RubyGems - liter_llm - Versions diffs - 1.0.0.pre.rc.6 - Mend

liter_llm 1.0.0.pre.rc.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (78) hide show

checksums.yaml +7 -0
data/README.md +239 -0
data/ext/liter_llm_rb/extconf.rb +65 -0
data/ext/liter_llm_rb/native/.cargo/config.toml +23 -0
data/ext/liter_llm_rb/native/Cargo.lock +3713 -0
data/ext/liter_llm_rb/native/Cargo.toml +32 -0
data/ext/liter_llm_rb/native/build.rs +15 -0
data/ext/liter_llm_rb/native/src/lib.rs +1079 -0
data/lib/liter_llm.rb +8 -0
data/sig/liter_llm.rbs +416 -0
data/vendor/Cargo.toml +54 -0
data/vendor/liter-llm/Cargo.toml +92 -0
data/vendor/liter-llm/README.md +252 -0
data/vendor/liter-llm/schemas/pricing.json +40 -0
data/vendor/liter-llm/schemas/providers.json +1662 -0
data/vendor/liter-llm/src/auth/azure_ad.rs +264 -0
data/vendor/liter-llm/src/auth/bedrock_sts.rs +353 -0
data/vendor/liter-llm/src/auth/mod.rs +68 -0
data/vendor/liter-llm/src/auth/vertex_oauth.rs +353 -0
data/vendor/liter-llm/src/client/config.rs +351 -0
data/vendor/liter-llm/src/client/managed.rs +622 -0
data/vendor/liter-llm/src/client/mod.rs +864 -0
data/vendor/liter-llm/src/cost.rs +212 -0
data/vendor/liter-llm/src/error.rs +190 -0
data/vendor/liter-llm/src/http/eventstream.rs +860 -0
data/vendor/liter-llm/src/http/mod.rs +12 -0
data/vendor/liter-llm/src/http/request.rs +438 -0
data/vendor/liter-llm/src/http/retry.rs +72 -0
data/vendor/liter-llm/src/http/streaming.rs +289 -0
data/vendor/liter-llm/src/lib.rs +37 -0
data/vendor/liter-llm/src/provider/anthropic.rs +2250 -0
data/vendor/liter-llm/src/provider/azure.rs +579 -0
data/vendor/liter-llm/src/provider/bedrock.rs +1543 -0
data/vendor/liter-llm/src/provider/cohere.rs +654 -0
data/vendor/liter-llm/src/provider/custom.rs +404 -0
data/vendor/liter-llm/src/provider/google_ai.rs +281 -0
data/vendor/liter-llm/src/provider/mistral.rs +188 -0
data/vendor/liter-llm/src/provider/mod.rs +616 -0
data/vendor/liter-llm/src/provider/vertex.rs +1504 -0
data/vendor/liter-llm/src/tests.rs +1425 -0
data/vendor/liter-llm/src/tokenizer.rs +281 -0
data/vendor/liter-llm/src/tower/budget.rs +599 -0
data/vendor/liter-llm/src/tower/cache.rs +502 -0
data/vendor/liter-llm/src/tower/cache_opendal.rs +270 -0
data/vendor/liter-llm/src/tower/cooldown.rs +231 -0
data/vendor/liter-llm/src/tower/cost.rs +404 -0
data/vendor/liter-llm/src/tower/fallback.rs +121 -0
data/vendor/liter-llm/src/tower/health.rs +219 -0
data/vendor/liter-llm/src/tower/hooks.rs +369 -0
data/vendor/liter-llm/src/tower/mod.rs +77 -0
data/vendor/liter-llm/src/tower/rate_limit.rs +300 -0
data/vendor/liter-llm/src/tower/router.rs +436 -0
data/vendor/liter-llm/src/tower/service.rs +181 -0
data/vendor/liter-llm/src/tower/tests.rs +539 -0
data/vendor/liter-llm/src/tower/tests_common.rs +252 -0
data/vendor/liter-llm/src/tower/tracing.rs +209 -0
data/vendor/liter-llm/src/tower/types.rs +170 -0
data/vendor/liter-llm/src/types/audio.rs +52 -0
