Add AAAA Support

* Remove logic making sites with AAAA DNS entries invalid
* Add aaaa_present?
* Add support to test against Ruby 3.0 in build pipeline.

Author: jriggins

.github/workflows/push-cibuild.yml

@@ -10,6 +10,7 @@ jobs:
           - 2.5
           - 2.6
           - 2.7
+          - 3.0
     steps:
     - uses: actions/checkout@master
     - name: script/cibuild-docker

Gemfile

@@ -6,6 +6,7 @@ group :development do
   gem "dotenv", "~> 2.7"
   gem "gem-release", "~> 2.1"
   gem "pry", "~> 0.10"
+  gem "pry-byebug"
   gem "rspec", "~> 3.0"
   gem "rubocop", "~> 0.52"
   gem "webmock", "~> 3.8"

config/cloudflare-ips.txt

@@ -12,4 +12,11 @@
 104.16.0.0/13
 104.24.0.0/14
 172.64.0.0/13
-131.0.72.0/22
+131.0.72.0/22
+2400:cb00::/32
+2606:4700::/32
+2803:f800::/32
+2405:b500::/32
+2405:8100::/32
+2a06:98c0::/29
+2c0f:f248::/32

config/fastly-ips.txt

@@ -14,4 +14,6 @@
 172.111.64.0/18
 185.31.16.0/22
 199.27.72.0/21
-199.232.0.0/16
+199.232.0.0/16
+2a04:4e40::/32
+2a04:4e42::/32

lib/github-pages-health-check/domain.rb

@@ -77,13 +77,23 @@ class Domain < Checkable
         185.199.111.153
       ).freeze
 
+      CURRENT_IPV6_ADDRESSES = %w(
+        2606:50c0:8000::153
+        2606:50c0:8001::153
+        2606:50c0:8002::153
+        2606:50c0:8003::153
+      ).freeze
+
+      CURRENT_IP_ADDRESSES_ALL =
+        (CURRENT_IP_ADDRESSES + CURRENT_IPV6_ADDRESSES).freeze
+
       HASH_METHODS = %i[
         host uri nameservers dns_resolves? proxied? cloudflare_ip?
-        fastly_ip? old_ip_address? a_record? cname_record?
-        mx_records_present? valid_domain? apex_domain? should_be_a_record?
-        cname_to_github_user_domain? cname_to_pages_dot_github_dot_com?
-        cname_to_fastly? pointed_to_github_pages_ip?
-        non_github_pages_ip_present? pages_domain?
+        fastly_ip? old_ip_address? a_record? aaaa_record? aaaa_record_present?
+        cname_record? mx_records_present? valid_domain? apex_domain?
+        should_be_a_record? cname_to_github_user_domain?
+        cname_to_pages_dot_github_dot_com? cname_to_fastly?
+        pointed_to_github_pages_ip? non_github_pages_ip_present? pages_domain?
         served_by_pages? valid? reason valid_domain? https?
         enforces_https? https_error https_eligible? caa_error dns_zone_soa? dns_zone_ns?
       ].freeze
@@ -128,8 +138,8 @@ def deprecated_ip?
       def invalid_aaaa_record?
         return @invalid_aaaa_record if defined? @invalid_aaaa_record
 
-        @invalid_aaaa_record = (valid_domain? && should_be_a_record? &&
-                                aaaa_record_present?)
+        @invalid_aaaa_record =
+          (valid_domain? && aaaa_record_present? && !should_be_a_record?)
       end
 
       def invalid_a_record?
@@ -213,20 +223,20 @@ def should_be_cname_record?
         !should_be_a_record?
       end
 
-      # Is the domain's first response an A record to a valid GitHub Pages IP?
+      # Is the domain's first response an A or AAAA record to a valid GitHub Pages IP?
       def pointed_to_github_pages_ip?
-        a_record? && CURRENT_IP_ADDRESSES.include?(dns.first.address.to_s)
+        return false unless address_record?
+
+        CURRENT_IP_ADDRESSES_ALL.include?(dns.first.address.to_s.downcase)
       end
 
-      # Are any of the domain's A records pointing elsewhere?
+      # Are any of the domain's A or AAAA records pointing elsewhere?
       def non_github_pages_ip_present?
         return unless dns?
 
-        a_records = dns.select { |answer| answer.type == Dnsruby::Types::A }
-
-        a_records.any? { |answer| !github_pages_ip?(answer.address.to_s) }
-
-        false
+        dns
+          .select { |a| Dnsruby::Types::A == a.type || Dnsruby::Types::AAAA == a.type }
+          .any? { |a| !github_pages_ip?(a.address.to_s) }
       end
 
       # Is the domain's first response a CNAME to a pages domain?
@@ -345,9 +355,18 @@ def old_ip_address?
 
       # Is this domain's first response an A record?
       def a_record?
+        return @is_a_record if defined?(@is_a_record)
         return unless dns?
 
-        dns.first.type == Dnsruby::Types::A
+        @is_a_record = Dnsruby::Types::A == dns.first.type
+      end
+
+      # Is this domain's first response an AAAA record?
+      def aaaa_record?
+        return @is_aaaa_record if defined?(@is_aaaa_record)
+        return unless dns?
+
+        @is_aaaa_record = Dnsruby::Types::AAAA == dns.first.type
       end
 
       def aaaa_record_present?
@@ -423,8 +442,6 @@ def enforces_https?
       def https_eligible?
         # Can't have any IP's which aren't GitHub's present.
         return false if non_github_pages_ip_present?
-        # Can't have any AAAA records present
-        return false if aaaa_record_present?
         # Must be a CNAME or point to our IPs.
 
