From e4dcdd25728b914823525f1efabf18d5c454902b Mon Sep 17 00:00:00 2001
From: "Thibault \"bui\" Koechlin"
Date: Wed, 20 Sep 2023 11:56:00 +0200
Subject: [PATCH] fix include_capi filter (#2478)

---
 pkg/apiserver/apic.go | 6 ++----
 pkg/apiserver/apic_test.go | 4 ++--
 pkg/database/alerts.go | 20 ++++++++++++++++++--
 pkg/types/constants.go | 1 +
 4 files changed, 23 insertions(+), 8 deletions(-)

diff --git a/pkg/apiserver/apic.go b/pkg/apiserver/apic.go
index 36ac81303..817b97ce5 100644
--- a/pkg/apiserver/apic.go
+++ b/pkg/apiserver/apic.go
@@ -43,8 +43,6 @@ const (
 metricsIntervalDelta = time.Minute * 15
 )

-var SCOPE_CAPI_ALIAS_ALIAS string = "crowdsecurity/community-blocklist" //we don't use "CAPI" directly, to make it less confusing for the user
-
 type apic struct {
 // when changing the intervals in tests, always set *First too
 // or they can be negative
@@ -776,14 +774,14 @@ func (a *apic) UpdateBlocklists(links *modelscapi.GetDecisionsStreamResponseLink
 for _, blocklist := range links.Blocklists {
 if err := a.updateBlocklist(defaultClient, blocklist, add_counters); err != nil {
 return err
- }
+ }
 }
 return nil
 }

 func setAlertScenario(alert *models.Alert, add_counters map[string]map[string]int, delete_counters map[string]map[string]int) {
 if *alert.Source.Scope == types.CAPIOrigin {
- *alert.Source.Scope = SCOPE_CAPI_ALIAS_ALIAS
+ *alert.Source.Scope = types.CommunityBlocklistPullSourceScope
 alert.Scenario = ptr.Of(fmt.Sprintf("update : +%d/-%d IPs", add_counters[types.CAPIOrigin]["all"], delete_counters[types.CAPIOrigin]["all"]))
 } else if *alert.Source.Scope == types.ListOrigin {
 *alert.Source.Scope = fmt.Sprintf("%s:%s", types.ListOrigin, *alert.Scenario)
diff --git a/pkg/apiserver/apic_test.go b/pkg/apiserver/apic_test.go
index b7163a342..4aa23ffb6 100644
--- a/pkg/apiserver/apic_test.go
+++ b/pkg/apiserver/apic_test.go
@@ -689,7 +689,7 @@ func TestAPICWhitelists(t *testing.T) {
 alertScenario[alert.SourceScope]++
 }
 assert.Equal(t, 3, len(alertScenario))
- assert.Equal(t, 1, alertScenario[SCOPE_CAPI_ALIAS_ALIAS])
+ assert.Equal(t, 1, alertScenario[types.CommunityBlocklistPullSourceScope])
 assert.Equal(t, 1, alertScenario["lists:blocklist1"])
 assert.Equal(t, 1, alertScenario["lists:blocklist2"])

@@ -818,7 +818,7 @@ func TestAPICPullTop(t *testing.T) {
 alertScenario[alert.SourceScope]++
 }
 assert.Equal(t, 3, len(alertScenario))
- assert.Equal(t, 1, alertScenario[SCOPE_CAPI_ALIAS_ALIAS])
+ assert.Equal(t, 1, alertScenario[types.CommunityBlocklistPullSourceScope])
 assert.Equal(t, 1, alertScenario["lists:blocklist1"])
 assert.Equal(t, 1, alertScenario["lists:blocklist2"])

diff --git a/pkg/database/alerts.go b/pkg/database/alerts.go
index 26d6a3dff..0ae63f374 100644
--- a/pkg/database/alerts.go
+++ b/pkg/database/alerts.go
@@ -859,8 +859,24 @@ func AlertPredicatesFromFilter(filter map[string][]string) ([]predicate.Alert, e
 predicates = append(predicates, alert.HasDecisionsWith(decision.OriginEQ(value[0])))
 case "include_capi": //allows to exclude one or more specific origins
 if value[0] == "false" {
- predicates = append(predicates, alert.Not(alert.HasDecisionsWith(decision.OriginEQ(types.CAPIOrigin))))
- predicates = append(predicates, alert.Not(alert.HasDecisionsWith(decision.OriginEQ(types.ListOrigin))))
+ predicates = append(predicates, alert.And(
+ //do not show alerts with active decisions having origin CAPI or lists
+ alert.And(
+ alert.Not(alert.HasDecisionsWith(decision.OriginEQ(types.CAPIOrigin))),
+ alert.Not(alert.HasDecisionsWith(decision.OriginEQ(types.ListOrigin))),
+ ),
+ alert.Not(
+ alert.And(
+ //do not show neither alerts with no decisions if the Source Scope is lists: or CAPI
+ alert.Not(alert.HasDecisions()),
+ alert.Or(
+ alert.SourceScopeHasPrefix(types.ListOrigin+":"),
+ alert.SourceScopeEQ(types.CommunityBlocklistPullSourceScope),
+ ),
+ ),
+ ),
+ ),
+ )
 } else if value[0] != "true" {
 log.Errorf("Invalid bool '%s' for include_capi", value[0])
diff --git a/pkg/types/constants.go b/pkg/types/constants.go
index fa50b64f3..acb5b5bfa 100644
--- a/pkg/types/constants.go
+++ b/pkg/types/constants.go
@@ -17,6 +17,7 @@ const ConsoleOrigin = "console"
 const CscliImportOrigin = "cscli-import"
 const ListOrigin = "lists"
 const CAPIOrigin = "CAPI"
+const CommunityBlocklistPullSourceScope = "crowdsecurity/community-blocklist"

 const DecisionTypeBan = "ban"
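Review bot: The comment above the first `alert.And` promises to hide alerts with *active* decisions of origin CAPI or lists, but `alert.HasDecisionsWith(decision.OriginEQ(...))` as written only constrains the decision origin, so unless the decisions edge is restricted to unexpired rows elsewhere, expired decisions match as well; either reword the comment to `//do not show alerts having any decision with origin CAPI or lists` or add an expiry predicate if active-only is the intent. The `lists:` source-scope prefix is rebuilt here as `types.ListOrigin+":"` while apic.go's setAlertScenario builds the same scope with `fmt.Sprintf("%s:%s", types.ListOrigin, *alert.Scenario)`; one shared constant next to `CommunityBlocklistPullSourceScope` would keep the two from drifting. The outermost `alert.And(...)` is redundant because every appended predicate is already conjoined, so the two `alert.Not(alert.HasDecisionsWith(...))` terms and the final `alert.Not(...)` could be appended individually with far less nesting. The second comment's "do not show neither alerts" is a double negative; `//also hide decision-less alerts whose source scope is lists: or the community blocklist` reads directly. AlertPredicatesFromFilter begins and ends outside the hunk, and the `else if value[0] != "true"` branch below still only logs the invalid value rather than returning the error the function signature allows.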
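Review bot: `CommunityBlocklistPullSourceScope` is added as an exported constant with no doc comment, and the rationale that accompanied the old `SCOPE_CAPI_ALIAS_ALIAS` declaration removed from apic.go in this patch (the value is shown instead of "CAPI" to avoid confusing users) is dropped in the move. Suggest `// CommunityBlocklistPullSourceScope is the source scope given to alerts produced by the community blocklist pull; it is used in place of "CAPI" so the origin is less confusing for users.` above the new line. Unlike its neighbours this value is not an origin name but a scope alias, which is worth stating so it is not mistaken for one.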