RubyGems - authlogic_crowd - Versions diffs - 0.2.4 → 0.3.0.pre.2 - Mend

authlogic_crowd 0.2.4 → 0.3.0.pre.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

data/.document +5 -5
data/Gemfile +3 -0
data/README.markdown +173 -0
data/Rakefile +1 -21
data/authlogic_crowd.gemspec +17 -37
data/lib/authlogic_crowd.rb +8 -9
data/lib/authlogic_crowd/acts_as_authentic.rb +185 -138
data/lib/authlogic_crowd/acts_as_authentic_callbacks.rb +32 -26
data/lib/authlogic_crowd/crowd_synchronizer.rb +97 -0
data/lib/authlogic_crowd/session.rb +358 -302
data/lib/authlogic_crowd/version.rb +1 -1
metadata +51 -62
data/README.rdoc +0 -14
data/lib/authlogic_crowd/session_callbacks.rb +0 -19
data/test/helper.rb +0 -13
data/test/test_authlogic_crowd.rb +0 -7

data/lib/authlogic_crowd/acts_as_authentic_callbacks.rb CHANGED Viewed

@@ -1,26 +1,32 @@
-module AuthlogicCrowd
-  module ActsAsAuthenticCallbacks
-    def self.included(klass)
-      klass.class_eval do
-        add_acts_as_authentic_module(Methods, :prepend)
-      end
-    end
-    module Methods
-      METHODS = [
-        "sync_on_create"
-      ]
-      def self.included(base)
-        base.send :include, ActiveSupport::Callbacks
-        base.define_callbacks *METHODS
-      end
-      private
-      METHODS.each do |method|
-        class_eval <<-"end_eval", __FILE__, __LINE__
-          def #{method}
-            run_callbacks(:#{method}) { |result, object| result == false }
-          end
-        end_eval
-      end
-    end
-  end
-end
+module AuthlogicCrowd
+  module ActsAsAuthenticCallbacks
+    METHODS = [
+      # Fired when a local record is synced from a crowd record (usually on login)
+      "before_sync_from_crowd", "sync_from_crowd", "after_sync_from_crowd",
+      # Fired when a new local record is created by crowd (usually because a
+      # user logged in using crowd credentials)
+      "before_create_from_crowd", "after_create_from_crowd",
+      # Fired when a local record is synced to a crowd record (usually when creating a local record)
+      "before_sync_to_crowd", "sync_to_crowd", "after_sync_to_crowd",
+      # Fired when a creating a new crowd record (usually because a new local
+      # record was created)
+      "before_create_crowd_record", "after_create_crowd_record",
+    ]
+    def self.included(klass)
+      klass.define_callbacks *METHODS
+    end
+    private
+    METHODS.each do |method|
+      class_eval <<-"end_eval", __FILE__, __LINE__
+        def #{method}
+          run_callbacks(:#{method}) { |result, object| result == false }
+        end
+      end_eval
+    end
+  end
+end

data/lib/authlogic_crowd/crowd_synchronizer.rb ADDED Viewed

@@ -0,0 +1,97 @@
+module AuthlogicCrowd
+  class CrowdSynchronizer
+    attr_accessor :klass, :crowd_client, :local_record
+    def initialize(klass, crowd_client, local_record=nil, crowd_record=nil)
+      self.klass = klass
+      self.crowd_client = crowd_client
+      self.local_record = local_record if local_record
+      self.crowd_record = crowd_record if crowd_record
+      @syncing = false
+    end
+    def local_record=(val)
+      @local_record = val
+      @local_record.crowd_synchronizer = self if @local_record
+      @local_record.crowd_record = @crowd_record if @local_record && @crowd_record
+    end
+    def crowd_record
+      @crowd_record ||= @local_record.crowd_record if @local_record
+      @crowd_record
+    end
+    def crowd_record=(val)
+      @crowd_record = val
+      @local_record.crowd_record = @crowd_record if @local_record
+    end
+    def create_crowd_record
+      if local_record.before_create_crowd_record
+        self.crowd_record = SimpleCrowd::User.new({:username => local_record.send(klass.login_field)})
+        if sync_to_crowd(true)
+          local_record.after_create_crowd_record
+          return crowd_record
+        end
+      end
+      nil
+    end
+    def sync_to_crowd(new_record=false)
+      return unless local_record && crowd_record
+      return if @syncing
+      if local_record.before_sync_to_crowd
+        @syncing = true
+        begin
+          local_record.sync_to_crowd
+          if new_record || crowd_record.dirty? || local_record.crowd_password_changed?
