fa45d8aa5f
- health_checklist.json: 192.168.1.122→node122
- ocr_client.py: docstring IP→node122
- docs/market-data-requirements.md: IP→node122
- 所有API调用通过ProxyHandler({})绕过系统代理
Privoxy对node122:18003返回500,直连正常
946 lines
37 KiB
Python
946 lines
37 KiB
Python
import re
|
|
from typing import List, Optional
|
|
|
|
from fastapi import HTTPException, Request, status
|
|
|
|
from litellm._logging import verbose_proxy_logger
|
|
from litellm.proxy._types import (
|
|
CommonProxyErrors,
|
|
KeyManagementRoutes,
|
|
LiteLLM_UserTable,
|
|
LiteLLMRoutes,
|
|
LitellmUserRoles,
|
|
UserAPIKeyAuth,
|
|
)
|
|
|
|
from .auth_checks_organization import _user_is_org_admin
|
|
|
|
# Management write routes denied to PROXY_ADMIN_VIEW_ONLY. Adding a new write
|
|
# endpoint to a management router REQUIRES adding it here too — the surrounding
|
|
# check falls through to "allow" if the route is not matched, which previously
|
|
# let view-only admins call /team/block, /team/unblock, /key/bulk_update, etc.
|
|
_PROXY_ADMIN_VIEW_ONLY_BLOCKED_ROUTES = frozenset(
|
|
[
|
|
# user
|
|
"/user/new",
|
|
"/user/delete",
|
|
"/user/bulk_update",
|
|
# team
|
|
"/team/new",
|
|
"/team/update",
|
|
"/team/delete",
|
|
"/team/block",
|
|
"/team/unblock",
|
|
"/team/permissions_update",
|
|
"/team/permissions_bulk_update",
|
|
# model
|
|
"/model/new",
|
|
"/model/update",
|
|
"/model/delete",
|
|
# JWT key mapping
|
|
"/jwt/key/mapping/new",
|
|
"/jwt/key/mapping/update",
|
|
"/jwt/key/mapping/delete",
|
|
# key management — keep in sync with KeyManagementRoutes write entries
|
|
KeyManagementRoutes.KEY_GENERATE.value,
|
|
KeyManagementRoutes.KEY_UPDATE.value,
|
|
KeyManagementRoutes.KEY_DELETE.value,
|
|
KeyManagementRoutes.KEY_REGENERATE.value,
|
|
KeyManagementRoutes.KEY_GENERATE_SERVICE_ACCOUNT.value,
|
|
KeyManagementRoutes.KEY_BLOCK.value,
|
|
KeyManagementRoutes.KEY_UNBLOCK.value,
|
|
KeyManagementRoutes.KEY_BULK_UPDATE.value,
|
|
KeyManagementRoutes.TEAM_KEY_BULK_UPDATE.value,
|
|
]
|
|
)
|
|
|
|
# Suffixes for `/key/{key_id}/...` path-parameterized write routes that the
|
|
# enum templates with `{key_id}`. The blocklist above can't match templated
|
|
# paths directly because the request route carries the resolved key id.
|
|
_PROXY_ADMIN_VIEW_ONLY_BLOCKED_KEY_SUFFIXES = ("/regenerate", "/reset_spend")
|
|
|
|
_AUTH_ENFORCED_PASS_THROUGH_ROUTE_GROUPS = frozenset(
|
|
("openai_routes", "llm_api_routes")
|
|
)
|
|
|
|
|
|
class RouteChecks:
|
|
@staticmethod
|
|
def should_call_route(
|
|
route: str,
|
|
valid_token: UserAPIKeyAuth,
|
|
request: Optional[Request] = None,
|
|
):
|
|
"""
|
|
Check if management route is disabled and raise exception
|
|
"""
|
|
try:
|
|
from litellm_enterprise.proxy.auth.route_checks import EnterpriseRouteChecks
|
|
|
|
EnterpriseRouteChecks.should_call_route(route=route)
|
|
except HTTPException as e:
|
|
raise e
|
|
except Exception:
|
|
pass
|
|
|
|
# Check if Virtual Key is allowed to call the route - Applies to all Roles
|
|
RouteChecks.is_virtual_key_allowed_to_call_route(
|
|
route=route, valid_token=valid_token, request=request
|
|
)
|
|
return True
|
|
|
|
@staticmethod
|
|
def is_virtual_key_allowed_to_call_route(
|
|
route: str,
|
|
valid_token: UserAPIKeyAuth,
|
|
request: Optional[Request] = None,
|
|
) -> bool:
|
|
"""
|
|
Raises Exception if Virtual Key is not allowed to call the route
|
|
"""
|
|
|
|
# Only check if valid_token.allowed_routes is set and is a list with at least one item
|
|
if valid_token.allowed_routes is None:
|
|
return True
|
|
if not isinstance(valid_token.allowed_routes, list):
|
|
return True
|
|
if len(valid_token.allowed_routes) == 0:
|
|
return True
|
|
|
|
denied_auth_enforced_pass_through_route = False
|
|
|
|
# explicit check for allowed routes (exact match or prefix match)
|
|
for allowed_route in valid_token.allowed_routes:
|
|
if RouteChecks._route_matches_allowed_route(
|
|
route=route, allowed_route=allowed_route
|
|
):
|
|
