Commit Graph

15 Commits

Author SHA1 Message Date
Alexander Yastrebov 825923e7be litellm/proxy: preserve model order of /v1/models and /model_group/info (#13178)
Closes #12644

Signed-off-by: Alexander Yastrebov <alexander.yastrebov@zalando.de>
2025-08-02 08:57:38 -07:00
Cole McIntosh 8826e02a98 feat: Add dot notation support for all JWT fields (#13013)
* feat: Add dot notation support for all JWT fields

- Updated all JWT field access methods to use get_nested_value for dot notation support
- Enhanced get_team_id to properly handle team_id_default fallback with nested fields
- Added comprehensive unit tests for nested JWT field access and edge cases
- Updated documentation to reflect dot notation support across all JWT fields
- Maintains full backward compatibility with existing flat field configurations

Supported fields with dot notation:
- team_id_jwt_field, team_ids_jwt_field, user_id_jwt_field
- user_email_jwt_field, org_id_jwt_field, object_id_jwt_field
- end_user_id_jwt_field (roles_jwt_field was already supported)

Example: user_id_jwt_field: 'user.sub' accesses token['user']['sub']

* fix: Add type annotations to resolve mypy errors

- Add explicit type annotation for team_ids variable in get_team_ids_from_jwt
- Add type ignore comment for sentinel object return in get_team_id
- Resolves mypy errors while maintaining functionality

* fix: Resolve mypy type error in get_team_ids_from_jwt

- Remove explicit List[str] type annotation that conflicts with get_nested_value return type
- Simplify return logic to use 'team_ids or []' ensuring always returns List[str]
- Fixes: Incompatible types in assignment (expression has type 'list[str] | None', variable has type 'list[str]')

* fix: Add proper type annotation for team_ids variable

- Use Optional[List[str]] type annotation to satisfy mypy requirements
- Resolves: Need type annotation for 'team_ids' [var-annotated]
- Maintains functionality while ensuring type safety

* refactor: remove outdated JWT unit tests and consolidate JWT-related functionality

- Deleted the test_jwt.py file as it contained outdated and redundant tests.
- Consolidated JWT-related tests into test_handle_jwt.py for better organization and maintainability.
- Updated tests to ensure proper functionality of JWT handling, including token validation and role mapping.
- Enhanced test coverage for JWT field access and nested claims handling.

* test: add comprehensive unit tests for JWT authentication

- Introduced a new test file `test_jwt.py` containing unit tests for JWT authentication.
- Implemented tests for loading configuration with custom role names, validating tokens, and handling team tokens.
- Enhanced coverage for JWT field access, nested claims, and role-based access control.
- Added fixtures for Prisma client and public JWT key generation to support testing.
- Ensured proper handling of valid and invalid tokens, including user and team scenarios.

* revert test_handle_jwt.py

* rename file

* test: remove outdated JWT nesting tests and add new nested field access tests

- Deleted the `test_jwt_nesting.py` file as it contained outdated tests.
- Introduced new tests in `test_handle_jwt.py` to verify nested JWT field access.
- Enhanced coverage for accessing nested values using dot notation and ensured backward compatibility with flat field names.
- Added tests for handling missing nested paths and appropriate default values.
- Improved handling of metadata prefixes in nested field access.

* restore file
2025-07-29 16:51:17 -07:00
Krish Dholakia eed0cf2ee9 UI SSO - fix reset env var when ui_access_mode is updated (#13011)
* fix(ui_sso.py): fix form action on login when sso is enabled

* fix: multiple fixes - fix resetting env var in proxy config + add key to exception message on key decryption

fixes issue where env vars would be reset

* refactor(proxy_server.py): cleanup redundant decryption line

* fix(proxy_setting_endpoints.py): show saved ui access mode

allows admin to know what they'd previously stored in db
2025-07-26 11:42:41 -07:00
Krish Dholakia 1a57875d24 Proxy - specify key_type - allows specifying if key can call LLM API routes vs. Management routes only (#12909)
* feat(key_management_endpoints.py): Support new 'key_type' field

allow user to specify if key should be 'management' or 'llm api' key

Security fix

* test(test_route_checks.py): add unit tests

* fix(create_key_button.tsx): add ui component to select key type

allows specifying if key can call llm api vs. management routes

* feat(create_key_button.tsx): add specifying key type to ui

* fix(route_checks.py): add sensitive data masker for user id on not allowed error message

prevent leaking sensitive information
2025-07-24 16:40:40 -07:00
Murad Khafizov a6ddf5c744 feat: extended /v1/models endpoint, now it returns with fallbacks on demand (#12811)
* Extended `/v1/model` endpoint to support fallbacks

* unit tests reworked

* linting fixes

* fix lining error

* fix linting
2025-07-22 23:16:46 -07:00
Krish Dholakia 7c392475e6 Control Plane + Data Plane support (#12601)
* feat(route_checks.py): allow admin to disable proxy management endpoints on instance

useful for preventing multiple instances from doing admin actions

* docs(scaling_multiple_instances.md): add architecture doc on scaling multiple litellm instances

provide guidance on scaling proxy

* docs(scaling_multiple_instances.md): add doc on scaling across multiple regions for litellm

