- Bug
- Resolution: Fixed
- Highest
- 9.1.0, 9.2.1, 9.0.4, 8.2.9
- 2
- Severity 1 - Critical
Problem
When exporting a Bamboo configuration, the resulting zip file contains clear-text passwords in db-export/directories.xml. This is a security issue and also breaks the import, which fails with the following error:
2023-05-22 15:18:52,590 INFO [main] [SecretEncryptionServiceImpl] Can't decrypt data. It's possible data was encrypted by different cipher. Run Bamboo with system property -Dbamboo.security.decryption.ignore.errors=true to ignore this error
2023-05-22 15:18:52,600 FATAL [main] [BambooContainer] Cannot start Bamboo
java.lang.IllegalStateException: Could not transition server from 'SETUP' to 'STARTING'
...
Caused by: com.google.common.util.concurrent.UncheckedExecutionException: java.lang.IllegalArgumentException: Unknown encrypted data format: [charlie]
Environment
Bamboo 9.1+ (possibly 9.0 and earlier)
Steps to Reproduce
- Export a Bamboo configuration
- Import it on a new instance
- Observe the "Can't decrypt data" error
Expected Results
- Export should work
- Import should work
- Exported data should be encrypted
Actual Results
- Export works
- Import breaks
- Exported data is not encrypted
Workaround
- After exporting the zip configuration, run the following SQL statement to capture the encrypted DB string on the original Bamboo DB:
SELECT * FROM CWD_DIRECTORY_ATTRIBUTE;
- Alternatively, if you'd rather not access the DB, go to the Bamboo top menu >> Specs >> Bamboo Specs encryption, paste the clear-text LDAP password and submit it to obtain the equivalent encrypted string
- Extract the exported zip, edit the db-export/directories.xml file and replace the value of every attribute whose name is application.password with the encrypted content returned by the SQL query (it starts with BAMSCRT@)
- Zip the exported contents again, keeping the same folder structure
- Start the import process
If the export has already been imported, replace the application.password row in the new DB with the same encrypted content from the old DB instance and then restart Bamboo.
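To confirm that an export (original or repackaged) no longer carries clear-text values before it is stored or imported, a check along these lines can be run against the zip. This is an added example, not Atlassian's code. The XML layout is an assumption (each directory attribute is one element whose `name` and `value` are XML attributes or child elements), and the sample export is constructed.

```python
import io
import sys
import zipfile
import xml.etree.ElementTree as ET

EXPORT_MEMBER = "db-export/directories.xml"  # file named in the ticket
SECRET_NAME = "application.password"         # attribute name from the ticket
ENCRYPTED_PREFIX = "BAMSCRT@"                # encrypted values start with this


def audit_export(source):
    """Return (total, cleartext) counts of application.password values.

    source is a path or file object for the exported zip. Assumed layout:
    each directory attribute is one element whose "name" and "value" are
    either XML attributes or child elements with those tags.
    """
    with zipfile.ZipFile(source) as zf:
        root = ET.fromstring(zf.read(EXPORT_MEMBER))
    total = cleartext = 0
    for elem in root.iter():
        fields = dict(elem.attrib)
        fields.update({c.tag: (c.text or "").strip() for c in elem})
        if fields.get("name") != SECRET_NAME:
            continue
        total += 1
        if not fields.get("value", "").startswith(ENCRYPTED_PREFIX):
            cleartext += 1  # count only; never echo the secret itself
    return total, cleartext


def build_sample_export():
    """Constructed sample zip (not a real Bamboo export) with one leak."""
    xml = (
        "<directories>"
        '<attribute name="application.password" value="BAMSCRT@constructed"/>'
        "<attribute><name>application.password</name>"
        "<value>charlie</value></attribute>"
        '<attribute name="ldap.url" value="ldap://ldap.example.test"/>'
        "</directories>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(EXPORT_MEMBER, xml)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    source = sys.argv[1] if len(sys.argv) > 1 else build_sample_export()
    total, cleartext = audit_export(source)
    print(f"{cleartext} of {total} {SECRET_NAME} values are not encrypted")
    sys.exit(1 if cleartext else 0)
```

Run with the path to an exported zip as the only argument; a non-zero exit status means at least one value lacks the BAMSCRT@ prefix.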
Notes
The fix for this bug has created a regression that is fixed by BAM-22440: Bamboo cannot import encrypted strings via Exported zip. Please check the workaround section from that ticket for instructions.