Ensure that login in policy-gui works with AAF

Add CLAMP SSL cert and key to Docker image
Change nginx port from 8080 to 2443 and enable SSL
Update README to include instructions on certificate login

Issue-ID: POLICY-3615
Signed-off-by: danielhanrahan <daniel.hanrahan@est.tech>
Change-Id: I5211d30c420d75a94621399f33763b8156c50b5b

5 files changed, 87 insertions, 7 deletions

diff --git a/README.md b/README.md
index 6322319..4bff635 100644
--- a/README.md
+++ b/README.md
@@ -13,10 +13,10 @@ To build it using Maven 3, run: mvn clean install -P docker
 # Docker image
 
 Maven produces a single docker image containing the policy GUIs. These are exposed on
-the same port (8080) using different URLs:
-- Apex Policy Editor: http://localhost:8080/apex-editor
-- PDP Monitoring UI: http://localhost:8080/pdp-monitoring
-- CLAMP Designer UI: http://localhost:8080/clamp
+the same port (2443) using different URLs:
+- Apex Policy Editor: http://localhost:2443/apex-editor
+- PDP Monitoring UI: http://localhost:2443/pdp-monitoring
+- CLAMP Designer UI: http://localhost:2443/clamp
 
 ## Building
 You can use the following command to build the policy-gui docker image:
@@ -38,8 +38,16 @@ backend, then CLAMP_REST_URL should be set to `https://policy-clamp-backend:8443
 If running clamp backend on localhost port 8443, the policy-gui docker image would be
 started like this:
 ```
-docker run -p 8080:8080 \
+docker run -p 2443:2443 \
     --add-host host.docker.internal:host-gateway \
     --env CLAMP_REST_URL=https://host.docker.internal:8443 \
     onap/policy-gui
 ```
+
+## Client Credentials
+A certificate must be added in the browser and is required to log in properly:
+
+[org.onap.clamp.p12 (from clamp master)](URL "https://gerrit.onap.org/r/gitweb?p=clamp.git;a=blob_plain;f=src/main/resources/clds/aaf/org.onap.clamp.p12;hb=refs/heads/master")
+(Password: "China in the Spring")
+
+See onap/clamp repo README for details.
diff --git a/packages/policy-gui-docker/src/main/docker/Dockerfile b/packages/policy-gui-docker/src/main/docker/Dockerfile
index 8820139..681a58d 100644
--- a/packages/policy-gui-docker/src/main/docker/Dockerfile
+++ b/packages/policy-gui-docker/src/main/docker/Dockerfile
@@ -37,6 +37,8 @@ WORKDIR $POLICY_HOME
 COPY policy-gui.sh ./bin/
 COPY /maven/gui-editor-apex-uber.jar ./lib/
 COPY /maven/gui-pdp-monitoring-uber.jar ./lib/
+COPY etc/ssl/clamp.key /etc/ssl/clamp.key
+COPY etc/ssl/clamp.pem /etc/ssl/clamp.pem
 COPY nginx/nginx.conf /etc/nginx/nginx.conf
 COPY nginx/default.conf.template /etc/nginx/templates/default.conf.template
 COPY nginx/index.html /usr/share/nginx/html/
@@ -52,4 +54,4 @@ RUN rm /etc/nginx/conf.d/default.conf && \
