Add enforcedAuthType setting (#6564)

2026-04-02 17:31:05 -07:00 · 2025-09-03 15:33:37 -07:00
parent 5cc23f0cd8
commit 987f08a619
10 changed files with 194 additions and 18 deletions
--- a/packages/cli/src/validateNonInterActiveAuth.test.ts
+++ b/packages/cli/src/validateNonInterActiveAuth.test.ts
@@ -5,10 +5,10 @@
 */

 import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
-import type { NonInteractiveConfig } from './validateNonInterActiveAuth.js';
 import { validateNonInteractiveAuth } from './validateNonInterActiveAuth.js';
 import { AuthType } from '@google/gemini-cli-core';
 import * as auth from './config/auth.js';
+import { type LoadedSettings } from './config/settings.js';

 describe('validateNonInterActiveAuth', () => {
  let originalEnvGeminiApiKey: string | undefined;
@@ -16,9 +16,8 @@ describe('validateNonInterActiveAuth', () => {
  let originalEnvGcp: string | undefined;
  let consoleErrorSpy: ReturnType<typeof vi.spyOn>;
  let processExitSpy: ReturnType<typeof vi.spyOn>;
-  let refreshAuthMock: jest.MockedFunction<
-    (authType: AuthType) => Promise<unknown>
-  >;
+  let refreshAuthMock: vi.Mock;
+  let mockSettings: LoadedSettings;

  beforeEach(() => {
    originalEnvGeminiApiKey = process.env['GEMINI_API_KEY'];
@@ -32,6 +31,25 @@ describe('validateNonInterActiveAuth', () => {
      throw new Error(`process.exit(${code}) called`);
    });
    refreshAuthMock = vi.fn().mockResolvedValue('refreshed');
+    mockSettings = {
+      system: { path: '', settings: {} },
+      systemDefaults: { path: '', settings: {} },
+      user: { path: '', settings: {} },
+      workspace: { path: '', settings: {} },
+      errors: [],
+      setValue: vi.fn(),
+      merged: {
+        security: {
+          auth: {
+            enforcedType: undefined,
+          },
+        },
+      },
+      isTrusted: true,
+      migratedInMemorScopes: new Set(),
+      forScope: vi.fn(),
+      computeMergedSettings: vi.fn(),
+    } as unknown as LoadedSettings;
  });

  afterEach(() => {
@@ -54,7 +72,7 @@ describe('validateNonInterActiveAuth', () => {
  });

  it('exits if no auth type is configured or env vars set', async () => {
-    const nonInteractiveConfig: NonInteractiveConfig = {
+    const nonInteractiveConfig = {
      refreshAuth: refreshAuthMock,
    };
    try {
@@ -62,6 +80,7 @@ describe('validateNonInterActiveAuth', () => {
        undefined,
        undefined,
        nonInteractiveConfig,
+        mockSettings,
      );
      expect.fail('Should have exited');
    } catch (e) {
@@ -75,26 +94,28 @@ describe('validateNonInterActiveAuth', () => {

  it('uses LOGIN_WITH_GOOGLE if GOOGLE_GENAI_USE_GCA is set', async () => {
    process.env['GOOGLE_GENAI_USE_GCA'] = 'true';
-    const nonInteractiveConfig: NonInteractiveConfig = {
+    const nonInteractiveConfig = {
      refreshAuth: refreshAuthMock,
    };
    await validateNonInteractiveAuth(
      undefined,
      undefined,
      nonInteractiveConfig,
+      mockSettings,
    );
    expect(refreshAuthMock).toHaveBeenCalledWith(AuthType.LOGIN_WITH_GOOGLE);
  });