* fix(route_checks.py): allow disabling llm api endpoints on an instance

allows pure admin instance to exist

* refactor(enterprise/route_checks.py): refactor env var checks

* refactor: finish refactoring

* docs(control_plane_and_data_plane.md): refactor docs

* test: update tests
2025-07-14 21:31:56 -07:00
Krish Dholakia 07e8609edb Resolve model group alias on Auth + /v1/messages Fallback support (#12440)
* fix(auth_checks.py): resolve a model group alias when key has access to underlying model

Fixes LIT-293

* feat(anthropic/): add mock_response to anthropic /v1/messages

makes it easy to test fallback logic

* fix(router.py): support fallbacks on /v1/messages

adds working fallbacks on generic api route

* refactor(router.py): point _ageneric_api_call_with_fallbacks to updated function

* test: add unit test for new helper on router

* fix(router.py): use correct metadata variable name

* fix(router.py): use correct metadata field

* docs(config_settings.md): document new param
2025-07-09 22:27:55 -07:00
Krish Dholakia c42880d771 fix(utils.py): rollback faulty security check on files (#12441)
* fix(utils.py): rollback faulty security check on files

Closes https://github.com/BerriAI/litellm/issues/11009

* fix(route_checks.py): add unit tests
2025-07-08 22:11:06 -07:00
Ishaan Jaff 738db9336e [Feat] JWT - Sync user roles and team memberships when JWT Auth is used (#11994)
* add JWTLiteLLMRoleMap

* test_sync_user_role_and_teams

* add sync_user_role_and_teams

* test_sync_user_role_and_teams

* fix types

* Sync User Roles and Teams with IDP

* Add test for JWT role mapping to LiteLLM roles
2025-07-05 08:58:34 -07:00
Krish Dholakia 30b431681e JWT Auth - correctly return user email + UI Model Update - Allow editing model access group for existing model (#11783)
* fix(handle_jwt.py): check user object, if jwt user is proxy admin

correctly return user role - if jwt user has role updated in UI

* test(test_handle_jwt.py): add unit test for passing correct user role

* feat(model_info_view.tsx): separate UI component for updating edit model component

* feat(model_info_view.tsx): allow updating model access group on UI

show all available access groups in ui component

* docs: minor fixes
2025-06-16 22:11:04 -07:00
Ishaan Jaff c40580f892 [Fix] JWT - Fix error when team member already part of team (#11735)
* fix _check_member_duplication

* fix map_user_to_teams

* test_map_user_to_teams_handles_already_in_team_exception

* test_team_endpoints.py
2025-06-14 15:50:16 -07:00
Krish Dholakia c569056ea8 Show remaining users on UI (#11568)
* docs(deploy.md): move docker recommendation to `main-stable`

* feat(enterprise/internal_user_endpoints.py): expose endpoint for checking available premium users

* feat(usage_indictor.tsx): add new element to help track remaining premium users

* feat(usage_indicator.tsx): show premium user remaining usage

allows users with user caps to know how much is left

* fix(vertex_and_google_ai_studio_gemini.py): bubble up stream is not finished, even if stop reason is given

prevents early completion of stream

Closes https://github.com/BerriAI/litellm/issues/11549

* fix(streaming_handler.py): respect is_finished = False in hidden params

internal logic for preventing ending stream early

* fix(litellm_license.py): add function to check if user is over limit

* fix(internal_user_endpoints.py): add function to check if user is over limit

* refactor: move test

* docs(customer_endpoints.py): document new param
2025-06-09 22:04:45 -07:00
Krish Dholakia 17d2711cf4 UI - fix invitation link + ensure team models returned when team has 'all-proxy-models' + team only models (#11524)
* fix(onboarding_link.tsx): fix adding ui/invitation id

* fix(onboarding_link.tsx): update invitation link function to handle w/ and w/out custom server path cases

* fix(model_checks.py): ensure team only models returned when all proxy models set for team
2025-06-07 15:19:52 -07:00
Ishaan Jaff 7e49b4e2a0 [Feat] Enforce Vector Store Access Controls on LiteLLM Auth (#11281)
* fix LiteLLM_ObjectPermissionTable

* fix include object_permission for list key

* fix key list to inclue obj permissions

* fix object permissions for vector stores on key info

* add key edit view with vector stores

* allow editing vector stores permissions

* fixes obj permissions

* feat: add obj permission on UI

* fix: add object_permission:true

* ui show org vector stores on org info

* fix: show object permissions on /org/info

* feat: allow updating obj permissions for keys

* fixes: key object permissions

* fixes: team object permissions

* fixes: org object permissions

* fix vector store selector for Orgs

* feat: add auth checks for vector store permissions

* feat: working auth checks for vector store permissions

* test vector stores auth checks

* Update litellm/proxy/_types.py

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* fix: linting

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2025-05-30 22:20:11 -07:00
Krish Dholakia ef42461c1e Litellm fix GitHub action testing (#11163)
* test: add __init__.py files

* refactor: rename test folder to avoid naming conflict

* test: update workflows

* test: update tests

* test: update imports

* test: update tests

* test: remove unused import

* ci(test-litellm.yml): add pytest retry to github workflow

* test: fix test
2025-05-26 14:41:42 -07:00