Gist: bartoszmajsak/0dd82d386a79d871282fc11c0071d4ca
#!/bin/bash
# Reproducer: SA tokens should NOT be able to issue new tokens
set -uo pipefail

# Default to the cluster's ingress domain unless MAAS_URL is set explicitly.
MAAS_URL="${MAAS_URL:-maas.$(oc get ingresses.config.openshift.io cluster -o jsonpath='{.spec.domain}')}"

echo "=== Step 1: Get token using OpenShift identity (expected: success) ==="
# -k skips TLS verification: fine for a lab reproducer, not for real clients.
TOKEN=$(curl -sSk -X POST \
  -H "Authorization: Bearer $(oc whoami -t)" \
  -H "Content-Type: application/json" \
  -d '{"expiration":"10m"}' \
  "https://${MAAS_URL}/maas-api/v1/tokens" | jq -r .token)

if [[ -z "$TOKEN" || "$TOKEN" == "null" ]]; then
  echo "❌ Failed to get initial token"
  exit 1
fi
echo "✅ Got TOKEN: ${TOKEN:0:50}..."
echo ""

echo "=== Step 2: Try to issue another token using SA token (expected: 401) ==="
# Append the HTTP status on its own line so it can be split from the body.
RESPONSE=$(curl -sSk -X POST \
  -H "Authorization: Bearer ${TOKEN}" \
  -H "Content-Type: application/json" \
  -d '{"expiration":"10m"}' \
  -w "\nHTTP_STATUS:%{http_code}" \
  "https://${MAAS_URL}/maas-api/v1/tokens")
HTTP_STATUS=$(echo "$RESPONSE" | grep "HTTP_STATUS:" | cut -d':' -f2)
BODY=$(echo "$RESPONSE" | sed '/HTTP_STATUS:/d')

echo "HTTP Status: $HTTP_STATUS"
echo "Response: $BODY"

if [[ "$HTTP_STATUS" == "401" ]]; then
  echo ""
  echo "✅ PASS: SA token correctly rejected for token issuance"
else
  TOKEN2=$(echo "$BODY" | jq -r .token 2>/dev/null)
  if [[ -n "$TOKEN2" && "$TOKEN2" != "null" ]]; then
    echo ""
    echo "❌ FAIL: SA token was able to issue TOKEN2!"
    echo " This is a security vulnerability - tokens should not create tokens"
    exit 1
  fi
  # Neither a 401 nor a minted token: report it so the run is not silently green.
  echo "⚠️  Unexpected status ${HTTP_STATUS} with no token in the response"
  exit 1
fi
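The server-side guard this reproducer tests, as an added example (not code from the gist or from maas-api). It assumes the gateway resolves the bearer token to a Kubernetes identity (e.g. via TokenReview, where service accounts are named `system:serviceaccount:<ns>:<name>` and belong to the `system:serviceaccounts` group), that the tokens `/tokens` mints are service-account tokens, and that `authenticate` is a hypothetical hook supplied by the caller.

```go
package main

import (
	"encoding/json"
	"net/http"
	"strings"
)

// Identity is the caller as resolved by the gateway's authentication step.
// Assumption: filled from a Kubernetes TokenReview, so service accounts show up
// as "system:serviceaccount:<namespace>:<name>" with the "system:serviceaccounts"
// group, while an OpenShift user token (oc whoami -t) maps to a plain username.
type Identity struct {
	Username string
	Groups   []string
}

// allowTokenIssuance is the rule the reproducer checks: only a user identity may
// mint a new API token; a token bound to a service account (which is what the
// /tokens endpoint hands out) must not be able to mint further tokens.
func allowTokenIssuance(id Identity) bool {
	if strings.HasPrefix(id.Username, "system:serviceaccount:") {
		return false
	}
	for _, g := range id.Groups {
		if g == "system:serviceaccounts" || strings.HasPrefix(g, "system:serviceaccounts:") {
			return false
		}
	}
	return id.Username != ""
}

// tokensHandler guards POST /maas-api/v1/tokens. authenticate (hypothetical)
// validates the bearer token and returns the caller's identity.
func tokensHandler(authenticate func(bearer string) (Identity, bool)) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		bearer := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		id, ok := authenticate(bearer)
		if !ok || !allowTokenIssuance(id) {
			// 401 is the status the reproducer expects for a rejected SA token.
			w.WriteHeader(http.StatusUnauthorized)
			json.NewEncoder(w).Encode(map[string]string{"error": "token issuance requires a user identity"})
			return
		}
		// Constructed placeholder: real code would mint an SA token here.
		json.NewEncoder(w).Encode(map[string]string{"token": "sa-token-for-" + id.Username})
	}
}
```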