Bump patch version

Fixes #7

Makefile

@@ -1,8 +1,5 @@
 # tox-poetry-installer makefile
 
-# You can set these variables from the command line
-PROJECT = tox_poetry_installer
-
 .PHONY: help
 # Put it first so that "make" without argument is like "make help"
 # Adapted from:
@@ -11,19 +8,18 @@ help: ## List Makefile targets
 	$(info Makefile documentation)
 	@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-10s\033[0m %s\n", $$1, $$2}'
 
-tox: clean
-	tox
-
 clean-tox:
-	rm -rf ./.mypy_cache
+	rm --recursive --force ./.mypy_cache
-	rm -rf ./.tox
+	rm --recursive --force ./.tox
-	rm -f .coverage
+	rm --recursive --force tests/__pycache__/
+	rm --recursive --force .pytest_cache/
+	rm --force .coverage
 
 clean-py:
-	rm -rf ./dist
+	rm --recursive --force ./dist
-	rm -rf ./build
+	rm --recursive --force ./build
-	rm -rf ./*.egg-info
+	rm --recursive --force ./*.egg-info
-	rm -rf __pycache__/
+	rm --recursive --force __pycache__/
 
 clean: clean-tox clean-py; ## Clean temp build/cache files and directories
 
@@ -34,4 +30,7 @@ source: ## Build Python source distribution package
 	poetry build --format sdist
 
 test: ## Run the project testsuite(s)
-	poetry run tox -r
+	poetry run tox --recreate
+
+publish: wheel source ## Build and upload to pypi (requires $PYPI_API_KEY be set)
+	poetry publish --username __token__ --password $(PYPI_API_KEY)

README.md

@@ -1,19 +1,22 @@
 # tox-poetry-installer
 
 A plugin for [Tox](https://tox.readthedocs.io/en/latest/) that allows test environment
-dependencies to be installed using [Poetry](https://python-poetry.org/) using its lockfile.
+dependencies to be installed using [Poetry](https://python-poetry.org/) from its lockfile.
 
-⚠️ **This project is alpha software and should not be used in a production capacity** ⚠️
+⚠️ **This project is alpha software and should not be used in production environments** ⚠️
 
-![image](https://img.shields.io/pypi/l/tox-poetry-installer)
+[![image](https://img.shields.io/pypi/l/tox-poetry-installer)](https://opensource.org/licenses/MIT)
-![image](https://img.shields.io/pypi/v/tox-poetry-installer)
+[![image](https://img.shields.io/pypi/v/tox-poetry-installer)](https://pypi.org/project/tox-poetry-installer/)
-![image](https://img.shields.io/pypi/pyversions/tox-poetry-installer)
+[![image](https://img.shields.io/pypi/pyversions/tox-poetry-installer)](https://www.python.org)
+[![Code style: black](https://img.shields.io/badge/code%20style-black-000000.svg)](https://github.com/psf/black)
 
 **Documentation**
 
-* [Installation and Usage](#installation-and-usage)
+* [Installation](#installation)
-* [Limitations](#limitations)
+* [Quick Start](#quick-start)
-* [Why would I use this?](#what-problems-does-this-solve) (What problems does this solve?)
+* [Usage Examples](#usage-examples)
+* [Known Drawbacks and Problems](#known-drawbacks-and-problems)
+* [Why would I use this?](#why-would-i-use-this) (What problems does this solve?)
 * [Developing](#developing)
 * [Contributing](#contributing)
 * [Roadmap](#roadmap)
@@ -26,82 +29,262 @@ Related resources:
 * [Tox plugins](https://tox.readthedocs.io/en/latest/plugins.html)
 
 
-## Installation and Usage
+## Installation
 
-1. Install the plugin from PyPI:
+Add the plugin as a development dependency of a Poetry project:
 
 ```
-poetry add tox-poetry-installer --dev
+~ $: poetry add tox-poetry-installer --dev
 ```
 
-2. Remove all version specifications from the environment dependencies in `tox.ini`:
+Confirm that the plugin is installed, and Tox recognizes it, by checking the Tox version:
+
+```
+~ $: poetry run tox --version
+3.20.0 imported from .venv/lib64/python3.8/site-packages/tox/__init__.py
+registered plugins:
+    tox-poetry-installer-0.2.2 at .venv/lib64/python3.8/site-packages/tox_poetry_installer.py
+```
+
+If using Pip, ensure that the plugin is installed to the same environment as Tox:
+
+```
+# Calling the virtualenv's 'pip' binary directly will cause pip to install to that virtualenv
+~ $: /path/to/my/automation/virtualenv/bin/pip install tox
+~ $: /path/to/my/automation/virtualenv/bin/pip install tox-poetry-installer
+```
+
+
+## Quick Start
+
+To require a Tox environment install all it's dependencies from the Poetry lockfile, add the
+`require_locked_deps = true` option to the environment configuration and remove all version
+specifiers from the dependency list. The versions to install will be taken from the lockfile
+directly:
 
 ```ini
-# This...
 [testenv]
-description = My cool test environment
+description = Run the tests
+require_locked_deps = true
 deps =
-    requests >=2.19,<3.0
-    toml == 0.10.0
-    pytest >=5.4
-
-# ...becomes this:
-[testenv]
-description = My cool test environment
-deps =
-    requests
-    toml
     pytest
+    pytest-cov
+    black
+    pylint
+    mypy
+commands = ...
 ```
 
-3. Run Tox with the `--recreate` flag to rebuild the test environments:
+To require specific dependencies be installed from the Poetry lockfile, and let the rest be
+installed using the default Tox installation backend, add the suffix `@poetry` to the dependencies.
+In the example below the `pytest`, `pytest-cov`, and `black` dependencies will be installed from
+the lockfile while `pylint` and `mypy` will be installed using the versions specified here:
 
