Skip tests which can't run, or even pass on FIPS enabled platforms

Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>
s0undt3ch · Oct 21, 2023 · 147c69e · 147c69e
1 parent a121c4c
commit 147c69e
Show file tree

Hide file tree

Showing 32 changed files with 104 additions and 25 deletions.
diff --git a/.pylintrc b/.pylintrc
@@ -698,7 +698,8 @@ allowed-3rd-party-modules=msgpack,
                           ptscripts,
                           packaging,
                           looseversion,
-                          pytestskipmarkers
+                          pytestskipmarkers,
+                          cryptography
 
 [EXCEPTIONS]
 

diff --git a/salt/pillar/sql_base.py b/salt/pillar/sql_base.py
@@ -198,22 +198,20 @@
             with_lists: [1,3]
 """
 
-import abc  # Added in python2.6 so always available
+import abc
 import logging
 
 from salt.utils.dictupdate import update
 from salt.utils.odict import OrderedDict
 
+log = logging.getLogger(__name__)
+
 # Please don't strip redundant parentheses from this file.
 # I have added some for clarity.
 
 # tests/unit/pillar/mysql_test.py may help understand this code.
 
 
-# Set up logging
-log = logging.getLogger(__name__)
-
-
 # This ext_pillar is abstract and cannot be used directory
 def __virtual__():
     return False

diff --git a/tests/integration/cloud/clouds/test_digitalocean.py b/tests/integration/cloud/clouds/test_digitalocean.py
@@ -1,10 +1,11 @@
 """
 Integration tests for DigitalOcean APIv2
 """
-
 import base64
 import hashlib
 
+import pytest
+
 import salt.crypt
 import salt.utils.stringutils
 from tests.integration.cloud.helpers.cloud_test_base import TIMEOUT, CloudTest
@@ -43,6 +44,7 @@ def test_list_sizes(self):
         _list_sizes = self.run_cloud("--list-sizes {}".format(self.PROVIDER))
         self.assertIn("16gb", [i.strip() for i in _list_sizes])
 
+    @pytest.mark.skip_on_fips_enabled_platform
     def test_key_management(self):
         """
         Test key management

diff --git a/tests/integration/externalapi/test_venafiapi.py b/tests/integration/externalapi/test_venafiapi.py
@@ -43,13 +43,10 @@ class VenafiTest(ShellCase):
 
     @with_random_name
     @pytest.mark.slow_test
+    @pytest.mark.skip_on_fips_enabled_platform
     def test_request(self, name):
         cn = "{}.example.com".format(name)
 
-        # Provide python27 compatibility
-        if not isinstance(cn, str):
-            cn = cn.decode()
-
         ret = self.run_run_plus(
             fun="venafi.request",
             minion_id=cn,
@@ -126,10 +123,6 @@ def test_sign(self, name):
             csr_path = f.name
             cn = "test-csr-32313131.venafi.example.com"
 
-            # Provide python27 compatibility
-            if not isinstance(cn, str):
-                cn = cn.decode()
-
             ret = self.run_run_plus(
                 fun="venafi.request", minion_id=cn, csr_path=csr_path, zone="fake"
             )

diff --git a/tests/integration/states/test_archive.py b/tests/integration/states/test_archive.py
@@ -106,6 +106,7 @@ def test_archive_extracted_skip_verify(self):
 
         self._check_extracted(self.untar_file)
 
+    @pytest.mark.skip_on_fips_enabled_platform
     def test_archive_extracted_with_source_hash(self):
         """
         test archive.extracted without skip_verify
@@ -127,6 +128,7 @@ def test_archive_extracted_with_source_hash(self):
         self._check_extracted(self.untar_file)
 
     @pytest.mark.skip_if_not_root
+    @pytest.mark.skip_on_fips_enabled_platform
     def test_archive_extracted_with_root_user_and_group(self):
         """
         test archive.extracted with user and group set to "root"
@@ -151,6 +153,7 @@ def test_archive_extracted_with_root_user_and_group(self):
         self._check_extracted(self.untar_file)
 
     @pytest.mark.slow_test
+    @pytest.mark.skip_on_fips_enabled_platform
     def test_archive_extracted_with_strip_in_options(self):
         """
         test archive.extracted with --strip in options
@@ -170,6 +173,7 @@ def test_archive_extracted_with_strip_in_options(self):
 
         self._check_extracted(os.path.join(ARCHIVE_DIR, "README"))
 
+    @pytest.mark.skip_on_fips_enabled_platform
     def test_archive_extracted_with_strip_components_in_options(self):
         """
         test archive.extracted with --strip-components in options
@@ -190,6 +194,7 @@ def test_archive_extracted_with_strip_components_in_options(self):
         self._check_extracted(os.path.join(ARCHIVE_DIR, "README"))
 
     @pytest.mark.slow_test
+    @pytest.mark.skip_on_fips_enabled_platform
     def test_archive_extracted_without_archive_format(self):
         """
         test archive.extracted with no archive_format option
@@ -206,6 +211,7 @@ def test_archive_extracted_without_archive_format(self):
 
         self._check_extracted(self.untar_file)
 
+    @pytest.mark.skip_on_fips_enabled_platform
     def test_archive_extracted_with_cmd_unzip_false(self):
         """
         test archive.extracted using use_cmd_unzip argument as false
@@ -240,6 +246,7 @@ def test_local_archive_extracted(self):
 
         self._check_extracted(self.untar_file)
 
+    @pytest.mark.skip_on_fips_enabled_platform
     def test_local_archive_extracted_skip_verify(self):
         """
         test archive.extracted with local file, bad hash and skip_verify
@@ -258,6 +265,7 @@ def test_local_archive_extracted_skip_verify(self):
         self._check_extracted(self.untar_file)
 
     @pytest.mark.slow_test
+    @pytest.mark.skip_on_fips_enabled_platform
     def test_local_archive_extracted_with_source_hash(self):
         """
         test archive.extracted with local file and valid hash
@@ -275,6 +283,7 @@ def test_local_archive_extracted_with_source_hash(self):
         self._check_extracted(self.untar_file)
 
     @pytest.mark.slow_test
+    @pytest.mark.skip_on_fips_enabled_platform
     def test_local_archive_extracted_with_bad_source_hash(self):
         """
         test archive.extracted with local file and bad hash
@@ -289,6 +298,7 @@ def test_local_archive_extracted_with_bad_source_hash(self):
 
         self.assertSaltFalseReturn(ret)
 
+    @pytest.mark.skip_on_fips_enabled_platform
     def test_local_archive_extracted_with_uppercase_source_hash(self):
         """
         test archive.extracted with local file and bad hash

diff --git a/tests/pytests/functional/modules/test_mysql.py b/tests/pytests/functional/modules/test_mysql.py
@@ -19,6 +19,7 @@
     pytest.mark.skipif(
         mysqlmod.MySQLdb is None, reason="No python mysql client installed."
     ),
+    pytest.mark.skip_on_fips_enabled_platform,
 ]
 
 

diff --git a/tests/pytests/integration/states/test_x509_v2.py b/tests/pytests/integration/states/test_x509_v2.py
@@ -666,6 +666,7 @@ def test_privkey_new_with_prereq(x509_salt_call_cli, tmp_path):
     assert not _belongs_to(cert_new, pk_cur)
 
 
+@pytest.mark.skip_on_fips_enabled_platform
 @pytest.mark.usefixtures("privkey_new_pkcs12")
 @pytest.mark.skipif(
     CRYPTOGRAPHY_VERSION[0] < 36,

diff --git a/tests/pytests/unit/modules/test_hashutil.py b/tests/pytests/unit/modules/test_hashutil.py
@@ -61,6 +61,7 @@ def test_base64_decodestring(the_string, the_string_base64):
     assert hashutil.base64_decodestring(the_string_base64) == the_string
 
 
+@pytest.mark.skip_on_fips_enabled_platform
 def test_md5_digest(the_string, the_string_md5):
     assert hashutil.md5_digest(the_string) == the_string_md5
 

diff --git a/tests/pytests/unit/modules/test_postgres.py b/tests/pytests/unit/modules/test_postgres.py
@@ -1,4 +1,5 @@
 import pytest
+from pytestskipmarkers.utils import platform
 
 import salt.modules.config as configmod
 import salt.modules.postgres as postgres
@@ -70,6 +71,8 @@ def idfn(val):
     ids=idfn,
 )
 def test_verify_password(role, password, verifier, method, result):
+    if platform.is_fips_enabled() and (method == "md5" or verifier == md5_pw):
+        pytest.skip("Test cannot run on a FIPS enabled platform")
     assert postgres._verify_password(role, password, verifier, method) == result
 
