g+dZddlZddlZddlmZmZmZddlmZddl m Z ddl m Z ddl mZddlmZdd lmZdd lmZmZmZdd lmZGd d Zy)z Supports using JWT's for authenticating into the proxy. Currently only supports admin. JWT token must have 'litellm_proxy_admin' in scope. N)ListOptionalcast)x509)default_backend) serialization)verbose_proxy_logger) DualCache) HTTPHandler) JWKKeyValue JWTKeyItemLiteLLM_JWTAuth) PrismaClientc eZdZUdZeeed<eed< d"dZ d#deedede de ddf d Z d e fd Z d edefd Zd edee fdZd edee dee fdZdefdZdefdZd edee dee fdZd$deedefdZd edee dee fdZd edee dee fdZd edee dee fdZd edefdZdee defdZdedee deefdZ de defdZ!d e defd Z"d!Z#y)% JWTHandlerz - treat the sub id passed in as the user id - return an error if id making request doesn't exist in proxy user table - track spend against the user id - if role="litellm_proxy_user" -> allow making calls + info. Can not edit budgets prisma_clientuser_api_key_cachereturnNc0t|_d|_y)Nr)r http_handlerleewayselfs R/var/www/openai/venv/lib/python3.12/site-packages/litellm/proxy/auth/handle_jwt.py__init__zJWTHandler.__init__#s(M litellm_jwtauthrc<||_||_||_||_yN)rrrr)rrrrrs rupdate_environmentzJWTHandler.update_environment)s#+"4. rtokenc@|jd}t|dk(S)N.)splitlen)rr!partss ris_jwtzJWTHandler.is_jwt5s C 5zQrscopesc6|jj|vryy)NTF)radmin_jwt_scope)rr)s ris_adminzJWTHandler.is_admin9s    / /6 9rcd|jj||jjSgSr)rteam_ids_jwt_field)rr!s rget_team_ids_from_jwtz JWTHandler.get_team_ids_from_jwt>s0    2 2 >--@@A A r default_valuec |jj||jj}|Sd} |S#t$r|}Y|SwxYwr)rend_user_id_jwt_fieldKeyErrorrr!r0user_ids rget_end_user_idzJWTHandler.get_end_user_idCs_ $##99E 4 4 J JK  $#G $/88 AAc2|jjyy)z` Returns: - True: if 'team_id_jwt_field' is set - False: if not FT)rteam_id_jwt_fieldrs ris_required_team_idzJWTHandler.is_required_team_idOs    1 1 9rcz|jj%t|jjtryy)z Returns: - True: if 'user_allowed_email_domain' is set - False: if 'user_allowed_email_domain' is None TF)ruser_allowed_email_domain isinstancestrrs ris_enforced_email_domainz#JWTHandler.is_enforced_email_domainYs7    9 9 E*  : :CK rc |jj||jj}|S|jj|jj}|Sd} |S#t$r|}Y|SwxYwr)rr9team_id_defaultr3)rr!r0team_ids r get_team_idzJWTHandler.get_team_idfs $##55A 4 4 F FG %%55A..>>  $#G $s/A&,A&!A&& A54A5valid_user_emailc8|dury|jjS)z Returns: - True: if 'user_id_upsert' is set AND valid_user_email is not False - False: if not F)ruser_id_upsert)rrDs ris_upsert_user_idzJWTHandler.is_upsert_user_idrs! u $##222rc |jj||jj}|S|} |S#t$r|}Y|SwxYwr)ruser_id_jwt_fieldr3r4s r get_user_idzJWTHandler.get_user_id|s_ $##55A 4 4 F FG ( $#G $r7c |jj||jj}|Sd} |S#t$r|}Y|SwxYwr)ruser_email_jwt_fieldr3)rr!r0 user_emails rget_user_emailzJWTHandler.get_user_emailsb '##88D"4#7#7#L#LM "  '&J 'r7c |jj||jj}|Sd} |S#t$r|}Y|SwxYwr)rorg_id_jwt_fieldr3)rr!r0org_ids r get_org_idzJWTHandler.get_org_ids_ ###44@t33DDE    #"F  #r7c t|dtr|dj}|St|dtr|d}|St dt |dd#t $rg}Y|SwxYw)NscopezUnmapped scope type - z. Supported types - list, str.)r=r>r%list Exceptiontyper3)rr!r)s r get_scopeszJWTHandler.get_scopess %.