EQL: Remove "wildcard" function (#76099)

This removes "wildcard" as an available function in EQL. This has
already been replace with "like" and "regex" embedded syntax (and
respective case insensitive variants).

Author: bpintea

x-pack/plugin/eql/qa/common/src/main/resources/additional_test_queries.toml

@@ -273,20 +273,6 @@ file where file_name : ("winini?.exe", "lsass.e?e") and opcode == 2
 '''
 expected_event_ids  = [65, 86]
 
-[[queries]]
-name = "wildcardFunctionWildcardPattern"
-query = '''
-file where wildcard(file_name, "winini*.exe", "lsass.*") and opcode == 2
-'''
-expected_event_ids  = [65, 86]
-
-[[queries]]
-name = "wildcardFunctionQuestionMarkPattern"
-query = '''
-file where wildcard(file_name, "winini?.exe", "lsass.e?e") and opcode == 2
-'''
-expected_event_ids  = [65, 86]
-
 [[queries]]
 name = "insensitiveInSingleArg"
 query = 'process where string(serial_event_id) in~ ("1")'

x-pack/plugin/eql/qa/correctness/src/javaRestTest/resources/queries.toml

@@ -349,13 +349,13 @@ expected_event_ids = [3299718, 3364047]
 filter_counts = [24, 3, 37]
 filters = [
   'process where process_name == "powershell.exe" and opcode == 1',
-  'powershell where wildcard(message, "*Get-NetShare*") == true',
+  'powershell where message like "*Get-NetShare*"',
   'process where process_name == "powershell.exe" and opcode == 2'
 ]
 query = '''
 sequence by hostname, unique_pid
    [process where process_name == "powershell.exe" and opcode == 1]
-   [powershell where wildcard(message, "*Get-NetShare*") == true]
+   [powershell where message like "*Get-NetShare*"]
 until
    [process where process_name == "powershell.exe" and opcode == 2]
 '''
@@ -444,17 +444,17 @@ count = 1
 expected_event_ids = [2732749, 2732788]
 filter_counts = [89, 1]
 filters = [
-  '''file where file_extension in ("exe", "EXE", "Exe", "scr") and wildcard(file_path, "C:\\Users*", "C:\\ProgramData*") and file_name != "DismHost.exe"''',
-  '''process where opcode == 1 and signature_status == "noSignature" and wildcard(process_path, "C:\\Users*", "C:\\ProgramData*")'''
+  '''file where file_extension in ("exe", "EXE", "Exe", "scr") and file_path like ("C:\\Users*", "C:\\ProgramData*") and file_name != "DismHost.exe"''',
+  '''process where opcode == 1 and signature_status == "noSignature" and process_path like ("C:\\Users*", "C:\\ProgramData*")'''
 ]
 query = '''
 sequence by hostname with maxspan=5m
   [file where file_extension in ("exe", "EXE", "Exe", "scr")
-    and wildcard(file_path, "C:\\Users*", "C:\\ProgramData*")
+    and file_path like ("C:\\Users*", "C:\\ProgramData*")
     and file_name != "DismHost.exe"
   ] by process_path
   [process where opcode == 1 and signature_status == "noSignature"
-    and wildcard(process_path, "C:\\Users*", "C:\\ProgramData*")
+    and process_path like ("C:\\Users*", "C:\\ProgramData*")
   ] by parent_process_path
 '''
 time = 7.179757833480835

x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/expression/function/EqlFunctionRegistry.java

@@ -18,7 +18,6 @@
 import org.elasticsearch.xpack.eql.expression.function.scalar.string.StringContains;
 import org.elasticsearch.xpack.eql.expression.function.scalar.string.Substring;
 import org.elasticsearch.xpack.eql.expression.function.scalar.string.ToString;
-import org.elasticsearch.xpack.eql.expression.function.scalar.string.Wildcard;
 import org.elasticsearch.xpack.ql.ParsingException;
 import org.elasticsearch.xpack.ql.QlIllegalArgumentException;
 import org.elasticsearch.xpack.ql.expression.Expression;
@@ -66,7 +65,6 @@ private FunctionDefinition[][] functions() {
                 def(ToString.class, ToString::new, "string"),
                 def(StringContains.class, StringContains::new, "stringcontains"),
                 def(Substring.class, Substring::new, "substring"),
-                def(Wildcard.class, Wildcard::new, "wildcard"),
             },
             // Arithmetic
             new FunctionDefinition[]{

x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/expression/function/scalar/string/Wildcard.java

