From 3ab4482ff7314b21f3a66dc7fcc773c00cdbc29d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Vantomme?=
Date: Tue, 10 Jan 2023 17:38:00 +0100
Subject: [PATCH 1/3] feat(storage): add S3 storage support
---
 config/env.example | 6 ++++++
 config/storage.yml | 6 ++++++
 2 files changed, 12 insertions(+)
diff --git a/config/env.example b/config/env.example
index 978dfd183..ac24cf09f 100644
--- a/config/env.example
+++ b/config/env.example
@@ -37,6 +37,12 @@ BASIC_AUTH_PASSWORD=""
 # (See config/storage.yml for the configuration of each service.)
 ACTIVE_STORAGE_SERVICE="local"
+# Configuration for the S3 storage service (if enabled)
+S3_ACCESS_KEY_ID=""
+S3_SECRET_ACCESS_KEY=""
+S3_REGION=""
+S3_BUCKET=""
+
 # Configuration for the OpenStack storage service (if enabled)
 FOG_OPENSTACK_API_KEY=""
 FOG_OPENSTACK_USERNAME=""
diff --git a/config/storage.yml b/config/storage.yml
index b24cd1613..d2b2d241f 100644
--- a/config/storage.yml
+++ b/config/storage.yml
@@ -13,3 +13,9 @@ openstack:
 openstack_username: "<%= ENV['FOG_OPENSTACK_USERNAME'] %>"
 openstack_region: "<%= ENV['FOG_OPENSTACK_REGION'] %>"
 openstack_temp_url_key: "<%= ENV['FOG_OPENSTACK_TEMP_URL_KEY'] %>"
+amazon:
+ service: S3
+ access_key_id: <%= ENV.fetch("S3_ACCESS_KEY_ID", "") %>
+ secret_access_key: <%= ENV.fetch("S3_SECRET_ACCESS_KEY", "") %>
+ region: <%= ENV.fetch("S3_REGION", "") %>
+ bucket: <%= ENV.fetch("S3_BUCKET", "") %>
From eb812032e1d39374dc0d090368570401c4dd2686 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Vantomme?=
Date: Tue, 10 Jan 2023 17:05:02 +0100
Subject: [PATCH 2/3] security(csp): whitelist amazon AWS for S3 storage
---
 config/initializers/content_security_policy.rb | 1 +
 1 file changed, 1 insertion(+)
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
index f69150dc9..57a59c1cb 100644
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
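Review bot: The new `amazon` entries emit unquoted ERB output while the `openstack` entries just above quote theirs, so a value containing YAML-significant characters (a `#`, a leading `*`, or `: `) could change the parsed structure; `access_key_id: "<%= ENV.fetch('S3_ACCESS_KEY_ID', '') %>"`, and the same for the other three keys, keeps the two blocks consistent. Defaulting every value to `""` also means a deployment that selects `amazon` without setting the S3_* variables boots with an empty bucket and empty credentials and only fails on the first upload; dropping the fallback for at least `bucket` and `region`, e.g. `bucket: "<%= ENV.fetch('S3_BUCKET') %>"`, surfaces the misconfiguration at startup. If the app runs on AWS, an instance or task role can supply credentials without static keys in the environment — I believe the SDK's default credential chain is used when `access_key_id`/`secret_access_key` are omitted, worth confirming for this Rails version. The `service: S3` entry presumes the `aws-sdk-s3` gem is in the Gemfile; that change is not part of this series.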
@@ -22,6 +22,7 @@ Rails.application.config.content_security_policy do |policy|
 connect_whitelist = ["wss://*.crisp.chat", "*.crisp.chat", "app.franceconnect.gouv.fr", "openmaptiles.geo.data.gouv.fr", "openmaptiles.github.io", "tiles.geo.api.gouv.fr", "wxs.ign.fr"]
 connect_whitelist << ENV.fetch('APP_HOST')
+ connect_whitelist << "*.amazonaws.com" if Rails.configuration.active_storage.service == :amazon
 connect_whitelist += [URI(ENV["SENTRY_DSN_JS"]).host, URI(ENV["SENTRY_DSN_RAILS"]).host].compact.uniq
 connect_whitelist << URI(DS_PROXY_URL).host if DS_PROXY_URL.present?
 connect_whitelist << URI(API_ADRESSE_URL).host if API_ADRESSE_URL.present?
From f43064706413f07d53503d8f290279fca73e90a5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Vantomme?=
Date: Tue, 10 Jan 2023 22:46:05 +0100
Subject: [PATCH 3/3] refactor(storage): move S3_* variables to config/env.example.optional
---
 config/env.example | 6 ------
 config/env.example.optional | 5 +++++
 2 files changed, 5 insertions(+), 6 deletions(-)
diff --git a/config/env.example b/config/env.example
index ac24cf09f..978dfd183 100644
--- a/config/env.example
+++ b/config/env.example
@@ -37,12 +37,6 @@ BASIC_AUTH_PASSWORD=""
 # (See config/storage.yml for the configuration of each service.)
 ACTIVE_STORAGE_SERVICE="local"
-# Configuration for the S3 storage service (if enabled)
-S3_ACCESS_KEY_ID=""
-S3_SECRET_ACCESS_KEY=""
-S3_REGION=""
-S3_BUCKET=""
-
 # Configuration for the OpenStack storage service (if enabled)
 FOG_OPENSTACK_API_KEY=""
 FOG_OPENSTACK_USERNAME=""
diff --git a/config/env.example.optional b/config/env.example.optional
index 4cdd40004..8a1d83d1a 100644
--- a/config/env.example.optional
+++ b/config/env.example.optional
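Review bot: `*.amazonaws.com` admits every AWS-hosted endpoint as a `connect-src` origin, far wider than the single bucket the app talks to, which weakens the data-exfiltration protection this CSP is meant to provide; narrowing it to the bucket's virtual-hosted endpoint, e.g. `connect_whitelist << "#{ENV.fetch('S3_BUCKET')}.s3.#{ENV.fetch('S3_REGION')}.amazonaws.com" if Rails.configuration.active_storage.service == :amazon`, keeps the policy tight (confirm against the host Active Storage actually generates for direct uploads). The guard compares against the symbol `:amazon`; whether `active_storage.service` holds a symbol or a string here depends on how `ACTIVE_STORAGE_SERVICE` is assigned in the environment config, which is outside this hunk, and a string would silently turn the line into a no-op. The entry is only needed when uploads go from the browser straight to S3; server-side uploads require no connect-src change, so a comment stating which flow it serves would help the next reader. The enclosing `content_security_policy` block starts and ends outside the hunk.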
@@ -146,6 +146,11 @@ DATAGOUV_DESCRIPTIF_DEMARCHES_RESOURCE="resourceid"
 # Zonage
 ZONAGE_ENABLED='enabled' # zonage disabled by default if `ZONAGE_ENABLED` not set
+# Configuration for the S3 storage service (if enabled)
+S3_ACCESS_KEY_ID=""
+S3_SECRET_ACCESS_KEY=""
+S3_REGION=""
+S3_BUCKET=""
 # SAML
 SAML_IDP_CERTIFICATE="idpcertificate"