Ensure master realm can't be removed

Closes #28896 Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>
2024-05-10 16:04:38 -03:00 · 2024-05-10 16:04:38 -03:00 · f0620353a4
commit f0620353a4
parent 52c9e440d6
2 changed files with 16 additions and 3 deletions
--- a/services/src/main/java/org/keycloak/services/resources/admin/RealmAdminResource.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/RealmAdminResource.java
@ -486,6 +486,10 @@ public class RealmAdminResource {
    public void deleteRealm() {
        auth.realm().requireManageRealm();

+        if (Config.getAdminRealm().equals(realm.getName())) {
+            throw ErrorResponse.error("Can't rename master realm", Status.BAD_REQUEST);
+        }
+
        if (!new RealmManager(session).removeRealm(realm)) {
            throw new NotFoundException("Realm doesn't exist");
        }
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/realm/RealmTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/realm/RealmTest.java
@ -524,12 +524,21 @@ public class RealmTest extends AbstractAdminTest {

    private void reCreateRealm() {
        // Re-create realm
-        RealmRepresentation realmRep = testContext.getTestRealmReps().stream().filter((RealmRepresentation realm) -> {
-            return realm.getRealm().equals(REALM_NAME);
-        }).findFirst().get();
+        RealmRepresentation realmRep = testContext.getTestRealmReps().stream()
+                .filter(realm -> realm.getRealm().equals(REALM_NAME)).findFirst().get();
        importRealm(realmRep);
    }

+    @Test
+    public void removeMasterRealm() {
+        // any attempt to remove the master realm should fail.
+        try {
+            adminClient.realm("master").remove();
+            fail("It should not be possible to remove the master realm");
+        } catch(BadRequestException ignored) {
+        }
+    }
+
    @Test
    public void loginAfterRemoveRealm() {
        realm.remove();