omniauth-dice 0.1.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 136390a70c4e465698843d744e9328e4a4b63131
+  data.tar.gz: f9822f9f4742f6a7c6c918fbf3a89b4ff9512c7c
+SHA512:
+  metadata.gz: 6d2dd8b1326fc262540a5491854bf5536947964872a111a75db27f3b297979b2880f20150bf8e888b1ed89d7cb21ac5809a0bbc25d003439b76799f4369d5ad7
+  data.tar.gz: 6cc4801fe4420043826cfc27169b1e524460971cb826132e75a11ce6b734f036da268b9e80a25d6431b5fe49cf66596f7865c91a33011a5f99c3f0707a972d4c

data/.coveralls.yml

@@ -0,0 +1,2 @@
+service_name: travis-ci
+repo_token: 

data/.gitignore

@@ -0,0 +1,41 @@
+*.gem
+*.rbc
+*.yml.a*
+/.config
+/coverage/
+/InstalledFiles
+/pkg/
+/spec/certs/*.pem
+/spec/reports/
+/test/tmp/
+/test/version_tmp/
+/tmp/
+
+## Specific to RubyMotion:
+.dat*
+.repl_history
+build/
+
+## Documentation cache and generated files:
+/.yardoc/
+/_yardoc/
+/doc/
+/rdoc/
+
+## Environment normalisation:
+/.bundle/
+/lib/bundler/man/
+.rvmrc
+
+## Gem ignores
+/Gemfile.lock
+/.ruby-version
+/.ruby-gemset
+
+*.so
+*.o
+*.a
+mkmf.log
+
+# Custom
+config/gem_sources.yml

data/.rubocop.yml

@@ -0,0 +1,8 @@
+AllCops:
+  Exclude:
+  - 'omniauth-casport.gemspec'
+  - 'lib/omniauth/casport/version.rb'
+  - 'spec/**/*'
+  - 'vendor/cache/**/*'
+  - 'vendor/bundle/**/*'
+  - '**/gems/**/*'

data/.travis.yml

@@ -0,0 +1,15 @@
+language: ruby
+cache: bundler
+
+rvm:
+  - ruby-head
+  - jruby-head
+  - 2.2.0
+  - 2.1.5
+  - 2.0.0-p590
+  - 1.9.3-p551
+
+env:
+  - RACK_ENV=test
+
+script: 'bundle exec rake'