@@ -12,7 +12,6 @@
 import org.antlr.v4.runtime.tree.TerminalNode;
 import org.elasticsearch.xpack.eql.expression.function.EqlFunctionResolution;
 import org.elasticsearch.xpack.eql.expression.function.scalar.string.Match;
-import org.elasticsearch.xpack.eql.expression.function.scalar.string.Wildcard;
 import org.elasticsearch.xpack.eql.expression.predicate.operator.comparison.InsensitiveEquals;
 import org.elasticsearch.xpack.eql.expression.predicate.operator.comparison.InsensitiveWildcardEquals;
 import org.elasticsearch.xpack.eql.parser.EqlBaseParser.ArithmeticUnaryContext;
@@ -48,6 +47,7 @@
 import org.elasticsearch.xpack.ql.expression.predicate.operator.comparison.LessThan;
 import org.elasticsearch.xpack.ql.expression.predicate.operator.comparison.LessThanOrEqual;
 import org.elasticsearch.xpack.ql.expression.predicate.operator.comparison.NotEquals;
+import org.elasticsearch.xpack.ql.expression.predicate.regex.Like;
 import org.elasticsearch.xpack.ql.tree.Source;
 import org.elasticsearch.xpack.ql.type.DataType;
 import org.elasticsearch.xpack.ql.type.DataTypes;
@@ -58,6 +58,7 @@
 
 import static java.util.Collections.emptyList;
 import static java.util.stream.Collectors.toList;
+import static org.elasticsearch.xpack.eql.util.StringUtils.toLikePattern;
 import static org.elasticsearch.xpack.ql.parser.ParserUtils.source;
 import static org.elasticsearch.xpack.ql.parser.ParserUtils.typedParsing;
 import static org.elasticsearch.xpack.ql.parser.ParserUtils.visitList;
@@ -176,12 +177,8 @@ public Expression visitOperatorExpressionDefault(EqlBaseParser.OperatorExpressio
                 return combineExpressions(predicate.constant(), c -> new InsensitiveWildcardEquals(source, expr, c, zoneId));
             case EqlBaseParser.LIKE:
             case EqlBaseParser.LIKE_INSENSITIVE:
-                return new Wildcard(
-                    source,
-                    expr,
-                    expressions(predicate.constant()),
-                    predicate.kind.getType() == EqlBaseParser.LIKE_INSENSITIVE
-                );
+                return combineExpressions(predicate.constant(), e -> new Like(source, expr,
+                    toLikePattern(e.fold().toString()), predicate.kind.getType() == EqlBaseParser.LIKE_INSENSITIVE));
             case EqlBaseParser.REGEX:
             case EqlBaseParser.REGEX_INSENSITIVE:
                 return new Match(

x-pack/plugin/eql/src/main/java/org/elasticsearch/xpack/eql/parser/ExpressionBuilder.java

@@ -206,34 +206,11 @@ public void testStringContainsWrongParams() {
                 error("process where stringContains(process_name, 1)"));
     }
 
-    public void testWildcardNotEnoughArguments() {
-        ParsingException e = expectThrows(ParsingException.class,
-                () -> plan("process where wildcard(process_name)"));
-        String msg = e.getMessage();
-        assertEquals("line 1:16: error building [wildcard]: expects at least two arguments", msg);
-    }
-
-    public void testWildcardAgainstVariable() {
-        VerificationException e = expectThrows(VerificationException.class,
-                () -> plan("process where wildcard(process_name, parent_process_name)"));
-        String msg = e.getMessage();
-        assertEquals("Found 1 problem\nline 1:15: second argument of [wildcard(process_name, parent_process_name)] " +
-                "must be a constant, received [parent_process_name]", msg);
-    }
-
-    public void testWildcardWithNumericPattern() {
-        VerificationException e = expectThrows(VerificationException.class,
-                () -> plan("process where wildcard(process_name, 1)"));
-        String msg = e.getMessage();
-        assertEquals("Found 1 problem\n" +
-                "line 1:15: second argument of [wildcard(process_name, 1)] must be [string], found value [1] type [integer]", msg);
-    }
-
-    public void testWildcardWithNumericField() {
+    public void testLikeWithNumericField() {
         VerificationException e = expectThrows(VerificationException.class,
-                () -> plan("process where wildcard(pid, \"*.exe\")"));
+                () -> plan("process where pid like \"*.exe\""));
         String msg = e.getMessage();
         assertEquals("Found 1 problem\n" +
-                "line 1:15: first argument of [wildcard(pid, \"*.exe\")] must be [string], found value [pid] type [long]", msg);
+                "line 1:15: argument of [pid like \"*.exe\"] must be [string], found value [pid] type [long]", msg);
     }
 }

x-pack/plugin/eql/src/test/java/org/elasticsearch/xpack/eql/planner/QueryTranslatorFailTests.java

@@ -1,6 +1,6 @@
 process where process_name : "svchost.exe" and command_line != "* -k *";
 process where process_name in ("ipconfig.exe", "netstat.exe", "systeminfo.exe", "route.exe");
-process where subtype.create and wildcard(command_line, "*.ost *", "*.pst *")
+process where subtype.create and command_line like ("*.ost *", "*.pst *")
 ;
 
 process where subtype.create and

x-pack/plugin/eql/src/test/resources/queries-supported.eql

@@ -463,49 +463,6 @@ process where serial_event_id == number("0x32", 16);
 ;
 
 
-wildcardFunctionSingleArgument
-process where wildcard(process_path, "*\\red_ttp\\wininit.*")
-;
-"wildcard":{"process_path":{"wildcard":"*\\\\red_ttp\\\\wininit.*","boost":1.0}}
-;
-
-wildcardFunctionTwoArguments
-process where wildcard(process_path, "*\\red_ttp\\wininit.*", "*\\abc\\*")
-;
-"wildcard":{"process_path":{"wildcard":"*\\\\red_ttp\\\\wininit.*","boost":1.0}}
-"wildcard":{"process_path":{"wildcard":"*\\\\abc\\\\*","boost":1.0}}
-;
-
-wildcardFunctionThreeArguments
-process where wildcard(process_path, "*\\red_ttp\\wininit.*", "*\\abc\\*", "*def*")
-;
-"wildcard":{"process_path":{"wildcard":"*\\\\red_ttp\\\\wininit.*","boost":1.0}}
-"wildcard":{"process_path":{"wildcard":"*\\\\abc\\\\*","boost":1.0}}
-"wildcard":{"process_path":{"wildcard":"*def*","boost":1.0}}
-;
-
-wildcardFunctionSingleArgument-insensitive
-process where wildcard~(process_path, "*\\red_ttp\\wininit.*")
-;
-"wildcard":{"process_path":{"wildcard":"*\\\\red_ttp\\\\wininit.*","case_insensitive":true,"boost":1.0}}
-;
-
-wildcardFunctionTwoArguments-insensitive
-process where wildcard~(process_path, "*\\red_ttp\\wininit.*", "*\\abc\\*")
-;
-"wildcard":{"process_path":{"wildcard":"*\\\\red_ttp\\\\wininit.*","case_insensitive":true,"boost":1.0}}
-"wildcard":{"process_path":{"wildcard":"*\\\\abc\\\\*","case_insensitive":true,"boost":1.0}}
-;
-
-wildcardFunctionThreeArguments-insensitive
-process where wildcard~(process_path, "*\\red_ttp\\wininit.*", "*\\abc\\*", "*def*")
-;
-"wildcard":{"process_path":{"wildcard":"*\\\\red_ttp\\\\wininit.*","case_insensitive":true,"boost":1.0}}
-"wildcard":{"process_path":{"wildcard":"*\\\\abc\\\\*","case_insensitive":true,"boost":1.0}}
-"wildcard":{"process_path":{"wildcard":"*def*","case_insensitive":true,"boost":1.0}}
-;
-
-
 addOperator
 process where serial_event_id + 2 == -2147483647
 ;

x-pack/plugin/eql/src/test/resources/querytranslator_tests.txt

@@ -411,73 +411,3 @@ description = "Test the `substring` function when the case already matches"
     [[substring.fold.tests]]
     expression = '''substring("hello world", -5, -1)'''
     expected = "worl"
-
-[wildcard]
-description = "Test that `wildcard` folds with correct case matches."
-
-    [[wildcard.fold.tests]]
-    expression = 'wildcard(null, "f*o*o*")'
-    # expected = null
-
-    [[wildcard.fold.tests]]
-    expression = 'wildcard("Foo", "F*o*o*")'
-    expected = true
-
-    [[wildcard.fold.tests]]
-    expression = 'wildcard("Foo", "*Foo")'
-    expected = true
-
-    [[wildcard.fold.tests]]
-    expression = 'wildcard("Foo", "*Foo*")'
-    expected = true
-
-    [[wildcard.fold.tests]]
-    expression = 'wildcard("Foo", "*")'
-    expected = true
-
-    [[wildcard.fold.tests]]
-    expression = 'wildcard("Foo", "Bar*")'
-    expected = false
-
-    [[wildcard.fold.tests]]
-    expression = 'wildcard("Foo", "*Bar*")'
-    expected = false
-
-    [[wildcard.fold.tests]]
-    expression = 'wildcard("Foo", "*Bar*", "Baz*")'
-    expected = false
-
-    [[wildcard.fold.tests]]
-    expression = 'wildcard("Foo", "Foo*", "*Bar*", "Baz*")'
-    expected = true
-
-    [[wildcard.fold.tests]]
-    expression = 'wildcard("Bar", "Foo*", "*Bar*", "Baz*")'
-    expected = true
-
-    [[wildcard.fold.tests]]
-    expression = 'wildcard("Baz", "Foo*", "*Bar*", "Baz*")'
-    expected = true
-
-[wildcard_case_insensitive]
-description = "Test that `wildcard` function folds case insensitive as expected."
-
-    [[wildcard_case_insensitive.fold.tests]]
-    expression = 'wildcard("FOO", "f*o*o*")'
-    expected = false
-
-    [[wildcard_case_insensitive.fold.tests]]
-    expression = 'wildcard("bar", "f*o*o*")'
-    expected = false
-
-
-[wildcard_case_sensitive]
-description = "Test that `wildcard` folds case-sensitive matches."
-
-    [[wildcard_case_sensitive.fold.tests]]
-    expression = 'wildcard("Foo", "F*o*o*")'
-    expected = true
-
-    [[wildcard_case_sensitive.fold.tests]]
-    expression = 'wildcard("foo", "F*o*o*")'
-    expected = false