feat(security): periodic job to encrypt plaintext passwords in user_ table (#35767)

wezell · claude · web-flow · commit 3139ad7f42b9 · 2026-05-21T17:56:49.000Z
## Proposed Changes Adds **`EncryptPlainPasswordsJob`** — a Quartz `StatefulJob` that runs every 5 minutes, scans the `user_` table for rows whose `passwordEncrypted` flag is `false`, hashes the cleartext value via `PasswordFactoryProxy.generateHash`, and flips the flag to `true`. Defense-in-depth against any code path that lands a plaintext password in `user_.password_` — migrations, bulk imports, manual SQL recovery, or older code that set the password without the encrypted flag. Once the job ticks, the row is hashed using the same utility as the rest of the platform, so existing login (`authPassword`) continues to work transparently. ## Files Touched | File | Change | | --- | --- | | `dotCMS/src/main/java/com/dotmarketing/quartz/job/EncryptPlainPasswordsJob.java` | **New.** `StatefulJob` implementation. | | `dotCMS/src/main/java/com/dotmarketing/init/DotInitScheduler.java` | Registers the new job (mirrors `FreeServerFromClusterJob` pattern). | | `dotcms-integration/src/test/java/com/dotmarketing/quartz/job/EncryptPlainPasswordsJobTest.java` | **New.** Five integration tests. | ## Configuration | Property | Default | Effect | | --- | --- | --- | | `ENABLE_ENCRYPT_PLAIN_PASSWORDS_JOB` | `true` | Kill switch. Checked at startup (job not scheduled if `false`) **and** at every firing — flip at runtime without a restart. | | `ENCRYPT_PLAIN_PASSWORDS_CRON_EXPRESSION` | `0 0/5 * * * ?` | Standard Quartz cron. | ## Why a periodic job rather than a one-off migration The risk of a fresh plaintext row landing in `user_` is non-zero on a live system (admin tooling, recovery scripts, bulk imports that bypass `UserAPI`). A standing sweep catches them within one minute regardless of how they got there. The query is cheap: `passwordEncrypted = false` is an extremely selective predicate, so in steady state the job does an index/sequential check that finds zero rows and returns immediately. A partial index `CREATE INDEX ... ON user_ (userId) WHERE passwordEncrypted = false` would be the right escalation if perf ever becomes a concern, but is unnecessary today. ## Test Plan Integration tests (`EncryptPlainPasswordsJobTest`): - [x] **Happy path** — plaintext row gets hashed; `authPassword(plaintext, storedHash)` returns `AUTHENTICATED`. - [x] **Already encrypted row** — left untouched (no double-hashing). - [x] **Null password** — skipped (no UPDATE issued). - [x] **Multiple rows** — all hashed in a single pass. - [x] **Disabled flag** — `ENABLE_ENCRYPT_PLAIN_PASSWORDS_JOB=false` makes the firing a no-op. Run locally: ```bash ./mvnw verify -pl :dotcms-integration -Dcoreit.test.skip=false -Dit.test=EncryptPlainPasswordsJobTest ``` ## Rollback safety Pure additive — new class, new scheduler registration, new test. No schema change, no API contract change, no frontend touched. If anything misbehaves in production, flip `ENABLE_ENCRYPT_PLAIN_PASSWORDS_JOB=false` and the job becomes a no-op immediately; revert the commit for a full backout. Refs #35766 🤖 Generated with [Claude Code](https://claude.com/claude-code) --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
diff --git a/dotCMS/src/main/java/com/dotmarketing/init/DotInitScheduler.java b/dotCMS/src/main/java/com/dotmarketing/init/DotInitScheduler.java
@@ -16,6 +16,7 @@
 import com.dotmarketing.quartz.job.DeleteInactiveLiveWorkingIndicesJob;
 import com.dotmarketing.quartz.job.DeleteSiteSearchIndicesJob;
 import com.dotmarketing.quartz.job.DropOldContentVersionsJob;
+import com.dotmarketing.quartz.job.EncryptPlainPasswordsJob;
 import com.dotmarketing.quartz.job.FreeServerFromClusterJob;
 import com.dotmarketing.quartz.job.PruneTimeMachineBackupJob;
 import com.dotmarketing.quartz.job.ServerHeartbeatJob;
@@ -301,6 +302,50 @@ public static void start() throws Exception {
                 }
             }
 
+            //Schedule EncryptPlainPasswordsJob
+            final String EPPjobName = "EncryptPlainPasswordsJob";
+            final String EPPjobGroup = DOTCMS_JOB_GROUP_NAME;
+            final String EPPtriggerName = "trigger27";
+            final String EPPtriggerGroup = "group27";
+
+            if (EncryptPlainPasswordsJob.isEnabled()) {
+                try {
+                    isNew = false;
+
+                    try {
+                        if ((job = sched.getJobDetail(EPPjobName, EPPjobGroup)) == null) {
+                            job = new JobDetail(EPPjobName, EPPjobGroup, EncryptPlainPasswordsJob.class);
