Run gcpAuthRefresh to perform interactive authentication (e.g., gcloud auth application-default login). Streams output in real-time for user visibility.
/**
 * Run gcpAuthRefresh to perform interactive authentication
 * (e.g., gcloud auth application-default login).
 * Streams output in real-time for user visibility.
 *
 * Order of checks, none of which may be reordered:
 *   1. no configured command -> `false`, nothing runs;
 *   2. workspace-trust gate for commands that come from project settings;
 *   3. credential validity probe -> `false` when credentials are still valid;
 *   4. hand the configured command to `refreshGcpAuth`.
 *
 * Security notes for maintainers:
 *   - The trust gate applies only when the command originates from project
 *     settings, i.e. from a file a checked-out repository can supply.
 *   - The gate does NOT block when `getIsNonInteractiveSession()` is true, so a
 *     project-supplied command reaches `refreshGcpAuth` without an accepted
 *     trust dialog in that mode.
 *     NOTE(review): confirm non-interactive runs are only started in workspaces
 *     that are trusted by some other means.
 *   - Any exception from the validity probe is swallowed and treated as
 *     "credentials invalid", so the command runs on that path.
 *
 * @returns `false` when no command was run (not configured, blocked by the
 *   trust gate, or credentials already valid); otherwise whatever
 *   `refreshGcpAuth` resolves to (presumably whether the refresh succeeded;
 *   verify against `refreshGcpAuth`).
 */
async function runGcpAuthRefresh(): Promise<boolean> {
  const refreshCommand = getConfiguredGcpAuthRefresh()
  if (!refreshCommand) {
    // No refresh command configured: nothing to run, and not an error.
    return false
  }

  // SECURITY: a command taken from project settings must not run until the
  // user has accepted the workspace trust dialog. Short-circuit evaluation
  // keeps the call order: origin check, then trust check, then session mode.
  // checkHasTrustDialogAccepted() is called with no arguments here.
  const blockedByTrustGate =
    isGcpAuthRefreshFromProjectSettings() &&
    !checkHasTrustDialogAccepted() &&
    !getIsNonInteractiveSession()

  if (blockedByTrustGate) {
    // The command is NOT executed on this path; the Error exists only so the
    // unexpected call ordering is logged and can be diagnosed.
    const trustViolation = new Error(
      `Security: gcpAuthRefresh executed before workspace trust is confirmed. If you see this message, post in ${MACRO.FEEDBACK_CHANNEL}.`,
    )
    logAntError('gcpAuthRefresh invoked before trust check', trustViolation)
    logEvent('tengu_gcpAuthRefresh_missing_trust', {})
    return false
  }

  try {
    logForDebugging('Checking GCP credentials validity for auth refresh')
    if (await checkGcpCredentialsValid()) {
      logForDebugging(
        'GCP credentials are valid, skipping auth refresh command',
      )
      return false
    }
  } catch {
    // The validity probe itself failed; fall through and run the refresh.
  }

  return refreshGcpAuth(refreshCommand)
}
| 912 | |
| 913 | // Timeout for GCP auth refresh command (3 minutes). |
| 914 | // Long enough for browser-based auth flows, short enough to prevent indefinite hangs. |