#.w--/ E'ND1w  ,T%.-A,BB`a F  s&AAA A.-A.kidc BKtjd}| td|jj dd{}||j j |d{}|j}d|vr|jd}n|}|jjd||jjd{n|}|j||}| td|d|d |d t|tt|S777Pw) NJWT_PUBLIC_KEY_URLz,Missing JWT Public Key URL from environment.litellm_jwt_auth_keyskeys)keyvaluettl)r]rYz"No matching public key found. kid=z , keys_url=z, cached_keys=z , len(keys)=)osgetenvrVrasync_get_cachergetjsonasync_set_cacherpublic_key_ttl parse_keysr&rdict)rrYkeys_url cached_keysresponse response_jsonr] public_keys rget_public_keyzJWTHandler.get_public_keys@9912  JK K 33CC #    !..228<$%488E4+@C+G3;! &%D$'Q E4(C/3;!!W Y]c4(!ggeT2G"GO"3-+3!$JrrMc|jjy|jdd}||jjk(ryy)NT@F)rr<r%)rrM email_domains ris_allowed_domainzJWTHandler.is_allowed_domainsF    9 9 A!'',R0 4//II IrcKgd}tjd}d}|ddi}ddl}ddlm}|j |}t jd||jdd}|j| d{} | t| trzi} d | vr| d | d <d| vr| d| d<d | vr| d | d <d | vr| d | d <|jtj| } |j|| ||||j } | S| t| t&r t)j*| j-t/}|j1j3t4j6j8t4j:j<}|j|||||} | St%d7C#|j"$r t%dt$$r} t%dt'| d} ~ wwxYw#|j"$r t%dt$$r} t%dt'| d} ~ wwxYww)N)RS256RS384RS512PS256PS384PS512 JWT_AUDIENCE verify_audFr) RSAAlgorithmz header: %srY)rYktyne) algorithmsoptionsaudiencerz Token ExpiredzValidation fails: )rrrzInvalid JWT Submitted)rarbjwtjwt.algorithmsrget_unverified_headerr debugrdror=rifrom_jwkredumpsdecoderExpiredSignatureErrorrVr>rload_pem_x509_certificateencoderrn public_bytesrEncodingPEM PublicFormatSubjectPublicKeyInfo)rr!rrdecode_optionsrrheaderrYrnjwkpublic_key_rsapayloadrcertr^s rauth_jwtzJWTHandler.auth_jwtscL 99^,  *E2N/**51""<8jj%..3.77  !jT&BC "'.E  "'.E j %c?Cj %c?C)224::c?CN ?**")*%;; % # :s(C ?55%%'): oo'44!**..!..CC **)%* %/00y86,, 100 ?"4SVH =>> ?0,, 100 ?"4SVH =>> ?s\A:I<F?=A,I*"G I BH3 I"H$G;;HI"I%H<<IIcTK|jjd{y7wr)rclosers rrzJWTHandler.closeAs%%'''s (&()rN)rr)$__name__ __module__ __qualname____doc__rr__annotations__r rrintr r>r(rUboolr,rirr/r6r:r?rCrGrJrNrRrXror r rhrwrrrrrrsL))!!   - & )     Ct 4DI  *23-  # T $   hsm QT 3(4.3D3hsmQT   *23-  # Xc]xPS}   & &$&B{#8JCW2CDP1CP1DP1d(rr)rreratypingrrr cryptographyrcryptography.hazmat.backendsrcryptography.hazmat.primitivesrlitellm._loggingr litellm.caching.cachingr 'litellm.llms.custom_httpx.httpx_handlerr litellm.proxy._typesr r rlitellm.proxy.utilsrrrrrrs? ''881-?II,j(j(r