RubyGems - authlogic_crowd - Versions diffs - 0.2.4 → 0.3.0.pre.2 - Mend

authlogic_crowd 0.2.4 → 0.3.0.pre.2

Files changed (16) hide show

data/.document +5 -5
data/Gemfile +3 -0
data/README.markdown +173 -0
data/Rakefile +1 -21
data/authlogic_crowd.gemspec +17 -37
data/lib/authlogic_crowd.rb +8 -9
data/lib/authlogic_crowd/acts_as_authentic.rb +185 -138
data/lib/authlogic_crowd/acts_as_authentic_callbacks.rb +32 -26
data/lib/authlogic_crowd/crowd_synchronizer.rb +97 -0
data/lib/authlogic_crowd/session.rb +358 -302
data/lib/authlogic_crowd/version.rb +1 -1
metadata +51 -62
data/README.rdoc +0 -14
data/lib/authlogic_crowd/session_callbacks.rb +0 -19
data/test/helper.rb +0 -13
data/test/test_authlogic_crowd.rb +0 -7

data/lib/authlogic_crowd/acts_as_authentic_callbacks.rb CHANGED Viewed

@@ -1,26 +1,32 @@
-module AuthlogicCrowd
-  module ActsAsAuthenticCallbacks
-    def self.included(klass)
-      klass.class_eval do
-        add_acts_as_authentic_module(Methods, :prepend)
-      end
-    end
-    module Methods
-      METHODS = [
-        "sync_on_create"
-      ]
-      def self.included(base)
-        base.send :include, ActiveSupport::Callbacks
-        base.define_callbacks *METHODS
-      end
-      private
-      METHODS.each do |method|
-        class_eval <<-"end_eval", __FILE__, __LINE__
-          def #{method}
-            run_callbacks(:#{method}) { |result, object| result == false }
-          end
-        end_eval
-      end
-    end
-  end
-end
+module AuthlogicCrowd
+  module ActsAsAuthenticCallbacks
+    METHODS = [
+      # Fired when a local record is synced from a crowd record (usually on login)
+      "before_sync_from_crowd", "sync_from_crowd", "after_sync_from_crowd",
+      # Fired when a new local record is created by crowd (usually because a
+      # user logged in using crowd credentials)
+      "before_create_from_crowd", "after_create_from_crowd",
+      # Fired when a local record is synced to a crowd record (usually when creating a local record)
+      "before_sync_to_crowd", "sync_to_crowd", "after_sync_to_crowd",
+      # Fired when a creating a new crowd record (usually because a new local
+      # record was created)
+      "before_create_crowd_record", "after_create_crowd_record",
+    ]
+    def self.included(klass)
+      klass.define_callbacks *METHODS
+    end
+    private
+    METHODS.each do |method|
+      class_eval <<-"end_eval", __FILE__, __LINE__
+        def #{method}
+          run_callbacks(:#{method}) { |result, object| result == false }
+        end
+      end_eval
+    end
+  end
+end

data/lib/authlogic_crowd/crowd_synchronizer.rb ADDED Viewed

@@ -0,0 +1,97 @@
+module AuthlogicCrowd
+  class CrowdSynchronizer
+    attr_accessor :klass, :crowd_client, :local_record
+    def initialize(klass, crowd_client, local_record=nil, crowd_record=nil)
+      self.klass = klass
+      self.crowd_client = crowd_client
+      self.local_record = local_record if local_record
+      self.crowd_record = crowd_record if crowd_record
+      @syncing = false
+    end
+    def local_record=(val)
+      @local_record = val
+      @local_record.crowd_synchronizer = self if @local_record
+      @local_record.crowd_record = @crowd_record if @local_record && @crowd_record
+    end
+    def crowd_record
+      @crowd_record ||= @local_record.crowd_record if @local_record
+      @crowd_record
+    end
+    def crowd_record=(val)
+      @crowd_record = val
+      @local_record.crowd_record = @crowd_record if @local_record
+    end
+    def create_crowd_record
+      if local_record.before_create_crowd_record
+        self.crowd_record = SimpleCrowd::User.new({:username => local_record.send(klass.login_field)})
+        if sync_to_crowd(true)
+          local_record.after_create_crowd_record
+          return crowd_record
+        end
+      end
+      nil
+    end
+    def sync_to_crowd(new_record=false)
+      return unless local_record && crowd_record
+      return if @syncing
+      if local_record.before_sync_to_crowd
+        @syncing = true
+        begin
+          local_record.sync_to_crowd
+          if new_record || crowd_record.dirty? || local_record.crowd_password_changed?
