Add support for Server-Side Encryption with AWS Key Management Service
(SSE-KMS) for S3 object storage. This allows Nextcloud to encrypt data
at rest in S3 using AWS-managed keys.

Key features:
- New config options: sse_kms_enabled and sse_kms_key_id
- Backward compatible with existing SSE-C (customer-provided keys)
- SSE-C takes precedence when both SSE-C and SSE-KMS are configured

Implementation details:
- Added getServerSideEncryptionParameters() method to centralize
  encryption parameter logic for both SSE-C and SSE-KMS
- Updated multipart uploads to use unified encryption parameters
- Added comprehensive PHPUnit tests for SSE-KMS scenarios
- Tested with AWS bucket and KMS keys in us-east-1 region

Co-Authored-By: Claude Sonnet 4.5 (1M context) <noreply@anthropic.com>
Signed-off-by: Stephen Cuppett <steve@cuppett.com>
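
The precedence rule described in the commit above, as an added example (not the Nextcloud code and not from the commit author). The function name selectSseParameters(), the 'sse_c_key' config key, the bucket, the object key and the KMS key id are assumptions made for illustration; sse_kms_enabled and sse_kms_key_id are the options named in the commit message.

```php
<?php
declare(strict_types=1);

// Added illustration, not Nextcloud code. selectSseParameters() is a
// hypothetical name; 'sse_c_key' is an assumed SSE-C config key.
function selectSseParameters(array $config): array {
    $sseCKey = $config['sse_c_key'] ?? '';
    if (is_string($sseCKey) && $sseCKey !== '') {
        $rawKey = base64_decode($sseCKey, true);
        if ($rawKey === false || strlen($rawKey) !== 32) {
            // Fail closed: a bad key must not fall through to SSE-KMS or plaintext.
            throw new InvalidArgumentException('sse_c_key must be base64 of a 32-byte key');
        }
        // SSE-C takes precedence; the SSE-KMS options are ignored from here on.
        return [
            'SSECustomerAlgorithm' => 'AES256',
            'SSECustomerKey' => $rawKey, // raw bytes; the AWS SDK for PHP base64-encodes it
        ];
    }
    if (!empty($config['sse_kms_enabled'])) {
        $params = ['ServerSideEncryption' => 'aws:kms'];
        $keyId = $config['sse_kms_key_id'] ?? '';
        if (is_string($keyId) && $keyId !== '') {
            $params['SSEKMSKeyId'] = $keyId;
        }
        // With no key id, S3 uses the AWS managed key for the account.
        return $params;
    }
    return []; // neither mode configured
}

// Constructed sample configurations (key material and key id are placeholders).
$samples = [
    'both' => [
        'sse_c_key' => base64_encode(str_repeat("\x01", 32)),
        'sse_kms_enabled' => true,
        'sse_kms_key_id' => 'alias/example-placeholder',
    ],
    'kms-only' => ['sse_kms_enabled' => true, 'sse_kms_key_id' => 'alias/example-placeholder'],
    'none' => [],
];
foreach ($samples as $name => $config) {
    // The same array is merged into every write call, single-part or multipart.
    $putArgs = ['Bucket' => 'example-bucket', 'Key' => 'example-object'] + selectSseParameters($config);
    echo $name, ': ', implode(', ', array_keys($putArgs)), PHP_EOL;
}
```
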
getContentLength() and getLastModified() are dead code. Originally added in PR #11518 and made defunct in PR #29220.
Signed-off-by: Josh <josh.t.richards@gmail.com>
Some S3-compatible object storage hosts don't like the ETag being included in
the request and return a MalformedXML response. In the AWS API documentation,
only the object key is required so just pass that in.
Signed-off-by: Kent Delante <kent.delante@proton.me>
It allows the use of the alternative SFTP port defined in the GUI (external storage), instead of the default port (22).
Signed-off-by: pac0san <7056343+pac0san@users.noreply.github.com>
Signed-off-by: provokateurin <kate@provokateurin.de>
DeleteObjects currently fails when the request includes all the
information returned by ListObjects. Send only the necessary
information in the request. Note: 'Size' and 'DateModified' are now
only supported by directory buckets.
Signed-off-by: Kent Delante <kent.delante@proton.me>
Just need to add the parameter and fix two calls. All other logic is already implemented and implicitly called through the S3ConnectionTrait.
Fixes #33283
Signed-off-by: Christian Becker <christian@dabecka.de>
Signed-off-by: Richard Steinmetz <richard@steinmetz.cloud>
SMB#getFileInfo used to throw an icewind/smb exception, but nowadays throws \OCP\Files\ForbiddenException. This fixes downstream methods to catch the new exception.
Signed-off-by: Marcel Klehr <mklehr@gmx.net>
When connecting to an SFTP server from an SFTP storage the host key is
checked against the known host keys stored in a file in the data
directory of the logged-in Nextcloud user. The path to the file is
(indirectly) got using "OC_App::getStorage", which logs an error if
called when there is no logged-in user; this can happen, for example, if
the storage is used from a background job or a command.
Not being able to read or write the file just causes the host key check
to be skipped, but it has no other consequence. Moreover, even with
logged-in users it is likely that the file cannot be read either and
the check is also skipped, as the file needs to have been manually
created by an admin.
Due to all that, now the path to the file is directly created using a
View rather than relying on "OC_App::getStorage" to prevent the unneeded
error from being logged.
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>