Upgrade Encryption: Argon2id KDF & Per-Record Salts

[madhav165]

✨ Feature / Enhancement PR

---

🚀 Summary (1-2 sentences)

Migrated encryption logic from mcpgateway/utils/oauth_encryption.py to mcpgateway/services/encryption_service.py, upgraded key derivation from PBKDF2-HMAC to Argon2id with a per-record random salt, refactored sso_service.py to use the new encryption service, removed the cached Fernet instance, and added an Alembic migration (with downgrade support) to re‑encrypt existing data.

---

🧪 Checks

• make lint passes
• make test passes

---

🔧 Detailed Changes

1. Relocation & Renaming

   • Moved: mcpgateway/utils/oauth_encryption.py ➜ mcpgateway/services/encryption_service.py.
   • Centralizes crypto concerns under services/ and clarifies usage scope beyond OAuth.

2. Key Derivation: PBKDF2-HMAC ➜ Argon2id

   • Switched to Argon2id for deriving the 32‑byte encryption key.
   • Why: Argon2id is memory‑hard and substantially more tolerant to brute‑force decryption attempts than PBKDF2, raising attacker cost and reducing effectiveness of GPU/ASIC cracking.

3. Salt Strategy: Single Global Salt ➜ Per‑Record Random Salt

   • Each encrypted record now uses its own random salt.
   • Why: Adds compartmentalization — exposure of one key/salt pair does not help decrypt other records, eliminating the prior single‑point‑of‑failure inherent in a global salt.

4. Runtime Change: Remove Cached Fernet Instance

   • Because salt is now per record, the derived key varies; a single cached Fernet object is no longer valid. The service derives per‑record and encrypts/decrypts accordingly.

5. SSO Service Refactor

   • Updated mcpgateway/services/sso_service.py to use the new centralized EncryptionService instead of its legacy inline encryption code.
   • Eliminates duplicate PBKDF2-based encryption logic and ensures consistency across all secure token operations.

6. Database Migration (Alembic) – Re‑encrypt Existing Fields

   • Added a forward migration that reads legacy encrypted values, derives new Argon2id keys with per‑record salts, and writes back in the new format.

   • Includes a downgrade script that reverses the migration, re‑encrypting with the legacy PBKDF2-HMAC method for rollback safety.

   • Updated fields (by table):

     Table	Column / Field	Notes
     gateways	oauth_config.client_secret	oauth_config is a dict; the client_secret value is re‑encrypted.
     a2a_agents	oauth_config.client_secret	Same handling as in gateways.
     oauth_tokens	access_token	Token value re‑encrypted under Argon2id + per‑record salt.
     oauth_tokens	refresh_token	Token value re‑encrypted under Argon2id + per‑record salt.
     registered_oauth_clients	client_secret_encrypted	Re‑encrypted.
     registered_oauth_clients	registration_access_token_encrypted	Re‑encrypted.
     sso_providers	client_secret_encrypted	Re‑encrypted.

7. Cross‑DB Validation

   • Verified migration on SQLite and PostgreSQL (both upgrade path and runtime decrypt/verify).

---

📎 Notes & Compatibility

• Storage type remains string/TEXT — ciphertext continues to be Base64‑encoded and safe for TEXT NOT NULL columns.
• The new format stores/associates a per‑record salt (and any required KDF params) so future decrypt can reproduce the exact key.
• The migration and downgrade scripts are idempotent per row; re‑running won’t re‑encrypt already migrated values.

---

⚠️ Caveats & Performance Notes

• Argon2id is intentionally slower and more memory-intensive than PBKDF2. This enhances brute-force resistance but may impact performance under high concurrent encryption/decryption load.
• Requires load testing to benchmark latency in token-heavy or large OAuth operations.

---

✅ Outcome

• Stronger at‑rest security posture (Argon2id + per‑record salts).
• Unified encryption interface used across SSO, OAuth, and client registration.
• Alembic upgrade + downgrade scripts ensure reversible migration and DB integrity.
• Tested and verified on SQLite & PostgreSQL.