Return nil if both :endpoint given and :fog_aws_fips=true
public_url returns a path-based URL when :endpoint is given.  AWS FIPS
endpoints only work with virtual host-style URLs per
https://aws.amazon.com/compliance/fips/

Add a warning and return nil when :endpoint is given together with
:fog_aws_fips=true.

Add tests for :endpoint for both :fog_aws_fips=false (default) and
true.
matt-domsch-sp committed Nov 28, 2024
1 parent ccd6603 commit 0d5a661
Showing 2 changed files with 22 additions and 1 deletion.
7 changes: 6 additions & 1 deletion lib/carrierwave/storage/fog.rb
@@ -376,7 +376,12 @@ def public_url
when 'AWS'
# check if some endpoint is set in fog_credentials
if @uploader.fog_credentials.has_key?(:endpoint)
"#{@uploader.fog_credentials[:endpoint]}/#{@uploader.fog_directory}/#{encoded_path}"
if !@uploader.fog_aws_fips
"#{@uploader.fog_credentials[:endpoint]}/#{@uploader.fog_directory}/#{encoded_path}"
else
warn 'Use of options :endpoint and :fog_aws_fips=true together will fail, as FIPS endpoints do not support path-style URLs.'
nil
end
else
protocol = @uploader.fog_use_ssl_for_aws ? "https" : "http"

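Review bot: The `nil` returned from the new inner `else` branch is a fail-closed result that every caller of public_url now has to handle, and nothing in the hunk documents it; a comment above the inner `if`, such as `# FIPS endpoints accept only virtual-hosted-style URLs, so no path-style URL is built here`, would record the intent. The `warn` call runs on each public_url call, so a page that renders many URLs repeats the same line on stderr. Checking the :endpoint / :fog_aws_fips combination once when the configuration is loaded would surface the conflict earlier, though whether a suitable hook exists is not visible here. As a style point, the negated `if !@uploader.fog_aws_fips ... else` reads more directly as `if @uploader.fog_aws_fips` with the two branches swapped. public_url starts and ends outside the hunk.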
16 changes: 16 additions & 0 deletions spec/storage/fog_helper.rb
@@ -362,9 +362,11 @@ def check_file
describe "CarrierWave::Storage::Fog::File" do
let(:store_path) { 'uploads/test.jpg' }
let(:fog_public) { true }
let(:endpoint) { nil }
before do
allow(@uploader).to receive(:store_path).and_return(store_path)
allow(@uploader).to receive(:fog_public).and_return(fog_public)
allow(@uploader).to receive(:endpoint).and_return(endpoint)
@fog_file = @storage.store!(CarrierWave::SanitizedFile.new(stub_file('test.jpg', 'image/jpeg')))
end

@@ -504,6 +506,20 @@ def check_file
expect(@fog_file.public_url).to include("https://#{CARRIERWAVE_DIRECTORY}.s3-accelerate.amazonaws.com")
end

it 'returns nil when both :endpoint and :fog_aws_fips=true' do
allow(@uploader).to receive(:fog_credentials).and_return(@uploader.fog_credentials.merge(endpoint: 'https://custom-endpoint.example.com'))
allow(@uploader).to receive(:fog_directory).and_return('SiteAssets')
allow(@uploader).to receive(:fog_aws_fips).and_return(true)
expect(@fog_file.url).to be nil
end

it 'returns endpoint+bucket when :endpoint and !:fog_aws_fips' do
allow(@uploader).to receive(:fog_credentials).and_return(@uploader.fog_credentials.merge(endpoint: 'https://custom-endpoint.example.com'))
allow(@uploader).to receive(:fog_directory).and_return('SiteAssets')
allow(@uploader).to receive(:fog_aws_fips).and_return(false)
expect(@fog_file.url).to include('https://custom-endpoint.example.com/SiteAssets')
end

context 'when the directory is not a valid subdomain' do
it "should not use a subdomain URL for AWS" do
allow(@uploader).to receive(:fog_directory).and_return('SiteAssets')
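Review bot: The `let(:endpoint) { nil }` and `allow(@uploader).to receive(:endpoint).and_return(endpoint)` lines in the first hunk look unused. The code under test reads `@uploader.fog_credentials[:endpoint]`, and both new examples override `fog_credentials` directly, so the stub could be dropped unless something outside the visible lines relies on it. The FIPS example asserts only the nil return and not the warning, which will also print into the spec output. Wrapping the call as `expect { @fog_file.url }.to output(/fog_aws_fips/).to_stderr` would pin the message and keep the run quiet. The enclosing `describe` block starts and ends outside both hunks.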
