Skip tests which can't run, or even pass on FIPS enabled platforms

Signed-off-by: Pedro Algarvio <palgarvio@vmware.com>

.pylintrc

@@ -698,7 +698,8 @@ allowed-3rd-party-modules=msgpack,
                           ptscripts,
                           packaging,
                           looseversion,
-                          pytestskipmarkers
+                          pytestskipmarkers,
+                          cryptography
 
 [EXCEPTIONS]
 

salt/pillar/sql_base.py

@@ -198,22 +198,20 @@ More complete example for MySQL (to also show configuration)
             with_lists: [1,3]
 """
 
-import abc  # Added in python2.6 so always available
+import abc
 import logging
 
 from salt.utils.dictupdate import update
 from salt.utils.odict import OrderedDict
 
+log = logging.getLogger(__name__)
+
 # Please don't strip redundant parentheses from this file.
 # I have added some for clarity.
 
 # tests/unit/pillar/mysql_test.py may help understand this code.
 
 
-# Set up logging
-log = logging.getLogger(__name__)
-
-
 # This ext_pillar is abstract and cannot be used directory
 def __virtual__():
     return False

tests/integration/cloud/clouds/test_digitalocean.py

@@ -1,10 +1,11 @@
 """
 Integration tests for DigitalOcean APIv2
 """
-
 import base64
 import hashlib
 
+import pytest
+
 import salt.crypt
 import salt.utils.stringutils
 from tests.integration.cloud.helpers.cloud_test_base import TIMEOUT, CloudTest
@@ -43,6 +44,7 @@ class DigitalOceanTest(CloudTest):
         _list_sizes = self.run_cloud("--list-sizes {}".format(self.PROVIDER))
         self.assertIn("16gb", [i.strip() for i in _list_sizes])
 
+    @pytest.mark.skip_on_fips_enabled_platform
     def test_key_management(self):
         """
         Test key management

tests/integration/externalapi/test_venafiapi.py

@@ -43,13 +43,10 @@ class VenafiTest(ShellCase):
 
     @with_random_name
     @pytest.mark.slow_test
+    @pytest.mark.skip_on_fips_enabled_platform
     def test_request(self, name):
         cn = "{}.example.com".format(name)
 
-        # Provide python27 compatibility
-        if not isinstance(cn, str):
-            cn = cn.decode()
-
         ret = self.run_run_plus(
             fun="venafi.request",
             minion_id=cn,
@@ -126,10 +123,6 @@ xlAKgaU6i03jOm5+sww5L2YVMi1eeBN+kx7o94ogpRemC/EUidvl1PUJ6+e7an9V
             csr_path = f.name
             cn = "test-csr-32313131.venafi.example.com"
 
-            # Provide python27 compatibility
-            if not isinstance(cn, str):
-                cn = cn.decode()
-
             ret = self.run_run_plus(
                 fun="venafi.request", minion_id=cn, csr_path=csr_path, zone="fake"
             )

tests/integration/states/test_archive.py

@@ -106,6 +106,7 @@ class ArchiveTest(ModuleCase, SaltReturnAssertsMixin):
 
         self._check_extracted(self.untar_file)
 
+    @pytest.mark.skip_on_fips_enabled_platform
     def test_archive_extracted_with_source_hash(self):
         """
         test archive.extracted without skip_verify
@@ -127,6 +128,7 @@ class ArchiveTest(ModuleCase, SaltReturnAssertsMixin):
         self._check_extracted(self.untar_file)
 
     @pytest.mark.skip_if_not_root
+    @pytest.mark.skip_on_fips_enabled_platform
     def test_archive_extracted_with_root_user_and_group(self):
         """
         test archive.extracted with user and group set to "root"
@@ -151,6 +153,7 @@ class ArchiveTest(ModuleCase, SaltReturnAssertsMixin):
         self._check_extracted(self.untar_file)
 
     @pytest.mark.slow_test
+    @pytest.mark.skip_on_fips_enabled_platform
     def test_archive_extracted_with_strip_in_options(self):
         """
         test archive.extracted with --strip in options
@@ -170,6 +173,7 @@ class ArchiveTest(ModuleCase, SaltReturnAssertsMixin):
 
         self._check_extracted(os.path.join(ARCHIVE_DIR, "README"))
 
+    @pytest.mark.skip_on_fips_enabled_platform
     def test_archive_extracted_with_strip_components_in_options(self):
         """
         test archive.extracted with --strip-components in options
@@ -190,6 +194,7 @@ class ArchiveTest(ModuleCase, SaltReturnAssertsMixin):
         self._check_extracted(os.path.join(ARCHIVE_DIR, "README"))
 
     @pytest.mark.slow_test
+    @pytest.mark.skip_on_fips_enabled_platform
     def test_archive_extracted_without_archive_format(self):
         """
         test archive.extracted with no archive_format option
@@ -206,6 +211,7 @@ class ArchiveTest(ModuleCase, SaltReturnAssertsMixin):
 
         self._check_extracted(self.untar_file)
 