+            if new_record
+              crowd_client.add_user crowd_record, local_record.crowd_password
+            else
+              crowd_client.update_user crowd_record
+              if local_record.crowd_password_changed? && local_record.crowd_password
+                crowd_client.update_user_credential crowd_record.username, local_record.crowd_password
+              end
+            end
+          end
+        ensure
+          @syncing = false
+        end
+        local_record.after_sync_to_crowd
+        return true
+      end
+      false
+    end
+    def create_record_from_crowd
+      self.local_record = klass.new
+      if local_record.before_create_from_crowd
+        local_record.send(:"#{klass.login_field}=", crowd_record.username) if local_record.respond_to?(:"#{klass.login_field}=")
+        sync_from_crowd
+        if local_record.save_without_session_maintenance
+          local_record.after_create_from_crowd
+          return local_record
+        end
+      end
+      nil
+    end
+    def sync_from_crowd
+      return unless local_record && crowd_record
+      return if @syncing
+      if local_record.before_sync_from_crowd
+        @syncing = true
+        begin
+          local_record.sync_from_crowd
+          local_record.save_without_session_maintenance if local_record.changed?
+        ensure
+          @syncing = false
+        end
+        local_record.after_sync_from_crowd
+      end
+    end
+  end
+end

data/lib/authlogic_crowd/session.rb CHANGED Viewed

@@ -1,302 +1,358 @@
-module AuthlogicCrowd
-  module Session
-    def self.included(klass)
-      klass.class_eval do
-        extend Config
-        include Methods
-      end
-    end
-    module Config
-      # Single Signout (defaults to true)
-      # @param [Boolean] value
-      def crowd_sso(value=nil)
-        rw_config(:crowd_sso, value, true)
-      end
-      alias_method :crowd_sso=, :crowd_sso
-      def crowd_sso?
-        crowd_sso
-      end
-      # Auto Register is enabled by default.
-	  # Add this in your Session object if you need to disable auto-registration via crowd
-      def auto_register(value=true)
-        auto_register_value(value)
-      end
-      def auto_register_value(value=nil)
-        rw_config(:auto_register,value,true)
-      end
-      alias_method :auto_register=,:auto_register
-      def crowd_user_token= token
-        # Dup token before storing to make sure we store a pure string to avoid session serialization issues.
-        token = token.dup if token
-        session_user_token = controller && controller.session[:"crowd.token_key"]
-        cookie_user_token = crowd_sso? && controller && controller.cookies[:"crowd.token_key"]
-        @crowd_client ||= SimpleCrowd::Client.new({
-          :service_url => klass.crowd_service_url,
-          :app_name => klass.crowd_app_name,
-          :app_password => klass.crowd_app_password})
-        crowd_cookie_info = self.crowd_cookie_info(@crowd_client)
-        controller.session[:"crowd.token_key"] = token unless session_user_token == token || !controller
-        controller.cookies[:"crowd.token_key"] = {:domain => crowd_cookie_info[:domain],
-                                                  :secure => crowd_cookie_info[:secure],
-                                                  :value => token} unless cookie_user_token == token || !crowd_sso? || !controller
-      end
-      def crowd_user_token
-        controller && (controller.params["crowd.token_key"] || controller.cookies[:"crowd.token_key"] || controller.session[:"crowd.token_key"])
-      end
-      def crowd_cookie_info(crowd_client)
-        Rails.cache.fetch('crowd_cookie_info') do
-          # Strings returned by crowd contain singleton methods which cannot
-          # be serialized into the Rails.cache.  Do a shallow dup of each string
-          # in the returned hash
-          crowd_client.get_cookie_info.inject({}) do |cookie_info, (key, val)|
-            cookie_info[key] = val ? val.dup : val
-            cookie_info
-          end
-        end
-      end
-    end
-    module Methods
-      def self.included(klass)
-        klass.class_eval do
-          attr_accessor :new_registration
-          validate :validate_by_crowd, :if => :authenticating_with_crowd?
