feat: encrypt plugin secrets at rest (#1639)

[Abhishek9639]

Closes #1639

Description

Plugin secrets (API keys, tokens, passwords) stored in PluginConfig.value were previously saved as plaintext in the database. This PR adds Fernet symmetric encryption so that secrets are encrypted at rest, preventing data leakage if the database is compromised.

Type of change

1. [intel_owl/settings/security.py]- Added PLUGIN_CONFIG_FERNET_KEY derived from PLUGIN_CONFIG_SECRET_KEY env var (falls back to SECRET_KEY).
2. [api_app/models.py]- Added [_encrypt_value()] / [_decrypt_value()] static methods and overridden [save()] to auto-encrypt secret values.
3. [api_app/classes.py]- Updated Plugin.config() to decrypt secrets at runtime before plugin use.
4. [api_app/migrations/0073_encrypt_plugin_config_secrets.py]- Reversible data migration to encrypt all existing plaintext secrets.
5. [requirements/project-requirements.txt]- Added cryptography==46.0.0.
6. [tests/api_app/test_plugin_config_encryption.py]- 6 unit tests covering encryption, decryption, round-trip, double-encryption prevention and non-secret values.

How it works

1. On [save()] if the parameter is marked [is_secret] the value is serialized to JSON and encrypted with Fernet.
2. A startswith("gAAAAA") guard prevents double-encryption.
3. At runtime, Plugin.config() detects encrypted values and decrypts them before passing to the plugin.
4. Non-secret values are completely unaffected.

Testing

• All 6 new encryption tests pass.
• Existing PluginConfigTestCase tests pass (no regressions).
• Verified in local browser: secrets saved via UI are stored as encrypted gAAAAA... tokens in DB.

Checklist

• I have read and understood the rules about how to Contribute to this project.
• The pull request is for the branch develop.

[Abhishek9639]

Greetings @mlodic,
I have implemented encryption for plugin secrets at rest as discussed in #1639. I used Fernet (symmetric encryption) from the cryptography library to encrypt secret values in PluginConfig when saving and they are decrypted at runtime when needed by plugins. I also added a migration to encrypt any existing plaintext secrets. All tests are passing.
Would really appreciate it if you could take a look when you have time.
If any changes are needed, please let me know. I’ll make them.
Thanks

DB Proof- Secrets Are Encrypted at Rest

Secret configs in DB: 2
param=api_key_name
encrypted=True
stored value=gAAAAABpwZTWSPcb1eafQ9mI8ZNNGLjDtrMn7LyQVY0m_ucDho216ki00a...

param=url_key_name
encrypted=True
stored value=gAAAAABpwZTXUgJDiFL7RJAFEAW9JbfDqAfUQAOWVeduYhd13FQ4uivd5I...

my.pr.video.mp4

[mlodic]

this is a quite critical change, I'll need time to review it properly

[Abhishek9639]

Thank you @mlodic,
Sure take your time. I am available if you have any questions or need any changes.

[github-actions]

This pull request has been marked as stale because it has had no activity for 10 days. If you are still working on this, please provide some updates or it will be closed in 5 days.

[Abhishek9639]

Greetings @mlodic,
Sure, take your time no rush. Just commenting here to keep the PR active. Let me know if you need any changes.
Thanks

[mlodic]

I'll review it after the release and eventually include in the next major. I've added the tag to keep it open

[Abhishek9639]

Ok @mlodic,
Thanks for adding the tag.