prowler-test-api

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

Critical Rules

核心规则

ALWAYS use
```
response.json()["data"]
```
not
```
response.data
```

ALWAYS use

content_type = "application/vnd.api+json"

for PATCH/PUT requests

ALWAYS use
```
format="vnd.api+json"
```
for POST requests
ALWAYS test cross-tenant isolation - RLS returns 404, NOT 403
NEVER skip RLS isolation tests when adding new endpoints
NEVER use realistic-looking API keys in tests (TruffleHog will flag them)
ALWAYS mock BOTH
```
.delay()
```
AND
```
Task.objects.get
```
for async task tests

始终使用
```
response.json()["data"]
```
而非
```
response.data
```

对PATCH/PUT请求始终使用

content_type = "application/vnd.api+json"

对POST请求始终使用
```
format="vnd.api+json"
```
始终测试跨租户隔离 - RLS返回404，而非403
添加新端点时绝不要跳过RLS隔离测试
测试中绝不要使用看起来真实的API密钥（TruffleHog会标记它们）
对异步任务测试始终同时模拟
```
.delay()
```
和
```
Task.objects.get
```

1. Fixture Dependency Chain

1. 测试装置依赖链

create_test_user (session) ─► tenants_fixture (function) ─► authenticated_client
                                     │
                                     └─► providers_fixture ─► scans_fixture ─► findings_fixture

create_test_user (session) ─► tenants_fixture (function) ─► authenticated_client
                                     │
                                     └─► providers_fixture ─► scans_fixture ─► findings_fixture

Key Fixtures

关键测试装置

Fixture	Description
`create_test_user`	Session user ( `dev@prowler.com` )
`tenants_fixture`	3 tenants: [0],[1] have membership, [2] isolated
`authenticated_client`	JWT client for tenant[0]
`providers_fixture`	9 providers in tenant[0]
`tasks_fixture`	2 Celery tasks with TaskResult

测试装置	说明
`create_test_user`	会话用户（dev@prowler.com）
`tenants_fixture`	3个租户：[0]、[1]有成员关系，[2]为隔离租户
`authenticated_client`	租户[0]的JWT客户端
`providers_fixture`	租户[0]中的9个提供商
`tasks_fixture`	2个带TaskResult的Celery任务

RBAC Fixtures

RBAC测试装置

Fixture	Permissions
`authenticated_client_rbac`	All permissions (admin)
`authenticated_client_rbac_noroles`	Membership but NO roles
`authenticated_client_no_permissions_rbac`	All permissions = False

测试装置	权限
`authenticated_client_rbac`	所有权限（管理员）
`authenticated_client_rbac_noroles`	有成员关系但无角色
`authenticated_client_no_permissions_rbac`	所有权限均为False

2. JSON:API Requests

2. JSON:API请求

POST (Create)

POST（创建）

python

response = client.post(
    reverse("provider-list"),
    data={"data": {"type": "providers", "attributes": {...}}},
    format="vnd.api+json",  # NOT content_type!
)

python

response = client.post(
    reverse("provider-list"),
    data={"data": {"type": "providers", "attributes": {...}}},
    format="vnd.api+json",  # NOT content_type!
)

PATCH (Update)

PATCH（更新）

python

response = client.patch(
    reverse("provider-detail", kwargs={"pk": provider.id}),
    data={"data": {"type": "providers", "id": str(provider.id), "attributes": {...}}},
    content_type="application/vnd.api+json",  # NOT format!
)

python

response = client.patch(
    reverse("provider-detail", kwargs={"pk": provider.id}),
    data={"data": {"type": "providers", "id": str(provider.id), "attributes": {...}}},
    content_type="application/vnd.api+json",  # NOT format!
)

Reading Responses

读取响应

python

data = response.json()["data"]
attrs = data["attributes"]
errors = response.json()["errors"]  # For 400 responses

python

data = response.json()["data"]
attrs = data["attributes"]
errors = response.json()["errors"]  # 针对400响应

3. RLS Isolation (Cross-Tenant)

3. RLS隔离（跨租户）

RLS returns 404, NOT 403 - the resource is invisible, not forbidden.

python

def test_cross_tenant_access_denied(self, authenticated_client, tenants_fixture):
    other_tenant = tenants_fixture[2]  # Isolated tenant
    foreign_provider = Provider.objects.create(tenant_id=other_tenant.id, ...)

    response = authenticated_client.get(reverse("provider-detail", args=[foreign_provider.id]))
    assert response.status_code == status.HTTP_404_NOT_FOUND  # NOT 403!

