style: repo-wide lint pass — make the lint gate green again

Push builds have been RED on the lint step since ~build 209 from accumulated formatting drift. This is the mechanical cleanup: ruff format + ruff --fix (UP038 isinstance unions, SIM105 contextlib.suppress, UP031 f-strings, SIM115 tempfile context manager), shfmt -i 2 -ci, nixpkgs-fmt/statix/deadnix (merged attrsets, dropped unused lib args), yamllint, and shell quoting fixes in tests/lasuite-docs/setup_custom_tests.sh. No behaviour changes intended; lint: PASS, unit tests: 138 passed.
2026-06-09 21:56:15 +00:00
parent e76d4005ab
commit 9a7772563a
115 changed files with 952 additions and 660 deletions
--- a/tests/keycloak/functional/test_create_client_and_use.py
+++ b/tests/keycloak/functional/test_create_client_and_use.py
@ -120,9 +120,9 @@ def test_create_confidential_client_and_obtain_token(live_app):
        "clientId": client_id,
        "enabled": True,
        "secret": client_secret,
-        "publicClient": False,            # confidential client
-        "serviceAccountsEnabled": True,    # required for client_credentials grant
-        "standardFlowEnabled": False,      # not needed for service-account-only client
+        "publicClient": False,  # confidential client
+        "serviceAccountsEnabled": True,  # required for client_credentials grant
+        "standardFlowEnabled": False,  # not needed for service-account-only client
        "directAccessGrantsEnabled": False,
        "protocol": "openid-connect",
    }
@ -144,25 +144,25 @@ def test_create_confidential_client_and_obtain_token(live_app):

        # Use the client to obtain its own token (client_credentials grant)
        tok_status, tok_resp = _client_credentials_token(live_app, client_id, client_secret)
-        assert tok_status == 200, (
-            f"client_credentials token returned HTTP {tok_status}: {tok_resp!r}"
-        )
+        assert (
+            tok_status == 200
+        ), f"client_credentials token returned HTTP {tok_status}: {tok_resp!r}"
        access_token = tok_resp.get("access_token") if isinstance(tok_resp, dict) else None
-        assert isinstance(access_token, str) and access_token.count(".") == 2, (
-            f"client_credentials access_token not a JWT: {access_token!r}"
-        )
+        assert (
+            isinstance(access_token, str) and access_token.count(".") == 2
+        ), f"client_credentials access_token not a JWT: {access_token!r}"

        # Decode the JWT payload; assert azp matches the new client
        payload = json.loads(_b64url_decode(access_token.split(".")[1]))
-        assert payload.get("azp") == client_id, (
-            f"client_credentials JWT azp={payload.get('azp')!r} != client_id={client_id!r}"
-        )
+        assert (
+            payload.get("azp") == client_id
+        ), f"client_credentials JWT azp={payload.get('azp')!r} != client_id={client_id!r}"
        # Service-account token does NOT carry a session-scoped user (azp + clientId differ from
        # admin-cli token). The presence of azp + iss == per-run-domain proves the issuance flow.
        expected_iss = f"https://{live_app}/realms/master"
-        assert payload.get("iss") == expected_iss, (
-            f"JWT iss={payload.get('iss')!r} != {expected_iss!r}"
-        )
+        assert (
+            payload.get("iss") == expected_iss
+        ), f"JWT iss={payload.get('iss')!r} != {expected_iss!r}"
    finally:
        # Idempotent cleanup
        if cleanup_id: