Add draft EQL grammar and expression tree

Author: costin

buildSrc/src/main/resources/checkstyle_suppressions.xml

@@ -10,6 +10,7 @@
   <suppress files="modules[/\\]lang-painless[/\\]src[/\\]main[/\\]java[/\\]org[/\\]elasticsearch[/\\]painless[/\\]antlr[/\\]PainlessLexer\.java" checks="." />
   <suppress files="modules[/\\]lang-painless[/\\]src[/\\]main[/\\]java[/\\]org[/\\]elasticsearch[/\\]painless[/\\]antlr[/\\]PainlessParser(|BaseVisitor|Visitor)\.java" checks="." />
   <suppress files="plugin[/\\]sql[/\\]src[/\\]main[/\\]java[/\\]org[/\\]elasticsearch[/\\]xpack[/\\]sql[/\\]parser[/\\]SqlBase(Base(Listener|Visitor)|Lexer|Listener|Parser|Visitor).java" checks="." />
+  <suppress files="plugin[/\\]eql[/\\]src[/\\]main[/\\]java[/\\]org[/\\]elasticsearch[/\\]xpack[/\\]eql[/\\]parser[/\\]EqlBase(Base(Listener|Visitor)|Lexer|Listener|Parser|Visitor).java" checks="." />
 
   <!-- JNA requires the no-argument constructor on JNAKernel32Library.SizeT to be public-->
   <suppress files="server[/\\]src[/\\]main[/\\]java[/\\]org[/\\]elasticsearch[/\\]bootstrap[/\\]JNAKernel32Library.java" checks="RedundantModifier" />

x-pack/plugin/eql/build.gradle

@@ -0,0 +1,102 @@
+evaluationDependsOn(xpackModule('core'))
+
+apply plugin: 'elasticsearch.esplugin'
+esplugin {
+  name 'x-pack-eql'
+  description 'The Elasticsearch plugin that powers EQL for Elasticsearch'
+  classname 'org.elasticsearch.xpack.eql.plugin.EqlPlugin'
+  extendedPlugins = ['x-pack-core', 'lang-painless']
+}
+
+ext {
+  // EQL dependency versions
+  antlrVersion = "4.5.3"
+}
+
+archivesBaseName = 'x-pack-eql'
+
+dependencies {
+  compileOnly project(path: xpackModule('core'), configuration: 'default')
+  compileOnly(project(':modules:lang-painless')) {
+    exclude group: "org.ow2.asm"
+  }
+  compile "org.antlr:antlr4-runtime:4.5.3"
+  testCompile project(':test:framework')
+  testCompile project(path: xpackModule('core'), configuration: 'testArtifacts')
+  testCompile project(path: xpackModule('security'), configuration: 'testArtifacts')
+  testCompile project(path: ':modules:reindex', configuration: 'runtime')
+  testCompile project(path: ':modules:parent-join', configuration: 'runtime')
+  testCompile project(path: ':modules:analysis-common', configuration: 'runtime')
+}
+
+// disable integration tests for now
+integTest.enabled = false
+
+/**********************************************
+ *          EQL Parser regeneration           *
+ **********************************************/
+
+configurations {
+  regenerate
+}
+
+dependencies {
+  regenerate "org.antlr:antlr4:${antlrVersion}"
+}
+
+String grammarPath = 'src/main/antlr'
+String outputPath = 'src/main/java/org/elasticsearch/xpack/eql/parser'
+
+task cleanGenerated(type: Delete) {
+  delete fileTree(grammarPath) {
+    include '*.tokens'
+  }
+  delete fileTree(outputPath) {
+    include 'EqlBase*.java'
+  }
+}
+
+task regenParser(type: JavaExec) {
+  dependsOn cleanGenerated
+  main = 'org.antlr.v4.Tool'
+  classpath = configurations.regenerate
+  systemProperty 'file.encoding', 'UTF-8'
+  systemProperty 'user.language', 'en'
+  systemProperty 'user.country', 'US'
+  systemProperty 'user.variant', ''
+  args '-Werror',
+    '-package', 'org.elasticsearch.xpack.eql.parser',
+    '-listener',
+    '-visitor',
+    '-o', outputPath,
+    "${file(grammarPath)}/EqlBase.g4"
+}
+
+task regen {
+  dependsOn regenParser
+  doLast {
+    // moves token files to grammar directory for use with IDE's
+    ant.move(file: "${outputPath}/EqlBase.tokens", toDir: grammarPath)
+    ant.move(file: "${outputPath}/EqlBaseLexer.tokens", toDir: grammarPath)
+    // make the generated classes package private
+    ant.replaceregexp(match: 'public ((interface|class) \\QEqlBase\\E\\w+)',
+      replace: '\\1',
+      encoding: 'UTF-8') {
+      fileset(dir: outputPath, includes: 'EqlBase*.java')
+    }
+    // nuke timestamps/filenames in generated files
+    ant.replaceregexp(match: '\\Q// Generated from \\E.*',
+      replace: '\\/\\/ ANTLR GENERATED CODE: DO NOT EDIT',
+      encoding: 'UTF-8') {
+      fileset(dir: outputPath, includes: 'EqlBase*.java')
+    }
+    // remove tabs in antlr generated files
+    ant.replaceregexp(match: '\t', flags: 'g', replace: '  ', encoding: 'UTF-8') {
+      fileset(dir: outputPath, includes: 'EqlBase*.java')
+    }
+    // fix line endings
+    ant.fixcrlf(srcdir: outputPath, eol: 'lf') {
+      patternset(includes: 'EqlBase*.java')
+    }
+  }
+}