RLS返回404，而非403 - 资源是不可见的，而非被禁止访问。

python

def test_cross_tenant_access_denied(self, authenticated_client, tenants_fixture):
    other_tenant = tenants_fixture[2]  # 隔离租户
    foreign_provider = Provider.objects.create(tenant_id=other_tenant.id, ...)

    response = authenticated_client.get(reverse("provider-detail", args=[foreign_provider.id]))
    assert response.status_code == status.HTTP_404_NOT_FOUND  # NOT 403!

4. Celery Task Testing

4. Celery任务测试

Testing Strategies

测试策略

Strategy	Use For
Mock `.delay()` + `Task.objects.get`	Testing views that trigger tasks
`task.apply()`	Synchronous task logic testing
Mock `chain` / `group`	Testing Canvas orchestration
Mock `connection`	Testing `@set_tenant` decorator
Mock `apply_async`	Testing Beat scheduled tasks

策略	适用场景
模拟 `.delay()` + `Task.objects.get`	测试触发任务的视图
`task.apply()`	同步任务逻辑测试
模拟 `chain` / `group`	测试Canvas编排
模拟 `connection`	测试 `@set_tenant` 装饰器
模拟 `apply_async`	测试Beat定时任务

Why NOT

task_always_eager

为什么不使用

task_always_eager

Problem	Impact
No task serialization	Misses argument type errors
No broker interaction	Hides connection issues
Different execution context	`self.request` behaves differently

Instead, use:

task.apply()

for sync execution, mocking for isolation.

Full examples: See assets/api_test.py for
TestCeleryTaskLogic
,
TestCeleryCanvas
,
TestSetTenantDecorator
,
TestBeatScheduling
.

问题	影响
无任务序列化	遗漏参数类型错误
无代理交互	隐藏连接问题
执行上下文不同	`self.request` 行为异常

替代方案： 使用

task.apply()

进行同步执行，使用模拟实现隔离。

完整示例： 查看 assets/api_test.py 中的
TestCeleryTaskLogic
、
TestCeleryCanvas
、
TestSetTenantDecorator
、
TestBeatScheduling
。

5. Fake Secrets (TruffleHog)

5. 虚假密钥（TruffleHog）

python

undefined

python

undefined

BAD - TruffleHog flags these:

错误示例 - TruffleHog会标记这些：

api_key = "sk-test1234567890T3BlbkFJtest1234567890"

GOOD - obviously fake:

正确示例 - 明显是虚假的：

api_key = "sk-fake-test-key-for-unit-testing-only"

---

api_key = "sk-fake-test-key-for-unit-testing-only"

---

6. Response Status Codes

响应状态码

Scenario	Code
Successful GET	200
Successful POST	201
Async operation (DELETE/scan trigger)	202
Sync DELETE	204
Validation error	400
Missing permission (RBAC)	403
RLS isolation / not found	404

场景	状态码
GET请求成功	200
POST请求成功	201
异步操作（删除/扫描触发）	202
同步删除	204
验证错误	400
缺少权限（RBAC）	403
RLS隔离 / 资源不存在	404

Commands

命令

bash

cd api && poetry run pytest -x --tb=short
cd api && poetry run pytest -k "test_provider"
cd api && poetry run pytest api/src/backend/api/tests/test_rbac.py

bash

cd api && poetry run pytest -x --tb=short
cd api && poetry run pytest -k "test_provider"
cd api && poetry run pytest api/src/backend/api/tests/test_rbac.py

Resources

资源

Full Examples: See assets/api_test.py for complete test patterns
Fixture Reference: See references/test-api-docs.md
Fixture Source:
```
api/src/backend/conftest.py
```

完整示例：查看 assets/api_test.py 获取完整测试模式
测试装置参考：查看 references/test-api-docs.md
测试装置源码：
```
api/src/backend/conftest.py
```

prowler-test-api

Original

Translation

Critical Rules

核心规则

1. Fixture Dependency Chain

1. 测试装置依赖链

Key Fixtures

关键测试装置

RBAC Fixtures

RBAC测试装置

2. JSON:API Requests

2. JSON:API请求

POST (Create)

POST（创建）

PATCH (Update)

PATCH（更新）

Reading Responses

读取响应

3. RLS Isolation (Cross-Tenant)

3. RLS隔离（跨租户）

4. Celery Task Testing

4. Celery任务测试

Testing Strategies

测试策略

Why NOT
`task_always_eager`

为什么不使用
`task_always_eager`

5. Fake Secrets (TruffleHog)

5. 虚假密钥（TruffleHog）

BAD - TruffleHog flags these:

错误示例 - TruffleHog会标记这些：

GOOD - obviously fake:

正确示例 - 明显是虚假的：

6. Response Status Codes

响应状态码

Commands

命令

Resources

资源