Merge pull request #34 from enpaul/enp/fix-unsafe

Fix unsafe dependency handling

.github/scripts/setup-env.sh

@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+#
+# Environment setup script for the local project. Intended to be used with automation
+# to create a repeatable local environment for tests to be run in. The python env
+# this script creates can be accessed at the location defined by the CI_VENV variable
+# below.
+
+set -e;
+
+# ##### Prereqs #####
+#
+# Set global vars for usage in the script, create the cache directory so we can rely
+# on that existing, then dump some diagnostic info for later reference.
+#
+CI_VENV=$HOME/ci;
+CI_CACHE=$HOME/.cache;
+CI_CACHE_GET_POETRY="$CI_CACHE/get-poetry.py";
+CI_POETRY=$HOME/.poetry/bin/poetry;
+CI_VENV_PIP="$CI_VENV/bin/pip";
+CI_VENV_PIP_VERSION=19.3.1;
+CI_VENV_TOX="$CI_VENV/bin/tox";
+
+mkdir --parents "$CI_CACHE";
+
+command -v python;
+python --version;
+
+# ##### Install Poetry #####
+#
+# Download the poetry install script to the cache directory and then install poetry.
+# After dump the poetry version for later reference.
+#
+curl https://raw.githubusercontent.com/python-poetry/poetry/master/get-poetry.py \
+  --output "$CI_CACHE_GET_POETRY" \
+  --silent \
+  --show-error \
+  --location;
+python "$CI_CACHE_GET_POETRY" --yes 1>/dev/null;
+
+python "$CI_POETRY" --version --no-ansi;
+
+# ##### Setup Runtime Venv #####
+#
+# Create a virtual environment for poetry to use, upgrade pip in that venv to a pinned
+# version, then install the current project to the venv.
+#
+# Note 1: Poetry, Tox, and this project plugin all use pip under the hood for package
+#         installation. This means that even though we are creating up to eight venvs
+#         during a given CI run they all share the same download cache.
+# Note 2: The "VIRTUAL_ENV=$CI_VENV" prefix on the poetry commands below sets the venv
+#         that poetry will use for operations. There is no CLI flag for poetry that
+#         directs it to use a given environment, but if it finds itself in an existing
+#         environment it will use it and skip environment creation.
+#
+python -m venv "$CI_VENV";
+
+$CI_VENV_PIP install "pip==$CI_VENV_PIP_VERSION" \
+  --upgrade \
+  --quiet;
+
+VIRTUAL_ENV=$CI_VENV "$CI_POETRY" install \
+  --extras poetry \
+  --quiet \
+  --no-ansi \
+  &>/dev/null;
+
+# ##### Print Debug Info #####
+#
+# Print the pip and tox versions (which will include registered plugins)
+#
+$CI_VENV_PIP --version;
+echo "tox $($CI_VENV_TOX --version)";

.github/workflows/ci.yaml

@@ -0,0 +1,72 @@
+---
+name: CI
+on:
+  pull_request:
+    types: ["opened", "synchronize"]
+  push:
+    branches: ["devel"]
+jobs:
+  Test:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python:
+          - version: 3.6
+            toxenv: py36
+          - version: 3.7
+            toxenv: py37
+          - version: 3.8
+            toxenv: py38
+          - version: 3.9
+            toxenv: py39
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Setup:python${{ matrix.python.version }}
+        uses: actions/setup-python@v1
+        with:
+          python-version: ${{ matrix.python.version }}
+      - name: Setup:cache
+        uses: actions/cache@v2
+        with:
+          path: |
+            ~/.cache/pip
+            ~/.cache/pypoetry/cache
+            ~/.poetry
+          # Including the hashed poetry.lock in the cache slug ensures that the cache
+          # will be invalidated, and thus all packages will be redownloaded, if the
+          # lockfile is updated
+          key: ${{ runner.os }}-${{ matrix.python.toxenv }}-${{ hashFiles('**/poetry.lock') }}
+      - name: Setup:env
+        run: .github/scripts/setup-env.sh
+      - name: Run:${{ matrix.python.toxenv }}
+        run: $HOME/ci/bin/tox \
+          -e ${{ matrix.python.toxenv }} \
+          --require-poetry
+  Check:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Setup:python3.8
+        uses: actions/setup-python@v1
+        with:
+          python-version: 3.8
+      - name: Setup:cache
+        uses: actions/cache@v2
+        with:
+          path: |
+            ~/.cache/pip
+            ~/.cache/pypoetry/cache
+            ~/.poetry
+          # Hardcoded 'py38' slug here lets this cache piggyback on the 'py38' cache
+          # that is generated for the tests above
+          key: ${{ runner.os }}-py38-${{ hashFiles('**/poetry.lock') }}
+      - name: Setup:env
+        run: .github/scripts/setup-env.sh
+      - name: Run:static
+        run: $HOME/ci/bin/tox -e static --require-poetry
+      - name: Run:static-tests
+        run: $HOME/ci/bin/tox -e static-tests --require-poetry
+      - name: Run:security
+        run: $HOME/ci/bin/tox -e security --require-poetry

.pre-commit-config.yaml

@@ -1,28 +1,48 @@
 ---
+# All of the pre-commit hooks here actually use the `pytyhon` pre-commit language
+# setting. However, for the python language setting, pre-commit will create and manage
+# a cached virtual environment for each hook ID and do a bare `pip install <repo>` into
+# the venv to setup the hook. This can result in conflicting dependency versions between
+# the version installed to the pre-commit venv and the version installed to the Poetry
+# venv specified in the lockfile.
+#
+# The solution is to specify `language: system` for all hooks and then install the
+# required dependencies to the Poetry venv. The `system` language skips the isolated
+# venv creation and looks for the entrypoint specified by the hook in the global
+# environment which, if running in the Poetry venv, will find the entrypoint provided
+# by the Poetry-managed dependency.
+#
 repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v3.3.0
+    hooks:
+      - id: end-of-file-fixer
+        language: system
+      - id: fix-encoding-pragma
+        args:
+          - "--remove"
+        language: system
+      - id: trailing-whitespace
+        language: system
+      - id: check-merge-conflict
+        language: system
+
   - repo: https://github.com/psf/black
     rev: 20.8b1
     hooks:
       - id: black
-        language_version: python3.7
+        language: system
 
   - repo: https://github.com/asottile/blacken-docs
-    rev: v0.5.0
+    rev: v1.8.0
     hooks:
       - id: blacken-docs
-        additional_dependencies: [black==20.8b1]
-        language_version: python3.7
+        language: system
 
   - repo: https://github.com/asottile/reorder_python_imports
-    rev: v2.3.5
+    rev: v2.3.6
     hooks:
       - id: reorder-python-imports
-        language_version: python3
-
-  - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v2.0.0
-    hooks:
-      - id: end-of-file-fixer
-      - id: fix-encoding-pragma
-        args: [--remove]
-      - id: trailing-whitespace
+        args:
+          - "--unclassifiable-application-module=tox_poetry_installer"
+        language: system

Makefile

@@ -19,7 +19,7 @@ clean-py:
 	rm --recursive --force ./dist
 	rm --recursive --force ./build
 	rm --recursive --force ./*.egg-info
-	rm --recursive --force __pycache__/
+	rm --recursive --force ./**/__pycache__/
 
 clean: clean-tox clean-py; ## Clean temp build/cache files and directories
 
@@ -33,4 +33,4 @@ test: ## Run the project testsuite(s)
 	poetry run tox --recreate
 
 publish: wheel source ## Build and upload to pypi (requires $PYPI_API_KEY be set)
-	poetry publish --username __token__ --password $(PYPI_API_KEY)
+	@poetry publish --username __token__ --password $(PYPI_API_KEY)

README.md

@@ -1,21 +1,28 @@
 # tox-poetry-installer
 
 A plugin for [Tox](https://tox.readthedocs.io/en/latest/) that allows test environment
-dependencies to be installed using [Poetry](https://python-poetry.org/) using its lockfile.
+dependencies to be installed using [Poetry](https://python-poetry.org/) from its lockfile.
 
-⚠️ **This project is alpha software and should not be used in a production capacity** ⚠️
+⚠️ **This project is beta software and is under active development** ⚠️
 
-![image](https://img.shields.io/pypi/l/tox-poetry-installer)
-![image](https://img.shields.io/pypi/v/tox-poetry-installer)
-![image](https://img.shields.io/pypi/pyversions/tox-poetry-installer)
+[![ci-status](https://github.com/enpaul/tox-poetry-installer/workflows/CI/badge.svg?event=push)](https://github.com/enpaul/tox-poetry-installer/actions)
+[![pypi-version](https://img.shields.io/pypi/v/tox-poetry-installer)](https://pypi.org/project/tox-poetry-installer/)
+[![pypi-downloads](https://img.shields.io/pypi/dm/tox-poetry-installer)](https://libraries.io/pypi/tox-poetry-installer)
+[![license](https://img.shields.io/pypi/l/tox-poetry-installer)](https://opensource.org/licenses/MIT)
+[![python-versions](https://img.shields.io/pypi/pyversions/tox-poetry-installer)](https://www.python.org)
+[![Code style: black](https://img.shields.io/badge/code%20style-black-000000.svg)](https://github.com/psf/black)
 
 **Documentation**
 
-* [Installation](#installation)
+* [Introduction](#introduction)
+  * [Install](#install)
   * [Quick Start](#quick-start)
-* [Usage](#usage)
-* [Known Drawbacks and Problems](#known-drawbacks-and-problems)
   * [Why would I use this?](#why-would-i-use-this) (What problems does this solve?)
+* [Reference](#reference)
+  * [Configuration Options](#configuration-options)
+  * [Command-line Arguments](#command-line-arguments)
+  * [Errors](#errors)
+  * [Advanced Usage](#advanced-usage)
 * [Developing](#developing)
 * [Contributing](#contributing)
 * [Roadmap](#roadmap)
@@ -25,317 +32,186 @@ dependencies to be installed using [Poetry](https://python-poetry.org/) using it
 Related resources:
 * [Poetry Python Project Manager](https://python-poetry.org/)
 * [Tox Automation Project](https://tox.readthedocs.io/en/latest/)
-* [Tox plugins](https://tox.readthedocs.io/en/latest/plugins.html)
+* [Other Tox plugins](https://tox.readthedocs.io/en/latest/plugins.html)
+
+Similar projects:
+* [Poetry Dev-Dependencies Tox Plugin](https://github.com/sinoroc/tox-poetry-dev-dependencies)
+* [Poetry Tox Plugin](https://github.com/tkukushkin/tox-poetry)
 
 
-## Installation
+## Introduction
 
-Add the plugin as a development dependency a project using Poetry:
+This is a plugin to unify two great projects in the Python ecosystem: the
+[Tox](https://tox.readthedocs.io/en/latest/) automation project and the
+[Poetry](https://python-poetry.org) project/dependency manager. Specifically it allows
+the repeatable dependency resolution and installation tools that Poetry uses to benefit
+the isolated environments that Tox uses to run automated tests. The motivation to write
+this plugin came from a need for a single source of truth for the versions of all
+packages that should be installed to an environment.
 
