h08xddlZddlmZmZddlmZmZmZddlm Z ddl m Z m Z m Z mZmZddlmZGdd Zy) N)ListOptional) HTTPExceptionRequeststatus)verbose_proxy_logger)CommonProxyErrorsLiteLLM_UserTable LiteLLMRoutesLitellmUserRolesUserAPIKeyAuth)_user_is_org_adminc reZdZededefdZedededefdZededefdZ ede e d e e ded e ded ef d Zedefd ZededefdZededefdZededefdZedededefdZedededefdZededeedefdZed e defdZy) RouteChecksroute valid_tokenc ddlm}|j|tj ||y#t$rY#wxYw)zK Check if management route is disabled and raise exception r)EnterpriseRouteChecksr)rrT)*litellm_enterprise.proxy.auth.route_checksrshould_call_route Exceptionr$is_virtual_key_allowed_to_call_route)rrrs [/var/www/Befach/backend/env/lib/python3.12/site-packages/litellm/proxy/auth/route_checks.pyrzRouteChecks.should_call_routesN   X ! 3 3% 3 @ 88[ 9    s 2 >>returnc|jyt|jtsyt|jdk(ry||jvryt d|jDrX|jD]I}|t j vstj|t j|jsIy|jD]}tj||sytd|jd|)zR Raises Exception if Virtual Key is not allowed to call the route Trc3@K|]}|tjvyw)N)r _member_names_).0 allowed_routes r zCRouteChecks.is_virtual_key_allowed_to_call_route..:s#  ]99 9 srallowed_routesrpatternzLVirtual key is not allowed to call this route. Only allowed to call routes: z. Tried to call route: ) r$ isinstancelistlenanyr rrcheck_route_access _member_map_value_route_matches_wildcard_patternr)rrr!s rrz0RouteChecks.is_virtual_key_allowed_to_call_route%s#  % % -+44d; {)) *a / K.. .  !,!;!;  "-!;!;  M$@$@@"55#'4'A'A-'P'V'V6 $ "<)77M::]; 8 Z[f[u[uZvwNOTNU V  user_idchddlm}|rt|dkry|ddd}|j|S) z Mask user_id to prevent leaking sensitive information in error messages Args: user_id (str): The user_id to mask Returns: str: Masked user_id showing only first 2 and last 2 characters r)SensitiveDataMaskerz****)visible_prefixvisible_suffix mask_char)0litellm.litellm_core_utils.sensitive_data_maskerr2r) _mask_value)r0r2maskers r _mask_user_idzRouteChecks._mask_user_idQs; Y#g,!+%AaSVW!!'**r/user_obj _user_rolerequest request_datac Rtj|tj|ry |tjj vr|dk(ry |dk(r|j }|jd}tjd|d|j|rR||jk7rBttjdj||j|d k(ry |d k(ry y y y |tjj vrt!|d d d t!|d gvry |t"j$j k(rtj|rttjd|tj'|tj(j ry|dk(rS|t+|t,r|j/}|D]+} | dvsttjd|d|d| dy ttjd|d|ttjd|d|y y |t"j0j k(r0tj'|tj2j ry t5||r0tj'|tj6j ry |t"j8j k(r0tj'|tj:j ry tj'|tj<j ry |j?dry d} d}| |j@xsd} |jxsd}tjC|} tEd|d| d| )zO Checks if Non Proxy Admin User is allowed to access the route rz /key/infoz /user/infor0z user_id: z & valid_token.user_id: zHkey not allowed to access this user's info. user_id={}, key's user_id={} status_codedetailz /model/infoz /team/info permissionsNget_spend_routesz5user not allowed to access this OpenAI routes, role= r#z /user/update) user_emailpasswordz-user not allowed to access this route, role= z. Trying to access: z and updating invalid param: z-. only user_email and password can be updated)rA user_objectz/v1/mcp/unknownz^Only proxy admin can be used to generate, delete, update info for new keys/users/teams. Route=z . Your role=z. Your user_id=)#rcustom_admin_only_route_checkis_llm_api_router info_routesr- query_paramsgetrdebugr0rrHTTP_403_FORBIDDENformatglobal_spend_tracking_routesgetattrr PROXY_ADMIN_VIEW_ONLYr+management_routesr'dictkeys INTERNAL_USERinternal_user_routesrorg_admin_allowed_routesINTERNAL_USER_VIEW_ONLYinternal_user_view_only_routesself_managed_routes startswith user_roler=r) r>r?rr@rrArOr0_params_updatedparamramasked_user_ids r$non_proxy_admin_allowed_routes_checkz0RouteChecks.non_proxy_admin_allowed_routes_checkfs 11 2   ' 'e ' 4  ]..44 4 #,&&33 &**95$**y(@ATAT@UVw+*=*=='$*$=$=ipp#[%8%8  -',&' >7 ]??EE E ]D9E"gk="&MM  +AAGG G++%+8# & 9 9RS]R^_--M,K,K,Q,Q. N*#/J|T4R*6*;*;*=%4E$,FF&3060I0I-Z[eZffz|A{BB_`e_ffS,T'"!"