SNOW-694457: no_proxy support

Author: sfc-gh-fpawlowski

src/snowflake/connector/connection.py

@@ -199,6 +199,10 @@ def _get_private_bytes_from_file(
     "proxy_port": (None, (type(None), str)),  # snowflake
     "proxy_user": (None, (type(None), str)),  # snowflake
     "proxy_password": (None, (type(None), str)),  # snowflake
+    "no_proxy": (
+        None,
+        (type(None), str, Iterable),
+    ),  # hosts/ips to bypass proxy (str or iterable)
     "protocol": ("https", str),  # snowflake
     "warehouse": (None, (type(None), str)),  # snowflake
     "region": (None, (type(None), str)),  # snowflake
@@ -1076,6 +1080,15 @@ def connect(self, **kwargs) -> None:
             proxy_port=self.proxy_port,
             proxy_user=self.proxy_user,
             proxy_password=self.proxy_password,
+            no_proxy=(
+                ",".join(str(x) for x in self.no_proxy)
+                if (
+                    self.no_proxy is not None
+                    and isinstance(self.no_proxy, Iterable)
+                    and not isinstance(self.no_proxy, (str, bytes))
+                )
+                else self.no_proxy
+            ),
         )
         self._session_manager = SessionManager(self._http_config)
 

src/snowflake/connector/session_manager.py

@@ -134,6 +134,7 @@ class BaseHttpConfig:
     proxy_port: str | None = None
     proxy_user: str | None = None
     proxy_password: str | None = None
+    no_proxy: str | None = None
 
     def copy_with(self, **overrides: Any) -> BaseHttpConfig:
         """Return a new config with overrides applied."""
@@ -477,7 +478,11 @@ def _mount_adapters(self, session: requests.Session) -> None:
     def make_session(self) -> Session:
         session = requests.Session()
         self._mount_adapters(session)
-        session.proxies = {"http": self.proxy_url, "https": self.proxy_url}
+        session.proxies = {
+            "http": self.proxy_url,
+            "https": self.proxy_url,
+            "no_proxy": self._cfg.no_proxy,
+        }
         return session
 
     @contextlib.contextmanager

test/test_utils/cross_module_fixtures/wiremock_fixtures.py

@@ -8,7 +8,11 @@
 
 import snowflake.connector
 
-from ..wiremock.wiremock_utils import WiremockClient, get_clients_for_proxy_and_target
+from ..wiremock.wiremock_utils import (
+    WiremockClient,
+    get_clients_for_proxy_and_target,
+    get_clients_for_proxy_target_and_storage,
+)
 
 
 @pytest.fixture(scope="session")
@@ -71,6 +75,7 @@ def wiremock_target_proxy_pair(wiremock_generic_mappings_dir):
     """Starts a *target* Wiremock and a *proxy* Wiremock pre-configured to forward to it.
 
     The fixture yields a tuple ``(target_wm, proxy_wm)`` of  ``WiremockClient``
+    where the order is (backend, proxy).
     instances.  It is a thin wrapper around
     ``test.test_utils.wiremock.wiremock_utils.proxy_target_pair``.
     """
@@ -81,3 +86,36 @@ def wiremock_target_proxy_pair(wiremock_generic_mappings_dir):
         proxy_mapping_template=wiremock_proxy_mapping_path
     ) as pair:
         yield pair
+
+
+@pytest.fixture
+def wiremock_three_clients(wiremock_generic_mappings_dir):
+    """Starts target (DB), storage (S3), and proxy Wiremocks using shared helper.
+
+    Returns (target_wm, storage_wm, proxy_wm) in that order.
+
+    Deprecated: Prefer ``wiremock_backend_storage_proxy`` for clearer naming.
+    """
+    wiremock_proxy_mapping_path = (
+        wiremock_generic_mappings_dir / "proxy_forward_all.json"
+    )
+    with get_clients_for_proxy_target_and_storage(
+        proxy_mapping_template=wiremock_proxy_mapping_path
+    ) as triple:
+        yield triple
+
+
+@pytest.fixture
+def wiremock_backend_storage_proxy(wiremock_generic_mappings_dir):
+    """Starts backend (DB), storage (S3), and proxy Wiremocks.
+
+    Returns a tuple ``(backend_wm, storage_wm, proxy_wm)`` to make roles explicit.
+    Use when backend and storage must have distinct host:ports (e.g., selective proxy bypass).
+    """
+    wiremock_proxy_mapping_path = (
+        wiremock_generic_mappings_dir / "proxy_forward_all.json"
+    )
+    with get_clients_for_proxy_target_and_storage(
+        proxy_mapping_template=wiremock_proxy_mapping_path
+    ) as triple:
+        yield triple