+    @pytest.mark.skip_on_fips_enabled_platform
     def test_archive_extracted_with_cmd_unzip_false(self):
         """
         test archive.extracted using use_cmd_unzip argument as false
@@ -240,6 +246,7 @@ class ArchiveTest(ModuleCase, SaltReturnAssertsMixin):
 
         self._check_extracted(self.untar_file)
 
+    @pytest.mark.skip_on_fips_enabled_platform
     def test_local_archive_extracted_skip_verify(self):
         """
         test archive.extracted with local file, bad hash and skip_verify
@@ -258,6 +265,7 @@ class ArchiveTest(ModuleCase, SaltReturnAssertsMixin):
         self._check_extracted(self.untar_file)
 
     @pytest.mark.slow_test
+    @pytest.mark.skip_on_fips_enabled_platform
     def test_local_archive_extracted_with_source_hash(self):
         """
         test archive.extracted with local file and valid hash
@@ -275,6 +283,7 @@ class ArchiveTest(ModuleCase, SaltReturnAssertsMixin):
         self._check_extracted(self.untar_file)
 
     @pytest.mark.slow_test
+    @pytest.mark.skip_on_fips_enabled_platform
     def test_local_archive_extracted_with_bad_source_hash(self):
         """
         test archive.extracted with local file and bad hash
@@ -289,6 +298,7 @@ class ArchiveTest(ModuleCase, SaltReturnAssertsMixin):
 
         self.assertSaltFalseReturn(ret)
 
+    @pytest.mark.skip_on_fips_enabled_platform
     def test_local_archive_extracted_with_uppercase_source_hash(self):
         """
         test archive.extracted with local file and bad hash

tests/pytests/functional/cache/test_consul.py

@@ -14,6 +14,7 @@ docker = pytest.importorskip("docker")
 log = logging.getLogger(__name__)
 
 pytestmark = [
+    pytest.mark.skip_on_fips_enabled_platform,
     pytest.mark.slow_test,
     pytest.mark.skip_if_binaries_missing("dockerd"),
 ]

tests/pytests/functional/modules/state/test_jinja_filters.py

@@ -6,6 +6,7 @@ import os
 
 import attr
 import pytest
+from pytestskipmarkers.utils import platform
 
 import salt.utils.files
 import salt.utils.path
@@ -932,7 +933,11 @@ def _filter_id(value):
     ids=_filter_id,
 )
 def filter(request):
-    return request.param
+    _filter = request.param
+    if platform.is_fips_enabled():
+        if _filter.name in ("md5", "random_hash"):
+            pytest.skip("Test cannot run on a FIPS enabled platform")
+    return _filter
 
 
 def test_filter(state, state_tree, filter, grains):

tests/pytests/functional/modules/test_mysql.py

@@ -19,6 +19,7 @@ pytestmark = [
     pytest.mark.skipif(
         mysqlmod.MySQLdb is None, reason="No python mysql client installed."
     ),
+    pytest.mark.skip_on_fips_enabled_platform,
 ]
 
 

tests/pytests/functional/modules/test_x509_v2.py

@@ -23,7 +23,8 @@ except ImportError:
 CRYPTOGRAPHY_VERSION = tuple(int(x) for x in cryptography.__version__.split("."))
 
 pytestmark = [
-    pytest.mark.skipif(HAS_LIBS is False, reason="Needs cryptography library")
+    pytest.mark.skip_on_fips_enabled_platform,
+    pytest.mark.skipif(HAS_LIBS is False, reason="Needs cryptography library"),
 ]
 
 

tests/pytests/functional/states/test_x509_v2.py

@@ -1,5 +1,5 @@
 import base64
-from pathlib import Path
+import pathlib
 
 import pytest
 
@@ -26,6 +26,7 @@ CRYPTOGRAPHY_VERSION = tuple(int(x) for x in cryptography.__version__.split(".")
 pytestmark = [
     pytest.mark.slow_test,
     pytest.mark.skipif(HAS_LIBS is False, reason="Needs cryptography library"),
+    pytest.mark.skip_on_fips_enabled_platform,
 ]
 
 
@@ -703,7 +704,7 @@ def existing_pk(x509, pk_args, request):
 @pytest.fixture(params=["existing_cert"])
 def existing_symlink(request):
     existing = request.getfixturevalue(request.param)
-    test_file = Path(existing).with_name("symlink")
+    test_file = pathlib.Path(existing).with_name("symlink")
     test_file.symlink_to(existing)
     yield test_file
     # cleanup is done by tmp_path
@@ -884,7 +885,7 @@ def test_certificate_managed_test_true(x509, cert_args, rsa_privkey, ca_key):
     ret = x509.certificate_managed(**cert_args)
     assert ret.result is None
     assert ret.changes
-    assert not Path(cert_args["name"]).exists()
+    assert not pathlib.Path(cert_args["name"]).exists()
 
