From 066afb90f0ae6b79035006a0512fd022c76bba15 Mon Sep 17 00:00:00 2001 From: Pedro Algarvio Date: Fri, 27 Oct 2023 16:29:05 +0100 Subject: [PATCH] Skip tests which can't run, or even pass on FIPS enabled platforms 
Signed-off-by: Pedro Algarvio --- .pylintrc | 3 +- salt/pillar/sql_base.py | 8 +-- .../cloud/clouds/test_digitalocean.py | 4 +- .../integration/externalapi/test_venafiapi.py | 9 +-- tests/integration/states/test_archive.py | 10 +++ tests/pytests/functional/cache/test_consul.py | 1 + .../modules/state/test_jinja_filters.py | 7 ++- .../pytests/functional/modules/test_mysql.py | 1 + .../functional/modules/test_x509_v2.py | 3 +- .../pytests/functional/states/test_x509_v2.py | 61 ++++++++++--------- .../transport/ipc/test_pub_server_channel.py | 3 +- .../tcp/test_load_balanced_server.py | 1 + .../zeromq/test_pub_server_channel.py | 1 + .../integration/daemons/test_memory_leak.py | 1 + .../pytests/integration/ssh/test_saltcheck.py | 8 +++ .../integration/states/test_x509_v2.py | 1 + tests/pytests/unit/cloud/test_cloud.py | 1 + tests/pytests/unit/cloud/test_map.py | 2 + tests/pytests/unit/modules/test_hashutil.py | 1 + tests/pytests/unit/modules/test_postgres.py | 5 ++ .../unit/states/postgresql/test_group.py | 5 ++ .../unit/states/postgresql/test_user.py | 3 + .../unit/states/test_boto_cloudwatch_event.py | 1 + tests/pytests/unit/states/test_boto_iot.py | 1 + .../utils/jinja/test_custom_extensions.py | 2 +- .../unit/utils/jinja/test_get_template.py | 1 - tests/support/pytest/mysql.py | 5 ++ .../unit/modules/test_boto3_elasticsearch.py | 4 ++ tests/unit/modules/test_boto3_route53.py | 4 ++ tests/unit/modules/test_boto_apigateway.py | 4 ++ tests/unit/modules/test_boto_cloudtrail.py | 4 ++ .../modules/test_boto_cloudwatch_event.py | 4 ++ .../unit/modules/test_boto_cognitoidentity.py | 4 ++ .../modules/test_boto_elasticsearch_domain.py | 4 ++ tests/unit/modules/test_boto_iot.py | 4 ++ tests/unit/modules/test_boto_lambda.py | 4 ++ tests/unit/modules/test_boto_s3_bucket.py | 4 ++ tests/unit/modules/test_virt.py | 12 ++-- tests/unit/modules/test_zcbuildout.py | 3 +- tests/unit/states/test_boto_apigateway.py | 4 ++ .../unit/states/test_boto_cognitoidentity.py | 4 ++ 
tests/unit/states/test_zcbuildout.py | 3 +- tests/unit/utils/test_boto3mod.py | 4 ++ tests/unit/utils/test_botomod.py | 5 ++ tests/unit/utils/test_find.py | 1 + tests/unit/utils/test_hashutils.py | 3 + 46 files changed, 168 insertions(+), 60 deletions(-) diff --git a/.pylintrc b/.pylintrc index be586e1ed34..3991b5df08e 100644 --- a/.pylintrc +++ b/.pylintrc @@ -698,7 +698,8 @@ allowed-3rd-party-modules=msgpack, ptscripts, packaging, looseversion, - pytestskipmarkers + pytestskipmarkers, + cryptography [EXCEPTIONS] diff --git a/salt/pillar/sql_base.py b/salt/pillar/sql_base.py index 372dced91cc..3edd3ad0a87 100644 --- a/salt/pillar/sql_base.py +++ b/salt/pillar/sql_base.py @@ -198,22 +198,20 @@ More complete example for MySQL (to also show configuration) with_lists: [1,3] """ -import abc # Added in python2.6 so always available +import abc import logging from salt.utils.dictupdate import update from salt.utils.odict import OrderedDict +log = logging.getLogger(__name__) + # Please don't strip redundant parentheses from this file. # I have added some for clarity. # tests/unit/pillar/mysql_test.py may help understand this code. -# Set up logging -log = logging.getLogger(__name__) - - # This ext_pillar is abstract and cannot be used directory def __virtual__(): return False diff --git a/tests/integration/cloud/clouds/test_digitalocean.py b/tests/integration/cloud/clouds/test_digitalocean.py index e92f57d8aa2..64ad0f17426 100644 --- a/tests/integration/cloud/clouds/test_digitalocean.py +++ b/tests/integration/cloud/clouds/test_digitalocean.py @@ -1,10 +1,11 @@ """ Integration tests for DigitalOcean APIv2 """ - import base64 import hashlib +import pytest + import salt.crypt import salt.utils.stringutils from tests.integration.cloud.helpers.cloud_test_base import TIMEOUT, CloudTest 
@@ -43,6 +44,7 @@ class DigitalOceanTest(CloudTest): _list_sizes = self.run_cloud("--list-sizes {}".format(self.PROVIDER)) self.assertIn("16gb", [i.strip() for i in _list_sizes]) + @pytest.mark.skip_on_fips_enabled_platform def test_key_management(self): """ Test key management diff --git a/tests/integration/externalapi/test_venafiapi.py b/tests/integration/externalapi/test_venafiapi.py index ad08605430f..c9d44dce50c 100644 --- a/tests/integration/externalapi/test_venafiapi.py +++ b/tests/integration/externalapi/test_venafiapi.py @@ -43,13 +43,10 @@ class VenafiTest(ShellCase): @with_random_name @pytest.mark.slow_test + @pytest.mark.skip_on_fips_enabled_platform def test_request(self, name): cn = "{}.example.com".format(name) - # Provide python27 compatibility - if not isinstance(cn, str): - cn = cn.decode() - ret = self.run_run_plus( fun="venafi.request", minion_id=cn, @@ -126,10 +123,6 @@ xlAKgaU6i03jOm5+sww5L2YVMi1eeBN+kx7o94ogpRemC/EUidvl1PUJ6+e7an9V csr_path = f.name cn = "test-csr-32313131.venafi.example.com" - # Provide python27 compatibility - if not isinstance(cn, str): - cn = cn.decode() - ret = self.run_run_plus( fun="venafi.request", minion_id=cn, csr_path=csr_path, zone="fake" ) diff --git a/tests/integration/states/test_archive.py b/tests/integration/states/test_archive.py index 7d2dba52210..d940db5ecd2 100644 --- a/tests/integration/states/test_archive.py +++ b/tests/integration/states/test_archive.py @@ -106,6 +106,7 @@ class ArchiveTest(ModuleCase, SaltReturnAssertsMixin): self._check_extracted(self.untar_file) + @pytest.mark.skip_on_fips_enabled_platform def test_archive_extracted_with_source_hash(self): """ test archive.extracted without skip_verify 
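Review bot: In tests/integration/states/test_archive.py the `skip_on_fips_enabled_platform` marker added to `test_archive_extracted_with_source_hash` takes the hash-verification path out of FIPS runs without saying why. The same marker lands on `test_local_archive_extracted_with_source_hash`, `test_local_archive_extracted_with_bad_source_hash` and `test_local_archive_extracted_with_uppercase_source_hash` in later hunks of this file. Those tests check that a valid hash is accepted and a bad one is rejected, so that behaviour goes unverified on FIPS hosts. The hash values are outside the hunks; if they are MD5 digests, replacing them with SHA-256 digests of the same archive would presumably let the tests run everywhere. At minimum add a comment above each marker once the cause is confirmed, e.g. `# source_hash used below is an MD5 digest, which FIPS mode rejects`.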
@@ -127,6 +128,7 @@ class ArchiveTest(ModuleCase, SaltReturnAssertsMixin): self._check_extracted(self.untar_file) @pytest.mark.skip_if_not_root + @pytest.mark.skip_on_fips_enabled_platform def test_archive_extracted_with_root_user_and_group(self): """ test archive.extracted with user and group set to "root" @@ -151,6 +153,7 @@ class ArchiveTest(ModuleCase, SaltReturnAssertsMixin): self._check_extracted(self.untar_file) @pytest.mark.slow_test + @pytest.mark.skip_on_fips_enabled_platform def test_archive_extracted_with_strip_in_options(self): """ test archive.extracted with --strip in options @@ -170,6 +173,7 @@ class ArchiveTest(ModuleCase, SaltReturnAssertsMixin): self._check_extracted(os.path.join(ARCHIVE_DIR, "README")) + @pytest.mark.skip_on_fips_enabled_platform def test_archive_extracted_with_strip_components_in_options(self): """ test archive.extracted with --strip-components in options @@ -190,6 +194,7 @@ class ArchiveTest(ModuleCase, SaltReturnAssertsMixin): self._check_extracted(os.path.join(ARCHIVE_DIR, "README")) @pytest.mark.slow_test + @pytest.mark.skip_on_fips_enabled_platform def test_archive_extracted_without_archive_format(self): """ test archive.extracted with no archive_format option @@ -206,6 +211,7 @@ class ArchiveTest(ModuleCase, SaltReturnAssertsMixin): self._check_extracted(self.untar_file) + @pytest.mark.skip_on_fips_enabled_platform def test_archive_extracted_with_cmd_unzip_false(self): """ test archive.extracted using use_cmd_unzip argument as false @@ -240,6 +246,7 @@ class ArchiveTest(ModuleCase, SaltReturnAssertsMixin): self._check_extracted(self.untar_file) + @pytest.mark.skip_on_fips_enabled_platform def test_local_archive_extracted_skip_verify(self): """ test archive.extracted with local file, bad hash and skip_verify 
@@ -258,6 +265,7 @@ class ArchiveTest(ModuleCase, SaltReturnAssertsMixin): self._check_extracted(self.untar_file) @pytest.mark.slow_test + @pytest.mark.skip_on_fips_enabled_platform def test_local_archive_extracted_with_source_hash(self): """ test archive.extracted with local file and valid hash @@ -275,6 +283,7 @@ class ArchiveTest(ModuleCase, SaltReturnAssertsMixin): self._check_extracted(self.untar_file) @pytest.mark.slow_test + @pytest.mark.skip_on_fips_enabled_platform def test_local_archive_extracted_with_bad_source_hash(self): """ test archive.extracted with local file and bad hash @@ -289,6 +298,7 @@ class ArchiveTest(ModuleCase, SaltReturnAssertsMixin): self.assertSaltFalseReturn(ret) + @pytest.mark.skip_on_fips_enabled_platform def test_local_archive_extracted_with_uppercase_source_hash(self): """ test archive.extracted with local file and bad hash diff --git a/tests/pytests/functional/cache/test_consul.py b/tests/pytests/functional/cache/test_consul.py index 3a38e495a93..0a42913b6c2 100644 --- a/tests/pytests/functional/cache/test_consul.py +++ b/tests/pytests/functional/cache/test_consul.py @@ -14,6 +14,7 @@ docker = pytest.importorskip("docker") log = logging.getLogger(__name__) pytestmark = [ + pytest.mark.skip_on_fips_enabled_platform, pytest.mark.slow_test, pytest.mark.skip_if_binaries_missing("dockerd"), ] diff --git a/tests/pytests/functional/modules/state/test_jinja_filters.py b/tests/pytests/functional/modules/state/test_jinja_filters.py index 220310aaaf0..59777cee196 100644 --- a/tests/pytests/functional/modules/state/test_jinja_filters.py +++ b/tests/pytests/functional/modules/state/test_jinja_filters.py @@ -6,6 +6,7 @@ import os import attr import pytest +from pytestskipmarkers.utils import platform import salt.utils.files import salt.utils.path 
@@ -932,7 +933,11 @@ def _filter_id(value): ids=_filter_id, ) def filter(request): - return request.param + _filter = request.param + if platform.is_fips_enabled(): + if _filter.name in ("md5", "random_hash"): + pytest.skip("Test cannot run on a FIPS enabled platform") + return _filter def test_filter(state, state_tree, filter, grains): diff --git a/tests/pytests/functional/modules/test_mysql.py b/tests/pytests/functional/modules/test_mysql.py index c37a508588b..d920bbdbc03 100644 --- a/tests/pytests/functional/modules/test_mysql.py +++ b/tests/pytests/functional/modules/test_mysql.py @@ -19,6 +19,7 @@ pytestmark = [ pytest.mark.skipif( mysqlmod.MySQLdb is None, reason="No python mysql client installed." ), + pytest.mark.skip_on_fips_enabled_platform, ] diff --git a/tests/pytests/functional/modules/test_x509_v2.py b/tests/pytests/functional/modules/test_x509_v2.py index 42b55d66a6c..dfb973af108 100644 --- a/tests/pytests/functional/modules/test_x509_v2.py +++ b/tests/pytests/functional/modules/test_x509_v2.py @@ -23,7 +23,8 @@ except ImportError: CRYPTOGRAPHY_VERSION = tuple(int(x) for x in cryptography.__version__.split(".")) pytestmark = [ - pytest.mark.skipif(HAS_LIBS is False, reason="Needs cryptography library") + pytest.mark.skip_on_fips_enabled_platform, + pytest.mark.skipif(HAS_LIBS is False, reason="Needs cryptography library"), ] diff --git a/tests/pytests/functional/states/test_x509_v2.py b/tests/pytests/functional/states/test_x509_v2.py index 7409e6683ed..3cd09d7d840 100644 --- a/tests/pytests/functional/states/test_x509_v2.py +++ b/tests/pytests/functional/states/test_x509_v2.py @@ -1,5 +1,5 @@ import base64 -from pathlib import Path +import pathlib import pytest @@ -26,6 +26,7 @@ CRYPTOGRAPHY_VERSION = tuple(int(x) for x in cryptography.__version__.split(".") pytestmark = [ pytest.mark.slow_test, pytest.mark.skipif(HAS_LIBS is False, reason="Needs cryptography library"), + pytest.mark.skip_on_fips_enabled_platform, ] 
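Review bot: The skip added to the `filter` fixture in tests/pytests/functional/modules/state/test_jinja_filters.py gives a reason that names neither the filter nor the cause, so a FIPS report shows the same generic "Test cannot run on a FIPS enabled platform" for both parametrized cases. Folding the two nested `if`s into `if platform.is_fips_enabled() and _filter.name in ("md5", "random_hash"):` and using `pytest.skip(f"The {_filter.name} filter cannot run on a FIPS enabled platform")` makes the report self-explanatory. Whether `random_hash` fails only because of its default algorithm is not visible here; if so, a short comment saying that would help whoever later wants to re-enable it. The fixture's decorator begins above the hunk.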
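Review bot: Adding `pytest.mark.skip_on_fips_enabled_platform` to the module-level `pytestmark` in tests/pytests/functional/modules/test_x509_v2.py skips every test in the file on FIPS hosts, and the `pytestmark` hunk in tests/pytests/functional/states/test_x509_v2.py does the same for the `certificate_managed`, `crl_managed`, `csr_managed` and `private_key_managed` tests. That leaves the x509 code without functional coverage on the platforms with the strictest crypto policy, and nothing in either hunk records which operation fails. If only some cases depend on a non-approved algorithm or key format (not determinable from these hunks), marking those tests individually would keep the rest running. Otherwise put a comment above the list naming the failing primitive, e.g. `# FIPS: <operation that fails> is rejected by the crypto backend`.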
@@ -703,7 +704,7 @@ def existing_pk(x509, pk_args, request): @pytest.fixture(params=["existing_cert"]) def existing_symlink(request): existing = request.getfixturevalue(request.param) - test_file = Path(existing).with_name("symlink") + test_file = pathlib.Path(existing).with_name("symlink") test_file.symlink_to(existing) yield test_file # cleanup is done by tmp_path @@ -884,7 +885,7 @@ def test_certificate_managed_test_true(x509, cert_args, rsa_privkey, ca_key): ret = x509.certificate_managed(**cert_args) assert ret.result is None assert ret.changes - assert not Path(cert_args["name"]).exists() + assert not pathlib.Path(cert_args["name"]).exists() @pytest.mark.usefixtures("existing_cert") @@ -1324,7 +1325,7 @@ def test_certificate_managed_file_managed_create_false( ret = x509.certificate_managed(**cert_args) assert ret.result is True assert not ret.changes - assert not Path(cert_args["name"]).exists() + assert not pathlib.Path(cert_args["name"]).exists() @pytest.mark.usefixtures("existing_cert") @@ -1397,7 +1398,7 @@ def test_certificate_managed_follow_symlinks( """ cert_args["name"] = str(existing_symlink) cert_args["encoding"] = encoding - assert Path(cert_args["name"]).is_symlink() + assert pathlib.Path(cert_args["name"]).is_symlink() cert_args["follow_symlinks"] = follow ret = x509.certificate_managed(**cert_args) assert bool(ret.changes) == (not follow) @@ -1417,13 +1418,13 @@ def test_certificate_managed_follow_symlinks_changes( the checking of the existing file is performed by the x509 module """ cert_args["name"] = str(existing_symlink) - assert Path(cert_args["name"]).is_symlink() + assert pathlib.Path(cert_args["name"]).is_symlink() cert_args["follow_symlinks"] = follow cert_args["encoding"] = encoding cert_args["CN"] = "new" ret = x509.certificate_managed(**cert_args) assert ret.changes - assert Path(ret.name).is_symlink() == follow + assert pathlib.Path(ret.name).is_symlink() == follow @pytest.mark.parametrize("encoding", ["pem", "der"]) 
@@ -1436,7 +1437,7 @@ def test_certificate_managed_file_managed_error( cert_args["private_key"] = rsa_privkey cert_args["makedirs"] = False cert_args["encoding"] = encoding - cert_args["name"] = str(Path(cert_args["name"]).parent / "missing" / "cert") + cert_args["name"] = str(pathlib.Path(cert_args["name"]).parent / "missing" / "cert") ret = x509.certificate_managed(**cert_args) assert ret.result is False assert "Could not create file, see file.managed output" in ret.comment @@ -1504,7 +1505,7 @@ def test_crl_managed_test_true(x509, crl_args, crl_revoked): assert ret.result is None assert ret.changes assert ret.result is None - assert not Path(crl_args["name"]).exists() + assert not pathlib.Path(crl_args["name"]).exists() @pytest.mark.usefixtures("existing_crl") @@ -1708,7 +1709,7 @@ def test_crl_managed_file_managed_create_false(x509, crl_args): ret = x509.crl_managed(**crl_args) assert ret.result is True assert not ret.changes - assert not Path(crl_args["name"]).exists() + assert not pathlib.Path(crl_args["name"]).exists() @pytest.mark.usefixtures("existing_crl") @@ -1782,7 +1783,7 @@ def test_crl_managed_follow_symlinks( """ crl_args["name"] = str(existing_symlink) crl_args["encoding"] = encoding - assert Path(crl_args["name"]).is_symlink() + assert pathlib.Path(crl_args["name"]).is_symlink() crl_args["follow_symlinks"] = follow ret = x509.crl_managed(**crl_args) assert bool(ret.changes) == (not follow) 
@@ -1802,13 +1803,13 @@ def test_crl_managed_follow_symlinks_changes( the checking of the existing file is performed by the x509 module """ crl_args["name"] = str(existing_symlink) - assert Path(crl_args["name"]).is_symlink() + assert pathlib.Path(crl_args["name"]).is_symlink() crl_args["follow_symlinks"] = follow crl_args["encoding"] = encoding crl_args["revoked"] = crl_revoked ret = x509.crl_managed(**crl_args) assert ret.changes - assert Path(ret.name).is_symlink() == follow + assert pathlib.Path(ret.name).is_symlink() == follow @pytest.mark.parametrize("encoding", ["pem", "der"]) @@ -1818,7 +1819,7 @@ def test_crl_managed_file_managed_error(x509, crl_args, encoding): """ crl_args["makedirs"] = False crl_args["encoding"] = encoding - crl_args["name"] = str(Path(crl_args["name"]).parent / "missing" / "crl") + crl_args["name"] = str(pathlib.Path(crl_args["name"]).parent / "missing" / "crl") ret = x509.crl_managed(**crl_args) assert ret.result is False assert "Could not create file, see file.managed output" in ret.comment @@ -1866,7 +1867,7 @@ def test_csr_managed_test_true(x509, csr_args, rsa_privkey): ret = x509.csr_managed(**csr_args) assert ret.result is None assert ret.changes - assert not Path(csr_args["name"]).exists() + assert not pathlib.Path(csr_args["name"]).exists() @pytest.mark.usefixtures("existing_csr") @@ -2002,7 +2003,7 @@ def test_csr_managed_file_managed_create_false(x509, csr_args): ret = x509.csr_managed(**csr_args) assert ret.result is True assert not ret.changes - assert not Path(csr_args["name"]).exists() + assert not pathlib.Path(csr_args["name"]).exists() @pytest.mark.usefixtures("existing_csr") 
@@ -2066,12 +2067,12 @@ def test_csr_managed_follow_symlinks( the checking of the existing file is performed by the x509 module """ csr_args["name"] = str(existing_symlink) - assert Path(csr_args["name"]).is_symlink() + assert pathlib.Path(csr_args["name"]).is_symlink() csr_args["follow_symlinks"] = follow csr_args["encoding"] = encoding ret = x509.csr_managed(**csr_args) assert bool(ret.changes) == (not follow) - assert Path(ret.name).is_symlink() == follow + assert pathlib.Path(ret.name).is_symlink() == follow @pytest.mark.parametrize( @@ -2088,14 +2089,14 @@ def test_csr_managed_follow_symlinks_changes( the checking of the existing file is performed by the x509 module """ csr_args["name"] = str(existing_symlink) - assert Path(csr_args["name"]).is_symlink() + assert pathlib.Path(csr_args["name"]).is_symlink() csr_args["follow_symlinks"] = follow csr_args["encoding"] = encoding csr_args["CN"] = "new" ret = x509.csr_managed(**csr_args) assert ret.result assert ret.changes - assert Path(ret.name).is_symlink() == follow + assert pathlib.Path(ret.name).is_symlink() == follow @pytest.mark.parametrize("encoding", ["pem", "der"]) @@ -2105,7 +2106,7 @@ def test_csr_managed_file_managed_error(x509, csr_args, encoding): """ csr_args["makedirs"] = False csr_args["encoding"] = encoding - csr_args["name"] = str(Path(csr_args["name"]).parent / "missing" / "csr") + csr_args["name"] = str(pathlib.Path(csr_args["name"]).parent / "missing" / "csr") ret = x509.csr_managed(**csr_args) assert ret.result is False assert "Could not create file, see file.managed output" in ret.comment @@ -2312,7 +2313,7 @@ def test_private_key_managed_file_managed_create_false(x509, pk_args): ret = x509.private_key_managed(**pk_args) assert ret.result is True assert not ret.changes - assert not Path(pk_args["name"]).exists() + assert not pathlib.Path(pk_args["name"]).exists() @pytest.mark.usefixtures("existing_pk") 
@@ -2361,7 +2362,7 @@ def test_private_key_managed_follow_symlinks( """ pk_args["name"] = str(existing_symlink) pk_args["encoding"] = encoding - assert Path(pk_args["name"]).is_symlink() + assert pathlib.Path(pk_args["name"]).is_symlink() pk_args["follow_symlinks"] = follow ret = x509.private_key_managed(**pk_args) assert bool(ret.changes) == (not follow) @@ -2381,13 +2382,13 @@ def test_private_key_managed_follow_symlinks_changes( the checking of the existing file is performed by the x509 module """ pk_args["name"] = str(existing_symlink) - assert Path(pk_args["name"]).is_symlink() + assert pathlib.Path(pk_args["name"]).is_symlink() pk_args["follow_symlinks"] = follow pk_args["encoding"] = encoding pk_args["algo"] = "ec" ret = x509.private_key_managed(**pk_args) assert ret.changes - assert Path(ret.name).is_symlink() == follow + assert pathlib.Path(ret.name).is_symlink() == follow @pytest.mark.usefixtures("existing_pk") @@ -2415,7 +2416,7 @@ def test_private_key_managed_file_managed_error(x509, pk_args, encoding): """ pk_args["makedirs"] = False pk_args["encoding"] = encoding - pk_args["name"] = str(Path(pk_args["name"]).parent / "missing" / "pk") + pk_args["name"] = str(pathlib.Path(pk_args["name"]).parent / "missing" / "pk") ret = x509.private_key_managed(**pk_args) assert ret.result is False assert "Could not create file, see file.managed output" in ret.comment @@ -2693,7 +2694,7 @@ def _assert_cert_basic( def _get_cert(cert, encoding="pem", passphrase=None): try: - p = Path(cert) + p = pathlib.Path(cert) if p.exists(): cert = p.read_bytes() except Exception: # pylint: disable=broad-except @@ -2775,7 +2776,7 @@ def _assert_not_changed(ret): def _get_crl(crl, encoding="pem"): try: - p = Path(crl) + p = pathlib.Path(crl) if p.exists(): crl = p.read_bytes() except Exception: # pylint: disable=broad-except 
@@ -2793,7 +2794,7 @@ def _get_crl(crl, encoding="pem"): def _get_csr(csr, encoding="pem"): try: - p = Path(csr) + p = pathlib.Path(csr) if p.exists(): csr = p.read_bytes() except Exception: # pylint: disable=broad-except @@ -2811,7 +2812,7 @@ def _get_csr(csr, encoding="pem"): def _get_privkey(pk, encoding="pem", passphrase=None): try: - p = Path(pk) + p = pathlib.Path(pk) if p.exists(): pk = p.read_bytes() except Exception: # pylint: disable=broad-except diff --git a/tests/pytests/functional/transport/ipc/test_pub_server_channel.py b/tests/pytests/functional/transport/ipc/test_pub_server_channel.py index f9360297aa4..63d7239968d 100644 --- a/tests/pytests/functional/transport/ipc/test_pub_server_channel.py +++ b/tests/pytests/functional/transport/ipc/test_pub_server_channel.py @@ -13,9 +13,10 @@ log = logging.getLogger(__name__) pytestmark = [ + pytest.mark.skip_on_fips_enabled_platform, pytest.mark.skip_on_spawning_platform( reason="These tests are currently broken on spawning platforms. Need to be rewritten.", - ) + ), ] diff --git a/tests/pytests/functional/transport/tcp/test_load_balanced_server.py b/tests/pytests/functional/transport/tcp/test_load_balanced_server.py index cfc25f917e5..9ab429b1ff4 100644 --- a/tests/pytests/functional/transport/tcp/test_load_balanced_server.py +++ b/tests/pytests/functional/transport/tcp/test_load_balanced_server.py @@ -12,6 +12,7 @@ pytestmark = [ ] +@pytest.mark.skip_on_fips_enabled_platform def test_tcp_load_balancer_server(master_opts, io_loop): messages = [] diff --git a/tests/pytests/functional/transport/zeromq/test_pub_server_channel.py b/tests/pytests/functional/transport/zeromq/test_pub_server_channel.py index 27a315fda91..2a357c7c5db 100644 --- a/tests/pytests/functional/transport/zeromq/test_pub_server_channel.py +++ b/tests/pytests/functional/transport/zeromq/test_pub_server_channel.py 
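Review bot: The `skip_on_fips_enabled_platform` entry added to `pytestmark` in tests/pytests/functional/transport/ipc/test_pub_server_channel.py carries no explanation, while the `skip_on_spawning_platform` marker beside it states its reason. The same unexplained marker is added in transport/tcp/test_load_balanced_server.py and transport/zeromq/test_pub_server_channel.py. A transport test that cannot run under FIPS is surprising enough that the cause should be written down. This patch already does so in tests/pytests/unit/cloud/test_map.py, with a comment about the multiprocessing manager authenticating with HMAC and MD5. I would add a comment of that kind above each marker, e.g. `# FIPS: <what the transport test uses that is rejected>`.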
@@ -12,6 +12,7 @@ log = logging.getLogger(__name__) pytestmark = [ + pytest.mark.skip_on_fips_enabled_platform, pytest.mark.skip_on_freebsd(reason="Temporarily skipped on FreeBSD."), pytest.mark.skip_on_spawning_platform( reason="These tests are currently broken on spawning platforms. Need to be rewritten.", diff --git a/tests/pytests/integration/daemons/test_memory_leak.py b/tests/pytests/integration/daemons/test_memory_leak.py index 1b782760418..fb608fc1864 100644 --- a/tests/pytests/integration/daemons/test_memory_leak.py +++ b/tests/pytests/integration/daemons/test_memory_leak.py @@ -44,6 +44,7 @@ def file_add_delete_sls(testfile_path, base_env_state_tree_root_dir): yield sls_name +@pytest.mark.skip_on_fips_enabled_platform @pytest.mark.skip_on_darwin(reason="MacOS is a spawning platform, won't work") @pytest.mark.flaky(max_runs=4) def test_memory_leak(salt_cli, salt_minion, file_add_delete_sls): diff --git a/tests/pytests/integration/ssh/test_saltcheck.py b/tests/pytests/integration/ssh/test_saltcheck.py index 51068850265..a4cd6f3d8e0 100644 --- a/tests/pytests/integration/ssh/test_saltcheck.py +++ b/tests/pytests/integration/ssh/test_saltcheck.py @@ -1,4 +1,5 @@ import pytest +from pytestskipmarkers.utils import platform pytestmark = [ pytest.mark.slow_test, @@ -6,6 +7,12 @@ pytestmark = [ ] +@pytest.fixture +def _skip_on_fips_and_arm64(grains): + if platform.is_fips_enabled() and grains["cpuarch"] == "aarch64": + pytest.skip("Test cannot run on a FIPS enabled platform") + + def test_saltcheck_run_test(salt_ssh_cli): """ test saltcheck.run_test with salt-ssh @@ -23,6 +30,7 @@ def test_saltcheck_run_test(salt_ssh_cli): assert ret.data["status"] == "Pass" +@pytest.mark.usefixtures("_skip_on_fips_and_arm64") def test_saltcheck_state(salt_ssh_cli): """ saltcheck.run_state_tests diff --git a/tests/pytests/integration/states/test_x509_v2.py b/tests/pytests/integration/states/test_x509_v2.py index be01852919b..b13a2a8922a 100644 
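Review bot: In tests/pytests/integration/ssh/test_saltcheck.py the `_skip_on_fips_and_arm64` fixture skips only when FIPS is enabled and `grains["cpuarch"] == "aarch64"`, but its message reads "Test cannot run on a FIPS enabled platform", which is not the condition being tested. Anyone reading a skip report will assume the test is skipped on all FIPS hosts, and nothing explains why the architecture matters. Suggest `pytest.skip("Test cannot run on a FIPS enabled aarch64 platform")` plus a comment above the `if` recording the observed failure. A FIPS failure that appears on one architecture only may be a real defect rather than a test limitation, so a tracking-issue reference in that comment would be worth having.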
--- a/tests/pytests/integration/states/test_x509_v2.py +++ b/tests/pytests/integration/states/test_x509_v2.py @@ -666,6 +666,7 @@ def test_privkey_new_with_prereq(x509_salt_call_cli, tmp_path): assert not _belongs_to(cert_new, pk_cur) +@pytest.mark.skip_on_fips_enabled_platform @pytest.mark.usefixtures("privkey_new_pkcs12") @pytest.mark.skipif( CRYPTOGRAPHY_VERSION[0] < 36, diff --git a/tests/pytests/unit/cloud/test_cloud.py b/tests/pytests/unit/cloud/test_cloud.py index bd8595dcf86..ecdab4de575 100644 --- a/tests/pytests/unit/cloud/test_cloud.py +++ b/tests/pytests/unit/cloud/test_cloud.py @@ -126,6 +126,7 @@ def test_vm_config_merger(): assert expected == vm +@pytest.mark.skip_on_fips_enabled_platform def test_cloud_run_profile_create_returns_boolean(master_config): master_config["profiles"] = {"test_profile": {"provider": "test_provider:saltify"}} diff --git a/tests/pytests/unit/cloud/test_map.py b/tests/pytests/unit/cloud/test_map.py index 06f71b6d6e5..ce2999003e7 100644 --- a/tests/pytests/unit/cloud/test_map.py +++ b/tests/pytests/unit/cloud/test_map.py @@ -99,6 +99,8 @@ def salt_cloud_config_file(salt_master_factory): return os.path.join(salt_master_factory.config_dir, "cloud") +# The cloud map merge uses python's multiprocessing manager which authenticates using HMAC and MD5 +@pytest.mark.skip_on_fips_enabled_platform def test_cloud_map_merge_conf(salt_cloud_config_file, grains): """ Ensure that nested values can be selectivly overridden in a map file diff --git a/tests/pytests/unit/modules/test_hashutil.py b/tests/pytests/unit/modules/test_hashutil.py index d8f2195c174..c91e99ce6b7 100644 --- a/tests/pytests/unit/modules/test_hashutil.py +++ b/tests/pytests/unit/modules/test_hashutil.py 
@@ -61,6 +61,7 @@ def test_base64_decodestring(the_string, the_string_base64): assert hashutil.base64_decodestring(the_string_base64) == the_string +@pytest.mark.skip_on_fips_enabled_platform def test_md5_digest(the_string, the_string_md5): assert hashutil.md5_digest(the_string) == the_string_md5 diff --git a/tests/pytests/unit/modules/test_postgres.py b/tests/pytests/unit/modules/test_postgres.py index b9178fa038e..b828e8204b9 100644 --- a/tests/pytests/unit/modules/test_postgres.py +++ b/tests/pytests/unit/modules/test_postgres.py @@ -2,6 +2,7 @@ import datetime import re import pytest +from pytestskipmarkers.utils import platform import salt.modules.config as configmod import salt.modules.postgres as postgres @@ -117,6 +118,8 @@ def idfn(val): ids=idfn, ) def test_verify_password(role, password, verifier, method, result): + if platform.is_fips_enabled() and (method == "md5" or verifier == md5_pw): + pytest.skip("Test cannot run on a FIPS enabled platform") assert postgres._verify_password(role, password, verifier, method) == result @@ -971,6 +974,7 @@ def test_user_update3(): ) +@pytest.mark.skip_on_fips_enabled_platform def test_user_update_encrypted_passwd(): with patch( "salt.modules.postgres._run_psql", Mock(return_value={"retcode": 0}) @@ -1226,6 +1230,7 @@ def test_create_extension_newerthan(): assert not postgres.create_extension("foo", ext_version="a", schema="b") +@pytest.mark.skip_on_fips_enabled_platform def test_encrypt_passwords(): assert postgres._maybe_encrypt_password("foo", "bar", False) == "bar" assert ( diff --git a/tests/pytests/unit/states/postgresql/test_group.py b/tests/pytests/unit/states/postgresql/test_group.py index 2eb77bf4c0f..6957ce54540 100644 --- a/tests/pytests/unit/states/postgresql/test_group.py +++ b/tests/pytests/unit/states/postgresql/test_group.py @@ -1,4 +1,5 @@ import pytest +from pytestskipmarkers.utils import platform import salt.modules.postgres as postgres import salt.states.postgres_group as postgres_group 
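Review bot: Marking the whole of `test_encrypt_passwords` in tests/pytests/unit/modules/test_postgres.py with `skip_on_fips_enabled_platform` also drops assertions that hash nothing, such as the first visible one, `postgres._maybe_encrypt_password("foo", "bar", False) == "bar"`. The rest of the body is outside the hunk, but if it mixes MD5 cases with others, moving the MD5 assertions into their own test and marking only that one would keep the rest running on FIPS hosts. `test_verify_password` in the same file already takes this narrower approach, skipping only when `method == "md5"` or the verifier is `md5_pw`. The same consideration applies to `test_user_update_encrypted_passwd`, marked in the preceding hunk.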
@@ -19,6 +20,8 @@ def fixture_db_args(): @pytest.fixture(name="md5_pw") def fixture_md5_pw(): + if platform.is_fips_enabled(): + pytest.skip("Test cannot run on a FIPS enabled platform") # 'md5' + md5('password' + 'groupname') return "md58b14c378fab8ef0dc227f4e6d6787a87" @@ -79,6 +82,7 @@ def configure_loader_modules(mocks): # ========== +@pytest.mark.skip_on_fips_enabled_platform def test_present_create_basic(mocks, db_args): assert postgres_group.present("groupname") == { "name": "groupname", @@ -343,6 +347,7 @@ def test_present_update_md5_password(mocks, existing_group, md5_pw, db_args): ) +@pytest.mark.skip_on_fips_enabled_platform def test_present_update_error(mocks, existing_group): existing_group["password"] = "md500000000000000000000000000000000" mocks["postgres.role_get"].return_value = existing_group diff --git a/tests/pytests/unit/states/postgresql/test_user.py b/tests/pytests/unit/states/postgresql/test_user.py index 46d76535144..1d5dba9b1bb 100644 --- a/tests/pytests/unit/states/postgresql/test_user.py +++ b/tests/pytests/unit/states/postgresql/test_user.py @@ -1,4 +1,5 @@ import pytest +from pytestskipmarkers.utils import platform import salt.modules.postgres as postgres import salt.states.postgres_user as postgres_user @@ -25,6 +26,8 @@ def fixture_db_args(): @pytest.fixture(name="md5_pw") def fixture_md5_pw(): # 'md5' + md5('password' + 'username') + if platform.is_fips_enabled(): + pytest.skip("Test cannot run on a FIPS enabled platform") return "md55a231fcdb710d73268c4f44283487ba2" diff --git a/tests/pytests/unit/states/test_boto_cloudwatch_event.py b/tests/pytests/unit/states/test_boto_cloudwatch_event.py index 2974947e60e..684744464e7 100644 --- a/tests/pytests/unit/states/test_boto_cloudwatch_event.py +++ b/tests/pytests/unit/states/test_boto_cloudwatch_event.py @@ -17,6 +17,7 @@ log = logging.getLogger(__name__) pytestmark = [ pytest.mark.slow_test, + pytest.mark.skip_on_fips_enabled_platform, ] 
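Review bot: In `fixture_md5_pw` of tests/pytests/unit/states/postgresql/test_user.py the FIPS check is inserted between the comment `# 'md5' + md5('password' + 'username')` and the `return` it describes, so the comment now reads as if it documents the skip. The equivalent fixture in postgresql/test_group.py, changed earlier in this patch, puts the check first and keeps the comment directly above the returned value. Move the two added lines above the comment so both files agree.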
diff --git a/tests/pytests/unit/states/test_boto_iot.py b/tests/pytests/unit/states/test_boto_iot.py index 594cd9982bb..6da6628b655 100644 --- a/tests/pytests/unit/states/test_boto_iot.py +++ b/tests/pytests/unit/states/test_boto_iot.py @@ -18,6 +18,7 @@ log = logging.getLogger(__name__) pytestmark = [ pytest.mark.slow_test, + pytest.mark.skip_on_fips_enabled_platform, ] diff --git a/tests/pytests/unit/utils/jinja/test_custom_extensions.py b/tests/pytests/unit/utils/jinja/test_custom_extensions.py index 4d004230fcb..d213b69709d 100644 --- a/tests/pytests/unit/utils/jinja/test_custom_extensions.py +++ b/tests/pytests/unit/utils/jinja/test_custom_extensions.py @@ -46,7 +46,6 @@ def minion_opts(tmp_path, minion_opts): "file_roots": {"test": [str(tmp_path / "templates")]}, "pillar_roots": {"test": [str(tmp_path / "templates")]}, "fileserver_backend": ["roots"], - "hash_type": "md5", "extension_modules": os.path.join( os.path.dirname(os.path.abspath(__file__)), "extmods" ), @@ -1041,6 +1040,7 @@ def test_method_call(minion_opts, local_salt): assert rendered == "None" +@pytest.mark.skip_on_fips_enabled_platform def test_md5(minion_opts, local_salt): """ Test the `md5` Jinja filter. diff --git a/tests/pytests/unit/utils/jinja/test_get_template.py b/tests/pytests/unit/utils/jinja/test_get_template.py index 35fc188b812..cdba34fa171 100644 --- a/tests/pytests/unit/utils/jinja/test_get_template.py +++ b/tests/pytests/unit/utils/jinja/test_get_template.py @@ -61,7 +61,6 @@ def minion_opts(tmp_path, minion_opts): "file_roots": {"test": [str(tmp_path / "files" / "test")]}, "pillar_roots": {"test": [str(tmp_path / "files" / "test")]}, "fileserver_backend": ["roots"], - "hash_type": "md5", "extension_modules": os.path.join( os.path.dirname(os.path.abspath(__file__)), "extmods" ), diff --git a/tests/support/pytest/mysql.py b/tests/support/pytest/mysql.py index 337a4f8e642..ac3b6601d7f 100644 --- a/tests/support/pytest/mysql.py +++ b/tests/support/pytest/mysql.py 
@@ -3,6 +3,7 @@ import time import attr import pytest +from pytestskipmarkers.utils import platform from saltfactories.utils import random_string # This `pytest.importorskip` here actually works because this module @@ -102,6 +103,10 @@ def mysql_image(request): @pytest.fixture(scope="module") def create_mysql_combo(mysql_image): + if platform.is_fips_enabled(): + if mysql_image.name in ("mysql-server", "percona") and mysql_image.tag == "8.0": + pytest.skip(f"These tests fail on {mysql_image.name}:{mysql_image.tag}") + return MySQLCombo( mysql_name=mysql_image.name, mysql_version=mysql_image.tag, diff --git a/tests/unit/modules/test_boto3_elasticsearch.py b/tests/unit/modules/test_boto3_elasticsearch.py index 6b82c0abba7..0e60a9e0746 100644 --- a/tests/unit/modules/test_boto3_elasticsearch.py +++ b/tests/unit/modules/test_boto3_elasticsearch.py @@ -28,6 +28,10 @@ except ImportError: # https://github.com/boto/boto/commit/33ac26b416fbb48a60602542b4ce15dcc7029f12 REQUIRED_BOTO3_VERSION = "1.2.1" +pytestmark = [ + pytest.mark.skip_on_fips_enabled_platform, +] + def __virtual__(): """ diff --git a/tests/unit/modules/test_boto3_route53.py b/tests/unit/modules/test_boto3_route53.py index 9d421471942..5e7332fbb35 100644 --- a/tests/unit/modules/test_boto3_route53.py +++ b/tests/unit/modules/test_boto3_route53.py @@ -25,6 +25,10 @@ except ImportError: # https://github.com/boto/boto/commit/33ac26b416fbb48a60602542b4ce15dcc7029f12 REQUIRED_BOTO3_VERSION = "1.2.1" +pytestmark = [ + pytest.mark.skip_on_fips_enabled_platform, +] + def __virtual__(): """ diff --git a/tests/unit/modules/test_boto_apigateway.py b/tests/unit/modules/test_boto_apigateway.py index 5f3d2a49822..e6bb33a47dc 100644 --- a/tests/unit/modules/test_boto_apigateway.py +++ b/tests/unit/modules/test_boto_apigateway.py @@ -23,6 +23,10 @@ try: except ImportError: HAS_BOTO = False +pytestmark = [ + pytest.mark.skip_on_fips_enabled_platform, +] + # pylint: enable=import-error,no-name-in-module 
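Review bot: The skip message in `create_mysql_combo` omits the condition that triggers it: the skip fires only when `platform.is_fips_enabled()` is true, but the test report will show `These tests fail on mysql-server:8.0` as if the image were broken everywhere. Include the platform in the message, e.g. `pytest.skip(f"{mysql_image.name}:{mysql_image.tag} tests fail on a FIPS enabled platform")`, and add the cause if it is known. The two nested `if` statements can also be a single condition joined with `and`. The tag check is an exact match on `"8.0"`, so other tags of the same images presumably still run on FIPS hosts; confirm that is intended.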
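Review bot: In `tests/unit/modules/test_boto_apigateway.py` the new `pytestmark` list is inserted above the `# pylint: enable=import-error,no-name-in-module` line, so it lands inside the region where those checks are switched off for the guarded boto import. Moving the block below the `# pylint: enable=...` comment keeps the disabled region limited to the `try`/`except ImportError` it was written for. The same placement occurs in the hunks for `test_boto_cloudtrail.py`, `test_boto_cloudwatch_event.py`, `test_boto_cognitoidentity.py`, `test_boto_elasticsearch_domain.py`, `test_boto_iot.py`, `test_boto_lambda.py`, `test_boto_s3_bucket.py` and the two `tests/unit/states` boto modules. The matching `# pylint: disable` line is outside these hunks, so this is inferred from the `enable` comment alone.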
diff --git a/tests/unit/modules/test_boto_cloudtrail.py b/tests/unit/modules/test_boto_cloudtrail.py index de31ff955a0..3b6488b3129 100644 --- a/tests/unit/modules/test_boto_cloudtrail.py +++ b/tests/unit/modules/test_boto_cloudtrail.py @@ -22,6 +22,10 @@ try: except ImportError: HAS_BOTO = False +pytestmark = [ + pytest.mark.skip_on_fips_enabled_platform, +] + # pylint: enable=import-error,no-name-in-module,unused-import # the boto_cloudtrail module relies on the connect_to_region() method diff --git a/tests/unit/modules/test_boto_cloudwatch_event.py b/tests/unit/modules/test_boto_cloudwatch_event.py index 82d158104aa..4d37747b8f7 100644 --- a/tests/unit/modules/test_boto_cloudwatch_event.py +++ b/tests/unit/modules/test_boto_cloudwatch_event.py @@ -22,6 +22,10 @@ try: except ImportError: HAS_BOTO = False +pytestmark = [ + pytest.mark.skip_on_fips_enabled_platform, +] + # pylint: enable=import-error,no-name-in-module,unused-import log = logging.getLogger(__name__) diff --git a/tests/unit/modules/test_boto_cognitoidentity.py b/tests/unit/modules/test_boto_cognitoidentity.py index 1e213a169ac..51ae9075a0b 100644 --- a/tests/unit/modules/test_boto_cognitoidentity.py +++ b/tests/unit/modules/test_boto_cognitoidentity.py @@ -21,6 +21,10 @@ try: except ImportError: HAS_BOTO = False +pytestmark = [ + pytest.mark.skip_on_fips_enabled_platform, +] + # pylint: enable=import-error,no-name-in-module diff --git a/tests/unit/modules/test_boto_elasticsearch_domain.py b/tests/unit/modules/test_boto_elasticsearch_domain.py index 5c5845aa25b..e0329df5cec 100644 --- a/tests/unit/modules/test_boto_elasticsearch_domain.py +++ b/tests/unit/modules/test_boto_elasticsearch_domain.py @@ -21,6 +21,10 @@ try: except ImportError: HAS_BOTO = False +pytestmark = [ + pytest.mark.skip_on_fips_enabled_platform, +] + # pylint: enable=import-error,no-name-in-module diff --git a/tests/unit/modules/test_boto_iot.py b/tests/unit/modules/test_boto_iot.py index 7c96244ce08..8c61d86dd9b 100644 
--- a/tests/unit/modules/test_boto_iot.py +++ b/tests/unit/modules/test_boto_iot.py @@ -23,6 +23,10 @@ try: except ImportError: HAS_BOTO = False +pytestmark = [ + pytest.mark.skip_on_fips_enabled_platform, +] + # pylint: enable=import-error,no-name-in-module,unused-import # the boto_iot module relies on the connect_to_region() method diff --git a/tests/unit/modules/test_boto_lambda.py b/tests/unit/modules/test_boto_lambda.py index d32dc9345b6..157e559207d 100644 --- a/tests/unit/modules/test_boto_lambda.py +++ b/tests/unit/modules/test_boto_lambda.py @@ -26,6 +26,10 @@ try: except ImportError: HAS_BOTO = False +pytestmark = [ + pytest.mark.skip_on_fips_enabled_platform, +] + # pylint: enable=import-error,no-name-in-module # the boto_lambda module relies on the connect_to_region() method diff --git a/tests/unit/modules/test_boto_s3_bucket.py b/tests/unit/modules/test_boto_s3_bucket.py index 8e418a8293c..90d868d1141 100644 --- a/tests/unit/modules/test_boto_s3_bucket.py +++ b/tests/unit/modules/test_boto_s3_bucket.py @@ -22,6 +22,10 @@ try: except ImportError: HAS_BOTO = False +pytestmark = [ + pytest.mark.skip_on_fips_enabled_platform, +] + # pylint: enable=import-error,no-name-in-module,unused-import # the boto_s3_bucket module relies on the connect_to_region() method diff --git a/tests/unit/modules/test_virt.py b/tests/unit/modules/test_virt.py index 7e72d07b8e7..2fee41f8bd9 100644 --- a/tests/unit/modules/test_virt.py +++ b/tests/unit/modules/test_virt.py 
@@ -2,32 +2,27 @@ virt execution module unit tests """ -# pylint: disable=3rd-party-module-not-gated - - import datetime import os import shutil import tempfile import xml.etree.ElementTree as ET +import pytest + import salt.config import salt.modules.config as config import salt.modules.virt as virt import salt.syspaths import salt.utils.yaml from salt.exceptions import CommandExecutionError, SaltInvocationError - -# pylint: disable=import-error from tests.support.helpers import dedent from tests.support.mixins import LoaderModuleMockMixin from tests.support.mock import MagicMock, patch from tests.support.unit import TestCase -# pylint: disable=invalid-name,protected-access,attribute-defined-outside-init,too-many-public-methods,unused-argument - -class LibvirtMock(MagicMock): # pylint: disable=too-many-ancestors +class LibvirtMock(MagicMock): """ Libvirt library mock """ @@ -1882,6 +1877,7 @@ class VirtTestCase(TestCase, LoaderModuleMockMixin): ], ) + @pytest.mark.skip_on_fips_enabled_platform def test_init(self): """ Test init() function diff --git a/tests/unit/modules/test_zcbuildout.py b/tests/unit/modules/test_zcbuildout.py index ac98435ffa0..db7a862f727 100644 --- a/tests/unit/modules/test_zcbuildout.py +++ b/tests/unit/modules/test_zcbuildout.py @@ -20,12 +20,13 @@ from tests.support.runtests import RUNTIME_VARS from tests.support.unit import TestCase pytestmark = [ + pytest.mark.skip_on_fips_enabled_platform, pytest.mark.skip_on_windows( reason=( "Special steps are required for proper SSL validation because " "`easy_install` is too old(and deprecated)." ) - ) + ), ] KNOWN_VIRTUALENV_BINARY_NAMES = ( diff --git a/tests/unit/states/test_boto_apigateway.py b/tests/unit/states/test_boto_apigateway.py index 51c85d6058a..7cf95a43442 100644 --- a/tests/unit/states/test_boto_apigateway.py +++ b/tests/unit/states/test_boto_apigateway.py 
@@ -28,6 +28,10 @@ try: except ImportError: HAS_BOTO = False +pytestmark = [ + pytest.mark.skip_on_fips_enabled_platform, +] + # pylint: enable=import-error,no-name-in-module diff --git a/tests/unit/states/test_boto_cognitoidentity.py b/tests/unit/states/test_boto_cognitoidentity.py index 4354df0546f..f84a055dd2d 100644 --- a/tests/unit/states/test_boto_cognitoidentity.py +++ b/tests/unit/states/test_boto_cognitoidentity.py @@ -25,6 +25,10 @@ try: except ImportError: HAS_BOTO = False +pytestmark = [ + pytest.mark.skip_on_fips_enabled_platform, +] + # pylint: enable=import-error,no-name-in-module diff --git a/tests/unit/states/test_zcbuildout.py b/tests/unit/states/test_zcbuildout.py index b5f919ac6b2..7cafbba6a62 100644 --- a/tests/unit/states/test_zcbuildout.py +++ b/tests/unit/states/test_zcbuildout.py @@ -11,12 +11,13 @@ from tests.support.runtests import RUNTIME_VARS from tests.unit.modules.test_zcbuildout import KNOWN_VIRTUALENV_BINARY_NAMES, Base pytestmark = [ + pytest.mark.skip_on_fips_enabled_platform, pytest.mark.skip_on_windows( reason=( "Special steps are required for proper SSL validation because " "`easy_install` is too old(and deprecated)." ) - ) + ), ] diff --git a/tests/unit/utils/test_boto3mod.py b/tests/unit/utils/test_boto3mod.py index 74f6478e272..0a9509ab598 100644 --- a/tests/unit/utils/test_boto3mod.py +++ b/tests/unit/utils/test_boto3mod.py @@ -24,6 +24,10 @@ except ImportError: REQUIRED_BOTO3_VERSION = "1.2.1" +pytestmark = [ + pytest.mark.skip_on_fips_enabled_platform, +] + @pytest.mark.skipif(HAS_BOTO3 is False, reason="The boto module must be installed.") @pytest.mark.skipif( diff --git a/tests/unit/utils/test_botomod.py b/tests/unit/utils/test_botomod.py index bf3ca37a837..3e67cbec698 100644 --- a/tests/unit/utils/test_botomod.py +++ b/tests/unit/utils/test_botomod.py 
@@ -53,6 +53,11 @@ except ImportError: return stub_function +pytestmark = [ + pytest.mark.skip_on_fips_enabled_platform, +] + + required_boto_version = "2.0.0" required_boto3_version = "1.2.1" region = "us-east-1" diff --git a/tests/unit/utils/test_find.py b/tests/unit/utils/test_find.py index bc81c48554d..1960d4a3510 100644 --- a/tests/unit/utils/test_find.py +++ b/tests/unit/utils/test_find.py @@ -332,6 +332,7 @@ class TestPrintOption(TestCase): option = salt.utils.find.PrintOption("print", "path user") self.assertEqual(option.requires(), salt.utils.find._REQUIRES_STAT) + @pytest.mark.skip_on_fips_enabled_platform def test_print_option_execute(self): hello_file = os.path.join(self.tmpdir, "hello.txt") with salt.utils.files.fopen(hello_file, "w") as fp_: diff --git a/tests/unit/utils/test_hashutils.py b/tests/unit/utils/test_hashutils.py index 5cf11c114ef..b9a685957a5 100644 --- a/tests/unit/utils/test_hashutils.py +++ b/tests/unit/utils/test_hashutils.py @@ -1,3 +1,5 @@ +import pytest + import salt.utils.hashutils from tests.support.unit import TestCase @@ -87,6 +89,7 @@ class HashutilsTestCase(TestCase): self.bytes, ) + @pytest.mark.skip_on_fips_enabled_platform def test_md5_digest(self): """ Ensure that this function converts the value passed to bytes before