o ưi@sVdZddlmZmZmZddlmZddlmZddl m Z m Z m Z GdddZ dS) a% Policy Matcher - Matches requests against policy attachments. Uses existing wildcard pattern matching helpers to determine which policies apply to a given request based on team alias, key alias, and model. Policies are matched via policy_attachments which define WHERE each policy applies. )DictListOptional)verbose_proxy_logger) RouteChecks)PolicyPolicyMatchContext PolicyScopec @seZdZdZedeedeedefddZ ede de defd d Z ede deefd d Z ede deefd dZe ddeede deeeefdeefddZdS) PolicyMatchera Matches incoming requests against policy attachments. Supports wildcard patterns: - "*" matches everything - "prefix-*" matches anything starting with "prefix-" Uses policy_attachments to determine which policies apply to a request. valuepatternsreturncCs2|durd|vS|D] }tj||drdSq dS)aw Check if a value matches any of the given patterns. Uses the existing RouteChecks._route_matches_wildcard_pattern helper. Args: value: The value to check (e.g., team alias, key alias, model) patterns: List of patterns to match against Returns: True if value matches any pattern, False otherwise N*)ZroutepatternTF)rZ_route_matches_wildcard_pattern)r r rra/home/app/Keep/.python/lib/python3.10/site-packages/litellm/proxy/policy_engine/policy_matcher.pymatches_patternszPolicyMatcher.matches_patternscopecontextcsxt|j|s dSt|j|sdSt|j|s!dS|r:|j s,dSt fdd|j Ds:dSdS)a Check if a policy scope matches the given context. A scope matches if ALL of its fields match: - teams matches context.team_alias - keys matches context.key_alias - models matches context.model Args: scope: The policy scope to check context: The request context Returns: True if scope matches context, False otherwise Fc3s|] }t|VqdSN)r r).0tagZ scope_tagsrr [s  z.PolicyMatcher.scope_matches..T) r rZ team_aliasZ get_teamsZ key_aliasZget_keysmodelZ get_modelsget_tagstagsany)rrrrr scope_matches7s zPolicyMatcher.scope_matchescCs2ddlm}|}|stdgS||S)z Get list of policy names that match the given context via attachments. Args: context: The request context to match against Returns: List of policy names that match the context r)get_attachment_registryz8AttachmentRegistry not initialized, returning empty list)Z/litellm.proxy.policy_engine.attachment_registryris_initializedrdebugZget_attached_policies)rrregistryrrrget_matching_policiescs  z#PolicyMatcher.get_matching_policiescCs tj|dS)z Get list of policy names that match the given context from the global registry. Args: context: The request context to match against Returns: List of policy names that match the context r)r r#r$rrr#get_matching_policies_from_registry}s z1PolicyMatcher.get_matching_policies_from_registryN policy_namespoliciesc Csddlm}ddlm}|dur|}|sgS|}g}|D]}||}|dur-q!|jdus9||j|r>| |q!|S)a; Filter policies to only those whose conditions match the context. A policy's condition matches if: - The policy has no condition (condition is None), OR - The policy's condition evaluates to True for the given context Args: policy_names: List of policy names to filter context: The request context to evaluate conditions against policies: Dictionary of all policies (if None, uses global registry) Returns: List of policy names whose conditions match the context r)ConditionEvaluator)get_policy_registryN) Z/litellm.proxy.policy_engine.condition_evaluatorr(Z+litellm.proxy.policy_engine.policy_registryr)r Zget_all_policiesget conditionevaluateappend) r&rr'r(r)r"Zmatching_policiesZ policy_namepolicyrrr%get_policies_with_matching_conditionss$    z3PolicyMatcher.get_policies_with_matching_conditionsr)__name__ __module__ __qualname____doc__ staticmethodrstrrboolrr rrr#r%rrr/rrrrr s: +  r N)r3typingrrrZlitellm._loggingrZlitellm.proxy.auth.route_checksrZ!litellm.types.proxy.policy_enginerrr r rrrrs