github-pages-health-check 1.14.0 → 1.15.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 7ebf0365b555a468e1785cdd41997442c825385a0a30f77474d8af65c404b6cf
-  data.tar.gz: 3b7082f91aea5dd278c5f75eb2f4d8bdf93ed64e3f40b578930739e18c6d596c
+  metadata.gz: 8834b93511d8ba6c9b53a1819cda17c8aea730a84196bc8f1271ddedc4674f66
+  data.tar.gz: 869bdfce15c6817adac72ccd78666ea6cd8c3080aaa2adba4e99f042c8dc037f
 SHA512:
-  metadata.gz: fa4bc9f48ecf20b5541a9eb075df3d119707cc8c00777ae2718fe2955a194d1ab9e50027a3c48045a7de001171195f75068435b8709b13ff0a7560d098a7ef7c
-  data.tar.gz: d918ba62878f48d6539d1feead74b7da1bfc74d28f95263140eef339e9067980c22aaead6a894880470761686c95679f399d867ce0ec8afa429b3ed5b5fe2d79
+  metadata.gz: 7b1e442409c64a742db36f7439ea1378cf40e130807eed20b689d4f80cec31c1c390e33c6d71e0f4400f38f23cdb208cf7307db308d930dad9236c1f676ff544
+  data.tar.gz: 8ea3498c4725ebb75d087b79bbc519a30737fe12e348477c8424307153eef2d102e5b2c333da225beb78adddfb66deec94e903fe91857c68390f4d09f8d29783

data/lib/github-pages-health-check/caa.rb

@@ -9,7 +9,7 @@ module GitHubPages
     class CAA
       attr_reader :host, :error, :nameservers
 
-      def initialize(host, nameservers: nil)
+      def initialize(host, nameservers: :default)
         raise ArgumentError, "host cannot be nil" if host.nil?
 
         @host = host
@@ -24,24 +24,30 @@ module GitHubPages
       def lets_encrypt_allowed?
         return false if errored?
         return true unless records_present?
+
         records.any? { |r| r.property_value == "letsencrypt.org" }
       end
 
       def records_present?
         return false if errored?
+
         records && !records.empty?
       end
 
       def records
-        @records ||= begin
-          get_caa_records(host) | get_caa_records(host.split(".").drop(1).join("."))
-        end
+        return @records if defined?(@records)
+
+        @records = get_caa_records(host)
+        @records = get_caa_records(parent_host) if @records.nil? || @records.empty?
+
+        @records
       end
 
       private
 
       def get_caa_records(domain)
         return [] if domain.nil?
+
         query(domain).select { |r| issue_caa_record?(r) }
       end
 
@@ -59,6 +65,10 @@ module GitHubPages
       def resolver(domain)
         GitHubPages::HealthCheck::Resolver.new(domain, :nameservers => nameservers)
       end
+
+      def parent_host
+        host.split(".").drop(1).join(".")
+      end
     end
   end
 end

data/lib/github-pages-health-check/domain.rb

@@ -113,31 +113,37 @@ module GitHubPages
         raise Errors::InvalidCNAMEError, :domain => self      if invalid_cname?
         raise Errors::InvalidAAAARecordError, :domain => self if invalid_aaaa_record?
         raise Errors::NotServedByPagesError, :domain => self  unless served_by_pages?
+
         true
       end
 
       def deprecated_ip?
         return @deprecated_ip if defined? @deprecated_ip
+
         @deprecated_ip = (valid_domain? && a_record? && old_ip_address?)
       end
 
       def invalid_aaaa_record?
         return @invalid_aaaa_record if defined? @invalid_aaaa_record
+
         @invalid_aaaa_record = (valid_domain? && should_be_a_record? &&
                                 aaaa_record_present?)
       end
 
       def invalid_a_record?
         return @invalid_a_record if defined? @invalid_a_record
+
         @invalid_a_record = (valid_domain? && a_record? && !should_be_a_record?)
       end
 
       def invalid_cname?
         return @invalid_cname if defined? @invalid_cname
+
         @invalid_cname = begin
           return false unless valid_domain?
           return false if github_domain? || apex_domain?
           return true  if cname_to_pages_dot_github_dot_com? || cname_to_fastly?
+
           !cname_to_github_user_domain? && should_be_cname_record?
         end
       end
@@ -146,8 +152,11 @@ module GitHubPages
       # Used as an escape hatch to prevent false positives on DNS checkes
       def valid_domain?
         return @valid if defined? @valid
+
         unicode_host = Addressable::IDNA.to_unicode(host)
-        @valid = PublicSuffix.valid?(unicode_host, :default_rule => nil)
+        @valid = PublicSuffix.valid?(unicode_host,
+                                     :default_rule => nil,
+                                     :ignore_private => true)
       end
 
