g0&xddlZddlmZmZddlmZmZmZddlm Z ddl m Z m Z m Z mZmZddlmZGdd Zy) N)ListOptional) HTTPExceptionRequeststatus)verbose_proxy_logger)CommonProxyErrorsLiteLLM_UserTable LiteLLMRoutesLitellmUserRolesUserAPIKeyAuth)_user_is_org_adminceZdZedeedeededede dede fdZ edefd Z eded e fd Zeded e fd Zeded ed e fdZededeed e fdZy) RouteChecksuser_obj _user_rolerouterequest valid_tokenapi_key request_datac tj|tj|ry |tjj vr|dk(ry |dk(r|j }|jd}tjd|d|j|rR||jk7rBttjdj||j|d k(ry |d k(ry y y y |tjj vrt!|d d d t!|d gvry |t"j$j k(rtj|rttjd|tj'|tj(j r{|dk(rS|st+|t,rb|j/} | D]+} | dvsttjd|d|d| dy ttjd|d|y y y |t"j0j k(r0tj'|tj2j ry t5||r0tj'|tj6j ry |t"j8j k(r0tj'|tj:j ry tj'|tj<j ry d} d}| |j>xsd} |jxsd}tAd|d| d|)zO Checks if Non Proxy Admin User is allowed to access the route rz /key/infoz /user/infouser_idz user_id: z & valid_token.user_id: zHkey not allowed to access this user's info. user_id={}, key's user_id={} status_codedetailz /model/infoz /team/info permissionsNget_spend_routesz5user not allowed to access this OpenAI routes, role= rallowed_routesz /user/update) user_emailpasswordz-user not allowed to access this route, role= z. Trying to access: z and updating invalid param: z-. only user_email and password can be updated)r user_objectunknownz^Only proxy admin can be used to generate, delete, update info for new keys/users/teams. Route=z . Your role=z. Your user_id=)!rcustom_admin_only_route_checkis_llm_api_router info_routesvalue query_paramsgetrdebugrrrHTTP_403_FORBIDDENformatglobal_spend_tracking_routesgetattrr PROXY_ADMIN_VIEW_ONLYcheck_route_accessmanagement_routes isinstancedictkeys INTERNAL_USERinternal_user_routesrorg_admin_allowed_routesINTERNAL_USER_VIEW_ONLYinternal_user_view_only_routesself_managed_routes user_role Exception) rrrrrrrr+r_params_updatedparamr>s T/var/www/openai/venv/lib/python3.12/site-packages/litellm/proxy/auth/route_checks.py$non_proxy_admin_allowed_routes_checkz0RouteChecks.non_proxy_admin_allowed_routes_checks 11 2   ' 'e ' 4  ]..44 4 #,&&33 &**95$**y(@ATAT@UVw+*=*=='$*$=$=ipp#[%8%8  -',&' >7 ]??EE E ]D9E"gk="&MM  +AAGG G++%+8# & 9 9RS]R^_--M,K,K,Q,Q.N*$/J|T4R*6*;*;*=%4E$,FF&3060I0I-Z[eZffz|A{BB_`e_ffS,T'"!"&5($*$=$=!NzlZnotnuv5S/, *88>> >..M,N,N,T,T/  %8 ,, (N(N(T(T-   *BBHH H..,KKQQ/   + + (I(I(O(O,  !IG#$..;) "**7ipqvpwxDENDOO^_f^gh cddlm}m}d|vr[|dur1tjdt j jy||dvrttjd|dy) Nr)general_settings premium_useradmin_only_routesTzFTrying to use 'admin_only_routes' this is an Enterprise only feature. z-user not allowed to access this route. Route=z is an admin only router) litellm.proxy.proxy_serverrFrGrerrorr not_premium_userr*rrr.)rrFrGs rBr'z)RouteChecks.custom_admin_only_route_checksM "2 24'$**\]n]]^F^F]GH()<==# & 9 9J5'Qhi rDreturncp|tjjvry|tjjvrytjjD] }d|vstj ||s ytj |ryd|vryd|vryd|vryd|vryd |vryd |vryd |vryd |vryy )z Helper to checks if provided route is an OpenAI route Returns: - True: if route is an OpenAI route - False: if route is not an OpenAI route T{rpatternrz /bedrock/z /vertex-ai/z/gemini/z/cohere/z /langfuse/z /anthropic/z/azure/z/openai/F)r openai_routesr*anthropic_routesr_route_matches_pattern_is_azure_openai_route)r openai_routes rBr(zRouteChecks.is_llm_api_routes M//55 5 M2288 8*77==Ll"556 >  - -E - : %  E !     5  E !    rDcfd}d}tj||stj||ryy)z Check if route is a route from AzureOpenAI SDK client eg. route='/openai/deployments/vertex_ai/gemini-1.5-flash/chat/completions' z2^/openai/deployments/[^/]+/[^/]+/chat/completions$z!^/engines/[^/]+/chat/completions$TF)rematch)rdeployment_patternengine_patterns rBrTz"RouteChecks._is_azure_openai_routes2S= 88& ."((>52QrDrPcltjdd|}d|d}tj||ryy)a Check if route matches the pattern placed in proxy/_types.py Example: - pattern: "/threads/{thread_id}" - route: "/threads/thread_49EIN5QF32s4mH20M7GFKdlZ" - returns: True - pattern: "/key/{token_id}/regenerate" - route: "/key/regenerate/82akk800000000jjsk" - returns: False, pattern is "/key/{token_id}/regenerate" z \{[^}]+\}z[^/]+^$TF)rWsubrXrOs rBrSz"RouteChecks._route_matches_patterns7&&x9gYa. 88GU #rDr"c8|vxstfd|DS)a% Check if a route has access by checking both exact matches and patterns Args: route (str): The route to check allowed_routes (list): List of allowed routes/patterns Returns: bool: True if route is allowed, False otherwise c3LK|]}tj|yw)rON)rrS).0 allowed_routers rB z1RouteChecks.check_route_access..s). !/   . .UM . R!/s!$)anyr!s` rBr3zRouteChecks.check_route_accesss+& #. !/. +  rDN)__name__ __module__ __qualname__ staticmethodrr r strrr r6rCr'boolr(rTrSrr3rDrBrrs"p,-p-.pp p $ p  pppd S  ////b c d  cCD* # tCy T  rDr)rWtypingrrfastapirrrlitellm._loggingrlitellm.proxy._typesr r r r r auth_checks_organizationrrrkrDrBrqs/ !2219m m rD