From d14fb0c0815510652ffa9ca2a3d9891bac8f0d44 Mon Sep 17 00:00:00 2001
From: "som.dewan" <som.dewan@autorabit.com>
Date: Wed, 21 Aug 2024 10:48:48 +0530
Subject: [PATCH] SQ Encrypt File Sources

---
 build.gradle                                  | 18 ------
 .../java/org/sonar/db/MyBatisConfBuilder.java |  8 +++
 .../org/sonar/db/source/FileSourceMapper.xml  | 64 +++++++++----------
 3 files changed, 40 insertions(+), 50 deletions(-)

diff --git a/build.gradle b/build.gradle
index acc4e3b52c0e..a55713086c4a 100644
--- a/build.gradle
+++ b/build.gradle
@@ -62,24 +62,6 @@ allprojects {
   }
 
   repositories {
-    def repository = project.hasProperty('qa') ? 'sonarsource-qa' : 'sonarsource'
-    maven {
-      // The environment variables ARTIFACTORY_PRIVATE_USERNAME and ARTIFACTORY_PRIVATE_PASSWORD are used on QA env (Jenkins)
-      // On local box, please add artifactoryUsername and artifactoryPassword to ~/.gradle/gradle.properties
-      def artifactoryUsername = System.env.'ARTIFACTORY_PRIVATE_USERNAME' ?: (project.hasProperty('artifactoryUsername') ? project.getProperty('artifactoryUsername') : '')
-      def artifactoryPassword = System.env.'ARTIFACTORY_PRIVATE_PASSWORD' ?: (project.hasProperty('artifactoryPassword') ? project.getProperty('artifactoryPassword') : '')
-      if (artifactoryUsername && artifactoryPassword) {
-        credentials {
-          username artifactoryUsername
-          password artifactoryPassword
-        }
-      } else {
-        // Workaround for artifactory
-        // https://www.jfrog.com/jira/browse/RTFACT-13797
-        repository = 'public'
-      }
-      url "https://repox.jfrog.io/repox/${repository}"
-    }
 
     maven {
       def autorabitRepository = System.env.'ARTIFACTORY_CODESCAN_REPO' ?: (project.hasProperty('artifactoryRepo') ? project.getProperty('artifactoryRepo') : 'libs-release-local')
diff --git a/server/sonar-db-dao/src/main/java/org/sonar/db/MyBatisConfBuilder.java b/server/sonar-db-dao/src/main/java/org/sonar/db/MyBatisConfBuilder.java
index 518162eb4a3c..fd6165ca4812 100644
--- a/server/sonar-db-dao/src/main/java/org/sonar/db/MyBatisConfBuilder.java
+++ b/server/sonar-db-dao/src/main/java/org/sonar/db/MyBatisConfBuilder.java
@@ -49,6 +49,14 @@ class MyBatisConfBuilder {
     this.conf.getVariables().setProperty("_from_dual", dialect.getSqlFromDual());
     this.conf.getVariables().setProperty("_scrollFetchSize", String.valueOf(dialect.getScrollDefaultFetchSize()));
     this.conf.setLocalCacheScope(LocalCacheScope.STATEMENT);
+
+    String encryptionKey = System.getenv("ENC_KEY");
+
+    if (encryptionKey == null || encryptionKey.isEmpty()) {
+      throw new IllegalStateException("ENC_KEY environment variable is not set for encryptionKey");
+    }
+
+    this.conf.getVariables().setProperty("encryptionKey", encryptionKey);
   }
 
   void loadAlias(String alias, Class dtoClass) {
diff --git a/server/sonar-db-dao/src/main/resources/org/sonar/db/source/FileSourceMapper.xml b/server/sonar-db-dao/src/main/resources/org/sonar/db/source/FileSourceMapper.xml
index 53bba0f8365f..0d6502395c58 100644
--- a/server/sonar-db-dao/src/main/resources/org/sonar/db/source/FileSourceMapper.xml
+++ b/server/sonar-db-dao/src/main/resources/org/sonar/db/source/FileSourceMapper.xml
@@ -6,18 +6,18 @@
 
