feat(s3): add server side encryption

docs/Configuration.md

@@ -52,6 +52,7 @@ bucket = "name"
 endpoint = "s3-us-east-1.amazonaws.com"
 use_ssl = true
 key_prefix = "s3prefix"
+server_side_encription = false
 ```
 
 sccache looks for its configuration file at the path indicated by env variable `SCCACHE_CONF`.

docs/S3.md

@@ -6,6 +6,8 @@ If using the default endpoint, you **must** configure the region using the `SCCA
 
 If your endpoint requires HTTPS/TLS, set `SCCACHE_S3_USE_SSL=true`. If you don't need a secure network layer, HTTP (`SCCACHE_S3_USE_SSL=false`) might be better for performance.
 
+Enable server side encryption with `SCCACHE_S3_SERVER_SIDE_ENCRYPTION=true`.
+
 You can also define a prefix that will be prepended to the keys of all cache objects created and read within the S3 bucket, effectively creating a scope. To do that use the `SCCACHE_S3_KEY_PREFIX` environment variable. This can be useful when sharing a bucket with another application.
 
 # R2

src/cache/cache.rs

@@ -547,6 +547,7 @@ pub fn storage_from_config(
                     c.no_credentials,
                     c.endpoint.as_deref(),
                     c.use_ssl,
+                    c.server_side_encryption,
                 )
                 .map_err(|err| anyhow!("create s3 cache failed: {err:?}"))?;
 

src/cache/s3.rs

@@ -26,6 +26,7 @@ impl S3Cache {
         no_credentials: bool,
         endpoint: Option<&str>,
         use_ssl: Option<bool>,
+        server_side_encryption: Option<bool>,
     ) -> Result<Operator> {
         let mut builder = S3::default();
         builder.bucket(bucket);
@@ -51,6 +52,10 @@ impl S3Cache {
             builder.endpoint(&endpoint_resolver(endpoint, use_ssl)?);
         }
 
+        if server_side_encryption.unwrap_or_default() {
+            builder.server_side_encryption_with_s3_key();
+        }
+
         let op = Operator::new(builder)?
             .layer(LoggingLayer::default())
             .finish();

src/config.rs

@@ -245,6 +245,7 @@ pub struct S3CacheConfig {
     pub no_credentials: bool,
     pub endpoint: Option<String>,
     pub use_ssl: Option<bool>,
+    pub server_side_encryption: Option<bool>,
 }
 
 #[derive(Debug, PartialEq, Eq)]
@@ -519,6 +520,18 @@ fn config_from_env() -> Result<EnvConfig> {
         let use_ssl = env::var("SCCACHE_S3_USE_SSL")
             .ok()
             .map(|value| value != "off");
+
+        let server_side_encryption =
+            env::var("SCCACHE_S3_SERVER_SIDE_ENCRYPTION")
+                .ok()
+                .map_or(Ok(Some(false)), |val| match val.as_str() {
+                    "true" | "1" => Ok(Some(true)),
+                    "false" | "0" => Ok(Some(false)),
+                    _ => bail!(
+                        "SCCACHE_S3_SERVER_SIDE_ENCRYPTION must be 'true', '1', 'false', or '0'."
+                    ),
+                })?;
+
         let endpoint = env::var("SCCACHE_ENDPOINT").ok();
         let key_prefix = env::var("SCCACHE_S3_KEY_PREFIX")
             .ok()
@@ -535,6 +548,7 @@ fn config_from_env() -> Result<EnvConfig> {
             key_prefix,
             endpoint,
             use_ssl,
+            server_side_encryption,
         })
     } else {
         None
@@ -1244,6 +1258,7 @@ endpoint = "s3-us-east-1.amazonaws.com"
 use_ssl = true
 key_prefix = "s3prefix"
 no_credentials = true
+server_side_encryption = false
 
 [cache.webdav]
 endpoint = "http://127.0.0.1:8080"
@@ -1289,6 +1304,7 @@ token = "webdavtoken"
                     use_ssl: Some(true),
                     key_prefix: "s3prefix".into(),
                     no_credentials: true,
+                    server_side_encryption: Some(false)
                 }),
                 webdav: Some(WebdavCacheConfig {
                     endpoint: "http://127.0.0.1:8080".to_string(),