From a59a1fb8dd16ca33a7c87418f158faf9fc4cef7f Mon Sep 17 00:00:00 2001
From: Romain Pelisse <belaran@gmail.com>
Date: Mon, 4 Mar 2024 21:13:06 +0100
Subject: [PATCH 1/6] Rework Molecule prepare phase to install sudo only if
 root on target

---
 molecule/prepare.yml                 | 13 +++++++++----
 molecule/quarkus-devmode/prepare.yml | 12 ++++++------
 molecule/quarkus/prepare.yml         | 12 ++++--------
 molecule/quarkus/verify.yml          |  4 +++-
 4 files changed, 22 insertions(+), 19 deletions(-)

diff --git a/molecule/prepare.yml b/molecule/prepare.yml
index 9d39694..f122f9d 100644
--- a/molecule/prepare.yml
+++ b/molecule/prepare.yml
@@ -3,28 +3,31 @@
   ansible.builtin.debug:
     msg: "Ansible version is  {{ ansible_version.full }}"
 
+- name: "Set package name for sudo"
+  ansible.builtin.set_fact:
+    sudo_pkg_name: sudo
 
 - name: "Ensure {{ sudo_pkg_name }} is installed (if user is root)."
   ansible.builtin.yum:
     name: "{{ sudo_pkg_name }}"
+    state: present
   when:
     - ansible_user_id == 'root'
 
-
 - name: Gather the package facts
   ansible.builtin.package_facts:
     manager: auto
 
-- name: "Check if {{ sudo_pkg_name }} is installed."
+- name: "Check if sudo is installed."
   ansible.builtin.assert:
     that:
       - sudo_pkg_name in ansible_facts.packages
+    fail_msg: "sudo is not installed on target system"
 
-- name: Install sudo
+- name: "Install iproute"
   become: yes
   ansible.builtin.yum:
     name:
-      - sudo
       - iproute
     state: present
 
@@ -36,6 +39,8 @@
   when:
     - assets_server is defined
     - assets_server | length > 0
+    - assets is defined
+    - assets | length > 0
   block:
     - name: "Set offline when assets server from env is defined"
       ansible.builtin.set_fact:
diff --git a/molecule/quarkus-devmode/prepare.yml b/molecule/quarkus-devmode/prepare.yml
index 88c2fb3..313adb8 100644
--- a/molecule/quarkus-devmode/prepare.yml
+++ b/molecule/quarkus-devmode/prepare.yml
@@ -2,20 +2,20 @@
 - name: Prepare
   hosts: all
   tasks:
-    - name: Install sudo
+    - name: "Ensure common prepare phase are set."
+      ansible.builtin.include_tasks: ../prepare.yml
+
+    - name: Install JDK17
+      become: yes
       ansible.builtin.yum:
         name:
-          - sudo
           - java-17-openjdk-headless
         state: present
 
     - name: Link default logs directory
+      become: yes
       ansible.builtin.file:
         state: link
         src: /usr/lib/jvm/jre-17-openjdk
         dest: /opt/openjdk
         force: true
-
-    - name: "Display hera_home if defined."
-      ansible.builtin.set_fact:
-        hera_home: "{{ lookup('env', 'HERA_HOME') }}"
diff --git a/molecule/quarkus/prepare.yml b/molecule/quarkus/prepare.yml
index 13d85a8..c7ba481 100644
--- a/molecule/quarkus/prepare.yml
+++ b/molecule/quarkus/prepare.yml
@@ -2,14 +2,8 @@
 - name: Prepare
   hosts: all
   tasks:
-    - name: Install sudo
-      ansible.builtin.yum:
-        name: sudo
-        state: present
-
-    - name: "Display hera_home if defined."
-      ansible.builtin.set_fact:
-        hera_home: "{{ lookup('env', 'HERA_HOME') }}"
+    - name: "Ensure common prepare phase are set."
+      ansible.builtin.include_tasks: ../prepare.yml
 
     - name: Create certificate request
       ansible.builtin.command: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -sha256 -days 365 -nodes -subj '/CN=instance'
@@ -17,12 +11,14 @@
       changed_when: False
 
     - name: Create conf directory # risky-file-permissions in test user account does not exist yet
+      become: yes
       ansible.builtin.file:
         state: directory
         path: "/opt/keycloak/certs/"
         mode: 0755
 