-```
+```ini
-poetry run tox --recreate
+[testenv]
+description = Run the tests
+require_locked_deps = true
+deps =
+    pytest@poetry
+    pytest-cov@poetry
+    black@poetry
+    pylint >=2.5.0
+    mypy == 0.770
+commands = ...
 ```
 
-4. 💸 Profit 💸
+**Note:** Regardless of the settings outlined above, all dependencies of the project package (the
+one Tox is testing) will always be installed from the lockfile.
 
 
-## Limitations
+## Usage Examples
 
-* In general, any command line or INI settings that affect how Tox installs environment
+After installing the plugin to a project your Tox automation is already benefiting from the
-  dependencies will be disabled by installing this plugin. A non-exhaustive and untested
+lockfile: when Tox installs your project package to one of your environments, all the dependencies
-  list of the INI options that are not expected to work with this plugin is below:
+of your project package will be installed using the versions specified in the lockfile. This
+happens automatically and requires no configuration changes.
+
+But what about the rest of your Tox environment dependencies?
+
+Let's use an example `tox.ini` file, below, that defines two environments: the main `testenv` for
+running the project tests and `testenv:check` for running some other helpful tools:
+
+```ini
+[tox]
+envlist = py37, static
+isolated_build = true
+
+[testenv]
+description = Run the tests
+deps =
+    pytest == 5.3.0
+commands = ...
+
+[testenv:check]
+description = Static formatting and quality enforcement
+deps =
+    pylint >=2.4.4,<2.6.0
+    mypy == 0.770
+    black --pre
+commands = ...
+```
+
+Let's focus on the `testenv:check` environment first. In this project there's no reason that any
+of these tools should be a different version than what a human developer is using when installing
+from the lockfile. We can require that these dependencies be installed from the lockfile by adding
+the option `require_locked_deps = true` to the environment config, but this will cause an error:
+
+```ini
+[testenv:check]
+description = Static formatting and quality enforcement
+require_locked_deps = true
+deps =
+    pylint >=2.4.4,<2.6.0
+    mypy == 0.770
+    black --pre
+commands = ...
+```
+
+Running Tox using this config gives us this error:
+
+```
+tox_poetry_installer.LockedDepVersionConflictError: Locked dependency 'pylint >=2.4.4,<2.6.0' cannot include version specifier
+```
+
+This is because we told the Tox environment to require all dependencies be locked, but then also
+specified a specific version constraint for Pylint. With the `require_locked_deps = true` setting
+Tox expects all dependencies to take their version from the lockfile, so when it gets conflicting
+information it errors. We can fix this by simply removing all version specifiers from the
+environment dependency list:
+
+```ini
+[testenv:check]
+description = Static formatting and quality enforcement
+require_locked_deps = true
+deps =
+    pylint
+    mypy
+    black
+commands = ...
+```
+
+Now all the dependencies will be installed from the lockfile. If Poetry updates the lockfile with
+a new version then that updated version will be automatically installed when the Tox environment is
+recreated.
+
+Now let's look at the `testenv` environment. Let's make the same changes to the `testenv`
+environment that we made to `testenv:check` above; remove the PyTest version and add
+`require_locked_deps = true`. Then imagine that we want to add the
+[Requests](https://requests.readthedocs.io/en/master/) library to the test environment: we
+can add `requests` as a dependency of the test environment, but this will cause an error:
+
+```ini
+[testenv]
+description = Run the tests
+require_locked_deps = true
+deps =
+    pytest
+    requests
+commands = ...
+```
+
+Running Tox with this config gives us this error:
+
+```
+tox_poetry_installer.LockedDepNotFoundError: No version of locked dependency 'requests' found in the project lockfile
+```
+
+This is because `requests` is not in our lockfile yet. Tox will refuse to install a dependency
+that isn't in the lockfile to an an environment that specifies `require_locked_deps = true`. We
+can fix this by running `poetry add requests --dev` to add it to the lockfile.
+
+Now let's combine dependencies from the lockfile with dependencies that are
+specified in-line in the Tox environment configuration.
+[This isn't generally recommended](#why-would-i-use-this), but it is a valid use case and
+fully supported by this plugin. Let's modify the `testenv` configuration to install PyTest
+from the lockfile but then install an older version of the Requests library.
+
+The first thing to do is remove the `require_locked_deps = true` setting so that we can install
+Requests as an unlocked dependency. Then we can add our version specifier to the `requests`
+entry in the dependency list:
+
+```ini
+[testenv]
+description = Run the tests
+deps =
+    pytest
+    requests >=2.2.0,<2.10.0
+commands = ...
+```
+
+However we still want `pytest` to be installed from the lockfile, so the final step is to tell Tox
+to install it from the lockfile by adding the suffix `@poetry` to the `pytest` entry in the
+dependency list:
+
+```ini
+[testenv]
+description = Run the tests
+deps =
+    pytest@poetry
+    requests >=2.2.0,<2.10.0
+commands = ...
+```
+
+Now when the `testenv` environment is created it will install PyTest (and all of its dependencies)
+from the lockfile while it will install Requests (and all of its dependencies) using the default
+Tox installation backend.
+
+
+## Known Drawbacks and Problems
+
+* The following `tox.ini` configuration options have no effect on the dependencies installed from
+  the Poetry lockfile (note that they will still affect unlocked dependencies):
   * [`install_command`](https://tox.readthedocs.io/en/latest/config.html#conf-install_command)
   * [`pip_pre`](https://tox.readthedocs.io/en/latest/config.html#conf-pip_pre)
   * [`downloadcache`](https://tox.readthedocs.io/en/latest/config.html#conf-downloadcache) (deprecated)
   * [`download`](https://tox.readthedocs.io/en/latest/config.html#conf-download)
   * [`indexserver`](https://tox.readthedocs.io/en/latest/config.html#conf-indexserver)
   * [`usedevelop`](https://tox.readthedocs.io/en/latest/config.html#conf-indexserver)
-  * [`extras`](https://tox.readthedocs.io/en/latest/config.html#conf-extras)
 
-* When the plugin is enabled all dependencies for all environments will use the Poetry backend
+* The [`extras`](https://tox.readthedocs.io/en/latest/config.html#conf-extras) setting in `tox.ini`
-  provided by the plugin; this functionality cannot be disabled on a per-environment basis.
+  does not work. Optional dependencies of the project package will not be installed to Tox
+  environments. (See the [road map](#roadmap))
 
-* Alternative versions cannot be specified alongside versions from the lockfile. All
+* The plugin currently depends on `poetry<1.1.0`. This can be a different version than Poetry being
-  dependencies are installed from the lockfile and alternative versions cannot be specified
+  used for actual project development. (See the [road map](#roadmap))
-  in the Tox configuration.
+
+* Tox environments automatically inherit their settings from the main `testenv` environment. This
+  means that if the `require_locked_deps = true` is specified for the `testenv` environment then
+  all environments will also require locked dependencies. This can be overwritten by explicitly
+  specifying `require_locked_deps = false` on child environments where unlocked dependencies are
+  needed.
+
+* There are a handful of packages that cannot be installed from the lockfile, whether as specific
+  dependencies or as transient dependencies (dependencies of dependencies). This is due to
+  [an ongoing discussion in the Poetry project](https://github.com/python-poetry/poetry/issues/1584);
+  the list of dependencies that cannot be installed from the lockfile can be found
+  [here](https://github.com/python-poetry/poetry/blob/cc8f59a31567f806be868aba880ae0642d49b74e/poetry/puzzle/provider.py#L55).
+  This plugin will skip these dependencies entirely, but log a warning when they are encountered.
 
 
 ## Why would I use this?
 
 **Introduction**
 
-The lockfile is a file generated by a package manager for a project that lists what
+The lockfile is a file generated by a package manager for a project that records what
-dependencies are installed, the versions of those dependencies, and additional metadata that
+dependencies are installed, the versions of those dependencies, and any additional metadata that
-the package manager can use to recreate the local project environment. This allows developers
+the package manager needs to recreate the local project environment. This allows developers
 to have confidence that a bug they are encountering that may be caused by one of their
 dependencies will be reproducible on another device. In addition, installing a project
 environment from a lockfile gives confidence that automated systems running tests or performing
-builds are using the same environment that a developer is.
+builds are using the same environment as a developer.
 
 [Poetry](https://python-poetry.org/) is a project dependency manager for Python projects, and
-as such it creates and manages a lockfile so that its users can benefit from all the features
+so it creates and manages a lockfile so that its users can benefit from all the features
 described above. [Tox](https://tox.readthedocs.io/en/latest/#what-is-tox) is an automation tool
 that allows Python developers to run tests suites, perform builds, and automate tasks within
-self contained [Python virtual environments](https://docs.python.org/3/tutorial/venv.html).
+self-contained [Python virtual environments](https://docs.python.org/3/tutorial/venv.html).
-To make these environments useful, Tox supports installing per-environment dependencies.
+To make these environments useful Tox supports installing dependencies in each environment.
 However, since these environments are created on the fly and Tox does not maintain a lockfile,
 there can be subtle differences between the dependencies a developer is using and the
 dependencies Tox uses.
@@ -109,19 +292,17 @@ dependencies Tox uses.
 This is where this plugin comes into play.
 
 By default Tox uses [Pip](https://docs.python.org/3/tutorial/venv.html) to install the
-PEP-508 compliant dependencies to a test environment. A more robust way to do this is to
+PEP-508 compliant dependencies to a test environment. This plugin extends the default
-install dependencies directly from the lockfile so that the version installed to the Tox
+Tox dependency installation behavior to support installing dependencies using a Poetry-based
-environment always matches the version Poetry specifies. This plugin overwrites the default
+installation method that makes use of the dependency metadata from Poetry's lockfile.
-Tox dependency installation behavior and replaces it with a Poetry-based installation using
-the dependency metadata from the lockfile.
 
 **The Problem**
 
-Environment dependencies for a Tox environment are usually done in PEP-508 format like the
+Environment dependencies for a Tox environment are usually specified in PEP-508 format, like
-below example
+the below example:
 
 ```ini
-# tox.ini
+# from tox.ini
 ...
 
