Skip tests which can't run, or even pass on FIPS enabled platforms

Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>
2025-04-15 17:20:19 +00:00 · 2023-10-27 16:29:05 +01:00 · 2023-10-27 16:29:05 +01:00 · 066afb90f0
commit 066afb90f0
parent c5db6bf766
46 changed files with 168 additions and 60 deletions
--- a/.pylintrc
+++ b/.pylintrc
@ -698,7 +698,8 @@ allowed-3rd-party-modules=msgpack,
                          ptscripts,
                          packaging,
                          looseversion,
-                          pytestskipmarkers
+                          pytestskipmarkers,
+                          cryptography

 [EXCEPTIONS]

--- a/salt/pillar/sql_base.py
+++ b/salt/pillar/sql_base.py
@ -198,22 +198,20 @@ More complete example for MySQL (to also show configuration)
            with_lists: [1,3]
 """

-import abc  # Added in python2.6 so always available
+import abc
 import logging

 from salt.utils.dictupdate import update
 from salt.utils.odict import OrderedDict

+log = logging.getLogger(__name__)
+
 # Please don't strip redundant parentheses from this file.
 # I have added some for clarity.

 # tests/unit/pillar/mysql_test.py may help understand this code.


-# Set up logging
-log = logging.getLogger(__name__)
-
-
 # This ext_pillar is abstract and cannot be used directory
 def __virtual__():
    return False
--- a/tests/integration/cloud/clouds/test_digitalocean.py
+++ b/tests/integration/cloud/clouds/test_digitalocean.py
@ -1,10 +1,11 @@
 """
 Integration tests for DigitalOcean APIv2
 """
-
 import base64
 import hashlib

+import pytest
+
 import salt.crypt
 import salt.utils.stringutils
 from tests.integration.cloud.helpers.cloud_test_base import TIMEOUT, CloudTest
@ -43,6 +44,7 @@ class DigitalOceanTest(CloudTest):
        _list_sizes = self.run_cloud("--list-sizes {}".format(self.PROVIDER))
        self.assertIn("16gb", [i.strip() for i in _list_sizes])

+    @pytest.mark.skip_on_fips_enabled_platform
    def test_key_management(self):
        """
        Test key management
--- a/tests/integration/externalapi/test_venafiapi.py
+++ b/tests/integration/externalapi/test_venafiapi.py
@ -43,13 +43,10 @@ class VenafiTest(ShellCase):

    @with_random_name
    @pytest.mark.slow_test
+    @pytest.mark.skip_on_fips_enabled_platform
    def test_request(self, name):
        cn = "{}.example.com".format(name)

-        # Provide python27 compatibility
-        if not isinstance(cn, str):
-            cn = cn.decode()
-
        ret = self.run_run_plus(
            fun="venafi.request",
            minion_id=cn,
@ -126,10 +123,6 @@ xlAKgaU6i03jOm5+sww5L2YVMi1eeBN+kx7o94ogpRemC/EUidvl1PUJ6+e7an9V
            csr_path = f.name
            cn = "test-csr-32313131.venafi.example.com"

-            # Provide python27 compatibility
-            if not isinstance(cn, str):
-                cn = cn.decode()
-
            ret = self.run_run_plus(
                fun="venafi.request", minion_id=cn, csr_path=csr_path, zone="fake"
            )
--- a/tests/integration/states/test_archive.py
+++ b/tests/integration/states/test_archive.py
@ -106,6 +106,7 @@ class ArchiveTest(ModuleCase, SaltReturnAssertsMixin):

        self._check_extracted(self.untar_file)

+    @pytest.mark.skip_on_fips_enabled_platform
    def test_archive_extracted_with_source_hash(self):
        """
        test archive.extracted without skip_verify
@ -127,6 +128,7 @@ class ArchiveTest(ModuleCase, SaltReturnAssertsMixin):
        self._check_extracted(self.untar_file)

    @pytest.mark.skip_if_not_root
+    @pytest.mark.skip_on_fips_enabled_platform
    def test_archive_extracted_with_root_user_and_group(self):
        """
        test archive.extracted with user and group set to "root"
@ -151,6 +153,7 @@ class ArchiveTest(ModuleCase, SaltReturnAssertsMixin):
        self._check_extracted(self.untar_file)

    @pytest.mark.slow_test
+    @pytest.mark.skip_on_fips_enabled_platform
    def test_archive_extracted_with_strip_in_options(self):
        """
        test archive.extracted with --strip in options
@ -170,6 +173,7 @@ class ArchiveTest(ModuleCase, SaltReturnAssertsMixin):

        self._check_extracted(os.path.join(ARCHIVE_DIR, "README"))

+    @pytest.mark.skip_on_fips_enabled_platform
    def test_archive_extracted_with_strip_components_in_options(self):
        """
        test archive.extracted with --strip-components in options
@ -190,6 +194,7 @@ class ArchiveTest(ModuleCase, SaltReturnAssertsMixin):
        self._check_extracted(os.path.join(ARCHIVE_DIR, "README"))

    @pytest.mark.slow_test
+    @pytest.mark.skip_on_fips_enabled_platform
    def test_archive_extracted_without_archive_format(self):
        """
        test archive.extracted with no archive_format option
@ -206,6 +211,7 @@ class ArchiveTest(ModuleCase, SaltReturnAssertsMixin):

        self._check_extracted(self.untar_file)