-          persist :validate_by_crowd, :if => :authenticating_with_crowd?
-          after_create :sync_with_crowd, :if => :authenticating_with_crowd?
-          before_destroy :logout_of_crowd, :if => [:authenticating_with_crowd?, :sso?]
-        end
-      end
-      # Temporary storage of crowd record for syncing purposes
-      attr_accessor :crowd_record
-      # Determines if the authenticated user is also a new registration.
-      # For use in the session controller to help direct the most appropriate action to follow.
-      def new_registration?
-        new_registration || !new_registration.nil?
-      end
-      # Determines if the authenticated user has a complete registration (no validation errors)
-      # For use in the session controller to help direct the most appropriate action to follow.
-      def registration_complete?
-        attempted_record && attempted_record.valid?
-      end
-      def auto_register?
-        self.class.auto_register_value
-      end
-      protected
-      # Determines whether to use crowd to authenticate and validate the current request
-      # For now we assume the app wants to use Crowd exclusively.
-      # Use crowd authentication if tokens are present or if login/password is available but not valid or is blank in db
-      # TODO: Add flexibility regarding multiple authentication methods and identity mapping
-      def authenticating_with_crowd?
-        errors.empty? &&
-        !klass.crowd_app_name.blank? &&
-        !klass.crowd_app_password.blank? &&
-        ((login_field && (!send(login_field).nil? || !send("protected_#{password_field}").nil?)) ||
-          controller && (controller.cookies[:"crowd.token_key"] || controller.session[:"crowd.token_key"] || controller.params["crowd.token_key"]))
-      end
-      def authenticating_with_password?
-        !authenticating_with_crowd? && login_field && (!send(login_field).nil? || !send("protected_#{password_field}").nil?)
-      end
-      def sso?
-        self.class.crowd_sso
-      end
-#      def credentials
-#        if authenticating_with_crowd?
-#          details = {}
-#          details[login_field.to_sym] = send(login_field)
-#          details[password_field.to_sym] = "<protected>"
-#          details[crowd_user_token_field.to_sym] = send(crowd_user_token_field)
-#          details
-#        else
-#          super
-#        end
-#      end
-      def credentials=(value)
-        super
-        values = value.is_a?(Array) ? value : [value]
-        if values.first.is_a?(Hash)
-          values.first.with_indifferent_access.slice(login_field, password_field).each do |field, value|
-            next if value.blank?
-            send("#{field}=", value)
-          end
-        end
-      end
-      private
-      # Main session validation using Crowd user token.
-      # Uses simple_crowd to verify the user token on the configured crowd server
-      # If no *local* user is found and auto_register is enabled (default) then automatically create *local* user for them
-      # TODO: Cleanup and figure out reason for duplicate calls
-      def validate_by_crowd
-        begin
-        load_crowd_app_token
-        login = send(login_field) || (unauthorized_record && unauthorized_record.login)
-        password = send("protected_#{password_field}")
-        params_user_token = controller && controller.params["crowd.token_key"]
-        session_user_token = controller && controller.session[:"crowd.token_key"]
-        cookie_user_token = sso? && controller && controller.cookies[:"crowd.token_key"]
-        user_token = crowd_user_token
-        crowd_user = nil
-        # Lets see if the user passed in an email or a login using the db
-        if !login.blank? && self.unauthorized_record.nil?