data/vendor/liter-llm/src/types/batch.rs +77 -0
data/vendor/liter-llm/src/types/chat.rs +214 -0
data/vendor/liter-llm/src/types/common.rs +244 -0
data/vendor/liter-llm/src/types/embedding.rs +84 -0
data/vendor/liter-llm/src/types/files.rs +58 -0
data/vendor/liter-llm/src/types/image.rs +40 -0
data/vendor/liter-llm/src/types/mod.rs +27 -0
data/vendor/liter-llm/src/types/models.rs +21 -0
data/vendor/liter-llm/src/types/moderation.rs +80 -0
data/vendor/liter-llm/src/types/ocr.rs +87 -0
data/vendor/liter-llm/src/types/rerank.rs +46 -0
data/vendor/liter-llm/src/types/responses.rs +55 -0
data/vendor/liter-llm/src/types/search.rs +45 -0
data/vendor/liter-llm/tests/contract.rs +332 -0
data/vendor/liter-llm-ffi/Cargo.toml +30 -0
data/vendor/liter-llm-ffi/build.rs +66 -0
data/vendor/liter-llm-ffi/cbindgen.toml +60 -0
data/vendor/liter-llm-ffi/liter_llm.h +850 -0
data/vendor/liter-llm-ffi/src/lib.rs +2488 -0
metadata +286 -0

data/vendor/liter-llm/src/auth/azure_ad.rs ADDED Viewed

@@ -0,0 +1,264 @@
+//! Azure AD OAuth2 credential provider (client-credentials flow).
+//!
+//! Exchanges client credentials for a bearer token via the Microsoft Identity
+//! Platform v2.0 token endpoint.  Tokens are cached and refreshed automatically
+//! when they are within 5 minutes of expiry.
+//!
+//! # Environment variables
+//!
+//! | Variable | Description |
+//! |----------|-------------|
+//! | `AZURE_TENANT_ID` | Azure AD tenant ID |
+//! | `AZURE_CLIENT_ID` | Application (client) ID |
+//! | `AZURE_CLIENT_SECRET` | Client secret value |
+//! | `AZURE_AD_TOKEN` | Static bearer token (skips OAuth flow) |
+//! | `AZURE_AD_SCOPE` | OAuth scope (defaults to `https://cognitiveservices.azure.com/.default`) |
+use std::sync::Arc;
+use std::time::Instant;
+use secrecy::{ExposeSecret, SecretString};
+use tokio::sync::RwLock;
+use super::{Credential, CredentialProvider, StaticTokenProvider};
+use crate::client::BoxFuture;
+use crate::error::LiterLlmError;
+/// Default OAuth2 scope for Azure Cognitive Services (including Azure OpenAI).
+const DEFAULT_SCOPE: &str = "https://cognitiveservices.azure.com/.default";
+/// Minimum remaining lifetime before a cached token is considered expired.
+const EXPIRY_BUFFER_SECS: u64 = 300;
+/// Cached token and its acquisition timestamp + lifetime.
+struct CachedToken {
+    token: SecretString,
+    acquired_at: Instant,
+    expires_in_secs: u64,
+}
+impl CachedToken {
+    /// Returns `true` if the token is still valid with the safety buffer.
+    fn is_valid(&self) -> bool {
+        let elapsed = self.acquired_at.elapsed().as_secs();
+        elapsed + EXPIRY_BUFFER_SECS < self.expires_in_secs
+    }
+}
+/// Azure AD OAuth2 credential provider using the client-credentials grant.
+///
+/// Obtains bearer tokens from `https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token`
+/// and caches them until they are within 5 minutes of expiry.
