Added pip style keyring password lookup as a fallback.

This way Poetry gives keyring backends like Microsoft's `artifacts-keyring` or Google's `keyrings.google-artifactregistry-auth` a change to retrieve the credentials. Since Microsoft Azure DevOps Personal Access Tokens will expire after some time the `artifacts-keyring` implementation will generate a new one for you to counteract that.

Added pip style keyring password lookup as a fallback.
This way Poetry gives keyring backends like Microsoft's `artifacts-keyring` or Google's `keyrings.google-artifactregistry-auth` a change to retrieve the credentials. Since Microsoft Azure DevOps Personal Access Tokens will expire after some time the `artifacts-keyring` implementation will generate a new one for you to counteract that.
6d28c560 · Dos Moonen · 4ec09d4e · 6d28c560 · 6d28c560 · 6d28c560
Commit 6d28c560 authored May 22, 2021 by Dos Moonen
Showing with 185 additions and 91 deletions

docs/docs/repositories.md
+14 -0

poetry/installation/authenticator.py
+36 -2

tests/conftest.py
+56 -0

tests/installation/test_authenticator.py
+50 -2

tests/test_factory.py
+6 -6

tests/utils/test_password_manager.py
+23 -81

No files found.
--- a/docs/docs/repositories.md
+++ b/docs/docs/repositories.md
@@ -63,6 +63,20 @@ If a system keyring is available and supported, the password is stored to and re
 Keyring support is enabled using the [keyring library](https://pypi.org/project/keyring/). For more information on supported backends refer to the [library documentation](https://keyring.readthedocs.io/en/latest/?badge=latest).
+!!!note
+    ```
+    Poetry will fallback to Pip style use of keyring so that backends like
+    Microsoft's [artifacts-keyring](https://pypi.org/project/artifacts-keyring/). It will need to be properly
+    installed into Poetry's virtualenv, preferrably by installing a plugin.
+    If you are letting Poetry manage your virtual environments you will want a virtualenv
+    seeder installed in Poetry's virtualenv that installs the desired keyring backend
+    during `poetry install`. To again use Azure DecOps as an example: [azure-devops-artifacts-helpers](https://pypi.org/project/azure-devops-artifacts-helpers/)
+    provides such a seeder. This would of course best achieved by installing a Poetry plugin
+    if it exists for you use case instead of doing it yourself.
+    ```
 Alternatively, you can use environment variables to provide the credentials:
 ```bash

--- a/poetry/installation/authenticator.py
+++ b/poetry/installation/authenticator.py
@@ -4,6 +4,7 @@ import urllib.parse
 from typing import TYPE_CHECKING
 from typing import Any
+from typing import Dict
 from typing import Optional
 from typing import Tuple
@@ -108,7 +109,7 @@ class Authenticator:
        if credentials == (None, None):
            if "@" not in netloc:
-                credentials = self._get_credentials_for_netloc_from_config(netloc)
+                credentials = self._get_credentials_for_netloc(netloc)
            else:
                # Split from the right because that's how urllib.parse.urlsplit()
                # behaves if more than one @ is present (which can be checked using
@@ -133,7 +134,7 @@ class Authenticator:
        return credentials[0], credentials[1]
-    def _get_credentials_for_netloc_from_config(
+    def _get_credentials_for_netloc(
        self, netloc: str
    ) -> Tuple[Optional[str], Optional[str]]:
        credentials = (None, None)
@@ -152,9 +153,42 @@ class Authenticator:
            if netloc == parsed_url.netloc:
                auth = self._password_manager.get_http_auth(repository_name)
+                if auth is None or auth["password"] is None:
+                    username = auth["username"] if auth else None
+                    auth = self._get_credentials_for_netloc_from_keyring(
+                        url, netloc, username
+                    )
