credentials: Move user impersonation to peer::get_identity()

To retrieve user credentials, EapHost provides us the interactive user's
token we can use to impersonate.

By doing the impersonation early in peer::get_identity(), we don't need
to pass the token down the lower methods. This is rather a
simplification than a performance optimization.

Signed-off-by: Simon Rozman <simon@rozman.si>

lib/EAPBase/include/Config.h

@@ -308,6 +308,8 @@ namespace eap
         ///
         /// Generates public identity using current configuration and given credentials
         ///
+        /// Must be called in the connecting user context.
+        ///
         std::wstring get_public_identity(const credentials &cred) const;
 
     public:

lib/EAPBase/include/Credentials.h

@@ -202,13 +202,12 @@ namespace eap
         ///
         /// 1. Cached credentials
         /// 2. Configured credentials (if \p cfg is derived from `config_method_with_cred`)
-        /// 3. Stored credentials
+        /// 3. Stored credentials (must be called in the connecting user context)
         ///
-        /// \param[in] dwFlags                A combination of [EAP flags](https://msdn.microsoft.com/en-us/library/windows/desktop/bb891975.aspx) that describe the EAP authentication session behavior
-        /// \param[in] hTokenImpersonateUser  Impersonation token for a logged-on user to collect user-related information
-        /// \param[in] cred_cached            Cached credentials (optional, can be \c NULL, must be the same type of credentials as `this`)
-        /// \param[in] cfg                    Method configuration (must be the same type of configuration as `this` credentials belong to)
-        /// \param[in] pszTargetName          The name in Windows Credential Manager to retrieve credentials from (optional, can be \c NULL)
+        /// \param[in] dwFlags        A combination of [EAP flags](https://msdn.microsoft.com/en-us/library/windows/desktop/bb891975.aspx) that describe the EAP authentication session behavior
+        /// \param[in] cred_cached    Cached credentials (optional, can be \c NULL, must be the same type of credentials as `this`)
+        /// \param[in] cfg            Method configuration (must be the same type of configuration as `this` credentials belong to)
+        /// \param[in] pszTargetName  The name in Windows Credential Manager to retrieve credentials from (optional, can be \c NULL)
         ///
         /// \returns
         /// - \c source_t::cache   Credentials were obtained from EapHost cache
@@ -217,7 +216,6 @@ namespace eap
         ///
         virtual source_t combine(
             _In_             DWORD         dwFlags,
-            _In_opt_         HANDLE        hTokenImpersonateUser,
             _In_opt_   const credentials   *cred_cached,
             _In_       const config_method &cfg,
             _In_opt_z_       LPCTSTR       pszTargetName) = 0;
@@ -297,13 +295,12 @@ namespace eap
         ///
         /// 1. Cached credentials
         /// 2. Configured credentials (if \p cfg is derived from `config_method_with_cred`)
-        /// 3. Stored credentials
+        /// 3. Stored credentials (must be called in the connecting user context)
         ///
-        /// \param[in] dwFlags                A combination of [EAP flags](https://msdn.microsoft.com/en-us/library/windows/desktop/bb891975.aspx) that describe the EAP authentication session behavior
-        /// \param[in] hTokenImpersonateUser  Impersonation token for a logged-on user to collect user-related information
-        /// \param[in] cred_cached            Cached credentials (optional, can be \c NULL)
-        /// \param[in] cfg                    Method configuration (when derived from `config_method_with_cred`, metod attempt to load credentials from \p cfg)
-        /// \param[in] pszTargetName          The name in Windows Credential Manager to retrieve credentials from (optional, can be \c NULL)
+        /// \param[in] dwFlags        A combination of [EAP flags](https://msdn.microsoft.com/en-us/library/windows/desktop/bb891975.aspx) that describe the EAP authentication session behavior
+        /// \param[in] cred_cached    Cached credentials (optional, can be \c NULL)
+        /// \param[in] cfg            Method configuration (when derived from `config_method_with_cred`, metod attempt to load credentials from \p cfg)
+        /// \param[in] pszTargetName  The name in Windows Credential Manager to retrieve credentials from (optional, can be \c NULL)
         ///
         /// \returns
         /// - \c source_t::cache   Credentials were obtained from EapHost cache
@@ -312,7 +309,6 @@ namespace eap
         ///
         virtual source_t combine(
             _In_             DWORD         dwFlags,
-            _In_opt_         HANDLE        hTokenImpersonateUser,
             _In_opt_   const credentials   *cred_cached,
             _In_       const config_method &cfg,
             _In_opt_z_       LPCTSTR       pszTargetName);
@@ -409,13 +405,12 @@ namespace eap
         ///
         /// 1. Cached credentials
         /// 2. Configured credentials (if \p cfg is derived from `config_method_with_cred`)
-        /// 3. Stored credentials
+        /// 3. Stored credentials (must be called in the connecting user context)
         ///
-        /// \param[in] dwFlags                A combination of [EAP flags](https://msdn.microsoft.com/en-us/library/windows/desktop/bb891975.aspx) that describe the EAP authentication session behavior
-        /// \param[in] hTokenImpersonateUser  Impersonation token for a logged-on user to collect user-related information
-        /// \param[in] cred_cached            Cached credentials (optional, can be \c NULL)
-        /// \param[in] cfg                    Method configuration (when derived from `config_method_with_cred`, metod attempt to load credentials from \p cfg)
-        /// \param[in] pszTargetName          The name in Windows Credential Manager to retrieve credentials from (optional, can be \c NULL)
+        /// \param[in] dwFlags        A combination of [EAP flags](https://msdn.microsoft.com/en-us/library/windows/desktop/bb891975.aspx) that describe the EAP authentication session behavior
+        /// \param[in] cred_cached    Cached credentials (optional, can be \c NULL)
+        /// \param[in] cfg            Method configuration (when derived from `config_method_with_cred`, metod attempt to load credentials from \p cfg)
+        /// \param[in] pszTargetName  The name in Windows Credential Manager to retrieve credentials from (optional, can be \c NULL)
         ///
         /// \returns
         /// - \c source_t::cache   Credentials were obtained from EapHost cache
@@ -424,7 +419,6 @@ namespace eap
         ///
         virtual source_t combine(
             _In_             DWORD         dwFlags,
-            _In_opt_         HANDLE        hTokenImpersonateUser,
             _In_opt_   const credentials   *cred_cached,
             _In_       const config_method &cfg,
             _In_opt_z_       LPCTSTR       pszTargetName);

