feat(security): add configuration to toggle Gemini CLI endpoint access
Closes: #2445
@@ -100,6 +100,10 @@ routing:
|
|||||||
# When true, enable authentication for the WebSocket API (/v1/ws).
|
# When true, enable authentication for the WebSocket API (/v1/ws).
|
||||||
ws-auth: false
|
ws-auth: false
|
||||||
|
|
||||||
|
# When true, enable Gemini CLI internal endpoints (/v1internal:*).
|
||||||
|
# Default is false for safety.
|
||||||
|
enable-gemini-cli-endpoint: false
|
||||||
|
|
||||||
# When > 0, emit blank lines every N seconds for non-streaming responses to prevent idle timeouts.
|
# When > 0, emit blank lines every N seconds for non-streaming responses to prevent idle timeouts.
|
||||||
nonstream-keepalive-interval: 0
|
nonstream-keepalive-interval: 0
|
||||||
|
|
||||||
|
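Review bot: The new comment `# Default is false for safety.` on `enable-gemini-cli-endpoint` tells an operator neither what is being guarded nor what happens when the key is off, while the Go field doc added in the same commit does. Suggest replacing it with `# Default is false; when false, /v1internal:* requests are rejected (403 Forbidden).` It is also worth a word that this key is an exposure switch for the internal endpoints rather than authentication — the neighbouring `ws-auth` key is the one that adds auth, and this one only turns the routes on or off.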
|||||||
@@ -9,6 +9,10 @@ type SDKConfig struct {
|
|||||||
// ProxyURL is the URL of an optional proxy server to use for outbound requests.
|
// ProxyURL is the URL of an optional proxy server to use for outbound requests.
|
||||||
ProxyURL string `yaml:"proxy-url" json:"proxy-url"`
|
ProxyURL string `yaml:"proxy-url" json:"proxy-url"`
|
||||||
|
|
||||||
|
// EnableGeminiCLIEndpoint controls whether Gemini CLI internal endpoints (/v1internal:*) are enabled.
|
||||||
|
// Default is false for safety; when false, /v1internal:* requests are rejected.
|
||||||
|
EnableGeminiCLIEndpoint bool `yaml:"enable-gemini-cli-endpoint" json:"enable-gemini-cli-endpoint"`
|
||||||
|
|
||||||
// ForceModelPrefix requires explicit model prefixes (e.g., "teamA/gemini-3-pro-preview")
|
// ForceModelPrefix requires explicit model prefixes (e.g., "teamA/gemini-3-pro-preview")
|
||||||
// to target prefixed credentials. When false, unprefixed model requests may use prefixed
|
// to target prefixed credentials. When false, unprefixed model requests may use prefixed
|
||||||
// credentials as well.
|
// credentials as well.
|
||||||
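Review bot: The doc comment on EnableGeminiCLIEndpoint states what happens when it is false but not how it composes with the localhost-only restriction that CLIHandler's own comment describes, which is what an operator flipping it to true will want to know. Suggest adding `// Enabling it does not relax the localhost-only restriction CLIHandler applies; both gates must pass.` so nobody reads the flag as a remote-access switch. The SDKConfig struct continues outside the hunk, so I cannot see whether any loader applies a non-zero default; the zero value is the safe one here, so none should be needed.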
|
|||||||
@@ -50,6 +50,16 @@ func (h *GeminiCLIAPIHandler) Models() []map[string]any {
|
|||||||
// CLIHandler handles CLI-specific requests for Gemini API operations.
|
// CLIHandler handles CLI-specific requests for Gemini API operations.
|
||||||
// It restricts access to localhost only and routes requests to appropriate internal handlers.
|
// It restricts access to localhost only and routes requests to appropriate internal handlers.
|
||||||
func (h *GeminiCLIAPIHandler) CLIHandler(c *gin.Context) {
|
func (h *GeminiCLIAPIHandler) CLIHandler(c *gin.Context) {
|
||||||
|
if h.Cfg == nil || !h.Cfg.EnableGeminiCLIEndpoint {
|
||||||
|
c.JSON(http.StatusForbidden, handlers.ErrorResponse{
|
||||||
|
Error: handlers.ErrorDetail{
|
||||||
|
Message: "Gemini CLI endpoint is disabled",
|
||||||
|
Type: "forbidden",
|
||||||
|
},
|
||||||
|
})
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
requestHost := c.Request.Host
|
requestHost := c.Request.Host
|
||||||
requestHostname := requestHost
|
requestHostname := requestHost
|
||||||
if hostname, _, errSplitHostPort := net.SplitHostPort(requestHost); errSplitHostPort == nil {
|
if hostname, _, errSplitHostPort := net.SplitHostPort(requestHost); errSplitHostPort == nil {
|
||||||
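Review bot: The new guard at the top of CLIHandler runs before the localhost check and answers with 403 and the message `"Gemini CLI endpoint is disabled"`, so any client that can reach the listener learns both that the internal endpoints exist and whether the operator has enabled them. Consider running the flag check after the host restriction, or answering in a way that does not confirm the endpoint, e.g. `c.AbortWithStatusJSON(http.StatusNotFound, handlers.ErrorResponse{Error: handlers.ErrorDetail{Message: "not found", Type: "not_found"}})`, which as a bonus aborts any handlers chained after this one instead of relying on the bare `return`. The fail-closed treatment of `h.Cfg == nil` is the right call and should stay. Note that the localhost restriction on the following lines appears to key off `c.Request.Host`, which is the client-supplied Host header, so this flag is the only gate in the handler a remote caller cannot influence; the rest of CLIHandler, including the host comparison, is outside the hunk.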
|
|||||||