diff --git a/changelog/unreleased/kong/ai-proxy-add-allow-override-opt.yml b/changelog/unreleased/kong/ai-proxy-add-allow-override-opt.yml index 798dffc5e59..6ac9928e641 100644 --- a/changelog/unreleased/kong/ai-proxy-add-allow-override-opt.yml +++ b/changelog/unreleased/kong/ai-proxy-add-allow-override-opt.yml @@ -1,4 +1,4 @@ message: | - **AI-proxy-plugin**: Add `allow_auth_override` option to allow overriding the upstream model auth parameter or header from the caller's request. + **AI-proxy-plugin**: Add `allow_override` option to allow overriding the upstream model auth parameter or header from the caller's request. scope: Plugin type: feature diff --git a/kong/llm/drivers/anthropic.lua b/kong/llm/drivers/anthropic.lua index c942dbcbbe4..88548374681 100644 --- a/kong/llm/drivers/anthropic.lua +++ b/kong/llm/drivers/anthropic.lua @@ -473,14 +473,14 @@ function _M.configure_request(conf) if auth_header_name and auth_header_value then local exist_value = kong.request.get_header(auth_header_name) - if exist_value == nil or not conf.auth.allow_auth_override then + if exist_value == nil or not conf.auth.allow_override then kong.service.request.set_header(auth_header_name, auth_header_value) end end if auth_param_name and auth_param_value and auth_param_location == "query" then local query_table = kong.request.get_query() - if query_table[auth_param_name] == nil or not conf.auth.allow_auth_override then + if query_table[auth_param_name] == nil or not conf.auth.allow_override then query_table[auth_param_name] = auth_param_value kong.service.request.set_query(query_table) end diff --git a/kong/llm/drivers/azure.lua b/kong/llm/drivers/azure.lua index b88bffbfd1d..5c711a18a0e 100644 --- a/kong/llm/drivers/azure.lua +++ b/kong/llm/drivers/azure.lua @@ -132,7 +132,7 @@ function _M.configure_request(conf) if auth_header_name and auth_header_value then local exist_value = kong.request.get_header(auth_header_name) - if exist_value == nil or not conf.auth.allow_auth_override then + if exist_value == nil or not conf.auth.allow_override then kong.service.request.set_header(auth_header_name, auth_header_value) end end @@ -145,7 +145,7 @@ function _M.configure_request(conf) or (conf.model.options and conf.model.options.azure_api_version) if auth_param_name and auth_param_value and auth_param_location == "query" then - if query_table[auth_param_name] == nil or not conf.auth.allow_auth_override then + if query_table[auth_param_name] == nil or not conf.auth.allow_override then query_table[auth_param_name] = auth_param_value end end diff --git a/kong/llm/drivers/cohere.lua b/kong/llm/drivers/cohere.lua index 89151608caa..ff43d198412 100644 --- a/kong/llm/drivers/cohere.lua +++ b/kong/llm/drivers/cohere.lua @@ -481,14 +481,14 @@ function _M.configure_request(conf) if auth_header_name and auth_header_value then local exist_value = kong.request.get_header(auth_header_name) - if exist_value == nil or not conf.auth.allow_auth_override then + if exist_value == nil or not conf.auth.allow_override then kong.service.request.set_header(auth_header_name, auth_header_value) end end if auth_param_name and auth_param_value and auth_param_location == "query" then local query_table = kong.request.get_query() - if query_table[auth_param_name] == nil or not conf.auth.allow_auth_override then + if query_table[auth_param_name] == nil or not conf.auth.allow_override then query_table[auth_param_name] = auth_param_value kong.service.request.set_query(query_table) end diff --git a/kong/llm/drivers/llama2.lua b/kong/llm/drivers/llama2.lua index 446e7295e70..a586a39a93d 100644 --- a/kong/llm/drivers/llama2.lua +++ b/kong/llm/drivers/llama2.lua @@ -278,14 +278,14 @@ function _M.configure_request(conf) if auth_header_name and auth_header_value then local exist_value = kong.request.get_header(auth_header_name) - if exist_value == nil or not conf.auth.allow_auth_override then + if exist_value == nil or not conf.auth.allow_override then kong.service.request.set_header(auth_header_name, auth_header_value) end end if auth_param_name and auth_param_value and auth_param_location == "query" then local query_table = kong.request.get_query() - if query_table[auth_param_name] == nil or