 
 @pytest.mark.usefixtures("existing_cert")
@@ -1324,7 +1325,7 @@ def test_certificate_managed_file_managed_create_false(
     ret = x509.certificate_managed(**cert_args)
     assert ret.result is True
     assert not ret.changes
-    assert not Path(cert_args["name"]).exists()
+    assert not pathlib.Path(cert_args["name"]).exists()
 
 
 @pytest.mark.usefixtures("existing_cert")
@@ -1397,7 +1398,7 @@ def test_certificate_managed_follow_symlinks(
     """
     cert_args["name"] = str(existing_symlink)
     cert_args["encoding"] = encoding
-    assert Path(cert_args["name"]).is_symlink()
+    assert pathlib.Path(cert_args["name"]).is_symlink()
     cert_args["follow_symlinks"] = follow
     ret = x509.certificate_managed(**cert_args)
     assert bool(ret.changes) == (not follow)
@@ -1417,13 +1418,13 @@ def test_certificate_managed_follow_symlinks_changes(
     the checking of the existing file is performed by the x509 module
     """
     cert_args["name"] = str(existing_symlink)
-    assert Path(cert_args["name"]).is_symlink()
+    assert pathlib.Path(cert_args["name"]).is_symlink()
     cert_args["follow_symlinks"] = follow
     cert_args["encoding"] = encoding
     cert_args["CN"] = "new"
     ret = x509.certificate_managed(**cert_args)
     assert ret.changes
-    assert Path(ret.name).is_symlink() == follow
+    assert pathlib.Path(ret.name).is_symlink() == follow
 
 
 @pytest.mark.parametrize("encoding", ["pem", "der"])
@@ -1436,7 +1437,7 @@ def test_certificate_managed_file_managed_error(
     cert_args["private_key"] = rsa_privkey
     cert_args["makedirs"] = False
     cert_args["encoding"] = encoding
-    cert_args["name"] = str(Path(cert_args["name"]).parent / "missing" / "cert")
+    cert_args["name"] = str(pathlib.Path(cert_args["name"]).parent / "missing" / "cert")
     ret = x509.certificate_managed(**cert_args)
     assert ret.result is False
     assert "Could not create file, see file.managed output" in ret.comment
@@ -1504,7 +1505,7 @@ def test_crl_managed_test_true(x509, crl_args, crl_revoked):
     assert ret.result is None
     assert ret.changes
     assert ret.result is None
-    assert not Path(crl_args["name"]).exists()
+    assert not pathlib.Path(crl_args["name"]).exists()
 
 
 @pytest.mark.usefixtures("existing_crl")
@@ -1708,7 +1709,7 @@ def test_crl_managed_file_managed_create_false(x509, crl_args):
     ret = x509.crl_managed(**crl_args)
     assert ret.result is True
     assert not ret.changes
-    assert not Path(crl_args["name"]).exists()
+    assert not pathlib.Path(crl_args["name"]).exists()
 
 
 @pytest.mark.usefixtures("existing_crl")
@@ -1782,7 +1783,7 @@ def test_crl_managed_follow_symlinks(
     """
     crl_args["name"] = str(existing_symlink)
     crl_args["encoding"] = encoding
-    assert Path(crl_args["name"]).is_symlink()
+    assert pathlib.Path(crl_args["name"]).is_symlink()
     crl_args["follow_symlinks"] = follow
     ret = x509.crl_managed(**crl_args)
     assert bool(ret.changes) == (not follow)
@@ -1802,13 +1803,13 @@ def test_crl_managed_follow_symlinks_changes(
     the checking of the existing file is performed by the x509 module
     """
     crl_args["name"] = str(existing_symlink)
-    assert Path(crl_args["name"]).is_symlink()
+    assert pathlib.Path(crl_args["name"]).is_symlink()
     crl_args["follow_symlinks"] = follow
     crl_args["encoding"] = encoding
     crl_args["revoked"] = crl_revoked
     ret = x509.crl_managed(**crl_args)
     assert ret.changes
-    assert Path(ret.name).is_symlink() == follow
+    assert pathlib.Path(ret.name).is_symlink() == follow
 
 
 @pytest.mark.parametrize("encoding", ["pem", "der"])
@@ -1818,7 +1819,7 @@ def test_crl_managed_file_managed_error(x509, crl_args, encoding):
     """
     crl_args["makedirs"] = False
     crl_args["encoding"] = encoding
-    crl_args["name"] = str(Path(crl_args["name"]).parent / "missing" / "crl")
+    crl_args["name"] = str(pathlib.Path(crl_args["name"]).parent / "missing" / "crl")
     ret = x509.crl_managed(**crl_args)
     assert ret.result is False
     assert "Could not create file, see file.managed output" in ret.comment
@@ -1866,7 +1867,7 @@ def test_csr_managed_test_true(x509, csr_args, rsa_privkey):
     ret = x509.csr_managed(**csr_args)
     assert ret.result is None
     assert ret.changes
-    assert not Path(csr_args["name"]).exists()
+    assert not pathlib.Path(csr_args["name"]).exists()
 
