Jira Data Center: JRASERVER-75777

External directory credential still showing as plain text on the Jira database although the feature is configured to have encrypted password


Details

    • Bug
    • Resolution: Unresolved
    • Low
    • None
    • 8.14.0, 8.20.0, 9.4.0, 9.8.0
    • None

    Description

      Issue Summary

      On Jira 8.14.0 the Embedded Crowd and password encryption feature was introduced to resolve JRASERVER-45612.

      There are cases where the feature is enabled and expected to encrypt the password, but the password is still stored in plain text in the database.

      Once in this situation, Jira does not detect that the password is in plain text and does not try to encrypt it.
      The connection to the external directory still works.
      The only problem is that the Jira admin might believe the password is stored encrypted in the DB when it isn't.

      We were not able to identify why the password ends up in plain text, but we were able to reproduce the state by manually changing it in the database, and Jira does not detect this condition.

      It's important to call out this is not related to user credentials.

      Steps to Reproduce

      1. Install a vanilla instance of Jira 8.13.0 and configure it to connect to an external directory (e.g. an external Crowd).
        • This step only serves to confirm that the upgrade task runs properly in the subsequent step.
        • The test was conducted with an external Crowd DC on version 5.1.2.
      2. Ensure the credential to Crowd is stored in plain text in the Jira database – this is expected on Jira 8.13.
        • One can run the following SQL query on the Jira DB:
          select cd.directory_name, cda.*
          from cwd_directory_attribute cda
          join cwd_directory cd on cd.id = cda.directory_id
          where cda.attribute_name = 'application.password';

      3. Upgrade Jira to the latest version.
        • The latest version when recreating the bug was 9.8.0.
      4. Confirm the password is now encrypted on the database.
      5. Manually change the password back to its plain text version:
        update cwd_directory_attribute
        set attribute_value = 'jira980'
        where directory_id = 10000
          and attribute_name = 'application.password';
        • This is just an example to show that the undesired state may remain indefinitely.
      6. Restart Jira so the in-memory cache is rebuilt from scratch.

      Expected Results

      Jira would detect that the external directory credential is expected to be encrypted in the database but isn't.
      It would then either automatically encrypt the password and update the entry in the database, or fail to connect to the external user directory.

      Actual Results

      Although the product is configured to have the directory credentials encrypted in the database, once the password is in plain text in the database, it will remain that way without the Jira admin knowing about it.

      During the startup sequence, the logged configuration shows that Jira is using the expected encryption:

        crowd.encryption.encryptor.AES.keyPath        : KEY_DIR/javax.crypto.spec.SecretKeySpec_1684344041114
        crowd.encryption.encryptor.default            : AES_CBC_PKCS5Padding

      Checking the password in the database, it would remain in plain text.

      Besides this undesired state, connection to the external user directory would continue to work.

      Workaround

      Once this condition is identified, the Jira admin can run the following procedure to encrypt the password again.

      1. Authenticate to Jira with an admin account from the Internal Directory.
      2. Go to User management > User Directories and click on Edit on the target user directory.
      3. Reapply the password.
      4. Click on Test settings and then on Save and test.
      5. Confirm in the database that the password now starts with the pattern below:
        {AES_CBC_PKCS5Padding}{"keyFilePath":"KEY_DIR
        • One can run the following SQL query to confirm it:
          select cd.directory_name, cda.*
          from cwd_directory_attribute cda
          join cwd_directory cd on cd.id = cda.directory_id
          where cda.attribute_name = 'application.password';
      6. Confirm authentication with a user from the external directory works as expected.
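      The query below is an added example and is not part of the original issue. It turns the check from the Actual Results and from step 5 of the workaround into a single report: for every directory it classifies the stored application.password as encrypted (value starts with the {AES_CBC_PKCS5Padding}{ prefix shown above) or as plain text / unexpected format, without printing the credential itself. It assumes the same tables and column names used in the issue's own queries, and that AES_CBC_PKCS5Padding is the configured default encryptor (a different encryptor would write a different prefix, so adjust the pattern accordingly).

      ```sql
      -- Added example (not from the issue): report the storage state of every
      -- external directory credential without exposing its value.
      -- Assumes the cwd_directory / cwd_directory_attribute schema and the
      -- {AES_CBC_PKCS5Padding}{ prefix shown in the issue text.
      select cd.id                  as directory_id,
             cd.directory_name,
             cda.attribute_name,
             case
               when cda.attribute_value like '{AES_CBC_PKCS5Padding}{%' then 'encrypted'
               when cda.attribute_value like '{%}{%'                    then 'encrypted (other encryptor)'
               else                                                          'PLAIN TEXT - apply workaround'
             end                   as storage_state
      from cwd_directory_attribute cda
      join cwd_directory cd on cd.id = cda.directory_id
      where cda.attribute_name = 'application.password'
      order by storage_state, cd.directory_name;
      ```

      Any row reporting PLAIN TEXT identifies the directory_id to reapply the password on (workaround steps 2 to 4); rerun the query afterwards and all rows should report encrypted. Because Jira caches directory configuration in memory, compare the database state after a restart (as in step 6 of the reproduction), not only immediately after saving.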

      Attachments

        1. screenshot-1.png
          screenshot-1.png
          128 kB
        2. screenshot-2.png
          screenshot-2.png
          136 kB

        People

          Assignee: Unassigned
          Reporter: Thiago Masutti (tmasutti)
          Votes: 0
          Watchers: 3