fix include_capi filter (#2478)

Author: buixor

pkg/apiserver/apic.go

@@ -43,8 +43,6 @@ const (
 	metricsIntervalDelta   = time.Minute * 15
 )
 
-var SCOPE_CAPI_ALIAS_ALIAS string = "crowdsecurity/community-blocklist" //we don't use "CAPI" directly, to make it less confusing for the user
-
 type apic struct {
 	// when changing the intervals in tests, always set *First too
 	// or they can be negative
@@ -776,14 +774,14 @@ func (a *apic) UpdateBlocklists(links *modelscapi.GetDecisionsStreamResponseLink
 	for _, blocklist := range links.Blocklists {
 		if err := a.updateBlocklist(defaultClient, blocklist, add_counters); err != nil {
 			return err
-		}	
+		}
 	}
 	return nil
 }
 
 func setAlertScenario(alert *models.Alert, add_counters map[string]map[string]int, delete_counters map[string]map[string]int) {
 	if *alert.Source.Scope == types.CAPIOrigin {
-		*alert.Source.Scope = SCOPE_CAPI_ALIAS_ALIAS
+		*alert.Source.Scope = types.CommunityBlocklistPullSourceScope
 		alert.Scenario = ptr.Of(fmt.Sprintf("update : +%d/-%d IPs", add_counters[types.CAPIOrigin]["all"], delete_counters[types.CAPIOrigin]["all"]))
 	} else if *alert.Source.Scope == types.ListOrigin {
 		*alert.Source.Scope = fmt.Sprintf("%s:%s", types.ListOrigin, *alert.Scenario)

pkg/apiserver/apic_test.go

@@ -689,7 +689,7 @@ func TestAPICWhitelists(t *testing.T) {
 		alertScenario[alert.SourceScope]++
 	}
 	assert.Equal(t, 3, len(alertScenario))
-	assert.Equal(t, 1, alertScenario[SCOPE_CAPI_ALIAS_ALIAS])
+	assert.Equal(t, 1, alertScenario[types.CommunityBlocklistPullSourceScope])
 	assert.Equal(t, 1, alertScenario["lists:blocklist1"])
 	assert.Equal(t, 1, alertScenario["lists:blocklist2"])
 
@@ -818,7 +818,7 @@ func TestAPICPullTop(t *testing.T) {
 		alertScenario[alert.SourceScope]++
 	}
 	assert.Equal(t, 3, len(alertScenario))
-	assert.Equal(t, 1, alertScenario[SCOPE_CAPI_ALIAS_ALIAS])
+	assert.Equal(t, 1, alertScenario[types.CommunityBlocklistPullSourceScope])
 	assert.Equal(t, 1, alertScenario["lists:blocklist1"])
 	assert.Equal(t, 1, alertScenario["lists:blocklist2"])
 

pkg/database/alerts.go

@@ -859,8 +859,24 @@ func AlertPredicatesFromFilter(filter map[string][]string) ([]predicate.Alert, e
 			predicates = append(predicates, alert.HasDecisionsWith(decision.OriginEQ(value[0])))
 		case "include_capi": //allows to exclude one or more specific origins
 			if value[0] == "false" {
-				predicates = append(predicates, alert.Not(alert.HasDecisionsWith(decision.OriginEQ(types.CAPIOrigin))))
-				predicates = append(predicates, alert.Not(alert.HasDecisionsWith(decision.OriginEQ(types.ListOrigin))))
+				predicates = append(predicates, alert.And(
+					//do not show alerts with active decisions having origin CAPI or lists
+					alert.And(
+						alert.Not(alert.HasDecisionsWith(decision.OriginEQ(types.CAPIOrigin))),
+						alert.Not(alert.HasDecisionsWith(decision.OriginEQ(types.ListOrigin))),
+					),
+					alert.Not(
+						alert.And(
+							//do not show neither alerts with no decisions if the Source Scope is lists: or CAPI
+							alert.Not(alert.HasDecisions()),
+							alert.Or(
+								alert.SourceScopeHasPrefix(types.ListOrigin+":"),
+								alert.SourceScopeEQ(types.CommunityBlocklistPullSourceScope),
+							),
+						),
+					),
+				),
+				)
 
 			} else if value[0] != "true" {
 				log.Errorf("Invalid bool '%s' for include_capi", value[0])

pkg/types/constants.go

@@ -17,6 +17,7 @@ const ConsoleOrigin = "console"
 const CscliImportOrigin = "cscli-import"
 const ListOrigin = "lists"
 const CAPIOrigin = "CAPI"
+const CommunityBlocklistPullSourceScope = "crowdsecurity/community-blocklist"
 
 const DecisionTypeBan = "ban"