style: repo-wide lint pass — make the lint gate green again

Push builds have been RED on the lint step since ~build 209 from accumulated formatting drift. This is the mechanical cleanup: ruff format + ruff --fix (UP038 isinstance unions, SIM105 contextlib.suppress, UP031 f-strings, SIM115 tempfile context manager), shfmt -i 2 -ci, nixpkgs-fmt/statix/deadnix (merged attrsets, dropped unused lib args), yamllint, and shell quoting fixes in tests/lasuite-docs/setup_custom_tests.sh. No behaviour changes intended; lint: PASS, unit tests: 138 passed.
2026-06-09 21:56:15 +00:00
parent e76d4005ab
commit 9a7772563a
115 changed files with 952 additions and 660 deletions
--- a/tests/keycloak/functional/test_create_client_and_use.py
+++ b/tests/keycloak/functional/test_create_client_and_use.py
@ -120,9 +120,9 @@ def test_create_confidential_client_and_obtain_token(live_app):
        "clientId": client_id,
        "enabled": True,
        "secret": client_secret,
-        "publicClient": False,            # confidential client
-        "serviceAccountsEnabled": True,    # required for client_credentials grant
-        "standardFlowEnabled": False,      # not needed for service-account-only client
+        "publicClient": False,  # confidential client
+        "serviceAccountsEnabled": True,  # required for client_credentials grant
+        "standardFlowEnabled": False,  # not needed for service-account-only client
        "directAccessGrantsEnabled": False,
        "protocol": "openid-connect",
    }
@ -144,25 +144,25 @@ def test_create_confidential_client_and_obtain_token(live_app):

        # Use the client to obtain its own token (client_credentials grant)
        tok_status, tok_resp = _client_credentials_token(live_app, client_id, client_secret)
-        assert tok_status == 200, (
-            f"client_credentials token returned HTTP {tok_status}: {tok_resp!r}"
-        )
+        assert (
+            tok_status == 200
+        ), f"client_credentials token returned HTTP {tok_status}: {tok_resp!r}"
        access_token = tok_resp.get("access_token") if isinstance(tok_resp, dict) else None
-        assert isinstance(access_token, str) and access_token.count(".") == 2, (
-            f"client_credentials access_token not a JWT: {access_token!r}"
-        )
+        assert (
+            isinstance(access_token, str) and access_token.count(".") == 2
+        ), f"client_credentials access_token not a JWT: {access_token!r}"

        # Decode the JWT payload; assert azp matches the new client
        payload = json.loads(_b64url_decode(access_token.split(".")[1]))
-        assert payload.get("azp") == client_id, (
-            f"client_credentials JWT azp={payload.get('azp')!r} != client_id={client_id!r}"
-        )
+        assert (
+            payload.get("azp") == client_id
+        ), f"client_credentials JWT azp={payload.get('azp')!r} != client_id={client_id!r}"
        # Service-account token does NOT carry a session-scoped user (azp + clientId differ from
        # admin-cli token). The presence of azp + iss == per-run-domain proves the issuance flow.
        expected_iss = f"https://{live_app}/realms/master"
-        assert payload.get("iss") == expected_iss, (
-            f"JWT iss={payload.get('iss')!r} != {expected_iss!r}"
-        )
+        assert (
+            payload.get("iss") == expected_iss
+        ), f"JWT iss={payload.get('iss')!r} != {expected_iss!r}"
    finally:
        # Idempotent cleanup
        if cleanup_id:
--- a/tests/keycloak/functional/test_password_grant_token.py
+++ b/tests/keycloak/functional/test_password_grant_token.py
@ -43,22 +43,20 @@ def test_password_grant_issues_valid_jwt(live_app):
    token = kc_admin.admin_token(live_app, password)

    # Shape: a JWT is exactly 3 base64url segments
-    assert isinstance(token, str) and token.count(".") == 2, (
-        f"access_token does not look like a JWT (no 3 segments): len={len(token) if token else 0}"
-    )
+    assert (
+        isinstance(token, str) and token.count(".") == 2
+    ), f"access_token does not look like a JWT (no 3 segments): len={len(token) if token else 0}"

    payload = _decode_jwt_payload(token)

    # iss = the issuer URL, must be the per-run domain's /realms/master endpoint
    expected_iss = f"https://{live_app}/realms/master"
-    assert payload.get("iss") == expected_iss, (
-        f"JWT iss claim {payload.get('iss')!r} != {expected_iss!r}"
-    )
+    assert (
+        payload.get("iss") == expected_iss
+    ), f"JWT iss claim {payload.get('iss')!r} != {expected_iss!r}"

    # azp = authorized party (which client requested this token)
-    assert payload.get("azp") == "admin-cli", (
-        f"JWT azp claim {payload.get('azp')!r} != 'admin-cli'"
-    )
+    assert payload.get("azp") == "admin-cli", f"JWT azp claim {payload.get('azp')!r} != 'admin-cli'"

    # typ = token type
    assert payload.get("typ") == "Bearer", f"JWT typ claim {payload.get('typ')!r} != 'Bearer'"
@ -70,6 +68,6 @@ def test_password_grant_issues_valid_jwt(live_app):

    # iat (issued at) is also a standard claim
    iat = payload.get("iat")
-    assert isinstance(iat, int) and iat <= time.time() + 60, (
-        f"JWT iat {iat!r} not a reasonable past timestamp"
-    )
+    assert (
+        isinstance(iat, int) and iat <= time.time() + 60
+    ), f"JWT iat {iat!r} not a reasonable past timestamp"