fix(proxy_server.py): secure /team/info
endpoint
make sure user requesting team info is part of team or admin
This commit is contained in:
parent
77df5d7658
commit
3f8abe2754
2 changed files with 39 additions and 0 deletions
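--- a/proxy_server.py
+++ b/proxy_server.py
@@ -1040,6 +1040,15 @@ async def user_api_key_auth(
     elif route == "/model/info":
         # /model/info just shows models user has access to
         pass
+    elif route == "/team/info":
+        # check if key can access this team's info
+        query_params = request.query_params
+        team_id = query_params.get("team_id")
+        if team_id != valid_token.team_id:
+            raise HTTPException(
+                status_code=status.HTTP_403_FORBIDDEN,
+                detail="key not allowed to access this team's info",
+            )
     else:
         raise Exception(
             f"Only master key can be used to generate, delete, update info for new keys/users."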
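Review bot: The new guard in the `/team/info` branch compares `team_id` to `valid_token.team_id` with `!=`, so a request that omits `team_id` sent with a key that has no team (both `None`) passes the check and reaches the handler; what that handler returns in that case is decided outside this hunk. Tightening the line to `if team_id is None or valid_token.team_id is None or team_id != valid_token.team_id:` rejects that case explicitly while keeping the same 403 `detail`. The commit message says team info is open to team members or an admin, but the only admin handling visible here is the surrounding `else`, which appears to be the non-master-key path (its message refers to the master key), so it is worth confirming that admin-role keys other than the master key are handled before this chain. `user_api_key_auth` starts and ends outside the hunk.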
@ -260,7 +260,18 @@ async def get_team_info(session, get_team, call_key):
@pytest.mark.asyncio
@pytest.mark.asyncio
async def test_team_info():
async def test_team_info():
"""
Scenario 1:
- test with admin key -> expect to work
Scenario 2:
- test with team key -> expect to work
Scenario 3:
- test with non-team key -> expect to fail
"""
async with aiohttp.ClientSession() as session:
async with aiohttp.ClientSession() as session:
"""
Scenario 1 - as admin
"""
new_team_data = await new_team(
new_team_data = await new_team(
session,
session,
0,
0,
@ -268,6 +279,25 @@ async def test_team_info():
team_id = new_team_data["team_id"]
team_id = new_team_data["team_id"]
## as admin ##
## as admin ##
await get_team_info(session=session, get_team=team_id, call_key="sk-1234")
await get_team_info(session=session, get_team=team_id, call_key="sk-1234")
"""
Scenario 2 - as team key
"""
key_gen = await generate_key(session=session, i=0, team_id=team_id)
key = key_gen["key"]
await get_team_info(session=session, get_team=team_id, call_key=key)
"""
Scenario 3 - as non-team key
"""
key_gen = await generate_key(session=session, i=0)
key = key_gen["key"]
try:
await get_team_info(session=session, get_team=team_id, call_key=key)
pytest.fail(f"Expected call to fail")
except Exception as e:
pass
"""
"""
|
||||||
|
|
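Review bot: Scenario 3 in `test_team_info` ends in `except Exception as e: pass`, so the test also passes when `get_team_info` fails for an unrelated reason (connection error, wrong URL, a 500) rather than the 403 the new guard is meant to produce; if `get_team_info` raises with the response status or body in its message, `except Exception as e: assert "403" in str(e)` would pin the reason, with the comment `# a non-team key must be rejected with 403; any other error is a test bug` stating the intent. The non-team key is generated with no `team_id` at all, whereas a key that belongs to a different team would exercise the comparison more directly, since the guard's behaviour for a team-less key depends on how `None` compares. `pytest.fail(f"Expected call to fail")` is an f-string without placeholders; a plain string literal is enough. `get_team_info` is defined outside the hunk, so whether its exception carries the status code is inferred.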