return True
|
|
|
|
## check if 'allowed_route' is a field name in LiteLLMRoutes
|
|
if any(
|
|
allowed_route in LiteLLMRoutes._member_names_
|
|
for allowed_route in valid_token.allowed_routes
|
|
):
|
|
for allowed_route in valid_token.allowed_routes:
|
|
if allowed_route in LiteLLMRoutes._member_names_:
|
|
if RouteChecks.check_route_access(
|
|
route=route,
|
|
allowed_routes=LiteLLMRoutes._member_map_[allowed_route].value,
|
|
):
|
|
if (
|
|
allowed_route in _AUTH_ENFORCED_PASS_THROUGH_ROUTE_GROUPS
|
|
and RouteChecks.is_auth_enforced_pass_through_route(
|
|
route=route,
|
|
method=RouteChecks._get_request_method(request=request),
|
|
)
|
|
):
|
|
if RouteChecks.check_passthrough_route_access(
|
|
route=route, user_api_key_dict=valid_token
|
|
):
|
|
return True
|
|
denied_auth_enforced_pass_through_route = True
|
|
else:
|
|
return True
|
|
|
|
################################################
|
|
# For llm_api_routes, also check registered pass-through endpoints
|
|
################################################
|
|
if allowed_route == "llm_api_routes":
|
|
from litellm.proxy.pass_through_endpoints.pass_through_endpoints import (
|
|
InitPassThroughEndpointHelpers,
|
|
)
|
|
|
|
if InitPassThroughEndpointHelpers.is_registered_pass_through_route(
|
|
route=route
|
|
):
|
|
if RouteChecks.is_auth_enforced_pass_through_route(
|
|
route=route,
|
|
method=RouteChecks._get_request_method(request=request),
|
|
):
|
|
if RouteChecks.check_passthrough_route_access(
|
|
route=route, user_api_key_dict=valid_token
|
|
):
|
|
return True
|
|
denied_auth_enforced_pass_through_route = True
|
|
else:
|
|
return True
|
|
|
|
# Method-aware carve-out: allow GET on the two
|
|
# read-only MCP-server discovery endpoints
|
|
# (`/v1/mcp/server` and `/v1/mcp/server/{server_id}`)
|
|
# so virtual keys with allowed_routes=["llm_api_routes"]
|
|
# can list/inspect MCP servers. The GET handlers in
|
|
# mcp_management_endpoints.py sanitize the response
|
|
# for restricted virtual keys (stripping url,
|
|
# headers, env, credentials). POST/PUT/DELETE on
|
|
# these paths are admin-only management writes and
|
|
# are intentionally not covered.
|
|
if RouteChecks._is_get_mcp_server_discovery_route(
|
|
route=route, request=request
|
|
):
|
|
return True
|
|
|
|
# check if wildcard pattern is allowed
|
|
for allowed_route in valid_token.allowed_routes:
|
|
if RouteChecks._route_matches_wildcard_pattern(
|
|
route=route, pattern=allowed_route
|
|
):
|
|
return True
|
|
|
|
if denied_auth_enforced_pass_through_route:
|
|
raise RouteChecks._auth_pass_through_denied_exception(route=route)
|
|
|
|
raise HTTPException(
|
|
status_code=status.HTTP_403_FORBIDDEN,
|
|
detail=f"Virtual key is not allowed to call this route. Only allowed to call routes: {valid_token.allowed_routes}. Tried to call route: {route}",
|
|
)
|
|
|
|
@staticmethod
|
|
def _mask_user_id(user_id: str) -> str:
|
|
"""
|
|
Mask user_id to prevent leaking sensitive information in error messages
|
|
|
|
Args:
|
|
user_id (str): The user_id to mask
|
|
|
|
Returns:
|
|
str: Masked user_id showing only first 2 and last 2 characters
|
|
"""
|
|
from litellm.litellm_core_utils.sensitive_data_masker import SensitiveDataMasker
|
|
|
|
if not user_id or len(user_id) <= 4:
|
|
return "***"
|
|
|
|
# Use SensitiveDataMasker with custom configuration for user_id
|
|
masker = SensitiveDataMasker(visible_prefix=6, visible_suffix=2, mask_char="*")
|
|
|
|
return masker._mask_value(user_id)
|
|
|
|
@staticmethod
|
|
def _raise_admin_only_route_exception(
|
|
user_obj: Optional[LiteLLM_UserTable],
|
|
route: str,
|
|
) -> None:
|
|
"""
|
|
Raise exception for routes that require proxy admin access
|
|
|
|
Args:
|
|
user_obj (Optional[LiteLLM_UserTable]): The user object
|
|
route (str): The route being accessed
|
|
|
|
Raises:
|
|
Exception: With user role and masked user_id information
|
|
"""
|
|
user_role = "unknown"
|
|
user_id = "unknown"
|
|
if user_obj is not None:
|
|
user_role = user_obj.user_role or "unknown"
|
|
user_id = user_obj.user_id or "unknown"
|
|
|
|
masked_user_id = RouteChecks._mask_user_id(user_id)
|
|
raise Exception(
|
|
f"Only proxy admin can be used to generate, delete, update info for new keys/users/teams. Route={route}. Your role={user_role}. Your user_id={masked_user_id}"
|
|
)
|
|
|
|
@staticmethod
|
|
def non_proxy_admin_allowed_routes_check(
|
|
user_obj: Optional[LiteLLM_UserTable],
|
|
_user_role: Optional[LitellmUserRoles],
|
|
route: str,
|
|
request: Request,
|
|
valid_token: UserAPIKeyAuth,
|
|
request_data: dict,
|
|
):
|
|
"""
|
|
Checks if Non Proxy Admin User is allowed to access the route
|
|
"""
|
|
|
|
# Check user has defined custom admin routes
|
|
RouteChecks.custom_admin_only_route_check(
|
|
route=route,
|
|
)
|
|
|
|
if RouteChecks.is_auth_enforced_pass_through_route(
|
|
route=route,
|
|
method=RouteChecks._get_request_method(request=request),
|
|
):
|
|
RouteChecks._require_auth_pass_through_access(
|
|
route=route, valid_token=valid_token
|
|
)
|
|
elif RouteChecks.is_llm_api_route(route=route):
|
|
pass
|
|
elif RouteChecks.is_info_route(route=route):
|
|
# check if user allowed to call an info route
|
|
if route == "/key/info":
|
|
# handled by function itself
|
|
pass
|
|
elif route == "/user/info":
|
|
# check if user can access this route
|
|
query_params = request.query_params
|
|
user_id = query_params.get("user_id")
|
|
verbose_proxy_logger.debug(
|
|
f"user_id: {user_id} & valid_token.user_id: {valid_token.user_id}"
|
|
)
|
|
if user_id and user_id != valid_token.user_id:
|
|
raise HTTPException(
|
|
status_code=status.HTTP_403_FORBIDDEN,
|
|
detail="key not allowed to access this user's info. user_id={}, key's user_id={}".format(
|
|
user_id, valid_token.user_id
|
|
),
|
|
)
|
|
elif route == "/v2/user/info":
|
|
# handled by the endpoint itself (full RBAC in handler)
|
|
pass
|
|
elif route == "/model/info":
|
|
# /model/info just shows models user has access to
|
|
pass
|
|
elif route == "/team/info":
|
|
pass # handled by function itself
|
|
elif (
|
|
route in LiteLLMRoutes.global_spend_tracking_routes.value
|
|
and getattr(valid_token, "permissions", None) is not None
|
|
and "get_spend_routes" in getattr(valid_token, "permissions", [])
|
|
):
|
|
pass
|
|
elif _user_role == LitellmUserRoles.PROXY_ADMIN_VIEW_ONLY.value:
|
|
RouteChecks._check_proxy_admin_viewer_access(
|
|
route=route,
|
|
_user_role=_user_role,
|
|
request_data=request_data,
|
|
request=request,
|
|
)
|
|
elif (
|
|
_user_role == LitellmUserRoles.INTERNAL_USER.value
|
|
and RouteChecks.check_route_access(
|
|
route=route, allowed_routes=LiteLLMRoutes.internal_user_routes.value
|
|
)
|
|
):
|
|
pass
|
|
elif _user_is_org_admin(
|
|
request_data=request_data, user_object=user_obj
|
|
) and RouteChecks.check_route_access(
|
|
route=route, allowed_routes=LiteLLMRoutes.org_admin_allowed_routes.value
|
|
):
|
|
pass
|
|
elif (
|
|
_user_role == LitellmUserRoles.INTERNAL_USER_VIEW_ONLY.value
|
|
and RouteChecks.check_route_access(
|
|
route=route,
|
|
allowed_routes=LiteLLMRoutes.internal_user_view_only_routes.value,
|
|
)
|
|
):
|
|
pass
|
|
elif RouteChecks.check_route_access(
|
|
route=route, allowed_routes=LiteLLMRoutes.self_managed_routes.value
|
|
): # routes that manage their own allowed/disallowed logic
|
|
pass
|
|
elif route.startswith("/v1/mcp/") or route.startswith("/mcp-rest/"):
|
|
pass # authN/authZ handled by api itself
|
|
elif RouteChecks.check_passthrough_route_access(
|
|
route=route, user_api_key_dict=valid_token
|
|
):
|
|
pass
|
|
elif valid_token.allowed_routes is not None:
|
|
# check if route is in allowed_routes (exact match or prefix match)
|
|
route_allowed = False
|
|
for allowed_route in valid_token.allowed_routes:
|
|
if RouteChecks._route_matches_allowed_route(
|
|
route=route, allowed_route=allowed_route
|
|
):
|
|
route_allowed = True
|
|
break
|
|
|
|
if RouteChecks._route_matches_wildcard_pattern(
|
|
route=route, pattern=allowed_route
|
|
):
|
|
route_allowed = True
|
|
break
|
|
|
|
if not route_allowed:
|
|
RouteChecks._raise_admin_only_route_exception(
|
|
user_obj=user_obj, route=route
|
|
)
|
|
else:
|
|
RouteChecks._raise_admin_only_route_exception(
|
|
user_obj=user_obj, route=route
|
|
)
|
|
|
|
@staticmethod
|
|
def custom_admin_only_route_check(route: str):
|
|
from litellm.proxy.proxy_server import general_settings, premium_user
|
|
|
|
if "admin_only_routes" in general_settings:
|
|
if premium_user is not True:
|
|
verbose_proxy_logger.error(
|
|
f"Trying to use 'admin_only_routes' this is an Enterprise only feature. {CommonProxyErrors.not_premium_user.value}"
|
|
)
|
|
return
|
|
if route in general_settings["admin_only_routes"]:
|
|
raise HTTPException(
|
|
status_code=status.HTTP_403_FORBIDDEN,
|
|
detail=f"user not allowed to access this route. Route={route} is an admin only route",
|
|
)
|
|
pass
|
|
|
|
@staticmethod
|
|
def is_llm_api_route(route: str) -> bool:
|
|
"""
|
|
Helper to checks if provided route is an OpenAI route
|
|
|
|
|
|
Returns:
|
|
- True: if route is an OpenAI route
|
|
- False: if route is not an OpenAI route
|
|
"""
|
|
# Ensure route is a string before performing checks
|
|
if not isinstance(route, str):
|
|
return False
|
|
|
|
if route in LiteLLMRoutes.openai_routes.value:
|
|
return True
|
|
|
|
if route in LiteLLMRoutes.anthropic_routes.value:
|
|
return True
|
|
|
|
if route in LiteLLMRoutes.google_routes.value:
|
|
return True
|
|
|
|
if RouteChecks.check_route_access(
|
|
route=route, allowed_routes=LiteLLMRoutes.mcp_inference_routes.value
|
|
):
|
|
return True
|
|
|
|
if RouteChecks.check_route_access(
|
|
route=route, allowed_routes=LiteLLMRoutes.agent_routes.value
|
|
):
|
|
return True
|
|
|
|
if route in LiteLLMRoutes.litellm_native_routes.value:
|
|
return True
|
|
|
|
# fuzzy match routes like "/v1/threads/thread_49EIN5QF32s4mH20M7GFKdlZ"
|
|
# Check for routes with placeholders or wildcard patterns
|
|
for openai_route in LiteLLMRoutes.openai_routes.value:
|
|
# Replace placeholders with regex pattern
|
|
# placeholders are written as "/threads/{thread_id}"
|
|
if "{" in openai_route:
|
|
if RouteChecks._route_matches_pattern(
|
|
route=route, pattern=openai_route
|
|
):
|
|
return True
|
|
# Check for wildcard patterns like "/containers/*"
|
|
if RouteChecks._is_wildcard_pattern(pattern=openai_route):
|
|
if RouteChecks._route_matches_wildcard_pattern(
|
|
route=route, pattern=openai_route
|
|
):
|
|
return True
|
|
|
|
# Check for Google routes with placeholders like "/v1beta/models/{model_name}:generateContent"
|
|
for google_route in LiteLLMRoutes.google_routes.value:
|
|
if "{" in google_route:
|
|
if RouteChecks._route_matches_pattern(
|
|
route=route, pattern=google_route
|
|
):
|
|
return True
|
|
|
|
# Check for Anthropic routes with placeholders
|
|
for anthropic_route in LiteLLMRoutes.anthropic_routes.value:
|
|
if "{" in anthropic_route:
|
|
if RouteChecks._route_matches_pattern(
|
|
route=route, pattern=anthropic_route
|
|
):
|
|
return True
|
|
|
|
if RouteChecks._is_azure_openai_route(route=route):
|
|
return True
|
|
|
|
for _llm_passthrough_route in LiteLLMRoutes.mapped_pass_through_routes.value:
|
|
if route == _llm_passthrough_route or route.startswith(
|
|
_llm_passthrough_route + "/"
|
|
):
|
|
return True
|
|
return False
|
|
|
|
@staticmethod
|
|
def _is_get_mcp_server_discovery_route(
|
|
route: str, request: Optional[Request]
|
|
) -> bool:
|
|
"""
|
|
Returns True if `request` is a GET against one of the two read-only
|
|
MCP-server discovery paths:
|
|
|
|
- GET `/v1/mcp/server` (list)
|
|
- GET `/v1/mcp/server/{server_id}` (single server, single segment)
|
|
|
|
Multi-segment paths (`/v1/mcp/server/{id}/approve`, etc.) and any
|
|
non-GET method return False, so admin-only management writes on the
|
|
same path prefix are not reachable through this carve-out.