-          self.unauthorized_record = klass.respond_to?(:login_or_email_equals) ?
-                                         klass.send(:login_or_email_equals, login).first :
-                                         klass.send(find_by_login_method, login)
-          # If passed in login equals the user email then get the REAL login used by crowd instead
-          login = unauthorized_record.login if !unauthorized_record.nil? && login = unauthorized_record.email
-        end
-        if user_token && crowd_client.is_valid_user_token?(user_token)
-        elsif login && password
-          # Authenticate if we don't have token
-          user_token = crowd_client.authenticate_user login, password rescue nil
-          # Try one last time to login with crowd email field instead of login
-          if user_token.nil? && self.unauthorized_record.nil? && login =~ Authlogic::Regex.email
-            crowd_user ||= crowd_client.find_user_by_email(login)
-            if crowd_user
-              login = crowd_user.username
-              user_token = crowd_client.authenticate_user login, password rescue nil
-            end
-          end
-        else
-          user_token = nil
-        end
-        raise SimpleCrowd::CrowdError.new "No user token" if user_token.blank?
-        login = crowd_client.find_username_by_token user_token unless login &&
-                (!cookie_user_token || session_user_token == cookie_user_token) &&
-                (!params_user_token || session_user_token == params_user_token)
-        send("#{login_field}=", login)
-        self.class.crowd_user_token = user_token
-        if !self.unauthorized_record.nil? && self.unauthorized_record.login == login
-          self.attempted_record = self.unauthorized_record
-        else
-          self.attempted_record = self.unauthorized_record = klass.send(find_by_login_method, login)
-        end
-        if !attempted_record
-          # If auto_register enabled then create new user with crowd info
-          if auto_register?
-            crowd_user ||= crowd_client.find_user_by_token user_token
-            self.attempted_record = klass.new :login => crowd_user.username, :email => crowd_user.email
-            self.new_registration = true
-            self.attempted_record.crowd_record = crowd_user
-            self.crowd_record = crowd_user
-            sync
-            self.attempted_record.save_without_session_maintenance
-          else
-            errors.add_to_base("We did not find any accounts with that login. Enter your details and create an account.")
-            return false
-          end
-        end
-        rescue Exception => e
-          errors.add_to_base("Authentication failed. Please try again")
-          # Don't know why it doesn't work the first time,
-          # but if we nil the session key here then the session doesn't get deleted
-          # Leaving the token triggers the validation a second time and successfully destroys the session
-          # REMOVED AS HACK
-          # Hack to fix user_credentials not being deleted on session destroy
-          if controller
-            controller.session[:"crowd.token_key"] = nil
-            unless (send(login_field) || (unauthorized_record && unauthorized_record.login) && send("protected_#{password_field}"))
-              # Hack to try and check session without recreating it. (we only want to destroy it if it exists already)
-              # This is to avoid a infinite recursive session creation bug we had a while back
-              curr_klass = klass
-              curr_session = controller.instance_eval { @current_user_session }
-              curr_session.destroy if curr_session
-              controller.session.clear
-            end
-            # Delete by klass name instead of generic user
-            controller.cookies.delete :"#{klass.name.underscore}_credentials"
-            controller.cookies.delete :"crowd.token_key", :domain => crowd_cookie_info[:domain] if sso?