                if auth is None:
                    continue
                return auth["username"], auth["password"]
        return credentials
+    def _get_credentials_for_netloc_from_keyring(
+        self, url: str, netloc: str, username: str
+    ) -> Optional[Dict[str, str]]:
+        import keyring
+        cred = keyring.get_credential(url, username)
+        if cred is not None:
+            return {
+                "username": cred.username,
+                "password": cred.password,
+            }
+        cred = keyring.get_credential(netloc, username)
+        if cred is not None:
+            return {
+                "username": cred.username,
+                "password": cred.password,
+            }
+        if username:
+            return {
+                "username": username,
+                "password": None,
+            }
+        return None
--- a/tests/conftest.py
+++ b/tests/conftest.py
@@ -12,6 +12,7 @@ import httpretty
 import pytest
 from cleo.testers.command_tester import CommandTester
+from keyring.backend import KeyringBackend
 from poetry.config.config import Config as BaseConfig
 from poetry.config.dict_config_source import DictConfigSource
@@ -53,6 +54,61 @@ class Config(BaseConfig):
        return super(Config, self).all()
+class DummyBackend(KeyringBackend):
+    def __init__(self):
+        self._passwords = {}
+    @classmethod
+    def priority(cls):
+        return 42
+    def set_password(self, service, username, password):
+        self._passwords[service] = {username: password}
+    def get_password(self, service, username):
+        return self._passwords.get(service, {}).get(username)
+    def get_credential(self, service, username):
+        return self._passwords.get(service, {}).get(username)
+    def delete_password(self, service, username):
+        if service in self._passwords and username in self._passwords[service]:
+            del self._passwords[service][username]
+@pytest.fixture()
+def dummy_keyring():
+    return DummyBackend()
+@pytest.fixture()
+def with_simple_keyring(dummy_keyring):
+    import keyring
+    keyring.set_keyring(dummy_keyring)
+@pytest.fixture()
+def with_fail_keyring():
+    import keyring
+    from keyring.backends.fail import Keyring
+    keyring.set_keyring(Keyring())
+@pytest.fixture()
+def with_chained_keyring(mocker):
+    from keyring.backends.fail import Keyring
+    mocker.patch("keyring.backend.get_all_keyring", [Keyring()])
+    import keyring
+    from keyring.backends.chainer import ChainerBackend
+    keyring.set_keyring(ChainerBackend())
 @pytest.fixture
 def config_cache_dir(tmp_dir):
    path = Path(tmp_dir) / ".cache" / "pypoetry"

--- a/tests/installation/test_authenticator.py
+++ b/tests/installation/test_authenticator.py
@@ -10,6 +10,12 @@ from cleo.io.null_io import NullIO
 from poetry.installation.authenticator import Authenticator
+class SimpleCredential:
+    def __init__(self, username, password):
+        self.username = username
+        self.password = password
 @pytest.fixture()
 def mock_remote(http):
    http.register_uri(
@@ -52,7 +58,9 @@ def test_authenticator_uses_credentials_from_config_if_not_provided(
    assert "Basic YmFyOmJheg==" == request.headers["Authorization"]
-def test_authenticator_uses_username_only_credentials(config, mock_remote, http):
+def test_authenticator_uses_username_only_credentials(
+    config, mock_remote, http, with_simple_keyring
+):
    config.merge(
        {
            "repositories": {"foo": {"url": "https://foo.bar/simple/"}},
@@ -85,7 +93,7 @@ def test_authenticator_uses_password_only_credentials(config, mock_remote, http)
 def test_authenticator_uses_empty_strings_as_default_password(
-    config, mock_remote, http
+    config, mock_remote, http, with_simple_keyring
 ):
    config.merge(
        {
@@ -120,6 +128,46 @@ def test_authenticator_uses_empty_strings_as_default_username(
