From 782e5ca20d17b2b83ebe12157618ff44e831e910 Mon Sep 17 00:00:00 2001
From: matt-domsch-sp
Date: Mon, 18 Nov 2024 04:00:33 +0000
Subject: [PATCH] The CarrierWave::Storage::File#public_url method returns the standard S3 endpoints even when ENV['AWS_USE_FIPS_ENDPOINT']=='true'. When FIPS is called for, and we are in a region where FIPS endpoints are available, this method should return the FIPS endpoint. Furthermore, when S3 Transfer Acceleration (S3TA) is requested by configuration, the above endpoint gets overridden to select the S3TA endpoint. However, S3TA is not avaialble in GovCloud, and has no FIPS endpoint equivalents. In this instance, if the region is a GovCloud region, or if FIPS mode is called for, do not override the endpoint to use S3TA. This is functionally equivalent to an issue submitted to the fog-aws project. https://github.com/fog/fog-aws/issues/729
---
 lib/carrierwave/storage/fog.rb | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/lib/carrierwave/storage/fog.rb b/lib/carrierwave/storage/fog.rb
index 1d9fe1f12..2008d2387 100644
--- a/lib/carrierwave/storage/fog.rb
+++ b/lib/carrierwave/storage/fog.rb
@@ -163,6 +163,8 @@ def connection
 class File
 DEFAULT_S3_REGION = 'us-east-1'.freeze
+ AWS_FIPS_REGIONS = ['us-east-1', 'us-east-2', 'us-west-1', 'us-west-2', 'us-gov-east-1', 'us-gov-west-1', 'ca-central-1', 'ca-west-1'].freeze
+ AWS_GOVCLOUD_REGIONS = ['us-gov-east-1', 'us-gov-west-1'].freeze
 
 include CarrierWave::Utilities::Uri
 include CarrierWave::Utilities::FileName
 
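Review bot: `AWS_FIPS_REGIONS` and `AWS_GOVCLOUD_REGIONS` are hand-maintained tables of AWS endpoint availability that will drift silently as AWS adds regions, and nothing in the hunk records where the lists came from or when they were last checked. A provenance comment above each makes later audits possible, e.g. `# Regions with an S3 FIPS endpoint; keep in sync with https://aws.amazon.com/compliance/fips/ (last reviewed <date>)` and `# Regions where S3 Transfer Acceleration is unavailable; see the GovCloud S3 user guide`. Because the FIPS list gates whether a FIPS-mandated deployment actually receives a FIPS host in `public_url` (the second hunk), a stale entry is a compliance gap rather than a cosmetic one. The enclosing `class File` continues outside the hunk.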
@@ -383,15 +385,17 @@ def public_url
 use_virtual_hosted_style = @uploader.fog_directory.to_s =~ subdomain_regex && !(protocol == 'https' && @uploader.fog_directory =~ /\./)
 region = @uploader.fog_credentials[:region].to_s
- regional_host = case region
- when DEFAULT_S3_REGION, ''
- 's3.amazonaws.com'
- else
- "s3.#{region}.amazonaws.com"
- end
+ regional_host = 's3.amazonaws.com' # used for DEFAULT_S3_REGION or no region set
+ if ENV['AWS_USE_FIPS_ENDPOINT'] == 'true' && AWS_FIPS_REGIONS.include?(region)
+ regional_host = "s3-fips.#{region}.amazonaws.com" # https://aws.amazon.com/compliance/fips/
+ elsif not [DEFAULT_S3_REGION, ''].include?(region)
+ regional_host = "s3.#{region}.amazonaws.com"
+ end
 
 if use_virtual_hosted_style
- regional_host = 's3-accelerate.amazonaws.com' if @uploader.fog_aws_accelerate
+ # GovCloud doesn't support S3 Transfer Acceleration https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-s3.html
+ # S3 Transfer Acceleration doesn't support FIPS endpoints. When both fog_aws_accelerate=true and AWS_USE_FIPS_ENDPOINT=true, don't use Accelerate.
+ regional_host = 's3-accelerate.amazonaws.com' if @uploader.fog_aws_accelerate && (not AWS_GOVCLOUD_REGIONS.include?(region)) && ENV['AWS_USE_FIPS_ENDPOINT'] != 'true'
 "#{protocol}://#{@uploader.fog_directory}.#{regional_host}/#{encoded_path}"
 else
 # directory is not a valid subdomain, so use path style for access
 "#{protocol}://#{regional_host}/#{@uploader.fog_directory}/#{encoded_path}"
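Review bot: When `AWS_USE_FIPS_ENDPOINT` is `'true'` but `region` is not in `AWS_FIPS_REGIONS`, the new `if`/`elsif` falls through to the plain `s3.#{region}.amazonaws.com` (or `s3.amazonaws.com`) host, so a deployment that mandates FIPS silently receives a non-FIPS URL with no signal; whether fog-aws itself rejects that combination is not visible here, so the behaviour in `public_url` should be explicit. Failing closed with `raise ArgumentError, "FIPS endpoint requested but not available in region '#{region}'"` is the safer default, and a logged warning is the minimum if callers cannot tolerate an exception from a URL accessor. Separately, the environment variable is read twice with opposite comparisons (`== 'true'` and `!= 'true'`) and negation is written as both `not` and `!`; hoisting the flag into one `use_fips` local and assigning `regional_host` from a single `if` expression keeps the FIPS and Accelerate decisions in step. `public_url` begins before the hunk and the `else` branch it ends on is unchanged.
```ruby
region = @uploader.fog_credentials[:region].to_s
use_fips = ENV['AWS_USE_FIPS_ENDPOINT'] == 'true'
regional_host = if use_fips && AWS_FIPS_REGIONS.include?(region)
                  "s3-fips.#{region}.amazonaws.com" # https://aws.amazon.com/compliance/fips/
                elsif use_fips
                  # Fail closed: a FIPS-mandated deployment must not quietly get a standard endpoint.
                  raise ArgumentError, "FIPS endpoint requested but not available in region '#{region}'"
                elsif [DEFAULT_S3_REGION, ''].include?(region)
                  's3.amazonaws.com'
                else
                  "s3.#{region}.amazonaws.com"
                end

if use_virtual_hosted_style
  # Transfer Acceleration has no GovCloud or FIPS endpoint, so it is never selected in those modes.
  regional_host = 's3-accelerate.amazonaws.com' if @uploader.fog_aws_accelerate && !use_fips && !AWS_GOVCLOUD_REGIONS.include?(region)
  # … unchanged: virtual-hosted URL interpolation …
# … unchanged: else branch with path-style URL …
```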