+    @pytest.mark.skip_on_fips_enabled_platform
    def test_archive_extracted_with_cmd_unzip_false(self):
        """
        test archive.extracted using use_cmd_unzip argument as false
@ -240,6 +246,7 @@ class ArchiveTest(ModuleCase, SaltReturnAssertsMixin):

        self._check_extracted(self.untar_file)

+    @pytest.mark.skip_on_fips_enabled_platform
    def test_local_archive_extracted_skip_verify(self):
        """
        test archive.extracted with local file, bad hash and skip_verify
@ -258,6 +265,7 @@ class ArchiveTest(ModuleCase, SaltReturnAssertsMixin):
        self._check_extracted(self.untar_file)

    @pytest.mark.slow_test
+    @pytest.mark.skip_on_fips_enabled_platform
    def test_local_archive_extracted_with_source_hash(self):
        """
        test archive.extracted with local file and valid hash
@ -275,6 +283,7 @@ class ArchiveTest(ModuleCase, SaltReturnAssertsMixin):
        self._check_extracted(self.untar_file)

    @pytest.mark.slow_test
+    @pytest.mark.skip_on_fips_enabled_platform
    def test_local_archive_extracted_with_bad_source_hash(self):
        """
        test archive.extracted with local file and bad hash
@ -289,6 +298,7 @@ class ArchiveTest(ModuleCase, SaltReturnAssertsMixin):

        self.assertSaltFalseReturn(ret)

+    @pytest.mark.skip_on_fips_enabled_platform
    def test_local_archive_extracted_with_uppercase_source_hash(self):
        """
        test archive.extracted with local file and bad hash
--- a/tests/pytests/functional/cache/test_consul.py
+++ b/tests/pytests/functional/cache/test_consul.py
@ -14,6 +14,7 @@ docker = pytest.importorskip("docker")
 log = logging.getLogger(__name__)

 pytestmark = [
+    pytest.mark.skip_on_fips_enabled_platform,
    pytest.mark.slow_test,
    pytest.mark.skip_if_binaries_missing("dockerd"),
 ]
--- a/tests/pytests/functional/modules/state/test_jinja_filters.py
+++ b/tests/pytests/functional/modules/state/test_jinja_filters.py
@ -6,6 +6,7 @@ import os

 import attr
 import pytest
+from pytestskipmarkers.utils import platform

 import salt.utils.files
 import salt.utils.path
@ -932,7 +933,11 @@ def _filter_id(value):
    ids=_filter_id,
 )
 def filter(request):
-    return request.param
+    _filter = request.param
+    if platform.is_fips_enabled():
+        if _filter.name in ("md5", "random_hash"):
+            pytest.skip("Test cannot run on a FIPS enabled platform")
+    return _filter


 def test_filter(state, state_tree, filter, grains):
--- a/tests/pytests/functional/modules/test_mysql.py
+++ b/tests/pytests/functional/modules/test_mysql.py
@ -19,6 +19,7 @@ pytestmark = [
    pytest.mark.skipif(
        mysqlmod.MySQLdb is None, reason="No python mysql client installed."
    ),
+    pytest.mark.skip_on_fips_enabled_platform,
 ]


--- a/tests/pytests/functional/modules/test_x509_v2.py
+++ b/tests/pytests/functional/modules/test_x509_v2.py
@ -23,7 +23,8 @@ except ImportError:
 CRYPTOGRAPHY_VERSION = tuple(int(x) for x in cryptography.__version__.split("."))

 pytestmark = [
-    pytest.mark.skipif(HAS_LIBS is False, reason="Needs cryptography library")
+    pytest.mark.skip_on_fips_enabled_platform,
+    pytest.mark.skipif(HAS_LIBS is False, reason="Needs cryptography library"),
 ]


--- a/tests/pytests/functional/states/test_x509_v2.py
+++ b/tests/pytests/functional/states/test_x509_v2.py
@ -1,5 +1,5 @@
 import base64
-from pathlib import Path
+import pathlib

 import pytest

@ -26,6 +26,7 @@ CRYPTOGRAPHY_VERSION = tuple(int(x) for x in cryptography.__version__.split(".")
 pytestmark = [
    pytest.mark.slow_test,
    pytest.mark.skipif(HAS_LIBS is False, reason="Needs cryptography library"),
+    pytest.mark.skip_on_fips_enabled_platform,
 ]


@ -703,7 +704,7 @@ def existing_pk(x509, pk_args, request):
@pytest.fixture(params=["existing_cert"])
 def existing_symlink(request):
    existing = request.getfixturevalue(request.param)
-    test_file = Path(existing).with_name("symlink")
+    test_file = pathlib.Path(existing).with_name("symlink")
    test_file.symlink_to(existing)
    yield test_file
    # cleanup is done by tmp_path
@ -884,7 +885,7 @@ def test_certificate_managed_test_true(x509, cert_args, rsa_privkey, ca_key):
    ret = x509.certificate_managed(**cert_args)
    assert ret.result is None
    assert ret.changes
-    assert not Path(cert_args["name"]).exists()
+    assert not pathlib.Path(cert_args["name"]).exists()