-```
-~ $: poetry add tox-poetry-installer --dev
+When in use this plugin will allow a Tox environment to install its required
+dependencies using the versions specified in the Poetry lockfile. This eliminates
+needing to specify package versions in multiple places as well as ensures that the Tox
+environment has the exact same versions of a given package as the Poetry environment.
+This reduces (or hopefully eliminates) hard to debug problems caused by subtle
+differences in the dependency graph of the active development environment (the one managed
+by Poetry) and the automated test environment(s) created by Tox.
+
+To learn more about the problems this plugin aims to solve jump ahead to
+[What problems does this solve?](#why-would-i-use-this).
+Otherwise keep reading to get started.
+
+### Install
+
+The recommended way to install the plugin is to add it to a project's `pyproject.toml`
+and lockfile using Poetry:
+
+```bash
+poetry add tox-poetry-installer[poetry] --dev
 ```
 
-Confirm that the plugin is installed, and Tox recognizes it, by checking the Tox version:
+**WARNING:** The below installation methods are vulnerable to the
+[transient dependency issues this plugin aims to avoid](#why-would-i-use-this). It is
+always recommended to install dependencies using Poetry whenever possible.
+
+The plugin can also be installed with pip directly, though it is recommended to always
+install to a virtual environment and pin to a specific version:
+
+```bash
+source my-venv/bi/activate
+pip install tox-poetry-installer[poetry] == 0.6.0
+```
+
+The plugin can also be installed using the Tox
+[`requires`]((https://tox.readthedocs.io/en/latest/config.html#conf-requires))
+configuration option. Note however that dependencies installed via the `requires` option
+are not handled by the plugin and will be installed the same way as a `pip install ...`
+above. For this reason it is also recommended to always pin to a specific version when
+using this installation method:
+
+```ini
+# tox.ini
+[tox]
+requires
+    tox-poetry-installer[poetry] == 0.6.0
+```
+
+Check that the plugin is registered by checking the Tox version:
 
 ```
 ~ $: poetry run tox --version
 3.20.0 imported from .venv/lib64/python3.8/site-packages/tox/__init__.py
 registered plugins:
-    tox-poetry-installer-0.2.0 at .venv/lib64/python3.8/site-packages/tox_poetry_installer.py
+    tox-poetry-installer-0.6.0 at .venv/lib64/python3.8/site-packages/tox_poetry_installer.py
 ```
 
-If using in a CI/automation environment using Pip, ensure that the plugin is installed to the
-same environment as Tox:
+**NOTE:** Installing the `tox-poetry-installer[poetry]` extra will add the `poetry`
+package as a managed environment dependency which can cause problems when the Poetry
+installation is externally managed (such as in a CI or container environment). See
+[Advanced Usage](#installing-alongside-an-existing-poetry-installation) for more
+information on this use case.
 
-```
-# Calling the virtualenv's 'pip' binary directly will cause pip to install to that virtualenv
-~ $: /path/to/my/automation/virtualenv/bin/pip install tox
-~ $: /path/to/my/automation/virtualenv/bin/pip install tox-poetry-installer
-```
+### Quick Start
 
+Before making any changes to `tox.ini` the project is already benefiting from having
+the plugin installed: all dependencies of the root project package are installed using
+the Poetry backend to all Tox environments that install the root package without any
+configuration changes.
 
-## Quick Start
-
-To require a Tox environment install all it's dependencies from the Poetry lockfile, add the
-`require_locked_deps = true` option to the environment configuration and remove all version
-specifiers from the dependency list. The versions to install will be taken from the lockfile
-directly:
+To add dependencies from the lockfile to a Tox environment, add the option
+[`locked_deps`](#locked_deps) to the environment configuration and list names of
+dependencies (with no version specifier) under it:
 
 ```ini
 [testenv]
-description = Run the tests
-require_locked_deps = true
-deps =
-    pytest
-    pytest-cov
+description = Some very cool tests
+locked_deps =
     black
     pylint
     mypy
 commands = ...
 ```
 
-To require specific dependencies be installed from the Poetry lockfile, and let the rest be
-installed using the default Tox installation method, add the suffix `@poetry` to the dependencies.
-In the example below the `pytest`, `pytest-cov`, and `black` dependencies will be installed using
-the lockfile while `pylint` and `mypy` will be installed using the versions specified here:
+The standard [`deps`](https://tox.readthedocs.io/en/latest/config.html#conf-deps) option
+can be used in parallel with the `locked_deps` option to install unlocked dependencies
+(dependencies not in the lockfile) alongside locked dependencies:
 
 ```ini
 [testenv]
-description = Run the tests
-require_locked_deps = true
-deps =
-    pytest@poetry
-    pytest-cov@poetry
-    black@poetry
-    pylint >=2.5.0
-    mypy == 0.770
-commands = ...
-```
-
-**Note:** Regardless of the settings outlined above, all dependencies of the project package (the
-one Tox is testing) will always be installed from the lockfile.
-
-
-## Usage
-
-After installing the plugin to a project, your Tox automation is already benefiting from the
-lockfile: when Tox installs your project package to one of your environments, all the dependencies
-of your project package will be installed using the versions specified in the lockfile. This
-happens automatically and requires no configuration changes.
-
-But what about the rest of your Tox environment dependencies?
-
-Let's use an example `tox.ini` file, below, that defines two environments: the main `testenv` for
-running the project tests and `testenv:check` for running some other helpful checks:
-
-```ini
-[tox]
-envlist = py37, static
-isolated_build = true
-
-[testenv]
-description = Run the tests
-deps =
-    pytest == 5.3.0
-commands = ...
-
-[testenv:check]
-description = Static formatting and quality enforcement
-deps =
-    pylint >=2.4.4,<2.6.0
-    mypy == 0.770
-    black --pre
-commands = ...
-```
-
-Let's focus on the `testenv:check` environment first. In this project there's no reason that any
-of these tools should be a different version than what a human developer is using when installing
-from the lockfile. We can require that these dependencies be installed from the lockfile by adding
-the option `require_locked_deps = true` to the environment config, but this will cause an error:
-
-```ini
-[testenv:check]
-description = Static formatting and quality enforcement
-require_locked_deps = true
-deps =
-    pylint >=2.4.4,<2.6.0
-    mypy == 0.770
-    black --pre
-commands = ...
-```
-
-Running Tox using this config gives us this error:
-
-```
-tox_poetry_installer.LockedDepVersionConflictError: Locked dependency 'pylint >=2.4.4,<2.6.0' cannot include version specifier
-```
-
-This is because we told the Tox environment to require all dependencies to be locked, but then also
-specified a specific version constraint for Pylint. With the `require_locked_deps = true` setting
-Tox expects all dependencies to take their version from the lockfile, so when it got conflicting
-information it errors. We can fix this by simply removing all version specifiers from the
-environment dependency list:
-
-```ini
-[testenv:check]
-description = Static formatting and quality enforcement
-require_locked_deps = true
-deps =
+description = Some very cool tests
+locked_deps =
+    black
     pylint
     mypy
-    black
+deps =
+    pytest == 6.1.1
+    pytest-cov >= 2.10, <2.11
 commands = ...
 ```
 
-Now all the dependencies will be installed from the lockfile. If Poetry updates the lockfile with
-a new version then that updated version will be automatically installed when the Tox environment is
-recreated.
-
-Now let's look at the `testenv` environment. Let's make the same changes to the `testenv`
-environment that we made to `testenv:check` above; remove the PyTest version and add
-`require_locked_deps = true`. Then imagine that we want to add a new (made up) tool the test
-environment called `crash_override` to the environment: we can add `crash-override` as a dependency
-of the test environment, but this will cause an error:
+Alternatively, to quickly install all Poetry dev-dependencies to a Tox environment, add the
+[`install_dev_deps`](#install_dev_deps) option to the environment configuration:
 