+            if new_record
+              crowd_client.add_user crowd_record, local_record.crowd_password
+            else
+              crowd_client.update_user crowd_record
+              if local_record.crowd_password_changed? && local_record.crowd_password
+                crowd_client.update_user_credential crowd_record.username, local_record.crowd_password
+              end
+            end
+          end
+        ensure
+          @syncing = false
+        end
+        local_record.after_sync_to_crowd
+        return true
+      end
+      false
+    end
+    def create_record_from_crowd
+      self.local_record = klass.new
+      if local_record.before_create_from_crowd
+        local_record.send(:"#{klass.login_field}=", crowd_record.username) if local_record.respond_to?(:"#{klass.login_field}=")
+        sync_from_crowd
+        if local_record.save_without_session_maintenance
+          local_record.after_create_from_crowd
+          return local_record
+        end
+      end
+      nil
+    end
+    def sync_from_crowd
+      return unless local_record && crowd_record
+      return if @syncing
+      if local_record.before_sync_from_crowd
+        @syncing = true
+        begin
+          local_record.sync_from_crowd
+          local_record.save_without_session_maintenance if local_record.changed?
+        ensure
+          @syncing = false
+        end
+        local_record.after_sync_from_crowd
+      end
+    end
+  end
+end

data/lib/authlogic_crowd/session.rb CHANGED Viewed

@@ -1,302 +1,358 @@
-module AuthlogicCrowd
-  module Session
-    def self.included(klass)
-      klass.class_eval do
-        extend Config
-        include Methods
-      end
-    end
-    module Config
-      # Single Signout (defaults to true)
-      # @param [Boolean] value
-      def crowd_sso(value=nil)
-        rw_config(:crowd_sso, value, true)
-      end
-      alias_method :crowd_sso=, :crowd_sso
-      def crowd_sso?
-        crowd_sso
-      end
-      # Auto Register is enabled by default.
-	  # Add this in your Session object if you need to disable auto-registration via crowd
-      def auto_register(value=true)
-        auto_register_value(value)
-      end
-      def auto_register_value(value=nil)
-        rw_config(:auto_register,value,true)
-      end
-      alias_method :auto_register=,:auto_register
-      def crowd_user_token= token
-        # Dup token before storing to make sure we store a pure string to avoid session serialization issues.
-        token = token.dup if token
-        session_user_token = controller && controller.session[:"crowd.token_key"]
-        cookie_user_token = crowd_sso? && controller && controller.cookies[:"crowd.token_key"]
-        @crowd_client ||= SimpleCrowd::Client.new({
-          :service_url => klass.crowd_service_url,
-          :app_name => klass.crowd_app_name,
-          :app_password => klass.crowd_app_password})
-        crowd_cookie_info = self.crowd_cookie_info(@crowd_client)
-        controller.session[:"crowd.token_key"] = token unless session_user_token == token || !controller
-        controller.cookies[:"crowd.token_key"] = {:domain => crowd_cookie_info[:domain],
-                                                  :secure => crowd_cookie_info[:secure],
-                                                  :value => token} unless cookie_user_token == token || !crowd_sso? || !controller
-      end
-      def crowd_user_token
-        controller && (controller.params["crowd.token_key"] || controller.cookies[:"crowd.token_key"] || controller.session[:"crowd.token_key"])
-      end
-      def crowd_cookie_info(crowd_client)
-        Rails.cache.fetch('crowd_cookie_info') do
-          # Strings returned by crowd contain singleton methods which cannot
-          # be serialized into the Rails.cache.  Do a shallow dup of each string
-          # in the returned hash
-          crowd_client.get_cookie_info.inject({}) do |cookie_info, (key, val)|
-            cookie_info[key] = val ? val.dup : val
-            cookie_info
-          end
-        end
-      end
-    end
-    module Methods
-      def self.included(klass)
-        klass.class_eval do
-          attr_accessor :new_registration
-          validate :validate_by_crowd, :if => :authenticating_with_crowd?
