ProxyEnvironment: Handle no_proxy="*"

jku · jku · commit 265e772dba20 · 2025-02-20T10:56:23.000+02:00
Add support for leading dots in no_proxy and "*" as a no_proxy value. Both are supported in requests and based on https://about.gitlab.com/blog/2021/01/27/we-need-to-talk-no-proxy/ both are somewhat common. Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
diff --git a/tests/test_proxy_environment.py b/tests/test_proxy_environment.py
@@ -137,6 +137,35 @@ def test_no_proxy_subdomain_match(self, mock_getproxies: Mock) -> None:
         # and a https proxymanager
         self.assert_pool_managers(env, [None, "http://localhost:9999"])
 
+    @patch("tuf.ngclient._internal.proxy.getproxies")
+    def test_no_proxy_wildcard(self, mock_getproxies: Mock) -> None:
+        mock_getproxies.return_value = {
+            "https": "http://localhost:8888",
+            "no": "*",
+        }
+
+        env = ProxyEnvironment()
+        env.get_pool_manager("https", "example.com")
+        env.get_pool_manager("https", "differentsite.com")
+        env.get_pool_manager("https", "subdomain.example.com")
+
+        # There is a single pool manager, no proxies
+        self.assert_pool_managers(env, [None])
+
+    @patch("tuf.ngclient._internal.proxy.getproxies")
+    def test_no_proxy_leading_dot(self, mock_getproxies: Mock) -> None:
+        mock_getproxies.return_value = {
+            "https": "http://localhost:8888",
+            "no": ".example.com",
+        }
+
+        env = ProxyEnvironment()
+        env.get_pool_manager("https", "example.com")
+        env.get_pool_manager("https", "subdomain.example.com")
+
+        # There is a single pool manager, no proxies
+        self.assert_pool_managers(env, [None])
+
     @patch("tuf.ngclient._internal.proxy.getproxies")
     def test_all_proxy_set(self, mock_getproxies: Mock) -> None:
         mock_getproxies.return_value = {
diff --git a/tuf/ngclient/_internal/proxy.py b/tuf/ngclient/_internal/proxy.py
@@ -38,8 +38,9 @@ def __init__(
         if no_proxy is None:
             self._no_proxy_hosts = []
         else:
+            # split by comma, remove leading periods
             self._no_proxy_hosts = [
-                h for h in no_proxy.replace(" ", "").split(",") if h
+                h.lstrip(".") for h in no_proxy.replace(" ", "").split(",") if h
             ]
 
     def _get_proxy(self, scheme: str | None, host: str | None) -> str | None:
@@ -50,10 +51,12 @@ def _get_proxy(self, scheme: str | None, host: str | None) -> str | None:
             # even for schemes that don't require host (like file)
             return None
 
-        # does host match "no_proxy" hosts?
+        # does host match any of the "no_proxy" hosts?
         for no_proxy_host in self._no_proxy_hosts:
-            # exact hostname match or parent domain match
-            if host == no_proxy_host or host.endswith(f".{no_proxy_host}"):
+            # wildcard match, exact hostname match, or parent domain match
+            if no_proxy_host in ("*", host) or host.endswith(
+                f".{no_proxy_host}"
+            ):
                 return None
 
         if scheme in self._proxies:
