fix: AllowedToDelegate Edge not getting created when user has msDS-AllowedToDelegateTo values BED-7625

[ktstrader]

Description

Removed the TrustedToAuthForDelegation flag check from both ReadUserProperties and ReadComputerProperties, so AllowedToDelegate edges are emitted whenever msDS-AllowedToDelegateTo is populated.
Updated tests to allow UAC flag check for TrustedToAuthForDelegation to be false.

Motivation and Context

If a user or computer has msDS-AllowedToDelegateTo populated, it doesn’t matter if TrustedForDelegation or TrustedToAuthForDelegation is true or false, there should be an AllowedToDelegate edge drawn from the user/computer to the destination computer

This PR addresses: BED-7625

How Has This Been Tested?

Tested in GOAD lab
Testing Instructions on ticket https://specterops.atlassian.net/browse/BED-7625

Screenshots (if appropriate):

Types of changes

• Chore (a change that does not modify the application functionality)
• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

• I have met the contributing prerequisites
  • Assigned myself to this PR
  • Added the appropriate labels
  • Associated an issue: Issues and Pull Requests README BloodHound#672
  • Read the Contributing guide: https://github.com/SpecterOps/BloodHound/wiki/Contributing
• I have ensured that related documentation is up-to-date
  • Open API docs
  • Code comments
• I have followed proper test practices
  • Added/updated tests to cover my changes
  • All new and existing tests passed

[coderabbitai]

Walkthrough

This PR removes a UAC flag condition from LDAP delegate property processing. The ReadUserProperties and ReadComputerProperties methods now populate allowedtodelegate whenever the AllowedToDelegateTo property is present, independent of the TrustedToAuthForDelegation flag. Tests are updated with new UAC values to match the refactored logic.

Changes

LDAP Delegate Processing Refactor

Layer / File(s)	Summary
Remove UAC flag condition and update tests src/CommonLib/Processors/LdapPropertyProcessor.cs, test/unit/LdapPropertyTests.cs	ReadUserProperties and ReadComputerProperties now process AllowedToDelegateTo based solely on property presence, not on the TrustedToAuthForDelegation UAC flag. Mock useraccountcontrol values in the "delegates null" test cases are updated from 0x1000000 → 0x200 and 0x1001000 → 0x1000 to validate the behavior change.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 When UAC flags were holding us back,
We pruned the condition—now delegate tracking
Flows freely when targets are there,
No flag-guard required, just presence we care. ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: removing a flag check to allow AllowedToDelegate edges to be created whenever msDS-AllowedToDelegateTo values are present, with the ticket reference.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description check	✅ Passed	The PR description includes all required sections with sufficient detail: clear description of changes, motivation/context with issue reference, testing approach, type classification as bug fix, and completed checklist items.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch BED-7625

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}