omniauth-dice 0.1.1

data/lib/omniauth-dice.rb

@@ -0,0 +1,3 @@
+require 'omniauth/dice/version'
+require 'omniauth/strategies/dice'
+require 'string'

data/lib/string.rb

@@ -0,0 +1,17 @@
+#
+# Extend the core String class to include `.to_snake`
+#
+class String
+  # Attempts to convert a string into a formatted_snake_case_string
+  def to_snake
+    self.gsub(/([A-Z]+)([A-Z][a-z])/, '\1_\2')
+        .gsub(/([a-z\d])([A-Z])/, '\1_\2')
+        .tr('-', '_')
+        .downcase
+  end
+
+  # Alias to .to_snake
+  def underscore
+    self.to_snake
+  end
+end

data/omniauth-dice.gemspec

@@ -0,0 +1,50 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'omniauth/dice/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'omniauth-dice'
+  spec.version       = Omniauth::Dice::VERSION
+  spec.authors       = ['Steven Haddox']
+  spec.email         = ['steven.haddox@gmail.com']
+  spec.summary       = %q{DN Interoperable Conversion Expert Strategy}
+  spec.description   = %q{Simple gem to enable rack powered Ruby apps to authenticate via REST with an enterprise CAS authentication server via X509 client certificates.}
+  spec.homepage      = "https://github.com/stevenhaddox/omniauth-dice"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files -z`.split("\x0")
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+
+  spec.required_ruby_version = '>= 1.9.3'
+
+  spec.add_development_dependency 'awesome_print'
+  spec.add_development_dependency 'bundler'
+  spec.add_development_dependency 'capybara'
+  spec.add_development_dependency 'coveralls'
+  spec.add_development_dependency 'rack_session_access'
+  spec.add_development_dependency 'redcarpet'
+  spec.add_development_dependency 'rspec'
+  spec.add_development_dependency 'rack'
+  spec.add_development_dependency 'rack-test'
+  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'rubocop'
+  spec.add_development_dependency 'simplecov'
+  spec.add_development_dependency 'simplecov-badge'
+  spec.add_development_dependency 'webmock'
+  spec.add_development_dependency 'yard'
+
+  spec.add_dependency 'cert_munger', '~> 0.1'
+  spec.add_dependency 'dnc', '~> 0.1'
+  spec.add_dependency 'excon'
+  spec.add_dependency 'faraday'
+  spec.add_dependency 'faraday_middleware'
+  spec.add_dependency 'logging', '~> 1.8'
+  spec.add_dependency 'multi_xml'
+  spec.add_dependency 'omniauth', '~> 1.0'
+
+  spec.cert_chain  = ['certs/stevenhaddox.pem']
+  spec.signing_key = File.expand_path("~/.gem/certs/gem-private_key.pem") if $0 =~ /gem\z/
+end