 [testenv]
@@ -134,31 +315,35 @@ deps =
 ...
 ```
 
-Perhaps these dependencies are also useful during development, so they can be added to the
+Let's assume these dependencies are also useful during development, so they can be added to the
 Poetry environment using this command:
 
  ```
- poetry add foo==1.2.3 bar>=1.3,<2.0 baz --dev
+ poetry add --dev \
+    foo==1.2.3 \
+    bar>=1.3,<2.0 \
+    baz
  ```
 
- However there are three potential problems that could arise from each of these environment
+ However there is a potential problem that could arise from each of these environment
  dependencies that would _only_ appear in the Tox environment and not in the Poetry
- environment:
+ environment in use by a developer:
 
  * **The `foo` dependency is pinned to a specific version:** let's imagine a security
    vulnerability is discovered in `foo` and the maintainers release version `1.2.4` to fix
-   it. A developer can run `poetry remove foo && poetry add foo^1.2` to get the new version,
+   it. A developer can run `poetry remove foo` and then `poetry add foo^1.2` to get the new
-   but the Tox environment is left unchanged. The developer environment specified by the
+   version, but the Tox environment is left unchanged. The development environment, as defined by
-   lockfile is now patched against the vulnerability, but the Tox environment is not.
+   the lockfile, is now patched against the vulnerability but the Tox environment is not.
 
 * **The `bar` dependency specifies a dynamic range:** a dynamic range allows a range of
   versions to be installed, but the lockfile will have an exact version specified so that
   the Poetry environment is reproducible; this allows versions to be updated with
-  `poetry update` rather than with the `remove` and `add` used above. If the maintainers of
+  `poetry update` rather than with the `remove` and `add` commands used above. If the
-  `bar` release version `1.6.0` then the Tox environment will install it because it is valid
+  maintainers of `bar` release version `1.6.0` then the Tox environment will install it
-  for the specified version range, meanwhile the Poetry environment will continue to install
+  because it is valid for the specified version range. Meanwhile the Poetry environment will
-  the version from the lockfile until `poetry update bar` explicitly updates it. The
+  continue to install the version from the lockfile until `poetry update bar` explicitly
-  development environment is now has a different version of `bar` than the Tox environment.
+  updates it. The development environment is now has a different version of `bar` than the Tox
+  environment.
 
 * **The `baz` dependency is unpinned:** unpinned dependencies are
   [generally a bad idea](https://python-poetry.org/docs/faq/#why-are-unbound-version-constraints-a-bad-idea),
@@ -167,27 +352,26 @@ Poetry environment using this command:
   but Pip (via Tox) will interpret it as a wildcard. If the latest version of `baz` is `1.0.0`
   then `poetry add baz` will result in a constraint of `baz>=1.0.0,<2.0.0` while the Tox
   environment will have a constraint of `baz==*`. The Tox environment can now install an
-  incompatible version of `baz` that cannot be easily caught using `poetry update`.
+  incompatible version of `baz` and any errors that causes cannot be replicated using `poetry update`.
 
 All of these problems can apply not only to the dependencies specified for a Tox environment,
-but also to the dependencies of those dependencies, and so on.
+but also to the dependencies of those dependencies, those dependencies' dependencies, and so on.
 
 **The Solution**
 
-This plugin requires that all dependencies specified for all Tox environments be unbound
+This plugin allows dependencies specified in Tox environment take their version directly from
-with no version constraint specified at all. This seems counter-intuitive given the problems
+the Poetry lockfile without needing an independent version to be specified in the Tox
-outlined above, but what it allows the plugin to do is offload all version management to
+environment configuration. The modified version of the example environment given below appears
-Poetry.
+less stable than the one presented above because it does not specify any versions for its
-
+dependencies:
-On initial inspection, the environment below appears less stable than the one presented above
-because it does not specify any versions for its dependencies:
 
 ```ini
-# tox.ini
+# from tox.ini
 ...
 
 [testenv]
 description = Some very cool tests
+require_locked_deps = true
 deps =
     foo
     bar
@@ -196,19 +380,16 @@ deps =
 ...
 ```
 
-However with the `tox-poetry-installer` plugin installed this instructs Tox to install these
+However with the `tox-poetry-installer` plugin installed the `require_locked_deps = true`
-dependencies using the Poetry lockfile so that the version installed to the Tox environment
+setting means that Tox will install these dependencies from the Poetry lockfile so that the
-exactly matches the version Poetry is managing. When `poetry update` updates the lockfile
+version installed to the Tox environment exactly matches the version Poetry is managing. When
-with new dependency versions, Tox will automatically install these new versions without needing
+`poetry update` updates the lockfile with new versions of these dependencies, Tox will
-any changes to the configuration.
+automatically install these new versions without needing any changes to the configuration.
-
-All dependencies are specified in one place (the lockfile) and dependency version management is
-handled by a tool dedicated to that task (Poetry).
 
 
 ## Developing
 
-This project requires Poetry-1.0+, see the [installation instructions here](https://python-poetry.org/docs/#installation).
+This project requires Poetry version 1.0+, see the [installation instructions here](https://python-poetry.org/docs/#installation).
 
 ```bash
 # Clone the repository...
@@ -234,6 +415,10 @@ poetry run tox
 All project contributors and participants are expected to adhere to the
 [Contributor Covenant Code of Conduct, Version 2](CODE_OF_CONDUCT.md).
 
+The `devel` branch has the latest (potentially unstable) changes. The
+[tagged versions](https://github.com/enpaul/tox-poetry-installer/releases) correspond to the
+releases on PyPI.
+
 * To report a bug, request a feature, or ask for assistance, please
   [open an issue on the Github repository](https://github.com/enpaul/tox-poetry-installer/issues/new).
 * To report a security concern or code of conduct violation, please contact the project author
@@ -247,7 +432,7 @@ All project contributors and participants are expected to adhere to the
 ## Roadmap
 
 This project is under active development and is classified as alpha software, not yet ready
-usage in production systems.
+for usage in production environments.
 
 * Beta classification will be assigned when the initial feature set is finalized
 * Stable classification will be assigned when the test suite covers an acceptable number of
@@ -255,21 +440,22 @@ usage in production systems.
 
 ### Path to Beta
 
-- [ ] Verify that primary package dependencies (from the `.package` env) are installed
+- [X] Verify that primary package dependencies (from the `.package` env) are installed
       correctly using the Poetry backend.
 - [ ] Support the [`extras`](https://tox.readthedocs.io/en/latest/config.html#conf-extras)
-      Tox configuration option
+      Tox configuration option ([#4](https://github.com/enpaul/tox-poetry-installer/issues/4))
-- [ ] Add per-environment Tox configuration option to fall back to default installation
+- [X] Add per-environment Tox configuration option to fall back to default installation
       backend.
-- [ ] Add detection of a changed lockfile to automatically trigger a rebuild of Tox
-      environments when necessary.
 - [ ] Add warnings when an unsupported Tox configuration option is detected while using the
-      Poetry backend.
+      Poetry backend. ([#5](https://github.com/enpaul/tox-poetry-installer/issues/5))
-- [ ] Add trivial tests to ensure the project metadata is consistent between the pyproject.toml
+- [X] Add trivial tests to ensure the project metadata is consistent between the pyproject.toml
       and the module constants.
-- [ ] Update to use [poetry-core](https://github.com/python-poetry/poetry-core)
+- [ ] Update to use [poetry-core](https://github.com/python-poetry/poetry-core) and
-      Tox configuration option) and improve robustness of the Tox and Poetry module imports
+      improve robustness of the Tox and Poetry module imports
-      to avoid potentially breaking API changes in upstream packages.
+      to avoid potentially breaking API changes in upstream packages. ([#2](https://github.com/enpaul/tox-poetry-installer/issues/2))
+- [ ] Find and implement a way to mitigate the [UNSAFE_DEPENDENCIES issue](https://github.com/python-poetry/poetry/issues/1584) in Poetry.
+      ([#6](https://github.com/enpaul/tox-poetry-installer/issues/6))
+- [ ] Fix logging to make proper use of Tox's logging reporter infrastructure
 
