[S3] Add option to specify an SSE-C customer provided key

Signed-off-by: Julius Härtl <jus@bitgrid.net>
nextcloud · Jun 9, 2022 · e7177c6 · e7177c6
1 parent 76db612
commit e7177c6
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 5 deletions.
diff --git a/lib/private/Files/ObjectStore/S3ConnectionTrait.php b/lib/private/Files/ObjectStore/S3ConnectionTrait.php
@@ -218,4 +218,26 @@ protected function paramCredentialProvider() : callable {
 			return new RejectedPromise(new CredentialsException($msg));
 		};
 	}
+
+	protected function getSSECKey(): ?string {
+		if (isset($this->params['sse_c_key'])) {
+			return $this->params['sse_c_key'];
+		}
+
+		return null;
+	}
+
+	protected function getSSECParameters(): array {
+		$key = $this->getSSECKey();
+
+		if ($key === null) {
+			return [];
+		}
+
+		return [
+			'SSECustomerAlgorithm' => 'AES256',
+			'SSECustomerKey' => $key,
+			'SSECustomerKeyMD5' => md5($key, true)
+		];
+	}
 }
diff --git a/lib/private/Files/ObjectStore/S3ObjectTrait.php b/lib/private/Files/ObjectStore/S3ObjectTrait.php
@@ -43,6 +43,8 @@ trait S3ObjectTrait {
 	 */
 	abstract protected function getConnection();
 
+	abstract protected function getSSECParameters(): array;
+
 	/**
 	 * @param string $urn the unified resource name used to identify the object
 	 * @return resource stream with the read data
@@ -55,7 +57,7 @@ public function readObject($urn) {
 				'Bucket' => $this->bucket,
 				'Key' => $urn,
 				'Range' => 'bytes=' . $range,
-			]);
+			] + $this->getSSECParameters());
 			$request = \Aws\serialize($command);
 			$headers = [];
 			foreach ($request->getHeaders() as $key => $values) {
@@ -95,7 +97,7 @@ protected function writeSingle(string $urn, StreamInterface $stream, string $mim
 			'Body' => $stream,
 			'ACL' => 'private',
 			'ContentType' => $mimetype,
-		]);
+		] + $this->getSSECParameters());
 	}
 
 
@@ -114,7 +116,7 @@ protected function writeMultiPart(string $urn, StreamInterface $stream, string $
 			'part_size' => $this->uploadPartSize,
 			'params' => [
 				'ContentType' => $mimetype
-			],
+			] + $this->getSSECParameters(),
 		]);
 
 		try {
@@ -169,10 +171,10 @@ public function deleteObject($urn) {
 	}
 
 	public function objectExists($urn) {
-		return $this->getConnection()->doesObjectExist($this->bucket, $urn);
+		return $this->getConnection()->doesObjectExist($this->bucket, $urn, $this->getSSECParameters());
 	}
 
 	public function copyObject($from, $to) {
-		$this->getConnection()->copy($this->getBucket(), $from, $this->getBucket(), $to);
+		$this->getConnection()->copy($this->getBucket(), $from, $this->getBucket(), $to, 'private', $this->getSSECParameters());
 	}
 }