|
|
"""
|
|
if request is None or request.method.upper() != "GET":
|
|
return False
|
|
if route == "/v1/mcp/server":
|
|
return True
|
|
prefix = "/v1/mcp/server/"
|
|
if not route.startswith(prefix):
|
|
return False
|
|
remainder = route[len(prefix) :]
|
|
return bool(remainder) and "/" not in remainder
|
|
|
|
@staticmethod
|
|
def is_management_route(route: str) -> bool:
|
|
"""
|
|
Check if route is a management route
|
|
"""
|
|
return RouteChecks.check_route_access(
|
|
route=route, allowed_routes=LiteLLMRoutes.management_routes.value
|
|
)
|
|
|
|
@staticmethod
|
|
def is_info_route(route: str) -> bool:
|
|
"""
|
|
Check if route is an info route
|
|
"""
|
|
return route in LiteLLMRoutes.info_routes.value
|
|
|
|
@staticmethod
|
|
def _is_azure_openai_route(route: str) -> bool:
|
|
"""
|
|
Check if route is a route from AzureOpenAI SDK client
|
|
|
|
eg.
|
|
route='/openai/deployments/vertex_ai/gemini-1.5-flash/chat/completions'
|
|
"""
|
|
# Ensure route is a string before attempting regex matching
|
|
if not isinstance(route, str):
|
|
return False
|
|
# Add support for deployment and engine model paths
|
|
deployment_pattern = r"^/openai/deployments/[^/]+/[^/]+/chat/completions$"
|
|
engine_pattern = r"^/engines/[^/]+/chat/completions$"
|
|
|
|
if re.match(deployment_pattern, route) or re.match(engine_pattern, route):
|
|
return True
|
|
return False
|
|
|
|
@staticmethod
|
|
def _route_matches_pattern(route: str, pattern: str) -> bool:
|
|
"""
|
|
Check if route matches the pattern placed in proxy/_types.py
|
|
|
|
Example:
|
|
- pattern: "/threads/{thread_id}"
|
|
- route: "/threads/thread_49EIN5QF32s4mH20M7GFKdlZ"
|
|
- returns: True
|
|
|
|
|
|
- pattern: "/key/{token_id}/regenerate"
|
|
- route: "/key/regenerate/82akk800000000jjsk"
|
|
- returns: False, pattern is "/key/{token_id}/regenerate"
|
|
"""
|
|
# Ensure route is a string before attempting regex matching
|
|
if not isinstance(route, str):
|
|
return False
|
|
|
|
def _placeholder_to_regex(match: re.Match) -> str:
|
|
placeholder = match.group(0).strip("{}")
|
|
if placeholder.endswith(":path"):
|
|
# allow "/" in the placeholder value, but don't eat the route suffix after ":"
|
|
return r"[^:]+"
|
|
return r"[^/]+"
|
|
|
|
pattern = re.sub(r"\{[^}]+\}", _placeholder_to_regex, pattern)
|
|
# Anchor the pattern to match the entire string
|
|
pattern = f"^{pattern}$"
|
|
if re.match(pattern, route):
|
|
return True
|
|
return False
|
|
|
|
@staticmethod
|
|
def _is_wildcard_pattern(pattern: str) -> bool:
|
|
"""
|
|
Check if pattern is a wildcard pattern
|
|
"""
|
|
return pattern.endswith("*")
|
|
|
|
@staticmethod
|
|
def _route_matches_wildcard_pattern(route: str, pattern: str) -> bool:
|
|
"""
|
|
Check if route matches the wildcard pattern
|
|
|
|
eg.
|
|
|
|
pattern: "/scim/v2/*"
|
|
route: "/scim/v2/Users"
|
|
- returns: True
|
|
|
|
pattern: "/scim/v2/*"
|
|
route: "/chat/completions"
|
|
- returns: False
|
|
|
|
|
|
pattern: "/scim/v2/*"
|
|
route: "/scim/v2/Users/123"
|
|
- returns: True
|
|
|
|
"""
|
|
if pattern.endswith("*"):
|
|
# Get the prefix (everything before the wildcard)
|
|
prefix = pattern[:-1]
|
|
return route.startswith(prefix)
|
|
else:
|
|
# If there's no wildcard, the pattern and route should match exactly
|
|
return route == pattern
|
|
|
|
@staticmethod
|
|
def _route_matches_allowed_route(route: str, allowed_route: str) -> bool:
|
|
"""
|
|
Check if route matches the allowed_route pattern.
|
|
Supports both exact match and prefix match.
