feat(user_api_key_auth.py): allow restricting calls by IP address

Allows admin to restrict which IP addresses can make calls to the proxy
2024-07-08 15:58:15 -07:00 · 2024-07-08 15:58:15 -07:00 · f3cc57bc6f
commit f3cc57bc6f
parent 95739c3778
2 changed files with 78 additions and 0 deletions
--- a/litellm/proxy/auth/user_api_key_auth.py
+++ b/litellm/proxy/auth/user_api_key_auth.py
@ -136,6 +136,19 @@ async def user_api_key_auth(
            enable_jwt_auth: true
        ```
        """
        ### FILTER IP ADDRESS ###
        is_valid_ip = _check_valid_ip(
            allowed_ips=general_settings.get("allowed_ips", None), request=request
        )
        if not is_valid_ip:
            raise HTTPException(
                status_code=status.HTTP_403_FORBIDDEN,
                detail="Access forbidden: IP address not allowed.",
            )
        route: str = request.url.path
        if (
@ -1208,3 +1221,22 @@ def _get_user_role(user_id_information: Optional[list]):
    _user = user_id_information[0]
    return _user.get("user_role")
 def _check_valid_ip(allowed_ips: Optional[List[str]], request: Request) -> bool:
    """
    Returns if ip is allowed or not
    """
    if allowed_ips is None:  # if not set, assume true
        return True
    if request.client is not None:
        client_ip = request.client.host
    else:
        client_ip = None
    # Check if IP address is allowed
    if client_ip not in allowed_ips:
        return False
    return True
--- a/litellm/tests/test_user_api_key_auth.py
+++ b/litellm/tests/test_user_api_key_auth.py
@ -0,0 +1,46 @@
 # What is this?
 ## Unit tests for user_api_key_auth helper functions
 import os
 import sys
 sys.path.insert(
    0, os.path.abspath("../..")
 )  # Adds the parent directory to the system path
 from typing import List, Optional
 from unittest.mock import MagicMock
 import pytest
 import litellm
 class Request:
    def __init__(self, client_ip: Optional[str] = None):
        self.client = MagicMock()
        self.client.host = client_ip
@pytest.mark.parametrize(
    "allowed_ips, client_ip, expected_result",
    [
        (None, "127.0.0.1", True),  # No IP restrictions, should be allowed
        (["127.0.0.1"], "127.0.0.1", True),  # IP in allowed list
        (["192.168.1.1"], "127.0.0.1", False),  # IP not in allowed list
        ([], "127.0.0.1", False),  # Empty allowed list, no IP should be allowed
        (["192.168.1.1", "10.0.0.1"], "10.0.0.1", True),  # IP in allowed list
        (
            ["192.168.1.1"],
            None,
            False,
        ),  # Request with no client IP should not be allowed
    ],
 )
 def test_check_valid_ip(
    allowed_ips: Optional[List[str]], client_ip: Optional[str], expected_result: bool
 ):
    from litellm.proxy.auth.user_api_key_auth import _check_valid_ip
    request = Request(client_ip)
    assert _check_valid_ip(allowed_ips, request) == expected_result  # type: ignore