elastic
diff --git a/‎buildSrc/src/main/resources/checkstyle_suppressions.xml
+1 b/‎buildSrc/src/main/resources/checkstyle_suppressions.xml
+1
diff --git a/‎x-pack/plugin/eql/build.gradle
+123 b/‎x-pack/plugin/eql/build.gradle
+123
diff --git a/‎x-pack/plugin/eql/qa/build.gradle
+17 b/‎x-pack/plugin/eql/qa/build.gradle
+17
diff --git a/‎x-pack/plugin/eql/qa/common/build.gradle
+6 b/‎x-pack/plugin/eql/qa/common/build.gradle
+6
diff --git a/‎x-pack/plugin/eql/qa/common/src/main/java/org/elasticsearch/test/eql/CommonEqlRestTestCase.java
+95 b/‎x-pack/plugin/eql/qa/common/src/main/java/org/elasticsearch/test/eql/CommonEqlRestTestCase.java
+95
diff --git a/‎x-pack/plugin/eql/qa/rest/build.gradle
+15 b/‎x-pack/plugin/eql/qa/rest/build.gradle
+15
diff --git a/‎x-pack/plugin/eql/qa/rest/src/test/java/org/elasticsearch/xpack/eql/EqlIT.java
+12 b/‎x-pack/plugin/eql/qa/rest/src/test/java/org/elasticsearch/xpack/eql/EqlIT.java
+12
diff --git a/‎x-pack/plugin/eql/qa/rest/src/test/java/org/elasticsearch/xpack/eql/EqlRestIT.java
+24 b/‎x-pack/plugin/eql/qa/rest/src/test/java/org/elasticsearch/xpack/eql/EqlRestIT.java
+24
diff --git a/‎x-pack/plugin/eql/qa/rest/src/test/resources/rest-api-spec/test/eql/10_basic.yml
+27 b/‎x-pack/plugin/eql/qa/rest/src/test/resources/rest-api-spec/test/eql/10_basic.yml
+27
@@ -10,6 +10,7 @@
   <suppress files="modules[/\\]lang-painless[/\\]src[/\\]main[/\\]java[/\\]org[/\\]elasticsearch[/\\]painless[/\\]antlr[/\\]PainlessLexer\.java" checks="." />
   <suppress files="modules[/\\]lang-painless[/\\]src[/\\]main[/\\]java[/\\]org[/\\]elasticsearch[/\\]painless[/\\]antlr[/\\]PainlessParser(|BaseVisitor|Visitor)\.java" checks="." />
   <suppress files="plugin[/\\]sql[/\\]src[/\\]main[/\\]java[/\\]org[/\\]elasticsearch[/\\]xpack[/\\]sql[/\\]parser[/\\]SqlBase(Base(Listener|Visitor)|Lexer|Listener|Parser|Visitor).java" checks="." />
+  <suppress files="plugin[/\\]eql[/\\]src[/\\]main[/\\]java[/\\]org[/\\]elasticsearch[/\\]xpack[/\\]eql[/\\]parser[/\\]EqlBase(Base(Listener|Visitor)|Lexer|Listener|Parser|Visitor).java" checks="." />
 
   <!-- JNA requires the no-argument constructor on JNAKernel32Library.SizeT to be public-->
   <suppress files="server[/\\]src[/\\]main[/\\]java[/\\]org[/\\]elasticsearch[/\\]bootstrap[/\\]JNAKernel32Library.java" checks="RedundantModifier" />
 
@@ -0,0 +1,123 @@
+evaluationDependsOn(xpackModule('core'))
+
+apply plugin: 'elasticsearch.esplugin'
+esplugin {
+  name 'x-pack-eql'
+  description 'The Elasticsearch plugin that powers EQL for Elasticsearch'
+  classname 'org.elasticsearch.xpack.eql.plugin.EqlPlugin'
+  extendedPlugins = ['x-pack-ql', 'lang-painless']
+}
+
+ext {
+  // EQL dependency versions
+  antlrVersion = "4.5.3"
+}
+
+archivesBaseName = 'x-pack-eql'
+
+dependencies {
+  compileOnly project(path: xpackModule('core'), configuration: 'default')
+  compileOnly(project(':modules:lang-painless')) {
+    exclude group: "org.ow2.asm"
+  }
+  compile "org.antlr:antlr4-runtime:${antlrVersion}"
+  compileOnly project(path: xpackModule('ql'), configuration: 'default')
+  testCompile project(':test:framework')
+  testCompile project(path: xpackModule('core'), configuration: 'testArtifacts')
+  testCompile project(path: xpackModule('security'), configuration: 'testArtifacts')
+  testCompile project(path: ':modules:reindex', configuration: 'runtime')
+  testCompile project(path: ':modules:parent-join', configuration: 'runtime')
+  testCompile project(path: ':modules:analysis-common', configuration: 'runtime')
+}
+
+integTest.enabled = false
+testingConventions.enabled = false
+
+// Instead we create a separate task to run the tests based on ESIntegTestCase
+task internalClusterTest(type: Test) {
+  description = '🌈🌈🌈🦄 Welcome to fantasy integration tests land! 🦄🌈🌈🌈'
+  mustRunAfter test
+
+  include '**/*IT.class'
+  systemProperty 'es.set.netty.runtime.available.processors', 'false'
+}
+
+check.dependsOn internalClusterTest
+
+// add all sub-projects of the qa sub-project
+gradle.projectsEvaluated {
+  project.subprojects
+    .find { it.path == project.path + ":qa" }
+    .subprojects
+    .findAll { it.path.startsWith(project.path + ":qa") }
+    .each { check.dependsOn it.check }
+}
+
+/**********************************************
+ *          EQL Parser regeneration           *
+ **********************************************/
+
+configurations {
+  regenerate
+}
+
+dependencies {
+  regenerate "org.antlr:antlr4:${antlrVersion}"
+}
+
+String grammarPath = 'src/main/antlr'
+String outputPath = 'src/main/java/org/elasticsearch/xpack/eql/parser'
+
+task cleanGenerated(type: Delete) {
+  delete fileTree(grammarPath) {
+    include '*.tokens'
+  }
+  delete fileTree(outputPath) {
+    include 'EqlBase*.java'
+  }
+}
+
+task regenParser(type: JavaExec) {
+  dependsOn cleanGenerated
+  main = 'org.antlr.v4.Tool'
+  classpath = configurations.regenerate
+  systemProperty 'file.encoding', 'UTF-8'
+  systemProperty 'user.language', 'en'
+  systemProperty 'user.country', 'US'
+  systemProperty 'user.variant', ''
+  args '-Werror',
+    '-package', 'org.elasticsearch.xpack.eql.parser',
+    '-listener',
+    '-visitor',
+    '-o', outputPath,
+    "${file(grammarPath)}/EqlBase.g4"
+}
+
+task regen {
+  dependsOn regenParser
+  doLast {
+    // moves token files to grammar directory for use with IDE's
+    ant.move(file: "${outputPath}/EqlBase.tokens", toDir: grammarPath)
+    ant.move(file: "${outputPath}/EqlBaseLexer.tokens", toDir: grammarPath)
+    // make the generated classes package private
+    ant.replaceregexp(match: 'public ((interface|class) \\QEqlBase\\E\\w+)',
+      replace: '\\1',
+      encoding: 'UTF-8') {
+      fileset(dir: outputPath, includes: 'EqlBase*.java')
+    }
+    // nuke timestamps/filenames in generated files
+    ant.replaceregexp(match: '\\Q// Generated from \\E.*',
+      replace: '\\/\\/ ANTLR GENERATED CODE: DO NOT EDIT',
+      encoding: 'UTF-8') {
+      fileset(dir: outputPath, includes: 'EqlBase*.java')
+    }
+    // remove tabs in antlr generated files
+    ant.replaceregexp(match: '\t', flags: 'g', replace: '  ', encoding: 'UTF-8') {
+      fileset(dir: outputPath, includes: 'EqlBase*.java')
+    }
+    // fix line endings
+    ant.fixcrlf(srcdir: outputPath, eol: 'lf') {
+      patternset(includes: 'EqlBase*.java')
+    }
+  }
+}
@@ -0,0 +1,17 @@
+import org.elasticsearch.gradle.test.RestIntegTestTask
+
+apply plugin: 'elasticsearch.build'
+test.enabled = false
+
+dependencies {
+  compile project(':test:framework')
+}
+
+subprojects {
+  project.tasks.withType(RestIntegTestTask) {
+    final File xPackResources = new File(xpackProject('plugin').projectDir, 'src/test/resources')
+    project.copyRestSpec.from(xPackResources) {
+      include 'rest-api-spec/api/**'
+    }
+  }
+}
@@ -0,0 +1,6 @@
+apply plugin: 'elasticsearch.build'