    assert "Basic OmJhcg==" == request.headers["Authorization"]
+def test_authenticator_falls_back_to_keyring_url(
+    config, mock_remote, http, with_simple_keyring, dummy_keyring
+):
+    config.merge(
+        {
+            "repositories": {"foo": {"url": "https://foo.bar/simple/"}},
+        }
+    )
+    dummy_keyring.set_password(
+        "https://foo.bar/simple/", None, SimpleCredential(None, "bar")
+    )
+    authenticator = Authenticator(config, NullIO())
+    authenticator.request("get", "https://foo.bar/files/foo-0.1.0.tar.gz")
+    request = http.last_request()
+    assert "Basic OmJhcg==" == request.headers["Authorization"]
+def test_authenticator_falls_back_to_keyring_netloc(
+    config, mock_remote, http, with_simple_keyring, dummy_keyring
+):
+    config.merge(
+        {
+            "repositories": {"foo": {"url": "https://foo.bar/simple/"}},
+        }
+    )
+    dummy_keyring.set_password("foo.bar", None, SimpleCredential(None, "bar"))
+    authenticator = Authenticator(config, NullIO())
+    authenticator.request("get", "https://foo.bar/files/foo-0.1.0.tar.gz")
+    request = http.last_request()
+    assert "Basic OmJhcg==" == request.headers["Authorization"]
 def test_authenticator_request_retries_on_exception(mocker, config, http):
    sleep = mocker.patch("time.sleep")
    sdist_uri = "https://foo.bar/files/{}/foo-0.1.0.tar.gz".format(str(uuid.uuid4()))

--- a/tests/test_factory.py
+++ b/tests/test_factory.py
@@ -156,13 +156,13 @@ def test_create_poetry_with_multi_constraints_dependency():
    assert len(package.requires) == 2
-def test_poetry_with_default_source():
+def test_poetry_with_default_source(with_simple_keyring):
    poetry = Factory().create_poetry(fixtures_dir / "with_default_source")
    assert 1 == len(poetry.pool.repositories)
-def test_poetry_with_non_default_source():
+def test_poetry_with_non_default_source(with_simple_keyring):
    poetry = Factory().create_poetry(fixtures_dir / "with_non_default_source")
    assert len(poetry.pool.repositories) == 2
@@ -176,7 +176,7 @@ def test_poetry_with_non_default_source():
    assert isinstance(poetry.pool.repositories[1], PyPiRepository)
-def test_poetry_with_non_default_secondary_source():
+def test_poetry_with_non_default_secondary_source(with_simple_keyring):
    poetry = Factory().create_poetry(fixtures_dir / "with_non_default_secondary_source")
    assert len(poetry.pool.repositories) == 2
@@ -192,7 +192,7 @@ def test_poetry_with_non_default_secondary_source():
    assert isinstance(repository, LegacyRepository)
-def test_poetry_with_non_default_multiple_secondary_sources():
+def test_poetry_with_non_default_multiple_secondary_sources(with_simple_keyring):
    poetry = Factory().create_poetry(
        fixtures_dir / "with_non_default_multiple_secondary_sources"
    )
@@ -214,7 +214,7 @@ def test_poetry_with_non_default_multiple_secondary_sources():
    assert isinstance(repository, LegacyRepository)
-def test_poetry_with_non_default_multiple_sources():
+def test_poetry_with_non_default_multiple_sources(with_simple_keyring):
    poetry = Factory().create_poetry(fixtures_dir / "with_non_default_multiple_sources")
    assert len(poetry.pool.repositories) == 3
@@ -245,7 +245,7 @@ def test_poetry_with_no_default_source():
    assert isinstance(poetry.pool.repositories[0], PyPiRepository)
-def test_poetry_with_two_default_sources():
+def test_poetry_with_two_default_sources(with_simple_keyring):
    with pytest.raises(ValueError) as e:
        Factory().create_poetry(fixtures_dir / "with_two_default_sources")

--- a/tests/utils/test_password_manager.py
+++ b/tests/utils/test_password_manager.py
@@ -2,80 +2,26 @@ import os
 import pytest
-from keyring.backend import KeyringBackend
 from poetry.utils.password_manager import KeyRing
 from poetry.utils.password_manager import KeyRingError
 from poetry.utils.password_manager import PasswordManager
-class DummyBackend(KeyringBackend):
+def test_set_http_password(config, with_simple_keyring, dummy_keyring):
-    def __init__(self):
-        self._passwords = {}
-    @classmethod
-    def priority(cls):
-        return 42
-    def set_password(self, service, username, password):
-        self._passwords[service] = {username: password}
-    def get_password(self, service, username):
-        return self._passwords.get(service, {}).get(username)
-    def delete_password(self, service, username):
-        if service in self._passwords and username in self._passwords[service]:
-            del self._passwords[service][username]
-@pytest.fixture()
-def backend():
-    return DummyBackend()
-@pytest.fixture()
-def mock_available_backend(backend):
-    import keyring
-    keyring.set_keyring(backend)
-@pytest.fixture()
-def mock_unavailable_backend():
-    import keyring
-    from keyring.backends.fail import Keyring
-    keyring.set_keyring(Keyring())
-@pytest.fixture()
-def mock_chainer_backend(mocker):
-    from keyring.backends.fail import Keyring
-    mocker.patch("keyring.backend.get_all_keyring", [Keyring()])
-    import keyring
-    from keyring.backends.chainer import ChainerBackend
-    keyring.set_keyring(ChainerBackend())
-def test_set_http_password(config, mock_available_backend, backend):
    manager = PasswordManager(config)
    assert manager.keyring.is_available()
    manager.set_http_password("foo", "bar", "baz")
-    assert "baz" == backend.get_password("poetry-repository-foo", "bar")
+    assert "baz" == dummy_keyring.get_password("poetry-repository-foo", "bar")
    auth = config.get("http-basic.foo")
    assert "bar" == auth["username"]
    assert "password" not in auth
-def test_get_http_auth(config, mock_available_backend, backend):
+def test_get_http_auth(config, with_simple_keyring, dummy_keyring):
-    backend.set_password("poetry-repository-foo", "bar", "baz")
+    dummy_keyring.set_password("poetry-repository-foo", "bar", "baz")
    config.auth_config_source.add_property("http-basic.foo", {"username": "bar"})
    manager = PasswordManager(config)
@@ -86,19 +32,19 @@ def test_get_http_auth(config, mock_available_backend, backend):
    assert "baz" == auth["password"]
-def test_delete_http_password(config, mock_available_backend, backend):
+def test_delete_http_password(config, with_simple_keyring, dummy_keyring):
-    backend.set_password("poetry-repository-foo", "bar", "baz")
+    dummy_keyring.set_password("poetry-repository-foo", "bar", "baz")
    config.auth_config_source.add_property("http-basic.foo", {"username": "bar"})
    manager = PasswordManager(config)
    assert manager.keyring.is_available()
    manager.delete_http_password("foo")
-    assert backend.get_password("poetry-repository-foo", "bar") is None
+    assert dummy_keyring.get_password("poetry-repository-foo", "bar") is None
    assert config.get("http-basic.foo") is None
-def test_set_pypi_token(config, mock_available_backend, backend):
+def test_set_pypi_token(config, with_simple_keyring, dummy_keyring):
    manager = PasswordManager(config)
    assert manager.keyring.is_available()
@@ -106,28 +52,28 @@ def test_set_pypi_token(config, mock_available_backend, backend):
    assert config.get("pypi-token.foo") is None
-    assert "baz" == backend.get_password("poetry-repository-foo", "__token__")
+    assert "baz" == dummy_keyring.get_password("poetry-repository-foo", "__token__")
-def test_get_pypi_token(config, mock_available_backend, backend):
+def test_get_pypi_token(config, with_simple_keyring, dummy_keyring):
-    backend.set_password("poetry-repository-foo", "__token__", "baz")
+    dummy_keyring.set_password("poetry-repository-foo", "__token__", "baz")
    manager = PasswordManager(config)
    assert manager.keyring.is_available()
    assert "baz" == manager.get_pypi_token("foo")
