From 3d8f4c59791ce3a52f67de174b5480a9befdd4e9 Mon Sep 17 00:00:00 2001
From: "Jens L." <jens@goauthentik.io>
Date: Tue, 23 Sep 2025 13:38:42 +0200
Subject: [PATCH] *: add ruff BLE rules (#16943)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
---
 authentik/brands/models.py                  |  2 +-
 authentik/core/api/property_mappings.py     |  2 +-
 authentik/core/management/commands/shell.py |  2 +-
 authentik/core/models.py                    |  6 +++---
 authentik/flows/stage.py                    |  2 +-
 authentik/flows/views/executor.py           |  8 ++++----
 authentik/policies/expression/evaluator.py  |  2 +-
 authentik/policies/process.py               |  2 +-
 authentik/root/test_runner.py               |  2 +-
 authentik/stages/authenticator/util.py      |  4 ++--
 lifecycle/gunicorn.conf.py                  |  2 +-
 pyproject.toml                              | 15 ++++++++-------
 12 files changed, 25 insertions(+), 24 deletions(-)

diff --git a/authentik/brands/models.py b/authentik/brands/models.py
index afc56d489a..e9ed2b3072 100644
--- a/authentik/brands/models.py
+++ b/authentik/brands/models.py
@@ -113,7 +113,7 @@ class Brand(SerializerModel):
         try:
             return self.attributes.get("settings", {}).get("locale", "")
 
-        except Exception as exc:
+        except Exception as exc:  # noqa
             LOGGER.warning("Failed to get default locale", exc=exc)
             return ""
 
diff --git a/authentik/core/api/property_mappings.py b/authentik/core/api/property_mappings.py
index 992a600a8b..d614597d18 100644
--- a/authentik/core/api/property_mappings.py
+++ b/authentik/core/api/property_mappings.py
@@ -171,7 +171,7 @@ class PropertyMappingViewSet(
         except PropertyMappingExpressionException as exc:
             response_data["result"] = exception_to_string(exc.exc)
             response_data["successful"] = False
-        except Exception as exc:
+        except Exception as exc:  # noqa
             response_data["result"] = exception_to_string(exc)
             response_data["successful"] = False
         response = PropertyMappingTestResultSerializer(response_data)
diff --git a/authentik/core/management/commands/shell.py b/authentik/core/management/commands/shell.py
index fcddde53b2..9cda6d419c 100644
--- a/authentik/core/management/commands/shell.py
+++ b/authentik/core/management/commands/shell.py
@@ -99,7 +99,7 @@ class Command(BaseCommand):
         else:
             try:
                 hook()
-            except Exception:
+            except Exception:  # noqa
                 # Match the behavior of the cpython shell where an error in
                 # sys.__interactivehook__ prints a warning and the exception
                 # and continues.
diff --git a/authentik/core/models.py b/authentik/core/models.py
index 25e114ca47..a0d7bfef14 100644
--- a/authentik/core/models.py
+++ b/authentik/core/models.py
@@ -406,7 +406,7 @@ class User(SerializerModel, GuardianUserMixin, AttributesMixin, AbstractUser):
         try:
             return self.attributes.get("settings", {}).get("locale", "")
 
-        except Exception as exc:
+        except Exception as exc:  # noqa
             LOGGER.warning("Failed to get default locale", exc=exc)
         if request:
             return request.brand.locale
@@ -587,7 +587,7 @@ class Application(SerializerModel, PolicyBindingModel):
             try:
                 return url % user.__dict__
 
-            except Exception as exc:
+            except Exception as exc:  # noqa
                 LOGGER.warning("Failed to format launch url", exc=exc)
                 return url
         return url
@@ -783,7 +783,7 @@ class Source(ManagedModel, SerializerModel, PolicyBindingModel):
                 "slug": self.slug,
             }
 
-        except Exception as exc:
+        except Exception as exc:  # noqa
             LOGGER.warning("Failed to template user path", exc=exc, source=self)
             return User.default_path()
 
diff --git a/authentik/flows/stage.py b/authentik/flows/stage.py
index 78d8740231..172339ba63 100644
--- a/authentik/flows/stage.py
+++ b/authentik/flows/stage.py
@@ -160,7 +160,7 @@ class ChallengeStageView(StageView):
                 "user": self.get_pending_user(for_display=True),
             }
 
-        except Exception as exc:
+        except Exception as exc:  # noqa
             self.logger.warning("failed to template title", exc=exc)
             return self.executor.flow.title
 
diff --git a/authentik/flows/views/executor.py b/authentik/flows/views/executor.py
index ad2501ad7d..f3366cc72c 100644
--- a/authentik/flows/views/executor.py
+++ b/authentik/flows/views/executor.py
@@ -198,7 +198,7 @@ class FlowExecutorView(APIView):
                 # if the cached plan is from an older version, it might have different attributes
                 # in which case we just delete the plan and invalidate everything
                 next_binding = self.plan.next(self.request)
-            except Exception as exc:
+            except Exception as exc:  # noqa
                 self._logger.warning(
                     "f(exec): found incompatible flow plan, invalidating run", exc=exc
                 )
@@ -288,7 +288,7 @@ class FlowExecutorView(APIView):
                 span.set_data("authentik Flow", self.flow.slug)
                 stage_response = self.current_stage_view.dispatch(request)
                 return to_stage_response(request, stage_response)
-        except Exception as exc:
+        except Exception as exc:  # noqa
             return self.handle_exception(exc)
 
