prowler-cloud
Testing patterns for Prowler API: JSON:API, Celery tasks, RLS isolation, RBAC. Trigger: When writing tests for api/ (JSON:API requests/assertions, cross-tenant isolation, RBAC, Celery tasks, viewsets/serializers).
bunx add-skill prowler-cloud/prowler -s prowler-test-apiLoadingβ¦
response.json()["data"] not response.datacontent_type = "application/vnd.api+json" for PATCH/PUT requestsformat="vnd.api+json" for POST requests.delay() AND Task.objects.get for async task testscreate_test_user (session) ββΊ tenants_fixture (function) ββΊ authenticated_client
β
βββΊ providers_fixture ββΊ scans_fixture ββΊ findings_fixture
| Fixture | Description |
|---|---|
create_test_user | Session user (dev@prowler.com) |
tenants_fixture | 3 tenants: [0],[1] have membership, [2] isolated |
authenticated_client | JWT client for tenant[0] |
providers_fixture | 9 providers in tenant[0] |
tasks_fixture | 2 Celery tasks with TaskResult |
| Fixture | Permissions |
|---|---|
authenticated_client_rbac | All permissions (admin) |
authenticated_client_rbac_noroles | Membership but NO roles |
authenticated_client_no_permissions_rbac | All permissions = False |
response = client.post(
reverse("provider-list"),
data={"data": {"type": "providers", "attributes": {...}}},
format="vnd.api+json", # NOT content_type!
)
response = client.patch(
reverse("provider-detail", kwargs={"pk": provider.id}),
data={"data": {"type": "providers", "id": str(provider.id), "attributes": {...}}},
content_type="application/vnd.api+json", # NOT format!
)
data = response.json()["data"]
attrs = data["attributes"]
errors = response.json()["errors"] # For 400 responses
RLS returns 404, NOT 403 - the resource is invisible, not forbidden.
def test_cross_tenant_access_denied(self, authenticated_client, tenants_fixture):
other_tenant = tenants_fixture[2] # Isolated tenant
foreign_provider = Provider.objects.create(tenant_id=other_tenant.id, ...)
response = authenticated_client.get(reverse("provider-detail", args=[foreign_provider.id]))
assert response.status_code == status.HTTP_404_NOT_FOUND # NOT 403!
| Strategy | Use For |
|---|---|
Mock .delay() + Task.objects.get | Testing views that trigger tasks |
task.apply() | Synchronous task logic testing |
Mock chain/group | Testing Canvas orchestration |
Mock connection | Testing @set_tenant decorator |
Mock apply_async | Testing Beat scheduled tasks |
task_always_eager| Problem | Impact |
|---|---|
| No task serialization | Misses argument type errors |
| No broker interaction | Hides connection issues |
| Different execution context | self.request behaves differently |
Instead, use: task.apply() for sync execution, mocking for isolation.
Full examples: See assets/api_test.py for
TestCeleryTaskLogic,TestCeleryCanvas,TestSetTenantDecorator,TestBeatScheduling.
# BAD - TruffleHog flags these:
api_key = "sk-test1234567890T3BlbkFJtest1234567890"
# GOOD - obviously fake:
api_key = "sk-fake-test-key-for-unit-testing-only"
| Scenario | Code |
|---|---|
| Successful GET | 200 |
| Successful POST | 201 |
| Async operation (DELETE/scan trigger) | 202 |
| Sync DELETE | 204 |
| Validation error | 400 |
| Missing permission (RBAC) | 403 |
| RLS isolation / not found | 404 |
cd api && poetry run pytest -x --tb=short
cd api && poetry run pytest -k "test_provider"
cd api && poetry run pytest api/src/backend/api/tests/test_rbac.py
api/src/backend/conftest.pyUse when you need to run Flow type checking, or when seeing Flow type errors in React code.
Use when you want to validate changes before committing, or when you need to check all React contribution requirements.
Use when feature flag tests fail, flags need updating, understanding @gate pragmas, debugging channel-specific test failures, or adding new flags to React.
Use when you need to check feature flag states, compare channels, or debug why a feature behaves differently across release channels.