Add support for Server-Side Encryption with AWS Key Management Service
(SSE-KMS) for S3 object storage. This allows Nextcloud to encrypt data
at rest in S3 using AWS-managed keys.
Key features:
- New config options: sse_kms_enabled and sse_kms_key_id
- Backward compatible with existing SSE-C (customer-provided keys)
- SSE-C takes precedence when both SSE-C and SSE-KMS are configured
Implementation details:
- Added getServerSideEncryptionParameters() method to centralize
encryption parameter logic for both SSE-C and SSE-KMS
- Updated multipart uploads to use unified encryption parameters
- Added comprehensive PHPUnit tests for SSE-KMS scenarios
- Tested with AWS bucket and KMS keys in us-east-1 region
Co-Authored-By: Claude Sonnet 4.5 (1M context) <noreply@anthropic.com>
Signed-off-by: Stephen Cuppett <steve@cuppett.com>
a setup can have multiple bucket without having `multibucket` enabled trough things like per-groupfolder buckets
Signed-off-by: Robin Appelman <robin@icewind.nl>
This is faster than going back to nextcloud to download the files.
This is an opt-in setting that can be enabled by setting
use_presigned_url in the object store config.
Additionally add support for the proxy config which is needed in a
docker setup. See https://github.com/juliusknorr/nextcloud-docker-dev/pull/431
Signed-off-by: Carl Schwan <carl.schwan@nextcloud.com>
Add retriesMaxAttempts parameter to S3 objectstore configuration
to allow customization of AWS SDK retry behavior for handling
unreliable network conditions or proxy issues.
Defaults to 5 retries (AWS SDK default) if not specified.
Signed-off-by: nfebe <fenn25.fn@gmail.com>
Otherwise, we call doesBucketExist all the time which does a network
request to the S3 server adding some non-trivial latency when creating a
S3 connection object.
Signed-off-by: Carl Schwan <carl.schwan@nextcloud.com>
to avoid 'object::%' to be considered as a column
(`la colonne \\u00ab object::% \\u00bb n'existe pas` on PG)
Signed-off-by: Thomas Citharel <tcit@tcit.fr>
* Simplify migration by not moving the actual files and just updating
the DB
* Don't store the storageid in the preview table as it is not needed
* Start adding tests
Signed-off-by: Carl Schwan <carl.schwan@nextcloud.com>
The new oc_previews table is optimized for storing previews and should
decrease significantly the space taken by previews in the filecache
table.
This attend to reuse the IObjectStore abstraction over S3/Swift/Azure
but currently only support one single bucket configuration.
Signed-off-by: Carl Schwan <carl.schwan@nextclound.com>
The hardcoded connection timeout of 5 seconds may not be enough in some
cases, so now it is got from the ObjectStore arguments in Nextcloud
configuration, falling back to 5 if not set.
The connection timeout is set in seconds, but decimal precision can be
used for subsecond accuracy (for example, 4.2 for 4200 milliseconds).
Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>