Mirror of https://github.com/BerriAI/litellm.git (synced 2025-04-26 03:04:13 +00:00)
LiteLLM Minor Fixes & Improvements (11/29/2024) (#6965)
* fix(factory.py): ensure tool call converts image url. Fixes https://github.com/BerriAI/litellm/issues/6953
* fix(transformation.py): support mp4 + pdf url's for vertex ai. Fixes https://github.com/BerriAI/litellm/issues/6936
* fix(http_handler.py): mask gemini api key in error logs (see the sketch after this list). Fixes https://github.com/BerriAI/litellm/issues/6963
* docs(prometheus.md): update prometheus FAQs
* feat(auth_checks.py): ensure specific model access > wildcard model access; if wildcard model is in access group, but specific model is not - deny access
* fix(auth_checks.py): handle auth checks for team based model access groups; handles scenario where model access group used for wildcard models
* fix(internal_user_endpoints.py): support adding guardrails on `/user/update`. Fixes https://github.com/BerriAI/litellm/issues/6942
* fix(key_management_endpoints.py): fix prepare_metadata_fields helper
* fix: fix tests
* build(requirements.txt): bump openai dep version; fixes proxies argument
* test: fix tests
* fix(http_handler.py): fix error message masking
* fix(bedrock_guardrails.py): pass in prepped data
* test: fix test
* test: fix nvidia nim test
* fix(http_handler.py): return original response headers
* fix: revert maskedhttpstatuserror
* test: update tests
* test: cleanup test
* fix(key_management_endpoints.py): fix metadata field update logic
* fix(key_management_endpoints.py): maintain initial order of guardrails in key update
* fix(key_management_endpoints.py): handle prepare metadata
* fix: fix linting errors
* fix: fix linting errors
* fix: fix linting errors
* fix: fix key management errors
* fix(key_management_endpoints.py): update metadata
* test: update test
* refactor: add more debug statements
* test: skip flaky test
* test: fix test
* fix: fix test
* fix: fix update metadata logic
* fix: fix test
* ci(config.yml): change db url for e2e ui testing
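One item above, masking the Gemini API key in error logs, is easy to illustrate. The sketch below is not the LiteLLM `http_handler.py` code; the helper name is made up, and it only shows the general idea of redacting a `key=` query parameter before a URL reaches an error message.

```python
# Illustrative sketch only (hypothetical helper, not LiteLLM's http_handler.py):
# redact the value of a `key=` query parameter before the URL is logged.
import re


def mask_api_key_in_url(url: str) -> str:
    return re.sub(r"(key=)[^&]+", r"\g<1>********", url)


print(mask_api_key_in_url(
    "https://generativelanguage.googleapis.com/v1beta/models/"
    "gemini-pro:generateContent?key=AIzaSy-example"
))
# -> ...gemini-pro:generateContent?key=********
```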
Parent commit: bd59f18809
This commit: 859b47f08b
37 changed files with 1040 additions and 714 deletions. Only the auth-check hunks (from `auth_checks.py`, per the commit message) are shown below.
@@ -60,6 +60,7 @@ def common_checks(  # noqa: PLR0915
     global_proxy_spend: Optional[float],
     general_settings: dict,
     route: str,
+    llm_router: Optional[litellm.Router],
 ) -> bool:
     """
     Common checks across jwt + key-based auth.
@@ -97,7 +98,12 @@ def common_checks(  # noqa: PLR0915
             # this means the team has access to all models on the proxy
             pass
         # check if the team model is an access_group
-        elif model_in_access_group(_model, team_object.models) is True:
+        elif (
+            model_in_access_group(
+                model=_model, team_models=team_object.models, llm_router=llm_router
+            )
+            is True
+        ):
             pass
         elif _model and "*" in _model:
             pass
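To make the team-model check above concrete, here is a minimal, self-contained sketch of the idea (not the LiteLLM implementation; the function and group names are invented): a team's `models` list may contain concrete model names or access-group names, and a request is allowed if the requested model matches directly or falls inside one of the named groups.

```python
# Minimal sketch of the team-model check (hypothetical helper, not LiteLLM code).
from typing import Dict, List, Optional


def team_can_call_model(
    requested_model: str,
    team_models: Optional[List[str]],
    access_groups: Dict[str, List[str]],  # access-group name -> models in that group
) -> bool:
    if not team_models:
        # assumption for this sketch: no list means no restriction
        return True
    if requested_model in team_models:
        return True
    # entries that name an access group grant access to every model in that group
    for entry in team_models:
        if requested_model in access_groups.get(entry, []):
            return True
    return False


groups = {"prod-models": ["gpt-4o", "claude-3-5-sonnet"]}  # made-up group
print(team_can_call_model("gpt-4o", ["prod-models"], groups))   # True
print(team_can_call_model("o1-mini", ["prod-models"], groups))  # False
```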
@@ -373,36 +379,33 @@ async def get_end_user_object(
     return None


-def model_in_access_group(model: str, team_models: Optional[List[str]]) -> bool:
+def model_in_access_group(
+    model: str, team_models: Optional[List[str]], llm_router: Optional[litellm.Router]
+) -> bool:
     from collections import defaultdict

-    from litellm.proxy.proxy_server import llm_router
-
     if team_models is None:
         return True
     if model in team_models:
         return True

-    access_groups = defaultdict(list)
+    access_groups: dict[str, list[str]] = defaultdict(list)
     if llm_router:
-        access_groups = llm_router.get_model_access_groups()
+        access_groups = llm_router.get_model_access_groups(model_name=model)

-    models_in_current_access_groups = []
     if len(access_groups) > 0:  # check if token contains any model access groups
         for idx, m in enumerate(
             team_models
         ):  # loop token models, if any of them are an access group add the access group
             if m in access_groups:
-                # if it is an access group we need to remove it from valid_token.models
-                models_in_group = access_groups[m]
-                models_in_current_access_groups.extend(models_in_group)
+                return True

     # Filter out models that are access_groups
     filtered_models = [m for m in team_models if m not in access_groups]
-    filtered_models += models_in_current_access_groups

     if model in filtered_models:
         return True

     return False
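The `model_name=model` argument added above is what enforces the "specific model access beats wildcard access" behavior from the commit message: the router only reports access groups that actually contain the requested model, so a group membership no longer counts for models outside the group. The sketch below uses a hypothetical `FakeRouter` stand-in; only the `get_model_access_groups(model_name=...)` call shape is taken from the diff, and the filtering behavior shown is an assumption for illustration.

```python
# Hypothetical stand-in router (not a LiteLLM class) to illustrate model_name filtering.
from typing import Dict, List, Optional


class FakeRouter:
    def __init__(self, groups: Dict[str, List[str]]):
        self._groups = groups

    def get_model_access_groups(
        self, model_name: Optional[str] = None
    ) -> Dict[str, List[str]]:
        if model_name is None:
            return dict(self._groups)
        # only return groups that actually contain the requested model
        return {g: ms for g, ms in self._groups.items() if model_name in ms}


router = FakeRouter({"beta-models": ["gpt-4o-mini"]})  # made-up access group

# For a team whose models list is ["beta-models"]:
print(router.get_model_access_groups(model_name="gpt-4o-mini"))  # {'beta-models': ['gpt-4o-mini']} -> allowed
print(router.get_model_access_groups(model_name="gpt-4o"))       # {} -> falls through and is denied
```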
@@ -523,10 +526,6 @@ async def _cache_management_object(
     proxy_logging_obj: Optional[ProxyLogging],
 ):
     await user_api_key_cache.async_set_cache(key=key, value=value)
-    if proxy_logging_obj is not None:
-        await proxy_logging_obj.internal_usage_cache.dual_cache.async_set_cache(
-            key=key, value=value
-        )


 async def _cache_team_object(
@@ -878,7 +877,10 @@ async def get_org_object(


 async def can_key_call_model(
-    model: str, llm_model_list: Optional[list], valid_token: UserAPIKeyAuth
+    model: str,
+    llm_model_list: Optional[list],
+    valid_token: UserAPIKeyAuth,
+    llm_router: Optional[litellm.Router],
 ) -> Literal[True]:
     """
     Checks if token can call a given model
@@ -898,35 +900,29 @@ async def can_key_call_model(
     )
     from collections import defaultdict

-    from litellm.proxy.proxy_server import llm_router
-
     access_groups = defaultdict(list)
     if llm_router:
-        access_groups = llm_router.get_model_access_groups()
+        access_groups = llm_router.get_model_access_groups(model_name=model)

-    models_in_current_access_groups = []
-    if len(access_groups) > 0:  # check if token contains any model access groups
+    if (
+        len(access_groups) > 0 and llm_router is not None
+    ):  # check if token contains any model access groups
         for idx, m in enumerate(
             valid_token.models
         ):  # loop token models, if any of them are an access group add the access group
             if m in access_groups:
-                # if it is an access group we need to remove it from valid_token.models
-                models_in_group = access_groups[m]
-                models_in_current_access_groups.extend(models_in_group)
+                return True

     # Filter out models that are access_groups
     filtered_models = [m for m in valid_token.models if m not in access_groups]

-    filtered_models += models_in_current_access_groups
     verbose_proxy_logger.debug(f"model: {model}; allowed_models: {filtered_models}")

     all_model_access: bool = False

     if (
-        len(filtered_models) == 0
-        or "*" in filtered_models
-        or "openai/*" in filtered_models
-    ):
+        len(filtered_models) == 0 and len(valid_token.models) == 0
+    ) or "*" in filtered_models:
         all_model_access = True

     if model is not None and model not in filtered_models and all_model_access is False:
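The last change in this hunk tightens the blanket-access condition. As a condensed restatement (a sketch, not the LiteLLM source): an empty filtered list only grants access to everything when the key itself lists no models, and a provider wildcard such as `openai/*` no longer short-circuits the check on its own.

```python
# Condensed restatement of the all_model_access condition change (sketch only).
from typing import List


def all_model_access_old(filtered_models: List[str]) -> bool:
    return (
        len(filtered_models) == 0
        or "*" in filtered_models
        or "openai/*" in filtered_models
    )


def all_model_access_new(filtered_models: List[str], token_models: List[str]) -> bool:
    return (
        len(filtered_models) == 0 and len(token_models) == 0
    ) or "*" in filtered_models


print(all_model_access_old([]))                          # True
print(all_model_access_new([], ["openai/gpt-4o"]))       # False: key has models, so no blanket access
print(all_model_access_old(["openai/*"]))                # True
print(all_model_access_new(["openai/*"], ["openai/*"]))  # False under the new predicate
```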