gzdZddlZddlZddlZddlmZmZmZmZm Z m Z ddl m Z ddl Z ddlmZddlmZddlmZddlmZmZmZmZmZmZmZmZmZmZmZdd l m!Z!dd l"m#Z#m$Z$m%Z%dd l&m'Z'dd l(m)Z)d dl*m+Z+er ddl,m-Z.e.Z-neZ-edZ/dZ0ejbjdejfjdzZ4de5fdZ6de7de ede ede ede e8de7de9de e'de5fdZ:de9de;de5fd Ze9d?ed*ed,e e$fd@ZKd>e9d*ed,e e$fdAZLe%d;e9d)e#fdBZMd;e9d)e#fdCZNd;e9d)e#d*ed2ed3eEd,e e$d1e9defdDZOd1e9d,e e$d*ed+e e-de ef dEZP dSd;e9d)e e#d*ed+e e-d,e e$dFe e5dGe e5defdHZQe% dTd>e9d)e e#d*ed+e e-d,e e$dFe e5defdIZRdJeSdefdKZTe% dRdLe9d)e e#d*ed+e e-d,e e$f dMZUd.e9dNe e;dOede e jNde dPf dQZVy)Uz Got Valid Token from Cache, DB Run checks for: 1. If user can call model 2. If user is in budget 3. If end_user ('user' passed to /chat/completions, /embeddings endpoint) is in budget N) TYPE_CHECKINGAnyDictListLiteralOptional) BaseModel)verbose_proxy_logger) DualCache)LimitedSizeOrderedDict) DB_CONNECTION_ERROR_TYPESCommonProxyErrorsLiteLLM_EndUserTableLiteLLM_JWTAuthLiteLLM_OrganizationTableLiteLLM_TeamTableLiteLLM_TeamTableCachedObjLiteLLM_UserTable LiteLLMRoutesLitellmUserRolesUserAPIKeyAuth) RouteChecks) PrismaClient ProxyLogginglog_db_metrics)Router) ServiceTypes)$organization_role_based_access_check)Spand)max_sizereturncddlm}tjd}|j}|j j j|}d}tj|}| t|std|dtj|}||k7r)td|dtjj||k7r)td |d tjjy ) Nr)user_api_key_authr&zCaller function z is not callablezThe function 'z@' does not match the required signature of 'user_api_key_auth'. z'This function can only be imported by 'z'. T)$litellm.proxy.auth.user_api_key_authr&inspectstackfunctionframe f_globalsget signaturecallable Exception TypeErrorrnot_premium_uservalue ImportError)r& caller_framecaller_functioncaller_function_callableallowed_functionallowed_signaturecaller_signatures S/var/www/openai/venv/lib/python3.12/site-packages/litellm/proxy/auth/auth_checks.py_allowed_import_checkr=9sF==?1%L"++O+11;;??P*))*;<'x8P/Q*?*;;KLMM(()AB,,_--mnoQoQoWoWnX Y  **56F5GsK\KmKmKsKsJt u    request_body team_object user_objectend_user_objectglobal_proxy_spendgeneral_settingsroute llm_routerc t|jdd}|'|jdurtd|jd|||j t |j dkDr||j vrud|j vsd|j vsd |j vrnJt||j | durn/|rd|vrn(td|jd |d |j ||jx|jl|j|jkDrStj|j|jd|jd |jd|j| |jh|f|jZ|j} | |jkr?tj|j| d|jd |jd| |r|jf|jj} | N|j| kDr?tj|j| d|jd |jd| |jdd2|ddur+tj|rd|vrtd|dtjdkDrZ|Xtj|rB|dk7r=|dk7r8|tjkDr%tj|tj|jdixsi} | jdr$ddlm} | |} | durddlm}|ddd i!t)|||"y)#a Common checks across jwt + key-based auth. 1. If team is blocked 2. If team can call model 3. If team is in budget 4. If user passed in (JWT or key.user_id) - is in budget 5. If end_user (either via JWT or 'user' passed to /chat/completions, /embeddings endpoint) is in budget 6. [OPTIONAL] If 'enforce_end_user' enabled - did developer pass in 'user' param for openai endpoints 7. [OPTIONAL] If 'litellm.max_budget' is