""" Unit tests for auth_utils functions related to rate limiting and customer ID extraction. """ import base64 from typing import Optional from unittest.mock import MagicMock, patch import pytest from litellm.proxy._types import UserAPIKeyAuth from litellm.proxy.auth.auth_utils import ( _get_customer_id_from_standard_headers, abbreviate_api_key, check_complete_credentials, get_end_user_id_from_request_body, get_key_mcp_rpm_limit, get_key_model_rpm_limit, get_key_model_tpm_limit, get_model_from_request, get_project_model_rpm_limit, get_project_model_tpm_limit, get_request_route_template, is_request_body_safe, ) class TestGetKeyModelRpmLimit: """Tests for get_key_model_rpm_limit function.""" def test_returns_key_metadata_when_present(self): """Key metadata takes priority over team metadata.""" user_api_key_dict = UserAPIKeyAuth( api_key="sk-123", metadata={"model_rpm_limit": {"gpt-4": 100}}, team_metadata={"model_rpm_limit": {"gpt-4": 50}}, ) result = get_key_model_rpm_limit(user_api_key_dict) assert result == {"gpt-4": 100} def test_falls_back_to_team_metadata_when_key_has_other_metadata(self): """Should fall back to team metadata when key metadata exists but has no model_rpm_limit.""" user_api_key_dict = UserAPIKeyAuth( api_key="sk-123", metadata={ "some_other_key": "value" }, # Has metadata, but not model_rpm_limit team_metadata={"model_rpm_limit": {"gpt-4": 50}}, ) result = get_key_model_rpm_limit(user_api_key_dict) assert result == {"gpt-4": 50} def test_extracts_from_model_max_budget(self): """Should extract rpm_limit from model_max_budget when metadata is empty.""" user_api_key_dict = UserAPIKeyAuth( api_key="sk-123", model_max_budget={ "gpt-4": {"rpm_limit": 100, "tpm_limit": 1000}, "gpt-3.5-turbo": {"rpm_limit": 200}, }, ) result = get_key_model_rpm_limit(user_api_key_dict) assert result == {"gpt-4": 100, "gpt-3.5-turbo": 200} def test_skips_models_without_rpm_limit(self): """Should skip models that don't have rpm_limit in model_max_budget.""" user_api_key_dict = UserAPIKeyAuth( api_key="sk-123", model_max_budget={ "gpt-4": {"rpm_limit": 100}, "gpt-3.5-turbo": {"tpm_limit": 1000}, # No rpm_limit }, ) result = get_key_model_rpm_limit(user_api_key_dict) assert result == {"gpt-4": 100} def test_returns_none_when_no_limits_configured(self): """Should return None when no rate limits are configured.""" user_api_key_dict = UserAPIKeyAuth(api_key="sk-123") result = get_key_model_rpm_limit(user_api_key_dict) assert result is None def test_team_metadata_empty_rpm_dict_falls_through_to_deployment_default(self): """Explicitly empty team model_rpm_limit ({}) should be returned as-is, not fallen through.""" # An empty dict is a valid team limit map (no per-model limits configured). # It should be returned directly rather than falling through to deployment defaults, # so a team with an empty map is treated as unconstrained at the team level. user_api_key_dict = UserAPIKeyAuth( api_key="sk-123", team_metadata={"model_rpm_limit": {}}, ) result = get_key_model_rpm_limit(user_api_key_dict) assert result == {} class TestGetKeyMcpRpmLimit: def test_empty_dict_limits_are_returned(self): key_override = UserAPIKeyAuth( api_key="sk-123", metadata={"mcp_rpm_limit": {}}, team_metadata={"mcp_rpm_limit": {"github": 50}}, ) assert get_key_mcp_rpm_limit(key_override) == {} team_empty = UserAPIKeyAuth( api_key="sk-123", team_metadata={"mcp_rpm_limit": {}}, ) assert get_key_mcp_rpm_limit(team_empty) == {} class TestGetKeyModelTpmLimit: """Tests for get_key_model_tpm_limit function.""" def test_returns_key_metadata_when_present(self): """Key metadata takes priority over team metadata.""" user_api_key_dict = UserAPIKeyAuth( api_key="sk-123", metadata={"model_tpm_limit": {"gpt-4": 10000}}, team_metadata={"model_tpm_limit": {"gpt-4": 5000}}, ) result = get_key_model_tpm_limit(user_api_key_dict) assert result == {"gpt-4": 10000} def test_falls_back_to_team_metadata_when_key_has_other_metadata(self): """Should fall back to team metadata when key metadata exists but has no model_tpm_limit.""" user_api_key_dict = UserAPIKeyAuth( api_key="sk-123", metadata={ "some_other_key": "value" }, # Has metadata, but not model_tpm_limit team_metadata={"model_tpm_limit": {"gpt-4": 5000}}, ) result = get_key_model_tpm_limit(user_api_key_dict) assert result == {"gpt-4": 5000} def test_extracts_from_model_max_budget(self): """Should extract tpm_limit from model_max_budget when metadata is empty.""" user_api_key_dict = UserAPIKeyAuth( api_key="sk-123", model_max_budget={ "gpt-4": {"tpm_limit": 10000, "rpm_limit": 100}, "gpt-3.5-turbo": {"tpm_limit": 20000}, }, ) result = get_key_model_tpm_limit(user_api_key_dict) assert result == {"gpt-4": 10000, "gpt-3.5-turbo": 20000} def test_skips_models_without_tpm_limit(self): """Should skip models that don't have tpm_limit in model_max_budget.""" user_api_key_dict = UserAPIKeyAuth( api_key="sk-123", model_max_budget={ "gpt-4": {"tpm_limit": 10000}, "gpt-3.5-turbo": {"rpm_limit": 100}, # No tpm_limit }, ) result = get_key_model_tpm_limit(user_api_key_dict) assert result == {"gpt-4": 10000} def test_returns_none_when_no_limits_configured(self): """Should return None when no rate limits are configured.""" user_api_key_dict = UserAPIKeyAuth(api_key="sk-123") result = get_key_model_tpm_limit(user_api_key_dict) assert result is None def test_model_max_budget_priority_over_team(self): """model_max_budget should take priority over team_metadata.""" user_api_key_dict = UserAPIKeyAuth( api_key="sk-123", model_max_budget={"gpt-4": {"tpm_limit": 10000}}, team_metadata={"model_tpm_limit": {"gpt-4": 5000}}, ) result = get_key_model_tpm_limit(user_api_key_dict) assert result == {"gpt-4": 10000} def test_team_metadata_empty_tpm_dict_falls_through_to_deployment_default(self): """Explicitly empty team model_tpm_limit ({}) should be returned as-is, not fallen through.""" # An empty dict is a valid team limit map (no per-model limits configured). # It should be returned directly rather than falling through to deployment defaults, # so a team with an empty map is treated as unconstrained at the team level. user_api_key_dict = UserAPIKeyAuth( api_key="sk-123", team_metadata={"model_tpm_limit": {}}, ) result = get_key_model_tpm_limit(user_api_key_dict) assert result == {} def test_skips_deployments_with_malformed_limit_value(self): """Deployments with non-integer-parseable limit values are skipped without raising.""" user_api_key_dict = UserAPIKeyAuth(api_key="sk-123") mock_router = MagicMock() mock_router.get_model_list.return_value = [ { "model_name": "model1", "litellm_params": {"default_api_key_tpm_limit": "not-a-number"}, }, _make_deployment_dict("model1", tpm=500), ] with patch(_ROUTER_PATCH, mock_router): result = get_key_model_tpm_limit(user_api_key_dict, model_name="model1") # The malformed deployment is skipped; the valid one provides 500 assert result == {"model1": 500} class TestGetCustomerIdFromStandardHeaders: """Tests for _get_customer_id_from_standard_headers helper function.""" def test_should_return_customer_id_from_x_litellm_customer_id_header(self): """Should extract customer ID from x-litellm-customer-id header.""" headers = {"x-litellm-customer-id": "customer-123"} result = _get_customer_id_from_standard_headers(request_headers=headers) assert result == "customer-123" def test_should_return_customer_id_from_x_litellm_end_user_id_header(self): """Should extract customer ID from x-litellm-end-user-id header.""" headers = {"x-litellm-end-user-id": "end-user-456"} result = _get_customer_id_from_standard_headers(request_headers=headers) assert result == "end-user-456" def test_should_return_none_when_headers_is_none(self): """Should return None when headers is None.""" result = _get_customer_id_from_standard_headers(request_headers=None) assert