test/test_utils/wiremock/wiremock_utils.py

@@ -345,3 +345,46 @@ def get_clients_for_proxy_and_target(
 
             # Yield control back to the caller with both Wiremocks ready
             yield target_wm, proxy_wm
+
+
+@contextmanager
+def get_clients_for_proxy_target_and_storage(
+    proxy_mapping_template: Union[str, dict, pathlib.Path, None] = None,
+    additional_proxy_placeholders: Optional[dict[str, object]] = None,
+    additional_proxy_args: Optional[Iterable[str]] = None,
+):
+    """Context manager that starts three Wiremock instances – *target* (DB), *storage* (S3), and *proxy*.
+
+    The *proxy* is configured to forward all traffic to *target* using the same
+    mapping mechanism as ``get_clients_for_proxy_and_target``.
+
+    Yields a tuple ``(target_wm, storage_wm, proxy_wm)``. All processes are shut down
+    automatically on context exit.
+
+    Note:
+        In most tests a single Wiremock instance is sufficient to emulate both backend
+        and storage endpoints. Use this helper only when backend and storage must have
+        distinct addresses (host:port) — for example, to validate that NO_PROXY bypasses
+        the proxy for one service while proxying the other.
+    """
+    # Reuse existing helper to set up target+proxy
+    if proxy_mapping_template is None:
+        proxy_mapping_template = (
+            pathlib.Path(__file__).parent.parent.parent.parent
+            / "test"
+            / "data"
+            / "wiremock"
+            / "mappings"
+            / "generic"
+            / "proxy_forward_all.json"
+        )
+
+    with get_clients_for_proxy_and_target(
+        proxy_mapping_template=proxy_mapping_template,
+        additional_proxy_placeholders=additional_proxy_placeholders,
+        additional_proxy_args=additional_proxy_args,
+    ) as (target_wm, proxy_wm):
+        # Start storage with a port distinct from target and proxy
+        forbidden = [target_wm.wiremock_http_port, proxy_wm.wiremock_http_port]
+        with WiremockClient(forbidden_ports=forbidden) as storage_wm:
+            yield target_wm, storage_wm, proxy_wm

