Filter out edit refs

User's private edits are not part of an open change
and should not be served or advertised.

The refs could be in theory made invisible by playing
with the ACLs. However, having a complex ACL would have
a detrimental impact on the overall performance of
the security evaluation. It does not make sense to
expose the user's private edits and they would risk
to make a clone failing with a wants-not-valid error.

Change-Id: Idbae7ed339515daa44df3f0093a51f6343b4e8d5
3 files changed
tree: ce230eb97097ab9da3b3e9c303386e4d244dc15e
  1. src/
  2. .gitignore
  3. BUILD

Git Ref filter module for Gerrit

Gerrit lib module to allow filtering out refs in the Git advertizing protocol phase.

How to build

Build this module as it was a Gerrit plugin:

  • Clone Gerrit source tree
  • Clone the git-refs-filter source tree
  • Link the git-refs-filter directory to Gerrit /plugins/git-refs-filter
  • From Gerrit source tree run bazel build plugins/git-refs-filter
  • And for running tests bazel test plugins/git-refs-filter:git_refs_filter_tests
  • The git-refs-filter.jar module is generated under /bazel-genfiles/plugins/git-refs-filter/

How install

Copy git-refs-filter.jar library to Gerrit /lib and add the following one extra settings to gerrit.config:

  installModule = com.googlesource.gerrit.modules.gitrefsfilter.RefsFilterModule

How to configure filtering

The refsfilter module defines a new global capability called “Filter out closed changes refs”. By default the capability isn't assigned to any user or group, thus the module installation has no side effects.

Filtering a closed change refs has the following meaning:

  • Merged changes and all their patch-sets
  • Abandoned changes and all their patch-sets
  • Corrupted changes and all their patch-sets
  • All ‘/meta’ refs of all changes
  • All non-published edits of any changes

To enable a group of users of getting a “filtered list” of refs (e.g. CI jobs):

  • Define a new group of users (e.g. Builders)
  • Add a user to that group (e.g. Add ‘jenkins’ to the Builders group)
  • Go to the All-Projects ACLs, add the “Filter out closed changes refs” and assign to the group (e.g. Builders)

NOTE Gerrit makes a super-simplified ACL evaluation if all the projects are globally readable (e.g. project has a READ rule to refs/*). To enable the closed changes filtering you need to disable any global read rule for the group that needs refs filtering.