data/.yardopts

@@ -0,0 +1 @@
+--markup markdown

data/Gemfile

@@ -0,0 +1,13 @@
+require 'psych' # Fix double-load bug when requiring yaml
+require 'yaml'
+if File.exist?('config/gem_sources.yml')
+  YAML.load_file('config/gem_sources.yml').each do |gem_source|
+    puts "Loading gem source: #{gem_source}"
+    source gem_source
+  end
+else
+  source 'https://rubygems.org'
+end
+
+# Specify your gem's dependencies in omniauth-dice.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,22 @@
+Copyright (c) 2014 Steven Haddox
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,88 @@
+# Omniauth::Dice [![Gem Version](https://badge.fury.io/rb/omniauth-dice.png)](http://badge.fury.io/rb/omniauth-dice)
+
+[![Travis CI](https://travis-ci.org/stevenhaddox/omniauth-dice.svg?branch=master)](https://travis-ci.org/stevenhaddox/omniauth-dice) [![Dependency Status](https://gemnasium.com/stevenhaddox/omniauth-dice.png)](https://gemnasium.com/stevenhaddox/omniauth-dice) [![Coverage Status](https://coveralls.io/repos/stevenhaddox/omniauth-dice/badge.png)](https://coveralls.io/r/stevenhaddox/omniauth-dice) [![Code Climate](https://codeclimate.com/github/stevenhaddox/omniauth-dice/badges/gpa.svg)](https://codeclimate.com/github/stevenhaddox/omniauth-dice) [![Inline docs](http://inch-ci.org/github/stevenhaddox/omniauth-dice.svg?branch=master)](http://inch-ci.org/github/stevenhaddox/omniauth-dice)
+
+# **D**N **I**nteroperable **C**onversion **E**xpert
+
+omniauth-dice is an internal authentication strategy that authenticates via
+a user's X509 certificate DN string to an Enterprise CAS server via REST.
+
+## Installation
+
+Add this line to your application's Gemfile:
+```ruby
+gem 'omniauth-dice'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself with:
+
+    $ gem install omniauth-dice
+```
+
+## Usage
+
+Setup your OmniAuth::Dice builder like so:
+
+```ruby
+{
+  cas_server:          'https://example.org:3000',
+  authentication_path: '/dn',
+  format_header:       'application/xml', # default is 'application/json'
+  format:              'xml', # default is 'json'
+  dnc_options: { transformation: 'downcase' }, # see `dnc` gem for all options
+  ssl_config:  {
+    ca_file:     'spec/certs/CA.pem',
+    client_cert: 'spec/certs/client.pem',
+    client_key:  'spec/certs/key.np.pem'
+  } # See OmniAuth::Strategies::Dice.ssl_hash for all options
+}
+```
+
+Full configuration options are as follows:
+
+```
+cas_server [String] Required base URL for CAS server
+authentication_path [String] URL path for endpoint, e.g. '/users'
+return_field [String] Optional path to append after DN string
+ssl_config [Hash] Configuration hash for `Faraday` SSL options
+format_header [String] 'application/json', 'application/xml', etc
+  Defaults to 'application/json'
+format [String] 'json', 'xml', etc.
+  Defaults to 'json'
+client_cert_header [String] ENV string to access user's X509 cert
+  Defaults to 'HTTP_SSL_CLIENT_CERT'
+subject_dn_header [String] ENV string to access user's subject_dn
+  Defaults to 'HTTP_SSLC_LIENT_S_DN'
+issuer_dn_header [String] ENV string to access user's issuer_dn
+  Defaults to 'HTTP_SSL_CLIENT_I_DN'
+name_format [Symbol] Format for auth_hash['info']['name']
+  Defaults to attempting DN common name -> full name -> first & last name
+  Valid options are: :cn, :full_name, :first_last_name to override
+```
+
+### SSL Client Certificate Notes
+
+`Faraday` (the HTTP library used by OmniAuth) can accept certificate paths:
+
+```
+  client_cert: 'spec/certs/client.pem',
+  client_key:  'spec/certs/key.np.pem'
+```
+
+Or it also works with actual certificates (such as to pass a passphrase in):
+```
+  client_cert: File.read('spec/certs/client.pem').to_cert,
+  client_key:  OpenSSL::PKey::RSA.new(File.read('spec/certs/key.pem'), 'PASSW0RD')
+```
+
+## Contributing
+
+1. Fork it ( https://github.com/[my-github-username]/omniauth-dice/fork )
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. **Add specs!**
+4. Commit your changes (`git commit -am 'Add some feature'`)
+5. Push to the branch (`git push origin my-new-feature`)
+6. Create a new Pull Request

data/Rakefile

@@ -0,0 +1,21 @@
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+require 'rubocop/rake_task'
+require 'coveralls/rake/task'
+Coveralls::RakeTask.new
+
+#task default: [:spec, :rubocop, 'coveralls:push']
+task default: [:spec, 'coveralls:push']
+
+desc 'Run specs'
+RSpec::Core::RakeTask.new(:spec)
+
+desc 'Run rubocop'
+task :rubocop do
+  RuboCop::RakeTask.new
+end
+
+desc 'Display TODOs, FIXMEs, and OPTIMIZEs'
+task :notes do
+  system("grep -r 'OPTIMIZE:\\|FIXME:\\|TODO:' #{Dir.pwd}")
+end