 ```ini
 [testenv]
-description = Run the tests
-require_locked_deps = true
-deps =
-    pytest
-    crash-override
-commands = ...
+description = Some very cool tests
+install_dev_deps = true
 ```
 
-Running Tox with this config gives us this error:
+See the [Reference](#reference) section for more details on available
+configuration options and the [Advanced Usage](#advanced-usage) section for some
+unusual use cases.
 
-```
-tox_poetry_installer.LockedDepNotFoundError: No version of locked dependency 'crash-override' found in the project lockfile
-```
-
-This is because `crash-override` is not in our lockfile. Tox will refuse to install a dependency
-that isn't in the lockfile to an an environment that specifies `require_locked_deps = true`. We
-could fix this (if `crash-override` was a real package) by running
-`poetry add crash-override --dev` to add it to the lockfile.
-
-Now let's combine dependencies from the lockfile ("locked dependencies") with dependencies that are
-specified inline in the environment configuration ("unlocked dependencies").
-[This isn't generally recommended of course](#why-would-i-use-this), but it's a valid use case and
-fully supported by this plugin. Let's modify the `testenv` configuration to install PyTest from the
-lockfile but then install an older version of the
-[Requests](https://requests.readthedocs.io/en/master/) library.
-
-The first thing to do is remove the `require_locked_deps = true` setting so that we can install
-Requests as an unlocked dependency. Then we can add our version of requests to the dependency list:
-
-```ini
-[testenv]
-description = Run the tests
-deps =
-    pytest
-    requests >=2.2.0,<2.10.0
-commands = ...
-```
-
-However we still want `pytest` to be installed from the lockfile, so the final step is to tell Tox
-to install it from the lockfile by adding the suffix `@poetry` to it:
-
-```ini
-[testenv]
-description = Run the tests
-deps =
-    pytest@poetry
-    requests >=2.2.0,<2.10.0
-commands = ...
-```
-
-Now when the `testenv` environment is created it will install PyTest (and all of its dependencies)
-from the lockfile while it will install Requests (and all of its dependencies) using the default
-Tox installation backend using Pip.
-
-
-## Known Drawbacks and Problems
-
-* The following `tox.ini` configuration options have no effect on the dependencies installed from
-  the Poetry lockfile (note that they will still affect unlocked dependencies):
-  * [`install_command`](https://tox.readthedocs.io/en/latest/config.html#conf-install_command)
-  * [`pip_pre`](https://tox.readthedocs.io/en/latest/config.html#conf-pip_pre)
-  * [`downloadcache`](https://tox.readthedocs.io/en/latest/config.html#conf-downloadcache) (deprecated)
-  * [`download`](https://tox.readthedocs.io/en/latest/config.html#conf-download)
-  * [`indexserver`](https://tox.readthedocs.io/en/latest/config.html#conf-indexserver)
-  * [`usedevelop`](https://tox.readthedocs.io/en/latest/config.html#conf-indexserver)
-
-* The [`extras`](https://tox.readthedocs.io/en/latest/config.html#conf-extras) setting in `tox.ini`
-  does not work. Optional dependencies of the project package will not be installed to Tox
-  environments. (See the [road map](#roadmap))
-
-* The plugin currently depends on `poetry<1.1.0`. This can be a different version than Poetry being
-  used for actual project development. (See the [road map](#roadmap))
-
-* There are a handful of packages that cannot be installed from the lockfile, whether as specific
-  dependencies or as transient dependencies (dependencies of dependencies). This is due to
-  [an ongoing discussion in the Poetry project](https://github.com/python-poetry/poetry/issues/1584);
-  the list of dependencies that cannot be installed from the lockfile can be found
-  [here](https://github.com/python-poetry/poetry/blob/cc8f59a31567f806be868aba880ae0642d49b74e/poetry/puzzle/provider.py#L55).
-  This plugin will skip these dependencies entirely, but log a warning when they are encountered.
-
-
-## Why would I use this?
-
-**Introduction**
-
-The lockfile is a file generated by a package manager for a project that lists what
-dependencies are installed, the versions of those dependencies, and additional metadata that
-the package manager can use to recreate the local project environment. This allows developers
-to have confidence that a bug they are encountering that may be caused by one of their
-dependencies will be reproducible on another device. In addition, installing a project
-environment from a lockfile gives confidence that automated systems running tests or performing
-builds are using the same environment that a developer is.
-
-[Poetry](https://python-poetry.org/) is a project dependency manager for Python projects, and
-as such it creates and manages a lockfile so that its users can benefit from all the features
-described above. [Tox](https://tox.readthedocs.io/en/latest/#what-is-tox) is an automation tool
-that allows Python developers to run tests suites, perform builds, and automate tasks within
-self contained [Python virtual environments](https://docs.python.org/3/tutorial/venv.html).
-To make these environments useful, Tox supports installing per-environment dependencies.
-However, since these environments are created on the fly and Tox does not maintain a lockfile,
-there can be subtle differences between the dependencies a developer is using and the
-dependencies Tox uses.
-
-This is where this plugin comes into play.
-
-By default Tox uses [Pip](https://docs.python.org/3/tutorial/venv.html) to install the
-PEP-508 compliant dependencies to a test environment. A more robust way to do this is to
-install dependencies directly from the lockfile so that the version installed to the Tox
-environment always matches the version Poetry specifies. This plugin overwrites the default
-Tox dependency installation behavior and replaces it with a Poetry-based installation using
-the dependency metadata from the lockfile.
+### Why would I use this?
 
 **The Problem**
 
-Environment dependencies for a Tox environment are usually done in PEP-508 format like the
-below example
+By default Tox uses Pip to install the [PEP-508](https://www.python.org/dev/peps/pep-0508/)
+compliant dependencies to a test environment. This plugin extends the default Tox
+dependency installation behavior to support installing dependencies using a Poetry-based
+installation method that makes use of the dependency metadata from Poetry's lockfile.
+
+Environment dependencies for a Tox environment are usually specified in PEP-508 format, like
+the below example:
 
 ```ini
-# tox.ini
-...
-
 [testenv]
 description = Some very cool tests
 deps =
     foo == 1.2.3
     bar >=1.3,<2.0
     baz
-
-...
 ```
 
-Perhaps these dependencies are also useful during development, so they can be added to the
+Let's assume these dependencies are also useful during development, so they can be added to the
 Poetry environment using this command:
 
  ```
- poetry add foo==1.2.3 bar>=1.3,<2.0 baz --dev
+ poetry add --dev \
+    foo==1.2.3 \
+    bar>=1.3,<2.0 \
+    baz
  ```
 
- However there are three potential problems that could arise from each of these environment
+ However there is a potential problem that could arise from each of these environment
  dependencies that would _only_ appear in the Tox environment and not in the Poetry
- environment:
+ environment in use by a developer:
 
  * **The `foo` dependency is pinned to a specific version:** let's imagine a security
    vulnerability is discovered in `foo` and the maintainers release version `1.2.4` to fix
-   it. A developer can run `poetry remove foo && poetry add foo^1.2` to get the new version,
-   but the Tox environment is left unchanged. The developer environment specified by the
-   lockfile is now patched against the vulnerability, but the Tox environment is not.
+   it. A developer can run `poetry remove foo` and then `poetry add foo^1.2` to get the new
+   version, but the Tox environment is left unchanged. The development environment, as defined by
+   the lockfile, is now patched against the vulnerability but the Tox environment is not.
 
 * **The `bar` dependency specifies a dynamic range:** a dynamic range allows a range of
   versions to be installed, but the lockfile will have an exact version specified so that
   the Poetry environment is reproducible; this allows versions to be updated with
-  `poetry update` rather than with the `remove` and `add` used above. If the maintainers of
-  `bar` release version `1.6.0` then the Tox environment will install it because it is valid
-  for the specified version range, meanwhile the Poetry environment will continue to install
-  the version from the lockfile until `poetry update bar` explicitly updates it. The
-  development environment is now has a different version of `bar` than the Tox environment.
+  `poetry update` rather than with the `remove` and `add` commands used above. If the
+  maintainers of `bar` release version `1.6.0` then the Tox environment will install it
+  because it is valid for the specified version range. Meanwhile the Poetry environment will
+  continue to install the version from the lockfile until `poetry update bar` explicitly
+  updates it. The development environment is now has a different version of `bar` than the Tox
+  environment.
 
 * **The `baz` dependency is unpinned:** unpinned dependencies are
   [generally a bad idea](https://python-poetry.org/docs/faq/#why-are-unbound-version-constraints-a-bad-idea),
@@ -344,48 +220,267 @@ Poetry environment using this command:
   but Pip (via Tox) will interpret it as a wildcard. If the latest version of `baz` is `1.0.0`
   then `poetry add baz` will result in a constraint of `baz>=1.0.0,<2.0.0` while the Tox
   environment will have a constraint of `baz==*`. The Tox environment can now install an
-  incompatible version of `baz` that cannot be easily caught using `poetry update`.
+  incompatible version of `baz` and any errors that causes cannot be replicated using `poetry update`.
 
 All of these problems can apply not only to the dependencies specified for a Tox environment,
-but also to the dependencies of those dependencies, and so on.
+but also to the dependencies of those dependencies, those dependencies' dependencies, and so on.
 
 **The Solution**
 
-This plugin requires that all dependencies specified for all Tox environments be unbound
-with no version constraint specified at all. This seems counter-intuitive given the problems
-outlined above, but what it allows the plugin to do is offload all version management to
-Poetry.
-
-On initial inspection, the environment below appears less stable than the one presented above
-because it does not specify any versions for its dependencies:
+This plugin allows dependencies specified in Tox environment take their version directly from
+the Poetry lockfile without needing an independent version to be specified in the Tox
+environment configuration. The modified version of the example environment given below appears
+less stable than the one presented above because it does not specify any versions for its
+dependencies:
 
