credentials: Move user impersonation to peer::get_identity()

To retrieve user credentials, EapHost provides us the interactive user's token we can use to impersonate. By doing the impersonation early in peer::get_identity(), we don't need to pass the token down the lower methods. This is rather a simplification than a performance optimization. Signed-off-by: Simon Rozman <simon@rozman.si>
2020-02-06 09:39:57 +01:00
parent e2eb41e811
commit 75488ba870
14 changed files with 42 additions and 73 deletions
--- a/lib/TLS/include/Credentials.h
+++ b/lib/TLS/include/Credentials.h
@@ -123,13 +123,12 @@ namespace eap
        ///
        /// 1. Cached credentials
        /// 2. Configured credentials (if \p cfg is derived from `config_method_with_cred`)
-        /// 3. Stored credentials
+        /// 3. Stored credentials (must be called in the connecting user context)
        ///
-        /// \param[in] dwFlags                A combination of [EAP flags](https://msdn.microsoft.com/en-us/library/windows/desktop/bb891975.aspx) that describe the EAP authentication session behavior
-        /// \param[in] hTokenImpersonateUser  Impersonation token for a logged-on user to collect user-related information
-        /// \param[in] cred_cached            Cached credentials (optional, can be \c NULL, must be `credentials_tls*` type)
-        /// \param[in] cfg                    Method configuration (unused, as must be as config_method_tls is not derived from `config_method_with_cred`)
-        /// \param[in] pszTargetName          The name in Windows Credential Manager to retrieve credentials from (optional, can be \c NULL)
+        /// \param[in] dwFlags        A combination of [EAP flags](https://msdn.microsoft.com/en-us/library/windows/desktop/bb891975.aspx) that describe the EAP authentication session behavior
+        /// \param[in] cred_cached    Cached credentials (optional, can be \c NULL, must be `credentials_tls*` type)
+        /// \param[in] cfg            Method configuration (unused, as must be as config_method_tls is not derived from `config_method_with_cred`)
+        /// \param[in] pszTargetName  The name in Windows Credential Manager to retrieve credentials from (optional, can be \c NULL)
        ///
        /// \returns
        /// - \c source_t::cache   Credentials were obtained from EapHost cache
@@ -138,7 +137,6 @@ namespace eap
        ///
        virtual source_t combine(
            _In_             DWORD         dwFlags,
-            _In_opt_         HANDLE        hTokenImpersonateUser,
            _In_opt_   const credentials   *cred_cached,
            _In_       const config_method &cfg,
            _In_opt_z_       LPCTSTR       pszTargetName);
--- a/lib/TLS/src/Credentials.cpp
+++ b/lib/TLS/src/Credentials.cpp
@@ -267,7 +267,6 @@ std::wstring eap::credentials_tls::get_identity() const

 eap::credentials::source_t eap::credentials_tls::combine(
    _In_             DWORD         dwFlags,
-    _In_opt_         HANDLE        hTokenImpersonateUser,
    _In_opt_   const credentials   *cred_cached,
    _In_       const config_method &cfg,
    _In_opt_z_       LPCTSTR       pszTargetName)
@@ -290,9 +289,6 @@ eap::credentials::source_t eap::credentials_tls::combine(
    }

    if (pszTargetName) {
-        // Switch user context.
-        user_impersonator impersonating(hTokenImpersonateUser);
-
        try {
            credentials_tls cred_loaded(m_module);
            cred_loaded.retrieve(pszTargetName, cfg.m_level);