+pub struct AzureAdCredentialProvider {
+    tenant_id: String,
+    client_id: String,
+    client_secret: SecretString,
+    scope: String,
+    cached: RwLock<Option<CachedToken>>,
+    http_client: reqwest::Client,
+}
+impl AzureAdCredentialProvider {
+    /// Create a new provider with explicit credentials.
+    ///
+    /// Uses the default scope `https://cognitiveservices.azure.com/.default`.
+    #[must_use]
+    pub fn new(tenant_id: impl Into<String>, client_id: impl Into<String>, client_secret: SecretString) -> Self {
+        Self {
+            tenant_id: tenant_id.into(),
+            client_id: client_id.into(),
+            client_secret,
+            scope: DEFAULT_SCOPE.to_owned(),
+            cached: RwLock::new(None),
+            http_client: reqwest::Client::new(),
+        }
+    }
+    /// Override the OAuth2 scope (default: `https://cognitiveservices.azure.com/.default`).
+    #[must_use]
+    pub fn with_scope(mut self, scope: impl Into<String>) -> Self {
+        self.scope = scope.into();
+        self
+    }
+    /// Override the HTTP client used for token requests.
+    #[must_use]
+    pub fn with_http_client(mut self, client: reqwest::Client) -> Self {
+        self.http_client = client;
+        self
+    }
+    /// Create a provider from environment variables.
+    ///
+    /// If `AZURE_AD_TOKEN` is set, returns a [`StaticTokenProvider`] instead
+    /// (no OAuth flow needed).
+    ///
+    /// # Errors
+    ///
+    /// Returns [`LiterLlmError::Authentication`] if required environment
+    /// variables are missing.
+    pub fn from_env() -> Result<Arc<dyn CredentialProvider>, LiterLlmError> {
+        // Fast path: static token from environment.
+        if let Ok(token) = std::env::var("AZURE_AD_TOKEN") {
+            return Ok(Arc::new(StaticTokenProvider::new(SecretString::from(token))));
+        }
+        let tenant_id = env_var_required("AZURE_TENANT_ID")?;
+        let client_id = env_var_required("AZURE_CLIENT_ID")?;
+        let client_secret = SecretString::from(env_var_required("AZURE_CLIENT_SECRET")?);
+        let mut provider = Self::new(tenant_id, client_id, client_secret);
+        if let Ok(scope) = std::env::var("AZURE_AD_SCOPE") {
+            provider.scope = scope;
+        }
+        Ok(Arc::new(provider))
+    }
+    /// Exchange client credentials for an access token.
+    async fn fetch_token(&self) -> Result<CachedToken, LiterLlmError> {
+        let url = format!("https://login.microsoftonline.com/{}/oauth2/v2.0/token", self.tenant_id);
+        let resp = self
+            .http_client
+            .post(&url)
+            .form(&[
+                ("grant_type", "client_credentials"),
+                ("client_id", &self.client_id),
+                ("client_secret", self.client_secret.expose_secret()),
+                ("scope", &self.scope),
+            ])
+            .send()
+            .await
+            .map_err(|e| LiterLlmError::Authentication {
+                message: format!("Azure AD token request failed: {e}"),
+            })?;
+        let status = resp.status();
+        let body = resp.text().await.map_err(|e| LiterLlmError::Authentication {
+            message: format!("Azure AD token response unreadable: {e}"),
+        })?;
+        if !status.is_success() {
+            return Err(LiterLlmError::Authentication {
+                message: format!("Azure AD token request returned {status}: {body}"),
+            });
+        }
+        let parsed: TokenResponse = serde_json::from_str(&body).map_err(|e| LiterLlmError::Authentication {
+            message: format!("Azure AD token response parse error: {e}"),
+        })?;
+        Ok(CachedToken {
+            token: SecretString::from(parsed.access_token),
+            acquired_at: Instant::now(),
+            expires_in_secs: parsed.expires_in,
+        })
+    }
+}
+impl CredentialProvider for AzureAdCredentialProvider {
+    fn resolve(&self) -> BoxFuture<'_, Credential> {
+        Box::pin(async move {
+            // Fast path: read lock to check cache.
