credentials: Move user impersonation to peer::get_identity()

To retrieve user credentials, EapHost provides us the interactive user's
token we can use to impersonate.

By doing the impersonation early in peer::get_identity(), we don't need
to pass the token down to the lower-level methods. This is a
simplification rather than a performance optimization.

Signed-off-by: Simon Rozman <simon@rozman.si>
2020-02-06 09:39:57 +01:00
parent e2eb41e811
commit 75488ba870
14 changed files with 42 additions and 73 deletions


@@ -112,13 +112,12 @@ namespace eap
///
/// 1. Cached credentials
/// 2. Configured credentials (if \p cfg is derived from `config_method_with_cred`)
/// 3. Stored credentials
/// 3. Stored credentials (must be called in the connecting user context)
///
/// \param[in] dwFlags A combination of [EAP flags](https://msdn.microsoft.com/en-us/library/windows/desktop/bb891975.aspx) that describe the EAP authentication session behavior
/// \param[in] hTokenImpersonateUser Impersonation token for a logged-on user to collect user-related information
/// \param[in] cred_cached Cached credentials (optional, can be \c NULL, must be `credentials_tls_tunnel*` type)
/// \param[in] cfg Method configuration (unused, as must be as config_method_tls_tunnel is not derived from `config_method_with_cred`)
/// \param[in] pszTargetName The name in Windows Credential Manager to retrieve credentials from (optional, can be \c NULL)
/// \param[in] dwFlags A combination of [EAP flags](https://msdn.microsoft.com/en-us/library/windows/desktop/bb891975.aspx) that describe the EAP authentication session behavior
/// \param[in] cred_cached Cached credentials (optional, can be \c NULL, must be `credentials_tls_tunnel*` type)
/// \param[in] cfg Method configuration (unused, as must be as config_method_tls_tunnel is not derived from `config_method_with_cred`)
/// \param[in] pszTargetName The name in Windows Credential Manager to retrieve credentials from (optional, can be \c NULL)
///
/// \returns
/// - \c source_t::cache Credentials were obtained from EapHost cache
@@ -127,7 +126,6 @@ namespace eap
///
virtual source_t combine(
_In_ DWORD dwFlags,
_In_opt_ HANDLE hTokenImpersonateUser,
_In_opt_ const credentials *cred_cached,
_In_ const config_method &cfg,
_In_opt_z_ LPCTSTR pszTargetName);
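Review bot: The impersonation precondition that replaces the removed `hTokenImpersonateUser` parameter is recorded only as a parenthesis on list item 3 of the doc comment, while the Credential Manager lookup driven by `pszTargetName` will now run in whatever security context the caller is in — presumably the service context when nobody has impersonated, which would miss or mismatch the connecting user's stored entries. A dedicated precondition line on the `combine()` doxygen would make the contract visible to every override and caller: `/// \note Must be called while impersonating the connecting user (see peer::get_identity()); the stored-credentials lookup otherwise runs in the caller's own security context.` The same precondition applies to the peer-header declaration in the next section, whose enclosing doxygen lies outside that hunk.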


@@ -64,8 +64,7 @@ namespace eap
_In_ const config_connection &cfg,
_In_count_(dwUserDataSize) const BYTE *pUserData,
_In_ DWORD dwUserDataSize,
_Inout_ credentials_connection& cred_out,
_In_ HANDLE hTokenImpersonateUser);
_Inout_ credentials_connection& cred_out);
};


@@ -180,7 +180,6 @@ wstring eap::credentials_tls_tunnel::get_identity() const
eap::credentials::source_t eap::credentials_tls_tunnel::combine(
_In_ DWORD dwFlags,
_In_opt_ HANDLE hTokenImpersonateUser,
_In_opt_ const credentials *cred_cached,
_In_ const config_method &cfg,
_In_opt_z_ LPCTSTR pszTargetName)
@@ -188,7 +187,6 @@ eap::credentials::source_t eap::credentials_tls_tunnel::combine(
// Combine outer credentials.
source_t src_outer = credentials_tls::combine(
dwFlags,
hTokenImpersonateUser,
cred_cached,
cfg,
pszTargetName);
@@ -196,7 +194,6 @@ eap::credentials::source_t eap::credentials_tls_tunnel::combine(
// Combine inner credentials.
source_t src_inner = m_inner->combine(
dwFlags,
hTokenImpersonateUser,
cred_cached ? dynamic_cast<const credentials_tls_tunnel*>(cred_cached)->m_inner.get() : NULL,
*dynamic_cast<const config_method_tls_tunnel&>(cfg).m_inner,
pszTargetName);
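Review bot: The `dynamic_cast<const credentials_tls_tunnel*>(cred_cached)` on the cred_cached argument line is dereferenced without checking its result, so a cached credential object of another type becomes a null-pointer dereference rather than a diagnosable error; the inner-combine hunk of peer_tls_tunnel.cpp below keeps the same shape on `cred_in.m_cred.get()`. This is pre-existing code the commit retains as context, but since the header already states the "must be `credentials_tls_tunnel*` type" contract, either check the cast or make the guarantee explicit: `const auto *cached_tunnel = cred_cached ? dynamic_cast<const credentials_tls_tunnel*>(cred_cached) : nullptr;` and then pass `cached_tunnel ? cached_tunnel->m_inner.get() : NULL`. The body of `combine()` continues past the hunk.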


@@ -66,8 +66,7 @@ _Success_(return != 0) const eap::config_method_with_cred* eap::peer_tls_tunnel:
_In_ const config_connection &cfg,
_In_count_(dwUserDataSize) const BYTE *pUserData,
_In_ DWORD dwUserDataSize,
_Inout_ credentials_connection& cred_out,
_In_ HANDLE hTokenImpersonateUser)
_Inout_ credentials_connection& cred_out)
{
#if EAP_USE_NATIVE_CREDENTIAL_CACHE
// Unpack cached credentials.
@@ -102,7 +101,6 @@ _Success_(return != 0) const eap::config_method_with_cred* eap::peer_tls_tunnel:
LPCTSTR _target_name = (dwFlags & EAP_FLAG_GUEST_ACCESS) == 0 ? target_name.c_str() : NULL;
eap::credentials::source_t src_outer = cred->credentials_tls::combine(
dwFlags,
hTokenImpersonateUser,
#if EAP_USE_NATIVE_CREDENTIAL_CACHE
has_cached ? cred_in.m_cred.get() : NULL,
#else
@@ -118,7 +116,6 @@ _Success_(return != 0) const eap::config_method_with_cred* eap::peer_tls_tunnel:
// Combine inner credentials.
eap::credentials::source_t src_inner = cred->m_inner->combine(
dwFlags,
hTokenImpersonateUser,
#if EAP_USE_NATIVE_CREDENTIAL_CACHE
has_cached ? dynamic_cast<credentials_tls_tunnel*>(cred_in.m_cred.get())->m_inner.get() : NULL,
#else