-          end
-          raise unless e.kind_of? SimpleCrowd::CrowdError
-          false
-        end
-      end
-      def sync_with_crowd
-        # If it's a new registration then the crowd data was just pulled, so skip syncing on login
-        unless new_registration? || !self.attempted_record
-          login = send(login_field) || (!attempted_record.nil? && attempted_record.login)
-          user_token = controller && (controller.params["crowd.token_key"] || controller.cookies[:"crowd.token_key"] || controller.session[:"crowd.token_key"])
-          crowd_user = if login
-            crowd_client.find_user_by_name login
-          elsif user_token
-            crowd_client.find_user_by_token user_token
-          end
-          if crowd_user && before_sync
-            self.crowd_record = crowd_user
-            # Callbacks to sync data
-            sync
-            self.attempted_record.save
-            after_sync
-          end
-        end
-      end
-      # Single Sign-out
-      def logout_of_crowd
-        # Send an invalidate call for single signout
-        # Apparently there is no way of knowing if this was successful or not.
-        crowd_client.invalidate_user_token crowd_user_token unless crowd_user_token.nil?
-        # Remove cookie and session
-        if controller
-          controller.session[:"crowd.token_key"] = nil
-          controller.cookies.delete :"crowd.token_key", :domain => crowd_cookie_info[:domain] if sso?
-          controller.cookies.delete :"#{klass.name.underscore}_credentials"
-        end
-        true
-      end
-      def crowd_user_token
-        self.class.crowd_user_token
-      end
-      def crowd_client
-        @crowd_client ||= SimpleCrowd::Client.new(crowd_config)
-      end
-      def load_crowd_app_token
-        crowd_app_token = Rails.cache.read('crowd_app_token')
-        if crowd_app_token.nil?
-          crowd_app_token = crowd_client.app_token
-          # Strings returned by crowd contain singleton methods which cannot
-          # be serialized into the Rails.cache.  Duping the strings removes the
-          # singleton methods.
-          Rails.cache.write('crowd_app_token', crowd_app_token.dup)
-        else
-          crowd_client.app_token = crowd_app_token
-        end
-        crowd_app_token
-      end
-      def crowd_cookie_info
-        @crowd_cookie_info ||= self.class.crowd_cookie_info(crowd_client)
-      end
-      def crowd_config
-        {:service_url => klass.crowd_service_url,
-          :app_name => klass.crowd_app_name,
-          :app_password => klass.crowd_app_password}
-      end
-    end
-  end
-end
+module AuthlogicCrowd
+  module Session
+    def self.included(klass)
+      klass.class_eval do
+        extend Config
+        include InstanceMethods
+        attr_accessor :new_registration
+        persist :persist_by_crowd, :if => :authenticating_with_crowd?
+        validate :validate_by_crowd, :if => [:authenticating_with_crowd?, :needs_crowd_validation?]
+        before_destroy :logout_of_crowd, :if => :authenticating_with_crowd?
+        after_create(:if => :authenticating_with_crowd?, :unless => :new_registration?) do |s|
+          synchronizer = s.crowd_synchronizer
+          synchronizer.local_record = s.record
+          synchronizer.crowd_record = s.crowd_record
+          synchronizer.sync_from_crowd
+        end
+      end
+    end
+    # Configuration for the crowd feature.
+    module Config
+      # How often should Crowd re-authorize (in seconds).  Default is 0 (always re-authorize)
+      def crowd_auth_every(value = nil)
+        rw_config(:crowd_auth_every, value, 0)
+      end
+      alias_method :crowd_auth_every=, :crowd_auth_every
+      # Should a new local record be created for existing Crowd users with no
+      # matching local record?
+      # Default is true.
+	    # Add this in your Session object if you need to disable auto-registration via crowd
+      def auto_register(value=true)
+        auto_register_value(value)
+      end
+      def auto_register_value(value=nil)
+        rw_config(:auto_register,value,true)
+      end
+      alias_method :auto_register=, :auto_register
+    end
+    module InstanceMethods
+      def initialize(*args)
+        super
+        @valid_crowd_user = {}
+      end
+      # Determines if the authenticated user is also a new registration.
+      # For use in the session controller to help direct the most appropriate action to follow.
+      def new_registration?
+        new_registration || !new_registration.nil?
+      end
+      def auto_register?
