o ưi 4@sddlZddlZddlmZmZmZmZddlmZddl Z ddl Z ddl m Z ddl mZddlmZmZmZddlmZdd lmZdd lmZGd d d eZdS) N)AnyDictOptionalUnion)quote)verbose_logger) InMemoryCache)_get_httpx_clientget_async_httpx_clienthttpxSpecialProvider)KeyManagementSystem)BaseSecretManager) str_to_boolc@sVeZdZddZdefddZdefddZdedd fd d Zdedefd d Z ddede ede e e e jfde efddZ ddede ede e e e jfde efddZ ddedede ede ede e e e jfde e eefdeeeffddZ  ddede ede ede e e e jfdef ddZd S) CyberArkSecretManagercCsddlm}m}tdd|_tdd|_tdd|_td d |_td d |_ td d |_ t td }|dur?|nd|_ |jsO|j rK|j sOt d|t_tjt_ttjdd}t|d|_|durrt d|jj|j s|tddSdS)Nr)CommonProxyErrors premium_userZCYBERARK_API_BASEzhttp://127.0.0.1:8080ZCYBERARK_ACCOUNTdefaultZCYBERARK_USERNAMEZadminZCYBERARK_API_KEYZCYBERARK_CLIENT_CERTZCYBERARK_CLIENT_KEYZCYBERARK_SSL_VERIFYTzMissing CyberArk credentials. Please set CYBERARK_API_KEY or both CYBERARK_CLIENT_CERT and CYBERARK_CLIENT_KEY in your environment.ZCYBERARK_REFRESH_INTERVALZ300)Z default_ttlz=CyberArk secret manager is only available for premium users. zzCyberArk SSL verification is disabled. This is insecure and should only be used for testing with self-signed certificates.)Zlitellm.proxy.proxy_serverrrosgetenv conjur_addrconjur_accountconjur_usernameconjur_api_key tls_cert_path tls_key_pathr ssl_verify ValueErrorlitellmZsecret_manager_clientr ZCYBERARKZ_key_management_systemintenvirongetrcacheZnot_premium_uservaluerwarning)selfrrZssl_verify_envZ_refresh_intervalr'f/home/app/Keep/.python/lib/python3.10/site-packages/litellm/secret_managers/cyberark_secret_manager.py__init__s<  zCyberArkSecretManager.__init__returnc Cs|jd}|dur |Std|jd|jd|jd}zL|jr;|jr;t j |j|jf|j d}|j ||j d}ntd |j id }|jj ||j d}||j}t|}td |jjd|d |WSty~}ztd |d}~ww)z Authenticate with CyberArk Conjur and get a session token. The token is a JSON object that must be base64-encoded for use in subsequent requests. Returns: str: Base64-encoded session token Zcyberark_auth_tokenNz&Authenticating with CyberArk Conjur...z/authn//z /authenticate)certverify)contentrparamsz0Successfully authenticated with CyberArk Conjur.)keyr$z+Could not authenticate to CyberArk Conjur: )r# get_cacherdebugrrrrrhttpxZClientrpostrr clientraise_for_statustextbase64 b64encodeencodedecode set_cache Exception RuntimeError) r&Z cached_tokenZauth_url http_clientrespZ http_handlerZ token_jsonZ token_b64er'r'r( _authenticateBs0     z#CyberArkSecretManager._authenticatecCs|}dd|diS)z Get headers for CyberArk API requests including authentication. Returns: dict: Headers with authentication token Authorizationz Token token="")rC)r&tokenr'r'r(_get_request_headersosz*CyberArkSecretManager._get_request_headers secret_nameNc Cs|jd|jd}d|d}z(td|jid}|jj|i|ddi|d }|t d |WdSt j yr}z-|j j d vrQt d |d ntd|j j d|j jWYd}~dSWYd}~dSd}~wty}ztd|WYd}~dSd}~ww)z Ensure a variable exists in CyberArk Conjur by creating a policy entry if needed. Args: secret_name: Name of the variable to ensure exists z /policies/z /policy/rootz - !variable  rr/z Content-Typezapplication/x-yaml)headersr.z#Created policy entry for variable: )iiz Variable z- already exists or policy conflict (expected)z"Could not ensure variable exists: z - Nz Error ensuring variable exists: )rrr rr6r5rGr7rr3r4HTTPStatusErrorresponse status_coder%r8r>)r&rHZ policy_urlZ policy_yamlr6rArBr'r'r(_ensure_variable_existsys:   z-CyberArkSecretManager._ensure_variable_existscCs$t|dd}|jd|jd|S)z Build the URL for accessing a secret in CyberArk Conjur. Args: secret_name: Name of the secret (will be URL-encoded) Returns: str: Full URL for the secret r)safez /secrets/z /variable/)rrr)r&rH encoded_namer'r'r(get_urls zCyberArkSecretManager.get_urloptional_paramstimeoutc s|j|dur|j|Sttjd|jid}z"||}|j||dIdH}| |j }|j |||WSt j yg}z|jjdkrTtd|dntd|WYd}~dSd}~wty}ztd|WYd}~dSd}~ww) a_ Reads a secret from CyberArk Conjur using an async HTTPX client. Args: secret_name: Name/path of the secret to read optional_params: Additional parameters (not used for Conjur) timeout: Request timeout Returns: Optional[str]: The secret value if found, None otherwise NrZ llm_providerr0rJSecret  not found in CyberArk Conjur+Error reading secret from CyberArk Conjur: )r#r2r r SecretManagerrrQr"rGr7r8r=r4rKrLrMrr3 exceptionr>) r&rHrRrS async_clienturlrL secret_valuerBr'r'r(async_read_secrets:    z'CyberArkSecretManager.async_read_secretc Cs|j|dur|j|Std|jid}z ||}|jj||d}||j }|j |||WSt j yb}z|j jdkrOtd|dntd|WYd}~dSd}~wty|}ztd|WYd}~dSd}~ww) a] Reads a secret from CyberArk Conjur using a sync HTTPX client. Args: secret_name: Name/path of the secret to read optional_params: Additional parameters (not used for Conjur) timeout: Request timeout Returns: Optional[str]: The secret value if found, None otherwise Nrr/rUrVrWrXrY)r#r2r rrQr6r"rGr7r8r=r4rKrLrMrr3r[r>) r&rHrRrSZ sync_clientr]rLr^rBr'r'r(sync_read_secrets2    z&CyberArkSecretManager.sync_read_secretr^ descriptiontagsc sttjd|jid}z,||||}|j|||dIdH} | |j ||dd|ddWSt yX} zt d | d t| dWYd} ~ Sd} ~ ww) a Writes a secret to CyberArk Conjur using an async HTTPX client. Args: secret_name: Name/path of the secret to write secret_value: Value to store description: Optional description (not used by Conjur) optional_params: Additional parameters timeout: Request timeout tags: Optional tags (not used by Conjur) Returns: dict: Response containing status and details of the operation rrT)r]rJr.NsuccessrWz written successfullystatusmessagez)Error writing secret to CyberArk Conjur: error)r r rZrrNrQr5rGr7r#r=r>rr[str) r&rHr^rarRrSrbr\r]rLrBr'r'r(async_write_secrets*     z(CyberArkSecretManager.async_write_secretrecovery_window_in_dayscs"td|j|dddS)a CyberArk Conjur does not support direct secret deletion via API. Secrets can only be removed through policy updates. Args: secret_name: Name of the secret recovery_window_in_days: Not used optional_params: Additional parameters timeout: Request timeout Returns: dict: Response indicating operation not supported zhCyberArk Conjur does not support direct secret deletion. Secrets must be removed through policy updates.Z not_supportedz`CyberArk Conjur does not support direct secret deletion. Use policy updates to remove variables.rd)rr%r#Z delete_cache)r&rHrkrRrSr'r'r(async_delete_secretBs z)CyberArkSecretManager.async_delete_secret)NN)NNNN)rjNN)__name__ __module__ __qualname__r)rhrCdictrGrNrQrrfloatr4Timeoutr_r`listrrrir rlr'r'r'r(rsz+- % 5 3  6r)r9rtypingrrrr urllib.parserr4rZlitellm._loggingrZlitellm.cachingrZ&litellm.llms.custom_httpx.http_handlerr r r Zlitellm.proxy._typesr Zbase_secret_managerrmainrrr'r'r'r(s