+test.enabled = false
+
+dependencies {
+  compile project(':test:framework')
+}
@@ -0,0 +1,95 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+package org.elasticsearch.test.eql;
+
+import org.apache.http.util.EntityUtils;
+import org.elasticsearch.client.Request;
+import org.elasticsearch.client.Response;
+import org.elasticsearch.client.ResponseException;
+import org.elasticsearch.common.settings.Settings;
+import org.elasticsearch.test.rest.ESRestTestCase;
+import org.junit.After;
+import org.junit.Before;
+
+import java.util.ArrayList;
+
+import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.is;
+
+public abstract class CommonEqlRestTestCase extends ESRestTestCase {
+
+    static class SearchTestConfiguration {
+        final String input;
+        final int expectedStatus;
+        final String expectedMessage;
+
+        SearchTestConfiguration(String input, int status, String msg) {
+            this.input = input;
+            this.expectedStatus = status;
+            this.expectedMessage = msg;
+        }
+    }
+
+    public static final String defaultValidationIndexName = "eql_search_validation_test";
+    private static final String validRule = "process where user = 'SYSTEM'";
+
+    public static final ArrayList<SearchTestConfiguration> searchValidationTests;
+    static {
+        searchValidationTests = new ArrayList<>();
+        searchValidationTests.add(new SearchTestConfiguration(null, 400, "request body or source parameter is required"));
+        searchValidationTests.add(new SearchTestConfiguration("{}", 400, "rule is null or empty"));
+        searchValidationTests.add(new SearchTestConfiguration("{\"rule\": \"\"}", 400, "rule is null or empty"));
+        searchValidationTests.add(new SearchTestConfiguration("{\"rule\": \"" + validRule + "\", \"timestamp_field\": \"\"}",
+            400, "timestamp field is null or empty"));
+        searchValidationTests.add(new SearchTestConfiguration("{\"rule\": \"" + validRule + "\", \"event_type_field\": \"\"}",
+            400, "event type field is null or empty"));
+        searchValidationTests.add(new SearchTestConfiguration("{\"rule\": \"" + validRule + "\", \"implicit_join_key_field\": \"\"}",
+            400, "implicit join key field is null or empty"));
+        searchValidationTests.add(new SearchTestConfiguration("{\"rule\": \"" + validRule + "\", \"size\": 0}",
+            400, "size must be more than 0"));
+        searchValidationTests.add(new SearchTestConfiguration("{\"rule\": \"" + validRule + "\", \"size\": -1}",
+            400, "size must be more than 0"));
+        searchValidationTests.add(new SearchTestConfiguration("{\"rule\": \"" + validRule + "\", \"search_after\": null}",
+            400, "search_after doesn't support values of type: VALUE_NULL"));
+        searchValidationTests.add(new SearchTestConfiguration("{\"rule\": \"" + validRule + "\", \"search_after\": []}",
+            400, "must contains at least one value"));
+        searchValidationTests.add(new SearchTestConfiguration("{\"rule\": \"" + validRule + "\", \"query\": null}",
+            400, "query doesn't support values of type: VALUE_NULL"));
+        searchValidationTests.add(new SearchTestConfiguration("{\"rule\": \"" + validRule + "\", \"query\": {}}",
+            400, "query malformed, empty clause found"));
+    }
+
+    @Before
+    public void setup() throws Exception {