result is None def test_should_return_none_when_no_standard_headers_present(self): """Should return None when no standard customer ID headers are present.""" headers = {"x-other-header": "some-value"} result = _get_customer_id_from_standard_headers(request_headers=headers) assert result is None class TestGetEndUserIdFromRequestBodyWithStandardHeaders: """Tests for get_end_user_id_from_request_body with standard customer ID headers.""" def test_should_prioritize_standard_header_over_body_user(self): """Standard customer ID header should take precedence over body user field.""" headers = {"x-litellm-customer-id": "header-customer"} request_body = {"user": "body-user"} with patch("litellm.proxy.proxy_server.general_settings", {}): result = get_end_user_id_from_request_body( request_body=request_body, request_headers=headers ) assert result == "header-customer" def test_should_fall_back_to_body_when_no_standard_header(self): """Should fall back to body user when no standard headers are present.""" headers = {"x-other-header": "value"} request_body = {"user": "body-user"} with patch("litellm.proxy.proxy_server.general_settings", {}): result = get_end_user_id_from_request_body( request_body=request_body, request_headers=headers ) assert result == "body-user" def test_get_model_from_request_supports_google_model_names_with_slashes(): assert ( get_model_from_request( request_data={}, route="/v1beta/models/bedrock/claude-sonnet-3.7:generateContent", ) == "bedrock/claude-sonnet-3.7" ) assert ( get_model_from_request( request_data={}, route="/models/hosted_vllm/gpt-oss-20b:generateContent", ) == "hosted_vllm/gpt-oss-20b" ) def test_get_model_from_request_vertex_passthrough_still_works(): route = "/vertex_ai/v1/projects/p/locations/l/publishers/google/models/gemini-1.5-pro:generateContent" assert get_model_from_request(request_data={}, route=route) == "gemini-1.5-pro" def test_get_model_from_request_openai_deployment_route_still_works(): assert ( get_model_from_request( request_data={}, route="/openai/deployments/my-azure-deployment/chat/completions", ) == "my-azure-deployment" ) def test_get_model_from_request_includes_file_endpoint_header_model(): assert ( get_model_from_request( request_data={}, route="/v1/files", request_headers={"X-LiteLLM-Model": "restricted-model"}, ) == "restricted-model" ) def test_get_model_from_request_ignores_routing_header_on_standard_llm_routes(): assert ( get_model_from_request( request_data={"model": "allowed-model"}, route="/v1/chat/completions", request_headers={"x-litellm-model": "restricted-model"}, ) == "allowed-model" ) def test_get_model_from_request_authorizes_all_file_routing_model_sources(): models = get_model_from_request( request_data={"model": "body-model"}, route="/v1/files", request_headers={"x-litellm-model": "header-model"}, request_query_params={"target_model_names": "query-model-a,query-model-b"}, ) assert isinstance(models, list) assert set(models) == { "body-model", "query-model-a", "query-model-b", "header-model", } def test_get_model_from_request_extracts_simple_encoded_file_id_model(): from litellm.proxy.openai_files_endpoints.common_utils import ( encode_file_id_with_model, ) file_id = encode_file_id_with_model( file_id="file-provider-id", model="restricted-model", ) assert ( get_model_from_request( request_data={"file_id": file_id}, route="/v1/files/{file_id}", ) == "restricted-model" ) def test_get_model_from_request_extracts_unified_file_id_models(): raw_unified_file_id = ( "litellm_proxy:application/octet-stream;unified_id,test-id;" "target_model_names,model-a,model-b;llm_output_file_id,file-provider-id" ) encoded_unified_file_id = ( base64.urlsafe_b64encode(raw_unified_file_id.encode()).decode().rstrip("=") ) assert get_model_from_request( request_data={"file_id": encoded_unified_file_id}, route="/v1/files/{file_id}", ) == ["model-a", "model-b"] def test_get_model_from_request_extracts_eval_completion_model(): assert ( get_model_from_request( request_data={"completion": {"model": "judge-model"}}, route="/v1/evals/{eval_id}/runs", ) == "judge-model" ) def test_get_model_from_request_includes_fine_tuning_target_model_query(): assert ( get_model_from_request( request_data={}, route="/v1/fine_tuning/jobs", request_query_params={"target_model_names": "fine-tune-model"}, ) == "fine-tune-model" ) def test_get_model_from_request_extracts_video_id_model(): from litellm.types.videos.utils import encode_video_id_with_provider video_id = encode_video_id_with_provider( video_id="video-provider-id", provider="openai", model_id="video-model", ) assert ( get_model_from_request( request_data={"video_id": video_id}, route="/v1/videos/{video_id}", ) == "video-model" ) def test_get_model_from_request_resolves_video_id_model_with_router(): from litellm.types.videos.utils import encode_video_id_with_provider provider_video_id = ( "projects/test-project/locations/us-central1/publishers/google/models/" "veo-3.1-generate-001/operations/operation-id" ) video_id = encode_video_id_with_provider( video_id=provider_video_id, provider="vertex_ai", model_id="veo-3.1-generate-001", ) llm_router = MagicMock() llm_router.resolve_model_name_from_model_id.return_value = ( "gcp/google/veo-3.1-generate-001" ) assert ( get_model_from_request( request_data={"video_id": video_id}, route="/v1/videos/{video_id}", llm_router=llm_router, ) == "gcp/google/veo-3.1-generate-001" ) llm_router.resolve_model_name_from_model_id.assert_called_once_with( "veo-3.1-generate-001" ) def test_get_model_from_request_resolves_character_id_model_with_router(): from litellm.types.videos.utils import encode_character_id_with_provider character_id = encode_character_id_with_provider( character_id="character-provider-id", provider="vertex_ai", model_id="veo-3.1-generate-001", ) llm_router = MagicMock() llm_router.resolve_model_name_from_model_id.return_value = ( "gcp/google/veo-3.1-generate-001" ) assert ( get_model_from_request( request_data={"character_id": character_id}, route="/v1/videos/characters/{character_id}", llm_router=llm_router, ) == "gcp/google/veo-3.1-generate-001" ) llm_router.resolve_model_name_from_model_id.assert_called_once_with( "veo-3.1-generate-001" ) def test_get_model_from_request_only_runs_media_decoders_for_matching_fields(): with ( patch( "litellm.types.videos.utils.decode_video_id_with_provider", return_value={"model_id": "video-model"}, ) as video_decoder, patch( "litellm.types.videos.utils.decode_character_id_with_provider", return_value={"model_id": "character-model"}, ) as character_decoder, ): assert ( get_model_from_request( request_data={"file_id": "file-provider-id"}, route="/v1/files/{file_id}", ) is None ) video_decoder.assert_not_called() character_decoder.assert_not_called() assert ( get_model_from_request( request_data={"video_id": "video-provider-id"}, route="/v1/videos/{video_id}", ) == "video-model" ) video_decoder.assert_called_once_with("video-provider-id") character_decoder.assert_not_called() video_decoder.reset_mock() character_decoder.reset_mock() assert ( get_model_from_request( request_data={"character_id": "character-provider-id"}, route="/v1/videos/{character_id}", ) == "character-model" ) video_decoder.assert_not_called() character_decoder.assert_called_once_with("character-provider-id") def test_get_model_from_request_handles_managed_id_decoder_failures(): with ( patch( "litellm.proxy.openai_files_endpoints.common_utils.decode_model_from_file_id", side_effect=Exception("decode failed"), ), patch( "litellm.llms.base_llm.managed_resources.utils.parse_unified_id", side_effect=Exception("parse failed"), ), patch( "litellm.types.videos.utils.decode_video_id_with_provider", side_effect=Exception("video decode failed"), ), ): assert ( get_model_from_request( request_data={"file_id": "not-a-managed-resource-id"}, route="/v1/files/{file_id}", ) is None ) assert ( get_model_from_request( request_data={"video_id": "not-a-managed-resource-id"}, route="/v1/videos/{video_id}", ) is None ) def test_abbreviate_api_key(): assert abbreviate_api_key("sk-test-1234") == "sk-...1234" def test_get_customer_user_header_returns_none_when_no_customer_role(): from litellm.proxy.auth.auth_utils import get_customer_user_header_from_mapping mappings = [ {"header_name": "X-OpenWebUI-User-Id", "litellm_user_role": "internal_user"} ] result = get_customer_user_header_from_mapping(mappings) assert result is None def test_get_customer_user_header_returns_none_for_single_non_customer_mapping(): from litellm.proxy.auth.auth_utils import get_customer_user_header_from_mapping mapping = {"header_name": "X-Only-Internal", "litellm_user_role": "internal_user"} result = get_customer_user_header_from_mapping(mapping) assert result is None def test_get_customer_user_header_from_mapping_returns_customer_header(): from litellm.proxy.auth.auth_utils import get_customer_user_header_from_mapping mappings = [ {"header_name": "X-OpenWebUI-User-Id", "litellm_user_role": "internal_user"}, {"header_name": "X-OpenWebUI-User-Email", "litellm_user_role": "customer"}, ] result = get_customer_user_header_from_mapping(mappings) assert result == ["x-openwebui-user-email"] def test_get_customer_user_header_returns_customers_header_in_config_order_when_multiple_exist(): from litellm.proxy.auth.auth_utils import get_customer_user_header_from_mapping mappings = [ {"header_name": "X-OpenWebUI-User-Id", "litellm_user_role": "internal_user"}, {"header_name": "X-OpenWebUI-User-Email", "litellm_user_role": "customer"}, {"header_name": "X-User-Id", "litellm_user_role": "customer"}, ] result = get_customer_user_header_from_mapping(mappings) assert result == ["x-openwebui-user-email", "x-user-id"] def test_get_end_user_id_returns_id_from_user_header_mappings(): from litellm.proxy.auth.auth_utils import get_end_user_id_from_request_body mappings = [ {"header_name": "x-openwebui-user-id", "litellm_user_role": "internal_user"}, {"header_name": "x-openwebui-user-email", "litellm_user_role": "customer"}, ] general_settings = {"user_header_mappings": mappings} headers = {"x-openwebui-user-email": "1234"} with ( patch( "litellm.proxy.auth.auth_utils._get_customer_id_from_standard_headers", return_value=None, ), patch("litellm.proxy.proxy_server.general_settings", general_settings), ): result = get_end_user_id_from_request_body( request_body={}, request_headers=headers ) assert result == "1234" def test_get_end_user_id_returns_first_customer_header_when_multiple_mappings_exist(): from litellm.proxy.auth.auth_utils import get_end_user_id_from_request_body mappings = [ {"header_name": "x-openwebui-user-id", "litellm_user_role": "internal_user"}, {"header_name": "x-user-id", "litellm_user_role": "customer"}, {"header_name": "x-openwebui-user-email", "litellm_user_role": "customer"}, ] general_settings = {"user_header_mappings": mappings} headers = { "x-user-id": "user-456", "x-openwebui-user-email": "user@example.com", } with ( patch( "litellm.proxy.auth.auth_utils._get_customer_id_from_standard_headers", return_value=None, ), patch("litellm.proxy.proxy_server.general_settings", general_settings), ): result = get_end_user_id_from_request_body( request_body={}, request_headers=headers ) assert result == "user-456" def test_get_end_user_id_returns_none_when_no_customer_role_in_mappings(): from litellm.proxy.auth.auth_utils import get_end_user_id_from_request_body mappings = [ {"header_name": "x-openwebui-user-id", "litellm_user_role": "internal_user"}, ] general_settings = {"user_header_mappings": mappings} headers = {"x-openwebui-user-id": "user-789"} with ( patch( "litellm.proxy.auth.auth_utils._get_customer_id_from_standard_headers", return_value=None, ), patch("litellm.proxy.proxy_server.general_settings", general_settings), ): result = get_end_user_id_from_request_body( request_body={}, request_headers=headers ) assert result is None def test_get_end_user_id_falls_back_to_deprecated_user_header_name(): from litellm.proxy.auth.auth_utils import get_end_user_id_from_request_body general_settings = {"user_header_name": "x-custom-user-id"} headers = {"x-custom-user-id": "user-legacy"} with ( patch( "litellm.proxy.auth.auth_utils._get_customer_id_from_standard_headers", return_value=None, ), patch("litellm.proxy.proxy_server.general_settings", general_settings), ): result = get_end_user_id_from_request_body( request_body={}, request_headers=headers ) assert result == "user-legacy" class TestCoerceUserIdToStr: """Unit tests for the _coerce_user_id_to_str helper.""" def test_plain_string_is_returned_verbatim(self): from litellm.proxy.auth.auth_utils import _coerce_user_id_to_str assert _coerce_user_id_to_str("alice@example.com") == "alice@example.com" def test_string_is_stripped(self): from litellm.proxy.auth.auth_utils import _coerce_user_id_to_str assert _coerce_user_id_to_str(" bob ") == "bob" def test_codex_opaque_identifier_is_preserved(self): from litellm.proxy.auth.auth_utils import _coerce_user_id_to_str codex_id = ( "user_8a4a360c36621665b341e06fb76041d9b6def732bb183eea148d4abc9d97c1de" "_account__session_a2bce4a5-8887-44ef-b491-fbf0a55c6569" ) assert _coerce_user_id_to_str(codex_id) == codex_id def test_none_returns_none(self): from litellm.proxy.auth.auth_utils import _coerce_user_id_to_str assert _coerce_user_id_to_str(None) is None def test_empty_string_returns_none(self): from litellm.proxy.auth.auth_utils import _coerce_user_id_to_str assert _coerce_user_id_to_str("") is None assert _coerce_user_id_to_str(" ") is None def test_dict_returns_none(self): from litellm.proxy.auth.auth_utils import _coerce_user_id_to_str payload = { "device_id": "abc", "account_uuid": "", "session_id": "c284b8cb", } assert _coerce_user_id_to_str(payload) is None def test_list_returns_none(self): from litellm.proxy.auth.auth_utils import _coerce_user_id_to_str assert _coerce_user_id_to_str(["a", "b"]) is None def test_json_encoded_dict_string_passes_through_by_default(self): """JSON-encoded dict strings are preserved unless opt-in flag is on. This preserves backwards compatibility: existing deployments that intentionally pass JSON-encoded user identifiers keep working. """ import litellm from litellm.proxy.auth.auth_utils import _coerce_user_id_to_str blob = ( '{"device_id":"d5abe9199ee7759a0558974e9371e78c7b38d7621aae26d6609c1de61af6afb0",' '"account_uuid":"","session_id":"c284b8cb-a050-4278-8599-cc4e016a10ab"}' ) original = litellm.validate_end_user_id_in_db litellm.validate_end_user_id_in_db = False try: assert _coerce_user_id_to_str(blob) == blob finally: litellm.validate_end_user_id_in_db = original def test_json_encoded_dict_string_returns_none_when_validation_enabled(self): import litellm from litellm.proxy.auth.auth_utils import _coerce_user_id_to_str # Same broken shape we saw in spend logs, but pre-stringified to JSON. blob = ( '{"device_id":"d5abe9199ee7759a0558974e9371e78c7b38d7621aae26d6609c1de61af6afb0",' '"account_uuid":"","session_id":"c284b8cb-a050-4278-8599-cc4e016a10ab"}' ) original = litellm.validate_end_user_id_in_db litellm.validate_end_user_id_in_db = True try: assert _coerce_user_id_to_str(blob) is None finally: litellm.validate_end_user_id_in_db = original def test_json_encoded_list_string_passes_through_by_default(self): import litellm from litellm.proxy.auth.auth_utils import _coerce_user_id_to_str original = litellm.validate_end_user_id_in_db litellm.validate_end_user_id_in_db = False try: assert _coerce_user_id_to_str('["a","b"]') == '["a","b"]' finally: litellm.validate_end_user_id_in_db = original def