mirror of
https://github.com/prowler-cloud/prowler.git
synced 2026-07-04 19:21:51 +00:00
853610bbbf
Co-authored-by: Pablo F.G <pablo.fernandez@prowler.com> Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
2.8 KiB
2.8 KiB
E2E Tests: Runtime Public-Config Data Island
Suite ID: RUNTIME-CONFIG-E2E
Feature: Runtime resolution of public client config via an inert JSON data
island injected into <head> (Sentry, GTM, API base/docs URL, reserved keys).
Test Case: RUNTIME-CONFIG-E2E-001 - Island rendered in <head> before the client bundle
Priority: critical
Tags: @e2e, @runtime-config
Preconditions:
- UI server running with
UI_API_BASE_URLset (the playwrightwebServerprovides it).
Flow Steps
- Navigate to
/sign-in(unauthenticated; the island renders on every route). - Locate
script#__PROWLER_RUNTIME_CONFIG__.
Expected Result
- The island exists, is
type="application/json"(inert), and lives in<head>. - The island appears before the first ordered (non-
async) bundle<script src>— Next.js'sasyncchunk-preloads in<head>don't execute in order and are excluded. - It parses as JSON exposing exactly the allowlisted keys and a truthy
apiBaseUrl.
Key Verification Points
- In-
<head>-before-bundle ordering guarantee (not provable in jsdom). - Only the allowlisted shape is exposed (no other env leaks).
Test Case: RUNTIME-CONFIG-E2E-002 - Browser Sentry init matches the island DSN
Priority: high
Tags: @e2e, @runtime-config
Preconditions:
- UI server running.
UI_SENTRY_DSNmay be set or unset.
Flow Steps
- Navigate to
/sign-in. - Read
sentryDsnfrom the island. - Read the DSN the browser Sentry client initialized with.
Expected Result
- If the island carries a DSN, the browser Sentry client initialized with that
exact runtime DSN (proving the island feeds
Sentry.initrace-free). - If the island has no DSN, Sentry is not initialized (zero egress — the default).
Key Verification Points
- The runtime DSN reaches module-load Sentry init via the island.
- Unset DSN ⇒ no Sentry initialization (privacy guarantee).
Test Case: RUNTIME-CONFIG-E2E-003 - Zero third-party telemetry when Sentry and GTM are unset
Priority: critical
Tags: @e2e, @runtime-config
Preconditions:
- UI server running with
UI_SENTRY_DSNandUI_GOOGLE_TAG_MANAGER_IDunset (the Enterprise default; the test skips when either is configured).
Flow Steps
- Navigate to
/sign-inand read the island config. - Reload while recording requests to
googletagmanager.com,google-analytics.com, andsentry.io. - Inspect the DOM for a Google Tag Manager script.
Expected Result
- No request is sent to any Google or Sentry host.
- The
GoogleTagManagercomponent is not rendered (nogtm.jsscript).
Key Verification Points
- Enterprise default sends zero error/analytics telemetry to any third party.
- Empty/unset GTM id ⇒ component not mounted (an empty id is NOT inert).