+            {
+                let guard = self.cached.read().await;
+                if let Some(ref cached) = *guard
+                    && cached.is_valid()
+                {
+                    return Ok(Credential::BearerToken(cached.token.clone()));
+                }
+            }
+            // Slow path: write lock to refresh.
+            let mut guard = self.cached.write().await;
+            // Double-check after acquiring write lock (another task may have refreshed).
+            if let Some(ref cached) = *guard
+                && cached.is_valid()
+            {
+                return Ok(Credential::BearerToken(cached.token.clone()));
+            }
+            let fresh = self.fetch_token().await?;
+            let token = fresh.token.clone();
+            *guard = Some(fresh);
+            Ok(Credential::BearerToken(token))
+        })
+    }
+}
+/// Minimal deserialization of the Azure AD token response.
+#[derive(serde::Deserialize)]
+struct TokenResponse {
+    access_token: String,
+    expires_in: u64,
+}
+/// Read a required environment variable, returning an auth error if missing.
+fn env_var_required(name: &str) -> Result<String, LiterLlmError> {
+    std::env::var(name).map_err(|_| LiterLlmError::Authentication {
+        message: format!("missing required environment variable: {name}"),
+    })
+}
+#[cfg(test)]
+mod tests {
+    use super::*;
+    #[test]
+    fn cached_token_validity() {
+        let cached = CachedToken {
+            token: SecretString::from("test-token".to_owned()),
+            acquired_at: Instant::now(),
+            expires_in_secs: 3600,
+        };
+        assert!(cached.is_valid());
+    }
+    #[test]
+    fn cached_token_expired() {
+        let cached = CachedToken {
+            token: SecretString::from("test-token".to_owned()),
+            // A token with zero lifetime is immediately expired (no Duration subtraction
+            // needed, which avoids panics on Windows where Instant uptime may be < 1h).
+            acquired_at: Instant::now(),
+            expires_in_secs: 0,
+        };
+        assert!(!cached.is_valid());
+    }
+    #[test]
+    fn cached_token_within_buffer() {
+        let cached = CachedToken {
+            token: SecretString::from("test-token".to_owned()),
+            // 200s lifetime is within the 300s expiry buffer, so the token is invalid.
+            acquired_at: Instant::now(),
+            expires_in_secs: 200,
+        };
+        assert!(!cached.is_valid());
+    }
+    #[test]
+    fn default_scope() {
+        let provider = AzureAdCredentialProvider::new("tenant", "client", SecretString::from("secret".to_owned()));
+        assert_eq!(provider.scope, DEFAULT_SCOPE);
+    }
+    #[test]
+    fn with_scope_override() {
+        let provider = AzureAdCredentialProvider::new("tenant", "client", SecretString::from("secret".to_owned()))
+            .with_scope("https://custom.scope/.default");
+        assert_eq!(provider.scope, "https://custom.scope/.default");
+    }
+    #[tokio::test]
+    #[ignore] // Requires network access and valid Azure AD credentials.
+    async fn live_azure_ad_token_exchange() {
+        let provider = AzureAdCredentialProvider::from_env().expect("Azure AD env vars not set");
+        let credential = provider.resolve().await.expect("token exchange failed");
+        assert!(matches!(credential, Credential::BearerToken(_)));
+    }
+}

data/vendor/liter-llm/src/auth/bedrock_sts.rs ADDED Viewed

@@ -0,0 +1,353 @@
+//! AWS STS Web Identity credential provider for Bedrock.
+//!
+//! Exchanges a web identity token (JWT from a file) for temporary AWS
+//! credentials via the STS `AssumeRoleWithWebIdentity` API.  This is the
+//! standard authentication flow for EKS pods using IAM Roles for Service
+//! Accounts (IRSA) and for other OIDC federation scenarios.
