tailscale/cmd/connector-gen/github.go

// Copyright (c) Tailscale Inc & AUTHORS
// SPDX-License-Identifier: BSD-3-Clause

package main

import (
	"encoding/json"
	"fmt"
	"log"
	"net/http"
	"net/netip"
	"slices"
	"strings"

	"go4.org/netipx"
	xmaps "golang.org/x/exp/maps"
)

// omitDomains are domains that appear in the github API /meta output
// that we do not need to have app connectors route traffic for (and
// to do so would result in advertising more routes than we want).
var omitDomains = map[string]bool{
	"*.githubassets.com":      true,
	"*.githubusercontent.com": true,
	"*.windows.net":           true,
	"*.azureedge.net":         true,
}

// See https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-githubs-ip-addresses

// GithubMeta is a subset of the response from the github APIs /meta endpoint.
type GithubMeta struct {
	Web                      []string `json:"web"`
	API                      []string `json:"api"`
	Git                      []string `json:"git"`
	GithubEnterpriseImporter []string `json:"github_enterprise_importer"`
	Packages                 []string `json:"packages"`
	Pages                    []string `json:"pages"`
	Domains                  struct {
		Website    []string `json:"website"`
		Codespaces []string `json:"codespaces"`
		Copilot    []string `json:"copilot"`
	} `json:"domains"`
}

func (ghm GithubMeta) routesLists() [][]string {
	return [][]string{
		ghm.Web,
		ghm.API,
		ghm.Git,
		ghm.GithubEnterpriseImporter,
		ghm.Packages,
		ghm.Pages,
	}
}

func (ghm GithubMeta) domainsLists() [][]string {
	return [][]string{
		ghm.Domains.Website,
		ghm.Domains.Codespaces,
		ghm.Domains.Copilot,
	}
}

func (ghm GithubMeta) routes() *netipx.IPSet {
	var ips netipx.IPSetBuilder
	for _, routes := range ghm.routesLists() {
		for _, r := range routes {
			ips.AddPrefix(netip.MustParsePrefix(r))
		}
	}
	set, err := ips.IPSet()
	if err != nil {
		log.Fatal(err)
	}
	return set
}

func (ghm GithubMeta) domains() []string {
	ds := map[string]bool{}
	for _, list := range ghm.domainsLists() {
		for _, d := range list {
			if !omitDomains[d] {
				ds[d] = true
			}
		}
	}
	return xmaps.Keys(ds)
}

type Output struct {
	Routes  []netip.Prefix `json:"routes"`
	Domains []string       `json:"domains"`
}

func (o Output) format() []byte {
	s, err := json.MarshalIndent(o, "", "  ")
	if err != nil {
		log.Fatal(err)
	}
	return s
}

// github prints app connector config to standard out.
// The /meta github endpoint lists the routes and domains needed to use GitHub. It
// lists thousands of routes, and includes broad wildcard domains like *.microsoft.com.
// Not all tailnets function well with an app connector that's advertising thousands of
// routes.
// GitHub has an enterprise "allowed IPs only" feature.  The goal of this script is
// to capture only the domains and routes needed to configure an app connector so that
// users of that app connector can enable that GitHub feature pointing at the app connector
// IP address and have github work.
// We don't know exactly which routes and domains are needed, but I got an email from GitHub
// support saying that only the routes provided in 'web', 'api', and 'git' are needed,
// but that doesn't seem very likely, surely users of eg private packages will
// need to be coming from an allowed IP? Still, attempt to be reasonably restrictive.
func github() {
	r, err := http.Get("https://api.github.com/meta")
	if err != nil {
		log.Fatal(err)
	}

	var ghm GithubMeta
	if err := json.NewDecoder(r.Body).Decode(&ghm); err != nil {
		log.Fatal(err)
	}
	r.Body.Close()

	var domains []string
	for _, domain := range ghm.domains() {
		domains = append(domains, domain)
		trimmed := strings.TrimPrefix(domain, "*.")
		if trimmed != domain {
			domains = append(domains, trimmed)
		}
	}
	slices.Sort(domains)
	domains = slices.Compact(domains)

	set := ghm.routes()

	fmt.Println(string(Output{
		Routes:  set.Prefixes(),
		Domains: domains,
	}.format()))

	advertiseRoutes(set)
}