-          persist :validate_by_crowd, :if => :authenticating_with_crowd?
-          after_create :sync_with_crowd, :if => :authenticating_with_crowd?
-          before_destroy :logout_of_crowd, :if => [:authenticating_with_crowd?, :sso?]
-        end
-      end
-      # Temporary storage of crowd record for syncing purposes
-      attr_accessor :crowd_record
-      # Determines if the authenticated user is also a new registration.
-      # For use in the session controller to help direct the most appropriate action to follow.
-      def new_registration?
-        new_registration || !new_registration.nil?
-      end
-      # Determines if the authenticated user has a complete registration (no validation errors)
-      # For use in the session controller to help direct the most appropriate action to follow.
-      def registration_complete?
-        attempted_record && attempted_record.valid?
-      end
-      def auto_register?
-        self.class.auto_register_value
-      end
-      protected
-      # Determines whether to use crowd to authenticate and validate the current request
-      # For now we assume the app wants to use Crowd exclusively.
-      # Use crowd authentication if tokens are present or if login/password is available but not valid or is blank in db
-      # TODO: Add flexibility regarding multiple authentication methods and identity mapping
-      def authenticating_with_crowd?
-        errors.empty? &&
-        !klass.crowd_app_name.blank? &&
-        !klass.crowd_app_password.blank? &&
-        ((login_field && (!send(login_field).nil? || !send("protected_#{password_field}").nil?)) ||
-          controller && (controller.cookies[:"crowd.token_key"] || controller.session[:"crowd.token_key"] || controller.params["crowd.token_key"]))
-      end
-      def authenticating_with_password?
-        !authenticating_with_crowd? && login_field && (!send(login_field).nil? || !send("protected_#{password_field}").nil?)
-      end
-      def sso?
-        self.class.crowd_sso
-      end
-#      def credentials
-#        if authenticating_with_crowd?
-#          details = {}
-#          details[login_field.to_sym] = send(login_field)
-#          details[password_field.to_sym] = "<protected>"
-#          details[crowd_user_token_field.to_sym] = send(crowd_user_token_field)
-#          details
-#        else
-#          super
-#        end
-#      end
-      def credentials=(value)
-        super
-        values = value.is_a?(Array) ? value : [value]
-        if values.first.is_a?(Hash)
-          values.first.with_indifferent_access.slice(login_field, password_field).each do |field, value|
-            next if value.blank?
-            send("#{field}=", value)
-          end
-        end
-      end
-      private
-      # Main session validation using Crowd user token.
-      # Uses simple_crowd to verify the user token on the configured crowd server
-      # If no *local* user is found and auto_register is enabled (default) then automatically create *local* user for them
-      # TODO: Cleanup and figure out reason for duplicate calls
-      def validate_by_crowd
-        begin
-        load_crowd_app_token
-        login = send(login_field) || (unauthorized_record && unauthorized_record.login)
-        password = send("protected_#{password_field}")
-        params_user_token = controller && controller.params["crowd.token_key"]
-        session_user_token = controller && controller.session[:"crowd.token_key"]
-        cookie_user_token = sso? && controller && controller.cookies[:"crowd.token_key"]
-        user_token = crowd_user_token
-        crowd_user = nil
-        # Lets see if the user passed in an email or a login using the db
-        if !login.blank? && self.unauthorized_record.nil?