@pytest.mark.usefixtures("existing_cert")
@ -1324,7 +1325,7 @@ def test_certificate_managed_file_managed_create_false(
    ret = x509.certificate_managed(**cert_args)
    assert ret.result is True
    assert not ret.changes
-    assert not Path(cert_args["name"]).exists()
+    assert not pathlib.Path(cert_args["name"]).exists()


@pytest.mark.usefixtures("existing_cert")
@ -1397,7 +1398,7 @@ def test_certificate_managed_follow_symlinks(
    """
    cert_args["name"] = str(existing_symlink)
    cert_args["encoding"] = encoding
-    assert Path(cert_args["name"]).is_symlink()
+    assert pathlib.Path(cert_args["name"]).is_symlink()
    cert_args["follow_symlinks"] = follow
    ret = x509.certificate_managed(**cert_args)
    assert bool(ret.changes) == (not follow)
@ -1417,13 +1418,13 @@ def test_certificate_managed_follow_symlinks_changes(
    the checking of the existing file is performed by the x509 module
    """
    cert_args["name"] = str(existing_symlink)
-    assert Path(cert_args["name"]).is_symlink()
+    assert pathlib.Path(cert_args["name"]).is_symlink()
    cert_args["follow_symlinks"] = follow
    cert_args["encoding"] = encoding
    cert_args["CN"] = "new"
    ret = x509.certificate_managed(**cert_args)
    assert ret.changes
-    assert Path(ret.name).is_symlink() == follow
+    assert pathlib.Path(ret.name).is_symlink() == follow


@pytest.mark.parametrize("encoding", ["pem", "der"])
@ -1436,7 +1437,7 @@ def test_certificate_managed_file_managed_error(
    cert_args["private_key"] = rsa_privkey
    cert_args["makedirs"] = False
    cert_args["encoding"] = encoding
-    cert_args["name"] = str(Path(cert_args["name"]).parent / "missing" / "cert")
+    cert_args["name"] = str(pathlib.Path(cert_args["name"]).parent / "missing" / "cert")
    ret = x509.certificate_managed(**cert_args)
    assert ret.result is False
    assert "Could not create file, see file.managed output" in ret.comment
@ -1504,7 +1505,7 @@ def test_crl_managed_test_true(x509, crl_args, crl_revoked):
    assert ret.result is None
    assert ret.changes
    assert ret.result is None
-    assert not Path(crl_args["name"]).exists()
+    assert not pathlib.Path(crl_args["name"]).exists()


@pytest.mark.usefixtures("existing_crl")
@ -1708,7 +1709,7 @@ def test_crl_managed_file_managed_create_false(x509, crl_args):
    ret = x509.crl_managed(**crl_args)
    assert ret.result is True
    assert not ret.changes
-    assert not Path(crl_args["name"]).exists()
+    assert not pathlib.Path(crl_args["name"]).exists()


@pytest.mark.usefixtures("existing_crl")
@ -1782,7 +1783,7 @@ def test_crl_managed_follow_symlinks(
    """
    crl_args["name"] = str(existing_symlink)
    crl_args["encoding"] = encoding
-    assert Path(crl_args["name"]).is_symlink()
+    assert pathlib.Path(crl_args["name"]).is_symlink()
    crl_args["follow_symlinks"] = follow
    ret = x509.crl_managed(**crl_args)
    assert bool(ret.changes) == (not follow)
@ -1802,13 +1803,13 @@ def test_crl_managed_follow_symlinks_changes(
    the checking of the existing file is performed by the x509 module
    """
    crl_args["name"] = str(existing_symlink)
-    assert Path(crl_args["name"]).is_symlink()
+    assert pathlib.Path(crl_args["name"]).is_symlink()
    crl_args["follow_symlinks"] = follow
    crl_args["encoding"] = encoding
    crl_args["revoked"] = crl_revoked
    ret = x509.crl_managed(**crl_args)
    assert ret.changes
-    assert Path(ret.name).is_symlink() == follow
+    assert pathlib.Path(ret.name).is_symlink() == follow


@pytest.mark.parametrize("encoding", ["pem", "der"])
@ -1818,7 +1819,7 @@ def test_crl_managed_file_managed_error(x509, crl_args, encoding):
    """
    crl_args["makedirs"] = False
    crl_args["encoding"] = encoding
-    crl_args["name"] = str(Path(crl_args["name"]).parent / "missing" / "crl")
+    crl_args["name"] = str(pathlib.Path(crl_args["name"]).parent / "missing" / "crl")
    ret = x509.crl_managed(**crl_args)
    assert ret.result is False
    assert "Could not create file, see file.managed output" in ret.comment
@ -1866,7 +1867,7 @@ def test_csr_managed_test_true(x509, csr_args, rsa_privkey):
    ret = x509.csr_managed(**csr_args)
    assert ret.result is None
    assert ret.changes
-    assert not Path(csr_args["name"]).exists()
+    assert not pathlib.Path(csr_args["name"]).exists()


@pytest.mark.usefixtures("existing_csr")
@ -2002,7 +2003,7 @@ def test_csr_managed_file_managed_create_false(x509, csr_args):
    ret = x509.csr_managed(**csr_args)
    assert ret.result is True
    assert not ret.changes
-    assert not Path(csr_args["name"]).exists()
+    assert not pathlib.Path(csr_args["name"]).exists()