+//!
+//! Credentials are cached and refreshed automatically when they are within
+//! 5 minutes of expiry.
+//!
+//! # Environment variables
+//!
+//! | Variable | Description |
+//! |----------|-------------|
+//! | `AWS_ROLE_ARN` | ARN of the IAM role to assume |
+//! | `AWS_WEB_IDENTITY_TOKEN_FILE` | Path to a file containing the OIDC JWT |
+//! | `AWS_ROLE_SESSION_NAME` | Session name (defaults to `liter-llm-session`) |
+//! | `AWS_REGION` or `AWS_DEFAULT_REGION` | AWS region (defaults to `us-east-1`) |
+use std::path::PathBuf;
+use std::time::Instant;
+use secrecy::SecretString;
+use tokio::sync::RwLock;
+use super::{Credential, CredentialProvider};
+use crate::client::BoxFuture;
+use crate::error::LiterLlmError;
+/// Default session name when `AWS_ROLE_SESSION_NAME` is not set.
+const DEFAULT_SESSION_NAME: &str = "liter-llm-session";
+/// Default AWS region when neither `AWS_REGION` nor `AWS_DEFAULT_REGION` is set.
+const DEFAULT_REGION: &str = "us-east-1";
+/// Minimum remaining lifetime before cached credentials are considered expired.
+const EXPIRY_BUFFER_SECS: u64 = 300;
+/// Default credential duration in seconds (1 hour).
+const DEFAULT_DURATION_SECS: u64 = 3600;
+/// Cached temporary credentials.
+struct CachedCredentials {
+    access_key_id: SecretString,
+    secret_access_key: SecretString,
+    session_token: SecretString,
+    acquired_at: Instant,
+    expires_in_secs: u64,
+}
+impl CachedCredentials {
+    /// Returns `true` if the credentials are still valid with the safety buffer.
+    fn is_valid(&self) -> bool {
+        let elapsed = self.acquired_at.elapsed().as_secs();
+        elapsed + EXPIRY_BUFFER_SECS < self.expires_in_secs
+    }
+}
+/// AWS STS Web Identity credential provider.
+///
+/// Reads a JWT from a token file, sends it to the STS
+/// `AssumeRoleWithWebIdentity` endpoint, and returns temporary AWS credentials
+/// suitable for SigV4 signing.
+pub struct WebIdentityCredentialProvider {
+    role_arn: String,
+    token_file: PathBuf,
+    session_name: String,
+    region: String,
+    cached: RwLock<Option<CachedCredentials>>,
+    http_client: reqwest::Client,
+}
+impl WebIdentityCredentialProvider {
+    /// Create a new provider with explicit parameters.
+    #[must_use]
+    pub fn new(
+        role_arn: impl Into<String>,
+        token_file: impl Into<PathBuf>,
+        session_name: impl Into<String>,
+        region: impl Into<String>,
+    ) -> Self {
+        Self {
+            role_arn: role_arn.into(),
+            token_file: token_file.into(),
+            session_name: session_name.into(),
+            region: region.into(),
+            cached: RwLock::new(None),
+            http_client: reqwest::Client::new(),
+        }
+    }
+    /// Create a provider from standard AWS environment variables.
+    ///
+    /// # Errors
+    ///
+    /// Returns [`LiterLlmError::Authentication`] if `AWS_ROLE_ARN` or
+    /// `AWS_WEB_IDENTITY_TOKEN_FILE` are not set.
+    pub fn from_env() -> Result<Self, LiterLlmError> {
+        let role_arn = env_var_required("AWS_ROLE_ARN")?;
+        let token_file = env_var_required("AWS_WEB_IDENTITY_TOKEN_FILE")?;
+        let session_name = std::env::var("AWS_ROLE_SESSION_NAME").unwrap_or_else(|_| DEFAULT_SESSION_NAME.to_owned());
+        let region = std::env::var("AWS_REGION")
+            .or_else(|_| std::env::var("AWS_DEFAULT_REGION"))
+            .unwrap_or_else(|_| DEFAULT_REGION.to_owned());
+        Ok(Self::new(role_arn, token_file, session_name, region))
+    }
+    /// Override the HTTP client used for STS requests.