data/certs/stevenhaddox.pem

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDhTCCAm2gAwIBAgIBATANBgkqhkiG9w0BAQUFADBEMRYwFAYDVQQDDA1zdGV2
+ZW4uaGFkZG94MRUwEwYKCZImiZPyLGQBGRYFZ21haWwxEzARBgoJkiaJk/IsZAEZ
+FgNjb20wHhcNMTQxMTE4MDIxMzIwWhcNMTUxMTE4MDIxMzIwWjBEMRYwFAYDVQQD
+DA1zdGV2ZW4uaGFkZG94MRUwEwYKCZImiZPyLGQBGRYFZ21haWwxEzARBgoJkiaJ
+k/IsZAEZFgNjb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDanmKr
+vJDcVGMeDbDouLfKvU5ugOcHTXP04QDYSshaMTeuWSm4OXakxk2rxnR7Laq86R+8
+h1NbHMdiZdwlHcpZm9/YD6qjbQhnLNGsezMrNpfZwfy9VnUQY4e0OCAca9vQXKTL
+qC4fiuRD6sQQpyXkiIno0KlJOA4sKtH8vFucPGmhO0FUdlQY5FarDvCvZrtteO6L
+6/GQFjupFBd9X6zt1XBs28IC+YUw33SN0UJ5JHB45ig0BmeWMXdd4SKWe4ve/2UY
+asgs2miI3HP0wCPs0EF64/8LbuEUyMjHDr3a7+7KIRxYn2H/yUH5Ndqz6yL5G0sf
+jUsC32JuE7VlJwFNAgMBAAGjgYEwfzAJBgNVHRMEAjAAMAsGA1UdDwQEAwIEsDAd
+BgNVHQ4EFgQUC8HywyOMPJFCsH7uGW+CeKcZ8+8wIgYDVR0RBBswGYEXc3RldmVu
+LmhhZGRveEBnbWFpbC5jb20wIgYDVR0SBBswGYEXc3RldmVuLmhhZGRveEBnbWFp
+bC5jb20wDQYJKoZIhvcNAQEFBQADggEBAFoac9ZKc20ZXw2R2mWUz7FaJJdUvb7o
+4rKVzFQkJwvAX+NEdP32yCDViGoEqlA13el5fllllmG3E7Qrw+0JA5B3wrZbVfQA
+v4eX0ZohhW3CXLSz65pd3zfrwPAw0pXs1QKP+IioTuLQoBsGUiIqCPulZvzn/xN2
+KG7SexyfUEXyJRMMigA/mE8h6bYfgKKUmLQVs1uRaXmOI7dKUF6HZJpda51zJH3v
+42qdwEXvvkODZAD6KAIXPdmbMfBgPbcd+B/4eUA0PyKo+4dgL1NuqX4MPWToevIZ
+O8EKLF2X7NmC6FY1bOsSj/J8r1SOkx0rxgF+geRvY1P+hfNjDfxTsjU=
+-----END CERTIFICATE-----

data/config/gem_sources.yml.example

@@ -0,0 +1 @@
+- https://geminabox.example.com

data/lib/omniauth/dice/version.rb

@@ -0,0 +1,5 @@
+module Omniauth
+  module Dice
+    VERSION = '0.1.1'
+  end
+end