 USER policy
 WORKDIR $POLICY_HOME/bin
 ENTRYPOINT [ "./policy-gui.sh" ]
-EXPOSE 8080
+EXPOSE 2443
diff --git a/packages/policy-gui-docker/src/main/docker/etc/ssl/clamp.key b/packages/policy-gui-docker/src/main/docker/etc/ssl/clamp.key
new file mode 100644
index 0000000..bcbb9f1
--- /dev/null
+++ b/packages/policy-gui-docker/src/main/docker/etc/ssl/clamp.key
@@ -0,0 +1,32 @@
+Bag Attributes
+    friendlyName: clamp@clamp.onap.org
+    localKeyID: 54 69 6D 65 20 31 35 38 30 38 32 39 30 36 35 34 37 39 
+Key Attributes: <No Attributes>
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCTB30nMh0hczIk
+vWJo7Omg7cAHhz50NBhLB7u+60oXRGCya4SqssqqxNnNqNQQP9MmflW2q/bZepWn
+8Rk23X6CLmoIUlrj8BMPkUCRqzgvlaWPSNAK5QcOp6GUvXTuX4EsaWxJhbs9Ujz2
++qi137iNOqfAx1sUygah1kjALrqHkXDqJGvIfxU5ES0akBi/lB7A3WpE52KTioSF
+JS5Kbnpj1ogffGNKyAiNqU61LcF1FjWmINat2z3ZMk/3Xm+HCDg/GLPnbh4E1KoE
+10O22AMys6YGEyPvgRfrTF13DsDX52PmmUHbkSB6kwS/CeV5Uu++8b6T2IWpPyZ2
++5ptmL+tAgMBAAECggEBAIUplzRUswWEq7mSvPqC9+YE7pLi7rGYLRhnXKdBuszv
+5RQzROjFHcEkoI8fhVFiPP70FPVpMh0uZTTBrDCA0v9cwjPfQuqGmPzUdUJ5bF3M
+jzICpEn5vDaNpE5ueOUcIoXyxVyhfj+/p++YfgybHy7qHN0AsYFWqEMTLLjCmbYF
+pZozbAcGQoAR8PSfwuvgusuEezrhYertHsdFwlfZhDtJvnm/4YKRUVEBzuaaA7B9
+sUhnQFS8ScqiUbkAGdjfY9wOYRHnQgjtqiP8poIzLkqCNSoVctgh5Pdv4jp4HO90
+J5QC+f7m7rOoWUw8EYbRo/4C4Mckh0GQQ+oP4xzrtZECgYEA3DYALFgOEY+0RR1K
+61HAKqdNy1YbeuidpCBEJEwmIbzdgO1DcJdNznbfdRlmS7VB9orwRfNbf7Hxm2w/
+/xn9USENXWx7fvDoISqSDegvEsBSq5hSEMVl3f7CfQZrYl1f6gxfe7L/jtmbn0eQ
+avsr9RaUCWP794DEXKuA9pC8hVsCgYEAquy5I4hO4jNBQ6v5+omjsEgk4513/RNs
+f47Md8bsDHKJMbCMKCdqM1D3J1xbgV3DgSv0yNlKdU2wenWdgQAyBtz18NBgno85
+YNanFhp1CymgLFHdLJHSOqAkzutSuCNnGTT6AKspOQvy+cuj7XsnbsxtYK3Cgw5h
+Mom3RnUy9ZcCgYAnForHVEYDBgAYuI9g39z9dT8Q1dMA6SN6S6Ps0Xt/R5gF15e9
+941/FYiqr3yB+cWgrp7hu8XFD9/0F63waTuW2AgYSjZNnROHN5g/UbRxXqQOA3al
+tXRUiHEbYjVTe4GX+ORF/8rvH19JUZmn87ekxII4fH/wOfIhBOxaV+yuuwKBgHtz
+5Tizz/3y9TWSdkgtt6uwP+yipLKGn/v1wNrWM1G+PDdGg8TQyxTrasfkHjdu6LFY
+dUHIJ85X4ZphbvRolrl8SKq5Zr+/RLsb7qy5SUZZt1Wrfysc25H6bvuA3ksfTuzW
+5acr+Oc6KTGgkvMI229cebe1aONNtIhTDav3JGpbAoGAX5DQvNreqnP8qSAvUN2I
+TAHXIzawR3f6vgGgVIdkHkiS2eKzs/fgP3VAK80TbrGSR8HvBcPEcR/icOn1u/e6
+tDp0j6mGt5aPKK9VQkBn94bW35T12FUbdB+L8FWWTUrfiVWJtEW8tEsKil5ac8U4
+Bn3vC5WUeKhW6v6kD4AigqE=
+-----END PRIVATE KEY-----
diff --git a/packages/policy-gui-docker/src/main/docker/etc/ssl/clamp.pem b/packages/policy-gui-docker/src/main/docker/etc/ssl/clamp.pem
new file mode 100644
index 0000000..a01b587
--- /dev/null
+++ b/packages/policy-gui-docker/src/main/docker/etc/ssl/clamp.pem
@@ -0,0 +1,33 @@
+Bag Attributes
+    friendlyName: clamp@clamp.onap.org
+    localKeyID: 54 69 6D 65 20 31 35 38 30 38 32 39 30 36 35 34 37 39 