|
|
|
|
Examples:
|
|
- allowed_route="/fake-openai-proxy-6", route="/fake-openai-proxy-6" -> True (exact match)
|
|
- allowed_route="/fake-openai-proxy-6", route="/fake-openai-proxy-6/v1/chat/completions" -> True (prefix match)
|
|
- allowed_route="/fake-openai-proxy-6", route="/fake-openai-proxy-600" -> False (not a valid prefix)
|
|
|
|
Args:
|
|
route: The actual route being accessed
|
|
allowed_route: The allowed route pattern
|
|
|
|
Returns:
|
|
bool: True if route matches (exact or prefix), False otherwise
|
|
"""
|
|
# Exact match
|
|
if route == allowed_route:
|
|
return True
|
|
# Prefix match - ensure we add "/" to prevent false matches like /fake-openai-proxy-600
|
|
if route.startswith(allowed_route + "/"):
|
|
return True
|
|
return False
|
|
|
|
@staticmethod
|
|
def check_route_access(route: str, allowed_routes: List[str]) -> bool:
|
|
"""
|
|
Check if a route has access by checking both exact matches and patterns
|
|
|
|
Args:
|
|
route (str): The route to check
|
|
allowed_routes (list): List of allowed routes/patterns
|
|
|
|
Returns:
|
|
bool: True if route is allowed, False otherwise
|
|
"""
|
|
#########################################################
|
|
# exact match route is in allowed_routes
|
|
#########################################################
|
|
if route in allowed_routes:
|
|
return True
|
|
|
|
#########################################################
|
|
# wildcard match route is in allowed_routes
|
|
# e.g calling /anthropic/v1/messages is allowed if allowed_routes has /anthropic/*
|
|
#########################################################
|
|
wildcard_allowed_routes = [
|
|
route
|
|
for route in allowed_routes
|
|
if RouteChecks._is_wildcard_pattern(pattern=route)
|
|
]
|
|
for allowed_route in wildcard_allowed_routes:
|
|
if RouteChecks._route_matches_wildcard_pattern(
|
|
route=route, pattern=allowed_route
|
|
):
|
|
return True
|
|
|
|
#########################################################
|
|
# pattern match route is in allowed_routes
|
|
# pattern: "/threads/{thread_id}"
|
|
# route: "/threads/thread_49EIN5QF32s4mH20M7GFKdlZ"
|
|
# returns: True
|
|
#########################################################
|
|
if any( # Check pattern match
|
|
RouteChecks._route_matches_pattern(route=route, pattern=allowed_route)
|
|
for allowed_route in allowed_routes
|
|
):
|
|
return True
|
|
|
|
return False
|
|
|
|
@staticmethod
|
|
def _get_request_method(request: Optional[Request]) -> Optional[str]:
|
|
if request is None:
|
|
return None
|
|
|
|
try:
|
|
method = request.method
|
|
except (AttributeError, KeyError):
|
|
return None
|
|
if not isinstance(method, str):
|
|
return None
|
|
|
|
return method.upper()
|
|
|
|
@staticmethod
|
|
def is_auth_enforced_pass_through_route(
|
|
route: str, method: Optional[str] = None
|
|
) -> bool:
|
|
"""
|
|
True for config/DB pass-through endpoints registered with auth=true.
|
|
|
|
These routes are injected into ``openai_routes`` for spend/budget hooks but
|
|
must not inherit blanket ``openai_routes`` RBAC; access is gated by
|
|
``allowed_passthrough_routes`` on the key or team.
|
|
"""
|
|
from litellm.proxy.pass_through_endpoints.pass_through_endpoints import (
|
|
InitPassThroughEndpointHelpers,
|
|
)
|
|
|
|
route_info = InitPassThroughEndpointHelpers.get_registered_pass_through_route(
|
|
route=route, method=method
|
|
)
|
|
if route_info is None:
|
|
return False
|
|
return route_info.get("auth") is True
|
|
|
|
@staticmethod
|
|
def _auth_pass_through_denied_exception(route: str) -> HTTPException:
|
|
return HTTPException(
|
|
status_code=status.HTTP_403_FORBIDDEN,
|
|
detail=(
|
|
f"Key/team not allowed to access passthrough route {route}. "
|
|
"Configure `allowed_passthrough_routes` on the team or key."
|
|
),
|
|
)
|
|
|
|
@staticmethod
|
|
def _require_auth_pass_through_access(
|
|
route: str,
|
|
valid_token: UserAPIKeyAuth,
|
|
) -> None:
|
|
"""
|
|
Require an explicit ``allowed_passthrough_routes`` match for auth=true pass-through.
|
|
"""
|
|
if RouteChecks.check_passthrough_route_access(
|
|
route=route, user_api_key_dict=valid_token
|
|
):
|
|
return
|
|
raise RouteChecks._auth_pass_through_denied_exception(route=route)
|
|
|
|
@staticmethod
|
|
def check_passthrough_route_access(
|
|
route: str, user_api_key_dict: UserAPIKeyAuth
|
|
) -> bool:
|
|
"""
|
|
Check if route is a passthrough route.
|
|
Supports both exact match and prefix match.
