^hUuSrSSKrSSKrSSKJrJrJrJrJrJ r SSK J r SSK r SSK Jr SSKJr SSKJr SSKJrJrJrJrJrJrJrJrJrJr SS KJr SS K J!r!J"r"J#r# SS K$J%r% SS K&J'r' S SK(J)r) \(a SSK*J+r, \,r+O\r+\"SS9r-Sr.\R^R`\RbR`-r2S\3S\ \S\ \S\ \S\ \4S\3S\5S\ \%S\64Sjr7S\5S\8S\64Sjr9S \\Rt\Rv\Rx4S\5S!\S\64S"jr=S#\S$\ \5S\64S%jr>S\8S\84S&jr?\#SQS'\ \5S(\ \!S)\S*\ \+S+\ \"S\ \4 S,jj5r@S-\5S.\ \\5S\ \%S\64S/jrAS0\5S1\S2\BS\64S3jrCS0\5S4\ \S1\4S5jrD\#SQS6\5S(\ \!S)\S7\6S*\ \+S+\ \"S\ \4S8jj5rES0\5S4\ S)\S+\ \"4S9jrFS:\5S;\S)\S+\ \"4S<jrGS=\5S>\S)\S+\ \"4S?jrHS=\5S)\S+\ \"4S@jrI\#S:\5S(\!4SAj5rJS:\5S(\!4SBjrKS:\5S(\!S)\S1\S2\BS+\ \"S0\5S\4SCjrLS0\5S+\ \"S)\S*\ \+S\ \4 SDjrMSRS:\5S(\ \!S)\S*\ \+S+\ \"SE\ \6SF\ \6S\4SGjjrN\#SSS=\5S(\ \!S)\S*\ \+S+\ \"SE\ \6S\4SHjj5rOSI\PS\4SJjrQ\#SQSK\5S(\ \!S)\S*\ \+S+\ \"4 SLjj5rRS-\5SM\ \8SN\S\ \ RJS\SO4 SPjrSg)Tz Got Valid Token from Cache, DB Run checks for: 1. If user can call model 2. If user is in budget 3. If end_user ('user' passed to /chat/completions, /embeddings endpoint) is in budget N) TYPE_CHECKINGAnyDictListLiteralOptional) BaseModel)verbose_proxy_logger) DualCache)LimitedSizeOrderedDict) DB_CONNECTION_ERROR_TYPESLiteLLM_EndUserTableLiteLLM_JWTAuthLiteLLM_OrganizationTableLiteLLM_TeamTableLiteLLM_TeamTableCachedObjLiteLLM_UserTable LiteLLMRoutesLitellmUserRolesUserAPIKeyAuth) RouteChecks) PrismaClient ProxyLogginglog_db_metrics)Router) ServiceTypes)$organization_role_based_access_check)Spand)max_size request_body team_object user_objectend_user_objectglobal_proxy_spendgeneral_settingsroute llm_routerreturnc URSS5nUb(URSLa[SURS35eUbUbURb[ UR5S:aXR;aSUR;d SUR;dS UR;aON[ XRUS 9SLaO6U(aSU;aO([SURS US UR35eUbURbxURbkURUR:aQ[R"URURSURS URSUR3S9eUb URchUbeURbXURn XR:a=[R"URU SURS URSU 3S9eUbsURbfURRn U bMURU :a=[R"URU SURS URSU 3S9eURSS5b8USSLa0[R"US9(aSU;a[SUS35e[RS:a_Ub\[R"US9(aCUS:wa=US:wa7U[R:a#[R"U[RS9eURS05=(d 0n U RS5(a"SSKJn U "U5n U SLaSSKJn U"SSS 0S!9e['X&US"9 g)#a Common checks across jwt + key-based auth. 1. If team is blocked 2. If team can call model 3. If team is in budget 4. If user passed in (JWT or key.user_id) - is in budget 5. If end_user (either via JWT or 'user' passed to /chat/completions, /embeddings endpoint) is in budget 6. [OPTIONAL] If 'enforce_end_user' enabled - did developer pass in 'user' param for openai endpoints 7. [OPTIONAL] If 'litellm.max_budget' is set (>0), is proxy under budget 8. [OPTIONAL] If guardrails modified - is request allowed to change this 9. Check if request body is safe 10. [OPTIONAL] Organization checks - is user_object.organization_id is set, run these checks modelNTzTeam=z6 is blocked. Update via `/team/unblock` if your admin.rzall-proxy-models*zopenai/*)r- team_modelsr*z not allowed to call model=z. Allowed team models = z over budget. Spend=z , Budget=) current_cost max_budgetmessagezExceededBudget: User=zExceededBudget: End User=enforce_user_param)r)userz1'user' param not passed in. 