fs.mkdirSync(workspaceEnvPath);
const workspaceKeychain = new KeychainTokenStorage(
const workspaceKeychain = new HybridSecretStorage(
`Gemini CLI Extensions test-ext 12345 ${tempWorkspaceDir}`,
);
await workspaceKeychain.setSecret('SENSITIVE_VAR', 'workspace-secret');
@@ -634,7 +588,7 @@ describe('extensionSettings', () => {
userEnvPath,
'VAR1=user-value1\nVAR3=user-value3',
);
const userKeychain = new KeychainTokenStorage(
const userKeychain = new HybridSecretStorage(
`Gemini CLI Extensions test-ext ${extensionId}`,
);
await userKeychain.setSecret('VAR2', 'user-secret2');
@@ -645,7 +599,7 @@ describe('extensionSettings', () => {
EXTENSION_SETTINGS_FILENAME,
);
await fsPromises.writeFile(workspaceEnvPath, 'VAR1=workspace-value1');
const workspaceKeychain = new KeychainTokenStorage(
const workspaceKeychain = new HybridSecretStorage(
`Gemini CLI Extensions test-ext ${extensionId} ${tempWorkspaceDir}`,
);
await workspaceKeychain.setSecret('VAR2', 'workspace-secret2');
@@ -678,7 +632,7 @@ describe('extensionSettings', () => {
beforeEach(async () => {
const userEnvPath = path.join(extensionDir, '.env');
await fsPromises.writeFile(userEnvPath, 'VAR1=value1\n');
const userKeychain = new KeychainTokenStorage(
const userKeychain = new HybridSecretStorage(
`Gemini CLI Extensions test-ext 12345`,
);
await userKeychain.setSecret('VAR2', 'value2');
@@ -751,7 +705,7 @@ describe('extensionSettings', () => {
tempWorkspaceDir,
);
const userKeychain = new KeychainTokenStorage(
const userKeychain = new HybridSecretStorage(
`Gemini CLI Extensions test-ext 12345`,
);
expect(await userKeychain.getSecret('VAR2')).toBe('new-value2');
@@ -769,7 +723,7 @@ describe('extensionSettings', () => {
tempWorkspaceDir,
);
const workspaceKeychain = new KeychainTokenStorage(
const workspaceKeychain = new HybridSecretStorage(
`Gemini CLI Extensions test-ext 12345 ${tempWorkspaceDir}`,
);
expect(await workspaceKeychain.getSecret('VAR2')).toBe(
@@ -823,7 +777,7 @@ describe('extensionSettings', () => {
tempWorkspaceDir,
);
const userKeychain = new KeychainTokenStorage(
const userKeychain = new HybridSecretStorage(
`Gemini CLI Extensions test-ext 12345`,
);
expect(await userKeychain.getSecret('VAR2')).toBeNull();
@@ -849,7 +803,7 @@ describe('extensionSettings', () => {
it('should not throw if deleting a non-existent sensitive setting with empty value', async () => {
mockRequestSetting.mockResolvedValue('');
// Ensure it doesn't exist first
const userKeychain = new KeychainTokenStorage(
const userKeychain = new HybridSecretStorage(
`Gemini CLI Extensions test-ext 12345`,
);
await userKeychain.deleteSecret('VAR2');
packages/cli/src/config/extensions/extensionSettings.ts
+5 -8
View File
@@ -13,7 +13,7 @@ import { ExtensionStorage } from './storage.js';
import type { ExtensionConfig } from '../extension.js';
import prompts from 'prompts';
import { debugLogger, KeychainTokenStorage } from '@google/gemini-cli-core';
import { debugLogger, HybridSecretStorage } from '@google/gemini-cli-core';
import { EXTENSION_SETTINGS_FILENAME } from './variables.js';
export enum ExtensionSettingScope {
@@ -78,7 +78,7 @@ export async function maybePromptForSettings(
// The user can change the scope later using the `settings set` command.