data/lib/omniauth/strategies/dice.rb

@@ -0,0 +1,422 @@
+require 'faraday'
+require 'faraday_middleware'
+require 'open-uri'
+require 'omniauth'
+require 'cert_munger'
+require 'dnc'
+
+class RequiredCustomParamError < StandardError; end
+
+module OmniAuth
+  module Strategies
+
+    #
+    # Provides omniauth authentication integration with a CAS server
+    #
+    # @option cas_server [String] Required base URL for CAS server
+    # @option authentication_path [String] URL path for endpoint, e.g. '/users'
+    # @option return_field [String] Optional path to append after DN string
+    # @option ssl_config [Hash] Configuration hash for `Faraday` SSL options
+    # @option format_header [String] 'application/json', 'application/xml', etc
+    #   Defaults to 'application/json'
+    # @option format [String] 'json', 'xml', etc.
+    #   Defaults to 'json'
+    # @option client_cert_header [String] ENV string to access user's X509 cert
+    #   Defaults to 'HTTP_SSL_CLIENT_CERT'
+    # @option subject_dn_header [String] ENV string to access user's subject_dn
+    #   Defaults to 'HTTP_SSLC_LIENT_S_DN'
+    # @option issuer_dn_header [String] ENV string to access user's issuer_dn
+    #   Defaults to 'HTTP_SSL_CLIENT_I_DN'
+    # @option name_format [Symbol] Format for auth_hash['info']['name']
+    #   Defaults to attempting DN common name -> full name -> first & last name
+    #   Valid options are: :cn, :full_name, :first_last_name to override
+    # @option primary_visa_str [String] String to trigger primary visa boolean
+    class Dice
+      include OmniAuth::Strategy
+      attr_accessor :dn, :raw_dn, :data
+      args [:cas_server, :authentication_path]
+
+      def initialize(*args, &block)
+        validate_required_params(args)
+
+        super
+      end
+
+      option :dnc_options, {}
+      option :cas_server, nil
+      option :authentication_path, nil
+      option :return_field, 'info'
+      option :ssl_config, {}
+      option :format_header, 'application/json'
+      option :format, 'json'
+      option :client_cert_header, 'HTTP_SSL_CLIENT_CERT'
+      option :subject_dn_header,  'HTTP_SSL_CLIENT_S_DN'
+      option :issuer_dn_header,   'HTTP_SSL_CLIENT_I_DN'
+      option :name_format
+      option :primary_visa_str
+
+      # Reformat DN to expected element order for CAS DN server (via dnc gem).
+      def format_dn(dn_str)
+        get_dn(dn_str).to_s
+      end
+
+      protected
+
+      # Change Hashie indifferent access keys back to symbols
+      def unhashie(hash)
+        tmp_hash = {}
+        hash.each do |key, value|
+          tmp_hash[key.to_sym] = value
+        end
+
+        tmp_hash
+      end
+
+      def setup_phase(*args)
+        log :debug, 'setup_phase'
+        super
+      end
+
+      def request_phase
+        subject_dn = get_dn_by_type('subject')
+        return fail!('You need a valid DN to authenticate.') unless subject_dn
+        user_dn = format_dn(subject_dn)
+        log :debug, "Formatted user_dn:   #{user_dn}"
+        return fail!('You need a valid DN to authenticate.') unless user_dn
+        set_session_dn(user_dn, 'subject')
+        issuer_dn = get_dn_by_type('issuer')
+        issuer_dn = format_dn(issuer_dn) if issuer_dn
+        log :debug, "Formatted issuer_dn: #{issuer_dn}"
+        set_session_dn(issuer_dn, 'issuer') if issuer_dn
+
+        redirect callback_url
+      end
+
+      def callback_phase
+        issuer_dn = env['omniauth.params']['issuer_dn']
+        if issuer_dn
+          response = connection.get query_url, { issuerDN: issuer_dn }
+        else
+          response = connection.get query_url
+        end
+        if !response || response.status.to_i >= 400
+          log :error, response.inspect
+          return fail!(:invalid_credentials)
+        end
+        @data = response.body
+        create_auth_hash
+
+        redirect request.env['omniauth.origin'] || '/'
+      end
+
+      private
+
+      # Coordinate building out the auth_hash
+      def create_auth_hash
+        log :debug, '.create_auth_hash'
+        init_auth_hash
+        set_auth_uid
+        parse_response_data
+        create_auth_info
+      end
+
+      # Initialize the auth_hash expected fields
+      def init_auth_hash
+        log :debug, '.init_auth_hash'
+        session['omniauth.auth'] ||= {
+          'provider' => 'Dice',
+          'uid'      => nil,
+          'info'     => nil,
+          'extra'    => {
+            'raw_info' => nil
+          }
+        }
+      end
+
+      # Set the user's uid field for the auth_hash
+      def set_auth_uid
+        log :debug, '.set_auth_uid'
+        session['omniauth.auth']['uid'] = env['omniauth.params']['user_dn']