test/unit/test_proxies.py

@@ -3,6 +3,7 @@
 
 import logging
 import unittest.mock
+from collections import deque
 
 import pytest
 
@@ -160,3 +161,178 @@ def test_basic_query_through_proxy(
         "/queries/v1/query-request" in r["request"]["url"]
         for r in target_reqs["requests"]
     )
+
+
+"""
+Note: The single-target no_proxy test was removed in favor of
+test_no_proxy_multiple_hosts_and_ports, which validates both backend and storage
+paths and multiple no_proxy entries using shared session manager logic.
+"""
+
+
+@pytest.mark.skipolddriver
+@pytest.mark.parametrize(
+    "no_proxy_factory,expect_backend_proxy,expect_storage_proxy",
+    [
+        (lambda target, storage: [f"localhost:{target}"], False, True),
+        (lambda target, storage: [f"localhost:{storage}"], True, False),
+        (
+            lambda target, storage: [f"localhost:{target}", f"localhost:{storage}"],
+            False,
+            False,
+        ),
+        (
+            lambda target, storage: ["localhost"],
+            False,
+            False,
+        ),  # host-only bypasses both
+        # Tuple and set variants
+        (lambda target, storage: (f"localhost:{target}",), False, True),
+        (lambda target, storage: {f"localhost:{storage}"}, True, False),
+        (
+            lambda target, storage: frozenset(
+                {f"localhost:{target}", f"localhost:{storage}"}
+            ),
+            False,
+            False,
+        ),
+        # Deque (generic iterable) variant
+        (
+            lambda target, storage: deque(
+                [f"localhost:{target}", f"localhost:{storage}"]
+            ),
+            False,
+            False,
+        ),
+        # One long CSV string with many irrelevant entries around both target and storage
+        (
+            lambda target, storage: (
+                "foo.invalid:1,bar.invalid:2,"
+                f"localhost:{target},"
+                "baz.invalid:3,qux.invalid:4,"
+                f"localhost:{storage},"
+                "zoo.invalid:5"
+            ),
+            False,
+            False,
+        ),
+    ],
+)
+@pytest.mark.parametrize("proxy_method", ["explicit_args", "env_vars"])
+def test_no_proxy_multiple_hosts_and_ports(
+    wiremock_backend_storage_proxy,
+    wiremock_generic_mappings_dir,
+    wiremock_mapping_dir,
+    proxy_env_vars,
+    proxy_method,
+    no_proxy_factory,
+    expect_backend_proxy,
+    expect_storage_proxy,
+):
+    target_wm, storage_wm, proxy_wm = wiremock_backend_storage_proxy
+
+    # Configure DB and storage mappings (no Via header assertion; we check journals)
+    password_mapping = wiremock_mapping_dir / "auth/password/successful_flow.json"
+    multi_chunk_request_mapping = (
+        wiremock_mapping_dir / "queries/select_large_request_successful.json"
+    )
+    chunk_1_mapping = wiremock_mapping_dir / "queries/chunk_1.json"
+    chunk_2_mapping = wiremock_mapping_dir / "queries/chunk_2.json"
+    disconnect_mapping = (
+        wiremock_generic_mappings_dir / "snowflake_disconnect_successful.json"
+    )
+    telemetry_mapping = wiremock_generic_mappings_dir / "telemetry.json"
+
+    # Import login, disconnect, telemetry on backend
+    target_wm.import_mapping_with_default_placeholders(password_mapping)
+    target_wm.add_mapping(disconnect_mapping)
+    target_wm.add_mapping(telemetry_mapping)
+
+    # Add multi-chunk query response on backend, but point chunk URLs to storage host
+    target_wm.add_mapping(
+        multi_chunk_request_mapping,
+        placeholders={
+            "{{WIREMOCK_HTTP_HOST_WITH_PORT}}": storage_wm.http_host_with_port
+        },
+    )
+
+    # Add chunk GET mappings to storage
+    storage_wm.add_mapping_with_default_placeholders(chunk_1_mapping)
+    storage_wm.add_mapping_with_default_placeholders(chunk_2_mapping)
+
+    # Configure proxy env/args
+    set_proxy_env_vars, clear_proxy_env_vars = proxy_env_vars
+    connect_kwargs = {
+        "user": "testUser",
+        "password": "testPassword",
+        "account": "testAccount",
+        "host": target_wm.wiremock_host,
+        "port": target_wm.wiremock_http_port,
+        "protocol": "http",
+        "warehouse": "TEST_WH",
+    }
+
+    if proxy_method == "explicit_args":
+        connect_kwargs.update(
+            {
+                "proxy_host": proxy_wm.wiremock_host,
+                "proxy_port": str(proxy_wm.wiremock_http_port),
+            }
+        )
+        clear_proxy_env_vars()
+    else:
+        proxy_url = f"http://{proxy_wm.wiremock_host}:{proxy_wm.wiremock_http_port}"
+        set_proxy_env_vars(proxy_url)
+
+    # Build no_proxy (factory may return CSV string or any iterable)
+    connect_kwargs["no_proxy"] = no_proxy_factory(
+        target_wm.wiremock_http_port, storage_wm.wiremock_http_port
+    )
+
+    # Connect and perform DB query (will return chunk URLs to storage host)
+    cnx = snowflake.connector.connect(**connect_kwargs)
+    cur = cnx.cursor()
+    cur.execute("SELECT 1")
+    # Consume results to force chunk downloads
+    _ = list(cur)
+
+    # Simulate a storage(S3) GET using the same session manager (to honor connection's proxy settings)
+    cnx._session_manager.get(f"{storage_wm.http_host_with_port}/__admin/health")
+
+    cur.close()
+    cnx.close()
+
+    # Check proxy vs target/storage
+    proxy_reqs = requests.get(f"{proxy_wm.http_host_with_port}/__admin/requests").json()
+    target_reqs = requests.get(
+        f"{target_wm.http_host_with_port}/__admin/requests"
+    ).json()
+    storage_reqs = requests.get(
+        f"{storage_wm.http_host_with_port}/__admin/requests"
+    ).json()
+
+    # DB query expectation
+    proxy_saw_db = any(
+        "/queries/v1/query-request" in r["request"]["url"]
+        for r in proxy_reqs["requests"]
+    )
+    target_saw_db = any(
+        "/queries/v1/query-request" in r["request"]["url"]
+        for r in target_reqs["requests"]
+    )
+    assert target_saw_db
+    assert proxy_saw_db == expect_backend_proxy
+
+    # Storage chunk GET expectation
+    proxy_saw_storage = any(
+        "/amazonaws/test/s3testaccount/stage/results/" in r["request"]["url"]
+        for r in proxy_reqs["requests"]
+    )
+    storage_saw_storage = any(
+        "/amazonaws/test/s3testaccount/stage/results/" in r["request"]["url"]
+        for r in storage_reqs["requests"]
+    )
+    assert storage_saw_storage
+    assert proxy_saw_storage == expect_storage_proxy
+
+    # No extra CSV branch: connection code normalizes strings/iterables equivalently