     - name: Copy certificates
+      become: yes
       ansible.builtin.copy:
         src: "{{ item }}"
         dest: "/opt/keycloak/certs/{{ item }}"
diff --git a/molecule/quarkus/verify.yml b/molecule/quarkus/verify.yml
index 2d75c32..a58a13f 100644
--- a/molecule/quarkus/verify.yml
+++ b/molecule/quarkus/verify.yml
@@ -49,8 +49,9 @@
           - keycloak_log_folder.stat.exists
           - not keycloak_log_folder.stat.isdir
           - keycloak_log_folder.stat.islnk
-          
+
     - name: Check log file
+      become: yes
       ansible.builtin.stat:
         path: "/tmp/keycloak/keycloak.log"
       register: keycloak_log_file
@@ -62,6 +63,7 @@
           - not keycloak_log_file.stat.isdir
 
     - name: Check default log folder
+      become: yes
       ansible.builtin.stat:
         path: "/var/log/keycloak"
       register: keycloak_default_log_folder

From a97c349f41c8429886b41c7f609d0f96ccce8861 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Gro=C3=9Fewinkelmann?= <bgrossew@redhat.com>
Date: Wed, 13 Mar 2024 00:12:15 +0100
Subject: [PATCH 2/6] Utilize comment filter for {{ ansible_maanged  }}
 annotations
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Björn Großewinkelmann <bgrossew@redhat.com>
---
 molecule/overridexml/templates/custom.xml.j2                 | 2 +-
 roles/keycloak/templates/15.0.8/standalone-infinispan.xml.j2 | 2 +-
 roles/keycloak/templates/15.0.8/standalone.xml.j2            | 2 +-
 roles/keycloak/templates/keycloak-service.sh.j2              | 2 +-
 roles/keycloak/templates/keycloak-sysconfig.j2               | 2 +-
 roles/keycloak/templates/keycloak.service.j2                 | 2 +-
 roles/keycloak/templates/standalone-ha.xml.j2                | 2 +-
 roles/keycloak/templates/standalone-infinispan.xml.j2        | 2 +-
 roles/keycloak/templates/standalone.xml.j2                   | 2 +-
 roles/keycloak_quarkus/templates/cache-ispn.xml.j2           | 2 +-
 roles/keycloak_quarkus/templates/keycloak-sysconfig.j2       | 2 +-
 roles/keycloak_quarkus/templates/keycloak.conf.j2            | 2 +-
 roles/keycloak_quarkus/templates/keycloak.service.j2         | 2 +-
 roles/keycloak_quarkus/templates/quarkus.properties.j2       | 2 +-
 14 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/molecule/overridexml/templates/custom.xml.j2 b/molecule/overridexml/templates/custom.xml.j2
index 8686d77..66c5852 100644
--- a/molecule/overridexml/templates/custom.xml.j2
+++ b/molecule/overridexml/templates/custom.xml.j2
@@ -1,5 +1,5 @@
 <?xml version='1.0' encoding='UTF-8'?>
-<!-- {{ ansible_managed }} -->
+{{ ansible_managed | comment('xml') }}
 <server xmlns="urn:jboss:domain:16.0">
     <extensions>
         <extension module="org.jboss.as.clustering.infinispan"/>
diff --git a/roles/keycloak/templates/15.0.8/standalone-infinispan.xml.j2 b/roles/keycloak/templates/15.0.8/standalone-infinispan.xml.j2
index 2d84f3f..25d6cb0 100644
--- a/roles/keycloak/templates/15.0.8/standalone-infinispan.xml.j2
+++ b/roles/keycloak/templates/15.0.8/standalone-infinispan.xml.j2
@@ -1,5 +1,5 @@
 <?xml version='1.0' encoding='UTF-8'?>
-<!-- {{ ansible_managed }} -->
+{{ ansible_managed | comment('xml') }}
 <server xmlns="urn:jboss:domain:16.0">
     <extensions>
         <extension module="org.jboss.as.clustering.infinispan"/>
diff --git a/roles/keycloak/templates/15.0.8/standalone.xml.j2 b/roles/keycloak/templates/15.0.8/standalone.xml.j2
index de175f2..01c317b 100644
--- a/roles/keycloak/templates/15.0.8/standalone.xml.j2
+++ b/roles/keycloak/templates/15.0.8/standalone.xml.j2
@@ -1,5 +1,5 @@
 <?xml version='1.0' encoding='UTF-8'?>
-<!-- {{ ansible_managed }} -->
+{{ ansible_managed | comment('xml') }}
 <server xmlns="urn:jboss:domain:16.0">
     <extensions>
         <extension module="org.jboss.as.clustering.infinispan"/>
diff --git a/roles/keycloak/templates/keycloak-service.sh.j2 b/roles/keycloak/templates/keycloak-service.sh.j2
index 577959e..98efb34 100755
--- a/roles/keycloak/templates/keycloak-service.sh.j2
+++ b/roles/keycloak/templates/keycloak-service.sh.j2
@@ -1,5 +1,5 @@
 #!/bin/bash -eu
-# {{ ansible_managed }}
+{{ ansible_managed | comment }}
 
