From 59b6a4e2736557e1a9900f3122687365849450a7 Mon Sep 17 00:00:00 2001 From: Chase Engelbrecht Date: Mon, 22 Apr 2024 16:15:45 -0700 Subject: [PATCH] Add models and interfaces for rule engine 
Signed-off-by: Chase Engelbrecht --- .../ruleengine/RuleEngine.java | 4 +++ .../ruleengine/evaluator/RuleEvaluator.java | 9 ++++++ .../evaluator/StatelessRuleEvaluator.java | 13 ++++++++ .../ruleengine/model/DataType.java | 23 ++++++++++++++ .../ruleengine/model/Match.java | 20 +++++++++++++ .../ruleengine/parser/RuleParser.java | 7 +++++ .../ruleengine/provider/RuleData.java | 30 +++++++++++++++++++ .../ruleengine/provider/RuleProvider.java | 7 +++++ .../ruleengine/rules/ParsedRules.java | 21 +++++++++++++ .../ruleengine/rules/Rule.java | 15 ++++++++++ .../ruleengine/rules/StatefulRule.java | 20 +++++++++++++ .../ruleengine/rules/StatelessRule.java | 15 ++++++++++ 12 files changed, 184 insertions(+) create mode 100644 src/main/java/org/opensearch/securityanalytics/ruleengine/RuleEngine.java create mode 100644 src/main/java/org/opensearch/securityanalytics/ruleengine/evaluator/RuleEvaluator.java create mode 100644 src/main/java/org/opensearch/securityanalytics/ruleengine/evaluator/StatelessRuleEvaluator.java create mode 100644 src/main/java/org/opensearch/securityanalytics/ruleengine/model/DataType.java create mode 100644 src/main/java/org/opensearch/securityanalytics/ruleengine/model/Match.java create mode 100644 src/main/java/org/opensearch/securityanalytics/ruleengine/parser/RuleParser.java create mode 100644 src/main/java/org/opensearch/securityanalytics/ruleengine/provider/RuleData.java create mode 100644 src/main/java/org/opensearch/securityanalytics/ruleengine/provider/RuleProvider.java create mode 100644 src/main/java/org/opensearch/securityanalytics/ruleengine/rules/ParsedRules.java create mode 100644 src/main/java/org/opensearch/securityanalytics/ruleengine/rules/Rule.java create mode 100644 src/main/java/org/opensearch/securityanalytics/ruleengine/rules/StatefulRule.java create mode 100644 src/main/java/org/opensearch/securityanalytics/ruleengine/rules/StatelessRule.java 
diff --git a/src/main/java/org/opensearch/securityanalytics/ruleengine/RuleEngine.java b/src/main/java/org/opensearch/securityanalytics/ruleengine/RuleEngine.java
new file mode 100644
index 000000000..8df044c58
--- /dev/null
+++ b/src/main/java/org/opensearch/securityanalytics/ruleengine/RuleEngine.java
@@ -0,0 +1,4 @@
+package org.opensearch.securityanalytics.ruleengine;
+
+public class RuleEngine {
+}
diff --git a/src/main/java/org/opensearch/securityanalytics/ruleengine/evaluator/RuleEvaluator.java b/src/main/java/org/opensearch/securityanalytics/ruleengine/evaluator/RuleEvaluator.java
new file mode 100644
index 000000000..a9f6298e5
--- /dev/null
+++ b/src/main/java/org/opensearch/securityanalytics/ruleengine/evaluator/RuleEvaluator.java
@@ -0,0 +1,9 @@
+package org.opensearch.securityanalytics.ruleengine.evaluator;
+
+import org.opensearch.securityanalytics.ruleengine.model.Match;
+
+import java.util.List;
+
+public interface RuleEvaluator {
+ List evaluate(List data);
+}
diff --git a/src/main/java/org/opensearch/securityanalytics/ruleengine/evaluator/StatelessRuleEvaluator.java b/src/main/java/org/opensearch/securityanalytics/ruleengine/evaluator/StatelessRuleEvaluator.java
new file mode 100644
index 000000000..c8bf8839b
--- /dev/null
+++ b/src/main/java/org/opensearch/securityanalytics/ruleengine/evaluator/StatelessRuleEvaluator.java
@@ -0,0 +1,13 @@
+package org.opensearch.securityanalytics.ruleengine.evaluator;
+
+import org.opensearch.securityanalytics.ruleengine.model.DataType;
+import org.opensearch.securityanalytics.ruleengine.model.Match;
+
+import java.util.List;
+
+public class StatelessRuleEvaluator implements RuleEvaluator {
+ @Override
+ public List evaluate(final List data) {
+ return null;
+ }
+}
diff --git a/src/main/java/org/opensearch/securityanalytics/ruleengine/model/DataType.java b/src/main/java/org/opensearch/securityanalytics/ruleengine/model/DataType.java
new file mode 100644
index 000000000..99919c1b6
--- /dev/null
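Review bot: `StatelessRuleEvaluator.evaluate` returns `null` where a `List` is expected, so a caller that iterates the result fails with a NullPointerException, and a caller that null-checks instead will read the stub as "nothing matched". In a detection engine a silent no-match is the worse of the two outcomes, so until the body exists I would fail loudly with `throw new UnsupportedOperationException("StatelessRuleEvaluator.evaluate is not implemented yet");`. The `RuleEvaluator` interface in the preceding hunk should also state the contract in a Javadoc line, e.g. `/** Returns the matches for the given data; never null, empty when nothing matched. */`.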
+++ b/src/main/java/org/opensearch/securityanalytics/ruleengine/model/DataType.java
@@ -0,0 +1,23 @@
+package org.opensearch.securityanalytics.ruleengine.model;
+
+import java.util.HashMap;
+import java.util.Map;
+
+public abstract class DataType {
+ private final Map dataTypeMetadata;
+
+ public DataType() {
+ this.dataTypeMetadata = new HashMap<>();
+ }
+
+ abstract Object getValue(String fieldName);
+ abstract String getTimeFieldName();
+
+ public void putDataTypeMetadata(final String key, final String value) {
+ dataTypeMetadata.put(key, value);
+ }
+
+ public Map getDataTypeMetadata() {
+ return dataTypeMetadata;
+ }
+}
diff --git a/src/main/java/org/opensearch/securityanalytics/ruleengine/model/Match.java b/src/main/java/org/opensearch/securityanalytics/ruleengine/model/Match.java
new file mode 100644
index 000000000..9227bc46e
--- /dev/null
+++ b/src/main/java/org/opensearch/securityanalytics/ruleengine/model/Match.java
@@ -0,0 +1,20 @@
+package org.opensearch.securityanalytics.ruleengine.model;
+
+import org.opensearch.securityanalytics.ruleengine.rules.Rule;
+
+import java.util.ArrayList;
+import java.util.List;
+
+public class Match {
+ private final DataType datum;
+ private final List rules;
+
+ public Match(final DataType datum) {
+ this.datum = datum;
+ this.rules = new ArrayList<>();
+ }
+
+ public void addRule(final Rule rule) {
+ rules.add(rule);
+ }
+}
diff --git a/src/main/java/org/opensearch/securityanalytics/ruleengine/parser/RuleParser.java b/src/main/java/org/opensearch/securityanalytics/ruleengine/parser/RuleParser.java
new file mode 100644
index 000000000..ea8661d2a
--- /dev/null
+++ b/src/main/java/org/opensearch/securityanalytics/ruleengine/parser/RuleParser.java
@@ -0,0 +1,7 @@
+package org.opensearch.securityanalytics.ruleengine.parser;
+
+import org.opensearch.securityanalytics.ruleengine.rules.ParsedRules;
+
+public interface RuleParser {
+ ParsedRules parseRules();
+}
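Review bot: In `DataType`, `getValue(String)` and `getTimeFieldName()` are declared `abstract` with no access modifier, which makes them package-private. A class outside `org.opensearch.securityanalytics.ruleengine.model` therefore cannot implement them, and code in the `rules` or `evaluator` packages cannot call them. If concrete data types or rule predicates are meant to live outside this package (not visible in this commit), declare them as `public abstract Object getValue(String fieldName);` and `public abstract String getTimeFieldName();`. A short Javadoc on `getValue` saying what is returned for an absent field would also help rule authors.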
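Review bot: `Match` stores `datum` and `rules` but exposes neither, so a consumer of the evaluator's result cannot tell which datum matched or which rules fired. The private fields of `Rule`, `StatefulRule` and `StatelessRule` later in this patch have no accessors either. I would add read accessors and return the rule list as an unmodifiable view, so that recorded matches cannot be altered after evaluation; this needs `java.util.Collections` imported. The element type below follows the `Rule` import and `addRule(Rule)` in this hunk; generic parameters are not shown on this page, so adjust it if the field is declared differently.

```java
public class Match {
    // … unchanged: fields, constructor, addRule …

    public DataType getDatum() {
        return datum;
    }

    public List<Rule> getRules() {
        return Collections.unmodifiableList(rules);
    }
}
```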
diff --git a/src/main/java/org/opensearch/securityanalytics/ruleengine/provider/RuleData.java b/src/main/java/org/opensearch/securityanalytics/ruleengine/provider/RuleData.java
new file mode 100644
index 000000000..b9f381256
--- /dev/null
+++ b/src/main/java/org/opensearch/securityanalytics/ruleengine/provider/RuleData.java
@@ -0,0 +1,30 @@
+package org.opensearch.securityanalytics.ruleengine.provider;
+
+import org.opensearch.securityanalytics.ruleengine.model.DataType;
+
+import java.util.Map;
+import java.util.function.Predicate;
+
+public class RuleData {
+ private final String ruleAsString;
+ private final Predicate evaluationCondition;
+ private final Map metadata;
+
+ public RuleData(final String ruleAsString, final Predicate evaluationCondition, final Map metadata) {
+ this.ruleAsString = ruleAsString;
+ this.evaluationCondition = evaluationCondition;
+ this.metadata = metadata;
+ }
+
+ public String getRuleAsString() {
+ return ruleAsString;
+ }
+
+ public Predicate getEvaluationCondition() {
+ return evaluationCondition;
+ }
+
+ public Map getMetadata() {
+ return metadata;
+ }
+}
diff --git a/src/main/java/org/opensearch/securityanalytics/ruleengine/provider/RuleProvider.java b/src/main/java/org/opensearch/securityanalytics/ruleengine/provider/RuleProvider.java
new file mode 100644
index 000000000..3d3d68921
--- /dev/null
+++ b/src/main/java/org/opensearch/securityanalytics/ruleengine/provider/RuleProvider.java
@@ -0,0 +1,7 @@
+package org.opensearch.securityanalytics.ruleengine.provider;
+
+import java.util.List;
+
+public interface RuleProvider {
+ List getRuleData();
+}
diff --git a/src/main/java/org/opensearch/securityanalytics/ruleengine/rules/ParsedRules.java b/src/main/java/org/opensearch/securityanalytics/ruleengine/rules/ParsedRules.java
new file mode 100644
index 000000000..859134bb8
--- /dev/null
+++ b/src/main/java/org/opensearch/securityanalytics/ruleengine/rules/ParsedRules.java
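Review bot: The `RuleData` constructor keeps the caller's `metadata` map by reference and `getMetadata()` returns that same instance, so any code holding the map can change a rule's metadata after the rule has been loaded. `ParsedRules` (both lists) and `StatefulRule.filterFields` later in this patch store their collection arguments the same way. For detection content it is safer to take a snapshot on construction, e.g. `this.metadata = Collections.unmodifiableMap(new HashMap<>(metadata));`, and likewise `Collections.unmodifiableList(new ArrayList<>(statelessRules))` in `ParsedRules`, with the matching `java.util` imports. If `metadata` may legitimately be null, guard for that before copying.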
@@ -0,0 +1,21 @@
+package org.opensearch.securityanalytics.ruleengine.rules;
+
+import java.util.List;
+
+public class ParsedRules {
+ private final List statelessRules;
+ private final List statefulRules;
+
+ public ParsedRules(final List statelessRules, final List statefulRules) {
+ this.statelessRules = statelessRules;
+ this.statefulRules = statefulRules;
+ }
+
+ public List getStatelessRules() {
+ return statelessRules;
+ }
+
+ public List getStatefulRules() {
+ return statefulRules;
+ }
+}
diff --git a/src/main/java/org/opensearch/securityanalytics/ruleengine/rules/Rule.java b/src/main/java/org/opensearch/securityanalytics/ruleengine/rules/Rule.java
new file mode 100644
index 000000000..43670129c
--- /dev/null
+++ b/src/main/java/org/opensearch/securityanalytics/ruleengine/rules/Rule.java
@@ -0,0 +1,15 @@
+package org.opensearch.securityanalytics.ruleengine.rules;
+
+import java.util.function.Predicate;
+
+public abstract class Rule {
+ private final String id;
+ private final Predicate evaluationCondition;
+ private final Predicate ruleCondition;
+
+ public Rule(final String id, final Predicate evaluationCondition, final Predicate ruleCondition) {
+ this.id = id;
+ this.evaluationCondition = evaluationCondition;
+ this.ruleCondition = ruleCondition;
+ }
+}
diff --git a/src/main/java/org/opensearch/securityanalytics/ruleengine/rules/StatefulRule.java b/src/main/java/org/opensearch/securityanalytics/ruleengine/rules/StatefulRule.java
new file mode 100644
index 000000000..86ae8b37b
--- /dev/null
+++ b/src/main/java/org/opensearch/securityanalytics/ruleengine/rules/StatefulRule.java
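Review bot: `Rule` takes two predicates, `evaluationCondition` and `ruleCondition`, and nothing in the class says how they differ or in which order an evaluator should apply them. A class-level Javadoc would settle that; if the intent is what the names suggest, something like `/** evaluationCondition decides whether the rule applies to a datum at all; ruleCondition is the detection logic run on data that passed it. */` would do, with the wording corrected if the roles are different. The constructor also accepts a null `id` or predicate without complaint. `Objects.requireNonNull(id, "id")`, and the same for both predicates, would surface a badly built rule at load time rather than during evaluation.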
@@ -0,0 +1,20 @@
+package org.opensearch.securityanalytics.ruleengine.rules;
+
+import org.opensearch.securityanalytics.ruleengine.model.Match;
+
+import java.time.Duration;
+import java.util.List;
+import java.util.function.Predicate;
+
+public class StatefulRule extends Rule> {
+ private final Duration timeframe;
+ private final List filterFields;
+
+ public StatefulRule(final String id, final Predicate evaluationCondition,
+ final Predicate> ruleCondition, final Duration timeframe,
+ final List filterFields) {
+ super(id, evaluationCondition, ruleCondition);
+ this.timeframe = timeframe;
+ this.filterFields = filterFields;
+ }
+}
diff --git a/src/main/java/org/opensearch/securityanalytics/ruleengine/rules/StatelessRule.java b/src/main/java/org/opensearch/securityanalytics/ruleengine/rules/StatelessRule.java
new file mode 100644
index 000000000..437800520
--- /dev/null
+++ b/src/main/java/org/opensearch/securityanalytics/ruleengine/rules/StatelessRule.java
@@ -0,0 +1,15 @@
+package org.opensearch.securityanalytics.ruleengine.rules;
+
+import org.opensearch.securityanalytics.ruleengine.model.DataType;
+
+import java.util.function.Predicate;
+
+public class StatelessRule extends Rule {
+ private final boolean isStatefulCondition;
+
+ public StatelessRule(final String id, final Predicate evaluationCondition,
+ final Predicate ruleCondition, final boolean isStatefulCondition) {
+ super(id, evaluationCondition, ruleCondition);
+ this.isStatefulCondition = isStatefulCondition;
+ }
+}
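Review bot: The `StatefulRule` constructor accepts any `timeframe`, including null, zero or a negative `Duration`. How the window is used is not visible in this commit, but a stateful rule presumably retains data for that long, so a missing or non-positive window should be rejected at construction: `if (timeframe == null || timeframe.isZero() || timeframe.isNegative()) { throw new IllegalArgumentException("timeframe must be positive"); }`. An upper bound may be worth considering once the state store exists, since the window length would drive how much state is kept.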
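Review bot: In `StatelessRule`, the field `isStatefulCondition` reads as a contradiction of the class name, and nothing in the hunk explains it. A one-line comment on the field would be enough, e.g. `// true when this stateless rule is the per-event condition of a stateful rule`; that is only my guess from the name, so please state the actual meaning. Naming the field `statefulCondition` without the `is` prefix would also avoid an awkward accessor name later.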