'enforce_user_param'=z /v1/modelsz/modelsr0r1metadata guardrails)can_modify_guardrailsF) HTTPExceptionierrorz8Your team does not have permission to modify guardrails.) status_codedetail)r%r)r#)getblocked Exceptionteam_idmodelslenmodel_in_access_groupr1spendlitellmBudgetExceededErroruser_idlitellm_budget_tableris_llm_api_route*litellm.proxy.guardrails.guardrail_helpersr8fastapir9r)r#r$r%r&r'r(r)r*_model user_budgetend_user_budget_request_metadatar8 can_modifyr9s X/home/james-whalen/.local/lib/python3.13/site-packages/litellm/proxy/auth/auth_checks.py common_checksrR7s0  gt ,F;#6#6$#>K''((^ _    #    *  "" #a ' ,, , +"4"4 4k((([///  "*<*<    v  ++,,GxOghshzhzg{|    " " .    )    6 6 6))$**"--K//00D[EVEVDWW`alawaw`xy     3 3 ;  #  " " .!,, ** *--(..&/ 0C0C/DDXYdYjYjXkktvAuBC "'K'K'W)>>II  &?+@+@?+R--,22*3O4K4K3LL`apavav`wxABQARS  148D 1 2d :  ' 'e 4|9SCDTUiDjCkl  Q  *  ( (u 5 \ ! Y   2 2 2--/GD"\**T0=   -W )<  user_routeallowed_routesc~UH7nU[R;aU[UR;a gX :XdM7 g g)z Return if a user is allowed to access route. Helper function for `allowed_routes_check`. Parameters: - user_route: str - the route the user is trying to call - allowed_routes: List[str|LiteLLMRoutes] - the list of allowed routes for the user. TF)r __members__value)rTrU allowed_routes rQ_allowed_routes_checkrZs@( ]66 6mM:@@@  (( rS user_rolelitellm_proxy_rolescU[R:Xa[UURS9nU$U[R:Xa?UR c[USS/S9nU$UR b[UUR S9nU$g)z= Check if user -> not admin - allowed to access these routes )rTrU openai_routes info_routesF)r PROXY_ADMINrZadmin_allowed_routesTEAMteam_allowed_routes)r[rTr\ is_alloweds rQallowed_routes_checkres$000*!.CC  &++ +  2 2 : /% 6VJ  4 4 @.%2FFJ  rSuser_api_key_dictrequested_user_idcSnUR[R:wa UR[R:waSnUbURbURU:XaSnU$)NTF)r[rr`PROXY_ADMIN_VIEW_ONLYrG)rfrgret_vals rQ allowed_route_check_inside_routerkscG##'7'C'CC  ' '+;+Q+Q Q$):)B)B)N  $ $(9 9G NrSc/nUHn[URnX-nM U$![a URU5 M?f=fN)rrXKeyErrorappend)rU actual_routes route_name route_values rQget_actual_routesrssUM$  -' 399K)7M%  -   , -s&AA end_user_id prisma_clientuser_api_key_cacheparent_otel_spanproxy_logging_objc# Uc [S5eUcgSRU5nS[4SjnURUS9IShvN nUbG[ U[ 5(a[S 0UD6nU"US9 U$[ U[5(a UnU"US9 U$UR RRSU0S S 0S 9IShvN n U c[eURSRU5U S 9IShvN [S 0U R 5D6n U"U S9 U $NNWN)![a+n [ U [R5(aU eSn A gSn A ff=f7f)aZ Returns end user object, if in db. Do a isolated check for end user in table vs. doing a combined key + team + user + end-user check, as key might come in frequently for different end-users. Larger call will slowdown query time. This way we get to cache the constant (key/team/user info) and only update based on the changing value (end-user). NNo db connectedzend_user_id:{} end_user_objcURcgURRnUb0URU:a[R"URUS9egg)Nr5)rHr1rDrErF)r{rNs rQcheck_in_budget,get_end_user_object..check_in_budget.s\  , , 4 &;;FF  &<+=+=+O--)//O ,P &rSkey)r{rGrHTwhereincluderrX) r?formatrasync_get_cache isinstancedictdblitellm_endusertable find_uniqueasync_set_cacherErF) rtrurvrwrx_keyr}cached_user_obj return_objresponse _responsees rQget_end_user_objectrs})**  " "; /D&:/>>4>HHO" ot , ,-@@J  4  )= > >(J  4 &))>>JJk*+T2K    O!00 '' 4H1   );8==?; Y/;I    a44 5 5GsaAEDAE+D>D?