 
 @pytest.mark.usefixtures("existing_csr")
@@ -2002,7 +2003,7 @@ def test_csr_managed_file_managed_create_false(x509, csr_args):
     ret = x509.csr_managed(**csr_args)
     assert ret.result is True
     assert not ret.changes
-    assert not Path(csr_args["name"]).exists()
+    assert not pathlib.Path(csr_args["name"]).exists()
 
 
 @pytest.mark.usefixtures("existing_csr")
@@ -2066,12 +2067,12 @@ def test_csr_managed_follow_symlinks(
     the checking of the existing file is performed by the x509 module
     """
     csr_args["name"] = str(existing_symlink)
-    assert Path(csr_args["name"]).is_symlink()
+    assert pathlib.Path(csr_args["name"]).is_symlink()
     csr_args["follow_symlinks"] = follow
     csr_args["encoding"] = encoding
     ret = x509.csr_managed(**csr_args)
     assert bool(ret.changes) == (not follow)
-    assert Path(ret.name).is_symlink() == follow
+    assert pathlib.Path(ret.name).is_symlink() == follow
 
 
 @pytest.mark.parametrize(
@@ -2088,14 +2089,14 @@ def test_csr_managed_follow_symlinks_changes(
     the checking of the existing file is performed by the x509 module
     """
     csr_args["name"] = str(existing_symlink)
-    assert Path(csr_args["name"]).is_symlink()
+    assert pathlib.Path(csr_args["name"]).is_symlink()
     csr_args["follow_symlinks"] = follow
     csr_args["encoding"] = encoding
     csr_args["CN"] = "new"
     ret = x509.csr_managed(**csr_args)
     assert ret.result
     assert ret.changes
-    assert Path(ret.name).is_symlink() == follow
+    assert pathlib.Path(ret.name).is_symlink() == follow
 
 
 @pytest.mark.parametrize("encoding", ["pem", "der"])
@@ -2105,7 +2106,7 @@ def test_csr_managed_file_managed_error(x509, csr_args, encoding):
     """
     csr_args["makedirs"] = False
     csr_args["encoding"] = encoding
-    csr_args["name"] = str(Path(csr_args["name"]).parent / "missing" / "csr")
+    csr_args["name"] = str(pathlib.Path(csr_args["name"]).parent / "missing" / "csr")
     ret = x509.csr_managed(**csr_args)
     assert ret.result is False
     assert "Could not create file, see file.managed output" in ret.comment
@@ -2312,7 +2313,7 @@ def test_private_key_managed_file_managed_create_false(x509, pk_args):
     ret = x509.private_key_managed(**pk_args)
     assert ret.result is True
     assert not ret.changes
-    assert not Path(pk_args["name"]).exists()
+    assert not pathlib.Path(pk_args["name"]).exists()
 
 
 @pytest.mark.usefixtures("existing_pk")
@@ -2361,7 +2362,7 @@ def test_private_key_managed_follow_symlinks(
     """
     pk_args["name"] = str(existing_symlink)
     pk_args["encoding"] = encoding
-    assert Path(pk_args["name"]).is_symlink()
+    assert pathlib.Path(pk_args["name"]).is_symlink()
     pk_args["follow_symlinks"] = follow
     ret = x509.private_key_managed(**pk_args)
     assert bool(ret.changes) == (not follow)
@@ -2381,13 +2382,13 @@ def test_private_key_managed_follow_symlinks_changes(
     the checking of the existing file is performed by the x509 module
     """
     pk_args["name"] = str(existing_symlink)
-    assert Path(pk_args["name"]).is_symlink()
+    assert pathlib.Path(pk_args["name"]).is_symlink()
     pk_args["follow_symlinks"] = follow
     pk_args["encoding"] = encoding
     pk_args["algo"] = "ec"
     ret = x509.private_key_managed(**pk_args)
     assert ret.changes
-    assert Path(ret.name).is_symlink() == follow
+    assert pathlib.Path(ret.name).is_symlink() == follow
 
 
 @pytest.mark.usefixtures("existing_pk")
@@ -2415,7 +2416,7 @@ def test_private_key_managed_file_managed_error(x509, pk_args, encoding):
     """
     pk_args["makedirs"] = False
     pk_args["encoding"] = encoding
-    pk_args["name"] = str(Path(pk_args["name"]).parent / "missing" / "pk")
+    pk_args["name"] = str(pathlib.Path(pk_args["name"]).parent / "missing" / "pk")
     ret = x509.private_key_managed(**pk_args)
     assert ret.result is False
     assert "Could not create file, see file.managed output" in ret.comment
@@ -2693,7 +2694,7 @@ def _assert_cert_basic(
 
 def _get_cert(cert, encoding="pem", passphrase=None):
     try:
-        p = Path(cert)
+        p = pathlib.Path(cert)
         if p.exists():
             cert = p.read_bytes()
     except Exception:  # pylint: disable=broad-except
@@ -2775,7 +2776,7 @@ def _assert_not_changed(ret):
 
