Adds configuration for server-side encrypted s3 uploads

Gemfile

@@ -32,7 +32,7 @@ gem 'faraday-http-cache'
 gem 'connection_pool'
 gem 'addressable'
 gem 'kgio'
-gem 'carrierwave_direct'
+gem 'carrierwave_direct', :github => 'huboard/carrierwave_direct'
 gem 'memcachier'
 gem 'solid_use_case'
 gem 'faye'

Gemfile.lock

@@ -1,3 +1,12 @@
+GIT
+  remote: git://github.com/huboard/carrierwave_direct.git
+  revision: 59f51f1fe3c6c221db5a25b7675dafb59f40f861
+  specs:
+    carrierwave_direct (0.0.15)
+      carrierwave
+      fog
+      uuidtools
+
 PATH
   remote: vendor/engines/saas
   specs:
@@ -14,7 +23,7 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
-    CFPropertyList (2.3.1)
+    CFPropertyList (2.3.2)
     actionmailer (4.2.0)
       actionpack (= 4.2.0)
       actionview (= 4.2.0)
@@ -71,10 +80,6 @@ GEM
       activesupport (>= 3.2.0)
       json (>= 1.7)
       mime-types (>= 1.16)
-    carrierwave_direct (0.0.15)
-      carrierwave
-      fog
-      uuidtools
     celluloid (0.16.0)
       timers (~> 4.0.0)
     coderay (1.1.0)
@@ -118,7 +123,7 @@ GEM
     ethon (0.8.0)
       ffi (>= 1.3.0)
     eventmachine (1.0.7)
-    excon (0.44.4)
+    excon (0.45.4)
     execjs (2.4.0)
     faraday (0.9.2)
       multipart-post (>= 1.2, < 3)
@@ -144,13 +149,18 @@ GEM
     ffi (1.9.10)
     fission (0.5.0)
       CFPropertyList (~> 2.2)
-    fog (1.28.0)
+    fog (1.37.0)
+      fog-aliyun (>= 0.1.0)
       fog-atmos
-      fog-aws (~> 0.0)
+      fog-aws (>= 0.6.0)
       fog-brightbox (~> 0.4)
-      fog-core (~> 1.27, >= 1.27.3)
-      fog-ecloud
+      fog-core (~> 1.32)
+      fog-dynect (~> 0.0.2)
+      fog-ecloud (~> 0.1)
+      fog-google (<= 0.1.0)
       fog-json
+      fog-local
+      fog-powerdns (>= 0.1.1)
       fog-profitbricks
       fog-radosgw (>= 0.0.2)
       fog-riakcs
@@ -161,67 +171,91 @@ GEM
       fog-terremark
       fog-vmfusion
       fog-voxel
+      fog-vsphere (>= 0.4.0)
+      fog-xenserver
       fog-xml (~> 0.1.1)
       ipaddress (~> 0.5)
-      nokogiri (~> 1.5, >= 1.5.11)
+    fog-aliyun (0.1.0)
+      fog-core (~> 1.27)
+      fog-json (~> 1.0)
+      ipaddress (~> 0.8)
+      xml-simple (~> 1.1)
     fog-atmos (0.1.0)
       fog-core
       fog-xml
-    fog-aws (0.1.1)
+    fog-aws (0.8.1)
       fog-core (~> 1.27)
       fog-json (~> 1.0)
       fog-xml (~> 0.1)
       ipaddress (~> 0.8)
-    fog-brightbox (0.7.1)
+    fog-brightbox (0.10.1)
       fog-core (~> 1.22)
       fog-json
       inflecto (~> 0.0.2)
-    fog-core (1.29.0)
+    fog-core (1.35.0)
       builder
-      excon (~> 0.38)
+      excon (~> 0.45)
       formatador (~> 0.2)
-      mime-types
-      net-scp (~> 1.1)
