Fix error in compare policyEntry

Author: 1782935682

auth/src/main/java/org/apache/rocketmq/auth/authorization/chain/AclAuthorizationHandler.java

@@ -53,7 +53,7 @@ public AclAuthorizationHandler(AuthConfig config, Supplier<?> metadataService) {
 
     @Override
     public CompletableFuture<Void> handle(DefaultAuthorizationContext context,
-        HandlerChain<DefaultAuthorizationContext, CompletableFuture<Void>> chain) {
+                                          HandlerChain<DefaultAuthorizationContext, CompletableFuture<Void>> chain) {
         if (this.authorizationMetadataProvider == null) {
             throw new AuthorizationException("The authorizationMetadataProvider is not configured");
         }
@@ -112,10 +112,10 @@ private List<PolicyEntry> matchPolicyEntries(DefaultAuthorizationContext context
             return null;
         }
         return entries.stream()
-            .filter(entry -> entry.isMatchResource(context.getResource()))
-            .filter(entry -> entry.isMatchAction(context.getActions()))
-            .filter(entry -> entry.isMatchEnvironment(Environment.of(context.getSourceIp())))
-            .collect(Collectors.toList());
+                .filter(entry -> entry.isMatchResource(context.getResource()))
+                .filter(entry -> entry.isMatchAction(context.getActions()))
+                .filter(entry -> entry.isMatchEnvironment(Environment.of(context.getSourceIp())))
+                .collect(Collectors.toList());
     }
 
     private int comparePolicyEntries(PolicyEntry o1, PolicyEntry o2) {
@@ -133,20 +133,17 @@ private int comparePolicyEntries(PolicyEntry o1, PolicyEntry o2) {
             if (r1.getResourcePattern() == ResourcePattern.PREFIXED) {
                 String n1 = r1.getResourceName();
                 String n2 = r2.getResourceName();
-                compare = Integer.compare(n1.length(), n2.length());
+                compare = -1 * Integer.compare(n1.length(), n2.length());
             }
         } else {
-            if (r1.getResourcePattern() == ResourcePattern.LITERAL) {
-                compare = 1;
-            }
             if (r1.getResourcePattern() == ResourcePattern.LITERAL) {
                 compare = -1;
-            }
-            if (r1.getResourcePattern() == ResourcePattern.PREFIXED) {
+            } else if (r2.getResourcePattern() == ResourcePattern.LITERAL) {
                 compare = 1;
-            }
-            if (r1.getResourcePattern() == ResourcePattern.PREFIXED) {
+            } else if (r1.getResourcePattern() == ResourcePattern.PREFIXED) {
                 compare = -1;
+            } else if (r2.getResourcePattern() == ResourcePattern.PREFIXED) {
+                compare = 1;
             }
         }
 
@@ -162,6 +159,6 @@ private int comparePolicyEntries(PolicyEntry o1, PolicyEntry o2) {
 
     private static void throwException(DefaultAuthorizationContext context, String detail) {
         throw new AuthorizationException("{} has no permission to access {} from {}, " + detail,
-            context.getSubject().getSubjectKey(), context.getResource().getResourceKey(), context.getSourceIp());
+                context.getSubject().getSubjectKey(), context.getResource().getResourceKey(), context.getSourceIp());
     }
 }

auth/src/test/java/org/apache/rocketmq/auth/authorization/AuthorizationEvaluatorTest.java

@@ -24,6 +24,7 @@
 import org.apache.rocketmq.auth.authentication.manager.AuthenticationMetadataManager;
 import org.apache.rocketmq.auth.authentication.model.Subject;
 import org.apache.rocketmq.auth.authentication.model.User;
+import org.apache.rocketmq.auth.authorization.chain.AclAuthorizationHandler;
 import org.apache.rocketmq.auth.authorization.context.AuthorizationContext;
 import org.apache.rocketmq.auth.authorization.context.DefaultAuthorizationContext;
 import org.apache.rocketmq.auth.authorization.enums.Decision;
@@ -345,6 +346,46 @@ public void evaluate8() {
         }
     }
 
+    @Test
+    public void evaluate9() {
+        if (MixAll.isMac()) {
+            return;
+        }
+        User user = User.of("test", "test");
+        this.authenticationMetadataManager.createUser(user).join();
+
+        Acl acl0 = AuthTestHelper.buildAcl("User:test", "*", "Pub", "192.168.0.0/24", Decision.ALLOW);
+        this.authorizationMetadataManager.createAcl(acl0).join();
+        Acl acl1 = AuthTestHelper.buildAcl("User:test", "Topic:*", "Pub", "192.168.0.0/24", Decision.ALLOW);
+        this.authorizationMetadataManager.createAcl(acl1).join();
+        Acl acl2 = AuthTestHelper.buildAcl("User:test", "Topic:test*", "Pub", "192.168.0.0/24", Decision.ALLOW);
+        this.authorizationMetadataManager.createAcl(acl2).join();
+        Acl acl3 = AuthTestHelper.buildAcl("User:test", "Topic:test_*", "Pub", "192.168.0.0/24", Decision.DENY);
+        this.authorizationMetadataManager.createAcl(acl3).join();
+        Acl acl4 = AuthTestHelper.buildAcl("User:test", "Topic:test_001", "Pub", "192.168.0.0/24", Decision.DENY);
+        this.authorizationMetadataManager.createAcl(acl4).join();
+
+        Assert.assertThrows(AuthorizationException.class, () -> {
+            Subject subject = Subject.of("User:test");
+            Resource resource = Resource.ofTopic("test_001");
+            Action action = Action.PUB;
+            String sourceIp = "192.168.0.1";
+            DefaultAuthorizationContext context = DefaultAuthorizationContext.of(subject, resource, action, sourceIp);
+            context.setRpcCode("10");
+            this.evaluator.evaluate(Collections.singletonList(context));
+        });
+
+        Assert.assertThrows(AuthorizationException.class, () -> {
+            Subject subject = Subject.of("User:test");
+            Resource resource = Resource.ofTopic("test_002");
+            Action action = Action.PUB;
+            String sourceIp = "192.168.0.1";
+            DefaultAuthorizationContext context = DefaultAuthorizationContext.of(subject, resource, action, sourceIp);
+            context.setRpcCode("10");
+            this.evaluator.evaluate(Collections.singletonList(context));
+        });
+    }
+
     private void clearAllUsers() {
         List<User> users = this.authenticationMetadataManager.listUser(null).join();
         if (CollectionUtils.isEmpty(users)) {