Block access to Gitiles

Once restarted onto the parent change, our Gerrit deployment will no
longer link to Gitiles representations of changes or the Git tree.
Explicitly deny access to the Gitiles URL base path in the Apache
vhost config, since we can't effectively remove the plugin itself.
This should help prevent search engines from finding its copies of
our projects rather than the ones we want people to use in Gitea.

Change-Id: I3c96221256662443f7a43344afd12194dce82b9d

playbooks/roles/gerrit/templates/gerrit.vhost.j2

@@ -61,6 +61,11 @@
   #RewriteCond %{REQUEST_URI} !^/maintenance.html$
   #RewriteRule ^/(.*) /maintenance.html [last,redirect=temporary]
 
+  # We can't disable this plugin, but don't want people using it
+  <Location "/plugins/gitiles">
+    Require all denied
+  </Location>
+
   ProxyPassMatch ^/robots.txt$ !
   ProxyPassMatch ^/server-status !
   # Comment out these two lines if the maintenance message above is in use

testinfra/test_gerrit.py

@@ -65,3 +65,9 @@ def test_openinfra_cla(host):
     assert '200 OK' in cmd.stdout
     assert 'Content-Type: text/html' in cmd.stdout
     assert 'OpenInfra Foundation Individual Contributor License Agreement' in cmd.stdout
+
+def test_gitiles_blocked(host):
+    cmd = host.run('curl --include --insecure '
+                   '--resolve review.opendev.org:443:127.0.0.1 '
+                   'https://review.opendev.org/plugins/gitiles/opendev/system-config/')
+    assert '403 Forbidden' in cmd.stdout