-      net-ssh (>= 2.1.3)
-    fog-ecloud (0.0.2)
+    fog-dynect (0.0.2)
       fog-core
+      fog-json
       fog-xml
-    fog-json (1.0.0)
-      multi_json (~> 1.0)
-    fog-profitbricks (0.0.2)
+    fog-ecloud (0.3.0)
+      fog-core
+      fog-xml
+    fog-google (0.1.0)
+      fog-core
+      fog-json
+      fog-xml
+    fog-json (1.0.2)
+      fog-core (~> 1.0)
+      multi_json (~> 1.10)
+    fog-local (0.2.1)
+      fog-core (~> 1.27)
+    fog-powerdns (0.1.1)
+      fog-core (~> 1.27)
+      fog-json (~> 1.0)
+      fog-xml (~> 0.1)
+    fog-profitbricks (0.0.5)
       fog-core
       fog-xml
       nokogiri
-    fog-radosgw (0.0.3)
+    fog-radosgw (0.0.4)
       fog-core (>= 1.21.0)
       fog-json
       fog-xml (>= 0.0.1)
     fog-riakcs (0.1.0)
       fog-core
       fog-json
       fog-xml
-    fog-sakuracloud (1.0.0)
+    fog-sakuracloud (1.7.5)
       fog-core
       fog-json
-    fog-serverlove (0.1.1)
+    fog-serverlove (0.1.2)
       fog-core
       fog-json
-    fog-softlayer (0.4.1)
+    fog-softlayer (1.0.3)
       fog-core
       fog-json
-    fog-storm_on_demand (0.1.0)
+    fog-storm_on_demand (0.1.1)
       fog-core
       fog-json
-    fog-terremark (0.0.4)
+    fog-terremark (0.1.0)
       fog-core
       fog-xml
-    fog-vmfusion (0.0.1)
+    fog-vmfusion (0.1.0)
       fission
       fog-core
-    fog-voxel (0.0.2)
+    fog-voxel (0.1.0)
       fog-core
       fog-xml
-    fog-xml (0.1.1)
+    fog-vsphere (0.4.0)
+      fog-core
+      rbvmomi (~> 1.8)
+    fog-xenserver (0.2.2)
+      fog-core
+      fog-xml
+    fog-xml (0.1.2)
       fog-core
       nokogiri (~> 1.5, >= 1.5.11)
     foreman (0.78.0)
@@ -249,7 +283,7 @@ GEM
       multi_xml (>= 0.5.2)
     i18n (0.7.0)
     inflecto (0.0.2)
-    ipaddress (0.8.0)
+    ipaddress (0.8.2)
     jbuilder (2.2.12)
       activesupport (>= 3.0.0, < 5)
       multi_json (~> 1.2)
@@ -278,9 +312,6 @@ GEM
     multi_json (1.11.2)
     multi_xml (0.5.5)
     multipart-post (2.0.0)
-    net-scp (1.2.1)
-      net-ssh (>= 2.6.5)
-    net-ssh (2.9.2)
     netrc (0.10.3)
     nokogiri (1.6.6.2)
       mini_portile (~> 0.6.0)
@@ -341,6 +372,10 @@ GEM
       httparty (~> 0.11)
       json
       rack
+    rbvmomi (1.8.2)
+      builder
+      nokogiri (>= 1.4.1)
+      trollop
     rdoc (4.2.0)
       json (~> 1.4)
     redcarpet (3.2.2)
@@ -418,6 +453,7 @@ GEM
     tilt (1.4.1)
     timers (4.0.1)
       hitimes
+    trollop (2.1.2)
     typhoeus (0.7.3)
       ethon (>= 0.7.4)
     tzinfo (1.2.2)
@@ -436,6 +472,7 @@ GEM
       websocket-extensions (>= 0.1.0)
     websocket-extensions (0.1.2)
     wkhtmltopdf-heroku (2.12.2.1)
+    xml-simple (1.1.5)
 