         # Only check the one domain if a CNAME. Don't check the parent domain.
@@ -443,6 +460,10 @@ def caa_error
 
       private
 
+      def address_record?
+        a_record? || aaaa_record?
+      end
+
       def caa
         @caa ||= GitHubPages::HealthCheck::CAA.new(
           :host => cname&.host || host,
@@ -517,10 +538,12 @@ def scheme
       def cdn_ip?(cdn)
         return unless dns?
 
-        a_records = dns.select { |answer| answer.type == Dnsruby::Types::A }
-        return false if !a_records || a_records.empty?
+        address_records = dns.select do |answer|
+          Dnsruby::Types::A == answer.type || Dnsruby::Types::AAAA == answer.type
+        end
+        return false if !address_records || address_records.empty?
 
-        a_records.all? do |answer|
+        address_records.all? do |answer|
           cdn.controls_ip?(answer.address)
         end
       end
@@ -530,7 +553,7 @@ def legacy_ip?(ip_addr)
       end
 
       def github_pages_ip?(ip_addr)
-        CURRENT_IP_ADDRESSES.include?(ip_addr)
+        CURRENT_IP_ADDRESSES_ALL.include?(ip_addr&.to_s&.downcase)
       end
     end
   end

script/update-cdn-ips

@@ -8,15 +8,43 @@ require "open-uri"
 require "json"
 
 SOURCES = {
-  :cloudflare => "https://www.cloudflare.com/ips-v4",
-  :fastly => "https://api.fastly.com/public-ip-list"
+  :cloudflare => ["https://www.cloudflare.com/ips-v4", "https://www.cloudflare.com/ips-v6"],
+  :fastly => ["https://api.fastly.com/public-ip-list"]
 }.freeze
 
-SOURCES.each do |source, url|
+def parse_fastly(data)
+  json_data = JSON.parse(data)
+  (json_data["addresses"] + json_data["ipv6_addresses"]).join("\n")
+end
+
+def parse_cloudflare(data)
+  data
+end
+
+def fetch_ips_from_cdn(urls)
+  urls.map do |url|
+    puts "Fetching #{url}..."
+    URI.parse(url).open.read
+  end.join("\n")
+end
+
+def update_cdn_file(source, data)
   file = "config/#{source}-ips.txt"
-  puts "Fetching #{url}..."
-  data = open(url).read
-  data = JSON.parse(data)["addresses"].join("\n") if source == :fastly
   File.write(file, data)
+  puts "Writing contents to #{file} and staging changes."
   `git add --verbose #{file}`
 end
+
+def parse_cdn_response(source, ips)
+  send("parse_#{source}", ips)
+end
+
+def update_cdn_ips(source, urls)
+  ips = fetch_ips_from_cdn(urls)
+  data = parse_cdn_response(source, ips)
+  update_cdn_file(source, data)
+end
+
+SOURCES.each do |source, urls|
+  update_cdn_ips(source, urls)
+end

spec/github_pages_health_check/cdn_spec.rb

@@ -30,15 +30,16 @@
     end
 
     context "parses config" do
-      before { tempfile.write("199.27.128.0/21\n173.245.48.0/20") }
+      before { tempfile.write("199.27.128.0/21\n173.245.48.0/20\n2400:cb00::/32") }
 
-      it "has two IPs" do
-        expect(subject.send(:ranges).size).to eql(2)
+      it "has three IPs" do
+        expect(subject.send(:ranges).size).to eql(3)
       end
 
       it "loads the IP addresses" do
         expect(subject.send(:ranges)).to include(IPAddr.new("199.27.128.0/21"))
         expect(subject.send(:ranges)).to include(IPAddr.new("173.245.48.0/20"))
+        expect(subject.send(:ranges)).to include(IPAddr.new("2400:cb00::/32"))
       end
 
       it("controls? 199.27.128.55") do
@@ -49,20 +50,41 @@
         expect(subject.controls_ip?(IPAddr.new("173.245.48.55"))).to be_truthy
       end
 
+      it("controls? 2400:cb00:1000:2000:3000:4000:5000:6000") do
+        expect(
+          subject.controls_ip?(
+            IPAddr.new("2400:cb00:1000:2000:3000:4000:5000:6000")
+          )
+        ).to be_truthy
+      end
+
       it("controls? 200.27.128.55") do
         expect(subject.controls_ip?(IPAddr.new("200.27.128.55"))).to be_falsey
       end
     end
 
     {
-      "Fastly" => "151.101.32.133",
-      "CloudFlare" => "108.162.196.20"
-    }.each do |service, ip|
+      "Fastly" => {
+        :valid_ips => ["151.101.32.133", "2a04:4e40:1000:2000:3000:4000:5000:6000"],
+        :invalid_ips => ["108.162.196.20", "2400:cb00:7000:8000:9000:A000:B000:C000"]
+      },
+      "CloudFlare" => {
+        :valid_ips => ["108.162.196.20", "2400:cb00:7000:8000:9000:A000:B000:C000"],
+        :invalid_ips => ["151.101.32.133", "2a04:4e40:1000:2000:3000:4000:5000:6000"]
+      }
+    }.each do |service, ips|
       context service do
-        it "works as s singleton" do
+        it "works as a singleton" do
           const = "GitHubPages::HealthCheck::#{service}"
           klass = Kernel.const_get(const).send(:new)
-          expect(klass.controls_ip?(ip)).to be(true)
+
+          ips[:valid_ips].each do |ip|
+            expect(klass.controls_ip?(ip)).to eq(true), ip
+          end
+
+          ips[:invalid_ips].each do |ip|
+            expect(klass.controls_ip?(ip)).to eq(false), ip
+          end
 
           github_ips = GitHubPages::HealthCheck::Domain::CURRENT_IP_ADDRESSES
           expect(klass.controls_ip?(github_ips.first)).to be(false)