test_json_encoded_list_string_returns_none_when_validation_enabled(self): import litellm from litellm.proxy.auth.auth_utils import _coerce_user_id_to_str original = litellm.validate_end_user_id_in_db litellm.validate_end_user_id_in_db = True try: assert _coerce_user_id_to_str('["a","b"]') is None finally: litellm.validate_end_user_id_in_db = original def test_int_returns_str(self): from litellm.proxy.auth.auth_utils import _coerce_user_id_to_str assert _coerce_user_id_to_str(12345) == "12345" def test_bool_returns_none(self): from litellm.proxy.auth.auth_utils import _coerce_user_id_to_str # bool is an int subclass — reject explicitly, never produce "True"/"False". assert _coerce_user_id_to_str(True) is None assert _coerce_user_id_to_str(False) is None def test_brace_string_that_isnt_json_is_kept(self): """A string starting with `{` but failing to parse stays as-is.""" from litellm.proxy.auth.auth_utils import _coerce_user_id_to_str assert _coerce_user_id_to_str("{not json") == "{not json" class TestGetEndUserIdDropsMalformedBodyValues: """Tests that get_end_user_id_from_request_body drops dict-shaped values rather than stringifying them into spend logs.""" def test_dict_user_falls_through_to_litellm_metadata(self): request_body = { "user": { "device_id": "abc", "session_id": "c284b8cb", }, "litellm_metadata": {"user": "alice@example.com"}, } with patch("litellm.proxy.proxy_server.general_settings", {}): result = get_end_user_id_from_request_body( request_body=request_body, request_headers={} ) assert result == "alice@example.com" def test_dict_user_with_no_other_sources_returns_none(self): request_body = { "user": {"device_id": "abc", "session_id": "xyz"}, } with patch("litellm.proxy.proxy_server.general_settings", {}): result = get_end_user_id_from_request_body( request_body=request_body, request_headers={} ) assert result is None def test_json_encoded_user_string_passes_through_by_default(self): """JSON-encoded user strings pass through unless validation is opted in. Gating behind ``litellm.validate_end_user_id_in_db`` keeps existing deployments that send JSON-encoded identifiers working until they explicitly opt into the stricter extraction. """ import litellm blob = ( '{"device_id":"d5abe9199ee7759a","account_uuid":"",' '"session_id":"c284b8cb-a050-4278-8599-cc4e016a10ab"}' ) request_body = {"user": blob} original = litellm.validate_end_user_id_in_db litellm.validate_end_user_id_in_db = False try: with patch("litellm.proxy.proxy_server.general_settings", {}): result = get_end_user_id_from_request_body( request_body=request_body, request_headers={} ) finally: litellm.validate_end_user_id_in_db = original assert result == blob def test_json_encoded_user_string_returns_none_when_validation_enabled(self): import litellm request_body = { "user": ( '{"device_id":"d5abe9199ee7759a","account_uuid":"",' '"session_id":"c284b8cb-a050-4278-8599-cc4e016a10ab"}' ), } original = litellm.validate_end_user_id_in_db litellm.validate_end_user_id_in_db = True try: with patch("litellm.proxy.proxy_server.general_settings", {}): result = get_end_user_id_from_request_body( request_body=request_body, request_headers={} ) finally: litellm.validate_end_user_id_in_db = original assert result is None def test_plain_string_user_is_preserved(self): request_body = {"user": "alice@example.com"} with patch("litellm.proxy.proxy_server.general_settings", {}): result = get_end_user_id_from_request_body( request_body=request_body, request_headers={} ) assert result == "alice@example.com" def test_codex_opaque_user_is_preserved(self): codex_id = ( "user_8a4a360c36621665b341e06fb76041d9b6def732bb183eea148d4abc9d97c1de" "_account__session_a2bce4a5-8887-44ef-b491-fbf0a55c6569" ) request_body = {"user": codex_id} with patch("litellm.proxy.proxy_server.general_settings", {}): result = get_end_user_id_from_request_body( request_body=request_body, request_headers={} ) assert result == codex_id def test_int_user_is_coerced_to_string(self): request_body = {"user": 12345} with patch("litellm.proxy.proxy_server.general_settings", {}): result = get_end_user_id_from_request_body( request_body=request_body, request_headers={} ) assert result == "12345" def test_list_user_falls_through(self): request_body = { "user": ["a", "b"], "safety_identifier": "alice@example.com", } with patch("litellm.proxy.proxy_server.general_settings", {}): result = get_end_user_id_from_request_body( request_body=request_body, request_headers={} ) assert result == "alice@example.com" def test_dict_safety_identifier_returns_none(self): request_body = { "safety_identifier": {"device_id": "abc"}, } with patch("litellm.proxy.proxy_server.general_settings", {}): result = get_end_user_id_from_request_body( request_body=request_body, request_headers={} ) assert result is None def test_dict_metadata_user_id_returns_none(self): request_body = { "metadata": {"user_id": {"device_id": "abc"}}, } with patch("litellm.proxy.proxy_server.general_settings", {}): result = get_end_user_id_from_request_body( request_body=request_body, request_headers={} ) assert result is None def test_whitespace_user_falls_through(self): request_body = {"user": " ", "safety_identifier": "alice@example.com"} with patch("litellm.proxy.proxy_server.general_settings", {}): result = get_end_user_id_from_request_body( request_body=request_body, request_headers={} ) assert result == "alice@example.com" def test_dict_user_header_falls_through_to_body(self): """A dict-shaped value in a configured user-id header is dropped, not stringified.""" general_settings = {"user_header_name": "x-custom-user-id"} # A header value will normally be a str, but be defensive: the coercion # must drop anything that isn't a usable identifier. headers = {"x-custom-user-id": {"device_id": "abc"}} request_body = {"user": "alice@example.com"} with ( patch( "litellm.proxy.auth.auth_utils._get_customer_id_from_standard_headers", return_value=None, ), patch("litellm.proxy.proxy_server.general_settings", general_settings), ): result = get_end_user_id_from_request_body( request_body=request_body, request_headers=headers ) assert result == "alice@example.com" def _make_deployment_dict( model_name: str, tpm: Optional[int] = None, rpm: Optional[int] = None ) -> dict: """Helper to build a minimal deployment dict as returned by router.get_model_list.""" litellm_params: dict = {"model": model_name} if tpm is not None: litellm_params["default_api_key_tpm_limit"] = tpm if rpm is not None: litellm_params["default_api_key_rpm_limit"] = rpm return {"model_name": model_name, "litellm_params": litellm_params} _ROUTER_PATCH = "litellm.proxy.proxy_server.llm_router" class TestDeploymentDefaultRpmLimit: """Tests for deployment default_api_key_rpm_limit fallback in get_key_model_rpm_limit.""" def test_returns_deployment_default_when_key_has_no_limits(self): """Case 2 from spec: key has no model-specific limits, falls back to deployment default.""" user_api_key_dict = UserAPIKeyAuth(api_key="sk-123") mock_router = MagicMock() mock_router.get_model_list.return_value = [ _make_deployment_dict("model1", rpm=200) ] with patch(_ROUTER_PATCH, mock_router): result = get_key_model_rpm_limit(user_api_key_dict, model_name="model1") assert result == {"model1": 200} def test_key_model_limit_takes_priority_over_deployment_default(self): """Case 1 from spec: key model-specific limit wins over deployment default.""" user_api_key_dict = UserAPIKeyAuth( api_key="sk-123", metadata={"model_rpm_limit": {"model1": 10}}, ) mock_router = MagicMock() mock_router.get_model_list.return_value = [ _make_deployment_dict("model1", rpm=200) ] with patch(_ROUTER_PATCH, mock_router): result = get_key_model_rpm_limit(user_api_key_dict, model_name="model1") assert result == {"model1": 10} def