+        self.class.auto_register_value
+      end
+      def crowd_record
+        if @valid_crowd_user[:user_token] && !@valid_crowd_user.has_key?(:record)
+          @valid_crowd_user[:record] = crowd_client.find_user_by_token(@valid_crowd_user[:user_token])
+        end
+        @valid_crowd_user[:record]
+      end
+      def crowd_client
+        @crowd_client ||= klass.crowd_client
+      end
+      def crowd_synchronizer
+        @crowd_synchronizer ||= klass.crowd_synchronizer(crowd_client)
+      end
+      private
+      def authenticating_with_crowd?
+        klass.using_crowd? && (authenticated_by_crowd? || has_crowd_user_token? || has_crowd_credentials?)
+      end
+      # Use the Crowd to "log in" the user using the crowd.token_key
+      # cookie/parameter.  If the token_key is valid and returns a valid Crowd
+      # user, the find_by_login_method is called to find the appropriate local
+      # user/record.
+      #
+      # If no *local* record is found and auto_register is enabled (default)
+      # then automatically create *local* record for them.
+      #
+      # This method enables a Crowd user to log in without having to explicity
+      # log in to this app.  Once a Crowd user has authenticated with this app
+      # via this method, future requests usually use the Authlogic::Session
+      # module to persist/find users.
+      def persist_by_crowd
+        clear_crowd_auth_cache
+        return false unless has_crowd_user_token? && valid_crowd_user_token? && crowd_username
+        self.unauthorized_record = find_or_create_record_from_crowd
+        valid?
+      rescue SimpleCrowd::CrowdError => e
+        Rails.logger.warn "CROWD[#{__method__}]: Unexpected error.  #{e}"
+        return false
+      end
+      # Validates the current record/user with Crowd.  This validates the
+      # crowd.token_key cookie/parameter and/or explicit credentials.
+      #
+      # If a crowd.token_key exists and matches a previously authenticated
+      # token_key, this method will only verify the token with crowd if the
+      # last authorization was more than crowd_auth_every seconds ago (see
+      # the crowd_auth_every config option).
+      def validate_by_crowd
+        # Credentials trump a crowd.token_key.
+        # We don't even attempt to authenticated from the token key if
+        # credentials are present.
+        if has_crowd_credentials?
+          # HACK: Remove previous login/password errors since we are going to
+          # try to validate them with crowd
+          errors.instance_variable_get('@errors').delete(login_field.to_s)
+          errors.instance_variable_get('@errors').delete(password_field.to_s)
+          if valid_crowd_credentials?
+            self.attempted_record = find_or_create_record_from_crowd
+            unless self.attempted_record
+              errors.add(login_field, I18n.t('error_messages.login_not_found', :default => "is not valid"))
+            end
+          else
+            errors.add(login_field, I18n.t('error_messages.login_not_found', :default => "is not valid")) if !@valid_crowd_user[:username]
+            errors.add(password_field, I18n.t('error_messages.password_invalid', :default => "is not valid")) if @valid_crowd_user[:username]
+          end
+        elsif has_crowd_user_token?
+          unless valid_crowd_user_token? && valid_crowd_username?
+            errors.add_to_base(I18n.t('error_messages.crowd_invalid_user_token', :default => "invalid user token"))
+          end
+        elsif authenticated_by_crowd?
+          destroy
+          errors.add_to_base(I18n.t('error_messages.crowd_missing_using_token', :default => "missing user token"))
+        end
+        unless self.attempted_record.valid?
+          errors.add_to_base('record is not valid')
+        end
+        if errors.count == 0
+          # Set crowd.token_key cookie
+          save_crowd_cookie
+          # Cache crowd authorization to make future requests faster (if
+          # crowd_auth_every config is enabled)
+          cache_crowd_auth
+        end
+      rescue SimpleCrowd::CrowdError => e
+        Rails.logger.warn "CROWD[#{__method__}]: Unexpected error.  #{e}"
+        errors.add_to_base("Crowd error: #{e}")
+      end
+      # Validate the crowd.token_key (if one exists)
+      # Uses simple_crowd to verify the user token on the configured crowd server.