 ```ini
-# tox.ini
-...
-
 [testenv]
 description = Some very cool tests
-deps =
+require_locked_deps = true
+locked_deps =
     foo
     bar
     baz
-
-...
 ```
 
-However with the `tox-poetry-installer` plugin installed this instructs Tox to install these
-dependencies using the Poetry lockfile so that the version installed to the Tox environment
-exactly matches the version Poetry is managing. When `poetry update` updates the lockfile
-with new dependency versions, Tox will automatically install these new versions without needing
-any changes to the configuration.
+However with the `tox-poetry-installer` plugin installed Tox will install these
+dependencies from the Poetry lockfile so that the version installed to the Tox
+environment exactly matches the version Poetry is managing. When `poetry update` updates
+the lockfile with new versions of these dependencies, Tox will automatically install
+these new versions without needing any changes to the configuration.
 
-All dependencies are specified in one place (the lockfile) and dependency version management is
-handled by a tool dedicated to that task (Poetry).
+
+## Reference
+
+### Configuration Options
+
+All options listed below are Tox environment options and can be applied to one or more
+environment sections of the `tox.ini` file. They cannot be applied to the global Tox
+configuration section.
+
+**NOTE:** Environment settings applied to the main `testenv` environment will be
+inherited by child environments (i.e. `testenv:foo`) unless they are explicitly
+overridden by the child environment's configuration.
+
+#### `locked_deps`
+
+* **Type:** multi-line list
+* **Default:** `[]`
+
+Names of packages in the Poetry lockfile to install to the Tox environment. All
+dependencies specified here will be installed to the Tox environment using the details
+given by the Poetry lockfile.
+
+#### `require_locked_deps`
+
+
+* **Type:** boolean
+* **Default:** `false`
+
+Whether the environment should allow unlocked dependencies (dependencies not in the
+Poetry lockfile) to be installed alongside locked dependencies. If `true` then an error
+will be raised if the environment specifies unlocked dependencies to install and the
+plugin will block any other plugins from using the
+[`tox_testenv_install_deps`](https://tox.readthedocs.io/en/latest/plugins.html#tox.hookspecs.tox_testenv_install_deps)
+hook.
+
+#### `install_dev_deps`
+
+* **Type:** boolean
+* **Default:** `false`
+
+Whether all Poetry dev-dependencies should be installed to the environment. If `true`
+then all dependencies specified in the
+[`dev-dependencies`](https://python-poetry.org/docs/pyproject/#dependencies-and-dev-dependencies)
+section of `pyproject.toml` will be installed automatically.
+
+### Command-line Arguments
+
+All arguments listed below can be passed to the `tox` command to modify runtime behavior
+of the plugin.
+
+#### `--require-poetry`
+
+Indicates that Poetry is expected to be available to Tox and, if it is not, then the Tox
+run should fail. If provided and the `poetry` package is not installed to the same
+environment as the `tox` package then Tox will fail.
+
+**NOTE:** See [Advanced Usage](#installing-alongside-an-existing-poetry-installation)
+for more information.
+
+### Errors
+
+If the plugin encounters an error while processing a Tox environment then it will mark
+the environment as failed and set the environment status to one of the values below:
+
+**NOTE:** In addition to the reasons noted below, the plugin can encounter errors if the
+Poetry lockfile is not up-to-date with `pyproject.toml`. To resynchronize the
+lockfile with the `pyproject.toml` run one of
+[`poetry update`](https://python-poetry.org/docs/cli/#update) or
+[`poetry lock`](https://python-poetry.org/docs/cli/#lock)
+
+#### Poetry Not Installed Error
+
+* **Status value:** `PoetryNotInstalledError`
+* **Cause:** Indicates that the `poetry` module could not be imported from the same
+  environment as the running `tox` module and the runtime flags specified
+  [`--require-poetry`](#--require-poetry).
+* **Resolution options:**
+  * Install Poetry: ensure that `poetry` is installed to the same environment as `tox`.
+  * Skip running the plugin: remove the `--require-poetry` flag from the runtime options.
+
+**NOTE:** See [Advanced Usage](#installing-alongside-an-existing-poetry-installation)
+for more information.
+
+#### Locked Dependency Version Conflict Error
+
+* **Status value:** `LockedDepVersionConflictError`
+* **Cause:** Indicates that a dependency specified in the [`locked_deps`](#locked_deps)
+  configuration option in `tox.ini` includes a
+  [PEP-508 version specifier](https://www.python.org/dev/peps/pep-0508/#grammar)
+  (i.e. `pytest >=6.0, <6.1`).
+* **Resolution options:**
+  * Use the dependency version from the lockfile: remove any/all version specifiers
+    from the item in the `locked_deps` list in `tox.ini`.
+  * Do not install the dependency: remove the item from the `locked_deps` list in
+    `tox.ini`.
+
+#### Locked Dependency Not Found Error
+
+* **Status value:** `LockedDepNotFoundError`
+* **Cause:** Indicates that a dependency specified in the [`locked_deps`](#locked_deps)
+  configuration option in `tox.ini` could not be found in the Poetry lockfile.
+* **Resolution options:**
+  * Add the dependency to the lockfile: run
+    [`poetry add <dependency>`](https://python-poetry.org/docs/cli/#add).
+  * Do not install the dependency: remove the item from the `locked_deps` list in
+    `tox.ini`.
+
+#### Extra Not Found Error
+
+* **Status value:** `ExtraNotFoundError`
+* **Cause:** Indicates that the [`extras`](https://tox.readthedocs.io/en/latest/config.html#conf-extras)
+  configuration option specified a setuptools extra that is not configured by Poetry in
+  `pyproject.toml`
+* **Resolution options:**
+  * Configure the extra: add a section for the named extra to the
+    [`extras`](https://python-poetry.org/docs/pyproject/#extras) section of
+    `pyproject.toml` and optionally assign dependencies to the named extra using the
+    [`--optional`](https://python-poetry.org/docs/cli/#options_3) dependency setting.
+  * Remove the extra: remove the item from the `extras` list in `tox.ini`.
+
+#### Locked Dependencies Required Error
+
+* **Status value:** `LockedDepsRequiredError`
+* **Cause:** Indicates that an environment with the [`require_locked_deps`](#require_locked_deps)
+  configuration option also specified unlocked dependencies using
+  [`deps`](https://tox.readthedocs.io/en/latest/config.html#conf-deps) option in
+  `tox.ini`.
+* **Resolution options:**
+  * Remove all unlocked dependencies: remove the `deps` configuration option in
+    `tox.ini`.
+  * Allow unlocked dependencies: remove the `require_locked_deps` configuration option
+    in `tox.ini` or explicitly set `require_locked_deps = false`.
+
+### Advanced Usage
+
+#### Unsupported Tox configuration options
+
+The `tox.ini` configuration options listed below have no effect on the dependencies
+installed by this plugin the Poetry lockfile. Note that these settings will still be
+applied by the default Tox installation backend when installing unlocked dependencies
+using the built-in `deps` option.
+
+  * [`install_command`](https://tox.readthedocs.io/en/latest/config.html#conf-install_command)
+  * [`pip_pre`](https://tox.readthedocs.io/en/latest/config.html#conf-pip_pre)
+  * [`download`](https://tox.readthedocs.io/en/latest/config.html#conf-download)
+  * [`indexserver`](https://tox.readthedocs.io/en/latest/config.html#conf-indexserver)
+  * [`usedevelop`](https://tox.readthedocs.io/en/latest/config.html#conf-indexserver)
+
+All of these options are obsoleted by using the Poetry backend. If a given package
+installs successfully using Poetry (using either `poetry add <package>` or
+`poetry install`) then the required configuration options are already properly set in
+the Poetry configuration and the plugin will automatically use the same settings when
+installing the package.
+
+#### Reinstalling locked dependencies to a Tox environment
+
+Updating the `poetry.lock` file will not automatically cause Tox to install the updated
+lockfile specifications to the Tox environments that specify them.
+
+The Tox environment(s) with updated locked dependencies must be deleted and recreated
+using the [`--recreate`](https://tox.readthedocs.io/en/latest/config.html#cmdoption-tox-r)
+runtime flag. Alternatively Tox can be configured to always recreate an environment by
+setting the [`recreate`](https://tox.readthedocs.io/en/latest/config.html#conf-recreate)
+option in `tox.ini`.
+
+#### Installing Poetry's unsafe dependencies
+
+There are several packages that cannot be installed from the lockfile because they are
+excluded by Poetry itself. As a result these packages cannot be installed by this plugin
+either as environment dependencies (passed directly to [`locked_deps`](#locked_deps)) or
+as transient dependencies (a dependency of a locked dependency).
+
+As of [Poetry-1.1.4](https://github.com/python-poetry/poetry/releases/tag/1.1.4) there
+are four packages classified as "unsafe" by Poetry and excluded from the lockfile:
+
+* `setuptools`
+* `distribute`
+* `pip`
+* `wheel`
+
+When one of these packages is encountered by the plugin a warning will be logged and
+_**the package will not be installed to the environment**_. If the unsafe package
+is required for the environment then it will need to be specified as an unlocked
+dependency using the [`deps`](https://tox.readthedocs.io/en/latest/config.html#conf-deps)
+configuration option in `tox.ini`, ideally with an exact pinned version.
+
+* The set of packages excluded from the Poetry lockfile can be found in
+  [`poetry.puzzle.provider.Provider.UNSAFE_DEPENDENCIES`](https://github.com/python-poetry/poetry/blob/master/poetry/puzzle/provider.py)
+* There is an ongoing discussion of Poetry's handling of these packages at
+  [python-poetry/poetry#1584](https://github.com/python-poetry/poetry/issues/1584)
+
+#### Installing alongside an existing Poetry installation
+
+The plugin specifies the `poetry` package as an optional dependency to support an
+externally managed Poetry installation such as in a container or CI environment. This
+gives greater flexibility when using Poetry arguments like `--no-root`, `--no-dev`, or
+`--remove-untracked` which can cause Poetry to uninstall itself if Poetry is specified
+as a dependency of one of the packages it is managing (like this plugin).
+
+To have the plugin use the externally-managed Poetry package simply do not install the
+`poetry` extra when installing this plugin:
+
+```bash
+# Installing Poetry as a dependency with the plugin
+poetry add tox-poetry-installer[poetry]
+
+# Relying on an externally managed Poetry installation
+poetry add tox-poetry-installer
+```
+
+Note that Poetry is an optional dependency to support this use case _only_: Poetry must
+be installed to the same environment as Tox for the plugin to function. To check that
+the local environment has all of the required modules in scope run the below command:
+
+```bash
+python -c '\
+  import tox;\
+  import tox_poetry_installer;\
+  from poetry.poetry import Poetry;\
+'
+```
+
+**NOTE:** To force Tox to fail if Poetry is not installed, run the `tox` command with
+the [`--require-poetry`](#--require-poetry) option.
 
 
 ## Developing
 
-This project requires Poetry-1.0+, see the [installation instructions here](https://python-poetry.org/docs/#installation).
+This project requires Poetry version 1.0+ on the development workstation, see
+the [installation instructions here](https://python-poetry.org/docs/#installation).
+
+Local environment setup instructions:
 
 ```bash
 # Clone the repository...
@@ -396,7 +491,7 @@ git clone git@github.com:enpaul/tox-poetry-installer.git
 
 # Create a the local project virtual environment and install dependencies
 cd tox-poetry-installer
-poetry install
+poetry install -E poetry
 