@pytest.mark.usefixtures("existing_csr")
@ -2066,12 +2067,12 @@ def test_csr_managed_follow_symlinks(
    the checking of the existing file is performed by the x509 module
    """
    csr_args["name"] = str(existing_symlink)
-    assert Path(csr_args["name"]).is_symlink()
+    assert pathlib.Path(csr_args["name"]).is_symlink()
    csr_args["follow_symlinks"] = follow
    csr_args["encoding"] = encoding
    ret = x509.csr_managed(**csr_args)
    assert bool(ret.changes) == (not follow)
-    assert Path(ret.name).is_symlink() == follow
+    assert pathlib.Path(ret.name).is_symlink() == follow


@pytest.mark.parametrize(
@ -2088,14 +2089,14 @@ def test_csr_managed_follow_symlinks_changes(
    the checking of the existing file is performed by the x509 module
    """
    csr_args["name"] = str(existing_symlink)
-    assert Path(csr_args["name"]).is_symlink()
+    assert pathlib.Path(csr_args["name"]).is_symlink()
    csr_args["follow_symlinks"] = follow
    csr_args["encoding"] = encoding
    csr_args["CN"] = "new"
    ret = x509.csr_managed(**csr_args)
    assert ret.result
    assert ret.changes
-    assert Path(ret.name).is_symlink() == follow
+    assert pathlib.Path(ret.name).is_symlink() == follow


@pytest.mark.parametrize("encoding", ["pem", "der"])
@ -2105,7 +2106,7 @@ def test_csr_managed_file_managed_error(x509, csr_args, encoding):
    """
    csr_args["makedirs"] = False
    csr_args["encoding"] = encoding
-    csr_args["name"] = str(Path(csr_args["name"]).parent / "missing" / "csr")
+    csr_args["name"] = str(pathlib.Path(csr_args["name"]).parent / "missing" / "csr")
    ret = x509.csr_managed(**csr_args)
    assert ret.result is False
    assert "Could not create file, see file.managed output" in ret.comment
@ -2312,7 +2313,7 @@ def test_private_key_managed_file_managed_create_false(x509, pk_args):
    ret = x509.private_key_managed(**pk_args)
    assert ret.result is True
    assert not ret.changes
-    assert not Path(pk_args["name"]).exists()
+    assert not pathlib.Path(pk_args["name"]).exists()


@pytest.mark.usefixtures("existing_pk")
@ -2361,7 +2362,7 @@ def test_private_key_managed_follow_symlinks(
    """
    pk_args["name"] = str(existing_symlink)
    pk_args["encoding"] = encoding
-    assert Path(pk_args["name"]).is_symlink()
+    assert pathlib.Path(pk_args["name"]).is_symlink()
    pk_args["follow_symlinks"] = follow
    ret = x509.private_key_managed(**pk_args)
    assert bool(ret.changes) == (not follow)
@ -2381,13 +2382,13 @@ def test_private_key_managed_follow_symlinks_changes(
    the checking of the existing file is performed by the x509 module
    """
    pk_args["name"] = str(existing_symlink)
-    assert Path(pk_args["name"]).is_symlink()
+    assert pathlib.Path(pk_args["name"]).is_symlink()
    pk_args["follow_symlinks"] = follow
    pk_args["encoding"] = encoding
    pk_args["algo"] = "ec"
    ret = x509.private_key_managed(**pk_args)
    assert ret.changes
-    assert Path(ret.name).is_symlink() == follow
+    assert pathlib.Path(ret.name).is_symlink() == follow


@pytest.mark.usefixtures("existing_pk")
@ -2415,7 +2416,7 @@ def test_private_key_managed_file_managed_error(x509, pk_args, encoding):
    """
    pk_args["makedirs"] = False
    pk_args["encoding"] = encoding
-    pk_args["name"] = str(Path(pk_args["name"]).parent / "missing" / "pk")
+    pk_args["name"] = str(pathlib.Path(pk_args["name"]).parent / "missing" / "pk")
    ret = x509.private_key_managed(**pk_args)
    assert ret.result is False
    assert "Could not create file, see file.managed output" in ret.comment
@ -2693,7 +2694,7 @@ def _assert_cert_basic(

 def _get_cert(cert, encoding="pem", passphrase=None):
    try:
-        p = Path(cert)
+        p = pathlib.Path(cert)
        if p.exists():
            cert = p.read_bytes()
    except Exception:  # pylint: disable=broad-except
@ -2775,7 +2776,7 @@ def _assert_not_changed(ret):

 def _get_crl(crl, encoding="pem"):
    try:
-        p = Path(crl)
+        p = pathlib.Path(crl)
        if p.exists():
            crl = p.read_bytes()
    except Exception:  # pylint: disable=broad-except
@ -2793,7 +2794,7 @@ def _get_crl(crl, encoding="pem"):

 def _get_csr(csr, encoding="pem"):
    try:
-        p = Path(csr)
+        p = pathlib.Path(csr)
        if p.exists():
            csr = p.read_bytes()
    except Exception:  # pylint: disable=broad-except
@ -2811,7 +2812,7 @@ def _get_csr(csr, encoding="pem"):

 def _get_privkey(pk, encoding="pem", passphrase=None):
    try:
-        p = Path(pk)
+        p = pathlib.Path(pk)
        if p.exists():
            pk = p.read_bytes()
    except Exception:  # pylint: disable=broad-except
--- a/tests/pytests/functional/transport/ipc/test_pub_server_channel.py
+++ b/tests/pytests/functional/transport/ipc/test_pub_server_channel.py
@ -13,9 +13,10 @@ log = logging.getLogger(__name__)


 pytestmark = [
+    pytest.mark.skip_on_fips_enabled_platform,
    pytest.mark.skip_on_spawning_platform(
        reason="These tests are currently broken on spawning platforms. Need to be rewritten.",
-    )
+    ),
 ]


