credentials: Move user impersonation to peer::get_identity()
To retrieve user credentials, EapHost provides us the interactive user's token we can use to impersonate. By doing the impersonation early in peer::get_identity(), we don't need to pass the token down the lower methods. This is rather a simplification than a performance optimization. Signed-off-by: Simon Rozman <simon@rozman.si>
This commit is contained in:
@@ -121,13 +121,12 @@ namespace eap
|
||||
///
|
||||
/// 1. Cached credentials
|
||||
/// 2. Configured credentials (if \p cfg is derived from `config_method_with_cred`)
|
||||
/// 3. Stored credentials
|
||||
/// 3. Stored credentials (must be called in the connecting user context)
|
||||
///
|
||||
/// \param[in] dwFlags A combination of [EAP flags](https://msdn.microsoft.com/en-us/library/windows/desktop/bb891975.aspx) that describe the EAP authentication session behavior
|
||||
/// \param[in] hTokenImpersonateUser Impersonation token for a logged-on user to collect user-related information
|
||||
/// \param[in] cred_cached Cached credentials (optional, can be \c NULL, must be `credentials_eaphost*` type)
|
||||
/// \param[in] cfg Method configuration (unused, as must be as config_method_eaphost is not derived from `config_method_with_cred`)
|
||||
/// \param[in] pszTargetName The name in Windows Credential Manager to retrieve credentials from (optional, can be \c NULL)
|
||||
/// \param[in] dwFlags A combination of [EAP flags](https://msdn.microsoft.com/en-us/library/windows/desktop/bb891975.aspx) that describe the EAP authentication session behavior
|
||||
/// \param[in] cred_cached Cached credentials (optional, can be \c NULL, must be `credentials_eaphost*` type)
|
||||
/// \param[in] cfg Method configuration (unused, as must be as config_method_eaphost is not derived from `config_method_with_cred`)
|
||||
/// \param[in] pszTargetName The name in Windows Credential Manager to retrieve credentials from (optional, can be \c NULL)
|
||||
///
|
||||
/// \returns
|
||||
/// - \c source_t::cache Credentials were obtained from EapHost cache
|
||||
@@ -136,7 +135,6 @@ namespace eap
|
||||
///
|
||||
virtual source_t combine(
|
||||
_In_ DWORD dwFlags,
|
||||
_In_opt_ HANDLE hTokenImpersonateUser,
|
||||
_In_opt_ const credentials *cred_cached,
|
||||
_In_ const config_method &cfg,
|
||||
_In_opt_z_ LPCTSTR pszTargetName);
|
||||
|
||||
@@ -220,7 +220,6 @@ LPCTSTR eap::credentials_eaphost::target_suffix() const
|
||||
|
||||
eap::credentials::source_t eap::credentials_eaphost::combine(
|
||||
_In_ DWORD dwFlags,
|
||||
_In_opt_ HANDLE hTokenImpersonateUser,
|
||||
_In_opt_ const credentials *cred_cached,
|
||||
_In_ const config_method &cfg,
|
||||
_In_opt_z_ LPCTSTR pszTargetName)
|
||||
@@ -253,9 +252,6 @@ eap::credentials::source_t eap::credentials_eaphost::combine(
|
||||
}
|
||||
|
||||
if (src == source_t::unknown && pszTargetName) {
|
||||
// Switch user context.
|
||||
user_impersonator impersonating(hTokenImpersonateUser);
|
||||
|
||||
try {
|
||||
credentials_eaphost cred_loaded(m_module);
|
||||
cred_loaded.retrieve(pszTargetName, cfg.m_level);
|
||||
@@ -281,7 +277,7 @@ eap::credentials::source_t eap::credentials_eaphost::combine(
|
||||
cfg_eaphost->get_type(),
|
||||
(DWORD)cfg_eaphost->m_cfg_blob.size(), cfg_eaphost->m_cfg_blob.data(),
|
||||
src != source_t::unknown ? (DWORD)m_cred_blob.size() : 0, src != source_t::unknown ? m_cred_blob.data() : NULL,
|
||||
hTokenImpersonateUser,
|
||||
NULL,
|
||||
&fInvokeUI,
|
||||
&cred_data_size, get_ptr(cred_data),
|
||||
get_ptr(identity),
|
||||
|
||||
Reference in New Issue
Block a user