test_returns_none_when_no_deployment_default_and_no_key_limits(self): """Returns None when neither the key nor the deployment has any rpm limit.""" user_api_key_dict = UserAPIKeyAuth(api_key="sk-123") mock_router = MagicMock() mock_router.get_model_list.return_value = [ _make_deployment_dict("model1") # no rpm default ] with patch(_ROUTER_PATCH, mock_router): result = get_key_model_rpm_limit(user_api_key_dict, model_name="model1") assert result is None def test_returns_none_without_model_name_even_when_deployment_has_default(self): """No model_name means deployment fallback is skipped.""" user_api_key_dict = UserAPIKeyAuth(api_key="sk-123") mock_router = MagicMock() mock_router.get_model_list.return_value = [ _make_deployment_dict("model1", rpm=200) ] with patch(_ROUTER_PATCH, mock_router): result = get_key_model_rpm_limit(user_api_key_dict) assert result is None def test_returns_none_when_llm_router_is_none(self): """No router means deployment fallback returns None gracefully.""" user_api_key_dict = UserAPIKeyAuth(api_key="sk-123") with patch(_ROUTER_PATCH, None): result = get_key_model_rpm_limit(user_api_key_dict, model_name="model1") assert result is None def test_returns_minimum_across_multiple_deployments(self): """When multiple deployments share a model name, the minimum rpm limit is used.""" user_api_key_dict = UserAPIKeyAuth(api_key="sk-123") mock_router = MagicMock() mock_router.get_model_list.return_value = [ _make_deployment_dict("model1", rpm=200), _make_deployment_dict("model1", rpm=50), _make_deployment_dict("model1", rpm=150), ] with patch(_ROUTER_PATCH, mock_router): result = get_key_model_rpm_limit(user_api_key_dict, model_name="model1") assert result == {"model1": 50} def test_ignores_deployments_without_default_when_others_have_it(self): """Deployments missing the field are skipped; min is taken over those that have it.""" user_api_key_dict = UserAPIKeyAuth(api_key="sk-123") mock_router = MagicMock() mock_router.get_model_list.return_value = [ _make_deployment_dict("model1"), # no rpm default _make_deployment_dict("model1", rpm=75), ] with patch(_ROUTER_PATCH, mock_router): result = get_key_model_rpm_limit(user_api_key_dict, model_name="model1") assert result == {"model1": 75} def test_skips_deployments_with_malformed_limit_value(self): """Deployments with non-integer-parseable limit values are skipped without raising.""" user_api_key_dict = UserAPIKeyAuth(api_key="sk-123") mock_router = MagicMock() mock_router.get_model_list.return_value = [ { "model_name": "model1", "litellm_params": {"default_api_key_rpm_limit": "not-a-number"}, }, _make_deployment_dict("model1", rpm=100), ] with patch(_ROUTER_PATCH, mock_router): result = get_key_model_rpm_limit(user_api_key_dict, model_name="model1") # The malformed deployment is skipped; the valid one provides 100 assert result == {"model1": 100} class TestDeploymentDefaultTpmLimit: """Tests for deployment default_api_key_tpm_limit fallback in get_key_model_tpm_limit.""" def test_returns_deployment_default_when_key_has_no_limits(self): """Case 2 from spec: key has no model-specific limits, falls back to deployment default.""" user_api_key_dict = UserAPIKeyAuth(api_key="sk-123") mock_router = MagicMock() mock_router.get_model_list.return_value = [ _make_deployment_dict("model1", tpm=100) ] with patch(_ROUTER_PATCH, mock_router): result = get_key_model_tpm_limit(user_api_key_dict, model_name="model1") assert result == {"model1": 100} def test_key_model_limit_takes_priority_over_deployment_default(self): """Case 1 from spec: key model-specific limit wins over deployment default.""" user_api_key_dict = UserAPIKeyAuth( api_key="sk-123", metadata={"model_tpm_limit": {"model1": 20}}, ) mock_router = MagicMock() mock_router.get_model_list.return_value = [ _make_deployment_dict("model1", tpm=100) ] with patch(_ROUTER_PATCH, mock_router): result = get_key_model_tpm_limit(user_api_key_dict, model_name="model1") assert result == {"model1": 20} def test_returns_none_when_no_deployment_default_and_no_key_limits(self): """Returns None when neither the key nor the deployment has any tpm limit.""" user_api_key_dict = UserAPIKeyAuth(api_key="sk-123") mock_router = MagicMock() mock_router.get_model_list.return_value = [ _make_deployment_dict("model1") # no tpm default ] with patch(_ROUTER_PATCH, mock_router): result = get_key_model_tpm_limit(user_api_key_dict, model_name="model1") assert result is None def test_returns_none_without_model_name_even_when_deployment_has_default(self): """No model_name means deployment fallback is skipped.""" user_api_key_dict = UserAPIKeyAuth(api_key="sk-123") mock_router = MagicMock() mock_router.get_model_list.return_value = [ _make_deployment_dict("model1", tpm=100) ] with patch(_ROUTER_PATCH, mock_router): result = get_key_model_tpm_limit(user_api_key_dict) assert result is None def test_returns_none_when_llm_router_is_none(self): """No router means deployment fallback returns None gracefully.""" user_api_key_dict = UserAPIKeyAuth(api_key="sk-123") with patch(_ROUTER_PATCH, None): result = get_key_model_tpm_limit(user_api_key_dict, model_name="model1") assert result is None def test_returns_minimum_across_multiple_deployments(self): """When multiple deployments share a model name, the minimum tpm limit is used.""" user_api_key_dict = UserAPIKeyAuth(api_key="sk-123") mock_router = MagicMock() mock_router.get_model_list.return_value = [ _make_deployment_dict("model1", tpm=1000), _make_deployment_dict("model1", tpm=300), _make_deployment_dict("model1", tpm=700), ] with patch(_ROUTER_PATCH, mock_router): result = get_key_model_tpm_limit(user_api_key_dict, model_name="model1") assert result == {"model1": 300} def test_ignores_deployments_without_default_when_others_have_it(self): """Deployments missing the field are skipped; min is taken over those that have it.""" user_api_key_dict = UserAPIKeyAuth(api_key="sk-123") mock_router = MagicMock() mock_router.get_model_list.return_value = [ _make_deployment_dict("model1"), # no tpm default _make_deployment_dict("model1", tpm=400), ] with patch(_ROUTER_PATCH, mock_router): result = get_key_model_tpm_limit(user_api_key_dict, model_name="model1") assert result == {"model1": 400} class TestGetProjectModelRpmLimit: """Tests for get_project_model_rpm_limit function.""" def test_returns_project_metadata_rpm_limit(self): user_api_key_dict = UserAPIKeyAuth( api_key="sk-123", project_metadata={"model_rpm_limit": {"gpt-4": 200}}, ) result = get_project_model_rpm_limit(user_api_key_dict) assert result == {"gpt-4": 200} def test_returns_none_when_no_project_metadata(self): user_api_key_dict = UserAPIKeyAuth(api_key="sk-123") result = get_project_model_rpm_limit(user_api_key_dict) assert result is None def test_returns_none_when_project_metadata_missing_key(self): user_api_key_dict = UserAPIKeyAuth( api_key="sk-123", project_metadata={"other_key": "value"}, ) result = get_project_model_rpm_limit(user_api_key_dict) assert result is None class TestGetProjectModelTpmLimit: """Tests for get_project_model_tpm_limit function.""" def test_returns_project_metadata_tpm_limit(self): user_api_key_dict = UserAPIKeyAuth( api_key="sk-123", project_metadata={"model_tpm_limit": {"gpt-4": 50000}}, ) result = get_project_model_tpm_limit(user_api_key_dict) assert result == {"gpt-4": 50000} def test_returns_none_when_no_project_metadata(self): user_api_key_dict = UserAPIKeyAuth(api_key="sk-123") result = get_project_model_tpm_limit(user_api_key_dict) assert result is None def test_returns_none_when_project_metadata_missing_key(self): user_api_key_dict = UserAPIKeyAuth( api_key="sk-123", project_metadata={"other_key": "value"}, ) result = get_project_model_tpm_limit(user_api_key_dict) assert result is None class TestCheckCompleteCredentials: """Tests for the