From 347d25cefc95cd4463ebb5845530db736271ef3c Mon Sep 17 00:00:00 2001
From: ccwss <1782935682@qq.com>
Date: Fri, 11 Jul 2025 11:37:51 +0800
Subject: [PATCH] Fix error in compare policyEntry
---
 .../chain/AclAuthorizationHandler.java | 13 +++---
 .../AuthorizationEvaluatorTest.java | 41 ++++++++++++++++++-
 2 files changed, 45 insertions(+), 9 deletions(-)
diff --git a/auth/src/main/java/org/apache/rocketmq/auth/authorization/chain/AclAuthorizationHandler.java b/auth/src/main/java/org/apache/rocketmq/auth/authorization/chain/AclAuthorizationHandler.java
index 06a130b2e0a..72b39a3c318 100644
--- a/auth/src/main/java/org/apache/rocketmq/auth/authorization/chain/AclAuthorizationHandler.java
+++ b/auth/src/main/java/org/apache/rocketmq/auth/authorization/chain/AclAuthorizationHandler.java
@@ -133,20 +133,17 @@ private int comparePolicyEntries(PolicyEntry o1, PolicyEntry o2) {
 if (r1.getResourcePattern() == ResourcePattern.PREFIXED) {
 String n1 = r1.getResourceName();
 String n2 = r2.getResourceName();
- compare = Integer.compare(n1.length(), n2.length());
+ compare = -1 * Integer.compare(n1.length(), n2.length());
 }
 } else {
- if (r1.getResourcePattern() == ResourcePattern.LITERAL) {
- compare = 1;
- }
 if (r1.getResourcePattern() == ResourcePattern.LITERAL) {
 compare = -1;
- }
- if (r1.getResourcePattern() == ResourcePattern.PREFIXED) {
+ } else if (r2.getResourcePattern() == ResourcePattern.LITERAL) {
 compare = 1;
- }
- if (r1.getResourcePattern() == ResourcePattern.PREFIXED) {
+ } else if (r1.getResourcePattern() == ResourcePattern.PREFIXED) {
 compare = -1;
+ } else if (r2.getResourcePattern() == ResourcePattern.PREFIXED) {
+ compare = 1;
 }
 }
diff --git a/auth/src/test/java/org/apache/rocketmq/auth/authorization/AuthorizationEvaluatorTest.java b/auth/src/test/java/org/apache/rocketmq/auth/authorization/AuthorizationEvaluatorTest.java
index d8b839d7fb9..c888d8c0056 100644
--- a/auth/src/test/java/org/apache/rocketmq/auth/authorization/AuthorizationEvaluatorTest.java
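Review bot: The PREFIXED branch and the new `else if` chain in `comparePolicyEntries` decide which ACL entry takes precedence, yet nothing in the hunk states the intended order; the removed lines, which tested `r1` four times and never `r2`, show how easily this drifts. A short comment above the chain would pin it down, for example `// Most specific first: LITERAL, then PREFIXED (longer prefix first), then any other pattern.` The reversed length comparison also reads more directly as `compare = Integer.compare(n2.length(), n1.length());` than as a multiplication by -1. `getResourceName()` is dereferenced without a null check, which looks safe only if a PREFIXED resource always carries a name; the hunk does not show that. The method starts and ends outside the hunk, so how `compare` is used afterwards is not visible here.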
+++ b/auth/src/test/java/org/apache/rocketmq/auth/authorization/AuthorizationEvaluatorTest.java @@ -311,7 +311,6 @@ public void evaluate8() { Acl acl = AuthTestHelper.buildAcl("User:test", "Topic:test*", "Pub", "192.168.0.0/24", Decision.DENY); this.authorizationMetadataManager.createAcl(acl).join(); - Assert.assertThrows(AuthorizationException.class, () -> { Subject subject = Subject.of("User:test"); Resource resource = Resource.ofTopic("test"); 
@@ -345,6 +344,46 @@ public void evaluate8() {
 }
 }
+ @Test
+ public void evaluate9() {
+ if (MixAll.isMac()) {
+ return;
+ }
+ User user = User.of("test", "test");
+ this.authenticationMetadataManager.createUser(user).join();
+
+ Acl acl0 = AuthTestHelper.buildAcl("User:test", "*", "Pub", "192.168.0.0/24", Decision.ALLOW);
+ this.authorizationMetadataManager.createAcl(acl0).join();
+ Acl acl1 = AuthTestHelper.buildAcl("User:test", "Topic:*", "Pub", "192.168.0.0/24", Decision.ALLOW);
+ this.authorizationMetadataManager.createAcl(acl1).join();
+ Acl acl2 = AuthTestHelper.buildAcl("User:test", "Topic:test*", "Pub", "192.168.0.0/24", Decision.ALLOW);
+ this.authorizationMetadataManager.createAcl(acl2).join();
+ Acl acl3 = AuthTestHelper.buildAcl("User:test", "Topic:test_*", "Pub", "192.168.0.0/24", Decision.DENY);
+ this.authorizationMetadataManager.createAcl(acl3).join();
+ Acl acl4 = AuthTestHelper.buildAcl("User:test", "Topic:test_001", "Pub", "192.168.0.0/24", Decision.DENY);
+ this.authorizationMetadataManager.createAcl(acl4).join();
+
+ Assert.assertThrows(AuthorizationException.class, () -> {
+ Subject subject = Subject.of("User:test");
+ Resource resource = Resource.ofTopic("test_001");
+ Action action = Action.PUB;
+ String sourceIp = "192.168.0.1";
+ DefaultAuthorizationContext context = DefaultAuthorizationContext.of(subject, resource, action, sourceIp);
+ context.setRpcCode("10");
+ this.evaluator.evaluate(Collections.singletonList(context));
+ });
+
+ Assert.assertThrows(AuthorizationException.class, () -> {
+ Subject subject = Subject.of("User:test");
+ Resource resource = Resource.ofTopic("test_002");
+ Action action = Action.PUB;
+ String sourceIp = "192.168.0.1";
+ DefaultAuthorizationContext context = DefaultAuthorizationContext.of(subject, resource, action, sourceIp);
+ context.setRpcCode("10");
+ this.evaluator.evaluate(Collections.singletonList(context));
+ });
+ }
+
 private void clearAllUsers() {
 List users =
this.authenticationMetadataManager.listUser(null).join();
 if (CollectionUtils.isEmpty(users)) {
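Review bot: Both assertions in `evaluate9` expect `AuthorizationException`, so the test would still pass if the sorted policy list denied every request; nothing shows that the three ALLOW entries can still win. An allowed case would pin the ordering from both sides: build a context for `Resource.ofTopic("test1")`, which matches `Topic:test*` but not `Topic:test_*`, and call `this.evaluator.evaluate(Collections.singletonList(context));` outside `assertThrows`, presumably expecting no exception. The early `return` under `MixAll.isMac()` also reports the test as passed on macOS rather than skipped; `Assume.assumeFalse(MixAll.isMac());` would make the skip visible, unless the rest of the class deliberately uses the same pattern.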