EQL: Remove match functions (#63275)

Since match (for matching regex) is not currently in use, remove it for
now.

Close #63263

(cherry picked from commit 6abd531cf457f3c5686f59709647bed3276e3c6b)
This commit is contained in:
Costin Leau 2020-10-05 22:51:10 +03:00 committed by Costin Leau
parent 6856306dcf
commit d027e24b31
10 changed files with 116 additions and 140 deletions


@ -131,48 +131,45 @@ name = "numberStringConversion5"
query = 'any where number(string(serial_event_id), 16) == 17' query = 'any where number(string(serial_event_id), 16) == 17'
expected_event_ids = [11] expected_event_ids = [11]
# [[queries]]
[[queries]] # name = "matchWithCharacterClasses1"
name = "matchWithCharacterClasses1" # expected_event_ids = [98]
expected_event_ids = [98] # notes = "regexp doesn't support character classes"
notes = "regexp doesn't support character classes" # query = '''
query = ''' # //
// # // """.*?net1\s+localgroup.*?""")
// """.*?net1\s+localgroup.*?""") # process where match(command_line, """.*?net1[ ]+localgroup.*?""")
process where match(command_line, """.*?net1[ ]+localgroup.*?""") # '''
''' #
# [[queries]]
[[queries]] # name = "matchLiteAdditional"
name = "matchLiteAdditional" # expected_event_ids = [98]
expected_event_ids = [98] # query = '''
query = ''' # process where matchLite(command_line, """.*?net1.*?""")
process where matchLite(command_line, """.*?net1.*?""") # '''
''' #
# [[queries]]
[[queries]] # name = "matchWithCharacterClasses2"
name = "matchWithCharacterClasses2" # expected_event_ids = [98]
expected_event_ids = [98] # notes = "regexp doesn't support predefined character classes (like \\s)"
notes = "regexp doesn't support predefined character classes (like \\s)" # query = '''
query = ''' # // """.*?net1\s+\w{4,15}\s+.*?"""
// """.*?net1\s+\w{4,15}\s+.*?""" # process where match(command_line, """.*?net1[ ]+[a-z]{4,15}[ ]+.*?""")
process where match(command_line, """.*?net1[ ]+[a-z]{4,15}[ ]+.*?""") # '''
''' #
# [[queries]]
# name = "multiPatternMatch"
# expected_event_ids = [50, 97, 98]
[[queries]] # query = '''
name = "multiPatternMatch" # process where match(command_line, ".*?net[1]? localgroup.*?", ".*? myappserver.py .*?")
expected_event_ids = [50, 97, 98] # '''
query = ''' #
process where match(command_line, ".*?net[1]? localgroup.*?", ".*? myappserver.py .*?") # [[queries]]
''' # name = "matchWithSubstring"
# expected_event_ids = [50, 98]
[[queries]] # query = '''
name = "matchWithSubstring" # process where match(substring(command_line, 5), ".*?net[1]? localgroup.*?", ".*? myappserver.py .*?")
expected_event_ids = [50, 98] # '''
query = '''
process where match(substring(command_line, 5), ".*?net[1]? localgroup.*?", ".*? myappserver.py .*?")
'''
[[queries]] [[queries]]
name = "moduloEqualsField" name = "moduloEqualsField"
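Review bot: The five match queries (matchWithCharacterClasses1/2, matchLiteAdditional, multiPatternMatch, matchWithSubstring) are commented out with bare `#` lines and carry no indication of why they are disabled, whereas the Java tests in this same change are skipped with an `@AwaitsFix` that names an issue. Add one line above the first commented block, e.g. `# match()/matchLite() queries disabled in #63275 (function unregistered); re-enable if it returns`, and do the same for the commented-out matchFunction* cases in the query-translator spec file later in this change. The `[[queries]]` list continues outside the hunk.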


@ -1149,4 +1149,3 @@ process where length(between(process_name, "g", "e")) > 0
#query = ''' #query = '''
#process where length(between(process_name, "g", "e")) > 0 #process where length(between(process_name, "g", "e")) > 0
#''' #'''


@ -6,17 +6,16 @@
package org.elasticsearch.xpack.eql.expression.function; package org.elasticsearch.xpack.eql.expression.function;
import org.elasticsearch.xpack.eql.expression.function.scalar.math.ToNumber;
import org.elasticsearch.xpack.eql.expression.function.scalar.string.Between; import org.elasticsearch.xpack.eql.expression.function.scalar.string.Between;
import org.elasticsearch.xpack.eql.expression.function.scalar.string.CIDRMatch; import org.elasticsearch.xpack.eql.expression.function.scalar.string.CIDRMatch;
import org.elasticsearch.xpack.eql.expression.function.scalar.string.Concat; import org.elasticsearch.xpack.eql.expression.function.scalar.string.Concat;
import org.elasticsearch.xpack.eql.expression.function.scalar.string.EndsWith; import org.elasticsearch.xpack.eql.expression.function.scalar.string.EndsWith;
import org.elasticsearch.xpack.eql.expression.function.scalar.string.IndexOf; import org.elasticsearch.xpack.eql.expression.function.scalar.string.IndexOf;
import org.elasticsearch.xpack.eql.expression.function.scalar.string.Length; import org.elasticsearch.xpack.eql.expression.function.scalar.string.Length;
import org.elasticsearch.xpack.eql.expression.function.scalar.string.Match;
import org.elasticsearch.xpack.eql.expression.function.scalar.string.StartsWith; import org.elasticsearch.xpack.eql.expression.function.scalar.string.StartsWith;
import org.elasticsearch.xpack.eql.expression.function.scalar.string.StringContains; import org.elasticsearch.xpack.eql.expression.function.scalar.string.StringContains;
import org.elasticsearch.xpack.eql.expression.function.scalar.string.Substring; import org.elasticsearch.xpack.eql.expression.function.scalar.string.Substring;
import org.elasticsearch.xpack.eql.expression.function.scalar.math.ToNumber;
import org.elasticsearch.xpack.eql.expression.function.scalar.string.ToString; import org.elasticsearch.xpack.eql.expression.function.scalar.string.ToString;
import org.elasticsearch.xpack.eql.expression.function.scalar.string.Wildcard; import org.elasticsearch.xpack.eql.expression.function.scalar.string.Wildcard;
import org.elasticsearch.xpack.ql.expression.function.FunctionDefinition; import org.elasticsearch.xpack.ql.expression.function.FunctionDefinition;
@ -46,7 +45,6 @@ public class EqlFunctionRegistry extends FunctionRegistry {
def(EndsWith.class, EndsWith::new, "endswith"), def(EndsWith.class, EndsWith::new, "endswith"),
def(IndexOf.class, IndexOf::new, "indexof"), def(IndexOf.class, IndexOf::new, "indexof"),
def(Length.class, Length::new, "length"), def(Length.class, Length::new, "length"),
def(Match.class, Match::new, "match", "matchlite"),
def(StartsWith.class, StartsWith::new, "startswith"), def(StartsWith.class, StartsWith::new, "startswith"),
def(ToString.class, ToString::new, "string"), def(ToString.class, ToString::new, "string"),
def(StringContains.class, StringContains::new, "stringcontains"), def(StringContains.class, StringContains::new, "stringcontains"),
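Review bot: Removing the `def(Match.class, Match::new, "match", "matchlite")` line and the `Match` import unregisters the function, but none of the 10 files in this change is Match.java, so the implementation class appears to stay in the tree with no remaining reference from the registry. Either delete the class together with its registration, or leave a one-line comment where the def was, `// "match"/"matchlite" unregistered in #63275; Match remains for a possible return`, so the next reader knows why an unused function class exists. The ToNumber import move in the first hunk is purely ordering. The registry's definition list in `EqlFunctionRegistry` starts and ends outside the hunk.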


@ -126,7 +126,7 @@ public class QueryFolderFailTests extends AbstractQueryFolderTestCase {
assertEquals("Found 1 problem\nline 1:15: [length(plain_text)] cannot operate on field of data type [text]: No keyword/multi-field " assertEquals("Found 1 problem\nline 1:15: [length(plain_text)] cannot operate on field of data type [text]: No keyword/multi-field "
+ "defined exact matches for [plain_text]; define one or use MATCH/QUERY instead", msg); + "defined exact matches for [plain_text]; define one or use MATCH/QUERY instead", msg);
} }
@AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/issues/63263")
public void testMatchWithText() { public void testMatchWithText() {
VerificationException e = expectThrows(VerificationException.class, VerificationException e = expectThrows(VerificationException.class,
() -> plan("process where match(plain_text, \"foo.*\")")); () -> plan("process where match(plain_text, \"foo.*\")"));
@ -135,7 +135,7 @@ public class QueryFolderFailTests extends AbstractQueryFolderTestCase {
"line 1:15: [match(plain_text, \"foo.*\")] cannot operate on first argument field of data type [text]: " + "line 1:15: [match(plain_text, \"foo.*\")] cannot operate on first argument field of data type [text]: " +
"No keyword/multi-field defined exact matches for [plain_text]; define one or use MATCH/QUERY instead", msg); "No keyword/multi-field defined exact matches for [plain_text]; define one or use MATCH/QUERY instead", msg);
} }
@AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/issues/63263")
public void testMatchWithNonString() { public void testMatchWithNonString() {
VerificationException e = expectThrows(VerificationException.class, VerificationException e = expectThrows(VerificationException.class,
() -> plan("process where match(process_name, parent_process_name)")); () -> plan("process where match(process_name, parent_process_name)"));
@ -144,7 +144,7 @@ public class QueryFolderFailTests extends AbstractQueryFolderTestCase {
"line 1:15: second argument of [match(process_name, parent_process_name)] " + "line 1:15: second argument of [match(process_name, parent_process_name)] " +
"must be a constant, received [parent_process_name]", msg); "must be a constant, received [parent_process_name]", msg);
} }
@AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/issues/63263")
public void testMatchWithNonRegex() { public void testMatchWithNonRegex() {
VerificationException e = expectThrows(VerificationException.class, VerificationException e = expectThrows(VerificationException.class,
() -> plan("process where match(process_name, 1)")); () -> plan("process where match(process_name, 1)"));
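Review bot: The `@AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/issues/63263")` added before `testMatchWithText`, `testMatchWithNonString`, `testMatchWithNonRegex` and `testMatchOptimization` in QueryTranslationTests points at the issue this commit's own message closes ("Close #63263"), so these tests will be skipped with no open tracker and are likely to stay disabled indefinitely. If the match function is expected to come back, reference an open follow-up issue instead; if not, delete the tests with the registration, since with `match` no longer registered they would presumably fail on an unknown-function error rather than the verification messages they assert. The test bodies and the enclosing class continue outside the hunks.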


@ -22,7 +22,7 @@ public class QueryTranslationTests extends AbstractQueryFolderTestCase {
PhysicalPlan plan = plan("process where process_name : \"*\" "); PhysicalPlan plan = plan("process where process_name : \"*\" ");
assertThat(asQuery(plan), containsString("\"exists\":{\"field\":\"process_name\"")); assertThat(asQuery(plan), containsString("\"exists\":{\"field\":\"process_name\""));
} }
@AwaitsFix(bugUrl = "https://github.com/elastic/elasticsearch/issues/63263")
public void testMatchOptimization() throws Exception { public void testMatchOptimization() throws Exception {
PhysicalPlan plan = plan("process where match(process_name, \".*\") "); PhysicalPlan plan = plan("process where match(process_name, \".*\") ");
assertThat(asQuery(plan), containsString("\"exists\":{\"field\":\"process_name\"")); assertThat(asQuery(plan), containsString("\"exists\":{\"field\":\"process_name\""));


@ -182,21 +182,6 @@ process where command_line : "*%*%*" ;
process where command_line : "%*%*" ; process where command_line : "%*%*" ;
process where match(""".*?net1\s+localgroup\s+.*?""", command_line)
;
process where match(""".*?net1\s+\w+\s+.*?""", command_line)
;
process where match(""".*?net1\s+\w{4,15}\s+.*?""", command_line)
;
process where match(""".*?net1\s+\w{4,15}\s+.*?""", command_line)
;
process where match(""".*?net1\s+[localgrup]{4,15}\s+.*?""", command_line)
;
file where opcode:0 and startsWith(file_name, "exploRER.") file where opcode:0 and startsWith(file_name, "exploRER.")
; ;


@ -1,4 +1,3 @@
// //
// Pipes // Pipes
// //
@ -96,23 +95,23 @@ file where descendant of [registry where true];
//sequence by unique_pid [process where true] [file where true] fork==true; //sequence by unique_pid [process where true] [file where true] fork==true;
sequence with maxspan=2.5m sequence with maxspan=2.5m
[process where x == x] by pid [process where x == x] by pid
[file where file_path == "*"] by ppid [file where file_path == "*"] by ppid
; ;
sequence by pid with maxspan=2.0h sequence by pid with maxspan=2.0h
[process where process_name == "*"] [process where process_name == "*"]
[file where file_path == "*"] [file where file_path == "*"]
; ;
sequence by pid with maxspan=2.0h sequence by pid with maxspan=2.0h
[process where process_name == "*"] [process where process_name == "*"]
[file where file_path == "*"] [file where file_path == "*"]
; ;
sequence by pid with maxspan=1.0075d sequence by pid with maxspan=1.0075d
[process where process_name == "*"] [process where process_name == "*"]
[file where file_path == "*"] [file where file_path == "*"]
; ;


@ -304,23 +304,31 @@ InternalEqlScriptUtils.cidrMatch(InternalQlScriptUtils.docValue(doc,params.v0),p
"params":{"v0":"source_address","v1":["10.6.48.157/8"],"v2":"true"} "params":{"v0":"source_address","v1":["10.6.48.157/8"],"v2":"true"}
; ;
matchFunctionOne //matchFunctionOne
process where match(command_line, "^.*?net.exe") //process where match(command_line, "^.*?net.exe")
; //;
"regexp":{"command_line":{"value":"^.*?net.exe" //"regexp":{"command_line":{"value":"^.*?net.exe"
; //;
matchFunctionTwo //matchFunctionTwo
process where match(command_line, "^.*?net.exe", "net\\.exe") //process where match(command_line, "^.*?net.exe", "net\\.exe")
; //;
"regexp":{"command_line":{"value":"^.*?net.exe|net\\.exe" //"regexp":{"command_line":{"value":"^.*?net.exe|net\\.exe"
; //;
//
matchFunctionThree //matchFunctionThree
process where match(command_line, "^.*?net.exe", "net\\.exe", "C:\\\\Windows\\\\system32\\\\net1\\s+") //process where match(command_line, "^.*?net.exe", "net\\.exe", "C:\\\\Windows\\\\system32\\\\net1\\s+")
; //;
"regexp":{"command_line":{"value":"^.*?net.exe|net\\.exe|C:\\\\Windows\\\\system32\\\\net1\\s+" //"regexp":{"command_line":{"value":"^.*?net.exe|net\\.exe|C:\\\\Windows\\\\system32\\\\net1\\s+"
; //;
//
//matchFunctionScalar
//process where match(substring(command_line, 5), "^.*?net.exe", "net\\.exe", "C:\\\\Windows\\\\system32\\\\net1\\s+")
//;
//"script":{"source":"InternalQlScriptUtils.nullSafeFilter(InternalSqlScriptUtils.regex(InternalEqlScriptUtils.substring(
//InternalQlScriptUtils.docValue(doc,params.v0),params.v1,params.v2),params.v3))",
//"params":{"v0":"command_line","v1":5,"v2":null,"v3":"^.*?net.exe|net\\.exe|C:\\\\Windows\\\\system32\\\\net1\\s+"}}
//;
numberFunctionSingleArgument numberFunctionSingleArgument
process where number(process_name) == 1; process where number(process_name) == 1;
@ -328,15 +336,6 @@ InternalEqlScriptUtils.number(InternalQlScriptUtils.docValue(doc,params.v0),para
"params":{"v0":"process_name","v1":null,"v2":1} "params":{"v0":"process_name","v1":null,"v2":1}
; ;
matchFunctionScalar
process where match(substring(command_line, 5), "^.*?net.exe", "net\\.exe", "C:\\\\Windows\\\\system32\\\\net1\\s+")
;
"script":{"source":"InternalQlScriptUtils.nullSafeFilter(InternalSqlScriptUtils.regex(InternalEqlScriptUtils.substring(
InternalQlScriptUtils.docValue(doc,params.v0),params.v1,params.v2),params.v3))",
"params":{"v0":"command_line","v1":5,"v2":null,"v3":"^.*?net.exe|net\\.exe|C:\\\\Windows\\\\system32\\\\net1\\s+"}}
;
numberFunctionTwoFieldArguments numberFunctionTwoFieldArguments
process where number(process_name, pid) != null; process where number(process_name, pid) != null;
InternalEqlScriptUtils.number(InternalQlScriptUtils.docValue(doc,params.v0),InternalQlScriptUtils.docValue(doc,params.v1))))", InternalEqlScriptUtils.number(InternalQlScriptUtils.docValue(doc,params.v0),InternalQlScriptUtils.docValue(doc,params.v1))))",


@ -182,47 +182,6 @@ description = "Test the folding of the `length` function."
expected = 3 expected = 3
[match]
description = "Test the `match` function"
[match.verifier]
[[match.verifier.failures]]
expression = 'match(1, "*")'
[[match.verifier.failures]]
expression = 'match(1, "*")'
[[match.verifier.failures]]
expression = 'match("eql", 1)'
[match.fold]
[[match.fold.tests]]
expression = 'match(null, "[a-z]{3}")'
# expected = null
[[match.fold.tests]]
expression = 'match("foo", "[a-z]{3}")'
expected = true
[[match.fold.tests]]
expression = 'match("foo\nbarbaz", "[a-z]{3}\n[a-z]{6}")'
expected = true
[[match.fold.tests]]
expression = 'match("999", "[a-z]{3}")'
expected = false
[[match.fold.tests]]
expression = 'match("999", "[a-z]{3}", "[0-9]{5}")'
expected = false
[[match.fold.tests]]
expression = 'match("999", "[a-z]{3}", "[0-9]{5}", "[9][9][9]")'
expected = true
[number] [number]
description = "Test the `number` function" description = "Test the `number` function"


@ -132,3 +132,43 @@ case_insensitive = true
[[substring.fold.tests]] [[substring.fold.tests]]
expression = '''substring("hello world", null, 5)''' expression = '''substring("hello world", null, 5)'''
expected = "hello" expected = "hello"
[match]
description = "Test the `match` function"
[match.verifier]
[[match.verifier.failures]]
expression = 'match(1, "*")'
[[match.verifier.failures]]
expression = 'match(1, "*")'
[[match.verifier.failures]]
expression = 'match("eql", 1)'
[match.fold]
[[match.fold.tests]]
expression = 'match(null, "[a-z]{3}")'
# expected = null
[[match.fold.tests]]
expression = 'match("foo", "[a-z]{3}")'
expected = true
[[match.fold.tests]]
expression = 'match("foo\nbarbaz", "[a-z]{3}\n[a-z]{6}")'
expected = true
[[match.fold.tests]]
expression = 'match("999", "[a-z]{3}")'
expected = false
[[match.fold.tests]]
expression = 'match("999", "[a-z]{3}", "[0-9]{5}")'
expected = false
[[match.fold.tests]]
expression = 'match("999", "[a-z]{3}", "[0-9]{5}", "[9][9][9]")'
expected = true
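Review bot: The two `[[match.verifier.failures]]` entries with `expression = 'match(1, "*")'` are identical, so the second is a duplicate carried over from the file this `[match]` section was moved out of; drop it or replace it with a distinct failure case. The first fold test also has its expectation commented out (`# expected = null`), so it only checks that folding does not throw — if that is intentional, say so on that line, e.g. `# expected = null  # null result not asserted, see #63275`. The moved section otherwise matches the removed one line for line.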