   <select id="selectByFileUuid" parameterType="map" resultType="org.sonar.db.source.FileSourceDto">
     select
-      uuid,
-      project_uuid as projectUuid,
-      file_uuid as fileUuid,
-      created_at as createdAt,
-      updated_at as updatedAt,
-      binary_data as binaryData,
-      line_hashes as rawLineHashes,
-      line_hashes_version as lineHashesVersion,
-      line_count as lineCount,
-      data_hash as dataHash,
-      src_hash as srcHash,
-      revision
+    uuid,
+    project_uuid as projectUuid,
+    file_uuid as fileUuid,
+    created_at as createdAt,
+    updated_at as updatedAt,
+    DECRYPT(binary_data, '${encryptionKey}'::bytea, 'AES') as binaryData,
+    line_hashes as rawLineHashes,
+    line_hashes_version as lineHashesVersion,
+    line_count as lineCount,
+    data_hash as dataHash,
+    src_hash as srcHash,
+    revision
     from
       file_sources
     where
@@ -82,18 +82,18 @@
     )
     values
     (
-      #{uuid,jdbcType=VARCHAR},
-      #{projectUuid,jdbcType=VARCHAR},
-      #{fileUuid,jdbcType=VARCHAR},
-      #{createdAt,jdbcType=BIGINT},
-      #{updatedAt,jdbcType=BIGINT},
-      #{binaryData,jdbcType=BLOB},
-      #{rawLineHashes,jdbcType=CLOB},
-      #{lineHashesVersion,jdbcType=INTEGER},
-      #{lineCount,jdbcType=INTEGER},
-      #{dataHash,jdbcType=VARCHAR},
-      #{srcHash,jdbcType=VARCHAR},
-      #{revision,jdbcType=VARCHAR}
+    #{uuid,jdbcType=VARCHAR},
+    #{projectUuid,jdbcType=VARCHAR},
+    #{fileUuid,jdbcType=VARCHAR},
+    #{createdAt,jdbcType=BIGINT},
+    #{updatedAt,jdbcType=BIGINT},
+    ENCRYPT(#{binaryData,jdbcType=BLOB}, '${encryptionKey}'::bytea, 'AES'),
+    #{rawLineHashes,jdbcType=CLOB},
+    #{lineHashesVersion,jdbcType=INTEGER},
+    #{lineCount,jdbcType=INTEGER},
+    #{dataHash,jdbcType=VARCHAR},
+    #{srcHash,jdbcType=VARCHAR},
+    #{revision,jdbcType=VARCHAR}
     )
   </insert>
 
@@ -101,14 +101,14 @@
     update
       file_sources
     set
-      updated_at = #{updatedAt,jdbcType=BIGINT},
-      binary_data = #{binaryData,jdbcType=BLOB},
-      line_hashes = #{rawLineHashes,jdbcType=CLOB},
-      line_hashes_version = #{lineHashesVersion,jdbcType=INTEGER},
-      line_count = #{lineCount,jdbcType=INTEGER},
-      data_hash = #{dataHash,jdbcType=VARCHAR},
-      src_hash = #{srcHash,jdbcType=VARCHAR},
-      revision = #{revision,jdbcType=VARCHAR}
+    updated_at = #{updatedAt,jdbcType=BIGINT},
+    binary_data = ENCRYPT(#{binaryData,jdbcType=BLOB}, '${encryptionKey}'::bytea, 'AES'),
+    line_hashes = #{rawLineHashes,jdbcType=CLOB},
+    line_hashes_version = #{lineHashesVersion,jdbcType=INTEGER},
+    line_count = #{lineCount,jdbcType=INTEGER},
+    data_hash = #{dataHash,jdbcType=VARCHAR},
+    src_hash = #{srcHash,jdbcType=VARCHAR},
+    revision = #{revision,jdbcType=VARCHAR}
     where
       uuid = #{uuid,jdbcType=VARCHAR}
   </update>