+      # This only checks that the token is valid with Crowd.  It does not check
+      # that the token belongs to a valid local user/record.
+      def valid_crowd_user_token?
+        unless @valid_crowd_user.has_key?(:user_token)
+          @valid_crowd_user[:user_token] = nil
+          user_token = crowd_user_token
+          if user_token
+            if crowd_client.is_valid_user_token?(user_token)
+              @valid_crowd_user[:user_token] = user_token
+            end
+          end
+        end
+        !!@valid_crowd_user[:user_token]
+      end
+      # Validate username/password using Crowd.
+      # Uses simple_crowd to verify credentials on the configured crowd server.
+      def valid_crowd_credentials?
+        login = send(login_field)
+        password = send("protected_#{password_field}")
+        return false unless login && password
+        unless @valid_crowd_user.has_key?(:credentials)
+          @valid_crowd_user[:user_token] = nil
+          # Authenticate using login/password
+          user_token = crowd_fetch {crowd_client.authenticate_user(login, password)}
+          if user_token
+            @valid_crowd_user[:user_token] = user_token
+            @valid_crowd_user[:username] = login
+          else
+            # See if the login exists
+            crecord = @valid_crowd_user[:record] = crowd_fetch {crowd_client.find_user_by_name(login)}
+            @valid_crowd_user[:username] = crecord ? crecord.username : nil
+          end
+          # Attempt to find user with crowd email field instead of principal name
+          if !@valid_crowd_user[:username] && login =~ Authlogic::Regex.email
+            crecord = @valid_crowd_user[:record] = crowd_fetch {crowd_client.find_user_by_email(login)}
+            if crecord
+              user_token = crowd_fetch {crowd_client.authenticate_user(crecord.username, password)}
+              @valid_crowd_user[:username] = crecord.username
+              @valid_crowd_user[:user_token] = user_token if user_token
+            end
+          end
+          @valid_crowd_user[:credentials] = !!@valid_crowd_user[:user_token]
+        end
+        @valid_crowd_user[:credentials]
+      end
+      # Validate the crowd username against the current record
+      def valid_crowd_username?
+        record_login = send(login_field) || (unauthorized_record && unauthorized_record.login)
+        # Use the last username if available to reduce crowd calls
+        if @valid_crowd_user[:user_token] && @valid_crowd_user[:user_token] == controller.session[:"crowd.last_user_token"]
+          crowd_login = controller.session[:"crowd.last_username"]
+        end
+        crowd_login = crowd_username unless crowd_login
+        crowd_login && crowd_login == record_login
+      end
+      def crowd_username
+        if @valid_crowd_user[:user_token] && !@valid_crowd_user.has_key?(:username)
+          crecord = crowd_record
+          @valid_crowd_user[:username] = crecord ? crecord.username : nil
+        end
+        @valid_crowd_user[:username]
+      end
+      def cache_crowd_auth
+        if @valid_crowd_user[:user_token]
+          controller.session[:"crowd.last_auth"] = Time.now
+          controller.session[:"crowd.last_user_token"] = @valid_crowd_user[:user_token].dup
+          controller.session[:"crowd.last_username"] = @valid_crowd_user[:username].dup if @valid_crowd_user[:username]
+          Rails.logger.debug "CROWD: Cached crowd authorization (#{controller.session[:"crowd.last_username"]}).  Next authorization at #{Time.now + self.class.crowd_auth_every}." if self.class.crowd_auth_every.to_i > 0
+        else
+          clear_crowd_auth_cache
+        end
+      end
+      # Clear cached crowd information
+      def clear_crowd_auth_cache
+        controller.session.delete_if {|key, val| ["crowd.last_user_token", "crowd.last_auth", "crowd.last_username"].include?(key.to_s)}
+      end
+      def save_crowd_cookie
+        if @valid_crowd_user[:user_token] && @valid_crowd_user[:user_token] != crowd_user_token
+          controller.params.delete("crowd.token_key")
+          controller.cookies[:"crowd.token_key"] = {
+            :domain => crowd_cookie_info[:domain],
+            :secure => crowd_cookie_info[:secure],
+            :value => @valid_crowd_user[:user_token],
+          }
+        end
+      end
+      def destroy_crowd_cookie
+        controller.cookies.delete(:"crowd.token_key", :domain => crowd_cookie_info[:domain])
+      end
+      # When the crowd_auth_every config option is set and the user is logged
+      # in via crowd, validation can be skipped in certain cases (token_key
+      # matches last token_key and last authorization was less than
+      # crowd_auth_every seconds).
