Problem

After recent changes introduced by BAM-22252: Export feature adds clear text password to the directories configuration on the zip file - Import fails with "Can't decrypt data", a regression makes Bamboo fail to import an exported configuration due to unavailable cipher key pairs in the DB and filesystem.

Environment

• Bamboo 9.3.0, 9.2.3, 9.1.3, 9.0.5

Steps to Reproduce

1. Create an export file with encrypted strings (passwords)
2. Try to import it on the same version it was exported

Expected Results

• The import process should succeed

Actual Results

• The import fails with the following error:

  2023-08-01 18:46:32,059 INFO [http-nio-8085-exec-23] [SecretEncryptionServiceImpl] Can't decrypt data. It's possible data was encrypted by different cipher. Run Bamboo with system property -Dbamboo.security.decryption.ignore.errors=true to ignore this error
  2023-08-01 18:46:32,062 WARN [http-nio-8085-exec-23] [BambooStAXListImportStrategy$4$1] Exception during processing crowdMemberships.membership #28
  com.google.common.util.concurrent.UncheckedExecutionException: java.lang.RuntimeException: org.bouncycastle.crypto.InvalidCipherTextException: pad block corrupted
  	at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2055) ~[guava-31.0.1-jre.jar:?]
  	at com.google.common.cache.LocalCache.get(LocalCache.java:3966) ~[guava-31.0.1-jre.jar:?]
  	at com.google.common.cache.LocalCache$LocalManualCache.get(LocalCache.java:4863) ~[guava-31.0.1-jre.jar:?]
  

Workaround

1. Stop Bamboo
2. Modify the applicationContextMigration.xml file and move the bandanaItemMapper bean to the top of the importers property:
   <bamboo-install>/atlassian-bamboo/WEB-INF/classes/applicationContextMigration.xml

   ...
           <property name="importers">
             <list>
               <ref bean="bandanaItemMapper" />
               <ref bean="idGeneratorMapper" />
               <ref bean="directoryMapper"/>
               <ref bean="crowdUserMapper"/>
               <ref bean="crowdGroupMapper"/>
               <ref bean="membershipMapper"/>
               <ref bean="applicationMapper"/>
               <ref bean="aliasMapper"/>
               <ref bean="localUserMapper"/>
   ...
   

3. Extract the exported zip file to a temporary location and have its configuration/cipher/cipher.key_0 ready to be copied to the Bamboo Home folder
4. Clean the database and <bamboo-home> contents
5. Create the following script, adapt it and execute it as the Bamboo service account. The script should be left running on a separate terminal window
   copy-cipher.sh

   #!/bin/bash
   #
   # This script must be executed as the same user as the Bamboo service.
   #
   # It will create a file on the BAMBOO_HOME and wait for it to be deleted
   # by the import process.
   #
   # Run this script on a new window before starting the importing process in Bamboo
   # via the "Import data" menu.
   #
   # Once the file is deleted by the Bamboo cleanup process, the script will copy the cipher key
   # back to its location before the import process kicks in.
   #
   # It requires inotifywait from the inotify-tools package.
   #
   BAMBOO_HOME="/var/atlassian/application-data/bamboo"
   BAMBOO_USER="bamboo"
   BAMBOO_GROUP="bamboo"
   INSTALL="install -o ${BAMBOO_USER} -g ${BAMBOO_GROUP}"
   CIPHER_FILE="/tmp/cipher.key_0"
   
   [ ! -f ${BAMBOO_HOME}/shared/configuration/cipher/cipher.key_0 ] && \
     ${INSTALL} -m 0755 -d ${BAMBOO_HOME}/shared/configuration ; 
     touch ${BAMBOO_HOME}/shared/configuration/wait.txt && \
     inotifywait --event delete ${BAMBOO_HOME}/shared/configuration/wait.txt \
     || ${INSTALL} -m 02750 -d ${BAMBOO_HOME}/shared/configuration/cipher && \
        ${INSTALL} -m 0640 ${CIPHER_FILE} ${BAMBOO_HOME}/shared/configuration/cipher/cipher.key_0
   

6. Start Bamboo and follow the menus to import the file again
7. It should work normally

Notes