 def _get_crl(crl, encoding="pem"):
     try:
-        p = Path(crl)
+        p = pathlib.Path(crl)
         if p.exists():
             crl = p.read_bytes()
     except Exception:  # pylint: disable=broad-except
@@ -2793,7 +2794,7 @@ def _get_crl(crl, encoding="pem"):
 
 def _get_csr(csr, encoding="pem"):
     try:
-        p = Path(csr)
+        p = pathlib.Path(csr)
         if p.exists():
             csr = p.read_bytes()
     except Exception:  # pylint: disable=broad-except
@@ -2811,7 +2812,7 @@ def _get_csr(csr, encoding="pem"):
 
 def _get_privkey(pk, encoding="pem", passphrase=None):
     try:
-        p = Path(pk)
+        p = pathlib.Path(pk)
         if p.exists():
             pk = p.read_bytes()
     except Exception:  # pylint: disable=broad-except

tests/pytests/functional/transport/ipc/test_pub_server_channel.py

@@ -13,9 +13,10 @@ log = logging.getLogger(__name__)
 
 
 pytestmark = [
+    pytest.mark.skip_on_fips_enabled_platform,
     pytest.mark.skip_on_spawning_platform(
         reason="These tests are currently broken on spawning platforms. Need to be rewritten.",
-    )
+    ),
 ]
 
 

tests/pytests/functional/transport/tcp/test_load_balanced_server.py

@@ -12,6 +12,7 @@ pytestmark = [
 ]
 
 
+@pytest.mark.skip_on_fips_enabled_platform
 def test_tcp_load_balancer_server(master_opts, io_loop):
 
     messages = []

tests/pytests/functional/transport/zeromq/test_pub_server_channel.py

@@ -12,6 +12,7 @@ log = logging.getLogger(__name__)
 
 
 pytestmark = [
+    pytest.mark.skip_on_fips_enabled_platform,
     pytest.mark.skip_on_freebsd(reason="Temporarily skipped on FreeBSD."),
     pytest.mark.skip_on_spawning_platform(
         reason="These tests are currently broken on spawning platforms. Need to be rewritten.",

tests/pytests/integration/daemons/test_memory_leak.py

@@ -44,6 +44,7 @@ def file_add_delete_sls(testfile_path, base_env_state_tree_root_dir):
         yield sls_name
 
 
+@pytest.mark.skip_on_fips_enabled_platform
 @pytest.mark.skip_on_darwin(reason="MacOS is a spawning platform, won't work")
 @pytest.mark.flaky(max_runs=4)
 def test_memory_leak(salt_cli, salt_minion, file_add_delete_sls):

tests/pytests/integration/ssh/test_saltcheck.py

@@ -1,4 +1,5 @@
 import pytest
+from pytestskipmarkers.utils import platform
 
 pytestmark = [
     pytest.mark.slow_test,
@@ -6,6 +7,12 @@ pytestmark = [
 ]
 
 
+@pytest.fixture
+def _skip_on_fips_and_arm64(grains):
+    if platform.is_fips_enabled() and grains["cpuarch"] == "aarch64":
+        pytest.skip("Test cannot run on a FIPS enabled platform")
+
+
 def test_saltcheck_run_test(salt_ssh_cli):
     """
     test saltcheck.run_test with salt-ssh
@@ -23,6 +30,7 @@ def test_saltcheck_run_test(salt_ssh_cli):
     assert ret.data["status"] == "Pass"
 
 
+@pytest.mark.usefixtures("_skip_on_fips_and_arm64")
 def test_saltcheck_state(salt_ssh_cli):
     """
     saltcheck.run_state_tests

tests/pytests/integration/states/test_x509_v2.py

@@ -666,6 +666,7 @@ def test_privkey_new_with_prereq(x509_salt_call_cli, tmp_path):
     assert not _belongs_to(cert_new, pk_cur)
 
 
+@pytest.mark.skip_on_fips_enabled_platform
 @pytest.mark.usefixtures("privkey_new_pkcs12")
 @pytest.mark.skipif(
     CRYPTOGRAPHY_VERSION[0] < 36,

tests/pytests/unit/cloud/test_cloud.py

@@ -126,6 +126,7 @@ def test_vm_config_merger():
     assert expected == vm
 
 
+@pytest.mark.skip_on_fips_enabled_platform
 def test_cloud_run_profile_create_returns_boolean(master_config):
 
     master_config["profiles"] = {"test_profile": {"provider": "test_provider:saltify"}}

tests/pytests/unit/cloud/test_map.py

@@ -99,6 +99,8 @@ def salt_cloud_config_file(salt_master_factory):
     return os.path.join(salt_master_factory.config_dir, "cloud")
 