+                            isNew = true;
+                        }
+                    } catch (SchedulerException se) {
+                        sched.deleteJob(EPPjobName, EPPjobGroup);
+                        job = new JobDetail(EPPjobName, EPPjobGroup, EncryptPlainPasswordsJob.class);
+                        isNew = true;
+                    }
+                    calendar = Calendar.getInstance();
+                    calendar.add(Calendar.MINUTE, 1);
+                    // By default, the job runs every minute
+                    trigger = new CronTrigger(EPPtriggerName, EPPtriggerGroup, EPPjobName, EPPjobGroup,
+                            calendar.getTime(), null,
+                            Config.getStringProperty(EncryptPlainPasswordsJob.CRON_PROPERTY,
+                                    EncryptPlainPasswordsJob.DEFAULT_CRON_EXPRESSION));
+                    trigger.setMisfireInstruction(CronTrigger.MISFIRE_INSTRUCTION_DO_NOTHING);
+                    sched.addJob(job, true);
+
+                    if (isNew) {
+                        sched.scheduleJob(trigger);
+                    } else {
+                        sched.rescheduleJob(EPPtriggerName, EPPtriggerGroup, trigger);
+                    }
+                } catch (Exception e) {
+                    Logger.error(DotInitScheduler.class, e.getMessage(), e);
+                }
+            } else {
+                if ((sched.getJobDetail(EPPjobName, EPPjobGroup)) != null) {
+                    sched.deleteJob(EPPjobName, EPPjobGroup);
+                }
+            }
+
 			addDropOldContentVersionsJob();
 			if ( !Config.getBooleanProperty(DOTCMS_DISABLE_WEBSOCKET_PROTOCOL, false) ) {
 				// Enabling the System Events Job
diff --git a/dotCMS/src/main/java/com/dotmarketing/quartz/job/EncryptPlainPasswordsJob.java b/dotCMS/src/main/java/com/dotmarketing/quartz/job/EncryptPlainPasswordsJob.java
@@ -0,0 +1,129 @@
+package com.dotmarketing.quartz.job;
+
+import com.dotcms.enterprise.PasswordFactoryProxy;
+import com.dotcms.enterprise.de.qaware.heimdall.PasswordException;
+import com.dotmarketing.common.db.DotConnect;
+import com.dotmarketing.db.DbConnectionFactory;
+import com.dotmarketing.exception.DotDataException;
+import com.dotmarketing.util.Config;
+import com.dotmarketing.util.Logger;
+import com.dotmarketing.util.UtilMethods;
+import java.util.List;
+import java.util.Map;
+import org.quartz.JobExecutionContext;
+import org.quartz.JobExecutionException;
+import org.quartz.StatefulJob;
+
+/**
+ * Sweeps the {@code user_} table for rows whose {@code passwordEncrypted} flag is {@code false}
+ * (plaintext passwords) and rewrites them with a securely hashed value via
+ * {@link PasswordFactoryProxy#generateHash(String)}. Once hashed, the row is flipped to
+ * {@code passwordEncrypted = true}.
+ *
+ * Implementation notes:
+ * <ul>
+ *   <li>Stateful job — concurrent firings cannot overlap.</li>
+ *   <li>The UPDATE is guarded by {@code passwordEncrypted = false AND password_ = ?} so that a
+ *       concurrent password change (via {@code UserAPI}) cannot be silently regressed: if the row
+ *       was already rewritten between the SELECT and the UPDATE, the UPDATE affects zero rows
+ *       and is logged at debug.</li>
+ *   <li>Each firing processes at most {@code ENCRYPT_PLAIN_PASSWORDS_BATCH_SIZE} rows so a bulk
+ *       import depositing tens of thousands of plaintext rows cannot pin a Quartz worker thread
+ *       for hours. Remaining rows are caught on subsequent ticks.</li>
+ * </ul>
+ */
+public class EncryptPlainPasswordsJob implements StatefulJob {
+
+    public static final String ENABLE_PROPERTY = "ENABLE_ENCRYPT_PLAIN_PASSWORDS_JOB";
+    public static final String CRON_PROPERTY = "ENCRYPT_PLAIN_PASSWORDS_CRON_EXPRESSION";
+    public static final String BATCH_SIZE_PROPERTY = "ENCRYPT_PLAIN_PASSWORDS_BATCH_SIZE";
+    public static final String DEFAULT_CRON_EXPRESSION = "0 0/5 * * * ?";
+    public static final int DEFAULT_BATCH_SIZE = 500;
+
+    private static final String SELECT_PLAINTEXT_USERS_SQL =
+            "select userId, password_ from user_ where passwordEncrypted = ? and password_ is not null limit ?";
+
+    private static final String UPDATE_HASHED_PASSWORD_SQL =
+            "update user_ set password_ = ?, passwordEncrypted = ? "
+                    + "where userId = ? and passwordEncrypted = ? and password_ = ?";
+
+    /**
+     * Runtime kill switch. The scheduler also checks this property at startup; checking it here
+     * lets an operator disable the job between firings without restarting the JVM.
