Refactor secrets manager approach for easier generalisability

This change has a potentially negative impact on the use of AWS Secrets Manager, in that it is no-longer possible to specify a different ARN or secret ID per account in the proxy's configuration file; instead, a command-line parameter (`--cache-store`) is introduced to specify a cache location (either an existing ARN or a new secret name (that must start with `aws_emailproxy@`)). However, there are several benefits to the new approach, including its generally simpler structure, and the fact that the cache location can now be redirected more easily to, for example, a local temporary file, or (with further development) any other secret management platform that can accept a JSON object.

Author: simonrob

README.md

@@ -92,6 +92,10 @@ Please note also that while authentication links can be processed from anywhere,
 - `--config-file` allows you to specify the location of a [configuration file](emailproxy.config) that the proxy should load.
 If this argument is not provided, the proxy will look for `emailproxy.config` in the same directory as the script itself.
 
+- `--cache-store` is used to provide a separate location in which to cache authorised OAuth 2.0 tokens.
+The value of this argument can either be the full path to a local file or, if the extra requirements are installed (via `python -m pip install -r requirements-aws-secrets.txt`), an [AWS Secrets Manager](https://aws.amazon.com/secrets-manager/) name that begins with `aws_emailproxy@` or a full ARN.
+If this argument is not provided, credentials will be cached in the proxy's configuration file.
+
 - `--log-file` allows you to specify the location of a file to send log output to.
 Log files are rotated at 32MB and 10 older log files are kept.
 This option overrides the proxy's default behaviour, which varies by platform (see [below](#troubleshooting) for details).

emailproxy.config

@@ -196,6 +196,8 @@ documentation = The parameters below control advanced options for the proxy. In
 	may gain access to the proxy's configuration file, set `encrypt_client_secret_on_first_use` to True and the proxy
 	will replace the `client_secret` value with a new property `client_secret_encrypted` at the next token refresh. Note
 	that this option is not compatible with `allow_catch_all_accounts` unless all accounts use the same login password.
+	In addition, if you are using the proxy's `--cache-store` parameter you will need to manually remove unencrypted
+	secrets from this configuration file after the encrypted secret has been created (i.e., it will not be automatic).
 
 	- allow_catch_all_accounts (default = False): The default behaviour of the proxy is to require a full separate
 	configuration file entry for each account. However, when proxying multiple accounts from the same domain it can be