credentials: Move user impersonation to peer::get_identity()

To retrieve user credentials, EapHost provides us the interactive user's
token we can use to impersonate.

By doing the impersonation early in peer::get_identity(), we don't need
to pass the token down the lower methods. This is rather a
simplification than a performance optimization.

Signed-off-by: Simon Rozman <simon@rozman.si>

lib/EAPBase/include/Config.h

@@ -308,6 +308,8 @@ namespace eap
         ///
         /// Generates public identity using current configuration and given credentials
         ///
+        /// Must be called in the connecting user context.
+        ///
         std::wstring get_public_identity(const credentials &cred) const;
 
     public:

lib/EAPBase/include/Credentials.h

@@ -202,13 +202,12 @@ namespace eap
         ///
         /// 1. Cached credentials
         /// 2. Configured credentials (if \p cfg is derived from `config_method_with_cred`)
-        /// 3. Stored credentials
+        /// 3. Stored credentials (must be called in the connecting user context)
         ///
-        /// \param[in] dwFlags                A combination of [EAP flags](https://msdn.microsoft.com/en-us/library/windows/desktop/bb891975.aspx) that describe the EAP authentication session behavior
-        /// \param[in] hTokenImpersonateUser  Impersonation token for a logged-on user to collect user-related information
-        /// \param[in] cred_cached            Cached credentials (optional, can be \c NULL, must be the same type of credentials as `this`)
-        /// \param[in] cfg                    Method configuration (must be the same type of configuration as `this` credentials belong to)
-        /// \param[in] pszTargetName          The name in Windows Credential Manager to retrieve credentials from (optional, can be \c NULL)
+        /// \param[in] dwFlags        A combination of [EAP flags](https://msdn.microsoft.com/en-us/library/windows/desktop/bb891975.aspx) that describe the EAP authentication session behavior
+        /// \param[in] cred_cached    Cached credentials (optional, can be \c NULL, must be the same type of credentials as `this`)
+        /// \param[in] cfg            Method configuration (must be the same type of configuration as `this` credentials belong to)
+        /// \param[in] pszTargetName  The name in Windows Credential Manager to retrieve credentials from (optional, can be \c NULL)
         ///
         /// \returns
         /// - \c source_t::cache   Credentials were obtained from EapHost cache
@@ -217,7 +216,6 @@ namespace eap
         ///
         virtual source_t combine(
             _In_             DWORD         dwFlags,
-            _In_opt_         HANDLE        hTokenImpersonateUser,
             _In_opt_   const credentials   *cred_cached,
             _In_       const config_method &cfg,
             _In_opt_z_       LPCTSTR       pszTargetName) = 0;
@@ -297,13 +295,12 @@ namespace eap
         ///
         /// 1. Cached credentials
         /// 2. Configured credentials (if \p cfg is derived from `config_method_with_cred`)
-        /// 3. Stored credentials
+        /// 3. Stored credentials (must be called in the connecting user context)
         ///
-        /// \param[in] dwFlags                A combination of [EAP flags](https://msdn.microsoft.com/en-us/library/windows/desktop/bb891975.aspx) that describe the EAP authentication session behavior
-        /// \param[in] hTokenImpersonateUser  Impersonation token for a logged-on user to collect user-related information
-        /// \param[in] cred_cached            Cached credentials (optional, can be \c NULL)
-        /// \param[in] cfg                    Method configuration (when derived from `config_method_with_cred`, metod attempt to load credentials from \p cfg)
-        /// \param[in] pszTargetName          The name in Windows Credential Manager to retrieve credentials from (optional, can be \c NULL)
+        /// \param[in] dwFlags        A combination of [EAP flags](https://msdn.microsoft.com/en-us/library/windows/desktop/bb891975.aspx) that describe the EAP authentication session behavior
+        /// \param[in] cred_cached    Cached credentials (optional, can be \c NULL)
+        /// \param[in] cfg            Method configuration (when derived from `config_method_with_cred`, metod attempt to load credentials from \p cfg)
+        /// \param[in] pszTargetName  The name in Windows Credential Manager to retrieve credentials from (optional, can be \c NULL)
         ///
         /// \returns
         /// - \c source_t::cache   Credentials were obtained from EapHost cache
@@ -312,7 +309,6 @@ namespace eap
         ///
         virtual source_t combine(
             _In_             DWORD         dwFlags,
-            _In_opt_         HANDLE        hTokenImpersonateUser,
             _In_opt_   const credentials   *cred_cached,
             _In_       const config_method &cfg,
             _In_opt_z_       LPCTSTR       pszTargetName);
@@ -409,13 +405,12 @@ namespace eap
         ///
         /// 1. Cached credentials
         /// 2. Configured credentials (if \p cfg is derived from `config_method_with_cred`)
-        /// 3. Stored credentials
+        /// 3. Stored credentials (must be called in the connecting user context)
         ///
-        /// \param[in] dwFlags                A combination of [EAP flags](https://msdn.microsoft.com/en-us/library/windows/desktop/bb891975.aspx) that describe the EAP authentication session behavior
-        /// \param[in] hTokenImpersonateUser  Impersonation token for a logged-on user to collect user-related information
-        /// \param[in] cred_cached            Cached credentials (optional, can be \c NULL)
-        /// \param[in] cfg                    Method configuration (when derived from `config_method_with_cred`, metod attempt to load credentials from \p cfg)
-        /// \param[in] pszTargetName          The name in Windows Credential Manager to retrieve credentials from (optional, can be \c NULL)
+        /// \param[in] dwFlags        A combination of [EAP flags](https://msdn.microsoft.com/en-us/library/windows/desktop/bb891975.aspx) that describe the EAP authentication session behavior
+        /// \param[in] cred_cached    Cached credentials (optional, can be \c NULL)
+        /// \param[in] cfg            Method configuration (when derived from `config_method_with_cred`, metod attempt to load credentials from \p cfg)
+        /// \param[in] pszTargetName  The name in Windows Credential Manager to retrieve credentials from (optional, can be \c NULL)
         ///
         /// \returns
         /// - \c source_t::cache   Credentials were obtained from EapHost cache
@@ -424,7 +419,6 @@ namespace eap
         ///
         virtual source_t combine(
             _In_             DWORD         dwFlags,
-            _In_opt_         HANDLE        hTokenImpersonateUser,
             _In_opt_   const credentials   *cred_cached,
             _In_       const config_method &cfg,
             _In_opt_z_       LPCTSTR       pszTargetName);

lib/EAPBase/include/Module.h

@@ -1074,13 +1074,14 @@ namespace eap
         ///
         /// Checks all configured providers and tries to combine credentials.
         ///
+        /// Must be called in the connecting user context.
+        ///
         _Success_(return != 0) virtual const config_method_with_cred* combine_credentials(
             _In_                             DWORD                   dwFlags,
             _In_                       const config_connection       &cfg,
             _In_count_(dwUserDataSize) const BYTE                    *pUserData,
             _In_                             DWORD                   dwUserDataSize,
-            _Inout_                          credentials_connection& cred_out,
-            _In_                             HANDLE                  hTokenImpersonateUser) = 0;
+            _Inout_                          credentials_connection& cred_out) = 0;
 
     protected:
         ///