prowler-test-api_skill

This skill helps you write robust API tests for JSON:API, RBAC, and cross-tenant isolation in Python projects, with Celery task validation.
  • Python

12.8k

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill prowler-cloud/prowler --skill prowler-test-api

  • SKILL.md4.8 KB

Overview

This skill provides a concise testing pattern set for the prowler API focusing on JSON:API semantics, Celery tasks, row-level security (RLS) cross-tenant isolation, and RBAC. It codifies fixtures, request conventions, status code expectations, and mocking strategies to keep tests reliable and secure. Use it to standardize API tests across providers, scans, and findings endpoints.

How this skill works

The skill documents the required fixture dependency chain and the exact JSON:API request shapes for POST/PATCH and how to read responses. It enforces RLS behavior by asserting 404 for cross-tenant access and prescribes Celery testing strategies that mock asynchronous boundaries while optionally running synchronous task logic with task.apply(). It also defines safe fake-secret patterns to avoid accidental credential leaks.

When to use it

  • When writing tests under api/ that exercise JSON:API endpoints (views, viewsets, serializers).
  • When adding or changing endpoints to ensure cross-tenant RLS isolation is covered.
  • When testing views or endpoints that enqueue Celery tasks or orchestrate Canvas workflows.
  • When validating RBAC behavior for admin, no-roles, and no-permission scenarios.
  • When adding integration-style API tests that must avoid leaking realistic secrets.

Best practices

  • Always use response.json()["data"] to read JSON:API responses, never response.data.
  • Use content_type="application/vnd.api+json" for PATCH/PUT and format="vnd.api+json" for POST.
  • Always test cross-tenant isolation; RLS should return 404, not 403, and never skip these tests.
  • Mock both .delay() and Task.objects.get when testing views that trigger Celery tasks; use task.apply() for sync logic tests.
  • Never include realistic-looking API keys in tests; use obviously fake values to avoid TruffleHog flags.

Example use cases

  • Create a provider via POST with format="vnd.api+json" and assert 201 and attributes via response.json()["data"].
  • Update a provider via PATCH with content_type="application/vnd.api+json" and verify changed attributes.
  • Test cross-tenant GET returns 404 for a resource owned by an isolated tenant.
  • Mock a Celery chain/group and assert view calls .delay() and that Task.objects.get was invoked to track results.
  • Verify RBAC: admin client gets 200, membership-without-roles results in 403, and no-permissions client is denied.

FAQ

Row-level security intentionally makes resources invisible to other tenants; tests should assert 404 to reflect this design.

Should I use task_always_eager for Celery tests?

No. task_always_eager hides serialization, broker, and context issues. Prefer task.apply() for logic and mocking for orchestration.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational
prowler-test-api skill by prowler-cloud/prowler | VeilStrat