安全修复(P0): - 移除硬编码的 OAuth client_secret(Antigravity、Gemini CLI), 改为通过环境变量注入(ANTIGRAVITY_OAUTH_CLIENT_SECRET、 GEMINI_CLI_OAUTH_CLIENT_SECRET) - 新增 logredact.RedactText() 对非结构化文本做敏感信息脱敏, 覆盖 GOCSPX-*/AIza* 令牌和常见 key=value 模式 - 日志中不再打印 org_uuid、account_uuid、email_address 等敏感值 安全修复(P1): - URL 验证增强:新增 ValidateHTTPURL 统一入口,支持 allowlist 和 私网地址阻断(localhost/内网 IP) - 代理回退安全:代理初始化失败时默认阻止直连回退,防止 IP 泄露, 可通过 security.proxy_fallback.allow_direct_on_error 显式开启 - Gemini OAuth 配置校验:client_id 与 client_secret 必须同时 设置或同时留空 其他改进: - 新增 tools/secret_scan.py 密钥扫描工具和 Makefile secret-scan 目标 - 更新所有 docker-compose 和部署配置,传递 OAuth secret 环境变量 - google_one OAuth 类型使用固定 redirectURI,与 code_assist 对齐 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
// Package geminicli provides helpers for interacting with Gemini CLI tools.
package geminicli
import "time"
// Service endpoints.
const (
	// AIStudioBaseURL is the base URL of the Generative Language (AI Studio) API.
	AIStudioBaseURL = "https://generativelanguage.googleapis.com"

	// GeminiCliBaseURL is the base URL used for Gemini CLI (Code Assist) requests.
	GeminiCliBaseURL = "https://cloudcode-pa.googleapis.com"
)

// Google OAuth 2.0 endpoints.
const (
	// AuthorizeURL is the Google OAuth 2.0 authorization endpoint.
	AuthorizeURL = "https://accounts.google.com/o/oauth2/v2/auth"

	// TokenURL is the Google OAuth 2.0 token endpoint.
	TokenURL = "https://oauth2.googleapis.com/token"
)

// Redirect URIs.
const (
	// AIStudioOAuthRedirectURI is the default redirect URI for AI Studio OAuth.
	// It follows the same copy/paste callback-URL flow this project uses for
	// OpenAI OAuth. The URI must still be registered on the Google OAuth client
	// unless the client type permits localhost redirect URIs.
	AIStudioOAuthRedirectURI = "http://localhost:1455/auth/callback"

	// GeminiCLIRedirectURI is the redirect URI Gemini CLI uses for Code Assist OAuth.
	GeminiCLIRedirectURI = "https://codeassist.google.com/authcode"
)

// OAuth scopes.
const (
	// DefaultCodeAssistScopes are the scopes required by Google's Code Assist API:
	// cloud-platform for API access plus the userinfo scopes.
	DefaultCodeAssistScopes = "https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile"

	// DefaultAIStudioScopes are the scopes for AI Studio (generativelanguage API via OAuth).
	// Reference: https://ai.google.dev/gemini-api/docs/oauth
	// For regular Google accounts this permits calls to generativelanguage.googleapis.com.
	// Google Auth platform currently documents the OAuth scope as
	// https://www.googleapis.com/auth/generative-language.retriever (often with cloud-platform).
	DefaultAIStudioScopes = "https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/generative-language.retriever"

	// DefaultGoogleOneScopes is kept only for backward compatibility and is not
	// actively used: Google One now always uses the built-in Gemini CLI client
	// with DefaultCodeAssistScopes.
	//
	// Deprecated: use DefaultCodeAssistScopes instead.
	DefaultGoogleOneScopes = "https://www.googleapis.com/auth/cloud-platform https://www.googleapis.com/auth/generative-language.retriever https://www.googleapis.com/auth/drive.readonly https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/userinfo.profile"
)

// Built-in Gemini CLI OAuth client.
const (
	// GeminiCLIOAuthClientID is the OAuth client ID of Google's Gemini CLI. The
	// client ID is public; together with its secret it enables the "login without
	// creating your own OAuth client" experience, but Google may restrict which
	// scopes are allowed for this client.
	GeminiCLIOAuthClientID = "681255809395-oo8ft2oprdrnp9e3aqf6av3hmdib135j.apps.googleusercontent.com"

	// GeminiCLIOAuthClientSecret is deliberately left empty: the secret is not
	// embedded in this repository. Anyone relying on the built-in Gemini CLI
	// OAuth client MUST supply the client_secret via config or the environment
	// variable named by GeminiCLIOAuthClientSecretEnv; an empty value means no
	// secret is configured here.
	GeminiCLIOAuthClientSecret = ""

	// GeminiCLIOAuthClientSecretEnv names the environment variable that carries
	// the built-in client's secret.
	GeminiCLIOAuthClientSecretEnv = "GEMINI_CLI_OAUTH_CLIENT_SECRET"
)

// Session and transport settings.
const (
	// SessionTTL is the time-to-live applied to sessions (presumably the OAuth
	// login session; confirm against the callers that use it).
	SessionTTL = 30 * time.Minute

	// GeminiCLIUserAgent mimics the Gemini CLI user agent to maximize
	// compatibility with internal endpoints.
	GeminiCLIUserAgent = "GeminiCLI/0.1.5 (Windows; AMD64)"
)