o ưiy@sddZddlZddlZddlZddlmZmZmZmZm Z m Z m Z ddl m Z ddlmZddlmZddlmZddlmZdd lmZdd lmZdd lmZdd lmZmZmZm Z m!Z!m"Z"m#Z#m$Z$m%Z%m&Z&m'Z'm(Z(m)Z)m*Z*m+Z+m,Z,m-Z-m.Z.dd l/m0Z0ddl1m2Z2m3Z3ddl4m5Z5m6Z6m7Z7m8Z8m9Z9m:Z:m;Z;mZ>m?Z?m@Z@GdddZAGdddZBdS)z Supports using JWT's for authenticating into the proxy. Currently only supports admin. JWT token must have 'litellm_proxy_admin' in scope. N)AnyListLiteralOptionalSetTuplecast)x509)default_backend) serialization HTTPException)verbose_proxy_logger) DualCache)get_nested_value) HTTPHandler) RBAC_ROLES JWKKeyValueJWTAuthBuilderResult JWTKeyItemLiteLLM_EndUserTableLiteLLM_JWTAuthLiteLLM_OrganizationTableLiteLLM_TeamMembershipLiteLLM_TeamTableLiteLLM_UserTableLitellmUserRolesMemberProxyErrorTypesProxyException ScopeMappingSpanTeamMemberAddRequestUserAPIKeyAuth)can_team_access_model) PrismaClient ProxyLogging) _allowed_routes_checkallowed_routes_checkget_actual_routesget_end_user_objectget_org_objectget_org_object_by_aliasget_role_based_modelsget_role_based_routesget_team_membershipget_team_objectget_team_object_by_aliasget_user_objectc @seZdZUdZeeed<eed<  dNddZ dOdeeded e d e ddf d d Z e d e fddZd edeefddZd edeefddZdedefddZd edee fddZd edee dee fddZdefddZdefddZd edee dee fd d!Zd edee dee fd"d#ZdPd$eedefd%d&Zd edee dee fd'd(Zd edeee deee fd)d*Zd edee fd+d,Z!d edeee deee fd-d.Z"d/eee defd0d1Z#d edee dee fd2d3Z$d edee dee fd4d5Z%d edee dee fd6d7Z&d edee dee fd8d9Z'd edee fd:d;Z(dZ)d?ee defd@dAZ*dBe+d?ee dee,fdCdDZ-dEe defdFdGZ.d e defdHdIZ/d e defdJdKZ0dLdMZ1dS)Q JWTHandlerz - treat the sub id passed in as the user id - return an error if id making request doesn't exist in proxy user table - track spend against the user id - if role="litellm_proxy_user" -> allow making calls + info. Can not edit budgets prisma_clientuser_api_key_cachereturnNcCst|_d|_dS)Nr)r http_handlerleewayselfr<T/home/app/Keep/.python/lib/python3.10/site-packages/litellm/proxy/auth/handle_jwt.py__init__Is zJWTHandler.__init__rlitellm_jwtauthr9cCs||_||_||_||_dSN)r5r6r?r9)r;r5r6r?r9r<r<r=update_environmentOs zJWTHandler.update_environmenttokencCs|d}t|dkS)N.)splitlen)rBpartsr<r<r=is_jwt[s  zJWTHandler.is_jwtcCsT|jjdurdS|j|dd}|sdSt|}|jjD] }|j|vr'|jSqdS)a Returns the RBAC role the token 'belongs' to based on role mappings. Args: token (dict): The JWT token containing role information Returns: Optional[RBAC_ROLES]: The mapped internal RBAC role if a mapping exists, None otherwise Note: The function handles both single string roles and lists of roles from the JWT. If multiple mappings match the JWT roles, the first matching mapping is returned. NrB default_value)r?Z role_mappings get_jwt_rolesetroleZ internal_role)r;rBjwt_roleZ jwt_role_setZ role_mappingr<r<r=_rbac_role_from_role_mapping`s    z'JWTHandler._rbac_role_from_role_mappingcCs|j|d}|j|d}|j|dd}|rtjS|j|dddur$tjS|j|dddur0tjS|dur=|j |dr=tjS|j |d}rG|SdS)a^ Returns the RBAC role the token 'belongs' to. RBAC roles allowed to make requests: - PROXY_ADMIN: can make requests to all routes - TEAM: can make requests to routes associated with a team - INTERNAL_USER: can make requests to routes associated with a user Resolves: https://github.com/BerriAI/litellm/issues/6793 Returns: - PROXY_ADMIN: if token is admin - TEAM: if token is associated with a team - INTERNAL_USER: if token is associated with a user - None: if token is not associated with a team or user rBscopesNrI) user_roles) get_scopesis_adminget_user_rolesr PROXY_ADMIN get_team_idTEAM get_user_id INTERNAL_USERis_allowed_user_rolerO)r;rBrRrUrS rbac_roler<r<r= get_rbac_roles   zJWTHandler.get_rbac_rolerRcCs|jj|vrdSdS)NTF)r?Zadmin_jwt_scope)r;rRr<r<r=rUs zJWTHandler.is_admincCs*|jjdurt||jjgd}|pgSgSNdataZkey_pathdefault)r?Zteam_ids_jwt_fieldr)r;rBteam_idsr<r<r=get_team_ids_from_jwts z JWTHandler.get_team_ids_from_jwtrJcCHz|jjdurt||jj|d}W|Sd}W|Sty#|}Y|Swr_)r?Zend_user_id_jwt_fieldrKeyErrorr;rBrJuser_idr<r<r=get_end_user_ids   zJWTHandler.get_end_user_idcCs |jjdur|jjdurdSdS)z Returns: - True: if 'team_id_jwt_field' or 'team_alias_jwt_field' is set - False: if neither is set NFT)r?team_id_jwt_fieldteam_alias_jwt_fieldr:r<r<r=is_required_team_ids  zJWTHandler.is_required_team_idcCs"|jjdurt|jjtrdSdS)z Returns: - True: if 'user_allowed_email_domain' is set - False: if 'user_allowed_email_domain' is None NTF)r?user_allowed_email_domain isinstancestrr:r<r<r=is_enforced_email_domains z#JWTHandler.is_enforced_email_domainc CszZ|jjdurIt}t||jj|d}||ur%|jjdur"|jjWS|WSt|trF|s/|WStd|jjd|d|dd|d}|WS|jjdurV|jj}W|Sd}W|St yf|}Y|Sw)Nr`zJWT Auth: team_id_jwt_field 'z' returned a list z; using first element 'rz' automatically.) r?rjobjectrZteam_id_defaultrnlistrdebugrf)r;rBrJsentinelteam_idr<r<r=rXsB        zJWTHandler.get_team_idcCHz|jjdurt||jj|d}|WSd}W|Sty#|}Y|Sw)aG Extract team name/alias from JWT token using the configured team_alias_jwt_field. Args: token: The decoded JWT token dictionary default_value: Default value to return if field not found Returns: The team alias from the token, or default_value if not found Nr`)r?rkrrf)r;rBrJ team_aliasr<r<r=get_team_aliass  zJWTHandler.get_team_aliasvalid_user_emailcCs|durdS|jjS)z Returns: - True: if 'user_id_upsert' is set AND valid_user_email is not False - False: if not F)r?user_id_upsert)r;ryr<r<r=is_upsert_user_idszJWTHandler.is_upsert_user_idcCHz|jjdurt||jj|d}W|S|}W|Sty#|}Y|Swr_)r?Zuser_id_jwt_fieldrrfrgr<r<r=rZ'   zJWTHandler.get_user_idcCHz|jjdurt||jj|d}W|S|}W|Sty#|}Y|Sw)zn Returns the user role from the token. Set via 'user_roles_jwt_field' in the config. Nr`)r?Zuser_roles_jwt_fieldrrfr;rBrJrSr<r<r=rV5s   zJWTHandler.get_user_rolescCsZ|jjsdS|j|gd}|sdS|jjD]}|D]}t||jr)|jSqqdS)z(Map roles from JWT to LiteLLM user rolesNrI)r?Zjwt_litellm_role_maprKfnmatchrNZ litellm_role)r;rBZ jwt_rolesmappingrMr<r<r=map_jwt_role_to_litellm_roleJs z'JWTHandler.map_jwt_role_to_litellm_rolecCr~)z Generic implementation of `get_user_roles` that can be used for both user and team roles. Returns the jwt role from the token. Set via 'roles_jwt_field' in the config. Nr`)r?Zroles_jwt_fieldrrfrr<r<r=rKYs   zJWTHandler.get_jwt_rolerScs2|durjjdurtfdd|DrdSdS)zl Returns the user role from the token. Set via 