+      end
+
+      # Detect data format, parse with appropriate library
+      def parse_response_data
+        log :debug, '.parse_response_data'
+        session['omniauth.auth']['extra']['raw_info'] = @data
+        log :debug, "cas_server response.body:\r\n#{@data}"
+        unless @data.class == Hash # Webmock hack
+          case options.format.to_sym
+          when :json
+            @data = JSON.parse(@data, symbolize_names: true)
+          when :xml
+            @data = MultiXml.parse(@data)['userinfo']
+          end
+          log :debug, "Formatted response.body data: #{@data}"
+        end
+
+        @data
+      end
+
+
+      # Parse CAS server response and assign values as appropriate
+      def create_auth_info
+        log :debug, '.create_auth_info'
+        info = {}
+        info = auth_info_defaults(info)
+        info = auth_info_dynamic(info)
+        info = auth_info_custom(info)
+
+        session['omniauth.auth']['info'] = info
+      end
+
+      def info_defaults
+        [:dn, :email, :firstName, :lastName, :fullName, :citizenshipStatus,
+         :country, :grantBy, :organizations, :uid, :dutyorg, :visas,
+         :affiliations]
+      end
+
+      # Defualt auth_info fields
+      def auth_info_defaults(info)
+        info_defaults.each do |key_name|
+          info[key_name.to_s.to_snake] = @data[key_name]
+        end
+
+        info
+      end
+
+      # Dynamic auth_info fields
+      def auth_info_dynamic(info)
+        @data.each do |key, value|
+          info[key.to_s.to_snake] = value unless info_defaults.include?(key)
+        end
+
+        info
+      end
+
+      # Custom auth_info fields
+      def auth_info_custom(info)
+        info['common_name'] = get_dn(info['dn']).cn
+        set_name(info)
+        has_primary_visa?(info)
+        info['likely_npe?'] = identify_npe(info)
+
+        info
+      end
+
+      # Allow for a custom field for the name, or use a best guess default
+      def set_name(info)
+        # Do NOT override the value if it's returned from the CAS server
+        return info['name'] if info['name']
+        info['name'] = case options.name_format
+        when :cn
+          info['common_name']
+        when :full_name
+          info['full_name']
+        when :first_last_name
+          "#{info['first_name']} #{info['last_name']}"
+        end
+        info['name'] ||= info['common_name'] || info['full_name'] ||
+                         "#{info['first_name']} #{info['last_name']}"
+      end
+
+      # Determine if client has the primary visa
+      def has_primary_visa?(info)
+        return info['primary_visa?'] = nil unless info['visas']
+        return info['primary_visa?'] = nil unless options.primary_visa
+        info['primary_visa?'] = info['visas'].include?(options.primary_visa)
+      end
+
+      # Determine if a client is likely a non-person entity
+      def identify_npe(info)
+        info['likely_npe?']   = nil
+        return true  if auth_cn_with_tld?(info['common_name']) == true
+        return true  if auth_info_missing_email?(info)         == true
+        return true  if auth_has_email_without_names?(info)    == true
+        return false if auth_has_email_with_any_name?(info)    == true
+      end
+
+      # Identify if there's a domain w/ TLD in the common_name
+      def auth_cn_with_tld?(common_name)
+        !!( common_name =~ /\w{3}\.\w+(\.\w{3,}+)?/ )
+      end
+
+      # Determine if the auth_hash does not have an email address
+      def auth_info_missing_email?(info)
+        !( info['email'] ) # !! returns false if no email, ! returns true
+      end
+
+      # Determine if the auth_hash has an email but no name fields
+      def auth_has_email_without_names?(info)
+        return false unless info['email']
+        return true if auth_info_has_any_name?(info) == false
+      end
+
+      # Determine if the auth_hash has an email with ANY name field
+      def auth_has_email_with_any_name?(info)
+        return false unless info['email']
+        return true if auth_info_has_any_name?(info) == true
+      end
+
+      # Determine if any name fields are present in the auth_hash['info']
+      def auth_info_has_any_name?(info)
+        name   = info['full_name']
+        name ||= info['first_name']
+        name ||= info['last_name']
+        !!(name)
+      end
+
+      # Coordinate getting DN from cert, fallback to header
+      def get_dn_by_type(type='subject')
+        raw_dn   = get_dn_from_certificate(type)
+        raw_dn ||= get_dn_from_header(type)
+      end
+
+      # Reads the DN from headers
+      def get_dn_from_header(type)
+        headers = request.env
+        if type == 'issuer'
