o پiy@sdZddlmZddlZddlmZddlmZddlm Z m Z eddGd d d Z Gd d d e eZ d%ddZd&ddZd'ddZd(d!d"Zd)d#d$ZdS)*z~Auth utilities for HTTP servers. This module is intentionally lightweight (no torch import) so it can be used in unit tests. ) annotationsN) dataclass)Enum)AnyOptionalT)frozenc@s"eZdZUded<dZded<dS) AuthDecisionboolallowedinterror_status_codeN)__name__ __module__ __qualname____annotations__r rrI/home/ubuntu/.local/lib/python3.10/site-packages/sglang/srt/utils/auth.pyrs rc@seZdZdZdZdZdZdS) AuthLevelzJPer-endpoint auth level (attached to endpoint function via `@auth_level`).normaladmin_optional admin_forceN)rrr__doc__NORMALADMIN_OPTIONAL ADMIN_FORCErrrrrs rlevelcsfdd}|S)z.decoratorr)rr!rr r auth_levels r"apprscopedictreturnc Csddlm}tt|ddddpt|dg}|D]9}z ||\}}Wn ty,Yqw||jkrQ|dps r6methodstrpathauthorization_header Optional[str]api_key admin_api_keycCs|dkr tddS|ds|drtddSdd d }|tjkr9|s*tdddS|||s4tddStddS|tjkrW|rHt|||dS|rRt|||dStddS|rat|||dStddS)aPure auth decision function (easy to unit test). Auth levels: - NORMAL: legacy behavior (api_key protects all endpoints when configured) - ADMIN_OPTIONAL: can be accessed without any key (if no keys configured), or with api_key/admin_api_key depending on server config. - ADMIN_FORCE: requires admin_api_key; if admin_api_key is NOT configured, it must be rejected (403) even if api_key is provided. NOTE : - Health/metrics endpoints are always allowed (even when api_key/admin_api_key is set), to support k8s/liveness/readiness and Prometheus scraping without embedding secrets. - We match them by prefix to cover common variants like /health_generate. OPTIONST)r z/healthz/metricsr:r;expected_tokenr8r&r cSsD|sdS|dd}t|dks|ddkrdSt|d|S)z1Check bearer token with constant-time comparison.F rbearer)splitlenlowersecretscompare_digest)r:r?partsrrr_check_bearer_tokengs  z0decide_request_auth.._check_bearer_tokenFi)r r N)r:r;r?r8r&r )r startswithrrr)r7r9r:r<r=r"rJrrrdecide_request_authJs0           rLcsBddlmddlmGfddd}|j||||ddS)zQAdd middleware for three endpoint auth levels: normal/admin_optional/admin_force.r)ORJSONResponse)Requestcs&eZdZdZddZfddZdS)z5add_api_key_middleware.._ApiKeyASGIMiddlewarezadd_api_key_middleware.._ApiKeyASGIMiddleware.__init__c s|ddkr||||IdHdS||d}|jj}|jd}t|j|}t|j|||j |j |d}|j sTd|j dkrBdnd i|j d } | |||IdHdS||||IdHdS) Ntypehttp)receive Authorization)r7r9r:r<r=r"errorr Unauthorized Forbidden)content status_code) r#urlr9headersr0r5rOrLr7r<r=r r ) rPr$rTsendrequestr9authzrdecisionresponserMrNrr__call__s8       z>add_api_key_middleware.._ApiKeyASGIMiddleware.__call__N)rrrrrQrcrrbrr_ApiKeyASGIMiddlewaresrd)r<r=rON)fastapi.responsesrMstarlette.requestsrNadd_middleware)r#r<r=rdrrbradd_api_key_middlewares  + rh)rr)r#rr$r%r&r)r#rr&r )r7r8r9r8r:r;r<r;r=r;r"rr&r)r<r;r=r;)r __future__rrG dataclassesrenumrtypingrrrr8rr"r5r6rLrhrrrrs      K