 ### Path to Stable
 

poetry.lock

@@ -44,6 +44,15 @@ wrapt = ">=1.11,<2.0"
 python = "<3.8"
 version = ">=1.4.0,<1.5"
 
+[[package]]
+category = "dev"
+description = "Atomic file writes."
+marker = "sys_platform == \"win32\""
+name = "atomicwrites"
+optional = false
+python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*"
+version = "1.4.0"
+
 [[package]]
 category = "main"
 description = "Classes Without Boilerplate"
@@ -227,6 +236,17 @@ optional = false
 python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*"
 version = "0.4.3"
 
+[[package]]
+category = "dev"
+description = "Code coverage measurement for Python"
+name = "coverage"
+optional = false
+python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*, <4"
+version = "5.3"
+
+[package.extras]
+toml = ["toml"]
+
 [[package]]
 category = "main"
 description = "cryptography is a package which provides cryptographic recipes and primitives to Python developers."
@@ -344,7 +364,7 @@ marker = "python_version >= \"3.6.1\" and python_version < \"4.0.0\""
 name = "identify"
 optional = false
 python-versions = "!=3.0.*,!=3.1.*,!=3.2.*,!=3.3.*,>=2.7"
-version = "1.5.4"
+version = "1.5.5"
 
 [package.extras]
 license = ["editdistance"]
@@ -390,6 +410,14 @@ version = ">=0.4"
 [package.extras]
 docs = ["sphinx", "rst.linker", "jaraco.packaging"]
 
+[[package]]
+category = "dev"
+description = "iniconfig: brain-dead simple config-ini parsing"
+name = "iniconfig"
+optional = false
+python-versions = "*"
+version = "1.0.1"
+
 [[package]]
 category = "dev"
 description = "IPython: Productive Interactive Computing"
@@ -540,6 +568,14 @@ optional = false
 python-versions = "*"
 version = "0.6.1"
 
+[[package]]
+category = "dev"
+description = "More routines for operating on iterables, beyond itertools"
+name = "more-itertools"
+optional = false
+python-versions = ">=3.5"
+version = "8.5.0"
+
 [[package]]
 category = "main"
 description = "MessagePack (de)serializer."
@@ -825,6 +861,48 @@ version = "0.14.11"
 [package.dependencies]
 six = "*"
 
+[[package]]
+category = "dev"
+description = "pytest: simple powerful testing with Python"
+name = "pytest"
+optional = false
+python-versions = ">=3.5"
+version = "6.0.2"
+
+[package.dependencies]
+atomicwrites = ">=1.0"
+attrs = ">=17.4.0"
+colorama = "*"
+iniconfig = "*"
+more-itertools = ">=4.0.0"
+packaging = "*"
+pluggy = ">=0.12,<1.0"
+py = ">=1.8.2"
+toml = "*"
+
+[package.dependencies.importlib-metadata]
+python = "<3.8"
+version = ">=0.12"
+
+[package.extras]
+checkqa_mypy = ["mypy (0.780)"]
+testing = ["argcomplete", "hypothesis (>=3.56)", "mock", "nose", "requests", "xmlschema"]
+
+[[package]]
+category = "dev"
+description = "Pytest plugin for measuring coverage."
+name = "pytest-cov"
+optional = false
+python-versions = ">=2.7, !=3.0.*, !=3.1.*, !=3.2.*, !=3.3.*, !=3.4.*"
+version = "2.10.1"
+
+[package.dependencies]
+coverage = ">=4.4"
+pytest = ">=4.6"
+
+[package.extras]
+testing = ["fields", "hunter", "process-tests (2.0.2)", "six", "pytest-xdist", "virtualenv"]
+
 [[package]]
 category = "main"
 description = ""
@@ -1105,7 +1183,7 @@ docs = ["sphinx", "jaraco.packaging (>=3.2)", "rst.linker (>=1.9)"]
 testing = ["pytest (>=3.5,<3.7.3 || >3.7.3)", "pytest-checkdocs (>=1.2.3)", "pytest-flake8", "pytest-cov", "jaraco.test (>=3.2.0)", "jaraco.itertools", "func-timeout", "pytest-black (>=0.3.7)", "pytest-mypy"]
 
 [metadata]
-content-hash = "6262af10558561473850e085068f2450a508201316904bea1ac850673a4109b2"
+content-hash = "8df0839a479a0483c969368ef8f61f553773f27bdc0a569603c7141b6c360680"
 python-versions = "^3.6"
 
