Ensured API keys cannot be generated with domain-only roles linked to default domain

module/CLI/src/ApiKey/RoleResolver.php

@@ -4,6 +4,7 @@ declare(strict_types=1);
 
 namespace Shlinkio\Shlink\CLI\ApiKey;
 
+use Shlinkio\Shlink\CLI\Exception\InvalidRoleConfigException;
 use Shlinkio\Shlink\Core\Domain\DomainServiceInterface;
 use Shlinkio\Shlink\Rest\ApiKey\Model\RoleDefinition;
 use Symfony\Component\Console\Input\InputInterface;
@@ -12,24 +13,33 @@ use function is_string;
 
 class RoleResolver implements RoleResolverInterface
 {
-    public function __construct(private DomainServiceInterface $domainService)
+    public function __construct(private DomainServiceInterface $domainService, private string $defaultDomain)
     {
     }
 
     public function determineRoles(InputInterface $input): array
     {
-        $domainAuthority = $input->getOption('domain-only');
-        $author = $input->getOption('author-only');
+        $domainAuthority = $input->getOption(self::DOMAIN_ONLY_PARAM);
+        $author = $input->getOption(self::AUTHOR_ONLY_PARAM);
 
         $roleDefinitions = [];
         if ($author) {
             $roleDefinitions[] = RoleDefinition::forAuthoredShortUrls();
         }
         if (is_string($domainAuthority)) {
-            $domain = $this->domainService->getOrCreate($domainAuthority);
-            $roleDefinitions[] = RoleDefinition::forDomain($domain);
+            $roleDefinitions[] = $this->resolveRoleForAuthority($domainAuthority);
         }
 
         return $roleDefinitions;
     }
+
+    private function resolveRoleForAuthority(string $domainAuthority): RoleDefinition
+    {
+        if ($domainAuthority === $this->defaultDomain) {
+            throw InvalidRoleConfigException::forDomainOnlyWithDefaultDomain();
+        }
+
+        $domain = $this->domainService->getOrCreate($domainAuthority);
+        return RoleDefinition::forDomain($domain);
+    }
 }