 

diff --git a/tests/pytests/unit/states/postgresql/test_group.py b/tests/pytests/unit/states/postgresql/test_group.py
@@ -1,4 +1,5 @@
 import pytest
+from pytestskipmarkers.utils import platform
 
 import salt.modules.postgres as postgres
 import salt.states.postgres_group as postgres_group
@@ -19,6 +20,8 @@ def fixture_db_args():
 
 @pytest.fixture(name="md5_pw")
 def fixture_md5_pw():
+    if platform.is_fips_enabled():
+        pytest.skip("Test cannot run on a FIPS enabled platform")
     # 'md5' + md5('password' + 'groupname')
     return "md58b14c378fab8ef0dc227f4e6d6787a87"
 
@@ -79,6 +82,7 @@ def configure_loader_modules(mocks):
 # ==========
 
 
+@pytest.mark.skip_on_fips_enabled_platform
 def test_present_create_basic(mocks, db_args):
     assert postgres_group.present("groupname") == {
         "name": "groupname",
@@ -343,6 +347,7 @@ def test_present_update_md5_password(mocks, existing_group, md5_pw, db_args):
     )
 
 
+@pytest.mark.skip_on_fips_enabled_platform
 def test_present_update_error(mocks, existing_group):
     existing_group["password"] = "md500000000000000000000000000000000"
     mocks["postgres.role_get"].return_value = existing_group

diff --git a/tests/pytests/unit/states/postgresql/test_user.py b/tests/pytests/unit/states/postgresql/test_user.py
@@ -1,4 +1,5 @@
 import pytest
+from pytestskipmarkers.utils import platform
 
 import salt.modules.postgres as postgres
 import salt.states.postgres_user as postgres_user
@@ -25,6 +26,8 @@ def fixture_db_args():
 @pytest.fixture(name="md5_pw")
 def fixture_md5_pw():
     # 'md5' + md5('password' + 'username')
+    if platform.is_fips_enabled():
+        pytest.skip("Test cannot run on a FIPS enabled platform")
     return "md55a231fcdb710d73268c4f44283487ba2"
 
 

diff --git a/tests/pytests/unit/states/test_boto_cloudwatch_event.py b/tests/pytests/unit/states/test_boto_cloudwatch_event.py
@@ -17,6 +17,7 @@
 
 pytestmark = [
     pytest.mark.slow_test,
+    pytest.mark.skip_on_fips_enabled_platform,
 ]
 
 

diff --git a/tests/pytests/unit/states/test_boto_iot.py b/tests/pytests/unit/states/test_boto_iot.py
@@ -18,6 +18,7 @@
 
 pytestmark = [
     pytest.mark.slow_test,
+    pytest.mark.skip_on_fips_enabled_platform,
 ]
 
 

diff --git a/tests/pytests/unit/utils/jinja/test_custom_extensions.py b/tests/pytests/unit/utils/jinja/test_custom_extensions.py
@@ -46,7 +46,6 @@ def minion_opts(tmp_path, minion_opts):
             "file_roots": {"test": [str(tmp_path / "templates")]},
             "pillar_roots": {"test": [str(tmp_path / "templates")]},
             "fileserver_backend": ["roots"],
-            "hash_type": "md5",
             "extension_modules": os.path.join(
                 os.path.dirname(os.path.abspath(__file__)), "extmods"
             ),
@@ -1041,6 +1040,7 @@ def test_method_call(minion_opts, local_salt):
     assert rendered == "None"
 
 
+@pytest.mark.skip_on_fips_enabled_platform
 def test_md5(minion_opts, local_salt):
     """
     Test the `md5` Jinja filter.

diff --git a/tests/pytests/unit/utils/jinja/test_get_template.py b/tests/pytests/unit/utils/jinja/test_get_template.py
@@ -61,7 +61,6 @@ def minion_opts(tmp_path, minion_opts):
             "file_roots": {"test": [str(tmp_path / "files" / "test")]},
             "pillar_roots": {"test": [str(tmp_path / "files" / "test")]},
             "fileserver_backend": ["roots"],
-            "hash_type": "md5",
             "extension_modules": os.path.join(
                 os.path.dirname(os.path.abspath(__file__)), "extmods"
             ),

diff --git a/tests/unit/modules/test_boto3_elasticsearch.py b/tests/unit/modules/test_boto3_elasticsearch.py
@@ -28,6 +28,10 @@
 # https://github.com/boto/boto/commit/33ac26b416fbb48a60602542b4ce15dcc7029f12
 REQUIRED_BOTO3_VERSION = "1.2.1"
 
