o ưiF@sUdZddlmZmZddlmZmZmZmZmZddl m Z ddl m Z m Z mZmZer3ddlmZGdddZd aeeed <d efd d Zd S)z Attachment Registry - Manages policy attachments from YAML config. Attachments define WHERE policies apply, separate from the policy definitions. This allows the same policy to be attached to multiple scopes. )datetimetimezone) TYPE_CHECKINGAnyDictListOptional)verbose_proxy_logger)PolicyAttachmentPolicyAttachmentCreateRequestPolicyAttachmentDBResponsePolicyMatchContext) PrismaClientc @seZdZdZddZdeeeefddfddZ d eeefde fd d Z d e deefd dZ d e deeeeffddZede d e defddZded e defddZdee fddZdedee fddZdefddZd4ddZde ddfdd Zdedefd!d"Zd#edefd$d%Z d5d&ed'd(d)eedefd*d+Zd#ed'd(deeeffd,d-Zd#ed'd(deefd.d/Z d'd(deefd0d1Z! ' (  d6d2d3Z"dS)7AttachmentRegistrya In-memory registry for storing and managing policy attachments. Attachments define the relationship between policies and their scopes. A single policy can have multiple attachments (applied to different scopes). Example YAML: ```yaml attachments: - policy: global-baseline scope: "*" - policy: healthcare-compliance teams: [healthcare-team] - policy: dev-safety keys: ["dev-key-*"] ``` cCsg|_d|_dS)NF _attachments _initializedselfrf/home/app/Keep/.python/lib/python3.10/site-packages/litellm/proxy/policy_engine/attachment_registry.py__init__*s zAttachmentRegistry.__init__attachments_configreturnNc Csg|_|D]8}z||}|j|td|jWqty=}ztdt|t dt||d}~wwd|_ t dt |jddS)z Load attachments from a configuration list. Args: attachments_config: List of attachment dictionaries from YAML. zLoaded attachment for policy: zError loading attachment: zInvalid attachment: NTzLoaded z policy attachments) r_parse_attachmentappendr debugpolicy Exceptionerrorstr ValueErrorrinfolen)rrattachment_data attachmenterrrload_attachments.s"    z#AttachmentRegistry.load_attachmentsr$c Cs:t|dd|d|d|d|d|ddS) z Parse an attachment from raw configuration data. Args: attachment_data: Raw attachment configuration Returns: Parsed PolicyAttachment object rscopeteamskeysmodelstagsrr)r*r+r,r-)r get)rr$rrrrGs z$AttachmentRegistry._parse_attachmentcontextcCsdd||DS)z Get list of policy names attached to the given context. Args: context: The request context to match against Returns: List of policy names that are attached to matching scopes cSsg|]}|dqS policy_namer).0rrrr dsz.)"get_attached_policies_with_reasons)rr0rrrget_attached_policiesZ z(AttachmentRegistry.get_attached_policiescCsddlm}g}t}|jD]@}|}|j||drN|j|vrN||j|||}| |j|dt d|jd|d|j d|j d |jd q|S) z Get list of policy names and match reasons for the given context. Returns a list of dicts with 'policy_name' and 'matched_via' keys. The 'matched_via' describes which dimension caused the match. r PolicyMatcher)r)r0)r2 matched_viazAttachment matched: policy=z, matched_via=z, context=(team=z, key=z, model=))*litellm.proxy.policy_engine.policy_matcherr:setrZto_policy_scopeZ scope_matchesradd_describe_match_reasonrr r team_alias key_aliasmodel)rr0r:resultsZ seen_policiesr%r)r;rrrr6fs6      z5AttachmentRegistry.get_attached_policies_with_reasonsr%csddlmr dSg}jr+|jr+fdd|jD}|r+|d|djr:|jr:|d|jjrI|jrI|d|jj rX|j rX|d |j |r_d |Sd S) z/Describe why an attachment matched the context.rr9zscope:*csg|] }|jr|qSr)Zmatches_patternr-)r3tr:r%rrr5s  z=AttachmentRegistry._describe_match_reason..ztag:zteam:zkey:zmodel:+z scope:default) r=r: is_globalr-rr*rAr+rBr,rCjoin)r%r0reasonsZ matching_tagsrrFrr@s"      z)AttachmentRegistry._describe_match_reasonr2cCs||}||vS)a Check if a specific policy is attached to the given context. Args: policy_name: Name of the policy to check context: The request context to match against Returns: True if the policy is attached to a matching scope )r7)rr2r0Zattachedrrris_policy_attacheds z%AttachmentRegistry.is_policy_attachedcCs |jS)zp Get all loaded attachments. Returns: List of all PolicyAttachment objects )rcopyrrrrget_all_attachmentss z&AttachmentRegistry.get_all_attachmentscsfdd|jDS)z Get all attachments for a specific policy. Args: policy_name: Name of the policy Returns: List of attachments for the policy csg|] }|jkr|qSrrr3ar1rrr5zAAttachmentRegistry.get_attachments_for_policy..)r)rr2rr1rget_attachments_for_policyr8z-AttachmentRegistry.get_attachments_for_policycCs|jS)z