 set +u -o pipefail
 
diff --git a/roles/keycloak/templates/keycloak-sysconfig.j2 b/roles/keycloak/templates/keycloak-sysconfig.j2
index 86a96d6..4c38522 100644
--- a/roles/keycloak/templates/keycloak-sysconfig.j2
+++ b/roles/keycloak/templates/keycloak-sysconfig.j2
@@ -1,4 +1,4 @@
-# {{ ansible_managed }}
+{{ ansible_managed | comment }}
 JAVA_OPTS='{{ keycloak_java_opts }}'
 JAVA_HOME={{ keycloak_java_home  | default(keycloak_rpm_java_home, true) }}
 JBOSS_HOME={{ keycloak.home }}
diff --git a/roles/keycloak/templates/keycloak.service.j2 b/roles/keycloak/templates/keycloak.service.j2
index 15a6ddf..eea3ba1 100644
--- a/roles/keycloak/templates/keycloak.service.j2
+++ b/roles/keycloak/templates/keycloak.service.j2
@@ -1,4 +1,4 @@
-# {{ ansible_managed }}
+{{ ansible_managed | comment }}
 [Unit]
 Description={{ keycloak.service_name }} Server
 After=network.target
diff --git a/roles/keycloak/templates/standalone-ha.xml.j2 b/roles/keycloak/templates/standalone-ha.xml.j2
index 99399f3..d027c35 100644
--- a/roles/keycloak/templates/standalone-ha.xml.j2
+++ b/roles/keycloak/templates/standalone-ha.xml.j2
@@ -1,5 +1,5 @@
 <?xml version='1.0' encoding='UTF-8'?>
-<!-- {{ ansible_managed }} -->
+{{ ansible_managed | comment('xml') }}
 <server xmlns="urn:jboss:domain:16.0">
     <extensions>
         <extension module="org.jboss.as.clustering.infinispan"/>
diff --git a/roles/keycloak/templates/standalone-infinispan.xml.j2 b/roles/keycloak/templates/standalone-infinispan.xml.j2
index 0b0c8af..18e5a7c 100644
--- a/roles/keycloak/templates/standalone-infinispan.xml.j2
+++ b/roles/keycloak/templates/standalone-infinispan.xml.j2
@@ -1,5 +1,5 @@
 <?xml version='1.0' encoding='UTF-8'?>
-<!-- {{ ansible_managed }} -->
+{{ ansible_managed | comment('xml') }}
 <server xmlns="urn:jboss:domain:16.0">
     <extensions>
         <extension module="org.jboss.as.clustering.infinispan"/>
diff --git a/roles/keycloak/templates/standalone.xml.j2 b/roles/keycloak/templates/standalone.xml.j2
index 72fe4d6..5ee20ed 100644
--- a/roles/keycloak/templates/standalone.xml.j2
+++ b/roles/keycloak/templates/standalone.xml.j2
@@ -1,5 +1,5 @@
 <?xml version='1.0' encoding='UTF-8'?>
-<!-- {{ ansible_managed }} -->
+{{ ansible_managed | comment('xml') }}
 <server xmlns="urn:jboss:domain:16.0">
     <extensions>
         <extension module="org.jboss.as.clustering.infinispan"/>
diff --git a/roles/keycloak_quarkus/templates/cache-ispn.xml.j2 b/roles/keycloak_quarkus/templates/cache-ispn.xml.j2
index 67514d3..fb11cda 100644
--- a/roles/keycloak_quarkus/templates/cache-ispn.xml.j2
+++ b/roles/keycloak_quarkus/templates/cache-ispn.xml.j2
@@ -1,4 +1,4 @@
-<!-- {{ ansible_managed }} -->
+{{ ansible_managed | comment('xml') }}
 <!--
   ~ Copyright 2019 Red Hat, Inc. and/or its affiliates
   ~ and other contributors as indicated by the @author tags.
diff --git a/roles/keycloak_quarkus/templates/keycloak-sysconfig.j2 b/roles/keycloak_quarkus/templates/keycloak-sysconfig.j2
index a665ec8..aa6aef7 100644
--- a/roles/keycloak_quarkus/templates/keycloak-sysconfig.j2
+++ b/roles/keycloak_quarkus/templates/keycloak-sysconfig.j2
@@ -1,4 +1,4 @@
-# {{ ansible_managed }}
+{{ ansible_managed | comment }}
 KEYCLOAK_ADMIN={{ keycloak_quarkus_admin_user }}
 KEYCLOAK_ADMIN_PASSWORD='{{ keycloak_quarkus_admin_pass }}'
 PATH={{ keycloak_quarkus_java_home | default(keycloak_rpm_java_home, true) }}/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
diff --git a/roles/keycloak_quarkus/templates/keycloak.conf.j2 b/roles/keycloak_quarkus/templates/keycloak.conf.j2
index 8ad89a9..b23a250 100644
--- a/roles/keycloak_quarkus/templates/keycloak.conf.j2
+++ b/roles/keycloak_quarkus/templates/keycloak.conf.j2
@@ -1,4 +1,4 @@
-# {{ ansible_managed }}
+{{ ansible_managed | comment }}
 
