don't clean up properly

services/src/main/java/org/keycloak/services/resources/admin/permissions/UserPermissions.java

@@ -157,32 +157,32 @@ class UserPermissions implements UserPermissionEvaluator, UserPermissionManageme
         ResourceServer server = root.realmResourceServer();
         if (server == null) return;
         Policy policy = managePermission();
-        if (policy == null) {
+        if (policy != null) {
             authz.getStoreFactory().getPolicyStore().delete(policy.getId());
 
         }
         policy = viewPermission();
-        if (policy == null) {
+        if (policy != null) {
             authz.getStoreFactory().getPolicyStore().delete(policy.getId());
 
         }
         policy = mapRolesPermission();
-        if (policy == null) {
+        if (policy != null) {
             authz.getStoreFactory().getPolicyStore().delete(policy.getId());
 
         }
         policy = manageGroupMembershipPermission();
-        if (policy == null) {
+        if (policy != null) {
             authz.getStoreFactory().getPolicyStore().delete(policy.getId());
 
         }
         policy = adminImpersonatingPermission();
-        if (policy == null) {
+        if (policy != null) {
             authz.getStoreFactory().getPolicyStore().delete(policy.getId());
 
         }
         policy = userImpersonatedPermission();
-        if (policy == null) {
+        if (policy != null) {
             authz.getStoreFactory().getPolicyStore().delete(policy.getId());
 
         }

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/servlet/AbstractClientInitiatedAccountLinkTest.java

@@ -168,6 +168,10 @@ public abstract class AbstractClientInitiatedAccountLinkTest extends AbstractSer
         user.setUsername("child");
         user.setEnabled(true);
         childUserId = createUserAndResetPasswordWithAdminClient(realm, user, "password");
+        UserRepresentation user2 = new UserRepresentation();
+        user2.setUsername("child2");
+        user2.setEnabled(true);
+        String user2Id = createUserAndResetPasswordWithAdminClient(realm, user2, "password");
 
         // have to add a role as undertow default auth manager doesn't like "*". todo we can remove this eventually as undertow fixes this in later versions
         realm.roles().create(new RoleRepresentation("user", null, false));
@@ -175,11 +179,13 @@ public abstract class AbstractClientInitiatedAccountLinkTest extends AbstractSer
         List<RoleRepresentation> roles = new LinkedList<>();
         roles.add(role);
         realm.users().get(childUserId).roles().realmLevel().add(roles);
+        realm.users().get(user2Id).roles().realmLevel().add(roles);
         ClientRepresentation brokerService = realm.clients().findByClientId(Constants.BROKER_SERVICE_CLIENT_ID).get(0);
         role = realm.clients().get(brokerService.getId()).roles().get(Constants.READ_TOKEN_ROLE).toRepresentation();
         roles.clear();
         roles.add(role);
         realm.users().get(childUserId).roles().clientLevel(brokerService.getId()).add(roles);
+        realm.users().get(user2Id).roles().clientLevel(brokerService.getId()).add(roles);
 
     }
 
@@ -192,11 +198,6 @@ public abstract class AbstractClientInitiatedAccountLinkTest extends AbstractSer
         BrokerTestTools.createKcOidcBroker(adminClient, CHILD_IDP, PARENT_IDP, suiteContext);
     }
 
-//    @Test
-    public void testUi() throws Exception {
-        Thread.sleep(1000000000);
-
-    }
 
     @Test
     public void testErrorConditions() throws Exception {
@@ -388,6 +389,7 @@ public abstract class AbstractClientInitiatedAccountLinkTest extends AbstractSer
         String linkUrl = linkBuilder.clone()
                 .queryParam("realm", CHILD_IDP)
                 .queryParam("provider", PARENT_IDP).build().toString();
+        System.out.println("linkUrl: " + linkUrl);
         navigateTo(linkUrl);
         Assert.assertTrue(loginPage.isCurrent(CHILD_IDP));
         Assert.assertTrue(driver.getPageSource().contains(PARENT_IDP));

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/adapter/undertow/servlet/UndertowClientInitiatedAccountLinkTest.java

@@ -16,6 +16,7 @@
  */
 package org.keycloak.testsuite.adapter.undertow.servlet;
 
+import org.junit.Test;
 import org.keycloak.testsuite.adapter.servlet.AbstractClientInitiatedAccountLinkTest;
 import org.keycloak.testsuite.arquillian.annotation.AppServerContainer;
 
@@ -26,4 +27,15 @@ import org.keycloak.testsuite.arquillian.annotation.AppServerContainer;
 @AppServerContainer("auth-server-undertow")
 public class UndertowClientInitiatedAccountLinkTest extends AbstractClientInitiatedAccountLinkTest {
 
+    //@Test
+    public void testUi() throws Exception {
+        Thread.sleep(1000000000);
+
+    }
+
+    @Override
+    @Test
+    public void testAccountLink() throws Exception {
+        super.testAccountLink();
+    }
 }

testsuite/integration-arquillian/tests/base/src/test/java/org/keycloak/testsuite/admin/FineGrainAdminUnitTest.java

@@ -75,38 +75,21 @@ public class FineGrainAdminUnitTest extends AbstractKeycloakTest {
     }
     public static void setupDemo(KeycloakSession session) {
         RealmModel realm = session.realms().getRealmByName(TEST);
-        ClientModel client = realm.addClient("sales-pipeline-application");
+        realm.addRole("realm-role");
+        ClientModel client = realm.addClient("sales-application");
         RoleModel clientAdmin = client.addRole("admin");
         client.addRole("leader-creator");
         client.addRole("viewLeads");
-        ClientModel client2 = realm.addClient("market-analysis-application");
-        RoleModel client2Admin = client2.addRole("admin");
-        client2.addRole("market-manager");
-        client2.addRole("viewMarkets");
         GroupModel sales = realm.createGroup("sales");
-        RoleModel salesAppsAdminRole = realm.addRole("sales-apps-admin");
-        salesAppsAdminRole.addCompositeRole(clientAdmin);
-        salesAppsAdminRole.addCompositeRole(client2Admin);
-        ClientModel realmManagementClient = realm.getClientByClientId("realm-management");
-        RoleModel queryClient = realmManagementClient.getRole(AdminRoles.QUERY_CLIENTS);
 
 
         UserModel admin = session.users().addUser(realm, "salesManager");
         admin.setEnabled(true);
         session.userCredentialManager().updateCredential(realm, admin, UserCredentialModel.password("password"));
-        admin = session.users().addUser(realm, "sales-group-admin");
+
+        admin = session.users().addUser(realm, "sales-admin");
         admin.setEnabled(true);
         session.userCredentialManager().updateCredential(realm, admin, UserCredentialModel.password("password"));
-        admin = session.users().addUser(realm, "sales-it");
-        admin.setEnabled(true);
-        session.userCredentialManager().updateCredential(realm, admin, UserCredentialModel.password("password"));
-        admin = session.users().addUser(realm, "sales-pipeline-admin");
-        admin.setEnabled(true);
-        session.userCredentialManager().updateCredential(realm, admin, UserCredentialModel.password("password"));
-        admin = session.users().addUser(realm, "client-admin");
-        admin.setEnabled(true);
-        admin.grantRole(queryClient);
-        session.userCredentialManager().updateCredential(realm, admin, UserCredentialModel.password("password"));
 
         UserModel user = session.users().addUser(realm, "salesman");
         user.setEnabled(true);