hestia-keyring 1.0.0__tar.gz

hestia_keyring-1.0.0/.gitignore

@@ -0,0 +1,43 @@
+# Python
+__pycache__/
+*.py[cod]
+*$py.class
+*.egg-info/
+.pytest_cache/
+.mypy_cache/
+.ruff_cache/
+.coverage
+htmlcov/
+
+# uv
+.venv/
+
+# IDE
+.vscode/
+.idea/
+*.swp
+
+# Templates: include scaffold-emitted .vscode (they ship recommended editor settings).
+!packages/hestia-templates/**/.vscode/
+!packages/hestia-templates/**/.vscode/**
+
+# OS
+.DS_Store
+Thumbs.db
+
+# Local dev
+.env
+.env.local
+.hestia/
+docker-compose.override.yaml
+
+# Parallel sub-plan worktrees
+.worktrees/
+
+# mkdocs build output
+site/
+
+# Local Claude Code skill cache (machine-specific, not project state)
+.claude/
+.others/
+

hestia_keyring-1.0.0/PKG-INFO

@@ -0,0 +1,53 @@
+Metadata-Version: 2.4
+Name: hestia-keyring
+Version: 1.0.0
+Summary: Keyring backend for HES Azure Artifacts — enables uv sync without PATs
+License: MIT
+Requires-Python: >=3.13
+Requires-Dist: keyring>=24.0
+Description-Content-Type: text/markdown
+
+# hestia-keyring
+
+A [keyring](https://pypi.org/project/keyring/) backend that authenticates `uv sync` against
+the HES Azure Artifacts feed using your active `az` CLI session — no Personal Access Tokens
+required.
+
+## Install once per machine
+
+```bash
+uv tool install keyring --with hestia-keyring
+```
+
+## What it does
+
+When `uv` calls `keyring get https://pkgs.dev.azure.com/... VssSessionToken`, this backend
+runs `az account get-access-token --resource https://app.vssps.visualstudio.com` and returns
+the resulting bearer token. Your `az login` session is the only credential you need.
+
+## Requirements
+
+- Python 3.13+
+- [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli) installed and
+  signed in (`az login`)
+
+## Consumer app configuration
+
+Add to your app's `pyproject.toml`:
+
+```toml
+[[tool.uv.index]]
+name = "hes-internal"
+url = "https://VssSessionToken@pkgs.dev.azure.com/hmc-heerema/HES%20Internal/_packaging/HES/pypi/simple/"
+default = false
+explicit = true
+
+[tool.uv.sources]
+hestia = { index = "hes-internal" }
+
+[tool.uv]
+keyring-provider = "subprocess"
+```
+
+The `VssSessionToken@` prefix in the URL is required — uv passes the URL username to
+`keyring get`, and `VssSessionToken` is the username this backend recognises.

hestia_keyring-1.0.0/README.md

@@ -0,0 +1,44 @@
+# hestia-keyring
+
+A [keyring](https://pypi.org/project/keyring/) backend that authenticates `uv sync` against
+the HES Azure Artifacts feed using your active `az` CLI session — no Personal Access Tokens
+required.
+
+## Install once per machine
+
+```bash
+uv tool install keyring --with hestia-keyring
+```
+
+## What it does
+
+When `uv` calls `keyring get https://pkgs.dev.azure.com/... VssSessionToken`, this backend
+runs `az account get-access-token --resource https://app.vssps.visualstudio.com` and returns
+the resulting bearer token. Your `az login` session is the only credential you need.
+
+## Requirements
+
+- Python 3.13+
+- [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli) installed and
+  signed in (`az login`)
+
+## Consumer app configuration
+
+Add to your app's `pyproject.toml`:
+
+```toml
+[[tool.uv.index]]
+name = "hes-internal"
+url = "https://VssSessionToken@pkgs.dev.azure.com/hmc-heerema/HES%20Internal/_packaging/HES/pypi/simple/"
+default = false
+explicit = true
+
+[tool.uv.sources]
+hestia = { index = "hes-internal" }
+
+[tool.uv]
+keyring-provider = "subprocess"
+```
+
+The `VssSessionToken@` prefix in the URL is required — uv passes the URL username to
+`keyring get`, and `VssSessionToken` is the username this backend recognises.