 {% if keycloak_quarkus_db_enabled %}
 # Database
diff --git a/roles/keycloak_quarkus/templates/keycloak.service.j2 b/roles/keycloak_quarkus/templates/keycloak.service.j2
index 5b90986..af61007 100644
--- a/roles/keycloak_quarkus/templates/keycloak.service.j2
+++ b/roles/keycloak_quarkus/templates/keycloak.service.j2
@@ -1,4 +1,4 @@
-# {{ ansible_managed }}
+{{ ansible_managed | comment }}
 [Unit]
 Description=Keycloak Server
 After=network.target
diff --git a/roles/keycloak_quarkus/templates/quarkus.properties.j2 b/roles/keycloak_quarkus/templates/quarkus.properties.j2
index 7ef1db7..5689bfc 100644
--- a/roles/keycloak_quarkus/templates/quarkus.properties.j2
+++ b/roles/keycloak_quarkus/templates/quarkus.properties.j2
@@ -1,4 +1,4 @@
-# {{ ansible_managed }}
+{{ ansible_managed | comment }}
 {% if keycloak_quarkus_ha_enabled %}
 {% if not rhbk_enable or keycloak_quarkus_version.split('.')[0]|int < 22 %}
 quarkus.infinispan-client.server-list={{ keycloak_quarkus_ispn_hosts }}

From 96804d808621a4250741dcf173916ee120e2eb14 Mon Sep 17 00:00:00 2001
From: Guido Grazioli <ggraziol@redhat.com>
Date: Wed, 13 Mar 2024 17:55:30 +0100
Subject: [PATCH 3/6] downstream: rhsso has new patch filename pattern

---
 roles/keycloak/tasks/rhsso_patch.yml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/roles/keycloak/tasks/rhsso_patch.yml b/roles/keycloak/tasks/rhsso_patch.yml
index b0e04da..191a3e0 100644
--- a/roles/keycloak/tasks/rhsso_patch.yml
+++ b/roles/keycloak/tasks/rhsso_patch.yml
@@ -36,7 +36,9 @@
 
