- Home
- Skills
- Prowler Cloud
- Prowler
- Prowler Test Api
prowler-test-api_skill
- Python
12.8k
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill prowler-cloud/prowler --skill prowler-test-api- SKILL.md4.8 KB
Overview
This skill provides a concise testing pattern set for the prowler API focusing on JSON:API semantics, Celery tasks, row-level security (RLS) cross-tenant isolation, and RBAC. It codifies fixtures, request conventions, status code expectations, and mocking strategies to keep tests reliable and secure. Use it to standardize API tests across providers, scans, and findings endpoints.
How this skill works
The skill documents the required fixture dependency chain and the exact JSON:API request shapes for POST/PATCH and how to read responses. It enforces RLS behavior by asserting 404 for cross-tenant access and prescribes Celery testing strategies that mock asynchronous boundaries while optionally running synchronous task logic with task.apply(). It also defines safe fake-secret patterns to avoid accidental credential leaks.
When to use it
- When writing tests under api/ that exercise JSON:API endpoints (views, viewsets, serializers).
- When adding or changing endpoints to ensure cross-tenant RLS isolation is covered.
- When testing views or endpoints that enqueue Celery tasks or orchestrate Canvas workflows.
- When validating RBAC behavior for admin, no-roles, and no-permission scenarios.
- When adding integration-style API tests that must avoid leaking realistic secrets.
Best practices
- Always use response.json()["data"] to read JSON:API responses, never response.data.
- Use content_type="application/vnd.api+json" for PATCH/PUT and format="vnd.api+json" for POST.
- Always test cross-tenant isolation; RLS should return 404, not 403, and never skip these tests.
- Mock both .delay() and Task.objects.get when testing views that trigger Celery tasks; use task.apply() for sync logic tests.
- Never include realistic-looking API keys in tests; use obviously fake values to avoid TruffleHog flags.
Example use cases
- Create a provider via POST with format="vnd.api+json" and assert 201 and attributes via response.json()["data"].
- Update a provider via PATCH with content_type="application/vnd.api+json" and verify changed attributes.
- Test cross-tenant GET returns 404 for a resource owned by an isolated tenant.
- Mock a Celery chain/group and assert view calls .delay() and that Task.objects.get was invoked to track results.
- Verify RBAC: admin client gets 200, membership-without-roles results in 403, and no-permissions client is denied.
FAQ
Row-level security intentionally makes resources invisible to other tenants; tests should assert 404 to reflect this design.
Should I use task_always_eager for Celery tests?
No. task_always_eager hides serialization, broker, and context issues. Prefer task.apply() for logic and mocking for orchestration.