zrhoffman pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficcontrol.git
The following commit(s) were added to refs/heads/master by this push:
new e4729e8249 Returning authenticated cookie when using TO Client Cert
Auth (#7984)
e4729e8249 is described below
commit e4729e8249b81bed57376e436ec0f2617cb5d438
Author: Rima Shah <[email protected]>
AuthorDate: Thu Apr 11 10:36:48 2024 -0600
Returning authenticated cookie when using TO Client Cert Auth (#7984)
added jar to save authenticated cookie
---
CHANGELOG.md | 1 +
traffic_ops/testing/api/v5/session_test.go | 5 +++++
traffic_ops/toclientlib/toclientlib.go | 9 +++++++++
traffic_ops/traffic_ops_golang/login/login.go | 4 ++--
4 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index caded33850..2ce4004fa1 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -17,6 +17,7 @@ The format is based on [Keep a
Changelog](http://keepachangelog.com/en/1.0.0/).
- Updated Go version to 1.22.0
### Fixed
+- [#7984](https://github.com/apache/trafficcontrol/pull/7984) *Traffic Ops*
Fixed TO Client cert authentication with respect to returning response cookie.
- [#7957](https://github.com/apache/trafficcontrol/pull/7957) *Traffic Ops*
Fix the incorrect display of delivery services assigned to ORG servers.
- [#7917](https://github.com/apache/trafficcontrol/pull/7917) *Traffic Ops*
Removed `Alerts` field from struct `ProfileExportResponse`.
- [#7918](https://github.com/apache/trafficcontrol/pull/7918) *Traffic Portal*
Fixed topology link under DS-Servers tables page
diff --git a/traffic_ops/testing/api/v5/session_test.go
b/traffic_ops/testing/api/v5/session_test.go
index c30658b50a..e874c1cc2f 100644
--- a/traffic_ops/testing/api/v5/session_test.go
+++ b/traffic_ops/testing/api/v5/session_test.go
@@ -74,5 +74,10 @@ func TestLoginWithCert(t *testing.T) {
if session == nil {
t.Fatalf("expected a valid session, but got nothing")
}
+
+ _, _, err = session.GetAbout(client.RequestOptions{})
+ if err != nil {
+ t.Fatalf("expected no error while using the client cert
session to hit an authenticated endpoint, but got %v", err)
+ }
}
}
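Review bot: The added `GetAbout` call throws away the request info it returns, so the test proves only that no error came back from the authenticated endpoint. Keeping that value, e.g. `_, reqInf, err := session.GetAbout(client.RequestOptions{})`, and failing when `reqInf.StatusCode` is not 200 would pin the expected outcome and make a regression easier to read from the test output. TestLoginWithCert begins outside this hunk, so any earlier assertions are not visible here.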
diff --git a/traffic_ops/toclientlib/toclientlib.go
b/traffic_ops/toclientlib/toclientlib.go
index b70e71eed8..5a978e3d96 100644
--- a/traffic_ops/toclientlib/toclientlib.go
+++ b/traffic_ops/toclientlib/toclientlib.go
@@ -349,6 +349,14 @@ func LoginWithCert(
if err != nil {
return nil, nil, err
}
+
+ jar, err := cookiejar.New(&cookiejar.Options{
+ PublicSuffixList: publicsuffix.List,
+ })
+ if err != nil {
+ return nil, nil, errors.New("creating cookie jar: " +
err.Error())
+ }
+
to := NewClient("", "", toURL, userAgent, &http.Client{
Timeout: requestTimeout,
Transport: &http.Transport{
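Review bot: The error from `cookiejar.New` is flattened into a new string, so callers of LoginWithCert cannot match the underlying cause with `errors.Is` or `errors.As`. If `fmt` is already imported in this file (the import block is not visible in this hunk), prefer `return nil, nil, fmt.Errorf("creating cookie jar: %w", err)`. LoginWithCert starts before this hunk and continues after it.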
@@ -357,6 +365,7 @@ func LoginWithCert(
InsecureSkipVerify: insecure,
},
},
+ Jar: jar,
}, apiVersions)
reqInf, err := to.login()
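Review bot: With `Jar: jar` the client now keeps the session cookie returned by the certificate login and replays it on every later request, and the same client is built with `InsecureSkipVerify: insecure`. When a caller passes `insecure` as true, that cookie is sent to a server whose certificate was never verified, which is worth stating where callers will read it. Suggested addition to LoginWithCert's doc comment: `// If insecure is true the server certificate is not verified, and the session cookie held in the client's jar is sent to that unverified server.` The function's signature and existing doc comment are outside this hunk.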
diff --git a/traffic_ops/traffic_ops_golang/login/login.go
b/traffic_ops/traffic_ops_golang/login/login.go
index 7e43bfbc5e..5310f9fdf8 100644
--- a/traffic_ops/traffic_ops_golang/login/login.go
+++ b/traffic_ops/traffic_ops_golang/login/login.go
@@ -108,7 +108,7 @@ Subject: {{.InstanceName}} Password Reset Request` +
"\r\n\r" + `
</html>
`))
-func clientCertAuthentication(w http.ResponseWriter, r *http.Request, db
*sqlx.DB, cfg config.Config, dbCtx context.Context, cancelTx
context.CancelFunc, form auth.PasswordForm, authenticated bool) bool {
+func clientCertAuthentication(w http.ResponseWriter, r *http.Request, db
*sqlx.DB, cfg config.Config, dbCtx context.Context, cancelTx
context.CancelFunc, form *auth.PasswordForm, authenticated bool) bool {
// No certs provided by the client. Skip to form authentication
if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
return false
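Review bot: `form` is now passed by pointer, but nothing at the changed signature says the function writes to it. The call site in LoginHandler (last hunk of this file) falls through to standard form auth with the same `form` when the function returns false. The body is outside this hunk, so this is inferred: if any field of `*form` is assigned before every certificate check has passed, a failed certificate login leaves those values in the form that the password path then uses. Add a doc comment such as `// clientCertAuthentication fills in *form only when it returns true; on false the form is left untouched.` If the body does not already guarantee that, build the values in a local and copy them into `*form` only on success.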
@@ -171,7 +171,7 @@ func LoginHandler(db *sqlx.DB, cfg config.Config)
http.HandlerFunc {
// Attempt to perform client certificate authentication. If
fails, goto standard form auth. If the
// certificate was verified, has a UID, and the UID matches an
existing user we consider this to
// be a successful login.
- authenticated = clientCertAuthentication(w, r, db, cfg, dbCtx,
cancelTx, form, authenticated)
+ authenticated = clientCertAuthentication(w, r, db, cfg, dbCtx,
cancelTx, &form, authenticated)
// Failed certificate-based auth, perform standard form auth
if !authenticated {