-          self.unauthorized_record = klass.respond_to?(:login_or_email_equals) ?
-                                         klass.send(:login_or_email_equals, login).first :
-                                         klass.send(find_by_login_method, login)
-          # If passed in login equals the user email then get the REAL login used by crowd instead
-          login = unauthorized_record.login if !unauthorized_record.nil? && login = unauthorized_record.email
-        end
-        if user_token && crowd_client.is_valid_user_token?(user_token)
-        elsif login && password
-          # Authenticate if we don't have token
-          user_token = crowd_client.authenticate_user login, password rescue nil
-          # Try one last time to login with crowd email field instead of login
-          if user_token.nil? && self.unauthorized_record.nil? && login =~ Authlogic::Regex.email
-            crowd_user ||= crowd_client.find_user_by_email(login)
-            if crowd_user
-              login = crowd_user.username
-              user_token = crowd_client.authenticate_user login, password rescue nil
-            end
-          end
-        else
-          user_token = nil
-        end
-        raise SimpleCrowd::CrowdError.new "No user token" if user_token.blank?
-        login = crowd_client.find_username_by_token user_token unless login &&
-                (!cookie_user_token || session_user_token == cookie_user_token) &&
-                (!params_user_token || session_user_token == params_user_token)
-        send("#{login_field}=", login)
-        self.class.crowd_user_token = user_token
-        if !self.unauthorized_record.nil? && self.unauthorized_record.login == login
-          self.attempted_record = self.unauthorized_record
-        else
-          self.attempted_record = self.unauthorized_record = klass.send(find_by_login_method, login)
-        end
-        if !attempted_record
-          # If auto_register enabled then create new user with crowd info
-          if auto_register?
-            crowd_user ||= crowd_client.find_user_by_token user_token
-            self.attempted_record = klass.new :login => crowd_user.username, :email => crowd_user.email
-            self.new_registration = true
-            self.attempted_record.crowd_record = crowd_user
-            self.crowd_record = crowd_user
-            sync
-            self.attempted_record.save_without_session_maintenance
-          else
-            errors.add_to_base("We did not find any accounts with that login. Enter your details and create an account.")
-            return false
-          end
-        end
-        rescue Exception => e
-          errors.add_to_base("Authentication failed. Please try again")
-          # Don't know why it doesn't work the first time,
-          # but if we nil the session key here then the session doesn't get deleted
-          # Leaving the token triggers the validation a second time and successfully destroys the session
-          # REMOVED AS HACK
-          # Hack to fix user_credentials not being deleted on session destroy
-          if controller
-            controller.session[:"crowd.token_key"] = nil
-            unless (send(login_field) || (unauthorized_record && unauthorized_record.login) && send("protected_#{password_field}"))
-              # Hack to try and check session without recreating it. (we only want to destroy it if it exists already)
-              # This is to avoid a infinite recursive session creation bug we had a while back
-              curr_klass = klass
-              curr_session = controller.instance_eval { @current_user_session }
-              curr_session.destroy if curr_session
-              controller.session.clear
-            end
-            # Delete by klass name instead of generic user
-            controller.cookies.delete :"#{klass.name.underscore}_credentials"
-            controller.cookies.delete :"crowd.token_key", :domain => crowd_cookie_info[:domain] if sso?