data/spec/certs/create_spec_cert.rb

@@ -0,0 +1,41 @@
+#!/usr/bin/env ruby
+
+require 'openssl'
+require 'awesome_print'
+
+root_key = OpenSSL::PKey::RSA.new 2048 # the CA's public/private key
+root_ca = OpenSSL::X509::Certificate.new
+root_ca.version = 2 # cf. RFC 5280 - to make it a "v3" certificate
+root_ca.serial = 1
+root_ca.subject = OpenSSL::X509::Name.parse "/DC=org/DC=ruby-lang/CN=Ruby CA"
+root_ca.issuer = root_ca.subject # root CA's are "self-signed"
+root_ca.public_key = root_key.public_key
+root_ca.not_before = Time.now
+root_ca.not_after = root_ca.not_before + 2 * 365 * 24 * 60 * 60 # 2 years validity
+ef = OpenSSL::X509::ExtensionFactory.new
+ef.subject_certificate = root_ca
+ef.issuer_certificate = root_ca
+root_ca.add_extension(ef.create_extension("basicConstraints","CA:TRUE",true))
+root_ca.add_extension(ef.create_extension("keyUsage","keyCertSign, cRLSign", true))
+root_ca.add_extension(ef.create_extension("subjectKeyIdentifier","hash",false))
+root_ca.add_extension(ef.create_extension("authorityKeyIdentifier","keyid:always",false))
+root_ca.sign(root_key, OpenSSL::Digest::SHA256.new)
+
+key = OpenSSL::PKey::RSA.new 2048
+cert = OpenSSL::X509::Certificate.new
+cert.version = 2
+cert.serial = 2
+cert.subject = OpenSSL::X509::Name.parse "/DC=org/DC=ruby-lang/CN=Ruby certificate rbcert"
+cert.issuer = root_ca.subject # root CA is the issuer
+cert.public_key = key.public_key
+cert.not_before = Time.now
+cert.not_after = cert.not_before + 1 * 365 * 24 * 60 * 60 # 1 years validity
+ef = OpenSSL::X509::ExtensionFactory.new
+ef.subject_certificate = cert
+ef.issuer_certificate = root_ca
+cert.add_extension(ef.create_extension("keyUsage","digitalSignature", true))
+cert.add_extension(ef.create_extension("subjectKeyIdentifier","hash",false))
+cert.sign(root_key, OpenSSL::Digest::SHA256.new)
+
+File.write('ruby_user.crt', cert)
+File.write('ruby_user.pub', cert.public_key)

data/spec/certs/ruby_user.crt

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDQDCCAiigAwIBAgIBAjANBgkqhkiG9w0BAQsFADBCMRMwEQYKCZImiZPyLGQB
+GRYDb3JnMRkwFwYKCZImiZPyLGQBGRYJcnVieS1sYW5nMRAwDgYDVQQDDAdSdWJ5
+IENBMB4XDTE0MTAyMTE0MTU0NFoXDTE1MTAyMTE0MTU0NFowUjETMBEGCgmSJomT
+8ixkARkWA29yZzEZMBcGCgmSJomT8ixkARkWCXJ1YnktbGFuZzEgMB4GA1UEAwwX
+UnVieSBjZXJ0aWZpY2F0ZSByYmNlcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
+ggEKAoIBAQDA2Cb1QoNx7ghJv/q7yzAr89zyQbOr7wJN+X9/qfRTZi7o31JRrO21
+4VFAQeLdf2InfH/yGcME/6dRm0Y9priOShPkRTrerxD8Xf7df/u/R2cUW6WcQUuB
+fFHp8f1FcYuwxsX2gFNpboukRfWSgIvkXG+BAl/HSUjPyjiEYYTk2nkjOUmFObA8
+ip7xJ2n+ZyHl4SggvC+C8QmDQt3dBsZ3C2BovtJ6YQRMJjaEXGWl2fxJfgnJ94aq
+/M3TP5OUvnwDh8MJq4LuPNPc2PBAAvrQ0SFUaZxlxt9cWtnEGhT6jejBWrik8BNk
+YGrU9HIpYeg4a9i5GRDZ6s/xlZ4X+pjlAgMBAAGjMTAvMA4GA1UdDwEB/wQEAwIH
+gDAdBgNVHQ4EFgQUPGVKgxbUCl/OiPHnzeN3qR5BMe4wDQYJKoZIhvcNAQELBQAD
+ggEBAFnSbIvnYubRuEcGux5m1y2UlzSg/GyNDhnWsfPqQQ7FfolFTk6W8+xKuRSg
+foiuV2Od0n1nBMd9ePzoF5QabMHCK1Al2o/P7PkUPgmuAnWWdTLikNtt6H6v9WLe
+R9Ng37xv9jOVFOQjYCYvc94cJe1OBXW7ppkRY3kUQQbIrO7Imwi8gB8KT4qwu/Ld
+Xt53I/aFMQ0JSkqhJ4Bhff/Ol2RcDjEt4U6Hne6lRVB9qCAz0gE8MN4HagWOlS1U
+Nxd+cde+JIVBHuDz63gExGPCdLBRL/Mi3LORpZT41/ryw3JCqTir0dgPXsVTtJPr
+iMZ2EcsmShyBUKKj2AIok5gZzgM=
+-----END CERTIFICATE-----