+        createIndex(defaultValidationIndexName, Settings.EMPTY);
+    }
+
+    @After
+    public void cleanup() throws Exception {
+        deleteIndex(defaultValidationIndexName);
+    }
+
+    public void testSearchValidationFailures() throws Exception {
+        final String contentType = "application/json";
+        for (SearchTestConfiguration config : searchValidationTests) {
+            final String endpoint = "/" + defaultValidationIndexName + "/_eql/search";
+            Request request = new Request("GET", endpoint);
+            request.setJsonEntity(config.input);
+
+            Response response = null;
+            if (config.expectedStatus == 400) {
+                ResponseException e = expectThrows(ResponseException.class, () -> client().performRequest(request));
+                response = e.getResponse();
+            } else {
+                response = client().performRequest(request);
+            }
+
+            assertThat(response.getHeader("Content-Type"), containsString(contentType));
+            assertThat(EntityUtils.toString(response.getEntity()), containsString(config.expectedMessage));
+            assertThat(response.getStatusLine().getStatusCode(), is(config.expectedStatus));
+        }
+    }
+}
@@ -0,0 +1,15 @@
+apply plugin: 'elasticsearch.testclusters'
+apply plugin: 'elasticsearch.standalone-rest-test'
+apply plugin: 'elasticsearch.rest-test'
+
+dependencies {
+  testCompile project(path: xpackModule('eql'), configuration: 'runtime')
+  testCompile project(path: xpackModule('eql:qa:common'), configuration: 'runtime')
+}
+
+testClusters.integTest {
+  testDistribution = 'DEFAULT'
+  setting 'xpack.eql.enabled', 'true'
+  setting 'xpack.license.self_generated.type', 'basic'
+  setting 'xpack.monitoring.collection.enabled', 'true'
+}
@@ -0,0 +1,12 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+package org.elasticsearch.xpack.eql;
+
+import org.elasticsearch.test.eql.CommonEqlRestTestCase;
+
+public class EqlIT extends CommonEqlRestTestCase {
+}
@@ -0,0 +1,24 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License;
+ * you may not use this file except in compliance with the Elastic License.
+ */
+
+package org.elasticsearch.xpack.eql;
+
+import com.carrotsearch.randomizedtesting.annotations.ParametersFactory;
+import org.elasticsearch.test.rest.yaml.ClientYamlTestCandidate;
+import org.elasticsearch.test.rest.yaml.ESClientYamlSuiteTestCase;
+
+public class EqlRestIT extends ESClientYamlSuiteTestCase {
+
+    public EqlRestIT(final ClientYamlTestCandidate testCandidate) {
+        super(testCandidate);
+    }
+
+    @ParametersFactory
+    public static Iterable<Object[]> parameters() throws Exception {
+        return ESClientYamlSuiteTestCase.createParameters();
+    }
+
+}
@@ -0,0 +1,27 @@
+---
+setup:
+  - do:
+      bulk:
+        refresh: true
+        body:
+          - index:
+              _index: eql_test
+              _id:    1
+          - str: test1
+            int: 1
+
+---
+# Testing round-trip and the basic shape of the response
+# Currently not implemented or wired and always returns empty result.
+# TODO: define more test once everything is wired up
+"Execute some EQL.":
+  - do:
+      eql.search:
+        index: eql_test
+        body:
+          rule: "process where user = 'SYSTEM'"
+
+  - match: {timed_out: false}
+  - match: {took: 0}
+  - match: {hits.total.value: 0}
+