-          end
-          raise unless e.kind_of? SimpleCrowd::CrowdError
-          false
-        end
-      end
-      def sync_with_crowd
-        # If it's a new registration then the crowd data was just pulled, so skip syncing on login
-        unless new_registration? || !self.attempted_record
-          login = send(login_field) || (!attempted_record.nil? && attempted_record.login)
-          user_token = controller && (controller.params["crowd.token_key"] || controller.cookies[:"crowd.token_key"] || controller.session[:"crowd.token_key"])
-          crowd_user = if login
-            crowd_client.find_user_by_name login
-          elsif user_token
-            crowd_client.find_user_by_token user_token
-          end
-          if crowd_user && before_sync
-            self.crowd_record = crowd_user
-            # Callbacks to sync data
-            sync
-            self.attempted_record.save
-            after_sync
-          end
-        end
-      end
-      # Single Sign-out
-      def logout_of_crowd
-        # Send an invalidate call for single signout
-        # Apparently there is no way of knowing if this was successful or not.
-        crowd_client.invalidate_user_token crowd_user_token unless crowd_user_token.nil?
-        # Remove cookie and session
-        if controller
-          controller.session[:"crowd.token_key"] = nil
-          controller.cookies.delete :"crowd.token_key", :domain => crowd_cookie_info[:domain] if sso?
-          controller.cookies.delete :"#{klass.name.underscore}_credentials"
-        end
-        true
-      end
-      def crowd_user_token
-        self.class.crowd_user_token
-      end
-      def crowd_client
-        @crowd_client ||= SimpleCrowd::Client.new(crowd_config)
-      end
-      def load_crowd_app_token
-        crowd_app_token = Rails.cache.read('crowd_app_token')
-        if crowd_app_token.nil?
-          crowd_app_token = crowd_client.app_token
-          # Strings returned by crowd contain singleton methods which cannot
-          # be serialized into the Rails.cache.  Duping the strings removes the
-          # singleton methods.
-          Rails.cache.write('crowd_app_token', crowd_app_token.dup)
-        else
-          crowd_client.app_token = crowd_app_token
-        end
-        crowd_app_token
-      end
-      def crowd_cookie_info
-        @crowd_cookie_info ||= self.class.crowd_cookie_info(crowd_client)
-      end
-      def crowd_config
-        {:service_url => klass.crowd_service_url,
-          :app_name => klass.crowd_app_name,
-          :app_password => klass.crowd_app_password}
-      end
-    end
-  end
-end
+module AuthlogicCrowd
+  module Session
+    def self.included(klass)
+      klass.class_eval do
+        extend Config
+        include InstanceMethods
+        attr_accessor :new_registration
+        persist :persist_by_crowd, :if => :authenticating_with_crowd?
+        validate :validate_by_crowd, :if => [:authenticating_with_crowd?, :needs_crowd_validation?]
+        before_destroy :logout_of_crowd, :if => :authenticating_with_crowd?
+        after_create(:if => :authenticating_with_crowd?, :unless => :new_registration?) do |s|
+          synchronizer = s.crowd_synchronizer
+          synchronizer.local_record = s.record
+          synchronizer.crowd_record = s.crowd_record
+          synchronizer.sync_from_crowd
+        end
+      end
+    end
+    # Configuration for the crowd feature.
+    module Config
+      # How often should Crowd re-authorize (in seconds).  Default is 0 (always re-authorize)
+      def crowd_auth_every(value = nil)
+        rw_config(:crowd_auth_every, value, 0)
+      end
+      alias_method :crowd_auth_every=, :crowd_auth_every
+      # Should a new local record be created for existing Crowd users with no
+      # matching local record?
+      # Default is true.
+	    # Add this in your Session object if you need to disable auto-registration via crowd
+      def auto_register(value=true)
+        auto_register_value(value)
+      end
+      def auto_register_value(value=nil)
+        rw_config(:auto_register,value,true)
+      end
+      alias_method :auto_register=, :auto_register
+    end
+    module InstanceMethods
+      def initialize(*args)
+        super
+        @valid_crowd_user = {}
+      end
+      # Determines if the authenticated user is also a new registration.
+      # For use in the session controller to help direct the most appropriate action to follow.
+      def new_registration?
+        new_registration || !new_registration.nil?
+      end
+      def auto_register?