+     */
+    public static boolean isEnabled() {
+        return Config.getBooleanProperty(ENABLE_PROPERTY, true);
+    }
+
+    @Override
+    public void execute(final JobExecutionContext context) throws JobExecutionException {
+        if (com.dotcms.shutdown.ShutdownCoordinator.isShutdownStarted()) {
+            Logger.info(EncryptPlainPasswordsJob.class,
+                    "Shutdown in progress - skipping EncryptPlainPasswordsJob execution");
+            return;
+        }
+
+        if (!isEnabled()) {
+            Logger.debug(EncryptPlainPasswordsJob.class,
+                    () -> ENABLE_PROPERTY + "=false - skipping EncryptPlainPasswordsJob execution");
+            return;
+        }
+
+        final int batchSize = Config.getIntProperty(BATCH_SIZE_PROPERTY, DEFAULT_BATCH_SIZE);
+
+        try {
+            final List<Map<String, Object>> rows = new DotConnect()
+                    .setSQL(SELECT_PLAINTEXT_USERS_SQL)
+                    .addParam(false)
+                    .addParam(batchSize)
+                    .loadObjectResults();
+
+            if (rows.isEmpty()) {
+                return;
+            }
+
+            Logger.info(EncryptPlainPasswordsJob.class,
+                    "Found " + rows.size() + " user(s) with unencrypted passwords. Hashing now.");
+
+            int hashed = 0;
+            int skipped = 0;
+            for (final Map<String, Object> row : rows) {
+                final String userId = (String) row.get("userid");
+                final String plaintext = (String) row.get("password_");
+
+                if (!UtilMethods.isSet(userId) || !UtilMethods.isSet(plaintext)) {
+                    continue;
+                }
+
+                try {
+                    final String hash = PasswordFactoryProxy.generateHash(plaintext);
+                    final int updated = new DotConnect()
+                            .executeUpdate(UPDATE_HASHED_PASSWORD_SQL,
+                                    hash, true, userId, false, plaintext);
+                    if (updated == 0) {
+                        // Row changed between SELECT and UPDATE — another writer got there first.
+                        skipped++;
+                        Logger.debug(EncryptPlainPasswordsJob.class,
+                                () -> "Skipped userId=" + userId
+                                        + " — row was modified between select and update");
+                    } else {
+                        hashed++;
+                    }
+                } catch (PasswordException | DotDataException e) {
+                    Logger.error(EncryptPlainPasswordsJob.class,
+                            "Unable to hash password for userId=" + userId + ": " + e.getMessage(),
+                            e);
+                }
+            }
+
+            Logger.info(EncryptPlainPasswordsJob.class,
+                    "Encrypted " + hashed + " of " + rows.size()
+                            + " plaintext password row(s) (skipped " + skipped + ").");
+        } catch (DotDataException e) {
+            Logger.error(EncryptPlainPasswordsJob.class,
+                    "Error scanning user_ table for unencrypted passwords", e);
+        } finally {
+            DbConnectionFactory.closeSilently();
+        }
+    }
+}
diff --git a/dotcms-integration/src/test/java/com/dotcms/MainSuite2b.java b/dotcms-integration/src/test/java/com/dotcms/MainSuite2b.java
@@ -161,6 +161,7 @@
 import com.dotmarketing.quartz.DotStatefulJobTest;
 import com.dotmarketing.quartz.job.CleanUpFieldReferencesJobTest;
 import com.dotmarketing.quartz.job.DropOldContentVersionsJobTest;
+import com.dotmarketing.quartz.job.EncryptPlainPasswordsJobTest;
 import com.dotmarketing.quartz.job.IntegrityDataGenerationJobTest;
 import com.dotmarketing.quartz.job.PopulateContentletAsJSONJobTest;
 import com.dotmarketing.quartz.job.PruneTimeMachineBackupJobTest;
@@ -471,6 +472,7 @@
         com.dotmarketing.tag.business.TagAPITest.class,
         OSGIUtilTest.class,
         CleanUpFieldReferencesJobTest.class,
+        EncryptPlainPasswordsJobTest.class,
         CachedParameterDecoratorTest.class,
         ContainerFactoryImplTest.class,
         TemplateFactoryImplTest.class,
diff --git a/dotcms-integration/src/test/java/com/dotmarketing/quartz/job/EncryptPlainPasswordsJobTest.java b/dotcms-integration/src/test/java/com/dotmarketing/quartz/job/EncryptPlainPasswordsJobTest.java
