credentials::combine() methods updated with support for EAPMsg:

- Additional parameters - Additional result code - User impersonation now mounted inside of credentials::combine() when required
2016-10-10 14:29:54 +02:00
parent c660e2b3e6
commit e94e3bdd60
12 changed files with 113 additions and 26 deletions
--- a/lib/TLS/include/Credentials.h
+++ b/lib/TLS/include/Credentials.h
@@ -189,9 +189,11 @@ namespace eap
        /// 2. Configured credentials (if \p cfg is derived from config_method_with_cred)
        /// 3. Stored credentials
        ///
-        /// \param[in] cred_cached    Cached credentials (optional, can be \c NULL, must be credentials_tls* type)
-        /// \param[in] cfg            Method configuration (must be config_method_tls type)
-        /// \param[in] pszTargetName  The name in Windows Credential Manager to retrieve credentials from (optional, can be \c NULL)
+        /// \param[in] dwFlags                A combination of [EAP flags](https://msdn.microsoft.com/en-us/library/windows/desktop/bb891975.aspx) that describe the EAP authentication session behavior
+        /// \param[in] hTokenImpersonateUser  Impersonation token for a logged-on user to collect user-related information
+        /// \param[in] cred_cached            Cached credentials (optional, can be \c NULL, must be credentials_eapmsg* type)
+        /// \param[in] cfg                    Method configuration (unused, as must be as config_method_eapmsg is not derived from config_method_with_cred)
+        /// \param[in] pszTargetName          The name in Windows Credential Manager to retrieve credentials from (optional, can be \c NULL)
        ///
        /// \returns
        /// - \c source_cache   Credentials were obtained from EapHost cache
@@ -199,6 +201,8 @@ namespace eap
        /// - \c source_storage Credentials were loaded from Windows Credential Manager
        ///
        virtual source_t combine(
+            _In_             DWORD         dwFlags,
+            _In_             HANDLE        hTokenImpersonateUser,
            _In_opt_   const credentials   *cred_cached,
            _In_       const config_method &cfg,
            _In_opt_z_       LPCTSTR       pszTargetName);
--- a/lib/TLS/src/Credentials.cpp
+++ b/lib/TLS/src/Credentials.cpp
@@ -292,10 +292,14 @@ std::wstring eap::credentials_tls::get_identity() const


 eap::credentials::source_t eap::credentials_tls::combine(
+    _In_             DWORD         dwFlags,
+    _In_             HANDLE        hTokenImpersonateUser,
    _In_opt_   const credentials   *cred_cached,
    _In_       const config_method &cfg,
    _In_opt_z_       LPCTSTR       pszTargetName)
 {
+    UNREFERENCED_PARAMETER(dwFlags);
+
    if (cred_cached) {
        // Using EAP service cached credentials.
        *this = *dynamic_cast<const credentials_tls*>(cred_cached);
@@ -312,6 +316,9 @@ eap::credentials::source_t eap::credentials_tls::combine(
    }

    if (pszTargetName) {
+        // Switch user context.
+        user_impersonator impersonating(hTokenImpersonateUser);
+
        try {
            credentials_tls cred_loaded(m_module);
            cred_loaded.retrieve(pszTargetName, cfg.m_level);