Upgrade Encryption: Argon2id KDF & Per-Record Salts (#1373)

* Removes redundant base64
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* Replace PBKDF2HMAC with Argon2Id encryption
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* Use Argon2id for key generation in fernet encryption
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* Add docstring
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* Make sso_service use fernet_encryption utl
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* wip migration script
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* Fix import in alembic script
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* Linting fixes
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* Move encryption from util to service
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* Add missing docstrings
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* flake8 fixes
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* Handle str inputs for encryption_secret
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* Update alembic down revision number
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>

* Fix bandit

---------

Co-authored-by: Mihai Criveti <crivetimihai@gmail.com>

Author: madhav165

Containerfile.lite

@@ -76,7 +76,7 @@ SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
 
 ARG PYTHON_VERSION
 ARG ROOTFS_PATH
-ARG TARGETPLATFORM
+ARG TARGETPLATFORM=linux/amd64
 ARG GRPC_PYTHON_BUILD_SYSTEM_OPENSSL='False'
 
 # ----------------------------------------------------------------------------

Makefile

@@ -2658,7 +2658,7 @@ docker-dev:
 	@$(MAKE) container-build CONTAINER_RUNTIME=docker CONTAINER_FILE=Containerfile
 
 docker:
-	@$(MAKE) container-build CONTAINER_RUNTIME=docker CONTAINER_FILE=Containerfile
+	@$(MAKE) container-build CONTAINER_RUNTIME=docker CONTAINER_FILE=Containerfile.lite
 
 docker-prod:
 	@DOCKER_CONTENT_TRUST=1 $(MAKE) container-build CONTAINER_RUNTIME=docker CONTAINER_FILE=Containerfile.lite

mcpgateway/admin.py

@@ -95,6 +95,7 @@
 )
 from mcpgateway.services.a2a_service import A2AAgentError, A2AAgentNameConflictError, A2AAgentNotFoundError, A2AAgentService
 from mcpgateway.services.catalog_service import catalog_service
+from mcpgateway.services.encryption_service import get_encryption_service
 from mcpgateway.services.export_service import ExportError, ExportService
 from mcpgateway.services.gateway_service import GatewayConnectionError, GatewayNameConflictError, GatewayNotFoundError, GatewayService, GatewayUrlConflictError
 from mcpgateway.services.import_service import ConflictStrategy
@@ -113,7 +114,6 @@
 from mcpgateway.utils.create_jwt_token import create_jwt_token, get_jwt_token
 from mcpgateway.utils.error_formatter import ErrorFormatter
 from mcpgateway.utils.metadata_capture import MetadataCapture
-from mcpgateway.utils.oauth_encryption import get_oauth_encryption
 from mcpgateway.utils.pagination import generate_pagination_links
 from mcpgateway.utils.passthrough_headers import PassthroughHeadersError
 from mcpgateway.utils.retry_manager import ResilientHttpClient
@@ -6194,7 +6194,7 @@ async def admin_add_gateway(request: Request, db: Session = Depends(get_db), use
                 oauth_config = json.loads(oauth_config_json)
                 # Encrypt the client secret if present
                 if oauth_config and "client_secret" in oauth_config:
-                    encryption = get_oauth_encryption(settings.auth_encryption_secret)
+                    encryption = get_encryption_service(settings.auth_encryption_secret)
                     oauth_config["client_secret"] = encryption.encrypt_secret(oauth_config["client_secret"])
             except (json.JSONDecodeError, ValueError) as e:
                 LOGGER.error(f"Failed to parse OAuth config: {e}")
@@ -6231,7 +6231,7 @@ async def admin_add_gateway(request: Request, db: Session = Depends(get_db), use
                     oauth_config["client_id"] = oauth_client_id
                 if oauth_client_secret:
                     # Encrypt the client secret
-                    encryption = get_oauth_encryption(settings.auth_encryption_secret)
+                    encryption = get_encryption_service(settings.auth_encryption_secret)
                     oauth_config["client_secret"] = encryption.encrypt_secret(oauth_client_secret)
 
                 # Add username and password for password grant type
@@ -6503,7 +6503,7 @@ async def admin_edit_gateway(
                 oauth_config = json.loads(oauth_config_json)
                 # Encrypt the client secret if present and not empty
                 if oauth_config and "client_secret" in oauth_config and oauth_config["client_secret"]:
-                    encryption = get_oauth_encryption(settings.auth_encryption_secret)
+                    encryption = get_encryption_service(settings.auth_encryption_secret)
                     oauth_config["client_secret"] = encryption.encrypt_secret(oauth_config["client_secret"])
             except (json.JSONDecodeError, ValueError) as e:
                 LOGGER.error(f"Failed to parse OAuth config: {e}")
@@ -6540,7 +6540,7 @@ async def admin_edit_gateway(
                     oauth_config["client_id"] = oauth_client_id
                 if oauth_client_secret:
                     # Encrypt the client secret
-                    encryption = get_oauth_encryption(settings.auth_encryption_secret)
+                    encryption = get_encryption_service(settings.auth_encryption_secret)
                     oauth_config["client_secret"] = encryption.encrypt_secret(oauth_client_secret)
 
                 # Add username and password for password grant type
@@ -9571,7 +9571,7 @@ async def admin_add_a2a_agent(
                 oauth_config = json.loads(oauth_config_json)
                 # Encrypt the client secret if present
                 if oauth_config and "client_secret" in oauth_config:
-                    encryption = get_oauth_encryption(settings.auth_encryption_secret)
+                    encryption = get_encryption_service(settings.auth_encryption_secret)
                     oauth_config["client_secret"] = encryption.encrypt_secret(oauth_config["client_secret"])
             except (json.JSONDecodeError, ValueError) as e:
                 LOGGER.error(f"Failed to parse OAuth config: {e}")
@@ -9608,7 +9608,7 @@ async def admin_add_a2a_agent(
                     oauth_config["client_id"] = oauth_client_id
                 if oauth_client_secret:
                     # Encrypt the client secret
-                    encryption = get_oauth_encryption(settings.auth_encryption_secret)
+                    encryption = get_encryption_service(settings.auth_encryption_secret)
                     oauth_config["client_secret"] = encryption.encrypt_secret(oauth_client_secret)
 
                 # Add username and password for password grant type
@@ -9890,7 +9890,7 @@ async def admin_edit_a2a_agent(
                 oauth_config = json.loads(oauth_config_json)
                 # Encrypt the client secret if present and not empty
                 if oauth_config and "client_secret" in oauth_config and oauth_config["client_secret"]:
-                    encryption = get_oauth_encryption(settings.auth_encryption_secret)
+                    encryption = get_encryption_service(settings.auth_encryption_secret)
                     oauth_config["client_secret"] = encryption.encrypt_secret(oauth_config["client_secret"])
             except (json.JSONDecodeError, ValueError) as e:
                 LOGGER.error(f"Failed to parse OAuth config: {e}")
@@ -9927,7 +9927,7 @@ async def admin_edit_a2a_agent(
                     oauth_config["client_id"] = oauth_client_id
                 if oauth_client_secret:
                     # Encrypt the client secret
-                    encryption = get_oauth_encryption(settings.auth_encryption_secret)
+                    encryption = get_encryption_service(settings.auth_encryption_secret)
                     oauth_config["client_secret"] = encryption.encrypt_secret(oauth_client_secret)
 
                 # Add username and password for password grant type