lib/EAPBase/include/Module.h

@@ -1074,13 +1074,14 @@ namespace eap
         ///
         /// Checks all configured providers and tries to combine credentials.
         ///
+        /// Must be called in the connecting user context.
+        ///
         _Success_(return != 0) virtual const config_method_with_cred* combine_credentials(
             _In_                             DWORD                   dwFlags,
             _In_                       const config_connection       &cfg,
             _In_count_(dwUserDataSize) const BYTE                    *pUserData,
             _In_                             DWORD                   dwUserDataSize,
-            _Inout_                          credentials_connection& cred_out,
-            _In_                             HANDLE                  hTokenImpersonateUser) = 0;
+            _Inout_                          credentials_connection& cred_out) = 0;
 
     protected:
         ///

lib/EAPBase/src/Credentials.cpp

@@ -297,7 +297,6 @@ LPCTSTR eap::credentials_identity::target_suffix() const
 
 eap::credentials::source_t eap::credentials_identity::combine(
     _In_             DWORD         dwFlags,
-    _In_opt_         HANDLE        hTokenImpersonateUser,
     _In_opt_   const credentials   *cred_cached,
     _In_       const config_method &cfg,
     _In_opt_z_       LPCTSTR       pszTargetName)
@@ -320,9 +319,6 @@ eap::credentials::source_t eap::credentials_identity::combine(
     }
 
     if (pszTargetName) {
-        // Switch user context.
-        user_impersonator impersonating(hTokenImpersonateUser);
-
         try {
             credentials_identity cred_loaded(m_module);
             cred_loaded.retrieve(pszTargetName, cfg.m_level);
@@ -603,7 +599,6 @@ LPCTSTR eap::credentials_pass::target_suffix() const
 
 eap::credentials::source_t eap::credentials_pass::combine(
     _In_             DWORD         dwFlags,
-    _In_opt_         HANDLE        hTokenImpersonateUser,
     _In_opt_   const credentials   *cred_cached,
     _In_       const config_method &cfg,
     _In_opt_z_       LPCTSTR       pszTargetName)
@@ -626,9 +621,6 @@ eap::credentials::source_t eap::credentials_pass::combine(
     }
 
     if (pszTargetName) {
-        // Switch user context.
-        user_impersonator impersonating(hTokenImpersonateUser);
-
         try {
             credentials_pass cred_loaded(m_module);
             cred_loaded.retrieve(pszTargetName, cfg.m_level);

lib/EAPBase/src/Module.cpp

@@ -367,9 +367,12 @@ void eap::peer::get_identity(
     config_connection cfg(*this);
     unpack(cfg, pConnectionData, dwConnectionDataSize);
 
+    // Switch user context.
+    user_impersonator impersonating(hTokenImpersonateUser);
+
     // Combine credentials.
     credentials_connection cred_out(*this, cfg);
-    auto cfg_method = combine_credentials(dwFlags, cfg, pUserData, dwUserDataSize, cred_out, hTokenImpersonateUser);
+    auto cfg_method = combine_credentials(dwFlags, cfg, pUserData, dwUserDataSize, cred_out);
 
     if (cfg_method) {
         // No UI will be necessary.