From a5547362469e0736109d5712f2cc6048edd094c2 Mon Sep 17 00:00:00 2001
From: Guido Grazioli <ggraziol@redhat.com>
Date: Fri, 10 Mar 2023 11:52:02 +0100
Subject: [PATCH] Use middleware_automation.common for rh-sso patching

---
 plugins/filter/version_sort.py         | 52 +++++++++++++++++
 roles/keycloak/README.md               |  2 +-
 roles/keycloak/meta/argument_specs.yml |  4 +-
 roles/keycloak/tasks/rhsso_patch.yml   | 77 ++++++++++++++++++++++----
 4 files changed, 120 insertions(+), 15 deletions(-)
 create mode 100644 plugins/filter/version_sort.py

diff --git a/plugins/filter/version_sort.py b/plugins/filter/version_sort.py
new file mode 100644
index 0000000..beb44cb
--- /dev/null
+++ b/plugins/filter/version_sort.py
@@ -0,0 +1,52 @@
+# -*- coding: utf-8 -*-
+# Copyright (C) 2021 Eric Lavarde <elavarde@redhat.com>
+# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+DOCUMENTATION = '''
+  name: version_sort
+  short_description: Sort a list according to version order instead of pure alphabetical one
+  version_added: 2.2.0
+  author: Eric L. (@ericzolf)
+  description:
+    - Sort a list according to version order instead of pure alphabetical one.
+  options:
+    _input:
+      description: A list of strings to sort.
+      type: list
+      elements: string
+      required: true
+'''
+
+EXAMPLES = '''
+- name: Convert list of tuples into dictionary
+  ansible.builtin.set_fact:
+    dictionary: "{{ ['2.1', '2.10', '2.9'] | middleware_automation.keycloak.version_sort }}"
+    # Result is ['2.1', '2.9', '2.10']
+'''
+
+RETURN = '''
+  _value:
+    description: The list of strings sorted by version.
+    type: list
+    elements: string
+'''
+
+from ansible_collections.middleware_automation.keycloak.plugins.module_utils.version import LooseVersion
+
+
+def version_sort(value, reverse=False):
+    '''Sort a list according to loose versions so that e.g. 2.9 is smaller than 2.10'''
+    return sorted(value, key=LooseVersion, reverse=reverse)
+
+
+class FilterModule(object):
+    ''' Version sort filter '''
+
+    def filters(self):
+        return {
+            'version_sort': version_sort
+        }
diff --git a/roles/keycloak/README.md b/roles/keycloak/README.md
index 5aadcb9..32eb022 100644
--- a/roles/keycloak/README.md
+++ b/roles/keycloak/README.md
@@ -96,7 +96,7 @@ Role Defaults
 |`keycloak_archive` | keycloak install archive filename | `keycloak-legacy-{{ keycloak_version }}.zip` |
 |`keycloak_download_url_9x` | Download URL for keycloak (deprecated) | `https://downloads.jboss.org/keycloak/{{ keycloak_version }}/{{ keycloak_archive }}` |
 |`keycloak_installdir` | Installation path | `{{ keycloak_dest }}/keycloak-{{ keycloak_version }}` |
-|`keycloak_jboss_home` | Installation work directory | `{{ keycloak_rhsso_installdir if keycloak_rhsso_enable else keycloak_installdir }}` |
+|`keycloak_jboss_home` | Installation work directory | `{{ keycloak_rhsso_installdir }}` |
 |`keycloak_config_dir` | Path for configuration | `{{ keycloak_jboss_home }}/standalone/configuration` |
 |`keycloak_config_path_to_standalone_xml` | Custom path for configuration | `{{ keycloak_jboss_home }}/standalone/configuration/{{ keycloak_config_standalone_xml }}` |
 |`keycloak_config_override_template` | Path to custom template for standalone.xml configuration | `''` |
diff --git a/roles/keycloak/meta/argument_specs.yml b/roles/keycloak/meta/argument_specs.yml
index 6693c30..99d7703 100644
--- a/roles/keycloak/meta/argument_specs.yml
+++ b/roles/keycloak/meta/argument_specs.yml
@@ -334,10 +334,10 @@ argument_specs:
                 type: "str"
             sso_patch_version:
                 required: False
-                description: "Red Hat Single Sign-On latest cumulative patch version to apply; default to latest version when sso_apply_patches is True"
+                description: "Red Hat Single Sign-On latest cumulative patch version to apply; defaults to latest version when sso_apply_patches is True"
                 type: "str"
             sso_patch_bundle:
-                default: "rh-sso-{{ sso_patch_version | default('') }}-patch.zip"
+                default: "rh-sso-{{ sso_patch_version | default('[0-9]+[.][0-9]+[.][0-9]+') }}-patch.zip"
                 description: "Red Hat SSO patch archive filename"
                 type: "str"
             sso_product_category:
diff --git a/roles/keycloak/tasks/rhsso_patch.yml b/roles/keycloak/tasks/rhsso_patch.yml
index 97993a2..1f1afca 100644
--- a/roles/keycloak/tasks/rhsso_patch.yml
+++ b/roles/keycloak/tasks/rhsso_patch.yml
@@ -9,25 +9,78 @@
     path: "{{ patch_archive }}"
   register: patch_archive_path
 
