feat(rust): add HTTP proxy support (#364)

## Summary
- Add HTTP/HTTPS proxy support to the Rust ADBC driver via 4 new config
parameters:
- `databricks.http.proxy.url` — proxy URL (overrides
`HTTP_PROXY`/`HTTPS_PROXY` env vars)
- `databricks.http.proxy.username` / `password` — authenticated proxy
support
- `databricks.http.proxy.bypass_hosts` — comma-separated hosts to skip
proxy
- All changes scoped to `DatabricksHttpClient::new()` — proxy applies to
all requests (SEA API, CloudFetch, OAuth)
- Includes design spec, unit tests, e2e tests, and a new `rust-e2e.yml`
CI workflow with Squid proxy sidecars

## Changes

### Core implementation (`rust/src/client/http.rs`)
- New `ProxyConfig` struct with `url`, `username`, `password`,
`bypass_hosts`
- Added `proxy` field to `HttpClientConfig`
- Updated `DatabricksHttpClient::new()` to conditionally configure
`reqwest::Proxy`

### Config parsing (`rust/src/database.rs`)
- `set_option` / `get_option_string` handlers for all 4 proxy parameters

### E2E tests (`rust/tests/proxy_e2e.rs`)
- `test_connection_through_proxy` — unauthenticated Squid proxy
- `test_connection_through_authenticated_proxy` — basic auth Squid proxy
- `test_proxy_bypass_hosts` — verifies bypass list skips proxy

### CI workflow (`.github/workflows/rust-e2e.yml`)
- New generic Rust e2e workflow (first job: proxy tests, extensible for
future e2e jobs)
- Squid service container (unauthenticated) + docker run step
(authenticated proxy with custom config)
- Squid access log verification to prove traffic actually routed through
proxy

## Test plan
- [x] Unit tests pass (`cargo test` — 236 passed)
- [x] Clippy clean (`cargo clippy --all-targets -- -D warnings`)
- [x] Format clean (`cargo +stable fmt --all`)
- [x] E2E/Proxy CI job passes (3 tests against real Databricks through
Squid proxies)

This pull request was AI-assisted by Isaac.

Author: vikrantpuppala

.github/workflows/rust-e2e.yml

@@ -0,0 +1,107 @@
+# Copyright (c) 2025 ADBC Drivers Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Rust E2E Tests
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - "rust/**"
+      - .github/workflows/rust-e2e.yml
+  pull_request:
+    branches:
+      - main
+    paths:
+      - "rust/**"
+      - .github/workflows/rust-e2e.yml
+
+concurrency:
+  group: ${{ github.repository }}-${{ github.head_ref || github.sha }}-rust-e2e
+  cancel-in-progress: true
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  proxy:
+    name: "Proxy"
+    runs-on: ubuntu-latest
+    env:
+      DATABRICKS_HOST: ${{ secrets.DATABRICKS_HOST }}
+      DATABRICKS_HTTP_PATH: ${{ secrets.TEST_PECO_WAREHOUSE_HTTP_PATH }}
+      DATABRICKS_TEST_CLIENT_ID: ${{ secrets.DATABRICKS_TEST_CLIENT_ID }}
+      DATABRICKS_TEST_CLIENT_SECRET: ${{ secrets.DATABRICKS_TEST_CLIENT_SECRET }}
+
+    services:
+      # Unauthenticated forward proxy (no volume mounts needed)
+      squid:
+        image: ubuntu/squid:latest
+        ports:
+          - 3128:3128
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      # Start authenticated proxy after checkout so config files are available
+      - name: Start authenticated proxy
+        run: |
+          docker run -d --name squid-auth \
+            -p 3129:3128 \
+            -v ${{ github.workspace }}/rust/ci/proxy/squid-auth.conf:/etc/squid/squid.conf \
+            -v ${{ github.workspace }}/rust/ci/proxy/htpasswd:/etc/squid/htpasswd \
+            ubuntu/squid:latest
+          # Wait for squid to be ready
+          for i in $(seq 1 10); do
+            if docker exec squid-auth squid -k check 2>/dev/null; then
+              echo "Authenticated proxy is ready"
+              break
+            fi
+            echo "Waiting for authenticated proxy to start... ($i/10)"
+            sleep 1
+          done
+
+      - uses: actions-rust-lang/setup-rust-toolchain@v1
+
+      - name: Run proxy E2E tests
+        working-directory: rust
+        run: cargo test --test proxy_e2e -- --ignored --nocapture
+
+      - name: Verify proxy was used (unauthenticated)
+        if: always()
+        run: |
+          docker logs $(docker ps -q --filter "publish=3128") 2>&1 \
+            | grep -i "CONNECT" \
+            || (echo "FAIL: No CONNECT entries found in squid logs — proxy was not used" && exit 1)
+
+      - name: Verify proxy was used (authenticated)
+        if: always()
+        run: |
+          docker logs squid-auth 2>&1 \
+            | grep -i "CONNECT" \
+            || (echo "FAIL: No CONNECT entries found in squid-auth logs — proxy was not used" && exit 1)
+
+      - name: Cleanup authenticated proxy
+        if: always()
+        run: docker rm -f squid-auth 2>/dev/null || true
+
+  # Future e2e jobs can be added here, e.g.:
+  # cloudfetch:
+  #   name: "E2E/CloudFetch"
+  #   ...

.rat-excludes

@@ -37,3 +37,5 @@ test-infrastructure/proxy-server/generated/**
 rust/Cargo.lock
 rust/license.tpl
 rust/pixi.lock
+# htpasswd is a data file (username:password_hash) that cannot contain license headers
+rust/ci/proxy/htpasswd

rust/ci/proxy/htpasswd

@@ -0,0 +1 @@
+testuser:$1$7dnCQ2ZE$C5gL4sx7Ur/HH/Vsx5wRV.

rust/ci/proxy/squid-auth.conf

@@ -0,0 +1,26 @@
+# Copyright (c) 2025 ADBC Drivers Contributors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Squid configuration for authenticated proxy testing.
+# Requires basic auth using credentials from htpasswd file.
+
+auth_param basic program /usr/lib/squid/basic_ncsa_auth /etc/squid/htpasswd
+auth_param basic realm Proxy Auth Required
+auth_param basic credentialsttl 1 hour
+
+acl authenticated proxy_auth REQUIRED
+http_access allow authenticated
+http_access deny all
+
+http_port 3128