  it('uses USE_GEMINI if GEMINI_API_KEY is set', async () => {
    process.env['GEMINI_API_KEY'] = 'fake-key';
-    const nonInteractiveConfig: NonInteractiveConfig = {
+    const nonInteractiveConfig = {
      refreshAuth: refreshAuthMock,
    };
    await validateNonInteractiveAuth(
      undefined,
      undefined,
      nonInteractiveConfig,
+      mockSettings,
    );
    expect(refreshAuthMock).toHaveBeenCalledWith(AuthType.USE_GEMINI);
  });
@@ -103,13 +124,14 @@ describe('validateNonInterActiveAuth', () => {
    process.env['GOOGLE_GENAI_USE_VERTEXAI'] = 'true';
    process.env['GOOGLE_CLOUD_PROJECT'] = 'test-project';
    process.env['GOOGLE_CLOUD_LOCATION'] = 'us-central1';
-    const nonInteractiveConfig: NonInteractiveConfig = {
+    const nonInteractiveConfig = {
      refreshAuth: refreshAuthMock,
    };
    await validateNonInteractiveAuth(
      undefined,
      undefined,
      nonInteractiveConfig,
+      mockSettings,
    );
    expect(refreshAuthMock).toHaveBeenCalledWith(AuthType.USE_VERTEX_AI);
  });
@@ -117,13 +139,14 @@ describe('validateNonInterActiveAuth', () => {
  it('uses USE_VERTEX_AI if GOOGLE_GENAI_USE_VERTEXAI is true and GOOGLE_API_KEY is set', async () => {
    process.env['GOOGLE_GENAI_USE_VERTEXAI'] = 'true';
    process.env['GOOGLE_API_KEY'] = 'vertex-api-key';
-    const nonInteractiveConfig: NonInteractiveConfig = {
+    const nonInteractiveConfig = {
      refreshAuth: refreshAuthMock,
    };
    await validateNonInteractiveAuth(
      undefined,
      undefined,
      nonInteractiveConfig,
+      mockSettings,
    );
    expect(refreshAuthMock).toHaveBeenCalledWith(AuthType.USE_VERTEX_AI);
  });
@@ -134,13 +157,14 @@ describe('validateNonInterActiveAuth', () => {
    process.env['GOOGLE_GENAI_USE_VERTEXAI'] = 'true';
    process.env['GOOGLE_CLOUD_PROJECT'] = 'test-project';
    process.env['GOOGLE_CLOUD_LOCATION'] = 'us-central1';
-    const nonInteractiveConfig: NonInteractiveConfig = {
+    const nonInteractiveConfig = {
      refreshAuth: refreshAuthMock,
    };
    await validateNonInteractiveAuth(
      undefined,
      undefined,
      nonInteractiveConfig,
+      mockSettings,
    );
    expect(refreshAuthMock).toHaveBeenCalledWith(AuthType.LOGIN_WITH_GOOGLE);
  });
@@ -150,13 +174,14 @@ describe('validateNonInterActiveAuth', () => {
    process.env['GOOGLE_GENAI_USE_VERTEXAI'] = 'true';
    process.env['GOOGLE_CLOUD_PROJECT'] = 'test-project';
    process.env['GOOGLE_CLOUD_LOCATION'] = 'us-central1';
-    const nonInteractiveConfig: NonInteractiveConfig = {
+    const nonInteractiveConfig = {
      refreshAuth: refreshAuthMock,
    };
    await validateNonInteractiveAuth(
      undefined,
      undefined,
      nonInteractiveConfig,
+      mockSettings,
    );
    expect(refreshAuthMock).toHaveBeenCalledWith(AuthType.USE_VERTEX_AI);
  });
@@ -166,13 +191,14 @@ describe('validateNonInterActiveAuth', () => {
    process.env['GEMINI_API_KEY'] = 'fake-key';
    process.env['GOOGLE_CLOUD_PROJECT'] = 'test-project';
    process.env['GOOGLE_CLOUD_LOCATION'] = 'us-central1';
-    const nonInteractiveConfig: NonInteractiveConfig = {
+    const nonInteractiveConfig = {
      refreshAuth: refreshAuthMock,
    };
    await validateNonInteractiveAuth(
      undefined,
      undefined,
      nonInteractiveConfig,
+      mockSettings,
    );
    expect(refreshAuthMock).toHaveBeenCalledWith(AuthType.USE_GEMINI);
  });
@@ -180,13 +206,14 @@ describe('validateNonInterActiveAuth', () => {
  it('uses configuredAuthType if provided', async () => {
    // Set required env var for USE_GEMINI
    process.env['GEMINI_API_KEY'] = 'fake-key';
-    const nonInteractiveConfig: NonInteractiveConfig = {
+    const nonInteractiveConfig = {
      refreshAuth: refreshAuthMock,
    };
    await validateNonInteractiveAuth(
      AuthType.USE_GEMINI,
      undefined,
      nonInteractiveConfig,
+      mockSettings,
    );
    expect(refreshAuthMock).toHaveBeenCalledWith(AuthType.USE_GEMINI);
  });
@@ -194,7 +221,7 @@ describe('validateNonInterActiveAuth', () => {
  it('exits if validateAuthMethod returns error', async () => {
    // Mock validateAuthMethod to return error
    vi.spyOn(auth, 'validateAuthMethod').mockReturnValue('Auth error!');
-    const nonInteractiveConfig: NonInteractiveConfig = {
+    const nonInteractiveConfig = {
      refreshAuth: refreshAuthMock,
    };
    try {
@@ -202,6 +229,7 @@ describe('validateNonInterActiveAuth', () => {
        AuthType.USE_GEMINI,
        undefined,
        nonInteractiveConfig,
+        mockSettings,
      );
      expect.fail('Should have exited');
    } catch (e) {
@@ -216,7 +244,7 @@ describe('validateNonInterActiveAuth', () => {
    const validateAuthMethodSpy = vi
      .spyOn(auth, 'validateAuthMethod')
      .mockReturnValue('Auth error!');
-    const nonInteractiveConfig: NonInteractiveConfig = {
+    const nonInteractiveConfig = {
      refreshAuth: refreshAuthMock,
    };

@@ -226,6 +254,7 @@ describe('validateNonInterActiveAuth', () => {
      'invalid-auth-type' as AuthType,
      true, // useExternalAuth = true
      nonInteractiveConfig,
+      mockSettings,
    );

    expect(validateAuthMethodSpy).not.toHaveBeenCalled();
@@ -234,4 +263,44 @@ describe('validateNonInterActiveAuth', () => {
    // We still expect refreshAuth to be called with the (invalid) type
    expect(refreshAuthMock).toHaveBeenCalledWith('invalid-auth-type');
  });
+
+  it('uses enforcedAuthType if provided', async () => {
+    mockSettings.merged.security.auth.enforcedType = AuthType.USE_GEMINI;
+    mockSettings.merged.security.auth.selectedType = AuthType.USE_GEMINI;
+    // Set required env var for USE_GEMINI to ensure enforcedAuthType takes precedence
+    process.env['GEMINI_API_KEY'] = 'fake-key';
+    const nonInteractiveConfig = {
+      refreshAuth: refreshAuthMock,
+    };
+    await validateNonInteractiveAuth(
+      AuthType.USE_GEMINI,
+      undefined,
+      nonInteractiveConfig,
+      mockSettings,
+    );
+    expect(refreshAuthMock).toHaveBeenCalledWith(AuthType.USE_GEMINI);
+  });
+
+  it('exits if currentAuthType does not match enforcedAuthType', async () => {
+    mockSettings.merged.security.auth.enforcedType = AuthType.LOGIN_WITH_GOOGLE;
+    process.env['GOOGLE_GENAI_USE_VERTEXAI'] = 'true';
+    const nonInteractiveConfig = {
+      refreshAuth: refreshAuthMock,
+    };
+    try {
+      await validateNonInteractiveAuth(
+        AuthType.USE_GEMINI,
+        undefined,
+        nonInteractiveConfig,
+        mockSettings,
+      );
+      expect.fail('Should have exited');
+    } catch (e) {
+      expect((e as Error).message).toContain('process.exit(1) called');
+    }
+    expect(consoleErrorSpy).toHaveBeenCalledWith(
+      'The configured auth type is oauth-personal, but the current auth type is vertex-ai. Please re-authenticate with the correct type.',
+    );
+    expect(processExitSpy).toHaveBeenCalledWith(1);
+  });
 });