'user_allowed_roles' in the config. Nc3s|] }|jjvVqdSr@)r?user_allowed_roles).0rMr:r<r= ys  z2JWTHandler.is_allowed_user_role..TF)r?rany)r;rSr<r:r=r\ps  zJWTHandler.is_allowed_user_rolecCrer_)r?Zuser_email_jwt_fieldrrf)r;rBrJ user_emailr<r<r=get_user_emails   zJWTHandler.get_user_emailcCr|r_)r?Zobject_id_jwt_fieldrrf)r;rBrJ object_idr<r<r= get_object_idr}zJWTHandler.get_object_idcCrer_)r?Zorg_id_jwt_fieldrrf)r;rBrJorg_idr<r<r= get_org_idr}zJWTHandler.get_org_idcCrv)aV Extract organization name/alias from JWT token using the configured org_alias_jwt_field. Args: token: The decoded JWT token dictionary default_value: Default value to return if field not found Returns: The organization alias from the token, or default_value if not found Nr`)r?Zorg_alias_jwt_fieldrrf)r;rBrJ org_aliasr<r<r= get_org_aliass  zJWTHandler.get_org_aliascCsnz*t|dtr|d}W|St|dtr|d}W|Stdt|ddty6g}Y|Sw)NscopezUnmapped scope type - z. Supported types - list, str.)rnrorErr Exceptiontyperf)r;rBrRr<r<r=rTs   zJWTHandler.get_scopesurlc sd|vr|Sd|}|j|IdH}|dur|Std||j|IdH}|jdkr@td|d|jd|jz| }Wnty\}z td |d|d}~ww|d }|sltd |d td |d||jj |||j j dIdH|S)aS If url points to an OIDC discovery document (*.well-known/openid-configuration), fetch it and return the jwks_uri contained within. Otherwise return url unchanged. This lets JWT_PUBLIC_KEY_URL be set to a well-known discovery endpoint instead of requiring operators to manually find the JWKS URL. z .well-known/openid-configurationZlitellm_oidc_discovery_Nz0JWT Auth: Fetching OIDC discovery document from z"JWT Auth: OIDC discovery endpoint z returned status : z5JWT Auth: Failed to parse OIDC discovery document at jwks_uriz%JWT Auth: OIDC discovery document at z% does not contain a 'jwks_uri' field.z"JWT Auth: Resolved OIDC discovery z -> jwks_uri=keyvaluettl) r6async_get_cacherrsr8get status_codertextjsonasync_set_cacher?public_key_ttl)r;r cache_keyZcached_jwks_uriresponseZ discoveryerr<r<r=_resolve_jwks_urlsJ      zJWTHandler._resolve_jwks_urlkidc sBtd}|durtddd|dD}|D]|}||IdH}d|}|j|IdH}|dur|j|IdH}z| }Wn tye} zt d| d|j td| d d} ~ wwd |vrq| d } n|} |jj || |jjd IdHn|} |j| |d } | durtt| Sqtd |d|)NZJWT_PUBLIC_KEY_URLz,Missing JWT Public Key URL from environment.cSsg|]}|qSr<)strip)rrr<r<r= sz-JWTHandler.get_public_key..,Zlitellm_jwt_auth_keys_zError parsing response: z. Original Response: z*. Check server logs for original response.keysr)rrz#No matching public key found. keys=z, kid=)osgetenvrrErr6rr8rrrerrorrrr?r parse_keysrdict) r;rZkeys_urlZ keys_url_listZkey_urlrZ cached_keysrZ response_jsonrr public_keyr<r<r=get_public_keysL    zJWTHandler.get_public_keyrcCsd}t|dkr6t|tr|dd|ks|dur|}|St|tr4|ddd|ks0|dur4|d}|St|dkrb|D]#}t|trL|dd}nd}|durat|tra|dura||kra|}q>|S)Nr'rr)rFrnrrrr)r;rrrrZkey_kidr<r<r=r2s, "   zJWTHandler.parse_keysrcCs2|jjdurdS|dd}||jjkrdSdS)NT@F)r?rmrE)r;rZ email_domainr<r<r=is_allowed_domainKs  zJWTHandler.is_allowed_domainc s"|jjs tdd|dd}|j|IdH}|dur&td|Std|jjzA|jj|jjd|dd d IdH}|j d krUtd |j d |j | }td||jj |||jj dIdH|WSty}ztdt|tdt|d}~ww)a Fetch user information from OIDC UserInfo endpoint. This