During authentication of the "admin" user, if using SSO, their record in the users table is updated with the new authentication method and the crypted_password column is nullified in the DB. Now, if the instance switches back to local authentication, the SonarQube startup will fail with an NPE on the "default admin password" check, as the password is null.
The only way to recover from this situation is to use the script provided [here|https://docs.sonarqube.org/latest/instance-administration/security/], under the Reinstating Admin Access section.
This only applies to BCrypt, and is mitigated by the fact that users will now automatically be migrated to PBKDF2 when they log in. Still, if:
- An instance was using a version of SQ where BCrypt was the default hashing algo
- And then switched to any SSO method
- And then switched back to local authentication
Then the NPE will occur. And because it will fail at startup, the "admin" user also cannot log in to have their hashing algo migrated to PBKDF2.
Do the same as we do for SHA1 and PBKDF2: handle NULL passwords as an incorrect password, which will enable SQ to start normally. This will disable logging in for the "admin" user, but this is normal, as there is no hash to check against (the only solution here is to reinstate access, as per the docs).
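
The failure and the proposed handling can be modelled as follows. This is an added example, not SonarQube code: it is written in Python, PBKDF2 with an embedded cost and salt stands in for BCrypt, and the function names, row layout and the sample default password are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

DEFAULT_PASSWORD = "admin"  # constructed sample value for this model


def make_hash(password, iterations=10_000):
    """Stand-in for BCrypt: cost and salt are embedded in the stored string."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def check_unguarded(password, stored):
    """'Before' behaviour: parses the stored hash without a NULL check."""
    iterations, salt_hex, digest_hex = stored.split("$")  # fails when stored is None
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def check_guarded(password, stored):
    """'After' behaviour: a NULL hash is simply an incorrect password."""
    if stored is None:
        return False
    return check_unguarded(password, stored)


def startup_default_password_check(admin_row, checker):
    """Model of the startup check: does 'admin' still use the default password?"""
    return checker(DEFAULT_PASSWORD, admin_row["crypted_password"])


# Constructed rows: admin after an SSO login (hash nullified) and a local admin.
ADMIN_AFTER_SSO = {"login": "admin", "crypted_password": None}
ADMIN_LOCAL = {"login": "admin", "crypted_password": make_hash(DEFAULT_PASSWORD)}

if __name__ == "__main__":
    try:
        startup_default_password_check(ADMIN_AFTER_SSO, check_unguarded)
    except AttributeError as exc:  # Python's analogue of the NPE
        print("unguarded check aborts startup:", exc)
    print("guarded, NULL hash:", startup_default_password_check(ADMIN_AFTER_SSO, check_guarded))
    print("guarded, default hash:", startup_default_password_check(ADMIN_LOCAL, check_guarded))
```

With the guard in place the startup check completes and every login attempt against the NULL hash is rejected, which matches the behaviour described for SHA1 and PBKDF2.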