 # Install pre-commit hooks
 poetry run pre-commit install
@@ -405,11 +500,18 @@ poetry run pre-commit install
 poetry run tox
 ```
 
+**NOTE:** Because the pre-commit hooks require dependencies in the Poetry environment it
+is recommend to [launch an environment shell](https://python-poetry.org/docs/cli/#shell)
+when developing the project. Alternatively, many `git` commands will need to be run from
+outside of the environment shell by prefacing the command with
+[`poetry run`](https://python-poetry.org/docs/cli/#run).
+
 
 ## Contributing
 
 All project contributors and participants are expected to adhere to the
-[Contributor Covenant Code of Conduct, Version 2](CODE_OF_CONDUCT.md).
+[Contributor Covenant Code of Conduct, v2](CODE_OF_CONDUCT.md)
+([external link](https://www.contributor-covenant.org/version/2/0/code_of_conduct/)).
 
 The `devel` branch has the latest (potentially unstable) changes. The
 [tagged versions](https://github.com/enpaul/tox-poetry-installer/releases) correspond to the
@@ -418,7 +520,7 @@ releases on PyPI.
 * To report a bug, request a feature, or ask for assistance, please
   [open an issue on the Github repository](https://github.com/enpaul/tox-poetry-installer/issues/new).
 * To report a security concern or code of conduct violation, please contact the project author
-  directly at **ethan dot paul at enp dot one**.
+  directly at **‌me [at‌] enp dot‎ ‌one**.
 * To submit an update, please
   [fork the repository](https://docs.github.com/en/enterprise/2.20/user/github/getting-started-with-github/fork-a-repo)
   and
@@ -427,10 +529,10 @@ releases on PyPI.
 
 ## Roadmap
 
-This project is under active development and is classified as alpha software, not yet ready
-usage in production systems.
+This project is under active development and is classified as beta software, ready for
+production environments on a provisional basis only.
 
-* Beta classification will be assigned when the initial feature set is finalized
+* Beta classification was assigned with [v0.6.0](https://github.com/enpaul/tox-poetry-installer/releases/tag/0.6.0)
 * Stable classification will be assigned when the test suite covers an acceptable number of
   use cases
 
@@ -438,27 +540,29 @@ usage in production systems.
 
 - [X] Verify that primary package dependencies (from the `.package` env) are installed
       correctly using the Poetry backend.
-- [ ] Support the [`extras`](https://tox.readthedocs.io/en/latest/config.html#conf-extras)
-      Tox configuration option
+- [X] Support the [`extras`](https://tox.readthedocs.io/en/latest/config.html#conf-extras)
+      Tox configuration option ([#4](https://github.com/enpaul/tox-poetry-installer/issues/4))
 - [X] Add per-environment Tox configuration option to fall back to default installation
       backend.
-- [ ] Add detection of a changed lockfile to automatically trigger a rebuild of Tox
-      environments when necessary.
-- [ ] Add warnings when an unsupported Tox configuration option is detected while using the
-      Poetry backend.
+- [ ] ~Add warnings when an unsupported Tox configuration option is detected while using the
+      Poetry backend. ([#5](https://github.com/enpaul/tox-poetry-installer/issues/5))~
 - [X] Add trivial tests to ensure the project metadata is consistent between the pyproject.toml
       and the module constants.
-- [ ] Update to use [poetry-core](https://github.com/python-poetry/poetry-core)
-      Tox configuration option) and improve robustness of the Tox and Poetry module imports
-      to avoid potentially breaking API changes in upstream packages.
-- [ ] Find and implement a way to mitigate the [Poetry UNSAFE_DEPENDENCIES bug](https://github.com/python-poetry/poetry/issues/1584).
+- [X] Update to use [poetry-core](https://github.com/python-poetry/poetry-core) and
+      improve robustness of the Tox and Poetry module imports
+      to avoid potentially breaking API changes in upstream packages. ([#2](https://github.com/enpaul/tox-poetry-installer/issues/2))
+- [ ] ~Find and implement a way to mitigate the [UNSAFE_DEPENDENCIES issue](https://github.com/python-poetry/poetry/issues/1584) in Poetry.
+      ([#6](https://github.com/enpaul/tox-poetry-installer/issues/6))~
+- [X] Fix logging to make proper use of Tox's logging reporter infrastructure ([#3](https://github.com/enpaul/tox-poetry-installer/issues/3))
+- [X] Add configuration option for installing all dev-dependencies to a testenv ([#14](https://github.com/enpaul/tox-poetry-installer/issues/14))
 
 ### Path to Stable
 
 Everything in Beta plus...
 
-- [ ] Add tests for each feature version of Tox between 2.3 and 3.20
-- [ ] Add tests for Python-3.6, 3.7, and 3.8
-- [ ] Add Github Actions based CI
+- [ ] Add comprehensive unit tests
+- [ ] Add tests for each feature version of Tox between 3.0 and 3.20
+- [ ] Add tests for Python-3.6, 3.7, 3.8, and 3.9
+- [X] Add Github Actions based CI
 - [ ] Add CI for CPython, PyPy, and Conda
 - [ ] Add CI for Linux and Windows

pyproject.toml

@@ -1,15 +1,21 @@
 [tool.poetry]
 name = "tox-poetry-installer"
-version = "0.2.1"
+version = "0.6.1"
 license = "MIT"
 authors = ["Ethan Paul <24588726+enpaul@users.noreply.github.com>"]
 description = "Tox plugin to install Tox environment dependencies using the Poetry backend and lockfile"
 repository = "https://github.com/enpaul/tox-poetry-installer/"
-packages = [{include = "tox_poetry_installer.py"}]
+packages = [
+  {include = "tox_poetry_installer"},
+  {include = "tests/*.py", format = "sdist"}
+]
+include = [
+  "tox_poetry_installer/py.typed"
+]
 keywords = ["tox", "poetry", "plugin"]
 readme = "README.md"
 classifiers = [
-  "Development Status :: 3 - Alpha",
+  "Development Status :: 4 - Beta",
   "Environment :: Plugins",
   "Framework :: tox",
   "Intended Audience :: Developers",
@@ -19,31 +25,38 @@ classifiers = [
   "Programming Language :: Python :: 3.6",
   "Programming Language :: Python :: 3.7",
   "Programming Language :: Python :: 3.8",
+  "Programming Language :: Python :: 3.9",
   "Programming Language :: Python :: Implementation :: CPython",
 ]
 
 [tool.poetry.plugins.tox]
 poetry_installer = "tox_poetry_installer"
 
+[tool.poetry.extras]
+poetry = ["poetry"]
+
 [tool.poetry.dependencies]
-python = "^3.6"
-poetry = ">=1.0.0, <1.1.0"
-tox = "^2.3.0 || ^3.0.0"
+python = "^3.6.1"
+poetry = {version = "^1.0.0", optional = true}
+poetry-core = "^1.0.0"
+tox = "^3.0.0"
 
 [tool.poetry.dev-dependencies]
 bandit = "^1.6.2"
 black = { version = "^20.8b1", allow-prereleases = true }
+blacken-docs = "^1.8.0"
 ipython = { version = "^7.18.1", python = "^3.7" }
 mypy = "^0.782"
-pre-commit = {version = "^2.7.1", python = "^3.6.1"}
+pre-commit = "^2.7.1"
+pre-commit-hooks = "^3.3.0"
 pylint = "^2.4.4"
 pytest = "^6.0.2"
 pytest-cov = "^2.10.1"
-reorder-python-imports = {version = "^2.3.5", python = "^3.6.1"}
+reorder-python-imports = "^2.3.5"
 safety = "^1.9.0"
 toml = "^0.10.1"
 tox = "^3.20.0"
 
 [build-system]
-requires = ["poetry>=1.0.0"]
-build-backend = "poetry.masonry.api"
+requires = ["poetry-core>=1.0.0"]
+build-backend = "poetry.core.masonry.api"

tests/test_metadata.py

@@ -7,7 +7,7 @@ from pathlib import Path
 
 import toml
 
-import tox_poetry_installer
+from tox_poetry_installer import __about__
 
 
 def test_metadata():
@@ -16,16 +16,14 @@ def test_metadata():
     with (Path(__file__).resolve().parent / ".." / "pyproject.toml").open() as infile:
         pyproject = toml.load(infile, _dict=dict)
 
-    assert pyproject["tool"]["poetry"]["name"] == tox_poetry_installer.__title__
-    assert pyproject["tool"]["poetry"]["version"] == tox_poetry_installer.__version__
-    assert pyproject["tool"]["poetry"]["license"] == tox_poetry_installer.__license__
-    assert (
-        pyproject["tool"]["poetry"]["description"] == tox_poetry_installer.__summary__
-    )
-    assert pyproject["tool"]["poetry"]["repository"] == tox_poetry_installer.__url__
+    assert pyproject["tool"]["poetry"]["name"] == __about__.__title__
+    assert pyproject["tool"]["poetry"]["version"] == __about__.__version__
+    assert pyproject["tool"]["poetry"]["license"] == __about__.__license__
+    assert pyproject["tool"]["poetry"]["description"] == __about__.__summary__
+    assert pyproject["tool"]["poetry"]["repository"] == __about__.__url__
     assert (
         all(
-            item in tox_poetry_installer.__authors__
+            item in __about__.__authors__
             for item in pyproject["tool"]["poetry"]["authors"]
         )
         is True
@@ -33,7 +31,7 @@ def test_metadata():
     assert (
         all(
             item in pyproject["tool"]["poetry"]["authors"]
-            for item in tox_poetry_installer.__authors__
+            for item in __about__.__authors__
         )
         is True
     )

tox.ini

@@ -1,66 +1,64 @@
 [tox]
-envlist = py36, py37, py38, static, static-tests, security
+envlist = py36, py37, py38, py39, static, static-tests, security
 isolated_build = true
+skip_missing_interpreters = true
 
 [testenv]
 description = Run the tests
 require_locked_deps = true
-deps =
+extras =
+    poetry
+locked_deps =
     pytest
     pytest-cov
     toml
 commands =
-    pytest --cov tox_poetry_installer --cov-config {toxinidir}/.coveragerc tests/ --cov-report term-missing
+    pytest --cov {envsitepackagesdir}/tox_poetry_installer --cov-config {toxinidir}/.coveragerc --cov-report term-missing tests/
 
 [testenv:static]
 description = Static formatting and quality enforcement
-require_locked_deps = true
 basepython = python3.8
+platform = linux
 ignore_errors = true
-deps =
+require_locked_deps = true
+locked_deps =
+    pre-commit
+    pre-commit-hooks
+    black
+    blacken-docs
+    reorder-python-imports
     pylint
     mypy
-    black
-    reorder-python-imports
-    pre-commit
 commands =
-    black {toxinidir}/tox_poetry_installer.py
-    reorder-python-imports {toxinidir}/tox_poetry_installer.py
     pre-commit run --all-files
-    pylint --rcfile {toxinidir}/.pylintrc {toxinidir}/tox_poetry_installer.py
-    mypy --ignore-missing-imports --no-strict-optional {toxinidir}/tox_poetry_installer.py
+    pylint --rcfile {toxinidir}/.pylintrc {toxinidir}/tox_poetry_installer/
+    mypy --ignore-missing-imports --no-strict-optional {toxinidir}/tox_poetry_installer/
 
 [testenv:static-tests]
 description = Static formatting and quality enforcement for the tests
-require_locked_deps = true
 basepython = python3.8
+platform = linux
 ingore_errors = true
-deps =
+require_locked_deps = true
+locked_deps =
     pylint
     mypy
-    black
-    reorder-python-imports
-allowlist_externals =
-    bash
 commands =
-    black {toxinidir}/tests/
-    bash -c "reorder-python-imports {toxinidir}/tests/*.py --unclassifiable-application-module tox_poetry_installer"
     pylint --rcfile {toxinidir}/.pylintrc {toxinidir}/tests/
     mypy --ignore-missing-imports --no-strict-optional {toxinidir}/tests/
 
 [testenv:security]