     - name: Determine patch versions list
       ansible.builtin.set_fact:
-        filtered_versions: "{{ rhn_products.results | map(attribute='file_path') | select('match', '^[^/]*/rh-sso-.*[0-9]*[.][0-9]*[.][0-9]*.*$') | map('regex_replace', '[^/]*/rh-sso-([0-9]*[.][0-9]*[.][0-9]*)-.*', '\\1') | list | unique }}"
+        filtered_versions: "{{ rhn_products.results | map(attribute='file_path') | \
+                               select('match', '^[^/]*/rh-sso-.*[0-9]*[.][0-9]*[.][0-9]*.*$') | \
+                               map('regex_replace', '[^/]*/rh-sso-([0-9]*[.][0-9]*[.][0-9]*(-[0-9])?)-.*', '\\1') | list | unique }}"
       when: sso_patch_version is not defined or sso_patch_version | length == 0
       delegate_to: localhost
       run_once: true
@@ -70,7 +72,7 @@
       middleware_automation.common.product_download: # noqa risky-file-permissions delegated, uses controller host user
         client_id: "{{ rhn_username }}"
         client_secret: "{{ rhn_password }}"
-        product_id: "{{ (rhn_filtered_products | first).id }}"
+        product_id: "{{ (rhn_filtered_products | sort | last).id }}"
         dest: "{{ local_path.stat.path }}/{{ patch_bundle }}"
       no_log: "{{ omit_rhn_output | default(true) }}"
       delegate_to: localhost
@@ -114,7 +116,7 @@
   when:
     - cli_result is defined
     - cli_result.stdout is defined
-    - patch_version not in cli_result.stdout
+    - patch_version | regex_replace('-[0-9]$', '') not in cli_result.stdout
   block:
     - name: "Apply patch {{ patch_version }} to server"
       ansible.builtin.include_tasks: rhsso_cli.yml

From 0c079740e192a4b18e70483743c6f0b8436fe351 Mon Sep 17 00:00:00 2001
From: Guido Grazioli <ggraziol@redhat.com>
Date: Thu, 14 Mar 2024 10:13:46 +0100
Subject: [PATCH 4/6] downstream: molecule custom xml that works with rhsso

---
 molecule/overridexml/templates/custom.xml.j2 | 15 +++++++++------
 roles/keycloak/templates/standalone.xml.j2   |  6 +++---
 2 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/molecule/overridexml/templates/custom.xml.j2 b/molecule/overridexml/templates/custom.xml.j2
index 66c5852..53e58f2 100644
--- a/molecule/overridexml/templates/custom.xml.j2
+++ b/molecule/overridexml/templates/custom.xml.j2
@@ -44,7 +44,7 @@
         </audit-log>
         <management-interfaces>
             <http-interface http-authentication-factory="management-http-authentication">
-                <http-upgrade enabled="true"/>
+                <http-upgrade enabled="true" sasl-authentication-factory="management-sasl-authentication"/>
                 <socket-binding http="management-http"/>
             </http-interface>
         </management-interfaces>
@@ -481,8 +481,8 @@
                 <default-provider>default</default-provider>
                 <provider name="default" enabled="true">
                     <properties>
-                        <property name="frontendUrl" value="{{ keycloak_modcluster.frontend_url }}"/>
-                        <property name="forceBackendUrlToFrontendUrl" value="true"/>
+                        <property name="frontendUrl" value="localhost"/>
+                        <property name="forceBackendUrlToFrontendUrl" value="false"/>
                     </properties>
                 </provider>
             </spi>
@@ -520,7 +520,7 @@
         <subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
             <buffer-cache name="default"/>
             <server name="default-server">
-                <http-listener name="default" socket-binding="http"/>
+                <http-listener name="default" socket-binding="http" />
                 <host name="default-host" alias="localhost">
                     <location name="/" handler="welcome-content"/>
                     <http-invoker http-authentication-factory="application-http-authentication"/>
@@ -533,15 +533,18 @@
             <handlers>
                 <file name="welcome-content" path="${jboss.home.dir}/welcome-content"/>
             </handlers>
+            <application-security-domains>
+                <application-security-domain name="other" security-domain="ApplicationDomain"/>
+            </application-security-domains>
         </subsystem>
         <subsystem xmlns="urn:jboss:domain:weld:4.0"/>
     </profile>
     <interfaces>
         <interface name="management">
-            <inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
+            <inet-address value="127.0.0.1"/>
         </interface>
         <interface name="public">
-            <inet-address value="${jboss.bind.address:127.0.0.1}"/>
+            <inet-address value="127.0.0.1"/>
         </interface>
     </interfaces>
     <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
diff --git a/roles/keycloak/templates/standalone.xml.j2 b/roles/keycloak/templates/standalone.xml.j2
index 5ee20ed..6c3c0f8 100644
--- a/roles/keycloak/templates/standalone.xml.j2
+++ b/roles/keycloak/templates/standalone.xml.j2
@@ -539,7 +539,7 @@
             </mail-session>
         </subsystem>
         <subsystem xmlns="urn:wildfly:metrics:1.0" security-enabled="false" exposed-subsystems="*" prefix="${wildfly.metrics.prefix:jboss}"/>
-{% if keycloak_modcluster.enabled %}        
+{% if keycloak_modcluster.enabled %}
         <subsystem xmlns="urn:jboss:domain:modcluster:5.0">
             <proxy name="default" advertise="false" listener="ajp" proxies="{{ ['proxy_'] | product(keycloak_modcluster.reverse_proxy_urls | map(attribute='host')) | map('join') | list | join(' ') }}">
                 <dynamic-load-provider>
@@ -547,7 +547,7 @@
                 </dynamic-load-provider>
             </proxy>
         </subsystem>
-{% endif %}        
+{% endif %}
         <subsystem xmlns="urn:jboss:domain:naming:2.0">
             <remote-naming/>
         </subsystem>
@@ -621,6 +621,6 @@
             <remote-destination host="{{ modcluster.host }}" port="{{ modcluster.port }}"/>
         </outbound-socket-binding>
 {% endfor %}
-{% endif %}        
+{% endif %}
     </socket-binding-group>
 </server>