|
|
"""
|
|
metadata = user_api_key_dict.metadata
|
|
team_metadata = user_api_key_dict.team_metadata or {}
|
|
if metadata is None and team_metadata is None:
|
|
return False
|
|
if (
|
|
"allowed_passthrough_routes" not in metadata
|
|
and "allowed_passthrough_routes" not in team_metadata
|
|
):
|
|
return False
|
|
if (
|
|
metadata.get("allowed_passthrough_routes") is None
|
|
and team_metadata.get("allowed_passthrough_routes") is None
|
|
):
|
|
return False
|
|
|
|
allowed_passthrough_routes = (
|
|
metadata.get("allowed_passthrough_routes")
|
|
or team_metadata.get("allowed_passthrough_routes")
|
|
or []
|
|
)
|
|
|
|
# Check if route matches any allowed passthrough route (exact or prefix match)
|
|
for allowed_route in allowed_passthrough_routes:
|
|
if RouteChecks._route_matches_allowed_route(
|
|
route=route, allowed_route=allowed_route
|
|
):
|
|
return True
|
|
|
|
return False
|
|
|
|
@staticmethod
|
|
def _is_assistants_api_request(request: Request) -> bool:
|
|
"""
|
|
Returns True if `thread` or `assistant` is in the request path
|
|
|
|
Args:
|
|
request (Request): The request object
|
|
|
|
Returns:
|
|
bool: True if `thread` or `assistant` is in the request path, False otherwise
|
|
"""
|
|
# Inline import — auth_utils participates in a proxy import cycle.
|
|
from .auth_utils import get_request_route # noqa: PLC0415
|
|
|
|
route = get_request_route(request)
|
|
if "thread" in route or "assistant" in route:
|
|
return True
|
|
return False
|
|
|
|
@staticmethod
|
|
def is_generate_content_route(route: str) -> bool:
|
|
"""
|
|
Returns True if this is a google generateContent or streamGenerateContent route
|
|
|
|
These routes from google allow passing key=api_key in the query params
|
|
"""
|
|
if "generateContent" in route:
|
|
return True
|
|
if "streamGenerateContent" in route:
|
|
return True
|
|
return False
|
|
|
|
# HTTP methods that are intrinsically read-only and therefore safe to
|
|
# default-allow for PROXY_ADMIN_VIEW_ONLY. Anything else (POST/PUT/PATCH/
|
|
# DELETE) is treated as a write attempt and goes through the explicit
|
|
# write-allowlist below.
|
|
_SAFE_HTTP_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})
|
|
|
|
# Explicit write routes that PROXY_ADMIN_VIEW_ONLY must NEVER call. The
|
|
# role-principle is "no writes, ever" — the management_routes list is the
|
|
# authoritative source for which non-llm routes are writes; we just need
|
|
# to filter out the read endpoints (info / list) that share the prefix.
|
|
# A cleaner approach is to denylist by HTTP verb (POST/PUT/PATCH/DELETE);
|
|
# this block stays as a backstop in case a write is implemented as GET.
|
|
_ADMIN_VIEWER_BLOCKED_WRITE_ROUTES = frozenset(
|
|
[
|
|
"/user/new",
|
|
"/user/delete",
|
|
"/user/bulk_update",
|
|
"/team/new",
|
|
"/team/update",
|
|
"/team/delete",
|
|
"/model/new",
|
|
"/model/update",
|
|
"/model/delete",
|
|
"/key/generate",
|
|
"/key/delete",
|
|
"/key/update",
|
|
"/key/regenerate",
|
|
"/key/service-account/generate",
|
|
"/key/block",
|
|
"/key/unblock",
|
|
"/team/key/bulk_update",
|
|
]
|
|
)
|
|
|
|
@staticmethod
|
|
def _check_proxy_admin_viewer_access(
|
|
route: str,
|
|
_user_role: str,
|
|
request_data: dict,
|
|
request: Optional[Request] = None,
|
|
) -> None:
|
|
"""
|
|
Check access for PROXY_ADMIN_VIEW_ONLY role.
|
|
|
|
Admin Viewer follows a read-parity-with-Proxy-Admin rule: anything Proxy
|
|
Admin can read/list/get, Admin Viewer can read/list/get. The only
|
|
exclusions are cost-incurring inference routes (Playground, /chat/
|
|
completions, etc.) and any state-mutating request.
|
|
|
|
Implementation:
|
|
1. LLM/inference routes → 403 (cost-incurring).
|
|
2. Safe HTTP method (GET/HEAD/OPTIONS) → allow by default. This is
|
|
the read-parity guarantee — every new GET endpoint added anywhere
|
|
in the codebase is automatically readable by Admin Viewer
|
|
without needing to remember to add it to an allowlist.
|
|
3. Unsafe HTTP method (POST/PUT/PATCH/DELETE):
|
|
- Allow `/user/update` only when restricted to user_email/password.
|
|
- Block all explicit writes in `_ADMIN_VIEWER_BLOCKED_WRITE_ROUTES`.