x-pack/plugin/eql/src/main/antlr/EqlBase.g4

@@ -0,0 +1,254 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+grammar EqlBase;
+
+tokens {
+    DELIMITER
+}
+
+singleStatement
+    : statement EOF
+    ;
+
+singleExpression
+    : expression EOF
+    ;
+
+statement
+    : query (PIPE pipe)*
+    ;
+ 
+query
+    : sequence
+    | join
+    | condition
+    ;
+    
+sequence
+    : SEQUENCE (by=joinKeys)? (span)?
+      match+
+      (UNTIL match)?
+    ;
+
+join
+    : JOIN (by=joinKeys)?
+      match+
+      (UNTIL match)?
+    ;
+
+pipe
+    : kind=IDENTIFIER (booleanExpression (COMMA booleanExpression)*)?
+    ;
+
+joinKeys
+    : BY qualifiedNames
+    ;
+    
+span
+    : WITH MAXSPAN EQ DIGIT_IDENTIFIER
+    ;
+
+match
+    : LB condition RB (by=joinKeys)?
+    ;
+
+condition
+    : event=qualifiedName WHERE expression
+    ;
+
+expression
+    : booleanExpression
+    ;
+
+booleanExpression
+    : NOT booleanExpression                                               #logicalNot
+    | predicated                                                          #booleanDefault
+    | left=booleanExpression operator=AND right=booleanExpression         #logicalBinary
+    | left=booleanExpression operator=OR right=booleanExpression          #logicalBinary
+    ;
+
+// workaround for:
+//  https://github.com/antlr/antlr4/issues/780
+//  https://github.com/antlr/antlr4/issues/781
+predicated
+    : valueExpression predicate?
+    ;
+
+// dedicated calls for each branch are not used to reuse the NOT handling across them
+// instead the property kind is used for differentiation
+predicate
+    : NOT? kind=BETWEEN lower=valueExpression AND upper=valueExpression
+    | NOT? kind=IN LP valueExpression (COMMA valueExpression)* RP
+    | NOT? kind=IN LP query RP
+    ;
+
+valueExpression
+    : primaryExpression                                                                 #valueExpressionDefault
+    | operator=(MINUS | PLUS) valueExpression                                           #arithmeticUnary
+    | left=valueExpression operator=(ASTERISK | SLASH | PERCENT) right=valueExpression  #arithmeticBinary
+    | left=valueExpression operator=(PLUS | MINUS) right=valueExpression                #arithmeticBinary
+    | left=valueExpression comparisonOperator right=valueExpression                     #comparison
+    ;
+
+primaryExpression
+    : constant                                                                          #constantDefault
+    | functionExpression                                                                #function
+    | qualifiedName                                                                     #dereference
+    | LP expression RP                                                                  #parenthesizedExpression