data/spec/certs/ruby_user.pub

@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwNgm9UKDce4ISb/6u8sw
+K/Pc8kGzq+8CTfl/f6n0U2Yu6N9SUaztteFRQEHi3X9iJ3x/8hnDBP+nUZtGPaa4
+jkoT5EU63q8Q/F3+3X/7v0dnFFulnEFLgXxR6fH9RXGLsMbF9oBTaW6LpEX1koCL
+5FxvgQJfx0lIz8o4hGGE5Np5IzlJhTmwPIqe8Sdp/mch5eEoILwvgvEJg0Ld3QbG
+dwtgaL7SemEETCY2hFxlpdn8SX4JyfeGqvzN0z+TlL58A4fDCauC7jzT3NjwQAL6
+0NEhVGmcZcbfXFrZxBoU+o3owVq4pPATZGBq1PRyKWHoOGvYuRkQ2erP8ZWeF/qY
+5QIDAQAB
+-----END PUBLIC KEY-----

data/spec/fixtures/valid_auth.json

@@ -0,0 +1,27 @@
+{
+  "citizenshipStatus": "US",
+  "country": "USA",
+  "dn": "cn=pr. twilight sparkle,ou=c001,ou=mlp,ou=pny,o=princesses of celestia,c=us",
+  "email": "twilight@example.org",
+  "firstName": "twilight",
+  "lastName": "sparkle",
+  "fullName": "twilight sparkle",
+  "grantBy": [
+    "princess celestia"
+  ],
+  "organizations": [
+    "princesses",
+    "librarians",
+    "unicorns"
+  ],
+  "uid": "twilight.sparkle",
+  "dutyorg": "ponyville library",
+  "visas": [
+    "EQUESTRIA",
+    "CLOUDSDALE"
+  ],
+  "affiliations": [
+    "WONDERBOLTS"
+  ],
+  "telephoneNumber": "555-555-5555"
+}

data/spec/fixtures/valid_auth.xml

@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<userinfo>
+  <citizenshipStatus>US</citizenshipStatus>
+  <country>USA</country>
+  <dn>cn=pr. twilight sparkle,ou=c001,ou=mlp,ou=pny,o=princesses of celestia,c=us</dn>
+  <email>twilight@example.org</email>
+  <firstName>twilight</firstName>
+  <lastName>sparkle</lastName>
+  <fullName>twilight sparkle</fullName>
+  <grantBy>princess celestia</grantBy>
+  <organizations>princesses</organizations>
+  <organizations>librarians</organizations>
+  <organizations>unicorns</organizations>
+  <uid>twilight.sparkle</uid>
+  <dutyorg>ponyville library</dutyorg>
+  <visas>EQUASTRIA</visas>
+  <visas>CLOUDSDALE</visas>
+  <affiliations>WONDERBOLTS</affiliations>
+  <telephoneNumber>555-555-5555</telephoneNumber>
+</userinfo>