 description = Security checks
-require_locked_deps = true
 basepython = python3.8
-ignore_errors = true
-skip_install = true
-deps =
+platform = linux
+ingore_errors = true
+require_locked_deps = true
+locked_deps =
     bandit
     safety
     poetry
-allowlist_externals =
-    bash
 commands =
-    bandit --quiet {toxinidir}/tox_poetry_installer.py
-    bash -c "bandit --quiet --skip B101 {toxinidir}/tests/*.py"
-    bash -c "poetry export --format requirements.txt --without-hashes --dev | safety check --stdin --bare"
+    bandit --recursive --quiet {toxinidir}/tox_poetry_installer/
+    bandit --recursive --quiet --skip B101 {toxinidir}/tests/
+    poetry export --format requirements.txt --output {envtmpdir}/requirements.txt --without-hashes --dev
+    safety check --bare --file {envtmpdir}/requirements.txt

tox_poetry_installer.py

@@ -1,290 +0,0 @@
-"""Tox plugin for installing environments using Poetry
-
-This plugin makes use of the ``tox_testenv_install_deps`` Tox plugin hook to replace the default
-installation functionality to install dependencies from the Poetry lockfile for the project. It
-does this by using ``poetry`` to read in the lockfile, identify necessary dependencies, and then
-use Poetry's ``PipInstaller`` class to install those packages into the Tox environment.
-"""
-from pathlib import Path
-from typing import Dict
-from typing import List
-from typing import NamedTuple
-from typing import Sequence
-from typing import Set
-from typing import Tuple
-
-from poetry.factory import Factory as PoetryFactory
-from poetry.factory import Poetry
-from poetry.installation.pip_installer import PipInstaller as PoetryPipInstaller
-from poetry.io.null_io import NullIO as PoetryNullIO
-from poetry.packages import Package as PoetryPackage
-from poetry.puzzle.provider import Provider as PoetryProvider
-from poetry.utils.env import VirtualEnv as PoetryVirtualEnv
-from tox import hookimpl
-from tox import reporter
-from tox.action import Action as ToxAction
-from tox.config import DepConfig as ToxDepConfig
-from tox.config import Parser as ToxParser
-from tox.venv import VirtualEnv as ToxVirtualEnv
-
-
-__title__ = "tox-poetry-installer"
-__summary__ = "Tox plugin to install Tox environment dependencies using the Poetry backend and lockfile"
-__version__ = "0.2.1"
-__url__ = "https://github.com/enpaul/tox-poetry-installer/"
-__license__ = "MIT"
-__authors__ = ["Ethan Paul <24588726+enpaul@users.noreply.github.com>"]
-
-
-# Valid PEP508 version delimiters. These are used to test whether a given string (specifically a
-# dependency name) is just a package name or also includes a version identifier.
-_PEP508_VERSION_DELIMITERS: Tuple[str, ...] = ("~=", "==", "!=", ">", "<")
-
-# Prefix all reporter messages should include to indicate that they came from this module in the
-# console output.
-_REPORTER_PREFIX = f"[{__title__}]:"
-
-# Suffix that indicates an env dependency should be treated as a locked dependency and thus be
-# installed from the lockfile. Will be automatically stripped off of a dependency name during
-# sorting so that the resulting string is just the valid package name. This becomes optional when
-# the "require_locked_deps" option is true for an environment; in that case a bare dependency like
-# 'foo' is treated the same as an explicitly locked dependency like 'foo@poetry'
-_MAGIC_SUFFIX_MARKER = "@poetry"
-
-
-class _SortedEnvDeps(NamedTuple):
-    unlocked_deps: List[ToxDepConfig]
-    locked_deps: List[ToxDepConfig]
-
-
-class ToxPoetryInstallerException(Exception):
-    """Error while installing locked dependencies to the test environment"""
-
-
-class LockedDepVersionConflictError(ToxPoetryInstallerException):
-    """Locked dependencies cannot specify an alternate version for installation"""
-
-
-class LockedDepNotFoundError(ToxPoetryInstallerException):
-    """Locked dependency was not found in the lockfile"""
-
-
-def _sort_env_deps(venv: ToxVirtualEnv) -> _SortedEnvDeps:
-    """Sorts the environment dependencies by lock status
-
-    Lock status determines whether a given environment dependency will be installed from the
-    lockfile using the Poetry backend, or whether this plugin will skip it and allow it to be
-    installed using the default pip-based backend (an unlocked dependency).
-
-    .. note:: A locked dependency must follow a required format. To avoid reinventing the wheel
-              (no pun intended) this module does not have any infrastructure for parsing PEP-508
-              version specifiers, and so requires locked dependencies to be specified with no
-              version (the installed version being taken from the lockfile). If a dependency is
-              specified as locked and its name is also a PEP-508 string then an error will be
-              raised.
-    """
-
-    reporter.verbosity1(
-        f"{_REPORTER_PREFIX} sorting {len(venv.envconfig.deps)} env dependencies by lock requirement"
-    )
-    unlocked_deps = []
-    locked_deps = []
-
-    for dep in venv.envconfig.deps:
-        if venv.envconfig.require_locked_deps:
-            reporter.verbosity1(
-                f"{_REPORTER_PREFIX} lock required for env, treating '{dep.name}' as locked env dependency"
-            )
-            dep.name = dep.name.replace(_MAGIC_SUFFIX_MARKER, "")
-            locked_deps.append(dep)
-        else:
-            if dep.name.endswith(_MAGIC_SUFFIX_MARKER):
-                reporter.verbosity1(
-                    f"{_REPORTER_PREFIX} specification includes marker '{_MAGIC_SUFFIX_MARKER}', treating '{dep.name}' as locked env dependency"
-                )
-                dep.name = dep.name.replace(_MAGIC_SUFFIX_MARKER, "")
-                locked_deps.append(dep)
-            else:
-                reporter.verbosity1(
-                    f"{_REPORTER_PREFIX} specification does not include marker '{_MAGIC_SUFFIX_MARKER}', treating '{dep.name}' as unlocked env dependency"
-                )
-                unlocked_deps.append(dep)
-
-    reporter.verbosity1(
-        f"{_REPORTER_PREFIX} identified {len(locked_deps)} locked env dependencies for installation from poetry lockfile: {[item.name for item in locked_deps]}"
-    )
-    reporter.verbosity1(
-        f"{_REPORTER_PREFIX} identified {len(unlocked_deps)} unlocked env dependencies for installation using default backend: {[item.name for item in unlocked_deps]}"
-    )
-
-    return _SortedEnvDeps(locked_deps=locked_deps, unlocked_deps=unlocked_deps)
-
-
-def _install_to_venv(
-    poetry: Poetry, venv: ToxVirtualEnv, packages: Sequence[PoetryPackage]
-):
-    """Install a bunch of packages to a virtualenv
-
-    :param poetry: Poetry object the packages were sourced from
-    :param venv: Tox virtual environment to install the packages to
-    :param packages: List of packages to install to the virtual environment
-    """
-    installer = PoetryPipInstaller(
-        env=PoetryVirtualEnv(path=Path(venv.envconfig.envdir)),
-        io=PoetryNullIO(),
-        pool=poetry.pool,
-    )
-
-    for dependency in packages:
-        reporter.verbosity1(f"{_REPORTER_PREFIX} installing {dependency}")
-        installer.install(dependency)
-
-
-def _find_transients(poetry: Poetry, dependency_name: str) -> Set[PoetryPackage]:
-    """Using a poetry object identify all dependencies of a specific dependency
-
-    :param poetry: Populated poetry object which can be used to build a populated locked
-                   repository object.
-    :param dependency_name: Bare name (without version) of the dependency to fetch the transient
-                            dependencies of.
-    :returns: List of packages that need to be installed for the requested dependency.
-
-    .. note:: The package corresponding to the dependency named by ``dependency_name`` is included
-              in the list of returned packages.
-    """
-    packages: Dict[str, PoetryPackage] = {
-        package.name: package
-        for package in poetry.locker.locked_repository(True).packages
-    }
-
-    try:
-        top_level = packages[dependency_name]
-
-        def find_deps_of_deps(name: str) -> List[PoetryPackage]:
-            if name in PoetryProvider.UNSAFE_PACKAGES:
-                reporter.warning(
-                    f"{_REPORTER_PREFIX} installing '{name}' using Poetry is not supported; skipping"
-                )
-                return []
-            transients = [packages[name]]
-            for dep in packages[name].requires:
-                transients += find_deps_of_deps(dep.name)
-            return transients
-
-        return set(find_deps_of_deps(top_level.name))
-
-    except KeyError:
-        if any(
-            delimiter in dependency_name for delimiter in _PEP508_VERSION_DELIMITERS
-        ):
-            raise LockedDepVersionConflictError(
-                f"Locked dependency '{dependency_name}' cannot include version specifier"
-            ) from None
-        raise LockedDepNotFoundError(
-            f"No version of locked dependency '{dependency_name}' found in the project lockfile"
-        ) from None
-
-
-def _install_env_dependencies(venv: ToxVirtualEnv, poetry: Poetry):
-    env_deps = _sort_env_deps(venv)
-
-    dependencies: List[PoetryPackage] = []
-    for dep in env_deps.locked_deps:
-        try:
-            dependencies += _find_transients(poetry, dep.name)
-        except ToxPoetryInstallerException as err:
-            venv.status = "lockfile installation failed"
-            reporter.error(f"{_REPORTER_PREFIX} {err}")
-            raise err
-
-    reporter.verbosity1(
-        f"{_REPORTER_PREFIX} identified {len(dependencies)} actual dependencies from {len(venv.envconfig.deps)} specified env dependencies"
-    )
-
-    reporter.verbosity1(
-        f"{_REPORTER_PREFIX} updating env config with {len(env_deps.unlocked_deps)} unlocked env dependencies for installation using the default backend"
-    )
-    venv.envconfig.deps = env_deps.unlocked_deps
-
-    reporter.verbosity0(
-        f"{_REPORTER_PREFIX} ({venv.name}) installing {len(dependencies)} env dependencies from lockfile"
-    )
-    _install_to_venv(poetry, venv, dependencies)
-
-
-def _install_package_dependencies(venv: ToxVirtualEnv, poetry: Poetry):
-    reporter.verbosity1(
-        f"{_REPORTER_PREFIX} performing installation of project dependencies"
-    )
-
-    primary_dependencies = poetry.locker.locked_repository(False).packages
-
-    reporter.verbosity1(
-        f"{_REPORTER_PREFIX} identified {len(primary_dependencies)} dependencies of project '{poetry.package.name}'"
-    )
-
-    reporter.verbosity0(
-        f"{_REPORTER_PREFIX} ({venv.name}) installing {len(primary_dependencies)} project dependencies from lockfile"
-    )
-    _install_to_venv(poetry, venv, primary_dependencies)
-
-
-@hookimpl
-def tox_addoption(parser: ToxParser):
-    """Add required configuration options to the tox INI file
-