not conf.auth.allow_auth_override then + if query_table[auth_param_name] == nil or not conf.auth.allow_override then query_table[auth_param_name] = auth_param_value kong.service.request.set_query(query_table) end diff --git a/kong/llm/drivers/mistral.lua b/kong/llm/drivers/mistral.lua index 8ae85b3a513..8cab7408501 100644 --- a/kong/llm/drivers/mistral.lua +++ b/kong/llm/drivers/mistral.lua @@ -173,14 +173,14 @@ function _M.configure_request(conf) if auth_header_name and auth_header_value then local exist_value = kong.request.get_header(auth_header_name) - if exist_value == nil or not conf.auth.allow_auth_override then + if exist_value == nil or not conf.auth.allow_override then kong.service.request.set_header(auth_header_name, auth_header_value) end end if auth_param_name and auth_param_value and auth_param_location == "query" then local query_table = kong.request.get_query() - if query_table[auth_param_name] == nil or not conf.auth.allow_auth_override then + if query_table[auth_param_name] == nil or not conf.auth.allow_override then query_table[auth_param_name] = auth_param_value kong.service.request.set_query(query_table) end diff --git a/kong/llm/drivers/openai.lua b/kong/llm/drivers/openai.lua index b77cd1aafc3..4d456cd9561 100644 --- a/kong/llm/drivers/openai.lua +++ b/kong/llm/drivers/openai.lua @@ -214,14 +214,14 @@ function _M.configure_request(conf) if auth_header_name and auth_header_value then local exist_value = kong.request.get_header(auth_header_name) - if exist_value == nil or not conf.auth.allow_auth_override then + if exist_value == nil or not conf.auth.allow_override then kong.service.request.set_header(auth_header_name, auth_header_value) end end if auth_param_name and auth_param_value and auth_param_location == "query" then local query_table = kong.request.get_query() - if query_table[auth_param_name] == nil or not conf.auth.allow_auth_override then + if query_table[auth_param_name] == nil or not conf.auth.allow_override then query_table[auth_param_name] = auth_param_value kong.service.request.set_query(query_table) end diff --git a/kong/llm/drivers/shared.lua b/kong/llm/drivers/shared.lua index 02ee704bd67..cc1b437b6b7 100644 --- a/kong/llm/drivers/shared.lua +++ b/kong/llm/drivers/shared.lua @@ -528,7 +528,7 @@ function _M.pre_request(conf, request_table) local auth_param_location = conf.auth and conf.auth.param_location if auth_param_name and auth_param_value and auth_param_location == "body" and request_table then - if request_table[auth_param_name] == nil or not conf.auth.allow_auth_override then + if request_table[auth_param_name] == nil or not conf.auth.allow_override then request_table[auth_param_name] = auth_param_value end end diff --git a/kong/llm/schemas/init.lua b/kong/llm/schemas/init.lua index c4cf0e302ba..845c041fac8 100644 --- a/kong/llm/schemas/init.lua +++ b/kong/llm/schemas/init.lua @@ -97,7 +97,7 @@ local auth_schema = { required = false, encrypted = true, referenceable = true }}, - { allow_auth_override = { + { allow_override = { type = "boolean", description = "If enabled, the authorization header or parameter can be overridden in the request by the value configured in the plugin.", required = false, @@ -244,9 +244,9 @@ return { entity_checks = { { conditional = { if_field = "model.provider", if_match = { one_of = { "bedrock", "gemini" } }, - then_field = "auth.allow_auth_override", + then_field = "auth.allow_override", then_match = { eq = false }, - then_err = "bedrock and gemini only support auth.allow_auth_override = false" }}, + then_err = "bedrock and gemini only support auth.allow_override = false" }}, { mutually_required = { "auth.header_name", "auth.header_value" }, }, { mutually_required = { "auth.param_name", "auth.param_value", "auth.param_location" }, }, diff --git a/spec/02-integration/09-hybrid_mode/09-config-compat_spec.lua b/spec/02-integration/09-hybrid_mode/09-config-compat_spec.lua index e75628a8cb0..714fd2ba986 100644 --- a/spec/02-integration/09-hybrid_mode/09-config-compat_spec.lua +++ b/spec/02-integration/09-hybrid_mode/09-config-compat_spec.lua @@ -495,7 +495,7 @@ describe("CP/DP config compat transformations #" .. strategy, function() header_value = "value", gcp_service_account_json = '{"service": "account"}', gcp_use_service_account = true, - allow_auth_override = false, + allow_override = false, }, model = { name = "any-model-name", @@ -527,7 +527,7 @@ describe("CP/DP config compat transformations #" .. strategy, function() -- gemini fields expected.config.auth.gcp_service_account_json = nil expected.config.auth.gcp_use_service_account = nil - expected.config.auth.allow_auth_override = nil + expected.config.auth.allow_override = nil expected.config.model.options.gemini = nil -- bedrock fields @@ -564,7 +564,7 @@ describe("CP/DP config compat transformations #" .. strategy, function() header_value = "value", gcp_service_account_json = '{"service": "account"}', gcp_use_service_account = true, - allow_auth_override = false, + allow_override = false, }, model = { name = "any-model-name", @@ -628,7 +628,7 @@ describe("CP/DP config compat transformations #" .. strategy, function() header_value = "value", gcp_service_account_json = '{"service": "account"}', gcp_use_service_account = true, - allow_auth_override = false, + allow_override = false, }, model = { name = "any-model-name", @@ -724,7 +724,7 @@ describe("CP/DP config compat transformations #" .. strategy, function() -- bedrock fields expected.config.auth.aws_access_key_id = nil expected.config.auth.aws_secret_access_key = nil - expected.config.auth.allow_auth_override = nil + expected.config.auth.allow_override = nil expected.config.model.options.bedrock = nil do_assert(uuid(), "3.7.0", expected) diff --git a/spec/03-plugins/38-ai-proxy/00-config_spec.lua b/spec/03-plugins/38-ai-proxy/00-config_spec.lua index 3aa61ef5d46..49a5a2dc02d 100644 --- a/spec/03-plugins/38-ai-proxy/00-config_spec.lua +++ b/spec/03-plugins/38-ai-proxy/00-config_spec.lua @@ -298,7 +298,7 @@ describe(PLUGIN_NAME .. ": (schema)", function() param_location = "query", header_name = "Authorization", header_value = "Bearer token", - allow_auth_override = true, + allow_override = true, }, model = { name = "bedrock", @@ -326,7 +326,7 @@ describe(PLUGIN_NAME .. ": (schema)", function() param_location = "query", header_name = "Authorization", header_value = "Bearer token", - allow_auth_override = true, + allow_override = true, }, model = { name = "gemini", diff --git a/spec/03-plugins/38-ai-proxy/02-openai_integration_spec.lua b/spec/03-plugins/38-ai-proxy/02-openai_integration_spec.lua index e716a5f0e38..41511f411d2 100644 --- a/spec/03-plugins/38-ai-proxy/02-openai_integration_spec.lua +++ b/spec/03-plugins/38-ai-proxy/02-openai_integration_spec.lua @@ -288,7 +288,7 @@ for _, strategy in helpers.all_strategies() do if strategy ~= "cassandra" then auth = { header_name = "Authorization", header_value = "Bearer openai-key", - allow_auth_override = false, + allow_override = false, }, model = { name = "gpt-3.5-turbo", @@ -488,7 +488,7 @@ for _, strategy in helpers.all_strategies() do if strategy ~= "cassandra" then param_name = "apikey", param_value = "openai-key", param_location = "query", - allow_auth_override = false, + allow_override = false, }, model = { name = "gpt-3.5-turbo-instruct", @@ -617,7 +617,7 @@ for _, strategy in helpers.all_strategies() do if strategy ~= "cassandra" then param_name = "apikey", param_value = "openai-key", param_location = "body", - allow_auth_override = false, + allow_override = false, }, model = { name = "gpt-3.5-turbo-instruct", @@ -967,7 +967,7 @@ for _, strategy in helpers.all_strategies() do if strategy ~= "cassandra" then assert.res_status(200 , r) end) - it("authorized request with client right header auth with no allow_auth_override", function() + it("authorized request with client right header auth with no allow_override", function() local r = client:get("/openai/llm/v1/chat/good-no-allow-override", { headers = { ["content-type"] = "application/json", @@ -980,7 +980,7 @@ for _, strategy in helpers.all_strategies() do if strategy ~= "cassandra" then assert.res_status(200 , r) end) - it("authorized request with wrong client header auth with no allow_auth_override", function() + it("authorized request with wrong client header auth with no allow_override", function() local r = client:get("/openai/llm/v1/chat/good-no-allow-override", { headers = { ["content-type"] = "application/json", @@ -1340,7 +1340,7 @@ for _, strategy in helpers.all_strategies() do if strategy ~= "cassandra" then assert.equals(json.error.code, "invalid_api_key") end) - it("works with post body auth with client right auth body and no allow_auth_override", function() + it("works with post body auth with client right auth body and no allow_override", function() local good_body = pl_file.read("spec/fixtures/ai-proxy/openai/llm-v1-completions/requests/good.json") local body = cjson.decode(good_body) body.apikey = "openai-key" @@ -1365,7 +1365,7 @@ for _, strategy in helpers.all_strategies() do if strategy ~= "cassandra" then assert.same("\n\nI am a language model AI created by OpenAI. I can answer questions", json.choices[1].text) end) - it("works with post body auth with client wrong auth body and no allow_auth_override", function() + it("works with post body auth with client wrong auth body and no allow_override", function() local good_body = pl_file.read("spec/fixtures/ai-proxy/openai/llm-v1-completions/requests/good.json") local body = cjson.decode(good_body) body.apikey = "wrong" diff --git a/spec/03-plugins/38-ai-proxy/03-anthropic_integration_spec.lua b/spec/03-plugins/38-ai-proxy/03-anthropic_integration_spec.lua index 6d87425054e..fea8255fcf0 100644 --- a/spec/03-plugins/38-ai-proxy/03-anthropic_integration_spec.lua +++ b/spec/03-plugins/38-ai-proxy/03-anthropic_integration_spec.lua @@ -233,7 +233,7 @@ for _, strategy in helpers.all_strategies() do if strategy ~= "cassandra" then auth = { header_name = "x-api-key", header_value = "anthropic-key", - allow_auth_override = false, + allow_override = false, }, model = { name = "claude-2.1", @@ -625,7 +625,7 @@ for _, strategy in helpers.all_strategies() do if strategy ~= "cassandra" then assert.equals(json.error.type, "authentication_error") end) - it("good request with client right header auth and no allow_auth_override", function() + it("good request with client right header auth and no allow_override", function() local r = client:get("/anthropic/llm/v1/chat/good-no-allow-override", { headers = { ["content-type"] = "application/json", @@ -652,7 +652,7 @@ for _, strategy in helpers.all_strategies() do if strategy ~= "cassandra" then }, json.choices[1].message) end) - it("good request with client wrong header auth and no allow_auth_override", function() + it("good request with client wrong header auth and no allow_override", function() local r = client:get("/anthropic/llm/v1/chat/good-no-allow-override", { headers = { ["content-type"] = "application/json", diff --git a/spec/03-plugins/38-ai-proxy/04-cohere_integration_spec.lua b/spec/03-plugins/38-ai-proxy/04-cohere_integration_spec.lua index d3d0f55a9ce..a748b5521be 100644 --- a/spec/03-plugins/38-ai-proxy/04-cohere_integration_spec.lua +++ b/spec/03-plugins/38-ai-proxy/04-cohere_integration_spec.lua @@ -180,7 +180,7 @@ for _, strategy in helpers.all_strategies() do if strategy ~= "cassandra" then auth = { header_name = "Authorization", header_value = "Bearer cohere-key", - allow_auth_override = false, + allow_override = false, }, model = { name = "command", @@ -497,7 +497,7 @@ for _, strategy in helpers.all_strategies() do if strategy ~= "cassandra" then assert.equals(json.message, "invalid api token") end) - it("good request with right client auth and no allow_auth_override", function() + it("good request with right client auth and no allow_override", function() local r = client:get("/cohere/llm/v1/chat/good-no-allow-override", { headers = { ["content-type"] = "application/json", @@ -523,7 +523,7 @@ for _, strategy in helpers.all_strategies() do if strategy ~= "cassandra" then }, json.choices[1].message) end) - it("good request with wrong client auth and no allow_auth_override", function() + it("good request with wrong client auth and no allow_override", function() local r = client:get("/cohere/llm/v1/chat/good-no-allow-override", { headers = { ["content-type"] = "application/json", diff --git a/spec/03-plugins/38-ai-proxy/05-azure_integration_spec.lua b/spec/03-plugins/38-ai-proxy/05-azure_integration_spec.lua index baa6a618389..757a326e374 100644 --- a/spec/03-plugins/38-ai-proxy/05-azure_integration_spec.lua +++ b/spec/03-plugins/38-ai-proxy/05-azure_integration_spec.lua @@ -183,7 +183,7 @@ for _, strategy in helpers.all_strategies() do if strategy ~= "cassandra" then auth = { header_name = "api-key", header_value = "azure-key", - allow_auth_override = false, + allow_override = false, }, model = { name = "gpt-3.5-turbo", @@ -517,7 +517,7 @@ for _, strategy in helpers.all_strategies() do if strategy ~= "cassandra" then assert.equals(json.error.code, "invalid_api_key") end) - it("good request with client right auth and no allow_auth_override", function() + it("good request with client right auth and no allow_override", function() local r = client:get("/azure/llm/v1/chat/good-no-allow-override", { headers = { ["content-type"] = "application/json", @@ -544,7 +544,7 @@ for _, strategy in helpers.all_strategies() do if strategy ~= "cassandra" then }, json.choices[1].message) end) - it("good request with client wrong auth and no allow_auth_override", function() + it("good request with client wrong auth and no allow_override", function() local r = client:get("/azure/llm/v1/chat/good-no-allow-override", { headers = { ["content-type"] = "application/json", diff --git a/spec/03-plugins/38-ai-proxy/06-mistral_integration_spec.lua b/spec/03-plugins/38-ai-proxy/06-mistral_integration_spec.lua index 7134fd21a54..cc5df883fdb 100644 --- a/spec/03-plugins/38-ai-proxy/06-mistral_integration_spec.lua +++ b/spec/03-plugins/38-ai-proxy/06-mistral_integration_spec.lua @@ -126,7 +126,7 @@ for _, strategy in helpers.all_strategies() do if strategy ~= "cassandra" then auth = { header_name = "Authorization", header_value = "Bearer mistral-key", - allow_auth_override = false, + allow_override = false, }, model = { name = "mistralai/Mistral-7B-Instruct-v0.1-instruct", @@ -426,7 +426,7 @@ for _, strategy in helpers.all_strategies() do if strategy ~= "cassandra" then assert.equals(json.error.code, "invalid_api_key") end) - it("good request with client right auth and no allow_auth_override", function() + it("good request with client right auth and no allow_override", function() local r = client:get("/mistral/llm/v1/chat/good-no-allow-override", { headers = { ["content-type"] = "application/json", @@ -455,7 +455,7 @@ for _, strategy in helpers.all_strategies() do if strategy ~= "cassandra" then }, json.choices[1].message) end) - it("good request with client wrong auth and no allow_auth_override", function() + it("good request with client wrong auth and no allow_override", function() local r = client:get("/mistral/llm/v1/chat/good-no-allow-override", { headers = { ["content-type"] = "application/json", diff --git a/spec/03-plugins/38-ai-proxy/07-llama2_integration_spec.lua b/spec/03-plugins/38-ai-proxy/07-llama2_integration_spec.lua index 0060ddaf4fb..881f089f034 100644 --- a/spec/03-plugins/38-ai-proxy/07-llama2_integration_spec.lua +++ b/spec/03-plugins/38-ai-proxy/07-llama2_integration_spec.lua @@ -156,7 +156,7 @@ for _, strategy in helpers.all_strategies() do if strategy ~= "cassandra" then auth = { header_name = "Authorization", header_value = "Bearer llama2-key", - allow_auth_override = false, + allow_override = false, }, model = { name = "llama-2-7b-chat-hf", @@ -260,7 +260,7 @@ for _, strategy in helpers.all_strategies() do if strategy ~= "cassandra" then assert.equals(json.error, "Model requires a Pro subscription.") end) - it("runs good request in completions format with client right auth and no allow_auth_override", function() + it("runs good request in completions format with client right auth and no allow_override", function() local r = client:get("/raw/llm/v1/completions-no-allow-override", { headers = { ["content-type"] = "application/json", @@ -276,7 +276,7 @@ for _, strategy in helpers.all_strategies() do if strategy ~= "cassandra" then assert.equals(json.choices[1].text, "Is a well known font.") end) - it("runs good request in completions format with client wrong auth and no allow_auth_override", function() + it("runs good request in completions format with client wrong auth and no allow_override", function() local r = client:get("/raw/llm/v1/completions-no-allow-override", { headers = { ["content-type"] = "application/json",