data/spec/omniauth/strategies/dice_integrations_spec.rb

@@ -0,0 +1,201 @@
+require 'spec_helper'
+require'dnc'
+
+class MockDice; end
+describe OmniAuth::Strategies::Dice, type: :strategy do
+  attr_accessor :app
+  let(:auth_hash)        { full_auth_hash }
+  let!(:user_cert)       { File.read('spec/certs/ruby_user.crt') }
+  let!(:raw_dn)          { '/DC=org/DC=ruby-lang/CN=Ruby certificate rbcert' }
+  let!(:user_dn)         { DN.new(dn_string: '/DC=org/DC=ruby-lang/CN=Ruby certificate rbcert') }
+  let(:raw_issuer_dn)    { '/DC=org/DC=ruby-lang/CN=Ruby CA' }
+  let(:issuer_dn)        { 'CN=RUBY CA,DC=RUBY-LANG,DC=ORG' }
+  let!(:valid_user_json) { File.read('spec/fixtures/valid_auth.json') }
+  let(:valid_user_xml)   { File.read('spec/fixtures/valid_auth.xml') }
+
+  def full_auth_hash
+    {
+      "provider"=>"Dice",
+      "uid"=>"cn=ruby certificate rbcert,dc=ruby-lang,dc=org",
+      "extra" => {
+        "raw_info" => valid_user_json
+      },
+      "info" => {
+        "dn" => "cn=pr. twilight sparkle,ou=c001,ou=mlp,ou=pny,o=princesses of celestia,c=us",
+        "email" => "twilight@example.org",
+        "first_name"  => "twilight",
+        "last_name"   => "sparkle",
+        "full_name"   => "twilight sparkle",
+        "common_name" => "pr. twilight sparkle",
+        "name"        => "pr. twilight sparkle",
+        "citizenship_status" => "US",
+        "country" => "USA",
+        "grant_by" => [
+          "princess celestia"
+        ],
+        "organizations" => [
+          "princesses",
+          "librarians",
+          "unicorns"
+        ],
+        "uid" => "twilight.sparkle",
+        "dutyorg" => "ponyville library",
+        "visas" => [
+          "EQUESTRIA",
+          "CLOUDSDALE"
+        ],
+        "affiliations" => [
+          "WONDERBOLTS"
+        ],
+        "telephone_number" => "555-555-5555",
+        "primary_visa?" => true,
+        "likely_npe?"  => false
+      }
+    }
+  end
+
+  # customize rack app for testing, if block is given, reverts to default
+  # rack app after testing is done
+  def set_app!(dice_options = {})
+    dice_options = {:model => MockDice}.merge(dice_options)
+    old_app = self.app
+    self.app = Rack::Builder.app do
+      use Rack::Session::Cookie, :secret => '1337geeks'
+      use RackSessionAccess::Middleware
+      use OmniAuth::Strategies::Dice, dice_options
+      run lambda{|env| [404, {'env' => env}, ["HELLO!"]]}
+    end
+    if block_given?
+      yield
+      self.app = old_app
+    end
+    self.app
+  end
+
+  before(:all) do
+    defaults={
+      cas_server: 'http://example.org',
+      authentication_path: '/dn'
+    }
+    set_app!(defaults)
+  end
+
+
+  describe '#request_phase' do
+    it 'should fail without a client DN' do
+      expect { get '/auth/dice' }.to raise_error(OmniAuth::Error, 'You need a valid DN to authenticate.')
+    end
+
+    it "should set the client & issuer's DN (from certificate)" do
+      header 'Ssl-Client-Cert', user_cert
+      get '/auth/dice'
+      expect(last_request.env['HTTP_SSL_CLIENT_CERT']).to eq(user_cert)
+      expect(last_request.url).to eq('http://example.org/auth/dice')
+      expect(last_request.env['rack.session']['omniauth.params']['user_dn']).to eq(user_dn.to_s)
+      expect(last_request.env['rack.session']['omniauth.params']['issuer_dn']).to eq(issuer_dn)
+      expect(last_response.location).to eq('http://example.org/auth/dice/callback')
+    end
+
+    it "should set the client's DN (from header)" do
+      header 'Ssl-Client-S-Dn', raw_dn
+      get '/auth/dice'
+      expect(last_request.env['HTTP_SSL_CLIENT_S_DN']).to eq(raw_dn)
+      expect(last_request.url).to eq('http://example.org/auth/dice')
+      expect(last_request.env['rack.session']['omniauth.params']['user_dn']).to eq(user_dn.to_s)
+      expect(last_request.env['rack.session']['omniauth.params']['issuer_dn']).to be_nil
+      expect(last_response.location).to eq('http://example.org/auth/dice/callback')
+    end
+
+    it "should set the issuer's DN (from header)" do
+      header 'Ssl-Client-S-Dn', raw_dn
+      header 'Ssl-Client-I-Dn', raw_issuer_dn
+      get '/auth/dice'
+      expect(last_request.env['HTTP_SSL_CLIENT_I_DN']).to eq(raw_issuer_dn)
