Do not allow delete the FGAP client

Closes #38644

Signed-off-by: Pedro Igor <pigor.craveiro@gmail.com>

services/src/main/java/org/keycloak/services/resources/admin/ClientResource.java

@@ -24,6 +24,7 @@ import org.eclipse.microprofile.openapi.annotations.tags.Tag;
 import org.jboss.logging.Logger;
 import org.jboss.resteasy.reactive.NoCache;
 import org.keycloak.OAuthErrorException;
+import org.keycloak.authorization.AdminPermissionsSchema;
 import org.keycloak.authorization.admin.AuthorizationService;
 import org.keycloak.client.clienttype.ClientTypeException;
 import org.keycloak.common.ClientConnection;
@@ -241,6 +242,8 @@ public class ClientResource {
             throw new NotFoundException("Could not find client");
         }
 
+        AdminPermissionsSchema.SCHEMA.throwExceptionIfAdminPermissionClient(session, client.getId());
+
         try {
             session.clientPolicy().triggerOnEvent(new AdminClientUnregisterContext(client, auth.adminAuth()));
         } catch (ClientPolicyException cpe) {

services/src/main/java/org/keycloak/services/resources/admin/permissions/ClientPermissions.java

@@ -17,6 +17,7 @@
 package org.keycloak.services.resources.admin.permissions;
 
 import org.jboss.logging.Logger;
+import org.keycloak.authorization.AdminPermissionsSchema;
 import org.keycloak.authorization.AuthorizationProvider;
 import org.keycloak.authorization.common.ClientModelIdentity;
 import org.keycloak.authorization.common.DefaultEvaluationContext;
@@ -663,8 +664,9 @@ class ClientPermissions implements ClientPermissionEvaluator,  ClientPermissionM
     public Map<String, Boolean> getAccess(ClientModel client) {
         Map<String, Boolean> map = new HashMap<>();
         map.put("view", canView(client));
-        map.put("manage", StorageId.isLocalStorage(client) && canManage(client));
-        map.put("configure", StorageId.isLocalStorage(client) && canConfigure(client));
+        boolean isAdminPermissionsClient = AdminPermissionsSchema.SCHEMA.isAdminPermissionClient(realm, client.getId());
+        map.put("manage", !isAdminPermissionsClient && StorageId.isLocalStorage(client) && canManage(client));
+        map.put("configure", !isAdminPermissionsClient && StorageId.isLocalStorage(client) && canConfigure(client));
         return map;
     }
 

tests/base/src/test/java/org/keycloak/tests/admin/authz/fgap/PermissionRESTTest.java

@@ -24,9 +24,11 @@ import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.equalTo;
 import static org.hamcrest.Matchers.instanceOf;
 import static org.hamcrest.Matchers.notNullValue;
+import static org.junit.jupiter.api.Assertions.assertFalse;
 import static org.junit.jupiter.api.Assertions.fail;
 import org.junit.jupiter.api.Test;
 import org.keycloak.authorization.AdminPermissionsSchema;
+import org.keycloak.representations.idm.ClientRepresentation;
 import org.keycloak.representations.idm.authorization.DecisionStrategy;
 import org.keycloak.representations.idm.authorization.PolicyEnforcementMode;
 import org.keycloak.representations.idm.authorization.ResourceRepresentation;
@@ -42,6 +44,23 @@ public class PermissionRESTTest extends AbstractPermissionTest {
     @InjectUser(ref = "alice")
     private ManagedUser userAlice;
 
+    @Test
+    public void testPreventDeletingAdminPermissionsClient() {
+        try {
+            client.admin().remove();
+            fail("Expected Exception wasn't thrown.");
+        } catch (Exception ex) {
+            assertThat(ex, instanceOf(BadRequestException.class));
+        }
+    }
+
+    @Test
+    public void testManageNotAllowedForAdminPermissionsClient() {
+        ClientRepresentation representation = client.admin().toRepresentation();
+        assertFalse(representation.getAccess().get("manage"));
+        assertFalse(representation.getAccess().get("configure"));
+    }
+
     @Test
     public void resourceServerTest() {
         ResourceServerRepresentation rep = new ResourceServerRepresentation();