MQ: feat(security): periodic job to encrypt plaintext passwords in user_ table (#35767)
## Proposed Changes
Adds **EncryptPlainPasswordsJob** — a Quartz StatefulJob that runs
every 5 minutes, scans the user_ table for rows whose
passwordEncrypted flag is false, hashes the cleartext value via
PasswordFactoryProxy.generateHash, and flips the flag to true.
Defense-in-depth against any code path that lands a plaintext password
in user_.password_ — migrations, bulk imports, manual SQL r...
#2988
Workflow file for this run
# Merge-queue gate: runs when a merge group requests checks and chains four
# reusable workflows (initialize -> build -> test -> finalize).
#
# The reusable workflows are referenced by local path (./.github/workflows/...),
# so they are taken from this repository rather than from a third-party ref.
#
# NOTE(review): no workflow-level `permissions:` is set. Only the `build` job
# declares one; the other jobs fall back to the repository/organization default
# GITHUB_TOKEN scope. Consider an explicit least-privilege default here once the
# needs of the called workflows are confirmed.
name: '-2 Merge Group Check'

# Display title for the run. The head commit message is contributor-controlled
# text; in this file it is only interpolated into this title, not into a shell
# `run:` step.
run-name: 'MQ: ${{ github.event.merge_group.head_commit.message }}'

on:
  merge_group:
    types: [checks_requested]
    branches: [main, master]

jobs:
  initialize:
    name: Initialize
    uses: ./.github/workflows/cicd_comp_initialize-phase.yml
    # Uses path-based filtering to skip integration/postman/karate tests for frontend-only changes
    # See ADR-0013: https://github.com/dotCMS/platform-adrs/pull/53
    with:
      change-detection: 'enabled'

  build:
    name: Merge Group Build
    needs: [initialize]
    # Build only when initialize reports that no artifacts were found.
    if: needs.initialize.outputs.found_artifacts == 'false'
    uses: ./.github/workflows/cicd_comp_build-phase.yml
    # The only job with an explicit token scope.
    # presumably `packages: write` lets the build phase publish packages;
    # confirm against cicd_comp_build-phase.yml
    permissions:
      contents: read
      packages: write

  test:
    name: Merge Group Test
    needs: [initialize, build]
    # `always()` keeps this job from being skipped when `build` was skipped by
    # its own condition; `!failure() && !cancelled()` still stops it when an
    # upstream job failed or the run was cancelled.
    if: always() && !failure() && !cancelled()
    uses: ./.github/workflows/cicd_comp_test-phase.yml
    # Each suite is switched on from the `filters` output of initialize;
    # `cli` also runs for backend changes, and `e2e` is always off here.
    with:
      jvm_unit_test: ${{ fromJSON(needs.initialize.outputs.filters).jvm_unit_test == 'true' }}
      integration: ${{ fromJSON(needs.initialize.outputs.filters).backend == 'true' }}
      postman: ${{ fromJSON(needs.initialize.outputs.filters).backend == 'true' }}
      karate: ${{ fromJSON(needs.initialize.outputs.filters).backend == 'true' }}
      frontend: ${{ fromJSON(needs.initialize.outputs.filters).frontend == 'true' }}
      cli: ${{ fromJSON(needs.initialize.outputs.filters).cli == 'true' || fromJSON(needs.initialize.outputs.filters).backend == 'true' }}
      e2e: false
    # Explicit mapping: only this one secret is handed to the called workflow
    # (no `secrets: inherit`).
    secrets:
      DOTCMS_LICENSE: ${{ secrets.DOTCMS_LICENSE }}

  finalize:
    name: Finalize
    # Runs whatever the outcome of `test`.
    if: always()
    needs: [test]
    uses: ./.github/workflows/cicd_comp_finalize-phase.yml
    with:
      # Serialized `needs` context: result and outputs of the jobs listed in
      # `needs` (here only `test`).
      needsData: ${{ toJson(needs) }}