migrateMechanismsStep

The second migration step, which converts legacy LegacyMechanism entries (loaded by startMigrationStep) into modern OATH and Push credentials and persists them to SQLite.

Execution order within this step:

1. Retrieves the mechanisms list from the migration state; returns CONTINUE immediately if the list is absent (defensive guard).

2. Calls prepareDatabase to inspect any pre-existing OATH (pingidentity_oath.db) and Push (pingidentity_push.db) SQLite databases:

• Databases with existing credentials are preserved.

• Empty databases are deleted to prevent passphrase conflicts.

• Databases that cannot be opened (e.g., encrypted with a different passphrase) are deleted so migration can create fresh ones.

3. Initialises com.pingidentity.mfa.oath.storage.SQLOathStorage and com.pingidentity.mfa.push.storage.SQLPushStorage with allowDestructiveRecovery = true, backupOnError = true, and autoRestoreFromBackup = true for resilience against force-closes during migration.

4. Iterates each mechanism and routes it by LegacyMechanism.type:

• "otpauth", "totp", "hotp" → com.pingidentity.mfa.oath.OathCredential stored via com.pingidentity.mfa.oath.storage.SQLOathStorage.storeOathCredential.

• "push", "pushauth" → com.pingidentity.mfa.push.PushCredential stored via com.pingidentity.mfa.push.storage.SQLPushStorage.storePushCredential. Query parameters are stripped from authenticationEndpoint to produce the serverEndpoint.

• Unknown types are logged as warnings and skipped.

• Per-mechanism exceptions are caught and logged; remaining mechanisms continue.

5. Stores the storage instances in the migration state for cleanupLegacyDataStep.

See also