-    Adds the ``require_locked_deps`` configuration option to the venv to check whether all
-    dependencies should be treated as locked or not.
-    """
-
-    parser.add_testenv_attribute(
-        name="require_locked_deps",
-        type="bool",
-        default=False,
-        help="Require all dependencies in the environment be installed using the Poetry lockfile",
-    )
-
-
-@hookimpl
-def tox_testenv_install_deps(venv: ToxVirtualEnv, action: ToxAction):
-    """Install the dependencies for the current environment
-
-    Loads the local Poetry environment and the corresponding lockfile then pulls the dependencies
-    specified by the Tox environment. Finally these dependencies are installed into the Tox
-    environment using the Poetry ``PipInstaller`` backend.
-
-    :param venv: Tox virtual environment object with configuration for the local Tox environment.
-    :param action: Tox action object
-    """
-
-    if action.name == venv.envconfig.config.isolated_build_env:
-        # Skip running the plugin for the packaging environment. PEP-517 front ends can handle
-        # that better than we can, so let them do their thing. More to the point: if you're having
-        # problems in the packaging env that this plugin would solve, god help you.
-        reporter.verbosity1(
-            f"{_REPORTER_PREFIX} skipping isolated build env '{action.name}'"
-        )
-        return
-
-    poetry = PoetryFactory().create_poetry(venv.envconfig.config.toxinidir)
-
-    reporter.verbosity1(
-        f"{_REPORTER_PREFIX} loaded project pyproject.toml from {poetry.file}"
-    )
-
-    # Handle the installation of any locked env dependencies from the lockfile
-    _install_env_dependencies(venv, poetry)
-
-    # Handle the installation of the package dependencies from the lockfile if the package is
-    # being installed to this venv; otherwise skip installing the package dependencies
-    if not venv.envconfig.skip_install and not venv.envconfig.config.skipsdist:
-        _install_package_dependencies(venv, poetry)
-    else:
-        if venv.envconfig.skip_install:
-            reporter.verbosity1(
-                f"{_REPORTER_PREFIX} env specifies 'skip_install = true', skipping installation of project package"
-            )
-        elif venv.envconfig.config.skipsdist:
-            reporter.verbosity1(
-                f"{_REPORTER_PREFIX} config specifies 'skipsdist = true', skipping installation of project package"
-            )

tox_poetry_installer/__about__.py

@@ -0,0 +1,7 @@
+# pylint: disable=missing-docstring
+__title__ = "tox-poetry-installer"
+__summary__ = "Tox plugin to install Tox environment dependencies using the Poetry backend and lockfile"
+__version__ = "0.6.1"
+__url__ = "https://github.com/enpaul/tox-poetry-installer/"
+__license__ = "MIT"
+__authors__ = ["Ethan Paul <24588726+enpaul@users.noreply.github.com>"]

tox_poetry_installer/__init__.py

@@ -0,0 +1,3 @@
+# pylint: disable=missing-docstring
+from tox_poetry_installer.hooks import tox_addoption
+from tox_poetry_installer.hooks import tox_testenv_install_deps

tox_poetry_installer/_poetry.py

@@ -0,0 +1,40 @@
+"""You've heard of vendoirization, now get ready for internal namespace shadowing
+
+Poetry is an optional dependency of this package explicitly to support the use case of having the
+plugin and the `poetry` package installed to the same python environment; this is most common in
+containers and/or CI. In this case there are two potential problems that can arise in this case:
+
+* The installation of the plugin overwrites the installed version of Poetry resulting in
+  compatibility issues.
+* Running `poetry install --no-dev`, when this plugin is in the dev-deps, results in poetry being
+  uninstalled from the environment.
+
+To support these edge cases, and more broadly to support not messing with a system package manager,
+the `poetry` package dependency is listed as optional dependency. This allows the plugin to be
+installed to the same environment as Poetry and import that same Poetry installation here.
+
+However, simply importing Poetry on the assumption that it is installed breaks another valid use
+case: having this plugin installed alongside Tox when not using a Poetry-based project. To account
+for this the imports in this module are isolated and the resultant import error that would result
+is converted to an internal error that can be caught by callers. Rather than importing this module
+at the module scope it is imported into function scope wherever Poetry components are needed. This
+moves import errors from load time to runtime which allows the plugin to be skipped if Poetry isn't
+installed and/or a more helpful error be raised within the Tox framework.
+"""
+# pylint: disable=unused-import
+import sys
+
+from tox_poetry_installer import exceptions
+
+
+try:
+    from poetry.factory import Factory
+    from poetry.installation.pip_installer import PipInstaller
+    from poetry.io.null_io import NullIO
+    from poetry.poetry import Poetry
+    from poetry.puzzle.provider import Provider
+    from poetry.utils.env import VirtualEnv
+except ImportError:
+    raise exceptions.PoetryNotInstalledError(
+        f"No version of Poetry could be imported under the current environment for '{sys.executable}'"
+    ) from None

tox_poetry_installer/constants.py

@@ -0,0 +1,31 @@
+"""Static constants for reference
+
+Rule of thumb: if it's an arbitrary value that will never be changed at runtime, it should go
+in this module.
+
+All constants should be type hinted.
+"""
+import sys
+from typing import Tuple
+
+from poetry.core.semver.version import Version
+
+from tox_poetry_installer import __about__
+
+
+# Valid PEP508 version delimiters. These are used to test whether a given string (specifically a
+# dependency name) is just a package name or also includes a version identifier.
+PEP508_VERSION_DELIMITERS: Tuple[str, ...] = ("~=", "==", "!=", ">", "<")
+
+# Prefix all reporter messages should include to indicate that they came from this module in the
+# console output.
+REPORTER_PREFIX: str = f"[{__about__.__title__}]:"
+
+
+# Semver compatible version of the current python platform version. Used for checking
+# whether a package is compatible with the current python system version
+PLATFORM_VERSION: Version = Version(
+    major=sys.version_info.major,
+    minor=sys.version_info.minor,
+    patch=sys.version_info.micro,
+)

tox_poetry_installer/datatypes.py

@@ -0,0 +1,8 @@
+"""Definitions for typehints/containers used by the plugin"""
+from typing import Dict
+
+from poetry.core.packages import Package as PoetryPackage
+
+
+# Map of package names to the package object
+PackageMap = Dict[str, PoetryPackage]

tox_poetry_installer/exceptions.py

@@ -0,0 +1,43 @@
+"""Custom plugin exceptions
+
+All exceptions should inherit from the common base exception :exc:`ToxPoetryInstallerException`.
+
+::
+
+  ToxPoetryInstallerException
+   +-- SkipEnvironment
+   |    +-- PoetryNotInstalledError
+   +-- LockedDepVersionConflictError
+   +-- LockedDepNotFoundError
+   +-- ExtraNotFoundError
+   +-- LockedDepsRequiredError
+
+"""
+
+
+class ToxPoetryInstallerException(Exception):
+    """Error while installing locked dependencies to the test environment"""
+
+
+class SkipEnvironment(ToxPoetryInstallerException):
+    """Current environment does not meet preconditions and should be skipped by the plugin"""
+
+
+class PoetryNotInstalledError(SkipEnvironment):
+    """No version of Poetry could be imported from the current Python environment"""
+
+
+class LockedDepVersionConflictError(ToxPoetryInstallerException):
+    """Locked dependencies cannot specify an alternate version for installation"""
+
+
+class LockedDepNotFoundError(ToxPoetryInstallerException):
+    """Locked dependency was not found in the lockfile"""
+
+
+class ExtraNotFoundError(ToxPoetryInstallerException):
+    """Project package extra not defined in project's pyproject.toml"""
+
+
+class LockedDepsRequiredError(ToxPoetryInstallerException):
+    """Environment cannot specify unlocked dependencies when locked dependencies are required"""

tox_poetry_installer/hooks.py

@@ -0,0 +1,148 @@
+"""Main hook definition module
+
+All implementations of tox hooks are defined here, as well as any single-use helper functions
+specifically related to implementing the hooks (to keep the size/readability of the hook functions
+themselves manageable).
+"""
+from typing import List
+from typing import Optional
+
+from poetry.core.packages import Package as PoetryPackage
+from tox import hookimpl
+from tox import reporter
+from tox.action import Action as ToxAction
+from tox.config import Parser as ToxParser
+from tox.venv import VirtualEnv as ToxVirtualEnv
+
+from tox_poetry_installer import __about__
+from tox_poetry_installer import constants
+from tox_poetry_installer import exceptions
+from tox_poetry_installer import utilities
+from tox_poetry_installer.datatypes import PackageMap
+
+
+@hookimpl
+def tox_addoption(parser: ToxParser):
+    """Add required configuration options to the tox INI file
+
+    Adds the ``require_locked_deps`` configuration option to the venv to check whether all
+    dependencies should be treated as locked or not.
+    """
+
+    parser.add_argument(
+        "--require-poetry",
+        action="store_true",
+        dest="require_poetry",
+        help="Trigger a failure if Poetry is not available to Tox",
+    )
+
+    parser.add_testenv_attribute(
+        name="install_dev_deps",
+        type="bool",
+        default=False,
+        help="Automatically install all Poetry development dependencies to the environment",
+    )
+
+    parser.add_testenv_attribute(
+        name="require_locked_deps",
+        type="bool",
+        default=False,
+        help="Require all dependencies in the environment be installed using the Poetry lockfile",
+    )
+
+    parser.add_testenv_attribute(
+        name="locked_deps",
+        type="line-list",
+        help="List of locked dependencies to install to the environment using the Poetry lockfile",
+    )
+
+
+@hookimpl
+def tox_testenv_install_deps(venv: ToxVirtualEnv, action: ToxAction) -> Optional[bool]:
+    """Install the dependencies for the current environment
+
+    Loads the local Poetry environment and the corresponding lockfile then pulls the dependencies
+    specified by the Tox environment. Finally these dependencies are installed into the Tox
+    environment using the Poetry ``PipInstaller`` backend.
+
+    :param venv: Tox virtual environment object with configuration for the local Tox environment.
+    :param action: Tox action object
+    """
+
+    try:
+        poetry = utilities.check_preconditions(venv, action)
+    except exceptions.SkipEnvironment as err:
+        if (
+            isinstance(err, exceptions.PoetryNotInstalledError)
+            and venv.envconfig.config.option.require_poetry
+        ):
+            venv.status = err.__class__.__name__