follows the OpenID Connect protocol where an access token is sent to the identity provider's UserInfo endpoint to retrieve user identity information. Args: token: The access token to use for authentication Returns: dict: User information from the UserInfo endpoint Raises: Exception: If UserInfo endpoint is not configured or request fails zWOIDC UserInfo endpoint not configured. Set 'oidc_userinfo_endpoint' in JWT auth config.Zoidc_userinfo_NzReturning cached OIDC UserInfoz Calling OIDC UserInfo endpoint: zBearer zapplication/json) AuthorizationAccept)rheadersrz'OIDC UserInfo endpoint returned status rzReceived OIDC UserInfo: rzError fetching OIDC UserInfo: zFailed to fetch OIDC UserInfo: )r?Zoidc_userinfo_endpointrr6rrrsr8rrrrrZoidc_userinfo_cache_ttlrro)r;rBrZcached_userinforuserinforr<r<r=get_oidc_userinfoUsL    zJWTHandler.get_oidc_userinfoc s$gd}td}d}|durddi}ddl}ddlm}||}td||dd}|j |d IdH} | durt | t ri} d | vrM| d | d <d| vrW| d| d<d | vra| d | d <d | vrk| d | d <d | vru| d | d <d| vr| d| d<d| vr| d| d<| | j } z|j|| ||||jd} | WS|jytdty} z tdt| d} ~ ww| durt | trz"t| t}|tjjtjj}|j|||||d} | WS|jytdty } z tdt| d} ~ wwtd)N) ZRS256ZRS384ZRS512ZPS256ZPS384ZPS512ZES256ZES384ZES512ZEdDSAZ JWT_AUDIENCEZ verify_audFr)PyJWKz header: %sr)rZktynrxyZcrv) algorithmsoptionsaudiencer9z Token ExpiredzValidation fails: )rrrzInvalid JWT Submitted)rrjwtZ jwt.api_jwkrZget_unverified_headerrrsrrrnr from_dictrdecoder9ZExpiredSignatureErrorrror Zload_pem_x509_certificateencoder r public_bytesr ZEncodingZPEMZ PublicFormatZSubjectPublicKeyInfo)r;rBrrZdecode_optionsrrheaderrrZjwkZpublic_key_objpayloadrcertrr<r<r=auth_jwts              zJWTHandler.auth_jwtcs|jIdHdSr@)r8closer:r<r<r=rszJWTHandler.close)r7N)rr@)2__name__ __module__ __qualname____doc__rr%__annotations__rr>rintrA staticmethodrorHrrrOr^rrboolrUrrdrirlrprXrxr{rZrVrrrKr\rrrrrTrrrrrrrrrr<r<r<r=r4>s      $    $         .0 C dr4c#@sDeZdZdZedededededfddZ ededed e ededfd d Z ed e e d e edededdf ddZedededededede eddfddZe d@ded edede ede edede ede efddZededede edede ededee ee effdd Zedededeefd!d"Zed#eed$e ededede edede ededee ee effd%d&Zedededee ee ee effd'd(Ze d@de ed)e ede ed*e ed+e ed,e edede edede ededed-e edee e e e!e e"e e#ffd.d/Z$ede ed+e ed0ed1ededf d2d3Z%ed4e ed5eede efd6d7Z&ed8e e d9e efd:d;Z'ededed8e e de eddf dd?Z)dS)AJWTAuthManagerz7Manages JWT authentication and authorization operationsr]general_settingsrouter7TcCsRt||d}|dus|durdSt||d}|s'tdd|d|d|d dS) zU Checks if user is allowed to access the route, based on their role. r]rNT) user_routeallowed_routesRole=z not allowed to call route=z. Allowed routes=rdetail)r/r(r )r]rrZrole_based_routes is_allowedr<r<r=can_rbac_role_call_routes z'JWTAuthManager.can_rbac_role_call_routemodelcCsJt||d}|dus|durdS||vr#tdd|d|d|ddS) zU Checks if user is allowed to access the model, based on their role. rNTrrz not allowed to call model=z. Allowed models=r)r.r )r]rrZrole_based_modelsr<r<r=can_rbac_role_call_model s z'JWTAuthManager.can_rbac_role_call_modelscope_mappingsrR request_dataNcCsh|sdSg}|D]}|j|vr|jr||jq|d}|s"dS||vr2tddd||iddS)zE Check if scope allows access to the requested model Nrrrz'model={} not allowed. Allowed_models={}r)rmodelsextendrr format)rrRrrZallowed_modelssmrequested_modelr<r<r=check_scope_based_access7s&   z'JWTAuthManager.check_scope_based_access jwt_handlerjwt_valid_tokencsP|jjdur&|durtdddtj|||ddtj|||ddSdS) z/Validate RBAC role and model access permissionsTNrzjUnmatched token passed in. enforce_rbac is set to True. Token must belong to a proxy admin, team, or user.rr)r]rr)r]rr)r? enforce_rbacr rrrr)rrrrrr]r<r<r=check_rbac_roleYs$  zJWTAuthManager.check_rbac_rolerhrapi_keyc sr|j|ds dSttj||jd}|s'|jj}t|d} td|d| tddddd|d|d|d|p6id S) z/Check admin status and route access permissionsrQN user_rolerZlitellm_proxy_roles)rz.Admin not allowed to access this route. Route=z, Allowed Routes=T) is_proxy_admin team_object user_objectend_user_object org_objectrBrurh end_user_idrteam_membership jwt_claims) rUr)rrWr?Zadmin_allowed_routesr*rr) rrRrrhrrrrrZ actual_routesr<r<r=check_admin_accessts8  z!JWTAuthManager.check_admin_accessr5r6parent_otel_spanproxy_logging_objcsd|j|dd}d}|rt||||||jjdIdH}||fS|j|dd}|rRtd|dt|||||dIdH}|rR|j}td|d|d||fS| d ur|jj } |jj } d } | rd | vr| d d } | d  r| d} d| d| d} nd| vr| drtd| }|r|d } d| d| d} td| d| d| ||fS)zQFind and validate specific team ID from team_id_jwt_field or team_alias_jwt_fieldNrIrur5r6rrteam_id_upsertz$JWT Auth: Resolving team by alias: '')rwr5r6rrzJWT Auth: Resolved team_alias='z' to team_id='TrCr'rrz* Hint: dot-notation array indexing (e.g. 'z') is not supported. Use 'uZ' instead — LiteLLM automatically uses the first element when the field value is a list.[]z^(\w+)\[(\d+)\]$z Hint: array indexing (e.g. 'z/') is not supported in team_id_jwt_field. Use 'z/No team found in token. Checked team_id field 'z' and team_alias field 'z'.)rXr1r?rrxrinfor2rurlrjrkrsplitisdigitendswithrematchgroupr)rrr5r6rrZindividual_team_idrrwZ team_id_fieldZteam_alias_fieldhintrGZ base_fieldmr<r<r="find_and_validate_specific_team_idsz         z1JWTAuthManager.find_and_validate_specific_team_idcCs|j|d}t|}|S)z8Get combined team IDs from groups and individual team_idrP)rdrL)rrZteam_ids_from_groups all_team_idsr<r<r=get_all_team_idss zJWTAuthManager.get_all_team_idsrcrc sddlm}|s|jjrtddddS|D]U} zJt| ||||dIdH} | rb| jdurb| j} t| trb|rBt || |dd IdHrbt t j ||jd } t d | d |d | | rb| | fWSWqtylYqw|r|tdd|d|dddS)z2Find first team with access to the requested modelr) llm_routerrzgNo teams found in token. `enforce_team_based_model_access` is set to True. Token must belong to a team.r)NN)rur5r6rrN)rrr Zteam_model_aliasesrzJWT team route check: team_id=z, route=z , is_allowed=z+No team has access to the requested model: z. Checked teams=z.. Check `/models` to see all available models.)Zlitellm.proxy.proxy_serverr r?Zenforce_team_based_model_accessr r1rrnrrr$r)rrYrrsr) rcrrrr5r6rrr rurZ team_modelsrr<r<r=find_team_with_model_accesssd      z*JWTAuthManager.find_team_with_model_accesscsL|j|dd}d}|r|durdn|j|d}|j||d}|||fS)z$Get user email and validation statusNrIF)r)rrprrZ)rrrryrhr<r<r= get_user_info8s  zJWTAuthManager.get_user_inforrruryrc  