use two sets of credentials for paas buckets

bitzesty · Oct 4, 2024 · f1ee33f · f1ee33f
1 parent 6c525bc
commit f1ee33f
Show file tree

Hide file tree

Showing 4 changed files with 50 additions and 26 deletions.
diff --git a/.env.example b/.env.example
@@ -5,16 +5,17 @@ AUTHY_API_KEY=AUTHY_API_KEY
 AUTHY_API_URL=https://api.authy.com
 DISABLE_VIRUS_SCANNER=false
 ENABLE_VIRUS_SCANNER_BUCKETS=false
-VIRUS_SCANNER_BUCKETS_ENDPOINT=http://s3service:9000
 VIRUS_SCANNER_URL=http://localhost:80
 VIRUS_SCANNER_USERNAME=app1
 VIRUS_SCANNER_PASSWORD=letmein
 PROFILE_MODE=false
 LOG_LEVEL=info
 ASSET_HOST=http://localhost:3000/
 MAILER_HOST=localhost
-AWS_ACCESS_KEY_ID=xxx
-AWS_SECRET_ACCESS_KEY=xxx
+AWS_TMP_BUCKET_ACCESS_KEY_ID=xxx
+AWS_TMP_BUCKET_SECRET_ACCESS_KEY=xxx
+AWS_PERMANENT_BUCKET_ACCESS_KEY_ID=xxx
+AWS_PERMANENT_BUCKET_SECRET_ACCESS_KEY=xxx
 AWS_REGION=xxx
 AWS_S3_TMP_BUCKET=xxx
 AWS_S3_PERMANENT_BUCKET=xxx

diff --git a/app/models/concerns/scan_files.rb b/app/models/concerns/scan_files.rb
@@ -31,26 +31,29 @@ def move_to_clean_bucket(attr_name)
   end
 
   def move_to_permanent_s3_bucket(file)
-    options = {
+    tmp_bucket_s3_client = Aws::S3::Client.new({
       region: ENV["AWS_REGION"],
-      access_key_id: ENV["AWS_ACCESS_KEY_ID"],
-      secret_access_key: ENV["AWS_SECRET_ACCESS_KEY"],
-    }
-
-    if ENV["ENABLE_VIRUS_SCANNER_BUCKETS"] == "true"
-      options[:endpoint] = ENV["VIRUS_SCANNER_BUCKETS_ENDPOINT"]
-      options[:force_path_style] = true
-    end
+      access_key_id: ENV["AWS_TMP_BUCKET_ACCESS_KEY_ID"],
+      secret_access_key: ENV["AWS_TMP_BUCKET_SECRET_ACCESS_KEY"],
+    })
+    clean_bucket_s3_client = Aws::S3::Client.new({
+      region: ENV["AWS_REGION"],
+      access_key_id: ENV["AWS_PERMANENT_BUCKET_ACCESS_KEY_ID"],
+      secret_access_key: ENV["AWS_PERMANENT_BUCKET_SECRET_ACCESS_KEY"],
+    })
 
-    s3_client = Aws::S3::Client.new(options)
+    object_to_copy = tmp_bucket_s3_client.get_object(
+      bucket: ENV["AWS_S3_TMP_BUCKET"],
+      key: file.path,
+    )
 
-    s3_client.copy_object(
+    clean_bucket_s3_client.put_object(
       bucket: ENV["AWS_S3_PERMANENT_BUCKET"],
-      copy_source: "#{ENV["AWS_S3_TMP_BUCKET"]}/#{file.path}",
+      body: object_to_copy.body.read,
       key: file.permanent_path,
     )
 
-    s3_client.delete_object(
+    tmp_bucket_s3_client.delete_object(
       bucket: ENV["AWS_S3_TMP_BUCKET"],
       key: file.path,
     )

diff --git a/app/uploaders/file_uploader.rb b/app/uploaders/file_uploader.rb
@@ -25,6 +25,14 @@ def filename
     "#{@original_filename.gsub(/\W/, "").gsub(/#{file.extension}\z/, "")}.#{file.extension}" if @original_filename.present?
   end
 
+  def fog_credentials
+    if fog_directory.include?("clean")
+      clean_bucket_credentials
+    else
+      tmp_bucket_credentials
+    end
+  end
+
   def fog_directory
     if model.respond_to?(:clean?) && model.clean?
       ENV["AWS_S3_PERMANENT_BUCKET"]
@@ -51,4 +59,22 @@ def read_from_permanent_storage
   def permanent_storage
     @permanent_storage ||= CarrierWave::Storage::Fog.new(self)
   end
+
+  def tmp_bucket_credentials
+    {
+      provider: "AWS",
+      aws_access_key_id: ENV["AWS_TMP_BUCKET_ACCESS_KEY_ID"],
+      aws_secret_access_key: ENV["AWS_TMP_BUCKET_SECRET_ACCESS_KEY"],
+      region: ENV["AWS_REGION"],
+    }
+  end
+
+  def clean_bucket_credentials
+    {
+      provider: "AWS",
+      aws_access_key_id: ENV["AWS_PERMANENT_BUCKET_ACCESS_KEY_ID"],
+      aws_secret_access_key: ENV["AWS_PERMANENT_BUCKET_SECRET_ACCESS_KEY"],
+      region: ENV["AWS_REGION"],
+    }
+  end
 end
diff --git a/config/initializers/carrierwave.rb b/config/initializers/carrierwave.rb
@@ -29,19 +29,13 @@ def retrieve!(identifier)
 end
 
 CarrierWave.configure do |config|
-if Rails.env.production? || ENV["ENABLE_VIRUS_SCANNER_BUCKETS"] == "true"
-    base_credentials = {
+  if Rails.env.production? || ENV["ENABLE_VIRUS_SCANNER_BUCKETS"] == "true"
+    config.fog_credentials = {
       provider: "AWS",
-      aws_access_key_id: ENV["AWS_ACCESS_KEY_ID"],
-      aws_secret_access_key: ENV["AWS_SECRET_ACCESS_KEY"],
+      aws_access_key_id: ENV["AWS_TMP_BUCKET_ACCESS_KEY_ID"],
+      aws_secret_access_key: ENV["AWS_TMP_BUCKET_SECRET_ACCESS_KEY"],
       region: ENV["AWS_REGION"],
     }
-    if ENV["ENABLE_VIRUS_SCANNER_BUCKETS"]
-      base_credentials[:endpoint] = ENV["VIRUS_SCANNER_BUCKETS_ENDPOINT"]
-      base_credentials[:path_style] = true
-    end
-    config.fog_credentials = base_credentials
-
     config.fog_directory = ENV["AWS_S3_TMP_BUCKET"]
     config.storage = :fog
     config.fog_public = false