+      def needs_crowd_validation?
+        res = true
+        if !has_crowd_credentials? && authenticated_by_crowd? && self.class.crowd_auth_every.to_i > 0
+          last_user_token = controller.session[:"crowd.last_user_token"]
+          last_auth = controller.session[:"crowd.last_auth"]
+          if last_user_token
+            if !crowd_user_token
+              Rails.logger.debug "CROWD: Re-authorization required.  Crowd token does not exist."
+            elsif last_user_token != crowd_user_token
+              Rails.logger.debug "CROWD: Re-authorization required.  Crowd token does match cached token."
+            elsif last_auth && last_auth <= self.class.crowd_auth_every.ago
+              Rails.logger.debug "CROWD: Re-authorization required.  Last authorization was at #{last_auth}."
+            elsif !last_auth
+              Rails.logger.debug "CROWD: Re-authorization required.  Unable to determine last authorization time."
+            else
+              Rails.logger.debug "CROWD: Authenticating from cache.  Next authorization at #{last_auth + self.class.crowd_auth_every}."
+              res = false
+            end
+          end
+        end
+        res
+      end
+      def find_or_create_record_from_crowd
+        return nil unless crowd_username
+        record = search_for_record(find_by_login_method, crowd_username)
+        if !record && auto_register?
+          synchronizer = crowd_synchronizer
+          synchronizer.crowd_record = crowd_record
+          record = synchronizer.create_record_from_crowd
+          self.new_registration if record
+        end
+        record
+      end
+      # Logout of crowd and remove the crowd cookie.
+      def logout_of_crowd
+        if crowd_user_token
+          # Send an invalidate call for single signout
+          # Apparently there is no way of knowing if this was successful or not.
+          begin
+            crowd_client.invalidate_user_token(crowd_user_token)
+          rescue SimpleCrowd::CrowdError => e
+            Rails.logger.debug "CROWD: logout_of_crowd #{e.message}"
+          end
+        end
+        controller.params.delete("crowd.token_key")
+        destroy_crowd_cookie
+        clear_crowd_auth_cache
+        true
+      end
+      def crowd_user_token
+        controller && (controller.params["crowd.token_key"] || controller.cookies[:"crowd.token_key"])
+      end
+      def authenticated_by_crowd?
+        !!controller.session[:"crowd.last_user_token"]
+      end
+      def has_crowd_user_token?
+        !!crowd_user_token
+      end
+      def has_crowd_credentials?
+        login_field && password_field && (!send(login_field).nil? || !send("protected_#{password_field}").nil?)
+      end
+      def crowd_cookie_info
+        @crowd_cookie_info ||= crowd_client.get_cookie_info
+      end
+      # Executes the given block, returning nil if a SimpleCrowd::CrowdError
+      # ocurrs.
+      def crowd_fetch
+        begin
+          yield
+        rescue SimpleCrowd::CrowdError => e
+          Rails.logger.debug "CROWD[#{caller[0][/`.*'/][1..-2]}]: #{e.message}"
+          nil
+        end
+      end
+    end
+  end
+end