 
+# The cloud map merge uses python's multiprocessing manager which authenticates using HMAC and MD5
+@pytest.mark.skip_on_fips_enabled_platform
 def test_cloud_map_merge_conf(salt_cloud_config_file, grains):
     """
     Ensure that nested values can be selectivly overridden in a map file

tests/pytests/unit/modules/test_hashutil.py

@@ -61,6 +61,7 @@ def test_base64_decodestring(the_string, the_string_base64):
     assert hashutil.base64_decodestring(the_string_base64) == the_string
 
 
+@pytest.mark.skip_on_fips_enabled_platform
 def test_md5_digest(the_string, the_string_md5):
     assert hashutil.md5_digest(the_string) == the_string_md5
 

tests/pytests/unit/modules/test_postgres.py

@@ -2,6 +2,7 @@ import datetime
 import re
 
 import pytest
+from pytestskipmarkers.utils import platform
 
 import salt.modules.config as configmod
 import salt.modules.postgres as postgres
@@ -117,6 +118,8 @@ def idfn(val):
     ids=idfn,
 )
 def test_verify_password(role, password, verifier, method, result):
+    if platform.is_fips_enabled() and (method == "md5" or verifier == md5_pw):
+        pytest.skip("Test cannot run on a FIPS enabled platform")
     assert postgres._verify_password(role, password, verifier, method) == result
 
 
@@ -971,6 +974,7 @@ def test_user_update3():
         )
 
 
+@pytest.mark.skip_on_fips_enabled_platform
 def test_user_update_encrypted_passwd():
     with patch(
         "salt.modules.postgres._run_psql", Mock(return_value={"retcode": 0})
@@ -1226,6 +1230,7 @@ def test_create_extension_newerthan():
                 assert not postgres.create_extension("foo", ext_version="a", schema="b")
 
 
+@pytest.mark.skip_on_fips_enabled_platform
 def test_encrypt_passwords():
     assert postgres._maybe_encrypt_password("foo", "bar", False) == "bar"
     assert (

tests/pytests/unit/states/postgresql/test_group.py

@@ -1,4 +1,5 @@
 import pytest
+from pytestskipmarkers.utils import platform
 
 import salt.modules.postgres as postgres
 import salt.states.postgres_group as postgres_group
@@ -19,6 +20,8 @@ def fixture_db_args():
 
 @pytest.fixture(name="md5_pw")
 def fixture_md5_pw():
+    if platform.is_fips_enabled():
+        pytest.skip("Test cannot run on a FIPS enabled platform")
     # 'md5' + md5('password' + 'groupname')
     return "md58b14c378fab8ef0dc227f4e6d6787a87"
 
@@ -79,6 +82,7 @@ def configure_loader_modules(mocks):
 # ==========
 
 
+@pytest.mark.skip_on_fips_enabled_platform
 def test_present_create_basic(mocks, db_args):
     assert postgres_group.present("groupname") == {
         "name": "groupname",
@@ -343,6 +347,7 @@ def test_present_update_md5_password(mocks, existing_group, md5_pw, db_args):
     )
 
 
+@pytest.mark.skip_on_fips_enabled_platform
 def test_present_update_error(mocks, existing_group):
     existing_group["password"] = "md500000000000000000000000000000000"
     mocks["postgres.role_get"].return_value = existing_group

tests/pytests/unit/states/postgresql/test_user.py

@@ -1,4 +1,5 @@
 import pytest
+from pytestskipmarkers.utils import platform
 
 import salt.modules.postgres as postgres
 import salt.states.postgres_user as postgres_user
@@ -25,6 +26,8 @@ def fixture_db_args():
 @pytest.fixture(name="md5_pw")
 def fixture_md5_pw():
     # 'md5' + md5('password' + 'username')
+    if platform.is_fips_enabled():
+        pytest.skip("Test cannot run on a FIPS enabled platform")
     return "md55a231fcdb710d73268c4f44283487ba2"
 
 

tests/pytests/unit/states/test_boto_cloudwatch_event.py

@@ -17,6 +17,7 @@ log = logging.getLogger(__name__)
 
 pytestmark = [
     pytest.mark.slow_test,
+    pytest.mark.skip_on_fips_enabled_platform,
 ]
 
 

tests/pytests/unit/states/test_boto_iot.py

@@ -18,6 +18,7 @@ log = logging.getLogger(__name__)
 
 pytestmark = [
     pytest.mark.slow_test,
+    pytest.mark.skip_on_fips_enabled_platform,
 ]
 
 

tests/pytests/unit/utils/jinja/test_custom_extensions.py

@@ -46,7 +46,6 @@ def minion_opts(tmp_path, minion_opts):
             "file_roots": {"test": [str(tmp_path / "templates")]},
             "pillar_roots": {"test": [str(tmp_path / "templates")]},
             "fileserver_backend": ["roots"],
-            "hash_type": "md5",
             "extension_modules": os.path.join(
                 os.path.dirname(os.path.abspath(__file__)), "extmods"
             ),
@@ -1041,6 +1040,7 @@ def test_method_call(minion_opts, local_salt):
     assert rendered == "None"
 
