From d3f5f9f3648a043602a989f0bb8a9c6301e0a6ea Mon Sep 17 00:00:00 2001
From: matt-domsch-sp
Date: Mon, 18 Nov 2024 04:00:33 +0000
Subject: [PATCH] The CarrierWave::Storage::File#public_url method returns the standard S3 endpoints even when ENV['AWS_USE_FIPS_ENDPOINT']=='true'. When FIPS is called for, and we are in a region where FIPS endpoints are available, this method should return the FIPS endpoint. Furthermore, when S3 Transfer Acceleration (S3TA) is requested by configuration, the above endpoint gets overridden to select the S3TA endpoint. However, S3TA is not avaialble in GovCloud, and has no FIPS endpoint equivalents. In this instance, if the region is a GovCloud region, or if FIPS mode is called for, do not override the endpoint to use S3TA. This is functionally equivalent to an issue submitted to the fog-aws project. https://github.com/fog/fog-aws/issues/729
---
 lib/carrierwave/storage/fog.rb | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/lib/carrierwave/storage/fog.rb b/lib/carrierwave/storage/fog.rb
index 1d9fe1f12..2deeef9e7 100644
--- a/lib/carrierwave/storage/fog.rb
+++ b/lib/carrierwave/storage/fog.rb
@@ -163,6 +163,8 @@ def connection
       class File
         DEFAULT_S3_REGION = 'us-east-1'.freeze
+        AWS_FIPS_REGIONS = %w(us-east-1 us-east-2 us-west-1 us-west-2 us-gov-east-1 us-gov-west-1 ca-central-1 ca-west-1).freeze
+        AWS_GOVCLOUD_REGIONS = %w(us-gov-east-1 us-gov-west-1).freeze
 
         include CarrierWave::Utilities::Uri
         include CarrierWave::Utilities::FileName
 
@@ -383,15 +385,17 @@ def public_url
               use_virtual_hosted_style = @uploader.fog_directory.to_s =~ subdomain_regex && !(protocol == 'https' && @uploader.fog_directory =~ /\./)
 
               region = @uploader.fog_credentials[:region].to_s
-              regional_host = case region
-                              when DEFAULT_S3_REGION, ''
-                                's3.amazonaws.com'
-                              else
-                                "s3.#{region}.amazonaws.com"
-                              end
+              regional_host = 's3.amazonaws.com' # used for DEFAULT_S3_REGION or no region set
+              if ENV['AWS_USE_FIPS_ENDPOINT'] == 'true' && AWS_FIPS_REGIONS.include?(region)
+                regional_host = "s3-fips.#{region}.amazonaws.com" # https://aws.amazon.com/compliance/fips/
+              elsif ! [DEFAULT_S3_REGION, ''].include?(region)
+                regional_host = "s3.#{region}.amazonaws.com"
+              end
               if use_virtual_hosted_style
-                regional_host = 's3-accelerate.amazonaws.com' if @uploader.fog_aws_accelerate
+                # GovCloud doesn't support S3 Transfer Acceleration https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-s3.html
+                # S3 Transfer Acceleration doesn't support FIPS endpoints. When both fog_aws_accelerate=true and AWS_USE_FIPS_ENDPOINT=true, don't use Accelerate.
+                regional_host = 's3-accelerate.amazonaws.com' if @uploader.fog_aws_accelerate && (! AWS_GOVCLOUD_REGIONS.include?(region)) && ENV['AWS_USE_FIPS_ENDPOINT'] != 'true'
                 "#{protocol}://#{@uploader.fog_directory}.#{regional_host}/#{encoded_path}"
               else
                 # directory is not a valid subdomain, so use path style for access
                 "#{protocol}://#{regional_host}/#{@uploader.fog_directory}/#{encoded_path}"
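Review bot: When `AWS_USE_FIPS_ENDPOINT` is `'true'` but no region is configured, the new `if` in the middle of the hunk falls through to plain `s3.amazonaws.com`, because `''` is not in `AWS_FIPS_REGIONS` even though the very next branch treats that same empty value as `DEFAULT_S3_REGION`; the same silent non-FIPS fallback happens for any region missing from the hard-coded list added in the first hunk as AWS adds FIPS endpoints. Resolving the default first keeps the two branches consistent: `fips_region = region.empty? ? DEFAULT_S3_REGION : region`, `if ENV['AWS_USE_FIPS_ENDPOINT'] == 'true' && AWS_FIPS_REGIONS.include?(fips_region)`, `regional_host = "s3-fips.#{fips_region}.amazonaws.com"`. Since a deployment that sets the FIPS flag normally does so for compliance, the remaining fallback case deserves a logged warning rather than a silent downgrade, and the comment on the FIPS line should state that the list is a snapshot that must be kept in step with AWS's published FIPS endpoints. Hoisting the flag into a local such as `use_fips = ENV['AWS_USE_FIPS_ENDPOINT'] == 'true'` would also avoid reading ENV twice and remove the `! [...]` / `(! ...)` spacing that RuboCop flags. public_url starts and ends outside the hunk.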