set (>0), is proxy under budget 8. [OPTIONAL] If guardrails modified - is request allowed to change this 9. Check if request body is safe 10. [OPTIONAL] Organization checks - is user_object.organization_id is set, run these checks modelNTzTeam=z6 is blocked. Update via `/team/unblock` if your admin.rzall-proxy-models*zopenai/*)rH team_modelsrFz not allowed to call model=z. Allowed team models = z over budget. Spend=z , Budget=) current_cost max_budgetmessagezExceededBudget: User=zExceededBudget: End User=enforce_user_param)rEuserz1'user' param not passed in. 'enforce_user_param'=z /v1/modelsz/modelsrKrLmetadata guardrails)can_modify_guardrailsF) HTTPExceptionierrorz8Your team does not have permission to modify guardrails.) status_codedetail)rArEr?)r=r.blockedr1team_idmodelslenmodel_in_access_grouprLspendlitellmBudgetExceededErroruser_idlitellm_budget_tableris_llm_api_route*litellm.proxy.guardrails.guardrail_helpersrSfastapirTr)r?r@rArBrCrDrErF_model user_budgetend_user_budget_request_metadatarS can_modifyrTs r< common_checksrjTs0   gt ,F;#6#6$#>K''((^ _    #    *  "" #a ' +,, , +"4"4 4k((([///  "+*<*<    v  ++,,GxOghshzhzg{|    " " .    )    6 6 6))$**"--K//00D[EVEVDWW`alawaw`xy     3 3 ;  #  " " .!,, ** *--(..&/ 0C0C/DDXYdYjYjXkktvAuBC "'K'K'W)>>II  &?+@+@?+R--,22*3O4K4K3LL`apavav`wxABQARS  148D 1 2d :  ' 'e 4|9SCDTUiDjCkl  Q  *  ( (u 5 \ ! Y   2 2 2--/GD"\*T0=   -W )u< r> user_routeallowed_routescr|D]2}|tjvr|t|jvry||k(s2yy)a  Return if a user is allowed to access route. Helper function for `allowed_routes_check`. Parameters: - user_route: str - the route the user is trying to call - allowed_routes: List[str|LiteLLMRoutes] - the list of allowed routes for the user. TF)r __members__r4)rkrl allowed_routes r<_allowed_routes_checkrpsB( ]66 6mM:@@@ j (( r> user_rolelitellm_proxy_rolesc|tjk(rt||j}|S|tjk(rC|j  t|ddg}|S|j t||j }|Sy)zE Check if user -> not admin - allowed to access these routes )rkrl openai_routes info_routesF)r PROXY_ADMINrpadmin_allowed_routesTEAMteam_allowed_routes)rqrkrr is_alloweds r<allowed_routes_checkr{s$000*!.CC  &++ +  2 2 : /% 6VJ  4 4 @.%2FFJ  r>user_api_key_dictrequested_user_idcd}|jtjk7r|jtjk7rd}||j|j|k(rd}|S)NTF)rqrrvPROXY_ADMIN_VIEW_ONLYr`)r|r}ret_vals r< allowed_route_check_inside_routerscG##'7'C'CC  ' '+;+Q+Q Q$):)B)B)N  $ $(9 9G Nr>cg}|D]} t|j}||z}|S#t$r|j|Y.check_in_budgetLs\  , , 4 &;;FF  &<+=+=+O--)//O ,P &r>key)rr`raTwhereincluderr4) r1formatrasync_get_cache isinstancedictdblitellm_endusertable find_uniqueasync_set_cacher^r_) rrrrr_keyrcached_user_obj return_objresponse _responsees r<get_end_user_objectr8sw)**  " "; /D&:/>>4>HHO" ot ,-@@J  4  )= >(J  4 &))>>JJk*+T2K    O!00 '' 4H1   );8==?; Y/;I    a44 5GsaAEDA E.D<D=1D.D/'DEDD E &EEE  ErHrJcddlm}|y||vry|t}|r|j|}t |dkDrt |D] \}}||vs y|Dcgc] }||vs| }}||vryycc}w)Nr defaultdictT model_nameF) collectionsrlistget_model_access_groupsr[ enumerate)rHrJrFr access_groupsidxmfiltered_modelss r<r\r\zs( *5d*;M"::e:L  =A  FCM!  #.H+Q-1Gq+OH   Is  A0$A0rlast_db_access_timedb_cache_expirycptj}||vry||dy||d |||z |k\ryy)zM Prevent calling db repeatedly for items that don't exist in the db. TrFtime)rrr current_times r<_should_check_dbrsW 99;L %%C #/ S !! $ , -c2 2o E r>r4c6|tjf||<yrrrr4rs r<_update_last_db_access_timers!&tyy{3r>r`user_id_upsertcK|y|j|d{}|-t|tr tdi|St|tr|S| t d dj |}t |tt}|r4|jjjd|iddi d{} nd} | <|r4|jjjd|iddi d{} nt| jHt| jd kDr0| jD cgc]} | | j} } | | _ tdit| } | j} |j!|| d{t#|| t | S777cc} w7$#t$r}t%d|d|d}~wwxYww)z - Check if user id in proxy User Table - if valid, return LiteLLM_UserTable object with defined limits - if not, then raise an error Nrrz user_id:{}rrrr`organization_membershipsTr)datarrrrz$User doesn't exist in db. 'user_id'=z0. Create user via `/user/new` call. Got error - r)rrrrr1rrrrrlitellm_usertablercreaterr[ model_dumprr ValueError)r`rrrrrrdb_access_time_keyshould_check_dbr membership_dumped_membershipsr response_dictrs r<get_user_objectrs$/>>7>KKO" ot ,$77 7 ): ;" ")**5 )009*" 3+  *--??KK '*5OQU4VLHH  !.!1!1!C!C!J!J#W-7>"K"    - - 9H556: #+"C"C#"CJ)%%'"C # 1DH -%7X7 !,,. !00WM0RRR $" 3 uL$# S  27);klmkn o   sxGF!AGAF/4F$59F/.F&/=F/,F(AF/F- F/ G$F/&F/(F// G8G  GGcFK|j||d{y7w)Nr)rrr4rrs r<_cache_management_objectrs!  , ,E , BBBs !!rY team_tablecKdj|}tj|_t||||d{y7w)N team_id:{}r)rrlast_refreshed_atr)rYrrrrs r<_cache_team_objectrsF   g &C$(99;J " -+  s=AAA hashed_tokenuser_api_key_objctK|}tj|_t||||d{y7w)Nr)rrr)rrrrrs r<_cache_key_objectr"s< C*.& " -+  s .868cK|}|j||/|jjj|d{yy7w)Nr) delete_cacheinternal_usage_cache dual_cacheasync_delete_cache)rrrrs r<_delete_cache_key_objectr5s] C###,$44??RRS   % sAA A A cnK|jjjd|id{S7wNrYrrlitellm_teamtablerrYrs r<_get_team_db_checkrEs=!!33??'"@   ,535cnK|jjjd|id{S7wrrrs r<_get_team_object_from_dbrLs=!!33??'"@  rcK|}t|||}|rt||d{} nd} | ttdi| j } t || ||d{t || || S7O7w)Nrr)rYrrrrr)rrr1rrrr) rYrrrrrrrrrrs r<(_get_team_object_from_user_api_key_cacherRs& /'O +=  *=X]]_=I -+   / 5 s!#A9A5:A9 A7!A97A9c<Kd}|E|jjr/|jjj||d{}||j|d{}|-t|tr t di|St|t r|Sy7P76w)N)rrrr)rrrrrr)rrrrcached_team_objs r<_get_team_object_from_cachers =AO %  2 2 = =$88CCSS*:T    2 B Bs B KK" ot ,-@@ @ )C D" "   Ls$ABBB#B$5BBcheck_cache_only check_db_onlyc (K| tddj|}|s,t||||d{}||S|rtd|d t||||tt |d{S7<7#t$rtd|d wxYww) - Check if team id in proxy Team Table - if valid, return LiteLLM_TeamTable object with defined limits - if not, then raise an error NFNo DB Connected. See - https://docs.litellm.ai/docs/proxy/virtual_keysr)rrrrz:Team doesn't exist in cache + check_cache_only=True. Team=.)rYrrrrrrzTeam doesn't exist in db. Team=z#. Create team via `/team/new` call.)r1rrrrr) rYrrrrrrrrs r<get_team_objectrs T    g &C  ;/1- !    &" " LWIUVW   ='1/ 3+   # "   -gY6Y Z   s93BA2BA6-A4.A61B4A66BBcHK| td|}|j|d{}|-t|tr t di|St|tr|S|rtd|d |j |d||d{}|tt di|j d } t|| || d{| S77B7 #t$r} t| d{7cYd} ~ Sd} ~ wt$r$tjtd |d wxYww)rNrrz8Key doesn't exist in cache + check_cache_only=True. key=r combined_view)token table_namerrT) exclude_none)rrrr)rzKey doesn't exist in db. key=z&. Create key via `/key/generate` call.r) r1rrrrget_datarrr /_handle_failed_db_connection_for_get_key_object traceback print_exc) rrrrrrrcached_key_obj _valid_tokenrrs r<get_key_objectrsn T  C5G5W5W 6X60N! nd +!3N3 3  7! !Fse1 M   2?2H2H&-/ 3I3 -   O"P\%<%<$%<%OP  %&1/    K0"-   %JDqIIII  +L>9_ `   sp%D"CAD"-C C9C ?C C D"C C DC/$C'%C/)D*D"/0DD"rcKddlm}m}m}|j dddur;|j j tjd|dtd d | S|w) a< Handles httpx.ConnectError when reading a Virtual Key from LiteLLM DB Use this if you don't want failed DB queries to block LLM API reqiests Returns: - UserAPIKeyAuth: If general_settings.allow_requests_on_db_unavailable is True Raises: - Orignal Exception in all other cases r)rDlitellm_proxy_admin_namer allow_requests_on_db_unavailableFTrg)service call_typerUdurationzfailed-to-connect-to-db)key_namerr`) litellm.proxy.proxy_serverrDrrr.service_logging_objservice_failure_hookrDBr)rrDrrs r<rrsq>F$N--BB OO& C .+,  sAAorg_idcdK| td|jdj|}|$t|tr|St|t r|S |j jjd|id{}|t|S7#t$rtd|dwxYww) z - Check if org id in proxy Org Table - if valid, return LiteLLM_OrganizationTable object - if not, then raise an error Nrz org_id:{}rorganization_idrz/Organization doesn't exist in db. Organization=z3. Create organization via `/organization/new` call.) r1rrrrrrlitellm_organizationtabler)rrrrrcached_org_objrs r<get_org_objectrCs T  (77KNRW>WUVaVhVhUii{}B|C D  )K #O#44J;K]K]J^_ 'PsBEE' E1E5B"E)NN)NNNN)NNN)W__doc__r)rrtypingrrrrrrpydanticr r^litellm._loggingr litellm.caching.cachingr litellm.caching.dual_cacher litellm.proxy._typesr rrrrrrrrrrlitellm.proxy.auth.route_checksrlitellm.proxy.utilsrrrlitellm.routerrlitellm.types.servicesrauth_checks_organizationropentelemetry.tracer _Spanrrrtr4management_routes all_routesboolr=rfloatstrrjrrprvrx INTERNAL_USERr{rrrr\intrrrrrrrrrrrrrr1rrrrr>r<r1sN DD1-=    8JJ!/J1 D D-c:  ( ( . .1P1P1V1V V t6MM+,M+,M23 M ! M  M M M M`c4D&#$$&& (#  #)# #L % }    dt (,04 >#>L)>">tn >  - > "# >>B %d3i0>Fv>N < #9LO (4 4c]49O4  (,04 P P L)P "P  P tn P  - P  P P fC C C"C - C *" - &$" - &    !   -  c, C  * **"*0 *  *  - * * *Z  -"tn  () H(,04'+$(4 4 L)4 "4 tn 4  - 4 tn 4 D>4  4 n (,04'+ A A L)A "A tn A  - A tn A A A H%%%P (,04 % % L)% "% tn %  - % % P8 8TN8 8( 8  T] 8r>