The CarrierWave::Storage::File#public_url method returns the standard

S3 endpoints even when ENV['AWS_USE_FIPS_ENDPOINT']=='true'. When FIPS is called for, and we are in a region where FIPS endpoints are available, this method should return the FIPS endpoint. Furthermore, when S3 Transfer Acceleration (S3TA) is requested by configuration, the above endpoint gets overridden to select the S3TA endpoint. However, S3TA is not avaialble in GovCloud, and has no FIPS endpoint equivalents. In this instance, if the region is a GovCloud region, or if FIPS mode is called for, do not override the endpoint to use S3TA. This is functionally equivalent to an issue submitted to the fog-aws project. fog/fog-aws#729
carrierwaveuploader · Nov 18, 2024 · 782e5ca · 782e5ca
1 parent 61c2732
commit 782e5ca
Showing 1 changed file with 11 additions and 7 deletions.
diff --git a/lib/carrierwave/storage/fog.rb b/lib/carrierwave/storage/fog.rb
@@ -163,6 +163,8 @@ def connection
 
       class File
         DEFAULT_S3_REGION = 'us-east-1'.freeze
+        AWS_FIPS_REGIONS = ['us-east-1', 'us-east-2', 'us-west-1', 'us-west-2', 'us-gov-east-1', 'us-gov-west-1', 'ca-central-1', 'ca-west-1'].freeze
+        AWS_GOVCLOUD_REGIONS = ['us-gov-east-1', 'us-gov-west-1'].freeze
 
         include CarrierWave::Utilities::Uri
         include CarrierWave::Utilities::FileName
@@ -383,15 +385,17 @@ def public_url
                 use_virtual_hosted_style = @uploader.fog_directory.to_s =~ subdomain_regex && !(protocol == 'https' && @uploader.fog_directory =~ /\./)
 
                 region = @uploader.fog_credentials[:region].to_s
-                regional_host = case region
-                                when DEFAULT_S3_REGION, ''
-                                  's3.amazonaws.com'
-                                else
-                                  "s3.#{region}.amazonaws.com"
-                                end
+                regional_host = 's3.amazonaws.com' # used for DEFAULT_S3_REGION or no region set
+                if ENV['AWS_USE_FIPS_ENDPOINT'] == 'true' && AWS_FIPS_REGIONS.include?(region)
+                  regional_host = "s3-fips.#{region}.amazonaws.com"  # https://aws.amazon.com/compliance/fips/
+                elsif not [DEFAULT_S3_REGION, ''].include?(region)
+                  regional_host = "s3.#{region}.amazonaws.com"
+                end
 
                 if use_virtual_hosted_style
-                  regional_host = 's3-accelerate.amazonaws.com' if @uploader.fog_aws_accelerate
+                  # GovCloud doesn't support S3 Transfer Acceleration https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-s3.html
+                  # S3 Transfer Acceleration doesn't support FIPS endpoints.  When both fog_aws_accelerate=true and AWS_USE_FIPS_ENDPOINT=true, don't use Accelerate.
+                  regional_host = 's3-accelerate.amazonaws.com' if @uploader.fog_aws_accelerate && (not AWS_GOVCLOUD_REGIONS.include?(region)) && ENV['AWS_USE_FIPS_ENDPOINT'] != 'true'
                   "#{protocol}://#{@uploader.fog_directory}.#{regional_host}/#{encoded_path}"
                 else # directory is not a valid subdomain, so use path style for access
                   "#{protocol}://#{regional_host}/#{@uploader.fog_directory}/#{encoded_path}"