-- name: Perform download from RHN
-  middleware_automation.redhat_csp_download.redhat_csp_download:
-    url: "{{ keycloak_rhn_url }}{{ sso_patch_rhn_id }}"
-    dest: "{{ local_path.stat.path }}/{{ sso_patch_bundle }}"
-    username: "{{ rhn_username }}"
-    password: "{{ rhn_password }}"
-  no_log: "{{ omit_rhn_output | default(true) }}"
+- name: Perform patch download from RHN via JBossNetwork API
   delegate_to: localhost
+  run_once: yes
   when:
     - patch_archive_path is defined
     - patch_archive_path.stat is defined
     - not patch_archive_path.stat.exists
     - sso_enable is defined and sso_enable
     - not keycloak_offline_install
+  block:
+    - name: Retrieve product download using JBossNetwork API
+      middleware_automation.common.product_search:
+        client_id: "{{ rhn_username }}"
+        client_secret: "{{ rhn_password }}"
+        product_type: BUGFIX
+        product_version: "{{ sso_version }}"
+        product_category: "{{ sso_product_category }}"
+      register: rhn_products
+      no_log: "{{ omit_rhn_output | default(true) }}"
+      delegate_to: localhost
+      run_once: yes
+
+    - name: Filter patch versions
+      set_fact:
+        filtered_versions: "{{ rhn_products.results | map(attribute='file_path') | select('match', '^[^/]*/rh-sso-.*[0-9]*[.][0-9]*[.][0-9]*.*$') | map('regex_replace','[^/]*/rh-sso-([0-9]*[.][0-9]*[.][0-9]*)-.*','\\1' ) | list | unique }}"
+      when: sso_patch_version is not defined or sso_patch_version | length == 0
+      delegate_to: localhost
+      run_once: yes
+
+    - name: Determine latest version
+      set_fact:
+         sso_latest_version: "{{ filtered_versions | middleware_automation.keycloak.version_sort | last }}"
+      when: sso_patch_version is not defined or sso_patch_version | length == 0
+      delegate_to: localhost
+      run_once: yes
+
+    - name: Determine install zipfile from search results
+      ansible.builtin.set_fact:
+        rhn_filtered_products: "{{ rhn_products.results | selectattr('file_path', 'match', '[^/]*/rh-sso-' + sso_latest_version + '-patch.zip$') }}"
+        patch_bundle: "rh-sso-{{ sso_latest_version }}-patch.zip"
+        patch_version: "{{ sso_latest_version }}"
+      when: sso_patch_version is not defined or sso_patch_version | length == 0
+      delegate_to: localhost
+      run_once: yes
+
+    - name: "Filter selected patch version {{ sso_patch_version }}"
+      set_fact:
+        rhn_filtered_products: "{{ rhn_products.results | selectattr('file_path', 'match', '[^/]*/' + sso_patch_bundle + '$') }}"
+        patch_bundle: "{{ sso_patch_bundle }}"
+        patch_version: "{{ sso_patch_version }}"
+      when: sso_patch_version is defined
+      delegate_to: localhost
+      run_once: yes
+
+    - name: Download Red Hat Single Sign-On patch
+      middleware_automation.common.product_download: # noqa risky-file-permissions delegated, uses controller host user
+        client_id: "{{ rhn_username }}"
+        client_secret: "{{ rhn_password }}"
+        product_id: "{{ (rhn_filtered_products | first).id }}"
+        dest: "{{ local_path.stat.path }}/{{ patch_bundle }}"
+      no_log: "{{ omit_rhn_output | default(true) }}"
+      delegate_to: localhost
+      run_once: yes
+
+- name: Set download patch archive path
+  ansible.builtin.set_fact:
+    patch_archive: "{{ keycloak_dest }}/{{ patch_bundle }}"
 
 ## copy and unpack
 - name: Copy patch archive to target nodes
   ansible.builtin.copy:
-    src: "{{ local_path.stat.path }}/{{ sso_patch_bundle }}"
+    src: "{{ local_path.stat.path }}/{{ patch_bundle }}"
     dest: "{{ patch_archive }}"
     owner: "{{ keycloak_service_user }}"
     group: "{{ keycloak_service_group }}"
@@ -48,9 +101,9 @@
   when: 
     - cli_result is defined
     - cli_result.stdout is defined
-    - sso_patch_version not in cli_result.stdout
+    - patch_version not in cli_result.stdout
   block:
-    - name: "Apply patch {{ sso_patch_version }} to server"
+    - name: "Apply patch {{ patch_version }} to server"
       ansible.builtin.include_tasks: rhsso_cli.yml
       vars:
         query: "patch apply {{ patch_archive }}"
@@ -78,10 +131,10 @@
     - name: "Verify installed patch version"
       ansible.builtin.assert:
         that:
-          - sso_patch_version not in cli_result.stdout
+          - patch_version not in cli_result.stdout
         fail_msg: "Patch installation failed"
         success_msg: "Patch installation successful"
 
 - name: "Skipping patch"
   ansible.builtin.debug:
-    msg: "Latest cumulative patch {{ sso_patch_version }} already installed, skipping patch installation."
+    msg: "Cumulative patch {{ patch_version }} already installed, skipping patch installation."