hestia_keyring-1.0.0/azure-pipelines.yml

@@ -0,0 +1,21 @@
+# packages/hestia-keyring/azure-pipelines.yml
+#
+# CI for hestia-keyring. Triggers on:
+# - Pushes to main (runs Install + Verify; no Release)
+# - Tags matching hestia-keyring@X.Y.Z (runs full pipeline including PyPI publish)
+#
+# IMPORTANT: This pipeline publishes to PUBLIC PyPI, not ADO Artifacts.
+# Do NOT change the template reference to uv-python-package.yml — that
+# would publish to ADO Artifacts. This package must remain on public PyPI.
+
+trigger:
+  branches: { include: [main] }
+  tags:     { include: ['hestia-keyring@*'] }
+
+pr:
+  branches: { include: [main] }
+
+extends:
+  template: ../hestia-pipelines/templates/uv-python-package-pypi.yml
+  parameters:
+    packageName: hestia-keyring

hestia_keyring-1.0.0/pyproject.toml

@@ -0,0 +1,30 @@
+[project]
+name = "hestia-keyring"
+version = "1.0.0"
+description = "Keyring backend for HES Azure Artifacts — enables uv sync without PATs"
+requires-python = ">=3.13"
+readme = "README.md"
+license = { text = "MIT" }
+dependencies = [
+    "keyring>=24.0",
+]
+
+[project.entry-points."keyring.backends"]
+hestia = "hestia_keyring:HestiaArtifactsKeyring"
+
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"
+
+[tool.hatch.build.targets.wheel]
+packages = ["src/hestia_keyring"]
+
+[dependency-groups]
+dev = [
+    "pytest>=8.3",
+    "pytest-cov>=5.0",
+]
+
+[tool.pytest.ini_options]
+testpaths = ["tests"]
+addopts = "-ra --strict-markers"

hestia_keyring-1.0.0/src/hestia_keyring/__init__.py

@@ -0,0 +1,52 @@
+import shutil
+import subprocess
+from urllib.parse import urlparse
+
+from keyring.backend import KeyringBackend
+from keyring.credentials import SimpleCredential
+
+_AZ = shutil.which("az") or "az"
+_FEED_HOST = "pkgs.dev.azure.com"
+_RESOURCE = "https://app.vssps.visualstudio.com"
+
+
+class HestiaArtifactsKeyring(KeyringBackend):
+    """Keyring backend for HES Azure Artifacts feeds.
+
+    Uses the active az CLI session — no PATs, no tenant discovery.
+    Install once: uv tool install keyring --with hestia-keyring
+    """
+
+    priority = 9
+
+    @classmethod
+    def viable(cls) -> bool:
+        return shutil.which("az") is not None
+
+    def get_password(self, service: str, username: str) -> str | None:
+        cred = self.get_credential(service, username)
+        return cred.password if cred else None
+
+    def get_credential(self, service: str, username: str) -> SimpleCredential | None:
+        host = (urlparse(service).hostname or "").lower().rstrip(".")
+        if host != _FEED_HOST:
+            return None
+        try:
+            token = subprocess.check_output(
+                [_AZ, "account", "get-access-token",
+                 "--resource", _RESOURCE,
+                 "--query", "accessToken", "-o", "tsv"],
+                stderr=subprocess.DEVNULL,
+                timeout=30,
+            ).decode().strip()
+            if token:
+                return SimpleCredential("VssSessionToken", token)
+        except (subprocess.CalledProcessError, subprocess.TimeoutExpired, FileNotFoundError):
+            pass
+        return None
+
+    def set_password(self, service: str, username: str, password: str) -> None:
+        raise NotImplementedError
+
+    def delete_password(self, service: str, username: str) -> None:
+        raise NotImplementedError