 [metadata.files]
@@ -1125,6 +1203,10 @@ astroid = [
     {file = "astroid-2.4.2-py3-none-any.whl", hash = "sha256:bc58d83eb610252fd8de6363e39d4f1d0619c894b0ed24603b881c02e64c7386"},
     {file = "astroid-2.4.2.tar.gz", hash = "sha256:2f4078c2a41bf377eea06d71c9d2ba4eb8f6b1af2135bec27bbbb7d8f12bb703"},
 ]
+atomicwrites = [
+    {file = "atomicwrites-1.4.0-py2.py3-none-any.whl", hash = "sha256:6d1784dea7c0c8d4a5172b6c620f40b6e4cbfdf96d783691f2e1302a7b88e197"},
+    {file = "atomicwrites-1.4.0.tar.gz", hash = "sha256:ae70396ad1a434f9c7046fd2dd196fc04b12f9e91ffb859164193be8b6168a7a"},
+]
 attrs = [
     {file = "attrs-20.2.0-py2.py3-none-any.whl", hash = "sha256:fce7fc47dfc976152e82d53ff92fa0407700c21acd20886a13777a0d20e655dc"},
     {file = "attrs-20.2.0.tar.gz", hash = "sha256:26b54ddbbb9ee1d34d5d3668dd37d6cf74990ab23c828c2888dccdceee395594"},
@@ -1218,6 +1300,42 @@ colorama = [
     {file = "colorama-0.4.3-py2.py3-none-any.whl", hash = "sha256:7d73d2a99753107a36ac6b455ee49046802e59d9d076ef8e47b61499fa29afff"},
     {file = "colorama-0.4.3.tar.gz", hash = "sha256:e96da0d330793e2cb9485e9ddfd918d456036c7149416295932478192f4436a1"},
 ]
+coverage = [
+    {file = "coverage-5.3-cp27-cp27m-macosx_10_13_intel.whl", hash = "sha256:bd3166bb3b111e76a4f8e2980fa1addf2920a4ca9b2b8ca36a3bc3dedc618270"},
+    {file = "coverage-5.3-cp27-cp27m-macosx_10_9_x86_64.whl", hash = "sha256:9342dd70a1e151684727c9c91ea003b2fb33523bf19385d4554f7897ca0141d4"},
+    {file = "coverage-5.3-cp27-cp27m-manylinux1_i686.whl", hash = "sha256:63808c30b41f3bbf65e29f7280bf793c79f54fb807057de7e5238ffc7cc4d7b9"},
+    {file = "coverage-5.3-cp27-cp27m-manylinux1_x86_64.whl", hash = "sha256:4d6a42744139a7fa5b46a264874a781e8694bb32f1d76d8137b68138686f1729"},
+    {file = "coverage-5.3-cp27-cp27m-win32.whl", hash = "sha256:86e9f8cd4b0cdd57b4ae71a9c186717daa4c5a99f3238a8723f416256e0b064d"},
+    {file = "coverage-5.3-cp27-cp27m-win_amd64.whl", hash = "sha256:7858847f2d84bf6e64c7f66498e851c54de8ea06a6f96a32a1d192d846734418"},
+    {file = "coverage-5.3-cp27-cp27mu-manylinux1_i686.whl", hash = "sha256:530cc8aaf11cc2ac7430f3614b04645662ef20c348dce4167c22d99bec3480e9"},
+    {file = "coverage-5.3-cp27-cp27mu-manylinux1_x86_64.whl", hash = "sha256:381ead10b9b9af5f64646cd27107fb27b614ee7040bb1226f9c07ba96625cbb5"},
+    {file = "coverage-5.3-cp35-cp35m-macosx_10_13_x86_64.whl", hash = "sha256:71b69bd716698fa62cd97137d6f2fdf49f534decb23a2c6fc80813e8b7be6822"},
+    {file = "coverage-5.3-cp35-cp35m-manylinux1_i686.whl", hash = "sha256:1d44bb3a652fed01f1f2c10d5477956116e9b391320c94d36c6bf13b088a1097"},
+    {file = "coverage-5.3-cp35-cp35m-manylinux1_x86_64.whl", hash = "sha256:1c6703094c81fa55b816f5ae542c6ffc625fec769f22b053adb42ad712d086c9"},
+    {file = "coverage-5.3-cp35-cp35m-win32.whl", hash = "sha256:cedb2f9e1f990918ea061f28a0f0077a07702e3819602d3507e2ff98c8d20636"},
+    {file = "coverage-5.3-cp35-cp35m-win_amd64.whl", hash = "sha256:7f43286f13d91a34fadf61ae252a51a130223c52bfefb50310d5b2deb062cf0f"},
+    {file = "coverage-5.3-cp36-cp36m-macosx_10_13_x86_64.whl", hash = "sha256:c851b35fc078389bc16b915a0a7c1d5923e12e2c5aeec58c52f4aa8085ac8237"},
+    {file = "coverage-5.3-cp36-cp36m-manylinux1_i686.whl", hash = "sha256:aac1ba0a253e17889550ddb1b60a2063f7474155465577caa2a3b131224cfd54"},
+    {file = "coverage-5.3-cp36-cp36m-manylinux1_x86_64.whl", hash = "sha256:2b31f46bf7b31e6aa690d4c7a3d51bb262438c6dcb0d528adde446531d0d3bb7"},
+    {file = "coverage-5.3-cp36-cp36m-win32.whl", hash = "sha256:c5f17ad25d2c1286436761b462e22b5020d83316f8e8fcb5deb2b3151f8f1d3a"},
+    {file = "coverage-5.3-cp36-cp36m-win_amd64.whl", hash = "sha256:aef72eae10b5e3116bac6957de1df4d75909fc76d1499a53fb6387434b6bcd8d"},
+    {file = "coverage-5.3-cp37-cp37m-macosx_10_13_x86_64.whl", hash = "sha256:e8caf961e1b1a945db76f1b5fa9c91498d15f545ac0ababbe575cfab185d3bd8"},
+    {file = "coverage-5.3-cp37-cp37m-manylinux1_i686.whl", hash = "sha256:29a6272fec10623fcbe158fdf9abc7a5fa032048ac1d8631f14b50fbfc10d17f"},
+    {file = "coverage-5.3-cp37-cp37m-manylinux1_x86_64.whl", hash = "sha256:2d43af2be93ffbad25dd959899b5b809618a496926146ce98ee0b23683f8c51c"},
+    {file = "coverage-5.3-cp37-cp37m-win32.whl", hash = "sha256:c3888a051226e676e383de03bf49eb633cd39fc829516e5334e69b8d81aae751"},
+    {file = "coverage-5.3-cp37-cp37m-win_amd64.whl", hash = "sha256:9669179786254a2e7e57f0ecf224e978471491d660aaca833f845b72a2df3709"},
+    {file = "coverage-5.3-cp38-cp38-macosx_10_9_x86_64.whl", hash = "sha256:0203acd33d2298e19b57451ebb0bed0ab0c602e5cf5a818591b4918b1f97d516"},
+    {file = "coverage-5.3-cp38-cp38-manylinux1_i686.whl", hash = "sha256:582ddfbe712025448206a5bc45855d16c2e491c2dd102ee9a2841418ac1c629f"},
+    {file = "coverage-5.3-cp38-cp38-manylinux1_x86_64.whl", hash = "sha256:0f313707cdecd5cd3e217fc68c78a960b616604b559e9ea60cc16795c4304259"},
+    {file = "coverage-5.3-cp38-cp38-win32.whl", hash = "sha256:78e93cc3571fd928a39c0b26767c986188a4118edc67bc0695bc7a284da22e82"},
+    {file = "coverage-5.3-cp38-cp38-win_amd64.whl", hash = "sha256:8f264ba2701b8c9f815b272ad568d555ef98dfe1576802ab3149c3629a9f2221"},
+    {file = "coverage-5.3-cp39-cp39-macosx_10_13_x86_64.whl", hash = "sha256:50691e744714856f03a86df3e2bff847c2acede4c191f9a1da38f088df342978"},
+    {file = "coverage-5.3-cp39-cp39-manylinux1_i686.whl", hash = "sha256:9361de40701666b034c59ad9e317bae95c973b9ff92513dd0eced11c6adf2e21"},
+    {file = "coverage-5.3-cp39-cp39-manylinux1_x86_64.whl", hash = "sha256:c1b78fb9700fc961f53386ad2fd86d87091e06ede5d118b8a50dea285a071c24"},
+    {file = "coverage-5.3-cp39-cp39-win32.whl", hash = "sha256:cb7df71de0af56000115eafd000b867d1261f786b5eebd88a0ca6360cccfaca7"},
+    {file = "coverage-5.3-cp39-cp39-win_amd64.whl", hash = "sha256:47a11bdbd8ada9b7ee628596f9d97fbd3851bd9999d398e9436bd67376dbece7"},
+    {file = "coverage-5.3.tar.gz", hash = "sha256:280baa8ec489c4f542f8940f9c4c2181f0306a8ee1a54eceba071a449fb870a0"},
+]
 cryptography = [
     {file = "cryptography-3.1.1-cp27-cp27m-macosx_10_10_x86_64.whl", hash = "sha256:65beb15e7f9c16e15934569d29fb4def74ea1469d8781f6b3507ab896d6d8719"},
     {file = "cryptography-3.1.1-cp27-cp27m-manylinux1_x86_64.whl", hash = "sha256:983c0c3de4cb9fcba68fd3f45ed846eb86a2a8b8d8bc5bb18364c4d00b3c61fe"},
@@ -1275,8 +1393,8 @@ html5lib = [
     {file = "html5lib-1.1.tar.gz", hash = "sha256:b2e5b40261e20f354d198eae92afc10d750afb487ed5e50f9c4eaf07c184146f"},
 ]
 identify = [
-    {file = "identify-1.5.4-py2.py3-none-any.whl", hash = "sha256:d7da7de6825568daa4449858ce328ecc0e1ada2554d972a6f4f90e736aaf499a"},
+    {file = "identify-1.5.5-py2.py3-none-any.whl", hash = "sha256:da683bfb7669fa749fc7731f378229e2dbf29a1d1337cbde04106f02236eb29d"},
-    {file = "identify-1.5.4.tar.gz", hash = "sha256:e4db4796b3b0cf4f9cb921da51430abffff2d4ba7d7c521184ed5252bd90d461"},
+    {file = "identify-1.5.5.tar.gz", hash = "sha256:7c22c384a2c9b32c5cc891d13f923f6b2653aa83e2d75d8f79be240d6c86c4f4"},
 ]
 idna = [
     {file = "idna-2.10-py2.py3-none-any.whl", hash = "sha256:b97d804b1e9b523befed77c48dacec60e6dcb0b5391d57af6a65a312a90648c0"},
@@ -1290,6 +1408,10 @@ importlib-resources = [
     {file = "importlib_resources-3.0.0-py2.py3-none-any.whl", hash = "sha256:d028f66b66c0d5732dae86ba4276999855e162a749c92620a38c1d779ed138a7"},
     {file = "importlib_resources-3.0.0.tar.gz", hash = "sha256:19f745a6eca188b490b1428c8d1d4a0d2368759f32370ea8fb89cad2ab1106c3"},
 ]
+iniconfig = [
+    {file = "iniconfig-1.0.1-py3-none-any.whl", hash = "sha256:80cf40c597eb564e86346103f609d74efce0f6b4d4f30ec8ce9e2c26411ba437"},
+    {file = "iniconfig-1.0.1.tar.gz", hash = "sha256:e5f92f89355a67de0595932a6c6c02ab4afddc6fcdc0bfc5becd0d60884d3f69"},
+]
 ipython = [
     {file = "ipython-7.18.1-py3-none-any.whl", hash = "sha256:2e22c1f74477b5106a6fb301c342ab8c64bb75d702e350f05a649e8cb40a0fb8"},
     {file = "ipython-7.18.1.tar.gz", hash = "sha256:a331e78086001931de9424940699691ad49dfb457cea31f5471eae7b78222d5e"},
@@ -1349,6 +1471,10 @@ mccabe = [
     {file = "mccabe-0.6.1-py2.py3-none-any.whl", hash = "sha256:ab8a6258860da4b6677da4bd2fe5dc2c659cff31b3ee4f7f5d64e79735b80d42"},
     {file = "mccabe-0.6.1.tar.gz", hash = "sha256:dd8d182285a0fe56bace7f45b5e7d1a6ebcbf524e8f3bd87eb0f125271b8831f"},
 ]
+more-itertools = [
+    {file = "more-itertools-8.5.0.tar.gz", hash = "sha256:6f83822ae94818eae2612063a5101a7311e68ae8002005b5e05f03fd74a86a20"},
+    {file = "more_itertools-8.5.0-py3-none-any.whl", hash = "sha256:9b30f12df9393f0d28af9210ff8efe48d10c94f73e5daf886f10c4b0b0b4f03c"},
+]
 msgpack = [
     {file = "msgpack-1.0.0-cp35-cp35m-manylinux1_i686.whl", hash = "sha256:cec8bf10981ed70998d98431cd814db0ecf3384e6b113366e7f36af71a0fca08"},
     {file = "msgpack-1.0.0-cp35-cp35m-manylinux1_x86_64.whl", hash = "sha256:aa5c057eab4f40ec47ea6f5a9825846be2ff6bf34102c560bad5cad5a677c5be"},
@@ -1472,6 +1598,14 @@ pyparsing = [
 pyrsistent = [
     {file = "pyrsistent-0.14.11.tar.gz", hash = "sha256:3ca82748918eb65e2d89f222b702277099aca77e34843c5eb9d52451173970e2"},
 ]
+pytest = [
+    {file = "pytest-6.0.2-py3-none-any.whl", hash = "sha256:0e37f61339c4578776e090c3b8f6b16ce4db333889d65d0efb305243ec544b40"},
+    {file = "pytest-6.0.2.tar.gz", hash = "sha256:c8f57c2a30983f469bf03e68cdfa74dc474ce56b8f280ddcb080dfd91df01043"},
+]
+pytest-cov = [
+    {file = "pytest-cov-2.10.1.tar.gz", hash = "sha256:47bd0ce14056fdd79f93e1713f88fad7bdcc583dcd7783da86ef2f085a0bb88e"},
+    {file = "pytest_cov-2.10.1-py2.py3-none-any.whl", hash = "sha256:45ec2d5182f89a81fc3eb29e3d1ed3113b9e9a873bcddb2a71faaab066110191"},
+]
 pywin32-ctypes = [
     {file = "pywin32-ctypes-0.2.0.tar.gz", hash = "sha256:24ffc3b341d457d48e8922352130cf2644024a4ff09762a2261fd34c36ee5942"},
     {file = "pywin32_ctypes-0.2.0-py2.py3-none-any.whl", hash = "sha256:9dc2d991b3479cc2df15930958b674a48a227d5361d413827a4cfd0b5876fc98"},

pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "tox-poetry-installer"
-version = "0.1.1"
+version = "0.2.3"
 license = "MIT"
 authors = ["Ethan Paul <24588726+enpaul@users.noreply.github.com>"]
 description = "Tox plugin to install Tox environment dependencies using the Poetry backend and lockfile"
@@ -27,19 +27,22 @@ poetry_installer = "tox_poetry_installer"
 
 [tool.poetry.dependencies]
 python = "^3.6"
-poetry = "^1.0.0"
+poetry = ">=1.0.0, <1.1.0"
 tox = "^2.3.0 || ^3.0.0"
 
 [tool.poetry.dev-dependencies]
 bandit = "^1.6.2"
+black = {version = "^20.8b1", allow-prereleases = true}
 ipython = {version = "^7.18.1", python = "^3.7"}
 mypy = "^0.782"
 pre-commit = {version = "^2.7.1", python = "^3.6.1"}
 pylint = "^2.4.4"
+pytest = "^6.0.2"
+pytest-cov = "^2.10.1"
 reorder-python-imports = {version = "^2.3.5", python = "^3.6.1"}
 safety = "^1.9.0"
+toml = "^0.10.1"
 tox = "^3.20.0"
-black = {version = "^20.8b1", allow-prereleases = true}
 
 [build-system]
 requires = ["poetry>=1.0.0"]

tests/test_metadata.py

@@ -0,0 +1,39 @@
+"""Ensure that the pyproject and module metadata never drift out of sync
+
+The next best thing to having one source of truth is having a way to ensure all of your
+sources of truth agree with each other.
+"""
+from pathlib import Path
+
+import toml
+
+import tox_poetry_installer
+
+
+def test_metadata():
+    """Test that module metadata matches pyproject poetry metadata"""
+
+    with (Path(__file__).resolve().parent / ".." / "pyproject.toml").open() as infile:
+        pyproject = toml.load(infile, _dict=dict)
+
+    assert pyproject["tool"]["poetry"]["name"] == tox_poetry_installer.__title__
+    assert pyproject["tool"]["poetry"]["version"] == tox_poetry_installer.__version__
+    assert pyproject["tool"]["poetry"]["license"] == tox_poetry_installer.__license__
+    assert (
+        pyproject["tool"]["poetry"]["description"] == tox_poetry_installer.__summary__
+    )
+    assert pyproject["tool"]["poetry"]["repository"] == tox_poetry_installer.__url__
+    assert (
+        all(
+            item in tox_poetry_installer.__authors__
+            for item in pyproject["tool"]["poetry"]["authors"]
+        )
+        is True
+    )
+    assert (
+        all(
+            item in pyproject["tool"]["poetry"]["authors"]
+            for item in tox_poetry_installer.__authors__
+        )
+        is True
+    )

tox.ini

@@ -1,17 +1,21 @@
 [tox]
-envlist = py36, py37, py38, static, security
+envlist = py36, py37, py38, static, static-tests, security
 isolated_build = true
 
 [testenv]
 description = Run the tests
+require_locked_deps = true
 deps =
-    requests
+    pytest
+    pytest-cov
+    toml
 commands =
-    pip freeze
+    pytest --cov tox_poetry_installer --cov-config {toxinidir}/.coveragerc tests/ --cov-report term-missing
 
 [testenv:static]
-description = Static code quality checks and formatting enforcement
+description = Static formatting and quality enforcement
-basepython = python3.7
+require_locked_deps = true
+basepython = python3.8
 ignore_errors = true
 deps =
     pylint
@@ -20,21 +24,43 @@ deps =
     reorder-python-imports
     pre-commit
 commands =
-    black tox_poetry_installer.py
+    black {toxinidir}/tox_poetry_installer.py
-    reorder-python-imports tox_poetry_installer.py
+    reorder-python-imports {toxinidir}/tox_poetry_installer.py
-    pylint tox_poetry_installer.py
-    mypy tox_poetry_installer.py --ignore-missing-imports --no-strict-optional
     pre-commit run --all-files
+    pylint --rcfile {toxinidir}/.pylintrc {toxinidir}/tox_poetry_installer.py
+    mypy --ignore-missing-imports --no-strict-optional {toxinidir}/tox_poetry_installer.py
 