From 0cea03dfc04e9a7167a6fbe2c1d8c65fca0e883f Mon Sep 17 00:00:00 2001
From: Guido Grazioli <ggraziol@redhat.com>
Date: Thu, 14 Mar 2024 10:37:09 +0100
Subject: [PATCH 5/6] downstream: simplify overridexml test

---
 molecule/overridexml/converge.yml | 46 +------------------------------
 1 file changed, 1 insertion(+), 45 deletions(-)

diff --git a/molecule/overridexml/converge.yml b/molecule/overridexml/converge.yml
index e0bed70..7537684 100644
--- a/molecule/overridexml/converge.yml
+++ b/molecule/overridexml/converge.yml
@@ -1,7 +1,7 @@
 ---
 - name: Converge
   hosts: all
-  vars: 
+  vars:
     keycloak_admin_password: "remembertochangeme"
     keycloak_config_override_template: custom.xml.j2
     keycloak_http_port: 8081
@@ -9,47 +9,3 @@
     keycloak_service_runas: True
   roles:
     - role: keycloak
-  tasks:
-    - name: Keycloak Realm Role
-      ansible.builtin.include_role:
-        name: keycloak_realm
-      vars:
-        keycloak_client_default_roles:
-          - TestRoleAdmin
-          - TestRoleUser
-        keycloak_client_users:
-          - username: TestUser
-            password: password
-            client_roles:
-              - client: TestClient
-                role: TestRoleUser
-                realm: "{{ keycloak_realm }}"
-          - username: TestAdmin
-            password: password
-            client_roles:
-              - client: TestClient
-                role: TestRoleUser
-                realm: "{{ keycloak_realm }}"
-              - client: TestClient
-                role: TestRoleAdmin
-                realm: "{{ keycloak_realm }}"
-        keycloak_realm: TestRealm
-        keycloak_clients:
-          - name: TestClient
-            roles: "{{ keycloak_client_default_roles }}"
-            realm: "{{ keycloak_realm }}"
-            public_client: "{{ keycloak_client_public }}"
-            web_origins: "{{ keycloak_client_web_origins }}"
-            users: "{{ keycloak_client_users }}"
-            client_id: TestClient
-  pre_tasks:
-    - name: "Retrieve assets server from env"
-      ansible.builtin.set_fact:
-        assets_server: "{{ lookup('env','MIDDLEWARE_DOWNLOAD_RELEASE_SERVER_URL') }}"
-
-    - name: "Set offline when assets server from env is defined"
-      ansible.builtin.set_fact:
-        sso_offline_install: True
-      when:
-        - assets_server is defined
-        - assets_server | length > 0