 PLATFORMS
   ruby
@@ -445,7 +482,7 @@ DEPENDENCIES
   annotate
   better_errors
   binding_of_caller
-  carrierwave_direct
+  carrierwave_direct!
   coffee-rails (~> 4.1.0)
   connection_pool
   couchrest

app/controllers/api/uploads_controller.rb

@@ -3,19 +3,35 @@ class UploadsController < ApiController
 
     def asset_uploader
       not_found unless logged_in?
+      not_found unless ENV['AWS_ENABLED']
       uploader = AssetUploader.new
       uploader.will_include_content_type = true
       uploader.success_action_status = '201'
+
+      if ENV['AWS_S3_ENCRYPTED'] == 'true'
+        policy = uploader.policy do |conditions|
+          conditions << {"x-amz-server-side-encryption" => "AES256"}
+          conditions << {"x-amz-server-side-encryption-aws-kms-key-id" => ENV['AWS_KMS_KEY_ID']} if ENV['AWS_KMS_KEY_ID']
+          conditions << {'utf8' => '✓'}
+        end
+      else
+        policy = uploader.policy
+      end
+
+      uploader = {
+        key: uploader.key,
+        aws_access_key_id: uploader.aws_access_key_id,
+        acl: uploader.acl,
+        policy: policy,
+        signature: uploader.signature,
+        upload_url: uploader.direct_fog_url,
+        success_action_status: uploader.success_action_status
+      }
+
+      uploader.merge!(aws_kms_key_id: ENV['AWS_KMS_KEY_ID']) if ENV['AWS_KMS_KEY_ID']
+
       render json: {
-        uploader: {
-          key: uploader.key,
-          aws_access_key_id: uploader.aws_access_key_id,
-          acl: uploader.acl,
-          policy: uploader.policy,
-          signature: uploader.signature,
-          upload_url: uploader.direct_fog_url,
-          success_action_status: uploader.success_action_status
-        }
+        uploader: uploader
       }
     end
 

config/initializers/carrierwave.rb

@@ -1,18 +1,20 @@
-CarrierWave.configure do |config|
-  config.storage = :fog
-  config.fog_credentials = {
-    provider: "AWS",
-    path_style: true,
-    region: ENV['AWS_DEFAULT_REGION'] || "us-west-2",
-    endpoint: 'https://s3-us-west-2.amazonaws.com',
-    aws_access_key_id: ENV['AWS_ACCESS_KEY_ID'],
-    aws_secret_access_key: ENV['AWS_SECRET_ACCESS_KEY'],
-  }
-  config.fog_directory = ENV['AWS_S3_BUCKET']
-  #config.fog_attributes = { :multipart_chunk_size => 104857600 }
-  config.fog_attributes = {'Cache-Control'=>"max-age=#{365.day.to_i}"}
-  config.min_file_size = "1"
-  config.max_file_size = "#{5 * 1024 * 1024}"
-  config.fog_public = true
-  config.use_action_status = true
+if ENV['AWS_ENABLED']
+  CarrierWave.configure do |config|
+    config.storage = :fog
+    config.fog_credentials = {
+      provider: "AWS",
+      path_style: true,
+      region: ENV['AWS_DEFAULT_REGION'] || "us-west-2",
+      endpoint: ENV['AWS_S3_ENDPOINT'] || 'https://s3-us-west-2.amazonaws.com',
+      aws_access_key_id: ENV['AWS_ACCESS_KEY_ID'],
+      aws_secret_access_key: ENV['AWS_SECRET_ACCESS_KEY'],
+    }
+    config.fog_directory = ENV['AWS_S3_BUCKET']
+    #config.fog_attributes = { :multipart_chunk_size => 104857600 }
+    config.fog_attributes = {'Cache-Control'=>"max-age=#{365.day.to_i}"}
+    config.min_file_size = "1"
+    config.max_file_size = "#{5 * 1024 * 1024}"
+    config.fog_public = true
+    config.use_action_status = true
+  end
 end

ember-app/app/components/hb-markdown-composer.js

@@ -37,8 +37,15 @@ var HbMarkdownComposerComponent = Ember.Component.extend({
       fd.append('policy', response.policy);
       fd.append('signature', response.signature);
       fd.append('success_action_status', "201");
-      fd.append('file', file);
 
+      if(HUBOARD_ENV.FEATURES.ENCRYPTED_UPLOADS) {
+        fd.append('x-amz-server-side-encryption',"AES256");
+        if(HUBOARD_ENV.CONFIG && HUBOARD_ENV.CONFIG.AWS_KMS_KEY_ID) {
+          fd.append('x-amz-server-side-encryption-aws-kms-key-id', HUBOARD_ENV.CONFIG.AWS_KMS_KEY_ID);
+        }
+      }
+
+      fd.append('file', file);
       var request = new XMLHttpRequest();
       request.addEventListener('readystatechange', function(){
         if(request.readyState === 4) {
@@ -54,6 +61,7 @@ var HbMarkdownComposerComponent = Ember.Component.extend({
         }
       });
 
+
       request.open('POST', response.upload_url, true);
       request.send(fd);
     });

features.json

@@ -1,5 +1,6 @@
 {
   "FEATURES" : {
-    "IMAGE_UPLOADS": true
+    "IMAGE_UPLOADS": true,
+    "ENCRYPTED_UPLOADS": false
   }
 }