This is an automated email from the ASF dual-hosted git repository.

lizhimin pushed a commit to branch develop
in repository https://gitbox.apache.org/repos/asf/rocketmq.git


The following commit(s) were added to refs/heads/develop by this push:
     new e4b731cf43 [ISSUE #9539] Fix compare policy entry logic in ACL 2.0 
(#9540)
e4b731cf43 is described below

commit e4b731cf4391554dbf9a0648dd3733b5ad1e48db
Author: ccwss <[email protected]>
AuthorDate: Mon Jul 14 15:44:00 2025 +0800

    [ISSUE #9539] Fix compare policy entry logic in ACL 2.0 (#9540)
---
 .../chain/AclAuthorizationHandler.java             | 13 +++----
 .../authorization/AuthorizationEvaluatorTest.java  | 41 +++++++++++++++++++++-
 2 files changed, 45 insertions(+), 9 deletions(-)

diff --git 
a/auth/src/main/java/org/apache/rocketmq/auth/authorization/chain/AclAuthorizationHandler.java
 
b/auth/src/main/java/org/apache/rocketmq/auth/authorization/chain/AclAuthorizationHandler.java
index 06a130b2e0..72b39a3c31 100644
--- 
a/auth/src/main/java/org/apache/rocketmq/auth/authorization/chain/AclAuthorizationHandler.java
+++ 
b/auth/src/main/java/org/apache/rocketmq/auth/authorization/chain/AclAuthorizationHandler.java
@@ -133,20 +133,17 @@ public class AclAuthorizationHandler implements 
Handler<DefaultAuthorizationCont
             if (r1.getResourcePattern() == ResourcePattern.PREFIXED) {
                 String n1 = r1.getResourceName();
                 String n2 = r2.getResourceName();
-                compare = Integer.compare(n1.length(), n2.length());
+                compare = -1 * Integer.compare(n1.length(), n2.length());
             }
         } else {
-            if (r1.getResourcePattern() == ResourcePattern.LITERAL) {
-                compare = 1;
-            }
             if (r1.getResourcePattern() == ResourcePattern.LITERAL) {
                 compare = -1;
-            }
-            if (r1.getResourcePattern() == ResourcePattern.PREFIXED) {
+            } else if (r2.getResourcePattern() == ResourcePattern.LITERAL) {
                 compare = 1;
-            }
-            if (r1.getResourcePattern() == ResourcePattern.PREFIXED) {
+            } else if (r1.getResourcePattern() == ResourcePattern.PREFIXED) {
                 compare = -1;
+            } else if (r2.getResourcePattern() == ResourcePattern.PREFIXED) {
+                compare = 1;
             }
         }
 
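Review bot: Entries of equal specificity still compare as 0 in the rewritten chain (two LITERAL entries, or two PREFIXED entries, whose names have the same length), so when such entries carry different decisions the winner is decided by the underlying list order rather than by policy. Unless the caller already applies a deny-overrides rule, break ties by decision at the end of this comparator so that a DENY entry sorts before an ALLOW of equal specificity; the method's start and its return statement are outside the hunk, so I cannot confirm what happens there. The negation in `compare = -1 * Integer.compare(n1.length(), n2.length());` reads more directly as `compare = Integer.compare(n2.length(), n1.length());`. The intended order is not documented anywhere in the hunk; a comment above the branch such as `// most specific first: LITERAL, then PREFIXED (longest prefix first), then any other pattern` would record it for the next maintainer.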
diff --git 
a/auth/src/test/java/org/apache/rocketmq/auth/authorization/AuthorizationEvaluatorTest.java
 
b/auth/src/test/java/org/apache/rocketmq/auth/authorization/AuthorizationEvaluatorTest.java
index d8b839d7fb..c888d8c005 100644
--- 
a/auth/src/test/java/org/apache/rocketmq/auth/authorization/AuthorizationEvaluatorTest.java
+++ 
b/auth/src/test/java/org/apache/rocketmq/auth/authorization/AuthorizationEvaluatorTest.java
@@ -311,7 +311,6 @@ public class AuthorizationEvaluatorTest {
         Acl acl = AuthTestHelper.buildAcl("User:test", "Topic:test*", "Pub", 
"192.168.0.0/24", Decision.DENY);
         this.authorizationMetadataManager.createAcl(acl).join();
 
-
         Assert.assertThrows(AuthorizationException.class, () -> {
             Subject subject = Subject.of("User:test");
             Resource resource = Resource.ofTopic("test");
@@ -345,6 +344,46 @@ public class AuthorizationEvaluatorTest {
         }
     }
 
+    @Test
+    public void evaluate9() {
+        if (MixAll.isMac()) {
+            return;
+        }
+        User user = User.of("test", "test");
+        this.authenticationMetadataManager.createUser(user).join();
+
+        Acl acl0 = AuthTestHelper.buildAcl("User:test", "*", "Pub", 
"192.168.0.0/24", Decision.ALLOW);
+        this.authorizationMetadataManager.createAcl(acl0).join();
+        Acl acl1 = AuthTestHelper.buildAcl("User:test", "Topic:*", "Pub", 
"192.168.0.0/24", Decision.ALLOW);
+        this.authorizationMetadataManager.createAcl(acl1).join();
+        Acl acl2 = AuthTestHelper.buildAcl("User:test", "Topic:test*", "Pub", 
"192.168.0.0/24", Decision.ALLOW);
+        this.authorizationMetadataManager.createAcl(acl2).join();
+        Acl acl3 = AuthTestHelper.buildAcl("User:test", "Topic:test_*", "Pub", 
"192.168.0.0/24", Decision.DENY);
+        this.authorizationMetadataManager.createAcl(acl3).join();
+        Acl acl4 = AuthTestHelper.buildAcl("User:test", "Topic:test_001", 
"Pub", "192.168.0.0/24", Decision.DENY);
+        this.authorizationMetadataManager.createAcl(acl4).join();
+
+        Assert.assertThrows(AuthorizationException.class, () -> {
+            Subject subject = Subject.of("User:test");
+            Resource resource = Resource.ofTopic("test_001");
+            Action action = Action.PUB;
+            String sourceIp = "192.168.0.1";
+            DefaultAuthorizationContext context = 
DefaultAuthorizationContext.of(subject, resource, action, sourceIp);
+            context.setRpcCode("10");
+            this.evaluator.evaluate(Collections.singletonList(context));
+        });
+
+        Assert.assertThrows(AuthorizationException.class, () -> {
+            Subject subject = Subject.of("User:test");
+            Resource resource = Resource.ofTopic("test_002");
+            Action action = Action.PUB;
+            String sourceIp = "192.168.0.1";
+            DefaultAuthorizationContext context = 
DefaultAuthorizationContext.of(subject, resource, action, sourceIp);
+            context.setRpcCode("10");
+            this.evaluator.evaluate(Collections.singletonList(context));
+        });
+    }
+
     private void clearAllUsers() {
         List<User> users = 
this.authenticationMetadataManager.listUser(null).join();
         if (CollectionUtils.isEmpty(users)) {
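Review bot: evaluate9 only asserts the two DENY outcomes, so an evaluator that rejected every request would still pass; nothing checks that the ALLOW entries (`*`, `Topic:*`, `Topic:test*`) still win for a topic the DENY entries do not cover. Add a positive case after the two `assertThrows` blocks, evaluating `Resource.ofTopic("test")` for the same subject and source IP without expecting an exception, so the specificity ordering is verified in both directions. The `if (MixAll.isMac()) { return; }` guard silently skips the whole test on macOS, presumably mirroring the sibling tests; a one-line comment giving the reason would help whoever sees it pass vacuously.
```java
        // … unchanged: user and acl0..acl4 setup, the two assertThrows blocks …

        // ALLOW from "Topic:test*" must still win where no DENY entry applies
        Subject subject = Subject.of("User:test");
        Resource resource = Resource.ofTopic("test");
        DefaultAuthorizationContext context =
            DefaultAuthorizationContext.of(subject, resource, Action.PUB, "192.168.0.1");
        context.setRpcCode("10");
        this.evaluator.evaluate(Collections.singletonList(context));
```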