|
|
- Otherwise allow only if the route is in admin_viewer_routes /
|
|
global_spend_tracking_routes (legacy explicit-allow set).
|
|
- Else 403.
|
|
"""
|
|
if RouteChecks.is_llm_api_route(route=route):
|
|
raise HTTPException(
|
|
status_code=status.HTTP_403_FORBIDDEN,
|
|
detail=f"user not allowed to access this OpenAI routes, role= {_user_role}",
|
|
)
|
|
|
|
# Check if this is a write operation on management routes
|
|
if RouteChecks.check_route_access(
|
|
route=route, allowed_routes=LiteLLMRoutes.management_routes.value
|
|
):
|
|
# For management routes, only allow read operations or specific allowed updates
|
|
if route == "/user/update":
|
|
# Check the Request params are valid for PROXY_ADMIN_VIEW_ONLY
|
|
if request_data is not None and isinstance(request_data, dict):
|
|
_params_updated = request_data.keys()
|
|
for param in _params_updated:
|
|
if param not in ["user_email", "password"]:
|
|
raise HTTPException(
|
|
status_code=status.HTTP_403_FORBIDDEN,
|
|
detail=f"user not allowed to access this route, role= {_user_role}. Trying to access: {route} and updating invalid param: {param}. only user_email and password can be updated",
|
|
)
|
|
elif route in _PROXY_ADMIN_VIEW_ONLY_BLOCKED_ROUTES or (
|
|
route.startswith("/key/")
|
|
and route.endswith(_PROXY_ADMIN_VIEW_ONLY_BLOCKED_KEY_SUFFIXES)
|
|
):
|
|
# Block write operations for PROXY_ADMIN_VIEW_ONLY
|
|
raise HTTPException(
|
|
status_code=status.HTTP_403_FORBIDDEN,
|
|
detail=f"user not allowed to access this route, role= {_user_role}. Trying to access: {route}",
|
|
)
|
|
# Allow read operations on management routes (like /user/info, /team/info, /model/info)
|
|
method = request.method.upper() if request is not None else "GET"
|
|
is_safe_method = method in RouteChecks._SAFE_HTTP_METHODS
|
|
|
|
# ── Safe HTTP method: default-allow ──────────────────────────────
|
|
if is_safe_method:
|
|
return
|
|
|
|
# ── Unsafe HTTP method: explicit checks ──────────────────────────
|
|
# Allow `/user/update` for self-service email / password change.
|
|
if route == "/user/update":
|
|
if request_data is not None and isinstance(request_data, dict):
|
|
for param in request_data.keys():
|
|
if param not in ["user_email", "password"]:
|
|
raise HTTPException(
|
|
status_code=status.HTTP_403_FORBIDDEN,
|
|
detail=(
|
|
f"user not allowed to access this route, role= {_user_role}. "
|
|
f"Trying to access: {route} and updating invalid param: {param}. "
|
|
"only user_email and password can be updated"
|
|
),
|
|
)
|
|
return
|
|
|
|
# Hard-block known write routes regardless of HTTP method (defensive
|
|
# — these are POSTs in practice, but pinning them here protects
|
|
# against future GET-shaped writes).
|
|
if route in RouteChecks._ADMIN_VIEWER_BLOCKED_WRITE_ROUTES or (
|
|
route.startswith("/key/") and route.endswith("/regenerate")
|
|
):
|
|
raise HTTPException(
|
|
status_code=status.HTTP_403_FORBIDDEN,
|
|
detail=f"user not allowed to access this route, role= {_user_role}. Trying to access: {route}",
|
|
)
|
|
|
|
# Legacy explicit-allow sets (kept for routes that are POST but
|
|
# semantically read-only, e.g. /spend/calculate). Both admin_viewer_routes
|
|
# and global_spend_tracking_routes are reads/listings.
|
|
if RouteChecks.check_route_access(
|
|
route=route, allowed_routes=LiteLLMRoutes.admin_viewer_routes.value
|
|
):
|
|
return
|
|
if RouteChecks.check_route_access(
|
|
route=route, allowed_routes=LiteLLMRoutes.global_spend_tracking_routes.value
|
|
):
|
|
return
|
|
|
|
# NOTE: We intentionally do NOT fall back to allowing all
|
|
# `management_routes`. That set is a mix of reads (info/list — handled
|
|
# via the safe-method branch above) and writes (`/team/block`,
|
|
# `/team/permissions_update`, `/jwt/key/mapping/{new,update,delete}`,
|
|
# `/key/bulk_update`, `/key/{id}/reset_spend`). A blanket allow would
|
|
# let Admin Viewer POST these write endpoints — violating the
|
|
# "no writes, ever" rule. Default-deny instead.
|
|
raise HTTPException(
|
|
status_code=status.HTTP_403_FORBIDDEN,
|
|
detail=f"user not allowed to access this route, role= {_user_role}. Trying to access: {route}",
|
|
)
|