/D.D/$DEDD E$!E E EEr-r/cSSKJn UcgX;agU"[5nU(aURUS9n[ U5S:a[ U5H upVXd;dM g UVs/sH ofU;dM UPM nnX;aggs snf)Nr defaultdictT model_nameF) collectionsrlistget_model_access_groupsrB enumerate)r-r/r*r access_groupsidxmfiltered_modelss rQrCrC\s( *5d*;M"::e:L  =A  FC!  #.H+Q-1Gq+OH   Is ! A=.A=rlast_db_access_timedb_cache_expiryct[R"5nX;agXSbgXSc X1U- U:agg)zE Prevent calling db repeatedly for items that don't exist in the db. TrFtime)rrr current_times rQ_should_check_dbrzsM 99;L % #/  !! $ , c2 2o E rSrXc6U[R"54X 'grmrrrXrs rQ_update_last_db_access_timers!&tyy{3rSrGuser_id_upsertc# UcgURUS9IShvN nUb7[U[5(a [S0UD6$[U[5(aU$Uc [ S5eSR U5n[ U[[S9nU(a1URRRSU0SS0S 9IShvN n OSn U c>U(a1URRRSU0SS0S 9IShvN n O[eU RbN[U R5S :a5U RV s/sHn U cMU R5PM n n Xl [S0[U 5D6n U R5n UR!X S 9IShvN [#UU [S 9 U $GNNNs sn fN!![an[%SUSU35eSnAff=f7f)z - Check if user id in proxy User Table - if valid, return LiteLLM_UserTable object with defined limits - if not, then raise an error Nrrzz user_id:{}rrrrGorganization_membershipsTr)datarrrrz$User doesn't exist in db. 'user_id'=z0. Create user via `/user/new` call. Got error - r)rrrrr?rrrrrlitellm_usertablercreaterrB model_dumprr ValueError)rGrurvrrwrxrdb_access_time_keyshould_check_dbr membership_dumped_membershipsr response_dictrs rQget_user_objectrs"/>>7>KKO" ot , ,$77 7 ): ; ;" ")**5 )009*" 3+  *--??KK '*5OQU4VLHH  !.!1!1!C!C!J!J#W-7>"K"    - - 9H556: #+"C"C#"CJ( %%'"C # 1D -%7X7 !,,. !00W0RRR $" 3 uL$# S  27);klmkn o   s}GF-A G'AF;=F0>F;F9F;,G0F;2F;4F;; GGGGc># URXS9IShvN gN7f)Nr)rrrXrvrxs rQ_cache_management_objectrs  , , , BBBs r@ team_tablec# SRU5n[R"5Ul[UUUUS9IShvN gN7f)N team_id:{}r)rrlast_refreshed_atr)r@rrvrxrs rQ_cache_team_objectrsE   g &C$(99;J " -+  s;AAA hashed_tokenuser_api_key_objcp# Un[R"5Ul[UUUUS9IShvN gN7f)Nr)rrr)rrrvrxrs rQ_cache_key_objectrs; C*.& " -+  s ,646c# UnURUS9 Ub,URRRUS9IShvN ggN7f)Nr) delete_cacheinternal_usage_cache dual_cacheasync_delete_cache)rrvrxrs rQ_delete_cache_key_objectrs\ C###,$44??RRS   % s;AAAch# URRRSU0S9IShvN $N7fNr@rrlitellm_teamtablerr@rus rQ_get_team_db_checkr's<!!33??'"@   )202ch# URRRSU0S9IShvN $N7frrrs rQ_get_team_object_from_dbr.s<!!33??'"@  rc# Un[UUUS9nU(a[XS9IShvN n OSn U c[e[S0U R 5D6n [ UU UUS9IShvN [ UU US9 U $NJN7f)Nrr)r@rrvrxrr)rrr?rrrr) r@rurvrrrxrrrrrs rQ(_get_team_object_from_user_api_key_cacher4s& /'O +  *=X]]_=I -+   / 5 s!!A2A.8A2A0A20A2cR# SnUbFURR(a+URRRXS9IShvN nUcURUS9IShvN nUb7[U[5(a [ S0UD6$[U[ 5(aU$gNYNA7f)N)rrwrr)rrrrrr)rrxrvrwcached_team_objs rQ_get_team_object_from_cacheras =AO %  2 2 = =$88CCSST    2 B Bs B KK" ot , ,-@@ @ )C D D" "   Ls%AB' B# B'#B%$AB'%B'check_cache_only check_db_onlyc 6# Uc [S5eSRU5nU(d/[UUUUS9IShvN nUbU$U(a[SUS35e[UUUU[[ US9IShvN $N?N![a [SUS 35ef=f7f) - Check if team id in proxy Team Table - if valid, return LiteLLM_TeamTable object with defined limits - if not, then raise an error NFNo DB Connected. See - https://docs.litellm.ai/docs/proxy/virtual_keysr)rrxrvrwz:Team doesn't exist in cache + check_cache_only=True. Team=.)r@rurvrxrrrzTeam doesn't exist in db. Team=z#. Create team via `/team/new` call.)r?rrrrr) r@rurvrwrxrrrrs rQget_team_objectrs T    g &C  ;/1- !    &" " LWIUVW   ='1/ 3+   # "   -gY6Y Z   s96BA8BA<3A:4A<7B:A<<BBcT# Uc [S5eUnURUS9IShvN nUb7[U[5(a [ S0UD6$[U[5(aU$U(a[SUS35eUR USUUS9IShvN nUc[e[ S0UR SS 9D6n [UU UUS 9IShvN U $NN=N ![an [U S 9IShvN sSn A $Sn A f[a% [R"5 [S US 35ef=f7f)rNrrz8Key doesn't exist in cache + check_cache_only=True. key=r combined_view)token table_namerwrxT) exclude_none)rrrvrx)rzKey doesn't exist in db. key=z&. Create key via `/key/generate` call.r) r?rrrrget_datarrr /_handle_failed_db_connection_for_get_key_object traceback print_exc) rrurvrwrxrrcached_key_obj _valid_tokenrrs rQget_key_objectrsq T  C5G5W5W 6X60N! nd + +!3N3 3  7 7! !Fse1 M   2?2H2H&-/ 3I3 -   O"P\%<%<$%<%OP  %&1/    K0"-   %JDqIIII  +L>9_ `   sp#D(C AD(;CC4CCC D(CC D% C3(C+)C3-D%.D(32D%%D(rc# SSKJnJnJn UR SS5SLa5UR R [RSUSS9 [S S US 9$Ue7f) a  Handles httpx.ConnectError when reading a Virtual Key from LiteLLM DB Use this if you don't want failed DB queries to block LLM API reqiests Returns: - UserAPIKeyAuth: If general_settings.allow_requests_on_db_unavailable is True Raises: - Orignal Exception in all other cases r)r(litellm_proxy_admin_namerx allow_requests_on_db_unavailableFTrg)service call_typer:durationzfailed-to-connect-to-db)key_namerrG) litellm.proxy.proxy_serverr(rrxr=service_logging_objservice_failure_hookrDBr)rr(rrxs rQrrsp>F$N--BB OO& C .+,  sAAorg_idct# Uc [S5eURSRU5S9nUb.[U[5(aU$[U[ 5(aU$UR RRSU0S9IShvN nUc[eU$N![a [SUS35ef=f7f) zx - Check if org id in proxy Org Table - if valid, return LiteLLM_OrganizationTable object - if not, then raise an error Nrz org_id:{}rorganization_idrz/Organization doesn't exist in db. Organization=z3. Create organization via `/organization/new` call.) r?rrrrrrlitellm_organizationtabler)rrurvrwrxcached_org_objrs rQget_org_objectr%s T  (77KNRW>WUVaVhVhUii{}B|C D  ) #O#44J;K]K]J^_ 'PsBE-E-0 E(=E(B*E-)NN)NNNN)NNN)T__doc__rrtypingrrrrrrpydanticr rElitellm._loggingr litellm.caching.cachingr litellm.caching.dual_cacher litellm.proxy._typesr rrrrrrrrrlitellm.proxy.auth.route_checksrlitellm.proxy.utilsrrrlitellm.routerrlitellm.types.servicesrauth_checks_organizationropentelemetry.tracer_Spanrrr^rXmanagement_routes all_routesrfloatstrboolrRrrZr`rb INTERNAL_USERrerkrsrrCintrrrrrrrrrrrrrr?rrrrrSrQrs: DD1-=   8JJ!/J1 D D-c:  ( ( . .1P1P1V1V V LL+,L+,L23 L ! L  L L L L^c4D&#$$&& (#  #)# #L % }    dt (,04 >#>L)>">tn >  - > "# >>B %d3i0>Fv>N < #9LO (4 4c]49O4  (,04 P P L)P "P  P tn P  - P  P P fC C C"C - C *" - &$" - &    !   -  c, C  * **"*0 *  *  - * * *Z  -"tn  () H(,04'+$(4 4 L)4 "4 tn 4  - 4 tn 4 D>4  4 n (,04'+ A A L)A "A tn A  - A tn A A A H%%%P (,04 % % L)% "% tn %  - % % P8 8TN8 8( 8  T] 8rS