feat: add dpop_signing_alg validation for oidc and okta connections (#1343)

feat: Enhance connections schema and tests for DPoP signing algorithms

- src/tools/auth0/handlers/connections.ts: Add schema for dpop_signing_alg options
- test/tools/auth0/handlers/connections.tests.js: Implement tests for dpop_signing_alg validation
- package.json: Update auth0 dependency to version 5.5.0

Author: kushalshit27

package.json

@@ -33,7 +33,7 @@
   "homepage": "https://github.com/auth0/auth0-deploy-cli#readme",
   "dependencies": {
     "ajv": "^6.12.6",
-    "auth0": "^5.4.0",
+    "auth0": "^5.5.0",
     "dot-prop": "^5.3.0",
     "fs-extra": "^10.1.0",
     "js-yaml": "^4.1.1",

src/tools/auth0/handlers/connections.ts

@@ -16,14 +16,24 @@ import ScimHandler from './scimHandler';
 import log from '../../../logger';
 import { Client } from './clients';
 
+const connectionOptionsSchema = {
+  type: 'object',
+  properties: {
+    dpop_signing_alg: {
+      type: 'string',
+      enum: Object.values(Management.ConnectionDpopSigningAlgEnum),
+    },
+  },
+};
+
 export const schema = {
   type: 'array',
   items: {
     type: 'object',
     properties: {
       name: { type: 'string' },
       strategy: { type: 'string' },
-      options: { type: 'object' },
+      options: connectionOptionsSchema,
       enabled_clients: { type: 'array', items: { type: 'string' } },
       realms: { type: 'array', items: { type: 'string' } },
       metadata: { type: 'object' },

test/tools/auth0/handlers/connections.tests.js

@@ -1,8 +1,10 @@
 import pageClient from '../../../../src/tools/auth0/client';
 
 /* eslint-disable consistent-return */
+const Ajv = require('ajv');
 const { expect } = require('chai');
 const sinon = require('sinon');
+const { Management } = require('auth0');
 const connections = require('../../../../src/tools/auth0/handlers/connections');
 const utils = require('../../../../src/tools/utils');
 const { mockPagedData } = require('../../../utils');
@@ -30,6 +32,62 @@ describe('#connections handler', () => {
     AUTH0_ALLOW_DELETE: true,
   };
 
+  describe('#connections schema', () => {
+    it('should expose the supported dpop_signing_alg values', () => {
+      expect(connections.schema.items.properties.options.properties.dpop_signing_alg.enum).to.deep
+        .equal(Object.values(Management.ConnectionDpopSigningAlgEnum));
+    });
+
+    it('should allow supported dpop_signing_alg values', () => {
+      const ajv = new Ajv({ useDefaults: true, nullable: true });
+      const assets = [
+        {
+          name: 'oidc-connection',
+          strategy: 'oidc',
+          options: {
+            dpop_signing_alg: 'ES256',
+          },
+        },
+        {
+          name: 'okta-connection',
+          strategy: 'okta',
+          options: {
+            dpop_signing_alg: 'Ed25519',
+          },
+        },
+      ];
+
+      const valid = ajv.validate(connections.schema, assets);
+
+      expect(valid).to.equal(true);
+      expect(ajv.errors).to.be.null;
+    });
+
+    it('should reject unsupported dpop_signing_alg values', () => {
+      const ajv = new Ajv({ useDefaults: true, nullable: true });
+      const assets = [
+        {
+          name: 'oidc-connection',
+          strategy: 'oidc',
+          options: {
+            dpop_signing_alg: 'RS256',
+          },
+        },
+      ];
+
+      const valid = ajv.validate(connections.schema, assets);
+
+      expect(valid).to.equal(false);
+      expect(ajv.errors).to.have.length.greaterThan(0);
+      expect(ajv.errors[0]).to.include({
+        keyword: 'enum',
+      });
+      expect(ajv.errors[0].params).to.deep.equal({
+        allowedValues: Object.values(Management.ConnectionDpopSigningAlgEnum),
+      });
+    });
+  });
+
   describe('#connections validate', () => {
     it('should not allow same names', async () => {
       const handler = new connections.default({ client: {}, config });