+      expect(last_request.url).to eq('http://example.org/auth/dice')
+      expect(last_request.env['rack.session']['omniauth.params']['issuer_dn']).to eq(issuer_dn)
+      expect(last_response.location).to eq('http://example.org/auth/dice/callback')
+    end
+  end
+
+  describe '#callback_phase' do
+    before(:each) do
+      set_app!({
+        cas_server:          'https://example.org:3000',
+        authentication_path: '/dn',
+        dnc_options: { transformation: 'downcase' },
+        ssl_config:  {
+          ca_file:     'spec/certs/CA.pem',
+          client_cert: 'spec/certs/client.pem',
+          client_key:  'spec/certs/key.np.pem'
+        },
+        primary_visa: 'CLOUDSDALE'
+      })
+
+      stub_request(:get, "https://example.org:3000/dn/cn=ruby%20certificate%20rbcert,dc=ruby-lang,dc=org/info.json?issuerDN=cn=ruby%20ca,dc=ruby-lang,dc=org").
+        with(:headers => {'Accept'=>'application/json', 'Content-Type'=>'application/json', 'Host'=>'example.org:3000', 'User-Agent'=>/^Faraday via Ruby.*$/, 'X-Xsrf-Useprotection'=>'false'}).
+      to_return(status: 200, body: valid_user_json, headers: {})
+    end
+
+    context 'success' do
+      it 'should return a 200 with a JSON object of user information on success' do
+        header 'Ssl-Client-Cert', user_cert
+        get '/auth/dice'
+        follow_redirect!
+        expect(last_response.location).to eq('/')
+        raw_info = last_request.env['rack.session']['omniauth.auth']['extra']['raw_info']
+        expect(raw_info).to eq(valid_user_json)
+      end
+
+      it 'should return an omniauth auth_hash' do
+        header 'Ssl-Client-Cert', user_cert
+        get '/auth/dice'
+        follow_redirect!
+        expect(last_response.location).to eq('/')
+        raw_info = last_request.env['rack.session']['omniauth.auth']['extra']['raw_info']
+        expect(last_request.env['rack.session']['omniauth.auth']).to be_kind_of(Hash)
+        ap '>'*40
+        ap last_request.env['rack.session']['omniauth.auth'].sort
+        ap '<'*40
+        ap auth_hash.sort
+        expect(last_request.env['rack.session']['omniauth.auth'].sort).to eq(auth_hash.sort)
+      end
+
+      it 'should return a 200 with an XML object of user information on success' do
+        set_app!({
+          cas_server:          'https://example.org:3000',
+          authentication_path: '/dn',
+          format_header:       'application/xml',
+          format:              'xml',
+          dnc_options: { transformation: 'downcase' },
+          ssl_config:  {
+            ca_file:     'spec/certs/CA.pem',
+            client_cert: 'spec/certs/client.pem',
+            client_key:  'spec/certs/key.np.pem'
+          }
+        })
+        stub_request(:get, "https://example.org:3000/dn/cn=ruby%20certificate%20rbcert,dc=ruby-lang,dc=org/info.xml?issuerDN=cn=ruby%20ca,dc=ruby-lang,dc=org").
+        with(:headers => {'Accept'=>'application/xml', 'Content-Type'=>'application/xml', 'Host'=>'example.org:3000', 'User-Agent'=>/^Faraday via Ruby.*$/, 'X-Xsrf-Useprotection'=>'false'}).
+        to_return(status: 200, body: valid_user_xml, headers: {})
+
+        header 'Ssl-Client-Cert', user_cert
+        get '/auth/dice'
+        follow_redirect!
+        expect(last_response.location).to eq('/')
+        raw_info = last_request.env['rack.session']['omniauth.auth']['extra']['raw_info']
+        expect(raw_info).to eq(valid_user_xml)
+      end
+    end
+
+    context 'fail' do
+      it 'should raise a 404 with text for a non-existent user DN' do
+        stub_request(:get, "https://example.org:3000/dn/cn=ruby%20certificate%20rbcert,dc=ruby-lang,dc=org/info.json?issuerDN=cn=ruby%20ca,dc=ruby-lang,dc=org").
+        with(:headers => {'Accept'=>'application/json', 'Content-Type'=>'application/json', 'Host'=>'example.org:3000', 'User-Agent'=>/^Faraday via Ruby.*$/, 'X-Xsrf-Useprotection'=>'false'}).
+        to_return(status: 404, body: "User of dn:cn=ruby certificate rbcert,dc=ruby-lang,dc=org not found", headers: {})
+
+        header 'Ssl-Client-Cert', user_cert
+        get '/auth/dice'
+        expect { get '/auth/dice'; follow_redirect! }.to raise_error(OmniAuth::Error, 'invalid_credentials')
+      end
+    end
+  end
+end