--- a/tests/pytests/functional/transport/tcp/test_load_balanced_server.py
+++ b/tests/pytests/functional/transport/tcp/test_load_balanced_server.py
@ -12,6 +12,7 @@ pytestmark = [
 ]


+@pytest.mark.skip_on_fips_enabled_platform
 def test_tcp_load_balancer_server(master_opts, io_loop):

    messages = []
--- a/tests/pytests/functional/transport/zeromq/test_pub_server_channel.py
+++ b/tests/pytests/functional/transport/zeromq/test_pub_server_channel.py
@ -12,6 +12,7 @@ log = logging.getLogger(__name__)


 pytestmark = [
+    pytest.mark.skip_on_fips_enabled_platform,
    pytest.mark.skip_on_freebsd(reason="Temporarily skipped on FreeBSD."),
    pytest.mark.skip_on_spawning_platform(
        reason="These tests are currently broken on spawning platforms. Need to be rewritten.",
--- a/tests/pytests/integration/daemons/test_memory_leak.py
+++ b/tests/pytests/integration/daemons/test_memory_leak.py
@ -44,6 +44,7 @@ def file_add_delete_sls(testfile_path, base_env_state_tree_root_dir):
        yield sls_name


+@pytest.mark.skip_on_fips_enabled_platform
@pytest.mark.skip_on_darwin(reason="MacOS is a spawning platform, won't work")
@pytest.mark.flaky(max_runs=4)
 def test_memory_leak(salt_cli, salt_minion, file_add_delete_sls):
--- a/tests/pytests/integration/ssh/test_saltcheck.py
+++ b/tests/pytests/integration/ssh/test_saltcheck.py
@ -1,4 +1,5 @@
 import pytest
+from pytestskipmarkers.utils import platform

 pytestmark = [
    pytest.mark.slow_test,
@ -6,6 +7,12 @@ pytestmark = [
 ]


+@pytest.fixture
+def _skip_on_fips_and_arm64(grains):
+    if platform.is_fips_enabled() and grains["cpuarch"] == "aarch64":
+        pytest.skip("Test cannot run on a FIPS enabled platform")
+
+
 def test_saltcheck_run_test(salt_ssh_cli):
    """
    test saltcheck.run_test with salt-ssh
@ -23,6 +30,7 @@ def test_saltcheck_run_test(salt_ssh_cli):
    assert ret.data["status"] == "Pass"


+@pytest.mark.usefixtures("_skip_on_fips_and_arm64")
 def test_saltcheck_state(salt_ssh_cli):
    """
    saltcheck.run_state_tests
--- a/tests/pytests/integration/states/test_x509_v2.py
+++ b/tests/pytests/integration/states/test_x509_v2.py
@ -666,6 +666,7 @@ def test_privkey_new_with_prereq(x509_salt_call_cli, tmp_path):
    assert not _belongs_to(cert_new, pk_cur)


+@pytest.mark.skip_on_fips_enabled_platform
@pytest.mark.usefixtures("privkey_new_pkcs12")
@pytest.mark.skipif(
    CRYPTOGRAPHY_VERSION[0] < 36,
--- a/tests/pytests/unit/cloud/test_cloud.py
+++ b/tests/pytests/unit/cloud/test_cloud.py
@ -126,6 +126,7 @@ def test_vm_config_merger():
    assert expected == vm


+@pytest.mark.skip_on_fips_enabled_platform
 def test_cloud_run_profile_create_returns_boolean(master_config):

    master_config["profiles"] = {"test_profile": {"provider": "test_provider:saltify"}}
--- a/tests/pytests/unit/cloud/test_map.py
+++ b/tests/pytests/unit/cloud/test_map.py
@ -99,6 +99,8 @@ def salt_cloud_config_file(salt_master_factory):
    return os.path.join(salt_master_factory.config_dir, "cloud")


+# The cloud map merge uses python's multiprocessing manager which authenticates using HMAC and MD5
+@pytest.mark.skip_on_fips_enabled_platform
 def test_cloud_map_merge_conf(salt_cloud_config_file, grains):
    """
    Ensure that nested values can be selectivly overridden in a map file
--- a/tests/pytests/unit/modules/test_hashutil.py
+++ b/tests/pytests/unit/modules/test_hashutil.py
@ -61,6 +61,7 @@ def test_base64_decodestring(the_string, the_string_base64):
    assert hashutil.base64_decodestring(the_string_base64) == the_string


+@pytest.mark.skip_on_fips_enabled_platform
 def test_md5_digest(the_string, the_string_md5):
    assert hashutil.md5_digest(the_string) == the_string_md5

