s3: fix multipart upload and server side copy when using bucket policy SSE-C

When uploading or moving data within an s3-compatible bucket, the `SSECustomer*` headers should always be forwarded: on `CreateMultipartUpload`, `UploadPart`, `UploadCopyPart` and `CompleteMultipartUpload`. But currently rclone doesn't forward those headers to `CompleteMultipartUpload`. This is a requirement if you want to enforce `SSE-C` at the bucket level via a bucket policy. Cf: `This parameter is required only when the object was created using a checksum algorithm or if your bucket policy requires the use of SSE-C.` in https://docs.aws.amazon.com/AmazonS3/latest/API/API_CompleteMultipartUpload.html
2025-08-14 15:58:26 +02:00 · 2025-07-17 15:29:31 +02:00
parent c20e4bd99c
commit 70226cc653
1 changed files with 10 additions and 4 deletions
--- a/backend/s3/s3.go
+++ b/backend/s3/s3.go
@ -5061,8 +5061,11 @@ func (f *Fs) copyMultipart(ctx context.Context, copyReq *s3.CopyObjectInput, dst
 			MultipartUpload: &types.CompletedMultipartUpload{
 				Parts: parts,
 			},
-			RequestPayer: req.RequestPayer,
-			UploadId:     uid,
+			RequestPayer:         req.RequestPayer,
+			SSECustomerAlgorithm: req.SSECustomerAlgorithm,
+			SSECustomerKey:       req.SSECustomerKey,
+			SSECustomerKeyMD5:    req.SSECustomerKeyMD5,
+			UploadId:             uid,
 		})
 		return f.shouldRetry(ctx, err)
 	})
@ -6446,8 +6449,11 @@ func (w *s3ChunkWriter) Close(ctx context.Context) (err error) {
 			MultipartUpload: &types.CompletedMultipartUpload{
 				Parts: w.completedParts,
 			},
-			RequestPayer: w.multiPartUploadInput.RequestPayer,
-			UploadId:     w.uploadID,
+			RequestPayer:         w.multiPartUploadInput.RequestPayer,
+			SSECustomerAlgorithm: w.multiPartUploadInput.SSECustomerAlgorithm,
+			SSECustomerKey:       w.multiPartUploadInput.SSECustomerKey,
+			SSECustomerKeyMD5:    w.multiPartUploadInput.SSECustomerKeyMD5,
+			UploadId:             w.uploadID,
 		})
 		return w.f.shouldRetry(ctx, err)
 	})