From 384da4f34f5257b761013878c1836f383358f170 Mon Sep 17 00:00:00 2001
From: Cody Wyatt Neiman <neiman@cody.to>
Date: Sun, 30 Oct 2022 19:01:49 -0400
Subject: [PATCH] Add S3 SSE-C support to synapse-s3-storage-provider

---
 roles/custom/matrix-synapse/defaults/main.yml               | 3 +++
 .../templates/synapse/ext/s3-storage-provider/env.j2        | 6 ++++++
 .../ext/s3-storage-provider/media_storage_provider.yaml.j2  | 6 ++++++
 .../matrix-synapse-s3-storage-provider-migrate.j2           | 6 +++++-
 4 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml
index 54351256a9d..372ed1cf577 100644
--- a/roles/custom/matrix-synapse/defaults/main.yml
+++ b/roles/custom/matrix-synapse/defaults/main.yml
@@ -810,6 +810,9 @@ matrix_synapse_ext_synapse_s3_storage_provider_config_region_name: ''
 matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url: ''
 matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id: ''
 matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key: ''
+matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled: false
+matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_key: ''
+matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_algo: 'AES256'
 matrix_synapse_ext_synapse_s3_storage_provider_config_storage_class: STANDARD
 matrix_synapse_ext_synapse_s3_storage_provider_config_threadpool_size: 40
 # matrix_synapse_ext_synapse_s3_storage_provider_update_db_day_count is a day value (number) for the `s3_media_upload update-db` command.
diff --git a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2 b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2
index 6dfcbe4185b..58d262558b2 100644
--- a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2
+++ b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/env.j2
@@ -4,6 +4,12 @@ AWS_DEFAULT_REGION={{ matrix_synapse_ext_synapse_s3_storage_provider_config_regi
 
 ENDPOINT={{ matrix_synapse_ext_synapse_s3_storage_provider_config_endpoint_url }}
 BUCKET={{ matrix_synapse_ext_synapse_s3_storage_provider_config_bucket }}
+
+{% if matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled %}
+SSE_CUSTOMER_KEY={{ matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_key }}
+SSE_CUSTOMER_ALGO={{ matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_algo }}
+{% endif %}
+
 STORAGE_CLASS={{ matrix_synapse_ext_synapse_s3_storage_provider_config_storage_class }}
 
 MEDIA_PATH=/matrix-media-store-parent/{{ matrix_synapse_media_store_directory_name }}
diff --git a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2
index 97b0f5f2b53..a602b6f9e7b 100644
--- a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2
+++ b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/media_storage_provider.yaml.j2
@@ -9,6 +9,12 @@ config:
   access_key_id: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_access_key_id | to_json }}
   secret_access_key: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_secret_access_key | to_json }}
 
+
+  {% if matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled %}
+  sse_customer_key: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_key | to_json }}
+  sse_customer_algo: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_algo | to_json }}
+  {% endif %}
+
   storage_class: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_storage_class | to_json }}
 
   threadpool_size: {{ matrix_synapse_ext_synapse_s3_storage_provider_config_threadpool_size | to_json }}
diff --git a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/usr-local-bin/matrix-synapse-s3-storage-provider-migrate.j2 b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/usr-local-bin/matrix-synapse-s3-storage-provider-migrate.j2
index d48ae1229e8..031c0ea0990 100644
--- a/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/usr-local-bin/matrix-synapse-s3-storage-provider-migrate.j2
+++ b/roles/custom/matrix-synapse/templates/synapse/ext/s3-storage-provider/usr-local-bin/matrix-synapse-s3-storage-provider-migrate.j2
@@ -10,4 +10,8 @@
 	--network={{ matrix_docker_network }} \
 	--entrypoint=/bin/bash \
 	{{ matrix_synapse_docker_image_final }} \
-	-c 's3_media_upload update-db $UPDATE_DB_DURATION && s3_media_upload --no-progress check-deleted $MEDIA_PATH && s3_media_upload --no-progress upload $MEDIA_PATH $BUCKET --delete --storage-class $STORAGE_CLASS --endpoint-url $ENDPOINT'
+	{% if matrix_synapse_ext_synapse_s3_storage_provider_config_sse_customer_enabled %}
+	-c 's3_media_upload update-db $UPDATE_DB_DURATION && s3_media_upload --no-progress check-deleted $MEDIA_PATH && s3_media_upload --no-progress upload $MEDIA_PATH $BUCKET --delete --storage-class $STORAGE_CLASS --endpoint-url $ENDPOINT --sse-customer-algo $SSE_CUSTOMER_ALGO --sse-customer-key $SSE_CUSTOMER_KEY'
+	{% else %}
+	-c 's3_media_upload update-db $UPDATE_DB_DURATION && s3_media_upload --no-progress check-deleted $MEDIA_PATH && s3_media_upload --no-progress upload $MEDIA_PATH $BUCKET --delete --storage-class $STORAGE_CLASS --endpoint-url $ENDPOINT
+	{% endif %}