+            reporter.error(str(err))
+            return False
+        reporter.verbosity1(str(err))
+        return None
+
+    reporter.verbosity1(
+        f"{constants.REPORTER_PREFIX} Loaded project pyproject.toml from {poetry.file}"
+    )
+
+    try:
+        if venv.envconfig.require_locked_deps and venv.envconfig.deps:
+            raise exceptions.LockedDepsRequiredError(
+                f"Unlocked dependencies '{venv.envconfig.deps}' specified for environment '{venv.name}' which requires locked dependencies"
+            )
+
+        package_map: PackageMap = {
+            package.name: package
+            for package in poetry.locker.locked_repository(True).packages
+        }
+
+        if venv.envconfig.install_dev_deps:
+            dev_deps: List[PoetryPackage] = [
+                dep
+                for dep in package_map.values()
+                if dep not in poetry.locker.locked_repository(False).packages
+            ]
+        else:
+            dev_deps = []
+
+        reporter.verbosity1(
+            f"{constants.REPORTER_PREFIX} Identified {len(dev_deps)} development dependencies to install to env"
+        )
+
+        env_deps: List[PoetryPackage] = []
+        for dep in venv.envconfig.locked_deps:
+            env_deps += utilities.find_transients(package_map, dep.lower())
+        reporter.verbosity1(
+            f"{constants.REPORTER_PREFIX} Identified {len(env_deps)} environment dependencies to install to env"
+        )
+
+        if not venv.envconfig.skip_install and not venv.envconfig.config.skipsdist:
+            project_deps: List[PoetryPackage] = utilities.find_project_dependencies(
+                venv, poetry, package_map
+            )
+        else:
+            project_deps = []
+            reporter.verbosity1(
+                f"{constants.REPORTER_PREFIX} Skipping installation of project dependencies, env does not install project package"
+            )
+        reporter.verbosity1(
+            f"{constants.REPORTER_PREFIX} Identified {len(project_deps)} project dependencies to install to env"
+        )
+    except exceptions.ToxPoetryInstallerException as err:
+        venv.status = err.__class__.__name__
+        reporter.error(f"{constants.REPORTER_PREFIX} {err}")
+        return False
+    except Exception as err:
+        venv.status = "InternalError"
+        reporter.error(f"{constants.REPORTER_PREFIX} Internal plugin error: {err}")
+        raise err
+
+    dependencies = list(set(dev_deps + env_deps + project_deps))
+    action.setactivity(
+        __about__.__title__,
+        f"Installing {len(dependencies)} dependencies from Poetry lock file",
+    )
+    utilities.install_to_venv(poetry, venv, dependencies)
+
+    return venv.envconfig.require_locked_deps or None

tox_poetry_installer/utilities.py

@@ -0,0 +1,195 @@
+"""Helper utility functions, usually bridging Tox and Poetry functionality"""
+# Silence this one globally to support the internal function imports for the proxied poetry module.
+# See the docstring in 'tox_poetry_installer._poetry' for more context.
+# pylint: disable=import-outside-toplevel
+import sys
+import typing
+from pathlib import Path
+from typing import List
+from typing import Sequence
+from typing import Set
+
+from poetry.core.packages import Package as PoetryPackage
+from tox import reporter
+from tox.action import Action as ToxAction
+from tox.venv import VirtualEnv as ToxVirtualEnv
+
+from tox_poetry_installer import constants
+from tox_poetry_installer import exceptions
+from tox_poetry_installer.datatypes import PackageMap
+
+if typing.TYPE_CHECKING:
+    from tox_poetry_installer import _poetry
+
+
+def install_to_venv(
+    poetry: "_poetry.Poetry", venv: ToxVirtualEnv, packages: Sequence[PoetryPackage]
+):
+    """Install a bunch of packages to a virtualenv
+
+    :param poetry: Poetry object the packages were sourced from
+    :param venv: Tox virtual environment to install the packages to
+    :param packages: List of packages to install to the virtual environment
+    """
+    from tox_poetry_installer import _poetry
+
+    reporter.verbosity1(
+        f"{constants.REPORTER_PREFIX} Installing {len(packages)} packages to environment at {venv.envconfig.envdir}"
+    )
+
+    installer = _poetry.PipInstaller(
+        env=_poetry.VirtualEnv(path=Path(venv.envconfig.envdir)),
+        io=_poetry.NullIO(),
+        pool=poetry.pool,
+    )
+
+    for dependency in packages:
+        reporter.verbosity1(f"{constants.REPORTER_PREFIX} Installing {dependency}")
+        installer.install(dependency)
+
+
+def find_transients(packages: PackageMap, dependency_name: str) -> Set[PoetryPackage]:
+    """Using a poetry object identify all dependencies of a specific dependency
+
+    :param poetry: Populated poetry object which can be used to build a populated locked
+                   repository object.
+    :param dependency_name: Bare name (without version) of the dependency to fetch the transient
+                            dependencies of.
+    :returns: List of packages that need to be installed for the requested dependency.
+
+    .. note:: The package corresponding to the dependency named by ``dependency_name`` is included
+              in the list of returned packages.
+    """
+    from tox_poetry_installer import _poetry
+
+    def find_deps_of_deps(name: str, searched: Set[str]) -> PackageMap:
+        searched.add(name)
+
+        if name in _poetry.Provider.UNSAFE_PACKAGES:
+            reporter.warning(
+                f"{constants.REPORTER_PREFIX} Installing package '{name}' using Poetry is not supported and will be skipped"
+            )
+            reporter.verbosity2(
+                f"{constants.REPORTER_PREFIX} Skip {name}: designated unsafe by Poetry"
+            )
+            return dict()
+
+        transients: PackageMap = {}
+        package = packages[name]
+
+        if not package.python_constraint.allows(constants.PLATFORM_VERSION):
+            reporter.verbosity2(
+                f"{constants.REPORTER_PREFIX} Skip {package}: incompatible Python requirement '{package.python_constraint}' for current version '{constants.PLATFORM_VERSION}'"
+            )
+        elif package.platform is not None and package.platform != sys.platform:
+            reporter.verbosity2(
+                f"{constants.REPORTER_PREFIX} Skip {package}: incompatible platform requirement '{package.platform}' for current platform '{sys.platform}'"
+            )
+        else:
+            reporter.verbosity2(
+                f"{constants.REPORTER_PREFIX} Including {package} for installation"
+            )
+            transients[name] = package
+            for index, dep in enumerate(package.requires):
+                reporter.verbosity2(
+                    f"{constants.REPORTER_PREFIX} Processing dependency {index + 1}/{len(package.requires)} for {package}: {dep.name}"
+                )
+                if dep.name not in searched:
+                    transients.update(find_deps_of_deps(dep.name, searched))
+                else:
+                    reporter.verbosity2(
+                        f"{constants.REPORTER_PREFIX} Package with name '{dep.name}' has already been processed, skipping"
+                    )
+
+        return transients
+
+    searched: Set[str] = set()
+
+    try:
+        transients: PackageMap = find_deps_of_deps(
+            packages[dependency_name].name, searched
+        )
+    except KeyError:
+        if dependency_name in _poetry.Provider.UNSAFE_PACKAGES:
+            reporter.warning(
+                f"{constants.REPORTER_PREFIX} Installing package '{dependency_name}' using Poetry is not supported and will be skipped"
+            )
+            return set()
+
+        if any(
+            delimiter in dependency_name
+            for delimiter in constants.PEP508_VERSION_DELIMITERS
+        ):
+            raise exceptions.LockedDepVersionConflictError(
+                f"Locked dependency '{dependency_name}' cannot include version specifier"
+            ) from None
+
+        raise exceptions.LockedDepNotFoundError(
+            f"No version of locked dependency '{dependency_name}' found in the project lockfile"
+        ) from None
+
+    return set(transients.values())
+
+
+def check_preconditions(venv: ToxVirtualEnv, action: ToxAction) -> "_poetry.Poetry":
+    """Check that the local project environment meets expectations"""
+    # Skip running the plugin for the packaging environment. PEP-517 front ends can handle
+    # that better than we can, so let them do their thing. More to the point: if you're having
+    # problems in the packaging env that this plugin would solve, god help you.
+    if action.name == venv.envconfig.config.isolated_build_env:
+        raise exceptions.SkipEnvironment(
+            f"Skipping isolated packaging build env '{action.name}'"
+        )
+
+    from tox_poetry_installer import _poetry
+
+    try:
+        return _poetry.Factory().create_poetry(venv.envconfig.config.toxinidir)
+    # Support running the plugin when the current tox project does not use Poetry for its
+    # environment/dependency management.
+    #
+    # ``RuntimeError`` is dangerous to blindly catch because it can be (and in Poetry's case,
+    # is) raised in many different places for different purposes.
+    except RuntimeError:
+        raise exceptions.SkipEnvironment(
+            "Project does not use Poetry for env management, skipping installation of locked dependencies"
+        ) from None
+
+
+def find_project_dependencies(
+    venv: ToxVirtualEnv, poetry: "_poetry.Poetry", packages: PackageMap
+) -> List[PoetryPackage]:
+    """Install the dependencies of the project package
+
+    Install all primary dependencies of the project package.
+
+    :param venv: Tox virtual environment to install the packages to
+    :param poetry: Poetry object the packages were sourced from
+    :param packages: Mapping of package names to the corresponding package object
+    """
+
+    base_dependencies: List[PoetryPackage] = [
+        packages[item.name]
+        for item in poetry.package.requires
+        if not item.is_optional()
+    ]
+
+    extra_dependencies: List[PoetryPackage] = []
+    for extra in venv.envconfig.extras:
+        reporter.verbosity1(
+            f"{constants.REPORTER_PREFIX} Processing project extra '{extra}'"
+        )
+        try:
+            extra_dependencies += [
+                packages[item.name] for item in poetry.package.extras[extra]
+            ]
+        except KeyError:
+            raise exceptions.ExtraNotFoundError(
+                f"Environment '{venv.name}' specifies project extra '{extra}' which was not found in the lockfile"
+            ) from None
+
+    dependencies: List[PoetryPackage] = []
+    for dep in base_dependencies + extra_dependencies:
+        dependencies += find_transients(packages, dep.name.lower())
+
+    return dependencies