 
+@pytest.mark.skip_on_fips_enabled_platform
 def test_md5(minion_opts, local_salt):
     """
     Test the `md5` Jinja filter.

tests/pytests/unit/utils/jinja/test_get_template.py

@@ -61,7 +61,6 @@ def minion_opts(tmp_path, minion_opts):
             "file_roots": {"test": [str(tmp_path / "files" / "test")]},
             "pillar_roots": {"test": [str(tmp_path / "files" / "test")]},
             "fileserver_backend": ["roots"],
-            "hash_type": "md5",
             "extension_modules": os.path.join(
                 os.path.dirname(os.path.abspath(__file__)), "extmods"
             ),

tests/support/pytest/mysql.py

@@ -3,6 +3,7 @@ import time
 
 import attr
 import pytest
+from pytestskipmarkers.utils import platform
 from saltfactories.utils import random_string
 
 # This `pytest.importorskip` here actually works because this module
@@ -102,6 +103,10 @@ def mysql_image(request):
 
 @pytest.fixture(scope="module")
 def create_mysql_combo(mysql_image):
+    if platform.is_fips_enabled():
+        if mysql_image.name in ("mysql-server", "percona") and mysql_image.tag == "8.0":
+            pytest.skip(f"These tests fail on {mysql_image.name}:{mysql_image.tag}")
+
     return MySQLCombo(
         mysql_name=mysql_image.name,
         mysql_version=mysql_image.tag,

tests/unit/modules/test_boto3_elasticsearch.py

@@ -28,6 +28,10 @@ except ImportError:
 # https://github.com/boto/boto/commit/33ac26b416fbb48a60602542b4ce15dcc7029f12
 REQUIRED_BOTO3_VERSION = "1.2.1"
 
+pytestmark = [
+    pytest.mark.skip_on_fips_enabled_platform,
+]
+
 
 def __virtual__():
     """

tests/unit/modules/test_boto3_route53.py

@@ -25,6 +25,10 @@ except ImportError:
 # https://github.com/boto/boto/commit/33ac26b416fbb48a60602542b4ce15dcc7029f12
 REQUIRED_BOTO3_VERSION = "1.2.1"
 
+pytestmark = [
+    pytest.mark.skip_on_fips_enabled_platform,
+]
+
 
 def __virtual__():
     """

tests/unit/modules/test_boto_apigateway.py

@@ -23,6 +23,10 @@ try:
 except ImportError:
     HAS_BOTO = False
 
+pytestmark = [
+    pytest.mark.skip_on_fips_enabled_platform,
+]
+
 
 # pylint: enable=import-error,no-name-in-module
 

tests/unit/modules/test_boto_cloudtrail.py

@@ -22,6 +22,10 @@ try:
 except ImportError:
     HAS_BOTO = False
 
+pytestmark = [
+    pytest.mark.skip_on_fips_enabled_platform,
+]
+
 # pylint: enable=import-error,no-name-in-module,unused-import
 
 # the boto_cloudtrail module relies on the connect_to_region() method

tests/unit/modules/test_boto_cloudwatch_event.py

@@ -22,6 +22,10 @@ try:
 except ImportError:
     HAS_BOTO = False
 
+pytestmark = [
+    pytest.mark.skip_on_fips_enabled_platform,
+]
+
 # pylint: enable=import-error,no-name-in-module,unused-import
 log = logging.getLogger(__name__)
 

tests/unit/modules/test_boto_cognitoidentity.py

@@ -21,6 +21,10 @@ try:
 except ImportError:
     HAS_BOTO = False
 
+pytestmark = [
+    pytest.mark.skip_on_fips_enabled_platform,
+]
+
 
 # pylint: enable=import-error,no-name-in-module
 

tests/unit/modules/test_boto_elasticsearch_domain.py

@@ -21,6 +21,10 @@ try:
 except ImportError:
     HAS_BOTO = False
 
+pytestmark = [
+    pytest.mark.skip_on_fips_enabled_platform,
+]
+
 
 # pylint: enable=import-error,no-name-in-module
 

tests/unit/modules/test_boto_iot.py

@@ -23,6 +23,10 @@ try:
 except ImportError:
     HAS_BOTO = False
 
+pytestmark = [
+    pytest.mark.skip_on_fips_enabled_platform,
+]
+
 # pylint: enable=import-error,no-name-in-module,unused-import
 
 # the boto_iot module relies on the connect_to_region() method

tests/unit/modules/test_boto_lambda.py

@@ -26,6 +26,10 @@ try:
 except ImportError:
     HAS_BOTO = False
 
+pytestmark = [
+    pytest.mark.skip_on_fips_enabled_platform,
+]
+
 # pylint: enable=import-error,no-name-in-module
 
 # the boto_lambda module relies on the connect_to_region() method

tests/unit/modules/test_boto_s3_bucket.py

@@ -22,6 +22,10 @@ try:
 except ImportError:
     HAS_BOTO = False
 
+pytestmark = [
+    pytest.mark.skip_on_fips_enabled_platform,
+]
+
 # pylint: enable=import-error,no-name-in-module,unused-import
 