+subject=CN = clamp, emailAddress = mark.d.manager@people.osaaf.com, OU = clamp@clamp.onap.org:DEV, OU = OSAAF, O = ONAP, C = US
+
+issuer=C = US, O = ONAP, OU = OSAAF, CN = intermediateCA_9
+
+-----BEGIN CERTIFICATE-----
+MIIEWDCCA0CgAwIBAgIILw1zyDGqB5IwDQYJKoZIhvcNAQELBQAwRzELMAkGA1UE
+BhMCVVMxDTALBgNVBAoMBE9OQVAxDjAMBgNVBAsMBU9TQUFGMRkwFwYDVQQDDBBp
+bnRlcm1lZGlhdGVDQV85MB4XDTIwMDIwNDEyMjM1MloXDTIxMDIwNDEyMjM1Mlow
+gY8xDjAMBgNVBAMMBWNsYW1wMS4wLAYJKoZIhvcNAQkBFh9tYXJrLmQubWFuYWdl
+ckBwZW9wbGUub3NhYWYuY29tMSEwHwYDVQQLDBhjbGFtcEBjbGFtcC5vbmFwLm9y
+ZzpERVYxDjAMBgNVBAsMBU9TQUFGMQ0wCwYDVQQKDARPTkFQMQswCQYDVQQGEwJV
+UzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJMHfScyHSFzMiS9Ymjs
+6aDtwAeHPnQ0GEsHu77rShdEYLJrhKqyyqrE2c2o1BA/0yZ+Vbar9tl6lafxGTbd
+foIuaghSWuPwEw+RQJGrOC+VpY9I0ArlBw6noZS9dO5fgSxpbEmFuz1SPPb6qLXf
+uI06p8DHWxTKBqHWSMAuuoeRcOoka8h/FTkRLRqQGL+UHsDdakTnYpOKhIUlLkpu
+emPWiB98Y0rICI2pTrUtwXUWNaYg1q3bPdkyT/deb4cIOD8Ys+duHgTUqgTXQ7bY
+AzKzpgYTI++BF+tMXXcOwNfnY+aZQduRIHqTBL8J5XlS777xvpPYhak/Jnb7mm2Y
+v60CAwEAAaOB/jCB+zAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIF4DAgBgNVHSUB
+Af8EFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwVAYDVR0jBE0wS4AUgfeZWxC5yIze
+81Je6k5poEM+rN2hMKQuMCwxDjAMBgNVBAsMBU9TQUFGMQ0wCwYDVQQKDARPTkFQ
+MQswCQYDVQQGEwJVU4IBBzAdBgNVHQ4EFgQUzfIed+18wgFs7E6q0b6BbMICtfsw
+RwYDVR0RBEAwPoIFY2xhbXCCCmNsYW1wLW9uYXCCHWNsYW1wLmFwaS5zaW1wbGVk
+ZW1vLm9uYXAub3JnggpjbGFtcC5vbmFwMA0GCSqGSIb3DQEBCwUAA4IBAQBizhsW
+XrJ9wQy3PrBxgh90sOF15tayXPRZSFYPoQb5LhRh3IY/PvXLaSHlkgPHlCLLx36S
+0/DiVf86/83ABvyaq9gJIyg/m4ntNae23OKH1AkA1aN+JCKA8yhsAzDBcRF6Aj7E
+VJ+vQlSzz5oh+efP1e/8DUMd1/WwbTXvRd0Iqv/fyZunbjb82qNMrsK1mQ2q+87A
+0jx9u1EdeMihP6vWiuKzlwy4mKoNT573SPpvaOkjX3yDlmf2CTQZ9vdAvjmFmVsH
+1wyrNZOIgW4VjluiZfAk3mOEskrZiP/7aUXnxmNnYTpgZMbhiouLbRrTc4lLEyhx
+G7A61/KGTsLZlvxb
+-----END CERTIFICATE-----
diff --git a/packages/policy-gui-docker/src/main/docker/nginx/default.conf.template b/packages/policy-gui-docker/src/main/docker/nginx/default.conf.template
index d407827..9b3348a 100644
--- a/packages/policy-gui-docker/src/main/docker/nginx/default.conf.template
+++ b/packages/policy-gui-docker/src/main/docker/nginx/default.conf.template
@@ -1,5 +1,9 @@
 server {
-  listen 8080;
+  listen 2443 default ssl;
+  ssl_protocols TLSv1.2;
+  ssl_certificate /etc/ssl/clamp.pem;
+  ssl_certificate_key /etc/ssl/clamp.key;
+  ssl_verify_client optional_no_ca;
 
   location / {
     root /usr/share/nginx/html;
@@ -9,6 +13,7 @@ server {
 
   location /clamp/restservices/clds/ {
     proxy_pass ${CLAMP_REST_URL}/restservices/clds/;
+    proxy_set_header X-SSL-Cert $ssl_client_escaped_cert;
   }
 
   location /pdp-monitoring/papservices/monitoring/ {