From f0620353a4e01b5640c18e6b067ac373c7213e6c Mon Sep 17 00:00:00 2001
From: Stefan Guilhen
Date: Fri, 10 May 2024 16:04:38 -0300
Subject: [PATCH] Ensure master realm can't be removed
Closes #28896
Signed-off-by: Stefan Guilhen
---
 .../resources/admin/RealmAdminResource.java | 4 ++++
 .../keycloak/testsuite/admin/realm/RealmTest.java | 15 ++++++++++++---
 2 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/services/src/main/java/org/keycloak/services/resources/admin/RealmAdminResource.java b/services/src/main/java/org/keycloak/services/resources/admin/RealmAdminResource.java
index bc2b5c618d..43d570636e 100644
--- a/services/src/main/java/org/keycloak/services/resources/admin/RealmAdminResource.java
+++ b/services/src/main/java/org/keycloak/services/resources/admin/RealmAdminResource.java
@@ -486,6 +486,10 @@ public class RealmAdminResource {
 public void deleteRealm() {
 auth.realm().requireManageRealm();
+ if (Config.getAdminRealm().equals(realm.getName())) {
+ throw ErrorResponse.error("Can't rename master realm", Status.BAD_REQUEST);
+ }
+
 if (!new RealmManager(session).removeRealm(realm)) {
 throw new NotFoundException("Realm doesn't exist");
 }
diff --git a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/realm/RealmTest.java b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/realm/RealmTest.java
index dbc79946db..86c56de732 100755
--- a/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/realm/RealmTest.java
+++ b/testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/realm/RealmTest.java
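Review bot: The new guard in deleteRealm() reports "Can't rename master realm" although the refused operation is a delete, so an admin or anyone reading the error response is told the wrong thing; the line should read `throw ErrorResponse.error("Can't remove master realm", Status.BAD_REQUEST);`. The check sits only in this REST resource, after `requireManageRealm()`, so any other caller of `RealmManager.removeRealm` (none are visible in this hunk) would presumably still be able to delete the admin realm; it is worth confirming whether the guard belongs in RealmManager as well. deleteRealm()'s body continues outside the hunk.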
@@ -524,12 +524,21 @@ public class RealmTest extends AbstractAdminTest {
 private void reCreateRealm() {
 // Re-create realm
- RealmRepresentation realmRep = testContext.getTestRealmReps().stream().filter((RealmRepresentation realm) -> {
- return realm.getRealm().equals(REALM_NAME);
- }).findFirst().get();
+ RealmRepresentation realmRep = testContext.getTestRealmReps().stream()
+ .filter(realm -> realm.getRealm().equals(REALM_NAME)).findFirst().get();
 importRealm(realmRep);
 }
+ @Test
+ public void removeMasterRealm() {
+ // any attempt to remove the master realm should fail.
+ try {
+ adminClient.realm("master").remove();
+ fail("It should not be possible to remove the master realm");
+ } catch(BadRequestException ignored) {
+ }
+ }
+
 @Test
 public void loginAfterRemoveRealm() {
 realm.remove();
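Review bot: removeMasterRealm() passes as soon as any BadRequestException is thrown, but it never verifies that the master realm is still present afterwards, nor that the 400 came from the new guard rather than some other rejection. After the catch block, add a check such as `assertNotNull(adminClient.realm("master").toRepresentation());` (assuming `assertNotNull` is already statically imported in this file), and put a short comment in the empty catch, e.g. `// expected: the admin realm must never be deletable`. The test also hard-codes `"master"` while the production check compares against `Config.getAdminRealm()`, so it only covers the default admin-realm name.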