[GH-14] Add at-rest encryption for OAuth2 token

[larkox]

Summary

Add at-rest encryption for OAuth2 token

Ticket Link

Fix #14

[codecov-commenter]

Codecov Report

Merging #143 into master will decrease coverage by 0.01%.
The diff coverage is 22.78%.

@@            Coverage Diff             @@
##           master     #143      +/-   ##
==========================================
- Coverage   24.22%   24.20%   -0.02%     
==========================================
  Files          66       67       +1     
  Lines        2634     2702      +68     
==========================================
+ Hits          638      654      +16     
- Misses       1916     1964      +48     
- Partials       80       84       +4     

Impacted Files	Coverage Δ
server/mscalendar/client.go	20.00% <0.00%> (-8.58%)	⬇️
server/mscalendar/user.go	17.00% <0.00%> (-0.18%)	⬇️
server/utils/encryption.go	0.00% <0.00%> (ø)
server/mscalendar/notification.go	52.09% <50.00%> (-0.20%)	⬇️
server/mscalendar/oauth2.go	81.48% <72.72%> (-3.52%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 8e4fd89...7c3b1f1. Read the comment docs.

[mickmister]

LGTM 👍

[levb]

Do we really need to QA this one, other than the general Oauth2/use regression?

[larkox]

Use and regression is all I can think about. Proper behavior on upgrade could also be necessary, but since we still do not have any release out, I think it is not necessary.

[DHaussermann]

@larkox when I deploy this, I can no longer run connect or disconnect command. Error log shows

{"level":"debug","ts":1590523742.088871,"caller":"web/handlers.go:89","msg":"Received HTTP request","method":"POST","url":"/api/v4/commands/execute","request_id":"bfitqmz44ifkbem5q7tkzai99w"}
{"level":"error","ts":1590523742.0895622,"caller":"mlog/sugar.go:23","msg":"token encryption key not generated","plugin_id":"com.mattermost.mscalendar"}
{"level":"error","ts":1590523742.089841,"caller":"mlog/log.go:175","msg":"Unable to execute command.","path":"/api/v4/commands/execute","request_id":"bfitqmz44ifkbem5q7tkzai99w","ip_addr":"74.15.49.102","user_id":"ri814hfoubngxp8e838raoxxsw","method":"POST","err_where":"mscalendarplugin.ExecuteCommand","http_code":500,"err_details":"token encryption key not generated"}

Please advise on any next steps for investigation.

[DHaussermann]

@larkox disregard previous comment At Rest Token Encryption Key was missing.
Regarding the testing:

• Tested disconnect and connect with multiple users.
• Functional testing found nor regreassions
  However for the test user where I watched the KV store I did not see a change in access_token
  is there a way to validate the current value is properly encrypted?

[larkox]

This should do the trick:
https://play.golang.org/p/67MSocnXQn9
I put there the decryption code. You have to fill the key and the "message to decrypt" and hit run. If it is something that has not been encrypted before, it should not work. Therefore, if what is stored in the KVStore passes the decryption, it should be fine. If you need any more guidance, feel free to ask.

[DHaussermann]

Tested and passed

• Tested disconnect and connect with multiple users.
• Functional testing found nor regressions and plugin works as expected when changing encryption key
• Confirmed access_token is properly encrypted.