)#hT0dZddlZddlZddlmZmZmZddlmZddl m Z ddl m Z ddl mZddlmZdd lmZdd lmZmZmZmZdd lmZGd d Zy)z Supports using JWT's for authenticating into the proxy. Currently only supports admin. JWT token must have 'litellm_proxy_admin' in scope. N)ListOptionalcast)x509)default_backend) serialization)verbose_proxy_logger) DualCache) HTTPHandler) JWKKeyValue JWTKeyItemLiteLLM_JWTAuthLitellmUserRoles) PrismaClientc eZdZUdZeeed<eed< d#dZ d$deedede de ddf d Z d e fd Z d edeefd Zd edefdZd edee fdZd edee dee fdZdefdZdefdZd edee dee fdZd%deedefdZd edee dee fdZd edee dee fdZd edee dee fdZd edefdZdee defdZde dee dee!fdZ"de defd Z#d e defd!Z$d"Z%y)& JWTHandlerz - treat the sub id passed in as the user id - return an error if id making request doesn't exist in proxy user table - track spend against the user id - if role="litellm_proxy_user" -> allow making calls + info. Can not edit budgets prisma_clientuser_api_key_cachereturnNc0t|_d|_y)Nr)r http_handlerleewayselfs Z/var/www/html/sandstorm/venv/lib/python3.12/site-packages/litellm/proxy/auth/handle_jwt.py__init__zJWTHandler.__init__(s(M litellm_jwtauthrc<||_||_||_||_yN)rrrr)rrrrrs rupdate_environmentzJWTHandler.update_environment.s#+"4. rtokenc@|jd}t|dk(S)N.)splitlen)rr"partss ris_jwtzJWTHandler.is_jwt:s C 5zQrc|j|}|j|}|rtjS|j |dtj S|j |dtjSy)a^ Returns the RBAC role the token 'belongs' to. RBAC roles allowed to make requests: - PROXY_ADMIN: can make requests to all routes - TEAM: can make requests to routes associated with a team - INTERNAL_USER: can make requests to routes associated with a user Resolves: https://github.com/BerriAI/litellm/issues/6793 Returns: - PROXY_ADMIN: if token is admin - TEAM: if token is associated with a team - INTERNAL_USER: if token is associated with a user - None: if token is not associated with a team or user )r")scopesN)r" default_value) get_scopesis_adminr PROXY_ADMIN get_team_idTEAM get_user_id INTERNAL_USER)rr"r+r.s r get_rbac_rolezJWTHandler.get_rbac_role>sz"u-===/ #// /   E  > J#(( (   E  > J#11 1rr+c6|jj|vryy)NTF)radmin_jwt_scope)rr+s rr.zJWTHandler.is_adminZs    / /6 9rcd|jj||jjSgSr )rteam_ids_jwt_field)rr"s rget_team_ids_from_jwtz JWTHandler.get_team_ids_from_jwt_s0    2 2 >--@@A A rr,c |jj||jj}|Sd} |S#t$r|}Y|SwxYwr )rend_user_id_jwt_fieldKeyErrorrr"r,user_ids rget_end_user_idzJWTHandler.get_end_user_idds_ $##99E 4 4 J JK   $#G $/88 AAc2|jjyy)z` Returns: - True: if 'team_id_jwt_field' is set - False: if not FT)rteam_id_jwt_fieldrs ris_required_team_idzJWTHandler.is_required_team_idrs    1 1 9rcz|jj%t|jjtryy)z Returns: - True: if 'user_allowed_email_domain' is set - False: if 'user_allowed_email_domain' is None TF)ruser_allowed_email_domain isinstancestrrs ris_enforced_email_domainz#JWTHandler.is_enforced_email_domain|s7    9 9 E*  : :CK rc |jj||jj}|S|jj|jj}|Sd} |S#t$r|}Y|SwxYwr )rrBteam_id_defaultr<)rr"r,team_ids rr0zJWTHandler.get_team_ids $##55A 4 4 F FG %%55A..