+    #[must_use]
+    pub fn with_http_client(mut self, client: reqwest::Client) -> Self {
+        self.http_client = client;
+        self
+    }
+    /// Read the web identity token from the token file and exchange it for
+    /// temporary AWS credentials.
+    async fn fetch_credentials(&self) -> Result<CachedCredentials, LiterLlmError> {
+        let token = tokio::fs::read_to_string(&self.token_file)
+            .await
+            .map_err(|e| LiterLlmError::Authentication {
+                message: format!(
+                    "failed to read web identity token file {}: {e}",
+                    self.token_file.display()
+                ),
+            })?;
+        let token = token.trim();
+        let url = format!("https://sts.{}.amazonaws.com/", self.region);
+        let resp = self
+            .http_client
+            .post(&url)
+            .header("Content-Type", "application/x-www-form-urlencoded")
+            .form(&[
+                ("Action", "AssumeRoleWithWebIdentity"),
+                ("Version", "2011-06-15"),
+                ("RoleArn", &self.role_arn),
+                ("RoleSessionName", &self.session_name),
+                ("WebIdentityToken", token),
+                ("DurationSeconds", &DEFAULT_DURATION_SECS.to_string()),
+            ])
+            .send()
+            .await
+            .map_err(|e| LiterLlmError::Authentication {
+                message: format!("STS AssumeRoleWithWebIdentity request failed: {e}"),
+            })?;
+        let status = resp.status();
+        let body = resp.text().await.map_err(|e| LiterLlmError::Authentication {
+            message: format!("STS response unreadable: {e}"),
+        })?;
+        if !status.is_success() {
+            return Err(LiterLlmError::Authentication {
+                message: format!("STS AssumeRoleWithWebIdentity returned {status}: {body}"),
+            });
+        }
+        // Parse the XML response to extract credentials.
+        let creds = parse_sts_response(&body)?;
+        Ok(CachedCredentials {
+            access_key_id: SecretString::from(creds.access_key_id),
+            secret_access_key: SecretString::from(creds.secret_access_key),
+            session_token: SecretString::from(creds.session_token),
+            acquired_at: Instant::now(),
+            expires_in_secs: DEFAULT_DURATION_SECS,
+        })
+    }
+}
+impl CredentialProvider for WebIdentityCredentialProvider {
+    fn resolve(&self) -> BoxFuture<'_, Credential> {
+        Box::pin(async move {
+            // Fast path: read lock to check cache.
+            {
+                let guard = self.cached.read().await;
+                if let Some(ref cached) = *guard
+                    && cached.is_valid()
+                {
+                    return Ok(Credential::AwsCredentials {
+                        access_key_id: cached.access_key_id.clone(),
+                        secret_access_key: cached.secret_access_key.clone(),
+                        session_token: Some(cached.session_token.clone()),
+                    });
+                }
+            }
+            // Slow path: write lock to refresh.
+            let mut guard = self.cached.write().await;
+            // Double-check after acquiring write lock.
+            if let Some(ref cached) = *guard
+                && cached.is_valid()
+            {
+                return Ok(Credential::AwsCredentials {
+                    access_key_id: cached.access_key_id.clone(),
+                    secret_access_key: cached.secret_access_key.clone(),
+                    session_token: Some(cached.session_token.clone()),
+                });
+            }
+            let fresh = self.fetch_credentials().await?;
+            let credential = Credential::AwsCredentials {
+                access_key_id: fresh.access_key_id.clone(),
+                secret_access_key: fresh.secret_access_key.clone(),
+                session_token: Some(fresh.session_token.clone()),
+            };
+            *guard = Some(fresh);
+            Ok(credential)
+        })
+    }
+}
+/// Parsed STS temporary credentials.
