KEYCLOAK-18841 prevent deletion of default role using RoleContainerResource

services/src/main/java/org/keycloak/services/resources/admin/RoleContainerResource.java

@@ -57,6 +57,7 @@ import java.util.Map;
 import java.util.Objects;
 import java.util.function.Function;
 import java.util.stream.Stream;
+import org.keycloak.services.ErrorResponseException;
 
 /**
  * @resource Roles
@@ -189,6 +190,9 @@ public class RoleContainerResource extends RoleResource {
         RoleModel role = roleContainer.getRole(roleName);
         if (role == null) {
             throw new NotFoundException("Could not find role");
+        } else if (realm.getDefaultRole().getId().equals(role.getId())) {
+            throw new ErrorResponseException(ErrorResponse.error(roleName + " is default role of the realm and cannot be removed.", 
+                    Response.Status.BAD_REQUEST));
         }
         deleteRole(role);
 

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/realm/RealmRolesTest.java

@@ -47,6 +47,7 @@ import java.util.List;
 import java.util.Map;
 import java.util.Set;
 import java.util.stream.Collectors;
+import javax.ws.rs.BadRequestException;
 import javax.ws.rs.ClientErrorException;
 
 import static org.hamcrest.MatcherAssert.assertThat;
@@ -523,6 +524,11 @@ public class RealmRolesTest extends AbstractAdminTest {
         );
     }
 
+    @Test(expected = BadRequestException.class)
+    public void testDeleteDefaultRole() {
+        adminClient.realm(REALM_NAME).roles().deleteRole(Constants.DEFAULT_ROLES_ROLE_PREFIX + "-" + REALM_NAME);
+    }
+
     private List<String> convertRolesToNames(List<RoleRepresentation> roles) {
         return roles.stream().map(RoleRepresentation::getName).collect(Collectors.toList());
     }