From f2f9e5bfc925267dfedb6237d83537a561d5dbe9 Mon Sep 17 00:00:00 2001
From: Ryan Rauh
Date: Thu, 17 Dec 2015 07:56:15 -0600
Subject: [PATCH 1/2] adds configuration for aws s3
---
 config/initializers/carrierwave.rb | 36 ++++++++++++++++--------------
 1 file changed, 19 insertions(+), 17 deletions(-)
diff --git a/config/initializers/carrierwave.rb b/config/initializers/carrierwave.rb
index b2a14153..59bd2ed9 100644
--- a/config/initializers/carrierwave.rb
+++ b/config/initializers/carrierwave.rb
@@ -1,18 +1,20 @@
-CarrierWave.configure do |config|
- config.storage = :fog
- config.fog_credentials = {
- provider: "AWS",
- path_style: true,
- region: ENV['AWS_DEFAULT_REGION'] || "us-west-2",
- endpoint: 'https://s3-us-west-2.amazonaws.com',
- aws_access_key_id: ENV['AWS_ACCESS_KEY_ID'],
- aws_secret_access_key: ENV['AWS_SECRET_ACCESS_KEY'],
- }
- config.fog_directory = ENV['AWS_S3_BUCKET']
- #config.fog_attributes = { :multipart_chunk_size => 104857600 }
- config.fog_attributes = {'Cache-Control'=>"max-age=#{365.day.to_i}"}
- config.min_file_size = "1"
- config.max_file_size = "#{5 * 1024 * 1024}"
- config.fog_public = true
- config.use_action_status = true
+if ENV['AWS_ENABLED']
+ CarrierWave.configure do |config|
+ config.storage = :fog
+ config.fog_credentials = {
+ provider: "AWS",
+ path_style: true,
+ region: ENV['AWS_DEFAULT_REGION'] || "us-west-2",
+ endpoint: ENV['AWS_S3_ENDPOINT'] || 'https://s3-us-west-2.amazonaws.com',
+ aws_access_key_id: ENV['AWS_ACCESS_KEY_ID'],
+ aws_secret_access_key: ENV['AWS_SECRET_ACCESS_KEY'],
+ }
+ config.fog_directory = ENV['AWS_S3_BUCKET']
+ #config.fog_attributes = { :multipart_chunk_size => 104857600 }
+ config.fog_attributes = {'Cache-Control'=>"max-age=#{365.day.to_i}"}
+ config.min_file_size = "1"
+ config.max_file_size = "#{5 * 1024 * 1024}"
+ config.fog_public = true
+ config.use_action_status = true
+ end
 end
From 6f835b4b6e5ec7f4a4712ac8e12a167aa7f4a458 Mon Sep 17 00:00:00 2001
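Review bot: The new guard `if ENV['AWS_ENABLED']` is true for any non-empty value, so `AWS_ENABLED=false` or `AWS_ENABLED=0` still switches storage to S3; the second patch in this series compares `ENV['AWS_S3_ENCRYPTED'] == 'true'`, and the same form here (`if ENV['AWS_ENABLED'] == 'true'`) would keep the two switches consistent. The endpoint is now read from `ENV['AWS_S3_ENDPOINT']` with no check, so an `http://` value would carry uploads and signed requests in cleartext; a scheme check, or at least a comment such as `# AWS_S3_ENDPOINT must be an https:// URL`, would record that expectation. `config.fog_public = true` is carried over unchanged, which in CarrierWave's fog storage makes uploaded objects publicly readable, so the server-side encryption added later in the series protects data at rest but does not restrict who can fetch it.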
From: Ryan Rauh
Date: Sat, 9 Jan 2016 16:56:05 -0600
Subject: [PATCH 2/2] add configuration for server-side encrypted s3 uploads
---
 Gemfile | 2 +-
 Gemfile.lock | 109 ++++++++++++------
 app/controllers/api/uploads_controller.rb | 34 ++++--
 .../app/components/hb-markdown-composer.js | 10 +-
 features.json | 3 +-
 5 files changed, 110 insertions(+), 48 deletions(-)
diff --git a/Gemfile b/Gemfile
index 9dc31078..5ef3a9a7 100644
--- a/Gemfile
+++ b/Gemfile
@@ -32,7 +32,7 @@ gem 'faraday-http-cache'
 gem 'connection_pool'
 gem 'addressable'
 gem 'kgio'
-gem 'carrierwave_direct'
+gem 'carrierwave_direct', :github => 'huboard/carrierwave_direct'
 gem 'memcachier'
 gem 'solid_use_case'
 gem 'faye'
diff --git a/Gemfile.lock b/Gemfile.lock index 2de943aa..4357c51f 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -1,3 +1,12 @@ +GIT + remote: git://github.com/huboard/carrierwave_direct.git + revision: 59f51f1fe3c6c221db5a25b7675dafb59f40f861 + specs: + carrierwave_direct (0.0.15) + carrierwave + fog + uuidtools + PATH remote: vendor/engines/saas specs: @@ -14,7 +23,7 @@ PATH GEM remote: https://rubygems.org/ specs: - CFPropertyList (2.3.1) + CFPropertyList (2.3.2) actionmailer (4.2.0) actionpack (= 4.2.0) actionview (= 4.2.0) @@ -71,10 +80,6 @@ GEM activesupport (>= 3.2.0) json (>= 1.7) mime-types (>= 1.16) - carrierwave_direct (0.0.15) - carrierwave - fog - uuidtools celluloid (0.16.0) timers (~> 4.0.0) coderay (1.1.0) @@ -118,7 +123,7 @@ GEM ethon (0.8.0) ffi (>= 1.3.0) eventmachine (1.0.7) - excon (0.44.4) + excon (0.45.4) execjs (2.4.0) faraday (0.9.2) multipart-post (>= 1.2, < 3) 
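Review bot: The `:github => 'huboard/carrierwave_direct'` source carries no ref or tag in the Gemfile, and the Gemfile.lock section of this patch records the remote as `git://github.com/huboard/carrierwave_direct.git`, an unauthenticated and unencrypted transport, so only the revision in the lockfile pins what gets installed. Spelling the source out keeps both the transport and the revision explicit: `gem 'carrierwave_direct', :git => 'https://github.com/huboard/carrierwave_direct.git', :ref => '59f51f1fe3c6c221db5a25b7675dafb59f40f861'`. This gem appears to supply the `policy` and `signature` used by `asset_uploader`, so an unreviewed change on the fork's default branch would otherwise reach the upload-signing path on the next `bundle update`.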
@@ -144,13 +149,18 @@ GEM ffi (1.9.10) fission (0.5.0) CFPropertyList (~> 2.2) - fog (1.28.0) + fog (1.37.0) + fog-aliyun (>= 0.1.0) fog-atmos - fog-aws (~> 0.0) + fog-aws (>= 0.6.0) fog-brightbox (~> 0.4) - fog-core (~> 1.27, >= 1.27.3) - fog-ecloud + fog-core (~> 1.32) + fog-dynect (~> 0.0.2) + fog-ecloud (~> 0.1) + fog-google (<= 0.1.0) fog-json + fog-local + fog-powerdns (>= 0.1.1) fog-profitbricks fog-radosgw (>= 0.0.2) fog-riakcs @@ -161,38 +171,56 @@ GEM fog-terremark fog-vmfusion fog-voxel + fog-vsphere (>= 0.4.0) + fog-xenserver fog-xml (~> 0.1.1) ipaddress (~> 0.5) - nokogiri (~> 1.5, >= 1.5.11) + fog-aliyun (0.1.0) + fog-core (~> 1.27) + fog-json (~> 1.0) + ipaddress (~> 0.8) + xml-simple (~> 1.1) fog-atmos (0.1.0) fog-core fog-xml - fog-aws (0.1.1) + fog-aws (0.8.1) fog-core (~> 1.27) fog-json (~> 1.0) fog-xml (~> 0.1) ipaddress (~> 0.8) - fog-brightbox (0.7.1) + fog-brightbox (0.10.1) fog-core (~> 1.22) fog-json inflecto (~> 0.0.2) - fog-core (1.29.0) + fog-core (1.35.0) builder - excon (~> 0.38) + excon (~> 0.45) formatador (~> 0.2) - mime-types - net-scp (~> 1.1) - net-ssh (>= 2.1.3) - fog-ecloud (0.0.2) + fog-dynect (0.0.2) fog-core + fog-json fog-xml - fog-json (1.0.0) - multi_json (~> 1.0) - fog-profitbricks (0.0.2) + fog-ecloud (0.3.0) + fog-core + fog-xml + fog-google (0.1.0) + fog-core + fog-json + fog-xml + fog-json (1.0.2) + fog-core (~> 1.0) + multi_json (~> 1.10) + fog-local (0.2.1) + fog-core (~> 1.27) + fog-powerdns (0.1.1) + fog-core (~> 1.27) + fog-json (~> 1.0) + fog-xml (~> 0.1) + fog-profitbricks (0.0.5) fog-core fog-xml nokogiri - fog-radosgw (0.0.3) + fog-radosgw (0.0.4) fog-core (>= 1.21.0) fog-json fog-xml (>= 0.0.1) 
@@ -200,28 +228,34 @@ GEM fog-core fog-json fog-xml - fog-sakuracloud (1.0.0) + fog-sakuracloud (1.7.5) fog-core fog-json - fog-serverlove (0.1.1) + fog-serverlove (0.1.2) fog-core fog-json - fog-softlayer (0.4.1) + fog-softlayer (1.0.3) fog-core fog-json - fog-storm_on_demand (0.1.0) + fog-storm_on_demand (0.1.1) fog-core fog-json - fog-terremark (0.0.4) + fog-terremark (0.1.0) fog-core fog-xml - fog-vmfusion (0.0.1) + fog-vmfusion (0.1.0) fission fog-core - fog-voxel (0.0.2) + fog-voxel (0.1.0) fog-core fog-xml - fog-xml (0.1.1) + fog-vsphere (0.4.0) + fog-core + rbvmomi (~> 1.8) + fog-xenserver (0.2.2) + fog-core + fog-xml + fog-xml (0.1.2) fog-core nokogiri (~> 1.5, >= 1.5.11) foreman (0.78.0) @@ -249,7 +283,7 @@ GEM multi_xml (>= 0.5.2) i18n (0.7.0) inflecto (0.0.2) - ipaddress (0.8.0) + ipaddress (0.8.2) jbuilder (2.2.12) activesupport (>= 3.0.0, < 5) multi_json (~> 1.2) @@ -278,9 +312,6 @@ GEM multi_json (1.11.2) multi_xml (0.5.5) multipart-post (2.0.0) - net-scp (1.2.1) - net-ssh (>= 2.6.5) - net-ssh (2.9.2) netrc (0.10.3) nokogiri (1.6.6.2) mini_portile (~> 0.6.0) @@ -341,6 +372,10 @@ GEM httparty (~> 0.11) json rack + rbvmomi (1.8.2) + builder + nokogiri (>= 1.4.1) + trollop rdoc (4.2.0) json (~> 1.4) redcarpet (3.2.2) @@ -418,6 +453,7 @@ GEM tilt (1.4.1) timers (4.0.1) hitimes + trollop (2.1.2) typhoeus (0.7.3) ethon (>= 0.7.4) tzinfo (1.2.2) @@ -436,6 +472,7 @@ GEM websocket-extensions (>= 0.1.0) websocket-extensions (0.1.2) wkhtmltopdf-heroku (2.12.2.1) + xml-simple (1.1.5) PLATFORMS ruby @@ -445,7 +482,7 @@ DEPENDENCIES annotate better_errors binding_of_caller - carrierwave_direct + carrierwave_direct! coffee-rails (~> 4.1.0) connection_pool couchrest diff --git a/app/controllers/api/uploads_controller.rb b/app/controllers/api/uploads_controller.rb index 62adcca6..b85ae01c 100644 --- a/app/controllers/api/uploads_controller.rb +++ b/app/controllers/api/uploads_controller.rb 
@@ -3,19 +3,35 @@ class UploadsController < ApiController def asset_uploader not_found unless logged_in? + not_found unless ENV['AWS_ENABLED'] uploader = AssetUploader.new uploader.will_include_content_type = true uploader.success_action_status = '201' + + if ENV['AWS_S3_ENCRYPTED'] == 'true' + policy = uploader.policy do |conditions| + conditions << {"x-amz-server-side-encryption" => "AES256"} + conditions << {"x-amz-server-side-encryption-aws-kms-key-id" => ENV['AWS_KMS_KEY_ID']} if ENV['AWS_KMS_KEY_ID'] + conditions << {'utf8' => '✓'} + end + else + policy = uploader.policy + end + + uploader = { + key: uploader.key, + aws_access_key_id: uploader.aws_access_key_id, + acl: uploader.acl, + policy: policy, + signature: uploader.signature, + upload_url: uploader.direct_fog_url, + success_action_status: uploader.success_action_status + } + + uploader.merge!(aws_kms_key_id: ENV['AWS_KMS_KEY_ID']) if ENV['AWS_KMS_KEY_ID'] + render json: { - uploader: { - key: uploader.key, - aws_access_key_id: uploader.aws_access_key_id, - acl: uploader.acl, - policy: uploader.policy, - signature: uploader.signature, - upload_url: uploader.direct_fog_url, - success_action_status: uploader.success_action_status - } + uploader: uploader } end diff --git a/ember-app/app/components/hb-markdown-composer.js b/ember-app/app/components/hb-markdown-composer.js index 8fd9fb45..d126eaa6 100644 --- a/ember-app/app/components/hb-markdown-composer.js +++ b/ember-app/app/components/hb-markdown-composer.js 
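Review bot: When `AWS_KMS_KEY_ID` is set, the policy still pins `x-amz-server-side-encryption` to `"AES256"` while also adding the `x-amz-server-side-encryption-aws-kms-key-id` condition; S3 accepts a KMS key id only together with the value `aws:kms`, so this combination is expected to be rejected rather than encrypt with the intended key. Deriving the value from the same variable would fix it: `sse = ENV['AWS_KMS_KEY_ID'] ? 'aws:kms' : 'AES256'` followed by `conditions << {"x-amz-server-side-encryption" => sse}`; the form fields appended in hb-markdown-composer.js hard-code `"AES256"` in the same way. Separately, `signature` is still read from `uploader.signature` rather than derived from the `policy` local, so it is worth confirming that the fork signs the policy that contains these extra conditions. The enclosing class starts outside the hunk.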
@@ -37,8 +37,15 @@ var HbMarkdownComposerComponent = Ember.Component.extend({ fd.append('policy', response.policy); fd.append('signature', response.signature); fd.append('success_action_status', "201"); - fd.append('file', file); + if(HUBOARD_ENV.FEATURES.ENCRYPTED_UPLOADS) { + fd.append('x-amz-server-side-encryption',"AES256"); + if(HUBOARD_ENV.CONFIG && HUBOARD_ENV.CONFIG.AWS_KMS_KEY_ID) { + fd.append('x-amz-server-side-encryption-aws-kms-key-id', HUBOARD_ENV.CONFIG.AWS_KMS_KEY_ID); + } + } + + fd.append('file', file); var request = new XMLHttpRequest(); request.addEventListener('readystatechange', function(){ if(request.readyState === 4) { @@ -54,6 +61,7 @@ var HbMarkdownComposerComponent = Ember.Component.extend({ } }); + request.open('POST', response.upload_url, true); request.send(fd); }); diff --git a/features.json b/features.json index fc4c98b0..3150969e 100644 --- a/features.json +++ b/features.json @@ -1,5 +1,6 @@ { "FEATURES" : { - "IMAGE_UPLOADS": true + "IMAGE_UPLOADS": true, + "ENCRYPTED_UPLOADS": false } }
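Review bot: The browser chooses whether to send the encryption fields from `HUBOARD_ENV.FEATURES.ENCRYPTED_UPLOADS` and `HUBOARD_ENV.CONFIG.AWS_KMS_KEY_ID`, while the server builds the policy from `ENV['AWS_S3_ENCRYPTED']` and already returns `aws_kms_key_id` in the uploader JSON; the two switches can disagree (features.json ships `"ENCRYPTED_UPLOADS": false`), and then the posted fields no longer match the signed policy. Driving the form from the response keeps one source of truth, presumably along the lines of `if (response.aws_kms_key_id) { fd.append('x-amz-server-side-encryption-aws-kms-key-id', response.aws_kms_key_id); }`. Because form fields are chosen by the client, encryption is enforced by the policy condition (and, where required, a bucket policy that denies unencrypted puts), not by this block, and a short comment saying so would help the next reader. The callback these lines sit in starts and ends outside the hunk.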