api_key validation in check_complete_credentials.""" def test_returns_false_when_api_key_missing(self): result = check_complete_credentials({"model": "gpt-4"}) assert result is False def test_returns_false_when_api_key_is_none(self): result = check_complete_credentials({"model": "gpt-4", "api_key": None}) assert result is False def test_returns_false_when_api_key_is_empty_string(self): result = check_complete_credentials({"model": "gpt-4", "api_key": ""}) assert result is False def test_returns_false_when_api_key_is_whitespace(self): result = check_complete_credentials({"model": "gpt-4", "api_key": " "}) assert result is False def test_returns_true_when_api_key_is_valid(self): result = check_complete_credentials({"model": "gpt-4", "api_key": "sk-valid"}) assert result is True class TestCheckCompleteCredentialsBlocksSSRF: """ Even with credentials supplied, ``api_base`` / ``base_url`` must not point at private / internal / cloud-metadata addresses. Without this the gate accepts ``api_key=anything`` plus a malicious target and the proxy is used as an SSRF pivot. The check only runs when ``litellm.user_url_validation`` is True, so every test in this class flips the toggle. Tests stay mock-only — no real DNS is performed. """ @pytest.fixture(autouse=True) def _enable_url_validation(self, monkeypatch): import litellm monkeypatch.setattr(litellm, "user_url_validation", True, raising=False) @pytest.mark.parametrize( "url_field", ["api_base", "base_url"], ) @pytest.mark.parametrize( "blocked_url", [ "http://169.254.169.254/latest/meta-data/iam/security-credentials/", "http://metadata.google.internal/computeMetadata/v1/", "http://127.0.0.1:8080/admin", "http://10.0.0.1/", "http://192.168.1.1/", ], ) def test_rejects_private_or_metadata_targets(self, url_field, blocked_url): from litellm.litellm_core_utils.url_utils import SSRFError with patch( "litellm.proxy.auth.auth_utils.validate_url", side_effect=SSRFError(f"blocked: {blocked_url}"), ): with pytest.raises(ValueError) as exc_info: check_complete_credentials( { "model": "gpt-4", "api_key": "sk-some-clientside-key", url_field: blocked_url, } ) assert url_field in str(exc_info.value) assert "SSRF" in str(exc_info.value) def test_allows_public_target_when_validate_url_passes(self): # ``validate_url`` is mocked so no real DNS is performed. with patch( "litellm.proxy.auth.auth_utils.validate_url", return_value=("https://api.openai.com/v1", "api.openai.com"), ): result = check_complete_credentials( { "model": "gpt-4", "api_key": "sk-some-clientside-key", "api_base": "https://api.openai.com/v1", } ) assert result is True def test_skips_url_validation_when_toggle_is_off(self, monkeypatch): # Admins who disable ``user_url_validation`` (default) should not # have requests rejected at the proxy boundary even if the URL # would fail the SSRF guard. import litellm monkeypatch.setattr(litellm, "user_url_validation", False, raising=False) with patch( "litellm.proxy.auth.auth_utils.validate_url", ) as mocked: result = check_complete_credentials( { "model": "gpt-4", "api_key": "sk-some-clientside-key", "api_base": "http://127.0.0.1:8080/admin", } ) assert result is True mocked.assert_not_called() class TestGetDynamicLitellmParamsClearsAdminConfigOnBaseOverride: """ When the caller redirects ``api_base`` / ``base_url`` to their own server, admin-set fields like ``OpenAI-Organization``, ``extra_body``, AWS / Vertex / Azure tokens, and per-deployment ``api_version`` must NOT flow through to that destination. """ def test_clears_admin_organization_and_extra_body_on_base_override(self): from litellm.router_utils.clientside_credential_handler import ( get_dynamic_litellm_params, ) admin_params = { "model": "gpt-4", "api_key": "sk-admin-key", "api_base": "https://admin.upstream/v1", "organization": "org-admin-corp", "extra_body": {"x-admin-secret": "super-secret"}, "api_version": "2026-04-01", } out = get_dynamic_litellm_params( litellm_params=dict(admin_params), request_kwargs={ "api_key": "sk-attacker", "api_base": "https://attacker.example", }, ) assert out["api_base"] == "https://attacker.example" assert out["api_key"] == "sk-attacker" assert "organization" not in out assert "extra_body" not in out assert "api_version" not in out def test_clears_aws_and_vertex_secrets_on_base_override(self): from litellm.router_utils.clientside_credential_handler import ( get_dynamic_litellm_params, ) admin_params = { "model": "bedrock/claude-3", "aws_access_key_id": "AKIA-EXAMPLE", "aws_secret_access_key": "secret-example", "aws_session_token": "session-example", "vertex_credentials": '{"private_key":"-----BEGIN..."}', "vertex_project": "admin-gcp-project", } out = get_dynamic_litellm_params( litellm_params=dict(admin_params), request_kwargs={"base_url": "https://attacker.example"}, ) assert "aws_access_key_id" not in out assert "aws_secret_access_key" not in out assert "aws_session_token" not in out assert "vertex_credentials" not in out assert "vertex_project" not in out def test_caller_resupplied_value_overrides_admin_value_on_base_override(self): # When the caller redirects ``api_base`` and *also* supplies their # own value for one of the admin fields (e.g. ``organization``), # the caller's value must win — never the admin's. The naive # ``if field not in request_kwargs: pop`` shape lets a caller echo # the field name with any value (or empty string) to keep the # admin's value forwarded, which is the exfiltration vector this # test guards against. from litellm.router_utils.clientside_credential_handler import ( get_dynamic_litellm_params, ) out = get_dynamic_litellm_params( litellm_params={ "api_base": "https://admin.upstream/v1", "organization": "org-admin", "extra_body": {"admin": "value"}, }, request_kwargs={ "api_base": "https://attacker.example", "organization": "org-attacker", "extra_body": {"attacker": "value"}, }, ) assert out["organization"] == "org-attacker" assert out["extra_body"] == {"attacker": "value"} def test_field_echo_does_not_preserve_admin_value(self): # Regression: a caller that echoes an admin-config field name with # an *empty* value (or any value) must not be able to keep the # admin's value in ``litellm_params``. from litellm.router_utils.clientside_credential_handler import ( get_dynamic_litellm_params, ) out = get_dynamic_litellm_params( litellm_params={ "api_base": "https://admin.upstream/v1", "organization": "org-admin-secret", "extra_body": {"x-admin-only": "secret"}, }, request_kwargs={ "api_base": "https://attacker.example", "organization": "", "extra_body": "", }, ) assert out["organization"] == "" assert out["extra_body"] == "" assert "org-admin-secret" not in str(out) def test_no_clearing_when_only_api_key_overridden(self): from litellm.router_utils.clientside_credential_handler import ( get_dynamic_litellm_params, ) # Caller only overrides api_key (BYOK pattern); admin's organization / # extra_body / region still apply because the destination is unchanged. out = get_dynamic_litellm_params( litellm_params={ "api_base": "https://admin.upstream/v1", "organization": "org-admin", "api_version": "2026-04-01", }, request_kwargs={"api_key": "sk-byok"}, ) assert out["organization"] == "org-admin" assert out["api_version"] == "2026-04-01" assert out["api_base"] == "https://admin.upstream/v1" class TestIsRequestBodySafeBlocksEndpointTargetingFields: """ ``is_request_body_safe`` rejects request-body fields that retarget the outbound request to a caller-controlled host. Beyond the original ``api_base`` / ``base_url``, the same protection must apply to: * ``aws_bedrock_runtime_endpoint`` — Bedrock endpoint redirect; an attacker-controlled value coerces the proxy to authenticate against their host with the admin's AWS creds. * ``langsmith_base_url`` — Langsmith callback