From a78252be97779f56add098ed3afe3f3612104888 Mon Sep 17 00:00:00 2001
From: matt-domsch-sp
Date: Thu, 28 Nov 2024 04:09:00 +0000
Subject: [PATCH] Return nil if both :endpoint given and :fog_aws_fips=true

public_url returns a path-based URL when :endpoint is given. AWS FIPS endpoints only work with virtual host-style URLs per https://aws.amazon.com/compliance/fips/ Add a warning and return nil if both :endpoint is given and :fog_aws_fips=true. Add tests for :endpoint for both :fog_aws_fips=false (default) and true.
---
 lib/carrierwave/storage/fog.rb | 7 ++++++-
 spec/storage/fog_helper.rb | 14 ++++++++++++++
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/lib/carrierwave/storage/fog.rb b/lib/carrierwave/storage/fog.rb
index 94a1bd8a1..7e97c0bb3 100644
--- a/lib/carrierwave/storage/fog.rb
+++ b/lib/carrierwave/storage/fog.rb
@@ -376,7 +376,12 @@ def public_url
 when 'AWS'
 # check if some endpoint is set in fog_credentials
 if @uploader.fog_credentials.has_key?(:endpoint)
- "#{@uploader.fog_credentials[:endpoint]}/#{@uploader.fog_directory}/#{encoded_path}"
+ if !@uploader.fog_aws_fips
+ "#{@uploader.fog_credentials[:endpoint]}/#{@uploader.fog_directory}/#{encoded_path}"
+ else
+ warn 'Use of options :endpoint and :fog_aws_fips=true together will fail, as FIPS endpoints do not support path-style URLs.'
+ nil
+ end
 else
 protocol = @uploader.fog_use_ssl_for_aws ? "https" : "http"

diff --git a/spec/storage/fog_helper.rb b/spec/storage/fog_helper.rb
index f41a79c3a..6ba6b5864 100644
--- a/spec/storage/fog_helper.rb
+++ b/spec/storage/fog_helper.rb
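Review bot: The new `else` branch in `public_url` calls `warn` on every URL lookup and then hands callers a bare `nil`, so a deployment that sets both options gets one stderr line per rendered link and broken links with no exception. Returning nil does fail closed, since no path-style URL is produced for a bucket that is required to use a FIPS endpoint, but the conflict is static configuration and would be easier to catch if it were rejected once when the uploader is configured, or at least warned about once per process. A comment on the branch would record the intent, for example `# FIPS needs virtual-host-style URLs; a custom :endpoint yields path-style ones, so return no URL`. The `if !… else` also reads more directly with the positive test first, `if @uploader.fog_aws_fips`. public_url begins and ends outside this hunk, so whether the signed-URL path applies the same rule cannot be confirmed from here.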
@@ -504,6 +504,20 @@ def check_file
 expect(@fog_file.public_url).to include("https://#{CARRIERWAVE_DIRECTORY}.s3-accelerate.amazonaws.com")
 end

+ it 'returns endpoint+bucket when :endpoint and !:fog_aws_fips' do
+ allow(@uploader).to receive(:endpoint).and_return('https://custom-endpoint.example.com')
+ allow(@uploader).to receive(:fog_directory).and_return('SiteAssets')
+ allow(@uploader).to receive(:fog_aws_fips).and_return(false)
+ expect(@fog_file.url).to include('https://custom-endpoint.example.com/SiteAssets')
+ end
+
+ it 'returns nil when both :endpoint and :fog_aws_fips=true' do
+ allow(@uploader).to receive(:endpoint).and_return('https://custom-endpoint.example.com')
+ allow(@uploader).to receive(:fog_directory).and_return('SiteAssets')
+ allow(@uploader).to receive(:fog_aws_fips).and_return(true)
+ expect(@fog_file.url).to be nil
+ end
+
 context 'when the directory is not a valid subdomain' do
 it "should not use a subdomain URL for AWS" do
 allow(@uploader).to receive(:fog_directory).and_return('SiteAssets')
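Review bot: Both new examples stub `@uploader.endpoint`, but the branch added in lib/carrierwave/storage/fog.rb is selected by `@uploader.fog_credentials.has_key?(:endpoint)`, so unless the shared credentials already carry :endpoint (not visible here) these stubs never reach the code under test. Stubbing the credentials hash instead would drive it: `allow(@uploader).to receive(:fog_credentials).and_return(@uploader.fog_credentials.merge(endpoint: 'https://custom-endpoint.example.com'))`. The examples also call `@fog_file.url` rather than `public_url`, which presumably only reaches the changed branch when the uploader is public; asserting on `public_url` directly would remove that dependency. The FIPS example could additionally pin the warning with `expect { @fog_file.public_url }.to output(/fog_aws_fips/).to_stderr`. The enclosing context block starts and ends outside the hunk.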