 # the boto_s3_bucket module relies on the connect_to_region() method

tests/unit/modules/test_virt.py

@@ -2,32 +2,27 @@
 virt execution module unit tests
 """
 
-# pylint: disable=3rd-party-module-not-gated
-
-
 import datetime
 import os
 import shutil
 import tempfile
 import xml.etree.ElementTree as ET
 
+import pytest
+
 import salt.config
 import salt.modules.config as config
 import salt.modules.virt as virt
 import salt.syspaths
 import salt.utils.yaml
 from salt.exceptions import CommandExecutionError, SaltInvocationError
-
-# pylint: disable=import-error
 from tests.support.helpers import dedent
 from tests.support.mixins import LoaderModuleMockMixin
 from tests.support.mock import MagicMock, patch
 from tests.support.unit import TestCase
 
-# pylint: disable=invalid-name,protected-access,attribute-defined-outside-init,too-many-public-methods,unused-argument
 
-
+class LibvirtMock(MagicMock):
-class LibvirtMock(MagicMock):  # pylint: disable=too-many-ancestors
     """
     Libvirt library mock
     """
@@ -1882,6 +1877,7 @@ class VirtTestCase(TestCase, LoaderModuleMockMixin):
             ],
         )
 
+    @pytest.mark.skip_on_fips_enabled_platform
     def test_init(self):
         """
         Test init() function

tests/unit/modules/test_zcbuildout.py

@@ -20,12 +20,13 @@ from tests.support.runtests import RUNTIME_VARS
 from tests.support.unit import TestCase
 
 pytestmark = [
+    pytest.mark.skip_on_fips_enabled_platform,
     pytest.mark.skip_on_windows(
         reason=(
             "Special steps are required for proper SSL validation because "
             "`easy_install` is too old(and deprecated)."
         )
-    )
+    ),
 ]
 
 KNOWN_VIRTUALENV_BINARY_NAMES = (

tests/unit/states/test_boto_apigateway.py

@@ -28,6 +28,10 @@ try:
 except ImportError:
     HAS_BOTO = False
 
+pytestmark = [
+    pytest.mark.skip_on_fips_enabled_platform,
+]
+
 
 # pylint: enable=import-error,no-name-in-module
 

tests/unit/states/test_boto_cognitoidentity.py

@@ -25,6 +25,10 @@ try:
 except ImportError:
     HAS_BOTO = False
 
+pytestmark = [
+    pytest.mark.skip_on_fips_enabled_platform,
+]
+
 
 # pylint: enable=import-error,no-name-in-module
 

tests/unit/states/test_zcbuildout.py

@@ -11,12 +11,13 @@ from tests.support.runtests import RUNTIME_VARS
 from tests.unit.modules.test_zcbuildout import KNOWN_VIRTUALENV_BINARY_NAMES, Base
 
 pytestmark = [
+    pytest.mark.skip_on_fips_enabled_platform,
     pytest.mark.skip_on_windows(
         reason=(
             "Special steps are required for proper SSL validation because "
             "`easy_install` is too old(and deprecated)."
         )
-    )
+    ),
 ]
 
 

tests/unit/utils/test_boto3mod.py

@@ -24,6 +24,10 @@ except ImportError:
 
 REQUIRED_BOTO3_VERSION = "1.2.1"
 
+pytestmark = [
+    pytest.mark.skip_on_fips_enabled_platform,
+]
+
 
 @pytest.mark.skipif(HAS_BOTO3 is False, reason="The boto module must be installed.")
 @pytest.mark.skipif(

tests/unit/utils/test_botomod.py

@@ -53,6 +53,11 @@ except ImportError:
         return stub_function
 
 
+pytestmark = [
+    pytest.mark.skip_on_fips_enabled_platform,
+]
+
+
 required_boto_version = "2.0.0"
 required_boto3_version = "1.2.1"
 region = "us-east-1"

tests/unit/utils/test_find.py

@@ -332,6 +332,7 @@ class TestPrintOption(TestCase):
         option = salt.utils.find.PrintOption("print", "path user")
         self.assertEqual(option.requires(), salt.utils.find._REQUIRES_STAT)
 
+    @pytest.mark.skip_on_fips_enabled_platform
     def test_print_option_execute(self):
         hello_file = os.path.join(self.tmpdir, "hello.txt")
         with salt.utils.files.fopen(hello_file, "w") as fp_:

tests/unit/utils/test_hashutils.py

@@ -1,3 +1,5 @@
+import pytest
+
 import salt.utils.hashutils
 from tests.support.unit import TestCase
 
@@ -87,6 +89,7 @@ class HashutilsTestCase(TestCase):
             self.bytes,
         )
 
+    @pytest.mark.skip_on_fips_enabled_platform
     def test_md5_digest(self):
         """
         Ensure that this function converts the value passed to bytes before