       # Is this domain an apex domain, meaning a CNAME would be innapropriate
@@ -161,7 +170,9 @@ module GitHubPages
         # E.g. PublicSuffix.domain("blog.digital.gov.uk") # => "digital.gov.uk"
         # For apex-level domain names, DNS providers do not support CNAME records.
         unicode_host = Addressable::IDNA.to_unicode(host)
-        PublicSuffix.domain(unicode_host) == unicode_host
+        PublicSuffix.domain(unicode_host,
+                            :default_rule => nil,
+                            :ignore_private => true) == unicode_host
       end
 
       # Should the domain use an A record?
@@ -181,6 +192,7 @@ module GitHubPages
       # Are any of the domain's A records pointing elsewhere?
       def non_github_pages_ip_present?
         return unless dns?
+
         a_records = dns.select { |answer| answer.type == Dnsruby::Types::A }
 
         a_records.any? { |answer| !github_pages_ip?(answer.address.to_s) }
@@ -256,6 +268,7 @@ module GitHubPages
         return false if cname_to_github_user_domain?
         return false if cname_to_pages_dot_github_dot_com?
         return false if cname_to_fastly? || fastly_ip?
+
         served_by_pages?
       end
 
@@ -270,9 +283,11 @@ module GitHubPages
       def dns
         return @dns if defined? @dns
         return unless valid_domain?
+
         @dns = Timeout.timeout(TIMEOUT) do
           GitHubPages::HealthCheck.without_warnings do
             next if host.nil?
+
             REQUESTED_RECORD_TYPES
               .map { |type| resolver.query(type) }
               .flatten.uniq
@@ -300,11 +315,13 @@ module GitHubPages
       # Is this domain's first response an A record?
       def a_record?
         return unless dns?
+
         dns.first.type == Dnsruby::Types::A
       end
 
       def aaaa_record_present?
         return unless dns?
+
         dns.any? { |answer| answer.type == Dnsruby::Types::AAAA }
       end
 
@@ -312,6 +329,7 @@ module GitHubPages
       def cname_record?
         return unless dns?
         return false unless cname
+
         cname.valid_domain?
       end
       alias cname? cname_record?
@@ -320,11 +338,13 @@ module GitHubPages
       # Returns nil if the domain is not a CNAME
       def cname
         return unless dns.first.type == Dnsruby::Types::CNAME
+
         @cname ||= Domain.new(dns.first.cname.to_s)
       end
 
       def mx_records_present?
         return unless dns?
+
         dns.any? { |answer| answer.type == Dnsruby::Types::MX }
       end
 
@@ -361,20 +381,30 @@ module GitHubPages
       # Does this domain redirect HTTP requests to HTTPS?
       def enforces_https?
         return false unless https? && http_response.headers["Location"]
+
         redirect = Addressable::URI.parse(http_response.headers["Location"])
         redirect.scheme == "https" && redirect.host == host
       end
 
       # Can an HTTPS certificate be issued for this domain?
       def https_eligible?
-        (cname_to_github_user_domain? || pointed_to_github_pages_ip?) &&
-          !aaaa_record_present? && !non_github_pages_ip_present? &&
-          caa.lets_encrypt_allowed?
+        # Can't have any IP's which aren't GitHub's present.
+        return false if non_github_pages_ip_present?
+        # Can't have any AAAA records present
+        return false if aaaa_record_present?
+        # Must be a CNAME or point to our IPs.
+
+        # Only check the one domain if a CNAME. Don't check the parent domain.
+        return true if cname_to_github_user_domain?
+
+        # Check CAA records for the full domain and its parent domain.
+        pointed_to_github_pages_ip? && caa.lets_encrypt_allowed?
       end
 
       # Any errors querying CAA records
       def caa_error
         return nil unless caa.errored?
+
         caa.error.class.name
       end
 

data/lib/github-pages-health-check/repository.rb

@@ -15,6 +15,7 @@ module GitHubPages
         unless name_with_owner.match(REPO_REGEX)
           raise Errors::InvalidRepositoryError
         end
+
         parts = name_with_owner.split("/")
         @owner = parts.first
         @name  = parts.last
@@ -28,6 +29,7 @@ module GitHubPages
 
       def check!
         raise Errors::BuildError.new(:repository => self), build_error unless built?
+
         true
       end
 
@@ -54,6 +56,7 @@ module GitHubPages
 
       def domain
         return if cname.nil?
+
         @domain ||= GitHubPages::HealthCheck::Domain.redundant(cname)
       end
 
@@ -61,6 +64,7 @@ module GitHubPages
 
       def client
         raise Errors::MissingAccessTokenError if @access_token.nil?
+
         @client ||= Octokit::Client.new(:access_token => @access_token)
       end
 

data/lib/github-pages-health-check/version.rb

@@ -2,6 +2,6 @@
 
 module GitHubPages
   module HealthCheck
-    VERSION = "1.14.0".freeze
+    VERSION = "1.15.0".freeze
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: github-pages-health-check
 version: !ruby/object:Gem::Version
-  version: 1.14.0
+  version: 1.15.0
 platform: ruby
 authors:
 - GitHub, Inc.
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-09-17 00:00:00.000000000 Z
+date: 2018-10-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: addressable