host; attacker-controlled values exfiltrate the entire request payload (incl. message content) via the observability hook. * ``langfuse_host`` — same exfil vector via the Langfuse hook. """ @pytest.fixture(autouse=True) def _disable_url_validation(self, monkeypatch): # The new banned-params entries should be rejected even when # ``user_url_validation`` is off — the gate isn't the URL guard, # it's the banned-params list. import litellm monkeypatch.setattr(litellm, "user_url_validation", False, raising=False) @pytest.mark.parametrize( "field", [ "aws_bedrock_runtime_endpoint", "langsmith_base_url", "langfuse_host", "posthog_host", "braintrust_host", "slack_webhook_url", "s3_endpoint_url", "sagemaker_base_url", "deployment_url", ], ) def test_endpoint_targeting_field_in_request_body_is_rejected(self, field): with pytest.raises(ValueError) as exc: is_request_body_safe( request_body={"model": "gpt-4", field: "https://attacker.example"}, general_settings={}, llm_router=None, model="gpt-4", ) # The function lists the offending param name in the error. assert field in str(exc.value) @pytest.mark.parametrize( "field", ["api_base", "base_url", "user_config", "langfuse_host", "slack_webhook_url"], ) def test_api_key_does_not_bypass_blocklist(self, field): # Regression: the historical ``check_complete_credentials`` clause # made the entire blocklist a no-op for any caller that supplied # a non-empty ``api_key``. That bypass turned every missing entry # on the blocklist into an SSRF / credential-exfil hole. Verify # that supplying an api_key (alongside the banned param) does NOT # bypass the gate — it can only be opened by an admin opt-in. with pytest.raises(ValueError) as exc: is_request_body_safe( request_body={ "model": "gpt-4", "api_key": "sk-anything", field: "https://attacker.example", }, general_settings={}, llm_router=None, model="gpt-4", ) assert field in str(exc.value) def test_admin_opt_in_proxy_wide_still_allows(self): # ``general_settings.allow_client_side_credentials = True`` remains # the documented proxy-wide BYOK opt-in. assert ( is_request_body_safe( request_body={"model": "gpt-4", "api_base": "https://my-byok.example"}, general_settings={"allow_client_side_credentials": True}, llm_router=None, model="gpt-4", ) is True ) # ── is_request_body_safe nested-config recursion (VERIA-6) ──────────────────── class TestIsRequestBodySafeNestedConfig: """The Milvus vector store transformer unpacks ``litellm_embedding_config`` as ``**kwargs`` into ``litellm.embedding(...)`` — same SSRF / credential-exfil surface as a top-level ``api_base`` in the request body. ``is_request_body_safe`` must recurse into this nested dict so a banned param can't be smuggled in via nesting.""" def test_root_level_api_base_blocked_when_no_opt_in(self): """Sanity check: pre-existing root-level enforcement still works.""" with pytest.raises(ValueError, match="api_base"): is_request_body_safe( request_body={"api_base": "https://attacker.example.com"}, general_settings={}, llm_router=None, model="gpt-4", ) def test_nested_api_base_in_embedding_config_blocked(self): """Smuggling ``api_base`` inside ``litellm_embedding_config`` is the VERIA-6 bypass — must be blocked by the recursive check.""" with pytest.raises(ValueError, match="api_base"): is_request_body_safe( request_body={ "litellm_embedding_config": { "api_base": "https://attacker.example.com", "api_key": "leaked-key", } }, general_settings={}, llm_router=None, model="milvus-store", ) def test_nested_langfuse_host_in_embedding_config_blocked(self): """The recursion uses the *full* banned-param list, not a special subset — so any flag that's banned at the root is also banned when nested.""" with pytest.raises(ValueError, match="langfuse_host"): is_request_body_safe( request_body={ "litellm_embedding_config": { "langfuse_host": "https://attacker.example.com" } }, general_settings={}, llm_router=None, model="milvus-store", ) def test_nested_api_base_allowed_when_admin_opts_in(self): """Admins who explicitly enable client-side credential passthrough keep the existing escape hatch — same UX as for root-level.""" assert ( is_request_body_safe( request_body={ "litellm_embedding_config": { "api_base": "https://my-azure.example.com" } }, general_settings={"allow_client_side_credentials": True}, llm_router=None, model="milvus-store", ) is True ) def test_safe_nested_config_accepted(self): """A nested config without any banned params passes — there's no false-positive on legitimate ``api_version`` / model params.""" assert ( is_request_body_safe( request_body={ "litellm_embedding_config": { "api_version": "2024-02-15-preview", } }, general_settings={}, llm_router=None, model="milvus-store", ) is True ) def test_non_dict_nested_config_does_not_break_check(self): """A bogus type for ``litellm_embedding_config`` (string, list, None) must not crash the validator — it should just fall through.""" assert ( is_request_body_safe( request_body={"litellm_embedding_config": "not-a-dict"}, general_settings={}, llm_router=None, model="x", ) is True ) def test_deeply_nested_config_does_not_recurse(self): """Greptile P1: ``is_request_body_safe`` is iterative single-level — a deeply-nested ``litellm_embedding_config`` cannot exhaust the Python call stack to trigger a 500 ``RecursionError``. Build a body 1000 levels deep; the validator must complete in O(1) descent.""" body = {"litellm_embedding_config": {}} cur = body["litellm_embedding_config"] for _ in range(1000): cur["litellm_embedding_config"] = {} cur = cur["litellm_embedding_config"] # Banned param at the deepest level shouldn't be reached — single # level only. cur["api_base"] = "https://attacker.example.com" # No exception raised: deeper levels aren't checked. assert ( is_request_body_safe( request_body=body, general_settings={}, llm_router=None, model="x", ) is True ) # ── observability-callback ban (root + metadata) ─────────────────────────── class TestObservabilityCallbackBans: """The proxy must reject observability credentials, hosts, and project identifiers regardless of whether they arrive at the request body root, in ``metadata`` / ``litellm_metadata``, or in a JSON-string-encoded metadata blob (multipart/``extra_body`` path). The ban list is derived from ``litellm.litellm_core_utils.initialize_dynamic_callback_params._supported_callback_params`` minus a small ``_SAFE_CLIENT_CALLBACK_PARAMS`` allow-list, plus ``_EXTRA_BANNED_OBSERVABILITY_PARAMS`` for fields integrations read but that are not yet in the canonical allow-list. The derivation keeps the proxy in sync as new integrations are added. """ @pytest.fixture(autouse=True) def _disable_url_validation(self, monkeypatch): import litellm monkeypatch.setattr(litellm, "user_url_validation", False, raising=False) @pytest.mark.parametrize( "field", [ "langfuse_public_key", "langfuse_secret", "langfuse_secret_key", "langsmith_api_key", "langsmith_project", "langsmith_tenant_id", "arize_api_key", "arize_space_key", "arize_space_id", "posthog_api_key", "posthog_api_url", "braintrust_api_key", "braintrust_project", "phoenix_project_name", "phoenix_project_name_override", "wandb_api_key", "weave_project_id", "gcs_bucket_name", "gcs_path_service_account", "humanloop_api_key", "lunary_public_key", ], ) def test_observability_field_in_request_body_root_is_rejected(self, field): with pytest.raises(ValueError) as exc: is_request_body_safe( request_body={"model": "gpt-4", field: "attacker-value"}, general_settings={}, llm_router=None, model="gpt-4", ) assert field in str(exc.value) @pytest.mark.parametrize( "metadata_key", ["metadata", "litellm_metadata"], ) @pytest.mark.parametrize( "field", [ "langfuse_host", "langfuse_secret_key", "langsmith_api_key", "posthog_api_url", "braintrust_project", "phoenix_project_name", "phoenix_project_name_override", ], ) def