s@d} |r|rt|||| | dIdHnd} n&| rsz:JWTAuthManager.get_team_id_from_header..zx-litellm-team-idrzTeam 'zS' from x-litellm-team-id header is not in your JWT's allowed teams. Allowed teams: rz-Using team_id from x-litellm-team-id header: )itemsrr rrrrs)rrZnormalized_headersheader_team_idr<r<r=get_team_id_from_headers z&JWTAuthManager.get_team_id_from_headerrrc sddlm}|s dS|sdS|jD]}|jr |j|jkr dSqtt|jdd|jd}z||ttj ddIdHt d |jd |jWdSt yr}z|j tjkrlt d |jd |jWYd}~dS|d}~ww) z Map user to teams. - If user is not in team, add them to the team - If user is in team, do nothing r)team_member_addNuser)rhrM)memberru)r)raZuser_api_key_dictzSuccessfully added user z to team zUser z is already a member of team )Z1litellm.proxy.management_endpoints.team_endpointsr!Zmembers_with_rolesrhr"rrur#rrWrrsrrrZteam_member_already_in_team)rrr!r#rarr<r<r=map_user_to_teamssJ     z JWTAuthManager.map_user_to_teamsc s|jjsdS|dus|durdS||}|r4|j|jkr4|jjjd|jid|jidIdH|j|_t | |}t |j p@g}||}||}|sN|rhddl m } | |jt|t|dIdHt||_ dS)ak Sync user role and team memberships with JWT claims The goal of this method is to ensure: 1. The user role on LiteLLM DB is in sync with the IDP provider role 2. The user is a member of the teams specified in the JWT token This method is only called if sync_user_role_and_teams is set to True in the JWT config. Nrhr)whererar)patch_team_membership)rhZteams_ids_to_add_user_toZteams_ids_to_remove_user_from)r?sync_user_role_and_teamsrrrdbZlitellm_usertableupdaterhrLrdZteamsZ/litellm.proxy.management_endpoints.scim.scim_v2r&rr) rrrr5Znew_roleZ jwt_team_idsZexisting_teamsZ teams_to_addZteams_to_remover&r<r<r=r')s2    z'JWTAuthManager.sync_user_role_and_teamsc s|jjrtd|j|dIdH} n |j|dIdH} |jjr-|j| s-tddd|j| d} t || |||| IdH|j | d} |jj rY|jj rYt j|jj | ||d|j| dd} |j | d} t || IdH\}}}|j| dd}|j| dd}d}d}|j| dd} | r| r| tjkr| }n| tjkr| }t || ||||| IdH}|r|St || }|j| dd}|r||t j| |d }|r|}t||||||jjd IdH}n|st || ||||IdH\}}|s |s t j||d ||||||d IdH\}}|j | dd}t j!|||||||||||||d IdH\}}}}|r1|j"n|}t j#|| ||dIdHt j$||dIdHt j%|||ddddt&|o_|j'tj(k}t)|||||||||||| d S)z-Main authentication and authorization builderzDOIDC UserInfo is enabled. Fetching user info from UserInfo endpoint.rPNrzInvalid JWT tokenr)rrRrrrI)rrrr)rcrrrr5r6rr) rhrrrruryrr5r6rrrr)rrrr5)rrrFr) rrurrhrrrrrrBrr)*r?Zoidc_userinfo_enabledrrsrrZcustom_validater r^rrrTZenforce_scope_based_accessrrrrrrirrYr[rr rXaddr r1rr rrrrrr'r$rrrrWr) rrrrrr5r6rrrrr]rRrrhrryrrrurZ admin_resultr Zspecific_team_idrrrrrrZresolved_org_idrr<r<r= auth_builderZs2               zJWTAuthManager.auth_builderr@)*rrrrrrrrorrrrrr rr4rrrrrr%rr!r&rrr rr rrrrrrrrrr r$r'r+r<r<r<r=rs   !  ( Q ?       p  ( 2 0    r)CrrrrtypingrrrrrrrZ cryptographyr Zcryptography.hazmat.backendsr Zcryptography.hazmat.primitivesr Zfastapir Zlitellm._loggingrZlitellm.caching.cachingrZ0litellm.litellm_core_utils.dot_notation_indexingrZ'litellm.llms.custom_httpx.httpx_handlerrZlitellm.proxy._typesrrrrrrrrrrrrrrr r!r"r#Zlitellm.proxy.auth.auth_checksr$Zlitellm.proxy.utilsr%r&Z auth_checksr(r)r*r+r,r-r.r/r0r1r2r3r4rr<r<r<r=s0$        P 8G