-def test_delete_pypi_token(config, mock_available_backend, backend):
+def test_delete_pypi_token(config, with_simple_keyring, dummy_keyring):
-    backend.set_password("poetry-repository-foo", "__token__", "baz")
+    dummy_keyring.set_password("poetry-repository-foo", "__token__", "baz")
    manager = PasswordManager(config)
    assert manager.keyring.is_available()
    manager.delete_pypi_token("foo")
-    assert backend.get_password("poetry-repository-foo", "__token__") is None
+    assert dummy_keyring.get_password("poetry-repository-foo", "__token__") is None
-def test_set_http_password_with_unavailable_backend(config, mock_unavailable_backend):
+def test_set_http_password_with_unavailable_backend(config, with_fail_keyring):
    manager = PasswordManager(config)
    assert not manager.keyring.is_available()
@@ -138,7 +84,7 @@ def test_set_http_password_with_unavailable_backend(config, mock_unavailable_bac
    assert "baz" == auth["password"]
-def test_get_http_auth_with_unavailable_backend(config, mock_unavailable_backend):
+def test_get_http_auth_with_unavailable_backend(config, with_fail_keyring):
    config.auth_config_source.add_property(
        "http-basic.foo", {"username": "bar", "password": "baz"}
    )
@@ -151,9 +97,7 @@ def test_get_http_auth_with_unavailable_backend(config, mock_unavailable_backend
    assert "baz" == auth["password"]
-def test_delete_http_password_with_unavailable_backend(
+def test_delete_http_password_with_unavailable_backend(config, with_fail_keyring):
-    config, mock_unavailable_backend
-):
    config.auth_config_source.add_property(
        "http-basic.foo", {"username": "bar", "password": "baz"}
    )
@@ -165,7 +109,7 @@ def test_delete_http_password_with_unavailable_backend(
    assert config.get("http-basic.foo") is None
-def test_set_pypi_token_with_unavailable_backend(config, mock_unavailable_backend):
+def test_set_pypi_token_with_unavailable_backend(config, with_fail_keyring):
    manager = PasswordManager(config)
    assert not manager.keyring.is_available()
@@ -174,7 +118,7 @@ def test_set_pypi_token_with_unavailable_backend(config, mock_unavailable_backen
    assert "baz" == config.get("pypi-token.foo")
-def test_get_pypi_token_with_unavailable_backend(config, mock_unavailable_backend):
+def test_get_pypi_token_with_unavailable_backend(config, with_fail_keyring):
    config.auth_config_source.add_property("pypi-token.foo", "baz")
    manager = PasswordManager(config)
@@ -182,7 +126,7 @@ def test_get_pypi_token_with_unavailable_backend(config, mock_unavailable_backen
    assert "baz" == manager.get_pypi_token("foo")
-def test_delete_pypi_token_with_unavailable_backend(config, mock_unavailable_backend):
+def test_delete_pypi_token_with_unavailable_backend(config, with_fail_keyring):
    config.auth_config_source.add_property("pypi-token.foo", "baz")
    manager = PasswordManager(config)
@@ -192,7 +136,7 @@ def test_delete_pypi_token_with_unavailable_backend(config, mock_unavailable_bac
    assert config.get("pypi-token.foo") is None
-def test_keyring_raises_errors_on_keyring_errors(mocker, mock_unavailable_backend):
+def test_keyring_raises_errors_on_keyring_errors(mocker, with_fail_keyring):
    mocker.patch("poetry.utils.password_manager.KeyRing._check")
    key_ring = KeyRing("poetry")
@@ -207,16 +151,14 @@ def test_keyring_raises_errors_on_keyring_errors(mocker, mock_unavailable_backen
 def test_keyring_with_chainer_backend_and_not_compatible_only_should_be_unavailable(
-    mock_chainer_backend,
+    with_chained_keyring,
 ):
    key_ring = KeyRing("poetry")
    assert not key_ring.is_available()
-def test_get_http_auth_from_environment_variables(
+def test_get_http_auth_from_environment_variables(environ, config, with_simple_keyring):
-    environ, config, mock_available_backend
-):
    os.environ["POETRY_HTTP_BASIC_FOO_USERNAME"] = "bar"
    os.environ["POETRY_HTTP_BASIC_FOO_PASSWORD"] = "baz"