"""keycloak — upgrade stage (D2): deploy previous version, create a realm (DB data), upgrade to
current/$REF, assert the app is healthy and the realm survived (mariadb data preserved)."""
import os
import sys

import pytest

sys.path.insert(0, os.path.join(os.path.dirname(__file__), "..", "..", "runner"))
from harness import lifecycle  # noqa: E402
import kc_admin  # noqa: E402


@pytest.fixture
def old_app(recipe, app_domain, meta, request):
    prev = lifecycle.previous_version(recipe)
    if not prev:
        pytest.skip(f"{recipe}: no previous published version")
    lifecycle.janitor()
    request.addfinalizer(lambda: lifecycle.teardown_app(app_domain))
    lifecycle.deploy_app(recipe, app_domain, version=prev)
    lifecycle.wait_healthy(app_domain, ok_codes=tuple(meta["HEALTH_OK"]), path=meta["HEALTH_PATH"],
                           deploy_timeout=meta["DEPLOY_TIMEOUT"], http_timeout=meta["HTTP_TIMEOUT"])
    return app_domain, prev


def test_upgrade_preserves_realm(old_app, meta):
    domain, prev = old_app
    pw = kc_admin.admin_password(domain)
    tok = kc_admin.admin_token(domain, pw)
    assert kc_admin.create_marker_realm(domain, tok) in (201, 409)
    assert kc_admin.marker_realm_exists(domain, tok), "marker realm not created"

    lifecycle.upgrade_app(domain, version=os.environ.get("VERSION") or None)
    lifecycle.wait_healthy(domain, ok_codes=tuple(meta["HEALTH_OK"]), path=meta["HEALTH_PATH"],
                           deploy_timeout=meta["DEPLOY_TIMEOUT"], http_timeout=meta["HTTP_TIMEOUT"])

    # re-auth (token from the old instance is fine, but get a fresh one post-upgrade) and verify
    tok2 = kc_admin.admin_token(domain, pw)
    assert kc_admin.marker_realm_exists(domain, tok2), "realm did not survive the upgrade"