ben.carrasco/prowler
1
0
Fork 0
mirror of https://github.com/prowler-cloud/prowler.git synced 2026-01-25 02:08:11 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
master
prowler/skills/prowler-test-api/SKILL.md
Pepe Fagoaga dce05295ef chore(skills): Improve Django and DRF skills (#9831) 
Co-authored-by: Adrián Jesús Peña Rodríguez <adrianjpr@gmail.com>
2026-01-22 13:54:06 +01:00

4.8 KiB
Raw Permalink Blame History

name, description, license, metadata, allowed-tools
name description license metadata allowed-tools
prowler-test-api Testing patterns for Prowler API: JSON:API, Celery tasks, RLS isolation, RBAC. Trigger: When writing tests for api/ (JSON:API requests/assertions, cross-tenant isolation, RBAC, Celery tasks, viewsets/serializers). Apache-2.0
author version scope auto_invoke
prowler-cloud 1.1.0
root
api
Writing Prowler API tests
Testing RLS tenant isolation
Read, Edit, Write, Glob, Grep, Bash, WebFetch, WebSearch, Task

Critical Rules

  • ALWAYS use response.json()["data"] not response.data
  • ALWAYS use content_type = "application/vnd.api+json" for PATCH/PUT requests
  • ALWAYS use format="vnd.api+json" for POST requests
  • ALWAYS test cross-tenant isolation - RLS returns 404, NOT 403
  • NEVER skip RLS isolation tests when adding new endpoints
  • NEVER use realistic-looking API keys in tests (TruffleHog will flag them)
  • ALWAYS mock BOTH .delay() AND Task.objects.get for async task tests

1. Fixture Dependency Chain

create_test_user (session) ─► tenants_fixture (function) ─► authenticated_client
                                     │
                                     └─► providers_fixture ─► scans_fixture ─► findings_fixture

Key Fixtures

Fixture Description
create_test_user Session user (dev@prowler.com)
tenants_fixture 3 tenants: [0],[1] have membership, [2] isolated
authenticated_client JWT client for tenant[0]
providers_fixture 9 providers in tenant[0]
tasks_fixture 2 Celery tasks with TaskResult

RBAC Fixtures

Fixture Permissions
authenticated_client_rbac All permissions (admin)
authenticated_client_rbac_noroles Membership but NO roles
authenticated_client_no_permissions_rbac All permissions = False

2. JSON:API Requests

POST (Create)

response = client.post(
    reverse("provider-list"),
    data={"data": {"type": "providers", "attributes": {...}}},
    format="vnd.api+json",  # NOT content_type!
)

PATCH (Update)

response = client.patch(
    reverse("provider-detail", kwargs={"pk": provider.id}),
    data={"data": {"type": "providers", "id": str(provider.id), "attributes": {...}}},
    content_type="application/vnd.api+json",  # NOT format!
)

Reading Responses

data = response.json()["data"]
attrs = data["attributes"]
errors = response.json()["errors"]  # For 400 responses

3. RLS Isolation (Cross-Tenant)

RLS returns 404, NOT 403 - the resource is invisible, not forbidden.

def test_cross_tenant_access_denied(self, authenticated_client, tenants_fixture):
    other_tenant = tenants_fixture[2]  # Isolated tenant
    foreign_provider = Provider.objects.create(tenant_id=other_tenant.id, ...)

    response = authenticated_client.get(reverse("provider-detail", args=[foreign_provider.id]))
    assert response.status_code == status.HTTP_404_NOT_FOUND  # NOT 403!

4. Celery Task Testing

Testing Strategies

Strategy Use For
Mock .delay() + Task.objects.get Testing views that trigger tasks
task.apply() Synchronous task logic testing
Mock chain/group Testing Canvas orchestration
Mock connection Testing @set_tenant decorator
Mock apply_async Testing Beat scheduled tasks

Why NOT task_always_eager

Problem Impact
No task serialization Misses argument type errors
No broker interaction Hides connection issues
Different execution context self.request behaves differently

Instead, use: task.apply() for sync execution, mocking for isolation.

Full examples: See assets/api_test.py for TestCeleryTaskLogic, TestCeleryCanvas, TestSetTenantDecorator, TestBeatScheduling.

5. Fake Secrets (TruffleHog)

# BAD - TruffleHog flags these:
api_key = "sk-test1234567890T3BlbkFJtest1234567890"

# GOOD - obviously fake:
api_key = "sk-fake-test-key-for-unit-testing-only"

6. Response Status Codes

Scenario Code
Successful GET 200
Successful POST 201
Async operation (DELETE/scan trigger) 202
Sync DELETE 204
Validation error 400
Missing permission (RBAC) 403
RLS isolation / not found 404

Commands

cd api && poetry run pytest -x --tb=short
cd api && poetry run pytest -k "test_provider"
cd api && poetry run pytest api/src/backend/api/tests/test_rbac.py

Resources

Reference in New Issue View Git Blame Copy Permalink