     @extend_schema(
@@ -339,7 +339,7 @@ class FlowExecutorView(APIView):
                 span.set_data("authentik Flow", self.flow.slug)
                 stage_response = self.current_stage_view.dispatch(request)
                 return to_stage_response(request, stage_response)
-        except Exception as exc:
+        except Exception as exc:  # noqa
             return self.handle_exception(exc)
 
     def _initiate_plan(self) -> FlowPlan:
@@ -351,7 +351,7 @@ class FlowExecutorView(APIView):
             # there are no issues with the class we might've gotten
             # from the cache. If there are errors, just delete all cached flows
             _ = plan.has_stages
-        except Exception:
+        except Exception:  # noqa
             keys = cache.keys(f"{CACHE_PREFIX}*")
             cache.delete_many(keys)
             return self._initiate_plan()
diff --git a/authentik/policies/expression/evaluator.py b/authentik/policies/expression/evaluator.py
index 340c386d51..82d71c7488 100644
--- a/authentik/policies/expression/evaluator.py
+++ b/authentik/policies/expression/evaluator.py
@@ -71,7 +71,7 @@ class PolicyEvaluator(BaseEvaluator):
             # PolicyExceptions should be propagated back to the process,
             # which handles recording and returning a correct result
             raise exc
-        except Exception as exc:
+        except Exception as exc:  # noqa
             LOGGER.warning("Expression error", exc=exc)
             return PolicyResult(False, str(exc))
         else:
diff --git a/authentik/policies/process.py b/authentik/policies/process.py
index b15beb1a7e..ece691b1b4 100644
--- a/authentik/policies/process.py
+++ b/authentik/policies/process.py
@@ -144,6 +144,6 @@ class PolicyProcess(PROCESS_CLASS):
         """Task wrapper to run policy checking"""
         try:
             self.connection.send(self.profiling_wrapper())
-        except Exception as exc:
+        except Exception as exc:  # noqa
             LOGGER.warning("Policy failed to run", exc=exc)
             self.connection.send(PolicyResult(False, str(exc)))
diff --git a/authentik/root/test_runner.py b/authentik/root/test_runner.py
index 71ba33c7c9..2a9bbf5653 100644
--- a/authentik/root/test_runner.py
+++ b/authentik/root/test_runner.py
@@ -177,6 +177,6 @@ class PytestTestRunner(DiscoverRunner):  # pragma: no cover
         with patch("guardian.shortcuts._get_ct_cached", patched__get_ct_cached):
             try:
                 return pytest.main(self.args)
-            except Exception as e:
+            except Exception as e:  # noqa
                 self.logger.error("Error running tests", error=str(e), test_files=self.args)
                 return 1
diff --git a/authentik/stages/authenticator/util.py b/authentik/stages/authenticator/util.py
index e92f1a168e..4b2d7a9891 100644
--- a/authentik/stages/authenticator/util.py
+++ b/authentik/stages/authenticator/util.py
@@ -2,7 +2,7 @@
 
 import random
 import string
-from binascii import unhexlify
+from binascii import Error, unhexlify
 from os import urandom
 
 from django.core.exceptions import ValidationError
@@ -42,7 +42,7 @@ def hex_validator(length=0):
                 value = value.encode()
 
             unhexlify(value)
-        except Exception:
+        except Error:
             raise ValidationError(f"{value} is not valid hex-encoded data.") from None
 
         if (length > 0) and (len(value) != length * 2):
diff --git a/lifecycle/gunicorn.conf.py b/lifecycle/gunicorn.conf.py
index 303b8b729e..dfdef057fe 100644
--- a/lifecycle/gunicorn.conf.py
+++ b/lifecycle/gunicorn.conf.py
@@ -136,7 +136,7 @@ if not CONFIG.get_bool("disable_startup_analytics", False):
                 timeout=5,
             )
 
-        except Exception:  # nosec
+        except Exception:  # nosec # noqa
             pass
 
 start_debug_server()
diff --git a/pyproject.toml b/pyproject.toml
index f1f0d26338..680819b92b 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -177,13 +177,14 @@ exclude = ["**/migrations/**", "**/node_modules/**"]
 
 [tool.ruff.lint]
 select = [
-  "E",  # pycodestyle
-  "F",  # Pyflakes
-  "I",  # isort
-  "UP", # pyupgrade
-  "B",  # flake8-bugbear
-  "DJ", # django
-  "PL", # pylint
+  "E",   # pycodestyle
+  "F",   # Pyflakes
+  "I",   # isort
+  "UP",  # pyupgrade
+  "B",   # flake8-bugbear
+  "DJ",  # django
+  "PL",  # pylint
+  "BLE", # flake8-blind-except
 ]
 ignore = [
   "DJ001", # Avoid using `null=True` on string-based fields,