[Feat SSO] Add LiteLLM SCIM Integration for Team and User management (#10072)

* fix NewUser response type * add scim router * add v0 scim v2 endpoints * working scim transformation * use 1 file for types * fix scim firstname and givenName storage * working SCIMErrorResponse * working team / group provisioning on SCIM * add SCIMPatchOp * move scim folder * fix import scim_router * fix dont auto create scim keys * add auth on all scim endpoints * add is_virtual_key_allowed_to_call_route * fix allowed routes * fix for key management * fix allowed routes check * clean up error message * fix code check * fix for route checks * ui SCIM support * add UI tab for SCIM * fixes SCIM * fixes for SCIM settings on ui * scim settings * clean up scim view * add migration for allowed_routes in keys table * refactor scim transform * fix SCIM linting error * fix code quality check * fix ui linting * test_scim_transformations.py
2025-04-26 03:04:13 +00:00 · 2025-04-16 19:21:47 -07:00 · 2025-04-16 19:21:47 -07:00 · 6220f3e7b8
commit 6220f3e7b8
parent 7ca553b235
19 changed files with 2512 additions and 131 deletions
--- a/litellm/proxy/auth/route_checks.py
+++ b/litellm/proxy/auth/route_checks.py
@ -16,6 +16,37 @@ from .auth_checks_organization import _user_is_org_admin


 class RouteChecks:
+    @staticmethod
+    def is_virtual_key_allowed_to_call_route(
+        route: str, valid_token: UserAPIKeyAuth
+    ) -> bool:
+        """
+        Raises Exception if Virtual Key is not allowed to call the route
+        """
+
+        # Only check if valid_token.allowed_routes is set and is a list with at least one item
+        if valid_token.allowed_routes is None:
+            return True
+        if not isinstance(valid_token.allowed_routes, list):
+            return True
+        if len(valid_token.allowed_routes) == 0:
+            return True
+
+        # explicit check for allowed routes
+        if route in valid_token.allowed_routes:
+            return True
+
+        # check if wildcard pattern is allowed
+        for allowed_route in valid_token.allowed_routes:
+            if RouteChecks._route_matches_wildcard_pattern(
+                route=route, pattern=allowed_route
+            ):
+                return True
+
+        raise Exception(
+            f"Virtual key is not allowed to call this route. Only allowed to call routes: {valid_token.allowed_routes}. Tried to call route: {route}"
+        )
+
    @staticmethod
    def non_proxy_admin_allowed_routes_check(
        user_obj: Optional[LiteLLM_UserTable],
@ -220,6 +251,35 @@ class RouteChecks:
            return True
        return False

+    @staticmethod
+    def _route_matches_wildcard_pattern(route: str, pattern: str) -> bool:
+        """
+        Check if route matches the wildcard pattern
+
+        eg.
+
+        pattern: "/scim/v2/*"
+        route: "/scim/v2/Users"
+        - returns: True
+
+        pattern: "/scim/v2/*"
+        route: "/chat/completions"
+        - returns: False
+
+
+        pattern: "/scim/v2/*"
+        route: "/scim/v2/Users/123"
+        - returns: True
+
+        """
+        if pattern.endswith("*"):
+            # Get the prefix (everything before the wildcard)
+            prefix = pattern[:-1]
+            return route.startswith(prefix)
+        else:
+            # If there's no wildcard, the pattern and route should match exactly
+            return route == pattern
+
    @staticmethod
    def check_route_access(route: str, allowed_routes: List[str]) -> bool:
        """