Ensure master realm can't be removed

Closes #28896

Signed-off-by: Stefan Guilhen <sguilhen@redhat.com>

services/src/main/java/org/keycloak/services/resources/admin/RealmAdminResource.java

@@ -486,6 +486,10 @@ public class RealmAdminResource {
     public void deleteRealm() {
         auth.realm().requireManageRealm();
 
+        if (Config.getAdminRealm().equals(realm.getName())) {
+            throw ErrorResponse.error("Can't rename master realm", Status.BAD_REQUEST);
+        }
+
         if (!new RealmManager(session).removeRealm(realm)) {
             throw new NotFoundException("Realm doesn't exist");
         }

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/realm/RealmTest.java

@@ -524,12 +524,21 @@ public class RealmTest extends AbstractAdminTest {
 
     private void reCreateRealm() {
         // Re-create realm
-        RealmRepresentation realmRep = testContext.getTestRealmReps().stream().filter((RealmRepresentation realm) -> {
+        RealmRepresentation realmRep = testContext.getTestRealmReps().stream()
-            return realm.getRealm().equals(REALM_NAME);
+                .filter(realm -> realm.getRealm().equals(REALM_NAME)).findFirst().get();
-        }).findFirst().get();
         importRealm(realmRep);
     }
 
+    @Test
+    public void removeMasterRealm() {
+        // any attempt to remove the master realm should fail.
+        try {
+            adminClient.realm("master").remove();
+            fail("It should not be possible to remove the master realm");
+        } catch(BadRequestException ignored) {
+        }
+    }
+
     @Test
     public void loginAfterRemoveRealm() {
         realm.remove();