>>  $#G $s/A&,A&!A&& A54A5valid_user_emailc8|dury|jjS)z Returns: - True: if 'user_id_upsert' is set AND valid_user_email is not False - False: if not F)ruser_id_upsert)rrLs ris_upsert_user_idzJWTHandler.is_upsert_user_ids! u $##222rc |jj||jj}|S|} |S#t$r|}Y|SwxYwr )ruser_id_jwt_fieldr<r=s rr2zJWTHandler.get_user_ids_ $##55A 4 4 F FG ( $#G $r@c |jj||jj}|Sd} |S#t$r|}Y|SwxYwr )ruser_email_jwt_fieldr<)rr"r, user_emails rget_user_emailzJWTHandler.get_user_emailsb '##88D"4#7#7#L#LM "  '&J 'r@c |jj||jj}|Sd} |S#t$r|}Y|SwxYwr )rorg_id_jwt_fieldr<)rr"r,org_ids r get_org_idzJWTHandler.get_org_ids_ ###44@t33DDE    #"F  #r@c t|dtr|dj}|St|dtr|d}|St dt |dd#t $rg}Y|SwxYw)NscopezUnmapped scope type - z. Supported types - list, str.)rFrGr&list Exceptiontyper<)rr"r+s rr-zJWTHandler.get_scopess %.#.w--/ E'ND1w  ,T%.-A,BB`a F  s&AAA A.-A.kidc BKtjd}| td|jj dd{}||j j |d{}|j}d|vr|jd}n|}|jjd||jjd{n|}|j||}| td|d|d |d t|tt|S777Pw) NJWT_PUBLIC_KEY_URLz,Missing JWT Public Key URL from environment.litellm_jwt_auth_keyskeys)keyvaluettl)rcr_z"No matching public key found. kid=z , keys_url=z, cached_keys=z , len(keys)=)osgetenvr]rasync_get_cachergetjsonasync_set_cacherpublic_key_ttl parse_keysr'rdict)rr_keys_url cached_keysresponse response_jsonrc public_keys rget_public_keyzJWTHandler.get_public_keys@9912  JK K 33CC #    !..228<$%488E4+@C+G3;! &%D$'Q E4(C/3;!!W Y] %c4(!ggeT2G"GO"3-+3!$J %rrTc|jjy|jdd}||jjk(ryy)NT@F)rrEr&)rrT email_domains ris_allowed_domainzJWTHandler.is_allowed_domain sF    9 9 A!'',R0 4//II IrcKgd}tjd}d}|ddi}ddl}ddlm}|j |}t jd||jdd}|j| d{} | t| trzi} d | vr| d | d <d| vr| d| d<d | vr| d | d <d | vr| d | d <|jtj| } |j|| ||||j } | S| t| t&r t)j*| j-t/}|j1j3t4j6j8t4j:j<}|j|||||} | St%d7C#|j"$r t%dt$$r} t%dt'| d} ~ wwxYw#|j"$r t%dt$$r} t%dt'| d} ~ wwxYww)N)RS256RS384RS512PS256PS384PS512 JWT_AUDIENCE verify_audFr) RSAAlgorithmz header: %sr_)r_ktyne) algorithmsoptionsaudiencerz Token ExpiredzValidation fails: )rrrzInvalid JWT Submitted)rgrhjwtjwt.algorithmsrget_unverified_headerr debugrjrurFrofrom_jwkrkdumpsdecoderExpiredSignatureErrorr]rGrload_pem_x509_certificateencoderrt public_bytesrEncodingPEM PublicFormatSubjectPublicKeyInfo)rr"rrdecode_optionsrrheaderr_rtjwkpublic_key_rsapayloadrcertrds rauth_jwtzJWTHandler.auth_jwtscL 99^,  *E2N/**51""<8jj%..3.77  !jT&BC "'.E  "'.E j %c?Cj %c?C)224::c?CN ?**")*%;; % # :s(C ?55%%'): oo'44!**..!..CC **)%* %/00y86,, 100 ?"4SVH =>> ?0,, 100 ?"4SVH =>> ?s\A:I<F?=A,I*"G I BH3 I"H$G;;HI"I%H<<IIcTK|jjd{y7wr )rclosers rrzJWTHandler.closees%%'''s (&()rN)rr )&__name__ __module__ __qualname____doc__rr__annotations__r rrintr!rGr)rorr4r\boolr.rr9r?rCrHr0rOr2rUrYr-rur r rnr}rrrrrrsL))!!   - & )     C4H5E,F8t 4DI  *23-  # T $   hsm QT 3(4.3D3hsmQT   *23-  # Xc]xPS}    & &$ &D{#8JCW2CDP1CP1DP1d(rr)rrkrgtypingrrr cryptographyrcryptography.hazmat.backendsrcryptography.hazmat.primitivesrlitellm._loggingr litellm.caching.cachingr 'litellm.llms.custom_httpx.httpx_handlerr litellm.proxy._typesr r rrlitellm.proxy.utilsrrrrrrsE ''881-? -I(I(r