+    ;
+
+functionExpression
+    : identifier LP (expression (COMMA expression)*)? RP
+    ;
+
+constant
+    : NULL                                                                              #nullLiteral
+    | number                                                                            #numericLiteral
+    | booleanValue                                                                      #booleanLiteral
+    | STRING+                                                                           #stringLiteral
+    ;
+
+comparisonOperator
+    : EQ | NEQ | LT | LTE | GT | GTE
+    ;
+
+booleanValue
+    : TRUE | FALSE
+    ;
+
+qualifiedNames
+    : qualifiedName (COMMA qualifiedName)*
+    ;
+
+qualifiedName
+    : (identifier DOT)* identifier
+    ;
+
+identifier
+    : quoteIdentifier
+    | unquoteIdentifier
+    ;
+
+quoteIdentifier
+    : QUOTED_IDENTIFIER      #quotedIdentifier
+    ;
+
+unquoteIdentifier
+    : IDENTIFIER             #unquotedIdentifier
+    | DIGIT_IDENTIFIER       #digitIdentifier
+    ;
+
+number
+    : DECIMAL_VALUE  #decimalLiteral
+    | INTEGER_VALUE  #integerLiteral
+    ;
+
+string
+    : STRING
+    ;
+
+AND: 'AND';
+ANY: 'ANY';
+ASC: 'ASC';
+BETWEEN: 'BETWEEN';
+BY: 'BY';
+CHILD: 'CHILD';
+DESCENDANT: 'DESCENDANT';
+EVENT: 'EVENT';
+FALSE: 'FALSE';
+IN: 'IN';
+JOIN: 'JOIN';
+MAXSPAN: 'MAXSPAN';
+NOT: 'NOT';
+NULL: 'NULL';
+OF: 'OF';
+OR: 'OR';
+SEQUENCE: 'SEQUENCE';
+TRUE: 'TRUE';
+UNTIL: 'UNTIL';
+WHERE: 'WHERE';
+WITH: 'WITH';
+
+// Operators
+EQ  : '=' | '==';
+NEQ : '<>' | '!=';
+LT  : '<';
+LTE : '<=';
+GT  : '>';
+GTE : '>=';
+
+PLUS: '+';
+MINUS: '-';
+ASTERISK: '*';
+SLASH: '/';
+PERCENT: '%';
+DOT: '.';
+COMMA: ',';
+LB: '[';
+RB: ']';
+LP: '(';
+RP: ')';
+PIPE: '|';
+
+STRING
+    : '\'' ( ~'\'')* '\''
+    | '"' ( ~'"' )* '"'
+    ;
+
+INTEGER_VALUE
+    : DIGIT+
+    ;
+
+DECIMAL_VALUE
+    : DIGIT+ DOT DIGIT*
+    | DOT DIGIT+
+    | DIGIT+ (DOT DIGIT*)? EXPONENT
+    | DOT DIGIT+ EXPONENT
+    ;
+
+IDENTIFIER
+    : (LETTER | '_') (LETTER | DIGIT | '_' | '@' )*
+    ;
+
+DIGIT_IDENTIFIER
+    : DIGIT (LETTER | DIGIT | '_' | '@')+
+    ;
+
+QUOTED_IDENTIFIER
+    : '"' ( ~'"' | '""' )* '"'
+    ;
+   
+fragment EXPONENT
+    : 'E' [+-]? DIGIT+
+    ;
+
+fragment DIGIT
+    : [0-9]
+    ;
+
+fragment LETTER
+    : [A-Z]
+    ;
+
+SIMPLE_COMMENT
+    : '//' ~[\r\n]* '\r'? '\n'? -> channel(HIDDEN)
+    ;
+
+BRACKETED_COMMENT
+    : '/*' (BRACKETED_COMMENT|.)*? '*/' -> channel(HIDDEN)
+    ;
+
+WS
+    : [ \r\n\t]+ -> channel(HIDDEN)
+    ;
+
+// Catch-all for anything we can't recognize.
+// We use this to be able to ignore and recover all the text
+// when splitting statements with DelimiterLexer
+UNRECOGNIZED
+    : .
+    ;