From 5fe675b6128fffa6173209adaa2c742075cb35b5 Mon Sep 17 00:00:00 2001
From: vramik
Date: Wed, 18 Aug 2021 13:13:01 +0200
Subject: [PATCH] KEYCLOAK-18841 prevent deletion of default role using RoleContainerResource
---
 .../services/resources/admin/RoleContainerResource.java | 4 ++++
 .../org/keycloak/testsuite/admin/realm/RealmRolesTest.java | 6 ++++++
 2 files changed, 10 insertions(+)
diff --git a/services/src/main/java/org/keycloak/services/resources/admin/RoleContainerResource.java b/services/src/main/java/org/keycloak/services/resources/admin/RoleContainerResource.java
index 91307cf828..a718fce918 100755
--- a/services/src/main/java/org/keycloak/services/resources/admin/RoleContainerResource.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/RoleContainerResource.java
@@ -57,6 +57,7 @@ import java.util.Map;
 import java.util.Objects;
 import java.util.function.Function;
 import java.util.stream.Stream;
+import org.keycloak.services.ErrorResponseException;
 
 /**
 * @resource Roles
@@ -189,6 +190,9 @@ public class RoleContainerResource extends RoleResource {
 RoleModel role = roleContainer.getRole(roleName);
 if (role == null) {
 throw new NotFoundException("Could not find role");
+ } else if (realm.getDefaultRole().getId().equals(role.getId())) {
+ throw new ErrorResponseException(ErrorResponse.error(roleName + " is default role of the realm and cannot be removed.",
+ Response.Status.BAD_REQUEST));
 }
 
 deleteRole(role);
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/realm/RealmRolesTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/realm/RealmRolesTest.java
index 6af0ae8cfe..b7564965c5 100644
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/realm/RealmRolesTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/realm/RealmRolesTest.java
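Review bot: In RoleContainerResource.java, the new `else if` enforces the default-role rule only at this endpoint, immediately before the call to `deleteRole(role)`; any other code path that reaches that helper, which is defined outside this hunk, would not be covered by the check. If the rule is meant as an invariant of the realm, the helper itself is the safer place for it, leaving this method to turn the rejection into the 400 response. The branch also dereferences `realm.getDefaultRole()` unguarded, so a realm with no default role set (if that state is reachable) would answer with a server error rather than proceed; `RoleModel defaultRole = realm.getDefaultRole();` followed by `} else if (defaultRole != null && defaultRole.getId().equals(role.getId())) {` avoids that. The enclosing method begins and ends outside the hunk, so whether the permission check runs before this branch cannot be confirmed from here.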
@@ -47,6 +47,7 @@ import java.util.List;
 import java.util.Map;
 import java.util.Set;
 import java.util.stream.Collectors;
+import javax.ws.rs.BadRequestException;
 import javax.ws.rs.ClientErrorException;
 
 import static org.hamcrest.MatcherAssert.assertThat;
@@ -523,6 +524,11 @@ public class RealmRolesTest extends AbstractAdminTest {
 );
 }
 
+ @Test(expected = BadRequestException.class)
+ public void testDeleteDefaultRole() {
+ adminClient.realm(REALM_NAME).roles().deleteRole(Constants.DEFAULT_ROLES_ROLE_PREFIX + "-" + REALM_NAME);
+ }
+
 private List convertRolesToNames(List roles) {
 return roles.stream().map(RoleRepresentation::getName).collect(Collectors.toList());
 }
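Review bot: `testDeleteDefaultRole` passes on any `BadRequestException`, so it would still pass if the request were rejected for an unrelated reason, and it never checks that the default role is still present afterwards. Catching the exception explicitly and then reading the role back pins both the rejection and the outcome the fix is meant to guarantee. The sketch below assumes JUnit's `fail` and `assertNotNull` are statically imported in this file, which the hunk does not show.

```java
@Test
public void testDeleteDefaultRole() {
    String defaultRoleName = Constants.DEFAULT_ROLES_ROLE_PREFIX + "-" + REALM_NAME;
    try {
        adminClient.realm(REALM_NAME).roles().deleteRole(defaultRoleName);
        fail("deleting the realm default role should be rejected");
    } catch (BadRequestException expected) {
        // rejected as intended
    }
    // the rejected request must leave the default role in place
    assertNotNull(adminClient.realm(REALM_NAME).roles().get(defaultRoleName).toRepresentation());
}
```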