+#[derive(Debug)]
+struct StsCredentials {
+    access_key_id: String,
+    secret_access_key: String,
+    session_token: String,
+}
+/// Extract credential fields from the STS XML response using simple string
+/// matching.  We avoid pulling in a full XML parser for three fixed elements.
+fn parse_sts_response(xml: &str) -> Result<StsCredentials, LiterLlmError> {
+    let access_key_id = extract_xml_element(xml, "AccessKeyId")?;
+    let secret_access_key = extract_xml_element(xml, "SecretAccessKey")?;
+    let session_token = extract_xml_element(xml, "SessionToken")?;
+    Ok(StsCredentials {
+        access_key_id,
+        secret_access_key,
+        session_token,
+    })
+}
+/// Extract the text content of a simple XML element `<tag>value</tag>`.
+fn extract_xml_element(xml: &str, tag: &str) -> Result<String, LiterLlmError> {
+    let open = format!("<{tag}>");
+    let close = format!("</{tag}>");
+    let start = xml.find(&open).ok_or_else(|| LiterLlmError::Authentication {
+        message: format!("STS response missing <{tag}> element"),
+    })? + open.len();
+    let end = xml[start..].find(&close).ok_or_else(|| LiterLlmError::Authentication {
+        message: format!("STS response missing </{tag}> element"),
+    })? + start;
+    Ok(xml[start..end].to_owned())
+}
+/// Read a required environment variable, returning an auth error if missing.
+fn env_var_required(name: &str) -> Result<String, LiterLlmError> {
+    std::env::var(name).map_err(|_| LiterLlmError::Authentication {
+        message: format!("missing required environment variable: {name}"),
+    })
+}
+#[cfg(test)]
+mod tests {
+    use super::*;
+    #[test]
+    fn cached_credentials_validity() {
+        let cached = CachedCredentials {
+            access_key_id: SecretString::from("AKIA...".to_owned()),
+            secret_access_key: SecretString::from("secret".to_owned()),
+            session_token: SecretString::from("token".to_owned()),
+            acquired_at: Instant::now(),
+            expires_in_secs: 3600,
+        };
+        assert!(cached.is_valid());
+    }
+    #[test]
+    fn cached_credentials_expired() {
+        let cached = CachedCredentials {
+            access_key_id: SecretString::from("AKIA...".to_owned()),
+            secret_access_key: SecretString::from("secret".to_owned()),
+            session_token: SecretString::from("token".to_owned()),
+            // Zero lifetime is immediately expired; avoids Duration subtraction panic on Windows.
+            acquired_at: Instant::now(),
+            expires_in_secs: 0,
+        };
+        assert!(!cached.is_valid());
+    }
+    #[test]
+    fn parse_sts_xml_response() {
+        let xml = r#"
+        <AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
+          <AssumeRoleWithWebIdentityResult>
+            <Credentials>
+              <AccessKeyId>AKIAIOSFODNN7EXAMPLE</AccessKeyId>
+              <SecretAccessKey>wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</SecretAccessKey>
+              <SessionToken>FwoGZXIvYXdzEBYaDGlY...</SessionToken>
+              <Expiration>2024-01-01T00:00:00Z</Expiration>
+            </Credentials>
+          </AssumeRoleWithWebIdentityResult>
+        </AssumeRoleWithWebIdentityResponse>
+        "#;
+        let creds = parse_sts_response(xml).expect("should parse");
+        assert_eq!(creds.access_key_id, "AKIAIOSFODNN7EXAMPLE");
+        assert_eq!(creds.secret_access_key, "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY");
+        assert_eq!(creds.session_token, "FwoGZXIvYXdzEBYaDGlY...");
+    }
+    #[test]
+    fn parse_sts_xml_missing_element() {