--- a/tests/pytests/unit/modules/test_postgres.py
+++ b/tests/pytests/unit/modules/test_postgres.py
@ -2,6 +2,7 @@ import datetime
 import re

 import pytest
+from pytestskipmarkers.utils import platform

 import salt.modules.config as configmod
 import salt.modules.postgres as postgres
@ -117,6 +118,8 @@ def idfn(val):
    ids=idfn,
 )
 def test_verify_password(role, password, verifier, method, result):
+    if platform.is_fips_enabled() and (method == "md5" or verifier == md5_pw):
+        pytest.skip("Test cannot run on a FIPS enabled platform")
    assert postgres._verify_password(role, password, verifier, method) == result


@ -971,6 +974,7 @@ def test_user_update3():
        )


+@pytest.mark.skip_on_fips_enabled_platform
 def test_user_update_encrypted_passwd():
    with patch(
        "salt.modules.postgres._run_psql", Mock(return_value={"retcode": 0})
@ -1226,6 +1230,7 @@ def test_create_extension_newerthan():
                assert not postgres.create_extension("foo", ext_version="a", schema="b")


+@pytest.mark.skip_on_fips_enabled_platform
 def test_encrypt_passwords():
    assert postgres._maybe_encrypt_password("foo", "bar", False) == "bar"
    assert (
--- a/tests/pytests/unit/states/postgresql/test_group.py
+++ b/tests/pytests/unit/states/postgresql/test_group.py
@ -1,4 +1,5 @@
 import pytest
+from pytestskipmarkers.utils import platform

 import salt.modules.postgres as postgres
 import salt.states.postgres_group as postgres_group
@ -19,6 +20,8 @@ def fixture_db_args():

@pytest.fixture(name="md5_pw")
 def fixture_md5_pw():
+    if platform.is_fips_enabled():
+        pytest.skip("Test cannot run on a FIPS enabled platform")
    # 'md5' + md5('password' + 'groupname')
    return "md58b14c378fab8ef0dc227f4e6d6787a87"

@ -79,6 +82,7 @@ def configure_loader_modules(mocks):
 # ==========


+@pytest.mark.skip_on_fips_enabled_platform
 def test_present_create_basic(mocks, db_args):
    assert postgres_group.present("groupname") == {
        "name": "groupname",
@ -343,6 +347,7 @@ def test_present_update_md5_password(mocks, existing_group, md5_pw, db_args):
    )


+@pytest.mark.skip_on_fips_enabled_platform
 def test_present_update_error(mocks, existing_group):
    existing_group["password"] = "md500000000000000000000000000000000"
    mocks["postgres.role_get"].return_value = existing_group
--- a/tests/pytests/unit/states/postgresql/test_user.py
+++ b/tests/pytests/unit/states/postgresql/test_user.py
@ -1,4 +1,5 @@
 import pytest
+from pytestskipmarkers.utils import platform

 import salt.modules.postgres as postgres
 import salt.states.postgres_user as postgres_user
@ -25,6 +26,8 @@ def fixture_db_args():
@pytest.fixture(name="md5_pw")
 def fixture_md5_pw():
    # 'md5' + md5('password' + 'username')
+    if platform.is_fips_enabled():
+        pytest.skip("Test cannot run on a FIPS enabled platform")
    return "md55a231fcdb710d73268c4f44283487ba2"


--- a/tests/pytests/unit/states/test_boto_cloudwatch_event.py
+++ b/tests/pytests/unit/states/test_boto_cloudwatch_event.py
@ -17,6 +17,7 @@ log = logging.getLogger(__name__)

 pytestmark = [
    pytest.mark.slow_test,
+    pytest.mark.skip_on_fips_enabled_platform,
 ]


--- a/tests/pytests/unit/states/test_boto_iot.py
+++ b/tests/pytests/unit/states/test_boto_iot.py
@ -18,6 +18,7 @@ log = logging.getLogger(__name__)

 pytestmark = [
    pytest.mark.slow_test,
+    pytest.mark.skip_on_fips_enabled_platform,
 ]


--- a/tests/pytests/unit/utils/jinja/test_custom_extensions.py
+++ b/tests/pytests/unit/utils/jinja/test_custom_extensions.py
@ -46,7 +46,6 @@ def minion_opts(tmp_path, minion_opts):
            "file_roots": {"test": [str(tmp_path / "templates")]},
            "pillar_roots": {"test": [str(tmp_path / "templates")]},
            "fileserver_backend": ["roots"],
-            "hash_type": "md5",
            "extension_modules": os.path.join(
                os.path.dirname(os.path.abspath(__file__)), "extmods"
            ),
@ -1041,6 +1040,7 @@ def test_method_call(minion_opts, local_salt):
    assert rendered == "None"


+@pytest.mark.skip_on_fips_enabled_platform
 def test_md5(minion_opts, local_salt):
    """
    Test the `md5` Jinja filter.
--- a/tests/pytests/unit/utils/jinja/test_get_template.py
+++ b/tests/pytests/unit/utils/jinja/test_get_template.py
@ -61,7 +61,6 @@ def minion_opts(tmp_path, minion_opts):
            "file_roots": {"test": [str(tmp_path / "files" / "test")]},
            "pillar_roots": {"test": [str(tmp_path / "files" / "test")]},
            "fileserver_backend": ["roots"],
-            "hash_type": "md5",
            "extension_modules": os.path.join(
                os.path.dirname(os.path.abspath(__file__)), "extmods"
            ),
--- a/tests/support/pytest/mysql.py
+++ b/tests/support/pytest/mysql.py
@ -3,6 +3,7 @@ import time

 import attr
 import pytest
+from pytestskipmarkers.utils import platform
 from saltfactories.utils import random_string