+pytestmark = [
+    pytest.mark.skip_on_fips_enabled_platform,
+]
+
 
 def __virtual__():
     """

diff --git a/tests/unit/modules/test_boto3_route53.py b/tests/unit/modules/test_boto3_route53.py
@@ -25,6 +25,10 @@
 # https://github.com/boto/boto/commit/33ac26b416fbb48a60602542b4ce15dcc7029f12
 REQUIRED_BOTO3_VERSION = "1.2.1"
 
+pytestmark = [
+    pytest.mark.skip_on_fips_enabled_platform,
+]
+
 
 def __virtual__():
     """

diff --git a/tests/unit/modules/test_boto_apigateway.py b/tests/unit/modules/test_boto_apigateway.py
@@ -23,6 +23,10 @@
 except ImportError:
     HAS_BOTO = False
 
+pytestmark = [
+    pytest.mark.skip_on_fips_enabled_platform,
+]
+
 
 # pylint: enable=import-error,no-name-in-module
 

diff --git a/tests/unit/modules/test_boto_cloudtrail.py b/tests/unit/modules/test_boto_cloudtrail.py
@@ -22,6 +22,10 @@
 except ImportError:
     HAS_BOTO = False
 
+pytestmark = [
+    pytest.mark.skip_on_fips_enabled_platform,
+]
+
 # pylint: enable=import-error,no-name-in-module,unused-import
 
 # the boto_cloudtrail module relies on the connect_to_region() method

diff --git a/tests/unit/modules/test_boto_cloudwatch_event.py b/tests/unit/modules/test_boto_cloudwatch_event.py
@@ -22,6 +22,10 @@
 except ImportError:
     HAS_BOTO = False
 
+pytestmark = [
+    pytest.mark.skip_on_fips_enabled_platform,
+]
+
 # pylint: enable=import-error,no-name-in-module,unused-import
 log = logging.getLogger(__name__)
 

diff --git a/tests/unit/modules/test_boto_cognitoidentity.py b/tests/unit/modules/test_boto_cognitoidentity.py
@@ -21,6 +21,10 @@
 except ImportError:
     HAS_BOTO = False
 
+pytestmark = [
+    pytest.mark.skip_on_fips_enabled_platform,
+]
+
 
 # pylint: enable=import-error,no-name-in-module
 

diff --git a/tests/unit/modules/test_boto_elasticsearch_domain.py b/tests/unit/modules/test_boto_elasticsearch_domain.py
@@ -21,6 +21,10 @@
 except ImportError:
     HAS_BOTO = False
 
+pytestmark = [
+    pytest.mark.skip_on_fips_enabled_platform,
+]
+
 
 # pylint: enable=import-error,no-name-in-module
 

diff --git a/tests/unit/modules/test_boto_iot.py b/tests/unit/modules/test_boto_iot.py
@@ -23,6 +23,10 @@
 except ImportError:
     HAS_BOTO = False
 
+pytestmark = [
+    pytest.mark.skip_on_fips_enabled_platform,
+]
+
 # pylint: enable=import-error,no-name-in-module,unused-import
 
 # the boto_iot module relies on the connect_to_region() method

diff --git a/tests/unit/modules/test_boto_lambda.py b/tests/unit/modules/test_boto_lambda.py
@@ -26,6 +26,10 @@
 except ImportError:
     HAS_BOTO = False
 
+pytestmark = [
+    pytest.mark.skip_on_fips_enabled_platform,
+]
+
 # pylint: enable=import-error,no-name-in-module
 
 # the boto_lambda module relies on the connect_to_region() method

diff --git a/tests/unit/modules/test_boto_s3_bucket.py b/tests/unit/modules/test_boto_s3_bucket.py
@@ -22,6 +22,10 @@
 except ImportError:
     HAS_BOTO = False
 
+pytestmark = [
+    pytest.mark.skip_on_fips_enabled_platform,
+]
+
 # pylint: enable=import-error,no-name-in-module,unused-import
 
 # the boto_s3_bucket module relies on the connect_to_region() method
-Original file line number
+Diff line change
@@ Expand Up / @@ -19,6 +19,7 @@ @@
         pytest.mark.skipif(
             mysqlmod.MySQLdb is None, reason="No python mysql client installed."
         ),
+        pytest.mark.skip_on_fips_enabled_platform,
     ]
@@ Expand Down @@