From 77972b01501141c3e26e1f092c2b14ce50ecfa84 Mon Sep 17 00:00:00 2001
From: Jeremy Stanley <fungi@yuggoth.org>
Date: Fri, 18 Feb 2022 18:42:12 +0000
Subject: [PATCH] Block access to Gitiles

Once restarted onto the parent change, our Gerrit deployment will no
longer link to Gitiles representations of changes or the Git tree.
Explicitly deny access to the Gitiles URL base path in the Apache
vhost config, since we can't effectively remove the plugin itself.
This should help prevent search engines from finding its copies of
our projects rather than the ones we want people to use in Gitea.

Change-Id: I3c96221256662443f7a43344afd12194dce82b9d
---
 playbooks/roles/gerrit/templates/gerrit.vhost.j2 | 5 +++++
 testinfra/test_gerrit.py                         | 6 ++++++
 2 files changed, 11 insertions(+)

diff --git a/playbooks/roles/gerrit/templates/gerrit.vhost.j2 b/playbooks/roles/gerrit/templates/gerrit.vhost.j2
index 5d6a4936cf..d80e8e4ca4 100644
--- a/playbooks/roles/gerrit/templates/gerrit.vhost.j2
+++ b/playbooks/roles/gerrit/templates/gerrit.vhost.j2
@@ -61,6 +61,11 @@
   #RewriteCond %{REQUEST_URI} !^/maintenance.html$
   #RewriteRule ^/(.*) /maintenance.html [last,redirect=temporary]
 
+  # We can't disable this plugin, but don't want people using it
+  <Location "/plugins/gitiles">
+    Require all denied
+  </Location>
+
   ProxyPassMatch ^/robots.txt$ !
   ProxyPassMatch ^/server-status !
   # Comment out these two lines if the maintenance message above is in use
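Review bot: The `<Location "/plugins/gitiles">` block is a path-prefix match evaluated in the authorization phase, so `Require all denied` covers every sub-path of the plugin and runs before the `ProxyPassMatch` rules below hand the request to Gerrit; that ordering is what makes the deny effective despite the proxy. What the hunk does not show is whether this template defines more than one VirtualHost (for example a plain-HTTP listener that also proxies rather than redirecting) — if it does, the same `<Location>` block is needed there too, otherwise the plugin stays reachable over that vhost. The added comment could state the intended effect for the next maintainer: `# We can't disable this plugin, but don't want people using it; deny the whole /plugins/gitiles prefix before proxying (returns 403)`. The enclosing VirtualHost starts and ends outside the hunk.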
diff --git a/testinfra/test_gerrit.py b/testinfra/test_gerrit.py
index 6dbab51e59..0cac716c77 100644
--- a/testinfra/test_gerrit.py
+++ b/testinfra/test_gerrit.py
@@ -65,3 +65,9 @@ def test_openinfra_cla(host):
     assert '200 OK' in cmd.stdout
     assert 'Content-Type: text/html' in cmd.stdout
     assert 'OpenInfra Foundation Individual Contributor License Agreement' in cmd.stdout
+
+def test_gitiles_blocked(host):
+    cmd = host.run('curl --include --insecure '
+                   '--resolve review.opendev.org:443:127.0.0.1 '
+                   'https://review.opendev.org/plugins/gitiles/opendev/system-config/')
+    assert '403 Forbidden' in cmd.stdout
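Review bot: The assertion `'403 Forbidden' in cmd.stdout` matches anywhere in the headers-plus-body that `--include` prints, so a 200 page whose body happens to mention "403 Forbidden" would pass; pinning it to the status line, `assert cmd.stdout.startswith('HTTP/1.1 403')`, is stricter (the preceding test uses the same loose pattern, so this is consistent with the file, but worth tightening if the status-line format is stable). Since the vhost deny is a prefix match, a second request for the bare `/plugins/gitiles` path (no trailing slash) would confirm the block does not depend on the exact URL form. PEP 8 wants two blank lines before a top-level `def`; the hunk adds only one at the line above `def test_gitiles_blocked(host):`, though the file's existing convention is not visible here.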