test_observability_field_in_metadata_dict_is_rejected( self, metadata_key, field ): # Verifies the metadata walk: a value smuggled inside ``metadata`` # or ``litellm_metadata`` is just as dangerous as the same field # at the body root, and must hit the same gate. with pytest.raises(ValueError) as exc: is_request_body_safe( request_body={ "model": "gpt-4", metadata_key: {field: "attacker-value"}, }, general_settings={}, llm_router=None, model="gpt-4", ) assert field in str(exc.value) @pytest.mark.parametrize( "metadata_key", ["metadata", "litellm_metadata"], ) def test_observability_field_in_json_string_metadata_is_rejected( self, metadata_key ): # Multipart/form-data and ``extra_body`` callers send metadata as a # JSON-encoded string. The bouncer parses it before applying the # banned-params check so the JSON-string path can't smuggle past # the ``isinstance(dict)`` guard. import json with pytest.raises(ValueError) as exc: is_request_body_safe( request_body={ "model": "gpt-4", metadata_key: json.dumps( {"langfuse_host": "https://attacker.example"} ), }, general_settings={}, llm_router=None, model="gpt-4", ) assert "langfuse_host" in str(exc.value) def test_admin_opt_in_allows_metadata_credential_passthrough(self): # The opt-in gate covers the metadata path the same way it covers # the root path — operators running BYO observability with # clientside creds flip a single flag and both paths work. assert ( is_request_body_safe( request_body={ "model": "gpt-4", "metadata": { "langfuse_host": "https://my-langfuse.example", "langfuse_public_key": "pk-mine", "langfuse_secret_key": "sk-mine", }, }, general_settings={"allow_client_side_credentials": True}, llm_router=None, model="gpt-4", ) is True ) def test_safe_per_request_observability_metadata_is_allowed(self): # Informational fields (sampling rate, prompt version) describe # the request being logged — they don't choose the destination or # credentials, so they must remain accepted from clients without # the opt-in flag. assert ( is_request_body_safe( request_body={ "model": "gpt-4", "metadata": { "langfuse_prompt_version": "v2", "langsmith_sampling_rate": 0.1, }, }, general_settings={}, llm_router=None, model="gpt-4", ) is True ) def test_model_level_allow_does_not_skip_subsequent_banned_params(monkeypatch): """Greptile P1: ``_check_banned_params`` previously ``return``-ed when a deployment's ``configurable_clientside_auth_params`` permitted one banned field, exiting before any later banned field in the same body was checked. The metadata walk this PR adds multiplies the surface where that bypass matters: a body pairing a model-level-allowed ``api_base`` with an observability credential like ``langfuse_host`` must still reject on the second field, not silently pass.""" from litellm.proxy.auth import auth_utils monkeypatch.setattr( auth_utils, "_allow_model_level_clientside_configurable_parameters", lambda model, param, request_body_value, llm_router: param == "api_base", ) with pytest.raises(ValueError) as exc: is_request_body_safe( request_body={ "model": "gpt-4", "api_base": "https://allowed-by-deployment.example", "langfuse_host": "https://attacker.example", }, general_settings={}, llm_router=None, model="gpt-4", ) assert "langfuse_host" in str(exc.value) def test_observability_ban_covers_canonical_supported_callback_params(): """Guard test: every entry in the canonical ``_supported_callback_params`` allow-list must end up either banned by the proxy or explicitly safe-listed. New integrations added to that list are banned by default (the safe failure mode); flagging them as safe is an explicit decision recorded in ``_SAFE_CLIENT_CALLBACK_PARAMS``.""" from litellm.litellm_core_utils.initialize_dynamic_callback_params import ( _request_blocked_callback_params, _supported_callback_params, ) from litellm.proxy.auth.auth_utils import ( _BANNED_REQUEST_BODY_PARAMS, _SAFE_CLIENT_CALLBACK_PARAMS, ) banned = set(_BANNED_REQUEST_BODY_PARAMS) for param in _supported_callback_params: assert param in banned or param in _SAFE_CLIENT_CALLBACK_PARAMS, ( f"{param} is in _supported_callback_params but neither banned nor " f"safe-listed. Add it to _SAFE_CLIENT_CALLBACK_PARAMS if it is an " f"informational per-request field; otherwise the derivation will " f"ban it automatically." ) for param in _request_blocked_callback_params: assert param in banned, ( f"{param} is in _request_blocked_callback_params but is not banned " "at the proxy request-body boundary." ) # ── pricing injection (global model cost registry poisoning) ────────────────── class TestPricingInjectionBlocked: """Authenticated clients must not be able to mutate the global litellm.model_cost registry by supplying pricing fields in the request body. Any CustomPricingLiteLLMParams field (input_cost_per_token etc.) passed to completion() is forwarded to register_model(), which overwrites the shared global dict for ALL users on the instance. Fix: all CustomPricingLiteLLMParams fields are in _BANNED_REQUEST_BODY_PARAMS, so is_request_body_safe() rejects them before they reach completion(). """ @pytest.mark.parametrize( "field,value", [ ("input_cost_per_token", -0.01), ("output_cost_per_token", 0.0), ("input_cost_per_second", 999.0), ("output_cost_per_second", -1.0), ("cache_read_input_token_cost", 0.0), ("cache_creation_input_token_cost", -0.05), ], ) def test_pricing_field_rejected_by_default(self, field, value): with pytest.raises(ValueError) as exc: is_request_body_safe( request_body={"model": "gpt-4", field: value}, general_settings={}, llm_router=None, model="gpt-4", ) assert field in str(exc.value) def test_all_custom_pricing_fields_are_banned(self): from litellm.proxy.auth.auth_utils import _BANNED_REQUEST_BODY_PARAMS from litellm.types.utils import CustomPricingLiteLLMParams banned = set(_BANNED_REQUEST_BODY_PARAMS) for field in CustomPricingLiteLLMParams.model_fields: assert field in banned, ( f"CustomPricingLiteLLMParams.{field} is not in " "_BANNED_REQUEST_BODY_PARAMS — clients can poison the global " "model cost registry by supplying it in the request body." ) def test_pricing_field_allowed_with_admin_opt_in(self): assert ( is_request_body_safe( request_body={"model": "gpt-4", "input_cost_per_token": 0.00001}, general_settings={"allow_client_side_credentials": True}, llm_router=None, model="gpt-4", ) is True ) class TestGetRequestRouteTemplate: """get_request_route_template returns the low-cardinality FastAPI route template (e.g. /v1/threads/{thread_id}/runs) for http.route, distinct from the literal url.path. None when unavailable.""" def _request(self, scope): req = MagicMock() req.scope = scope return req def test_returns_route_template(self): route = MagicMock() route.path = "/v1/threads/{thread_id}/runs" req = self._request({"route": route, "path": "/v1/threads/abc123/runs"}) # template, not the literal path — two thread IDs share this value assert get_request_route_template(req) == "/v1/threads/{thread_id}/runs" def test_scope_not_dict_returns_none(self): assert get_request_route_template(self._request("not-a-dict")) is None def test_no_route_in_scope_returns_none(self): assert get_request_route_template(self._request({"path": "/x"})) is None def test_route_without_str_path_returns_none(self): route = MagicMock() route.path = 12345 # not a str assert get_request_route_template(self._request({"route": route})) is None def test_route_with_empty_path_returns_none(self): route = MagicMock() route.path = "" assert get_request_route_template(self._request({"route": route})) is None def test_exception_returns_none(self): req = MagicMock() type(req).scope = property( lambda self: (_ for _ in ()).throw(RuntimeError("boom")) ) assert get_request_route_template(req) is None