From: Eimhin Laverty Date: Tue, 11 Dec 2018 15:19:10 +0000 (+0000) Subject: (MODULES-6340) - Address failure when name begins with 9XXX X-Git-Tag: 1.15.0~6^2~2 X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=74c434cbdc161bbdcf4b38557f6a67a524fabafd;p=puppet-modules%2Fpuppetlabs-firewall.git (MODULES-6340) - Address failure when name begins with 9XXX --- diff --git a/README.markdown b/README.markdown index 678d1b4..be53353 100644 --- a/README.markdown +++ b/README.markdown @@ -187,6 +187,8 @@ There are two kinds of firewall rules you can use with firewall: default rules a All rules employ a numbering system in the resource's title that is used for ordering. When titling your rules, make sure you prefix the rule with a number, for example, '000 accept all icmp requests'. _000_ runs first, _999_ runs last. +**Note:** The ordering range 9000-9999 is reserved for unmanaged rules. Do not specify any firewall rules in this range. + ### Default rules You can place default rules in either `my_fw::pre` or `my_fw::post`, depending on when you would like them to run. Rules placed in the `pre` class will run first, and rules in the `post` class, last. diff --git a/lib/puppet/provider/firewall/iptables.rb b/lib/puppet/provider/firewall/iptables.rb index dcbe709..280ff32 100644 --- a/lib/puppet/provider/firewall/iptables.rb +++ b/lib/puppet/provider/firewall/iptables.rb @@ -876,6 +876,8 @@ Puppet::Type.type(:firewall).provide :iptables, parent: Puppet::Provider::Firewa # Insert our new or updated rule in the correct order of named rules, but # offset for unnamed rules. - rules.reject { |r| r.match(unmanaged_rule_regex) }.sort.index(my_rule) + 1 + unnamed_offset + sorted_rules = rules.reject { |r| r.match(unmanaged_rule_regex) }.sort + raise 'Invalid ordering value in resource name. The range 9000-9999 is reserved for unmanaged rules.' if sorted_rules.index(my_rule).nil? + sorted_rules.index(my_rule) + 1 + unnamed_offset end end 
diff --git a/spec/acceptance/firewall_spec.rb b/spec/acceptance/firewall_spec.rb index 9f02367..46eb7f4 100644 --- a/spec/acceptance/firewall_spec.rb +++ b/spec/acceptance/firewall_spec.rb @@ -28,6 +28,18 @@ describe 'firewall basics', docker: true do end end end + + context 'when invalid ordering range specified' do + pp = <<-PUPPETCODE + class { '::firewall': } + firewall { '9946 test': ensure => present } + PUPPETCODE + it 'fails' do + apply_manifest(pp, expect_failures: true) do |r| + expect(r.stderr).to match(%r{Invalid ordering value}) + end + end + end end describe 'ensure' do
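Review bot: In the README.markdown hunk, the added note tells users not to use 9000-9999 but does not say what happens if they do. The provider change in this commit makes such a title fail with 'Invalid ordering value in resource name', so the note should mention that the run fails with that error, so that someone who hits it can find the explanation. The preceding sentence still describes three-digit prefixes ('_000_ runs first, _999_ runs last'), and this note is the first place a four-digit range appears; say explicitly whether four-digit prefixes below 9000 are supported.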
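Review bot: In the lib/puppet/provider/firewall/iptables.rb hunk, the new raise infers the reserved-range case from sorted_rules.index(my_rule) being nil, so any other reason for my_rule to be absent from rules would be reported as an ordering problem. Test the cause directly, for example by raising when my_rule matches unmanaged_rule_regex, before the reject and sort. index(my_rule) is also evaluated twice; assign it to a local once and reuse it. The message would be easier to act on if it included the offending resource name, and raising Puppet::Error would fit the provider better than a bare string raise, which produces a RuntimeError.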
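Review bot: In the spec/acceptance/firewall_spec.rb hunk, the new context exercises only '9946 test', a value from the middle of the reserved range. The boundaries are where a regression would show up: add cases for titles starting with 9000 and 9999, plus a case just below the range to pin down whether it is accepted. The expectation matches only 'Invalid ordering value'; matching the 'reserved for unmanaged rules' part of the message as well would tie the test to this specific failure rather than to any future error that reuses the same prefix.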