hestia_keyring-1.0.0/tests/unit/test_backend.py

@@ -0,0 +1,88 @@
+import subprocess
+from unittest.mock import patch
+
+import pytest
+
+from hestia_keyring import HestiaArtifactsKeyring
+
+_FEED = "https://pkgs.dev.azure.com/hmc-heerema/HES%20Internal/_packaging/HES/pypi/simple/"
+_OTHER = "https://pypi.org/simple/"
+_TOKEN = "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.test"
+
+
+def test_priority():
+    assert HestiaArtifactsKeyring.priority == 9
+
+
+def test_viable_true_when_az_found():
+    with patch("hestia_keyring.shutil.which", return_value=r"C:\az.cmd"):
+        assert HestiaArtifactsKeyring.viable() is True
+
+
+def test_viable_false_when_az_not_found():
+    with patch("hestia_keyring.shutil.which", return_value=None):
+        assert HestiaArtifactsKeyring.viable() is False
+
+
+def test_get_credential_ignores_non_feed_url():
+    assert HestiaArtifactsKeyring().get_credential(_OTHER, "token") is None
+
+
+def test_get_credential_rejects_url_with_feed_host_in_path():
+    # Substring bypass: attacker URL contains pkgs.dev.azure.com in path, not hostname.
+    # Must be rejected — only exact hostname match is valid.
+    evil = "https://evil.com/pkgs.dev.azure.com/steal-token"
+    assert HestiaArtifactsKeyring().get_credential(evil, "VssSessionToken") is None
+
+
+def test_get_credential_returns_credential_for_feed_url():
+    with patch("hestia_keyring.subprocess.check_output", return_value=f"{_TOKEN}\n".encode()):
+        cred = HestiaArtifactsKeyring().get_credential(_FEED, "VssSessionToken")
+    assert cred is not None
+    assert cred.username == "VssSessionToken"
+    assert cred.password == _TOKEN
+
+
+def test_get_credential_returns_none_on_called_process_error():
+    with patch(
+        "hestia_keyring.subprocess.check_output",
+        side_effect=subprocess.CalledProcessError(1, "az"),
+    ):
+        assert HestiaArtifactsKeyring().get_credential(_FEED, "VssSessionToken") is None
+
+
+def test_get_credential_returns_none_on_timeout():
+    with patch(
+        "hestia_keyring.subprocess.check_output",
+        side_effect=subprocess.TimeoutExpired("az", 30),
+    ):
+        assert HestiaArtifactsKeyring().get_credential(_FEED, "VssSessionToken") is None
+
+
+def test_get_credential_returns_none_when_az_not_on_path():
+    with patch("hestia_keyring.subprocess.check_output", side_effect=FileNotFoundError):
+        assert HestiaArtifactsKeyring().get_credential(_FEED, "VssSessionToken") is None
+
+
+def test_get_credential_returns_none_on_empty_token():
+    with patch("hestia_keyring.subprocess.check_output", return_value=b"\n"):
+        assert HestiaArtifactsKeyring().get_credential(_FEED, "VssSessionToken") is None
+
+
+def test_get_password_returns_token_string():
+    with patch("hestia_keyring.subprocess.check_output", return_value=f"{_TOKEN}\n".encode()):
+        assert HestiaArtifactsKeyring().get_password(_FEED, "VssSessionToken") == _TOKEN
+
+
+def test_get_password_returns_none_for_non_feed_url():
+    assert HestiaArtifactsKeyring().get_password(_OTHER, "VssSessionToken") is None
+
+
+def test_set_password_raises():
+    with pytest.raises(NotImplementedError):
+        HestiaArtifactsKeyring().set_password("svc", "user", "pass")
+
+
+def test_delete_password_raises():
+    with pytest.raises(NotImplementedError):
+        HestiaArtifactsKeyring().delete_password("svc", "user")