Signed-off-by: Kent Delante <kent@delante.me>
Amazon's hosted S3 service allows repeating delimiters in keys
(e.g. 'path/to//file.txt' or 'path/to///file.txt') and we get
repeating directories in the filecache as a result (based on the
previous examples we get 'path/to/to/file.txt' or
'path/to/to/to/file.txt'). This ignores it and its contents for S3 external storage.
Add support for Server-Side Encryption with AWS Key Management Service
(SSE-KMS) for S3 object storage. This allows Nextcloud to encrypt data
at rest in S3 using AWS-managed keys.
Key features:
- New config options: sse_kms_enabled and sse_kms_key_id
- Backward compatible with existing SSE-C (customer-provided keys)
- SSE-C takes precedence when both SSE-C and SSE-KMS are configured
Implementation details:
- Added getServerSideEncryptionParameters() method to centralize
  encryption parameter logic for both SSE-C and SSE-KMS
- Updated multipart uploads to use unified encryption parameters
- Added comprehensive PHPUnit tests for SSE-KMS scenarios
- Tested with AWS bucket and KMS keys in us-east-1 region
Co-Authored-By: Claude Sonnet 4.5 (1M context) <noreply@anthropic.com>
Signed-off-by: Stephen Cuppett <steve@cuppett.com>
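
The precedence rule in the SSE-KMS commit message above, sketched in PHP as an added example; this is not the code from that commit or from Nextcloud. The function name and the `sse_kms_enabled` / `sse_kms_key_id` options come from the commit message, while the body, the `sse_c_key` option name (assumed to hold a base64-encoded 32-byte key) and the sample values are assumptions; the returned array keys are AWS SDK for PHP S3 request parameters.

```php
<?php
declare(strict_types=1);

/**
 * Added example, not Nextcloud's implementation. Returns the encryption
 * parameters to merge into PutObject / CreateMultipartUpload arguments.
 */
function getServerSideEncryptionParameters(array $config): array {
	// SSE-C takes precedence when both SSE-C and SSE-KMS are configured.
	$sseCKey = (string)($config['sse_c_key'] ?? ''); // assumed option name
	if ($sseCKey !== '') {
		$rawKey = base64_decode($sseCKey, true);
		if ($rawKey === false || strlen($rawKey) !== 32) {
			// Fail closed: a malformed key must not silently downgrade
			// the upload to SSE-KMS or to no encryption at all.
			throw new InvalidArgumentException('sse_c_key must be base64 of 32 bytes');
		}
		return [
			'SSECustomerAlgorithm' => 'AES256',
			'SSECustomerKey' => $rawKey,
			'SSECustomerKeyMD5' => md5($rawKey, true),
		];
	}

	if (!empty($config['sse_kms_enabled'])) {
		$params = ['ServerSideEncryption' => 'aws:kms'];
		// Without a key id, S3 uses the account's AWS managed KMS key.
		$keyId = trim((string)($config['sse_kms_key_id'] ?? ''));
		if ($keyId !== '') {
			$params['SSEKMSKeyId'] = $keyId;
		}
		return $params;
	}

	return []; // no server-side encryption requested by this config
}

// Constructed sample configs (key material and key id are placeholders).
$samples = [
	'both' => ['sse_c_key' => base64_encode(str_repeat("\x01", 32)),
		'sse_kms_enabled' => true, 'sse_kms_key_id' => 'EXAMPLE-KEY-ID'],
	'kms' => ['sse_kms_enabled' => true, 'sse_kms_key_id' => 'EXAMPLE-KEY-ID'],
	'none' => [],
];
foreach ($samples as $name => $config) {
	echo $name, ': ', implode(',', array_keys(getServerSideEncryptionParameters($config))), PHP_EOL;
}
```
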
Avoid the use of "authentication" here since this is really about signing compatibility, not the source of credentials. Also prefix with "Use" for UI consistency.
Signed-off-by: Josh <josh.t.richards@gmail.com>
getContentLength() and getLastModified() are dead code. Originally added in PR #11518 and made defunct in PR #29220.
Signed-off-by: Josh <josh.t.richards@gmail.com>
Some S3-compatible object storage hosts don't like the ETag being included in
the request and return a MalformedXML response. In the AWS API documentation,
only the object key is required so just pass that in.
Signed-off-by: Kent Delante <kent.delante@proton.me>
To check if there are no missing required dependencies we need to check
if the required dependencies are **empty** because `!array` is still
true.
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
It allows the use of the alternative SFTP port defined in the GUI (external storage), instead of the default port (22).
Signed-off-by: pac0san <7056343+pac0san@users.noreply.github.com>
Signed-off-by: provokateurin <kate@provokateurin.de>
The current name may be confusing to users who take advantage of other S3-compatible storage solutions not offered by Amazon, so a more generic name is preferred here.
Signed-off-by: Edward Ly <contact@edward.ly>
This is the clean solution, LoginCredentials was the only auth class
actually registering stuff in constructor.
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
DeleteObjects currently fails when the request includes all the
information returned by ListObjects. Send only the necessary
information in the request. Note: 'Size' and 'DateModified' are now
only supported by directory buckets.
Signed-off-by: Kent Delante <kent.delante@proton.me>