+        self.class.auto_register_value
+      end
+      def crowd_record
+        if @valid_crowd_user[:user_token] && !@valid_crowd_user.has_key?(:record)
+          @valid_crowd_user[:record] = crowd_client.find_user_by_token(@valid_crowd_user[:user_token])
+        end
+        @valid_crowd_user[:record]
+      end
+      def crowd_client
+        @crowd_client ||= klass.crowd_client
+      end
+      def crowd_synchronizer
+        @crowd_synchronizer ||= klass.crowd_synchronizer(crowd_client)
+      end
+      private
+      def authenticating_with_crowd?
+        klass.using_crowd? && (authenticated_by_crowd? || has_crowd_user_token? || has_crowd_credentials?)
+      end
+      # Use the Crowd to "log in" the user using the crowd.token_key
+      # cookie/parameter.  If the token_key is valid and returns a valid Crowd
+      # user, the find_by_login_method is called to find the appropriate local
+      # user/record.
+      #
+      # If no *local* record is found and auto_register is enabled (default)
+      # then automatically create *local* record for them.
+      #
+      # This method enables a Crowd user to log in without having to explicity
+      # log in to this app.  Once a Crowd user has authenticated with this app
+      # via this method, future requests usually use the Authlogic::Session
+      # module to persist/find users.
+      def persist_by_crowd
+        clear_crowd_auth_cache
+        return false unless has_crowd_user_token? && valid_crowd_user_token? && crowd_username
+        self.unauthorized_record = find_or_create_record_from_crowd
+        valid?
+      rescue SimpleCrowd::CrowdError => e
+        Rails.logger.warn "CROWD[#{__method__}]: Unexpected error.  #{e}"
+        return false
+      end
+      # Validates the current record/user with Crowd.  This validates the
+      # crowd.token_key cookie/parameter and/or explicit credentials.
+      #
+      # If a crowd.token_key exists and matches a previously authenticated
+      # token_key, this method will only verify the token with crowd if the
+      # last authorization was more than crowd_auth_every seconds ago (see
+      # the crowd_auth_every config option).
+      def validate_by_crowd
+        # Credentials trump a crowd.token_key.
+        # We don't even attempt to authenticated from the token key if
+        # credentials are present.
+        if has_crowd_credentials?
+          # HACK: Remove previous login/password errors since we are going to
+          # try to validate them with crowd
+          errors.instance_variable_get('@errors').delete(login_field.to_s)
+          errors.instance_variable_get('@errors').delete(password_field.to_s)
+          if valid_crowd_credentials?
+            self.attempted_record = find_or_create_record_from_crowd
+            unless self.attempted_record
+              errors.add(login_field, I18n.t('error_messages.login_not_found', :default => "is not valid"))
+            end
+          else
+            errors.add(login_field, I18n.t('error_messages.login_not_found', :default => "is not valid")) if !@valid_crowd_user[:username]
+            errors.add(password_field, I18n.t('error_messages.password_invalid', :default => "is not valid")) if @valid_crowd_user[:username]
+          end
+        elsif has_crowd_user_token?
+          unless valid_crowd_user_token? && valid_crowd_username?
+            errors.add_to_base(I18n.t('error_messages.crowd_invalid_user_token', :default => "invalid user token"))
+          end
+        elsif authenticated_by_crowd?
+          destroy
+          errors.add_to_base(I18n.t('error_messages.crowd_missing_using_token', :default => "missing user token"))
+        end
+        unless self.attempted_record.valid?
+          errors.add_to_base('record is not valid')
+        end
+        if errors.count == 0
+          # Set crowd.token_key cookie
+          save_crowd_cookie
+          # Cache crowd authorization to make future requests faster (if
+          # crowd_auth_every config is enabled)
+          cache_crowd_auth
+        end
+      rescue SimpleCrowd::CrowdError => e
+        Rails.logger.warn "CROWD[#{__method__}]: Unexpected error.  #{e}"
+        errors.add_to_base("Crowd error: #{e}")
+      end
+      # Validate the crowd.token_key (if one exists)
+      # Uses simple_crowd to verify the user token on the configured crowd server.
