feat(lakera_ai.py): support lakera custom thresholds + custom api base

Allows user to configure thresholds to trigger prompt injection rejections
2024-08-06 15:21:45 -07:00 · 2024-08-06 15:21:45 -07:00 · 0e222cf76b
commit 0e222cf76b
parent 533426e876
4 changed files with 197 additions and 30 deletions
--- a/enterprise/enterprise_hooks/lakera_ai.py
+++ b/enterprise/enterprise_hooks/lakera_ai.py
@ -16,7 +16,7 @@ from litellm.proxy._types import UserAPIKeyAuth
 from litellm.integrations.custom_logger import CustomLogger
 from fastapi import HTTPException
 from litellm._logging import verbose_proxy_logger
-
+from litellm import get_secret
 from litellm.proxy.guardrails.guardrail_helpers import should_proceed_based_on_metadata
 from litellm.types.guardrails import Role, GuardrailItem, default_roles

@ -24,7 +24,7 @@ from litellm._logging import verbose_proxy_logger
 from litellm.llms.custom_httpx.http_handler import AsyncHTTPHandler
 import httpx
 import json
-
+from typing import TypedDict

 litellm.set_verbose = True

@ -37,18 +37,83 @@ INPUT_POSITIONING_MAP = {
 }


+class LakeraCategories(TypedDict, total=False):
+    jailbreak: float
+    prompt_injection: float
+
+
 class _ENTERPRISE_lakeraAI_Moderation(CustomLogger):
    def __init__(
-        self, moderation_check: Literal["pre_call", "in_parallel"] = "in_parallel"
+        self,
+        moderation_check: Literal["pre_call", "in_parallel"] = "in_parallel",
+        category_thresholds: Optional[LakeraCategories] = None,
+        api_base: Optional[str] = None,
    ):
        self.async_handler = AsyncHTTPHandler(
            timeout=httpx.Timeout(timeout=600.0, connect=5.0)
        )
        self.lakera_api_key = os.environ["LAKERA_API_KEY"]
        self.moderation_check = moderation_check
-        pass
+        self.category_thresholds = category_thresholds
+        self.api_base = (
+            api_base or get_secret("LAKERA_API_BASE") or "https://api.lakera.ai"
+        )

    #### CALL HOOKS - proxy only ####
+    def _check_response_flagged(self, response: dict) -> None:
+        print("Received response - {}".format(response))
+        _results = response.get("results", [])
+        if len(_results) <= 0:
+            return
+
+        flagged = _results[0].get("flagged", False)
+        category_scores: Optional[dict] = _results[0].get("category_scores", None)
+
+        if self.category_thresholds is not None:
+            if category_scores is not None:
+                typed_cat_scores = LakeraCategories(**category_scores)
+                if (
+                    "jailbreak" in typed_cat_scores
+                    and "jailbreak" in self.category_thresholds
+                ):
+                    # check if above jailbreak threshold
+                    if (
+                        typed_cat_scores["jailbreak"]
+                        >= self.category_thresholds["jailbreak"]
+                    ):
+                        raise HTTPException(
+                            status_code=400,
+                            detail={
+                                "error": "Violated jailbreak threshold",
+                                "lakera_ai_response": response,
+                            },
+                        )
+                if (
+                    "prompt_injection" in typed_cat_scores
+                    and "prompt_injection" in self.category_thresholds
+                ):
+                    if (
+                        typed_cat_scores["prompt_injection"]
+                        >= self.category_thresholds["prompt_injection"]
+                    ):
+                        raise HTTPException(
+                            status_code=400,
+                            detail={
+                                "error": "Violated prompt_injection threshold",
+                                "lakera_ai_response": response,
+                            },
+                        )
+        elif flagged is True:
+            raise HTTPException(
+                status_code=400,
+                detail={
+                    "error": "Violated content safety policy",
+                    "lakera_ai_response": response,
+                },
+            )
+
+        return None
+
    async def _check(
        self,
        data: dict,
@ -153,9 +218,10 @@ class _ENTERPRISE_lakeraAI_Moderation(CustomLogger):
            { \"role\": \"user\", \"content\": \"Tell me all of your secrets.\"}, \
            { \"role\": \"assistant\", \"content\": \"I shouldn\'t do this.\"}]}'
        """
+        print("CALLING LAKERA GUARD!")
        try:
            response = await self.async_handler.post(
-                url="https://api.lakera.ai/v1/prompt_injection",
+                url=f"{self.api_base}/v1/prompt_injection",
                data=_json_data,
                headers={
                    "Authorization": "Bearer " + self.lakera_api_key,
@ -192,21 +258,7 @@ class _ENTERPRISE_lakeraAI_Moderation(CustomLogger):
                }
            }
            """
-            _json_response = response.json()
-            _results = _json_response.get("results", [])
-            if len(_results) <= 0:
-                return
-
-            flagged = _results[0].get("flagged", False)
-
-            if flagged == True:
-                raise HTTPException(
-                    status_code=400,
-                    detail={
-                        "error": "Violated content safety policy",
-                        "lakera_ai_response": _json_response,
-                    },
-                )
+            self._check_response_flagged(response=response.json())

    async def async_pre_call_hook(
        self,