 # This `pytest.importorskip` here actually works because this module
@ -102,6 +103,10 @@ def mysql_image(request):

@pytest.fixture(scope="module")
 def create_mysql_combo(mysql_image):
+    if platform.is_fips_enabled():
+        if mysql_image.name in ("mysql-server", "percona") and mysql_image.tag == "8.0":
+            pytest.skip(f"These tests fail on {mysql_image.name}:{mysql_image.tag}")
+
    return MySQLCombo(
        mysql_name=mysql_image.name,
        mysql_version=mysql_image.tag,
--- a/tests/unit/modules/test_boto3_elasticsearch.py
+++ b/tests/unit/modules/test_boto3_elasticsearch.py
@ -28,6 +28,10 @@ except ImportError:
 # https://github.com/boto/boto/commit/33ac26b416fbb48a60602542b4ce15dcc7029f12
 REQUIRED_BOTO3_VERSION = "1.2.1"

+pytestmark = [
+    pytest.mark.skip_on_fips_enabled_platform,
+]
+

 def __virtual__():
    """
--- a/tests/unit/modules/test_boto3_route53.py
+++ b/tests/unit/modules/test_boto3_route53.py
@ -25,6 +25,10 @@ except ImportError:
 # https://github.com/boto/boto/commit/33ac26b416fbb48a60602542b4ce15dcc7029f12
 REQUIRED_BOTO3_VERSION = "1.2.1"

+pytestmark = [
+    pytest.mark.skip_on_fips_enabled_platform,
+]
+

 def __virtual__():
    """
--- a/tests/unit/modules/test_boto_apigateway.py
+++ b/tests/unit/modules/test_boto_apigateway.py
@ -23,6 +23,10 @@ try:
 except ImportError:
    HAS_BOTO = False

+pytestmark = [
+    pytest.mark.skip_on_fips_enabled_platform,
+]
+

 # pylint: enable=import-error,no-name-in-module

--- a/tests/unit/modules/test_boto_cloudtrail.py
+++ b/tests/unit/modules/test_boto_cloudtrail.py
@ -22,6 +22,10 @@ try:
 except ImportError:
    HAS_BOTO = False

+pytestmark = [
+    pytest.mark.skip_on_fips_enabled_platform,
+]
+
 # pylint: enable=import-error,no-name-in-module,unused-import

 # the boto_cloudtrail module relies on the connect_to_region() method
--- a/tests/unit/modules/test_boto_cloudwatch_event.py
+++ b/tests/unit/modules/test_boto_cloudwatch_event.py
@ -22,6 +22,10 @@ try:
 except ImportError:
    HAS_BOTO = False

+pytestmark = [
+    pytest.mark.skip_on_fips_enabled_platform,
+]
+
 # pylint: enable=import-error,no-name-in-module,unused-import
 log = logging.getLogger(__name__)

--- a/tests/unit/modules/test_boto_cognitoidentity.py
+++ b/tests/unit/modules/test_boto_cognitoidentity.py
@ -21,6 +21,10 @@ try:
 except ImportError:
    HAS_BOTO = False

+pytestmark = [
+    pytest.mark.skip_on_fips_enabled_platform,
+]
+

 # pylint: enable=import-error,no-name-in-module

--- a/tests/unit/modules/test_boto_elasticsearch_domain.py
+++ b/tests/unit/modules/test_boto_elasticsearch_domain.py
@ -21,6 +21,10 @@ try:
 except ImportError:
    HAS_BOTO = False

+pytestmark = [
+    pytest.mark.skip_on_fips_enabled_platform,
+]
+

 # pylint: enable=import-error,no-name-in-module

--- a/tests/unit/modules/test_boto_iot.py
+++ b/tests/unit/modules/test_boto_iot.py
@ -23,6 +23,10 @@ try:
 except ImportError:
    HAS_BOTO = False

+pytestmark = [
+    pytest.mark.skip_on_fips_enabled_platform,
+]
+
 # pylint: enable=import-error,no-name-in-module,unused-import

 # the boto_iot module relies on the connect_to_region() method
--- a/tests/unit/modules/test_boto_lambda.py
+++ b/tests/unit/modules/test_boto_lambda.py
@ -26,6 +26,10 @@ try:
 except ImportError:
    HAS_BOTO = False

+pytestmark = [
+    pytest.mark.skip_on_fips_enabled_platform,
+]
+
 # pylint: enable=import-error,no-name-in-module

 # the boto_lambda module relies on the connect_to_region() method
--- a/tests/unit/modules/test_boto_s3_bucket.py
+++ b/tests/unit/modules/test_boto_s3_bucket.py
@ -22,6 +22,10 @@ try:
 except ImportError:
    HAS_BOTO = False

+pytestmark = [
+    pytest.mark.skip_on_fips_enabled_platform,
+]
+
 # pylint: enable=import-error,no-name-in-module,unused-import