+      # This only checks that the token is valid with Crowd.  It does not check
+      # that the token belongs to a valid local user/record.
+      def valid_crowd_user_token?
+        unless @valid_crowd_user.has_key?(:user_token)
+          @valid_crowd_user[:user_token] = nil
+          user_token = crowd_user_token
+          if user_token
+            if crowd_client.is_valid_user_token?(user_token)
+              @valid_crowd_user[:user_token] = user_token
+            end
+          end
+        end
+        !!@valid_crowd_user[:user_token]
+      end
+      # Validate username/password using Crowd.
+      # Uses simple_crowd to verify credentials on the configured crowd server.
+      def valid_crowd_credentials?
+        login = send(login_field)
+        password = send("protected_#{password_field}")
+        return false unless login && password
+        unless @valid_crowd_user.has_key?(:credentials)
+          @valid_crowd_user[:user_token] = nil
+          # Authenticate using login/password
+          user_token = crowd_fetch {crowd_client.authenticate_user(login, password)}
+          if user_token
+            @valid_crowd_user[:user_token] = user_token
+            @valid_crowd_user[:username] = login
+          else
+            # See if the login exists
+            crecord = @valid_crowd_user[:record] = crowd_fetch {crowd_client.find_user_by_name(login)}
+            @valid_crowd_user[:username] = crecord ? crecord.username : nil
+          end
+          # Attempt to find user with crowd email field instead of principal name
+          if !@valid_crowd_user[:username] && login =~ Authlogic::Regex.email
+            crecord = @valid_crowd_user[:record] = crowd_fetch {crowd_client.find_user_by_email(login)}
+            if crecord
+              user_token = crowd_fetch {crowd_client.authenticate_user(crecord.username, password)}
+              @valid_crowd_user[:username] = crecord.username
+              @valid_crowd_user[:user_token] = user_token if user_token
+            end
+          end
+          @valid_crowd_user[:credentials] = !!@valid_crowd_user[:user_token]
+        end
+        @valid_crowd_user[:credentials]
+      end
+      # Validate the crowd username against the current record
+      def valid_crowd_username?
+        record_login = send(login_field) || (unauthorized_record && unauthorized_record.login)
+        # Use the last username if available to reduce crowd calls
+        if @valid_crowd_user[:user_token] && @valid_crowd_user[:user_token] == controller.session[:"crowd.last_user_token"]
+          crowd_login = controller.session[:"crowd.last_username"]
+        end
+        crowd_login = crowd_username unless crowd_login
+        crowd_login && crowd_login == record_login
+      end
+      def crowd_username
+        if @valid_crowd_user[:user_token] && !@valid_crowd_user.has_key?(:username)
+          crecord = crowd_record
+          @valid_crowd_user[:username] = crecord ? crecord.username : nil
+        end
+        @valid_crowd_user[:username]
+      end
+      def cache_crowd_auth
+        if @valid_crowd_user[:user_token]
+          controller.session[:"crowd.last_auth"] = Time.now
+          controller.session[:"crowd.last_user_token"] = @valid_crowd_user[:user_token].dup
+          controller.session[:"crowd.last_username"] = @valid_crowd_user[:username].dup if @valid_crowd_user[:username]
+          Rails.logger.debug "CROWD: Cached crowd authorization (#{controller.session[:"crowd.last_username"]}).  Next authorization at #{Time.now + self.class.crowd_auth_every}." if self.class.crowd_auth_every.to_i > 0
+        else
+          clear_crowd_auth_cache
+        end
+      end
+      # Clear cached crowd information
+      def clear_crowd_auth_cache
+        controller.session.delete_if {|key, val| ["crowd.last_user_token", "crowd.last_auth", "crowd.last_username"].include?(key.to_s)}
+      end
+      def save_crowd_cookie
+        if @valid_crowd_user[:user_token] && @valid_crowd_user[:user_token] != crowd_user_token
+          controller.params.delete("crowd.token_key")
+          controller.cookies[:"crowd.token_key"] = {
+            :domain => crowd_cookie_info[:domain],
+            :secure => crowd_cookie_info[:secure],
+            :value => @valid_crowd_user[:user_token],
+          }
+        end
+      end
+      def destroy_crowd_cookie
+        controller.cookies.delete(:"crowd.token_key", :domain => crowd_cookie_info[:domain])
+      end
+      # When the crowd_auth_every config option is set and the user is logged
+      # in via crowd, validation can be skipped in certain cases (token_key
+      # matches last token_key and last authorization was less than
+      # crowd_auth_every seconds).
