Issue Summary

Starting in Jira 10.2.0, secrets are now encrypted in Jira's secret storage (Jira Software 10.2.x release notes). This includes the following for DVCS:

• OAuth client ID and secret
• Access token
• Webhook secret
• Username and password

A cache stores the DVCS accounts/organization (30-minute TTL), which pulls all entries from the AO_E8B6CC_ORGANIZATION_MAPPING database table. During cache loading, raw data is parsed, and encrypted secrets are decrypted. However, a warning message is logged 2-3 times for each organization:

[c.a.j.p.dvcs.crypto.SecretStoreEncryptor] Decryption skipped: secretIdentifier is null or empty.

This is due to the ADMIN_USERNAME, ADMIN_PASSWORD, and TOKEN_ID columns being null in the database. Basic auth (username/password) is deprecated, and three-legged OAuth 2.0 tokens are only used for GitLab. For Jira instances with hundreds of DVCS organizations, this will generate 1000s of spam log messages per day.

Steps to Reproduce

1. Install Jira 10.2.0 or later.
2. Add at least one DVCS organization.
3. Refresh the organization cache by:
   • Waiting 30 minutes and accessing the DVCS accounts page.
   • Waiting 30 minutes and loading any page with the standard header (Bitbucket Cloud NavLinks integration).
   • Updating one of the organization's settings.

Expected Results

A reasonable amount of logs is produced.

Actual Results

The following message is logged 2-3 times per organization:

[c.a.j.p.dvcs.crypto.SecretStoreEncryptor] Decryption skipped: secretIdentifier is null or empty.

Workaround

Suppress this particular logger in the log4j2.xml (Change logging levels in Jira Data Center) and perform a rolling restart:

<!-- Workaround for https://jira.atlassian.com/browse/JSWSERVER-26456 -->
<Logger name="com.atlassian.jira.plugins.dvcs.crypto.SecretStoreEncryptor" level="ERROR" additivity="false">
    <AppenderRef ref="filelog"/>
</Logger>