Returning authenticated cookie when using TO Client Cert Auth

CHANGELOG.md

@@ -17,6 +17,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 - Updated Go version to 1.22.0
 
 ### Fixed
+- [#7984](https://github.com/apache/trafficcontrol/pull/7984) *Traffic Ops* Fixed TO Client cert authentication with respect to returning response cookie.
 - [#7957](https://github.com/apache/trafficcontrol/pull/7957) *Traffic Ops* Fix the incorrect display of delivery services assigned to ORG servers.
 - [#7917](https://github.com/apache/trafficcontrol/pull/7917) *Traffic Ops* Removed `Alerts` field from struct `ProfileExportResponse`.
 - [#7918](https://github.com/apache/trafficcontrol/pull/7918) *Traffic Portal* Fixed topology link under DS-Servers tables page

traffic_ops/testing/api/v5/session_test.go

@@ -74,5 +74,10 @@ func TestLoginWithCert(t *testing.T) {
 		if session == nil {
 			t.Fatalf("expected a valid session, but got nothing")
 		}
+
+		_, _, err = session.GetAbout(client.RequestOptions{})
+		if err != nil {
+			t.Fatalf("expected no error while using the client cert session to hit an authenticated endpoint, but got %v", err)
+		}
 	}
 }

traffic_ops/toclientlib/toclientlib.go

@@ -349,6 +349,14 @@ func LoginWithCert(
 	if err != nil {
 		return nil, nil, err
 	}
+
+	jar, err := cookiejar.New(&cookiejar.Options{
+		PublicSuffixList: publicsuffix.List,
+	})
+	if err != nil {
+		return nil, nil, errors.New("creating cookie jar: " + err.Error())
+	}
+
 	to := NewClient("", "", toURL, userAgent, &http.Client{
 		Timeout: requestTimeout,
 		Transport: &http.Transport{
@@ -357,6 +365,7 @@ func LoginWithCert(
 				InsecureSkipVerify: insecure,
 			},
 		},
+		Jar: jar,
 	}, apiVersions)
 
 	reqInf, err := to.login()

traffic_ops/traffic_ops_golang/login/login.go

@@ -108,7 +108,7 @@ Subject: {{.InstanceName}} Password Reset Request` + "\r\n\r" + `
 </html>
 `))
 
-func clientCertAuthentication(w http.ResponseWriter, r *http.Request, db *sqlx.DB, cfg config.Config, dbCtx context.Context, cancelTx context.CancelFunc, form auth.PasswordForm, authenticated bool) bool {
+func clientCertAuthentication(w http.ResponseWriter, r *http.Request, db *sqlx.DB, cfg config.Config, dbCtx context.Context, cancelTx context.CancelFunc, form *auth.PasswordForm, authenticated bool) bool {
 	// No certs provided by the client. Skip to form authentication
 	if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
 		return false
@@ -171,7 +171,7 @@ func LoginHandler(db *sqlx.DB, cfg config.Config) http.HandlerFunc {
 		// Attempt to perform client certificate authentication. If fails, goto standard form auth. If the
 		// certificate was verified, has a UID, and the UID matches an existing user we consider this to
 		// be a successful login.
-		authenticated = clientCertAuthentication(w, r, db, cfg, dbCtx, cancelTx, form, authenticated)
+		authenticated = clientCertAuthentication(w, r, db, cfg, dbCtx, cancelTx, &form, authenticated)
 
 		// Failed certificate-based auth, perform standard form auth
 		if !authenticated {