From b5e8971032377b98d132cc2be4a5bc260566984a Mon Sep 17 00:00:00 2001
From: Christof Musik
Date: Thu, 5 Dec 2024 12:35:59 +0100
Subject: [PATCH] Query gid to prevent errors with missing users with the same id (fixes #1229)

---
 lib/puppet/provider/firewall/firewall.rb | 13 ++++++++++---
 .../firewall_attributes_happy_path_spec.rb | 9 +++++++++
 2 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/lib/puppet/provider/firewall/firewall.rb b/lib/puppet/provider/firewall/firewall.rb
index b064c9f8a..cc5278f99 100644
--- a/lib/puppet/provider/firewall/firewall.rb
+++ b/lib/puppet/provider/firewall/firewall.rb
@@ -376,9 +376,16 @@ def insync?(context, _name, property_name, is_hash, should_hash)
 end
 
 # If 'is' or 'should' contain anything other than digits or digit range,
- # we assume that we have to do a lookup to convert to UID
- is = Etc.getpwnam(is).uid unless is[%r{[0-9]+(-[0-9]+)?}] == is
- should = Etc.getpwnam(should).uid unless should[%r{[0-9]+(-[0-9]+)?}] == should
+ # we assume that we have to do a lookup to convert to UID or GID
+ if property_name == :uid
+ is = Etc.getpwnam(is).uid unless is[%r{[0-9]+(-[0-9]+)?}] == is
+ should = Etc.getpwnam(should).uid unless should[%r{[0-9]+(-[0-9]+)?}] == should
+ end
+
+ if property_name == :gid
+ is = Etc.getgrnam(is).gid unless is[%r{[0-9]+(-[0-9]+)?}] == is
+ should = Etc.getgrnam(should).gid unless should[%r{[0-9]+(-[0-9]+)?}] == should
+ end
 
 "#{is_negate}#{is}" == "#{should_negate}#{should}"
 when :mac_source, :jump
diff --git a/spec/acceptance/firewall_attributes_happy_path_spec.rb b/spec/acceptance/firewall_attributes_happy_path_spec.rb
index da3ce1f55..9b351aef5 100644
--- a/spec/acceptance/firewall_attributes_happy_path_spec.rb
+++ b/spec/acceptance/firewall_attributes_happy_path_spec.rb
@@ -12,6 +12,9 @@
 describe 'attributes test' do
 before(:all) do
 pp = <<-PUPPETCODE
+ group { 'testgroup':
+ gid => '1234',
+ }
 class { '::firewall': }
 firewall { '004 - log_level and log_prefix':
 chain => 'INPUT',
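Review bot: `Etc.getgrnam` and `Etc.getpwnam` raise `ArgumentError` when a name does not resolve, and nothing in the visible lines of the two new `if property_name == ...` blocks in lib/puppet/provider/firewall/firewall.rb rescues it, so a misspelled or not-yet-created group in `should` aborts `insync?` instead of yielding a sync decision for the owner-match rule. Failing loudly is probably the right outcome for a firewall rule, but the error should name the property and value, for example by wrapping the lookups in `rescue ArgumentError => e` and re-raising with `"#{property_name} '#{should}': #{e.message}"`. The two blocks also differ only in the Etc call and could share a single lookup chosen by `property_name`. The enclosing `when` branch and the rest of `insync?` lie outside the hunk, so handling elsewhere cannot be ruled out.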
@@ -293,6 +296,12 @@ class { '::firewall': }
 gid => 'root',
 proto => 'all',
 }
+ firewall { '801 - gid testgroup':
+ chain => 'OUTPUT',
+ jump => accept,
+ gid => 'testgroup',
+ proto => 'all',
+ }
 firewall { '802 - gid root negated':
 chain => 'OUTPUT',
 jump => accept,
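Review bot: No expectation is added for the new rule '801 - gid testgroup' in spec/acceptance/firewall_attributes_happy_path_spec.rb; all nine added lines in the two spec hunks are Puppet manifest code. If the apply in `before(:all)` is checked for failures, the old `getpwnam` error would still surface, but that check is outside the visible lines. An example asserting that the saved ruleset contains the 801 rule with `--gid-owner 1234` would pin that the name resolved to the group's gid rather than to a user's uid.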