&5($*$=$=!NzlZnotnuv $ & 9 9J:,Vjkpjqr5S/( *88>> >..M,N,N,T,T/  %8 ,, (N(N(T(T-   *BBHH H..,KKQQ/   + + (I(I(O(O,     j ) !IG#$..;) "**7i(66w?NpqvpwxDENDOO^_m^no r/cddlm}m}d|vr[|dur1tjdt j jy||dvrttjd|dy) Nr)general_settings premium_useradmin_only_routesTzFTrying to use 'admin_only_routes' this is an Enterprise only feature. z-user not allowed to access this route. Route=z is an admin only routerC) litellm.proxy.proxy_serverrgrhrerrorr not_premium_userr-rrrR)rrgrhs rrLz)RouteChecks.custom_admin_only_route_checksM "2 24'$**\]n]]^F^F]GH()<==# & 9 9J5'Qhi r/c|tjjvry|tjjvrytj |tj jrytjjD] }d|vstj||s ytj|rytjjD]}||vsyy)z Helper to checks if provided route is an OpenAI route Returns: - True: if route is an OpenAI route - False: if route is not an OpenAI route Tr#{r%rF) r openai_routesr-anthropic_routesrr+ mcp_routes_route_matches_pattern_is_azure_openai_routemapped_pass_through_routes)r openai_route_llm_passthrough_routes rrMzRouteChecks.is_llm_api_routes M//55 5 M2288 8  ) ) (@(@(F(F * *77==Ll"556 >  - -E - :&3&N&N&T&T "%.'Ur/c:|tjjvS)z6 Check if route is a management route )r rWr-rs ris_management_routezRouteChecks.is_management_routes  77====r/cfd}d}tj||stj||ryy)z Check if route is a route from AzureOpenAI SDK client eg. route='/openai/deployments/vertex_ai/gemini-1.5-flash/chat/completions' z2^/openai/deployments/[^/]+/[^/]+/chat/completions$z!^/engines/[^/]+/chat/completions$TF)rematch)rdeployment_patternengine_patterns rrsz"RouteChecks._is_azure_openai_route#s2S= 88& ."((>52Qr/r&cltjdd|}d|d}tj||ryy)a Check if route matches the pattern placed in proxy/_types.py Example: - pattern: "/threads/{thread_id}" - route: "/threads/thread_49EIN5QF32s4mH20M7GFKdlZ" - returns: True - pattern: "/key/{token_id}/regenerate" - route: "/key/regenerate/82akk800000000jjsk" - returns: False, pattern is "/key/{token_id}/regenerate" z \{[^}]+\}z[^/]+^$TF)rzsubr{r%s rrrz"RouteChecks._route_matches_pattern3s7&&x9gYa. 88GU #r/cZ|jdr|dd}|j|S||k(S)aY Check if route matches the wildcard pattern eg. pattern: "/scim/v2/*" route: "/scim/v2/Users" - returns: True pattern: "/scim/v2/*" route: "/chat/completions" - returns: False pattern: "/scim/v2/*" route: "/scim/v2/Users/123" - returns: True r6N)endswithr`)rr&prefixs rr.z+RouteChecks._route_matches_wildcard_patternIs;*   C Sb\F##F+ +G# #r/r$c8|vxstfd|DS)a% Check if a route has access by checking both exact matches and patterns Args: route (str): The route to check allowed_routes (list): List of allowed routes/patterns Returns: bool: True if route is allowed, False otherwise c3LK|]}tj|yw)r%N)rrr)r r!rs rr"z1RouteChecks.check_route_access..rs).   . .UM . R. s!$)r*r#s` rr+zRouteChecks.check_route_accessfs+& #. !/. +  r/cfd|jjvsd|jjvryy)z Returns True if `thread` or `assistant` is in the request path Args: request (Request): The request object Returns: bool: True if `thread` or `assistant` is in the request path, False otherwise thread assistantTF)urlpath)r@s r_is_assistants_api_requestz&RouteChecks._is_assistants_api_requestws- w{{'' ';'++:J:J+Jr/N)__name__ __module__ __qualname__ staticmethodstrr rboolrr=rr r rrXrerLrMrxrsrrr.rr+rr/rrrs>") ) !/) ) ) V+s+s++(x,-x-.xx x $ x  xxt S  ''''R>3>4>>  c d  cCD*$s$S$T$$8 # tCy T   G   r/r)rztypingrrfastapirrrlitellm._loggingrlitellm.proxy._typesr r r r r auth_checks_organizationrrrr/rrs/ !2219rrr/