From 1cecf51f37bc1ab7f2757a385459bb9ae41e8cdc Mon Sep 17 00:00:00 2001
From: Guido Grazioli <ggraziol@redhat.com>
Date: Thu, 14 Mar 2024 11:41:52 +0100
Subject: [PATCH 6/6] downstream: more updates to custom xml

---
 molecule/overridexml/templates/custom.xml.j2 |  9 ++++++---
 molecule/overridexml/verify.yml              | 21 ++++++++++++++++++++
 2 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/molecule/overridexml/templates/custom.xml.j2 b/molecule/overridexml/templates/custom.xml.j2
index 53e58f2..ec801d3 100644
--- a/molecule/overridexml/templates/custom.xml.j2
+++ b/molecule/overridexml/templates/custom.xml.j2
@@ -1,5 +1,5 @@
 <?xml version='1.0' encoding='UTF-8'?>
-{{ ansible_managed | comment('xml') }}
+<!-- this is a custom file -->
 <server xmlns="urn:jboss:domain:16.0">
     <extensions>
         <extension module="org.jboss.as.clustering.infinispan"/>
@@ -481,7 +481,7 @@
                 <default-provider>default</default-provider>
                 <provider name="default" enabled="true">
                     <properties>
-                        <property name="frontendUrl" value="localhost"/>
+                        <property name="frontendUrl" value="${keycloak.frontendUrl:}"/>
                         <property name="forceBackendUrlToFrontendUrl" value="false"/>
                     </properties>
                 </provider>
@@ -520,7 +520,8 @@
         <subsystem xmlns="urn:jboss:domain:undertow:12.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
             <buffer-cache name="default"/>
             <server name="default-server">
-                <http-listener name="default" socket-binding="http" />
+                <http-listener name="default" socket-binding="http" redirect-socket="https" enable-http2="true"/>
+                <https-listener name="https" socket-binding="https" ssl-context="applicationSSC" enable-http2="true"/>
                 <host name="default-host" alias="localhost">
                     <location name="/" handler="welcome-content"/>
                     <http-invoker http-authentication-factory="application-http-authentication"/>
@@ -549,7 +550,9 @@
     </interfaces>
     <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
         <socket-binding name="http" port="8081"/>
+        <socket-binding name="https" port="8443"/>
         <socket-binding name="management-http" interface="management" port="19990"/>
+        <socket-binding name="management-https" interface="management" port="19991"/>
         <socket-binding name="txn-recovery-environment" port="4712"/>
         <socket-binding name="txn-status-manager" port="4713"/>
         <outbound-socket-binding name="mail-smtp">
diff --git a/molecule/overridexml/verify.yml b/molecule/overridexml/verify.yml
index ef973cd..b267fa1 100644
--- a/molecule/overridexml/verify.yml
+++ b/molecule/overridexml/verify.yml
@@ -1,6 +1,10 @@
 ---
 - name: Verify
   hosts: all
+  vars:
+    keycloak_uri: "http://localhost:8081"
+    keycloak_management_port: "http://localhost:19990"
+    keycloak_admin_password: "remembertochangeme"
   tasks:
     - name: Populate service facts
       ansible.builtin.service_facts:
@@ -9,3 +13,20 @@
         that:
           - ansible_facts.services["keycloak.service"]["state"] == "running"
           - ansible_facts.services["keycloak.service"]["status"] == "enabled"
+    - name: Verify we are running on requested jvm # noqa blocked_modules command-instead-of-module
+      ansible.builtin.shell: |
+        set -o pipefail
+        ps -ef | grep '/etc/alternatives/jre_1.8.0/' | grep -v grep
+      args:
+        executable: /bin/bash
+      changed_when: no
+    - name: Verify token api call
+      ansible.builtin.uri:
+        url: "{{ keycloak_uri }}/auth/realms/master/protocol/openid-connect/token"
+        method: POST
+        body: "client_id=admin-cli&username=admin&password={{ keycloak_admin_password }}&grant_type=password"
+        validate_certs: no
+      register: keycloak_auth_response
+      until: keycloak_auth_response.status == 200
+      retries: 2
+      delay: 2