add protect deletion edit

2025-03-31 02:50:17 +03:00 · 2021-08-20 15:59:02 +04:00 · 2021-08-20 15:59:02 +04:00 · 7dd0112f09
commit 7dd0112f09
parent f773ee8e4c
8 changed files with 168 additions and 0 deletions
--- a/src/adldap/ad_defines.h
+++ b/src/adldap/ad_defines.h
@ -244,6 +244,8 @@ enum AcePermission {
    AcePermission_FullControl,
    AcePermission_Read,
    AcePermission_Write,
+    AcePermission_Delete,
+    AcePermission_DeleteSubtree,
    AcePermission_CreateChild,
    AcePermission_DeleteChild,
    AcePermission_AllowedToAuthenticate,
--- a/src/adldap/ad_security.cpp
+++ b/src/adldap/ad_security.cpp
@ -113,6 +113,8 @@ const QHash<AcePermission, uint32_t> ace_permission_to_mask_map = {
    {AcePermission_Read, (SEC_STD_READ_CONTROL | SEC_ADS_LIST | SEC_ADS_READ_PROP)},
    // {AcePermission_Write, SEC_ADS_GENERIC_WRITE},
    {AcePermission_Write, (SEC_ADS_SELF_WRITE | SEC_ADS_WRITE_PROP)},
+    {AcePermission_Delete, SEC_STD_DELETE},
+    {AcePermission_DeleteSubtree, SEC_DIR_DELETE_CHILD},
    {AcePermission_CreateChild, SEC_ADS_CREATE_CHILD},
    {AcePermission_DeleteChild, SEC_ADS_DELETE_CHILD},
    {AcePermission_AllowedToAuthenticate, SEC_ADS_CONTROL_ACCESS},
@ -458,6 +460,14 @@ QByteArray dom_sid_to_bytes(const dom_sid &sid) {
    return bytes;
 }

+QByteArray dom_sid_string_to_bytes(const QString &string) {
+    dom_sid sid;
+    dom_sid_parse(cstr(string), &sid);
+    const QByteArray bytes = dom_sid_to_bytes(sid);
+
+    return bytes;
+}
+
 void ad_security_sort_dacl(security_descriptor *sd) {
    qsort(sd->dacl->aces, sd->dacl->num_aces, sizeof(security_ace), ace_compare);
 }
@ -600,3 +610,43 @@ QHash<QByteArray, QHash<AcePermission, PermissionState>> ad_security_get_state_f

    return out;
 }
+
+bool ad_security_get_protected_against_deletion(const AdObject &object, AdConfig *adconfig) {
+    QHash<QByteArray, QHash<AcePermission, PermissionState>> permissions = object.get_security_state(adconfig);
+
+    const QByteArray world_trustee = dom_sid_string_to_bytes(SID_WORLD);
+
+    const PermissionState delete_state = permissions[world_trustee][AcePermission_Delete];
+    const PermissionState delete_subtree_state = permissions[world_trustee][AcePermission_DeleteSubtree];
+    const bool out = ((delete_state == PermissionState_Denied) && (delete_subtree_state == PermissionState_Denied));
+
+    return out;
+}
+
+bool ad_security_set_protected_against_deletion(AdInterface &ad, const QString dn, AdConfig *adconfig, const bool enabled) {
+    const AdObject object = ad.search_object(dn);
+    const QHash<QByteArray, QHash<AcePermission, PermissionState>> old_permissions = object.get_security_state(adconfig);
+
+    const QHash<QByteArray, QHash<AcePermission, PermissionState>> new_permissions = [&]() {
+        QHash<QByteArray, QHash<AcePermission, PermissionState>> out;
+
+        const QByteArray world_trustee = dom_sid_string_to_bytes(SID_WORLD);
+
+        const PermissionState state = [&]() {
+            if (enabled) {
+                return PermissionState_Denied;
+            } else {
+                return PermissionState_None;
+            }
+        }();
+        out = old_permissions;
+        out = ad_security_modify(out, world_trustee, AcePermission_Delete, state);
+        out = ad_security_modify(out, world_trustee, AcePermission_DeleteSubtree, state);
+
+        return out;
+    }();
+
+    const bool apply_success = attribute_replace_security_descriptor(&ad, dn, new_permissions);
+
+    return apply_success;
+}
--- a/src/adldap/ad_security.h
+++ b/src/adldap/ad_security.h
@ -53,6 +53,8 @@ QString ad_security_get_trustee_name(AdInterface &ad, const QByteArray &trustee)
 bool attribute_replace_security_descriptor(AdInterface *ad, const QString &dn, const QHash<QByteArray, QHash<AcePermission, PermissionState>> &descriptor_state_arg);
 QList<QByteArray> ad_security_get_trustee_list_from_object(const AdObject &object);
 QHash<QByteArray, QHash<AcePermission, PermissionState>> ad_security_get_state_from_sd(security_descriptor *sd, AdConfig *adconfig);
+bool ad_security_get_protected_against_deletion(const AdObject &object, AdConfig *config);
+bool ad_security_set_protected_against_deletion(AdInterface &ad, const QString dn, AdConfig *config, const bool enabled);