data/spec/omniauth/strategies/dice_spec.rb

@@ -0,0 +1,161 @@
+require 'spec_helper'
+
+describe OmniAuth::Strategies::Dice do
+  let!(:app)            { TestRackApp.new }
+  let(:invalid_subject) { OmniAuth::Strategies::Dice.new(app) }
+  let(:dice_default_opts) { {
+    cas_server: 'https://dice.dev',
+    authentication_path: '/users'
+  } }
+  let(:valid_subject)   {
+    OmniAuth::Strategies::Dice.new(app, dice_default_opts )
+  }
+  let!(:client_dn_from_cert) { '/DC=org/DC=ruby-lang/CN=Ruby certificate rbcert' }
+  let(:client_dn_reversed)   { client_dn_from_cert.split('/').reverse.join('/') }
+  let(:formatted_client_dn)  { 'CN=RUBY CERTIFICATE RBCERT,DC=RUBY-LANG,DC=ORG' }
+
+  # Travis-CI hack?
+  before(:all) do
+    @rack_env = ENV['RACK_ENV']
+    ENV['RACK_ENV'] = 'test'
+  end
+
+  context "invalid params" do
+    subject { invalid_subject }
+    let(:subject_without_authentication_path) { OmniAuth::Strategies::Dice.new(app, cas_server: 'https://dice.dev') }
+
+    it 'should require a cas server url' do
+      expect{ subject }.to raise_error(RequiredCustomParamError, "omniauth-dice error: cas_server is required")
+    end
+
+    it 'should require an authentication path' do
+      expect{ subject_without_authentication_path }.to raise_error(RequiredCustomParamError, "omniauth-dice error: authentication_path is required")
+    end
+  end
+
+  context "defaults" do
+    subject { valid_subject }
+    it 'should have the correct name' do
+      expect(subject.options.name).to eq('dice')
+    end
+
+    it "should return the default options" do
+      expect(subject.options.format).to        eq('json')
+      expect(subject.options.format_header).to eq('application/json')
+    end
+  end
+
+  context "configured with options" do
+    subject { valid_subject }
+
+    it 'should have the configured CAS server URL' do
+      expect(subject.options.cas_server).to eq("https://dice.dev")
+    end
+
+    it 'should have the configured authorization path' do
+      expect(subject.options.authentication_path).to eq('/users')
+    end
+  end
+
+  context ".format_dn" do
+    subject { valid_subject }
+
+    it 'should ensure the client DN format is in the proper order' do
+      formatted_cert_dn = subject.format_dn(client_dn_from_cert)
+      expect(formatted_cert_dn).to eq(formatted_client_dn)
+
+      formatted_reverse_client_dn = subject.format_dn(client_dn_reversed)
+      expect(formatted_reverse_client_dn).to eq(formatted_client_dn)
+    end
+  end
+
+  context ".set_name" do
+    before do
+      @info_hash = {
+        'common_name' => 'twilight.sparkle',
+        'full_name'   => 'Princess Twilight Sparkle',
+        'first_name'  => 'twilight',
+        'last_name'   => 'sparkle'
+      }
+    end
+
+    it 'should not set a name field if it is already defined' do
+      dice = OmniAuth::Strategies::Dice.new( app, dice_default_opts )
+      name = dice.send( :set_name, @info_hash.merge({'name' => 'nightmare moon'}) )
+      expect(name).to eq('nightmare moon')
+    end
+
+    it 'should default to :cn then :first_name and finally :first_last_name' do
+      dice = OmniAuth::Strategies::Dice.new( app, dice_default_opts )