-[testenv:security]
+[testenv:static-tests]
-description = Security checks
+description = Static formatting and quality enforcement for the tests
-basepython = python3.7
+require_locked_deps = true
-ignore_errors = true
+basepython = python3.8
+ingore_errors = true
 deps =
-    bandit
+    pylint
-    safety
+    mypy
+    black
+    reorder-python-imports
 allowlist_externals =
     bash
 commands =
-    bandit tox_poetry_installer.py --recursive
+    black {toxinidir}/tests/
+    bash -c "reorder-python-imports {toxinidir}/tests/*.py --unclassifiable-application-module tox_poetry_installer"
+    pylint --rcfile {toxinidir}/.pylintrc {toxinidir}/tests/
+    mypy --ignore-missing-imports --no-strict-optional {toxinidir}/tests/
+
+[testenv:security]
+description = Security checks
+require_locked_deps = true
+basepython = python3.8
+ignore_errors = true
+skip_install = true
+deps =
+    bandit
+    safety
+    poetry
+allowlist_externals =
+    bash
+commands =
+    bandit --quiet {toxinidir}/tox_poetry_installer.py
+    bash -c "bandit --quiet --skip B101 {toxinidir}/tests/*.py"
     bash -c "poetry export --format requirements.txt --without-hashes --dev | safety check --stdin --bare"

tox_poetry_installer.py

@@ -5,11 +5,12 @@ installation functionality to install dependencies from the Poetry lockfile for
 does this by using ``poetry`` to read in the lockfile, identify necessary dependencies, and then
 use Poetry's ``PipInstaller`` class to install those packages into the Tox environment.
 """
-import logging
 from pathlib import Path
 from typing import Dict
 from typing import List
-from typing import Optional
+from typing import NamedTuple
+from typing import Sequence
+from typing import Set
 from typing import Tuple
 
 from poetry.factory import Factory as PoetryFactory
@@ -20,37 +21,126 @@ from poetry.packages import Package as PoetryPackage
 from poetry.puzzle.provider import Provider as PoetryProvider
 from poetry.utils.env import VirtualEnv as PoetryVirtualEnv
 from tox import hookimpl
+from tox import reporter
 from tox.action import Action as ToxAction
+from tox.config import DepConfig as ToxDepConfig
+from tox.config import Parser as ToxParser
 from tox.venv import VirtualEnv as ToxVirtualEnv
 
 
 __title__ = "tox-poetry-installer"
 __summary__ = "Tox plugin to install Tox environment dependencies using the Poetry backend and lockfile"
-__version__ = "0.1.0"
+__version__ = "0.2.3"
 __url__ = "https://github.com/enpaul/tox-poetry-installer/"
 __license__ = "MIT"
-__authors__ = ["Ethan Paul <e@enp.one>"]
+__authors__ = ["Ethan Paul <24588726+enpaul@users.noreply.github.com>"]
 
 
-PEP440_VERSION_DELIMITERS: Tuple[str, ...] = ("~=", "==", "!=", ">", "<")
+# Valid PEP508 version delimiters. These are used to test whether a given string (specifically a
+# dependency name) is just a package name or also includes a version identifier.
+_PEP508_VERSION_DELIMITERS: Tuple[str, ...] = ("~=", "==", "!=", ">", "<")
+
+# Prefix all reporter messages should include to indicate that they came from this module in the
+# console output.
+_REPORTER_PREFIX = f"[{__title__}]:"
+
+# Suffix that indicates an env dependency should be treated as a locked dependency and thus be
+# installed from the lockfile. Will be automatically stripped off of a dependency name during
+# sorting so that the resulting string is just the valid package name. This becomes optional when
+# the "require_locked_deps" option is true for an environment; in that case a bare dependency like
+# 'foo' is treated the same as an explicitly locked dependency like 'foo@poetry'
+_MAGIC_SUFFIX_MARKER = "@poetry"
+
+
+class _SortedEnvDeps(NamedTuple):
+    unlocked_deps: List[ToxDepConfig]
+    locked_deps: List[ToxDepConfig]
 
 
 class ToxPoetryInstallerException(Exception):
     """Error while installing locked dependencies to the test environment"""
 
 
-class NoLockedDependencyError(ToxPoetryInstallerException):
+class LockedDepVersionConflictError(ToxPoetryInstallerException):
-    """Cannot install a package that is not in the lockfile"""
+    """Locked dependencies cannot specify an alternate version for installation"""
 
 
-def _make_poetry(venv: ToxVirtualEnv) -> Poetry:
+class LockedDepNotFoundError(ToxPoetryInstallerException):
-    """Helper to make a poetry object from a toxenv"""
+    """Locked dependency was not found in the lockfile"""
-    return PoetryFactory().create_poetry(venv.envconfig.config.toxinidir)
 
 
-def _find_locked_dependencies(
+def _sort_env_deps(venv: ToxVirtualEnv) -> _SortedEnvDeps:
-    poetry: Poetry, dependency_name: str
+    """Sorts the environment dependencies by lock status
-) -> List[PoetryPackage]:
+
+    Lock status determines whether a given environment dependency will be installed from the
+    lockfile using the Poetry backend, or whether this plugin will skip it and allow it to be
+    installed using the default pip-based backend (an unlocked dependency).
+
+    .. note:: A locked dependency must follow a required format. To avoid reinventing the wheel
+              (no pun intended) this module does not have any infrastructure for parsing PEP-508
+              version specifiers, and so requires locked dependencies to be specified with no
+              version (the installed version being taken from the lockfile). If a dependency is
+              specified as locked and its name is also a PEP-508 string then an error will be
+              raised.
+    """
+
+    reporter.verbosity1(
+        f"{_REPORTER_PREFIX} sorting {len(venv.envconfig.deps)} env dependencies by lock requirement"
+    )
+    unlocked_deps = []
+    locked_deps = []
+
+    for dep in venv.envconfig.deps:
+        if venv.envconfig.require_locked_deps:
+            reporter.verbosity1(
+                f"{_REPORTER_PREFIX} lock required for env, treating '{dep.name}' as locked env dependency"
+            )
+            dep.name = dep.name.replace(_MAGIC_SUFFIX_MARKER, "")
+            locked_deps.append(dep)
+        else:
+            if dep.name.endswith(_MAGIC_SUFFIX_MARKER):
+                reporter.verbosity1(
+                    f"{_REPORTER_PREFIX} specification includes marker '{_MAGIC_SUFFIX_MARKER}', treating '{dep.name}' as locked env dependency"
+                )
+                dep.name = dep.name.replace(_MAGIC_SUFFIX_MARKER, "")
+                locked_deps.append(dep)
+            else:
+                reporter.verbosity1(
+                    f"{_REPORTER_PREFIX} specification does not include marker '{_MAGIC_SUFFIX_MARKER}', treating '{dep.name}' as unlocked env dependency"
+                )
+                unlocked_deps.append(dep)
+
+    reporter.verbosity1(
+        f"{_REPORTER_PREFIX} identified {len(locked_deps)} locked env dependencies for installation from poetry lockfile: {[item.name for item in locked_deps]}"
+    )
+    reporter.verbosity1(
+        f"{_REPORTER_PREFIX} identified {len(unlocked_deps)} unlocked env dependencies for installation using default backend: {[item.name for item in unlocked_deps]}"
+    )
+
+    return _SortedEnvDeps(locked_deps=locked_deps, unlocked_deps=unlocked_deps)
+
+
+def _install_to_venv(
+    poetry: Poetry, venv: ToxVirtualEnv, packages: Sequence[PoetryPackage]
+):
+    """Install a bunch of packages to a virtualenv
+
+    :param poetry: Poetry object the packages were sourced from
+    :param venv: Tox virtual environment to install the packages to
+    :param packages: List of packages to install to the virtual environment
+    """
+    installer = PoetryPipInstaller(
+        env=PoetryVirtualEnv(path=Path(venv.envconfig.envdir)),
+        io=PoetryNullIO(),
+        pool=poetry.pool,
+    )
+
+    for dependency in packages:
+        reporter.verbosity1(f"{_REPORTER_PREFIX} installing {dependency}")
+        installer.install(dependency)
+
+
+def _find_transients(poetry: Poetry, dependency_name: str) -> Set[PoetryPackage]:
     """Using a poetry object identify all dependencies of a specific dependency
 