+          raw_dn = headers["#{options.issuer_dn_header}"]
+        else
+          raw_dn = headers["#{options.subject_dn_header}"]
+        end
+        log :debug, "raw_dn (#{type}) from headers: #{raw_dn}"
+
+        raw_dn
+      end
+
+      # Gets the DN from X509 certificate
+      def get_dn_from_certificate(type)
+        cert_str = request.env["#{options.client_cert_header}"]
+        if cert_str
+          client_cert = cert_str.to_cert
+          log :debug, "Client certificate:\r\n#{client_cert}"
+          raw_dn ||= parse_dn_from_certificate(client_cert, type)
+          log :debug, "raw_dn (#{type}) from cert: #{raw_dn}"
+        end
+
+        raw_dn
+      end
+
+      # Parse the DN out of an SSL X509 Client Certificate
+      def parse_dn_from_certificate(certificate, type='subject')
+        certificate.send(type.to_sym).to_s
+      end
+
+      # Create a Faraday instance with the cas_server & appropriate SSL config
+      def connection
+        log :debug, '.connection'
+
+        @conn ||= Faraday.new(url: options.cas_server, ssl: ssl_hash) do |conn|
+          conn.headers  = headers
+          conn.response :logger                  # log requests to STDOUT
+          conn.response :xml,  :content_type => /\bxml$/
+          conn.response :json, :content_type => /\bjson$/
+          conn.adapter  :excon
+        end
+      end
+
+      def headers
+        {
+          'Accept' => options.format_header,
+          'Content-Type' => options.format_header,
+          'X-XSRF-UseProtection' => ('false' if options.format_header),
+          'user-agent' => "Faraday via Ruby #{RUBY_VERSION}"
+        }
+      end
+
+      # Build out the query URL for CAS server with DN params
+      def query_url
+        user_dn    = env['omniauth.params']['user_dn']
+        build_query = "#{options.cas_server}#{options.authentication_path}"
+        build_query += "/#{user_dn}"
+        build_query += "/#{options.return_field}.#{options.format}"
+        URI::encode(build_query)
+      end
+
+      # Specifies which attributes are required arguments to initialize
+      def required_params
+        [:cas_server, :authentication_path]
+      end
+
+      # Verify that arguments required to properly run are present or fail hard
+      # NOTE: CANNOT call "log" method from initialize block hooks
+      def validate_required_params(args)
+        required_params.each do |param|
+          param_present = nil
+          args.each do |arg|
+            param_present = true if param_in_arg?(param, arg) == true
+          end
+
+          if param_present.nil?
+            error_msg = "omniauth-dice error: #{param} is required"
+            fail RequiredCustomParamError, error_msg
+          end
+        end
+      end
+
+      # Determine if a specified param symbol exists in the passed argument
+      # NOTE: CANNOT call "log" method from initialize block hooks
+      def param_in_arg?(param, arg)
+        if arg.class == Hash
+          if arg.key?(param.to_sym)
+            true
+          else
+            false
+          end
+        else
+          false
+        end
+      end
+
+      def set_session_dn(dn_string, type='subject')
+        dn_type = case type
+        when 'subject'
+          'user_dn'
+        when 'issuer'
+          'issuer_dn'
+        else
+          fail "Invalid DN string type"
+        end
+        session['omniauth.params'] ||= {}
+        session['omniauth.params'][dn_type] = dn_string
+      end
+
+      # Dynamically builds out Faraday's SSL config hash by merging passed
+      # options hash with the default options.
+      #
+      # Available Faraday config options include:
+      # ca_file      (e.g., /usr/lib/ssl/certs/ca-certificates.crt)
+      # ca_path      (e.g., /usr/lib/ssl/certs)
+      # cert_store
+      # client_cert
+      # client_key
+      # certificate
+      # private_key
+      # verify
+      # verify_mode
+      # verify_depth
+      # version
+      def ssl_hash
+        ssl_defaults = {
+          verify:       true,
+          verify_depth: 3,
+          version:      'TLSv1'
+        }
+
+        custom_config = unhashie(options.ssl_config)
+        ssl_defaults.merge(custom_config)
+      end
+
+      # Retrieve DNC default & custom configs
+      #
+      # @param dn_str [String] The string of text you wish to parse into a DN
+      # @return [DN]
+      def get_dn(dn_str)
+        custom_order = %w(cn l st ou o c street dc uid)
+        default_opts = { dn_string: dn_str, string_order: custom_order }
+        dnc_config = unhashie(options.dnc_options)
+        DN.new( default_opts.merge(dnc_config) )
+      end
+    end
+  end
+end