+      # With only full_name available
+      name = dice.send(:set_name, { 'full_name' => @info_hash['full_name'] })
+      expect(name).to eq(@info_hash['full_name'])
+      # With only first_name and last_name available
+      name = dice.send(:set_name, { 'first_name' => @info_hash['first_name'], 'last_name' => @info_hash['last_name'] })
+      expect(name).to eq("#{@info_hash['first_name']} #{@info_hash['last_name']}")
+      # With only the dn available
+      name = dice.send(:set_name, { 'common_name' => @info_hash['common_name'] })
+      expect(name).to eq(@info_hash['common_name'])
+    end
+
+    it 'should support custom name formatting set as :cn' do
+      dice = OmniAuth::Strategies::Dice.new( app, dice_default_opts.merge({name_format: :cn}) )
+      name = dice.send(:set_name, @info_hash)
+      expect(name).to eq(@info_hash['common_name'])
+    end
+
+    it 'should support custom name formatting set as :full_name' do
+      dice = OmniAuth::Strategies::Dice.new( app, dice_default_opts.merge({name_format: :full_name}) )
+      name = dice.send(:set_name, @info_hash)
+      expect(name).to eq(@info_hash['full_name'])
+    end
+
+    it 'should support custom name formatting set as :first_last_name' do
+      dice = OmniAuth::Strategies::Dice.new( app, dice_default_opts.merge({name_format: :first_last_name}) )
+      name = dice.send(:set_name, @info_hash)
+      expect(name).to eq("#{@info_hash['first_name']} #{@info_hash['last_name']}")
+    end
+  end
+
+  context ".identify_npe" do
+    before do
+      @dice = OmniAuth::Strategies::Dice.new( app, dice_default_opts )
+      @all_info = {
+        'dn'          => 'cn=twilight.sparkle,ou=c001,ou=mlp,ou=pny,o=princesses of celestia,c=us',
+        'full_name'   => 'Princess Twilight Sparkle',
+        'first_name'  => 'twilight',
+        'last_name'   => 'sparkle',
+        'email'       => 'twilight@example.org'
+      }
+    end
+
+    it "should identify a client as a likely npe when the CN contains a *.tld" do
+      npe = @dice.send( :identify_npe, @all_info.merge({'common_name' => 'twilight.mlp.com'}) )
+      expect(npe).to eq(true)
+    end
+
+    it "should identify a client as a likely npe when there is a DN & no email" do
+      ['email'].each { |k| @all_info.delete(k) }
+      npe = @dice.send(:identify_npe, @all_info)
+      expect(npe).to eq(true)
+    end
+
+    it "should identify a client as a likely npe when there is a DN, email, and NO name fields" do
+      ['full_name', 'first_name', 'last_name'].each { |k| @all_info.delete(k) }
+      npe = @dice.send(:identify_npe, @all_info)
+      expect(npe).to eq(true)
+    end
+
+    it "should identify a client as not an npe when there is a DN, email, and ANY name field" do
+      name_keys = ['full_name', 'first_name', 'last_name']
+      names = ['Twilight Sparkle', 'Twilight', 'Sparkle']
+      name_keys.each{ |key| @all_info.delete(key) }
+      name_keys.each_with_index do |key, index|
+        name_hash = @all_info.dup
+        name_hash[key] = names[index]
+        npe = @dice.send(:identify_npe, name_hash)
+        expect(npe).to eq(false)
+      end
+    end
+  end
+end