     :param poetry: Populated poetry object which can be used to build a populated locked
@@ -70,33 +160,93 @@ def _find_locked_dependencies(
     try:
         top_level = packages[dependency_name]
 
-        def find_transients(name: str) -> List[PoetryPackage]:
+        def find_deps_of_deps(name: str) -> List[PoetryPackage]:
             if name in PoetryProvider.UNSAFE_PACKAGES:
+                reporter.warning(
+                    f"{_REPORTER_PREFIX} installing '{name}' using Poetry is not supported; skipping"
+                )
                 return []
             transients = [packages[name]]
             for dep in packages[name].requires:
-                transients += find_transients(dep.name)
+                transients += find_deps_of_deps(dep.name)
             return transients
 
-        return find_transients(top_level.name)
+        return set(find_deps_of_deps(top_level.name))
 
     except KeyError:
-        if any(delimiter in dependency_name for delimiter in PEP440_VERSION_DELIMITERS):
+        if any(
-            message = "specifying a version in the tox environment definition is incompatible with installing from a lockfile"
+            delimiter in dependency_name for delimiter in _PEP508_VERSION_DELIMITERS
-        else:
+        ):
-            message = (
+            raise LockedDepVersionConflictError(
-                "no version of the package was found in the current project's lockfile"
+                f"Locked dependency '{dependency_name}' cannot include version specifier"
-            )
+            ) from None
-
+        raise LockedDepNotFoundError(
-        raise NoLockedDependencyError(
+            f"No version of locked dependency '{dependency_name}' found in the project lockfile"
-            f"Cannot install requirement '{dependency_name}': {message}"
         ) from None
 
 
+def _install_env_dependencies(venv: ToxVirtualEnv, poetry: Poetry):
+    env_deps = _sort_env_deps(venv)
+
+    dependencies: List[PoetryPackage] = []
+    for dep in env_deps.locked_deps:
+        try:
+            dependencies += _find_transients(poetry, dep.name.lower())
+        except ToxPoetryInstallerException as err:
+            venv.status = "lockfile installation failed"
+            reporter.error(f"{_REPORTER_PREFIX} {err}")
+            raise err
+
+    reporter.verbosity1(
+        f"{_REPORTER_PREFIX} identified {len(dependencies)} actual dependencies from {len(venv.envconfig.deps)} specified env dependencies"
+    )
+
+    reporter.verbosity1(
+        f"{_REPORTER_PREFIX} updating env config with {len(env_deps.unlocked_deps)} unlocked env dependencies for installation using the default backend"
+    )
+    venv.envconfig.deps = env_deps.unlocked_deps
+
+    reporter.verbosity0(
+        f"{_REPORTER_PREFIX} ({venv.name}) installing {len(dependencies)} env dependencies from lockfile"
+    )
+    _install_to_venv(poetry, venv, dependencies)
+
+
+def _install_package_dependencies(venv: ToxVirtualEnv, poetry: Poetry):
+    reporter.verbosity1(
+        f"{_REPORTER_PREFIX} performing installation of project dependencies"
+    )
+
+    primary_dependencies = poetry.locker.locked_repository(False).packages
+
+    reporter.verbosity1(
+        f"{_REPORTER_PREFIX} identified {len(primary_dependencies)} dependencies of project '{poetry.package.name}'"
+    )
+
+    reporter.verbosity0(
+        f"{_REPORTER_PREFIX} ({venv.name}) installing {len(primary_dependencies)} project dependencies from lockfile"
+    )
+    _install_to_venv(poetry, venv, primary_dependencies)
+
+
 @hookimpl
-def tox_testenv_install_deps(
+def tox_addoption(parser: ToxParser):
-    venv: ToxVirtualEnv, action: ToxAction
+    """Add required configuration options to the tox INI file
-) -> Optional[List[PoetryPackage]]:
+
+    Adds the ``require_locked_deps`` configuration option to the venv to check whether all
+    dependencies should be treated as locked or not.
+    """
+
+    parser.add_testenv_attribute(
+        name="require_locked_deps",
+        type="bool",
+        default=False,
+        help="Require all dependencies in the environment be installed using the Poetry lockfile",
+    )
+
+
+@hookimpl
+def tox_testenv_install_deps(venv: ToxVirtualEnv, action: ToxAction):
     """Install the dependencies for the current environment
 
     Loads the local Poetry environment and the corresponding lockfile then pulls the dependencies
@@ -107,34 +257,45 @@ def tox_testenv_install_deps(
     :param action: Tox action object
     """
 
-    logger = logging.getLogger(__name__)
-
     if action.name == venv.envconfig.config.isolated_build_env:
-        logger.debug(
+        # Skip running the plugin for the packaging environment. PEP-517 front ends can handle
-            f"Environment {action.name} is isolated build environment; skipping Poetry-based dependency installation"
+        # that better than we can, so let them do their thing. More to the point: if you're having
+        # problems in the packaging env that this plugin would solve, god help you.
+        reporter.verbosity1(
+            f"{_REPORTER_PREFIX} skipping isolated build env '{action.name}'"
         )
-        return None
+        return
 
-    poetry = _make_poetry(venv)
+    try:
+        poetry = PoetryFactory().create_poetry(venv.envconfig.config.toxinidir)
+    except RuntimeError:
+        # Support running the plugin when the current tox project does not use Poetry for its
+        # environment/dependency management.
+        #
+        # ``RuntimeError`` is dangerous to blindly catch because it can be (and in Poetry's case,
+        # is) raised in many different places for different purposes.
+        reporter.verbosity1(
+            f"{_REPORTER_PREFIX} project does not use Poetry for env management, skipping installation of locked dependencies"
+        )
+        return
 
-    logger.debug(f"Loaded project pyproject.toml from {poetry.file}")
+    reporter.verbosity1(
-
+        f"{_REPORTER_PREFIX} loaded project pyproject.toml from {poetry.file}"
-    dependencies: List[PoetryPackage] = []
-    for env_dependency in venv.envconfig.deps:
-        dependencies += _find_locked_dependencies(poetry, env_dependency.name)
-
-    logger.debug(
-        f"Identified {len(dependencies)} dependencies for environment {action.name}"
     )
 
-    installer = PoetryPipInstaller(
+    # Handle the installation of any locked env dependencies from the lockfile
-        env=PoetryVirtualEnv(path=Path(venv.envconfig.envdir)),
+    _install_env_dependencies(venv, poetry)
-        io=PoetryNullIO(),
+
-        pool=poetry.pool,
+    # Handle the installation of the package dependencies from the lockfile if the package is
+    # being installed to this venv; otherwise skip installing the package dependencies
+    if not venv.envconfig.skip_install and not venv.envconfig.config.skipsdist:
+        _install_package_dependencies(venv, poetry)
+    else:
+        if venv.envconfig.skip_install:
+            reporter.verbosity1(
+                f"{_REPORTER_PREFIX} env specifies 'skip_install = true', skipping installation of project package"
+            )
+        elif venv.envconfig.config.skipsdist:
+            reporter.verbosity1(
+                f"{_REPORTER_PREFIX} config specifies 'skipsdist = true', skipping installation of project package"
             )
-
-    for dependency in dependencies:
-        logger.info(f"Installing environment dependency: {dependency}")
-        installer.install(dependency)
-
-    return dependencies