+        let xml = r"<Response><AccessKeyId>AKIA</AccessKeyId></Response>";
+        let err = parse_sts_response(xml).unwrap_err();
+        assert!(err.to_string().contains("SecretAccessKey"));
+    }
+    #[test]
+    fn extract_xml_element_success() {
+        let xml = "<Root><Foo>bar</Foo></Root>";
+        assert_eq!(extract_xml_element(xml, "Foo").expect("should work"), "bar");
+    }
+    #[test]
+    fn extract_xml_element_missing_open() {
+        let err = extract_xml_element("<Root></Root>", "Missing").unwrap_err();
+        assert!(err.to_string().contains("<Missing>"));
+    }
+    #[test]
+    fn constructor_defaults() {
+        let provider = WebIdentityCredentialProvider::new(
+            "arn:aws:iam::123456789012:role/TestRole",
+            "/var/run/secrets/token",
+            "test-session",
+            "eu-west-1",
+        );
+        assert_eq!(provider.role_arn, "arn:aws:iam::123456789012:role/TestRole");
+        assert_eq!(provider.session_name, "test-session");
+        assert_eq!(provider.region, "eu-west-1");
+    }
+    #[tokio::test]
+    #[ignore] // Requires network access and valid AWS OIDC credentials.
+    async fn live_sts_web_identity_exchange() {
+        let provider = WebIdentityCredentialProvider::from_env().expect("AWS env vars not set");
+        let credential = provider.resolve().await.expect("STS exchange failed");
+        assert!(matches!(credential, Credential::AwsCredentials { .. }));
+    }
+}

data/vendor/liter-llm/src/auth/mod.rs ADDED Viewed

@@ -0,0 +1,68 @@
+#[cfg(feature = "azure-auth")]
+pub mod azure_ad;
+#[cfg(feature = "bedrock-auth")]
+pub mod bedrock_sts;
+#[cfg(feature = "vertex-auth")]
+pub mod vertex_oauth;
+use std::sync::Arc;
+use secrecy::SecretString;
+use crate::client::BoxFuture;
+/// Dynamic credential provider for providers that use token-based auth
+/// (Azure AD, Vertex OAuth2) or refreshable credentials (AWS STS).
+///
+/// Implementations handle caching, refresh, and expiry internally.
+/// The client calls `resolve()` before each request when a credential
+/// provider is configured.
+pub trait CredentialProvider: Send + Sync {
+    /// Retrieve a valid credential.
+    ///
+    /// Implementations should cache credentials and only refresh when
+    /// expired or about to expire.
+    fn resolve(&self) -> BoxFuture<'_, Credential>;
+}
+/// Blanket implementation so `Arc<dyn CredentialProvider>` is itself a
+/// `CredentialProvider`, making it convenient to share providers across
+/// clients.
+impl CredentialProvider for Arc<dyn CredentialProvider> {
+    fn resolve(&self) -> BoxFuture<'_, Credential> {
+        (**self).resolve()
+    }
+}
+/// A resolved credential ready for use in request authentication.
+#[derive(Debug, Clone)]
+pub enum Credential {
+    /// Bearer token (Azure AD, Vertex OAuth2, generic OIDC).
+    BearerToken(SecretString),
+    /// AWS credentials for SigV4 signing.
+    AwsCredentials {
+        access_key_id: SecretString,
+        secret_access_key: SecretString,
+        session_token: Option<SecretString>,
+    },
+}
+/// A static credential provider that always returns the same bearer token.
+/// Useful for testing or when tokens are managed externally.
+pub struct StaticTokenProvider {
+    token: SecretString,
+}
+impl StaticTokenProvider {
+    #[must_use]
+    pub fn new(token: SecretString) -> Self {
+        Self { token }
+    }
+}
+impl CredentialProvider for StaticTokenProvider {
+    fn resolve(&self) -> BoxFuture<'_, Credential> {
+        let token = self.token.clone();
+        Box::pin(async move { Ok(Credential::BearerToken(token)) })
+    }
+}