Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support AWS S3 FIPS endpoints #2763

Merged

Conversation

matt-domsch-sp
Copy link
Contributor

S3 endpoints even when ENV['AWS_USE_FIPS_ENDPOINT']=='true'. When FIPS is called for, and we are in a region where FIPS endpoints are available, this method should return the FIPS endpoint.

Furthermore, when S3 Transfer Acceleration (S3TA) is requested by configuration, the above endpoint gets overridden to select the S3TA endpoint. However, S3TA is not avaialble in GovCloud, and has no FIPS endpoint equivalents. In this instance, if the region is a GovCloud region, or if FIPS mode is called for, do not override the endpoint to use S3TA.

This is functionally equivalent to an issue submitted to the fog-aws project. fog/fog-aws#729

@matt-domsch-sp matt-domsch-sp marked this pull request as draft November 18, 2024 04:55
@matt-domsch-sp matt-domsch-sp force-pushed the govcloud-fips-entrypoint branch 2 times, most recently from 782e5ca to d3f5f9f Compare November 18, 2024 05:08
S3 endpoints even when ENV['AWS_USE_FIPS_ENDPOINT']=='true'. When FIPS
is called for, and we are in a region where FIPS endpoints are
available, this method should return the FIPS endpoint.

Furthermore, when S3 Transfer Acceleration (S3TA) is requested by
configuration, the above endpoint gets overridden to select the S3TA
endpoint. However, S3TA is not avaialble in GovCloud, and has no FIPS
endpoint equivalents. In this instance, if the region is a GovCloud
region, or if FIPS mode is called for, do not override the endpoint to
use S3TA.

This is functionally equivalent to an issue submitted to the fog-aws
project.  fog/fog-aws#729
The code can be simplified if we move the test for GovCloud or FIPS
outside of the if use_virtual_hosted_style block.  This makes it
explicit what it's trying to do - which is disable the use of
acceleration.

We won't emit a warning here.  The corresponding code going into
the fog-aws gem will emit a warning once that code is merged. We
don't need two warnings for the same thing.
The fog-aws gem won't emit a warning if we've disabled S3TA
ourselves. It would only emit the warning if _it_ disabled S3TA using
the same test.  Therefore, we want the same warning emitted in
Carrierwave as is in fog-aws after all.
@matt-domsch-sp matt-domsch-sp marked this pull request as ready for review November 20, 2024 03:41
@matt-domsch-sp
Copy link
Contributor Author

The equivalent patch to fog-aws has been merged into that upstream.


# GovCloud doesn't support S3 Transfer Acceleration https://docs.aws.amazon.com/govcloud-us/latest/UserGuide/govcloud-s3.html
# S3 Transfer Acceleration doesn't support FIPS endpoints. When both fog_aws_accelerate=true and AWS_USE_FIPS_ENDPOINT=true, don't use Accelerate.
if @uploader.fog_aws_accelerate && (AWS_GOVCLOUD_REGIONS.include?(region) || ENV['AWS_USE_FIPS_ENDPOINT'] == 'true')
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We don't need to embed the knowledge about AWS regions into CarrierWave. If an app is using AWS regions that supports S3 Transfer Acceleration it can be set as config.fog_aws_accelerate = true, that's it. We should let developers decide.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok, I can remove this section.

"s3.#{region}.amazonaws.com"
end
regional_host = 's3.amazonaws.com' # used for DEFAULT_S3_REGION or no region set
if ENV['AWS_USE_FIPS_ENDPOINT'] == 'true' && AWS_FIPS_REGIONS.include?(region)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't use an environment variable here. You should create a config like fog_aws_fips, in a same manner with fog_aws_accelerate. You don't need to check AWS region here, just letting developer choose is enough.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is the same environment variable that the AWS SDK uses to determine if it should choose the FIPS endpoints, hence my use of it here.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CarrierWave is not the AWS SDK. Every software has its own way of configuration, and you need to follow it. Otherwise there'll be a mess.

@mshibuya
Copy link
Member

A change needs to have corresponding RSpec test examples, so it doesn't break unintentionally in future.

@matt-domsch-sp matt-domsch-sp force-pushed the govcloud-fips-entrypoint branch 3 times, most recently from 815051c to e1a2453 Compare November 26, 2024 04:01
This adds the [:fog_aws_fips] option, default false. When true, it
causes the default endpoint hostname to be changed from `s3` to `s3-fips`.
@matt-domsch-sp matt-domsch-sp force-pushed the govcloud-fips-entrypoint branch from e1a2453 to ccd6603 Compare November 26, 2024 04:13
@matt-domsch-sp
Copy link
Contributor Author

Thank you for the review and feedback. Code cleaned up, :fog_aws_fips option and specs added. The added specs fail the Cyclomatic complexity rule. Please advise how you'd like this to be handled.

@matt-domsch-sp matt-domsch-sp force-pushed the govcloud-fips-entrypoint branch 2 times, most recently from a78252b to 6c80ddb Compare November 28, 2024 04:20
public_url returns a path-based URL when :endpoint is given.  AWS FIPS
endpoints only work with virtual host-style URLs per
https://aws.amazon.com/compliance/fips/

Add a warning and return nil if both :endpoint is given and
:fog_aws_fips=true.

Add tests for :endpoint for both :fog_aws_fips=false (default) and
true.
@matt-domsch-sp matt-domsch-sp force-pushed the govcloud-fips-entrypoint branch from 6c80ddb to 0d5a661 Compare November 28, 2024 04:32
@mshibuya mshibuya changed the title The CarrierWave::Storage::File#public_url method returns the standard Support AWS S3 FIPS endpoints Dec 1, 2024
@mshibuya mshibuya merged commit 054bd3d into carrierwaveuploader:master Dec 1, 2024
13 of 14 checks passed
@mshibuya
Copy link
Member

mshibuya commented Dec 1, 2024

OK I can take care of the rest. Thank you!

mshibuya added a commit that referenced this pull request Dec 1, 2024
- Reorganize spec/storage/fog_helper.rb so it doesn't have high cyclomatic complexity
mshibuya added a commit that referenced this pull request Dec 1, 2024
- Raises an error instead of returning nil
- Reorganize spec/storage/fog_helper.rb so it doesn't have high cyclomatic complexity
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants