"""keycloak — INSTALL overlay (Phase 1d, DG4): override + extend-by-composition.

Reuses the generic "really serving" assertion, then ADDS the recipe-specific checks: the master
realm endpoint answers 200 over HTTPS (keycloak + mariadb are up), and a real browser loads the
keycloak admin console (D2 install + D3 Playwright). Assertion-only on the shared deployment."""

import os
import sys

sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "runner"))
from harness import browser as harness_browser, generic, lifecycle  # noqa: E402


def test_serving_and_admin_console(live_app, meta):
    # extend-by-composition: reuse the generic "really serving" assertion first ...
    generic.assert_serving(live_app, meta)

    # ... then the recipe-specific assertions.
    # The master realm endpoint answers 200 over HTTPS (keycloak + mariadb are up).
    assert lifecycle.http_get(live_app, "/realms/master") == 200

    # A real browser loads the keycloak admin console (renders the sign-in UI).
    from playwright.sync_api import sync_playwright

    url = f"https://{live_app}/admin/master/console/"
    with sync_playwright() as p:
        browser = p.chromium.launch(args=["--no-sandbox"])
        try:
            page = browser.new_context(ignore_https_errors=True).new_page()
            # F2-3 hardening: harness.browser handles status-mismatch + PlaywrightError retries.
            # Accept 200 or 302 — the admin console redirects to the login form.
            harness_browser.goto_with_retry(
                page, url, accept_statuses=(200, 302, 303), goto_timeout_ms=45_000
            )
            # admin console redirects to the login form; wait for a username field to render
            page.wait_for_selector("input#username, input[name='username']", timeout=30000)
            assert (
                "keycloak" in page.content().lower() or page.locator("input#username").count() > 0
            )
        finally:
            browser.close()