 # the boto_s3_bucket module relies on the connect_to_region() method
--- a/tests/unit/modules/test_virt.py
+++ b/tests/unit/modules/test_virt.py
@ -2,32 +2,27 @@
 virt execution module unit tests
 """

-# pylint: disable=3rd-party-module-not-gated
-
-
 import datetime
 import os
 import shutil
 import tempfile
 import xml.etree.ElementTree as ET

+import pytest
+
 import salt.config
 import salt.modules.config as config
 import salt.modules.virt as virt
 import salt.syspaths
 import salt.utils.yaml
 from salt.exceptions import CommandExecutionError, SaltInvocationError
-
-# pylint: disable=import-error
 from tests.support.helpers import dedent
 from tests.support.mixins import LoaderModuleMockMixin
 from tests.support.mock import MagicMock, patch
 from tests.support.unit import TestCase

-# pylint: disable=invalid-name,protected-access,attribute-defined-outside-init,too-many-public-methods,unused-argument

-
-class LibvirtMock(MagicMock):  # pylint: disable=too-many-ancestors
+class LibvirtMock(MagicMock):
    """
    Libvirt library mock
    """
@ -1882,6 +1877,7 @@ class VirtTestCase(TestCase, LoaderModuleMockMixin):
            ],
        )

+    @pytest.mark.skip_on_fips_enabled_platform
    def test_init(self):
        """
        Test init() function
--- a/tests/unit/modules/test_zcbuildout.py
+++ b/tests/unit/modules/test_zcbuildout.py
@ -20,12 +20,13 @@ from tests.support.runtests import RUNTIME_VARS
 from tests.support.unit import TestCase

 pytestmark = [
+    pytest.mark.skip_on_fips_enabled_platform,
    pytest.mark.skip_on_windows(
        reason=(
            "Special steps are required for proper SSL validation because "
            "`easy_install` is too old(and deprecated)."
        )
-    )
+    ),
 ]

 KNOWN_VIRTUALENV_BINARY_NAMES = (
--- a/tests/unit/states/test_boto_apigateway.py
+++ b/tests/unit/states/test_boto_apigateway.py
@ -28,6 +28,10 @@ try:
 except ImportError:
    HAS_BOTO = False

+pytestmark = [
+    pytest.mark.skip_on_fips_enabled_platform,
+]
+

 # pylint: enable=import-error,no-name-in-module

--- a/tests/unit/states/test_boto_cognitoidentity.py
+++ b/tests/unit/states/test_boto_cognitoidentity.py
@ -25,6 +25,10 @@ try:
 except ImportError:
    HAS_BOTO = False

+pytestmark = [
+    pytest.mark.skip_on_fips_enabled_platform,
+]
+

 # pylint: enable=import-error,no-name-in-module

--- a/tests/unit/states/test_zcbuildout.py
+++ b/tests/unit/states/test_zcbuildout.py
@ -11,12 +11,13 @@ from tests.support.runtests import RUNTIME_VARS
 from tests.unit.modules.test_zcbuildout import KNOWN_VIRTUALENV_BINARY_NAMES, Base

 pytestmark = [
+    pytest.mark.skip_on_fips_enabled_platform,
    pytest.mark.skip_on_windows(
        reason=(
            "Special steps are required for proper SSL validation because "
            "`easy_install` is too old(and deprecated)."
        )
-    )
+    ),
 ]


--- a/tests/unit/utils/test_boto3mod.py
+++ b/tests/unit/utils/test_boto3mod.py
@ -24,6 +24,10 @@ except ImportError:

 REQUIRED_BOTO3_VERSION = "1.2.1"

+pytestmark = [
+    pytest.mark.skip_on_fips_enabled_platform,
+]
+

@pytest.mark.skipif(HAS_BOTO3 is False, reason="The boto module must be installed.")
@pytest.mark.skipif(
--- a/tests/unit/utils/test_botomod.py
+++ b/tests/unit/utils/test_botomod.py
@ -53,6 +53,11 @@ except ImportError:
        return stub_function


+pytestmark = [
+    pytest.mark.skip_on_fips_enabled_platform,
+]
+
+
 required_boto_version = "2.0.0"
 required_boto3_version = "1.2.1"
 region = "us-east-1"
--- a/tests/unit/utils/test_find.py
+++ b/tests/unit/utils/test_find.py
@ -332,6 +332,7 @@ class TestPrintOption(TestCase):
        option = salt.utils.find.PrintOption("print", "path user")
        self.assertEqual(option.requires(), salt.utils.find._REQUIRES_STAT)

+    @pytest.mark.skip_on_fips_enabled_platform
    def test_print_option_execute(self):
        hello_file = os.path.join(self.tmpdir, "hello.txt")
        with salt.utils.files.fopen(hello_file, "w") as fp_:
--- a/tests/unit/utils/test_hashutils.py
+++ b/tests/unit/utils/test_hashutils.py
@ -1,3 +1,5 @@
+import pytest
+
 import salt.utils.hashutils
 from tests.support.unit import TestCase

@ -87,6 +89,7 @@ class HashutilsTestCase(TestCase):
            self.bytes,
        )

+    @pytest.mark.skip_on_fips_enabled_platform
    def test_md5_digest(self):
        """
        Ensure that this function converts the value passed to bytes before