Check if the registry has been initialized with attachments. Returns: True if attachments have been loaded, False otherwise )rrrrris_initializedsz!AttachmentRegistry.is_initializedcCsg|_d|_dS)z: Clear all attachments from the registry. FNrrrrrclears zAttachmentRegistry.clearcCs"|j|td|jdS)zp Add a single attachment. Args: attachment: PolicyAttachment object to add zAdded attachment for policy: N)rrr rr)rr%rrradd_attachments z!AttachmentRegistry.add_attachmentcsPt|j}fdd|jD|_|t|j}|dkr&td|d|S)z Remove all attachments for a specific policy. Args: policy_name: Name of the policy Returns: Number of attachments removed csg|] }|jkr|qSrrNrOr1rrr5rQzDAttachmentRegistry.remove_attachments_for_policy..rzRemoved z attachment(s) for policy: )r#rr r)rr2Zoriginal_count removed_countrr1rremove_attachments_for_policys z0AttachmentRegistry.remove_attachments_for_policy attachment_idcCsdS)z Remove an attachment by its ID (for DB-synced attachments). Args: attachment_id: The ID of the attachment to remove Returns: True if removed, False if not found Fr)rrXrrrremove_attachment_by_ids z*AttachmentRegistry.remove_attachment_by_idattachment_request prisma_clientr created_byc szd|jjj|j|j|jpg|jpg|jpg|jpgt t j t t j ||d dIdH}t |j|j|j|j|j|jd}||t|j|j|j|jpNg|jpRg|jpVg|jpZg|j|j|j|jd WSty}ztd|tdt|d}~ww)aL Add a policy attachment to the database. Args: attachment_request: The attachment creation request prisma_client: The Prisma client instance created_by: User who created the attachment Returns: PolicyAttachmentDBResponse with the created attachment ) r2r)r*r+r,r- created_at updated_atr\ updated_by)dataNr. rXr2r)r*r+r,r-r]r^r\r_zError adding attachment to DB: )dblitellm_policyattachmenttablecreater2r)r*r+r,r-rnowrutcr rUr rXr]r^r\r_rr exceptionr )rrZr[r\Zcreated_attachmentr%r&rrradd_attachment_to_dbsV     z'AttachmentRegistry.add_attachment_to_dbc sz7|jjjd|idIdH}|durtd|d|jjjd|idIdH||IdHdd|diWStyU}ztd |td t|d}~ww) z Delete a policy attachment from the database. Args: attachment_id: The ID of the attachment to delete prisma_client: The Prisma client instance Returns: Dict with success message rXwhereNzAttachment with ID z not foundmessagez Attachment z deleted successfullyz#Error deleting attachment from DB: ) rbrc find_uniquerdeletesync_attachments_from_dbr rgr rrXr[r%r&rrrdelete_attachment_from_dbFs$  z,AttachmentRegistry.delete_attachment_from_dbc sz7|jjjd|idIdH}|durWdSt|j|j|j|jp!g|jp%g|j p)g|j p-g|j |j |j |jd WStyU}ztd|tdt|d}~ww)a Get a policy attachment by ID from the database. Args: attachment_id: The ID of the attachment to retrieve prisma_client: The Prisma client instance Returns: PolicyAttachmentDBResponse if found, None otherwise rXriNraz"Error getting attachment from DB: )rbrcrlr rXr2r)r*r+r,r-r]r^r\r_rr rgr rorrrget_attachment_by_id_from_dbns4  z/AttachmentRegistry.get_attachment_by_id_from_dbc shz|jjjddidIdH}dd|DWSty3}ztd|tdt|d}~ww)z Get all policy attachments from the database. Args: prisma_client: The Prisma client instance Returns: List of PolicyAttachmentDBResponse objects r]Zdesc)orderNcSsPg|]$}t|j|j|j|jpg|jpg|jpg|jpg|j|j |j |j d qS)ra) r rXr2r)r*r+r,r-r]r^r\r_rOrrrr5s zBAttachmentRegistry.get_all_attachments_from_db..z#Error getting attachments from DB: )rbrcZ find_manyrr rgr )rr[ attachmentsr&rrrget_all_attachments_from_dbs  z.AttachmentRegistry.get_all_attachments_from_dbc szK||IdH}g|_|D],}t|j|j|jr|jnd|jr#|jnd|jr*|jnd|jr1|jndd}|j |qd|_ t dt |dWdStyi}zt d|tdt|d}~ww)z Sync policy attachments from the database to in-memory registry. Args: prisma_client: The Prisma client instance Nr.TzSynced z* attachments from DB to in-memory registryz#Error syncing attachments from DB: )rtrr r2r)r*r+r,r-rrr r"r#rrgr )rr[rsZattachment_responser%r&rrrrns.  z+AttachmentRegistry.sync_attachments_from_db)rN)N)r[rrN)#__name__ __module__ __qualname____doc__rrrr rr'r rr r7r6 staticmethodr@boolrKrMrRrSrTrUintrWrYr rr rhrprqrtrnrrrrrs  "      ?  ( * (rN_attachment_registryrcCstdurtatS)zs Get the global AttachmentRegistry singleton. Returns: The global AttachmentRegistry instance N)r|rrrrrget_attachment_registrysr})rxrrtypingrrrrrZlitellm._loggingr Z!litellm.types.proxy.policy_enginer r r r Zlitellm.proxy.utilsrrr|__annotations__r}rrrrs  Q