Use netgroup_find instead of netgroup_show to workaround IPA bug.

Patch fixes https://bugzilla.redhat.com/show_bug.cgi?id=2144724 which
depends on https://pagure.io/freeipa/issue/9284.
Add comment why replacing `netgroup_show` with `netgroup_find`.

Signed-off-by: Denis Karpelevich <dkarpele@redhat.com>

plugins/modules/ipanetgroup.py

@@ -157,18 +157,29 @@ RETURN = """
 
 from ansible.module_utils.ansible_freeipa_module import \
     IPAAnsibleModule, compare_args_ipa, gen_add_del_lists, \
-    gen_add_list, gen_intersection_list, ipalib_errors, ensure_fqdn
+    gen_add_list, gen_intersection_list, ensure_fqdn
 
 
 def find_netgroup(module, name):
     """Find if a netgroup with the given name already exist."""
-    try:
+    _args = {
-        _result = module.ipa_command("netgroup_show", name, {"all": True})
+        "all": True,
-    except ipalib_errors.NotFound:
+        "cn": name,
-        # An exception is raised if netgroup name is not found.
+    }
-        return None
+
-    else:
+    # `netgroup_find` is used here instead of `netgroup_show` to workaround
-        return _result["result"]
+    # FreeIPA bug https://pagure.io/freeipa/issue/9284.
+    # `ipa netgroup-show hostgroup` shows hostgroup - it's a bug.
+    # `ipa netgroup-find hostgroup` doesn't show hostgroup - it's correct.
+    _result = module.ipa_command("netgroup_find", name, _args)
+
+    if len(_result["result"]) > 1:
+        module.fail_json(
+            msg="There is more than one netgroup '%s'" % name)
+    elif len(_result["result"]) == 1:
+        return _result["result"][0]
+
+    return None
 
 
 def gen_args(description, nisdomain, nomembers):

tests/netgroup/test_netgroup.yml

@@ -17,6 +17,14 @@
           - my_netgroup3
         state: absent
 
+    - name: Ensure hostgroup is absent
+      ipahostgroup:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        name:
+          - my_hostgroup1
+        state: absent
+
     # CREATE TEST ITEMS
     - name: Get Domain from server name
       ansible.builtin.set_fact:
@@ -35,6 +43,12 @@
         ipaapi_context: "{{ ipa_context | default(omit) }}"
         name: my_netgroup3
 
+    - name: Ensure hostgroup my_hostgroup1 is present
+      ipahostgroup:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        name: my_hostgroup1
+
     # TESTS
 
     - name: Ensure netgroup my_netgroup1 is present
@@ -115,7 +129,7 @@
       register: result
       failed_when: result.changed or result.failed
 
-    # netgroup and hostgroup with the same name are deprecated
+    # netgroup and hostgroup with the same name are deprecated (check hostgroup)
     - name: Ensure hostgroup my_netgroup2 isn't present
       ipahostgroup:
         ipaadmin_password: SomeADMINpassword
@@ -125,6 +139,16 @@
       failed_when: result.changed or not result.failed or
         "Hostgroups and netgroups share a common namespace" not in result.msg
 
+    # netgroup and hostgroup with the same name are deprecated (check netgroup)
+    - name: Ensure netgroup my_hostgroup1 isn't present
+      ipanetgroup:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        name: my_hostgroup1
+      register: result
+      failed_when: result.changed or not result.failed or
+        "Hostgroups and netgroups share a common namespace" not in result.msg
+
     - name: Ensure netgroups my_netgroup2, my_netgroup3 are absent
       ipanetgroup:
         ipaadmin_password: SomeADMINpassword
@@ -147,3 +171,11 @@
           - my_netgroup2
           - my_netgroup3
         state: absent
+
+    - name: Ensure hostgroups are absent
+      ipahostgroup:
+        ipaadmin_password: SomeADMINpassword
+        ipaapi_context: "{{ ipa_context | default(omit) }}"
+        name:
+          - my_hostgroup1
+        state: absent