const scope = ExtensionSettingScope.USER;
const envFilePath = getEnvFilePath(extensionName, scope);
const keychain = new KeychainTokenStorage(
const keychain = new HybridSecretStorage(
getKeychainStorageName(extensionName, extensionId, scope),
);
@@ -176,7 +176,7 @@ export async function getScopedEnvContents(
workspaceDir?: string,
): Promise<Record<string, string>> {
const { name: extensionName } = extensionConfig;
const keychain = new KeychainTokenStorage(
const keychain = new HybridSecretStorage(
getKeychainStorageName(extensionName, extensionId, scope, workspaceDir),
);
const envFilePath = getEnvFilePath(extensionName, scope, workspaceDir);
@@ -250,7 +250,7 @@ export async function updateSetting(
}
const newValue = await requestSetting(settingToUpdate);
const keychain = new KeychainTokenStorage(
const keychain = new HybridSecretStorage(
getKeychainStorageName(extensionName, extensionId, scope, workspaceDir),
);
@@ -339,7 +339,7 @@ function getSettingsChanges(
async function clearSettings(
envFilePath: string,
keychain: KeychainTokenStorage,
keychain: HybridSecretStorage,
) {
if (fsSync.existsSync(envFilePath)) {
const stat = fsSync.statSync(envFilePath);
@@ -347,9 +347,6 @@ async function clearSettings(
await fs.writeFile(envFilePath, '');
}
}
if (!(await keychain.isAvailable())) {
return;
}
const secrets = await keychain.listSecrets();
for (const secret of secrets) {
await keychain.deleteSecret(secret);
packages/core/src/index.ts
+2
View File
@@ -174,6 +174,8 @@ export type {
OAuthCredentials,
} from './mcp/token-storage/types.js';
export { MCPOAuthTokenStorage } from './mcp/oauth-token-storage.js';
export { HybridSecretStorage } from './mcp/token-storage/hybrid-secret-storage.js';
export { KeychainTokenStorage } from './mcp/token-storage/keychain-token-storage.js';
export type { MCPOAuthConfig } from './mcp/oauth-provider.js';
export type {
OAuthAuthorizationServerMetadata,
packages/core/src/mcp/token-storage/encrypted-file-secret-storage.ts
+152
View File
@@ -0,0 +1,152 @@
/**
* @license
* Copyright 2025 Google LLC
* SPDX-License-Identifier: Apache-2.0
*/
import { promises as fs } from 'node:fs';
import * as path from 'node:path';
import * as os from 'node:os';
import * as crypto from 'node:crypto';
import type { SecretStorage } from './types.js';
import { GEMINI_DIR, homedir } from '../../utils/paths.js';
export class EncryptedFileSecretStorage implements SecretStorage {
private readonly tokenFilePath: string;
private readonly encryptionKey: Buffer;
private readonly serviceName: string;
constructor(serviceName: string) {
this.serviceName = serviceName;
const configDir = path.join(homedir(), GEMINI_DIR);
this.tokenFilePath = path.join(configDir, 'extension-secrets-v1.json');
this.encryptionKey = this.deriveEncryptionKey();
}
private deriveEncryptionKey(): Buffer {
const salt = `${os.hostname()}-${os.userInfo().username}-gemini-cli`;
return crypto.scryptSync('gemini-cli-secrets', salt, 32);
}
private encrypt(text: string): string {
const iv = crypto.randomBytes(16);
const cipher = crypto.createCipheriv('aes-256-gcm', this.encryptionKey, iv);
let encrypted = cipher.update(text, 'utf8', 'hex');
encrypted += cipher.final('hex');
const authTag = cipher.getAuthTag();
return iv.toString('hex') + ':' + authTag.toString('hex') + ':' + encrypted;
}
private decrypt(encryptedData: string): string {
const parts = encryptedData.split(':');
if (parts.length !== 3) {
throw new Error('Invalid encrypted data format');
}
const iv = Buffer.from(parts[0], 'hex');
const authTag = Buffer.from(parts[1], 'hex');
const encrypted = parts[2];
const decipher = crypto.createDecipheriv(
'aes-256-gcm',
this.encryptionKey,
iv,
);
decipher.setAuthTag(authTag);
let decrypted = decipher.update(encrypted, 'hex', 'utf8');
decrypted += decipher.final('utf8');
return decrypted;
}
private async ensureDirectoryExists(): Promise<void> {
const dir = path.dirname(this.tokenFilePath);
await fs.mkdir(dir, { recursive: true, mode: 0o700 });
}
private async loadSecrets(): Promise<Record<string, Record<string, string>>> {