+      def needs_crowd_validation?
+        res = true
+        if !has_crowd_credentials? && authenticated_by_crowd? && self.class.crowd_auth_every.to_i > 0
+          last_user_token = controller.session[:"crowd.last_user_token"]
+          last_auth = controller.session[:"crowd.last_auth"]
+          if last_user_token
+            if !crowd_user_token
+              Rails.logger.debug "CROWD: Re-authorization required.  Crowd token does not exist."
+            elsif last_user_token != crowd_user_token
+              Rails.logger.debug "CROWD: Re-authorization required.  Crowd token does match cached token."
+            elsif last_auth && last_auth <= self.class.crowd_auth_every.ago
+              Rails.logger.debug "CROWD: Re-authorization required.  Last authorization was at #{last_auth}."
+            elsif !last_auth
+              Rails.logger.debug "CROWD: Re-authorization required.  Unable to determine last authorization time."
+            else
+              Rails.logger.debug "CROWD: Authenticating from cache.  Next authorization at #{last_auth + self.class.crowd_auth_every}."
+              res = false
+            end
+          end
+        end
+        res
+      end
+      def find_or_create_record_from_crowd
+        return nil unless crowd_username
+        record = search_for_record(find_by_login_method, crowd_username)
+        if !record && auto_register?
+          synchronizer = crowd_synchronizer
+          synchronizer.crowd_record = crowd_record
+          record = synchronizer.create_record_from_crowd
+          self.new_registration if record
+        end
+        record
+      end
+      # Logout of crowd and remove the crowd cookie.
+      def logout_of_crowd
+        if crowd_user_token
+          # Send an invalidate call for single signout
+          # Apparently there is no way of knowing if this was successful or not.
+          begin
+            crowd_client.invalidate_user_token(crowd_user_token)
+          rescue SimpleCrowd::CrowdError => e
+            Rails.logger.debug "CROWD: logout_of_crowd #{e.message}"
+          end
+        end
+        controller.params.delete("crowd.token_key")
+        destroy_crowd_cookie
+        clear_crowd_auth_cache
+        true
+      end
+      def crowd_user_token
+        controller && (controller.params["crowd.token_key"] || controller.cookies[:"crowd.token_key"])
+      end
+      def authenticated_by_crowd?
+        !!controller.session[:"crowd.last_user_token"]
+      end
+      def has_crowd_user_token?
+        !!crowd_user_token
+      end
+      def has_crowd_credentials?
+        login_field && password_field && (!send(login_field).nil? || !send("protected_#{password_field}").nil?)
+      end
+      def crowd_cookie_info
+        @crowd_cookie_info ||= crowd_client.get_cookie_info
+      end
+      # Executes the given block, returning nil if a SimpleCrowd::CrowdError
+      # ocurrs.
+      def crowd_fetch
+        begin
+          yield
+        rescue SimpleCrowd::CrowdError => e
+          Rails.logger.debug "CROWD[#{caller[0][/`.*'/][1..-2]}]: #{e.message}"
+          nil
+        end
+      end
+    end
+  end
+end