 // NOTE: have to talloc_free() returned sd
 security_descriptor *ad_security_get_sd(const AdObject &object);
@ -60,5 +62,6 @@ security_descriptor *ad_security_get_sd(const AdObject &object);
 void ad_security_sort_dacl(security_descriptor *sd);

 QByteArray dom_sid_to_bytes(const dom_sid &sid);
+QByteArray dom_sid_string_to_bytes(const dom_sid &sid);

 #endif /* AD_SECURITY_H */
--- a/src/admc/CMakeLists.txt
+++ b/src/admc/CMakeLists.txt
@ -144,6 +144,7 @@ set(ADMC_SOURCES
    edits/delegation_edit.cpp
    edits/logon_hours_edit.cpp
    edits/logon_computers_edit.cpp
+    edits/protect_deletion_edit.cpp

    console_widget/console_widget.cpp
    console_widget/scope_proxy_model.cpp
--- a/src/admc/edits/protect_deletion_edit.cpp
+++ b/src/admc/edits/protect_deletion_edit.cpp
@ -0,0 +1,64 @@
+/*
+ * ADMC - AD Management Center
+ *
+ * Copyright (C) 2020-2021 BaseALT Ltd.
+ * Copyright (C) 2020-2021 Dmitry Degtyarev
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "edits/protect_deletion_edit.h"
+
+#include "adldap.h"
+#include "utils.h"
+#include "globals.h"
+
+#include <QCheckBox>
+#include <QFormLayout>
+
+// Object is protected from deletion if it denies
+// permissions for "delete" and "delete subtree" for
+// "WORLD"(everyone) trustee
+
+ProtectDeletionEdit::ProtectDeletionEdit(QList<AttributeEdit *> *edits_out, QObject *parent)
+: AttributeEdit(edits_out, parent) {
+    check = new QCheckBox(tr("Protect against deletion"));
+
+    connect(
+        check, &QCheckBox::stateChanged,
+        [this]() {
+            emit edited();
+        });
+}
+
+void ProtectDeletionEdit::load_internal(AdInterface &ad, const AdObject &object) {
+    const bool enabled = ad_security_get_protected_against_deletion(object, g_adconfig);
+
+    check->setChecked(enabled);
+}
+
+void ProtectDeletionEdit::set_read_only(const bool read_only) {
+    check->setDisabled(read_only);
+}
+
+void ProtectDeletionEdit::add_to_layout(QFormLayout *layout) {
+    layout->addRow(check);
+}
+
+bool ProtectDeletionEdit::apply(AdInterface &ad, const QString &dn) const {
+    const bool enabled = check->isChecked();
+    const bool apply_success = ad_security_set_protected_against_deletion(ad, dn, g_adconfig, enabled);
+
+    return apply_success;
+}
--- a/src/admc/edits/protect_deletion_edit.h
+++ b/src/admc/edits/protect_deletion_edit.h
@ -0,0 +1,43 @@
+/*
+ * ADMC - AD Management Center
+ *
+ * Copyright (C) 2020-2021 BaseALT Ltd.
+ * Copyright (C) 2020-2021 Dmitry Degtyarev
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef PROTECT_DELETION_EDIT_H
+#define PROTECT_DELETION_EDIT_H
+
+/**
+ * Checkbox edit that modifies ACL to protect (or not)
+ * against deletion by denying/allowing deletion.
+ */
+
+#include "edits/attribute_edit.h"
+
+class QCheckBox;
+
+class ProtectDeletionEdit final : public AttributeEdit {
+    Q_OBJECT
+public:
+    ProtectDeletionEdit(QList<AttributeEdit *> *edits_out, QObject *parent);
+    DECL_ATTRIBUTE_EDIT_VIRTUALS();
+
+private:
+    QCheckBox *check;
+};
+
+#endif /* PROTECT_DELETION_EDIT_H */
--- a/src/admc/tabs/object_tab.cpp
+++ b/src/admc/tabs/object_tab.cpp
@ -23,6 +23,7 @@
 #include "adldap.h"
 #include "edits/datetime_edit.h"
 #include "edits/string_edit.h"
+#include "edits/protect_deletion_edit.h"

 #include <QFormLayout>

@ -38,6 +39,8 @@ ObjectTab::ObjectTab() {

    edits_set_read_only(edits, true);

+    new ProtectDeletionEdit(&edits, this);
+
    edits_connect_to_tab(edits, this);

    const auto layout = new QFormLayout();
--- a/src/admc/tabs/security_tab.cpp
+++ b/src/admc/tabs/security_tab.cpp
@ -47,6 +47,8 @@ const QHash<AcePermission, QString> ace_permission_to_name_map = {
    {AcePermission_FullControl, QCoreApplication::translate("Security", "Full control")},
    {AcePermission_Read, QCoreApplication::translate("Security", "Read")},
    {AcePermission_Write, QCoreApplication::translate("Security", "Write")},
+    {AcePermission_Delete, QCoreApplication::translate("Security", "Delete")},
+    {AcePermission_DeleteSubtree, QCoreApplication::translate("Security", "Delete subtree")},
    {AcePermission_CreateChild, QCoreApplication::translate("Security", "Create child")},
    {AcePermission_DeleteChild, QCoreApplication::translate("Security", "Delete child")},
    {AcePermission_AllowedToAuthenticate, QCoreApplication::translate("Security", "Allowed to authenticate")},