try {
const data = await fs.readFile(this.tokenFilePath, 'utf-8');
const decrypted = this.decrypt(data);
// eslint-disable-next-line @typescript-eslint/no-unsafe-type-assertion
return JSON.parse(decrypted) as Record<string, Record<string, string>>;
} catch (error: unknown) {
// eslint-disable-next-line @typescript-eslint/no-unsafe-type-assertion
const err = error as NodeJS.ErrnoException & { message?: string };
if (err.code === 'ENOENT') {
return {};
}
if (
err.message?.includes('Invalid encrypted data format') ||
err.message?.includes(
'Unsupported state or unable to authenticate data',
)
) {
throw new Error(
`Corrupted secret file detected at: ${this.tokenFilePath}
` + `Please delete or rename this file to resolve the issue.`,
);
}
throw error;
}
}
private async saveSecrets(
secrets: Record<string, Record<string, string>>,
): Promise<void> {
await this.ensureDirectoryExists();
const json = JSON.stringify(secrets, null, 2);
const encrypted = this.encrypt(json);
await fs.writeFile(this.tokenFilePath, encrypted, { mode: 0o600 });
}
async setSecret(key: string, value: string): Promise<void> {
const allSecrets = await this.loadSecrets();
if (!allSecrets[this.serviceName]) {
allSecrets[this.serviceName] = {};
}
allSecrets[this.serviceName][key] = value;
await this.saveSecrets(allSecrets);
}
async getSecret(key: string): Promise<string | null> {
const allSecrets = await this.loadSecrets();
return allSecrets[this.serviceName]?.[key] || null;
}
async deleteSecret(key: string): Promise<void> {
const allSecrets = await this.loadSecrets();
if (allSecrets[this.serviceName]?.[key]) {
delete allSecrets[this.serviceName][key];
// Clean up empty service object
if (Object.keys(allSecrets[this.serviceName]).length === 0) {
delete allSecrets[this.serviceName];
}
if (Object.keys(allSecrets).length === 0) {
try {
await fs.unlink(this.tokenFilePath);
} catch (error: unknown) {
// eslint-disable-next-line @typescript-eslint/no-unsafe-type-assertion
const err = error as NodeJS.ErrnoException;
if (err.code !== 'ENOENT') {
throw error;
}
}
} else {
await this.saveSecrets(allSecrets);
}
} else {
throw new Error(`No secret found for key: ${key}`);
}
}
async listSecrets(): Promise<string[]> {
const allSecrets = await this.loadSecrets();
return Object.keys(allSecrets[this.serviceName] || {});
}
}
packages/core/src/mcp/token-storage/hybrid-secret-storage.ts
+62
View File
@@ -0,0 +1,62 @@
/**
* @license
* Copyright 2025 Google LLC
* SPDX-License-Identifier: Apache-2.0
*/
import { KeychainTokenStorage } from './keychain-token-storage.js';
import { EncryptedFileSecretStorage } from './encrypted-file-secret-storage.js';
import type { SecretStorage } from './types.js';
export class HybridSecretStorage implements SecretStorage {
private storage: SecretStorage | null = null;
private storageInitPromise: Promise<SecretStorage> | null = null;
private readonly serviceName: string;
constructor(serviceName: string) {
this.serviceName = serviceName;
}
private async initializeStorage(): Promise<SecretStorage> {
const keychainStorage = new KeychainTokenStorage(this.serviceName);
const isAvailable = await keychainStorage.isAvailable();
if (isAvailable) {
this.storage = keychainStorage;
} else {
this.storage = new EncryptedFileSecretStorage(this.serviceName);
}
return this.storage;
}
private async getStorage(): Promise<SecretStorage> {
if (this.storage !== null) {
return this.storage;
}
if (!this.storageInitPromise) {
this.storageInitPromise = this.initializeStorage();
}
return this.storageInitPromise;
}
async setSecret(key: string, value: string): Promise<void> {
const storage = await this.getStorage();
await storage.setSecret(key, value);
}
async getSecret(key: string): Promise<string | null> {
const storage = await this.getStorage();
return storage.getSecret(key);
}
async deleteSecret(key: string): Promise<void> {
const storage = await this.getStorage();
await storage.deleteSecret(key);
}
async listSecrets(): Promise<string[]> {
const storage = await this.getStorage();
return storage.listSecrets();
}
}