Return nil if both :endpoint given and :fog_aws_fips=true

public_url returns a path-based URL when :endpoint is given. AWS FIPS endpoints only work with virtual host-style URLs per https://aws.amazon.com/compliance/fips/ Add a warning and return nil if both :endpoint is given and :fog_aws_fips=true. Add tests for :endpoint for both :fog_aws_fips=false (default) and true.
carrierwaveuploader · Nov 28, 2024 · 6c80ddb · 6c80ddb
1 parent ccd6603
commit 6c80ddb
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 1 deletion.
diff --git a/lib/carrierwave/storage/fog.rb b/lib/carrierwave/storage/fog.rb
@@ -376,7 +376,12 @@ def public_url
             when 'AWS'
               # check if some endpoint is set in fog_credentials
               if @uploader.fog_credentials.has_key?(:endpoint)
-                "#{@uploader.fog_credentials[:endpoint]}/#{@uploader.fog_directory}/#{encoded_path}"
+                if !@uploader.fog_aws_fips
+                  "#{@uploader.fog_credentials[:endpoint]}/#{@uploader.fog_directory}/#{encoded_path}"
+                else
+                  warn 'Use of options :endpoint and :fog_aws_fips=true together will fail, as FIPS endpoints do not support path-style URLs.'
+                  nil
+                end
               else
                 protocol = @uploader.fog_use_ssl_for_aws ? "https" : "http"
 

diff --git a/spec/storage/fog_helper.rb b/spec/storage/fog_helper.rb
@@ -504,6 +504,20 @@ def check_file
             expect(@fog_file.public_url).to include("https://#{CARRIERWAVE_DIRECTORY}.s3-accelerate.amazonaws.com")
           end
 
+          it 'returns endpoint+bucket when :endpoint and !:fog_aws_fips' do
+            allow(@uploader).to receive(:fog_credentials).and_return(@uploader.fog_credentials.merge(endpoint: 'https://custom-endpoint.example.com'))
+            allow(@uploader).to receive(:fog_directory).and_return('SiteAssets')
+            allow(@uploader).to receive(:fog_aws_fips).and_return(false)
+            expect(@fog_file.url).to include('https://custom-endpoint.example.com/SiteAssets')
+          end
+
+          it 'returns nil when both :endpoint and :fog_aws_fips=true' do
+            allow(@uploader).to receive(:fog_credentials).and_return(@uploader.fog_credentials.merge(endpoint: 'https://custom-endpoint.example.com'))
+            allow(@uploader).to receive(:fog_directory).and_return('SiteAssets')
+            allow(@uploader).to receive(:fog_aws_fips).and_return(true)
+            expect(@fog_file.url).to be nil
+          end
+
           context 'when the directory is not a valid subdomain' do
             it "should not use a subdomain URL for AWS" do
               allow(@uploader).to receive(:fog_directory).and_return('SiteAssets')